Channel binding for post-quantum cryptography

Filip Janus <fjanus@redhat.com>

From: Filip Janus <fjanus@redhat.com>
To: Pgsql Hackers <pgsql-hackers@postgresql.org>
Date: 2025-10-20T07:12:52Z
Lists: pgsql-hackers

Commits

Same data as JSON: GET /api/v1/messages/:b64id/commits the thread's linked commits as JSON, with link sources. API reference →
  1. Fix handling of SCRAM-SHA-256's channel binding with RSA-PSS certificates

Attachments

Hi hackers,

While working on testing post-quantum cryptography integration in my
system, I discovered that PostgreSQL has an issue with channel binding when
using ML-DSA cryptographic algorithms.

The problem is caused by a difference between the currently used algorithms
and post-quantum ones. For example, commonly used algorithms like RSA have
a defined digest algorithm, but ML-DSA does not.

PostgreSQL's channel binding implementation expects all signature
algorithms to have a traditional digest mapping, but post-quantum
algorithms such as ML-DSA use their hash function internally as part of the
signature process.

As a result, the connection fails with the following error:

could not find digest for NID UNDEF

The issue can be worked around by disabling channel binding.

Although the RFC is not entirely clear on how to handle this situation, in
my patch I propose using SHA-256 as the default digest in such cases.


    -Filip-