Channel binding support for SCRAM-SHA-256

From a950cf8d2a57ddffde7a5796997c0e1676352ef7 Mon Sep 17 00:00:00 2001
From: Michael Paquier <michael@paquier.xyz>
Date: Fri, 16 Jun 2017 17:00:06 +0900
Subject: [PATCH 1/4] Refactor routine to test connection to SSL server

Move the sub-routines wrappers to check if a connection to a server is
fine or not into the test main module. This is useful for other tests
willing to check connectivity into a server.
---
 src/test/ssl/ServerSetup.pm    |  45 +++++++++++++-
 src/test/ssl/t/001_ssltests.pl | 132 +++++++++++++++++------------------------
 2 files changed, 100 insertions(+), 77 deletions(-)

diff --git a/src/test/ssl/ServerSetup.pm b/src/test/ssl/ServerSetup.pm
index f63c81cfc6..ad2e036602 100644
--- a/src/test/ssl/ServerSetup.pm
+++ b/src/test/ssl/ServerSetup.pm
@@ -26,9 +26,52 @@ use Test::More;
 
 use Exporter 'import';
 our @EXPORT = qw(
-  configure_test_server_for_ssl switch_server_cert
+  configure_test_server_for_ssl
+  run_test_psql
+  switch_server_cert
+  test_connect_fails
+  test_connect_ok
 );
 
+# Define a couple of helper functions to test connecting to the server.
+
+# Attempt connection to server with given connection string.
+sub run_test_psql
+{
+	my $connstr   = $_[0];
+	my $logstring = $_[1];
+
+	my $cmd = [
+		'psql', '-X', '-A', '-t', '-c', "SELECT 'connected with $connstr'",
+		'-d', "$connstr" ];
+
+	my $result = run_log($cmd);
+	return $result;
+}
+
+#
+# The first argument is a base connection string to use for connection.
+# The second argument is a complementary connection string, and it's also
+# printed out as the test case name.
+sub test_connect_ok
+{
+	my $common_connstr = $_[0];
+	my $connstr = $_[1];
+
+	my $result =
+	  run_test_psql("$common_connstr $connstr", "(should succeed)");
+	ok($result, $connstr);
+}
+
+sub test_connect_fails
+{
+	my $common_connstr = $_[0];
+	my $connstr = $_[1];
+
+	my $result = run_test_psql("$common_connstr $connstr", "(should fail)");
+	ok(!$result, "$connstr (should fail)");
+}
+
 # Copy a set of files, taking into account wildcards
 sub copy_files
 {
diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl
index 32df273929..890e3051a2 100644
--- a/src/test/ssl/t/001_ssltests.pl
+++ b/src/test/ssl/t/001_ssltests.pl
@@ -13,44 +13,9 @@ use File::Copy;
 # postgresql-ssl-regression.test.
 my $SERVERHOSTADDR = '127.0.0.1';
 
-# Define a couple of helper functions to test connecting to the server.
-
+# Allocation of base connection string shared among multiple tests.
 my $common_connstr;
 
-sub run_test_psql
-{
-	my $connstr   = $_[0];
-	my $logstring = $_[1];
-
-	my $cmd = [
-		'psql', '-X', '-A', '-t', '-c', "SELECT 'connected with $connstr'",
-		'-d', "$connstr" ];
-
-	my $result = run_log($cmd);
-	return $result;
-}
-
-#
-# The first argument is a (part of a) connection string, and it's also printed
-# out as the test case name. It is appended to $common_connstr global variable,
-# which also contains a libpq connection string.
-sub test_connect_ok
-{
-	my $connstr = $_[0];
-
-	my $result =
-	  run_test_psql("$common_connstr $connstr", "(should succeed)");
-	ok($result, $connstr);
-}
-
-sub test_connect_fails
-{
-	my $connstr = $_[0];
-
-	my $result = run_test_psql("$common_connstr $connstr", "(should fail)");
-	ok(!$result, "$connstr (should fail)");
-}
-
 # The client's private key must not be world-readable, so take a copy
 # of the key stored in the code tree and update its permissions.
 copy("ssl/client.key", "ssl/client_tmp.key");
@@ -83,50 +48,59 @@ $common_connstr =
 
 # The server should not accept non-SSL connections
 note "test that the server doesn't accept non-SSL connections";
-test_connect_fails("sslmode=disable");
+test_connect_fails($common_connstr, "sslmode=disable");
 
 # Try without a root cert. In sslmode=require, this should work. In verify-ca
 # or verify-full mode it should fail
 note "connect without server root cert";
-test_connect_ok("sslrootcert=invalid sslmode=require");
-test_connect_fails("sslrootcert=invalid sslmode=verify-ca");
-test_connect_fails("sslrootcert=invalid sslmode=verify-full");
+test_connect_ok($common_connstr, "sslrootcert=invalid sslmode=require");
+test_connect_fails($common_connstr, "sslrootcert=invalid sslmode=verify-ca");
+test_connect_fails($common_connstr, "sslrootcert=invalid sslmode=verify-full");
 
 # Try with wrong root cert, should fail. (we're using the client CA as the
 # root, but the server's key is signed by the server CA)
 note "connect without wrong server root cert";
-test_connect_fails("sslrootcert=ssl/client_ca.crt sslmode=require");
-test_connect_fails("sslrootcert=ssl/client_ca.crt sslmode=verify-ca");
-test_connect_fails("sslrootcert=ssl/client_ca.crt sslmode=verify-full");
+test_connect_fails($common_connstr,
+	"sslrootcert=ssl/client_ca.crt sslmode=require");
+test_connect_fails($common_connstr,
+	"sslrootcert=ssl/client_ca.crt sslmode=verify-ca");
+test_connect_fails($common_connstr,
+	"sslrootcert=ssl/client_ca.crt sslmode=verify-full");
 
 # Try with just the server CA's cert. This fails because the root file
 # must contain the whole chain up to the root CA.
 note "connect with server CA cert, without root CA";
-test_connect_fails("sslrootcert=ssl/server_ca.crt sslmode=verify-ca");
+test_connect_fails($common_connstr,
+	"sslrootcert=ssl/server_ca.crt sslmode=verify-ca");
 
 # And finally, with the correct root cert.
 note "connect with correct server CA cert file";
-test_connect_ok("sslrootcert=ssl/root+server_ca.crt sslmode=require");
-test_connect_ok("sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca");
-test_connect_ok("sslrootcert=ssl/root+server_ca.crt sslmode=verify-full");
+test_connect_ok($common_connstr,
+	"sslrootcert=ssl/root+server_ca.crt sslmode=require");
+test_connect_ok($common_connstr,
+	"sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca");
+test_connect_ok($common_connstr,
+	"sslrootcert=ssl/root+server_ca.crt sslmode=verify-full");
 
 # Test with cert root file that contains two certificates. The client should
 # be able to pick the right one, regardless of the order in the file.
-test_connect_ok("sslrootcert=ssl/both-cas-1.crt sslmode=verify-ca");
-test_connect_ok("sslrootcert=ssl/both-cas-2.crt sslmode=verify-ca");
+test_connect_ok($common_connstr,
+	"sslrootcert=ssl/both-cas-1.crt sslmode=verify-ca");
+test_connect_ok($common_connstr,
+	"sslrootcert=ssl/both-cas-2.crt sslmode=verify-ca");
 
 note "testing sslcrl option with a non-revoked cert";
 
 # Invalid CRL filename is the same as no CRL, succeeds
-test_connect_ok(
+test_connect_ok($common_connstr,
 	"sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=invalid");
 
 # A CRL belonging to a different CA is not accepted, fails
-test_connect_fails(
+test_connect_fails($common_connstr,
 "sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/client.crl");
 
 # With the correct CRL, succeeds (this cert is not revoked)
-test_connect_ok(
+test_connect_ok($common_connstr,
 "sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/root+server.crl"
 );
 
@@ -136,9 +110,9 @@ note "test mismatch between hostname and server certificate";
 $common_connstr =
 "user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full";
 
-test_connect_ok("sslmode=require host=wronghost.test");
-test_connect_ok("sslmode=verify-ca host=wronghost.test");
-test_connect_fails("sslmode=verify-full host=wronghost.test");
+test_connect_ok($common_connstr, "sslmode=require host=wronghost.test");
+test_connect_ok($common_connstr, "sslmode=verify-ca host=wronghost.test");
+test_connect_fails($common_connstr, "sslmode=verify-full host=wronghost.test");
 
 # Test Subject Alternative Names.
 switch_server_cert($node, 'server-multiple-alt-names');
@@ -147,12 +121,13 @@ note "test hostname matching with X.509 Subject Alternative Names";
 $common_connstr =
 "user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full";
 
-test_connect_ok("host=dns1.alt-name.pg-ssltest.test");
-test_connect_ok("host=dns2.alt-name.pg-ssltest.test");
-test_connect_ok("host=foo.wildcard.pg-ssltest.test");
+test_connect_ok($common_connstr, "host=dns1.alt-name.pg-ssltest.test");
+test_connect_ok($common_connstr, "host=dns2.alt-name.pg-ssltest.test");
+test_connect_ok($common_connstr, "host=foo.wildcard.pg-ssltest.test");
 
-test_connect_fails("host=wronghost.alt-name.pg-ssltest.test");
-test_connect_fails("host=deep.subdomain.wildcard.pg-ssltest.test");
+test_connect_fails($common_connstr, "host=wronghost.alt-name.pg-ssltest.test");
+test_connect_fails($common_connstr,
+	"host=deep.subdomain.wildcard.pg-ssltest.test");
 
 # Test certificate with a single Subject Alternative Name. (this gives a
 # slightly different error message, that's all)
@@ -162,10 +137,11 @@ note "test hostname matching with a single X.509 Subject Alternative Name";
 $common_connstr =
 "user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full";
 
-test_connect_ok("host=single.alt-name.pg-ssltest.test");
+test_connect_ok($common_connstr, "host=single.alt-name.pg-ssltest.test");
 
-test_connect_fails("host=wronghost.alt-name.pg-ssltest.test");
-test_connect_fails("host=deep.subdomain.wildcard.pg-ssltest.test");
+test_connect_fails($common_connstr, "host=wronghost.alt-name.pg-ssltest.test");
+test_connect_fails($common_connstr,
+	"host=deep.subdomain.wildcard.pg-ssltest.test");
 
 # Test server certificate with a CN and SANs. Per RFCs 2818 and 6125, the CN
 # should be ignored when the certificate has both.
@@ -175,9 +151,9 @@ note "test certificate with both a CN and SANs";
 $common_connstr =
 "user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full";
 
-test_connect_ok("host=dns1.alt-name.pg-ssltest.test");
-test_connect_ok("host=dns2.alt-name.pg-ssltest.test");
-test_connect_fails("host=common-name.pg-ssltest.test");
+test_connect_ok($common_connstr, "host=dns1.alt-name.pg-ssltest.test");
+test_connect_ok($common_connstr, "host=dns2.alt-name.pg-ssltest.test");
+test_connect_fails($common_connstr, "host=common-name.pg-ssltest.test");
 
 # Finally, test a server certificate that has no CN or SANs. Of course, that's
 # not a very sensible certificate, but libpq should handle it gracefully.
@@ -185,8 +161,10 @@ switch_server_cert($node, 'server-no-names');
 $common_connstr =
 "user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR";
 
-test_connect_ok("sslmode=verify-ca host=common-name.pg-ssltest.test");
-test_connect_fails("sslmode=verify-full host=common-name.pg-ssltest.test");
+test_connect_ok($common_connstr,
+	"sslmode=verify-ca host=common-name.pg-ssltest.test");
+test_connect_fails($common_connstr,
+	"sslmode=verify-full host=common-name.pg-ssltest.test");
 
 # Test that the CRL works
 note "testing client-side CRL";
@@ -196,8 +174,9 @@ $common_connstr =
 "user=ssltestuser dbname=trustdb sslcert=invalid hostaddr=$SERVERHOSTADDR host=common-name.pg-ssltest.test";
 
 # Without the CRL, succeeds. With it, fails.
-test_connect_ok("sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca");
-test_connect_fails(
+test_connect_ok($common_connstr,
+	"sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca");
+test_connect_fails($common_connstr,
 "sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/root+server.crl"
 );
 
@@ -210,18 +189,18 @@ $common_connstr =
 "sslrootcert=ssl/root+server_ca.crt sslmode=require dbname=certdb hostaddr=$SERVERHOSTADDR";
 
 # no client cert
-test_connect_fails("user=ssltestuser sslcert=invalid");
+test_connect_fails($common_connstr, "user=ssltestuser sslcert=invalid");
 
 # correct client cert
-test_connect_ok(
+test_connect_ok($common_connstr,
 	"user=ssltestuser sslcert=ssl/client.crt sslkey=ssl/client_tmp.key");
 
 # client cert belonging to another user
-test_connect_fails(
+test_connect_fails($common_connstr,
 	"user=anotheruser sslcert=ssl/client.crt sslkey=ssl/client_tmp.key");
 
 # revoked client cert
-test_connect_fails(
+test_connect_fails($common_connstr,
 "user=ssltestuser sslcert=ssl/client-revoked.crt sslkey=ssl/client-revoked.key"
 );
 
@@ -230,8 +209,9 @@ switch_server_cert($node, 'server-cn-only', 'root_ca');
 $common_connstr =
 "user=ssltestuser dbname=certdb sslkey=ssl/client_tmp.key sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR";
 
-test_connect_ok("sslmode=require sslcert=ssl/client+client_ca.crt");
-test_connect_fails("sslmode=require sslcert=ssl/client.crt");
+test_connect_ok($common_connstr,
+	"sslmode=require sslcert=ssl/client+client_ca.crt");
+test_connect_fails($common_connstr, "sslmode=require sslcert=ssl/client.crt");
 
 # clean up
 unlink "ssl/client_tmp.key";
-- 
2.13.1

From b98d908688abe7529a5800c277930f3523969dd9 Mon Sep 17 00:00:00 2001
From: Michael Paquier <michael@paquier.xyz>
Date: Tue, 20 Jun 2017 10:18:58 +0900
Subject: [PATCH 2/4] Support channel binding 'tls-unique' in SCRAM

This is the basic feature set using OpenSSL to support the feature.
In order to allow the frontend and the backend to fetch the sent and
expected TLS finish messages, a PG-like API is added to be able to
make the interface pluggable for other SSL implementations.
---
 doc/src/sgml/protocol.sgml               |  24 +++--
 src/backend/libpq/auth-scram.c           | 151 +++++++++++++++++++++++++------
 src/backend/libpq/auth.c                 |  86 +++++++++++++++---
 src/backend/libpq/be-secure-openssl.c    |  24 +++++
 src/include/libpq/libpq-be.h             |   1 +
 src/include/libpq/scram.h                |  10 +-
 src/interfaces/libpq/fe-auth-scram.c     | 105 ++++++++++++++++-----
 src/interfaces/libpq/fe-auth.c           |  43 ++++++++-
 src/interfaces/libpq/fe-auth.h           |   4 +-
 src/interfaces/libpq/fe-secure-openssl.c |  26 ++++++
 src/interfaces/libpq/libpq-int.h         |   5 +-
 11 files changed, 404 insertions(+), 75 deletions(-)

diff --git a/doc/src/sgml/protocol.sgml b/doc/src/sgml/protocol.sgml
index a7a3d3b2f9..0a556ebdc6 100644
--- a/doc/src/sgml/protocol.sgml
+++ b/doc/src/sgml/protocol.sgml
@@ -1342,10 +1342,11 @@
 
 <para>
 <firstterm>SASL</> is a framework for authentication in connection-oriented
-protocols. At the moment, <productname>PostgreSQL</> implements only one SASL
-authentication mechanism, SCRAM-SHA-256, but more might be added in the
-future. The below steps illustrate how SASL authentication is performed in
-general, while the next subsection gives more details on SCRAM-SHA-256.
+protocols. At the moment, <productname>PostgreSQL</> implements only two SASL
+authentication mechanisms, SCRAM-SHA-256 and SCRAM-SHA-256-PLUS, but more
+might be added in the future. The below steps illustrate how SASL
+authentication is performed in general, while the next subsection gives
+more details on SCRAM-SHA-256 and SCRAM-SHA-256-PLUS.
 </para>
 
 <procedure>
@@ -1430,7 +1431,10 @@ the password is in.
   </para>
 
   <para>
-<firstterm>Channel binding</> has not been implemented yet.
+<firstterm>Channel binding</> is supported in builds with SSL support, and
+uses as mechanism name <literal>SCRAM-SHA-256-PLUS</> for this purpose as
+defined per IANA. The only channel binding type supported by the server
+is <literal>tls-unique</>.
   </para>
 
 <procedure>
@@ -1439,14 +1443,18 @@ the password is in.
 <para>
   The server sends an AuthenticationSASL message. It includes a list of
   SASL authentication mechanisms that the server can accept.
+  <literal>SCRAM-SHA-256</> and <literal>SCRAM-SHA-256-PLUS</> are the
+  two mechanism names that the server lists in this message. Support for
+  channel binding is not included if the server is built without SSL
+  support and if the connection attempt is done without SSL.
 </para>
 </step>
 <step id="scram-client-first">
 <para>
   The client responds by sending a SASLInitialResponse message, which
-  indicates the chosen mechanism, <literal>SCRAM-SHA-256</>. In the Initial
-  Client response field, the message contains the SCRAM
-  <structname>client-first-message</>.
+  indicates the chosen mechanism, <literal>SCRAM-SHA-256</> or
+  <literal>SCRAM-SHA-256-PLUS</>. In the Initial Client response field,
+  the message contains the SCRAM <structname>client-first-message</>.
 </para>
 </step>
 <step id="scram-server-first">
diff --git a/src/backend/libpq/auth-scram.c b/src/backend/libpq/auth-scram.c
index a6042b8013..90c6b20b82 100644
--- a/src/backend/libpq/auth-scram.c
+++ b/src/backend/libpq/auth-scram.c
@@ -17,8 +17,6 @@
  *	 by the SASLprep profile, we skip the SASLprep pre-processing and use
  *	 the raw bytes in calculating the hash.
  *
- * - Channel binding is not supported yet.
- *
  *
  * The password stored in pg_authid consists of the iteration count, salt,
  * StoredKey and ServerKey.
@@ -112,6 +110,10 @@ typedef struct
 
 	const char *username;		/* username from startup packet */
 
+	bool		ssl_in_use;
+	char	   *tls_finish_message;
+	int			tls_finish_len;
+
 	int			iterations;
 	char	   *salt;			/* base64-encoded */
 	uint8		StoredKey[SCRAM_KEY_LEN];
@@ -168,7 +170,11 @@ static char *scram_mock_salt(const char *username);
  * it will fail, as if an incorrect password was given.
  */
 void *
-pg_be_scram_init(const char *username, const char *shadow_pass)
+pg_be_scram_init(const char *username,
+				 const char *shadow_pass,
+				 bool ssl_in_use,
+				 char *tls_finish_message,
+				 int tls_finish_len)
 {
 	scram_state *state;
 	bool		got_verifier;
@@ -176,6 +182,9 @@ pg_be_scram_init(const char *username, const char *shadow_pass)
 	state = (scram_state *) palloc0(sizeof(scram_state));
 	state->state = SCRAM_AUTH_INIT;
 	state->username = username;
+	state->ssl_in_use = ssl_in_use;
+	state->tls_finish_message = tls_finish_message;
+	state->tls_finish_len = tls_finish_len;
 
 	/*
 	 * Parse the stored password verifier.
@@ -773,31 +782,93 @@ read_client_first_message(scram_state *state, char *input)
 	 *------
 	 */
 
-	/* read gs2-cbind-flag */
+	/*
+	 * Read gs2-cbind-flag. Server handles its value as described in RFC 5802,
+	 * section 6 dealing with channel binding.
+	 */
 	switch (*input)
 	{
 		case 'n':
-			/* Client does not support channel binding */
+			/*
+			 * Client does not support channel binding, this is authorized
+			 * only in builds not supporting SSL.  If SSL is supported, the
+			 * server cannot support this option either.
+			 */
+#ifdef USE_SSL
+			if (state->ssl_in_use)
+				ereport(ERROR,
+						(errcode(ERRCODE_PROTOCOL_VIOLATION),
+						 errmsg("client does not support SCRAM channel binding, but server needs it for SSL connections")));
+			else
+				ereport(ERROR,
+						(errcode(ERRCODE_PROTOCOL_VIOLATION),
+						 errmsg("client does not support SCRAM channel binding, but server does")));
+#endif
+			input++;
+			if (*input != ',')
+				ereport(ERROR,
+						(errcode(ERRCODE_PROTOCOL_VIOLATION),
+						 errmsg("malformed SCRAM message"),
+						 errdetail("Comma expected, but found character %s.",
+								   sanitize_char(*input))));
 			input++;
 			break;
 		case 'y':
-			/* Client supports channel binding, but we're not doing it today */
+			/*
+			 * Client supports channel binding, but we're not doing it today
+			 * in the context of a non-SSL connection.  Complain though if
+			 * the client is trying to trick the server in not doing channel
+			 * binding with a downgrade attack if a SSL connection is
+			 * attempted.
+			 */
+			if (state->ssl_in_use)
+				ereport(ERROR,
+						(errcode(ERRCODE_PROTOCOL_VIOLATION),
+						 errmsg("client support SCRAM channel binding, but server needs it for SSL connections")));
+			input++;
+			if (*input != ',')
+				ereport(ERROR,
+						(errcode(ERRCODE_PROTOCOL_VIOLATION),
+						 errmsg("malformed SCRAM message"),
+						 errdetail("Comma expected, but found character %s.",
+								   sanitize_char(*input))));
 			input++;
 			break;
 		case 'p':
+			{
+#ifdef USE_SSL
+				char *channel_name;
 
-			/*
-			 * Client requires channel binding.  We don't support it.
-			 *
-			 * RFC 5802 specifies a particular error code,
-			 * e=server-does-support-channel-binding, for this.  But it can
-			 * only be sent in the server-final message, and we don't want to
-			 * go through the motions of the authentication, knowing it will
-			 * fail, just to send that error message.
-			 */
-			ereport(ERROR,
-					(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
-					 errmsg("client requires SCRAM channel binding, but it is not supported")));
+				if (!state->ssl_in_use)
+					ereport(ERROR,
+							(errcode(ERRCODE_PROTOCOL_VIOLATION),
+							 errmsg("client supports SCRAM channel binding, but server does not need it for non-SSL connections")));
+
+				/*
+				 * Read value provided by client, only tls-unique is supported
+				 * for now.
+				 */
+				channel_name = read_attr_value(&input, 'p');
+				if (strcmp(channel_name, SCRAM_CHANNEL_TLS_UNIQUE) != 0)
+					ereport(ERROR,
+						(errcode(ERRCODE_PROTOCOL_VIOLATION),
+						 (errmsg("unexpected SCRAM channel-binding type"))));
+#else
+				/*
+				 * Client requires channel binding.  We don't support it.
+				 *
+				 * RFC 5802 specifies a particular error code,
+				 * e=server-does-support-channel-binding, for this.  But it
+				 * can only be sent in the server-final message, and we don't
+				 * want to go through the motions of the authentication,
+				 * knowing it will fail, just to send that error message.
+				 */
+				ereport(ERROR,
+						(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
+						 errmsg("client requires SCRAM channel binding, but it is not supported")));
+#endif
+			}
+			break;
 		default:
 			ereport(ERROR,
 					(errcode(ERRCODE_PROTOCOL_VIOLATION),
@@ -805,13 +876,6 @@ read_client_first_message(scram_state *state, char *input)
 					 errdetail("Unexpected channel-binding flag %s.",
 							   sanitize_char(*input))));
 	}
-	if (*input != ',')
-		ereport(ERROR,
-				(errcode(ERRCODE_PROTOCOL_VIOLATION),
-				 errmsg("malformed SCRAM message"),
-				 errdetail("Comma expected, but found character %s.",
-						   sanitize_char(*input))));
-	input++;
 
 	/*
 	 * Forbid optional authzid (authorization identity).  We don't support it.
@@ -1032,14 +1096,47 @@ read_client_final_message(scram_state *state, char *input)
 	 */
 
 	/*
-	 * Read channel-binding.  We don't support channel binding, so it's
-	 * expected to always be "biws", which is "n,,", base64-encoded.
+	 * Read channel-binding.  We don't support channel binding for builds
+	 * without SSL support, so it's expected to always be "biws" in this case,
+	 * which is "n,,", base64-encoded.  In builds supporting SSL, "biws" is
+	 * used for Non-SSL connection attempts, and for SSL connections the
+	 * client has to provide channel binding value.
 	 */
 	channel_binding = read_attr_value(&p, 'c');
+#ifdef USE_SSL
+	if (state->ssl_in_use)
+	{
+		char	   *enc_tls_message;
+		int			enc_tls_len;
+
+		enc_tls_message = palloc(pg_b64_enc_len(state->tls_finish_len) + 1);
+		enc_tls_len = pg_b64_encode(state->tls_finish_message,
+									state->tls_finish_len,
+									enc_tls_message);
+		enc_tls_message[enc_tls_len] = '\0';
+
+		/*
+		 * Compare the value sent by the client with the TLS finish message
+		 * expected by the server.
+		 */
+		if (strcmp(channel_binding, enc_tls_message) != 0)
+			ereport(ERROR,
+					(errcode(ERRCODE_PROTOCOL_VIOLATION),
+					 (errmsg("no match for SCRAM channel-binding attribute in client-final-message"))));
+	}
+	else
+	{
+		if (strcmp(channel_binding, "biws") != 0)
+			ereport(ERROR,
+					(errcode(ERRCODE_PROTOCOL_VIOLATION),
+					 (errmsg("unexpected SCRAM channel-binding attribute in client-final-message"))));
+	}
+#else
 	if (strcmp(channel_binding, "biws") != 0)
 		ereport(ERROR,
 				(errcode(ERRCODE_PROTOCOL_VIOLATION),
 				 (errmsg("unexpected SCRAM channel-binding attribute in client-final-message"))));
+#endif
 	state->client_final_nonce = read_attr_value(&p, 'r');
 
 	/* ignore optional extensions */
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index 081c06a1e6..439e4e8ab9 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -841,10 +841,14 @@ CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail)
 	void	   *scram_opaq;
 	char	   *output = NULL;
 	int			outputlen = 0;
-	char	   *input;
+	char	   *input, *p;
+	char	   *sasl_mechs;
 	int			inputlen;
+	int			listlen = 0;
 	int			result;
 	bool		initial;
+	char	   *tls_finish = NULL;
+	int			tls_finish_len = 0;
 
 	/*
 	 * SASL auth is not supported for protocol versions before 3, because it
@@ -861,12 +865,49 @@ CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail)
 
 	/*
 	 * Send the SASL authentication request to user.  It includes the list of
-	 * authentication mechanisms (which is trivial, because we only support
-	 * SCRAM-SHA-256 at the moment).  The extra "\0" is for an empty string to
-	 * terminate the list.
+	 * authentication mechanisms that are supported:
+	 * - SCRAM-SHA-256, which is the mechanism with the same name.
+	 * - SCRAM-SHA-256-PLUS, which is SCRAM-SHA-256 with channel binding. This
+	 * is advertised to the client only if connection is attempted with SSL.
+	 * The order of mechanisms is advertised in decreasing order of importance.
+	 * The extra "\0" is for an empty string to terminate the list, and each
+	 * mechanism listed needs to be separated with "\0".
 	 */
-	sendAuthRequest(port, AUTH_REQ_SASL, SCRAM_SHA256_NAME "\0",
-					strlen(SCRAM_SHA256_NAME) + 2);
+	listlen = 0;
+	sasl_mechs = (char *) palloc(strlen(SCRAM_SHA256_PLUS_NAME) +
+								 strlen(SCRAM_SHA256_NAME) + 3);
+	p = sasl_mechs;
+
+	/* add SCRAM-SHA-256-PLUS, which depends on if SSL is in use */
+	if (port->ssl_in_use)
+	{
+		strcpy(p, SCRAM_SHA256_PLUS_NAME);
+		listlen += strlen(SCRAM_SHA256_PLUS_NAME) + 1;
+		p += strlen(SCRAM_SHA256_PLUS_NAME) + 1;
+	}
+
+	/* add generic SCRAM-SHA-256 */
+	strcpy(p, SCRAM_SHA256_NAME);
+	listlen += strlen(SCRAM_SHA256_NAME) + 1;
+	p += strlen(SCRAM_SHA256_NAME) + 1;
+
+	/* put "\0" to mark that list is finished */
+	p[0] = '\0';
+	listlen++;
+
+	sendAuthRequest(port, AUTH_REQ_SASL, sasl_mechs, listlen);
+	pfree(sasl_mechs);
+
+#ifdef USE_SSL
+	/*
+	 * Fetch the data related to the SSL finish message to be used in the
+	 * exchange.
+	 */
+	if (port->ssl_in_use)
+	{
+		tls_finish = be_tls_get_peer_finish(port, &tls_finish_len);
+	}
+#endif
 
 	/*
 	 * Initialize the status tracker for message exchanges.
@@ -879,7 +920,11 @@ CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail)
 	 * This is because we don't want to reveal to an attacker what usernames
 	 * are valid, nor which users have a valid password.
 	 */
-	scram_opaq = pg_be_scram_init(port->user_name, shadow_pass);
+	scram_opaq = pg_be_scram_init(port->user_name,
+								  shadow_pass,
+								  port->ssl_in_use,
+								  tls_finish,
+								  tls_finish_len);
 
 	/*
 	 * Loop through SASL message exchange.  This exchange can consist of
@@ -928,17 +973,36 @@ CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail)
 			const char *selected_mech;
 
 			/*
-			 * We only support SCRAM-SHA-256 at the moment, so anything else
-			 * is an error.
+			 * We only support SCRAM-SHA-256 and SCRAM-SHA-256-PLUS at the
+			 * moment, so anything else is an error.
 			 */
 			selected_mech = pq_getmsgrawstring(&buf);
-			if (strcmp(selected_mech, SCRAM_SHA256_NAME) != 0)
+			if (strcmp(selected_mech, SCRAM_SHA256_NAME) != 0 &&
+				strcmp(selected_mech, SCRAM_SHA256_PLUS_NAME) != 0)
 			{
 				ereport(ERROR,
 						(errcode(ERRCODE_PROTOCOL_VIOLATION),
-						 errmsg("client selected an invalid SASL authentication mechanism")));
+						 errmsg("client selected an invalid SASL authentication mechanism"),
+						 errdetail("Incorrect SASL mechanism name specified")));
 			}
 
+#ifdef USE_SSL
+			/*
+			 * If an SSL connection is attempted, check for downgrade attacks.
+			 * A connection is not allowed to specify SCRAM-SHA-256 if its
+			 * -PLUS version has been submitted back to the client, which is
+			 * the default.
+			 */
+			if (port->ssl_in_use &&
+				strcmp(selected_mech, SCRAM_SHA256_NAME) == 0)
+			{
+				ereport(ERROR,
+						(errcode(ERRCODE_PROTOCOL_VIOLATION),
+						 errmsg("client selected invalid SASL authentication mechanism"),
+						 errdetail("Channel binding published to client but not selected.")));
+			}
+#endif
+
 			inputlen = pq_getmsgint(&buf, 4);
 			if (inputlen == -1)
 				input = NULL;
diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 44c84a7869..42c35800aa 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -1275,6 +1275,30 @@ be_tls_get_peerdn_name(Port *port, char *ptr, size_t len)
 }
 
 /*
+ * Routine to get the expected TLS finish message information from the
+ * client, useful for authorization when doing channel binding.
+ *
+ * Result is a palloc'd copy of the TLS finish message with its size.
+ */
+char *
+be_tls_get_peer_finish(Port *port, int *len)
+{
+	char		dummy[1];
+	char	   *result;
+
+	/*
+	 * OpenSSL does not offer an API to get directly the length of the
+	 * expected TLS finish message, so just do a dummy call to grab this
+	 * information to allow caller to do an allocation with a correct size.
+	 */
+	*len = SSL_get_peer_finished(port->ssl, dummy, sizeof(dummy));
+	result = (char *) palloc(*len * sizeof(char));
+	(void) SSL_get_peer_finished(port->ssl, result, *len);
+
+	return result;
+}
+
+/*
  * Convert an X509 subject name to a cstring.
  *
  */
diff --git a/src/include/libpq/libpq-be.h b/src/include/libpq/libpq-be.h
index 0669b924cf..3957d04702 100644
--- a/src/include/libpq/libpq-be.h
+++ b/src/include/libpq/libpq-be.h
@@ -209,6 +209,7 @@ extern bool be_tls_get_compression(Port *port);
 extern void be_tls_get_version(Port *port, char *ptr, size_t len);
 extern void be_tls_get_cipher(Port *port, char *ptr, size_t len);
 extern void be_tls_get_peerdn_name(Port *port, char *ptr, size_t len);
+extern char *be_tls_get_peer_finish(Port *port, int *len);
 #endif
 
 extern ProtocolVersion FrontendProtocol;
diff --git a/src/include/libpq/scram.h b/src/include/libpq/scram.h
index 14b48af12f..58eae11231 100644
--- a/src/include/libpq/scram.h
+++ b/src/include/libpq/scram.h
@@ -13,8 +13,12 @@
 #ifndef PG_SCRAM_H
 #define PG_SCRAM_H
 
-/* Name of SCRAM-SHA-256 per IANA */
+/* Name of SCRAM mechanisms per IANA */
 #define SCRAM_SHA256_NAME "SCRAM-SHA-256"
+#define SCRAM_SHA256_PLUS_NAME "SCRAM-SHA-256-PLUS"	/* with channel binding */
+
+/* Channel binding names */
+#define SCRAM_CHANNEL_TLS_UNIQUE	"tls-unique"
 
 /* Status codes for message exchange */
 #define SASL_EXCHANGE_CONTINUE		0
@@ -22,7 +26,9 @@
 #define SASL_EXCHANGE_FAILURE		2
 
 /* Routines dedicated to authentication */
-extern void *pg_be_scram_init(const char *username, const char *shadow_pass);
+extern void *pg_be_scram_init(const char *username, const char *shadow_pass,
+					 bool ssl_in_use, char *tls_finish_message,
+					 int tls_finish_len);
 extern int pg_be_scram_exchange(void *opaq, char *input, int inputlen,
 					 char **output, int *outputlen, char **logdetail);
 
diff --git a/src/interfaces/libpq/fe-auth-scram.c b/src/interfaces/libpq/fe-auth-scram.c
index d2e355a8b8..3a9fe4e057 100644
--- a/src/interfaces/libpq/fe-auth-scram.c
+++ b/src/interfaces/libpq/fe-auth-scram.c
@@ -17,6 +17,7 @@
 #include "common/base64.h"
 #include "common/saslprep.h"
 #include "common/scram-common.h"
+#include "libpq/scram.h"
 #include "fe-auth.h"
 
 /* These are needed for getpid(), in the fallback implementation */
@@ -44,6 +45,9 @@ typedef struct
 	/* These are supplied by the user */
 	const char *username;
 	char	   *password;
+	bool		ssl_in_use;
+	char	   *tls_finish_message;
+	int			tls_finish_len;
 
 	/* We construct these */
 	uint8		SaltedPassword[SCRAM_KEY_LEN];
@@ -81,7 +85,11 @@ static bool pg_frontend_random(char *dst, int len);
  * Initialize SCRAM exchange status.
  */
 void *
-pg_fe_scram_init(const char *username, const char *password)
+pg_fe_scram_init(const char *username,
+				 const char *password,
+				 bool ssl_in_use,
+				 char *tls_finish_message,
+				 int tls_finish_len)
 {
 	fe_scram_state *state;
 	char	   *prep_password;
@@ -93,6 +101,9 @@ pg_fe_scram_init(const char *username, const char *password)
 	memset(state, 0, sizeof(fe_scram_state));
 	state->state = FE_SCRAM_INIT;
 	state->username = username;
+	state->ssl_in_use = ssl_in_use;
+	state->tls_finish_message = tls_finish_message;
+	state->tls_finish_len = tls_finish_len;
 
 	/* Normalize the password with SASLprep, if possible */
 	rc = pg_saslprep(password, &prep_password);
@@ -297,9 +308,10 @@ static char *
 build_client_first_message(fe_scram_state *state, PQExpBuffer errormessage)
 {
 	char		raw_nonce[SCRAM_RAW_NONCE_LEN + 1];
-	char	   *buf;
-	char		buflen;
+	char	   *result;
+	int			channel_info_len;
 	int			encoded_len;
+	PQExpBufferData buf;
 
 	/*
 	 * Generate a "raw" nonce.  This is converted to ASCII-printable form by
@@ -328,26 +340,55 @@ build_client_first_message(fe_scram_state *state, PQExpBuffer errormessage)
 	 * prepared with SASLprep, the message parsing would fail if it includes
 	 * '=' or ',' characters.
 	 */
-	buflen = 8 + strlen(state->client_nonce) + 1;
-	buf = malloc(buflen);
-	if (buf == NULL)
-	{
-		printfPQExpBuffer(errormessage,
-						  libpq_gettext("out of memory\n"));
-		return NULL;
-	}
-	snprintf(buf, buflen, "n,,n=,r=%s", state->client_nonce);
+	initPQExpBuffer(&buf);
 
-	state->client_first_message_bare = strdup(buf + 3);
+	/*
+	 * First build the query field for channel binding. If the client is not
+	 * built with SSL support, it cannot support channel binding so it needs
+	 * to use "n" to let the server know. If built with SSL support, client
+	 * needs to use "y" to let the server know that client has such support
+	 * but that it is not using it as a non-SSL connection is requested.
+	 * Finally if a SSL connection is done, use p=cb-name, for which only
+	 * "tls-unique" is supported now.
+	 */
+#ifdef USE_SSL
+	if (state->ssl_in_use)
+		appendPQExpBuffer(&buf, "p=%s", SCRAM_CHANNEL_TLS_UNIQUE);
+	else
+		appendPQExpBuffer(&buf, "y");
+#else
+	appendPQExpBuffer(&buf, "n");
+#endif
+
+	if (PQExpBufferDataBroken(buf))
+		goto oom_error;
+
+	channel_info_len = buf.len;
+
+	appendPQExpBuffer(&buf, ",,n=,r=%s", state->client_nonce);
+	if (PQExpBufferDataBroken(buf))
+		goto oom_error;
+
+	/*
+	 * The first message content needs to be saved without channel binding
+	 * information.
+	 */
+	state->client_first_message_bare = strdup(buf.data + channel_info_len + 2);
 	if (!state->client_first_message_bare)
-	{
-		free(buf);
-		printfPQExpBuffer(errormessage,
-						  libpq_gettext("out of memory\n"));
-		return NULL;
-	}
+		goto oom_error;
 
-	return buf;
+	result = strdup(buf.data);
+	if (result == NULL)
+		goto oom_error;
+
+	termPQExpBuffer(&buf);
+	return result;
+
+oom_error:
+	termPQExpBuffer(&buf);
+	printfPQExpBuffer(errormessage,
+					  libpq_gettext("out of memory\n"));
+	return NULL;
 }
 
 /*
@@ -365,8 +406,30 @@ build_client_final_message(fe_scram_state *state, PQExpBuffer errormessage)
 	/*
 	 * Construct client-final-message-without-proof.  We need to remember it
 	 * for verifying the server proof in the final step of authentication.
+	 * Client needs to provide a b64 encoded string of the TLS finish message
+	 * only if a SSL connection is attempted.
 	 */
-	appendPQExpBuffer(&buf, "c=biws,r=%s", state->nonce);
+#ifdef USE_SSL
+	if (state->ssl_in_use)
+	{
+		appendPQExpBuffer(&buf, "c=");
+		if (!enlargePQExpBuffer(&buf, pg_b64_enc_len(state->tls_finish_len)))
+			goto oom_error;
+		buf.len += pg_b64_encode(state->tls_finish_message,
+								 state->tls_finish_len,
+								 buf.data + buf.len);
+		buf.data[buf.len] = '\0';
+	}
+	else
+		appendPQExpBuffer(&buf, "c=biws");
+#else
+	appendPQExpBuffer(&buf, "c=biws");
+#endif
+
+	if (PQExpBufferDataBroken(buf))
+		goto oom_error;
+
+	appendPQExpBuffer(&buf, ",r=%s", state->nonce);
 	if (PQExpBufferDataBroken(buf))
 		goto oom_error;
 
diff --git a/src/interfaces/libpq/fe-auth.c b/src/interfaces/libpq/fe-auth.c
index 181eeea835..f5e1c27964 100644
--- a/src/interfaces/libpq/fe-auth.c
+++ b/src/interfaces/libpq/fe-auth.c
@@ -504,7 +504,8 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 	/*
 	 * Parse the list of SASL authentication mechanisms in the
 	 * AuthenticationSASL message, and select the best mechanism that we
-	 * support.  (Only SCRAM-SHA-256 is supported at the moment.)
+	 * support.  SCRAM-SHA-256 and SCRAM-SHA-256-PLUS are the only ones
+	 * supported at the moment.
 	 */
 	selected_mechanism = NULL;
 	for (;;)
@@ -532,9 +533,12 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 		/*
 		 * Do we support this mechanism?
 		 */
-		if (strcmp(mechanism_buf.data, SCRAM_SHA256_NAME) == 0)
+		if (strcmp(mechanism_buf.data, SCRAM_SHA256_NAME) == 0 ||
+			strcmp(mechanism_buf.data, SCRAM_SHA256_PLUS_NAME) == 0)
 		{
 			char	   *password;
+			char	   *tls_finish = NULL;
+			int			tls_finish_len = 0;
 
 			conn->password_needed = true;
 			password = conn->connhost[conn->whichhost].password;
@@ -547,10 +551,41 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 				goto error;
 			}
 
-			conn->sasl_state = pg_fe_scram_init(conn->pguser, password);
+#ifdef USE_SSL
+			/* Fetch information about the TLS finish message */
+			if (conn->ssl_in_use)
+			{
+				tls_finish = pgtls_get_finish(conn, &tls_finish_len);
+				if (tls_finish == NULL)
+					goto oom_error;
+			}
+#endif
+
+			conn->sasl_state = pg_fe_scram_init(conn->pguser,
+												password,
+												conn->ssl_in_use,
+												tls_finish,
+												tls_finish_len);
 			if (!conn->sasl_state)
 				goto oom_error;
-			selected_mechanism = SCRAM_SHA256_NAME;
+
+			/*
+			 * Select the mechanism to use by default. If SSL connection
+			 * is attempted, the server will expect the -PLUS mechanism.
+			 * If not, fallback to SCRAM-SHA-256.
+			 */
+#ifdef USE_SSL
+			if (conn->ssl_in_use &&
+				strcmp(mechanism_buf.data, SCRAM_SHA256_PLUS_NAME) == 0)
+				selected_mechanism = SCRAM_SHA256_PLUS_NAME;
+			else if (!conn->ssl_in_use &&
+					 strcmp(mechanism_buf.data, SCRAM_SHA256_NAME) == 0)
+				selected_mechanism = SCRAM_SHA256_NAME;
+#else
+			/* No channel binding can be selected without SSL support */
+			if (strcmp(mechanism_buf.data, SCRAM_SHA256_NAME) == 0)
+				selected_mechanism = SCRAM_SHA256_NAME;
+#endif
 		}
 	}
 
diff --git a/src/interfaces/libpq/fe-auth.h b/src/interfaces/libpq/fe-auth.h
index 9f4c2a50d8..2ee9c6c48c 100644
--- a/src/interfaces/libpq/fe-auth.h
+++ b/src/interfaces/libpq/fe-auth.h
@@ -23,7 +23,9 @@ extern int	pg_fe_sendauth(AuthRequest areq, int payloadlen, PGconn *conn);
 extern char *pg_fe_getauthname(PQExpBuffer errorMessage);
 
 /* Prototypes for functions in fe-auth-scram.c */
-extern void *pg_fe_scram_init(const char *username, const char *password);
+extern void *pg_fe_scram_init(const char *username, const char *password,
+					 bool ssl_in_use, char *tls_finish_message,
+					 int tls_finish_len);
 extern void pg_fe_scram_free(void *opaq);
 extern void pg_fe_scram_exchange(void *opaq, char *input, int inputlen,
 					 char **output, int *outputlen,
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index a7c3d7af64..2da0b27b71 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -393,6 +393,32 @@ pgtls_write(PGconn *conn, const void *ptr, size_t len)
 	return n;
 }
 
+/*
+ *	Get the TLS finish message sent during last handshake
+ *
+ * This information is useful for callers doing channel binding during
+ * authentication.
+ */
+char *
+pgtls_get_finish(PGconn *conn, int *len)
+{
+	char		dummy[1];
+	char	   *result;
+
+	/*
+	 * OpenSSL does not offer an API to get directly the length of the
+	 * TLS finish message sent, so first do a dummy call to grab this
+	 * information and then do an allocation with the correct size.
+	 */
+	*len = SSL_get_finished(conn->ssl, dummy, sizeof(dummy));
+	result = malloc(*len);
+	if (result == NULL)
+		return NULL;
+	(void) SSL_get_finished(conn->ssl, result, *len);
+	return result;
+}
+
+
 /* ------------------------------------------------------------ */
 /*						OpenSSL specific code					*/
 /* ------------------------------------------------------------ */
diff --git a/src/interfaces/libpq/libpq-int.h b/src/interfaces/libpq/libpq-int.h
index 335568b790..6313d896b7 100644
--- a/src/interfaces/libpq/libpq-int.h
+++ b/src/interfaces/libpq/libpq-int.h
@@ -454,11 +454,13 @@ struct pg_conn
 	/* Assorted state for SASL, SSL, GSS, etc */
 	void	   *sasl_state;
 
+	/* SSL structures */
+	bool		ssl_in_use;
+
 #ifdef USE_SSL
 	bool		allow_ssl_try;	/* Allowed to try SSL negotiation */
 	bool		wait_ssl_try;	/* Delay SSL negotiation until after
 								 * attempting normal connection */
-	bool		ssl_in_use;
 #ifdef USE_OPENSSL
 	SSL		   *ssl;			/* SSL status, if have SSL connection */
 	X509	   *peer;			/* X509 cert of server */
@@ -669,6 +671,7 @@ extern void pgtls_close(PGconn *conn);
 extern ssize_t pgtls_read(PGconn *conn, void *ptr, size_t len);
 extern bool pgtls_read_pending(PGconn *conn);
 extern ssize_t pgtls_write(PGconn *conn, const void *ptr, size_t len);
+extern char *pgtls_get_finish(PGconn *conn, int *len);
 
 /*
  * this is so that we can check if a connection is non-blocking internally
-- 
2.13.1

From d1ede00d3e1ce086d0dd2ac7976c93a2f22dee77 Mon Sep 17 00:00:00 2001
From: Michael Paquier <michael@paquier.xyz>
Date: Tue, 20 Jun 2017 11:41:10 +0900
Subject: [PATCH 3/4] Add connection parameters "saslname" and
 "saslchannelbinding"

Those parameters can be used to respectively enforce the value of the
SASL mechanism name and the channel binding name sent to server during
a SASL message exchange.

A set of tests dedicated to SASL and channel binding is added as well
to the SSL test suite, which is handy to check the validity of a patch.
---
 doc/src/sgml/libpq.sgml              | 24 ++++++++++++++++
 src/backend/libpq/auth-scram.c       | 41 +++++++++++++++++++++-------
 src/interfaces/libpq/fe-auth-scram.c | 53 ++++++++++++++++++++++++++++++++----
 src/interfaces/libpq/fe-auth.c       |  8 ++++++
 src/interfaces/libpq/fe-auth.h       |  4 +--
 src/interfaces/libpq/fe-connect.c    | 13 +++++++++
 src/interfaces/libpq/libpq-int.h     |  2 ++
 src/test/ssl/ServerSetup.pm          | 19 +++++++++++--
 src/test/ssl/t/001_ssltests.pl       |  2 +-
 src/test/ssl/t/002_sasl.pl           | 52 +++++++++++++++++++++++++++++++++++
 10 files changed, 197 insertions(+), 21 deletions(-)
 create mode 100644 src/test/ssl/t/002_sasl.pl

diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml
index c3bd4f9b9b..f5de09b0b4 100644
--- a/doc/src/sgml/libpq.sgml
+++ b/doc/src/sgml/libpq.sgml
@@ -1171,6 +1171,30 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname
       </listitem>
      </varlistentry>
 
+     <varlistentry id="libpq-saslname" xreflabel="saslname">
+      <term><literal>saslname</literal></term>
+      <listitem>
+       <para>
+        Controls the name of the SASL mechanism name sent to server when doing
+        a message exchange for a SASL authentication. The list of SASL
+        mechanisms supported by server are listed in
+        <xref linkend="sasl-authentication">.
+       </para>
+      </listitem>
+     </varlistentry>
+
+     <varlistentry id="libpq-saslchannelbinding" xreflabel="saslchannelbinding">
+      <term><literal>saslchannelbinding</literal></term>
+      <listitem>
+       <para>
+        Controls the name of the channel binding name sent to server when doing
+        a message exchange for a SASL authentication. The list of channel
+        binding names supported by server are listed in
+        <xref linkend="sasl-authentication">.
+       </para>
+      </listitem>
+     </varlistentry>
+     
      <varlistentry id="libpq-connect-sslmode" xreflabel="sslmode">
       <term><literal>sslmode</literal></term>
       <listitem>
diff --git a/src/backend/libpq/auth-scram.c b/src/backend/libpq/auth-scram.c
index 90c6b20b82..c46bef5bb5 100644
--- a/src/backend/libpq/auth-scram.c
+++ b/src/backend/libpq/auth-scram.c
@@ -113,6 +113,7 @@ typedef struct
 	bool		ssl_in_use;
 	char	   *tls_finish_message;
 	int			tls_finish_len;
+	char	   *channel_binding;
 
 	int			iterations;
 	char	   *salt;			/* base64-encoded */
@@ -185,6 +186,7 @@ pg_be_scram_init(const char *username,
 	state->ssl_in_use = ssl_in_use;
 	state->tls_finish_message = tls_finish_message;
 	state->tls_finish_len = tls_finish_len;
+	state->channel_binding = NULL;
 
 	/*
 	 * Parse the stored password verifier.
@@ -853,6 +855,9 @@ read_client_first_message(scram_state *state, char *input)
 					ereport(ERROR,
 						(errcode(ERRCODE_PROTOCOL_VIOLATION),
 						 (errmsg("unexpected SCRAM channel-binding type"))));
+
+				/* Save the name for handling of subsequent messages */
+				state->channel_binding = pstrdup(channel_name);
 #else
 				/*
 				 * Client requires channel binding.  We don't support it.
@@ -1106,20 +1111,36 @@ read_client_final_message(scram_state *state, char *input)
 #ifdef USE_SSL
 	if (state->ssl_in_use)
 	{
-		char	   *enc_tls_message;
-		int			enc_tls_len;
+		char	   *b64_message, *raw_data;
+		int			b64_message_len, raw_data_len;
+
+		/* Fetch data for each channel binding type */
+		if (strcmp(state->channel_binding, SCRAM_CHANNEL_TLS_UNIQUE) == 0)
+		{
+			raw_data = state->tls_finish_message;
+			raw_data_len = state->tls_finish_len;
+		}
+		else
+		{
+			/* should not happen */
+			elog(ERROR, "invalid channel binding type");
+		}
+
+		/* should not happen, but better safe than sorry */
+		if (raw_data == NULL)
+			elog(ERROR, "empty binding data for channel name \"%s\"",
+				 state->channel_binding);
 
-		enc_tls_message = palloc(pg_b64_enc_len(state->tls_finish_len) + 1);
-		enc_tls_len = pg_b64_encode(state->tls_finish_message,
-									state->tls_finish_len,
-									enc_tls_message);
-		enc_tls_message[enc_tls_len] = '\0';
+		b64_message = palloc(pg_b64_enc_len(raw_data_len) + 1);
+		b64_message_len = pg_b64_encode(raw_data, raw_data_len,
+										b64_message);
+		b64_message[b64_message_len] = '\0';
 
 		/*
-		 * Compare the value sent by the client with the TLS finish message
-		 * expected by the server.
+		 * Compare the value sent by the client with the value expected by
+		 * the server.
 		 */
-		if (strcmp(channel_binding, enc_tls_message) != 0)
+		if (strcmp(channel_binding, b64_message) != 0)
 			ereport(ERROR,
 					(errcode(ERRCODE_PROTOCOL_VIOLATION),
 					 (errmsg("no match for SCRAM channel-binding attribute in client-final-message"))));
diff --git a/src/interfaces/libpq/fe-auth-scram.c b/src/interfaces/libpq/fe-auth-scram.c
index 3a9fe4e057..b781349f42 100644
--- a/src/interfaces/libpq/fe-auth-scram.c
+++ b/src/interfaces/libpq/fe-auth-scram.c
@@ -48,6 +48,8 @@ typedef struct
 	bool		ssl_in_use;
 	char	   *tls_finish_message;
 	int			tls_finish_len;
+	/* enforceable user parameters */
+	char	   *saslchannelbinding;	/* name of channel binding to use */
 
 	/* We construct these */
 	uint8		SaltedPassword[SCRAM_KEY_LEN];
@@ -88,6 +90,7 @@ void *
 pg_fe_scram_init(const char *username,
 				 const char *password,
 				 bool ssl_in_use,
+				 char *saslchannelbinding,
 				 char *tls_finish_message,
 				 int tls_finish_len)
 {
@@ -105,6 +108,15 @@ pg_fe_scram_init(const char *username,
 	state->tls_finish_message = tls_finish_message;
 	state->tls_finish_len = tls_finish_len;
 
+	/*
+	 * If user has specified a channel binding to use, enforce the
+	 * channel binding sent to it.  The default is "tls-unique".
+	 */
+	if (saslchannelbinding && strlen(saslchannelbinding) > 0)
+		state->saslchannelbinding = strdup(saslchannelbinding);
+	else
+		state->saslchannelbinding = strdup(SCRAM_CHANNEL_TLS_UNIQUE);
+
 	/* Normalize the password with SASLprep, if possible */
 	rc = pg_saslprep(password, &prep_password);
 	if (rc == SASLPREP_OOM)
@@ -136,6 +148,10 @@ pg_fe_scram_free(void *opaq)
 
 	if (state->password)
 		free(state->password);
+	if (state->tls_finish_message)
+		free(state->tls_finish_message);
+	if (state->saslchannelbinding)
+		free(state->saslchannelbinding);
 
 	/* client messages */
 	if (state->client_nonce)
@@ -353,7 +369,7 @@ build_client_first_message(fe_scram_state *state, PQExpBuffer errormessage)
 	 */
 #ifdef USE_SSL
 	if (state->ssl_in_use)
-		appendPQExpBuffer(&buf, "p=%s", SCRAM_CHANNEL_TLS_UNIQUE);
+		appendPQExpBuffer(&buf, "p=%s", state->saslchannelbinding);
 	else
 		appendPQExpBuffer(&buf, "y");
 #else
@@ -412,12 +428,39 @@ build_client_final_message(fe_scram_state *state, PQExpBuffer errormessage)
 #ifdef USE_SSL
 	if (state->ssl_in_use)
 	{
+		char	   *raw_data;
+		int			raw_data_len;
+
+		if (strcmp(state->saslchannelbinding, SCRAM_CHANNEL_TLS_UNIQUE) == 0)
+		{
+			raw_data = state->tls_finish_message;
+			raw_data_len = state->tls_finish_len;
+		}
+		else
+		{
+			/* should not happen */
+			termPQExpBuffer(&buf);
+			printfPQExpBuffer(errormessage,
+							  libpq_gettext("incorrect channel binding name\n"));
+			return NULL;
+		}
+
+		/* should not happen, but better safe than sorry */
+		if (raw_data == NULL)
+		{
+			/* should not happen */
+			termPQExpBuffer(&buf);
+			printfPQExpBuffer(errormessage,
+							  libpq_gettext("empty binding data for channel name \"%s\"\n"),
+							  state->saslchannelbinding);
+			return NULL;
+		}
+
 		appendPQExpBuffer(&buf, "c=");
-		if (!enlargePQExpBuffer(&buf, pg_b64_enc_len(state->tls_finish_len)))
+
+		if (!enlargePQExpBuffer(&buf, pg_b64_enc_len(raw_data_len)))
 			goto oom_error;
-		buf.len += pg_b64_encode(state->tls_finish_message,
-								 state->tls_finish_len,
-								 buf.data + buf.len);
+		buf.len += pg_b64_encode(raw_data, raw_data_len, buf.data + buf.len);
 		buf.data[buf.len] = '\0';
 	}
 	else
diff --git a/src/interfaces/libpq/fe-auth.c b/src/interfaces/libpq/fe-auth.c
index f5e1c27964..96cbf93227 100644
--- a/src/interfaces/libpq/fe-auth.c
+++ b/src/interfaces/libpq/fe-auth.c
@@ -564,6 +564,7 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 			conn->sasl_state = pg_fe_scram_init(conn->pguser,
 												password,
 												conn->ssl_in_use,
+												conn->saslchannelbinding,
 												tls_finish,
 												tls_finish_len);
 			if (!conn->sasl_state)
@@ -589,6 +590,13 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 		}
 	}
 
+	/*
+	 * If user has asked for a specific mechanism name, enforce the chosen
+	 * name to it.
+	 */
+	if (conn->saslname && strlen(conn->saslname) > 0)
+		selected_mechanism = conn->saslname;
+
 	if (!selected_mechanism)
 	{
 		printfPQExpBuffer(&conn->errorMessage,
diff --git a/src/interfaces/libpq/fe-auth.h b/src/interfaces/libpq/fe-auth.h
index 2ee9c6c48c..56cafb86cc 100644
--- a/src/interfaces/libpq/fe-auth.h
+++ b/src/interfaces/libpq/fe-auth.h
@@ -24,8 +24,8 @@ extern char *pg_fe_getauthname(PQExpBuffer errorMessage);
 
 /* Prototypes for functions in fe-auth-scram.c */
 extern void *pg_fe_scram_init(const char *username, const char *password,
-					 bool ssl_in_use, char *tls_finish_message,
-					 int tls_finish_len);
+					 bool ssl_in_use, char *saslchannelbinding,
+					 char *tls_finish_message, int tls_finish_len);
 extern void pg_fe_scram_free(void *opaq);
 extern void pg_fe_scram_exchange(void *opaq, char *input, int inputlen,
 					 char **output, int *outputlen,
diff --git a/src/interfaces/libpq/fe-connect.c b/src/interfaces/libpq/fe-connect.c
index 02ec8f0cea..ed144cdb3d 100644
--- a/src/interfaces/libpq/fe-connect.c
+++ b/src/interfaces/libpq/fe-connect.c
@@ -243,6 +243,15 @@ static const internalPQconninfoOption PQconninfoOptions[] = {
 		"TCP-Keepalives-Count", "", 10, /* strlen(INT32_MAX) == 10 */
 	offsetof(struct pg_conn, keepalives_count)},
 
+	/* Set of options proper to SASL */
+	{"saslname", NULL, NULL, NULL,
+		"SASL-Name", "", 21,	/* maximum name size per IANA == 21 */
+	offsetof(struct pg_conn, saslname)},
+
+	{"saslchannelbinding", NULL, NULL, NULL,
+		"SASL-Channel", "", 22,	/* sizeof("tls-unique-for-telnet") == 22 */
+	offsetof(struct pg_conn, saslchannelbinding)},
+
 	/*
 	 * ssl options are allowed even without client SSL support because the
 	 * client can still handle SSL modes "disable" and "allow". Other
@@ -3387,6 +3396,10 @@ freePGconn(PGconn *conn)
 		free(conn->keepalives_interval);
 	if (conn->keepalives_count)
 		free(conn->keepalives_count);
+	if (conn->saslname)
+		free(conn->saslname);
+	if (conn->saslchannelbinding)
+		free(conn->saslchannelbinding);
 	if (conn->sslmode)
 		free(conn->sslmode);
 	if (conn->sslcert)
diff --git a/src/interfaces/libpq/libpq-int.h b/src/interfaces/libpq/libpq-int.h
index 6313d896b7..e2d3f1f4f4 100644
--- a/src/interfaces/libpq/libpq-int.h
+++ b/src/interfaces/libpq/libpq-int.h
@@ -348,6 +348,8 @@ struct pg_conn
 										 * retransmits */
 	char	   *keepalives_count;		/* maximum number of TCP keepalive
 										 * retransmits */
+	char	   *saslname;			/* SASL mechanism name */
+	char	   *saslchannelbinding;	/* channel binding used in SASL */
 	char	   *sslmode;		/* SSL mode (require,prefer,allow,disable) */
 	char	   *sslcompression; /* SSL compression (0 or 1) */
 	char	   *sslkey;			/* client key filename */
diff --git a/src/test/ssl/ServerSetup.pm b/src/test/ssl/ServerSetup.pm
index ad2e036602..b71969ac75 100644
--- a/src/test/ssl/ServerSetup.pm
+++ b/src/test/ssl/ServerSetup.pm
@@ -91,6 +91,9 @@ sub configure_test_server_for_ssl
 {
 	my $node       = $_[0];
 	my $serverhost = $_[1];
+	my $sslmethod  = $_[2];
+	my $passwd     = $_[3];
+	my $passwdhash = $_[4];
 
 	my $pgdata = $node->data_dir;
 
@@ -100,6 +103,15 @@ sub configure_test_server_for_ssl
 	$node->psql('postgres', "CREATE DATABASE trustdb");
 	$node->psql('postgres', "CREATE DATABASE certdb");
 
+	# Update password of each user as needed.
+	if (defined($passwd))
+	{
+		$node->psql('postgres',
+"SET password_encryption='$passwdhash'; ALTER USER ssltestuser PASSWORD '$passwd';");
+		$node->psql('postgres',
+"SET password_encryption='$passwdhash'; ALTER USER anotheruser PASSWORD '$passwd';");
+	}
+
 	# enable logging etc.
 	open my $conf, '>>', "$pgdata/postgresql.conf";
 	print $conf "fsync=off\n";
@@ -129,7 +141,7 @@ sub configure_test_server_for_ssl
 	$node->restart;
 
 	# Change pg_hba after restart because hostssl requires ssl=on
-	configure_hba_for_ssl($node, $serverhost);
+	configure_hba_for_ssl($node, $serverhost, $sslmethod);
 }
 
 # Change the configuration to use given server cert file, and reload
@@ -159,6 +171,7 @@ sub configure_hba_for_ssl
 {
 	my $node       = $_[0];
 	my $serverhost = $_[1];
+	my $sslmethod  = $_[2];
 	my $pgdata     = $node->data_dir;
 
   # Only accept SSL connections from localhost. Our tests don't depend on this
@@ -169,9 +182,9 @@ sub configure_hba_for_ssl
 	print $hba
 "# TYPE  DATABASE        USER            ADDRESS                 METHOD\n";
 	print $hba
-"hostssl trustdb         ssltestuser     $serverhost/32            trust\n";
+"hostssl trustdb         ssltestuser     $serverhost/32          $sslmethod\n";
 	print $hba
-"hostssl trustdb         ssltestuser     ::1/128                 trust\n";
+"hostssl trustdb         ssltestuser     ::1/128                 $sslmethod\n";
 	print $hba
 "hostssl certdb          ssltestuser     $serverhost/32            cert\n";
 	print $hba
diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl
index 890e3051a2..e690c1fa15 100644
--- a/src/test/ssl/t/001_ssltests.pl
+++ b/src/test/ssl/t/001_ssltests.pl
@@ -32,7 +32,7 @@ $node->init;
 $ENV{PGHOST} = $node->host;
 $ENV{PGPORT} = $node->port;
 $node->start;
-configure_test_server_for_ssl($node, $SERVERHOSTADDR);
+configure_test_server_for_ssl($node, $SERVERHOSTADDR, "trust");
 switch_server_cert($node, 'server-cn-only');
 
 ### Part 1. Run client-side tests.
diff --git a/src/test/ssl/t/002_sasl.pl b/src/test/ssl/t/002_sasl.pl
new file mode 100644
index 0000000000..a625f0d473
--- /dev/null
+++ b/src/test/ssl/t/002_sasl.pl
@@ -0,0 +1,52 @@
+use strict;
+use warnings;
+use PostgresNode;
+use TestLib;
+use Test::More tests => 6;
+use ServerSetup;
+use File::Copy;
+
+# test combinations of SASL authentication for SCRAM mechanism:
+# - SCRAM-SHA-256 and SCRAM-SHA-256-PLUS
+# - Channel bindings
+
+# This is the hostname used to connect to the server.
+my $SERVERHOSTADDR = '127.0.0.1';
+
+# Allocation of base connection string shared among multiple tests.
+my $common_connstr;
+
+#### Part 0. Set up the server.
+
+note "setting up data directory";
+my $node = get_new_node('master');
+$node->init;
+
+# PGHOST is enforced here to set up the node, subsequent connections
+# will use a dedicated connection string.
+$ENV{PGHOST} = $node->host;
+$ENV{PGPORT} = $node->port;
+$node->start;
+
+# Configure server for SSL connections, with password handling.
+configure_test_server_for_ssl($node, $SERVERHOSTADDR, "scram-sha-256",
+							  "pass", "scram-sha-256");
+switch_server_cert($node, 'server-cn-only');
+$ENV{PGPASSWORD} = "pass";
+$common_connstr =
+"user=ssltestuser dbname=trustdb sslmode=require hostaddr=$SERVERHOSTADDR";
+
+# Tests with default channel binding and SASL mechanism names.
+# tls-unique is used here
+test_connect_ok($common_connstr, "saslname=SCRAM-SHA-256-PLUS");
+test_connect_fails($common_connstr, "saslname=not-exists");
+# Downgrade attack.
+test_connect_fails($common_connstr, "saslname=SCRAM-SHA-256");
+test_connect_fails($common_connstr,
+		"saslname=SCRAM-SHA-256 saslchannelbinding=tls-unique");
+
+# Channel bindings
+test_connect_ok($common_connstr,
+		"saslname=SCRAM-SHA-256-PLUS saslchannelbinding=tls-unique");
+test_connect_fails($common_connstr,
+		"saslname=SCRAM-SHA-256-PLUS saslchannelbinding=not-exists");
-- 
2.13.1

From 30cbfc05c4a3f0971d640310f80048f413c21c4c Mon Sep 17 00:00:00 2001
From: Michael Paquier <michael@paquier.xyz>
Date: Tue, 20 Jun 2017 12:51:10 +0900
Subject: [PATCH 4/4] Implement channel binding tls-server-end-point for SCRAM

As referenced in RFC 5929, this channel binding is not the default value
and uses a hash of the certificate as binding data. On the frontend, this
can be resumed in getting the data from SSL_get_peer_certificate() and
on the backend SSL_get_certificate().

The hashing algorithm needs also to switch to SHA-256 if the signature
algorithm is MD5 or SHA-1, so let's be careful about that.
---
 doc/src/sgml/protocol.sgml               |  4 +-
 src/backend/libpq/auth-scram.c           | 21 ++++++++--
 src/backend/libpq/auth.c                 | 13 ++++--
 src/backend/libpq/be-secure-openssl.c    | 69 ++++++++++++++++++++++++++++++++
 src/include/libpq/libpq-be.h             |  1 +
 src/include/libpq/scram.h                |  4 +-
 src/interfaces/libpq/fe-auth-scram.c     | 20 ++++++++-
 src/interfaces/libpq/fe-auth.c           | 18 ++++++++-
 src/interfaces/libpq/fe-auth.h           |  3 +-
 src/interfaces/libpq/fe-secure-openssl.c | 66 ++++++++++++++++++++++++++++++
 src/interfaces/libpq/libpq-int.h         |  1 +
 src/test/ssl/t/002_sasl.pl               |  6 ++-
 12 files changed, 210 insertions(+), 16 deletions(-)

diff --git a/doc/src/sgml/protocol.sgml b/doc/src/sgml/protocol.sgml
index 0a556ebdc6..ee25c0c4be 100644
--- a/doc/src/sgml/protocol.sgml
+++ b/doc/src/sgml/protocol.sgml
@@ -1433,8 +1433,8 @@ the password is in.
   <para>
 <firstterm>Channel binding</> is supported in builds with SSL support, and
 uses as mechanism name <literal>SCRAM-SHA-256-PLUS</> for this purpose as
-defined per IANA. The only channel binding type supported by the server
-is <literal>tls-unique</>.
+defined per IANA. The channel binding types supported by the server
+are <literal>tls-unique</>, the default, and <literal>tls-server-end-point</>.
   </para>
 
 <procedure>
diff --git a/src/backend/libpq/auth-scram.c b/src/backend/libpq/auth-scram.c
index c46bef5bb5..7b6aa8b704 100644
--- a/src/backend/libpq/auth-scram.c
+++ b/src/backend/libpq/auth-scram.c
@@ -113,6 +113,8 @@ typedef struct
 	bool		ssl_in_use;
 	char	   *tls_finish_message;
 	int			tls_finish_len;
+	char	   *certificate_hash;
+	int			certificate_hash_len;
 	char	   *channel_binding;
 
 	int			iterations;
@@ -175,7 +177,9 @@ pg_be_scram_init(const char *username,
 				 const char *shadow_pass,
 				 bool ssl_in_use,
 				 char *tls_finish_message,
-				 int tls_finish_len)
+				 int tls_finish_len,
+				 char *certificate_hash,
+				 int certificate_hash_len)
 {
 	scram_state *state;
 	bool		got_verifier;
@@ -186,6 +190,8 @@ pg_be_scram_init(const char *username,
 	state->ssl_in_use = ssl_in_use;
 	state->tls_finish_message = tls_finish_message;
 	state->tls_finish_len = tls_finish_len;
+	state->certificate_hash = certificate_hash;
+	state->certificate_hash_len = certificate_hash_len;
 	state->channel_binding = NULL;
 
 	/*
@@ -847,11 +853,12 @@ read_client_first_message(scram_state *state, char *input)
 							 errmsg("client supports SCRAM channel binding, but server does not need it for non-SSL connections")));
 
 				/*
-				 * Read value provided by client, only tls-unique is supported
-				 * for now.
+				 * Read value provided by client, only tls-unique and
+				 * tls-server-end-point are supported for now.
 				 */
 				channel_name = read_attr_value(&input, 'p');
-				if (strcmp(channel_name, SCRAM_CHANNEL_TLS_UNIQUE) != 0)
+				if (strcmp(channel_name, SCRAM_CHANNEL_TLS_UNIQUE) != 0 &&
+					strcmp(channel_name, SCRAM_CHANNEL_TLS_ENDPOINT) != 0)
 					ereport(ERROR,
 						(errcode(ERRCODE_PROTOCOL_VIOLATION),
 						 (errmsg("unexpected SCRAM channel-binding type"))));
@@ -1120,6 +1127,12 @@ read_client_final_message(scram_state *state, char *input)
 			raw_data = state->tls_finish_message;
 			raw_data_len = state->tls_finish_len;
 		}
+		else if (strcmp(state->channel_binding,
+						SCRAM_CHANNEL_TLS_ENDPOINT) == 0)
+		{
+			raw_data = state->certificate_hash;
+			raw_data_len = state->certificate_hash_len;
+		}
 		else
 		{
 			/* should not happen */
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index 439e4e8ab9..f6b0a64863 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -849,6 +849,8 @@ CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail)
 	bool		initial;
 	char	   *tls_finish = NULL;
 	int			tls_finish_len = 0;
+	char	   *certificate_bash = NULL;
+	int			certificate_bash_len = 0;
 
 	/*
 	 * SASL auth is not supported for protocol versions before 3, because it
@@ -900,12 +902,15 @@ CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail)
 
 #ifdef USE_SSL
 	/*
-	 * Fetch the data related to the SSL finish message to be used in the
-	 * exchange.
+	 * Fetch the data related to the SSL finish message and the client
+	 * certificate (if any) to be used in the exchange.
 	 */
 	if (port->ssl_in_use)
 	{
 		tls_finish = be_tls_get_peer_finish(port, &tls_finish_len);
+		certificate_bash =
+			be_tls_get_certificate_hash(port,
+										&certificate_bash_len);
 	}
 #endif
 
@@ -924,7 +929,9 @@ CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail)
 								  shadow_pass,
 								  port->ssl_in_use,
 								  tls_finish,
-								  tls_finish_len);
+								  tls_finish_len,
+								  certificate_bash,
+								  certificate_bash_len);
 
 	/*
 	 * Loop through SASL message exchange.  This exchange can consist of
diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 42c35800aa..0fa85aaeb1 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -1299,6 +1299,75 @@ be_tls_get_peer_finish(Port *port, int *len)
 }
 
 /*
+ * Get the server certificate hash for authentication purposes. Per
+ * RFC 5929 and tls-server-end-point, the TLS server's certificate bytes
+ * need to be hashed with SHA-256 if its signature algorithm is MD5 or
+ * SHA-1. If SHA-256 or something else is used, the same hash as the
+ * signature algorithm is used.
+ * The result is a palloc'd hash of the server certificate with its
+ * size, and NULL if there is nothing certificates available.
+ */
+char *
+be_tls_get_certificate_hash(Port *port, int *len)
+{
+	char	*cert_hash = NULL;
+	X509	*server_cert;
+
+	*len = 0;
+	server_cert = SSL_get_certificate(port->ssl);
+
+	if (server_cert != NULL)
+	{
+		const EVP_MD   *algo_type = NULL;
+		char			hash[EVP_MAX_MD_SIZE];	/* size for SHA-512 */
+		unsigned int	hash_size;
+		int				algo_nid;
+
+		/*
+		 * Get the signature algorithm of the certificate to determine the
+		 * hash algorithm to use for the result.
+		 */
+		if (!OBJ_find_sigid_algs(X509_get_signature_nid(server_cert),
+								 &algo_nid, NULL))
+			elog(ERROR, "could not find signature algorithm");
+
+		switch (algo_nid)
+		{
+			case NID_sha512:
+				algo_type = EVP_sha512();
+				break;
+
+			case NID_sha384:
+				algo_type = EVP_sha384();
+				break;
+
+			/*
+			 * Fallback to SHA-256 for weaker hashes, and keep them listed
+			 * here for reference.
+			 */
+			case NID_md5:
+			case NID_sha1:
+			case NID_sha224:
+			case NID_sha256:
+			default:
+				algo_type = EVP_sha256();
+				break;
+		}
+
+		/* generate and save the certificate hash */
+		if (!X509_digest(server_cert, algo_type, (unsigned char *) hash,
+						 &hash_size))
+			elog(ERROR, "could not generate server certificate hash");
+
+		cert_hash = (char *) palloc(hash_size);
+		memcpy(cert_hash, hash, hash_size);
+		*len = hash_size;
+	}
+
+	return cert_hash;
+}
+
+/*
  * Convert an X509 subject name to a cstring.
  *
  */
diff --git a/src/include/libpq/libpq-be.h b/src/include/libpq/libpq-be.h
index 3957d04702..274fd51b67 100644
--- a/src/include/libpq/libpq-be.h
+++ b/src/include/libpq/libpq-be.h
@@ -210,6 +210,7 @@ extern void be_tls_get_version(Port *port, char *ptr, size_t len);
 extern void be_tls_get_cipher(Port *port, char *ptr, size_t len);
 extern void be_tls_get_peerdn_name(Port *port, char *ptr, size_t len);
 extern char *be_tls_get_peer_finish(Port *port, int *len);
+extern char *be_tls_get_certificate_hash(Port *port, int *len);
 #endif
 
 extern ProtocolVersion FrontendProtocol;
diff --git a/src/include/libpq/scram.h b/src/include/libpq/scram.h
index 58eae11231..6f56aabca3 100644
--- a/src/include/libpq/scram.h
+++ b/src/include/libpq/scram.h
@@ -19,6 +19,7 @@
 
 /* Channel binding names */
 #define SCRAM_CHANNEL_TLS_UNIQUE	"tls-unique"
+#define SCRAM_CHANNEL_TLS_ENDPOINT	"tls-server-end-point"
 
 /* Status codes for message exchange */
 #define SASL_EXCHANGE_CONTINUE		0
@@ -28,7 +29,8 @@
 /* Routines dedicated to authentication */
 extern void *pg_be_scram_init(const char *username, const char *shadow_pass,
 					 bool ssl_in_use, char *tls_finish_message,
-					 int tls_finish_len);
+					 int tls_finish_len, char *certificate_hash,
+					 int certificate_hash_len);
 extern int pg_be_scram_exchange(void *opaq, char *input, int inputlen,
 					 char **output, int *outputlen, char **logdetail);
 
diff --git a/src/interfaces/libpq/fe-auth-scram.c b/src/interfaces/libpq/fe-auth-scram.c
index b781349f42..6b2215d0e9 100644
--- a/src/interfaces/libpq/fe-auth-scram.c
+++ b/src/interfaces/libpq/fe-auth-scram.c
@@ -48,6 +48,8 @@ typedef struct
 	bool		ssl_in_use;
 	char	   *tls_finish_message;
 	int			tls_finish_len;
+	char	   *certificate_hash;
+	int			certificate_hash_len;
 	/* enforceable user parameters */
 	char	   *saslchannelbinding;	/* name of channel binding to use */
 
@@ -92,7 +94,9 @@ pg_fe_scram_init(const char *username,
 				 bool ssl_in_use,
 				 char *saslchannelbinding,
 				 char *tls_finish_message,
-				 int tls_finish_len)
+				 int tls_finish_len,
+				 char *certificate_hash,
+				 int certificate_hash_len)
 {
 	fe_scram_state *state;
 	char	   *prep_password;
@@ -107,6 +111,8 @@ pg_fe_scram_init(const char *username,
 	state->ssl_in_use = ssl_in_use;
 	state->tls_finish_message = tls_finish_message;
 	state->tls_finish_len = tls_finish_len;
+	state->certificate_hash = certificate_hash;
+	state->certificate_hash_len = certificate_hash_len;
 
 	/*
 	 * If user has specified a channel binding to use, enforce the
@@ -150,6 +156,8 @@ pg_fe_scram_free(void *opaq)
 		free(state->password);
 	if (state->tls_finish_message)
 		free(state->tls_finish_message);
+	if (state->certificate_hash)
+		free(state->certificate_hash);
 	if (state->saslchannelbinding)
 		free(state->saslchannelbinding);
 
@@ -423,7 +431,9 @@ build_client_final_message(fe_scram_state *state, PQExpBuffer errormessage)
 	 * Construct client-final-message-without-proof.  We need to remember it
 	 * for verifying the server proof in the final step of authentication.
 	 * Client needs to provide a b64 encoded string of the TLS finish message
-	 * only if a SSL connection is attempted.
+	 * only if a SSL connection is attempted using "tls-unique" as channel
+	 * binding. For "tls-server-end-point", a hash of the client certificate
+	 * is sent instead.
 	 */
 #ifdef USE_SSL
 	if (state->ssl_in_use)
@@ -436,6 +446,12 @@ build_client_final_message(fe_scram_state *state, PQExpBuffer errormessage)
 			raw_data = state->tls_finish_message;
 			raw_data_len = state->tls_finish_len;
 		}
+		else if (strcmp(state->saslchannelbinding,
+						SCRAM_CHANNEL_TLS_ENDPOINT) == 0)
+		{
+			raw_data = state->certificate_hash;
+			raw_data_len = state->certificate_hash_len;
+		}
 		else
 		{
 			/* should not happen */
diff --git a/src/interfaces/libpq/fe-auth.c b/src/interfaces/libpq/fe-auth.c
index 96cbf93227..928eef3cbb 100644
--- a/src/interfaces/libpq/fe-auth.c
+++ b/src/interfaces/libpq/fe-auth.c
@@ -539,6 +539,8 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 			char	   *password;
 			char	   *tls_finish = NULL;
 			int			tls_finish_len = 0;
+			char	   *certificate_hash = NULL;
+			int			certificate_hash_len = 0;
 
 			conn->password_needed = true;
 			password = conn->connhost[conn->whichhost].password;
@@ -552,12 +554,21 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 			}
 
 #ifdef USE_SSL
-			/* Fetch information about the TLS finish message */
+			/*
+			 * Fetch information about the TLS finish message and client
+			 * certificate if any.
+			 */
 			if (conn->ssl_in_use)
 			{
 				tls_finish = pgtls_get_finish(conn, &tls_finish_len);
 				if (tls_finish == NULL)
 					goto oom_error;
+
+				certificate_hash =
+					pgtls_get_peer_certificate_hash(conn,
+													&certificate_hash_len);
+				if (certificate_hash == NULL)
+					goto oom_error;
 			}
 #endif
 
@@ -566,7 +577,10 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 												conn->ssl_in_use,
 												conn->saslchannelbinding,
 												tls_finish,
-												tls_finish_len);
+												tls_finish_len,
+												certificate_hash,
+												certificate_hash_len);
+
 			if (!conn->sasl_state)
 				goto oom_error;
 
diff --git a/src/interfaces/libpq/fe-auth.h b/src/interfaces/libpq/fe-auth.h
index 56cafb86cc..7faa78fa22 100644
--- a/src/interfaces/libpq/fe-auth.h
+++ b/src/interfaces/libpq/fe-auth.h
@@ -25,7 +25,8 @@ extern char *pg_fe_getauthname(PQExpBuffer errorMessage);
 /* Prototypes for functions in fe-auth-scram.c */
 extern void *pg_fe_scram_init(const char *username, const char *password,
 					 bool ssl_in_use, char *saslchannelbinding,
-					 char *tls_finish_message, int tls_finish_len);
+					 char *tls_finish_message, int tls_finish_len,
+					 char *certificate_hash, int certificate_hash_len);
 extern void pg_fe_scram_free(void *opaq);
 extern void pg_fe_scram_exchange(void *opaq, char *input, int inputlen,
 					 char **output, int *outputlen,
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 2da0b27b71..f6e4ac9ed9 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -418,6 +418,72 @@ pgtls_get_finish(PGconn *conn, int *len)
 	return result;
 }
 
+/*
+ *	Get the hash of the server certificate
+ *
+ * This information is useful for end-point channel binding, where
+ * the client certificate hash is used as a link, per RFC 5929.
+ */
+char *
+pgtls_get_peer_certificate_hash(PGconn *conn, int *len)
+{
+	char	   *cert_hash = NULL;
+
+	*len = 0;
+
+	if (conn->peer)
+	{
+		X509		   *peer_cert = conn->peer;
+		const EVP_MD   *algo_type = NULL;
+		char			hash[EVP_MAX_MD_SIZE];	/* size for SHA-512 */
+		unsigned int	hash_size;
+		int				algo_nid;
+
+		/*
+		 * Get the signature algorithm of the certificate to determine the
+		 * hash algorithm to use for the result.
+		 */
+		if (!OBJ_find_sigid_algs(X509_get_signature_nid(peer_cert),
+								 &algo_nid, NULL))
+			return NULL;
+
+		switch (algo_nid)
+		{
+			case NID_sha512:
+				algo_type = EVP_sha512();
+				break;
+
+			case NID_sha384:
+				algo_type = EVP_sha384();
+				break;
+
+			/*
+			 * Fallback to SHA-256 for weaker hashes, and keep them listed
+			 * here for reference.
+			 */
+			case NID_md5:
+			case NID_sha1:
+			case NID_sha224:
+			case NID_sha256:
+			default:
+				algo_type = EVP_sha256();
+				break;
+		}
+
+		if (!X509_digest(peer_cert, algo_type, (unsigned char *) hash,
+						 &hash_size))
+			return NULL;
+
+		/* save result */
+		cert_hash = (char *) malloc(hash_size);
+		if (cert_hash == NULL)
+			return NULL;
+		memcpy(cert_hash, hash, hash_size);
+		*len = hash_size;
+	}
+
+	return cert_hash;
+}
 
 /* ------------------------------------------------------------ */
 /*						OpenSSL specific code					*/
diff --git a/src/interfaces/libpq/libpq-int.h b/src/interfaces/libpq/libpq-int.h
index e2d3f1f4f4..18a3175f05 100644
--- a/src/interfaces/libpq/libpq-int.h
+++ b/src/interfaces/libpq/libpq-int.h
@@ -674,6 +674,7 @@ extern ssize_t pgtls_read(PGconn *conn, void *ptr, size_t len);
 extern bool pgtls_read_pending(PGconn *conn);
 extern ssize_t pgtls_write(PGconn *conn, const void *ptr, size_t len);
 extern char *pgtls_get_finish(PGconn *conn, int *len);
+extern char *pgtls_get_peer_certificate_hash(PGconn *conn, int *len);
 
 /*
  * this is so that we can check if a connection is non-blocking internally
diff --git a/src/test/ssl/t/002_sasl.pl b/src/test/ssl/t/002_sasl.pl
index a625f0d473..a4e6dfac3d 100644
--- a/src/test/ssl/t/002_sasl.pl
+++ b/src/test/ssl/t/002_sasl.pl
@@ -2,7 +2,7 @@ use strict;
 use warnings;
 use PostgresNode;
 use TestLib;
-use Test::More tests => 6;
+use Test::More tests => 8;
 use ServerSetup;
 use File::Copy;
 
@@ -44,9 +44,13 @@ test_connect_fails($common_connstr, "saslname=not-exists");
 test_connect_fails($common_connstr, "saslname=SCRAM-SHA-256");
 test_connect_fails($common_connstr,
 		"saslname=SCRAM-SHA-256 saslchannelbinding=tls-unique");
+test_connect_fails($common_connstr,
+		"saslname=SCRAM-SHA-256 saslchannelbinding=tls-server-end-point");
 
 # Channel bindings
 test_connect_ok($common_connstr,
 		"saslname=SCRAM-SHA-256-PLUS saslchannelbinding=tls-unique");
+test_connect_ok($common_connstr,
+		"saslname=SCRAM-SHA-256-PLUS saslchannelbinding=tls-server-end-point");
 test_connect_fails($common_connstr,
 		"saslname=SCRAM-SHA-256-PLUS saslchannelbinding=not-exists");
-- 
2.13.1

From be3cf0785596aee4cfe2682cc19a6c31eba91f3f Mon Sep 17 00:00:00 2001
From: Michael Paquier <michael@paquier.xyz>
Date: Fri, 16 Jun 2017 17:00:06 +0900
Subject: [PATCH 1/4] Refactor routine to test connection to SSL server

Move the sub-routines wrappers to check if a connection to a server is
fine or not into the test main module. This is useful for other tests
willing to check connectivity into a server.
---
 src/test/ssl/ServerSetup.pm    |  45 +++++++++++++-
 src/test/ssl/t/001_ssltests.pl | 132 +++++++++++++++++------------------------
 2 files changed, 100 insertions(+), 77 deletions(-)

diff --git a/src/test/ssl/ServerSetup.pm b/src/test/ssl/ServerSetup.pm
index f63c81cfc6..ad2e036602 100644
--- a/src/test/ssl/ServerSetup.pm
+++ b/src/test/ssl/ServerSetup.pm
@@ -26,9 +26,52 @@ use Test::More;
 
 use Exporter 'import';
 our @EXPORT = qw(
-  configure_test_server_for_ssl switch_server_cert
+  configure_test_server_for_ssl
+  run_test_psql
+  switch_server_cert
+  test_connect_fails
+  test_connect_ok
 );
 
