fe-auth.h File Reference

#include "libpq-fe.h"
#include "libpq-int.h"

Include dependency graph for fe-auth.h:

This graph shows which files directly or indirectly include this file:

Go to the source code of this file.

Functions
int	pg_fe_sendauth (AuthRequest areq, int payloadlen, PGconn *conn)
char *	pg_fe_getusername (uid_t user_id, PQExpBuffer errorMessage)
char *	pg_fe_getauthname (PQExpBuffer errorMessage)
char *	pg_fe_scram_build_secret (const char *password, int iterations, const char **errstr)

Variables
const pg_fe_sasl_mech	pg_scram_mech

Function Documentation

pg_fe_getauthname()

char* pg_fe_getauthname

(

PQExpBuffer

errorMessage

)

Definition at line 1216 of file fe-auth.c.

{
#ifdef WIN32
    return pg_fe_getusername(0, errorMessage);
#else
    return pg_fe_getusername(geteuid(), errorMessage);
#endif
}

References pg_fe_getusername().

Referenced by connectOptions2(), and conninfo_add_defaults().

pg_fe_getusername()

char* pg_fe_getusername	(	uid_t	user_id,
		PQExpBuffer	errorMessage
	)

Definition at line 1160 of file fe-auth.c.

{
    char       *result = NULL;
    const char *name = NULL;
 
#ifdef WIN32
    /* Microsoft recommends buffer size of UNLEN+1, where UNLEN = 256 */
    char        username[256 + 1];
    DWORD       namesize = sizeof(username);
#else
    char        pwdbuf[BUFSIZ];
#endif
 
    /*
     * Some users are using configure --enable-thread-safety-force, so we
     * might as well do the locking within our library to protect getpwuid().
     * In fact, application developers can use getpwuid() in their application
     * if they use the locking call we provide, or install their own locking
     * function using PQregisterThreadLock().
     */
    pglock_thread();
 
#ifdef WIN32
    if (GetUserName(username, &namesize))
        name = username;
    else if (errorMessage)
        libpq_append_error(errorMessage,
                           "user name lookup failure: error code %lu",
                           GetLastError());
#else
    if (pg_get_user_name(user_id, pwdbuf, sizeof(pwdbuf)))
        name = pwdbuf;
    else if (errorMessage)
        appendPQExpBuffer(errorMessage, "%s\n", pwdbuf);
#endif
 
    if (name)
    {
        result = strdup(name);
        if (result == NULL && errorMessage)
            libpq_append_error(errorMessage, "out of memory");
    }
 
    pgunlock_thread();
 
    return result;
}

References appendPQExpBuffer(), libpq_append_error(), name, pg_get_user_name(), pglock_thread, pgunlock_thread, and username.

Referenced by pg_fe_getauthname(), and PQconnectPoll().

pg_fe_scram_build_secret()

char* pg_fe_scram_build_secret	(	const char *	password,
		int	iterations,
		const char **	errstr
	)

Definition at line 898 of file fe-auth-scram.c.

{
    char       *prep_password;
    pg_saslprep_rc rc;
    char        saltbuf[SCRAM_DEFAULT_SALT_LEN];
    char       *result;
 
    /*
     * Normalize the password with SASLprep.  If that doesn't work, because
     * the password isn't valid UTF-8 or contains prohibited characters, just
     * proceed with the original password.  (See comments at the top of
     * auth-scram.c.)
     */
    rc = pg_saslprep(password, &prep_password);
    if (rc == SASLPREP_OOM)
    {
        *errstr = libpq_gettext("out of memory");
        return NULL;
    }
    if (rc == SASLPREP_SUCCESS)
        password = (const char *) prep_password;
 
    /* Generate a random salt */
    if (!pg_strong_random(saltbuf, SCRAM_DEFAULT_SALT_LEN))
    {
        *errstr = libpq_gettext("could not generate random salt");
        free(prep_password);
        return NULL;
    }
 
    result = scram_build_secret(PG_SHA256, SCRAM_SHA_256_KEY_LEN, saltbuf,
                                SCRAM_DEFAULT_SALT_LEN,
                                iterations, password,
                                errstr);
 
    free(prep_password);
 
    return result;
}

References free, libpq_gettext, password, pg_saslprep(), PG_SHA256, pg_strong_random(), SASLPREP_OOM, SASLPREP_SUCCESS, scram_build_secret(), SCRAM_DEFAULT_SALT_LEN, and SCRAM_SHA_256_KEY_LEN.

Referenced by PQencryptPasswordConn().

pg_fe_sendauth()

int pg_fe_sendauth	(	AuthRequest	areq,
		int	payloadlen,
		PGconn *	conn
	)

Definition at line 952 of file fe-auth.c.

{
    int         oldmsglen;
 
    if (!check_expected_areq(areq, conn))
        return STATUS_ERROR;
 
    switch (areq)
    {
        case AUTH_REQ_OK:
            break;
 
        case AUTH_REQ_KRB4:
            libpq_append_conn_error(conn, "Kerberos 4 authentication not supported");
            return STATUS_ERROR;
 
        case AUTH_REQ_KRB5:
            libpq_append_conn_error(conn, "Kerberos 5 authentication not supported");
            return STATUS_ERROR;
 
#if defined(ENABLE_GSS) || defined(ENABLE_SSPI)
        case AUTH_REQ_GSS:
#if !defined(ENABLE_SSPI)
            /* no native SSPI, so use GSSAPI library for it */
        case AUTH_REQ_SSPI:
#endif
            {
                int         r;
 
                pglock_thread();
 
                /*
                 * If we have both GSS and SSPI support compiled in, use SSPI
                 * support by default. This is overridable by a connection
                 * string parameter. Note that when using SSPI we still leave
                 * the negotiate parameter off, since we want SSPI to use the
                 * GSSAPI kerberos protocol. For actual SSPI negotiate
                 * protocol, we use AUTH_REQ_SSPI.
                 */
#if defined(ENABLE_GSS) && defined(ENABLE_SSPI)
                if (conn->gsslib && (pg_strcasecmp(conn->gsslib, "gssapi") == 0))
                    r = pg_GSS_startup(conn, payloadlen);
                else
                    r = pg_SSPI_startup(conn, 0, payloadlen);
#elif defined(ENABLE_GSS) && !defined(ENABLE_SSPI)
                r = pg_GSS_startup(conn, payloadlen);
#elif !defined(ENABLE_GSS) && defined(ENABLE_SSPI)
                r = pg_SSPI_startup(conn, 0, payloadlen);
#endif
                if (r != STATUS_OK)
                {
                    /* Error message already filled in. */
                    pgunlock_thread();
                    return STATUS_ERROR;
                }
                pgunlock_thread();
            }
            break;
 
        case AUTH_REQ_GSS_CONT:
            {
                int         r;
 
                pglock_thread();
#if defined(ENABLE_GSS) && defined(ENABLE_SSPI)
                if (conn->usesspi)
                    r = pg_SSPI_continue(conn, payloadlen);
                else
                    r = pg_GSS_continue(conn, payloadlen);
#elif defined(ENABLE_GSS) && !defined(ENABLE_SSPI)
                r = pg_GSS_continue(conn, payloadlen);
#elif !defined(ENABLE_GSS) && defined(ENABLE_SSPI)
                r = pg_SSPI_continue(conn, payloadlen);
#endif
                if (r != STATUS_OK)
                {
                    /* Error message already filled in. */
                    pgunlock_thread();
                    return STATUS_ERROR;
                }
                pgunlock_thread();
            }
            break;
#else                           /* defined(ENABLE_GSS) || defined(ENABLE_SSPI) */
            /* No GSSAPI *or* SSPI support */
        case AUTH_REQ_GSS:
        case AUTH_REQ_GSS_CONT:
            libpq_append_conn_error(conn, "GSSAPI authentication not supported");
            return STATUS_ERROR;
#endif                          /* defined(ENABLE_GSS) || defined(ENABLE_SSPI) */
 
#ifdef ENABLE_SSPI
        case AUTH_REQ_SSPI:
 
            /*
             * SSPI has its own startup message so libpq can decide which
             * method to use. Indicate to pg_SSPI_startup that we want SSPI
             * negotiation instead of Kerberos.
             */
            pglock_thread();
            if (pg_SSPI_startup(conn, 1, payloadlen) != STATUS_OK)
            {
                /* Error message already filled in. */
                pgunlock_thread();
                return STATUS_ERROR;
            }
            pgunlock_thread();
            break;
#else
 
