1996-07-09 08:22:35 +02:00
|
|
|
/*-------------------------------------------------------------------------
|
|
|
|
|
*
|
1999-02-14 00:22:53 +01:00
|
|
|
* auth.c
|
1997-09-07 07:04:48 +02:00
|
|
|
* Routines to handle network authentication
|
1996-07-09 08:22:35 +02:00
|
|
|
*
|
2019-01-02 18:44:25 +01:00
|
|
|
* Portions Copyright (c) 1996-2019, PostgreSQL Global Development Group
|
2000-01-26 06:58:53 +01:00
|
|
|
* Portions Copyright (c) 1994, Regents of the University of California
|
1996-07-09 08:22:35 +02:00
|
|
|
*
|
|
|
|
|
*
|
|
|
|
|
* IDENTIFICATION
|
2010-09-20 22:08:53 +02:00
|
|
|
* src/backend/libpq/auth.c
|
1996-07-09 08:22:35 +02:00
|
|
|
*
|
|
|
|
|
*-------------------------------------------------------------------------
|
|
|
|
|
*/
|
2001-06-20 20:07:56 +02:00
|
|
|
|
|
|
|
|
#include "postgres.h"
|
1996-07-09 08:22:35 +02:00
|
|
|
|
2001-08-21 17:21:25 +02:00
|
|
|
#include <sys/param.h>
|
2001-09-07 21:52:54 +02:00
|
|
|
#include <sys/socket.h>
|
1996-07-09 08:22:35 +02:00
|
|
|
#include <netinet/in.h>
|
2007-07-10 15:14:22 +02:00
|
|
|
#include <unistd.h>
|
2016-09-27 06:05:21 +02:00
|
|
|
#ifdef HAVE_SYS_SELECT_H
|
|
|
|
|
#include <sys/select.h>
|
|
|
|
|
#endif
|
2002-05-05 02:03:29 +02:00
|
|
|
|
Allow SCRAM authentication, when pg_hba.conf says 'md5'.
If a user has a SCRAM verifier in pg_authid.rolpassword, there's no reason
we cannot attempt to perform SCRAM authentication instead of MD5. The worst
that can happen is that the client doesn't support SCRAM, and the
authentication will fail. But previously, it would fail for sure, because
we would not even try. SCRAM is strictly more secure than MD5, so there's
no harm in trying it. This allows for a more graceful transition from MD5
passwords to SCRAM, as user passwords can be changed to SCRAM verifiers
incrementally, without changing pg_hba.conf.
Refactor the code in auth.c to support that better. Notably, we now have to
look up the user's pg_authid entry before sending the password challenge,
also when performing MD5 authentication. Also simplify the concept of a
"doomed" authentication. Previously, if a user had a password, but it had
expired, we still performed SCRAM authentication (but always returned error
at the end) using the salt and iteration count from the expired password.
Now we construct a fake salt, like we do when the user doesn't have a
password or doesn't exist at all. That simplifies get_role_password(), and
we can don't need to distinguish the "user has expired password", and
"user does not exist" cases in auth.c.
On second thoughts, also rename uaSASL to uaSCRAM. It refers to the
mechanism specified in pg_hba.conf, and while we use SASL for SCRAM
authentication at the protocol level, the mechanism should be called SCRAM,
not SASL. As a comparison, we have uaLDAP, even though it looks like the
plain 'password' authentication at the protocol level.
Discussion: https://www.postgresql.org/message-id/6425.1489506016@sss.pgh.pa.us
Reviewed-by: Michael Paquier
2017-03-24 12:32:21 +01:00
|
|
|
#include "commands/user.h"
|
2016-09-02 12:49:59 +02:00
|
|
|
#include "common/ip.h"
|
|
|
|
|
#include "common/md5.h"
|
2017-12-18 22:59:10 +01:00
|
|
|
#include "common/scram-common.h"
|
1999-07-16 01:04:24 +02:00
|
|
|
#include "libpq/auth.h"
|
1999-07-16 07:00:38 +02:00
|
|
|
#include "libpq/crypt.h"
|
|
|
|
|
#include "libpq/libpq.h"
|
2001-06-20 20:07:56 +02:00
|
|
|
#include "libpq/pqformat.h"
|
Support SCRAM-SHA-256 authentication (RFC 5802 and 7677).
This introduces a new generic SASL authentication method, similar to the
GSS and SSPI methods. The server first tells the client which SASL
authentication mechanism to use, and then the mechanism-specific SASL
messages are exchanged in AuthenticationSASLcontinue and PasswordMessage
messages. Only SCRAM-SHA-256 is supported at the moment, but this allows
adding more SASL mechanisms in the future, without changing the overall
protocol.
Support for channel binding, aka SCRAM-SHA-256-PLUS is left for later.
The SASLPrep algorithm, for pre-processing the password, is not yet
implemented. That could cause trouble, if you use a password with
non-ASCII characters, and a client library that does implement SASLprep.
That will hopefully be added later.
Authorization identities, as specified in the SCRAM-SHA-256 specification,
are ignored. SET SESSION AUTHORIZATION provides more or less the same
functionality, anyway.
If a user doesn't exist, perform a "mock" authentication, by constructing
an authentic-looking challenge on the fly. The challenge is derived from
a new system-wide random value, "mock authentication nonce", which is
created at initdb, and stored in the control file. We go through these
motions, in order to not give away the information on whether the user
exists, to unauthenticated users.
Bumps PG_CONTROL_VERSION, because of the new field in control file.
Patch by Michael Paquier and Heikki Linnakangas, reviewed at different
stages by Robert Haas, Stephen Frost, David Steele, Aleksander Alekseev,
and many others.
Discussion: https://www.postgresql.org/message-id/CAB7nPqRbR3GmFYdedCAhzukfKrgBLTLtMvENOmPrVWREsZkF8g%40mail.gmail.com
Discussion: https://www.postgresql.org/message-id/CAB7nPqSMXU35g%3DW9X74HVeQp0uvgJxvYOuA4A-A3M%2B0wfEBv-w%40mail.gmail.com
Discussion: https://www.postgresql.org/message-id/55192AFE.6080106@iki.fi
2017-03-07 13:25:40 +01:00
|
|
|
#include "libpq/scram.h"
|
2009-08-29 21:26:52 +02:00
|
|
|
#include "miscadmin.h"
|
2017-10-02 00:36:14 +02:00
|
|
|
#include "port/pg_bswap.h"
|
2010-04-21 05:32:53 +02:00
|
|
|
#include "replication/walsender.h"
|
2002-05-05 02:03:29 +02:00
|
|
|
#include "storage/ipc.h"
|
GSSAPI encryption support
On both the frontend and backend, prepare for GSSAPI encryption
support by moving common code for error handling into a separate file.
Fix a TODO for handling multiple status messages in the process.
Eliminate the OIDs, which have not been needed for some time.
Add frontend and backend encryption support functions. Keep the
context initiation for authentication-only separate on both the
frontend and backend in order to avoid concerns about changing the
requested flags to include encryption support.
In postmaster, pull GSSAPI authorization checking into a shared
function. Also share the initiator name between the encryption and
non-encryption codepaths.
For HBA, add "hostgssenc" and "hostnogssenc" entries that behave
similarly to their SSL counterparts. "hostgssenc" requires either
"gss", "trust", or "reject" for its authentication.
Similarly, add a "gssencmode" parameter to libpq. Supported values are
"disable", "require", and "prefer". Notably, negotiation will only be
attempted if credentials can be acquired. Move credential acquisition
into its own function to support this behavior.
Add a simple pg_stat_gssapi view similar to pg_stat_ssl, for monitoring
if GSSAPI authentication was used, what principal was used, and if
encryption is being used on the connection.
Finally, add documentation for everything new, and update existing
documentation on connection security.
Thanks to Michael Paquier for the Windows fixes.
Author: Robbie Harwood, with changes to the read/write functions by me.
Reviewed in various forms and at different times by: Michael Paquier,
Andres Freund, David Steele.
Discussion: https://www.postgresql.org/message-id/flat/jlg1tgq1ktm.fsf@thriss.redhat.com
2019-04-03 21:02:33 +02:00
|
|
|
#include "utils/memutils.h"
|
Support SCRAM-SHA-256 authentication (RFC 5802 and 7677).
This introduces a new generic SASL authentication method, similar to the
GSS and SSPI methods. The server first tells the client which SASL
authentication mechanism to use, and then the mechanism-specific SASL
messages are exchanged in AuthenticationSASLcontinue and PasswordMessage
messages. Only SCRAM-SHA-256 is supported at the moment, but this allows
adding more SASL mechanisms in the future, without changing the overall
protocol.
Support for channel binding, aka SCRAM-SHA-256-PLUS is left for later.
The SASLPrep algorithm, for pre-processing the password, is not yet
implemented. That could cause trouble, if you use a password with
non-ASCII characters, and a client library that does implement SASLprep.
That will hopefully be added later.
Authorization identities, as specified in the SCRAM-SHA-256 specification,
are ignored. SET SESSION AUTHORIZATION provides more or less the same
functionality, anyway.
If a user doesn't exist, perform a "mock" authentication, by constructing
an authentic-looking challenge on the fly. The challenge is derived from
a new system-wide random value, "mock authentication nonce", which is
created at initdb, and stored in the control file. We go through these
motions, in order to not give away the information on whether the user
exists, to unauthenticated users.
Bumps PG_CONTROL_VERSION, because of the new field in control file.
Patch by Michael Paquier and Heikki Linnakangas, reviewed at different
stages by Robert Haas, Stephen Frost, David Steele, Aleksander Alekseev,
and many others.
Discussion: https://www.postgresql.org/message-id/CAB7nPqRbR3GmFYdedCAhzukfKrgBLTLtMvENOmPrVWREsZkF8g%40mail.gmail.com
Discussion: https://www.postgresql.org/message-id/CAB7nPqSMXU35g%3DW9X74HVeQp0uvgJxvYOuA4A-A3M%2B0wfEBv-w%40mail.gmail.com
Discussion: https://www.postgresql.org/message-id/55192AFE.6080106@iki.fi
2017-03-07 13:25:40 +01:00
|
|
|
#include "utils/timestamp.h"
|
2002-05-05 02:03:29 +02:00
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
/*----------------------------------------------------------------
|
2009-06-11 16:49:15 +02:00
|
|
|
* Global authentication functions
|
2008-08-01 13:41:12 +02:00
|
|
|
*----------------------------------------------------------------
|
|
|
|
|
*/
|
2017-10-31 15:34:31 +01:00
|
|
|
static void sendAuthRequest(Port *port, AuthRequest areq, const char *extradata,
|
2019-05-22 19:04:48 +02:00
|
|
|
int extralen);
|
2014-01-28 03:04:09 +01:00
|
|
|
static void auth_failed(Port *port, int status, char *logdetail);
|
2003-04-19 02:02:30 +02:00
|
|
|
static char *recv_password_packet(Port *port);
|
1996-07-09 08:22:35 +02:00
|
|
|
|
2000-08-25 12:00:35 +02:00
|
|
|
|
Replace PostmasterRandom() with a stronger source, second attempt.
This adds a new routine, pg_strong_random() for generating random bytes,
for use in both frontend and backend. At the moment, it's only used in
the backend, but the upcoming SCRAM authentication patches need strong
random numbers in libpq as well.
pg_strong_random() is based on, and replaces, the existing implementation
in pgcrypto. It can acquire strong random numbers from a number of sources,
depending on what's available:
- OpenSSL RAND_bytes(), if built with OpenSSL
- On Windows, the native cryptographic functions are used
- /dev/urandom
Unlike the current pgcrypto function, the source is chosen by configure.
That makes it easier to test different implementations, and ensures that
we don't accidentally fall back to a less secure implementation, if the
primary source fails. All of those methods are quite reliable, it would be
pretty surprising for them to fail, so we'd rather find out by failing
hard.
If no strong random source is available, we fall back to using erand48(),
seeded from current timestamp, like PostmasterRandom() was. That isn't
cryptographically secure, but allows us to still work on platforms that
don't have any of the above stronger sources. Because it's not very secure,
the built-in implementation is only used if explicitly requested with
--disable-strong-random.
This replaces the more complicated Fortuna algorithm we used to have in
pgcrypto, which is unfortunate, but all modern platforms have /dev/urandom,
so it doesn't seem worth the maintenance effort to keep that. pgcrypto
functions that require strong random numbers will be disabled with
--disable-strong-random.
Original patch by Magnus Hagander, tons of further work by Michael Paquier
and me.
Discussion: https://www.postgresql.org/message-id/CAB7nPqRy3krN8quR9XujMVVHYtXJ0_60nqgVc6oUk8ygyVkZsA@mail.gmail.com
Discussion: https://www.postgresql.org/message-id/CAB7nPqRWkNYRRPJA7-cF+LfroYV10pvjdz6GNvxk-Eee9FypKA@mail.gmail.com
2016-12-05 12:42:59 +01:00
|
|
|
/*----------------------------------------------------------------
|
2017-04-18 13:50:50 +02:00
|
|
|
* Password-based authentication methods (password, md5, and scram-sha-256)
|
Replace PostmasterRandom() with a stronger source, second attempt.
This adds a new routine, pg_strong_random() for generating random bytes,
for use in both frontend and backend. At the moment, it's only used in
the backend, but the upcoming SCRAM authentication patches need strong
random numbers in libpq as well.
pg_strong_random() is based on, and replaces, the existing implementation
in pgcrypto. It can acquire strong random numbers from a number of sources,
depending on what's available:
- OpenSSL RAND_bytes(), if built with OpenSSL
- On Windows, the native cryptographic functions are used
- /dev/urandom
Unlike the current pgcrypto function, the source is chosen by configure.
That makes it easier to test different implementations, and ensures that
we don't accidentally fall back to a less secure implementation, if the
primary source fails. All of those methods are quite reliable, it would be
pretty surprising for them to fail, so we'd rather find out by failing
hard.
If no strong random source is available, we fall back to using erand48(),
seeded from current timestamp, like PostmasterRandom() was. That isn't
cryptographically secure, but allows us to still work on platforms that
don't have any of the above stronger sources. Because it's not very secure,
the built-in implementation is only used if explicitly requested with
--disable-strong-random.
This replaces the more complicated Fortuna algorithm we used to have in
pgcrypto, which is unfortunate, but all modern platforms have /dev/urandom,
so it doesn't seem worth the maintenance effort to keep that. pgcrypto
functions that require strong random numbers will be disabled with
--disable-strong-random.
Original patch by Magnus Hagander, tons of further work by Michael Paquier
and me.
Discussion: https://www.postgresql.org/message-id/CAB7nPqRy3krN8quR9XujMVVHYtXJ0_60nqgVc6oUk8ygyVkZsA@mail.gmail.com
Discussion: https://www.postgresql.org/message-id/CAB7nPqRWkNYRRPJA7-cF+LfroYV10pvjdz6GNvxk-Eee9FypKA@mail.gmail.com
2016-12-05 12:42:59 +01:00
|
|
|
*----------------------------------------------------------------
|
|
|
|
|
*/
|
Allow SCRAM authentication, when pg_hba.conf says 'md5'.
If a user has a SCRAM verifier in pg_authid.rolpassword, there's no reason
we cannot attempt to perform SCRAM authentication instead of MD5. The worst
that can happen is that the client doesn't support SCRAM, and the
authentication will fail. But previously, it would fail for sure, because
we would not even try. SCRAM is strictly more secure than MD5, so there's
no harm in trying it. This allows for a more graceful transition from MD5
passwords to SCRAM, as user passwords can be changed to SCRAM verifiers
incrementally, without changing pg_hba.conf.
Refactor the code in auth.c to support that better. Notably, we now have to
look up the user's pg_authid entry before sending the password challenge,
also when performing MD5 authentication. Also simplify the concept of a
"doomed" authentication. Previously, if a user had a password, but it had
expired, we still performed SCRAM authentication (but always returned error
at the end) using the salt and iteration count from the expired password.
Now we construct a fake salt, like we do when the user doesn't have a
password or doesn't exist at all. That simplifies get_role_password(), and
we can don't need to distinguish the "user has expired password", and
"user does not exist" cases in auth.c.
On second thoughts, also rename uaSASL to uaSCRAM. It refers to the
mechanism specified in pg_hba.conf, and while we use SASL for SCRAM
authentication at the protocol level, the mechanism should be called SCRAM,
not SASL. As a comparison, we have uaLDAP, even though it looks like the
plain 'password' authentication at the protocol level.
Discussion: https://www.postgresql.org/message-id/6425.1489506016@sss.pgh.pa.us
Reviewed-by: Michael Paquier
2017-03-24 12:32:21 +01:00
|
|
|
static int CheckPasswordAuth(Port *port, char **logdetail);
|
|
|
|
|
static int CheckPWChallengeAuth(Port *port, char **logdetail);
|
Replace PostmasterRandom() with a stronger source, second attempt.
This adds a new routine, pg_strong_random() for generating random bytes,
for use in both frontend and backend. At the moment, it's only used in
the backend, but the upcoming SCRAM authentication patches need strong
random numbers in libpq as well.
pg_strong_random() is based on, and replaces, the existing implementation
in pgcrypto. It can acquire strong random numbers from a number of sources,
depending on what's available:
- OpenSSL RAND_bytes(), if built with OpenSSL
- On Windows, the native cryptographic functions are used
- /dev/urandom
Unlike the current pgcrypto function, the source is chosen by configure.
That makes it easier to test different implementations, and ensures that
we don't accidentally fall back to a less secure implementation, if the
primary source fails. All of those methods are quite reliable, it would be
pretty surprising for them to fail, so we'd rather find out by failing
hard.
If no strong random source is available, we fall back to using erand48(),
seeded from current timestamp, like PostmasterRandom() was. That isn't
cryptographically secure, but allows us to still work on platforms that
don't have any of the above stronger sources. Because it's not very secure,
the built-in implementation is only used if explicitly requested with
--disable-strong-random.
This replaces the more complicated Fortuna algorithm we used to have in
pgcrypto, which is unfortunate, but all modern platforms have /dev/urandom,
so it doesn't seem worth the maintenance effort to keep that. pgcrypto
functions that require strong random numbers will be disabled with
--disable-strong-random.
Original patch by Magnus Hagander, tons of further work by Michael Paquier
and me.
Discussion: https://www.postgresql.org/message-id/CAB7nPqRy3krN8quR9XujMVVHYtXJ0_60nqgVc6oUk8ygyVkZsA@mail.gmail.com
Discussion: https://www.postgresql.org/message-id/CAB7nPqRWkNYRRPJA7-cF+LfroYV10pvjdz6GNvxk-Eee9FypKA@mail.gmail.com
2016-12-05 12:42:59 +01:00
|
|
|
|
Allow SCRAM authentication, when pg_hba.conf says 'md5'.
If a user has a SCRAM verifier in pg_authid.rolpassword, there's no reason
we cannot attempt to perform SCRAM authentication instead of MD5. The worst
that can happen is that the client doesn't support SCRAM, and the
authentication will fail. But previously, it would fail for sure, because
we would not even try. SCRAM is strictly more secure than MD5, so there's
no harm in trying it. This allows for a more graceful transition from MD5
passwords to SCRAM, as user passwords can be changed to SCRAM verifiers
incrementally, without changing pg_hba.conf.
Refactor the code in auth.c to support that better. Notably, we now have to
look up the user's pg_authid entry before sending the password challenge,
also when performing MD5 authentication. Also simplify the concept of a
"doomed" authentication. Previously, if a user had a password, but it had
expired, we still performed SCRAM authentication (but always returned error
at the end) using the salt and iteration count from the expired password.
Now we construct a fake salt, like we do when the user doesn't have a
password or doesn't exist at all. That simplifies get_role_password(), and
we can don't need to distinguish the "user has expired password", and
"user does not exist" cases in auth.c.
On second thoughts, also rename uaSASL to uaSCRAM. It refers to the
mechanism specified in pg_hba.conf, and while we use SASL for SCRAM
authentication at the protocol level, the mechanism should be called SCRAM,
not SASL. As a comparison, we have uaLDAP, even though it looks like the
plain 'password' authentication at the protocol level.
Discussion: https://www.postgresql.org/message-id/6425.1489506016@sss.pgh.pa.us
Reviewed-by: Michael Paquier
2017-03-24 12:32:21 +01:00
|
|
|
static int CheckMD5Auth(Port *port, char *shadow_pass, char **logdetail);
|
|
|
|
|
static int CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail);
|
Replace PostmasterRandom() with a stronger source, second attempt.
This adds a new routine, pg_strong_random() for generating random bytes,
for use in both frontend and backend. At the moment, it's only used in
the backend, but the upcoming SCRAM authentication patches need strong
random numbers in libpq as well.
pg_strong_random() is based on, and replaces, the existing implementation
in pgcrypto. It can acquire strong random numbers from a number of sources,
depending on what's available:
- OpenSSL RAND_bytes(), if built with OpenSSL
- On Windows, the native cryptographic functions are used
- /dev/urandom
Unlike the current pgcrypto function, the source is chosen by configure.
That makes it easier to test different implementations, and ensures that
we don't accidentally fall back to a less secure implementation, if the
primary source fails. All of those methods are quite reliable, it would be
pretty surprising for them to fail, so we'd rather find out by failing
hard.
If no strong random source is available, we fall back to using erand48(),
seeded from current timestamp, like PostmasterRandom() was. That isn't
cryptographically secure, but allows us to still work on platforms that
don't have any of the above stronger sources. Because it's not very secure,
the built-in implementation is only used if explicitly requested with
--disable-strong-random.
This replaces the more complicated Fortuna algorithm we used to have in
pgcrypto, which is unfortunate, but all modern platforms have /dev/urandom,
so it doesn't seem worth the maintenance effort to keep that. pgcrypto
functions that require strong random numbers will be disabled with
--disable-strong-random.
Original patch by Magnus Hagander, tons of further work by Michael Paquier
and me.
Discussion: https://www.postgresql.org/message-id/CAB7nPqRy3krN8quR9XujMVVHYtXJ0_60nqgVc6oUk8ygyVkZsA@mail.gmail.com
Discussion: https://www.postgresql.org/message-id/CAB7nPqRWkNYRRPJA7-cF+LfroYV10pvjdz6GNvxk-Eee9FypKA@mail.gmail.com
2016-12-05 12:42:59 +01:00
|
|
|
|
|
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
/*----------------------------------------------------------------
|
|
|
|
|
* Ident authentication
|
|
|
|
|
*----------------------------------------------------------------
|
|
|
|
|
*/
|
2019-10-30 11:01:44 +01:00
|
|
|
/* Max size of username ident server can return (per RFC 1413) */
|
2008-08-01 11:09:49 +02:00
|
|
|
#define IDENT_USERNAME_MAX 512
|
|
|
|
|
|
2014-05-06 18:12:18 +02:00
|
|
|
/* Standard TCP port number for Ident service. Assigned by IANA */
|
2008-08-01 11:09:49 +02:00
|
|
|
#define IDENT_PORT 113
|
|
|
|
|
|
2011-03-19 18:44:35 +01:00
|
|
|
static int ident_inet(hbaPort *port);
|
2011-04-10 17:42:00 +02:00
|
|
|
|
2019-10-30 09:13:39 +01:00
|
|
|
|
|
|
|
|
/*----------------------------------------------------------------
|
|
|
|
|
* Peer authentication
|
|
|
|
|
*----------------------------------------------------------------
|
|
|
|
|
*/
|
2011-03-19 18:44:35 +01:00
|
|
|
static int auth_peer(hbaPort *port);
|
2008-08-01 13:41:12 +02:00
|
|
|
|
|
|
|
|
|
|
|
|
|
/*----------------------------------------------------------------
|
|
|
|
|
* PAM authentication
|
|
|
|
|
*----------------------------------------------------------------
|
|
|
|
|
*/
|
2001-09-06 05:23:38 +02:00
|
|
|
#ifdef USE_PAM
|
2003-02-14 15:05:00 +01:00
|
|
|
#ifdef HAVE_PAM_PAM_APPL_H
|
|
|
|
|
#include <pam/pam_appl.h>
|
|
|
|
|
#endif
|
|
|
|
|
#ifdef HAVE_SECURITY_PAM_APPL_H
|
2001-09-06 05:23:38 +02:00
|
|
|
#include <security/pam_appl.h>
|
2003-02-14 15:05:00 +01:00
|
|
|
#endif
|
2001-09-06 05:23:38 +02:00
|
|
|
|
2001-10-25 07:50:21 +02:00
|
|
|
#define PGSQL_PAM_SERVICE "postgresql" /* Service name passed to PAM */
|
|
|
|
|
|
2017-10-31 15:34:31 +01:00
|
|
|
static int CheckPAMAuth(Port *port, const char *user, const char *password);
|
2019-05-22 19:04:48 +02:00
|
|
|
static int pam_passwd_conv_proc(int num_msg, const struct pam_message **msg,
|
|
|
|
|
struct pam_response **resp, void *appdata_ptr);
|
2001-09-06 05:23:38 +02:00
|
|
|
|
|
|
|
|
static struct pam_conv pam_passw_conv = {
|
2001-10-25 07:50:21 +02:00
|
|
|
&pam_passwd_conv_proc,
|
|
|
|
|
NULL
|
2001-09-06 05:23:38 +02:00
|
|
|
};
|
|
|
|
|
|
2017-11-29 15:24:24 +01:00
|
|
|
static const char *pam_passwd = NULL; /* Workaround for Solaris 2.6
|
|
|
|
|
* brokenness */
|
2005-10-15 04:49:52 +02:00
|
|
|
static Port *pam_port_cludge; /* Workaround for passing "Port *port" into
|
|
|
|
|
* pam_passwd_conv_proc */
|
2019-11-05 20:27:37 +01:00
|
|
|
static bool pam_no_password; /* For detecting no-password-given */
|
Phase 2 of pgindent updates.
Change pg_bsd_indent to follow upstream rules for placement of comments
to the right of code, and remove pgindent hack that caused comments
following #endif to not obey the general rule.
Commit e3860ffa4dd0dad0dd9eea4be9cc1412373a8c89 wasn't actually using
the published version of pg_bsd_indent, but a hacked-up version that
tried to minimize the amount of movement of comments to the right of
code. The situation of interest is where such a comment has to be
moved to the right of its default placement at column 33 because there's
code there. BSD indent has always moved right in units of tab stops
in such cases --- but in the previous incarnation, indent was working
in 8-space tab stops, while now it knows we use 4-space tabs. So the
net result is that in about half the cases, such comments are placed
one tab stop left of before. This is better all around: it leaves
more room on the line for comment text, and it means that in such
cases the comment uniformly starts at the next 4-space tab stop after
the code, rather than sometimes one and sometimes two tabs after.
Also, ensure that comments following #endif are indented the same
as comments following other preprocessor commands such as #else.
That inconsistency turns out to have been self-inflicted damage
from a poorly-thought-through post-indent "fixup" in pgindent.
This patch is much less interesting than the first round of indent
changes, but also bulkier, so I thought it best to separate the effects.
Discussion: https://postgr.es/m/E1dAmxK-0006EE-1r@gemulon.postgresql.org
Discussion: https://postgr.es/m/30527.1495162840@sss.pgh.pa.us
2017-06-21 21:18:54 +02:00
|
|
|
#endif /* USE_PAM */
|
2000-08-25 12:00:35 +02:00
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
|
2016-04-08 19:51:54 +02:00
|
|
|
/*----------------------------------------------------------------
|
|
|
|
|
* BSD authentication
|
|
|
|
|
*----------------------------------------------------------------
|
|
|
|
|
*/
|
|
|
|
|
#ifdef USE_BSD_AUTH
|
|
|
|
|
#include <bsd_auth.h>
|
|
|
|
|
|
|
|
|
|
static int CheckBSDAuth(Port *port, char *user);
|
Phase 2 of pgindent updates.
Change pg_bsd_indent to follow upstream rules for placement of comments
to the right of code, and remove pgindent hack that caused comments
following #endif to not obey the general rule.
Commit e3860ffa4dd0dad0dd9eea4be9cc1412373a8c89 wasn't actually using
the published version of pg_bsd_indent, but a hacked-up version that
tried to minimize the amount of movement of comments to the right of
code. The situation of interest is where such a comment has to be
moved to the right of its default placement at column 33 because there's
code there. BSD indent has always moved right in units of tab stops
in such cases --- but in the previous incarnation, indent was working
in 8-space tab stops, while now it knows we use 4-space tabs. So the
net result is that in about half the cases, such comments are placed
one tab stop left of before. This is better all around: it leaves
more room on the line for comment text, and it means that in such
cases the comment uniformly starts at the next 4-space tab stop after
the code, rather than sometimes one and sometimes two tabs after.
Also, ensure that comments following #endif are indented the same
as comments following other preprocessor commands such as #else.
That inconsistency turns out to have been self-inflicted damage
from a poorly-thought-through post-indent "fixup" in pgindent.
This patch is much less interesting than the first round of indent
changes, but also bulkier, so I thought it best to separate the effects.
Discussion: https://postgr.es/m/E1dAmxK-0006EE-1r@gemulon.postgresql.org
Discussion: https://postgr.es/m/30527.1495162840@sss.pgh.pa.us
2017-06-21 21:18:54 +02:00
|
|
|
#endif /* USE_BSD_AUTH */
|
2016-04-08 19:51:54 +02:00
|
|
|
|
|
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
/*----------------------------------------------------------------
|
|
|
|
|
* LDAP authentication
|
|
|
|
|
*----------------------------------------------------------------
|
|
|
|
|
*/
|
2006-03-06 18:41:44 +01:00
|
|
|
#ifdef USE_LDAP
|
|
|
|
|
#ifndef WIN32
|
2006-08-22 04:23:45 +02:00
|
|
|
/* We use a deprecated function to keep the codepath the same as win32. */
|
2006-03-06 18:41:44 +01:00
|
|
|
#define LDAP_DEPRECATED 1
|
|
|
|
|
#include <ldap.h>
|
|
|
|
|
#else
|
|
|
|
|
#include <winldap.h>
|
|
|
|
|
|
|
|
|
|
/* Correct header from the Platform SDK */
|
2006-10-04 02:30:14 +02:00
|
|
|
typedef
|
2019-07-31 09:05:21 +02:00
|
|
|
ULONG (*__ldap_start_tls_sA) (IN PLDAP ExternalHandle,
|
2017-06-21 20:39:04 +02:00
|
|
|
OUT PULONG ServerReturnValue,
|
|
|
|
|
OUT LDAPMessage **result,
|
|
|
|
|
IN PLDAPControlA * ServerControls,
|
|
|
|
|
IN PLDAPControlA * ClientControls
|
2006-03-06 18:41:44 +01:00
|
|
|
);
|
|
|
|
|
#endif
|
|
|
|
|
|
2006-10-04 02:30:14 +02:00
|
|
|
static int CheckLDAPAuth(Port *port);
|
2017-10-13 05:47:48 +02:00
|
|
|
|
|
|
|
|
/* LDAP_OPT_DIAGNOSTIC_MESSAGE is the newer spelling */
|
|
|
|
|
#ifndef LDAP_OPT_DIAGNOSTIC_MESSAGE
|
|
|
|
|
#define LDAP_OPT_DIAGNOSTIC_MESSAGE LDAP_OPT_ERROR_STRING
|
|
|
|
|
#endif
|
|
|
|
|
|
Phase 2 of pgindent updates.
Change pg_bsd_indent to follow upstream rules for placement of comments
to the right of code, and remove pgindent hack that caused comments
following #endif to not obey the general rule.
Commit e3860ffa4dd0dad0dd9eea4be9cc1412373a8c89 wasn't actually using
the published version of pg_bsd_indent, but a hacked-up version that
tried to minimize the amount of movement of comments to the right of
code. The situation of interest is where such a comment has to be
moved to the right of its default placement at column 33 because there's
code there. BSD indent has always moved right in units of tab stops
in such cases --- but in the previous incarnation, indent was working
in 8-space tab stops, while now it knows we use 4-space tabs. So the
net result is that in about half the cases, such comments are placed
one tab stop left of before. This is better all around: it leaves
more room on the line for comment text, and it means that in such
cases the comment uniformly starts at the next 4-space tab stop after
the code, rather than sometimes one and sometimes two tabs after.
Also, ensure that comments following #endif are indented the same
as comments following other preprocessor commands such as #else.
That inconsistency turns out to have been self-inflicted damage
from a poorly-thought-through post-indent "fixup" in pgindent.
This patch is much less interesting than the first round of indent
changes, but also bulkier, so I thought it best to separate the effects.
Discussion: https://postgr.es/m/E1dAmxK-0006EE-1r@gemulon.postgresql.org
Discussion: https://postgr.es/m/30527.1495162840@sss.pgh.pa.us
2017-06-21 21:18:54 +02:00
|
|
|
#endif /* USE_LDAP */
|
2008-08-01 13:41:12 +02:00
|
|
|
|
2008-11-20 12:48:26 +01:00
|
|
|
/*----------------------------------------------------------------
|
|
|
|
|
* Cert authentication
|
|
|
|
|
*----------------------------------------------------------------
|
|
|
|
|
*/
|
|
|
|
|
#ifdef USE_SSL
|
|
|
|
|
static int CheckCertAuth(Port *port);
|
|
|
|
|
#endif
|
|
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
|
|
|
|
|
/*----------------------------------------------------------------
|
|
|
|
|
* Kerberos and GSSAPI GUCs
|
|
|
|
|
*----------------------------------------------------------------
|
|
|
|
|
*/
|
|
|
|
|
char *pg_krb_server_keyfile;
|
|
|
|
|
bool pg_krb_caseins_users;
|
2006-03-06 18:41:44 +01:00
|
|
|
|
|
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
/*----------------------------------------------------------------
|
|
|
|
|
* GSSAPI Authentication
|
|
|
|
|
*----------------------------------------------------------------
|
|
|
|
|
*/
|
|
|
|
|
#ifdef ENABLE_GSS
|
2019-06-08 02:59:02 +02:00
|
|
|
#include "libpq/be-gssapi-common.h"
|
2008-10-23 15:31:10 +02:00
|
|
|
|
GSSAPI encryption support
On both the frontend and backend, prepare for GSSAPI encryption
support by moving common code for error handling into a separate file.
Fix a TODO for handling multiple status messages in the process.
Eliminate the OIDs, which have not been needed for some time.
Add frontend and backend encryption support functions. Keep the
context initiation for authentication-only separate on both the
frontend and backend in order to avoid concerns about changing the
requested flags to include encryption support.
In postmaster, pull GSSAPI authorization checking into a shared
function. Also share the initiator name between the encryption and
non-encryption codepaths.
For HBA, add "hostgssenc" and "hostnogssenc" entries that behave
similarly to their SSL counterparts. "hostgssenc" requires either
"gss", "trust", or "reject" for its authentication.
Similarly, add a "gssencmode" parameter to libpq. Supported values are
"disable", "require", and "prefer". Notably, negotiation will only be
attempted if credentials can be acquired. Move credential acquisition
into its own function to support this behavior.
Add a simple pg_stat_gssapi view similar to pg_stat_ssl, for monitoring
if GSSAPI authentication was used, what principal was used, and if
encryption is being used on the connection.
Finally, add documentation for everything new, and update existing
documentation on connection security.
Thanks to Michael Paquier for the Windows fixes.
Author: Robbie Harwood, with changes to the read/write functions by me.
Reviewed in various forms and at different times by: Michael Paquier,
Andres Freund, David Steele.
Discussion: https://www.postgresql.org/message-id/flat/jlg1tgq1ktm.fsf@thriss.redhat.com
2019-04-03 21:02:33 +02:00
|
|
|
static int pg_GSS_checkauth(Port *port);
|
2009-06-11 16:49:15 +02:00
|
|
|
static int pg_GSS_recvauth(Port *port);
|
Phase 2 of pgindent updates.
Change pg_bsd_indent to follow upstream rules for placement of comments
to the right of code, and remove pgindent hack that caused comments
following #endif to not obey the general rule.
Commit e3860ffa4dd0dad0dd9eea4be9cc1412373a8c89 wasn't actually using
the published version of pg_bsd_indent, but a hacked-up version that
tried to minimize the amount of movement of comments to the right of
code. The situation of interest is where such a comment has to be
moved to the right of its default placement at column 33 because there's
code there. BSD indent has always moved right in units of tab stops
in such cases --- but in the previous incarnation, indent was working
in 8-space tab stops, while now it knows we use 4-space tabs. So the
net result is that in about half the cases, such comments are placed
one tab stop left of before. This is better all around: it leaves
more room on the line for comment text, and it means that in such
cases the comment uniformly starts at the next 4-space tab stop after
the code, rather than sometimes one and sometimes two tabs after.
Also, ensure that comments following #endif are indented the same
as comments following other preprocessor commands such as #else.
That inconsistency turns out to have been self-inflicted damage
from a poorly-thought-through post-indent "fixup" in pgindent.
This patch is much less interesting than the first round of indent
changes, but also bulkier, so I thought it best to separate the effects.
Discussion: https://postgr.es/m/E1dAmxK-0006EE-1r@gemulon.postgresql.org
Discussion: https://postgr.es/m/30527.1495162840@sss.pgh.pa.us
2017-06-21 21:18:54 +02:00
|
|
|
#endif /* ENABLE_GSS */
|
2000-05-27 06:13:05 +02:00
|
|
|
|
2000-05-27 05:58:20 +02:00
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
/*----------------------------------------------------------------
|
|
|
|
|
* SSPI Authentication
|
|
|
|
|
*----------------------------------------------------------------
|
|
|
|
|
*/
|
|
|
|
|
#ifdef ENABLE_SSPI
|
2011-04-10 17:42:00 +02:00
|
|
|
typedef SECURITY_STATUS
|
2008-08-01 13:41:12 +02:00
|
|
|
(WINAPI * QUERY_SECURITY_CONTEXT_TOKEN_FN) (
|
2017-06-21 20:39:04 +02:00
|
|
|
PCtxtHandle, void **);
|
2009-06-11 16:49:15 +02:00
|
|
|
static int pg_SSPI_recvauth(Port *port);
|
2019-05-22 19:04:48 +02:00
|
|
|
static int pg_SSPI_make_upn(char *accountname,
|
|
|
|
|
size_t accountnamesize,
|
|
|
|
|
char *domainname,
|
|
|
|
|
size_t domainnamesize,
|
|
|
|
|
bool update_accountname);
|
2008-08-01 13:41:12 +02:00
|
|
|
#endif
|
2005-10-08 21:32:58 +02:00
|
|
|
|
2010-01-27 13:12:00 +01:00
|
|
|
/*----------------------------------------------------------------
|
|
|
|
|
* RADIUS Authentication
|
|
|
|
|
*----------------------------------------------------------------
|
|
|
|
|
*/
|
|
|
|
|
static int CheckRADIUSAuth(Port *port);
|
2017-10-31 15:34:31 +01:00
|
|
|
static int PerformRadiusTransaction(const char *server, const char *secret, const char *portstr, const char *identifier, const char *user_name, const char *passwd);
|
2010-01-27 13:12:00 +01:00
|
|
|
|
2000-05-27 06:13:05 +02:00
|
|
|
|
2009-10-14 09:27:13 +02:00
|
|
|
/*
|
2009-10-15 00:09:46 +02:00
|
|
|
* Maximum accepted size of GSS and SSPI authentication tokens.
|
2009-10-14 09:27:13 +02:00
|
|
|
*
|
|
|
|
|
* Kerberos tickets are usually quite small, but the TGTs issued by Windows
|
|
|
|
|
* domain controllers include an authorization field known as the Privilege
|
|
|
|
|
* Attribute Certificate (PAC), which contains the user's Windows permissions
|
|
|
|
|
* (group memberships etc.). The PAC is copied into all tickets obtained on
|
|
|
|
|
* the basis of this TGT (even those issued by Unix realms which the Windows
|
|
|
|
|
* realm trusts), and can be several kB in size. The maximum token size
|
|
|
|
|
* accepted by Windows systems is determined by the MaxAuthToken Windows
|
|
|
|
|
* registry setting. Microsoft recommends that it is not set higher than
|
|
|
|
|
* 65535 bytes, so that seems like a reasonable limit for us as well.
|
|
|
|
|
*/
|
2009-10-15 00:09:46 +02:00
|
|
|
#define PG_MAX_AUTH_TOKEN_LENGTH 65535
|
2009-10-14 09:27:13 +02:00
|
|
|
|
Support SCRAM-SHA-256 authentication (RFC 5802 and 7677).
This introduces a new generic SASL authentication method, similar to the
GSS and SSPI methods. The server first tells the client which SASL
authentication mechanism to use, and then the mechanism-specific SASL
messages are exchanged in AuthenticationSASLcontinue and PasswordMessage
messages. Only SCRAM-SHA-256 is supported at the moment, but this allows
adding more SASL mechanisms in the future, without changing the overall
protocol.
Support for channel binding, aka SCRAM-SHA-256-PLUS is left for later.
The SASLPrep algorithm, for pre-processing the password, is not yet
implemented. That could cause trouble, if you use a password with
non-ASCII characters, and a client library that does implement SASLprep.
That will hopefully be added later.
Authorization identities, as specified in the SCRAM-SHA-256 specification,
are ignored. SET SESSION AUTHORIZATION provides more or less the same
functionality, anyway.
If a user doesn't exist, perform a "mock" authentication, by constructing
an authentic-looking challenge on the fly. The challenge is derived from
a new system-wide random value, "mock authentication nonce", which is
created at initdb, and stored in the control file. We go through these
motions, in order to not give away the information on whether the user
exists, to unauthenticated users.
Bumps PG_CONTROL_VERSION, because of the new field in control file.
Patch by Michael Paquier and Heikki Linnakangas, reviewed at different
stages by Robert Haas, Stephen Frost, David Steele, Aleksander Alekseev,
and many others.
Discussion: https://www.postgresql.org/message-id/CAB7nPqRbR3GmFYdedCAhzukfKrgBLTLtMvENOmPrVWREsZkF8g%40mail.gmail.com
Discussion: https://www.postgresql.org/message-id/CAB7nPqSMXU35g%3DW9X74HVeQp0uvgJxvYOuA4A-A3M%2B0wfEBv-w%40mail.gmail.com
Discussion: https://www.postgresql.org/message-id/55192AFE.6080106@iki.fi
2017-03-07 13:25:40 +01:00
|
|
|
/*
|
|
|
|
|
* Maximum accepted size of SASL messages.
|
|
|
|
|
*
|
|
|
|
|
* The messages that the server or libpq generate are much smaller than this,
|
|
|
|
|
* but have some headroom.
|
|
|
|
|
*/
|
|
|
|
|
#define PG_MAX_SASL_MESSAGE_LENGTH 1024
|
2008-08-01 13:41:12 +02:00
|
|
|
|
|
|
|
|
/*----------------------------------------------------------------
|
|
|
|
|
* Global authentication functions
|
|
|
|
|
*----------------------------------------------------------------
|
|
|
|
|
*/
|
2000-05-27 06:13:05 +02:00
|
|
|
|
2010-10-27 03:20:02 +02:00
|
|
|
/*
|
|
|
|
|
* This hook allows plugins to get control following client authentication,
|
|
|
|
|
* but before the user has been informed about the results. It could be used
|
|
|
|
|
* to record login events, insert a delay after failed authentication, etc.
|
|
|
|
|
*/
|
|
|
|
|
ClientAuthentication_hook_type ClientAuthentication_hook = NULL;
|
2000-05-27 06:13:05 +02:00
|
|
|
|
|
|
|
|
/*
|
2008-08-01 13:41:12 +02:00
|
|
|
* Tell the user the authentication failed, but not (much about) why.
|
2000-05-27 06:13:05 +02:00
|
|
|
*
|
2008-08-01 13:41:12 +02:00
|
|
|
* There is a tradeoff here between security concerns and making life
|
|
|
|
|
* unnecessarily difficult for legitimate users. We would not, for example,
|
|
|
|
|
* want to report the password we were expecting to receive...
|
|
|
|
|
* But it seems useful to report the username and authorization method
|
|
|
|
|
* in use, and these are items that must be presumed known to an attacker
|
|
|
|
|
* anyway.
|
|
|
|
|
* Note that many sorts of failure report additional information in the
|
2014-01-28 03:04:09 +01:00
|
|
|
* postmaster log, which we hope is only readable by good guys. In
|
|
|
|
|
* particular, if logdetail isn't NULL, we send that string to the log.
|
2000-05-27 06:13:05 +02:00
|
|
|
*/
|
2008-08-01 13:41:12 +02:00
|
|
|
static void
|
2014-01-28 03:04:09 +01:00
|
|
|
auth_failed(Port *port, int status, char *logdetail)
|
2000-05-27 06:13:05 +02:00
|
|
|
{
|
2008-08-01 13:41:12 +02:00
|
|
|
const char *errstr;
|
2014-03-03 09:18:51 +01:00
|
|
|
char *cdetail;
|
2010-07-06 21:19:02 +02:00
|
|
|
int errcode_return = ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION;
|
|
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
/*
|
|
|
|
|
* If we failed due to EOF from client, just quit; there's no point in
|
|
|
|
|
* trying to send a message to the client, and not much point in logging
|
|
|
|
|
* the failure in the postmaster log. (Logging the failure might be
|
|
|
|
|
* desirable, were it not for the fact that libpq closes the connection
|
|
|
|
|
* unceremoniously if challenged for a password when it hasn't got one to
|
|
|
|
|
* send. We'll get a useless log entry for every psql connection under
|
|
|
|
|
* password auth, even if it's perfectly successful, if we log STATUS_EOF
|
|
|
|
|
* events.)
|
|
|
|
|
*/
|
|
|
|
|
if (status == STATUS_EOF)
|
|
|
|
|
proc_exit(0);
|
2000-05-27 06:13:05 +02:00
|
|
|
|
2008-09-15 14:32:57 +02:00
|
|
|
switch (port->hba->auth_method)
|
2001-03-22 05:01:46 +01:00
|
|
|
{
|
2008-08-01 13:41:12 +02:00
|
|
|
case uaReject:
|
2010-04-21 05:32:53 +02:00
|
|
|
case uaImplicitReject:
|
2008-08-01 13:41:12 +02:00
|
|
|
errstr = gettext_noop("authentication failed for user \"%s\": host rejected");
|
|
|
|
|
break;
|
|
|
|
|
case uaTrust:
|
|
|
|
|
errstr = gettext_noop("\"trust\" authentication failed for user \"%s\"");
|
|
|
|
|
break;
|
|
|
|
|
case uaIdent:
|
|
|
|
|
errstr = gettext_noop("Ident authentication failed for user \"%s\"");
|
|
|
|
|
break;
|
2011-03-19 18:44:35 +01:00
|
|
|
case uaPeer:
|
|
|
|
|
errstr = gettext_noop("Peer authentication failed for user \"%s\"");
|
|
|
|
|
break;
|
2008-08-01 13:41:12 +02:00
|
|
|
case uaPassword:
|
2010-05-26 22:47:13 +02:00
|
|
|
case uaMD5:
|
Allow SCRAM authentication, when pg_hba.conf says 'md5'.
If a user has a SCRAM verifier in pg_authid.rolpassword, there's no reason
we cannot attempt to perform SCRAM authentication instead of MD5. The worst
that can happen is that the client doesn't support SCRAM, and the
authentication will fail. But previously, it would fail for sure, because
we would not even try. SCRAM is strictly more secure than MD5, so there's
no harm in trying it. This allows for a more graceful transition from MD5
passwords to SCRAM, as user passwords can be changed to SCRAM verifiers
incrementally, without changing pg_hba.conf.
Refactor the code in auth.c to support that better. Notably, we now have to
look up the user's pg_authid entry before sending the password challenge,
also when performing MD5 authentication. Also simplify the concept of a
"doomed" authentication. Previously, if a user had a password, but it had
expired, we still performed SCRAM authentication (but always returned error
at the end) using the salt and iteration count from the expired password.
Now we construct a fake salt, like we do when the user doesn't have a
password or doesn't exist at all. That simplifies get_role_password(), and
we can don't need to distinguish the "user has expired password", and
"user does not exist" cases in auth.c.
On second thoughts, also rename uaSASL to uaSCRAM. It refers to the
mechanism specified in pg_hba.conf, and while we use SASL for SCRAM
authentication at the protocol level, the mechanism should be called SCRAM,
not SASL. As a comparison, we have uaLDAP, even though it looks like the
plain 'password' authentication at the protocol level.
Discussion: https://www.postgresql.org/message-id/6425.1489506016@sss.pgh.pa.us
Reviewed-by: Michael Paquier
2017-03-24 12:32:21 +01:00
|
|
|
case uaSCRAM:
|
2008-08-01 13:41:12 +02:00
|
|
|
errstr = gettext_noop("password authentication failed for user \"%s\"");
|
2010-03-13 15:55:57 +01:00
|
|
|
/* We use it to indicate if a .pgpass password failed. */
|
|
|
|
|
errcode_return = ERRCODE_INVALID_PASSWORD;
|
2008-08-01 13:41:12 +02:00
|
|
|
break;
|
2010-05-26 22:47:13 +02:00
|
|
|
case uaGSS:
|
|
|
|
|
errstr = gettext_noop("GSSAPI authentication failed for user \"%s\"");
|
|
|
|
|
break;
|
|
|
|
|
case uaSSPI:
|
|
|
|
|
errstr = gettext_noop("SSPI authentication failed for user \"%s\"");
|
|
|
|
|
break;
|
2008-08-01 13:41:12 +02:00
|
|
|
case uaPAM:
|
|
|
|
|
errstr = gettext_noop("PAM authentication failed for user \"%s\"");
|
|
|
|
|
break;
|
2016-04-08 19:51:54 +02:00
|
|
|
case uaBSD:
|
|
|
|
|
errstr = gettext_noop("BSD authentication failed for user \"%s\"");
|
|
|
|
|
break;
|
2008-08-01 13:41:12 +02:00
|
|
|
case uaLDAP:
|
|
|
|
|
errstr = gettext_noop("LDAP authentication failed for user \"%s\"");
|
|
|
|
|
break;
|
2010-05-26 22:47:13 +02:00
|
|
|
case uaCert:
|
|
|
|
|
errstr = gettext_noop("certificate authentication failed for user \"%s\"");
|
|
|
|
|
break;
|
2010-01-27 13:12:00 +01:00
|
|
|
case uaRADIUS:
|
|
|
|
|
errstr = gettext_noop("RADIUS authentication failed for user \"%s\"");
|
|
|
|
|
break;
|
2008-08-01 13:41:12 +02:00
|
|
|
default:
|
|
|
|
|
errstr = gettext_noop("authentication failed for user \"%s\": invalid authentication method");
|
|
|
|
|
break;
|
2001-03-22 05:01:46 +01:00
|
|
|
}
|
1997-09-07 07:04:48 +02:00
|
|
|
|
2014-03-03 09:18:51 +01:00
|
|
|
cdetail = psprintf(_("Connection matched pg_hba.conf line %d: \"%s\""),
|
|
|
|
|
port->hba->linenumber, port->hba->rawline);
|
|
|
|
|
if (logdetail)
|
|
|
|
|
logdetail = psprintf("%s\n%s", logdetail, cdetail);
|
|
|
|
|
else
|
|
|
|
|
logdetail = cdetail;
|
2014-01-28 03:04:09 +01:00
|
|
|
|
|
|
|
|
ereport(FATAL,
|
|
|
|
|
(errcode(errcode_return),
|
|
|
|
|
errmsg(errstr, port->user_name),
|
|
|
|
|
logdetail ? errdetail_log("%s", logdetail) : 0));
|
2013-03-10 15:54:37 +01:00
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
/* doesn't return */
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Client authentication starts here. If there is an error, this
|
|
|
|
|
* function does not return and the backend process is terminated.
|
|
|
|
|
*/
|
|
|
|
|
void
|
|
|
|
|
ClientAuthentication(Port *port)
|
|
|
|
|
{
|
|
|
|
|
int status = STATUS_ERROR;
|
2014-01-28 03:04:09 +01:00
|
|
|
char *logdetail = NULL;
|
2008-08-01 13:41:12 +02:00
|
|
|
|
1997-09-07 07:04:48 +02:00
|
|
|
/*
|
2008-08-01 13:41:12 +02:00
|
|
|
* Get the authentication method to use for this frontend/database
|
2011-06-20 23:20:14 +02:00
|
|
|
* combination. Note: we do not parse the file at this point; this has
|
2012-06-10 21:20:04 +02:00
|
|
|
* already been done elsewhere. hba.c dropped an error message into the
|
|
|
|
|
* server logfile if parsing the hba config file failed.
|
1997-09-07 07:04:48 +02:00
|
|
|
*/
|
2011-06-20 23:20:14 +02:00
|
|
|
hba_getauthmethod(port);
|
2000-05-27 06:13:05 +02:00
|
|
|
|
2009-08-29 21:26:52 +02:00
|
|
|
CHECK_FOR_INTERRUPTS();
|
|
|
|
|
|
2008-11-20 10:29:36 +01:00
|
|
|
/*
|
2009-06-11 16:49:15 +02:00
|
|
|
* This is the first point where we have access to the hba record for the
|
|
|
|
|
* current connection, so perform any verifications based on the hba
|
|
|
|
|
* options field that should be done *before* the authentication here.
|
2008-11-20 10:29:36 +01:00
|
|
|
*/
|
2019-03-09 21:09:10 +01:00
|
|
|
if (port->hba->clientcert != clientCertOff)
|
2008-11-20 10:29:36 +01:00
|
|
|
{
|
2017-01-03 03:37:12 +01:00
|
|
|
/* If we haven't loaded a root certificate store, fail */
|
|
|
|
|
if (!secure_loaded_verify_locations())
|
|
|
|
|
ereport(FATAL,
|
|
|
|
|
(errcode(ERRCODE_CONFIG_FILE_ERROR),
|
|
|
|
|
errmsg("client certificates can only be checked if a root certificate store is available")));
|
|
|
|
|
|
2008-11-20 10:29:36 +01:00
|
|
|
/*
|
2017-01-03 03:37:12 +01:00
|
|
|
* If we loaded a root certificate store, and if a certificate is
|
|
|
|
|
* present on the client, then it has been verified against our root
|
2008-11-20 10:29:36 +01:00
|
|
|
* certificate store, and the connection would have been aborted
|
|
|
|
|
* already if it didn't verify ok.
|
|
|
|
|
*/
|
Break out OpenSSL-specific code to separate files.
This refactoring is in preparation for adding support for other SSL
implementations, with no user-visible effects. There are now two #defines,
USE_OPENSSL which is defined when building with OpenSSL, and USE_SSL which
is defined when building with any SSL implementation. Currently, OpenSSL is
the only implementation so the two #defines go together, but USE_SSL is
supposed to be used for implementation-independent code.
The libpq SSL code is changed to use a custom BIO, which does all the raw
I/O, like we've been doing in the backend for a long time. That makes it
possible to use MSG_NOSIGNAL to block SIGPIPE when using SSL, which avoids
a couple of syscall for each send(). Probably doesn't make much performance
difference in practice - the SSL encryption is expensive enough to mask the
effect - but it was a natural result of this refactoring.
Based on a patch by Martijn van Oosterhout from 2006. Briefly reviewed by
Alvaro Herrera, Andreas Karlsson, Jeff Janes.
2014-08-11 10:54:19 +02:00
|
|
|
if (!port->peer_cert_valid)
|
2008-11-20 10:29:36 +01:00
|
|
|
ereport(FATAL,
|
|
|
|
|
(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
|
Phase 3 of pgindent updates.
Don't move parenthesized lines to the left, even if that means they
flow past the right margin.