+# Define a couple of helper functions to test connecting to the server.
+
+# Attempt connection to server with given connection string.
+sub run_test_psql
+{
+	my $connstr   = $_[0];
+	my $logstring = $_[1];
+
+	my $cmd = [
+		'psql', '-X', '-A', '-t', '-c', "SELECT 'connected with $connstr'",
+		'-d', "$connstr" ];
+
+	my $result = run_log($cmd);
+	return $result;
+}
+
+#
+# The first argument is a base connection string to use for connection.
+# The second argument is a complementary connection string, and it's also
+# printed out as the test case name.
+sub test_connect_ok
+{
+	my $common_connstr = $_[0];
+	my $connstr = $_[1];
+
+	my $result =
+	  run_test_psql("$common_connstr $connstr", "(should succeed)");
+	ok($result, $connstr);
+}
+
+sub test_connect_fails
+{
+	my $common_connstr = $_[0];
+	my $connstr = $_[1];
+
+	my $result = run_test_psql("$common_connstr $connstr", "(should fail)");
+	ok(!$result, "$connstr (should fail)");
+}
+
 # Copy a set of files, taking into account wildcards
 sub copy_files
 {
diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl
index 32df273929..890e3051a2 100644
--- a/src/test/ssl/t/001_ssltests.pl
+++ b/src/test/ssl/t/001_ssltests.pl
@@ -13,44 +13,9 @@ use File::Copy;
 # postgresql-ssl-regression.test.
 my $SERVERHOSTADDR = '127.0.0.1';
 
-# Define a couple of helper functions to test connecting to the server.
-
+# Allocation of base connection string shared among multiple tests.
 my $common_connstr;
 
-sub run_test_psql
-{
-	my $connstr   = $_[0];
-	my $logstring = $_[1];
-
-	my $cmd = [
-		'psql', '-X', '-A', '-t', '-c', "SELECT 'connected with $connstr'",
-		'-d', "$connstr" ];
-
-	my $result = run_log($cmd);
-	return $result;
-}
-
-#
-# The first argument is a (part of a) connection string, and it's also printed
-# out as the test case name. It is appended to $common_connstr global variable,
-# which also contains a libpq connection string.
-sub test_connect_ok
-{
-	my $connstr = $_[0];
-
-	my $result =
-	  run_test_psql("$common_connstr $connstr", "(should succeed)");
-	ok($result, $connstr);
-}
-
-sub test_connect_fails
-{
-	my $connstr = $_[0];
-
-	my $result = run_test_psql("$common_connstr $connstr", "(should fail)");
-	ok(!$result, "$connstr (should fail)");
-}
-
 # The client's private key must not be world-readable, so take a copy
 # of the key stored in the code tree and update its permissions.
 copy("ssl/client.key", "ssl/client_tmp.key");
@@ -83,50 +48,59 @@ $common_connstr =
 
 # The server should not accept non-SSL connections
 note "test that the server doesn't accept non-SSL connections";
-test_connect_fails("sslmode=disable");
+test_connect_fails($common_connstr, "sslmode=disable");
 
 # Try without a root cert. In sslmode=require, this should work. In verify-ca
 # or verify-full mode it should fail
 note "connect without server root cert";
-test_connect_ok("sslrootcert=invalid sslmode=require");
-test_connect_fails("sslrootcert=invalid sslmode=verify-ca");
-test_connect_fails("sslrootcert=invalid sslmode=verify-full");
+test_connect_ok($common_connstr, "sslrootcert=invalid sslmode=require");
+test_connect_fails($common_connstr, "sslrootcert=invalid sslmode=verify-ca");
+test_connect_fails($common_connstr, "sslrootcert=invalid sslmode=verify-full");
 
 # Try with wrong root cert, should fail. (we're using the client CA as the
 # root, but the server's key is signed by the server CA)
 note "connect without wrong server root cert";
-test_connect_fails("sslrootcert=ssl/client_ca.crt sslmode=require");
-test_connect_fails("sslrootcert=ssl/client_ca.crt sslmode=verify-ca");
-test_connect_fails("sslrootcert=ssl/client_ca.crt sslmode=verify-full");
+test_connect_fails($common_connstr,
+	"sslrootcert=ssl/client_ca.crt sslmode=require");
+test_connect_fails($common_connstr,
+	"sslrootcert=ssl/client_ca.crt sslmode=verify-ca");
+test_connect_fails($common_connstr,
+	"sslrootcert=ssl/client_ca.crt sslmode=verify-full");
 
 # Try with just the server CA's cert. This fails because the root file
 # must contain the whole chain up to the root CA.
 note "connect with server CA cert, without root CA";
-test_connect_fails("sslrootcert=ssl/server_ca.crt sslmode=verify-ca");
+test_connect_fails($common_connstr,
+	"sslrootcert=ssl/server_ca.crt sslmode=verify-ca");
 
 # And finally, with the correct root cert.
 note "connect with correct server CA cert file";
-test_connect_ok("sslrootcert=ssl/root+server_ca.crt sslmode=require");
-test_connect_ok("sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca");
-test_connect_ok("sslrootcert=ssl/root+server_ca.crt sslmode=verify-full");
+test_connect_ok($common_connstr,
+	"sslrootcert=ssl/root+server_ca.crt sslmode=require");
+test_connect_ok($common_connstr,
+	"sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca");
+test_connect_ok($common_connstr,
+	"sslrootcert=ssl/root+server_ca.crt sslmode=verify-full");
 
 # Test with cert root file that contains two certificates. The client should
 # be able to pick the right one, regardless of the order in the file.
-test_connect_ok("sslrootcert=ssl/both-cas-1.crt sslmode=verify-ca");
-test_connect_ok("sslrootcert=ssl/both-cas-2.crt sslmode=verify-ca");
+test_connect_ok($common_connstr,
+	"sslrootcert=ssl/both-cas-1.crt sslmode=verify-ca");
+test_connect_ok($common_connstr,
+	"sslrootcert=ssl/both-cas-2.crt sslmode=verify-ca");
 
 note "testing sslcrl option with a non-revoked cert";
 
 # Invalid CRL filename is the same as no CRL, succeeds
-test_connect_ok(
+test_connect_ok($common_connstr,
 	"sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=invalid");
 
 # A CRL belonging to a different CA is not accepted, fails
-test_connect_fails(
+test_connect_fails($common_connstr,
 "sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/client.crl");
 
 # With the correct CRL, succeeds (this cert is not revoked)
-test_connect_ok(
+test_connect_ok($common_connstr,
 "sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/root+server.crl"
 );
 
@@ -136,9 +110,9 @@ note "test mismatch between hostname and server certificate";
 $common_connstr =
 "user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full";
 
-test_connect_ok("sslmode=require host=wronghost.test");
-test_connect_ok("sslmode=verify-ca host=wronghost.test");
-test_connect_fails("sslmode=verify-full host=wronghost.test");
+test_connect_ok($common_connstr, "sslmode=require host=wronghost.test");
+test_connect_ok($common_connstr, "sslmode=verify-ca host=wronghost.test");
+test_connect_fails($common_connstr, "sslmode=verify-full host=wronghost.test");
 
 # Test Subject Alternative Names.
 switch_server_cert($node, 'server-multiple-alt-names');
@@ -147,12 +121,13 @@ note "test hostname matching with X.509 Subject Alternative Names";
 $common_connstr =
 "user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full";
 
-test_connect_ok("host=dns1.alt-name.pg-ssltest.test");
-test_connect_ok("host=dns2.alt-name.pg-ssltest.test");
-test_connect_ok("host=foo.wildcard.pg-ssltest.test");
+test_connect_ok($common_connstr, "host=dns1.alt-name.pg-ssltest.test");
+test_connect_ok($common_connstr, "host=dns2.alt-name.pg-ssltest.test");
+test_connect_ok($common_connstr, "host=foo.wildcard.pg-ssltest.test");
 
-test_connect_fails("host=wronghost.alt-name.pg-ssltest.test");
-test_connect_fails("host=deep.subdomain.wildcard.pg-ssltest.test");
+test_connect_fails($common_connstr, "host=wronghost.alt-name.pg-ssltest.test");
+test_connect_fails($common_connstr,
+	"host=deep.subdomain.wildcard.pg-ssltest.test");
 
 # Test certificate with a single Subject Alternative Name. (this gives a
 # slightly different error message, that's all)
@@ -162,10 +137,11 @@ note "test hostname matching with a single X.509 Subject Alternative Name";
 $common_connstr =
 "user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full";
 
-test_connect_ok("host=single.alt-name.pg-ssltest.test");
+test_connect_ok($common_connstr, "host=single.alt-name.pg-ssltest.test");
 
-test_connect_fails("host=wronghost.alt-name.pg-ssltest.test");
-test_connect_fails("host=deep.subdomain.wildcard.pg-ssltest.test");
+test_connect_fails($common_connstr, "host=wronghost.alt-name.pg-ssltest.test");
+test_connect_fails($common_connstr,
+	"host=deep.subdomain.wildcard.pg-ssltest.test");
 
 # Test server certificate with a CN and SANs. Per RFCs 2818 and 6125, the CN
 # should be ignored when the certificate has both.
@@ -175,9 +151,9 @@ note "test certificate with both a CN and SANs";
 $common_connstr =
 "user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full";
 
-test_connect_ok("host=dns1.alt-name.pg-ssltest.test");
-test_connect_ok("host=dns2.alt-name.pg-ssltest.test");
-test_connect_fails("host=common-name.pg-ssltest.test");
+test_connect_ok($common_connstr, "host=dns1.alt-name.pg-ssltest.test");
+test_connect_ok($common_connstr, "host=dns2.alt-name.pg-ssltest.test");
+test_connect_fails($common_connstr, "host=common-name.pg-ssltest.test");
 
 # Finally, test a server certificate that has no CN or SANs. Of course, that's
 # not a very sensible certificate, but libpq should handle it gracefully.
@@ -185,8 +161,10 @@ switch_server_cert($node, 'server-no-names');
 $common_connstr =
 "user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR";
 
-test_connect_ok("sslmode=verify-ca host=common-name.pg-ssltest.test");
-test_connect_fails("sslmode=verify-full host=common-name.pg-ssltest.test");
+test_connect_ok($common_connstr,
+	"sslmode=verify-ca host=common-name.pg-ssltest.test");
+test_connect_fails($common_connstr,
+	"sslmode=verify-full host=common-name.pg-ssltest.test");
 
 # Test that the CRL works
 note "testing client-side CRL";
@@ -196,8 +174,9 @@ $common_connstr =
 "user=ssltestuser dbname=trustdb sslcert=invalid hostaddr=$SERVERHOSTADDR host=common-name.pg-ssltest.test";
 
 # Without the CRL, succeeds. With it, fails.
-test_connect_ok("sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca");
-test_connect_fails(
+test_connect_ok($common_connstr,
+	"sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca");
+test_connect_fails($common_connstr,
 "sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/root+server.crl"
 );
 
@@ -210,18 +189,18 @@ $common_connstr =
 "sslrootcert=ssl/root+server_ca.crt sslmode=require dbname=certdb hostaddr=$SERVERHOSTADDR";
 
 # no client cert
-test_connect_fails("user=ssltestuser sslcert=invalid");
+test_connect_fails($common_connstr, "user=ssltestuser sslcert=invalid");
 
 # correct client cert
-test_connect_ok(
+test_connect_ok($common_connstr,
 	"user=ssltestuser sslcert=ssl/client.crt sslkey=ssl/client_tmp.key");
 
 # client cert belonging to another user
-test_connect_fails(
+test_connect_fails($common_connstr,
 	"user=anotheruser sslcert=ssl/client.crt sslkey=ssl/client_tmp.key");
 
 # revoked client cert
-test_connect_fails(
+test_connect_fails($common_connstr,
 "user=ssltestuser sslcert=ssl/client-revoked.crt sslkey=ssl/client-revoked.key"
 );
 
@@ -230,8 +209,9 @@ switch_server_cert($node, 'server-cn-only', 'root_ca');
 $common_connstr =
 "user=ssltestuser dbname=certdb sslkey=ssl/client_tmp.key sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR";
 
-test_connect_ok("sslmode=require sslcert=ssl/client+client_ca.crt");
-test_connect_fails("sslmode=require sslcert=ssl/client.crt");
+test_connect_ok($common_connstr,
+	"sslmode=require sslcert=ssl/client+client_ca.crt");
+test_connect_fails($common_connstr, "sslmode=require sslcert=ssl/client.crt");
 
 # clean up
 unlink "ssl/client_tmp.key";
-- 
2.14.1

From 0cdd0e849e673f2abd3ff2d5ebd144959574be69 Mon Sep 17 00:00:00 2001
From: Michael Paquier <michael@paquier.xyz>
Date: Tue, 20 Jun 2017 10:18:58 +0900
Subject: [PATCH 2/4] Support channel binding 'tls-unique' in SCRAM

This is the basic feature set using OpenSSL to support the feature.
In order to allow the frontend and the backend to fetch the sent and
expected TLS finish messages, a PG-like API is added to be able to
make the interface pluggable for other SSL implementations.
---
 doc/src/sgml/protocol.sgml               |  24 +++--
 src/backend/libpq/auth-scram.c           | 151 +++++++++++++++++++++++++------
 src/backend/libpq/auth.c                 |  86 +++++++++++++++---
 src/backend/libpq/be-secure-openssl.c    |  24 +++++
 src/include/libpq/libpq-be.h             |   1 +
 src/include/libpq/scram.h                |  10 +-
 src/interfaces/libpq/fe-auth-scram.c     | 105 ++++++++++++++++-----
 src/interfaces/libpq/fe-auth.c           |  43 ++++++++-
 src/interfaces/libpq/fe-auth.h           |   4 +-
 src/interfaces/libpq/fe-secure-openssl.c |  26 ++++++
 src/interfaces/libpq/libpq-int.h         |   5 +-
 11 files changed, 404 insertions(+), 75 deletions(-)

diff --git a/doc/src/sgml/protocol.sgml b/doc/src/sgml/protocol.sgml
index c8b083c29c..1863c0905c 100644
--- a/doc/src/sgml/protocol.sgml
+++ b/doc/src/sgml/protocol.sgml
@@ -1342,10 +1342,11 @@
 
 <para>
 <firstterm>SASL</> is a framework for authentication in connection-oriented
-protocols. At the moment, <productname>PostgreSQL</> implements only one SASL
-authentication mechanism, SCRAM-SHA-256, but more might be added in the
-future. The below steps illustrate how SASL authentication is performed in
-general, while the next subsection gives more details on SCRAM-SHA-256.
+protocols. At the moment, <productname>PostgreSQL</> implements only two SASL
+authentication mechanisms, SCRAM-SHA-256 and SCRAM-SHA-256-PLUS, but more
+might be added in the future. The below steps illustrate how SASL
+authentication is performed in general, while the next subsection gives
+more details on SCRAM-SHA-256 and SCRAM-SHA-256-PLUS.
 </para>
 
 <procedure>
@@ -1430,7 +1431,10 @@ the password is in.
   </para>
 
   <para>
-<firstterm>Channel binding</> has not been implemented yet.
+<firstterm>Channel binding</> is supported in builds with SSL support, and
+uses as mechanism name <literal>SCRAM-SHA-256-PLUS</> for this purpose as
+defined per IANA. The only channel binding type supported by the server
+is <literal>tls-unique</>.
   </para>
 
 <procedure>
@@ -1439,14 +1443,18 @@ the password is in.
 <para>
   The server sends an AuthenticationSASL message. It includes a list of
   SASL authentication mechanisms that the server can accept.
+  <literal>SCRAM-SHA-256</> and <literal>SCRAM-SHA-256-PLUS</> are the
+  two mechanism names that the server lists in this message. Support for
+  channel binding is not included if the server is built without SSL
+  support and if the connection attempt is done without SSL.
 </para>
 </step>
 <step id="scram-client-first">
 <para>
   The client responds by sending a SASLInitialResponse message, which
-  indicates the chosen mechanism, <literal>SCRAM-SHA-256</>. In the Initial
-  Client response field, the message contains the SCRAM
-  <structname>client-first-message</>.
+  indicates the chosen mechanism, <literal>SCRAM-SHA-256</> or
+  <literal>SCRAM-SHA-256-PLUS</>. In the Initial Client response field,
+  the message contains the SCRAM <structname>client-first-message</>.
 </para>
 </step>
 <step id="scram-server-first">
diff --git a/src/backend/libpq/auth-scram.c b/src/backend/libpq/auth-scram.c
index 0b69f106f1..72333c8784 100644
--- a/src/backend/libpq/auth-scram.c
+++ b/src/backend/libpq/auth-scram.c
@@ -17,8 +17,6 @@
  *	 by the SASLprep profile, we skip the SASLprep pre-processing and use
  *	 the raw bytes in calculating the hash.
  *
- * - Channel binding is not supported yet.
- *
  *
  * The password stored in pg_authid consists of the iteration count, salt,
  * StoredKey and ServerKey.
@@ -112,6 +110,10 @@ typedef struct
 
 	const char *username;		/* username from startup packet */
 
+	bool		ssl_in_use;
+	char	   *tls_finish_message;
+	int			tls_finish_len;
+
 	int			iterations;
 	char	   *salt;			/* base64-encoded */
 	uint8		StoredKey[SCRAM_KEY_LEN];
@@ -168,7 +170,11 @@ static char *scram_mock_salt(const char *username);
  * it will fail, as if an incorrect password was given.
  */
 void *
-pg_be_scram_init(const char *username, const char *shadow_pass)
+pg_be_scram_init(const char *username,
+				 const char *shadow_pass,
+				 bool ssl_in_use,
+				 char *tls_finish_message,
+				 int tls_finish_len)
 {
 	scram_state *state;
 	bool		got_verifier;
@@ -176,6 +182,9 @@ pg_be_scram_init(const char *username, const char *shadow_pass)
 	state = (scram_state *) palloc0(sizeof(scram_state));
 	state->state = SCRAM_AUTH_INIT;
 	state->username = username;
+	state->ssl_in_use = ssl_in_use;
+	state->tls_finish_message = tls_finish_message;
+	state->tls_finish_len = tls_finish_len;
 
 	/*
 	 * Parse the stored password verifier.
@@ -773,31 +782,93 @@ read_client_first_message(scram_state *state, char *input)
 	 *------
 	 */
 
-	/* read gs2-cbind-flag */
+	/*
+	 * Read gs2-cbind-flag. Server handles its value as described in RFC 5802,
+	 * section 6 dealing with channel binding.
+	 */
 	switch (*input)
 	{
 		case 'n':
-			/* Client does not support channel binding */
+			/*
+			 * Client does not support channel binding, this is authorized
+			 * only in builds not supporting SSL.  If SSL is supported, the
+			 * server cannot support this option either.
+			 */
+#ifdef USE_SSL
+			if (state->ssl_in_use)
+				ereport(ERROR,
+						(errcode(ERRCODE_PROTOCOL_VIOLATION),
+						 errmsg("client does not support SCRAM channel binding, but server needs it for SSL connections")));
+			else
+				ereport(ERROR,
+						(errcode(ERRCODE_PROTOCOL_VIOLATION),
+						 errmsg("client does not support SCRAM channel binding, but server does")));
+#endif
+			input++;
+			if (*input != ',')
+				ereport(ERROR,
+						(errcode(ERRCODE_PROTOCOL_VIOLATION),
+						 errmsg("malformed SCRAM message"),
+						 errdetail("Comma expected, but found character %s.",
+								   sanitize_char(*input))));
 			input++;
 			break;
 		case 'y':
-			/* Client supports channel binding, but we're not doing it today */
+			/*
+			 * Client supports channel binding, but we're not doing it today
+			 * in the context of a non-SSL connection.  Complain though if
+			 * the client is trying to trick the server in not doing channel
+			 * binding with a downgrade attack if a SSL connection is
+			 * attempted.
+			 */
+			if (state->ssl_in_use)
+				ereport(ERROR,
+						(errcode(ERRCODE_PROTOCOL_VIOLATION),
+						 errmsg("client support SCRAM channel binding, but server needs it for SSL connections")));
+			input++;
+			if (*input != ',')
+				ereport(ERROR,
+						(errcode(ERRCODE_PROTOCOL_VIOLATION),
+						 errmsg("malformed SCRAM message"),
+						 errdetail("Comma expected, but found character %s.",
+								   sanitize_char(*input))));
 			input++;
 			break;
 		case 'p':
+			{
+#ifdef USE_SSL
+				char *channel_name;
 
-			/*
-			 * Client requires channel binding.  We don't support it.
-			 *
-			 * RFC 5802 specifies a particular error code,
-			 * e=server-does-support-channel-binding, for this.  But it can
-			 * only be sent in the server-final message, and we don't want to
-			 * go through the motions of the authentication, knowing it will
-			 * fail, just to send that error message.
-			 */
-			ereport(ERROR,
-					(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
-					 errmsg("client requires SCRAM channel binding, but it is not supported")));
+				if (!state->ssl_in_use)
+					ereport(ERROR,
+							(errcode(ERRCODE_PROTOCOL_VIOLATION),
+							 errmsg("client supports SCRAM channel binding, but server does not need it for non-SSL connections")));
+
+				/*
+				 * Read value provided by client, only tls-unique is supported
+				 * for now.
+				 */
+				channel_name = read_attr_value(&input, 'p');
+				if (strcmp(channel_name, SCRAM_CHANNEL_TLS_UNIQUE) != 0)
+					ereport(ERROR,
+						(errcode(ERRCODE_PROTOCOL_VIOLATION),
+						 (errmsg("unexpected SCRAM channel-binding type"))));
+#else
+				/*
+				 * Client requires channel binding.  We don't support it.
+				 *
+				 * RFC 5802 specifies a particular error code,
+				 * e=server-does-support-channel-binding, for this.  But it
+				 * can only be sent in the server-final message, and we don't
+				 * want to go through the motions of the authentication,
+				 * knowing it will fail, just to send that error message.
+				 */
+				ereport(ERROR,
+						(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
+						 errmsg("client requires SCRAM channel binding, but it is not supported")));
+#endif
+			}
+			break;
 		default:
 			ereport(ERROR,
 					(errcode(ERRCODE_PROTOCOL_VIOLATION),
@@ -805,13 +876,6 @@ read_client_first_message(scram_state *state, char *input)
 					 errdetail("Unexpected channel-binding flag %s.",
 							   sanitize_char(*input))));
 	}
-	if (*input != ',')
-		ereport(ERROR,
-				(errcode(ERRCODE_PROTOCOL_VIOLATION),
-				 errmsg("malformed SCRAM message"),
-				 errdetail("Comma expected, but found character %s.",
-						   sanitize_char(*input))));
-	input++;
 
 	/*
 	 * Forbid optional authzid (authorization identity).  We don't support it.
@@ -1032,14 +1096,47 @@ read_client_final_message(scram_state *state, char *input)
 	 */
 
 	/*
-	 * Read channel-binding.  We don't support channel binding, so it's
-	 * expected to always be "biws", which is "n,,", base64-encoded.
+	 * Read channel-binding.  We don't support channel binding for builds
+	 * without SSL support, so it's expected to always be "biws" in this case,
+	 * which is "n,,", base64-encoded.  In builds supporting SSL, "biws" is
+	 * used for Non-SSL connection attempts, and for SSL connections the
+	 * client has to provide channel binding value.
 	 */
 	channel_binding = read_attr_value(&p, 'c');
+#ifdef USE_SSL
+	if (state->ssl_in_use)
+	{
+		char	   *enc_tls_message;
+		int			enc_tls_len;
+
+		enc_tls_message = palloc(pg_b64_enc_len(state->tls_finish_len) + 1);
+		enc_tls_len = pg_b64_encode(state->tls_finish_message,
+									state->tls_finish_len,
+									enc_tls_message);
+		enc_tls_message[enc_tls_len] = '\0';
+
+		/*
+		 * Compare the value sent by the client with the TLS finish message
+		 * expected by the server.
+		 */
+		if (strcmp(channel_binding, enc_tls_message) != 0)
+			ereport(ERROR,
+					(errcode(ERRCODE_PROTOCOL_VIOLATION),
+					 (errmsg("no match for SCRAM channel-binding attribute in client-final-message"))));
+	}
+	else
+	{
+		if (strcmp(channel_binding, "biws") != 0)
+			ereport(ERROR,
+					(errcode(ERRCODE_PROTOCOL_VIOLATION),
+					 (errmsg("unexpected SCRAM channel-binding attribute in client-final-message"))));
+	}
+#else
 	if (strcmp(channel_binding, "biws") != 0)
 		ereport(ERROR,
 				(errcode(ERRCODE_PROTOCOL_VIOLATION),
 				 (errmsg("unexpected SCRAM channel-binding attribute in client-final-message"))));
+#endif
 	state->client_final_nonce = read_attr_value(&p, 'r');
 
 	/* ignore optional extensions */
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index cb30fc7b71..ee9bce03a2 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -859,10 +859,14 @@ CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail)
 	void	   *scram_opaq;
 	char	   *output = NULL;
 	int			outputlen = 0;
-	char	   *input;
+	char	   *input, *p;
+	char	   *sasl_mechs;
 	int			inputlen;
+	int			listlen = 0;
 	int			result;
 	bool		initial;
+	char	   *tls_finish = NULL;
+	int			tls_finish_len = 0;
 
 	/*
 	 * SASL auth is not supported for protocol versions before 3, because it
@@ -879,12 +883,49 @@ CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail)
 
 	/*
 	 * Send the SASL authentication request to user.  It includes the list of
-	 * authentication mechanisms (which is trivial, because we only support
-	 * SCRAM-SHA-256 at the moment).  The extra "\0" is for an empty string to
-	 * terminate the list.
+	 * authentication mechanisms that are supported:
+	 * - SCRAM-SHA-256, which is the mechanism with the same name.
+	 * - SCRAM-SHA-256-PLUS, which is SCRAM-SHA-256 with channel binding. This
+	 * is advertised to the client only if connection is attempted with SSL.
+	 * The order of mechanisms is advertised in decreasing order of importance.
+	 * The extra "\0" is for an empty string to terminate the list, and each
+	 * mechanism listed needs to be separated with "\0".
 	 */
-	sendAuthRequest(port, AUTH_REQ_SASL, SCRAM_SHA256_NAME "\0",
-					strlen(SCRAM_SHA256_NAME) + 2);
+	listlen = 0;
+	sasl_mechs = (char *) palloc(strlen(SCRAM_SHA256_PLUS_NAME) +
+								 strlen(SCRAM_SHA256_NAME) + 3);
+	p = sasl_mechs;
+
+	/* add SCRAM-SHA-256-PLUS, which depends on if SSL is in use */
+	if (port->ssl_in_use)
+	{
+		strcpy(p, SCRAM_SHA256_PLUS_NAME);
+		listlen += strlen(SCRAM_SHA256_PLUS_NAME) + 1;
+		p += strlen(SCRAM_SHA256_PLUS_NAME) + 1;
+	}
+
+	/* add generic SCRAM-SHA-256 */
+	strcpy(p, SCRAM_SHA256_NAME);
+	listlen += strlen(SCRAM_SHA256_NAME) + 1;
+	p += strlen(SCRAM_SHA256_NAME) + 1;
+
+	/* put "\0" to mark that list is finished */
+	p[0] = '\0';
+	listlen++;
+
+	sendAuthRequest(port, AUTH_REQ_SASL, sasl_mechs, listlen);
+	pfree(sasl_mechs);
+
+#ifdef USE_SSL
+	/*
+	 * Fetch the data related to the SSL finish message to be used in the
+	 * exchange.
+	 */
+	if (port->ssl_in_use)
+	{
+		tls_finish = be_tls_get_peer_finish(port, &tls_finish_len);
+	}
+#endif
 
 	/*
 	 * Initialize the status tracker for message exchanges.
@@ -897,7 +938,11 @@ CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail)
 	 * This is because we don't want to reveal to an attacker what usernames
 	 * are valid, nor which users have a valid password.
 	 */
-	scram_opaq = pg_be_scram_init(port->user_name, shadow_pass);
+	scram_opaq = pg_be_scram_init(port->user_name,
+								  shadow_pass,
+								  port->ssl_in_use,
+								  tls_finish,
+								  tls_finish_len);
 
 	/*
 	 * Loop through SASL message exchange.  This exchange can consist of
@@ -946,17 +991,36 @@ CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail)
 			const char *selected_mech;
 
 			/*
-			 * We only support SCRAM-SHA-256 at the moment, so anything else
-			 * is an error.
+			 * We only support SCRAM-SHA-256 and SCRAM-SHA-256-PLUS at the
+			 * moment, so anything else is an error.
 			 */
 			selected_mech = pq_getmsgrawstring(&buf);
-			if (strcmp(selected_mech, SCRAM_SHA256_NAME) != 0)
+			if (strcmp(selected_mech, SCRAM_SHA256_NAME) != 0 &&
+				strcmp(selected_mech, SCRAM_SHA256_PLUS_NAME) != 0)
 			{
 				ereport(ERROR,
 						(errcode(ERRCODE_PROTOCOL_VIOLATION),
-						 errmsg("client selected an invalid SASL authentication mechanism")));
+						 errmsg("client selected an invalid SASL authentication mechanism"),
+						 errdetail("Incorrect SASL mechanism name specified")));
 			}
 
+#ifdef USE_SSL
+			/*
+			 * If an SSL connection is attempted, check for downgrade attacks.
+			 * A connection is not allowed to specify SCRAM-SHA-256 if its
+			 * -PLUS version has been submitted back to the client, which is
+			 * the default.
+			 */
+			if (port->ssl_in_use &&
+				strcmp(selected_mech, SCRAM_SHA256_NAME) == 0)
+			{
+				ereport(ERROR,
+						(errcode(ERRCODE_PROTOCOL_VIOLATION),
+						 errmsg("client selected invalid SASL authentication mechanism"),
+						 errdetail("Channel binding published to client but not selected.")));
+			}
+#endif
+
 			inputlen = pq_getmsgint(&buf, 4);
 			if (inputlen == -1)
 				input = NULL;
diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index fe15227a77..d063a587d0 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -1215,6 +1215,30 @@ be_tls_get_peerdn_name(Port *port, char *ptr, size_t len)
 		ptr[0] = '\0';
 }
 
+/*
+ * Routine to get the expected TLS finish message information from the
+ * client, useful for authorization when doing channel binding.
+ *
+ * Result is a palloc'd copy of the TLS finish message with its size.
+ */
+char *
+be_tls_get_peer_finish(Port *port, int *len)
+{
+	char		dummy[1];
+	char	   *result;
+
+	/*
+	 * OpenSSL does not offer an API to get directly the length of the
+	 * expected TLS finish message, so just do a dummy call to grab this
+	 * information to allow caller to do an allocation with a correct size.
+	 */
+	*len = SSL_get_peer_finished(port->ssl, dummy, sizeof(dummy));
+	result = (char *) palloc(*len * sizeof(char));
+	(void) SSL_get_peer_finished(port->ssl, result, *len);
+
+	return result;
+}
+
 /*
  * Convert an X509 subject name to a cstring.
  *
diff --git a/src/include/libpq/libpq-be.h b/src/include/libpq/libpq-be.h
index 7bde744d51..5d59d79822 100644
--- a/src/include/libpq/libpq-be.h
+++ b/src/include/libpq/libpq-be.h
@@ -209,6 +209,7 @@ extern bool be_tls_get_compression(Port *port);
 extern void be_tls_get_version(Port *port, char *ptr, size_t len);
 extern void be_tls_get_cipher(Port *port, char *ptr, size_t len);
 extern void be_tls_get_peerdn_name(Port *port, char *ptr, size_t len);
+extern char *be_tls_get_peer_finish(Port *port, int *len);
 #endif
 
 extern ProtocolVersion FrontendProtocol;
diff --git a/src/include/libpq/scram.h b/src/include/libpq/scram.h
index 0166e1945d..91cebe9a9b 100644
--- a/src/include/libpq/scram.h
+++ b/src/include/libpq/scram.h
@@ -13,8 +13,12 @@
 #ifndef PG_SCRAM_H
 #define PG_SCRAM_H
 
-/* Name of SCRAM-SHA-256 per IANA */
+/* Name of SCRAM mechanisms per IANA */
 #define SCRAM_SHA256_NAME "SCRAM-SHA-256"
+#define SCRAM_SHA256_PLUS_NAME "SCRAM-SHA-256-PLUS"	/* with channel binding */
+
+/* Channel binding names */
+#define SCRAM_CHANNEL_TLS_UNIQUE	"tls-unique"
 
 /* Status codes for message exchange */
 #define SASL_EXCHANGE_CONTINUE		0
@@ -22,7 +26,9 @@
 #define SASL_EXCHANGE_FAILURE		2
 
 /* Routines dedicated to authentication */
-extern void *pg_be_scram_init(const char *username, const char *shadow_pass);
+extern void *pg_be_scram_init(const char *username, const char *shadow_pass,
+					 bool ssl_in_use, char *tls_finish_message,
+					 int tls_finish_len);
 extern int pg_be_scram_exchange(void *opaq, char *input, int inputlen,
 					 char **output, int *outputlen, char **logdetail);
 
diff --git a/src/interfaces/libpq/fe-auth-scram.c b/src/interfaces/libpq/fe-auth-scram.c
index d1c7037101..8b2a64f213 100644
--- a/src/interfaces/libpq/fe-auth-scram.c
+++ b/src/interfaces/libpq/fe-auth-scram.c
@@ -17,6 +17,7 @@
 #include "common/base64.h"
 #include "common/saslprep.h"
 #include "common/scram-common.h"
+#include "libpq/scram.h"
 #include "fe-auth.h"
 
 /* These are needed for getpid(), in the fallback implementation */
@@ -44,6 +45,9 @@ typedef struct
 	/* These are supplied by the user */
 	const char *username;
 	char	   *password;
+	bool		ssl_in_use;
+	char	   *tls_finish_message;
+	int			tls_finish_len;
 
 	/* We construct these */
 	uint8		SaltedPassword[SCRAM_KEY_LEN];
@@ -81,7 +85,11 @@ static bool pg_frontend_random(char *dst, int len);
  * Initialize SCRAM exchange status.
  */
 void *
-pg_fe_scram_init(const char *username, const char *password)
+pg_fe_scram_init(const char *username,
+				 const char *password,
+				 bool ssl_in_use,
+				 char *tls_finish_message,
+				 int tls_finish_len)
 {
 	fe_scram_state *state;
 	char	   *prep_password;
@@ -93,6 +101,9 @@ pg_fe_scram_init(const char *username, const char *password)
 	memset(state, 0, sizeof(fe_scram_state));
 	state->state = FE_SCRAM_INIT;
 	state->username = username;
+	state->ssl_in_use = ssl_in_use;
+	state->tls_finish_message = tls_finish_message;
+	state->tls_finish_len = tls_finish_len;
 
 	/* Normalize the password with SASLprep, if possible */
 	rc = pg_saslprep(password, &prep_password);
@@ -297,9 +308,10 @@ static char *
 build_client_first_message(fe_scram_state *state, PQExpBuffer errormessage)
 {
 	char		raw_nonce[SCRAM_RAW_NONCE_LEN + 1];
-	char	   *buf;
-	char		buflen;
+	char	   *result;
+	int			channel_info_len;
 	int			encoded_len;
+	PQExpBufferData buf;
 
 	/*
 	 * Generate a "raw" nonce.  This is converted to ASCII-printable form by
@@ -328,26 +340,55 @@ build_client_first_message(fe_scram_state *state, PQExpBuffer errormessage)
 	 * prepared with SASLprep, the message parsing would fail if it includes
 	 * '=' or ',' characters.
 	 */
-	buflen = 8 + strlen(state->client_nonce) + 1;
-	buf = malloc(buflen);
-	if (buf == NULL)
-	{
-		printfPQExpBuffer(errormessage,
-						  libpq_gettext("out of memory\n"));
-		return NULL;
-	}
-	snprintf(buf, buflen, "n,,n=,r=%s", state->client_nonce);
+	initPQExpBuffer(&buf);
 
-	state->client_first_message_bare = strdup(buf + 3);
+	/*
+	 * First build the query field for channel binding. If the client is not
+	 * built with SSL support, it cannot support channel binding so it needs
+	 * to use "n" to let the server know. If built with SSL support, client
+	 * needs to use "y" to let the server know that client has such support
+	 * but that it is not using it as a non-SSL connection is requested.
+	 * Finally if a SSL connection is done, use p=cb-name, for which only
+	 * "tls-unique" is supported now.
+	 */
+#ifdef USE_SSL
+	if (state->ssl_in_use)
+		appendPQExpBuffer(&buf, "p=%s", SCRAM_CHANNEL_TLS_UNIQUE);
+	else
+		appendPQExpBuffer(&buf, "y");
+#else
+	appendPQExpBuffer(&buf, "n");
+#endif
+
+	if (PQExpBufferDataBroken(buf))
+		goto oom_error;
+
+	channel_info_len = buf.len;
+
+	appendPQExpBuffer(&buf, ",,n=,r=%s", state->client_nonce);
+	if (PQExpBufferDataBroken(buf))
+		goto oom_error;
+
+	/*
+	 * The first message content needs to be saved without channel binding
+	 * information.
+	 */
+	state->client_first_message_bare = strdup(buf.data + channel_info_len + 2);
 	if (!state->client_first_message_bare)
-	{
-		free(buf);
-		printfPQExpBuffer(errormessage,
-						  libpq_gettext("out of memory\n"));
-		return NULL;
-	}
+		goto oom_error;
 
-	return buf;
+	result = strdup(buf.data);
+	if (result == NULL)
+		goto oom_error;
+
+	termPQExpBuffer(&buf);
+	return result;
+
+oom_error:
+	termPQExpBuffer(&buf);
+	printfPQExpBuffer(errormessage,
+					  libpq_gettext("out of memory\n"));
+	return NULL;
 }
 
 /*
@@ -365,8 +406,30 @@ build_client_final_message(fe_scram_state *state, PQExpBuffer errormessage)
 	/*
 	 * Construct client-final-message-without-proof.  We need to remember it
 	 * for verifying the server proof in the final step of authentication.
+	 * Client needs to provide a b64 encoded string of the TLS finish message
+	 * only if a SSL connection is attempted.
 	 */
-	appendPQExpBuffer(&buf, "c=biws,r=%s", state->nonce);
+#ifdef USE_SSL
+	if (state->ssl_in_use)
+	{
+		appendPQExpBuffer(&buf, "c=");
+		if (!enlargePQExpBuffer(&buf, pg_b64_enc_len(state->tls_finish_len)))
+			goto oom_error;
+		buf.len += pg_b64_encode(state->tls_finish_message,
+								 state->tls_finish_len,
+								 buf.data + buf.len);
+		buf.data[buf.len] = '\0';
+	}
+	else
+		appendPQExpBuffer(&buf, "c=biws");
+#else
+	appendPQExpBuffer(&buf, "c=biws");
+#endif
+
+	if (PQExpBufferDataBroken(buf))
+		goto oom_error;
+
+	appendPQExpBuffer(&buf, ",r=%s", state->nonce);
 	if (PQExpBufferDataBroken(buf))
 		goto oom_error;
 
diff --git a/src/interfaces/libpq/fe-auth.c b/src/interfaces/libpq/fe-auth.c
index 382558f3f8..05f04be10a 100644
--- a/src/interfaces/libpq/fe-auth.c
+++ b/src/interfaces/libpq/fe-auth.c
@@ -504,7 +504,8 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 	/*
 	 * Parse the list of SASL authentication mechanisms in the
 	 * AuthenticationSASL message, and select the best mechanism that we
-	 * support.  (Only SCRAM-SHA-256 is supported at the moment.)
+	 * support.  SCRAM-SHA-256 and SCRAM-SHA-256-PLUS are the only ones
+	 * supported at the moment.
 	 */
 	selected_mechanism = NULL;
 	for (;;)
@@ -532,9 +533,12 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 		/*
 		 * Do we support this mechanism?
 		 */
-		if (strcmp(mechanism_buf.data, SCRAM_SHA256_NAME) == 0)
+		if (strcmp(mechanism_buf.data, SCRAM_SHA256_NAME) == 0 ||
+			strcmp(mechanism_buf.data, SCRAM_SHA256_PLUS_NAME) == 0)
 		{
 			char	   *password;
+			char	   *tls_finish = NULL;
+			int			tls_finish_len = 0;
 
 			conn->password_needed = true;
 			password = conn->connhost[conn->whichhost].password;
@@ -547,10 +551,41 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 				goto error;
 			}
 
-			conn->sasl_state = pg_fe_scram_init(conn->pguser, password);
+#ifdef USE_SSL
+			/* Fetch information about the TLS finish message */
+			if (conn->ssl_in_use)
+			{
+				tls_finish = pgtls_get_finish(conn, &tls_finish_len);
+				if (tls_finish == NULL)
+					goto oom_error;
+			}
+#endif
+
+			conn->sasl_state = pg_fe_scram_init(conn->pguser,
+												password,
+												conn->ssl_in_use,
+												tls_finish,
+												tls_finish_len);
 			if (!conn->sasl_state)
 				goto oom_error;
-			selected_mechanism = SCRAM_SHA256_NAME;
+
+			/*
+			 * Select the mechanism to use by default. If SSL connection
+			 * is attempted, the server will expect the -PLUS mechanism.
+			 * If not, fallback to SCRAM-SHA-256.
+			 */
+#ifdef USE_SSL
+			if (conn->ssl_in_use &&
+				strcmp(mechanism_buf.data, SCRAM_SHA256_PLUS_NAME) == 0)
+				selected_mechanism = SCRAM_SHA256_PLUS_NAME;
+			else if (!conn->ssl_in_use &&
+					 strcmp(mechanism_buf.data, SCRAM_SHA256_NAME) == 0)
+				selected_mechanism = SCRAM_SHA256_NAME;
+#else
+			/* No channel binding can be selected without SSL support */
+			if (strcmp(mechanism_buf.data, SCRAM_SHA256_NAME) == 0)
+				selected_mechanism = SCRAM_SHA256_NAME;
+#endif
 		}
 	}
 
diff --git a/src/interfaces/libpq/fe-auth.h b/src/interfaces/libpq/fe-auth.h
index 5dc6bb5341..ee3dd7f96c 100644
--- a/src/interfaces/libpq/fe-auth.h
+++ b/src/interfaces/libpq/fe-auth.h
@@ -23,7 +23,9 @@ extern int	pg_fe_sendauth(AuthRequest areq, int payloadlen, PGconn *conn);
 extern char *pg_fe_getauthname(PQExpBuffer errorMessage);
 
 /* Prototypes for functions in fe-auth-scram.c */
-extern void *pg_fe_scram_init(const char *username, const char *password);
+extern void *pg_fe_scram_init(const char *username, const char *password,
+					 bool ssl_in_use, char *tls_finish_message,
+					 int tls_finish_len);
 extern void pg_fe_scram_free(void *opaq);
 extern void pg_fe_scram_exchange(void *opaq, char *input, int inputlen,
 					 char **output, int *outputlen,
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 2f29820e82..84a6e3c322 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -393,6 +393,32 @@ pgtls_write(PGconn *conn, const void *ptr, size_t len)
 	return n;
 }
 
+/*
+ *	Get the TLS finish message sent during last handshake
+ *
+ * This information is useful for callers doing channel binding during
+ * authentication.
+ */
+char *
+pgtls_get_finish(PGconn *conn, int *len)
+{
+	char		dummy[1];
+	char	   *result;
+
+	/*
+	 * OpenSSL does not offer an API to get directly the length of the
+	 * TLS finish message sent, so first do a dummy call to grab this
+	 * information and then do an allocation with the correct size.
+	 */
+	*len = SSL_get_finished(conn->ssl, dummy, sizeof(dummy));
+	result = malloc(*len);
+	if (result == NULL)
+		return NULL;
+	(void) SSL_get_finished(conn->ssl, result, *len);
+	return result;
+}
+
+
 /* ------------------------------------------------------------ */
 /*						OpenSSL specific code					*/
 /* ------------------------------------------------------------ */
diff --git a/src/interfaces/libpq/libpq-int.h b/src/interfaces/libpq/libpq-int.h
index 42913604e3..0eb8b60c95 100644
--- a/src/interfaces/libpq/libpq-int.h
+++ b/src/interfaces/libpq/libpq-int.h
@@ -453,11 +453,13 @@ struct pg_conn
 	/* Assorted state for SASL, SSL, GSS, etc */
 	void	   *sasl_state;
 
+	/* SSL structures */
+	bool		ssl_in_use;
+
 #ifdef USE_SSL
 	bool		allow_ssl_try;	/* Allowed to try SSL negotiation */
 	bool		wait_ssl_try;	/* Delay SSL negotiation until after
 								 * attempting normal connection */
-	bool		ssl_in_use;
 #ifdef USE_OPENSSL
 	SSL		   *ssl;			/* SSL status, if have SSL connection */
 	X509	   *peer;			/* X509 cert of server */
@@ -668,6 +670,7 @@ extern void pgtls_close(PGconn *conn);
 extern ssize_t pgtls_read(PGconn *conn, void *ptr, size_t len);
 extern bool pgtls_read_pending(PGconn *conn);
 extern ssize_t pgtls_write(PGconn *conn, const void *ptr, size_t len);
+extern char *pgtls_get_finish(PGconn *conn, int *len);
 
 /*
  * this is so that we can check if a connection is non-blocking internally
-- 
2.14.1

From 3ab83fc7f28f6590ae8fa1d1115665c91501e76d Mon Sep 17 00:00:00 2001
From: Michael Paquier <michael@paquier.xyz>
Date: Tue, 20 Jun 2017 11:41:10 +0900
Subject: [PATCH 3/4] Add connection parameters "saslname" and
 "saslchannelbinding"

Those parameters can be used to respectively enforce the value of the
SASL mechanism name and the channel binding name sent to server during
a SASL message exchange.

A set of tests dedicated to SASL and channel binding is added as well
to the SSL test suite, which is handy to check the validity of a patch.
---
 doc/src/sgml/libpq.sgml              | 24 ++++++++++++++++
 src/backend/libpq/auth-scram.c       | 41 +++++++++++++++++++++-------
 src/interfaces/libpq/fe-auth-scram.c | 53 ++++++++++++++++++++++++++++++++----
 src/interfaces/libpq/fe-auth.c       |  8 ++++++
 src/interfaces/libpq/fe-auth.h       |  4 +--
 src/interfaces/libpq/fe-connect.c    | 13 +++++++++
 src/interfaces/libpq/libpq-int.h     |  2 ++
 src/test/ssl/ServerSetup.pm          | 19 +++++++++++--
 src/test/ssl/t/001_ssltests.pl       |  2 +-
 src/test/ssl/t/002_sasl.pl           | 52 +++++++++++++++++++++++++++++++++++
 10 files changed, 197 insertions(+), 21 deletions(-)
 create mode 100644 src/test/ssl/t/002_sasl.pl

diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml
index 8e0b0b8586..5f78fb2f46 100644
--- a/doc/src/sgml/libpq.sgml
+++ b/doc/src/sgml/libpq.sgml
@@ -1220,6 +1220,30 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname
       </listitem>
      </varlistentry>
 
+     <varlistentry id="libpq-saslname" xreflabel="saslname">
+      <term><literal>saslname</literal></term>
+      <listitem>
+       <para>
+        Controls the name of the SASL mechanism name sent to server when doing
+        a message exchange for a SASL authentication. The list of SASL
+        mechanisms supported by server are listed in
+        <xref linkend="sasl-authentication">.
+       </para>
+      </listitem>
+     </varlistentry>
+
+     <varlistentry id="libpq-saslchannelbinding" xreflabel="saslchannelbinding">
+      <term><literal>saslchannelbinding</literal></term>
+      <listitem>
+       <para>
+        Controls the name of the channel binding name sent to server when doing
+        a message exchange for a SASL authentication. The list of channel
+        binding names supported by server are listed in
+        <xref linkend="sasl-authentication">.
+       </para>
+      </listitem>
+     </varlistentry>
+     
      <varlistentry id="libpq-connect-sslmode" xreflabel="sslmode">
       <term><literal>sslmode</literal></term>
       <listitem>
diff --git a/src/backend/libpq/auth-scram.c b/src/backend/libpq/auth-scram.c
index 72333c8784..f32cf26a37 100644
--- a/src/backend/libpq/auth-scram.c
+++ b/src/backend/libpq/auth-scram.c
@@ -113,6 +113,7 @@ typedef struct
 	bool		ssl_in_use;
 	char	   *tls_finish_message;
 	int			tls_finish_len;
+	char	   *channel_binding;
 
 	int			iterations;
 	char	   *salt;			/* base64-encoded */
@@ -185,6 +186,7 @@ pg_be_scram_init(const char *username,
 	state->ssl_in_use = ssl_in_use;
 	state->tls_finish_message = tls_finish_message;
 	state->tls_finish_len = tls_finish_len;
+	state->channel_binding = NULL;
 
 	/*
 	 * Parse the stored password verifier.
@@ -853,6 +855,9 @@ read_client_first_message(scram_state *state, char *input)
 					ereport(ERROR,
 						(errcode(ERRCODE_PROTOCOL_VIOLATION),
 						 (errmsg("unexpected SCRAM channel-binding type"))));
+
+				/* Save the name for handling of subsequent messages */
+				state->channel_binding = pstrdup(channel_name);
 #else
 				/*
 				 * Client requires channel binding.  We don't support it.
@@ -1106,20 +1111,36 @@ read_client_final_message(scram_state *state, char *input)
 #ifdef USE_SSL
 	if (state->ssl_in_use)
 	{
-		char	   *enc_tls_message;
-		int			enc_tls_len;
+		char	   *b64_message, *raw_data;
+		int			b64_message_len, raw_data_len;
+
+		/* Fetch data for each channel binding type */
+		if (strcmp(state->channel_binding, SCRAM_CHANNEL_TLS_UNIQUE) == 0)
+		{
+			raw_data = state->tls_finish_message;
+			raw_data_len = state->tls_finish_len;
+		}
+		else
+		{
+			/* should not happen */
+			elog(ERROR, "invalid channel binding type");
+		}
+
+		/* should not happen, but better safe than sorry */
+		if (raw_data == NULL)
+			elog(ERROR, "empty binding data for channel name \"%s\"",
+				 state->channel_binding);
 
-		enc_tls_message = palloc(pg_b64_enc_len(state->tls_finish_len) + 1);
-		enc_tls_len = pg_b64_encode(state->tls_finish_message,
-									state->tls_finish_len,
-									enc_tls_message);
-		enc_tls_message[enc_tls_len] = '\0';
+		b64_message = palloc(pg_b64_enc_len(raw_data_len) + 1);
+		b64_message_len = pg_b64_encode(raw_data, raw_data_len,
+										b64_message);
+		b64_message[b64_message_len] = '\0';
 
 		/*
-		 * Compare the value sent by the client with the TLS finish message
-		 * expected by the server.
+		 * Compare the value sent by the client with the value expected by
+		 * the server.
 		 */
-		if (strcmp(channel_binding, enc_tls_message) != 0)
+		if (strcmp(channel_binding, b64_message) != 0)
 			ereport(ERROR,
 					(errcode(ERRCODE_PROTOCOL_VIOLATION),
 					 (errmsg("no match for SCRAM channel-binding attribute in client-final-message"))));
diff --git a/src/interfaces/libpq/fe-auth-scram.c b/src/interfaces/libpq/fe-auth-scram.c
index 8b2a64f213..9be876eac6 100644
--- a/src/interfaces/libpq/fe-auth-scram.c
+++ b/src/interfaces/libpq/fe-auth-scram.c
@@ -48,6 +48,8 @@ typedef struct
 	bool		ssl_in_use;
 	char	   *tls_finish_message;
 	int			tls_finish_len;
+	/* enforceable user parameters */
+	char	   *saslchannelbinding;	/* name of channel binding to use */
 
 	/* We construct these */
 	uint8		SaltedPassword[SCRAM_KEY_LEN];
@@ -88,6 +90,7 @@ void *
 pg_fe_scram_init(const char *username,
 				 const char *password,
 				 bool ssl_in_use,
+				 char *saslchannelbinding,
 				 char *tls_finish_message,
 				 int tls_finish_len)
 {
@@ -105,6 +108,15 @@ pg_fe_scram_init(const char *username,
 	state->tls_finish_message = tls_finish_message;
 	state->tls_finish_len = tls_finish_len;
 
+	/*
+	 * If user has specified a channel binding to use, enforce the
+	 * channel binding sent to it.  The default is "tls-unique".
+	 */
+	if (saslchannelbinding && strlen(saslchannelbinding) > 0)
+		state->saslchannelbinding = strdup(saslchannelbinding);
+	else
+		state->saslchannelbinding = strdup(SCRAM_CHANNEL_TLS_UNIQUE);
+
 	/* Normalize the password with SASLprep, if possible */
 	rc = pg_saslprep(password, &prep_password);
 	if (rc == SASLPREP_OOM)
@@ -136,6 +148,10 @@ pg_fe_scram_free(void *opaq)
 
 	if (state->password)
 		free(state->password);
+	if (state->tls_finish_message)
+		free(state->tls_finish_message);
+	if (state->saslchannelbinding)
+		free(state->saslchannelbinding);
 
 	/* client messages */
 	if (state->client_nonce)
@@ -353,7 +369,7 @@ build_client_first_message(fe_scram_state *state, PQExpBuffer errormessage)
 	 */
 #ifdef USE_SSL
 	if (state->ssl_in_use)
-		appendPQExpBuffer(&buf, "p=%s", SCRAM_CHANNEL_TLS_UNIQUE);
+		appendPQExpBuffer(&buf, "p=%s", state->saslchannelbinding);
 	else
 		appendPQExpBuffer(&buf, "y");
 #else
@@ -412,12 +428,39 @@ build_client_final_message(fe_scram_state *state, PQExpBuffer errormessage)
 #ifdef USE_SSL
 	if (state->ssl_in_use)
 	{
+		char	   *raw_data;
+		int			raw_data_len;
+
+		if (strcmp(state->saslchannelbinding, SCRAM_CHANNEL_TLS_UNIQUE) == 0)
+		{
+			raw_data = state->tls_finish_message;
+			raw_data_len = state->tls_finish_len;
+		}
+		else
+		{
+			/* should not happen */
+			termPQExpBuffer(&buf);
+			printfPQExpBuffer(errormessage,
+							  libpq_gettext("incorrect channel binding name\n"));
+			return NULL;
+		}
+
+		/* should not happen, but better safe than sorry */
+		if (raw_data == NULL)
+		{
+			/* should not happen */
+			termPQExpBuffer(&buf);
+			printfPQExpBuffer(errormessage,
+							  libpq_gettext("empty binding data for channel name \"%s\"\n"),
+							  state->saslchannelbinding);
+			return NULL;
+		}
+
 		appendPQExpBuffer(&buf, "c=");
-		if (!enlargePQExpBuffer(&buf, pg_b64_enc_len(state->tls_finish_len)))
+
+		if (!enlargePQExpBuffer(&buf, pg_b64_enc_len(raw_data_len)))
 			goto oom_error;
-		buf.len += pg_b64_encode(state->tls_finish_message,
-								 state->tls_finish_len,
-								 buf.data + buf.len);
+		buf.len += pg_b64_encode(raw_data, raw_data_len, buf.data + buf.len);
 		buf.data[buf.len] = '\0';
 	}
 	else
diff --git a/src/interfaces/libpq/fe-auth.c b/src/interfaces/libpq/fe-auth.c
index 05f04be10a..4b26018f65 100644
--- a/src/interfaces/libpq/fe-auth.c
+++ b/src/interfaces/libpq/fe-auth.c
@@ -564,6 +564,7 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 			conn->sasl_state = pg_fe_scram_init(conn->pguser,
 												password,
 												conn->ssl_in_use,
+												conn->saslchannelbinding,
 												tls_finish,
 												tls_finish_len);
 			if (!conn->sasl_state)
@@ -589,6 +590,13 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 		}
 	}
 
+	/*
+	 * If user has asked for a specific mechanism name, enforce the chosen
+	 * name to it.
+	 */
+	if (conn->saslname && strlen(conn->saslname) > 0)
+		selected_mechanism = conn->saslname;
+
 	if (!selected_mechanism)
 	{
 		printfPQExpBuffer(&conn->errorMessage,
diff --git a/src/interfaces/libpq/fe-auth.h b/src/interfaces/libpq/fe-auth.h
index ee3dd7f96c..3c699959e0 100644
--- a/src/interfaces/libpq/fe-auth.h
+++ b/src/interfaces/libpq/fe-auth.h
@@ -24,8 +24,8 @@ extern char *pg_fe_getauthname(PQExpBuffer errorMessage);
 
 /* Prototypes for functions in fe-auth-scram.c */
 extern void *pg_fe_scram_init(const char *username, const char *password,
-					 bool ssl_in_use, char *tls_finish_message,
-					 int tls_finish_len);
+					 bool ssl_in_use, char *saslchannelbinding,
+					 char *tls_finish_message, int tls_finish_len);
 extern void pg_fe_scram_free(void *opaq);
 extern void pg_fe_scram_exchange(void *opaq, char *input, int inputlen,
 					 char **output, int *outputlen,
diff --git a/src/interfaces/libpq/fe-connect.c b/src/interfaces/libpq/fe-connect.c
index d0e97ecdd4..9abbdcd4d7 100644
--- a/src/interfaces/libpq/fe-connect.c
+++ b/src/interfaces/libpq/fe-connect.c
@@ -262,6 +262,15 @@ static const internalPQconninfoOption PQconninfoOptions[] = {
 		"TCP-Keepalives-Count", "", 10, /* strlen(INT32_MAX) == 10 */
 	offsetof(struct pg_conn, keepalives_count)},
 
+	/* Set of options proper to SASL */
+	{"saslname", NULL, NULL, NULL,
+		"SASL-Name", "", 21,	/* maximum name size per IANA == 21 */
+	offsetof(struct pg_conn, saslname)},
+
+	{"saslchannelbinding", NULL, NULL, NULL,
+		"SASL-Channel", "", 22,	/* sizeof("tls-unique-for-telnet") == 22 */
+	offsetof(struct pg_conn, saslchannelbinding)},
+
 	/*
 	 * ssl options are allowed even without client SSL support because the
 	 * client can still handle SSL modes "disable" and "allow". Other
@@ -3470,6 +3479,10 @@ freePGconn(PGconn *conn)
 		free(conn->keepalives_interval);
 	if (conn->keepalives_count)
 		free(conn->keepalives_count);
+	if (conn->saslname)
+		free(conn->saslname);
+	if (conn->saslchannelbinding)
+		free(conn->saslchannelbinding);
 	if (conn->sslmode)
 		free(conn->sslmode);
 	if (conn->sslcert)
diff --git a/src/interfaces/libpq/libpq-int.h b/src/interfaces/libpq/libpq-int.h
index 0eb8b60c95..6d500aa5db 100644
--- a/src/interfaces/libpq/libpq-int.h
+++ b/src/interfaces/libpq/libpq-int.h
@@ -349,6 +349,8 @@ struct pg_conn
 										 * retransmits */
 	char	   *keepalives_count;	/* maximum number of TCP keepalive
 									 * retransmits */
+	char	   *saslname;			/* SASL mechanism name */
+	char	   *saslchannelbinding;	/* channel binding used in SASL */
 	char	   *sslmode;		/* SSL mode (require,prefer,allow,disable) */
 	char	   *sslcompression; /* SSL compression (0 or 1) */
 	char	   *sslkey;			/* client key filename */
diff --git a/src/test/ssl/ServerSetup.pm b/src/test/ssl/ServerSetup.pm
index ad2e036602..b71969ac75 100644
--- a/src/test/ssl/ServerSetup.pm
+++ b/src/test/ssl/ServerSetup.pm
@@ -91,6 +91,9 @@ sub configure_test_server_for_ssl
 {
 	my $node       = $_[0];
 	my $serverhost = $_[1];
+	my $sslmethod  = $_[2];
+	my $passwd     = $_[3];
+	my $passwdhash = $_[4];
 
 	my $pgdata = $node->data_dir;
 
@@ -100,6 +103,15 @@ sub configure_test_server_for_ssl
 	$node->psql('postgres', "CREATE DATABASE trustdb");
 	$node->psql('postgres', "CREATE DATABASE certdb");
 
+	# Update password of each user as needed.
+	if (defined($passwd))
+	{
+		$node->psql('postgres',
+"SET password_encryption='$passwdhash'; ALTER USER ssltestuser PASSWORD '$passwd';");
+		$node->psql('postgres',
+"SET password_encryption='$passwdhash'; ALTER USER anotheruser PASSWORD '$passwd';");
+	}
+
 	# enable logging etc.
 	open my $conf, '>>', "$pgdata/postgresql.conf";
 	print $conf "fsync=off\n";
@@ -129,7 +141,7 @@ sub configure_test_server_for_ssl
 	$node->restart;
 
 	# Change pg_hba after restart because hostssl requires ssl=on
-	configure_hba_for_ssl($node, $serverhost);
+	configure_hba_for_ssl($node, $serverhost, $sslmethod);
 }
 
 # Change the configuration to use given server cert file, and reload
@@ -159,6 +171,7 @@ sub configure_hba_for_ssl
 {
 	my $node       = $_[0];
 	my $serverhost = $_[1];
+	my $sslmethod  = $_[2];
 	my $pgdata     = $node->data_dir;
 
   # Only accept SSL connections from localhost. Our tests don't depend on this
@@ -169,9 +182,9 @@ sub configure_hba_for_ssl
 	print $hba
 "# TYPE  DATABASE        USER            ADDRESS                 METHOD\n";
 	print $hba
-"hostssl trustdb         ssltestuser     $serverhost/32            trust\n";
+"hostssl trustdb         ssltestuser     $serverhost/32          $sslmethod\n";
 	print $hba
-"hostssl trustdb         ssltestuser     ::1/128                 trust\n";
+"hostssl trustdb         ssltestuser     ::1/128                 $sslmethod\n";
 	print $hba
 "hostssl certdb          ssltestuser     $serverhost/32            cert\n";
 	print $hba
diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl
index 890e3051a2..e690c1fa15 100644
--- a/src/test/ssl/t/001_ssltests.pl
+++ b/src/test/ssl/t/001_ssltests.pl
@@ -32,7 +32,7 @@ $node->init;
 $ENV{PGHOST} = $node->host;
 $ENV{PGPORT} = $node->port;
 $node->start;
-configure_test_server_for_ssl($node, $SERVERHOSTADDR);
+configure_test_server_for_ssl($node, $SERVERHOSTADDR, "trust");
 switch_server_cert($node, 'server-cn-only');
 
 ### Part 1. Run client-side tests.
diff --git a/src/test/ssl/t/002_sasl.pl b/src/test/ssl/t/002_sasl.pl
new file mode 100644
index 0000000000..a625f0d473
--- /dev/null
+++ b/src/test/ssl/t/002_sasl.pl
@@ -0,0 +1,52 @@
+use strict;
+use warnings;
+use PostgresNode;
+use TestLib;
+use Test::More tests => 6;
+use ServerSetup;
+use File::Copy;
+
+# test combinations of SASL authentication for SCRAM mechanism:
+# - SCRAM-SHA-256 and SCRAM-SHA-256-PLUS
+# - Channel bindings
+
+# This is the hostname used to connect to the server.
+my $SERVERHOSTADDR = '127.0.0.1';
+
+# Allocation of base connection string shared among multiple tests.
+my $common_connstr;
+
+#### Part 0. Set up the server.
+
+note "setting up data directory";
+my $node = get_new_node('master');
+$node->init;
+
+# PGHOST is enforced here to set up the node, subsequent connections
+# will use a dedicated connection string.
+$ENV{PGHOST} = $node->host;
+$ENV{PGPORT} = $node->port;
+$node->start;
+
+# Configure server for SSL connections, with password handling.
+configure_test_server_for_ssl($node, $SERVERHOSTADDR, "scram-sha-256",
+							  "pass", "scram-sha-256");
+switch_server_cert($node, 'server-cn-only');
+$ENV{PGPASSWORD} = "pass";
+$common_connstr =
+"user=ssltestuser dbname=trustdb sslmode=require hostaddr=$SERVERHOSTADDR";
+
+# Tests with default channel binding and SASL mechanism names.
+# tls-unique is used here
+test_connect_ok($common_connstr, "saslname=SCRAM-SHA-256-PLUS");
+test_connect_fails($common_connstr, "saslname=not-exists");
+# Downgrade attack.
+test_connect_fails($common_connstr, "saslname=SCRAM-SHA-256");
+test_connect_fails($common_connstr,
+		"saslname=SCRAM-SHA-256 saslchannelbinding=tls-unique");
+
+# Channel bindings
+test_connect_ok($common_connstr,
+		"saslname=SCRAM-SHA-256-PLUS saslchannelbinding=tls-unique");
+test_connect_fails($common_connstr,
+		"saslname=SCRAM-SHA-256-PLUS saslchannelbinding=not-exists");
-- 
2.14.1

From 5da12f90e4c4577933f95205d71f62f906694693 Mon Sep 17 00:00:00 2001
From: Michael Paquier <michael@paquier.xyz>
Date: Tue, 20 Jun 2017 12:51:10 +0900
Subject: [PATCH 4/4] Implement channel binding tls-server-end-point for SCRAM

As referenced in RFC 5929, this channel binding is not the default value
and uses a hash of the certificate as binding data. On the frontend, this
can be resumed in getting the data from SSL_get_peer_certificate() and
on the backend SSL_get_certificate().

The hashing algorithm needs also to switch to SHA-256 if the signature
algorithm is MD5 or SHA-1, so let's be careful about that.
---
 doc/src/sgml/protocol.sgml               |  4 +-
 src/backend/libpq/auth-scram.c           | 21 ++++++++--
 src/backend/libpq/auth.c                 | 13 ++++--
 src/backend/libpq/be-secure-openssl.c    | 69 ++++++++++++++++++++++++++++++++
 src/include/libpq/libpq-be.h             |  1 +
 src/include/libpq/scram.h                |  4 +-
 src/interfaces/libpq/fe-auth-scram.c     | 20 ++++++++-
 src/interfaces/libpq/fe-auth.c           | 18 ++++++++-
 src/interfaces/libpq/fe-auth.h           |  3 +-
 src/interfaces/libpq/fe-secure-openssl.c | 66 ++++++++++++++++++++++++++++++
 src/interfaces/libpq/libpq-int.h         |  1 +
 src/test/ssl/t/002_sasl.pl               |  6 ++-
 12 files changed, 210 insertions(+), 16 deletions(-)

diff --git a/doc/src/sgml/protocol.sgml b/doc/src/sgml/protocol.sgml
index 1863c0905c..1eebcbffa7 100644
--- a/doc/src/sgml/protocol.sgml
+++ b/doc/src/sgml/protocol.sgml
@@ -1433,8 +1433,8 @@ the password is in.
   <para>
 <firstterm>Channel binding</> is supported in builds with SSL support, and
 uses as mechanism name <literal>SCRAM-SHA-256-PLUS</> for this purpose as
-defined per IANA. The only channel binding type supported by the server
-is <literal>tls-unique</>.
+defined per IANA. The channel binding types supported by the server
+are <literal>tls-unique</>, the default, and <literal>tls-server-end-point</>.
   </para>
 
 <procedure>
diff --git a/src/backend/libpq/auth-scram.c b/src/backend/libpq/auth-scram.c
index f32cf26a37..8bd5cdace5 100644
--- a/src/backend/libpq/auth-scram.c
+++ b/src/backend/libpq/auth-scram.c
@@ -113,6 +113,8 @@ typedef struct
 	bool		ssl_in_use;
 	char	   *tls_finish_message;
 	int			tls_finish_len;
+	char	   *certificate_hash;
+	int			certificate_hash_len;
 	char	   *channel_binding;
 
 	int			iterations;
@@ -175,7 +177,9 @@ pg_be_scram_init(const char *username,
 				 const char *shadow_pass,
 				 bool ssl_in_use,
 				 char *tls_finish_message,
-				 int tls_finish_len)
+				 int tls_finish_len,
+				 char *certificate_hash,
+				 int certificate_hash_len)
 {
 	scram_state *state;
 	bool		got_verifier;
@@ -186,6 +190,8 @@ pg_be_scram_init(const char *username,
 	state->ssl_in_use = ssl_in_use;
 	state->tls_finish_message = tls_finish_message;
 	state->tls_finish_len = tls_finish_len;
+	state->certificate_hash = certificate_hash;
+	state->certificate_hash_len = certificate_hash_len;
 	state->channel_binding = NULL;
 
 	/*
@@ -847,11 +853,12 @@ read_client_first_message(scram_state *state, char *input)
 							 errmsg("client supports SCRAM channel binding, but server does not need it for non-SSL connections")));
 
 				/*
-				 * Read value provided by client, only tls-unique is supported
-				 * for now.
+				 * Read value provided by client, only tls-unique and
+				 * tls-server-end-point are supported for now.
 				 */
 				channel_name = read_attr_value(&input, 'p');
-				if (strcmp(channel_name, SCRAM_CHANNEL_TLS_UNIQUE) != 0)
+				if (strcmp(channel_name, SCRAM_CHANNEL_TLS_UNIQUE) != 0 &&
+					strcmp(channel_name, SCRAM_CHANNEL_TLS_ENDPOINT) != 0)
 					ereport(ERROR,
 						(errcode(ERRCODE_PROTOCOL_VIOLATION),
 						 (errmsg("unexpected SCRAM channel-binding type"))));
@@ -1120,6 +1127,12 @@ read_client_final_message(scram_state *state, char *input)
 			raw_data = state->tls_finish_message;
 			raw_data_len = state->tls_finish_len;
 		}
+		else if (strcmp(state->channel_binding,
+						SCRAM_CHANNEL_TLS_ENDPOINT) == 0)
+		{
+			raw_data = state->certificate_hash;
+			raw_data_len = state->certificate_hash_len;
+		}
 		else
 		{
 			/* should not happen */
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index ee9bce03a2..bbab65b64b 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -867,6 +867,8 @@ CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail)
 	bool		initial;
 	char	   *tls_finish = NULL;
 	int			tls_finish_len = 0;
+	char	   *certificate_bash = NULL;
+	int			certificate_bash_len = 0;
 
 	/*
 	 * SASL auth is not supported for protocol versions before 3, because it
@@ -918,12 +920,15 @@ CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail)
 
 #ifdef USE_SSL
 	/*
-	 * Fetch the data related to the SSL finish message to be used in the
-	 * exchange.
+	 * Fetch the data related to the SSL finish message and the client
+	 * certificate (if any) to be used in the exchange.
 	 */
 	if (port->ssl_in_use)
 	{
 		tls_finish = be_tls_get_peer_finish(port, &tls_finish_len);
+		certificate_bash =
+			be_tls_get_certificate_hash(port,
+										&certificate_bash_len);
 	}
 #endif
 
@@ -942,7 +947,9 @@ CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail)
 								  shadow_pass,
 								  port->ssl_in_use,
 								  tls_finish,
-								  tls_finish_len);
+								  tls_finish_len,
+								  certificate_bash,
+								  certificate_bash_len);
 
 	/*
 	 * Loop through SASL message exchange.  This exchange can consist of
diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index d063a587d0..cea60c6741 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -1239,6 +1239,75 @@ be_tls_get_peer_finish(Port *port, int *len)
 	return result;
 }
 
+/*
+ * Get the server certificate hash for authentication purposes. Per
+ * RFC 5929 and tls-server-end-point, the TLS server's certificate bytes
+ * need to be hashed with SHA-256 if its signature algorithm is MD5 or
+ * SHA-1. If SHA-256 or something else is used, the same hash as the
+ * signature algorithm is used.
+ * The result is a palloc'd hash of the server certificate with its
+ * size, and NULL if there is nothing certificates available.
+ */
+char *
+be_tls_get_certificate_hash(Port *port, int *len)
+{
+	char	*cert_hash = NULL;
+	X509	*server_cert;
+
+	*len = 0;
+	server_cert = SSL_get_certificate(port->ssl);
+
+	if (server_cert != NULL)
+	{
+		const EVP_MD   *algo_type = NULL;
+		char			hash[EVP_MAX_MD_SIZE];	/* size for SHA-512 */
+		unsigned int	hash_size;
+		int				algo_nid;
+
+		/*
+		 * Get the signature algorithm of the certificate to determine the
+		 * hash algorithm to use for the result.
+		 */
+		if (!OBJ_find_sigid_algs(X509_get_signature_nid(server_cert),
+								 &algo_nid, NULL))
+			elog(ERROR, "could not find signature algorithm");
+
+		switch (algo_nid)
+		{
+			case NID_sha512:
+				algo_type = EVP_sha512();
+				break;
+
+			case NID_sha384:
+				algo_type = EVP_sha384();
+				break;
+
+			/*
+			 * Fallback to SHA-256 for weaker hashes, and keep them listed
+			 * here for reference.
+			 */
+			case NID_md5:
+			case NID_sha1:
+			case NID_sha224:
+			case NID_sha256:
+			default:
+				algo_type = EVP_sha256();
+				break;
+		}
+
+		/* generate and save the certificate hash */
+		if (!X509_digest(server_cert, algo_type, (unsigned char *) hash,
+						 &hash_size))
+			elog(ERROR, "could not generate server certificate hash");
+
+		cert_hash = (char *) palloc(hash_size);
+		memcpy(cert_hash, hash, hash_size);
+		*len = hash_size;
+	}
+
+	return cert_hash;
+}
+
 /*
  * Convert an X509 subject name to a cstring.
  *
diff --git a/src/include/libpq/libpq-be.h b/src/include/libpq/libpq-be.h
index 5d59d79822..0392860a87 100644
--- a/src/include/libpq/libpq-be.h
+++ b/src/include/libpq/libpq-be.h
@@ -210,6 +210,7 @@ extern void be_tls_get_version(Port *port, char *ptr, size_t len);
 extern void be_tls_get_cipher(Port *port, char *ptr, size_t len);
 extern void be_tls_get_peerdn_name(Port *port, char *ptr, size_t len);
 extern char *be_tls_get_peer_finish(Port *port, int *len);
+extern char *be_tls_get_certificate_hash(Port *port, int *len);
 #endif
 
 extern ProtocolVersion FrontendProtocol;
diff --git a/src/include/libpq/scram.h b/src/include/libpq/scram.h
index 91cebe9a9b..55d0568d43 100644
--- a/src/include/libpq/scram.h
+++ b/src/include/libpq/scram.h
@@ -19,6 +19,7 @@
 
 /* Channel binding names */
 #define SCRAM_CHANNEL_TLS_UNIQUE	"tls-unique"
+#define SCRAM_CHANNEL_TLS_ENDPOINT	"tls-server-end-point"
 
 /* Status codes for message exchange */
 #define SASL_EXCHANGE_CONTINUE		0
@@ -28,7 +29,8 @@
 /* Routines dedicated to authentication */
 extern void *pg_be_scram_init(const char *username, const char *shadow_pass,
 					 bool ssl_in_use, char *tls_finish_message,
-					 int tls_finish_len);
+					 int tls_finish_len, char *certificate_hash,
+					 int certificate_hash_len);
 extern int pg_be_scram_exchange(void *opaq, char *input, int inputlen,
 					 char **output, int *outputlen, char **logdetail);
 
diff --git a/src/interfaces/libpq/fe-auth-scram.c b/src/interfaces/libpq/fe-auth-scram.c
index 9be876eac6..d9a403de8a 100644
--- a/src/interfaces/libpq/fe-auth-scram.c
+++ b/src/interfaces/libpq/fe-auth-scram.c
@@ -48,6 +48,8 @@ typedef struct
 	bool		ssl_in_use;
 	char	   *tls_finish_message;
 	int			tls_finish_len;
+	char	   *certificate_hash;
+	int			certificate_hash_len;
 	/* enforceable user parameters */
 	char	   *saslchannelbinding;	/* name of channel binding to use */
 
@@ -92,7 +94,9 @@ pg_fe_scram_init(const char *username,
 				 bool ssl_in_use,
 				 char *saslchannelbinding,
 				 char *tls_finish_message,
-				 int tls_finish_len)
+				 int tls_finish_len,
+				 char *certificate_hash,
+				 int certificate_hash_len)
 {
 	fe_scram_state *state;
 	char	   *prep_password;
@@ -107,6 +111,8 @@ pg_fe_scram_init(const char *username,
 	state->ssl_in_use = ssl_in_use;
 	state->tls_finish_message = tls_finish_message;
 	state->tls_finish_len = tls_finish_len;
+	state->certificate_hash = certificate_hash;
+	state->certificate_hash_len = certificate_hash_len;
 
 	/*
 	 * If user has specified a channel binding to use, enforce the
@@ -150,6 +156,8 @@ pg_fe_scram_free(void *opaq)
 		free(state->password);
 	if (state->tls_finish_message)
 		free(state->tls_finish_message);
+	if (state->certificate_hash)
+		free(state->certificate_hash);
 	if (state->saslchannelbinding)
 		free(state->saslchannelbinding);
 
@@ -423,7 +431,9 @@ build_client_final_message(fe_scram_state *state, PQExpBuffer errormessage)
 	 * Construct client-final-message-without-proof.  We need to remember it
 	 * for verifying the server proof in the final step of authentication.
 	 * Client needs to provide a b64 encoded string of the TLS finish message
-	 * only if a SSL connection is attempted.
+	 * only if a SSL connection is attempted using "tls-unique" as channel
+	 * binding. For "tls-server-end-point", a hash of the client certificate
+	 * is sent instead.
 	 */
 #ifdef USE_SSL
 	if (state->ssl_in_use)
@@ -436,6 +446,12 @@ build_client_final_message(fe_scram_state *state, PQExpBuffer errormessage)
 			raw_data = state->tls_finish_message;
 			raw_data_len = state->tls_finish_len;
 		}
+		else if (strcmp(state->saslchannelbinding,
+						SCRAM_CHANNEL_TLS_ENDPOINT) == 0)
+		{
+			raw_data = state->certificate_hash;
+			raw_data_len = state->certificate_hash_len;
+		}
 		else
 		{
 			/* should not happen */
diff --git a/src/interfaces/libpq/fe-auth.c b/src/interfaces/libpq/fe-auth.c
index 4b26018f65..d72d35670f 100644
--- a/src/interfaces/libpq/fe-auth.c
+++ b/src/interfaces/libpq/fe-auth.c
@@ -539,6 +539,8 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 			char	   *password;
 			char	   *tls_finish = NULL;
 			int			tls_finish_len = 0;
+			char	   *certificate_hash = NULL;
+			int			certificate_hash_len = 0;
 
 			conn->password_needed = true;
 			password = conn->connhost[conn->whichhost].password;
@@ -552,12 +554,21 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 			}
 
 #ifdef USE_SSL
-			/* Fetch information about the TLS finish message */
+			/*
+			 * Fetch information about the TLS finish message and client
+			 * certificate if any.
+			 */
 			if (conn->ssl_in_use)
 			{
 				tls_finish = pgtls_get_finish(conn, &tls_finish_len);
 				if (tls_finish == NULL)
 					goto oom_error;
+
+				certificate_hash =
+					pgtls_get_peer_certificate_hash(conn,
+													&certificate_hash_len);
+				if (certificate_hash == NULL)
+					goto oom_error;
 			}
 #endif
 
@@ -566,7 +577,10 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 												conn->ssl_in_use,
 												conn->saslchannelbinding,
 												tls_finish,
-												tls_finish_len);
+												tls_finish_len,
+												certificate_hash,
+												certificate_hash_len);
+
 			if (!conn->sasl_state)
 				goto oom_error;
 
diff --git a/src/interfaces/libpq/fe-auth.h b/src/interfaces/libpq/fe-auth.h
index 3c699959e0..8db86f8bcc 100644
--- a/src/interfaces/libpq/fe-auth.h
+++ b/src/interfaces/libpq/fe-auth.h
@@ -25,7 +25,8 @@ extern char *pg_fe_getauthname(PQExpBuffer errorMessage);
 /* Prototypes for functions in fe-auth-scram.c */
 extern void *pg_fe_scram_init(const char *username, const char *password,
 					 bool ssl_in_use, char *saslchannelbinding,
-					 char *tls_finish_message, int tls_finish_len);
+					 char *tls_finish_message, int tls_finish_len,
+					 char *certificate_hash, int certificate_hash_len);
 extern void pg_fe_scram_free(void *opaq);
 extern void pg_fe_scram_exchange(void *opaq, char *input, int inputlen,
 					 char **output, int *outputlen,
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 84a6e3c322..00a14289e4 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -418,6 +418,72 @@ pgtls_get_finish(PGconn *conn, int *len)
 	return result;
 }
 
+/*
+ *	Get the hash of the server certificate
+ *
+ * This information is useful for end-point channel binding, where
+ * the client certificate hash is used as a link, per RFC 5929.
+ */
+char *
+pgtls_get_peer_certificate_hash(PGconn *conn, int *len)
+{
+	char	   *cert_hash = NULL;
+
+	*len = 0;
+
+	if (conn->peer)
+	{
+		X509		   *peer_cert = conn->peer;
+		const EVP_MD   *algo_type = NULL;
+		char			hash[EVP_MAX_MD_SIZE];	/* size for SHA-512 */
+		unsigned int	hash_size;
+		int				algo_nid;
+
+		/*
+		 * Get the signature algorithm of the certificate to determine the
+		 * hash algorithm to use for the result.
+		 */
+		if (!OBJ_find_sigid_algs(X509_get_signature_nid(peer_cert),
+								 &algo_nid, NULL))
+			return NULL;
+
+		switch (algo_nid)
+		{
+			case NID_sha512:
+				algo_type = EVP_sha512();
+				break;
+
+			case NID_sha384:
+				algo_type = EVP_sha384();
+				break;
+
+			/*
+			 * Fallback to SHA-256 for weaker hashes, and keep them listed
+			 * here for reference.
+			 */
+			case NID_md5:
+			case NID_sha1:
+			case NID_sha224:
+			case NID_sha256:
+			default:
+				algo_type = EVP_sha256();
+				break;
+		}
+
+		if (!X509_digest(peer_cert, algo_type, (unsigned char *) hash,
+						 &hash_size))
+			return NULL;
+
+		/* save result */
+		cert_hash = (char *) malloc(hash_size);
+		if (cert_hash == NULL)
+			return NULL;
+		memcpy(cert_hash, hash, hash_size);
+		*len = hash_size;
+	}
+
+	return cert_hash;
+}
 
 /* ------------------------------------------------------------ */
 /*						OpenSSL specific code					*/
diff --git a/src/interfaces/libpq/libpq-int.h b/src/interfaces/libpq/libpq-int.h
index 6d500aa5db..f1e2c0bb3c 100644
--- a/src/interfaces/libpq/libpq-int.h
+++ b/src/interfaces/libpq/libpq-int.h
@@ -673,6 +673,7 @@ extern ssize_t pgtls_read(PGconn *conn, void *ptr, size_t len);
 extern bool pgtls_read_pending(PGconn *conn);
 extern ssize_t pgtls_write(PGconn *conn, const void *ptr, size_t len);
 extern char *pgtls_get_finish(PGconn *conn, int *len);
+extern char *pgtls_get_peer_certificate_hash(PGconn *conn, int *len);
 
 /*
  * this is so that we can check if a connection is non-blocking internally
diff --git a/src/test/ssl/t/002_sasl.pl b/src/test/ssl/t/002_sasl.pl
index a625f0d473..a4e6dfac3d 100644
--- a/src/test/ssl/t/002_sasl.pl
+++ b/src/test/ssl/t/002_sasl.pl
@@ -2,7 +2,7 @@ use strict;
 use warnings;
 use PostgresNode;
 use TestLib;
-use Test::More tests => 6;
+use Test::More tests => 8;
 use ServerSetup;
 use File::Copy;
 
@@ -44,9 +44,13 @@ test_connect_fails($common_connstr, "saslname=not-exists");
 test_connect_fails($common_connstr, "saslname=SCRAM-SHA-256");
 test_connect_fails($common_connstr,
 		"saslname=SCRAM-SHA-256 saslchannelbinding=tls-unique");
+test_connect_fails($common_connstr,
+		"saslname=SCRAM-SHA-256 saslchannelbinding=tls-server-end-point");
 
 # Channel bindings
 test_connect_ok($common_connstr,
 		"saslname=SCRAM-SHA-256-PLUS saslchannelbinding=tls-unique");
+test_connect_ok($common_connstr,
+		"saslname=SCRAM-SHA-256-PLUS saslchannelbinding=tls-server-end-point");
 test_connect_fails($common_connstr,
 		"saslname=SCRAM-SHA-256-PLUS saslchannelbinding=not-exists");
-- 
2.14.1

From d64e877ff762dd5cf2c47dbce00576dfa070e1f5 Mon Sep 17 00:00:00 2001
From: Michael Paquier <michael@paquier.xyz>
Date: Fri, 16 Jun 2017 17:00:06 +0900
Subject: [PATCH 1/4] Refactor routine to test connection to SSL server

Move the sub-routines wrappers to check if a connection to a server is
fine or not into the test main module. This is useful for other tests
willing to check connectivity into a server.
---
 src/test/ssl/ServerSetup.pm    |  45 +++++++++++++-
 src/test/ssl/t/001_ssltests.pl | 132 +++++++++++++++++------------------------
 2 files changed, 100 insertions(+), 77 deletions(-)

diff --git a/src/test/ssl/ServerSetup.pm b/src/test/ssl/ServerSetup.pm
index f63c81cfc6..ad2e036602 100644
--- a/src/test/ssl/ServerSetup.pm
+++ b/src/test/ssl/ServerSetup.pm
@@ -26,9 +26,52 @@ use Test::More;
 
 use Exporter 'import';
 our @EXPORT = qw(
-  configure_test_server_for_ssl switch_server_cert
+  configure_test_server_for_ssl
+  run_test_psql
+  switch_server_cert
+  test_connect_fails
+  test_connect_ok
 );
 
+# Define a couple of helper functions to test connecting to the server.
+
+# Attempt connection to server with given connection string.
+sub run_test_psql
+{
+	my $connstr   = $_[0];
+	my $logstring = $_[1];
+
+	my $cmd = [
+		'psql', '-X', '-A', '-t', '-c', "SELECT 'connected with $connstr'",
+		'-d', "$connstr" ];
+
+	my $result = run_log($cmd);
+	return $result;
+}
+
+#
+# The first argument is a base connection string to use for connection.
+# The second argument is a complementary connection string, and it's also
+# printed out as the test case name.
+sub test_connect_ok
+{
+	my $common_connstr = $_[0];
+	my $connstr = $_[1];
+
+	my $result =
+	  run_test_psql("$common_connstr $connstr", "(should succeed)");
+	ok($result, $connstr);
+}
+
+sub test_connect_fails
+{
+	my $common_connstr = $_[0];
+	my $connstr = $_[1];
+
+	my $result = run_test_psql("$common_connstr $connstr", "(should fail)");
+	ok(!$result, "$connstr (should fail)");
+}
+
 # Copy a set of files, taking into account wildcards
 sub copy_files
 {
diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl
index 32df273929..890e3051a2 100644
--- a/src/test/ssl/t/001_ssltests.pl
+++ b/src/test/ssl/t/001_ssltests.pl
@@ -13,44 +13,9 @@ use File::Copy;
 # postgresql-ssl-regression.test.
 my $SERVERHOSTADDR = '127.0.0.1';
 
-# Define a couple of helper functions to test connecting to the server.
-
+# Allocation of base connection string shared among multiple tests.
 my $common_connstr;
 
