auth.c File Reference
#include "postgres.h"#include <sys/param.h>#include <sys/select.h>#include <sys/socket.h>#include <netinet/in.h>#include <netdb.h>#include <pwd.h>#include <unistd.h>#include "commands/user.h"#include "common/ip.h"#include "common/md5.h"#include "libpq/auth.h"#include "libpq/crypt.h"#include "libpq/libpq.h"#include "libpq/oauth.h"#include "libpq/pqformat.h"#include "libpq/sasl.h"#include "libpq/scram.h"#include "miscadmin.h"#include "port/pg_bswap.h"#include "postmaster/postmaster.h"#include "replication/walsender.h"#include "storage/ipc.h"#include "tcop/backend_startup.h"#include "utils/memutils.h"
Include dependency graph for auth.c:
Go to the source code of this file.
Data Structures | |
| struct | radius_attribute |
| struct | radius_packet |
Macros | |
| #define | IDENT_USERNAME_MAX 512 |
| #define | IDENT_PORT 113 |
| #define | HOSTNAME_LOOKUP_DETAIL(port) |
| #define | RADIUS_VECTOR_LENGTH 16 |
| #define | RADIUS_HEADER_LENGTH 20 |
| #define | RADIUS_MAX_PASSWORD_LENGTH 128 |
| #define | RADIUS_BUFFER_SIZE 1024 |
| #define | RADIUS_ACCESS_REQUEST 1 |
| #define | RADIUS_ACCESS_ACCEPT 2 |
| #define | RADIUS_ACCESS_REJECT 3 |
| #define | RADIUS_USER_NAME 1 |
| #define | RADIUS_PASSWORD 2 |
| #define | RADIUS_SERVICE_TYPE 6 |
| #define | RADIUS_NAS_IDENTIFIER 32 |
| #define | RADIUS_AUTHENTICATE_ONLY 8 |
| #define | RADIUS_TIMEOUT 3 |
Functions | |
| static void | auth_failed (Port *port, int status, const char *logdetail) |
| static char * | recv_password_packet (Port *port) |
| static int | CheckPasswordAuth (Port *port, const char **logdetail) |
| static int | CheckPWChallengeAuth (Port *port, const char **logdetail) |
| static int | CheckMD5Auth (Port *port, char *shadow_pass, const char **logdetail) |
| static int | ident_inet (Port *port) |
| static int | auth_peer (Port *port) |
| static int | CheckRADIUSAuth (Port *port) |
| static int | PerformRadiusTransaction (const char *server, const char *secret, const char *portstr, const char *identifier, const char *user_name, const char *passwd) |
| void | set_authn_id (Port *port, const char *id) |
| void | ClientAuthentication (Port *port) |
| void | sendAuthRequest (Port *port, AuthRequest areq, const void *extradata, int extralen) |
| static bool | is_ident_whitespace (const char c) |
| static bool | interpret_ident_response (const char *ident_response, char *ident_user) |
| static void | radius_add_attribute (radius_packet *packet, uint8 type, const unsigned char *data, int len) |
Variables | |
| char * | pg_krb_server_keyfile |
| bool | pg_krb_caseins_users |
| bool | pg_gss_accept_delegation |
| ClientAuthentication_hook_type | ClientAuthentication_hook = NULL |
Macro Definition Documentation
◆ HOSTNAME_LOOKUP_DETAIL
| #define HOSTNAME_LOOKUP_DETAIL | ( | port | ) |
Value:
(port->remote_hostname ? \
(port->remote_hostname_resolv == +1 ? \
errdetail_log("Client IP address resolved to \"%s\", forward lookup matches.", \
port->remote_hostname) : \
port->remote_hostname_resolv == 0 ? \
errdetail_log("Client IP address resolved to \"%s\", forward lookup not checked.", \
port->remote_hostname) : \
port->remote_hostname_resolv == -1 ? \
errdetail_log("Client IP address resolved to \"%s\", forward lookup does not match.", \
port->remote_hostname) : \
port->remote_hostname_resolv == -2 ? \
errdetail_log("Could not translate client host name \"%s\" to IP address: %s.", \
port->remote_hostname, \
gai_strerror(port->remote_hostname_errcode)) : \
0) \
: (port->remote_hostname_resolv == -2 ? \
errdetail_log("Could not resolve client IP address to a host name: %s.", \
gai_strerror(port->remote_hostname_errcode)) : \
0))
◆ IDENT_PORT
◆ IDENT_USERNAME_MAX
◆ RADIUS_ACCESS_ACCEPT
◆ RADIUS_ACCESS_REJECT
◆ RADIUS_ACCESS_REQUEST
◆ RADIUS_AUTHENTICATE_ONLY
◆ RADIUS_BUFFER_SIZE
◆ RADIUS_HEADER_LENGTH
◆ RADIUS_MAX_PASSWORD_LENGTH
◆ RADIUS_NAS_IDENTIFIER
◆ RADIUS_PASSWORD
◆ RADIUS_SERVICE_TYPE
◆ RADIUS_TIMEOUT
◆ RADIUS_USER_NAME
◆ RADIUS_VECTOR_LENGTH
Function Documentation
◆ auth_failed()
|
static |
Definition at line 239 of file auth.c.
240{
241 const char *errstr;
242 char *cdetail;
243 int errcode_return = ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION;
244
245 /*
246 * If we failed due to EOF from client, just quit; there's no point in
247 * trying to send a message to the client, and not much point in logging
248 * the failure in the postmaster log. (Logging the failure might be
249 * desirable, were it not for the fact that libpq closes the connection
250 * unceremoniously if challenged for a password when it hasn't got one to
251 * send. We'll get a useless log entry for every psql connection under
252 * password auth, even if it's perfectly successful, if we log STATUS_EOF
253 * events.)
