add support for scram-sha-256 with channel binding

[ghost]

add support for scram-sha-256 with channel binding

Setting password_encryption to scram-sha-256 in postgresql.conf will encrypt the password with SCRAM-SHA-256. The default is md5, which will encrypt the password with MD5.

If the password was encrypted with SCRAM-SHA-256 in postgres (by setting password_enc56 in postgresql.conf), then postgres clients can authenticate to the postgres server by setting the ff the password was encrypted with SCRAM-SHA-256 in postgres (by setting password_encryption to scram-sha-256 in postgresql.conf), then postgres cl ients can authenticate to the postgres server by setting the authentication method specification to scram-sha-256 in pg_hba.conf.

The problem is that the pgmoon client doesn't support the SCRAM-SHA-256 authentication method. So the postgres server supports SCRAM-SHA-256, but the client doesn't. If the password is encrypted with SCRAM-SHA-256 (by setting password_encryption to scram-sha-256 in postgresql.conf) and if the postgres method authentication is set to SCRAM-SHA-256 (by setting the authentication method specification to scram-sha-256 in pg_hba.conf) then pgmoon won't be able to authenticate to postgres because the password will be sent as SCRAM-SHA-256 encrypted and not MD5 or plaintext (the ones supported by pgmoon).

Here we are implementing the client-side support for SCRAM-SHA-256 as defined by [3]. Per the postgres docs [2] only SASL is supported as per the RFC 7677 [3]. So the client implementation should be conformant to that RFC only, not for the HTTP version of SCRAM-SHA-256 (RFC 7804).

Implementation details:

• Support for channel binding is implemented as per RFC 5929 [4]
  • Only 'tls-server-end-point' is implemented because it's the only channel binding type used by postgres
  • Requires LuaSec release >= v1.0 for socket type luasocket
  • Requires lua-resty-openssl release >= 0.6.10 for socket type nginx
• There is no support for authzid since postgres doesn't support it [1]
• Right now we are relying on luaossl to provide all the crypto things such as HMAC, PBKDF2, SHA-256 hash function, random bytes generation, etc. It would be nice if in the future we create a compatibility layer to use both the luaossl and resty-openssl libraries for this purpose

[1] https://github.com/postgres/postgres/blob/REL_13_1/src/backend/libpq/auth-scram.c#L1011-L1013 [2] https://www.postgresql.org/docs/13/auth-password.html [3] https://www.rfcreader.com/#rfc7677 [4] https://www.rfcreader.com/#rfc5929

[leafo]

Sorry this hasn't been merged yet, the source code changes are in Lua, but this repository is written in MoonScript, so someone will have to port the code before the changes can be merged. I'm willing to do that, but I just haven't had time yet.

[ozsoyler]

Hello. Is it possible to merge these commits for being able to use in updated kong. Thanks.

[tingeltangelthomas]

+1

[leafo]

This has been rewritten into MoonScript with some minor changes and merged into master. Thanks for the contribution!