Added support for SCRAM-SHA-256-PLUS i.e. channel binding

Author: jawj

packages/pg/lib/client.js

@@ -20,6 +20,7 @@ class Client extends EventEmitter {
     this.database = this.connectionParameters.database
     this.port = this.connectionParameters.port
     this.host = this.connectionParameters.host
+    this.enableChannelBinding = true
 
     // "hiding" the password so it doesn't show up in stack traces
     // or if the client is console.logged
@@ -258,7 +259,7 @@ class Client extends EventEmitter {
   _handleAuthSASL(msg) {
     this._checkPgPass(() => {
       try {
-        this.saslSession = sasl.startSession(msg.mechanisms)
+        this.saslSession = sasl.startSession(msg.mechanisms, this.enableChannelBinding && this.connection.stream)
         this.connection.sendSASLInitialResponseMessage(this.saslSession.mechanism, this.saslSession.response)
       } catch (err) {
         this.connection.emit('error', err)
@@ -268,7 +269,7 @@ class Client extends EventEmitter {
 
   async _handleAuthSASLContinue(msg) {
     try {
-      await sasl.continueSession(this.saslSession, this.password, msg.data)
+      await sasl.continueSession(this.saslSession, this.password, msg.data, this.enableChannelBinding && this.connection.stream)
       this.connection.sendSCRAMClientFinalMessage(this.saslSession.response)
     } catch (err) {
       this.connection.emit('error', err)

packages/pg/lib/crypto/sasl.js

@@ -1,22 +1,40 @@
 'use strict'
 const crypto = require('./utils')
+const tls = require('tls');
 
-function startSession(mechanisms) {
-  if (mechanisms.indexOf('SCRAM-SHA-256') === -1) {
-    throw new Error('SASL: Only mechanism SCRAM-SHA-256 is currently supported')
+function startSession(mechanisms, stream) {
+  const candidates = ['SCRAM-SHA-256']
+  if (stream) candidates.unshift('SCRAM-SHA-256-PLUS')  // higher-priority, so placed first
+
+  let mechanism
+  for (const candidate of candidates) {
+    if (mechanisms.indexOf(candidate) !== -1) {
+      mechanism = candidate
+      break
+    }
+  }
+
+  if (!mechanism) {
+    throw new Error('SASL: Only mechanisms ' + candidates.join(' and ') + ' are supported')
+  }
+
+  if (mechanism === 'SCRAM-SHA-256-PLUS' && !(stream instanceof tls.TLSSocket)) {
+    // this should never happen if we are really talking to a Postgres server
+    throw new Error('SASL: Mechanism SCRAM-SHA-256-PLUS requires a secure connection')
   }
 
   const clientNonce = crypto.randomBytes(18).toString('base64')
+  const gs2Header = mechanism === 'SCRAM-SHA-256-PLUS' ? 'p=tls-server-end-point' : stream ? 'y' : 'n'
 
   return {
-    mechanism: 'SCRAM-SHA-256',
+    mechanism,
     clientNonce,
-    response: 'n,,n=*,r=' + clientNonce,
+    response: gs2Header + ',,n=*,r=' + clientNonce,
     message: 'SASLInitialResponse',
   }
 }
 
-async function continueSession(session, password, serverData) {
+async function continueSession(session, password, serverData, stream) {
   if (session.message !== 'SASLInitialResponse') {
     throw new Error('SASL: Last message was not SASLInitialResponse')
   }
@@ -40,7 +58,34 @@ async function continueSession(session, password, serverData) {
 
