From db3c278177ded3a37431585bc85f60f646b976a8 Mon Sep 17 00:00:00 2001 From: Michael Paquier Date: Thu, 28 Dec 2017 16:12:54 +0900 Subject: [PATCH 2/2] Implement channel binding tls-server-end-point for SCRAM As referenced in RFC 5929, this channel binding is not the default value and uses a hash of the certificate as binding data. On the frontend, this can be resumed in getting the data from SSL_get_peer_certificate() and on the backend SSL_get_certificate(). The hashing algorithm needs also to switch to SHA-256 if the signature algorithm is MD5 or SHA-1, so let's be careful about that. --- doc/src/sgml/protocol.sgml | 5 +- src/backend/libpq/auth-scram.c | 21 +++++++-- src/backend/libpq/be-secure-openssl.c | 61 +++++++++++++++++++++++++ src/include/common/scram-common.h | 1 + src/include/libpq/libpq-be.h | 1 + src/interfaces/libpq/fe-auth-scram.c | 15 ++++++ src/interfaces/libpq/fe-secure-openssl.c | 78 ++++++++++++++++++++++++++++++++ src/interfaces/libpq/libpq-int.h | 1 + src/test/ssl/t/002_scram.pl | 5 +- 9 files changed, 180 insertions(+), 8 deletions(-) diff --git a/doc/src/sgml/protocol.sgml b/doc/src/sgml/protocol.sgml index 8174e3defa..365f72b51d 100644 --- a/doc/src/sgml/protocol.sgml +++ b/doc/src/sgml/protocol.sgml @@ -1576,8 +1576,9 @@ the password is in. Channel binding is supported in PostgreSQL builds with SSL support. The SASL mechanism name for SCRAM with channel binding -is SCRAM-SHA-256-PLUS. The only channel binding type -supported at the moment is tls-unique, defined in RFC 5929. +is SCRAM-SHA-256-PLUS. Two channel binding types are +supported at the moment: tls-unique, which is the default, +and tls-server-end-point, both defined in RFC 5929. diff --git a/src/backend/libpq/auth-scram.c b/src/backend/libpq/auth-scram.c index 72973d3789..0a50f815ab 100644 --- a/src/backend/libpq/auth-scram.c +++ b/src/backend/libpq/auth-scram.c @@ -849,13 +849,15 @@ read_client_first_message(scram_state *state, char *input) } /* - * Read value provided by client; only tls-unique is supported - * for now. (It is not safe to print the name of an - * unsupported binding type in the error message. Pranksters - * could print arbitrary strings into the log that way.) + * Read value provided by client; only tls-unique and + * tls-server-end-point are supported for now. (It is + * not safe to print the name of an unsupported binding + * type in the error message. Pranksters could print + * arbitrary strings into the log that way.) */ channel_binding_type = read_attr_value(&input, 'p'); - if (strcmp(channel_binding_type, SCRAM_CHANNEL_BINDING_TLS_UNIQUE) != 0) + if (strcmp(channel_binding_type, SCRAM_CHANNEL_BINDING_TLS_UNIQUE) != 0 && + strcmp(channel_binding_type, SCRAM_CHANNEL_BINDING_TLS_ENDPOINT) != 0) ereport(ERROR, (errcode(ERRCODE_PROTOCOL_VIOLATION), (errmsg("unsupported SCRAM channel-binding type")))); @@ -1115,6 +1117,15 @@ read_client_final_message(scram_state *state, char *input) /* Fetch data from TLS finished message */ #ifdef USE_SSL cbind_data = be_tls_get_peer_finished(state->port, &cbind_data_len); +#endif + } + else if (strcmp(state->channel_binding_type, + SCRAM_CHANNEL_BINDING_TLS_ENDPOINT) == 0) + { + /* Fetch hash data of server's SSL certificate */ +#ifdef USE_SSL + cbind_data = be_tls_get_certificate_hash(state->port, + &cbind_data_len); #endif } else diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 1e3e19f5e0..e3e8a535c8 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -1239,6 +1239,67 @@ be_tls_get_peer_finished(Port *port, size_t *len) return result; } +/* + * Get