database/postgres
1
0
Fork 0
mirror of https://github.com/postgres/postgres.git synced 2025-08-21 10:42:50 +03:00
Code Activity

Rename "scram" to "scram-sha-256" in pg_hba.conf and password_encryption.

Browse Source 
Per discussion, plain "scram" is confusing because we actually implement
SCRAM-SHA-256 rather than the original SCRAM that uses SHA-1 as the hash
algorithm. If we add support for SCRAM-SHA-512 or some other mechanism in
the SCRAM family in the future, that would become even more confusing.

Most of the internal files and functions still use just "scram" as a
shorthand for SCRMA-SHA-256, but I did change PASSWORD_TYPE_SCRAM to
PASSWORD_TYPE_SCRAM_SHA_256, as that could potentially be used by 3rd
party extensions that hook into the password-check hook.

Michael Paquier did this in an earlier version of the SCRAM patch set
already, but I didn't include that in the version that was committed.

Discussion: https://www.postgresql.org/message-id/fde71ff1-5858-90c8-99a9-1c2427e7bafb@iki.fi
This commit is contained in:
Heikki Linnakangas
2017-04-18 14:50:50 +03:00
parent 123aaffb5b
commit c727f120ff
15 changed files with 60 additions and 59 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
src/test/authentication/t/001_password.pl
View File

@@ -51,7 +51,7 @@ SKIP:
# Create 3 roles with different password methods for each one. The same
# password is used for all of them.
$node->safe_psql('postgres', "SET password_encryption='scram'; CREATE ROLE scram_role LOGIN PASSWORD 'pass';");
$node->safe_psql('postgres', "SET password_encryption='scram-sha-256'; CREATE ROLE scram_role LOGIN PASSWORD 'pass';");
$node->safe_psql('postgres', "SET password_encryption='md5'; CREATE ROLE md5_role LOGIN PASSWORD 'pass';");
$node->safe_psql('postgres', "SET password_encryption='plain'; CREATE ROLE plain_role LOGIN PASSWORD 'pass';");
$ENV{"PGPASSWORD"} = 'pass';
@@ -68,12 +68,12 @@ SKIP:
test_role($node, 'md5_role', 'password', 0);
test_role($node, 'plain_role', 'password', 0);
# For "scram" method, user "plain_role" and "scram_role" should be able to
# connect.
reset_pg_hba($node, 'scram');
test_role($node, 'scram_role', 'scram', 0);
test_role($node, 'md5_role', 'scram', 2);
test_role($node, 'plain_role', 'scram', 0);
# For "scram-sha-256" method, user "plain_role" and "scram_role" should
# be able to connect.
reset_pg_hba($node, 'scram-sha-256');
test_role($node, 'scram_role', 'scram-sha-256', 0);
test_role($node, 'md5_role', 'scram-sha-256', 2);
test_role($node, 'plain_role', 'scram-sha-256', 0);
# For "md5" method, all users should be able to connect (SCRAM
# authentication will be performed for the user with a scram verifier.)

4
src/test/authentication/t/002_saslprep.pl
View File

@@ -63,7 +63,7 @@ SKIP:
# Create test roles.
$node->safe_psql('postgres',
"SET password_encryption='scram';
"SET password_encryption='scram-sha-256';
SET client_encoding='utf8';
CREATE ROLE saslpreptest1_role LOGIN PASSWORD 'IX';
CREATE ROLE saslpreptest4a_role LOGIN PASSWORD 'a';
@@ -73,7 +73,7 @@ SKIP:
");
# Require password from now on.
reset_pg_hba($node, 'scram');
reset_pg_hba($node, 'scram-sha-256');
# Check that #1 and #5 are treated the same as just 'IX'
test_login($node, 'saslpreptest1_role', "I\xc2\xadX", 0);