By default, BSD indent lines up statement continuation lines that are
within parentheses so that they start just to the right of the preceding
left parenthesis. However, traditionally, if that resulted in the
continuation line extending to the right of the desired right margin,
then indent would push it left just far enough to not overrun the margin,
if it could do so without making the continuation line start to the left of
the current statement indent. That makes for a weird mix of indentations
unless one has been completely rigid about never violating the 80-column
limit.
This behavior has been pretty universally panned by Postgres developers.
Hence, disable it with indent's new -lpl switch, so that parenthesized
lines are always lined up with the preceding left paren.
This patch is much less interesting than the first round of indent
changes, but also bulkier, so I thought it best to separate the effects.
Discussion: https://postgr.es/m/E1dAmxK-0006EE-1r@gemulon.postgresql.org
Discussion: https://postgr.es/m/30527.1495162840@sss.pgh.pa.us
2017-06-21 21:35:54 +02:00
|
|
|
errmsg("connection requires a valid client certificate")));
|
2008-11-20 10:29:36 +01:00
|
|
|
}
|
|
|
|
|
|
GSSAPI encryption support
On both the frontend and backend, prepare for GSSAPI encryption
support by moving common code for error handling into a separate file.
Fix a TODO for handling multiple status messages in the process.
Eliminate the OIDs, which have not been needed for some time.
Add frontend and backend encryption support functions. Keep the
context initiation for authentication-only separate on both the
frontend and backend in order to avoid concerns about changing the
requested flags to include encryption support.
In postmaster, pull GSSAPI authorization checking into a shared
function. Also share the initiator name between the encryption and
non-encryption codepaths.
For HBA, add "hostgssenc" and "hostnogssenc" entries that behave
similarly to their SSL counterparts. "hostgssenc" requires either
"gss", "trust", or "reject" for its authentication.
Similarly, add a "gssencmode" parameter to libpq. Supported values are
"disable", "require", and "prefer". Notably, negotiation will only be
attempted if credentials can be acquired. Move credential acquisition
into its own function to support this behavior.
Add a simple pg_stat_gssapi view similar to pg_stat_ssl, for monitoring
if GSSAPI authentication was used, what principal was used, and if
encryption is being used on the connection.
Finally, add documentation for everything new, and update existing
documentation on connection security.
Thanks to Michael Paquier for the Windows fixes.
Author: Robbie Harwood, with changes to the read/write functions by me.
Reviewed in various forms and at different times by: Michael Paquier,
Andres Freund, David Steele.
Discussion: https://www.postgresql.org/message-id/flat/jlg1tgq1ktm.fsf@thriss.redhat.com
2019-04-03 21:02:33 +02:00
|
|
|
#ifdef ENABLE_GSS
|
|
|
|
|
if (port->gss->enc && port->hba->auth_method != uaReject &&
|
|
|
|
|
port->hba->auth_method != uaImplicitReject &&
|
|
|
|
|
port->hba->auth_method != uaTrust &&
|
|
|
|
|
port->hba->auth_method != uaGSS)
|
|
|
|
|
{
|
|
|
|
|
ereport(FATAL, (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
|
|
|
|
|
errmsg("GSSAPI encryption can only be used with gss, trust, or reject authentication methods")));
|
|
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
|
2008-11-20 10:29:36 +01:00
|
|
|
/*
|
|
|
|
|
* Now proceed to do the actual authentication check
|
|
|
|
|
*/
|
2008-09-15 14:32:57 +02:00
|
|
|
switch (port->hba->auth_method)
|
2007-11-09 18:31:07 +01:00
|
|
|
{
|
2008-08-01 13:41:12 +02:00
|
|
|
case uaReject:
|
2007-11-09 18:31:07 +01:00
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
/*
|
2010-04-21 05:32:53 +02:00
|
|
|
* An explicit "reject" entry in pg_hba.conf. This report exposes
|
2010-07-06 21:19:02 +02:00
|
|
|
* the fact that there's an explicit reject entry, which is
|
|
|
|
|
* perhaps not so desirable from a security standpoint; but the
|
|
|
|
|
* message for an implicit reject could confuse the DBA a lot when
|
|
|
|
|
* the true situation is a match to an explicit reject. And we
|
|
|
|
|
* don't want to change the message for an implicit reject. As
|
|
|
|
|
* noted below, the additional information shown here doesn't
|
|
|
|
|
* expose anything not known to an attacker.
|
2010-04-19 21:02:18 +02:00
|
|
|
*/
|
|
|
|
|
{
|
|
|
|
|
char hostinfo[NI_MAXHOST];
|
|
|
|
|
|
|
|
|
|
pg_getnameinfo_all(&port->raddr.addr, port->raddr.salen,
|
|
|
|
|
hostinfo, sizeof(hostinfo),
|
|
|
|
|
NULL, 0,
|
|
|
|
|
NI_NUMERICHOST);
|
|
|
|
|
|
2010-04-21 05:32:53 +02:00
|
|
|
if (am_walsender)
|
|
|
|
|
{
|
|
|
|
|
#ifdef USE_SSL
|
|
|
|
|
ereport(FATAL,
|
Phase 3 of pgindent updates.
Don't move parenthesized lines to the left, even if that means they
flow past the right margin.
By default, BSD indent lines up statement continuation lines that are
within parentheses so that they start just to the right of the preceding
left parenthesis. However, traditionally, if that resulted in the
continuation line extending to the right of the desired right margin,
then indent would push it left just far enough to not overrun the margin,
if it could do so without making the continuation line start to the left of
the current statement indent. That makes for a weird mix of indentations
unless one has been completely rigid about never violating the 80-column
limit.
This behavior has been pretty universally panned by Postgres developers.
Hence, disable it with indent's new -lpl switch, so that parenthesized
lines are always lined up with the preceding left paren.
This patch is much less interesting than the first round of indent
changes, but also bulkier, so I thought it best to separate the effects.
Discussion: https://postgr.es/m/E1dAmxK-0006EE-1r@gemulon.postgresql.org
Discussion: https://postgr.es/m/30527.1495162840@sss.pgh.pa.us
2017-06-21 21:35:54 +02:00
|
|
|
(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
|
|
|
|
|
errmsg("pg_hba.conf rejects replication connection for host \"%s\", user \"%s\", %s",
|
|
|
|
|
hostinfo, port->user_name,
|
|
|
|
|
port->ssl_in_use ? _("SSL on") : _("SSL off"))));
|
2010-04-21 05:32:53 +02:00
|
|
|
#else
|
|
|
|
|
ereport(FATAL,
|
Phase 3 of pgindent updates.
Don't move parenthesized lines to the left, even if that means they
flow past the right margin.
By default, BSD indent lines up statement continuation lines that are
within parentheses so that they start just to the right of the preceding
left parenthesis. However, traditionally, if that resulted in the
continuation line extending to the right of the desired right margin,
then indent would push it left just far enough to not overrun the margin,
if it could do so without making the continuation line start to the left of
the current statement indent. That makes for a weird mix of indentations
unless one has been completely rigid about never violating the 80-column
limit.
This behavior has been pretty universally panned by Postgres developers.
Hence, disable it with indent's new -lpl switch, so that parenthesized
lines are always lined up with the preceding left paren.
This patch is much less interesting than the first round of indent
changes, but also bulkier, so I thought it best to separate the effects.
Discussion: https://postgr.es/m/E1dAmxK-0006EE-1r@gemulon.postgresql.org
Discussion: https://postgr.es/m/30527.1495162840@sss.pgh.pa.us
2017-06-21 21:35:54 +02:00
|
|
|
(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
|
|
|
|
|
errmsg("pg_hba.conf rejects replication connection for host \"%s\", user \"%s\"",
|
|
|
|
|
hostinfo, port->user_name)));
|
2010-04-21 05:32:53 +02:00
|
|
|
#endif
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
2010-04-19 21:02:18 +02:00
|
|
|
#ifdef USE_SSL
|
2010-04-21 05:32:53 +02:00
|
|
|
ereport(FATAL,
|
Phase 3 of pgindent updates.
Don't move parenthesized lines to the left, even if that means they
flow past the right margin.
By default, BSD indent lines up statement continuation lines that are
within parentheses so that they start just to the right of the preceding
left parenthesis. However, traditionally, if that resulted in the
continuation line extending to the right of the desired right margin,
then indent would push it left just far enough to not overrun the margin,
if it could do so without making the continuation line start to the left of
the current statement indent. That makes for a weird mix of indentations
unless one has been completely rigid about never violating the 80-column
limit.
This behavior has been pretty universally panned by Postgres developers.
Hence, disable it with indent's new -lpl switch, so that parenthesized
lines are always lined up with the preceding left paren.
This patch is much less interesting than the first round of indent
changes, but also bulkier, so I thought it best to separate the effects.
Discussion: https://postgr.es/m/E1dAmxK-0006EE-1r@gemulon.postgresql.org
Discussion: https://postgr.es/m/30527.1495162840@sss.pgh.pa.us
2017-06-21 21:35:54 +02:00
|
|
|
(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
|
|
|
|
|
errmsg("pg_hba.conf rejects connection for host \"%s\", user \"%s\", database \"%s\", %s",
|
|
|
|
|
hostinfo, port->user_name,
|
|
|
|
|
port->database_name,
|
|
|
|
|
port->ssl_in_use ? _("SSL on") : _("SSL off"))));
|
2010-04-19 21:02:18 +02:00
|
|
|
#else
|
2010-04-21 05:32:53 +02:00
|
|
|
ereport(FATAL,
|
Phase 3 of pgindent updates.
Don't move parenthesized lines to the left, even if that means they
flow past the right margin.
By default, BSD indent lines up statement continuation lines that are
within parentheses so that they start just to the right of the preceding
left parenthesis. However, traditionally, if that resulted in the
continuation line extending to the right of the desired right margin,
then indent would push it left just far enough to not overrun the margin,
if it could do so without making the continuation line start to the left of
the current statement indent. That makes for a weird mix of indentations
unless one has been completely rigid about never violating the 80-column
limit.
This behavior has been pretty universally panned by Postgres developers.
Hence, disable it with indent's new -lpl switch, so that parenthesized
lines are always lined up with the preceding left paren.
This patch is much less interesting than the first round of indent
changes, but also bulkier, so I thought it best to separate the effects.
Discussion: https://postgr.es/m/E1dAmxK-0006EE-1r@gemulon.postgresql.org
Discussion: https://postgr.es/m/30527.1495162840@sss.pgh.pa.us
2017-06-21 21:35:54 +02:00
|
|
|
(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
|
|
|
|
|
errmsg("pg_hba.conf rejects connection for host \"%s\", user \"%s\", database \"%s\"",
|
|
|
|
|
hostinfo, port->user_name,
|
|
|
|
|
port->database_name)));
|
2010-04-19 21:02:18 +02:00
|
|
|
#endif
|
2010-04-21 05:32:53 +02:00
|
|
|
}
|
2010-04-19 21:02:18 +02:00
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
case uaImplicitReject:
|
|
|
|
|
|
|
|
|
|
/*
|
2010-04-21 05:32:53 +02:00
|
|
|
* No matching entry, so tell the user we fell through.
|
|
|
|
|
*
|
|
|
|
|
* NOTE: the extra info reported here is not a security breach,
|
|
|
|
|
* because all that info is known at the frontend and must be
|
|
|
|
|
* assumed known to bad guys. We're merely helping out the less
|
|
|
|
|
* clueful good guys.
|
2008-08-01 13:41:12 +02:00
|
|
|
*/
|
2007-11-09 18:31:07 +01:00
|
|
|
{
|
2008-08-01 13:41:12 +02:00
|
|
|
char hostinfo[NI_MAXHOST];
|
2007-11-09 18:31:07 +01:00
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
pg_getnameinfo_all(&port->raddr.addr, port->raddr.salen,
|
|
|
|
|
hostinfo, sizeof(hostinfo),
|
|
|
|
|
NULL, 0,
|
|
|
|
|
NI_NUMERICHOST);
|
|
|
|
|
|
2011-07-31 17:03:43 +02:00
|
|
|
#define HOSTNAME_LOOKUP_DETAIL(port) \
|
Fix assorted issues in client host name lookup.
The code for matching clients to pg_hba.conf lines that specify host names
(instead of IP address ranges) failed to complain if reverse DNS lookup
failed; instead it silently didn't match, so that you might end up getting
a surprising "no pg_hba.conf entry for ..." error, as seen in bug #9518
from Mike Blackwell. Since we don't want to make this a fatal error in
situations where pg_hba.conf contains a mixture of host names and IP
addresses (clients matching one of the numeric entries should not have to
have rDNS data), remember the lookup failure and mention it as DETAIL if
we get to "no pg_hba.conf entry". Apply the same approach to forward-DNS
lookup failures, too, rather than treating them as immediate hard errors.
Along the way, fix a couple of bugs that prevented us from detecting an
rDNS lookup error reliably, and make sure that we make only one rDNS lookup
attempt; formerly, if the lookup attempt failed, the code would try again
for each host name entry in pg_hba.conf. Since more or less the whole
point of this design is to ensure there's only one lookup attempt not one
per entry, the latter point represents a performance bug that seems
sufficient justification for back-patching.
Also, adjust src/port/getaddrinfo.c so that it plays as well as it can
with this code. Which is not all that well, since it does not have actual
support for rDNS lookup, but at least it should return the expected (and
required by spec) error codes so that the main code correctly perceives the
lack of functionality as a lookup failure. It's unlikely that PG is still
being used in production on any machines that require our getaddrinfo.c,
so I'm not excited about working harder than this.
To keep the code in the various branches similar, this includes
back-patching commits c424d0d1052cb4053c8712ac44123f9b9a9aa3f2 and
1997f34db4687e671690ed054c8f30bb501b1168 into 9.2 and earlier.
Back-patch to 9.1 where the facility for hostnames in pg_hba.conf was
introduced.
2014-04-02 23:11:24 +02:00
|
|
|
(port->remote_hostname ? \
|
|
|
|
|
(port->remote_hostname_resolv == +1 ? \
|
|
|
|
|
errdetail_log("Client IP address resolved to \"%s\", forward lookup matches.", \
|
|
|
|
|
port->remote_hostname) : \
|
|
|
|
|
port->remote_hostname_resolv == 0 ? \
|
|
|
|
|
errdetail_log("Client IP address resolved to \"%s\", forward lookup not checked.", \
|
|
|
|
|
port->remote_hostname) : \
|
|
|
|
|
port->remote_hostname_resolv == -1 ? \
|
|
|
|
|
errdetail_log("Client IP address resolved to \"%s\", forward lookup does not match.", \
|
|
|
|
|
port->remote_hostname) : \
|
|
|
|
|
port->remote_hostname_resolv == -2 ? \
|
|
|
|
|
errdetail_log("Could not translate client host name \"%s\" to IP address: %s.", \
|
|
|
|
|
port->remote_hostname, \
|
|
|
|
|
gai_strerror(port->remote_hostname_errcode)) : \
|
|
|
|
|
0) \
|
|
|
|
|
: (port->remote_hostname_resolv == -2 ? \
|
|
|
|
|
errdetail_log("Could not resolve client IP address to a host name: %s.", \
|
|
|
|
|
gai_strerror(port->remote_hostname_errcode)) : \
|
|
|
|
|
0))
|
2011-07-31 17:03:43 +02:00
|
|
|
|
2010-04-21 05:32:53 +02:00
|
|
|
if (am_walsender)
|
|
|
|
|
{
|
|
|
|
|
#ifdef USE_SSL
|
|
|
|
|
ereport(FATAL,
|
Phase 3 of pgindent updates.
Don't move parenthesized lines to the left, even if that means they
flow past the right margin.
By default, BSD indent lines up statement continuation lines that are
within parentheses so that they start just to the right of the preceding
left parenthesis. However, traditionally, if that resulted in the
continuation line extending to the right of the desired right margin,
then indent would push it left just far enough to not overrun the margin,
if it could do so without making the continuation line start to the left of
the current statement indent. That makes for a weird mix of indentations
unless one has been completely rigid about never violating the 80-column
limit.
This behavior has been pretty universally panned by Postgres developers.
Hence, disable it with indent's new -lpl switch, so that parenthesized
lines are always lined up with the preceding left paren.
This patch is much less interesting than the first round of indent
changes, but also bulkier, so I thought it best to separate the effects.
Discussion: https://postgr.es/m/E1dAmxK-0006EE-1r@gemulon.postgresql.org
Discussion: https://postgr.es/m/30527.1495162840@sss.pgh.pa.us
2017-06-21 21:35:54 +02:00
|
|
|
(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
|
|
|
|
|
errmsg("no pg_hba.conf entry for replication connection from host \"%s\", user \"%s\", %s",
|
|
|
|
|
hostinfo, port->user_name,
|
|
|
|
|
port->ssl_in_use ? _("SSL on") : _("SSL off")),
|
|
|
|
|
HOSTNAME_LOOKUP_DETAIL(port)));
|
2010-04-21 05:32:53 +02:00
|
|
|
#else
|
|
|
|
|
ereport(FATAL,
|
Phase 3 of pgindent updates.
Don't move parenthesized lines to the left, even if that means they
flow past the right margin.
By default, BSD indent lines up statement continuation lines that are
within parentheses so that they start just to the right of the preceding
left parenthesis. However, traditionally, if that resulted in the
continuation line extending to the right of the desired right margin,
then indent would push it left just far enough to not overrun the margin,
if it could do so without making the continuation line start to the left of
the current statement indent. That makes for a weird mix of indentations
unless one has been completely rigid about never violating the 80-column
limit.
This behavior has been pretty universally panned by Postgres developers.
Hence, disable it with indent's new -lpl switch, so that parenthesized
lines are always lined up with the preceding left paren.
This patch is much less interesting than the first round of indent
changes, but also bulkier, so I thought it best to separate the effects.
Discussion: https://postgr.es/m/E1dAmxK-0006EE-1r@gemulon.postgresql.org
Discussion: https://postgr.es/m/30527.1495162840@sss.pgh.pa.us
2017-06-21 21:35:54 +02:00
|
|
|
(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
|
|
|
|
|
errmsg("no pg_hba.conf entry for replication connection from host \"%s\", user \"%s\"",
|
|
|
|
|
hostinfo, port->user_name),
|
|
|
|
|
HOSTNAME_LOOKUP_DETAIL(port)));
|
2010-04-21 05:32:53 +02:00
|
|
|
#endif
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
2008-08-01 13:41:12 +02:00
|
|
|
#ifdef USE_SSL
|
2010-04-21 05:32:53 +02:00
|
|
|
ereport(FATAL,
|
Phase 3 of pgindent updates.
Don't move parenthesized lines to the left, even if that means they
flow past the right margin.
By default, BSD indent lines up statement continuation lines that are
within parentheses so that they start just to the right of the preceding
left parenthesis. However, traditionally, if that resulted in the
continuation line extending to the right of the desired right margin,
then indent would push it left just far enough to not overrun the margin,
if it could do so without making the continuation line start to the left of
the current statement indent. That makes for a weird mix of indentations
unless one has been completely rigid about never violating the 80-column
limit.
This behavior has been pretty universally panned by Postgres developers.
Hence, disable it with indent's new -lpl switch, so that parenthesized
lines are always lined up with the preceding left paren.
This patch is much less interesting than the first round of indent
changes, but also bulkier, so I thought it best to separate the effects.
Discussion: https://postgr.es/m/E1dAmxK-0006EE-1r@gemulon.postgresql.org
Discussion: https://postgr.es/m/30527.1495162840@sss.pgh.pa.us
2017-06-21 21:35:54 +02:00
|
|
|
(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
|
|
|
|
|
errmsg("no pg_hba.conf entry for host \"%s\", user \"%s\", database \"%s\", %s",
|
|
|
|
|
hostinfo, port->user_name,
|
|
|
|
|
port->database_name,
|
|
|
|
|
port->ssl_in_use ? _("SSL on") : _("SSL off")),
|
|
|
|
|
HOSTNAME_LOOKUP_DETAIL(port)));
|
2008-08-01 13:41:12 +02:00
|
|
|
#else
|
2010-04-21 05:32:53 +02:00
|
|
|
ereport(FATAL,
|
Phase 3 of pgindent updates.
Don't move parenthesized lines to the left, even if that means they
flow past the right margin.
By default, BSD indent lines up statement continuation lines that are
within parentheses so that they start just to the right of the preceding
left parenthesis. However, traditionally, if that resulted in the
continuation line extending to the right of the desired right margin,
then indent would push it left just far enough to not overrun the margin,
if it could do so without making the continuation line start to the left of
the current statement indent. That makes for a weird mix of indentations
unless one has been completely rigid about never violating the 80-column
limit.
This behavior has been pretty universally panned by Postgres developers.
Hence, disable it with indent's new -lpl switch, so that parenthesized
lines are always lined up with the preceding left paren.
This patch is much less interesting than the first round of indent
changes, but also bulkier, so I thought it best to separate the effects.
Discussion: https://postgr.es/m/E1dAmxK-0006EE-1r@gemulon.postgresql.org
Discussion: https://postgr.es/m/30527.1495162840@sss.pgh.pa.us
2017-06-21 21:35:54 +02:00
|
|
|
(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
|
|
|
|
|
errmsg("no pg_hba.conf entry for host \"%s\", user \"%s\", database \"%s\"",
|
|
|
|
|
hostinfo, port->user_name,
|
|
|
|
|
port->database_name),
|
|
|
|
|
HOSTNAME_LOOKUP_DETAIL(port)));
|
2008-08-01 13:41:12 +02:00
|
|
|
#endif
|
2010-04-21 05:32:53 +02:00
|
|
|
}
|
2008-08-01 13:41:12 +02:00
|
|
|
break;
|
2007-11-09 18:31:07 +01:00
|
|
|
}
|
|
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
case uaGSS:
|
2008-10-23 15:31:10 +02:00
|
|
|
#ifdef ENABLE_GSS
|
GSSAPI encryption support
On both the frontend and backend, prepare for GSSAPI encryption
support by moving common code for error handling into a separate file.
Fix a TODO for handling multiple status messages in the process.
Eliminate the OIDs, which have not been needed for some time.
Add frontend and backend encryption support functions. Keep the
context initiation for authentication-only separate on both the
frontend and backend in order to avoid concerns about changing the
requested flags to include encryption support.
In postmaster, pull GSSAPI authorization checking into a shared
function. Also share the initiator name between the encryption and
non-encryption codepaths.
For HBA, add "hostgssenc" and "hostnogssenc" entries that behave
similarly to their SSL counterparts. "hostgssenc" requires either
"gss", "trust", or "reject" for its authentication.
Similarly, add a "gssencmode" parameter to libpq. Supported values are
"disable", "require", and "prefer". Notably, negotiation will only be
attempted if credentials can be acquired. Move credential acquisition
into its own function to support this behavior.
Add a simple pg_stat_gssapi view similar to pg_stat_ssl, for monitoring
if GSSAPI authentication was used, what principal was used, and if
encryption is being used on the connection.
Finally, add documentation for everything new, and update existing
documentation on connection security.
Thanks to Michael Paquier for the Windows fixes.
Author: Robbie Harwood, with changes to the read/write functions by me.
Reviewed in various forms and at different times by: Michael Paquier,
Andres Freund, David Steele.
Discussion: https://www.postgresql.org/message-id/flat/jlg1tgq1ktm.fsf@thriss.redhat.com
2019-04-03 21:02:33 +02:00
|
|
|
port->gss->auth = true;
|
|
|
|
|
if (port->gss->enc)
|
|
|
|
|
status = pg_GSS_checkauth(port);
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
sendAuthRequest(port, AUTH_REQ_GSS, NULL, 0);
|
|
|
|
|
status = pg_GSS_recvauth(port);
|
|
|
|
|
}
|
2008-10-23 15:31:10 +02:00
|
|
|
#else
|
|
|
|
|
Assert(false);
|
|
|
|
|
#endif
|
2008-08-01 13:41:12 +02:00
|
|
|
break;
|
2001-03-22 05:01:46 +01:00
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
case uaSSPI:
|
2008-10-23 15:31:10 +02:00
|
|
|
#ifdef ENABLE_SSPI
|
2016-08-18 12:25:31 +02:00
|
|
|
sendAuthRequest(port, AUTH_REQ_SSPI, NULL, 0);
|
2008-08-01 13:41:12 +02:00
|
|
|
status = pg_SSPI_recvauth(port);
|
2008-10-23 15:31:10 +02:00
|
|
|
#else
|
|
|
|
|
Assert(false);
|
|
|
|
|
#endif
|
2008-08-01 13:41:12 +02:00
|
|
|
break;
|
2000-05-27 06:13:05 +02:00
|
|
|
|
2011-03-19 18:44:35 +01:00
|
|
|
case uaPeer:
|
|
|
|
|
status = auth_peer(port);
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case uaIdent:
|
|
|
|
|
status = ident_inet(port);
|
2008-08-01 13:41:12 +02:00
|
|
|
break;
|
2007-07-10 15:14:22 +02:00
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
case uaMD5:
|
Allow SCRAM authentication, when pg_hba.conf says 'md5'.
If a user has a SCRAM verifier in pg_authid.rolpassword, there's no reason
we cannot attempt to perform SCRAM authentication instead of MD5. The worst
that can happen is that the client doesn't support SCRAM, and the
authentication will fail. But previously, it would fail for sure, because
we would not even try. SCRAM is strictly more secure than MD5, so there's
no harm in trying it. This allows for a more graceful transition from MD5
passwords to SCRAM, as user passwords can be changed to SCRAM verifiers
incrementally, without changing pg_hba.conf.
Refactor the code in auth.c to support that better. Notably, we now have to
look up the user's pg_authid entry before sending the password challenge,
also when performing MD5 authentication. Also simplify the concept of a
"doomed" authentication. Previously, if a user had a password, but it had
expired, we still performed SCRAM authentication (but always returned error
at the end) using the salt and iteration count from the expired password.
Now we construct a fake salt, like we do when the user doesn't have a
password or doesn't exist at all. That simplifies get_role_password(), and
we can don't need to distinguish the "user has expired password", and
"user does not exist" cases in auth.c.
On second thoughts, also rename uaSASL to uaSCRAM. It refers to the
mechanism specified in pg_hba.conf, and while we use SASL for SCRAM
authentication at the protocol level, the mechanism should be called SCRAM,
not SASL. As a comparison, we have uaLDAP, even though it looks like the
plain 'password' authentication at the protocol level.
Discussion: https://www.postgresql.org/message-id/6425.1489506016@sss.pgh.pa.us
Reviewed-by: Michael Paquier
2017-03-24 12:32:21 +01:00
|
|
|
case uaSCRAM:
|
|
|
|
|
status = CheckPWChallengeAuth(port, &logdetail);
|
2008-08-01 13:41:12 +02:00
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case uaPassword:
|
Replace PostmasterRandom() with a stronger source, second attempt.
This adds a new routine, pg_strong_random() for generating random bytes,
for use in both frontend and backend. At the moment, it's only used in
the backend, but the upcoming SCRAM authentication patches need strong
random numbers in libpq as well.
pg_strong_random() is based on, and replaces, the existing implementation
in pgcrypto. It can acquire strong random numbers from a number of sources,
depending on what's available:
- OpenSSL RAND_bytes(), if built with OpenSSL
- On Windows, the native cryptographic functions are used
- /dev/urandom
Unlike the current pgcrypto function, the source is chosen by configure.
That makes it easier to test different implementations, and ensures that
we don't accidentally fall back to a less secure implementation, if the
primary source fails. All of those methods are quite reliable, it would be
pretty surprising for them to fail, so we'd rather find out by failing
hard.
If no strong random source is available, we fall back to using erand48(),
seeded from current timestamp, like PostmasterRandom() was. That isn't
cryptographically secure, but allows us to still work on platforms that
don't have any of the above stronger sources. Because it's not very secure,
the built-in implementation is only used if explicitly requested with
--disable-strong-random.
This replaces the more complicated Fortuna algorithm we used to have in
pgcrypto, which is unfortunate, but all modern platforms have /dev/urandom,
so it doesn't seem worth the maintenance effort to keep that. pgcrypto
functions that require strong random numbers will be disabled with
--disable-strong-random.
Original patch by Magnus Hagander, tons of further work by Michael Paquier
and me.
Discussion: https://www.postgresql.org/message-id/CAB7nPqRy3krN8quR9XujMVVHYtXJ0_60nqgVc6oUk8ygyVkZsA@mail.gmail.com
Discussion: https://www.postgresql.org/message-id/CAB7nPqRWkNYRRPJA7-cF+LfroYV10pvjdz6GNvxk-Eee9FypKA@mail.gmail.com
2016-12-05 12:42:59 +01:00
|
|
|
status = CheckPasswordAuth(port, &logdetail);
|
2008-08-01 13:41:12 +02:00
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case uaPAM:
|
2008-10-23 15:31:10 +02:00
|
|
|
#ifdef USE_PAM
|
2008-08-01 13:41:12 +02:00
|
|
|
status = CheckPAMAuth(port, port->user_name, "");
|
2008-10-23 15:31:10 +02:00
|
|
|
#else
|
|
|
|
|
Assert(false);
|
Phase 2 of pgindent updates.
Change pg_bsd_indent to follow upstream rules for placement of comments
to the right of code, and remove pgindent hack that caused comments
following #endif to not obey the general rule.
Commit e3860ffa4dd0dad0dd9eea4be9cc1412373a8c89 wasn't actually using
the published version of pg_bsd_indent, but a hacked-up version that
tried to minimize the amount of movement of comments to the right of
code. The situation of interest is where such a comment has to be
moved to the right of its default placement at column 33 because there's
code there. BSD indent has always moved right in units of tab stops
in such cases --- but in the previous incarnation, indent was working
in 8-space tab stops, while now it knows we use 4-space tabs. So the
net result is that in about half the cases, such comments are placed
one tab stop left of before. This is better all around: it leaves
more room on the line for comment text, and it means that in such
cases the comment uniformly starts at the next 4-space tab stop after
the code, rather than sometimes one and sometimes two tabs after.
Also, ensure that comments following #endif are indented the same
as comments following other preprocessor commands such as #else.
That inconsistency turns out to have been self-inflicted damage
from a poorly-thought-through post-indent "fixup" in pgindent.
This patch is much less interesting than the first round of indent
changes, but also bulkier, so I thought it best to separate the effects.
Discussion: https://postgr.es/m/E1dAmxK-0006EE-1r@gemulon.postgresql.org
Discussion: https://postgr.es/m/30527.1495162840@sss.pgh.pa.us
2017-06-21 21:18:54 +02:00
|
|
|
#endif /* USE_PAM */
|
2008-10-23 15:31:10 +02:00
|
|
|
break;
|
2008-08-01 13:41:12 +02:00
|
|
|
|
2016-04-08 19:51:54 +02:00
|
|
|
case uaBSD:
|
|
|
|
|
#ifdef USE_BSD_AUTH
|
|
|
|
|
status = CheckBSDAuth(port, port->user_name);
|
|
|
|
|
#else
|
|
|
|
|
Assert(false);
|
Phase 2 of pgindent updates.
Change pg_bsd_indent to follow upstream rules for placement of comments
to the right of code, and remove pgindent hack that caused comments
following #endif to not obey the general rule.
Commit e3860ffa4dd0dad0dd9eea4be9cc1412373a8c89 wasn't actually using
the published version of pg_bsd_indent, but a hacked-up version that
tried to minimize the amount of movement of comments to the right of
code. The situation of interest is where such a comment has to be
moved to the right of its default placement at column 33 because there's
code there. BSD indent has always moved right in units of tab stops
in such cases --- but in the previous incarnation, indent was working
in 8-space tab stops, while now it knows we use 4-space tabs. So the
net result is that in about half the cases, such comments are placed
one tab stop left of before. This is better all around: it leaves
more room on the line for comment text, and it means that in such
cases the comment uniformly starts at the next 4-space tab stop after
the code, rather than sometimes one and sometimes two tabs after.
Also, ensure that comments following #endif are indented the same
as comments following other preprocessor commands such as #else.
That inconsistency turns out to have been self-inflicted damage
from a poorly-thought-through post-indent "fixup" in pgindent.
This patch is much less interesting than the first round of indent
changes, but also bulkier, so I thought it best to separate the effects.
Discussion: https://postgr.es/m/E1dAmxK-0006EE-1r@gemulon.postgresql.org
Discussion: https://postgr.es/m/30527.1495162840@sss.pgh.pa.us
2017-06-21 21:18:54 +02:00
|
|
|
#endif /* USE_BSD_AUTH */
|
2016-04-08 19:51:54 +02:00
|
|
|
break;
|
|
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
case uaLDAP:
|
2008-10-23 15:31:10 +02:00
|
|
|
#ifdef USE_LDAP
|
2008-08-01 13:41:12 +02:00
|
|
|
status = CheckLDAPAuth(port);
|
2008-10-23 15:31:10 +02:00
|
|
|
#else
|
|
|
|
|
Assert(false);
|
2008-11-20 12:48:26 +01:00
|
|
|
#endif
|
|
|
|
|
break;
|
2010-01-27 13:12:00 +01:00
|
|
|
case uaRADIUS:
|
|
|
|
|
status = CheckRADIUSAuth(port);
|
|
|
|
|
break;
|
2019-03-09 21:09:10 +01:00
|
|
|
case uaCert:
|
|
|
|
|
/* uaCert will be treated as if clientcert=verify-full (uaTrust) */
|
2008-08-01 13:41:12 +02:00
|
|
|
case uaTrust:
|
|
|
|
|
status = STATUS_OK;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
2019-03-09 21:09:10 +01:00
|
|
|
if ((status == STATUS_OK && port->hba->clientcert == clientCertFull)
|
|
|
|
|
|| port->hba->auth_method == uaCert)
|
|
|
|
|
{
|
|
|
|
|
/*
|
|
|
|
|
* Make sure we only check the certificate if we use the cert method
|
|
|
|
|
* or verify-full option.
|
|
|
|
|
*/
|
|
|
|
|
#ifdef USE_SSL
|
|
|
|
|
status = CheckCertAuth(port);
|
|
|
|
|
#else
|
|
|
|
|
Assert(false);
|
|
|
|
|
#endif
|
|
|
|
|
}
|
|
|
|
|
|
2010-10-27 03:20:02 +02:00
|
|
|
if (ClientAuthentication_hook)
|
2011-04-10 17:42:00 +02:00
|
|
|
(*ClientAuthentication_hook) (port, status);
|
2010-10-27 03:20:02 +02:00
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
if (status == STATUS_OK)
|
2016-08-18 12:25:31 +02:00
|
|
|
sendAuthRequest(port, AUTH_REQ_OK, NULL, 0);
|
2008-08-01 13:41:12 +02:00
|
|
|
else
|
2014-01-28 03:04:09 +01:00
|
|
|
auth_failed(port, status, logdetail);
|
2008-08-01 13:41:12 +02:00
|
|
|
}
|
|
|
|
|
|
2007-07-10 15:14:22 +02:00
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
/*
|
|
|
|
|
* Send an authentication request packet to the frontend.
|
|
|
|
|
*/
|
2007-07-10 15:14:22 +02:00
|
|
|
static void
|
2017-10-31 15:34:31 +01:00
|
|
|
sendAuthRequest(Port *port, AuthRequest areq, const char *extradata, int extralen)
|
2007-07-10 15:14:22 +02:00
|
|
|
{
|
2008-08-01 13:41:12 +02:00
|
|
|
StringInfoData buf;
|
2007-07-10 15:14:22 +02:00
|
|
|
|
2015-02-03 22:54:48 +01:00
|
|
|
CHECK_FOR_INTERRUPTS();
|
|
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
pq_beginmessage(&buf, 'R');
|
2017-10-12 06:00:46 +02:00
|
|
|
pq_sendint32(&buf, (int32) areq);
|
2016-08-18 12:25:31 +02:00
|
|
|
if (extralen > 0)
|
|
|
|
|
pq_sendbytes(&buf, extradata, extralen);
|
2008-08-01 13:41:12 +02:00
|
|
|
|
|
|
|
|
pq_endmessage(&buf);
|
2007-07-10 15:14:22 +02:00
|
|
|
|
2007-11-15 22:14:46 +01:00
|
|
|
/*
|
Improve the SASL authentication protocol.
This contains some protocol changes to SASL authentiation (which is new
in v10):
* For future-proofing, in the AuthenticationSASL message that begins SASL
authentication, provide a list of SASL mechanisms that the server
supports, for the client to choose from. Currently, it's always just
SCRAM-SHA-256.
* Add a separate authentication message type for the final server->client
SASL message, which the client doesn't need to respond to. This makes
it unambiguous whether the client is supposed to send a response or not.
The SASL mechanism should know that anyway, but better to be explicit.
Also, in the server, support clients that don't send an Initial Client
response in the first SASLInitialResponse message. The server is supposed
to first send an empty request in that case, to which the client will
respond with the data that usually comes in the Initial Client Response.
libpq uses the Initial Client Response field and doesn't need this, and I
would assume any other sensible implementation to use Initial Client
Response, too, but let's follow the SASL spec.
Improve the documentation on SASL authentication in protocol. Add a
section describing the SASL message flow, and some details on our
SCRAM-SHA-256 implementation.
Document the different kinds of PasswordMessages that the frontend sends
in different phases of SASL authentication, as well as GSS/SSPI
authentication as separate message formats. Even though they're all 'p'
messages, and the exact format depends on the context, describing them as
separate message formats makes the documentation more clear.
Reviewed by Michael Paquier and Álvaro Hernández Tortosa.
Discussion: https://www.postgresql.org/message-id/CAB7nPqS-aFg0iM3AQOJwKDv_0WkAedRjs1W2X8EixSz+sKBXCQ@mail.gmail.com
2017-04-13 18:34:16 +02:00
|
|
|
* Flush message so client will see it, except for AUTH_REQ_OK and
|
|
|
|
|
* AUTH_REQ_SASL_FIN, which need not be sent until we are ready for
|
|
|
|
|
* queries.
|
2007-11-15 22:14:46 +01:00
|
|
|
*/
|
Improve the SASL authentication protocol.
This contains some protocol changes to SASL authentiation (which is new
in v10):
* For future-proofing, in the AuthenticationSASL message that begins SASL
authentication, provide a list of SASL mechanisms that the server
supports, for the client to choose from. Currently, it's always just
SCRAM-SHA-256.
* Add a separate authentication message type for the final server->client
SASL message, which the client doesn't need to respond to. This makes
it unambiguous whether the client is supposed to send a response or not.
The SASL mechanism should know that anyway, but better to be explicit.
Also, in the server, support clients that don't send an Initial Client
response in the first SASLInitialResponse message. The server is supposed
to first send an empty request in that case, to which the client will
respond with the data that usually comes in the Initial Client Response.
libpq uses the Initial Client Response field and doesn't need this, and I
would assume any other sensible implementation to use Initial Client
Response, too, but let's follow the SASL spec.
Improve the documentation on SASL authentication in protocol. Add a
section describing the SASL message flow, and some details on our
SCRAM-SHA-256 implementation.
Document the different kinds of PasswordMessages that the frontend sends
in different phases of SASL authentication, as well as GSS/SSPI
authentication as separate message formats. Even though they're all 'p'
messages, and the exact format depends on the context, describing them as
separate message formats makes the documentation more clear.
Reviewed by Michael Paquier and Álvaro Hernández Tortosa.
Discussion: https://www.postgresql.org/message-id/CAB7nPqS-aFg0iM3AQOJwKDv_0WkAedRjs1W2X8EixSz+sKBXCQ@mail.gmail.com
2017-04-13 18:34:16 +02:00
|
|
|
if (areq != AUTH_REQ_OK && areq != AUTH_REQ_SASL_FIN)
|
2008-08-01 13:41:12 +02:00
|
|
|
pq_flush();
|
2015-02-03 22:54:48 +01:00
|
|
|
|
|
|
|
|
CHECK_FOR_INTERRUPTS();
|
2007-07-10 15:14:22 +02:00
|
|
|
}
|
|
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
/*
|
|
|
|
|
* Collect password response packet from frontend.
|
|
|
|
|
*
|
|
|
|
|
* Returns NULL if couldn't get password, else palloc'd string.
|
|
|
|
|
*/
|
|
|
|
|
static char *
|
|
|
|
|
recv_password_packet(Port *port)
|
2007-07-10 15:14:22 +02:00
|
|
|
{
|
2007-11-15 22:14:46 +01:00
|
|
|
StringInfoData buf;
|
2008-02-08 18:58:46 +01:00
|
|
|
|
Be more careful to not lose sync in the FE/BE protocol.
If any error occurred while we were in the middle of reading a protocol
message from the client, we could lose sync, and incorrectly try to
interpret a part of another message as a new protocol message. That will
usually lead to an "invalid frontend message" error that terminates the
connection. However, this is a security issue because an attacker might
be able to deliberately cause an error, inject a Query message in what's
supposed to be just user data, and have the server execute it.
We were quite careful to not have CHECK_FOR_INTERRUPTS() calls or other
operations that could ereport(ERROR) in the middle of processing a message,
but a query cancel interrupt or statement timeout could nevertheless cause
it to happen. Also, the V2 fastpath and COPY handling were not so careful.
It's very difficult to recover in the V2 COPY protocol, so we will just
terminate the connection on error. In practice, that's what happened
previously anyway, as we lost protocol sync.
To fix, add a new variable in pqcomm.c, PqCommReadingMsg, that is set
whenever we're in the middle of reading a message. When it's set, we cannot
safely ERROR out and continue running, because we might've read only part
of a message. PqCommReadingMsg acts somewhat similarly to critical sections
in that if an error occurs while it's set, the error handler will force the
connection to be terminated, as if the error was FATAL. It's not
implemented by promoting ERROR to FATAL in elog.c, like ERROR is promoted
to PANIC in critical sections, because we want to be able to use
PG_TRY/CATCH to recover and regain protocol sync. pq_getmessage() takes
advantage of that to prevent an OOM error from terminating the connection.
To prevent unnecessary connection terminations, add a holdoff mechanism
similar to HOLD/RESUME_INTERRUPTS() that can be used hold off query cancel
interrupts, but still allow die interrupts. The rules on which interrupts
are processed when are now a bit more complicated, so refactor
ProcessInterrupts() and the calls to it in signal handlers so that the
signal handlers always call it if ImmediateInterruptOK is set, and
ProcessInterrupts() can decide to not do anything if the other conditions
are not met.
Reported by Emil Lenngren. Patch reviewed by Noah Misch and Andres Freund.
Backpatch to all supported versions.
Security: CVE-2015-0244
2015-02-02 16:08:45 +01:00
|
|
|
pq_startmsgread();
|
2008-08-01 13:41:12 +02:00
|
|
|
if (PG_PROTOCOL_MAJOR(port->proto) >= 3)
|
2007-07-10 15:14:22 +02:00
|
|
|
{
|
2008-08-01 13:41:12 +02:00
|
|
|
/* Expect 'p' message type */
|
|
|
|
|
int mtype;
|
2008-01-30 05:11:19 +01:00
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
mtype = pq_getbyte();
|
|
|
|
|
if (mtype != 'p')
|
|
|
|
|
{
|
|
|
|
|
/*
|
|
|
|
|
* If the client just disconnects without offering a password,
|
|
|
|
|
* don't make a log entry. This is legal per protocol spec and in
|
|
|
|
|
* fact commonly done by psql, so complaining just clutters the
|
|
|
|
|
* log.
|
|
|
|
|
*/
|
|
|
|
|
if (mtype != EOF)
|
2017-06-08 18:54:22 +02:00
|
|
|
ereport(ERROR,
|
2008-08-01 13:41:12 +02:00
|
|
|
(errcode(ERRCODE_PROTOCOL_VIOLATION),
|
Phase 3 of pgindent updates.
Don't move parenthesized lines to the left, even if that means they
flow past the right margin.
By default, BSD indent lines up statement continuation lines that are
within parentheses so that they start just to the right of the preceding
left parenthesis. However, traditionally, if that resulted in the
continuation line extending to the right of the desired right margin,
then indent would push it left just far enough to not overrun the margin,
if it could do so without making the continuation line start to the left of
the current statement indent. That makes for a weird mix of indentations
unless one has been completely rigid about never violating the 80-column
limit.
This behavior has been pretty universally panned by Postgres developers.
Hence, disable it with indent's new -lpl switch, so that parenthesized
lines are always lined up with the preceding left paren.
This patch is much less interesting than the first round of indent
changes, but also bulkier, so I thought it best to separate the effects.
Discussion: https://postgr.es/m/E1dAmxK-0006EE-1r@gemulon.postgresql.org
Discussion: https://postgr.es/m/30527.1495162840@sss.pgh.pa.us
2017-06-21 21:35:54 +02:00
|
|
|
errmsg("expected password response, got message type %d",
|
|
|
|
|
mtype)));
|
2008-08-01 13:41:12 +02:00
|
|
|
return NULL; /* EOF or bad message type */
|
2007-07-10 15:14:22 +02:00
|
|
|
}
|
|
|
|
|
}
|
2008-08-01 13:41:12 +02:00
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
/* For pre-3.0 clients, avoid log entry if they just disconnect */
|
|
|
|
|
if (pq_peekbyte() == EOF)
|
|
|
|
|
return NULL; /* EOF */
|
|
|
|
|
}
|
2007-07-10 15:14:22 +02:00
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
initStringInfo(&buf);
|
Phase 2 of pgindent updates.
Change pg_bsd_indent to follow upstream rules for placement of comments
to the right of code, and remove pgindent hack that caused comments
following #endif to not obey the general rule.
Commit e3860ffa4dd0dad0dd9eea4be9cc1412373a8c89 wasn't actually using
the published version of pg_bsd_indent, but a hacked-up version that
tried to minimize the amount of movement of comments to the right of
code. The situation of interest is where such a comment has to be
moved to the right of its default placement at column 33 because there's
code there. BSD indent has always moved right in units of tab stops
in such cases --- but in the previous incarnation, indent was working
in 8-space tab stops, while now it knows we use 4-space tabs. So the
net result is that in about half the cases, such comments are placed
one tab stop left of before. This is better all around: it leaves
more room on the line for comment text, and it means that in such
cases the comment uniformly starts at the next 4-space tab stop after
the code, rather than sometimes one and sometimes two tabs after.
Also, ensure that comments following #endif are indented the same
as comments following other preprocessor commands such as #else.
That inconsistency turns out to have been self-inflicted damage
from a poorly-thought-through post-indent "fixup" in pgindent.
This patch is much less interesting than the first round of indent
changes, but also bulkier, so I thought it best to separate the effects.
Discussion: https://postgr.es/m/E1dAmxK-0006EE-1r@gemulon.postgresql.org
Discussion: https://postgr.es/m/30527.1495162840@sss.pgh.pa.us
2017-06-21 21:18:54 +02:00
|
|
|
if (pq_getmessage(&buf, 1000)) /* receive password */
|
2008-08-01 13:41:12 +02:00
|
|
|
{
|
|
|
|
|
/* EOF - pq_getmessage already logged a suitable message */
|
|
|
|
|
pfree(buf.data);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
2007-07-10 15:14:22 +02:00
|
|
|
|
|
|
|
|
/*
|
2008-08-01 13:41:12 +02:00
|
|
|
* Apply sanity check: password packet length should agree with length of
|
|
|
|
|
* contained string. Note it is safe to use strlen here because
|
|
|
|
|
* StringInfo is guaranteed to have an appended '\0'.
|
2007-07-10 15:14:22 +02:00
|
|
|
*/
|
2008-08-01 13:41:12 +02:00
|
|
|
if (strlen(buf.data) + 1 != buf.len)
|
2017-06-08 18:54:22 +02:00
|
|
|
ereport(ERROR,
|
2008-08-01 13:41:12 +02:00
|
|
|
(errcode(ERRCODE_PROTOCOL_VIOLATION),
|
|
|
|
|
errmsg("invalid password packet size")));
|
|
|
|
|
|
Don't allow logging in with empty password.
Some authentication methods allowed it, others did not. In the client-side,
libpq does not even try to authenticate with an empty password, which makes
using empty passwords hazardous: an administrator might think that an
account with an empty password cannot be used to log in, because psql
doesn't allow it, and not realize that a different client would in fact
allow it. To clear that confusion and to be be consistent, disallow empty
passwords in all authentication methods.
All the authentication methods that used plaintext authentication over the
wire, except for BSD authentication, already checked that the password
received from the user was not empty. To avoid forgetting it in the future
again, move the check to the recv_password_packet function. That only
forbids using an empty password with plaintext authentication, however.
MD5 and SCRAM need a different fix:
* In stable branches, check that the MD5 hash stored for the user does not
not correspond to an empty string. This adds some overhead to MD5
authentication, because the server needs to compute an extra MD5 hash, but
it is not noticeable in practice.
* In HEAD, modify CREATE and ALTER ROLE to clear the password if an empty
string, or a password hash that corresponds to an empty string, is
specified. The user-visible behavior is the same as in the stable branches,
the user cannot log in, but it seems better to stop the empty password from
entering the system in the first place. Secondly, it is fairly expensive to
check that a SCRAM hash doesn't correspond to an empty string, because
computing a SCRAM hash is much more expensive than an MD5 hash by design,
so better avoid doing that on every authentication.
We could clear the password on CREATE/ALTER ROLE also in stable branches,
but we would still need to check at authentication time, because even if we
prevent empty passwords from being stored in pg_authid, there might be
existing ones there already.
Reported by Jeroen van der Ham, Ben de Graaff and Jelte Fennema.
Security: CVE-2017-7546
2017-08-07 16:03:42 +02:00
|
|
|
/*
|
|
|
|
|
* Don't allow an empty password. Libpq treats an empty password the same
|
|
|
|
|
* as no password at all, and won't even try to authenticate. But other
|
|
|
|
|
* clients might, so allowing it would be confusing.
|
|
|
|
|
*
|
|
|
|
|
* Note that this only catches an empty password sent by the client in
|
|
|
|
|
* plaintext. There's also a check in CREATE/ALTER USER that prevents an
|
|
|
|
|
* empty string from being stored as a user's password in the first place.
|
|
|
|
|
* We rely on that for MD5 and SCRAM authentication, but we still need
|
|
|
|
|
* this check here, to prevent an empty password from being used with
|
|
|
|
|
* authentication methods that check the password against an external
|
|
|
|
|
* system, like PAM, LDAP and RADIUS.
|
|
|
|
|
*/
|
|
|
|
|
if (buf.len == 1)
|
|
|
|
|
ereport(ERROR,
|
|
|
|
|
(errcode(ERRCODE_INVALID_PASSWORD),
|
|
|
|
|
errmsg("empty password returned by client")));
|
|
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
/* Do not echo password to logs, for security. */
|
2015-11-17 03:16:42 +01:00
|
|
|
elog(DEBUG5, "received password packet");
|
2007-07-10 15:14:22 +02:00
|
|
|
|
|
|
|
|
/*
|
2014-05-06 18:12:18 +02:00
|
|
|
* Return the received string. Note we do not attempt to do any
|
2008-08-01 13:41:12 +02:00
|
|
|
* character-set conversion on it; since we don't yet know the client's
|
|
|
|
|
* encoding, there wouldn't be much point.
|
2007-07-10 15:14:22 +02:00
|
|
|
*/
|
2008-08-01 13:41:12 +02:00
|
|
|
return buf.data;
|
|
|
|
|
}
|
2007-07-10 15:14:22 +02:00
|
|
|
|
|
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
/*----------------------------------------------------------------
|
Allow SCRAM authentication, when pg_hba.conf says 'md5'.
If a user has a SCRAM verifier in pg_authid.rolpassword, there's no reason
we cannot attempt to perform SCRAM authentication instead of MD5. The worst
that can happen is that the client doesn't support SCRAM, and the
authentication will fail. But previously, it would fail for sure, because
we would not even try. SCRAM is strictly more secure than MD5, so there's
no harm in trying it. This allows for a more graceful transition from MD5
passwords to SCRAM, as user passwords can be changed to SCRAM verifiers
incrementally, without changing pg_hba.conf.
Refactor the code in auth.c to support that better. Notably, we now have to
look up the user's pg_authid entry before sending the password challenge,
also when performing MD5 authentication. Also simplify the concept of a
"doomed" authentication. Previously, if a user had a password, but it had
expired, we still performed SCRAM authentication (but always returned error
at the end) using the salt and iteration count from the expired password.
Now we construct a fake salt, like we do when the user doesn't have a
password or doesn't exist at all. That simplifies get_role_password(), and
we can don't need to distinguish the "user has expired password", and
"user does not exist" cases in auth.c.
On second thoughts, also rename uaSASL to uaSCRAM. It refers to the
mechanism specified in pg_hba.conf, and while we use SASL for SCRAM
authentication at the protocol level, the mechanism should be called SCRAM,
not SASL. As a comparison, we have uaLDAP, even though it looks like the
plain 'password' authentication at the protocol level.
Discussion: https://www.postgresql.org/message-id/6425.1489506016@sss.pgh.pa.us
Reviewed-by: Michael Paquier
2017-03-24 12:32:21 +01:00
|
|
|
* Password-based authentication mechanisms
|
2008-08-01 13:41:12 +02:00
|
|
|
*----------------------------------------------------------------
|
|
|
|
|
*/
|
2007-07-10 15:14:22 +02:00
|
|
|
|
Allow SCRAM authentication, when pg_hba.conf says 'md5'.
If a user has a SCRAM verifier in pg_authid.rolpassword, there's no reason
we cannot attempt to perform SCRAM authentication instead of MD5. The worst
that can happen is that the client doesn't support SCRAM, and the
authentication will fail. But previously, it would fail for sure, because
we would not even try. SCRAM is strictly more secure than MD5, so there's
no harm in trying it. This allows for a more graceful transition from MD5
passwords to SCRAM, as user passwords can be changed to SCRAM verifiers
incrementally, without changing pg_hba.conf.
Refactor the code in auth.c to support that better. Notably, we now have to
look up the user's pg_authid entry before sending the password challenge,
also when performing MD5 authentication. Also simplify the concept of a
"doomed" authentication. Previously, if a user had a password, but it had
expired, we still performed SCRAM authentication (but always returned error
at the end) using the salt and iteration count from the expired password.
Now we construct a fake salt, like we do when the user doesn't have a
password or doesn't exist at all. That simplifies get_role_password(), and
we can don't need to distinguish the "user has expired password", and
"user does not exist" cases in auth.c.
On second thoughts, also rename uaSASL to uaSCRAM. It refers to the
mechanism specified in pg_hba.conf, and while we use SASL for SCRAM
authentication at the protocol level, the mechanism should be called SCRAM,
not SASL. As a comparison, we have uaLDAP, even though it looks like the
plain 'password' authentication at the protocol level.
Discussion: https://www.postgresql.org/message-id/6425.1489506016@sss.pgh.pa.us
Reviewed-by: Michael Paquier
2017-03-24 12:32:21 +01:00
|
|
|
/*
|
|
|
|
|
* Plaintext password authentication.
|
|
|
|
|
*/
|
Replace PostmasterRandom() with a stronger source, second attempt.
This adds a new routine, pg_strong_random() for generating random bytes,
for use in both frontend and backend. At the moment, it's only used in
the backend, but the upcoming SCRAM authentication patches need strong
random numbers in libpq as well.
pg_strong_random() is based on, and replaces, the existing implementation
in pgcrypto. It can acquire strong random numbers from a number of sources,
depending on what's available:
- OpenSSL RAND_bytes(), if built with OpenSSL
- On Windows, the native cryptographic functions are used
- /dev/urandom
Unlike the current pgcrypto function, the source is chosen by configure.
That makes it easier to test different implementations, and ensures that
we don't accidentally fall back to a less secure implementation, if the
primary source fails. All of those methods are quite reliable, it would be
pretty surprising for them to fail, so we'd rather find out by failing
hard.
