auth.c File Reference
#include "postgres.h"#include <sys/param.h>#include <sys/select.h>#include <sys/socket.h>#include <netinet/in.h>#include <netdb.h>#include <pwd.h>#include <unistd.h>#include "commands/user.h"#include "common/ip.h"#include "common/md5.h"#include "libpq/auth.h"#include "libpq/crypt.h"#include "libpq/libpq.h"#include "libpq/oauth.h"#include "libpq/pqformat.h"#include "libpq/sasl.h"#include "libpq/scram.h"#include "miscadmin.h"#include "port/pg_bswap.h"#include "postmaster/postmaster.h"#include "replication/walsender.h"#include "storage/ipc.h"#include "tcop/backend_startup.h"#include "utils/memutils.h"
Include dependency graph for auth.c:
Go to the source code of this file.
Data Structures | |
| struct | radius_attribute |
| struct | radius_packet |
Macros | |
| #define | IDENT_USERNAME_MAX 512 |
| #define | IDENT_PORT 113 |
| #define | HOSTNAME_LOOKUP_DETAIL(port) |
| #define | RADIUS_VECTOR_LENGTH 16 |
| #define | RADIUS_HEADER_LENGTH 20 |
| #define | RADIUS_MAX_PASSWORD_LENGTH 128 |
| #define | RADIUS_BUFFER_SIZE 1024 |
| #define | RADIUS_ACCESS_REQUEST 1 |
| #define | RADIUS_ACCESS_ACCEPT 2 |
| #define | RADIUS_ACCESS_REJECT 3 |
| #define | RADIUS_USER_NAME 1 |
| #define | RADIUS_PASSWORD 2 |
| #define | RADIUS_SERVICE_TYPE 6 |
| #define | RADIUS_NAS_IDENTIFIER 32 |
| #define | RADIUS_AUTHENTICATE_ONLY 8 |
| #define | RADIUS_TIMEOUT 3 |
Functions | |
| static void | auth_failed (Port *port, int status, const char *logdetail) |
| static char * | recv_password_packet (Port *port) |
| static int | CheckPasswordAuth (Port *port, const char **logdetail) |
| static int | CheckPWChallengeAuth (Port *port, const char **logdetail) |
| static int | CheckMD5Auth (Port *port, char *shadow_pass, const char **logdetail) |
| static int | ident_inet (hbaPort *port) |
| static int | auth_peer (hbaPort *port) |
| static int | CheckRADIUSAuth (Port *port) |
| static int | PerformRadiusTransaction (const char *server, const char *secret, const char *portstr, const char *identifier, const char *user_name, const char *passwd) |
| void | set_authn_id (Port *port, const char *id) |
| void | ClientAuthentication (Port *port) |
| void | sendAuthRequest (Port *port, AuthRequest areq, const char *extradata, int extralen) |
| static bool | interpret_ident_response (const char *ident_response, char *ident_user) |
| static void | radius_add_attribute (radius_packet *packet, uint8 type, const unsigned char *data, int len) |
Variables | |
| char * | pg_krb_server_keyfile |
| bool | pg_krb_caseins_users |
| bool | pg_gss_accept_delegation |
| ClientAuthentication_hook_type | ClientAuthentication_hook = NULL |
Macro Definition Documentation
◆ HOSTNAME_LOOKUP_DETAIL
| #define HOSTNAME_LOOKUP_DETAIL | ( | port | ) |
Value:
(port->remote_hostname ? \
(port->remote_hostname_resolv == +1 ? \
errdetail_log("Client IP address resolved to \"%s\", forward lookup matches.", \
port->remote_hostname) : \
port->remote_hostname_resolv == 0 ? \
errdetail_log("Client IP address resolved to \"%s\", forward lookup not checked.", \
port->remote_hostname) : \
port->remote_hostname_resolv == -1 ? \
errdetail_log("Client IP address resolved to \"%s\", forward lookup does not match.", \
port->remote_hostname) : \
port->remote_hostname_resolv == -2 ? \
errdetail_log("Could not translate client host name \"%s\" to IP address: %s.", \
port->remote_hostname, \
gai_strerror(port->remote_hostname_errcode)) : \
0) \
: (port->remote_hostname_resolv == -2 ? \
errdetail_log("Could not resolve client IP address to a host name: %s.", \
gai_strerror(port->remote_hostname_errcode)) : \
0))
◆ IDENT_PORT
◆ IDENT_USERNAME_MAX
◆ RADIUS_ACCESS_ACCEPT
◆ RADIUS_ACCESS_REJECT
◆ RADIUS_ACCESS_REQUEST
◆ RADIUS_AUTHENTICATE_ONLY
◆ RADIUS_BUFFER_SIZE
◆ RADIUS_HEADER_LENGTH
◆ RADIUS_MAX_PASSWORD_LENGTH
◆ RADIUS_NAS_IDENTIFIER
◆ RADIUS_PASSWORD
◆ RADIUS_SERVICE_TYPE
◆ RADIUS_TIMEOUT
◆ RADIUS_USER_NAME
◆ RADIUS_VECTOR_LENGTH
Function Documentation
◆ auth_failed()
|
static |
Definition at line 231 of file auth.c.
232{
233 const char *errstr;
234 char *cdetail;
235 int errcode_return = ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION;
236
237 /*
238 * If we failed due to EOF from client, just quit; there's no point in
239 * trying to send a message to the client, and not much point in logging
240 * the failure in the postmaster log. (Logging the failure might be
241 * desirable, were it not for the fact that libpq closes the connection
242 * unceremoniously if challenged for a password when it hasn't got one to
243 * send. We'll get a useless log entry for every psql connection under
244 * password auth, even if it's perfectly successful, if we log STATUS_EOF
245 * events.)
246 */
248 proc_exit(0);
249
251 {
255 break;
258 break;
261 break;
264 break;
269 /* We use it to indicate if a .pgpass password failed. */
270 errcode_return = ERRCODE_INVALID_PASSWORD;
271 break;
274 break;
277 break;
280 break;
283 break;
286 break;
289 break;
292 break;
295 break;
296 default:
298 break;
299 }
300
303 port->hba->rawline);
304 if (logdetail)
306 else
307 logdetail = cdetail;
308
310 (errcode(errcode_return),
313
314 /* doesn't return */
315}
References _, ereport, errcode(), ERRCODE_INVALID_PASSWORD, errdetail_log(), errmsg(), FATAL, gettext_noop, port, proc_exit(), psprintf(), STATUS_EOF, uaBSD, uaCert, uaGSS, uaIdent, uaImplicitReject, uaLDAP, uaMD5, uaOAuth, uaPAM, uaPassword, uaPeer, uaRADIUS, uaReject, uaSCRAM, uaSSPI, and uaTrust.
Referenced by ClientAuthentication().
◆ auth_peer()
|
static |
Definition at line 1848 of file auth.c.
1849{
1850 uid_t uid;
1851 gid_t gid;
1852#ifndef WIN32
1853 struct passwd pwbuf;
1854 struct passwd *pw;
1856 int rc;
1857 int ret;
1858#endif
1859
1861 {
1862 /* Provide special error message if getpeereid is a stub */
1863 if (errno == ENOSYS)
1865 (errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
1867 else
1869 (errcode_for_socket_access(),
1872 }
1873
1874#ifndef WIN32
1876 if (rc != 0)
1877 {
1878 errno = rc;
1882 }
1883 else if (!pw)
1884 {
1888 }
1889
1890 /*
1891 * Make a copy of static getpw*() result area; this is our authenticated
1892 * identity. Set it before calling check_usermap, because authentication
1893 * has already succeeded and we want the log file to reflect that.
1894 */
1896
1899
1900 return ret;
1901#else
1902 /* should have failed with ENOSYS above */
1905#endif
1906}
Assert(PointerIsAligned(start, uint64))
int check_usermap(const char *usermap_name, const char *pg_user, const char *system_user, bool case_insensitive)
Definition: hba.c:2966
References Assert(), ClientConnectionInfo::authn_id, buf, check_usermap(), ereport, errcode(), errcode_for_socket_access(), errmsg(), getpeereid(), LOG, MyClientConnectionInfo, port, set_authn_id(), and STATUS_ERROR.
Referenced by ClientAuthentication().
◆ CheckMD5Auth()
|
static |
Definition at line 875 of file auth.c.
876{
877 char md5Salt[4]; /* Password salt */
878 char *passwd;
879 int result;
880
881 /* include the salt to use for computing the response */
883 {
887 }
888
890
892 if (passwd == NULL)
894
895 if (shadow_pass)
897 md5Salt, 4, logdetail);
898 else
899 result = STATUS_ERROR;
900
901 pfree(passwd);
902
903 return result;
904}
void sendAuthRequest(Port *port, AuthRequest areq, const char *extradata, int extralen)
Definition: auth.c:669
int md5_crypt_verify(const char *role, const char *shadow_pass, const char *client_pass, const char *md5_salt, int md5_salt_len, const char **logdetail)
Definition: crypt.c:202
References AUTH_REQ_MD5, ereport, errmsg(), LOG, md5_crypt_verify(), pfree(), pg_strong_random(), port, recv_password_packet(), sendAuthRequest(), STATUS_EOF, and STATUS_ERROR.
Referenced by CheckPWChallengeAuth().
◆ CheckPasswordAuth()
|
static |
Definition at line 780 of file auth.c.
781{
782 char *passwd;
783 int result;
784 char *shadow_pass;
785
787
789 if (passwd == NULL)
791
793 if (shadow_pass)
794 {
796 logdetail);
797 }
798 else
799 result = STATUS_ERROR;
800
801 if (shadow_pass)
802 pfree(shadow_pass);
803 pfree(passwd);
804
807
808 return result;
809}
int plain_crypt_verify(const char *role, const char *shadow_pass, const char *client_pass, const char **logdetail)
Definition: crypt.c:256
char * get_role_password(const char *role, const char **logdetail)
Definition: crypt.c:38
References AUTH_REQ_PASSWORD, get_role_password(), pfree(), plain_crypt_verify(), port, recv_password_packet(), sendAuthRequest(), set_authn_id(), STATUS_EOF, STATUS_ERROR, and STATUS_OK.
Referenced by ClientAuthentication().
◆ CheckPWChallengeAuth()
|
static |
Definition at line 815 of file auth.c.
816{
817 int auth_result;
818 char *shadow_pass;
819 PasswordType pwtype;
820
823
824 /* First look up the user's password. */
826
827 /*
828 * If the user does not exist, or has no password or it's expired, we
829 * still go through the motions of authentication, to avoid revealing to
830 * the client that the user didn't exist. If 'md5' is allowed, we choose
831 * whether to use 'md5' or 'scram-sha-256' authentication based on current
832 * password_encryption setting. The idea is that most genuine users
833 * probably have a password of that type, and if we pretend that this user
834 * had a password of that type, too, it "blends in" best.
835 */
836 if (!shadow_pass)
837 pwtype = Password_encryption;
838 else
839 pwtype = get_password_type(shadow_pass);
840
841 /*
842 * If 'md5' authentication is allowed, decide whether to perform 'md5' or
843 * 'scram-sha-256' authentication based on the type of password the user
844 * has. If it's an MD5 hash, we must do MD5 authentication, and if it's a
845 * SCRAM secret, we must do SCRAM authentication.
