Remove support for tls-unique channel binding. · postgres/postgres@7729113

Commit 77291139c7c1dffac61e8db88cef98933677db18
Parent: 7a46068f47a2e407d80d9d552727dc102188bec2
Author: Heikki Linnakangas (hlinnaka)
Date: 2018-08-05 13:44:21 +03:00
15 files changed, 246 additions, 336 deletions

Remove support for tls-unique channel binding.

There are some problems with the tls-unique channel binding type. It's not
supported by all SSL libraries, and strictly speaking it's not defined for
TLS 1.3 at all, even though at least in OpenSSL, the functions used for it
still seem to work with TLS 1.3 connections. And since we had no
mechanism to negotiate what channel binding type to use, there would be
awkward interoperability issues if a server only supported some channel
binding types. tls-server-end-point seems feasible to support with any SSL
library, so let's just stick to that.

This removes the scram_channel_binding libpq option altogether, since there
is now only one supported channel binding type.

This also removes all the channel binding tests from the SSL test suite.
They were really just testing the scram_channel_binding option, which
is now gone. Channel binding is used if both client and server support it,
so it is used in the existing tests. It would be good to have some tests
specifically for channel binding, to make sure it really is used, and the
different combinations of a client and a server that support or don't
support it. The current set of settings we have makes it hard to write such
tests, but I did test those things manually, by disabling
HAVE_BE_TLS_GET_CERTIFICATE_HASH and/or
HAVE_PGTLS_GET_PEER_CERTIFICATE_HASH.

I also removed the SCRAM_CHANNEL_BINDING_TLS_END_POINT constant. This is a
matter of taste, but IMO it's more readable to just use the
"tls-server-end-point" string.

Refactor the checks on whether the SSL library supports the functions
needed for tls-server-end-point channel binding. Now the server won't
advertise, and the client won't choose, the SCRAM-SHA-256-PLUS variant, if
compiled with an OpenSSL version too old to support it.

In passing, add some sanity checks to check that the chosen SASL
mechanism, SCRAM-SHA-256 or SCRAM-SHA-256-PLUS, matches whether the SCRAM
exchange used channel binding or not. For example, if the client selects
the non-channel-binding variant SCRAM-SHA-256, but in the SCRAM message
uses channel binding anyway. It's harmless from a security point of view,
I believe, and I'm not sure if there are some other conditions that would
cause the connection to fail, but it seems better to be strict about these
things and check explicitly.

Discussion: https://www.postgresql.org/message-id/ec787074-2305-c6f4-86aa-6902f98485a4%40iki.fi

diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml
@@ -1245,34 +1245,6 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname
 </listitem>
 </varlistentry>
 
- <varlistentry id="libpq-scram-channel-binding" xreflabel="scram_channel_binding">
- <term><literal>scram_channel_binding</literal></term>
- <listitem>
- <para>
- Specifies the channel binding type to use with SCRAM
- authentication. While <acronym>SCRAM</acronym> alone prevents
- the replay of transmitted hashed passwords, channel binding also
- prevents man-in-the-middle attacks.
- </para>
-
- <para>
- The list of channel binding types supported by the server are
- listed in <xref linkend="sasl-authentication"/>. An empty value
- specifies that the client will not use channel binding. If this
- parameter is not specified, <literal>tls-unique</literal> is used,
- if supported by both server and client.
- Channel binding is only supported on SSL connections. If the
- connection is not using SSL, then this setting is ignored.
- </para>
-
- <para>
- This parameter is mainly intended for protocol testing. In normal
- use, there should not be a need to choose a channel binding type other
- than the default one.
- </para>
- </listitem>
- </varlistentry>
-
 <varlistentry id="libpq-connect-replication" xreflabel="replication">
 <term><literal>replication</literal></term>
 <listitem>

diff --git a/doc/src/sgml/protocol.sgml b/doc/src/sgml/protocol.sgml
@@ -1576,12 +1576,8 @@ the password is in.
 <para>
 <firstterm>Channel binding</firstterm> is supported in PostgreSQL builds with
 SSL support. The SASL mechanism name for SCRAM with channel binding is
-<literal>SCRAM-SHA-256-PLUS</literal>. Two channel binding types are
-supported: <literal>tls-unique</literal> and
-<literal>tls-server-end-point</literal>, both defined in RFC 5929. Clients
-should use <literal>tls-unique</literal> if they can support it.
-<literal>tls-server-end-point</literal> is intended for third-party clients
-that cannot support <literal>tls-unique</literal> for some reason.
+<literal>SCRAM-SHA-256-PLUS</literal>. The channel binding type used by
+PostgreSQL is <literal>tls-server-end-point</literal>.
 </para>
 
 <para>
@@ -1596,19 +1592,11 @@ that cannot support <literal>tls-unique</literal> for some reason.
 
 <para>
 <acronym>SCRAM</acronym> with channel binding prevents such
- man-in-the-middle attacks by mixing a value into the transmitted
- password hash that cannot be retransmitted by a fake server.
- In <acronym>SCRAM</acronym> with <literal>tls-unique</literal>
- channel binding, the shared secret negotiated during the SSL session
- is mixed into the user-supplied password hash. The shared secret
- is partly chosen by the server, but not directly transmitted, making
- it impossible for a fake server to create an SSL connection with the
- client that has the same shared secret it has with the real server.
- <acronym>SCRAM</acronym> with <literal>tls-server-end-point</literal>
- mixes a hash of the server's certificate into the user-supplied password
- hash. While a fake server can retransmit the real server's certificate,
- it doesn't have access to the private key matching that certificate, and
- therefore cannot prove it is the owner, causing SSL connection failure.
+ man-in-the-middle attacks by mixing the signature of the server's
+ certificate into the transmitted password hash. While a fake server can
+ retransmit the real server's certificate, it doesn't have access to the
+ private key matching that certificate, and therefore cannot prove it is
+ the owner, causing SSL connection failure.
 </para>
 
 <procedure>

diff --git a/doc/src/sgml/release-11.sgml b/doc/src/sgml/release-11.sgml
@@ -2693,10 +2693,7 @@ same commits as above
 the feature currently does not prevent man-in-the-middle
 attacks when using libpq and interfaces built using it. It is
 expected that future versions of libpq and interfaces not built
- using libpq, e.g. JDBC, will allow this capability. The libpq
- options to control the optional channel binding type are <link
- linkend="libpq-scram-channel-binding"><option>scram_channel_binding=tls-unique</option></link>
- and <option>scram_channel_binding=tls-server-end-point</option>.
+ using libpq, e.g. JDBC, will allow this capability.
 </para>
 </listitem>
 

Other files modified in this commit (diffs not loaded on this page):
src/backend/libpq/auth-scram.c
src/backend/libpq/auth.c
src/backend/libpq/be-secure-openssl.c
src/include/common/scram-common.h
src/include/libpq/libpq-be.h
src/include/libpq/scram.h
src/interfaces/libpq/fe-auth-scram.c
src/interfaces/libpq/fe-auth.c
src/interfaces/libpq/fe-connect.c
src/interfaces/libpq/fe-secure-openssl.c
src/interfaces/libpq/libpq-int.h
src/test/ssl/t/002_scram.pl
There are some problems with the tls-unique channel binding type. It's not
supported by all SSL libraries, and strictly speaking it's not defined for
TLS 1.3 at all, even though at least in OpenSSL, the functions used for it
still seem to work with TLS 1.3 connections. And since we had no
mechanism to negotiate what channel binding type to use, there would be
awkward interoperability issues if a server only supported some channel
binding types. tls-server-end-point seems feasible to support with any SSL
library, so let's just stick to that.

This removes the scram_channel_binding libpq option altogether, since there
is now only one supported channel binding type.

This also removes all the channel binding tests from the SSL test suite.
They were really just testing the scram_channel_binding option, which
is now gone. Channel binding is used if both client and server support it,
so it is used in the existing tests. It would be good to have some tests
specifically for channel binding, to make sure it really is used, and the
different combinations of a client and a server that support or don't
support it. The current set of settings we have makes it hard to write such
tests, but I did test those things manually, by disabling
HAVE_BE_TLS_GET_CERTIFICATE_HASH and/or
HAVE_PGTLS_GET_PEER_CERTIFICATE_HASH.

I also removed the SCRAM_CHANNEL_BINDING_TLS_END_POINT constant. This is a
matter of taste, but IMO it's more readable to just use the
"tls-server-end-point" string.

Refactor the checks on whether the SSL library supports the functions
needed for tls-server-end-point channel binding. Now the server won't
advertise, and the client won't choose, the SCRAM-SHA-256-PLUS variant, if
compiled with an OpenSSL version too old to support it.

In passing, add some sanity checks to check that the chosen SASL
mechanism, SCRAM-SHA-256 or SCRAM-SHA-256-PLUS, matches whether the SCRAM
exchange used channel binding or not. For example, if the client selects
the non-channel-binding variant SCRAM-SHA-256, but in the SCRAM message
uses channel binding anyway. It's harmless from a security point of view,
I believe, and I'm not sure if there are some other conditions that would
cause the connection to fail, but it seems better to be strict about these
things and check explicitly.

Discussion: https://www.postgresql.org/message-id/ec787074-2305-c6f4-86aa-6902f98485a4%40iki.fi
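As an added illustration (not PostgreSQL's own code; the function and constant names are constructed), here is the mechanism-versus-GS2-flag consistency check the commit message describes, alongside the tls-server-end-point channel binding data (RFC 5929) and the c= attribute a server verifies in the SCRAM exchange:

```python
import base64
import hashlib
from typing import Optional, Tuple

# Constructed names for illustration; this is not PostgreSQL's own code.
MECH_PLAIN = "SCRAM-SHA-256"
MECH_PLUS = "SCRAM-SHA-256-PLUS"
CB_TYPE = "tls-server-end-point"

def parse_gs2_header(client_first: str) -> Tuple[str, Optional[str], str]:
    """Split the GS2 header off a SCRAM client-first-message into
    (cb_flag, cb_name, bare): flag 'n' or 'y' means no binding, 'p' names one."""
    flag_part, _authzid, bare = client_first.split(",", 2)
    if flag_part in ("n", "y"):
        return flag_part, None, bare
    if flag_part.startswith("p="):
        return "p", flag_part[2:], bare
    raise ValueError("malformed GS2 channel-binding flag")

def mechanism_mismatch(mechanism: str, cb_flag: str, cb_name: Optional[str]) -> Optional[str]:
    """The sanity check the commit adds: the selected SASL mechanism must agree
    with the channel-binding flag. Returns None if consistent, else a reason."""
    if mechanism == MECH_PLUS:
        if cb_flag != "p":
            return "client selected SCRAM-SHA-256-PLUS but did not use channel binding"
        if cb_name != CB_TYPE:
            return "unsupported channel binding type %r" % cb_name
        return None
    if mechanism == MECH_PLAIN:
        if cb_flag == "p":
            return "client selected SCRAM-SHA-256 but used channel binding anyway"
        return None
    return "unknown SASL mechanism %r" % mechanism

def tls_server_end_point_data(cert_der: bytes, sig_hash: str) -> bytes:
    """RFC 5929 tls-server-end-point: hash the server's DER certificate with the
    hash of its signature algorithm; MD5 and SHA-1 are replaced by SHA-256."""
    if sig_hash.lower() in ("md5", "sha1"):
        sig_hash = "sha256"
    return hashlib.new(sig_hash, cert_der).digest()

def channel_binding_attr(gs2_header: str, cb_data: bytes) -> str:
    """c= attribute of client-final-message: base64(GS2 header + cb data)."""
    return base64.b64encode(gs2_header.encode() + cb_data).decode()

def verify_channel_binding_attr(c_value: str, gs2_header: str, cb_data: bytes) -> bool:
    """Server side: the client's c= must equal what the server computes itself."""
    return base64.b64decode(c_value) == gs2_header.encode() + cb_data
```

A server that enforces `mechanism_mismatch` rejects the case the commit names (SCRAM-SHA-256 selected, but a `p=` header sent) before any proof is checked, and the certificate bytes here are a constructed placeholder, not a real DER certificate.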