            /*
             * No SSPI support. However, if we have GSSAPI but not SSPI
             * support, AUTH_REQ_SSPI will have been handled in the codepath
             * for AUTH_REQ_GSS above, so don't duplicate the case label in
             * that case.
             */
#if !defined(ENABLE_GSS)
        case AUTH_REQ_SSPI:
            libpq_append_conn_error(conn, "SSPI authentication not supported");
            return STATUS_ERROR;
#endif                          /* !define(ENABLE_GSS) */
#endif                          /* ENABLE_SSPI */
 
 
        case AUTH_REQ_CRYPT:
            libpq_append_conn_error(conn, "Crypt authentication not supported");
            return STATUS_ERROR;
 
        case AUTH_REQ_MD5:
        case AUTH_REQ_PASSWORD:
            {
                char       *password;
 
                conn->password_needed = true;
                password = conn->connhost[conn->whichhost].password;
                if (password == NULL)
                    password = conn->pgpass;
                if (password == NULL || password[0] == '\0')
                {
                    appendPQExpBufferStr(&conn->errorMessage,
                                         PQnoPasswordSupplied);
                    return STATUS_ERROR;
                }
                if (pg_password_sendauth(conn, password, areq) != STATUS_OK)
                {
                    appendPQExpBufferStr(&conn->errorMessage,
                                         "fe_sendauth: error sending password authentication\n");
                    return STATUS_ERROR;
                }
 
                /* We expect no further authentication requests. */
                conn->client_finished_auth = true;
                break;
            }
 
        case AUTH_REQ_SASL:
 
            /*
             * The request contains the name (as assigned by IANA) of the
             * authentication mechanism.
             */
            if (pg_SASL_init(conn, payloadlen) != STATUS_OK)
            {
                /* pg_SASL_init already set the error message */
                return STATUS_ERROR;
            }
            break;
 
        case AUTH_REQ_SASL_CONT:
        case AUTH_REQ_SASL_FIN:
            if (conn->sasl_state == NULL)
            {
                appendPQExpBufferStr(&conn->errorMessage,
                                     "fe_sendauth: invalid authentication request from server: AUTH_REQ_SASL_CONT without AUTH_REQ_SASL\n");
                return STATUS_ERROR;
            }
            oldmsglen = conn->errorMessage.len;
            if (pg_SASL_continue(conn, payloadlen,
                                 (areq == AUTH_REQ_SASL_FIN)) != STATUS_OK)
            {
                /* Use this message if pg_SASL_continue didn't supply one */
                if (conn->errorMessage.len == oldmsglen)
                    appendPQExpBufferStr(&conn->errorMessage,
                                         "fe_sendauth: error in SASL authentication\n");
                return STATUS_ERROR;
            }
            break;
 
        default:
            libpq_append_conn_error(conn, "authentication method %u not supported", areq);
            return STATUS_ERROR;
    }
 
    return STATUS_OK;
}

References appendPQExpBufferStr(), AUTH_REQ_CRYPT, AUTH_REQ_GSS, AUTH_REQ_GSS_CONT, AUTH_REQ_KRB4, AUTH_REQ_KRB5, AUTH_REQ_MD5, AUTH_REQ_OK, AUTH_REQ_PASSWORD, AUTH_REQ_SASL, AUTH_REQ_SASL_CONT, AUTH_REQ_SASL_FIN, AUTH_REQ_SSPI, check_expected_areq(), pg_conn::client_finished_auth, conn, pg_conn::connhost, pg_conn::errorMessage, pg_conn::gsslib, PQExpBufferData::len, libpq_append_conn_error(), password, pg_conn_host::password, pg_conn::password_needed, pg_password_sendauth(), pg_SASL_continue(), pg_SASL_init(), pg_strcasecmp(), pglock_thread, pg_conn::pgpass, pgunlock_thread, PQnoPasswordSupplied, pg_conn::sasl_state, STATUS_ERROR, STATUS_OK, and pg_conn::whichhost.

Referenced by PQconnectPoll().

Variable Documentation

pg_scram_mech

const pg_fe_sasl_mech pg_scram_mech

extern

Definition at line 33 of file fe-auth-scram.c.

Referenced by pg_SASL_init().