mirror of https://github.com/postgres/postgres
The code of SCRAM and SASL have been tightly linked together since SCRAM exists in the core code, making hard to apprehend the addition of new SASL mechanisms, but these are by design different facilities, with SCRAM being an option for SASL. This refactors the code related to both so as the backend and the frontend use a set of callbacks for SASL mechanisms, documenting while on it what is expected by anybody adding a new SASL mechanism. The separation between both layers is neat, using two sets of callbacks for the frontend and the backend to mark the frontier between both facilities. The shape of the callbacks is now directly inspired from the routines used by SCRAM, so the code change is straight-forward, and the SASL code is moved into its own set of files. These will likely change depending on how and if new SASL mechanisms get added in the future. Author: Jacob Champion Reviewed-by: Michael Paquier Discussion: https://postgr.es/m/3d2a6f5d50e741117d6baf83eb67ebf1a8a35a11.camel@vmware.compull/66/head
Michael Paquier
4 years ago
parent
955b3e0f92
commit
9fd85570d1
@ -0,0 +1,195 @@ |
||||
/*-------------------------------------------------------------------------
|
||||
* |
||||
* auth-sasl.c |
||||
* Routines to handle authentication via SASL |
||||
* |
||||
* Portions Copyright (c) 1996-2021, PostgreSQL Global Development Group |
||||
* Portions Copyright (c) 1994, Regents of the University of California |
||||
* |
||||
* |
||||
* IDENTIFICATION |
||||
* src/backend/libpq/auth-sasl.c |
||||
* |
||||
*------------------------------------------------------------------------- |
||||
*/ |
||||
|
||||
#include "postgres.h" |
||||
|
||||
#include "libpq/auth.h" |
||||
#include "libpq/libpq.h" |
||||
#include "libpq/pqformat.h" |
||||
#include "libpq/sasl.h" |
||||
|
||||
/*
|
||||
* Maximum accepted size of SASL messages. |
||||
* |
||||
* The messages that the server or libpq generate are much smaller than this, |
||||
* but have some headroom. |
||||
*/ |
||||
#define PG_MAX_SASL_MESSAGE_LENGTH 1024 |
||||
|
||||
/*
|
||||
* Perform a SASL exchange with a libpq client, using a specific mechanism |
||||
* implementation. |
||||
* |
||||
* shadow_pass is an optional pointer to the stored secret of the role |
||||
* authenticated, from pg_authid.rolpassword. For mechanisms that use |
||||
* shadowed passwords, a NULL pointer here means that an entry could not |
||||
* be found for the role (or the user does not exist), and the mechanism |
||||
* should fail the authentication exchange. |
||||
* |
||||
* Mechanisms must take care not to reveal to the client that a user entry |
||||
* does not exist; ideally, the external failure mode is identical to that |
||||
* of an incorrect password. Mechanisms may instead use the logdetail |
||||
* output parameter to internally differentiate between failure cases and |
||||
* assist debugging by the server admin. |
||||
* |
||||
* A mechanism is not required to utilize a shadow entry, or even a password |
||||
* system at all; for these cases, shadow_pass may be ignored and the caller |
||||
* should just pass NULL. |
||||
*/ |
||||
int |
||||
CheckSASLAuth(const pg_be_sasl_mech *mech, Port *port, char *shadow_pass, |
||||
char **logdetail) |
||||
{ |
||||
StringInfoData sasl_mechs; |
||||
int mtype; |
||||
StringInfoData buf; |
||||
void *opaq = NULL; |
||||
char *output = NULL; |
||||
int outputlen = 0; |
||||
const char *input; |
||||
int inputlen; |
||||
int result; |
||||
bool initial; |
||||
|
||||
/*