If no strong random source is available, we fall back to using erand48(),
seeded from current timestamp, like PostmasterRandom() was. That isn't
cryptographically secure, but allows us to still work on platforms that
don't have any of the above stronger sources. Because it's not very secure,
the built-in implementation is only used if explicitly requested with
--disable-strong-random.
This replaces the more complicated Fortuna algorithm we used to have in
pgcrypto, which is unfortunate, but all modern platforms have /dev/urandom,
so it doesn't seem worth the maintenance effort to keep that. pgcrypto
functions that require strong random numbers will be disabled with
--disable-strong-random.
Original patch by Magnus Hagander, tons of further work by Michael Paquier
and me.
Discussion: https://www.postgresql.org/message-id/CAB7nPqRy3krN8quR9XujMVVHYtXJ0_60nqgVc6oUk8ygyVkZsA@mail.gmail.com
Discussion: https://www.postgresql.org/message-id/CAB7nPqRWkNYRRPJA7-cF+LfroYV10pvjdz6GNvxk-Eee9FypKA@mail.gmail.com
2016-12-05 12:42:59 +01:00
|
|
|
static int
|
Allow SCRAM authentication, when pg_hba.conf says 'md5'.
If a user has a SCRAM verifier in pg_authid.rolpassword, there's no reason
we cannot attempt to perform SCRAM authentication instead of MD5. The worst
that can happen is that the client doesn't support SCRAM, and the
authentication will fail. But previously, it would fail for sure, because
we would not even try. SCRAM is strictly more secure than MD5, so there's
no harm in trying it. This allows for a more graceful transition from MD5
passwords to SCRAM, as user passwords can be changed to SCRAM verifiers
incrementally, without changing pg_hba.conf.
Refactor the code in auth.c to support that better. Notably, we now have to
look up the user's pg_authid entry before sending the password challenge,
also when performing MD5 authentication. Also simplify the concept of a
"doomed" authentication. Previously, if a user had a password, but it had
expired, we still performed SCRAM authentication (but always returned error
at the end) using the salt and iteration count from the expired password.
Now we construct a fake salt, like we do when the user doesn't have a
password or doesn't exist at all. That simplifies get_role_password(), and
we can don't need to distinguish the "user has expired password", and
"user does not exist" cases in auth.c.
On second thoughts, also rename uaSASL to uaSCRAM. It refers to the
mechanism specified in pg_hba.conf, and while we use SASL for SCRAM
authentication at the protocol level, the mechanism should be called SCRAM,
not SASL. As a comparison, we have uaLDAP, even though it looks like the
plain 'password' authentication at the protocol level.
Discussion: https://www.postgresql.org/message-id/6425.1489506016@sss.pgh.pa.us
Reviewed-by: Michael Paquier
2017-03-24 12:32:21 +01:00
|
|
|
CheckPasswordAuth(Port *port, char **logdetail)
|
Replace PostmasterRandom() with a stronger source, second attempt.
This adds a new routine, pg_strong_random() for generating random bytes,
for use in both frontend and backend. At the moment, it's only used in
the backend, but the upcoming SCRAM authentication patches need strong
random numbers in libpq as well.
pg_strong_random() is based on, and replaces, the existing implementation
in pgcrypto. It can acquire strong random numbers from a number of sources,
depending on what's available:
- OpenSSL RAND_bytes(), if built with OpenSSL
- On Windows, the native cryptographic functions are used
- /dev/urandom
Unlike the current pgcrypto function, the source is chosen by configure.
That makes it easier to test different implementations, and ensures that
we don't accidentally fall back to a less secure implementation, if the
primary source fails. All of those methods are quite reliable, it would be
pretty surprising for them to fail, so we'd rather find out by failing
hard.
If no strong random source is available, we fall back to using erand48(),
seeded from current timestamp, like PostmasterRandom() was. That isn't
cryptographically secure, but allows us to still work on platforms that
don't have any of the above stronger sources. Because it's not very secure,
the built-in implementation is only used if explicitly requested with
--disable-strong-random.
This replaces the more complicated Fortuna algorithm we used to have in
pgcrypto, which is unfortunate, but all modern platforms have /dev/urandom,
so it doesn't seem worth the maintenance effort to keep that. pgcrypto
functions that require strong random numbers will be disabled with
--disable-strong-random.
Original patch by Magnus Hagander, tons of further work by Michael Paquier
and me.
Discussion: https://www.postgresql.org/message-id/CAB7nPqRy3krN8quR9XujMVVHYtXJ0_60nqgVc6oUk8ygyVkZsA@mail.gmail.com
Discussion: https://www.postgresql.org/message-id/CAB7nPqRWkNYRRPJA7-cF+LfroYV10pvjdz6GNvxk-Eee9FypKA@mail.gmail.com
2016-12-05 12:42:59 +01:00
|
|
|
{
|
|
|
|
|
char *passwd;
|
|
|
|
|
int result;
|
Allow SCRAM authentication, when pg_hba.conf says 'md5'.
If a user has a SCRAM verifier in pg_authid.rolpassword, there's no reason
we cannot attempt to perform SCRAM authentication instead of MD5. The worst
that can happen is that the client doesn't support SCRAM, and the
authentication will fail. But previously, it would fail for sure, because
we would not even try. SCRAM is strictly more secure than MD5, so there's
no harm in trying it. This allows for a more graceful transition from MD5
passwords to SCRAM, as user passwords can be changed to SCRAM verifiers
incrementally, without changing pg_hba.conf.
Refactor the code in auth.c to support that better. Notably, we now have to
look up the user's pg_authid entry before sending the password challenge,
also when performing MD5 authentication. Also simplify the concept of a
"doomed" authentication. Previously, if a user had a password, but it had
expired, we still performed SCRAM authentication (but always returned error
at the end) using the salt and iteration count from the expired password.
Now we construct a fake salt, like we do when the user doesn't have a
password or doesn't exist at all. That simplifies get_role_password(), and
we can don't need to distinguish the "user has expired password", and
"user does not exist" cases in auth.c.
On second thoughts, also rename uaSASL to uaSCRAM. It refers to the
mechanism specified in pg_hba.conf, and while we use SASL for SCRAM
authentication at the protocol level, the mechanism should be called SCRAM,
not SASL. As a comparison, we have uaLDAP, even though it looks like the
plain 'password' authentication at the protocol level.
Discussion: https://www.postgresql.org/message-id/6425.1489506016@sss.pgh.pa.us
Reviewed-by: Michael Paquier
2017-03-24 12:32:21 +01:00
|
|
|
char *shadow_pass;
|
Replace PostmasterRandom() with a stronger source, second attempt.
This adds a new routine, pg_strong_random() for generating random bytes,
for use in both frontend and backend. At the moment, it's only used in
the backend, but the upcoming SCRAM authentication patches need strong
random numbers in libpq as well.
pg_strong_random() is based on, and replaces, the existing implementation
in pgcrypto. It can acquire strong random numbers from a number of sources,
depending on what's available:
- OpenSSL RAND_bytes(), if built with OpenSSL
- On Windows, the native cryptographic functions are used
- /dev/urandom
Unlike the current pgcrypto function, the source is chosen by configure.
That makes it easier to test different implementations, and ensures that
we don't accidentally fall back to a less secure implementation, if the
primary source fails. All of those methods are quite reliable, it would be
pretty surprising for them to fail, so we'd rather find out by failing
hard.
If no strong random source is available, we fall back to using erand48(),
seeded from current timestamp, like PostmasterRandom() was. That isn't
cryptographically secure, but allows us to still work on platforms that
don't have any of the above stronger sources. Because it's not very secure,
the built-in implementation is only used if explicitly requested with
--disable-strong-random.
This replaces the more complicated Fortuna algorithm we used to have in
pgcrypto, which is unfortunate, but all modern platforms have /dev/urandom,
so it doesn't seem worth the maintenance effort to keep that. pgcrypto
functions that require strong random numbers will be disabled with
--disable-strong-random.
Original patch by Magnus Hagander, tons of further work by Michael Paquier
and me.
Discussion: https://www.postgresql.org/message-id/CAB7nPqRy3krN8quR9XujMVVHYtXJ0_60nqgVc6oUk8ygyVkZsA@mail.gmail.com
Discussion: https://www.postgresql.org/message-id/CAB7nPqRWkNYRRPJA7-cF+LfroYV10pvjdz6GNvxk-Eee9FypKA@mail.gmail.com
2016-12-05 12:42:59 +01:00
|
|
|
|
Allow SCRAM authentication, when pg_hba.conf says 'md5'.
If a user has a SCRAM verifier in pg_authid.rolpassword, there's no reason
we cannot attempt to perform SCRAM authentication instead of MD5. The worst
that can happen is that the client doesn't support SCRAM, and the
authentication will fail. But previously, it would fail for sure, because
we would not even try. SCRAM is strictly more secure than MD5, so there's
no harm in trying it. This allows for a more graceful transition from MD5
passwords to SCRAM, as user passwords can be changed to SCRAM verifiers
incrementally, without changing pg_hba.conf.
Refactor the code in auth.c to support that better. Notably, we now have to
look up the user's pg_authid entry before sending the password challenge,
also when performing MD5 authentication. Also simplify the concept of a
"doomed" authentication. Previously, if a user had a password, but it had
expired, we still performed SCRAM authentication (but always returned error
at the end) using the salt and iteration count from the expired password.
Now we construct a fake salt, like we do when the user doesn't have a
password or doesn't exist at all. That simplifies get_role_password(), and
we can don't need to distinguish the "user has expired password", and
"user does not exist" cases in auth.c.
On second thoughts, also rename uaSASL to uaSCRAM. It refers to the
mechanism specified in pg_hba.conf, and while we use SASL for SCRAM
authentication at the protocol level, the mechanism should be called SCRAM,
not SASL. As a comparison, we have uaLDAP, even though it looks like the
plain 'password' authentication at the protocol level.
Discussion: https://www.postgresql.org/message-id/6425.1489506016@sss.pgh.pa.us
Reviewed-by: Michael Paquier
2017-03-24 12:32:21 +01:00
|
|
|
sendAuthRequest(port, AUTH_REQ_PASSWORD, NULL, 0);
|
Replace PostmasterRandom() with a stronger source, second attempt.
This adds a new routine, pg_strong_random() for generating random bytes,
for use in both frontend and backend. At the moment, it's only used in
the backend, but the upcoming SCRAM authentication patches need strong
random numbers in libpq as well.
pg_strong_random() is based on, and replaces, the existing implementation
in pgcrypto. It can acquire strong random numbers from a number of sources,
depending on what's available:
- OpenSSL RAND_bytes(), if built with OpenSSL
- On Windows, the native cryptographic functions are used
- /dev/urandom
Unlike the current pgcrypto function, the source is chosen by configure.
That makes it easier to test different implementations, and ensures that
we don't accidentally fall back to a less secure implementation, if the
primary source fails. All of those methods are quite reliable, it would be
pretty surprising for them to fail, so we'd rather find out by failing
hard.
If no strong random source is available, we fall back to using erand48(),
seeded from current timestamp, like PostmasterRandom() was. That isn't
cryptographically secure, but allows us to still work on platforms that
don't have any of the above stronger sources. Because it's not very secure,
the built-in implementation is only used if explicitly requested with
--disable-strong-random.
This replaces the more complicated Fortuna algorithm we used to have in
pgcrypto, which is unfortunate, but all modern platforms have /dev/urandom,
so it doesn't seem worth the maintenance effort to keep that. pgcrypto
functions that require strong random numbers will be disabled with
--disable-strong-random.
Original patch by Magnus Hagander, tons of further work by Michael Paquier
and me.
Discussion: https://www.postgresql.org/message-id/CAB7nPqRy3krN8quR9XujMVVHYtXJ0_60nqgVc6oUk8ygyVkZsA@mail.gmail.com
Discussion: https://www.postgresql.org/message-id/CAB7nPqRWkNYRRPJA7-cF+LfroYV10pvjdz6GNvxk-Eee9FypKA@mail.gmail.com
2016-12-05 12:42:59 +01:00
|
|
|
|
|
|
|
|
passwd = recv_password_packet(port);
|
|
|
|
|
if (passwd == NULL)
|
|
|
|
|
return STATUS_EOF; /* client wouldn't send password */
|
|
|
|
|
|
Allow SCRAM authentication, when pg_hba.conf says 'md5'.
If a user has a SCRAM verifier in pg_authid.rolpassword, there's no reason
we cannot attempt to perform SCRAM authentication instead of MD5. The worst
that can happen is that the client doesn't support SCRAM, and the
authentication will fail. But previously, it would fail for sure, because
we would not even try. SCRAM is strictly more secure than MD5, so there's
no harm in trying it. This allows for a more graceful transition from MD5
passwords to SCRAM, as user passwords can be changed to SCRAM verifiers
incrementally, without changing pg_hba.conf.
Refactor the code in auth.c to support that better. Notably, we now have to
look up the user's pg_authid entry before sending the password challenge,
also when performing MD5 authentication. Also simplify the concept of a
"doomed" authentication. Previously, if a user had a password, but it had
expired, we still performed SCRAM authentication (but always returned error
at the end) using the salt and iteration count from the expired password.
Now we construct a fake salt, like we do when the user doesn't have a
password or doesn't exist at all. That simplifies get_role_password(), and
we can don't need to distinguish the "user has expired password", and
"user does not exist" cases in auth.c.
On second thoughts, also rename uaSASL to uaSCRAM. It refers to the
mechanism specified in pg_hba.conf, and while we use SASL for SCRAM
authentication at the protocol level, the mechanism should be called SCRAM,
not SASL. As a comparison, we have uaLDAP, even though it looks like the
plain 'password' authentication at the protocol level.
Discussion: https://www.postgresql.org/message-id/6425.1489506016@sss.pgh.pa.us
Reviewed-by: Michael Paquier
2017-03-24 12:32:21 +01:00
|
|
|
shadow_pass = get_role_password(port->user_name, logdetail);
|
|
|
|
|
if (shadow_pass)
|
|
|
|
|
{
|
|
|
|
|
result = plain_crypt_verify(port->user_name, shadow_pass, passwd,
|
|
|
|
|
logdetail);
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
result = STATUS_ERROR;
|
Replace PostmasterRandom() with a stronger source, second attempt.
This adds a new routine, pg_strong_random() for generating random bytes,
for use in both frontend and backend. At the moment, it's only used in
the backend, but the upcoming SCRAM authentication patches need strong
random numbers in libpq as well.
pg_strong_random() is based on, and replaces, the existing implementation
in pgcrypto. It can acquire strong random numbers from a number of sources,
depending on what's available:
- OpenSSL RAND_bytes(), if built with OpenSSL
- On Windows, the native cryptographic functions are used
- /dev/urandom
Unlike the current pgcrypto function, the source is chosen by configure.
That makes it easier to test different implementations, and ensures that
we don't accidentally fall back to a less secure implementation, if the
primary source fails. All of those methods are quite reliable, it would be
pretty surprising for them to fail, so we'd rather find out by failing
hard.
If no strong random source is available, we fall back to using erand48(),
seeded from current timestamp, like PostmasterRandom() was. That isn't
cryptographically secure, but allows us to still work on platforms that
don't have any of the above stronger sources. Because it's not very secure,
the built-in implementation is only used if explicitly requested with
--disable-strong-random.
This replaces the more complicated Fortuna algorithm we used to have in
pgcrypto, which is unfortunate, but all modern platforms have /dev/urandom,
so it doesn't seem worth the maintenance effort to keep that. pgcrypto
functions that require strong random numbers will be disabled with
--disable-strong-random.
Original patch by Magnus Hagander, tons of further work by Michael Paquier
and me.
Discussion: https://www.postgresql.org/message-id/CAB7nPqRy3krN8quR9XujMVVHYtXJ0_60nqgVc6oUk8ygyVkZsA@mail.gmail.com
Discussion: https://www.postgresql.org/message-id/CAB7nPqRWkNYRRPJA7-cF+LfroYV10pvjdz6GNvxk-Eee9FypKA@mail.gmail.com
2016-12-05 12:42:59 +01:00
|
|
|
|
2016-12-12 11:48:13 +01:00
|
|
|
if (shadow_pass)
|
|
|
|
|
pfree(shadow_pass);
|
Replace PostmasterRandom() with a stronger source, second attempt.
This adds a new routine, pg_strong_random() for generating random bytes,
for use in both frontend and backend. At the moment, it's only used in
the backend, but the upcoming SCRAM authentication patches need strong
random numbers in libpq as well.
pg_strong_random() is based on, and replaces, the existing implementation
in pgcrypto. It can acquire strong random numbers from a number of sources,
depending on what's available:
- OpenSSL RAND_bytes(), if built with OpenSSL
- On Windows, the native cryptographic functions are used
- /dev/urandom
Unlike the current pgcrypto function, the source is chosen by configure.
That makes it easier to test different implementations, and ensures that
we don't accidentally fall back to a less secure implementation, if the
primary source fails. All of those methods are quite reliable, it would be
pretty surprising for them to fail, so we'd rather find out by failing
hard.
If no strong random source is available, we fall back to using erand48(),
seeded from current timestamp, like PostmasterRandom() was. That isn't
cryptographically secure, but allows us to still work on platforms that
don't have any of the above stronger sources. Because it's not very secure,
the built-in implementation is only used if explicitly requested with
--disable-strong-random.
This replaces the more complicated Fortuna algorithm we used to have in
pgcrypto, which is unfortunate, but all modern platforms have /dev/urandom,
so it doesn't seem worth the maintenance effort to keep that. pgcrypto
functions that require strong random numbers will be disabled with
--disable-strong-random.
Original patch by Magnus Hagander, tons of further work by Michael Paquier
and me.
Discussion: https://www.postgresql.org/message-id/CAB7nPqRy3krN8quR9XujMVVHYtXJ0_60nqgVc6oUk8ygyVkZsA@mail.gmail.com
Discussion: https://www.postgresql.org/message-id/CAB7nPqRWkNYRRPJA7-cF+LfroYV10pvjdz6GNvxk-Eee9FypKA@mail.gmail.com
2016-12-05 12:42:59 +01:00
|
|
|
pfree(passwd);
|
|
|
|
|
|
|
|
|
|
return result;
|
|
|
|
|
}
|
|
|
|
|
|
Allow SCRAM authentication, when pg_hba.conf says 'md5'.
If a user has a SCRAM verifier in pg_authid.rolpassword, there's no reason
we cannot attempt to perform SCRAM authentication instead of MD5. The worst
that can happen is that the client doesn't support SCRAM, and the
authentication will fail. But previously, it would fail for sure, because
we would not even try. SCRAM is strictly more secure than MD5, so there's
no harm in trying it. This allows for a more graceful transition from MD5
passwords to SCRAM, as user passwords can be changed to SCRAM verifiers
incrementally, without changing pg_hba.conf.
Refactor the code in auth.c to support that better. Notably, we now have to
look up the user's pg_authid entry before sending the password challenge,
also when performing MD5 authentication. Also simplify the concept of a
"doomed" authentication. Previously, if a user had a password, but it had
expired, we still performed SCRAM authentication (but always returned error
at the end) using the salt and iteration count from the expired password.
Now we construct a fake salt, like we do when the user doesn't have a
password or doesn't exist at all. That simplifies get_role_password(), and
we can don't need to distinguish the "user has expired password", and
"user does not exist" cases in auth.c.
On second thoughts, also rename uaSASL to uaSCRAM. It refers to the
mechanism specified in pg_hba.conf, and while we use SASL for SCRAM
authentication at the protocol level, the mechanism should be called SCRAM,
not SASL. As a comparison, we have uaLDAP, even though it looks like the
plain 'password' authentication at the protocol level.
Discussion: https://www.postgresql.org/message-id/6425.1489506016@sss.pgh.pa.us
Reviewed-by: Michael Paquier
2017-03-24 12:32:21 +01:00
|
|
|
/*
|
|
|
|
|
* MD5 and SCRAM authentication.
|
2008-08-01 13:41:12 +02:00
|
|
|
*/
|
Allow SCRAM authentication, when pg_hba.conf says 'md5'.
If a user has a SCRAM verifier in pg_authid.rolpassword, there's no reason
we cannot attempt to perform SCRAM authentication instead of MD5. The worst
that can happen is that the client doesn't support SCRAM, and the
authentication will fail. But previously, it would fail for sure, because
we would not even try. SCRAM is strictly more secure than MD5, so there's
no harm in trying it. This allows for a more graceful transition from MD5
passwords to SCRAM, as user passwords can be changed to SCRAM verifiers
incrementally, without changing pg_hba.conf.
Refactor the code in auth.c to support that better. Notably, we now have to
look up the user's pg_authid entry before sending the password challenge,
also when performing MD5 authentication. Also simplify the concept of a
"doomed" authentication. Previously, if a user had a password, but it had
expired, we still performed SCRAM authentication (but always returned error
at the end) using the salt and iteration count from the expired password.
Now we construct a fake salt, like we do when the user doesn't have a
password or doesn't exist at all. That simplifies get_role_password(), and
we can don't need to distinguish the "user has expired password", and
"user does not exist" cases in auth.c.
On second thoughts, also rename uaSASL to uaSCRAM. It refers to the
mechanism specified in pg_hba.conf, and while we use SASL for SCRAM
authentication at the protocol level, the mechanism should be called SCRAM,
not SASL. As a comparison, we have uaLDAP, even though it looks like the
plain 'password' authentication at the protocol level.
Discussion: https://www.postgresql.org/message-id/6425.1489506016@sss.pgh.pa.us
Reviewed-by: Michael Paquier
2017-03-24 12:32:21 +01:00
|
|
|
static int
|
|
|
|
|
CheckPWChallengeAuth(Port *port, char **logdetail)
|
|
|
|
|
{
|
|
|
|
|
int auth_result;
|
|
|
|
|
char *shadow_pass;
|
|
|
|
|
PasswordType pwtype;
|
|
|
|
|
|
|
|
|
|
Assert(port->hba->auth_method == uaSCRAM ||
|
|
|
|
|
port->hba->auth_method == uaMD5);
|
|
|
|
|
|
|
|
|
|
/* First look up the user's password. */
|
|
|
|
|
shadow_pass = get_role_password(port->user_name, logdetail);
|
|
|
|
|
|
|
|
|
|
/*
|
Remove support for password_encryption='off' / 'plain'.
Storing passwords in plaintext hasn't been a good idea for a very long
time, if ever. Now seems like a good time to finally forbid it, since we're
messing with this in PostgreSQL 10 anyway.
Remove the CREATE/ALTER USER UNENCRYPTED PASSSWORD 'foo' syntax, since
storing passwords unencrypted is no longer supported. ENCRYPTED PASSWORD
'foo' is still accepted, but ENCRYPTED is now just a noise-word, it does
the same as just PASSWORD 'foo'.
Likewise, remove the --unencrypted option from createuser, but accept
--encrypted as a no-op for backward compatibility. AFAICS, --encrypted was
a no-op even before this patch, because createuser encrypted the password
before sending it to the server even if --encrypted was not specified. It
added the ENCRYPTED keyword to the SQL command, but since the password was
already in encrypted form, it didn't make any difference. The documentation
was not clear on whether that was intended or not, but it's moot now.
Also, while password_encryption='on' is still accepted as an alias for
'md5', it is now marked as hidden, so that it is not listed as an accepted
value in error hints, for example. That's not directly related to removing
'plain', but it seems better this way.
Reviewed by Michael Paquier
Discussion: https://www.postgresql.org/message-id/16e9b768-fd78-0b12-cfc1-7b6b7f238fde@iki.fi
2017-05-08 10:26:07 +02:00
|
|
|
* If the user does not exist, or has no password or it's expired, we
|
|
|
|
|
* still go through the motions of authentication, to avoid revealing to
|
|
|
|
|
* the client that the user didn't exist. If 'md5' is allowed, we choose
|
2017-05-17 22:31:56 +02:00
|
|
|
* whether to use 'md5' or 'scram-sha-256' authentication based on current
|
|
|
|
|
* password_encryption setting. The idea is that most genuine users
|
|
|
|
|
* probably have a password of that type, and if we pretend that this user
|
|
|
|
|
* had a password of that type, too, it "blends in" best.
|
Allow SCRAM authentication, when pg_hba.conf says 'md5'.
If a user has a SCRAM verifier in pg_authid.rolpassword, there's no reason
we cannot attempt to perform SCRAM authentication instead of MD5. The worst
that can happen is that the client doesn't support SCRAM, and the
authentication will fail. But previously, it would fail for sure, because
we would not even try. SCRAM is strictly more secure than MD5, so there's
no harm in trying it. This allows for a more graceful transition from MD5
passwords to SCRAM, as user passwords can be changed to SCRAM verifiers
incrementally, without changing pg_hba.conf.
Refactor the code in auth.c to support that better. Notably, we now have to
look up the user's pg_authid entry before sending the password challenge,
also when performing MD5 authentication. Also simplify the concept of a
"doomed" authentication. Previously, if a user had a password, but it had
expired, we still performed SCRAM authentication (but always returned error
at the end) using the salt and iteration count from the expired password.
Now we construct a fake salt, like we do when the user doesn't have a
password or doesn't exist at all. That simplifies get_role_password(), and
we can don't need to distinguish the "user has expired password", and
"user does not exist" cases in auth.c.
On second thoughts, also rename uaSASL to uaSCRAM. It refers to the
mechanism specified in pg_hba.conf, and while we use SASL for SCRAM
authentication at the protocol level, the mechanism should be called SCRAM,
not SASL. As a comparison, we have uaLDAP, even though it looks like the
plain 'password' authentication at the protocol level.
Discussion: https://www.postgresql.org/message-id/6425.1489506016@sss.pgh.pa.us
Reviewed-by: Michael Paquier
2017-03-24 12:32:21 +01:00
|
|
|
*/
|
|
|
|
|
if (!shadow_pass)
|
|
|
|
|
pwtype = Password_encryption;
|
|
|
|
|
else
|
|
|
|
|
pwtype = get_password_type(shadow_pass);
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* If 'md5' authentication is allowed, decide whether to perform 'md5' or
|
2017-04-18 13:50:50 +02:00
|
|
|
* 'scram-sha-256' authentication based on the type of password the user
|
2017-05-17 22:31:56 +02:00
|
|
|
* has. If it's an MD5 hash, we must do MD5 authentication, and if it's a
|
2019-10-12 21:17:34 +02:00
|
|
|
* SCRAM secret, we must do SCRAM authentication.
|
Allow SCRAM authentication, when pg_hba.conf says 'md5'.
If a user has a SCRAM verifier in pg_authid.rolpassword, there's no reason
we cannot attempt to perform SCRAM authentication instead of MD5. The worst
that can happen is that the client doesn't support SCRAM, and the
authentication will fail. But previously, it would fail for sure, because
we would not even try. SCRAM is strictly more secure than MD5, so there's
no harm in trying it. This allows for a more graceful transition from MD5
passwords to SCRAM, as user passwords can be changed to SCRAM verifiers
incrementally, without changing pg_hba.conf.
Refactor the code in auth.c to support that better. Notably, we now have to
look up the user's pg_authid entry before sending the password challenge,
also when performing MD5 authentication. Also simplify the concept of a
"doomed" authentication. Previously, if a user had a password, but it had
expired, we still performed SCRAM authentication (but always returned error
at the end) using the salt and iteration count from the expired password.
Now we construct a fake salt, like we do when the user doesn't have a
password or doesn't exist at all. That simplifies get_role_password(), and
we can don't need to distinguish the "user has expired password", and
"user does not exist" cases in auth.c.
On second thoughts, also rename uaSASL to uaSCRAM. It refers to the
mechanism specified in pg_hba.conf, and while we use SASL for SCRAM
authentication at the protocol level, the mechanism should be called SCRAM,
not SASL. As a comparison, we have uaLDAP, even though it looks like the
plain 'password' authentication at the protocol level.
Discussion: https://www.postgresql.org/message-id/6425.1489506016@sss.pgh.pa.us
Reviewed-by: Michael Paquier
2017-03-24 12:32:21 +01:00
|
|
|
*
|
|
|
|
|
* If MD5 authentication is not allowed, always use SCRAM. If the user
|
|
|
|
|
* had an MD5 password, CheckSCRAMAuth() will fail.
|
|
|
|
|
*/
|
|
|
|
|
if (port->hba->auth_method == uaMD5 && pwtype == PASSWORD_TYPE_MD5)
|
|
|
|
|
auth_result = CheckMD5Auth(port, shadow_pass, logdetail);
|
|
|
|
|
else
|
|
|
|
|
auth_result = CheckSCRAMAuth(port, shadow_pass, logdetail);
|
|
|
|
|
|
|
|
|
|
if (shadow_pass)
|
|
|
|
|
pfree(shadow_pass);
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* If get_role_password() returned error, return error, even if the
|
|
|
|
|
* authentication succeeded.
|
|
|
|
|
*/
|
|
|
|
|
if (!shadow_pass)
|
|
|
|
|
{
|
|
|
|
|
Assert(auth_result != STATUS_OK);
|
|
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
return auth_result;
|
|
|
|
|
}
|
Replace PostmasterRandom() with a stronger source, second attempt.
This adds a new routine, pg_strong_random() for generating random bytes,
for use in both frontend and backend. At the moment, it's only used in
the backend, but the upcoming SCRAM authentication patches need strong
random numbers in libpq as well.
pg_strong_random() is based on, and replaces, the existing implementation
in pgcrypto. It can acquire strong random numbers from a number of sources,
depending on what's available:
- OpenSSL RAND_bytes(), if built with OpenSSL
- On Windows, the native cryptographic functions are used
- /dev/urandom
Unlike the current pgcrypto function, the source is chosen by configure.
That makes it easier to test different implementations, and ensures that
we don't accidentally fall back to a less secure implementation, if the
primary source fails. All of those methods are quite reliable, it would be
pretty surprising for them to fail, so we'd rather find out by failing
hard.
If no strong random source is available, we fall back to using erand48(),
seeded from current timestamp, like PostmasterRandom() was. That isn't
cryptographically secure, but allows us to still work on platforms that
don't have any of the above stronger sources. Because it's not very secure,
the built-in implementation is only used if explicitly requested with
--disable-strong-random.
This replaces the more complicated Fortuna algorithm we used to have in
pgcrypto, which is unfortunate, but all modern platforms have /dev/urandom,
so it doesn't seem worth the maintenance effort to keep that. pgcrypto
functions that require strong random numbers will be disabled with
--disable-strong-random.
Original patch by Magnus Hagander, tons of further work by Michael Paquier
and me.
Discussion: https://www.postgresql.org/message-id/CAB7nPqRy3krN8quR9XujMVVHYtXJ0_60nqgVc6oUk8ygyVkZsA@mail.gmail.com
Discussion: https://www.postgresql.org/message-id/CAB7nPqRWkNYRRPJA7-cF+LfroYV10pvjdz6GNvxk-Eee9FypKA@mail.gmail.com
2016-12-05 12:42:59 +01:00
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
static int
|
Allow SCRAM authentication, when pg_hba.conf says 'md5'.
If a user has a SCRAM verifier in pg_authid.rolpassword, there's no reason
we cannot attempt to perform SCRAM authentication instead of MD5. The worst
that can happen is that the client doesn't support SCRAM, and the
authentication will fail. But previously, it would fail for sure, because
we would not even try. SCRAM is strictly more secure than MD5, so there's
no harm in trying it. This allows for a more graceful transition from MD5
passwords to SCRAM, as user passwords can be changed to SCRAM verifiers
incrementally, without changing pg_hba.conf.
Refactor the code in auth.c to support that better. Notably, we now have to
look up the user's pg_authid entry before sending the password challenge,
also when performing MD5 authentication. Also simplify the concept of a
"doomed" authentication. Previously, if a user had a password, but it had
expired, we still performed SCRAM authentication (but always returned error
at the end) using the salt and iteration count from the expired password.
Now we construct a fake salt, like we do when the user doesn't have a
password or doesn't exist at all. That simplifies get_role_password(), and
we can don't need to distinguish the "user has expired password", and
"user does not exist" cases in auth.c.
On second thoughts, also rename uaSASL to uaSCRAM. It refers to the
mechanism specified in pg_hba.conf, and while we use SASL for SCRAM
authentication at the protocol level, the mechanism should be called SCRAM,
not SASL. As a comparison, we have uaLDAP, even though it looks like the
plain 'password' authentication at the protocol level.
Discussion: https://www.postgresql.org/message-id/6425.1489506016@sss.pgh.pa.us
Reviewed-by: Michael Paquier
2017-03-24 12:32:21 +01:00
|
|
|
CheckMD5Auth(Port *port, char *shadow_pass, char **logdetail)
|
2008-08-01 13:41:12 +02:00
|
|
|
{
|
Allow SCRAM authentication, when pg_hba.conf says 'md5'.
If a user has a SCRAM verifier in pg_authid.rolpassword, there's no reason
we cannot attempt to perform SCRAM authentication instead of MD5. The worst
that can happen is that the client doesn't support SCRAM, and the
authentication will fail. But previously, it would fail for sure, because
we would not even try. SCRAM is strictly more secure than MD5, so there's
no harm in trying it. This allows for a more graceful transition from MD5
passwords to SCRAM, as user passwords can be changed to SCRAM verifiers
incrementally, without changing pg_hba.conf.
Refactor the code in auth.c to support that better. Notably, we now have to
look up the user's pg_authid entry before sending the password challenge,
also when performing MD5 authentication. Also simplify the concept of a
"doomed" authentication. Previously, if a user had a password, but it had
expired, we still performed SCRAM authentication (but always returned error
at the end) using the salt and iteration count from the expired password.
Now we construct a fake salt, like we do when the user doesn't have a
password or doesn't exist at all. That simplifies get_role_password(), and
we can don't need to distinguish the "user has expired password", and
"user does not exist" cases in auth.c.
On second thoughts, also rename uaSASL to uaSCRAM. It refers to the
mechanism specified in pg_hba.conf, and while we use SASL for SCRAM
authentication at the protocol level, the mechanism should be called SCRAM,
not SASL. As a comparison, we have uaLDAP, even though it looks like the
plain 'password' authentication at the protocol level.
Discussion: https://www.postgresql.org/message-id/6425.1489506016@sss.pgh.pa.us
Reviewed-by: Michael Paquier
2017-03-24 12:32:21 +01:00
|
|
|
char md5Salt[4]; /* Password salt */
|
2008-08-01 13:41:12 +02:00
|
|
|
char *passwd;
|
|
|
|
|
int result;
|
2007-07-10 15:14:22 +02:00
|
|
|
|
Allow SCRAM authentication, when pg_hba.conf says 'md5'.
If a user has a SCRAM verifier in pg_authid.rolpassword, there's no reason
we cannot attempt to perform SCRAM authentication instead of MD5. The worst
that can happen is that the client doesn't support SCRAM, and the
authentication will fail. But previously, it would fail for sure, because
we would not even try. SCRAM is strictly more secure than MD5, so there's
no harm in trying it. This allows for a more graceful transition from MD5
passwords to SCRAM, as user passwords can be changed to SCRAM verifiers
incrementally, without changing pg_hba.conf.
Refactor the code in auth.c to support that better. Notably, we now have to
look up the user's pg_authid entry before sending the password challenge,
also when performing MD5 authentication. Also simplify the concept of a
"doomed" authentication. Previously, if a user had a password, but it had
expired, we still performed SCRAM authentication (but always returned error
at the end) using the salt and iteration count from the expired password.
Now we construct a fake salt, like we do when the user doesn't have a
password or doesn't exist at all. That simplifies get_role_password(), and
we can don't need to distinguish the "user has expired password", and
"user does not exist" cases in auth.c.
On second thoughts, also rename uaSASL to uaSCRAM. It refers to the
mechanism specified in pg_hba.conf, and while we use SASL for SCRAM
authentication at the protocol level, the mechanism should be called SCRAM,
not SASL. As a comparison, we have uaLDAP, even though it looks like the
plain 'password' authentication at the protocol level.
Discussion: https://www.postgresql.org/message-id/6425.1489506016@sss.pgh.pa.us
Reviewed-by: Michael Paquier
2017-03-24 12:32:21 +01:00
|
|
|
if (Db_user_namespace)
|
|
|
|
|
ereport(FATAL,
|
|
|
|
|
(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
|
|
|
|
|
errmsg("MD5 authentication is not supported when \"db_user_namespace\" is enabled")));
|
|
|
|
|
|
|
|
|
|
/* include the salt to use for computing the response */
|
2019-01-01 12:05:51 +01:00
|
|
|
if (!pg_strong_random(md5Salt, 4))
|
Allow SCRAM authentication, when pg_hba.conf says 'md5'.
If a user has a SCRAM verifier in pg_authid.rolpassword, there's no reason
we cannot attempt to perform SCRAM authentication instead of MD5. The worst
that can happen is that the client doesn't support SCRAM, and the
authentication will fail. But previously, it would fail for sure, because
we would not even try. SCRAM is strictly more secure than MD5, so there's
no harm in trying it. This allows for a more graceful transition from MD5
passwords to SCRAM, as user passwords can be changed to SCRAM verifiers
incrementally, without changing pg_hba.conf.
Refactor the code in auth.c to support that better. Notably, we now have to
look up the user's pg_authid entry before sending the password challenge,
also when performing MD5 authentication. Also simplify the concept of a
"doomed" authentication. Previously, if a user had a password, but it had
expired, we still performed SCRAM authentication (but always returned error
at the end) using the salt and iteration count from the expired password.
Now we construct a fake salt, like we do when the user doesn't have a
password or doesn't exist at all. That simplifies get_role_password(), and
we can don't need to distinguish the "user has expired password", and
"user does not exist" cases in auth.c.
On second thoughts, also rename uaSASL to uaSCRAM. It refers to the
mechanism specified in pg_hba.conf, and while we use SASL for SCRAM
authentication at the protocol level, the mechanism should be called SCRAM,
not SASL. As a comparison, we have uaLDAP, even though it looks like the
plain 'password' authentication at the protocol level.
Discussion: https://www.postgresql.org/message-id/6425.1489506016@sss.pgh.pa.us
Reviewed-by: Michael Paquier
2017-03-24 12:32:21 +01:00
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
|
|
|
|
(errmsg("could not generate random MD5 salt")));
|
|
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
sendAuthRequest(port, AUTH_REQ_MD5, md5Salt, 4);
|
Replace PostmasterRandom() with a stronger source, second attempt.
This adds a new routine, pg_strong_random() for generating random bytes,
for use in both frontend and backend. At the moment, it's only used in
the backend, but the upcoming SCRAM authentication patches need strong
random numbers in libpq as well.
pg_strong_random() is based on, and replaces, the existing implementation
in pgcrypto. It can acquire strong random numbers from a number of sources,
depending on what's available:
- OpenSSL RAND_bytes(), if built with OpenSSL
- On Windows, the native cryptographic functions are used
- /dev/urandom
Unlike the current pgcrypto function, the source is chosen by configure.
That makes it easier to test different implementations, and ensures that
we don't accidentally fall back to a less secure implementation, if the
primary source fails. All of those methods are quite reliable, it would be
pretty surprising for them to fail, so we'd rather find out by failing
hard.
If no strong random source is available, we fall back to using erand48(),
seeded from current timestamp, like PostmasterRandom() was. That isn't
cryptographically secure, but allows us to still work on platforms that
don't have any of the above stronger sources. Because it's not very secure,
the built-in implementation is only used if explicitly requested with
--disable-strong-random.
This replaces the more complicated Fortuna algorithm we used to have in
pgcrypto, which is unfortunate, but all modern platforms have /dev/urandom,
so it doesn't seem worth the maintenance effort to keep that. pgcrypto
functions that require strong random numbers will be disabled with
--disable-strong-random.
Original patch by Magnus Hagander, tons of further work by Michael Paquier
and me.
Discussion: https://www.postgresql.org/message-id/CAB7nPqRy3krN8quR9XujMVVHYtXJ0_60nqgVc6oUk8ygyVkZsA@mail.gmail.com
Discussion: https://www.postgresql.org/message-id/CAB7nPqRWkNYRRPJA7-cF+LfroYV10pvjdz6GNvxk-Eee9FypKA@mail.gmail.com
2016-12-05 12:42:59 +01:00
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
passwd = recv_password_packet(port);
|
|
|
|
|
if (passwd == NULL)
|
|
|
|
|
return STATUS_EOF; /* client wouldn't send password */
|
2007-07-10 15:14:22 +02:00
|
|
|
|
2016-12-12 11:48:13 +01:00
|
|
|
if (shadow_pass)
|
Allow SCRAM authentication, when pg_hba.conf says 'md5'.
If a user has a SCRAM verifier in pg_authid.rolpassword, there's no reason
we cannot attempt to perform SCRAM authentication instead of MD5. The worst
that can happen is that the client doesn't support SCRAM, and the
authentication will fail. But previously, it would fail for sure, because
we would not even try. SCRAM is strictly more secure than MD5, so there's
no harm in trying it. This allows for a more graceful transition from MD5
passwords to SCRAM, as user passwords can be changed to SCRAM verifiers
incrementally, without changing pg_hba.conf.
Refactor the code in auth.c to support that better. Notably, we now have to
look up the user's pg_authid entry before sending the password challenge,
also when performing MD5 authentication. Also simplify the concept of a
"doomed" authentication. Previously, if a user had a password, but it had
expired, we still performed SCRAM authentication (but always returned error
at the end) using the salt and iteration count from the expired password.
Now we construct a fake salt, like we do when the user doesn't have a
password or doesn't exist at all. That simplifies get_role_password(), and
we can don't need to distinguish the "user has expired password", and
"user does not exist" cases in auth.c.
On second thoughts, also rename uaSASL to uaSCRAM. It refers to the
mechanism specified in pg_hba.conf, and while we use SASL for SCRAM
authentication at the protocol level, the mechanism should be called SCRAM,
not SASL. As a comparison, we have uaLDAP, even though it looks like the
plain 'password' authentication at the protocol level.
Discussion: https://www.postgresql.org/message-id/6425.1489506016@sss.pgh.pa.us
Reviewed-by: Michael Paquier
2017-03-24 12:32:21 +01:00
|
|
|
result = md5_crypt_verify(port->user_name, shadow_pass, passwd,
|
|
|
|
|
md5Salt, 4, logdetail);
|
|
|
|
|
else
|
|
|
|
|
result = STATUS_ERROR;
|
|
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
pfree(passwd);
|
2007-07-11 10:27:33 +02:00
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
return result;
|
|
|
|
|
}
|
2007-07-23 12:16:54 +02:00
|
|
|
|
Support SCRAM-SHA-256 authentication (RFC 5802 and 7677).
This introduces a new generic SASL authentication method, similar to the
GSS and SSPI methods. The server first tells the client which SASL
authentication mechanism to use, and then the mechanism-specific SASL
messages are exchanged in AuthenticationSASLcontinue and PasswordMessage
messages. Only SCRAM-SHA-256 is supported at the moment, but this allows
adding more SASL mechanisms in the future, without changing the overall
protocol.
Support for channel binding, aka SCRAM-SHA-256-PLUS is left for later.
The SASLPrep algorithm, for pre-processing the password, is not yet
implemented. That could cause trouble, if you use a password with
non-ASCII characters, and a client library that does implement SASLprep.
That will hopefully be added later.
Authorization identities, as specified in the SCRAM-SHA-256 specification,
are ignored. SET SESSION AUTHORIZATION provides more or less the same
functionality, anyway.
If a user doesn't exist, perform a "mock" authentication, by constructing
an authentic-looking challenge on the fly. The challenge is derived from
a new system-wide random value, "mock authentication nonce", which is
created at initdb, and stored in the control file. We go through these
motions, in order to not give away the information on whether the user
exists, to unauthenticated users.
Bumps PG_CONTROL_VERSION, because of the new field in control file.
Patch by Michael Paquier and Heikki Linnakangas, reviewed at different
stages by Robert Haas, Stephen Frost, David Steele, Aleksander Alekseev,
and many others.
Discussion: https://www.postgresql.org/message-id/CAB7nPqRbR3GmFYdedCAhzukfKrgBLTLtMvENOmPrVWREsZkF8g%40mail.gmail.com
Discussion: https://www.postgresql.org/message-id/CAB7nPqSMXU35g%3DW9X74HVeQp0uvgJxvYOuA4A-A3M%2B0wfEBv-w%40mail.gmail.com
Discussion: https://www.postgresql.org/message-id/55192AFE.6080106@iki.fi
2017-03-07 13:25:40 +01:00
|
|
|
static int
|
Allow SCRAM authentication, when pg_hba.conf says 'md5'.
If a user has a SCRAM verifier in pg_authid.rolpassword, there's no reason
we cannot attempt to perform SCRAM authentication instead of MD5. The worst
that can happen is that the client doesn't support SCRAM, and the
authentication will fail. But previously, it would fail for sure, because
we would not even try. SCRAM is strictly more secure than MD5, so there's
no harm in trying it. This allows for a more graceful transition from MD5
passwords to SCRAM, as user passwords can be changed to SCRAM verifiers
incrementally, without changing pg_hba.conf.
Refactor the code in auth.c to support that better. Notably, we now have to
look up the user's pg_authid entry before sending the password challenge,
also when performing MD5 authentication. Also simplify the concept of a
"doomed" authentication. Previously, if a user had a password, but it had
expired, we still performed SCRAM authentication (but always returned error
at the end) using the salt and iteration count from the expired password.
Now we construct a fake salt, like we do when the user doesn't have a
password or doesn't exist at all. That simplifies get_role_password(), and
we can don't need to distinguish the "user has expired password", and
"user does not exist" cases in auth.c.
On second thoughts, also rename uaSASL to uaSCRAM. It refers to the
mechanism specified in pg_hba.conf, and while we use SASL for SCRAM
authentication at the protocol level, the mechanism should be called SCRAM,
not SASL. As a comparison, we have uaLDAP, even though it looks like the
plain 'password' authentication at the protocol level.
Discussion: https://www.postgresql.org/message-id/6425.1489506016@sss.pgh.pa.us
Reviewed-by: Michael Paquier
2017-03-24 12:32:21 +01:00
|
|
|
CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail)
|
Support SCRAM-SHA-256 authentication (RFC 5802 and 7677).
This introduces a new generic SASL authentication method, similar to the
GSS and SSPI methods. The server first tells the client which SASL
authentication mechanism to use, and then the mechanism-specific SASL
messages are exchanged in AuthenticationSASLcontinue and PasswordMessage
messages. Only SCRAM-SHA-256 is supported at the moment, but this allows
adding more SASL mechanisms in the future, without changing the overall
protocol.
Support for channel binding, aka SCRAM-SHA-256-PLUS is left for later.
The SASLPrep algorithm, for pre-processing the password, is not yet
implemented. That could cause trouble, if you use a password with
non-ASCII characters, and a client library that does implement SASLprep.
That will hopefully be added later.
Authorization identities, as specified in the SCRAM-SHA-256 specification,
are ignored. SET SESSION AUTHORIZATION provides more or less the same
functionality, anyway.
If a user doesn't exist, perform a "mock" authentication, by constructing
an authentic-looking challenge on the fly. The challenge is derived from
a new system-wide random value, "mock authentication nonce", which is
created at initdb, and stored in the control file. We go through these
motions, in order to not give away the information on whether the user
exists, to unauthenticated users.
Bumps PG_CONTROL_VERSION, because of the new field in control file.
Patch by Michael Paquier and Heikki Linnakangas, reviewed at different
stages by Robert Haas, Stephen Frost, David Steele, Aleksander Alekseev,
and many others.
Discussion: https://www.postgresql.org/message-id/CAB7nPqRbR3GmFYdedCAhzukfKrgBLTLtMvENOmPrVWREsZkF8g%40mail.gmail.com
Discussion: https://www.postgresql.org/message-id/CAB7nPqSMXU35g%3DW9X74HVeQp0uvgJxvYOuA4A-A3M%2B0wfEBv-w%40mail.gmail.com
Discussion: https://www.postgresql.org/message-id/55192AFE.6080106@iki.fi
2017-03-07 13:25:40 +01:00
|
|
|
{
|
Remove support for tls-unique channel binding.
There are some problems with the tls-unique channel binding type. It's not
supported by all SSL libraries, and strictly speaking it's not defined for
TLS 1.3 at all, even though at least in OpenSSL, the functions used for it
still seem to work with TLS 1.3 connections. And since we had no
mechanism to negotiate what channel binding type to use, there would be
awkward interoperability issues if a server only supported some channel
binding types. tls-server-end-point seems feasible to support with any SSL
library, so let's just stick to that.
This removes the scram_channel_binding libpq option altogether, since there
is now only one supported channel binding type.
This also removes all the channel binding tests from the SSL test suite.
They were really just testing the scram_channel_binding option, which
is now gone. Channel binding is used if both client and server support it,
so it is used in the existing tests. It would be good to have some tests
specifically for channel binding, to make sure it really is used, and the
different combinations of a client and a server that support or doesn't
support it. The current set of settings we have make it hard to write such
tests, but I did test those things manually, by disabling
HAVE_BE_TLS_GET_CERTIFICATE_HASH and/or
HAVE_PGTLS_GET_PEER_CERTIFICATE_HASH.
I also removed the SCRAM_CHANNEL_BINDING_TLS_END_POINT constant. This is a
matter of taste, but IMO it's more readable to just use the
"tls-server-end-point" string.
Refactor the checks on whether the SSL library supports the functions
needed for tls-server-end-point channel binding. Now the server won't
advertise, and the client won't choose, the SCRAM-SHA-256-PLUS variant, if
compiled with an OpenSSL version too old to support it.
In the passing, add some sanity checks to check that the chosen SASL
mechanism, SCRAM-SHA-256 or SCRAM-SHA-256-PLUS, matches whether the SCRAM
exchange used channel binding or not. For example, if the client selects
the non-channel-binding variant SCRAM-SHA-256, but in the SCRAM message
uses channel binding anyway. It's harmless from a security point of view,
I believe, and I'm not sure if there are some other conditions that would
cause the connection to fail, but it seems better to be strict about these
things and check explicitly.
Discussion: https://www.postgresql.org/message-id/ec787074-2305-c6f4-86aa-6902f98485a4%40iki.fi
2018-08-05 12:44:21 +02:00
|
|
|
StringInfoData sasl_mechs;
|
Support SCRAM-SHA-256 authentication (RFC 5802 and 7677).
This introduces a new generic SASL authentication method, similar to the
GSS and SSPI methods. The server first tells the client which SASL
authentication mechanism to use, and then the mechanism-specific SASL
messages are exchanged in AuthenticationSASLcontinue and PasswordMessage
messages. Only SCRAM-SHA-256 is supported at the moment, but this allows
adding more SASL mechanisms in the future, without changing the overall
protocol.
Support for channel binding, aka SCRAM-SHA-256-PLUS is left for later.
The SASLPrep algorithm, for pre-processing the password, is not yet
implemented. That could cause trouble, if you use a password with
non-ASCII characters, and a client library that does implement SASLprep.
That will hopefully be added later.
Authorization identities, as specified in the SCRAM-SHA-256 specification,
are ignored. SET SESSION AUTHORIZATION provides more or less the same
functionality, anyway.
If a user doesn't exist, perform a "mock" authentication, by constructing
an authentic-looking challenge on the fly. The challenge is derived from
a new system-wide random value, "mock authentication nonce", which is
created at initdb, and stored in the control file. We go through these
motions, in order to not give away the information on whether the user
exists, to unauthenticated users.
Bumps PG_CONTROL_VERSION, because of the new field in control file.
Patch by Michael Paquier and Heikki Linnakangas, reviewed at different
stages by Robert Haas, Stephen Frost, David Steele, Aleksander Alekseev,
and many others.
Discussion: https://www.postgresql.org/message-id/CAB7nPqRbR3GmFYdedCAhzukfKrgBLTLtMvENOmPrVWREsZkF8g%40mail.gmail.com
Discussion: https://www.postgresql.org/message-id/CAB7nPqSMXU35g%3DW9X74HVeQp0uvgJxvYOuA4A-A3M%2B0wfEBv-w%40mail.gmail.com
Discussion: https://www.postgresql.org/message-id/55192AFE.6080106@iki.fi
2017-03-07 13:25:40 +01:00
|
|
|
int mtype;
|
|
|
|
|
StringInfoData buf;
|
2018-08-24 16:51:10 +02:00
|
|
|
void *scram_opaq = NULL;
|
Support SCRAM-SHA-256 authentication (RFC 5802 and 7677).
This introduces a new generic SASL authentication method, similar to the
GSS and SSPI methods. The server first tells the client which SASL
authentication mechanism to use, and then the mechanism-specific SASL
messages are exchanged in AuthenticationSASLcontinue and PasswordMessage
messages. Only SCRAM-SHA-256 is supported at the moment, but this allows
adding more SASL mechanisms in the future, without changing the overall
protocol.
Support for channel binding, aka SCRAM-SHA-256-PLUS is left for later.
The SASLPrep algorithm, for pre-processing the password, is not yet
implemented. That could cause trouble, if you use a password with
non-ASCII characters, and a client library that does implement SASLprep.
That will hopefully be added later.
Authorization identities, as specified in the SCRAM-SHA-256 specification,
are ignored. SET SESSION AUTHORIZATION provides more or less the same
functionality, anyway.
If a user doesn't exist, perform a "mock" authentication, by constructing
an authentic-looking challenge on the fly. The challenge is derived from
a new system-wide random value, "mock authentication nonce", which is
created at initdb, and stored in the control file. We go through these
motions, in order to not give away the information on whether the user
exists, to unauthenticated users.
Bumps PG_CONTROL_VERSION, because of the new field in control file.
Patch by Michael Paquier and Heikki Linnakangas, reviewed at different
stages by Robert Haas, Stephen Frost, David Steele, Aleksander Alekseev,
and many others.
Discussion: https://www.postgresql.org/message-id/CAB7nPqRbR3GmFYdedCAhzukfKrgBLTLtMvENOmPrVWREsZkF8g%40mail.gmail.com
Discussion: https://www.postgresql.org/message-id/CAB7nPqSMXU35g%3DW9X74HVeQp0uvgJxvYOuA4A-A3M%2B0wfEBv-w%40mail.gmail.com
Discussion: https://www.postgresql.org/message-id/55192AFE.6080106@iki.fi
2017-03-07 13:25:40 +01:00
|
|
|
char *output = NULL;
|
|
|
|
|
int outputlen = 0;
|
2019-01-29 01:16:24 +01:00
|
|
|
const char *input;
|
Improve the SASL authentication protocol.
This contains some protocol changes to SASL authentiation (which is new
in v10):
* For future-proofing, in the AuthenticationSASL message that begins SASL
authentication, provide a list of SASL mechanisms that the server
supports, for the client to choose from. Currently, it's always just
SCRAM-SHA-256.
* Add a separate authentication message type for the final server->client
SASL message, which the client doesn't need to respond to. This makes
it unambiguous whether the client is supposed to send a response or not.
The SASL mechanism should know that anyway, but better to be explicit.
Also, in the server, support clients that don't send an Initial Client
response in the first SASLInitialResponse message. The server is supposed
to first send an empty request in that case, to which the client will
respond with the data that usually comes in the Initial Client Response.
libpq uses the Initial Client Response field and doesn't need this, and I
would assume any other sensible implementation to use Initial Client
Response, too, but let's follow the SASL spec.
Improve the documentation on SASL authentication in protocol. Add a
section describing the SASL message flow, and some details on our
SCRAM-SHA-256 implementation.
Document the different kinds of PasswordMessages that the frontend sends
in different phases of SASL authentication, as well as GSS/SSPI
authentication as separate message formats. Even though they're all 'p'
messages, and the exact format depends on the context, describing them as
separate message formats makes the documentation more clear.
Reviewed by Michael Paquier and Álvaro Hernández Tortosa.
