auth.c File Reference

#include "postgres.h"
#include <sys/param.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <pwd.h>
#include <unistd.h>
#include "commands/user.h"
#include "common/ip.h"
#include "common/md5.h"
#include "libpq/auth.h"
#include "libpq/crypt.h"
#include "libpq/libpq.h"
#include "libpq/pqformat.h"
#include "libpq/sasl.h"
#include "libpq/scram.h"
#include "miscadmin.h"
#include "port/pg_bswap.h"
#include "postmaster/postmaster.h"
#include "replication/walsender.h"
#include "storage/ipc.h"
#include "utils/guc.h"
#include "utils/memutils.h"
#include "utils/timestamp.h"

Include dependency graph for auth.c:

Go to the source code of this file.

Data Structures
struct	radius_attribute
struct	radius_packet

Macros
#define	IDENT_USERNAME_MAX   512
#define	IDENT_PORT   113
#define	PG_MAX_AUTH_TOKEN_LENGTH   65535
#define	HOSTNAME_LOOKUP_DETAIL(port)
#define	RADIUS_VECTOR_LENGTH   16
#define	RADIUS_HEADER_LENGTH   20
#define	RADIUS_MAX_PASSWORD_LENGTH   128
#define	RADIUS_BUFFER_SIZE   1024
#define	RADIUS_ACCESS_REQUEST   1
#define	RADIUS_ACCESS_ACCEPT   2
#define	RADIUS_ACCESS_REJECT   3
#define	RADIUS_USER_NAME   1
#define	RADIUS_PASSWORD   2
#define	RADIUS_SERVICE_TYPE   6
#define	RADIUS_NAS_IDENTIFIER   32
#define	RADIUS_AUTHENTICATE_ONLY   8
#define	RADIUS_TIMEOUT   3

Functions
static void	auth_failed (Port *port, int status, const char *logdetail)
static char *	recv_password_packet (Port *port)
static void	set_authn_id (Port *port, const char *id)
static int	CheckPasswordAuth (Port *port, const char **logdetail)
static int	CheckPWChallengeAuth (Port *port, const char **logdetail)
static int	CheckMD5Auth (Port *port, char *shadow_pass, const char **logdetail)
static int	ident_inet (hbaPort *port)
static int	auth_peer (hbaPort *port)
static int	CheckRADIUSAuth (Port *port)
static int	PerformRadiusTransaction (const char *server, const char *secret, const char *portstr, const char *identifier, const char *user_name, const char *passwd)
void	ClientAuthentication (Port *port)
void	sendAuthRequest (Port *port, AuthRequest areq, const char *extradata, int extralen)
static bool	interpret_ident_response (const char *ident_response, char *ident_user)
static void	radius_add_attribute (radius_packet *packet, uint8 type, const unsigned char *data, int len)

Variables
char *	pg_krb_server_keyfile
bool	pg_krb_caseins_users
bool	pg_gss_accept_delegation
ClientAuthentication_hook_type	ClientAuthentication_hook = NULL

Macro Definition Documentation

HOSTNAME_LOOKUP_DETAIL

#define HOSTNAME_LOOKUP_DETAIL

(

port

)

Value:

                (port->remote_hostname ? \
                 (port->remote_hostname_resolv == +1 ? \
                  errdetail_log("Client IP address resolved to \"%s\", forward lookup matches.", \
                                port->remote_hostname) : \
                  port->remote_hostname_resolv == 0 ? \
                  errdetail_log("Client IP address resolved to \"%s\", forward lookup not checked.", \
                                port->remote_hostname) : \
                  port->remote_hostname_resolv == -1 ? \
                  errdetail_log("Client IP address resolved to \"%s\", forward lookup does not match.", \
                                port->remote_hostname) : \
                  port->remote_hostname_resolv == -2 ? \
                  errdetail_log("Could not translate client host name \"%s\" to IP address: %s.", \
                                port->remote_hostname, \
                                gai_strerror(port->remote_hostname_errcode)) : \
                  0) \
                 : (port->remote_hostname_resolv == -2 ? \
                    errdetail_log("Could not resolve client IP address to a host name: %s.", \
                                  gai_strerror(port->remote_hostname_errcode)) : \
                    0))

IDENT_PORT

#define IDENT_PORT   113

Definition at line 72 of file auth.c.

IDENT_USERNAME_MAX

#define IDENT_USERNAME_MAX   512

Definition at line 69 of file auth.c.

PG_MAX_AUTH_TOKEN_LENGTH

#define PG_MAX_AUTH_TOKEN_LENGTH   65535

Definition at line 220 of file auth.c.

RADIUS_ACCESS_ACCEPT

#define RADIUS_ACCESS_ACCEPT   2

Definition at line 2801 of file auth.c.

RADIUS_ACCESS_REJECT

#define RADIUS_ACCESS_REJECT   3

Definition at line 2802 of file auth.c.

RADIUS_ACCESS_REQUEST

#define RADIUS_ACCESS_REQUEST   1

Definition at line 2800 of file auth.c.

RADIUS_AUTHENTICATE_ONLY

#define RADIUS_AUTHENTICATE_ONLY   8

Definition at line 2811 of file auth.c.

RADIUS_BUFFER_SIZE

#define RADIUS_BUFFER_SIZE   1024

Definition at line 2780 of file auth.c.

RADIUS_HEADER_LENGTH

#define RADIUS_HEADER_LENGTH   20

Definition at line 2776 of file auth.c.

RADIUS_MAX_PASSWORD_LENGTH

#define RADIUS_MAX_PASSWORD_LENGTH   128

Definition at line 2777 of file auth.c.

RADIUS_NAS_IDENTIFIER

#define RADIUS_NAS_IDENTIFIER   32

Definition at line 2808 of file auth.c.

RADIUS_PASSWORD

#define RADIUS_PASSWORD   2

Definition at line 2806 of file auth.c.

RADIUS_SERVICE_TYPE

#define RADIUS_SERVICE_TYPE   6

Definition at line 2807 of file auth.c.

RADIUS_TIMEOUT

#define RADIUS_TIMEOUT   3

Definition at line 2814 of file auth.c.

RADIUS_USER_NAME

#define RADIUS_USER_NAME   1

Definition at line 2805 of file auth.c.

RADIUS_VECTOR_LENGTH

#define RADIUS_VECTOR_LENGTH   16

Definition at line 2775 of file auth.c.

Function Documentation

auth_failed()

static void auth_failed ( Port *  port, int  status, const char *  logdetail  )

static

Definition at line 248 of file auth.c.

{
    const char *errstr;
    char       *cdetail;
    int         errcode_return = ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION;
 
    /*
     * If we failed due to EOF from client, just quit; there's no point in
     * trying to send a message to the client, and not much point in logging
     * the failure in the postmaster log.  (Logging the failure might be
     * desirable, were it not for the fact that libpq closes the connection
     * unceremoniously if challenged for a password when it hasn't got one to
     * send.  We'll get a useless log entry for every psql connection under
     * password auth, even if it's perfectly successful, if we log STATUS_EOF
     * events.)
     */
    if (status == STATUS_EOF)
        proc_exit(0);
 
    switch (port->hba->auth_method)
    {
        case uaReject:
        case uaImplicitReject:
            errstr = gettext_noop("authentication failed for user \"%s\": host rejected");
            break;
        case uaTrust:
            errstr = gettext_noop("\"trust\" authentication failed for user \"%s\"");
            break;
        case uaIdent:
            errstr = gettext_noop("Ident authentication failed for user \"%s\"");
            break;
        case uaPeer:
            errstr = gettext_noop("Peer authentication failed for user \"%s\"");
            break;
        case uaPassword:
        case uaMD5:
        case uaSCRAM:
            errstr = gettext_noop("password authentication failed for user \"%s\"");
            /* We use it to indicate if a .pgpass password failed. */
            errcode_return = ERRCODE_INVALID_PASSWORD;
            break;
        case uaGSS:
            errstr = gettext_noop("GSSAPI authentication failed for user \"%s\"");
            break;
        case uaSSPI:
            errstr = gettext_noop("SSPI authentication failed for user \"%s\"");
            break;
        case uaPAM:
            errstr = gettext_noop("PAM authentication failed for user \"%s\"");
            break;
        case uaBSD:
            errstr = gettext_noop("BSD authentication failed for user \"%s\"");
            break;
        case uaLDAP:
            errstr = gettext_noop("LDAP authentication failed for user \"%s\"");
            break;
        case uaCert:
            errstr = gettext_noop("certificate authentication failed for user \"%s\"");
            break;
        case uaRADIUS:
            errstr = gettext_noop("RADIUS authentication failed for user \"%s\"");
            break;
        default:
            errstr = gettext_noop("authentication failed for user \"%s\": invalid authentication method");
            break;
    }
 
    cdetail = psprintf(_("Connection matched file \"%s\" line %d: \"%s\""),
                       port->hba->sourcefile, port->hba->linenumber,
                       port->hba->rawline);
    if (logdetail)
        logdetail = psprintf("%s\n%s", logdetail, cdetail);
    else
        logdetail = cdetail;
 
    ereport(FATAL,
            (errcode(errcode_return),
             errmsg(errstr, port->user_name),
             logdetail ? errdetail_log("%s", logdetail) : 0));
 
    /* doesn't return */
}

References _, ereport, errcode(), ERRCODE_INVALID_PASSWORD, errdetail_log(), errmsg(), FATAL, gettext_noop, port, proc_exit(), psprintf(), STATUS_EOF, uaBSD, uaCert, uaGSS, uaIdent, uaImplicitReject, uaLDAP, uaMD5, uaPAM, uaPassword, uaPeer, uaRADIUS, uaReject, uaSCRAM, uaSSPI, and uaTrust.

Referenced by ClientAuthentication().

auth_peer()

static int auth_peer ( hbaPort *  port )

static

Definition at line 1859 of file auth.c.

{
    uid_t       uid;
    gid_t       gid;
#ifndef WIN32
    struct passwd *pw;
    int         ret;
#endif
 
    if (getpeereid(port->sock, &uid, &gid) != 0)
    {
        /* Provide special error message if getpeereid is a stub */
        if (errno == ENOSYS)
            ereport(LOG,
                    (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
                     errmsg("peer authentication is not supported on this platform")));
        else
            ereport(LOG,
                    (errcode_for_socket_access(),
                     errmsg("could not get peer credentials: %m")));
        return STATUS_ERROR;
    }
 
#ifndef WIN32
    errno = 0;                  /* clear errno before call */
    pw = getpwuid(uid);
    if (!pw)
    {
        int         save_errno = errno;
 
        ereport(LOG,
                (errmsg("could not look up local user ID %ld: %s",
                        (long) uid,
                        save_errno ? strerror(save_errno) : _("user does not exist"))));
        return STATUS_ERROR;
    }
 
    /*
     * Make a copy of static getpw*() result area; this is our authenticated
     * identity.  Set it before calling check_usermap, because authentication
     * has already succeeded and we want the log file to reflect that.
     */
    set_authn_id(port, pw->pw_name);
 
    ret = check_usermap(port->hba->usermap, port->user_name,
                        MyClientConnectionInfo.authn_id, false);
 
    return ret;
#else
    /* should have failed with ENOSYS above */
    Assert(false);
    return STATUS_ERROR;
#endif
}

References _, Assert(), ClientConnectionInfo::authn_id, check_usermap(), ereport, errcode(), errcode_for_socket_access(), errmsg(), getpeereid(), LOG, MyClientConnectionInfo, port, set_authn_id(), STATUS_ERROR, and strerror.

Referenced by ClientAuthentication().

CheckMD5Auth()

static int CheckMD5Auth ( Port *  port, char *  shadow_pass, const char **  logdetail  )

static

Definition at line 886 of file auth.c.

{
    char        md5Salt[4];     /* Password salt */
    char       *passwd;
    int         result;
 
    /* include the salt to use for computing the response */
    if (!pg_strong_random(md5Salt, 4))
    {
        ereport(LOG,
                (errmsg("could not generate random MD5 salt")));
        return STATUS_ERROR;
    }
 
    sendAuthRequest(port, AUTH_REQ_MD5, md5Salt, 4);
 
    passwd = recv_password_packet(port);
    if (passwd == NULL)
        return STATUS_EOF;      /* client wouldn't send password */
 
    if (shadow_pass)
        result = md5_crypt_verify(port->user_name, shadow_pass, passwd,
                                  md5Salt, 4, logdetail);
    else
        result = STATUS_ERROR;
 
    pfree(passwd);
 
    return result;
}

References AUTH_REQ_MD5, ereport, errmsg(), LOG, md5_crypt_verify(), pfree(), pg_strong_random(), port, recv_password_packet(), sendAuthRequest(), STATUS_EOF, and STATUS_ERROR.

Referenced by CheckPWChallengeAuth().

CheckPasswordAuth()

static int CheckPasswordAuth ( Port *  port, const char **  logdetail  )

static

Definition at line 789 of file auth.c.

{
    char       *passwd;
    int         result;
    char       *shadow_pass;
 
    sendAuthRequest(port, AUTH_REQ_PASSWORD, NULL, 0);
 
    passwd = recv_password_packet(port);
    if (passwd == NULL)
        return STATUS_EOF;      /* client wouldn't send password */
 
    shadow_pass = get_role_password(port->user_name, logdetail);
    if (shadow_pass)
    {
        result = plain_crypt_verify(port->user_name, shadow_pass, passwd,
                                    logdetail);
    }
    else
        result = STATUS_ERROR;
 
    if (shadow_pass)
        pfree(shadow_pass);
    pfree(passwd);
 
    if (result == STATUS_OK)
        set_authn_id(port, port->user_name);
 
    return result;
}

References AUTH_REQ_PASSWORD, get_role_password(), pfree(), plain_crypt_verify(), port, recv_password_packet(), sendAuthRequest(), set_authn_id(), STATUS_EOF, STATUS_ERROR, and STATUS_OK.

Referenced by ClientAuthentication().

CheckPWChallengeAuth()

static int CheckPWChallengeAuth ( Port *  port, const char **  logdetail  )

static

Definition at line 824 of file auth.c.

