NotificationsYou must be signed in to change notification settings
Fork28
Star151

Commitf3049a6

committed

Refactor channel binding code to fetch cbind_data only when necessary

As things stand now, channel binding data is fetched from OpenSSL andsaved into the SCRAM exchange context for any SSL connection attemptedfor a SCRAM authentication, resulting in data fetched but not used if nochannel binding is used or if a different channel binding type is usedthan what the data is here for.Refactor the code in such a way that binding data is fetched from theSSL stack only when a specific channel binding is used for both thefrontend and the backend. In order to achieve that, save the libpqconnection context directly in the SCRAM exchange state, and add adependency to SSL in the low-level SCRAM routines.This makes the interface in charge of initializing the SCRAM contextcleaner as all its data comes from either PGconn* (for frontend) orPort* (for the backend).Author: Michael Paquier <michael.paquier@gmail.com>

1 parent3ad2afc commitf3049a6Copy full SHA for f3049a6

File tree

6 files changed

+102

-152

lines changed

src
- backend/libpq
  - auth-scram.c
  - auth.c
- include/libpq
  - scram.h
- interfaces/libpq

6 files changed

+102

-152

lines changed

`‎src/backend/libpq/auth-scram.c`

Lines changed: 13 additions & 20 deletions

Original file line number	Diff line number	Diff line change
`@@ -110,10 +110,8 @@ typedef struct`
`110`	`110`
`111`	`111`	`constcharusername;/ username from startup packet */`
`112`	`112`
	`113`	`+Port*port;`
`113`	`114`	`charcbind_flag;`
`114`		`-boolssl_in_use;`
`115`		`-constchar*tls_finished_message;`
`116`		`-size_ttls_finished_len;`
`117`	`115`	`char*channel_binding_type;`
`118`	`116`
`119`	`117`	`intiterations;`
`@@ -172,21 +170,15 @@ static char scram_mock_salt(const char username);`
`172`	`170`	`* it will fail, as if an incorrect password was given.`
`173`	`171`	`*/`
`174`	`172`	`void*`
`175`		`-pg_be_scram_init(constchar*username,`
`176`		`-constchar*shadow_pass,`
`177`		`-boolssl_in_use,`
`178`		`-constchar*tls_finished_message,`
`179`		`-size_ttls_finished_len)`
	`173`	`+pg_be_scram_init(Port*port,`
	`174`	`+constchar*shadow_pass)`
`180`	`175`	`{`
`181`	`176`	`scram_state*state;`
`182`	`177`	`boolgot_verifier;`
`183`	`178`
`184`	`179`	`state= (scram_state*)palloc0(sizeof(scram_state));`
	`180`	`+state->port=port;`
`185`	`181`	`state->state=SCRAM_AUTH_INIT;`
`186`		`-state->username=username;`
`187`		`-state->ssl_in_use=ssl_in_use;`
`188`		`-state->tls_finished_message=tls_finished_message;`
`189`		`-state->tls_finished_len=tls_finished_len;`
`190`	`182`	`state->channel_binding_type=NULL;`
`191`	`183`
`192`	`184`	`/*`
`@@ -209,7 +201,7 @@ pg_be_scram_init(const char *username,`
`209`	`201`	`*/`
`210`	`202`	`ereport(LOG,`
`211`	`203`	`(errmsg("invalid SCRAM verifier for user \"%s\"",`
`212`		`-username)));`
	`204`	`+state->port->user_name)));`
`213`	`205`	`got_verifier= false;`
`214`	`206`	`}`
`215`	`207`	`}`
`@@ -220,7 +212,7 @@ pg_be_scram_init(const char *username,`
`220`	`212`	`* authentication with an MD5 hash.)`
`221`	`213`	`*/`
`222`	`214`	`state->logdetail=psprintf(_("User \"%s\" does not have a valid SCRAM verifier."),`
`223`		`-state->username);`
	`215`	`+state->port->user_name);`
`224`	`216`	`got_verifier= false;`
`225`	`217`	`}`
`226`	`218`	`}`
`@@ -242,8 +234,8 @@ pg_be_scram_init(const char *username,`
`242`	`234`	`*/`
`243`	`235`	`if (!got_verifier)`
`244`	`236`	`{`
`245`		`-mock_scram_verifier(username,&state->iterations,&state->salt,`
`246`		`-state->StoredKey,state->ServerKey);`
	`237`	`+mock_scram_verifier(state->port->user_name,&state->iterations,`
	`238`	`+&state->salt,state->StoredKey,state->ServerKey);`
`247`	`239`	`state->doomed= true;`
`248`	`240`	`}`
`249`	`241`
`@@ -815,7 +807,7 @@ read_client_first_message(scram_state state, char input)`
`815`	`807`	`* it supports channel binding, which in this implementation is`
`816`	`808`	`* the case if a connection is using SSL.`
`817`	`809`	`*/`
`818`		`-if (state->ssl_in_use)`
	`810`	`+if (state->port->ssl_in_use)`
`819`	`811`	`ereport(ERROR,`
`820`	`812`	`(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),`
`821`	`813`	`errmsg("SCRAM channel binding negotiation error"),`
`@@ -839,7 +831,7 @@ read_client_first_message(scram_state state, char input)`
`839`	`831`	`{`
`840`	`832`	`char*channel_binding_type;`
`841`	`833`
`842`		`-if (!state->ssl_in_use)`
	`834`	`+if (!state->port->ssl_in_use)`
`843`	`835`	`{`
`844`	`836`	`/*`
`845`	`837`	`* Without SSL, we don't support channel binding.`
`@@ -1120,8 +1112,9 @@ read_client_final_message(scram_state state, char input)`
`1120`	`1112`	`*/`
`1121`	`1113`	`if (strcmp(state->channel_binding_type,SCRAM_CHANNEL_BINDING_TLS_UNIQUE)==0)`
`1122`	`1114`	`{`
`1123`		`-cbind_data=state->tls_finished_message;`
`1124`		`-cbind_data_len=state->tls_finished_len;`
	`1115`	`+#ifdefUSE_SSL`
	`1116`	`+cbind_data=be_tls_get_peer_finished(state->port,&cbind_data_len);`
	`1117`	`+#endif`
`1125`	`1118`	`}`
`1126`	`1119`	`else`
`1127`	`1120`	`{`

