1996-07-09 08:22:35 +02:00
|
|
|
/*-------------------------------------------------------------------------
|
|
|
|
|
*
|
1999-02-14 00:22:53 +01:00
|
|
|
* auth.c
|
1997-09-07 07:04:48 +02:00
|
|
|
* Routines to handle network authentication
|
1996-07-09 08:22:35 +02:00
|
|
|
*
|
2016-01-02 19:33:40 +01:00
|
|
|
* Portions Copyright (c) 1996-2016, PostgreSQL Global Development Group
|
2000-01-26 06:58:53 +01:00
|
|
|
* Portions Copyright (c) 1994, Regents of the University of California
|
1996-07-09 08:22:35 +02:00
|
|
|
*
|
|
|
|
|
*
|
|
|
|
|
* IDENTIFICATION
|
2010-09-20 22:08:53 +02:00
|
|
|
* src/backend/libpq/auth.c
|
1996-07-09 08:22:35 +02:00
|
|
|
*
|
|
|
|
|
*-------------------------------------------------------------------------
|
|
|
|
|
*/
|
2001-06-20 20:07:56 +02:00
|
|
|
|
|
|
|
|
#include "postgres.h"
|
1996-07-09 08:22:35 +02:00
|
|
|
|
2001-08-21 17:21:25 +02:00
|
|
|
#include <sys/param.h>
|
2001-09-07 21:52:54 +02:00
|
|
|
#include <sys/socket.h>
|
1996-07-09 08:22:35 +02:00
|
|
|
#include <netinet/in.h>
|
|
|
|
|
#include <arpa/inet.h>
|
2007-07-10 15:14:22 +02:00
|
|
|
#include <unistd.h>
|
2002-05-05 02:03:29 +02:00
|
|
|
|
1999-07-16 01:04:24 +02:00
|
|
|
#include "libpq/auth.h"
|
1999-07-16 07:00:38 +02:00
|
|
|
#include "libpq/crypt.h"
|
2006-07-13 18:49:20 +02:00
|
|
|
#include "libpq/ip.h"
|
1999-07-16 07:00:38 +02:00
|
|
|
#include "libpq/libpq.h"
|
2001-06-20 20:07:56 +02:00
|
|
|
#include "libpq/pqformat.h"
|
2010-01-27 13:12:00 +01:00
|
|
|
#include "libpq/md5.h"
|
2009-08-29 21:26:52 +02:00
|
|
|
#include "miscadmin.h"
|
2010-04-21 05:32:53 +02:00
|
|
|
#include "replication/walsender.h"
|
2002-05-05 02:03:29 +02:00
|
|
|
#include "storage/ipc.h"
|
|
|
|
|
|
2009-08-29 21:26:52 +02:00
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
/*----------------------------------------------------------------
|
2009-06-11 16:49:15 +02:00
|
|
|
* Global authentication functions
|
2008-08-01 13:41:12 +02:00
|
|
|
*----------------------------------------------------------------
|
|
|
|
|
*/
|
2001-06-20 20:07:56 +02:00
|
|
|
static void sendAuthRequest(Port *port, AuthRequest areq);
|
2014-01-28 03:04:09 +01:00
|
|
|
static void auth_failed(Port *port, int status, char *logdetail);
|
2003-04-19 02:02:30 +02:00
|
|
|
static char *recv_password_packet(Port *port);
|
2014-01-28 03:04:09 +01:00
|
|
|
static int recv_and_check_password_packet(Port *port, char **logdetail);
|
1996-07-09 08:22:35 +02:00
|
|
|
|
2000-08-25 12:00:35 +02:00
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
/*----------------------------------------------------------------
|
|
|
|
|
* Ident authentication
|
|
|
|
|
*----------------------------------------------------------------
|
|
|
|
|
*/
|
2008-08-01 11:09:49 +02:00
|
|
|
/* Max size of username ident server can return */
|
|
|
|
|
#define IDENT_USERNAME_MAX 512
|
|
|
|
|
|
2014-05-06 18:12:18 +02:00
|
|
|
/* Standard TCP port number for Ident service. Assigned by IANA */
|
2008-08-01 11:09:49 +02:00
|
|
|
#define IDENT_PORT 113
|
|
|
|
|
|
2011-03-19 18:44:35 +01:00
|
|
|
static int ident_inet(hbaPort *port);
|
2011-04-10 17:42:00 +02:00
|
|
|
|
2011-03-19 18:44:35 +01:00
|
|
|
#ifdef HAVE_UNIX_SOCKETS
|
|
|
|
|
static int auth_peer(hbaPort *port);
|
|
|
|
|
#endif
|
2008-08-01 13:41:12 +02:00
|
|
|
|
|
|
|
|
|
|
|
|
|
/*----------------------------------------------------------------
|
|
|
|
|
* PAM authentication
|
|
|
|
|
*----------------------------------------------------------------
|
|
|
|
|
*/
|
2001-09-06 05:23:38 +02:00
|
|
|
#ifdef USE_PAM
|
2003-02-14 15:05:00 +01:00
|
|
|
#ifdef HAVE_PAM_PAM_APPL_H
|
|
|
|
|
#include <pam/pam_appl.h>
|
|
|
|
|
#endif
|
|
|
|
|
#ifdef HAVE_SECURITY_PAM_APPL_H
|
2001-09-06 05:23:38 +02:00
|
|
|
#include <security/pam_appl.h>
|
2003-02-14 15:05:00 +01:00
|
|
|
#endif
|
2001-09-06 05:23:38 +02:00
|
|
|
|
2001-10-25 07:50:21 +02:00
|
|
|
#define PGSQL_PAM_SERVICE "postgresql" /* Service name passed to PAM */
|
|
|
|
|
|
|
|
|
|
static int CheckPAMAuth(Port *port, char *user, char *password);
|
|
|
|
|
static int pam_passwd_conv_proc(int num_msg, const struct pam_message ** msg,
|
|
|
|
|
struct pam_response ** resp, void *appdata_ptr);
|
2001-09-06 05:23:38 +02:00
|
|
|
|
|
|
|
|
static struct pam_conv pam_passw_conv = {
|
2001-10-25 07:50:21 +02:00
|
|
|
&pam_passwd_conv_proc,
|
|
|
|
|
NULL
|
2001-09-06 05:23:38 +02:00
|
|
|
};
|
|
|
|
|
|
2001-10-25 07:50:21 +02:00
|
|
|
static char *pam_passwd = NULL; /* Workaround for Solaris 2.6 brokenness */
|
2005-10-15 04:49:52 +02:00
|
|
|
static Port *pam_port_cludge; /* Workaround for passing "Port *port" into
|
|
|
|
|
* pam_passwd_conv_proc */
|
2001-11-05 18:46:40 +01:00
|
|
|
#endif /* USE_PAM */
|
2000-08-25 12:00:35 +02:00
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
|
|
|
|
|
/*----------------------------------------------------------------
|
|
|
|
|
* LDAP authentication
|
|
|
|
|
*----------------------------------------------------------------
|
|
|
|
|
*/
|
2006-03-06 18:41:44 +01:00
|
|
|
#ifdef USE_LDAP
|
|
|
|
|
#ifndef WIN32
|
2006-08-22 04:23:45 +02:00
|
|
|
/* We use a deprecated function to keep the codepath the same as win32. */
|
2006-03-06 18:41:44 +01:00
|
|
|
#define LDAP_DEPRECATED 1
|
|
|
|
|
#include <ldap.h>
|
|
|
|
|
#else
|
|
|
|
|
#include <winldap.h>
|
|
|
|
|
|
|
|
|
|
/* Correct header from the Platform SDK */
|
2006-10-04 02:30:14 +02:00
|
|
|
typedef
|
2009-06-11 16:49:15 +02:00
|
|
|
ULONG (*__ldap_start_tls_sA) (
|
|
|
|
|
IN PLDAP ExternalHandle,
|
|
|
|
|
OUT PULONG ServerReturnValue,
|
|
|
|
|
OUT LDAPMessage **result,
|
|
|
|
|
IN PLDAPControlA * ServerControls,
|
|
|
|
|
IN PLDAPControlA * ClientControls
|
2006-03-06 18:41:44 +01:00
|
|
|
);
|
|
|
|
|
#endif
|
|
|
|
|
|
2006-10-04 02:30:14 +02:00
|
|
|
static int CheckLDAPAuth(Port *port);
|
2009-06-11 16:49:15 +02:00
|
|
|
#endif /* USE_LDAP */
|
2008-08-01 13:41:12 +02:00
|
|
|
|
2008-11-20 12:48:26 +01:00
|
|
|
/*----------------------------------------------------------------
|
|
|
|
|
* Cert authentication
|
|
|
|
|
*----------------------------------------------------------------
|
|
|
|
|
*/
|
|
|
|
|
#ifdef USE_SSL
|
|
|
|
|
static int CheckCertAuth(Port *port);
|
|
|
|
|
#endif
|
|
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
|
|
|
|
|
/*----------------------------------------------------------------
|
|
|
|
|
* Kerberos and GSSAPI GUCs
|
|
|
|
|
*----------------------------------------------------------------
|
|
|
|
|
*/
|
|
|
|
|
char *pg_krb_server_keyfile;
|
|
|
|
|
bool pg_krb_caseins_users;
|
2006-03-06 18:41:44 +01:00
|
|
|
|
|
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
/*----------------------------------------------------------------
|
|
|
|
|
* GSSAPI Authentication
|
|
|
|
|
*----------------------------------------------------------------
|
|
|
|
|
*/
|
|
|
|
|
#ifdef ENABLE_GSS
|
|
|
|
|
#if defined(HAVE_GSSAPI_H)
|
|
|
|
|
#include <gssapi.h>
|
|
|
|
|
#else
|
|
|
|
|
#include <gssapi/gssapi.h>
|
|
|
|
|
#endif
|
2008-10-23 15:31:10 +02:00
|
|
|
|
2009-06-11 16:49:15 +02:00
|
|
|
static int pg_GSS_recvauth(Port *port);
|
|
|
|
|
#endif /* ENABLE_GSS */
|
2000-05-27 06:13:05 +02:00
|
|
|
|
2000-05-27 05:58:20 +02:00
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
/*----------------------------------------------------------------
|
|
|
|
|
* SSPI Authentication
|
|
|
|
|
*----------------------------------------------------------------
|
|
|
|
|
*/
|
|
|
|
|
#ifdef ENABLE_SSPI
|
2011-04-10 17:42:00 +02:00
|
|
|
typedef SECURITY_STATUS
|
2008-08-01 13:41:12 +02:00
|
|
|
(WINAPI * QUERY_SECURITY_CONTEXT_TOKEN_FN) (
|
|
|
|
|
PCtxtHandle, void **);
|
2009-06-11 16:49:15 +02:00
|
|
|
static int pg_SSPI_recvauth(Port *port);
|
2008-08-01 13:41:12 +02:00
|
|
|
#endif
|
2005-10-08 21:32:58 +02:00
|
|
|
|
2010-01-27 13:12:00 +01:00
|
|
|
/*----------------------------------------------------------------
|
|
|
|
|
* RADIUS Authentication
|
|
|
|
|
*----------------------------------------------------------------
|
|
|
|
|
*/
|
Break out OpenSSL-specific code to separate files.
This refactoring is in preparation for adding support for other SSL
implementations, with no user-visible effects. There are now two #defines,
USE_OPENSSL which is defined when building with OpenSSL, and USE_SSL which
is defined when building with any SSL implementation. Currently, OpenSSL is
the only implementation so the two #defines go together, but USE_SSL is
supposed to be used for implementation-independent code.
The libpq SSL code is changed to use a custom BIO, which does all the raw
I/O, like we've been doing in the backend for a long time. That makes it
possible to use MSG_NOSIGNAL to block SIGPIPE when using SSL, which avoids
a couple of syscall for each send(). Probably doesn't make much performance
difference in practice - the SSL encryption is expensive enough to mask the
effect - but it was a natural result of this refactoring.
Based on a patch by Martijn van Oosterhout from 2006. Briefly reviewed by
Alvaro Herrera, Andreas Karlsson, Jeff Janes.
2014-08-11 10:54:19 +02:00
|
|
|
#ifdef USE_OPENSSL
|
2010-01-27 13:12:00 +01:00
|
|
|
#include <openssl/rand.h>
|
|
|
|
|
#endif
|
|
|
|
|
static int CheckRADIUSAuth(Port *port);
|
|
|
|
|
|
2000-05-27 06:13:05 +02:00
|
|
|
|
2009-10-14 09:27:13 +02:00
|
|
|
/*
|
2009-10-15 00:09:46 +02:00
|
|
|
* Maximum accepted size of GSS and SSPI authentication tokens.
|
2009-10-14 09:27:13 +02:00
|
|
|
*
|
|
|
|
|
* Kerberos tickets are usually quite small, but the TGTs issued by Windows
|
|
|
|
|
* domain controllers include an authorization field known as the Privilege
|
|
|
|
|
* Attribute Certificate (PAC), which contains the user's Windows permissions
|
|
|
|
|
* (group memberships etc.). The PAC is copied into all tickets obtained on
|
|
|
|
|
* the basis of this TGT (even those issued by Unix realms which the Windows
|
|
|
|
|
* realm trusts), and can be several kB in size. The maximum token size
|
|
|
|
|
* accepted by Windows systems is determined by the MaxAuthToken Windows
|
|
|
|
|
* registry setting. Microsoft recommends that it is not set higher than
|
|
|
|
|
* 65535 bytes, so that seems like a reasonable limit for us as well.
|
|
|
|
|
*/
|
2009-10-15 00:09:46 +02:00
|
|
|
#define PG_MAX_AUTH_TOKEN_LENGTH 65535
|
2009-10-14 09:27:13 +02:00
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
|
|
|
|
|
/*----------------------------------------------------------------
|
|
|
|
|
* Global authentication functions
|
|
|
|
|
*----------------------------------------------------------------
|
|
|
|
|
*/
|
2000-05-27 06:13:05 +02:00
|
|
|
|
2010-10-27 03:20:02 +02:00
|
|
|
/*
|
|
|
|
|
* This hook allows plugins to get control following client authentication,
|
|
|
|
|
* but before the user has been informed about the results. It could be used
|
|
|
|
|
* to record login events, insert a delay after failed authentication, etc.
|
|
|
|
|
*/
|
|
|
|
|
ClientAuthentication_hook_type ClientAuthentication_hook = NULL;
|
2000-05-27 06:13:05 +02:00
|
|
|
|
|
|
|
|
/*
|
2008-08-01 13:41:12 +02:00
|
|
|
* Tell the user the authentication failed, but not (much about) why.
|
2000-05-27 06:13:05 +02:00
|
|
|
*
|
2008-08-01 13:41:12 +02:00
|
|
|
* There is a tradeoff here between security concerns and making life
|
|
|
|
|
* unnecessarily difficult for legitimate users. We would not, for example,
|
|
|
|
|
* want to report the password we were expecting to receive...
|
|
|
|
|
* But it seems useful to report the username and authorization method
|
|
|
|
|
* in use, and these are items that must be presumed known to an attacker
|
|
|
|
|
* anyway.
|
|
|
|
|
* Note that many sorts of failure report additional information in the
|
2014-01-28 03:04:09 +01:00
|
|
|
* postmaster log, which we hope is only readable by good guys. In
|
|
|
|
|
* particular, if logdetail isn't NULL, we send that string to the log.
|
2000-05-27 06:13:05 +02:00
|
|
|
*/
|
2008-08-01 13:41:12 +02:00
|
|
|
static void
|
2014-01-28 03:04:09 +01:00
|
|
|
auth_failed(Port *port, int status, char *logdetail)
|
2000-05-27 06:13:05 +02:00
|
|
|
{
|
2008-08-01 13:41:12 +02:00
|
|
|
const char *errstr;
|
2014-03-03 09:18:51 +01:00
|
|
|
char *cdetail;
|
2010-07-06 21:19:02 +02:00
|
|
|
int errcode_return = ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION;
|
|
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
/*
|
|
|
|
|
* If we failed due to EOF from client, just quit; there's no point in
|
|
|
|
|
* trying to send a message to the client, and not much point in logging
|
|
|
|
|
* the failure in the postmaster log. (Logging the failure might be
|
|
|
|
|
* desirable, were it not for the fact that libpq closes the connection
|
|
|
|
|
* unceremoniously if challenged for a password when it hasn't got one to
|
|
|
|
|
* send. We'll get a useless log entry for every psql connection under
|
|
|
|
|
* password auth, even if it's perfectly successful, if we log STATUS_EOF
|
|
|
|
|
* events.)
|
|
|
|
|
*/
|
|
|
|
|
if (status == STATUS_EOF)
|
|
|
|
|
proc_exit(0);
|
2000-05-27 06:13:05 +02:00
|
|
|
|
2008-09-15 14:32:57 +02:00
|
|
|
switch (port->hba->auth_method)
|
2001-03-22 05:01:46 +01:00
|
|
|
{
|
2008-08-01 13:41:12 +02:00
|
|
|
case uaReject:
|
2010-04-21 05:32:53 +02:00
|
|
|
case uaImplicitReject:
|
2008-08-01 13:41:12 +02:00
|
|
|
errstr = gettext_noop("authentication failed for user \"%s\": host rejected");
|
|
|
|
|
break;
|
|
|
|
|
case uaTrust:
|
|
|
|
|
errstr = gettext_noop("\"trust\" authentication failed for user \"%s\"");
|
|
|
|
|
break;
|
|
|
|
|
case uaIdent:
|
|
|
|
|
errstr = gettext_noop("Ident authentication failed for user \"%s\"");
|
|
|
|
|
break;
|
2011-03-19 18:44:35 +01:00
|
|
|
case uaPeer:
|
|
|
|
|
errstr = gettext_noop("Peer authentication failed for user \"%s\"");
|
|
|
|
|
break;
|
2008-08-01 13:41:12 +02:00
|
|
|
case uaPassword:
|
2010-05-26 22:47:13 +02:00
|
|
|
case uaMD5:
|
2008-08-01 13:41:12 +02:00
|
|
|
errstr = gettext_noop("password authentication failed for user \"%s\"");
|
2010-03-13 15:55:57 +01:00
|
|
|
/* We use it to indicate if a .pgpass password failed. */
|
|
|
|
|
errcode_return = ERRCODE_INVALID_PASSWORD;
|
2008-08-01 13:41:12 +02:00
|
|
|
break;
|
2010-05-26 22:47:13 +02:00
|
|
|
case uaGSS:
|
|
|
|
|
errstr = gettext_noop("GSSAPI authentication failed for user \"%s\"");
|
|
|
|
|
break;
|
|
|
|
|
case uaSSPI:
|
|
|
|
|
errstr = gettext_noop("SSPI authentication failed for user \"%s\"");
|
|
|
|
|
break;
|
2008-08-01 13:41:12 +02:00
|
|
|
case uaPAM:
|
|
|
|
|
errstr = gettext_noop("PAM authentication failed for user \"%s\"");
|
|
|
|
|
break;
|
|
|
|
|
case uaLDAP:
|
|
|
|
|
errstr = gettext_noop("LDAP authentication failed for user \"%s\"");
|
|
|
|
|
break;
|
2010-05-26 22:47:13 +02:00
|
|
|
case uaCert:
|
|
|
|
|
errstr = gettext_noop("certificate authentication failed for user \"%s\"");
|
|
|
|
|
break;
|
2010-01-27 13:12:00 +01:00
|
|
|
case uaRADIUS:
|
|
|
|
|
errstr = gettext_noop("RADIUS authentication failed for user \"%s\"");
|
|
|
|
|
break;
|
2008-08-01 13:41:12 +02:00
|
|
|
default:
|
|
|
|
|
errstr = gettext_noop("authentication failed for user \"%s\": invalid authentication method");
|
|
|
|
|
break;
|
2001-03-22 05:01:46 +01:00
|
|
|
}
|
1997-09-07 07:04:48 +02:00
|
|
|
|
2014-03-03 09:18:51 +01:00
|
|
|
cdetail = psprintf(_("Connection matched pg_hba.conf line %d: \"%s\""),
|
|
|
|
|
port->hba->linenumber, port->hba->rawline);
|
|
|
|
|
if (logdetail)
|
|
|
|
|
logdetail = psprintf("%s\n%s", logdetail, cdetail);
|
|
|
|
|
else
|
|
|
|
|
logdetail = cdetail;
|
2014-01-28 03:04:09 +01:00
|
|
|
|
|
|
|
|
ereport(FATAL,
|
|
|
|
|
(errcode(errcode_return),
|
|
|
|
|
errmsg(errstr, port->user_name),
|
|
|
|
|
logdetail ? errdetail_log("%s", logdetail) : 0));
|
2013-03-10 15:54:37 +01:00
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
/* doesn't return */
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Client authentication starts here. If there is an error, this
|
|
|
|
|
* function does not return and the backend process is terminated.
|
|
|
|
|
*/
|
|
|
|
|
void
|
|
|
|
|
ClientAuthentication(Port *port)
|
|
|
|
|
{
|
|
|
|
|
int status = STATUS_ERROR;
|
2014-01-28 03:04:09 +01:00
|
|
|
char *logdetail = NULL;
|
2008-08-01 13:41:12 +02:00
|
|
|
|
1997-09-07 07:04:48 +02:00
|
|
|
/*
|
2008-08-01 13:41:12 +02:00
|
|
|
* Get the authentication method to use for this frontend/database
|
2011-06-20 23:20:14 +02:00
|
|
|
* combination. Note: we do not parse the file at this point; this has
|
2012-06-10 21:20:04 +02:00
|
|
|
* already been done elsewhere. hba.c dropped an error message into the
|
|
|
|
|
* server logfile if parsing the hba config file failed.
|
1997-09-07 07:04:48 +02:00
|
|
|
*/
|
2011-06-20 23:20:14 +02:00
|
|
|
hba_getauthmethod(port);
|
2000-05-27 06:13:05 +02:00
|
|
|
|
2009-08-29 21:26:52 +02:00
|
|
|
CHECK_FOR_INTERRUPTS();
|
|
|
|
|
|
2008-11-20 10:29:36 +01:00
|
|
|
/*
|
2009-06-11 16:49:15 +02:00
|
|
|
* This is the first point where we have access to the hba record for the
|
|
|
|
|
* current connection, so perform any verifications based on the hba
|
|
|
|
|
* options field that should be done *before* the authentication here.
|
2008-11-20 10:29:36 +01:00
|
|
|
*/
|
|
|
|
|
if (port->hba->clientcert)
|
|
|
|
|
{
|
|
|
|
|
/*
|
|
|
|
|
* When we parse pg_hba.conf, we have already made sure that we have
|
|
|
|
|
* been able to load a certificate store. Thus, if a certificate is
|
|
|
|
|
* present on the client, it has been verified against our root
|
|
|
|
|
* certificate store, and the connection would have been aborted
|
|
|
|
|
* already if it didn't verify ok.
|
|
|
|
|
*/
|
|
|
|
|
#ifdef USE_SSL
|
Break out OpenSSL-specific code to separate files.