254 */
256 proc_exit(0);
257
259 {
263 break;
266 break;
269 break;
272 break;
277 /* We use it to indicate if a .pgpass password failed. */
278 errcode_return = ERRCODE_INVALID_PASSWORD;
279 break;
282 break;
285 break;
288 break;
291 break;
294 break;
297 break;
300 break;
303 break;
304 default:
306 break;
307 }
308
311 port->hba->rawline);
312 if (logdetail)
314 else
315 logdetail = cdetail;
316
318 (errcode(errcode_return),
321
322 /* doesn't return */
323}
References _, ereport, errcode(), ERRCODE_INVALID_PASSWORD, errdetail_log(), errmsg(), FATAL, gettext_noop, port, proc_exit(), psprintf(), STATUS_EOF, uaBSD, uaCert, uaGSS, uaIdent, uaImplicitReject, uaLDAP, uaMD5, uaOAuth, uaPAM, uaPassword, uaPeer, uaRADIUS, uaReject, uaSCRAM, uaSSPI, and uaTrust.
Referenced by ClientAuthentication().
◆ auth_peer()
|
static |
Definition at line 1865 of file auth.c.
1866{
1867 uid_t uid;
1868 gid_t gid;
1869#ifndef WIN32
1870 struct passwd pwbuf;
1871 struct passwd *pw;
1873 int rc;
1874 int ret;
1875#endif
1876
1878 {
1879 /* Provide special error message if getpeereid is a stub */
1880 if (errno == ENOSYS)
1882 (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
1884 else
1886 (errcode_for_socket_access(),
1889 }
1890
1891#ifndef WIN32
1893 if (rc != 0)
1894 {
1895 errno = rc;
1899 }
1900 else if (!pw)
1901 {
1905 }
1906
1907 /*
1908 * Make a copy of static getpw*() result area; this is our authenticated
1909 * identity. Set it before calling check_usermap, because authentication
1910 * has already succeeded and we want the log file to reflect that.
1911 */
1913
1916
1917 return ret;
1918#else
1919 /* should have failed with ENOSYS above */
1922#endif
1923}
Assert(PointerIsAligned(start, uint64))
int check_usermap(const char *usermap_name, const char *pg_user, const char *system_user, bool case_insensitive)
Definition: hba.c:2981
References Assert(), ClientConnectionInfo::authn_id, buf, check_usermap(), ereport, errcode(), errcode_for_socket_access(), errmsg(), getpeereid(), LOG, MyClientConnectionInfo, port, set_authn_id(), and STATUS_ERROR.
Referenced by ClientAuthentication().
◆ CheckMD5Auth()
|
static |
Definition at line 883 of file auth.c.
884{
886 char *passwd;
887 int result;
888
889 /* include the salt to use for computing the response */
891 {
895 }
896
898
900 if (passwd == NULL)
902
903 if (shadow_pass)
905 md5Salt, 4, logdetail);
906 else
907 result = STATUS_ERROR;
908
909 pfree(passwd);
910
911 return result;
912}
void sendAuthRequest(Port *port, AuthRequest areq, const void *extradata, int extralen)
Definition: auth.c:677
int md5_crypt_verify(const char *role, const char *shadow_pass, const char *client_pass, const uint8 *md5_salt, int md5_salt_len, const char **logdetail)
Definition: crypt.c:202
References AUTH_REQ_MD5, ereport, errmsg(), LOG, md5_crypt_verify(), pfree(), pg_strong_random(), port, recv_password_packet(), sendAuthRequest(), STATUS_EOF, and STATUS_ERROR.
Referenced by CheckPWChallengeAuth().
◆ CheckPasswordAuth()
|
static |
Definition at line 788 of file auth.c.
789{
790 char *passwd;
791 int result;
792 char *shadow_pass;
793
795
797 if (passwd == NULL)
799
801 if (shadow_pass)
802 {
804 logdetail);
805 }
806 else
807 result = STATUS_ERROR;
808
809 if (shadow_pass)
810 pfree(shadow_pass);
811 pfree(passwd);
812
815
816 return result;
817}
int plain_crypt_verify(const char *role, const char *shadow_pass, const char *client_pass, const char **logdetail)
Definition: crypt.c:256
char * get_role_password(const char *role, const char **logdetail)
Definition: crypt.c:38
References AUTH_REQ_PASSWORD, get_role_password(), pfree(), plain_crypt_verify(), port, recv_password_packet(), sendAuthRequest(), set_authn_id(), STATUS_EOF, STATUS_ERROR, and STATUS_OK.
Referenced by ClientAuthentication().
◆ CheckPWChallengeAuth()
|
static |
Definition at line 823 of file auth.c.
824{
825 int auth_result;
826 char *shadow_pass;
827 PasswordType pwtype;
828
831
832 /* First look up the user's password. */
834
835 /*
836 * If the user does not exist, or has no password or it's expired, we
837 * still go through the motions of authentication, to avoid revealing to
838 * the client that the user didn't exist. If 'md5' is allowed, we choose
839 * whether to use 'md5' or 'scram-sha-256' authentication based on current
840 * password_encryption setting. The idea is that most genuine users
841 * probably have a password of that type, and if we pretend that this user
842 * had a password of that type, too, it "blends in" best.
843 */
844 if (!shadow_pass)
845 pwtype = Password_encryption;
846 else
847 pwtype = get_password_type(shadow_pass);
848
849 /*
850 * If 'md5' authentication is allowed, decide whether to perform 'md5' or
851 * 'scram-sha-256' authentication based on the type of password the user
852 * has. If it's an MD5 hash, we must do MD5 authentication, and if it's a
853 * SCRAM secret, we must do SCRAM authentication.
854 *
855 * If MD5 authentication is not allowed, always use SCRAM. If the user
856 * had an MD5 password, CheckSASLAuth() with the SCRAM mechanism will
857 * fail.
858 */
861 else
863 logdetail);
864
865 if (shadow_pass)
866 pfree(shadow_pass);
867 else
868 {
869 /*
870 * If get_role_password() returned error, authentication better not
871 * have succeeded.
872 */
874 }
875
878
879 return auth_result;
880}
int CheckSASLAuth(const pg_be_sasl_mech *mech, Port *port, char *shadow_pass, const char **logdetail)
Definition: auth-sasl.c:44
static int CheckMD5Auth(Port *port, char *shadow_pass, const char **logdetail)
Definition: auth.c:883
References Assert(), CheckMD5Auth(), CheckSASLAuth(), get_password_type(), get_role_password(), Password_encryption, PASSWORD_TYPE_MD5, pfree(), pg_be_scram_mech, port, set_authn_id(), STATUS_OK, uaMD5, and uaSCRAM.
Referenced by ClientAuthentication().
◆ CheckRADIUSAuth()
|
static |
Definition at line 2854 of file auth.c.
2855{
2856 char *passwd;
2857 ListCell *server,
2858 *secrets,
2859 *radiusports,
2860 *identifiers;
2861
2862 /* Make sure struct alignment is correct */
2864
2865 /* Verify parameters */
2867 {
2871 }
2872
2874 {
2878 }
2879
2880 /* Send regular password request to client, and get the response */
2882
2884 if (passwd == NULL)
2886
2888 {
2890 (errmsg("RADIUS authentication does not support passwords longer than %d characters", RADIUS_MAX_PASSWORD_LENGTH)));
2891 pfree(passwd);
2893 }
2894
2895 /*
2896 * Loop over and try each server in order.
2897 */
2902 {
2904 lfirst(secrets),
2905 radiusports ? lfirst(radiusports) : NULL,
2906 identifiers ? lfirst(identifiers) : NULL,
2907 port->user_name,
2908 passwd);
2909
2910 /*------
2911 * STATUS_OK = Login OK
2912 * STATUS_ERROR = Login not OK, but try next server
2913 * STATUS_EOF = Login not OK, and don't try next server
2914 *------
2915 */
2917 {
2919
2920 pfree(passwd);
2922 }
2924 {
2925 pfree(passwd);
2927 }
2928
2929 /*
2930 * secret, port and identifiers either have length 0 (use default),
2931 * length 1 (use the same everywhere) or the same length as servers.
2932 * So if the length is >1, we advance one step. In other cases, we
2933 * don't and will then reuse the correct value.
2934 */
2941 }
2942
2943 /* No servers left to try, so give up */
2944 pfree(passwd);
2946}
static int PerformRadiusTransaction(const char *server, const char *secret, const char *portstr, const char *identifier, const char *user_name, const char *passwd)
Definition: auth.c:2949
Definition: auth.c:2801
Definition: pg_list.h:46
References Assert(), AUTH_REQ_PASSWORD, ereport, errmsg(), lfirst, list_head(), list_length(), lnext(), LOG, NIL, PerformRadiusTransaction(), pfree(), port, RADIUS_MAX_PASSWORD_LENGTH, recv_password_packet(), sendAuthRequest(), set_authn_id(), STATUS_EOF, STATUS_ERROR, and STATUS_OK.
Referenced by ClientAuthentication().
◆ ClientAuthentication()
| void ClientAuthentication | ( | Port * | port | ) |
Definition at line 379 of file auth.c.
380{
382 const char *logdetail = NULL;
383
384 /*
385 * Get the authentication method to use for this frontend/database
386 * combination. Note: we do not parse the file at this point; this has
387 * already been done elsewhere. hba.c dropped an error message into the
388 * server logfile if parsing the hba config file failed.
389 */
391
392 CHECK_FOR_INTERRUPTS();
393
394 /*
395 * This is the first point where we have access to the hba record for the
396 * current connection, so perform any verifications based on the hba
397 * options field that should be done *before* the authentication here.
398 */
400 {
401 /* If we haven't loaded a root certificate store, fail */
404 (errcode(ERRCODE_CONFIG_FILE_ERROR),
406
407 /*
408 * If we loaded a root certificate store, and if a certificate is
409 * present on the client, then it has been verified against our root
410 * certificate store, and the connection would have been aborted
411 * already if it didn't verify ok.
412 */
415 (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
417 }
418
419 /*
420 * Now proceed to do the actual authentication check
421 */
423 {
425
426 /*
427 * An explicit "reject" entry in pg_hba.conf. This report exposes
428 * the fact that there's an explicit reject entry, which is
429 * perhaps not so desirable from a security standpoint; but the
430 * message for an implicit reject could confuse the DBA a lot when
431 * the true situation is a match to an explicit reject. And we
432 * don't want to change the message for an implicit reject. As
433 * noted below, the additional information shown here doesn't
434 * expose anything not known to an attacker.
435 */
436 {
437 char hostinfo[NI_MAXHOST];
438 const char *encryption_state;
439
441 hostinfo, sizeof(hostinfo),
442 NULL, 0,
443 NI_NUMERICHOST);
444
445 encryption_state =
446#ifdef ENABLE_GSS
448#endif
449#ifdef USE_SSL
451#endif
453
456 (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
457 /* translator: last %s describes encryption state */
459 hostinfo, port->user_name,
460 encryption_state)));
461 else
463 (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
464 /* translator: last %s describes encryption state */
466 hostinfo, port->user_name,
467 port->database_name,
468 encryption_state)));
469 break;
470 }
471
473
474 /*
475 * No matching entry, so tell the user we fell through.
476 *
477 * NOTE: the extra info reported here is not a security breach,
478 * because all that info is known at the frontend and must be
479 * assumed known to bad guys. We're merely helping out the less
480 * clueful good guys.
