authorPeter Eisentraut <peter_e@gmx.net>2018-01-04 13:53:09 -0500
committerPeter Eisentraut <peter_e@gmx.net>2018-01-04 13:55:12 -0500
commitf3049a603a7950f313b33ab214f11563c66dc069 (patch)
treef870af0cee87ab890b6925a202c43de7624972fd /src/backend/libpq/auth.c
parent3ad2afc2e98fc85d5cf9529d84265b70acc0b13d (diff)
Refactor channel binding code to fetch cbind_data only when necessary
As things stand now, channel binding data is fetched from OpenSSL and saved into the SCRAM exchange context for any SSL connection attempted for a SCRAM authentication, resulting in data being fetched but not used if no channel binding is used, or if a different channel binding type is used than the one the data is for. Refactor the code in such a way that binding data is fetched from the SSL stack only when a specific channel binding is used for both the frontend and the backend. In order to achieve that, save the libpq connection context directly in the SCRAM exchange state, and add a dependency on SSL in the low-level SCRAM routines. This makes the interface in charge of initializing the SCRAM context cleaner, as all its data comes from either PGconn* (for the frontend) or Port* (for the backend). Author: Michael Paquier <michael.paquier@gmail.com>
Diffstat (limited to 'src/backend/libpq/auth.c')
-rw-r--r--src/backend/libpq/auth.c19
1 files changed, 1 insertions, 18 deletions
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index f327f7bb1bf..746d7cbb8ad 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -873,8 +873,6 @@ CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail)
int inputlen;
int result;
bool initial;
- char *tls_finished = NULL;
- size_t tls_finished_len = 0;
/*
* SASL auth is not supported for protocol versions before 3, because it
@@ -915,17 +913,6 @@ CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail)
sendAuthRequest(port, AUTH_REQ_SASL, sasl_mechs, p - sasl_mechs + 1);
pfree(sasl_mechs);
-#ifdef USE_SSL
-
- /*
- * Get data for channel binding.
- */
- if (port->ssl_in_use)
- {
- tls_finished = be_tls_get_peer_finished(port, &tls_finished_len);
- }
-#endif
-
/*
* Initialize the status tracker for message exchanges.
*
@@ -937,11 +924,7 @@ CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail)
* This is because we don't want to reveal to an attacker what usernames
* are valid, nor which users have a valid password.
*/
- scram_opaq = pg_be_scram_init(port->user_name,
- shadow_pass,
- port->ssl_in_use,
- tls_finished,
- tls_finished_len);
+ scram_opaq = pg_be_scram_init(port, shadow_pass);
/*
* Loop through SASL message exchange. This exchange can consist of
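Review bot: The comment block above the new `pg_be_scram_init(port, shadow_pass)` call still only explains why initialization must not fail for unknown users; it says nothing about the fact that channel-binding data is no longer fetched in CheckSCRAMAuth but obtained from `port` by the SCRAM code itself, which is the point of this refactoring. A reader of this function now has no local hint of where the TLS finished-message data comes from, so I would extend that comment with a line such as `* The Port is handed to the SCRAM code so it can fetch TLS channel-binding data itself, and only for the binding type actually negotiated.` Since the exchange state presumably retains the Port pointer (per the commit description), that state must not outlive the connection; that looks fine here because the exchange runs within this function, but it is worth confirming where the state is freed. CheckSCRAMAuth begins before and continues past this hunk.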