Commit 218b024

Accept SCRAM channel binding enabled clients
Add support to the SCRAM exchange for clients that support channel binding, such as PostgreSQL version 11 and beyond. If such a client encounters a PostgreSQL 10 server that does not support channel binding, it will send a channel binding flag 'y', meaning the client supports channel binding but thinks the server does not. But PostgreSQL 10 erroneously did not accept that flag. This would cause connections to fail if a version 11 client connects to a version 10 server with SCRAM authentication over SSL.

Author: Michael Paquier <michael.paquier@gmail.com>

1 parent ee5b595, commit 218b024

1 file changed, +8 -2 lines changed

‎src/backend/libpq/auth-scram.c

Lines changed: 8 additions & 2 deletions
@@ -112,6 +112,8 @@ typedef struct
112112

113113
constchar*username;/* username from startup packet */
114114

115+
charcbind_flag;
116+
115117
intiterations;
116118
char*salt;/* base64-encoded */
117119
uint8StoredKey[SCRAM_KEY_LEN];
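Review bot: The new cbind_flag member of the struct has no comment, while the neighbouring username and salt members do. A short comment saying it holds the gs2-cbind-flag byte taken from the client-first-message, and that it is compared again when the client-final-message arrives, would make the purpose of the field clear to anyone reading the struct on its own.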
@@ -774,6 +776,7 @@ read_client_first_message(scram_state *state, char *input)
774776
*/
775777

776778
/* read gs2-cbind-flag */
779+
state->cbind_flag=*input;
777780
switch (*input)
778781
{
779782
case'n':
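Review bot: In read_client_first_message, state->cbind_flag is assigned from *input above the switch, so the byte is stored before it has been validated. That is harmless only if every branch other than the accepted flags raises an error, which these context lines do not show. Assigning inside the accepting cases, or adding a comment that the switch rejects all other values, would make that dependency explicit.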
@@ -1033,10 +1036,13 @@ read_client_final_message(scram_state *state, char *input)
10331036

10341037
/*
10351038
* Read channel-binding. We don't support channel binding, so it's
1036-
* expected to always be "biws", which is "n,,", base64-encoded.
1039+
* expected to always be "biws", which is "n,,", base64-encoded, or
1040+
* "eSws", which is "y,,". We also have to check whether the flag is
1041+
* the same one that the client originally sent.
10371042
*/
10381043
channel_binding=read_attr_value(&p,'c');
1039-
if (strcmp(channel_binding,"biws")!=0)
1044+
if (!(strcmp(channel_binding,"biws")==0&&state->cbind_flag=='n')&&
1045+
!(strcmp(channel_binding,"eSws")==0&&state->cbind_flag=='y'))
10401046
ereport(ERROR,
10411047
(errcode(ERRCODE_PROTOCOL_VIOLATION),
10421048
(errmsg("unexpected SCRAM channel-binding attribute in client-final-message"))));
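Review bot: The new test on channel_binding in read_client_final_message is written as two negated conjunctions joined with &&, which is easy to misread and will be awkward to extend if another flag is ever accepted. Selecting the expected string from state->cbind_flag first ("biws" for 'n', "eSws" for 'y') and then doing a single strcmp against it would express the same check more directly. The literals also only match a GS2 header with an empty authzid, so the check relies on a non-empty authzid having been rejected earlier, which is not visible in this hunk and deserves a mention in the comment. The comment still opens with "We don't support channel binding", which reads oddly next to the new 'y' case; it could say that 'y' is accepted because it means the client believes the server lacks channel binding.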
