sasl.h File Reference

#include "lib/stringinfo.h"
#include "libpq/libpq-be.h"

Include dependency graph for sasl.h:

This graph shows which files directly or indirectly include this file:

Go to the source code of this file.

Data Structures
struct	pg_be_sasl_mech

Macros
#define	PG_SASL_EXCHANGE_CONTINUE   0
#define	PG_SASL_EXCHANGE_SUCCESS   1
#define	PG_SASL_EXCHANGE_FAILURE   2
#define	PG_SASL_EXCHANGE_ABANDONED   3
#define	PG_MAX_SASL_MESSAGE_LENGTH   1024

Typedefs
typedef struct pg_be_sasl_mech	pg_be_sasl_mech

Functions
int	CheckSASLAuth (const pg_be_sasl_mech *mech, Port *port, char *shadow_pass, const char **logdetail, bool *abandoned)

Macro Definition Documentation

PG_MAX_SASL_MESSAGE_LENGTH

#define PG_MAX_SASL_MESSAGE_LENGTH   1024

Definition at line 36 of file sasl.h.

PG_SASL_EXCHANGE_ABANDONED

#define PG_SASL_EXCHANGE_ABANDONED   3

Definition at line 28 of file sasl.h.

PG_SASL_EXCHANGE_CONTINUE

#define PG_SASL_EXCHANGE_CONTINUE   0

Definition at line 25 of file sasl.h.

PG_SASL_EXCHANGE_FAILURE

#define PG_SASL_EXCHANGE_FAILURE   2

Definition at line 27 of file sasl.h.

PG_SASL_EXCHANGE_SUCCESS

#define PG_SASL_EXCHANGE_SUCCESS   1

Definition at line 26 of file sasl.h.

Typedef Documentation

pg_be_sasl_mech

typedef struct pg_be_sasl_mech pg_be_sasl_mech

Function Documentation

CheckSASLAuth()

int CheckSASLAuth ( const pg_be_sasl_mech *  mech, Port *  port, char *  shadow_pass, const char **  logdetail, bool *  abandoned  )

extern

Definition at line 50 of file auth-sasl.c.

{
    StringInfoData sasl_mechs;
    int         mtype;
    StringInfoData buf;
    void       *opaq = NULL;
    char       *output = NULL;
    int         outputlen = 0;
    const char *input;
    int         inputlen;
    int         result;
    bool        initial;
 
    /*
     * Send the SASL authentication request to user.  It includes the list of
     * authentication mechanisms that are supported.
     */
    initStringInfo(&sasl_mechs);
 
    mech->get_mechanisms(port, &sasl_mechs);
    /* Put another '\0' to mark that list is finished. */
    appendStringInfoChar(&sasl_mechs, '\0');
 
    sendAuthRequest(port, AUTH_REQ_SASL, sasl_mechs.data, sasl_mechs.len);
    pfree(sasl_mechs.data);
 
    /*
     * Loop through SASL message exchange.  This exchange can consist of
     * multiple messages sent in both directions.  First message is always
     * from the client.  All messages from client to server are password
     * packets (type 'p').
     */
    initial = true;
    do
    {
        pq_startmsgread();
        mtype = pq_getbyte();
        if (mtype != PqMsg_SASLResponse)
        {
            /* Only log error if client didn't disconnect. */
            if (mtype != EOF)
            {
                ereport(ERROR,
                        (errcode(ERRCODE_PROTOCOL_VIOLATION),
                         errmsg("expected SASL response, got message type %d",
                                mtype)));
            }
            else
                return STATUS_EOF;
        }
 
        /* Get the actual SASL message */
        initStringInfo(&buf);
        if (pq_getmessage(&buf, mech->max_message_length))
        {
            /* EOF - pq_getmessage already logged error */
            pfree(buf.data);
            return STATUS_ERROR;
        }
 
        elog(DEBUG4, "processing received SASL response of length %d", buf.len);
 
        /*
         * The first SASLInitialResponse message is different from the others.
         * It indicates which SASL mechanism the client selected, and contains
         * an optional Initial Client Response payload.  The subsequent
         * SASLResponse messages contain just the SASL payload.
         */
        if (initial)
        {
            const char *selected_mech;
 
            selected_mech = pq_getmsgrawstring(&buf);
 
            /*
             * Initialize the status tracker for message exchanges.
             *
             * If the user doesn't exist, or doesn't have a valid password, or
             * it's expired, we still go through the motions of SASL
             * authentication, but tell the authentication method that the
             * authentication is "doomed". That is, it's going to fail, no
             * matter what.
             *
             * This is because we don't want to reveal to an attacker what
             * usernames are valid, nor which users have a valid password.
             */
            opaq = mech->init(port, selected_mech, shadow_pass);
 
            inputlen = pq_getmsgint(&buf, 4);
            if (inputlen == -1)
                input = NULL;
            else
                input = pq_getmsgbytes(&buf, inputlen);
 
            initial = false;
        }
        else
        {
            inputlen = buf.len;
            input = pq_getmsgbytes(&buf, buf.len);
        }
        pq_getmsgend(&buf);
 
        /*
         * The StringInfo guarantees that there's a \0 byte after the
         * response.
         */
        Assert(input == NULL || input[inputlen] == '\0');
 
        /*
         * Hand the incoming message to the mechanism implementation.
         */
        result = mech->exchange(opaq, input, inputlen,
                                &output, &outputlen,
                                logdetail);
 
        /* input buffer no longer used */
        pfree(buf.data);
 
        if (output)
        {
            /*
             * PG_SASL_EXCHANGE_FAILURE with some output is forbidden by SASL.
             * Make sure here that the mechanism used got that right.
             */
            if (result == PG_SASL_EXCHANGE_FAILURE || result == PG_SASL_EXCHANGE_ABANDONED)
                elog(ERROR, "output message found after SASL exchange failure");
 
            /*
             * Negotiation generated data to be sent to the client.
             */
            elog(DEBUG4, "sending SASL challenge of length %d", outputlen);
 
            if (result == PG_SASL_EXCHANGE_SUCCESS)
                sendAuthRequest(port, AUTH_REQ_SASL_FIN, output, outputlen);
            else
                sendAuthRequest(port, AUTH_REQ_SASL_CONT, output, outputlen);
 
            pfree(output);
        }
    } while (result == PG_SASL_EXCHANGE_CONTINUE);
 
    if (result == PG_SASL_EXCHANGE_ABANDONED)
    {
        if (!abandoned)
        {
            /*
             * Programmer error: caller needs to track the abandoned state for
             * this mechanism.
             */
            elog(ERROR, "SASL exchange was abandoned, but CheckSASLAuth isn't tracking it");
        }
 
        *abandoned = true;
    }
 
    /* Oops, Something bad happened */
    if (result != PG_SASL_EXCHANGE_SUCCESS)
    {
        return STATUS_ERROR;
    }
 
    return STATUS_OK;
}

References appendStringInfoChar(), Assert, AUTH_REQ_SASL, AUTH_REQ_SASL_CONT, AUTH_REQ_SASL_FIN, buf, DEBUG4, elog, ereport, errcode(), ERRCODE_PROTOCOL_VIOLATION, errmsg, ERROR, fb(), initStringInfo(), input, output, pfree(), PG_SASL_EXCHANGE_ABANDONED, PG_SASL_EXCHANGE_CONTINUE, PG_SASL_EXCHANGE_FAILURE, PG_SASL_EXCHANGE_SUCCESS, port, pq_getbyte(), pq_getmessage(), pq_getmsgbytes(), pq_getmsgend(), pq_getmsgint(), pq_getmsgrawstring(), pq_startmsgread(), PqMsg_SASLResponse, result, sendAuthRequest(), STATUS_EOF, STATUS_ERROR, and STATUS_OK.

Referenced by CheckPWChallengeAuth(), and ClientAuthentication().