481 */
482 {
483 char hostinfo[NI_MAXHOST];
484 const char *encryption_state;
485
487 hostinfo, sizeof(hostinfo),
488 NULL, 0,
489 NI_NUMERICHOST);
490
491 encryption_state =
492#ifdef ENABLE_GSS
494#endif
495#ifdef USE_SSL
497#endif
499
500#define HOSTNAME_LOOKUP_DETAIL(port) \
501 (port->remote_hostname ? \
502 (port->remote_hostname_resolv == +1 ? \
503 errdetail_log("Client IP address resolved to \"%s\", forward lookup matches.", \
504 port->remote_hostname) : \
505 port->remote_hostname_resolv == 0 ? \
506 errdetail_log("Client IP address resolved to \"%s\", forward lookup not checked.", \
507 port->remote_hostname) : \
508 port->remote_hostname_resolv == -1 ? \
509 errdetail_log("Client IP address resolved to \"%s\", forward lookup does not match.", \
510 port->remote_hostname) : \
511 port->remote_hostname_resolv == -2 ? \
512 errdetail_log("Could not translate client host name \"%s\" to IP address: %s.", \
513 port->remote_hostname, \
514 gai_strerror(port->remote_hostname_errcode)) : \
515 0) \
516 : (port->remote_hostname_resolv == -2 ? \
517 errdetail_log("Could not resolve client IP address to a host name: %s.", \
518 gai_strerror(port->remote_hostname_errcode)) : \
519 0))
520
523 (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
524 /* translator: last %s describes encryption state */
526 hostinfo, port->user_name,
527 encryption_state),
529 else
531 (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
532 /* translator: last %s describes encryption state */
534 hostinfo, port->user_name,
535 port->database_name,
536 encryption_state),
538 break;
539 }
540
542#ifdef ENABLE_GSS
543 /* We might or might not have the gss workspace already */
545 port->gss = (pg_gssinfo *)
547 sizeof(pg_gssinfo));
549
550 /*
551 * If GSS state was set up while enabling encryption, we can just
552 * check the client's principal. Otherwise, ask for it.
553 */
555 status = pg_GSS_checkauth(port);
556 else
557 {
559 status = pg_GSS_recvauth(port);
560 }
561#else
563#endif
564 break;
565
567#ifdef ENABLE_SSPI
569 port->gss = (pg_gssinfo *)
571 sizeof(pg_gssinfo));
573 status = pg_SSPI_recvauth(port);
574#else
576#endif
577 break;
578
581 break;
582
585 break;
586
590 break;
591
594 break;
595
597#ifdef USE_PAM
599#else
601#endif /* USE_PAM */
602 break;
603
605#ifdef USE_BSD_AUTH
607#else
609#endif /* USE_BSD_AUTH */
610 break;
611
613#ifdef USE_LDAP
614 status = CheckLDAPAuth(port);
615#else
617#endif
618 break;
621 break;
623 /* uaCert will be treated as if clientcert=verify-full (uaTrust) */
625 status = STATUS_OK;
626 break;
629 break;
630 }
631
634 {
635 /*
636 * Make sure we only check the certificate if we use the cert method
637 * or verify-full option.
638 */
639#ifdef USE_SSL
640 status = CheckCertAuth(port);
641#else
643#endif
644 }
645
647 status == STATUS_OK &&
649 {
650 /*
651 * Normally, if log_connections is set, the call to set_authn_id()
652 * will log the connection. However, if that function is never
653 * called, perhaps because the trust method is in use, then we handle
654 * the logging here instead.
655 */
658 "(%s:%d)",
661 }
662
664 (*ClientAuthentication_hook) (port, status);
665
668 else
670}
static int CheckPWChallengeAuth(Port *port, const char **logdetail)
Definition: auth.c:823
static void auth_failed(Port *port, int status, const char *logdetail)
Definition: auth.c:239
ClientAuthentication_hook_type ClientAuthentication_hook
Definition: auth.c:223
#define HOSTNAME_LOOKUP_DETAIL(port)
static int CheckPasswordAuth(Port *port, const char **logdetail)
Definition: auth.c:788
int pg_getnameinfo_all(const struct sockaddr_storage *addr, int salen, char *node, int nodelen, char *service, int servicelen, int flags)
Definition: ip.c:117
void * MemoryContextAllocZero(MemoryContext context, Size size)
Definition: mcxt.c:1263
References _, am_db_walsender, am_walsender, Assert(), auth_failed(), auth_peer(), AUTH_REQ_GSS, AUTH_REQ_OK, AUTH_REQ_SSPI, ClientConnectionInfo::authn_id, CHECK_FOR_INTERRUPTS, CheckPasswordAuth(), CheckPWChallengeAuth(), CheckRADIUSAuth(), CheckSASLAuth(), ClientAuthentication_hook, clientCertFull, clientCertOff, ereport, errcode(), errmsg(), FATAL, hba_authname(), hba_getauthmethod(), HOSTNAME_LOOKUP_DETAIL, ident_inet(), LOG, LOG_CONNECTION_AUTHENTICATION, log_connections, MemoryContextAllocZero(), MyClientConnectionInfo, pg_be_oauth_mech, pg_getnameinfo_all(), port, secure_loaded_verify_locations(), sendAuthRequest(), STATUS_ERROR, STATUS_OK, TopMemoryContext, uaBSD, uaCert, uaGSS, uaIdent, uaImplicitReject, uaLDAP, uaMD5, uaOAuth, uaPAM, uaPassword, uaPeer, uaRADIUS, uaReject, uaSCRAM, uaSSPI, and uaTrust.
Referenced by PerformAuthentication().
◆ ident_inet()
|
static |
Definition at line 1680 of file auth.c.
