| field | value |
|---|---|
| author | Peter Eisentraut <peter_e@gmx.net>, 2017-12-18 18:05:24 -0500 |
| committer | Peter Eisentraut <peter_e@gmx.net>, 2017-12-19 10:12:36 -0500 |
| commit | 4bbf110d2fb4f74b9385bd5a521f824dfa5f15ec (patch) |
| tree | b09d54898a8c006c0ff4964c0bb0d22489b96d14 /src/interfaces/libpq/fe-auth.c |
| parent | ab9e0e718acb9ded7e4c4b5cedc1d410690ea6ba (diff) |
| download | postgresql-4bbf110d2fb4f74b9385bd5a521f824dfa5f15ec.tar.gz, postgresql-4bbf110d2fb4f74b9385bd5a521f824dfa5f15ec.zip |
Add libpq connection parameter "scram_channel_binding"
This parameter can be used to enforce the channel binding type used
during a SCRAM authentication. This can be useful to check code paths
where an invalid channel binding type is used by a client and will be
even more useful to allow testing other channel binding types when they
are added.
The default value is tls-unique, which is what RFC 5802 specifies.
Clients can optionally specify an empty value, which has the effect of not
using channel binding and using SCRAM-SHA-256 as the chosen SASL mechanism.
More tests for SCRAM and channel binding are added to the SSL test
suite.
Author: Michael Paquier <michael.paquier@gmail.com>
Diffstat (limited to 'src/interfaces/libpq/fe-auth.c')
-rw-r--r-- | src/interfaces/libpq/fe-auth.c | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/src/interfaces/libpq/fe-auth.c b/src/interfaces/libpq/fe-auth.c index 2cfdb7c125c..3340a9ad933 100644 --- a/src/interfaces/libpq/fe-auth.c +++ b/src/interfaces/libpq/fe-auth.c @@ -528,11 +528,13 @@ pg_SASL_init(PGconn *conn, int payloadlen) /* * Select the mechanism to use. Pick SCRAM-SHA-256-PLUS over anything - * else. Pick SCRAM-SHA-256 if nothing else has already been picked. - * If we add more mechanisms, a more refined priority mechanism might - * become necessary. + * else if a channel binding type is set. Pick SCRAM-SHA-256 if + * nothing else has already been picked. If we add more mechanisms, a + * more refined priority mechanism might become necessary. */ if (conn->ssl_in_use && + conn->scram_channel_binding && + strlen(conn->scram_channel_binding) > 0 && strcmp(mechanism_buf.data, SCRAM_SHA256_PLUS_NAME) == 0) selected_mechanism = SCRAM_SHA256_PLUS_NAME; else if (strcmp(mechanism_buf.data, SCRAM_SHA256_NAME) == 0 && @@ -591,6 +593,7 @@ pg_SASL_init(PGconn *conn, int payloadlen) password, conn->ssl_in_use, selected_mechanism, + conn->scram_channel_binding, tls_finished, tls_finished_len); if (!conn->sasl_state) |
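Review bot: in the first hunk (mechanism selection), the new guard only checks that `conn->scram_channel_binding` is non-NULL and non-empty, not that it names a supported type, so the rewritten comment "if a channel binding type is set" overstates what is verified; since the commit message says invalid types are deliberately passed through to exercise error paths, the comment should say "non-empty" and note where the value is validated. The explicit `conn->scram_channel_binding &&` NULL check also deserves a comment: the commit message gives tls-unique as the default, so if the option table always populates the field this branch is dead and would silently turn a missing default into "no channel binding" (plain SCRAM-SHA-256 over TLS) rather than failing visibly.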
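Review bot: in the second hunk (SASL state initialization), `conn->scram_channel_binding` is passed to the callee unguarded, whereas the first hunk guards the same field with a NULL check before `strlen`; the callee, whose signature change is outside this diffstat, therefore has to accept both NULL and the empty string and treat both as "no channel binding", and that contract is only encoded implicitly in the -PLUS selection above. A one-line comment at the call site stating that NULL and "" are equivalent here would keep the two call sites from drifting apart.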