|
||||
* Send the SASL authentication request to user. It includes the list of |
||||
* authentication mechanisms that are supported. |
||||
*/ |
||||
initStringInfo(&sasl_mechs); |
||||
|
||||
mech->get_mechanisms(port, &sasl_mechs); |
||||
/* Put another '\0' to mark that list is finished. */ |
||||
appendStringInfoChar(&sasl_mechs, '\0'); |
||||
|
||||
sendAuthRequest(port, AUTH_REQ_SASL, sasl_mechs.data, sasl_mechs.len); |
||||
pfree(sasl_mechs.data); |
||||
|
||||
/*
|
||||
* Loop through SASL message exchange. This exchange can consist of |
||||
* multiple messages sent in both directions. First message is always |
||||
* from the client. All messages from client to server are password |
||||
* packets (type 'p'). |
||||
*/ |
||||
initial = true; |
||||
do |
||||
{ |
||||
pq_startmsgread(); |
||||
mtype = pq_getbyte(); |
||||
if (mtype != 'p') |
||||
{ |
||||
/* Only log error if client didn't disconnect. */ |
||||
if (mtype != EOF) |
||||
{ |
||||
ereport(ERROR, |
||||
(errcode(ERRCODE_PROTOCOL_VIOLATION), |
||||
errmsg("expected SASL response, got message type %d", |
||||
mtype))); |
||||
} |
||||
else |
||||
return STATUS_EOF; |
||||
} |
||||
|
||||
/* Get the actual SASL message */ |
||||
initStringInfo(&buf); |
||||
if (pq_getmessage(&buf, PG_MAX_SASL_MESSAGE_LENGTH)) |
||||
{ |
||||
/* EOF - pq_getmessage already logged error */ |
||||
pfree(buf.data); |
||||
return STATUS_ERROR; |
||||
} |
||||
|
||||
elog(DEBUG4, "processing received SASL response of length %d", buf.len); |
||||
|
||||
/*
|
||||
* The first SASLInitialResponse message is different from the others. |
||||
* It indicates which SASL mechanism the client selected, and contains |
||||
* an optional Initial Client Response payload. The subsequent |
||||
* SASLResponse messages contain just the SASL payload. |
||||
*/ |
||||
if (initial) |
||||
{ |
||||
const char *selected_mech; |
||||
|
||||
selected_mech = pq_getmsgrawstring(&buf); |
||||
|
||||
/*
|
||||
* Initialize the status tracker for message exchanges. |
||||
* |
||||
* If the user doesn't exist, or doesn't have a valid password, or |
||||
* it's expired, we still go through the motions of SASL |
||||
* authentication, but tell the authentication method that the |
||||
* authentication is "doomed". That is, it's going to fail, no |
||||
* matter what. |
||||
* |
||||
* This is because we don't want to reveal to an attacker what |
||||
* usernames are valid, nor which users have a valid password. |
||||
*/ |
||||
opaq = mech->init(port, selected_mech, shadow_pass); |
||||
|
||||
inputlen = pq_getmsgint(&buf, 4); |
||||
if (inputlen == -1) |
||||
input = NULL; |
||||
else |
||||
input = pq_getmsgbytes(&buf, inputlen); |
||||
|
||||
initial = false; |
||||
} |
||||
else |
||||
{ |
||||
inputlen = buf.len; |
||||
input = pq_getmsgbytes(&buf, buf.len); |
||||
} |
||||
pq_getmsgend(&buf); |
||||
|
||||
/*
|
||||
* The StringInfo guarantees that there's a \0 byte after the |
||||
* response. |
||||
*/ |
||||
Assert(input == NULL || input[inputlen] == '\0'); |
||||
|
||||
/*
|
||||
* Hand the incoming message to the mechanism implementation. |
||||
*/ |
||||
result = mech->exchange(opaq, input, inputlen, |
||||
&output, &outputlen, |
||||
logdetail); |
||||
|
||||
/* input buffer no longer used */ |
||||
pfree(buf.data); |
||||
|
||||
if (output) |
||||
{ |
||||
/*
|
||||
* Negotiation generated data to be sent to the client. |
||||
*/ |
||||
elog(DEBUG4, "sending SASL challenge of length %u", outputlen); |
||||
|
||||
if (result == PG_SASL_EXCHANGE_SUCCESS) |
||||
