NotificationsYou must be signed in to change notification settings
Fork28
Star151

Commit41a6de4

committed

Fix confusing error caused by connection parameter channel_binding

When using a client compiled without channel binding support (linking toOpenSSL 1.0.1 or older) to connect to a server which supports channelbinding (linking to OpenSSL 1.0.2 or newer), libpq would generate aconfusing error message with channel_binding=require for an SSLconnection, where the server sends back SCRAM-SHA-256-PLUS:"channel binding is required, but server did not offer an authenticationmethod that supports channel binding."This is confusing because the server did send a SASL mechanism able tosupport channel binding, but libpq was not able to detect thatproperly.The situation can be summarized as followed for the case described inthe previous paragraph for the SASL mechanisms used with the variousmodes of channel_binding:1) Client supports channel binding.1-1) channel_binding = disable => OK, with SCRAM-SHA-256.1-2) channel_binding = prefer => OK, with SCRAM-SHA-256-PLUS.1-3) channel_binding = require => OK, with SCRAM-SHA-256-PLUS.2) Client does not support channel binding.2-1) channel_binding = disable => OK, with SCRAM-SHA-256.2-2) channel_binding = prefer => OK, with SCRAM-SHA-256.2-3) channel_binding = require => failure with new error message,instead of the confusing one.This commit updates case 2-3 to generate a better error message. Notethat the SSL TAP tests are not impacted as it is not possible to testwith mixed versions of OpenSSL for the backend and libpq.Reported-by: Tom LaneAuthor: Michael PaquierReviewed-by: Jeff Davis, Tom LaneDiscussion:https://postgr.es/m/24857.1569775891@sss.pgh.pa.us

1 parent5dd7fc1 commit41a6de4Copy full SHA for 41a6de4

File tree

1 file changed

+18

-4

lines changed

src/interfaces/libpq
- fe-auth.c

1 file changed

+18

-4

lines changed

`‎src/interfaces/libpq/fe-auth.c`

Lines changed: 18 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -471,14 +471,28 @@ pg_SASL_init(PGconn *conn, int payloadlen)`
`471`	`471`	`{`
`472`	`472`	`if (conn->ssl_in_use)`
`473`	`473`	`{`
	`474`	`+/* The server has offered SCRAM-SHA-256-PLUS. */`
	`475`	`+`
	`476`	`+#ifdefHAVE_PGTLS_GET_PEER_CERTIFICATE_HASH`
`474`	`477`	`/*`
`475`		`- * The server has offered SCRAM-SHA-256-PLUS, which is only`
`476`		`- * supported by the client if a hash of the peer certificate`
`477`		`- * can be created, and if channel_binding is not disabled.`
	`478`	`+ * The client supports channel binding, which is chosen if`
	`479`	`+ * channel_binding is not disabled.`
`478`	`480`	`*/`
`479`		`-#ifdefHAVE_PGTLS_GET_PEER_CERTIFICATE_HASH`
`480`	`481`	`if (conn->channel_binding[0]!='d')/* disable */`
`481`	`482`	`selected_mechanism=SCRAM_SHA_256_PLUS_NAME;`
	`483`	`+#else`
	`484`	`+/*`
	`485`	`+ * The client does not support channel binding. If it is`
	`486`	`+ * required, complain immediately instead of the error below`
	`487`	`+ * which would be confusing as the server is publishing`
	`488`	`+ * SCRAM-SHA-256-PLUS.`
	`489`	`+ */`
	`490`	`+if (conn->channel_binding[0]=='r')/* require */`
	`491`	`+{`
	`492`	`+printfPQExpBuffer(&conn->errorMessage,`
	`493`	`+libpq_gettext("channel binding is required, but client does not support it\n"));`
	`494`	`+gotoerror;`
	`495`	`+}`
`482`	`496`	`#endif`
`483`	`497`	`}`
`484`	`498`	`else`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit41a6de4

File tree

1 file changed

1 file changed

`‎src/interfaces/libpq/fe-auth.c`

0 commit comments