Commit 00707fa
Minor cleanup of backend SCRAM code.

Free each SASL message after sending it. It's not a lot of wasted memory, and it's short-lived, but the authentication code in general tries to pfree() stuff, so let's follow the example.

Adding the pfree() revealed a little bug in build_server_first_message(). It attempts to keep a copy of the sent message, but it was missing a pstrdup(), so the pointer started to dangle after adding the pfree() into CheckSCRAMAuth().

Reword comments and debug messages slightly, while we're at it.

Reviewed by Michael Paquier.

Discussion: https://www.postgresql.org/message-id/6490b975-5ee1-6280-ac1d-af975b19fb9a@iki.fi
1 parent 3d5facf, commit 00707fa

2 files changed: +12 -10 lines changed

src/backend/libpq/auth-scram.c

Lines changed: 5 additions & 5 deletions
@@ -161,10 +161,10 @@ static char *scram_MockSalt(const char *username);
161161
* needs to be called before doing any exchange. It will be filled later
162162
* after the beginning of the exchange with verifier data.
163163
*
164-
* 'username' is the provided by the client. 'shadow_pass' istherole's
165-
* password verifier, from pg_authid.rolpassword. If 'shadow_pass' is NULL, we
166-
* still perform an authentication exchange, but it will fail, as if an
167-
* incorrect password was given.
164+
* 'username' is theusernameprovided by the client inthestartup message.
165+
*'shadow_pass' is the role'spassword verifier, from pg_authid.rolpassword.
166+
*If 'shadow_pass' is NULL, westill perform an authentication exchange, but
167+
*it will fail, as if anincorrect password was given.
168168
*/
169169
void*
170170
pg_be_scram_init(constchar*username,constchar*shadow_pass)
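Review bot: the reworded header comment for pg_be_scram_init() now states that a NULL 'shadow_pass' still runs a full exchange that fails "as if an incorrect password was given", but it does not say why; a short pointer to the reason given in the caller's comment in auth.c (not revealing to an attacker which usernames exist or which roles have a valid password) would make the mock-exchange contract self-explanatory to someone reading only this file.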
@@ -984,7 +984,7 @@ build_server_first_message(scram_state *state)
984984
state->client_nonce,state->server_nonce,
985985
state->salt,state->iterations);
986986

987-
returnstate->server_first_message;
987+
returnpstrdup(state->server_first_message);
988988
}
989989

990990

src/backend/libpq/auth.c

Lines changed: 7 additions & 5 deletions
@@ -872,6 +872,8 @@ CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail)
872872
strlen(SCRAM_SHA256_NAME)+1);
873873

874874
/*
875+
* Initialize the status tracker for message exchanges.
876+
*
875877
* If the user doesn't exist, or doesn't have a valid password, or it's
876878
* expired, we still go through the motions of SASL authentication, but
877879
* tell the authentication method that the authentication is "doomed".
@@ -880,8 +882,6 @@ CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail)
880882
* This is because we don't want to reveal to an attacker what usernames
881883
* are valid, nor which users have a valid password.
882884
*/
883-
884-
/* Initialize the status tracker for message exchanges */
885885
scram_opaq=pg_be_scram_init(port->user_name,shadow_pass);
886886

887887
/*
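Review bot: removing the standalone "Initialize the status tracker for message exchanges" comment and the two blank lines at 883-884 leaves the merged comment block (starting at 874) immediately above the `pg_be_scram_init(port->user_name, shadow_pass);` call it describes, so the explanation of the "doomed" mock exchange and the call that implements it are no longer separated; no orphaned comment remains.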
@@ -918,7 +918,7 @@ CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail)
918918
returnSTATUS_ERROR;
919919
}
920920

921-
elog(DEBUG4,"Processing received SASLtoken of length %d",buf.len);
921+
elog(DEBUG4,"Processing received SASLresponse of length %d",buf.len);
922922

923923
/*
924924
* we pass 'logdetail' as NULL when doing a mock authentication,
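Review bot: the DEBUG4 message at 921 now says "SASL response" instead of "SASL token", which matches the client/server terminology used for the counterpart message at 939 ("SASL challenge"); keeping the log line to the length only, with no part of `buf.data`, is correct since the client's messages carry the authentication proof.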
@@ -931,14 +931,16 @@ CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail)
931931
/* input buffer no longer used */
932932
pfree(buf.data);
933933

934-
if (outputlen>0)
934+
if (output)
935935
{
936936
/*
937937
* Negotiation generated data to be sent to the client.
938938
*/
939-
elog(DEBUG4,"sending SASLresponse token of length %u",outputlen);
939+
elog(DEBUG4,"sending SASLchallenge of length %u",outputlen);
940940

941941
sendAuthRequest(port,AUTH_REQ_SASL_CONT,output,outputlen);
942+
943+
pfree(output);
942944
}
943945
}while (result==SASL_EXCHANGE_CONTINUE);
944946
