NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commit87c346a

committed

Fix SCRAM authentication via SSL when mixing versions of OpenSSL

When using a libpq client linked with OpenSSL 1.0.1 or older to connectto a backend linked with OpenSSL 1.0.2 or newer, the server would sendSCRAM-SHA-256-PLUS and SCRAM-SHA-256 as valid mechanisms for the SASLexchange, and the client would choose SCRAM-SHA-256-PLUS even if it doesnot support channel binding, leading to a confusing error. In thiscase, what the client ought to do is switch to SCRAM-SHA-256 so as theauthentication can move on and succeed.So for a SCRAM authentication over SSL, here are all the cases presentand how we deal with them using libpq:1) Server supports channel binding, it sends SCRAM-SHA-256-PLUS andSCRAM-SHA-256 as allowed mechanisms.1-1) Client supports channel binding, chooses SCRAM-SHA-256-PLUS.1-2) Client does not support channel binding, chooses SCRAM-SHA-256.2) Server does not support channel binding, sends SCRAM-SHA-256 asallowed mechanism.2-1) Client supports channel binding, still it has no choice but tochoose SCRAM-SHA-256.2-2) Client does not support channel binding, it chooses SCRAM-SHA-256.In all these scenarios the connection should succeed, and the one whichwas handled incorrectly prior this commit is 1-2), causing theconnection attempt to fail because client chose SCRAM-SHA-256-PLUS overSCRAM-SHA-256.Reported-by: Hugh RanalliDiagnosed-by: Peter EisentrautAuthor: Michael PaquierReviewed-by: Peter EisentrautDiscussion:https://postgr.es/m/CAAhbUMO89SqUk-5mMY+OapgWf-twF2NA5sCucbHEzMfGbvcepA@mail.gmail.comBackpatch-through: 11

1 parentda35d14 commit87c346aCopy full SHA for 87c346a

File tree

1 file changed

+13

-3

lines changed

src/interfaces/libpq
- fe-auth.c

1 file changed

+13

-3

lines changed

`‎src/interfaces/libpq/fe-auth.c`

Lines changed: 13 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -526,14 +526,24 @@ pg_SASL_init(PGconn *conn, int payloadlen)`
`526`	`526`
`527`	`527`	`/*`
`528`	`528`	`* Select the mechanism to use. Pick SCRAM-SHA-256-PLUS over anything`
`529`		`- * else if a channel binding type is set. Pick SCRAM-SHA-256 if`
`530`		`- * nothing else has already been picked. If we add more mechanisms, a`
`531`		`- * more refined priority mechanism might become necessary.`
	`529`	`+ * else if a channel binding type is set and if the client supports`
	`530`	`+ * it. Pick SCRAM-SHA-256 if nothing else has already been picked. If`
	`531`	`+ * we add more mechanisms, a more refined priority mechanism might`
	`532`	`+ * become necessary.`
`532`	`533`	`*/`
`533`	`534`	`if (strcmp(mechanism_buf.data,SCRAM_SHA_256_PLUS_NAME)==0)`
`534`	`535`	`{`
`535`	`536`	`if (conn->ssl_in_use)`
	`537`	`+{`
	`538`	`+/*`
	`539`	`+ * The server has offered SCRAM-SHA-256-PLUS, which is only`
	`540`	`+ * supported by the client if a hash of the peer certificate`
	`541`	`+ * can be created.`
	`542`	`+ */`
	`543`	`+#ifdefHAVE_PGTLS_GET_PEER_CERTIFICATE_HASH`
`536`	`544`	`selected_mechanism=SCRAM_SHA_256_PLUS_NAME;`
	`545`	`+#endif`
	`546`	`+}`
`537`	`547`	`else`
`538`	`548`	`{`
`539`	`549`	`/*`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit87c346a

File tree

1 file changed

1 file changed

`‎src/interfaces/libpq/fe-auth.c`

0 commit comments