On Wed, Nov 9, 2016 at 3:13 PM, Victor Wagner <vi...@wagner.pp.ru> wrote:
> On Tue, 18 Oct 2016 16:35:27 +0900
> Michael Paquier <michael.paqu...@gmail.com> wrote:
>
> Hi
>> Attached is a rebased patch set for SCRAM, with the following things:
>> - 0001, moving all the SHA2 functions to src/common/ and introducing a
>> PG-like interface. No actual changes here.
>
> It seems that client nonce generation in this patch is not
> RFC-compliant.
>
> RFC 5802 states that a SCRAM nonce should be
>
>     a sequence of random printable ASCII
>     characters excluding ','
>
> while this patch uses a sequence of random bytes from the pg_strong_random
> function with a zero byte appended.
(This is about patch 0007, not 0001)

Thanks, you are right. That's not good as-is. So this basically means
that the characters here should be from 32 to 127 included.
generate_nonce needs just to be made smarter in the way it selects the
character bytes.
-- 
Michael


-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
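As an added illustration of the fix being discussed (example code, not the patch's own generate_nonce), the following maps strong random bytes onto the alphabet RFC 5802 defines as `printable` (%x21-2B / %x2D-7E, i.e. visible ASCII without ','), with rejection sampling so that the modulo does not bias the result, plus a checker for received nonces. It assumes /dev/urandom is available and uses it as a stand-in for pg_strong_random(), which is not linkable outside the PostgreSQL tree.

```c
#include <stdbool.h>
#include <stdio.h>

/* Alphabet from RFC 5802's "printable" production, %x21-2B / %x2D-7E:
 * visible ASCII with ',' removed, 93 characters in total. */
static const char nonce_alphabet[] =
    "!\"#$%&'()*+-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~";
#define NONCE_ALPHABET_LEN (sizeof(nonce_alphabet) - 1)

/* Stand-in for pg_strong_random() so the example builds without
 * PostgreSQL: reads raw bytes from /dev/urandom (assumed to exist). */
static bool strong_random(void *buf, size_t len)
{
    FILE *f = fopen("/dev/urandom", "rb");
    size_t got = f ? fread(buf, 1, len, f) : 0;
    if (f) fclose(f);
    return got == len;
}

/* Fill buf with len nonce characters plus a trailing NUL (buf must hold
 * len + 1 bytes). 256 is not a multiple of 93, so "byte % 93" would favour
 * the first 70 characters; raw bytes >= 186 are rejected to stay uniform. */
bool generate_nonce(char *buf, size_t len)
{
    const unsigned char limit = 256 - 256 % NONCE_ALPHABET_LEN;    /* 186 */
    unsigned char raw[64];
    size_t filled = 0;
    while (filled < len)
    {
        if (!strong_random(raw, sizeof(raw)))
            return false;
        for (size_t i = 0; i < sizeof(raw) && filled < len; i++)
            if (raw[i] < limit)
                buf[filled++] = nonce_alphabet[raw[i] % NONCE_ALPHABET_LEN];
    }
    buf[len] = '\0';
    return true;
}

/* True if every byte is RFC 5802 "printable": no ',' and nothing outside
 * 0x21..0x7E, so the nonce cannot break a comma-separated SCRAM message. */
bool nonce_is_printable(const char *nonce)
{
    const unsigned char *p = (const unsigned char *) nonce;
    for (; *p != '\0'; p++)
        if (*p < 0x21 || *p > 0x7E || *p == ',')
            return false;
    return true;
}
```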