   var clientFirstMessageBare = 'n=*,r=' + session.clientNonce
   var serverFirstMessage = 'r=' + sv.nonce + ',s=' + sv.salt + ',i=' + sv.iteration
-  var clientFinalMessageWithoutProof = 'c=biws,r=' + sv.nonce
+
+  // without channel binding:
+  let channelBinding = stream ? 'eSws' : 'biws' // 'y,,' or 'n,,', base64-encoded
+
+  // override if channel binding is in use:
+  if (session.mechanism === 'SCRAM-SHA-256-PLUS') {
+    const peerCert = stream.getPeerCertificate().raw
+    const x509 = await import('@peculiar/x509')
+    const parsedCert = new x509.X509Certificate(peerCert)
+    const sigAlgo = parsedCert.signatureAlgorithm
+    if (!sigAlgo) {
+      throw new Error('Could not extract signature algorithm from certificate')
+    }
+    const hash = sigAlgo.hash
+    if (!hash) {
+      throw new Error('Could not extract hash from certificate signature algorithm')
+    }
+    let hashName = hash.name
+    if (!hashName) {
+      throw new Error('Could not extract name from certificate signature algorithm hash')
+    }
+    if (/^(md5)|(sha-?1)$/i.test(hashName)) hashName = 'SHA-256'  // for MD5 and SHA-1, we substitute SHA-256
+    const certHash = await crypto.hashByName(hashName, peerCert)
+    const bindingData = Buffer.concat([Buffer.from('p=tls-server-end-point,,'), Buffer.from(certHash)])
+    channelBinding = bindingData.toString('base64')
+  }
+
+  var clientFinalMessageWithoutProof = 'c=' + channelBinding + ',r=' + sv.nonce
   var authMessage = clientFirstMessageBare + ',' + serverFirstMessage + ',' + clientFinalMessageWithoutProof
 
   var saltBytes = Buffer.from(sv.salt, 'base64')

packages/pg/lib/crypto/utils-legacy.js

@@ -19,6 +19,10 @@ function sha256(text) {
   return nodeCrypto.createHash('sha256').update(text).digest()
 }
 
+function hashByName(hashName, text) {
+  return nodeCrypto.createHash(hashName).update(text).digest()
+}
+
 function hmacSha256(key, msg) {
   return nodeCrypto.createHmac('sha256', key).update(msg).digest()
 }
@@ -32,6 +36,7 @@ module.exports = {
   randomBytes: nodeCrypto.randomBytes,
   deriveKey,
   sha256,
+  hashByName,
   hmacSha256,
   md5,
 }

packages/pg/lib/crypto/utils-webcrypto.js

@@ -5,6 +5,7 @@ module.exports = {
   randomBytes,
   deriveKey,
   sha256,
+  hashByName,
   hmacSha256,
   md5,
 }
@@ -60,6 +61,10 @@ async function sha256(text) {
   return await subtleCrypto.digest('SHA-256', text)
 }
 
+async function hashByName(hashName, text) {
+  return await subtleCrypto.digest(hashName, text)
+}
+
 /**
  * Sign the message with the given key
  * @param {ArrayBuffer} keyBuffer

packages/pg/package.json

@@ -20,6 +20,7 @@
   "author": "Brian Carlson <[email protected]>",
   "main": "./lib",
   "dependencies": {
+    "@peculiar/x509": "^1.12.3",
     "pg-connection-string": "^2.7.0",
     "pg-pool": "^3.7.0",
     "pg-protocol": "^1.7.0",

packages/pg/test/integration/client/sasl-scram-tests.js

@@ -45,12 +45,25 @@ if (!config.user || !config.password) {
   return
 }
 
-suite.testAsync('can connect using sasl/scram', async () => {
+suite.testAsync('can connect using sasl/scram (channel binding enabled)', async () => {
   const client = new pg.Client(config)
   let usingSasl = false
   client.connection.once('authenticationSASL', () => {
     usingSasl = true
   })
+  client.enableChannelBinding = true // default
+  await client.connect()
+  assert.ok(usingSasl, 'Should be using SASL for authentication')
+  await client.end()
+})
+
+suite.testAsync('can connect using sasl/scram (channel binding disabled)', async () => {
+  const client = new pg.Client(config)
+  let usingSasl = false
+  client.connection.once('authenticationSASL', () => {
+    usingSasl = true
+  })
+  client.enableChannelBinding = false
   await client.connect()
   assert.ok(usingSasl, 'Should be using SASL for authentication')
   await client.end()