the server certificate hash for authentication purposes. Per + * RFC 5929 and tls-server-end-point, the TLS server's certificate bytes + * need to be hashed with SHA-256 if its signature algorithm is MD5 or + * SHA-1 as per RFC 5929 (https://tools.ietf.org/html/rfc5929#section-4.1). + * If something else is used, the same hash as the signature algorithm is + * used. The result is a palloc'd hash of the server certificate with its + * size, and NULL if there is no certificate available. + */ +char * +be_tls_get_certificate_hash(Port *port, size_t *len) +{ + char *cert_hash = NULL; + X509 *server_cert; + + *len = 0; + server_cert = SSL_get_certificate(port->ssl); + + if (server_cert != NULL) + { + const EVP_MD *algo_type = NULL; + char hash[EVP_MAX_MD_SIZE]; /* size for SHA-512 */ + unsigned int hash_size; + int algo_nid; + + /* + * Get the signature algorithm of the certificate to determine the + * hash algorithm to use for the result. + */ + if (!OBJ_find_sigid_algs(X509_get_signature_nid(server_cert), + &algo_nid, NULL)) + elog(ERROR, "could not find signature algorithm"); + + switch (algo_nid) + { + case NID_md5: + case NID_sha1: + algo_type = EVP_sha256(); + break; + + default: + algo_type = EVP_get_digestbynid(algo_nid); + if (algo_type == NULL) + elog(ERROR, "could not find digest for NID %s", + OBJ_nid2sn(algo_nid)); + break; + } + + /* generate and save the certificate hash */ + if (!X509_digest(server_cert, algo_type, (unsigned char *) hash, + &hash_size)) + elog(ERROR, "could not generate server certificate hash"); + + cert_hash = (char *) palloc(hash_size); + memcpy(cert_hash, hash, hash_size); + *len = hash_size; + } + + return cert_hash; +} + /* * Convert an X509 subject name to a cstring. * diff --git a/src/include/common/scram-common.h b/src/include/common/scram-common.h index 857a60e71f..5aec5cadb8 100644 --- a/src/include/common/scram-common.h +++ b/src/include/common/scram-common.h @@ -21,6 +21,7 @@ /* Channel binding types */ #define SCRAM_CHANNEL_BINDING_TLS_UNIQUE "tls-unique" +#define SCRAM_CHANNEL_BINDING_TLS_ENDPOINT "tls-server-end-point" /* Length of SCRAM keys (client and server) */ #define SCRAM_KEY_LEN PG_SHA256_DIGEST_LENGTH diff --git a/src/include/libpq/libpq-be.h b/src/include/libpq/libpq-be.h index 856e0439d5..cf9d8b7870 100644 --- a/src/include/libpq/libpq-be.h +++ b/src/include/libpq/libpq-be.h @@ -210,6 +210,7 @@ extern void be_tls_get_version(Port *port, char *ptr, size_t len); extern void be_tls_get_cipher(Port *port, char *ptr, size_t len); extern void be_tls_get_peerdn_name(Port *port, char *ptr, size_t len); extern char *be_tls_get_peer_finished(Port *port, size_t *len); +extern char *be_tls_get_certificate_hash(Port *port, size_t *len); #endif extern ProtocolVersion FrontendProtocol; diff --git a/src/interfaces/libpq/fe-auth-scram.c b/src/interfaces/libpq/fe-auth-scram.c index e8fc33c72f..65817411b1 100644 --- a/src/interfaces/libpq/fe-auth-scram.c +++ b/src/interfaces/libpq/fe-auth-scram.c @@ -446,6 +446,21 @@ build_client_final_message(fe_scram_state *state) cbind_data = pgtls_get_finished(state->conn, &cbind_data_len); if (cbind_data == NULL) goto oom_error; +#endif + } + else if (strcmp(conn->scram_channel_binding, + SCRAM_CHANNEL_BINDING_TLS_ENDPOINT) == 0) + { + /* Fetch hash data of server's SSL certificate */ +#ifdef USE_SSL + cbind_data = + pgtls_get_peer_certificate_hash(state->conn, + &cbind_data_len); + if (cbind_data == NULL) + { + /* error message is already set on error */ + return NULL; + } #endif } else diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 