Hi all, Please find attached a patch to add support for channel binding for SCRAM, to mitigate MITM attacks using this protocol. Per RFC5802 (https://tools.ietf.org/html/rfc5802), servers supporting channel binding need to add support for tls-unique, and this is what this patch does.
As defined in RFC5056 (exactly here => https://tools.ietf.org/html/rfc5056#section-4.1), servers can use the TLS finish message to determine if the client is actually the same as the one who initiated the connection, to eliminate the risk of MITM attacks. OpenSSL offers two undocumented APIs for this purpose: - SSL_get_finished() to get the latest TLS finish message that the client has sent. - SSL_get_peer_finished(), to get the latest TLS finish message expected by the server. So basically what is needed here is saving the latest message generated by client in libpq using get_finished(), send it to the server using the SASL exchange messages (value sent with the final client message), and then compare it with what the server expected. Connection is successful if what the client has sent and what the server expects match. There is also a clear documentation about what is expected from the client and the server in terms of how both should behave using the first client message https://tools.ietf.org/html/rfc5802#section-6. So I have tried to follow it, reviews are welcome particularly regarding that. The implementation is done in such a way that channel binding is used in the context of an SSL connection, which is what the RFCs expect from an implementation. Before even that, the server needs to send to the client the list of SASL mechanisms that are supported. This adds SCRAM-SHA-256-PLUS if the server has been built with SSL support to the list. Comments are welcome, I am parking that in the next CF for integration in PG11. Thanks, -- Michael
Description: Binary data
-- Sent via pgsql-hackers mailing list (firstname.lastname@example.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers