1 /*-------------------------------------------------------------------------
4 * The front-end (client) authorization routines
6 * Portions Copyright (c) 1996-2001, PostgreSQL Global Development Group
7 * Portions Copyright (c) 1994, Regents of the University of California
9 * NOTE: the error message strings returned by this module must not
10 * exceed INITIAL_EXPBUFFER_SIZE (currently 256 bytes).
13 * $Header: /cvsroot/pgsql/src/interfaces/libpq/fe-auth.c,v 1.58 2001/08/21 15:49:17 momjian Exp $
15 *-------------------------------------------------------------------------
20 * frontend (client) routines:
21 * fe_sendauth send authentication information
22 * fe_getauthname get user's name according to the client side
23 * of the authentication system
24 * fe_setauthsvc set frontend authentication service
25 * fe_getauthsvc get current frontend authentication service
31 #include "postgres_fe.h"
33 /* XXX is there a reason these appear before the system defines? */
35 #include "libpq-int.h"
37 #include "libpq/crypt.h"
45 #include <sys/types.h>
46 #include <sys/param.h> /* for MAXHOSTNAMELEN on most */
47 #include <sys/socket.h> /* for SCM_CREDS */
49 #include <sys/uio.h> /* for struct iovec */
50 #include <sys/ucred.h>
52 #ifndef MAXHOSTNAMELEN
53 #include <netdb.h> /* for MAXHOSTNAMELEN on some */
64 * common definitions for generic fe/be routines
69 char name[NAMEDATALEN]; /* service nickname (for command
71 MsgType msgtype; /* startup packet header type */
72 int allowed; /* initially allowed (before command line
77 * Command-line parsing routines use this structure to map nicknames
78 * onto service types (and the startup packets to use with them).
80 * Programs receiving an authentication request use this structure to
81 * decide which authentication service types are currently permitted.
82 * By default, all authentication systems compiled into the system are
83 * allowed. Unauthenticated connections are disallowed unless there
84 * isn't any authentication system.
86 static const struct authsvc authsvcs[] = {
88 {"krb4", STARTUP_KRB4_MSG, 1},
89 {"kerberos", STARTUP_KRB4_MSG, 1},
92 {"krb5", STARTUP_KRB5_MSG, 1},
93 {"kerberos", STARTUP_KRB5_MSG, 1},
95 {UNAUTHNAME, STARTUP_MSG,
96 #if defined(KRB4) || defined(KRB5)
98 #else /* !(KRB4 || KRB5) */
100 #endif /* !(KRB4 || KRB5) */
102 {"password", STARTUP_PASSWORD_MSG, 0}
105 static const int n_authsvcs = sizeof(authsvcs) / sizeof(struct authsvc);
109 * MIT Kerberos authentication system - protocol version 4
114 /* for some reason, this is not defined in krb.h ... */
115 extern char *tkt_string(void);
118 * pg_krb4_init -- initialization performed before any Kerberos calls are made
120 * For v4, all we need to do is make sure the library routines get the right
121 * ticket file if we want them to see a special one. (They will open the file
128 static int init_done = 0;
135 * If the user set PGREALM, then we use a ticket file with a special
136 * name: <usual-ticket-file-name>@<PGREALM-value>
138 if ((realm = getenv("PGREALM")))
140 char tktbuf[MAXPGPATH];
142 (void) sprintf(tktbuf, "%s@%s", tkt_string(), realm);
143 krb_set_tkt_string(tktbuf);
148 * pg_krb4_authname -- returns a pointer to static space containing whatever
149 * name the user has authenticated to the system
151 * We obtain this information by digging around in the ticket file.
154 pg_krb4_authname(char *PQerrormsg)
156 char instance[INST_SZ + 1];
157 char realm[REALM_SZ + 1];
159 static char name[SNAME_SZ + 1] = "";
166 name[SNAME_SZ] = '\0';
167 status = krb_get_tf_fullname(tkt_string(), name, instance, realm);
168 if (status != KSUCCESS)
170 snprintf(PQerrormsg, PQERRORMSG_LENGTH,
171 "pg_krb4_authname: krb_get_tf_fullname: %s\n",
172 krb_err_txt[status]);
173 return (char *) NULL;
179 * pg_krb4_sendauth -- client routine to send authentication information to
182 * This routine does not do mutual authentication, nor does it return enough
183 * information to do encrypted connections. But then, if we want to do
184 * encrypted connections, we'll have to redesign the whole RPC mechanism
187 * If the user is too lazy to feed us a hostname, we try to come up with
188 * something other than "localhost" since the hostname is used as an
189 * instance and instance names in v4 databases are usually actual hostnames
190 * (canonicalized to omit all domain suffixes).
193 pg_krb4_sendauth(char *PQerrormsg, int sock,
194 struct sockaddr_in * laddr,
195 struct sockaddr_in * raddr,
196 const char *hostname)
198 long krbopts = 0; /* one-way authentication */
201 char hostbuf[MAXHOSTNAMELEN];
202 const char *realm = getenv("PGREALM"); /* NULL == current realm */
204 if (!hostname || !(*hostname))
206 if (gethostname(hostbuf, MAXHOSTNAMELEN) < 0)
207 strcpy(hostbuf, "localhost");
213 status = krb_sendauth(krbopts,
221 (CREDENTIALS *) NULL,
226 if (status != KSUCCESS)
228 snprintf(PQerrormsg, PQERRORMSG_LENGTH,
229 libpq_gettext("Kerberos 4 error: %s\n"),
230 krb_err_txt[status]);
240 * MIT Kerberos authentication system - protocol version 5
247 * pg_an_to_ln -- return the local name corresponding to an authentication
250 * XXX Assumes that the first aname component is the user name. This is NOT
251 * necessarily so, since an aname can actually be something out of your
252 * worst X.400 nightmare, like
253 * ORGANIZATION=U. C. Berkeley/NAME=Paul M. Aoki@CS.BERKELEY.EDU
254 * Note that the MIT an_to_ln code does the same thing if you don't
255 * provide an aname mapping database...it may be a better idea to use
256 * krb5_an_to_ln, except that it punts if multiple components are found,
257 * and we can't afford to punt.
260 pg_an_to_ln(char *aname)
264 if ((p = strchr(aname, '/')) || (p = strchr(aname, '@')))
271 * Various krb5 state which is not connection specfic, and a flag to
272 * indicate whether we have initialised it yet.
274 static int pg_krb5_initialised;
275 static krb5_context pg_krb5_context;
276 static krb5_ccache pg_krb5_ccache;
277 static krb5_principal pg_krb5_client;
278 static char *pg_krb5_name;
282 pg_krb5_init(char *PQerrormsg)
284 krb5_error_code retval;
286 if (pg_krb5_initialised)
289 retval = krb5_init_context(&pg_krb5_context);
292 snprintf(PQerrormsg, PQERRORMSG_LENGTH,
293 "pg_krb5_init: krb5_init_context: %s\n",
294 error_message(retval));
298 retval = krb5_cc_default(pg_krb5_context, &pg_krb5_ccache);
301 snprintf(PQerrormsg, PQERRORMSG_LENGTH,
302 "pg_krb5_init: krb5_cc_default: %s\n",
303 error_message(retval));
304 krb5_free_context(pg_krb5_context);
308 retval = krb5_cc_get_principal(pg_krb5_context, pg_krb5_ccache,
312 snprintf(PQerrormsg, PQERRORMSG_LENGTH,
313 "pg_krb5_init: krb5_cc_get_principal: %s\n",
314 error_message(retval));
315 krb5_cc_close(pg_krb5_context, pg_krb5_ccache);
316 krb5_free_context(pg_krb5_context);
320 retval = krb5_unparse_name(pg_krb5_context, pg_krb5_client, &pg_krb5_name);
323 snprintf(PQerrormsg, PQERRORMSG_LENGTH,
324 "pg_krb5_init: krb5_unparse_name: %s\n",
325 error_message(retval));
326 krb5_free_principal(pg_krb5_context, pg_krb5_client);
327 krb5_cc_close(pg_krb5_context, pg_krb5_ccache);
328 krb5_free_context(pg_krb5_context);
332 pg_krb5_name = pg_an_to_ln(pg_krb5_name);
334 pg_krb5_initialised = 1;
340 * pg_krb5_authname -- returns a pointer to static space containing whatever
341 * name the user has authenticated to the system
344 pg_krb5_authname(char *PQerrormsg)
346 if (pg_krb5_init(PQerrormsg) != STATUS_OK)
354 * pg_krb5_sendauth -- client routine to send authentication information to
358 pg_krb5_sendauth(char *PQerrormsg, int sock,
359 struct sockaddr_in * laddr,
360 struct sockaddr_in * raddr,
361 const char *hostname)
363 krb5_error_code retval;
365 krb5_principal server;
366 krb5_auth_context auth_context = NULL;
367 krb5_error *err_ret = NULL;
370 ret = pg_krb5_init(PQerrormsg);
371 if (ret != STATUS_OK)
374 retval = krb5_sname_to_principal(pg_krb5_context, hostname, PG_KRB_SRVNAM,
375 KRB5_NT_SRV_HST, &server);
378 snprintf(PQerrormsg, PQERRORMSG_LENGTH,
379 "pg_krb5_sendauth: krb5_sname_to_principal: %s\n",
380 error_message(retval));
385 * libpq uses a non-blocking socket. But kerberos needs a blocking
386 * socket, and we have to block somehow to do mutual authentication
387 * anyway. So we temporarily make it blocking.