1681{
1686 int rc; /* Return code from a locally called function */
1687 bool ident_return;
1688 char remote_addr_s[NI_MAXHOST];
1689 char remote_port[NI_MAXSERV];
1690 char local_addr_s[NI_MAXHOST];
1691 char local_port[NI_MAXSERV];
1692 char ident_port[NI_MAXSERV];
1693 char ident_query[80];
1695 struct addrinfo *ident_serv = NULL,
1696 *la = NULL,
1697 hints;
1698
1699 /*
1700 * Might look a little weird to first convert it to text and then back to
1701 * sockaddr, but it's protocol independent.
1702 */
1704 remote_addr_s, sizeof(remote_addr_s),
1705 remote_port, sizeof(remote_port),
1706 NI_NUMERICHOST | NI_NUMERICSERV);
1708 local_addr_s, sizeof(local_addr_s),
1709 local_port, sizeof(local_port),
1710 NI_NUMERICHOST | NI_NUMERICSERV);
1711
1713 hints.ai_flags = AI_NUMERICHOST;
1714 hints.ai_family = remote_addr.addr.ss_family;
1715 hints.ai_socktype = SOCK_STREAM;
1716 hints.ai_protocol = 0;
1717 hints.ai_addrlen = 0;
1718 hints.ai_canonname = NULL;
1719 hints.ai_addr = NULL;
1720 hints.ai_next = NULL;
1721 rc = pg_getaddrinfo_all(remote_addr_s, ident_port, &hints, &ident_serv);
1722 if (rc || !ident_serv)
1723 {
1724 /* we don't expect this to happen */
1725 ident_return = false;
1726 goto ident_inet_done;
1727 }
1728
1729 hints.ai_flags = AI_NUMERICHOST;
1730 hints.ai_family = local_addr.addr.ss_family;
1731 hints.ai_socktype = SOCK_STREAM;
1732 hints.ai_protocol = 0;
1733 hints.ai_addrlen = 0;
1734 hints.ai_canonname = NULL;
1735 hints.ai_addr = NULL;
1736 hints.ai_next = NULL;
1737 rc = pg_getaddrinfo_all(local_addr_s, NULL, &hints, &la);
1738 if (rc || !la)
1739 {
1740 /* we don't expect this to happen */
1741 ident_return = false;
1742 goto ident_inet_done;
1743 }
1744
1745 sock_fd = socket(ident_serv->ai_family, ident_serv->ai_socktype,
1746 ident_serv->ai_protocol);
1748 {
1750 (errcode_for_socket_access(),
1752 ident_return = false;
1753 goto ident_inet_done;
1754 }
1755
1756 /*
1757 * Bind to the address which the client originally contacted, otherwise
1758 * the ident server won't be able to match up the right connection. This
1759 * is necessary if the PostgreSQL server is running on an IP alias.
1760 */
1761 rc = bind(sock_fd, la->ai_addr, la->ai_addrlen);
1762 if (rc != 0)
1763 {
1765 (errcode_for_socket_access(),
1767 local_addr_s)));
1768 ident_return = false;
1769 goto ident_inet_done;
1770 }
1771
1772 rc = connect(sock_fd, ident_serv->ai_addr,
1773 ident_serv->ai_addrlen);
1774 if (rc != 0)
1775 {
1777 (errcode_for_socket_access(),
1779 remote_addr_s, ident_port)));
1780 ident_return = false;
1781 goto ident_inet_done;
1782 }
1783
1784 /* The query we send to the Ident server */
1786 remote_port, local_port);
1787
1788 /* loop in case send is interrupted */
1789 do
1790 {
1791 CHECK_FOR_INTERRUPTS();
1792
1793 rc = send(sock_fd, ident_query, strlen(ident_query), 0);
1795
1796 if (rc < 0)
1797 {
1799 (errcode_for_socket_access(),
1801 remote_addr_s, ident_port)));
1802 ident_return = false;
1803 goto ident_inet_done;
1804 }
1805
1806 do
1807 {
1808 CHECK_FOR_INTERRUPTS();
1809
1812
1813 if (rc < 0)
1814 {
1816 (errcode_for_socket_access(),
1818 remote_addr_s, ident_port)));
1819 ident_return = false;
1820 goto ident_inet_done;
1821 }
1822
1823 ident_response[rc] = '\0';
1824 ident_return = interpret_ident_response(ident_response, ident_user);
1825 if (!ident_return)
1828 ident_response)));
1829
1830ident_inet_done:
1832 closesocket(sock_fd);
1833 if (ident_serv)
1835 if (la)
1837
1838 if (ident_return)
1839 {
1840 /*
1841 * Success! Store the identity, then check the usermap. Note that
1842 * setting the authenticated identity is done before checking the
1843 * usermap, because at this point authentication has succeeded.
1844 */
1847 }
1849}
static bool interpret_ident_response(const char *ident_response, char *ident_user)
Definition: auth.c:1599
void pg_freeaddrinfo_all(int hint_ai_family, struct addrinfo *ai)
Definition: ip.c:85
int pg_getaddrinfo_all(const char *hostname, const char *servname, const struct addrinfo *hintp, struct addrinfo **result)
Definition: ip.c:56
Definition: pqcomm.h:31
References SockAddr::addr, bind, CHECK_FOR_INTERRUPTS, check_usermap(), closesocket, connect, EINTR, ereport, errcode_for_socket_access(), errmsg(), IDENT_PORT, IDENT_USERNAME_MAX, interpret_ident_response(), LOG, pg_freeaddrinfo_all(), pg_getaddrinfo_all(), pg_getnameinfo_all(), PGINVALID_SOCKET, port, recv, SockAddr::salen, send, set_authn_id(), snprintf, socket, and STATUS_ERROR.