This refactoring is in preparation for adding support for other SSL
implementations, with no user-visible effects. There are now two #defines,
USE_OPENSSL which is defined when building with OpenSSL, and USE_SSL which
is defined when building with any SSL implementation. Currently, OpenSSL is
the only implementation so the two #defines go together, but USE_SSL is
supposed to be used for implementation-independent code.
The libpq SSL code is changed to use a custom BIO, which does all the raw
I/O, like we've been doing in the backend for a long time. That makes it
possible to use MSG_NOSIGNAL to block SIGPIPE when using SSL, which avoids
a couple of syscall for each send(). Probably doesn't make much performance
difference in practice - the SSL encryption is expensive enough to mask the
effect - but it was a natural result of this refactoring.
Based on a patch by Martijn van Oosterhout from 2006. Briefly reviewed by
Alvaro Herrera, Andreas Karlsson, Jeff Janes.
2014-08-11 10:54:19 +02:00
|
|
|
if (!port->peer_cert_valid)
|
2008-11-20 10:29:36 +01:00
|
|
|
{
|
|
|
|
|
ereport(FATAL,
|
|
|
|
|
(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
|
2009-06-11 16:49:15 +02:00
|
|
|
errmsg("connection requires a valid client certificate")));
|
2008-11-20 10:29:36 +01:00
|
|
|
}
|
|
|
|
|
#else
|
2009-06-11 16:49:15 +02:00
|
|
|
|
2008-11-20 10:29:36 +01:00
|
|
|
/*
|
2009-06-11 16:49:15 +02:00
|
|
|
* hba.c makes sure hba->clientcert can't be set unless OpenSSL is
|
|
|
|
|
* present.
|
2008-11-20 10:29:36 +01:00
|
|
|
*/
|
|
|
|
|
Assert(false);
|
|
|
|
|
#endif
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Now proceed to do the actual authentication check
|
|
|
|
|
*/
|
2008-09-15 14:32:57 +02:00
|
|
|
switch (port->hba->auth_method)
|
2007-11-09 18:31:07 +01:00
|
|
|
{
|
2008-08-01 13:41:12 +02:00
|
|
|
case uaReject:
|
2007-11-09 18:31:07 +01:00
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
/*
|
2010-04-21 05:32:53 +02:00
|
|
|
* An explicit "reject" entry in pg_hba.conf. This report exposes
|
2010-07-06 21:19:02 +02:00
|
|
|
* the fact that there's an explicit reject entry, which is
|
|
|
|
|
* perhaps not so desirable from a security standpoint; but the
|
|
|
|
|
* message for an implicit reject could confuse the DBA a lot when
|
|
|
|
|
* the true situation is a match to an explicit reject. And we
|
|
|
|
|
* don't want to change the message for an implicit reject. As
|
|
|
|
|
* noted below, the additional information shown here doesn't
|
|
|
|
|
* expose anything not known to an attacker.
|
2010-04-19 21:02:18 +02:00
|
|
|
*/
|
|
|
|
|
{
|
|
|
|
|
char hostinfo[NI_MAXHOST];
|
|
|
|
|
|
|
|
|
|
pg_getnameinfo_all(&port->raddr.addr, port->raddr.salen,
|
|
|
|
|
hostinfo, sizeof(hostinfo),
|
|
|
|
|
NULL, 0,
|
|
|
|
|
NI_NUMERICHOST);
|
|
|
|
|
|
2010-04-21 05:32:53 +02:00
|
|
|
if (am_walsender)
|
|
|
|
|
{
|
|
|
|
|
#ifdef USE_SSL
|
|
|
|
|
ereport(FATAL,
|
2010-07-06 21:19:02 +02:00
|
|
|
(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
|
|
|
|
|
errmsg("pg_hba.conf rejects replication connection for host \"%s\", user \"%s\", %s",
|
|
|
|
|
hostinfo, port->user_name,
|
2015-05-24 03:35:49 +02:00
|
|
|
port->ssl_in_use ? _("SSL on") : _("SSL off"))));
|
2010-04-21 05:32:53 +02:00
|
|
|
#else
|
|
|
|
|
ereport(FATAL,
|
2010-07-06 21:19:02 +02:00
|
|
|
(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
|
|
|
|
|
errmsg("pg_hba.conf rejects replication connection for host \"%s\", user \"%s\"",
|
|
|
|
|
hostinfo, port->user_name)));
|
2010-04-21 05:32:53 +02:00
|
|
|
#endif
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
2010-04-19 21:02:18 +02:00
|
|
|
#ifdef USE_SSL
|
2010-04-21 05:32:53 +02:00
|
|
|
ereport(FATAL,
|
2010-07-06 21:19:02 +02:00
|
|
|
(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
|
|
|
|
|
errmsg("pg_hba.conf rejects connection for host \"%s\", user \"%s\", database \"%s\", %s",
|
|
|
|
|
hostinfo, port->user_name,
|
|
|
|
|
port->database_name,
|
2015-05-24 03:35:49 +02:00
|
|
|
port->ssl_in_use ? _("SSL on") : _("SSL off"))));
|
2010-04-19 21:02:18 +02:00
|
|
|
#else
|
2010-04-21 05:32:53 +02:00
|
|
|
ereport(FATAL,
|
2010-07-06 21:19:02 +02:00
|
|
|
(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
|
|
|
|
|
errmsg("pg_hba.conf rejects connection for host \"%s\", user \"%s\", database \"%s\"",
|
|
|
|
|
hostinfo, port->user_name,
|
|
|
|
|
port->database_name)));
|
2010-04-19 21:02:18 +02:00
|
|
|
#endif
|
2010-04-21 05:32:53 +02:00
|
|
|
}
|
2010-04-19 21:02:18 +02:00
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
case uaImplicitReject:
|
|
|
|
|
|
|
|
|
|
/*
|
2010-04-21 05:32:53 +02:00
|
|
|
* No matching entry, so tell the user we fell through.
|
|
|
|
|
*
|
|
|
|
|
* NOTE: the extra info reported here is not a security breach,
|
|
|
|
|
* because all that info is known at the frontend and must be
|
|
|
|
|
* assumed known to bad guys. We're merely helping out the less
|
|
|
|
|
* clueful good guys.
|
2008-08-01 13:41:12 +02:00
|
|
|
*/
|
2007-11-09 18:31:07 +01:00
|
|
|
{
|
2008-08-01 13:41:12 +02:00
|
|
|
char hostinfo[NI_MAXHOST];
|
2007-11-09 18:31:07 +01:00
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
pg_getnameinfo_all(&port->raddr.addr, port->raddr.salen,
|
|
|
|
|
hostinfo, sizeof(hostinfo),
|
|
|
|
|
NULL, 0,
|
|
|
|
|
NI_NUMERICHOST);
|
|
|
|
|
|
2011-07-31 17:03:43 +02:00
|
|
|
#define HOSTNAME_LOOKUP_DETAIL(port) \
|
Fix assorted issues in client host name lookup.
The code for matching clients to pg_hba.conf lines that specify host names
(instead of IP address ranges) failed to complain if reverse DNS lookup
failed; instead it silently didn't match, so that you might end up getting
a surprising "no pg_hba.conf entry for ..." error, as seen in bug #9518
from Mike Blackwell. Since we don't want to make this a fatal error in
situations where pg_hba.conf contains a mixture of host names and IP
addresses (clients matching one of the numeric entries should not have to
have rDNS data), remember the lookup failure and mention it as DETAIL if
we get to "no pg_hba.conf entry". Apply the same approach to forward-DNS
lookup failures, too, rather than treating them as immediate hard errors.
Along the way, fix a couple of bugs that prevented us from detecting an
rDNS lookup error reliably, and make sure that we make only one rDNS lookup
attempt; formerly, if the lookup attempt failed, the code would try again
for each host name entry in pg_hba.conf. Since more or less the whole
point of this design is to ensure there's only one lookup attempt not one
per entry, the latter point represents a performance bug that seems
sufficient justification for back-patching.
Also, adjust src/port/getaddrinfo.c so that it plays as well as it can
with this code. Which is not all that well, since it does not have actual
support for rDNS lookup, but at least it should return the expected (and
required by spec) error codes so that the main code correctly perceives the
lack of functionality as a lookup failure. It's unlikely that PG is still
being used in production on any machines that require our getaddrinfo.c,
so I'm not excited about working harder than this.
To keep the code in the various branches similar, this includes
back-patching commits c424d0d1052cb4053c8712ac44123f9b9a9aa3f2 and
1997f34db4687e671690ed054c8f30bb501b1168 into 9.2 and earlier.
Back-patch to 9.1 where the facility for hostnames in pg_hba.conf was
introduced.
2014-04-02 23:11:24 +02:00
|
|
|
(port->remote_hostname ? \
|
|
|
|
|
(port->remote_hostname_resolv == +1 ? \
|
|
|
|
|
errdetail_log("Client IP address resolved to \"%s\", forward lookup matches.", \
|
|
|
|
|
port->remote_hostname) : \
|
|
|
|
|
port->remote_hostname_resolv == 0 ? \
|
|
|
|
|
errdetail_log("Client IP address resolved to \"%s\", forward lookup not checked.", \
|
|
|
|
|
port->remote_hostname) : \
|
|
|
|
|
port->remote_hostname_resolv == -1 ? \
|
|
|
|
|
errdetail_log("Client IP address resolved to \"%s\", forward lookup does not match.", \
|
|
|
|
|
port->remote_hostname) : \
|
|
|
|
|
port->remote_hostname_resolv == -2 ? \
|
|
|
|
|
errdetail_log("Could not translate client host name \"%s\" to IP address: %s.", \
|
|
|
|
|
port->remote_hostname, \
|
|
|
|
|
gai_strerror(port->remote_hostname_errcode)) : \
|
|
|
|
|
0) \
|
|
|
|
|
: (port->remote_hostname_resolv == -2 ? \
|
|
|
|
|
errdetail_log("Could not resolve client IP address to a host name: %s.", \
|
|
|
|
|
gai_strerror(port->remote_hostname_errcode)) : \
|
|
|
|
|
0))
|
2011-07-31 17:03:43 +02:00
|
|
|
|
2010-04-21 05:32:53 +02:00
|
|
|
if (am_walsender)
|
|
|
|
|
{
|
|
|
|
|
#ifdef USE_SSL
|
|
|
|
|
ereport(FATAL,
|
2010-07-06 21:19:02 +02:00
|
|
|
(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
|
|
|
|
|
errmsg("no pg_hba.conf entry for replication connection from host \"%s\", user \"%s\", %s",
|
|
|
|
|
hostinfo, port->user_name,
|
Break out OpenSSL-specific code to separate files.
This refactoring is in preparation for adding support for other SSL
implementations, with no user-visible effects. There are now two #defines,
USE_OPENSSL which is defined when building with OpenSSL, and USE_SSL which
is defined when building with any SSL implementation. Currently, OpenSSL is
the only implementation so the two #defines go together, but USE_SSL is
supposed to be used for implementation-independent code.
The libpq SSL code is changed to use a custom BIO, which does all the raw
I/O, like we've been doing in the backend for a long time. That makes it
possible to use MSG_NOSIGNAL to block SIGPIPE when using SSL, which avoids
a couple of syscall for each send(). Probably doesn't make much performance
difference in practice - the SSL encryption is expensive enough to mask the
effect - but it was a natural result of this refactoring.
Based on a patch by Martijn van Oosterhout from 2006. Briefly reviewed by
Alvaro Herrera, Andreas Karlsson, Jeff Janes.
2014-08-11 10:54:19 +02:00
|
|
|
port->ssl_in_use ? _("SSL on") : _("SSL off")),
|
2011-07-31 17:03:43 +02:00
|
|
|
HOSTNAME_LOOKUP_DETAIL(port)));
|
2010-04-21 05:32:53 +02:00
|
|
|
#else
|
|
|
|
|
ereport(FATAL,
|
2010-07-06 21:19:02 +02:00
|
|
|
(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
|
|
|
|
|
errmsg("no pg_hba.conf entry for replication connection from host \"%s\", user \"%s\"",
|
2011-07-31 17:03:43 +02:00
|
|
|
hostinfo, port->user_name),
|
|
|
|
|
HOSTNAME_LOOKUP_DETAIL(port)));
|
2010-04-21 05:32:53 +02:00
|
|
|
#endif
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
2008-08-01 13:41:12 +02:00
|
|
|
#ifdef USE_SSL
|
2010-04-21 05:32:53 +02:00
|
|
|
ereport(FATAL,
|
2010-07-06 21:19:02 +02:00
|
|
|
(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
|
|
|
|
|
errmsg("no pg_hba.conf entry for host \"%s\", user \"%s\", database \"%s\", %s",
|
|
|
|
|
hostinfo, port->user_name,
|
|
|
|
|
port->database_name,
|
Break out OpenSSL-specific code to separate files.
This refactoring is in preparation for adding support for other SSL
implementations, with no user-visible effects. There are now two #defines,
USE_OPENSSL which is defined when building with OpenSSL, and USE_SSL which
is defined when building with any SSL implementation. Currently, OpenSSL is
the only implementation so the two #defines go together, but USE_SSL is
supposed to be used for implementation-independent code.
The libpq SSL code is changed to use a custom BIO, which does all the raw
I/O, like we've been doing in the backend for a long time. That makes it
possible to use MSG_NOSIGNAL to block SIGPIPE when using SSL, which avoids
a couple of syscall for each send(). Probably doesn't make much performance
difference in practice - the SSL encryption is expensive enough to mask the
effect - but it was a natural result of this refactoring.
Based on a patch by Martijn van Oosterhout from 2006. Briefly reviewed by
Alvaro Herrera, Andreas Karlsson, Jeff Janes.
2014-08-11 10:54:19 +02:00
|
|
|
port->ssl_in_use ? _("SSL on") : _("SSL off")),
|
2011-07-31 17:03:43 +02:00
|
|
|
HOSTNAME_LOOKUP_DETAIL(port)));
|
2008-08-01 13:41:12 +02:00
|
|
|
#else
|
2010-04-21 05:32:53 +02:00
|
|
|
ereport(FATAL,
|
2010-07-06 21:19:02 +02:00
|
|
|
(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
|
|
|
|
|
errmsg("no pg_hba.conf entry for host \"%s\", user \"%s\", database \"%s\"",
|
|
|
|
|
hostinfo, port->user_name,
|
2011-07-31 17:03:43 +02:00
|
|
|
port->database_name),
|
|
|
|
|
HOSTNAME_LOOKUP_DETAIL(port)));
|
2008-08-01 13:41:12 +02:00
|
|
|
#endif
|
2010-04-21 05:32:53 +02:00
|
|
|
}
|
2008-08-01 13:41:12 +02:00
|
|
|
break;
|
2007-11-09 18:31:07 +01:00
|
|
|
}
|
|
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
case uaGSS:
|
2008-10-23 15:31:10 +02:00
|
|
|
#ifdef ENABLE_GSS
|
2008-08-01 13:41:12 +02:00
|
|
|
sendAuthRequest(port, AUTH_REQ_GSS);
|
|
|
|
|
status = pg_GSS_recvauth(port);
|
2008-10-23 15:31:10 +02:00
|
|
|
#else
|
|
|
|
|
Assert(false);
|
|
|
|
|
#endif
|
2008-08-01 13:41:12 +02:00
|
|
|
break;
|
2001-03-22 05:01:46 +01:00
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
case uaSSPI:
|
2008-10-23 15:31:10 +02:00
|
|
|
#ifdef ENABLE_SSPI
|
2008-08-01 13:41:12 +02:00
|
|
|
sendAuthRequest(port, AUTH_REQ_SSPI);
|
|
|
|
|
status = pg_SSPI_recvauth(port);
|
2008-10-23 15:31:10 +02:00
|
|
|
#else
|
|
|
|
|
Assert(false);
|
|
|
|
|
#endif
|
2008-08-01 13:41:12 +02:00
|
|
|
break;
|
2000-05-27 06:13:05 +02:00
|
|
|
|
2011-03-19 18:44:35 +01:00
|
|
|
case uaPeer:
|
|
|
|
|
#ifdef HAVE_UNIX_SOCKETS
|
|
|
|
|
status = auth_peer(port);
|
Replace use of credential control messages with getsockopt(LOCAL_PEERCRED).
It turns out the reason we hadn't found out about the portability issues
with our credential-control-message code is that almost no modern platforms
use that code at all; the ones that used to need it now offer getpeereid(),
which we choose first. The last holdout was NetBSD, and they added
getpeereid() as of 5.0. So far as I can tell, the only live platform on
which that code was being exercised was Debian/kFreeBSD, ie, FreeBSD kernel
with Linux userland --- since glibc doesn't provide getpeereid(), we fell
back to the control message code. However, the FreeBSD kernel provides a
LOCAL_PEERCRED socket parameter that's functionally equivalent to Linux's
SO_PEERCRED. That is both much simpler to use than control messages, and
superior because it doesn't require receiving a message from the other end
at just the right time.
Therefore, add code to use LOCAL_PEERCRED when necessary, and rip out all
the credential-control-message code in the backend. (libpq still has such
code so that it can still talk to pre-9.1 servers ... but eventually we can
get rid of it there too.) Clean up related autoconf probes, too.
This means that libpq's requirepeer parameter now works on exactly the same
platforms where the backend supports peer authentication, so adjust the
documentation accordingly.
2011-05-31 22:10:46 +02:00
|
|
|
#else
|
2011-03-19 18:44:35 +01:00
|
|
|
Assert(false);
|
|
|
|
|
#endif
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case uaIdent:
|
|
|
|
|
status = ident_inet(port);
|
2008-08-01 13:41:12 +02:00
|
|
|
break;
|
2007-07-10 15:14:22 +02:00
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
case uaMD5:
|
2008-11-20 21:45:30 +01:00
|
|
|
if (Db_user_namespace)
|
|
|
|
|
ereport(FATAL,
|
|
|
|
|
(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
|
|
|
|
|
errmsg("MD5 authentication is not supported when \"db_user_namespace\" is enabled")));
|
2008-08-01 13:41:12 +02:00
|
|
|
sendAuthRequest(port, AUTH_REQ_MD5);
|
2014-01-28 03:04:09 +01:00
|
|
|
status = recv_and_check_password_packet(port, &logdetail);
|
2008-08-01 13:41:12 +02:00
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case uaPassword:
|
|
|
|
|
sendAuthRequest(port, AUTH_REQ_PASSWORD);
|
2014-01-28 03:04:09 +01:00
|
|
|
status = recv_and_check_password_packet(port, &logdetail);
|
2008-08-01 13:41:12 +02:00
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case uaPAM:
|
2008-10-23 15:31:10 +02:00
|
|
|
#ifdef USE_PAM
|
2008-08-01 13:41:12 +02:00
|
|
|
status = CheckPAMAuth(port, port->user_name, "");
|
2008-10-23 15:31:10 +02:00
|
|
|
#else
|
|
|
|
|
Assert(false);
|
2008-08-01 13:41:12 +02:00
|
|
|
#endif /* USE_PAM */
|
2008-10-23 15:31:10 +02:00
|
|
|
break;
|
2008-08-01 13:41:12 +02:00
|
|
|
|
|
|
|
|
case uaLDAP:
|
2008-10-23 15:31:10 +02:00
|
|
|
#ifdef USE_LDAP
|
2008-08-01 13:41:12 +02:00
|
|
|
status = CheckLDAPAuth(port);
|
2008-10-23 15:31:10 +02:00
|
|
|
#else
|
|
|
|
|
Assert(false);
|
2007-07-10 15:14:22 +02:00
|
|
|
#endif
|
2008-10-23 15:31:10 +02:00
|
|
|
break;
|
2007-07-10 15:14:22 +02:00
|
|
|
|
2008-11-20 12:48:26 +01:00
|
|
|
case uaCert:
|
|
|
|
|
#ifdef USE_SSL
|
|
|
|
|
status = CheckCertAuth(port);
|
|
|
|
|
#else
|
|
|
|
|
Assert(false);
|
|
|
|
|
#endif
|
|
|
|
|
break;
|
2010-01-27 13:12:00 +01:00
|
|
|
case uaRADIUS:
|
|
|
|
|
status = CheckRADIUSAuth(port);
|
|
|
|
|
break;
|
2008-08-01 13:41:12 +02:00
|
|
|
case uaTrust:
|
|
|
|
|
status = STATUS_OK;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
2010-10-27 03:20:02 +02:00
|
|
|
if (ClientAuthentication_hook)
|
2011-04-10 17:42:00 +02:00
|
|
|
(*ClientAuthentication_hook) (port, status);
|
2010-10-27 03:20:02 +02:00
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
if (status == STATUS_OK)
|
|
|
|
|
sendAuthRequest(port, AUTH_REQ_OK);
|
|
|
|
|
else
|
2014-01-28 03:04:09 +01:00
|
|
|
auth_failed(port, status, logdetail);
|
2008-08-01 13:41:12 +02:00
|
|
|
}
|
|
|
|
|
|
2007-07-10 15:14:22 +02:00
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
/*
|
|
|
|
|
* Send an authentication request packet to the frontend.
|
|
|
|
|
*/
|
2007-07-10 15:14:22 +02:00
|
|
|
static void
|
2008-08-01 13:41:12 +02:00
|
|
|
sendAuthRequest(Port *port, AuthRequest areq)
|
2007-07-10 15:14:22 +02:00
|
|
|
{
|
2008-08-01 13:41:12 +02:00
|
|
|
StringInfoData buf;
|
2007-07-10 15:14:22 +02:00
|
|
|
|
2015-02-03 22:54:48 +01:00
|
|
|
CHECK_FOR_INTERRUPTS();
|
|
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
pq_beginmessage(&buf, 'R');
|
|
|
|
|
pq_sendint(&buf, (int32) areq, sizeof(int32));
|
2007-07-10 15:14:22 +02:00
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
/* Add the salt for encrypted passwords. */
|
|
|
|
|
if (areq == AUTH_REQ_MD5)
|
|
|
|
|
pq_sendbytes(&buf, port->md5Salt, 4);
|
2007-11-15 22:14:46 +01:00
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
#if defined(ENABLE_GSS) || defined(ENABLE_SSPI)
|
2007-07-10 15:14:22 +02:00
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
/*
|
|
|
|
|
* Add the authentication data for the next step of the GSSAPI or SSPI
|
|
|
|
|
* negotiation.
|
|
|
|
|
*/
|
|
|
|
|
else if (areq == AUTH_REQ_GSS_CONT)
|
|
|
|
|
{
|
|
|
|
|
if (port->gss->outbuf.length > 0)
|
|
|
|
|
{
|
|
|
|
|
elog(DEBUG4, "sending GSS token of length %u",
|
|
|
|
|
(unsigned int) port->gss->outbuf.length);
|
2007-07-10 15:14:22 +02:00
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
pq_sendbytes(&buf, port->gss->outbuf.value, port->gss->outbuf.length);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
pq_endmessage(&buf);
|
2007-07-10 15:14:22 +02:00
|
|
|
|
2007-11-15 22:14:46 +01:00
|
|
|
/*
|
2008-08-01 13:41:12 +02:00
|
|
|
* Flush message so client will see it, except for AUTH_REQ_OK, which need
|
|
|
|
|
* not be sent until we are ready for queries.
|
2007-11-15 22:14:46 +01:00
|
|
|
*/
|
2008-08-01 13:41:12 +02:00
|
|
|
if (areq != AUTH_REQ_OK)
|
|
|
|
|
pq_flush();
|
2015-02-03 22:54:48 +01:00
|
|
|
|
|
|
|
|
CHECK_FOR_INTERRUPTS();
|
2007-07-10 15:14:22 +02:00
|
|
|
}
|
|
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
/*
|
|
|
|
|
* Collect password response packet from frontend.
|
|
|
|
|
*
|
|
|
|
|
* Returns NULL if couldn't get password, else palloc'd string.
|
|
|
|
|
*/
|
|
|
|
|
static char *
|
|
|
|
|
recv_password_packet(Port *port)
|
2007-07-10 15:14:22 +02:00
|
|
|
{
|
2007-11-15 22:14:46 +01:00
|
|
|
StringInfoData buf;
|
2008-02-08 18:58:46 +01:00
|
|
|
|
Be more careful to not lose sync in the FE/BE protocol.
If any error occurred while we were in the middle of reading a protocol
message from the client, we could lose sync, and incorrectly try to
interpret a part of another message as a new protocol message. That will
usually lead to an "invalid frontend message" error that terminates the
connection. However, this is a security issue because an attacker might
be able to deliberately cause an error, inject a Query message in what's
supposed to be just user data, and have the server execute it.
We were quite careful to not have CHECK_FOR_INTERRUPTS() calls or other
operations that could ereport(ERROR) in the middle of processing a message,
but a query cancel interrupt or statement timeout could nevertheless cause
it to happen. Also, the V2 fastpath and COPY handling were not so careful.
It's very difficult to recover in the V2 COPY protocol, so we will just
terminate the connection on error. In practice, that's what happened
previously anyway, as we lost protocol sync.
To fix, add a new variable in pqcomm.c, PqCommReadingMsg, that is set
whenever we're in the middle of reading a message. When it's set, we cannot
safely ERROR out and continue running, because we might've read only part
of a message. PqCommReadingMsg acts somewhat similarly to critical sections
in that if an error occurs while it's set, the error handler will force the
connection to be terminated, as if the error was FATAL. It's not
implemented by promoting ERROR to FATAL in elog.c, like ERROR is promoted
to PANIC in critical sections, because we want to be able to use
PG_TRY/CATCH to recover and regain protocol sync. pq_getmessage() takes
advantage of that to prevent an OOM error from terminating the connection.
To prevent unnecessary connection terminations, add a holdoff mechanism
similar to HOLD/RESUME_INTERRUPTS() that can be used hold off query cancel
interrupts, but still allow die interrupts. The rules on which interrupts
are processed when are now a bit more complicated, so refactor
ProcessInterrupts() and the calls to it in signal handlers so that the
signal handlers always call it if ImmediateInterruptOK is set, and
ProcessInterrupts() can decide to not do anything if the other conditions
are not met.
Reported by Emil Lenngren. Patch reviewed by Noah Misch and Andres Freund.
Backpatch to all supported versions.
Security: CVE-2015-0244
2015-02-02 16:08:45 +01:00
|
|
|
pq_startmsgread();
|
2008-08-01 13:41:12 +02:00
|
|
|
if (PG_PROTOCOL_MAJOR(port->proto) >= 3)
|
2007-07-10 15:14:22 +02:00
|
|
|
{
|
2008-08-01 13:41:12 +02:00
|
|
|
/* Expect 'p' message type */
|
|
|
|
|
int mtype;
|
2008-01-30 05:11:19 +01:00
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
mtype = pq_getbyte();
|
|
|
|
|
if (mtype != 'p')
|
|
|
|
|
{
|
|
|
|
|
/*
|
|
|
|
|
* If the client just disconnects without offering a password,
|
|
|
|
|
* don't make a log entry. This is legal per protocol spec and in
|
|
|
|
|
* fact commonly done by psql, so complaining just clutters the
|
|
|
|
|
* log.
|
|
|
|
|
*/
|
|
|
|
|
if (mtype != EOF)
|
|
|
|
|
ereport(COMMERROR,
|
|
|
|
|
(errcode(ERRCODE_PROTOCOL_VIOLATION),
|
|
|
|
|
errmsg("expected password response, got message type %d",
|
|
|
|
|
mtype)));
|
|
|
|
|
return NULL; /* EOF or bad message type */
|
2007-07-10 15:14:22 +02:00
|
|
|
}
|
|
|
|
|
}
|
2008-08-01 13:41:12 +02:00
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
/* For pre-3.0 clients, avoid log entry if they just disconnect */
|
|
|
|
|
if (pq_peekbyte() == EOF)
|
|
|
|
|
return NULL; /* EOF */
|
|
|
|
|
}
|
2007-07-10 15:14:22 +02:00
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
initStringInfo(&buf);
|
|
|
|
|
if (pq_getmessage(&buf, 1000)) /* receive password */
|
|
|
|
|
{
|
|
|
|
|
/* EOF - pq_getmessage already logged a suitable message */
|
|
|
|
|
pfree(buf.data);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
2007-07-10 15:14:22 +02:00
|
|
|
|
|
|
|
|
/*
|
2008-08-01 13:41:12 +02:00
|
|
|
* Apply sanity check: password packet length should agree with length of
|
|
|
|
|
* contained string. Note it is safe to use strlen here because
|
|
|
|
|
* StringInfo is guaranteed to have an appended '\0'.
|
2007-07-10 15:14:22 +02:00
|
|
|
*/
|
2008-08-01 13:41:12 +02:00
|
|
|
if (strlen(buf.data) + 1 != buf.len)
|
|
|
|
|
ereport(COMMERROR,
|
|
|
|
|
(errcode(ERRCODE_PROTOCOL_VIOLATION),
|
|
|
|
|
errmsg("invalid password packet size")));
|
|
|
|
|
|
|
|
|
|
/* Do not echo password to logs, for security. */
|
2015-11-17 03:16:42 +01:00
|
|
|
elog(DEBUG5, "received password packet");
|
2007-07-10 15:14:22 +02:00
|
|
|
|
|
|
|
|
/*
|
2014-05-06 18:12:18 +02:00
|
|
|
* Return the received string. Note we do not attempt to do any
|
2008-08-01 13:41:12 +02:00
|
|
|
* character-set conversion on it; since we don't yet know the client's
|
|
|
|
|
* encoding, there wouldn't be much point.
|
2007-07-10 15:14:22 +02:00
|
|
|
*/
|
2008-08-01 13:41:12 +02:00
|
|
|
return buf.data;
|
|
|
|
|
}
|
2007-07-10 15:14:22 +02:00
|
|
|
|
|
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
/*----------------------------------------------------------------
|
2009-04-01 05:23:50 +02:00
|
|
|
* MD5 authentication
|
2008-08-01 13:41:12 +02:00
|
|
|
*----------------------------------------------------------------
|
|
|
|
|
*/
|
2007-07-10 15:14:22 +02:00
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
/*
|
|
|
|
|
* Called when we have sent an authorization request for a password.
|
|
|
|
|
* Get the response and check it.
|
2014-01-28 03:04:09 +01:00
|
|
|
* On error, optionally store a detail string at *logdetail.
|
2008-08-01 13:41:12 +02:00
|
|
|
*/
|
|
|
|
|
static int
|
2014-01-28 03:04:09 +01:00
|
|
|
recv_and_check_password_packet(Port *port, char **logdetail)
|
2008-08-01 13:41:12 +02:00
|
|
|
{
|
|
|
|
|
char *passwd;
|
|
|
|
|
int result;
|
2007-07-10 15:14:22 +02:00
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
passwd = recv_password_packet(port);
|
2007-07-10 15:14:22 +02:00
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
if (passwd == NULL)
|
|
|
|
|
return STATUS_EOF; /* client wouldn't send password */
|
2007-07-10 15:14:22 +02:00
|
|
|
|
2014-01-28 03:04:09 +01:00
|
|
|
result = md5_crypt_verify(port, port->user_name, passwd, logdetail);
|
2007-07-23 12:16:54 +02:00
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
pfree(passwd);
|
2007-07-11 10:27:33 +02:00
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
return result;
|
|
|
|
|
}
|
2007-07-23 12:16:54 +02:00
|
|
|
|
2007-07-10 15:14:22 +02:00
|
|
|
|
|
|
|
|
|
2008-02-08 18:58:46 +01:00
|
|
|
/*----------------------------------------------------------------
|
2008-08-01 13:41:12 +02:00
|
|
|
* GSSAPI authentication system
|
2008-02-08 18:58:46 +01:00
|
|
|
*----------------------------------------------------------------
|
|
|
|
|
*/
|
2008-08-01 13:41:12 +02:00
|
|
|
#ifdef ENABLE_GSS
|
2008-02-08 18:58:46 +01:00
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
#if defined(WIN32) && !defined(WIN32_ONLY_COMPILER)
|
|
|
|
|
/*
|
|
|
|
|
* MIT Kerberos GSSAPI DLL doesn't properly export the symbols for MingW
|
|
|
|
|
* that contain the OIDs required. Redefine here, values copied
|
|
|
|
|
* from src/athena/auth/krb5/src/lib/gssapi/generic/gssapi_generic.c
|
|
|
|
|
*/
|
|
|
|
|
static const gss_OID_desc GSS_C_NT_USER_NAME_desc =
|
|
|
|
|
{10, (void *) "\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x02"};
|
|
|
|
|
static GSS_DLLIMP gss_OID GSS_C_NT_USER_NAME = &GSS_C_NT_USER_NAME_desc;
|
|
|
|
|
#endif
|
2008-02-08 18:58:46 +01:00
|
|
|
|
|
|
|
|
|
2007-07-23 12:16:54 +02:00
|
|
|
static void
|
2008-08-01 13:41:12 +02:00
|
|
|
pg_GSS_error(int severity, char *errmsg, OM_uint32 maj_stat, OM_uint32 min_stat)
|
2007-07-23 12:16:54 +02:00
|
|
|
{
|
2008-08-01 13:41:12 +02:00
|
|
|
gss_buffer_desc gmsg;
|
2011-04-11 21:28:45 +02:00
|
|
|
OM_uint32 lmin_s,
|
2008-08-01 13:41:12 +02:00
|
|
|
msg_ctx;
|
|
|
|
|
char msg_major[128],
|
|
|
|
|
msg_minor[128];
|
2007-07-23 12:16:54 +02:00
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
/* Fetch major status message */
|
|
|
|
|
msg_ctx = 0;
|
2011-04-11 21:28:45 +02:00
|
|
|
gss_display_status(&lmin_s, maj_stat, GSS_C_GSS_CODE,
|
2011-06-09 20:32:50 +02:00
|
|
|
GSS_C_NO_OID, &msg_ctx, &gmsg);
|
2008-08-01 13:41:12 +02:00
|
|
|
strlcpy(msg_major, gmsg.value, sizeof(msg_major));
|
|
|
|
|
gss_release_buffer(&lmin_s, &gmsg);
|
|
|
|
|
|
|
|
|
|
if (msg_ctx)
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* More than one message available. XXX: Should we loop and read all
|
|
|
|
|
* messages? (same below)
|
|
|
|
|
*/
|
|
|
|
|
ereport(WARNING,
|
|
|
|
|
(errmsg_internal("incomplete GSS error report")));
|
|
|
|
|
|
|
|
|
|
/* Fetch mechanism minor status message */
|
|
|
|
|
msg_ctx = 0;
|
2011-04-11 21:28:45 +02:00
|
|
|
gss_display_status(&lmin_s, min_stat, GSS_C_MECH_CODE,
|
2011-06-09 20:32:50 +02:00
|
|
|
GSS_C_NO_OID, &msg_ctx, &gmsg);
|
2008-08-01 13:41:12 +02:00
|
|
|
strlcpy(msg_minor, gmsg.value, sizeof(msg_minor));
|
|
|
|
|
gss_release_buffer(&lmin_s, &gmsg);
|
|
|
|
|
|
|
|
|
|
if (msg_ctx)
|
|
|
|
|
ereport(WARNING,
|
|
|
|
|
(errmsg_internal("incomplete GSS minor error report")));
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* errmsg_internal, since translation of the first part must be done
|
|
|
|
|
* before calling this function anyway.
|
|
|
|
|
*/
|
|
|
|
|
ereport(severity,
|
|
|
|
|
(errmsg_internal("%s", errmsg),
|
2011-07-16 20:21:12 +02:00
|
|
|
errdetail_internal("%s: %s", msg_major, msg_minor)));
|
2007-07-23 12:16:54 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int
|
2008-08-01 13:41:12 +02:00
|
|
|
pg_GSS_recvauth(Port *port)
|
2007-07-23 12:16:54 +02:00
|
|
|
{
|
2008-08-01 13:41:12 +02:00
|
|
|
OM_uint32 maj_stat,
|
|
|
|
|
min_stat,
|
|
|
|
|
lmin_s,
|
|
|
|
|
gflags;
|
2007-11-15 22:14:46 +01:00
|
|
|
int mtype;
|
2008-08-01 13:41:12 +02:00
|
|
|
int ret;
|
2007-11-15 22:14:46 +01:00
|
|
|
StringInfoData buf;
|
2008-08-01 13:41:12 +02:00
|
|
|
gss_buffer_desc gbuf;
|
2007-07-23 12:16:54 +02:00
|
|
|
|
2008-02-08 18:58:46 +01:00
|
|
|
/*
|
2008-08-01 13:41:12 +02:00
|
|
|
* GSS auth is not supported for protocol versions before 3, because it
|
|
|
|
|
* relies on the overall message length word to determine the GSS payload
|
2009-06-11 16:49:15 +02:00
|
|
|
* size in AuthenticationGSSContinue and PasswordMessage messages. (This
|
|
|
|
|
* is, in fact, a design error in our GSS support, because protocol
|
2008-02-08 18:58:46 +01:00
|
|
|
* messages are supposed to be parsable without relying on the length
|
|
|
|
|
* word; but it's not worth changing it now.)
|
|
|
|
|
*/
|
|
|
|
|
if (PG_PROTOCOL_MAJOR(FrontendProtocol) < 3)
|
|
|
|
|
ereport(FATAL,
|
|
|
|
|
(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
|
2008-08-01 13:41:12 +02:00
|
|
|
errmsg("GSSAPI is not supported in protocol version 2")));
|
|
|
|
|
|
|
|
|
|
if (pg_krb_server_keyfile && strlen(pg_krb_server_keyfile) > 0)
|
|
|
|
|
{
|
|
|
|
|
/*
|
|
|
|
|
* Set default Kerberos keytab file for the Krb5 mechanism.
|
|
|
|
|
*
|
|
|
|
|
* setenv("KRB5_KTNAME", pg_krb_server_keyfile, 0); except setenv()
|
|
|
|
|
* not always available.
|
|
|
|
|
*/
|
|
|
|
|
if (getenv("KRB5_KTNAME") == NULL)
|
|
|
|
|
{
|
2013-10-23 00:42:13 +02:00
|
|
|
size_t kt_len = strlen(pg_krb_server_keyfile) + 14;
|
|
|
|
|
char *kt_path = malloc(kt_len);
|
2008-08-01 13:41:12 +02:00
|
|
|
|
2015-05-18 16:02:31 +02:00
|
|
|
if (!kt_path ||
|
|
|
|
|
snprintf(kt_path, kt_len, "KRB5_KTNAME=%s",
|
|
|
|
|
pg_krb_server_keyfile) != kt_len - 2 ||
|
|
|
|
|
putenv(kt_path) != 0)
|
2008-08-01 13:41:12 +02:00
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
|
|
|
|
(errcode(ERRCODE_OUT_OF_MEMORY),
|
|
|
|
|
errmsg("out of memory")));
|
|
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
2007-07-23 12:16:54 +02:00
|
|
|
|
|
|
|
|
/*
|
2008-08-01 13:41:12 +02:00
|
|
|
* We accept any service principal that's present in our keytab. This
|
|
|
|
|
* increases interoperability between kerberos implementations that see
|
|
|
|
|
* for example case sensitivity differently, while not really opening up
|
|
|
|
|
* any vector of attack.
|
2007-07-23 12:16:54 +02:00
|
|
|
*/
|
2008-08-01 13:41:12 +02:00
|
|
|
port->gss->cred = GSS_C_NO_CREDENTIAL;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Initialize sequence with an empty context
|
|
|
|
|
*/
|
|
|
|
|
port->gss->ctx = GSS_C_NO_CONTEXT;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Loop through GSSAPI message exchange. This exchange can consist of
|
2016-03-15 23:06:11 +01:00
|
|
|
* multiple messages sent in both directions. First message is always from
|
2008-08-01 13:41:12 +02:00
|
|
|
* the client. All messages from client to server are password packets
|
|
|
|
|
* (type 'p').
|
|
|
|
|
*/
|
|
|
|
|
do
|
|
|
|
|
{
|
Be more careful to not lose sync in the FE/BE protocol.
If any error occurred while we were in the middle of reading a protocol
message from the client, we could lose sync, and incorrectly try to
interpret a part of another message as a new protocol message. That will
usually lead to an "invalid frontend message" error that terminates the
connection. However, this is a security issue because an attacker might
be able to deliberately cause an error, inject a Query message in what's
supposed to be just user data, and have the server execute it.
We were quite careful to not have CHECK_FOR_INTERRUPTS() calls or other
operations that could ereport(ERROR) in the middle of processing a message,
but a query cancel interrupt or statement timeout could nevertheless cause
it to happen. Also, the V2 fastpath and COPY handling were not so careful.
It's very difficult to recover in the V2 COPY protocol, so we will just
terminate the connection on error. In practice, that's what happened
previously anyway, as we lost protocol sync.
To fix, add a new variable in pqcomm.c, PqCommReadingMsg, that is set
whenever we're in the middle of reading a message. When it's set, we cannot
safely ERROR out and continue running, because we might've read only part
of a message. PqCommReadingMsg acts somewhat similarly to critical sections
in that if an error occurs while it's set, the error handler will force the
connection to be terminated, as if the error was FATAL. It's not
implemented by promoting ERROR to FATAL in elog.c, like ERROR is promoted
to PANIC in critical sections, because we want to be able to use
PG_TRY/CATCH to recover and regain protocol sync. pq_getmessage() takes
advantage of that to prevent an OOM error from terminating the connection.
To prevent unnecessary connection terminations, add a holdoff mechanism
similar to HOLD/RESUME_INTERRUPTS() that can be used hold off query cancel
interrupts, but still allow die interrupts. The rules on which interrupts
are processed when are now a bit more complicated, so refactor
ProcessInterrupts() and the calls to it in signal handlers so that the
signal handlers always call it if ImmediateInterruptOK is set, and
ProcessInterrupts() can decide to not do anything if the other conditions
are not met.
Reported by Emil Lenngren. Patch reviewed by Noah Misch and Andres Freund.
Backpatch to all supported versions.