-sub run_test_psql
-{
-	my $connstr   = $_[0];
-	my $logstring = $_[1];
-
-	my $cmd = [
-		'psql', '-X', '-A', '-t', '-c', "SELECT 'connected with $connstr'",
-		'-d', "$connstr" ];
-
-	my $result = run_log($cmd);
-	return $result;
-}
-
-#
-# The first argument is a (part of a) connection string, and it's also printed
-# out as the test case name. It is appended to $common_connstr global variable,
-# which also contains a libpq connection string.
-sub test_connect_ok
-{
-	my $connstr = $_[0];
-
-	my $result =
-	  run_test_psql("$common_connstr $connstr", "(should succeed)");
-	ok($result, $connstr);
-}
-
-sub test_connect_fails
-{
-	my $connstr = $_[0];
-
-	my $result = run_test_psql("$common_connstr $connstr", "(should fail)");
-	ok(!$result, "$connstr (should fail)");
-}
-
 # The client's private key must not be world-readable, so take a copy
 # of the key stored in the code tree and update its permissions.
 copy("ssl/client.key", "ssl/client_tmp.key");
@@ -83,50 +48,59 @@ $common_connstr =
 
 # The server should not accept non-SSL connections
 note "test that the server doesn't accept non-SSL connections";
-test_connect_fails("sslmode=disable");
+test_connect_fails($common_connstr, "sslmode=disable");
 
 # Try without a root cert. In sslmode=require, this should work. In verify-ca
 # or verify-full mode it should fail
 note "connect without server root cert";
-test_connect_ok("sslrootcert=invalid sslmode=require");
-test_connect_fails("sslrootcert=invalid sslmode=verify-ca");
-test_connect_fails("sslrootcert=invalid sslmode=verify-full");
+test_connect_ok($common_connstr, "sslrootcert=invalid sslmode=require");
+test_connect_fails($common_connstr, "sslrootcert=invalid sslmode=verify-ca");
+test_connect_fails($common_connstr, "sslrootcert=invalid sslmode=verify-full");
 
 # Try with wrong root cert, should fail. (we're using the client CA as the
 # root, but the server's key is signed by the server CA)
 note "connect without wrong server root cert";
-test_connect_fails("sslrootcert=ssl/client_ca.crt sslmode=require");
-test_connect_fails("sslrootcert=ssl/client_ca.crt sslmode=verify-ca");
-test_connect_fails("sslrootcert=ssl/client_ca.crt sslmode=verify-full");
+test_connect_fails($common_connstr,
+	"sslrootcert=ssl/client_ca.crt sslmode=require");
+test_connect_fails($common_connstr,
+	"sslrootcert=ssl/client_ca.crt sslmode=verify-ca");
+test_connect_fails($common_connstr,
+	"sslrootcert=ssl/client_ca.crt sslmode=verify-full");
 
 # Try with just the server CA's cert. This fails because the root file
 # must contain the whole chain up to the root CA.
 note "connect with server CA cert, without root CA";
-test_connect_fails("sslrootcert=ssl/server_ca.crt sslmode=verify-ca");
+test_connect_fails($common_connstr,
+	"sslrootcert=ssl/server_ca.crt sslmode=verify-ca");
 
 # And finally, with the correct root cert.
 note "connect with correct server CA cert file";
-test_connect_ok("sslrootcert=ssl/root+server_ca.crt sslmode=require");
-test_connect_ok("sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca");
-test_connect_ok("sslrootcert=ssl/root+server_ca.crt sslmode=verify-full");
+test_connect_ok($common_connstr,
+	"sslrootcert=ssl/root+server_ca.crt sslmode=require");
+test_connect_ok($common_connstr,
+	"sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca");
+test_connect_ok($common_connstr,
+	"sslrootcert=ssl/root+server_ca.crt sslmode=verify-full");
 
 # Test with cert root file that contains two certificates. The client should
 # be able to pick the right one, regardless of the order in the file.
-test_connect_ok("sslrootcert=ssl/both-cas-1.crt sslmode=verify-ca");
-test_connect_ok("sslrootcert=ssl/both-cas-2.crt sslmode=verify-ca");
+test_connect_ok($common_connstr,
+	"sslrootcert=ssl/both-cas-1.crt sslmode=verify-ca");
+test_connect_ok($common_connstr,
+	"sslrootcert=ssl/both-cas-2.crt sslmode=verify-ca");
 
 note "testing sslcrl option with a non-revoked cert";
 
 # Invalid CRL filename is the same as no CRL, succeeds
-test_connect_ok(
+test_connect_ok($common_connstr,
 	"sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=invalid");
 
 # A CRL belonging to a different CA is not accepted, fails
-test_connect_fails(
+test_connect_fails($common_connstr,
 "sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/client.crl");
 
 # With the correct CRL, succeeds (this cert is not revoked)
-test_connect_ok(
+test_connect_ok($common_connstr,
 "sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/root+server.crl"
 );
 
@@ -136,9 +110,9 @@ note "test mismatch between hostname and server certificate";
 $common_connstr =
 "user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full";
 
-test_connect_ok("sslmode=require host=wronghost.test");
-test_connect_ok("sslmode=verify-ca host=wronghost.test");
-test_connect_fails("sslmode=verify-full host=wronghost.test");
+test_connect_ok($common_connstr, "sslmode=require host=wronghost.test");
+test_connect_ok($common_connstr, "sslmode=verify-ca host=wronghost.test");
+test_connect_fails($common_connstr, "sslmode=verify-full host=wronghost.test");
 
 # Test Subject Alternative Names.
 switch_server_cert($node, 'server-multiple-alt-names');
@@ -147,12 +121,13 @@ note "test hostname matching with X.509 Subject Alternative Names";
 $common_connstr =
 "user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full";
 
-test_connect_ok("host=dns1.alt-name.pg-ssltest.test");
-test_connect_ok("host=dns2.alt-name.pg-ssltest.test");
-test_connect_ok("host=foo.wildcard.pg-ssltest.test");
+test_connect_ok($common_connstr, "host=dns1.alt-name.pg-ssltest.test");
+test_connect_ok($common_connstr, "host=dns2.alt-name.pg-ssltest.test");
+test_connect_ok($common_connstr, "host=foo.wildcard.pg-ssltest.test");
 
-test_connect_fails("host=wronghost.alt-name.pg-ssltest.test");
-test_connect_fails("host=deep.subdomain.wildcard.pg-ssltest.test");
+test_connect_fails($common_connstr, "host=wronghost.alt-name.pg-ssltest.test");
+test_connect_fails($common_connstr,
+	"host=deep.subdomain.wildcard.pg-ssltest.test");
 
 # Test certificate with a single Subject Alternative Name. (this gives a
 # slightly different error message, that's all)
@@ -162,10 +137,11 @@ note "test hostname matching with a single X.509 Subject Alternative Name";
 $common_connstr =
 "user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full";
 
-test_connect_ok("host=single.alt-name.pg-ssltest.test");
+test_connect_ok($common_connstr, "host=single.alt-name.pg-ssltest.test");
 
-test_connect_fails("host=wronghost.alt-name.pg-ssltest.test");
-test_connect_fails("host=deep.subdomain.wildcard.pg-ssltest.test");
+test_connect_fails($common_connstr, "host=wronghost.alt-name.pg-ssltest.test");
+test_connect_fails($common_connstr,
+	"host=deep.subdomain.wildcard.pg-ssltest.test");
 
 # Test server certificate with a CN and SANs. Per RFCs 2818 and 6125, the CN
 # should be ignored when the certificate has both.
@@ -175,9 +151,9 @@ note "test certificate with both a CN and SANs";
 $common_connstr =
 "user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full";
 
-test_connect_ok("host=dns1.alt-name.pg-ssltest.test");
-test_connect_ok("host=dns2.alt-name.pg-ssltest.test");
-test_connect_fails("host=common-name.pg-ssltest.test");
+test_connect_ok($common_connstr, "host=dns1.alt-name.pg-ssltest.test");
+test_connect_ok($common_connstr, "host=dns2.alt-name.pg-ssltest.test");
+test_connect_fails($common_connstr, "host=common-name.pg-ssltest.test");
 
 # Finally, test a server certificate that has no CN or SANs. Of course, that's
 # not a very sensible certificate, but libpq should handle it gracefully.
@@ -185,8 +161,10 @@ switch_server_cert($node, 'server-no-names');
 $common_connstr =
 "user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR";
 
-test_connect_ok("sslmode=verify-ca host=common-name.pg-ssltest.test");
-test_connect_fails("sslmode=verify-full host=common-name.pg-ssltest.test");
+test_connect_ok($common_connstr,
+	"sslmode=verify-ca host=common-name.pg-ssltest.test");
+test_connect_fails($common_connstr,
+	"sslmode=verify-full host=common-name.pg-ssltest.test");
 
 # Test that the CRL works
 note "testing client-side CRL";
@@ -196,8 +174,9 @@ $common_connstr =
 "user=ssltestuser dbname=trustdb sslcert=invalid hostaddr=$SERVERHOSTADDR host=common-name.pg-ssltest.test";
 
 # Without the CRL, succeeds. With it, fails.
-test_connect_ok("sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca");
-test_connect_fails(
+test_connect_ok($common_connstr,
+	"sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca");
+test_connect_fails($common_connstr,
 "sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/root+server.crl"
 );
 
@@ -210,18 +189,18 @@ $common_connstr =
 "sslrootcert=ssl/root+server_ca.crt sslmode=require dbname=certdb hostaddr=$SERVERHOSTADDR";
 
 # no client cert
-test_connect_fails("user=ssltestuser sslcert=invalid");
+test_connect_fails($common_connstr, "user=ssltestuser sslcert=invalid");
 
 # correct client cert
-test_connect_ok(
+test_connect_ok($common_connstr,
 	"user=ssltestuser sslcert=ssl/client.crt sslkey=ssl/client_tmp.key");
 
 # client cert belonging to another user
-test_connect_fails(
+test_connect_fails($common_connstr,
 	"user=anotheruser sslcert=ssl/client.crt sslkey=ssl/client_tmp.key");
 
 # revoked client cert
-test_connect_fails(
+test_connect_fails($common_connstr,
 "user=ssltestuser sslcert=ssl/client-revoked.crt sslkey=ssl/client-revoked.key"
 );
 
@@ -230,8 +209,9 @@ switch_server_cert($node, 'server-cn-only', 'root_ca');
 $common_connstr =
 "user=ssltestuser dbname=certdb sslkey=ssl/client_tmp.key sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR";
 
-test_connect_ok("sslmode=require sslcert=ssl/client+client_ca.crt");
-test_connect_fails("sslmode=require sslcert=ssl/client.crt");
+test_connect_ok($common_connstr,
+	"sslmode=require sslcert=ssl/client+client_ca.crt");
+test_connect_fails($common_connstr, "sslmode=require sslcert=ssl/client.crt");
 
 # clean up
 unlink "ssl/client_tmp.key";
-- 
2.14.1

From 43bbbdf9613c46bf1059b92c844e9bc41837f525 Mon Sep 17 00:00:00 2001
From: Michael Paquier <michael@paquier.xyz>
Date: Tue, 20 Jun 2017 10:18:58 +0900
Subject: [PATCH 2/4] Support channel binding 'tls-unique' in SCRAM

This is the basic feature set using OpenSSL to support the feature.
In order to allow the frontend and the backend to fetch the sent and
expected TLS finish messages, a PG-like API is added to be able to
make the interface pluggable for other SSL implementations.
---
 doc/src/sgml/protocol.sgml               |  24 +++--
 src/backend/libpq/auth-scram.c           | 151 +++++++++++++++++++++++++------
 src/backend/libpq/auth.c                 |  86 +++++++++++++++---
 src/backend/libpq/be-secure-openssl.c    |  24 +++++
 src/include/libpq/libpq-be.h             |   1 +
 src/include/libpq/scram.h                |  10 +-
 src/interfaces/libpq/fe-auth-scram.c     | 105 ++++++++++++++++-----
 src/interfaces/libpq/fe-auth.c           |  43 ++++++++-
 src/interfaces/libpq/fe-auth.h           |   4 +-
 src/interfaces/libpq/fe-secure-openssl.c |  26 ++++++
 src/interfaces/libpq/libpq-int.h         |   5 +-
 11 files changed, 404 insertions(+), 75 deletions(-)

diff --git a/doc/src/sgml/protocol.sgml b/doc/src/sgml/protocol.sgml
index 76d1c13cc4..37ae7276e5 100644
--- a/doc/src/sgml/protocol.sgml
+++ b/doc/src/sgml/protocol.sgml
@@ -1461,10 +1461,11 @@ SELCT 1/0;
 
 <para>
 <firstterm>SASL</> is a framework for authentication in connection-oriented
-protocols. At the moment, <productname>PostgreSQL</> implements only one SASL
-authentication mechanism, SCRAM-SHA-256, but more might be added in the
-future. The below steps illustrate how SASL authentication is performed in
-general, while the next subsection gives more details on SCRAM-SHA-256.
+protocols. At the moment, <productname>PostgreSQL</> implements only two SASL
+authentication mechanisms, SCRAM-SHA-256 and SCRAM-SHA-256-PLUS, but more
+might be added in the future. The below steps illustrate how SASL
+authentication is performed in general, while the next subsection gives
+more details on SCRAM-SHA-256 and SCRAM-SHA-256-PLUS.
 </para>
 
 <procedure>
@@ -1549,7 +1550,10 @@ the password is in.
   </para>
 
   <para>
-<firstterm>Channel binding</> has not been implemented yet.
+<firstterm>Channel binding</> is supported in builds with SSL support, and
+uses as mechanism name <literal>SCRAM-SHA-256-PLUS</> for this purpose as
+defined per IANA. The only channel binding type supported by the server
+is <literal>tls-unique</>.
   </para>
 
 <procedure>
@@ -1558,14 +1562,18 @@ the password is in.
 <para>
   The server sends an AuthenticationSASL message. It includes a list of
   SASL authentication mechanisms that the server can accept.
+  <literal>SCRAM-SHA-256</> and <literal>SCRAM-SHA-256-PLUS</> are the
+  two mechanism names that the server lists in this message. Support for
+  channel binding is not included if the server is built without SSL
+  support and if the connection attempt is done without SSL.
 </para>
 </step>
 <step id="scram-client-first">
 <para>
   The client responds by sending a SASLInitialResponse message, which
-  indicates the chosen mechanism, <literal>SCRAM-SHA-256</>. In the Initial
-  Client response field, the message contains the SCRAM
-  <structname>client-first-message</>.
+  indicates the chosen mechanism, <literal>SCRAM-SHA-256</> or
+  <literal>SCRAM-SHA-256-PLUS</>. In the Initial Client response field,
+  the message contains the SCRAM <structname>client-first-message</>.
 </para>
 </step>
 <step id="scram-server-first">
diff --git a/src/backend/libpq/auth-scram.c b/src/backend/libpq/auth-scram.c
index 9161c885e1..c90fa2981a 100644
--- a/src/backend/libpq/auth-scram.c
+++ b/src/backend/libpq/auth-scram.c
@@ -17,8 +17,6 @@
  *	 by the SASLprep profile, we skip the SASLprep pre-processing and use
  *	 the raw bytes in calculating the hash.
  *
- * - Channel binding is not supported yet.
- *
  *
  * The password stored in pg_authid consists of the iteration count, salt,
  * StoredKey and ServerKey.
@@ -112,6 +110,10 @@ typedef struct
 
 	const char *username;		/* username from startup packet */
 
+	bool		ssl_in_use;
+	char	   *tls_finish_message;
+	int			tls_finish_len;
+
 	int			iterations;
 	char	   *salt;			/* base64-encoded */
 	uint8		StoredKey[SCRAM_KEY_LEN];
@@ -168,7 +170,11 @@ static char *scram_mock_salt(const char *username);
  * it will fail, as if an incorrect password was given.
  */
 void *
-pg_be_scram_init(const char *username, const char *shadow_pass)
+pg_be_scram_init(const char *username,
+				 const char *shadow_pass,
+				 bool ssl_in_use,
+				 char *tls_finish_message,
+				 int tls_finish_len)
 {
 	scram_state *state;
 	bool		got_verifier;
@@ -176,6 +182,9 @@ pg_be_scram_init(const char *username, const char *shadow_pass)
 	state = (scram_state *) palloc0(sizeof(scram_state));
 	state->state = SCRAM_AUTH_INIT;
 	state->username = username;
+	state->ssl_in_use = ssl_in_use;
+	state->tls_finish_message = tls_finish_message;
+	state->tls_finish_len = tls_finish_len;
 
 	/*
 	 * Parse the stored password verifier.
@@ -773,31 +782,93 @@ read_client_first_message(scram_state *state, char *input)
 	 *------
 	 */
 
-	/* read gs2-cbind-flag */
+	/*
+	 * Read gs2-cbind-flag. Server handles its value as described in RFC 5802,
+	 * section 6 dealing with channel binding.
+	 */
 	switch (*input)
 	{
 		case 'n':
-			/* Client does not support channel binding */
+			/*
+			 * Client does not support channel binding, this is authorized
+			 * only in builds not supporting SSL.  If SSL is supported, the
+			 * server cannot support this option either.
+			 */
+#ifdef USE_SSL
+			if (state->ssl_in_use)
+				ereport(ERROR,
+						(errcode(ERRCODE_PROTOCOL_VIOLATION),
+						 errmsg("client does not support SCRAM channel binding, but server needs it for SSL connections")));
+			else
+				ereport(ERROR,
+						(errcode(ERRCODE_PROTOCOL_VIOLATION),
+						 errmsg("client does not support SCRAM channel binding, but server does")));
+#endif
+			input++;
+			if (*input != ',')
+				ereport(ERROR,
+						(errcode(ERRCODE_PROTOCOL_VIOLATION),
+						 errmsg("malformed SCRAM message"),
+						 errdetail("Comma expected, but found character \"%s\".",
+								   sanitize_char(*input))));
 			input++;
 			break;
 		case 'y':
-			/* Client supports channel binding, but we're not doing it today */
+			/*
+			 * Client supports channel binding, but we're not doing it today
+			 * in the context of a non-SSL connection.  Complain though if
+			 * the client is trying to trick the server in not doing channel
+			 * binding with a downgrade attack if a SSL connection is
+			 * attempted.
+			 */
+			if (state->ssl_in_use)
+				ereport(ERROR,
+						(errcode(ERRCODE_PROTOCOL_VIOLATION),
+						 errmsg("client support SCRAM channel binding, but server needs it for SSL connections")));
+			input++;
+			if (*input != ',')
+				ereport(ERROR,
+						(errcode(ERRCODE_PROTOCOL_VIOLATION),
+						 errmsg("malformed SCRAM message"),
+						 errdetail("Comma expected, but found character \"%s\".",
+								   sanitize_char(*input))));
 			input++;
 			break;
 		case 'p':
+			{
+#ifdef USE_SSL
+				char *channel_name;
 
-			/*
-			 * Client requires channel binding.  We don't support it.
-			 *
-			 * RFC 5802 specifies a particular error code,
-			 * e=server-does-support-channel-binding, for this.  But it can
-			 * only be sent in the server-final message, and we don't want to
-			 * go through the motions of the authentication, knowing it will
-			 * fail, just to send that error message.
-			 */
-			ereport(ERROR,
-					(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
-					 errmsg("client requires SCRAM channel binding, but it is not supported")));
+				if (!state->ssl_in_use)
+					ereport(ERROR,
+							(errcode(ERRCODE_PROTOCOL_VIOLATION),
+							 errmsg("client supports SCRAM channel binding, but server does not need it for non-SSL connections")));
+
+				/*
+				 * Read value provided by client, only tls-unique is supported
+				 * for now.
+				 */
+				channel_name = read_attr_value(&input, 'p');
+				if (strcmp(channel_name, SCRAM_CHANNEL_TLS_UNIQUE) != 0)
+					ereport(ERROR,
+						(errcode(ERRCODE_PROTOCOL_VIOLATION),
+						 (errmsg("unexpected SCRAM channel-binding type"))));
+#else
+				/*
+				 * Client requires channel binding.  We don't support it.
+				 *
+				 * RFC 5802 specifies a particular error code,
+				 * e=server-does-support-channel-binding, for this.  But it
+				 * can only be sent in the server-final message, and we don't
+				 * want to go through the motions of the authentication,
+				 * knowing it will fail, just to send that error message.
+				 */
+				ereport(ERROR,
+						(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
+						 errmsg("client requires SCRAM channel binding, but it is not supported")));
+#endif
+			}
+			break;
 		default:
 			ereport(ERROR,
 					(errcode(ERRCODE_PROTOCOL_VIOLATION),
@@ -805,13 +876,6 @@ read_client_first_message(scram_state *state, char *input)
 					 errdetail("Unexpected channel-binding flag \"%s\".",
 							   sanitize_char(*input))));
 	}
-	if (*input != ',')
-		ereport(ERROR,
-				(errcode(ERRCODE_PROTOCOL_VIOLATION),
-				 errmsg("malformed SCRAM message"),
-				 errdetail("Comma expected, but found character \"%s\".",
-						   sanitize_char(*input))));
-	input++;
 
 	/*
 	 * Forbid optional authzid (authorization identity).  We don't support it.
@@ -1032,14 +1096,47 @@ read_client_final_message(scram_state *state, char *input)
 	 */
 
 	/*
-	 * Read channel-binding.  We don't support channel binding, so it's
-	 * expected to always be "biws", which is "n,,", base64-encoded.
+	 * Read channel-binding.  We don't support channel binding for builds
+	 * without SSL support, so it's expected to always be "biws" in this case,
+	 * which is "n,,", base64-encoded.  In builds supporting SSL, "biws" is
+	 * used for Non-SSL connection attempts, and for SSL connections the
+	 * client has to provide channel binding value.
 	 */
 	channel_binding = read_attr_value(&p, 'c');
+#ifdef USE_SSL
+	if (state->ssl_in_use)
+	{
+		char	   *enc_tls_message;
+		int			enc_tls_len;
+
+		enc_tls_message = palloc(pg_b64_enc_len(state->tls_finish_len) + 1);
+		enc_tls_len = pg_b64_encode(state->tls_finish_message,
+									state->tls_finish_len,
+									enc_tls_message);
+		enc_tls_message[enc_tls_len] = '\0';
+
+		/*
+		 * Compare the value sent by the client with the TLS finish message
+		 * expected by the server.
+		 */
+		if (strcmp(channel_binding, enc_tls_message) != 0)
+			ereport(ERROR,
+					(errcode(ERRCODE_PROTOCOL_VIOLATION),
+					 (errmsg("no match for SCRAM channel-binding attribute in client-final-message"))));
+	}
+	else
+	{
+		if (strcmp(channel_binding, "biws") != 0)
+			ereport(ERROR,
+					(errcode(ERRCODE_PROTOCOL_VIOLATION),
+					 (errmsg("unexpected SCRAM channel-binding attribute in client-final-message"))));
+	}
+#else
 	if (strcmp(channel_binding, "biws") != 0)
 		ereport(ERROR,
 				(errcode(ERRCODE_PROTOCOL_VIOLATION),
 				 (errmsg("unexpected SCRAM channel-binding attribute in client-final-message"))));
+#endif
 	state->client_final_nonce = read_attr_value(&p, 'r');
 
 	/* ignore optional extensions */
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index cb30fc7b71..ee9bce03a2 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -859,10 +859,14 @@ CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail)
 	void	   *scram_opaq;
 	char	   *output = NULL;
 	int			outputlen = 0;
-	char	   *input;
+	char	   *input, *p;
+	char	   *sasl_mechs;
 	int			inputlen;
+	int			listlen = 0;
 	int			result;
 	bool		initial;
+	char	   *tls_finish = NULL;
+	int			tls_finish_len = 0;
 
 	/*
 	 * SASL auth is not supported for protocol versions before 3, because it
@@ -879,12 +883,49 @@ CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail)
 
 	/*
 	 * Send the SASL authentication request to user.  It includes the list of
-	 * authentication mechanisms (which is trivial, because we only support
-	 * SCRAM-SHA-256 at the moment).  The extra "\0" is for an empty string to
-	 * terminate the list.
+	 * authentication mechanisms that are supported:
+	 * - SCRAM-SHA-256, which is the mechanism with the same name.
+	 * - SCRAM-SHA-256-PLUS, which is SCRAM-SHA-256 with channel binding. This
+	 * is advertised to the client only if connection is attempted with SSL.
+	 * The order of mechanisms is advertised in decreasing order of importance.
+	 * The extra "\0" is for an empty string to terminate the list, and each
+	 * mechanism listed needs to be separated with "\0".
 	 */
-	sendAuthRequest(port, AUTH_REQ_SASL, SCRAM_SHA256_NAME "\0",
-					strlen(SCRAM_SHA256_NAME) + 2);
+	listlen = 0;
+	sasl_mechs = (char *) palloc(strlen(SCRAM_SHA256_PLUS_NAME) +
+								 strlen(SCRAM_SHA256_NAME) + 3);
+	p = sasl_mechs;
+
+	/* add SCRAM-SHA-256-PLUS, which depends on if SSL is in use */
+	if (port->ssl_in_use)
+	{
+		strcpy(p, SCRAM_SHA256_PLUS_NAME);
+		listlen += strlen(SCRAM_SHA256_PLUS_NAME) + 1;
+		p += strlen(SCRAM_SHA256_PLUS_NAME) + 1;
+	}
+
+	/* add generic SCRAM-SHA-256 */
+	strcpy(p, SCRAM_SHA256_NAME);
+	listlen += strlen(SCRAM_SHA256_NAME) + 1;
+	p += strlen(SCRAM_SHA256_NAME) + 1;
+
+	/* put "\0" to mark that list is finished */
+	p[0] = '\0';
+	listlen++;
+
+	sendAuthRequest(port, AUTH_REQ_SASL, sasl_mechs, listlen);
+	pfree(sasl_mechs);
+
+#ifdef USE_SSL
+	/*
+	 * Fetch the data related to the SSL finish message to be used in the
+	 * exchange.
+	 */
+	if (port->ssl_in_use)
+	{
+		tls_finish = be_tls_get_peer_finish(port, &tls_finish_len);
+	}
+#endif
 
 	/*
 	 * Initialize the status tracker for message exchanges.
@@ -897,7 +938,11 @@ CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail)
 	 * This is because we don't want to reveal to an attacker what usernames
 	 * are valid, nor which users have a valid password.
 	 */
-	scram_opaq = pg_be_scram_init(port->user_name, shadow_pass);
+	scram_opaq = pg_be_scram_init(port->user_name,
+								  shadow_pass,
+								  port->ssl_in_use,
+								  tls_finish,
+								  tls_finish_len);
 
 	/*
 	 * Loop through SASL message exchange.  This exchange can consist of
@@ -946,17 +991,36 @@ CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail)
 			const char *selected_mech;
 
 			/*
-			 * We only support SCRAM-SHA-256 at the moment, so anything else
-			 * is an error.
+			 * We only support SCRAM-SHA-256 and SCRAM-SHA-256-PLUS at the
+			 * moment, so anything else is an error.
 			 */
 			selected_mech = pq_getmsgrawstring(&buf);
-			if (strcmp(selected_mech, SCRAM_SHA256_NAME) != 0)
+			if (strcmp(selected_mech, SCRAM_SHA256_NAME) != 0 &&
+				strcmp(selected_mech, SCRAM_SHA256_PLUS_NAME) != 0)
 			{
 				ereport(ERROR,
 						(errcode(ERRCODE_PROTOCOL_VIOLATION),
-						 errmsg("client selected an invalid SASL authentication mechanism")));
+						 errmsg("client selected an invalid SASL authentication mechanism"),
+						 errdetail("Incorrect SASL mechanism name specified")));
 			}
 
+#ifdef USE_SSL
+			/*
+			 * If an SSL connection is attempted, check for downgrade attacks.
+			 * A connection is not allowed to specify SCRAM-SHA-256 if its
+			 * -PLUS version has been submitted back to the client, which is
+			 * the default.
+			 */
+			if (port->ssl_in_use &&
+				strcmp(selected_mech, SCRAM_SHA256_NAME) == 0)
+			{
+				ereport(ERROR,
+						(errcode(ERRCODE_PROTOCOL_VIOLATION),
+						 errmsg("client selected invalid SASL authentication mechanism"),
+						 errdetail("Channel binding published to client but not selected.")));
+			}
+#endif
+
 			inputlen = pq_getmsgint(&buf, 4);
 			if (inputlen == -1)
 				input = NULL;
diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index fe15227a77..d063a587d0 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -1215,6 +1215,30 @@ be_tls_get_peerdn_name(Port *port, char *ptr, size_t len)
 		ptr[0] = '\0';
 }
 
+/*
+ * Routine to get the expected TLS finish message information from the
+ * client, useful for authorization when doing channel binding.
+ *
+ * Result is a palloc'd copy of the TLS finish message with its size.
+ */
+char *
+be_tls_get_peer_finish(Port *port, int *len)
+{
+	char		dummy[1];
+	char	   *result;
+
+	/*
+	 * OpenSSL does not offer an API to get directly the length of the
+	 * expected TLS finish message, so just do a dummy call to grab this
+	 * information to allow caller to do an allocation with a correct size.
+	 */
+	*len = SSL_get_peer_finished(port->ssl, dummy, sizeof(dummy));
+	result = (char *) palloc(*len * sizeof(char));
+	(void) SSL_get_peer_finished(port->ssl, result, *len);
+
+	return result;
+}
+
 /*
  * Convert an X509 subject name to a cstring.
  *
diff --git a/src/include/libpq/libpq-be.h b/src/include/libpq/libpq-be.h
index 7bde744d51..5d59d79822 100644
--- a/src/include/libpq/libpq-be.h
+++ b/src/include/libpq/libpq-be.h
@@ -209,6 +209,7 @@ extern bool be_tls_get_compression(Port *port);
 extern void be_tls_get_version(Port *port, char *ptr, size_t len);
 extern void be_tls_get_cipher(Port *port, char *ptr, size_t len);
 extern void be_tls_get_peerdn_name(Port *port, char *ptr, size_t len);
+extern char *be_tls_get_peer_finish(Port *port, int *len);
 #endif
 
 extern ProtocolVersion FrontendProtocol;
diff --git a/src/include/libpq/scram.h b/src/include/libpq/scram.h
index 0166e1945d..91cebe9a9b 100644
--- a/src/include/libpq/scram.h
+++ b/src/include/libpq/scram.h
@@ -13,8 +13,12 @@
 #ifndef PG_SCRAM_H
 #define PG_SCRAM_H
 
-/* Name of SCRAM-SHA-256 per IANA */
+/* Name of SCRAM mechanisms per IANA */
 #define SCRAM_SHA256_NAME "SCRAM-SHA-256"
+#define SCRAM_SHA256_PLUS_NAME "SCRAM-SHA-256-PLUS"	/* with channel binding */
+
+/* Channel binding names */
+#define SCRAM_CHANNEL_TLS_UNIQUE	"tls-unique"
 
 /* Status codes for message exchange */
 #define SASL_EXCHANGE_CONTINUE		0
@@ -22,7 +26,9 @@
 #define SASL_EXCHANGE_FAILURE		2
 
 /* Routines dedicated to authentication */
-extern void *pg_be_scram_init(const char *username, const char *shadow_pass);
+extern void *pg_be_scram_init(const char *username, const char *shadow_pass,
+					 bool ssl_in_use, char *tls_finish_message,
+					 int tls_finish_len);
 extern int pg_be_scram_exchange(void *opaq, char *input, int inputlen,
 					 char **output, int *outputlen, char **logdetail);
 
diff --git a/src/interfaces/libpq/fe-auth-scram.c b/src/interfaces/libpq/fe-auth-scram.c
index edfd42df85..e37a0cce27 100644
--- a/src/interfaces/libpq/fe-auth-scram.c
+++ b/src/interfaces/libpq/fe-auth-scram.c
@@ -17,6 +17,7 @@
 #include "common/base64.h"
 #include "common/saslprep.h"
 #include "common/scram-common.h"
+#include "libpq/scram.h"
 #include "fe-auth.h"
 
 /* These are needed for getpid(), in the fallback implementation */
@@ -44,6 +45,9 @@ typedef struct
 	/* These are supplied by the user */
 	const char *username;
 	char	   *password;
+	bool		ssl_in_use;
+	char	   *tls_finish_message;
+	int			tls_finish_len;
 
 	/* We construct these */
 	uint8		SaltedPassword[SCRAM_KEY_LEN];
@@ -81,7 +85,11 @@ static bool pg_frontend_random(char *dst, int len);
  * Initialize SCRAM exchange status.
  */
 void *
-pg_fe_scram_init(const char *username, const char *password)
+pg_fe_scram_init(const char *username,
+				 const char *password,
+				 bool ssl_in_use,
+				 char *tls_finish_message,
+				 int tls_finish_len)
 {
 	fe_scram_state *state;
 	char	   *prep_password;
@@ -93,6 +101,9 @@ pg_fe_scram_init(const char *username, const char *password)
 	memset(state, 0, sizeof(fe_scram_state));
 	state->state = FE_SCRAM_INIT;
 	state->username = username;
+	state->ssl_in_use = ssl_in_use;
+	state->tls_finish_message = tls_finish_message;
+	state->tls_finish_len = tls_finish_len;
 
 	/* Normalize the password with SASLprep, if possible */
 	rc = pg_saslprep(password, &prep_password);
@@ -297,9 +308,10 @@ static char *
 build_client_first_message(fe_scram_state *state, PQExpBuffer errormessage)
 {
 	char		raw_nonce[SCRAM_RAW_NONCE_LEN + 1];
-	char	   *buf;
-	char		buflen;
+	char	   *result;
+	int			channel_info_len;
 	int			encoded_len;
+	PQExpBufferData buf;
 
 	/*
 	 * Generate a "raw" nonce.  This is converted to ASCII-printable form by
@@ -328,26 +340,55 @@ build_client_first_message(fe_scram_state *state, PQExpBuffer errormessage)
 	 * prepared with SASLprep, the message parsing would fail if it includes
 	 * '=' or ',' characters.
 	 */
-	buflen = 8 + strlen(state->client_nonce) + 1;
-	buf = malloc(buflen);
-	if (buf == NULL)
-	{
-		printfPQExpBuffer(errormessage,
-						  libpq_gettext("out of memory\n"));
-		return NULL;
-	}
-	snprintf(buf, buflen, "n,,n=,r=%s", state->client_nonce);
+	initPQExpBuffer(&buf);
 
-	state->client_first_message_bare = strdup(buf + 3);
+	/*
+	 * First build the query field for channel binding. If the client is not
+	 * built with SSL support, it cannot support channel binding so it needs
+	 * to use "n" to let the server know. If built with SSL support, client
+	 * needs to use "y" to let the server know that client has such support
+	 * but that it is not using it as a non-SSL connection is requested.
+	 * Finally if a SSL connection is done, use p=cb-name, for which only
+	 * "tls-unique" is supported now.
+	 */
+#ifdef USE_SSL
+	if (state->ssl_in_use)
+		appendPQExpBuffer(&buf, "p=%s", SCRAM_CHANNEL_TLS_UNIQUE);
+	else
+		appendPQExpBuffer(&buf, "y");
+#else
+	appendPQExpBuffer(&buf, "n");
+#endif
+
+	if (PQExpBufferDataBroken(buf))
+		goto oom_error;
+
+	channel_info_len = buf.len;
+
+	appendPQExpBuffer(&buf, ",,n=,r=%s", state->client_nonce);
+	if (PQExpBufferDataBroken(buf))
+		goto oom_error;
+
+	/*
+	 * The first message content needs to be saved without channel binding
+	 * information.
+	 */
+	state->client_first_message_bare = strdup(buf.data + channel_info_len + 2);
 	if (!state->client_first_message_bare)
-	{
-		free(buf);
-		printfPQExpBuffer(errormessage,
-						  libpq_gettext("out of memory\n"));
-		return NULL;
-	}
+		goto oom_error;
 
-	return buf;
+	result = strdup(buf.data);
+	if (result == NULL)
+		goto oom_error;
+
+	termPQExpBuffer(&buf);
+	return result;
+
+oom_error:
+	termPQExpBuffer(&buf);
+	printfPQExpBuffer(errormessage,
+					  libpq_gettext("out of memory\n"));
+	return NULL;
 }
 
 /*
@@ -365,8 +406,30 @@ build_client_final_message(fe_scram_state *state, PQExpBuffer errormessage)
 	/*
 	 * Construct client-final-message-without-proof.  We need to remember it
 	 * for verifying the server proof in the final step of authentication.
+	 * Client needs to provide a b64 encoded string of the TLS finish message
+	 * only if a SSL connection is attempted.
 	 */
-	appendPQExpBuffer(&buf, "c=biws,r=%s", state->nonce);
+#ifdef USE_SSL
+	if (state->ssl_in_use)
+	{
+		appendPQExpBuffer(&buf, "c=");
+		if (!enlargePQExpBuffer(&buf, pg_b64_enc_len(state->tls_finish_len)))
+			goto oom_error;
+		buf.len += pg_b64_encode(state->tls_finish_message,
+								 state->tls_finish_len,
+								 buf.data + buf.len);
+		buf.data[buf.len] = '\0';
+	}
+	else
+		appendPQExpBuffer(&buf, "c=biws");
+#else
+	appendPQExpBuffer(&buf, "c=biws");
+#endif
+
+	if (PQExpBufferDataBroken(buf))
+		goto oom_error;
+
+	appendPQExpBuffer(&buf, ",r=%s", state->nonce);
 	if (PQExpBufferDataBroken(buf))
 		goto oom_error;
 
diff --git a/src/interfaces/libpq/fe-auth.c b/src/interfaces/libpq/fe-auth.c
index 382558f3f8..05f04be10a 100644
--- a/src/interfaces/libpq/fe-auth.c
+++ b/src/interfaces/libpq/fe-auth.c
@@ -504,7 +504,8 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 	/*
 	 * Parse the list of SASL authentication mechanisms in the
 	 * AuthenticationSASL message, and select the best mechanism that we
-	 * support.  (Only SCRAM-SHA-256 is supported at the moment.)
+	 * support.  SCRAM-SHA-256 and SCRAM-SHA-256-PLUS are the only ones
+	 * supported at the moment.
 	 */
 	selected_mechanism = NULL;
 	for (;;)
@@ -532,9 +533,12 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 		/*
 		 * Do we support this mechanism?
 		 */
-		if (strcmp(mechanism_buf.data, SCRAM_SHA256_NAME) == 0)
+		if (strcmp(mechanism_buf.data, SCRAM_SHA256_NAME) == 0 ||
+			strcmp(mechanism_buf.data, SCRAM_SHA256_PLUS_NAME) == 0)
 		{
 			char	   *password;
+			char	   *tls_finish = NULL;
+			int			tls_finish_len = 0;
 
 			conn->password_needed = true;
 			password = conn->connhost[conn->whichhost].password;
@@ -547,10 +551,41 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 				goto error;
 			}
 
-			conn->sasl_state = pg_fe_scram_init(conn->pguser, password);
+#ifdef USE_SSL
+			/* Fetch information about the TLS finish message */
+			if (conn->ssl_in_use)
+			{
+				tls_finish = pgtls_get_finish(conn, &tls_finish_len);
+				if (tls_finish == NULL)
+					goto oom_error;
+			}
+#endif
+
+			conn->sasl_state = pg_fe_scram_init(conn->pguser,
+												password,
+												conn->ssl_in_use,
+												tls_finish,
+												tls_finish_len);
 			if (!conn->sasl_state)
 				goto oom_error;
-			selected_mechanism = SCRAM_SHA256_NAME;
+
+			/*
+			 * Select the mechanism to use by default. If SSL connection
+			 * is attempted, the server will expect the -PLUS mechanism.
+			 * If not, fallback to SCRAM-SHA-256.
+			 */
+#ifdef USE_SSL
+			if (conn->ssl_in_use &&
+				strcmp(mechanism_buf.data, SCRAM_SHA256_PLUS_NAME) == 0)
+				selected_mechanism = SCRAM_SHA256_PLUS_NAME;
+			else if (!conn->ssl_in_use &&
+					 strcmp(mechanism_buf.data, SCRAM_SHA256_NAME) == 0)
+				selected_mechanism = SCRAM_SHA256_NAME;
+#else
+			/* No channel binding can be selected without SSL support */
+			if (strcmp(mechanism_buf.data, SCRAM_SHA256_NAME) == 0)
+				selected_mechanism = SCRAM_SHA256_NAME;
+#endif
 		}
 	}
 
diff --git a/src/interfaces/libpq/fe-auth.h b/src/interfaces/libpq/fe-auth.h
index 5dc6bb5341..ee3dd7f96c 100644
--- a/src/interfaces/libpq/fe-auth.h
+++ b/src/interfaces/libpq/fe-auth.h
@@ -23,7 +23,9 @@ extern int	pg_fe_sendauth(AuthRequest areq, int payloadlen, PGconn *conn);
 extern char *pg_fe_getauthname(PQExpBuffer errorMessage);
 
 /* Prototypes for functions in fe-auth-scram.c */
-extern void *pg_fe_scram_init(const char *username, const char *password);
+extern void *pg_fe_scram_init(const char *username, const char *password,
+					 bool ssl_in_use, char *tls_finish_message,
+					 int tls_finish_len);
 extern void pg_fe_scram_free(void *opaq);
 extern void pg_fe_scram_exchange(void *opaq, char *input, int inputlen,
 					 char **output, int *outputlen,
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 2f29820e82..84a6e3c322 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -393,6 +393,32 @@ pgtls_write(PGconn *conn, const void *ptr, size_t len)
 	return n;
 }
 
+/*
+ *	Get the TLS finish message sent during last handshake
+ *
+ * This information is useful for callers doing channel binding during
+ * authentication.
+ */
+char *
+pgtls_get_finish(PGconn *conn, int *len)
+{
+	char		dummy[1];
+	char	   *result;
+
+	/*
+	 * OpenSSL does not offer an API to get directly the length of the
+	 * TLS finish message sent, so first do a dummy call to grab this
+	 * information and then do an allocation with the correct size.
+	 */
+	*len = SSL_get_finished(conn->ssl, dummy, sizeof(dummy));
+	result = malloc(*len);
+	if (result == NULL)
+		return NULL;
+	(void) SSL_get_finished(conn->ssl, result, *len);
+	return result;
+}
+
+
 /* ------------------------------------------------------------ */
 /*						OpenSSL specific code					*/
 /* ------------------------------------------------------------ */
diff --git a/src/interfaces/libpq/libpq-int.h b/src/interfaces/libpq/libpq-int.h
index 42913604e3..0eb8b60c95 100644
--- a/src/interfaces/libpq/libpq-int.h
+++ b/src/interfaces/libpq/libpq-int.h
@@ -453,11 +453,13 @@ struct pg_conn
 	/* Assorted state for SASL, SSL, GSS, etc */
 	void	   *sasl_state;
 
+	/* SSL structures */
+	bool		ssl_in_use;
+
 #ifdef USE_SSL
 	bool		allow_ssl_try;	/* Allowed to try SSL negotiation */
 	bool		wait_ssl_try;	/* Delay SSL negotiation until after
 								 * attempting normal connection */
-	bool		ssl_in_use;
 #ifdef USE_OPENSSL
 	SSL		   *ssl;			/* SSL status, if have SSL connection */
 	X509	   *peer;			/* X509 cert of server */
@@ -668,6 +670,7 @@ extern void pgtls_close(PGconn *conn);
 extern ssize_t pgtls_read(PGconn *conn, void *ptr, size_t len);
 extern bool pgtls_read_pending(PGconn *conn);
 extern ssize_t pgtls_write(PGconn *conn, const void *ptr, size_t len);
+extern char *pgtls_get_finish(PGconn *conn, int *len);
 
 /*
  * this is so that we can check if a connection is non-blocking internally
-- 
2.14.1

From 2d8148c3cf62e0e155553fb65efaf5b4c508f8f9 Mon Sep 17 00:00:00 2001
From: Michael Paquier <michael@paquier.xyz>
Date: Tue, 20 Jun 2017 11:41:10 +0900
Subject: [PATCH 3/4] Add connection parameters "saslname" and
 "saslchannelbinding"

Those parameters can be used to respectively enforce the value of the
SASL mechanism name and the channel binding name sent to server during
a SASL message exchange.

A set of tests dedicated to SASL and channel binding is added as well
to the SSL test suite, which is handy to check the validity of a patch.
---
 doc/src/sgml/libpq.sgml              | 24 ++++++++++++++++
 src/backend/libpq/auth-scram.c       | 41 +++++++++++++++++++++-------
 src/interfaces/libpq/fe-auth-scram.c | 53 ++++++++++++++++++++++++++++++++----
 src/interfaces/libpq/fe-auth.c       |  8 ++++++
 src/interfaces/libpq/fe-auth.h       |  4 +--
 src/interfaces/libpq/fe-connect.c    | 13 +++++++++
 src/interfaces/libpq/libpq-int.h     |  2 ++
 src/test/ssl/ServerSetup.pm          | 19 +++++++++++--
 src/test/ssl/t/001_ssltests.pl       |  2 +-
 src/test/ssl/t/002_sasl.pl           | 52 +++++++++++++++++++++++++++++++++++
 10 files changed, 197 insertions(+), 21 deletions(-)
 create mode 100644 src/test/ssl/t/002_sasl.pl

diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml
index 096a8be605..cfcf6ee7c2 100644
--- a/doc/src/sgml/libpq.sgml
+++ b/doc/src/sgml/libpq.sgml
@@ -1220,6 +1220,30 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname
       </listitem>
      </varlistentry>
 
+     <varlistentry id="libpq-saslname" xreflabel="saslname">
+      <term><literal>saslname</literal></term>
+      <listitem>
+       <para>
+        Controls the name of the SASL mechanism name sent to server when doing
+        a message exchange for a SASL authentication. The list of SASL
+        mechanisms supported by server are listed in
+        <xref linkend="sasl-authentication">.
+       </para>
+      </listitem>
+     </varlistentry>
+
+     <varlistentry id="libpq-saslchannelbinding" xreflabel="saslchannelbinding">
+      <term><literal>saslchannelbinding</literal></term>
+      <listitem>
+       <para>
+        Controls the name of the channel binding name sent to server when doing
+        a message exchange for a SASL authentication. The list of channel
+        binding names supported by server are listed in
+        <xref linkend="sasl-authentication">.
+       </para>
+      </listitem>
+     </varlistentry>
+     
      <varlistentry id="libpq-connect-sslmode" xreflabel="sslmode">
       <term><literal>sslmode</literal></term>
       <listitem>
diff --git a/src/backend/libpq/auth-scram.c b/src/backend/libpq/auth-scram.c
index c90fa2981a..d5371a2708 100644
--- a/src/backend/libpq/auth-scram.c
+++ b/src/backend/libpq/auth-scram.c
@@ -113,6 +113,7 @@ typedef struct
 	bool		ssl_in_use;
 	char	   *tls_finish_message;
 	int			tls_finish_len;
+	char	   *channel_binding;
 
 	int			iterations;
 	char	   *salt;			/* base64-encoded */
@@ -185,6 +186,7 @@ pg_be_scram_init(const char *username,
 	state->ssl_in_use = ssl_in_use;
 	state->tls_finish_message = tls_finish_message;
 	state->tls_finish_len = tls_finish_len;
+	state->channel_binding = NULL;
 
 	/*
 	 * Parse the stored password verifier.
@@ -853,6 +855,9 @@ read_client_first_message(scram_state *state, char *input)
 					ereport(ERROR,
 						(errcode(ERRCODE_PROTOCOL_VIOLATION),
 						 (errmsg("unexpected SCRAM channel-binding type"))));
+
+				/* Save the name for handling of subsequent messages */
+				state->channel_binding = pstrdup(channel_name);
 #else
 				/*
 				 * Client requires channel binding.  We don't support it.
@@ -1106,20 +1111,36 @@ read_client_final_message(scram_state *state, char *input)
 #ifdef USE_SSL
 	if (state->ssl_in_use)
 	{
-		char	   *enc_tls_message;
-		int			enc_tls_len;
+		char	   *b64_message, *raw_data;
+		int			b64_message_len, raw_data_len;
+
+		/* Fetch data for each channel binding type */
+		if (strcmp(state->channel_binding, SCRAM_CHANNEL_TLS_UNIQUE) == 0)
+		{
+			raw_data = state->tls_finish_message;
+			raw_data_len = state->tls_finish_len;
+		}
+		else
+		{
+			/* should not happen */
+			elog(ERROR, "invalid channel binding type");
+		}
+
+		/* should not happen, but better safe than sorry */
+		if (raw_data == NULL)
+			elog(ERROR, "empty binding data for channel name \"%s\"",
+				 state->channel_binding);
 
-		enc_tls_message = palloc(pg_b64_enc_len(state->tls_finish_len) + 1);
-		enc_tls_len = pg_b64_encode(state->tls_finish_message,
-									state->tls_finish_len,
-									enc_tls_message);
-		enc_tls_message[enc_tls_len] = '\0';
+		b64_message = palloc(pg_b64_enc_len(raw_data_len) + 1);
+		b64_message_len = pg_b64_encode(raw_data, raw_data_len,
+										b64_message);
+		b64_message[b64_message_len] = '\0';
 
 		/*
-		 * Compare the value sent by the client with the TLS finish message
-		 * expected by the server.
+		 * Compare the value sent by the client with the value expected by
+		 * the server.
 		 */
-		if (strcmp(channel_binding, enc_tls_message) != 0)
+		if (strcmp(channel_binding, b64_message) != 0)
 			ereport(ERROR,
 					(errcode(ERRCODE_PROTOCOL_VIOLATION),
 					 (errmsg("no match for SCRAM channel-binding attribute in client-final-message"))));
diff --git a/src/interfaces/libpq/fe-auth-scram.c b/src/interfaces/libpq/fe-auth-scram.c
index e37a0cce27..5b8522391d 100644
--- a/src/interfaces/libpq/fe-auth-scram.c
+++ b/src/interfaces/libpq/fe-auth-scram.c
@@ -48,6 +48,8 @@ typedef struct
 	bool		ssl_in_use;
 	char	   *tls_finish_message;
 	int			tls_finish_len;
+	/* enforceable user parameters */
+	char	   *saslchannelbinding;	/* name of channel binding to use */
 
 	/* We construct these */
 	uint8		SaltedPassword[SCRAM_KEY_LEN];
@@ -88,6 +90,7 @@ void *
 pg_fe_scram_init(const char *username,
 				 const char *password,
 				 bool ssl_in_use,
+				 char *saslchannelbinding,
 				 char *tls_finish_message,
 				 int tls_finish_len)
 {
@@ -105,6 +108,15 @@ pg_fe_scram_init(const char *username,
 	state->tls_finish_message = tls_finish_message;
 	state->tls_finish_len = tls_finish_len;
 
+	/*
+	 * If user has specified a channel binding to use, enforce the
+	 * channel binding sent to it.  The default is "tls-unique".
+	 */
+	if (saslchannelbinding && strlen(saslchannelbinding) > 0)
+		state->saslchannelbinding = strdup(saslchannelbinding);
+	else
+		state->saslchannelbinding = strdup(SCRAM_CHANNEL_TLS_UNIQUE);
+
 	/* Normalize the password with SASLprep, if possible */
 	rc = pg_saslprep(password, &prep_password);
 	if (rc == SASLPREP_OOM)
@@ -136,6 +148,10 @@ pg_fe_scram_free(void *opaq)
 
 	if (state->password)
 		free(state->password);
+	if (state->tls_finish_message)
+		free(state->tls_finish_message);
+	if (state->saslchannelbinding)
+		free(state->saslchannelbinding);
 
 	/* client messages */
 	if (state->client_nonce)
@@ -353,7 +369,7 @@ build_client_first_message(fe_scram_state *state, PQExpBuffer errormessage)
 	 */
 #ifdef USE_SSL
 	if (state->ssl_in_use)
-		appendPQExpBuffer(&buf, "p=%s", SCRAM_CHANNEL_TLS_UNIQUE);
+		appendPQExpBuffer(&buf, "p=%s", state->saslchannelbinding);
 	else
 		appendPQExpBuffer(&buf, "y");
 #else
@@ -412,12 +428,39 @@ build_client_final_message(fe_scram_state *state, PQExpBuffer errormessage)
 #ifdef USE_SSL
 	if (state->ssl_in_use)
 	{
+		char	   *raw_data;
+		int			raw_data_len;
+
+		if (strcmp(state->saslchannelbinding, SCRAM_CHANNEL_TLS_UNIQUE) == 0)
+		{
+			raw_data = state->tls_finish_message;
+			raw_data_len = state->tls_finish_len;
+		}
+		else
+		{
+			/* should not happen */
+			termPQExpBuffer(&buf);
+			printfPQExpBuffer(errormessage,
+							  libpq_gettext("incorrect channel binding name\n"));
+			return NULL;
+		}
+
+		/* should not happen, but better safe than sorry */
+		if (raw_data == NULL)
+		{
+			/* should not happen */
+			termPQExpBuffer(&buf);
+			printfPQExpBuffer(errormessage,
+							  libpq_gettext("empty binding data for channel name \"%s\"\n"),
+							  state->saslchannelbinding);
+			return NULL;
+		}
+
 		appendPQExpBuffer(&buf, "c=");
-		if (!enlargePQExpBuffer(&buf, pg_b64_enc_len(state->tls_finish_len)))
+
+		if (!enlargePQExpBuffer(&buf, pg_b64_enc_len(raw_data_len)))
 			goto oom_error;
-		buf.len += pg_b64_encode(state->tls_finish_message,
-								 state->tls_finish_len,
-								 buf.data + buf.len);
+		buf.len += pg_b64_encode(raw_data, raw_data_len, buf.data + buf.len);
 		buf.data[buf.len] = '\0';
 	}
 	else
diff --git a/src/interfaces/libpq/fe-auth.c b/src/interfaces/libpq/fe-auth.c
index 05f04be10a..4b26018f65 100644
--- a/src/interfaces/libpq/fe-auth.c
+++ b/src/interfaces/libpq/fe-auth.c
@@ -564,6 +564,7 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 			conn->sasl_state = pg_fe_scram_init(conn->pguser,
 												password,
 												conn->ssl_in_use,
+												conn->saslchannelbinding,
 												tls_finish,
 												tls_finish_len);
 			if (!conn->sasl_state)
@@ -589,6 +590,13 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 		}
 	}
 
+	/*
+	 * If user has asked for a specific mechanism name, enforce the chosen
+	 * name to it.
+	 */
+	if (conn->saslname && strlen(conn->saslname) > 0)
+		selected_mechanism = conn->saslname;
+
 	if (!selected_mechanism)
 	{
 		printfPQExpBuffer(&conn->errorMessage,
diff --git a/src/interfaces/libpq/fe-auth.h b/src/interfaces/libpq/fe-auth.h
index ee3dd7f96c..3c699959e0 100644
--- a/src/interfaces/libpq/fe-auth.h
+++ b/src/interfaces/libpq/fe-auth.h
@@ -24,8 +24,8 @@ extern char *pg_fe_getauthname(PQExpBuffer errorMessage);
 
 /* Prototypes for functions in fe-auth-scram.c */
 extern void *pg_fe_scram_init(const char *username, const char *password,
-					 bool ssl_in_use, char *tls_finish_message,
-					 int tls_finish_len);
+					 bool ssl_in_use, char *saslchannelbinding,
+					 char *tls_finish_message, int tls_finish_len);
 extern void pg_fe_scram_free(void *opaq);
 extern void pg_fe_scram_exchange(void *opaq, char *input, int inputlen,
 					 char **output, int *outputlen,
diff --git a/src/interfaces/libpq/fe-connect.c b/src/interfaces/libpq/fe-connect.c
index c580d91135..27139579e9 100644
--- a/src/interfaces/libpq/fe-connect.c
+++ b/src/interfaces/libpq/fe-connect.c
@@ -262,6 +262,15 @@ static const internalPQconninfoOption PQconninfoOptions[] = {
 		"TCP-Keepalives-Count", "", 10, /* strlen(INT32_MAX) == 10 */
 	offsetof(struct pg_conn, keepalives_count)},
 
+	/* Set of options proper to SASL */
+	{"saslname", NULL, NULL, NULL,
+		"SASL-Name", "", 21,	/* maximum name size per IANA == 21 */
+	offsetof(struct pg_conn, saslname)},
+
+	{"saslchannelbinding", NULL, NULL, NULL,
+		"SASL-Channel", "", 22,	/* sizeof("tls-unique-for-telnet") == 22 */
+	offsetof(struct pg_conn, saslchannelbinding)},
+
 	/*
 	 * ssl options are allowed even without client SSL support because the
 	 * client can still handle SSL modes "disable" and "allow". Other
@@ -3470,6 +3479,10 @@ freePGconn(PGconn *conn)
 		free(conn->keepalives_interval);
 	if (conn->keepalives_count)
 		free(conn->keepalives_count);
+	if (conn->saslname)
+		free(conn->saslname);
+	if (conn->saslchannelbinding)
+		free(conn->saslchannelbinding);
 	if (conn->sslmode)
 		free(conn->sslmode);
 	if (conn->sslcert)
diff --git a/src/interfaces/libpq/libpq-int.h b/src/interfaces/libpq/libpq-int.h
index 0eb8b60c95..6d500aa5db 100644
--- a/src/interfaces/libpq/libpq-int.h
+++ b/src/interfaces/libpq/libpq-int.h
@@ -349,6 +349,8 @@ struct pg_conn
 										 * retransmits */
 	char	   *keepalives_count;	/* maximum number of TCP keepalive
 									 * retransmits */
+	char	   *saslname;			/* SASL mechanism name */
+	char	   *saslchannelbinding;	/* channel binding used in SASL */
 	char	   *sslmode;		/* SSL mode (require,prefer,allow,disable) */
 	char	   *sslcompression; /* SSL compression (0 or 1) */
 	char	   *sslkey;			/* client key filename */
diff --git a/src/test/ssl/ServerSetup.pm b/src/test/ssl/ServerSetup.pm
index ad2e036602..b71969ac75 100644
--- a/src/test/ssl/ServerSetup.pm
+++ b/src/test/ssl/ServerSetup.pm
@@ -91,6 +91,9 @@ sub configure_test_server_for_ssl
 {
 	my $node       = $_[0];
 	my $serverhost = $_[1];
+	my $sslmethod  = $_[2];
+	my $passwd     = $_[3];
+	my $passwdhash = $_[4];
 
 	my $pgdata = $node->data_dir;
 
@@ -100,6 +103,15 @@ sub configure_test_server_for_ssl
 	$node->psql('postgres', "CREATE DATABASE trustdb");
 	$node->psql('postgres', "CREATE DATABASE certdb");
 
+	# Update password of each user as needed.
+	if (defined($passwd))
+	{
+		$node->psql('postgres',
+"SET password_encryption='$passwdhash'; ALTER USER ssltestuser PASSWORD '$passwd';");
+		$node->psql('postgres',
+"SET password_encryption='$passwdhash'; ALTER USER anotheruser PASSWORD '$passwd';");
+	}
+
 	# enable logging etc.
 	open my $conf, '>>', "$pgdata/postgresql.conf";
 	print $conf "fsync=off\n";
@@ -129,7 +141,7 @@ sub configure_test_server_for_ssl
 	$node->restart;
 
 	# Change pg_hba after restart because hostssl requires ssl=on
-	configure_hba_for_ssl($node, $serverhost);
+	configure_hba_for_ssl($node, $serverhost, $sslmethod);
 }
 
 # Change the configuration to use given server cert file, and reload
@@ -159,6 +171,7 @@ sub configure_hba_for_ssl
 {
 	my $node       = $_[0];
 	my $serverhost = $_[1];
+	my $sslmethod  = $_[2];
 	my $pgdata     = $node->data_dir;
 
   # Only accept SSL connections from localhost. Our tests don't depend on this
@@ -169,9 +182,9 @@ sub configure_hba_for_ssl
 	print $hba
 "# TYPE  DATABASE        USER            ADDRESS                 METHOD\n";
 	print $hba
-"hostssl trustdb         ssltestuser     $serverhost/32            trust\n";
+"hostssl trustdb         ssltestuser     $serverhost/32          $sslmethod\n";
 	print $hba
-"hostssl trustdb         ssltestuser     ::1/128                 trust\n";
+"hostssl trustdb         ssltestuser     ::1/128                 $sslmethod\n";
 	print $hba
 "hostssl certdb          ssltestuser     $serverhost/32            cert\n";
 	print $hba
diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl
index 890e3051a2..e690c1fa15 100644
--- a/src/test/ssl/t/001_ssltests.pl
+++ b/src/test/ssl/t/001_ssltests.pl
@@ -32,7 +32,7 @@ $node->init;
 $ENV{PGHOST} = $node->host;
 $ENV{PGPORT} = $node->port;
 $node->start;
-configure_test_server_for_ssl($node, $SERVERHOSTADDR);
+configure_test_server_for_ssl($node, $SERVERHOSTADDR, "trust");
 switch_server_cert($node, 'server-cn-only');
 
 ### Part 1. Run client-side tests.
diff --git a/src/test/ssl/t/002_sasl.pl b/src/test/ssl/t/002_sasl.pl
new file mode 100644
index 0000000000..a625f0d473
--- /dev/null
+++ b/src/test/ssl/t/002_sasl.pl
@@ -0,0 +1,52 @@
+use strict;
+use warnings;
+use PostgresNode;
+use TestLib;
+use Test::More tests => 6;
+use ServerSetup;
+use File::Copy;
+
+# test combinations of SASL authentication for SCRAM mechanism:
+# - SCRAM-SHA-256 and SCRAM-SHA-256-PLUS
+# - Channel bindings
+
+# This is the hostname used to connect to the server.
+my $SERVERHOSTADDR = '127.0.0.1';
+
+# Allocation of base connection string shared among multiple tests.
+my $common_connstr;
+
+#### Part 0. Set up the server.
+
+note "setting up data directory";
+my $node = get_new_node('master');
+$node->init;
+
+# PGHOST is enforced here to set up the node, subsequent connections
+# will use a dedicated connection string.
+$ENV{PGHOST} = $node->host;
+$ENV{PGPORT} = $node->port;
+$node->start;
+
+# Configure server for SSL connections, with password handling.
+configure_test_server_for_ssl($node, $SERVERHOSTADDR, "scram-sha-256",
+							  "pass", "scram-sha-256");
+switch_server_cert($node, 'server-cn-only');
+$ENV{PGPASSWORD} = "pass";
+$common_connstr =
+"user=ssltestuser dbname=trustdb sslmode=require hostaddr=$SERVERHOSTADDR";
+
+# Tests with default channel binding and SASL mechanism names.
+# tls-unique is used here
+test_connect_ok($common_connstr, "saslname=SCRAM-SHA-256-PLUS");
+test_connect_fails($common_connstr, "saslname=not-exists");
+# Downgrade attack.
+test_connect_fails($common_connstr, "saslname=SCRAM-SHA-256");
+test_connect_fails($common_connstr,
+		"saslname=SCRAM-SHA-256 saslchannelbinding=tls-unique");
+
+# Channel bindings
+test_connect_ok($common_connstr,
+		"saslname=SCRAM-SHA-256-PLUS saslchannelbinding=tls-unique");
+test_connect_fails($common_connstr,
+		"saslname=SCRAM-SHA-256-PLUS saslchannelbinding=not-exists");
-- 
2.14.1

From df079495c20779a7294a8ced2b62641a3aeebb64 Mon Sep 17 00:00:00 2001
From: Michael Paquier <michael@paquier.xyz>
Date: Tue, 20 Jun 2017 12:51:10 +0900
Subject: [PATCH 4/4] Implement channel binding tls-server-end-point for SCRAM

As referenced in RFC 5929, this channel binding is not the default value
and uses a hash of the certificate as binding data. On the frontend, this
can be resumed in getting the data from SSL_get_peer_certificate() and
on the backend SSL_get_certificate().

The hashing algorithm needs also to switch to SHA-256 if the signature
algorithm is MD5 or SHA-1, so let's be careful about that.
---
 doc/src/sgml/protocol.sgml               |  4 +-
 src/backend/libpq/auth-scram.c           | 21 ++++++++--
 src/backend/libpq/auth.c                 | 13 ++++--
 src/backend/libpq/be-secure-openssl.c    | 69 ++++++++++++++++++++++++++++++++
 src/include/libpq/libpq-be.h             |  1 +
 src/include/libpq/scram.h                |  4 +-
 src/interfaces/libpq/fe-auth-scram.c     | 20 ++++++++-
 src/interfaces/libpq/fe-auth.c           | 18 ++++++++-
 src/interfaces/libpq/fe-auth.h           |  3 +-
 src/interfaces/libpq/fe-secure-openssl.c | 66 ++++++++++++++++++++++++++++++
 src/interfaces/libpq/libpq-int.h         |  1 +
 src/test/ssl/t/002_sasl.pl               |  6 ++-
 12 files changed, 210 insertions(+), 16 deletions(-)

diff --git a/doc/src/sgml/protocol.sgml b/doc/src/sgml/protocol.sgml
index 37ae7276e5..62a958ed1d 100644
--- a/doc/src/sgml/protocol.sgml
+++ b/doc/src/sgml/protocol.sgml
@@ -1552,8 +1552,8 @@ the password is in.
   <para>
 <firstterm>Channel binding</> is supported in builds with SSL support, and
 uses as mechanism name <literal>SCRAM-SHA-256-PLUS</> for this purpose as
-defined per IANA. The only channel binding type supported by the server
-is <literal>tls-unique</>.
+defined per IANA. The channel binding types supported by the server
+are <literal>tls-unique</>, the default, and <literal>tls-server-end-point</>.
   </para>
 
 <procedure>
diff --git a/src/backend/libpq/auth-scram.c b/src/backend/libpq/auth-scram.c
index d5371a2708..89b659942b 100644
--- a/src/backend/libpq/auth-scram.c
+++ b/src/backend/libpq/auth-scram.c
@@ -113,6 +113,8 @@ typedef struct
 	bool		ssl_in_use;
 	char	   *tls_finish_message;
 	int			tls_finish_len;
+	char	   *certificate_hash;
+	int			certificate_hash_len;
 	char	   *channel_binding;
 
 	int			iterations;
@@ -175,7 +177,9 @@ pg_be_scram_init(const char *username,
 				 const char *shadow_pass,
 				 bool ssl_in_use,
 				 char *tls_finish_message,
-				 int tls_finish_len)
+				 int tls_finish_len,
+				 char *certificate_hash,
+				 int certificate_hash_len)
 {
 	scram_state *state;
 	bool		got_verifier;
@@ -186,6 +190,8 @@ pg_be_scram_init(const char *username,
 	state->ssl_in_use = ssl_in_use;
 	state->tls_finish_message = tls_finish_message;
 	state->tls_finish_len = tls_finish_len;
+	state->certificate_hash = certificate_hash;
+	state->certificate_hash_len = certificate_hash_len;
 	state->channel_binding = NULL;
 
 	/*
@@ -847,11 +853,12 @@ read_client_first_message(scram_state *state, char *input)
 							 errmsg("client supports SCRAM channel binding, but server does not need it for non-SSL connections")));
 
 				/*
-				 * Read value provided by client, only tls-unique is supported
-				 * for now.
+				 * Read value provided by client, only tls-unique and
+				 * tls-server-end-point are supported for now.
 				 */
 				channel_name = read_attr_value(&input, 'p');
-				if (strcmp(channel_name, SCRAM_CHANNEL_TLS_UNIQUE) != 0)
+				if (strcmp(channel_name, SCRAM_CHANNEL_TLS_UNIQUE) != 0 &&
+					strcmp(channel_name, SCRAM_CHANNEL_TLS_ENDPOINT) != 0)
 					ereport(ERROR,
 						(errcode(ERRCODE_PROTOCOL_VIOLATION),
 						 (errmsg("unexpected SCRAM channel-binding type"))));
@@ -1120,6 +1127,12 @@ read_client_final_message(scram_state *state, char *input)
 			raw_data = state->tls_finish_message;
 			raw_data_len = state->tls_finish_len;
 		}
+		else if (strcmp(state->channel_binding,
+						SCRAM_CHANNEL_TLS_ENDPOINT) == 0)
+		{
+			raw_data = state->certificate_hash;
+			raw_data_len = state->certificate_hash_len;
+		}
 		else
 		{
 			/* should not happen */
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index ee9bce03a2..bbab65b64b 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -867,6 +867,8 @@ CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail)
 	bool		initial;
 	char	   *tls_finish = NULL;
 	int			tls_finish_len = 0;
+	char	   *certificate_bash = NULL;
+	int			certificate_bash_len = 0;
 
 	/*
 	 * SASL auth is not supported for protocol versions before 3, because it
@@ -918,12 +920,15 @@ CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail)
 
 #ifdef USE_SSL
 	/*
-	 * Fetch the data related to the SSL finish message to be used in the
-	 * exchange.
+	 * Fetch the data related to the SSL finish message and the client
+	 * certificate (if any) to be used in the exchange.
 	 */
 	if (port->ssl_in_use)
 	{
 		tls_finish = be_tls_get_peer_finish(port, &tls_finish_len);
+		certificate_bash =
+			be_tls_get_certificate_hash(port,
+										&certificate_bash_len);
 	}
 #endif
 
@@ -942,7 +947,9 @@ CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail)
 								  shadow_pass,
 								  port->ssl_in_use,
 								  tls_finish,
-								  tls_finish_len);
+								  tls_finish_len,
+								  certificate_bash,
+								  certificate_bash_len);
 
 	/*
 	 * Loop through SASL message exchange.  This exchange can consist of
diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index d063a587d0..cea60c6741 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -1239,6 +1239,75 @@ be_tls_get_peer_finish(Port *port, int *len)
 	return result;
 }
 
+/*
+ * Get the server certificate hash for authentication purposes. Per
+ * RFC 5929 and tls-server-end-point, the TLS server's certificate bytes
+ * need to be hashed with SHA-256 if its signature algorithm is MD5 or
+ * SHA-1. If SHA-256 or something else is used, the same hash as the
+ * signature algorithm is used.
+ * The result is a palloc'd hash of the server certificate with its
+ * size, and NULL if there is nothing certificates available.
+ */
+char *
+be_tls_get_certificate_hash(Port *port, int *len)
+{
+	char	*cert_hash = NULL;
+	X509	*server_cert;
+
+	*len = 0;
+	server_cert = SSL_get_certificate(port->ssl);
+
+	if (server_cert != NULL)
+	{
+		const EVP_MD   *algo_type = NULL;
+		char			hash[EVP_MAX_MD_SIZE];	/* size for SHA-512 */
+		unsigned int	hash_size;
+		int				algo_nid;
+
+		/*
+		 * Get the signature algorithm of the certificate to determine the
+		 * hash algorithm to use for the result.
+		 */
+		if (!OBJ_find_sigid_algs(X509_get_signature_nid(server_cert),
+								 &algo_nid, NULL))
+			elog(ERROR, "could not find signature algorithm");
+
+		switch (algo_nid)
+		{
+			case NID_sha512:
+				algo_type = EVP_sha512();
+				break;
+
+			case NID_sha384:
+				algo_type = EVP_sha384();
+				break;
+
+			/*
+			 * Fallback to SHA-256 for weaker hashes, and keep them listed
+			 * here for reference.
+			 */
+			case NID_md5:
+			case NID_sha1:
+			case NID_sha224:
+			case NID_sha256:
+			default:
+				algo_type = EVP_sha256();
+				break;
+		}
+
+		/* generate and save the certificate hash */
+		if (!X509_digest(server_cert, algo_type, (unsigned char *) hash,
+						 &hash_size))
+			elog(ERROR, "could not generate server certificate hash");
+
+		cert_hash = (char *) palloc(hash_size);
+		memcpy(cert_hash, hash, hash_size);
+		*len = hash_size;
+	}
+
+	return cert_hash;
+}
+
 /*
  * Convert an X509 subject name to a cstring.
  *
diff --git a/src/include/libpq/libpq-be.h b/src/include/libpq/libpq-be.h
index 5d59d79822..0392860a87 100644
--- a/src/include/libpq/libpq-be.h
+++ b/src/include/libpq/libpq-be.h
@@ -210,6 +210,7 @@ extern void be_tls_get_version(Port *port, char *ptr, size_t len);
 extern void be_tls_get_cipher(Port *port, char *ptr, size_t len);
 extern void be_tls_get_peerdn_name(Port *port, char *ptr, size_t len);
 extern char *be_tls_get_peer_finish(Port *port, int *len);
+extern char *be_tls_get_certificate_hash(Port *port, int *len);
 #endif
 
 extern ProtocolVersion FrontendProtocol;
diff --git a/src/include/libpq/scram.h b/src/include/libpq/scram.h
index 91cebe9a9b..55d0568d43 100644
--- a/src/include/libpq/scram.h
+++ b/src/include/libpq/scram.h
@@ -19,6 +19,7 @@
 
 /* Channel binding names */
 #define SCRAM_CHANNEL_TLS_UNIQUE	"tls-unique"
+#define SCRAM_CHANNEL_TLS_ENDPOINT	"tls-server-end-point"
 
 /* Status codes for message exchange */
 #define SASL_EXCHANGE_CONTINUE		0
@@ -28,7 +29,8 @@
 /* Routines dedicated to authentication */
 extern void *pg_be_scram_init(const char *username, const char *shadow_pass,
 					 bool ssl_in_use, char *tls_finish_message,
-					 int tls_finish_len);
+					 int tls_finish_len, char *certificate_hash,
+					 int certificate_hash_len);
 extern int pg_be_scram_exchange(void *opaq, char *input, int inputlen,
 					 char **output, int *outputlen, char **logdetail);
 
diff --git a/src/interfaces/libpq/fe-auth-scram.c b/src/interfaces/libpq/fe-auth-scram.c
index 5b8522391d..10517d16e5 100644
--- a/src/interfaces/libpq/fe-auth-scram.c
+++ b/src/interfaces/libpq/fe-auth-scram.c
@@ -48,6 +48,8 @@ typedef struct
 	bool		ssl_in_use;
 	char	   *tls_finish_message;
 	int			tls_finish_len;
+	char	   *certificate_hash;
+	int			certificate_hash_len;
 	/* enforceable user parameters */
 	char	   *saslchannelbinding;	/* name of channel binding to use */
 
@@ -92,7 +94,9 @@ pg_fe_scram_init(const char *username,
 				 bool ssl_in_use,
 				 char *saslchannelbinding,
 				 char *tls_finish_message,
-				 int tls_finish_len)
+				 int tls_finish_len,
+				 char *certificate_hash,
+				 int certificate_hash_len)
 {
 	fe_scram_state *state;
 	char	   *prep_password;
@@ -107,6 +111,8 @@ pg_fe_scram_init(const char *username,
 	state->ssl_in_use = ssl_in_use;
 	state->tls_finish_message = tls_finish_message;
 	state->tls_finish_len = tls_finish_len;
+	state->certificate_hash = certificate_hash;
+	state->certificate_hash_len = certificate_hash_len;
 
 	/*
 	 * If user has specified a channel binding to use, enforce the
@@ -150,6 +156,8 @@ pg_fe_scram_free(void *opaq)
 		free(state->password);
 	if (state->tls_finish_message)
 		free(state->tls_finish_message);
+	if (state->certificate_hash)
+		free(state->certificate_hash);
 	if (state->saslchannelbinding)
 		free(state->saslchannelbinding);
 
@@ -423,7 +431,9 @@ build_client_final_message(fe_scram_state *state, PQExpBuffer errormessage)
 	 * Construct client-final-message-without-proof.  We need to remember it
 	 * for verifying the server proof in the final step of authentication.
 	 * Client needs to provide a b64 encoded string of the TLS finish message
-	 * only if a SSL connection is attempted.
+	 * only if a SSL connection is attempted using "tls-unique" as channel
+	 * binding. For "tls-server-end-point", a hash of the client certificate
+	 * is sent instead.
 	 */
 #ifdef USE_SSL
 	if (state->ssl_in_use)
@@ -436,6 +446,12 @@ build_client_final_message(fe_scram_state *state, PQExpBuffer errormessage)
 			raw_data = state->tls_finish_message;
 			raw_data_len = state->tls_finish_len;
 		}
+		else if (strcmp(state->saslchannelbinding,
+						SCRAM_CHANNEL_TLS_ENDPOINT) == 0)
+		{
+			raw_data = state->certificate_hash;
+			raw_data_len = state->certificate_hash_len;
+		}
 		else
 		{
 			/* should not happen */
diff --git a/src/interfaces/libpq/fe-auth.c b/src/interfaces/libpq/fe-auth.c
index 4b26018f65..d72d35670f 100644
--- a/src/interfaces/libpq/fe-auth.c
+++ b/src/interfaces/libpq/fe-auth.c
@@ -539,6 +539,8 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 			char	   *password;
 			char	   *tls_finish = NULL;
 			int			tls_finish_len = 0;
+			char	   *certificate_hash = NULL;
+			int			certificate_hash_len = 0;
 
 			conn->password_needed = true;
 			password = conn->connhost[conn->whichhost].password;
@@ -552,12 +554,21 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 			}
 
 #ifdef USE_SSL
-			/* Fetch information about the TLS finish message */
+			/*
+			 * Fetch information about the TLS finish message and client
+			 * certificate if any.
+			 */
 			if (conn->ssl_in_use)
 			{
 				tls_finish = pgtls_get_finish(conn, &tls_finish_len);
 				if (tls_finish == NULL)
 					goto oom_error;
+
+				certificate_hash =
+					pgtls_get_peer_certificate_hash(conn,
+													&certificate_hash_len);
+				if (certificate_hash == NULL)
+					goto oom_error;
 			}
 #endif
 
@@ -566,7 +577,10 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 												conn->ssl_in_use,
 												conn->saslchannelbinding,
 												tls_finish,
-												tls_finish_len);
+												tls_finish_len,
+												certificate_hash,
+												certificate_hash_len);
+
 			if (!conn->sasl_state)
 				goto oom_error;
 
diff --git a/src/interfaces/libpq/fe-auth.h b/src/interfaces/libpq/fe-auth.h
index 3c699959e0..8db86f8bcc 100644
--- a/src/interfaces/libpq/fe-auth.h
+++ b/src/interfaces/libpq/fe-auth.h
@@ -25,7 +25,8 @@ extern char *pg_fe_getauthname(PQExpBuffer errorMessage);
 /* Prototypes for functions in fe-auth-scram.c */
 extern void *pg_fe_scram_init(const char *username, const char *password,
 					 bool ssl_in_use, char *saslchannelbinding,
-					 char *tls_finish_message, int tls_finish_len);
+					 char *tls_finish_message, int tls_finish_len,
+					 char *certificate_hash, int certificate_hash_len);
 extern void pg_fe_scram_free(void *opaq);
 extern void pg_fe_scram_exchange(void *opaq, char *input, int inputlen,
 					 char **output, int *outputlen,
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 84a6e3c322..00a14289e4 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -418,6 +418,72 @@ pgtls_get_finish(PGconn *conn, int *len)
 	return result;
 }
 
+/*
+ *	Get the hash of the server certificate
+ *
+ * This information is useful for end-point channel binding, where
+ * the client certificate hash is used as a link, per RFC 5929.
+ */
+char *
+pgtls_get_peer_certificate_hash(PGconn *conn, int *len)
+{
+	char	   *cert_hash = NULL;
+
+	*len = 0;
+
+	if (conn->peer)
+	{
+		X509		   *peer_cert = conn->peer;
+		const EVP_MD   *algo_type = NULL;
+		char			hash[EVP_MAX_MD_SIZE];	/* size for SHA-512 */
+		unsigned int	hash_size;
+		int				algo_nid;
+
+		/*
+		 * Get the signature algorithm of the certificate to determine the
+		 * hash algorithm to use for the result.
+		 */
+		if (!OBJ_find_sigid_algs(X509_get_signature_nid(peer_cert),
+								 &algo_nid, NULL))
+			return NULL;
+
+		switch (algo_nid)
+		{
+			case NID_sha512:
+				algo_type = EVP_sha512();
+				break;
+
+			case NID_sha384:
+				algo_type = EVP_sha384();
+				break;
+
+			/*
+			 * Fallback to SHA-256 for weaker hashes, and keep them listed
+			 * here for reference.
+			 */
+			case NID_md5:
+			case NID_sha1:
+			case NID_sha224:
+			case NID_sha256:
+			default:
+				algo_type = EVP_sha256();
+				break;
+		}
+
+		if (!X509_digest(peer_cert, algo_type, (unsigned char *) hash,
+						 &hash_size))
+			return NULL;
+
+		/* save result */
+		cert_hash = (char *) malloc(hash_size);
+		if (cert_hash == NULL)
+			return NULL;
+		memcpy(cert_hash, hash, hash_size);
+		*len = hash_size;
+	}
+
+	return cert_hash;
+}
 
 /* ------------------------------------------------------------ */
 /*						OpenSSL specific code					*/
diff --git a/src/interfaces/libpq/libpq-int.h b/src/interfaces/libpq/libpq-int.h
index 6d500aa5db..f1e2c0bb3c 100644
--- a/src/interfaces/libpq/libpq-int.h
+++ b/src/interfaces/libpq/libpq-int.h
@@ -673,6 +673,7 @@ extern ssize_t pgtls_read(PGconn *conn, void *ptr, size_t len);
 extern bool pgtls_read_pending(PGconn *conn);
 extern ssize_t pgtls_write(PGconn *conn, const void *ptr, size_t len);
 extern char *pgtls_get_finish(PGconn *conn, int *len);
+extern char *pgtls_get_peer_certificate_hash(PGconn *conn, int *len);
 
 /*
  * this is so that we can check if a connection is non-blocking internally
diff --git a/src/test/ssl/t/002_sasl.pl b/src/test/ssl/t/002_sasl.pl
index a625f0d473..a4e6dfac3d 100644
--- a/src/test/ssl/t/002_sasl.pl
+++ b/src/test/ssl/t/002_sasl.pl
@@ -2,7 +2,7 @@ use strict;
 use warnings;
 use PostgresNode;
 use TestLib;
-use Test::More tests => 6;
+use Test::More tests => 8;
 use ServerSetup;
 use File::Copy;
 
@@ -44,9 +44,13 @@ test_connect_fails($common_connstr, "saslname=not-exists");
 test_connect_fails($common_connstr, "saslname=SCRAM-SHA-256");
 test_connect_fails($common_connstr,
 		"saslname=SCRAM-SHA-256 saslchannelbinding=tls-unique");
+test_connect_fails($common_connstr,
+		"saslname=SCRAM-SHA-256 saslchannelbinding=tls-server-end-point");
 
 # Channel bindings
 test_connect_ok($common_connstr,
 		"saslname=SCRAM-SHA-256-PLUS saslchannelbinding=tls-unique");
+test_connect_ok($common_connstr,
+		"saslname=SCRAM-SHA-256-PLUS saslchannelbinding=tls-server-end-point");
 test_connect_fails($common_connstr,
 		"saslname=SCRAM-SHA-256-PLUS saslchannelbinding=not-exists");
-- 
2.14.1

From b148bd1fdfee1cdc94ac936a381c3eb085e70821 Mon Sep 17 00:00:00 2001
From: Michael Paquier <michael@paquier.xyz>
Date: Fri, 16 Jun 2017 17:00:06 +0900
Subject: [PATCH 1/4] Refactor routine to test connection to SSL server

Move the sub-routines wrappers to check if a connection to a server is
fine or not into the test main module. This is useful for other tests
willing to check connectivity into a server.
---
 src/test/ssl/ServerSetup.pm    |  45 +++++++++++++-
 src/test/ssl/t/001_ssltests.pl | 132 +++++++++++++++++------------------------
 2 files changed, 100 insertions(+), 77 deletions(-)

diff --git a/src/test/ssl/ServerSetup.pm b/src/test/ssl/ServerSetup.pm
index f63c81cfc6..ad2e036602 100644
--- a/src/test/ssl/ServerSetup.pm
+++ b/src/test/ssl/ServerSetup.pm
@@ -26,9 +26,52 @@ use Test::More;
 
 use Exporter 'import';
 our @EXPORT = qw(
-  configure_test_server_for_ssl switch_server_cert
+  configure_test_server_for_ssl
+  run_test_psql
+  switch_server_cert
+  test_connect_fails
+  test_connect_ok
 );
 
+# Define a couple of helper functions to test connecting to the server.
+
+# Attempt connection to server with given connection string.
+sub run_test_psql
+{
+	my $connstr   = $_[0];
+	my $logstring = $_[1];
+
+	my $cmd = [
+		'psql', '-X', '-A', '-t', '-c', "SELECT 'connected with $connstr'",
+		'-d', "$connstr" ];
+
+	my $result = run_log($cmd);
+	return $result;
+}
+
+#
+# The first argument is a base connection string to use for connection.
+# The second argument is a complementary connection string, and it's also
+# printed out as the test case name.
+sub test_connect_ok
+{
+	my $common_connstr = $_[0];
+	my $connstr = $_[1];
+
+	my $result =
+	  run_test_psql("$common_connstr $connstr", "(should succeed)");
+	ok($result, $connstr);
+}
+
+sub test_connect_fails
+{
+	my $common_connstr = $_[0];
+	my $connstr = $_[1];
+
+	my $result = run_test_psql("$common_connstr $connstr", "(should fail)");
+	ok(!$result, "$connstr (should fail)");
+}
+
 # Copy a set of files, taking into account wildcards
 sub copy_files
 {
diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl
index 32df273929..890e3051a2 100644
--- a/src/test/ssl/t/001_ssltests.pl
+++ b/src/test/ssl/t/001_ssltests.pl
@@ -13,44 +13,9 @@ use File::Copy;
 # postgresql-ssl-regression.test.
 my $SERVERHOSTADDR = '127.0.0.1';
 
-# Define a couple of helper functions to test connecting to the server.
-
+# Allocation of base connection string shared among multiple tests.
 my $common_connstr;
 
-sub run_test_psql
-{
-	my $connstr   = $_[0];
-	my $logstring = $_[1];
-
-	my $cmd = [
-		'psql', '-X', '-A', '-t', '-c', "SELECT 'connected with $connstr'",
-		'-d', "$connstr" ];
-
-	my $result = run_log($cmd);
-	return $result;
-}
-
-#
-# The first argument is a (part of a) connection string, and it's also printed
-# out as the test case name. It is appended to $common_connstr global variable,
-# which also contains a libpq connection string.
-sub test_connect_ok
-{
-	my $connstr = $_[0];
-
-	my $result =
-	  run_test_psql("$common_connstr $connstr", "(should succeed)");
-	ok($result, $connstr);
-}
-
-sub test_connect_fails
-{
-	my $connstr = $_[0];
-
-	my $result = run_test_psql("$common_connstr $connstr", "(should fail)");
-	ok(!$result, "$connstr (should fail)");
-}
-
 # The client's private key must not be world-readable, so take a copy
 # of the key stored in the code tree and update its permissions.
 copy("ssl/client.key", "ssl/client_tmp.key");
@@ -83,50 +48,59 @@ $common_connstr =
 
 # The server should not accept non-SSL connections
 note "test that the server doesn't accept non-SSL connections";
-test_connect_fails("sslmode=disable");
+test_connect_fails($common_connstr, "sslmode=disable");
 
 # Try without a root cert. In sslmode=require, this should work. In verify-ca
 # or verify-full mode it should fail
 note "connect without server root cert";
-test_connect_ok("sslrootcert=invalid sslmode=require");
-test_connect_fails("sslrootcert=invalid sslmode=verify-ca");
-test_connect_fails("sslrootcert=invalid sslmode=verify-full");
+test_connect_ok($common_connstr, "sslrootcert=invalid sslmode=require");
+test_connect_fails($common_connstr, "sslrootcert=invalid sslmode=verify-ca");
+test_connect_fails($common_connstr, "sslrootcert=invalid sslmode=verify-full");
 
 # Try with wrong root cert, should fail. (we're using the client CA as the
 # root, but the server's key is signed by the server CA)
 note "connect without wrong server root cert";
-test_connect_fails("sslrootcert=ssl/client_ca.crt sslmode=require");
-test_connect_fails("sslrootcert=ssl/client_ca.crt sslmode=verify-ca");
-test_connect_fails("sslrootcert=ssl/client_ca.crt sslmode=verify-full");
+test_connect_fails($common_connstr,
+	"sslrootcert=ssl/client_ca.crt sslmode=require");
+test_connect_fails($common_connstr,
+	"sslrootcert=ssl/client_ca.crt sslmode=verify-ca");
+test_connect_fails($common_connstr,
+	"sslrootcert=ssl/client_ca.crt sslmode=verify-full");
 
 # Try with just the server CA's cert. This fails because the root file
 # must contain the whole chain up to the root CA.
 note "connect with server CA cert, without root CA";
-test_connect_fails("sslrootcert=ssl/server_ca.crt sslmode=verify-ca");
+test_connect_fails($common_connstr,
+	"sslrootcert=ssl/server_ca.crt sslmode=verify-ca");
 
 # And finally, with the correct root cert.
 note "connect with correct server CA cert file";
-test_connect_ok("sslrootcert=ssl/root+server_ca.crt sslmode=require");
-test_connect_ok("sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca");
-test_connect_ok("sslrootcert=ssl/root+server_ca.crt sslmode=verify-full");
+test_connect_ok($common_connstr,
+	"sslrootcert=ssl/root+server_ca.crt sslmode=require");
+test_connect_ok($common_connstr,
+	"sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca");
+test_connect_ok($common_connstr,
+	"sslrootcert=ssl/root+server_ca.crt sslmode=verify-full");
 
 # Test with cert root file that contains two certificates. The client should
 # be able to pick the right one, regardless of the order in the file.
-test_connect_ok("sslrootcert=ssl/both-cas-1.crt sslmode=verify-ca");
-test_connect_ok("sslrootcert=ssl/both-cas-2.crt sslmode=verify-ca");
+test_connect_ok($common_connstr,
+	"sslrootcert=ssl/both-cas-1.crt sslmode=verify-ca");
+test_connect_ok($common_connstr,
+	"sslrootcert=ssl/both-cas-2.crt sslmode=verify-ca");
 
 note "testing sslcrl option with a non-revoked cert";
 
 # Invalid CRL filename is the same as no CRL, succeeds
-test_connect_ok(
+test_connect_ok($common_connstr,
 	"sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=invalid");
 
 # A CRL belonging to a different CA is not accepted, fails
-test_connect_fails(
+test_connect_fails($common_connstr,
 "sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/client.crl");
 
 # With the correct CRL, succeeds (this cert is not revoked)
-test_connect_ok(
+test_connect_ok($common_connstr,
 "sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/root+server.crl"
 );
 
@@ -136,9 +110,9 @@ note "test mismatch between hostname and server certificate";
 $common_connstr =
 "user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full";
 
-test_connect_ok("sslmode=require host=wronghost.test");
-test_connect_ok("sslmode=verify-ca host=wronghost.test");
-test_connect_fails("sslmode=verify-full host=wronghost.test");
+test_connect_ok($common_connstr, "sslmode=require host=wronghost.test");
+test_connect_ok($common_connstr, "sslmode=verify-ca host=wronghost.test");
+test_connect_fails($common_connstr, "sslmode=verify-full host=wronghost.test");
 
 # Test Subject Alternative Names.
 switch_server_cert($node, 'server-multiple-alt-names');
@@ -147,12 +121,13 @@ note "test hostname matching with X.509 Subject Alternative Names";
 $common_connstr =
 "user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full";
 
-test_connect_ok("host=dns1.alt-name.pg-ssltest.test");
-test_connect_ok("host=dns2.alt-name.pg-ssltest.test");
-test_connect_ok("host=foo.wildcard.pg-ssltest.test");
+test_connect_ok($common_connstr, "host=dns1.alt-name.pg-ssltest.test");
+test_connect_ok($common_connstr, "host=dns2.alt-name.pg-ssltest.test");
+test_connect_ok($common_connstr, "host=foo.wildcard.pg-ssltest.test");
 
-test_connect_fails("host=wronghost.alt-name.pg-ssltest.test");
-test_connect_fails("host=deep.subdomain.wildcard.pg-ssltest.test");
+test_connect_fails($common_connstr, "host=wronghost.alt-name.pg-ssltest.test");
+test_connect_fails($common_connstr,
+	"host=deep.subdomain.wildcard.pg-ssltest.test");
 
 # Test certificate with a single Subject Alternative Name. (this gives a
 # slightly different error message, that's all)
@@ -162,10 +137,11 @@ note "test hostname matching with a single X.509 Subject Alternative Name";
 $common_connstr =
 "user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full";
 
-test_connect_ok("host=single.alt-name.pg-ssltest.test");
+test_connect_ok($common_connstr, "host=single.alt-name.pg-ssltest.test");
 
-test_connect_fails("host=wronghost.alt-name.pg-ssltest.test");
-test_connect_fails("host=deep.subdomain.wildcard.pg-ssltest.test");
+test_connect_fails($common_connstr, "host=wronghost.alt-name.pg-ssltest.test");
+test_connect_fails($common_connstr,
+	"host=deep.subdomain.wildcard.pg-ssltest.test");
 
 # Test server certificate with a CN and SANs. Per RFCs 2818 and 6125, the CN
 # should be ignored when the certificate has both.
@@ -175,9 +151,9 @@ note "test certificate with both a CN and SANs";
 $common_connstr =
 "user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full";
 
-test_connect_ok("host=dns1.alt-name.pg-ssltest.test");
-test_connect_ok("host=dns2.alt-name.pg-ssltest.test");
-test_connect_fails("host=common-name.pg-ssltest.test");
+test_connect_ok($common_connstr, "host=dns1.alt-name.pg-ssltest.test");
+test_connect_ok($common_connstr, "host=dns2.alt-name.pg-ssltest.test");
+test_connect_fails($common_connstr, "host=common-name.pg-ssltest.test");
 
 # Finally, test a server certificate that has no CN or SANs. Of course, that's
 # not a very sensible certificate, but libpq should handle it gracefully.
@@ -185,8 +161,10 @@ switch_server_cert($node, 'server-no-names');
 $common_connstr =
 "user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR";
 
-test_connect_ok("sslmode=verify-ca host=common-name.pg-ssltest.test");
-test_connect_fails("sslmode=verify-full host=common-name.pg-ssltest.test");
+test_connect_ok($common_connstr,
+	"sslmode=verify-ca host=common-name.pg-ssltest.test");
+test_connect_fails($common_connstr,
+	"sslmode=verify-full host=common-name.pg-ssltest.test");
 
 # Test that the CRL works
 note "testing client-side CRL";
@@ -196,8 +174,9 @@ $common_connstr =
 "user=ssltestuser dbname=trustdb sslcert=invalid hostaddr=$SERVERHOSTADDR host=common-name.pg-ssltest.test";
 
 # Without the CRL, succeeds. With it, fails.
-test_connect_ok("sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca");
-test_connect_fails(
+test_connect_ok($common_connstr,
+	"sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca");
+test_connect_fails($common_connstr,
 "sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/root+server.crl"
 );
 
@@ -210,18 +189,18 @@ $common_connstr =
 "sslrootcert=ssl/root+server_ca.crt sslmode=require dbname=certdb hostaddr=$SERVERHOSTADDR";
 
 # no client cert
-test_connect_fails("user=ssltestuser sslcert=invalid");
+test_connect_fails($common_connstr, "user=ssltestuser sslcert=invalid");
 
 # correct client cert
-test_connect_ok(
+test_connect_ok($common_connstr,
 	"user=ssltestuser sslcert=ssl/client.crt sslkey=ssl/client_tmp.key");
 
 # client cert belonging to another user
-test_connect_fails(
+test_connect_fails($common_connstr,
 	"user=anotheruser sslcert=ssl/client.crt sslkey=ssl/client_tmp.key");
 
 # revoked client cert
-test_connect_fails(
+test_connect_fails($common_connstr,
 "user=ssltestuser sslcert=ssl/client-revoked.crt sslkey=ssl/client-revoked.key"
 );
 
@@ -230,8 +209,9 @@ switch_server_cert($node, 'server-cn-only', 'root_ca');
 $common_connstr =
 "user=ssltestuser dbname=certdb sslkey=ssl/client_tmp.key sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR";
 
-test_connect_ok("sslmode=require sslcert=ssl/client+client_ca.crt");
-test_connect_fails("sslmode=require sslcert=ssl/client.crt");
+test_connect_ok($common_connstr,
+	"sslmode=require sslcert=ssl/client+client_ca.crt");
+test_connect_fails($common_connstr, "sslmode=require sslcert=ssl/client.crt");
 
 # clean up
 unlink "ssl/client_tmp.key";
-- 
2.14.2

From bb80b82d16597f725b4dc79d6b539715b27a2cf0 Mon Sep 17 00:00:00 2001
From: Michael Paquier <michael@paquier.xyz>
Date: Tue, 10 Oct 2017 21:51:18 +0900
Subject: [PATCH 2/4] Support channel binding 'tls-unique' in SCRAM

This is the basic feature set using OpenSSL to support the feature.
In order to allow the frontend and the backend to fetch the sent and
expected TLS finish messages, a PG-like API is added to be able to
make the interface pluggable for other SSL implementations.

