2021-07-07 03:55:15 +02:00
|
|
|
/*-------------------------------------------------------------------------
|
|
|
|
|
*
|
|
|
|
|
* sasl.h
|
|
|
|
|
* Defines the SASL mechanism interface for the backend.
|
|
|
|
|
*
|
|
|
|
|
* Each SASL mechanism defines a frontend and a backend callback structure.
|
|
|
|
|
*
|
|
|
|
|
* See src/interfaces/libpq/fe-auth-sasl.h for the frontend counterpart.
|
|
|
|
|
*
|
2022-01-08 01:04:57 +01:00
|
|
|
* Portions Copyright (c) 1996-2022, PostgreSQL Global Development Group
|
2021-07-07 03:55:15 +02:00
|
|
|
* Portions Copyright (c) 1994, Regents of the University of California
|
|
|
|
|
*
|
|
|
|
|
* src/include/libpq/sasl.h
|
|
|
|
|
*
|
|
|
|
|
*-------------------------------------------------------------------------
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#ifndef PG_SASL_H
|
|
|
|
|
#define PG_SASL_H
|
|
|
|
|
|
|
|
|
|
#include "lib/stringinfo.h"
|
|
|
|
|
#include "libpq/libpq-be.h"
|
|
|
|
|
|
|
|
|
|
/* Status codes for message exchange */
|
|
|
|
|
#define PG_SASL_EXCHANGE_CONTINUE 0
|
|
|
|
|
#define PG_SASL_EXCHANGE_SUCCESS 1
|
|
|
|
|
#define PG_SASL_EXCHANGE_FAILURE 2
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Backend SASL mechanism callbacks.
|
|
|
|
|
*
|
|
|
|
|
* To implement a backend mechanism, declare a pg_be_sasl_mech struct with
|
|
|
|
|
* appropriate callback implementations. Then pass the mechanism to
|
|
|
|
|
* CheckSASLAuth() during ClientAuthentication(), once the server has decided
|
|
|
|
|
* which authentication method to use.
|
|
|
|
|
*/
|
|
|
|
|
typedef struct pg_be_sasl_mech
|
|
|
|
|
{
|
|
|
|
|
/*---------
|
|
|
|
|
* get_mechanisms()
|
|
|
|
|
*
|
|
|
|
|
* Retrieves the list of SASL mechanism names supported by this
|
|
|
|
|
* implementation.
|
|
|
|
|
*
|
|
|
|
|
* Input parameters:
|
|
|
|
|
*
|
|
|
|
|
* port: The client Port
|
|
|
|
|
*
|
|
|
|
|
* Output parameters:
|
|
|
|
|
*
|
|
|
|
|
* buf: A StringInfo buffer that the callback should populate with
|
|
|
|
|
* supported mechanism names. The names are appended into this
|
|
|
|
|
* StringInfo, each one ending with '\0' bytes.
|
|
|
|
|
*---------
|
|
|
|
|
*/
|
|
|
|
|
void (*get_mechanisms) (Port *port, StringInfo buf);
|
|
|
|
|
|
|
|
|
|
/*---------
|
|
|
|
|
* init()
|
|
|
|
|
*
|
|
|
|
|
* Initializes mechanism-specific state for a connection. This callback
|
|
|
|
|
* must return a pointer to its allocated state, which will be passed
|
|
|
|
|
* as-is as the first argument to the other callbacks.
|
|
|
|
|
*
|
2022-03-15 03:29:23 +01:00
|
|
|
* Input parameters:
|
2021-07-07 03:55:15 +02:00
|
|
|
*
|
|
|
|
|
* port: The client Port.
|
|
|
|
|
*
|
|
|
|
|
* mech: The actual mechanism name in use by the client.