Security: CVE-2015-0244
2015-02-02 16:08:45 +01:00
|
|
|
pq_startmsgread();
|
2015-02-03 22:54:48 +01:00
|
|
|
|
|
|
|
|
CHECK_FOR_INTERRUPTS();
|
|
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
mtype = pq_getbyte();
|
|
|
|
|
if (mtype != 'p')
|
|
|
|
|
{
|
|
|
|
|
/* Only log error if client didn't disconnect. */
|
|
|
|
|
if (mtype != EOF)
|
|
|
|
|
ereport(COMMERROR,
|
|
|
|
|
(errcode(ERRCODE_PROTOCOL_VIOLATION),
|
|
|
|
|
errmsg("expected GSS response, got message type %d",
|
|
|
|
|
mtype)));
|
|
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Get the actual GSS token */
|
|
|
|
|
initStringInfo(&buf);
|
2009-10-15 00:09:46 +02:00
|
|
|
if (pq_getmessage(&buf, PG_MAX_AUTH_TOKEN_LENGTH))
|
2008-08-01 13:41:12 +02:00
|
|
|
{
|
|
|
|
|
/* EOF - pq_getmessage already logged error */
|
|
|
|
|
pfree(buf.data);
|
|
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Map to GSSAPI style buffer */
|
|
|
|
|
gbuf.length = buf.len;
|
|
|
|
|
gbuf.value = buf.data;
|
|
|
|
|
|
|
|
|
|
elog(DEBUG4, "Processing received GSS token of length %u",
|
|
|
|
|
(unsigned int) gbuf.length);
|
|
|
|
|
|
|
|
|
|
maj_stat = gss_accept_sec_context(
|
|
|
|
|
&min_stat,
|
|
|
|
|
&port->gss->ctx,
|
|
|
|
|
port->gss->cred,
|
|
|
|
|
&gbuf,
|
|
|
|
|
GSS_C_NO_CHANNEL_BINDINGS,
|
|
|
|
|
&port->gss->name,
|
|
|
|
|
NULL,
|
|
|
|
|
&port->gss->outbuf,
|
|
|
|
|
&gflags,
|
|
|
|
|
NULL,
|
|
|
|
|
NULL);
|
|
|
|
|
|
|
|
|
|
/* gbuf no longer used */
|
|
|
|
|
pfree(buf.data);
|
|
|
|
|
|
|
|
|
|
elog(DEBUG5, "gss_accept_sec_context major: %d, "
|
|
|
|
|
"minor: %d, outlen: %u, outflags: %x",
|
|
|
|
|
maj_stat, min_stat,
|
|
|
|
|
(unsigned int) port->gss->outbuf.length, gflags);
|
|
|
|
|
|
2015-02-03 22:54:48 +01:00
|
|
|
CHECK_FOR_INTERRUPTS();
|
|
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
if (port->gss->outbuf.length != 0)
|
|
|
|
|
{
|
|
|
|
|
/*
|
|
|
|
|
* Negotiation generated data to be sent to the client.
|
|
|
|
|
*/
|
|
|
|
|
elog(DEBUG4, "sending GSS response token of length %u",
|
|
|
|
|
(unsigned int) port->gss->outbuf.length);
|
|
|
|
|
|
|
|
|
|
sendAuthRequest(port, AUTH_REQ_GSS_CONT);
|
|
|
|
|
|
|
|
|
|
gss_release_buffer(&lmin_s, &port->gss->outbuf);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (maj_stat != GSS_S_COMPLETE && maj_stat != GSS_S_CONTINUE_NEEDED)
|
|
|
|
|
{
|
|
|
|
|
gss_delete_sec_context(&lmin_s, &port->gss->ctx, GSS_C_NO_BUFFER);
|
|
|
|
|
pg_GSS_error(ERROR,
|
|
|
|
|
gettext_noop("accepting GSS security context failed"),
|
|
|
|
|
maj_stat, min_stat);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (maj_stat == GSS_S_CONTINUE_NEEDED)
|
|
|
|
|
elog(DEBUG4, "GSS continue needed");
|
|
|
|
|
|
|
|
|
|
} while (maj_stat == GSS_S_CONTINUE_NEEDED);
|
|
|
|
|
|
|
|
|
|
if (port->gss->cred != GSS_C_NO_CREDENTIAL)
|
|
|
|
|
{
|
|
|
|
|
/*
|
|
|
|
|
* Release service principal credentials
|
|
|
|
|
*/
|
|
|
|
|
gss_release_cred(&min_stat, &port->gss->cred);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* GSS_S_COMPLETE indicates that authentication is now complete.
|
|
|
|
|
*
|
|
|
|
|
* Get the name of the user that authenticated, and compare it to the pg
|
|
|
|
|
* username that was specified for the connection.
|
|
|
|
|
*/
|
|
|
|
|
maj_stat = gss_display_name(&min_stat, port->gss->name, &gbuf, NULL);
|
|
|
|
|
if (maj_stat != GSS_S_COMPLETE)
|
|
|
|
|
pg_GSS_error(ERROR,
|
|
|
|
|
gettext_noop("retrieving GSS user name failed"),
|
|
|
|
|
maj_stat, min_stat);
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Split the username at the realm separator
|
|
|
|
|
*/
|
|
|
|
|
if (strchr(gbuf.value, '@'))
|
|
|
|
|
{
|
|
|
|
|
char *cp = strchr(gbuf.value, '@');
|
|
|
|
|
|
2009-01-07 14:09:21 +01:00
|
|
|
/*
|
2009-06-11 16:49:15 +02:00
|
|
|
* If we are not going to include the realm in the username that is
|
|
|
|
|
* passed to the ident map, destructively modify it here to remove the
|
|
|
|
|
* realm. Then advance past the separator to check the realm.
|
2009-01-07 14:09:21 +01:00
|
|
|
*/
|
|
|
|
|
if (!port->hba->include_realm)
|
|
|
|
|
*cp = '\0';
|
2008-08-01 13:41:12 +02:00
|
|
|
cp++;
|
|
|
|
|
|
2009-01-09 11:13:19 +01:00
|
|
|
if (port->hba->krb_realm != NULL && strlen(port->hba->krb_realm))
|
2008-08-01 13:41:12 +02:00
|
|
|
{
|
|
|
|
|
/*
|
|
|
|
|
* Match the realm part of the name first
|
|
|
|
|
*/
|
|
|
|
|
if (pg_krb_caseins_users)
|
2009-01-09 11:13:19 +01:00
|
|
|
ret = pg_strcasecmp(port->hba->krb_realm, cp);
|
2008-08-01 13:41:12 +02:00
|
|
|
else
|
2009-01-09 11:13:19 +01:00
|
|
|
ret = strcmp(port->hba->krb_realm, cp);
|
2008-08-01 13:41:12 +02:00
|
|
|
|
|
|
|
|
if (ret)
|
|
|
|
|
{
|
|
|
|
|
/* GSS realm does not match */
|
|
|
|
|
elog(DEBUG2,
|
|
|
|
|
"GSSAPI realm (%s) and configured realm (%s) don't match",
|
2009-01-09 11:13:19 +01:00
|
|
|
cp, port->hba->krb_realm);
|
2008-08-01 13:41:12 +02:00
|
|
|
gss_release_buffer(&lmin_s, &gbuf);
|
|
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
2009-01-09 11:13:19 +01:00
|
|
|
else if (port->hba->krb_realm && strlen(port->hba->krb_realm))
|
2008-08-01 13:41:12 +02:00
|
|
|
{
|
|
|
|
|
elog(DEBUG2,
|
|
|
|
|
"GSSAPI did not return realm but realm matching was requested");
|
|
|
|
|
|
|
|
|
|
gss_release_buffer(&lmin_s, &gbuf);
|
|
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
|
2008-10-23 15:31:10 +02:00
|
|
|
ret = check_usermap(port->hba->usermap, port->user_name, gbuf.value,
|
|
|
|
|
pg_krb_caseins_users);
|
2008-08-01 13:41:12 +02:00
|
|
|
|
|
|
|
|
gss_release_buffer(&lmin_s, &gbuf);
|
|
|
|
|
|
2009-05-27 23:08:22 +02:00
|
|
|
return ret;
|
2008-08-01 13:41:12 +02:00
|
|
|
}
|
|
|
|
|
#endif /* ENABLE_GSS */
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/*----------------------------------------------------------------
|
|
|
|
|
* SSPI authentication system
|
|
|
|
|
*----------------------------------------------------------------
|
|
|
|
|
*/
|
|
|
|
|
#ifdef ENABLE_SSPI
|
|
|
|
|
static void
|
2009-03-22 19:06:35 +01:00
|
|
|
pg_SSPI_error(int severity, const char *errmsg, SECURITY_STATUS r)
|
2008-08-01 13:41:12 +02:00
|
|
|
{
|
|
|
|
|
char sysmsg[256];
|
|
|
|
|
|
2016-03-29 17:54:57 +02:00
|
|
|
if (FormatMessage(FORMAT_MESSAGE_IGNORE_INSERTS |
|
|
|
|
|
FORMAT_MESSAGE_FROM_SYSTEM,
|
|
|
|
|
NULL, r, 0,
|
2009-03-22 19:06:35 +01:00
|
|
|
sysmsg, sizeof(sysmsg), NULL) == 0)
|
2008-08-01 13:41:12 +02:00
|
|
|
ereport(severity,
|
|
|
|
|
(errmsg_internal("%s", errmsg),
|
2011-07-16 20:21:12 +02:00
|
|
|
errdetail_internal("SSPI error %x", (unsigned int) r)));
|
2008-08-01 13:41:12 +02:00
|
|
|
else
|
|
|
|
|
ereport(severity,
|
|
|
|
|
(errmsg_internal("%s", errmsg),
|
2011-07-16 20:21:12 +02:00
|
|
|
errdetail_internal("%s (%x)", sysmsg, (unsigned int) r)));
|
2008-08-01 13:41:12 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int
|
|
|
|
|
pg_SSPI_recvauth(Port *port)
|
|
|
|
|
{
|
|
|
|
|
int mtype;
|
|
|
|
|
StringInfoData buf;
|
|
|
|
|
SECURITY_STATUS r;
|
|
|
|
|
CredHandle sspicred;
|
|
|
|
|
CtxtHandle *sspictx = NULL,
|
|
|
|
|
newctx;
|
|
|
|
|
TimeStamp expiry;
|
|
|
|
|
ULONG contextattr;
|
|
|
|
|
SecBufferDesc inbuf;
|
|
|
|
|
SecBufferDesc outbuf;
|
|
|
|
|
SecBuffer OutBuffers[1];
|
|
|
|
|
SecBuffer InBuffers[1];
|
|
|
|
|
HANDLE token;
|
|
|
|
|
TOKEN_USER *tokenuser;
|
|
|
|
|
DWORD retlen;
|
|
|
|
|
char accountname[MAXPGPATH];
|
|
|
|
|
char domainname[MAXPGPATH];
|
|
|
|
|
DWORD accountnamesize = sizeof(accountname);
|
|
|
|
|
DWORD domainnamesize = sizeof(domainname);
|
|
|
|
|
SID_NAME_USE accountnameuse;
|
|
|
|
|
HMODULE secur32;
|
|
|
|
|
QUERY_SECURITY_CONTEXT_TOKEN_FN _QuerySecurityContextToken;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* SSPI auth is not supported for protocol versions before 3, because it
|
|
|
|
|
* relies on the overall message length word to determine the SSPI payload
|
2009-06-11 16:49:15 +02:00
|
|
|
* size in AuthenticationGSSContinue and PasswordMessage messages. (This
|
|
|
|
|
* is, in fact, a design error in our SSPI support, because protocol
|
2008-08-01 13:41:12 +02:00
|
|
|
* messages are supposed to be parsable without relying on the length
|
|
|
|
|
* word; but it's not worth changing it now.)
|
|
|
|
|
*/
|
|
|
|
|
if (PG_PROTOCOL_MAJOR(FrontendProtocol) < 3)
|
|
|
|
|
ereport(FATAL,
|
|
|
|
|
(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
|
|
|
|
|
errmsg("SSPI is not supported in protocol version 2")));
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Acquire a handle to the server credentials.
|
|
|
|
|
*/
|
|
|
|
|
r = AcquireCredentialsHandle(NULL,
|
|
|
|
|
"negotiate",
|
2007-11-15 22:14:46 +01:00
|
|
|
SECPKG_CRED_INBOUND,
|
|
|
|
|
NULL,
|
|
|
|
|
NULL,
|
|
|
|
|
NULL,
|
|
|
|
|
NULL,
|
|
|
|
|
&sspicred,
|
|
|
|
|
&expiry);
|
2007-07-23 12:16:54 +02:00
|
|
|
if (r != SEC_E_OK)
|
2009-03-22 19:06:35 +01:00
|
|
|
pg_SSPI_error(ERROR, _("could not acquire SSPI credentials"), r);
|
2007-07-23 12:16:54 +02:00
|
|
|
|
|
|
|
|
/*
|
2007-11-15 22:14:46 +01:00
|
|
|
* Loop through SSPI message exchange. This exchange can consist of
|
2016-03-15 23:06:11 +01:00
|
|
|
* multiple messages sent in both directions. First message is always from
|
2007-11-15 22:14:46 +01:00
|
|
|
* the client. All messages from client to server are password packets
|
|
|
|
|
* (type 'p').
|
2007-07-23 12:16:54 +02:00
|
|
|
*/
|
2007-11-15 22:14:46 +01:00
|
|
|
do
|
2007-07-23 12:16:54 +02:00
|
|
|
{
|
Be more careful to not lose sync in the FE/BE protocol.
If any error occurred while we were in the middle of reading a protocol
message from the client, we could lose sync, and incorrectly try to
interpret a part of another message as a new protocol message. That will
usually lead to an "invalid frontend message" error that terminates the
connection. However, this is a security issue because an attacker might
be able to deliberately cause an error, inject a Query message in what's
supposed to be just user data, and have the server execute it.
We were quite careful to not have CHECK_FOR_INTERRUPTS() calls or other
operations that could ereport(ERROR) in the middle of processing a message,
but a query cancel interrupt or statement timeout could nevertheless cause
it to happen. Also, the V2 fastpath and COPY handling were not so careful.
It's very difficult to recover in the V2 COPY protocol, so we will just
terminate the connection on error. In practice, that's what happened
previously anyway, as we lost protocol sync.
To fix, add a new variable in pqcomm.c, PqCommReadingMsg, that is set
whenever we're in the middle of reading a message. When it's set, we cannot
safely ERROR out and continue running, because we might've read only part
of a message. PqCommReadingMsg acts somewhat similarly to critical sections
in that if an error occurs while it's set, the error handler will force the
connection to be terminated, as if the error was FATAL. It's not
implemented by promoting ERROR to FATAL in elog.c, like ERROR is promoted
to PANIC in critical sections, because we want to be able to use
PG_TRY/CATCH to recover and regain protocol sync. pq_getmessage() takes
advantage of that to prevent an OOM error from terminating the connection.
To prevent unnecessary connection terminations, add a holdoff mechanism
similar to HOLD/RESUME_INTERRUPTS() that can be used hold off query cancel
interrupts, but still allow die interrupts. The rules on which interrupts
are processed when are now a bit more complicated, so refactor
ProcessInterrupts() and the calls to it in signal handlers so that the
signal handlers always call it if ImmediateInterruptOK is set, and
ProcessInterrupts() can decide to not do anything if the other conditions
are not met.
Reported by Emil Lenngren. Patch reviewed by Noah Misch and Andres Freund.
Backpatch to all supported versions.
Security: CVE-2015-0244
2015-02-02 16:08:45 +01:00
|
|
|
pq_startmsgread();
|
2007-07-23 12:16:54 +02:00
|
|
|
mtype = pq_getbyte();
|
|
|
|
|
if (mtype != 'p')
|
|
|
|
|
{
|
|
|
|
|
/* Only log error if client didn't disconnect. */
|
|
|
|
|
if (mtype != EOF)
|
|
|
|
|
ereport(COMMERROR,
|
|
|
|
|
(errcode(ERRCODE_PROTOCOL_VIOLATION),
|
|
|
|
|
errmsg("expected SSPI response, got message type %d",
|
2007-11-15 22:14:46 +01:00
|
|
|
mtype)));
|
2007-07-23 12:16:54 +02:00
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Get the actual SSPI token */
|
|
|
|
|
initStringInfo(&buf);
|
2009-10-15 00:09:46 +02:00
|
|
|
if (pq_getmessage(&buf, PG_MAX_AUTH_TOKEN_LENGTH))
|
2007-07-23 12:16:54 +02:00
|
|
|
{
|
|
|
|
|
/* EOF - pq_getmessage already logged error */
|
|
|
|
|
pfree(buf.data);
|
|
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Map to SSPI style buffer */
|
|
|
|
|
inbuf.ulVersion = SECBUFFER_VERSION;
|
|
|
|
|
inbuf.cBuffers = 1;
|
|
|
|
|
inbuf.pBuffers = InBuffers;
|
|
|
|
|
InBuffers[0].pvBuffer = buf.data;
|
|
|
|
|
InBuffers[0].cbBuffer = buf.len;
|
|
|
|
|
InBuffers[0].BufferType = SECBUFFER_TOKEN;
|
|
|
|
|
|
|
|
|
|
/* Prepare output buffer */
|
|
|
|
|
OutBuffers[0].pvBuffer = NULL;
|
|
|
|
|
OutBuffers[0].BufferType = SECBUFFER_TOKEN;
|
|
|
|
|
OutBuffers[0].cbBuffer = 0;
|
|
|
|
|
outbuf.cBuffers = 1;
|
|
|
|
|
outbuf.pBuffers = OutBuffers;
|
|
|
|
|
outbuf.ulVersion = SECBUFFER_VERSION;
|
|
|
|
|
|
|
|
|
|
|
2007-11-15 22:14:46 +01:00
|
|
|
elog(DEBUG4, "Processing received SSPI token of length %u",
|
2007-07-23 12:16:54 +02:00
|
|
|
(unsigned int) buf.len);
|
|
|
|
|
|
|
|
|
|
r = AcceptSecurityContext(&sspicred,
|
2007-11-15 22:14:46 +01:00
|
|
|
sspictx,
|
|
|
|
|
&inbuf,
|
|
|
|
|
ASC_REQ_ALLOCATE_MEMORY,
|
|
|
|
|
SECURITY_NETWORK_DREP,
|
|
|
|
|
&newctx,
|
|
|
|
|
&outbuf,
|
|
|
|
|
&contextattr,
|
|
|
|
|
NULL);
|
2007-07-23 12:16:54 +02:00
|
|
|
|
|
|
|
|
/* input buffer no longer used */
|
|
|
|
|
pfree(buf.data);
|
|
|
|
|
|
|
|
|
|
if (outbuf.cBuffers > 0 && outbuf.pBuffers[0].cbBuffer > 0)
|
|
|
|
|
{
|
|
|
|
|
/*
|
|
|
|
|
* Negotiation generated data to be sent to the client.
|
|
|
|
|
*/
|
|
|
|
|
elog(DEBUG4, "sending SSPI response token of length %u",
|
|
|
|
|
(unsigned int) outbuf.pBuffers[0].cbBuffer);
|
|
|
|
|
|
|
|
|
|
port->gss->outbuf.length = outbuf.pBuffers[0].cbBuffer;
|
|
|
|
|
port->gss->outbuf.value = outbuf.pBuffers[0].pvBuffer;
|
|
|
|
|
|
|
|
|
|
sendAuthRequest(port, AUTH_REQ_GSS_CONT);
|
|
|
|
|
|
|
|
|
|
FreeContextBuffer(outbuf.pBuffers[0].pvBuffer);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (r != SEC_E_OK && r != SEC_I_CONTINUE_NEEDED)
|
|
|
|
|
{
|
|
|
|
|
if (sspictx != NULL)
|
|
|
|
|
{
|
|
|
|
|
DeleteSecurityContext(sspictx);
|
|
|
|
|
free(sspictx);
|
|
|
|
|
}
|
|
|
|
|
FreeCredentialsHandle(&sspicred);
|
2007-11-15 22:14:46 +01:00
|
|
|
pg_SSPI_error(ERROR,
|
2009-03-22 19:06:35 +01:00
|
|
|
_("could not accept SSPI security context"), r);
|
2007-07-23 12:16:54 +02:00
|
|
|
}
|
|
|
|
|
|
2011-07-16 19:58:53 +02:00
|
|
|
/*
|
2012-06-10 21:20:04 +02:00
|
|
|
* Overwrite the current context with the one we just received. If
|
|
|
|
|
* sspictx is NULL it was the first loop and we need to allocate a
|
|
|
|
|
* buffer for it. On subsequent runs, we can just overwrite the buffer
|
|
|
|
|
* contents since the size does not change.
|
2011-07-16 19:58:53 +02:00
|
|
|
*/
|
2007-07-23 12:16:54 +02:00
|
|
|
if (sspictx == NULL)
|
|
|
|
|
{
|
|
|
|
|
sspictx = malloc(sizeof(CtxtHandle));
|
|
|
|
|
if (sspictx == NULL)
|
|
|
|
|
ereport(ERROR,
|
2007-11-15 22:14:46 +01:00
|
|
|
(errmsg("out of memory")));
|
2007-07-23 12:16:54 +02:00
|
|
|
}
|
|
|
|
|
|
2011-07-16 19:58:53 +02:00
|
|
|
memcpy(sspictx, &newctx, sizeof(CtxtHandle));
|
|
|
|
|
|
2007-07-23 12:16:54 +02:00
|
|
|
if (r == SEC_I_CONTINUE_NEEDED)
|
|
|
|
|
elog(DEBUG4, "SSPI continue needed");
|
|
|
|
|
|
|
|
|
|
} while (r == SEC_I_CONTINUE_NEEDED);
|
|
|
|
|
|
|
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
/*
|
|
|
|
|
* Release service principal credentials
|
|
|
|
|
*/
|
|
|
|
|
FreeCredentialsHandle(&sspicred);
|
2001-08-16 18:24:16 +02:00
|
|
|
|
2001-10-25 07:50:21 +02:00
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
/*
|
|
|
|
|
* SEC_E_OK indicates that authentication is now complete.
|
|
|
|
|
*
|
|
|
|
|
* Get the name of the user that authenticated, and compare it to the pg
|
|
|
|
|
* username that was specified for the connection.
|
|
|
|
|
*
|
|
|
|
|
* MingW is missing the export for QuerySecurityContextToken in the
|
|
|
|
|
* secur32 library, so we have to load it dynamically.
