auth.c File Reference

#include "postgres.h"
#include <sys/param.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <unistd.h>
#include "commands/user.h"
#include "common/ip.h"
#include "common/md5.h"
#include "common/scram-common.h"
#include "libpq/auth.h"
#include "libpq/crypt.h"
#include "libpq/libpq.h"
#include "libpq/pqformat.h"
#include "libpq/scram.h"
#include "miscadmin.h"
#include "port/pg_bswap.h"
#include "replication/walsender.h"
#include "storage/ipc.h"
#include "utils/memutils.h"
#include "utils/timestamp.h"

Include dependency graph for auth.c:

Go to the source code of this file.

Data Structures
struct	radius_attribute
struct	radius_packet

Macros
#define	IDENT_USERNAME_MAX   512
#define	IDENT_PORT   113
#define	PG_MAX_AUTH_TOKEN_LENGTH   65535
#define	PG_MAX_SASL_MESSAGE_LENGTH   1024
#define	HOSTNAME_LOOKUP_DETAIL(port)
#define	RADIUS_VECTOR_LENGTH   16
#define	RADIUS_HEADER_LENGTH   20
#define	RADIUS_MAX_PASSWORD_LENGTH   128
#define	RADIUS_BUFFER_SIZE   1024
#define	RADIUS_ACCESS_REQUEST   1
#define	RADIUS_ACCESS_ACCEPT   2
#define	RADIUS_ACCESS_REJECT   3
#define	RADIUS_USER_NAME   1
#define	RADIUS_PASSWORD   2
#define	RADIUS_SERVICE_TYPE   6
#define	RADIUS_NAS_IDENTIFIER   32
#define	RADIUS_AUTHENTICATE_ONLY   8
#define	RADIUS_TIMEOUT   3

Functions
static void	sendAuthRequest (Port *port, AuthRequest areq, const char *extradata, int extralen)
static void	auth_failed (Port *port, int status, char *logdetail)
static char *	recv_password_packet (Port *port)
static int	CheckPasswordAuth (Port *port, char **logdetail)
static int	CheckPWChallengeAuth (Port *port, char **logdetail)
static int	CheckMD5Auth (Port *port, char *shadow_pass, char **logdetail)
static int	CheckSCRAMAuth (Port *port, char *shadow_pass, char **logdetail)
static int	ident_inet (hbaPort *port)
static int	auth_peer (hbaPort *port)
static int	CheckRADIUSAuth (Port *port)
static int	PerformRadiusTransaction (const char *server, const char *secret, const char *portstr, const char *identifier, const char *user_name, const char *passwd)
void	ClientAuthentication (Port *port)
static bool	interpret_ident_response (const char *ident_response, char *ident_user)
static void	radius_add_attribute (radius_packet *packet, uint8 type, const unsigned char *data, int len)

Variables
char *	pg_krb_server_keyfile
bool	pg_krb_caseins_users
ClientAuthentication_hook_type	ClientAuthentication_hook = NULL

Macro Definition Documentation

HOSTNAME_LOOKUP_DETAIL

#define HOSTNAME_LOOKUP_DETAIL

(

port

)

Value:

(port->remote_hostname ? \
                 (port->remote_hostname_resolv == +1 ? \
                  errdetail_log("Client IP address resolved to \"%s\", forward lookup matches.", \
                                port->remote_hostname) : \
                  port->remote_hostname_resolv == 0 ? \
                  errdetail_log("Client IP address resolved to \"%s\", forward lookup not checked.", \
                                port->remote_hostname) : \
                  port->remote_hostname_resolv == -1 ? \
                  errdetail_log("Client IP address resolved to \"%s\", forward lookup does not match.", \
                                port->remote_hostname) : \
                  port->remote_hostname_resolv == -2 ? \
                  errdetail_log("Could not translate client host name \"%s\" to IP address: %s.", \
                                port->remote_hostname, \
                                gai_strerror(port->remote_hostname_errcode)) : \
                  0) \
                 : (port->remote_hostname_resolv == -2 ? \
                    errdetail_log("Could not resolve client IP address to a host name: %s.", \
                                  gai_strerror(port->remote_hostname_errcode)) : \
                    0))

Referenced by ClientAuthentication().

IDENT_PORT

#define IDENT_PORT   113

Definition at line 71 of file auth.c.

Referenced by ident_inet().

IDENT_USERNAME_MAX

#define IDENT_USERNAME_MAX   512

Definition at line 68 of file auth.c.

Referenced by ident_inet(), and interpret_ident_response().

PG_MAX_AUTH_TOKEN_LENGTH

#define PG_MAX_AUTH_TOKEN_LENGTH   65535

Definition at line 221 of file auth.c.

Referenced by CheckSCRAMAuth().

PG_MAX_SASL_MESSAGE_LENGTH

#define PG_MAX_SASL_MESSAGE_LENGTH   1024

Definition at line 229 of file auth.c.

Referenced by CheckSCRAMAuth().

RADIUS_ACCESS_ACCEPT

#define RADIUS_ACCESS_ACCEPT   2

Definition at line 2941 of file auth.c.

Referenced by PerformRadiusTransaction().

RADIUS_ACCESS_REJECT

#define RADIUS_ACCESS_REJECT   3

Definition at line 2942 of file auth.c.

Referenced by PerformRadiusTransaction().

RADIUS_ACCESS_REQUEST

#define RADIUS_ACCESS_REQUEST   1

Definition at line 2940 of file auth.c.

Referenced by PerformRadiusTransaction().

RADIUS_AUTHENTICATE_ONLY

#define RADIUS_AUTHENTICATE_ONLY   8

Definition at line 2951 of file auth.c.

Referenced by PerformRadiusTransaction().

RADIUS_BUFFER_SIZE

#define RADIUS_BUFFER_SIZE   1024

Definition at line 2920 of file auth.c.

Referenced by PerformRadiusTransaction(), and radius_add_attribute().

RADIUS_HEADER_LENGTH

#define RADIUS_HEADER_LENGTH   20

Definition at line 2916 of file auth.c.

Referenced by PerformRadiusTransaction().

RADIUS_MAX_PASSWORD_LENGTH

#define RADIUS_MAX_PASSWORD_LENGTH   128

Definition at line 2917 of file auth.c.

Referenced by CheckRADIUSAuth(), and PerformRadiusTransaction().

RADIUS_NAS_IDENTIFIER

#define RADIUS_NAS_IDENTIFIER   32

Definition at line 2948 of file auth.c.

Referenced by PerformRadiusTransaction().

RADIUS_PASSWORD

#define RADIUS_PASSWORD   2

Definition at line 2946 of file auth.c.

Referenced by PerformRadiusTransaction().

RADIUS_SERVICE_TYPE

#define RADIUS_SERVICE_TYPE   6

Definition at line 2947 of file auth.c.

Referenced by PerformRadiusTransaction().

RADIUS_TIMEOUT

#define RADIUS_TIMEOUT   3

Definition at line 2954 of file auth.c.

Referenced by PerformRadiusTransaction().

RADIUS_USER_NAME

#define RADIUS_USER_NAME   1

Definition at line 2945 of file auth.c.

Referenced by PerformRadiusTransaction().

RADIUS_VECTOR_LENGTH

#define RADIUS_VECTOR_LENGTH   16

Definition at line 2915 of file auth.c.

Referenced by PerformRadiusTransaction().

Function Documentation

auth_failed()

static void auth_failed ( Port *  port, int  status, char *  logdetail  )

static

Definition at line 257 of file auth.c.

References _, HbaLine::auth_method, ereport, errcode(), ERRCODE_INVALID_PASSWORD, errdetail_log(), errmsg(), FATAL, gettext_noop, Port::hba, HbaLine::linenumber, proc_exit(), psprintf(), HbaLine::rawline, STATUS_EOF, uaBSD, uaCert, uaGSS, uaIdent, uaImplicitReject, uaLDAP, uaMD5, uaPAM, uaPassword, uaRADIUS, uaReject, uaSCRAM, uaSSPI, uaTrust, and Port::user_name.

Referenced by ClientAuthentication().