{
    int         auth_result;
    char       *shadow_pass;
    PasswordType pwtype;
 
    Assert(port->hba->auth_method == uaSCRAM ||
           port->hba->auth_method == uaMD5);
 
    /* First look up the user's password. */
    shadow_pass = get_role_password(port->user_name, logdetail);
 
    /*
     * If the user does not exist, or has no password or it's expired, we
     * still go through the motions of authentication, to avoid revealing to
     * the client that the user didn't exist.  If 'md5' is allowed, we choose
     * whether to use 'md5' or 'scram-sha-256' authentication based on current
     * password_encryption setting.  The idea is that most genuine users
     * probably have a password of that type, and if we pretend that this user
     * had a password of that type, too, it "blends in" best.
     */
    if (!shadow_pass)
        pwtype = Password_encryption;
    else
        pwtype = get_password_type(shadow_pass);
 
    /*
     * If 'md5' authentication is allowed, decide whether to perform 'md5' or
     * 'scram-sha-256' authentication based on the type of password the user
     * has.  If it's an MD5 hash, we must do MD5 authentication, and if it's a
     * SCRAM secret, we must do SCRAM authentication.
     *
     * If MD5 authentication is not allowed, always use SCRAM.  If the user
     * had an MD5 password, CheckSASLAuth() with the SCRAM mechanism will
     * fail.
     */
    if (port->hba->auth_method == uaMD5 && pwtype == PASSWORD_TYPE_MD5)
        auth_result = CheckMD5Auth(port, shadow_pass, logdetail);
    else
        auth_result = CheckSASLAuth(&pg_be_scram_mech, port, shadow_pass,
                                    logdetail);
 
    if (shadow_pass)
        pfree(shadow_pass);
 
    /*
     * If get_role_password() returned error, return error, even if the
     * authentication succeeded.
     */
    if (!shadow_pass)
    {
        Assert(auth_result != STATUS_OK);
        return STATUS_ERROR;
    }
 
    if (auth_result == STATUS_OK)
        set_authn_id(port, port->user_name);
 
    return auth_result;
}

References Assert(), CheckMD5Auth(), CheckSASLAuth(), get_password_type(), get_role_password(), Password_encryption, PASSWORD_TYPE_MD5, pfree(), pg_be_scram_mech, port, set_authn_id(), STATUS_ERROR, STATUS_OK, uaMD5, and uaSCRAM.

Referenced by ClientAuthentication().

CheckRADIUSAuth()

static int CheckRADIUSAuth ( Port *  port )

static

Definition at line 2843 of file auth.c.

{
    char       *passwd;
    ListCell   *server,
               *secrets,
               *radiusports,
               *identifiers;
 
    /* Make sure struct alignment is correct */
    Assert(offsetof(radius_packet, vector) == 4);
 
    /* Verify parameters */
    if (port->hba->radiusservers == NIL)
    {
        ereport(LOG,
                (errmsg("RADIUS server not specified")));
        return STATUS_ERROR;
    }
 
    if (port->hba->radiussecrets == NIL)
    {
        ereport(LOG,
                (errmsg("RADIUS secret not specified")));
        return STATUS_ERROR;
    }
 
    /* Send regular password request to client, and get the response */
    sendAuthRequest(port, AUTH_REQ_PASSWORD, NULL, 0);
 
    passwd = recv_password_packet(port);
    if (passwd == NULL)
        return STATUS_EOF;      /* client wouldn't send password */
 
    if (strlen(passwd) > RADIUS_MAX_PASSWORD_LENGTH)
    {
        ereport(LOG,
                (errmsg("RADIUS authentication does not support passwords longer than %d characters", RADIUS_MAX_PASSWORD_LENGTH)));
        pfree(passwd);
        return STATUS_ERROR;
    }
 
    /*
     * Loop over and try each server in order.
     */
    secrets = list_head(port->hba->radiussecrets);
    radiusports = list_head(port->hba->radiusports);
    identifiers = list_head(port->hba->radiusidentifiers);
    foreach(server, port->hba->radiusservers)
    {
        int         ret = PerformRadiusTransaction(lfirst(server),
                                                   lfirst(secrets),
                                                   radiusports ? lfirst(radiusports) : NULL,
                                                   identifiers ? lfirst(identifiers) : NULL,
                                                   port->user_name,
                                                   passwd);
 
        /*------
         * STATUS_OK = Login OK
         * STATUS_ERROR = Login not OK, but try next server
         * STATUS_EOF = Login not OK, and don't try next server
         *------
         */
        if (ret == STATUS_OK)
        {
            set_authn_id(port, port->user_name);
 
            pfree(passwd);
            return STATUS_OK;
        }
        else if (ret == STATUS_EOF)
        {
            pfree(passwd);
            return STATUS_ERROR;
        }
 
        /*
         * secret, port and identifiers either have length 0 (use default),
         * length 1 (use the same everywhere) or the same length as servers.
         * So if the length is >1, we advance one step. In other cases, we
         * don't and will then reuse the correct value.
         */
        if (list_length(port->hba->radiussecrets) > 1)
            secrets = lnext(port->hba->radiussecrets, secrets);
        if (list_length(port->hba->radiusports) > 1)
            radiusports = lnext(port->hba->radiusports, radiusports);
        if (list_length(port->hba->radiusidentifiers) > 1)
            identifiers = lnext(port->hba->radiusidentifiers, identifiers);
    }
 
    /* No servers left to try, so give up */
    pfree(passwd);
    return STATUS_ERROR;
}

References Assert(), AUTH_REQ_PASSWORD, ereport, errmsg(), lfirst, list_head(), list_length(), lnext(), LOG, NIL, PerformRadiusTransaction(), pfree(), port, RADIUS_MAX_PASSWORD_LENGTH, recv_password_packet(), sendAuthRequest(), set_authn_id(), STATUS_EOF, STATUS_ERROR, and STATUS_OK.

Referenced by ClientAuthentication().

ClientAuthentication()

void ClientAuthentication

(

Port *

port

)

Definition at line 384 of file auth.c.

{
    int         status = STATUS_ERROR;
    const char *logdetail = NULL;
 
    /*
     * Get the authentication method to use for this frontend/database
     * combination.  Note: we do not parse the file at this point; this has
     * already been done elsewhere.  hba.c dropped an error message into the
     * server logfile if parsing the hba config file failed.
     */
    hba_getauthmethod(port);
 
    CHECK_FOR_INTERRUPTS();
 
    /*
     * This is the first point where we have access to the hba record for the
     * current connection, so perform any verifications based on the hba
     * options field that should be done *before* the authentication here.
     */
    if (port->hba->clientcert != clientCertOff)
    {
        /* If we haven't loaded a root certificate store, fail */
        if (!secure_loaded_verify_locations())
            ereport(FATAL,
                    (errcode(ERRCODE_CONFIG_FILE_ERROR),
                     errmsg("client certificates can only be checked if a root certificate store is available")));
 
        /*
         * If we loaded a root certificate store, and if a certificate is
         * present on the client, then it has been verified against our root
         * certificate store, and the connection would have been aborted
         * already if it didn't verify ok.
         */
        if (!port->peer_cert_valid)
            ereport(FATAL,
                    (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
                     errmsg("connection requires a valid client certificate")));
    }
 
    /*
     * Now proceed to do the actual authentication check
     */
    switch (port->hba->auth_method)
    {
        case uaReject:
 
            /*
             * An explicit "reject" entry in pg_hba.conf.  This report exposes
             * the fact that there's an explicit reject entry, which is
             * perhaps not so desirable from a security standpoint; but the
             * message for an implicit reject could confuse the DBA a lot when
             * the true situation is a match to an explicit reject.  And we
             * don't want to change the message for an implicit reject.  As
             * noted below, the additional information shown here doesn't
             * expose anything not known to an attacker.
             */
            {
                char        hostinfo[NI_MAXHOST];
                const char *encryption_state;
 
                pg_getnameinfo_all(&port->raddr.addr, port->raddr.salen,
                                   hostinfo, sizeof(hostinfo),
                                   NULL, 0,
                                   NI_NUMERICHOST);
 
                encryption_state =
#ifdef ENABLE_GSS
                    (port->gss && port->gss->enc) ? _("GSS encryption") :
#endif
#ifdef USE_SSL
                    port->ssl_in_use ? _("SSL encryption") :
#endif
                    _("no encryption");
 
                if (am_walsender && !am_db_walsender)
                    ereport(FATAL,
                            (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
                    /* translator: last %s describes encryption state */
                             errmsg("pg_hba.conf rejects replication connection for host \"%s\", user \"%s\", %s",
                                    hostinfo, port->user_name,
                                    encryption_state)));
                else
                    ereport(FATAL,
                            (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
                    /* translator: last %s describes encryption state */
                             errmsg("pg_hba.conf rejects connection for host \"%s\", user \"%s\", database \"%s\", %s",
                                    hostinfo, port->user_name,
                                    port->database_name,
                                    encryption_state)));
                break;
            }
 
        case uaImplicitReject:
 