|
|
|
|
|
*/
|
2001-10-19 00:44:37 +02:00
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
secur32 = LoadLibrary("SECUR32.DLL");
|
|
|
|
|
if (secur32 == NULL)
|
|
|
|
|
ereport(ERROR,
|
2011-08-23 21:00:52 +02:00
|
|
|
(errmsg_internal("could not load secur32.dll: error code %lu",
|
|
|
|
|
GetLastError())));
|
2001-08-17 17:44:17 +02:00
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
_QuerySecurityContextToken = (QUERY_SECURITY_CONTEXT_TOKEN_FN)
|
|
|
|
|
GetProcAddress(secur32, "QuerySecurityContextToken");
|
|
|
|
|
if (_QuerySecurityContextToken == NULL)
|
|
|
|
|
{
|
|
|
|
|
FreeLibrary(secur32);
|
|
|
|
|
ereport(ERROR,
|
2011-08-23 21:00:52 +02:00
|
|
|
(errmsg_internal("could not locate QuerySecurityContextToken in secur32.dll: error code %lu",
|
|
|
|
|
GetLastError())));
|
2008-08-01 13:41:12 +02:00
|
|
|
}
|
2006-03-06 18:41:44 +01:00
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
r = (_QuerySecurityContextToken) (sspictx, &token);
|
|
|
|
|
if (r != SEC_E_OK)
|
|
|
|
|
{
|
|
|
|
|
FreeLibrary(secur32);
|
|
|
|
|
pg_SSPI_error(ERROR,
|
2009-03-22 19:06:35 +01:00
|
|
|
_("could not get token from SSPI security context"), r);
|
1998-01-29 04:24:36 +01:00
|
|
|
}
|
2001-06-20 20:07:56 +02:00
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
FreeLibrary(secur32);
|
1998-02-26 05:46:47 +01:00
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
/*
|
|
|
|
|
* No longer need the security context, everything from here on uses the
|
|
|
|
|
* token instead.
|
|
|
|
|
*/
|
|
|
|
|
DeleteSecurityContext(sspictx);
|
|
|
|
|
free(sspictx);
|
1996-07-09 08:22:35 +02:00
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
if (!GetTokenInformation(token, TokenUser, NULL, 0, &retlen) && GetLastError() != 122)
|
|
|
|
|
ereport(ERROR,
|
2016-04-07 05:41:43 +02:00
|
|
|
(errmsg_internal("could not get token information buffer size: error code %lu",
|
|
|
|
|
GetLastError())));
|
1997-09-07 07:04:48 +02:00
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
tokenuser = malloc(retlen);
|
|
|
|
|
if (tokenuser == NULL)
|
|
|
|
|
ereport(ERROR,
|
|
|
|
|
(errmsg("out of memory")));
|
1998-01-26 02:42:53 +01:00
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
if (!GetTokenInformation(token, TokenUser, tokenuser, retlen, &retlen))
|
|
|
|
|
ereport(ERROR,
|
2016-04-07 05:41:43 +02:00
|
|
|
(errmsg_internal("could not get token information: error code %lu",
|
|
|
|
|
GetLastError())));
|
1998-01-26 02:42:53 +01:00
|
|
|
|
2016-01-14 13:06:03 +01:00
|
|
|
CloseHandle(token);
|
|
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
if (!LookupAccountSid(NULL, tokenuser->User.Sid, accountname, &accountnamesize,
|
|
|
|
|
domainname, &domainnamesize, &accountnameuse))
|
|
|
|
|
ereport(ERROR,
|
2012-06-10 21:20:04 +02:00
|
|
|
(errmsg_internal("could not look up account SID: error code %lu",
|
|
|
|
|
GetLastError())));
|
2008-08-01 13:41:12 +02:00
|
|
|
|
|
|
|
|
free(tokenuser);
|
2007-11-15 22:14:46 +01:00
|
|
|
|
|
|
|
|
/*
|
2008-08-01 13:41:12 +02:00
|
|
|
* Compare realm/domain if requested. In SSPI, always compare case
|
|
|
|
|
* insensitive.
|
2007-11-15 22:14:46 +01:00
|
|
|
*/
|
2009-01-09 11:13:19 +01:00
|
|
|
if (port->hba->krb_realm && strlen(port->hba->krb_realm))
|
2007-07-10 15:14:22 +02:00
|
|
|
{
|
2011-12-27 20:19:09 +01:00
|
|
|
if (pg_strcasecmp(port->hba->krb_realm, domainname) != 0)
|
2007-07-10 15:14:22 +02:00
|
|
|
{
|
2008-08-01 13:41:12 +02:00
|
|
|
elog(DEBUG2,
|
|
|
|
|
"SSPI domain (%s) and configured domain (%s) don't match",
|
2009-01-09 11:13:19 +01:00
|
|
|
domainname, port->hba->krb_realm);
|
2007-07-11 10:27:33 +02:00
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
return STATUS_ERROR;
|
2007-07-10 15:14:22 +02:00
|
|
|
}
|
|
|
|
|
}
|
2002-02-19 20:49:09 +01:00
|
|
|
|
|
|
|
|
/*
|
2008-08-01 13:41:12 +02:00
|
|
|
* We have the username (without domain/realm) in accountname, compare to
|
|
|
|
|
* the supplied value. In SSPI, always compare case insensitive.
|
2009-01-07 14:09:21 +01:00
|
|
|
*
|
|
|
|
|
* If set to include realm, append it in <username>@<realm> format.
|
2002-02-19 20:49:09 +01:00
|
|
|
*/
|
2009-01-07 14:09:21 +01:00
|
|
|
if (port->hba->include_realm)
|
|
|
|
|
{
|
2009-06-11 16:49:15 +02:00
|
|
|
char *namebuf;
|
|
|
|
|
int retval;
|
2009-01-07 14:09:21 +01:00
|
|
|
|
2013-10-13 06:09:18 +02:00
|
|
|
namebuf = psprintf("%s@%s", accountname, domainname);
|
2009-01-07 14:09:21 +01:00
|
|
|
retval = check_usermap(port->hba->usermap, port->user_name, namebuf, true);
|
|
|
|
|
pfree(namebuf);
|
|
|
|
|
return retval;
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
return check_usermap(port->hba->usermap, port->user_name, accountname, true);
|
2008-08-01 13:41:12 +02:00
|
|
|
}
|
|
|
|
|
#endif /* ENABLE_SSPI */
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2008-08-01 11:09:49 +02:00
|
|
|
/*----------------------------------------------------------------
|
|
|
|
|
* Ident authentication system
|
|
|
|
|
*----------------------------------------------------------------
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Parse the string "*ident_response" as a response from a query to an Ident
|
|
|
|
|
* server. If it's a normal response indicating a user name, return true
|
|
|
|
|
* and store the user name at *ident_user. If it's anything else,
|
|
|
|
|
* return false.
|
|
|
|
|
*/
|
|
|
|
|
static bool
|
|
|
|
|
interpret_ident_response(const char *ident_response,
|
|
|
|
|
char *ident_user)
|
|
|
|
|
{
|
|
|
|
|
const char *cursor = ident_response; /* Cursor into *ident_response */
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Ident's response, in the telnet tradition, should end in crlf (\r\n).
|
|
|
|
|
*/
|
|
|
|
|
if (strlen(ident_response) < 2)
|
|
|
|
|
return false;
|
|
|
|
|
else if (ident_response[strlen(ident_response) - 2] != '\r')
|
|
|
|
|
return false;
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
while (*cursor != ':' && *cursor != '\r')
|
|
|
|
|
cursor++; /* skip port field */
|
|
|
|
|
|
|
|
|
|
if (*cursor != ':')
|
|
|
|
|
return false;
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
/* We're positioned to colon before response type field */
|
|
|
|
|
char response_type[80];
|
|
|
|
|
int i; /* Index into *response_type */
|
|
|
|
|
|
|
|
|
|
cursor++; /* Go over colon */
|
|
|
|
|
while (pg_isblank(*cursor))
|
|
|
|
|
cursor++; /* skip blanks */
|
|
|
|
|
i = 0;
|
|
|
|
|
while (*cursor != ':' && *cursor != '\r' && !pg_isblank(*cursor) &&
|
|
|
|
|
i < (int) (sizeof(response_type) - 1))
|
|
|
|
|
response_type[i++] = *cursor++;
|
|
|
|
|
response_type[i] = '\0';
|
|
|
|
|
while (pg_isblank(*cursor))
|
|
|
|
|
cursor++; /* skip blanks */
|
|
|
|
|
if (strcmp(response_type, "USERID") != 0)
|
|
|
|
|
return false;
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
/*
|
|
|
|
|
* It's a USERID response. Good. "cursor" should be pointing
|
|
|
|
|
* to the colon that precedes the operating system type.
|
|
|
|
|
*/
|
|
|
|
|
if (*cursor != ':')
|
|
|
|
|
return false;
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
cursor++; /* Go over colon */
|
|
|
|
|
/* Skip over operating system field. */
|
|
|
|
|
while (*cursor != ':' && *cursor != '\r')
|
|
|
|
|
cursor++;
|
|
|
|
|
if (*cursor != ':')
|
|
|
|
|
return false;
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
int i; /* Index into *ident_user */
|
|
|
|
|
|
|
|
|
|
cursor++; /* Go over colon */
|
|
|
|
|
while (pg_isblank(*cursor))
|
|
|
|
|
cursor++; /* skip blanks */
|
|
|
|
|
/* Rest of line is user name. Copy it over. */
|
|
|
|
|
i = 0;
|
|
|
|
|
while (*cursor != '\r' && i < IDENT_USERNAME_MAX)
|
|
|
|
|
ident_user[i++] = *cursor++;
|
|
|
|
|
ident_user[i] = '\0';
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Talk to the ident server on host "remote_ip_addr" and find out who
|
|
|
|
|
* owns the tcp connection from his port "remote_port" to port
|
2014-05-06 18:12:18 +02:00
|
|
|
* "local_port_addr" on host "local_ip_addr". Return the user name the
|
2008-08-01 11:09:49 +02:00
|
|
|
* ident server gives as "*ident_user".
|
|
|
|
|
*
|
|
|
|
|
* IP addresses and port numbers are in network byte order.
|
|
|
|
|
*
|
|
|
|
|
* But iff we're unable to get the information from ident, return false.
|
2015-02-03 22:54:48 +01:00
|
|
|
*
|
|
|
|
|
* XXX: Using WaitLatchOrSocket() and doing a CHECK_FOR_INTERRUPTS() if the
|
|
|
|
|
* latch was set would improve the responsiveness to timeouts/cancellations.
|
2008-08-01 11:09:49 +02:00
|
|
|
*/
|
2011-03-19 18:44:35 +01:00
|
|
|
static int
|
|
|
|
|
ident_inet(hbaPort *port)
|
2008-08-01 11:09:49 +02:00
|
|
|
{
|
2011-03-19 18:44:35 +01:00
|
|
|
const SockAddr remote_addr = port->raddr;
|
|
|
|
|
const SockAddr local_addr = port->laddr;
|
|
|
|
|
char ident_user[IDENT_USERNAME_MAX + 1];
|
2015-02-12 01:09:54 +01:00
|
|
|
pgsocket sock_fd = PGINVALID_SOCKET; /* for talking to Ident server */
|
2012-05-13 06:30:32 +02:00
|
|
|
int rc; /* Return code from a locally called function */
|
2008-08-01 11:09:49 +02:00
|
|
|
bool ident_return;
|
|
|
|
|
char remote_addr_s[NI_MAXHOST];
|
|
|
|
|
char remote_port[NI_MAXSERV];
|
|
|
|
|
char local_addr_s[NI_MAXHOST];
|
|
|
|
|
char local_port[NI_MAXSERV];
|
|
|
|
|
char ident_port[NI_MAXSERV];
|
|
|
|
|
char ident_query[80];
|
|
|
|
|
char ident_response[80 + IDENT_USERNAME_MAX];
|
|
|
|
|
struct addrinfo *ident_serv = NULL,
|
|
|
|
|
*la = NULL,
|
|
|
|
|
hints;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Might look a little weird to first convert it to text and then back to
|
|
|
|
|
* sockaddr, but it's protocol independent.
|
|
|
|
|
*/
|
|
|
|
|
pg_getnameinfo_all(&remote_addr.addr, remote_addr.salen,
|
|
|
|
|
remote_addr_s, sizeof(remote_addr_s),
|
|
|
|
|
remote_port, sizeof(remote_port),
|
|
|
|
|
NI_NUMERICHOST | NI_NUMERICSERV);
|
|
|
|
|
pg_getnameinfo_all(&local_addr.addr, local_addr.salen,
|
|
|
|
|
local_addr_s, sizeof(local_addr_s),
|
|
|
|
|
local_port, sizeof(local_port),
|
|
|
|
|
NI_NUMERICHOST | NI_NUMERICSERV);
|
|
|
|
|
|
|
|
|
|
snprintf(ident_port, sizeof(ident_port), "%d", IDENT_PORT);
|
|
|
|
|
hints.ai_flags = AI_NUMERICHOST;
|
|
|
|
|
hints.ai_family = remote_addr.addr.ss_family;
|
|
|
|
|
hints.ai_socktype = SOCK_STREAM;
|
|
|
|
|
hints.ai_protocol = 0;
|
|
|
|
|
hints.ai_addrlen = 0;
|
|
|
|
|
hints.ai_canonname = NULL;
|
|
|
|
|
hints.ai_addr = NULL;
|
|
|
|
|
hints.ai_next = NULL;
|
|
|
|
|
rc = pg_getaddrinfo_all(remote_addr_s, ident_port, &hints, &ident_serv);
|
|
|
|
|
if (rc || !ident_serv)
|
|
|
|
|
{
|
2015-02-12 01:09:54 +01:00
|
|
|
/* we don't expect this to happen */
|
|
|
|
|
ident_return = false;
|
|
|
|
|
goto ident_inet_done;
|
2008-08-01 11:09:49 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
hints.ai_flags = AI_NUMERICHOST;
|
|
|
|
|
hints.ai_family = local_addr.addr.ss_family;
|
|
|
|
|
hints.ai_socktype = SOCK_STREAM;
|
|
|
|
|
hints.ai_protocol = 0;
|
|
|
|
|
hints.ai_addrlen = 0;
|
|
|
|
|
hints.ai_canonname = NULL;
|
|
|
|
|
hints.ai_addr = NULL;
|
|
|
|
|
hints.ai_next = NULL;
|
|
|
|
|
rc = pg_getaddrinfo_all(local_addr_s, NULL, &hints, &la);
|
|
|
|
|
if (rc || !la)
|
|
|
|
|
{
|
2015-02-12 01:09:54 +01:00
|
|
|
/* we don't expect this to happen */
|
|
|
|
|
ident_return = false;
|
|
|
|
|
goto ident_inet_done;
|
2008-08-01 11:09:49 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
sock_fd = socket(ident_serv->ai_family, ident_serv->ai_socktype,
|
|
|
|
|
ident_serv->ai_protocol);
|
2014-04-16 16:45:48 +02:00
|
|
|
if (sock_fd == PGINVALID_SOCKET)
|
2008-08-01 11:09:49 +02:00
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
|
|
|
|
(errcode_for_socket_access(),
|
|
|
|
|
errmsg("could not create socket for Ident connection: %m")));
|
|
|
|
|
ident_return = false;
|
|
|
|
|
goto ident_inet_done;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Bind to the address which the client originally contacted, otherwise
|
|
|
|
|
* the ident server won't be able to match up the right connection. This
|
|
|
|
|
* is necessary if the PostgreSQL server is running on an IP alias.
|
|
|
|
|
*/
|
|
|
|
|
rc = bind(sock_fd, la->ai_addr, la->ai_addrlen);
|
|
|
|
|
if (rc != 0)
|
|
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
|
|
|
|
(errcode_for_socket_access(),
|
|
|
|
|
errmsg("could not bind to local address \"%s\": %m",
|
|
|
|
|
local_addr_s)));
|
|
|
|
|
ident_return = false;
|
|
|
|
|
goto ident_inet_done;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
rc = connect(sock_fd, ident_serv->ai_addr,
|
|
|
|
|
ident_serv->ai_addrlen);
|
|
|
|
|
if (rc != 0)
|
|
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
|
|
|
|
(errcode_for_socket_access(),
|
|
|
|
|
errmsg("could not connect to Ident server at address \"%s\", port %s: %m",
|
|
|
|
|
remote_addr_s, ident_port)));
|
|
|
|
|
ident_return = false;
|
|
|
|
|
goto ident_inet_done;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* The query we send to the Ident server */
|
|
|
|
|
snprintf(ident_query, sizeof(ident_query), "%s,%s\r\n",
|
|
|
|
|
remote_port, local_port);
|
|
|
|
|
|
|
|
|
|
/* loop in case send is interrupted */
|
|
|
|
|
do
|
|
|
|
|
{
|
2015-02-03 22:54:48 +01:00
|
|
|
CHECK_FOR_INTERRUPTS();
|
|
|
|
|
|
2008-08-01 11:09:49 +02:00
|
|
|
rc = send(sock_fd, ident_query, strlen(ident_query), 0);
|
|
|
|
|
} while (rc < 0 && errno == EINTR);
|
|
|
|
|
|
|
|
|
|
if (rc < 0)
|
|
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
|
|
|
|
(errcode_for_socket_access(),
|
|
|
|
|
errmsg("could not send query to Ident server at address \"%s\", port %s: %m",
|
|
|
|
|
remote_addr_s, ident_port)));
|
|
|
|
|
ident_return = false;
|
|
|
|
|
goto ident_inet_done;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
do
|
|
|
|
|
{
|
2015-02-03 22:54:48 +01:00
|
|
|
CHECK_FOR_INTERRUPTS();
|
|
|
|
|
|
2008-08-01 11:09:49 +02:00
|
|
|
rc = recv(sock_fd, ident_response, sizeof(ident_response) - 1, 0);
|
|
|
|
|
} while (rc < 0 && errno == EINTR);
|
|
|
|
|
|
|
|
|
|
if (rc < 0)
|
|
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
|
|
|
|
(errcode_for_socket_access(),
|
|
|
|
|
errmsg("could not receive response from Ident server at address \"%s\", port %s: %m",
|
|
|
|
|
remote_addr_s, ident_port)));
|
|
|
|
|
ident_return = false;
|
|
|
|
|
goto ident_inet_done;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ident_response[rc] = '\0';
|
|
|
|
|
ident_return = interpret_ident_response(ident_response, ident_user);
|
|
|
|
|
if (!ident_return)
|
|
|
|
|
ereport(LOG,
|
|
|
|
|
(errmsg("invalidly formatted response from Ident server: \"%s\"",
|
|
|
|
|
ident_response)));
|
|
|
|
|
|
|
|
|
|
ident_inet_done:
|
2014-04-16 16:45:48 +02:00
|
|
|
if (sock_fd != PGINVALID_SOCKET)
|
2008-08-01 11:09:49 +02:00
|
|
|
closesocket(sock_fd);
|
2015-02-12 01:09:54 +01:00
|
|
|
if (ident_serv)
|
|
|
|
|
pg_freeaddrinfo_all(remote_addr.addr.ss_family, ident_serv);
|
|
|
|
|
if (la)
|
|
|
|
|
pg_freeaddrinfo_all(local_addr.addr.ss_family, la);
|
2011-03-19 18:44:35 +01:00
|
|
|
|
|
|
|
|
if (ident_return)
|
|
|
|
|
/* Success! Check the usermap */
|
|
|
|
|
return check_usermap(port->hba->usermap, port->user_name, ident_user, false);
|
|
|
|
|
return STATUS_ERROR;
|
2008-08-01 11:09:49 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
Replace use of credential control messages with getsockopt(LOCAL_PEERCRED).
It turns out the reason we hadn't found out about the portability issues
with our credential-control-message code is that almost no modern platforms
use that code at all; the ones that used to need it now offer getpeereid(),
which we choose first. The last holdout was NetBSD, and they added
getpeereid() as of 5.0. So far as I can tell, the only live platform on
which that code was being exercised was Debian/kFreeBSD, ie, FreeBSD kernel
with Linux userland --- since glibc doesn't provide getpeereid(), we fell
back to the control message code. However, the FreeBSD kernel provides a
LOCAL_PEERCRED socket parameter that's functionally equivalent to Linux's
SO_PEERCRED. That is both much simpler to use than control messages, and
superior because it doesn't require receiving a message from the other end
at just the right time.
Therefore, add code to use LOCAL_PEERCRED when necessary, and rip out all
the credential-control-message code in the backend. (libpq still has such
code so that it can still talk to pre-9.1 servers ... but eventually we can
get rid of it there too.) Clean up related autoconf probes, too.
This means that libpq's requirepeer parameter now works on exactly the same
platforms where the backend supports peer authentication, so adjust the
documentation accordingly.
2011-05-31 22:10:46 +02:00
|
|
|
* Ask kernel about the credentials of the connecting process,
|
|
|
|
|
* determine the symbolic name of the corresponding user, and check
|
|
|
|
|
* if valid per the usermap.
|
2008-08-01 11:09:49 +02:00
|
|
|
*
|
Replace use of credential control messages with getsockopt(LOCAL_PEERCRED).
It turns out the reason we hadn't found out about the portability issues
with our credential-control-message code is that almost no modern platforms
use that code at all; the ones that used to need it now offer getpeereid(),
which we choose first. The last holdout was NetBSD, and they added
getpeereid() as of 5.0. So far as I can tell, the only live platform on
which that code was being exercised was Debian/kFreeBSD, ie, FreeBSD kernel
with Linux userland --- since glibc doesn't provide getpeereid(), we fell
back to the control message code. However, the FreeBSD kernel provides a
LOCAL_PEERCRED socket parameter that's functionally equivalent to Linux's
SO_PEERCRED. That is both much simpler to use than control messages, and
superior because it doesn't require receiving a message from the other end
at just the right time.
