From 69dcf31f5ce5938f9f56a94bf55c8439ea53ed27 Mon Sep 17 00:00:00 2001 From: Michael Paquier Date: Fri, 22 Dec 2017 10:49:10 +0900 Subject: [PATCH 1/2] Implement channel binding tls-server-end-point for SCRAM As referenced in RFC 5929, this channel binding is not the default value and uses a hash of the certificate as binding data. On the frontend, this can be resumed in getting the data from SSL_get_peer_certificate() and on the backend SSL_get_certificate(). The hashing algorithm needs also to switch to SHA-256 if the signature algorithm is MD5 or SHA-1, so let's be careful about that. --- doc/src/sgml/protocol.sgml | 5 +- src/backend/libpq/auth-scram.c | 26 ++++++++--- src/backend/libpq/auth.c | 8 +++- src/backend/libpq/be-secure-openssl.c | 61 +++++++++++++++++++++++++ src/include/common/scram-common.h | 1 + src/include/libpq/libpq-be.h | 1 + src/include/libpq/scram.h | 3 +- src/interfaces/libpq/fe-auth-scram.c | 18 ++++++-- src/interfaces/libpq/fe-auth.c | 12 ++++- src/interfaces/libpq/fe-auth.h | 4 +- src/interfaces/libpq/fe-secure-openssl.c | 78 ++++++++++++++++++++++++++++++++ src/interfaces/libpq/libpq-int.h | 1 + src/test/ssl/t/002_scram.pl | 5 +- 13 files changed, 207 insertions(+), 16 deletions(-) diff --git a/doc/src/sgml/protocol.sgml b/doc/src/sgml/protocol.sgml index 8174e3defa..365f72b51d 100644 --- a/doc/src/sgml/protocol.sgml +++ b/doc/src/sgml/protocol.sgml @@ -1576,8 +1576,9 @@ the password is in. Channel binding is supported in PostgreSQL builds with SSL support. The SASL mechanism name for SCRAM with channel binding -is SCRAM-SHA-256-PLUS. The only channel binding type -supported at the moment is tls-unique, defined in RFC 5929. +is SCRAM-SHA-256-PLUS. Two channel binding types are +supported at the moment: tls-unique, which is the default, +and tls-server-end-point, both defined in RFC 5929. diff --git a/src/backend/libpq/auth-scram.c b/src/backend/libpq/auth-scram.c index d52a763457..849587d141 100644 --- a/src/backend/libpq/auth-scram.c +++ b/src/backend/libpq/auth-scram.c @@ -114,6 +114,8 @@ typedef struct bool ssl_in_use; const char *tls_finished_message; size_t tls_finished_len; + const char *certificate_hash; + size_t certificate_hash_len; char *channel_binding_type; int iterations; @@ -176,7 +178,9 @@ pg_be_scram_init(const char *username, const char *shadow_pass, bool ssl_in_use, const char *tls_finished_message, - size_t tls_finished_len) + size_t tls_finished_len, + const char *certificate_hash, + size_t certificate_hash_len) { scram_state *state; bool got_verifier; @@ -187,6 +191,8 @@ pg_be_scram_init(const char *username, state->ssl_in_use = ssl_in_use; state->tls_finished_message = tls_finished_message; state->tls_finished_len = tls_finished_len; + state->certificate_hash = certificate_hash; + state->certificate_hash_len = certificate_hash_len; state->channel_binding_type = NULL; /* @@ -857,13 +863,15 @@ read_client_first_message(scram_state *state, char *input) } /* - * Read value provided by client; only tls-unique is supported - * for now. (It is not safe to print the name of an - * unsupported binding type in the error message. Pranksters - * could print arbitrary strings into the log that way.) + * Read value provided by client; only tls-unique and + * tls-server-end-point are supported for now. (It is + * not safe to print the name of an unsupported binding + * type in the error message. Pranksters could print + * arbitrary strings into the log that way.) */ channel_binding_type = read_attr_value(&input, 'p'); - if (strcmp(channel_binding_type, SCRAM_CHANNEL_BINDING_TLS_UNIQUE) != 0) + if (strcmp(channel_binding_type, SCRAM_CHANNEL_BINDING_TLS_UNIQUE) != 0 && + strcmp(channel_binding_type, SCRAM_CHANNEL_BINDING_TLS_ENDPOINT) != 0) ereport(ERROR, (errcode(ERRCODE_PROTOCOL_VIOLATION), (errmsg("unsupported SCRAM channel-binding type")))); @@ -1123,6 +1131,12 @@ read_client_final_message(scram_state *state, char *input) cbind_data = state->tls_finished_message; cbind_data_len = state->tls_finished_len; } + else if (strcmp(state->channel_binding_type, + SCRAM_CHANNEL_BINDING_TLS_ENDPOINT) == 0) + { + cbind_data = state->certificate_hash; + cbind_data_len = state->certificate_hash_len; + } else { /* should not happen */ diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c index b7f9bb1669..700a3bffa4 100644 --- a/src/backend/libpq/auth.c +++ b/src/backend/libpq/auth.c @@ -875,6 +875,8 @@ CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail) bool initial; char *tls_finished = NULL; size_t tls_finished_len = 0; + char *certificate_hash = NULL; + size_t certificate_hash_len = 0; /* * SASL auth is not supported for protocol versions before 3, because it @@ -923,6 +925,8 @@ CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail) if (port->ssl_in_use) { tls_finished = be_tls_get_peer_finished(port, &tls_finished_len); + certificate_hash = be_tls_get_certificate_hash(port, + &certificate_hash_len); } #endif @@ -941,7 +945,9 @@ CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail) shadow_pass, port->ssl_in_use, tls_finished, - tls_finished_len); + tls_finished_len, + certificate_hash, + certificate_hash_len); /* * Loop through SASL message exchange. This exchange can consist of diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 1e3e19f5e0..e3e8a535c8 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -1239,6 +1239,67 @@ be_tls_get_peer_finished(Port *port, size_t *len) return result; } +/* + * Get the server certificate hash for authentication purposes. Per + * RFC 5929 and tls-server-end-point, the TLS server's certificate bytes + * need to be hashed with SHA-256 if its signature algorithm is MD5 or + * SHA-1 as per RFC 5929 (https://tools.ietf.org/html/rfc5929#section-4.1). + * If something else is used, the same hash as the signature algorithm is + * used. The result is a palloc'd hash of the server certificate with its + * size, and NULL if there is no certificate available. + */ +char * +be_tls_get_certificate_hash(Port *port, size_t *len) +{ + char *cert_hash = NULL; + X509 *server_cert; + + *len = 0; + server_cert = SSL_get_certificate(port->ssl); + + if (server_cert != NULL) + { + const EVP_MD *algo_type = NULL; + char hash[EVP_MAX_MD_SIZE]; /* size for SHA-512 */ + unsigned int hash_size; + int algo_nid; + + /* + * Get the signature algorithm of the certificate to determine the + * hash algorithm to use for the result. + */ + if (!OBJ_find_sigid_algs(X509_get_signature_nid(server_cert), + &algo_nid, NULL)) + elog(ERROR, "could not find signature algorithm"); + + switch (algo_nid) + { + case NID_md5: + case NID_sha1: + algo_type = EVP_sha256(); + break; + + default: + algo_type = EVP_get_digestbynid(algo_nid); + if (algo_type == NULL) + elog(ERROR, "could not find digest for NID %s", + OBJ_nid2sn(algo_nid)); + break; + } + + /* generate and save the certificate hash */ + if (!X509_digest(server_cert, algo_type, (unsigned char *) hash, + &hash_size)) + elog(ERROR, "could not generate server certificate hash"); + + cert_hash = (char *) palloc(hash_size); + memcpy(cert_hash, hash, hash_size); + *len = hash_size; + } + + return cert_hash; +} + /* * Convert an X509 subject name to a cstring. * diff --git a/src/include/common/scram-common.h b/src/include/common/scram-common.h index 857a60e71f..5aec5cadb8 100644 --- a/src/include/common/scram-common.h +++ b/src/include/common/scram-common.h @@ -21,6 +21,7 @@ /* Channel binding types */ #define SCRAM_CHANNEL_BINDING_TLS_UNIQUE "tls-unique" +#define SCRAM_CHANNEL_BINDING_TLS_ENDPOINT "tls-server-end-point" /* Length of SCRAM keys (client and server) */ #define SCRAM_KEY_LEN PG_SHA256_DIGEST_LENGTH diff --git a/src/include/libpq/libpq-be.h b/src/include/libpq/libpq-be.h index 856e0439d5..cf9d8b7870 100644 --- a/src/include/libpq/libpq-be.h +++ b/src/include/libpq/libpq-be.h @@ -210,6 +210,7 @@ extern void be_tls_get_version(Port *port, char *ptr, size_t len); extern void be_tls_get_cipher(Port *port, char *ptr, size_t len); extern void be_tls_get_peerdn_name(Port *port, char *ptr, size_t len); extern char *be_tls_get_peer_finished(Port *port, size_t *len); +extern char *be_tls_get_certificate_hash(Port *port, size_t *len); #endif extern ProtocolVersion FrontendProtocol; diff --git a/src/include/libpq/scram.h b/src/include/libpq/scram.h index 2c245813d6..7c8f009a3b 100644 --- a/src/include/libpq/scram.h +++ b/src/include/libpq/scram.h @@ -21,7 +21,8 @@ /* Routines dedicated to authentication */ extern void *pg_be_scram_init(const char *username, const char *shadow_pass, bool ssl_in_use, const char *tls_finished_message, - size_t tls_finished_len); + size_t tls_finished_len, const char *certificate_hash, + size_t certificate_hash_len); extern int pg_be_scram_exchange(void *opaq, char *input, int inputlen, char **output, int *outputlen, char **logdetail); diff --git a/src/interfaces/libpq/fe-auth-scram.c b/src/interfaces/libpq/fe-auth-scram.c index b8f7a6b5be..a56fccf12e 100644 --- a/src/interfaces/libpq/fe-auth-scram.c +++ b/src/interfaces/libpq/fe-auth-scram.c @@ -47,6 +47,8 @@ typedef struct bool ssl_in_use; char *tls_finished_message; size_t tls_finished_len; + char *certificate_hash; + size_t certificate_hash_len; char *sasl_mechanism; const char *channel_binding_type; @@ -95,7 +97,9 @@ pg_fe_scram_init(const char *username, const char *sasl_mechanism, const char *channel_binding_type, char *tls_finished_message, - size_t tls_finished_len) + size_t tls_finished_len, + char *certificate_hash, + size_t certificate_hash_len) { fe_scram_state *state; char *prep_password; @@ -112,6 +116,8 @@ pg_fe_scram_init(const char *username, state->ssl_in_use = ssl_in_use; state->tls_finished_message = tls_finished_message; state->tls_finished_len = tls_finished_len; + state->certificate_hash = certificate_hash; + state->certificate_hash_len = certificate_hash_len; state->sasl_mechanism = strdup(sasl_mechanism); state->channel_binding_type = channel_binding_type; @@ -156,8 +162,8 @@ pg_fe_scram_free(void *opaq) free(state->password); if (state->tls_finished_message) free(state->tls_finished_message); - if (state->sasl_mechanism) - free(state->sasl_mechanism); + if (state->certificate_hash) + free(state->certificate_hash); /* client messages */ if (state->client_nonce) @@ -461,6 +467,12 @@ build_client_final_message(fe_scram_state *state, PQExpBuffer errormessage) cbind_data = state->tls_finished_message; cbind_data_len = state->tls_finished_len; } + else if (strcmp(state->channel_binding_type, + SCRAM_CHANNEL_BINDING_TLS_ENDPOINT) == 0) + { + cbind_data = state->certificate_hash; + cbind_data_len = state->certificate_hash_len; + } else { /* should not happen */ diff --git a/src/interfaces/libpq/fe-auth.c b/src/interfaces/libpq/fe-auth.c index 3340a9ad93..bb9b0573d1 100644 --- a/src/interfaces/libpq/fe-auth.c +++ b/src/interfaces/libpq/fe-auth.c @@ -493,6 +493,8 @@ pg_SASL_init(PGconn *conn, int payloadlen) PQExpBufferData mechanism_buf; char *tls_finished = NULL; size_t tls_finished_len = 0; + char *certificate_hash = NULL; + size_t certificate_hash_len = 0; char *password; initPQExpBuffer(&mechanism_buf); @@ -580,6 +582,12 @@ pg_SASL_init(PGconn *conn, int payloadlen) tls_finished = pgtls_get_finished(conn, &tls_finished_len); if (tls_finished == NULL) goto oom_error; + + certificate_hash = + pgtls_get_peer_certificate_hash(conn, + &certificate_hash_len); + if (certificate_hash == NULL) + goto error; /* error message is set */ } #endif @@ -595,7 +603,9 @@ pg_SASL_init(PGconn *conn, int payloadlen) selected_mechanism, conn->scram_channel_binding, tls_finished, - tls_finished_len); + tls_finished_len, + certificate_hash, + certificate_hash_len); if (!conn->sasl_state) goto oom_error; diff --git a/src/interfaces/libpq/fe-auth.h b/src/interfaces/libpq/fe-auth.h index db319ac071..68de8b6e32 100644 --- a/src/interfaces/libpq/fe-auth.h +++ b/src/interfaces/libpq/fe-auth.h @@ -29,7 +29,9 @@ extern void *pg_fe_scram_init(const char *username, const char *sasl_mechanism, const char *channel_binding_type, char *tls_finished_message, - size_t tls_finished_len); + size_t tls_finished_len, + char *certificate_hash, + size_t certificate_hash_len); extern void pg_fe_scram_free(void *opaq); extern void pg_fe_scram_exchange(void *opaq, char *input, int inputlen, char **output, int *outputlen, diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 61d161b367..99077c3d9a 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -419,6 +419,84 @@ pgtls_get_finished(PGconn *conn, size_t *len) return result; } +/* + * Get the hash of the server certificate + * + * This information is useful for end-point channel binding, where the + * client certificate hash is used as a link, per RFC 5929. If the + * signature hash algorithm is MD5 or SHA-1, fall back to SHA-256, + * as per RFC 5929 (https://tools.ietf.org/html/rfc5929#section-4.1). + * NULL is sent back to the caller in the event of an error, with an + * error message for the caller to consume. + */ +char * +pgtls_get_peer_certificate_hash(PGconn *conn, size_t *len) +{ + char *cert_hash = NULL; + + *len = 0; + + if (conn->peer) + { + X509 *peer_cert = conn->peer; + const EVP_MD *algo_type = NULL; + char hash[EVP_MAX_MD_SIZE]; /* size for SHA-512 */ + unsigned int hash_size; + int algo_nid; + + /* + * Get the signature algorithm of the certificate to determine the + * hash algorithm to use for the result. + */ + if (!OBJ_find_sigid_algs(X509_get_signature_nid(peer_cert), + &algo_nid, NULL)) + { + printfPQExpBuffer(&conn->errorMessage, + libpq_gettext("could not find signature algorithm\n")); + return NULL; + } + + switch (algo_nid) + { + case NID_md5: + case NID_sha1: + algo_type = EVP_sha256(); + break; + + default: + algo_type = EVP_get_digestbynid(algo_nid); + if (algo_type == NULL) + { + printfPQExpBuffer(&conn->errorMessage, + libpq_gettext("could not find digest for NID %s\n"), + OBJ_nid2sn(algo_nid)); + return NULL; + } + break; + } + + if (!X509_digest(peer_cert, algo_type, (unsigned char *) hash, + &hash_size)) + { + printfPQExpBuffer(&conn->errorMessage, + libpq_gettext("could not generate peer certificate hash\n")); + return NULL; + } + + /* save result */ + cert_hash = (char *) malloc(hash_size); + if (cert_hash == NULL) + { + printfPQExpBuffer(&conn->errorMessage, + libpq_gettext("out of memory\n")); + return NULL; + } + memcpy(cert_hash, hash, hash_size); + *len = hash_size; + } + + return cert_hash; +} /* ------------------------------------------------------------ */ /* OpenSSL specific code */ diff --git a/src/interfaces/libpq/libpq-int.h b/src/interfaces/libpq/libpq-int.h index f6c1023f37..756c4d61e1 100644 --- a/src/interfaces/libpq/libpq-int.h +++ b/src/interfaces/libpq/libpq-int.h @@ -672,6 +672,7 @@ extern ssize_t pgtls_read(PGconn *conn, void *ptr, size_t len); extern bool pgtls_read_pending(PGconn *conn); extern ssize_t pgtls_write(PGconn *conn, const void *ptr, size_t len); extern char *pgtls_get_finished(PGconn *conn, size_t *len); +extern char *pgtls_get_peer_certificate_hash(PGconn *conn, size_t *len); /* * this is so that we can check if a connection is non-blocking internally diff --git a/src/test/ssl/t/002_scram.pl b/src/test/ssl/t/002_scram.pl index 324b4888d4..3f425e00f0 100644 --- a/src/test/ssl/t/002_scram.pl +++ b/src/test/ssl/t/002_scram.pl @@ -4,7 +4,7 @@ use strict; use warnings; use PostgresNode; use TestLib; -use Test::More tests => 4; +use Test::More tests => 5; use ServerSetup; use File::Copy; @@ -45,6 +45,9 @@ test_connect_ok($common_connstr, test_connect_ok($common_connstr, "scram_channel_binding=''", "SCRAM authentication without channel binding"); +test_connect_ok($common_connstr, + "scram_channel_binding=tls-server-end-point", + "SCRAM authentication with tls-server-end-point as channel binding"); test_connect_fails($common_connstr, "scram_channel_binding=not-exists", "SCRAM authentication with invalid channel binding"); -- 2.15.1