commit 0d6fb7a3eb0a9754348ec15be14a017a1c84df0f
author Fatih Acar <facar@scaleway.com> Mon Sep 26 17:27:11 2022 +0200
committer Christopher Faulet <cfaulet@haproxy.com> Mon Oct 03 15:31:22 2022 +0200
tree 481c2c73a3044d0899bb5d46b64a825913c9e720
parent dd4a2a69dcb9be001a9299eb65caa96ad6e950e0

BUG/MINOR: checks: update pgsql regex on auth packet

This patch adds support to the following authentication methods:

- AUTH_REQ_GSS (7)
- AUTH_REQ_SSPI (9)
- AUTH_REQ_SASL (10)

Note that since AUTH_REQ_SASL allows multiple authentication mechanisms
such as SCRAM-SHA-256 or SCRAM-SHA-256-PLUS, the auth payload length may
vary since the method is sent in plaintext. In order to allow this, the
regex now matches any payload length.

This partially fixes Github issue #1508 since user authentication is
still broken but should restore pre-2.2 behavior.

This should be backported up to 2.2.

Signed-off-by: Fatih Acar <facar@scaleway.com>

src/tcpcheck.c

diff --git a/src/tcpcheck.c b/src/tcpcheck.c
index 5ef1c69..366a8d0 100644
--- a/src/tcpcheck.c
+++ b/src/tcpcheck.c
@@ -4517,7 +4517,7 @@
 	chk->index = 2;
 	LIST_APPEND(&rs->rules, &chk->list);
 
-	chk = parse_tcpcheck_expect((char *[]){"tcp-check", "expect", "rbinary", "^52000000(08|0A|0C)000000(00|02|03|04|05|06)",
+	chk = parse_tcpcheck_expect((char *[]){"tcp-check", "expect", "rbinary", "^52000000[A-Z0-9]{2}000000(00|02|03|04|05|06|07|09|0A)",
 				               "min-recv", "9",
 				               "error-status", "L7STS",
 				               "on-success", "PostgreSQL server is ok",