846 *
847 * If MD5 authentication is not allowed, always use SCRAM. If the user
848 * had an MD5 password, CheckSASLAuth() with the SCRAM mechanism will
849 * fail.
850 */
853 else
855 logdetail);
856
857 if (shadow_pass)
858 pfree(shadow_pass);
859 else
860 {
861 /*
862 * If get_role_password() returned error, authentication better not
863 * have succeeded.
864 */
866 }
867
870
871 return auth_result;
872}
int CheckSASLAuth(const pg_be_sasl_mech *mech, Port *port, char *shadow_pass, const char **logdetail)
Definition: auth-sasl.c:44
static int CheckMD5Auth(Port *port, char *shadow_pass, const char **logdetail)
Definition: auth.c:875
References Assert(), CheckMD5Auth(), CheckSASLAuth(), get_password_type(), get_role_password(), Password_encryption, PASSWORD_TYPE_MD5, pfree(), pg_be_scram_mech, port, set_authn_id(), STATUS_OK, uaMD5, and uaSCRAM.
Referenced by ClientAuthentication().
◆ CheckRADIUSAuth()
|
static |
Definition at line 2837 of file auth.c.
2838{
2839 char *passwd;
2840 ListCell *server,
2841 *secrets,
2842 *radiusports,
2843 *identifiers;
2844
2845 /* Make sure struct alignment is correct */
2847
2848 /* Verify parameters */
2850 {
2854 }
2855
2857 {
2861 }
2862
2863 /* Send regular password request to client, and get the response */
2865
2867 if (passwd == NULL)
2869
2871 {
2873 (errmsg("RADIUS authentication does not support passwords longer than %d characters", RADIUS_MAX_PASSWORD_LENGTH)));
2874 pfree(passwd);
2876 }
2877
2878 /*
2879 * Loop over and try each server in order.
2880 */
2885 {
2887 lfirst(secrets),
2888 radiusports ? lfirst(radiusports) : NULL,
2889 identifiers ? lfirst(identifiers) : NULL,
2890 port->user_name,
2891 passwd);
2892
2893 /*------
2894 * STATUS_OK = Login OK
2895 * STATUS_ERROR = Login not OK, but try next server
2896 * STATUS_EOF = Login not OK, and don't try next server
2897 *------
2898 */
2900 {
2902
2903 pfree(passwd);
2905 }
2907 {
2908 pfree(passwd);
2910 }
2911
2912 /*
2913 * secret, port and identifiers either have length 0 (use default),
2914 * length 1 (use the same everywhere) or the same length as servers.
2915 * So if the length is >1, we advance one step. In other cases, we
2916 * don't and will then reuse the correct value.
2917 */
2924 }
2925
2926 /* No servers left to try, so give up */
2927 pfree(passwd);
2929}
static int PerformRadiusTransaction(const char *server, const char *secret, const char *portstr, const char *identifier, const char *user_name, const char *passwd)
Definition: auth.c:2932
Definition: auth.c:2784
Definition: pg_list.h:46
References Assert(), AUTH_REQ_PASSWORD, ereport, errmsg(), lfirst, list_head(), list_length(), lnext(), LOG, NIL, PerformRadiusTransaction(), pfree(), port, RADIUS_MAX_PASSWORD_LENGTH, recv_password_packet(), sendAuthRequest(), set_authn_id(), STATUS_EOF, STATUS_ERROR, and STATUS_OK.
Referenced by ClientAuthentication().
◆ ClientAuthentication()
| void ClientAuthentication | ( | Port * | port | ) |
Definition at line 371 of file auth.c.
372{
374 const char *logdetail = NULL;
375
376 /*
377 * Get the authentication method to use for this frontend/database
378 * combination. Note: we do not parse the file at this point; this has
379 * already been done elsewhere. hba.c dropped an error message into the
380 * server logfile if parsing the hba config file failed.
381 */
383
384 CHECK_FOR_INTERRUPTS();
385
386 /*
387 * This is the first point where we have access to the hba record for the
388 * current connection, so perform any verifications based on the hba
389 * options field that should be done *before* the authentication here.
390 */
392 {
393 /* If we haven't loaded a root certificate store, fail */
396 (errcode(ERRCODE_CONFIG_FILE_ERROR),
398
399 /*
400 * If we loaded a root certificate store, and if a certificate is
401 * present on the client, then it has been verified against our root
402 * certificate store, and the connection would have been aborted
403 * already if it didn't verify ok.
404 */
407 (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
409 }
410
411 /*
412 * Now proceed to do the actual authentication check
413 */
415 {
417
418 /*
419 * An explicit "reject" entry in pg_hba.conf. This report exposes
420 * the fact that there's an explicit reject entry, which is
421 * perhaps not so desirable from a security standpoint; but the
422 * message for an implicit reject could confuse the DBA a lot when
423 * the true situation is a match to an explicit reject. And we
424 * don't want to change the message for an implicit reject. As
425 * noted below, the additional information shown here doesn't
426 * expose anything not known to an attacker.
427 */
428 {
429 char hostinfo[NI_MAXHOST];
430 const char *encryption_state;
431
433 hostinfo, sizeof(hostinfo),
434 NULL, 0,
435 NI_NUMERICHOST);
436
437 encryption_state =
438#ifdef ENABLE_GSS
440#endif
441#ifdef USE_SSL
443#endif
445
448 (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
449 /* translator: last %s describes encryption state */
451 hostinfo, port->user_name,
452 encryption_state)));
453 else
455 (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
456 /* translator: last %s describes encryption state */
458 hostinfo, port->user_name,
459 port->database_name,
460 encryption_state)));
461 break;
462 }
463
465
466 /*
467 * No matching entry, so tell the user we fell through.
468 *
469 * NOTE: the extra info reported here is not a security breach,
470 * because all that info is known at the frontend and must be
471 * assumed known to bad guys. We're merely helping out the less
472 * clueful good guys.
473 */
474 {
475 char hostinfo[NI_MAXHOST];
476 const char *encryption_state;
477
479 hostinfo, sizeof(hostinfo),
480 NULL, 0,
481 NI_NUMERICHOST);
482
483 encryption_state =
484#ifdef ENABLE_GSS
486#endif
487#ifdef USE_SSL
489#endif
491
492#define HOSTNAME_LOOKUP_DETAIL(port) \
493 (port->remote_hostname ? \
494 (port->remote_hostname_resolv == +1 ? \
495 errdetail_log("Client IP address resolved to \"%s\", forward lookup matches.", \
496 port->remote_hostname) : \
497 port->remote_hostname_resolv == 0 ? \
498 errdetail_log("Client IP address resolved to \"%s\", forward lookup not checked.", \
499 port->remote_hostname) : \
500 port->remote_hostname_resolv == -1 ? \
501 errdetail_log("Client IP address resolved to \"%s\", forward lookup does not match.", \
502 port->remote_hostname) : \
503 port->remote_hostname_resolv == -2 ? \
504 errdetail_log("Could not translate client host name \"%s\" to IP address: %s.", \
505 port->remote_hostname, \
506 gai_strerror(port->remote_hostname_errcode)) : \
507 0) \
508 : (port->remote_hostname_resolv == -2 ? \
509 errdetail_log("Could not resolve client IP address to a host name: %s.", \
510 gai_strerror(port->remote_hostname_errcode)) : \
511 0))
512
515 (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
516 /* translator: last %s describes encryption state */
518 hostinfo, port->user_name,
519 encryption_state),
521 else
523 (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
524 /* translator: last %s describes encryption state */
526 hostinfo, port->user_name,
527 port->database_name,
528 encryption_state),
530 break;
531 }
532
534#ifdef ENABLE_GSS
535 /* We might or might not have the gss workspace already */
537 port->gss = (pg_gssinfo *)
539 sizeof(pg_gssinfo));
541
542 /*
543 * If GSS state was set up while enabling encryption, we can just
544 * check the client's principal. Otherwise, ask for it.
545 */
547 status = pg_GSS_checkauth(port);
548 else
549 {
551 status = pg_GSS_recvauth(port);
552 }
553#else
555#endif
556 break;
557
559#ifdef ENABLE_SSPI
561 port->gss = (pg_gssinfo *)
563 sizeof(pg_gssinfo));
565 status = pg_SSPI_recvauth(port);
566#else
568#endif
569 break;
570
573 break;
574
577 break;
578
582 break;
583
586 break;
587
589#ifdef USE_PAM
591#else
593#endif /* USE_PAM */
594 break;
595
597#ifdef USE_BSD_AUTH
599#else
601#endif /* USE_BSD_AUTH */
602 break;
603
605#ifdef USE_LDAP
606 status = CheckLDAPAuth(port);
607#else
609#endif
610 break;
613 break;
615 /* uaCert will be treated as if clientcert=verify-full (uaTrust) */
617 status = STATUS_OK;
618 break;
621 break;
622 }
623
626 {
627 /*
628 * Make sure we only check the certificate if we use the cert method
629 * or verify-full option.
630 */
631#ifdef USE_SSL
632 status = CheckCertAuth(port);
633#else
635#endif
636 }
637
639 status == STATUS_OK &&
641 {
642 /*
643 * Normally, if log_connections is set, the call to set_authn_id()
644 * will log the connection. However, if that function is never
645 * called, perhaps because the trust method is in use, then we handle
646 * the logging here instead.
647 */
650 "(%s:%d)",
653 }
654
656 (*ClientAuthentication_hook) (port, status);
657
660 else
662}
static int CheckPWChallengeAuth(Port *port, const char **logdetail)
Definition: auth.c:815
static void auth_failed(Port *port, int status, const char *logdetail)
Definition: auth.c:231
ClientAuthentication_hook_type ClientAuthentication_hook
Definition: auth.c:215
#define HOSTNAME_LOOKUP_DETAIL(port)
static int CheckPasswordAuth(Port *port, const char **logdetail)
Definition: auth.c:780
int pg_getnameinfo_all(const struct sockaddr_storage *addr, int salen, char *node, int nodelen, char *service, int servicelen, int flags)
Definition: ip.c:114
void * MemoryContextAllocZero(MemoryContext context, Size size)
Definition: mcxt.c:1294
References _, am_db_walsender, am_walsender, Assert(), auth_failed(), auth_peer(), AUTH_REQ_GSS, AUTH_REQ_OK, AUTH_REQ_SSPI, ClientConnectionInfo::authn_id, CHECK_FOR_INTERRUPTS, CheckPasswordAuth(), CheckPWChallengeAuth(), CheckRADIUSAuth(), CheckSASLAuth(), ClientAuthentication_hook, clientCertFull, clientCertOff, ereport, errcode(), errmsg(), FATAL, hba_authname(), hba_getauthmethod(), HOSTNAME_LOOKUP_DETAIL, ident_inet(), LOG, LOG_CONNECTION_AUTHENTICATION, log_connections, MemoryContextAllocZero(), MyClientConnectionInfo, pg_be_oauth_mech, pg_getnameinfo_all(), port, secure_loaded_verify_locations(), sendAuthRequest(), STATUS_ERROR, STATUS_OK, TopMemoryContext, uaBSD, uaCert, uaGSS, uaIdent, uaImplicitReject, uaLDAP, uaMD5, uaOAuth, uaPAM, uaPassword, uaPeer, uaRADIUS, uaReject, uaSCRAM, uaSSPI, and uaTrust.
Referenced by PerformAuthentication().
◆ ident_inet()
|
static |
Definition at line 1663 of file auth.c.
1664{
1669 int rc; /* Return code from a locally called function */
1670 bool ident_return;
1671 char remote_addr_s[NI_MAXHOST];
1672 char remote_port[NI_MAXSERV];
1673 char local_addr_s[NI_MAXHOST];
1674 char local_port[NI_MAXSERV];
1675 char ident_port[NI_MAXSERV];
1676 char ident_query[80];
1678 struct addrinfo *ident_serv = NULL,
1679 *la = NULL,
1680 hints;
1681
1682 /*
1683 * Might look a little weird to first convert it to text and then back to
1684 * sockaddr, but it's protocol independent.
1685 */
1687 remote_addr_s, sizeof(remote_addr_s),
1688 remote_port, sizeof(remote_port),
1689 NI_NUMERICHOST | NI_NUMERICSERV);
1691 local_addr_s, sizeof(local_addr_s),
1692 local_port, sizeof(local_port),
1693 NI_NUMERICHOST | NI_NUMERICSERV);
1694
1696 hints.ai_flags = AI_NUMERICHOST;
1697 hints.ai_family = remote_addr.addr.ss_family;
1698 hints.ai_socktype = SOCK_STREAM;
1699 hints.ai_protocol = 0;
1700 hints.ai_addrlen = 0;
1701 hints.ai_canonname = NULL;
1702 hints.ai_addr = NULL;
1703 hints.ai_next = NULL;
1704 rc = pg_getaddrinfo_all(remote_addr_s, ident_port, &hints, &ident_serv);
1705 if (rc || !ident_serv)
1706 {
1707 /* we don't expect this to happen */
1708 ident_return = false;
1709 goto ident_inet_done;
1710 }
1711
1712 hints.ai_flags = AI_NUMERICHOST;
1713 hints.ai_family = local_addr.addr.ss_family;
1714 hints.ai_socktype = SOCK_STREAM;
1715 hints.ai_protocol = 0;
1716 hints.ai_addrlen = 0;
1717 hints.ai_canonname = NULL;
1718 hints.ai_addr = NULL;
1719 hints.ai_next = NULL;
1720 rc = pg_getaddrinfo_all(local_addr_s, NULL, &hints, &la);
1721 if (rc || !la)
1722 {
1723 /* we don't expect this to happen */
1724 ident_return = false;
1725 goto ident_inet_done;
1726 }
1727
1728 sock_fd = socket(ident_serv->ai_family, ident_serv->ai_socktype,
1729 ident_serv->ai_protocol);
1731 {
1733 (errcode_for_socket_access(),
1735 ident_return = false;
1736 goto ident_inet_done;
1737 }
1738
1739 /*
1740 * Bind to the address which the client originally contacted, otherwise
1741 * the ident server won't be able to match up the right connection. This
1742 * is necessary if the PostgreSQL server is running on an IP alias.
1743 */
1744 rc = bind(sock_fd, la->ai_addr, la->ai_addrlen);
1745 if (rc != 0)
1746 {
1748 (errcode_for_socket_access(),
1750 local_addr_s)));
1751 ident_return = false;
1752 goto ident_inet_done;
1753 }
1754
1755 rc = connect(sock_fd, ident_serv->ai_addr,
1756 ident_serv->ai_addrlen);
1757 if (rc != 0)
1758 {
1760 (errcode_for_socket_access(),
1762 remote_addr_s, ident_port)));
1763 ident_return = false;
1764 goto ident_inet_done;
1765 }
1766
1767 /* The query we send to the Ident server */
1769 remote_port, local_port);
1770
1771 /* loop in case send is interrupted */
1772 do
1773 {
1774 CHECK_FOR_INTERRUPTS();
1775
1776 rc = send(sock_fd, ident_query, strlen(ident_query), 0);
1778
1779 if (rc < 0)
1780 {
1782 (errcode_for_socket_access(),
1784 remote_addr_s, ident_port)));
1785 ident_return = false;
1786 goto ident_inet_done;
1787 }
1788
1789 do
1790 {
1791 CHECK_FOR_INTERRUPTS();
1792
1795
1796 if (rc < 0)
1797 {
1799 (errcode_for_socket_access(),
1801 remote_addr_s, ident_port)));
1802 ident_return = false;
1803 goto ident_inet_done;
1804 }
1805
1806 ident_response[rc] = '\0';
1807 ident_return = interpret_ident_response(ident_response, ident_user);
1808 if (!ident_return)
1811 ident_response)));
1812
1813ident_inet_done:
1815 closesocket(sock_fd);
1816 if (ident_serv)
1818 if (la)
1820
1821 if (ident_return)
1822 {
1823 /*
1824 * Success! Store the identity, then check the usermap. Note that
1825 * setting the authenticated identity is done before checking the
1826 * usermap, because at this point authentication has succeeded.
1827 */
1830 }
1832}
static bool interpret_ident_response(const char *ident_response, char *ident_user)
Definition: auth.c:1582
void pg_freeaddrinfo_all(int hint_ai_family, struct addrinfo *ai)
Definition: ip.c:82
int pg_getaddrinfo_all(const char *hostname, const char *servname, const struct addrinfo *hintp, struct addrinfo **result)
Definition: ip.c:53
Definition: pqcomm.h:31
References SockAddr::addr, bind, CHECK_FOR_INTERRUPTS, check_usermap(), closesocket, connect, EINTR, ereport, errcode_for_socket_access(), errmsg(), IDENT_PORT, IDENT_USERNAME_MAX, interpret_ident_response(), LOG, pg_freeaddrinfo_all(), pg_getaddrinfo_all(), pg_getnameinfo_all(), PGINVALID_SOCKET, port, recv, SockAddr::salen, send, set_authn_id(), snprintf, socket, and STATUS_ERROR.
