Support channel binding 'tls-unique' in SCRAM

This is the basic feature set using OpenSSL to support the feature.  In
order to allow the frontend and the backend to fetch the sent and
expected TLS Finished messages, a PG-like API is added to be able to
make the interface pluggable for other SSL implementations.

This commit also adds a infrastructure to facilitate the addition of
future channel binding types as well as libpq parameters to control the
SASL mechanism names and channel binding names.  Those will be added by
upcoming commits.

Some tests are added to the SSL test suite to test SCRAM authentication
with channel binding.

Author: Michael Paquier <michael@paquier.xyz>
Reviewed-by: Peter Eisentraut <peter.eisentraut@2ndquadrant.com>

1 files changed, 24 insertions, 0 deletions

diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index fe15227a773..1e3e19f5e02 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -1216,6 +1216,30 @@ be_tls_get_peerdn_name(Port *port, char *ptr, size_t len)
 }
 
 /*
+ * Routine to get the expected TLS Finished message information from the
+ * client, useful for authorization when doing channel binding.
+ *
+ * Result is a palloc'd copy of the TLS Finished message with its size.
+ */
+char *
+be_tls_get_peer_finished(Port *port, size_t *len)
+{
+	char		dummy[1];
+	char	   *result;
+
+	/*
+	 * OpenSSL does not offer an API to directly get the length of the
+	 * expected TLS Finished message, so just do a dummy call to grab this
+	 * information to allow caller to do an allocation with a correct size.
+	 */
+	*len = SSL_get_peer_finished(port->ssl, dummy, sizeof(dummy));
+	result = palloc(*len);
+	(void) SSL_get_peer_finished(port->ssl, result, *len);
+
+	return result;
+}
+
+/*
  * Convert an X509 subject name to a cstring.
  *
  */