Discussion: https://www.postgresql.org/message-id/CAB7nPqS-aFg0iM3AQOJwKDv_0WkAedRjs1W2X8EixSz+sKBXCQ@mail.gmail.com
2017-04-13 18:34:16 +02:00
|
|
|
int inputlen;
|
Support SCRAM-SHA-256 authentication (RFC 5802 and 7677).
This introduces a new generic SASL authentication method, similar to the
GSS and SSPI methods. The server first tells the client which SASL
authentication mechanism to use, and then the mechanism-specific SASL
messages are exchanged in AuthenticationSASLcontinue and PasswordMessage
messages. Only SCRAM-SHA-256 is supported at the moment, but this allows
adding more SASL mechanisms in the future, without changing the overall
protocol.
Support for channel binding, aka SCRAM-SHA-256-PLUS is left for later.
The SASLPrep algorithm, for pre-processing the password, is not yet
implemented. That could cause trouble, if you use a password with
non-ASCII characters, and a client library that does implement SASLprep.
That will hopefully be added later.
Authorization identities, as specified in the SCRAM-SHA-256 specification,
are ignored. SET SESSION AUTHORIZATION provides more or less the same
functionality, anyway.
If a user doesn't exist, perform a "mock" authentication, by constructing
an authentic-looking challenge on the fly. The challenge is derived from
a new system-wide random value, "mock authentication nonce", which is
created at initdb, and stored in the control file. We go through these
motions, in order to not give away the information on whether the user
exists, to unauthenticated users.
Bumps PG_CONTROL_VERSION, because of the new field in control file.
Patch by Michael Paquier and Heikki Linnakangas, reviewed at different
stages by Robert Haas, Stephen Frost, David Steele, Aleksander Alekseev,
and many others.
Discussion: https://www.postgresql.org/message-id/CAB7nPqRbR3GmFYdedCAhzukfKrgBLTLtMvENOmPrVWREsZkF8g%40mail.gmail.com
Discussion: https://www.postgresql.org/message-id/CAB7nPqSMXU35g%3DW9X74HVeQp0uvgJxvYOuA4A-A3M%2B0wfEBv-w%40mail.gmail.com
Discussion: https://www.postgresql.org/message-id/55192AFE.6080106@iki.fi
2017-03-07 13:25:40 +01:00
|
|
|
int result;
|
Improve the SASL authentication protocol.
This contains some protocol changes to SASL authentiation (which is new
in v10):
* For future-proofing, in the AuthenticationSASL message that begins SASL
authentication, provide a list of SASL mechanisms that the server
supports, for the client to choose from. Currently, it's always just
SCRAM-SHA-256.
* Add a separate authentication message type for the final server->client
SASL message, which the client doesn't need to respond to. This makes
it unambiguous whether the client is supposed to send a response or not.
The SASL mechanism should know that anyway, but better to be explicit.
Also, in the server, support clients that don't send an Initial Client
response in the first SASLInitialResponse message. The server is supposed
to first send an empty request in that case, to which the client will
respond with the data that usually comes in the Initial Client Response.
libpq uses the Initial Client Response field and doesn't need this, and I
would assume any other sensible implementation to use Initial Client
Response, too, but let's follow the SASL spec.
Improve the documentation on SASL authentication in protocol. Add a
section describing the SASL message flow, and some details on our
SCRAM-SHA-256 implementation.
Document the different kinds of PasswordMessages that the frontend sends
in different phases of SASL authentication, as well as GSS/SSPI
authentication as separate message formats. Even though they're all 'p'
messages, and the exact format depends on the context, describing them as
separate message formats makes the documentation more clear.
Reviewed by Michael Paquier and Álvaro Hernández Tortosa.
Discussion: https://www.postgresql.org/message-id/CAB7nPqS-aFg0iM3AQOJwKDv_0WkAedRjs1W2X8EixSz+sKBXCQ@mail.gmail.com
2017-04-13 18:34:16 +02:00
|
|
|
bool initial;
|
Support SCRAM-SHA-256 authentication (RFC 5802 and 7677).
This introduces a new generic SASL authentication method, similar to the
GSS and SSPI methods. The server first tells the client which SASL
authentication mechanism to use, and then the mechanism-specific SASL
messages are exchanged in AuthenticationSASLcontinue and PasswordMessage
messages. Only SCRAM-SHA-256 is supported at the moment, but this allows
adding more SASL mechanisms in the future, without changing the overall
protocol.
Support for channel binding, aka SCRAM-SHA-256-PLUS is left for later.
The SASLPrep algorithm, for pre-processing the password, is not yet
implemented. That could cause trouble, if you use a password with
non-ASCII characters, and a client library that does implement SASLprep.
That will hopefully be added later.
Authorization identities, as specified in the SCRAM-SHA-256 specification,
are ignored. SET SESSION AUTHORIZATION provides more or less the same
functionality, anyway.
If a user doesn't exist, perform a "mock" authentication, by constructing
an authentic-looking challenge on the fly. The challenge is derived from
a new system-wide random value, "mock authentication nonce", which is
created at initdb, and stored in the control file. We go through these
motions, in order to not give away the information on whether the user
exists, to unauthenticated users.
Bumps PG_CONTROL_VERSION, because of the new field in control file.
Patch by Michael Paquier and Heikki Linnakangas, reviewed at different
stages by Robert Haas, Stephen Frost, David Steele, Aleksander Alekseev,
and many others.
Discussion: https://www.postgresql.org/message-id/CAB7nPqRbR3GmFYdedCAhzukfKrgBLTLtMvENOmPrVWREsZkF8g%40mail.gmail.com
Discussion: https://www.postgresql.org/message-id/CAB7nPqSMXU35g%3DW9X74HVeQp0uvgJxvYOuA4A-A3M%2B0wfEBv-w%40mail.gmail.com
Discussion: https://www.postgresql.org/message-id/55192AFE.6080106@iki.fi
2017-03-07 13:25:40 +01:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* SASL auth is not supported for protocol versions before 3, because it
|
|
|
|
|
* relies on the overall message length word to determine the SASL payload
|
|
|
|
|
* size in AuthenticationSASLContinue and PasswordMessage messages. (We
|
|
|
|
|
* used to have a hard rule that protocol messages must be parsable
|
|
|
|
|
* without relying on the length word, but we hardly care about older
|
|
|
|
|
* protocol version anymore.)
|
|
|
|
|
*/
|
|
|
|
|
if (PG_PROTOCOL_MAJOR(FrontendProtocol) < 3)
|
|
|
|
|
ereport(FATAL,
|
|
|
|
|
(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
|
|
|
|
|
errmsg("SASL authentication is not supported in protocol version 2")));
|
|
|
|
|
|
|
|
|
|
/*
|
Improve the SASL authentication protocol.
This contains some protocol changes to SASL authentiation (which is new
in v10):
* For future-proofing, in the AuthenticationSASL message that begins SASL
authentication, provide a list of SASL mechanisms that the server
supports, for the client to choose from. Currently, it's always just
SCRAM-SHA-256.
* Add a separate authentication message type for the final server->client
SASL message, which the client doesn't need to respond to. This makes
it unambiguous whether the client is supposed to send a response or not.
The SASL mechanism should know that anyway, but better to be explicit.
Also, in the server, support clients that don't send an Initial Client
response in the first SASLInitialResponse message. The server is supposed
to first send an empty request in that case, to which the client will
respond with the data that usually comes in the Initial Client Response.
libpq uses the Initial Client Response field and doesn't need this, and I
would assume any other sensible implementation to use Initial Client
Response, too, but let's follow the SASL spec.
Improve the documentation on SASL authentication in protocol. Add a
section describing the SASL message flow, and some details on our
SCRAM-SHA-256 implementation.
Document the different kinds of PasswordMessages that the frontend sends
in different phases of SASL authentication, as well as GSS/SSPI
authentication as separate message formats. Even though they're all 'p'
messages, and the exact format depends on the context, describing them as
separate message formats makes the documentation more clear.
Reviewed by Michael Paquier and Álvaro Hernández Tortosa.
Discussion: https://www.postgresql.org/message-id/CAB7nPqS-aFg0iM3AQOJwKDv_0WkAedRjs1W2X8EixSz+sKBXCQ@mail.gmail.com
2017-04-13 18:34:16 +02:00
|
|
|
* Send the SASL authentication request to user. It includes the list of
|
Remove support for tls-unique channel binding.
There are some problems with the tls-unique channel binding type. It's not
supported by all SSL libraries, and strictly speaking it's not defined for
TLS 1.3 at all, even though at least in OpenSSL, the functions used for it
still seem to work with TLS 1.3 connections. And since we had no
mechanism to negotiate what channel binding type to use, there would be
awkward interoperability issues if a server only supported some channel
binding types. tls-server-end-point seems feasible to support with any SSL
library, so let's just stick to that.
This removes the scram_channel_binding libpq option altogether, since there
is now only one supported channel binding type.
This also removes all the channel binding tests from the SSL test suite.
They were really just testing the scram_channel_binding option, which
is now gone. Channel binding is used if both client and server support it,
so it is used in the existing tests. It would be good to have some tests
specifically for channel binding, to make sure it really is used, and the
different combinations of a client and a server that support or doesn't
support it. The current set of settings we have make it hard to write such
tests, but I did test those things manually, by disabling
HAVE_BE_TLS_GET_CERTIFICATE_HASH and/or
HAVE_PGTLS_GET_PEER_CERTIFICATE_HASH.
I also removed the SCRAM_CHANNEL_BINDING_TLS_END_POINT constant. This is a
matter of taste, but IMO it's more readable to just use the
"tls-server-end-point" string.
Refactor the checks on whether the SSL library supports the functions
needed for tls-server-end-point channel binding. Now the server won't
advertise, and the client won't choose, the SCRAM-SHA-256-PLUS variant, if
compiled with an OpenSSL version too old to support it.
In the passing, add some sanity checks to check that the chosen SASL
mechanism, SCRAM-SHA-256 or SCRAM-SHA-256-PLUS, matches whether the SCRAM
exchange used channel binding or not. For example, if the client selects
the non-channel-binding variant SCRAM-SHA-256, but in the SCRAM message
uses channel binding anyway. It's harmless from a security point of view,
I believe, and I'm not sure if there are some other conditions that would
cause the connection to fail, but it seems better to be strict about these
things and check explicitly.
Discussion: https://www.postgresql.org/message-id/ec787074-2305-c6f4-86aa-6902f98485a4%40iki.fi
2018-08-05 12:44:21 +02:00
|
|
|
* authentication mechanisms that are supported.
|
Support SCRAM-SHA-256 authentication (RFC 5802 and 7677).
This introduces a new generic SASL authentication method, similar to the
GSS and SSPI methods. The server first tells the client which SASL
authentication mechanism to use, and then the mechanism-specific SASL
messages are exchanged in AuthenticationSASLcontinue and PasswordMessage
messages. Only SCRAM-SHA-256 is supported at the moment, but this allows
adding more SASL mechanisms in the future, without changing the overall
protocol.
Support for channel binding, aka SCRAM-SHA-256-PLUS is left for later.
The SASLPrep algorithm, for pre-processing the password, is not yet
implemented. That could cause trouble, if you use a password with
non-ASCII characters, and a client library that does implement SASLprep.
That will hopefully be added later.
Authorization identities, as specified in the SCRAM-SHA-256 specification,
are ignored. SET SESSION AUTHORIZATION provides more or less the same
functionality, anyway.
If a user doesn't exist, perform a "mock" authentication, by constructing
an authentic-looking challenge on the fly. The challenge is derived from
a new system-wide random value, "mock authentication nonce", which is
created at initdb, and stored in the control file. We go through these
motions, in order to not give away the information on whether the user
exists, to unauthenticated users.
Bumps PG_CONTROL_VERSION, because of the new field in control file.
Patch by Michael Paquier and Heikki Linnakangas, reviewed at different
stages by Robert Haas, Stephen Frost, David Steele, Aleksander Alekseev,
and many others.
Discussion: https://www.postgresql.org/message-id/CAB7nPqRbR3GmFYdedCAhzukfKrgBLTLtMvENOmPrVWREsZkF8g%40mail.gmail.com
Discussion: https://www.postgresql.org/message-id/CAB7nPqSMXU35g%3DW9X74HVeQp0uvgJxvYOuA4A-A3M%2B0wfEBv-w%40mail.gmail.com
Discussion: https://www.postgresql.org/message-id/55192AFE.6080106@iki.fi
2017-03-07 13:25:40 +01:00
|
|
|
*/
|
Remove support for tls-unique channel binding.
There are some problems with the tls-unique channel binding type. It's not
supported by all SSL libraries, and strictly speaking it's not defined for
TLS 1.3 at all, even though at least in OpenSSL, the functions used for it
still seem to work with TLS 1.3 connections. And since we had no
mechanism to negotiate what channel binding type to use, there would be
awkward interoperability issues if a server only supported some channel
binding types. tls-server-end-point seems feasible to support with any SSL
library, so let's just stick to that.
This removes the scram_channel_binding libpq option altogether, since there
is now only one supported channel binding type.
This also removes all the channel binding tests from the SSL test suite.
They were really just testing the scram_channel_binding option, which
is now gone. Channel binding is used if both client and server support it,
so it is used in the existing tests. It would be good to have some tests
specifically for channel binding, to make sure it really is used, and the
different combinations of a client and a server that support or doesn't
support it. The current set of settings we have make it hard to write such
tests, but I did test those things manually, by disabling
HAVE_BE_TLS_GET_CERTIFICATE_HASH and/or
HAVE_PGTLS_GET_PEER_CERTIFICATE_HASH.
I also removed the SCRAM_CHANNEL_BINDING_TLS_END_POINT constant. This is a
matter of taste, but IMO it's more readable to just use the
"tls-server-end-point" string.
Refactor the checks on whether the SSL library supports the functions
needed for tls-server-end-point channel binding. Now the server won't
advertise, and the client won't choose, the SCRAM-SHA-256-PLUS variant, if
compiled with an OpenSSL version too old to support it.
In the passing, add some sanity checks to check that the chosen SASL
mechanism, SCRAM-SHA-256 or SCRAM-SHA-256-PLUS, matches whether the SCRAM
exchange used channel binding or not. For example, if the client selects
the non-channel-binding variant SCRAM-SHA-256, but in the SCRAM message
uses channel binding anyway. It's harmless from a security point of view,
I believe, and I'm not sure if there are some other conditions that would
cause the connection to fail, but it seems better to be strict about these
things and check explicitly.
Discussion: https://www.postgresql.org/message-id/ec787074-2305-c6f4-86aa-6902f98485a4%40iki.fi
2018-08-05 12:44:21 +02:00
|
|
|
initStringInfo(&sasl_mechs);
|
2017-11-18 16:07:57 +01:00
|
|
|
|
Remove support for tls-unique channel binding.
There are some problems with the tls-unique channel binding type. It's not
supported by all SSL libraries, and strictly speaking it's not defined for
TLS 1.3 at all, even though at least in OpenSSL, the functions used for it
still seem to work with TLS 1.3 connections. And since we had no
mechanism to negotiate what channel binding type to use, there would be
awkward interoperability issues if a server only supported some channel
binding types. tls-server-end-point seems feasible to support with any SSL
library, so let's just stick to that.
This removes the scram_channel_binding libpq option altogether, since there
is now only one supported channel binding type.
This also removes all the channel binding tests from the SSL test suite.
They were really just testing the scram_channel_binding option, which
is now gone. Channel binding is used if both client and server support it,
so it is used in the existing tests. It would be good to have some tests
specifically for channel binding, to make sure it really is used, and the
different combinations of a client and a server that support or doesn't
support it. The current set of settings we have make it hard to write such
tests, but I did test those things manually, by disabling
HAVE_BE_TLS_GET_CERTIFICATE_HASH and/or
HAVE_PGTLS_GET_PEER_CERTIFICATE_HASH.
I also removed the SCRAM_CHANNEL_BINDING_TLS_END_POINT constant. This is a
matter of taste, but IMO it's more readable to just use the
"tls-server-end-point" string.
Refactor the checks on whether the SSL library supports the functions
needed for tls-server-end-point channel binding. Now the server won't
advertise, and the client won't choose, the SCRAM-SHA-256-PLUS variant, if
compiled with an OpenSSL version too old to support it.
In the passing, add some sanity checks to check that the chosen SASL
mechanism, SCRAM-SHA-256 or SCRAM-SHA-256-PLUS, matches whether the SCRAM
exchange used channel binding or not. For example, if the client selects
the non-channel-binding variant SCRAM-SHA-256, but in the SCRAM message
uses channel binding anyway. It's harmless from a security point of view,
I believe, and I'm not sure if there are some other conditions that would
cause the connection to fail, but it seems better to be strict about these
things and check explicitly.
Discussion: https://www.postgresql.org/message-id/ec787074-2305-c6f4-86aa-6902f98485a4%40iki.fi
2018-08-05 12:44:21 +02:00
|
|
|
pg_be_scram_get_mechanisms(port, &sasl_mechs);
|
2017-11-18 16:07:57 +01:00
|
|
|
/* Put another '\0' to mark that list is finished. */
|
Remove support for tls-unique channel binding.
There are some problems with the tls-unique channel binding type. It's not
supported by all SSL libraries, and strictly speaking it's not defined for
TLS 1.3 at all, even though at least in OpenSSL, the functions used for it
still seem to work with TLS 1.3 connections. And since we had no
mechanism to negotiate what channel binding type to use, there would be
awkward interoperability issues if a server only supported some channel
binding types. tls-server-end-point seems feasible to support with any SSL
library, so let's just stick to that.
This removes the scram_channel_binding libpq option altogether, since there
is now only one supported channel binding type.
This also removes all the channel binding tests from the SSL test suite.
They were really just testing the scram_channel_binding option, which
is now gone. Channel binding is used if both client and server support it,
so it is used in the existing tests. It would be good to have some tests
specifically for channel binding, to make sure it really is used, and the
different combinations of a client and a server that support or doesn't
support it. The current set of settings we have make it hard to write such
tests, but I did test those things manually, by disabling
HAVE_BE_TLS_GET_CERTIFICATE_HASH and/or
HAVE_PGTLS_GET_PEER_CERTIFICATE_HASH.
I also removed the SCRAM_CHANNEL_BINDING_TLS_END_POINT constant. This is a
matter of taste, but IMO it's more readable to just use the
"tls-server-end-point" string.
Refactor the checks on whether the SSL library supports the functions
needed for tls-server-end-point channel binding. Now the server won't
advertise, and the client won't choose, the SCRAM-SHA-256-PLUS variant, if
compiled with an OpenSSL version too old to support it.
In the passing, add some sanity checks to check that the chosen SASL
mechanism, SCRAM-SHA-256 or SCRAM-SHA-256-PLUS, matches whether the SCRAM
exchange used channel binding or not. For example, if the client selects
the non-channel-binding variant SCRAM-SHA-256, but in the SCRAM message
uses channel binding anyway. It's harmless from a security point of view,
I believe, and I'm not sure if there are some other conditions that would
cause the connection to fail, but it seems better to be strict about these
things and check explicitly.
Discussion: https://www.postgresql.org/message-id/ec787074-2305-c6f4-86aa-6902f98485a4%40iki.fi
2018-08-05 12:44:21 +02:00
|
|
|
appendStringInfoChar(&sasl_mechs, '\0');
|
2017-11-18 16:07:57 +01:00
|
|
|
|
Remove support for tls-unique channel binding.
There are some problems with the tls-unique channel binding type. It's not
supported by all SSL libraries, and strictly speaking it's not defined for
TLS 1.3 at all, even though at least in OpenSSL, the functions used for it
still seem to work with TLS 1.3 connections. And since we had no
mechanism to negotiate what channel binding type to use, there would be
awkward interoperability issues if a server only supported some channel
binding types. tls-server-end-point seems feasible to support with any SSL
library, so let's just stick to that.
This removes the scram_channel_binding libpq option altogether, since there
is now only one supported channel binding type.
This also removes all the channel binding tests from the SSL test suite.
They were really just testing the scram_channel_binding option, which
is now gone. Channel binding is used if both client and server support it,
so it is used in the existing tests. It would be good to have some tests
specifically for channel binding, to make sure it really is used, and the
different combinations of a client and a server that support or doesn't
support it. The current set of settings we have make it hard to write such
tests, but I did test those things manually, by disabling
HAVE_BE_TLS_GET_CERTIFICATE_HASH and/or
HAVE_PGTLS_GET_PEER_CERTIFICATE_HASH.
I also removed the SCRAM_CHANNEL_BINDING_TLS_END_POINT constant. This is a
matter of taste, but IMO it's more readable to just use the
"tls-server-end-point" string.
Refactor the checks on whether the SSL library supports the functions
needed for tls-server-end-point channel binding. Now the server won't
advertise, and the client won't choose, the SCRAM-SHA-256-PLUS variant, if
compiled with an OpenSSL version too old to support it.
In the passing, add some sanity checks to check that the chosen SASL
mechanism, SCRAM-SHA-256 or SCRAM-SHA-256-PLUS, matches whether the SCRAM
exchange used channel binding or not. For example, if the client selects
the non-channel-binding variant SCRAM-SHA-256, but in the SCRAM message
uses channel binding anyway. It's harmless from a security point of view,
I believe, and I'm not sure if there are some other conditions that would
cause the connection to fail, but it seems better to be strict about these
things and check explicitly.
Discussion: https://www.postgresql.org/message-id/ec787074-2305-c6f4-86aa-6902f98485a4%40iki.fi
2018-08-05 12:44:21 +02:00
|
|
|
sendAuthRequest(port, AUTH_REQ_SASL, sasl_mechs.data, sasl_mechs.len);
|
|
|
|
|
pfree(sasl_mechs.data);
|
Support SCRAM-SHA-256 authentication (RFC 5802 and 7677).
This introduces a new generic SASL authentication method, similar to the
GSS and SSPI methods. The server first tells the client which SASL
authentication mechanism to use, and then the mechanism-specific SASL
messages are exchanged in AuthenticationSASLcontinue and PasswordMessage
messages. Only SCRAM-SHA-256 is supported at the moment, but this allows
adding more SASL mechanisms in the future, without changing the overall
protocol.
Support for channel binding, aka SCRAM-SHA-256-PLUS is left for later.
The SASLPrep algorithm, for pre-processing the password, is not yet
implemented. That could cause trouble, if you use a password with
non-ASCII characters, and a client library that does implement SASLprep.
That will hopefully be added later.
Authorization identities, as specified in the SCRAM-SHA-256 specification,
are ignored. SET SESSION AUTHORIZATION provides more or less the same
functionality, anyway.
If a user doesn't exist, perform a "mock" authentication, by constructing
an authentic-looking challenge on the fly. The challenge is derived from
a new system-wide random value, "mock authentication nonce", which is
created at initdb, and stored in the control file. We go through these
motions, in order to not give away the information on whether the user
exists, to unauthenticated users.
Bumps PG_CONTROL_VERSION, because of the new field in control file.
Patch by Michael Paquier and Heikki Linnakangas, reviewed at different
stages by Robert Haas, Stephen Frost, David Steele, Aleksander Alekseev,
and many others.
Discussion: https://www.postgresql.org/message-id/CAB7nPqRbR3GmFYdedCAhzukfKrgBLTLtMvENOmPrVWREsZkF8g%40mail.gmail.com
Discussion: https://www.postgresql.org/message-id/CAB7nPqSMXU35g%3DW9X74HVeQp0uvgJxvYOuA4A-A3M%2B0wfEBv-w%40mail.gmail.com
Discussion: https://www.postgresql.org/message-id/55192AFE.6080106@iki.fi
2017-03-07 13:25:40 +01:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Loop through SASL message exchange. This exchange can consist of
|
|
|
|
|
* multiple messages sent in both directions. First message is always
|
|
|
|
|
* from the client. All messages from client to server are password
|
|
|
|
|
* packets (type 'p').
|
|
|
|
|
*/
|
Improve the SASL authentication protocol.
This contains some protocol changes to SASL authentiation (which is new
in v10):
* For future-proofing, in the AuthenticationSASL message that begins SASL
authentication, provide a list of SASL mechanisms that the server
supports, for the client to choose from. Currently, it's always just
SCRAM-SHA-256.
* Add a separate authentication message type for the final server->client
SASL message, which the client doesn't need to respond to. This makes
it unambiguous whether the client is supposed to send a response or not.
The SASL mechanism should know that anyway, but better to be explicit.
Also, in the server, support clients that don't send an Initial Client
response in the first SASLInitialResponse message. The server is supposed
to first send an empty request in that case, to which the client will
respond with the data that usually comes in the Initial Client Response.
libpq uses the Initial Client Response field and doesn't need this, and I
would assume any other sensible implementation to use Initial Client
Response, too, but let's follow the SASL spec.
Improve the documentation on SASL authentication in protocol. Add a
section describing the SASL message flow, and some details on our
SCRAM-SHA-256 implementation.
Document the different kinds of PasswordMessages that the frontend sends
in different phases of SASL authentication, as well as GSS/SSPI
authentication as separate message formats. Even though they're all 'p'
messages, and the exact format depends on the context, describing them as
separate message formats makes the documentation more clear.
Reviewed by Michael Paquier and Álvaro Hernández Tortosa.
Discussion: https://www.postgresql.org/message-id/CAB7nPqS-aFg0iM3AQOJwKDv_0WkAedRjs1W2X8EixSz+sKBXCQ@mail.gmail.com
2017-04-13 18:34:16 +02:00
|
|
|
initial = true;
|
Support SCRAM-SHA-256 authentication (RFC 5802 and 7677).
This introduces a new generic SASL authentication method, similar to the
GSS and SSPI methods. The server first tells the client which SASL
authentication mechanism to use, and then the mechanism-specific SASL
messages are exchanged in AuthenticationSASLcontinue and PasswordMessage
messages. Only SCRAM-SHA-256 is supported at the moment, but this allows
adding more SASL mechanisms in the future, without changing the overall
protocol.
Support for channel binding, aka SCRAM-SHA-256-PLUS is left for later.
The SASLPrep algorithm, for pre-processing the password, is not yet
implemented. That could cause trouble, if you use a password with
non-ASCII characters, and a client library that does implement SASLprep.
That will hopefully be added later.
Authorization identities, as specified in the SCRAM-SHA-256 specification,
are ignored. SET SESSION AUTHORIZATION provides more or less the same
functionality, anyway.
If a user doesn't exist, perform a "mock" authentication, by constructing
an authentic-looking challenge on the fly. The challenge is derived from
a new system-wide random value, "mock authentication nonce", which is
created at initdb, and stored in the control file. We go through these
motions, in order to not give away the information on whether the user
exists, to unauthenticated users.
Bumps PG_CONTROL_VERSION, because of the new field in control file.
Patch by Michael Paquier and Heikki Linnakangas, reviewed at different
stages by Robert Haas, Stephen Frost, David Steele, Aleksander Alekseev,
and many others.
Discussion: https://www.postgresql.org/message-id/CAB7nPqRbR3GmFYdedCAhzukfKrgBLTLtMvENOmPrVWREsZkF8g%40mail.gmail.com
Discussion: https://www.postgresql.org/message-id/CAB7nPqSMXU35g%3DW9X74HVeQp0uvgJxvYOuA4A-A3M%2B0wfEBv-w%40mail.gmail.com
Discussion: https://www.postgresql.org/message-id/55192AFE.6080106@iki.fi
2017-03-07 13:25:40 +01:00
|
|
|
do
|
|
|
|
|
{
|
|
|
|
|
pq_startmsgread();
|
|
|
|
|
mtype = pq_getbyte();
|
|
|
|
|
if (mtype != 'p')
|
|
|
|
|
{
|
|
|
|
|
/* Only log error if client didn't disconnect. */
|
|
|
|
|
if (mtype != EOF)
|
|
|
|
|
{
|
2017-06-08 18:54:22 +02:00
|
|
|
ereport(ERROR,
|
Support SCRAM-SHA-256 authentication (RFC 5802 and 7677).
This introduces a new generic SASL authentication method, similar to the
GSS and SSPI methods. The server first tells the client which SASL
authentication mechanism to use, and then the mechanism-specific SASL
messages are exchanged in AuthenticationSASLcontinue and PasswordMessage
messages. Only SCRAM-SHA-256 is supported at the moment, but this allows
adding more SASL mechanisms in the future, without changing the overall
protocol.
Support for channel binding, aka SCRAM-SHA-256-PLUS is left for later.
The SASLPrep algorithm, for pre-processing the password, is not yet
implemented. That could cause trouble, if you use a password with
non-ASCII characters, and a client library that does implement SASLprep.
That will hopefully be added later.
Authorization identities, as specified in the SCRAM-SHA-256 specification,
are ignored. SET SESSION AUTHORIZATION provides more or less the same
functionality, anyway.
If a user doesn't exist, perform a "mock" authentication, by constructing
an authentic-looking challenge on the fly. The challenge is derived from
a new system-wide random value, "mock authentication nonce", which is
created at initdb, and stored in the control file. We go through these
motions, in order to not give away the information on whether the user
exists, to unauthenticated users.
Bumps PG_CONTROL_VERSION, because of the new field in control file.
Patch by Michael Paquier and Heikki Linnakangas, reviewed at different
stages by Robert Haas, Stephen Frost, David Steele, Aleksander Alekseev,
and many others.
Discussion: https://www.postgresql.org/message-id/CAB7nPqRbR3GmFYdedCAhzukfKrgBLTLtMvENOmPrVWREsZkF8g%40mail.gmail.com
Discussion: https://www.postgresql.org/message-id/CAB7nPqSMXU35g%3DW9X74HVeQp0uvgJxvYOuA4A-A3M%2B0wfEBv-w%40mail.gmail.com
Discussion: https://www.postgresql.org/message-id/55192AFE.6080106@iki.fi
2017-03-07 13:25:40 +01:00
|
|
|
(errcode(ERRCODE_PROTOCOL_VIOLATION),
|
|
|
|
|
errmsg("expected SASL response, got message type %d",
|
|
|
|
|
mtype)));
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
return STATUS_EOF;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Get the actual SASL message */
|
|
|
|
|
initStringInfo(&buf);
|
|
|
|
|
if (pq_getmessage(&buf, PG_MAX_SASL_MESSAGE_LENGTH))
|
|
|
|
|
{
|
|
|
|
|
/* EOF - pq_getmessage already logged error */
|
|
|
|
|
pfree(buf.data);
|
|
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
|
2019-11-05 20:29:08 +01:00
|
|
|
elog(DEBUG4, "processing received SASL response of length %d", buf.len);
|
Support SCRAM-SHA-256 authentication (RFC 5802 and 7677).
This introduces a new generic SASL authentication method, similar to the
GSS and SSPI methods. The server first tells the client which SASL
authentication mechanism to use, and then the mechanism-specific SASL
messages are exchanged in AuthenticationSASLcontinue and PasswordMessage
messages. Only SCRAM-SHA-256 is supported at the moment, but this allows
adding more SASL mechanisms in the future, without changing the overall
protocol.
Support for channel binding, aka SCRAM-SHA-256-PLUS is left for later.
The SASLPrep algorithm, for pre-processing the password, is not yet
implemented. That could cause trouble, if you use a password with
non-ASCII characters, and a client library that does implement SASLprep.
That will hopefully be added later.
Authorization identities, as specified in the SCRAM-SHA-256 specification,
are ignored. SET SESSION AUTHORIZATION provides more or less the same
functionality, anyway.
If a user doesn't exist, perform a "mock" authentication, by constructing
an authentic-looking challenge on the fly. The challenge is derived from
a new system-wide random value, "mock authentication nonce", which is
created at initdb, and stored in the control file. We go through these
motions, in order to not give away the information on whether the user
exists, to unauthenticated users.
Bumps PG_CONTROL_VERSION, because of the new field in control file.
Patch by Michael Paquier and Heikki Linnakangas, reviewed at different
stages by Robert Haas, Stephen Frost, David Steele, Aleksander Alekseev,
and many others.
Discussion: https://www.postgresql.org/message-id/CAB7nPqRbR3GmFYdedCAhzukfKrgBLTLtMvENOmPrVWREsZkF8g%40mail.gmail.com
Discussion: https://www.postgresql.org/message-id/CAB7nPqSMXU35g%3DW9X74HVeQp0uvgJxvYOuA4A-A3M%2B0wfEBv-w%40mail.gmail.com
Discussion: https://www.postgresql.org/message-id/55192AFE.6080106@iki.fi
2017-03-07 13:25:40 +01:00
|
|
|
|
Improve the SASL authentication protocol.
This contains some protocol changes to SASL authentiation (which is new
in v10):
* For future-proofing, in the AuthenticationSASL message that begins SASL
authentication, provide a list of SASL mechanisms that the server
supports, for the client to choose from. Currently, it's always just
SCRAM-SHA-256.
* Add a separate authentication message type for the final server->client
SASL message, which the client doesn't need to respond to. This makes
it unambiguous whether the client is supposed to send a response or not.
The SASL mechanism should know that anyway, but better to be explicit.
Also, in the server, support clients that don't send an Initial Client
response in the first SASLInitialResponse message. The server is supposed
to first send an empty request in that case, to which the client will
respond with the data that usually comes in the Initial Client Response.
libpq uses the Initial Client Response field and doesn't need this, and I
would assume any other sensible implementation to use Initial Client
Response, too, but let's follow the SASL spec.
Improve the documentation on SASL authentication in protocol. Add a
section describing the SASL message flow, and some details on our
SCRAM-SHA-256 implementation.
Document the different kinds of PasswordMessages that the frontend sends
in different phases of SASL authentication, as well as GSS/SSPI
authentication as separate message formats. Even though they're all 'p'
messages, and the exact format depends on the context, describing them as
separate message formats makes the documentation more clear.
Reviewed by Michael Paquier and Álvaro Hernández Tortosa.
Discussion: https://www.postgresql.org/message-id/CAB7nPqS-aFg0iM3AQOJwKDv_0WkAedRjs1W2X8EixSz+sKBXCQ@mail.gmail.com
2017-04-13 18:34:16 +02:00
|
|
|
/*
|
|
|
|
|
* The first SASLInitialResponse message is different from the others.
|
|
|
|
|
* It indicates which SASL mechanism the client selected, and contains
|
|
|
|
|
* an optional Initial Client Response payload. The subsequent
|
|
|
|
|
* SASLResponse messages contain just the SASL payload.
|
|
|
|
|
*/
|
|
|
|
|
if (initial)
|
|
|
|
|
{
|
|
|
|
|
const char *selected_mech;
|
|
|
|
|
|
|
|
|
|
selected_mech = pq_getmsgrawstring(&buf);
|
Remove support for tls-unique channel binding.
There are some problems with the tls-unique channel binding type. It's not
supported by all SSL libraries, and strictly speaking it's not defined for
TLS 1.3 at all, even though at least in OpenSSL, the functions used for it
still seem to work with TLS 1.3 connections. And since we had no
mechanism to negotiate what channel binding type to use, there would be
awkward interoperability issues if a server only supported some channel
binding types. tls-server-end-point seems feasible to support with any SSL
library, so let's just stick to that.
This removes the scram_channel_binding libpq option altogether, since there
is now only one supported channel binding type.
This also removes all the channel binding tests from the SSL test suite.
They were really just testing the scram_channel_binding option, which
is now gone. Channel binding is used if both client and server support it,
so it is used in the existing tests. It would be good to have some tests
specifically for channel binding, to make sure it really is used, and the
different combinations of a client and a server that support or doesn't
support it. The current set of settings we have make it hard to write such
tests, but I did test those things manually, by disabling
HAVE_BE_TLS_GET_CERTIFICATE_HASH and/or
HAVE_PGTLS_GET_PEER_CERTIFICATE_HASH.
I also removed the SCRAM_CHANNEL_BINDING_TLS_END_POINT constant. This is a
matter of taste, but IMO it's more readable to just use the
"tls-server-end-point" string.
Refactor the checks on whether the SSL library supports the functions
needed for tls-server-end-point channel binding. Now the server won't
advertise, and the client won't choose, the SCRAM-SHA-256-PLUS variant, if
compiled with an OpenSSL version too old to support it.
In the passing, add some sanity checks to check that the chosen SASL
mechanism, SCRAM-SHA-256 or SCRAM-SHA-256-PLUS, matches whether the SCRAM
exchange used channel binding or not. For example, if the client selects
the non-channel-binding variant SCRAM-SHA-256, but in the SCRAM message
uses channel binding anyway. It's harmless from a security point of view,
I believe, and I'm not sure if there are some other conditions that would
cause the connection to fail, but it seems better to be strict about these
things and check explicitly.
Discussion: https://www.postgresql.org/message-id/ec787074-2305-c6f4-86aa-6902f98485a4%40iki.fi
2018-08-05 12:44:21 +02:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Initialize the status tracker for message exchanges.
|
|
|
|
|
*
|
|
|
|
|
* If the user doesn't exist, or doesn't have a valid password, or
|
|
|
|
|
* it's expired, we still go through the motions of SASL
|
|
|
|
|
* authentication, but tell the authentication method that the
|
|
|
|
|
* authentication is "doomed". That is, it's going to fail, no
|
|
|
|
|
* matter what.
|
|
|
|
|
*
|
|
|
|
|
* This is because we don't want to reveal to an attacker what
|
|
|
|
|
* usernames are valid, nor which users have a valid password.
|
|
|
|
|
*/
|
|
|
|
|
scram_opaq = pg_be_scram_init(port, selected_mech, shadow_pass);
|
Improve the SASL authentication protocol.
This contains some protocol changes to SASL authentiation (which is new
in v10):
* For future-proofing, in the AuthenticationSASL message that begins SASL
authentication, provide a list of SASL mechanisms that the server
supports, for the client to choose from. Currently, it's always just
SCRAM-SHA-256.
* Add a separate authentication message type for the final server->client
SASL message, which the client doesn't need to respond to. This makes
it unambiguous whether the client is supposed to send a response or not.
The SASL mechanism should know that anyway, but better to be explicit.
Also, in the server, support clients that don't send an Initial Client
response in the first SASLInitialResponse message. The server is supposed
to first send an empty request in that case, to which the client will
respond with the data that usually comes in the Initial Client Response.
libpq uses the Initial Client Response field and doesn't need this, and I
would assume any other sensible implementation to use Initial Client
Response, too, but let's follow the SASL spec.
Improve the documentation on SASL authentication in protocol. Add a
section describing the SASL message flow, and some details on our
SCRAM-SHA-256 implementation.
Document the different kinds of PasswordMessages that the frontend sends
in different phases of SASL authentication, as well as GSS/SSPI
authentication as separate message formats. Even though they're all 'p'
messages, and the exact format depends on the context, describing them as
separate message formats makes the documentation more clear.
Reviewed by Michael Paquier and Álvaro Hernández Tortosa.
Discussion: https://www.postgresql.org/message-id/CAB7nPqS-aFg0iM3AQOJwKDv_0WkAedRjs1W2X8EixSz+sKBXCQ@mail.gmail.com
2017-04-13 18:34:16 +02:00
|
|
|
|
|
|
|
|
inputlen = pq_getmsgint(&buf, 4);
|
|
|
|
|
if (inputlen == -1)
|
|
|
|
|
input = NULL;
|
|
|
|
|
else
|
2019-01-29 01:16:24 +01:00
|
|
|
input = pq_getmsgbytes(&buf, inputlen);
|
Improve the SASL authentication protocol.
This contains some protocol changes to SASL authentiation (which is new
in v10):
* For future-proofing, in the AuthenticationSASL message that begins SASL
authentication, provide a list of SASL mechanisms that the server
supports, for the client to choose from. Currently, it's always just
SCRAM-SHA-256.
* Add a separate authentication message type for the final server->client
SASL message, which the client doesn't need to respond to. This makes
it unambiguous whether the client is supposed to send a response or not.
The SASL mechanism should know that anyway, but better to be explicit.
Also, in the server, support clients that don't send an Initial Client
response in the first SASLInitialResponse message. The server is supposed
to first send an empty request in that case, to which the client will
respond with the data that usually comes in the Initial Client Response.
libpq uses the Initial Client Response field and doesn't need this, and I
would assume any other sensible implementation to use Initial Client
Response, too, but let's follow the SASL spec.
Improve the documentation on SASL authentication in protocol. Add a
section describing the SASL message flow, and some details on our
SCRAM-SHA-256 implementation.
Document the different kinds of PasswordMessages that the frontend sends
in different phases of SASL authentication, as well as GSS/SSPI
authentication as separate message formats. Even though they're all 'p'
messages, and the exact format depends on the context, describing them as
separate message formats makes the documentation more clear.
Reviewed by Michael Paquier and Álvaro Hernández Tortosa.
Discussion: https://www.postgresql.org/message-id/CAB7nPqS-aFg0iM3AQOJwKDv_0WkAedRjs1W2X8EixSz+sKBXCQ@mail.gmail.com
2017-04-13 18:34:16 +02:00
|
|
|
|
|
|
|
|
initial = false;
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
inputlen = buf.len;
|
2019-01-29 01:16:24 +01:00
|
|
|
input = pq_getmsgbytes(&buf, buf.len);
|
Improve the SASL authentication protocol.
This contains some protocol changes to SASL authentiation (which is new
in v10):
* For future-proofing, in the AuthenticationSASL message that begins SASL
authentication, provide a list of SASL mechanisms that the server
supports, for the client to choose from. Currently, it's always just
SCRAM-SHA-256.
* Add a separate authentication message type for the final server->client
SASL message, which the client doesn't need to respond to. This makes
it unambiguous whether the client is supposed to send a response or not.
The SASL mechanism should know that anyway, but better to be explicit.
Also, in the server, support clients that don't send an Initial Client
response in the first SASLInitialResponse message. The server is supposed
to first send an empty request in that case, to which the client will
respond with the data that usually comes in the Initial Client Response.
libpq uses the Initial Client Response field and doesn't need this, and I
would assume any other sensible implementation to use Initial Client
Response, too, but let's follow the SASL spec.
Improve the documentation on SASL authentication in protocol. Add a
section describing the SASL message flow, and some details on our
SCRAM-SHA-256 implementation.
Document the different kinds of PasswordMessages that the frontend sends
in different phases of SASL authentication, as well as GSS/SSPI
authentication as separate message formats. Even though they're all 'p'
messages, and the exact format depends on the context, describing them as
separate message formats makes the documentation more clear.
Reviewed by Michael Paquier and Álvaro Hernández Tortosa.
Discussion: https://www.postgresql.org/message-id/CAB7nPqS-aFg0iM3AQOJwKDv_0WkAedRjs1W2X8EixSz+sKBXCQ@mail.gmail.com
2017-04-13 18:34:16 +02:00
|
|
|
}
|
|
|
|
|
pq_getmsgend(&buf);
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* The StringInfo guarantees that there's a \0 byte after the
|
|
|
|
|
* response.
|
|
|
|
|
*/
|
|
|
|
|
Assert(input == NULL || input[inputlen] == '\0');
|
|
|
|
|
|
Support SCRAM-SHA-256 authentication (RFC 5802 and 7677).
This introduces a new generic SASL authentication method, similar to the
GSS and SSPI methods. The server first tells the client which SASL
authentication mechanism to use, and then the mechanism-specific SASL
messages are exchanged in AuthenticationSASLcontinue and PasswordMessage
messages. Only SCRAM-SHA-256 is supported at the moment, but this allows
adding more SASL mechanisms in the future, without changing the overall
protocol.
Support for channel binding, aka SCRAM-SHA-256-PLUS is left for later.
The SASLPrep algorithm, for pre-processing the password, is not yet
implemented. That could cause trouble, if you use a password with
non-ASCII characters, and a client library that does implement SASLprep.
That will hopefully be added later.
Authorization identities, as specified in the SCRAM-SHA-256 specification,
are ignored. SET SESSION AUTHORIZATION provides more or less the same
functionality, anyway.
If a user doesn't exist, perform a "mock" authentication, by constructing
an authentic-looking challenge on the fly. The challenge is derived from
a new system-wide random value, "mock authentication nonce", which is
created at initdb, and stored in the control file. We go through these
motions, in order to not give away the information on whether the user
exists, to unauthenticated users.
Bumps PG_CONTROL_VERSION, because of the new field in control file.
Patch by Michael Paquier and Heikki Linnakangas, reviewed at different
stages by Robert Haas, Stephen Frost, David Steele, Aleksander Alekseev,
and many others.
Discussion: https://www.postgresql.org/message-id/CAB7nPqRbR3GmFYdedCAhzukfKrgBLTLtMvENOmPrVWREsZkF8g%40mail.gmail.com
Discussion: https://www.postgresql.org/message-id/CAB7nPqSMXU35g%3DW9X74HVeQp0uvgJxvYOuA4A-A3M%2B0wfEBv-w%40mail.gmail.com
Discussion: https://www.postgresql.org/message-id/55192AFE.6080106@iki.fi
2017-03-07 13:25:40 +01:00
|
|
|
/*
|
|
|
|
|
* we pass 'logdetail' as NULL when doing a mock authentication,
|
|
|
|
|
* because we should already have a better error message in that case
|
|
|
|
|
*/
|
2019-02-14 20:44:47 +01:00
|
|
|
result = pg_be_scram_exchange(scram_opaq, input, inputlen,
|
Support SCRAM-SHA-256 authentication (RFC 5802 and 7677).
This introduces a new generic SASL authentication method, similar to the
GSS and SSPI methods. The server first tells the client which SASL
authentication mechanism to use, and then the mechanism-specific SASL
messages are exchanged in AuthenticationSASLcontinue and PasswordMessage
messages. Only SCRAM-SHA-256 is supported at the moment, but this allows
adding more SASL mechanisms in the future, without changing the overall
protocol.
Support for channel binding, aka SCRAM-SHA-256-PLUS is left for later.
The SASLPrep algorithm, for pre-processing the password, is not yet
implemented. That could cause trouble, if you use a password with
non-ASCII characters, and a client library that does implement SASLprep.
That will hopefully be added later.
Authorization identities, as specified in the SCRAM-SHA-256 specification,
are ignored. SET SESSION AUTHORIZATION provides more or less the same
functionality, anyway.
If a user doesn't exist, perform a "mock" authentication, by constructing
an authentic-looking challenge on the fly. The challenge is derived from
a new system-wide random value, "mock authentication nonce", which is
created at initdb, and stored in the control file. We go through these
motions, in order to not give away the information on whether the user
exists, to unauthenticated users.
Bumps PG_CONTROL_VERSION, because of the new field in control file.
Patch by Michael Paquier and Heikki Linnakangas, reviewed at different
stages by Robert Haas, Stephen Frost, David Steele, Aleksander Alekseev,
and many others.
Discussion: https://www.postgresql.org/message-id/CAB7nPqRbR3GmFYdedCAhzukfKrgBLTLtMvENOmPrVWREsZkF8g%40mail.gmail.com
Discussion: https://www.postgresql.org/message-id/CAB7nPqSMXU35g%3DW9X74HVeQp0uvgJxvYOuA4A-A3M%2B0wfEBv-w%40mail.gmail.com
Discussion: https://www.postgresql.org/message-id/55192AFE.6080106@iki.fi
2017-03-07 13:25:40 +01:00
|
|
|
&output, &outputlen,
|
Allow SCRAM authentication, when pg_hba.conf says 'md5'.
If a user has a SCRAM verifier in pg_authid.rolpassword, there's no reason
we cannot attempt to perform SCRAM authentication instead of MD5. The worst
that can happen is that the client doesn't support SCRAM, and the
authentication will fail. But previously, it would fail for sure, because
we would not even try. SCRAM is strictly more secure than MD5, so there's
no harm in trying it. This allows for a more graceful transition from MD5
passwords to SCRAM, as user passwords can be changed to SCRAM verifiers
incrementally, without changing pg_hba.conf.
Refactor the code in auth.c to support that better. Notably, we now have to
look up the user's pg_authid entry before sending the password challenge,
also when performing MD5 authentication. Also simplify the concept of a
"doomed" authentication. Previously, if a user had a password, but it had
expired, we still performed SCRAM authentication (but always returned error
at the end) using the salt and iteration count from the expired password.
Now we construct a fake salt, like we do when the user doesn't have a
password or doesn't exist at all. That simplifies get_role_password(), and
we can don't need to distinguish the "user has expired password", and
"user does not exist" cases in auth.c.
On second thoughts, also rename uaSASL to uaSCRAM. It refers to the
mechanism specified in pg_hba.conf, and while we use SASL for SCRAM
authentication at the protocol level, the mechanism should be called SCRAM,
not SASL. As a comparison, we have uaLDAP, even though it looks like the
plain 'password' authentication at the protocol level.
Discussion: https://www.postgresql.org/message-id/6425.1489506016@sss.pgh.pa.us
Reviewed-by: Michael Paquier
2017-03-24 12:32:21 +01:00
|
|
|
logdetail);
|
Support SCRAM-SHA-256 authentication (RFC 5802 and 7677).
This introduces a new generic SASL authentication method, similar to the
GSS and SSPI methods. The server first tells the client which SASL
authentication mechanism to use, and then the mechanism-specific SASL
messages are exchanged in AuthenticationSASLcontinue and PasswordMessage
messages. Only SCRAM-SHA-256 is supported at the moment, but this allows
adding more SASL mechanisms in the future, without changing the overall
protocol.
Support for channel binding, aka SCRAM-SHA-256-PLUS is left for later.
The SASLPrep algorithm, for pre-processing the password, is not yet
implemented. That could cause trouble, if you use a password with
non-ASCII characters, and a client library that does implement SASLprep.
That will hopefully be added later.
Authorization identities, as specified in the SCRAM-SHA-256 specification,
are ignored. SET SESSION AUTHORIZATION provides more or less the same
functionality, anyway.
If a user doesn't exist, perform a "mock" authentication, by constructing
an authentic-looking challenge on the fly. The challenge is derived from
a new system-wide random value, "mock authentication nonce", which is
created at initdb, and stored in the control file. We go through these
motions, in order to not give away the information on whether the user
exists, to unauthenticated users.
Bumps PG_CONTROL_VERSION, because of the new field in control file.
Patch by Michael Paquier and Heikki Linnakangas, reviewed at different
stages by Robert Haas, Stephen Frost, David Steele, Aleksander Alekseev,
and many others.
Discussion: https://www.postgresql.org/message-id/CAB7nPqRbR3GmFYdedCAhzukfKrgBLTLtMvENOmPrVWREsZkF8g%40mail.gmail.com
Discussion: https://www.postgresql.org/message-id/CAB7nPqSMXU35g%3DW9X74HVeQp0uvgJxvYOuA4A-A3M%2B0wfEBv-w%40mail.gmail.com
Discussion: https://www.postgresql.org/message-id/55192AFE.6080106@iki.fi
2017-03-07 13:25:40 +01:00
|
|
|
|
|
|
|
|
/* input buffer no longer used */
|
|
|
|
|
pfree(buf.data);
|
|
|
|
|
|
2017-04-13 16:44:15 +02:00
|
|
|
if (output)
|
Support SCRAM-SHA-256 authentication (RFC 5802 and 7677).
This introduces a new generic SASL authentication method, similar to the
GSS and SSPI methods. The server first tells the client which SASL
authentication mechanism to use, and then the mechanism-specific SASL
messages are exchanged in AuthenticationSASLcontinue and PasswordMessage
messages. Only SCRAM-SHA-256 is supported at the moment, but this allows
adding more SASL mechanisms in the future, without changing the overall
protocol.
Support for channel binding, aka SCRAM-SHA-256-PLUS is left for later.
The SASLPrep algorithm, for pre-processing the password, is not yet
implemented. That could cause trouble, if you use a password with
non-ASCII characters, and a client library that does implement SASLprep.
That will hopefully be added later.
Authorization identities, as specified in the SCRAM-SHA-256 specification,
are ignored. SET SESSION AUTHORIZATION provides more or less the same
functionality, anyway.
If a user doesn't exist, perform a "mock" authentication, by constructing
an authentic-looking challenge on the fly. The challenge is derived from
a new system-wide random value, "mock authentication nonce", which is
created at initdb, and stored in the control file. We go through these
motions, in order to not give away the information on whether the user
exists, to unauthenticated users.
Bumps PG_CONTROL_VERSION, because of the new field in control file.
Patch by Michael Paquier and Heikki Linnakangas, reviewed at different
stages by Robert Haas, Stephen Frost, David Steele, Aleksander Alekseev,
and many others.
Discussion: https://www.postgresql.org/message-id/CAB7nPqRbR3GmFYdedCAhzukfKrgBLTLtMvENOmPrVWREsZkF8g%40mail.gmail.com
Discussion: https://www.postgresql.org/message-id/CAB7nPqSMXU35g%3DW9X74HVeQp0uvgJxvYOuA4A-A3M%2B0wfEBv-w%40mail.gmail.com
Discussion: https://www.postgresql.org/message-id/55192AFE.6080106@iki.fi
2017-03-07 13:25:40 +01:00
|
|
|
{
|
|
|
|
|
/*
|
|
|
|
|
* Negotiation generated data to be sent to the client.
|
|
|
|
|
*/
|
2017-04-13 16:44:15 +02:00
|
|
|
elog(DEBUG4, "sending SASL challenge of length %u", outputlen);
|
Support SCRAM-SHA-256 authentication (RFC 5802 and 7677).
This introduces a new generic SASL authentication method, similar to the
GSS and SSPI methods. The server first tells the client which SASL
authentication mechanism to use, and then the mechanism-specific SASL
messages are exchanged in AuthenticationSASLcontinue and PasswordMessage
messages. Only SCRAM-SHA-256 is supported at the moment, but this allows
adding more SASL mechanisms in the future, without changing the overall
protocol.
Support for channel binding, aka SCRAM-SHA-256-PLUS is left for later.
The SASLPrep algorithm, for pre-processing the password, is not yet
implemented. That could cause trouble, if you use a password with
non-ASCII characters, and a client library that does implement SASLprep.
That will hopefully be added later.
Authorization identities, as specified in the SCRAM-SHA-256 specification,
are ignored. SET SESSION AUTHORIZATION provides more or less the same
functionality, anyway.
If a user doesn't exist, perform a "mock" authentication, by constructing
an authentic-looking challenge on the fly. The challenge is derived from
a new system-wide random value, "mock authentication nonce", which is
created at initdb, and stored in the control file. We go through these
motions, in order to not give away the information on whether the user
exists, to unauthenticated users.
Bumps PG_CONTROL_VERSION, because of the new field in control file.
Patch by Michael Paquier and Heikki Linnakangas, reviewed at different
stages by Robert Haas, Stephen Frost, David Steele, Aleksander Alekseev,
and many others.
Discussion: https://www.postgresql.org/message-id/CAB7nPqRbR3GmFYdedCAhzukfKrgBLTLtMvENOmPrVWREsZkF8g%40mail.gmail.com
Discussion: https://www.postgresql.org/message-id/CAB7nPqSMXU35g%3DW9X74HVeQp0uvgJxvYOuA4A-A3M%2B0wfEBv-w%40mail.gmail.com
Discussion: https://www.postgresql.org/message-id/55192AFE.6080106@iki.fi
2017-03-07 13:25:40 +01:00
|
|
|
|
Improve the SASL authentication protocol.
This contains some protocol changes to SASL authentiation (which is new
in v10):
* For future-proofing, in the AuthenticationSASL message that begins SASL
authentication, provide a list of SASL mechanisms that the server
supports, for the client to choose from. Currently, it's always just
SCRAM-SHA-256.
* Add a separate authentication message type for the final server->client
SASL message, which the client doesn't need to respond to. This makes
it unambiguous whether the client is supposed to send a response or not.
The SASL mechanism should know that anyway, but better to be explicit.