Referenced by ClientAuthentication().
◆ interpret_ident_response()
|
static |
Definition at line 1599 of file auth.c.
1601{
1603
1604 /*
1605 * Ident's response, in the telnet tradition, should end in crlf (\r\n).
1606 */
1607 if (strlen(ident_response) < 2)
1608 return false;
1609 else if (ident_response[strlen(ident_response) - 2] != '\r')
1610 return false;
1611 else
1612 {
1615
1617 return false;
1618 else
1619 {
1620 /* We're positioned to colon before response type field */
1621 char response_type[80];
1623
1627 i = 0;
1634 if (strcmp(response_type, "USERID") != 0)
1635 return false;
1636 else
1637 {
1638 /*
1639 * It's a USERID response. Good. "cursor" should be pointing
1640 * to the colon that precedes the operating system type.
1641 */
1643 return false;
1644 else
1645 {
1647 /* Skip over operating system field. */
1649 cursor++;
1651 return false;
1652 else
1653 {
1657 /* Rest of line is user name. Copy it over. */
1658 i = 0;
1662 return true;
1663 }
1664 }
1665 }
1666 }
1667 }
1668}
Definition: type.h:138
References i, IDENT_USERNAME_MAX, and is_ident_whitespace().
Referenced by ident_inet().
◆ is_ident_whitespace()
|
static |
Definition at line 1587 of file auth.c.
Referenced by interpret_ident_response().
◆ PerformRadiusTransaction()
|
static |
Definition at line 2949 of file auth.c.
2950{
2951 radius_packet radius_send_pack;
2952 radius_packet radius_recv_pack;
2953 radius_packet *packet = &radius_send_pack;
2954 radius_packet *receivepacket = &radius_recv_pack;
2955 void *radius_buffer = &radius_send_pack;
2956 void *receive_buffer = &radius_recv_pack;
2958 uint8 *cryptvector;
2959 int encryptedpasswordlen;
2961 uint8 *md5trailer;
2962 int packetlength;
2963 pgsocket sock;
2964
2965 struct sockaddr_in6 localaddr;
2966 struct sockaddr_in6 remoteaddr;
2967 struct addrinfo hint;
2968 struct addrinfo *serveraddrs;
2970 socklen_t addrsize;
2971 fd_set fdset;
2972 struct timeval endtime;
2974 j,
2975 r;
2976
2977 /* Assign default values */
2980 if (identifier == NULL)
2981 identifier = "postgresql";
2982
2984 hint.ai_socktype = SOCK_DGRAM;
2985 hint.ai_family = AF_UNSPEC;
2987
2989 if (r || !serveraddrs)
2990 {
2993 server, gai_strerror(r))));
2994 if (serveraddrs)
2995 pg_freeaddrinfo_all(hint.ai_family, serveraddrs);
2997 }
2998 /* XXX: add support for multiple returned addresses? */
2999
3000 /* Construct RADIUS packet */
3004 {
3007 pg_freeaddrinfo_all(hint.ai_family, serveraddrs);
3009 }
3011 radius_add_attribute(packet, RADIUS_SERVICE_TYPE, (const unsigned char *) &service, sizeof(service));
3012 radius_add_attribute(packet, RADIUS_USER_NAME, (const unsigned char *) user_name, strlen(user_name));
3013 radius_add_attribute(packet, RADIUS_NAS_IDENTIFIER, (const unsigned char *) identifier, strlen(identifier));
3014
3015 /*
3016 * RADIUS password attributes are calculated as: e[0] = p[0] XOR
3017 * MD5(secret + Request Authenticator) for the first group of 16 octets,
3018 * and then: e[i] = p[i] XOR MD5(secret + e[i-1]) for the following ones
3019 * (if necessary)
3020 */
3021 encryptedpasswordlen = ((strlen(passwd) + RADIUS_VECTOR_LENGTH - 1) / RADIUS_VECTOR_LENGTH) * RADIUS_VECTOR_LENGTH;
3023 memcpy(cryptvector, secret, strlen(secret));
3024
3025 /* for the first iteration, we use the Request Authenticator vector */
3026 md5trailer = packet->vector;
3028 {
3029 const char *errstr = NULL;
3030
3031 memcpy(cryptvector + strlen(secret), md5trailer, RADIUS_VECTOR_LENGTH);
3032
3033 /*
3034 * .. and for subsequent iterations the result of the previous XOR
3035 * (calculated below)
3036 */
3037 md5trailer = encryptedpassword + i;
3038
3040 encryptedpassword + i, &errstr))
3041 {
3044 errstr)));
3045 pfree(cryptvector);
3046 pg_freeaddrinfo_all(hint.ai_family, serveraddrs);
3048 }
3049
3051 {
3054 else
3056 }
3057 }
3058 pfree(cryptvector);
3059
3061
3062 /* Length needs to be in network order on the wire */
3063 packetlength = packet->length;
3065
3066 sock = socket(serveraddrs[0].ai_family, SOCK_DGRAM, 0);
3068 {
3071 pg_freeaddrinfo_all(hint.ai_family, serveraddrs);
3073 }
3074
3075 memset(&localaddr, 0, sizeof(localaddr));
3076 localaddr.sin6_family = serveraddrs[0].ai_family;
3077 localaddr.sin6_addr = in6addr_any;
3078 if (localaddr.sin6_family == AF_INET6)
3079 addrsize = sizeof(struct sockaddr_in6);
3080 else
3081 addrsize = sizeof(struct sockaddr_in);
3082
3084 {
3087 closesocket(sock);
3088 pg_freeaddrinfo_all(hint.ai_family, serveraddrs);
3090 }
3091
3092 if (sendto(sock, radius_buffer, packetlength, 0,
3093 serveraddrs[0].ai_addr, serveraddrs[0].ai_addrlen) < 0)
3094 {
3097 closesocket(sock);
3098 pg_freeaddrinfo_all(hint.ai_family, serveraddrs);
3100 }
3101
3102 /* Don't need the server address anymore */
3103 pg_freeaddrinfo_all(hint.ai_family, serveraddrs);
3104
3105 /*
3106 * Figure out at what time we should time out. We can't just use a single
3107 * call to select() with a timeout, since somebody can be sending invalid
3108 * packets to our port thus causing us to retry in a loop and never time
3109 * out.