Therefore, add code to use LOCAL_PEERCRED when necessary, and rip out all
the credential-control-message code in the backend. (libpq still has such
code so that it can still talk to pre-9.1 servers ... but eventually we can
get rid of it there too.) Clean up related autoconf probes, too.
This means that libpq's requirepeer parameter now works on exactly the same
platforms where the backend supports peer authentication, so adjust the
documentation accordingly.
2011-05-31 22:10:46 +02:00
|
|
|
* Iff authorized, return STATUS_OK, otherwise return STATUS_ERROR.
|
2008-08-01 11:09:49 +02:00
|
|
|
*/
|
|
|
|
|
#ifdef HAVE_UNIX_SOCKETS
|
|
|
|
|
|
2011-03-19 18:44:35 +01:00
|
|
|
static int
|
|
|
|
|
auth_peer(hbaPort *port)
|
2008-08-01 11:09:49 +02:00
|
|
|
{
|
2011-03-19 18:44:35 +01:00
|
|
|
char ident_user[IDENT_USERNAME_MAX + 1];
|
2011-06-02 19:05:01 +02:00
|
|
|
uid_t uid;
|
2008-08-01 11:09:49 +02:00
|
|
|
gid_t gid;
|
2014-03-28 17:50:11 +01:00
|
|
|
struct passwd *pw;
|
2008-08-01 11:09:49 +02:00
|
|
|
|
2011-03-20 18:34:31 +01:00
|
|
|
if (getpeereid(port->sock, &uid, &gid) != 0)
|
2008-08-01 11:09:49 +02:00
|
|
|
{
|
2011-06-02 19:05:01 +02:00
|
|
|
/* Provide special error message if getpeereid is a stub */
|
|
|
|
|
if (errno == ENOSYS)
|
|
|
|
|
ereport(LOG,
|
|
|
|
|
(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
|
2011-06-09 20:32:50 +02:00
|
|
|
errmsg("peer authentication is not supported on this platform")));
|
2011-06-02 19:05:01 +02:00
|
|
|
else
|
|
|
|
|
ereport(LOG,
|
|
|
|
|
(errcode_for_socket_access(),
|
|
|
|
|
errmsg("could not get peer credentials: %m")));
|
2011-03-19 18:44:35 +01:00
|
|
|
return STATUS_ERROR;
|
2008-11-18 14:10:20 +01:00
|
|
|
}
|
|
|
|
|
|
2014-03-28 17:50:11 +01:00
|
|
|
errno = 0; /* clear errno before call */
|
|
|
|
|
pw = getpwuid(uid);
|
|
|
|
|
if (!pw)
|
2008-11-18 14:10:20 +01:00
|
|
|
{
|
2014-03-28 15:30:37 +01:00
|
|
|
ereport(LOG,
|
2014-12-17 19:14:53 +01:00
|
|
|
(errmsg("could not look up local user ID %ld: %s",
|
|
|
|
|
(long) uid,
|
|
|
|
|
errno ? strerror(errno) : _("user does not exist"))));
|
2011-03-19 18:44:35 +01:00
|
|
|
return STATUS_ERROR;
|
2008-11-18 14:10:20 +01:00
|
|
|
}
|
|
|
|
|
|
2014-03-28 17:50:11 +01:00
|
|
|
strlcpy(ident_user, pw->pw_name, IDENT_USERNAME_MAX + 1);
|
2008-08-01 11:09:49 +02:00
|
|
|
|
2008-10-23 15:31:10 +02:00
|
|
|
return check_usermap(port->hba->usermap, port->user_name, ident_user, false);
|
2008-08-01 11:09:49 +02:00
|
|
|
}
|
2011-03-19 18:44:35 +01:00
|
|
|
#endif /* HAVE_UNIX_SOCKETS */
|
2008-08-01 11:09:49 +02:00
|
|
|
|
|
|
|
|
|
|
|
|
|
/*----------------------------------------------------------------
|
|
|
|
|
* PAM authentication system
|
|
|
|
|
*----------------------------------------------------------------
|
|
|
|
|
*/
|
2001-09-06 05:23:38 +02:00
|
|
|
#ifdef USE_PAM
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* PAM conversation function
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
static int
|
2003-04-19 02:02:30 +02:00
|
|
|
pam_passwd_conv_proc(int num_msg, const struct pam_message ** msg,
|
|
|
|
|
struct pam_response ** resp, void *appdata_ptr)
|
2001-09-06 05:23:38 +02:00
|
|
|
{
|
2009-10-17 00:08:36 +02:00
|
|
|
char *passwd;
|
|
|
|
|
struct pam_response *reply;
|
|
|
|
|
int i;
|
2001-09-06 05:23:38 +02:00
|
|
|
|
2009-10-17 00:08:36 +02:00
|
|
|
if (appdata_ptr)
|
|
|
|
|
passwd = (char *) appdata_ptr;
|
|
|
|
|
else
|
2001-10-25 07:50:21 +02:00
|
|
|
{
|
|
|
|
|
/*
|
2005-10-15 04:49:52 +02:00
|
|
|
* Workaround for Solaris 2.6 where the PAM library is broken and does
|
|
|
|
|
* not pass appdata_ptr to the conversation routine
|
2001-09-06 05:23:38 +02:00
|
|
|
*/
|
2009-10-17 00:08:36 +02:00
|
|
|
passwd = pam_passwd;
|
2001-09-06 05:23:38 +02:00
|
|
|
}
|
|
|
|
|
|
2009-10-17 00:08:36 +02:00
|
|
|
*resp = NULL; /* in case of error exit */
|
2002-04-04 06:25:54 +02:00
|
|
|
|
2009-10-17 00:08:36 +02:00
|
|
|
if (num_msg <= 0 || num_msg > PAM_MAX_NUM_MSG)
|
|
|
|
|
return PAM_CONV_ERR;
|
2001-09-06 05:23:38 +02:00
|
|
|
|
2001-10-25 07:50:21 +02:00
|
|
|
/*
|
|
|
|
|
* Explicitly not using palloc here - PAM will free this memory in
|
2001-09-06 05:23:38 +02:00
|
|
|
* pam_end()
|
|
|
|
|
*/
|
2009-10-17 00:08:36 +02:00
|
|
|
if ((reply = calloc(num_msg, sizeof(struct pam_response))) == NULL)
|
2001-10-25 07:50:21 +02:00
|
|
|
{
|
2003-07-22 21:00:12 +02:00
|
|
|
ereport(LOG,
|
|
|
|
|
(errcode(ERRCODE_OUT_OF_MEMORY),
|
|
|
|
|
errmsg("out of memory")));
|
2001-10-25 07:50:21 +02:00
|
|
|
return PAM_CONV_ERR;
|
2001-09-06 05:23:38 +02:00
|
|
|
}
|
|
|
|
|
|
2009-10-17 00:08:36 +02:00
|
|
|
for (i = 0; i < num_msg; i++)
|
|
|
|
|
{
|
|
|
|
|
switch (msg[i]->msg_style)
|
|
|
|
|
{
|
|
|
|
|
case PAM_PROMPT_ECHO_OFF:
|
|
|
|
|
if (strlen(passwd) == 0)
|
|
|
|
|
{
|
|
|
|
|
/*
|
|
|
|
|
* Password wasn't passed to PAM the first time around -
|
|
|
|
|
* let's go ask the client to send a password, which we
|
|
|
|
|
* then stuff into PAM.
|
|
|
|
|
*/
|
|
|
|
|
sendAuthRequest(pam_port_cludge, AUTH_REQ_PASSWORD);
|
|
|
|
|
passwd = recv_password_packet(pam_port_cludge);
|
|
|
|
|
if (passwd == NULL)
|
|
|
|
|
{
|
|
|
|
|
/*
|
|
|
|
|
* Client didn't want to send password. We
|
|
|
|
|
* intentionally do not log anything about this.
|
|
|
|
|
*/
|
|
|
|
|
goto fail;
|
|
|
|
|
}
|
|
|
|
|
if (strlen(passwd) == 0)
|
|
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
2010-02-26 03:01:40 +01:00
|
|
|
(errmsg("empty password returned by client")));
|
2009-10-17 00:08:36 +02:00
|
|
|
goto fail;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if ((reply[i].resp = strdup(passwd)) == NULL)
|
|
|
|
|
goto fail;
|
|
|
|
|
reply[i].resp_retcode = PAM_SUCCESS;
|
|
|
|
|
break;
|
|
|
|
|
case PAM_ERROR_MSG:
|
|
|
|
|
ereport(LOG,
|
|
|
|
|
(errmsg("error from underlying PAM layer: %s",
|
|
|
|
|
msg[i]->msg)));
|
|
|
|
|
/* FALL THROUGH */
|
|
|
|
|
case PAM_TEXT_INFO:
|
|
|
|
|
/* we don't bother to log TEXT_INFO messages */
|
|
|
|
|
if ((reply[i].resp = strdup("")) == NULL)
|
|
|
|
|
goto fail;
|
|
|
|
|
reply[i].resp_retcode = PAM_SUCCESS;
|
|
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
elog(LOG, "unsupported PAM conversation %d/\"%s\"",
|
|
|
|
|
msg[i]->msg_style,
|
|
|
|
|
msg[i]->msg ? msg[i]->msg : "(none)");
|
|
|
|
|
goto fail;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
*resp = reply;
|
|
|
|
|
return PAM_SUCCESS;
|
|
|
|
|
|
|
|
|
|
fail:
|
|
|
|
|
/* free up whatever we allocated */
|
|
|
|
|
for (i = 0; i < num_msg; i++)
|
|
|
|
|
{
|
|
|
|
|
if (reply[i].resp != NULL)
|
|
|
|
|
free(reply[i].resp);
|
|
|
|
|
}
|
|
|
|
|
free(reply);
|
2001-09-06 05:23:38 +02:00
|
|
|
|
2009-10-17 00:08:36 +02:00
|
|
|
return PAM_CONV_ERR;
|
2001-09-06 05:23:38 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Check authentication against PAM.
|
|
|
|
|
*/
|
|
|
|
|
static int
|
|
|
|
|
CheckPAMAuth(Port *port, char *user, char *password)
|
|
|
|
|
{
|
2001-10-25 07:50:21 +02:00
|
|
|
int retval;
|
2001-09-06 05:23:38 +02:00
|
|
|
pam_handle_t *pamh = NULL;
|
2016-04-08 16:45:16 +02:00
|
|
|
char hostinfo[NI_MAXHOST];
|
|
|
|
|
|
|
|
|
|
retval = pg_getnameinfo_all(&port->raddr.addr, port->raddr.salen,
|
|
|
|
|
hostinfo, sizeof(hostinfo), NULL, 0,
|
|
|
|
|
port->hba->pam_use_hostname ? 0 : NI_NUMERICHOST | NI_NUMERICSERV);
|
|
|
|
|
if (retval != 0)
|
|
|
|
|
{
|
|
|
|
|
ereport(WARNING,
|
|
|
|
|
(errmsg_internal("pg_getnameinfo_all() failed: %s",
|
|
|
|
|
gai_strerror(retval))));
|
|
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
2001-09-06 05:23:38 +02:00
|
|
|
|
|
|
|
|
/*
|
2009-10-17 00:08:36 +02:00
|
|
|
* We can't entirely rely on PAM to pass through appdata --- it appears
|
|
|
|
|
* not to work on at least Solaris 2.6. So use these ugly static
|
|
|
|
|
* variables instead.
|
2001-09-06 05:23:38 +02:00
|
|
|
*/
|
|
|
|
|
pam_passwd = password;
|
2009-10-17 00:08:36 +02:00
|
|
|
pam_port_cludge = port;
|
2001-09-06 05:23:38 +02:00
|
|
|
|
2001-10-25 07:50:21 +02:00
|
|
|
/*
|
2013-08-16 15:25:52 +02:00
|
|
|
* Set the application data portion of the conversation struct. This is
|
2001-10-25 07:50:21 +02:00
|
|
|
* later used inside the PAM conversation to pass the password to the
|
|
|
|
|
* authentication module.
|
2001-09-06 05:23:38 +02:00
|
|
|
*/
|
2001-10-25 07:50:21 +02:00
|
|
|
pam_passw_conv.appdata_ptr = (char *) password; /* from password above,
|
|
|
|
|
* not allocated */
|
2001-09-06 05:23:38 +02:00
|
|
|
|
|
|
|
|
/* Optionally, one can set the service name in pg_hba.conf */
|
2008-10-23 15:31:10 +02:00
|
|
|
if (port->hba->pamservice && port->hba->pamservice[0] != '\0')
|
|
|
|
|
retval = pam_start(port->hba->pamservice, "pgsql@",
|
2003-04-18 00:26:02 +02:00
|
|
|
&pam_passw_conv, &pamh);
|
2001-10-25 07:50:21 +02:00
|
|
|
else
|
2003-04-18 00:26:02 +02:00
|
|
|
retval = pam_start(PGSQL_PAM_SERVICE, "pgsql@",
|
|
|
|
|
&pam_passw_conv, &pamh);
|
2001-09-06 05:23:38 +02:00
|
|
|
|
2001-10-25 07:50:21 +02:00
|
|
|
if (retval != PAM_SUCCESS)
|
|
|
|
|
{
|
2003-07-22 21:00:12 +02:00
|
|
|
ereport(LOG,
|
2003-09-25 08:58:07 +02:00
|
|
|
(errmsg("could not create PAM authenticator: %s",
|
2003-07-22 21:00:12 +02:00
|
|
|
pam_strerror(pamh, retval))));
|
2001-10-25 07:50:21 +02:00
|
|
|
pam_passwd = NULL; /* Unset pam_passwd */
|
2001-09-06 05:23:38 +02:00
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
|
2002-02-25 21:07:02 +01:00
|
|
|
retval = pam_set_item(pamh, PAM_USER, user);
|
|
|
|
|
|
|
|
|
|
if (retval != PAM_SUCCESS)
|
2001-10-25 07:50:21 +02:00
|
|
|
{
|
2003-07-22 21:00:12 +02:00
|
|
|
ereport(LOG,
|
|
|
|
|
(errmsg("pam_set_item(PAM_USER) failed: %s",
|
|
|
|
|
pam_strerror(pamh, retval))));
|
2001-10-25 07:50:21 +02:00
|
|
|
pam_passwd = NULL; /* Unset pam_passwd */
|
2001-09-06 05:23:38 +02:00
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
2002-02-25 21:07:02 +01:00
|
|
|
|
2016-04-08 16:45:16 +02:00
|
|
|
retval = pam_set_item(pamh, PAM_RHOST, hostinfo);
|
|
|
|
|
|
|
|
|
|
if (retval != PAM_SUCCESS)
|
|
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
|
|
|
|
(errmsg("pam_set_item(PAM_RHOST) failed: %s",
|
|
|
|
|
pam_strerror(pamh, retval))));
|
|
|
|
|
pam_passwd = NULL;
|
|
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
|
2002-02-25 21:07:02 +01:00
|
|
|
retval = pam_set_item(pamh, PAM_CONV, &pam_passw_conv);
|
|
|
|
|
|
|
|
|
|
if (retval != PAM_SUCCESS)
|
2001-10-25 07:50:21 +02:00
|
|
|
{
|
2003-07-22 21:00:12 +02:00
|
|
|
ereport(LOG,
|
|
|
|
|
(errmsg("pam_set_item(PAM_CONV) failed: %s",
|
|
|
|
|
pam_strerror(pamh, retval))));
|
2001-10-25 07:50:21 +02:00
|
|
|
pam_passwd = NULL; /* Unset pam_passwd */
|
2001-09-06 05:23:38 +02:00
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
2002-02-25 21:07:02 +01:00
|
|
|
|
|
|
|
|
retval = pam_authenticate(pamh, 0);
|
|
|
|
|
|
|
|
|
|
if (retval != PAM_SUCCESS)
|
2001-10-25 07:50:21 +02:00
|
|
|
{
|
2003-07-22 21:00:12 +02:00
|
|
|
ereport(LOG,
|
|
|
|
|
(errmsg("pam_authenticate failed: %s",
|
|
|
|
|
pam_strerror(pamh, retval))));
|
2001-10-25 07:50:21 +02:00
|
|
|
pam_passwd = NULL; /* Unset pam_passwd */
|
2001-09-06 05:23:38 +02:00
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
2002-02-25 21:07:02 +01:00
|
|
|
|
|
|
|
|
retval = pam_acct_mgmt(pamh, 0);
|
|
|
|
|
|
|
|
|
|
if (retval != PAM_SUCCESS)
|
2001-10-25 07:50:21 +02:00
|
|
|
{
|
2003-07-22 21:00:12 +02:00
|
|
|
ereport(LOG,
|
|
|
|
|
(errmsg("pam_acct_mgmt failed: %s",
|
|
|
|
|
pam_strerror(pamh, retval))));
|
2001-10-25 07:50:21 +02:00
|
|
|
pam_passwd = NULL; /* Unset pam_passwd */
|
2001-09-06 05:23:38 +02:00
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
|
2002-02-25 21:07:02 +01:00
|
|
|
retval = pam_end(pamh, retval);
|
2001-09-06 05:23:38 +02:00
|
|
|
|
2002-02-25 21:07:02 +01:00
|
|
|
if (retval != PAM_SUCCESS)
|
|
|
|
|
{
|
2003-07-22 21:00:12 +02:00
|
|
|
ereport(LOG,
|
2003-09-25 08:58:07 +02:00
|
|
|
(errmsg("could not release PAM authenticator: %s",
|
2003-07-22 21:00:12 +02:00
|
|
|
pam_strerror(pamh, retval))));
|
2001-09-06 05:23:38 +02:00
|
|
|
}
|
2002-02-25 21:07:02 +01:00
|
|
|
|
2002-09-04 22:31:48 +02:00
|
|
|
pam_passwd = NULL; /* Unset pam_passwd */
|
2002-02-25 21:07:02 +01:00
|
|
|
|
|
|
|
|
return (retval == PAM_SUCCESS ? STATUS_OK : STATUS_ERROR);
|
2001-09-06 05:23:38 +02:00
|
|
|
}
|
2001-11-05 18:46:40 +01:00
|
|
|
#endif /* USE_PAM */
|
1998-01-26 02:42:53 +01:00
|
|
|
|
2001-10-19 00:44:37 +02:00
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
|
|
|
|
|
/*----------------------------------------------------------------
|
|
|
|
|
* LDAP authentication system
|
|
|
|
|
*----------------------------------------------------------------
|
|
|
|
|
*/
|
2006-03-06 18:41:44 +01:00
|
|
|
#ifdef USE_LDAP
|
2006-03-16 19:11:17 +01:00
|
|
|
|
2009-12-12 22:35:21 +01:00
|
|
|
/*
|
|
|
|
|
* Initialize a connection to the LDAP server, including setting up
|
|
|
|
|
* TLS if requested.
|
|
|
|
|
*/
|
2006-03-06 18:41:44 +01:00
|
|
|
static int
|
2009-12-12 22:35:21 +01:00
|
|
|
InitializeLDAPConnection(Port *port, LDAP **ldap)
|
2006-03-06 18:41:44 +01:00
|
|
|
{
|
2006-10-04 02:30:14 +02:00
|
|
|
int ldapversion = LDAP_VERSION3;
|
2009-12-12 22:35:21 +01:00
|
|
|
int r;
|
2009-06-25 13:30:08 +02:00
|
|
|
|
2009-12-12 22:35:21 +01:00
|
|
|
*ldap = ldap_init(port->hba->ldapserver, port->hba->ldapport);
|
|
|
|
|
if (!*ldap)
|
2006-10-04 02:30:14 +02:00
|
|
|
{
|
2006-03-06 18:41:44 +01:00
|
|
|
#ifndef WIN32
|
2006-10-04 02:30:14 +02:00
|
|
|
ereport(LOG,
|
2012-09-28 02:22:50 +02:00
|
|
|
(errmsg("could not initialize LDAP: %m")));
|
2006-03-06 18:41:44 +01:00
|
|
|
#else
|
2006-10-04 02:30:14 +02:00
|
|
|
ereport(LOG,
|
|
|
|
|
(errmsg("could not initialize LDAP: error code %d",
|
|
|
|
|
(int) LdapGetLastError())));
|
2006-03-06 18:41:44 +01:00
|
|
|
#endif
|
2006-10-04 02:30:14 +02:00
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
|
2009-12-12 22:35:21 +01:00
|
|
|
if ((r = ldap_set_option(*ldap, LDAP_OPT_PROTOCOL_VERSION, &ldapversion)) != LDAP_SUCCESS)
|
2006-10-04 02:30:14 +02:00
|
|
|
{
|
2009-12-12 22:35:21 +01:00
|
|
|
ldap_unbind(*ldap);
|
2006-10-04 02:30:14 +02:00
|
|
|
ereport(LOG,
|
2013-05-29 22:58:43 +02:00
|
|
|
(errmsg("could not set LDAP protocol version: %s", ldap_err2string(r))));
|
2006-10-04 02:30:14 +02:00
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
|
2008-10-23 15:31:10 +02:00
|
|
|
if (port->hba->ldaptls)
|
2006-10-04 02:30:14 +02:00
|
|
|
{
|
2006-03-06 18:41:44 +01:00
|
|
|
#ifndef WIN32
|
2009-12-12 22:35:21 +01:00
|
|
|
if ((r = ldap_start_tls_s(*ldap, NULL, NULL)) != LDAP_SUCCESS)
|
2006-03-06 18:41:44 +01:00
|
|
|
#else
|
2006-08-22 04:23:45 +02:00
|
|
|
static __ldap_start_tls_sA _ldap_start_tls_sA = NULL;
|
|
|
|
|
|
2006-08-21 21:21:38 +02:00
|
|
|
if (_ldap_start_tls_sA == NULL)
|
|
|
|
|
{
|
|
|
|
|
/*
|
|
|
|
|
* Need to load this function dynamically because it does not
|
|
|
|
|
* exist on Windows 2000, and causes a load error for the whole
|
|
|
|
|
* exe if referenced.