Also, in the server, support clients that don't send an Initial Client
response in the first SASLInitialResponse message. The server is supposed
to first send an empty request in that case, to which the client will
respond with the data that usually comes in the Initial Client Response.
libpq uses the Initial Client Response field and doesn't need this, and I
would assume any other sensible implementation to use Initial Client
Response, too, but let's follow the SASL spec.
Improve the documentation on SASL authentication in protocol. Add a
section describing the SASL message flow, and some details on our
SCRAM-SHA-256 implementation.
Document the different kinds of PasswordMessages that the frontend sends
in different phases of SASL authentication, as well as GSS/SSPI
authentication as separate message formats. Even though they're all 'p'
messages, and the exact format depends on the context, describing them as
separate message formats makes the documentation more clear.
Reviewed by Michael Paquier and Álvaro Hernández Tortosa.
Discussion: https://www.postgresql.org/message-id/CAB7nPqS-aFg0iM3AQOJwKDv_0WkAedRjs1W2X8EixSz+sKBXCQ@mail.gmail.com
2017-04-13 18:34:16 +02:00
|
|
|
if (result == SASL_EXCHANGE_SUCCESS)
|
|
|
|
|
sendAuthRequest(port, AUTH_REQ_SASL_FIN, output, outputlen);
|
|
|
|
|
else
|
|
|
|
|
sendAuthRequest(port, AUTH_REQ_SASL_CONT, output, outputlen);
|
2017-04-13 16:44:15 +02:00
|
|
|
|
|
|
|
|
pfree(output);
|
Support SCRAM-SHA-256 authentication (RFC 5802 and 7677).
This introduces a new generic SASL authentication method, similar to the
GSS and SSPI methods. The server first tells the client which SASL
authentication mechanism to use, and then the mechanism-specific SASL
messages are exchanged in AuthenticationSASLcontinue and PasswordMessage
messages. Only SCRAM-SHA-256 is supported at the moment, but this allows
adding more SASL mechanisms in the future, without changing the overall
protocol.
Support for channel binding, aka SCRAM-SHA-256-PLUS is left for later.
The SASLPrep algorithm, for pre-processing the password, is not yet
implemented. That could cause trouble, if you use a password with
non-ASCII characters, and a client library that does implement SASLprep.
That will hopefully be added later.
Authorization identities, as specified in the SCRAM-SHA-256 specification,
are ignored. SET SESSION AUTHORIZATION provides more or less the same
functionality, anyway.
If a user doesn't exist, perform a "mock" authentication, by constructing
an authentic-looking challenge on the fly. The challenge is derived from
a new system-wide random value, "mock authentication nonce", which is
created at initdb, and stored in the control file. We go through these
motions, in order to not give away the information on whether the user
exists, to unauthenticated users.
Bumps PG_CONTROL_VERSION, because of the new field in control file.
Patch by Michael Paquier and Heikki Linnakangas, reviewed at different
stages by Robert Haas, Stephen Frost, David Steele, Aleksander Alekseev,
and many others.
Discussion: https://www.postgresql.org/message-id/CAB7nPqRbR3GmFYdedCAhzukfKrgBLTLtMvENOmPrVWREsZkF8g%40mail.gmail.com
Discussion: https://www.postgresql.org/message-id/CAB7nPqSMXU35g%3DW9X74HVeQp0uvgJxvYOuA4A-A3M%2B0wfEBv-w%40mail.gmail.com
Discussion: https://www.postgresql.org/message-id/55192AFE.6080106@iki.fi
2017-03-07 13:25:40 +01:00
|
|
|
}
|
|
|
|
|
} while (result == SASL_EXCHANGE_CONTINUE);
|
|
|
|
|
|
|
|
|
|
/* Oops, Something bad happened */
|
|
|
|
|
if (result != SASL_EXCHANGE_SUCCESS)
|
|
|
|
|
{
|
|
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return STATUS_OK;
|
|
|
|
|
}
|
2007-07-10 15:14:22 +02:00
|
|
|
|
|
|
|
|
|
2008-02-08 18:58:46 +01:00
|
|
|
/*----------------------------------------------------------------
|
2008-08-01 13:41:12 +02:00
|
|
|
* GSSAPI authentication system
|
2008-02-08 18:58:46 +01:00
|
|
|
*----------------------------------------------------------------
|
|
|
|
|
*/
|
2008-08-01 13:41:12 +02:00
|
|
|
#ifdef ENABLE_GSS
|
2007-07-23 12:16:54 +02:00
|
|
|
static int
|
2008-08-01 13:41:12 +02:00
|
|
|
pg_GSS_recvauth(Port *port)
|
2007-07-23 12:16:54 +02:00
|
|
|
{
|
2008-08-01 13:41:12 +02:00
|
|
|
OM_uint32 maj_stat,
|
|
|
|
|
min_stat,
|
|
|
|
|
lmin_s,
|
|
|
|
|
gflags;
|
2007-11-15 22:14:46 +01:00
|
|
|
int mtype;
|
|
|
|
|
StringInfoData buf;
|
2008-08-01 13:41:12 +02:00
|
|
|
gss_buffer_desc gbuf;
|
2007-07-23 12:16:54 +02:00
|
|
|
|
2008-02-08 18:58:46 +01:00
|
|
|
/*
|
2008-08-01 13:41:12 +02:00
|
|
|
* GSS auth is not supported for protocol versions before 3, because it
|
|
|
|
|
* relies on the overall message length word to determine the GSS payload
|
2009-06-11 16:49:15 +02:00
|
|
|
* size in AuthenticationGSSContinue and PasswordMessage messages. (This
|
|
|
|
|
* is, in fact, a design error in our GSS support, because protocol
|
2008-02-08 18:58:46 +01:00
|
|
|
* messages are supposed to be parsable without relying on the length
|
|
|
|
|
* word; but it's not worth changing it now.)
|
|
|
|
|
*/
|
|
|
|
|
if (PG_PROTOCOL_MAJOR(FrontendProtocol) < 3)
|
|
|
|
|
ereport(FATAL,
|
|
|
|
|
(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
|
2008-08-01 13:41:12 +02:00
|
|
|
errmsg("GSSAPI is not supported in protocol version 2")));
|
|
|
|
|
|
|
|
|
|
if (pg_krb_server_keyfile && strlen(pg_krb_server_keyfile) > 0)
|
|
|
|
|
{
|
|
|
|
|
/*
|
|
|
|
|
* Set default Kerberos keytab file for the Krb5 mechanism.
|
|
|
|
|
*
|
|
|
|
|
* setenv("KRB5_KTNAME", pg_krb_server_keyfile, 0); except setenv()
|
|
|
|
|
* not always available.
|
|
|
|
|
*/
|
|
|
|
|
if (getenv("KRB5_KTNAME") == NULL)
|
|
|
|
|
{
|
2013-10-23 00:42:13 +02:00
|
|
|
size_t kt_len = strlen(pg_krb_server_keyfile) + 14;
|
|
|
|
|
char *kt_path = malloc(kt_len);
|
2008-08-01 13:41:12 +02:00
|
|
|
|
2015-05-18 16:02:31 +02:00
|
|
|
if (!kt_path ||
|
|
|
|
|
snprintf(kt_path, kt_len, "KRB5_KTNAME=%s",
|
|
|
|
|
pg_krb_server_keyfile) != kt_len - 2 ||
|
|
|
|
|
putenv(kt_path) != 0)
|
2008-08-01 13:41:12 +02:00
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
|
|
|
|
(errcode(ERRCODE_OUT_OF_MEMORY),
|
|
|
|
|
errmsg("out of memory")));
|
|
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
2007-07-23 12:16:54 +02:00
|
|
|
|
|
|
|
|
/*
|
2008-08-01 13:41:12 +02:00
|
|
|
* We accept any service principal that's present in our keytab. This
|
|
|
|
|
* increases interoperability between kerberos implementations that see
|
|
|
|
|
* for example case sensitivity differently, while not really opening up
|
|
|
|
|
* any vector of attack.
|
2007-07-23 12:16:54 +02:00
|
|
|
*/
|
2008-08-01 13:41:12 +02:00
|
|
|
port->gss->cred = GSS_C_NO_CREDENTIAL;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Initialize sequence with an empty context
|
|
|
|
|
*/
|
|
|
|
|
port->gss->ctx = GSS_C_NO_CONTEXT;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Loop through GSSAPI message exchange. This exchange can consist of
|
2016-03-15 23:06:11 +01:00
|
|
|
* multiple messages sent in both directions. First message is always from
|
2008-08-01 13:41:12 +02:00
|
|
|
* the client. All messages from client to server are password packets
|
|
|
|
|
* (type 'p').
|
|
|
|
|
*/
|
|
|
|
|
do
|
|
|
|
|
{
|
Be more careful to not lose sync in the FE/BE protocol.
If any error occurred while we were in the middle of reading a protocol
message from the client, we could lose sync, and incorrectly try to
interpret a part of another message as a new protocol message. That will
usually lead to an "invalid frontend message" error that terminates the
connection. However, this is a security issue because an attacker might
be able to deliberately cause an error, inject a Query message in what's
supposed to be just user data, and have the server execute it.
We were quite careful to not have CHECK_FOR_INTERRUPTS() calls or other
operations that could ereport(ERROR) in the middle of processing a message,
but a query cancel interrupt or statement timeout could nevertheless cause
it to happen. Also, the V2 fastpath and COPY handling were not so careful.
It's very difficult to recover in the V2 COPY protocol, so we will just
terminate the connection on error. In practice, that's what happened
previously anyway, as we lost protocol sync.
To fix, add a new variable in pqcomm.c, PqCommReadingMsg, that is set
whenever we're in the middle of reading a message. When it's set, we cannot
safely ERROR out and continue running, because we might've read only part
of a message. PqCommReadingMsg acts somewhat similarly to critical sections
in that if an error occurs while it's set, the error handler will force the
connection to be terminated, as if the error was FATAL. It's not
implemented by promoting ERROR to FATAL in elog.c, like ERROR is promoted
to PANIC in critical sections, because we want to be able to use
PG_TRY/CATCH to recover and regain protocol sync. pq_getmessage() takes
advantage of that to prevent an OOM error from terminating the connection.
To prevent unnecessary connection terminations, add a holdoff mechanism
similar to HOLD/RESUME_INTERRUPTS() that can be used hold off query cancel
interrupts, but still allow die interrupts. The rules on which interrupts
are processed when are now a bit more complicated, so refactor
ProcessInterrupts() and the calls to it in signal handlers so that the
signal handlers always call it if ImmediateInterruptOK is set, and
ProcessInterrupts() can decide to not do anything if the other conditions
are not met.
Reported by Emil Lenngren. Patch reviewed by Noah Misch and Andres Freund.
Backpatch to all supported versions.
Security: CVE-2015-0244
2015-02-02 16:08:45 +01:00
|
|
|
pq_startmsgread();
|
2015-02-03 22:54:48 +01:00
|
|
|
|
|
|
|
|
CHECK_FOR_INTERRUPTS();
|
|
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
mtype = pq_getbyte();
|
|
|
|
|
if (mtype != 'p')
|
|
|
|
|
{
|
|
|
|
|
/* Only log error if client didn't disconnect. */
|
|
|
|
|
if (mtype != EOF)
|
2017-06-08 18:54:22 +02:00
|
|
|
ereport(ERROR,
|
2008-08-01 13:41:12 +02:00
|
|
|
(errcode(ERRCODE_PROTOCOL_VIOLATION),
|
|
|
|
|
errmsg("expected GSS response, got message type %d",
|
|
|
|
|
mtype)));
|
|
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Get the actual GSS token */
|
|
|
|
|
initStringInfo(&buf);
|
2009-10-15 00:09:46 +02:00
|
|
|
if (pq_getmessage(&buf, PG_MAX_AUTH_TOKEN_LENGTH))
|
2008-08-01 13:41:12 +02:00
|
|
|
{
|
|
|
|
|
/* EOF - pq_getmessage already logged error */
|
|
|
|
|
pfree(buf.data);
|
|
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Map to GSSAPI style buffer */
|
|
|
|
|
gbuf.length = buf.len;
|
|
|
|
|
gbuf.value = buf.data;
|
|
|
|
|
|
2019-11-05 20:29:08 +01:00
|
|
|
elog(DEBUG4, "processing received GSS token of length %u",
|
2008-08-01 13:41:12 +02:00
|
|
|
(unsigned int) gbuf.length);
|
|
|
|
|
|
|
|
|
|
maj_stat = gss_accept_sec_context(
|
|
|
|
|
&min_stat,
|
|
|
|
|
&port->gss->ctx,
|
|
|
|
|
port->gss->cred,
|
|
|
|
|
&gbuf,
|
|
|
|
|
GSS_C_NO_CHANNEL_BINDINGS,
|
|
|
|
|
&port->gss->name,
|
|
|
|
|
NULL,
|
|
|
|
|
&port->gss->outbuf,
|
|
|
|
|
&gflags,
|
|
|
|
|
NULL,
|
|
|
|
|
NULL);
|
|
|
|
|
|
|
|
|
|
/* gbuf no longer used */
|
|
|
|
|
pfree(buf.data);
|
|
|
|
|
|
|
|
|
|
elog(DEBUG5, "gss_accept_sec_context major: %d, "
|
|
|
|
|
"minor: %d, outlen: %u, outflags: %x",
|
|
|
|
|
maj_stat, min_stat,
|
|
|
|
|
(unsigned int) port->gss->outbuf.length, gflags);
|
|
|
|
|
|
2015-02-03 22:54:48 +01:00
|
|
|
CHECK_FOR_INTERRUPTS();
|
|
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
if (port->gss->outbuf.length != 0)
|
|
|
|
|
{
|
|
|
|
|
/*
|
|
|
|
|
* Negotiation generated data to be sent to the client.
|
|
|
|
|
*/
|
|
|
|
|
elog(DEBUG4, "sending GSS response token of length %u",
|
|
|
|
|
(unsigned int) port->gss->outbuf.length);
|
|
|
|
|
|
2016-08-18 12:25:31 +02:00
|
|
|
sendAuthRequest(port, AUTH_REQ_GSS_CONT,
|
Phase 3 of pgindent updates.
Don't move parenthesized lines to the left, even if that means they
flow past the right margin.
By default, BSD indent lines up statement continuation lines that are
within parentheses so that they start just to the right of the preceding
left parenthesis. However, traditionally, if that resulted in the
continuation line extending to the right of the desired right margin,
then indent would push it left just far enough to not overrun the margin,
if it could do so without making the continuation line start to the left of
the current statement indent. That makes for a weird mix of indentations
unless one has been completely rigid about never violating the 80-column
limit.
This behavior has been pretty universally panned by Postgres developers.
Hence, disable it with indent's new -lpl switch, so that parenthesized
lines are always lined up with the preceding left paren.
This patch is much less interesting than the first round of indent
changes, but also bulkier, so I thought it best to separate the effects.
Discussion: https://postgr.es/m/E1dAmxK-0006EE-1r@gemulon.postgresql.org
Discussion: https://postgr.es/m/30527.1495162840@sss.pgh.pa.us
2017-06-21 21:35:54 +02:00
|
|
|
port->gss->outbuf.value, port->gss->outbuf.length);
|
2008-08-01 13:41:12 +02:00
|
|
|
|
|
|
|
|
gss_release_buffer(&lmin_s, &port->gss->outbuf);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (maj_stat != GSS_S_COMPLETE && maj_stat != GSS_S_CONTINUE_NEEDED)
|
|
|
|
|
{
|
|
|
|
|
gss_delete_sec_context(&lmin_s, &port->gss->ctx, GSS_C_NO_BUFFER);
|
|
|
|
|
pg_GSS_error(ERROR,
|
2018-08-21 08:17:13 +02:00
|
|
|
_("accepting GSS security context failed"),
|
2008-08-01 13:41:12 +02:00
|
|
|
maj_stat, min_stat);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (maj_stat == GSS_S_CONTINUE_NEEDED)
|
|
|
|
|
elog(DEBUG4, "GSS continue needed");
|
|
|
|
|
|
|
|
|
|
} while (maj_stat == GSS_S_CONTINUE_NEEDED);
|
|
|
|
|
|
|
|
|
|
if (port->gss->cred != GSS_C_NO_CREDENTIAL)
|
|
|
|
|
{
|
|
|
|
|
/*
|
|
|
|
|
* Release service principal credentials
|
|
|
|
|
*/
|
|
|
|
|
gss_release_cred(&min_stat, &port->gss->cred);
|
|
|
|
|
}
|
GSSAPI encryption support
On both the frontend and backend, prepare for GSSAPI encryption
support by moving common code for error handling into a separate file.
Fix a TODO for handling multiple status messages in the process.
Eliminate the OIDs, which have not been needed for some time.
Add frontend and backend encryption support functions. Keep the
context initiation for authentication-only separate on both the
frontend and backend in order to avoid concerns about changing the
requested flags to include encryption support.
In postmaster, pull GSSAPI authorization checking into a shared
function. Also share the initiator name between the encryption and
non-encryption codepaths.
For HBA, add "hostgssenc" and "hostnogssenc" entries that behave
similarly to their SSL counterparts. "hostgssenc" requires either
"gss", "trust", or "reject" for its authentication.
Similarly, add a "gssencmode" parameter to libpq. Supported values are
"disable", "require", and "prefer". Notably, negotiation will only be
attempted if credentials can be acquired. Move credential acquisition
into its own function to support this behavior.
Add a simple pg_stat_gssapi view similar to pg_stat_ssl, for monitoring
if GSSAPI authentication was used, what principal was used, and if
encryption is being used on the connection.
Finally, add documentation for everything new, and update existing
documentation on connection security.
Thanks to Michael Paquier for the Windows fixes.
Author: Robbie Harwood, with changes to the read/write functions by me.
Reviewed in various forms and at different times by: Michael Paquier,
Andres Freund, David Steele.
Discussion: https://www.postgresql.org/message-id/flat/jlg1tgq1ktm.fsf@thriss.redhat.com
2019-04-03 21:02:33 +02:00
|
|
|
return pg_GSS_checkauth(port);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Check whether the GSSAPI-authenticated user is allowed to connect as the
|
|
|
|
|
* claimed username.
|
|
|
|
|
*/
|
|
|
|
|
static int
|
|
|
|
|
pg_GSS_checkauth(Port *port)
|
|
|
|
|
{
|
|
|
|
|
int ret;
|
|
|
|
|
OM_uint32 maj_stat,
|
|
|
|
|
min_stat,
|
|
|
|
|
lmin_s;
|
|
|
|
|
gss_buffer_desc gbuf;
|
2008-08-01 13:41:12 +02:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Get the name of the user that authenticated, and compare it to the pg
|
|
|
|
|
* username that was specified for the connection.
|
|
|
|
|
*/
|
|
|
|
|
maj_stat = gss_display_name(&min_stat, port->gss->name, &gbuf, NULL);
|
|
|
|
|
if (maj_stat != GSS_S_COMPLETE)
|
|
|
|
|
pg_GSS_error(ERROR,
|
2018-08-21 08:17:13 +02:00
|
|
|
_("retrieving GSS user name failed"),
|
2008-08-01 13:41:12 +02:00
|
|
|
maj_stat, min_stat);
|
|
|
|
|
|
GSSAPI encryption support
On both the frontend and backend, prepare for GSSAPI encryption
support by moving common code for error handling into a separate file.
Fix a TODO for handling multiple status messages in the process.
Eliminate the OIDs, which have not been needed for some time.
Add frontend and backend encryption support functions. Keep the
context initiation for authentication-only separate on both the
frontend and backend in order to avoid concerns about changing the
requested flags to include encryption support.
In postmaster, pull GSSAPI authorization checking into a shared
function. Also share the initiator name between the encryption and
non-encryption codepaths.
For HBA, add "hostgssenc" and "hostnogssenc" entries that behave
similarly to their SSL counterparts. "hostgssenc" requires either
"gss", "trust", or "reject" for its authentication.
Similarly, add a "gssencmode" parameter to libpq. Supported values are
"disable", "require", and "prefer". Notably, negotiation will only be
attempted if credentials can be acquired. Move credential acquisition
into its own function to support this behavior.
Add a simple pg_stat_gssapi view similar to pg_stat_ssl, for monitoring
if GSSAPI authentication was used, what principal was used, and if
encryption is being used on the connection.
Finally, add documentation for everything new, and update existing
documentation on connection security.
Thanks to Michael Paquier for the Windows fixes.
Author: Robbie Harwood, with changes to the read/write functions by me.
Reviewed in various forms and at different times by: Michael Paquier,
Andres Freund, David Steele.
Discussion: https://www.postgresql.org/message-id/flat/jlg1tgq1ktm.fsf@thriss.redhat.com
2019-04-03 21:02:33 +02:00
|
|
|
/*
|
|
|
|
|
* Copy the original name of the authenticated principal into our backend
|
|
|
|
|
* memory for display later.
|
|
|
|
|
*/
|
|
|
|
|
port->gss->princ = MemoryContextStrdup(TopMemoryContext, gbuf.value);
|
|
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
/*
|
|
|
|
|
* Split the username at the realm separator
|
|
|
|
|
*/
|
|
|
|
|
if (strchr(gbuf.value, '@'))
|
|
|
|
|
{
|
|
|
|
|
char *cp = strchr(gbuf.value, '@');
|
|
|
|
|
|
2009-01-07 14:09:21 +01:00
|
|
|
/*
|
2009-06-11 16:49:15 +02:00
|
|
|
* If we are not going to include the realm in the username that is
|
|
|
|
|
* passed to the ident map, destructively modify it here to remove the
|
|
|
|
|
* realm. Then advance past the separator to check the realm.
|
2009-01-07 14:09:21 +01:00
|
|
|
*/
|
|
|
|
|
if (!port->hba->include_realm)
|
|
|
|
|
*cp = '\0';
|
2008-08-01 13:41:12 +02:00
|
|
|
cp++;
|
|
|
|
|
|
2009-01-09 11:13:19 +01:00
|
|
|
if (port->hba->krb_realm != NULL && strlen(port->hba->krb_realm))
|
2008-08-01 13:41:12 +02:00
|
|
|
{
|
|
|
|
|
/*
|
|
|
|
|
* Match the realm part of the name first
|
|
|
|
|
*/
|
|
|
|
|
if (pg_krb_caseins_users)
|
2009-01-09 11:13:19 +01:00
|
|
|
ret = pg_strcasecmp(port->hba->krb_realm, cp);
|
2008-08-01 13:41:12 +02:00
|
|
|
else
|
2009-01-09 11:13:19 +01:00
|
|
|
ret = strcmp(port->hba->krb_realm, cp);
|
2008-08-01 13:41:12 +02:00
|
|
|
|
|
|
|
|
if (ret)
|
|
|
|
|
{
|
|
|
|
|
/* GSS realm does not match */
|
|
|
|
|
elog(DEBUG2,
|
Phase 3 of pgindent updates.
Don't move parenthesized lines to the left, even if that means they
flow past the right margin.
By default, BSD indent lines up statement continuation lines that are
within parentheses so that they start just to the right of the preceding
left parenthesis. However, traditionally, if that resulted in the
continuation line extending to the right of the desired right margin,
then indent would push it left just far enough to not overrun the margin,
if it could do so without making the continuation line start to the left of
the current statement indent. That makes for a weird mix of indentations
unless one has been completely rigid about never violating the 80-column
limit.
This behavior has been pretty universally panned by Postgres developers.
Hence, disable it with indent's new -lpl switch, so that parenthesized
lines are always lined up with the preceding left paren.
This patch is much less interesting than the first round of indent
changes, but also bulkier, so I thought it best to separate the effects.
Discussion: https://postgr.es/m/E1dAmxK-0006EE-1r@gemulon.postgresql.org
Discussion: https://postgr.es/m/30527.1495162840@sss.pgh.pa.us
2017-06-21 21:35:54 +02:00
|
|
|
"GSSAPI realm (%s) and configured realm (%s) don't match",
|
2009-01-09 11:13:19 +01:00
|
|
|
cp, port->hba->krb_realm);
|
2008-08-01 13:41:12 +02:00
|
|
|
gss_release_buffer(&lmin_s, &gbuf);
|
|
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
2009-01-09 11:13:19 +01:00
|
|
|
else if (port->hba->krb_realm && strlen(port->hba->krb_realm))
|
2008-08-01 13:41:12 +02:00
|
|
|
{
|
|
|
|
|
elog(DEBUG2,
|
|
|
|
|
"GSSAPI did not return realm but realm matching was requested");
|
|
|
|
|
|
|
|
|
|
gss_release_buffer(&lmin_s, &gbuf);
|
|
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
|
2008-10-23 15:31:10 +02:00
|
|
|
ret = check_usermap(port->hba->usermap, port->user_name, gbuf.value,
|
|
|
|
|
pg_krb_caseins_users);
|
2008-08-01 13:41:12 +02:00
|
|
|
|
|
|
|
|
gss_release_buffer(&lmin_s, &gbuf);
|
|
|
|
|
|
2009-05-27 23:08:22 +02:00
|
|
|
return ret;
|
2008-08-01 13:41:12 +02:00
|
|
|
}
|
Phase 2 of pgindent updates.
Change pg_bsd_indent to follow upstream rules for placement of comments
to the right of code, and remove pgindent hack that caused comments
following #endif to not obey the general rule.
Commit e3860ffa4dd0dad0dd9eea4be9cc1412373a8c89 wasn't actually using
the published version of pg_bsd_indent, but a hacked-up version that
tried to minimize the amount of movement of comments to the right of
code. The situation of interest is where such a comment has to be
moved to the right of its default placement at column 33 because there's
code there. BSD indent has always moved right in units of tab stops
in such cases --- but in the previous incarnation, indent was working
in 8-space tab stops, while now it knows we use 4-space tabs. So the
net result is that in about half the cases, such comments are placed
one tab stop left of before. This is better all around: it leaves
more room on the line for comment text, and it means that in such
cases the comment uniformly starts at the next 4-space tab stop after
the code, rather than sometimes one and sometimes two tabs after.
Also, ensure that comments following #endif are indented the same
as comments following other preprocessor commands such as #else.
That inconsistency turns out to have been self-inflicted damage
from a poorly-thought-through post-indent "fixup" in pgindent.
This patch is much less interesting than the first round of indent
changes, but also bulkier, so I thought it best to separate the effects.
Discussion: https://postgr.es/m/E1dAmxK-0006EE-1r@gemulon.postgresql.org
Discussion: https://postgr.es/m/30527.1495162840@sss.pgh.pa.us
2017-06-21 21:18:54 +02:00
|
|
|
#endif /* ENABLE_GSS */
|
2008-08-01 13:41:12 +02:00
|
|
|
|
|
|
|
|
|
|
|
|
|
/*----------------------------------------------------------------
|
|
|
|
|
* SSPI authentication system
|
|
|
|
|
*----------------------------------------------------------------
|
|
|
|
|
*/
|
|
|
|
|
#ifdef ENABLE_SSPI
|
2018-08-21 08:17:13 +02:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Generate an error for SSPI authentication. The caller should apply
|
|
|
|
|
* _() to errmsg to make it translatable.
|
|
|
|
|
*/
|
2008-08-01 13:41:12 +02:00
|
|
|
static void
|
2009-03-22 19:06:35 +01:00
|
|
|
pg_SSPI_error(int severity, const char *errmsg, SECURITY_STATUS r)
|
2008-08-01 13:41:12 +02:00
|
|
|
{
|
|
|
|
|
char sysmsg[256];
|
|
|
|
|
|
2016-03-29 17:54:57 +02:00
|
|
|
if (FormatMessage(FORMAT_MESSAGE_IGNORE_INSERTS |
|
|
|
|
|
FORMAT_MESSAGE_FROM_SYSTEM,
|
|
|
|
|
NULL, r, 0,
|
2009-03-22 19:06:35 +01:00
|
|
|
sysmsg, sizeof(sysmsg), NULL) == 0)
|
2008-08-01 13:41:12 +02:00
|
|
|
ereport(severity,
|
|
|
|
|
(errmsg_internal("%s", errmsg),
|
2011-07-16 20:21:12 +02:00
|
|
|
errdetail_internal("SSPI error %x", (unsigned int) r)));
|
2008-08-01 13:41:12 +02:00
|
|
|
else
|
|
|
|
|
ereport(severity,
|
|
|
|
|
(errmsg_internal("%s", errmsg),
|
2011-07-16 20:21:12 +02:00
|
|
|
errdetail_internal("%s (%x)", sysmsg, (unsigned int) r)));
|
2008-08-01 13:41:12 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int
|
|
|
|
|
pg_SSPI_recvauth(Port *port)
|
|
|
|
|
{
|
|
|
|
|
int mtype;
|
|
|
|
|
StringInfoData buf;
|
|
|
|
|
SECURITY_STATUS r;
|
|
|
|
|
CredHandle sspicred;
|
|
|
|
|
CtxtHandle *sspictx = NULL,
|
|
|
|
|
newctx;
|
|
|
|
|
TimeStamp expiry;
|
|
|
|
|
ULONG contextattr;
|
|
|
|
|
SecBufferDesc inbuf;
|
|
|
|
|
SecBufferDesc outbuf;
|
|
|
|
|
SecBuffer OutBuffers[1];
|
|
|
|
|
SecBuffer InBuffers[1];
|
|
|
|
|
HANDLE token;
|
|
|
|
|
TOKEN_USER *tokenuser;
|
|
|
|
|
DWORD retlen;
|
|
|
|
|
char accountname[MAXPGPATH];
|
|
|
|
|
char domainname[MAXPGPATH];
|
|
|
|
|
DWORD accountnamesize = sizeof(accountname);
|
|
|
|
|
DWORD domainnamesize = sizeof(domainname);
|
|
|
|
|
SID_NAME_USE accountnameuse;
|
|
|
|
|
HMODULE secur32;
|
2017-06-21 20:39:04 +02:00
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
QUERY_SECURITY_CONTEXT_TOKEN_FN _QuerySecurityContextToken;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* SSPI auth is not supported for protocol versions before 3, because it
|
|
|
|
|
* relies on the overall message length word to determine the SSPI payload
|
2009-06-11 16:49:15 +02:00
|
|
|
* size in AuthenticationGSSContinue and PasswordMessage messages. (This
|
|
|
|
|
* is, in fact, a design error in our SSPI support, because protocol
|
2008-08-01 13:41:12 +02:00
|
|
|
* messages are supposed to be parsable without relying on the length
|
|
|
|
|
* word; but it's not worth changing it now.)
|
|
|
|
|
*/
|
|
|
|
|
if (PG_PROTOCOL_MAJOR(FrontendProtocol) < 3)
|
|
|
|
|
ereport(FATAL,
|
|
|
|
|
(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
|
|
|
|
|
errmsg("SSPI is not supported in protocol version 2")));
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Acquire a handle to the server credentials.
|
|
|
|
|
*/
|
|
|
|
|
r = AcquireCredentialsHandle(NULL,
|
|
|
|
|
"negotiate",
|
2007-11-15 22:14:46 +01:00
|
|
|
SECPKG_CRED_INBOUND,
|
|
|
|
|
NULL,
|
|
|
|
|
NULL,
|
|
|
|
|
NULL,
|
|
|
|
|
NULL,
|
|
|
|
|
&sspicred,
|
|
|
|
|
&expiry);
|
2007-07-23 12:16:54 +02:00
|
|
|
if (r != SEC_E_OK)
|
2009-03-22 19:06:35 +01:00
|
|
|
pg_SSPI_error(ERROR, _("could not acquire SSPI credentials"), r);
|
2007-07-23 12:16:54 +02:00
|
|
|
|
|
|
|
|
/*
|
2007-11-15 22:14:46 +01:00
|
|
|
* Loop through SSPI message exchange. This exchange can consist of
|
2016-03-15 23:06:11 +01:00
|
|
|
* multiple messages sent in both directions. First message is always from
|
2007-11-15 22:14:46 +01:00
|
|
|
* the client. All messages from client to server are password packets
|
|
|
|
|
* (type 'p').
|
2007-07-23 12:16:54 +02:00
|
|
|
*/
|
2007-11-15 22:14:46 +01:00
|
|
|
do
|
2007-07-23 12:16:54 +02:00
|
|
|
{
|
Be more careful to not lose sync in the FE/BE protocol.
If any error occurred while we were in the middle of reading a protocol
message from the client, we could lose sync, and incorrectly try to
interpret a part of another message as a new protocol message. That will
usually lead to an "invalid frontend message" error that terminates the
connection. However, this is a security issue because an attacker might
be able to deliberately cause an error, inject a Query message in what's
supposed to be just user data, and have the server execute it.
We were quite careful to not have CHECK_FOR_INTERRUPTS() calls or other
operations that could ereport(ERROR) in the middle of processing a message,
but a query cancel interrupt or statement timeout could nevertheless cause
it to happen. Also, the V2 fastpath and COPY handling were not so careful.
It's very difficult to recover in the V2 COPY protocol, so we will just
terminate the connection on error. In practice, that's what happened
previously anyway, as we lost protocol sync.
To fix, add a new variable in pqcomm.c, PqCommReadingMsg, that is set
whenever we're in the middle of reading a message. When it's set, we cannot
safely ERROR out and continue running, because we might've read only part
of a message. PqCommReadingMsg acts somewhat similarly to critical sections
in that if an error occurs while it's set, the error handler will force the
connection to be terminated, as if the error was FATAL. It's not
implemented by promoting ERROR to FATAL in elog.c, like ERROR is promoted
to PANIC in critical sections, because we want to be able to use
PG_TRY/CATCH to recover and regain protocol sync. pq_getmessage() takes
advantage of that to prevent an OOM error from terminating the connection.
To prevent unnecessary connection terminations, add a holdoff mechanism
similar to HOLD/RESUME_INTERRUPTS() that can be used hold off query cancel
interrupts, but still allow die interrupts. The rules on which interrupts
are processed when are now a bit more complicated, so refactor
ProcessInterrupts() and the calls to it in signal handlers so that the
signal handlers always call it if ImmediateInterruptOK is set, and
ProcessInterrupts() can decide to not do anything if the other conditions
are not met.
Reported by Emil Lenngren. Patch reviewed by Noah Misch and Andres Freund.
Backpatch to all supported versions.
Security: CVE-2015-0244
2015-02-02 16:08:45 +01:00
|
|
|
pq_startmsgread();
|
2007-07-23 12:16:54 +02:00
|
|
|
mtype = pq_getbyte();
|
|
|
|
|
if (mtype != 'p')
|
|
|
|
|
{
|
|
|
|
|
/* Only log error if client didn't disconnect. */
|
|
|
|
|
if (mtype != EOF)
|
2017-06-08 18:54:22 +02:00
|
|
|
ereport(ERROR,
|
2007-07-23 12:16:54 +02:00
|
|
|
(errcode(ERRCODE_PROTOCOL_VIOLATION),
|
|
|
|
|
errmsg("expected SSPI response, got message type %d",
|
2007-11-15 22:14:46 +01:00
|
|
|
mtype)));
|
2007-07-23 12:16:54 +02:00
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Get the actual SSPI token */
|
|
|
|
|
initStringInfo(&buf);
|
2009-10-15 00:09:46 +02:00
|
|
|
if (pq_getmessage(&buf, PG_MAX_AUTH_TOKEN_LENGTH))
|
2007-07-23 12:16:54 +02:00
|
|
|
{
|
|
|
|
|
/* EOF - pq_getmessage already logged error */
|
|
|
|
|
pfree(buf.data);
|
|
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Map to SSPI style buffer */
|
|
|
|
|
inbuf.ulVersion = SECBUFFER_VERSION;
|
|
|
|
|
inbuf.cBuffers = 1;
|
|
|
|
|
inbuf.pBuffers = InBuffers;
|
|
|
|
|
InBuffers[0].pvBuffer = buf.data;
|
|
|
|
|
InBuffers[0].cbBuffer = buf.len;
|
|
|
|
|
InBuffers[0].BufferType = SECBUFFER_TOKEN;
|
|
|
|
|
|
|
|
|
|
/* Prepare output buffer */
|
|
|
|
|
OutBuffers[0].pvBuffer = NULL;
|
|
|
|
|
OutBuffers[0].BufferType = SECBUFFER_TOKEN;
|
|
|
|
|
OutBuffers[0].cbBuffer = 0;
|
|
|
|
|
outbuf.cBuffers = 1;
|
|
|
|
|
outbuf.pBuffers = OutBuffers;
|
|
|
|
|
outbuf.ulVersion = SECBUFFER_VERSION;
|
|
|
|
|
|
2019-11-05 20:29:08 +01:00
|
|
|
elog(DEBUG4, "processing received SSPI token of length %u",
|
2007-07-23 12:16:54 +02:00
|
|
|
(unsigned int) buf.len);
|
|
|
|
|
|
|
|
|
|
r = AcceptSecurityContext(&sspicred,
|
2007-11-15 22:14:46 +01:00
|
|
|
sspictx,
|
|
|
|
|
&inbuf,
|
|
|
|
|
ASC_REQ_ALLOCATE_MEMORY,
|
|
|
|
|
SECURITY_NETWORK_DREP,
|
|
|
|
|
&newctx,
|
|
|
|
|
&outbuf,
|
|
|
|
|
&contextattr,
|
|
|
|
|
NULL);
|
2007-07-23 12:16:54 +02:00
|
|
|
|
|
|
|
|
/* input buffer no longer used */
|
|
|
|
|
pfree(buf.data);
|
|
|
|
|
|
|
|
|
|
if (outbuf.cBuffers > 0 && outbuf.pBuffers[0].cbBuffer > 0)
|
|
|
|
|
{
|
|
|
|
|
/*
|
|
|
|
|
* Negotiation generated data to be sent to the client.
|
|
|
|
|
*/
|
|
|
|
|
elog(DEBUG4, "sending SSPI response token of length %u",
|
|
|
|
|
(unsigned int) outbuf.pBuffers[0].cbBuffer);
|
|
|
|
|
|
|
|
|
|
port->gss->outbuf.length = outbuf.pBuffers[0].cbBuffer;
|
|
|
|
|
port->gss->outbuf.value = outbuf.pBuffers[0].pvBuffer;
|
|
|
|
|
|
2016-08-18 12:25:31 +02:00
|
|
|
sendAuthRequest(port, AUTH_REQ_GSS_CONT,
|
Phase 3 of pgindent updates.
Don't move parenthesized lines to the left, even if that means they
flow past the right margin.
By default, BSD indent lines up statement continuation lines that are
within parentheses so that they start just to the right of the preceding
left parenthesis. However, traditionally, if that resulted in the
continuation line extending to the right of the desired right margin,
then indent would push it left just far enough to not overrun the margin,
if it could do so without making the continuation line start to the left of
the current statement indent. That makes for a weird mix of indentations
unless one has been completely rigid about never violating the 80-column
limit.
This behavior has been pretty universally panned by Postgres developers.
Hence, disable it with indent's new -lpl switch, so that parenthesized
lines are always lined up with the preceding left paren.
This patch is much less interesting than the first round of indent
changes, but also bulkier, so I thought it best to separate the effects.
Discussion: https://postgr.es/m/E1dAmxK-0006EE-1r@gemulon.postgresql.org
Discussion: https://postgr.es/m/30527.1495162840@sss.pgh.pa.us
2017-06-21 21:35:54 +02:00
|
|
|
port->gss->outbuf.value, port->gss->outbuf.length);
|
2007-07-23 12:16:54 +02:00
|
|
|
|
|
|
|
|
FreeContextBuffer(outbuf.pBuffers[0].pvBuffer);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (r != SEC_E_OK && r != SEC_I_CONTINUE_NEEDED)
|
|
|
|
|
{
|
|
|
|
|
if (sspictx != NULL)
|
|
|
|
|
{
|
|
|
|
|
DeleteSecurityContext(sspictx);
|
|
|
|
|
free(sspictx);
|
|
|
|
|
}
|
|
|
|
|
FreeCredentialsHandle(&sspicred);
|
2007-11-15 22:14:46 +01:00
|
|
|
pg_SSPI_error(ERROR,
|
2009-03-22 19:06:35 +01:00
|
|
|
_("could not accept SSPI security context"), r);
|
2007-07-23 12:16:54 +02:00
|
|
|
}
|
|
|
|
|
|
2011-07-16 19:58:53 +02:00
|
|
|
/*
|
2012-06-10 21:20:04 +02:00
|
|
|
* Overwrite the current context with the one we just received. If
|
|
|
|
|
* sspictx is NULL it was the first loop and we need to allocate a
|
|
|
|
|
* buffer for it. On subsequent runs, we can just overwrite the buffer
|
|
|
|
|
* contents since the size does not change.
|
2011-07-16 19:58:53 +02:00
|
|
|
*/
|
2007-07-23 12:16:54 +02:00
|
|
|
if (sspictx == NULL)
|
|
|
|
|
{
|
|
|
|
|
sspictx = malloc(sizeof(CtxtHandle));
|
|
|
|
|
if (sspictx == NULL)
|
|
|
|
|
ereport(ERROR,
|
2007-11-15 22:14:46 +01:00
|
|
|
(errmsg("out of memory")));
|
2007-07-23 12:16:54 +02:00
|
|
|
}
|
|
|
|
|
|
2011-07-16 19:58:53 +02:00
|
|
|
memcpy(sspictx, &newctx, sizeof(CtxtHandle));
|
|
|
|
|
|
2007-07-23 12:16:54 +02:00
|
|
|
if (r == SEC_I_CONTINUE_NEEDED)
|
|
|
|
|
elog(DEBUG4, "SSPI continue needed");
|
|
|
|
|
|
|
|
|
|
} while (r == SEC_I_CONTINUE_NEEDED);
|
|
|
|
|
|
|
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
/*
|
|
|
|
|
* Release service principal credentials
|
|
|
|
|
*/
|
|
|
|
|
FreeCredentialsHandle(&sspicred);
|
2001-08-16 18:24:16 +02:00
|
|
|
|
2001-10-25 07:50:21 +02:00
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
/*
|
|
|
|
|
* SEC_E_OK indicates that authentication is now complete.
|
|
|
|
|
*
|
|
|
|
|
* Get the name of the user that authenticated, and compare it to the pg
|
|
|
|
|
* username that was specified for the connection.
|
|
|
|
|
*
|
|
|
|
|
* MingW is missing the export for QuerySecurityContextToken in the
|
|
|
|
|
* secur32 library, so we have to load it dynamically.
|
|
|
|
|
*/
|
2001-10-19 00:44:37 +02:00
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
secur32 = LoadLibrary("SECUR32.DLL");
|
|
|
|
|
if (secur32 == NULL)
|
|
|
|
|
ereport(ERROR,
|
2011-08-23 21:00:52 +02:00
|
|
|
(errmsg_internal("could not load secur32.dll: error code %lu",
|
|
|
|
|
GetLastError())));
|
2001-08-17 17:44:17 +02:00
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
_QuerySecurityContextToken = (QUERY_SECURITY_CONTEXT_TOKEN_FN)
|
|
|
|
|
GetProcAddress(secur32, "QuerySecurityContextToken");
|
|
|
|
|
if (_QuerySecurityContextToken == NULL)
|
|
|
|
|
{
|
|
|
|
|
FreeLibrary(secur32);
|
|
|
|
|
ereport(ERROR,
|
2011-08-23 21:00:52 +02:00
|
|
|
(errmsg_internal("could not locate QuerySecurityContextToken in secur32.dll: error code %lu",
|
|
|
|
|
GetLastError())));
|
2008-08-01 13:41:12 +02:00
|
|
|
}
|
2006-03-06 18:41:44 +01:00
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
r = (_QuerySecurityContextToken) (sspictx, &token);
|
|
|
|
|
if (r != SEC_E_OK)
|
|
|
|
|
{
|
|
|
|
|
FreeLibrary(secur32);
|
|
|
|
|
pg_SSPI_error(ERROR,
|
2009-03-22 19:06:35 +01:00
|
|
|
_("could not get token from SSPI security context"), r);
|
1998-01-29 04:24:36 +01:00
|
|
|
}
|
2001-06-20 20:07:56 +02:00
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
FreeLibrary(secur32);
|
1998-02-26 05:46:47 +01:00
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
/*
|
|
|
|
|
* No longer need the security context, everything from here on uses the
|
|
|
|
|
* token instead.
|
|
|
|
|
*/
|
|
|
|
|
DeleteSecurityContext(sspictx);
|
|
|
|
|
free(sspictx);
|
1996-07-09 08:22:35 +02:00
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
if (!GetTokenInformation(token, TokenUser, NULL, 0, &retlen) && GetLastError() != 122)
|
|
|
|
|
ereport(ERROR,
|
2016-04-07 05:41:43 +02:00
|
|
|
(errmsg_internal("could not get token information buffer size: error code %lu",
|
|
|
|
|
GetLastError())));
|
1997-09-07 07:04:48 +02:00
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
tokenuser = malloc(retlen);
|
|
|
|
|
if (tokenuser == NULL)
|
|
|
|
|
ereport(ERROR,
|
|
|
|
|
(errmsg("out of memory")));
|
1998-01-26 02:42:53 +01:00
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
if (!GetTokenInformation(token, TokenUser, tokenuser, retlen, &retlen))
|
|
|
|
|
ereport(ERROR,
|
Phase 3 of pgindent updates.
Don't move parenthesized lines to the left, even if that means they
flow past the right margin.
By default, BSD indent lines up statement continuation lines that are
within parentheses so that they start just to the right of the preceding
left parenthesis. However, traditionally, if that resulted in the
continuation line extending to the right of the desired right margin,
then indent would push it left just far enough to not overrun the margin,
if it could do so without making the continuation line start to the left of
the current statement indent. That makes for a weird mix of indentations
unless one has been completely rigid about never violating the 80-column
limit.
This behavior has been pretty universally panned by Postgres developers.
Hence, disable it with indent's new -lpl switch, so that parenthesized
lines are always lined up with the preceding left paren.
This patch is much less interesting than the first round of indent
changes, but also bulkier, so I thought it best to separate the effects.
Discussion: https://postgr.es/m/E1dAmxK-0006EE-1r@gemulon.postgresql.org
Discussion: https://postgr.es/m/30527.1495162840@sss.pgh.pa.us
2017-06-21 21:35:54 +02:00
|
|
|
(errmsg_internal("could not get token information: error code %lu",
|
|
|
|
|
GetLastError())));
|
1998-01-26 02:42:53 +01:00
|
|
|
|
2016-01-14 13:06:03 +01:00
|
|
|
CloseHandle(token);
|
|
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
if (!LookupAccountSid(NULL, tokenuser->User.Sid, accountname, &accountnamesize,
|
|
|
|
|
domainname, &domainnamesize, &accountnameuse))
|
|
|
|
|
ereport(ERROR,
|
Phase 3 of pgindent updates.
Don't move parenthesized lines to the left, even if that means they
flow past the right margin.
By default, BSD indent lines up statement continuation lines that are
within parentheses so that they start just to the right of the preceding
left parenthesis. However, traditionally, if that resulted in the
continuation line extending to the right of the desired right margin,
then indent would push it left just far enough to not overrun the margin,
if it could do so without making the continuation line start to the left of
the current statement indent. That makes for a weird mix of indentations
unless one has been completely rigid about never violating the 80-column
limit.
This behavior has been pretty universally panned by Postgres developers.
Hence, disable it with indent's new -lpl switch, so that parenthesized
lines are always lined up with the preceding left paren.
This patch is much less interesting than the first round of indent
changes, but also bulkier, so I thought it best to separate the effects.
Discussion: https://postgr.es/m/E1dAmxK-0006EE-1r@gemulon.postgresql.org
Discussion: https://postgr.es/m/30527.1495162840@sss.pgh.pa.us
2017-06-21 21:35:54 +02:00
|
|
|
(errmsg_internal("could not look up account SID: error code %lu",
|
|
|
|
|
GetLastError())));
|
2008-08-01 13:41:12 +02:00
|
|
|
|
|
|
|
|
free(tokenuser);
|
2007-11-15 22:14:46 +01:00
|
|
|
|
2016-04-08 20:23:52 +02:00
|
|
|
if (!port->hba->compat_realm)
|
|
|
|
|
{
|
|
|
|
|
int status = pg_SSPI_make_upn(accountname, sizeof(accountname),
|
|
|
|
|
domainname, sizeof(domainname),
|
|
|
|
|
port->hba->upn_username);
|
|
|
|
|
|
|
|
|
|
if (status != STATUS_OK)
|
|
|
|
|
/* Error already reported from pg_SSPI_make_upn */
|
|
|
|
|
return status;
|
|
|
|
|
}
|
|
|
|
|
|
2007-11-15 22:14:46 +01:00
|
|
|
/*
|
2008-08-01 13:41:12 +02:00
|
|
|
* Compare realm/domain if requested. In SSPI, always compare case
|
|
|
|
|
* insensitive.
|
2007-11-15 22:14:46 +01:00
|
|
|
*/
|
2009-01-09 11:13:19 +01:00
|
|
|
if (port->hba->krb_realm && strlen(port->hba->krb_realm))
|
2007-07-10 15:14:22 +02:00
|
|
|
{
|
2011-12-27 20:19:09 +01:00
|
|
|
if (pg_strcasecmp(port->hba->krb_realm, domainname) != 0)
|
2007-07-10 15:14:22 +02:00
|
|
|
{
|
2008-08-01 13:41:12 +02:00
|
|
|
elog(DEBUG2,
|
|
|
|
|
"SSPI domain (%s) and configured domain (%s) don't match",
|
2009-01-09 11:13:19 +01:00
|
|
|
domainname, port->hba->krb_realm);
|
2007-07-11 10:27:33 +02:00
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
return STATUS_ERROR;
|
2007-07-10 15:14:22 +02:00
|
|
|
}
|
|
|
|
|
}
|
2002-02-19 20:49:09 +01:00
|
|
|
|
|
|
|
|
/*
|
2008-08-01 13:41:12 +02:00
|
|
|
* We have the username (without domain/realm) in accountname, compare to
|
|
|
|
|
* the supplied value. In SSPI, always compare case insensitive.
|
2009-01-07 14:09:21 +01:00
|
|
|
*
|
|
|
|
|
* If set to include realm, append it in <username>@<realm> format.
|
2002-02-19 20:49:09 +01:00
|
|
|
*/
|
2009-01-07 14:09:21 +01:00
|
|
|
if (port->hba->include_realm)
|
|
|
|
|
{
|
2009-06-11 16:49:15 +02:00
|
|
|
char *namebuf;
|
|
|
|
|
int retval;
|
2009-01-07 14:09:21 +01:00
|
|
|
|
2013-10-13 06:09:18 +02:00
|
|
|
namebuf = psprintf("%s@%s", accountname, domainname);
|
2009-01-07 14:09:21 +01:00
|
|
|
retval = check_usermap(port->hba->usermap, port->user_name, namebuf, true);
|
|
|
|
|
pfree(namebuf);
|
|
|
|
|
return retval;
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
return check_usermap(port->hba->usermap, port->user_name, accountname, true);
|
2008-08-01 13:41:12 +02:00
|
|
|
}
|
2016-04-08 20:23:52 +02:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Replaces the domainname with the Kerberos realm name,
|
|
|
|
|
* and optionally the accountname with the Kerberos user name.
|
|
|
|
|
*/
|
|
|
|
|
static int
|
|
|
|
|
pg_SSPI_make_upn(char *accountname,
|
|
|
|
|
size_t accountnamesize,
|
|
|
|
|
char *domainname,
|
|
|
|
|
size_t domainnamesize,
|
|
|
|
|
bool update_accountname)
|
|
|
|
|
{
|
|
|
|
|
char *samname;
|
|
|
|
|
char *upname = NULL;
|
|
|
|
|
char *p = NULL;
|
|
|
|
|
ULONG upnamesize = 0;
|
|
|
|
|
size_t upnamerealmsize;
|
|
|
|
|
BOOLEAN res;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Build SAM name (DOMAIN\user), then translate to UPN
|
|
|
|
|
* (user@kerberos.realm). The realm name is returned in lower case, but
|
|
|
|
|
* that is fine because in SSPI auth, string comparisons are always
|
|
|
|
|
* case-insensitive.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
samname = psprintf("%s\\%s", domainname, accountname);
|
|
|
|
|
res = TranslateName(samname, NameSamCompatible, NameUserPrincipal,
|
|
|
|
|
NULL, &upnamesize);
|
|
|
|
|
|
|
|
|
|
if ((!res && GetLastError() != ERROR_INSUFFICIENT_BUFFER)
|
|
|
|
|
|| upnamesize == 0)
|
|
|
|
|
{
|
|
|
|
|
pfree(samname);
|
|
|
|
|
ereport(LOG,
|
|
|
|
|
(errcode(ERRCODE_INVALID_ROLE_SPECIFICATION),
|
|
|
|
|
errmsg("could not translate name")));
|
|
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* upnamesize includes the terminating NUL. */
|
|
|
|
|
upname = palloc(upnamesize);
|
|
|
|
|
|
|
|
|
|
res = TranslateName(samname, NameSamCompatible, NameUserPrincipal,
|
|
|
|
|
upname, &upnamesize);
|
|
|
|
|
|
|
|
|
|
pfree(samname);
|
|
|
|
|
if (res)
|
|
|
|
|
p = strchr(upname, '@');
|
|
|
|
|
|
|
|
|
|
if (!res || p == NULL)
|
|
|
|
|
{
|
|
|
|
|
pfree(upname);
|
|
|
|
|
ereport(LOG,
|
|
|
|
|
(errcode(ERRCODE_INVALID_ROLE_SPECIFICATION),
|
|
|
|
|
errmsg("could not translate name")));
|
|
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Length of realm name after the '@', including the NUL. */
|
|
|
|
|
upnamerealmsize = upnamesize - (p - upname + 1);
|
|
|
|
|
|
|
|
|
|
/* Replace domainname with realm name. */
|
|
|
|
|
if (upnamerealmsize > domainnamesize)
|
|
|
|
|
{
|
|
|
|
|
pfree(upname);
|
|
|
|
|
ereport(LOG,
|
|
|
|
|
(errcode(ERRCODE_INVALID_ROLE_SPECIFICATION),
|
|
|
|
|
errmsg("realm name too long")));
|
|
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Length is now safe. */
|
|
|
|
|
strcpy(domainname, p + 1);
|
|
|
|
|
|
|
|
|
|
/* Replace account name as well (in case UPN != SAM)? */
|
|
|
|
|
if (update_accountname)
|
|
|
|
|
{
|
|
|
|
|
if ((p - upname + 1) > accountnamesize)
|
|
|
|
|
{
|
|
|
|
|
pfree(upname);
|
|
|
|
|
ereport(LOG,
|
|
|
|
|
(errcode(ERRCODE_INVALID_ROLE_SPECIFICATION),
|
|
|
|
|
errmsg("translated account name too long")));
|
|
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
*p = 0;
|
|
|
|
|
strcpy(accountname, upname);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
pfree(upname);
|
|
|
|
|
return STATUS_OK;
|
|
|
|
|
}
|
Phase 2 of pgindent updates.
Change pg_bsd_indent to follow upstream rules for placement of comments
to the right of code, and remove pgindent hack that caused comments
following #endif to not obey the general rule.
Commit e3860ffa4dd0dad0dd9eea4be9cc1412373a8c89 wasn't actually using
the published version of pg_bsd_indent, but a hacked-up version that
tried to minimize the amount of movement of comments to the right of
code. The situation of interest is where such a comment has to be
moved to the right of its default placement at column 33 because there's
code there. BSD indent has always moved right in units of tab stops
in such cases --- but in the previous incarnation, indent was working
in 8-space tab stops, while now it knows we use 4-space tabs. So the
net result is that in about half the cases, such comments are placed
one tab stop left of before. This is better all around: it leaves
more room on the line for comment text, and it means that in such
cases the comment uniformly starts at the next 4-space tab stop after
the code, rather than sometimes one and sometimes two tabs after.
Also, ensure that comments following #endif are indented the same
as comments following other preprocessor commands such as #else.
That inconsistency turns out to have been self-inflicted damage
from a poorly-thought-through post-indent "fixup" in pgindent.
This patch is much less interesting than the first round of indent
changes, but also bulkier, so I thought it best to separate the effects.
Discussion: https://postgr.es/m/E1dAmxK-0006EE-1r@gemulon.postgresql.org
Discussion: https://postgr.es/m/30527.1495162840@sss.pgh.pa.us
2017-06-21 21:18:54 +02:00
|
|
|
#endif /* ENABLE_SSPI */
|
2008-08-01 13:41:12 +02:00
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2008-08-01 11:09:49 +02:00
|
|
|
/*----------------------------------------------------------------
|
|
|
|
|
* Ident authentication system
|
|
|
|
|
*----------------------------------------------------------------
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Parse the string "*ident_response" as a response from a query to an Ident
|
|
|
|
|
* server. If it's a normal response indicating a user name, return true
|
|
|
|
|
* and store the user name at *ident_user. If it's anything else,
|
|
|
|
|
* return false.
|
|
|
|
|
*/
|
|
|
|
|
static bool
|
|
|
|
|
interpret_ident_response(const char *ident_response,
|
|
|
|
|
char *ident_user)
|
|
|
|
|
{
|
Phase 2 of pgindent updates.
Change pg_bsd_indent to follow upstream rules for placement of comments
to the right of code, and remove pgindent hack that caused comments
following #endif to not obey the general rule.
Commit e3860ffa4dd0dad0dd9eea4be9cc1412373a8c89 wasn't actually using
the published version of pg_bsd_indent, but a hacked-up version that
tried to minimize the amount of movement of comments to the right of
code. The situation of interest is where such a comment has to be
moved to the right of its default placement at column 33 because there's
code there. BSD indent has always moved right in units of tab stops
in such cases --- but in the previous incarnation, indent was working
in 8-space tab stops, while now it knows we use 4-space tabs. So the
net result is that in about half the cases, such comments are placed
one tab stop left of before. This is better all around: it leaves
more room on the line for comment text, and it means that in such
cases the comment uniformly starts at the next 4-space tab stop after
the code, rather than sometimes one and sometimes two tabs after.
Also, ensure that comments following #endif are indented the same
as comments following other preprocessor commands such as #else.
That inconsistency turns out to have been self-inflicted damage
from a poorly-thought-through post-indent "fixup" in pgindent.
This patch is much less interesting than the first round of indent
changes, but also bulkier, so I thought it best to separate the effects.
Discussion: https://postgr.es/m/E1dAmxK-0006EE-1r@gemulon.postgresql.org
Discussion: https://postgr.es/m/30527.1495162840@sss.pgh.pa.us
2017-06-21 21:18:54 +02:00
|
|
|
const char *cursor = ident_response; /* Cursor into *ident_response */
|
2008-08-01 11:09:49 +02:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Ident's response, in the telnet tradition, should end in crlf (\r\n).
|
|
|
|
|
*/
|
|
|
|
|
if (strlen(ident_response) < 2)
|
|
|
|
|
return false;
|
|
|
|
|
else if (ident_response[strlen(ident_response) - 2] != '\r')
|
|
|
|
|
return false;
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
while (*cursor != ':' && *cursor != '\r')
|
|
|
|
|
cursor++; /* skip port field */
|
|
|
|
|
|
|
|
|
|
if (*cursor != ':')
|
|
|
|
|
return false;
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
/* We're positioned to colon before response type field */
|
|
|
|
|
char response_type[80];
|
|
|
|
|
int i; /* Index into *response_type */
|
|
|
|
|
|
|
|
|
|
cursor++; /* Go over colon */
|
|
|
|
|
while (pg_isblank(*cursor))
|
|
|
|
|
cursor++; /* skip blanks */
|
|
|
|
|
i = 0;
|
|
|
|
|
while (*cursor != ':' && *cursor != '\r' && !pg_isblank(*cursor) &&
|
|
|
|
|
i < (int) (sizeof(response_type) - 1))
|
|
|
|
|
response_type[i++] = *cursor++;
|
|
|
|
|
response_type[i] = '\0';
|
|
|
|
|
while (pg_isblank(*cursor))
|
|
|
|
|
cursor++; /* skip blanks */
|
|
|
|
|
if (strcmp(response_type, "USERID") != 0)
|
|
|
|
|
return false;
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
/*
|
|
|
|
|
* It's a USERID response. Good. "cursor" should be pointing
|
|
|
|
|
* to the colon that precedes the operating system type.
|
|
|
|
|
*/
|
|
|
|
|
if (*cursor != ':')
|
|
|
|
|
return false;
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
cursor++; /* Go over colon */
|
|
|
|
|
/* Skip over operating system field. */
|
|
|
|
|
while (*cursor != ':' && *cursor != '\r')
|
|
|
|
|
cursor++;
|
|
|
|
|
if (*cursor != ':')
|
|
|
|
|
return false;
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
int i; /* Index into *ident_user */
|
|
|
|
|
|
Phase 2 of pgindent updates.
Change pg_bsd_indent to follow upstream rules for placement of comments
to the right of code, and remove pgindent hack that caused comments
following #endif to not obey the general rule.
Commit e3860ffa4dd0dad0dd9eea4be9cc1412373a8c89 wasn't actually using
the published version of pg_bsd_indent, but a hacked-up version that
tried to minimize the amount of movement of comments to the right of
code. The situation of interest is where such a comment has to be
moved to the right of its default placement at column 33 because there's
code there. BSD indent has always moved right in units of tab stops
in such cases --- but in the previous incarnation, indent was working
in 8-space tab stops, while now it knows we use 4-space tabs. So the
net result is that in about half the cases, such comments are placed
one tab stop left of before. This is better all around: it leaves
more room on the line for comment text, and it means that in such
cases the comment uniformly starts at the next 4-space tab stop after
the code, rather than sometimes one and sometimes two tabs after.
Also, ensure that comments following #endif are indented the same
as comments following other preprocessor commands such as #else.
That inconsistency turns out to have been self-inflicted damage
from a poorly-thought-through post-indent "fixup" in pgindent.
This patch is much less interesting than the first round of indent
changes, but also bulkier, so I thought it best to separate the effects.
Discussion: https://postgr.es/m/E1dAmxK-0006EE-1r@gemulon.postgresql.org
Discussion: https://postgr.es/m/30527.1495162840@sss.pgh.pa.us
2017-06-21 21:18:54 +02:00
|
|
|
cursor++; /* Go over colon */
|
2008-08-01 11:09:49 +02:00
|
|
|
while (pg_isblank(*cursor))
|
|
|
|
|
cursor++; /* skip blanks */
|
|
|
|
|
/* Rest of line is user name. Copy it over. */
|
|
|
|
|
i = 0;
|
|
|
|
|
while (*cursor != '\r' && i < IDENT_USERNAME_MAX)
|
|
|
|
|
ident_user[i++] = *cursor++;
|
|
|
|
|
ident_user[i] = '\0';
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/*
|
2019-07-29 05:28:30 +02:00
|
|
|
* Talk to the ident server on "remote_addr" and find out who
|
|
|
|
|
* owns the tcp connection to "local_addr"
|
2019-08-13 06:53:41 +02:00
|
|
|
* If the username is successfully retrieved, check the usermap.
|
2015-02-03 22:54:48 +01:00
|
|
|
*
|
|
|
|
|
* XXX: Using WaitLatchOrSocket() and doing a CHECK_FOR_INTERRUPTS() if the
|
|
|
|
|
* latch was set would improve the responsiveness to timeouts/cancellations.
|
2008-08-01 11:09:49 +02:00
|
|
|
*/
|
2011-03-19 18:44:35 +01:00
|
|
|
static int
|
|
|
|
|
ident_inet(hbaPort *port)
|
2008-08-01 11:09:49 +02:00
|
|
|
{
|
2011-03-19 18:44:35 +01:00
|
|
|
const SockAddr remote_addr = port->raddr;
|
|
|
|
|
const SockAddr local_addr = port->laddr;
|
|
|
|
|
char ident_user[IDENT_USERNAME_MAX + 1];
|
Phase 2 of pgindent updates.
Change pg_bsd_indent to follow upstream rules for placement of comments
to the right of code, and remove pgindent hack that caused comments
following #endif to not obey the general rule.
Commit e3860ffa4dd0dad0dd9eea4be9cc1412373a8c89 wasn't actually using
the published version of pg_bsd_indent, but a hacked-up version that
tried to minimize the amount of movement of comments to the right of
code. The situation of interest is where such a comment has to be
moved to the right of its default placement at column 33 because there's
code there. BSD indent has always moved right in units of tab stops
in such cases --- but in the previous incarnation, indent was working
in 8-space tab stops, while now it knows we use 4-space tabs. So the
net result is that in about half the cases, such comments are placed
one tab stop left of before. This is better all around: it leaves
more room on the line for comment text, and it means that in such
cases the comment uniformly starts at the next 4-space tab stop after
the code, rather than sometimes one and sometimes two tabs after.
Also, ensure that comments following #endif are indented the same
as comments following other preprocessor commands such as #else.
That inconsistency turns out to have been self-inflicted damage
from a poorly-thought-through post-indent "fixup" in pgindent.
This patch is much less interesting than the first round of indent
changes, but also bulkier, so I thought it best to separate the effects.
Discussion: https://postgr.es/m/E1dAmxK-0006EE-1r@gemulon.postgresql.org
Discussion: https://postgr.es/m/30527.1495162840@sss.pgh.pa.us
2017-06-21 21:18:54 +02:00
|
|
|
pgsocket sock_fd = PGINVALID_SOCKET; /* for talking to Ident server */
|
2012-05-13 06:30:32 +02:00
|
|
|
int rc; /* Return code from a locally called function */
|
2008-08-01 11:09:49 +02:00
|
|
|
bool ident_return;
|
|
|
|
|
char remote_addr_s[NI_MAXHOST];
|
|
|
|
|
char remote_port[NI_MAXSERV];
|
|
|
|
|
char local_addr_s[NI_MAXHOST];
|
|
|
|
|
char local_port[NI_MAXSERV];
|
|
|
|
|
char ident_port[NI_MAXSERV];
|
|
|
|
|
char ident_query[80];
|
|
|
|
|
char ident_response[80 + IDENT_USERNAME_MAX];
|
|
|
|
|
struct addrinfo *ident_serv = NULL,
|
|
|
|
|
*la = NULL,
|
|
|
|
|
hints;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Might look a little weird to first convert it to text and then back to
|
|
|
|
|
* sockaddr, but it's protocol independent.
|
|
|
|
|
*/
|
|
|
|
|
pg_getnameinfo_all(&remote_addr.addr, remote_addr.salen,
|
|
|
|
|
remote_addr_s, sizeof(remote_addr_s),
|
|
|
|
|
remote_port, sizeof(remote_port),
|
|
|
|
|
NI_NUMERICHOST | NI_NUMERICSERV);
|
|
|
|
|
pg_getnameinfo_all(&local_addr.addr, local_addr.salen,
|
|
|
|
|
local_addr_s, sizeof(local_addr_s),
|
|
|
|
|
local_port, sizeof(local_port),
|
|
|
|
|
NI_NUMERICHOST | NI_NUMERICSERV);
|
|
|
|
|
|
|
|
|
|
snprintf(ident_port, sizeof(ident_port), "%d", IDENT_PORT);
|
|
|
|
|
hints.ai_flags = AI_NUMERICHOST;
|
|
|
|
|
hints.ai_family = remote_addr.addr.ss_family;
|
|
|
|
|
hints.ai_socktype = SOCK_STREAM;
|
|
|
|
|
hints.ai_protocol = 0;
|
|
|
|
|
hints.ai_addrlen = 0;
|
|
|
|
|
hints.ai_canonname = NULL;
|
|
|
|
|
hints.ai_addr = NULL;
|
|
|
|
|
hints.ai_next = NULL;
|
|
|
|
|
rc = pg_getaddrinfo_all(remote_addr_s, ident_port, &hints, &ident_serv);
|
|
|
|
|
if (rc || !ident_serv)
|
|
|
|
|
{
|
2015-02-12 01:09:54 +01:00
|
|
|
/* we don't expect this to happen */
|
|
|
|
|
ident_return = false;
|
|
|
|
|
goto ident_inet_done;
|
2008-08-01 11:09:49 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
hints.ai_flags = AI_NUMERICHOST;
|
|
|
|
|
hints.ai_family = local_addr.addr.ss_family;
|
|
|
|
|
hints.ai_socktype = SOCK_STREAM;
|
|
|
|
|
hints.ai_protocol = 0;
|
|
|
|
|
hints.ai_addrlen = 0;
|
|
|
|
|
hints.ai_canonname = NULL;
|
|
|
|
|
hints.ai_addr = NULL;
|
|
|
|
|
hints.ai_next = NULL;
|
|
|
|
|
rc = pg_getaddrinfo_all(local_addr_s, NULL, &hints, &la);
|
|
|
|
|
if (rc || !la)
|
|
|
|
|
{
|
2015-02-12 01:09:54 +01:00
|
|
|
/* we don't expect this to happen */
|
|
|
|
|
ident_return = false;
|
|
|
|
|
goto ident_inet_done;
|
2008-08-01 11:09:49 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
sock_fd = socket(ident_serv->ai_family, ident_serv->ai_socktype,
|
|
|
|
|
ident_serv->ai_protocol);
|
2014-04-16 16:45:48 +02:00
|
|
|
if (sock_fd == PGINVALID_SOCKET)
|
2008-08-01 11:09:49 +02:00
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
|
|
|
|
(errcode_for_socket_access(),
|
|
|
|
|
errmsg("could not create socket for Ident connection: %m")));
|
|
|
|
|
ident_return = false;
|
|
|
|
|
goto ident_inet_done;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Bind to the address which the client originally contacted, otherwise
|
|
|
|
|
* the ident server won't be able to match up the right connection. This
|
|
|
|
|
* is necessary if the PostgreSQL server is running on an IP alias.
|
|
|
|
|
*/
|
|
|
|
|
rc = bind(sock_fd, la->ai_addr, la->ai_addrlen);
|
|
|
|
|
if (rc != 0)
|
|
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
|
|
|
|
(errcode_for_socket_access(),
|
|
|
|
|
errmsg("could not bind to local address \"%s\": %m",
|
|
|
|
|
local_addr_s)));
|
|
|
|
|
ident_return = false;
|
|
|
|
|
goto ident_inet_done;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
rc = connect(sock_fd, ident_serv->ai_addr,
|
|
|
|
|
ident_serv->ai_addrlen);
|
|
|
|
|
if (rc != 0)
|
|
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
|
|
|
|
(errcode_for_socket_access(),
|
|
|
|
|
errmsg("could not connect to Ident server at address \"%s\", port %s: %m",
|
|
|
|
|
remote_addr_s, ident_port)));
|
|
|
|
|
ident_return = false;
|
|
|
|
|
goto ident_inet_done;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* The query we send to the Ident server */
|
|
|
|
|
snprintf(ident_query, sizeof(ident_query), "%s,%s\r\n",
|
|
|
|
|
remote_port, local_port);
|
|
|
|
|
|
|
|
|
|
/* loop in case send is interrupted */
|
|
|
|
|
do
|
|
|
|
|
{
|
2015-02-03 22:54:48 +01:00
|
|
|
CHECK_FOR_INTERRUPTS();
|
|
|
|
|
|
2008-08-01 11:09:49 +02:00
|
|
|
rc = send(sock_fd, ident_query, strlen(ident_query), 0);
|
|
|
|
|
} while (rc < 0 && errno == EINTR);
|
|
|
|
|
|
|
|
|
|
if (rc < 0)
|
|
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
|
|
|
|
(errcode_for_socket_access(),
|
|
|
|
|
errmsg("could not send query to Ident server at address \"%s\", port %s: %m",
|
|
|
|
|
remote_addr_s, ident_port)));
|
|
|
|
|
ident_return = false;
|
|
|
|
|
goto ident_inet_done;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
do
|
|
|
|
|
{
|
2015-02-03 22:54:48 +01:00
|
|
|
CHECK_FOR_INTERRUPTS();
|
|
|
|
|
|
2008-08-01 11:09:49 +02:00
|
|
|
rc = recv(sock_fd, ident_response, sizeof(ident_response) - 1, 0);
|
|
|
|
|
} while (rc < 0 && errno == EINTR);
|
|
|
|
|
|
|
|
|
|
if (rc < 0)
|
|
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
|
|
|
|
(errcode_for_socket_access(),
|
|
|
|
|
errmsg("could not receive response from Ident server at address \"%s\", port %s: %m",
|
|
|
|
|
remote_addr_s, ident_port)));
|
|
|
|
|
ident_return = false;
|
|
|
|
|
goto ident_inet_done;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ident_response[rc] = '\0';
|
|
|
|
|
ident_return = interpret_ident_response(ident_response, ident_user);
|
|
|
|
|
if (!ident_return)
|
|
|
|
|
ereport(LOG,
|
Phase 3 of pgindent updates.
Don't move parenthesized lines to the left, even if that means they
flow past the right margin.
By default, BSD indent lines up statement continuation lines that are
within parentheses so that they start just to the right of the preceding
left parenthesis. However, traditionally, if that resulted in the
continuation line extending to the right of the desired right margin,
then indent would push it left just far enough to not overrun the margin,
if it could do so without making the continuation line start to the left of
the current statement indent. That makes for a weird mix of indentations
unless one has been completely rigid about never violating the 80-column
limit.
This behavior has been pretty universally panned by Postgres developers.
Hence, disable it with indent's new -lpl switch, so that parenthesized
lines are always lined up with the preceding left paren.
This patch is much less interesting than the first round of indent
changes, but also bulkier, so I thought it best to separate the effects.
Discussion: https://postgr.es/m/E1dAmxK-0006EE-1r@gemulon.postgresql.org
Discussion: https://postgr.es/m/30527.1495162840@sss.pgh.pa.us
2017-06-21 21:35:54 +02:00
|
|
|
(errmsg("invalidly formatted response from Ident server: \"%s\"",
|
|
|
|
|
ident_response)));
|
2008-08-01 11:09:49 +02:00
|
|
|
|
|
|
|
|
ident_inet_done:
|
2014-04-16 16:45:48 +02:00
|
|
|
if (sock_fd != PGINVALID_SOCKET)
|
2008-08-01 11:09:49 +02:00
|
|
|
closesocket(sock_fd);
|
2015-02-12 01:09:54 +01:00
|
|
|
if (ident_serv)
|
|
|
|
|
pg_freeaddrinfo_all(remote_addr.addr.ss_family, ident_serv);
|
|
|
|
|
if (la)
|
|
|
|
|
pg_freeaddrinfo_all(local_addr.addr.ss_family, la);
|
2011-03-19 18:44:35 +01:00
|
|
|
|
|
|
|
|
if (ident_return)
|
|
|
|
|
/* Success! Check the usermap */
|
|
|
|
|
return check_usermap(port->hba->usermap, port->user_name, ident_user, false);
|
|
|
|
|
return STATUS_ERROR;
|
2008-08-01 11:09:49 +02:00
|
|
|
}
|
|
|
|
|
|
2019-10-30 09:13:39 +01:00
|
|
|
|
|
|
|
|
/*----------------------------------------------------------------
|
|
|
|
|
* Peer authentication system
|
|
|
|
|
*----------------------------------------------------------------
|
|
|
|
|
*/
|
|
|
|
|
|
2008-08-01 11:09:49 +02:00
|
|
|
/*
|
Replace use of credential control messages with getsockopt(LOCAL_PEERCRED).
It turns out the reason we hadn't found out about the portability issues
with our credential-control-message code is that almost no modern platforms
use that code at all; the ones that used to need it now offer getpeereid(),
which we choose first. The last holdout was NetBSD, and they added
getpeereid() as of 5.0. So far as I can tell, the only live platform on
which that code was being exercised was Debian/kFreeBSD, ie, FreeBSD kernel
with Linux userland --- since glibc doesn't provide getpeereid(), we fell
back to the control message code. However, the FreeBSD kernel provides a
LOCAL_PEERCRED socket parameter that's functionally equivalent to Linux's
SO_PEERCRED. That is both much simpler to use than control messages, and
superior because it doesn't require receiving a message from the other end
at just the right time.
Therefore, add code to use LOCAL_PEERCRED when necessary, and rip out all
the credential-control-message code in the backend. (libpq still has such
code so that it can still talk to pre-9.1 servers ... but eventually we can
get rid of it there too.) Clean up related autoconf probes, too.
This means that libpq's requirepeer parameter now works on exactly the same
platforms where the backend supports peer authentication, so adjust the
documentation accordingly.
2011-05-31 22:10:46 +02:00
|
|
|
* Ask kernel about the credentials of the connecting process,
|
|
|
|
|
* determine the symbolic name of the corresponding user, and check
|
|
|
|
|
* if valid per the usermap.
|
2008-08-01 11:09:49 +02:00
|
|
|
*
|
Replace use of credential control messages with getsockopt(LOCAL_PEERCRED).
It turns out the reason we hadn't found out about the portability issues
with our credential-control-message code is that almost no modern platforms
use that code at all; the ones that used to need it now offer getpeereid(),
which we choose first. The last holdout was NetBSD, and they added
getpeereid() as of 5.0. So far as I can tell, the only live platform on
which that code was being exercised was Debian/kFreeBSD, ie, FreeBSD kernel
with Linux userland --- since glibc doesn't provide getpeereid(), we fell
back to the control message code. However, the FreeBSD kernel provides a
LOCAL_PEERCRED socket parameter that's functionally equivalent to Linux's
SO_PEERCRED. That is both much simpler to use than control messages, and
superior because it doesn't require receiving a message from the other end
at just the right time.
Therefore, add code to use LOCAL_PEERCRED when necessary, and rip out all
the credential-control-message code in the backend. (libpq still has such
code so that it can still talk to pre-9.1 servers ... but eventually we can
get rid of it there too.) Clean up related autoconf probes, too.
This means that libpq's requirepeer parameter now works on exactly the same
platforms where the backend supports peer authentication, so adjust the
documentation accordingly.
2011-05-31 22:10:46 +02:00
|
|
|
* Iff authorized, return STATUS_OK, otherwise return STATUS_ERROR.
|
2008-08-01 11:09:49 +02:00
|
|
|
*/
|
2011-03-19 18:44:35 +01:00
|
|
|
static int
|
|
|
|
|
auth_peer(hbaPort *port)
|
2008-08-01 11:09:49 +02:00
|
|
|
{
|
2011-06-02 19:05:01 +02:00
|
|
|
uid_t uid;
|
2008-08-01 11:09:49 +02:00
|
|
|
gid_t gid;
|
2019-10-30 12:58:32 +01:00
|
|
|
#ifndef WIN32
|
2014-03-28 17:50:11 +01:00
|
|
|
struct passwd *pw;
|
2019-10-30 11:01:44 +01:00
|
|
|
char *peer_user;
|
|
|
|
|
int ret;
|
2019-10-30 12:58:32 +01:00
|
|
|
#endif
|
2008-08-01 11:09:49 +02:00
|
|
|
|
2011-03-20 18:34:31 +01:00
|
|
|
if (getpeereid(port->sock, &uid, &gid) != 0)
|
2008-08-01 11:09:49 +02:00
|
|
|
{
|
2011-06-02 19:05:01 +02:00
|
|
|
/* Provide special error message if getpeereid is a stub */
|
|
|
|
|
if (errno == ENOSYS)
|
|
|
|
|
ereport(LOG,
|
|
|
|
|
(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
|
Phase 3 of pgindent updates.
Don't move parenthesized lines to the left, even if that means they
flow past the right margin.
By default, BSD indent lines up statement continuation lines that are
within parentheses so that they start just to the right of the preceding
left parenthesis. However, traditionally, if that resulted in the
continuation line extending to the right of the desired right margin,
then indent would push it left just far enough to not overrun the margin,
if it could do so without making the continuation line start to the left of
the current statement indent. That makes for a weird mix of indentations
unless one has been completely rigid about never violating the 80-column
limit.
This behavior has been pretty universally panned by Postgres developers.
Hence, disable it with indent's new -lpl switch, so that parenthesized
lines are always lined up with the preceding left paren.
This patch is much less interesting than the first round of indent
changes, but also bulkier, so I thought it best to separate the effects.
Discussion: https://postgr.es/m/E1dAmxK-0006EE-1r@gemulon.postgresql.org
Discussion: https://postgr.es/m/30527.1495162840@sss.pgh.pa.us
2017-06-21 21:35:54 +02:00
|
|
|
errmsg("peer authentication is not supported on this platform")));
|
2011-06-02 19:05:01 +02:00
|
|
|
else
|
|
|
|
|
ereport(LOG,
|
|
|
|
|
(errcode_for_socket_access(),
|
|
|
|
|
errmsg("could not get peer credentials: %m")));
|
2011-03-19 18:44:35 +01:00
|
|
|
return STATUS_ERROR;
|
2008-11-18 14:10:20 +01:00
|
|
|
}
|
|
|
|
|
|
2019-10-30 12:58:32 +01:00
|
|
|
#ifndef WIN32
|
2014-03-28 17:50:11 +01:00
|
|
|
errno = 0; /* clear errno before call */
|
|
|
|
|
pw = getpwuid(uid);
|
|
|
|
|
if (!pw)
|
2008-11-18 14:10:20 +01:00
|
|
|
{
|
2018-05-21 06:32:28 +02:00
|
|
|
int save_errno = errno;
|
|
|
|
|
|
2014-03-28 15:30:37 +01:00
|
|
|
ereport(LOG,
|
2014-12-17 19:14:53 +01:00
|
|
|
(errmsg("could not look up local user ID %ld: %s",
|
|
|
|
|
(long) uid,
|
2018-05-21 06:32:28 +02:00
|
|
|
save_errno ? strerror(save_errno) : _("user does not exist"))));
|
2011-03-19 18:44:35 +01:00
|
|
|
return STATUS_ERROR;
|
2008-11-18 14:10:20 +01:00
|
|
|
}
|
|
|
|
|
|
2019-10-30 11:01:44 +01:00
|
|
|
/* Make a copy of static getpw*() result area. */
|
|
|
|
|
peer_user = pstrdup(pw->pw_name);
|
|
|
|
|
|
|
|
|
|
ret = check_usermap(port->hba->usermap, port->user_name, peer_user, false);
|
2008-08-01 11:09:49 +02:00
|
|
|
|
2019-10-30 11:01:44 +01:00
|
|
|
pfree(peer_user);
|
|
|
|
|
|
|
|
|
|
return ret;
|
2019-10-30 12:58:32 +01:00
|
|
|
#else
|
|
|
|
|
/* should have failed with ENOSYS above */
|
|
|
|
|
Assert(false);
|
|
|
|
|
return STATUS_ERROR;
|
|
|
|
|
#endif
|
2008-08-01 11:09:49 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/*----------------------------------------------------------------
|
|
|
|
|
* PAM authentication system
|
|
|
|
|
*----------------------------------------------------------------
|
|
|
|
|
*/
|
2001-09-06 05:23:38 +02:00
|
|
|
#ifdef USE_PAM
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* PAM conversation function
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
static int
|
2017-06-21 20:39:04 +02:00
|
|
|
pam_passwd_conv_proc(int num_msg, const struct pam_message **msg,
|
|
|
|
|
struct pam_response **resp, void *appdata_ptr)
|
2001-09-06 05:23:38 +02:00
|
|
|
{
|
2017-10-31 15:34:31 +01:00
|
|
|
const char *passwd;
|
2009-10-17 00:08:36 +02:00
|
|
|
struct pam_response *reply;
|
|
|
|
|
int i;
|
2001-09-06 05:23:38 +02:00
|
|
|
|
2009-10-17 00:08:36 +02:00
|
|
|
if (appdata_ptr)
|
|
|
|
|
passwd = (char *) appdata_ptr;
|
|
|
|
|
else
|
2001-10-25 07:50:21 +02:00
|
|
|
{
|
|
|
|
|
/*
|
2005-10-15 04:49:52 +02:00
|
|
|
* Workaround for Solaris 2.6 where the PAM library is broken and does
|
|
|
|
|
* not pass appdata_ptr to the conversation routine
|
2001-09-06 05:23:38 +02:00
|
|
|
*/
|
2009-10-17 00:08:36 +02:00
|
|
|
passwd = pam_passwd;
|
2001-09-06 05:23:38 +02:00
|
|
|
}
|
|
|
|
|
|
2009-10-17 00:08:36 +02:00
|
|
|
*resp = NULL; /* in case of error exit */
|
2002-04-04 06:25:54 +02:00
|
|
|
|
2009-10-17 00:08:36 +02:00
|
|
|
if (num_msg <= 0 || num_msg > PAM_MAX_NUM_MSG)
|
|
|
|
|
return PAM_CONV_ERR;
|
2001-09-06 05:23:38 +02:00
|
|
|
|
2001-10-25 07:50:21 +02:00
|
|
|
/*
|
|
|
|
|
* Explicitly not using palloc here - PAM will free this memory in
|
2001-09-06 05:23:38 +02:00
|
|
|
* pam_end()
|
|
|
|
|
*/
|
2009-10-17 00:08:36 +02:00
|
|
|
if ((reply = calloc(num_msg, sizeof(struct pam_response))) == NULL)
|
2001-10-25 07:50:21 +02:00
|
|
|
{
|
2003-07-22 21:00:12 +02:00
|
|
|
ereport(LOG,
|
|
|
|
|
(errcode(ERRCODE_OUT_OF_MEMORY),
|
|
|
|
|
errmsg("out of memory")));
|
2001-10-25 07:50:21 +02:00
|
|
|
return PAM_CONV_ERR;
|
2001-09-06 05:23:38 +02:00
|
|
|
}
|
|
|
|
|
|
2009-10-17 00:08:36 +02:00
|
|
|
for (i = 0; i < num_msg; i++)
|
|
|
|
|
{
|
|
|
|
|
switch (msg[i]->msg_style)
|
|
|
|
|
{
|
|
|
|
|
case PAM_PROMPT_ECHO_OFF:
|
|
|
|
|
if (strlen(passwd) == 0)
|
|
|
|
|
{
|
|
|
|
|
/*
|
|
|
|
|
* Password wasn't passed to PAM the first time around -
|
|
|
|
|
* let's go ask the client to send a password, which we
|
|
|
|
|
* then stuff into PAM.
|
|
|
|
|
*/
|
2016-08-18 12:25:31 +02:00
|
|
|
sendAuthRequest(pam_port_cludge, AUTH_REQ_PASSWORD, NULL, 0);
|
2009-10-17 00:08:36 +02:00
|
|
|
passwd = recv_password_packet(pam_port_cludge);
|
|
|
|
|
if (passwd == NULL)
|
|
|
|
|
{
|
|
|
|
|
/*
|
|
|
|
|
* Client didn't want to send password. We
|
2019-11-05 20:27:37 +01:00
|
|
|
* intentionally do not log anything about this,
|
|
|
|
|
* either here or at higher levels.
|
2009-10-17 00:08:36 +02:00
|
|
|
*/
|
2019-11-05 20:27:37 +01:00
|
|
|
pam_no_password = true;
|
2009-10-17 00:08:36 +02:00
|
|
|
goto fail;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if ((reply[i].resp = strdup(passwd)) == NULL)
|
|
|
|
|
goto fail;
|
|
|
|
|
reply[i].resp_retcode = PAM_SUCCESS;
|
|
|
|
|
break;
|
|
|
|
|
case PAM_ERROR_MSG:
|
|
|
|
|
ereport(LOG,
|
|
|
|
|
(errmsg("error from underlying PAM layer: %s",
|
|
|
|
|
msg[i]->msg)));
|
|
|
|
|
/* FALL THROUGH */
|
|
|
|
|
case PAM_TEXT_INFO:
|
|
|
|
|
/* we don't bother to log TEXT_INFO messages */
|
|
|
|
|
if ((reply[i].resp = strdup("")) == NULL)
|
|
|
|
|
goto fail;
|
|
|
|
|
reply[i].resp_retcode = PAM_SUCCESS;
|
|
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
elog(LOG, "unsupported PAM conversation %d/\"%s\"",
|
|
|
|
|
msg[i]->msg_style,
|
|
|
|
|
msg[i]->msg ? msg[i]->msg : "(none)");
|
|
|
|
|
goto fail;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
*resp = reply;
|
|
|
|
|
return PAM_SUCCESS;
|
|
|
|
|
|
|
|
|
|
fail:
|
|
|
|
|
/* free up whatever we allocated */
|
|
|
|
|
for (i = 0; i < num_msg; i++)
|
|
|
|
|
{
|
|
|
|
|
if (reply[i].resp != NULL)
|
|
|
|
|
free(reply[i].resp);
|
|
|
|
|
}
|
|
|
|
|
free(reply);
|
2001-09-06 05:23:38 +02:00
|
|
|
|
2009-10-17 00:08:36 +02:00
|
|
|
return PAM_CONV_ERR;
|
2001-09-06 05:23:38 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Check authentication against PAM.
|
|
|
|
|
*/
|
|
|
|
|
static int
|
2017-10-31 15:34:31 +01:00
|
|
|
CheckPAMAuth(Port *port, const char *user, const char *password)
|
2001-09-06 05:23:38 +02:00
|
|
|
{
|
2001-10-25 07:50:21 +02:00
|
|
|
int retval;
|
2001-09-06 05:23:38 +02:00
|
|
|
pam_handle_t *pamh = NULL;
|
|
|
|
|
|
|
|
|
|
/*
|
2009-10-17 00:08:36 +02:00
|
|
|
* We can't entirely rely on PAM to pass through appdata --- it appears
|
|
|
|
|
* not to work on at least Solaris 2.6. So use these ugly static
|
|
|
|
|
* variables instead.
|
2001-09-06 05:23:38 +02:00
|
|
|
*/
|
|
|
|
|
pam_passwd = password;
|
2009-10-17 00:08:36 +02:00
|
|
|
pam_port_cludge = port;
|
2019-11-05 20:27:37 +01:00
|
|
|
pam_no_password = false;
|
2001-09-06 05:23:38 +02:00
|
|
|
|
2001-10-25 07:50:21 +02:00
|
|
|
/*
|
2013-08-16 15:25:52 +02:00
|
|
|
* Set the application data portion of the conversation struct. This is
|
2001-10-25 07:50:21 +02:00
|
|
|
* later used inside the PAM conversation to pass the password to the
|
|
|
|
|
* authentication module.
|
2001-09-06 05:23:38 +02:00
|
|
|
*/
|
2019-05-22 18:55:34 +02:00
|
|
|
pam_passw_conv.appdata_ptr = unconstify(char *, password); /* from password above,
|
|
|
|
|
* not allocated */
|
2001-09-06 05:23:38 +02:00
|
|
|
|
|
|
|
|
/* Optionally, one can set the service name in pg_hba.conf */
|
2008-10-23 15:31:10 +02:00
|
|
|
if (port->hba->pamservice && port->hba->pamservice[0] != '\0')
|
|
|
|
|
retval = pam_start(port->hba->pamservice, "pgsql@",
|
2003-04-18 00:26:02 +02:00
|
|
|
&pam_passw_conv, &pamh);
|
2001-10-25 07:50:21 +02:00
|
|
|
else
|
2003-04-18 00:26:02 +02:00
|
|
|
retval = pam_start(PGSQL_PAM_SERVICE, "pgsql@",
|
|
|
|
|
&pam_passw_conv, &pamh);
|
2001-09-06 05:23:38 +02:00
|
|
|
|
2001-10-25 07:50:21 +02:00
|
|
|
if (retval != PAM_SUCCESS)
|
|
|
|
|
{
|
2003-07-22 21:00:12 +02:00
|
|
|
ereport(LOG,
|
2003-09-25 08:58:07 +02:00
|
|
|
(errmsg("could not create PAM authenticator: %s",
|
2003-07-22 21:00:12 +02:00
|
|
|
pam_strerror(pamh, retval))));
|
2001-10-25 07:50:21 +02:00
|
|
|
pam_passwd = NULL; /* Unset pam_passwd */
|
2001-09-06 05:23:38 +02:00
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
|
2002-02-25 21:07:02 +01:00
|
|
|
retval = pam_set_item(pamh, PAM_USER, user);
|
|
|
|
|
|
|
|
|
|
if (retval != PAM_SUCCESS)
|
2001-10-25 07:50:21 +02:00
|
|
|
{
|
2003-07-22 21:00:12 +02:00
|
|
|
ereport(LOG,
|
|
|
|
|
(errmsg("pam_set_item(PAM_USER) failed: %s",
|
|
|
|
|
pam_strerror(pamh, retval))));
|
2001-10-25 07:50:21 +02:00
|
|
|
pam_passwd = NULL; /* Unset pam_passwd */
|
2001-09-06 05:23:38 +02:00
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
2002-02-25 21:07:02 +01:00
|
|
|
|
2018-11-28 02:00:57 +01:00
|
|
|
if (port->hba->conntype != ctLocal)
|
2016-04-08 16:45:16 +02:00
|
|
|
{
|
2018-11-28 02:00:57 +01:00
|
|
|
char hostinfo[NI_MAXHOST];
|
|
|
|
|
int flags;
|
|
|
|
|
|
|
|
|
|
if (port->hba->pam_use_hostname)
|
|
|
|
|
flags = 0;
|
|
|
|
|
else
|
|
|
|
|
flags = NI_NUMERICHOST | NI_NUMERICSERV;
|
|
|
|
|
|
|
|
|
|
retval = pg_getnameinfo_all(&port->raddr.addr, port->raddr.salen,
|
|
|
|
|
hostinfo, sizeof(hostinfo), NULL, 0,
|
|
|
|
|
flags);
|
|
|
|
|
if (retval != 0)
|
|
|
|
|
{
|
|
|
|
|
ereport(WARNING,
|
|
|
|
|
(errmsg_internal("pg_getnameinfo_all() failed: %s",
|
|
|
|
|
gai_strerror(retval))));
|
|
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
retval = pam_set_item(pamh, PAM_RHOST, hostinfo);
|
|
|
|
|
|
|
|
|
|
if (retval != PAM_SUCCESS)
|
|
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
|
|
|
|
(errmsg("pam_set_item(PAM_RHOST) failed: %s",
|
|
|
|
|
pam_strerror(pamh, retval))));
|
|
|
|
|
pam_passwd = NULL;
|
|
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
2016-04-08 16:45:16 +02:00
|
|
|
}
|
|
|
|
|
|
2002-02-25 21:07:02 +01:00
|
|
|
retval = pam_set_item(pamh, PAM_CONV, &pam_passw_conv);
|
|
|
|
|
|
|
|
|
|
if (retval != PAM_SUCCESS)
|
2001-10-25 07:50:21 +02:00
|
|
|
{
|
2003-07-22 21:00:12 +02:00
|
|
|
ereport(LOG,
|
|
|
|
|
(errmsg("pam_set_item(PAM_CONV) failed: %s",
|
|
|
|
|
pam_strerror(pamh, retval))));
|
2001-10-25 07:50:21 +02:00
|
|
|
pam_passwd = NULL; /* Unset pam_passwd */
|
2001-09-06 05:23:38 +02:00
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
2002-02-25 21:07:02 +01:00
|
|
|
|
|
|
|
|
retval = pam_authenticate(pamh, 0);
|
|
|
|
|
|
|
|
|
|
if (retval != PAM_SUCCESS)
|
2001-10-25 07:50:21 +02:00
|
|
|
{
|
2019-11-05 20:27:37 +01:00
|
|
|
/* If pam_passwd_conv_proc saw EOF, don't log anything */
|
|
|
|
|
if (!pam_no_password)
|
|
|
|
|
ereport(LOG,
|
|
|
|
|
(errmsg("pam_authenticate failed: %s",
|
|
|
|
|
pam_strerror(pamh, retval))));
|
2001-10-25 07:50:21 +02:00
|
|
|
pam_passwd = NULL; /* Unset pam_passwd */
|
2019-11-05 20:27:37 +01:00
|
|
|
return pam_no_password ? STATUS_EOF : STATUS_ERROR;
|
2001-09-06 05:23:38 +02:00
|
|
|
}
|
2002-02-25 21:07:02 +01:00
|
|
|
|
|
|
|
|
retval = pam_acct_mgmt(pamh, 0);
|
|
|
|
|
|
|
|
|
|
if (retval != PAM_SUCCESS)
|
2001-10-25 07:50:21 +02:00
|
|
|
{
|
2019-11-05 20:27:37 +01:00
|
|
|
/* If pam_passwd_conv_proc saw EOF, don't log anything */
|
|
|
|
|
if (!pam_no_password)
|
|
|
|
|
ereport(LOG,
|
|
|
|
|
(errmsg("pam_acct_mgmt failed: %s",
|
|
|
|
|
pam_strerror(pamh, retval))));
|
2001-10-25 07:50:21 +02:00
|
|
|
pam_passwd = NULL; /* Unset pam_passwd */
|
2019-11-05 20:27:37 +01:00
|
|
|
return pam_no_password ? STATUS_EOF : STATUS_ERROR;
|
2001-09-06 05:23:38 +02:00
|
|
|
}
|
|
|
|
|
|
2002-02-25 21:07:02 +01:00
|
|
|
retval = pam_end(pamh, retval);
|
2001-09-06 05:23:38 +02:00
|
|
|
|
2002-02-25 21:07:02 +01:00
|
|
|
if (retval != PAM_SUCCESS)
|
|
|
|
|
{
|
2003-07-22 21:00:12 +02:00
|
|
|
ereport(LOG,
|
2003-09-25 08:58:07 +02:00
|
|
|
(errmsg("could not release PAM authenticator: %s",
|
2003-07-22 21:00:12 +02:00
|
|
|
pam_strerror(pamh, retval))));
|
2001-09-06 05:23:38 +02:00
|
|
|
}
|
2002-02-25 21:07:02 +01:00
|
|
|
|
2002-09-04 22:31:48 +02:00
|
|
|
pam_passwd = NULL; /* Unset pam_passwd */
|
2002-02-25 21:07:02 +01:00
|
|
|
|
|
|
|
|
return (retval == PAM_SUCCESS ? STATUS_OK : STATUS_ERROR);
|
2001-09-06 05:23:38 +02:00
|
|
|
}
|
Phase 2 of pgindent updates.
Change pg_bsd_indent to follow upstream rules for placement of comments
to the right of code, and remove pgindent hack that caused comments
following #endif to not obey the general rule.
Commit e3860ffa4dd0dad0dd9eea4be9cc1412373a8c89 wasn't actually using
the published version of pg_bsd_indent, but a hacked-up version that
tried to minimize the amount of movement of comments to the right of
code. The situation of interest is where such a comment has to be
moved to the right of its default placement at column 33 because there's
code there. BSD indent has always moved right in units of tab stops
in such cases --- but in the previous incarnation, indent was working
in 8-space tab stops, while now it knows we use 4-space tabs. So the
net result is that in about half the cases, such comments are placed
one tab stop left of before. This is better all around: it leaves
more room on the line for comment text, and it means that in such
cases the comment uniformly starts at the next 4-space tab stop after
the code, rather than sometimes one and sometimes two tabs after.
Also, ensure that comments following #endif are indented the same
as comments following other preprocessor commands such as #else.
That inconsistency turns out to have been self-inflicted damage
from a poorly-thought-through post-indent "fixup" in pgindent.
This patch is much less interesting than the first round of indent
changes, but also bulkier, so I thought it best to separate the effects.
Discussion: https://postgr.es/m/E1dAmxK-0006EE-1r@gemulon.postgresql.org
Discussion: https://postgr.es/m/30527.1495162840@sss.pgh.pa.us
2017-06-21 21:18:54 +02:00
|
|
|
#endif /* USE_PAM */
|
1998-01-26 02:42:53 +01:00
|
|
|
|
2001-10-19 00:44:37 +02:00
|
|
|
|
2016-04-08 19:51:54 +02:00
|
|
|
/*----------------------------------------------------------------
|
|
|
|
|
* BSD authentication system
|
|
|
|
|
*----------------------------------------------------------------
|
|
|
|
|
*/
|
|
|
|
|
#ifdef USE_BSD_AUTH
|
|
|
|
|
static int
|
|
|
|
|
CheckBSDAuth(Port *port, char *user)
|
|
|
|
|
{
|
2016-06-10 00:02:36 +02:00
|
|
|
char *passwd;
|
|
|
|
|
int retval;
|
2016-04-08 19:51:54 +02:00
|
|
|
|
|
|
|
|
/* Send regular password request to client, and get the response */
|
2017-05-19 11:21:55 +02:00
|
|
|
sendAuthRequest(port, AUTH_REQ_PASSWORD, NULL, 0);
|
2016-04-08 19:51:54 +02:00
|
|
|
|
|
|
|
|
passwd = recv_password_packet(port);
|
|
|
|
|
if (passwd == NULL)
|
|
|
|
|
return STATUS_EOF;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Ask the BSD auth system to verify password. Note that auth_userokay
|
|
|
|
|
* will overwrite the password string with zeroes, but it's just a
|
|
|
|
|
* temporary string so we don't care.
|
|
|
|
|
*/
|
|
|
|
|
retval = auth_userokay(user, NULL, "auth-postgresql", passwd);
|
|
|
|
|
|
Don't allow logging in with empty password.
Some authentication methods allowed it, others did not. In the client-side,
libpq does not even try to authenticate with an empty password, which makes
using empty passwords hazardous: an administrator might think that an
account with an empty password cannot be used to log in, because psql
doesn't allow it, and not realize that a different client would in fact
allow it. To clear that confusion and to be be consistent, disallow empty
passwords in all authentication methods.
All the authentication methods that used plaintext authentication over the
wire, except for BSD authentication, already checked that the password
received from the user was not empty. To avoid forgetting it in the future
again, move the check to the recv_password_packet function. That only
forbids using an empty password with plaintext authentication, however.
MD5 and SCRAM need a different fix:
* In stable branches, check that the MD5 hash stored for the user does not
not correspond to an empty string. This adds some overhead to MD5
authentication, because the server needs to compute an extra MD5 hash, but
it is not noticeable in practice.
* In HEAD, modify CREATE and ALTER ROLE to clear the password if an empty
string, or a password hash that corresponds to an empty string, is
specified. The user-visible behavior is the same as in the stable branches,
the user cannot log in, but it seems better to stop the empty password from
entering the system in the first place. Secondly, it is fairly expensive to
check that a SCRAM hash doesn't correspond to an empty string, because
computing a SCRAM hash is much more expensive than an MD5 hash by design,
so better avoid doing that on every authentication.
We could clear the password on CREATE/ALTER ROLE also in stable branches,
but we would still need to check at authentication time, because even if we
prevent empty passwords from being stored in pg_authid, there might be
existing ones there already.
Reported by Jeroen van der Ham, Ben de Graaff and Jelte Fennema.
Security: CVE-2017-7546
2017-08-07 16:03:42 +02:00
|
|
|
pfree(passwd);
|
|
|
|
|
|
2016-04-08 19:51:54 +02:00
|
|
|
if (!retval)
|
|
|
|
|
return STATUS_ERROR;
|
|
|
|
|
|
|
|
|
|
return STATUS_OK;
|
|
|
|
|
}
|
Phase 2 of pgindent updates.
Change pg_bsd_indent to follow upstream rules for placement of comments
to the right of code, and remove pgindent hack that caused comments
following #endif to not obey the general rule.
Commit e3860ffa4dd0dad0dd9eea4be9cc1412373a8c89 wasn't actually using
the published version of pg_bsd_indent, but a hacked-up version that
tried to minimize the amount of movement of comments to the right of
code. The situation of interest is where such a comment has to be
moved to the right of its default placement at column 33 because there's
code there. BSD indent has always moved right in units of tab stops
in such cases --- but in the previous incarnation, indent was working
in 8-space tab stops, while now it knows we use 4-space tabs. So the
net result is that in about half the cases, such comments are placed
one tab stop left of before. This is better all around: it leaves
more room on the line for comment text, and it means that in such
cases the comment uniformly starts at the next 4-space tab stop after
the code, rather than sometimes one and sometimes two tabs after.
Also, ensure that comments following #endif are indented the same
as comments following other preprocessor commands such as #else.
That inconsistency turns out to have been self-inflicted damage
from a poorly-thought-through post-indent "fixup" in pgindent.
This patch is much less interesting than the first round of indent
changes, but also bulkier, so I thought it best to separate the effects.