This commit also adds a lot of basic infrastructure to facilitate the
addition of future channel binding types as well as libpq parameters
to control the SASL mechanism names and channel binding names. Those
will be added by upcoming commits.

A set of basic tests to stress default channel binding handling is
added as well, though those are part of the SSL suite.
---
 doc/src/sgml/protocol.sgml               |  25 +++--
 src/backend/libpq/auth-scram.c           | 162 +++++++++++++++++++++-----
 src/backend/libpq/auth.c                 |  69 ++++++++++--
 src/backend/libpq/be-secure-openssl.c    |  24 ++++
 src/include/libpq/libpq-be.h             |   1 +
 src/include/libpq/scram.h                |  10 +-
 src/interfaces/libpq/fe-auth-scram.c     | 187 +++++++++++++++++++++++++++----
 src/interfaces/libpq/fe-auth.c           | 100 +++++++++++++----
 src/interfaces/libpq/fe-auth.h           |   5 +-
 src/interfaces/libpq/fe-secure-openssl.c |  26 +++++
 src/interfaces/libpq/libpq-int.h         |   5 +-
 src/test/ssl/ServerSetup.pm              |  19 +++-
 src/test/ssl/t/001_ssltests.pl           |   2 +-
 src/test/ssl/t/002_sasl.pl               |  41 +++++++
 14 files changed, 584 insertions(+), 92 deletions(-)
 create mode 100644 src/test/ssl/t/002_sasl.pl

diff --git a/doc/src/sgml/protocol.sgml b/doc/src/sgml/protocol.sgml
index 526e8011de..3ba8575fba 100644
--- a/doc/src/sgml/protocol.sgml
+++ b/doc/src/sgml/protocol.sgml
@@ -1461,10 +1461,11 @@ SELCT 1/0;
 
 <para>
 <firstterm>SASL</> is a framework for authentication in connection-oriented
-protocols. At the moment, <productname>PostgreSQL</> implements only one SASL
-authentication mechanism, SCRAM-SHA-256, but more might be added in the
-future. The below steps illustrate how SASL authentication is performed in
-general, while the next subsection gives more details on SCRAM-SHA-256.
+protocols. At the moment, <productname>PostgreSQL</> implements only two SASL
+authentication mechanisms, SCRAM-SHA-256 and SCRAM-SHA-256-PLUS, but more
+might be added in the future. The below steps illustrate how SASL
+authentication is performed in general, while the next subsection gives
+more details on SCRAM-SHA-256 and SCRAM-SHA-256-PLUS.
 </para>
 
 <procedure>
@@ -1547,7 +1548,10 @@ the password is in.
   </para>
 
   <para>
-<firstterm>Channel binding</> has not been implemented yet.
+<firstterm>Channel binding</> is supported in builds with SSL support, and
+uses as mechanism name <literal>SCRAM-SHA-256-PLUS</> for this purpose as
+defined per IANA. The only channel binding type supported by the server
+is <literal>tls-unique</>.
   </para>
 
 <procedure>
@@ -1556,14 +1560,19 @@ the password is in.
 <para>
   The server sends an AuthenticationSASL message. It includes a list of
   SASL authentication mechanisms that the server can accept.
+  <literal>SCRAM-SHA-256</> and <literal>SCRAM-SHA-256-PLUS</> are the
+  two mechanism names that the server lists in this message. Support for
+  channel binding is not included if the server is built without SSL
+  support. The client can still choose to not use channel binding for
+  a connection attempt with SSL.
 </para>
 </step>
 <step id="scram-client-first">
 <para>
   The client responds by sending a SASLInitialResponse message, which
-  indicates the chosen mechanism, <literal>SCRAM-SHA-256</>. In the Initial
-  Client response field, the message contains the SCRAM
-  <structname>client-first-message</>.
+  indicates the chosen mechanism, <literal>SCRAM-SHA-256</> or
+  <literal>SCRAM-SHA-256-PLUS</>. In the Initial Client response field,
+  the message contains the SCRAM <structname>client-first-message</>.
 </para>
 </step>
 <step id="scram-server-first">
diff --git a/src/backend/libpq/auth-scram.c b/src/backend/libpq/auth-scram.c
index 9161c885e1..2efc198459 100644
--- a/src/backend/libpq/auth-scram.c
+++ b/src/backend/libpq/auth-scram.c
@@ -17,8 +17,6 @@
  *	 by the SASLprep profile, we skip the SASLprep pre-processing and use
  *	 the raw bytes in calculating the hash.
  *
- * - Channel binding is not supported yet.
- *
  *
  * The password stored in pg_authid consists of the iteration count, salt,
  * StoredKey and ServerKey.
@@ -112,6 +110,11 @@ typedef struct
 
 	const char *username;		/* username from startup packet */
 
+	bool		ssl_in_use;
+	char	   *tls_finished_message;
+	int			tls_finished_len;
+	char	   *channel_binding;
+
 	int			iterations;
 	char	   *salt;			/* base64-encoded */
 	uint8		StoredKey[SCRAM_KEY_LEN];
@@ -168,7 +171,11 @@ static char *scram_mock_salt(const char *username);
  * it will fail, as if an incorrect password was given.
  */
 void *
-pg_be_scram_init(const char *username, const char *shadow_pass)
+pg_be_scram_init(const char *username,
+				 const char *shadow_pass,
+				 bool ssl_in_use,
+				 char *tls_finished_message,
+				 int tls_finished_len)
 {
 	scram_state *state;
 	bool		got_verifier;
@@ -176,6 +183,10 @@ pg_be_scram_init(const char *username, const char *shadow_pass)
 	state = (scram_state *) palloc0(sizeof(scram_state));
 	state->state = SCRAM_AUTH_INIT;
 	state->username = username;
+	state->ssl_in_use = ssl_in_use;
+	state->tls_finished_message = tls_finished_message;
+	state->tls_finished_len = tls_finished_len;
+	state->channel_binding = NULL;
 
 	/*
 	 * Parse the stored password verifier.
@@ -773,31 +784,84 @@ read_client_first_message(scram_state *state, char *input)
 	 *------
 	 */
 
-	/* read gs2-cbind-flag */
+	/*
+	 * Read gs2-cbind-flag. Server handles its value as described in RFC 5802,
+	 * section 6 dealing with channel binding.
+	 */
 	switch (*input)
 	{
 		case 'n':
-			/* Client does not support channel binding */
+			/*
+			 * The client does not support channel binding, or has simply
+			 * decided to not use it. In this case just let go.
+			 */
+			input++;
+			if (*input != ',')
+				ereport(ERROR,
+						(errcode(ERRCODE_PROTOCOL_VIOLATION),
+						 errmsg("malformed SCRAM message"),
+						 errdetail("Comma expected, but found character \"%s\".",
+								   sanitize_char(*input))));
 			input++;
 			break;
 		case 'y':
-			/* Client supports channel binding, but we're not doing it today */
+			/*
+			 * Client supports channel binding and thinks that the server does
+			 * not. In this case, the server must fail authentication if it
+			 * supports channel binding, which is only the case if a connection
+			 * is done when SSL is used.
+			 */
+			if (state->ssl_in_use)
+				ereport(ERROR,
+						(errcode(ERRCODE_PROTOCOL_VIOLATION),
+						 errmsg("client supports SCRAM channel binding, but server needs it for SSL connections")));
+			input++;
+			if (*input != ',')
+				ereport(ERROR,
+						(errcode(ERRCODE_PROTOCOL_VIOLATION),
+						 errmsg("malformed SCRAM message"),
+						 errdetail("Comma expected, but found character \"%s\".",
+								   sanitize_char(*input))));
 			input++;
 			break;
 		case 'p':
+			{
+#ifdef USE_SSL
+				char *channel_name;
 
-			/*
-			 * Client requires channel binding.  We don't support it.
-			 *
-			 * RFC 5802 specifies a particular error code,
-			 * e=server-does-support-channel-binding, for this.  But it can
-			 * only be sent in the server-final message, and we don't want to
-			 * go through the motions of the authentication, knowing it will
-			 * fail, just to send that error message.
-			 */
-			ereport(ERROR,
-					(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
-					 errmsg("client requires SCRAM channel binding, but it is not supported")));
+				if (!state->ssl_in_use)
+					ereport(ERROR,
+							(errcode(ERRCODE_PROTOCOL_VIOLATION),
+							 errmsg("client requires SCRAM channel binding, but it is not supported")));
+
+				/*
+				 * Read value provided by client, only tls-unique is supported
+				 * for now.
+				 */
+				channel_name = read_attr_value(&input, 'p');
+				if (strcmp(channel_name, SCRAM_CHANNEL_TLS_UNIQUE) != 0)
+					ereport(ERROR,
+						(errcode(ERRCODE_PROTOCOL_VIOLATION),
+						 (errmsg("unexpected SCRAM channel-binding type"))));
+
+				/* Save the name for handling of subsequent messages */
+				state->channel_binding = pstrdup(channel_name);
+#else
+				/*
+				 * Client requires channel binding.  We don't support it.
+				 *
+				 * RFC 5802 specifies a particular error code,
+				 * e=server-does-support-channel-binding, for this.  But it
+				 * can only be sent in the server-final message, and we don't
+				 * want to go through the motions of the authentication,
+				 * knowing it will fail, just to send that error message.
+				 */
+				ereport(ERROR,
+						(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
+						 errmsg("client requires SCRAM channel binding, but it is not supported")));
+#endif
+			}
+			break;
 		default:
 			ereport(ERROR,
 					(errcode(ERRCODE_PROTOCOL_VIOLATION),
@@ -805,13 +869,6 @@ read_client_first_message(scram_state *state, char *input)
 					 errdetail("Unexpected channel-binding flag \"%s\".",
 							   sanitize_char(*input))));
 	}
-	if (*input != ',')
-		ereport(ERROR,
-				(errcode(ERRCODE_PROTOCOL_VIOLATION),
-				 errmsg("malformed SCRAM message"),
-				 errdetail("Comma expected, but found character \"%s\".",
-						   sanitize_char(*input))));
-	input++;
 
 	/*
 	 * Forbid optional authzid (authorization identity).  We don't support it.
@@ -1032,14 +1089,65 @@ read_client_final_message(scram_state *state, char *input)
 	 */
 
 	/*
-	 * Read channel-binding.  We don't support channel binding, so it's
-	 * expected to always be "biws", which is "n,,", base64-encoded.
+	 * Read channel-binding.  We don't support channel binding for builds
+	 * without SSL support or if the client does not want to use channel
+	 * binding, so it's expected to always be "biws" in this case, which
+	 * is "n,,", base64-encoded.  In builds supporting SSL, "biws" is
+	 * used for Non-SSL connection attempts, and for SSL connections the
+	 * client has to provide channel binding value if needed.
 	 */
 	channel_binding = read_attr_value(&p, 'c');
+#ifdef USE_SSL
+	if (state->ssl_in_use &&
+		state->channel_binding)
+	{
+		char	   *b64_message, *raw_data;
+		int			b64_message_len, raw_data_len;
+
+		/* Fetch data for each channel binding type */
+		if (strcmp(state->channel_binding, SCRAM_CHANNEL_TLS_UNIQUE) == 0)
+		{
+			raw_data = state->tls_finished_message;
+			raw_data_len = state->tls_finished_len;
+		}
+		else
+		{
+			/* should not happen */
+			elog(ERROR, "invalid channel binding type");
+		}
+
+		/* should not happen, but better safe than sorry */
+		if (raw_data == NULL)
+			elog(ERROR, "empty binding data for channel name \"%s\"",
+				 state->channel_binding);
+
+		b64_message = palloc(pg_b64_enc_len(raw_data_len) + 1);
+		b64_message_len = pg_b64_encode(raw_data, raw_data_len,
+										b64_message);
+		b64_message[b64_message_len] = '\0';
+
+		/*
+		 * Compare the value sent by the client with the value expected by
+		 * the server.
+		 */
+		if (strcmp(channel_binding, b64_message) != 0)
+			ereport(ERROR,
+					(errcode(ERRCODE_PROTOCOL_VIOLATION),
+					 (errmsg("no match for SCRAM channel-binding attribute in client-final-message"))));
+	}
+	else
+	{
+		if (strcmp(channel_binding, "biws") != 0)
+			ereport(ERROR,
+					(errcode(ERRCODE_PROTOCOL_VIOLATION),
+					 (errmsg("unexpected SCRAM channel-binding attribute in client-final-message"))));
+	}
+#else
 	if (strcmp(channel_binding, "biws") != 0)
 		ereport(ERROR,
 				(errcode(ERRCODE_PROTOCOL_VIOLATION),
 				 (errmsg("unexpected SCRAM channel-binding attribute in client-final-message"))));
+#endif
 	state->client_final_nonce = read_attr_value(&p, 'r');
 
 	/* ignore optional extensions */
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index 480e344eb3..5bceae2162 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -859,10 +859,14 @@ CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail)
 	void	   *scram_opaq;
 	char	   *output = NULL;
 	int			outputlen = 0;
-	char	   *input;
+	char	   *input, *p;
+	char	   *sasl_mechs;
 	int			inputlen;
+	int			listlen = 0;
 	int			result;
 	bool		initial;
+	char	   *tls_finished = NULL;
+	int			tls_finished_len = 0;
 
 	/*
 	 * SASL auth is not supported for protocol versions before 3, because it
@@ -879,12 +883,49 @@ CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail)
 
 	/*
 	 * Send the SASL authentication request to user.  It includes the list of
-	 * authentication mechanisms (which is trivial, because we only support
-	 * SCRAM-SHA-256 at the moment).  The extra "\0" is for an empty string to
-	 * terminate the list.
+	 * authentication mechanisms that are supported:
+	 * - SCRAM-SHA-256, which is the mechanism with the same name.
+	 * - SCRAM-SHA-256-PLUS, which is SCRAM-SHA-256 with channel binding. This
+	 * is advertised to the client only if connection is attempted with SSL.
+	 * The order of mechanisms is advertised in decreasing order of importance.
+	 * The extra "\0" is for an empty string to terminate the list, and each
+	 * mechanism listed needs to be separated with "\0".
 	 */
-	sendAuthRequest(port, AUTH_REQ_SASL, SCRAM_SHA256_NAME "\0",
-					strlen(SCRAM_SHA256_NAME) + 2);
+	listlen = 0;
+	sasl_mechs = (char *) palloc(strlen(SCRAM_SHA256_PLUS_NAME) +
+								 strlen(SCRAM_SHA256_NAME) + 3);
+	p = sasl_mechs;
+
+	/* add SCRAM-SHA-256-PLUS, which depends on if SSL is in use */
+	if (port->ssl_in_use)
+	{
+		strcpy(p, SCRAM_SHA256_PLUS_NAME);
+		listlen += strlen(SCRAM_SHA256_PLUS_NAME) + 1;
+		p += strlen(SCRAM_SHA256_PLUS_NAME) + 1;
+	}
+
+	/* add generic SCRAM-SHA-256 */
+	strcpy(p, SCRAM_SHA256_NAME);
+	listlen += strlen(SCRAM_SHA256_NAME) + 1;
+	p += strlen(SCRAM_SHA256_NAME) + 1;
+
+	/* put "\0" to mark that list is finished */
+	p[0] = '\0';
+	listlen++;
+
+	sendAuthRequest(port, AUTH_REQ_SASL, sasl_mechs, listlen);
+	pfree(sasl_mechs);
+
+#ifdef USE_SSL
+	/*
+	 * Fetch the data related to the SSL finish message to be used in the
+	 * exchange.
+	 */
+	if (port->ssl_in_use)
+	{
+		tls_finished = be_tls_get_peer_finish(port, &tls_finished_len);
+	}
+#endif
 
 	/*
 	 * Initialize the status tracker for message exchanges.
@@ -897,7 +938,11 @@ CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail)
 	 * This is because we don't want to reveal to an attacker what usernames
 	 * are valid, nor which users have a valid password.
 	 */
-	scram_opaq = pg_be_scram_init(port->user_name, shadow_pass);
+	scram_opaq = pg_be_scram_init(port->user_name,
+								  shadow_pass,
+								  port->ssl_in_use,
+								  tls_finished,
+								  tls_finished_len);
 
 	/*
 	 * Loop through SASL message exchange.  This exchange can consist of
@@ -946,15 +991,17 @@ CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail)
 			const char *selected_mech;
 
 			/*
-			 * We only support SCRAM-SHA-256 at the moment, so anything else
-			 * is an error.
+			 * We only support SCRAM-SHA-256 and SCRAM-SHA-256-PLUS at the
+			 * moment, so anything else is an error.
 			 */
 			selected_mech = pq_getmsgrawstring(&buf);
-			if (strcmp(selected_mech, SCRAM_SHA256_NAME) != 0)
+			if (strcmp(selected_mech, SCRAM_SHA256_NAME) != 0 &&
+				strcmp(selected_mech, SCRAM_SHA256_PLUS_NAME) != 0)
 			{
 				ereport(ERROR,
 						(errcode(ERRCODE_PROTOCOL_VIOLATION),
-						 errmsg("client selected an invalid SASL authentication mechanism")));
+						 errmsg("client selected an invalid SASL authentication mechanism"),
+						 errdetail("Incorrect SASL mechanism name specified")));
 			}
 
 			inputlen = pq_getmsgint(&buf, 4);
diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index fe15227a77..d063a587d0 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -1215,6 +1215,30 @@ be_tls_get_peerdn_name(Port *port, char *ptr, size_t len)
 		ptr[0] = '\0';
 }
 
+/*
+ * Routine to get the expected TLS finish message information from the
+ * client, useful for authorization when doing channel binding.
+ *
+ * Result is a palloc'd copy of the TLS finish message with its size.
+ */
+char *
+be_tls_get_peer_finish(Port *port, int *len)
+{
+	char		dummy[1];
+	char	   *result;
+
+	/*
+	 * OpenSSL does not offer an API to get directly the length of the
+	 * expected TLS finish message, so just do a dummy call to grab this
+	 * information to allow caller to do an allocation with a correct size.
+	 */
+	*len = SSL_get_peer_finished(port->ssl, dummy, sizeof(dummy));
+	result = (char *) palloc(*len * sizeof(char));
+	(void) SSL_get_peer_finished(port->ssl, result, *len);
+
+	return result;
+}
+
 /*
  * Convert an X509 subject name to a cstring.
  *
diff --git a/src/include/libpq/libpq-be.h b/src/include/libpq/libpq-be.h
index 7bde744d51..5d59d79822 100644
--- a/src/include/libpq/libpq-be.h
+++ b/src/include/libpq/libpq-be.h
@@ -209,6 +209,7 @@ extern bool be_tls_get_compression(Port *port);
 extern void be_tls_get_version(Port *port, char *ptr, size_t len);
 extern void be_tls_get_cipher(Port *port, char *ptr, size_t len);
 extern void be_tls_get_peerdn_name(Port *port, char *ptr, size_t len);
+extern char *be_tls_get_peer_finish(Port *port, int *len);
 #endif
 
 extern ProtocolVersion FrontendProtocol;
diff --git a/src/include/libpq/scram.h b/src/include/libpq/scram.h
index 0166e1945d..43cde0e46e 100644
--- a/src/include/libpq/scram.h
+++ b/src/include/libpq/scram.h
@@ -13,8 +13,12 @@
 #ifndef PG_SCRAM_H
 #define PG_SCRAM_H
 
-/* Name of SCRAM-SHA-256 per IANA */
+/* Name of SCRAM mechanisms per IANA */
 #define SCRAM_SHA256_NAME "SCRAM-SHA-256"
+#define SCRAM_SHA256_PLUS_NAME "SCRAM-SHA-256-PLUS"	/* with channel binding */
+
+/* Channel binding names */
+#define SCRAM_CHANNEL_TLS_UNIQUE	"tls-unique"
 
 /* Status codes for message exchange */
 #define SASL_EXCHANGE_CONTINUE		0
@@ -22,7 +26,9 @@
 #define SASL_EXCHANGE_FAILURE		2
 
 /* Routines dedicated to authentication */
-extern void *pg_be_scram_init(const char *username, const char *shadow_pass);
+extern void *pg_be_scram_init(const char *username, const char *shadow_pass,
+					 bool ssl_in_use, char *tls_finished_message,
+					 int tls_finished_len);
 extern int pg_be_scram_exchange(void *opaq, char *input, int inputlen,
 					 char **output, int *outputlen, char **logdetail);
 
diff --git a/src/interfaces/libpq/fe-auth-scram.c b/src/interfaces/libpq/fe-auth-scram.c
index edfd42df85..9bce4d980a 100644
--- a/src/interfaces/libpq/fe-auth-scram.c
+++ b/src/interfaces/libpq/fe-auth-scram.c
@@ -17,6 +17,7 @@
 #include "common/base64.h"
 #include "common/saslprep.h"
 #include "common/scram-common.h"
+#include "libpq/scram.h"
 #include "fe-auth.h"
 
 /* These are needed for getpid(), in the fallback implementation */
@@ -44,6 +45,13 @@ typedef struct
 	/* These are supplied by the user */
 	const char *username;
 	char	   *password;
+	bool		ssl_in_use;
+	bool		channel_binding_advertised;
+	char	   *tls_finished_message;
+	int			tls_finished_len;
+	/* enforce-able user parameters */
+	char	   *saslmechanism;		/* name of mechanism used */
+	char	   *saslchannelbinding;	/* name of channel binding to use */
 
 	/* We construct these */
 	uint8		SaltedPassword[SCRAM_KEY_LEN];
@@ -81,18 +89,41 @@ static bool pg_frontend_random(char *dst, int len);
  * Initialize SCRAM exchange status.
  */
 void *
-pg_fe_scram_init(const char *username, const char *password)
+pg_fe_scram_init(const char *username,
+				 const char *password,
+				 bool ssl_in_use,
+				 bool channel_binding_advertised,
+				 const char *saslmechanism,
+				 char *saslchannelbinding,
+				 char *tls_finished_message,
+				 int tls_finished_len)
 {
 	fe_scram_state *state;
 	char	   *prep_password;
 	pg_saslprep_rc rc;
 
+	Assert(saslmechanism != NULL);
+
 	state = (fe_scram_state *) malloc(sizeof(fe_scram_state));
 	if (!state)
 		return NULL;
 	memset(state, 0, sizeof(fe_scram_state));
 	state->state = FE_SCRAM_INIT;
 	state->username = username;
+	state->ssl_in_use = ssl_in_use;
+	state->channel_binding_advertised = channel_binding_advertised;
+	state->tls_finished_message = tls_finished_message;
+	state->tls_finished_len = tls_finished_len;
+	state->saslmechanism = strdup(saslmechanism);
+
+	/*
+	 * If user has specified a channel binding to use, enforce the
+	 * channel binding sent to it.  The default is "tls-unique".
+	 */
+	if (saslchannelbinding && strlen(saslchannelbinding) > 0)
+		state->saslchannelbinding = strdup(saslchannelbinding);
+	else
+		state->saslchannelbinding = strdup(SCRAM_CHANNEL_TLS_UNIQUE);
 
 	/* Normalize the password with SASLprep, if possible */
 	rc = pg_saslprep(password, &prep_password);
@@ -125,6 +156,12 @@ pg_fe_scram_free(void *opaq)
 
 	if (state->password)
 		free(state->password);
+	if (state->tls_finished_message)
+		free(state->tls_finished_message);
+	if (state->saslmechanism)
+		free(state->saslmechanism);
+	if (state->saslchannelbinding)
+		free(state->saslchannelbinding);
 
 	/* client messages */
 	if (state->client_nonce)
@@ -297,9 +334,10 @@ static char *
 build_client_first_message(fe_scram_state *state, PQExpBuffer errormessage)
 {
 	char		raw_nonce[SCRAM_RAW_NONCE_LEN + 1];
-	char	   *buf;
-	char		buflen;
+	char	   *result;
+	int			channel_info_len;
 	int			encoded_len;
+	PQExpBufferData buf;
 
 	/*
 	 * Generate a "raw" nonce.  This is converted to ASCII-printable form by
@@ -328,26 +366,88 @@ build_client_first_message(fe_scram_state *state, PQExpBuffer errormessage)
 	 * prepared with SASLprep, the message parsing would fail if it includes
 	 * '=' or ',' characters.
 	 */
-	buflen = 8 + strlen(state->client_nonce) + 1;
-	buf = malloc(buflen);
-	if (buf == NULL)
+	initPQExpBuffer(&buf);
+
+	/*
+	 * First build the query field for channel binding.  Conditions used for
+	 * the decision-making are described in more details below.
+	 */
+#ifdef USE_SSL
+	if (strcmp(state->saslmechanism, SCRAM_SHA256_PLUS_NAME) == 0)
 	{
-		printfPQExpBuffer(errormessage,
-						  libpq_gettext("out of memory\n"));
-		return NULL;
-	}
-	snprintf(buf, buflen, "n,,n=,r=%s", state->client_nonce);
+		if (!state->ssl_in_use)
+		{
+			/*
+			 * Attempting to use channel binding, but this is not supported
+			 * in non-SSL contexts, so complain.
+			 */
+			printfPQExpBuffer(errormessage,
+				  libpq_gettext("channel binding not supported in non-SSL context.\n"));
+			return NULL;
+		}
 
-	state->client_first_message_bare = strdup(buf + 3);
-	if (!state->client_first_message_bare)
+		if (state->channel_binding_advertised)
+		{
+			/*
+			 * Channel binding is wanted by client and server supports it
+			 * so allow its use.
+			 */
+			appendPQExpBuffer(&buf, "p=%s", state->saslchannelbinding);
+		}
+		else
+		{
+			/*
+			 * Client supports channel binding and expects the server to
+			 * do so as well, so let the server know about that. Note that
+			 * as authentication is not complete yet, we do not know the
+			 * backend version, so there is not much we can do about it.
+			 */
+			appendPQExpBuffer(&buf, "y");
+			return NULL;
+		}
+	}
+	else
 	{
-		free(buf);
-		printfPQExpBuffer(errormessage,
-						  libpq_gettext("out of memory\n"));
-		return NULL;
+		/*
+		 * Caller may not wish to use channel binding, so let server know
+		 * that.
+		 */
+		appendPQExpBuffer(&buf, "n");
 	}
+#else
+	/* Build does not support SSL, so it does not support channel binding */
+	appendPQExpBuffer(&buf, "n");
+#endif
+
+	if (PQExpBufferDataBroken(buf))
+		goto oom_error;
 
-	return buf;
+	channel_info_len = buf.len;
+
+	appendPQExpBuffer(&buf, ",,n=,r=%s", state->client_nonce);
+	if (PQExpBufferDataBroken(buf))
+		goto oom_error;
+
+	/*
+	 * The first message content needs to be saved without channel binding
+	 * information.
+	 */
+	state->client_first_message_bare = strdup(buf.data + channel_info_len + 2);
+	if (!state->client_first_message_bare)
+		goto oom_error;
+
+	result = strdup(buf.data);
+	if (result == NULL)
+		goto oom_error;
+
+	termPQExpBuffer(&buf);
+	return result;
+
+oom_error:
+	termPQExpBuffer(&buf);
+	printfPQExpBuffer(errormessage,
+					  libpq_gettext("out of memory\n"));
+	return NULL;
 }
 
 /*
@@ -365,8 +465,57 @@ build_client_final_message(fe_scram_state *state, PQExpBuffer errormessage)
 	/*
 	 * Construct client-final-message-without-proof.  We need to remember it
 	 * for verifying the server proof in the final step of authentication.
+	 * Client needs to provide a b64 encoded string of the TLS finish message
+	 * only if a SSL connection is attempted.
 	 */
-	appendPQExpBuffer(&buf, "c=biws,r=%s", state->nonce);
+#ifdef USE_SSL
+	if (strcmp(state->saslmechanism, SCRAM_SHA256_PLUS_NAME) == 0)
+	{
+		char	   *raw_data;
+		int			raw_data_len;
+
+		if (strcmp(state->saslchannelbinding, SCRAM_CHANNEL_TLS_UNIQUE) == 0)
+		{
+			raw_data = state->tls_finished_message;
+			raw_data_len = state->tls_finished_len;
+		}
+		else
+		{
+			/* should not happen */
+			termPQExpBuffer(&buf);
+			printfPQExpBuffer(errormessage,
+							  libpq_gettext("incorrect channel binding name\n"));
+			return NULL;
+		}
+
+		/* should not happen, but better safe than sorry */
+		if (raw_data == NULL)
+		{
+			/* should not happen */
+			termPQExpBuffer(&buf);
+			printfPQExpBuffer(errormessage,
+							  libpq_gettext("empty binding data for channel name \"%s\"\n"),
+							  state->saslchannelbinding);
+			return NULL;
+		}
+
+		appendPQExpBuffer(&buf, "c=");
+
+		if (!enlargePQExpBuffer(&buf, pg_b64_enc_len(raw_data_len)))
+			goto oom_error;
+		buf.len += pg_b64_encode(raw_data, raw_data_len, buf.data + buf.len);
+		buf.data[buf.len] = '\0';
+	}
+	else
+		appendPQExpBuffer(&buf, "c=biws");
+#else
+	appendPQExpBuffer(&buf, "c=biws");
+#endif
+
+	if (PQExpBufferDataBroken(buf))
+		goto oom_error;
+
+	appendPQExpBuffer(&buf, ",r=%s", state->nonce);
 	if (PQExpBufferDataBroken(buf))
 		goto oom_error;
 
diff --git a/src/interfaces/libpq/fe-auth.c b/src/interfaces/libpq/fe-auth.c
index 382558f3f8..fa24c88522 100644
--- a/src/interfaces/libpq/fe-auth.c
+++ b/src/interfaces/libpq/fe-auth.c
@@ -491,6 +491,10 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 	bool		success;
 	const char *selected_mechanism;
 	PQExpBufferData mechanism_buf;
+	bool		channel_binding_advertised = false;
+	char	   *tls_finished = NULL;
+	int			tls_finished_len = 0;
+	char	   *password;
 
 	initPQExpBuffer(&mechanism_buf);
 
@@ -504,7 +508,8 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 	/*
 	 * Parse the list of SASL authentication mechanisms in the
 	 * AuthenticationSASL message, and select the best mechanism that we
-	 * support.  (Only SCRAM-SHA-256 is supported at the moment.)
+	 * support.  SCRAM-SHA-256-PLUS and SCRAM-SHA-256 are the only ones
+	 * supported at the moment, listed by order of decreasing importance.
 	 */
 	selected_mechanism = NULL;
 	for (;;)
@@ -522,6 +527,15 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 		if (mechanism_buf.data[0] == '\0')
 			break;
 
+		/*
+		 * The SASL exchange needs to know if channel binding has been
+		 * advertized. This prevents attacks from rogue servers that
+		 * may have the correct version but are not telling clients that
+		 * about channel binding.
+		 */
+		if (strcmp(mechanism_buf.data, SCRAM_SHA256_PLUS_NAME) == 0)
+			channel_binding_advertised = true;
+
 		/*
 		 * If we have already selected a mechanism, just skip through the rest
 		 * of the list.
@@ -532,25 +546,26 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 		/*
 		 * Do we support this mechanism?
 		 */
-		if (strcmp(mechanism_buf.data, SCRAM_SHA256_NAME) == 0)
+		if (strcmp(mechanism_buf.data, SCRAM_SHA256_NAME) == 0 ||
+			strcmp(mechanism_buf.data, SCRAM_SHA256_PLUS_NAME) == 0)
 		{
-			char	   *password;
-
-			conn->password_needed = true;
-			password = conn->connhost[conn->whichhost].password;
-			if (password == NULL)
-				password = conn->pgpass;
-			if (password == NULL || password[0] == '\0')
-			{
-				printfPQExpBuffer(&conn->errorMessage,
-								  PQnoPasswordSupplied);
-				goto error;
-			}
-
-			conn->sasl_state = pg_fe_scram_init(conn->pguser, password);
-			if (!conn->sasl_state)
-				goto oom_error;
-			selected_mechanism = SCRAM_SHA256_NAME;
+			/*
+			 * Select the mechanism to use by default. If SSL connection
+			 * is attempted, the server will expect the -PLUS mechanism.
+			 * If not, fallback to SCRAM-SHA-256.
+			 */
+#ifdef USE_SSL
+			if (conn->ssl_in_use &&
+				strcmp(mechanism_buf.data, SCRAM_SHA256_PLUS_NAME) == 0)
+				selected_mechanism = SCRAM_SHA256_PLUS_NAME;
+			else if (!conn->ssl_in_use &&
+					 strcmp(mechanism_buf.data, SCRAM_SHA256_NAME) == 0)
+				selected_mechanism = SCRAM_SHA256_NAME;
+#else
+			/* No channel binding can be selected without SSL support */
+			if (strcmp(mechanism_buf.data, SCRAM_SHA256_NAME) == 0)
+				selected_mechanism = SCRAM_SHA256_NAME;
+#endif
 		}
 	}
 
@@ -561,6 +576,53 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 		goto error;
 	}
 
+	/*
+	 * Now that the SASL mechanism has been chosen for the exchange,
+	 * initialize its state information. First select the password to
+	 * use for the exchange protocol, complaining back if none are
+	 * provided.
+	 */
+	conn->password_needed = true;
+	password = conn->connhost[conn->whichhost].password;
+	if (password == NULL)
+		password = conn->pgpass;
+	if (password == NULL || password[0] == '\0')
+	{
+		printfPQExpBuffer(&conn->errorMessage,
+						  PQnoPasswordSupplied);
+		goto error;
+	}
+
+#ifdef USE_SSL
+	/*
+	 * Fetch information about the TLS finish message and client
+	 * certificate if any.
+	 */
+	if (conn->ssl_in_use)
+	{
+		tls_finished = pgtls_get_finish(conn, &tls_finished_len);
+		if (tls_finished == NULL)
+			goto oom_error;
+	}
+#endif
+
+	/*
+	 * Initialize the SASL state information with all the information
+	 * gathered during the initial exchange.
+	 *
+	 * Note: Only tls-unique is supported for the moment.
+	 */
+	conn->sasl_state = pg_fe_scram_init(conn->pguser,
+										password,
+										conn->ssl_in_use,
+										channel_binding_advertised,
+										selected_mechanism,
+										NULL,	/* default channel binding */
+										tls_finished,
+										tls_finished_len);
+	if (!conn->sasl_state)
+		goto oom_error;
+
 	/* Get the mechanism-specific Initial Client Response, if any */
 	pg_fe_scram_exchange(conn->sasl_state,
 						 NULL, -1,
diff --git a/src/interfaces/libpq/fe-auth.h b/src/interfaces/libpq/fe-auth.h
index 5dc6bb5341..81378d0008 100644
--- a/src/interfaces/libpq/fe-auth.h
+++ b/src/interfaces/libpq/fe-auth.h
@@ -23,7 +23,10 @@ extern int	pg_fe_sendauth(AuthRequest areq, int payloadlen, PGconn *conn);
 extern char *pg_fe_getauthname(PQExpBuffer errorMessage);
 
 /* Prototypes for functions in fe-auth-scram.c */
-extern void *pg_fe_scram_init(const char *username, const char *password);
+extern void *pg_fe_scram_init(const char *username, const char *password,
+					 bool ssl_in_use, bool channel_binding_advertised,
+					 const char *saslmechanism,char *saslchannelbinding,
+					 char *tls_finished_message, int tls_finished_len);
 extern void pg_fe_scram_free(void *opaq);
 extern void pg_fe_scram_exchange(void *opaq, char *input, int inputlen,
 					 char **output, int *outputlen,
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 2f29820e82..84a6e3c322 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -393,6 +393,32 @@ pgtls_write(PGconn *conn, const void *ptr, size_t len)
 	return n;
 }
 
+/*
+ *	Get the TLS finish message sent during last handshake
+ *
+ * This information is useful for callers doing channel binding during
+ * authentication.
+ */
+char *
+pgtls_get_finish(PGconn *conn, int *len)
+{
+	char		dummy[1];
+	char	   *result;
+
+	/*
+	 * OpenSSL does not offer an API to get directly the length of the
+	 * TLS finish message sent, so first do a dummy call to grab this
+	 * information and then do an allocation with the correct size.
+	 */
+	*len = SSL_get_finished(conn->ssl, dummy, sizeof(dummy));
+	result = malloc(*len);
+	if (result == NULL)
+		return NULL;
+	(void) SSL_get_finished(conn->ssl, result, *len);
+	return result;
+}
+
+
 /* ------------------------------------------------------------ */
 /*						OpenSSL specific code					*/
 /* ------------------------------------------------------------ */
diff --git a/src/interfaces/libpq/libpq-int.h b/src/interfaces/libpq/libpq-int.h
index 42913604e3..0eb8b60c95 100644
--- a/src/interfaces/libpq/libpq-int.h
+++ b/src/interfaces/libpq/libpq-int.h
@@ -453,11 +453,13 @@ struct pg_conn
 	/* Assorted state for SASL, SSL, GSS, etc */
 	void	   *sasl_state;
 
+	/* SSL structures */
+	bool		ssl_in_use;
+
 #ifdef USE_SSL
 	bool		allow_ssl_try;	/* Allowed to try SSL negotiation */
 	bool		wait_ssl_try;	/* Delay SSL negotiation until after
 								 * attempting normal connection */
-	bool		ssl_in_use;
 #ifdef USE_OPENSSL
 	SSL		   *ssl;			/* SSL status, if have SSL connection */
 	X509	   *peer;			/* X509 cert of server */
@@ -668,6 +670,7 @@ extern void pgtls_close(PGconn *conn);
 extern ssize_t pgtls_read(PGconn *conn, void *ptr, size_t len);
 extern bool pgtls_read_pending(PGconn *conn);
 extern ssize_t pgtls_write(PGconn *conn, const void *ptr, size_t len);
+extern char *pgtls_get_finish(PGconn *conn, int *len);
 
 /*
  * this is so that we can check if a connection is non-blocking internally
diff --git a/src/test/ssl/ServerSetup.pm b/src/test/ssl/ServerSetup.pm
index ad2e036602..b71969ac75 100644
--- a/src/test/ssl/ServerSetup.pm
+++ b/src/test/ssl/ServerSetup.pm
@@ -91,6 +91,9 @@ sub configure_test_server_for_ssl
 {
 	my $node       = $_[0];
 	my $serverhost = $_[1];
+	my $sslmethod  = $_[2];
+	my $passwd     = $_[3];
+	my $passwdhash = $_[4];
 
 	my $pgdata = $node->data_dir;
 
@@ -100,6 +103,15 @@ sub configure_test_server_for_ssl
 	$node->psql('postgres', "CREATE DATABASE trustdb");
 	$node->psql('postgres', "CREATE DATABASE certdb");
 
+	# Update password of each user as needed.
+	if (defined($passwd))
+	{
+		$node->psql('postgres',
+"SET password_encryption='$passwdhash'; ALTER USER ssltestuser PASSWORD '$passwd';");
+		$node->psql('postgres',
+"SET password_encryption='$passwdhash'; ALTER USER anotheruser PASSWORD '$passwd';");
+	}
+
 	# enable logging etc.
 	open my $conf, '>>', "$pgdata/postgresql.conf";
 	print $conf "fsync=off\n";
@@ -129,7 +141,7 @@ sub configure_test_server_for_ssl
 	$node->restart;
 
 	# Change pg_hba after restart because hostssl requires ssl=on
-	configure_hba_for_ssl($node, $serverhost);
+	configure_hba_for_ssl($node, $serverhost, $sslmethod);
 }
 
 # Change the configuration to use given server cert file, and reload
@@ -159,6 +171,7 @@ sub configure_hba_for_ssl
 {
 	my $node       = $_[0];
 	my $serverhost = $_[1];
+	my $sslmethod  = $_[2];
 	my $pgdata     = $node->data_dir;
 
   # Only accept SSL connections from localhost. Our tests don't depend on this
@@ -169,9 +182,9 @@ sub configure_hba_for_ssl
 	print $hba
 "# TYPE  DATABASE        USER            ADDRESS                 METHOD\n";
 	print $hba
-"hostssl trustdb         ssltestuser     $serverhost/32            trust\n";
+"hostssl trustdb         ssltestuser     $serverhost/32          $sslmethod\n";
 	print $hba
-"hostssl trustdb         ssltestuser     ::1/128                 trust\n";
+"hostssl trustdb         ssltestuser     ::1/128                 $sslmethod\n";
 	print $hba
 "hostssl certdb          ssltestuser     $serverhost/32            cert\n";
 	print $hba
diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl
index 890e3051a2..e690c1fa15 100644
--- a/src/test/ssl/t/001_ssltests.pl
+++ b/src/test/ssl/t/001_ssltests.pl
@@ -32,7 +32,7 @@ $node->init;
 $ENV{PGHOST} = $node->host;
 $ENV{PGPORT} = $node->port;
 $node->start;
-configure_test_server_for_ssl($node, $SERVERHOSTADDR);
+configure_test_server_for_ssl($node, $SERVERHOSTADDR, "trust");
 switch_server_cert($node, 'server-cn-only');
 
 ### Part 1. Run client-side tests.
diff --git a/src/test/ssl/t/002_sasl.pl b/src/test/ssl/t/002_sasl.pl
new file mode 100644
index 0000000000..d43a970b55
--- /dev/null
+++ b/src/test/ssl/t/002_sasl.pl
@@ -0,0 +1,41 @@
+use strict;
+use warnings;
+use PostgresNode;
+use TestLib;
+use Test::More tests => 1;
+use ServerSetup;
+use File::Copy;
+
+# test combinations of SASL authentication for SCRAM mechanism:
+# - SCRAM-SHA-256 and SCRAM-SHA-256-PLUS
+# - Channel bindings
+
+# This is the hostname used to connect to the server.
+my $SERVERHOSTADDR = '127.0.0.1';
+
+# Allocation of base connection string shared among multiple tests.
+my $common_connstr;
+
+#### Part 0. Set up the server.
+
+note "setting up data directory";
+my $node = get_new_node('master');
+$node->init;
+
+# PGHOST is enforced here to set up the node, subsequent connections
+# will use a dedicated connection string.
+$ENV{PGHOST} = $node->host;
+$ENV{PGPORT} = $node->port;
+$node->start;
+
+# Configure server for SSL connections, with password handling.
+configure_test_server_for_ssl($node, $SERVERHOSTADDR, "scram-sha-256",
+							  "pass", "scram-sha-256");
+switch_server_cert($node, 'server-cn-only');
+$ENV{PGPASSWORD} = "pass";
+$common_connstr =
+"user=ssltestuser dbname=trustdb sslmode=require hostaddr=$SERVERHOSTADDR";
+
+# Tests with default channel binding and SASL mechanism names.
+# tls-unique is used here with channel binding.
+test_connect_ok($common_connstr, "");
-- 
2.14.2

From d9214f8a63608369bc1e70b8468799dcc8ab718a Mon Sep 17 00:00:00 2001
From: Michael Paquier <michael@paquier.xyz>
Date: Tue, 10 Oct 2017 21:49:37 +0900
Subject: [PATCH 3/4] Add connection parameters "saslname" and
 "saslchannelbinding"

Those parameters can be used to respectively enforce the value of the
SASL mechanism name and the channel binding name sent to server during
a SASL message exchange.

A set of tests dedicated to SASL and channel binding is added as well
to the SSL test suite, which is handy to check the validity of a patch.
---
 doc/src/sgml/libpq.sgml           | 24 ++++++++++++++++++++++++
 src/backend/libpq/auth-scram.c    |  1 +
 src/interfaces/libpq/fe-auth.c    |  9 ++++++++-
 src/interfaces/libpq/fe-connect.c | 13 +++++++++++++
 src/interfaces/libpq/libpq-int.h  |  2 ++
 src/test/ssl/t/002_sasl.pl        | 18 +++++++++++++++---
 6 files changed, 63 insertions(+), 4 deletions(-)

diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml
index 0aedd837dc..5709f4098c 100644
--- a/doc/src/sgml/libpq.sgml
+++ b/doc/src/sgml/libpq.sgml
@@ -1222,6 +1222,30 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname
       </listitem>
      </varlistentry>
 
+     <varlistentry id="libpq-saslname" xreflabel="saslname">
+      <term><literal>saslname</literal></term>
+      <listitem>
+       <para>
+        Controls the name of the SASL mechanism name sent to server when doing
+        a message exchange for a SASL authentication. The list of SASL
+        mechanisms supported by server are listed in
+        <xref linkend="sasl-authentication">.
+       </para>
+      </listitem>
+     </varlistentry>
+
+     <varlistentry id="libpq-saslchannelbinding" xreflabel="saslchannelbinding">
+      <term><literal>saslchannelbinding</literal></term>
+      <listitem>
+       <para>
+        Controls the name of the channel binding name sent to server when doing
+        a message exchange for a SASL authentication. The list of channel
+        binding names supported by server are listed in
+        <xref linkend="sasl-authentication">.
+       </para>
+      </listitem>
+     </varlistentry>
+     
      <varlistentry id="libpq-connect-sslmode" xreflabel="sslmode">
       <term><literal>sslmode</literal></term>
       <listitem>
diff --git a/src/backend/libpq/auth-scram.c b/src/backend/libpq/auth-scram.c
index 2efc198459..a90abf4c3b 100644
--- a/src/backend/libpq/auth-scram.c
+++ b/src/backend/libpq/auth-scram.c
@@ -1097,6 +1097,7 @@ read_client_final_message(scram_state *state, char *input)
 	 * client has to provide channel binding value if needed.
 	 */
 	channel_binding = read_attr_value(&p, 'c');
+
 #ifdef USE_SSL
 	if (state->ssl_in_use &&
 		state->channel_binding)
diff --git a/src/interfaces/libpq/fe-auth.c b/src/interfaces/libpq/fe-auth.c
index fa24c88522..97de9a0a30 100644
--- a/src/interfaces/libpq/fe-auth.c
+++ b/src/interfaces/libpq/fe-auth.c
@@ -569,6 +569,13 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 		}
 	}
 
+	/*
+	 * If user has asked for a specific mechanism name, enforce the chosen
+	 * name to it.
+	 */
+	if (conn->saslname && strlen(conn->saslname) > 0)
+		selected_mechanism = conn->saslname;
+
 	if (!selected_mechanism)
 	{
 		printfPQExpBuffer(&conn->errorMessage,
@@ -617,7 +624,7 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 										conn->ssl_in_use,
 										channel_binding_advertised,
 										selected_mechanism,
-										NULL,	/* default channel binding */
+										conn->saslchannelbinding,
 										tls_finished,
 										tls_finished_len);
 	if (!conn->sasl_state)
diff --git a/src/interfaces/libpq/fe-connect.c b/src/interfaces/libpq/fe-connect.c
index 5f79803607..1d964b0ca0 100644
--- a/src/interfaces/libpq/fe-connect.c
+++ b/src/interfaces/libpq/fe-connect.c
@@ -262,6 +262,15 @@ static const internalPQconninfoOption PQconninfoOptions[] = {
 		"TCP-Keepalives-Count", "", 10, /* strlen(INT32_MAX) == 10 */
 	offsetof(struct pg_conn, keepalives_count)},
 
+	/* Set of options proper to SASL */
+	{"saslname", NULL, NULL, NULL,
+		"SASL-Name", "", 21,	/* maximum name size per IANA == 21 */
+	offsetof(struct pg_conn, saslname)},
+
+	{"saslchannelbinding", NULL, NULL, NULL,
+		"SASL-Channel", "", 22,	/* sizeof("tls-unique-for-telnet") == 22 */
+	offsetof(struct pg_conn, saslchannelbinding)},
+
 	/*
 	 * ssl options are allowed even without client SSL support because the
 	 * client can still handle SSL modes "disable" and "allow". Other
@@ -3470,6 +3479,10 @@ freePGconn(PGconn *conn)
 		free(conn->keepalives_interval);
 	if (conn->keepalives_count)
 		free(conn->keepalives_count);
+	if (conn->saslname)
+		free(conn->saslname);
+	if (conn->saslchannelbinding)
+		free(conn->saslchannelbinding);
 	if (conn->sslmode)
 		free(conn->sslmode);
 	if (conn->sslcert)
diff --git a/src/interfaces/libpq/libpq-int.h b/src/interfaces/libpq/libpq-int.h
index 0eb8b60c95..6d500aa5db 100644
--- a/src/interfaces/libpq/libpq-int.h
+++ b/src/interfaces/libpq/libpq-int.h
@@ -349,6 +349,8 @@ struct pg_conn
 										 * retransmits */
 	char	   *keepalives_count;	/* maximum number of TCP keepalive
 									 * retransmits */
+	char	   *saslname;			/* SASL mechanism name */
+	char	   *saslchannelbinding;	/* channel binding used in SASL */
 	char	   *sslmode;		/* SSL mode (require,prefer,allow,disable) */
 	char	   *sslcompression; /* SSL compression (0 or 1) */
 	char	   *sslkey;			/* client key filename */
diff --git a/src/test/ssl/t/002_sasl.pl b/src/test/ssl/t/002_sasl.pl
index d43a970b55..e9226903ca 100644
--- a/src/test/ssl/t/002_sasl.pl
+++ b/src/test/ssl/t/002_sasl.pl
@@ -2,7 +2,7 @@ use strict;
 use warnings;
 use PostgresNode;
 use TestLib;
-use Test::More tests => 1;
+use Test::More tests => 6;
 use ServerSetup;
 use File::Copy;
 
@@ -37,5 +37,17 @@ $common_connstr =
 "user=ssltestuser dbname=trustdb sslmode=require hostaddr=$SERVERHOSTADDR";
 
 # Tests with default channel binding and SASL mechanism names.
-# tls-unique is used here with channel binding.
-test_connect_ok($common_connstr, "");
+# tls-unique is used here
+test_connect_ok($common_connstr, "saslname=SCRAM-SHA-256-PLUS");
+test_connect_fails($common_connstr, "saslname=not-exists");
+# Having a client willing to not use channel binding should work, and
+# so should this series.
+test_connect_ok($common_connstr, "saslname=SCRAM-SHA-256");
+test_connect_ok($common_connstr,
+		"saslname=SCRAM-SHA-256 saslchannelbinding=tls-unique");
+
+# Channel bindings
+test_connect_ok($common_connstr,
+		"saslname=SCRAM-SHA-256-PLUS saslchannelbinding=tls-unique");
+test_connect_fails($common_connstr,
+		"saslname=SCRAM-SHA-256-PLUS saslchannelbinding=not-exists");
-- 
2.14.2

From 2dbffc90b29f1c7d87978d9f8d8177e70b6c9b1f Mon Sep 17 00:00:00 2001
From: Michael Paquier <michael@paquier.xyz>
Date: Tue, 10 Oct 2017 22:04:22 +0900
Subject: [PATCH 4/4] Implement channel binding tls-server-end-point for SCRAM

As referenced in RFC 5929, this channel binding is not the default value
and uses a hash of the certificate as binding data. On the frontend, this
can be resumed in getting the data from SSL_get_peer_certificate() and
on the backend SSL_get_certificate().

The hashing algorithm needs also to switch to SHA-256 if the signature
algorithm is MD5 or SHA-1, so let's be careful about that.
---
 doc/src/sgml/protocol.sgml               |  4 +-
 src/backend/libpq/auth-scram.c           | 21 +++++++--
 src/backend/libpq/auth.c                 | 13 ++++--
 src/backend/libpq/be-secure-openssl.c    | 61 +++++++++++++++++++++++++
 src/include/libpq/libpq-be.h             |  1 +
 src/include/libpq/scram.h                |  4 +-
 src/interfaces/libpq/fe-auth-scram.c     | 20 +++++++-
 src/interfaces/libpq/fe-auth.c           | 12 ++++-
 src/interfaces/libpq/fe-auth.h           |  3 +-
 src/interfaces/libpq/fe-secure-openssl.c | 78 ++++++++++++++++++++++++++++++++
 src/interfaces/libpq/libpq-int.h         |  1 +
 src/test/ssl/t/002_sasl.pl               |  6 ++-
 12 files changed, 209 insertions(+), 15 deletions(-)

diff --git a/doc/src/sgml/protocol.sgml b/doc/src/sgml/protocol.sgml
index 3ba8575fba..d86d354397 100644
--- a/doc/src/sgml/protocol.sgml
+++ b/doc/src/sgml/protocol.sgml
@@ -1550,8 +1550,8 @@ the password is in.
   <para>
 <firstterm>Channel binding</> is supported in builds with SSL support, and
 uses as mechanism name <literal>SCRAM-SHA-256-PLUS</> for this purpose as
-defined per IANA. The only channel binding type supported by the server
-is <literal>tls-unique</>.
+defined per IANA. The channel binding types supported by the server
+are <literal>tls-unique</>, the default, and <literal>tls-server-end-point</>.
   </para>
 
 <procedure>
diff --git a/src/backend/libpq/auth-scram.c b/src/backend/libpq/auth-scram.c
index a90abf4c3b..02fd3332ac 100644
--- a/src/backend/libpq/auth-scram.c
+++ b/src/backend/libpq/auth-scram.c
@@ -113,6 +113,8 @@ typedef struct
 	bool		ssl_in_use;
 	char	   *tls_finished_message;
 	int			tls_finished_len;
+	char	   *certificate_hash;
+	int			certificate_hash_len;
 	char	   *channel_binding;
 
 	int			iterations;
@@ -175,7 +177,9 @@ pg_be_scram_init(const char *username,
 				 const char *shadow_pass,
 				 bool ssl_in_use,
 				 char *tls_finished_message,
-				 int tls_finished_len)
+				 int tls_finished_len,
+				 char *certificate_hash,
+				 int certificate_hash_len)
 {
 	scram_state *state;
 	bool		got_verifier;
@@ -186,6 +190,8 @@ pg_be_scram_init(const char *username,
 	state->ssl_in_use = ssl_in_use;
 	state->tls_finished_message = tls_finished_message;
 	state->tls_finished_len = tls_finished_len;
+	state->certificate_hash = certificate_hash;
+	state->certificate_hash_len = certificate_hash_len;
 	state->channel_binding = NULL;
 
 	/*
@@ -835,11 +841,12 @@ read_client_first_message(scram_state *state, char *input)
 							 errmsg("client requires SCRAM channel binding, but it is not supported")));
 
 				/*
-				 * Read value provided by client, only tls-unique is supported
-				 * for now.
+				 * Read value provided by client, only tls-unique and
+				 * tls-server-end-point are supported for now.
 				 */
 				channel_name = read_attr_value(&input, 'p');
-				if (strcmp(channel_name, SCRAM_CHANNEL_TLS_UNIQUE) != 0)
+				if (strcmp(channel_name, SCRAM_CHANNEL_TLS_UNIQUE) != 0 &&
+					strcmp(channel_name, SCRAM_CHANNEL_TLS_ENDPOINT) != 0)
 					ereport(ERROR,
 						(errcode(ERRCODE_PROTOCOL_VIOLATION),
 						 (errmsg("unexpected SCRAM channel-binding type"))));
@@ -1111,6 +1118,12 @@ read_client_final_message(scram_state *state, char *input)
 			raw_data = state->tls_finished_message;
 			raw_data_len = state->tls_finished_len;
 		}
+		else if (strcmp(state->channel_binding,
+						SCRAM_CHANNEL_TLS_ENDPOINT) == 0)
+		{
+			raw_data = state->certificate_hash;
+			raw_data_len = state->certificate_hash_len;
+		}
 		else
 		{
 			/* should not happen */
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index 5bceae2162..338e3d7a0d 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -867,6 +867,8 @@ CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail)
 	bool		initial;
 	char	   *tls_finished = NULL;
 	int			tls_finished_len = 0;
+	char	   *certificate_hash = NULL;
+	int			certificate_hash_len = 0;
 
 	/*
 	 * SASL auth is not supported for protocol versions before 3, because it
@@ -918,12 +920,15 @@ CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail)
 
 #ifdef USE_SSL
 	/*
-	 * Fetch the data related to the SSL finish message to be used in the
-	 * exchange.
+	 * Fetch the data related to the SSL finish message and the client
+	 * certificate (if any) to be used in the exchange.
 	 */
 	if (port->ssl_in_use)
 	{
 		tls_finished = be_tls_get_peer_finish(port, &tls_finished_len);
+		certificate_hash =
+			be_tls_get_certificate_hash(port,
+										&certificate_hash_len);
 	}
 #endif
 
@@ -942,7 +947,9 @@ CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail)
 								  shadow_pass,
 								  port->ssl_in_use,
 								  tls_finished,
-								  tls_finished_len);
+								  tls_finished_len,
+								  certificate_hash,
+								  certificate_hash_len);
 
 	/*
 	 * Loop through SASL message exchange.  This exchange can consist of
diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index d063a587d0..bf9cef7f15 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -1239,6 +1239,67 @@ be_tls_get_peer_finish(Port *port, int *len)
 	return result;
 }
 
+/*
+ * Get the server certificate hash for authentication purposes. Per
+ * RFC 5929 and tls-server-end-point, the TLS server's certificate bytes
+ * need to be hashed with SHA-256 if its signature algorithm is MD5 or
+ * SHA-1 as per RFC 5929 (https://tools.ietf.org/html/rfc5929#section-4.1).
+ * If something else is used, the same hash as the signature algorithm is
+ * used. The result is a palloc'd hash of the server certificate with its
+ * size, and NULL if there is no certificate available.
+ */
+char *
+be_tls_get_certificate_hash(Port *port, int *len)
+{
+	char	*cert_hash = NULL;
+	X509	*server_cert;
+
+	*len = 0;
+	server_cert = SSL_get_certificate(port->ssl);
+
+	if (server_cert != NULL)
+	{
+		const EVP_MD   *algo_type = NULL;
+		char			hash[EVP_MAX_MD_SIZE];	/* size for SHA-512 */
+		unsigned int	hash_size;
+		int				algo_nid;
+
+		/*
+		 * Get the signature algorithm of the certificate to determine the
+		 * hash algorithm to use for the result.
+		 */
+		if (!OBJ_find_sigid_algs(X509_get_signature_nid(server_cert),
+								 &algo_nid, NULL))
+			elog(ERROR, "could not find signature algorithm");
+
+		switch (algo_nid)
+		{
+			case NID_md5:
+			case NID_sha1:
+				algo_type = EVP_sha256();
+				break;
+
+			default:
+				algo_type = EVP_get_digestbynid(algo_nid);
+				if (algo_type == NULL)
+					elog(ERROR, "could not find digest for NID %s",
+						 OBJ_nid2sn(algo_nid));
+				break;
+		}
+
+		/* generate and save the certificate hash */
+		if (!X509_digest(server_cert, algo_type, (unsigned char *) hash,
+						 &hash_size))
+			elog(ERROR, "could not generate server certificate hash");
+
+		cert_hash = (char *) palloc(hash_size);
+		memcpy(cert_hash, hash, hash_size);
+		*len = hash_size;
+	}
+
+	return cert_hash;
+}
+
 /*
  * Convert an X509 subject name to a cstring.
  *
diff --git a/src/include/libpq/libpq-be.h b/src/include/libpq/libpq-be.h
index 5d59d79822..0392860a87 100644
--- a/src/include/libpq/libpq-be.h
+++ b/src/include/libpq/libpq-be.h
@@ -210,6 +210,7 @@ extern void be_tls_get_version(Port *port, char *ptr, size_t len);
 extern void be_tls_get_cipher(Port *port, char *ptr, size_t len);
 extern void be_tls_get_peerdn_name(Port *port, char *ptr, size_t len);
 extern char *be_tls_get_peer_finish(Port *port, int *len);
+extern char *be_tls_get_certificate_hash(Port *port, int *len);
 #endif
 
 extern ProtocolVersion FrontendProtocol;
diff --git a/src/include/libpq/scram.h b/src/include/libpq/scram.h
index 43cde0e46e..6329e111ba 100644
--- a/src/include/libpq/scram.h
+++ b/src/include/libpq/scram.h
@@ -19,6 +19,7 @@
 
 /* Channel binding names */
 #define SCRAM_CHANNEL_TLS_UNIQUE	"tls-unique"
+#define SCRAM_CHANNEL_TLS_ENDPOINT	"tls-server-end-point"
 
 /* Status codes for message exchange */
 #define SASL_EXCHANGE_CONTINUE		0
@@ -28,7 +29,8 @@
 /* Routines dedicated to authentication */
 extern void *pg_be_scram_init(const char *username, const char *shadow_pass,
 					 bool ssl_in_use, char *tls_finished_message,
-					 int tls_finished_len);
+					 int tls_finished_len, char *certificate_hash,
+					 int certificate_hash_len);
 extern int pg_be_scram_exchange(void *opaq, char *input, int inputlen,
 					 char **output, int *outputlen, char **logdetail);
 
diff --git a/src/interfaces/libpq/fe-auth-scram.c b/src/interfaces/libpq/fe-auth-scram.c
index 9bce4d980a..307e58f586 100644
--- a/src/interfaces/libpq/fe-auth-scram.c
+++ b/src/interfaces/libpq/fe-auth-scram.c
@@ -49,6 +49,8 @@ typedef struct
 	bool		channel_binding_advertised;
 	char	   *tls_finished_message;
 	int			tls_finished_len;
+	char	   *certificate_hash;
+	int			certificate_hash_len;
 	/* enforce-able user parameters */
 	char	   *saslmechanism;		/* name of mechanism used */
 	char	   *saslchannelbinding;	/* name of channel binding to use */
@@ -96,7 +98,9 @@ pg_fe_scram_init(const char *username,
 				 const char *saslmechanism,
 				 char *saslchannelbinding,
 				 char *tls_finished_message,
-				 int tls_finished_len)
+				 int tls_finished_len,
+				 char *certificate_hash,
+				 int certificate_hash_len)
 {
 	fe_scram_state *state;
 	char	   *prep_password;
@@ -115,6 +119,8 @@ pg_fe_scram_init(const char *username,
 	state->tls_finished_message = tls_finished_message;
 	state->tls_finished_len = tls_finished_len;
 	state->saslmechanism = strdup(saslmechanism);
+	state->certificate_hash = certificate_hash;
+	state->certificate_hash_len = certificate_hash_len;
 
 	/*
 	 * If user has specified a channel binding to use, enforce the
@@ -158,6 +164,8 @@ pg_fe_scram_free(void *opaq)
 		free(state->password);
 	if (state->tls_finished_message)
 		free(state->tls_finished_message);
+	if (state->certificate_hash)
+		free(state->certificate_hash);
 	if (state->saslmechanism)
 		free(state->saslmechanism);
 	if (state->saslchannelbinding)
@@ -466,7 +474,9 @@ build_client_final_message(fe_scram_state *state, PQExpBuffer errormessage)
 	 * Construct client-final-message-without-proof.  We need to remember it
 	 * for verifying the server proof in the final step of authentication.
 	 * Client needs to provide a b64 encoded string of the TLS finish message
-	 * only if a SSL connection is attempted.
+	 * only if a SSL connection is attempted using "tls-unique" as channel
+	 * binding. For "tls-server-end-point", a hash of the client certificate
+	 * is sent instead.
 	 */
 #ifdef USE_SSL
 	if (strcmp(state->saslmechanism, SCRAM_SHA256_PLUS_NAME) == 0)
@@ -479,6 +489,12 @@ build_client_final_message(fe_scram_state *state, PQExpBuffer errormessage)
 			raw_data = state->tls_finished_message;
 			raw_data_len = state->tls_finished_len;
 		}
+		else if (strcmp(state->saslchannelbinding,
+						SCRAM_CHANNEL_TLS_ENDPOINT) == 0)
+		{
+			raw_data = state->certificate_hash;
+			raw_data_len = state->certificate_hash_len;
+		}
 		else
 		{
 			/* should not happen */
diff --git a/src/interfaces/libpq/fe-auth.c b/src/interfaces/libpq/fe-auth.c
index 97de9a0a30..56dbe2be28 100644
--- a/src/interfaces/libpq/fe-auth.c
+++ b/src/interfaces/libpq/fe-auth.c
@@ -494,6 +494,8 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 	bool		channel_binding_advertised = false;
 	char	   *tls_finished = NULL;
 	int			tls_finished_len = 0;
+	char	   *certificate_hash = NULL;
+	int			certificate_hash_len = 0;
 	char	   *password;
 
 	initPQExpBuffer(&mechanism_buf);
@@ -610,6 +612,12 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 		tls_finished = pgtls_get_finish(conn, &tls_finished_len);
 		if (tls_finished == NULL)
 			goto oom_error;
+
+		certificate_hash =
+			pgtls_get_peer_certificate_hash(conn,
+											&certificate_hash_len);
+		if (certificate_hash == NULL)
+			goto error;		/* error message is set */
 	}
 #endif
 
@@ -626,7 +634,9 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 										selected_mechanism,
 										conn->saslchannelbinding,
 										tls_finished,
-										tls_finished_len);
+										tls_finished_len,
+										certificate_hash,
+										certificate_hash_len);
 	if (!conn->sasl_state)
 		goto oom_error;
 
diff --git a/src/interfaces/libpq/fe-auth.h b/src/interfaces/libpq/fe-auth.h
index 81378d0008..ed574d39e5 100644
--- a/src/interfaces/libpq/fe-auth.h
+++ b/src/interfaces/libpq/fe-auth.h
@@ -26,7 +26,8 @@ extern char *pg_fe_getauthname(PQExpBuffer errorMessage);
 extern void *pg_fe_scram_init(const char *username, const char *password,
 					 bool ssl_in_use, bool channel_binding_advertised,
 					 const char *saslmechanism,char *saslchannelbinding,
-					 char *tls_finished_message, int tls_finished_len);
+					 char *tls_finished_message, int tls_finished_len,
+					 char *certificate_hash, int certificate_hash_len);
 extern void pg_fe_scram_free(void *opaq);
 extern void pg_fe_scram_exchange(void *opaq, char *input, int inputlen,
 					 char **output, int *outputlen,
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 84a6e3c322..301bde0799 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -418,6 +418,84 @@ pgtls_get_finish(PGconn *conn, int *len)
 	return result;
 }
 
+/*
+ *	Get the hash of the server certificate
+ *
+ * This information is useful for end-point channel binding, where
+ * the client certificate hash is used as a link, per RFC 5929. If
+ * the signature hash algorithm is MD5 or SHA-1, fall back to SHA-256,
+ * as per RFC 5929 (https://tools.ietf.org/html/rfc5929#section-4.1).
+ * NULL is sent back to the caller in the event of an error, with an
+ * error message for the caller to consume.
+ */
+char *
+pgtls_get_peer_certificate_hash(PGconn *conn, int *len)
+{
+	char	   *cert_hash = NULL;
+
+	*len = 0;
+
+	if (conn->peer)
+	{
+		X509		   *peer_cert = conn->peer;
+		const EVP_MD   *algo_type = NULL;
+		char			hash[EVP_MAX_MD_SIZE];	/* size for SHA-512 */
+		unsigned int	hash_size;
+		int				algo_nid;
+
+		/*
+		 * Get the signature algorithm of the certificate to determine the
+		 * hash algorithm to use for the result.
+		 */
+		if (!OBJ_find_sigid_algs(X509_get_signature_nid(peer_cert),
+								 &algo_nid, NULL))
+		{
+			printfPQExpBuffer(&conn->errorMessage,
+							  libpq_gettext("could not find signature algorithm\n"));
+			return NULL;
+		}
+
+		switch (algo_nid)
+		{
+			case NID_md5:
+			case NID_sha1:
+				algo_type = EVP_sha256();
+				break;
+
+			default:
+				algo_type = EVP_get_digestbynid(algo_nid);
+				if (algo_type == NULL)
+				{
+					printfPQExpBuffer(&conn->errorMessage,
+									  libpq_gettext("could not find digest for NID %s\n"),
+									  OBJ_nid2sn(algo_nid));
+					return NULL;
+				}
+				break;
+		}
+
+		if (!X509_digest(peer_cert, algo_type, (unsigned char *) hash,
+						 &hash_size))
+		{
+			printfPQExpBuffer(&conn->errorMessage,
+							  libpq_gettext("could not generate peer certificate hash\n"));
+			return NULL;
+		}
+
+		/* save result */
+		cert_hash = (char *) malloc(hash_size);
+		if (cert_hash == NULL)
+		{
+			printfPQExpBuffer(&conn->errorMessage,
+							  libpq_gettext("out of memory\n"));
+			return NULL;
+		}
+		memcpy(cert_hash, hash, hash_size);
+		*len = hash_size;
+	}
+
+	return cert_hash;
+}
 
 /* ------------------------------------------------------------ */
 /*						OpenSSL specific code					*/
diff --git a/src/interfaces/libpq/libpq-int.h b/src/interfaces/libpq/libpq-int.h
index 6d500aa5db..f1e2c0bb3c 100644
--- a/src/interfaces/libpq/libpq-int.h
+++ b/src/interfaces/libpq/libpq-int.h
@@ -673,6 +673,7 @@ extern ssize_t pgtls_read(PGconn *conn, void *ptr, size_t len);
 extern bool pgtls_read_pending(PGconn *conn);
 extern ssize_t pgtls_write(PGconn *conn, const void *ptr, size_t len);
 extern char *pgtls_get_finish(PGconn *conn, int *len);
+extern char *pgtls_get_peer_certificate_hash(PGconn *conn, int *len);
 
 /*
  * this is so that we can check if a connection is non-blocking internally
diff --git a/src/test/ssl/t/002_sasl.pl b/src/test/ssl/t/002_sasl.pl
index e9226903ca..fa3cca24a2 100644
--- a/src/test/ssl/t/002_sasl.pl
+++ b/src/test/ssl/t/002_sasl.pl
@@ -2,7 +2,7 @@ use strict;
 use warnings;
 use PostgresNode;
 use TestLib;
-use Test::More tests => 6;
+use Test::More tests => 8;
 use ServerSetup;
 use File::Copy;
 
@@ -45,9 +45,13 @@ test_connect_fails($common_connstr, "saslname=not-exists");
 test_connect_ok($common_connstr, "saslname=SCRAM-SHA-256");
 test_connect_ok($common_connstr,
 		"saslname=SCRAM-SHA-256 saslchannelbinding=tls-unique");
+test_connect_ok($common_connstr,
+		"saslname=SCRAM-SHA-256 saslchannelbinding=tls-server-end-point");
 
 # Channel bindings
 test_connect_ok($common_connstr,
 		"saslname=SCRAM-SHA-256-PLUS saslchannelbinding=tls-unique");
+test_connect_ok($common_connstr,
+		"saslname=SCRAM-SHA-256-PLUS saslchannelbinding=tls-server-end-point");
 test_connect_fails($common_connstr,
 		"saslname=SCRAM-SHA-256-PLUS saslchannelbinding=not-exists");
-- 
2.14.2

From 92bdd0b20786cb1e8353e4fe1d1d67e7ceb48870 Mon Sep 17 00:00:00 2001
From: Michael Paquier <michael@paquier.xyz>
Date: Fri, 16 Jun 2017 17:00:06 +0900
Subject: [PATCH 1/4] Refactor routine to test connection to SSL server

Move the sub-routines wrappers to check if a connection to a server is
fine or not into the test main module. This is useful for other tests
willing to check connectivity into a server.
---
 src/test/ssl/ServerSetup.pm    |  45 +++++++++++++-
 src/test/ssl/t/001_ssltests.pl | 132 +++++++++++++++++------------------------
 2 files changed, 100 insertions(+), 77 deletions(-)

diff --git a/src/test/ssl/ServerSetup.pm b/src/test/ssl/ServerSetup.pm
index f63c81cfc6..ad2e036602 100644
--- a/src/test/ssl/ServerSetup.pm
+++ b/src/test/ssl/ServerSetup.pm
@@ -26,9 +26,52 @@ use Test::More;
 
 use Exporter 'import';
 our @EXPORT = qw(
-  configure_test_server_for_ssl switch_server_cert
+  configure_test_server_for_ssl
+  run_test_psql
+  switch_server_cert
+  test_connect_fails
+  test_connect_ok
 );
 
+# Define a couple of helper functions to test connecting to the server.
+
+# Attempt connection to server with given connection string.
+sub run_test_psql
+{
+	my $connstr   = $_[0];
+	my $logstring = $_[1];
+
+	my $cmd = [
+		'psql', '-X', '-A', '-t', '-c', "SELECT 'connected with $connstr'",
+		'-d', "$connstr" ];
+
+	my $result = run_log($cmd);
+	return $result;
+}
+
+#
+# The first argument is a base connection string to use for connection.
+# The second argument is a complementary connection string, and it's also
+# printed out as the test case name.
+sub test_connect_ok
+{
+	my $common_connstr = $_[0];
+	my $connstr = $_[1];
+
+	my $result =
+	  run_test_psql("$common_connstr $connstr", "(should succeed)");
+	ok($result, $connstr);
+}
+
+sub test_connect_fails
+{
+	my $common_connstr = $_[0];
+	my $connstr = $_[1];
+
+	my $result = run_test_psql("$common_connstr $connstr", "(should fail)");
+	ok(!$result, "$connstr (should fail)");
+}
+
 # Copy a set of files, taking into account wildcards
 sub copy_files
 {
diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl
index 32df273929..890e3051a2 100644
--- a/src/test/ssl/t/001_ssltests.pl
+++ b/src/test/ssl/t/001_ssltests.pl
@@ -13,44 +13,9 @@ use File::Copy;
 # postgresql-ssl-regression.test.
 my $SERVERHOSTADDR = '127.0.0.1';
 
-# Define a couple of helper functions to test connecting to the server.
-
+# Allocation of base connection string shared among multiple tests.
 my $common_connstr;
 
-sub run_test_psql
-{
-	my $connstr   = $_[0];
-	my $logstring = $_[1];
-
-	my $cmd = [
-		'psql', '-X', '-A', '-t', '-c', "SELECT 'connected with $connstr'",
-		'-d', "$connstr" ];
-
-	my $result = run_log($cmd);
-	return $result;
-}
-
-#
-# The first argument is a (part of a) connection string, and it's also printed
-# out as the test case name. It is appended to $common_connstr global variable,
-# which also contains a libpq connection string.
-sub test_connect_ok
-{
-	my $connstr = $_[0];
-
-	my $result =
-	  run_test_psql("$common_connstr $connstr", "(should succeed)");
-	ok($result, $connstr);
-}
-
-sub test_connect_fails
-{
-	my $connstr = $_[0];
-
-	my $result = run_test_psql("$common_connstr $connstr", "(should fail)");
-	ok(!$result, "$connstr (should fail)");
-}
-
 # The client's private key must not be world-readable, so take a copy
 # of the key stored in the code tree and update its permissions.
 copy("ssl/client.key", "ssl/client_tmp.key");
@@ -83,50 +48,59 @@ $common_connstr =
 
 # The server should not accept non-SSL connections
 note "test that the server doesn't accept non-SSL connections";
-test_connect_fails("sslmode=disable");
+test_connect_fails($common_connstr, "sslmode=disable");
 
 # Try without a root cert. In sslmode=require, this should work. In verify-ca
 # or verify-full mode it should fail
 note "connect without server root cert";
-test_connect_ok("sslrootcert=invalid sslmode=require");
-test_connect_fails("sslrootcert=invalid sslmode=verify-ca");
-test_connect_fails("sslrootcert=invalid sslmode=verify-full");
+test_connect_ok($common_connstr, "sslrootcert=invalid sslmode=require");
+test_connect_fails($common_connstr, "sslrootcert=invalid sslmode=verify-ca");
+test_connect_fails($common_connstr, "sslrootcert=invalid sslmode=verify-full");
 
 # Try with wrong root cert, should fail. (we're using the client CA as the
 # root, but the server's key is signed by the server CA)
 note "connect without wrong server root cert";
-test_connect_fails("sslrootcert=ssl/client_ca.crt sslmode=require");
-test_connect_fails("sslrootcert=ssl/client_ca.crt sslmode=verify-ca");
-test_connect_fails("sslrootcert=ssl/client_ca.crt sslmode=verify-full");
+test_connect_fails($common_connstr,
+	"sslrootcert=ssl/client_ca.crt sslmode=require");
+test_connect_fails($common_connstr,
+	"sslrootcert=ssl/client_ca.crt sslmode=verify-ca");
+test_connect_fails($common_connstr,
+	"sslrootcert=ssl/client_ca.crt sslmode=verify-full");
 
 # Try with just the server CA's cert. This fails because the root file
 # must contain the whole chain up to the root CA.
 note "connect with server CA cert, without root CA";
-test_connect_fails("sslrootcert=ssl/server_ca.crt sslmode=verify-ca");
+test_connect_fails($common_connstr,
+	"sslrootcert=ssl/server_ca.crt sslmode=verify-ca");
 
 # And finally, with the correct root cert.
 note "connect with correct server CA cert file";
-test_connect_ok("sslrootcert=ssl/root+server_ca.crt sslmode=require");
-test_connect_ok("sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca");
-test_connect_ok("sslrootcert=ssl/root+server_ca.crt sslmode=verify-full");
+test_connect_ok($common_connstr,
+	"sslrootcert=ssl/root+server_ca.crt sslmode=require");
+test_connect_ok($common_connstr,
+	"sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca");
+test_connect_ok($common_connstr,
+	"sslrootcert=ssl/root+server_ca.crt sslmode=verify-full");
 
 # Test with cert root file that contains two certificates. The client should
 # be able to pick the right one, regardless of the order in the file.
-test_connect_ok("sslrootcert=ssl/both-cas-1.crt sslmode=verify-ca");
-test_connect_ok("sslrootcert=ssl/both-cas-2.crt sslmode=verify-ca");
+test_connect_ok($common_connstr,
+	"sslrootcert=ssl/both-cas-1.crt sslmode=verify-ca");
+test_connect_ok($common_connstr,
+	"sslrootcert=ssl/both-cas-2.crt sslmode=verify-ca");
 
 note "testing sslcrl option with a non-revoked cert";
 
 # Invalid CRL filename is the same as no CRL, succeeds
-test_connect_ok(
+test_connect_ok($common_connstr,
 	"sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=invalid");
 
 # A CRL belonging to a different CA is not accepted, fails
-test_connect_fails(
+test_connect_fails($common_connstr,
 "sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/client.crl");
 
 # With the correct CRL, succeeds (this cert is not revoked)
-test_connect_ok(
+test_connect_ok($common_connstr,
 "sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/root+server.crl"
 );
 
@@ -136,9 +110,9 @@ note "test mismatch between hostname and server certificate";
 $common_connstr =
 "user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full";
 
-test_connect_ok("sslmode=require host=wronghost.test");
-test_connect_ok("sslmode=verify-ca host=wronghost.test");
-test_connect_fails("sslmode=verify-full host=wronghost.test");
+test_connect_ok($common_connstr, "sslmode=require host=wronghost.test");
+test_connect_ok($common_connstr, "sslmode=verify-ca host=wronghost.test");
+test_connect_fails($common_connstr, "sslmode=verify-full host=wronghost.test");
 
 # Test Subject Alternative Names.
 switch_server_cert($node, 'server-multiple-alt-names');
@@ -147,12 +121,13 @@ note "test hostname matching with X.509 Subject Alternative Names";
 $common_connstr =
 "user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full";
 
-test_connect_ok("host=dns1.alt-name.pg-ssltest.test");
-test_connect_ok("host=dns2.alt-name.pg-ssltest.test");
-test_connect_ok("host=foo.wildcard.pg-ssltest.test");
+test_connect_ok($common_connstr, "host=dns1.alt-name.pg-ssltest.test");
+test_connect_ok($common_connstr, "host=dns2.alt-name.pg-ssltest.test");
+test_connect_ok($common_connstr, "host=foo.wildcard.pg-ssltest.test");
 
-test_connect_fails("host=wronghost.alt-name.pg-ssltest.test");
-test_connect_fails("host=deep.subdomain.wildcard.pg-ssltest.test");
+test_connect_fails($common_connstr, "host=wronghost.alt-name.pg-ssltest.test");
+test_connect_fails($common_connstr,
+	"host=deep.subdomain.wildcard.pg-ssltest.test");
 
 # Test certificate with a single Subject Alternative Name. (this gives a
 # slightly different error message, that's all)
@@ -162,10 +137,11 @@ note "test hostname matching with a single X.509 Subject Alternative Name";
 $common_connstr =
 "user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full";
 
-test_connect_ok("host=single.alt-name.pg-ssltest.test");
+test_connect_ok($common_connstr, "host=single.alt-name.pg-ssltest.test");
 
-test_connect_fails("host=wronghost.alt-name.pg-ssltest.test");
-test_connect_fails("host=deep.subdomain.wildcard.pg-ssltest.test");
+test_connect_fails($common_connstr, "host=wronghost.alt-name.pg-ssltest.test");
+test_connect_fails($common_connstr,
+	"host=deep.subdomain.wildcard.pg-ssltest.test");
 
 # Test server certificate with a CN and SANs. Per RFCs 2818 and 6125, the CN
 # should be ignored when the certificate has both.
@@ -175,9 +151,9 @@ note "test certificate with both a CN and SANs";
 $common_connstr =
 "user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR sslmode=verify-full";
 
-test_connect_ok("host=dns1.alt-name.pg-ssltest.test");
-test_connect_ok("host=dns2.alt-name.pg-ssltest.test");
-test_connect_fails("host=common-name.pg-ssltest.test");
+test_connect_ok($common_connstr, "host=dns1.alt-name.pg-ssltest.test");
+test_connect_ok($common_connstr, "host=dns2.alt-name.pg-ssltest.test");
+test_connect_fails($common_connstr, "host=common-name.pg-ssltest.test");
 
 # Finally, test a server certificate that has no CN or SANs. Of course, that's
 # not a very sensible certificate, but libpq should handle it gracefully.
@@ -185,8 +161,10 @@ switch_server_cert($node, 'server-no-names');
 $common_connstr =
 "user=ssltestuser dbname=trustdb sslcert=invalid sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR";
 
-test_connect_ok("sslmode=verify-ca host=common-name.pg-ssltest.test");
-test_connect_fails("sslmode=verify-full host=common-name.pg-ssltest.test");
+test_connect_ok($common_connstr,
+	"sslmode=verify-ca host=common-name.pg-ssltest.test");
+test_connect_fails($common_connstr,
+	"sslmode=verify-full host=common-name.pg-ssltest.test");
 
 # Test that the CRL works
 note "testing client-side CRL";
@@ -196,8 +174,9 @@ $common_connstr =
 "user=ssltestuser dbname=trustdb sslcert=invalid hostaddr=$SERVERHOSTADDR host=common-name.pg-ssltest.test";
 
 # Without the CRL, succeeds. With it, fails.
-test_connect_ok("sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca");
-test_connect_fails(
+test_connect_ok($common_connstr,
+	"sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca");
+test_connect_fails($common_connstr,
 "sslrootcert=ssl/root+server_ca.crt sslmode=verify-ca sslcrl=ssl/root+server.crl"
 );
 
@@ -210,18 +189,18 @@ $common_connstr =
 "sslrootcert=ssl/root+server_ca.crt sslmode=require dbname=certdb hostaddr=$SERVERHOSTADDR";
 
 # no client cert
-test_connect_fails("user=ssltestuser sslcert=invalid");
+test_connect_fails($common_connstr, "user=ssltestuser sslcert=invalid");
 
 # correct client cert
-test_connect_ok(
+test_connect_ok($common_connstr,
 	"user=ssltestuser sslcert=ssl/client.crt sslkey=ssl/client_tmp.key");
 
 # client cert belonging to another user
-test_connect_fails(
+test_connect_fails($common_connstr,
 	"user=anotheruser sslcert=ssl/client.crt sslkey=ssl/client_tmp.key");
 
 # revoked client cert
-test_connect_fails(
+test_connect_fails($common_connstr,
 "user=ssltestuser sslcert=ssl/client-revoked.crt sslkey=ssl/client-revoked.key"
 );
 
@@ -230,8 +209,9 @@ switch_server_cert($node, 'server-cn-only', 'root_ca');
 $common_connstr =
 "user=ssltestuser dbname=certdb sslkey=ssl/client_tmp.key sslrootcert=ssl/root+server_ca.crt hostaddr=$SERVERHOSTADDR";
 
-test_connect_ok("sslmode=require sslcert=ssl/client+client_ca.crt");
-test_connect_fails("sslmode=require sslcert=ssl/client.crt");
+test_connect_ok($common_connstr,
+	"sslmode=require sslcert=ssl/client+client_ca.crt");
+test_connect_fails($common_connstr, "sslmode=require sslcert=ssl/client.crt");
 
 # clean up
 unlink "ssl/client_tmp.key";
-- 
2.15.0

From 5d9b1106be98d16a9945c4dab19867b164e5cb88 Mon Sep 17 00:00:00 2001
From: Michael Paquier <michael@paquier.xyz>
Date: Tue, 14 Nov 2017 17:53:24 +0900
Subject: [PATCH 2/4] Support channel binding 'tls-unique' in SCRAM

This is the basic feature set using OpenSSL to support the feature.
In order to allow the frontend and the backend to fetch the sent and
expected TLS finish messages, a PG-like API is added to be able to
make the interface pluggable for other SSL implementations.