Referenced by ClientAuthentication().
◆ interpret_ident_response()
|
static |
Definition at line 1582 of file auth.c.
1584{
1586
1587 /*
1588 * Ident's response, in the telnet tradition, should end in crlf (\r\n).
1589 */
1590 if (strlen(ident_response) < 2)
1591 return false;
1592 else if (ident_response[strlen(ident_response) - 2] != '\r')
1593 return false;
1594 else
1595 {
1598
1600 return false;
1601 else
1602 {
1603 /* We're positioned to colon before response type field */
1604 char response_type[80];
1606
1610 i = 0;
1617 if (strcmp(response_type, "USERID") != 0)
1618 return false;
1619 else
1620 {
1621 /*
1622 * It's a USERID response. Good. "cursor" should be pointing
1623 * to the colon that precedes the operating system type.
1624 */
1626 return false;
1627 else
1628 {
1630 /* Skip over operating system field. */
1632 cursor++;
1634 return false;
1635 else
1636 {
1640 /* Rest of line is user name. Copy it over. */
1641 i = 0;
1645 return true;
1646 }
1647 }
1648 }
1649 }
1650 }
1651}
Definition: type.h:138
References i, IDENT_USERNAME_MAX, and pg_isblank().
Referenced by ident_inet().
◆ PerformRadiusTransaction()
|
static |
Definition at line 2932 of file auth.c.
2933{
2934 radius_packet radius_send_pack;
2935 radius_packet radius_recv_pack;
2936 radius_packet *packet = &radius_send_pack;
2937 radius_packet *receivepacket = &radius_recv_pack;
2938 void *radius_buffer = &radius_send_pack;
2939 void *receive_buffer = &radius_recv_pack;
2941 uint8 *cryptvector;
2942 int encryptedpasswordlen;
2944 uint8 *md5trailer;
2945 int packetlength;
2946 pgsocket sock;
2947
2948 struct sockaddr_in6 localaddr;
2949 struct sockaddr_in6 remoteaddr;
2950 struct addrinfo hint;
2951 struct addrinfo *serveraddrs;
2953 socklen_t addrsize;
2954 fd_set fdset;
2955 struct timeval endtime;
2957 j,
2958 r;
2959
2960 /* Assign default values */
2963 if (identifier == NULL)
2964 identifier = "postgresql";
2965
2967 hint.ai_socktype = SOCK_DGRAM;
2968 hint.ai_family = AF_UNSPEC;
2970
2972 if (r || !serveraddrs)
2973 {
2976 server, gai_strerror(r))));
2977 if (serveraddrs)
2978 pg_freeaddrinfo_all(hint.ai_family, serveraddrs);
2980 }
2981 /* XXX: add support for multiple returned addresses? */
2982
2983 /* Construct RADIUS packet */
2987 {
2990 pg_freeaddrinfo_all(hint.ai_family, serveraddrs);
2992 }
2994 radius_add_attribute(packet, RADIUS_SERVICE_TYPE, (const unsigned char *) &service, sizeof(service));
2995 radius_add_attribute(packet, RADIUS_USER_NAME, (const unsigned char *) user_name, strlen(user_name));
2996 radius_add_attribute(packet, RADIUS_NAS_IDENTIFIER, (const unsigned char *) identifier, strlen(identifier));
2997
2998 /*
2999 * RADIUS password attributes are calculated as: e[0] = p[0] XOR
3000 * MD5(secret + Request Authenticator) for the first group of 16 octets,
3001 * and then: e[i] = p[i] XOR MD5(secret + e[i-1]) for the following ones
3002 * (if necessary)
3003 */
3004 encryptedpasswordlen = ((strlen(passwd) + RADIUS_VECTOR_LENGTH - 1) / RADIUS_VECTOR_LENGTH) * RADIUS_VECTOR_LENGTH;
3006 memcpy(cryptvector, secret, strlen(secret));
3007
3008 /* for the first iteration, we use the Request Authenticator vector */
3009 md5trailer = packet->vector;
3011 {
3012 const char *errstr = NULL;
3013
3014 memcpy(cryptvector + strlen(secret), md5trailer, RADIUS_VECTOR_LENGTH);
3015
3016 /*
3017 * .. and for subsequent iterations the result of the previous XOR
3018 * (calculated below)
3019 */
3020 md5trailer = encryptedpassword + i;
3021
3023 encryptedpassword + i, &errstr))
3024 {
3027 errstr)));
3028 pfree(cryptvector);
3029 pg_freeaddrinfo_all(hint.ai_family, serveraddrs);
3031 }
3032
3034 {
3037 else
3039 }
3040 }
3041 pfree(cryptvector);
3042
3044
3045 /* Length needs to be in network order on the wire */
3046 packetlength = packet->length;
3048
3049 sock = socket(serveraddrs[0].ai_family, SOCK_DGRAM, 0);
3051 {
3054 pg_freeaddrinfo_all(hint.ai_family, serveraddrs);
3056 }
3057
3058 memset(&localaddr, 0, sizeof(localaddr));
3059 localaddr.sin6_family = serveraddrs[0].ai_family;
3060 localaddr.sin6_addr = in6addr_any;
3061 if (localaddr.sin6_family == AF_INET6)
3062 addrsize = sizeof(struct sockaddr_in6);
3063 else
3064 addrsize = sizeof(struct sockaddr_in);
3065
3067 {
3070 closesocket(sock);
3071 pg_freeaddrinfo_all(hint.ai_family, serveraddrs);
3073 }
3074
3075 if (sendto(sock, radius_buffer, packetlength, 0,
3076 serveraddrs[0].ai_addr, serveraddrs[0].ai_addrlen) < 0)
3077 {
3080 closesocket(sock);
3081 pg_freeaddrinfo_all(hint.ai_family, serveraddrs);
3083 }
3084
3085 /* Don't need the server address anymore */
3086 pg_freeaddrinfo_all(hint.ai_family, serveraddrs);
3087
3088 /*
3089 * Figure out at what time we should time out. We can't just use a single
3090 * call to select() with a timeout, since somebody can be sending invalid
3091 * packets to our port thus causing us to retry in a loop and never time
3092 * out.
