Commit adcdb2c

Explicitly require password for SCRAM exchange
This refactors the SASL init flow to set password_needed on the two SCRAM exchanges currently supported. The code already required this but was set up in such a way that all SASL exchanges required using a password, a restriction which may not hold for all exchanges (the example at hand being the proposed OAuthbearer exchange).

This was extracted from a larger patchset to introduce OAuthBearer authentication and authorization.

Author: Jacob Champion <jacob.champion@enterprisedb.com>
Discussion: https://postgr.es/m/d1b467a78e0e36ed85a09adf979d04cf124a9d4b.camel@vmware.com
1 parent 24178e2 commit adcdb2c

1 file changed: +15 / -13 lines

‎src/interfaces/libpq/fe-auth.c

@@ -425,7 +425,7 @@ pg_SASL_init(PGconn *conn, int payloadlen)
425425
int initialresponselen;
426426
const char *selected_mechanism;
427427
PQExpBufferData mechanism_buf;
428-
char *password;
428+
char *password = NULL;
429429
SASLStatus status;
430430

431431
initPQExpBuffer(&mechanism_buf);
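Review bot: the new `= NULL` initializer on `password` is load-bearing rather than cosmetic: further down in this function the assignment from `conn->connhost[conn->whichhost].password` / `conn->pgpass` now only happens under `if (conn->password_needed)`, so without the initializer a mechanism that does not need a password would leave `password` indeterminate. Suggest a short comment on the declaration (e.g. `/* stays NULL unless the selected mechanism needs one */`) so the initializer is not later removed as redundant.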
@@ -446,8 +446,7 @@ pg_SASL_init(PGconn *conn, int payloadlen)
446446
/*
447447
* Parse the list of SASL authentication mechanisms in the
448448
* AuthenticationSASL message, and select the best mechanism that we
449-
* support. SCRAM-SHA-256-PLUS and SCRAM-SHA-256 are the only ones
450-
* supported at the moment, listed by order of decreasing importance.
449+
* support. Mechanisms are listed by order of decreasing importance.
451450
*/
452451
selected_mechanism = NULL;
453452
for (;;)
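Review bot: dropping the enumerated mechanism list from the comment is the right call, but the comment now under-describes the loop's contract: every branch that selects a mechanism is expected to set both `conn->sasl` and `conn->password_needed`. Suggest adding that requirement to the comment so that a future mechanism (such as the OAuthBearer one the commit message mentions) is not added with `conn->sasl` set and the flag forgotten.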
@@ -487,6 +486,7 @@ pg_SASL_init(PGconn *conn, int payloadlen)
487486
{
488487
selected_mechanism = SCRAM_SHA_256_PLUS_NAME;
489488
conn->sasl = &pg_scram_mech;
489+
conn->password_needed = true;
490490
}
491491
#else
492492
/*
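Review bot: nothing in these hunks resets `conn->password_needed` to false before the selection loop. Previously the unconditional `conn->password_needed = true;` below overwrote whatever the field held; now the flag is only ever set to true, here and in the SCRAM-SHA-256 branch. If the same PGconn can enter pg_SASL_init more than once (for instance a retry against another host after an earlier attempt set the flag), a mechanism that does not need a password could inherit a stale true. Suggest either initialising the flag next to `selected_mechanism = NULL;` or confirming that connection reset already clears it.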
@@ -522,6 +522,7 @@ pg_SASL_init(PGconn *conn, int payloadlen)
522522
{
523523
selected_mechanism = SCRAM_SHA_256_NAME;
524524
conn->sasl = &pg_scram_mech;
525+
conn->password_needed = true;
525526
}
526527
}
527528

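Review bot: `conn->sasl = &pg_scram_mech;` followed by `conn->password_needed = true;` is now duplicated verbatim in the SCRAM-SHA-256-PLUS and SCRAM-SHA-256 branches. Whether a password is required is a property of the mechanism rather than of the branch that picked it, so consider carrying it in the mechanism descriptor (`pg_scram_mech`) and setting `conn->password_needed` once after the loop from `conn->sasl`; that way the two cannot drift apart as more mechanisms are added.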
@@ -545,18 +546,19 @@ pg_SASL_init(PGconn *conn, int payloadlen)
545546

546547
/*
547548
* First, select the password to use for the exchange, complaining if
548-
* there isn't one. Currently, all supported SASL mechanisms require a
549-
* password, so we can just go ahead here without further distinction.
549+
* there isn't one and the selected SASL mechanism needs it.
550550
*/
551-
conn->password_needed = true;
552-
password = conn->connhost[conn->whichhost].password;
553-
if (password == NULL)
554-
password = conn->pgpass;
555-
if (password == NULL || password[0] == '\0')
551+
if (conn->password_needed)
556552
{
557-
appendPQExpBufferStr(&conn->errorMessage,
558-
PQnoPasswordSupplied);
559-
goto error;
553+
password = conn->connhost[conn->whichhost].password;
554+
if (password == NULL)
555+
password = conn->pgpass;
556+
if (password == NULL || password[0] == '\0')
557+
{
558+
appendPQExpBufferStr(&conn->errorMessage,
559+
PQnoPasswordSupplied);
560+
goto error;
561+
}
560562
}
561563

562564
Assert(conn->sasl);
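Review bot: the rewritten comment says the check now runs only when the selected mechanism needs a password, but it does not say what `password` holds on the other path (it keeps the NULL from its declaration). Whatever consumes `password` after `Assert(conn->sasl);` must therefore treat NULL as "no password supplied and none required" rather than as an error. Suggest stating that in the comment, e.g. `* Otherwise password is left NULL and the mechanism must not rely on it.`, since the moved block is otherwise an indentation-only change.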
