On Thu, Mar 08, 2018 at 02:19:55PM -0500, Peter Eisentraut wrote: > Moved to next CF along with those other two patches.
Attached is a refreshed patch for this thread, which failed to apply after recent changes. This is tied to the patches for other SSL implementations, so let's revisit it later if necessary. -- Michael
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index 63f37902e6..6ad5e2eedf 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -873,6 +873,7 @@ CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail)
int inputlen;
int result;
bool initial;
+ List *channel_bindings = NIL;
/*
* SASL auth is not supported for protocol versions before 3, because it
@@ -898,7 +899,17 @@ CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail)
strlen(SCRAM_SHA_256_NAME) + 3);
p = sasl_mechs;
- if (port->ssl_in_use)
+#ifdef USE_SSL
+ /*
+ * Get the list of channel binding types supported by the SSL
+ * implementation used to determine if server should publish any
+ * SASL mechanism supporting channel binding or not.
+ */
+ channel_bindings = be_tls_list_channel_bindings();
+#endif
+
+ if (port->ssl_in_use &&
+ list_length(channel_bindings) > 0)
{
strcpy(p, SCRAM_SHA_256_PLUS_NAME);
p += strlen(SCRAM_SHA_256_PLUS_NAME) + 1;
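Review bot: The list returned by be_tls_list_channel_bindings() is consulted only for the `list_length(channel_bindings) > 0` test and is never released in this hunk, even though each element is a pstrdup'd string; unless the enclosing memory context is reset shortly after, adding `list_free_deep(channel_bindings);` once the mechanism list has been assembled makes the ownership explicit. The matching declaration `List *channel_bindings = NIL;` lives in the first auth.c hunk, so the NIL default keeps the non-USE_SSL build correct, which is worth saying in the comment. This check only gates whether SCRAM-SHA-256-PLUS is advertised; whether the binding type the client later selects is validated against the same list happens outside this hunk and cannot be confirmed from here. CheckSCRAMAuth's body starts and ends outside the hunk.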
diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 48b468f62f..cc55ce04ef 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -36,6 +36,7 @@
#include <openssl/ec.h>
#endif
+#include "common/scram-common.h"
#include "libpq/libpq.h"
#include "miscadmin.h"
#include "pgstat.h"
@@ -1184,6 +1185,18 @@ be_tls_get_certificate_hash(Port *port, size_t *len)
#endif
}
+/*
+ * Routine to get the list of channel binding types available in this SSL
+ * implementation. For OpenSSL, both tls-unique and tls-server-end-point
+ * are supported.
+ */
+List *
+be_tls_list_channel_bindings(void)
+{
+ return list_make2(pstrdup(SCRAM_CHANNEL_BINDING_TLS_UNIQUE),
+ pstrdup(SCRAM_CHANNEL_BINDING_TLS_END_POINT));
+}
+
/*
* Convert an X509 subject name to a cstring.
*
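Review bot: The header comment on be_tls_list_channel_bindings() should state who owns the returned memory: both the List cells and the strings come from list_make2()/pstrdup() in the current memory context, so a caller running in a long-lived context must release them. Proposed addition to the comment: `The returned list and its strings are allocated in the current memory context; the caller is responsible for freeing them (list_free_deep).` The function also takes no Port argument, so it reports the same two types regardless of what was negotiated on the connection; since tls-unique is defined in terms of the TLS Finished message (the neighbouring function in this file deals with exactly that), a comment noting that the result is static and does not account for protocol versions where that binding is unavailable would keep the advertisement honest.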
diff --git a/src/include/libpq/libpq-be.h b/src/include/libpq/libpq-be.h
index 7698cd1f88..1a314346b8 100644
--- a/src/include/libpq/libpq-be.h
+++ b/src/include/libpq/libpq-be.h
@@ -259,6 +259,7 @@ extern bool be_tls_get_compression(Port *port);
extern const char *be_tls_get_version(Port *port);
extern const char *be_tls_get_cipher(Port *port);
extern void be_tls_get_peerdn_name(Port *port, char *ptr, size_t len);
+extern List *be_tls_list_channel_bindings(void);
/*
* Get the expected TLS Finished message information from the client, useful
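Review bot: The new prototype `extern List *be_tls_list_channel_bindings(void);` is the only declaration in this group that returns a palloc'd structure, yet unlike the surrounding functions it carries no comment; add one line above it, e.g. `/* Channel binding types supported by the SSL implementation; list and strings are palloc'd, caller frees. */`. If libpq-be.h does not already include nodes/pg_list.h (not visible in this hunk), the `List` type will need that include or a forward declaration so the header stays self-contained.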