{
    const char *errstr;
    char       *cdetail;
    int         errcode_return = ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION;

    /*
     * If we failed due to EOF from client, just quit; there's no point in
     * trying to send a message to the client, and not much point in logging
     * the failure in the postmaster log.  (Logging the failure might be
     * desirable, were it not for the fact that libpq closes the connection
     * unceremoniously if challenged for a password when it hasn't got one to
     * send.  We'll get a useless log entry for every psql connection under
     * password auth, even if it's perfectly successful, if we log STATUS_EOF
     * events.)
     */
    if (status == STATUS_EOF)
        proc_exit(0);

    switch (port->hba->auth_method)
    {
        case uaReject:
        case uaImplicitReject:
            errstr = gettext_noop("authentication failed for user \"%s\": host rejected");
            break;
        case uaTrust:
            errstr = gettext_noop("\"trust\" authentication failed for user \"%s\"");
            break;
        case uaIdent:
            errstr = gettext_noop("Ident authentication failed for user \"%s\"");
            break;
        case uaPeer:
            errstr = gettext_noop("Peer authentication failed for user \"%s\"");
            break;
        case uaPassword:
        case uaMD5:
        case uaSCRAM:
            errstr = gettext_noop("password authentication failed for user \"%s\"");
            /* We use it to indicate if a .pgpass password failed. */
            errcode_return = ERRCODE_INVALID_PASSWORD;
            break;
        case uaGSS:
            errstr = gettext_noop("GSSAPI authentication failed for user \"%s\"");
            break;
        case uaSSPI:
            errstr = gettext_noop("SSPI authentication failed for user \"%s\"");
            break;
        case uaPAM:
            errstr = gettext_noop("PAM authentication failed for user \"%s\"");
            break;
        case uaBSD:
            errstr = gettext_noop("BSD authentication failed for user \"%s\"");
            break;
        case uaLDAP:
            errstr = gettext_noop("LDAP authentication failed for user \"%s\"");
            break;
        case uaCert:
            errstr = gettext_noop("certificate authentication failed for user \"%s\"");
            break;
        case uaRADIUS:
            errstr = gettext_noop("RADIUS authentication failed for user \"%s\"");
            break;
        default:
            errstr = gettext_noop("authentication failed for user \"%s\": invalid authentication method");
            break;
    }

    cdetail = psprintf(_("Connection matched pg_hba.conf line %d: \"%s\""),
                       port->hba->linenumber, port->hba->rawline);
    if (logdetail)
        logdetail = psprintf("%s\n%s", logdetail, cdetail);
    else
        logdetail = cdetail;

    ereport(FATAL,
            (errcode(errcode_return),
             errmsg(errstr, port->user_name),
             logdetail ? errdetail_log("%s", logdetail) : 0));

    /* doesn't return */
}

auth_peer()

static int auth_peer ( hbaPort *  port )

static

Definition at line 1993 of file auth.c.

References _, SockAddr::addr, appendBinaryStringInfo(), appendStringInfo(), appendStringInfoChar(), appendStringInfoString(), Assert, HbaLine::auth_method, AUTH_REQ_PASSWORD, calloc, check_usermap(), HbaLine::clientcert, clientCertFull, HbaLine::conntype, ctLocal, StringInfoData::data, elog, ereport, errcode(), errcode_for_socket_access(), errdetail(), errdetail_plural(), errhint(), errmsg(), errmsg_internal(), error(), free, gai_strerror, getpeereid(), Port::hba, i, initStringInfo(), HbaLine::ldapbasedn, HbaLine::ldapbinddn, HbaLine::ldapbindpasswd, HbaLine::ldapport, HbaLine::ldapprefix, HbaLine::ldapscheme, HbaLine::ldapscope, HbaLine::ldapsearchattribute, HbaLine::ldapsearchfilter, HbaLine::ldapserver, HbaLine::ldapsuffix, HbaLine::ldaptls, StringInfoData::len, LOG, NI_MAXHOST, NI_NUMERICHOST, NI_NUMERICSERV, output(), HbaLine::pam_use_hostname, HbaLine::pamservice, password, Port::peer_cn, pfree(), pg_getnameinfo_all(), port, psprintf(), pstrdup(), Port::raddr, recv_password_packet(), SockAddr::salen, sendAuthRequest(), Port::sock, STATUS_EOF, STATUS_ERROR, STATUS_OK, strerror, uaCert, unconstify, user, Port::user_name, HbaLine::usermap, and WARNING.

Referenced by ClientAuthentication().

{
    uid_t       uid;
    gid_t       gid;
#ifndef WIN32
    struct passwd *pw;
    char       *peer_user;
    int         ret;
#endif

    if (getpeereid(port->sock, &uid, &gid) != 0)
    {
        /* Provide special error message if getpeereid is a stub */
        if (errno == ENOSYS)
            ereport(LOG,
                    (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
                     errmsg("peer authentication is not supported on this platform")));
        else
            ereport(LOG,
                    (errcode_for_socket_access(),
                     errmsg("could not get peer credentials: %m")));
        return STATUS_ERROR;
    }

#ifndef WIN32
    errno = 0;                  /* clear errno before call */
    pw = getpwuid(uid);
    if (!pw)
    {
        int         save_errno = errno;

        ereport(LOG,
                (errmsg("could not look up local user ID %ld: %s",
                        (long) uid,
                        save_errno ? strerror(save_errno) : _("user does not exist"))));
        return STATUS_ERROR;
    }

    /* Make a copy of static getpw*() result area. */
    peer_user = pstrdup(pw->pw_name);

    ret = check_usermap(port->hba->usermap, port->user_name, peer_user, false);

    pfree(peer_user);

    return ret;
#else
    /* should have failed with ENOSYS above */
    Assert(false);
    return STATUS_ERROR;
#endif
}

CheckMD5Auth()

static int CheckMD5Auth ( Port *  port, char *  shadow_pass, char **  logdetail  )

static

Definition at line 845 of file auth.c.

References AUTH_REQ_MD5, Db_user_namespace, ereport, errcode(), errmsg(), FATAL, LOG, md5_crypt_verify(), pfree(), pg_strong_random(), recv_password_packet(), sendAuthRequest(), STATUS_EOF, STATUS_ERROR, and Port::user_name.

Referenced by CheckPWChallengeAuth().

{
    char        md5Salt[4];     /* Password salt */
    char       *passwd;
    int         result;

    if (Db_user_namespace)
        ereport(FATAL,
                (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
                 errmsg("MD5 authentication is not supported when \"db_user_namespace\" is enabled")));

    /* include the salt to use for computing the response */
    if (!pg_strong_random(md5Salt, 4))
    {
        ereport(LOG,
                (errmsg("could not generate random MD5 salt")));
        return STATUS_ERROR;
    }

    sendAuthRequest(port, AUTH_REQ_MD5, md5Salt, 4);

    passwd = recv_password_packet(port);
    if (passwd == NULL)
        return STATUS_EOF;      /* client wouldn't send password */

    if (shadow_pass)
        result = md5_crypt_verify(port->user_name, shadow_pass, passwd,
                                  md5Salt, 4, logdetail);
    else
        result = STATUS_ERROR;

    pfree(passwd);

    return result;
}

CheckPasswordAuth()

static int CheckPasswordAuth ( Port *  port, char **  logdetail  )

static

Definition at line 757 of file auth.c.

References AUTH_REQ_PASSWORD, get_role_password(), pfree(), plain_crypt_verify(), recv_password_packet(), sendAuthRequest(), STATUS_EOF, STATUS_ERROR, and Port::user_name.

Referenced by ClientAuthentication().

{
    char       *passwd;
    int         result;
    char       *shadow_pass;

    sendAuthRequest(port, AUTH_REQ_PASSWORD, NULL, 0);

    passwd = recv_password_packet(port);
    if (passwd == NULL)
        return STATUS_EOF;      /* client wouldn't send password */

    shadow_pass = get_role_password(port->user_name, logdetail);
    if (shadow_pass)
    {
        result = plain_crypt_verify(port->user_name, shadow_pass, passwd,
                                    logdetail);
    }
    else
        result = STATUS_ERROR;

    if (shadow_pass)
        pfree(shadow_pass);
    pfree(passwd);

    return result;
}

CheckPWChallengeAuth()

static int CheckPWChallengeAuth ( Port *  port, char **  logdetail  )

static

Definition at line 789 of file auth.c.

References Assert, HbaLine::auth_method, CheckMD5Auth(), CheckSCRAMAuth(), get_password_type(), get_role_password(), Port::hba, Password_encryption, PASSWORD_TYPE_MD5, pfree(), STATUS_ERROR, STATUS_OK, uaMD5, uaSCRAM, and Port::user_name.

Referenced by ClientAuthentication().

{
    int         auth_result;
    char       *shadow_pass;
    PasswordType pwtype;

    Assert(port->hba->auth_method == uaSCRAM ||
           port->hba->auth_method == uaMD5);

    /* First look up the user's password. */
    shadow_pass = get_role_password(port->user_name, logdetail);

    /*
     * If the user does not exist, or has no password or it's expired, we
     * still go through the motions of authentication, to avoid revealing to
     * the client that the user didn't exist.  If 'md5' is allowed, we choose
     * whether to use 'md5' or 'scram-sha-256' authentication based on current
     * password_encryption setting.  The idea is that most genuine users
     * probably have a password of that type, and if we pretend that this user
     * had a password of that type, too, it "blends in" best.
     */
    if (!shadow_pass)
        pwtype = Password_encryption;
    else
        pwtype = get_password_type(shadow_pass);

    /*
     * If 'md5' authentication is allowed, decide whether to perform 'md5' or
     * 'scram-sha-256' authentication based on the type of password the user
     * has.  If it's an MD5 hash, we must do MD5 authentication, and if it's a
     * SCRAM secret, we must do SCRAM authentication.
     *
     * If MD5 authentication is not allowed, always use SCRAM.  If the user
     * had an MD5 password, CheckSCRAMAuth() will fail.
     */
    if (port->hba->auth_method == uaMD5 && pwtype == PASSWORD_TYPE_MD5)
        auth_result = CheckMD5Auth(port, shadow_pass, logdetail);
    else
        auth_result = CheckSCRAMAuth(port, shadow_pass, logdetail);

    if (shadow_pass)
        pfree(shadow_pass);

    /*
     * If get_role_password() returned error, return error, even if the
     * authentication succeeded.
     */
    if (!shadow_pass)
    {
        Assert(auth_result != STATUS_OK);
        return STATUS_ERROR;
    }
    return auth_result;
}

CheckRADIUSAuth()

static int CheckRADIUSAuth ( Port *  port )

static

Definition at line 2983 of file auth.c.

References Assert, AUTH_REQ_PASSWORD, ereport, errmsg(), Port::hba, lfirst, list_head(), list_length(), lnext(), LOG, offsetof, PerformRadiusTransaction(), pfree(), RADIUS_MAX_PASSWORD_LENGTH, HbaLine::radiusidentifiers, HbaLine::radiusports, HbaLine::radiussecrets, HbaLine::radiusservers, recv_password_packet(), sendAuthRequest(), STATUS_EOF, STATUS_ERROR, STATUS_OK, and Port::user_name.

Referenced by ClientAuthentication().

{
    char       *passwd;
    ListCell   *server,
               *secrets,
               *radiusports,
               *identifiers;

    /* Make sure struct alignment is correct */
    Assert(offsetof(radius_packet, vector) == 4);

    /* Verify parameters */
    if (list_length(port->hba->radiusservers) < 1)
    {
        ereport(LOG,
                (errmsg("RADIUS server not specified")));
        return STATUS_ERROR;
    }

    if (list_length(port->hba->radiussecrets) < 1)
    {
        ereport(LOG,
                (errmsg("RADIUS secret not specified")));
        return STATUS_ERROR;
    }

    /* Send regular password request to client, and get the response */
    sendAuthRequest(port, AUTH_REQ_PASSWORD, NULL, 0);

    passwd = recv_password_packet(port);
    if (passwd == NULL)
        return STATUS_EOF;      /* client wouldn't send password */

    if (strlen(passwd) > RADIUS_MAX_PASSWORD_LENGTH)
    {
        ereport(LOG,
                (errmsg("RADIUS authentication does not support passwords longer than %d characters", RADIUS_MAX_PASSWORD_LENGTH)));
        pfree(passwd);
        return STATUS_ERROR;
    }

    /*
     * Loop over and try each server in order.
     */
    secrets = list_head(port->hba->radiussecrets);
    radiusports = list_head(port->hba->radiusports);
    identifiers = list_head(port->hba->radiusidentifiers);
    foreach(server, port->hba->radiusservers)
    {
        int         ret = PerformRadiusTransaction(lfirst(server),
                                                   lfirst(secrets),
                                                   radiusports ? lfirst(radiusports) : NULL,
                                                   identifiers ? lfirst(identifiers) : NULL,
                                                   port->user_name,
                                                   passwd);

        /*------
         * STATUS_OK = Login OK
         * STATUS_ERROR = Login not OK, but try next server
         * STATUS_EOF = Login not OK, and don't try next server
         *------
         */
        if (ret == STATUS_OK)
        {
            pfree(passwd);
            return STATUS_OK;
        }
        else if (ret == STATUS_EOF)
        {
            pfree(passwd);
            return STATUS_ERROR;
        }

        /*
         * secret, port and identifiers either have length 0 (use default),
         * length 1 (use the same everywhere) or the same length as servers.
         * So if the length is >1, we advance one step. In other cases, we
         * don't and will then reuse the correct value.
         */
        if (list_length(port->hba->radiussecrets) > 1)
            secrets = lnext(port->hba->radiussecrets, secrets);
        if (list_length(port->hba->radiusports) > 1)
            radiusports = lnext(port->hba->radiusports, radiusports);
        if (list_length(port->hba->radiusidentifiers) > 1)
            identifiers = lnext(port->hba->radiusidentifiers, identifiers);
    }

    /* No servers left to try, so give up */
    pfree(passwd);
    return STATUS_ERROR;
}

CheckSCRAMAuth()

static int CheckSCRAMAuth ( Port *  port, char *  shadow_pass, char **  logdetail  )

static

Definition at line 882 of file auth.c.

References _, appendStringInfoChar(), Assert, AUTH_REQ_GSS_CONT, AUTH_REQ_SASL, AUTH_REQ_SASL_CONT, AUTH_REQ_SASL_FIN, buf, CHECK_FOR_INTERRUPTS, check_usermap(), HbaLine::compat_realm, StringInfoData::data, DEBUG2, DEBUG4, DEBUG5, elog, ereport, errcode(), errdetail_internal(), errmsg(), errmsg_internal(), ERROR, FATAL, free, FrontendProtocol, Port::gss, Port::hba, HbaLine::include_realm, initStringInfo(), HbaLine::krb_realm, StringInfoData::len, LOG, malloc, MAXPGPATH, MemoryContextStrdup(), output(), palloc(), pfree(), pg_be_scram_exchange(), pg_be_scram_get_mechanisms(), pg_be_scram_init(), pg_GSS_error(), pg_krb_caseins_users, pg_krb_server_keyfile, PG_MAX_AUTH_TOKEN_LENGTH, PG_MAX_SASL_MESSAGE_LENGTH, PG_PROTOCOL_MAJOR, pg_strcasecmp(), port, pq_getbyte(), pq_getmessage(), pq_getmsgbytes(), pq_getmsgend(), pq_getmsgint(), pq_getmsgrawstring(), pq_startmsgread(), psprintf(), putenv, SASL_EXCHANGE_CONTINUE, SASL_EXCHANGE_SUCCESS, sendAuthRequest(), snprintf, status(), STATUS_EOF, STATUS_ERROR, STATUS_OK, TopMemoryContext, HbaLine::upn_username, Port::user_name, and HbaLine::usermap.

Referenced by CheckPWChallengeAuth().

{
    StringInfoData sasl_mechs;
    int         mtype;
    StringInfoData buf;
    void       *scram_opaq = NULL;
    char       *output = NULL;
    int         outputlen = 0;
    const char *input;
    int         inputlen;
    int         result;
    bool        initial;

    /*
     * SASL auth is not supported for protocol versions before 3, because it
     * relies on the overall message length word to determine the SASL payload
     * size in AuthenticationSASLContinue and PasswordMessage messages.  (We
     * used to have a hard rule that protocol messages must be parsable
     * without relying on the length word, but we hardly care about older
     * protocol version anymore.)
     */
    if (PG_PROTOCOL_MAJOR(FrontendProtocol) < 3)
        ereport(FATAL,
                (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
                 errmsg("SASL authentication is not supported in protocol version 2")));

    /*
     * Send the SASL authentication request to user.  It includes the list of
     * authentication mechanisms that are supported.
     */
    initStringInfo(&sasl_mechs);

    pg_be_scram_get_mechanisms(port, &sasl_mechs);
    /* Put another '\0' to mark that list is finished. */
    appendStringInfoChar(&sasl_mechs, '\0');

    sendAuthRequest(port, AUTH_REQ_SASL, sasl_mechs.data, sasl_mechs.len);
    pfree(sasl_mechs.data);

    /*
     * Loop through SASL message exchange.  This exchange can consist of
     * multiple messages sent in both directions.  First message is always
     * from the client.  All messages from client to server are password
     * packets (type 'p').
     */
    initial = true;
    do
    {
        pq_startmsgread();
        mtype = pq_getbyte();
        if (mtype != 'p')
        {
            /* Only log error if client didn't disconnect. */
            if (mtype != EOF)
            {
                ereport(ERROR,
                        (errcode(ERRCODE_PROTOCOL_VIOLATION),
                         errmsg("expected SASL response, got message type %d",
                                mtype)));
            }
            else
                return STATUS_EOF;
        }

        /* Get the actual SASL message */
        initStringInfo(&buf);
        if (pq_getmessage(&buf, PG_MAX_SASL_MESSAGE_LENGTH))
        {
            /* EOF - pq_getmessage already logged error */
            pfree(buf.data);
            return STATUS_ERROR;
        }

        elog(DEBUG4, "processing received SASL response of length %d", buf.len);

        /*
         * The first SASLInitialResponse message is different from the others.
         * It indicates which SASL mechanism the client selected, and contains
         * an optional Initial Client Response payload.  The subsequent
         * SASLResponse messages contain just the SASL payload.
         */
        if (initial)
        {
            const char *selected_mech;

            selected_mech = pq_getmsgrawstring(&buf);

            /*
             * Initialize the status tracker for message exchanges.
             *
             * If the user doesn't exist, or doesn't have a valid password, or
             * it's expired, we still go through the motions of SASL
             * authentication, but tell the authentication method that the
             * authentication is "doomed". That is, it's going to fail, no
             * matter what.
             *
             * This is because we don't want to reveal to an attacker what
             * usernames are valid, nor which users have a valid password.
             */
            scram_opaq = pg_be_scram_init(port, selected_mech, shadow_pass);

            inputlen = pq_getmsgint(&buf, 4);
            if (inputlen == -1)
                input = NULL;
            else
                input = pq_getmsgbytes(&buf, inputlen);

            initial = false;
        }
        else
        {
            inputlen = buf.len;
            input = pq_getmsgbytes(&buf, buf.len);
        }
        pq_getmsgend(&buf);

        /*
         * The StringInfo guarantees that there's a \0 byte after the
         * response.
         */
        Assert(input == NULL || input[inputlen] == '\0');

        /*
         * we pass 'logdetail' as NULL when doing a mock authentication,
         * because we should already have a better error message in that case
         */
        result = pg_be_scram_exchange(scram_opaq, input, inputlen,
                                      &output, &outputlen,
                                      logdetail);

        /* input buffer no longer used */
        pfree(buf.data);

        if (output)
        {
            /*
             * Negotiation generated data to be sent to the client.
             */
            elog(DEBUG4, "sending SASL challenge of length %u", outputlen);

            if (result == SASL_EXCHANGE_SUCCESS)
                sendAuthRequest(port, AUTH_REQ_SASL_FIN, output, outputlen);
            else
                sendAuthRequest(port, AUTH_REQ_SASL_CONT, output, outputlen);

            pfree(output);
        }
    } while (result == SASL_EXCHANGE_CONTINUE);

    /* Oops, Something bad happened */
    if (result != SASL_EXCHANGE_SUCCESS)
    {
        return STATUS_ERROR;
    }

    return STATUS_OK;
}

ClientAuthentication()

void ClientAuthentication

(

Port *

port

)

Definition at line 345 of file auth.c.

References _, SockAddr::addr, am_walsender, Assert, auth_failed(), HbaLine::auth_method, auth_peer(), AUTH_REQ_GSS, AUTH_REQ_OK, AUTH_REQ_SSPI, CHECK_FOR_INTERRUPTS, CheckPasswordAuth(), CheckPWChallengeAuth(), CheckRADIUSAuth(), ClientAuthentication_hook, HbaLine::clientcert, clientCertFull, clientCertOff, Port::database_name, ereport, errcode(), errmsg(), FATAL, Port::gss, Port::hba, hba_getauthmethod(), HOSTNAME_LOOKUP_DETAIL, ident_inet(), NI_MAXHOST, NI_NUMERICHOST, Port::peer_cert_valid, pg_getnameinfo_all(), port, Port::raddr, SockAddr::salen, secure_loaded_verify_locations(), sendAuthRequest(), Port::ssl_in_use, status(), STATUS_ERROR, STATUS_OK, uaBSD, uaCert, uaGSS, uaIdent, uaImplicitReject, uaLDAP, uaMD5, uaPAM, uaPassword, uaRADIUS, uaReject, uaSCRAM, uaSSPI, uaTrust, and Port::user_name.

Referenced by PerformAuthentication().

{
    int         status = STATUS_ERROR;
    char       *logdetail = NULL;

    /*
     * Get the authentication method to use for this frontend/database
     * combination.  Note: we do not parse the file at this point; this has
     * already been done elsewhere.  hba.c dropped an error message into the
     * server logfile if parsing the hba config file failed.
     */
    hba_getauthmethod(port);

    CHECK_FOR_INTERRUPTS();

    /*
     * This is the first point where we have access to the hba record for the
     * current connection, so perform any verifications based on the hba
     * options field that should be done *before* the authentication here.
     */
    if (port->hba->clientcert != clientCertOff)
    {
        /* If we haven't loaded a root certificate store, fail */
        if (!secure_loaded_verify_locations())
            ereport(FATAL,
                    (errcode(ERRCODE_CONFIG_FILE_ERROR),
                     errmsg("client certificates can only be checked if a root certificate store is available")));

        /*
         * If we loaded a root certificate store, and if a certificate is
         * present on the client, then it has been verified against our root
         * certificate store, and the connection would have been aborted
         * already if it didn't verify ok.
         */
        if (!port->peer_cert_valid)
            ereport(FATAL,
                    (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
                     errmsg("connection requires a valid client certificate")));
    }

#ifdef ENABLE_GSS
    if (port->gss->enc && port->hba->auth_method != uaReject &&
        port->hba->auth_method != uaImplicitReject &&
        port->hba->auth_method != uaTrust &&
        port->hba->auth_method != uaGSS)
    {
        ereport(FATAL, (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
                        errmsg("GSSAPI encryption can only be used with gss, trust, or reject authentication methods")));
    }
#endif

    /*
     * Now proceed to do the actual authentication check
     */
    switch (port->hba->auth_method)
    {
        case uaReject:

            /*
             * An explicit "reject" entry in pg_hba.conf.  This report exposes
             * the fact that there's an explicit reject entry, which is
             * perhaps not so desirable from a security standpoint; but the
             * message for an implicit reject could confuse the DBA a lot when
             * the true situation is a match to an explicit reject.  And we
             * don't want to change the message for an implicit reject.  As
             * noted below, the additional information shown here doesn't
             * expose anything not known to an attacker.
             */
            {
                char        hostinfo[NI_MAXHOST];

                pg_getnameinfo_all(&port->raddr.addr, port->raddr.salen,
                                   hostinfo, sizeof(hostinfo),
                                   NULL, 0,
                                   NI_NUMERICHOST);

                if (am_walsender)
                {
#ifdef USE_SSL
                    ereport(FATAL,
                            (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
                             errmsg("pg_hba.conf rejects replication connection for host \"%s\", user \"%s\", %s",
                                    hostinfo, port->user_name,
                                    port->ssl_in_use ? _("SSL on") : _("SSL off"))));
#else
                    ereport(FATAL,
                            (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
                             errmsg("pg_hba.conf rejects replication connection for host \"%s\", user \"%s\"",
                                    hostinfo, port->user_name)));
#endif
                }
                else
                {
#ifdef USE_SSL
                    ereport(FATAL,
                            (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
                             errmsg("pg_hba.conf rejects connection for host \"%s\", user \"%s\", database \"%s\", %s",
                                    hostinfo, port->user_name,
                                    port->database_name,
                                    port->ssl_in_use ? _("SSL on") : _("SSL off"))));
#else
                    ereport(FATAL,
                            (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
                             errmsg("pg_hba.conf rejects connection for host \"%s\", user \"%s\", database \"%s\"",
                                    hostinfo, port->user_name,
                                    port->database_name)));
#endif
                }
                break;
            }

        case uaImplicitReject:

