author | Peter Eisentraut <peter_e@gmx.net> | 2017-12-18 18:05:24 -0500 |
committer | Peter Eisentraut <peter_e@gmx.net> | 2017-12-19 10:12:36 -0500 |
commit | 4bbf110d2fb4f74b9385bd5a521f824dfa5f15ec (patch) | |
tree | b09d54898a8c006c0ff4964c0bb0d22489b96d14 /src/interfaces/libpq/fe-auth-scram.c | |
parent | ab9e0e718acb9ded7e4c4b5cedc1d410690ea6ba (diff) | |
Add libpq connection parameter "scram_channel_binding"
This parameter can be used to enforce the channel binding type used
during a SCRAM authentication. This can be useful to check code paths
where an invalid channel binding type is used by a client and will be
even more useful to allow testing other channel binding types when they
are added.
The default value is tls-unique, which is what RFC 5802 specifies.
Clients can optionally specify an empty value, which has the effect of not
using channel binding and using SCRAM-SHA-256 as the chosen SASL mechanism.
More tests for SCRAM and channel binding are added to the SSL test
suite.
Author: Author: Michael Paquier <michael.paquier@gmail.com>
Diffstat (limited to 'src/interfaces/libpq/fe-auth-scram.c')
-rw-r--r-- | src/interfaces/libpq/fe-auth-scram.c | 20 |
1 files changed, 15 insertions, 5 deletions
diff --git a/src/interfaces/libpq/fe-auth-scram.c b/src/interfaces/libpq/fe-auth-scram.c
index 4cad93c24ad..b8f7a6b5be9 100644
--- a/src/interfaces/libpq/fe-auth-scram.c
+++ b/src/interfaces/libpq/fe-auth-scram.c
@@ -93,6 +93,7 @@ pg_fe_scram_init(const char *username,
 				 const char *password,
 				 bool ssl_in_use,
 				 const char *sasl_mechanism,
+				 const char *channel_binding_type,
 				 char *tls_finished_message,
 				 size_t tls_finished_len)
 {
@@ -112,17 +113,14 @@ pg_fe_scram_init(const char *username,
 	state->tls_finished_message = tls_finished_message;
 	state->tls_finished_len = tls_finished_len;
 	state->sasl_mechanism = strdup(sasl_mechanism);
+	state->channel_binding_type = channel_binding_type;
+
 	if (!state->sasl_mechanism)
 	{
 		free(state);
 		return NULL;
 	}
 
-	/*
-	 * Store channel binding type. Only one type is currently supported.
-	 */
-	state->channel_binding_type = SCRAM_CHANNEL_BINDING_TLS_UNIQUE;
-
 	/* Normalize the password with SASLprep, if possible */
 	rc = pg_saslprep(password, &prep_password);
 	if (rc == SASLPREP_OOM)
@@ -375,6 +373,15 @@ build_client_first_message(fe_scram_state *state, PQExpBuffer errormessage)
 		Assert(state->ssl_in_use);
 		appendPQExpBuffer(&buf, "p=%s", state->channel_binding_type);
 	}
+	else if (state->channel_binding_type == NULL ||
+			 strlen(state->channel_binding_type) == 0)
+	{
+		/*
+		 * Client has chosen to not show to server that it supports channel
+		 * binding.
+		 */
+		appendPQExpBuffer(&buf, "n");
+	}
 	else if (state->ssl_in_use)
 	{
 		/*
@@ -493,6 +500,9 @@ build_client_final_message(fe_scram_state *state, PQExpBuffer errormessage)
 		free(cbind_input);
 	}
+	else if (state->channel_binding_type == NULL ||
+			 strlen(state->channel_binding_type) == 0)
+		appendPQExpBuffer(&buf, "c=biws");	/* base64 of "n,," */
 	else if (state->ssl_in_use)
 		appendPQExpBuffer(&buf, "c=eSws");	/* base64 of "y,," */
 	else
|
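Review bot: `state->channel_binding_type = channel_binding_type;` in the second hunk stores the caller's pointer, whereas the neighbouring `sasl_mechanism` is copied with strdup(); if whoever owns that string frees or rewrites it before the state is released, the later strlen() and appendPQExpBuffer() calls in the client-first and client-final builders read through a dangling pointer. The caller is outside this diff, so this is likely fine if the pointer is a connection field that outlives the SCRAM state, but the new parameter carries no statement of that requirement. Either document it where the parameter is added in the first hunk, `/* channel_binding_type is not copied; the caller must keep it valid until the state is freed */`, or copy it with strdup() next to sasl_mechanism and release it in pg_fe_scram_free() alongside it. The body of pg_fe_scram_init continues outside the hunk.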
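Review bot: The test `state->channel_binding_type == NULL || strlen(state->channel_binding_type) == 0` is written out by hand twice, in build_client_first_message here and again in build_client_final_message in the last hunk; the GS2 header sent in client-first and the c= attribute sent in client-final must be derived from the same decision, since a mismatch makes the server's proof verification fail, so the predicate should live in one place. The comment on the new "n" branch also understates what it gives up: over an SSL connection the "y" flag in the branch below lets the server detect that a -PLUS mechanism was stripped from the list it advertised, and "n" forgoes that detection, so the comment should say so, e.g. `/* ... Unlike "y", this also disables downgrade detection; an empty scram_channel_binding asks for exactly that. */`. Both enclosing functions start and end outside their hunks.
```c
/* True when the connection parameter asks for no channel binding at all. */
static bool
channel_binding_disabled(const fe_scram_state *state)
{
	return state->channel_binding_type == NULL ||
		state->channel_binding_type[0] == '\0';
}

/* … unchanged: build_client_first_message up to the "p=" branch … */
	else if (channel_binding_disabled(state))
	{
		/*
		 * Client has chosen to not show to server that it supports channel
		 * binding. Unlike "y", this also disables downgrade detection; an
		 * empty scram_channel_binding asks for exactly that.
		 */
		appendPQExpBuffer(&buf, "n");
	}
/* … unchanged: remaining branches; build_client_final_message uses the same helper for its "c=biws" branch … */
```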