This commit also adds a lot of basic infrastructure to facilitate the
addition of future channel binding types as well as libpq parameters
to control the SASL mechanism names and channel binding names. Those
will be added by upcoming commits.

A set of basic tests to stress default channel binding handling is
added as well, though those are part of the SSL suite.
---
 doc/src/sgml/protocol.sgml               |  24 ++--
 src/backend/libpq/auth-scram.c           | 162 +++++++++++++++++++++-----
 src/backend/libpq/auth.c                 |  69 ++++++++++--
 src/backend/libpq/be-secure-openssl.c    |  24 ++++
 src/include/libpq/libpq-be.h             |   1 +
 src/include/libpq/scram.h                |  10 +-
 src/interfaces/libpq/fe-auth-scram.c     | 187 +++++++++++++++++++++++++++----
 src/interfaces/libpq/fe-auth.c           | 100 +++++++++++++----
 src/interfaces/libpq/fe-auth.h           |   5 +-
 src/interfaces/libpq/fe-secure-openssl.c |  26 +++++
 src/interfaces/libpq/libpq-int.h         |   5 +-
 src/test/ssl/ServerSetup.pm              |  19 +++-
 src/test/ssl/t/001_ssltests.pl           |   2 +-
 src/test/ssl/t/002_sasl.pl               |  41 +++++++
 14 files changed, 584 insertions(+), 91 deletions(-)
 create mode 100644 src/test/ssl/t/002_sasl.pl

diff --git a/doc/src/sgml/protocol.sgml b/doc/src/sgml/protocol.sgml
index 6d4dcf83ac..e2a3d8f4d5 100644
--- a/doc/src/sgml/protocol.sgml
+++ b/doc/src/sgml/protocol.sgml
@@ -1461,10 +1461,11 @@ SELCT 1/0;
 
 <para>
 <firstterm>SASL</firstterm> is a framework for authentication in connection-oriented
-protocols. At the moment, <productname>PostgreSQL</productname> implements only one SASL
-authentication mechanism, SCRAM-SHA-256, but more might be added in the
-future. The below steps illustrate how SASL authentication is performed in
-general, while the next subsection gives more details on SCRAM-SHA-256.
+protocols. At the moment, <productname>PostgreSQL</productname> implements only two SASL
+authentication mechanisms, SCRAM-SHA-256 and SCRAM-SHA-256-PLUS, but more
+might be added in the future. The below steps illustrate how SASL
+authentication is performed in general, while the next subsection gives
+more details on SCRAM-SHA-256 and SCRAM-SHA-256-PLUS.
 </para>
 
 <procedure>
@@ -1547,7 +1548,10 @@ the password is in.
   </para>
 
   <para>
-<firstterm>Channel binding</firstterm> has not been implemented yet.
+<firstterm>Channel binding</firstterm> is supported in builds with SSL
+support, and uses as mechanism name <literal>SCRAM-SHA-256-PLUS</literal>
+for this purpose as defined per IANA. The only channel binding type
+supported by the server is <literal>tls-unique</literal>.
   </para>
 
 <procedure>
@@ -1556,13 +1560,19 @@ the password is in.
 <para>
   The server sends an AuthenticationSASL message. It includes a list of
   SASL authentication mechanisms that the server can accept.
+  <literal>SCRAM-SHA-256</literal> and <literal>SCRAM-SHA-256-PLUS</literal>
+  are the two mechanism names that the server lists in this message. Support
+  for channel binding is not included if the server is built without SSL
+  support. The client can still choose to not use channel binding for
+  a connection attempt with SSL.
 </para>
 </step>
 <step id="scram-client-first">
 <para>
   The client responds by sending a SASLInitialResponse message, which
-  indicates the chosen mechanism, <literal>SCRAM-SHA-256</literal>. In the Initial
-  Client response field, the message contains the SCRAM
+  indicates the chosen mechanism, <literal>SCRAM-SHA-256</literal> or
+  <literal>SCRAM-SHA-256-PLUS</literal>. In the Initial Client response field,
+  the message contains the SCRAM
   <structname>client-first-message</structname>.
 </para>
 </step>
diff --git a/src/backend/libpq/auth-scram.c b/src/backend/libpq/auth-scram.c
index ec4bb9a88e..b326c8a39e 100644
--- a/src/backend/libpq/auth-scram.c
+++ b/src/backend/libpq/auth-scram.c
@@ -17,8 +17,6 @@
  *	 by the SASLprep profile, we skip the SASLprep pre-processing and use
  *	 the raw bytes in calculating the hash.
  *
- * - Channel binding is not supported yet.
- *
  *
  * The password stored in pg_authid consists of the iteration count, salt,
  * StoredKey and ServerKey.
@@ -112,6 +110,11 @@ typedef struct
 
 	const char *username;		/* username from startup packet */
 
+	bool		ssl_in_use;
+	char	   *tls_finished_message;
+	int			tls_finished_len;
+	char	   *channel_binding;
+
 	int			iterations;
 	char	   *salt;			/* base64-encoded */
 	uint8		StoredKey[SCRAM_KEY_LEN];
@@ -168,7 +171,11 @@ static char *scram_mock_salt(const char *username);
  * it will fail, as if an incorrect password was given.
  */
 void *
-pg_be_scram_init(const char *username, const char *shadow_pass)
+pg_be_scram_init(const char *username,
+				 const char *shadow_pass,
+				 bool ssl_in_use,
+				 char *tls_finished_message,
+				 int tls_finished_len)
 {
 	scram_state *state;
 	bool		got_verifier;
@@ -176,6 +183,10 @@ pg_be_scram_init(const char *username, const char *shadow_pass)
 	state = (scram_state *) palloc0(sizeof(scram_state));
 	state->state = SCRAM_AUTH_INIT;
 	state->username = username;
+	state->ssl_in_use = ssl_in_use;
+	state->tls_finished_message = tls_finished_message;
+	state->tls_finished_len = tls_finished_len;
+	state->channel_binding = NULL;
 
 	/*
 	 * Parse the stored password verifier.
@@ -773,31 +784,84 @@ read_client_first_message(scram_state *state, char *input)
 	 *------
 	 */
 
-	/* read gs2-cbind-flag */
+	/*
+	 * Read gs2-cbind-flag. Server handles its value as described in RFC 5802,
+	 * section 6 dealing with channel binding.
+	 */
 	switch (*input)
 	{
 		case 'n':
-			/* Client does not support channel binding */
+			/*
+			 * The client does not support channel binding, or has simply
+			 * decided to not use it. In this case just let go.
+			 */
+			input++;
+			if (*input != ',')
+				ereport(ERROR,
+						(errcode(ERRCODE_PROTOCOL_VIOLATION),
+						 errmsg("malformed SCRAM message"),
+						 errdetail("Comma expected, but found character \"%s\".",
+								   sanitize_char(*input))));
 			input++;
 			break;
 		case 'y':
-			/* Client supports channel binding, but we're not doing it today */
+			/*
+			 * Client supports channel binding and thinks that the server does
+			 * not. In this case, the server must fail authentication if it
+			 * supports channel binding, which is only the case if a connection
+			 * is done when SSL is used.
+			 */
+			if (state->ssl_in_use)
+				ereport(ERROR,
+						(errcode(ERRCODE_PROTOCOL_VIOLATION),
+						 errmsg("client supports SCRAM channel binding, but server needs it for SSL connections")));
+			input++;
+			if (*input != ',')
+				ereport(ERROR,
+						(errcode(ERRCODE_PROTOCOL_VIOLATION),
+						 errmsg("malformed SCRAM message"),
+						 errdetail("Comma expected, but found character \"%s\".",
+								   sanitize_char(*input))));
 			input++;
 			break;
 		case 'p':
+			{
+#ifdef USE_SSL
+				char *channel_name;
 
-			/*
-			 * Client requires channel binding.  We don't support it.
-			 *
-			 * RFC 5802 specifies a particular error code,
-			 * e=server-does-support-channel-binding, for this.  But it can
-			 * only be sent in the server-final message, and we don't want to
-			 * go through the motions of the authentication, knowing it will
-			 * fail, just to send that error message.
-			 */
-			ereport(ERROR,
-					(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
-					 errmsg("client requires SCRAM channel binding, but it is not supported")));
+				if (!state->ssl_in_use)
+					ereport(ERROR,
+							(errcode(ERRCODE_PROTOCOL_VIOLATION),
+							 errmsg("client requires SCRAM channel binding, but it is not supported")));
+
+				/*
+				 * Read value provided by client, only tls-unique is supported
+				 * for now.
+				 */
+				channel_name = read_attr_value(&input, 'p');
+				if (strcmp(channel_name, SCRAM_CHANNEL_TLS_UNIQUE) != 0)
+					ereport(ERROR,
+						(errcode(ERRCODE_PROTOCOL_VIOLATION),
+						 (errmsg("unexpected SCRAM channel-binding type"))));
+
+				/* Save the name for handling of subsequent messages */
+				state->channel_binding = pstrdup(channel_name);
+#else
+				/*
+				 * Client requires channel binding.  We don't support it.
+				 *
+				 * RFC 5802 specifies a particular error code,
+				 * e=server-does-support-channel-binding, for this.  But it
+				 * can only be sent in the server-final message, and we don't
+				 * want to go through the motions of the authentication,
+				 * knowing it will fail, just to send that error message.
+				 */
+				ereport(ERROR,
+						(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
+						 errmsg("client requires SCRAM channel binding, but it is not supported")));
+#endif
+			}
+			break;
 		default:
 			ereport(ERROR,
 					(errcode(ERRCODE_PROTOCOL_VIOLATION),
@@ -805,13 +869,6 @@ read_client_first_message(scram_state *state, char *input)
 					 errdetail("Unexpected channel-binding flag \"%s\".",
 							   sanitize_char(*input))));
 	}
-	if (*input != ',')
-		ereport(ERROR,
-				(errcode(ERRCODE_PROTOCOL_VIOLATION),
-				 errmsg("malformed SCRAM message"),
-				 errdetail("Comma expected, but found character \"%s\".",
-						   sanitize_char(*input))));
-	input++;
 
 	/*
 	 * Forbid optional authzid (authorization identity).  We don't support it.
@@ -1032,14 +1089,65 @@ read_client_final_message(scram_state *state, char *input)
 	 */
 
 	/*
-	 * Read channel-binding.  We don't support channel binding, so it's
-	 * expected to always be "biws", which is "n,,", base64-encoded.
+	 * Read channel-binding.  We don't support channel binding for builds
+	 * without SSL support or if the client does not want to use channel
+	 * binding, so it's expected to always be "biws" in this case, which
+	 * is "n,,", base64-encoded.  In builds supporting SSL, "biws" is
+	 * used for Non-SSL connection attempts, and for SSL connections the
+	 * client has to provide channel binding value if needed.
 	 */
 	channel_binding = read_attr_value(&p, 'c');
+#ifdef USE_SSL
+	if (state->ssl_in_use &&
+		state->channel_binding)
+	{
+		char	   *b64_message, *raw_data;
+		int			b64_message_len, raw_data_len;
+
+		/* Fetch data for each channel binding type */
+		if (strcmp(state->channel_binding, SCRAM_CHANNEL_TLS_UNIQUE) == 0)
+		{
+			raw_data = state->tls_finished_message;
+			raw_data_len = state->tls_finished_len;
+		}
+		else
+		{
+			/* should not happen */
+			elog(ERROR, "invalid channel binding type");
+		}
+
+		/* should not happen, but better safe than sorry */
+		if (raw_data == NULL)
+			elog(ERROR, "empty binding data for channel name \"%s\"",
+				 state->channel_binding);
+
+		b64_message = palloc(pg_b64_enc_len(raw_data_len) + 1);
+		b64_message_len = pg_b64_encode(raw_data, raw_data_len,
+										b64_message);
+		b64_message[b64_message_len] = '\0';
+
+		/*
+		 * Compare the value sent by the client with the value expected by
+		 * the server.
+		 */
+		if (strcmp(channel_binding, b64_message) != 0)
+			ereport(ERROR,
+					(errcode(ERRCODE_PROTOCOL_VIOLATION),
+					 (errmsg("no match for SCRAM channel-binding attribute in client-final-message"))));
+	}
+	else
+	{
+		if (strcmp(channel_binding, "biws") != 0)
+			ereport(ERROR,
+					(errcode(ERRCODE_PROTOCOL_VIOLATION),
+					 (errmsg("unexpected SCRAM channel-binding attribute in client-final-message"))));
+	}
+#else
 	if (strcmp(channel_binding, "biws") != 0)
 		ereport(ERROR,
 				(errcode(ERRCODE_PROTOCOL_VIOLATION),
 				 (errmsg("unexpected SCRAM channel-binding attribute in client-final-message"))));
+#endif
 	state->client_final_nonce = read_attr_value(&p, 'r');
 
 	/* ignore optional extensions */
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index 6c915a7289..055c619cb9 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -865,10 +865,14 @@ CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail)
 	void	   *scram_opaq;
 	char	   *output = NULL;
 	int			outputlen = 0;
-	char	   *input;
+	char	   *input, *p;
+	char	   *sasl_mechs;
 	int			inputlen;
+	int			listlen = 0;
 	int			result;
 	bool		initial;
+	char	   *tls_finished = NULL;
+	int			tls_finished_len = 0;
 
 	/*
 	 * SASL auth is not supported for protocol versions before 3, because it
@@ -885,12 +889,49 @@ CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail)
 
 	/*
 	 * Send the SASL authentication request to user.  It includes the list of
-	 * authentication mechanisms (which is trivial, because we only support
-	 * SCRAM-SHA-256 at the moment).  The extra "\0" is for an empty string to
-	 * terminate the list.
+	 * authentication mechanisms that are supported:
+	 * - SCRAM-SHA-256, which is the mechanism with the same name.
+	 * - SCRAM-SHA-256-PLUS, which is SCRAM-SHA-256 with channel binding. This
+	 * is advertised to the client only if connection is attempted with SSL.
+	 * The order of mechanisms is advertised in decreasing order of importance.
+	 * The extra "\0" is for an empty string to terminate the list, and each
+	 * mechanism listed needs to be separated with "\0".
 	 */
-	sendAuthRequest(port, AUTH_REQ_SASL, SCRAM_SHA256_NAME "\0",
-					strlen(SCRAM_SHA256_NAME) + 2);
+	listlen = 0;
+	sasl_mechs = (char *) palloc(strlen(SCRAM_SHA256_PLUS_NAME) +
+								 strlen(SCRAM_SHA256_NAME) + 3);
+	p = sasl_mechs;
+
+	/* add SCRAM-SHA-256-PLUS, which depends on if SSL is in use */
+	if (port->ssl_in_use)
+	{
+		strcpy(p, SCRAM_SHA256_PLUS_NAME);
+		listlen += strlen(SCRAM_SHA256_PLUS_NAME) + 1;
+		p += strlen(SCRAM_SHA256_PLUS_NAME) + 1;
+	}
+
+	/* add generic SCRAM-SHA-256 */
+	strcpy(p, SCRAM_SHA256_NAME);
+	listlen += strlen(SCRAM_SHA256_NAME) + 1;
+	p += strlen(SCRAM_SHA256_NAME) + 1;
+
+	/* put "\0" to mark that list is finished */
+	p[0] = '\0';
+	listlen++;
+
+	sendAuthRequest(port, AUTH_REQ_SASL, sasl_mechs, listlen);
+	pfree(sasl_mechs);
+
+#ifdef USE_SSL
+	/*
+	 * Fetch the data related to the SSL finish message to be used in the
+	 * exchange.
+	 */
+	if (port->ssl_in_use)
+	{
+		tls_finished = be_tls_get_peer_finish(port, &tls_finished_len);
+	}
+#endif
 
 	/*
 	 * Initialize the status tracker for message exchanges.
@@ -903,7 +944,11 @@ CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail)
 	 * This is because we don't want to reveal to an attacker what usernames
 	 * are valid, nor which users have a valid password.
 	 */
-	scram_opaq = pg_be_scram_init(port->user_name, shadow_pass);
+	scram_opaq = pg_be_scram_init(port->user_name,
+								  shadow_pass,
+								  port->ssl_in_use,
+								  tls_finished,
+								  tls_finished_len);
 
 	/*
 	 * Loop through SASL message exchange.  This exchange can consist of
@@ -952,15 +997,17 @@ CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail)
 			const char *selected_mech;
 
 			/*
-			 * We only support SCRAM-SHA-256 at the moment, so anything else
-			 * is an error.
+			 * We only support SCRAM-SHA-256 and SCRAM-SHA-256-PLUS at the
+			 * moment, so anything else is an error.
 			 */
 			selected_mech = pq_getmsgrawstring(&buf);
-			if (strcmp(selected_mech, SCRAM_SHA256_NAME) != 0)
+			if (strcmp(selected_mech, SCRAM_SHA256_NAME) != 0 &&
+				strcmp(selected_mech, SCRAM_SHA256_PLUS_NAME) != 0)
 			{
 				ereport(ERROR,
 						(errcode(ERRCODE_PROTOCOL_VIOLATION),
-						 errmsg("client selected an invalid SASL authentication mechanism")));
+						 errmsg("client selected an invalid SASL authentication mechanism"),
+						 errdetail("Incorrect SASL mechanism name specified")));
 			}
 
 			inputlen = pq_getmsgint(&buf, 4);
diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index fe15227a77..d063a587d0 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -1215,6 +1215,30 @@ be_tls_get_peerdn_name(Port *port, char *ptr, size_t len)
 		ptr[0] = '\0';
 }
 
+/*
+ * Routine to get the expected TLS finish message information from the
+ * client, useful for authorization when doing channel binding.
+ *
+ * Result is a palloc'd copy of the TLS finish message with its size.
+ */
+char *
+be_tls_get_peer_finish(Port *port, int *len)
+{
+	char		dummy[1];
+	char	   *result;
+
+	/*
+	 * OpenSSL does not offer an API to get directly the length of the
+	 * expected TLS finish message, so just do a dummy call to grab this
+	 * information to allow caller to do an allocation with a correct size.
+	 */
+	*len = SSL_get_peer_finished(port->ssl, dummy, sizeof(dummy));
+	result = (char *) palloc(*len * sizeof(char));
+	(void) SSL_get_peer_finished(port->ssl, result, *len);
+
+	return result;
+}
+
 /*
  * Convert an X509 subject name to a cstring.
  *
diff --git a/src/include/libpq/libpq-be.h b/src/include/libpq/libpq-be.h
index 7bde744d51..5d59d79822 100644
--- a/src/include/libpq/libpq-be.h
+++ b/src/include/libpq/libpq-be.h
@@ -209,6 +209,7 @@ extern bool be_tls_get_compression(Port *port);
 extern void be_tls_get_version(Port *port, char *ptr, size_t len);
 extern void be_tls_get_cipher(Port *port, char *ptr, size_t len);
 extern void be_tls_get_peerdn_name(Port *port, char *ptr, size_t len);
+extern char *be_tls_get_peer_finish(Port *port, int *len);
 #endif
 
 extern ProtocolVersion FrontendProtocol;
diff --git a/src/include/libpq/scram.h b/src/include/libpq/scram.h
index 0166e1945d..43cde0e46e 100644
--- a/src/include/libpq/scram.h
+++ b/src/include/libpq/scram.h
@@ -13,8 +13,12 @@
 #ifndef PG_SCRAM_H
 #define PG_SCRAM_H
 
-/* Name of SCRAM-SHA-256 per IANA */
+/* Name of SCRAM mechanisms per IANA */
 #define SCRAM_SHA256_NAME "SCRAM-SHA-256"
+#define SCRAM_SHA256_PLUS_NAME "SCRAM-SHA-256-PLUS"	/* with channel binding */
+
+/* Channel binding names */
+#define SCRAM_CHANNEL_TLS_UNIQUE	"tls-unique"
 
 /* Status codes for message exchange */
 #define SASL_EXCHANGE_CONTINUE		0
@@ -22,7 +26,9 @@
 #define SASL_EXCHANGE_FAILURE		2
 
 /* Routines dedicated to authentication */
-extern void *pg_be_scram_init(const char *username, const char *shadow_pass);
+extern void *pg_be_scram_init(const char *username, const char *shadow_pass,
+					 bool ssl_in_use, char *tls_finished_message,
+					 int tls_finished_len);
 extern int pg_be_scram_exchange(void *opaq, char *input, int inputlen,
 					 char **output, int *outputlen, char **logdetail);
 
diff --git a/src/interfaces/libpq/fe-auth-scram.c b/src/interfaces/libpq/fe-auth-scram.c
index edfd42df85..9bce4d980a 100644
--- a/src/interfaces/libpq/fe-auth-scram.c
+++ b/src/interfaces/libpq/fe-auth-scram.c
@@ -17,6 +17,7 @@
 #include "common/base64.h"
 #include "common/saslprep.h"
 #include "common/scram-common.h"
+#include "libpq/scram.h"
 #include "fe-auth.h"
 
 /* These are needed for getpid(), in the fallback implementation */
@@ -44,6 +45,13 @@ typedef struct
 	/* These are supplied by the user */
 	const char *username;
 	char	   *password;
+	bool		ssl_in_use;
+	bool		channel_binding_advertised;
+	char	   *tls_finished_message;
+	int			tls_finished_len;
+	/* enforce-able user parameters */
+	char	   *saslmechanism;		/* name of mechanism used */
+	char	   *saslchannelbinding;	/* name of channel binding to use */
 
 	/* We construct these */
 	uint8		SaltedPassword[SCRAM_KEY_LEN];
@@ -81,18 +89,41 @@ static bool pg_frontend_random(char *dst, int len);
  * Initialize SCRAM exchange status.
  */
 void *
-pg_fe_scram_init(const char *username, const char *password)
+pg_fe_scram_init(const char *username,
+				 const char *password,
+				 bool ssl_in_use,
+				 bool channel_binding_advertised,
+				 const char *saslmechanism,
+				 char *saslchannelbinding,
+				 char *tls_finished_message,
+				 int tls_finished_len)
 {
 	fe_scram_state *state;
 	char	   *prep_password;
 	pg_saslprep_rc rc;
 
+	Assert(saslmechanism != NULL);
+
 	state = (fe_scram_state *) malloc(sizeof(fe_scram_state));
 	if (!state)
 		return NULL;
 	memset(state, 0, sizeof(fe_scram_state));
 	state->state = FE_SCRAM_INIT;
 	state->username = username;
+	state->ssl_in_use = ssl_in_use;
+	state->channel_binding_advertised = channel_binding_advertised;
+	state->tls_finished_message = tls_finished_message;
+	state->tls_finished_len = tls_finished_len;
+	state->saslmechanism = strdup(saslmechanism);
+
+	/*
+	 * If user has specified a channel binding to use, enforce the
+	 * channel binding sent to it.  The default is "tls-unique".
+	 */
+	if (saslchannelbinding && strlen(saslchannelbinding) > 0)
+		state->saslchannelbinding = strdup(saslchannelbinding);
+	else
+		state->saslchannelbinding = strdup(SCRAM_CHANNEL_TLS_UNIQUE);
 
 	/* Normalize the password with SASLprep, if possible */
 	rc = pg_saslprep(password, &prep_password);
@@ -125,6 +156,12 @@ pg_fe_scram_free(void *opaq)
 
 	if (state->password)
 		free(state->password);
+	if (state->tls_finished_message)
+		free(state->tls_finished_message);
+	if (state->saslmechanism)
+		free(state->saslmechanism);
+	if (state->saslchannelbinding)
+		free(state->saslchannelbinding);
 
 	/* client messages */
 	if (state->client_nonce)
@@ -297,9 +334,10 @@ static char *
 build_client_first_message(fe_scram_state *state, PQExpBuffer errormessage)
 {
 	char		raw_nonce[SCRAM_RAW_NONCE_LEN + 1];
-	char	   *buf;
-	char		buflen;
+	char	   *result;
+	int			channel_info_len;
 	int			encoded_len;
+	PQExpBufferData buf;
 
 	/*
 	 * Generate a "raw" nonce.  This is converted to ASCII-printable form by
@@ -328,26 +366,88 @@ build_client_first_message(fe_scram_state *state, PQExpBuffer errormessage)
 	 * prepared with SASLprep, the message parsing would fail if it includes
 	 * '=' or ',' characters.
 	 */
-	buflen = 8 + strlen(state->client_nonce) + 1;
-	buf = malloc(buflen);
-	if (buf == NULL)
+	initPQExpBuffer(&buf);
+
+	/*
+	 * First build the query field for channel binding.  Conditions used for
+	 * the decision-making are described in more details below.
+	 */
+#ifdef USE_SSL
+	if (strcmp(state->saslmechanism, SCRAM_SHA256_PLUS_NAME) == 0)
 	{
-		printfPQExpBuffer(errormessage,
-						  libpq_gettext("out of memory\n"));
-		return NULL;
-	}
-	snprintf(buf, buflen, "n,,n=,r=%s", state->client_nonce);
+		if (!state->ssl_in_use)
+		{
+			/*
+			 * Attempting to use channel binding, but this is not supported
+			 * in non-SSL contexts, so complain.
+			 */
+			printfPQExpBuffer(errormessage,
+				  libpq_gettext("channel binding not supported in non-SSL context.\n"));
+			return NULL;
+		}
 
-	state->client_first_message_bare = strdup(buf + 3);
-	if (!state->client_first_message_bare)
+		if (state->channel_binding_advertised)
+		{
+			/*
+			 * Channel binding is wanted by client and server supports it
+			 * so allow its use.
+			 */
+			appendPQExpBuffer(&buf, "p=%s", state->saslchannelbinding);
+		}
+		else
+		{
+			/*
+			 * Client supports channel binding and expects the server to
+			 * do so as well, so let the server know about that. Note that
+			 * as authentication is not complete yet, we do not know the
+			 * backend version, so there is not much we can do about it.
+			 */
+			appendPQExpBuffer(&buf, "y");
+			return NULL;
+		}
+	}
+	else
 	{
-		free(buf);
-		printfPQExpBuffer(errormessage,
-						  libpq_gettext("out of memory\n"));
-		return NULL;
+		/*
+		 * Caller may not wish to use channel binding, so let server know
+		 * that.
+		 */
+		appendPQExpBuffer(&buf, "n");
 	}
+#else
+	/* Build does not support SSL, so it does not support channel binding */
+	appendPQExpBuffer(&buf, "n");
+#endif
+
+	if (PQExpBufferDataBroken(buf))
+		goto oom_error;
 
-	return buf;
+	channel_info_len = buf.len;
+
+	appendPQExpBuffer(&buf, ",,n=,r=%s", state->client_nonce);
+	if (PQExpBufferDataBroken(buf))
+		goto oom_error;
+
+	/*
+	 * The first message content needs to be saved without channel binding
+	 * information.
+	 */
+	state->client_first_message_bare = strdup(buf.data + channel_info_len + 2);
+	if (!state->client_first_message_bare)
+		goto oom_error;
+
+	result = strdup(buf.data);
+	if (result == NULL)
+		goto oom_error;
+
+	termPQExpBuffer(&buf);
+	return result;
+
+oom_error:
+	termPQExpBuffer(&buf);
+	printfPQExpBuffer(errormessage,
+					  libpq_gettext("out of memory\n"));
+	return NULL;
 }
 
 /*
@@ -365,8 +465,57 @@ build_client_final_message(fe_scram_state *state, PQExpBuffer errormessage)
 	/*
 	 * Construct client-final-message-without-proof.  We need to remember it
 	 * for verifying the server proof in the final step of authentication.
+	 * Client needs to provide a b64 encoded string of the TLS finish message
+	 * only if a SSL connection is attempted.
 	 */
-	appendPQExpBuffer(&buf, "c=biws,r=%s", state->nonce);
+#ifdef USE_SSL
+	if (strcmp(state->saslmechanism, SCRAM_SHA256_PLUS_NAME) == 0)
+	{
+		char	   *raw_data;
+		int			raw_data_len;
+
+		if (strcmp(state->saslchannelbinding, SCRAM_CHANNEL_TLS_UNIQUE) == 0)
+		{
+			raw_data = state->tls_finished_message;
+			raw_data_len = state->tls_finished_len;
+		}
+		else
+		{
+			/* should not happen */
+			termPQExpBuffer(&buf);
+			printfPQExpBuffer(errormessage,
+							  libpq_gettext("incorrect channel binding name\n"));
+			return NULL;
+		}
+
+		/* should not happen, but better safe than sorry */
+		if (raw_data == NULL)
+		{
+			/* should not happen */
+			termPQExpBuffer(&buf);
+			printfPQExpBuffer(errormessage,
+							  libpq_gettext("empty binding data for channel name \"%s\"\n"),
+							  state->saslchannelbinding);
+			return NULL;
+		}
+
+		appendPQExpBuffer(&buf, "c=");
+
+		if (!enlargePQExpBuffer(&buf, pg_b64_enc_len(raw_data_len)))
+			goto oom_error;
+		buf.len += pg_b64_encode(raw_data, raw_data_len, buf.data + buf.len);
+		buf.data[buf.len] = '\0';
+	}
+	else
+		appendPQExpBuffer(&buf, "c=biws");
+#else
+	appendPQExpBuffer(&buf, "c=biws");
+#endif
+
+	if (PQExpBufferDataBroken(buf))
+		goto oom_error;
+
+	appendPQExpBuffer(&buf, ",r=%s", state->nonce);
 	if (PQExpBufferDataBroken(buf))
 		goto oom_error;
 
diff --git a/src/interfaces/libpq/fe-auth.c b/src/interfaces/libpq/fe-auth.c
index 382558f3f8..fa24c88522 100644
--- a/src/interfaces/libpq/fe-auth.c
+++ b/src/interfaces/libpq/fe-auth.c
@@ -491,6 +491,10 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 	bool		success;
 	const char *selected_mechanism;
 	PQExpBufferData mechanism_buf;
+	bool		channel_binding_advertised = false;
+	char	   *tls_finished = NULL;
+	int			tls_finished_len = 0;
+	char	   *password;
 
 	initPQExpBuffer(&mechanism_buf);
 
@@ -504,7 +508,8 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 	/*
 	 * Parse the list of SASL authentication mechanisms in the
 	 * AuthenticationSASL message, and select the best mechanism that we
-	 * support.  (Only SCRAM-SHA-256 is supported at the moment.)
+	 * support.  SCRAM-SHA-256-PLUS and SCRAM-SHA-256 are the only ones
+	 * supported at the moment, listed by order of decreasing importance.
 	 */
 	selected_mechanism = NULL;
 	for (;;)
@@ -522,6 +527,15 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 		if (mechanism_buf.data[0] == '\0')
 			break;
 
+		/*
+		 * The SASL exchange needs to know if channel binding has been
+		 * advertized. This prevents attacks from rogue servers that
+		 * may have the correct version but are not telling clients that
+		 * about channel binding.
+		 */
+		if (strcmp(mechanism_buf.data, SCRAM_SHA256_PLUS_NAME) == 0)
+			channel_binding_advertised = true;
+
 		/*
 		 * If we have already selected a mechanism, just skip through the rest
 		 * of the list.
@@ -532,25 +546,26 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 		/*
 		 * Do we support this mechanism?
 		 */
-		if (strcmp(mechanism_buf.data, SCRAM_SHA256_NAME) == 0)
+		if (strcmp(mechanism_buf.data, SCRAM_SHA256_NAME) == 0 ||
+			strcmp(mechanism_buf.data, SCRAM_SHA256_PLUS_NAME) == 0)
 		{
-			char	   *password;
-
-			conn->password_needed = true;
-			password = conn->connhost[conn->whichhost].password;
-			if (password == NULL)
-				password = conn->pgpass;
-			if (password == NULL || password[0] == '\0')
-			{
-				printfPQExpBuffer(&conn->errorMessage,
-								  PQnoPasswordSupplied);
-				goto error;
-			}
-
-			conn->sasl_state = pg_fe_scram_init(conn->pguser, password);
-			if (!conn->sasl_state)
-				goto oom_error;
-			selected_mechanism = SCRAM_SHA256_NAME;
+			/*
+			 * Select the mechanism to use by default. If SSL connection
+			 * is attempted, the server will expect the -PLUS mechanism.
+			 * If not, fallback to SCRAM-SHA-256.
+			 */
+#ifdef USE_SSL
+			if (conn->ssl_in_use &&
+				strcmp(mechanism_buf.data, SCRAM_SHA256_PLUS_NAME) == 0)
+				selected_mechanism = SCRAM_SHA256_PLUS_NAME;
+			else if (!conn->ssl_in_use &&
+					 strcmp(mechanism_buf.data, SCRAM_SHA256_NAME) == 0)
+				selected_mechanism = SCRAM_SHA256_NAME;
+#else
+			/* No channel binding can be selected without SSL support */
+			if (strcmp(mechanism_buf.data, SCRAM_SHA256_NAME) == 0)
+				selected_mechanism = SCRAM_SHA256_NAME;
+#endif
 		}
 	}
 
@@ -561,6 +576,53 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 		goto error;
 	}
 
+	/*
+	 * Now that the SASL mechanism has been chosen for the exchange,
+	 * initialize its state information. First select the password to
+	 * use for the exchange protocol, complaining back if none are
+	 * provided.
+	 */
+	conn->password_needed = true;
+	password = conn->connhost[conn->whichhost].password;
+	if (password == NULL)
+		password = conn->pgpass;
+	if (password == NULL || password[0] == '\0')
+	{
+		printfPQExpBuffer(&conn->errorMessage,
+						  PQnoPasswordSupplied);
+		goto error;
+	}
+
+#ifdef USE_SSL
+	/*
+	 * Fetch information about the TLS finish message and client
+	 * certificate if any.
+	 */
+	if (conn->ssl_in_use)
+	{
+		tls_finished = pgtls_get_finish(conn, &tls_finished_len);
+		if (tls_finished == NULL)
+			goto oom_error;
+	}
+#endif
+
+	/*
+	 * Initialize the SASL state information with all the information
+	 * gathered during the initial exchange.
+	 *
+	 * Note: Only tls-unique is supported for the moment.
+	 */
+	conn->sasl_state = pg_fe_scram_init(conn->pguser,
+										password,
+										conn->ssl_in_use,
+										channel_binding_advertised,
+										selected_mechanism,
+										NULL,	/* default channel binding */
+										tls_finished,
+										tls_finished_len);
+	if (!conn->sasl_state)
+		goto oom_error;
+
 	/* Get the mechanism-specific Initial Client Response, if any */
 	pg_fe_scram_exchange(conn->sasl_state,
 						 NULL, -1,
diff --git a/src/interfaces/libpq/fe-auth.h b/src/interfaces/libpq/fe-auth.h
index 5dc6bb5341..81378d0008 100644
--- a/src/interfaces/libpq/fe-auth.h
+++ b/src/interfaces/libpq/fe-auth.h
@@ -23,7 +23,10 @@ extern int	pg_fe_sendauth(AuthRequest areq, int payloadlen, PGconn *conn);
 extern char *pg_fe_getauthname(PQExpBuffer errorMessage);
 
 /* Prototypes for functions in fe-auth-scram.c */
-extern void *pg_fe_scram_init(const char *username, const char *password);
+extern void *pg_fe_scram_init(const char *username, const char *password,
+					 bool ssl_in_use, bool channel_binding_advertised,
+					 const char *saslmechanism,char *saslchannelbinding,
+					 char *tls_finished_message, int tls_finished_len);
 extern void pg_fe_scram_free(void *opaq);
 extern void pg_fe_scram_exchange(void *opaq, char *input, int inputlen,
 					 char **output, int *outputlen,
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 2f29820e82..84a6e3c322 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -393,6 +393,32 @@ pgtls_write(PGconn *conn, const void *ptr, size_t len)
 	return n;
 }
 
+/*
+ *	Get the TLS finish message sent during last handshake
+ *
+ * This information is useful for callers doing channel binding during
+ * authentication.
+ */
+char *
+pgtls_get_finish(PGconn *conn, int *len)
+{
+	char		dummy[1];
+	char	   *result;
+
+	/*
+	 * OpenSSL does not offer an API to get directly the length of the
+	 * TLS finish message sent, so first do a dummy call to grab this
+	 * information and then do an allocation with the correct size.
+	 */
+	*len = SSL_get_finished(conn->ssl, dummy, sizeof(dummy));
+	result = malloc(*len);
+	if (result == NULL)
+		return NULL;
+	(void) SSL_get_finished(conn->ssl, result, *len);
+	return result;
+}
+
+
 /* ------------------------------------------------------------ */
 /*						OpenSSL specific code					*/
 /* ------------------------------------------------------------ */
diff --git a/src/interfaces/libpq/libpq-int.h b/src/interfaces/libpq/libpq-int.h
index 42913604e3..0eb8b60c95 100644
--- a/src/interfaces/libpq/libpq-int.h
+++ b/src/interfaces/libpq/libpq-int.h
@@ -453,11 +453,13 @@ struct pg_conn
 	/* Assorted state for SASL, SSL, GSS, etc */
 	void	   *sasl_state;
 
+	/* SSL structures */
+	bool		ssl_in_use;
+
 #ifdef USE_SSL
 	bool		allow_ssl_try;	/* Allowed to try SSL negotiation */
 	bool		wait_ssl_try;	/* Delay SSL negotiation until after
 								 * attempting normal connection */
-	bool		ssl_in_use;
 #ifdef USE_OPENSSL
 	SSL		   *ssl;			/* SSL status, if have SSL connection */
 	X509	   *peer;			/* X509 cert of server */
@@ -668,6 +670,7 @@ extern void pgtls_close(PGconn *conn);
 extern ssize_t pgtls_read(PGconn *conn, void *ptr, size_t len);
 extern bool pgtls_read_pending(PGconn *conn);
 extern ssize_t pgtls_write(PGconn *conn, const void *ptr, size_t len);
+extern char *pgtls_get_finish(PGconn *conn, int *len);
 
 /*
  * this is so that we can check if a connection is non-blocking internally
diff --git a/src/test/ssl/ServerSetup.pm b/src/test/ssl/ServerSetup.pm
index ad2e036602..b71969ac75 100644
--- a/src/test/ssl/ServerSetup.pm
+++ b/src/test/ssl/ServerSetup.pm
@@ -91,6 +91,9 @@ sub configure_test_server_for_ssl
 {
 	my $node       = $_[0];
 	my $serverhost = $_[1];
+	my $sslmethod  = $_[2];
+	my $passwd     = $_[3];
+	my $passwdhash = $_[4];
 
 	my $pgdata = $node->data_dir;
 
@@ -100,6 +103,15 @@ sub configure_test_server_for_ssl
 	$node->psql('postgres', "CREATE DATABASE trustdb");
 	$node->psql('postgres', "CREATE DATABASE certdb");
 
+	# Update password of each user as needed.
+	if (defined($passwd))
+	{
+		$node->psql('postgres',
+"SET password_encryption='$passwdhash'; ALTER USER ssltestuser PASSWORD '$passwd';");
+		$node->psql('postgres',
+"SET password_encryption='$passwdhash'; ALTER USER anotheruser PASSWORD '$passwd';");
+	}
+
 	# enable logging etc.
 	open my $conf, '>>', "$pgdata/postgresql.conf";
 	print $conf "fsync=off\n";
@@ -129,7 +141,7 @@ sub configure_test_server_for_ssl
 	$node->restart;
 
 	# Change pg_hba after restart because hostssl requires ssl=on
-	configure_hba_for_ssl($node, $serverhost);
+	configure_hba_for_ssl($node, $serverhost, $sslmethod);
 }
 
 # Change the configuration to use given server cert file, and reload
@@ -159,6 +171,7 @@ sub configure_hba_for_ssl
 {
 	my $node       = $_[0];
 	my $serverhost = $_[1];
+	my $sslmethod  = $_[2];
 	my $pgdata     = $node->data_dir;
 
   # Only accept SSL connections from localhost. Our tests don't depend on this
@@ -169,9 +182,9 @@ sub configure_hba_for_ssl
 	print $hba
 "# TYPE  DATABASE        USER            ADDRESS                 METHOD\n";
 	print $hba
-"hostssl trustdb         ssltestuser     $serverhost/32            trust\n";
+"hostssl trustdb         ssltestuser     $serverhost/32          $sslmethod\n";
 	print $hba
-"hostssl trustdb         ssltestuser     ::1/128                 trust\n";
+"hostssl trustdb         ssltestuser     ::1/128                 $sslmethod\n";
 	print $hba
 "hostssl certdb          ssltestuser     $serverhost/32            cert\n";
 	print $hba
diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl
index 890e3051a2..e690c1fa15 100644
--- a/src/test/ssl/t/001_ssltests.pl
+++ b/src/test/ssl/t/001_ssltests.pl
@@ -32,7 +32,7 @@ $node->init;
 $ENV{PGHOST} = $node->host;
 $ENV{PGPORT} = $node->port;
 $node->start;
-configure_test_server_for_ssl($node, $SERVERHOSTADDR);
+configure_test_server_for_ssl($node, $SERVERHOSTADDR, "trust");
 switch_server_cert($node, 'server-cn-only');
 
 ### Part 1. Run client-side tests.
diff --git a/src/test/ssl/t/002_sasl.pl b/src/test/ssl/t/002_sasl.pl
new file mode 100644
index 0000000000..d43a970b55
--- /dev/null
+++ b/src/test/ssl/t/002_sasl.pl
@@ -0,0 +1,41 @@
+use strict;
+use warnings;
+use PostgresNode;
+use TestLib;
+use Test::More tests => 1;
+use ServerSetup;
+use File::Copy;
+
+# test combinations of SASL authentication for SCRAM mechanism:
+# - SCRAM-SHA-256 and SCRAM-SHA-256-PLUS
+# - Channel bindings
+
+# This is the hostname used to connect to the server.
+my $SERVERHOSTADDR = '127.0.0.1';
+
+# Allocation of base connection string shared among multiple tests.
+my $common_connstr;
+
+#### Part 0. Set up the server.
+
+note "setting up data directory";
+my $node = get_new_node('master');
+$node->init;
+
+# PGHOST is enforced here to set up the node, subsequent connections
+# will use a dedicated connection string.
+$ENV{PGHOST} = $node->host;
+$ENV{PGPORT} = $node->port;
+$node->start;
+
+# Configure server for SSL connections, with password handling.
+configure_test_server_for_ssl($node, $SERVERHOSTADDR, "scram-sha-256",
+							  "pass", "scram-sha-256");
+switch_server_cert($node, 'server-cn-only');
+$ENV{PGPASSWORD} = "pass";
+$common_connstr =
+"user=ssltestuser dbname=trustdb sslmode=require hostaddr=$SERVERHOSTADDR";
+
+# Tests with default channel binding and SASL mechanism names.
+# tls-unique is used here with channel binding.
+test_connect_ok($common_connstr, "");
-- 
2.15.0

From 2873e223b78eafb2f6168154d4f95161343c57c7 Mon Sep 17 00:00:00 2001
From: Michael Paquier <michael@paquier.xyz>
Date: Tue, 10 Oct 2017 21:49:37 +0900
Subject: [PATCH 3/4] Add connection parameters "saslname" and
 "saslchannelbinding"

Those parameters can be used to respectively enforce the value of the
SASL mechanism name and the channel binding name sent to server during
a SASL message exchange.

A set of tests dedicated to SASL and channel binding is added as well
to the SSL test suite, which is handy to check the validity of a patch.
---
 doc/src/sgml/libpq.sgml           | 24 ++++++++++++++++++++++++
 src/backend/libpq/auth-scram.c    |  1 +
 src/interfaces/libpq/fe-auth.c    |  9 ++++++++-
 src/interfaces/libpq/fe-connect.c | 13 +++++++++++++
 src/interfaces/libpq/libpq-int.h  |  2 ++
 src/test/ssl/t/002_sasl.pl        | 18 +++++++++++++++---
 6 files changed, 63 insertions(+), 4 deletions(-)

diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml
index 694921f212..432589b815 100644
--- a/doc/src/sgml/libpq.sgml
+++ b/doc/src/sgml/libpq.sgml
@@ -1222,6 +1222,30 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname
       </listitem>
      </varlistentry>
 
+     <varlistentry id="libpq-saslname" xreflabel="saslname">
+      <term><literal>saslname</literal></term>
+      <listitem>
+       <para>
+        Controls the name of the SASL mechanism name sent to server when doing
+        a message exchange for a SASL authentication. The list of SASL
+        mechanisms supported by server are listed in
+        <xref linkend="sasl-authentication">.
+       </para>
+      </listitem>
+     </varlistentry>
+
+     <varlistentry id="libpq-saslchannelbinding" xreflabel="saslchannelbinding">
+      <term><literal>saslchannelbinding</literal></term>
+      <listitem>
+       <para>
+        Controls the name of the channel binding name sent to server when doing
+        a message exchange for a SASL authentication. The list of channel
+        binding names supported by server are listed in
+        <xref linkend="sasl-authentication">.
+       </para>
+      </listitem>
+     </varlistentry>
+     
      <varlistentry id="libpq-connect-sslmode" xreflabel="sslmode">
       <term><literal>sslmode</literal></term>
       <listitem>
diff --git a/src/backend/libpq/auth-scram.c b/src/backend/libpq/auth-scram.c
index b326c8a39e..b90be7f1ae 100644
--- a/src/backend/libpq/auth-scram.c
+++ b/src/backend/libpq/auth-scram.c
@@ -1097,6 +1097,7 @@ read_client_final_message(scram_state *state, char *input)
 	 * client has to provide channel binding value if needed.
 	 */
 	channel_binding = read_attr_value(&p, 'c');
+
 #ifdef USE_SSL
 	if (state->ssl_in_use &&
 		state->channel_binding)
diff --git a/src/interfaces/libpq/fe-auth.c b/src/interfaces/libpq/fe-auth.c
index fa24c88522..97de9a0a30 100644
--- a/src/interfaces/libpq/fe-auth.c
+++ b/src/interfaces/libpq/fe-auth.c
@@ -569,6 +569,13 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 		}
 	}
 
+	/*
+	 * If user has asked for a specific mechanism name, enforce the chosen
+	 * name to it.
+	 */
+	if (conn->saslname && strlen(conn->saslname) > 0)
+		selected_mechanism = conn->saslname;
+
 	if (!selected_mechanism)
 	{
 		printfPQExpBuffer(&conn->errorMessage,
@@ -617,7 +624,7 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 										conn->ssl_in_use,
 										channel_binding_advertised,
 										selected_mechanism,
-										NULL,	/* default channel binding */
+										conn->saslchannelbinding,
 										tls_finished,
 										tls_finished_len);
 	if (!conn->sasl_state)
diff --git a/src/interfaces/libpq/fe-connect.c b/src/interfaces/libpq/fe-connect.c
index 2c175a2a24..b092fa6d70 100644
--- a/src/interfaces/libpq/fe-connect.c
+++ b/src/interfaces/libpq/fe-connect.c
@@ -262,6 +262,15 @@ static const internalPQconninfoOption PQconninfoOptions[] = {
 		"TCP-Keepalives-Count", "", 10, /* strlen(INT32_MAX) == 10 */
 	offsetof(struct pg_conn, keepalives_count)},
 
+	/* Set of options proper to SASL */
+	{"saslname", NULL, NULL, NULL,
+		"SASL-Name", "", 21,	/* maximum name size per IANA == 21 */
+	offsetof(struct pg_conn, saslname)},
+
+	{"saslchannelbinding", NULL, NULL, NULL,
+		"SASL-Channel", "", 22,	/* sizeof("tls-unique-for-telnet") == 22 */
+	offsetof(struct pg_conn, saslchannelbinding)},
+
 	/*
 	 * ssl options are allowed even without client SSL support because the
 	 * client can still handle SSL modes "disable" and "allow". Other
@@ -3469,6 +3478,10 @@ freePGconn(PGconn *conn)
 		free(conn->keepalives_interval);
 	if (conn->keepalives_count)
 		free(conn->keepalives_count);
+	if (conn->saslname)
+		free(conn->saslname);
+	if (conn->saslchannelbinding)
+		free(conn->saslchannelbinding);
 	if (conn->sslmode)
 		free(conn->sslmode);
 	if (conn->sslcert)
diff --git a/src/interfaces/libpq/libpq-int.h b/src/interfaces/libpq/libpq-int.h
index 0eb8b60c95..6d500aa5db 100644
--- a/src/interfaces/libpq/libpq-int.h
+++ b/src/interfaces/libpq/libpq-int.h
@@ -349,6 +349,8 @@ struct pg_conn
 										 * retransmits */
 	char	   *keepalives_count;	/* maximum number of TCP keepalive
 									 * retransmits */
+	char	   *saslname;			/* SASL mechanism name */
+	char	   *saslchannelbinding;	/* channel binding used in SASL */
 	char	   *sslmode;		/* SSL mode (require,prefer,allow,disable) */
 	char	   *sslcompression; /* SSL compression (0 or 1) */
 	char	   *sslkey;			/* client key filename */
diff --git a/src/test/ssl/t/002_sasl.pl b/src/test/ssl/t/002_sasl.pl
index d43a970b55..e9226903ca 100644
--- a/src/test/ssl/t/002_sasl.pl
+++ b/src/test/ssl/t/002_sasl.pl
@@ -2,7 +2,7 @@ use strict;
 use warnings;
 use PostgresNode;
 use TestLib;
-use Test::More tests => 1;
+use Test::More tests => 6;
 use ServerSetup;
 use File::Copy;
 
@@ -37,5 +37,17 @@ $common_connstr =
 "user=ssltestuser dbname=trustdb sslmode=require hostaddr=$SERVERHOSTADDR";
 
 # Tests with default channel binding and SASL mechanism names.
-# tls-unique is used here with channel binding.
-test_connect_ok($common_connstr, "");
+# tls-unique is used here
+test_connect_ok($common_connstr, "saslname=SCRAM-SHA-256-PLUS");
+test_connect_fails($common_connstr, "saslname=not-exists");
+# Having a client willing to not use channel binding should work, and
+# so should this series.
+test_connect_ok($common_connstr, "saslname=SCRAM-SHA-256");
+test_connect_ok($common_connstr,
+		"saslname=SCRAM-SHA-256 saslchannelbinding=tls-unique");
+
+# Channel bindings
+test_connect_ok($common_connstr,
+		"saslname=SCRAM-SHA-256-PLUS saslchannelbinding=tls-unique");
+test_connect_fails($common_connstr,
+		"saslname=SCRAM-SHA-256-PLUS saslchannelbinding=not-exists");
-- 
2.15.0

From c86373764a0c7344eddf898a27a0ee3c28265b65 Mon Sep 17 00:00:00 2001
From: Michael Paquier <michael@paquier.xyz>
Date: Tue, 10 Oct 2017 22:04:22 +0900
Subject: [PATCH 4/4] Implement channel binding tls-server-end-point for SCRAM

As referenced in RFC 5929, this channel binding is not the default value
and uses a hash of the certificate as binding data. On the frontend, this
can be resumed in getting the data from SSL_get_peer_certificate() and
on the backend SSL_get_certificate().

The hashing algorithm needs also to switch to SHA-256 if the signature
algorithm is MD5 or SHA-1, so let's be careful about that.
---
 doc/src/sgml/protocol.sgml               |  3 +-
 src/backend/libpq/auth-scram.c           | 21 +++++++--
 src/backend/libpq/auth.c                 | 13 ++++--
 src/backend/libpq/be-secure-openssl.c    | 61 +++++++++++++++++++++++++
 src/include/libpq/libpq-be.h             |  1 +
 src/include/libpq/scram.h                |  4 +-
 src/interfaces/libpq/fe-auth-scram.c     | 20 +++++++-
 src/interfaces/libpq/fe-auth.c           | 12 ++++-
 src/interfaces/libpq/fe-auth.h           |  3 +-
 src/interfaces/libpq/fe-secure-openssl.c | 78 ++++++++++++++++++++++++++++++++
 src/interfaces/libpq/libpq-int.h         |  1 +
 src/test/ssl/t/002_sasl.pl               |  6 ++-
 12 files changed, 209 insertions(+), 14 deletions(-)

diff --git a/doc/src/sgml/protocol.sgml b/doc/src/sgml/protocol.sgml
index e2a3d8f4d5..9c3b8b1ded 100644
--- a/doc/src/sgml/protocol.sgml
+++ b/doc/src/sgml/protocol.sgml
@@ -1551,7 +1551,8 @@ the password is in.
 <firstterm>Channel binding</firstterm> is supported in builds with SSL
 support, and uses as mechanism name <literal>SCRAM-SHA-256-PLUS</literal>
 for this purpose as defined per IANA. The only channel binding type
-supported by the server is <literal>tls-unique</literal>.
+supported by the server is <literal>tls-unique</literal> and
+<literal>tls-server-end-point</literal>.
   </para>
 
 <procedure>
diff --git a/src/backend/libpq/auth-scram.c b/src/backend/libpq/auth-scram.c
index b90be7f1ae..ab2ff2f676 100644
--- a/src/backend/libpq/auth-scram.c
+++ b/src/backend/libpq/auth-scram.c
@@ -113,6 +113,8 @@ typedef struct
 	bool		ssl_in_use;
 	char	   *tls_finished_message;
 	int			tls_finished_len;
+	char	   *certificate_hash;
+	int			certificate_hash_len;
 	char	   *channel_binding;
 
 	int			iterations;
@@ -175,7 +177,9 @@ pg_be_scram_init(const char *username,
 				 const char *shadow_pass,
 				 bool ssl_in_use,
 				 char *tls_finished_message,
-				 int tls_finished_len)
+				 int tls_finished_len,
+				 char *certificate_hash,
+				 int certificate_hash_len)
 {
 	scram_state *state;
 	bool		got_verifier;
@@ -186,6 +190,8 @@ pg_be_scram_init(const char *username,
 	state->ssl_in_use = ssl_in_use;
 	state->tls_finished_message = tls_finished_message;
 	state->tls_finished_len = tls_finished_len;
+	state->certificate_hash = certificate_hash;
+	state->certificate_hash_len = certificate_hash_len;
 	state->channel_binding = NULL;
 
 	/*
@@ -835,11 +841,12 @@ read_client_first_message(scram_state *state, char *input)
 							 errmsg("client requires SCRAM channel binding, but it is not supported")));
 
 				/*
-				 * Read value provided by client, only tls-unique is supported
-				 * for now.
+				 * Read value provided by client, only tls-unique and
+				 * tls-server-end-point are supported for now.
 				 */
 				channel_name = read_attr_value(&input, 'p');
-				if (strcmp(channel_name, SCRAM_CHANNEL_TLS_UNIQUE) != 0)
+				if (strcmp(channel_name, SCRAM_CHANNEL_TLS_UNIQUE) != 0 &&
+					strcmp(channel_name, SCRAM_CHANNEL_TLS_ENDPOINT) != 0)
 					ereport(ERROR,
 						(errcode(ERRCODE_PROTOCOL_VIOLATION),
 						 (errmsg("unexpected SCRAM channel-binding type"))));
@@ -1111,6 +1118,12 @@ read_client_final_message(scram_state *state, char *input)
 			raw_data = state->tls_finished_message;
 			raw_data_len = state->tls_finished_len;
 		}
+		else if (strcmp(state->channel_binding,
+						SCRAM_CHANNEL_TLS_ENDPOINT) == 0)
+		{
+			raw_data = state->certificate_hash;
+			raw_data_len = state->certificate_hash_len;
+		}
 		else
 		{
 			/* should not happen */
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index 055c619cb9..e2571da438 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -873,6 +873,8 @@ CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail)
 	bool		initial;
 	char	   *tls_finished = NULL;
 	int			tls_finished_len = 0;
+	char	   *certificate_hash = NULL;
+	int			certificate_hash_len = 0;
 
 	/*
 	 * SASL auth is not supported for protocol versions before 3, because it
@@ -924,12 +926,15 @@ CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail)
 
 #ifdef USE_SSL
 	/*
-	 * Fetch the data related to the SSL finish message to be used in the
-	 * exchange.
+	 * Fetch the data related to the SSL finish message and the client
+	 * certificate (if any) to be used in the exchange.
 	 */
 	if (port->ssl_in_use)
 	{
 		tls_finished = be_tls_get_peer_finish(port, &tls_finished_len);
+		certificate_hash =
+			be_tls_get_certificate_hash(port,
+										&certificate_hash_len);
 	}
 #endif
 
@@ -948,7 +953,9 @@ CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail)
 								  shadow_pass,
 								  port->ssl_in_use,
 								  tls_finished,
-								  tls_finished_len);
+								  tls_finished_len,
+								  certificate_hash,
+								  certificate_hash_len);
 
 	/*
 	 * Loop through SASL message exchange.  This exchange can consist of
diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index d063a587d0..bf9cef7f15 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -1239,6 +1239,67 @@ be_tls_get_peer_finish(Port *port, int *len)
 	return result;
 }
 
+/*
+ * Get the server certificate hash for authentication purposes. Per
+ * RFC 5929 and tls-server-end-point, the TLS server's certificate bytes
+ * need to be hashed with SHA-256 if its signature algorithm is MD5 or
+ * SHA-1 as per RFC 5929 (https://tools.ietf.org/html/rfc5929#section-4.1).
+ * If something else is used, the same hash as the signature algorithm is
+ * used. The result is a palloc'd hash of the server certificate with its
+ * size, and NULL if there is no certificate available.
+ */
+char *
+be_tls_get_certificate_hash(Port *port, int *len)
+{
+	char	*cert_hash = NULL;
+	X509	*server_cert;
+
+	*len = 0;
+	server_cert = SSL_get_certificate(port->ssl);
+
+	if (server_cert != NULL)
+	{
+		const EVP_MD   *algo_type = NULL;
+		char			hash[EVP_MAX_MD_SIZE];	/* size for SHA-512 */
+		unsigned int	hash_size;
+		int				algo_nid;
+
+		/*
+		 * Get the signature algorithm of the certificate to determine the
+		 * hash algorithm to use for the result.
+		 */
+		if (!OBJ_find_sigid_algs(X509_get_signature_nid(server_cert),
+								 &algo_nid, NULL))
+			elog(ERROR, "could not find signature algorithm");
+
+		switch (algo_nid)
+		{
+			case NID_md5:
+			case NID_sha1:
+				algo_type = EVP_sha256();
+				break;
+
+			default:
+				algo_type = EVP_get_digestbynid(algo_nid);
+				if (algo_type == NULL)
+					elog(ERROR, "could not find digest for NID %s",
+						 OBJ_nid2sn(algo_nid));
+				break;
+		}
+
+		/* generate and save the certificate hash */
+		if (!X509_digest(server_cert, algo_type, (unsigned char *) hash,
+						 &hash_size))
+			elog(ERROR, "could not generate server certificate hash");
+
+		cert_hash = (char *) palloc(hash_size);
+		memcpy(cert_hash, hash, hash_size);
+		*len = hash_size;
+	}
+
+	return cert_hash;
+}
+
 /*
  * Convert an X509 subject name to a cstring.
  *
diff --git a/src/include/libpq/libpq-be.h b/src/include/libpq/libpq-be.h
index 5d59d79822..0392860a87 100644
--- a/src/include/libpq/libpq-be.h
+++ b/src/include/libpq/libpq-be.h
@@ -210,6 +210,7 @@ extern void be_tls_get_version(Port *port, char *ptr, size_t len);
 extern void be_tls_get_cipher(Port *port, char *ptr, size_t len);
 extern void be_tls_get_peerdn_name(Port *port, char *ptr, size_t len);
 extern char *be_tls_get_peer_finish(Port *port, int *len);
+extern char *be_tls_get_certificate_hash(Port *port, int *len);
 #endif
 
 extern ProtocolVersion FrontendProtocol;
diff --git a/src/include/libpq/scram.h b/src/include/libpq/scram.h
index 43cde0e46e..6329e111ba 100644
--- a/src/include/libpq/scram.h
+++ b/src/include/libpq/scram.h
@@ -19,6 +19,7 @@
 
 /* Channel binding names */
 #define SCRAM_CHANNEL_TLS_UNIQUE	"tls-unique"
+#define SCRAM_CHANNEL_TLS_ENDPOINT	"tls-server-end-point"
 
 /* Status codes for message exchange */
 #define SASL_EXCHANGE_CONTINUE		0
@@ -28,7 +29,8 @@
 /* Routines dedicated to authentication */
 extern void *pg_be_scram_init(const char *username, const char *shadow_pass,
 					 bool ssl_in_use, char *tls_finished_message,
-					 int tls_finished_len);
+					 int tls_finished_len, char *certificate_hash,
+					 int certificate_hash_len);
 extern int pg_be_scram_exchange(void *opaq, char *input, int inputlen,
 					 char **output, int *outputlen, char **logdetail);
 
diff --git a/src/interfaces/libpq/fe-auth-scram.c b/src/interfaces/libpq/fe-auth-scram.c
index 9bce4d980a..307e58f586 100644
--- a/src/interfaces/libpq/fe-auth-scram.c
+++ b/src/interfaces/libpq/fe-auth-scram.c
@@ -49,6 +49,8 @@ typedef struct
 	bool		channel_binding_advertised;
 	char	   *tls_finished_message;
 	int			tls_finished_len;
+	char	   *certificate_hash;
+	int			certificate_hash_len;
 	/* enforce-able user parameters */
 	char	   *saslmechanism;		/* name of mechanism used */
 	char	   *saslchannelbinding;	/* name of channel binding to use */
@@ -96,7 +98,9 @@ pg_fe_scram_init(const char *username,
 				 const char *saslmechanism,
 				 char *saslchannelbinding,
 				 char *tls_finished_message,
-				 int tls_finished_len)
+				 int tls_finished_len,
+				 char *certificate_hash,
+				 int certificate_hash_len)
 {
 	fe_scram_state *state;
 	char	   *prep_password;
@@ -115,6 +119,8 @@ pg_fe_scram_init(const char *username,
 	state->tls_finished_message = tls_finished_message;
 	state->tls_finished_len = tls_finished_len;
 	state->saslmechanism = strdup(saslmechanism);
+	state->certificate_hash = certificate_hash;
+	state->certificate_hash_len = certificate_hash_len;
 
 	/*
 	 * If user has specified a channel binding to use, enforce the
@@ -158,6 +164,8 @@ pg_fe_scram_free(void *opaq)
 		free(state->password);
 	if (state->tls_finished_message)
 		free(state->tls_finished_message);
+	if (state->certificate_hash)
+		free(state->certificate_hash);
 	if (state->saslmechanism)
 		free(state->saslmechanism);
 	if (state->saslchannelbinding)
@@ -466,7 +474,9 @@ build_client_final_message(fe_scram_state *state, PQExpBuffer errormessage)
 	 * Construct client-final-message-without-proof.  We need to remember it
 	 * for verifying the server proof in the final step of authentication.
 	 * Client needs to provide a b64 encoded string of the TLS finish message
-	 * only if a SSL connection is attempted.
+	 * only if a SSL connection is attempted using "tls-unique" as channel
+	 * binding. For "tls-server-end-point", a hash of the client certificate
+	 * is sent instead.
 	 */
 #ifdef USE_SSL
 	if (strcmp(state->saslmechanism, SCRAM_SHA256_PLUS_NAME) == 0)
@@ -479,6 +489,12 @@ build_client_final_message(fe_scram_state *state, PQExpBuffer errormessage)
 			raw_data = state->tls_finished_message;
 			raw_data_len = state->tls_finished_len;
 		}
+		else if (strcmp(state->saslchannelbinding,
+						SCRAM_CHANNEL_TLS_ENDPOINT) == 0)
+		{
+			raw_data = state->certificate_hash;
+			raw_data_len = state->certificate_hash_len;
+		}
 		else
 		{
 			/* should not happen */
diff --git a/src/interfaces/libpq/fe-auth.c b/src/interfaces/libpq/fe-auth.c
index 97de9a0a30..56dbe2be28 100644
--- a/src/interfaces/libpq/fe-auth.c
+++ b/src/interfaces/libpq/fe-auth.c
@@ -494,6 +494,8 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 	bool		channel_binding_advertised = false;
 	char	   *tls_finished = NULL;
 	int			tls_finished_len = 0;
+	char	   *certificate_hash = NULL;
+	int			certificate_hash_len = 0;
 	char	   *password;
 
 	initPQExpBuffer(&mechanism_buf);
@@ -610,6 +612,12 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 		tls_finished = pgtls_get_finish(conn, &tls_finished_len);
 		if (tls_finished == NULL)
 			goto oom_error;
+
+		certificate_hash =
+			pgtls_get_peer_certificate_hash(conn,
+											&certificate_hash_len);
+		if (certificate_hash == NULL)
+			goto error;		/* error message is set */
 	}
 #endif
 
@@ -626,7 +634,9 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 										selected_mechanism,
 										conn->saslchannelbinding,
 										tls_finished,
-										tls_finished_len);
+										tls_finished_len,
+										certificate_hash,
+										certificate_hash_len);
 	if (!conn->sasl_state)
 		goto oom_error;
 
diff --git a/src/interfaces/libpq/fe-auth.h b/src/interfaces/libpq/fe-auth.h
index 81378d0008..ed574d39e5 100644
--- a/src/interfaces/libpq/fe-auth.h
+++ b/src/interfaces/libpq/fe-auth.h
@@ -26,7 +26,8 @@ extern char *pg_fe_getauthname(PQExpBuffer errorMessage);
 extern void *pg_fe_scram_init(const char *username, const char *password,
 					 bool ssl_in_use, bool channel_binding_advertised,
 					 const char *saslmechanism,char *saslchannelbinding,
-					 char *tls_finished_message, int tls_finished_len);
+					 char *tls_finished_message, int tls_finished_len,
+					 char *certificate_hash, int certificate_hash_len);
 extern void pg_fe_scram_free(void *opaq);
 extern void pg_fe_scram_exchange(void *opaq, char *input, int inputlen,
 					 char **output, int *outputlen,
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 84a6e3c322..301bde0799 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -418,6 +418,84 @@ pgtls_get_finish(PGconn *conn, int *len)
 	return result;
 }
 
+/*
+ *	Get the hash of the server certificate
+ *
+ * This information is useful for end-point channel binding, where
+ * the client certificate hash is used as a link, per RFC 5929. If
+ * the signature hash algorithm is MD5 or SHA-1, fall back to SHA-256,
+ * as per RFC 5929 (https://tools.ietf.org/html/rfc5929#section-4.1).
+ * NULL is sent back to the caller in the event of an error, with an
+ * error message for the caller to consume.
+ */
+char *
+pgtls_get_peer_certificate_hash(PGconn *conn, int *len)
+{
+	char	   *cert_hash = NULL;
+
+	*len = 0;
+
+	if (conn->peer)
+	{
+		X509		   *peer_cert = conn->peer;
+		const EVP_MD   *algo_type = NULL;
+		char			hash[EVP_MAX_MD_SIZE];	/* size for SHA-512 */
+		unsigned int	hash_size;
+		int				algo_nid;
+
+		/*
+		 * Get the signature algorithm of the certificate to determine the
+		 * hash algorithm to use for the result.
+		 */
+		if (!OBJ_find_sigid_algs(X509_get_signature_nid(peer_cert),
+								 &algo_nid, NULL))
+		{
+			printfPQExpBuffer(&conn->errorMessage,
+							  libpq_gettext("could not find signature algorithm\n"));
+			return NULL;
+		}
+
+		switch (algo_nid)
+		{
+			case NID_md5:
+			case NID_sha1:
+				algo_type = EVP_sha256();
+				break;
+
+			default:
+				algo_type = EVP_get_digestbynid(algo_nid);
+				if (algo_type == NULL)
+				{
+					printfPQExpBuffer(&conn->errorMessage,
+									  libpq_gettext("could not find digest for NID %s\n"),
+									  OBJ_nid2sn(algo_nid));
+					return NULL;
+				}
+				break;
+		}
+
+		if (!X509_digest(peer_cert, algo_type, (unsigned char *) hash,
+						 &hash_size))
+		{
+			printfPQExpBuffer(&conn->errorMessage,
+							  libpq_gettext("could not generate peer certificate hash\n"));
+			return NULL;
+		}
+
+		/* save result */
+		cert_hash = (char *) malloc(hash_size);
+		if (cert_hash == NULL)
+		{
+			printfPQExpBuffer(&conn->errorMessage,
+							  libpq_gettext("out of memory\n"));
+			return NULL;
+		}
+		memcpy(cert_hash, hash, hash_size);
+		*len = hash_size;
+	}
+
+	return cert_hash;
+}
 
 /* ------------------------------------------------------------ */
 /*						OpenSSL specific code					*/
diff --git a/src/interfaces/libpq/libpq-int.h b/src/interfaces/libpq/libpq-int.h
index 6d500aa5db..f1e2c0bb3c 100644
--- a/src/interfaces/libpq/libpq-int.h
+++ b/src/interfaces/libpq/libpq-int.h
@@ -673,6 +673,7 @@ extern ssize_t pgtls_read(PGconn *conn, void *ptr, size_t len);
 extern bool pgtls_read_pending(PGconn *conn);
 extern ssize_t pgtls_write(PGconn *conn, const void *ptr, size_t len);
 extern char *pgtls_get_finish(PGconn *conn, int *len);
+extern char *pgtls_get_peer_certificate_hash(PGconn *conn, int *len);
 
 /*
  * this is so that we can check if a connection is non-blocking internally
diff --git a/src/test/ssl/t/002_sasl.pl b/src/test/ssl/t/002_sasl.pl
index e9226903ca..fa3cca24a2 100644
--- a/src/test/ssl/t/002_sasl.pl
+++ b/src/test/ssl/t/002_sasl.pl
@@ -2,7 +2,7 @@ use strict;
 use warnings;
 use PostgresNode;
 use TestLib;
-use Test::More tests => 6;
+use Test::More tests => 8;
 use ServerSetup;
 use File::Copy;
 
@@ -45,9 +45,13 @@ test_connect_fails($common_connstr, "saslname=not-exists");
 test_connect_ok($common_connstr, "saslname=SCRAM-SHA-256");
 test_connect_ok($common_connstr,
 		"saslname=SCRAM-SHA-256 saslchannelbinding=tls-unique");
+test_connect_ok($common_connstr,
+		"saslname=SCRAM-SHA-256 saslchannelbinding=tls-server-end-point");
 
 # Channel bindings
 test_connect_ok($common_connstr,
 		"saslname=SCRAM-SHA-256-PLUS saslchannelbinding=tls-unique");
+test_connect_ok($common_connstr,
+		"saslname=SCRAM-SHA-256-PLUS saslchannelbinding=tls-server-end-point");
 test_connect_fails($common_connstr,
 		"saslname=SCRAM-SHA-256-PLUS saslchannelbinding=not-exists");
-- 
2.15.0

From ae28f935473afe9f754a7a0ec2a6eca0162ab445 Mon Sep 17 00:00:00 2001
From: Peter Eisentraut <peter_e@gmx.net>
Date: Fri, 17 Nov 2017 14:15:50 -0500
Subject: [PATCH] Support channel binding 'tls-unique' in SCRAM

This is the basic feature set using OpenSSL to support the feature.  In
order to allow the frontend and the backend to fetch the sent and
expected TLS finish messages, a PG-like API is added to be able to make
the interface pluggable for other SSL implementations.

This commit also adds a lot of basic infrastructure to facilitate the
addition of future channel binding types as well as libpq parameters to
control the SASL mechanism names and channel binding names. Those will
be added by upcoming commits.