            /*
             * No matching entry, so tell the user we fell through.
             *
             * NOTE: the extra info reported here is not a security breach,
             * because all that info is known at the frontend and must be
             * assumed known to bad guys.  We're merely helping out the less
             * clueful good guys.
             */
            {
                char        hostinfo[NI_MAXHOST];
                const char *encryption_state;
 
                pg_getnameinfo_all(&port->raddr.addr, port->raddr.salen,
                                   hostinfo, sizeof(hostinfo),
                                   NULL, 0,
                                   NI_NUMERICHOST);
 
                encryption_state =
#ifdef ENABLE_GSS
                    (port->gss && port->gss->enc) ? _("GSS encryption") :
#endif
#ifdef USE_SSL
                    port->ssl_in_use ? _("SSL encryption") :
#endif
                    _("no encryption");
 
#define HOSTNAME_LOOKUP_DETAIL(port) \
                (port->remote_hostname ? \
                 (port->remote_hostname_resolv == +1 ? \
                  errdetail_log("Client IP address resolved to \"%s\", forward lookup matches.", \
                                port->remote_hostname) : \
                  port->remote_hostname_resolv == 0 ? \
                  errdetail_log("Client IP address resolved to \"%s\", forward lookup not checked.", \
                                port->remote_hostname) : \
                  port->remote_hostname_resolv == -1 ? \
                  errdetail_log("Client IP address resolved to \"%s\", forward lookup does not match.", \
                                port->remote_hostname) : \
                  port->remote_hostname_resolv == -2 ? \
                  errdetail_log("Could not translate client host name \"%s\" to IP address: %s.", \
                                port->remote_hostname, \
                                gai_strerror(port->remote_hostname_errcode)) : \
                  0) \
                 : (port->remote_hostname_resolv == -2 ? \
                    errdetail_log("Could not resolve client IP address to a host name: %s.", \
                                  gai_strerror(port->remote_hostname_errcode)) : \
                    0))
 
                if (am_walsender && !am_db_walsender)
                    ereport(FATAL,
                            (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
                    /* translator: last %s describes encryption state */
                             errmsg("no pg_hba.conf entry for replication connection from host \"%s\", user \"%s\", %s",
                                    hostinfo, port->user_name,
                                    encryption_state),
                             HOSTNAME_LOOKUP_DETAIL(port)));
                else
                    ereport(FATAL,
                            (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
                    /* translator: last %s describes encryption state */
                             errmsg("no pg_hba.conf entry for host \"%s\", user \"%s\", database \"%s\", %s",
                                    hostinfo, port->user_name,
                                    port->database_name,
                                    encryption_state),
                             HOSTNAME_LOOKUP_DETAIL(port)));
                break;
            }
 
        case uaGSS:
#ifdef ENABLE_GSS
            /* We might or might not have the gss workspace already */
            if (port->gss == NULL)
                port->gss = (pg_gssinfo *)
                    MemoryContextAllocZero(TopMemoryContext,
                                           sizeof(pg_gssinfo));
            port->gss->auth = true;
 
            /*
             * If GSS state was set up while enabling encryption, we can just
             * check the client's principal.  Otherwise, ask for it.
             */
            if (port->gss->enc)
                status = pg_GSS_checkauth(port);
            else
            {
                sendAuthRequest(port, AUTH_REQ_GSS, NULL, 0);
                status = pg_GSS_recvauth(port);
            }
#else
            Assert(false);
#endif
            break;
 
        case uaSSPI:
#ifdef ENABLE_SSPI
            if (port->gss == NULL)
                port->gss = (pg_gssinfo *)
                    MemoryContextAllocZero(TopMemoryContext,
                                           sizeof(pg_gssinfo));
            sendAuthRequest(port, AUTH_REQ_SSPI, NULL, 0);
            status = pg_SSPI_recvauth(port);
#else
            Assert(false);
#endif
            break;
 
        case uaPeer:
            status = auth_peer(port);
            break;
 
        case uaIdent:
            status = ident_inet(port);
            break;
 
        case uaMD5:
        case uaSCRAM:
            status = CheckPWChallengeAuth(port, &logdetail);
            break;
 
        case uaPassword:
            status = CheckPasswordAuth(port, &logdetail);
            break;
 
        case uaPAM:
#ifdef USE_PAM
            status = CheckPAMAuth(port, port->user_name, "");
#else
            Assert(false);
#endif                          /* USE_PAM */
            break;
 
        case uaBSD:
#ifdef USE_BSD_AUTH
            status = CheckBSDAuth(port, port->user_name);
#else
            Assert(false);
#endif                          /* USE_BSD_AUTH */
            break;
 
        case uaLDAP:
#ifdef USE_LDAP
            status = CheckLDAPAuth(port);
#else
            Assert(false);
#endif
            break;
        case uaRADIUS:
            status = CheckRADIUSAuth(port);
            break;
        case uaCert:
            /* uaCert will be treated as if clientcert=verify-full (uaTrust) */
        case uaTrust:
            status = STATUS_OK;
            break;
    }
 
    if ((status == STATUS_OK && port->hba->clientcert == clientCertFull)
        || port->hba->auth_method == uaCert)
    {
        /*
         * Make sure we only check the certificate if we use the cert method
         * or verify-full option.
         */
#ifdef USE_SSL
        status = CheckCertAuth(port);
#else
        Assert(false);
#endif
    }
 
    if (Log_connections && status == STATUS_OK &&
        !MyClientConnectionInfo.authn_id)
    {
        /*
         * Normally, if log_connections is set, the call to set_authn_id()
         * will log the connection.  However, if that function is never
         * called, perhaps because the trust method is in use, then we handle
         * the logging here instead.
         */
        ereport(LOG,
                errmsg("connection authenticated: user=\"%s\" method=%s "
                       "(%s:%d)",
                       port->user_name, hba_authname(port->hba->auth_method),
                       port->hba->sourcefile, port->hba->linenumber));
    }
 
    if (ClientAuthentication_hook)
        (*ClientAuthentication_hook) (port, status);
 
    if (status == STATUS_OK)
        sendAuthRequest(port, AUTH_REQ_OK, NULL, 0);
    else
        auth_failed(port, status, logdetail);
}

References _, am_db_walsender, am_walsender, Assert(), auth_failed(), auth_peer(), AUTH_REQ_GSS, AUTH_REQ_OK, AUTH_REQ_SSPI, ClientConnectionInfo::authn_id, CHECK_FOR_INTERRUPTS, CheckPasswordAuth(), CheckPWChallengeAuth(), CheckRADIUSAuth(), ClientAuthentication_hook, clientCertFull, clientCertOff, ereport, errcode(), errmsg(), FATAL, hba_authname(), hba_getauthmethod(), HOSTNAME_LOOKUP_DETAIL, ident_inet(), LOG, Log_connections, MemoryContextAllocZero(), MyClientConnectionInfo, pg_getnameinfo_all(), port, secure_loaded_verify_locations(), sendAuthRequest(), STATUS_ERROR, STATUS_OK, TopMemoryContext, uaBSD, uaCert, uaGSS, uaIdent, uaImplicitReject, uaLDAP, uaMD5, uaPAM, uaPassword, uaPeer, uaRADIUS, uaReject, uaSCRAM, uaSSPI, and uaTrust.

