Implement channel binding tls-server-end-point for SCRAM

This adds a second standard channel binding type for SCRAM. It is mainly intended for third-party clients that cannot implement tls-unique, for example JDBC. Author: Michael Paquier <michael.paquier@gmail.com>
2025-08-18 12:22:09 +03:00 · 2018-01-04 15:18:39 -05:00
parent 39cfe86195
commit d3fb72ea6d
9 changed files with 189 additions and 12 deletions
--- a/src/backend/libpq/auth-scram.c
+++ b/src/backend/libpq/auth-scram.c
@@ -849,13 +849,14 @@ read_client_first_message(scram_state *state, char *input)
 				}

 				/*
-				 * Read value provided by client; only tls-unique is supported
-				 * for now.  (It is not safe to print the name of an
-				 * unsupported binding type in the error message.  Pranksters
-				 * could print arbitrary strings into the log that way.)
+				 * Read value provided by client.  (It is not safe to print
+				 * the name of an unsupported binding type in the error
+				 * message.  Pranksters could print arbitrary strings into the
+				 * log that way.)
 				 */
 				channel_binding_type = read_attr_value(&input, 'p');
-				if (strcmp(channel_binding_type, SCRAM_CHANNEL_BINDING_TLS_UNIQUE) != 0)
+				if (strcmp(channel_binding_type, SCRAM_CHANNEL_BINDING_TLS_UNIQUE) != 0 &&
+					strcmp(channel_binding_type, SCRAM_CHANNEL_BINDING_TLS_END_POINT) != 0)
 					ereport(ERROR,
 							(errcode(ERRCODE_PROTOCOL_VIOLATION),
 							 (errmsg("unsupported SCRAM channel-binding type"))));
@@ -1114,6 +1115,15 @@ read_client_final_message(scram_state *state, char *input)
 		{
 #ifdef USE_SSL
 			cbind_data = be_tls_get_peer_finished(state->port, &cbind_data_len);
+#endif
+		}
+		else if (strcmp(state->channel_binding_type,
+						SCRAM_CHANNEL_BINDING_TLS_END_POINT) == 0)
+		{
+			/* Fetch hash data of server's SSL certificate */
+#ifdef USE_SSL
+			cbind_data = be_tls_get_certificate_hash(state->port,
+													 &cbind_data_len);
 #endif
 		}
 		else