A set of basic tests to stress default channel binding handling is added
as well, though those are part of the SSL suite.
---
 doc/src/sgml/protocol.sgml               |  31 ++++--
 src/backend/libpq/auth-scram.c           | 180 +++++++++++++++++++++++++------
 src/backend/libpq/auth.c                 |  54 ++++++++--
 src/backend/libpq/be-secure-openssl.c    |  24 +++++
 src/include/libpq/libpq-be.h             |   1 +
 src/include/libpq/scram.h                |  10 +-
 src/interfaces/libpq/fe-auth-scram.c     | 170 +++++++++++++++++++++++++----
 src/interfaces/libpq/fe-auth.c           |  90 +++++++++++-----
 src/interfaces/libpq/fe-auth.h           |   7 +-
 src/interfaces/libpq/fe-secure-openssl.c |  27 +++++
 src/interfaces/libpq/libpq-int.h         |   5 +-
 src/test/ssl/ServerSetup.pm              |  27 +++--
 src/test/ssl/t/001_ssltests.pl           |   2 +-
 src/test/ssl/t/002_scram.pl              |  38 +++++++
 14 files changed, 554 insertions(+), 112 deletions(-)
 create mode 100644 src/test/ssl/t/002_scram.pl

diff --git a/doc/src/sgml/protocol.sgml b/doc/src/sgml/protocol.sgml
index 6d4dcf83ac..4d3b6446c4 100644
--- a/doc/src/sgml/protocol.sgml
+++ b/doc/src/sgml/protocol.sgml
@@ -1461,10 +1461,11 @@ <title>SASL Authentication</title>
 
 <para>
 <firstterm>SASL</firstterm> is a framework for authentication in connection-oriented
-protocols. At the moment, <productname>PostgreSQL</productname> implements only one SASL
-authentication mechanism, SCRAM-SHA-256, but more might be added in the
-future. The below steps illustrate how SASL authentication is performed in
-general, while the next subsection gives more details on SCRAM-SHA-256.
+protocols. At the moment, <productname>PostgreSQL</productname> implements two SASL
+authentication mechanisms, SCRAM-SHA-256 and SCRAM-SHA-256-PLUS. More
+might be added in the future. The below steps illustrate how SASL
+authentication is performed in general, while the next subsection gives
+more details on SCRAM-SHA-256 and SCRAM-SHA-256-PLUS.
 </para>
 
 <procedure>
@@ -1518,9 +1519,10 @@ <title>SASL Authentication Message Flow</title>
   <title>SCRAM-SHA-256 authentication</title>
 
   <para>
-    <firstterm>SCRAM-SHA-256</firstterm> (called just <firstterm>SCRAM</firstterm> from now on) is
-    the only implemented SASL mechanism, at the moment. It is described in detail
-    in RFC 7677 and RFC 5802.
+   The implemented SASL mechanisms at the moment
+   are <literal>SCRAM-SHA-256</literal> and its variant with channel
+   binding <literal>SCRAM-SHA-256-PLUS</literal>. They are described in
+   detail in RFC 7677 and RFC 5802.
   </para>
 
   <para>
@@ -1547,7 +1549,10 @@ <title>SCRAM-SHA-256 authentication</title>
   </para>
 
   <para>
-<firstterm>Channel binding</firstterm> has not been implemented yet.
+<firstterm>Channel binding</firstterm> is supported in PostgreSQL builds with
+SSL support. The SASL mechanism name for SCRAM with channel binding
+is <literal>SCRAM-SHA-256-PLUS</literal>.  The only channel binding type
+supported at the moment is <literal>tls-unique</literal>, defined in RFC 5929.
   </para>
 
 <procedure>
@@ -1556,13 +1561,19 @@ <title>Example</title>
 <para>
   The server sends an AuthenticationSASL message. It includes a list of
   SASL authentication mechanisms that the server can accept.
+  This will be <literal>SCRAM-SHA-256-PLUS</literal>
+  and <literal>SCRAM-SHA-256</literal> if the server is built with SSL
+  support, or else just the latter.
 </para>
 </step>
 <step id="scram-client-first">
 <para>
   The client responds by sending a SASLInitialResponse message, which
-  indicates the chosen mechanism, <literal>SCRAM-SHA-256</literal>. In the Initial
-  Client response field, the message contains the SCRAM
+  indicates the chosen mechanism, <literal>SCRAM-SHA-256</literal> or
+  <literal>SCRAM-SHA-256-PLUS</literal>. (A client is free to choose either
+  mechanism, but for better security it should choose the channel-binding
+  variant if it can support it.) In the Initial Client response field,
+  the message contains the SCRAM
   <structname>client-first-message</structname>.
 </para>
 </step>
diff --git a/src/backend/libpq/auth-scram.c b/src/backend/libpq/auth-scram.c
index ec4bb9a88e..62c8d67e56 100644
--- a/src/backend/libpq/auth-scram.c
+++ b/src/backend/libpq/auth-scram.c
@@ -17,8 +17,6 @@
  *	 by the SASLprep profile, we skip the SASLprep pre-processing and use
  *	 the raw bytes in calculating the hash.
  *
- * - Channel binding is not supported yet.
- *
  *
  * The password stored in pg_authid consists of the iteration count, salt,
  * StoredKey and ServerKey.
@@ -112,6 +110,11 @@ typedef struct
 
 	const char *username;		/* username from startup packet */
 
+	bool		ssl_in_use;
+	const char *tls_finished_message;
+	size_t		tls_finished_len;
+	char	   *channel_binding_type;
+
 	int			iterations;
 	char	   *salt;			/* base64-encoded */
 	uint8		StoredKey[SCRAM_KEY_LEN];
@@ -168,7 +171,11 @@ static char *scram_mock_salt(const char *username);
  * it will fail, as if an incorrect password was given.
  */
 void *
-pg_be_scram_init(const char *username, const char *shadow_pass)
+pg_be_scram_init(const char *username,
+				 const char *shadow_pass,
+				 bool ssl_in_use,
+				 const char *tls_finished_message,
+				 size_t tls_finished_len)
 {
 	scram_state *state;
 	bool		got_verifier;
@@ -176,6 +183,10 @@ pg_be_scram_init(const char *username, const char *shadow_pass)
 	state = (scram_state *) palloc0(sizeof(scram_state));
 	state->state = SCRAM_AUTH_INIT;
 	state->username = username;
+	state->ssl_in_use = ssl_in_use;
+	state->tls_finished_message = tls_finished_message;
+	state->tls_finished_len = tls_finished_len;
+	state->channel_binding_type = NULL;
 
 	/*
 	 * Parse the stored password verifier.
@@ -773,31 +784,88 @@ read_client_first_message(scram_state *state, char *input)
 	 *------
 	 */
 
-	/* read gs2-cbind-flag */
+	/*
+	 * Read gs2-cbind-flag.  (For details see also RFC 5802 Section 6 "Channel
+	 * Binding".)
+	 */
 	switch (*input)
 	{
 		case 'n':
-			/* Client does not support channel binding */
+			/*
+			 * The client does not support channel binding or has simply
+			 * decided to not use it.  In that case just let it go.
+			 */
+			input++;
+			if (*input != ',')
+				ereport(ERROR,
+						(errcode(ERRCODE_PROTOCOL_VIOLATION),
+						 errmsg("malformed SCRAM message"),
+						 errdetail("Comma expected, but found character \"%s\".",
+								   sanitize_char(*input))));
 			input++;
 			break;
 		case 'y':
-			/* Client supports channel binding, but we're not doing it today */
+			/*
+			 * The client supports channel binding and thinks that the server
+			 * does not.  In this case, the server must fail authentication if
+			 * it supports channel binding, which in this implementation is
+			 * the case if a connection is using SSL.
+			 */
+			if (state->ssl_in_use)
+				ereport(ERROR,
+						(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
+						 errmsg("SCRAM channel binding negotiation error"),
+						 errdetail("The client supports SCRAM channel binding but thinks the server does not.  "
+								   "However, this server does support channel binding.")));
+			input++;
+			if (*input != ',')
+				ereport(ERROR,
+						(errcode(ERRCODE_PROTOCOL_VIOLATION),
+						 errmsg("malformed SCRAM message"),
+						 errdetail("Comma expected, but found character \"%s\".",
+								   sanitize_char(*input))));
 			input++;
 			break;
 		case 'p':
-
 			/*
-			 * Client requires channel binding.  We don't support it.
-			 *
-			 * RFC 5802 specifies a particular error code,
-			 * e=server-does-support-channel-binding, for this.  But it can
-			 * only be sent in the server-final message, and we don't want to
-			 * go through the motions of the authentication, knowing it will
-			 * fail, just to send that error message.
+			 * The client requires channel biding.  Channel binding type
+			 * follows, e.g., "p=tls-unique".
 			 */
-			ereport(ERROR,
-					(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
-					 errmsg("client requires SCRAM channel binding, but it is not supported")));
+			{
+				char *channel_binding_type;
+
+				if (!state->ssl_in_use)
+					/*
+					 * Without SSL, we don't support channel binding.
+					 *
+					 * RFC 5802 specifies a particular error code,
+					 * e=server-does-support-channel-binding, for this.  But
+					 * it can only be sent in the server-final message, and we
+					 * don't want to go through the motions of the
+					 * authentication, knowing it will fail, just to send that
+					 * error message.
+					 */
+					ereport(ERROR,
+							(errcode(ERRCODE_PROTOCOL_VIOLATION),
+							 errmsg("client requires SCRAM channel binding, but it is not supported")));
+
+				/*
+				 * Read value provided by client; only tls-unique is supported
+				 * for now.  XXX Not sure whether it would be safe to print
+				 * the name of an unsupported binding type in the error
+				 * message.  Pranksters could print arbitrary strings into the
+				 * log that way.
+				 */
+				channel_binding_type = read_attr_value(&input, 'p');
+				if (strcmp(channel_binding_type, SCRAM_CHANNEL_BINDING_TLS_UNIQUE) != 0)
+					ereport(ERROR,
+							(errcode(ERRCODE_PROTOCOL_VIOLATION),
+							 (errmsg("unsupported SCRAM channel-binding type"))));
+
+				/* Save the name for handling of subsequent messages */
+				state->channel_binding_type = pstrdup(channel_binding_type);
+			}
+			break;
 		default:
 			ereport(ERROR,
 					(errcode(ERRCODE_PROTOCOL_VIOLATION),
@@ -805,13 +873,6 @@ read_client_first_message(scram_state *state, char *input)
 					 errdetail("Unexpected channel-binding flag \"%s\".",
 							   sanitize_char(*input))));
 	}
-	if (*input != ',')
-		ereport(ERROR,
-				(errcode(ERRCODE_PROTOCOL_VIOLATION),
-				 errmsg("malformed SCRAM message"),
-				 errdetail("Comma expected, but found character \"%s\".",
-						   sanitize_char(*input))));
-	input++;
 
 	/*
 	 * Forbid optional authzid (authorization identity).  We don't support it.
@@ -1032,14 +1093,73 @@ read_client_final_message(scram_state *state, char *input)
 	 */
 
 	/*
-	 * Read channel-binding.  We don't support channel binding, so it's
-	 * expected to always be "biws", which is "n,,", base64-encoded.
+	 * Read channel binding.  This repeats the channel-binding flags and is
+	 * then followed by the actual binding data depending on the type.
 	 */
 	channel_binding = read_attr_value(&p, 'c');
-	if (strcmp(channel_binding, "biws") != 0)
-		ereport(ERROR,
-				(errcode(ERRCODE_PROTOCOL_VIOLATION),
-				 (errmsg("unexpected SCRAM channel-binding attribute in client-final-message"))));
+	if (state->channel_binding_type)
+	{
+		const char *cbind_data = NULL;
+		size_t		cbind_data_len = 0;
+		size_t		cbind_header_len;
+		char	   *cbind_input;
+		size_t		cbind_input_len;
+		char	   *b64_message;
+		int			b64_message_len;
+
+		/*
+		 * Fetch data appropriate for channel binding type
+		 */
+		if (strcmp(state->channel_binding_type, SCRAM_CHANNEL_BINDING_TLS_UNIQUE) == 0)
+		{
+			cbind_data = state->tls_finished_message;
+			cbind_data_len = state->tls_finished_len;
+		}
+		else
+		{
+			/* should not happen */
+			elog(ERROR, "invalid channel binding type");
+		}
+
+		/* should not happen */
+		if (cbind_data == NULL || cbind_data_len == 0)
+			elog(ERROR, "empty channel binding data for channel binding type \"%s\"",
+				 state->channel_binding_type);
+
+		cbind_header_len = 4 + strlen(state->channel_binding_type); /* p=type,, */
+		cbind_input_len = cbind_header_len + cbind_data_len;
+		cbind_input = palloc(cbind_input_len);
+		snprintf(cbind_input, cbind_input_len, "p=%s", state->channel_binding_type);
+		memcpy(cbind_input + cbind_header_len, cbind_data, cbind_data_len);
+
+		b64_message = palloc(pg_b64_enc_len(cbind_input_len) + 1);
+		b64_message_len = pg_b64_encode(cbind_input, cbind_input_len,
+										b64_message);
+		b64_message[b64_message_len] = '\0';
+
+		/*
+		 * Compare the value sent by the client with the value expected by
+		 * the server.
+		 */
+		if (strcmp(channel_binding, b64_message) != 0)
+			ereport(ERROR,
+					(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
+					 (errmsg("SCRAM channel binding check failed"))));
+	}
+	else
+	{
+		/*
+		 * If we are not using channel binding, the binding data is expected
+		 * to always be "biws", which is "n,," base64-encoded, or "eSws",
+		 * which is "y,,".
+		 */
+		if (strcmp(channel_binding, "biws") != 0 &&
+			strcmp(channel_binding, "eSws") != 0)
+			ereport(ERROR,
+					(errcode(ERRCODE_PROTOCOL_VIOLATION),
+					 (errmsg("unexpected SCRAM channel-binding attribute in client-final-message"))));
+	}
+
 	state->client_final_nonce = read_attr_value(&p, 'r');
 
 	/* ignore optional extensions */
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index 6c915a7289..2dd3328d71 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -860,6 +860,8 @@ CheckMD5Auth(Port *port, char *shadow_pass, char **logdetail)
 static int
 CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail)
 {
+	char	   *sasl_mechs;
+	char	   *p;
 	int			mtype;
 	StringInfoData buf;
 	void	   *scram_opaq;
@@ -869,6 +871,8 @@ CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail)
 	int			inputlen;
 	int			result;
 	bool		initial;
+	char	   *tls_finished = NULL;
+	size_t		tls_finished_len = 0;
 
 	/*
 	 * SASL auth is not supported for protocol versions before 3, because it
@@ -885,12 +889,39 @@ CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail)
 
 	/*
 	 * Send the SASL authentication request to user.  It includes the list of
-	 * authentication mechanisms (which is trivial, because we only support
-	 * SCRAM-SHA-256 at the moment).  The extra "\0" is for an empty string to
-	 * terminate the list.
+	 * authentication mechanisms that are supported.  The order of mechanisms
+	 * is advertised in decreasing order of importance.  So the
+	 * channel-binding variants go first, if they are supported.  Channel
+	 * binding is only supported in SSL builds.
 	 */
-	sendAuthRequest(port, AUTH_REQ_SASL, SCRAM_SHA256_NAME "\0",
-					strlen(SCRAM_SHA256_NAME) + 2);
+	sasl_mechs = palloc(strlen(SCRAM_SHA256_PLUS_NAME) +
+						strlen(SCRAM_SHA256_NAME) + 3);
+	p = sasl_mechs;
+
+	if (port->ssl_in_use)
+	{
+		strcpy(p, SCRAM_SHA256_PLUS_NAME);
+		p += strlen(SCRAM_SHA256_PLUS_NAME) + 1;
+	}
+
+	strcpy(p, SCRAM_SHA256_NAME);
+	p += strlen(SCRAM_SHA256_NAME) + 1;
+
+	/* Put another '\0' to mark that list is finished. */
+	p[0] = '\0';
+
+	sendAuthRequest(port, AUTH_REQ_SASL, sasl_mechs, p - sasl_mechs + 1);
+	pfree(sasl_mechs);
+
+#ifdef USE_SSL
+	/*
+	 * Get data for channel binding.
+	 */
+	if (port->ssl_in_use)
+	{
+		tls_finished = be_tls_get_peer_finished(port, &tls_finished_len);
+	}
+#endif
 
 	/*
 	 * Initialize the status tracker for message exchanges.
@@ -903,7 +934,11 @@ CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail)
 	 * This is because we don't want to reveal to an attacker what usernames
 	 * are valid, nor which users have a valid password.
 	 */
-	scram_opaq = pg_be_scram_init(port->user_name, shadow_pass);
+	scram_opaq = pg_be_scram_init(port->user_name,
+								  shadow_pass,
+								  port->ssl_in_use,
+								  tls_finished,
+								  tls_finished_len);
 
 	/*
 	 * Loop through SASL message exchange.  This exchange can consist of
@@ -951,12 +986,9 @@ CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail)
 		{
 			const char *selected_mech;
 
-			/*
-			 * We only support SCRAM-SHA-256 at the moment, so anything else
-			 * is an error.
-			 */
 			selected_mech = pq_getmsgrawstring(&buf);
-			if (strcmp(selected_mech, SCRAM_SHA256_NAME) != 0)
+			if (strcmp(selected_mech, SCRAM_SHA256_NAME) != 0 &&
+				strcmp(selected_mech, SCRAM_SHA256_PLUS_NAME) != 0)
 			{
 				ereport(ERROR,
 						(errcode(ERRCODE_PROTOCOL_VIOLATION),
diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index fe15227a77..1e3e19f5e0 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -1215,6 +1215,30 @@ be_tls_get_peerdn_name(Port *port, char *ptr, size_t len)
 		ptr[0] = '\0';
 }
 
+/*
+ * Routine to get the expected TLS Finished message information from the
+ * client, useful for authorization when doing channel binding.
+ *
+ * Result is a palloc'd copy of the TLS Finished message with its size.
+ */
+char *
+be_tls_get_peer_finished(Port *port, size_t *len)
+{
+	char		dummy[1];
+	char	   *result;
+
+	/*
+	 * OpenSSL does not offer an API to directly get the length of the
+	 * expected TLS Finished message, so just do a dummy call to grab this
+	 * information to allow caller to do an allocation with a correct size.
+	 */
+	*len = SSL_get_peer_finished(port->ssl, dummy, sizeof(dummy));
+	result = palloc(*len);
+	(void) SSL_get_peer_finished(port->ssl, result, *len);
+
+	return result;
+}
+
 /*
  * Convert an X509 subject name to a cstring.
  *
diff --git a/src/include/libpq/libpq-be.h b/src/include/libpq/libpq-be.h
index 7bde744d51..856e0439d5 100644
--- a/src/include/libpq/libpq-be.h
+++ b/src/include/libpq/libpq-be.h
@@ -209,6 +209,7 @@ extern bool be_tls_get_compression(Port *port);
 extern void be_tls_get_version(Port *port, char *ptr, size_t len);
 extern void be_tls_get_cipher(Port *port, char *ptr, size_t len);
 extern void be_tls_get_peerdn_name(Port *port, char *ptr, size_t len);
+extern char *be_tls_get_peer_finished(Port *port, size_t *len);
 #endif
 
 extern ProtocolVersion FrontendProtocol;
diff --git a/src/include/libpq/scram.h b/src/include/libpq/scram.h
index 0166e1945d..99560d3d2f 100644
--- a/src/include/libpq/scram.h
+++ b/src/include/libpq/scram.h
@@ -13,8 +13,12 @@
 #ifndef PG_SCRAM_H
 #define PG_SCRAM_H
 
-/* Name of SCRAM-SHA-256 per IANA */
+/* Name of SCRAM mechanisms per IANA */
 #define SCRAM_SHA256_NAME "SCRAM-SHA-256"
+#define SCRAM_SHA256_PLUS_NAME "SCRAM-SHA-256-PLUS"	/* with channel binding */
+
+/* Channel binding types */
+#define SCRAM_CHANNEL_BINDING_TLS_UNIQUE	"tls-unique"
 
 /* Status codes for message exchange */
 #define SASL_EXCHANGE_CONTINUE		0
@@ -22,7 +26,9 @@
 #define SASL_EXCHANGE_FAILURE		2
 
 /* Routines dedicated to authentication */
-extern void *pg_be_scram_init(const char *username, const char *shadow_pass);
+extern void *pg_be_scram_init(const char *username, const char *shadow_pass,
+					 bool ssl_in_use, const char *tls_finished_message,
+					 size_t tls_finished_len);
 extern int pg_be_scram_exchange(void *opaq, char *input, int inputlen,
 					 char **output, int *outputlen, char **logdetail);
 
diff --git a/src/interfaces/libpq/fe-auth-scram.c b/src/interfaces/libpq/fe-auth-scram.c
index edfd42df85..e633e56434 100644
--- a/src/interfaces/libpq/fe-auth-scram.c
+++ b/src/interfaces/libpq/fe-auth-scram.c
@@ -17,6 +17,7 @@
 #include "common/base64.h"
 #include "common/saslprep.h"
 #include "common/scram-common.h"
+#include "libpq/scram.h"
 #include "fe-auth.h"
 
 /* These are needed for getpid(), in the fallback implementation */
@@ -44,6 +45,11 @@ typedef struct
 	/* These are supplied by the user */
 	const char *username;
 	char	   *password;
+	bool		ssl_in_use;
+	char	   *tls_finished_message;
+	size_t		tls_finished_len;
+	char	   *sasl_mechanism;
+	const char *channel_binding_type;
 
 	/* We construct these */
 	uint8		SaltedPassword[SCRAM_KEY_LEN];
@@ -79,25 +85,50 @@ static bool pg_frontend_random(char *dst, int len);
 
 /*
  * Initialize SCRAM exchange status.
+ *
+ * The non-const char* arguments should be passed in malloc'ed.  They will be
+ * freed by pg_fe_scram_free().
  */
 void *
-pg_fe_scram_init(const char *username, const char *password)
+pg_fe_scram_init(const char *username,
+				 const char *password,
+				 bool ssl_in_use,
+				 const char *sasl_mechanism,
+				 char *tls_finished_message,
+				 size_t tls_finished_len)
 {
 	fe_scram_state *state;
 	char	   *prep_password;
 	pg_saslprep_rc rc;
 
+	Assert(sasl_mechanism != NULL);
+
 	state = (fe_scram_state *) malloc(sizeof(fe_scram_state));
 	if (!state)
 		return NULL;
 	memset(state, 0, sizeof(fe_scram_state));
 	state->state = FE_SCRAM_INIT;
 	state->username = username;
+	state->ssl_in_use = ssl_in_use;
+	state->tls_finished_message = tls_finished_message;
+	state->tls_finished_len = tls_finished_len;
+	state->sasl_mechanism = strdup(sasl_mechanism);
+	if (!state->sasl_mechanism)
+	{
+		free(state);
+		return NULL;
+	}
+
+	/*
+	 * Store channel binding type.  Only one type is currently supported.
+	 */
+	state->channel_binding_type = SCRAM_CHANNEL_BINDING_TLS_UNIQUE;
 
 	/* Normalize the password with SASLprep, if possible */
 	rc = pg_saslprep(password, &prep_password);
 	if (rc == SASLPREP_OOM)
 	{
+		free(state->sasl_mechanism);
 		free(state);
 		return NULL;
 	}
@@ -106,6 +137,7 @@ pg_fe_scram_init(const char *username, const char *password)
 		prep_password = strdup(password);
 		if (!prep_password)
 		{
+			free(state->sasl_mechanism);
 			free(state);
 			return NULL;
 		}
@@ -125,6 +157,10 @@ pg_fe_scram_free(void *opaq)
 
 	if (state->password)
 		free(state->password);
+	if (state->tls_finished_message)
+		free(state->tls_finished_message);
+	if (state->sasl_mechanism)
+		free(state->sasl_mechanism);
 
 	/* client messages */
 	if (state->client_nonce)
@@ -297,9 +333,10 @@ static char *
 build_client_first_message(fe_scram_state *state, PQExpBuffer errormessage)
 {
 	char		raw_nonce[SCRAM_RAW_NONCE_LEN + 1];
-	char	   *buf;
-	char		buflen;
+	char	   *result;
+	int			channel_info_len;
 	int			encoded_len;
+	PQExpBufferData buf;
 
 	/*
 	 * Generate a "raw" nonce.  This is converted to ASCII-printable form by
@@ -328,26 +365,61 @@ build_client_first_message(fe_scram_state *state, PQExpBuffer errormessage)
 	 * prepared with SASLprep, the message parsing would fail if it includes
 	 * '=' or ',' characters.
 	 */
-	buflen = 8 + strlen(state->client_nonce) + 1;
-	buf = malloc(buflen);
-	if (buf == NULL)
+
+	initPQExpBuffer(&buf);
+
+	/*
+	 * First build the gs2-header with channel binding information.
+	 */
+	if (strcmp(state->sasl_mechanism, SCRAM_SHA256_PLUS_NAME) == 0)
 	{
-		printfPQExpBuffer(errormessage,
-						  libpq_gettext("out of memory\n"));
-		return NULL;
+		Assert(state->ssl_in_use);
+		appendPQExpBuffer(&buf, "p=%s", state->channel_binding_type);
 	}
-	snprintf(buf, buflen, "n,,n=,r=%s", state->client_nonce);
-
-	state->client_first_message_bare = strdup(buf + 3);
-	if (!state->client_first_message_bare)
+	else if (state->ssl_in_use)
 	{
-		free(buf);
-		printfPQExpBuffer(errormessage,
-						  libpq_gettext("out of memory\n"));
-		return NULL;
+		/*
+		 * Client supports channel binding, but thinks the server does not.
+		 */
+		appendPQExpBuffer(&buf, "y");
 	}
+	else
+	{
+		/*
+		 * Client does not support channel binding.
+		 */
+		appendPQExpBuffer(&buf, "n");
+	}
+
+	if (PQExpBufferDataBroken(buf))
+		goto oom_error;
+
+	channel_info_len = buf.len;
+
+	appendPQExpBuffer(&buf, ",,n=,r=%s", state->client_nonce);
+	if (PQExpBufferDataBroken(buf))
+		goto oom_error;
+
+	/*
+	 * The first message content needs to be saved without channel binding
+	 * information.
+	 */
+	state->client_first_message_bare = strdup(buf.data + channel_info_len + 2);
+	if (!state->client_first_message_bare)
+		goto oom_error;
+
+	result = strdup(buf.data);
+	if (result == NULL)
+		goto oom_error;
+
+	termPQExpBuffer(&buf);
+	return result;
 
-	return buf;
+oom_error:
+	termPQExpBuffer(&buf);
+	printfPQExpBuffer(errormessage,
+					  libpq_gettext("out of memory\n"));
+	return NULL;
 }
 
 /*
@@ -366,7 +438,67 @@ build_client_final_message(fe_scram_state *state, PQExpBuffer errormessage)
 	 * Construct client-final-message-without-proof.  We need to remember it
 	 * for verifying the server proof in the final step of authentication.
 	 */
-	appendPQExpBuffer(&buf, "c=biws,r=%s", state->nonce);
+	if (strcmp(state->sasl_mechanism, SCRAM_SHA256_PLUS_NAME) == 0)
+	{
+		char	   *cbind_data;
+		size_t		cbind_data_len;
+		size_t		cbind_header_len;
+		char	   *cbind_input;
+		size_t		cbind_input_len;
+
+		if (strcmp(state->channel_binding_type, SCRAM_CHANNEL_BINDING_TLS_UNIQUE) == 0)
+		{
+			cbind_data = state->tls_finished_message;
+			cbind_data_len = state->tls_finished_len;
+		}
+		else
+		{
+			/* should not happen */
+			termPQExpBuffer(&buf);
+			printfPQExpBuffer(errormessage,
+							  libpq_gettext("invalid channel binding type\n"));
+			return NULL;
+		}
+
+		/* should not happen */
+		if (cbind_data == NULL || cbind_data_len == 0)
+		{
+			termPQExpBuffer(&buf);
+			printfPQExpBuffer(errormessage,
+							  libpq_gettext("empty channel binding data for channel binding type \"%s\"\n"),
+							  state->channel_binding_type);
+			return NULL;
+		}
+
+		appendPQExpBuffer(&buf, "c=");
+
+		cbind_header_len = 4 + strlen(state->channel_binding_type); /* p=type,, */
+		cbind_input_len = cbind_header_len + cbind_data_len;
+		cbind_input = malloc(cbind_input_len);
+		if (!cbind_input)
+			goto oom_error;
+		snprintf(cbind_input, cbind_input_len, "p=%s", state->channel_binding_type);
+		memcpy(cbind_input + cbind_header_len, cbind_data, cbind_data_len);
+
+		if (!enlargePQExpBuffer(&buf, pg_b64_enc_len(cbind_input_len)))
+		{
+			free(cbind_input);
+			goto oom_error;
+		}
+		buf.len += pg_b64_encode(cbind_input, cbind_input_len, buf.data + buf.len);
+		buf.data[buf.len] = '\0';
+
+		free(cbind_input);
+	}
+	else if (state->ssl_in_use)
+		appendPQExpBuffer(&buf, "c=eSws"); /* base64 of "y,," */
+	else
+		appendPQExpBuffer(&buf, "c=biws"); /* base64 of "n,," */
+
+	if (PQExpBufferDataBroken(buf))
+		goto oom_error;
+
+	appendPQExpBuffer(&buf, ",r=%s", state->nonce);
 	if (PQExpBufferDataBroken(buf))
 		goto oom_error;
 
diff --git a/src/interfaces/libpq/fe-auth.c b/src/interfaces/libpq/fe-auth.c
index 382558f3f8..9d394919ef 100644
--- a/src/interfaces/libpq/fe-auth.c
+++ b/src/interfaces/libpq/fe-auth.c
@@ -491,6 +491,9 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 	bool		success;
 	const char *selected_mechanism;
 	PQExpBufferData mechanism_buf;
+	char	   *tls_finished = NULL;
+	size_t		tls_finished_len = 0;
+	char	   *password;
 
 	initPQExpBuffer(&mechanism_buf);
 
@@ -504,7 +507,8 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 	/*
 	 * Parse the list of SASL authentication mechanisms in the
 	 * AuthenticationSASL message, and select the best mechanism that we
-	 * support.  (Only SCRAM-SHA-256 is supported at the moment.)
+	 * support.  SCRAM-SHA-256-PLUS and SCRAM-SHA-256 are the only ones
+	 * supported at the moment, listed by order of decreasing importance.
 	 */
 	selected_mechanism = NULL;
 	for (;;)
@@ -523,35 +527,17 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 			break;
 
 		/*
-		 * If we have already selected a mechanism, just skip through the rest
-		 * of the list.
+		 * Select the mechanism to use.  Pick SCRAM-SHA-256-PLUS over anything
+		 * else.  Pick SCRAM-SHA-256 if nothing else has already been picked.
+		 * If we add more mechanisms, a more refined priority mechanism might
+		 * become necessary.
 		 */
-		if (selected_mechanism)
-			continue;
-
-		/*
-		 * Do we support this mechanism?
-		 */
-		if (strcmp(mechanism_buf.data, SCRAM_SHA256_NAME) == 0)
-		{
-			char	   *password;
-
-			conn->password_needed = true;
-			password = conn->connhost[conn->whichhost].password;
-			if (password == NULL)
-				password = conn->pgpass;
-			if (password == NULL || password[0] == '\0')
-			{
-				printfPQExpBuffer(&conn->errorMessage,
-								  PQnoPasswordSupplied);
-				goto error;
-			}
-
-			conn->sasl_state = pg_fe_scram_init(conn->pguser, password);
-			if (!conn->sasl_state)
-				goto oom_error;
+		if (conn->ssl_in_use &&
+			strcmp(mechanism_buf.data, SCRAM_SHA256_PLUS_NAME) == 0)
+				selected_mechanism = SCRAM_SHA256_PLUS_NAME;
+		else if (strcmp(mechanism_buf.data, SCRAM_SHA256_NAME) == 0 &&
+				 !selected_mechanism)
 			selected_mechanism = SCRAM_SHA256_NAME;
-		}
 	}
 
 	if (!selected_mechanism)
@@ -561,6 +547,54 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 		goto error;
 	}
 
+	/*
+	 * Now that the SASL mechanism has been chosen for the exchange,
+	 * initialize its state information.
+	 */
+
+	/*
+	 * First, select the password to use for the exchange, complaining if
+	 * there isn't one.  Currently, all supported SASL mechanisms require a
+	 * password, so we can just go ahead here without further distinction.
+	 */
+	conn->password_needed = true;
+	password = conn->connhost[conn->whichhost].password;
+	if (password == NULL)
+		password = conn->pgpass;
+	if (password == NULL || password[0] == '\0')
+	{
+		printfPQExpBuffer(&conn->errorMessage,
+						  PQnoPasswordSupplied);
+		goto error;
+	}
+
+#ifdef USE_SSL
+	/*
+	 * Get data for channel binding.
+	 */
+	if (strcmp(selected_mechanism, SCRAM_SHA256_PLUS_NAME) == 0)
+	{
+		tls_finished = pgtls_get_finished(conn, &tls_finished_len);
+		if (tls_finished == NULL)
+			goto oom_error;
+	}
+#endif
+
+	/*
+	 * Initialize the SASL state information with all the information
+	 * gathered during the initial exchange.
+	 *
+	 * Note: Only tls-unique is supported for the moment.
+	 */
+	conn->sasl_state = pg_fe_scram_init(conn->pguser,
+										password,
+										conn->ssl_in_use,
+										selected_mechanism,
+										tls_finished,
+										tls_finished_len);
+	if (!conn->sasl_state)
+		goto oom_error;
+
 	/* Get the mechanism-specific Initial Client Response, if any */
 	pg_fe_scram_exchange(conn->sasl_state,
 						 NULL, -1,
diff --git a/src/interfaces/libpq/fe-auth.h b/src/interfaces/libpq/fe-auth.h
index 5dc6bb5341..1525a52742 100644
--- a/src/interfaces/libpq/fe-auth.h
+++ b/src/interfaces/libpq/fe-auth.h
@@ -23,7 +23,12 @@ extern int	pg_fe_sendauth(AuthRequest areq, int payloadlen, PGconn *conn);
 extern char *pg_fe_getauthname(PQExpBuffer errorMessage);
 
 /* Prototypes for functions in fe-auth-scram.c */
-extern void *pg_fe_scram_init(const char *username, const char *password);
+extern void *pg_fe_scram_init(const char *username,
+							  const char *password,
+							  bool ssl_in_use,
+							  const char *sasl_mechanism,
+							  char *tls_finished_message,
+							  size_t tls_finished_len);
 extern void pg_fe_scram_free(void *opaq);
 extern void pg_fe_scram_exchange(void *opaq, char *input, int inputlen,
 					 char **output, int *outputlen,
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 2f29820e82..61d161b367 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -393,6 +393,33 @@ pgtls_write(PGconn *conn, const void *ptr, size_t len)
 	return n;
 }
 
+/*
+ *	Get the TLS finish message sent during last handshake
+ *
+ * This information is useful for callers doing channel binding during
+ * authentication.
+ */
+char *
+pgtls_get_finished(PGconn *conn, size_t *len)
+{
+	char		dummy[1];
+	char	   *result;
+
+	/*
+	 * OpenSSL does not offer an API to get directly the length of the TLS
+	 * Finished message sent, so first do a dummy call to grab this
+	 * information and then do an allocation with the correct size.
+	 */
+	*len = SSL_get_finished(conn->ssl, dummy, sizeof(dummy));
+	result = malloc(*len);
+	if (result == NULL)
+		return NULL;
+	(void) SSL_get_finished(conn->ssl, result, *len);
+
+	return result;
+}
+
+
 /* ------------------------------------------------------------ */
 /*						OpenSSL specific code					*/
 /* ------------------------------------------------------------ */
diff --git a/src/interfaces/libpq/libpq-int.h b/src/interfaces/libpq/libpq-int.h
index 42913604e3..8412ee8160 100644
--- a/src/interfaces/libpq/libpq-int.h
+++ b/src/interfaces/libpq/libpq-int.h
@@ -453,11 +453,13 @@ struct pg_conn
 	/* Assorted state for SASL, SSL, GSS, etc */
 	void	   *sasl_state;
 
+	/* SSL structures */
+	bool		ssl_in_use;
+
 #ifdef USE_SSL
 	bool		allow_ssl_try;	/* Allowed to try SSL negotiation */
 	bool		wait_ssl_try;	/* Delay SSL negotiation until after
 								 * attempting normal connection */
-	bool		ssl_in_use;
 #ifdef USE_OPENSSL
 	SSL		   *ssl;			/* SSL status, if have SSL connection */
 	X509	   *peer;			/* X509 cert of server */
@@ -668,6 +670,7 @@ extern void pgtls_close(PGconn *conn);
 extern ssize_t pgtls_read(PGconn *conn, void *ptr, size_t len);
 extern bool pgtls_read_pending(PGconn *conn);
 extern ssize_t pgtls_write(PGconn *conn, const void *ptr, size_t len);
+extern char *pgtls_get_finished(PGconn *conn, size_t *len);
 
 /*
  * this is so that we can check if a connection is non-blocking internally
diff --git a/src/test/ssl/ServerSetup.pm b/src/test/ssl/ServerSetup.pm
index ad2e036602..02f8028b2b 100644
--- a/src/test/ssl/ServerSetup.pm
+++ b/src/test/ssl/ServerSetup.pm
@@ -57,19 +57,21 @@ sub test_connect_ok
 {
 	my $common_connstr = $_[0];
 	my $connstr = $_[1];
+	my $test_name = $_[2];
 
 	my $result =
 	  run_test_psql("$common_connstr $connstr", "(should succeed)");
-	ok($result, $connstr);
+	ok($result, $test_name || $connstr);
 }
 
 sub test_connect_fails
 {
 	my $common_connstr = $_[0];
 	my $connstr = $_[1];
+	my $test_name = $_[2];
 
 	my $result = run_test_psql("$common_connstr $connstr", "(should fail)");
-	ok(!$result, "$connstr (should fail)");
+	ok(!$result, $test_name || "$connstr (should fail)");
 }
 
 # Copy a set of files, taking into account wildcards
@@ -89,8 +91,7 @@ sub copy_files
 
 sub configure_test_server_for_ssl
 {
-	my $node       = $_[0];
-	my $serverhost = $_[1];
+	my ($node, $serverhost, $authmethod, $password, $password_enc) = @_;
 
 	my $pgdata = $node->data_dir;
 
@@ -100,6 +101,15 @@ sub configure_test_server_for_ssl
 	$node->psql('postgres', "CREATE DATABASE trustdb");
 	$node->psql('postgres', "CREATE DATABASE certdb");
 
+	# Update password of each user as needed.
+	if (defined($password))
+	{
+		$node->psql('postgres',
+"SET password_encryption='$password_enc'; ALTER USER ssltestuser PASSWORD '$password';");
+		$node->psql('postgres',
+"SET password_encryption='$password_enc'; ALTER USER anotheruser PASSWORD '$password';");
+	}
+
 	# enable logging etc.
 	open my $conf, '>>', "$pgdata/postgresql.conf";
 	print $conf "fsync=off\n";
@@ -129,7 +139,7 @@ sub configure_test_server_for_ssl
 	$node->restart;
 
 	# Change pg_hba after restart because hostssl requires ssl=on
-	configure_hba_for_ssl($node, $serverhost);
+	configure_hba_for_ssl($node, $serverhost, $authmethod);
 }
 
 # Change the configuration to use given server cert file, and reload
@@ -157,8 +167,7 @@ sub switch_server_cert
 
 sub configure_hba_for_ssl
 {
-	my $node       = $_[0];
-	my $serverhost = $_[1];
+	my ($node, $serverhost, $authmethod) = @_;
 	my $pgdata     = $node->data_dir;
 
   # Only accept SSL connections from localhost. Our tests don't depend on this
@@ -169,9 +178,9 @@ sub configure_hba_for_ssl
 	print $hba
 "# TYPE  DATABASE        USER            ADDRESS                 METHOD\n";
 	print $hba
-"hostssl trustdb         ssltestuser     $serverhost/32            trust\n";
+"hostssl trustdb         ssltestuser     $serverhost/32            $authmethod\n";
 	print $hba
-"hostssl trustdb         ssltestuser     ::1/128                 trust\n";
+"hostssl trustdb         ssltestuser     ::1/128                 $authmethod\n";
 	print $hba
 "hostssl certdb          ssltestuser     $serverhost/32            cert\n";
 	print $hba
diff --git a/src/test/ssl/t/001_ssltests.pl b/src/test/ssl/t/001_ssltests.pl
index 890e3051a2..a0a06825c6 100644
--- a/src/test/ssl/t/001_ssltests.pl
+++ b/src/test/ssl/t/001_ssltests.pl
@@ -32,7 +32,7 @@
 $ENV{PGHOST} = $node->host;
 $ENV{PGPORT} = $node->port;
 $node->start;
-configure_test_server_for_ssl($node, $SERVERHOSTADDR);
+configure_test_server_for_ssl($node, $SERVERHOSTADDR, 'trust');
 switch_server_cert($node, 'server-cn-only');
 
 ### Part 1. Run client-side tests.
diff --git a/src/test/ssl/t/002_scram.pl b/src/test/ssl/t/002_scram.pl
new file mode 100644
index 0000000000..25f75bd52a
--- /dev/null
+++ b/src/test/ssl/t/002_scram.pl
@@ -0,0 +1,38 @@
+# Test SCRAM authentication and TLS channel binding types
+
+use strict;
+use warnings;
+use PostgresNode;
+use TestLib;
+use Test::More tests => 1;
+use ServerSetup;
+use File::Copy;
+
+# This is the hostname used to connect to the server.
+my $SERVERHOSTADDR = '127.0.0.1';
+
+# Allocation of base connection string shared among multiple tests.
+my $common_connstr;
+
+# Set up the server.
+
+note "setting up data directory";
+my $node = get_new_node('master');
+$node->init;
+
+# PGHOST is enforced here to set up the node, subsequent connections
+# will use a dedicated connection string.
+$ENV{PGHOST} = $node->host;
+$ENV{PGPORT} = $node->port;
+$node->start;
+
+# Configure server for SSL connections, with password handling.
+configure_test_server_for_ssl($node, $SERVERHOSTADDR, "scram-sha-256",
+							  "pass", "scram-sha-256");
+switch_server_cert($node, 'server-cn-only');
+$ENV{PGPASSWORD} = "pass";
+$common_connstr =
+"user=ssltestuser dbname=trustdb sslmode=require hostaddr=$SERVERHOSTADDR";
+
+test_connect_ok($common_connstr, '',
+				"SCRAM authentication with default channel binding");
-- 
2.15.0

From 03a55729f3581d6962c59de82e0e3cc41138f021 Mon Sep 17 00:00:00 2001
From: Michael Paquier <michael@paquier.xyz>
Date: Tue, 10 Oct 2017 22:04:22 +0900
Subject: [PATCH 2/2] Implement channel binding tls-server-end-point for SCRAM

As referenced in RFC 5929, this channel binding is not the default value
and uses a hash of the certificate as binding data. On the frontend, this
can be resumed in getting the data from SSL_get_peer_certificate() and
on the backend SSL_get_certificate().

The hashing algorithm needs also to switch to SHA-256 if the signature
algorithm is MD5 or SHA-1, so let's be careful about that.
---
 doc/src/sgml/protocol.sgml               |  5 +-
 src/backend/libpq/auth-scram.c           | 26 ++++++++---
 src/backend/libpq/auth.c                 |  8 +++-
 src/backend/libpq/be-secure-openssl.c    | 61 +++++++++++++++++++++++++
 src/include/libpq/libpq-be.h             |  1 +
 src/include/libpq/scram.h                |  4 +-
 src/interfaces/libpq/fe-auth-scram.c     | 24 +++++++---
 src/interfaces/libpq/fe-auth.c           | 12 ++++-
 src/interfaces/libpq/fe-auth.h           |  4 +-
 src/interfaces/libpq/fe-secure-openssl.c | 78 ++++++++++++++++++++++++++++++++
 src/interfaces/libpq/libpq-int.h         |  1 +
 src/test/ssl/t/002_scram.pl              |  5 +-
 12 files changed, 210 insertions(+), 19 deletions(-)

diff --git a/doc/src/sgml/protocol.sgml b/doc/src/sgml/protocol.sgml
index 4d3b6446c4..b00a51a8ca 100644
--- a/doc/src/sgml/protocol.sgml
+++ b/doc/src/sgml/protocol.sgml
@@ -1551,8 +1551,9 @@ the password is in.
   <para>
 <firstterm>Channel binding</firstterm> is supported in PostgreSQL builds with
 SSL support. The SASL mechanism name for SCRAM with channel binding
-is <literal>SCRAM-SHA-256-PLUS</literal>.  The only channel binding type
-supported at the moment is <literal>tls-unique</literal>, defined in RFC 5929.
+is <literal>SCRAM-SHA-256-PLUS</literal>.  Two channel binding types are
+supported at the moment: <literal>tls-unique</literal>, which is the default,
+and <literal>tls-server-end-point</literal>, both defined in RFC 5929.
   </para>
 
 <procedure>
diff --git a/src/backend/libpq/auth-scram.c b/src/backend/libpq/auth-scram.c
index 22103ce479..8f96e3927e 100644
--- a/src/backend/libpq/auth-scram.c
+++ b/src/backend/libpq/auth-scram.c
@@ -113,6 +113,8 @@ typedef struct
 	bool		ssl_in_use;
 	const char *tls_finished_message;
 	size_t		tls_finished_len;
+	const char *certificate_hash;
+	size_t		certificate_hash_len;
 	char	   *channel_binding_type;
 
 	int			iterations;
@@ -175,7 +177,9 @@ pg_be_scram_init(const char *username,
 				 const char *shadow_pass,
 				 bool ssl_in_use,
 				 const char *tls_finished_message,
-				 size_t tls_finished_len)
+				 size_t tls_finished_len,
+				 const char *certificate_hash,
+				 size_t certificate_hash_len)
 {
 	scram_state *state;
 	bool		got_verifier;
@@ -186,6 +190,8 @@ pg_be_scram_init(const char *username,
 	state->ssl_in_use = ssl_in_use;
 	state->tls_finished_message = tls_finished_message;
 	state->tls_finished_len = tls_finished_len;
+	state->certificate_hash = certificate_hash;
+	state->certificate_hash_len = certificate_hash_len;
 	state->channel_binding_type = NULL;
 
 	/*
@@ -852,13 +858,15 @@ read_client_first_message(scram_state *state, char *input)
 				}
 
 				/*
-				 * Read value provided by client; only tls-unique is supported
-				 * for now.  (It is not safe to print the name of an
-				 * unsupported binding type in the error message.  Pranksters
-				 * could print arbitrary strings into the log that way.)
+				 * Read value provided by client; only tls-unique and
+				 * tls-server-end-point are supported for now.  (It is
+				 * not safe to print the name of an unsupported binding
+				 * type in the error message.  Pranksters could print
+				 * arbitrary strings into the log that way.)
 				 */
 				channel_binding_type = read_attr_value(&input, 'p');
-				if (strcmp(channel_binding_type, SCRAM_CHANNEL_BINDING_TLS_UNIQUE) != 0)
+				if (strcmp(channel_binding_type, SCRAM_CHANNEL_BINDING_TLS_UNIQUE) != 0 &&
+					strcmp(channel_binding_type, SCRAM_CHANNEL_BINDING_TLS_ENDPOINT) != 0)
 					ereport(ERROR,
 							(errcode(ERRCODE_PROTOCOL_VIOLATION),
 							 (errmsg("unsupported SCRAM channel-binding type"))));
@@ -1116,6 +1124,12 @@ read_client_final_message(scram_state *state, char *input)
 			cbind_data = state->tls_finished_message;
 			cbind_data_len = state->tls_finished_len;
 		}
+		else if (strcmp(state->channel_binding_type,
+						SCRAM_CHANNEL_BINDING_TLS_ENDPOINT) == 0)
+		{
+			cbind_data = state->certificate_hash;
+			cbind_data_len = state->certificate_hash_len;
+		}
 		else
 		{
 			/* should not happen */
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index 2dd3328d71..76fe2645b9 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -873,6 +873,8 @@ CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail)
 	bool		initial;
 	char	   *tls_finished = NULL;
 	size_t		tls_finished_len = 0;
+	char	   *certificate_hash = NULL;
+	size_t		certificate_hash_len = 0;
 
 	/*
 	 * SASL auth is not supported for protocol versions before 3, because it
@@ -920,6 +922,8 @@ CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail)
 	if (port->ssl_in_use)
 	{
 		tls_finished = be_tls_get_peer_finished(port, &tls_finished_len);
+		certificate_hash = be_tls_get_certificate_hash(port,
+													   &certificate_hash_len);
 	}
 #endif
 
@@ -938,7 +942,9 @@ CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail)
 								  shadow_pass,
 								  port->ssl_in_use,
 								  tls_finished,
-								  tls_finished_len);
+								  tls_finished_len,
+								  certificate_hash,
+								  certificate_hash_len);
 
 	/*
 	 * Loop through SASL message exchange.  This exchange can consist of
diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 1e3e19f5e0..e3e8a535c8 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -1239,6 +1239,67 @@ be_tls_get_peer_finished(Port *port, size_t *len)
 	return result;
 }
 
+/*
+ * Get the server certificate hash for authentication purposes. Per
+ * RFC 5929 and tls-server-end-point, the TLS server's certificate bytes
+ * need to be hashed with SHA-256 if its signature algorithm is MD5 or
+ * SHA-1 as per RFC 5929 (https://tools.ietf.org/html/rfc5929#section-4.1).
+ * If something else is used, the same hash as the signature algorithm is
+ * used. The result is a palloc'd hash of the server certificate with its
+ * size, and NULL if there is no certificate available.
+ */
+char *
+be_tls_get_certificate_hash(Port *port, size_t *len)
+{
+	char	*cert_hash = NULL;
+	X509	*server_cert;
+
+	*len = 0;
+	server_cert = SSL_get_certificate(port->ssl);
+
+	if (server_cert != NULL)
+	{
+		const EVP_MD   *algo_type = NULL;
+		char			hash[EVP_MAX_MD_SIZE];	/* size for SHA-512 */
+		unsigned int	hash_size;
+		int				algo_nid;
+
+		/*
+		 * Get the signature algorithm of the certificate to determine the
+		 * hash algorithm to use for the result.
+		 */
+		if (!OBJ_find_sigid_algs(X509_get_signature_nid(server_cert),
+								 &algo_nid, NULL))
+			elog(ERROR, "could not find signature algorithm");
+
+		switch (algo_nid)
+		{
+			case NID_md5:
+			case NID_sha1:
+				algo_type = EVP_sha256();
+				break;
+
+			default:
+				algo_type = EVP_get_digestbynid(algo_nid);
+				if (algo_type == NULL)
+					elog(ERROR, "could not find digest for NID %s",
+						 OBJ_nid2sn(algo_nid));
+				break;
+		}
+
+		/* generate and save the certificate hash */
+		if (!X509_digest(server_cert, algo_type, (unsigned char *) hash,
+						 &hash_size))
+			elog(ERROR, "could not generate server certificate hash");
+
+		cert_hash = (char *) palloc(hash_size);
+		memcpy(cert_hash, hash, hash_size);
+		*len = hash_size;
+	}
+
+	return cert_hash;
+}
+
 /*
  * Convert an X509 subject name to a cstring.
  *
diff --git a/src/include/libpq/libpq-be.h b/src/include/libpq/libpq-be.h
index 856e0439d5..cf9d8b7870 100644
--- a/src/include/libpq/libpq-be.h
+++ b/src/include/libpq/libpq-be.h
@@ -210,6 +210,7 @@ extern void be_tls_get_version(Port *port, char *ptr, size_t len);
 extern void be_tls_get_cipher(Port *port, char *ptr, size_t len);
 extern void be_tls_get_peerdn_name(Port *port, char *ptr, size_t len);
 extern char *be_tls_get_peer_finished(Port *port, size_t *len);
+extern char *be_tls_get_certificate_hash(Port *port, size_t *len);
 #endif
 
 extern ProtocolVersion FrontendProtocol;
diff --git a/src/include/libpq/scram.h b/src/include/libpq/scram.h
index 99560d3d2f..d4e585b3bf 100644
--- a/src/include/libpq/scram.h
+++ b/src/include/libpq/scram.h
@@ -19,6 +19,7 @@
 
 /* Channel binding types */
 #define SCRAM_CHANNEL_BINDING_TLS_UNIQUE	"tls-unique"
+#define SCRAM_CHANNEL_BINDING_TLS_ENDPOINT	"tls-server-end-point"
 
 /* Status codes for message exchange */
 #define SASL_EXCHANGE_CONTINUE		0
@@ -28,7 +29,8 @@
 /* Routines dedicated to authentication */
 extern void *pg_be_scram_init(const char *username, const char *shadow_pass,
 					 bool ssl_in_use, const char *tls_finished_message,
-					 size_t tls_finished_len);
+					 size_t tls_finished_len, const char *certificate_hash,
+					 size_t certificate_hash_len);
 extern int pg_be_scram_exchange(void *opaq, char *input, int inputlen,
 					 char **output, int *outputlen, char **logdetail);
 
diff --git a/src/interfaces/libpq/fe-auth-scram.c b/src/interfaces/libpq/fe-auth-scram.c
index 9860f6b15e..38de1f14cb 100644
--- a/src/interfaces/libpq/fe-auth-scram.c
+++ b/src/interfaces/libpq/fe-auth-scram.c
@@ -48,6 +48,8 @@ typedef struct
 	bool		ssl_in_use;
 	char	   *tls_finished_message;
 	size_t		tls_finished_len;
+	char	   *certificate_hash;
+	size_t		certificate_hash_len;
 	char	   *sasl_mechanism;
 	const char *channel_binding_type;
 
@@ -96,7 +98,9 @@ pg_fe_scram_init(const char *username,
 				 const char *sasl_mechanism,
 				 const char *channel_binding_type,
 				 char *tls_finished_message,
-				 size_t tls_finished_len)
+				 size_t tls_finished_len,
+				 char *certificate_hash,
+				 size_t certificate_hash_len)
 {
 	fe_scram_state *state;
 	char	   *prep_password;
@@ -113,6 +117,8 @@ pg_fe_scram_init(const char *username,
 	state->ssl_in_use = ssl_in_use;
 	state->tls_finished_message = tls_finished_message;
 	state->tls_finished_len = tls_finished_len;
+	state->certificate_hash = certificate_hash;
+	state->certificate_hash_len = certificate_hash_len;
 	state->sasl_mechanism = strdup(sasl_mechanism);
 	if (!state->sasl_mechanism)
 	{
@@ -121,9 +127,9 @@ pg_fe_scram_init(const char *username,
 	}
 
 	/*
-	 * Store channel binding type.  Only one type is currently supported,
-	 * tls-unique, which is also the default.  Anything defined by the caller
-	 * is forcibly used.
+	 * Store channel binding type.  Two types are currently supported,
+	 * tls-unique, which is also the default, and tls-server-end-point.
+	 * Anything defined by the caller is forcibly used.
 	 */
 	if (channel_binding_type && strlen(channel_binding_type) > 0)
 		state->channel_binding_type = channel_binding_type;
@@ -165,8 +171,8 @@ pg_fe_scram_free(void *opaq)
 		free(state->password);
 	if (state->tls_finished_message)
 		free(state->tls_finished_message);
-	if (state->sasl_mechanism)
-		free(state->sasl_mechanism);
+	if (state->certificate_hash)
+		free(state->certificate_hash);
 
 	/* client messages */
 	if (state->client_nonce)
@@ -457,6 +463,12 @@ build_client_final_message(fe_scram_state *state, PQExpBuffer errormessage)
 			cbind_data = state->tls_finished_message;
 			cbind_data_len = state->tls_finished_len;
 		}
+		else if (strcmp(state->channel_binding_type,
+						SCRAM_CHANNEL_BINDING_TLS_ENDPOINT) == 0)
+		{
+			cbind_data = state->certificate_hash;
+			cbind_data_len = state->certificate_hash_len;
+		}
 		else
 		{
 			/* should not happen */
diff --git a/src/interfaces/libpq/fe-auth.c b/src/interfaces/libpq/fe-auth.c
index 2f34340f45..38cde81d55 100644
--- a/src/interfaces/libpq/fe-auth.c
+++ b/src/interfaces/libpq/fe-auth.c
@@ -493,6 +493,8 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 	PQExpBufferData mechanism_buf;
 	char	   *tls_finished = NULL;
 	size_t		tls_finished_len = 0;
+	char	   *certificate_hash = NULL;
+	size_t		certificate_hash_len = 0;
 	char	   *password;
 
 	initPQExpBuffer(&mechanism_buf);
@@ -577,6 +579,12 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 		tls_finished = pgtls_get_finished(conn, &tls_finished_len);
 		if (tls_finished == NULL)
 			goto oom_error;
+
+		certificate_hash =
+			pgtls_get_peer_certificate_hash(conn,
+											&certificate_hash_len);
+		if (certificate_hash == NULL)
+			goto error;		/* error message is set */
 	}
 #endif
 
@@ -592,7 +600,9 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 										selected_mechanism,
 										conn->saslchannelbinding,
 										tls_finished,
-										tls_finished_len);
+										tls_finished_len,
+										certificate_hash,
+										certificate_hash_len);
 	if (!conn->sasl_state)
 		goto oom_error;
 
diff --git a/src/interfaces/libpq/fe-auth.h b/src/interfaces/libpq/fe-auth.h
index 96094b0c1e..17e85d90f4 100644
--- a/src/interfaces/libpq/fe-auth.h
+++ b/src/interfaces/libpq/fe-auth.h
@@ -29,7 +29,9 @@ extern void *pg_fe_scram_init(const char *username,
 							  const char *sasl_mechanism,
 							  const char *channel_binding_type,
 							  char *tls_finished_message,
-							  size_t tls_finished_len);
+							  size_t tls_finished_len,
+							  char *certificate_hash,
+							  size_t certificate_hash_len);
 extern void pg_fe_scram_free(void *opaq);
 extern void pg_fe_scram_exchange(void *opaq, char *input, int inputlen,
 					 char **output, int *outputlen,
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 61d161b367..99077c3d9a 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -419,6 +419,84 @@ pgtls_get_finished(PGconn *conn, size_t *len)
 	return result;
 }
 
+/*
+ *	Get the hash of the server certificate
+ *
+ * This information is useful for end-point channel binding, where the
+ * client certificate hash is used as a link, per RFC 5929. If the
+ * signature hash algorithm is MD5 or SHA-1, fall back to SHA-256,
+ * as per RFC 5929 (https://tools.ietf.org/html/rfc5929#section-4.1).
+ * NULL is sent back to the caller in the event of an error, with an
+ * error message for the caller to consume.
+ */
+char *
+pgtls_get_peer_certificate_hash(PGconn *conn, size_t *len)
+{
+	char	   *cert_hash = NULL;
+
+	*len = 0;
+
+	if (conn->peer)
+	{
+		X509		   *peer_cert = conn->peer;
+		const EVP_MD   *algo_type = NULL;
+		char			hash[EVP_MAX_MD_SIZE];	/* size for SHA-512 */
+		unsigned int	hash_size;
+		int				algo_nid;
+
+		/*
+		 * Get the signature algorithm of the certificate to determine the
+		 * hash algorithm to use for the result.
+		 */
+		if (!OBJ_find_sigid_algs(X509_get_signature_nid(peer_cert),
+								 &algo_nid, NULL))
+		{
+			printfPQExpBuffer(&conn->errorMessage,
+							  libpq_gettext("could not find signature algorithm\n"));
+			return NULL;
+		}
+
+		switch (algo_nid)
+		{
+			case NID_md5:
+			case NID_sha1:
+				algo_type = EVP_sha256();
+				break;
+
+			default:
+				algo_type = EVP_get_digestbynid(algo_nid);
+				if (algo_type == NULL)
+				{
+					printfPQExpBuffer(&conn->errorMessage,
+									  libpq_gettext("could not find digest for NID %s\n"),
+									  OBJ_nid2sn(algo_nid));
+					return NULL;
+				}
+				break;
+		}
+
+		if (!X509_digest(peer_cert, algo_type, (unsigned char *) hash,
+						 &hash_size))
+		{
+			printfPQExpBuffer(&conn->errorMessage,
+							  libpq_gettext("could not generate peer certificate hash\n"));
+			return NULL;
+		}
+
+		/* save result */
+		cert_hash = (char *) malloc(hash_size);
+		if (cert_hash == NULL)
+		{
+			printfPQExpBuffer(&conn->errorMessage,
+							  libpq_gettext("out of memory\n"));
+			return NULL;
+		}
+		memcpy(cert_hash, hash, hash_size);
+		*len = hash_size;
+	}
+
+	return cert_hash;
+}
 
 /* ------------------------------------------------------------ */
 /*						OpenSSL specific code					*/
diff --git a/src/interfaces/libpq/libpq-int.h b/src/interfaces/libpq/libpq-int.h
index 1cb096f1ef..df37fc9b7f 100644
--- a/src/interfaces/libpq/libpq-int.h
+++ b/src/interfaces/libpq/libpq-int.h
@@ -672,6 +672,7 @@ extern ssize_t pgtls_read(PGconn *conn, void *ptr, size_t len);
 extern bool pgtls_read_pending(PGconn *conn);
 extern ssize_t pgtls_write(PGconn *conn, const void *ptr, size_t len);
 extern char *pgtls_get_finished(PGconn *conn, size_t *len);
+extern char *pgtls_get_peer_certificate_hash(PGconn *conn, size_t *len);
 
 /*
  * this is so that we can check if a connection is non-blocking internally
diff --git a/src/test/ssl/t/002_scram.pl b/src/test/ssl/t/002_scram.pl
index c0b9599920..5a2a24164e 100644
--- a/src/test/ssl/t/002_scram.pl
+++ b/src/test/ssl/t/002_scram.pl
@@ -4,7 +4,7 @@ use strict;
 use warnings;
 use PostgresNode;
 use TestLib;
-use Test::More tests => 3;
+use Test::More tests => 4;
 use ServerSetup;
 use File::Copy;
 
@@ -42,6 +42,9 @@ test_connect_ok($common_connstr, '',
 test_connect_ok($common_connstr,
 	"saslchannelbinding=tls-unique",
 	"SCRAM authentication with tls-unique as channel binding");
+test_connect_ok($common_connstr,
+	"saslchannelbinding=tls-server-end-point",
+	"SCRAM authentication with tls-server-end-point as channel binding");
 test_connect_fails($common_connstr,
 	"saslchannelbinding=not-exists",
 	"SCRAM authentication with invalid channel binding");
-- 
2.15.0

From 19b5728a5452d99c7ee6108ab5033d7a483351e2 Mon Sep 17 00:00:00 2001
From: Michael Paquier <michael@paquier.xyz>
Date: Tue, 21 Nov 2017 12:55:29 +0900
Subject: [PATCH 1/2] Add connection parameter "saslchannelbinding"

This parameter can be used to enforce the value of the type of channel
binding used during a SASL message exchange. This proves to be useful
now to check code paths where an invalid channel binding type is used
by a client, which is limited, but will be more useful to allow clients
to enforce the channel binding type to tls-enpoint once it gets added.

More tests dedicated to SASL and channel binding are added as well to
the SSL test suite, which is handy to check the validity of this patch.
---
 doc/src/sgml/libpq.sgml              | 12 ++++++++++++
 src/interfaces/libpq/fe-auth-scram.c | 10 ++++++++--
 src/interfaces/libpq/fe-auth.c       |  1 +
 src/interfaces/libpq/fe-auth.h       |  1 +
 src/interfaces/libpq/fe-connect.c    |  7 +++++++
 src/interfaces/libpq/libpq-int.h     |  1 +
 src/test/ssl/t/002_scram.pl          | 11 ++++++++++-
 7 files changed, 40 insertions(+), 3 deletions(-)

diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml
index 694921f212..5db947b2b5 100644
--- a/doc/src/sgml/libpq.sgml
+++ b/doc/src/sgml/libpq.sgml
@@ -1222,6 +1222,18 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname
       </listitem>
      </varlistentry>
 
+     <varlistentry id="libpq-saslchannelbinding" xreflabel="saslchannelbinding">
+      <term><literal>saslchannelbinding</literal></term>
+      <listitem>
+       <para>
+        Controls the name of the channel binding type sent to server when doing
+        a message exchange for a SASL authentication. The list of channel
+        binding names supported by server are listed in
+        <xref linkend="sasl-authentication">.
+       </para>
+      </listitem>
+     </varlistentry>
+     
      <varlistentry id="libpq-connect-sslmode" xreflabel="sslmode">
       <term><literal>sslmode</literal></term>
       <listitem>
diff --git a/src/interfaces/libpq/fe-auth-scram.c b/src/interfaces/libpq/fe-auth-scram.c
index f2403147ca..9860f6b15e 100644
--- a/src/interfaces/libpq/fe-auth-scram.c
+++ b/src/interfaces/libpq/fe-auth-scram.c
@@ -94,6 +94,7 @@ pg_fe_scram_init(const char *username,
 				 const char *password,
 				 bool ssl_in_use,
 				 const char *sasl_mechanism,
+				 const char *channel_binding_type,
 				 char *tls_finished_message,
 				 size_t tls_finished_len)
 {
@@ -120,9 +121,14 @@ pg_fe_scram_init(const char *username,
 	}
 
 	/*
-	 * Store channel binding type.  Only one type is currently supported.
+	 * Store channel binding type.  Only one type is currently supported,
+	 * tls-unique, which is also the default.  Anything defined by the caller
+	 * is forcibly used.
 	 */
-	state->channel_binding_type = SCRAM_CHANNEL_BINDING_TLS_UNIQUE;
+	if (channel_binding_type && strlen(channel_binding_type) > 0)
+		state->channel_binding_type = channel_binding_type;
+	else
+		state->channel_binding_type = SCRAM_CHANNEL_BINDING_TLS_UNIQUE;
 
 	/* Normalize the password with SASLprep, if possible */
 	rc = pg_saslprep(password, &prep_password);
diff --git a/src/interfaces/libpq/fe-auth.c b/src/interfaces/libpq/fe-auth.c
index 9d394919ef..2f34340f45 100644
--- a/src/interfaces/libpq/fe-auth.c
+++ b/src/interfaces/libpq/fe-auth.c
@@ -590,6 +590,7 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 										password,
 										conn->ssl_in_use,
 										selected_mechanism,
+										conn->saslchannelbinding,
 										tls_finished,
 										tls_finished_len);
 	if (!conn->sasl_state)
diff --git a/src/interfaces/libpq/fe-auth.h b/src/interfaces/libpq/fe-auth.h
index 1525a52742..96094b0c1e 100644
--- a/src/interfaces/libpq/fe-auth.h
+++ b/src/interfaces/libpq/fe-auth.h
@@ -27,6 +27,7 @@ extern void *pg_fe_scram_init(const char *username,
 							  const char *password,
 							  bool ssl_in_use,
 							  const char *sasl_mechanism,
+							  const char *channel_binding_type,
 							  char *tls_finished_message,
 							  size_t tls_finished_len);
 extern void pg_fe_scram_free(void *opaq);
diff --git a/src/interfaces/libpq/fe-connect.c b/src/interfaces/libpq/fe-connect.c
index 2c175a2a24..3c85501754 100644
--- a/src/interfaces/libpq/fe-connect.c
+++ b/src/interfaces/libpq/fe-connect.c
@@ -262,6 +262,11 @@ static const internalPQconninfoOption PQconninfoOptions[] = {
 		"TCP-Keepalives-Count", "", 10, /* strlen(INT32_MAX) == 10 */
 	offsetof(struct pg_conn, keepalives_count)},
 
+	/* Set of options proper to SASL */
+	{"saslchannelbinding", NULL, NULL, NULL,
+		"SASL-Channel", "", 22,	/* sizeof("tls-unique-for-telnet") == 22 */
+	offsetof(struct pg_conn, saslchannelbinding)},
+
 	/*
 	 * ssl options are allowed even without client SSL support because the
 	 * client can still handle SSL modes "disable" and "allow". Other
@@ -3469,6 +3474,8 @@ freePGconn(PGconn *conn)
 		free(conn->keepalives_interval);
 	if (conn->keepalives_count)
 		free(conn->keepalives_count);
+	if (conn->saslchannelbinding)
+		free(conn->saslchannelbinding);
 	if (conn->sslmode)
 		free(conn->sslmode);
 	if (conn->sslcert)
diff --git a/src/interfaces/libpq/libpq-int.h b/src/interfaces/libpq/libpq-int.h
index 8412ee8160..1cb096f1ef 100644
--- a/src/interfaces/libpq/libpq-int.h
+++ b/src/interfaces/libpq/libpq-int.h
@@ -349,6 +349,7 @@ struct pg_conn
 										 * retransmits */
 	char	   *keepalives_count;	/* maximum number of TCP keepalive
 									 * retransmits */
+	char	   *saslchannelbinding;	/* channel binding type used in SASL */
 	char	   *sslmode;		/* SSL mode (require,prefer,allow,disable) */
 	char	   *sslcompression; /* SSL compression (0 or 1) */
 	char	   *sslkey;			/* client key filename */
diff --git a/src/test/ssl/t/002_scram.pl b/src/test/ssl/t/002_scram.pl
index 25f75bd52a..c0b9599920 100644
--- a/src/test/ssl/t/002_scram.pl
+++ b/src/test/ssl/t/002_scram.pl
@@ -4,7 +4,7 @@ use strict;
 use warnings;
 use PostgresNode;
 use TestLib;
-use Test::More tests => 1;
+use Test::More tests => 3;
 use ServerSetup;
 use File::Copy;
 
@@ -34,5 +34,14 @@ $ENV{PGPASSWORD} = "pass";
 $common_connstr =
 "user=ssltestuser dbname=trustdb sslmode=require hostaddr=$SERVERHOSTADDR";
 
+# Defaut settings
 test_connect_ok($common_connstr, '',
 				"SCRAM authentication with default channel binding");
+
+# Channel bindings
+test_connect_ok($common_connstr,
+	"saslchannelbinding=tls-unique",
+	"SCRAM authentication with tls-unique as channel binding");
+test_connect_fails($common_connstr,
+	"saslchannelbinding=not-exists",
+	"SCRAM authentication with invalid channel binding");
-- 
2.15.0

From bdd25121ba7c1916d280f97c8e1a280ad26ea60c Mon Sep 17 00:00:00 2001
From: Michael Paquier <michael@paquier.xyz>
Date: Tue, 10 Oct 2017 22:04:22 +0900
Subject: [PATCH 2/2] Implement channel binding tls-server-end-point for SCRAM

As referenced in RFC 5929, this channel binding is not the default value
and uses a hash of the certificate as binding data. On the frontend, this
can be resumed in getting the data from SSL_get_peer_certificate() and
on the backend SSL_get_certificate().

The hashing algorithm needs also to switch to SHA-256 if the signature
algorithm is MD5 or SHA-1, so let's be careful about that.
---
 doc/src/sgml/protocol.sgml               |  5 +-
 src/backend/libpq/auth-scram.c           | 26 ++++++++---
 src/backend/libpq/auth.c                 |  8 +++-
 src/backend/libpq/be-secure-openssl.c    | 61 +++++++++++++++++++++++++
 src/include/libpq/libpq-be.h             |  1 +
 src/include/libpq/scram.h                |  4 +-
 src/interfaces/libpq/fe-auth-scram.c     | 24 +++++++---
 src/interfaces/libpq/fe-auth.c           | 12 ++++-
 src/interfaces/libpq/fe-auth.h           |  4 +-
 src/interfaces/libpq/fe-secure-openssl.c | 78 ++++++++++++++++++++++++++++++++
 src/interfaces/libpq/libpq-int.h         |  1 +
 src/test/ssl/t/002_scram.pl              |  5 +-
 12 files changed, 210 insertions(+), 19 deletions(-)

diff --git a/doc/src/sgml/protocol.sgml b/doc/src/sgml/protocol.sgml
index 8174e3defa..365f72b51d 100644
--- a/doc/src/sgml/protocol.sgml
+++ b/doc/src/sgml/protocol.sgml
@@ -1576,8 +1576,9 @@ the password is in.
   <para>
 <firstterm>Channel binding</firstterm> is supported in PostgreSQL builds with
 SSL support. The SASL mechanism name for SCRAM with channel binding
-is <literal>SCRAM-SHA-256-PLUS</literal>.  The only channel binding type
-supported at the moment is <literal>tls-unique</literal>, defined in RFC 5929.
+is <literal>SCRAM-SHA-256-PLUS</literal>.  Two channel binding types are
+supported at the moment: <literal>tls-unique</literal>, which is the default,
+and <literal>tls-server-end-point</literal>, both defined in RFC 5929.
   </para>
 
 <procedure>
diff --git a/src/backend/libpq/auth-scram.c b/src/backend/libpq/auth-scram.c
index 22103ce479..8f96e3927e 100644
--- a/src/backend/libpq/auth-scram.c
+++ b/src/backend/libpq/auth-scram.c
@@ -113,6 +113,8 @@ typedef struct
 	bool		ssl_in_use;
 	const char *tls_finished_message;
 	size_t		tls_finished_len;
+	const char *certificate_hash;
+	size_t		certificate_hash_len;
 	char	   *channel_binding_type;
 
 	int			iterations;
@@ -175,7 +177,9 @@ pg_be_scram_init(const char *username,
 				 const char *shadow_pass,
 				 bool ssl_in_use,
 				 const char *tls_finished_message,
-				 size_t tls_finished_len)
+				 size_t tls_finished_len,
+				 const char *certificate_hash,
+				 size_t certificate_hash_len)
 {
 	scram_state *state;
 	bool		got_verifier;
@@ -186,6 +190,8 @@ pg_be_scram_init(const char *username,
 	state->ssl_in_use = ssl_in_use;
 	state->tls_finished_message = tls_finished_message;
 	state->tls_finished_len = tls_finished_len;
+	state->certificate_hash = certificate_hash;
+	state->certificate_hash_len = certificate_hash_len;
 	state->channel_binding_type = NULL;
 
 	/*
@@ -852,13 +858,15 @@ read_client_first_message(scram_state *state, char *input)
 				}
 
 				/*
-				 * Read value provided by client; only tls-unique is supported
-				 * for now.  (It is not safe to print the name of an
-				 * unsupported binding type in the error message.  Pranksters
-				 * could print arbitrary strings into the log that way.)
+				 * Read value provided by client; only tls-unique and
+				 * tls-server-end-point are supported for now.  (It is
+				 * not safe to print the name of an unsupported binding
+				 * type in the error message.  Pranksters could print
+				 * arbitrary strings into the log that way.)
 				 */
 				channel_binding_type = read_attr_value(&input, 'p');
-				if (strcmp(channel_binding_type, SCRAM_CHANNEL_BINDING_TLS_UNIQUE) != 0)
+				if (strcmp(channel_binding_type, SCRAM_CHANNEL_BINDING_TLS_UNIQUE) != 0 &&
+					strcmp(channel_binding_type, SCRAM_CHANNEL_BINDING_TLS_ENDPOINT) != 0)
 					ereport(ERROR,
 							(errcode(ERRCODE_PROTOCOL_VIOLATION),
 							 (errmsg("unsupported SCRAM channel-binding type"))));
@@ -1116,6 +1124,12 @@ read_client_final_message(scram_state *state, char *input)
 			cbind_data = state->tls_finished_message;
 			cbind_data_len = state->tls_finished_len;
 		}
+		else if (strcmp(state->channel_binding_type,
+						SCRAM_CHANNEL_BINDING_TLS_ENDPOINT) == 0)
+		{
+			cbind_data = state->certificate_hash;
+			cbind_data_len = state->certificate_hash_len;
+		}
 		else
 		{
 			/* should not happen */
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index 2dd3328d71..76fe2645b9 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -873,6 +873,8 @@ CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail)
 	bool		initial;
 	char	   *tls_finished = NULL;
 	size_t		tls_finished_len = 0;
+	char	   *certificate_hash = NULL;
+	size_t		certificate_hash_len = 0;
 
 	/*
 	 * SASL auth is not supported for protocol versions before 3, because it
@@ -920,6 +922,8 @@ CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail)
 	if (port->ssl_in_use)
 	{
 		tls_finished = be_tls_get_peer_finished(port, &tls_finished_len);
+		certificate_hash = be_tls_get_certificate_hash(port,
+													   &certificate_hash_len);
 	}
 #endif
 
@@ -938,7 +942,9 @@ CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail)
 								  shadow_pass,
 								  port->ssl_in_use,
 								  tls_finished,
-								  tls_finished_len);
+								  tls_finished_len,
+								  certificate_hash,
+								  certificate_hash_len);
 
 	/*
 	 * Loop through SASL message exchange.  This exchange can consist of
diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 1e3e19f5e0..e3e8a535c8 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -1239,6 +1239,67 @@ be_tls_get_peer_finished(Port *port, size_t *len)
 	return result;
 }
 
+/*
+ * Get the server certificate hash for authentication purposes. Per
+ * RFC 5929 and tls-server-end-point, the TLS server's certificate bytes
+ * need to be hashed with SHA-256 if its signature algorithm is MD5 or
+ * SHA-1 as per RFC 5929 (https://tools.ietf.org/html/rfc5929#section-4.1).
+ * If something else is used, the same hash as the signature algorithm is
+ * used. The result is a palloc'd hash of the server certificate with its
+ * size, and NULL if there is no certificate available.
+ */
+char *
+be_tls_get_certificate_hash(Port *port, size_t *len)
+{
+	char	*cert_hash = NULL;
+	X509	*server_cert;
+
+	*len = 0;
+	server_cert = SSL_get_certificate(port->ssl);
+
+	if (server_cert != NULL)
+	{
+		const EVP_MD   *algo_type = NULL;
+		char			hash[EVP_MAX_MD_SIZE];	/* size for SHA-512 */
+		unsigned int	hash_size;
+		int				algo_nid;
+
+		/*
+		 * Get the signature algorithm of the certificate to determine the
+		 * hash algorithm to use for the result.
+		 */
+		if (!OBJ_find_sigid_algs(X509_get_signature_nid(server_cert),
+								 &algo_nid, NULL))
+			elog(ERROR, "could not find signature algorithm");
+
+		switch (algo_nid)
+		{
+			case NID_md5:
+			case NID_sha1:
+				algo_type = EVP_sha256();
+				break;
+
+			default:
+				algo_type = EVP_get_digestbynid(algo_nid);
+				if (algo_type == NULL)
+					elog(ERROR, "could not find digest for NID %s",
+						 OBJ_nid2sn(algo_nid));
+				break;
+		}
+
+		/* generate and save the certificate hash */
+		if (!X509_digest(server_cert, algo_type, (unsigned char *) hash,
+						 &hash_size))
+			elog(ERROR, "could not generate server certificate hash");
+
+		cert_hash = (char *) palloc(hash_size);
+		memcpy(cert_hash, hash, hash_size);
+		*len = hash_size;
+	}
+
+	return cert_hash;
+}
+
 /*
  * Convert an X509 subject name to a cstring.
  *
diff --git a/src/include/libpq/libpq-be.h b/src/include/libpq/libpq-be.h
index 856e0439d5..cf9d8b7870 100644
--- a/src/include/libpq/libpq-be.h
+++ b/src/include/libpq/libpq-be.h
@@ -210,6 +210,7 @@ extern void be_tls_get_version(Port *port, char *ptr, size_t len);
 extern void be_tls_get_cipher(Port *port, char *ptr, size_t len);
 extern void be_tls_get_peerdn_name(Port *port, char *ptr, size_t len);
 extern char *be_tls_get_peer_finished(Port *port, size_t *len);
+extern char *be_tls_get_certificate_hash(Port *port, size_t *len);
 #endif
 
 extern ProtocolVersion FrontendProtocol;
diff --git a/src/include/libpq/scram.h b/src/include/libpq/scram.h
index 99560d3d2f..d4e585b3bf 100644
--- a/src/include/libpq/scram.h
+++ b/src/include/libpq/scram.h
@@ -19,6 +19,7 @@
 
 /* Channel binding types */
 #define SCRAM_CHANNEL_BINDING_TLS_UNIQUE	"tls-unique"
+#define SCRAM_CHANNEL_BINDING_TLS_ENDPOINT	"tls-server-end-point"
 
 /* Status codes for message exchange */
 #define SASL_EXCHANGE_CONTINUE		0
@@ -28,7 +29,8 @@
 /* Routines dedicated to authentication */
 extern void *pg_be_scram_init(const char *username, const char *shadow_pass,
 					 bool ssl_in_use, const char *tls_finished_message,
-					 size_t tls_finished_len);
+					 size_t tls_finished_len, const char *certificate_hash,
+					 size_t certificate_hash_len);
 extern int pg_be_scram_exchange(void *opaq, char *input, int inputlen,
 					 char **output, int *outputlen, char **logdetail);
 
diff --git a/src/interfaces/libpq/fe-auth-scram.c b/src/interfaces/libpq/fe-auth-scram.c
index 9860f6b15e..38de1f14cb 100644
--- a/src/interfaces/libpq/fe-auth-scram.c
+++ b/src/interfaces/libpq/fe-auth-scram.c
@@ -48,6 +48,8 @@ typedef struct
 	bool		ssl_in_use;
 	char	   *tls_finished_message;
 	size_t		tls_finished_len;
+	char	   *certificate_hash;
+	size_t		certificate_hash_len;
 	char	   *sasl_mechanism;
 	const char *channel_binding_type;
 
@@ -96,7 +98,9 @@ pg_fe_scram_init(const char *username,
 				 const char *sasl_mechanism,
 				 const char *channel_binding_type,
 				 char *tls_finished_message,
-				 size_t tls_finished_len)
+				 size_t tls_finished_len,
+				 char *certificate_hash,
+				 size_t certificate_hash_len)
 {
 	fe_scram_state *state;
 	char	   *prep_password;
@@ -113,6 +117,8 @@ pg_fe_scram_init(const char *username,
 	state->ssl_in_use = ssl_in_use;
 	state->tls_finished_message = tls_finished_message;
 	state->tls_finished_len = tls_finished_len;
+	state->certificate_hash = certificate_hash;
+	state->certificate_hash_len = certificate_hash_len;
 	state->sasl_mechanism = strdup(sasl_mechanism);
 	if (!state->sasl_mechanism)
 	{
@@ -121,9 +127,9 @@ pg_fe_scram_init(const char *username,
 	}
 
 	/*
-	 * Store channel binding type.  Only one type is currently supported,
-	 * tls-unique, which is also the default.  Anything defined by the caller
-	 * is forcibly used.
+	 * Store channel binding type.  Two types are currently supported,
+	 * tls-unique, which is also the default, and tls-server-end-point.
+	 * Anything defined by the caller is forcibly used.
 	 */
 	if (channel_binding_type && strlen(channel_binding_type) > 0)
 		state->channel_binding_type = channel_binding_type;
@@ -165,8 +171,8 @@ pg_fe_scram_free(void *opaq)
 		free(state->password);
 	if (state->tls_finished_message)
 		free(state->tls_finished_message);
-	if (state->sasl_mechanism)
-		free(state->sasl_mechanism);
+	if (state->certificate_hash)
+		free(state->certificate_hash);
 
 	/* client messages */
 	if (state->client_nonce)
@@ -457,6 +463,12 @@ build_client_final_message(fe_scram_state *state, PQExpBuffer errormessage)
 			cbind_data = state->tls_finished_message;
 			cbind_data_len = state->tls_finished_len;
 		}
+		else if (strcmp(state->channel_binding_type,
+						SCRAM_CHANNEL_BINDING_TLS_ENDPOINT) == 0)
+		{
+			cbind_data = state->certificate_hash;
+			cbind_data_len = state->certificate_hash_len;
+		}
 		else
 		{
 			/* should not happen */
diff --git a/src/interfaces/libpq/fe-auth.c b/src/interfaces/libpq/fe-auth.c
index 2f34340f45..38cde81d55 100644
--- a/src/interfaces/libpq/fe-auth.c
+++ b/src/interfaces/libpq/fe-auth.c
@@ -493,6 +493,8 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 	PQExpBufferData mechanism_buf;
 	char	   *tls_finished = NULL;
 	size_t		tls_finished_len = 0;
+	char	   *certificate_hash = NULL;
+	size_t		certificate_hash_len = 0;
 	char	   *password;
 
 	initPQExpBuffer(&mechanism_buf);
@@ -577,6 +579,12 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 		tls_finished = pgtls_get_finished(conn, &tls_finished_len);
 		if (tls_finished == NULL)
 			goto oom_error;
+
+		certificate_hash =
+			pgtls_get_peer_certificate_hash(conn,
+											&certificate_hash_len);
+		if (certificate_hash == NULL)
+			goto error;		/* error message is set */
 	}
 #endif
 
@@ -592,7 +600,9 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 										selected_mechanism,
 										conn->saslchannelbinding,
 										tls_finished,
-										tls_finished_len);
+										tls_finished_len,
+										certificate_hash,
+										certificate_hash_len);
 	if (!conn->sasl_state)
 		goto oom_error;
 
diff --git a/src/interfaces/libpq/fe-auth.h b/src/interfaces/libpq/fe-auth.h
index 96094b0c1e..17e85d90f4 100644
--- a/src/interfaces/libpq/fe-auth.h
+++ b/src/interfaces/libpq/fe-auth.h
@@ -29,7 +29,9 @@ extern void *pg_fe_scram_init(const char *username,
 							  const char *sasl_mechanism,
 							  const char *channel_binding_type,
 							  char *tls_finished_message,
-							  size_t tls_finished_len);
+							  size_t tls_finished_len,
+							  char *certificate_hash,
+							  size_t certificate_hash_len);
 extern void pg_fe_scram_free(void *opaq);
 extern void pg_fe_scram_exchange(void *opaq, char *input, int inputlen,
 					 char **output, int *outputlen,
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 61d161b367..99077c3d9a 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -419,6 +419,84 @@ pgtls_get_finished(PGconn *conn, size_t *len)
 	return result;
 }
 
+/*
+ *	Get the hash of the server certificate
+ *
+ * This information is useful for end-point channel binding, where the
+ * client certificate hash is used as a link, per RFC 5929. If the
+ * signature hash algorithm is MD5 or SHA-1, fall back to SHA-256,
+ * as per RFC 5929 (https://tools.ietf.org/html/rfc5929#section-4.1).
+ * NULL is sent back to the caller in the event of an error, with an
+ * error message for the caller to consume.
+ */
+char *
+pgtls_get_peer_certificate_hash(PGconn *conn, size_t *len)
+{
+	char	   *cert_hash = NULL;
+
+	*len = 0;
+
+	if (conn->peer)
+	{
+		X509		   *peer_cert = conn->peer;
+		const EVP_MD   *algo_type = NULL;
+		char			hash[EVP_MAX_MD_SIZE];	/* size for SHA-512 */
+		unsigned int	hash_size;
+		int				algo_nid;
+
+		/*
+		 * Get the signature algorithm of the certificate to determine the
+		 * hash algorithm to use for the result.
+		 */
+		if (!OBJ_find_sigid_algs(X509_get_signature_nid(peer_cert),
+								 &algo_nid, NULL))
+		{
+			printfPQExpBuffer(&conn->errorMessage,
+							  libpq_gettext("could not find signature algorithm\n"));
+			return NULL;
+		}
+
+		switch (algo_nid)
+		{
+			case NID_md5:
+			case NID_sha1:
+				algo_type = EVP_sha256();
+				break;
+
+			default:
+				algo_type = EVP_get_digestbynid(algo_nid);
+				if (algo_type == NULL)
+				{
+					printfPQExpBuffer(&conn->errorMessage,
+									  libpq_gettext("could not find digest for NID %s\n"),
+									  OBJ_nid2sn(algo_nid));
+					return NULL;
+				}
+				break;
+		}
+
+		if (!X509_digest(peer_cert, algo_type, (unsigned char *) hash,
+						 &hash_size))
+		{
+			printfPQExpBuffer(&conn->errorMessage,
+							  libpq_gettext("could not generate peer certificate hash\n"));
+			return NULL;
+		}
+
+		/* save result */
+		cert_hash = (char *) malloc(hash_size);
+		if (cert_hash == NULL)
+		{
+			printfPQExpBuffer(&conn->errorMessage,
+							  libpq_gettext("out of memory\n"));
+			return NULL;
+		}
+		memcpy(cert_hash, hash, hash_size);
+		*len = hash_size;
+	}
+
+	return cert_hash;
+}
 
 /* ------------------------------------------------------------ */
 /*						OpenSSL specific code					*/
diff --git a/src/interfaces/libpq/libpq-int.h b/src/interfaces/libpq/libpq-int.h
index 1cb096f1ef..df37fc9b7f 100644
--- a/src/interfaces/libpq/libpq-int.h
+++ b/src/interfaces/libpq/libpq-int.h
@@ -672,6 +672,7 @@ extern ssize_t pgtls_read(PGconn *conn, void *ptr, size_t len);
 extern bool pgtls_read_pending(PGconn *conn);
 extern ssize_t pgtls_write(PGconn *conn, const void *ptr, size_t len);
 extern char *pgtls_get_finished(PGconn *conn, size_t *len);
+extern char *pgtls_get_peer_certificate_hash(PGconn *conn, size_t *len);
 
 /*
  * this is so that we can check if a connection is non-blocking internally
diff --git a/src/test/ssl/t/002_scram.pl b/src/test/ssl/t/002_scram.pl
index c0b9599920..5a2a24164e 100644
--- a/src/test/ssl/t/002_scram.pl
+++ b/src/test/ssl/t/002_scram.pl
@@ -4,7 +4,7 @@ use strict;
 use warnings;
 use PostgresNode;
 use TestLib;
-use Test::More tests => 3;
+use Test::More tests => 4;
 use ServerSetup;
 use File::Copy;
 
@@ -42,6 +42,9 @@ test_connect_ok($common_connstr, '',
 test_connect_ok($common_connstr,
 	"saslchannelbinding=tls-unique",
 	"SCRAM authentication with tls-unique as channel binding");
+test_connect_ok($common_connstr,
+	"saslchannelbinding=tls-server-end-point",
+	"SCRAM authentication with tls-server-end-point as channel binding");
 test_connect_fails($common_connstr,
 	"saslchannelbinding=not-exists",
 	"SCRAM authentication with invalid channel binding");
-- 
2.15.0

From b9ee2d9432a0f16cdd59c9789a064d68f0220ad0 Mon Sep 17 00:00:00 2001
From: Michael Paquier <michael@paquier.xyz>
Date: Tue, 21 Nov 2017 12:55:29 +0900
Subject: [PATCH 1/2] Add connection parameter "saslchannelbinding"

This parameter can be used to enforce the value of the type of channel
binding used during a SASL message exchange. This proves to be useful
now to check code paths where an invalid channel binding type is used
by a client, which is limited, but will be more useful to allow clients
to enforce the channel binding type to tls-enpoint once it gets added.

More tests dedicated to SASL and channel binding are added as well to
the SSL test suite, which is handy to check the validity of this patch.
---
 doc/src/sgml/libpq.sgml              | 12 ++++++++++++
 src/interfaces/libpq/fe-auth-scram.c | 10 ++++++++--
 src/interfaces/libpq/fe-auth.c       |  1 +
 src/interfaces/libpq/fe-auth.h       |  1 +
 src/interfaces/libpq/fe-connect.c    |  7 +++++++
 src/interfaces/libpq/libpq-int.h     |  1 +
 src/test/ssl/t/002_scram.pl          | 11 ++++++++++-
 7 files changed, 40 insertions(+), 3 deletions(-)

diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml
index 4703309254..2ad2061e9e 100644
--- a/doc/src/sgml/libpq.sgml
+++ b/doc/src/sgml/libpq.sgml
@@ -1222,6 +1222,18 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname
       </listitem>
      </varlistentry>
 
+     <varlistentry id="libpq-saslchannelbinding" xreflabel="saslchannelbinding">
+      <term><literal>saslchannelbinding</literal></term>
+      <listitem>
+       <para>
+        Controls the name of the channel binding type sent to server when doing
+        a message exchange for a SASL authentication. The list of channel
+        binding names supported by server are listed in
+        <xref linkend="sasl-authentication"/>.
+       </para>
+      </listitem>
+     </varlistentry>
+     
      <varlistentry id="libpq-connect-sslmode" xreflabel="sslmode">
       <term><literal>sslmode</literal></term>
       <listitem>
diff --git a/src/interfaces/libpq/fe-auth-scram.c b/src/interfaces/libpq/fe-auth-scram.c
index f2403147ca..9860f6b15e 100644
--- a/src/interfaces/libpq/fe-auth-scram.c
+++ b/src/interfaces/libpq/fe-auth-scram.c
@@ -94,6 +94,7 @@ pg_fe_scram_init(const char *username,
 				 const char *password,
 				 bool ssl_in_use,
 				 const char *sasl_mechanism,
+				 const char *channel_binding_type,
 				 char *tls_finished_message,
 				 size_t tls_finished_len)
 {
@@ -120,9 +121,14 @@ pg_fe_scram_init(const char *username,
 	}
 
 	/*
-	 * Store channel binding type.  Only one type is currently supported.
+	 * Store channel binding type.  Only one type is currently supported,
+	 * tls-unique, which is also the default.  Anything defined by the caller
+	 * is forcibly used.
 	 */
-	state->channel_binding_type = SCRAM_CHANNEL_BINDING_TLS_UNIQUE;
+	if (channel_binding_type && strlen(channel_binding_type) > 0)
+		state->channel_binding_type = channel_binding_type;
+	else
+		state->channel_binding_type = SCRAM_CHANNEL_BINDING_TLS_UNIQUE;
 
 	/* Normalize the password with SASLprep, if possible */
 	rc = pg_saslprep(password, &prep_password);
diff --git a/src/interfaces/libpq/fe-auth.c b/src/interfaces/libpq/fe-auth.c
index 9d394919ef..2f34340f45 100644
--- a/src/interfaces/libpq/fe-auth.c
+++ b/src/interfaces/libpq/fe-auth.c
@@ -590,6 +590,7 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 										password,
 										conn->ssl_in_use,
 										selected_mechanism,
+										conn->saslchannelbinding,
 										tls_finished,
 										tls_finished_len);
 	if (!conn->sasl_state)
diff --git a/src/interfaces/libpq/fe-auth.h b/src/interfaces/libpq/fe-auth.h
index 1525a52742..96094b0c1e 100644
--- a/src/interfaces/libpq/fe-auth.h
+++ b/src/interfaces/libpq/fe-auth.h
@@ -27,6 +27,7 @@ extern void *pg_fe_scram_init(const char *username,
 							  const char *password,
 							  bool ssl_in_use,
 							  const char *sasl_mechanism,
+							  const char *channel_binding_type,
 							  char *tls_finished_message,
 							  size_t tls_finished_len);
 extern void pg_fe_scram_free(void *opaq);
diff --git a/src/interfaces/libpq/fe-connect.c b/src/interfaces/libpq/fe-connect.c
index 2c175a2a24..3c85501754 100644
--- a/src/interfaces/libpq/fe-connect.c
+++ b/src/interfaces/libpq/fe-connect.c
@@ -262,6 +262,11 @@ static const internalPQconninfoOption PQconninfoOptions[] = {
 		"TCP-Keepalives-Count", "", 10, /* strlen(INT32_MAX) == 10 */
 	offsetof(struct pg_conn, keepalives_count)},
 
+	/* Set of options proper to SASL */
+	{"saslchannelbinding", NULL, NULL, NULL,
+		"SASL-Channel", "", 22,	/* sizeof("tls-unique-for-telnet") == 22 */
+	offsetof(struct pg_conn, saslchannelbinding)},
+
 	/*
 	 * ssl options are allowed even without client SSL support because the
 	 * client can still handle SSL modes "disable" and "allow". Other
@@ -3469,6 +3474,8 @@ freePGconn(PGconn *conn)
 		free(conn->keepalives_interval);
 	if (conn->keepalives_count)
 		free(conn->keepalives_count);
+	if (conn->saslchannelbinding)
+		free(conn->saslchannelbinding);
 	if (conn->sslmode)
 		free(conn->sslmode);
 	if (conn->sslcert)
diff --git a/src/interfaces/libpq/libpq-int.h b/src/interfaces/libpq/libpq-int.h
index 8412ee8160..1cb096f1ef 100644
--- a/src/interfaces/libpq/libpq-int.h
+++ b/src/interfaces/libpq/libpq-int.h
@@ -349,6 +349,7 @@ struct pg_conn
 										 * retransmits */
 	char	   *keepalives_count;	/* maximum number of TCP keepalive
 									 * retransmits */
+	char	   *saslchannelbinding;	/* channel binding type used in SASL */
 	char	   *sslmode;		/* SSL mode (require,prefer,allow,disable) */
 	char	   *sslcompression; /* SSL compression (0 or 1) */
 	char	   *sslkey;			/* client key filename */
diff --git a/src/test/ssl/t/002_scram.pl b/src/test/ssl/t/002_scram.pl
index 25f75bd52a..c0b9599920 100644
--- a/src/test/ssl/t/002_scram.pl
+++ b/src/test/ssl/t/002_scram.pl
@@ -4,7 +4,7 @@ use strict;
 use warnings;
 use PostgresNode;
 use TestLib;
-use Test::More tests => 1;
+use Test::More tests => 3;
 use ServerSetup;
 use File::Copy;
 
@@ -34,5 +34,14 @@ $ENV{PGPASSWORD} = "pass";
 $common_connstr =
 "user=ssltestuser dbname=trustdb sslmode=require hostaddr=$SERVERHOSTADDR";
 
+# Defaut settings
 test_connect_ok($common_connstr, '',
 				"SCRAM authentication with default channel binding");
+
+# Channel bindings
+test_connect_ok($common_connstr,
+	"saslchannelbinding=tls-unique",
+	"SCRAM authentication with tls-unique as channel binding");
+test_connect_fails($common_connstr,
+	"saslchannelbinding=not-exists",
+	"SCRAM authentication with invalid channel binding");
-- 
2.15.0

From e1f98fdbaa1debf932c874af47b5d635f2ab0531 Mon Sep 17 00:00:00 2001
From: Michael Paquier <michael@paquier.xyz>
Date: Fri, 1 Dec 2017 09:59:35 +0900
Subject: [PATCH 1/3] Move SCRAM-related name definitions to scram-common.h

Mechanism names for SCRAM and channel binding names have been included
in scram.h by the libpq frontend code, and this header references a set
of routines which are only used by the backend. scram-common.h is on the
contrary usable by both the backend and libpq, so referencing those
names there is more adapted.
---
 src/backend/libpq/auth.c             | 1 +
 src/include/common/scram-common.h    | 7 +++++++
 src/include/libpq/scram.h            | 7 -------
 src/interfaces/libpq/fe-auth-scram.c | 1 -
 src/interfaces/libpq/fe-auth.c       | 2 +-
 5 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index 19a91ca67d..b7f9bb1669 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -26,6 +26,7 @@
 #include "commands/user.h"
 #include "common/ip.h"
 #include "common/md5.h"
+#include "common/scram-common.h"
 #include "libpq/auth.h"
 #include "libpq/crypt.h"
 #include "libpq/libpq.h"
diff --git a/src/include/common/scram-common.h b/src/include/common/scram-common.h
index 0c5ee04f26..857a60e71f 100644
--- a/src/include/common/scram-common.h
+++ b/src/include/common/scram-common.h
@@ -15,6 +15,13 @@
 
 #include "common/sha2.h"
 
+/* Name of SCRAM mechanisms per IANA */
+#define SCRAM_SHA256_NAME "SCRAM-SHA-256"
+#define SCRAM_SHA256_PLUS_NAME "SCRAM-SHA-256-PLUS" /* with channel binding */
+
+/* Channel binding types */
+#define SCRAM_CHANNEL_BINDING_TLS_UNIQUE    "tls-unique"
+
 /* Length of SCRAM keys (client and server) */
 #define SCRAM_KEY_LEN				PG_SHA256_DIGEST_LENGTH
 
diff --git a/src/include/libpq/scram.h b/src/include/libpq/scram.h
index 91f1e0f2c7..2c245813d6 100644
--- a/src/include/libpq/scram.h
+++ b/src/include/libpq/scram.h
@@ -13,13 +13,6 @@
 #ifndef PG_SCRAM_H
 #define PG_SCRAM_H
 
-/* Name of SCRAM mechanisms per IANA */
-#define SCRAM_SHA256_NAME "SCRAM-SHA-256"
-#define SCRAM_SHA256_PLUS_NAME "SCRAM-SHA-256-PLUS" /* with channel binding */
-
-/* Channel binding types */
-#define SCRAM_CHANNEL_BINDING_TLS_UNIQUE	"tls-unique"
-
 /* Status codes for message exchange */
 #define SASL_EXCHANGE_CONTINUE		0
 #define SASL_EXCHANGE_SUCCESS		1
diff --git a/src/interfaces/libpq/fe-auth-scram.c b/src/interfaces/libpq/fe-auth-scram.c
index 97db0b1faa..8acad6f150 100644
--- a/src/interfaces/libpq/fe-auth-scram.c
+++ b/src/interfaces/libpq/fe-auth-scram.c
@@ -17,7 +17,6 @@
 #include "common/base64.h"
 #include "common/saslprep.h"
 #include "common/scram-common.h"
-#include "libpq/scram.h"
 #include "fe-auth.h"
 
 /* These are needed for getpid(), in the fallback implementation */
diff --git a/src/interfaces/libpq/fe-auth.c b/src/interfaces/libpq/fe-auth.c
index f54ad8e0cc..2cfdb7c125 100644
--- a/src/interfaces/libpq/fe-auth.c
+++ b/src/interfaces/libpq/fe-auth.c
@@ -39,8 +39,8 @@
 #endif
 
 #include "common/md5.h"
+#include "common/scram-common.h"
 #include "libpq-fe.h"
-#include "libpq/scram.h"
 #include "fe-auth.h"
 
 
-- 
2.15.0

From 8649faeff121d4e7d11030c62056609e401b3e55 Mon Sep 17 00:00:00 2001
From: Michael Paquier <michael@paquier.xyz>
Date: Fri, 1 Dec 2017 10:47:51 +0900
Subject: [PATCH 2/3] Add connection parameter "scramchannelbinding"

This parameter can be used to enforce the value of the type of channel
binding used during a SASL message exchange. This proves to be useful
now to check code paths where an invalid channel binding type is used
by a client, which is limited, but will be more useful to allow clients
to enforce the channel binding type to tls-enpoint once it gets added.