61d161b367..99077c3d9a 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -419,6 +419,84 @@ pgtls_get_finished(PGconn *conn, size_t *len) return result; } +/* + * Get the hash of the server certificate + * + * This information is useful for end-point channel binding, where the + * client certificate hash is used as a link, per RFC 5929. If the + * signature hash algorithm is MD5 or SHA-1, fall back to SHA-256, + * as per RFC 5929 (https://tools.ietf.org/html/rfc5929#section-4.1). + * NULL is sent back to the caller in the event of an error, with an + * error message for the caller to consume. + */ +char * +pgtls_get_peer_certificate_hash(PGconn *conn, size_t *len) +{ + char *cert_hash = NULL; + + *len = 0; + + if (conn->peer) + { + X509 *peer_cert = conn->peer; + const EVP_MD *algo_type = NULL; + char hash[EVP_MAX_MD_SIZE]; /* size for SHA-512 */ + unsigned int hash_size; + int algo_nid; + + /* + * Get the signature algorithm of the certificate to determine the + * hash algorithm to use for the result. + */ + if (!OBJ_find_sigid_algs(X509_get_signature_nid(peer_cert), + &algo_nid, NULL)) + { + printfPQExpBuffer(&conn->errorMessage, + libpq_gettext("could not find signature algorithm\n")); + return NULL; + } + + switch (algo_nid) + { + case NID_md5: + case NID_sha1: + algo_type = EVP_sha256(); + break; + + default: + algo_type = EVP_get_digestbynid(algo_nid); + if (algo_type == NULL) + { + printfPQExpBuffer(&conn->errorMessage, + libpq_gettext("could not find digest for NID %s\n"), + OBJ_nid2sn(algo_nid)); + return NULL; + } + break; + } + + if (!X509_digest(peer_cert, algo_type, (unsigned char *) hash, + &hash_size)) + { + printfPQExpBuffer(&conn->errorMessage, + libpq_gettext("could not generate peer certificate hash\n")); + return NULL; + } + + /* save result */ + cert_hash = (char *) malloc(hash_size); + if (cert_hash == NULL) + { + printfPQExpBuffer(&conn->errorMessage, + libpq_gettext("out of memory\n")); + return NULL; + } + memcpy(cert_hash, hash, hash_size); + *len = hash_size; + } + + return cert_hash; +} /* ------------------------------------------------------------ */ /* OpenSSL specific code */ diff --git a/src/interfaces/libpq/libpq-int.h b/src/interfaces/libpq/libpq-int.h index f6c1023f37..756c4d61e1 100644 --- a/src/interfaces/libpq/libpq-int.h +++ b/src/interfaces/libpq/libpq-int.h @@ -672,6 +672,7 @@ extern ssize_t pgtls_read(PGconn *conn, void *ptr, size_t len); extern bool pgtls_read_pending(PGconn *conn); extern ssize_t pgtls_write(PGconn *conn, const void *ptr, size_t len); extern char *pgtls_get_finished(PGconn *conn, size_t *len); +extern char *pgtls_get_peer_certificate_hash(PGconn *conn, size_t *len); /* * this is so that we can check if a connection is non-blocking internally diff --git a/src/test/ssl/t/002_scram.pl b/src/test/ssl/t/002_scram.pl index 324b4888d4..3f425e00f0 100644 --- a/src/test/ssl/t/002_scram.pl +++ b/src/test/ssl/t/002_scram.pl @@ -4,7 +4,7 @@ use strict; use warnings; use PostgresNode; use TestLib; -use Test::More tests => 4; +use Test::More tests => 5; use ServerSetup; use File::Copy; @@ -45,6 +45,9 @@ test_connect_ok($common_connstr, test_connect_ok($common_connstr, "scram_channel_binding=''", "SCRAM authentication without channel binding"); +test_connect_ok($common_connstr, + "scram_channel_binding=tls-server-end-point", + "SCRAM authentication with tls-server-end-point as channel binding"); test_connect_fails($common_connstr, "scram_channel_binding=not-exists", "SCRAM authentication with invalid channel binding"); -- 2.15.1