📄 auth.c
字号:
* unnecessarily difficult for legitimate users. We would not, for example, * want to report the password we were expecting to receive... * But it seems useful to report the username and authorization method * in use, and these are items that must be presumed known to an attacker * anyway. * Note that many sorts of failure report additional information in the * postmaster log, which we hope is only readable by good guys. */static voidauth_failed(Port *port){ char buffer[512]; const char *authmethod = "Unknown auth method:"; switch (port->auth_method) { case uaReject: authmethod = "Rejected host:"; break; case uaKrb4: authmethod = "Kerberos4"; break; case uaKrb5: authmethod = "Kerberos5"; break; case uaTrust: authmethod = "Trusted"; break; case uaIdent: authmethod = "IDENT"; break; case uaPassword: authmethod = "Password"; break; case uaCrypt: authmethod = "Password"; break; } sprintf(buffer, "%s authentication failed for user '%s'", authmethod, port->user); PacketSendError(&port->pktInfo, buffer);}/* * be_recvauth -- server demux routine for incoming authentication information */voidbe_recvauth(Port *port){ /* * Get the authentication method to use for this frontend/database * combination. Note: a failure return indicates a problem with the * hba config file, not with the request. hba.c should have dropped * an error message into the postmaster logfile if it failed. */ if (hba_getauthmethod(&port->raddr, port->user, port->database, port->auth_arg, &port->auth_method) != STATUS_OK) PacketSendError(&port->pktInfo, "Missing or erroneous pg_hba.conf file, see postmaster log for details"); else if (PG_PROTOCOL_MAJOR(port->proto) == 0) { /* Handle old style authentication. */ if (old_be_recvauth(port) != STATUS_OK) auth_failed(port); } else { /* Handle new style authentication. */ AuthRequest areq = AUTH_REQ_OK; PacketDoneProc auth_handler = NULL; switch (port->auth_method) { case uaReject: /* * This could have come from an explicit "reject" entry in * pg_hba.conf, but more likely it means there was no * matching entry. Take pity on the poor user and issue a * helpful error message. NOTE: this is not a security * breach, because all the info reported here is known at * the frontend and must be assumed known to bad guys. * We're merely helping out the less clueful good guys. * NOTE 2: libpq-be.h defines the maximum error message * length as 99 characters. It probably wouldn't hurt * anything to increase it, but there might be some client * out there that will fail. So, be terse. */ { char buffer[512]; const char *hostinfo = "localhost"; if (port->raddr.sa.sa_family == AF_INET) hostinfo = inet_ntoa(port->raddr.in.sin_addr); sprintf(buffer, "No pg_hba.conf entry for host %s, user %s, database %s", hostinfo, port->user, port->database); PacketSendError(&port->pktInfo, buffer); return; } break; case uaKrb4: areq = AUTH_REQ_KRB4; auth_handler = handle_krb4_auth; break; case uaKrb5: areq = AUTH_REQ_KRB5; auth_handler = handle_krb5_auth; break; case uaTrust: areq = AUTH_REQ_OK; auth_handler = handle_done_auth; break; case uaIdent: if (authident(&port->raddr.in, &port->laddr.in, port->user, port->auth_arg) == STATUS_OK) { areq = AUTH_REQ_OK; auth_handler = handle_done_auth; } break; case uaPassword: areq = AUTH_REQ_PASSWORD; auth_handler = handle_password_auth; break; case uaCrypt: areq = AUTH_REQ_CRYPT; auth_handler = handle_password_auth; break; } /* Tell the frontend what we want next. */ if (auth_handler != NULL) sendAuthRequest(port, areq, auth_handler); else auth_failed(port); }}/* * Send an authentication request packet to the frontend. */static voidsendAuthRequest(Port *port, AuthRequest areq, PacketDoneProc handler){ char *dp, *sp; int i; uint32 net_areq; /* Convert to a byte stream. */ net_areq = htonl(areq); dp = port->pktInfo.pkt.ar.data; sp = (char *) &net_areq; *dp++ = 'R'; for (i = 1; i <= 4; ++i) *dp++ = *sp++; /* Add the salt for encrypted passwords. */ if (areq == AUTH_REQ_CRYPT) { *dp++ = port->salt[0]; *dp++ = port->salt[1]; i += 2; } PacketSendSetup(&port->pktInfo, i, handler, (void *) port);}/* * Called when we have told the front end that it is authorised. */static inthandle_done_auth(void *arg, PacketLen len, void *pkt){ /* * Don't generate any more traffic. This will cause the backend to * start. */ return STATUS_OK;}/* * Called when we have told the front end that it should use Kerberos V4 * authentication. */static inthandle_krb4_auth(void *arg, PacketLen len, void *pkt){ Port *port = (Port *) arg; if (pg_krb4_recvauth(port) != STATUS_OK) auth_failed(port); else sendAuthRequest(port, AUTH_REQ_OK, handle_done_auth); return STATUS_OK;}/* * Called when we have told the front end that it should use Kerberos V5 * authentication. */static inthandle_krb5_auth(void *arg, PacketLen len, void *pkt){ Port *port = (Port *) arg; if (pg_krb5_recvauth(port) != STATUS_OK) auth_failed(port); else sendAuthRequest(port, AUTH_REQ_OK, handle_done_auth); return STATUS_OK;}/* * Called when we have told the front end that it should use password * authentication. */static inthandle_password_auth(void *arg, PacketLen len, void *pkt){ Port *port = (Port *) arg; /* Set up the read of the password packet. */ PacketReceiveSetup(&port->pktInfo, readPasswordPacket, (void *) port); return STATUS_OK;}/* * Called when we have received the password packet. */static intreadPasswordPacket(void *arg, PacketLen len, void *pkt){ char password[sizeof(PasswordPacket) + 1]; Port *port = (Port *) arg; /* Silently truncate a password that is too big. */ if (len > sizeof(PasswordPacket)) len = sizeof(PasswordPacket); StrNCpy(password, ((PasswordPacket *) pkt)->passwd, len); if (checkPassword(port, port->user, password) != STATUS_OK) auth_failed(port); else sendAuthRequest(port, AUTH_REQ_OK, handle_done_auth); return STATUS_OK; /* don't close the connection yet */}/* * Use the local flat password file if clear passwords are used and the file is * specified. Otherwise use the password in the pg_shadow table, encrypted or * not. */static intcheckPassword(Port *port, char *user, char *password){ if (port->auth_method == uaPassword && port->auth_arg[0] != '\0') return verify_password(port->auth_arg, user, password); return crypt_verify(port, user, password);}/* * Server demux routine for incoming authentication information for protocol * version 0. */static intold_be_recvauth(Port *port){ int status; MsgType msgtype = (MsgType) port->proto; /* Handle the authentication that's offered. */ switch (msgtype) { case STARTUP_KRB4_MSG: status = map_old_to_new(port, uaKrb4, pg_krb4_recvauth(port)); break; case STARTUP_KRB5_MSG: status = map_old_to_new(port, uaKrb5, pg_krb5_recvauth(port)); break; case STARTUP_MSG: status = map_old_to_new(port, uaTrust, STATUS_OK); break; case STARTUP_PASSWORD_MSG: PacketReceiveSetup(&port->pktInfo, pg_passwordv0_recvauth, (void *) port); return STATUS_OK; default: fprintf(stderr, "Invalid startup message type: %u\n", msgtype); return STATUS_OK; } return status;}/* * The old style authentication has been done. Modify the result of this (eg. * allow the connection anyway, disallow it anyway, or use the result) * depending on what authentication we really want to use. */static intmap_old_to_new(Port *port, UserAuth old, int status){ switch (port->auth_method) { case uaCrypt: case uaReject: status = STATUS_ERROR; break; case uaKrb4: if (old != uaKrb4) status = STATUS_ERROR; break; case uaKrb5: if (old != uaKrb5) status = STATUS_ERROR; break; case uaTrust: status = STATUS_OK; break; case uaIdent: status = authident(&port->raddr.in, &port->laddr.in, port->user, port->auth_arg); break; case uaPassword: if (old != uaPassword) status = STATUS_ERROR; break; } return status;}⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -