From 4bbf110d2fb4f74b9385bd5a521f824dfa5f15ec Mon Sep 17 00:00:00 2001
From: Peter Eisentraut
Date: Mon, 18 Dec 2017 18:05:24 -0500
Subject: Add libpq connection parameter "scram_channel_binding"

This parameter can be used to enforce the channel binding type used during a SCRAM authentication. This can be useful to check code paths where an invalid channel binding type is used by a client and will be even more useful to allow testing other channel binding types when they are added.

The default value is tls-unique, which is what RFC 5802 specifies. Clients can optionally specify an empty value, which has as effect to not use channel binding and use SCRAM-SHA-256 as chosen SASL mechanism.

More tests for SCRAM and channel binding are added to the SSL test suite.

Author: Author: Michael Paquier
---
 src/interfaces/libpq/fe-auth.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

(limited to 'src/interfaces/libpq/fe-auth.c')

diff --git a/src/interfaces/libpq/fe-auth.c b/src/interfaces/libpq/fe-auth.c
index 2cfdb7c125c..3340a9ad933 100644
--- a/src/interfaces/libpq/fe-auth.c
+++ b/src/interfaces/libpq/fe-auth.c
@@ -528,11 +528,13 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 /*
 * Select the mechanism to use. Pick SCRAM-SHA-256-PLUS over anything
- * else. Pick SCRAM-SHA-256 if nothing else has already been picked.
- * If we add more mechanisms, a more refined priority mechanism might
- * become necessary.
+ * else if a channel binding type is set. Pick SCRAM-SHA-256 if
+ * nothing else has already been picked. If we add more mechanisms, a
+ * more refined priority mechanism might become necessary.
 */
 if (conn->ssl_in_use &&
+ conn->scram_channel_binding &&
+ strlen(conn->scram_channel_binding) > 0 &&
 strcmp(mechanism_buf.data, SCRAM_SHA256_PLUS_NAME) == 0)
 selected_mechanism = SCRAM_SHA256_PLUS_NAME;
 else if (strcmp(mechanism_buf.data, SCRAM_SHA256_NAME) == 0 &&
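Review bot: The `else if (strcmp(mechanism_buf.data, SCRAM_SHA256_NAME) == 0 && ...` fallback is still reachable when `scram_channel_binding` is non-empty and `conn->ssl_in_use` is true, so a parameter the commit message describes as enforcing a channel binding type is only a preference at mechanism-selection time: a server that offers just SCRAM-SHA-256, or a man-in-the-middle terminating the TLS session (the case channel binding exists to detect), gets an unbound SCRAM exchange with no client-side error. RFC 5802 addresses this downgrade with the gs2-header "y" flag, which the client sends when it supports channel binding but saw no -PLUS mechanism and which the server must then reject; whether the client-first-message code in fe-auth-scram.c emits "y" on this path is not visible in this hunk and should be confirmed, since the new branch makes the "supports channel binding but did not select -PLUS" case routine. If the intent is enforcement, add an explicit failure after the mechanism loop: with a non-empty `scram_channel_binding` and `conn->ssl_in_use`, ending the loop without `selected_mechanism == SCRAM_SHA256_PLUS_NAME` should set an error such as `server did not offer SCRAM-SHA-256-PLUS, but channel binding was requested` and return, rather than silently proceeding. As a minor point of style, `conn->scram_channel_binding[0] != '\0'` is the more usual libpq spelling of the non-empty test and avoids the `strlen()` call. The mechanism loop and `pg_SASL_init` continue outside the hunk.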
@@ -591,6 +593,7 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 password,
 conn->ssl_in_use,
 selected_mechanism,
+ conn->scram_channel_binding,
 tls_finished,
 tls_finished_len);
 if (!conn->sasl_state)
-- 
cgit v1.2.3