authorPeter Eisentraut <peter_e@gmx.net>2018-01-04 15:18:39 -0500
committerPeter Eisentraut <peter_e@gmx.net>2018-01-04 15:29:50 -0500
commitd3fb72ea6de58d285e278459bca9d7cdf7f6a38b (patch)
tree27a374b84f98441e85da97a68dd4d144c699f38a /src/interfaces/libpq/fe-auth-scram.c
parent39cfe86195f0b5cbc5fbe8d4e3aa6e2b0e322d0b (diff)
Implement channel binding tls-server-end-point for SCRAM
This adds a second standard channel binding type for SCRAM. It is mainly intended for third-party clients that cannot implement tls-unique, for example JDBC. Author: Michael Paquier <michael.paquier@gmail.com>
Diffstat (limited to 'src/interfaces/libpq/fe-auth-scram.c')
-rw-r--r--src/interfaces/libpq/fe-auth-scram.c15
1 files changed, 15 insertions, 0 deletions
diff --git a/src/interfaces/libpq/fe-auth-scram.c b/src/interfaces/libpq/fe-auth-scram.c
index 06c9cb26141..23bd5fb2b61 100644
--- a/src/interfaces/libpq/fe-auth-scram.c
+++ b/src/interfaces/libpq/fe-auth-scram.c
@@ -446,6 +446,21 @@ build_client_final_message(fe_scram_state *state)
goto oom_error;
#endif
}
+ else if (strcmp(conn->scram_channel_binding,
+ SCRAM_CHANNEL_BINDING_TLS_END_POINT) == 0)
+ {
+ /* Fetch hash data of server's SSL certificate */
+#ifdef USE_SSL
+ cbind_data =
+ pgtls_get_peer_certificate_hash(state->conn,
+ &cbind_data_len);
+ if (cbind_data == NULL)
+ {
+ /* error message is already set on error */
+ return NULL;
+ }
+#endif
+ }
else
{
/* should not happen */
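Review bot: The `return NULL;` in the new tls-server-end-point branch leaves build_client_final_message directly, while the tls-unique branch just above exits through `goto oom_error`. The start of the function and the `oom_error` label are outside this hunk, so this is inferred: if a buffer or other resource is set up before this point, the early return skips its release, and it should be freed before returning. Jumping to `oom_error` instead may not be a drop-in fix if that label overwrites the error already set by pgtls_get_peer_certificate_hash. Separately, when USE_SSL is not defined the branch body compiles to nothing, so `cbind_data` presumably keeps its initial value and the code after the hunk would build the channel-binding input without a certificate hash. A comment such as `/* without USE_SSL no certificate hash exists; this branch must not be reached */`, or an explicit failing `#else`, would make that assumption visible.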