3110 *
3111 * XXX: Using WaitLatchOrSocket() and doing a CHECK_FOR_INTERRUPTS() if
3112 * the latch was set would improve the responsiveness to
3113 * timeouts/cancellations.
3114 */
3115 gettimeofday(&endtime, NULL);
3116 endtime.tv_sec += RADIUS_TIMEOUT;
3117
3118 while (true)
3119 {
3120 struct timeval timeout;
3122 int64 timeoutval;
3123 const char *errstr = NULL;
3124
3126 timeoutval = (endtime.tv_sec * 1000000 + endtime.tv_usec) - (now.tv_sec * 1000000 + now.tv_usec);
3127 if (timeoutval <= 0)
3128 {
3131 server)));
3132 closesocket(sock);
3134 }
3135 timeout.tv_sec = timeoutval / 1000000;
3136 timeout.tv_usec = timeoutval % 1000000;
3137
3138 FD_ZERO(&fdset);
3139 FD_SET(sock, &fdset);
3140
3141 r = select(sock + 1, &fdset, NULL, NULL, &timeout);
3142 if (r < 0)
3143 {
3145 continue;
3146
3147 /* Anything else is an actual error */
3150 closesocket(sock);
3152 }
3153 if (r == 0)
3154 {
3157 server)));
3158 closesocket(sock);
3160 }
3161
3162 /*
3163 * Attempt to read the response packet, and verify the contents.
3164 *
3165 * Any packet that's not actually a RADIUS packet, or otherwise does
3166 * not validate as an explicit reject, is just ignored and we retry
3167 * for another packet (until we reach the timeout). This is to avoid
3168 * the possibility to denial-of-service the login by flooding the
3169 * server with invalid packets on the port that we're expecting the
3170 * RADIUS response on.
3171 */
3172
3173 addrsize = sizeof(remoteaddr);
3174 packetlength = recvfrom(sock, receive_buffer, RADIUS_BUFFER_SIZE, 0,
3175 (struct sockaddr *) &remoteaddr, &addrsize);
3176 if (packetlength < 0)
3177 {
3180 closesocket(sock);
3182 }
3183
3185 {
3188 server, pg_ntoh16(remoteaddr.sin6_port))));
3189 continue;
3190 }
3191
3193 {
3196 continue;
3197 }
3198
3200 {
3204 continue;
3205 }
3206
3208 {
3212 continue;
3213 }
3214
3215 /*
3216 * Verify the response authenticator, which is calculated as
3217 * MD5(Code+ID+Length+RequestAuthenticator+Attributes+Secret)
3218 */
3219 cryptvector = palloc(packetlength + strlen(secret));
3220
3221 memcpy(cryptvector, receivepacket, 4); /* code+id+length */
3223 * authenticator, from
3224 * original packet */
3226 * attributes at all */
3227 memcpy(cryptvector + RADIUS_HEADER_LENGTH,
3229 packetlength - RADIUS_HEADER_LENGTH);
3230 memcpy(cryptvector + packetlength, secret, strlen(secret));
3231
3233 packetlength + strlen(secret),
3234 encryptedpassword, &errstr))
3235 {
3238 errstr)));
3239 pfree(cryptvector);
3240 continue;
3241 }
3242 pfree(cryptvector);
3243
3245 {
3248 server)));
3249 continue;
3250 }
3251
3253 {
3254 closesocket(sock);
3256 }
3258 {
3259 closesocket(sock);
3261 }
3262 else
3263 {
3266 server, receivepacket->code, user_name)));
3267 continue;
3268 }
3269 } /* while (true) */
3270}
static void radius_add_attribute(radius_packet *packet, uint8 type, const unsigned char *data, int len)
Definition: auth.c:2828
bool pg_md5_binary(const void *buff, size_t len, uint8 *outbuf, const char **errstr)
Definition: md5_common.c:108
References bind, closesocket, radius_packet::code, EINTR, ereport, errmsg(), gai_strerror(), gettimeofday(), i, radius_packet::id, j, radius_packet::length, LOG, MemSet, now(), palloc(), pfree(), pg_freeaddrinfo_all(), pg_getaddrinfo_all(), pg_hton16, pg_hton32, pg_md5_binary(), pg_ntoh16, pg_strong_random(), PGINVALID_SOCKET, port, portstr, RADIUS_ACCESS_ACCEPT, RADIUS_ACCESS_REJECT, RADIUS_ACCESS_REQUEST, radius_add_attribute(), RADIUS_AUTHENTICATE_ONLY, RADIUS_BUFFER_SIZE, RADIUS_HEADER_LENGTH, RADIUS_MAX_PASSWORD_LENGTH, RADIUS_NAS_IDENTIFIER, RADIUS_PASSWORD, RADIUS_SERVICE_TYPE, RADIUS_TIMEOUT, RADIUS_USER_NAME, RADIUS_VECTOR_LENGTH, select, socket, STATUS_EOF, STATUS_ERROR, STATUS_OK, and radius_packet::vector.
Referenced by CheckRADIUSAuth().
◆ radius_add_attribute()
|
static |
Definition at line 2828 of file auth.c.