Referenced by PerformAuthentication().

ident_inet()

static int ident_inet ( hbaPort *  port )

static

Definition at line 1674 of file auth.c.

{
    const SockAddr remote_addr = port->raddr;
    const SockAddr local_addr = port->laddr;
    char        ident_user[IDENT_USERNAME_MAX + 1];
    pgsocket    sock_fd = PGINVALID_SOCKET; /* for talking to Ident server */
    int         rc;             /* Return code from a locally called function */
    bool        ident_return;
    char        remote_addr_s[NI_MAXHOST];
    char        remote_port[NI_MAXSERV];
    char        local_addr_s[NI_MAXHOST];
    char        local_port[NI_MAXSERV];
    char        ident_port[NI_MAXSERV];
    char        ident_query[80];
    char        ident_response[80 + IDENT_USERNAME_MAX];
    struct addrinfo *ident_serv = NULL,
               *la = NULL,
                hints;
 
    /*
     * Might look a little weird to first convert it to text and then back to
     * sockaddr, but it's protocol independent.
     */
    pg_getnameinfo_all(&remote_addr.addr, remote_addr.salen,
                       remote_addr_s, sizeof(remote_addr_s),
                       remote_port, sizeof(remote_port),
                       NI_NUMERICHOST | NI_NUMERICSERV);
    pg_getnameinfo_all(&local_addr.addr, local_addr.salen,
                       local_addr_s, sizeof(local_addr_s),
                       local_port, sizeof(local_port),
                       NI_NUMERICHOST | NI_NUMERICSERV);
 
    snprintf(ident_port, sizeof(ident_port), "%d", IDENT_PORT);
    hints.ai_flags = AI_NUMERICHOST;
    hints.ai_family = remote_addr.addr.ss_family;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_protocol = 0;
    hints.ai_addrlen = 0;
    hints.ai_canonname = NULL;
    hints.ai_addr = NULL;
    hints.ai_next = NULL;
    rc = pg_getaddrinfo_all(remote_addr_s, ident_port, &hints, &ident_serv);
    if (rc || !ident_serv)
    {
        /* we don't expect this to happen */
        ident_return = false;
        goto ident_inet_done;
    }
 
    hints.ai_flags = AI_NUMERICHOST;
    hints.ai_family = local_addr.addr.ss_family;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_protocol = 0;
    hints.ai_addrlen = 0;
    hints.ai_canonname = NULL;
    hints.ai_addr = NULL;
    hints.ai_next = NULL;
    rc = pg_getaddrinfo_all(local_addr_s, NULL, &hints, &la);
    if (rc || !la)
    {
        /* we don't expect this to happen */
        ident_return = false;
        goto ident_inet_done;
    }
 
    sock_fd = socket(ident_serv->ai_family, ident_serv->ai_socktype,
                     ident_serv->ai_protocol);
    if (sock_fd == PGINVALID_SOCKET)
    {
        ereport(LOG,
                (errcode_for_socket_access(),
                 errmsg("could not create socket for Ident connection: %m")));
        ident_return = false;
        goto ident_inet_done;
    }
 
    /*
     * Bind to the address which the client originally contacted, otherwise
     * the ident server won't be able to match up the right connection. This
     * is necessary if the PostgreSQL server is running on an IP alias.
     */
    rc = bind(sock_fd, la->ai_addr, la->ai_addrlen);
    if (rc != 0)
    {
        ereport(LOG,
                (errcode_for_socket_access(),
                 errmsg("could not bind to local address \"%s\": %m",
                        local_addr_s)));
        ident_return = false;
        goto ident_inet_done;
    }
 
    rc = connect(sock_fd, ident_serv->ai_addr,
                 ident_serv->ai_addrlen);
    if (rc != 0)
    {
        ereport(LOG,
                (errcode_for_socket_access(),
                 errmsg("could not connect to Ident server at address \"%s\", port %s: %m",
                        remote_addr_s, ident_port)));
        ident_return = false;
        goto ident_inet_done;
    }
 
    /* The query we send to the Ident server */
    snprintf(ident_query, sizeof(ident_query), "%s,%s\r\n",
             remote_port, local_port);
 
    /* loop in case send is interrupted */
    do
    {
        CHECK_FOR_INTERRUPTS();
 
        rc = send(sock_fd, ident_query, strlen(ident_query), 0);
    } while (rc < 0 && errno == EINTR);
 
    if (rc < 0)
    {
        ereport(LOG,
                (errcode_for_socket_access(),
                 errmsg("could not send query to Ident server at address \"%s\", port %s: %m",
                        remote_addr_s, ident_port)));
        ident_return = false;
        goto ident_inet_done;
    }
 
    do
    {
        CHECK_FOR_INTERRUPTS();
 
        rc = recv(sock_fd, ident_response, sizeof(ident_response) - 1, 0);
    } while (rc < 0 && errno == EINTR);
 
    if (rc < 0)
    {
        ereport(LOG,
                (errcode_for_socket_access(),
                 errmsg("could not receive response from Ident server at address \"%s\", port %s: %m",
                        remote_addr_s, ident_port)));
        ident_return = false;
        goto ident_inet_done;
    }
 
    ident_response[rc] = '\0';
    ident_return = interpret_ident_response(ident_response, ident_user);
    if (!ident_return)
        ereport(LOG,
                (errmsg("invalidly formatted response from Ident server: \"%s\"",
                        ident_response)));
 
ident_inet_done:
    if (sock_fd != PGINVALID_SOCKET)
        closesocket(sock_fd);
    if (ident_serv)
        pg_freeaddrinfo_all(remote_addr.addr.ss_family, ident_serv);
    if (la)
        pg_freeaddrinfo_all(local_addr.addr.ss_family, la);
 
    if (ident_return)
    {
        /*
         * Success!  Store the identity, then check the usermap. Note that
         * setting the authenticated identity is done before checking the
         * usermap, because at this point authentication has succeeded.
         */
        set_authn_id(port, ident_user);
        return check_usermap(port->hba->usermap, port->user_name, ident_user, false);
    }
    return STATUS_ERROR;
}

References SockAddr::addr, bind, CHECK_FOR_INTERRUPTS, check_usermap(), closesocket, connect, EINTR, ereport, errcode_for_socket_access(), errmsg(), IDENT_PORT, IDENT_USERNAME_MAX, interpret_ident_response(), LOG, pg_freeaddrinfo_all(), pg_getaddrinfo_all(), pg_getnameinfo_all(), PGINVALID_SOCKET, port, recv, SockAddr::salen, send, set_authn_id(), snprintf, socket, and STATUS_ERROR.

Referenced by ClientAuthentication().

interpret_ident_response()

static bool interpret_ident_response ( const char *  ident_response, char *  ident_user  )

static

Definition at line 1593 of file auth.c.

