Implement channel binding tls-server-end-point for SCRAM

This adds a second standard channel binding type for SCRAM. It is mainly intended for third-party clients that cannot implement tls-unique, for example JDBC. Author: Michael Paquier <michael.paquier@gmail.com>
2025-10-25 13:17:41 +03:00 · 2018-01-04 15:18:39 -05:00
parent 39cfe86195
commit d3fb72ea6d
9 changed files with 189 additions and 12 deletions
--- a/src/interfaces/libpq/fe-auth-scram.c
+++ b/src/interfaces/libpq/fe-auth-scram.c
@@ -444,6 +444,21 @@ build_client_final_message(fe_scram_state *state)
 			cbind_data = pgtls_get_finished(state->conn, &cbind_data_len);
 			if (cbind_data == NULL)
 				goto oom_error;
+#endif
+		}
+		else if (strcmp(conn->scram_channel_binding,
+						SCRAM_CHANNEL_BINDING_TLS_END_POINT) == 0)
+		{
+			/* Fetch hash data of server's SSL certificate */
+#ifdef USE_SSL
+			cbind_data =
+				pgtls_get_peer_certificate_hash(state->conn,
+												&cbind_data_len);
+			if (cbind_data == NULL)
+			{
+				/* error message is already set on error */
+				return NULL;
+			}
 #endif
 		}
 		else