NotificationsYou must be signed in to change notification settings
Fork28
Star151

Commit86ab28f

committed

Check channel binding flag at end of SCRAM exchange

We need to check whether the channel-binding flag encoded in theclient-final-message is the same one sent in the client-first-message.Reviewed-by: Michael Paquier <michael.paquier@gmail.com>

1 parent143b54d commit86ab28fCopy full SHA for 86ab28f

File tree

2 files changed

+12

-3

lines changed

src
- backend/libpq
  - auth-scram.c
- interfaces/libpq
  - fe-auth-scram.c

2 files changed

+12

-3

lines changed

`‎src/backend/libpq/auth-scram.c`

Lines changed: 8 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -110,6 +110,7 @@ typedef struct`
`110`	`110`
`111`	`111`	`constcharusername;/ username from startup packet */`
`112`	`112`
	`113`	`+charcbind_flag;`
`113`	`114`	`boolssl_in_use;`
`114`	`115`	`constchar*tls_finished_message;`
`115`	`116`	`size_ttls_finished_len;`
`@@ -788,6 +789,7 @@ read_client_first_message(scram_state state, char input)`
`788`	`789`	`* Read gs2-cbind-flag. (For details see also RFC 5802 Section 6 "Channel`
`789`	`790`	`* Binding".)`
`790`	`791`	`*/`
	`792`	`+state->cbind_flag=*input;`
`791`	`793`	`switch (*input)`
`792`	`794`	`{`
`793`	`795`	`case'n':`
`@@ -1111,6 +1113,8 @@ read_client_final_message(scram_state state, char input)`
`1111`	`1113`	`char*b64_message;`
`1112`	`1114`	`intb64_message_len;`
`1113`	`1115`
	`1116`	`+Assert(state->cbind_flag=='p');`
	`1117`	`+`
`1114`	`1118`	`/*`
`1115`	`1119`	`* Fetch data appropriate for channel binding type`
`1116`	`1120`	`*/`
`@@ -1155,10 +1159,11 @@ read_client_final_message(scram_state state, char input)`
`1155`	`1159`	`/*`
`1156`	`1160`	`* If we are not using channel binding, the binding data is expected`
`1157`	`1161`	`* to always be "biws", which is "n,," base64-encoded, or "eSws",`
`1158`		`- * which is "y,,".`
	`1162`	`+ * which is "y,,". We also have to check whether the flag is the same`
	`1163`	`+ * one that the client originally sent.`
`1159`	`1164`	`*/`
`1160`		`-if (strcmp(channel_binding,"biws")!=0&&`
`1161`		`-strcmp(channel_binding,"eSws")!=0)`
	`1165`	`+if (!(strcmp(channel_binding,"biws")==0&&state->cbind_flag=='n')&&`
	`1166`	`+!(strcmp(channel_binding,"eSws")==0&&state->cbind_flag=='y'))`
`1162`	`1167`	`ereport(ERROR,`
`1163`	`1168`	`(errcode(ERRCODE_PROTOCOL_VIOLATION),`
`1164`	`1169`	`(errmsg("unexpected SCRAM channel-binding attribute in client-final-message"))));`

`‎src/interfaces/libpq/fe-auth-scram.c`

Lines changed: 4 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -437,6 +437,10 @@ build_client_final_message(fe_scram_state *state, PQExpBuffer errormessage)`
`437`	`437`	`/*`
`438`	`438`	`* Construct client-final-message-without-proof. We need to remember it`
`439`	`439`	`* for verifying the server proof in the final step of authentication.`
	`440`	`+ *`
	`441`	`+ * The channel binding flag handling (p/y/n) must be consistent with`
	`442`	`+ * build_client_first_message(), because the server will check that it's`
	`443`	`+ * the same flag both times.`
`440`	`444`	`*/`
`441`	`445`	`if (strcmp(state->sasl_mechanism,SCRAM_SHA256_PLUS_NAME)==0)`
`442`	`446`	`{`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit86ab28f

File tree

2 files changed

2 files changed

`‎src/backend/libpq/auth-scram.c`

`‎src/interfaces/libpq/fe-auth-scram.c`

0 commit comments