|
|
|
|
|
*
|
|
|
|
|
* shadow_pass: The stored secret for the role being authenticated, or
|
|
|
|
|
* NULL if one does not exist. Mechanisms that do not use
|
|
|
|
|
* shadow entries may ignore this parameter. If a
|
|
|
|
|
* mechanism uses shadow entries but shadow_pass is NULL,
|
|
|
|
|
* the implementation must continue the exchange as if the
|
|
|
|
|
* user existed and the password did not match, to avoid
|
|
|
|
|
* disclosing valid user names.
|
|
|
|
|
*---------
|
|
|
|
|
*/
|
|
|
|
|
void *(*init) (Port *port, const char *mech, const char *shadow_pass);
|
|
|
|
|
|
|
|
|
|
/*---------
|
|
|
|
|
* exchange()
|
|
|
|
|
*
|
|
|
|
|
* Produces a server challenge to be sent to the client. The callback
|
|
|
|
|
* must return one of the PG_SASL_EXCHANGE_* values, depending on
|
|
|
|
|
* whether the exchange continues, has finished successfully, or has
|
|
|
|
|
* failed.
|
|
|
|
|
*
|
|
|
|
|
* Input parameters:
|
|
|
|
|
*
|
|
|
|
|
* state: The opaque mechanism state returned by init()
|
|
|
|
|
*
|
|
|
|
|
* input: The response data sent by the client, or NULL if the
|
|
|
|
|
* mechanism is client-first but the client did not send an
|
|
|
|
|
* initial response. (This can only happen during the first
|
|
|
|
|
* message from the client.) This is guaranteed to be
|
|
|
|
|
* null-terminated for safety, but SASL allows embedded
|
|
|
|
|
* nulls in responses, so mechanisms must be careful to
|
|
|
|
|
* check inputlen.
|
|
|
|
|
*
|
|
|
|
|
* inputlen: The length of the challenge data sent by the server, or
|
|
|
|
|
* -1 if the client did not send an initial response
|
|
|
|
|
*
|
|
|
|
|
* Output parameters, to be set by the callback function:
|
|
|
|
|
*
|
|
|
|
|
* output: A palloc'd buffer containing either the server's next
|
|
|
|
|
* challenge (if PG_SASL_EXCHANGE_CONTINUE is returned) or
|
|
|
|
|
* the server's outcome data (if PG_SASL_EXCHANGE_SUCCESS is
|
|
|
|
|
* returned and the mechanism requires data to be sent during
|
|
|
|
|
* a successful outcome). The callback should set this to
|
|
|
|
|
* NULL if the exchange is over and no output should be sent,
|
|
|
|
|
* which should correspond to either PG_SASL_EXCHANGE_FAILURE
|
|
|
|
|
* or a PG_SASL_EXCHANGE_SUCCESS with no outcome data.
|
|
|
|
|
*
|
|
|
|
|
* outputlen: The length of the challenge data. Ignored if *output is
|
|
|
|
|
* NULL.
|
|
|
|
|
*
|
|
|
|
|
* logdetail: Set to an optional DETAIL message to be printed to the
|
|
|
|
|
* server log, to disambiguate failure modes. (The client
|
|
|
|
|
* will only ever see the same generic authentication
|
|
|
|
|
* failure message.) Ignored if the exchange is completed
|
|
|
|
|
* with PG_SASL_EXCHANGE_SUCCESS.
|
|
|
|
|
*---------
|
|
|
|
|
*/
|
|
|
|
|
int (*exchange) (void *state,
|
|
|
|
|
const char *input, int inputlen,
|
|
|
|
|
char **output, int *outputlen,
|
Improve error handling of cryptohash computations
The existing cryptohash facility was causing problems in some code paths
related to MD5 (frontend and backend) that relied on the fact that the
only type of error that could happen would be an OOM, as the MD5
implementation used in PostgreSQL ~13 (the in-core implementation is
used when compiling with or without OpenSSL in those older versions),
could fail only under this circumstance.
