pgsql: Support channel binding 'tls-unique' in SCRAM
From | Peter Eisentraut |
---|---|
Subject | pgsql: Support channel binding 'tls-unique' in SCRAM |
Date | |
Msg-id | E1eG5QR-0001UU-4a@gemulon.postgresql.org |
List | pgsql-committers |
Support channel binding 'tls-unique' in SCRAM

This is the basic feature set using OpenSSL to support the feature. In order to allow the frontend and the backend to fetch the sent and expected TLS Finished messages, a PG-like API is added to be able to make the interface pluggable for other SSL implementations.

This commit also adds an infrastructure to facilitate the addition of future channel binding types as well as libpq parameters to control the SASL mechanism names and channel binding names. Those will be added by upcoming commits.

Some tests are added to the SSL test suite to test SCRAM authentication with channel binding.

Author: Michael Paquier <michael@paquier.xyz>
Reviewed-by: Peter Eisentraut <peter.eisentraut@2ndquadrant.com>

Branch
------
master

Details
-------
https://git.postgresql.org/pg/commitdiff/9288d62bb4b6f302bf13bb2fed3783b61385f315

Modified Files
--------------
doc/src/sgml/protocol.sgml               |  31 ++++--
src/backend/libpq/auth-scram.c           | 181 ++++++++++++++++++++++++++-----
src/backend/libpq/auth.c                 |  54 +++++++--
src/backend/libpq/be-secure-openssl.c    |  24 ++++
src/include/libpq/libpq-be.h             |   1 +
src/include/libpq/scram.h                |  10 +-
src/interfaces/libpq/fe-auth-scram.c     | 170 +++++++++++++++++++++++++----
src/interfaces/libpq/fe-auth.c           |  90 ++++++++++-----
src/interfaces/libpq/fe-auth.h           |   7 +-
src/interfaces/libpq/fe-secure-openssl.c |  27 +++++
src/interfaces/libpq/libpq-int.h         |   5 +-
src/test/ssl/ServerSetup.pm              |  27 +++--
src/test/ssl/t/001_ssltests.pl           |   2 +-
src/test/ssl/t/002_scram.pl              |  38 +++++++
14 files changed, 555 insertions(+), 112 deletions(-)
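The server-side comparison that channel binding relies on, as an added example that is not code from this commit or from PostgreSQL: following the SCRAM wire format of RFC 5802, the `c=` attribute of the client-final-message is checked against base64 of the GS2 header `p=tls-unique,,` followed by the TLS Finished message the server saw. The names `scram_check_tls_unique`, `b64_encode` and `SAMPLE_FINISHED` are hypothetical, and the Finished bytes are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: 12 bytes standing in for a TLS Finished message. */
static const uint8_t SAMPLE_FINISHED[12] = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11};

/* RFC 4648 base64; returns the encoded length, or 0 if dst is too small. */
static size_t b64_encode(const uint8_t *src, size_t len, char *dst, size_t cap)
{
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    size_t o = 0;
    if (cap < 4 * ((len + 2) / 3) + 1) return 0;
    for (size_t i = 0; i < len; i += 3) {
        uint32_t v = (uint32_t) src[i] << 16;
        if (i + 1 < len) v |= (uint32_t) src[i + 1] << 8;
        if (i + 2 < len) v |= src[i + 2];
        dst[o++] = tbl[(v >> 18) & 63];
        dst[o++] = tbl[(v >> 12) & 63];
        dst[o++] = (i + 1 < len) ? tbl[(v >> 6) & 63] : '=';
        dst[o++] = (i + 2 < len) ? tbl[v & 63] : '=';
    }
    dst[o] = '\0';
    return o;
}

/* Server side: the client's "c=" value must equal base64("p=tls-unique,," ||
 * Finished message seen on this connection). Returns 1 on match, else 0. */
int scram_check_tls_unique(const char *c_attr, const uint8_t *finished, size_t flen)
{
    static const char gs2[] = "p=tls-unique,,";   /* GS2 header, no authzid */
    uint8_t raw[sizeof(gs2) - 1 + 64];
    char expect[128];
    size_t glen = sizeof(gs2) - 1, elen;
    unsigned char diff = 0;
    if (flen == 0 || flen > 64) return 0;         /* assumed upper bound */
    memcpy(raw, gs2, glen);
    memcpy(raw + glen, finished, flen);
    elen = b64_encode(raw, glen + flen, expect, sizeof(expect));
    if (elen == 0 || strlen(c_attr) != elen) return 0;
    /* Accumulate differences instead of returning at the first mismatch. */
    for (size_t i = 0; i < elen; i++) diff |= (unsigned char) (c_attr[i] ^ expect[i]);
    return diff == 0;
}

int main(void)
{
    printf("%d\n", scram_check_tls_unique("cD10bHMtdW5pcXVlLCwAAQIDBAUGBwgJCgs=", SAMPLE_FINISHED, 12));
}
```

A client that negotiated no channel binding sends `c=biws` (base64 of `n,,`), which this check rejects because it does not carry the Finished message of the connection being authenticated.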