sendAuthRequest(port, AUTH_REQ_SASL_FIN, output, outputlen); |
||||
else |
||||
sendAuthRequest(port, AUTH_REQ_SASL_CONT, output, outputlen); |
||||
|
||||
pfree(output); |
||||
} |
||||
} while (result == PG_SASL_EXCHANGE_CONTINUE); |
||||
|
||||
/* Oops, Something bad happened */ |
||||
if (result != PG_SASL_EXCHANGE_SUCCESS) |
||||
{ |
||||
return STATUS_ERROR; |
||||
} |
||||
|
||||
return STATUS_OK; |
||||
} |
||||
@ -0,0 +1,136 @@ |
||||
/*-------------------------------------------------------------------------
|
||||
* |
||||
* sasl.h |
||||
* Defines the SASL mechanism interface for the backend. |
||||
* |
||||
* Each SASL mechanism defines a frontend and a backend callback structure. |
||||
* |
||||
* See src/interfaces/libpq/fe-auth-sasl.h for the frontend counterpart. |
||||
* |
||||
* Portions Copyright (c) 1996-2021, PostgreSQL Global Development Group |
||||
* Portions Copyright (c) 1994, Regents of the University of California |
||||
* |
||||
* src/include/libpq/sasl.h |
||||
* |
||||
*------------------------------------------------------------------------- |
||||
*/ |
||||
|
||||
#ifndef PG_SASL_H |
||||
#define PG_SASL_H |
||||
|
||||
#include "lib/stringinfo.h" |
||||
#include "libpq/libpq-be.h" |
||||
|
||||
/* Status codes for message exchange */ |
||||
#define PG_SASL_EXCHANGE_CONTINUE 0 |
||||
#define PG_SASL_EXCHANGE_SUCCESS 1 |
||||
#define PG_SASL_EXCHANGE_FAILURE 2 |
||||
|
||||
/*
|
||||
* Backend SASL mechanism callbacks. |
||||
* |
||||
* To implement a backend mechanism, declare a pg_be_sasl_mech struct with |
||||
* appropriate callback implementations. Then pass the mechanism to |
||||
* CheckSASLAuth() during ClientAuthentication(), once the server has decided |
||||
* which authentication method to use. |
||||
*/ |
||||
typedef struct pg_be_sasl_mech |
||||
{ |
||||
/*---------
|
||||
* get_mechanisms() |
||||
* |
||||
* Retrieves the list of SASL mechanism names supported by this |
||||
* implementation. |
||||
* |
||||
* Input parameters: |
||||
* |
||||
* port: The client Port |
||||
* |
||||
* Output parameters: |
||||
* |
||||
* buf: A StringInfo buffer that the callback should populate with |
||||
* supported mechanism names. The names are appended into this |
||||
* StringInfo, each one ending with '\0' bytes. |
||||
*--------- |
||||
*/ |
||||
void (*get_mechanisms) (Port *port, StringInfo buf); |
||||
|
||||
/*---------
|
||||
* init() |
||||
* |
||||
* Initializes mechanism-specific state for a connection. This callback |
||||
* must return a pointer to its allocated state, which will be passed |
||||
* as-is as the first argument to the other callbacks. |
||||
* |
||||
* Input paramters: |
||||
* |
||||
* port: The client Port. |
||||
* |
||||
* mech: The actual mechanism name in use by the client. |
||||
* |
||||
* shadow_pass: The stored secret for the role being authenticated, or |
||||
* NULL if one does not exist. Mechanisms that do not use |
||||
* shadow entries may ignore this parameter. If a |
||||
* mechanism uses shadow entries but shadow_pass is NULL, |
||||
* the implementation must continue the exchange as if the |
||||
* user existed and the password did not match, to avoid |
||||
* disclosing valid user names. |
||||
*--------- |
||||
*/ |
||||
void *(*init) (Port *port, const char *mech, const char *shadow_pass); |
||||
|
||||
/*---------
|
||||
* exchange() |
||||
* |
||||
* Produces a server challenge to be sent to the client. The callback |
||||
* must return one of the PG_SASL_EXCHANGE_* values, depending on |
||||
