#include "libpq/libpq-be.h"

Include dependency graph for auth.h:

This graph shows which files directly or indirectly include this file:

Typedefs
typedef void(*	ClientAuthentication_hook_type) (Port *, int)

typedef char (	auth_password_hook_typ) (char *input)

Functions
void	ClientAuthentication (Port *port)

void	sendAuthRequest (Port port, AuthRequest areq, const char extradata, int extralen)

Variables
PGDLLIMPORT char *	pg_krb_server_keyfile

PGDLLIMPORT bool	pg_krb_caseins_users

PGDLLIMPORT bool	pg_gss_accept_delegation

PGDLLIMPORT ClientAuthentication_hook_type	ClientAuthentication_hook

PGDLLIMPORT auth_password_hook_typ	ldap_password_hook

Typedef Documentation

◆ auth_password_hook_typ

typedef char*(* auth_password_hook_typ) (char *input)

Definition at line 32 of file auth.h.

◆ ClientAuthentication_hook_type

typedef void(* ClientAuthentication_hook_type) (Port *, int)

Definition at line 28 of file auth.h.

Function Documentation

◆ ClientAuthentication()

void ClientAuthentication ( Port * port )

Definition at line 382 of file auth.c.

 {
     int         status = STATUS_ERROR;
     const char *logdetail = NULL;
  
     /*
      * Get the authentication method to use for this frontend/database
      * combination.  Note: we do not parse the file at this point; this has
      * already been done elsewhere.  hba.c dropped an error message into the
      * server logfile if parsing the hba config file failed.
      */
     hba_getauthmethod(port);
  
     CHECK_FOR_INTERRUPTS();
  
     /*
      * This is the first point where we have access to the hba record for the
      * current connection, so perform any verifications based on the hba
      * options field that should be done *before* the authentication here.
      */
     if (port->hba->clientcert != clientCertOff)
     {
         /* If we haven't loaded a root certificate store, fail */
         if (!secure_loaded_verify_locations())
             ereport(FATAL,
                     (errcode(ERRCODE_CONFIG_FILE_ERROR),
                      errmsg("client certificates can only be checked if a root certificate store is available")));
  
         /*
          * If we loaded a root certificate store, and if a certificate is
          * present on the client, then it has been verified against our root
          * certificate store, and the connection would have been aborted
          * already if it didn't verify ok.
          */
         if (!port->peer_cert_valid)
             ereport(FATAL,
                     (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
                      errmsg("connection requires a valid client certificate")));
     }
  
     /*
      * Now proceed to do the actual authentication check
      */
     switch (port->hba->auth_method)
     {
         case uaReject:
  
             /*
              * An explicit "reject" entry in pg_hba.conf.  This report exposes
              * the fact that there's an explicit reject entry, which is
              * perhaps not so desirable from a security standpoint; but the
              * message for an implicit reject could confuse the DBA a lot when
              * the true situation is a match to an explicit reject.  And we
              * don't want to change the message for an implicit reject.  As
              * noted below, the additional information shown here doesn't
              * expose anything not known to an attacker.
              */
             {
                 char        hostinfo[NI_MAXHOST];
                 const char *encryption_state;
  
                 pg_getnameinfo_all(&port->raddr.addr, port->raddr.salen,
                                    hostinfo, sizeof(hostinfo),
                                    NULL, 0,
                                    NI_NUMERICHOST);
  
                 encryption_state =
 #ifdef ENABLE_GSS
                     (port->gss && port->gss->enc) ? _("GSS encryption") :
 #endif
 #ifdef USE_SSL
                     port->ssl_in_use ? _("SSL encryption") :
 #endif
                     _("no encryption");
  
                 if (am_walsender && !am_db_walsender)
                     ereport(FATAL,
                             (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
                     /* translator: last %s describes encryption state */
                              errmsg("pg_hba.conf rejects replication connection for host \"%s\", user \"%s\", %s",
                                     hostinfo, port->user_name,
                                     encryption_state)));
                 else
                     ereport(FATAL,
                             (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
                     /* translator: last %s describes encryption state */
                              errmsg("pg_hba.conf rejects connection for host \"%s\", user \"%s\", database \"%s\", %s",
                                     hostinfo, port->user_name,
                                     port->database_name,
                                     encryption_state)));
                 break;
             }
  
         case uaImplicitReject:
  
             /*
              * No matching entry, so tell the user we fell through.
              *
              * NOTE: the extra info reported here is not a security breach,
              * because all that info is known at the frontend and must be
              * assumed known to bad guys.  We're merely helping out the less
              * clueful good guys.
              */
             {
                 char        hostinfo[NI_MAXHOST];
                 const char *encryption_state;
  
                 pg_getnameinfo_all(&port->raddr.addr, port->raddr.salen,
                                    hostinfo, sizeof(hostinfo),
                                    NULL, 0,
                                    NI_NUMERICHOST);
  
                 encryption_state =
 #ifdef ENABLE_GSS
                     (port->gss && port->gss->enc) ? _("GSS encryption") :
 #endif
 #ifdef USE_SSL
                     port->ssl_in_use ? _("SSL encryption") :
 #endif
                     _("no encryption");
  
 #define HOSTNAME_LOOKUP_DETAIL(port) \
                 (port->remote_hostname ? \
                  (port->remote_hostname_resolv == +1 ? \
                   errdetail_log("Client IP address resolved to \"%s\", forward lookup matches.", \
                                 port->remote_hostname) : \
                   port->remote_hostname_resolv == 0 ? \
                   errdetail_log("Client IP address resolved to \"%s\", forward lookup not checked.", \
                                 port->remote_hostname) : \
                   port->remote_hostname_resolv == -1 ? \
                   errdetail_log("Client IP address resolved to \"%s\", forward lookup does not match.", \
                                 port->remote_hostname) : \
                   port->remote_hostname_resolv == -2 ? \
                   errdetail_log("Could not translate client host name \"%s\" to IP address: %s.", \
                                 port->remote_hostname, \
                                 gai_strerror(port->remote_hostname_errcode)) : \
                   0) \
                  : (port->remote_hostname_resolv == -2 ? \
                     errdetail_log("Could not resolve client IP address to a host name: %s.", \
                                   gai_strerror(port->remote_hostname_errcode)) : \
                     0))
  
                 if (am_walsender && !am_db_walsender)
                     ereport(FATAL,
                             (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
                     /* translator: last %s describes encryption state */
                              errmsg("no pg_hba.conf entry for replication connection from host \"%s\", user \"%s\", %s",
                                     hostinfo, port->user_name,
                                     encryption_state),
                              HOSTNAME_LOOKUP_DETAIL(port)));
                 else
                     ereport(FATAL,
                             (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
                     /* translator: last %s describes encryption state */
                              errmsg("no pg_hba.conf entry for host \"%s\", user \"%s\", database \"%s\", %s",
                                     hostinfo, port->user_name,
                                     port->database_name,
                                     encryption_state),
                              HOSTNAME_LOOKUP_DETAIL(port)));
                 break;
             }
  
         case uaGSS:
 #ifdef ENABLE_GSS
             /* We might or might not have the gss workspace already */
             if (port->gss == NULL)
                 port->gss = (pg_gssinfo *)
                     MemoryContextAllocZero(TopMemoryContext,
                                            sizeof(pg_gssinfo));
             port->gss->auth = true;
  
             /*
              * If GSS state was set up while enabling encryption, we can just
              * check the client's principal.  Otherwise, ask for it.
              */
             if (port->gss->enc)
                 status = pg_GSS_checkauth(port);
             else
             {
                 sendAuthRequest(port, AUTH_REQ_GSS, NULL, 0);
                 status = pg_GSS_recvauth(port);
             }
 #else
             Assert(false);
 #endif
             break;
  
         case uaSSPI:
 #ifdef ENABLE_SSPI
             if (port->gss == NULL)
                 port->gss = (pg_gssinfo *)
                     MemoryContextAllocZero(TopMemoryContext,
                                            sizeof(pg_gssinfo));
             sendAuthRequest(port, AUTH_REQ_SSPI, NULL, 0);
             status = pg_SSPI_recvauth(port);
 #else
             Assert(false);
 #endif
             break;
  
         case uaPeer:
             status = auth_peer(port);
             break;
  
         case uaIdent:
             status = ident_inet(port);
             break;
  
         case uaMD5:
         case uaSCRAM:
             status = CheckPWChallengeAuth(port, &logdetail);
             break;
  
         case uaPassword:
             status = CheckPasswordAuth(port, &logdetail);
             break;
  
         case uaPAM:
 #ifdef USE_PAM
             status = CheckPAMAuth(port, port->user_name, "");
 #else
             Assert(false);
 #endif                          /* USE_PAM */
             break;
  
         case uaBSD:
 #ifdef USE_BSD_AUTH
             status = CheckBSDAuth(port, port->user_name);
 #else
             Assert(false);
 #endif                          /* USE_BSD_AUTH */
             break;
  
         case uaLDAP:
 #ifdef USE_LDAP
             status = CheckLDAPAuth(port);
 #else
             Assert(false);
 #endif
             break;
         case uaRADIUS:
             status = CheckRADIUSAuth(port);
             break;
         case uaCert:
             /* uaCert will be treated as if clientcert=verify-full (uaTrust) */
         case uaTrust:
             status = STATUS_OK;
             break;
     }
  
     if ((status == STATUS_OK && port->hba->clientcert == clientCertFull)
         || port->hba->auth_method == uaCert)
     {
         /*
          * Make sure we only check the certificate if we use the cert method
          * or verify-full option.
          */
 #ifdef USE_SSL
         status = CheckCertAuth(port);
 #else
         Assert(false);
 #endif
     }
  
     if (Log_connections && status == STATUS_OK &&
         !MyClientConnectionInfo.authn_id)
     {
         /*
          * Normally, if log_connections is set, the call to set_authn_id()
          * will log the connection.  However, if that function is never
          * called, perhaps because the trust method is in use, then we handle
          * the logging here instead.
          */
         ereport(LOG,
                 errmsg("connection authenticated: user=\"%s\" method=%s "
                        "(%s:%d)",
                        port->user_name, hba_authname(port->hba->auth_method),
                        port->hba->sourcefile, port->hba->linenumber));
     }
  
     if (ClientAuthentication_hook)
         (*ClientAuthentication_hook) (port, status);
  
     if (status == STATUS_OK)
         sendAuthRequest(port, AUTH_REQ_OK, NULL, 0);
     else
         auth_failed(port, status, logdetail);
 }

References _, am_db_walsender, am_walsender, Assert, auth_failed(), auth_peer(), AUTH_REQ_GSS, AUTH_REQ_OK, AUTH_REQ_SSPI, ClientConnectionInfo::authn_id, CHECK_FOR_INTERRUPTS, CheckPasswordAuth(), CheckPWChallengeAuth(), CheckRADIUSAuth(), ClientAuthentication_hook, clientCertFull, clientCertOff, ereport, errcode(), errmsg(), FATAL, hba_authname(), hba_getauthmethod(), HOSTNAME_LOOKUP_DETAIL, ident_inet(), LOG, Log_connections, MemoryContextAllocZero(), MyClientConnectionInfo, pg_getnameinfo_all(), port, secure_loaded_verify_locations(), sendAuthRequest(), STATUS_ERROR, STATUS_OK, TopMemoryContext, uaBSD, uaCert, uaGSS, uaIdent, uaImplicitReject, uaLDAP, uaMD5, uaPAM, uaPassword, uaPeer, uaRADIUS, uaReject, uaSCRAM, uaSSPI, and uaTrust.

Referenced by PerformAuthentication().

◆ sendAuthRequest()

void sendAuthRequest	(	Port *	port,
		AuthRequest	areq,
		const char *	extradata,
		int	extralen
	)

Definition at line 676 of file auth.c.

 {
     StringInfoData buf;
  
     CHECK_FOR_INTERRUPTS();
  
     pq_beginmessage(&buf, PqMsg_AuthenticationRequest);
     pq_sendint32(&buf, (int32) areq);
     if (extralen > 0)
         pq_sendbytes(&buf, extradata, extralen);
  
     pq_endmessage(&buf);
  
     /*
      * Flush message so client will see it, except for AUTH_REQ_OK and
      * AUTH_REQ_SASL_FIN, which need not be sent until we are ready for
      * queries.
      */
     if (areq != AUTH_REQ_OK && areq != AUTH_REQ_SASL_FIN)
         pq_flush();
  
     CHECK_FOR_INTERRUPTS();
 }