Commit adcdb2c

Explicitly require password for SCRAM exchange

This refactors the SASL init flow to set password_needed on the two SCRAM exchanges currently supported. The code already required this but was set up in such a way that all SASL exchanges required using a password, a restriction which may not hold for all exchanges (the example at hand being the proposed OAuthbearer exchange).

This was extracted from a larger patchset to introduce OAuthBearer authentication and authorization.

Author: Jacob Champion <jacob.champion@enterprisedb.com>
Discussion: https://postgr.es/m/d1b467a78e0e36ed85a09adf979d04cf124a9d4b.camel@vmware.com

1 parent 24178e2 commit adcdb2c

1 file changed: 15 additions & 13 deletions

src/interfaces/libpq/fe-auth.c
@@ -425,7 +425,7 @@ pg_SASL_init(PGconn *conn, int payloadlen)
425425
intinitialresponselen;
426426
constchar*selected_mechanism;
427427
PQExpBufferDatamechanism_buf;
428-
char*password;
428+
char*password=NULL;
429429
SASLStatusstatus;
430430

431431
initPQExpBuffer(&mechanism_buf);
@@ -446,8 +446,7 @@ pg_SASL_init(PGconn *conn, int payloadlen)
446446
/*
447447
* Parse the list of SASL authentication mechanisms in the
448448
* AuthenticationSASL message, and select the best mechanism that we
449-
* support. SCRAM-SHA-256-PLUS and SCRAM-SHA-256 are the only ones
450-
* supported at the moment, listed by order of decreasing importance.
449+
* support. Mechanisms are listed by order of decreasing importance.
451450
*/
452451
selected_mechanism=NULL;
453452
for (;;)
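Review bot: In the rewritten comment above `selected_mechanism = NULL`, the sentence "Mechanisms are listed by order of decreasing importance" has lost its referent now that the SCRAM names are gone, so a reader cannot tell whether it describes the server's list in the AuthenticationSASL message or the order of the checks in the loop that follows. Suggest phrasing it as the client's preference, for example "We try the mechanisms we support in decreasing order of preference."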
@@ -487,6 +486,7 @@ pg_SASL_init(PGconn *conn, int payloadlen)
487486
{
488487
selected_mechanism=SCRAM_SHA_256_PLUS_NAME;
489488
conn->sasl=&pg_scram_mech;
489+
conn->password_needed= true;
490490
}
491491
#else
492492
/*
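Review bot: Setting `conn->password_needed = true` inside the SCRAM-SHA-256-PLUS selection branch ties the flag to a choice made partway through the `for (;;)` loop. If a later iteration can replace `selected_mechanism` with a mechanism that needs no password, the flag stays true and the check further down still fails with PQnoPasswordSupplied. Consider assigning the flag once after the loop from the final selection, or clearing it wherever a mechanism that needs no password is chosen.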
@@ -522,6 +522,7 @@ pg_SASL_init(PGconn *conn, int payloadlen)
522522
{
523523
selected_mechanism=SCRAM_SHA_256_NAME;
524524
conn->sasl=&pg_scram_mech;
525+
conn->password_needed= true;
525526
}
526527
}
527528

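Review bot: With this assignment in the SCRAM-SHA-256 branch, the visible changes only ever set `conn->password_needed` to true, and the unconditional assignment is removed further down, so the new `if (conn->password_needed)` test depends on the field being false on entry to pg_SASL_init. Suggest resetting it to false next to `selected_mechanism = NULL`, or noting in a comment where it is cleared, so that a value left over from an earlier authentication attempt on the same PGconn cannot force the password check for a mechanism that does not need one.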
@@ -545,18 +546,19 @@ pg_SASL_init(PGconn *conn, int payloadlen)
545546

546547
/*
547548
* First, select the password to use for the exchange, complaining if
548-
* there isn't one. Currently, all supported SASL mechanisms require a
549-
* password, so we can just go ahead here without further distinction.
549+
* there isn't one and the selected SASL mechanism needs it.
550550
*/
551-
conn->password_needed= true;
552-
password=conn->connhost[conn->whichhost].password;
553-
if (password==NULL)
554-
password=conn->pgpass;
555-
if (password==NULL||password[0]=='\0')
551+
if (conn->password_needed)
556552
{
557-
appendPQExpBufferStr(&conn->errorMessage,
558-
PQnoPasswordSupplied);
559-
gotoerror;
553+
password=conn->connhost[conn->whichhost].password;
554+
if (password==NULL)
555+
password=conn->pgpass;
556+
if (password==NULL||password[0]=='\0')
557+
{
558+
appendPQExpBufferStr(&conn->errorMessage,
559+
PQnoPasswordSupplied);
560+
gotoerror;
561+
}
560562
}
561563

562564
Assert(conn->sasl);
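Review bot: When `conn->password_needed` is false the whole block is skipped and `password` keeps the NULL it was initialized with, so everything after `Assert(conn->sasl)` that receives `password` has to accept NULL. The new comment ("complaining if there isn't one and the selected SASL mechanism needs it") should state that `password` is left NULL in that case, and that a password configured for the host or in `conn->pgpass` is then deliberately not looked up.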