* whether the exchange continues, has finished successfully, or has |
||||
* failed. |
||||
* |
||||
* Input parameters: |
||||
* |
||||
* state: The opaque mechanism state returned by init() |
||||
* |
||||
* input: The response data sent by the client, or NULL if the |
||||
* mechanism is client-first but the client did not send an |
||||
* initial response. (This can only happen during the first |
||||
* message from the client.) This is guaranteed to be |
||||
* null-terminated for safety, but SASL allows embedded |
||||
* nulls in responses, so mechanisms must be careful to |
||||
* check inputlen. |
||||
* |
||||
* inputlen: The length of the challenge data sent by the server, or |
||||
* -1 if the client did not send an initial response |
||||
* |
||||
* Output parameters, to be set by the callback function: |
||||
* |
||||
* output: A palloc'd buffer containing either the server's next |
||||
* challenge (if PG_SASL_EXCHANGE_CONTINUE is returned) or |
||||
* the server's outcome data (if PG_SASL_EXCHANGE_SUCCESS is |
||||
* returned and the mechanism requires data to be sent during |
||||
* a successful outcome). The callback should set this to |
||||
* NULL if the exchange is over and no output should be sent, |
||||
* which should correspond to either PG_SASL_EXCHANGE_FAILURE |
||||
* or a PG_SASL_EXCHANGE_SUCCESS with no outcome data. |
||||
* |
||||
* outputlen: The length of the challenge data. Ignored if *output is |
||||
* NULL. |
||||
* |
||||
* logdetail: Set to an optional DETAIL message to be printed to the |
||||
* server log, to disambiguate failure modes. (The client |
||||
* will only ever see the same generic authentication |
||||
* failure message.) Ignored if the exchange is completed |
||||
* with PG_SASL_EXCHANGE_SUCCESS. |
||||
*--------- |
||||
*/ |
||||
int (*exchange) (void *state, |
||||
const char *input, int inputlen, |
||||
char **output, int *outputlen, |
||||
char **logdetail); |
||||
} pg_be_sasl_mech; |
||||
|
||||
/* Common implementation for auth.c */ |
||||
extern int CheckSASLAuth(const pg_be_sasl_mech *mech, Port *port, |
||||
char *shadow_pass, char **logdetail); |
||||
|
||||
#endif /* PG_SASL_H */ |
||||
@ -0,0 +1,130 @@ |
||||
/*-------------------------------------------------------------------------
|
||||
* |
||||
* fe-auth-sasl.h |
||||
* Defines the SASL mechanism interface for libpq. |
||||
* |
||||
* Each SASL mechanism defines a frontend and a backend callback structure. |
||||
* This is not part of the public API for applications. |
||||
* |
||||
* See src/include/libpq/sasl.h for the backend counterpart. |
||||
* |
||||
* Portions Copyright (c) 1996-2021, PostgreSQL Global Development Group |
||||
* Portions Copyright (c) 1994, Regents of the University of California |
||||
* |
||||
* src/interfaces/libpq/fe-auth-sasl.h |
||||
* |
||||
*------------------------------------------------------------------------- |
||||
*/ |
||||
|
||||
#ifndef FE_AUTH_SASL_H |
||||
#define FE_AUTH_SASL_H |
||||
|
||||
#include "libpq-fe.h" |
||||
|
||||
/*
|
||||
* Frontend SASL mechanism callbacks. |
||||
* |
||||
* To implement a frontend mechanism, declare a pg_be_sasl_mech struct with |
||||
* appropriate callback implementations, then hook it into conn->sasl during |
||||
* pg_SASL_init()'s mechanism negotiation. |
||||
*/ |
||||
typedef struct pg_fe_sasl_mech |
||||
{ |
||||
/*-------
|
||||
* init() |
||||
* |
||||
* Initializes mechanism-specific state for a connection. This |
||||
* callback must return a pointer to its allocated state, which will |