|
|
|
|
|
*/
|
2006-10-04 02:30:14 +02:00
|
|
|
HANDLE ldaphandle;
|
|
|
|
|
|
2006-08-21 21:21:38 +02:00
|
|
|
ldaphandle = LoadLibrary("WLDAP32.DLL");
|
|
|
|
|
if (ldaphandle == NULL)
|
|
|
|
|
{
|
2006-10-04 02:30:14 +02:00
|
|
|
/*
|
|
|
|
|
* should never happen since we import other files from
|
|
|
|
|
* wldap32, but check anyway
|
|
|
|
|
*/
|
2009-12-12 22:35:21 +01:00
|
|
|
ldap_unbind(*ldap);
|
2006-08-21 21:21:38 +02:00
|
|
|
ereport(LOG,
|
|
|
|
|
(errmsg("could not load wldap32.dll")));
|
|
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
2006-10-04 02:30:14 +02:00
|
|
|
_ldap_start_tls_sA = (__ldap_start_tls_sA) GetProcAddress(ldaphandle, "ldap_start_tls_sA");
|
2006-08-21 21:21:38 +02:00
|
|
|
if (_ldap_start_tls_sA == NULL)
|
|
|
|
|
{
|
2009-12-12 22:35:21 +01:00
|
|
|
ldap_unbind(*ldap);
|
2006-08-21 21:21:38 +02:00
|
|
|
ereport(LOG,
|
2006-10-06 19:14:01 +02:00
|
|
|
(errmsg("could not load function _ldap_start_tls_sA in wldap32.dll"),
|
|
|
|
|
errdetail("LDAP over SSL is not supported on this platform.")));
|
2006-08-21 21:21:38 +02:00
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
2007-11-15 22:14:46 +01:00
|
|
|
* Leak LDAP handle on purpose, because we need the library to
|
|
|
|
|
* stay open. This is ok because it will only ever be leaked once
|
|
|
|
|
* per process and is automatically cleaned up on process exit.
|
2006-08-21 21:21:38 +02:00
|
|
|
*/
|
|
|
|
|
}
|
2009-12-12 22:35:21 +01:00
|
|
|
if ((r = _ldap_start_tls_sA(*ldap, NULL, NULL, NULL, NULL)) != LDAP_SUCCESS)
|
2006-03-06 18:41:44 +01:00
|
|
|
#endif
|
2006-10-04 02:30:14 +02:00
|
|
|
{
|
2009-12-12 22:35:21 +01:00
|
|
|
ldap_unbind(*ldap);
|
2006-10-04 02:30:14 +02:00
|
|
|
ereport(LOG,
|
2013-05-29 22:58:43 +02:00
|
|
|
(errmsg("could not start LDAP TLS session: %s", ldap_err2string(r))));
|
2006-10-04 02:30:14 +02:00
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2009-12-12 22:35:21 +01:00
|
|
|
return STATUS_OK;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Perform LDAP authentication
|
|
|
|
|
*/
|
|
|
|
|
static int
|
|
|
|
|
CheckLDAPAuth(Port *port)
|
|
|
|
|
{
|
|
|
|
|
char *passwd;
|
|
|
|
|
LDAP *ldap;
|
|
|
|
|
int r;
|
|
|
|
|
char *fulluser;
|
|
|
|
|
|
|
|
|
|
if (!port->hba->ldapserver || port->hba->ldapserver[0] == '\0')
|
|
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
|
|
|
|
(errmsg("LDAP server not specified")));
|
|
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (port->hba->ldapport == 0)
|
|
|
|
|
port->hba->ldapport = LDAP_PORT;
|
|
|
|
|
|
|
|
|
|
sendAuthRequest(port, AUTH_REQ_PASSWORD);
|
|
|
|
|
|
|
|
|
|
passwd = recv_password_packet(port);
|
|
|
|
|
if (passwd == NULL)
|
|
|
|
|
return STATUS_EOF; /* client wouldn't send password */
|
|
|
|
|
|
|
|
|
|
if (strlen(passwd) == 0)
|
|
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
|
|
|
|
(errmsg("empty password returned by client")));
|
|
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (InitializeLDAPConnection(port, &ldap) == STATUS_ERROR)
|
|
|
|
|
/* Error message already sent */
|
|
|
|
|
return STATUS_ERROR;
|
|
|
|
|
|
|
|
|
|
if (port->hba->ldapbasedn)
|
|
|
|
|
{
|
|
|
|
|
/*
|
2010-02-26 03:01:40 +01:00
|
|
|
* First perform an LDAP search to find the DN for the user we are
|
|
|
|
|
* trying to log in as.
|
2009-12-12 22:35:21 +01:00
|
|
|
*/
|
2010-02-26 03:01:40 +01:00
|
|
|
char *filter;
|
|
|
|
|
LDAPMessage *search_message;
|
|
|
|
|
LDAPMessage *entry;
|
|
|
|
|
char *attributes[2];
|
|
|
|
|
char *dn;
|
|
|
|
|
char *c;
|
2012-10-03 05:25:05 +02:00
|
|
|
int count;
|
2009-12-12 22:35:21 +01:00
|
|
|
|
|
|
|
|
/*
|
2010-02-26 03:01:40 +01:00
|
|
|
* Disallow any characters that we would otherwise need to escape,
|
|
|
|
|
* since they aren't really reasonable in a username anyway. Allowing
|
|
|
|
|
* them would make it possible to inject any kind of custom filters in
|
|
|
|
|
* the LDAP filter.
|
2009-12-12 22:35:21 +01:00
|
|
|
*/
|
|
|
|
|
for (c = port->user_name; *c; c++)
|
|
|
|
|
{
|
|
|
|
|
if (*c == '*' ||
|
|
|
|
|
*c == '(' ||
|
|
|
|
|
*c == ')' ||
|
|
|
|
|
*c == '\\' ||
|
|
|
|
|
*c == '/')
|
|
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
2010-03-21 01:17:59 +01:00
|
|
|
(errmsg("invalid character in user name for LDAP authentication")));
|
2009-12-12 22:35:21 +01:00
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
2010-02-26 03:01:40 +01:00
|
|
|
* Bind with a pre-defined username/password (if available) for
|
|
|
|
|
* searching. If none is specified, this turns into an anonymous bind.
|
2009-12-12 22:35:21 +01:00
|
|
|
*/
|
|
|
|
|
r = ldap_simple_bind_s(ldap,
|
2010-02-26 03:01:40 +01:00
|
|
|
port->hba->ldapbinddn ? port->hba->ldapbinddn : "",
|
|
|
|
|
port->hba->ldapbindpasswd ? port->hba->ldapbindpasswd : "");
|
2009-12-12 22:35:21 +01:00
|
|
|
if (r != LDAP_SUCCESS)
|
|
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
2012-09-28 02:22:50 +02:00
|
|
|
(errmsg("could not perform initial LDAP bind for ldapbinddn \"%s\" on server \"%s\": %s",
|
2013-05-29 22:58:43 +02:00
|
|
|
port->hba->ldapbinddn, port->hba->ldapserver, ldap_err2string(r))));
|
2009-12-12 22:35:21 +01:00
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Fetch just one attribute, else *all* attributes are returned */
|
|
|
|
|
attributes[0] = port->hba->ldapsearchattribute ? port->hba->ldapsearchattribute : "uid";
|
|
|
|
|
attributes[1] = NULL;
|
|
|
|
|
|
2013-10-13 06:09:18 +02:00
|
|
|
filter = psprintf("(%s=%s)",
|
2014-05-06 18:12:18 +02:00
|
|
|
attributes[0],
|
|
|
|
|
port->user_name);
|
2009-12-12 22:35:21 +01:00
|
|
|
|
|
|
|
|
r = ldap_search_s(ldap,
|
|
|
|
|
port->hba->ldapbasedn,
|
2012-12-04 05:29:56 +01:00
|
|
|
port->hba->ldapscope,
|
2009-12-12 22:35:21 +01:00
|
|
|
filter,
|
|
|
|
|
attributes,
|
|
|
|
|
0,
|
|
|
|
|
&search_message);
|
|
|
|
|
|
|
|
|
|
if (r != LDAP_SUCCESS)
|
|
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
2012-09-28 02:22:50 +02:00
|
|
|
(errmsg("could not search LDAP for filter \"%s\" on server \"%s\": %s",
|
2013-05-29 22:58:43 +02:00
|
|
|
filter, port->hba->ldapserver, ldap_err2string(r))));
|
2009-12-12 22:35:21 +01:00
|
|
|
pfree(filter);
|
|
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
|
2012-10-03 05:25:05 +02:00
|
|
|
count = ldap_count_entries(ldap, search_message);
|
|
|
|
|
if (count != 1)
|
2009-12-12 22:35:21 +01:00
|
|
|
{
|
2012-10-03 05:25:05 +02:00
|
|
|
if (count == 0)
|
2009-12-12 22:35:21 +01:00
|
|
|
ereport(LOG,
|
2013-05-29 22:58:43 +02:00
|
|
|
(errmsg("LDAP user \"%s\" does not exist", port->user_name),
|
|
|
|
|
errdetail("LDAP search for filter \"%s\" on server \"%s\" returned no entries.",
|
|
|
|
|
filter, port->hba->ldapserver)));
|
2009-12-12 22:35:21 +01:00
|
|
|
else
|
|
|
|
|
ereport(LOG,
|
2013-05-29 22:58:43 +02:00
|
|
|
(errmsg("LDAP user \"%s\" is not unique", port->user_name),
|
|
|
|
|
errdetail_plural("LDAP search for filter \"%s\" on server \"%s\" returned %d entry.",
|
|
|
|
|
"LDAP search for filter \"%s\" on server \"%s\" returned %d entries.",
|
|
|
|
|
count,
|
|
|
|
|
filter, port->hba->ldapserver, count)));
|
2009-12-12 22:35:21 +01:00
|
|
|
|
|
|
|
|
pfree(filter);
|
|
|
|
|
ldap_msgfree(search_message);
|
|
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
entry = ldap_first_entry(ldap, search_message);
|
|
|
|
|
dn = ldap_get_dn(ldap, entry);
|
|
|
|
|
if (dn == NULL)
|
|
|
|
|
{
|
2010-02-26 03:01:40 +01:00
|
|
|
int error;
|
|
|
|
|
|
|
|
|
|
(void) ldap_get_option(ldap, LDAP_OPT_ERROR_NUMBER, &error);
|
2009-12-12 22:35:21 +01:00
|
|
|
ereport(LOG,
|
|
|
|
|
(errmsg("could not get dn for the first entry matching \"%s\" on server \"%s\": %s",
|
2010-02-26 03:01:40 +01:00
|
|
|
filter, port->hba->ldapserver, ldap_err2string(error))));
|
2009-12-12 22:35:21 +01:00
|
|
|
pfree(filter);
|
|
|
|
|
ldap_msgfree(search_message);
|
|
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
fulluser = pstrdup(dn);
|
|
|
|
|
|
|
|
|
|
pfree(filter);
|
|
|
|
|
ldap_memfree(dn);
|
|
|
|
|
ldap_msgfree(search_message);
|
|
|
|
|
|
|
|
|
|
/* Unbind and disconnect from the LDAP server */
|
|
|
|
|
r = ldap_unbind_s(ldap);
|
|
|
|
|
if (r != LDAP_SUCCESS)
|
|
|
|
|
{
|
2010-02-26 03:01:40 +01:00
|
|
|
int error;
|
|
|
|
|
|
|
|
|
|
(void) ldap_get_option(ldap, LDAP_OPT_ERROR_NUMBER, &error);
|
2009-12-12 22:35:21 +01:00
|
|
|
ereport(LOG,
|
|
|
|
|
(errmsg("could not unbind after searching for user \"%s\" on server \"%s\": %s",
|
2010-02-26 03:01:40 +01:00
|
|
|
fulluser, port->hba->ldapserver, ldap_err2string(error))));
|
2009-12-12 22:35:21 +01:00
|
|
|
pfree(fulluser);
|
|
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
2010-02-26 03:01:40 +01:00
|
|
|
* Need to re-initialize the LDAP connection, so that we can bind to
|
|
|
|
|
* it with a different username.
|
2009-12-12 22:35:21 +01:00
|
|
|
*/
|
|
|
|
|
if (InitializeLDAPConnection(port, &ldap) == STATUS_ERROR)
|
|
|
|
|
{
|
|
|
|
|
pfree(fulluser);
|
|
|
|
|
|
|
|
|
|
/* Error message already sent */
|
|
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
else
|
2013-10-13 06:09:18 +02:00
|
|
|
fulluser = psprintf("%s%s%s",
|
2014-05-06 18:12:18 +02:00
|
|
|
port->hba->ldapprefix ? port->hba->ldapprefix : "",
|
|
|
|
|
port->user_name,
|
|
|
|
|
port->hba->ldapsuffix ? port->hba->ldapsuffix : "");
|
2006-03-06 18:41:44 +01:00
|
|
|
|
2006-10-04 02:30:14 +02:00
|
|
|
r = ldap_simple_bind_s(ldap, fulluser, passwd);
|
|
|
|
|
ldap_unbind(ldap);
|
2006-03-06 18:41:44 +01:00
|
|
|
|
2006-10-04 02:30:14 +02:00
|
|
|
if (r != LDAP_SUCCESS)
|
|
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
2013-05-29 22:58:43 +02:00
|
|
|
(errmsg("LDAP login failed for user \"%s\" on server \"%s\": %s",
|
|
|
|
|
fulluser, port->hba->ldapserver, ldap_err2string(r))));
|
2009-12-12 22:35:21 +01:00
|
|
|
pfree(fulluser);
|
2006-10-04 02:30:14 +02:00
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
2006-03-16 19:11:17 +01:00
|
|
|
|
2009-12-12 22:35:21 +01:00
|
|
|
pfree(fulluser);
|
|
|
|
|
|
2006-10-04 02:30:14 +02:00
|
|
|
return STATUS_OK;
|
|
|
|
|
}
|
2006-03-06 18:41:44 +01:00
|
|
|
#endif /* USE_LDAP */
|
|
|
|
|
|
2008-11-20 12:48:26 +01:00
|
|
|
|
|
|
|
|
/*----------------------------------------------------------------
|
|
|
|
|
* SSL client certificate authentication
|
|
|
|
|
*----------------------------------------------------------------
|
|
|
|
|
*/
|
|
|
|
|
#ifdef USE_SSL
|
|
|
|
|
static int
|
|
|
|
|
CheckCertAuth(Port *port)
|
|
|
|
|
{
|
|
|
|
|
Assert(port->ssl);
|
|
|
|
|
|
|
|
|
|
/* Make sure we have received a username in the certificate */
|
|
|
|
|
if (port->peer_cn == NULL ||
|
|
|
|
|
strlen(port->peer_cn) <= 0)
|
|
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
2010-06-29 06:12:47 +02:00
|
|
|
(errmsg("certificate authentication failed for user \"%s\": client certificate contains no user name",
|
2008-11-20 12:48:26 +01:00
|
|
|
port->user_name)));
|
|
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Just pass the certificate CN to the usermap check */
|
|
|
|
|
return check_usermap(port->hba->usermap, port->user_name, port->peer_cn, false);
|
|
|
|
|
}
|
|
|
|
|
#endif
|
2010-01-27 13:12:00 +01:00
|
|
|
|
|
|
|
|
|
|
|
|
|
/*----------------------------------------------------------------
|
|
|
|
|
* RADIUS authentication
|
|
|
|
|
*----------------------------------------------------------------
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* RADIUS authentication is described in RFC2865 (and several
|
|
|
|
|
* others).
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#define RADIUS_VECTOR_LENGTH 16
|
|
|
|
|
#define RADIUS_HEADER_LENGTH 20
|
2015-09-06 14:26:33 +02:00
|
|
|
#define RADIUS_MAX_PASSWORD_LENGTH 128
|
2010-01-27 13:12:00 +01:00
|
|
|
|
|
|
|
|
typedef struct
|
|
|
|
|
{
|
2010-02-26 03:01:40 +01:00
|
|
|
uint8 attribute;
|
|
|
|
|
uint8 length;
|
2015-02-21 22:12:14 +01:00
|
|
|
uint8 data[FLEXIBLE_ARRAY_MEMBER];
|
2010-01-27 13:12:00 +01:00
|
|
|
} radius_attribute;
|
|
|
|
|
|
|
|
|
|
typedef struct
|
|
|
|
|
{
|
2010-02-26 03:01:40 +01:00
|
|
|
uint8 code;
|
|
|
|
|
uint8 id;
|
|
|
|
|
uint16 length;
|
|
|
|
|
uint8 vector[RADIUS_VECTOR_LENGTH];
|
2010-01-27 13:12:00 +01:00
|
|
|
} radius_packet;
|
|
|
|
|
|
|
|
|
|
/* RADIUS packet types */
|
|
|
|
|
#define RADIUS_ACCESS_REQUEST 1
|
|
|
|
|
#define RADIUS_ACCESS_ACCEPT 2
|
|
|
|
|
#define RADIUS_ACCESS_REJECT 3
|
|
|
|
|
|
|
|
|
|
/* RAIDUS attributes */
|
|
|
|
|
#define RADIUS_USER_NAME 1
|
|
|
|
|
#define RADIUS_PASSWORD 2
|
|
|
|
|
#define RADIUS_SERVICE_TYPE 6
|
|
|
|
|
#define RADIUS_NAS_IDENTIFIER 32
|
|
|
|
|
|
|
|
|
|
/* RADIUS service types */
|
|
|
|
|
#define RADIUS_AUTHENTICATE_ONLY 8
|
|
|
|
|
|
|
|
|
|
/* Maximum size of a RADIUS packet we will create or accept */
|
|
|
|
|
#define RADIUS_BUFFER_SIZE 1024
|
|
|
|
|
|
|
|
|
|
/* Seconds to wait - XXX: should be in a config variable! */
|
|
|
|
|
#define RADIUS_TIMEOUT 3
|
|
|
|
|
|
|
|
|
|
static void
|
|
|
|
|
radius_add_attribute(radius_packet *packet, uint8 type, const unsigned char *data, int len)
|
|
|
|
|
{
|
2010-02-26 03:01:40 +01:00
|
|
|
radius_attribute *attr;
|
2010-01-27 13:12:00 +01:00
|
|
|
|
|
|
|
|
if (packet->length + len > RADIUS_BUFFER_SIZE)
|
|
|
|
|
{
|
|
|
|
|
/*
|
2010-02-26 03:01:40 +01:00
|
|
|
* With remotely realistic data, this can never happen. But catch it
|
|
|
|
|
* just to make sure we don't overrun a buffer. We'll just skip adding
|
|
|
|
|
* the broken attribute, which will in the end cause authentication to
|
|
|
|
|
* fail.