            /*
             * No matching entry, so tell the user we fell through.
             *
             * NOTE: the extra info reported here is not a security breach,
             * because all that info is known at the frontend and must be
             * assumed known to bad guys.  We're merely helping out the less
             * clueful good guys.
             */
            {
                char        hostinfo[NI_MAXHOST];

                pg_getnameinfo_all(&port->raddr.addr, port->raddr.salen,
                                   hostinfo, sizeof(hostinfo),
                                   NULL, 0,
                                   NI_NUMERICHOST);

#define HOSTNAME_LOOKUP_DETAIL(port) \
                (port->remote_hostname ? \
                 (port->remote_hostname_resolv == +1 ? \
                  errdetail_log("Client IP address resolved to \"%s\", forward lookup matches.", \
                                port->remote_hostname) : \
                  port->remote_hostname_resolv == 0 ? \
                  errdetail_log("Client IP address resolved to \"%s\", forward lookup not checked.", \
                                port->remote_hostname) : \
                  port->remote_hostname_resolv == -1 ? \
                  errdetail_log("Client IP address resolved to \"%s\", forward lookup does not match.", \
                                port->remote_hostname) : \
                  port->remote_hostname_resolv == -2 ? \
                  errdetail_log("Could not translate client host name \"%s\" to IP address: %s.", \
                                port->remote_hostname, \
                                gai_strerror(port->remote_hostname_errcode)) : \
                  0) \
                 : (port->remote_hostname_resolv == -2 ? \
                    errdetail_log("Could not resolve client IP address to a host name: %s.", \
                                  gai_strerror(port->remote_hostname_errcode)) : \
                    0))

                if (am_walsender)
                {
#ifdef USE_SSL
                    ereport(FATAL,
                            (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
                             errmsg("no pg_hba.conf entry for replication connection from host \"%s\", user \"%s\", %s",
                                    hostinfo, port->user_name,
                                    port->ssl_in_use ? _("SSL on") : _("SSL off")),
                             HOSTNAME_LOOKUP_DETAIL(port)));
#else
                    ereport(FATAL,
                            (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
                             errmsg("no pg_hba.conf entry for replication connection from host \"%s\", user \"%s\"",
                                    hostinfo, port->user_name),
                             HOSTNAME_LOOKUP_DETAIL(port)));
#endif
                }
                else
                {
#ifdef USE_SSL
                    ereport(FATAL,
                            (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
                             errmsg("no pg_hba.conf entry for host \"%s\", user \"%s\", database \"%s\", %s",
                                    hostinfo, port->user_name,
                                    port->database_name,
                                    port->ssl_in_use ? _("SSL on") : _("SSL off")),
                             HOSTNAME_LOOKUP_DETAIL(port)));
#else
                    ereport(FATAL,
                            (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
                             errmsg("no pg_hba.conf entry for host \"%s\", user \"%s\", database \"%s\"",
                                    hostinfo, port->user_name,
                                    port->database_name),
                             HOSTNAME_LOOKUP_DETAIL(port)));
#endif
                }
                break;
            }

        case uaGSS:
#ifdef ENABLE_GSS
            port->gss->auth = true;
            if (port->gss->enc)
                status = pg_GSS_checkauth(port);
            else
            {
                sendAuthRequest(port, AUTH_REQ_GSS, NULL, 0);
                status = pg_GSS_recvauth(port);
            }
#else
            Assert(false);
#endif
            break;

        case uaSSPI:
#ifdef ENABLE_SSPI
            sendAuthRequest(port, AUTH_REQ_SSPI, NULL, 0);
            status = pg_SSPI_recvauth(port);
#else
            Assert(false);
#endif
            break;

        case uaPeer:
            status = auth_peer(port);
            break;

        case uaIdent:
            status = ident_inet(port);
            break;

        case uaMD5:
        case uaSCRAM:
            status = CheckPWChallengeAuth(port, &logdetail);
            break;

        case uaPassword:
            status = CheckPasswordAuth(port, &logdetail);
            break;

        case uaPAM:
#ifdef USE_PAM
            status = CheckPAMAuth(port, port->user_name, "");
#else
            Assert(false);
#endif                          /* USE_PAM */
            break;

        case uaBSD:
#ifdef USE_BSD_AUTH
            status = CheckBSDAuth(port, port->user_name);
#else
            Assert(false);
#endif                          /* USE_BSD_AUTH */
            break;

        case uaLDAP:
#ifdef USE_LDAP
            status = CheckLDAPAuth(port);
#else
            Assert(false);
#endif
            break;
        case uaRADIUS:
            status = CheckRADIUSAuth(port);
            break;
        case uaCert:
            /* uaCert will be treated as if clientcert=verify-full (uaTrust) */
        case uaTrust:
            status = STATUS_OK;
            break;
    }

    if ((status == STATUS_OK && port->hba->clientcert == clientCertFull)
        || port->hba->auth_method == uaCert)
    {
        /*
         * Make sure we only check the certificate if we use the cert method
         * or verify-full option.
         */
#ifdef USE_SSL
        status = CheckCertAuth(port);
#else
        Assert(false);
#endif
    }

    if (ClientAuthentication_hook)
        (*ClientAuthentication_hook) (port, status);

    if (status == STATUS_OK)
        sendAuthRequest(port, AUTH_REQ_OK, NULL, 0);
    else
        auth_failed(port, status, logdetail);
}

ident_inet()

static int ident_inet ( hbaPort *  port )

static

Definition at line 1815 of file auth.c.

References SockAddr::addr, addrinfo::ai_addr, addrinfo::ai_addrlen, addrinfo::ai_family, AI_NUMERICHOST, addrinfo::ai_protocol, addrinfo::ai_socktype, bind, CHECK_FOR_INTERRUPTS, check_usermap(), closesocket, connect, EINTR, ereport, errcode_for_socket_access(), errmsg(), Port::hba, IDENT_PORT, IDENT_USERNAME_MAX, interpret_ident_response(), Port::laddr, LOG, NI_MAXHOST, NI_MAXSERV, NI_NUMERICHOST, NI_NUMERICSERV, pg_freeaddrinfo_all(), pg_getaddrinfo_all(), pg_getnameinfo_all(), PGINVALID_SOCKET, Port::raddr, recv, SockAddr::salen, send, snprintf, socket, STATUS_ERROR, Port::user_name, and HbaLine::usermap.

Referenced by ClientAuthentication().

{
    const SockAddr remote_addr = port->raddr;
    const SockAddr local_addr = port->laddr;
    char        ident_user[IDENT_USERNAME_MAX + 1];
    pgsocket    sock_fd = PGINVALID_SOCKET; /* for talking to Ident server */
    int         rc;             /* Return code from a locally called function */
    bool        ident_return;
    char        remote_addr_s[NI_MAXHOST];
    char        remote_port[NI_MAXSERV];
    char        local_addr_s[NI_MAXHOST];
    char        local_port[NI_MAXSERV];
    char        ident_port[NI_MAXSERV];
    char        ident_query[80];
    char        ident_response[80 + IDENT_USERNAME_MAX];
    struct addrinfo *ident_serv = NULL,
               *la = NULL,
                hints;

    /*
     * Might look a little weird to first convert it to text and then back to
     * sockaddr, but it's protocol independent.
     */
    pg_getnameinfo_all(&remote_addr.addr, remote_addr.salen,
                       remote_addr_s, sizeof(remote_addr_s),
                       remote_port, sizeof(remote_port),
                       NI_NUMERICHOST | NI_NUMERICSERV);
    pg_getnameinfo_all(&local_addr.addr, local_addr.salen,
                       local_addr_s, sizeof(local_addr_s),
                       local_port, sizeof(local_port),
                       NI_NUMERICHOST | NI_NUMERICSERV);

    snprintf(ident_port, sizeof(ident_port), "%d", IDENT_PORT);
    hints.ai_flags = AI_NUMERICHOST;
    hints.ai_family = remote_addr.addr.ss_family;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_protocol = 0;
    hints.ai_addrlen = 0;
    hints.ai_canonname = NULL;
    hints.ai_addr = NULL;
    hints.ai_next = NULL;
    rc = pg_getaddrinfo_all(remote_addr_s, ident_port, &hints, &ident_serv);
    if (rc || !ident_serv)
    {
        /* we don't expect this to happen */
        ident_return = false;
        goto ident_inet_done;
    }

    hints.ai_flags = AI_NUMERICHOST;
    hints.ai_family = local_addr.addr.ss_family;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_protocol = 0;
    hints.ai_addrlen = 0;
    hints.ai_canonname = NULL;
    hints.ai_addr = NULL;
    hints.ai_next = NULL;
    rc = pg_getaddrinfo_all(local_addr_s, NULL, &hints, &la);
    if (rc || !la)
    {
        /* we don't expect this to happen */
        ident_return = false;
        goto ident_inet_done;
    }

    sock_fd = socket(ident_serv->ai_family, ident_serv->ai_socktype,
                     ident_serv->ai_protocol);
    if (sock_fd == PGINVALID_SOCKET)
    {
        ereport(LOG,
                (errcode_for_socket_access(),
                 errmsg("could not create socket for Ident connection: %m")));
        ident_return = false;
        goto ident_inet_done;
    }

    /*
     * Bind to the address which the client originally contacted, otherwise
     * the ident server won't be able to match up the right connection. This
     * is necessary if the PostgreSQL server is running on an IP alias.
     */
    rc = bind(sock_fd, la->ai_addr, la->ai_addrlen);
    if (rc != 0)
    {
        ereport(LOG,
                (errcode_for_socket_access(),
                 errmsg("could not bind to local address \"%s\": %m",
                        local_addr_s)));
        ident_return = false;
        goto ident_inet_done;
    }

    rc = connect(sock_fd, ident_serv->ai_addr,
                 ident_serv->ai_addrlen);
    if (rc != 0)
    {
        ereport(LOG,
                (errcode_for_socket_access(),
                 errmsg("could not connect to Ident server at address \"%s\", port %s: %m",
                        remote_addr_s, ident_port)));
        ident_return = false;
        goto ident_inet_done;
    }

    /* The query we send to the Ident server */
    snprintf(ident_query, sizeof(ident_query), "%s,%s\r\n",
             remote_port, local_port);

    /* loop in case send is interrupted */
    do
    {
        CHECK_FOR_INTERRUPTS();

        rc = send(sock_fd, ident_query, strlen(ident_query), 0);
    } while (rc < 0 && errno == EINTR);

    if (rc < 0)
    {
        ereport(LOG,
                (errcode_for_socket_access(),
                 errmsg("could not send query to Ident server at address \"%s\", port %s: %m",
                        remote_addr_s, ident_port)));
        ident_return = false;
        goto ident_inet_done;
    }

    do
    {
        CHECK_FOR_INTERRUPTS();

        rc = recv(sock_fd, ident_response, sizeof(ident_response) - 1, 0);
    } while (rc < 0 && errno == EINTR);

    if (rc < 0)
    {
        ereport(LOG,
                (errcode_for_socket_access(),
                 errmsg("could not receive response from Ident server at address \"%s\", port %s: %m",
                        remote_addr_s, ident_port)));
        ident_return = false;
        goto ident_inet_done;
    }

    ident_response[rc] = '\0';
    ident_return = interpret_ident_response(ident_response, ident_user);
    if (!ident_return)
        ereport(LOG,
                (errmsg("invalidly formatted response from Ident server: \"%s\"",
                        ident_response)));

ident_inet_done:
    if (sock_fd != PGINVALID_SOCKET)
        closesocket(sock_fd);
    if (ident_serv)
        pg_freeaddrinfo_all(remote_addr.addr.ss_family, ident_serv);
    if (la)
        pg_freeaddrinfo_all(local_addr.addr.ss_family, la);

    if (ident_return)
        /* Success! Check the usermap */
        return check_usermap(port->hba->usermap, port->user_name, ident_user, false);
    return STATUS_ERROR;
}

interpret_ident_response()

static bool interpret_ident_response ( const char *  ident_response, char *  ident_user  )

static

Definition at line 1732 of file auth.c.

References i, IDENT_USERNAME_MAX, and pg_isblank().

Referenced by ident_inet().

{
    const char *cursor = ident_response;    /* Cursor into *ident_response */

    /*
     * Ident's response, in the telnet tradition, should end in crlf (\r\n).
     */
    if (strlen(ident_response) < 2)
        return false;
    else if (ident_response[strlen(ident_response) - 2] != '\r')
        return false;
    else
    {
        while (*cursor != ':' && *cursor != '\r')
            cursor++;           /* skip port field */

        if (*cursor != ':')
            return false;
        else
        {
            /* We're positioned to colon before response type field */
            char        response_type[80];
            int         i;      /* Index into *response_type */

            cursor++;           /* Go over colon */
            while (pg_isblank(*cursor))
                cursor++;       /* skip blanks */
            i = 0;
            while (*cursor != ':' && *cursor != '\r' && !pg_isblank(*cursor) &&
                   i < (int) (sizeof(response_type) - 1))
                response_type[i++] = *cursor++;
            response_type[i] = '\0';
            while (pg_isblank(*cursor))
                cursor++;       /* skip blanks */
            if (strcmp(response_type, "USERID") != 0)
                return false;
            else
            {
                /*
                 * It's a USERID response.  Good.  "cursor" should be pointing
                 * to the colon that precedes the operating system type.
                 */
                if (*cursor != ':')
                    return false;
                else
                {
                    cursor++;   /* Go over colon */
                    /* Skip over operating system field. */
                    while (*cursor != ':' && *cursor != '\r')
                        cursor++;
                    if (*cursor != ':')
                        return false;
                    else
                    {
                        int         i;  /* Index into *ident_user */

                        cursor++;   /* Go over colon */
                        while (pg_isblank(*cursor))
                            cursor++;   /* skip blanks */
                        /* Rest of line is user name.  Copy it over. */
                        i = 0;
                        while (*cursor != '\r' && i < IDENT_USERNAME_MAX)
                            ident_user[i++] = *cursor++;
                        ident_user[i] = '\0';
                        return true;
                    }
                }
            }
        }
    }
}

PerformRadiusTransaction()

static int PerformRadiusTransaction ( const char *  server, const char *  secret, const char *  portstr, const char *  identifier, const char *  user_name, const char *  passwd  )

static

Definition at line 3076 of file auth.c.

References addrinfo::ai_family, addrinfo::ai_socktype, bind, closesocket, radius_packet::code, EINTR, ereport, errmsg(), gai_strerror, gettimeofday(), i, radius_packet::id, radius_packet::length, LOG, MemSet, palloc(), pfree(), pg_freeaddrinfo_all(), pg_getaddrinfo_all(), pg_hton16, pg_hton32, pg_md5_binary(), pg_ntoh16, pg_strong_random(), PGINVALID_SOCKET, port, RADIUS_ACCESS_ACCEPT, RADIUS_ACCESS_REJECT, RADIUS_ACCESS_REQUEST, radius_add_attribute(), RADIUS_AUTHENTICATE_ONLY, RADIUS_BUFFER_SIZE, RADIUS_HEADER_LENGTH, RADIUS_MAX_PASSWORD_LENGTH, RADIUS_NAS_IDENTIFIER, RADIUS_PASSWORD, RADIUS_SERVICE_TYPE, RADIUS_TIMEOUT, RADIUS_USER_NAME, RADIUS_VECTOR_LENGTH, select, socket, STATUS_EOF, STATUS_ERROR, STATUS_OK, and radius_packet::vector.

Referenced by CheckRADIUSAuth().

{
    radius_packet radius_send_pack;
    radius_packet radius_recv_pack;
    radius_packet *packet = &radius_send_pack;
    radius_packet *receivepacket = &radius_recv_pack;
    char       *radius_buffer = (char *) &radius_send_pack;
    char       *receive_buffer = (char *) &radius_recv_pack;
    int32       service = pg_hton32(RADIUS_AUTHENTICATE_ONLY);
    uint8      *cryptvector;
    int         encryptedpasswordlen;
    uint8       encryptedpassword[RADIUS_MAX_PASSWORD_LENGTH];
    uint8      *md5trailer;
    int         packetlength;
    pgsocket    sock;

#ifdef HAVE_IPV6
    struct sockaddr_in6 localaddr;
    struct sockaddr_in6 remoteaddr;
#else
    struct sockaddr_in localaddr;
    struct sockaddr_in remoteaddr;
#endif
    struct addrinfo hint;
    struct addrinfo *serveraddrs;
    int         port;
    ACCEPT_TYPE_ARG3 addrsize;
    fd_set      fdset;
    struct timeval endtime;
    int         i,
                j,
                r;

    /* Assign default values */
    if (portstr == NULL)
        portstr = "1812";
    if (identifier == NULL)
        identifier = "postgresql";

