Commit 86ab28f

Check channel binding flag at end of SCRAM exchange

We need to check whether the channel-binding flag encoded in the client-final-message is the same one sent in the client-first-message.

Reviewed-by: Michael Paquier <michael.paquier@gmail.com>
1 parent 143b54d, commit 86ab28f
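As an added illustration that is not part of this commit or of PostgreSQL's code base, the following Python models the server-side rule the commit message describes: the c= attribute of client-final-message must decode to exactly the gs2-header the server saw in client-first-message, so a flag that changes between the two messages is a protocol violation. It follows the RFC 5802 message grammar generally (any authzid, and "p=" with the server's own channel-binding bytes, which in the patched code is the tls_finished_message), rather than only the "biws"/"eSws" literals the C code compares against. Every message string, nonce and channel-binding byte string below is constructed; `legacy_check` stands for the pre-commit test and `check_channel_binding` for the post-commit rule, both named here for illustration only.

```python
import base64
from typing import Optional, Tuple

# Added example, not PostgreSQL code: a minimal model of the server-side check
# that the channel-binding attribute (c=) of client-final-message agrees with
# the gs2-cbind-flag the client sent in client-first-message (RFC 5802, 7).
# All message strings and channel-binding bytes in this file are constructed.


class ProtocolViolation(Exception):
    """Raised where the server would ereport(ERRCODE_PROTOCOL_VIOLATION)."""


def parse_client_first(msg: str) -> Tuple[str, Optional[str], str]:
    """Return (cbind_flag, cb_name, gs2_header) from a client-first-message.

    gs2-header     = gs2-cbind-flag "," [authzid] ","
    gs2-cbind-flag = ("p=" cb-name) / "n" / "y"
    """
    parts = msg.split(",", 2)
    if len(parts) != 3:
        raise ProtocolViolation("malformed gs2-header")
    flag_field, authzid, _bare = parts
    gs2_header = flag_field + "," + authzid + ","
    if flag_field in ("n", "y"):
        return flag_field, None, gs2_header
    if flag_field.startswith("p=") and len(flag_field) > 2:
        return "p", flag_field[2:], gs2_header
    raise ProtocolViolation("malformed gs2-cbind-flag")


def channel_binding_attr(final_msg: str) -> bytes:
    """Return the base64-decoded c= attribute, which must open client-final-message."""
    first = final_msg.split(",", 1)[0]
    if not first.startswith("c="):
        raise ProtocolViolation("client-final-message must start with c=")
    try:
        return base64.b64decode(first[2:], validate=True)
    except ValueError:
        raise ProtocolViolation("c= is not valid base64") from None


def make_channel_binding_attr(gs2_header: str, cb_data: bytes = b"") -> str:
    """Client side: c= is base64(gs2-header || cbind-data); cb_data is empty for 'n'/'y'."""
    return base64.b64encode(gs2_header.encode() + cb_data).decode()


def legacy_check(final_msg: str) -> bool:
    """Pre-commit server test: accept "biws" ("n,,") or "eSws" ("y,,") no matter
    which flag client-first-message carried."""
    first = final_msg.split(",", 1)[0]
    return first.startswith("c=") and first[2:] in ("biws", "eSws")


def check_channel_binding(client_first: str, client_final: str, cb_data: bytes = b"") -> str:
    """Post-commit rule: c= must decode to exactly the gs2-header seen in
    client-first-message, plus the server's own channel-binding data when the
    flag was 'p'. Returns the flag on success, raises ProtocolViolation otherwise."""
    flag, _cb_name, gs2_header = parse_client_first(client_first)
    decoded = channel_binding_attr(client_final)
    expected = gs2_header.encode() + (cb_data if flag == "p" else b"")
    if decoded != expected:
        raise ProtocolViolation(
            "unexpected SCRAM channel-binding attribute in client-final-message")
    return flag


def rejects(client_first: str, client_final: str, cb_data: bytes = b"") -> bool:
    """True if the post-commit check refuses this pair of messages."""
    try:
        check_channel_binding(client_first, client_final, cb_data)
    except ProtocolViolation:
        return True
    return False


if __name__ == "__main__":
    # Constructed exchange: client-first says 'n', client-final carries "biws".
    first_n = "n,,n=user,r=clientnonce"
    final_n = "c=biws,r=clientnonceservernonce,p=proof"
    print("consistent exchange, flag:", check_channel_binding(first_n, final_n))
    # Flag changed between the messages: "eSws" ("y,,") after an 'n' first message.
    final_y = "c=eSws,r=clientnonceservernonce,p=proof"
    print("legacy check accepts changed flag:", legacy_check(final_y))
    print("new check rejects changed flag:", rejects(first_n, final_y))
```

The difference the commit makes is visible in the last two lines: the old test looks only at the c= value in isolation and is satisfied by either base64 literal, while the new rule ties that value back to the flag the server recorded from client-first-message, which is also what lets the "p=" case demand the server's own channel-binding bytes instead of whatever the client supplied.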

2 files changed, +12 -3 lines


src/backend/libpq/auth-scram.c

Lines changed: 8 additions & 3 deletions
@@ -110,6 +110,7 @@ typedef struct
110110

111111
constchar*username;/* username from startup packet */
112112

113+
charcbind_flag;
113114
boolssl_in_use;
114115
constchar*tls_finished_message;
115116
size_ttls_finished_len;
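Review bot: the new `char cbind_flag;` member is the only field in this part of the struct without a trailing comment, while its neighbours document themselves (`/* username from startup packet */`). Suggest `char cbind_flag; /* gs2-cbind-flag from client-first-message: 'n', 'y' or 'p' */` so the later comparisons against 'n', 'y' and 'p' in read_client_final_message() are self-explanatory.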
@@ -788,6 +789,7 @@ read_client_first_message(scram_state *state, char *input)
788789
* Read gs2-cbind-flag. (For details see also RFC 5802 Section 6 "Channel
789790
* Binding".)
790791
*/
792+
state->cbind_flag=*input;
791793
switch (*input)
792794
{
793795
case'n':
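Review bot: `state->cbind_flag = *input;` stores the byte before the `switch (*input)` has validated it, so for a malformed flag the state briefly holds an arbitrary client-supplied character. That is harmless only if the switch's default branch (outside this hunk) reports a protocol error and never returns to the caller; either add a one-line comment saying cbind_flag is meaningful only once the switch has accepted it, or move the assignment into the accepted cases so the field can never hold anything but 'n', 'y' or 'p'.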
@@ -1111,6 +1113,8 @@ read_client_final_message(scram_state *state, char *input)
11111113
char*b64_message;
11121114
intb64_message_len;
11131115

1116+
Assert(state->cbind_flag=='p');
1117+
11141118
/*
11151119
* Fetch data appropriate for channel binding type
11161120
*/
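Review bot: `Assert(state->cbind_flag == 'p');` is compiled out in non-assert builds, and cbind_flag is a byte the client sent. The assertion is only safe if the enclosing channel-binding branch (not visible in this hunk) is entered solely when the client-first-message flag was 'p'; if that branch can be reached on any other basis, this should be an `ereport(ERROR, (errcode(ERRCODE_PROTOCOL_VIOLATION), ...))` like the check for the 'n'/'y' cases below, not an Assert. A comment naming the condition that guarantees the flag here would settle the question for the next reader.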
@@ -1155,10 +1159,11 @@ read_client_final_message(scram_state *state, char *input)
11551159
/*
11561160
* If we are not using channel binding, the binding data is expected
11571161
* to always be "biws", which is "n,," base64-encoded, or "eSws",
1158-
* which is "y,,".
1162+
* which is "y,,". We also have to check whether the flag is the same
1163+
* one that the client originally sent.
11591164
*/
1160-
if (strcmp(channel_binding,"biws")!=0&&
1161-
strcmp(channel_binding,"eSws")!=0)
1165+
if (!(strcmp(channel_binding,"biws")==0&&state->cbind_flag=='n')&&
1166+
!(strcmp(channel_binding,"eSws")==0&&state->cbind_flag=='y'))
11621167
ereport(ERROR,
11631168
(errcode(ERRCODE_PROTOCOL_VIOLATION),
11641169
(errmsg("unexpected SCRAM channel-binding attribute in client-final-message"))));
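Review bot: the two negated conjunctions in the new `if` are correct (the message is accepted only for "biws" with 'n' or "eSws" with 'y') but hard to read; the positive form states the rule directly: `if (!((state->cbind_flag == 'n' && strcmp(channel_binding, "biws") == 0) || (state->cbind_flag == 'y' && strcmp(channel_binding, "eSws") == 0)))`. Also, the unchanged error message now covers two distinct failures, an unknown c= value and a flag that differs from the one in client-first-message; an errdetail for the mismatch case would make a flag that changed between the two messages visible in the server log rather than indistinguishable from a malformed client.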

src/interfaces/libpq/fe-auth-scram.c

Lines changed: 4 additions & 0 deletions
@@ -437,6 +437,10 @@ build_client_final_message(fe_scram_state *state, PQExpBuffer errormessage)
437437
/*
438438
* Construct client-final-message-without-proof. We need to remember it
439439
* for verifying the server proof in the final step of authentication.
440+
*
441+
* The channel binding flag handling (p/y/n) must be consistent with
442+
* build_client_first_message(), because the server will check that it's
443+
* the same flag both times.
440444
*/
441445
if (strcmp(state->sasl_mechanism,SCRAM_SHA256_PLUS_NAME)==0)
442446
{
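Review bot: this hunk only documents the constraint; the client still derives the flag independently in build_client_first_message() and here, from `strcmp(state->sasl_mechanism, SCRAM_SHA256_PLUS_NAME)`, so the consistency the comment promises rests on both call sites staying in step. Recording the chosen flag in fe_scram_state when client-first-message is built and reusing that byte here would make the server's new check unable to fail for libpq, and the comment could then point at the field instead of at the other function.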

0 commit comments

Comments
 (0)

[8]ページ先頭

©2009-2025 Movatter.jp