Discussion: https://postgr.es/m/E1dAmxK-0006EE-1r@gemulon.postgresql.org
Discussion: https://postgr.es/m/30527.1495162840@sss.pgh.pa.us
2017-06-21 21:18:54 +02:00
|
|
|
#endif /* USE_BSD_AUTH */
|
2016-04-08 19:51:54 +02:00
|
|
|
|
2008-08-01 13:41:12 +02:00
|
|
|
|
|
|
|
|
/*----------------------------------------------------------------
|
|
|
|
|
* LDAP authentication system
|
|
|
|
|
*----------------------------------------------------------------
|
|
|
|
|
*/
|
2006-03-06 18:41:44 +01:00
|
|
|
#ifdef USE_LDAP
|
2006-03-16 19:11:17 +01:00
|
|
|
|
2017-11-29 15:24:24 +01:00
|
|
|
static int errdetail_for_ldap(LDAP *ldap);
|
2017-10-13 04:33:34 +02:00
|
|
|
|
2009-12-12 22:35:21 +01:00
|
|
|
/*
|
|
|
|
|
* Initialize a connection to the LDAP server, including setting up
|
|
|
|
|
* TLS if requested.
|
|
|
|
|
*/
|
2006-03-06 18:41:44 +01:00
|
|
|
static int
|
2009-12-12 22:35:21 +01:00
|
|
|
InitializeLDAPConnection(Port *port, LDAP **ldap)
|
2006-03-06 18:41:44 +01:00
|
|
|
{
|
2018-01-03 16:00:08 +01:00
|
|
|
const char *scheme;
|
2006-10-04 02:30:14 +02:00
|
|
|
int ldapversion = LDAP_VERSION3;
|
2009-12-12 22:35:21 +01:00
|
|
|
int r;
|
2009-06-25 13:30:08 +02:00
|
|
|
|
2018-01-03 16:00:08 +01:00
|
|
|
scheme = port->hba->ldapscheme;
|
|
|
|
|
if (scheme == NULL)
|
|
|
|
|
scheme = "ldap";
|
|
|
|
|
#ifdef WIN32
|
2018-01-04 16:34:41 +01:00
|
|
|
if (strcmp(scheme, "ldaps") == 0)
|
|
|
|
|
*ldap = ldap_sslinit(port->hba->ldapserver, port->hba->ldapport, 1);
|
|
|
|
|
else
|
|
|
|
|
*ldap = ldap_init(port->hba->ldapserver, port->hba->ldapport);
|
2009-12-12 22:35:21 +01:00
|
|
|
if (!*ldap)
|
2006-10-04 02:30:14 +02:00
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
|
|
|
|
(errmsg("could not initialize LDAP: error code %d",
|
|
|
|
|
(int) LdapGetLastError())));
|
2018-01-03 16:00:08 +01:00
|
|
|
|
2006-10-04 02:30:14 +02:00
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
2018-01-03 16:00:08 +01:00
|
|
|
#else
|
|
|
|
|
#ifdef HAVE_LDAP_INITIALIZE
|
2019-03-21 03:19:03 +01:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* OpenLDAP provides a non-standard extension ldap_initialize() that takes
|
|
|
|
|
* a list of URIs, allowing us to request "ldaps" instead of "ldap". It
|
|
|
|
|
* also provides ldap_domain2hostlist() to find LDAP servers automatically
|
|
|
|
|
* using DNS SRV. They were introduced in the same version, so for now we
|
|
|
|
|
* don't have an extra configure check for the latter.
|
|
|
|
|
*/
|
2018-01-03 16:00:08 +01:00
|
|
|
{
|
2019-03-21 03:19:03 +01:00
|
|
|
StringInfoData uris;
|
|
|
|
|
char *hostlist = NULL;
|
|
|
|
|
char *p;
|
|
|
|
|
bool append_port;
|
|
|
|
|
|
|
|
|
|
/* We'll build a space-separated scheme://hostname:port list here */
|
|
|
|
|
initStringInfo(&uris);
|
2018-01-03 16:00:08 +01:00
|
|
|
|
2018-11-13 05:39:36 +01:00
|
|
|
/*
|
2019-03-21 03:19:03 +01:00
|
|
|
* If pg_hba.conf provided no hostnames, we can ask OpenLDAP to try to
|
|
|
|
|
* find some by extracting a domain name from the base DN and looking
|
|
|
|
|
* up DSN SRV records for _ldap._tcp.<domain>.
|
2018-11-13 05:39:36 +01:00
|
|
|
*/
|
2019-03-21 03:19:03 +01:00
|
|
|
if (!port->hba->ldapserver || port->hba->ldapserver[0] == '\0')
|
|
|
|
|
{
|
|
|
|
|
char *domain;
|
|
|
|
|
|
|
|
|
|
/* ou=blah,dc=foo,dc=bar -> foo.bar */
|
|
|
|
|
if (ldap_dn2domain(port->hba->ldapbasedn, &domain))
|
|
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
|
|
|
|
(errmsg("could not extract domain name from ldapbasedn")));
|
|
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Look up a list of LDAP server hosts and port numbers */
|
|
|
|
|
if (ldap_domain2hostlist(domain, &hostlist))
|
|
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
|
|
|
|
(errmsg("LDAP authentication could not find DNS SRV records for \"%s\"",
|
|
|
|
|
domain),
|
|
|
|
|
(errhint("Set an LDAP server name explicitly."))));
|
|
|
|
|
ldap_memfree(domain);
|
|
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
ldap_memfree(domain);
|
|
|
|
|
|
|
|
|
|
/* We have a space-separated list of host:port entries */
|
|
|
|
|
p = hostlist;
|
|
|
|
|
append_port = false;
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
/* We have a space-separated list of hosts from pg_hba.conf */
|
|
|
|
|
p = port->hba->ldapserver;
|
|
|
|
|
append_port = true;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Convert the list of host[:port] entries to full URIs */
|
2018-11-13 05:39:36 +01:00
|
|
|
do
|
|
|
|
|
{
|
2019-03-21 03:19:03 +01:00
|
|
|
size_t size;
|
|
|
|
|
|
|
|
|
|
/* Find the span of the next entry */
|
|
|
|
|
size = strcspn(p, " ");
|
|
|
|
|
|
|
|
|
|
/* Append a space separator if this isn't the first URI */
|
|
|
|
|
if (uris.len > 0)
|
|
|
|
|
appendStringInfoChar(&uris, ' ');
|
|
|
|
|
|
|
|
|
|
/* Append scheme://host:port */
|
|
|
|
|
appendStringInfoString(&uris, scheme);
|
|
|
|
|
appendStringInfoString(&uris, "://");
|
|
|
|
|
appendBinaryStringInfo(&uris, p, size);
|
|
|
|
|
if (append_port)
|
|
|
|
|
appendStringInfo(&uris, ":%d", port->hba->ldapport);
|
|
|
|
|
|
|
|
|
|
/* Step over this entry and any number of trailing spaces */
|
|
|
|
|
p += size;
|
|
|
|
|
while (*p == ' ')
|
|
|
|
|
++p;
|
|
|
|
|
} while (*p);
|
|
|
|
|
|
|
|
|
|
/* Free memory from OpenLDAP if we looked up SRV records */
|
|
|
|
|
if (hostlist)
|
|
|
|
|
ldap_memfree(hostlist);
|
|
|
|
|
|
|
|
|
|
/* Finally, try to connect using the URI list */
|
|
|
|
|
r = ldap_initialize(ldap, uris.data);
|
|
|
|
|
pfree(uris.data);
|
2018-01-03 16:00:08 +01:00
|
|
|
if (r != LDAP_SUCCESS)
|
|
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
|
|
|
|
(errmsg("could not initialize LDAP: %s",
|
|
|
|
|
ldap_err2string(r))));
|
|
|
|
|
|
|
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
#else
|
|
|
|
|
if (strcmp(scheme, "ldaps") == 0)
|
|
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
|
|
|
|
(errmsg("ldaps not supported with this LDAP library")));
|
|
|
|
|
|
|
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
*ldap = ldap_init(port->hba->ldapserver, port->hba->ldapport);
|
|
|
|
|
if (!*ldap)
|
|
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
|
|
|
|
(errmsg("could not initialize LDAP: %m")));
|
|
|
|
|
|
|
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
#endif
|
2006-10-04 02:30:14 +02:00
|
|
|
|
2009-12-12 22:35:21 +01:00
|
|
|
if ((r = ldap_set_option(*ldap, LDAP_OPT_PROTOCOL_VERSION, &ldapversion)) != LDAP_SUCCESS)
|
2006-10-04 02:30:14 +02:00
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
2017-10-13 04:33:34 +02:00
|
|
|
(errmsg("could not set LDAP protocol version: %s",
|
|
|
|
|
ldap_err2string(r)),
|
|
|
|
|
errdetail_for_ldap(*ldap)));
|
2017-10-13 04:33:15 +02:00
|
|
|
ldap_unbind(*ldap);
|
2006-10-04 02:30:14 +02:00
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
|
2008-10-23 15:31:10 +02:00
|
|
|
if (port->hba->ldaptls)
|
2006-10-04 02:30:14 +02:00
|
|
|
{
|
2006-03-06 18:41:44 +01:00
|
|
|
#ifndef WIN32
|
2009-12-12 22:35:21 +01:00
|
|
|
if ((r = ldap_start_tls_s(*ldap, NULL, NULL)) != LDAP_SUCCESS)
|
2006-03-06 18:41:44 +01:00
|
|
|
#else
|
2006-08-22 04:23:45 +02:00
|
|
|
static __ldap_start_tls_sA _ldap_start_tls_sA = NULL;
|
|
|
|
|
|
2006-08-21 21:21:38 +02:00
|
|
|
if (_ldap_start_tls_sA == NULL)
|
|
|
|
|
{
|
|
|
|
|
/*
|
|
|
|
|
* Need to load this function dynamically because it does not
|
|
|
|
|
* exist on Windows 2000, and causes a load error for the whole
|
|
|
|
|
* exe if referenced.
|
|
|
|
|
*/
|
2006-10-04 02:30:14 +02:00
|
|
|
HANDLE ldaphandle;
|
|
|
|
|
|
2006-08-21 21:21:38 +02:00
|
|
|
ldaphandle = LoadLibrary("WLDAP32.DLL");
|
|
|
|
|
if (ldaphandle == NULL)
|
|
|
|
|
{
|
2006-10-04 02:30:14 +02:00
|
|
|
/*
|
|
|
|
|
* should never happen since we import other files from
|
|
|
|
|
* wldap32, but check anyway
|
|
|
|
|
*/
|
2006-08-21 21:21:38 +02:00
|
|
|
ereport(LOG,
|
|
|
|
|
(errmsg("could not load wldap32.dll")));
|
2017-10-13 04:33:15 +02:00
|
|
|
ldap_unbind(*ldap);
|
2006-08-21 21:21:38 +02:00
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
2006-10-04 02:30:14 +02:00
|
|
|
_ldap_start_tls_sA = (__ldap_start_tls_sA) GetProcAddress(ldaphandle, "ldap_start_tls_sA");
|
2006-08-21 21:21:38 +02:00
|
|
|
if (_ldap_start_tls_sA == NULL)
|
|
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
2006-10-06 19:14:01 +02:00
|
|
|
(errmsg("could not load function _ldap_start_tls_sA in wldap32.dll"),
|
|
|
|
|
errdetail("LDAP over SSL is not supported on this platform.")));
|
2017-10-13 04:33:15 +02:00
|
|
|
ldap_unbind(*ldap);
|
2006-08-21 21:21:38 +02:00
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
2007-11-15 22:14:46 +01:00
|
|
|
* Leak LDAP handle on purpose, because we need the library to
|
|
|
|
|
* stay open. This is ok because it will only ever be leaked once
|
|
|
|
|
* per process and is automatically cleaned up on process exit.
|
2006-08-21 21:21:38 +02:00
|
|
|
*/
|
|
|
|
|
}
|
2009-12-12 22:35:21 +01:00
|
|
|
if ((r = _ldap_start_tls_sA(*ldap, NULL, NULL, NULL, NULL)) != LDAP_SUCCESS)
|
2006-03-06 18:41:44 +01:00
|
|
|
#endif
|
2006-10-04 02:30:14 +02:00
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
2017-10-13 04:33:34 +02:00
|
|
|
(errmsg("could not start LDAP TLS session: %s",
|
|
|
|
|
ldap_err2string(r)),
|
|
|
|
|
errdetail_for_ldap(*ldap)));
|
2017-10-13 04:33:15 +02:00
|
|
|
ldap_unbind(*ldap);
|
2006-10-04 02:30:14 +02:00
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2009-12-12 22:35:21 +01:00
|
|
|
return STATUS_OK;
|
|
|
|
|
}
|
|
|
|
|
|
2017-09-12 15:46:14 +02:00
|
|
|
/* Placeholders recognized by FormatSearchFilter. For now just one. */
|
|
|
|
|
#define LPH_USERNAME "$username"
|
|
|
|
|
#define LPH_USERNAME_LEN (sizeof(LPH_USERNAME) - 1)
|
|
|
|
|
|
2017-09-13 14:20:45 +02:00
|
|
|
/* Not all LDAP implementations define this. */
|
|
|
|
|
#ifndef LDAP_NO_ATTRS
|
|
|
|
|
#define LDAP_NO_ATTRS "1.1"
|
|
|
|
|
#endif
|
|
|
|
|
|
2018-01-04 16:34:41 +01:00
|
|
|
/* Not all LDAP implementations define this. */
|
|
|
|
|
#ifndef LDAPS_PORT
|
|
|
|
|
#define LDAPS_PORT 636
|
|
|
|
|
#endif
|
|
|
|
|
|
2017-09-12 15:46:14 +02:00
|
|
|
/*
|
|
|
|
|
* Return a newly allocated C string copied from "pattern" with all
|
|
|
|
|
* occurrences of the placeholder "$username" replaced with "user_name".
|
|
|
|
|
*/
|
|
|
|
|
static char *
|
|
|
|
|
FormatSearchFilter(const char *pattern, const char *user_name)
|
|
|
|
|
{
|
|
|
|
|
StringInfoData output;
|
|
|
|
|
|
|
|
|
|
initStringInfo(&output);
|
|
|
|
|
while (*pattern != '\0')
|
|
|
|
|
{
|
|
|
|
|
if (strncmp(pattern, LPH_USERNAME, LPH_USERNAME_LEN) == 0)
|
|
|
|
|
{
|
|
|
|
|
appendStringInfoString(&output, user_name);
|
|
|
|
|
pattern += LPH_USERNAME_LEN;
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
appendStringInfoChar(&output, *pattern++);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return output.data;
|
|
|
|
|
}
|
|
|
|
|
|
2009-12-12 22:35:21 +01:00
|
|
|
/*
|
|
|
|
|
* Perform LDAP authentication
|
|
|
|
|
*/
|
|
|
|
|
static int
|
|
|
|
|
CheckLDAPAuth(Port *port)
|
|
|
|
|
{
|
|
|
|
|
char *passwd;
|
|
|
|
|
LDAP *ldap;
|
|
|
|
|
int r;
|
|
|
|
|
char *fulluser;
|
2019-03-21 03:19:03 +01:00
|
|
|
const char *server_name;
|
2009-12-12 22:35:21 +01:00
|
|
|
|
2019-03-21 03:19:03 +01:00
|
|
|
#ifdef HAVE_LDAP_INITIALIZE
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* For OpenLDAP, allow empty hostname if we have a basedn. We'll look for
|
|
|
|
|
* servers with DNS SRV records via OpenLDAP library facilities.
|
|
|
|
|
*/
|
|
|
|
|
if ((!port->hba->ldapserver || port->hba->ldapserver[0] == '\0') &&
|
|
|
|
|
(!port->hba->ldapbasedn || port->hba->ldapbasedn[0] == '\0'))
|
|
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
|
|
|
|
(errmsg("LDAP server not specified, and no ldapbasedn")));
|
|
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
#else
|
2009-12-12 22:35:21 +01:00
|
|
|
if (!port->hba->ldapserver || port->hba->ldapserver[0] == '\0')
|
|
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
|
|
|
|
(errmsg("LDAP server not specified")));
|
|
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
2019-03-21 03:19:03 +01:00
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* If we're using SRV records, we don't have a server name so we'll just
|
|
|
|
|
* show an empty string in error messages.
|
|
|
|
|
*/
|
|
|
|
|
server_name = port->hba->ldapserver ? port->hba->ldapserver : "";
|
2009-12-12 22:35:21 +01:00
|
|
|
|
|
|
|
|
if (port->hba->ldapport == 0)
|
2018-01-03 16:00:08 +01:00
|
|
|
{
|
|
|
|
|
if (port->hba->ldapscheme != NULL &&
|
|
|
|
|
strcmp(port->hba->ldapscheme, "ldaps") == 0)
|
|
|
|
|
port->hba->ldapport = LDAPS_PORT;
|
|
|
|
|
else
|
|
|
|
|
port->hba->ldapport = LDAP_PORT;
|
|
|
|
|
}
|
2009-12-12 22:35:21 +01:00
|
|
|
|
2016-08-18 12:25:31 +02:00
|
|
|
sendAuthRequest(port, AUTH_REQ_PASSWORD, NULL, 0);
|
2009-12-12 22:35:21 +01:00
|
|
|
|
|
|
|
|
passwd = recv_password_packet(port);
|
|
|
|
|
if (passwd == NULL)
|
|
|
|
|
return STATUS_EOF; /* client wouldn't send password */
|
|
|
|
|
|
|
|
|
|
if (InitializeLDAPConnection(port, &ldap) == STATUS_ERROR)
|
Don't allow logging in with empty password.
Some authentication methods allowed it, others did not. In the client-side,
libpq does not even try to authenticate with an empty password, which makes
using empty passwords hazardous: an administrator might think that an
account with an empty password cannot be used to log in, because psql
doesn't allow it, and not realize that a different client would in fact
allow it. To clear that confusion and to be be consistent, disallow empty
passwords in all authentication methods.
All the authentication methods that used plaintext authentication over the
wire, except for BSD authentication, already checked that the password
received from the user was not empty. To avoid forgetting it in the future
again, move the check to the recv_password_packet function. That only
forbids using an empty password with plaintext authentication, however.
MD5 and SCRAM need a different fix:
* In stable branches, check that the MD5 hash stored for the user does not
not correspond to an empty string. This adds some overhead to MD5
authentication, because the server needs to compute an extra MD5 hash, but
it is not noticeable in practice.
* In HEAD, modify CREATE and ALTER ROLE to clear the password if an empty
string, or a password hash that corresponds to an empty string, is
specified. The user-visible behavior is the same as in the stable branches,
the user cannot log in, but it seems better to stop the empty password from
entering the system in the first place. Secondly, it is fairly expensive to
check that a SCRAM hash doesn't correspond to an empty string, because
computing a SCRAM hash is much more expensive than an MD5 hash by design,
so better avoid doing that on every authentication.
We could clear the password on CREATE/ALTER ROLE also in stable branches,
but we would still need to check at authentication time, because even if we
prevent empty passwords from being stored in pg_authid, there might be
existing ones there already.
Reported by Jeroen van der Ham, Ben de Graaff and Jelte Fennema.
Security: CVE-2017-7546
2017-08-07 16:03:42 +02:00
|
|
|
{
|
2009-12-12 22:35:21 +01:00
|
|
|
/* Error message already sent */
|
Don't allow logging in with empty password.
Some authentication methods allowed it, others did not. In the client-side,
libpq does not even try to authenticate with an empty password, which makes
using empty passwords hazardous: an administrator might think that an
account with an empty password cannot be used to log in, because psql
doesn't allow it, and not realize that a different client would in fact
allow it. To clear that confusion and to be be consistent, disallow empty
passwords in all authentication methods.
All the authentication methods that used plaintext authentication over the
wire, except for BSD authentication, already checked that the password
received from the user was not empty. To avoid forgetting it in the future
again, move the check to the recv_password_packet function. That only
forbids using an empty password with plaintext authentication, however.
MD5 and SCRAM need a different fix:
* In stable branches, check that the MD5 hash stored for the user does not
not correspond to an empty string. This adds some overhead to MD5
authentication, because the server needs to compute an extra MD5 hash, but
it is not noticeable in practice.
* In HEAD, modify CREATE and ALTER ROLE to clear the password if an empty
string, or a password hash that corresponds to an empty string, is
specified. The user-visible behavior is the same as in the stable branches,
the user cannot log in, but it seems better to stop the empty password from
entering the system in the first place. Secondly, it is fairly expensive to
check that a SCRAM hash doesn't correspond to an empty string, because
computing a SCRAM hash is much more expensive than an MD5 hash by design,
so better avoid doing that on every authentication.
We could clear the password on CREATE/ALTER ROLE also in stable branches,
but we would still need to check at authentication time, because even if we
prevent empty passwords from being stored in pg_authid, there might be
existing ones there already.
Reported by Jeroen van der Ham, Ben de Graaff and Jelte Fennema.
Security: CVE-2017-7546
2017-08-07 16:03:42 +02:00
|
|
|
pfree(passwd);
|
2009-12-12 22:35:21 +01:00
|
|
|
return STATUS_ERROR;
|
Don't allow logging in with empty password.
Some authentication methods allowed it, others did not. In the client-side,
libpq does not even try to authenticate with an empty password, which makes
using empty passwords hazardous: an administrator might think that an
account with an empty password cannot be used to log in, because psql
doesn't allow it, and not realize that a different client would in fact
allow it. To clear that confusion and to be be consistent, disallow empty
passwords in all authentication methods.
All the authentication methods that used plaintext authentication over the
wire, except for BSD authentication, already checked that the password
received from the user was not empty. To avoid forgetting it in the future
again, move the check to the recv_password_packet function. That only
forbids using an empty password with plaintext authentication, however.
MD5 and SCRAM need a different fix:
* In stable branches, check that the MD5 hash stored for the user does not
not correspond to an empty string. This adds some overhead to MD5
authentication, because the server needs to compute an extra MD5 hash, but
it is not noticeable in practice.
* In HEAD, modify CREATE and ALTER ROLE to clear the password if an empty
string, or a password hash that corresponds to an empty string, is
specified. The user-visible behavior is the same as in the stable branches,
the user cannot log in, but it seems better to stop the empty password from
entering the system in the first place. Secondly, it is fairly expensive to
check that a SCRAM hash doesn't correspond to an empty string, because
computing a SCRAM hash is much more expensive than an MD5 hash by design,
so better avoid doing that on every authentication.
We could clear the password on CREATE/ALTER ROLE also in stable branches,
but we would still need to check at authentication time, because even if we
prevent empty passwords from being stored in pg_authid, there might be
existing ones there already.
Reported by Jeroen van der Ham, Ben de Graaff and Jelte Fennema.
Security: CVE-2017-7546
2017-08-07 16:03:42 +02:00
|
|
|
}
|
2009-12-12 22:35:21 +01:00
|
|
|
|
|
|
|
|
if (port->hba->ldapbasedn)
|
|
|
|
|
{
|
|
|
|
|
/*
|
2010-02-26 03:01:40 +01:00
|
|
|
* First perform an LDAP search to find the DN for the user we are
|
|
|
|
|
* trying to log in as.
|
2009-12-12 22:35:21 +01:00
|
|
|
*/
|
2010-02-26 03:01:40 +01:00
|
|
|
char *filter;
|
|
|
|
|
LDAPMessage *search_message;
|
|
|
|
|
LDAPMessage *entry;
|
2017-11-29 15:24:24 +01:00
|
|
|
char *attributes[] = {LDAP_NO_ATTRS, NULL};
|
2010-02-26 03:01:40 +01:00
|
|
|
char *dn;
|
|
|
|
|
char *c;
|
2012-10-03 05:25:05 +02:00
|
|
|
int count;
|
2009-12-12 22:35:21 +01:00
|
|
|
|
|
|
|
|
/*
|
2010-02-26 03:01:40 +01:00
|
|
|
* Disallow any characters that we would otherwise need to escape,
|
|
|
|
|
* since they aren't really reasonable in a username anyway. Allowing
|
|
|
|
|
* them would make it possible to inject any kind of custom filters in
|
|
|
|
|
* the LDAP filter.
|
2009-12-12 22:35:21 +01:00
|
|
|
*/
|
|
|
|
|
for (c = port->user_name; *c; c++)
|
|
|
|
|
{
|
|
|
|
|
if (*c == '*' ||
|
|
|
|
|
*c == '(' ||
|
|
|
|
|
*c == ')' ||
|
|
|
|
|
*c == '\\' ||
|
|
|
|
|
*c == '/')
|
|
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
2010-03-21 01:17:59 +01:00
|
|
|
(errmsg("invalid character in user name for LDAP authentication")));
|
2017-10-13 04:33:15 +02:00
|
|
|
ldap_unbind(ldap);
|
Don't allow logging in with empty password.
Some authentication methods allowed it, others did not. In the client-side,
libpq does not even try to authenticate with an empty password, which makes
using empty passwords hazardous: an administrator might think that an
account with an empty password cannot be used to log in, because psql
doesn't allow it, and not realize that a different client would in fact
allow it. To clear that confusion and to be be consistent, disallow empty
passwords in all authentication methods.
All the authentication methods that used plaintext authentication over the
wire, except for BSD authentication, already checked that the password
received from the user was not empty. To avoid forgetting it in the future
again, move the check to the recv_password_packet function. That only
forbids using an empty password with plaintext authentication, however.
MD5 and SCRAM need a different fix:
* In stable branches, check that the MD5 hash stored for the user does not
not correspond to an empty string. This adds some overhead to MD5
authentication, because the server needs to compute an extra MD5 hash, but
it is not noticeable in practice.
* In HEAD, modify CREATE and ALTER ROLE to clear the password if an empty
string, or a password hash that corresponds to an empty string, is
specified. The user-visible behavior is the same as in the stable branches,
the user cannot log in, but it seems better to stop the empty password from
entering the system in the first place. Secondly, it is fairly expensive to
check that a SCRAM hash doesn't correspond to an empty string, because
computing a SCRAM hash is much more expensive than an MD5 hash by design,
so better avoid doing that on every authentication.
We could clear the password on CREATE/ALTER ROLE also in stable branches,
but we would still need to check at authentication time, because even if we
prevent empty passwords from being stored in pg_authid, there might be
existing ones there already.
Reported by Jeroen van der Ham, Ben de Graaff and Jelte Fennema.
Security: CVE-2017-7546
2017-08-07 16:03:42 +02:00
|
|
|
pfree(passwd);
|
2009-12-12 22:35:21 +01:00
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
2010-02-26 03:01:40 +01:00
|
|
|
* Bind with a pre-defined username/password (if available) for
|
|
|
|
|
* searching. If none is specified, this turns into an anonymous bind.
|
2009-12-12 22:35:21 +01:00
|
|
|
*/
|
|
|
|
|
r = ldap_simple_bind_s(ldap,
|
Phase 3 of pgindent updates.
Don't move parenthesized lines to the left, even if that means they
flow past the right margin.
By default, BSD indent lines up statement continuation lines that are
within parentheses so that they start just to the right of the preceding
left parenthesis. However, traditionally, if that resulted in the
continuation line extending to the right of the desired right margin,
then indent would push it left just far enough to not overrun the margin,
if it could do so without making the continuation line start to the left of
the current statement indent. That makes for a weird mix of indentations
unless one has been completely rigid about never violating the 80-column
limit.
This behavior has been pretty universally panned by Postgres developers.
Hence, disable it with indent's new -lpl switch, so that parenthesized
lines are always lined up with the preceding left paren.
This patch is much less interesting than the first round of indent
changes, but also bulkier, so I thought it best to separate the effects.
Discussion: https://postgr.es/m/E1dAmxK-0006EE-1r@gemulon.postgresql.org
Discussion: https://postgr.es/m/30527.1495162840@sss.pgh.pa.us
2017-06-21 21:35:54 +02:00
|
|
|
port->hba->ldapbinddn ? port->hba->ldapbinddn : "",
|
|
|
|
|
port->hba->ldapbindpasswd ? port->hba->ldapbindpasswd : "");
|
2009-12-12 22:35:21 +01:00
|
|
|
if (r != LDAP_SUCCESS)
|
|
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
2012-09-28 02:22:50 +02:00
|
|
|
(errmsg("could not perform initial LDAP bind for ldapbinddn \"%s\" on server \"%s\": %s",
|
2017-11-10 20:21:32 +01:00
|
|
|
port->hba->ldapbinddn ? port->hba->ldapbinddn : "",
|
2019-03-21 03:19:03 +01:00
|
|
|
server_name,
|
2017-10-13 04:33:34 +02:00
|
|
|
ldap_err2string(r)),
|
|
|
|
|
errdetail_for_ldap(ldap)));
|
2017-10-13 04:33:15 +02:00
|
|
|
ldap_unbind(ldap);
|
Don't allow logging in with empty password.
Some authentication methods allowed it, others did not. In the client-side,
libpq does not even try to authenticate with an empty password, which makes
using empty passwords hazardous: an administrator might think that an
account with an empty password cannot be used to log in, because psql
doesn't allow it, and not realize that a different client would in fact
allow it. To clear that confusion and to be be consistent, disallow empty
passwords in all authentication methods.
All the authentication methods that used plaintext authentication over the
wire, except for BSD authentication, already checked that the password
received from the user was not empty. To avoid forgetting it in the future
again, move the check to the recv_password_packet function. That only
forbids using an empty password with plaintext authentication, however.
MD5 and SCRAM need a different fix:
* In stable branches, check that the MD5 hash stored for the user does not
not correspond to an empty string. This adds some overhead to MD5
authentication, because the server needs to compute an extra MD5 hash, but
it is not noticeable in practice.
* In HEAD, modify CREATE and ALTER ROLE to clear the password if an empty
string, or a password hash that corresponds to an empty string, is
specified. The user-visible behavior is the same as in the stable branches,
the user cannot log in, but it seems better to stop the empty password from
entering the system in the first place. Secondly, it is fairly expensive to
check that a SCRAM hash doesn't correspond to an empty string, because
computing a SCRAM hash is much more expensive than an MD5 hash by design,
so better avoid doing that on every authentication.
We could clear the password on CREATE/ALTER ROLE also in stable branches,
but we would still need to check at authentication time, because even if we
prevent empty passwords from being stored in pg_authid, there might be
existing ones there already.
Reported by Jeroen van der Ham, Ben de Graaff and Jelte Fennema.
Security: CVE-2017-7546
2017-08-07 16:03:42 +02:00
|
|
|
pfree(passwd);
|
2009-12-12 22:35:21 +01:00
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
|
2017-09-12 15:46:14 +02:00
|
|
|
/* Build a custom filter or a single attribute filter? */
|
|
|
|
|
if (port->hba->ldapsearchfilter)
|
|
|
|
|
filter = FormatSearchFilter(port->hba->ldapsearchfilter, port->user_name);
|
|
|
|
|
else if (port->hba->ldapsearchattribute)
|
|
|
|
|
filter = psprintf("(%s=%s)", port->hba->ldapsearchattribute, port->user_name);
|
|
|
|
|
else
|
|
|
|
|
filter = psprintf("(uid=%s)", port->user_name);
|
2009-12-12 22:35:21 +01:00
|
|
|
|
|
|
|
|
r = ldap_search_s(ldap,
|
|
|
|
|
port->hba->ldapbasedn,
|
2012-12-04 05:29:56 +01:00
|
|
|
port->hba->ldapscope,
|
2009-12-12 22:35:21 +01:00
|
|
|
filter,
|
|
|
|
|
attributes,
|
|
|
|
|
0,
|
|
|
|
|
&search_message);
|
|
|
|
|
|
|
|
|
|
if (r != LDAP_SUCCESS)
|
|
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
2012-09-28 02:22:50 +02:00
|
|
|
(errmsg("could not search LDAP for filter \"%s\" on server \"%s\": %s",
|
2019-03-21 03:19:03 +01:00
|
|
|
filter, server_name, ldap_err2string(r)),
|
2017-10-13 04:33:34 +02:00
|
|
|
errdetail_for_ldap(ldap)));
|
2017-10-13 04:33:15 +02:00
|
|
|
ldap_unbind(ldap);
|
Don't allow logging in with empty password.
Some authentication methods allowed it, others did not. In the client-side,
libpq does not even try to authenticate with an empty password, which makes
using empty passwords hazardous: an administrator might think that an
account with an empty password cannot be used to log in, because psql
doesn't allow it, and not realize that a different client would in fact
allow it. To clear that confusion and to be be consistent, disallow empty
passwords in all authentication methods.
All the authentication methods that used plaintext authentication over the
wire, except for BSD authentication, already checked that the password
received from the user was not empty. To avoid forgetting it in the future
again, move the check to the recv_password_packet function. That only
forbids using an empty password with plaintext authentication, however.
MD5 and SCRAM need a different fix:
* In stable branches, check that the MD5 hash stored for the user does not
not correspond to an empty string. This adds some overhead to MD5
authentication, because the server needs to compute an extra MD5 hash, but
it is not noticeable in practice.
* In HEAD, modify CREATE and ALTER ROLE to clear the password if an empty
string, or a password hash that corresponds to an empty string, is
specified. The user-visible behavior is the same as in the stable branches,
the user cannot log in, but it seems better to stop the empty password from
entering the system in the first place. Secondly, it is fairly expensive to
check that a SCRAM hash doesn't correspond to an empty string, because
computing a SCRAM hash is much more expensive than an MD5 hash by design,
so better avoid doing that on every authentication.
We could clear the password on CREATE/ALTER ROLE also in stable branches,
but we would still need to check at authentication time, because even if we
prevent empty passwords from being stored in pg_authid, there might be
existing ones there already.
Reported by Jeroen van der Ham, Ben de Graaff and Jelte Fennema.
Security: CVE-2017-7546
2017-08-07 16:03:42 +02:00
|
|
|
pfree(passwd);
|
2009-12-12 22:35:21 +01:00
|
|
|
pfree(filter);
|
|
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
|
2012-10-03 05:25:05 +02:00
|
|
|
count = ldap_count_entries(ldap, search_message);
|
|
|
|
|
if (count != 1)
|
2009-12-12 22:35:21 +01:00
|
|
|
{
|
2012-10-03 05:25:05 +02:00
|
|
|
if (count == 0)
|
2009-12-12 22:35:21 +01:00
|
|
|
ereport(LOG,
|
Phase 3 of pgindent updates.
Don't move parenthesized lines to the left, even if that means they
flow past the right margin.
By default, BSD indent lines up statement continuation lines that are
within parentheses so that they start just to the right of the preceding
left parenthesis. However, traditionally, if that resulted in the
continuation line extending to the right of the desired right margin,
then indent would push it left just far enough to not overrun the margin,
if it could do so without making the continuation line start to the left of
the current statement indent. That makes for a weird mix of indentations
unless one has been completely rigid about never violating the 80-column
limit.
This behavior has been pretty universally panned by Postgres developers.
Hence, disable it with indent's new -lpl switch, so that parenthesized
lines are always lined up with the preceding left paren.
This patch is much less interesting than the first round of indent
changes, but also bulkier, so I thought it best to separate the effects.
Discussion: https://postgr.es/m/E1dAmxK-0006EE-1r@gemulon.postgresql.org
Discussion: https://postgr.es/m/30527.1495162840@sss.pgh.pa.us
2017-06-21 21:35:54 +02:00
|
|
|
(errmsg("LDAP user \"%s\" does not exist", port->user_name),
|
|
|
|
|
errdetail("LDAP search for filter \"%s\" on server \"%s\" returned no entries.",
|
2019-03-21 03:19:03 +01:00
|
|
|
filter, server_name)));
|
2009-12-12 22:35:21 +01:00
|
|
|
else
|
|
|
|
|
ereport(LOG,
|
Phase 3 of pgindent updates.
Don't move parenthesized lines to the left, even if that means they
flow past the right margin.
By default, BSD indent lines up statement continuation lines that are
within parentheses so that they start just to the right of the preceding
left parenthesis. However, traditionally, if that resulted in the
continuation line extending to the right of the desired right margin,
then indent would push it left just far enough to not overrun the margin,
if it could do so without making the continuation line start to the left of
the current statement indent. That makes for a weird mix of indentations
unless one has been completely rigid about never violating the 80-column
limit.
This behavior has been pretty universally panned by Postgres developers.
Hence, disable it with indent's new -lpl switch, so that parenthesized
lines are always lined up with the preceding left paren.
This patch is much less interesting than the first round of indent
changes, but also bulkier, so I thought it best to separate the effects.
Discussion: https://postgr.es/m/E1dAmxK-0006EE-1r@gemulon.postgresql.org
Discussion: https://postgr.es/m/30527.1495162840@sss.pgh.pa.us
2017-06-21 21:35:54 +02:00
|
|
|
(errmsg("LDAP user \"%s\" is not unique", port->user_name),
|
|
|
|
|
errdetail_plural("LDAP search for filter \"%s\" on server \"%s\" returned %d entry.",
|
|
|
|
|
"LDAP search for filter \"%s\" on server \"%s\" returned %d entries.",
|
|
|
|
|
count,
|
2019-03-21 03:19:03 +01:00
|
|
|
filter, server_name, count)));
|
2009-12-12 22:35:21 +01:00
|
|
|
|
2017-10-13 04:33:15 +02:00
|
|
|
ldap_unbind(ldap);
|
Don't allow logging in with empty password.
Some authentication methods allowed it, others did not. In the client-side,
libpq does not even try to authenticate with an empty password, which makes
using empty passwords hazardous: an administrator might think that an
account with an empty password cannot be used to log in, because psql
doesn't allow it, and not realize that a different client would in fact
allow it. To clear that confusion and to be be consistent, disallow empty
passwords in all authentication methods.
All the authentication methods that used plaintext authentication over the
wire, except for BSD authentication, already checked that the password
received from the user was not empty. To avoid forgetting it in the future
again, move the check to the recv_password_packet function. That only
forbids using an empty password with plaintext authentication, however.
MD5 and SCRAM need a different fix:
* In stable branches, check that the MD5 hash stored for the user does not
not correspond to an empty string. This adds some overhead to MD5
authentication, because the server needs to compute an extra MD5 hash, but
it is not noticeable in practice.
* In HEAD, modify CREATE and ALTER ROLE to clear the password if an empty
string, or a password hash that corresponds to an empty string, is
specified. The user-visible behavior is the same as in the stable branches,
the user cannot log in, but it seems better to stop the empty password from
entering the system in the first place. Secondly, it is fairly expensive to
check that a SCRAM hash doesn't correspond to an empty string, because
computing a SCRAM hash is much more expensive than an MD5 hash by design,
so better avoid doing that on every authentication.
We could clear the password on CREATE/ALTER ROLE also in stable branches,
but we would still need to check at authentication time, because even if we
prevent empty passwords from being stored in pg_authid, there might be
existing ones there already.
Reported by Jeroen van der Ham, Ben de Graaff and Jelte Fennema.
Security: CVE-2017-7546
2017-08-07 16:03:42 +02:00
|
|
|
pfree(passwd);
|
2009-12-12 22:35:21 +01:00
|
|
|
pfree(filter);
|
|
|
|
|
ldap_msgfree(search_message);
|
|
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
entry = ldap_first_entry(ldap, search_message);
|
|
|
|
|
dn = ldap_get_dn(ldap, entry);
|
|
|
|
|
if (dn == NULL)
|
|
|
|
|
{
|
2010-02-26 03:01:40 +01:00
|
|
|
int error;
|
|
|
|
|
|
|
|
|
|
(void) ldap_get_option(ldap, LDAP_OPT_ERROR_NUMBER, &error);
|
2009-12-12 22:35:21 +01:00
|
|
|
ereport(LOG,
|
|
|
|
|
(errmsg("could not get dn for the first entry matching \"%s\" on server \"%s\": %s",
|
2019-03-21 03:19:03 +01:00
|
|
|
filter, server_name,
|
2017-10-13 04:33:34 +02:00
|
|
|
ldap_err2string(error)),
|
|
|
|
|
errdetail_for_ldap(ldap)));
|
2017-10-13 04:33:15 +02:00
|
|
|
ldap_unbind(ldap);
|
Don't allow logging in with empty password.
Some authentication methods allowed it, others did not. In the client-side,
libpq does not even try to authenticate with an empty password, which makes
using empty passwords hazardous: an administrator might think that an
account with an empty password cannot be used to log in, because psql
doesn't allow it, and not realize that a different client would in fact
allow it. To clear that confusion and to be be consistent, disallow empty
passwords in all authentication methods.
All the authentication methods that used plaintext authentication over the
wire, except for BSD authentication, already checked that the password
received from the user was not empty. To avoid forgetting it in the future
again, move the check to the recv_password_packet function. That only
forbids using an empty password with plaintext authentication, however.
MD5 and SCRAM need a different fix:
* In stable branches, check that the MD5 hash stored for the user does not
not correspond to an empty string. This adds some overhead to MD5
authentication, because the server needs to compute an extra MD5 hash, but
it is not noticeable in practice.
* In HEAD, modify CREATE and ALTER ROLE to clear the password if an empty
string, or a password hash that corresponds to an empty string, is
specified. The user-visible behavior is the same as in the stable branches,
the user cannot log in, but it seems better to stop the empty password from
entering the system in the first place. Secondly, it is fairly expensive to
check that a SCRAM hash doesn't correspond to an empty string, because
computing a SCRAM hash is much more expensive than an MD5 hash by design,
so better avoid doing that on every authentication.
We could clear the password on CREATE/ALTER ROLE also in stable branches,
but we would still need to check at authentication time, because even if we
prevent empty passwords from being stored in pg_authid, there might be
existing ones there already.
Reported by Jeroen van der Ham, Ben de Graaff and Jelte Fennema.
Security: CVE-2017-7546
2017-08-07 16:03:42 +02:00
|
|
|
pfree(passwd);
|
2009-12-12 22:35:21 +01:00
|
|
|
pfree(filter);
|
|
|
|
|
ldap_msgfree(search_message);
|
|
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
fulluser = pstrdup(dn);
|
|
|
|
|
|
|
|
|
|
pfree(filter);
|
|
|
|
|
ldap_memfree(dn);
|
|
|
|
|
ldap_msgfree(search_message);
|
|
|
|
|
|
|
|
|
|
/* Unbind and disconnect from the LDAP server */
|
|
|
|
|
r = ldap_unbind_s(ldap);
|
|
|
|
|
if (r != LDAP_SUCCESS)
|
|
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
2017-10-13 04:33:15 +02:00
|
|
|
(errmsg("could not unbind after searching for user \"%s\" on server \"%s\"",
|
2019-03-21 03:19:03 +01:00
|
|
|
fulluser, server_name)));
|
Don't allow logging in with empty password.
Some authentication methods allowed it, others did not. In the client-side,
libpq does not even try to authenticate with an empty password, which makes
using empty passwords hazardous: an administrator might think that an
account with an empty password cannot be used to log in, because psql
doesn't allow it, and not realize that a different client would in fact
allow it. To clear that confusion and to be be consistent, disallow empty
passwords in all authentication methods.
All the authentication methods that used plaintext authentication over the
wire, except for BSD authentication, already checked that the password
received from the user was not empty. To avoid forgetting it in the future
again, move the check to the recv_password_packet function. That only
forbids using an empty password with plaintext authentication, however.
MD5 and SCRAM need a different fix:
* In stable branches, check that the MD5 hash stored for the user does not
not correspond to an empty string. This adds some overhead to MD5
authentication, because the server needs to compute an extra MD5 hash, but
it is not noticeable in practice.
* In HEAD, modify CREATE and ALTER ROLE to clear the password if an empty
string, or a password hash that corresponds to an empty string, is
specified. The user-visible behavior is the same as in the stable branches,
the user cannot log in, but it seems better to stop the empty password from
entering the system in the first place. Secondly, it is fairly expensive to
check that a SCRAM hash doesn't correspond to an empty string, because
computing a SCRAM hash is much more expensive than an MD5 hash by design,
so better avoid doing that on every authentication.
We could clear the password on CREATE/ALTER ROLE also in stable branches,
but we would still need to check at authentication time, because even if we
prevent empty passwords from being stored in pg_authid, there might be
existing ones there already.
Reported by Jeroen van der Ham, Ben de Graaff and Jelte Fennema.
Security: CVE-2017-7546
2017-08-07 16:03:42 +02:00
|
|
|
pfree(passwd);
|
2009-12-12 22:35:21 +01:00
|
|
|
pfree(fulluser);
|
|
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
2010-02-26 03:01:40 +01:00
|
|
|
* Need to re-initialize the LDAP connection, so that we can bind to
|
|
|
|
|
* it with a different username.
|
2009-12-12 22:35:21 +01:00
|
|
|
*/
|
|
|
|
|
if (InitializeLDAPConnection(port, &ldap) == STATUS_ERROR)
|
|
|
|
|
{
|
Don't allow logging in with empty password.
Some authentication methods allowed it, others did not. In the client-side,
libpq does not even try to authenticate with an empty password, which makes
using empty passwords hazardous: an administrator might think that an
account with an empty password cannot be used to log in, because psql
doesn't allow it, and not realize that a different client would in fact
allow it. To clear that confusion and to be be consistent, disallow empty
passwords in all authentication methods.
All the authentication methods that used plaintext authentication over the
wire, except for BSD authentication, already checked that the password
received from the user was not empty. To avoid forgetting it in the future
again, move the check to the recv_password_packet function. That only
forbids using an empty password with plaintext authentication, however.
MD5 and SCRAM need a different fix:
* In stable branches, check that the MD5 hash stored for the user does not
not correspond to an empty string. This adds some overhead to MD5
authentication, because the server needs to compute an extra MD5 hash, but
it is not noticeable in practice.
* In HEAD, modify CREATE and ALTER ROLE to clear the password if an empty
string, or a password hash that corresponds to an empty string, is
specified. The user-visible behavior is the same as in the stable branches,
the user cannot log in, but it seems better to stop the empty password from
entering the system in the first place. Secondly, it is fairly expensive to
check that a SCRAM hash doesn't correspond to an empty string, because
computing a SCRAM hash is much more expensive than an MD5 hash by design,
so better avoid doing that on every authentication.
We could clear the password on CREATE/ALTER ROLE also in stable branches,
but we would still need to check at authentication time, because even if we
prevent empty passwords from being stored in pg_authid, there might be
existing ones there already.
Reported by Jeroen van der Ham, Ben de Graaff and Jelte Fennema.
Security: CVE-2017-7546
2017-08-07 16:03:42 +02:00
|
|
|
pfree(passwd);
|
2009-12-12 22:35:21 +01:00
|
|
|
pfree(fulluser);
|
|
|
|
|
|
|
|
|
|
/* Error message already sent */
|
|
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
else
|
2013-10-13 06:09:18 +02:00
|
|
|
fulluser = psprintf("%s%s%s",
|
Phase 3 of pgindent updates.
Don't move parenthesized lines to the left, even if that means they
flow past the right margin.
By default, BSD indent lines up statement continuation lines that are
within parentheses so that they start just to the right of the preceding
left parenthesis. However, traditionally, if that resulted in the
continuation line extending to the right of the desired right margin,
then indent would push it left just far enough to not overrun the margin,
if it could do so without making the continuation line start to the left of
the current statement indent. That makes for a weird mix of indentations
unless one has been completely rigid about never violating the 80-column
limit.
This behavior has been pretty universally panned by Postgres developers.
Hence, disable it with indent's new -lpl switch, so that parenthesized
lines are always lined up with the preceding left paren.
This patch is much less interesting than the first round of indent
changes, but also bulkier, so I thought it best to separate the effects.
Discussion: https://postgr.es/m/E1dAmxK-0006EE-1r@gemulon.postgresql.org
Discussion: https://postgr.es/m/30527.1495162840@sss.pgh.pa.us
2017-06-21 21:35:54 +02:00
|
|
|
port->hba->ldapprefix ? port->hba->ldapprefix : "",
|
2014-05-06 18:12:18 +02:00
|
|
|
port->user_name,
|
Phase 3 of pgindent updates.
Don't move parenthesized lines to the left, even if that means they
flow past the right margin.
By default, BSD indent lines up statement continuation lines that are
within parentheses so that they start just to the right of the preceding
left parenthesis. However, traditionally, if that resulted in the
continuation line extending to the right of the desired right margin,
then indent would push it left just far enough to not overrun the margin,
if it could do so without making the continuation line start to the left of
the current statement indent. That makes for a weird mix of indentations
unless one has been completely rigid about never violating the 80-column
limit.
This behavior has been pretty universally panned by Postgres developers.
Hence, disable it with indent's new -lpl switch, so that parenthesized
lines are always lined up with the preceding left paren.
This patch is much less interesting than the first round of indent
changes, but also bulkier, so I thought it best to separate the effects.
Discussion: https://postgr.es/m/E1dAmxK-0006EE-1r@gemulon.postgresql.org
Discussion: https://postgr.es/m/30527.1495162840@sss.pgh.pa.us
2017-06-21 21:35:54 +02:00
|
|
|
port->hba->ldapsuffix ? port->hba->ldapsuffix : "");
|
2006-03-06 18:41:44 +01:00
|
|
|
|
2006-10-04 02:30:14 +02:00
|
|
|
r = ldap_simple_bind_s(ldap, fulluser, passwd);
|
2006-03-06 18:41:44 +01:00
|
|
|
|
2006-10-04 02:30:14 +02:00
|
|
|
if (r != LDAP_SUCCESS)
|
|
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
Phase 3 of pgindent updates.
Don't move parenthesized lines to the left, even if that means they
flow past the right margin.
By default, BSD indent lines up statement continuation lines that are
within parentheses so that they start just to the right of the preceding
left parenthesis. However, traditionally, if that resulted in the
continuation line extending to the right of the desired right margin,
then indent would push it left just far enough to not overrun the margin,
if it could do so without making the continuation line start to the left of
the current statement indent. That makes for a weird mix of indentations
unless one has been completely rigid about never violating the 80-column
limit.
This behavior has been pretty universally panned by Postgres developers.
Hence, disable it with indent's new -lpl switch, so that parenthesized
lines are always lined up with the preceding left paren.
This patch is much less interesting than the first round of indent
changes, but also bulkier, so I thought it best to separate the effects.
Discussion: https://postgr.es/m/E1dAmxK-0006EE-1r@gemulon.postgresql.org
Discussion: https://postgr.es/m/30527.1495162840@sss.pgh.pa.us
2017-06-21 21:35:54 +02:00
|
|
|
(errmsg("LDAP login failed for user \"%s\" on server \"%s\": %s",
|
2019-03-21 03:19:03 +01:00
|
|
|
fulluser, server_name, ldap_err2string(r)),
|
2017-10-13 04:33:34 +02:00
|
|
|
errdetail_for_ldap(ldap)));
|
|
|
|
|
ldap_unbind(ldap);
|
Don't allow logging in with empty password.
Some authentication methods allowed it, others did not. In the client-side,
libpq does not even try to authenticate with an empty password, which makes
using empty passwords hazardous: an administrator might think that an
account with an empty password cannot be used to log in, because psql
doesn't allow it, and not realize that a different client would in fact
allow it. To clear that confusion and to be be consistent, disallow empty
passwords in all authentication methods.
All the authentication methods that used plaintext authentication over the
wire, except for BSD authentication, already checked that the password
received from the user was not empty. To avoid forgetting it in the future
again, move the check to the recv_password_packet function. That only
forbids using an empty password with plaintext authentication, however.
MD5 and SCRAM need a different fix:
* In stable branches, check that the MD5 hash stored for the user does not
not correspond to an empty string. This adds some overhead to MD5
authentication, because the server needs to compute an extra MD5 hash, but
it is not noticeable in practice.
* In HEAD, modify CREATE and ALTER ROLE to clear the password if an empty
string, or a password hash that corresponds to an empty string, is
specified. The user-visible behavior is the same as in the stable branches,
the user cannot log in, but it seems better to stop the empty password from
entering the system in the first place. Secondly, it is fairly expensive to
check that a SCRAM hash doesn't correspond to an empty string, because
computing a SCRAM hash is much more expensive than an MD5 hash by design,
so better avoid doing that on every authentication.
We could clear the password on CREATE/ALTER ROLE also in stable branches,
but we would still need to check at authentication time, because even if we
prevent empty passwords from being stored in pg_authid, there might be
existing ones there already.
Reported by Jeroen van der Ham, Ben de Graaff and Jelte Fennema.
Security: CVE-2017-7546
2017-08-07 16:03:42 +02:00
|
|
|
pfree(passwd);
|
2009-12-12 22:35:21 +01:00
|
|
|
pfree(fulluser);
|
2006-10-04 02:30:14 +02:00
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
2006-03-16 19:11:17 +01:00
|
|
|
|
2017-10-13 04:33:34 +02:00
|
|
|
ldap_unbind(ldap);
|
Don't allow logging in with empty password.
Some authentication methods allowed it, others did not. In the client-side,
libpq does not even try to authenticate with an empty password, which makes
using empty passwords hazardous: an administrator might think that an
account with an empty password cannot be used to log in, because psql
doesn't allow it, and not realize that a different client would in fact
allow it. To clear that confusion and to be be consistent, disallow empty
passwords in all authentication methods.
All the authentication methods that used plaintext authentication over the
wire, except for BSD authentication, already checked that the password
received from the user was not empty. To avoid forgetting it in the future
again, move the check to the recv_password_packet function. That only
forbids using an empty password with plaintext authentication, however.
MD5 and SCRAM need a different fix:
* In stable branches, check that the MD5 hash stored for the user does not
not correspond to an empty string. This adds some overhead to MD5
authentication, because the server needs to compute an extra MD5 hash, but
it is not noticeable in practice.
* In HEAD, modify CREATE and ALTER ROLE to clear the password if an empty
string, or a password hash that corresponds to an empty string, is
specified. The user-visible behavior is the same as in the stable branches,
the user cannot log in, but it seems better to stop the empty password from
entering the system in the first place. Secondly, it is fairly expensive to
check that a SCRAM hash doesn't correspond to an empty string, because
computing a SCRAM hash is much more expensive than an MD5 hash by design,
so better avoid doing that on every authentication.
We could clear the password on CREATE/ALTER ROLE also in stable branches,
but we would still need to check at authentication time, because even if we
prevent empty passwords from being stored in pg_authid, there might be
existing ones there already.
Reported by Jeroen van der Ham, Ben de Graaff and Jelte Fennema.
Security: CVE-2017-7546
2017-08-07 16:03:42 +02:00
|
|
|
pfree(passwd);
|
2009-12-12 22:35:21 +01:00
|
|
|
pfree(fulluser);
|
|
|
|
|
|
2006-10-04 02:30:14 +02:00
|
|
|
return STATUS_OK;
|
|
|
|
|
}
|
2017-10-13 04:33:34 +02:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Add a detail error message text to the current error if one can be
|
|
|
|
|
* constructed from the LDAP 'diagnostic message'.
|
|
|
|
|
*/
|
|
|
|
|
static int
|
|
|
|
|
errdetail_for_ldap(LDAP *ldap)
|
|
|
|
|
{
|
|
|
|
|
char *message;
|
|
|
|
|
int rc;
|
|
|
|
|
|
|
|
|
|
rc = ldap_get_option(ldap, LDAP_OPT_DIAGNOSTIC_MESSAGE, &message);
|
|
|
|
|
if (rc == LDAP_SUCCESS && message != NULL)
|
|
|
|
|
{
|
|
|
|
|
errdetail("LDAP diagnostics: %s", message);
|
|
|
|
|
ldap_memfree(message);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
Phase 2 of pgindent updates.
Change pg_bsd_indent to follow upstream rules for placement of comments
to the right of code, and remove pgindent hack that caused comments
following #endif to not obey the general rule.
Commit e3860ffa4dd0dad0dd9eea4be9cc1412373a8c89 wasn't actually using
the published version of pg_bsd_indent, but a hacked-up version that
tried to minimize the amount of movement of comments to the right of
code. The situation of interest is where such a comment has to be
moved to the right of its default placement at column 33 because there's
code there. BSD indent has always moved right in units of tab stops
in such cases --- but in the previous incarnation, indent was working
in 8-space tab stops, while now it knows we use 4-space tabs. So the
net result is that in about half the cases, such comments are placed
one tab stop left of before. This is better all around: it leaves
more room on the line for comment text, and it means that in such
cases the comment uniformly starts at the next 4-space tab stop after
the code, rather than sometimes one and sometimes two tabs after.
Also, ensure that comments following #endif are indented the same
as comments following other preprocessor commands such as #else.
That inconsistency turns out to have been self-inflicted damage
from a poorly-thought-through post-indent "fixup" in pgindent.
This patch is much less interesting than the first round of indent
changes, but also bulkier, so I thought it best to separate the effects.
Discussion: https://postgr.es/m/E1dAmxK-0006EE-1r@gemulon.postgresql.org
Discussion: https://postgr.es/m/30527.1495162840@sss.pgh.pa.us
2017-06-21 21:18:54 +02:00
|
|
|
#endif /* USE_LDAP */
|
2006-03-06 18:41:44 +01:00
|
|
|
|
2008-11-20 12:48:26 +01:00
|
|
|
|
|
|
|
|
/*----------------------------------------------------------------
|
|
|
|
|
* SSL client certificate authentication
|
|
|
|
|
*----------------------------------------------------------------
|
|
|
|
|
*/
|
|
|
|
|
#ifdef USE_SSL
|
|
|
|
|
static int
|
|
|
|
|
CheckCertAuth(Port *port)
|
|
|
|
|
{
|
2019-03-09 21:09:10 +01:00
|
|
|
int status_check_usermap = STATUS_ERROR;
|
|
|
|
|
|
2008-11-20 12:48:26 +01:00
|
|
|
Assert(port->ssl);
|
|
|
|
|
|
|
|
|
|
/* Make sure we have received a username in the certificate */
|
|
|
|
|
if (port->peer_cn == NULL ||
|
|
|
|
|
strlen(port->peer_cn) <= 0)
|
|
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
2010-06-29 06:12:47 +02:00
|
|
|
(errmsg("certificate authentication failed for user \"%s\": client certificate contains no user name",
|
2008-11-20 12:48:26 +01:00
|
|
|
port->user_name)));
|
|
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
|
2019-03-09 21:09:10 +01:00
|
|
|
/* Just pass the certificate cn to the usermap check */
|
|
|
|
|
status_check_usermap = check_usermap(port->hba->usermap, port->user_name, port->peer_cn, false);
|
|
|
|
|
if (status_check_usermap != STATUS_OK)
|
|
|
|
|
{
|
|
|
|
|
/*
|
|
|
|
|
* If clientcert=verify-full was specified and the authentication
|
|
|
|
|
* method is other than uaCert, log the reason for rejecting the
|
|
|
|
|
* authentication.
|
|
|
|
|
*/
|
|
|
|
|
if (port->hba->clientcert == clientCertFull && port->hba->auth_method != uaCert)
|
|
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
2019-09-23 13:37:33 +02:00
|
|
|
(errmsg("certificate validation (clientcert=verify-full) failed for user \"%s\": CN mismatch",
|
2019-03-09 21:09:10 +01:00
|
|
|
port->user_name)));
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return status_check_usermap;
|
2008-11-20 12:48:26 +01:00
|
|
|
}
|
|
|
|
|
#endif
|
2010-01-27 13:12:00 +01:00
|
|
|
|
|
|
|
|
|
|
|
|
|
/*----------------------------------------------------------------
|
|
|
|
|
* RADIUS authentication
|
|
|
|
|
*----------------------------------------------------------------
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
/*
|
2017-03-26 23:35:35 +02:00
|
|
|
* RADIUS authentication is described in RFC2865 (and several others).
|
2010-01-27 13:12:00 +01:00
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#define RADIUS_VECTOR_LENGTH 16
|
|
|
|
|
#define RADIUS_HEADER_LENGTH 20
|
2015-09-06 14:26:33 +02:00
|
|
|
#define RADIUS_MAX_PASSWORD_LENGTH 128
|
2010-01-27 13:12:00 +01:00
|
|
|
|
2017-03-26 23:35:35 +02:00
|
|
|
/* Maximum size of a RADIUS packet we will create or accept */
|
|
|
|
|
#define RADIUS_BUFFER_SIZE 1024
|
|
|
|
|
|
2010-01-27 13:12:00 +01:00
|
|
|
typedef struct
|
|
|
|
|
{
|
2010-02-26 03:01:40 +01:00
|
|
|
uint8 attribute;
|
|
|
|
|
uint8 length;
|
2015-02-21 22:12:14 +01:00
|
|
|
uint8 data[FLEXIBLE_ARRAY_MEMBER];
|
2010-01-27 13:12:00 +01:00
|
|
|
} radius_attribute;
|
|
|
|
|
|
|
|
|
|
typedef struct
|
|
|
|
|
{
|
2010-02-26 03:01:40 +01:00
|
|
|
uint8 code;
|
|
|
|
|
uint8 id;
|
|
|
|
|
uint16 length;
|
|
|
|
|
uint8 vector[RADIUS_VECTOR_LENGTH];
|
2017-03-26 23:35:35 +02:00
|
|
|
/* this is a bit longer than strictly necessary: */
|
|
|
|
|
char pad[RADIUS_BUFFER_SIZE - RADIUS_VECTOR_LENGTH];
|
2010-01-27 13:12:00 +01:00
|
|
|
} radius_packet;
|
|
|
|
|
|
|
|
|
|
/* RADIUS packet types */
|
|
|
|
|
#define RADIUS_ACCESS_REQUEST 1
|
|
|
|
|
#define RADIUS_ACCESS_ACCEPT 2
|
|
|
|
|
#define RADIUS_ACCESS_REJECT 3
|
|
|
|
|
|
2017-10-19 13:57:20 +02:00
|
|
|
/* RADIUS attributes */
|
2010-01-27 13:12:00 +01:00
|
|
|
#define RADIUS_USER_NAME 1
|
|
|
|
|
#define RADIUS_PASSWORD 2
|
|
|
|
|
#define RADIUS_SERVICE_TYPE 6
|
|
|
|
|
#define RADIUS_NAS_IDENTIFIER 32
|
|
|
|
|
|
|
|
|
|
/* RADIUS service types */
|
|
|
|
|
#define RADIUS_AUTHENTICATE_ONLY 8
|
|
|
|
|
|
|
|
|
|
/* Seconds to wait - XXX: should be in a config variable! */
|
|
|
|
|
#define RADIUS_TIMEOUT 3
|
|
|
|
|
|
|
|
|
|
static void
|
|
|
|
|
radius_add_attribute(radius_packet *packet, uint8 type, const unsigned char *data, int len)
|
|
|
|
|
{
|
2010-02-26 03:01:40 +01:00
|
|
|
radius_attribute *attr;
|
2010-01-27 13:12:00 +01:00
|
|
|
|
|
|
|
|
if (packet->length + len > RADIUS_BUFFER_SIZE)
|
|
|
|
|
{
|
|
|
|
|
/*
|
2010-02-26 03:01:40 +01:00
|
|
|
* With remotely realistic data, this can never happen. But catch it
|
|
|
|
|
* just to make sure we don't overrun a buffer. We'll just skip adding
|
|
|
|
|
* the broken attribute, which will in the end cause authentication to
|
|
|
|
|
* fail.
|
2010-01-27 13:12:00 +01:00
|
|
|
*/
|
|
|
|
|
elog(WARNING,
|
2019-11-05 20:29:08 +01:00
|
|
|
"adding attribute code %d with length %d to radius packet would create oversize packet, ignoring",
|
2010-01-27 13:12:00 +01:00
|
|
|
type, len);
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
2010-02-26 03:01:40 +01:00
|
|
|
attr = (radius_attribute *) ((unsigned char *) packet + packet->length);
|
2010-01-27 13:12:00 +01:00
|
|
|
attr->attribute = type;
|
2010-02-26 03:01:40 +01:00
|
|
|
attr->length = len + 2; /* total size includes type and length */
|
2010-01-27 13:12:00 +01:00
|
|
|
memcpy(attr->data, data, len);
|
|
|
|
|
packet->length += attr->length;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int
|
|
|
|
|
CheckRADIUSAuth(Port *port)
|
|
|
|
|
{
|
2010-02-26 03:01:40 +01:00
|
|
|
char *passwd;
|
2017-03-22 17:55:16 +01:00
|
|
|
ListCell *server,
|
|
|
|
|
*secrets,
|
|
|
|
|
*radiusports,
|
|
|
|
|
*identifiers;
|
|
|
|
|
|
|
|
|
|
/* Make sure struct alignment is correct */
|
|
|
|
|
Assert(offsetof(radius_packet, vector) == 4);
|
|
|
|
|
|
|
|
|
|
/* Verify parameters */
|
|
|
|
|
if (list_length(port->hba->radiusservers) < 1)
|
|
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
|
|
|
|
(errmsg("RADIUS server not specified")));
|
|
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (list_length(port->hba->radiussecrets) < 1)
|
|
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
|
|
|
|
(errmsg("RADIUS secret not specified")));
|
|
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Send regular password request to client, and get the response */
|
|
|
|
|
sendAuthRequest(port, AUTH_REQ_PASSWORD, NULL, 0);
|
|
|
|
|
|
|
|
|
|
passwd = recv_password_packet(port);
|
|
|
|
|
if (passwd == NULL)
|
|
|
|
|
return STATUS_EOF; /* client wouldn't send password */
|
|
|
|
|
|
|
|
|
|
if (strlen(passwd) > RADIUS_MAX_PASSWORD_LENGTH)
|
|
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
|
|
|
|
(errmsg("RADIUS authentication does not support passwords longer than %d characters", RADIUS_MAX_PASSWORD_LENGTH)));
|
Don't allow logging in with empty password.