The default value is tls-unique, which is what RFC 5802 specifies. Clients
can optionally specify an empty value which has as effect to not use
channel binding and use SCRAM-SHA-256 as SASL mechanism chosen.

More tests dedicated to SASL and channel binding are added as well to
the SSL test suite, which is handy to check the validity of this patch.
---
 doc/src/sgml/libpq.sgml              | 14 ++++++++++++++
 src/interfaces/libpq/fe-auth-scram.c | 20 +++++++++++++++-----
 src/interfaces/libpq/fe-auth.c       |  9 ++++++---
 src/interfaces/libpq/fe-auth.h       |  1 +
 src/interfaces/libpq/fe-connect.c    | 10 ++++++++++
 src/interfaces/libpq/libpq-int.h     |  1 +
 src/test/ssl/t/002_scram.pl          | 14 +++++++++++++-
 7 files changed, 60 insertions(+), 9 deletions(-)

diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml
index 4703309254..8f1588d0c6 100644
--- a/doc/src/sgml/libpq.sgml
+++ b/doc/src/sgml/libpq.sgml
@@ -1222,6 +1222,20 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname
       </listitem>
      </varlistentry>
 
+     <varlistentry id="libpq-scramchannelbinding" xreflabel="scramchannelbinding">
+      <term><literal>scramchannelbinding</literal></term>
+      <listitem>
+       <para>
+        Controls the name of the channel binding type sent to server when doing
+        a message exchange for a SCRAM authentication. The list of channel
+        binding names supported by server are listed in
+        <xref linkend="sasl-authentication"/>. An empty value allows client
+        to not use channel binding. The default value is
+        <literal>tls-unique</literal>.
+       </para>
+      </listitem>
+     </varlistentry>
+     
      <varlistentry id="libpq-connect-sslmode" xreflabel="sslmode">
       <term><literal>sslmode</literal></term>
       <listitem>
diff --git a/src/interfaces/libpq/fe-auth-scram.c b/src/interfaces/libpq/fe-auth-scram.c
index 8acad6f150..66e01aefaa 100644
--- a/src/interfaces/libpq/fe-auth-scram.c
+++ b/src/interfaces/libpq/fe-auth-scram.c
@@ -93,6 +93,7 @@ pg_fe_scram_init(const char *username,
 				 const char *password,
 				 bool ssl_in_use,
 				 const char *sasl_mechanism,
+				 const char *channel_binding_type,
 				 char *tls_finished_message,
 				 size_t tls_finished_len)
 {
@@ -112,17 +113,14 @@ pg_fe_scram_init(const char *username,
 	state->tls_finished_message = tls_finished_message;
 	state->tls_finished_len = tls_finished_len;
 	state->sasl_mechanism = strdup(sasl_mechanism);
+	state->channel_binding_type = channel_binding_type;
+
 	if (!state->sasl_mechanism)
 	{
 		free(state);
 		return NULL;
 	}
 
-	/*
-	 * Store channel binding type.  Only one type is currently supported.
-	 */
-	state->channel_binding_type = SCRAM_CHANNEL_BINDING_TLS_UNIQUE;
-
 	/* Normalize the password with SASLprep, if possible */
 	rc = pg_saslprep(password, &prep_password);
 	if (rc == SASLPREP_OOM)
@@ -375,6 +373,15 @@ build_client_first_message(fe_scram_state *state, PQExpBuffer errormessage)
 		Assert(state->ssl_in_use);
 		appendPQExpBuffer(&buf, "p=%s", state->channel_binding_type);
 	}
+	else if (state->channel_binding_type == NULL ||
+			 strlen(state->channel_binding_type) == 0)
+	{
+		/*
+		 * Client has chosen to not show to server that it supports channel
+		 * binding.
+		 */
+		appendPQExpBuffer(&buf, "n");
+	}
 	else if (state->ssl_in_use)
 	{
 		/*
@@ -489,6 +496,9 @@ build_client_final_message(fe_scram_state *state, PQExpBuffer errormessage)
 
 		free(cbind_input);
 	}
+	else if (state->channel_binding_type == NULL ||
+			 strlen(state->channel_binding_type) == 0)
+		appendPQExpBuffer(&buf, "c=biws");	/* base64 of "n,," */
 	else if (state->ssl_in_use)
 		appendPQExpBuffer(&buf, "c=eSws");	/* base64 of "y,," */
 	else
diff --git a/src/interfaces/libpq/fe-auth.c b/src/interfaces/libpq/fe-auth.c
index 2cfdb7c125..5828d4207c 100644
--- a/src/interfaces/libpq/fe-auth.c
+++ b/src/interfaces/libpq/fe-auth.c
@@ -528,11 +528,13 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 
 		/*
 		 * Select the mechanism to use.  Pick SCRAM-SHA-256-PLUS over anything
-		 * else.  Pick SCRAM-SHA-256 if nothing else has already been picked.
-		 * If we add more mechanisms, a more refined priority mechanism might
-		 * become necessary.
+		 * else if a channel binding type is defined.  Pick SCRAM-SHA-256 if
+		 * nothing else has already been picked. If we add more mechanisms, a
+		 * more refined priority mechanism might become necessary.
 		 */
 		if (conn->ssl_in_use &&
+			conn->scramchannelbinding &&
+			strlen(conn->scramchannelbinding) > 0 &&
 			strcmp(mechanism_buf.data, SCRAM_SHA256_PLUS_NAME) == 0)
 			selected_mechanism = SCRAM_SHA256_PLUS_NAME;
 		else if (strcmp(mechanism_buf.data, SCRAM_SHA256_NAME) == 0 &&
@@ -591,6 +593,7 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 										password,
 										conn->ssl_in_use,
 										selected_mechanism,
+										conn->scramchannelbinding,
 										tls_finished,
 										tls_finished_len);
 	if (!conn->sasl_state)
diff --git a/src/interfaces/libpq/fe-auth.h b/src/interfaces/libpq/fe-auth.h
index 3e92410eae..db319ac071 100644
--- a/src/interfaces/libpq/fe-auth.h
+++ b/src/interfaces/libpq/fe-auth.h
@@ -27,6 +27,7 @@ extern void *pg_fe_scram_init(const char *username,
 				 const char *password,
 				 bool ssl_in_use,
 				 const char *sasl_mechanism,
+				 const char *channel_binding_type,
 				 char *tls_finished_message,
 				 size_t tls_finished_len);
 extern void pg_fe_scram_free(void *opaq);
diff --git a/src/interfaces/libpq/fe-connect.c b/src/interfaces/libpq/fe-connect.c
index 2c175a2a24..ecaa7a541e 100644
--- a/src/interfaces/libpq/fe-connect.c
+++ b/src/interfaces/libpq/fe-connect.c
@@ -71,6 +71,7 @@ static int ldapServiceLookup(const char *purl, PQconninfoOption *options,
 #endif
 
 #include "common/ip.h"
+#include "common/scram-common.h"
 #include "mb/pg_wchar.h"
 #include "port/pg_bswap.h"
 
@@ -122,6 +123,7 @@ static int ldapServiceLookup(const char *purl, PQconninfoOption *options,
 #define DefaultOption	""
 #define DefaultAuthtype		  ""
 #define DefaultTargetSessionAttrs	"any"
+#define DefaultSCRAMChannelBinding	SCRAM_CHANNEL_BINDING_TLS_UNIQUE
 #ifdef USE_SSL
 #define DefaultSSLMode "prefer"
 #else
@@ -262,6 +264,12 @@ static const internalPQconninfoOption PQconninfoOptions[] = {
 		"TCP-Keepalives-Count", "", 10, /* strlen(INT32_MAX) == 10 */
 	offsetof(struct pg_conn, keepalives_count)},
 
+	/* Set of options proper to SCRAM */
+	{"scramchannelbinding", NULL, DefaultSCRAMChannelBinding, NULL,
+		"SCRAM-Channel-Binding", "",
+		22,	/* sizeof("tls-unique-for-telnet") == 22 */
+	offsetof(struct pg_conn, scramchannelbinding)},
+
 	/*
 	 * ssl options are allowed even without client SSL support because the
 	 * client can still handle SSL modes "disable" and "allow". Other
@@ -3469,6 +3477,8 @@ freePGconn(PGconn *conn)
 		free(conn->keepalives_interval);
 	if (conn->keepalives_count)
 		free(conn->keepalives_count);
+	if (conn->scramchannelbinding)
+		free(conn->scramchannelbinding);
 	if (conn->sslmode)
 		free(conn->sslmode);
 	if (conn->sslcert)
diff --git a/src/interfaces/libpq/libpq-int.h b/src/interfaces/libpq/libpq-int.h
index 8412ee8160..b116ff8032 100644
--- a/src/interfaces/libpq/libpq-int.h
+++ b/src/interfaces/libpq/libpq-int.h
@@ -349,6 +349,7 @@ struct pg_conn
 										 * retransmits */
 	char	   *keepalives_count;	/* maximum number of TCP keepalive
 									 * retransmits */
+	char	   *scramchannelbinding; /* channel binding type used in SASL */
 	char	   *sslmode;		/* SSL mode (require,prefer,allow,disable) */
 	char	   *sslcompression; /* SSL compression (0 or 1) */
 	char	   *sslkey;			/* client key filename */
diff --git a/src/test/ssl/t/002_scram.pl b/src/test/ssl/t/002_scram.pl
index 25f75bd52a..c8e9114d64 100644
--- a/src/test/ssl/t/002_scram.pl
+++ b/src/test/ssl/t/002_scram.pl
@@ -4,7 +4,7 @@ use strict;
 use warnings;
 use PostgresNode;
 use TestLib;
-use Test::More tests => 1;
+use Test::More tests => 4;
 use ServerSetup;
 use File::Copy;
 
@@ -34,5 +34,17 @@ $ENV{PGPASSWORD} = "pass";
 $common_connstr =
 "user=ssltestuser dbname=trustdb sslmode=require hostaddr=$SERVERHOSTADDR";
 
+# Default settings
 test_connect_ok($common_connstr, '',
 				"SCRAM authentication with default channel binding");
+
+# Channel bindings
+test_connect_ok($common_connstr,
+	"scramchannelbinding=tls-unique",
+	"SCRAM authentication with tls-unique as channel binding");
+test_connect_ok($common_connstr,
+	"scramchannelbinding=''",
+	"SCRAM authentication without channel binding");
+test_connect_fails($common_connstr,
+	"scramchannelbinding=not-exists",
+	"SCRAM authentication with invalid channel binding");
-- 
2.15.0

From 806c0e4d574513fc33e7bc108b0e393f5973d172 Mon Sep 17 00:00:00 2001
From: Michael Paquier <michael@paquier.xyz>
Date: Tue, 10 Oct 2017 22:04:22 +0900
Subject: [PATCH 3/3] Implement channel binding tls-server-end-point for SCRAM

As referenced in RFC 5929, this channel binding is not the default value
and uses a hash of the certificate as binding data. On the frontend, this
can be resumed in getting the data from SSL_get_peer_certificate() and
on the backend SSL_get_certificate().

The hashing algorithm needs also to switch to SHA-256 if the signature
algorithm is MD5 or SHA-1, so let's be careful about that.
---
 doc/src/sgml/protocol.sgml               |  5 +-
 src/backend/libpq/auth-scram.c           | 26 ++++++++---
 src/backend/libpq/auth.c                 |  8 +++-
 src/backend/libpq/be-secure-openssl.c    | 61 +++++++++++++++++++++++++
 src/include/common/scram-common.h        |  1 +
 src/include/libpq/libpq-be.h             |  1 +
 src/include/libpq/scram.h                |  3 +-
 src/interfaces/libpq/fe-auth-scram.c     | 18 ++++++--
 src/interfaces/libpq/fe-auth.c           | 12 ++++-
 src/interfaces/libpq/fe-auth.h           |  4 +-
 src/interfaces/libpq/fe-secure-openssl.c | 78 ++++++++++++++++++++++++++++++++
 src/interfaces/libpq/libpq-int.h         |  1 +
 src/test/ssl/t/002_scram.pl              |  5 +-
 13 files changed, 207 insertions(+), 16 deletions(-)

diff --git a/doc/src/sgml/protocol.sgml b/doc/src/sgml/protocol.sgml
index 8174e3defa..365f72b51d 100644
--- a/doc/src/sgml/protocol.sgml
+++ b/doc/src/sgml/protocol.sgml
@@ -1576,8 +1576,9 @@ the password is in.
   <para>
 <firstterm>Channel binding</firstterm> is supported in PostgreSQL builds with
 SSL support. The SASL mechanism name for SCRAM with channel binding
-is <literal>SCRAM-SHA-256-PLUS</literal>.  The only channel binding type
-supported at the moment is <literal>tls-unique</literal>, defined in RFC 5929.
+is <literal>SCRAM-SHA-256-PLUS</literal>.  Two channel binding types are
+supported at the moment: <literal>tls-unique</literal>, which is the default,
+and <literal>tls-server-end-point</literal>, both defined in RFC 5929.
   </para>
 
 <procedure>
diff --git a/src/backend/libpq/auth-scram.c b/src/backend/libpq/auth-scram.c
index 15c3857f57..76a5fcbd65 100644
--- a/src/backend/libpq/auth-scram.c
+++ b/src/backend/libpq/auth-scram.c
@@ -113,6 +113,8 @@ typedef struct
 	bool		ssl_in_use;
 	const char *tls_finished_message;
 	size_t		tls_finished_len;
+	const char *certificate_hash;
+	size_t		certificate_hash_len;
 	char	   *channel_binding_type;
 
 	int			iterations;
@@ -175,7 +177,9 @@ pg_be_scram_init(const char *username,
 				 const char *shadow_pass,
 				 bool ssl_in_use,
 				 const char *tls_finished_message,
-				 size_t tls_finished_len)
+				 size_t tls_finished_len,
+				 const char *certificate_hash,
+				 size_t certificate_hash_len)
 {
 	scram_state *state;
 	bool		got_verifier;
@@ -186,6 +190,8 @@ pg_be_scram_init(const char *username,
 	state->ssl_in_use = ssl_in_use;
 	state->tls_finished_message = tls_finished_message;
 	state->tls_finished_len = tls_finished_len;
+	state->certificate_hash = certificate_hash;
+	state->certificate_hash_len = certificate_hash_len;
 	state->channel_binding_type = NULL;
 
 	/*
@@ -855,13 +861,15 @@ read_client_first_message(scram_state *state, char *input)
 				}
 
 				/*
-				 * Read value provided by client; only tls-unique is supported
-				 * for now.  (It is not safe to print the name of an
-				 * unsupported binding type in the error message.  Pranksters
-				 * could print arbitrary strings into the log that way.)
+				 * Read value provided by client; only tls-unique and
+				 * tls-server-end-point are supported for now.  (It is
+				 * not safe to print the name of an unsupported binding
+				 * type in the error message.  Pranksters could print
+				 * arbitrary strings into the log that way.)
 				 */
 				channel_binding_type = read_attr_value(&input, 'p');
-				if (strcmp(channel_binding_type, SCRAM_CHANNEL_BINDING_TLS_UNIQUE) != 0)
+				if (strcmp(channel_binding_type, SCRAM_CHANNEL_BINDING_TLS_UNIQUE) != 0 &&
+					strcmp(channel_binding_type, SCRAM_CHANNEL_BINDING_TLS_ENDPOINT) != 0)
 					ereport(ERROR,
 							(errcode(ERRCODE_PROTOCOL_VIOLATION),
 							 (errmsg("unsupported SCRAM channel-binding type"))));
@@ -1119,6 +1127,12 @@ read_client_final_message(scram_state *state, char *input)
 			cbind_data = state->tls_finished_message;
 			cbind_data_len = state->tls_finished_len;
 		}
+		else if (strcmp(state->channel_binding_type,
+						SCRAM_CHANNEL_BINDING_TLS_ENDPOINT) == 0)
+		{
+			cbind_data = state->certificate_hash;
+			cbind_data_len = state->certificate_hash_len;
+		}
 		else
 		{
 			/* should not happen */
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index b7f9bb1669..700a3bffa4 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -875,6 +875,8 @@ CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail)
 	bool		initial;
 	char	   *tls_finished = NULL;
 	size_t		tls_finished_len = 0;
+	char	   *certificate_hash = NULL;
+	size_t		certificate_hash_len = 0;
 
 	/*
 	 * SASL auth is not supported for protocol versions before 3, because it
@@ -923,6 +925,8 @@ CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail)
 	if (port->ssl_in_use)
 	{
 		tls_finished = be_tls_get_peer_finished(port, &tls_finished_len);
+		certificate_hash = be_tls_get_certificate_hash(port,
+													   &certificate_hash_len);
 	}
 #endif
 
@@ -941,7 +945,9 @@ CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail)
 								  shadow_pass,
 								  port->ssl_in_use,
 								  tls_finished,
-								  tls_finished_len);
+								  tls_finished_len,
+								  certificate_hash,
+								  certificate_hash_len);
 
 	/*
 	 * Loop through SASL message exchange.  This exchange can consist of
diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 1e3e19f5e0..e3e8a535c8 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -1239,6 +1239,67 @@ be_tls_get_peer_finished(Port *port, size_t *len)
 	return result;
 }
 
+/*
+ * Get the server certificate hash for authentication purposes. Per
+ * RFC 5929 and tls-server-end-point, the TLS server's certificate bytes
+ * need to be hashed with SHA-256 if its signature algorithm is MD5 or
+ * SHA-1 as per RFC 5929 (https://tools.ietf.org/html/rfc5929#section-4.1).
+ * If something else is used, the same hash as the signature algorithm is
+ * used. The result is a palloc'd hash of the server certificate with its
+ * size, and NULL if there is no certificate available.
+ */
+char *
+be_tls_get_certificate_hash(Port *port, size_t *len)
+{
+	char	*cert_hash = NULL;
+	X509	*server_cert;
+
+	*len = 0;
+	server_cert = SSL_get_certificate(port->ssl);
+
+	if (server_cert != NULL)
+	{
+		const EVP_MD   *algo_type = NULL;
+		char			hash[EVP_MAX_MD_SIZE];	/* size for SHA-512 */
+		unsigned int	hash_size;
+		int				algo_nid;
+
+		/*
+		 * Get the signature algorithm of the certificate to determine the
+		 * hash algorithm to use for the result.
+		 */
+		if (!OBJ_find_sigid_algs(X509_get_signature_nid(server_cert),
+								 &algo_nid, NULL))
+			elog(ERROR, "could not find signature algorithm");
+
+		switch (algo_nid)
+		{
+			case NID_md5:
+			case NID_sha1:
+				algo_type = EVP_sha256();
+				break;
+
+			default:
+				algo_type = EVP_get_digestbynid(algo_nid);
+				if (algo_type == NULL)
+					elog(ERROR, "could not find digest for NID %s",
+						 OBJ_nid2sn(algo_nid));
+				break;
+		}
+
+		/* generate and save the certificate hash */
+		if (!X509_digest(server_cert, algo_type, (unsigned char *) hash,
+						 &hash_size))
+			elog(ERROR, "could not generate server certificate hash");
+
+		cert_hash = (char *) palloc(hash_size);
+		memcpy(cert_hash, hash, hash_size);
+		*len = hash_size;
+	}
+
+	return cert_hash;
+}
+
 /*
  * Convert an X509 subject name to a cstring.
  *
diff --git a/src/include/common/scram-common.h b/src/include/common/scram-common.h
index 857a60e71f..5aec5cadb8 100644
--- a/src/include/common/scram-common.h
+++ b/src/include/common/scram-common.h
@@ -21,6 +21,7 @@
 
 /* Channel binding types */
 #define SCRAM_CHANNEL_BINDING_TLS_UNIQUE    "tls-unique"
+#define SCRAM_CHANNEL_BINDING_TLS_ENDPOINT	"tls-server-end-point"
 
 /* Length of SCRAM keys (client and server) */
 #define SCRAM_KEY_LEN				PG_SHA256_DIGEST_LENGTH
diff --git a/src/include/libpq/libpq-be.h b/src/include/libpq/libpq-be.h
index 856e0439d5..cf9d8b7870 100644
--- a/src/include/libpq/libpq-be.h
+++ b/src/include/libpq/libpq-be.h
@@ -210,6 +210,7 @@ extern void be_tls_get_version(Port *port, char *ptr, size_t len);
 extern void be_tls_get_cipher(Port *port, char *ptr, size_t len);
 extern void be_tls_get_peerdn_name(Port *port, char *ptr, size_t len);
 extern char *be_tls_get_peer_finished(Port *port, size_t *len);
+extern char *be_tls_get_certificate_hash(Port *port, size_t *len);
 #endif
 
 extern ProtocolVersion FrontendProtocol;
diff --git a/src/include/libpq/scram.h b/src/include/libpq/scram.h
index 2c245813d6..7c8f009a3b 100644
--- a/src/include/libpq/scram.h
+++ b/src/include/libpq/scram.h
@@ -21,7 +21,8 @@
 /* Routines dedicated to authentication */
 extern void *pg_be_scram_init(const char *username, const char *shadow_pass,
 				 bool ssl_in_use, const char *tls_finished_message,
-				 size_t tls_finished_len);
+				 size_t tls_finished_len, const char *certificate_hash,
+				 size_t certificate_hash_len);
 extern int pg_be_scram_exchange(void *opaq, char *input, int inputlen,
 					 char **output, int *outputlen, char **logdetail);
 
diff --git a/src/interfaces/libpq/fe-auth-scram.c b/src/interfaces/libpq/fe-auth-scram.c
index 66e01aefaa..6e037df20c 100644
--- a/src/interfaces/libpq/fe-auth-scram.c
+++ b/src/interfaces/libpq/fe-auth-scram.c
@@ -47,6 +47,8 @@ typedef struct
 	bool		ssl_in_use;
 	char	   *tls_finished_message;
 	size_t		tls_finished_len;
+	char	   *certificate_hash;
+	size_t		certificate_hash_len;
 	char	   *sasl_mechanism;
 	const char *channel_binding_type;
 
@@ -95,7 +97,9 @@ pg_fe_scram_init(const char *username,
 				 const char *sasl_mechanism,
 				 const char *channel_binding_type,
 				 char *tls_finished_message,
-				 size_t tls_finished_len)
+				 size_t tls_finished_len,
+				 char *certificate_hash,
+				 size_t certificate_hash_len)
 {
 	fe_scram_state *state;
 	char	   *prep_password;
@@ -112,6 +116,8 @@ pg_fe_scram_init(const char *username,
 	state->ssl_in_use = ssl_in_use;
 	state->tls_finished_message = tls_finished_message;
 	state->tls_finished_len = tls_finished_len;
+	state->certificate_hash = certificate_hash;
+	state->certificate_hash_len = certificate_hash_len;
 	state->sasl_mechanism = strdup(sasl_mechanism);
 	state->channel_binding_type = channel_binding_type;
 
@@ -156,8 +162,8 @@ pg_fe_scram_free(void *opaq)
 		free(state->password);
 	if (state->tls_finished_message)
 		free(state->tls_finished_message);
-	if (state->sasl_mechanism)
-		free(state->sasl_mechanism);
+	if (state->certificate_hash)
+		free(state->certificate_hash);
 
 	/* client messages */
 	if (state->client_nonce)
@@ -457,6 +463,12 @@ build_client_final_message(fe_scram_state *state, PQExpBuffer errormessage)
 			cbind_data = state->tls_finished_message;
 			cbind_data_len = state->tls_finished_len;
 		}
+		else if (strcmp(state->channel_binding_type,
+						SCRAM_CHANNEL_BINDING_TLS_ENDPOINT) == 0)
+		{
+			cbind_data = state->certificate_hash;
+			cbind_data_len = state->certificate_hash_len;
+		}
 		else
 		{
 			/* should not happen */
diff --git a/src/interfaces/libpq/fe-auth.c b/src/interfaces/libpq/fe-auth.c
index 5828d4207c..a2cfc12691 100644
--- a/src/interfaces/libpq/fe-auth.c
+++ b/src/interfaces/libpq/fe-auth.c
@@ -493,6 +493,8 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 	PQExpBufferData mechanism_buf;
 	char	   *tls_finished = NULL;
 	size_t		tls_finished_len = 0;
+	char	   *certificate_hash = NULL;
+	size_t		certificate_hash_len = 0;
 	char	   *password;
 
 	initPQExpBuffer(&mechanism_buf);
@@ -580,6 +582,12 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 		tls_finished = pgtls_get_finished(conn, &tls_finished_len);
 		if (tls_finished == NULL)
 			goto oom_error;
+
+		certificate_hash =
+			pgtls_get_peer_certificate_hash(conn,
+											&certificate_hash_len);
+		if (certificate_hash == NULL)
+			goto error;		/* error message is set */
 	}
 #endif
 
@@ -595,7 +603,9 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 										selected_mechanism,
 										conn->scramchannelbinding,
 										tls_finished,
-										tls_finished_len);
+										tls_finished_len,
+										certificate_hash,
+										certificate_hash_len);
 	if (!conn->sasl_state)
 		goto oom_error;
 
diff --git a/src/interfaces/libpq/fe-auth.h b/src/interfaces/libpq/fe-auth.h
index db319ac071..68de8b6e32 100644
--- a/src/interfaces/libpq/fe-auth.h
+++ b/src/interfaces/libpq/fe-auth.h
@@ -29,7 +29,9 @@ extern void *pg_fe_scram_init(const char *username,
 				 const char *sasl_mechanism,
 				 const char *channel_binding_type,
 				 char *tls_finished_message,
-				 size_t tls_finished_len);
+				 size_t tls_finished_len,
+				 char *certificate_hash,
+				 size_t certificate_hash_len);
 extern void pg_fe_scram_free(void *opaq);
 extern void pg_fe_scram_exchange(void *opaq, char *input, int inputlen,
 					 char **output, int *outputlen,
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 61d161b367..99077c3d9a 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -419,6 +419,84 @@ pgtls_get_finished(PGconn *conn, size_t *len)
 	return result;
 }
 
+/*
+ *	Get the hash of the server certificate
+ *
+ * This information is useful for end-point channel binding, where the
+ * client certificate hash is used as a link, per RFC 5929. If the
+ * signature hash algorithm is MD5 or SHA-1, fall back to SHA-256,
+ * as per RFC 5929 (https://tools.ietf.org/html/rfc5929#section-4.1).
+ * NULL is sent back to the caller in the event of an error, with an
+ * error message for the caller to consume.
+ */
+char *
+pgtls_get_peer_certificate_hash(PGconn *conn, size_t *len)
+{
+	char	   *cert_hash = NULL;
+
+	*len = 0;
+
+	if (conn->peer)
+	{
+		X509		   *peer_cert = conn->peer;
+		const EVP_MD   *algo_type = NULL;
+		char			hash[EVP_MAX_MD_SIZE];	/* size for SHA-512 */
+		unsigned int	hash_size;
+		int				algo_nid;
+
+		/*
+		 * Get the signature algorithm of the certificate to determine the
+		 * hash algorithm to use for the result.
+		 */
+		if (!OBJ_find_sigid_algs(X509_get_signature_nid(peer_cert),
+								 &algo_nid, NULL))
+		{
+			printfPQExpBuffer(&conn->errorMessage,
+							  libpq_gettext("could not find signature algorithm\n"));
+			return NULL;
+		}
+
+		switch (algo_nid)
+		{
+			case NID_md5:
+			case NID_sha1:
+				algo_type = EVP_sha256();
+				break;
+
+			default:
+				algo_type = EVP_get_digestbynid(algo_nid);
+				if (algo_type == NULL)
+				{
+					printfPQExpBuffer(&conn->errorMessage,
+									  libpq_gettext("could not find digest for NID %s\n"),
+									  OBJ_nid2sn(algo_nid));
+					return NULL;
+				}
+				break;
+		}
+
+		if (!X509_digest(peer_cert, algo_type, (unsigned char *) hash,
+						 &hash_size))
+		{
+			printfPQExpBuffer(&conn->errorMessage,
+							  libpq_gettext("could not generate peer certificate hash\n"));
+			return NULL;
+		}
+
+		/* save result */
+		cert_hash = (char *) malloc(hash_size);
+		if (cert_hash == NULL)
+		{
+			printfPQExpBuffer(&conn->errorMessage,
+							  libpq_gettext("out of memory\n"));
+			return NULL;
+		}
+		memcpy(cert_hash, hash, hash_size);
+		*len = hash_size;
+	}
+
+	return cert_hash;
+}
 
 /* ------------------------------------------------------------ */
 /*						OpenSSL specific code					*/
diff --git a/src/interfaces/libpq/libpq-int.h b/src/interfaces/libpq/libpq-int.h
index b116ff8032..bea8b9da06 100644
--- a/src/interfaces/libpq/libpq-int.h
+++ b/src/interfaces/libpq/libpq-int.h
@@ -672,6 +672,7 @@ extern ssize_t pgtls_read(PGconn *conn, void *ptr, size_t len);
 extern bool pgtls_read_pending(PGconn *conn);
 extern ssize_t pgtls_write(PGconn *conn, const void *ptr, size_t len);
 extern char *pgtls_get_finished(PGconn *conn, size_t *len);
+extern char *pgtls_get_peer_certificate_hash(PGconn *conn, size_t *len);
 
 /*
  * this is so that we can check if a connection is non-blocking internally
diff --git a/src/test/ssl/t/002_scram.pl b/src/test/ssl/t/002_scram.pl
index c8e9114d64..b56116fc34 100644
--- a/src/test/ssl/t/002_scram.pl
+++ b/src/test/ssl/t/002_scram.pl
@@ -4,7 +4,7 @@ use strict;
 use warnings;
 use PostgresNode;
 use TestLib;
-use Test::More tests => 4;
+use Test::More tests => 5;
 use ServerSetup;
 use File::Copy;
 
@@ -45,6 +45,9 @@ test_connect_ok($common_connstr,
 test_connect_ok($common_connstr,
 	"scramchannelbinding=''",
 	"SCRAM authentication without channel binding");
+test_connect_ok($common_connstr,
+	"scramchannelbinding=tls-server-end-point",
+	"SCRAM authentication with tls-server-end-point as channel binding");
 test_connect_fails($common_connstr,
 	"scramchannelbinding=not-exists",
 	"SCRAM authentication with invalid channel binding");
-- 
2.15.0

From 69dcf31f5ce5938f9f56a94bf55c8439ea53ed27 Mon Sep 17 00:00:00 2001
From: Michael Paquier <michael@paquier.xyz>
Date: Fri, 22 Dec 2017 10:49:10 +0900
Subject: [PATCH 1/2] Implement channel binding tls-server-end-point for SCRAM

As referenced in RFC 5929, this channel binding is not the default value
and uses a hash of the certificate as binding data. On the frontend, this
can be resumed in getting the data from SSL_get_peer_certificate() and
on the backend SSL_get_certificate().

The hashing algorithm needs also to switch to SHA-256 if the signature
algorithm is MD5 or SHA-1, so let's be careful about that.
---
 doc/src/sgml/protocol.sgml               |  5 +-
 src/backend/libpq/auth-scram.c           | 26 ++++++++---
 src/backend/libpq/auth.c                 |  8 +++-
 src/backend/libpq/be-secure-openssl.c    | 61 +++++++++++++++++++++++++
 src/include/common/scram-common.h        |  1 +
 src/include/libpq/libpq-be.h             |  1 +
 src/include/libpq/scram.h                |  3 +-
 src/interfaces/libpq/fe-auth-scram.c     | 18 ++++++--
 src/interfaces/libpq/fe-auth.c           | 12 ++++-
 src/interfaces/libpq/fe-auth.h           |  4 +-
 src/interfaces/libpq/fe-secure-openssl.c | 78 ++++++++++++++++++++++++++++++++
 src/interfaces/libpq/libpq-int.h         |  1 +
 src/test/ssl/t/002_scram.pl              |  5 +-
 13 files changed, 207 insertions(+), 16 deletions(-)

diff --git a/doc/src/sgml/protocol.sgml b/doc/src/sgml/protocol.sgml
index 8174e3defa..365f72b51d 100644
--- a/doc/src/sgml/protocol.sgml
+++ b/doc/src/sgml/protocol.sgml
@@ -1576,8 +1576,9 @@ the password is in.
   <para>
 <firstterm>Channel binding</firstterm> is supported in PostgreSQL builds with
 SSL support. The SASL mechanism name for SCRAM with channel binding
-is <literal>SCRAM-SHA-256-PLUS</literal>.  The only channel binding type
-supported at the moment is <literal>tls-unique</literal>, defined in RFC 5929.
+is <literal>SCRAM-SHA-256-PLUS</literal>.  Two channel binding types are
+supported at the moment: <literal>tls-unique</literal>, which is the default,
+and <literal>tls-server-end-point</literal>, both defined in RFC 5929.
   </para>
 
 <procedure>
diff --git a/src/backend/libpq/auth-scram.c b/src/backend/libpq/auth-scram.c
index d52a763457..849587d141 100644
--- a/src/backend/libpq/auth-scram.c
+++ b/src/backend/libpq/auth-scram.c
@@ -114,6 +114,8 @@ typedef struct
 	bool		ssl_in_use;
 	const char *tls_finished_message;
 	size_t		tls_finished_len;
+	const char *certificate_hash;
+	size_t		certificate_hash_len;
 	char	   *channel_binding_type;
 
 	int			iterations;
@@ -176,7 +178,9 @@ pg_be_scram_init(const char *username,
 				 const char *shadow_pass,
 				 bool ssl_in_use,
 				 const char *tls_finished_message,
-				 size_t tls_finished_len)
+				 size_t tls_finished_len,
+				 const char *certificate_hash,
+				 size_t certificate_hash_len)
 {
 	scram_state *state;
 	bool		got_verifier;
@@ -187,6 +191,8 @@ pg_be_scram_init(const char *username,
 	state->ssl_in_use = ssl_in_use;
 	state->tls_finished_message = tls_finished_message;
 	state->tls_finished_len = tls_finished_len;
+	state->certificate_hash = certificate_hash;
+	state->certificate_hash_len = certificate_hash_len;
 	state->channel_binding_type = NULL;
 
 	/*
@@ -857,13 +863,15 @@ read_client_first_message(scram_state *state, char *input)
 				}
 
 				/*
-				 * Read value provided by client; only tls-unique is supported
-				 * for now.  (It is not safe to print the name of an
-				 * unsupported binding type in the error message.  Pranksters
-				 * could print arbitrary strings into the log that way.)
+				 * Read value provided by client; only tls-unique and
+				 * tls-server-end-point are supported for now.  (It is
+				 * not safe to print the name of an unsupported binding
+				 * type in the error message.  Pranksters could print
+				 * arbitrary strings into the log that way.)
 				 */
 				channel_binding_type = read_attr_value(&input, 'p');
-				if (strcmp(channel_binding_type, SCRAM_CHANNEL_BINDING_TLS_UNIQUE) != 0)
+				if (strcmp(channel_binding_type, SCRAM_CHANNEL_BINDING_TLS_UNIQUE) != 0 &&
+					strcmp(channel_binding_type, SCRAM_CHANNEL_BINDING_TLS_ENDPOINT) != 0)
 					ereport(ERROR,
 							(errcode(ERRCODE_PROTOCOL_VIOLATION),
 							 (errmsg("unsupported SCRAM channel-binding type"))));
@@ -1123,6 +1131,12 @@ read_client_final_message(scram_state *state, char *input)
 			cbind_data = state->tls_finished_message;
 			cbind_data_len = state->tls_finished_len;
 		}
+		else if (strcmp(state->channel_binding_type,
+						SCRAM_CHANNEL_BINDING_TLS_ENDPOINT) == 0)
+		{
+			cbind_data = state->certificate_hash;
+			cbind_data_len = state->certificate_hash_len;
+		}
 		else
 		{
 			/* should not happen */
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index b7f9bb1669..700a3bffa4 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -875,6 +875,8 @@ CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail)
 	bool		initial;
 	char	   *tls_finished = NULL;
 	size_t		tls_finished_len = 0;
+	char	   *certificate_hash = NULL;
+	size_t		certificate_hash_len = 0;
 
 	/*
 	 * SASL auth is not supported for protocol versions before 3, because it
@@ -923,6 +925,8 @@ CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail)
 	if (port->ssl_in_use)
 	{
 		tls_finished = be_tls_get_peer_finished(port, &tls_finished_len);
+		certificate_hash = be_tls_get_certificate_hash(port,
+													   &certificate_hash_len);
 	}
 #endif
 
@@ -941,7 +945,9 @@ CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail)
 								  shadow_pass,
 								  port->ssl_in_use,
 								  tls_finished,
-								  tls_finished_len);
+								  tls_finished_len,
+								  certificate_hash,
+								  certificate_hash_len);
 
 	/*
 	 * Loop through SASL message exchange.  This exchange can consist of
diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 1e3e19f5e0..e3e8a535c8 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -1239,6 +1239,67 @@ be_tls_get_peer_finished(Port *port, size_t *len)
 	return result;
 }
 
+/*
+ * Get the server certificate hash for authentication purposes. Per
+ * RFC 5929 and tls-server-end-point, the TLS server's certificate bytes
+ * need to be hashed with SHA-256 if its signature algorithm is MD5 or
+ * SHA-1 as per RFC 5929 (https://tools.ietf.org/html/rfc5929#section-4.1).
+ * If something else is used, the same hash as the signature algorithm is
+ * used. The result is a palloc'd hash of the server certificate with its
+ * size, and NULL if there is no certificate available.
+ */
+char *
+be_tls_get_certificate_hash(Port *port, size_t *len)
+{
+	char	*cert_hash = NULL;
+	X509	*server_cert;
+
+	*len = 0;
+	server_cert = SSL_get_certificate(port->ssl);
+
+	if (server_cert != NULL)
+	{
+		const EVP_MD   *algo_type = NULL;
+		char			hash[EVP_MAX_MD_SIZE];	/* size for SHA-512 */
+		unsigned int	hash_size;
+		int				algo_nid;
+
+		/*
+		 * Get the signature algorithm of the certificate to determine the
+		 * hash algorithm to use for the result.
+		 */
+		if (!OBJ_find_sigid_algs(X509_get_signature_nid(server_cert),
+								 &algo_nid, NULL))
+			elog(ERROR, "could not find signature algorithm");
+
+		switch (algo_nid)
+		{
+			case NID_md5:
+			case NID_sha1:
+				algo_type = EVP_sha256();
+				break;
+
+			default:
+				algo_type = EVP_get_digestbynid(algo_nid);
+				if (algo_type == NULL)
+					elog(ERROR, "could not find digest for NID %s",
+						 OBJ_nid2sn(algo_nid));
+				break;
+		}
+
+		/* generate and save the certificate hash */
+		if (!X509_digest(server_cert, algo_type, (unsigned char *) hash,
+						 &hash_size))
+			elog(ERROR, "could not generate server certificate hash");
+
+		cert_hash = (char *) palloc(hash_size);
+		memcpy(cert_hash, hash, hash_size);
+		*len = hash_size;
+	}
+
+	return cert_hash;
+}
+
 /*
  * Convert an X509 subject name to a cstring.
  *
diff --git a/src/include/common/scram-common.h b/src/include/common/scram-common.h
index 857a60e71f..5aec5cadb8 100644
--- a/src/include/common/scram-common.h
+++ b/src/include/common/scram-common.h
@@ -21,6 +21,7 @@
 
 /* Channel binding types */
 #define SCRAM_CHANNEL_BINDING_TLS_UNIQUE    "tls-unique"
+#define SCRAM_CHANNEL_BINDING_TLS_ENDPOINT	"tls-server-end-point"
 
 /* Length of SCRAM keys (client and server) */
 #define SCRAM_KEY_LEN				PG_SHA256_DIGEST_LENGTH
diff --git a/src/include/libpq/libpq-be.h b/src/include/libpq/libpq-be.h
index 856e0439d5..cf9d8b7870 100644
--- a/src/include/libpq/libpq-be.h
+++ b/src/include/libpq/libpq-be.h
@@ -210,6 +210,7 @@ extern void be_tls_get_version(Port *port, char *ptr, size_t len);
 extern void be_tls_get_cipher(Port *port, char *ptr, size_t len);
 extern void be_tls_get_peerdn_name(Port *port, char *ptr, size_t len);
 extern char *be_tls_get_peer_finished(Port *port, size_t *len);
+extern char *be_tls_get_certificate_hash(Port *port, size_t *len);
 #endif
 
 extern ProtocolVersion FrontendProtocol;
diff --git a/src/include/libpq/scram.h b/src/include/libpq/scram.h
index 2c245813d6..7c8f009a3b 100644
--- a/src/include/libpq/scram.h
+++ b/src/include/libpq/scram.h
@@ -21,7 +21,8 @@
 /* Routines dedicated to authentication */
 extern void *pg_be_scram_init(const char *username, const char *shadow_pass,
 				 bool ssl_in_use, const char *tls_finished_message,
-				 size_t tls_finished_len);
+				 size_t tls_finished_len, const char *certificate_hash,
+				 size_t certificate_hash_len);
 extern int pg_be_scram_exchange(void *opaq, char *input, int inputlen,
 					 char **output, int *outputlen, char **logdetail);
 
diff --git a/src/interfaces/libpq/fe-auth-scram.c b/src/interfaces/libpq/fe-auth-scram.c
index b8f7a6b5be..a56fccf12e 100644
--- a/src/interfaces/libpq/fe-auth-scram.c
+++ b/src/interfaces/libpq/fe-auth-scram.c
@@ -47,6 +47,8 @@ typedef struct
 	bool		ssl_in_use;
 	char	   *tls_finished_message;
 	size_t		tls_finished_len;
+	char	   *certificate_hash;
+	size_t		certificate_hash_len;
 	char	   *sasl_mechanism;
 	const char *channel_binding_type;
 
@@ -95,7 +97,9 @@ pg_fe_scram_init(const char *username,
 				 const char *sasl_mechanism,
 				 const char *channel_binding_type,
 				 char *tls_finished_message,
-				 size_t tls_finished_len)
+				 size_t tls_finished_len,
+				 char *certificate_hash,
+				 size_t certificate_hash_len)
 {
 	fe_scram_state *state;
 	char	   *prep_password;
@@ -112,6 +116,8 @@ pg_fe_scram_init(const char *username,
 	state->ssl_in_use = ssl_in_use;
 	state->tls_finished_message = tls_finished_message;
 	state->tls_finished_len = tls_finished_len;
+	state->certificate_hash = certificate_hash;
+	state->certificate_hash_len = certificate_hash_len;
 	state->sasl_mechanism = strdup(sasl_mechanism);
 	state->channel_binding_type = channel_binding_type;
 
@@ -156,8 +162,8 @@ pg_fe_scram_free(void *opaq)
 		free(state->password);
 	if (state->tls_finished_message)
 		free(state->tls_finished_message);
-	if (state->sasl_mechanism)
-		free(state->sasl_mechanism);
+	if (state->certificate_hash)
+		free(state->certificate_hash);
 
 	/* client messages */
 	if (state->client_nonce)
@@ -461,6 +467,12 @@ build_client_final_message(fe_scram_state *state, PQExpBuffer errormessage)
 			cbind_data = state->tls_finished_message;
 			cbind_data_len = state->tls_finished_len;
 		}
+		else if (strcmp(state->channel_binding_type,
+						SCRAM_CHANNEL_BINDING_TLS_ENDPOINT) == 0)
+		{
+			cbind_data = state->certificate_hash;
+			cbind_data_len = state->certificate_hash_len;
+		}
 		else
 		{
 			/* should not happen */
diff --git a/src/interfaces/libpq/fe-auth.c b/src/interfaces/libpq/fe-auth.c
index 3340a9ad93..bb9b0573d1 100644
--- a/src/interfaces/libpq/fe-auth.c
+++ b/src/interfaces/libpq/fe-auth.c
@@ -493,6 +493,8 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 	PQExpBufferData mechanism_buf;
 	char	   *tls_finished = NULL;
 	size_t		tls_finished_len = 0;
+	char	   *certificate_hash = NULL;
+	size_t		certificate_hash_len = 0;
 	char	   *password;
 
 	initPQExpBuffer(&mechanism_buf);
@@ -580,6 +582,12 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 		tls_finished = pgtls_get_finished(conn, &tls_finished_len);
 		if (tls_finished == NULL)
 			goto oom_error;
+
+		certificate_hash =
+			pgtls_get_peer_certificate_hash(conn,
+											&certificate_hash_len);
+		if (certificate_hash == NULL)
+			goto error;		/* error message is set */
 	}
 #endif
 
@@ -595,7 +603,9 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 										selected_mechanism,
 										conn->scram_channel_binding,
 										tls_finished,
-										tls_finished_len);
+										tls_finished_len,
+										certificate_hash,
+										certificate_hash_len);
 	if (!conn->sasl_state)
 		goto oom_error;
 
diff --git a/src/interfaces/libpq/fe-auth.h b/src/interfaces/libpq/fe-auth.h
index db319ac071..68de8b6e32 100644
--- a/src/interfaces/libpq/fe-auth.h
+++ b/src/interfaces/libpq/fe-auth.h
@@ -29,7 +29,9 @@ extern void *pg_fe_scram_init(const char *username,
 				 const char *sasl_mechanism,
 				 const char *channel_binding_type,
 				 char *tls_finished_message,
-				 size_t tls_finished_len);
+				 size_t tls_finished_len,
+				 char *certificate_hash,
+				 size_t certificate_hash_len);
 extern void pg_fe_scram_free(void *opaq);
 extern void pg_fe_scram_exchange(void *opaq, char *input, int inputlen,
 					 char **output, int *outputlen,
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 61d161b367..99077c3d9a 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -419,6 +419,84 @@ pgtls_get_finished(PGconn *conn, size_t *len)
 	return result;
 }
 
+/*
+ *	Get the hash of the server certificate
+ *
+ * This information is useful for end-point channel binding, where the
+ * client certificate hash is used as a link, per RFC 5929. If the
+ * signature hash algorithm is MD5 or SHA-1, fall back to SHA-256,
+ * as per RFC 5929 (https://tools.ietf.org/html/rfc5929#section-4.1).
+ * NULL is sent back to the caller in the event of an error, with an
+ * error message for the caller to consume.
+ */
+char *
+pgtls_get_peer_certificate_hash(PGconn *conn, size_t *len)
+{
+	char	   *cert_hash = NULL;
+
+	*len = 0;
+
+	if (conn->peer)
+	{
+		X509		   *peer_cert = conn->peer;
+		const EVP_MD   *algo_type = NULL;
+		char			hash[EVP_MAX_MD_SIZE];	/* size for SHA-512 */
+		unsigned int	hash_size;
+		int				algo_nid;
+
+		/*
+		 * Get the signature algorithm of the certificate to determine the
+		 * hash algorithm to use for the result.
+		 */
+		if (!OBJ_find_sigid_algs(X509_get_signature_nid(peer_cert),
+								 &algo_nid, NULL))
+		{
+			printfPQExpBuffer(&conn->errorMessage,
+							  libpq_gettext("could not find signature algorithm\n"));
+			return NULL;
+		}
+
+		switch (algo_nid)
+		{
+			case NID_md5:
+			case NID_sha1:
+				algo_type = EVP_sha256();
+				break;
+
+			default:
+				algo_type = EVP_get_digestbynid(algo_nid);
+				if (algo_type == NULL)
+				{
+					printfPQExpBuffer(&conn->errorMessage,
+									  libpq_gettext("could not find digest for NID %s\n"),
+									  OBJ_nid2sn(algo_nid));
+					return NULL;
+				}
+				break;
+		}
+
+		if (!X509_digest(peer_cert, algo_type, (unsigned char *) hash,
+						 &hash_size))
+		{
+			printfPQExpBuffer(&conn->errorMessage,
+							  libpq_gettext("could not generate peer certificate hash\n"));
+			return NULL;
+		}
+
+		/* save result */
+		cert_hash = (char *) malloc(hash_size);
+		if (cert_hash == NULL)
+		{
+			printfPQExpBuffer(&conn->errorMessage,
+							  libpq_gettext("out of memory\n"));
+			return NULL;
+		}
+		memcpy(cert_hash, hash, hash_size);
+		*len = hash_size;
+	}
+
+	return cert_hash;
+}
 
 /* ------------------------------------------------------------ */
 /*						OpenSSL specific code					*/
diff --git a/src/interfaces/libpq/libpq-int.h b/src/interfaces/libpq/libpq-int.h
index f6c1023f37..756c4d61e1 100644
--- a/src/interfaces/libpq/libpq-int.h
+++ b/src/interfaces/libpq/libpq-int.h
@@ -672,6 +672,7 @@ extern ssize_t pgtls_read(PGconn *conn, void *ptr, size_t len);
 extern bool pgtls_read_pending(PGconn *conn);
 extern ssize_t pgtls_write(PGconn *conn, const void *ptr, size_t len);
 extern char *pgtls_get_finished(PGconn *conn, size_t *len);
+extern char *pgtls_get_peer_certificate_hash(PGconn *conn, size_t *len);
 
 /*
  * this is so that we can check if a connection is non-blocking internally
diff --git a/src/test/ssl/t/002_scram.pl b/src/test/ssl/t/002_scram.pl
index 324b4888d4..3f425e00f0 100644
--- a/src/test/ssl/t/002_scram.pl
+++ b/src/test/ssl/t/002_scram.pl
@@ -4,7 +4,7 @@ use strict;
 use warnings;
 use PostgresNode;
 use TestLib;
-use Test::More tests => 4;
+use Test::More tests => 5;
 use ServerSetup;
 use File::Copy;
 
@@ -45,6 +45,9 @@ test_connect_ok($common_connstr,
 test_connect_ok($common_connstr,
 	"scram_channel_binding=''",
 	"SCRAM authentication without channel binding");
+test_connect_ok($common_connstr,
+	"scram_channel_binding=tls-server-end-point",
+	"SCRAM authentication with tls-server-end-point as channel binding");
 test_connect_fails($common_connstr,
 	"scram_channel_binding=not-exists",
 	"SCRAM authentication with invalid channel binding");
-- 
2.15.1

From d175df57f8df1f0ff497ae61b0c768f3bc9ca0a2 Mon Sep 17 00:00:00 2001
From: Michael Paquier <michael@paquier.xyz>
Date: Fri, 22 Dec 2017 11:46:16 +0900
Subject: [PATCH 2/2] Refactor channel binding code to fetch cbind_data only
 when necessary

As things stand now, channel binding data is fetched from OpenSSL and saved
into the SASL exchange context for any SSL connection attempted for a SCRAM
authentication, resulting in data fetched but not used if no channel binding
is used or if a different channel binding type is used than what the data
is here for.

Refactor the code in such a way that binding data is only fetched from the
SSL stack only when a specific channel binding is used for both the frontend
and the backend. In order to achieve that, save the libpq connection context
directly in the SCRAM exchange state, and add a dependency to SSL in the
low-level SCRAM routines.

This makes the interface in charge of initializing the SCRAM context cleaner
as all its data comes from either PGconn* (for frontend) or Port* (for the
backend).
---
 src/backend/libpq/auth-scram.c           | 47 +++++++----------
 src/backend/libpq/auth.c                 | 25 +--------
 src/include/libpq/scram.h                |  7 ++-
 src/interfaces/libpq/fe-auth-scram.c     | 91 ++++++++++++++++----------------
 src/interfaces/libpq/fe-auth.c           | 33 +-----------
 src/interfaces/libpq/fe-auth.h           | 10 +---
 src/interfaces/libpq/fe-secure-openssl.c | 14 +++--
 src/interfaces/libpq/libpq-int.h         |  3 +-
 8 files changed, 84 insertions(+), 146 deletions(-)

diff --git a/src/backend/libpq/auth-scram.c b/src/backend/libpq/auth-scram.c
index 849587d141..0a50f815ab 100644
--- a/src/backend/libpq/auth-scram.c
+++ b/src/backend/libpq/auth-scram.c
@@ -110,12 +110,8 @@ typedef struct
 
 	const char *username;		/* username from startup packet */
 
+	Port	   *port;
 	char		cbind_flag;
-	bool		ssl_in_use;
-	const char *tls_finished_message;
-	size_t		tls_finished_len;
-	const char *certificate_hash;
-	size_t		certificate_hash_len;
 	char	   *channel_binding_type;
 
 	int			iterations;
@@ -174,25 +170,15 @@ static char *scram_mock_salt(const char *username);
  * it will fail, as if an incorrect password was given.
  */
 void *
-pg_be_scram_init(const char *username,
-				 const char *shadow_pass,
-				 bool ssl_in_use,
-				 const char *tls_finished_message,
-				 size_t tls_finished_len,
-				 const char *certificate_hash,
-				 size_t certificate_hash_len)
+pg_be_scram_init(Port *port,
+				 const char *shadow_pass)
 {
 	scram_state *state;
 	bool		got_verifier;
 
 	state = (scram_state *) palloc0(sizeof(scram_state));
+	state->port = port;
 	state->state = SCRAM_AUTH_INIT;
-	state->username = username;
-	state->ssl_in_use = ssl_in_use;
-	state->tls_finished_message = tls_finished_message;
-	state->tls_finished_len = tls_finished_len;
-	state->certificate_hash = certificate_hash;
-	state->certificate_hash_len = certificate_hash_len;
 	state->channel_binding_type = NULL;
 
 	/*
@@ -215,7 +201,7 @@ pg_be_scram_init(const char *username,
 				 */
 				ereport(LOG,
 						(errmsg("invalid SCRAM verifier for user \"%s\"",
-								username)));
+								state->port->user_name)));
 				got_verifier = false;
 			}
 		}
@@ -226,7 +212,7 @@ pg_be_scram_init(const char *username,
 			 * authentication with an MD5 hash.)
 			 */
 			state->logdetail = psprintf(_("User \"%s\" does not have a valid SCRAM verifier."),
-										state->username);
+										state->port->user_name);
 			got_verifier = false;
 		}
 	}
@@ -248,8 +234,8 @@ pg_be_scram_init(const char *username,
 	 */
 	if (!got_verifier)
 	{
-		mock_scram_verifier(username, &state->iterations, &state->salt,
-							state->StoredKey, state->ServerKey);
+		mock_scram_verifier(state->port->user_name, &state->iterations,
+							&state->salt, state->StoredKey, state->ServerKey);
 		state->doomed = true;
 	}
 
@@ -821,7 +807,7 @@ read_client_first_message(scram_state *state, char *input)
 			 * it supports channel binding, which in this implementation is
 			 * the case if a connection is using SSL.
 			 */
-			if (state->ssl_in_use)
+			if (state->port->ssl_in_use)
 				ereport(ERROR,
 						(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
 						 errmsg("SCRAM channel binding negotiation error"),
@@ -845,7 +831,7 @@ read_client_first_message(scram_state *state, char *input)
 			{
 				char	   *channel_binding_type;
 
-				if (!state->ssl_in_use)
+				if (!state->port->ssl_in_use)
 				{
 					/*
 					 * Without SSL, we don't support channel binding.
@@ -1128,14 +1114,19 @@ read_client_final_message(scram_state *state, char *input)
 		 */
 		if (strcmp(state->channel_binding_type, SCRAM_CHANNEL_BINDING_TLS_UNIQUE) == 0)
 		{
-			cbind_data = state->tls_finished_message;
-			cbind_data_len = state->tls_finished_len;
+			/* Fetch data from TLS finished message */
+#ifdef USE_SSL
+			cbind_data = be_tls_get_peer_finished(state->port, &cbind_data_len);
+#endif
 		}
 		else if (strcmp(state->channel_binding_type,
 						SCRAM_CHANNEL_BINDING_TLS_ENDPOINT) == 0)
 		{
-			cbind_data = state->certificate_hash;
-			cbind_data_len = state->certificate_hash_len;
+			/* Fetch hash data of server's SSL certificate */
+#ifdef USE_SSL
+			cbind_data = be_tls_get_certificate_hash(state->port,
+													 &cbind_data_len);
+#endif
 		}
 		else
 		{
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index 700a3bffa4..bd91e1cd18 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -873,10 +873,6 @@ CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail)
 	int			inputlen;
 	int			result;
 	bool		initial;
-	char	   *tls_finished = NULL;
-	size_t		tls_finished_len = 0;
-	char	   *certificate_hash = NULL;
-	size_t		certificate_hash_len = 0;
 
 	/*
 	 * SASL auth is not supported for protocol versions before 3, because it
@@ -917,19 +913,6 @@ CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail)
 	sendAuthRequest(port, AUTH_REQ_SASL, sasl_mechs, p - sasl_mechs + 1);
 	pfree(sasl_mechs);
 
-#ifdef USE_SSL
-
-	/*
-	 * Get data for channel binding.
-	 */
-	if (port->ssl_in_use)
-	{
-		tls_finished = be_tls_get_peer_finished(port, &tls_finished_len);
-		certificate_hash = be_tls_get_certificate_hash(port,
-													   &certificate_hash_len);
-	}
-#endif
-
 	/*
 	 * Initialize the status tracker for message exchanges.
 	 *
@@ -941,13 +924,7 @@ CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail)
 	 * This is because we don't want to reveal to an attacker what usernames
 	 * are valid, nor which users have a valid password.
 	 */
-	scram_opaq = pg_be_scram_init(port->user_name,
-								  shadow_pass,
-								  port->ssl_in_use,
-								  tls_finished,
-								  tls_finished_len,
-								  certificate_hash,
-								  certificate_hash_len);
+	scram_opaq = pg_be_scram_init(port, shadow_pass);
 
 	/*
 	 * Loop through SASL message exchange.  This exchange can consist of
diff --git a/src/include/libpq/scram.h b/src/include/libpq/scram.h
index 7c8f009a3b..f404f57253 100644
--- a/src/include/libpq/scram.h
+++ b/src/include/libpq/scram.h
@@ -13,16 +13,15 @@
 #ifndef PG_SCRAM_H
 #define PG_SCRAM_H
 
+#include "libpq/libpq-be.h"
+
 /* Status codes for message exchange */
 #define SASL_EXCHANGE_CONTINUE		0
 #define SASL_EXCHANGE_SUCCESS		1
 #define SASL_EXCHANGE_FAILURE		2
 
 /* Routines dedicated to authentication */
-extern void *pg_be_scram_init(const char *username, const char *shadow_pass,
-				 bool ssl_in_use, const char *tls_finished_message,
-				 size_t tls_finished_len, const char *certificate_hash,
-				 size_t certificate_hash_len);
+extern void *pg_be_scram_init(Port *port, const char *shadow_pass);
 extern int pg_be_scram_exchange(void *opaq, char *input, int inputlen,
 					 char **output, int *outputlen, char **logdetail);
 
diff --git a/src/interfaces/libpq/fe-auth-scram.c b/src/interfaces/libpq/fe-auth-scram.c
index a56fccf12e..a44338f0f9 100644
--- a/src/interfaces/libpq/fe-auth-scram.c
+++ b/src/interfaces/libpq/fe-auth-scram.c
@@ -42,15 +42,9 @@ typedef struct
 	fe_scram_state_enum state;
 
 	/* These are supplied by the user */
-	const char *username;
+	PGconn	   *conn;
 	char	   *password;
-	bool		ssl_in_use;
-	char	   *tls_finished_message;
-	size_t		tls_finished_len;
-	char	   *certificate_hash;
-	size_t		certificate_hash_len;
 	char	   *sasl_mechanism;
-	const char *channel_binding_type;
 
 	/* We construct these */
 	uint8		SaltedPassword[SCRAM_KEY_LEN];
@@ -91,15 +85,9 @@ static bool pg_frontend_random(char *dst, int len);
  * freed by pg_fe_scram_free().
  */
 void *
-pg_fe_scram_init(const char *username,
+pg_fe_scram_init(PGconn *conn,
 				 const char *password,
-				 bool ssl_in_use,
-				 const char *sasl_mechanism,
-				 const char *channel_binding_type,
-				 char *tls_finished_message,
-				 size_t tls_finished_len,
-				 char *certificate_hash,
-				 size_t certificate_hash_len)
+				 const char *sasl_mechanism)
 {
 	fe_scram_state *state;
 	char	   *prep_password;
@@ -111,15 +99,9 @@ pg_fe_scram_init(const char *username,
 	if (!state)
 		return NULL;
 	memset(state, 0, sizeof(fe_scram_state));
+	state->conn = conn;
 	state->state = FE_SCRAM_INIT;
-	state->username = username;
-	state->ssl_in_use = ssl_in_use;
-	state->tls_finished_message = tls_finished_message;
-	state->tls_finished_len = tls_finished_len;
-	state->certificate_hash = certificate_hash;
-	state->certificate_hash_len = certificate_hash_len;
 	state->sasl_mechanism = strdup(sasl_mechanism);
-	state->channel_binding_type = channel_binding_type;
 
 	if (!state->sasl_mechanism)
 	{
@@ -160,10 +142,6 @@ pg_fe_scram_free(void *opaq)
 
 	if (state->password)
 		free(state->password);
-	if (state->tls_finished_message)
-		free(state->tls_finished_message);
-	if (state->certificate_hash)
-		free(state->certificate_hash);
 
 	/* client messages */
 	if (state->client_nonce)
@@ -376,11 +354,11 @@ build_client_first_message(fe_scram_state *state, PQExpBuffer errormessage)
 	 */
 	if (strcmp(state->sasl_mechanism, SCRAM_SHA256_PLUS_NAME) == 0)
 	{
-		Assert(state->ssl_in_use);
-		appendPQExpBuffer(&buf, "p=%s", state->channel_binding_type);
+		Assert(state->conn->ssl_in_use);
+		appendPQExpBuffer(&buf, "p=%s", state->conn->scram_channel_binding);
 	}
-	else if (state->channel_binding_type == NULL ||
-			 strlen(state->channel_binding_type) == 0)
+	else if (state->conn->scram_channel_binding == NULL ||
+			 strlen(state->conn->scram_channel_binding) == 0)
 	{
 		/*
 		 * Client has chosen to not show to server that it supports channel
@@ -388,7 +366,7 @@ build_client_first_message(fe_scram_state *state, PQExpBuffer errormessage)
 		 */
 		appendPQExpBuffer(&buf, "n");
 	}
-	else if (state->ssl_in_use)
+	else if (state->conn->ssl_in_use)
 	{
 		/*
 		 * Client supports channel binding, but thinks the server does not.
@@ -456,22 +434,36 @@ build_client_final_message(fe_scram_state *state, PQExpBuffer errormessage)
 	 */
 	if (strcmp(state->sasl_mechanism, SCRAM_SHA256_PLUS_NAME) == 0)
 	{
-		char	   *cbind_data;
-		size_t		cbind_data_len;
+		char	   *cbind_data = NULL;
+		size_t		cbind_data_len = 0;
 		size_t		cbind_header_len;
 		char	   *cbind_input;
 		size_t		cbind_input_len;
 
-		if (strcmp(state->channel_binding_type, SCRAM_CHANNEL_BINDING_TLS_UNIQUE) == 0)
+		if (strcmp(state->conn->scram_channel_binding, SCRAM_CHANNEL_BINDING_TLS_UNIQUE) == 0)
 		{
-			cbind_data = state->tls_finished_message;
-			cbind_data_len = state->tls_finished_len;
+			/* Fetch data from TLS finished message */
+#ifdef USE_SSL
+			cbind_data = pgtls_get_finished(state->conn, &cbind_data_len);
+			if (cbind_data == NULL)
+				goto oom_error;
+#endif
 		}
-		else if (strcmp(state->channel_binding_type,
+		else if (strcmp(state->conn->scram_channel_binding,
 						SCRAM_CHANNEL_BINDING_TLS_ENDPOINT) == 0)
 		{
-			cbind_data = state->certificate_hash;
-			cbind_data_len = state->certificate_hash_len;
+			/* Fetch hash data of server's SSL certificate */
+#ifdef USE_SSL
+			cbind_data =
+				pgtls_get_peer_certificate_hash(state->conn,
+												&cbind_data_len,
+												errormessage);
+			if (cbind_data == NULL)
+			{
+				/* error message is already set on error */
+				return NULL;
+			}
+#endif
 		}
 		else
 		{
@@ -485,37 +477,46 @@ build_client_final_message(fe_scram_state *state, PQExpBuffer errormessage)
 		/* should not happen */
 		if (cbind_data == NULL || cbind_data_len == 0)
 		{
+			if (cbind_data != NULL)
+				free(cbind_data);
 			termPQExpBuffer(&buf);
 			printfPQExpBuffer(errormessage,
 							  libpq_gettext("empty channel binding data for channel binding type \"%s\"\n"),
-							  state->channel_binding_type);
+							  state->conn->scram_channel_binding);
 			return NULL;
 		}
 
 		appendPQExpBuffer(&buf, "c=");
 
-		cbind_header_len = 4 + strlen(state->channel_binding_type); /* p=type,, */
+		/* p=type,, */
+		cbind_header_len = 4 + strlen(state->conn->scram_channel_binding);
 		cbind_input_len = cbind_header_len + cbind_data_len;
 		cbind_input = malloc(cbind_input_len);
 		if (!cbind_input)
+		{
+			free(cbind_data);
 			goto oom_error;
-		snprintf(cbind_input, cbind_input_len, "p=%s,,", state->channel_binding_type);
+		}
+		snprintf(cbind_input, cbind_input_len, "p=%s,,",
+				 state->conn->scram_channel_binding);
 		memcpy(cbind_input + cbind_header_len, cbind_data, cbind_data_len);
 
 		if (!enlargePQExpBuffer(&buf, pg_b64_enc_len(cbind_input_len)))
 		{
+			free(cbind_data);
 			free(cbind_input);
 			goto oom_error;
 		}
 		buf.len += pg_b64_encode(cbind_input, cbind_input_len, buf.data + buf.len);
 		buf.data[buf.len] = '\0';
 
+		free(cbind_data);
 		free(cbind_input);
 	}
-	else if (state->channel_binding_type == NULL ||
-			 strlen(state->channel_binding_type) == 0)
+	else if (state->conn->scram_channel_binding == NULL ||
+			 strlen(state->conn->scram_channel_binding) == 0)
 		appendPQExpBuffer(&buf, "c=biws");	/* base64 of "n,," */
-	else if (state->ssl_in_use)
+	else if (state->conn->ssl_in_use)
 		appendPQExpBuffer(&buf, "c=eSws");	/* base64 of "y,," */
 	else
 		appendPQExpBuffer(&buf, "c=biws");	/* base64 of "n,," */
diff --git a/src/interfaces/libpq/fe-auth.c b/src/interfaces/libpq/fe-auth.c
index bb9b0573d1..b1ea0e7cef 100644
--- a/src/interfaces/libpq/fe-auth.c
+++ b/src/interfaces/libpq/fe-auth.c
@@ -491,10 +491,6 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 	bool		success;
 	const char *selected_mechanism;
 	PQExpBufferData mechanism_buf;
-	char	   *tls_finished = NULL;
-	size_t		tls_finished_len = 0;
-	char	   *certificate_hash = NULL;
-	size_t		certificate_hash_len = 0;
 	char	   *password;
 
 	initPQExpBuffer(&mechanism_buf);
@@ -572,40 +568,15 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 		goto error;
 	}
 
-#ifdef USE_SSL
-
-	/*
-	 * Get data for channel binding.
-	 */
-	if (strcmp(selected_mechanism, SCRAM_SHA256_PLUS_NAME) == 0)
-	{
-		tls_finished = pgtls_get_finished(conn, &tls_finished_len);
-		if (tls_finished == NULL)
-			goto oom_error;
-
-		certificate_hash =
-			pgtls_get_peer_certificate_hash(conn,
-											&certificate_hash_len);
-		if (certificate_hash == NULL)
-			goto error;		/* error message is set */
-	}
-#endif
-
 	/*
 	 * Initialize the SASL state information with all the information gathered
 	 * during the initial exchange.
 	 *
 	 * Note: Only tls-unique is supported for the moment.
 	 */
-	conn->sasl_state = pg_fe_scram_init(conn->pguser,
+	conn->sasl_state = pg_fe_scram_init(conn,
 										password,
-										conn->ssl_in_use,
-										selected_mechanism,
-										conn->scram_channel_binding,
-										tls_finished,
-										tls_finished_len,
-										certificate_hash,
-										certificate_hash_len);
+										selected_mechanism);
 	if (!conn->sasl_state)
 		goto oom_error;
 
diff --git a/src/interfaces/libpq/fe-auth.h b/src/interfaces/libpq/fe-auth.h
index 68de8b6e32..4658a12837 100644
--- a/src/interfaces/libpq/fe-auth.h
+++ b/src/interfaces/libpq/fe-auth.h
@@ -23,15 +23,9 @@ extern int	pg_fe_sendauth(AuthRequest areq, int payloadlen, PGconn *conn);
 extern char *pg_fe_getauthname(PQExpBuffer errorMessage);
 
 /* Prototypes for functions in fe-auth-scram.c */
-extern void *pg_fe_scram_init(const char *username,
+extern void *pg_fe_scram_init(PGconn *conn,
 				 const char *password,
-				 bool ssl_in_use,
-				 const char *sasl_mechanism,
-				 const char *channel_binding_type,
-				 char *tls_finished_message,
-				 size_t tls_finished_len,
-				 char *certificate_hash,
-				 size_t certificate_hash_len);
+				 const char *sasl_mechanism);
 extern void pg_fe_scram_free(void *opaq);
 extern void pg_fe_scram_exchange(void *opaq, char *input, int inputlen,
 					 char **output, int *outputlen,
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 99077c3d9a..1acaffc488 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -428,9 +428,13 @@ pgtls_get_finished(PGconn *conn, size_t *len)
  * as per RFC 5929 (https://tools.ietf.org/html/rfc5929#section-4.1).
  * NULL is sent back to the caller in the event of an error, with an
  * error message for the caller to consume.
+ * If an error happens while processing, fill in errorMessage but do
+ * not append it to the connection's error message buffer as this
+ * gets passed down later on.
  */
 char *
-pgtls_get_peer_certificate_hash(PGconn *conn, size_t *len)
+pgtls_get_peer_certificate_hash(PGconn *conn, size_t *len,
+								PQExpBuffer errorMessage)
 {
 	char	   *cert_hash = NULL;
 
@@ -451,7 +455,7 @@ pgtls_get_peer_certificate_hash(PGconn *conn, size_t *len)
 		if (!OBJ_find_sigid_algs(X509_get_signature_nid(peer_cert),
 								 &algo_nid, NULL))
 		{
-			printfPQExpBuffer(&conn->errorMessage,
+			printfPQExpBuffer(errorMessage,
 							  libpq_gettext("could not find signature algorithm\n"));
 			return NULL;
 		}
@@ -467,7 +471,7 @@ pgtls_get_peer_certificate_hash(PGconn *conn, size_t *len)
 				algo_type = EVP_get_digestbynid(algo_nid);
 				if (algo_type == NULL)
 				{
-					printfPQExpBuffer(&conn->errorMessage,
+					printfPQExpBuffer(errorMessage,
 									  libpq_gettext("could not find digest for NID %s\n"),
 									  OBJ_nid2sn(algo_nid));
 					return NULL;
@@ -478,7 +482,7 @@ pgtls_get_peer_certificate_hash(PGconn *conn, size_t *len)
 		if (!X509_digest(peer_cert, algo_type, (unsigned char *) hash,
 						 &hash_size))
 		{
-			printfPQExpBuffer(&conn->errorMessage,
+			printfPQExpBuffer(errorMessage,
 							  libpq_gettext("could not generate peer certificate hash\n"));
 			return NULL;
 		}
@@ -487,7 +491,7 @@ pgtls_get_peer_certificate_hash(PGconn *conn, size_t *len)
 		cert_hash = (char *) malloc(hash_size);
 		if (cert_hash == NULL)
 		{
-			printfPQExpBuffer(&conn->errorMessage,
+			printfPQExpBuffer(errorMessage,
 							  libpq_gettext("out of memory\n"));
 			return NULL;
 		}
diff --git a/src/interfaces/libpq/libpq-int.h b/src/interfaces/libpq/libpq-int.h
index 756c4d61e1..a946aa4048 100644
--- a/src/interfaces/libpq/libpq-int.h
+++ b/src/interfaces/libpq/libpq-int.h
@@ -672,7 +672,8 @@ extern ssize_t pgtls_read(PGconn *conn, void *ptr, size_t len);
 extern bool pgtls_read_pending(PGconn *conn);
 extern ssize_t pgtls_write(PGconn *conn, const void *ptr, size_t len);
 extern char *pgtls_get_finished(PGconn *conn, size_t *len);
-extern char *pgtls_get_peer_certificate_hash(PGconn *conn, size_t *len);
+extern char *pgtls_get_peer_certificate_hash(PGconn *conn, size_t *len,
+											 PQExpBuffer errorMessage);
 
 /*
  * this is so that we can check if a connection is non-blocking internally
-- 
2.15.1

From 69dcf31f5ce5938f9f56a94bf55c8439ea53ed27 Mon Sep 17 00:00:00 2001
From: Michael Paquier <michael@paquier.xyz>
Date: Fri, 22 Dec 2017 10:49:10 +0900
Subject: [PATCH 1/2] Implement channel binding tls-server-end-point for SCRAM

As referenced in RFC 5929, this channel binding is not the default value
and uses a hash of the certificate as binding data. On the frontend, this
can be resumed in getting the data from SSL_get_peer_certificate() and
on the backend SSL_get_certificate().

