database/postgres
1
0
Fork 0
mirror of https://github.com/postgres/postgres.git synced 2025-10-25 13:17:41 +03:00
Code Activity

Add libpq connection parameter "scram_channel_binding"

Browse Source 
This parameter can be used to enforce the channel binding type used
during a SCRAM authentication.  This can be useful to check code paths
where an invalid channel binding type is used by a client and will be
even more useful to allow testing other channel binding types when they
are added.

The default value is tls-unique, which is what RFC 5802 specifies.
Clients can optionally specify an empty value, which has as effect to
not use channel binding and use SCRAM-SHA-256 as chosen SASL mechanism.

More tests for SCRAM and channel binding are added to the SSL test
suite.

Author: Author: Michael Paquier <michael.paquier@gmail.com>
This commit is contained in:
Peter Eisentraut
2017-12-18 18:05:24 -05:00
parent ab9e0e718a
commit 4bbf110d2f
7 changed files with 69 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
src/interfaces/libpq/fe-auth-scram.c
View File

@@ -93,6 +93,7 @@ pg_fe_scram_init(const char *username,
const char *password,
bool ssl_in_use,
const char *sasl_mechanism,
const char *channel_binding_type,
char *tls_finished_message,
size_t tls_finished_len)
{
@@ -112,17 +113,14 @@ pg_fe_scram_init(const char *username,
state->tls_finished_message = tls_finished_message;
state->tls_finished_len = tls_finished_len;
state->sasl_mechanism = strdup(sasl_mechanism);
state->channel_binding_type = channel_binding_type;
if (!state->sasl_mechanism)
{
free(state);
return NULL;
}
/*
* Store channel binding type. Only one type is currently supported.
*/
state->channel_binding_type = SCRAM_CHANNEL_BINDING_TLS_UNIQUE;
/* Normalize the password with SASLprep, if possible */
rc = pg_saslprep(password, &prep_password);
if (rc == SASLPREP_OOM)
@@ -375,6 +373,15 @@ build_client_first_message(fe_scram_state *state, PQExpBuffer errormessage)
Assert(state->ssl_in_use);
appendPQExpBuffer(&buf, "p=%s", state->channel_binding_type);
}
else if (state->channel_binding_type == NULL ||
strlen(state->channel_binding_type) == 0)
{
/*
* Client has chosen to not show to server that it supports channel
* binding.
*/
appendPQExpBuffer(&buf, "n");
}
else if (state->ssl_in_use)
{
/*
@@ -493,6 +500,9 @@ build_client_final_message(fe_scram_state *state, PQExpBuffer errormessage)
free(cbind_input);
}
else if (state->channel_binding_type == NULL ||
strlen(state->channel_binding_type) == 0)
appendPQExpBuffer(&buf, "c=biws"); /* base64 of "n,," */
else if (state->ssl_in_use)
appendPQExpBuffer(&buf, "c=eSws"); /* base64 of "y,," */
else