||||
* be passed as-is as the first argument to the other callbacks. |
||||
* the free() callback is called to release any state resources. |
||||
* |
||||
* If state allocation fails, the implementation should return NULL to |
||||
* fail the authentication exchange. |
||||
* |
||||
* Input parameters: |
||||
* |
||||
* conn: The connection to the server |
||||
* |
||||
* password: The user's supplied password for the current connection |
||||
* |
||||
* mech: The mechanism name in use, for implementations that may |
||||
* advertise more than one name (such as *-PLUS variants). |
||||
*------- |
||||
*/ |
||||
void *(*init) (PGconn *conn, const char *password, const char *mech); |
||||
|
||||
/*--------
|
||||
* exchange() |
||||
* |
||||
* Produces a client response to a server challenge. As a special case |
||||
* for client-first SASL mechanisms, exchange() is called with a NULL |
||||
* server response once at the start of the authentication exchange to |
||||
* generate an initial response. |
||||
* |
||||
* Input parameters: |
||||
* |
||||
* state: The opaque mechanism state returned by init() |
||||
* |
||||
* input: The challenge data sent by the server, or NULL when |
||||
* generating a client-first initial response (that is, when |
||||
* the server expects the client to send a message to start |
||||
* the exchange). This is guaranteed to be null-terminated |
||||
* for safety, but SASL allows embedded nulls in challenges, |
||||
* so mechanisms must be careful to check inputlen. |
||||
* |
||||
* inputlen: The length of the challenge data sent by the server, or -1 |
||||
* during client-first initial response generation. |
||||
* |
||||
* Output parameters, to be set by the callback function: |
||||
* |
||||
* output: A malloc'd buffer containing the client's response to |
||||
* the server, or NULL if the exchange should be aborted. |
||||
* (*success should be set to false in the latter case.) |
||||
* |
||||
* outputlen: The length of the client response buffer, or zero if no |
||||
* data should be sent due to an exchange failure |
||||
* |
||||
* done: Set to true if the SASL exchange should not continue, |
||||
* because the exchange is either complete or failed |
||||
* |
||||
* success: Set to true if the SASL exchange completed successfully. |
||||
* Ignored if *done is false. |
||||
*-------- |
||||
*/ |
||||
void (*exchange) (void *state, char *input, int inputlen, |
||||
char **output, int *outputlen, |
||||
bool *done, bool *success); |
||||
|
||||
/*--------
|
||||
* channel_bound() |
||||
* |
||||
* Returns true if the connection has an established channel binding. A |
||||
* mechanism implementation must ensure that a SASL exchange has actually |
||||
* been completed, in addition to checking that channel binding is in use. |
||||
* |
||||
* Mechanisms that do not implement channel binding may simply return |
||||
* false. |
||||
* |
||||
* Input parameters: |
||||
* |
||||
* state: The opaque mechanism state returned by init() |
||||
*-------- |
||||
*/ |
||||
bool (*channel_bound) (void *state); |
||||
|
||||
/*--------
|
||||
* free() |
||||
* |
||||
* Frees the state allocated by init(). This is called when the connection |
||||
* is dropped, not when the exchange is completed. |
||||
* |
||||
* Input parameters: |
||||
* |
||||
* state: The opaque mechanism state returned by init() |
||||
*-------- |
||||
*/ |
||||
void (*free) (void *state); |
||||
|
||||
} pg_fe_sasl_mech; |
||||
|
||||
#endif /* FE_AUTH_SASL_H */ |
||||
Loading…
Reference in new issue