fix: salt and iterations parsing for scram #1026
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters
| @elprans, looks like all the checks have passed, so could you, please, review these two small changes?) |
| I'm seeing the error multiple times a day on an AWS Lambda connecting to RDS, so happy to throw in everything from moral support to providing code changes where asked! |
| quick question - what's the timeline for a patch release including this? considering where to throw my resources at - monkeypatching? |
elprans added a commit that referenced this pull request Jul 7, 2023
Minor fixes and improvements. Changes ======= * Do not try to cleanup statements (#981) (by @fvannee in d2e710f for #981) * Add Pool.is_closing() method (#973) (by @singingwolfboy in 9cb2c1c for #973) * Fix test_tls_version for LibreSSL (#974) (by @CyberTailor in 7df9812 for #974) * Handle environments without home dir (#1011) (by @LeonardBesson in 172b8f6 for #1011) * fix: salt and iterations parsing for scram (#1026) (by @trigonometr in 7443a9e for #1026) * Add support for target_session_attrs (#987) (by @JesseDeLoore in bf74e88 for #987) * Add support for READ UNCOMMITTED (#1039) (by @benwah in 2f20bae for #1039) * Update benchmarks, add psycopg3 (#1042) (by @elprans in 7d4fcf0 for #1042)
Merged
elprans added a commit that referenced this pull request Jul 7, 2023
Minor fixes and improvements. Changes ======= * Do not try to cleanup statements (#981) (by @fvannee in d2e710f for #981) * Add Pool.is_closing() method (#973) (by @singingwolfboy in 9cb2c1c for #973) * Fix test_tls_version for LibreSSL (#974) (by @CyberTailor in 7df9812 for #974) * Handle environments without home dir (#1011) (by @LeonardBesson in 172b8f6 for #1011) * fix: salt and iterations parsing for scram (#1026) (by @trigonometr in 7443a9e for #1026) * Add support for target_session_attrs (#987) (by @JesseDeLoore in bf74e88 for #987) * Add support for READ UNCOMMITTED (#1039) (by @benwah in 2f20bae for #1039) * Update benchmarks, add psycopg3 (#1042) (by @elprans in 7d4fcf0 for #1042)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit. This suggestion is invalid because no changes were made to the code. Suggestions cannot be applied while the pull request is closed. Suggestions cannot be applied while viewing a subset of changes. Only one suggestion per line can be applied in a batch. Add this suggestion to a batch that can be applied as a single commit. Applying suggestions on deleted lines is not supported. You must change the existing code in this line in order to create a valid suggestion. Outdated suggestions cannot be applied. This suggestion has been applied or marked resolved. Suggestions cannot be applied from pending reviews. Suggestions cannot be applied on multi-line comments. Suggestions cannot be applied while the pull request is queued to merge. Suggestion cannot be applied right now. Please check back later.
According to RFC5802 server-first-message has the following form: [reserved-mext ","] nonce "," salt "," iteration-count ["," extensions]. Where nonce is a sequence of random printable ASCII characters excluding ','. So the nonce can potentially contain the substring "s=". In the previous version of parsing, the salt could be taken from the nonce part of the message because of that.
For instance, the server first message was b'r=Cipys==4,s=c2FsdA==,i=4096', then the old parsing would have b'=4' as a salt, which is wrong. The same problem could be with iteration-count.