|
2010-01-27 13:12:00 +01:00
|
|
|
*/
|
|
|
|
|
elog(WARNING,
|
2011-07-26 21:54:29 +02:00
|
|
|
"Adding attribute code %d with length %d to radius packet would create oversize packet, ignoring",
|
2010-01-27 13:12:00 +01:00
|
|
|
type, len);
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
2010-02-26 03:01:40 +01:00
|
|
|
attr = (radius_attribute *) ((unsigned char *) packet + packet->length);
|
2010-01-27 13:12:00 +01:00
|
|
|
attr->attribute = type;
|
2010-02-26 03:01:40 +01:00
|
|
|
attr->length = len + 2; /* total size includes type and length */
|
2010-01-27 13:12:00 +01:00
|
|
|
memcpy(attr->data, data, len);
|
|
|
|
|
packet->length += attr->length;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int
|
|
|
|
|
CheckRADIUSAuth(Port *port)
|
|
|
|
|
{
|
2010-02-26 03:01:40 +01:00
|
|
|
char *passwd;
|
|
|
|
|
char *identifier = "postgresql";
|
|
|
|
|
char radius_buffer[RADIUS_BUFFER_SIZE];
|
|
|
|
|
char receive_buffer[RADIUS_BUFFER_SIZE];
|
|
|
|
|
radius_packet *packet = (radius_packet *) radius_buffer;
|
|
|
|
|
radius_packet *receivepacket = (radius_packet *) receive_buffer;
|
|
|
|
|
int32 service = htonl(RADIUS_AUTHENTICATE_ONLY);
|
|
|
|
|
uint8 *cryptvector;
|
2015-09-06 14:26:33 +02:00
|
|
|
int encryptedpasswordlen;
|
|
|
|
|
uint8 encryptedpassword[RADIUS_MAX_PASSWORD_LENGTH];
|
|
|
|
|
uint8 *md5trailer;
|
2010-02-26 03:01:40 +01:00
|
|
|
int packetlength;
|
|
|
|
|
pgsocket sock;
|
|
|
|
|
|
2010-02-02 20:09:37 +01:00
|
|
|
#ifdef HAVE_IPV6
|
|
|
|
|
struct sockaddr_in6 localaddr;
|
|
|
|
|
struct sockaddr_in6 remoteaddr;
|
|
|
|
|
#else
|
2010-02-26 03:01:40 +01:00
|
|
|
struct sockaddr_in localaddr;
|
|
|
|
|
struct sockaddr_in remoteaddr;
|
2010-02-02 20:09:37 +01:00
|
|
|
#endif
|
2010-02-26 03:01:40 +01:00
|
|
|
struct addrinfo hint;
|
|
|
|
|
struct addrinfo *serveraddrs;
|
|
|
|
|
char portstr[128];
|
|
|
|
|
ACCEPT_TYPE_ARG3 addrsize;
|
|
|
|
|
fd_set fdset;
|
2010-10-15 16:59:10 +02:00
|
|
|
struct timeval endtime;
|
2010-02-26 03:01:40 +01:00
|
|
|
int i,
|
2015-09-06 14:26:33 +02:00
|
|
|
j,
|
2010-02-26 03:01:40 +01:00
|
|
|
r;
|
2010-01-27 13:12:00 +01:00
|
|
|
|
|
|
|
|
/* Make sure struct alignment is correct */
|
|
|
|
|
Assert(offsetof(radius_packet, vector) == 4);
|
|
|
|
|
|
|
|
|
|
/* Verify parameters */
|
|
|
|
|
if (!port->hba->radiusserver || port->hba->radiusserver[0] == '\0')
|
|
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
|
|
|
|
(errmsg("RADIUS server not specified")));
|
|
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (!port->hba->radiussecret || port->hba->radiussecret[0] == '\0')
|
|
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
|
|
|
|
(errmsg("RADIUS secret not specified")));
|
|
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (port->hba->radiusport == 0)
|
|
|
|
|
port->hba->radiusport = 1812;
|
|
|
|
|
|
2010-02-02 20:09:37 +01:00
|
|
|
MemSet(&hint, 0, sizeof(hint));
|
|
|
|
|
hint.ai_socktype = SOCK_DGRAM;
|
|
|
|
|
hint.ai_family = AF_UNSPEC;
|
|
|
|
|
snprintf(portstr, sizeof(portstr), "%d", port->hba->radiusport);
|
|
|
|
|
|
|
|
|
|
r = pg_getaddrinfo_all(port->hba->radiusserver, portstr, &hint, &serveraddrs);
|
|
|
|
|
if (r || !serveraddrs)
|
2010-01-27 13:12:00 +01:00
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
2010-02-02 20:09:37 +01:00
|
|
|
(errmsg("could not translate RADIUS server name \"%s\" to address: %s",
|
|
|
|
|
port->hba->radiusserver, gai_strerror(r))));
|
|
|
|
|
if (serveraddrs)
|
|
|
|
|
pg_freeaddrinfo_all(hint.ai_family, serveraddrs);
|
2010-01-27 13:12:00 +01:00
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
2010-02-02 20:09:37 +01:00
|
|
|
/* XXX: add support for multiple returned addresses? */
|
2010-01-27 13:12:00 +01:00
|
|
|
|
|
|
|
|
if (port->hba->radiusidentifier && port->hba->radiusidentifier[0])
|
|
|
|
|
identifier = port->hba->radiusidentifier;
|
|
|
|
|
|
|
|
|
|
/* Send regular password request to client, and get the response */
|
|
|
|
|
sendAuthRequest(port, AUTH_REQ_PASSWORD);
|
|
|
|
|
|
|
|
|
|
passwd = recv_password_packet(port);
|
|
|
|
|
if (passwd == NULL)
|
|
|
|
|
return STATUS_EOF; /* client wouldn't send password */
|
|
|
|
|
|
|
|
|
|
if (strlen(passwd) == 0)
|
|
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
|
|
|
|
(errmsg("empty password returned by client")));
|
|
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
|
2015-09-06 14:26:33 +02:00
|
|
|
if (strlen(passwd) > RADIUS_MAX_PASSWORD_LENGTH)
|
2010-01-27 13:12:00 +01:00
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
2015-09-06 14:26:33 +02:00
|
|
|
(errmsg("RADIUS authentication does not support passwords longer than %d characters", RADIUS_MAX_PASSWORD_LENGTH)));
|
2010-01-27 13:12:00 +01:00
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
|
2015-09-06 14:26:33 +02:00
|
|
|
|
2010-01-27 13:12:00 +01:00
|
|
|
/* Construct RADIUS packet */
|
|
|
|
|
packet->code = RADIUS_ACCESS_REQUEST;
|
|
|
|
|
packet->length = RADIUS_HEADER_LENGTH;
|
Break out OpenSSL-specific code to separate files.
This refactoring is in preparation for adding support for other SSL
implementations, with no user-visible effects. There are now two #defines,
USE_OPENSSL which is defined when building with OpenSSL, and USE_SSL which
is defined when building with any SSL implementation. Currently, OpenSSL is
the only implementation so the two #defines go together, but USE_SSL is
supposed to be used for implementation-independent code.
The libpq SSL code is changed to use a custom BIO, which does all the raw
I/O, like we've been doing in the backend for a long time. That makes it
possible to use MSG_NOSIGNAL to block SIGPIPE when using SSL, which avoids
a couple of syscall for each send(). Probably doesn't make much performance
difference in practice - the SSL encryption is expensive enough to mask the
effect - but it was a natural result of this refactoring.
Based on a patch by Martijn van Oosterhout from 2006. Briefly reviewed by
Alvaro Herrera, Andreas Karlsson, Jeff Janes.
2014-08-11 10:54:19 +02:00
|
|
|
#ifdef USE_OPENSSL
|
2010-01-27 13:12:00 +01:00
|
|
|
if (RAND_bytes(packet->vector, RADIUS_VECTOR_LENGTH) != 1)
|
|
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
|
|
|
|
(errmsg("could not generate random encryption vector")));
|
|
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
#else
|
|
|
|
|
for (i = 0; i < RADIUS_VECTOR_LENGTH; i++)
|
|
|
|
|
/* Use a lower strengh random number of OpenSSL is not available */
|
|
|
|
|
packet->vector[i] = random() % 255;
|
|
|
|
|
#endif
|
|
|
|
|
packet->id = packet->vector[0];
|
|
|
|
|
radius_add_attribute(packet, RADIUS_SERVICE_TYPE, (unsigned char *) &service, sizeof(service));
|
|
|
|
|
radius_add_attribute(packet, RADIUS_USER_NAME, (unsigned char *) port->user_name, strlen(port->user_name));
|
|
|
|
|
radius_add_attribute(packet, RADIUS_NAS_IDENTIFIER, (unsigned char *) identifier, strlen(identifier));
|
|
|
|
|
|
|
|
|
|
/*
|
2015-09-06 14:26:33 +02:00
|
|
|
* RADIUS password attributes are calculated as:
|
|
|
|
|
* e[0] = p[0] XOR MD5(secret + Request Authenticator)
|
|
|
|
|
* for the first group of 16 octets, and then:
|
|
|
|
|
* e[i] = p[i] XOR MD5(secret + e[i-1])
|
|
|
|
|
* for the following ones (if necessary)
|
2010-01-27 13:12:00 +01:00
|
|
|
*/
|
2015-09-06 14:26:33 +02:00
|
|
|
encryptedpasswordlen = ((strlen(passwd) + RADIUS_VECTOR_LENGTH - 1) / RADIUS_VECTOR_LENGTH) * RADIUS_VECTOR_LENGTH;
|
|
|
|
|
cryptvector = palloc(strlen(port->hba->radiussecret) + RADIUS_VECTOR_LENGTH);
|
2010-01-27 13:12:00 +01:00
|
|
|
memcpy(cryptvector, port->hba->radiussecret, strlen(port->hba->radiussecret));
|
2015-09-06 14:26:33 +02:00
|
|
|
|
|
|
|
|
/* for the first iteration, we use the Request Authenticator vector */
|
|
|
|
|
md5trailer = packet->vector;
|
|
|
|
|
for (i = 0; i < encryptedpasswordlen; i += RADIUS_VECTOR_LENGTH)
|
2010-01-27 13:12:00 +01:00
|
|
|
{
|
2015-09-06 14:26:33 +02:00
|
|
|
memcpy(cryptvector + strlen(port->hba->radiussecret), md5trailer, RADIUS_VECTOR_LENGTH);
|
|
|
|
|
/* .. and for subsequent iterations the result of the previous XOR (calculated below) */
|
|
|
|
|
md5trailer = encryptedpassword + i;
|
|
|
|
|
|
|
|
|
|
if (!pg_md5_binary(cryptvector, strlen(port->hba->radiussecret) + RADIUS_VECTOR_LENGTH, encryptedpassword + i))
|
|
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
|
|
|
|
(errmsg("could not perform MD5 encryption of password")));
|
|
|
|
|
pfree(cryptvector);
|
|
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
for (j = i; j < i+RADIUS_VECTOR_LENGTH; j++)
|
|
|
|
|
{
|
|
|
|
|
if (j < strlen(passwd))
|
|
|
|
|
encryptedpassword[j] = passwd[j] ^ encryptedpassword[j];
|
|
|
|
|
else
|
|
|
|
|
encryptedpassword[j] = '\0' ^ encryptedpassword[j];
|
|
|
|
|
}
|
2010-01-27 13:12:00 +01:00
|
|
|
}
|
|
|
|
|
pfree(cryptvector);
|
2015-09-06 14:26:33 +02:00
|
|
|
|
|
|
|
|
radius_add_attribute(packet, RADIUS_PASSWORD, encryptedpassword, encryptedpasswordlen);
|
2010-01-27 13:12:00 +01:00
|
|
|
|
|
|
|
|
/* Length need to be in network order on the wire */
|
|
|
|
|
packetlength = packet->length;
|
|
|
|
|
packet->length = htons(packet->length);
|
|
|
|
|
|
2010-02-02 20:09:37 +01:00
|
|
|
sock = socket(serveraddrs[0].ai_family, SOCK_DGRAM, 0);
|
2014-04-16 16:45:48 +02:00
|
|
|
if (sock == PGINVALID_SOCKET)
|
2010-01-27 13:12:00 +01:00
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
|
|
|
|
(errmsg("could not create RADIUS socket: %m")));
|
2010-02-02 20:09:37 +01:00
|
|
|
pg_freeaddrinfo_all(hint.ai_family, serveraddrs);
|
2010-01-27 13:12:00 +01:00
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
memset(&localaddr, 0, sizeof(localaddr));
|
2010-02-02 20:09:37 +01:00
|
|
|
#ifdef HAVE_IPV6
|
|
|
|
|
localaddr.sin6_family = serveraddrs[0].ai_family;
|
|
|
|
|
localaddr.sin6_addr = in6addr_any;
|
|
|
|
|
if (localaddr.sin6_family == AF_INET6)
|
|
|
|
|
addrsize = sizeof(struct sockaddr_in6);
|
|
|
|
|
else
|
|
|
|
|
addrsize = sizeof(struct sockaddr_in);
|
|
|
|
|
#else
|
|
|
|
|
localaddr.sin_family = serveraddrs[0].ai_family;
|
2010-01-27 13:12:00 +01:00
|
|
|
localaddr.sin_addr.s_addr = INADDR_ANY;
|
2010-02-02 20:09:37 +01:00
|
|
|
addrsize = sizeof(struct sockaddr_in);
|
|
|
|
|
#endif
|
2010-02-26 03:01:40 +01:00
|
|
|
if (bind(sock, (struct sockaddr *) & localaddr, addrsize))
|
2010-01-27 13:12:00 +01:00
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
|
|
|
|
(errmsg("could not bind local RADIUS socket: %m")));
|
|
|
|
|
closesocket(sock);
|
2010-02-02 20:09:37 +01:00
|
|
|
pg_freeaddrinfo_all(hint.ai_family, serveraddrs);
|
2010-01-27 13:12:00 +01:00
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (sendto(sock, radius_buffer, packetlength, 0,
|
2010-02-02 20:09:37 +01:00
|
|
|
serveraddrs[0].ai_addr, serveraddrs[0].ai_addrlen) < 0)
|
2010-01-27 13:12:00 +01:00
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
|
|
|
|
(errmsg("could not send RADIUS packet: %m")));
|
|
|
|
|
closesocket(sock);
|
2010-02-02 20:09:37 +01:00
|
|
|
pg_freeaddrinfo_all(hint.ai_family, serveraddrs);
|
2010-01-27 13:12:00 +01:00
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
|
2010-02-02 20:09:37 +01:00
|
|
|
/* Don't need the server address anymore */
|
|
|
|
|
pg_freeaddrinfo_all(hint.ai_family, serveraddrs);
|
|
|
|
|
|
2010-10-15 16:59:10 +02:00
|
|
|
/*
|
2011-04-10 17:42:00 +02:00
|
|
|
* Figure out at what time we should time out. We can't just use a single
|
|
|
|
|
* call to select() with a timeout, since somebody can be sending invalid
|
|
|
|
|
* packets to our port thus causing us to retry in a loop and never time
|
|
|
|
|
* out.
|
2015-02-03 22:54:48 +01:00
|
|
|
*
|
|
|
|
|
* XXX: Using WaitLatchOrSocket() and doing a CHECK_FOR_INTERRUPTS() if
|
|
|
|
|
* the latch was set would improve the responsiveness to
|
|
|
|
|
* timeouts/cancellations.
|
2010-10-15 16:59:10 +02:00
|
|
|
*/
|
|
|
|
|
gettimeofday(&endtime, NULL);
|
|
|
|
|
endtime.tv_sec += RADIUS_TIMEOUT;
|
2010-02-26 03:01:40 +01:00
|
|
|
|
2010-01-27 13:12:00 +01:00
|
|
|
while (true)
|
|
|
|
|
{
|
2010-10-15 16:59:10 +02:00
|
|
|
struct timeval timeout;
|
|
|
|
|
struct timeval now;
|
2011-04-10 17:42:00 +02:00
|
|
|
int64 timeoutval;
|
2010-10-15 16:59:10 +02:00
|
|
|
|
|
|
|
|
gettimeofday(&now, NULL);
|
|
|
|
|
timeoutval = (endtime.tv_sec * 1000000 + endtime.tv_usec) - (now.tv_sec * 1000000 + now.tv_usec);
|
|
|
|
|
if (timeoutval <= 0)
|
|
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
|
|
|
|
(errmsg("timeout waiting for RADIUS response")));
|
|
|
|
|
closesocket(sock);
|
|
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
timeout.tv_sec = timeoutval / 1000000;
|
|
|
|
|
timeout.tv_usec = timeoutval % 1000000;
|
|
|
|
|
|
|
|
|
|
FD_ZERO(&fdset);
|
|
|
|
|
FD_SET(sock, &fdset);
|
|
|
|
|
|
2010-01-27 13:12:00 +01:00
|
|
|
r = select(sock + 1, &fdset, NULL, NULL, &timeout);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
{
|
|
|
|
|
if (errno == EINTR)
|
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
/* Anything else is an actual error */
|
|
|
|
|
ereport(LOG,
|
|
|
|
|
(errmsg("could not check status on RADIUS socket: %m")));
|
|
|
|
|
closesocket(sock);
|
|
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
if (r == 0)
|
|
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
|
|
|
|
(errmsg("timeout waiting for RADIUS response")));
|
|
|
|
|
closesocket(sock);
|
|
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
|
2010-10-15 16:59:10 +02:00
|
|
|
/*
|
|
|
|
|
* Attempt to read the response packet, and verify the contents.
|
|
|
|
|
*
|
2011-04-10 17:42:00 +02:00
|
|
|
* Any packet that's not actually a RADIUS packet, or otherwise does
|
|
|
|
|
* not validate as an explicit reject, is just ignored and we retry
|
|
|
|
|
* for another packet (until we reach the timeout). This is to avoid
|
|
|
|
|
* the possibility to denial-of-service the login by flooding the
|
|
|
|
|
* server with invalid packets on the port that we're expecting the
|
|
|
|
|
* RADIUS response on.
|
2010-10-15 16:59:10 +02:00
|
|
|
*/
|
2010-01-27 13:12:00 +01:00
|
|
|
|
2010-10-15 16:59:10 +02:00
|
|
|
addrsize = sizeof(remoteaddr);
|
|
|
|
|
packetlength = recvfrom(sock, receive_buffer, RADIUS_BUFFER_SIZE, 0,
|
|
|
|
|
(struct sockaddr *) & remoteaddr, &addrsize);
|
|
|
|
|
if (packetlength < 0)
|
|
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
|
|
|
|
(errmsg("could not read RADIUS response: %m")));
|
|
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
2010-01-27 13:12:00 +01:00
|
|
|
|
2010-02-02 20:09:37 +01:00
|
|
|
#ifdef HAVE_IPV6
|
2010-10-15 16:59:10 +02:00
|
|
|
if (remoteaddr.sin6_port != htons(port->hba->radiusport))
|
2010-02-02 20:09:37 +01:00
|
|
|
#else
|
2010-10-15 16:59:10 +02:00
|
|
|
if (remoteaddr.sin_port != htons(port->hba->radiusport))
|
2010-02-02 20:09:37 +01:00
|
|
|
#endif
|
2010-10-15 16:59:10 +02:00
|
|
|
{
|
2010-02-02 20:09:37 +01:00
|
|
|
#ifdef HAVE_IPV6
|
2010-10-15 16:59:10 +02:00
|
|
|
ereport(LOG,
|
2011-07-26 21:54:29 +02:00
|
|
|
(errmsg("RADIUS response was sent from incorrect port: %d",
|
2011-04-10 17:42:00 +02:00
|
|
|
ntohs(remoteaddr.sin6_port))));
|
2010-02-02 20:09:37 +01:00
|
|
|
#else
|
2010-10-15 16:59:10 +02:00
|
|
|
ereport(LOG,
|
2011-07-26 21:54:29 +02:00
|
|
|
(errmsg("RADIUS response was sent from incorrect port: %d",
|
2011-04-10 17:42:00 +02:00
|
|
|
ntohs(remoteaddr.sin_port))));
|
2010-02-02 20:09:37 +01:00
|
|
|
#endif
|
2010-10-15 16:59:10 +02:00
|
|
|
continue;
|
|
|
|
|
}
|
2010-01-27 13:12:00 +01:00
|
|
|
|
2010-10-15 16:59:10 +02:00
|
|
|
if (packetlength < RADIUS_HEADER_LENGTH)
|
|
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
2011-07-26 21:54:29 +02:00
|
|
|
(errmsg("RADIUS response too short: %d", packetlength)));
|
2010-10-15 16:59:10 +02:00
|
|
|
continue;
|
|
|
|
|
}
|
2010-01-27 13:12:00 +01:00
|
|
|
|
2010-10-15 16:59:10 +02:00
|
|
|
if (packetlength != ntohs(receivepacket->length))
|
|
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
2011-07-26 21:54:29 +02:00
|
|
|
(errmsg("RADIUS response has corrupt length: %d (actual length %d)",
|
2010-10-15 16:59:10 +02:00
|
|
|
ntohs(receivepacket->length), packetlength)));
|
|
|
|
|
continue;
|
|
|
|
|
}
|
2010-01-27 13:12:00 +01:00
|
|
|
|
2010-10-15 16:59:10 +02:00
|
|
|
if (packet->id != receivepacket->id)
|
|
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
2011-07-26 21:54:29 +02:00
|
|
|
(errmsg("RADIUS response is to a different request: %d (should be %d)",
|
2010-10-15 16:59:10 +02:00
|
|
|
receivepacket->id, packet->id)));
|
|
|
|
|
continue;
|
|
|
|
|
}
|
2010-01-27 13:12:00 +01:00
|
|
|
|
2010-10-15 16:59:10 +02:00
|
|
|
/*
|
|
|
|
|
* Verify the response authenticator, which is calculated as
|
|
|
|
|
* MD5(Code+ID+Length+RequestAuthenticator+Attributes+Secret)
|
|
|
|
|
*/
|
|
|
|
|
cryptvector = palloc(packetlength + strlen(port->hba->radiussecret));
|
|
|
|
|
|
2011-04-10 17:42:00 +02:00
|
|
|
memcpy(cryptvector, receivepacket, 4); /* code+id+length */
|
|
|
|
|
memcpy(cryptvector + 4, packet->vector, RADIUS_VECTOR_LENGTH); /* request
|
|
|
|
|
* authenticator, from
|
|
|
|
|
* original packet */
|
|
|
|
|
if (packetlength > RADIUS_HEADER_LENGTH) /* there may be no
|
|
|
|
|
* attributes at all */
|
2010-10-15 16:59:10 +02:00
|
|
|
memcpy(cryptvector + RADIUS_HEADER_LENGTH, receive_buffer + RADIUS_HEADER_LENGTH, packetlength - RADIUS_HEADER_LENGTH);
|
|
|
|
|
memcpy(cryptvector + packetlength, port->hba->radiussecret, strlen(port->hba->radiussecret));
|
|
|
|
|
|
|
|
|
|
if (!pg_md5_binary(cryptvector,
|
|
|
|
|
packetlength + strlen(port->hba->radiussecret),
|
|
|
|
|
encryptedpassword))
|
|
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
2011-04-10 17:42:00 +02:00
|
|
|
(errmsg("could not perform MD5 encryption of received packet")));
|
2010-10-15 16:59:10 +02:00
|
|
|
pfree(cryptvector);
|
|
|
|
|
continue;
|
|
|
|
|
}
|
2010-01-27 13:12:00 +01:00
|
|
|
pfree(cryptvector);
|
|
|
|
|
|
2010-10-15 16:59:10 +02:00
|
|
|
if (memcmp(receivepacket->vector, encryptedpassword, RADIUS_VECTOR_LENGTH) != 0)
|
|
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
|
|
|
|
(errmsg("RADIUS response has incorrect MD5 signature")));
|
|
|
|
|
continue;
|
|
|
|
|
}
|
2010-01-27 13:12:00 +01:00
|
|
|
|
2010-10-15 16:59:10 +02:00
|
|
|
if (receivepacket->code == RADIUS_ACCESS_ACCEPT)
|
|
|
|
|
{
|
|
|
|
|
closesocket(sock);
|
|
|
|
|
return STATUS_OK;
|
|
|
|
|
}
|
|
|
|
|
else if (receivepacket->code == RADIUS_ACCESS_REJECT)
|
|
|
|
|
{
|
|
|
|
|
closesocket(sock);
|
|
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
2011-07-26 21:54:29 +02:00
|
|
|
(errmsg("RADIUS response has invalid code (%d) for user \"%s\"",
|
2011-04-10 17:42:00 +02:00
|
|
|
receivepacket->code, port->user_name)));
|
2010-10-15 16:59:10 +02:00
|
|
|
continue;
|
|
|
|
|
}
|
2011-04-10 17:42:00 +02:00
|
|
|
} /* while (true) */
|
2010-01-27 13:12:00 +01:00
|
|
|
}
|