`‎src/backend/libpq/auth.c`

Lines changed: 1 addition & 18 deletions

Original file line number	Diff line number	Diff line change
`@@ -873,8 +873,6 @@ CheckSCRAMAuth(Port port, char shadow_pass, char **logdetail)`
`873`	`873`	`intinputlen;`
`874`	`874`	`intresult;`
`875`	`875`	`boolinitial;`
`876`		`-char*tls_finished=NULL;`
`877`		`-size_ttls_finished_len=0;`
`878`	`876`
`879`	`877`	`/*`
`880`	`878`	`* SASL auth is not supported for protocol versions before 3, because it`
`@@ -915,17 +913,6 @@ CheckSCRAMAuth(Port port, char shadow_pass, char **logdetail)`
`915`	`913`	`sendAuthRequest(port,AUTH_REQ_SASL,sasl_mechs,p-sasl_mechs+1);`
`916`	`914`	`pfree(sasl_mechs);`
`917`	`915`
`918`		`-#ifdefUSE_SSL`
`919`		`-`
`920`		`-/*`
`921`		`- * Get data for channel binding.`
`922`		`- */`
`923`		`-if (port->ssl_in_use)`
`924`		`-{`
`925`		`-tls_finished=be_tls_get_peer_finished(port,&tls_finished_len);`
`926`		`-}`
`927`		`-#endif`
`928`		`-`
`929`	`916`	`/*`
`930`	`917`	`* Initialize the status tracker for message exchanges.`
`931`	`918`	`*`
`@@ -937,11 +924,7 @@ CheckSCRAMAuth(Port port, char shadow_pass, char **logdetail)`
`937`	`924`	`* This is because we don't want to reveal to an attacker what usernames`
`938`	`925`	`* are valid, nor which users have a valid password.`
`939`	`926`	`*/`
`940`		`-scram_opaq=pg_be_scram_init(port->user_name,`
`941`		`-shadow_pass,`
`942`		`-port->ssl_in_use,`
`943`		`-tls_finished,`
`944`		`-tls_finished_len);`
	`927`	`+scram_opaq=pg_be_scram_init(port,shadow_pass);`
`945`	`928`
`946`	`929`	`/*`
`947`	`930`	`* Loop through SASL message exchange. This exchange can consist of`

`‎src/include/libpq/scram.h`

Lines changed: 3 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -13,15 +13,15 @@`
`13`	`13`	`#ifndefPG_SCRAM_H`
`14`	`14`	`#definePG_SCRAM_H`
`15`	`15`
	`16`	`+#include"libpq/libpq-be.h"`
	`17`	`+`
`16`	`18`	`/* Status codes for message exchange */`
`17`	`19`	`#defineSASL_EXCHANGE_CONTINUE0`
`18`	`20`	`#defineSASL_EXCHANGE_SUCCESS1`
`19`	`21`	`#defineSASL_EXCHANGE_FAILURE2`
`20`	`22`
`21`	`23`	`/* Routines dedicated to authentication */`
`22`		`-externvoidpg_be_scram_init(constcharusername,constchar*shadow_pass,`
`23`		`-boolssl_in_use,constchar*tls_finished_message,`
`24`		`-size_ttls_finished_len);`
	`24`	`+externvoidpg_be_scram_init(Portport,constchar*shadow_pass);`
`25`	`25`	`externintpg_be_scram_exchange(voidopaq,charinput,intinputlen,`
`26`	`26`	`char*output,intoutputlen,char**logdetail);`
`27`	`27`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitf3049a6

File tree

6 files changed

6 files changed

`‎src/backend/libpq/auth-scram.c`

`‎src/backend/libpq/auth.c`

`‎src/include/libpq/scram.h`

0 commit comments