proxy: simplify password validation #7188
Merged
Problem
For HTTP/WS/password hack flows we imitate SCRAM to validate passwords. This code was unnecessarily complicated.
Summary of changes
Copy in the `pbkdf2` and 'derive keys' steps from the `postgres_protocol` crate in our `rust-postgres` fork. Derive the `client_key`, `server_key` and `stored_key` from the password directly. Use constant time equality to compare the `stored_key` and `server_key` with the ones we are sent from cplane.
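The derivation and comparison described in the summary, as an added Python example using only the standard library; it is not code from this pull request or from the proxy. It assumes the stored keys arrive in PostgreSQL's `SCRAM-SHA-256$<iterations>:<salt>$<StoredKey>:<ServerKey>` verifier format, and the names `derive_keys`, `build_secret`, `parse_secret` and `validate_password`, as well as the sample salt and password, are constructed for illustration.

```python
import base64
import hashlib
import hmac

def derive_keys(password: str, salt: bytes, iterations: int):
    """RFC 5802 derivation: returns (client_key, stored_key, server_key)."""
    # Assumption: ASCII password, so SASLprep normalisation is skipped here.
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    return client_key, stored_key, server_key

def build_secret(password: str, salt: bytes, iterations: int) -> str:
    """Produce a verifier string the way a server would store it (sample data only)."""
    _, stored, server = derive_keys(password, salt, iterations)
    b64 = lambda raw: base64.b64encode(raw).decode()
    return f"SCRAM-SHA-256${iterations}:{b64(salt)}${b64(stored)}:{b64(server)}"

def parse_secret(text: str):
    """Split a verifier into (iterations, salt, stored_key, server_key)."""
    scheme, params, keys = text.split("$")
    if scheme != "SCRAM-SHA-256":
        raise ValueError("unsupported scheme")
    iterations, salt = params.split(":")
    stored, server = keys.split(":")
    dec = lambda s: base64.b64decode(s, validate=True)
    return int(iterations), dec(salt), dec(stored), dec(server)

def validate_password(password: str, secret_text: str) -> bool:
    """Re-derive both keys from the password and compare in constant time."""
    try:
        iterations, salt, want_stored, want_server = parse_secret(secret_text)
        _, stored, server = derive_keys(password, salt, iterations)
    except ValueError:  # malformed verifier, bad base64, or iterations < 1
        return False
    # Evaluate both comparisons before combining so neither short-circuits.
    ok_stored = hmac.compare_digest(stored, want_stored)
    ok_server = hmac.compare_digest(server, want_server)
    return ok_stored & ok_server

# Constructed sample: fixed salt and a low iteration count so the demo is fast.
SAMPLE_SALT = bytes(range(16))
SAMPLE_SECRET = build_secret("pencil", SAMPLE_SALT, 4096)

if __name__ == "__main__":
    print(validate_password("pencil", SAMPLE_SECRET))   # correct password
    print(validate_password("pencil2", SAMPLE_SECRET))  # wrong password
```

`hmac.compare_digest` takes time independent of where the inputs first differ, so a mismatch reveals nothing about how many leading bytes of the derived key were right.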