Re: [HACKERS] On-disk format of SCRAM verifiers
On 04/21/2017 05:33 PM, Simon Riggs wrote:
> On 21 April 2017 at 14:42, Heikki Linnakangas wrote:
>>>>> SCRAM-SHA-256$<iteration count>:<salt>$<StoredKey>:<ServerKey>
>>>>
>>>> Could you explain where you are looking? I don't see that in RFC5803
>>>
>>> From 1. Overview:
>>
>> Yeah, it's not easy to see, I missed it earlier too. You have to look at
>> RFC 5803 and RFC 3112 together. RFC 3112 says that the overall format is
>> "<scheme>$<authInfo>$<authValue>", and RFC5803 says that for SCRAM, scheme
>> is "SCRAM-SHA-256" (for our variant), authInfo is "<iteration count>:<salt>"
>> and authValue is "<StoredKey>:<ServerKey>"
>>
>> They really should've included examples in those RFCs.
>
> Thanks
>
> +1 for change

Committed, thanks.

- Heikki

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
Re: [HACKERS] On-disk format of SCRAM verifiers
On 21 April 2017 at 14:42, Heikki Linnakangas wrote:
>>>> SCRAM-SHA-256$<iteration count>:<salt>$<StoredKey>:<ServerKey>
>>>
>>> Could you explain where you are looking? I don't see that in RFC5803
>>
>> From 1. Overview:
>
> Yeah, it's not easy to see, I missed it earlier too. You have to look at RFC
> 5803 and RFC 3112 together. RFC 3112 says that the overall format is
> "<scheme>$<authInfo>$<authValue>", and RFC5803 says that for SCRAM, scheme is
> "SCRAM-SHA-256" (for our variant), authInfo is "<iteration count>:<salt>" and
> authValue is "<StoredKey>:<ServerKey>"
>
> They really should've included examples in those RFCs.

Thanks

+1 for change

--
Simon Riggs                http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
Re: [HACKERS] On-disk format of SCRAM verifiers
Michael Paquier writes:

> On Fri, Apr 21, 2017 at 10:02 PM, Simon Riggs wrote:
>> On 21 April 2017 at 10:20, Heikki Linnakangas wrote:
>>> But looking more closely, I think I misunderstood RFC 5803. It *does* in
>>> fact specify a single string format to store the verifier in. And the format
>>> looks like:
>>>
>>> SCRAM-SHA-256$<iteration count>:<salt>$<StoredKey>:<ServerKey>
>>
>> Could you explain where you are looking? I don't see that in RFC5803
>
> From 1. Overview:
>
>    Syntax of the attribute can be expressed using ABNF [RFC5234].  Non-
>    terminal references in the following ABNF are defined in either
>    [AUTHPASS], [RFC4422], or [RFC5234].
>
>    scram-mech = "SCRAM-SHA-1" / scram-mech-ext
>                 ; Complies with ABNF for <scheme>
>                 ; defined in [AUTHPASS].
>
>    scram-authInfo = iter-count ":" salt
>                 ; Complies with ABNF for <authInfo>
>                 ; defined in [AUTHPASS].
>
>    scram-authValue = stored-key ":" server-key
>                 ; Complies with ABNF for <authValue>
>                 ; defined in [AUTHPASS].

And scram-mech, scram-authInfo and scram-authValue are used as the
"scheme", "authInfo" and "authValue" parts as specified in [AUTHPASS]
(RFC3112):

   authPasswordValue = w scheme s authInfo s authValue w
   scheme = %x30-39 / %x41-5A / %x2D-2F / %x5F
       ; 0-9, A-Z, "-", ".", "/", or "_"
   authInfo = schemeSpecificValue
   authValue = schemeSpecificValue
   schemeSpecificValue = *( %x21-23 / %x25-7E )
       ; printable ASCII less "$" and " "
   s = w SEP w
   w = *SP
   SEP = %x24 ; "$"
   SP = %x20 ; " " (space)

> Thanks,
> --
> Michael

- ilmari
--
"A disappointingly low fraction of the human race is, at any given time,
on fire." - Stig Sandbeck Mathisen
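As an added illustration of the two ABNF fragments quoted above (RFC 3112's `<scheme>$<authInfo>$<authValue>` envelope and RFC 5803's `iter-count ":" salt` / `stored-key ":" server-key` payload) and of the combined layout Heikki spells out in his reply, here is a small Python module that builds, parses and checks a verifier in that form. It is example code written for this page, not PostgreSQL's own implementation. It assumes, beyond what the thread states, that salt, StoredKey and ServerKey are base64-encoded (as PostgreSQL stores them) and that SaltedPassword is derived with PBKDF2-HMAC-SHA-256 as in RFC 5802/7677; the function names `build_verifier`, `parse_verifier`, `password_matches` and `is_well_formed` are this example's own.

```python
"""Build, parse and check SCRAM-SHA-256 verifiers in the RFC 5803 / RFC 3112
string form discussed in the thread:

    SCRAM-SHA-256$<iter-count>:<salt>$<stored-key>:<server-key>

Added example, not PostgreSQL's code.  Assumptions not stated on the page:
salt and keys are base64-encoded (as PostgreSQL does), SaltedPassword is
PBKDF2-HMAC-SHA-256 per RFC 5802/7677.
"""
import base64
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from typing import Optional, Tuple

MECH = "SCRAM-SHA-256"

# RFC 3112: schemeSpecificValue = *( %x21-23 / %x25-7E ), i.e. printable
# ASCII without "$" and " ".  Each "$"-separated part must satisfy this.
_SCHEME_SPECIFIC = re.compile(r"[\x21-\x23\x25-\x7e]*")
# RFC 3112: scheme = %x30-39 / %x41-5A / %x2D-2F / %x5F  (0-9 A-Z - . / _)
_SCHEME = re.compile(r"[0-9A-Z\-./_]+")


@dataclass(frozen=True)
class ScramVerifier:
    iterations: int
    salt: bytes
    stored_key: bytes
    server_key: bytes


def _derive_keys(password: str, salt: bytes, iterations: int) -> Tuple[bytes, bytes]:
    """RFC 5802 derivation; returns (StoredKey, ServerKey).

    SaltedPassword = Hi(password, salt, i)      (PBKDF2-HMAC-SHA-256)
    ClientKey      = HMAC(SaltedPassword, "Client Key")
    StoredKey      = H(ClientKey)
    ServerKey      = HMAC(SaltedPassword, "Server Key")
    """
    salted = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    return stored_key, server_key


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def build_verifier(password: str, salt: Optional[bytes] = None, iterations: int = 4096) -> str:
    """Produce the on-disk string in RFC 5803 form for a cleartext password."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per verifier
    stored_key, server_key = _derive_keys(password, salt, iterations)
    return f"{MECH}${iterations}:{_b64(salt)}${_b64(stored_key)}:{_b64(server_key)}"


def parse_verifier(text: str) -> ScramVerifier:
    """Split "<scheme>$<authInfo>$<authValue>" (RFC 3112), then the SCRAM
    specific "iter-count:salt" and "stored-key:server-key" (RFC 5803).
    Raises ValueError for anything that does not match the ABNF."""
    parts = text.split("$")
    if len(parts) != 3:
        raise ValueError("expected exactly two '$' separators")
    scheme, auth_info, auth_value = parts
    if not _SCHEME.fullmatch(scheme) or scheme != MECH:
        raise ValueError(f"unsupported scheme {scheme!r}")
    for part in (auth_info, auth_value):
        if not _SCHEME_SPECIFIC.fullmatch(part):
            raise ValueError("schemeSpecificValue contains '$', space or non-printable")
    iter_s, _, salt_b64 = auth_info.partition(":")
    stored_b64, _, server_b64 = auth_value.partition(":")
    if not iter_s.isdigit() or not salt_b64 or not stored_b64 or not server_b64:
        raise ValueError("malformed authInfo or authValue")
    return ScramVerifier(
        iterations=int(iter_s),
        salt=base64.b64decode(salt_b64, validate=True),
        stored_key=base64.b64decode(stored_b64, validate=True),
        server_key=base64.b64decode(server_b64, validate=True),
    )


def is_well_formed(text: str) -> bool:
    """True if the string parses under the RFC 3112 + RFC 5803 grammar."""
    try:
        parse_verifier(text)
        return True
    except ValueError:  # binascii.Error from b64decode is a ValueError too
        return False


def password_matches(verifier_text: str, password: str) -> bool:
    """Server-side check: recompute StoredKey from the stored salt and
    iteration count and compare it in constant time."""
    v = parse_verifier(verifier_text)
    stored_key, _ = _derive_keys(password, v.salt, v.iterations)
    return hmac.compare_digest(stored_key, v.stored_key)


if __name__ == "__main__":
    # Constructed sample input: fixed salt so the output is reproducible.
    v = build_verifier("correct horse", salt=b"0123456789abcdef")
    print(v)
    print(parse_verifier(v))
```

Note that the parser splits on `$` first and only then on `:`, which is exactly why the thread's move from `:` to `$` as the outer separator matters: the base64 payloads may never contain `$`, so the three RFC 3112 parts are unambiguous, whereas `:` has to be reserved for the inner split inside authInfo and authValue.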
Re: [HACKERS] On-disk format of SCRAM verifiers
On 21 April 2017 16:20:56 EEST, Michael Paquier wrote:
> On Fri, Apr 21, 2017 at 10:02 PM, Simon Riggs wrote:
>> On 21 April 2017 at 10:20, Heikki Linnakangas wrote:
>>> But looking more closely, I think I misunderstood RFC 5803. It *does* in
>>> fact specify a single string format to store the verifier in. And the format
>>> looks like:
>>>
>>> SCRAM-SHA-256$<iteration count>:<salt>$<StoredKey>:<ServerKey>
>>
>> Could you explain where you are looking? I don't see that in RFC5803
>
> From 1. Overview:

Yeah, it's not easy to see, I missed it earlier too. You have to look at
RFC 5803 and RFC 3112 together. RFC 3112 says that the overall format is
"<scheme>$<authInfo>$<authValue>", and RFC5803 says that for SCRAM, scheme
is "SCRAM-SHA-256" (for our variant), authInfo is "<iteration count>:<salt>"
and authValue is "<StoredKey>:<ServerKey>"

They really should've included examples in those RFCs.

- Heikki
Re: [HACKERS] On-disk format of SCRAM verifiers
On 21 April 2017 at 14:20, Michael Paquier wrote:
> On Fri, Apr 21, 2017 at 10:02 PM, Simon Riggs wrote:
>> On 21 April 2017 at 10:20, Heikki Linnakangas wrote:
>>> But looking more closely, I think I misunderstood RFC 5803. It *does* in
>>> fact specify a single string format to store the verifier in. And the format
>>> looks like:
>>>
>>> SCRAM-SHA-256$<iteration count>:<salt>$<StoredKey>:<ServerKey>
>>
>> Could you explain where you are looking? I don't see that in RFC5803
>
> From 1. Overview:
>
>    Syntax of the attribute can be expressed using ABNF [RFC5234].  Non-
>    terminal references in the following ABNF are defined in either
>    [AUTHPASS], [RFC4422], or [RFC5234].
>
>    scram-mech = "SCRAM-SHA-1" / scram-mech-ext
>                 ; Complies with ABNF for <scheme>
>                 ; defined in [AUTHPASS].
>
>    scram-authInfo = iter-count ":" salt
>                 ; Complies with ABNF for <authInfo>
>                 ; defined in [AUTHPASS].
>
>    scram-authValue = stored-key ":" server-key
>                 ; Complies with ABNF for <authValue>
>                 ; defined in [AUTHPASS].
>
> Thanks,

The above text, which I've already read, does not explain the suggested
change from : to $. Could you explain?

--
Simon Riggs                http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
Re: [HACKERS] On-disk format of SCRAM verifiers
On Fri, Apr 21, 2017 at 9:25 PM, Stephen Frost wrote:
> * Heikki Linnakangas (hlinn...@iki.fi) wrote:
>> I think we should adopt that exact format, so that our verifiers are
>> compatible with RFC 5803. It doesn't make any immediate difference,
>> but since there is a standard out there, might as well follow it.
>
> +1
>
>> And just in case we get support for looking up SCRAM verifiers from
>> an LDAP server in the future, it will come handy as we won't need to
>> parse two different formats.
>
> Agreed.

+1 to all that. Consistency is a good thing.
--
Michael
Re: [HACKERS] On-disk format of SCRAM verifiers
On Fri, Apr 21, 2017 at 10:02 PM, Simon Riggs wrote:
> On 21 April 2017 at 10:20, Heikki Linnakangas wrote:
>> But looking more closely, I think I misunderstood RFC 5803. It *does* in
>> fact specify a single string format to store the verifier in. And the format
>> looks like:
>>
>> SCRAM-SHA-256$<iteration count>:<salt>$<StoredKey>:<ServerKey>
>
> Could you explain where you are looking? I don't see that in RFC5803

From 1. Overview:

   Syntax of the attribute can be expressed using ABNF [RFC5234].  Non-
   terminal references in the following ABNF are defined in either
   [AUTHPASS], [RFC4422], or [RFC5234].

   scram-mech = "SCRAM-SHA-1" / scram-mech-ext
                ; Complies with ABNF for <scheme>
                ; defined in [AUTHPASS].

   scram-authInfo = iter-count ":" salt
                ; Complies with ABNF for <authInfo>
                ; defined in [AUTHPASS].

   scram-authValue = stored-key ":" server-key
                ; Complies with ABNF for <authValue>
                ; defined in [AUTHPASS].

Thanks,
--
Michael
Re: [HACKERS] On-disk format of SCRAM verifiers
On 21 April 2017 at 10:20, Heikki Linnakangas wrote:
> But looking more closely, I think I misunderstood RFC 5803. It *does* in
> fact specify a single string format to store the verifier in. And the format
> looks like:
>
> SCRAM-SHA-256$<iteration count>:<salt>$<StoredKey>:<ServerKey>

Could you explain where you are looking? I don't see that in RFC5803

--
Simon Riggs                http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
Re: [HACKERS] On-disk format of SCRAM verifiers
Heikki,

* Heikki Linnakangas (hlinn...@iki.fi) wrote:
> I think we should adopt that exact format, so that our verifiers are
> compatible with RFC 5803. It doesn't make any immediate difference,
> but since there is a standard out there, might as well follow it.

+1

> And just in case we get support for looking up SCRAM verifiers from
> an LDAP server in the future, it will come handy as we won't need to
> parse two different formats.

Agreed.

Thanks!

Stephen