On Wed, Nov 9, 2016 at 3:13 PM, Victor Wagner <vi...@wagner.pp.ru> wrote:
> On Tue, 18 Oct 2016 16:35:27 +0900
> Michael Paquier <michael.paqu...@gmail.com> wrote:
>  Hi
>> Attached is a rebased patch set for SCRAM, with the following things:
>> - 0001, moving all the SHA2 functions to src/common/ and introducing a
>> PG-like interface. No actual changes here.
> It seems, that client nonce generation in this patch is not
> RFC-compliant.
> RFC 5802 states that SCRAM nonce should be
> a sequence of random printable ASCII
>       characters excluding ','
> while this patch uses sequence of random bytes from pg_strong_random
> function with zero byte appended.

(This is about patch 0007, not 0001)
Thanks, you are right. That's not good as-is. So this basically means
that the characters here should be from 32 to 127 included.
generate_nonce needs just to be made smarter in the way it selects the
character bytes.

Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:

Reply via email to