Support channel binding 'tls-unique' in SCRAM

This is the basic feature set using OpenSSL to support the feature. In order to allow the frontend and the backend to fetch the sent and expected TLS Finished messages, a PG-like API is added to be able to make the interface pluggable for other SSL implementations. This commit also adds a infrastructure to facilitate the addition of future channel binding types as well as libpq parameters to control the SASL mechanism names and channel binding names. Those will be added by upcoming commits. Some tests are added to the SSL test suite to test SCRAM authentication with channel binding. Author: Michael Paquier <michael@paquier.xyz> Reviewed-by: Peter Eisentraut <peter.eisentraut@2ndquadrant.com>
2025-06-22 02:52:08 +03:00 · 2017-11-18 10:07:57 -05:00
parent 611fe7d479
commit 9288d62bb4
14 changed files with 557 additions and 114 deletions
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@ -1215,6 +1215,30 @@ be_tls_get_peerdn_name(Port *port, char *ptr, size_t len)
 		ptr[0] = '\0';
 }

+/*
+ * Routine to get the expected TLS Finished message information from the
+ * client, useful for authorization when doing channel binding.
+ *
+ * Result is a palloc'd copy of the TLS Finished message with its size.
+ */
+char *
+be_tls_get_peer_finished(Port *port, size_t *len)
+{
+	char		dummy[1];
+	char	   *result;
+
+	/*
+	 * OpenSSL does not offer an API to directly get the length of the
+	 * expected TLS Finished message, so just do a dummy call to grab this
+	 * information to allow caller to do an allocation with a correct size.
+	 */
+	*len = SSL_get_peer_finished(port->ssl, dummy, sizeof(dummy));
+	result = palloc(*len);
+	(void) SSL_get_peer_finished(port->ssl, result, *len);
+
+	return result;
+}
+
 /*
 * Convert an X509 subject name to a cstring.
 *