From f3049a603a7950f313b33ab214f11563c66dc069 Mon Sep 17 00:00:00 2001
From: Peter Eisentraut
Date: Thu, 4 Jan 2018 13:53:09 -0500
Subject: Refactor channel binding code to fetch cbind_data only when necessary

As things stand now, channel binding data is fetched from OpenSSL and saved into the SCRAM exchange context for any SSL connection attempted for a SCRAM authentication, resulting in data fetched but not used if no channel binding is used or if a different channel binding type is used than what the data is here for.

Refactor the code in such a way that binding data is fetched from the SSL stack only when a specific channel binding is used for both the frontend and the backend. In order to achieve that, save the libpq connection context directly in the SCRAM exchange state, and add a dependency to SSL in the low-level SCRAM routines. This makes the interface in charge of initializing the SCRAM context cleaner as all its data comes from either PGconn* (for frontend) or Port* (for the backend).

Author: Michael Paquier
---
 src/interfaces/libpq/fe-auth.h | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)

(limited to 'src/interfaces/libpq/fe-auth.h')

diff --git a/src/interfaces/libpq/fe-auth.h b/src/interfaces/libpq/fe-auth.h
index 91bc21ee8d1..a8a27c24a61 100644
--- a/src/interfaces/libpq/fe-auth.h
+++ b/src/interfaces/libpq/fe-auth.h
@@ -23,17 +23,13 @@ extern int pg_fe_sendauth(AuthRequest areq, int payloadlen, PGconn *conn);
 extern char *pg_fe_getauthname(PQExpBuffer errorMessage);
 
 /* Prototypes for functions in fe-auth-scram.c */
-extern void *pg_fe_scram_init(const char *username,
+extern void *pg_fe_scram_init(PGconn *conn,
 const char *password,
-bool ssl_in_use,
-const char *sasl_mechanism,
-const char *channel_binding_type,
-char *tls_finished_message,
-size_t tls_finished_len);
+const char *sasl_mechanism);
 extern void pg_fe_scram_free(void *opaq);
 extern void pg_fe_scram_exchange(void *opaq,
 char *input, int inputlen,
 char **output, int *outputlen,
-bool *done, bool *success, PQExpBuffer errorMessage);
+bool *done, bool *success);
 extern char *pg_fe_scram_build_verifier(const char *password);
 #endif /* FE_AUTH_H */
-- 
cgit v1.2.3
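Review bot: The new `pg_fe_scram_init(PGconn *conn, ...)` prototype says nothing about the lifetime of `conn`, yet the commit message states the connection context is saved directly in the SCRAM exchange state, so the caller must keep `conn` valid until `pg_fe_scram_free`; a comment above the prototype should state that, e.g. `/* conn is retained by the returned state and must outlive it; channel-binding data is read from conn's SSL state on demand during the exchange, so the TLS handshake must be complete before the exchange is driven */` (the on-demand part is inferred from the commit message, not visible in this hunk). Dropping `PQExpBuffer errorMessage` from `pg_fe_scram_exchange` likewise moves error reporting somewhere the header no longer shows — presumably the connection's own error buffer through the saved context — and a caller that sees `*success == false` needs to know where the diagnostic lands, so a one-line comment on that prototype would close the gap. Both prototypes are complete within the hunk.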