{
    const char *cursor = ident_response;    /* Cursor into *ident_response */
 
    /*
     * Ident's response, in the telnet tradition, should end in crlf (\r\n).
     */
    if (strlen(ident_response) < 2)
        return false;
    else if (ident_response[strlen(ident_response) - 2] != '\r')
        return false;
    else
    {
        while (*cursor != ':' && *cursor != '\r')
            cursor++;           /* skip port field */
 
        if (*cursor != ':')
            return false;
        else
        {
            /* We're positioned to colon before response type field */
            char        response_type[80];
            int         i;      /* Index into *response_type */
 
            cursor++;           /* Go over colon */
            while (pg_isblank(*cursor))
                cursor++;       /* skip blanks */
            i = 0;
            while (*cursor != ':' && *cursor != '\r' && !pg_isblank(*cursor) &&
                   i < (int) (sizeof(response_type) - 1))
                response_type[i++] = *cursor++;
            response_type[i] = '\0';
            while (pg_isblank(*cursor))
                cursor++;       /* skip blanks */
            if (strcmp(response_type, "USERID") != 0)
                return false;
            else
            {
                /*
                 * It's a USERID response.  Good.  "cursor" should be pointing
                 * to the colon that precedes the operating system type.
                 */
                if (*cursor != ':')
                    return false;
                else
                {
                    cursor++;   /* Go over colon */
                    /* Skip over operating system field. */
                    while (*cursor != ':' && *cursor != '\r')
                        cursor++;
                    if (*cursor != ':')
                        return false;
                    else
                    {
                        cursor++;   /* Go over colon */
                        while (pg_isblank(*cursor))
                            cursor++;   /* skip blanks */
                        /* Rest of line is user name.  Copy it over. */
                        i = 0;
                        while (*cursor != '\r' && i < IDENT_USERNAME_MAX)
                            ident_user[i++] = *cursor++;
                        ident_user[i] = '\0';
                        return true;
                    }
                }
            }
        }
    }
}

References i, IDENT_USERNAME_MAX, and pg_isblank().

Referenced by ident_inet().

PerformRadiusTransaction()

static int PerformRadiusTransaction ( const char *  server, const char *  secret, const char *  portstr, const char *  identifier, const char *  user_name, const char *  passwd  )

static

Definition at line 2938 of file auth.c.

{
    radius_packet radius_send_pack;
    radius_packet radius_recv_pack;
    radius_packet *packet = &radius_send_pack;
    radius_packet *receivepacket = &radius_recv_pack;
    char       *radius_buffer = (char *) &radius_send_pack;
    char       *receive_buffer = (char *) &radius_recv_pack;
    int32       service = pg_hton32(RADIUS_AUTHENTICATE_ONLY);
    uint8      *cryptvector;
    int         encryptedpasswordlen;
    uint8       encryptedpassword[RADIUS_MAX_PASSWORD_LENGTH];
    uint8      *md5trailer;
    int         packetlength;
    pgsocket    sock;
 
    struct sockaddr_in6 localaddr;
    struct sockaddr_in6 remoteaddr;
    struct addrinfo hint;
    struct addrinfo *serveraddrs;
    int         port;
    socklen_t   addrsize;
    fd_set      fdset;
    struct timeval endtime;
    int         i,
                j,
                r;
 
    /* Assign default values */
    if (portstr == NULL)
        portstr = "1812";
    if (identifier == NULL)
        identifier = "postgresql";
 
    MemSet(&hint, 0, sizeof(hint));
    hint.ai_socktype = SOCK_DGRAM;
    hint.ai_family = AF_UNSPEC;
    port = atoi(portstr);
 
    r = pg_getaddrinfo_all(server, portstr, &hint, &serveraddrs);
    if (r || !serveraddrs)
    {
        ereport(LOG,
                (errmsg("could not translate RADIUS server name \"%s\" to address: %s",
                        server, gai_strerror(r))));
        if (serveraddrs)
            pg_freeaddrinfo_all(hint.ai_family, serveraddrs);
        return STATUS_ERROR;
    }
    /* XXX: add support for multiple returned addresses? */
 
    /* Construct RADIUS packet */
    packet->code = RADIUS_ACCESS_REQUEST;
    packet->length = RADIUS_HEADER_LENGTH;
    if (!pg_strong_random(packet->vector, RADIUS_VECTOR_LENGTH))
    {
        ereport(LOG,
                (errmsg("could not generate random encryption vector")));
        pg_freeaddrinfo_all(hint.ai_family, serveraddrs);
        return STATUS_ERROR;
    }
    packet->id = packet->vector[0];
    radius_add_attribute(packet, RADIUS_SERVICE_TYPE, (const unsigned char *) &service, sizeof(service));
    radius_add_attribute(packet, RADIUS_USER_NAME, (const unsigned char *) user_name, strlen(user_name));
    radius_add_attribute(packet, RADIUS_NAS_IDENTIFIER, (const unsigned char *) identifier, strlen(identifier));
 
    /*
     * RADIUS password attributes are calculated as: e[0] = p[0] XOR
     * MD5(secret + Request Authenticator) for the first group of 16 octets,
     * and then: e[i] = p[i] XOR MD5(secret + e[i-1]) for the following ones
     * (if necessary)
     */
    encryptedpasswordlen = ((strlen(passwd) + RADIUS_VECTOR_LENGTH - 1) / RADIUS_VECTOR_LENGTH) * RADIUS_VECTOR_LENGTH;
    cryptvector = palloc(strlen(secret) + RADIUS_VECTOR_LENGTH);
    memcpy(cryptvector, secret, strlen(secret));
 
    /* for the first iteration, we use the Request Authenticator vector */
    md5trailer = packet->vector;
    for (i = 0; i < encryptedpasswordlen; i += RADIUS_VECTOR_LENGTH)
    {
        const char *errstr = NULL;
 
        memcpy(cryptvector + strlen(secret), md5trailer, RADIUS_VECTOR_LENGTH);
 
        /*
         * .. and for subsequent iterations the result of the previous XOR
         * (calculated below)
         */
        md5trailer = encryptedpassword + i;
 
        if (!pg_md5_binary(cryptvector, strlen(secret) + RADIUS_VECTOR_LENGTH,
                           encryptedpassword + i, &errstr))
        {
            ereport(LOG,
                    (errmsg("could not perform MD5 encryption of password: %s",
                            errstr)));
            pfree(cryptvector);
            pg_freeaddrinfo_all(hint.ai_family, serveraddrs);
            return STATUS_ERROR;
        }
 
        for (j = i; j < i + RADIUS_VECTOR_LENGTH; j++)
        {
            if (j < strlen(passwd))
                encryptedpassword[j] = passwd[j] ^ encryptedpassword[j];
            else
                encryptedpassword[j] = '\0' ^ encryptedpassword[j];
        }
    }
    pfree(cryptvector);
 
    radius_add_attribute(packet, RADIUS_PASSWORD, encryptedpassword, encryptedpasswordlen);
 
    /* Length needs to be in network order on the wire */
    packetlength = packet->length;
    packet->length = pg_hton16(packet->length);
 
    sock = socket(serveraddrs[0].ai_family, SOCK_DGRAM, 0);
    if (sock == PGINVALID_SOCKET)
    {
        ereport(LOG,
                (errmsg("could not create RADIUS socket: %m")));
        pg_freeaddrinfo_all(hint.ai_family, serveraddrs);
        return STATUS_ERROR;
    }
 
    memset(&localaddr, 0, sizeof(localaddr));
    localaddr.sin6_family = serveraddrs[0].ai_family;
    localaddr.sin6_addr = in6addr_any;
    if (localaddr.sin6_family == AF_INET6)
        addrsize = sizeof(struct sockaddr_in6);
    else
        addrsize = sizeof(struct sockaddr_in);
 
    if (bind(sock, (struct sockaddr *) &localaddr, addrsize))
    {
        ereport(LOG,
                (errmsg("could not bind local RADIUS socket: %m")));
        closesocket(sock);
        pg_freeaddrinfo_all(hint.ai_family, serveraddrs);
        return STATUS_ERROR;
    }
 
    if (sendto(sock, radius_buffer, packetlength, 0,
               serveraddrs[0].ai_addr, serveraddrs[0].ai_addrlen) < 0)
    {
        ereport(LOG,
                (errmsg("could not send RADIUS packet: %m")));
        closesocket(sock);
        pg_freeaddrinfo_all(hint.ai_family, serveraddrs);
        return STATUS_ERROR;
    }
 
