On 12/22/17 03:10, Michael Paquier wrote:
> On Fri, Dec 22, 2017 at 11:59 AM, Michael Paquier
> <michael.paquier@gmail.com> wrote:
>> I have looked at how things could be done in symmetry for both the frontend
>> and backend code, and I have produced the attached patch 0002, which
>> can be applied on top of 0001 implementing tls-server-end-point. This
>> simplifies the interfaces to initialize the SCRAM status data by saving
>> into scram_state and fe_scram_state respectively Port* and PGconn* which
>> holds most of the data needed for the exchange. With this patch, cbind_data
>> is generated only if a specific channel binding type is used with the
>> appropriate data. So if no channel binding is used there is no additional
>> SSL call done to get the TLS finished data or the server certificate hash.
>>
>> 0001 has no real changes compared to the last versions.
>
> Second thoughts on 0002 as there is actually no need to move around
> errorMessage if the PGconn* pointer is saved in the SCRAM status data
> as both are linked. The attached simplifies the logic even more.
>
That all looks pretty reasonable.
I'm working through patch 0001 now. I haven't found any documentation
on the function OBJ_find_sigid_algs(). What does it do? One might
think that the nid returned by X509_get_signature_nid() is already the
algo_nid we want to use, but there appears to be more to this.
--
Peter Eisentraut http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
