From 4bbf110d2fb4f74b9385bd5a521f824dfa5f15ec Mon Sep 17 00:00:00 2001
From: Peter Eisentraut
Date: Mon, 18 Dec 2017 18:05:24 -0500
Subject: Add libpq connection parameter "scram_channel_binding"

This parameter can be used to enforce the channel binding type used during a SCRAM authentication. This can be useful to check code paths where an invalid channel binding type is used by a client and will be even more useful to allow testing other channel binding types when they are added. The default value is tls-unique, which is what RFC 5802 specifies. Clients can optionally specify an empty value, which has as effect to not use channel binding and use SCRAM-SHA-256 as chosen SASL mechanism. More tests for SCRAM and channel binding are added to the SSL test suite.

Author: Author: Michael Paquier
---
 src/interfaces/libpq/fe-connect.c | 9 +++++++++
 1 file changed, 9 insertions(+)

(limited to 'src/interfaces/libpq/fe-connect.c')

diff --git a/src/interfaces/libpq/fe-connect.c b/src/interfaces/libpq/fe-connect.c
index 2c175a2a24a..68fb9a124aa 100644
--- a/src/interfaces/libpq/fe-connect.c
+++ b/src/interfaces/libpq/fe-connect.c
@@ -71,6 +71,7 @@ static int ldapServiceLookup(const char *purl, PQconninfoOption *options,
 #endif
 #include "common/ip.h"
+#include "common/scram-common.h"
 #include "mb/pg_wchar.h"
 #include "port/pg_bswap.h"
@@ -122,6 +123,7 @@ static int ldapServiceLookup(const char *purl, PQconninfoOption *options,
 #define DefaultOption ""
 #define DefaultAuthtype ""
 #define DefaultTargetSessionAttrs "any"
+#define DefaultSCRAMChannelBinding SCRAM_CHANNEL_BINDING_TLS_UNIQUE
 #ifdef USE_SSL
 #define DefaultSSLMode "prefer"
 #else
@@ -262,6 +264,11 @@ static const internalPQconninfoOption PQconninfoOptions[] = {
 "TCP-Keepalives-Count", "", 10, /* strlen(INT32_MAX) == 10 */
 offsetof(struct pg_conn, keepalives_count)},
+ {"scram_channel_binding", NULL, DefaultSCRAMChannelBinding, NULL,
+ "SCRAM-Channel-Binding", "D",
+ 21, /* sizeof("tls-server-end-point") == 21 */
+ offsetof(struct pg_conn, scram_channel_binding)},
+
 /*
 * ssl options are allowed even without client SSL support because the
 * client can still handle SSL modes "disable" and "allow". Other
@@ -3469,6 +3476,8 @@ freePGconn(PGconn *conn)
 free(conn->keepalives_interval);
 if (conn->keepalives_count)
 free(conn->keepalives_count);
+ if (conn->scram_channel_binding)
+ free(conn->scram_channel_binding);
 if (conn->sslmode)
 free(conn->sslmode);
 if (conn->sslcert)
-- cgit v1.2.3
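Review bot: The new PQconninfoOptions entry for "scram_channel_binding" in the first hunk on this line says nothing about which values are accepted: the commit message states that an empty string disables channel binding and the sizeof comment names tls-server-end-point, but the table entry documents neither, and the code that validates the string is not part of this diff (the page is limited to fe-connect.c). A short comment above the entry would help the next reader, e.g. `/* SCRAM channel binding type; an empty value disables channel binding. Accepted values are checked where the SASL exchange consumes conn->scram_channel_binding, not here. */`, with the second sentence confirmed against that code. If the dispchar "D" follows this table's usual meaning of a debug option hidden from default display, that is consistent with the commit message presenting the parameter as a testing aid, and is worth stating in the same comment since it affects what PQconndefaults() shows. The pg_conn member referenced through offsetof is declared outside this file, so its addition should be checked alongside; PQconninfoOptions itself begins before the hunk.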