The new cryptohash facilities can fail for reasons other than OOMs, like
attempting MD5 when FIPS is enabled (upstream OpenSSL allows that up to
1.0.2, Fedora and Photon patch OpenSSL 1.1.1 to allow that), so this
would cause incorrect reports to show up.
This commit extends the cryptohash APIs so as callers of those routines
can fetch more context when an error happens, by using a new routine
called pg_cryptohash_error(). The error states are stored within each
implementation's internal context data, so as it is possible to extend
the logic depending on what's suited for an implementation. The default
implementation requires few error states, but OpenSSL could report
various issues depending on its internal state so more is needed in
cryptohash_openssl.c, and the code is shaped so as we are always able to
grab the necessary information.
The core code is changed to adapt to the new error routine, painting
more "const" across the call stack where the static errors are stored,
particularly in authentication code paths on variables that provide
log details. This way, any future changes would warn if attempting to
free these strings. The MD5 authentication code was also a bit blurry
about the handling of "logdetail" (LOG sent to the postmaster), so
improve the comments related that, while on it.
The origin of the problem is 87ae969, that introduced the centralized
cryptohash facility. Extra changes are done for pgcrypto in v14 for the
non-OpenSSL code path to cope with the improvements done by this
commit.
Reported-by: Michael Mühlbeyer
Author: Michael Paquier
Reviewed-by: Tom Lane
Discussion: https://postgr.es/m/89B7F072-5BBE-4C92-903E-D83E865D9367@trivadis.com
Backpatch-through: 14
2022-01-11 01:55:16 +01:00
|
|
|
const char **logdetail);
|
2021-07-07 03:55:15 +02:00
|
|
|
} pg_be_sasl_mech;
|
|
|
|
|
|
|
|
|
|
/* Common implementation for auth.c */
|
|
|
|
|
extern int CheckSASLAuth(const pg_be_sasl_mech *mech, Port *port,
|
Improve error handling of cryptohash computations
The existing cryptohash facility was causing problems in some code paths
related to MD5 (frontend and backend) that relied on the fact that the
only type of error that could happen would be an OOM, as the MD5
implementation used in PostgreSQL ~13 (the in-core implementation is
used when compiling with or without OpenSSL in those older versions),
could fail only under this circumstance.
The new cryptohash facilities can fail for reasons other than OOMs, like
attempting MD5 when FIPS is enabled (upstream OpenSSL allows that up to
1.0.2, Fedora and Photon patch OpenSSL 1.1.1 to allow that), so this
would cause incorrect reports to show up.
This commit extends the cryptohash APIs so as callers of those routines
can fetch more context when an error happens, by using a new routine
called pg_cryptohash_error(). The error states are stored within each
implementation's internal context data, so as it is possible to extend
the logic depending on what's suited for an implementation. The default
implementation requires few error states, but OpenSSL could report
various issues depending on its internal state so more is needed in
cryptohash_openssl.c, and the code is shaped so as we are always able to
grab the necessary information.
The core code is changed to adapt to the new error routine, painting
more "const" across the call stack where the static errors are stored,
particularly in authentication code paths on variables that provide
log details. This way, any future changes would warn if attempting to
free these strings. The MD5 authentication code was also a bit blurry
about the handling of "logdetail" (LOG sent to the postmaster), so
improve the comments related that, while on it.
The origin of the problem is 87ae969, that introduced the centralized
cryptohash facility. Extra changes are done for pgcrypto in v14 for the
non-OpenSSL code path to cope with the improvements done by this
commit.
Reported-by: Michael Mühlbeyer
Author: Michael Paquier
Reviewed-by: Tom Lane
Discussion: https://postgr.es/m/89B7F072-5BBE-4C92-903E-D83E865D9367@trivadis.com
Backpatch-through: 14
2022-01-11 01:55:16 +01:00
|
|
|
char *shadow_pass, const char **logdetail);
|
2021-07-07 03:55:15 +02:00
|
|
|
|
|
|
|
|
#endif /* PG_SASL_H */
|