3093 *
3094 * XXX: Using WaitLatchOrSocket() and doing a CHECK_FOR_INTERRUPTS() if
3095 * the latch was set would improve the responsiveness to
3096 * timeouts/cancellations.
3097 */
3098 gettimeofday(&endtime, NULL);
3099 endtime.tv_sec += RADIUS_TIMEOUT;
3100
3101 while (true)
3102 {
3103 struct timeval timeout;
3105 int64 timeoutval;
3106 const char *errstr = NULL;
3107
3109 timeoutval = (endtime.tv_sec * 1000000 + endtime.tv_usec) - (now.tv_sec * 1000000 + now.tv_usec);
3110 if (timeoutval <= 0)
3111 {
3114 server)));
3115 closesocket(sock);
3117 }
3118 timeout.tv_sec = timeoutval / 1000000;
3119 timeout.tv_usec = timeoutval % 1000000;
3120
3121 FD_ZERO(&fdset);
3122 FD_SET(sock, &fdset);
3123
3124 r = select(sock + 1, &fdset, NULL, NULL, &timeout);
3125 if (r < 0)
3126 {
3128 continue;
3129
3130 /* Anything else is an actual error */
3133 closesocket(sock);
3135 }
3136 if (r == 0)
3137 {
3140 server)));
3141 closesocket(sock);
3143 }
3144
3145 /*
3146 * Attempt to read the response packet, and verify the contents.
3147 *
3148 * Any packet that's not actually a RADIUS packet, or otherwise does
3149 * not validate as an explicit reject, is just ignored and we retry
3150 * for another packet (until we reach the timeout). This is to avoid
3151 * the possibility to denial-of-service the login by flooding the
3152 * server with invalid packets on the port that we're expecting the
3153 * RADIUS response on.
3154 */
3155
3156 addrsize = sizeof(remoteaddr);
3157 packetlength = recvfrom(sock, receive_buffer, RADIUS_BUFFER_SIZE, 0,
3158 (struct sockaddr *) &remoteaddr, &addrsize);
3159 if (packetlength < 0)
3160 {
3163 closesocket(sock);
3165 }
3166
3168 {
3171 server, pg_ntoh16(remoteaddr.sin6_port))));
3172 continue;
3173 }
3174
3176 {
3179 continue;
3180 }
3181
3183 {
3187 continue;
3188 }
3189
3191 {
3195 continue;
3196 }
3197
3198 /*
3199 * Verify the response authenticator, which is calculated as
3200 * MD5(Code+ID+Length+RequestAuthenticator+Attributes+Secret)
3201 */
3202 cryptvector = palloc(packetlength + strlen(secret));
3203
3204 memcpy(cryptvector, receivepacket, 4); /* code+id+length */
3206 * authenticator, from
3207 * original packet */
3209 * attributes at all */
3210 memcpy(cryptvector + RADIUS_HEADER_LENGTH,
3212 packetlength - RADIUS_HEADER_LENGTH);
3213 memcpy(cryptvector + packetlength, secret, strlen(secret));
3214
3216 packetlength + strlen(secret),
3217 encryptedpassword, &errstr))
3218 {
3221 errstr)));
3222 pfree(cryptvector);
3223 continue;
3224 }
3225 pfree(cryptvector);
3226
3228 {
3231 server)));
3232 continue;
3233 }
3234
3236 {
3237 closesocket(sock);
3239 }
3241 {
3242 closesocket(sock);
3244 }
3245 else
3246 {
3249 server, receivepacket->code, user_name)));
3250 continue;
3251 }
3252 } /* while (true) */
3253}
static void radius_add_attribute(radius_packet *packet, uint8 type, const unsigned char *data, int len)
Definition: auth.c:2811
bool pg_md5_binary(const void *buff, size_t len, void *outbuf, const char **errstr)
Definition: md5_common.c:108
References bind, closesocket, radius_packet::code, EINTR, ereport, errmsg(), gai_strerror(), gettimeofday(), i, radius_packet::id, j, radius_packet::length, LOG, MemSet, now(), palloc(), pfree(), pg_freeaddrinfo_all(), pg_getaddrinfo_all(), pg_hton16, pg_hton32, pg_md5_binary(), pg_ntoh16, pg_strong_random(), PGINVALID_SOCKET, port, portstr, RADIUS_ACCESS_ACCEPT, RADIUS_ACCESS_REJECT, RADIUS_ACCESS_REQUEST, radius_add_attribute(), RADIUS_AUTHENTICATE_ONLY, RADIUS_BUFFER_SIZE, RADIUS_HEADER_LENGTH, RADIUS_MAX_PASSWORD_LENGTH, RADIUS_NAS_IDENTIFIER, RADIUS_PASSWORD, RADIUS_SERVICE_TYPE, RADIUS_TIMEOUT, RADIUS_USER_NAME, RADIUS_VECTOR_LENGTH, select, socket, STATUS_EOF, STATUS_ERROR, STATUS_OK, and radius_packet::vector.
Referenced by CheckRADIUSAuth().
◆ radius_add_attribute()
|
static |
Definition at line 2811 of file auth.c.
