Check channel binding flag at end of SCRAM exchange

We need to check whether the channel-binding flag encoded in the client-final-message is the same one sent in the client-first-message. Reviewed-by: Michael Paquier <michael.paquier@gmail.com>
author: Peter Eisentraut <peter_e@gmx.net> 2017-11-22 14:02:57 -0500
committer: Peter Eisentraut <peter_e@gmx.net> 2017-12-01 09:53:26 -0500
commit: 86ab28fbd19a6a0742a7f66e69a595b61eb13d00 (patch)
tree: 782040f1c7f38de43e86373a40a9e1a0b511abe9 /src/interfaces/libpq/fe-auth-scram.c
parent: 143b54d21d37804707c27edebdbd4410891da133 (diff)
download: postgresql-86ab28fbd19a6a0742a7f66e69a595b61eb13d00.tar.gz
postgresql-86ab28fbd19a6a0742a7f66e69a595b61eb13d00.zip
1 files changed, 4 insertions, 0 deletions
diff --git a/src/interfaces/libpq/fe-auth-scram.c b/src/interfaces/libpq/fe-auth-scram.c
index 97db0b1faa8..5b783bc3136 100644
--- a/src/interfaces/libpq/fe-auth-scram.c
+++ b/src/interfaces/libpq/fe-auth-scram.c
@@ -437,6 +437,10 @@ build_client_final_message(fe_scram_state *state, PQExpBuffer errormessage)
 	/*
 	 * Construct client-final-message-without-proof.  We need to remember it
 	 * for verifying the server proof in the final step of authentication.
+	 *
+	 * The channel binding flag handling (p/y/n) must be consistent with
+	 * build_client_first_message(), because the server will check that it's
+	 * the same flag both times.
 	 */
 	if (strcmp(state->sasl_mechanism, SCRAM_SHA256_PLUS_NAME) == 0)
 	{
author	Peter Eisentraut <peter_e@gmx.net>	2017-11-22 14:02:57 -0500
committer	Peter Eisentraut <peter_e@gmx.net>	2017-12-01 09:53:26 -0500
commit	86ab28fbd19a6a0742a7f66e69a595b61eb13d00 (patch)
tree	782040f1c7f38de43e86373a40a9e1a0b511abe9 /src/interfaces/libpq/fe-auth-scram.c
parent	143b54d21d37804707c27edebdbd4410891da133 (diff)
download	postgresql-86ab28fbd19a6a0742a7f66e69a595b61eb13d00.tar.gz postgresql-86ab28fbd19a6a0742a7f66e69a595b61eb13d00.zip