Open
Description
This is a derivative from #42519.
pg SQL supports an extension to SCRAM-SHA-256 called "channel binding".
What
Channel binding provides an additional layer of security, which makes the SCRAM handshake immune to MITM attacks, even using a malicious intermediate with a valid TLS certificate.
It achieves this by requiring the SCRAM handshake to include a hash of the TLS fingerprint of the server cert, so that the server can verify that the client is seeing its own TLS cert and not the one from the intermediary.
For more details see the pg sources, `backend/libpq/auth-scram.c`.
How
- A server announces that it supports channel binding by announcing SCRAM-SHA-256-PLUS as a supported method alongside SCRAM-SHA-256 in the initial authentication request.
- A client can then request channel binding by requesting SCRAM-SHA-256-PLUS in the initial password response.
- During the handshake, the client and server verify the `p` attribute in the SASL parameters.
Caveats
As of this writing, many client SQL drivers other than pg's own libpq do not support channel binding yet.
Epic CRDB-5349
Jira issue: CRDB-12022
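The check described under "How", as an added Go example that is not part of the original issue or of CockroachDB's code: each side derives `tls-server-end-point` binding data (RFC 5929) from the certificate it sees, and the server compares the client's `c=` value (RFC 5802) with one computed from its own certificate. The function names and the throwaway certificates are assumptions made for illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/sha512"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"math/big"
)

const gs2 = "p=tls-server-end-point,," // GS2 header sent with SCRAM-SHA-256-PLUS

// endpointHash returns the RFC 5929 tls-server-end-point data for a certificate.
func endpointHash(c *x509.Certificate) []byte {
	h := sha256.New() // SHA-256; RFC 5929 also maps MD5 and SHA-1 certs to it
	switch c.SignatureAlgorithm {
	case x509.SHA384WithRSA, x509.ECDSAWithSHA384, x509.SHA384WithRSAPSS:
		h = sha512.New384()
	case x509.SHA512WithRSA, x509.ECDSAWithSHA512, x509.SHA512WithRSAPSS:
		h = sha512.New()
	}
	h.Write(c.Raw)
	return h.Sum(nil)
}

// clientCBind builds the c= value from the certificate the client saw on its TLS link.
func clientCBind(seen *x509.Certificate) string {
	return base64.StdEncoding.EncodeToString(append([]byte(gs2), endpointHash(seen)...))
}

// serverVerify recomputes c= from the server's own certificate and compares.
func serverVerify(own *x509.Certificate, c string) bool {
	return clientCBind(own) == c
}

func selfSigned() *x509.Certificate { // throwaway cert, constructed sample input
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // errors ignored: sample data only
	t := &x509.Certificate{SerialNumber: big.NewInt(1)}
	der, _ := x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

func main() {
	srv, proxy := selfSigned(), selfSigned() // proxy: an intermediary's certificate
	fmt.Println(serverVerify(srv, clientCBind(srv)), serverVerify(srv, clientCBind(proxy)))
}
```

In the real handshake the `c=` value is also covered by the SCRAM proof, so it cannot be rewritten in transit without knowledge of the password.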