Server ignores contents of SASLInitialResponse
Michael Paquier <michael.paquier@gmail.com>
From: Michael Paquier <michael.paquier@gmail.com>
To: PostgreSQL mailing lists <pgsql-hackers@postgresql.org>
Date: 2017-05-25T03:33:37Z
Lists: pgsql-hackers
Attachments
- scram-trick-server.patch (application/octet-stream) patch
- fix-sasl-init.patch (application/octet-stream) patch
Hi all,
I have noticed today that the server ignores completely the contents
of SASLInitialResponse. For example with the patch attached called
scram-trick-server:
diff --git a/src/interfaces/libpq/fe-auth.c b/src/interfaces/libpq/fe-auth.c
index f4397afc64..8fe1c8edfb 100644
--- a/src/interfaces/libpq/fe-auth.c
+++ b/src/interfaces/libpq/fe-auth.c
@@ -540,7 +540,7 @@ pg_SASL_init(PGconn *conn, int payloadlen)
conn->sasl_state = pg_fe_scram_init(conn->pguser, password);
if (!conn->sasl_state)
goto oom_error;
- selected_mechanism = SCRAM_SHA256_NAME;
+ selected_mechanism = "kunfoobar";
}
}
This sends a custom string to the server to name a SASL mechanism,
about which the server complains with a COMMERROR log:
LOG: client selected an invalid SASL authentication mechanism
However this error is completely ignored and the server continues
authentication, succeeding if the password is right. It seems to me
that the error that should be returned to the user is a password
mismatch, and that the COMMERROR message is kept only for the server
logs. Attached is a patch to fix the problem.
Open item added as well.
Thanks,
--
Michael
Commits
-
Clear auth context correctly when re-connecting after failed auth attempt.
- f44c609ea014 9.6.4 landed
- 1fe1fc449772 9.4.13 landed
- f2fa0c6514b6 9.3.18 landed
- 739cb7f8bfeb 9.5.8 landed
- e6c33d594a00 10.0 landed
-
Fix double-free bug in GSS authentication.
- 3344582e6f16 10.0 landed
-
Abort authentication if the client selected an invalid SASL mechanism.
- 505b5d2f8672 10.0 landed
-
Refactor libpq authentication request processing.
- 61bf96cab063 10.0 cited