    /* Don't need the server address anymore */
    pg_freeaddrinfo_all(hint.ai_family, serveraddrs);
 
    /*
     * Figure out at what time we should time out. We can't just use a single
     * call to select() with a timeout, since somebody can be sending invalid
     * packets to our port thus causing us to retry in a loop and never time
     * out.
     *
     * XXX: Using WaitLatchOrSocket() and doing a CHECK_FOR_INTERRUPTS() if
     * the latch was set would improve the responsiveness to
     * timeouts/cancellations.
     */
    gettimeofday(&endtime, NULL);
    endtime.tv_sec += RADIUS_TIMEOUT;
 
    while (true)
    {
        struct timeval timeout;
        struct timeval now;
        int64       timeoutval;
        const char *errstr = NULL;
 
        gettimeofday(&now, NULL);
        timeoutval = (endtime.tv_sec * 1000000 + endtime.tv_usec) - (now.tv_sec * 1000000 + now.tv_usec);
        if (timeoutval <= 0)
        {
            ereport(LOG,
                    (errmsg("timeout waiting for RADIUS response from %s",
                            server)));
            closesocket(sock);
            return STATUS_ERROR;
        }
        timeout.tv_sec = timeoutval / 1000000;
        timeout.tv_usec = timeoutval % 1000000;
 
        FD_ZERO(&fdset);
        FD_SET(sock, &fdset);
 
        r = select(sock + 1, &fdset, NULL, NULL, &timeout);
        if (r < 0)
        {
            if (errno == EINTR)
                continue;
 
            /* Anything else is an actual error */
            ereport(LOG,
                    (errmsg("could not check status on RADIUS socket: %m")));
            closesocket(sock);
            return STATUS_ERROR;
        }
        if (r == 0)
        {
            ereport(LOG,
                    (errmsg("timeout waiting for RADIUS response from %s",
                            server)));
            closesocket(sock);
            return STATUS_ERROR;
        }
 
        /*
         * Attempt to read the response packet, and verify the contents.
         *
         * Any packet that's not actually a RADIUS packet, or otherwise does
         * not validate as an explicit reject, is just ignored and we retry
         * for another packet (until we reach the timeout). This is to avoid
         * the possibility to denial-of-service the login by flooding the
         * server with invalid packets on the port that we're expecting the
         * RADIUS response on.
         */
 
        addrsize = sizeof(remoteaddr);
        packetlength = recvfrom(sock, receive_buffer, RADIUS_BUFFER_SIZE, 0,
                                (struct sockaddr *) &remoteaddr, &addrsize);
        if (packetlength < 0)
        {
            ereport(LOG,
                    (errmsg("could not read RADIUS response: %m")));
            closesocket(sock);
            return STATUS_ERROR;
        }
 
        if (remoteaddr.sin6_port != pg_hton16(port))
        {
            ereport(LOG,
                    (errmsg("RADIUS response from %s was sent from incorrect port: %d",
                            server, pg_ntoh16(remoteaddr.sin6_port))));
            continue;
        }
 
        if (packetlength < RADIUS_HEADER_LENGTH)
        {
            ereport(LOG,
                    (errmsg("RADIUS response from %s too short: %d", server, packetlength)));
            continue;
        }
 
        if (packetlength != pg_ntoh16(receivepacket->length))
        {
            ereport(LOG,
                    (errmsg("RADIUS response from %s has corrupt length: %d (actual length %d)",
                            server, pg_ntoh16(receivepacket->length), packetlength)));
            continue;
        }
 
        if (packet->id != receivepacket->id)
        {
            ereport(LOG,
                    (errmsg("RADIUS response from %s is to a different request: %d (should be %d)",
                            server, receivepacket->id, packet->id)));
            continue;
        }
 
        /*
         * Verify the response authenticator, which is calculated as
         * MD5(Code+ID+Length+RequestAuthenticator+Attributes+Secret)
         */
        cryptvector = palloc(packetlength + strlen(secret));
 
        memcpy(cryptvector, receivepacket, 4);  /* code+id+length */
        memcpy(cryptvector + 4, packet->vector, RADIUS_VECTOR_LENGTH);  /* request
                                                                         * authenticator, from
                                                                         * original packet */
        if (packetlength > RADIUS_HEADER_LENGTH)    /* there may be no
                                                     * attributes at all */
            memcpy(cryptvector + RADIUS_HEADER_LENGTH, receive_buffer + RADIUS_HEADER_LENGTH, packetlength - RADIUS_HEADER_LENGTH);
        memcpy(cryptvector + packetlength, secret, strlen(secret));
 
        if (!pg_md5_binary(cryptvector,
                           packetlength + strlen(secret),
                           encryptedpassword, &errstr))
        {
            ereport(LOG,
                    (errmsg("could not perform MD5 encryption of received packet: %s",
                            errstr)));
            pfree(cryptvector);
            continue;
        }
        pfree(cryptvector);
 
        if (memcmp(receivepacket->vector, encryptedpassword, RADIUS_VECTOR_LENGTH) != 0)
        {
            ereport(LOG,
                    (errmsg("RADIUS response from %s has incorrect MD5 signature",
                            server)));
            continue;
        }
 
        if (receivepacket->code == RADIUS_ACCESS_ACCEPT)
        {
            closesocket(sock);
            return STATUS_OK;
        }
        else if (receivepacket->code == RADIUS_ACCESS_REJECT)
        {
            closesocket(sock);
            return STATUS_EOF;
        }
        else
        {
            ereport(LOG,
                    (errmsg("RADIUS response from %s has invalid code (%d) for user \"%s\"",
                            server, receivepacket->code, user_name)));
            continue;
        }
    }                           /* while (true) */
}

References bind, closesocket, radius_packet::code, EINTR, ereport, errmsg(), gettimeofday(), i, radius_packet::id, j, radius_packet::length, LOG, MemSet, now(), palloc(), pfree(), pg_freeaddrinfo_all(), pg_getaddrinfo_all(), pg_hton16, pg_hton32, pg_md5_binary(), pg_ntoh16, pg_strong_random(), PGINVALID_SOCKET, port, portstr, RADIUS_ACCESS_ACCEPT, RADIUS_ACCESS_REJECT, RADIUS_ACCESS_REQUEST, radius_add_attribute(), RADIUS_AUTHENTICATE_ONLY, RADIUS_BUFFER_SIZE, RADIUS_HEADER_LENGTH, RADIUS_MAX_PASSWORD_LENGTH, RADIUS_NAS_IDENTIFIER, RADIUS_PASSWORD, RADIUS_SERVICE_TYPE, RADIUS_TIMEOUT, RADIUS_USER_NAME, RADIUS_VECTOR_LENGTH, select, socket, STATUS_EOF, STATUS_ERROR, STATUS_OK, and radius_packet::vector.