2829{
2830 radius_attribute *attr;
2831
2833 {
2834 /*
2835 * With remotely realistic data, this can never happen. But catch it
2836 * just to make sure we don't overrun a buffer. We'll just skip adding
2837 * the broken attribute, which will in the end cause authentication to
2838 * fail.
2839 */
2841 "adding attribute code %d with length %d to radius packet would create oversize packet, ignoring",
2843 return;
2844 }
2845
2851}
Definition: auth.c:2794
References radius_attribute::attribute, radius_attribute::data, data, elog, len, radius_attribute::length, radius_packet::length, RADIUS_BUFFER_SIZE, type, and WARNING.
Referenced by PerformRadiusTransaction().
◆ recv_password_packet()
|
static |
Definition at line 707 of file auth.c.
708{
710 int mtype;
711
712 pq_startmsgread();
713
714 /* Expect 'p' message type */
715 mtype = pq_getbyte();
717 {
718 /*
719 * If the client just disconnects without offering a password, don't
720 * make a log entry. This is legal per protocol spec and in fact
721 * commonly done by psql, so complaining just clutters the log.
722 */
723 if (mtype != EOF)
725 (errcode(ERRCODE_PROTOCOL_VIOLATION),
727 mtype)));
728 return NULL; /* EOF or bad message type */
729 }
730
733 {
734 /* EOF - pq_getmessage already logged a suitable message */
736 return NULL;
737 }
738
739 /*
740 * Apply sanity check: password packet length should agree with length of
741 * contained string. Note it is safe to use strlen here because
742 * StringInfo is guaranteed to have an appended '\0'.
743 */
746 (errcode(ERRCODE_PROTOCOL_VIOLATION),
748
749 /*
750 * Don't allow an empty password. Libpq treats an empty password the same
751 * as no password at all, and won't even try to authenticate. But other
752 * clients might, so allowing it would be confusing.
753 *
754 * Note that this only catches an empty password sent by the client in
755 * plaintext. There's also a check in CREATE/ALTER USER that prevents an
756 * empty string from being stored as a user's password in the first place.
757 * We rely on that for MD5 and SCRAM authentication, but we still need
758 * this check here, to prevent an empty password from being used with
759 * authentication methods that check the password against an external
760 * system, like PAM, LDAP and RADIUS.
761 */
766
767 /* Do not echo password to logs, for security. */
769
770 /*
771 * Return the received string. Note we do not attempt to do any
772 * character-set conversion on it; since we don't yet know the client's
773 * encoding, there wouldn't be much point.
774 */
776}
Definition: stringinfo.h:47
References buf, DEBUG5, elog, ereport, errcode(), ERRCODE_INVALID_PASSWORD, errmsg(), ERROR, initStringInfo(), pfree(), PG_MAX_AUTH_TOKEN_LENGTH, pq_getbyte(), pq_getmessage(), pq_startmsgread(), and PqMsg_PasswordMessage.
Referenced by CheckMD5Auth(), CheckPasswordAuth(), and CheckRADIUSAuth().
◆ sendAuthRequest()
| void sendAuthRequest | ( | Port * | port, |
| AuthRequest | areq, | ||
| const void * | extradata, | ||
| int | extralen | ||
| ) |
Definition at line 677 of file auth.c.
678{
680
681 CHECK_FOR_INTERRUPTS();
682
685 if (extralen > 0)
687
689
690 /*
691 * Flush message so client will see it, except for AUTH_REQ_OK and
692 * AUTH_REQ_SASL_FIN, which need not be sent until we are ready for
693 * queries.
694 */
696 pq_flush();
697
698 CHECK_FOR_INTERRUPTS();
699}
void pq_sendbytes(StringInfo buf, const void *data, int datalen)
Definition: pqformat.c:126
References AUTH_REQ_OK, AUTH_REQ_SASL_FIN, buf, CHECK_FOR_INTERRUPTS, pq_beginmessage(), pq_endmessage(), pq_flush, pq_sendbytes(), pq_sendint32(), and PqMsg_AuthenticationRequest.
Referenced by CheckMD5Auth(), CheckPasswordAuth(), CheckRADIUSAuth(), CheckSASLAuth(), and ClientAuthentication().
◆ set_authn_id()
| void set_authn_id | ( | Port * | port, |
| const char * | id | ||
| ) |
Definition at line 341 of file auth.c.
342{
344
346 {
347 /*
348 * An existing authn_id should never be overwritten; that means two
349 * authentication providers are fighting (or one is fighting itself).
350 * Don't leak any authn details to the client, but don't let the
351 * connection continue, either.
352 */
357 }
358
361
363 {
366 "(%s:%d)",
370 }
371}
char * MemoryContextStrdup(MemoryContext context, const char *string)
Definition: mcxt.c:1746
References Assert(), ClientConnectionInfo::auth_method, ClientConnectionInfo::authn_id, ereport, errdetail_log(), errmsg(), FATAL, hba_authname(), LOG, LOG_CONNECTION_AUTHENTICATION, log_connections, MemoryContextStrdup(), MyClientConnectionInfo, port, and TopMemoryContext.
Referenced by auth_peer(), CheckPasswordAuth(), CheckPWChallengeAuth(), CheckRADIUSAuth(), ident_inet(), and validate().
Variable Documentation
◆ ClientAuthentication_hook
| ClientAuthentication_hook_type ClientAuthentication_hook = NULL |
Definition at line 223 of file auth.c.
Referenced by _PG_init(), ClientAuthentication(), and sepgsql_init_client_label().
◆ pg_gss_accept_delegation
| bool pg_gss_accept_delegation |
Definition at line 175 of file auth.c.
Referenced by secure_open_gssapi().
◆ pg_krb_caseins_users
◆ pg_krb_server_keyfile
| char* pg_krb_server_keyfile |
Definition at line 173 of file auth.c.
Referenced by secure_open_gssapi().
