Date: Tue, 24 Mar 2026 08:33:10 +0900
From: Michael Paquier
To: John Naylor
Cc: Postgres hackers
Subject: Re: Non-compliant SASLprep implementation for ASCII characters

On Thu, Mar 19, 2026 at 01:25:52PM +0900, Michael Paquier wrote:
> Applied the result for the module, to have at least the coverage part.
> The last piece is refreshed, and attached for now.

I have worked on the final piece of this thread, and applied it.

I am also attaching a small module, called scram_utils(), that I have
used to validate this change by creating SCRAM verifiers with
non-printable ASCII characters, like:
SELECT scram_utils_verifier_bytea('myrole', '\x010203', 200, 10);

This function passes down the password data to scram_build_secret()
after applying pg_saslprep(), reusing the original password if the
SASLprep was not a success. That's the same as what we do in
pg_be_scram_build_secret() but I wanted control over the salt length
and the number of iterations for each function call (implemented that
years ago with tested SCRAM), hence the split.

Then use for example something like that for the input:
export PGPASSWORD=$(printf '%b%b%b' '\01\02\03')

The validation between the non-compliant and the compliant
implementation then comes down to:
- Generate the rolpassword on HEAD patched (new) and unpatched (old).
- Check connections with libpq patched (new) and unpatched (old), with
  client->server as of new->old, old->new, new->new.
--
Michael

[Attachment: scram_utils.tar.gz (application/gzip)]