Referenced by CheckRADIUSAuth().

radius_add_attribute()

static void radius_add_attribute ( radius_packet *  packet, uint8  type, const unsigned char *  data, int  len  )

static

Definition at line 2817 of file auth.c.

{
    radius_attribute *attr;
 
    if (packet->length + len > RADIUS_BUFFER_SIZE)
    {
        /*
         * With remotely realistic data, this can never happen. But catch it
         * just to make sure we don't overrun a buffer. We'll just skip adding
         * the broken attribute, which will in the end cause authentication to
         * fail.
         */
        elog(WARNING,
             "adding attribute code %d with length %d to radius packet would create oversize packet, ignoring",
             type, len);
        return;
    }
 
    attr = (radius_attribute *) ((unsigned char *) packet + packet->length);
    attr->attribute = type;
    attr->length = len + 2;     /* total size includes type and length */
    memcpy(attr->data, data, len);
    packet->length += attr->length;
}

References radius_attribute::attribute, radius_attribute::data, data, elog(), len, radius_attribute::length, radius_packet::length, RADIUS_BUFFER_SIZE, type, and WARNING.

Referenced by PerformRadiusTransaction().

recv_password_packet()

static char * recv_password_packet ( Port *  port )

static

Definition at line 708 of file auth.c.

{
    StringInfoData buf;
    int         mtype;
 
    pq_startmsgread();
 
    /* Expect 'p' message type */
    mtype = pq_getbyte();
    if (mtype != PqMsg_PasswordMessage)
    {
        /*
         * If the client just disconnects without offering a password, don't
         * make a log entry.  This is legal per protocol spec and in fact
         * commonly done by psql, so complaining just clutters the log.
         */
        if (mtype != EOF)
            ereport(ERROR,
                    (errcode(ERRCODE_PROTOCOL_VIOLATION),
                     errmsg("expected password response, got message type %d",
                            mtype)));
        return NULL;            /* EOF or bad message type */
    }
 
    initStringInfo(&buf);
    if (pq_getmessage(&buf, PG_MAX_AUTH_TOKEN_LENGTH))  /* receive password */
    {
        /* EOF - pq_getmessage already logged a suitable message */
        pfree(buf.data);
        return NULL;
    }
 
    /*
     * Apply sanity check: password packet length should agree with length of
     * contained string.  Note it is safe to use strlen here because
     * StringInfo is guaranteed to have an appended '\0'.
     */
    if (strlen(buf.data) + 1 != buf.len)
        ereport(ERROR,
                (errcode(ERRCODE_PROTOCOL_VIOLATION),
                 errmsg("invalid password packet size")));
 
    /*
     * Don't allow an empty password. Libpq treats an empty password the same
     * as no password at all, and won't even try to authenticate. But other
     * clients might, so allowing it would be confusing.
     *
     * Note that this only catches an empty password sent by the client in
     * plaintext. There's also a check in CREATE/ALTER USER that prevents an
     * empty string from being stored as a user's password in the first place.
     * We rely on that for MD5 and SCRAM authentication, but we still need
     * this check here, to prevent an empty password from being used with
     * authentication methods that check the password against an external
     * system, like PAM, LDAP and RADIUS.
     */
    if (buf.len == 1)
        ereport(ERROR,
                (errcode(ERRCODE_INVALID_PASSWORD),
                 errmsg("empty password returned by client")));
 
    /* Do not echo password to logs, for security. */
    elog(DEBUG5, "received password packet");
 
    /*
     * Return the received string.  Note we do not attempt to do any
     * character-set conversion on it; since we don't yet know the client's
     * encoding, there wouldn't be much point.
     */
    return buf.data;
}

References buf, DEBUG5, elog(), ereport, errcode(), ERRCODE_INVALID_PASSWORD, errmsg(), ERROR, initStringInfo(), pfree(), PG_MAX_AUTH_TOKEN_LENGTH, pq_getbyte(), pq_getmessage(), pq_startmsgread(), and PqMsg_PasswordMessage.

Referenced by CheckMD5Auth(), CheckPasswordAuth(), and CheckRADIUSAuth().

sendAuthRequest()

void sendAuthRequest	(	Port *	port,
		AuthRequest	areq,
		const char *	extradata,
		int	extralen
	)

Definition at line 678 of file auth.c.

{
    StringInfoData buf;
 
    CHECK_FOR_INTERRUPTS();
 
    pq_beginmessage(&buf, PqMsg_AuthenticationRequest);
    pq_sendint32(&buf, (int32) areq);
    if (extralen > 0)
        pq_sendbytes(&buf, extradata, extralen);
 
    pq_endmessage(&buf);
 
    /*
     * Flush message so client will see it, except for AUTH_REQ_OK and
     * AUTH_REQ_SASL_FIN, which need not be sent until we are ready for
     * queries.
     */
    if (areq != AUTH_REQ_OK && areq != AUTH_REQ_SASL_FIN)
        pq_flush();
 
    CHECK_FOR_INTERRUPTS();
}

References AUTH_REQ_OK, AUTH_REQ_SASL_FIN, buf, CHECK_FOR_INTERRUPTS, pq_beginmessage(), pq_endmessage(), pq_flush, pq_sendbytes(), pq_sendint32(), and PqMsg_AuthenticationRequest.

Referenced by CheckMD5Auth(), CheckPasswordAuth(), CheckRADIUSAuth(), CheckSASLAuth(), and ClientAuthentication().

set_authn_id()

static void set_authn_id ( Port *  port, const char *  id  )

static

Definition at line 346 of file auth.c.

{
    Assert(id);
 
    if (MyClientConnectionInfo.authn_id)
    {
        /*
         * An existing authn_id should never be overwritten; that means two
         * authentication providers are fighting (or one is fighting itself).
         * Don't leak any authn details to the client, but don't let the
         * connection continue, either.
         */
        ereport(FATAL,
                (errmsg("authentication identifier set more than once"),
                 errdetail_log("previous identifier: \"%s\"; new identifier: \"%s\"",
                               MyClientConnectionInfo.authn_id, id)));
    }
 
    MyClientConnectionInfo.authn_id = MemoryContextStrdup(TopMemoryContext, id);
    MyClientConnectionInfo.auth_method = port->hba->auth_method;
 
    if (Log_connections)
    {
        ereport(LOG,
                errmsg("connection authenticated: identity=\"%s\" method=%s "
                       "(%s:%d)",
                       MyClientConnectionInfo.authn_id,
                       hba_authname(MyClientConnectionInfo.auth_method),
                       port->hba->sourcefile, port->hba->linenumber));
    }
}

References Assert(), ClientConnectionInfo::auth_method, ClientConnectionInfo::authn_id, ereport, errdetail_log(), errmsg(), FATAL, hba_authname(), LOG, Log_connections, MemoryContextStrdup(), MyClientConnectionInfo, port, and TopMemoryContext.

Referenced by auth_peer(), CheckPasswordAuth(), CheckPWChallengeAuth(), CheckRADIUSAuth(), and ident_inet().

Variable Documentation

ClientAuthentication_hook

ClientAuthentication_hook_type ClientAuthentication_hook = NULL

Definition at line 232 of file auth.c.

Referenced by _PG_init(), ClientAuthentication(), and sepgsql_init_client_label().

pg_gss_accept_delegation

bool pg_gss_accept_delegation

Definition at line 168 of file auth.c.

Referenced by secure_open_gssapi().

pg_krb_caseins_users

bool pg_krb_caseins_users

Definition at line 167 of file auth.c.

pg_krb_server_keyfile

char* pg_krb_server_keyfile

Definition at line 166 of file auth.c.

Referenced by secure_open_gssapi().