The hashing algorithm needs also to switch to SHA-256 if the signature
algorithm is MD5 or SHA-1, so let's be careful about that.
---
 doc/src/sgml/protocol.sgml               |  5 +-
 src/backend/libpq/auth-scram.c           | 26 ++++++++---
 src/backend/libpq/auth.c                 |  8 +++-
 src/backend/libpq/be-secure-openssl.c    | 61 +++++++++++++++++++++++++
 src/include/common/scram-common.h        |  1 +
 src/include/libpq/libpq-be.h             |  1 +
 src/include/libpq/scram.h                |  3 +-
 src/interfaces/libpq/fe-auth-scram.c     | 18 ++++++--
 src/interfaces/libpq/fe-auth.c           | 12 ++++-
 src/interfaces/libpq/fe-auth.h           |  4 +-
 src/interfaces/libpq/fe-secure-openssl.c | 78 ++++++++++++++++++++++++++++++++
 src/interfaces/libpq/libpq-int.h         |  1 +
 src/test/ssl/t/002_scram.pl              |  5 +-
 13 files changed, 207 insertions(+), 16 deletions(-)

diff --git a/doc/src/sgml/protocol.sgml b/doc/src/sgml/protocol.sgml
index 8174e3defa..365f72b51d 100644
--- a/doc/src/sgml/protocol.sgml
+++ b/doc/src/sgml/protocol.sgml
@@ -1576,8 +1576,9 @@ the password is in.
   <para>
 <firstterm>Channel binding</firstterm> is supported in PostgreSQL builds with
 SSL support. The SASL mechanism name for SCRAM with channel binding
-is <literal>SCRAM-SHA-256-PLUS</literal>.  The only channel binding type
-supported at the moment is <literal>tls-unique</literal>, defined in RFC 5929.
+is <literal>SCRAM-SHA-256-PLUS</literal>.  Two channel binding types are
+supported at the moment: <literal>tls-unique</literal>, which is the default,
+and <literal>tls-server-end-point</literal>, both defined in RFC 5929.
   </para>
 
 <procedure>
diff --git a/src/backend/libpq/auth-scram.c b/src/backend/libpq/auth-scram.c
index d52a763457..849587d141 100644
--- a/src/backend/libpq/auth-scram.c
+++ b/src/backend/libpq/auth-scram.c
@@ -114,6 +114,8 @@ typedef struct
 	bool		ssl_in_use;
 	const char *tls_finished_message;
 	size_t		tls_finished_len;
+	const char *certificate_hash;
+	size_t		certificate_hash_len;
 	char	   *channel_binding_type;
 
 	int			iterations;
@@ -176,7 +178,9 @@ pg_be_scram_init(const char *username,
 				 const char *shadow_pass,
 				 bool ssl_in_use,
 				 const char *tls_finished_message,
-				 size_t tls_finished_len)
+				 size_t tls_finished_len,
+				 const char *certificate_hash,
+				 size_t certificate_hash_len)
 {
 	scram_state *state;
 	bool		got_verifier;
@@ -187,6 +191,8 @@ pg_be_scram_init(const char *username,
 	state->ssl_in_use = ssl_in_use;
 	state->tls_finished_message = tls_finished_message;
 	state->tls_finished_len = tls_finished_len;
+	state->certificate_hash = certificate_hash;
+	state->certificate_hash_len = certificate_hash_len;
 	state->channel_binding_type = NULL;
 
 	/*
@@ -857,13 +863,15 @@ read_client_first_message(scram_state *state, char *input)
 				}
 
 				/*
-				 * Read value provided by client; only tls-unique is supported
-				 * for now.  (It is not safe to print the name of an
-				 * unsupported binding type in the error message.  Pranksters
-				 * could print arbitrary strings into the log that way.)
+				 * Read value provided by client; only tls-unique and
+				 * tls-server-end-point are supported for now.  (It is
+				 * not safe to print the name of an unsupported binding
+				 * type in the error message.  Pranksters could print
+				 * arbitrary strings into the log that way.)
 				 */
 				channel_binding_type = read_attr_value(&input, 'p');
-				if (strcmp(channel_binding_type, SCRAM_CHANNEL_BINDING_TLS_UNIQUE) != 0)
+				if (strcmp(channel_binding_type, SCRAM_CHANNEL_BINDING_TLS_UNIQUE) != 0 &&
+					strcmp(channel_binding_type, SCRAM_CHANNEL_BINDING_TLS_ENDPOINT) != 0)
 					ereport(ERROR,
 							(errcode(ERRCODE_PROTOCOL_VIOLATION),
 							 (errmsg("unsupported SCRAM channel-binding type"))));
@@ -1123,6 +1131,12 @@ read_client_final_message(scram_state *state, char *input)
 			cbind_data = state->tls_finished_message;
 			cbind_data_len = state->tls_finished_len;
 		}
+		else if (strcmp(state->channel_binding_type,
+						SCRAM_CHANNEL_BINDING_TLS_ENDPOINT) == 0)
+		{
+			cbind_data = state->certificate_hash;
+			cbind_data_len = state->certificate_hash_len;
+		}
 		else
 		{
 			/* should not happen */
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index b7f9bb1669..700a3bffa4 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -875,6 +875,8 @@ CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail)
 	bool		initial;
 	char	   *tls_finished = NULL;
 	size_t		tls_finished_len = 0;
+	char	   *certificate_hash = NULL;
+	size_t		certificate_hash_len = 0;
 
 	/*
 	 * SASL auth is not supported for protocol versions before 3, because it
@@ -923,6 +925,8 @@ CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail)
 	if (port->ssl_in_use)
 	{
 		tls_finished = be_tls_get_peer_finished(port, &tls_finished_len);
+		certificate_hash = be_tls_get_certificate_hash(port,
+													   &certificate_hash_len);
 	}
 #endif
 
@@ -941,7 +945,9 @@ CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail)
 								  shadow_pass,
 								  port->ssl_in_use,
 								  tls_finished,
-								  tls_finished_len);
+								  tls_finished_len,
+								  certificate_hash,
+								  certificate_hash_len);
 
 	/*
 	 * Loop through SASL message exchange.  This exchange can consist of
diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 1e3e19f5e0..e3e8a535c8 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -1239,6 +1239,67 @@ be_tls_get_peer_finished(Port *port, size_t *len)
 	return result;
 }
 
+/*
+ * Get the server certificate hash for authentication purposes. Per
+ * RFC 5929 and tls-server-end-point, the TLS server's certificate bytes
+ * need to be hashed with SHA-256 if its signature algorithm is MD5 or
+ * SHA-1 as per RFC 5929 (https://tools.ietf.org/html/rfc5929#section-4.1).
+ * If something else is used, the same hash as the signature algorithm is
+ * used. The result is a palloc'd hash of the server certificate with its
+ * size, and NULL if there is no certificate available.
+ */
+char *
+be_tls_get_certificate_hash(Port *port, size_t *len)
+{
+	char	*cert_hash = NULL;
+	X509	*server_cert;
+
+	*len = 0;
+	server_cert = SSL_get_certificate(port->ssl);
+
+	if (server_cert != NULL)
+	{
+		const EVP_MD   *algo_type = NULL;
+		char			hash[EVP_MAX_MD_SIZE];	/* size for SHA-512 */
+		unsigned int	hash_size;
+		int				algo_nid;
+
+		/*
+		 * Get the signature algorithm of the certificate to determine the
+		 * hash algorithm to use for the result.
+		 */
+		if (!OBJ_find_sigid_algs(X509_get_signature_nid(server_cert),
+								 &algo_nid, NULL))
+			elog(ERROR, "could not find signature algorithm");
+
+		switch (algo_nid)
+		{
+			case NID_md5:
+			case NID_sha1:
+				algo_type = EVP_sha256();
+				break;
+
+			default:
+				algo_type = EVP_get_digestbynid(algo_nid);
+				if (algo_type == NULL)
+					elog(ERROR, "could not find digest for NID %s",
+						 OBJ_nid2sn(algo_nid));
+				break;
+		}
+
+		/* generate and save the certificate hash */
+		if (!X509_digest(server_cert, algo_type, (unsigned char *) hash,
+						 &hash_size))
+			elog(ERROR, "could not generate server certificate hash");
+
+		cert_hash = (char *) palloc(hash_size);
+		memcpy(cert_hash, hash, hash_size);
+		*len = hash_size;
+	}
+
+	return cert_hash;
+}
+
 /*
  * Convert an X509 subject name to a cstring.
  *
diff --git a/src/include/common/scram-common.h b/src/include/common/scram-common.h
index 857a60e71f..5aec5cadb8 100644
--- a/src/include/common/scram-common.h
+++ b/src/include/common/scram-common.h
@@ -21,6 +21,7 @@
 
 /* Channel binding types */
 #define SCRAM_CHANNEL_BINDING_TLS_UNIQUE    "tls-unique"
+#define SCRAM_CHANNEL_BINDING_TLS_ENDPOINT	"tls-server-end-point"
 
 /* Length of SCRAM keys (client and server) */
 #define SCRAM_KEY_LEN				PG_SHA256_DIGEST_LENGTH
diff --git a/src/include/libpq/libpq-be.h b/src/include/libpq/libpq-be.h
index 856e0439d5..cf9d8b7870 100644
--- a/src/include/libpq/libpq-be.h
+++ b/src/include/libpq/libpq-be.h
@@ -210,6 +210,7 @@ extern void be_tls_get_version(Port *port, char *ptr, size_t len);
 extern void be_tls_get_cipher(Port *port, char *ptr, size_t len);
 extern void be_tls_get_peerdn_name(Port *port, char *ptr, size_t len);
 extern char *be_tls_get_peer_finished(Port *port, size_t *len);
+extern char *be_tls_get_certificate_hash(Port *port, size_t *len);
 #endif
 
 extern ProtocolVersion FrontendProtocol;
diff --git a/src/include/libpq/scram.h b/src/include/libpq/scram.h
index 2c245813d6..7c8f009a3b 100644
--- a/src/include/libpq/scram.h
+++ b/src/include/libpq/scram.h
@@ -21,7 +21,8 @@
 /* Routines dedicated to authentication */
 extern void *pg_be_scram_init(const char *username, const char *shadow_pass,
 				 bool ssl_in_use, const char *tls_finished_message,
-				 size_t tls_finished_len);
+				 size_t tls_finished_len, const char *certificate_hash,
+				 size_t certificate_hash_len);
 extern int pg_be_scram_exchange(void *opaq, char *input, int inputlen,
 					 char **output, int *outputlen, char **logdetail);
 
diff --git a/src/interfaces/libpq/fe-auth-scram.c b/src/interfaces/libpq/fe-auth-scram.c
index b8f7a6b5be..a56fccf12e 100644
--- a/src/interfaces/libpq/fe-auth-scram.c
+++ b/src/interfaces/libpq/fe-auth-scram.c
@@ -47,6 +47,8 @@ typedef struct
 	bool		ssl_in_use;
 	char	   *tls_finished_message;
 	size_t		tls_finished_len;
+	char	   *certificate_hash;
+	size_t		certificate_hash_len;
 	char	   *sasl_mechanism;
 	const char *channel_binding_type;
 
@@ -95,7 +97,9 @@ pg_fe_scram_init(const char *username,
 				 const char *sasl_mechanism,
 				 const char *channel_binding_type,
 				 char *tls_finished_message,
-				 size_t tls_finished_len)
+				 size_t tls_finished_len,
+				 char *certificate_hash,
+				 size_t certificate_hash_len)
 {
 	fe_scram_state *state;
 	char	   *prep_password;
@@ -112,6 +116,8 @@ pg_fe_scram_init(const char *username,
 	state->ssl_in_use = ssl_in_use;
 	state->tls_finished_message = tls_finished_message;
 	state->tls_finished_len = tls_finished_len;
+	state->certificate_hash = certificate_hash;
+	state->certificate_hash_len = certificate_hash_len;
 	state->sasl_mechanism = strdup(sasl_mechanism);
 	state->channel_binding_type = channel_binding_type;
 
@@ -156,8 +162,8 @@ pg_fe_scram_free(void *opaq)
 		free(state->password);
 	if (state->tls_finished_message)
 		free(state->tls_finished_message);
-	if (state->sasl_mechanism)
-		free(state->sasl_mechanism);
+	if (state->certificate_hash)
+		free(state->certificate_hash);
 
 	/* client messages */
 	if (state->client_nonce)
@@ -461,6 +467,12 @@ build_client_final_message(fe_scram_state *state, PQExpBuffer errormessage)
 			cbind_data = state->tls_finished_message;
 			cbind_data_len = state->tls_finished_len;
 		}
+		else if (strcmp(state->channel_binding_type,
+						SCRAM_CHANNEL_BINDING_TLS_ENDPOINT) == 0)
+		{
+			cbind_data = state->certificate_hash;
+			cbind_data_len = state->certificate_hash_len;
+		}
 		else
 		{
 			/* should not happen */
diff --git a/src/interfaces/libpq/fe-auth.c b/src/interfaces/libpq/fe-auth.c
index 3340a9ad93..bb9b0573d1 100644
--- a/src/interfaces/libpq/fe-auth.c
+++ b/src/interfaces/libpq/fe-auth.c
@@ -493,6 +493,8 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 	PQExpBufferData mechanism_buf;
 	char	   *tls_finished = NULL;
 	size_t		tls_finished_len = 0;
+	char	   *certificate_hash = NULL;
+	size_t		certificate_hash_len = 0;
 	char	   *password;
 
 	initPQExpBuffer(&mechanism_buf);
@@ -580,6 +582,12 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 		tls_finished = pgtls_get_finished(conn, &tls_finished_len);
 		if (tls_finished == NULL)
 			goto oom_error;
+
+		certificate_hash =
+			pgtls_get_peer_certificate_hash(conn,
+											&certificate_hash_len);
+		if (certificate_hash == NULL)
+			goto error;		/* error message is set */
 	}
 #endif
 
@@ -595,7 +603,9 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 										selected_mechanism,
 										conn->scram_channel_binding,
 										tls_finished,
-										tls_finished_len);
+										tls_finished_len,
+										certificate_hash,
+										certificate_hash_len);
 	if (!conn->sasl_state)
 		goto oom_error;
 
diff --git a/src/interfaces/libpq/fe-auth.h b/src/interfaces/libpq/fe-auth.h
index db319ac071..68de8b6e32 100644
--- a/src/interfaces/libpq/fe-auth.h
+++ b/src/interfaces/libpq/fe-auth.h
@@ -29,7 +29,9 @@ extern void *pg_fe_scram_init(const char *username,
 				 const char *sasl_mechanism,
 				 const char *channel_binding_type,
 				 char *tls_finished_message,
-				 size_t tls_finished_len);
+				 size_t tls_finished_len,
+				 char *certificate_hash,
+				 size_t certificate_hash_len);
 extern void pg_fe_scram_free(void *opaq);
 extern void pg_fe_scram_exchange(void *opaq, char *input, int inputlen,
 					 char **output, int *outputlen,
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 61d161b367..99077c3d9a 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -419,6 +419,84 @@ pgtls_get_finished(PGconn *conn, size_t *len)
 	return result;
 }
 
+/*
+ *	Get the hash of the server certificate
+ *
+ * This information is useful for end-point channel binding, where the
+ * client certificate hash is used as a link, per RFC 5929. If the
+ * signature hash algorithm is MD5 or SHA-1, fall back to SHA-256,
+ * as per RFC 5929 (https://tools.ietf.org/html/rfc5929#section-4.1).
+ * NULL is sent back to the caller in the event of an error, with an
+ * error message for the caller to consume.
+ */
+char *
+pgtls_get_peer_certificate_hash(PGconn *conn, size_t *len)
+{
+	char	   *cert_hash = NULL;
+
+	*len = 0;
+
+	if (conn->peer)
+	{
+		X509		   *peer_cert = conn->peer;
+		const EVP_MD   *algo_type = NULL;
+		char			hash[EVP_MAX_MD_SIZE];	/* size for SHA-512 */
+		unsigned int	hash_size;
+		int				algo_nid;
+
+		/*
+		 * Get the signature algorithm of the certificate to determine the
+		 * hash algorithm to use for the result.
+		 */
+		if (!OBJ_find_sigid_algs(X509_get_signature_nid(peer_cert),
+								 &algo_nid, NULL))
+		{
+			printfPQExpBuffer(&conn->errorMessage,
+							  libpq_gettext("could not find signature algorithm\n"));
+			return NULL;
+		}
+
+		switch (algo_nid)
+		{
+			case NID_md5:
+			case NID_sha1:
+				algo_type = EVP_sha256();
+				break;
+
+			default:
+				algo_type = EVP_get_digestbynid(algo_nid);
+				if (algo_type == NULL)
+				{
+					printfPQExpBuffer(&conn->errorMessage,
+									  libpq_gettext("could not find digest for NID %s\n"),
+									  OBJ_nid2sn(algo_nid));
+					return NULL;
+				}
+				break;
+		}
+
+		if (!X509_digest(peer_cert, algo_type, (unsigned char *) hash,
+						 &hash_size))
+		{
+			printfPQExpBuffer(&conn->errorMessage,
+							  libpq_gettext("could not generate peer certificate hash\n"));
+			return NULL;
+		}
+
+		/* save result */
+		cert_hash = (char *) malloc(hash_size);
+		if (cert_hash == NULL)
+		{
+			printfPQExpBuffer(&conn->errorMessage,
+							  libpq_gettext("out of memory\n"));
+			return NULL;
+		}
+		memcpy(cert_hash, hash, hash_size);
+		*len = hash_size;
+	}
+
+	return cert_hash;
+}
 
 /* ------------------------------------------------------------ */
 /*						OpenSSL specific code					*/
diff --git a/src/interfaces/libpq/libpq-int.h b/src/interfaces/libpq/libpq-int.h
index f6c1023f37..756c4d61e1 100644
--- a/src/interfaces/libpq/libpq-int.h
+++ b/src/interfaces/libpq/libpq-int.h
@@ -672,6 +672,7 @@ extern ssize_t pgtls_read(PGconn *conn, void *ptr, size_t len);
 extern bool pgtls_read_pending(PGconn *conn);
 extern ssize_t pgtls_write(PGconn *conn, const void *ptr, size_t len);
 extern char *pgtls_get_finished(PGconn *conn, size_t *len);
+extern char *pgtls_get_peer_certificate_hash(PGconn *conn, size_t *len);
 
 /*
  * this is so that we can check if a connection is non-blocking internally
diff --git a/src/test/ssl/t/002_scram.pl b/src/test/ssl/t/002_scram.pl
index 324b4888d4..3f425e00f0 100644
--- a/src/test/ssl/t/002_scram.pl
+++ b/src/test/ssl/t/002_scram.pl
@@ -4,7 +4,7 @@ use strict;
 use warnings;
 use PostgresNode;
 use TestLib;
-use Test::More tests => 4;
+use Test::More tests => 5;
 use ServerSetup;
 use File::Copy;
 
@@ -45,6 +45,9 @@ test_connect_ok($common_connstr,
 test_connect_ok($common_connstr,
 	"scram_channel_binding=''",
 	"SCRAM authentication without channel binding");
+test_connect_ok($common_connstr,
+	"scram_channel_binding=tls-server-end-point",
+	"SCRAM authentication with tls-server-end-point as channel binding");
 test_connect_fails($common_connstr,
 	"scram_channel_binding=not-exists",
 	"SCRAM authentication with invalid channel binding");
-- 
2.15.1

From 006093fc8bf27e1bfe142dbcd79dadea4257909f Mon Sep 17 00:00:00 2001
From: Michael Paquier <michael@paquier.xyz>
Date: Fri, 22 Dec 2017 17:04:19 +0900
Subject: [PATCH 2/2] Refactor channel binding code to fetch cbind_data only
 when necessary

As things stand now, channel binding data is fetched from OpenSSL and saved
into the SASL exchange context for any SSL connection attempted for a SCRAM
authentication, resulting in data fetched but not used if no channel binding
is used or if a different channel binding type is used than what the data
is here for.

Refactor the code in such a way that binding data is only fetched from the
SSL stack only when a specific channel binding is used for both the frontend
and the backend. In order to achieve that, save the libpq connection context
directly in the SCRAM exchange state, and add a dependency to SSL in the
low-level SCRAM routines.

This makes the interface in charge of initializing the SCRAM context cleaner
as all its data comes from either PGconn* (for frontend) or Port* (for the
backend).
---
 src/backend/libpq/auth-scram.c       |  47 ++++-----
 src/backend/libpq/auth.c             |  25 +----
 src/include/libpq/scram.h            |   7 +-
 src/interfaces/libpq/fe-auth-scram.c | 180 ++++++++++++++++++-----------------
 src/interfaces/libpq/fe-auth.c       |  37 +------
 src/interfaces/libpq/fe-auth.h       |  12 +--
 6 files changed, 121 insertions(+), 187 deletions(-)

diff --git a/src/backend/libpq/auth-scram.c b/src/backend/libpq/auth-scram.c
index 849587d141..0a50f815ab 100644
--- a/src/backend/libpq/auth-scram.c
+++ b/src/backend/libpq/auth-scram.c
@@ -110,12 +110,8 @@ typedef struct
 
 	const char *username;		/* username from startup packet */
 
+	Port	   *port;
 	char		cbind_flag;
-	bool		ssl_in_use;
-	const char *tls_finished_message;
-	size_t		tls_finished_len;
-	const char *certificate_hash;
-	size_t		certificate_hash_len;
 	char	   *channel_binding_type;
 
 	int			iterations;
@@ -174,25 +170,15 @@ static char *scram_mock_salt(const char *username);
  * it will fail, as if an incorrect password was given.
  */
 void *
-pg_be_scram_init(const char *username,
-				 const char *shadow_pass,
-				 bool ssl_in_use,
-				 const char *tls_finished_message,
-				 size_t tls_finished_len,
-				 const char *certificate_hash,
-				 size_t certificate_hash_len)
+pg_be_scram_init(Port *port,
+				 const char *shadow_pass)
 {
 	scram_state *state;
 	bool		got_verifier;
 
 	state = (scram_state *) palloc0(sizeof(scram_state));
+	state->port = port;
 	state->state = SCRAM_AUTH_INIT;
-	state->username = username;
-	state->ssl_in_use = ssl_in_use;
-	state->tls_finished_message = tls_finished_message;
-	state->tls_finished_len = tls_finished_len;
-	state->certificate_hash = certificate_hash;
-	state->certificate_hash_len = certificate_hash_len;
 	state->channel_binding_type = NULL;
 
 	/*
@@ -215,7 +201,7 @@ pg_be_scram_init(const char *username,
 				 */
 				ereport(LOG,
 						(errmsg("invalid SCRAM verifier for user \"%s\"",
-								username)));
+								state->port->user_name)));
 				got_verifier = false;
 			}
 		}
@@ -226,7 +212,7 @@ pg_be_scram_init(const char *username,
 			 * authentication with an MD5 hash.)
 			 */
 			state->logdetail = psprintf(_("User \"%s\" does not have a valid SCRAM verifier."),
-										state->username);
+										state->port->user_name);
 			got_verifier = false;
 		}
 	}
@@ -248,8 +234,8 @@ pg_be_scram_init(const char *username,
 	 */
 	if (!got_verifier)
 	{
-		mock_scram_verifier(username, &state->iterations, &state->salt,
-							state->StoredKey, state->ServerKey);
+		mock_scram_verifier(state->port->user_name, &state->iterations,
+							&state->salt, state->StoredKey, state->ServerKey);
 		state->doomed = true;
 	}
 
@@ -821,7 +807,7 @@ read_client_first_message(scram_state *state, char *input)
 			 * it supports channel binding, which in this implementation is
 			 * the case if a connection is using SSL.
 			 */
-			if (state->ssl_in_use)
+			if (state->port->ssl_in_use)
 				ereport(ERROR,
 						(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
 						 errmsg("SCRAM channel binding negotiation error"),
@@ -845,7 +831,7 @@ read_client_first_message(scram_state *state, char *input)
 			{
 				char	   *channel_binding_type;
 
-				if (!state->ssl_in_use)
+				if (!state->port->ssl_in_use)
 				{
 					/*
 					 * Without SSL, we don't support channel binding.
@@ -1128,14 +1114,19 @@ read_client_final_message(scram_state *state, char *input)
 		 */
 		if (strcmp(state->channel_binding_type, SCRAM_CHANNEL_BINDING_TLS_UNIQUE) == 0)
 		{
-			cbind_data = state->tls_finished_message;
-			cbind_data_len = state->tls_finished_len;
+			/* Fetch data from TLS finished message */
+#ifdef USE_SSL
+			cbind_data = be_tls_get_peer_finished(state->port, &cbind_data_len);
+#endif
 		}
 		else if (strcmp(state->channel_binding_type,
 						SCRAM_CHANNEL_BINDING_TLS_ENDPOINT) == 0)
 		{
-			cbind_data = state->certificate_hash;
-			cbind_data_len = state->certificate_hash_len;
+			/* Fetch hash data of server's SSL certificate */
+#ifdef USE_SSL
+			cbind_data = be_tls_get_certificate_hash(state->port,
+													 &cbind_data_len);
+#endif
 		}
 		else
 		{
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index 700a3bffa4..bd91e1cd18 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -873,10 +873,6 @@ CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail)
 	int			inputlen;
 	int			result;
 	bool		initial;
-	char	   *tls_finished = NULL;
-	size_t		tls_finished_len = 0;
-	char	   *certificate_hash = NULL;
-	size_t		certificate_hash_len = 0;
 
 	/*
 	 * SASL auth is not supported for protocol versions before 3, because it
@@ -917,19 +913,6 @@ CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail)
 	sendAuthRequest(port, AUTH_REQ_SASL, sasl_mechs, p - sasl_mechs + 1);
 	pfree(sasl_mechs);
 
-#ifdef USE_SSL
-
-	/*
-	 * Get data for channel binding.
-	 */
-	if (port->ssl_in_use)
-	{
-		tls_finished = be_tls_get_peer_finished(port, &tls_finished_len);
-		certificate_hash = be_tls_get_certificate_hash(port,
-													   &certificate_hash_len);
-	}
-#endif
-
 	/*
 	 * Initialize the status tracker for message exchanges.
 	 *
@@ -941,13 +924,7 @@ CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail)
 	 * This is because we don't want to reveal to an attacker what usernames
 	 * are valid, nor which users have a valid password.
 	 */
-	scram_opaq = pg_be_scram_init(port->user_name,
-								  shadow_pass,
-								  port->ssl_in_use,
-								  tls_finished,
-								  tls_finished_len,
-								  certificate_hash,
-								  certificate_hash_len);
+	scram_opaq = pg_be_scram_init(port, shadow_pass);
 
 	/*
 	 * Loop through SASL message exchange.  This exchange can consist of
diff --git a/src/include/libpq/scram.h b/src/include/libpq/scram.h
index 7c8f009a3b..f404f57253 100644
--- a/src/include/libpq/scram.h
+++ b/src/include/libpq/scram.h
@@ -13,16 +13,15 @@
 #ifndef PG_SCRAM_H
 #define PG_SCRAM_H
 
+#include "libpq/libpq-be.h"
+
 /* Status codes for message exchange */
 #define SASL_EXCHANGE_CONTINUE		0
 #define SASL_EXCHANGE_SUCCESS		1
 #define SASL_EXCHANGE_FAILURE		2
 
 /* Routines dedicated to authentication */
-extern void *pg_be_scram_init(const char *username, const char *shadow_pass,
-				 bool ssl_in_use, const char *tls_finished_message,
-				 size_t tls_finished_len, const char *certificate_hash,
-				 size_t certificate_hash_len);
+extern void *pg_be_scram_init(Port *port, const char *shadow_pass);
 extern int pg_be_scram_exchange(void *opaq, char *input, int inputlen,
 					 char **output, int *outputlen, char **logdetail);
 
diff --git a/src/interfaces/libpq/fe-auth-scram.c b/src/interfaces/libpq/fe-auth-scram.c
index a56fccf12e..65817411b1 100644
--- a/src/interfaces/libpq/fe-auth-scram.c
+++ b/src/interfaces/libpq/fe-auth-scram.c
@@ -42,15 +42,9 @@ typedef struct
 	fe_scram_state_enum state;
 
 	/* These are supplied by the user */
-	const char *username;
+	PGconn	   *conn;
 	char	   *password;
-	bool		ssl_in_use;
-	char	   *tls_finished_message;
-	size_t		tls_finished_len;
-	char	   *certificate_hash;
-	size_t		certificate_hash_len;
 	char	   *sasl_mechanism;
-	const char *channel_binding_type;
 
 	/* We construct these */
 	uint8		SaltedPassword[SCRAM_KEY_LEN];
@@ -70,14 +64,10 @@ typedef struct
 	char		ServerSignature[SCRAM_KEY_LEN];
 } fe_scram_state;
 
-static bool read_server_first_message(fe_scram_state *state, char *input,
-						  PQExpBuffer errormessage);
-static bool read_server_final_message(fe_scram_state *state, char *input,
-						  PQExpBuffer errormessage);
-static char *build_client_first_message(fe_scram_state *state,
-						   PQExpBuffer errormessage);
-static char *build_client_final_message(fe_scram_state *state,
-						   PQExpBuffer errormessage);
+static bool read_server_first_message(fe_scram_state *state, char *input);
+static bool read_server_final_message(fe_scram_state *state, char *input);
+static char *build_client_first_message(fe_scram_state *state);
+static char *build_client_final_message(fe_scram_state *state);
 static bool verify_server_signature(fe_scram_state *state);
 static void calculate_client_proof(fe_scram_state *state,
 					   const char *client_final_message_without_proof,
@@ -91,15 +81,9 @@ static bool pg_frontend_random(char *dst, int len);
  * freed by pg_fe_scram_free().
  */
 void *
-pg_fe_scram_init(const char *username,
+pg_fe_scram_init(PGconn *conn,
 				 const char *password,
-				 bool ssl_in_use,
-				 const char *sasl_mechanism,
-				 const char *channel_binding_type,
-				 char *tls_finished_message,
-				 size_t tls_finished_len,
-				 char *certificate_hash,
-				 size_t certificate_hash_len)
+				 const char *sasl_mechanism)
 {
 	fe_scram_state *state;
 	char	   *prep_password;
@@ -111,15 +95,9 @@ pg_fe_scram_init(const char *username,
 	if (!state)
 		return NULL;
 	memset(state, 0, sizeof(fe_scram_state));
+	state->conn = conn;
 	state->state = FE_SCRAM_INIT;
-	state->username = username;
-	state->ssl_in_use = ssl_in_use;
-	state->tls_finished_message = tls_finished_message;
-	state->tls_finished_len = tls_finished_len;
-	state->certificate_hash = certificate_hash;
-	state->certificate_hash_len = certificate_hash_len;
 	state->sasl_mechanism = strdup(sasl_mechanism);
-	state->channel_binding_type = channel_binding_type;
 
 	if (!state->sasl_mechanism)
 	{
@@ -160,10 +138,6 @@ pg_fe_scram_free(void *opaq)
 
 	if (state->password)
 		free(state->password);
-	if (state->tls_finished_message)
-		free(state->tls_finished_message);
-	if (state->certificate_hash)
-		free(state->certificate_hash);
 
 	/* client messages */
 	if (state->client_nonce)
@@ -194,9 +168,10 @@ pg_fe_scram_free(void *opaq)
 void
 pg_fe_scram_exchange(void *opaq, char *input, int inputlen,
 					 char **output, int *outputlen,
-					 bool *done, bool *success, PQExpBuffer errorMessage)
+					 bool *done, bool *success)
 {
 	fe_scram_state *state = (fe_scram_state *) opaq;
+	PGconn	   *conn = state->conn;
 
 	*done = false;
 	*success = false;
@@ -211,13 +186,13 @@ pg_fe_scram_exchange(void *opaq, char *input, int inputlen,
 	{
 		if (inputlen == 0)
 		{
-			printfPQExpBuffer(errorMessage,
+			printfPQExpBuffer(&conn->errorMessage,
 							  libpq_gettext("malformed SCRAM message (empty message)\n"));
 			goto error;
 		}
 		if (inputlen != strlen(input))
 		{
-			printfPQExpBuffer(errorMessage,
+			printfPQExpBuffer(&conn->errorMessage,
 							  libpq_gettext("malformed SCRAM message (length mismatch)\n"));
 			goto error;
 		}
@@ -227,7 +202,7 @@ pg_fe_scram_exchange(void *opaq, char *input, int inputlen,
 	{
 		case FE_SCRAM_INIT:
 			/* Begin the SCRAM handshake, by sending client nonce */
-			*output = build_client_first_message(state, errorMessage);
+			*output = build_client_first_message(state);
 			if (*output == NULL)
 				goto error;
 
@@ -238,10 +213,10 @@ pg_fe_scram_exchange(void *opaq, char *input, int inputlen,
 
 		case FE_SCRAM_NONCE_SENT:
 			/* Receive salt and server nonce, send response. */
-			if (!read_server_first_message(state, input, errorMessage))
+			if (!read_server_first_message(state, input))
 				goto error;
 
-			*output = build_client_final_message(state, errorMessage);
+			*output = build_client_final_message(state);
 			if (*output == NULL)
 				goto error;
 
@@ -252,7 +227,7 @@ pg_fe_scram_exchange(void *opaq, char *input, int inputlen,
 
 		case FE_SCRAM_PROOF_SENT:
 			/* Receive server signature */
-			if (!read_server_final_message(state, input, errorMessage))
+			if (!read_server_final_message(state, input))
 				goto error;
 
 			/*
@@ -266,7 +241,7 @@ pg_fe_scram_exchange(void *opaq, char *input, int inputlen,
 			else
 			{
 				*success = false;
-				printfPQExpBuffer(errorMessage,
+				printfPQExpBuffer(&conn->errorMessage,
 								  libpq_gettext("incorrect server signature\n"));
 			}
 			*done = true;
@@ -275,7 +250,7 @@ pg_fe_scram_exchange(void *opaq, char *input, int inputlen,
 
 		default:
 			/* shouldn't happen */
-			printfPQExpBuffer(errorMessage,
+			printfPQExpBuffer(&conn->errorMessage,
 							  libpq_gettext("invalid SCRAM exchange state\n"));
 			goto error;
 	}
@@ -333,8 +308,9 @@ read_attr_value(char **input, char attr, PQExpBuffer errorMessage)
  * Build the first exchange message sent by the client.
  */
 static char *
-build_client_first_message(fe_scram_state *state, PQExpBuffer errormessage)
+build_client_first_message(fe_scram_state *state)
 {
+	PGconn	   *conn = state->conn;
 	char		raw_nonce[SCRAM_RAW_NONCE_LEN + 1];
 	char	   *result;
 	int			channel_info_len;
@@ -347,7 +323,7 @@ build_client_first_message(fe_scram_state *state, PQExpBuffer errormessage)
 	 */
 	if (!pg_frontend_random(raw_nonce, SCRAM_RAW_NONCE_LEN))
 	{
-		printfPQExpBuffer(errormessage,
+		printfPQExpBuffer(&conn->errorMessage,
 						  libpq_gettext("could not generate nonce\n"));
 		return NULL;
 	}
@@ -355,7 +331,7 @@ build_client_first_message(fe_scram_state *state, PQExpBuffer errormessage)
 	state->client_nonce = malloc(pg_b64_enc_len(SCRAM_RAW_NONCE_LEN) + 1);
 	if (state->client_nonce == NULL)
 	{
-		printfPQExpBuffer(errormessage,
+		printfPQExpBuffer(&conn->errorMessage,
 						  libpq_gettext("out of memory\n"));
 		return NULL;
 	}
@@ -376,11 +352,11 @@ build_client_first_message(fe_scram_state *state, PQExpBuffer errormessage)
 	 */
 	if (strcmp(state->sasl_mechanism, SCRAM_SHA256_PLUS_NAME) == 0)
 	{
-		Assert(state->ssl_in_use);
-		appendPQExpBuffer(&buf, "p=%s", state->channel_binding_type);
+		Assert(conn->ssl_in_use);
+		appendPQExpBuffer(&buf, "p=%s", conn->scram_channel_binding);
 	}
-	else if (state->channel_binding_type == NULL ||
-			 strlen(state->channel_binding_type) == 0)
+	else if (conn->scram_channel_binding == NULL ||
+			 strlen(conn->scram_channel_binding) == 0)
 	{
 		/*
 		 * Client has chosen to not show to server that it supports channel
@@ -388,7 +364,7 @@ build_client_first_message(fe_scram_state *state, PQExpBuffer errormessage)
 		 */
 		appendPQExpBuffer(&buf, "n");
 	}
-	else if (state->ssl_in_use)
+	else if (conn->ssl_in_use)
 	{
 		/*
 		 * Client supports channel binding, but thinks the server does not.
@@ -429,7 +405,7 @@ build_client_first_message(fe_scram_state *state, PQExpBuffer errormessage)
 
 oom_error:
 	termPQExpBuffer(&buf);
-	printfPQExpBuffer(errormessage,
+	printfPQExpBuffer(&conn->errorMessage,
 					  libpq_gettext("out of memory\n"));
 	return NULL;
 }
@@ -438,9 +414,10 @@ oom_error:
  * Build the final exchange message sent from the client.
  */
 static char *
-build_client_final_message(fe_scram_state *state, PQExpBuffer errormessage)
+build_client_final_message(fe_scram_state *state)
 {
 	PQExpBufferData buf;
+	PGconn	   *conn = state->conn;
 	uint8		client_proof[SCRAM_KEY_LEN];
 	char	   *result;
 
@@ -456,28 +433,41 @@ build_client_final_message(fe_scram_state *state, PQExpBuffer errormessage)
 	 */
 	if (strcmp(state->sasl_mechanism, SCRAM_SHA256_PLUS_NAME) == 0)
 	{
-		char	   *cbind_data;
-		size_t		cbind_data_len;
+		char	   *cbind_data = NULL;
+		size_t		cbind_data_len = 0;
 		size_t		cbind_header_len;
 		char	   *cbind_input;
 		size_t		cbind_input_len;
 
-		if (strcmp(state->channel_binding_type, SCRAM_CHANNEL_BINDING_TLS_UNIQUE) == 0)
+		if (strcmp(conn->scram_channel_binding, SCRAM_CHANNEL_BINDING_TLS_UNIQUE) == 0)
 		{
-			cbind_data = state->tls_finished_message;
-			cbind_data_len = state->tls_finished_len;
+			/* Fetch data from TLS finished message */
+#ifdef USE_SSL
+			cbind_data = pgtls_get_finished(state->conn, &cbind_data_len);
+			if (cbind_data == NULL)
+				goto oom_error;
+#endif
 		}
-		else if (strcmp(state->channel_binding_type,
+		else if (strcmp(conn->scram_channel_binding,
 						SCRAM_CHANNEL_BINDING_TLS_ENDPOINT) == 0)
 		{
-			cbind_data = state->certificate_hash;
-			cbind_data_len = state->certificate_hash_len;
+			/* Fetch hash data of server's SSL certificate */
+#ifdef USE_SSL
+			cbind_data =
+				pgtls_get_peer_certificate_hash(state->conn,
+												&cbind_data_len);
+			if (cbind_data == NULL)
+			{
+				/* error message is already set on error */
+				return NULL;
+			}
+#endif
 		}
 		else
 		{
 			/* should not happen */
 			termPQExpBuffer(&buf);
-			printfPQExpBuffer(errormessage,
+			printfPQExpBuffer(&conn->errorMessage,
 							  libpq_gettext("invalid channel binding type\n"));
 			return NULL;
 		}
@@ -485,37 +475,46 @@ build_client_final_message(fe_scram_state *state, PQExpBuffer errormessage)
 		/* should not happen */
 		if (cbind_data == NULL || cbind_data_len == 0)
 		{
+			if (cbind_data != NULL)
+				free(cbind_data);
 			termPQExpBuffer(&buf);
-			printfPQExpBuffer(errormessage,
+			printfPQExpBuffer(&conn->errorMessage,
 							  libpq_gettext("empty channel binding data for channel binding type \"%s\"\n"),
-							  state->channel_binding_type);
+							  conn->scram_channel_binding);
 			return NULL;
 		}
 
 		appendPQExpBuffer(&buf, "c=");
 
-		cbind_header_len = 4 + strlen(state->channel_binding_type); /* p=type,, */
+		/* p=type,, */
+		cbind_header_len = 4 + strlen(conn->scram_channel_binding);
 		cbind_input_len = cbind_header_len + cbind_data_len;
 		cbind_input = malloc(cbind_input_len);
 		if (!cbind_input)
+		{
+			free(cbind_data);
 			goto oom_error;
-		snprintf(cbind_input, cbind_input_len, "p=%s,,", state->channel_binding_type);
+		}
+		snprintf(cbind_input, cbind_input_len, "p=%s,,",
+				 conn->scram_channel_binding);
 		memcpy(cbind_input + cbind_header_len, cbind_data, cbind_data_len);
 
 		if (!enlargePQExpBuffer(&buf, pg_b64_enc_len(cbind_input_len)))
 		{
+			free(cbind_data);
 			free(cbind_input);
 			goto oom_error;
 		}
 		buf.len += pg_b64_encode(cbind_input, cbind_input_len, buf.data + buf.len);
 		buf.data[buf.len] = '\0';
 
+		free(cbind_data);
 		free(cbind_input);
 	}
-	else if (state->channel_binding_type == NULL ||
-			 strlen(state->channel_binding_type) == 0)
+	else if (conn->scram_channel_binding == NULL ||
+			 strlen(conn->scram_channel_binding) == 0)
 		appendPQExpBuffer(&buf, "c=biws");	/* base64 of "n,," */
-	else if (state->ssl_in_use)
+	else if (conn->ssl_in_use)
 		appendPQExpBuffer(&buf, "c=eSws");	/* base64 of "y,," */
 	else
 		appendPQExpBuffer(&buf, "c=biws");	/* base64 of "n,," */
@@ -553,7 +552,7 @@ build_client_final_message(fe_scram_state *state, PQExpBuffer errormessage)
 
 oom_error:
 	termPQExpBuffer(&buf);
-	printfPQExpBuffer(errormessage,
+	printfPQExpBuffer(&conn->errorMessage,
 					  libpq_gettext("out of memory\n"));
 	return NULL;
 }
@@ -562,9 +561,9 @@ oom_error:
  * Read the first exchange message coming from the server.
  */
 static bool
-read_server_first_message(fe_scram_state *state, char *input,
-						  PQExpBuffer errormessage)
+read_server_first_message(fe_scram_state *state, char *input)
 {
+	PGconn	   *conn = state->conn;
 	char	   *iterations_str;
 	char	   *endptr;
 	char	   *encoded_salt;
@@ -573,13 +572,14 @@ read_server_first_message(fe_scram_state *state, char *input,
 	state->server_first_message = strdup(input);
 	if (state->server_first_message == NULL)
 	{
-		printfPQExpBuffer(errormessage,
+		printfPQExpBuffer(&conn->errorMessage,
 						  libpq_gettext("out of memory\n"));
 		return false;
 	}
 
 	/* parse the message */
-	nonce = read_attr_value(&input, 'r', errormessage);
+	nonce = read_attr_value(&input, 'r',
+							&conn->errorMessage);
 	if (nonce == NULL)
 	{
 		/* read_attr_value() has generated an error string */
@@ -590,7 +590,7 @@ read_server_first_message(fe_scram_state *state, char *input,
 	if (strlen(nonce) < strlen(state->client_nonce) ||
 		memcmp(nonce, state->client_nonce, strlen(state->client_nonce)) != 0)
 	{
-		printfPQExpBuffer(errormessage,
+		printfPQExpBuffer(&conn->errorMessage,
 						  libpq_gettext("invalid SCRAM response (nonce mismatch)\n"));
 		return false;
 	}
@@ -598,12 +598,12 @@ read_server_first_message(fe_scram_state *state, char *input,
 	state->nonce = strdup(nonce);
 	if (state->nonce == NULL)
 	{
-		printfPQExpBuffer(errormessage,
+		printfPQExpBuffer(&conn->errorMessage,
 						  libpq_gettext("out of memory\n"));
 		return false;
 	}
 
-	encoded_salt = read_attr_value(&input, 's', errormessage);
+	encoded_salt = read_attr_value(&input, 's', &conn->errorMessage);
 	if (encoded_salt == NULL)
 	{
 		/* read_attr_value() has generated an error string */
@@ -612,7 +612,7 @@ read_server_first_message(fe_scram_state *state, char *input,
 	state->salt = malloc(pg_b64_dec_len(strlen(encoded_salt)));
 	if (state->salt == NULL)
 	{
-		printfPQExpBuffer(errormessage,
+		printfPQExpBuffer(&conn->errorMessage,
 						  libpq_gettext("out of memory\n"));
 		return false;
 	}
@@ -620,7 +620,7 @@ read_server_first_message(fe_scram_state *state, char *input,
 								   strlen(encoded_salt),
 								   state->salt);
 
-	iterations_str = read_attr_value(&input, 'i', errormessage);
+	iterations_str = read_attr_value(&input, 'i', &conn->errorMessage);
 	if (iterations_str == NULL)
 	{
 		/* read_attr_value() has generated an error string */
@@ -629,13 +629,13 @@ read_server_first_message(fe_scram_state *state, char *input,
 	state->iterations = strtol(iterations_str, &endptr, 10);
 	if (*endptr != '\0' || state->iterations < 1)
 	{
-		printfPQExpBuffer(errormessage,
+		printfPQExpBuffer(&conn->errorMessage,
 						  libpq_gettext("malformed SCRAM message (invalid iteration count)\n"));
 		return false;
 	}
 
 	if (*input != '\0')
-		printfPQExpBuffer(errormessage,
+		printfPQExpBuffer(&conn->errorMessage,
 						  libpq_gettext("malformed SCRAM message (garbage at end of server-first-message)\n"));
 
 	return true;
@@ -645,16 +645,16 @@ read_server_first_message(fe_scram_state *state, char *input,
  * Read the final exchange message coming from the server.
  */
 static bool
-read_server_final_message(fe_scram_state *state, char *input,
-						  PQExpBuffer errormessage)
+read_server_final_message(fe_scram_state *state, char *input)
 {
+	PGconn	   *conn = state->conn;
 	char	   *encoded_server_signature;
 	int			server_signature_len;
 
 	state->server_final_message = strdup(input);
 	if (!state->server_final_message)
 	{
-		printfPQExpBuffer(errormessage,
+		printfPQExpBuffer(&conn->errorMessage,
 						  libpq_gettext("out of memory\n"));
 		return false;
 	}
@@ -662,16 +662,18 @@ read_server_final_message(fe_scram_state *state, char *input,
 	/* Check for error result. */
 	if (*input == 'e')
 	{
-		char	   *errmsg = read_attr_value(&input, 'e', errormessage);
+		char	   *errmsg = read_attr_value(&input, 'e',
+											 &conn->errorMessage);
 
-		printfPQExpBuffer(errormessage,
+		printfPQExpBuffer(&conn->errorMessage,
 						  libpq_gettext("error received from server in SCRAM exchange: %s\n"),
 						  errmsg);
 		return false;
 	}
 
 	/* Parse the message. */
-	encoded_server_signature = read_attr_value(&input, 'v', errormessage);
+	encoded_server_signature = read_attr_value(&input, 'v',
+											   &conn->errorMessage);
 	if (encoded_server_signature == NULL)
 	{
 		/* read_attr_value() has generated an error message */
@@ -679,7 +681,7 @@ read_server_final_message(fe_scram_state *state, char *input,
 	}
 
 	if (*input != '\0')
-		printfPQExpBuffer(errormessage,
+		printfPQExpBuffer(&conn->errorMessage,
 						  libpq_gettext("malformed SCRAM message (garbage at end of server-final-message)\n"));
 
 	server_signature_len = pg_b64_decode(encoded_server_signature,
@@ -687,7 +689,7 @@ read_server_final_message(fe_scram_state *state, char *input,
 										 state->ServerSignature);
 	if (server_signature_len != SCRAM_KEY_LEN)
 	{
-		printfPQExpBuffer(errormessage,
+		printfPQExpBuffer(&conn->errorMessage,
 						  libpq_gettext("malformed SCRAM message (invalid server signature)\n"));
 		return false;
 	}
diff --git a/src/interfaces/libpq/fe-auth.c b/src/interfaces/libpq/fe-auth.c
index bb9b0573d1..9c3524e553 100644
--- a/src/interfaces/libpq/fe-auth.c
+++ b/src/interfaces/libpq/fe-auth.c
@@ -491,10 +491,6 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 	bool		success;
 	const char *selected_mechanism;
 	PQExpBufferData mechanism_buf;
-	char	   *tls_finished = NULL;
-	size_t		tls_finished_len = 0;
-	char	   *certificate_hash = NULL;
-	size_t		certificate_hash_len = 0;
 	char	   *password;
 
 	initPQExpBuffer(&mechanism_buf);
@@ -572,40 +568,15 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 		goto error;
 	}
 
-#ifdef USE_SSL
-
-	/*
-	 * Get data for channel binding.
-	 */
-	if (strcmp(selected_mechanism, SCRAM_SHA256_PLUS_NAME) == 0)
-	{
-		tls_finished = pgtls_get_finished(conn, &tls_finished_len);
-		if (tls_finished == NULL)
-			goto oom_error;
-
-		certificate_hash =
-			pgtls_get_peer_certificate_hash(conn,
-											&certificate_hash_len);
-		if (certificate_hash == NULL)
-			goto error;		/* error message is set */
-	}
-#endif
-
 	/*
 	 * Initialize the SASL state information with all the information gathered
 	 * during the initial exchange.
 	 *
 	 * Note: Only tls-unique is supported for the moment.
 	 */
-	conn->sasl_state = pg_fe_scram_init(conn->pguser,
+	conn->sasl_state = pg_fe_scram_init(conn,
 										password,
-										conn->ssl_in_use,
-										selected_mechanism,
-										conn->scram_channel_binding,
-										tls_finished,
-										tls_finished_len,
-										certificate_hash,
-										certificate_hash_len);
+										selected_mechanism);
 	if (!conn->sasl_state)
 		goto oom_error;
 
@@ -613,7 +584,7 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 	pg_fe_scram_exchange(conn->sasl_state,
 						 NULL, -1,
 						 &initialresponse, &initialresponselen,
-						 &done, &success, &conn->errorMessage);
+						 &done, &success);
 
 	if (done && !success)
 		goto error;
@@ -694,7 +665,7 @@ pg_SASL_continue(PGconn *conn, int payloadlen, bool final)
 	pg_fe_scram_exchange(conn->sasl_state,
 						 challenge, payloadlen,
 						 &output, &outputlen,
-						 &done, &success, &conn->errorMessage);
+						 &done, &success);
 	free(challenge);			/* don't need the input anymore */
 
 	if (final && !done)
diff --git a/src/interfaces/libpq/fe-auth.h b/src/interfaces/libpq/fe-auth.h
index 68de8b6e32..1265d0d2f7 100644
--- a/src/interfaces/libpq/fe-auth.h
+++ b/src/interfaces/libpq/fe-auth.h
@@ -23,19 +23,13 @@ extern int	pg_fe_sendauth(AuthRequest areq, int payloadlen, PGconn *conn);
 extern char *pg_fe_getauthname(PQExpBuffer errorMessage);
 
 /* Prototypes for functions in fe-auth-scram.c */
-extern void *pg_fe_scram_init(const char *username,
+extern void *pg_fe_scram_init(PGconn *conn,
 				 const char *password,
-				 bool ssl_in_use,
-				 const char *sasl_mechanism,
-				 const char *channel_binding_type,
-				 char *tls_finished_message,
-				 size_t tls_finished_len,
-				 char *certificate_hash,
-				 size_t certificate_hash_len);
+				 const char *sasl_mechanism);
 extern void pg_fe_scram_free(void *opaq);
 extern void pg_fe_scram_exchange(void *opaq, char *input, int inputlen,
 					 char **output, int *outputlen,
-					 bool *done, bool *success, PQExpBuffer errorMessage);
+					 bool *done, bool *success);
 extern char *pg_fe_scram_build_verifier(const char *password);
 
 #endif							/* FE_AUTH_H */
-- 
2.15.1

From 551f9a037d6e38036998337f703758b41d2e1c72 Mon Sep 17 00:00:00 2001
From: Michael Paquier <michael@paquier.xyz>
Date: Fri, 22 Dec 2017 17:04:19 +0900
Subject: [PATCH 1/2] Refactor channel binding code to fetch cbind_data only
 when necessary

As things stand now, channel binding data is fetched from OpenSSL and
saved into the SASL exchange context for any SSL connection attempted
for a SCRAM authentication, resulting in data fetched but not used if no
channel binding is used or if a different channel binding type is used
than what the data is here for.

Refactor the code in such a way that binding data is only fetched from
the SSL stack only when a specific channel binding is used for both the
frontend and the backend. In order to achieve that, save the libpq
connection context directly in the SCRAM exchange state, and add a
dependency to SSL in the low-level SCRAM routines.

This makes the interface in charge of initializing the SCRAM context
cleaner as all its data comes from either PGconn* (for frontend) or
Port* (for the backend).
---
 src/backend/libpq/auth-scram.c       |  34 +++-----
 src/backend/libpq/auth.c             |  19 +----
 src/include/libpq/scram.h            |   6 +-
 src/interfaces/libpq/fe-auth-scram.c | 159 +++++++++++++++++------------------
 src/interfaces/libpq/fe-auth.c       |  27 +-----
 src/interfaces/libpq/fe-auth.h       |  10 +--
 6 files changed, 104 insertions(+), 151 deletions(-)

diff --git a/src/backend/libpq/auth-scram.c b/src/backend/libpq/auth-scram.c
index d52a763457..72973d3789 100644
--- a/src/backend/libpq/auth-scram.c
+++ b/src/backend/libpq/auth-scram.c
@@ -110,10 +110,8 @@ typedef struct
 
 	const char *username;		/* username from startup packet */
 
+	Port	   *port;
 	char		cbind_flag;
-	bool		ssl_in_use;
-	const char *tls_finished_message;
-	size_t		tls_finished_len;
 	char	   *channel_binding_type;
 
 	int			iterations;
@@ -172,21 +170,15 @@ static char *scram_mock_salt(const char *username);
  * it will fail, as if an incorrect password was given.
  */
 void *
-pg_be_scram_init(const char *username,
-				 const char *shadow_pass,
-				 bool ssl_in_use,
-				 const char *tls_finished_message,
-				 size_t tls_finished_len)
+pg_be_scram_init(Port *port,
+				 const char *shadow_pass)
 {
 	scram_state *state;
 	bool		got_verifier;
 
 	state = (scram_state *) palloc0(sizeof(scram_state));
+	state->port = port;
 	state->state = SCRAM_AUTH_INIT;
-	state->username = username;
-	state->ssl_in_use = ssl_in_use;
-	state->tls_finished_message = tls_finished_message;
-	state->tls_finished_len = tls_finished_len;
 	state->channel_binding_type = NULL;
 
 	/*
@@ -209,7 +201,7 @@ pg_be_scram_init(const char *username,
 				 */
 				ereport(LOG,
 						(errmsg("invalid SCRAM verifier for user \"%s\"",
-								username)));
+								state->port->user_name)));
 				got_verifier = false;
 			}
 		}
@@ -220,7 +212,7 @@ pg_be_scram_init(const char *username,
 			 * authentication with an MD5 hash.)
 			 */
 			state->logdetail = psprintf(_("User \"%s\" does not have a valid SCRAM verifier."),
-										state->username);
+										state->port->user_name);
 			got_verifier = false;
 		}
 	}
@@ -242,8 +234,8 @@ pg_be_scram_init(const char *username,
 	 */
 	if (!got_verifier)
 	{
-		mock_scram_verifier(username, &state->iterations, &state->salt,
-							state->StoredKey, state->ServerKey);
+		mock_scram_verifier(state->port->user_name, &state->iterations,
+							&state->salt, state->StoredKey, state->ServerKey);
 		state->doomed = true;
 	}
 
@@ -815,7 +807,7 @@ read_client_first_message(scram_state *state, char *input)
 			 * it supports channel binding, which in this implementation is
 			 * the case if a connection is using SSL.
 			 */
-			if (state->ssl_in_use)
+			if (state->port->ssl_in_use)
 				ereport(ERROR,
 						(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
 						 errmsg("SCRAM channel binding negotiation error"),
@@ -839,7 +831,7 @@ read_client_first_message(scram_state *state, char *input)
 			{
 				char	   *channel_binding_type;
 
-				if (!state->ssl_in_use)
+				if (!state->port->ssl_in_use)
 				{
 					/*
 					 * Without SSL, we don't support channel binding.
@@ -1120,8 +1112,10 @@ read_client_final_message(scram_state *state, char *input)
 		 */
 		if (strcmp(state->channel_binding_type, SCRAM_CHANNEL_BINDING_TLS_UNIQUE) == 0)
 		{
-			cbind_data = state->tls_finished_message;
-			cbind_data_len = state->tls_finished_len;
+			/* Fetch data from TLS finished message */
+#ifdef USE_SSL
+			cbind_data = be_tls_get_peer_finished(state->port, &cbind_data_len);
+#endif
 		}
 		else
 		{
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index b7f9bb1669..bd91e1cd18 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -873,8 +873,6 @@ CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail)
 	int			inputlen;
 	int			result;
 	bool		initial;
-	char	   *tls_finished = NULL;
-	size_t		tls_finished_len = 0;
 
 	/*
 	 * SASL auth is not supported for protocol versions before 3, because it
@@ -915,17 +913,6 @@ CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail)
 	sendAuthRequest(port, AUTH_REQ_SASL, sasl_mechs, p - sasl_mechs + 1);
 	pfree(sasl_mechs);
 
-#ifdef USE_SSL
-
-	/*
-	 * Get data for channel binding.
-	 */
-	if (port->ssl_in_use)
-	{
-		tls_finished = be_tls_get_peer_finished(port, &tls_finished_len);
-	}
-#endif
-
 	/*
 	 * Initialize the status tracker for message exchanges.
 	 *
@@ -937,11 +924,7 @@ CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail)
 	 * This is because we don't want to reveal to an attacker what usernames
 	 * are valid, nor which users have a valid password.
 	 */
-	scram_opaq = pg_be_scram_init(port->user_name,
-								  shadow_pass,
-								  port->ssl_in_use,
-								  tls_finished,
-								  tls_finished_len);
+	scram_opaq = pg_be_scram_init(port, shadow_pass);
 
 	/*
 	 * Loop through SASL message exchange.  This exchange can consist of
diff --git a/src/include/libpq/scram.h b/src/include/libpq/scram.h
index 2c245813d6..f404f57253 100644
--- a/src/include/libpq/scram.h
+++ b/src/include/libpq/scram.h
@@ -13,15 +13,15 @@
 #ifndef PG_SCRAM_H
 #define PG_SCRAM_H
 
+#include "libpq/libpq-be.h"
+
 /* Status codes for message exchange */
 #define SASL_EXCHANGE_CONTINUE		0
 #define SASL_EXCHANGE_SUCCESS		1
 #define SASL_EXCHANGE_FAILURE		2
 
 /* Routines dedicated to authentication */
-extern void *pg_be_scram_init(const char *username, const char *shadow_pass,
-				 bool ssl_in_use, const char *tls_finished_message,
-				 size_t tls_finished_len);
+extern void *pg_be_scram_init(Port *port, const char *shadow_pass);
 extern int pg_be_scram_exchange(void *opaq, char *input, int inputlen,
 					 char **output, int *outputlen, char **logdetail);
 
diff --git a/src/interfaces/libpq/fe-auth-scram.c b/src/interfaces/libpq/fe-auth-scram.c
index b8f7a6b5be..e8fc33c72f 100644
--- a/src/interfaces/libpq/fe-auth-scram.c
+++ b/src/interfaces/libpq/fe-auth-scram.c
@@ -42,13 +42,9 @@ typedef struct
 	fe_scram_state_enum state;
 
 	/* These are supplied by the user */
-	const char *username;
+	PGconn	   *conn;
 	char	   *password;
-	bool		ssl_in_use;
-	char	   *tls_finished_message;
-	size_t		tls_finished_len;
 	char	   *sasl_mechanism;
-	const char *channel_binding_type;
 
 	/* We construct these */
 	uint8		SaltedPassword[SCRAM_KEY_LEN];
@@ -68,14 +64,10 @@ typedef struct
 	char		ServerSignature[SCRAM_KEY_LEN];
 } fe_scram_state;
 
-static bool read_server_first_message(fe_scram_state *state, char *input,
-						  PQExpBuffer errormessage);
-static bool read_server_final_message(fe_scram_state *state, char *input,
-						  PQExpBuffer errormessage);
-static char *build_client_first_message(fe_scram_state *state,
-						   PQExpBuffer errormessage);
-static char *build_client_final_message(fe_scram_state *state,
-						   PQExpBuffer errormessage);
+static bool read_server_first_message(fe_scram_state *state, char *input);
+static bool read_server_final_message(fe_scram_state *state, char *input);
+static char *build_client_first_message(fe_scram_state *state);
+static char *build_client_final_message(fe_scram_state *state);
 static bool verify_server_signature(fe_scram_state *state);
 static void calculate_client_proof(fe_scram_state *state,
 					   const char *client_final_message_without_proof,
@@ -89,13 +81,9 @@ static bool pg_frontend_random(char *dst, int len);
  * freed by pg_fe_scram_free().
  */
 void *
-pg_fe_scram_init(const char *username,
+pg_fe_scram_init(PGconn *conn,
 				 const char *password,
-				 bool ssl_in_use,
-				 const char *sasl_mechanism,
-				 const char *channel_binding_type,
-				 char *tls_finished_message,
-				 size_t tls_finished_len)
+				 const char *sasl_mechanism)
 {
 	fe_scram_state *state;
 	char	   *prep_password;
@@ -107,13 +95,9 @@ pg_fe_scram_init(const char *username,
 	if (!state)
 		return NULL;
 	memset(state, 0, sizeof(fe_scram_state));
+	state->conn = conn;
 	state->state = FE_SCRAM_INIT;
-	state->username = username;
-	state->ssl_in_use = ssl_in_use;
-	state->tls_finished_message = tls_finished_message;
-	state->tls_finished_len = tls_finished_len;
 	state->sasl_mechanism = strdup(sasl_mechanism);
-	state->channel_binding_type = channel_binding_type;
 
 	if (!state->sasl_mechanism)
 	{
@@ -154,10 +138,6 @@ pg_fe_scram_free(void *opaq)
 
 	if (state->password)
 		free(state->password);
-	if (state->tls_finished_message)
-		free(state->tls_finished_message);
-	if (state->sasl_mechanism)
-		free(state->sasl_mechanism);
 
 	/* client messages */
 	if (state->client_nonce)
@@ -188,9 +168,10 @@ pg_fe_scram_free(void *opaq)
 void
 pg_fe_scram_exchange(void *opaq, char *input, int inputlen,
 					 char **output, int *outputlen,
-					 bool *done, bool *success, PQExpBuffer errorMessage)
+					 bool *done, bool *success)
 {
 	fe_scram_state *state = (fe_scram_state *) opaq;
+	PGconn	   *conn = state->conn;
 
 	*done = false;
 	*success = false;
@@ -205,13 +186,13 @@ pg_fe_scram_exchange(void *opaq, char *input, int inputlen,
 	{
 		if (inputlen == 0)
 		{
-			printfPQExpBuffer(errorMessage,
+			printfPQExpBuffer(&conn->errorMessage,
 							  libpq_gettext("malformed SCRAM message (empty message)\n"));
 			goto error;
 		}
 		if (inputlen != strlen(input))
 		{
-			printfPQExpBuffer(errorMessage,
+			printfPQExpBuffer(&conn->errorMessage,
 							  libpq_gettext("malformed SCRAM message (length mismatch)\n"));
 			goto error;
 		}
@@ -221,7 +202,7 @@ pg_fe_scram_exchange(void *opaq, char *input, int inputlen,
 	{
 		case FE_SCRAM_INIT:
 			/* Begin the SCRAM handshake, by sending client nonce */
-			*output = build_client_first_message(state, errorMessage);
+			*output = build_client_first_message(state);
 			if (*output == NULL)
 				goto error;
 
@@ -232,10 +213,10 @@ pg_fe_scram_exchange(void *opaq, char *input, int inputlen,
 
 		case FE_SCRAM_NONCE_SENT:
 			/* Receive salt and server nonce, send response. */
-			if (!read_server_first_message(state, input, errorMessage))
+			if (!read_server_first_message(state, input))
 				goto error;
 
-			*output = build_client_final_message(state, errorMessage);
+			*output = build_client_final_message(state);
 			if (*output == NULL)
 				goto error;
 
@@ -246,7 +227,7 @@ pg_fe_scram_exchange(void *opaq, char *input, int inputlen,
 
 		case FE_SCRAM_PROOF_SENT:
 			/* Receive server signature */
-			if (!read_server_final_message(state, input, errorMessage))
+			if (!read_server_final_message(state, input))
 				goto error;
 
 			/*
@@ -260,7 +241,7 @@ pg_fe_scram_exchange(void *opaq, char *input, int inputlen,
 			else
 			{
 				*success = false;
-				printfPQExpBuffer(errorMessage,
+				printfPQExpBuffer(&conn->errorMessage,
 								  libpq_gettext("incorrect server signature\n"));
 			}
 			*done = true;
@@ -269,7 +250,7 @@ pg_fe_scram_exchange(void *opaq, char *input, int inputlen,
 
 		default:
 			/* shouldn't happen */
-			printfPQExpBuffer(errorMessage,
+			printfPQExpBuffer(&conn->errorMessage,
 							  libpq_gettext("invalid SCRAM exchange state\n"));
 			goto error;
 	}
@@ -327,8 +308,9 @@ read_attr_value(char **input, char attr, PQExpBuffer errorMessage)
  * Build the first exchange message sent by the client.
  */
 static char *
-build_client_first_message(fe_scram_state *state, PQExpBuffer errormessage)
+build_client_first_message(fe_scram_state *state)
 {
+	PGconn	   *conn = state->conn;
 	char		raw_nonce[SCRAM_RAW_NONCE_LEN + 1];
 	char	   *result;
 	int			channel_info_len;
@@ -341,7 +323,7 @@ build_client_first_message(fe_scram_state *state, PQExpBuffer errormessage)
 	 */
 	if (!pg_frontend_random(raw_nonce, SCRAM_RAW_NONCE_LEN))
 	{
-		printfPQExpBuffer(errormessage,
+		printfPQExpBuffer(&conn->errorMessage,
 						  libpq_gettext("could not generate nonce\n"));
 		return NULL;
 	}
@@ -349,7 +331,7 @@ build_client_first_message(fe_scram_state *state, PQExpBuffer errormessage)
 	state->client_nonce = malloc(pg_b64_enc_len(SCRAM_RAW_NONCE_LEN) + 1);
 	if (state->client_nonce == NULL)
 	{
-		printfPQExpBuffer(errormessage,
+		printfPQExpBuffer(&conn->errorMessage,
 						  libpq_gettext("out of memory\n"));
 		return NULL;
 	}
@@ -370,11 +352,11 @@ build_client_first_message(fe_scram_state *state, PQExpBuffer errormessage)
 	 */
 	if (strcmp(state->sasl_mechanism, SCRAM_SHA256_PLUS_NAME) == 0)
 	{
-		Assert(state->ssl_in_use);
-		appendPQExpBuffer(&buf, "p=%s", state->channel_binding_type);
+		Assert(conn->ssl_in_use);
+		appendPQExpBuffer(&buf, "p=%s", conn->scram_channel_binding);
 	}
-	else if (state->channel_binding_type == NULL ||
-			 strlen(state->channel_binding_type) == 0)
+	else if (conn->scram_channel_binding == NULL ||
+			 strlen(conn->scram_channel_binding) == 0)
 	{
 		/*
 		 * Client has chosen to not show to server that it supports channel
@@ -382,7 +364,7 @@ build_client_first_message(fe_scram_state *state, PQExpBuffer errormessage)
 		 */
 		appendPQExpBuffer(&buf, "n");
 	}
-	else if (state->ssl_in_use)
+	else if (conn->ssl_in_use)
 	{
 		/*
 		 * Client supports channel binding, but thinks the server does not.
@@ -423,7 +405,7 @@ build_client_first_message(fe_scram_state *state, PQExpBuffer errormessage)
 
 oom_error:
 	termPQExpBuffer(&buf);
-	printfPQExpBuffer(errormessage,
+	printfPQExpBuffer(&conn->errorMessage,
 					  libpq_gettext("out of memory\n"));
 	return NULL;
 }
@@ -432,9 +414,10 @@ oom_error:
  * Build the final exchange message sent from the client.
  */
 static char *
-build_client_final_message(fe_scram_state *state, PQExpBuffer errormessage)
+build_client_final_message(fe_scram_state *state)
 {
 	PQExpBufferData buf;
+	PGconn	   *conn = state->conn;
 	uint8		client_proof[SCRAM_KEY_LEN];
 	char	   *result;
 
@@ -450,22 +433,26 @@ build_client_final_message(fe_scram_state *state, PQExpBuffer errormessage)
 	 */
 	if (strcmp(state->sasl_mechanism, SCRAM_SHA256_PLUS_NAME) == 0)
 	{
-		char	   *cbind_data;
-		size_t		cbind_data_len;
+		char	   *cbind_data = NULL;
+		size_t		cbind_data_len = 0;
 		size_t		cbind_header_len;
 		char	   *cbind_input;
 		size_t		cbind_input_len;
 
-		if (strcmp(state->channel_binding_type, SCRAM_CHANNEL_BINDING_TLS_UNIQUE) == 0)
+		if (strcmp(conn->scram_channel_binding, SCRAM_CHANNEL_BINDING_TLS_UNIQUE) == 0)
 		{
-			cbind_data = state->tls_finished_message;
-			cbind_data_len = state->tls_finished_len;
+			/* Fetch data from TLS finished message */
+#ifdef USE_SSL
+			cbind_data = pgtls_get_finished(state->conn, &cbind_data_len);
+			if (cbind_data == NULL)
+				goto oom_error;
+#endif
 		}
 		else
 		{
 			/* should not happen */
 			termPQExpBuffer(&buf);
-			printfPQExpBuffer(errormessage,
+			printfPQExpBuffer(&conn->errorMessage,
 							  libpq_gettext("invalid channel binding type\n"));
 			return NULL;
 		}
@@ -473,37 +460,46 @@ build_client_final_message(fe_scram_state *state, PQExpBuffer errormessage)
 		/* should not happen */
 		if (cbind_data == NULL || cbind_data_len == 0)
 		{
+			if (cbind_data != NULL)
+				free(cbind_data);
 			termPQExpBuffer(&buf);
-			printfPQExpBuffer(errormessage,
+			printfPQExpBuffer(&conn->errorMessage,
 							  libpq_gettext("empty channel binding data for channel binding type \"%s\"\n"),
-							  state->channel_binding_type);
+							  conn->scram_channel_binding);
 			return NULL;
 		}
 
 		appendPQExpBuffer(&buf, "c=");
 
-		cbind_header_len = 4 + strlen(state->channel_binding_type); /* p=type,, */
+		/* p=type,, */
+		cbind_header_len = 4 + strlen(conn->scram_channel_binding);
 		cbind_input_len = cbind_header_len + cbind_data_len;
 		cbind_input = malloc(cbind_input_len);
 		if (!cbind_input)
+		{
+			free(cbind_data);
 			goto oom_error;
-		snprintf(cbind_input, cbind_input_len, "p=%s,,", state->channel_binding_type);
+		}
+		snprintf(cbind_input, cbind_input_len, "p=%s,,",
+				 conn->scram_channel_binding);
 		memcpy(cbind_input + cbind_header_len, cbind_data, cbind_data_len);
 
 		if (!enlargePQExpBuffer(&buf, pg_b64_enc_len(cbind_input_len)))
 		{
+			free(cbind_data);
 			free(cbind_input);
 			goto oom_error;
 		}
 		buf.len += pg_b64_encode(cbind_input, cbind_input_len, buf.data + buf.len);
 		buf.data[buf.len] = '\0';
 
+		free(cbind_data);
 		free(cbind_input);
 	}
-	else if (state->channel_binding_type == NULL ||
-			 strlen(state->channel_binding_type) == 0)
+	else if (conn->scram_channel_binding == NULL ||
+			 strlen(conn->scram_channel_binding) == 0)
 		appendPQExpBuffer(&buf, "c=biws");	/* base64 of "n,," */
-	else if (state->ssl_in_use)
+	else if (conn->ssl_in_use)
 		appendPQExpBuffer(&buf, "c=eSws");	/* base64 of "y,," */
 	else
 		appendPQExpBuffer(&buf, "c=biws");	/* base64 of "n,," */
@@ -541,7 +537,7 @@ build_client_final_message(fe_scram_state *state, PQExpBuffer errormessage)
 
 oom_error:
 	termPQExpBuffer(&buf);
-	printfPQExpBuffer(errormessage,
+	printfPQExpBuffer(&conn->errorMessage,
 					  libpq_gettext("out of memory\n"));
 	return NULL;
 }
@@ -550,9 +546,9 @@ oom_error:
  * Read the first exchange message coming from the server.
  */
 static bool
-read_server_first_message(fe_scram_state *state, char *input,
-						  PQExpBuffer errormessage)
+read_server_first_message(fe_scram_state *state, char *input)
 {
+	PGconn	   *conn = state->conn;
 	char	   *iterations_str;
 	char	   *endptr;
 	char	   *encoded_salt;
@@ -561,13 +557,14 @@ read_server_first_message(fe_scram_state *state, char *input,
 	state->server_first_message = strdup(input);
 	if (state->server_first_message == NULL)
 	{
-		printfPQExpBuffer(errormessage,
+		printfPQExpBuffer(&conn->errorMessage,
 						  libpq_gettext("out of memory\n"));
 		return false;
 	}
 
 	/* parse the message */
-	nonce = read_attr_value(&input, 'r', errormessage);
+	nonce = read_attr_value(&input, 'r',
+							&conn->errorMessage);
 	if (nonce == NULL)
 	{
 		/* read_attr_value() has generated an error string */
@@ -578,7 +575,7 @@ read_server_first_message(fe_scram_state *state, char *input,
 	if (strlen(nonce) < strlen(state->client_nonce) ||
 		memcmp(nonce, state->client_nonce, strlen(state->client_nonce)) != 0)
 	{
-		printfPQExpBuffer(errormessage,
+		printfPQExpBuffer(&conn->errorMessage,
 						  libpq_gettext("invalid SCRAM response (nonce mismatch)\n"));
 		return false;
 	}
@@ -586,12 +583,12 @@ read_server_first_message(fe_scram_state *state, char *input,
 	state->nonce = strdup(nonce);
 	if (state->nonce == NULL)
 	{
-		printfPQExpBuffer(errormessage,
+		printfPQExpBuffer(&conn->errorMessage,
 						  libpq_gettext("out of memory\n"));
 		return false;
 	}
 
-	encoded_salt = read_attr_value(&input, 's', errormessage);
+	encoded_salt = read_attr_value(&input, 's', &conn->errorMessage);
 	if (encoded_salt == NULL)
 	{
 		/* read_attr_value() has generated an error string */
@@ -600,7 +597,7 @@ read_server_first_message(fe_scram_state *state, char *input,
 	state->salt = malloc(pg_b64_dec_len(strlen(encoded_salt)));
 	if (state->salt == NULL)
 	{
-		printfPQExpBuffer(errormessage,
+		printfPQExpBuffer(&conn->errorMessage,
 						  libpq_gettext("out of memory\n"));
 		return false;
 	}
@@ -608,7 +605,7 @@ read_server_first_message(fe_scram_state *state, char *input,
 								   strlen(encoded_salt),
 								   state->salt);
 
-	iterations_str = read_attr_value(&input, 'i', errormessage);
+	iterations_str = read_attr_value(&input, 'i', &conn->errorMessage);
 	if (iterations_str == NULL)
 	{
 		/* read_attr_value() has generated an error string */
@@ -617,13 +614,13 @@ read_server_first_message(fe_scram_state *state, char *input,
 	state->iterations = strtol(iterations_str, &endptr, 10);
 	if (*endptr != '\0' || state->iterations < 1)
 	{
-		printfPQExpBuffer(errormessage,
+		printfPQExpBuffer(&conn->errorMessage,
 						  libpq_gettext("malformed SCRAM message (invalid iteration count)\n"));
 		return false;
 	}
 
 	if (*input != '\0')
-		printfPQExpBuffer(errormessage,
+		printfPQExpBuffer(&conn->errorMessage,
 						  libpq_gettext("malformed SCRAM message (garbage at end of server-first-message)\n"));
 
 	return true;
@@ -633,16 +630,16 @@ read_server_first_message(fe_scram_state *state, char *input,
  * Read the final exchange message coming from the server.
  */
 static bool
-read_server_final_message(fe_scram_state *state, char *input,
-						  PQExpBuffer errormessage)
+read_server_final_message(fe_scram_state *state, char *input)
 {
+	PGconn	   *conn = state->conn;
 	char	   *encoded_server_signature;
 	int			server_signature_len;
 
 	state->server_final_message = strdup(input);
 	if (!state->server_final_message)
 	{
-		printfPQExpBuffer(errormessage,
+		printfPQExpBuffer(&conn->errorMessage,
 						  libpq_gettext("out of memory\n"));
 		return false;
 	}
@@ -650,16 +647,18 @@ read_server_final_message(fe_scram_state *state, char *input,
 	/* Check for error result. */
 	if (*input == 'e')
 	{
-		char	   *errmsg = read_attr_value(&input, 'e', errormessage);
+		char	   *errmsg = read_attr_value(&input, 'e',
+											 &conn->errorMessage);
 
-		printfPQExpBuffer(errormessage,
+		printfPQExpBuffer(&conn->errorMessage,
 						  libpq_gettext("error received from server in SCRAM exchange: %s\n"),
 						  errmsg);
 		return false;
 	}
 
 	/* Parse the message. */
-	encoded_server_signature = read_attr_value(&input, 'v', errormessage);
+	encoded_server_signature = read_attr_value(&input, 'v',
+											   &conn->errorMessage);
 	if (encoded_server_signature == NULL)
 	{
 		/* read_attr_value() has generated an error message */
@@ -667,7 +666,7 @@ read_server_final_message(fe_scram_state *state, char *input,
 	}
 
 	if (*input != '\0')
-		printfPQExpBuffer(errormessage,
+		printfPQExpBuffer(&conn->errorMessage,
 						  libpq_gettext("malformed SCRAM message (garbage at end of server-final-message)\n"));
 
 	server_signature_len = pg_b64_decode(encoded_server_signature,
@@ -675,7 +674,7 @@ read_server_final_message(fe_scram_state *state, char *input,
 										 state->ServerSignature);
 	if (server_signature_len != SCRAM_KEY_LEN)
 	{
-		printfPQExpBuffer(errormessage,
+		printfPQExpBuffer(&conn->errorMessage,
 						  libpq_gettext("malformed SCRAM message (invalid server signature)\n"));
 		return false;
 	}
diff --git a/src/interfaces/libpq/fe-auth.c b/src/interfaces/libpq/fe-auth.c
index 3340a9ad93..9c3524e553 100644
--- a/src/interfaces/libpq/fe-auth.c
+++ b/src/interfaces/libpq/fe-auth.c
@@ -491,8 +491,6 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 	bool		success;
 	const char *selected_mechanism;
 	PQExpBufferData mechanism_buf;
-	char	   *tls_finished = NULL;
-	size_t		tls_finished_len = 0;
 	char	   *password;
 
 	initPQExpBuffer(&mechanism_buf);
@@ -570,32 +568,15 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 		goto error;
 	}
 
-#ifdef USE_SSL
-
-	/*
-	 * Get data for channel binding.
-	 */
-	if (strcmp(selected_mechanism, SCRAM_SHA256_PLUS_NAME) == 0)
-	{
-		tls_finished = pgtls_get_finished(conn, &tls_finished_len);
-		if (tls_finished == NULL)
-			goto oom_error;
-	}
-#endif
-
 	/*
 	 * Initialize the SASL state information with all the information gathered
 	 * during the initial exchange.
 	 *
 	 * Note: Only tls-unique is supported for the moment.
 	 */
-	conn->sasl_state = pg_fe_scram_init(conn->pguser,
+	conn->sasl_state = pg_fe_scram_init(conn,
 										password,
-										conn->ssl_in_use,
-										selected_mechanism,
-										conn->scram_channel_binding,
-										tls_finished,
-										tls_finished_len);
+										selected_mechanism);
 	if (!conn->sasl_state)
 		goto oom_error;
 
@@ -603,7 +584,7 @@ pg_SASL_init(PGconn *conn, int payloadlen)
 	pg_fe_scram_exchange(conn->sasl_state,
 						 NULL, -1,
 						 &initialresponse, &initialresponselen,
-						 &done, &success, &conn->errorMessage);
+						 &done, &success);
 
 	if (done && !success)
 		goto error;
@@ -684,7 +665,7 @@ pg_SASL_continue(PGconn *conn, int payloadlen, bool final)
 	pg_fe_scram_exchange(conn->sasl_state,
 						 challenge, payloadlen,
 						 &output, &outputlen,
-						 &done, &success, &conn->errorMessage);
+						 &done, &success);
 	free(challenge);			/* don't need the input anymore */
 
 	if (final && !done)
diff --git a/src/interfaces/libpq/fe-auth.h b/src/interfaces/libpq/fe-auth.h
index db319ac071..1265d0d2f7 100644
--- a/src/interfaces/libpq/fe-auth.h
+++ b/src/interfaces/libpq/fe-auth.h
@@ -23,17 +23,13 @@ extern int	pg_fe_sendauth(AuthRequest areq, int payloadlen, PGconn *conn);
 extern char *pg_fe_getauthname(PQExpBuffer errorMessage);
 
 /* Prototypes for functions in fe-auth-scram.c */
-extern void *pg_fe_scram_init(const char *username,
+extern void *pg_fe_scram_init(PGconn *conn,
 				 const char *password,
-				 bool ssl_in_use,
-				 const char *sasl_mechanism,
-				 const char *channel_binding_type,
-				 char *tls_finished_message,
-				 size_t tls_finished_len);
+				 const char *sasl_mechanism);
 extern void pg_fe_scram_free(void *opaq);
 extern void pg_fe_scram_exchange(void *opaq, char *input, int inputlen,
 					 char **output, int *outputlen,
-					 bool *done, bool *success, PQExpBuffer errorMessage);
+					 bool *done, bool *success);
 extern char *pg_fe_scram_build_verifier(const char *password);
 
 #endif							/* FE_AUTH_H */
-- 
2.15.1

From db3c278177ded3a37431585bc85f60f646b976a8 Mon Sep 17 00:00:00 2001
From: Michael Paquier <michael@paquier.xyz>
Date: Thu, 28 Dec 2017 16:12:54 +0900
Subject: [PATCH 2/2] Implement channel binding tls-server-end-point for SCRAM

As referenced in RFC 5929, this channel binding is not the default value
and uses a hash of the certificate as binding data. On the frontend,
this
can be resumed in getting the data from SSL_get_peer_certificate() and
on the backend SSL_get_certificate().

The hashing algorithm needs also to switch to SHA-256 if the signature
algorithm is MD5 or SHA-1, so let's be careful about that.
---
 doc/src/sgml/protocol.sgml               |  5 +-
 src/backend/libpq/auth-scram.c           | 21 +++++++--
 src/backend/libpq/be-secure-openssl.c    | 61 +++++++++++++++++++++++++
 src/include/common/scram-common.h        |  1 +
 src/include/libpq/libpq-be.h             |  1 +
 src/interfaces/libpq/fe-auth-scram.c     | 15 ++++++
 src/interfaces/libpq/fe-secure-openssl.c | 78 ++++++++++++++++++++++++++++++++
 src/interfaces/libpq/libpq-int.h         |  1 +
 src/test/ssl/t/002_scram.pl              |  5 +-
 9 files changed, 180 insertions(+), 8 deletions(-)

diff --git a/doc/src/sgml/protocol.sgml b/doc/src/sgml/protocol.sgml
index 8174e3defa..365f72b51d 100644
--- a/doc/src/sgml/protocol.sgml
+++ b/doc/src/sgml/protocol.sgml
@@ -1576,8 +1576,9 @@ the password is in.
   <para>
 <firstterm>Channel binding</firstterm> is supported in PostgreSQL builds with
 SSL support. The SASL mechanism name for SCRAM with channel binding
-is <literal>SCRAM-SHA-256-PLUS</literal>.  The only channel binding type
-supported at the moment is <literal>tls-unique</literal>, defined in RFC 5929.
+is <literal>SCRAM-SHA-256-PLUS</literal>.  Two channel binding types are
+supported at the moment: <literal>tls-unique</literal>, which is the default,
+and <literal>tls-server-end-point</literal>, both defined in RFC 5929.
   </para>
 
 <procedure>
diff --git a/src/backend/libpq/auth-scram.c b/src/backend/libpq/auth-scram.c
index 72973d3789..0a50f815ab 100644
--- a/src/backend/libpq/auth-scram.c
+++ b/src/backend/libpq/auth-scram.c
@@ -849,13 +849,15 @@ read_client_first_message(scram_state *state, char *input)
 				}
 
 				/*
-				 * Read value provided by client; only tls-unique is supported
-				 * for now.  (It is not safe to print the name of an
-				 * unsupported binding type in the error message.  Pranksters
-				 * could print arbitrary strings into the log that way.)
+				 * Read value provided by client; only tls-unique and
+				 * tls-server-end-point are supported for now.  (It is
+				 * not safe to print the name of an unsupported binding
+				 * type in the error message.  Pranksters could print
+				 * arbitrary strings into the log that way.)
 				 */
 				channel_binding_type = read_attr_value(&input, 'p');
-				if (strcmp(channel_binding_type, SCRAM_CHANNEL_BINDING_TLS_UNIQUE) != 0)
+				if (strcmp(channel_binding_type, SCRAM_CHANNEL_BINDING_TLS_UNIQUE) != 0 &&
+					strcmp(channel_binding_type, SCRAM_CHANNEL_BINDING_TLS_ENDPOINT) != 0)
 					ereport(ERROR,
 							(errcode(ERRCODE_PROTOCOL_VIOLATION),
 							 (errmsg("unsupported SCRAM channel-binding type"))));
@@ -1115,6 +1117,15 @@ read_client_final_message(scram_state *state, char *input)
 			/* Fetch data from TLS finished message */
 #ifdef USE_SSL
 			cbind_data = be_tls_get_peer_finished(state->port, &cbind_data_len);
+#endif
+		}
+		else if (strcmp(state->channel_binding_type,
+						SCRAM_CHANNEL_BINDING_TLS_ENDPOINT) == 0)
+		{
+			/* Fetch hash data of server's SSL certificate */
+#ifdef USE_SSL
+			cbind_data = be_tls_get_certificate_hash(state->port,
+													 &cbind_data_len);
 #endif
 		}
 		else
diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 1e3e19f5e0..e3e8a535c8 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -1239,6 +1239,67 @@ be_tls_get_peer_finished(Port *port, size_t *len)
 	return result;
 }
 
+/*
+ * Get the server certificate hash for authentication purposes. Per
+ * RFC 5929 and tls-server-end-point, the TLS server's certificate bytes
+ * need to be hashed with SHA-256 if its signature algorithm is MD5 or
+ * SHA-1 as per RFC 5929 (https://tools.ietf.org/html/rfc5929#section-4.1).
+ * If something else is used, the same hash as the signature algorithm is
+ * used. The result is a palloc'd hash of the server certificate with its
+ * size, and NULL if there is no certificate available.
+ */
+char *
+be_tls_get_certificate_hash(Port *port, size_t *len)
+{
+	char	*cert_hash = NULL;
+	X509	*server_cert;
+
+	*len = 0;
+	server_cert = SSL_get_certificate(port->ssl);
+
+	if (server_cert != NULL)
+	{
+		const EVP_MD   *algo_type = NULL;
+		char			hash[EVP_MAX_MD_SIZE];	/* size for SHA-512 */
+		unsigned int	hash_size;
+		int				algo_nid;
+
+		/*
+		 * Get the signature algorithm of the certificate to determine the
+		 * hash algorithm to use for the result.
+		 */
+		if (!OBJ_find_sigid_algs(X509_get_signature_nid(server_cert),
+								 &algo_nid, NULL))
+			elog(ERROR, "could not find signature algorithm");
+
+		switch (algo_nid)
+		{
+			case NID_md5:
+			case NID_sha1:
+				algo_type = EVP_sha256();
+				break;
+
+			default:
+				algo_type = EVP_get_digestbynid(algo_nid);
+				if (algo_type == NULL)
+					elog(ERROR, "could not find digest for NID %s",
+						 OBJ_nid2sn(algo_nid));
+				break;
+		}
+
+		/* generate and save the certificate hash */
+		if (!X509_digest(server_cert, algo_type, (unsigned char *) hash,
+						 &hash_size))
+			elog(ERROR, "could not generate server certificate hash");
+
+		cert_hash = (char *) palloc(hash_size);
+		memcpy(cert_hash, hash, hash_size);
+		*len = hash_size;
+	}
+
+	return cert_hash;
+}
+
 /*
  * Convert an X509 subject name to a cstring.
  *
diff --git a/src/include/common/scram-common.h b/src/include/common/scram-common.h
index 857a60e71f..5aec5cadb8 100644
--- a/src/include/common/scram-common.h
+++ b/src/include/common/scram-common.h
@@ -21,6 +21,7 @@
 
 /* Channel binding types */
 #define SCRAM_CHANNEL_BINDING_TLS_UNIQUE    "tls-unique"
+#define SCRAM_CHANNEL_BINDING_TLS_ENDPOINT	"tls-server-end-point"
 
 /* Length of SCRAM keys (client and server) */
 #define SCRAM_KEY_LEN				PG_SHA256_DIGEST_LENGTH
diff --git a/src/include/libpq/libpq-be.h b/src/include/libpq/libpq-be.h
index 856e0439d5..cf9d8b7870 100644
--- a/src/include/libpq/libpq-be.h
+++ b/src/include/libpq/libpq-be.h
@@ -210,6 +210,7 @@ extern void be_tls_get_version(Port *port, char *ptr, size_t len);
 extern void be_tls_get_cipher(Port *port, char *ptr, size_t len);
 extern void be_tls_get_peerdn_name(Port *port, char *ptr, size_t len);
 extern char *be_tls_get_peer_finished(Port *port, size_t *len);
+extern char *be_tls_get_certificate_hash(Port *port, size_t *len);
 #endif
 
 extern ProtocolVersion FrontendProtocol;
diff --git a/src/interfaces/libpq/fe-auth-scram.c b/src/interfaces/libpq/fe-auth-scram.c
index e8fc33c72f..65817411b1 100644
--- a/src/interfaces/libpq/fe-auth-scram.c
+++ b/src/interfaces/libpq/fe-auth-scram.c
@@ -446,6 +446,21 @@ build_client_final_message(fe_scram_state *state)
 			cbind_data = pgtls_get_finished(state->conn, &cbind_data_len);
 			if (cbind_data == NULL)
 				goto oom_error;
+#endif
+		}
+		else if (strcmp(conn->scram_channel_binding,
+						SCRAM_CHANNEL_BINDING_TLS_ENDPOINT) == 0)
+		{
+			/* Fetch hash data of server's SSL certificate */
+#ifdef USE_SSL
+			cbind_data =
+				pgtls_get_peer_certificate_hash(state->conn,
+												&cbind_data_len);
+			if (cbind_data == NULL)
+			{
+				/* error message is already set on error */
+				return NULL;
+			}
 #endif
 		}
 		else
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 61d161b367..99077c3d9a 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -419,6 +419,84 @@ pgtls_get_finished(PGconn *conn, size_t *len)
 	return result;
 }
 
+/*
+ *	Get the hash of the server certificate
+ *
+ * This information is useful for end-point channel binding, where the
+ * client certificate hash is used as a link, per RFC 5929. If the
+ * signature hash algorithm is MD5 or SHA-1, fall back to SHA-256,
+ * as per RFC 5929 (https://tools.ietf.org/html/rfc5929#section-4.1).
+ * NULL is sent back to the caller in the event of an error, with an
+ * error message for the caller to consume.
+ */
+char *
+pgtls_get_peer_certificate_hash(PGconn *conn, size_t *len)
+{
+	char	   *cert_hash = NULL;
+
+	*len = 0;
+
+	if (conn->peer)
+	{
+		X509		   *peer_cert = conn->peer;
+		const EVP_MD   *algo_type = NULL;
+		char			hash[EVP_MAX_MD_SIZE];	/* size for SHA-512 */
+		unsigned int	hash_size;
+		int				algo_nid;
+
+		/*
+		 * Get the signature algorithm of the certificate to determine the
+		 * hash algorithm to use for the result.
+		 */
+		if (!OBJ_find_sigid_algs(X509_get_signature_nid(peer_cert),
+								 &algo_nid, NULL))
+		{
+			printfPQExpBuffer(&conn->errorMessage,
+							  libpq_gettext("could not find signature algorithm\n"));
+			return NULL;
+		}
+
+		switch (algo_nid)
+		{
+			case NID_md5:
+			case NID_sha1:
+				algo_type = EVP_sha256();
+				break;
+
+			default:
+				algo_type = EVP_get_digestbynid(algo_nid);
+				if (algo_type == NULL)
+				{
+					printfPQExpBuffer(&conn->errorMessage,
+									  libpq_gettext("could not find digest for NID %s\n"),
+									  OBJ_nid2sn(algo_nid));
+					return NULL;
+				}
+				break;
+		}
+
+		if (!X509_digest(peer_cert, algo_type, (unsigned char *) hash,
+						 &hash_size))
+		{
+			printfPQExpBuffer(&conn->errorMessage,
+							  libpq_gettext("could not generate peer certificate hash\n"));
+			return NULL;
+		}
+
+		/* save result */
+		cert_hash = (char *) malloc(hash_size);
+		if (cert_hash == NULL)
+		{
+			printfPQExpBuffer(&conn->errorMessage,
+							  libpq_gettext("out of memory\n"));
+			return NULL;
+		}
+		memcpy(cert_hash, hash, hash_size);
+		*len = hash_size;
+	}
+
+	return cert_hash;
+}
 
 /* ------------------------------------------------------------ */
 /*						OpenSSL specific code					*/
diff --git a/src/interfaces/libpq/libpq-int.h b/src/interfaces/libpq/libpq-int.h
index f6c1023f37..756c4d61e1 100644
--- a/src/interfaces/libpq/libpq-int.h
+++ b/src/interfaces/libpq/libpq-int.h
@@ -672,6 +672,7 @@ extern ssize_t pgtls_read(PGconn *conn, void *ptr, size_t len);
 extern bool pgtls_read_pending(PGconn *conn);
 extern ssize_t pgtls_write(PGconn *conn, const void *ptr, size_t len);
 extern char *pgtls_get_finished(PGconn *conn, size_t *len);
+extern char *pgtls_get_peer_certificate_hash(PGconn *conn, size_t *len);
 
 /*
  * this is so that we can check if a connection is non-blocking internally
diff --git a/src/test/ssl/t/002_scram.pl b/src/test/ssl/t/002_scram.pl
index 324b4888d4..3f425e00f0 100644
--- a/src/test/ssl/t/002_scram.pl
+++ b/src/test/ssl/t/002_scram.pl
@@ -4,7 +4,7 @@ use strict;
 use warnings;
 use PostgresNode;
 use TestLib;
-use Test::More tests => 4;
+use Test::More tests => 5;
 use ServerSetup;
 use File::Copy;
 
@@ -45,6 +45,9 @@ test_connect_ok($common_connstr,
 test_connect_ok($common_connstr,
 	"scram_channel_binding=''",
 	"SCRAM authentication without channel binding");
+test_connect_ok($common_connstr,
+	"scram_channel_binding=tls-server-end-point",
+	"SCRAM authentication with tls-server-end-point as channel binding");
 test_connect_fails($common_connstr,
 	"scram_channel_binding=not-exists",
 	"SCRAM authentication with invalid channel binding");
-- 
2.15.1