    MemSet(&hint, 0, sizeof(hint));
    hint.ai_socktype = SOCK_DGRAM;
    hint.ai_family = AF_UNSPEC;
    port = atoi(portstr);

    r = pg_getaddrinfo_all(server, portstr, &hint, &serveraddrs);
    if (r || !serveraddrs)
    {
        ereport(LOG,
                (errmsg("could not translate RADIUS server name \"%s\" to address: %s",
                        server, gai_strerror(r))));
        if (serveraddrs)
            pg_freeaddrinfo_all(hint.ai_family, serveraddrs);
        return STATUS_ERROR;
    }
    /* XXX: add support for multiple returned addresses? */

    /* Construct RADIUS packet */
    packet->code = RADIUS_ACCESS_REQUEST;
    packet->length = RADIUS_HEADER_LENGTH;
    if (!pg_strong_random(packet->vector, RADIUS_VECTOR_LENGTH))
    {
        ereport(LOG,
                (errmsg("could not generate random encryption vector")));
        pg_freeaddrinfo_all(hint.ai_family, serveraddrs);
        return STATUS_ERROR;
    }
    packet->id = packet->vector[0];
    radius_add_attribute(packet, RADIUS_SERVICE_TYPE, (const unsigned char *) &service, sizeof(service));
    radius_add_attribute(packet, RADIUS_USER_NAME, (const unsigned char *) user_name, strlen(user_name));
    radius_add_attribute(packet, RADIUS_NAS_IDENTIFIER, (const unsigned char *) identifier, strlen(identifier));

    /*
     * RADIUS password attributes are calculated as: e[0] = p[0] XOR
     * MD5(secret + Request Authenticator) for the first group of 16 octets,
     * and then: e[i] = p[i] XOR MD5(secret + e[i-1]) for the following ones
     * (if necessary)
     */
    encryptedpasswordlen = ((strlen(passwd) + RADIUS_VECTOR_LENGTH - 1) / RADIUS_VECTOR_LENGTH) * RADIUS_VECTOR_LENGTH;
    cryptvector = palloc(strlen(secret) + RADIUS_VECTOR_LENGTH);
    memcpy(cryptvector, secret, strlen(secret));

    /* for the first iteration, we use the Request Authenticator vector */
    md5trailer = packet->vector;
    for (i = 0; i < encryptedpasswordlen; i += RADIUS_VECTOR_LENGTH)
    {
        memcpy(cryptvector + strlen(secret), md5trailer, RADIUS_VECTOR_LENGTH);

        /*
         * .. and for subsequent iterations the result of the previous XOR
         * (calculated below)
         */
        md5trailer = encryptedpassword + i;

        if (!pg_md5_binary(cryptvector, strlen(secret) + RADIUS_VECTOR_LENGTH, encryptedpassword + i))
        {
            ereport(LOG,
                    (errmsg("could not perform MD5 encryption of password")));
            pfree(cryptvector);
            pg_freeaddrinfo_all(hint.ai_family, serveraddrs);
            return STATUS_ERROR;
        }

        for (j = i; j < i + RADIUS_VECTOR_LENGTH; j++)
        {
            if (j < strlen(passwd))
                encryptedpassword[j] = passwd[j] ^ encryptedpassword[j];
            else
                encryptedpassword[j] = '\0' ^ encryptedpassword[j];
        }
    }
    pfree(cryptvector);

    radius_add_attribute(packet, RADIUS_PASSWORD, encryptedpassword, encryptedpasswordlen);

    /* Length needs to be in network order on the wire */
    packetlength = packet->length;
    packet->length = pg_hton16(packet->length);

    sock = socket(serveraddrs[0].ai_family, SOCK_DGRAM, 0);
    if (sock == PGINVALID_SOCKET)
    {
        ereport(LOG,
                (errmsg("could not create RADIUS socket: %m")));
        pg_freeaddrinfo_all(hint.ai_family, serveraddrs);
        return STATUS_ERROR;
    }

    memset(&localaddr, 0, sizeof(localaddr));
#ifdef HAVE_IPV6
    localaddr.sin6_family = serveraddrs[0].ai_family;
    localaddr.sin6_addr = in6addr_any;
    if (localaddr.sin6_family == AF_INET6)
        addrsize = sizeof(struct sockaddr_in6);
    else
        addrsize = sizeof(struct sockaddr_in);
#else
    localaddr.sin_family = serveraddrs[0].ai_family;
    localaddr.sin_addr.s_addr = INADDR_ANY;
    addrsize = sizeof(struct sockaddr_in);
#endif

    if (bind(sock, (struct sockaddr *) &localaddr, addrsize))
    {
        ereport(LOG,
                (errmsg("could not bind local RADIUS socket: %m")));
        closesocket(sock);
        pg_freeaddrinfo_all(hint.ai_family, serveraddrs);
        return STATUS_ERROR;
    }

    if (sendto(sock, radius_buffer, packetlength, 0,
               serveraddrs[0].ai_addr, serveraddrs[0].ai_addrlen) < 0)
    {
        ereport(LOG,
                (errmsg("could not send RADIUS packet: %m")));
        closesocket(sock);
        pg_freeaddrinfo_all(hint.ai_family, serveraddrs);
        return STATUS_ERROR;
    }

    /* Don't need the server address anymore */
    pg_freeaddrinfo_all(hint.ai_family, serveraddrs);

    /*
     * Figure out at what time we should time out. We can't just use a single
     * call to select() with a timeout, since somebody can be sending invalid
     * packets to our port thus causing us to retry in a loop and never time
     * out.
     *
     * XXX: Using WaitLatchOrSocket() and doing a CHECK_FOR_INTERRUPTS() if
     * the latch was set would improve the responsiveness to
     * timeouts/cancellations.
     */
    gettimeofday(&endtime, NULL);
    endtime.tv_sec += RADIUS_TIMEOUT;

    while (true)
    {
        struct timeval timeout;
        struct timeval now;
        int64       timeoutval;

        gettimeofday(&now, NULL);
        timeoutval = (endtime.tv_sec * 1000000 + endtime.tv_usec) - (now.tv_sec * 1000000 + now.tv_usec);
        if (timeoutval <= 0)
        {
            ereport(LOG,
                    (errmsg("timeout waiting for RADIUS response from %s",
                            server)));
            closesocket(sock);
            return STATUS_ERROR;
        }
        timeout.tv_sec = timeoutval / 1000000;
        timeout.tv_usec = timeoutval % 1000000;

        FD_ZERO(&fdset);
        FD_SET(sock, &fdset);

        r = select(sock + 1, &fdset, NULL, NULL, &timeout);
        if (r < 0)
        {
            if (errno == EINTR)
                continue;

            /* Anything else is an actual error */
            ereport(LOG,
                    (errmsg("could not check status on RADIUS socket: %m")));
            closesocket(sock);
            return STATUS_ERROR;
        }
        if (r == 0)
        {
            ereport(LOG,
                    (errmsg("timeout waiting for RADIUS response from %s",
                            server)));
            closesocket(sock);
            return STATUS_ERROR;
        }

        /*
         * Attempt to read the response packet, and verify the contents.
         *
         * Any packet that's not actually a RADIUS packet, or otherwise does
         * not validate as an explicit reject, is just ignored and we retry
         * for another packet (until we reach the timeout). This is to avoid
         * the possibility to denial-of-service the login by flooding the
         * server with invalid packets on the port that we're expecting the
         * RADIUS response on.
         */

        addrsize = sizeof(remoteaddr);
        packetlength = recvfrom(sock, receive_buffer, RADIUS_BUFFER_SIZE, 0,
                                (struct sockaddr *) &remoteaddr, &addrsize);
        if (packetlength < 0)
        {
            ereport(LOG,
                    (errmsg("could not read RADIUS response: %m")));
            closesocket(sock);
            return STATUS_ERROR;
        }

#ifdef HAVE_IPV6
        if (remoteaddr.sin6_port != pg_hton16(port))
#else
        if (remoteaddr.sin_port != pg_hton16(port))
#endif
        {
#ifdef HAVE_IPV6
            ereport(LOG,
                    (errmsg("RADIUS response from %s was sent from incorrect port: %d",
                            server, pg_ntoh16(remoteaddr.sin6_port))));
#else
            ereport(LOG,
                    (errmsg("RADIUS response from %s was sent from incorrect port: %d",
                            server, pg_ntoh16(remoteaddr.sin_port))));
#endif
            continue;
        }

        if (packetlength < RADIUS_HEADER_LENGTH)
        {
            ereport(LOG,
                    (errmsg("RADIUS response from %s too short: %d", server, packetlength)));
            continue;
        }

        if (packetlength != pg_ntoh16(receivepacket->length))
        {
            ereport(LOG,
                    (errmsg("RADIUS response from %s has corrupt length: %d (actual length %d)",
                            server, pg_ntoh16(receivepacket->length), packetlength)));
            continue;
        }

        if (packet->id != receivepacket->id)
        {
            ereport(LOG,
                    (errmsg("RADIUS response from %s is to a different request: %d (should be %d)",
                            server, receivepacket->id, packet->id)));
            continue;
        }

