From f3049a603a7950f313b33ab214f11563c66dc069 Mon Sep 17 00:00:00 2001 From: Peter Eisentraut Date: Thu, 4 Jan 2018 13:53:09 -0500 Subject: Refactor channel binding code to fetch cbind_data only when necessary As things stand now, channel binding data is fetched from OpenSSL and saved into the SCRAM exchange context for any SSL connection attempted for a SCRAM authentication, resulting in data fetched but not used if no channel binding is used or if a different channel binding type is used than what the data is here for. Refactor the code in such a way that binding data is fetched from the SSL stack only when a specific channel binding is used for both the frontend and the backend. In order to achieve that, save the libpq connection context directly in the SCRAM exchange state, and add a dependency to SSL in the low-level SCRAM routines. This makes the interface in charge of initializing the SCRAM context cleaner as all its data comes from either PGconn* (for frontend) or Port* (for the backend). Author: Michael Paquier --- src/backend/libpq/auth.c | 19 +------------------ 1 file changed, 1 insertion(+), 18 deletions(-) (limited to 'src/backend/libpq/auth.c') diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c index f327f7bb1bf..746d7cbb8ad 100644 --- a/src/backend/libpq/auth.c +++ b/src/backend/libpq/auth.c @@ -873,8 +873,6 @@ CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail) int inputlen; int result; bool initial; - char *tls_finished = NULL; - size_t tls_finished_len = 0; /* * SASL auth is not supported for protocol versions before 3, because it @@ -915,17 +913,6 @@ CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail) sendAuthRequest(port, AUTH_REQ_SASL, sasl_mechs, p - sasl_mechs + 1); pfree(sasl_mechs); -#ifdef USE_SSL - - /* - * Get data for channel binding. - */ - if (port->ssl_in_use) - { - tls_finished = be_tls_get_peer_finished(port, &tls_finished_len); - } -#endif - /* * Initialize the status tracker for message exchanges. * @@ -937,11 +924,7 @@ CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail) * This is because we don't want to reveal to an attacker what usernames * are valid, nor which users have a valid password. */ - scram_opaq = pg_be_scram_init(port->user_name, - shadow_pass, - port->ssl_in_use, - tls_finished, - tls_finished_len); + scram_opaq = pg_be_scram_init(port, shadow_pass); /* * Loop through SASL message exchange. This exchange can consist of -- cgit v1.2.3