author | Peter Eisentraut | 2018-01-04 18:53:09 +0000 |
committer | Peter Eisentraut | 2018-01-04 18:55:12 +0000 |
commit | f3049a603a7950f313b33ab214f11563c66dc069 (patch) | |
tree | f870af0cee87ab890b6925a202c43de7624972fd /src/interfaces/libpq/fe-auth.c | |
parent | 3ad2afc2e98fc85d5cf9529d84265b70acc0b13d (diff) |
Refactor channel binding code to fetch cbind_data only when necessary
As things stand now, channel binding data is fetched from OpenSSL and
saved into the SCRAM exchange context for any SSL connection attempted
with SCRAM authentication, resulting in data being fetched but not used
if no channel binding is used, or if a channel binding type other than
the one this data serves is used.
Refactor the code in such a way that binding data is fetched from the
SSL stack only when a specific channel binding is used for both the
frontend and the backend. In order to achieve that, save the libpq
connection context directly in the SCRAM exchange state, and add a
dependency to SSL in the low-level SCRAM routines.
This makes the interface in charge of initializing the SCRAM context
cleaner as all its data comes from either PGconn* (for frontend) or
Port* (for the backend).
Author: Michael Paquier <[email protected]>
Diffstat (limited to 'src/interfaces/libpq/fe-auth.c')
-rw-r--r-- | src/interfaces/libpq/fe-auth.c | 27 |
1 files changed, 4 insertions, 23 deletions
diff --git a/src/interfaces/libpq/fe-auth.c b/src/interfaces/libpq/fe-auth.c
index ecaed048e65..7bcbca9df61 100644
--- a/src/interfaces/libpq/fe-auth.c
+++ b/src/interfaces/libpq/fe-auth.c
@@ -491,8 +491,6 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 bool success;
 const char *selected_mechanism;
 PQExpBufferData mechanism_buf;
- char *tls_finished = NULL;
- size_t tls_finished_len = 0;
 char *password;
 initPQExpBuffer(&mechanism_buf);
@@ -570,32 +568,15 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 goto error;
 }
-#ifdef USE_SSL
-
- /*
- * Get data for channel binding.
- */
- if (strcmp(selected_mechanism, SCRAM_SHA256_PLUS_NAME) == 0)
- {
- tls_finished = pgtls_get_finished(conn, &tls_finished_len);
- if (tls_finished == NULL)
- goto oom_error;
- }
-#endif
-
 /*
 * Initialize the SASL state information with all the information gathered
 * during the initial exchange.
 *
 * Note: Only tls-unique is supported for the moment.
 */
- conn->sasl_state = pg_fe_scram_init(conn->pguser,
+ conn->sasl_state = pg_fe_scram_init(conn,
 password,
- conn->ssl_in_use,
- selected_mechanism,
- conn->scram_channel_binding,
- tls_finished,
- tls_finished_len);
+ selected_mechanism);
 if (!conn->sasl_state)
 goto oom_error;
@@ -603,7 +584,7 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 pg_fe_scram_exchange(conn->sasl_state,
 NULL, -1,
 &initialresponse, &initialresponselen,
- &done, &success, &conn->errorMessage);
+ &done, &success);
 if (done && !success)
 goto error;
@@ -684,7 +665,7 @@ pg_SASL_continue(PGconn *conn, int payloadlen, bool final)
 pg_fe_scram_exchange(conn->sasl_state,
 challenge, payloadlen,
 &output, &outputlen,
- &done, &success, &conn->errorMessage);
+ &done, &success);
 free(challenge); /* don't need the input anymore */
 if (final && !done)
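Review bot: In the new `pg_fe_scram_init(conn, password, selected_mechanism)` call, the only failure signal left at this call site is a NULL return, and it is still routed unconditionally to `oom_error`, whereas the removed code only reached that label from an actual allocation-style failure of `pgtls_get_finished`. If pg_fe_scram_init can now fail while fetching channel-binding data inside the SSL stack (it receives `conn`, so presumably it can report through `conn->errorMessage` itself), that failure would be reported to the user as out of memory unless the oom_error label, which is not visible in this hunk, avoids overwriting an already-set message; consider either a call-site comment stating that pg_fe_scram_init returns NULL only on allocation failure, or a guard such as `if (!conn->sasl_state) { if (conn->errorMessage.len > 0) goto error; goto oom_error; }`, assuming errorMessage is empty on entry to this path. The surviving comment `Note: Only tls-unique is supported for the moment.` now describes a decision that is made inside pg_fe_scram_init rather than in this function, so it reads as stale here and would be clearer moved next to the code that selects the channel binding type. pg_SASL_init and pg_SASL_continue both start and end outside these hunks, and the `error` and `oom_error` labels are not shown.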