        /*
         * Verify the response authenticator, which is calculated as
         * MD5(Code+ID+Length+RequestAuthenticator+Attributes+Secret)
         */
        cryptvector = palloc(packetlength + strlen(secret));

        memcpy(cryptvector, receivepacket, 4);  /* code+id+length */
        memcpy(cryptvector + 4, packet->vector, RADIUS_VECTOR_LENGTH);  /* request
                                                                         * authenticator, from
                                                                         * original packet */
        if (packetlength > RADIUS_HEADER_LENGTH)    /* there may be no
                                                     * attributes at all */
            memcpy(cryptvector + RADIUS_HEADER_LENGTH, receive_buffer + RADIUS_HEADER_LENGTH, packetlength - RADIUS_HEADER_LENGTH);
        memcpy(cryptvector + packetlength, secret, strlen(secret));

        if (!pg_md5_binary(cryptvector,
                           packetlength + strlen(secret),
                           encryptedpassword))
        {
            ereport(LOG,
                    (errmsg("could not perform MD5 encryption of received packet")));
            pfree(cryptvector);
            continue;
        }
        pfree(cryptvector);

        if (memcmp(receivepacket->vector, encryptedpassword, RADIUS_VECTOR_LENGTH) != 0)
        {
            ereport(LOG,
                    (errmsg("RADIUS response from %s has incorrect MD5 signature",
                            server)));
            continue;
        }

        if (receivepacket->code == RADIUS_ACCESS_ACCEPT)
        {
            closesocket(sock);
            return STATUS_OK;
        }
        else if (receivepacket->code == RADIUS_ACCESS_REJECT)
        {
            closesocket(sock);
            return STATUS_EOF;
        }
        else
        {
            ereport(LOG,
                    (errmsg("RADIUS response from %s has invalid code (%d) for user \"%s\"",
                            server, receivepacket->code, user_name)));
            continue;
        }
    }                           /* while (true) */
}

radius_add_attribute()

static void radius_add_attribute ( radius_packet *  packet, uint8  type, const unsigned char *  data, int  len  )

static

Definition at line 2957 of file auth.c.

References radius_attribute::attribute, radius_attribute::data, elog, radius_attribute::length, radius_packet::length, RADIUS_BUFFER_SIZE, generate_unaccent_rules::type, and WARNING.

Referenced by PerformRadiusTransaction().

{
    radius_attribute *attr;

    if (packet->length + len > RADIUS_BUFFER_SIZE)
    {
        /*
         * With remotely realistic data, this can never happen. But catch it
         * just to make sure we don't overrun a buffer. We'll just skip adding
         * the broken attribute, which will in the end cause authentication to
         * fail.
         */
        elog(WARNING,
             "adding attribute code %d with length %d to radius packet would create oversize packet, ignoring",
             type, len);
        return;
    }

    attr = (radius_attribute *) ((unsigned char *) packet + packet->length);
    attr->attribute = type;
    attr->length = len + 2;     /* total size includes type and length */
    memcpy(attr->data, data, len);
    packet->length += attr->length;
}

recv_password_packet()

static char * recv_password_packet ( Port *  port )

static

Definition at line 666 of file auth.c.

References buf, StringInfoData::data, DEBUG5, elog, ereport, errcode(), ERRCODE_INVALID_PASSWORD, errmsg(), ERROR, initStringInfo(), StringInfoData::len, pfree(), PG_PROTOCOL_MAJOR, pq_getbyte(), pq_getmessage(), pq_peekbyte(), pq_startmsgread(), and Port::proto.

Referenced by auth_peer(), CheckMD5Auth(), CheckPasswordAuth(), and CheckRADIUSAuth().

{
    StringInfoData buf;

    pq_startmsgread();
    if (PG_PROTOCOL_MAJOR(port->proto) >= 3)
    {
        /* Expect 'p' message type */
        int         mtype;

        mtype = pq_getbyte();
        if (mtype != 'p')
        {
            /*
             * If the client just disconnects without offering a password,
             * don't make a log entry.  This is legal per protocol spec and in
             * fact commonly done by psql, so complaining just clutters the
             * log.
             */
            if (mtype != EOF)
                ereport(ERROR,
                        (errcode(ERRCODE_PROTOCOL_VIOLATION),
                         errmsg("expected password response, got message type %d",
                                mtype)));
            return NULL;        /* EOF or bad message type */
        }
    }
    else
    {
        /* For pre-3.0 clients, avoid log entry if they just disconnect */
        if (pq_peekbyte() == EOF)
            return NULL;        /* EOF */
    }

    initStringInfo(&buf);
    if (pq_getmessage(&buf, 1000))  /* receive password */
    {
        /* EOF - pq_getmessage already logged a suitable message */
        pfree(buf.data);
        return NULL;
    }

    /*
     * Apply sanity check: password packet length should agree with length of
     * contained string.  Note it is safe to use strlen here because
     * StringInfo is guaranteed to have an appended '\0'.
     */
    if (strlen(buf.data) + 1 != buf.len)
        ereport(ERROR,
                (errcode(ERRCODE_PROTOCOL_VIOLATION),
                 errmsg("invalid password packet size")));

    /*
     * Don't allow an empty password. Libpq treats an empty password the same
     * as no password at all, and won't even try to authenticate. But other
     * clients might, so allowing it would be confusing.
     *
     * Note that this only catches an empty password sent by the client in
     * plaintext. There's also a check in CREATE/ALTER USER that prevents an
     * empty string from being stored as a user's password in the first place.
     * We rely on that for MD5 and SCRAM authentication, but we still need
     * this check here, to prevent an empty password from being used with
     * authentication methods that check the password against an external
     * system, like PAM, LDAP and RADIUS.
     */
    if (buf.len == 1)
        ereport(ERROR,
                (errcode(ERRCODE_INVALID_PASSWORD),
                 errmsg("empty password returned by client")));

    /* Do not echo password to logs, for security. */
    elog(DEBUG5, "received password packet");

    /*
     * Return the received string.  Note we do not attempt to do any
     * character-set conversion on it; since we don't yet know the client's
     * encoding, there wouldn't be much point.
     */
    return buf.data;
}

sendAuthRequest()

static void sendAuthRequest ( Port *  port, AuthRequest  areq, const char *  extradata, int  extralen  )

static

Definition at line 636 of file auth.c.

References AUTH_REQ_OK, AUTH_REQ_SASL_FIN, buf, CHECK_FOR_INTERRUPTS, pq_beginmessage(), pq_endmessage(), pq_flush, pq_sendbytes(), and pq_sendint32().

Referenced by auth_peer(), CheckMD5Auth(), CheckPasswordAuth(), CheckRADIUSAuth(), CheckSCRAMAuth(), and ClientAuthentication().

{
    StringInfoData buf;

    CHECK_FOR_INTERRUPTS();

    pq_beginmessage(&buf, 'R');
    pq_sendint32(&buf, (int32) areq);
    if (extralen > 0)
        pq_sendbytes(&buf, extradata, extralen);

    pq_endmessage(&buf);

    /*
     * Flush message so client will see it, except for AUTH_REQ_OK and
     * AUTH_REQ_SASL_FIN, which need not be sent until we are ready for
     * queries.
     */
    if (areq != AUTH_REQ_OK && areq != AUTH_REQ_SASL_FIN)
        pq_flush();

    CHECK_FOR_INTERRUPTS();
}

Variable Documentation

ClientAuthentication_hook

ClientAuthentication_hook_type ClientAuthentication_hook = NULL

Definition at line 241 of file auth.c.

Referenced by _PG_init(), ClientAuthentication(), and sepgsql_init_client_label().

pg_krb_caseins_users

bool pg_krb_caseins_users

Definition at line 170 of file auth.c.

Referenced by CheckSCRAMAuth().

pg_krb_server_keyfile

char* pg_krb_server_keyfile

Definition at line 169 of file auth.c.

Referenced by CheckSCRAMAuth(), and secure_open_gssapi().