Some authentication methods allowed it, others did not. In the client-side,
libpq does not even try to authenticate with an empty password, which makes
using empty passwords hazardous: an administrator might think that an
account with an empty password cannot be used to log in, because psql
doesn't allow it, and not realize that a different client would in fact
allow it. To clear that confusion and to be be consistent, disallow empty
passwords in all authentication methods.
All the authentication methods that used plaintext authentication over the
wire, except for BSD authentication, already checked that the password
received from the user was not empty. To avoid forgetting it in the future
again, move the check to the recv_password_packet function. That only
forbids using an empty password with plaintext authentication, however.
MD5 and SCRAM need a different fix:
* In stable branches, check that the MD5 hash stored for the user does not
not correspond to an empty string. This adds some overhead to MD5
authentication, because the server needs to compute an extra MD5 hash, but
it is not noticeable in practice.
* In HEAD, modify CREATE and ALTER ROLE to clear the password if an empty
string, or a password hash that corresponds to an empty string, is
specified. The user-visible behavior is the same as in the stable branches,
the user cannot log in, but it seems better to stop the empty password from
entering the system in the first place. Secondly, it is fairly expensive to
check that a SCRAM hash doesn't correspond to an empty string, because
computing a SCRAM hash is much more expensive than an MD5 hash by design,
so better avoid doing that on every authentication.
We could clear the password on CREATE/ALTER ROLE also in stable branches,
but we would still need to check at authentication time, because even if we
prevent empty passwords from being stored in pg_authid, there might be
existing ones there already.
Reported by Jeroen van der Ham, Ben de Graaff and Jelte Fennema.
Security: CVE-2017-7546
2017-08-07 16:03:42 +02:00
|
|
|
pfree(passwd);
|
2017-03-22 17:55:16 +01:00
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Loop over and try each server in order.
|
|
|
|
|
*/
|
|
|
|
|
secrets = list_head(port->hba->radiussecrets);
|
|
|
|
|
radiusports = list_head(port->hba->radiusports);
|
|
|
|
|
identifiers = list_head(port->hba->radiusidentifiers);
|
|
|
|
|
foreach(server, port->hba->radiusservers)
|
|
|
|
|
{
|
|
|
|
|
int ret = PerformRadiusTransaction(lfirst(server),
|
|
|
|
|
lfirst(secrets),
|
Phase 3 of pgindent updates.
Don't move parenthesized lines to the left, even if that means they
flow past the right margin.
By default, BSD indent lines up statement continuation lines that are
within parentheses so that they start just to the right of the preceding
left parenthesis. However, traditionally, if that resulted in the
continuation line extending to the right of the desired right margin,
then indent would push it left just far enough to not overrun the margin,
if it could do so without making the continuation line start to the left of
the current statement indent. That makes for a weird mix of indentations
unless one has been completely rigid about never violating the 80-column
limit.
This behavior has been pretty universally panned by Postgres developers.
Hence, disable it with indent's new -lpl switch, so that parenthesized
lines are always lined up with the preceding left paren.
This patch is much less interesting than the first round of indent
changes, but also bulkier, so I thought it best to separate the effects.
Discussion: https://postgr.es/m/E1dAmxK-0006EE-1r@gemulon.postgresql.org
Discussion: https://postgr.es/m/30527.1495162840@sss.pgh.pa.us
2017-06-21 21:35:54 +02:00
|
|
|
radiusports ? lfirst(radiusports) : NULL,
|
|
|
|
|
identifiers ? lfirst(identifiers) : NULL,
|
2017-03-22 17:55:16 +01:00
|
|
|
port->user_name,
|
|
|
|
|
passwd);
|
|
|
|
|
|
|
|
|
|
/*------
|
|
|
|
|
* STATUS_OK = Login OK
|
|
|
|
|
* STATUS_ERROR = Login not OK, but try next server
|
|
|
|
|
* STATUS_EOF = Login not OK, and don't try next server
|
|
|
|
|
*------
|
|
|
|
|
*/
|
|
|
|
|
if (ret == STATUS_OK)
|
Don't allow logging in with empty password.
Some authentication methods allowed it, others did not. In the client-side,
libpq does not even try to authenticate with an empty password, which makes
using empty passwords hazardous: an administrator might think that an
account with an empty password cannot be used to log in, because psql
doesn't allow it, and not realize that a different client would in fact
allow it. To clear that confusion and to be be consistent, disallow empty
passwords in all authentication methods.
All the authentication methods that used plaintext authentication over the
wire, except for BSD authentication, already checked that the password
received from the user was not empty. To avoid forgetting it in the future
again, move the check to the recv_password_packet function. That only
forbids using an empty password with plaintext authentication, however.
MD5 and SCRAM need a different fix:
* In stable branches, check that the MD5 hash stored for the user does not
not correspond to an empty string. This adds some overhead to MD5
authentication, because the server needs to compute an extra MD5 hash, but
it is not noticeable in practice.
* In HEAD, modify CREATE and ALTER ROLE to clear the password if an empty
string, or a password hash that corresponds to an empty string, is
specified. The user-visible behavior is the same as in the stable branches,
the user cannot log in, but it seems better to stop the empty password from
entering the system in the first place. Secondly, it is fairly expensive to
check that a SCRAM hash doesn't correspond to an empty string, because
computing a SCRAM hash is much more expensive than an MD5 hash by design,
so better avoid doing that on every authentication.
We could clear the password on CREATE/ALTER ROLE also in stable branches,
but we would still need to check at authentication time, because even if we
prevent empty passwords from being stored in pg_authid, there might be
existing ones there already.
Reported by Jeroen van der Ham, Ben de Graaff and Jelte Fennema.
Security: CVE-2017-7546
2017-08-07 16:03:42 +02:00
|
|
|
{
|
|
|
|
|
pfree(passwd);
|
2017-03-22 17:55:16 +01:00
|
|
|
return STATUS_OK;
|
Don't allow logging in with empty password.
Some authentication methods allowed it, others did not. In the client-side,
libpq does not even try to authenticate with an empty password, which makes
using empty passwords hazardous: an administrator might think that an
account with an empty password cannot be used to log in, because psql
doesn't allow it, and not realize that a different client would in fact
allow it. To clear that confusion and to be be consistent, disallow empty
passwords in all authentication methods.
All the authentication methods that used plaintext authentication over the
wire, except for BSD authentication, already checked that the password
received from the user was not empty. To avoid forgetting it in the future
again, move the check to the recv_password_packet function. That only
forbids using an empty password with plaintext authentication, however.
MD5 and SCRAM need a different fix:
* In stable branches, check that the MD5 hash stored for the user does not
not correspond to an empty string. This adds some overhead to MD5
authentication, because the server needs to compute an extra MD5 hash, but
it is not noticeable in practice.
* In HEAD, modify CREATE and ALTER ROLE to clear the password if an empty
string, or a password hash that corresponds to an empty string, is
specified. The user-visible behavior is the same as in the stable branches,
the user cannot log in, but it seems better to stop the empty password from
entering the system in the first place. Secondly, it is fairly expensive to
check that a SCRAM hash doesn't correspond to an empty string, because
computing a SCRAM hash is much more expensive than an MD5 hash by design,
so better avoid doing that on every authentication.
We could clear the password on CREATE/ALTER ROLE also in stable branches,
but we would still need to check at authentication time, because even if we
prevent empty passwords from being stored in pg_authid, there might be
existing ones there already.
Reported by Jeroen van der Ham, Ben de Graaff and Jelte Fennema.
Security: CVE-2017-7546
2017-08-07 16:03:42 +02:00
|
|
|
}
|
2017-03-22 17:55:16 +01:00
|
|
|
else if (ret == STATUS_EOF)
|
Don't allow logging in with empty password.
Some authentication methods allowed it, others did not. In the client-side,
libpq does not even try to authenticate with an empty password, which makes
using empty passwords hazardous: an administrator might think that an
account with an empty password cannot be used to log in, because psql
doesn't allow it, and not realize that a different client would in fact
allow it. To clear that confusion and to be be consistent, disallow empty
passwords in all authentication methods.
All the authentication methods that used plaintext authentication over the
wire, except for BSD authentication, already checked that the password
received from the user was not empty. To avoid forgetting it in the future
again, move the check to the recv_password_packet function. That only
forbids using an empty password with plaintext authentication, however.
MD5 and SCRAM need a different fix:
* In stable branches, check that the MD5 hash stored for the user does not
not correspond to an empty string. This adds some overhead to MD5
authentication, because the server needs to compute an extra MD5 hash, but
it is not noticeable in practice.
* In HEAD, modify CREATE and ALTER ROLE to clear the password if an empty
string, or a password hash that corresponds to an empty string, is
specified. The user-visible behavior is the same as in the stable branches,
the user cannot log in, but it seems better to stop the empty password from
entering the system in the first place. Secondly, it is fairly expensive to
check that a SCRAM hash doesn't correspond to an empty string, because
computing a SCRAM hash is much more expensive than an MD5 hash by design,
so better avoid doing that on every authentication.
We could clear the password on CREATE/ALTER ROLE also in stable branches,
but we would still need to check at authentication time, because even if we
prevent empty passwords from being stored in pg_authid, there might be
existing ones there already.
Reported by Jeroen van der Ham, Ben de Graaff and Jelte Fennema.
Security: CVE-2017-7546
2017-08-07 16:03:42 +02:00
|
|
|
{
|
|
|
|
|
pfree(passwd);
|
2017-03-22 17:55:16 +01:00
|
|
|
return STATUS_ERROR;
|
Don't allow logging in with empty password.
Some authentication methods allowed it, others did not. In the client-side,
libpq does not even try to authenticate with an empty password, which makes
using empty passwords hazardous: an administrator might think that an
account with an empty password cannot be used to log in, because psql
doesn't allow it, and not realize that a different client would in fact
allow it. To clear that confusion and to be be consistent, disallow empty
passwords in all authentication methods.
All the authentication methods that used plaintext authentication over the
wire, except for BSD authentication, already checked that the password
received from the user was not empty. To avoid forgetting it in the future
again, move the check to the recv_password_packet function. That only
forbids using an empty password with plaintext authentication, however.
MD5 and SCRAM need a different fix:
* In stable branches, check that the MD5 hash stored for the user does not
not correspond to an empty string. This adds some overhead to MD5
authentication, because the server needs to compute an extra MD5 hash, but
it is not noticeable in practice.
* In HEAD, modify CREATE and ALTER ROLE to clear the password if an empty
string, or a password hash that corresponds to an empty string, is
specified. The user-visible behavior is the same as in the stable branches,
the user cannot log in, but it seems better to stop the empty password from
entering the system in the first place. Secondly, it is fairly expensive to
check that a SCRAM hash doesn't correspond to an empty string, because
computing a SCRAM hash is much more expensive than an MD5 hash by design,
so better avoid doing that on every authentication.
We could clear the password on CREATE/ALTER ROLE also in stable branches,
but we would still need to check at authentication time, because even if we
prevent empty passwords from being stored in pg_authid, there might be
existing ones there already.
Reported by Jeroen van der Ham, Ben de Graaff and Jelte Fennema.
Security: CVE-2017-7546
2017-08-07 16:03:42 +02:00
|
|
|
}
|
2017-03-22 17:55:16 +01:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* secret, port and identifiers either have length 0 (use default),
|
|
|
|
|
* length 1 (use the same everywhere) or the same length as servers.
|
|
|
|
|
* So if the length is >1, we advance one step. In other cases, we
|
|
|
|
|
* don't and will then reuse the correct value.
|
|
|
|
|
*/
|
|
|
|
|
if (list_length(port->hba->radiussecrets) > 1)
|
Represent Lists as expansible arrays, not chains of cons-cells.
Originally, Postgres Lists were a more or less exact reimplementation of
Lisp lists, which consist of chains of separately-allocated cons cells,
each having a value and a next-cell link. We'd hacked that once before
(commit d0b4399d8) to add a separate List header, but the data was still
in cons cells. That makes some operations -- notably list_nth() -- O(N),
and it's bulky because of the next-cell pointers and per-cell palloc
overhead, and it's very cache-unfriendly if the cons cells end up
scattered around rather than being adjacent.
In this rewrite, we still have List headers, but the data is in a
resizable array of values, with no next-cell links. Now we need at
most two palloc's per List, and often only one, since we can allocate
some values in the same palloc call as the List header. (Of course,
extending an existing List may require repalloc's to enlarge the array.
But this involves just O(log N) allocations not O(N).)
Of course this is not without downsides. The key difficulty is that
addition or deletion of a list entry may now cause other entries to
move, which it did not before.
For example, that breaks foreach() and sister macros, which historically
used a pointer to the current cons-cell as loop state. We can repair
those macros transparently by making their actual loop state be an
integer list index; the exposed "ListCell *" pointer is no longer state
carried across loop iterations, but is just a derived value. (In
practice, modern compilers can optimize things back to having just one
loop state value, at least for simple cases with inline loop bodies.)
In principle, this is a semantics change for cases where the loop body
inserts or deletes list entries ahead of the current loop index; but
I found no such cases in the Postgres code.
The change is not at all transparent for code that doesn't use foreach()
but chases lists "by hand" using lnext(). The largest share of such
code in the backend is in loops that were maintaining "prev" and "next"
variables in addition to the current-cell pointer, in order to delete
list cells efficiently using list_delete_cell(). However, we no longer
need a previous-cell pointer to delete a list cell efficiently. Keeping
a next-cell pointer doesn't work, as explained above, but we can improve
matters by changing such code to use a regular foreach() loop and then
using the new macro foreach_delete_current() to delete the current cell.
(This macro knows how to update the associated foreach loop's state so
that no cells will be missed in the traversal.)
There remains a nontrivial risk of code assuming that a ListCell *
pointer will remain good over an operation that could now move the list
contents. To help catch such errors, list.c can be compiled with a new
define symbol DEBUG_LIST_MEMORY_USAGE that forcibly moves list contents
whenever that could possibly happen. This makes list operations
significantly more expensive so it's not normally turned on (though it
is on by default if USE_VALGRIND is on).
There are two notable API differences from the previous code:
* lnext() now requires the List's header pointer in addition to the
current cell's address.
* list_delete_cell() no longer requires a previous-cell argument.
These changes are somewhat unfortunate, but on the other hand code using
either function needs inspection to see if it is assuming anything
it shouldn't, so it's not all bad.
Programmers should be aware of these significant performance changes:
* list_nth() and related functions are now O(1); so there's no
major access-speed difference between a list and an array.
* Inserting or deleting a list element now takes time proportional to
the distance to the end of the list, due to moving the array elements.
(However, it typically *doesn't* require palloc or pfree, so except in
long lists it's probably still faster than before.) Notably, lcons()
used to be about the same cost as lappend(), but that's no longer true
if the list is long. Code that uses lcons() and list_delete_first()
to maintain a stack might usefully be rewritten to push and pop at the
end of the list rather than the beginning.
* There are now list_insert_nth...() and list_delete_nth...() functions
that add or remove a list cell identified by index. These have the
data-movement penalty explained above, but there's no search penalty.
* list_concat() and variants now copy the second list's data into
storage belonging to the first list, so there is no longer any
sharing of cells between the input lists. The second argument is
now declared "const List *" to reflect that it isn't changed.
This patch just does the minimum needed to get the new implementation
in place and fix bugs exposed by the regression tests. As suggested
by the foregoing, there's a fair amount of followup work remaining to
do.
Also, the ENABLE_LIST_COMPAT macros are finally removed in this
commit. Code using those should have been gone a dozen years ago.
Patch by me; thanks to David Rowley, Jesper Pedersen, and others
for review.
Discussion: https://postgr.es/m/11587.1550975080@sss.pgh.pa.us
2019-07-15 19:41:58 +02:00
|
|
|
secrets = lnext(port->hba->radiussecrets, secrets);
|
2017-03-22 17:55:16 +01:00
|
|
|
if (list_length(port->hba->radiusports) > 1)
|
Represent Lists as expansible arrays, not chains of cons-cells.
Originally, Postgres Lists were a more or less exact reimplementation of
Lisp lists, which consist of chains of separately-allocated cons cells,
each having a value and a next-cell link. We'd hacked that once before
(commit d0b4399d8) to add a separate List header, but the data was still
in cons cells. That makes some operations -- notably list_nth() -- O(N),
and it's bulky because of the next-cell pointers and per-cell palloc
overhead, and it's very cache-unfriendly if the cons cells end up
scattered around rather than being adjacent.
In this rewrite, we still have List headers, but the data is in a
resizable array of values, with no next-cell links. Now we need at
most two palloc's per List, and often only one, since we can allocate
some values in the same palloc call as the List header. (Of course,
extending an existing List may require repalloc's to enlarge the array.
But this involves just O(log N) allocations not O(N).)
Of course this is not without downsides. The key difficulty is that
addition or deletion of a list entry may now cause other entries to
move, which it did not before.
For example, that breaks foreach() and sister macros, which historically
used a pointer to the current cons-cell as loop state. We can repair
those macros transparently by making their actual loop state be an
integer list index; the exposed "ListCell *" pointer is no longer state
carried across loop iterations, but is just a derived value. (In
practice, modern compilers can optimize things back to having just one
loop state value, at least for simple cases with inline loop bodies.)
In principle, this is a semantics change for cases where the loop body
inserts or deletes list entries ahead of the current loop index; but
I found no such cases in the Postgres code.
The change is not at all transparent for code that doesn't use foreach()
but chases lists "by hand" using lnext(). The largest share of such
code in the backend is in loops that were maintaining "prev" and "next"
variables in addition to the current-cell pointer, in order to delete
list cells efficiently using list_delete_cell(). However, we no longer
need a previous-cell pointer to delete a list cell efficiently. Keeping
a next-cell pointer doesn't work, as explained above, but we can improve
matters by changing such code to use a regular foreach() loop and then
using the new macro foreach_delete_current() to delete the current cell.
(This macro knows how to update the associated foreach loop's state so
that no cells will be missed in the traversal.)
There remains a nontrivial risk of code assuming that a ListCell *
pointer will remain good over an operation that could now move the list
contents. To help catch such errors, list.c can be compiled with a new
define symbol DEBUG_LIST_MEMORY_USAGE that forcibly moves list contents
whenever that could possibly happen. This makes list operations
significantly more expensive so it's not normally turned on (though it
is on by default if USE_VALGRIND is on).
There are two notable API differences from the previous code:
* lnext() now requires the List's header pointer in addition to the
current cell's address.
* list_delete_cell() no longer requires a previous-cell argument.
These changes are somewhat unfortunate, but on the other hand code using
either function needs inspection to see if it is assuming anything
it shouldn't, so it's not all bad.
Programmers should be aware of these significant performance changes:
* list_nth() and related functions are now O(1); so there's no
major access-speed difference between a list and an array.
* Inserting or deleting a list element now takes time proportional to
the distance to the end of the list, due to moving the array elements.
(However, it typically *doesn't* require palloc or pfree, so except in
long lists it's probably still faster than before.) Notably, lcons()
used to be about the same cost as lappend(), but that's no longer true
if the list is long. Code that uses lcons() and list_delete_first()
to maintain a stack might usefully be rewritten to push and pop at the
end of the list rather than the beginning.
* There are now list_insert_nth...() and list_delete_nth...() functions
that add or remove a list cell identified by index. These have the
data-movement penalty explained above, but there's no search penalty.
* list_concat() and variants now copy the second list's data into
storage belonging to the first list, so there is no longer any
sharing of cells between the input lists. The second argument is
now declared "const List *" to reflect that it isn't changed.
This patch just does the minimum needed to get the new implementation
in place and fix bugs exposed by the regression tests. As suggested
by the foregoing, there's a fair amount of followup work remaining to
do.
Also, the ENABLE_LIST_COMPAT macros are finally removed in this
commit. Code using those should have been gone a dozen years ago.
Patch by me; thanks to David Rowley, Jesper Pedersen, and others
for review.
Discussion: https://postgr.es/m/11587.1550975080@sss.pgh.pa.us
2019-07-15 19:41:58 +02:00
|
|
|
radiusports = lnext(port->hba->radiusports, radiusports);
|
2017-03-22 17:55:16 +01:00
|
|
|
if (list_length(port->hba->radiusidentifiers) > 1)
|
Represent Lists as expansible arrays, not chains of cons-cells.
Originally, Postgres Lists were a more or less exact reimplementation of
Lisp lists, which consist of chains of separately-allocated cons cells,
each having a value and a next-cell link. We'd hacked that once before
(commit d0b4399d8) to add a separate List header, but the data was still
in cons cells. That makes some operations -- notably list_nth() -- O(N),
and it's bulky because of the next-cell pointers and per-cell palloc
overhead, and it's very cache-unfriendly if the cons cells end up
scattered around rather than being adjacent.
In this rewrite, we still have List headers, but the data is in a
resizable array of values, with no next-cell links. Now we need at
most two palloc's per List, and often only one, since we can allocate
some values in the same palloc call as the List header. (Of course,
extending an existing List may require repalloc's to enlarge the array.
But this involves just O(log N) allocations not O(N).)
Of course this is not without downsides. The key difficulty is that
addition or deletion of a list entry may now cause other entries to
move, which it did not before.
For example, that breaks foreach() and sister macros, which historically
used a pointer to the current cons-cell as loop state. We can repair
those macros transparently by making their actual loop state be an
integer list index; the exposed "ListCell *" pointer is no longer state
carried across loop iterations, but is just a derived value. (In
practice, modern compilers can optimize things back to having just one
loop state value, at least for simple cases with inline loop bodies.)
In principle, this is a semantics change for cases where the loop body
inserts or deletes list entries ahead of the current loop index; but
I found no such cases in the Postgres code.
The change is not at all transparent for code that doesn't use foreach()
but chases lists "by hand" using lnext(). The largest share of such
code in the backend is in loops that were maintaining "prev" and "next"
variables in addition to the current-cell pointer, in order to delete
list cells efficiently using list_delete_cell(). However, we no longer
need a previous-cell pointer to delete a list cell efficiently. Keeping
a next-cell pointer doesn't work, as explained above, but we can improve
matters by changing such code to use a regular foreach() loop and then
using the new macro foreach_delete_current() to delete the current cell.
(This macro knows how to update the associated foreach loop's state so
that no cells will be missed in the traversal.)
There remains a nontrivial risk of code assuming that a ListCell *
pointer will remain good over an operation that could now move the list
contents. To help catch such errors, list.c can be compiled with a new
define symbol DEBUG_LIST_MEMORY_USAGE that forcibly moves list contents
whenever that could possibly happen. This makes list operations
significantly more expensive so it's not normally turned on (though it
is on by default if USE_VALGRIND is on).
There are two notable API differences from the previous code:
* lnext() now requires the List's header pointer in addition to the
current cell's address.
* list_delete_cell() no longer requires a previous-cell argument.
These changes are somewhat unfortunate, but on the other hand code using
either function needs inspection to see if it is assuming anything
it shouldn't, so it's not all bad.
Programmers should be aware of these significant performance changes:
* list_nth() and related functions are now O(1); so there's no
major access-speed difference between a list and an array.
* Inserting or deleting a list element now takes time proportional to
the distance to the end of the list, due to moving the array elements.
(However, it typically *doesn't* require palloc or pfree, so except in
long lists it's probably still faster than before.) Notably, lcons()
used to be about the same cost as lappend(), but that's no longer true
if the list is long. Code that uses lcons() and list_delete_first()
to maintain a stack might usefully be rewritten to push and pop at the
end of the list rather than the beginning.
* There are now list_insert_nth...() and list_delete_nth...() functions
that add or remove a list cell identified by index. These have the
data-movement penalty explained above, but there's no search penalty.
* list_concat() and variants now copy the second list's data into
storage belonging to the first list, so there is no longer any
sharing of cells between the input lists. The second argument is
now declared "const List *" to reflect that it isn't changed.
This patch just does the minimum needed to get the new implementation
in place and fix bugs exposed by the regression tests. As suggested
by the foregoing, there's a fair amount of followup work remaining to
do.
Also, the ENABLE_LIST_COMPAT macros are finally removed in this
commit. Code using those should have been gone a dozen years ago.
Patch by me; thanks to David Rowley, Jesper Pedersen, and others
for review.
Discussion: https://postgr.es/m/11587.1550975080@sss.pgh.pa.us
2019-07-15 19:41:58 +02:00
|
|
|
identifiers = lnext(port->hba->radiusidentifiers, identifiers);
|
2017-03-22 17:55:16 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* No servers left to try, so give up */
|
Don't allow logging in with empty password.
Some authentication methods allowed it, others did not. In the client-side,
libpq does not even try to authenticate with an empty password, which makes
using empty passwords hazardous: an administrator might think that an
account with an empty password cannot be used to log in, because psql
doesn't allow it, and not realize that a different client would in fact
allow it. To clear that confusion and to be be consistent, disallow empty
passwords in all authentication methods.
All the authentication methods that used plaintext authentication over the
wire, except for BSD authentication, already checked that the password
received from the user was not empty. To avoid forgetting it in the future
again, move the check to the recv_password_packet function. That only
forbids using an empty password with plaintext authentication, however.
MD5 and SCRAM need a different fix:
* In stable branches, check that the MD5 hash stored for the user does not
not correspond to an empty string. This adds some overhead to MD5
authentication, because the server needs to compute an extra MD5 hash, but
it is not noticeable in practice.
* In HEAD, modify CREATE and ALTER ROLE to clear the password if an empty
string, or a password hash that corresponds to an empty string, is
specified. The user-visible behavior is the same as in the stable branches,
the user cannot log in, but it seems better to stop the empty password from
entering the system in the first place. Secondly, it is fairly expensive to
check that a SCRAM hash doesn't correspond to an empty string, because
computing a SCRAM hash is much more expensive than an MD5 hash by design,
so better avoid doing that on every authentication.
We could clear the password on CREATE/ALTER ROLE also in stable branches,
but we would still need to check at authentication time, because even if we
prevent empty passwords from being stored in pg_authid, there might be
existing ones there already.
Reported by Jeroen van der Ham, Ben de Graaff and Jelte Fennema.
Security: CVE-2017-7546
2017-08-07 16:03:42 +02:00
|
|
|
pfree(passwd);
|
2017-03-22 17:55:16 +01:00
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int
|
2017-10-31 15:34:31 +01:00
|
|
|
PerformRadiusTransaction(const char *server, const char *secret, const char *portstr, const char *identifier, const char *user_name, const char *passwd)
|
2017-03-22 17:55:16 +01:00
|
|
|
{
|
2017-03-26 23:35:35 +02:00
|
|
|
radius_packet radius_send_pack;
|
|
|
|
|
radius_packet radius_recv_pack;
|
|
|
|
|
radius_packet *packet = &radius_send_pack;
|
|
|
|
|
radius_packet *receivepacket = &radius_recv_pack;
|
|
|
|
|
char *radius_buffer = (char *) &radius_send_pack;
|
|
|
|
|
char *receive_buffer = (char *) &radius_recv_pack;
|
2017-10-02 00:36:14 +02:00
|
|
|
int32 service = pg_hton32(RADIUS_AUTHENTICATE_ONLY);
|
2010-02-26 03:01:40 +01:00
|
|
|
uint8 *cryptvector;
|
2015-09-06 14:26:33 +02:00
|
|
|
int encryptedpasswordlen;
|
|
|
|
|
uint8 encryptedpassword[RADIUS_MAX_PASSWORD_LENGTH];
|
|
|
|
|
uint8 *md5trailer;
|
2010-02-26 03:01:40 +01:00
|
|
|
int packetlength;
|
|
|
|
|
pgsocket sock;
|
|
|
|
|
|
2010-02-02 20:09:37 +01:00
|
|
|
#ifdef HAVE_IPV6
|
|
|
|
|
struct sockaddr_in6 localaddr;
|
|
|
|
|
struct sockaddr_in6 remoteaddr;
|
|
|
|
|
#else
|
2010-02-26 03:01:40 +01:00
|
|
|
struct sockaddr_in localaddr;
|
|
|
|
|
struct sockaddr_in remoteaddr;
|
2010-02-02 20:09:37 +01:00
|
|
|
#endif
|
2010-02-26 03:01:40 +01:00
|
|
|
struct addrinfo hint;
|
|
|
|
|
struct addrinfo *serveraddrs;
|
2017-03-22 17:55:16 +01:00
|
|
|
int port;
|
2010-02-26 03:01:40 +01:00
|
|
|
ACCEPT_TYPE_ARG3 addrsize;
|
|
|
|
|
fd_set fdset;
|
2010-10-15 16:59:10 +02:00
|
|
|
struct timeval endtime;
|
2010-02-26 03:01:40 +01:00
|
|
|
int i,
|
2015-09-06 14:26:33 +02:00
|
|
|
j,
|
2010-02-26 03:01:40 +01:00
|
|
|
r;
|
2010-01-27 13:12:00 +01:00
|
|
|
|
2017-03-22 17:55:16 +01:00
|
|
|
/* Assign default values */
|
|
|
|
|
if (portstr == NULL)
|
|
|
|
|
portstr = "1812";
|
|
|
|
|
if (identifier == NULL)
|
|
|
|
|
identifier = "postgresql";
|
2010-01-27 13:12:00 +01:00
|
|
|
|
2010-02-02 20:09:37 +01:00
|
|
|
MemSet(&hint, 0, sizeof(hint));
|
|
|
|
|
hint.ai_socktype = SOCK_DGRAM;
|
|
|
|
|
hint.ai_family = AF_UNSPEC;
|
2017-03-22 17:55:16 +01:00
|
|
|
port = atoi(portstr);
|
2010-02-02 20:09:37 +01:00
|
|
|
|
2017-03-22 17:55:16 +01:00
|
|
|
r = pg_getaddrinfo_all(server, portstr, &hint, &serveraddrs);
|
2010-02-02 20:09:37 +01:00
|
|
|
if (r || !serveraddrs)
|
2010-01-27 13:12:00 +01:00
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
2010-02-02 20:09:37 +01:00
|
|
|
(errmsg("could not translate RADIUS server name \"%s\" to address: %s",
|
2017-03-22 17:55:16 +01:00
|
|
|
server, gai_strerror(r))));
|
2010-02-02 20:09:37 +01:00
|
|
|
if (serveraddrs)
|
|
|
|
|
pg_freeaddrinfo_all(hint.ai_family, serveraddrs);
|
2010-01-27 13:12:00 +01:00
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
2010-02-02 20:09:37 +01:00
|
|
|
/* XXX: add support for multiple returned addresses? */
|
2010-01-27 13:12:00 +01:00
|
|
|
|
|
|
|
|
/* Construct RADIUS packet */
|
|
|
|
|
packet->code = RADIUS_ACCESS_REQUEST;
|
|
|
|
|
packet->length = RADIUS_HEADER_LENGTH;
|
2019-01-01 12:05:51 +01:00
|
|
|
if (!pg_strong_random(packet->vector, RADIUS_VECTOR_LENGTH))
|
2010-01-27 13:12:00 +01:00
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
|
|
|
|
(errmsg("could not generate random encryption vector")));
|
2017-03-26 23:02:38 +02:00
|
|
|
pg_freeaddrinfo_all(hint.ai_family, serveraddrs);
|
2010-01-27 13:12:00 +01:00
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
packet->id = packet->vector[0];
|
2017-10-31 15:34:31 +01:00
|
|
|
radius_add_attribute(packet, RADIUS_SERVICE_TYPE, (const unsigned char *) &service, sizeof(service));
|
|
|
|
|
radius_add_attribute(packet, RADIUS_USER_NAME, (const unsigned char *) user_name, strlen(user_name));
|
|
|
|
|
radius_add_attribute(packet, RADIUS_NAS_IDENTIFIER, (const unsigned char *) identifier, strlen(identifier));
|
2010-01-27 13:12:00 +01:00
|
|
|
|
|
|
|
|
/*
|
2016-06-10 00:02:36 +02:00
|
|
|
* RADIUS password attributes are calculated as: e[0] = p[0] XOR
|
|
|
|
|
* MD5(secret + Request Authenticator) for the first group of 16 octets,
|
|
|
|
|
* and then: e[i] = p[i] XOR MD5(secret + e[i-1]) for the following ones
|
|
|
|
|
* (if necessary)
|
2010-01-27 13:12:00 +01:00
|
|
|
*/
|
2015-09-06 14:26:33 +02:00
|
|
|
encryptedpasswordlen = ((strlen(passwd) + RADIUS_VECTOR_LENGTH - 1) / RADIUS_VECTOR_LENGTH) * RADIUS_VECTOR_LENGTH;
|
2017-03-22 17:55:16 +01:00
|
|
|
cryptvector = palloc(strlen(secret) + RADIUS_VECTOR_LENGTH);
|
|
|
|
|
memcpy(cryptvector, secret, strlen(secret));
|
2015-09-06 14:26:33 +02:00
|
|
|
|
|
|
|
|
/* for the first iteration, we use the Request Authenticator vector */
|
|
|
|
|
md5trailer = packet->vector;
|
|
|
|
|
for (i = 0; i < encryptedpasswordlen; i += RADIUS_VECTOR_LENGTH)
|
2010-01-27 13:12:00 +01:00
|
|
|
{
|
2017-03-22 17:55:16 +01:00
|
|
|
memcpy(cryptvector + strlen(secret), md5trailer, RADIUS_VECTOR_LENGTH);
|
2016-06-10 00:02:36 +02:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* .. and for subsequent iterations the result of the previous XOR
|
|
|
|
|
* (calculated below)
|
|
|
|
|
*/
|
2015-09-06 14:26:33 +02:00
|
|
|
md5trailer = encryptedpassword + i;
|
|
|
|
|
|
2017-03-22 17:55:16 +01:00
|
|
|
if (!pg_md5_binary(cryptvector, strlen(secret) + RADIUS_VECTOR_LENGTH, encryptedpassword + i))
|
2015-09-06 14:26:33 +02:00
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
|
|
|
|
(errmsg("could not perform MD5 encryption of password")));
|
|
|
|
|
pfree(cryptvector);
|
2017-03-26 23:02:38 +02:00
|
|
|
pg_freeaddrinfo_all(hint.ai_family, serveraddrs);
|
2015-09-06 14:26:33 +02:00
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
|
2016-06-10 00:02:36 +02:00
|
|
|
for (j = i; j < i + RADIUS_VECTOR_LENGTH; j++)
|
2015-09-06 14:26:33 +02:00
|
|
|
{
|
|
|
|
|
if (j < strlen(passwd))
|
|
|
|
|
encryptedpassword[j] = passwd[j] ^ encryptedpassword[j];
|
|
|
|
|
else
|
|
|
|
|
encryptedpassword[j] = '\0' ^ encryptedpassword[j];
|
|
|
|
|
}
|
2010-01-27 13:12:00 +01:00
|
|
|
}
|
|
|
|
|
pfree(cryptvector);
|
2015-09-06 14:26:33 +02:00
|
|
|
|
|
|
|
|
radius_add_attribute(packet, RADIUS_PASSWORD, encryptedpassword, encryptedpasswordlen);
|
2010-01-27 13:12:00 +01:00
|
|
|
|
2017-03-26 23:02:38 +02:00
|
|
|
/* Length needs to be in network order on the wire */
|
2010-01-27 13:12:00 +01:00
|
|
|
packetlength = packet->length;
|
2017-10-02 00:36:14 +02:00
|
|
|
packet->length = pg_hton16(packet->length);
|
2010-01-27 13:12:00 +01:00
|
|
|
|
2010-02-02 20:09:37 +01:00
|
|
|
sock = socket(serveraddrs[0].ai_family, SOCK_DGRAM, 0);
|
2014-04-16 16:45:48 +02:00
|
|
|
if (sock == PGINVALID_SOCKET)
|
2010-01-27 13:12:00 +01:00
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
|
|
|
|
(errmsg("could not create RADIUS socket: %m")));
|
2010-02-02 20:09:37 +01:00
|
|
|
pg_freeaddrinfo_all(hint.ai_family, serveraddrs);
|
2010-01-27 13:12:00 +01:00
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
memset(&localaddr, 0, sizeof(localaddr));
|
2010-02-02 20:09:37 +01:00
|
|
|
#ifdef HAVE_IPV6
|
|
|
|
|
localaddr.sin6_family = serveraddrs[0].ai_family;
|
|
|
|
|
localaddr.sin6_addr = in6addr_any;
|
|
|
|
|
if (localaddr.sin6_family == AF_INET6)
|
|
|
|
|
addrsize = sizeof(struct sockaddr_in6);
|
|
|
|
|
else
|
|
|
|
|
addrsize = sizeof(struct sockaddr_in);
|
|
|
|
|
#else
|
|
|
|
|
localaddr.sin_family = serveraddrs[0].ai_family;
|
2010-01-27 13:12:00 +01:00
|
|
|
localaddr.sin_addr.s_addr = INADDR_ANY;
|
2010-02-02 20:09:37 +01:00
|
|
|
addrsize = sizeof(struct sockaddr_in);
|
|
|
|
|
#endif
|
2017-03-26 23:02:38 +02:00
|
|
|
|
2017-06-21 20:39:04 +02:00
|
|
|
if (bind(sock, (struct sockaddr *) &localaddr, addrsize))
|
2010-01-27 13:12:00 +01:00
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
|
|
|
|
(errmsg("could not bind local RADIUS socket: %m")));
|
|
|
|
|
closesocket(sock);
|
2010-02-02 20:09:37 +01:00
|
|
|
pg_freeaddrinfo_all(hint.ai_family, serveraddrs);
|
2010-01-27 13:12:00 +01:00
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (sendto(sock, radius_buffer, packetlength, 0,
|
2010-02-02 20:09:37 +01:00
|
|
|
serveraddrs[0].ai_addr, serveraddrs[0].ai_addrlen) < 0)
|
2010-01-27 13:12:00 +01:00
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
|
|
|
|
(errmsg("could not send RADIUS packet: %m")));
|
|
|
|
|
closesocket(sock);
|
2010-02-02 20:09:37 +01:00
|
|
|
pg_freeaddrinfo_all(hint.ai_family, serveraddrs);
|
2010-01-27 13:12:00 +01:00
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
|
2010-02-02 20:09:37 +01:00
|
|
|
/* Don't need the server address anymore */
|
|
|
|
|
pg_freeaddrinfo_all(hint.ai_family, serveraddrs);
|
|
|
|
|
|
2010-10-15 16:59:10 +02:00
|
|
|
/*
|
2011-04-10 17:42:00 +02:00
|
|
|
* Figure out at what time we should time out. We can't just use a single
|
|
|
|
|
* call to select() with a timeout, since somebody can be sending invalid
|
|
|
|
|
* packets to our port thus causing us to retry in a loop and never time
|
|
|
|
|
* out.
|
2015-02-03 22:54:48 +01:00
|
|
|
*
|
|
|
|
|
* XXX: Using WaitLatchOrSocket() and doing a CHECK_FOR_INTERRUPTS() if
|
|
|
|
|
* the latch was set would improve the responsiveness to
|
|
|
|
|
* timeouts/cancellations.
|
2010-10-15 16:59:10 +02:00
|
|
|
*/
|
|
|
|
|
gettimeofday(&endtime, NULL);
|
|
|
|
|
endtime.tv_sec += RADIUS_TIMEOUT;
|
2010-02-26 03:01:40 +01:00
|
|
|
|
2010-01-27 13:12:00 +01:00
|
|
|
while (true)
|
|
|
|
|
{
|
2010-10-15 16:59:10 +02:00
|
|
|
struct timeval timeout;
|
|
|
|
|
struct timeval now;
|
2011-04-10 17:42:00 +02:00
|
|
|
int64 timeoutval;
|
2010-10-15 16:59:10 +02:00
|
|
|
|
|
|
|
|
gettimeofday(&now, NULL);
|
|
|
|
|
timeoutval = (endtime.tv_sec * 1000000 + endtime.tv_usec) - (now.tv_sec * 1000000 + now.tv_usec);
|
|
|
|
|
if (timeoutval <= 0)
|
|
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
2017-03-22 17:55:16 +01:00
|
|
|
(errmsg("timeout waiting for RADIUS response from %s",
|
|
|
|
|
server)));
|
2010-10-15 16:59:10 +02:00
|
|
|
closesocket(sock);
|
|
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
timeout.tv_sec = timeoutval / 1000000;
|
|
|
|
|
timeout.tv_usec = timeoutval % 1000000;
|
|
|
|
|
|
|
|
|
|
FD_ZERO(&fdset);
|
|
|
|
|
FD_SET(sock, &fdset);
|
|
|
|
|
|
2010-01-27 13:12:00 +01:00
|
|
|
r = select(sock + 1, &fdset, NULL, NULL, &timeout);
|
|
|
|
|
if (r < 0)
|
|
|
|
|
{
|
|
|
|
|
if (errno == EINTR)
|
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
/* Anything else is an actual error */
|
|
|
|
|
ereport(LOG,
|
|
|
|
|
(errmsg("could not check status on RADIUS socket: %m")));
|
|
|
|
|
closesocket(sock);
|
|
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
if (r == 0)
|
|
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
2017-03-22 17:55:16 +01:00
|
|
|
(errmsg("timeout waiting for RADIUS response from %s",
|
|
|
|
|
server)));
|
2010-01-27 13:12:00 +01:00
|
|
|
closesocket(sock);
|
|
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
|
|
|
|
|
2010-10-15 16:59:10 +02:00
|
|
|
/*
|
|
|
|
|
* Attempt to read the response packet, and verify the contents.
|
|
|
|
|
*
|
2011-04-10 17:42:00 +02:00
|
|
|
* Any packet that's not actually a RADIUS packet, or otherwise does
|
|
|
|
|
* not validate as an explicit reject, is just ignored and we retry
|
|
|
|
|
* for another packet (until we reach the timeout). This is to avoid
|
|
|
|
|
* the possibility to denial-of-service the login by flooding the
|
|
|
|
|
* server with invalid packets on the port that we're expecting the
|
|
|
|
|
* RADIUS response on.
|
2010-10-15 16:59:10 +02:00
|
|
|
*/
|
2010-01-27 13:12:00 +01:00
|
|
|
|
2010-10-15 16:59:10 +02:00
|
|
|
addrsize = sizeof(remoteaddr);
|
|
|
|
|
packetlength = recvfrom(sock, receive_buffer, RADIUS_BUFFER_SIZE, 0,
|
2017-06-21 20:39:04 +02:00
|
|
|
(struct sockaddr *) &remoteaddr, &addrsize);
|
2010-10-15 16:59:10 +02:00
|
|
|
if (packetlength < 0)
|
|
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
|
|
|
|
(errmsg("could not read RADIUS response: %m")));
|
2017-03-26 23:02:38 +02:00
|
|
|
closesocket(sock);
|
2010-10-15 16:59:10 +02:00
|
|
|
return STATUS_ERROR;
|
|
|
|
|
}
|
2010-01-27 13:12:00 +01:00
|
|
|
|
2010-02-02 20:09:37 +01:00
|
|
|
#ifdef HAVE_IPV6
|
2017-10-02 00:36:14 +02:00
|
|
|
if (remoteaddr.sin6_port != pg_hton16(port))
|
2010-02-02 20:09:37 +01:00
|
|
|
#else
|
2017-10-02 00:36:14 +02:00
|
|
|
if (remoteaddr.sin_port != pg_hton16(port))
|
2010-02-02 20:09:37 +01:00
|
|
|
#endif
|
2010-10-15 16:59:10 +02:00
|
|
|
{
|
2010-02-02 20:09:37 +01:00
|
|
|
#ifdef HAVE_IPV6
|
2010-10-15 16:59:10 +02:00
|
|
|
ereport(LOG,
|
2017-03-22 17:55:16 +01:00
|
|
|
(errmsg("RADIUS response from %s was sent from incorrect port: %d",
|
2017-10-02 00:36:14 +02:00
|
|
|
server, pg_ntoh16(remoteaddr.sin6_port))));
|
2010-02-02 20:09:37 +01:00
|
|
|
#else
|
2010-10-15 16:59:10 +02:00
|
|
|
ereport(LOG,
|
2017-03-22 17:55:16 +01:00
|
|
|
(errmsg("RADIUS response from %s was sent from incorrect port: %d",
|
2017-10-02 00:36:14 +02:00
|
|
|
server, pg_ntoh16(remoteaddr.sin_port))));
|
2010-02-02 20:09:37 +01:00
|
|
|
#endif
|
2010-10-15 16:59:10 +02:00
|
|
|
continue;
|
|
|
|
|
}
|
2010-01-27 13:12:00 +01:00
|
|
|
|
2010-10-15 16:59:10 +02:00
|
|
|
if (packetlength < RADIUS_HEADER_LENGTH)
|
|
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
2017-03-22 17:55:16 +01:00
|
|
|
(errmsg("RADIUS response from %s too short: %d", server, packetlength)));
|
2010-10-15 16:59:10 +02:00
|
|
|
continue;
|
|
|
|
|
}
|
2010-01-27 13:12:00 +01:00
|
|
|
|
2017-10-02 00:36:14 +02:00
|
|
|
if (packetlength != pg_ntoh16(receivepacket->length))
|
2010-10-15 16:59:10 +02:00
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
2017-03-22 17:55:16 +01:00
|
|
|
(errmsg("RADIUS response from %s has corrupt length: %d (actual length %d)",
|
2017-10-02 00:36:14 +02:00
|
|
|
server, pg_ntoh16(receivepacket->length), packetlength)));
|
2010-10-15 16:59:10 +02:00
|
|
|
continue;
|
|
|
|
|
}
|
2010-01-27 13:12:00 +01:00
|
|
|
|
2010-10-15 16:59:10 +02:00
|
|
|
if (packet->id != receivepacket->id)
|
|
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
2017-03-22 17:55:16 +01:00
|
|
|
(errmsg("RADIUS response from %s is to a different request: %d (should be %d)",
|
|
|
|
|
server, receivepacket->id, packet->id)));
|
2010-10-15 16:59:10 +02:00
|
|
|
continue;
|
|
|
|
|
}
|
2010-01-27 13:12:00 +01:00
|
|
|
|
2010-10-15 16:59:10 +02:00
|
|
|
/*
|
|
|
|
|
* Verify the response authenticator, which is calculated as
|
|
|
|
|
* MD5(Code+ID+Length+RequestAuthenticator+Attributes+Secret)
|
|
|
|
|
*/
|
2017-03-22 17:55:16 +01:00
|
|
|
cryptvector = palloc(packetlength + strlen(secret));
|
2010-10-15 16:59:10 +02:00
|
|
|
|
2011-04-10 17:42:00 +02:00
|
|
|
memcpy(cryptvector, receivepacket, 4); /* code+id+length */
|
|
|
|
|
memcpy(cryptvector + 4, packet->vector, RADIUS_VECTOR_LENGTH); /* request
|
|
|
|
|
* authenticator, from
|
|
|
|
|
* original packet */
|
Phase 2 of pgindent updates.
Change pg_bsd_indent to follow upstream rules for placement of comments
to the right of code, and remove pgindent hack that caused comments
following #endif to not obey the general rule.
Commit e3860ffa4dd0dad0dd9eea4be9cc1412373a8c89 wasn't actually using
the published version of pg_bsd_indent, but a hacked-up version that
tried to minimize the amount of movement of comments to the right of
code. The situation of interest is where such a comment has to be
moved to the right of its default placement at column 33 because there's
code there. BSD indent has always moved right in units of tab stops
in such cases --- but in the previous incarnation, indent was working
in 8-space tab stops, while now it knows we use 4-space tabs. So the
net result is that in about half the cases, such comments are placed
one tab stop left of before. This is better all around: it leaves
more room on the line for comment text, and it means that in such
cases the comment uniformly starts at the next 4-space tab stop after
the code, rather than sometimes one and sometimes two tabs after.
Also, ensure that comments following #endif are indented the same
as comments following other preprocessor commands such as #else.
That inconsistency turns out to have been self-inflicted damage
from a poorly-thought-through post-indent "fixup" in pgindent.
This patch is much less interesting than the first round of indent
changes, but also bulkier, so I thought it best to separate the effects.
Discussion: https://postgr.es/m/E1dAmxK-0006EE-1r@gemulon.postgresql.org
Discussion: https://postgr.es/m/30527.1495162840@sss.pgh.pa.us
2017-06-21 21:18:54 +02:00
|
|
|
if (packetlength > RADIUS_HEADER_LENGTH) /* there may be no
|
|
|
|
|
* attributes at all */
|
2010-10-15 16:59:10 +02:00
|
|
|
memcpy(cryptvector + RADIUS_HEADER_LENGTH, receive_buffer + RADIUS_HEADER_LENGTH, packetlength - RADIUS_HEADER_LENGTH);
|
2017-03-22 17:55:16 +01:00
|
|
|
memcpy(cryptvector + packetlength, secret, strlen(secret));
|
2010-10-15 16:59:10 +02:00
|
|
|
|
|
|
|
|
if (!pg_md5_binary(cryptvector,
|
2017-03-22 17:55:16 +01:00
|
|
|
packetlength + strlen(secret),
|
2010-10-15 16:59:10 +02:00
|
|
|
encryptedpassword))
|
|
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
Phase 3 of pgindent updates.
Don't move parenthesized lines to the left, even if that means they
flow past the right margin.
By default, BSD indent lines up statement continuation lines that are
within parentheses so that they start just to the right of the preceding
left parenthesis. However, traditionally, if that resulted in the
continuation line extending to the right of the desired right margin,
then indent would push it left just far enough to not overrun the margin,
if it could do so without making the continuation line start to the left of
the current statement indent. That makes for a weird mix of indentations
unless one has been completely rigid about never violating the 80-column
limit.
This behavior has been pretty universally panned by Postgres developers.
Hence, disable it with indent's new -lpl switch, so that parenthesized
lines are always lined up with the preceding left paren.
This patch is much less interesting than the first round of indent
changes, but also bulkier, so I thought it best to separate the effects.
Discussion: https://postgr.es/m/E1dAmxK-0006EE-1r@gemulon.postgresql.org
Discussion: https://postgr.es/m/30527.1495162840@sss.pgh.pa.us
2017-06-21 21:35:54 +02:00
|
|
|
(errmsg("could not perform MD5 encryption of received packet")));
|
2010-10-15 16:59:10 +02:00
|
|
|
pfree(cryptvector);
|
|
|
|
|
continue;
|
|
|
|
|
}
|
2010-01-27 13:12:00 +01:00
|
|
|
pfree(cryptvector);
|
|
|
|
|
|
2010-10-15 16:59:10 +02:00
|
|
|
if (memcmp(receivepacket->vector, encryptedpassword, RADIUS_VECTOR_LENGTH) != 0)
|
|
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
Phase 3 of pgindent updates.
Don't move parenthesized lines to the left, even if that means they
flow past the right margin.
By default, BSD indent lines up statement continuation lines that are
within parentheses so that they start just to the right of the preceding
left parenthesis. However, traditionally, if that resulted in the
continuation line extending to the right of the desired right margin,
then indent would push it left just far enough to not overrun the margin,
if it could do so without making the continuation line start to the left of
the current statement indent. That makes for a weird mix of indentations
unless one has been completely rigid about never violating the 80-column
limit.
This behavior has been pretty universally panned by Postgres developers.
Hence, disable it with indent's new -lpl switch, so that parenthesized
lines are always lined up with the preceding left paren.
This patch is much less interesting than the first round of indent
changes, but also bulkier, so I thought it best to separate the effects.
Discussion: https://postgr.es/m/E1dAmxK-0006EE-1r@gemulon.postgresql.org
Discussion: https://postgr.es/m/30527.1495162840@sss.pgh.pa.us
2017-06-21 21:35:54 +02:00
|
|
|
(errmsg("RADIUS response from %s has incorrect MD5 signature",
|
|
|
|
|
server)));
|
2010-10-15 16:59:10 +02:00
|
|
|
continue;
|
|
|
|
|
}
|
2010-01-27 13:12:00 +01:00
|
|
|
|
2010-10-15 16:59:10 +02:00
|
|
|
if (receivepacket->code == RADIUS_ACCESS_ACCEPT)
|
|
|
|
|
{
|
|
|
|
|
closesocket(sock);
|
|
|
|
|
return STATUS_OK;
|
|
|
|
|
}
|
|
|
|
|
else if (receivepacket->code == RADIUS_ACCESS_REJECT)
|
|
|
|
|
{
|
|
|
|
|
closesocket(sock);
|
2017-03-22 17:55:16 +01:00
|
|
|
return STATUS_EOF;
|
2010-10-15 16:59:10 +02:00
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
ereport(LOG,
|
2017-03-22 17:55:16 +01:00
|
|
|
(errmsg("RADIUS response from %s has invalid code (%d) for user \"%s\"",
|
|
|
|
|
server, receivepacket->code, user_name)));
|
2010-10-15 16:59:10 +02:00
|
|
|
continue;
|
|
|
|
|
}
|
2011-04-10 17:42:00 +02:00
|
|
|
} /* while (true) */
|
2010-01-27 13:12:00 +01:00
|
|
|
}
|