2812{
2813 radius_attribute *attr;
2814
2816 {
2817 /*
2818 * With remotely realistic data, this can never happen. But catch it
2819 * just to make sure we don't overrun a buffer. We'll just skip adding
2820 * the broken attribute, which will in the end cause authentication to
2821 * fail.
2822 */
2824 "adding attribute code %d with length %d to radius packet would create oversize packet, ignoring",
2826 return;
2827 }
2828
2834}
Definition: auth.c:2777
References radius_attribute::attribute, radius_attribute::data, data, elog, len, radius_attribute::length, radius_packet::length, RADIUS_BUFFER_SIZE, type, and WARNING.
Referenced by PerformRadiusTransaction().
◆ recv_password_packet()
|
static |
Definition at line 699 of file auth.c.
700{
702 int mtype;
703
704 pq_startmsgread();
705
706 /* Expect 'p' message type */
707 mtype = pq_getbyte();
709 {
710 /*
711 * If the client just disconnects without offering a password, don't
712 * make a log entry. This is legal per protocol spec and in fact
713 * commonly done by psql, so complaining just clutters the log.
714 */
715 if (mtype != EOF)
717 (errcode(ERRCODE_PROTOCOL_VIOLATION),
719 mtype)));
720 return NULL; /* EOF or bad message type */
721 }
722
725 {
726 /* EOF - pq_getmessage already logged a suitable message */
728 return NULL;
729 }
730
731 /*
732 * Apply sanity check: password packet length should agree with length of
733 * contained string. Note it is safe to use strlen here because
734 * StringInfo is guaranteed to have an appended '\0'.
735 */
738 (errcode(ERRCODE_PROTOCOL_VIOLATION),
740
741 /*
742 * Don't allow an empty password. Libpq treats an empty password the same
743 * as no password at all, and won't even try to authenticate. But other
744 * clients might, so allowing it would be confusing.
745 *
746 * Note that this only catches an empty password sent by the client in
747 * plaintext. There's also a check in CREATE/ALTER USER that prevents an
748 * empty string from being stored as a user's password in the first place.
749 * We rely on that for MD5 and SCRAM authentication, but we still need
750 * this check here, to prevent an empty password from being used with
751 * authentication methods that check the password against an external
752 * system, like PAM, LDAP and RADIUS.
753 */
758
759 /* Do not echo password to logs, for security. */
761
762 /*
763 * Return the received string. Note we do not attempt to do any
764 * character-set conversion on it; since we don't yet know the client's
765 * encoding, there wouldn't be much point.
766 */
768}
Definition: stringinfo.h:47
References buf, DEBUG5, elog, ereport, errcode(), ERRCODE_INVALID_PASSWORD, errmsg(), ERROR, initStringInfo(), pfree(), PG_MAX_AUTH_TOKEN_LENGTH, pq_getbyte(), pq_getmessage(), pq_startmsgread(), and PqMsg_PasswordMessage.
Referenced by CheckMD5Auth(), CheckPasswordAuth(), and CheckRADIUSAuth().
◆ sendAuthRequest()
| void sendAuthRequest | ( | Port * | port, |
| AuthRequest | areq, | ||
| const char * | extradata, | ||
| int | extralen | ||
| ) |
Definition at line 669 of file auth.c.
670{
672
673 CHECK_FOR_INTERRUPTS();
674
677 if (extralen > 0)
679
681
682 /*
683 * Flush message so client will see it, except for AUTH_REQ_OK and
684 * AUTH_REQ_SASL_FIN, which need not be sent until we are ready for
685 * queries.
686 */
688 pq_flush();
689
690 CHECK_FOR_INTERRUPTS();
691}
void pq_sendbytes(StringInfo buf, const void *data, int datalen)
Definition: pqformat.c:126
References AUTH_REQ_OK, AUTH_REQ_SASL_FIN, buf, CHECK_FOR_INTERRUPTS, pq_beginmessage(), pq_endmessage(), pq_flush, pq_sendbytes(), pq_sendint32(), and PqMsg_AuthenticationRequest.
Referenced by CheckMD5Auth(), CheckPasswordAuth(), CheckRADIUSAuth(), CheckSASLAuth(), and ClientAuthentication().
◆ set_authn_id()
| void set_authn_id | ( | Port * | port, |
| const char * | id | ||
| ) |
Definition at line 333 of file auth.c.
334{
336
338 {
339 /*
340 * An existing authn_id should never be overwritten; that means two
341 * authentication providers are fighting (or one is fighting itself).
342 * Don't leak any authn details to the client, but don't let the
343 * connection continue, either.
344 */
349 }
350
353
355 {
358 "(%s:%d)",
362 }
363}
char * MemoryContextStrdup(MemoryContext context, const char *string)
Definition: mcxt.c:2312
References Assert(), ClientConnectionInfo::auth_method, ClientConnectionInfo::authn_id, ereport, errdetail_log(), errmsg(), FATAL, hba_authname(), LOG, LOG_CONNECTION_AUTHENTICATION, log_connections, MemoryContextStrdup(), MyClientConnectionInfo, port, and TopMemoryContext.
Referenced by auth_peer(), CheckPasswordAuth(), CheckPWChallengeAuth(), CheckRADIUSAuth(), ident_inet(), and validate().
Variable Documentation
◆ ClientAuthentication_hook
| ClientAuthentication_hook_type ClientAuthentication_hook = NULL |
Definition at line 215 of file auth.c.
Referenced by _PG_init(), ClientAuthentication(), and sepgsql_init_client_label().
◆ pg_gss_accept_delegation
| bool pg_gss_accept_delegation |
Definition at line 167 of file auth.c.
Referenced by secure_open_gssapi().
◆ pg_krb_caseins_users
◆ pg_krb_server_keyfile
| char* pg_krb_server_keyfile |
Definition at line 165 of file auth.c.
Referenced by secure_open_gssapi().
