</listitem>
</varlistentry>
+ <varlistentry id="libpq-scram-channel-binding" xreflabel="scram_channel_binding">
+ <term><literal>scram_channel_binding</literal></term>
+ <listitem>
+ <para>
+ Specifies the channel binding type to use with SCRAM authentication.
+ The list of channel binding types supported by server are listed in
+ <xref linkend="sasl-authentication"/>. An empty value specifies that
+ the client will not use channel binding. The default value is
+ <literal>tls-unique</literal>.
+ </para>
+
+ <para>
+ Channel binding is only supported on SSL connections. If the
+ connection is not using SSL, then this setting is ignored.
+ </para>
+
+ <para>
+ This parameter is mainly intended for protocol testing. In normal
+ use, there should not be a need to choose a channel binding type other
+ than the default one.
+ </para>
+ </listitem>
+ </varlistentry>
+
<varlistentry id="libpq-connect-sslmode" xreflabel="sslmode">
<term><literal>sslmode</literal></term>
<listitem>
const char *password,
bool ssl_in_use,
const char *sasl_mechanism,
+ const char *channel_binding_type,
char *tls_finished_message,
size_t tls_finished_len)
{
state->tls_finished_message = tls_finished_message;
state->tls_finished_len = tls_finished_len;
state->sasl_mechanism = strdup(sasl_mechanism);
+ state->channel_binding_type = channel_binding_type;
+
if (!state->sasl_mechanism)
{
free(state);
return NULL;
}
- /*
- * Store channel binding type. Only one type is currently supported.
- */
- state->channel_binding_type = SCRAM_CHANNEL_BINDING_TLS_UNIQUE;
-
/* Normalize the password with SASLprep, if possible */
rc = pg_saslprep(password, &prep_password);
if (rc == SASLPREP_OOM)
Assert(state->ssl_in_use);
appendPQExpBuffer(&buf, "p=%s", state->channel_binding_type);
}
+ else if (state->channel_binding_type == NULL ||
+ strlen(state->channel_binding_type) == 0)
+ {
+ /*
+ * Client has chosen to not show to server that it supports channel
+ * binding.
+ */
+ appendPQExpBuffer(&buf, "n");
+ }
else if (state->ssl_in_use)
{
/*
free(cbind_input);
}
+ else if (state->channel_binding_type == NULL ||
+ strlen(state->channel_binding_type) == 0)
+ appendPQExpBuffer(&buf, "c=biws"); /* base64 of "n,," */
else if (state->ssl_in_use)
appendPQExpBuffer(&buf, "c=eSws"); /* base64 of "y,," */
else
/*
* Select the mechanism to use. Pick SCRAM-SHA-256-PLUS over anything
- * else. Pick SCRAM-SHA-256 if nothing else has already been picked.
- * If we add more mechanisms, a more refined priority mechanism might
- * become necessary.
+ * else if a channel binding type is set. Pick SCRAM-SHA-256 if
+ * nothing else has already been picked. If we add more mechanisms, a
+ * more refined priority mechanism might become necessary.
*/
if (conn->ssl_in_use &&
+ conn->scram_channel_binding &&
+ strlen(conn->scram_channel_binding) > 0 &&
strcmp(mechanism_buf.data, SCRAM_SHA256_PLUS_NAME) == 0)
selected_mechanism = SCRAM_SHA256_PLUS_NAME;
else if (strcmp(mechanism_buf.data, SCRAM_SHA256_NAME) == 0 &&
password,
conn->ssl_in_use,
selected_mechanism,
+ conn->scram_channel_binding,
tls_finished,
tls_finished_len);
if (!conn->sasl_state)
const char *password,
bool ssl_in_use,
const char *sasl_mechanism,
+ const char *channel_binding_type,
char *tls_finished_message,
size_t tls_finished_len);
extern void pg_fe_scram_free(void *opaq);
#endif
#include "common/ip.h"
+#include "common/scram-common.h"
#include "mb/pg_wchar.h"
#include "port/pg_bswap.h"
#define DefaultOption ""
#define DefaultAuthtype ""
#define DefaultTargetSessionAttrs "any"
+#define DefaultSCRAMChannelBinding SCRAM_CHANNEL_BINDING_TLS_UNIQUE
#ifdef USE_SSL
#define DefaultSSLMode "prefer"
#else
"TCP-Keepalives-Count", "", 10, /* strlen(INT32_MAX) == 10 */
offsetof(struct pg_conn, keepalives_count)},
+ {"scram_channel_binding", NULL, DefaultSCRAMChannelBinding, NULL,
+ "SCRAM-Channel-Binding", "D",
+ 21, /* sizeof("tls-server-end-point") == 21 */
+ offsetof(struct pg_conn, scram_channel_binding)},
+
/*
* ssl options are allowed even without client SSL support because the
* client can still handle SSL modes "disable" and "allow". Other
free(conn->keepalives_interval);
if (conn->keepalives_count)
free(conn->keepalives_count);
+ if (conn->scram_channel_binding)
+ free(conn->scram_channel_binding);
if (conn->sslmode)
free(conn->sslmode);
if (conn->sslcert)
* retransmits */
char *keepalives_count; /* maximum number of TCP keepalive
* retransmits */
+ char *scram_channel_binding; /* SCRAM channel binding type */
char *sslmode; /* SSL mode (require,prefer,allow,disable) */
char *sslcompression; /* SSL compression (0 or 1) */
char *sslkey; /* client key filename */
use warnings;
use PostgresNode;
use TestLib;
-use Test::More tests => 1;
+use Test::More tests => 4;
use ServerSetup;
use File::Copy;
$common_connstr =
"user=ssltestuser dbname=trustdb sslmode=require hostaddr=$SERVERHOSTADDR";
+# Default settings
test_connect_ok($common_connstr, '',
"SCRAM authentication with default channel binding");
+
+# Channel binding settings
+test_connect_ok($common_connstr,
+ "scram_channel_binding=tls-unique",
+ "SCRAM authentication with tls-unique as channel binding");
+test_connect_ok($common_connstr,
+ "scram_channel_binding=''",
+ "SCRAM authentication without channel binding");
+test_connect_fails($common_connstr,
+ "scram_channel_binding=not-exists",
+ "SCRAM authentication with invalid channel binding");
projects / postgresql / commitdiff