389 flags = fcntl(sock, F_GETFL);
390 if (flags < 0 || fcntl(sock, F_SETFL, (long) (flags & ~O_NONBLOCK)))
392 snprintf(PQerrormsg, PQERRORMSG_LENGTH,
393 libpq_gettext("could not set socket to blocking mode: %s\n"), strerror(errno));
394 krb5_free_principal(pg_krb5_context, server);
398 retval = krb5_sendauth(pg_krb5_context, &auth_context,
399 (krb5_pointer) & sock, PG_KRB_SRVNAM,
400 pg_krb5_client, server,
401 AP_OPTS_MUTUAL_REQUIRED,
402 NULL, 0, /* no creds, use ccache instead */
403 pg_krb5_ccache, &err_ret, NULL, NULL);
406 if (retval == KRB5_SENDAUTH_REJECTED && err_ret)
408 snprintf(PQerrormsg, PQERRORMSG_LENGTH,
409 libpq_gettext("Kerberos 5 authentication rejected: %*s\n"),
410 err_ret->text.length, err_ret->text.data);
414 snprintf(PQerrormsg, PQERRORMSG_LENGTH,
415 "krb5_sendauth: %s\n", error_message(retval));
419 krb5_free_error(pg_krb5_context, err_ret);
424 krb5_free_principal(pg_krb5_context, server);
426 if (fcntl(sock, F_SETFL, (long) flags))
428 snprintf(PQerrormsg, PQERRORMSG_LENGTH,
429 libpq_gettext("could not restore non-blocking mode on socket: %s\n"),
441 pg_local_sendauth(char *PQerrormsg, PGconn *conn)
447 /* Prevent padding */
448 char cmsgmem[sizeof(struct cmsghdr) + sizeof(struct cmsgcred)];
449 /* Point to start of first structure */
450 struct cmsghdr *cmsg = (struct cmsghdr *)cmsgmem;
454 * The backend doesn't care what we send here, but it wants
455 * exactly one character to force recvmsg() to block and wait
462 memset(&msg, 0, sizeof(msg));
467 /* Create control header, FreeBSD */
468 msg.msg_control = cmsg;
469 msg.msg_controllen = sizeof(cmsgmem);
470 memset(cmsg, 0, sizeof(cmsgmem));
471 cmsg->cmsg_len = sizeof(cmsgmem);
472 cmsg->cmsg_level = SOL_SOCKET;
473 cmsg->cmsg_type = SCM_CREDS;
476 if (sendmsg(conn->sock, &msg, 0) == -1)
478 snprintf(PQerrormsg, PQERRORMSG_LENGTH,
479 "pg_local_sendauth: sendmsg: %s\n", strerror(errno));
487 pg_password_sendauth(PGconn *conn, const char *password, AuthRequest areq)
492 /* Encrypt the password if needed. */
500 if (!(crypt_pwd = malloc(MD5_PASSWD_LEN+1)) ||
501 !(crypt_pwd2 = malloc(MD5_PASSWD_LEN+1)))
506 if (!EncryptMD5(password, conn->pguser,
507 strlen(conn->pguser), crypt_pwd2))
513 if (!EncryptMD5(crypt_pwd2 + strlen("md5"), conn->md5Salt,
514 sizeof(conn->md5Salt), crypt_pwd))
527 StrNCpy(salt, conn->cryptSalt,3);
528 crypt_pwd = crypt(password, salt);
531 case AUTH_REQ_PASSWORD:
532 /* discard const so we can assign it */
533 crypt_pwd = (char *)password;
538 ret = pqPacketSend(conn, crypt_pwd, strlen(crypt_pwd) + 1);
539 if (areq == AUTH_REQ_MD5)
545 * fe_sendauth -- client demux routine for outgoing authentication information
548 fe_sendauth(AuthRequest areq, PGconn *conn, const char *hostname,
549 const char *password, char *PQerrormsg)
551 #if !defined(KRB4) && !defined(KRB5)
552 (void) hostname; /* not used */
562 if (pg_krb4_sendauth(PQerrormsg, conn->sock, &conn->laddr.in,
564 hostname) != STATUS_OK)
566 snprintf(PQerrormsg, PQERRORMSG_LENGTH,
567 libpq_gettext("Kerberos 4 authentication failed\n"));
572 snprintf(PQerrormsg, PQERRORMSG_LENGTH,
573 libpq_gettext("Kerberos 4 authentication not supported\n"));
579 if (pg_krb5_sendauth(PQerrormsg, conn->sock, &conn->laddr.in,
581 hostname) != STATUS_OK)
583 snprintf(PQerrormsg, PQERRORMSG_LENGTH,
584 libpq_gettext("Kerberos 5 authentication failed\n"));
589 snprintf(PQerrormsg, PQERRORMSG_LENGTH,
590 libpq_gettext("Kerberos 5 authentication not supported\n"));
596 case AUTH_REQ_PASSWORD:
597 if (password == NULL || *password == '\0')
599 (void) sprintf(PQerrormsg,
600 "fe_sendauth: no password supplied\n");
603 if (pg_password_sendauth(conn, password, areq) != STATUS_OK)
605 (void) sprintf(PQerrormsg,
606 "fe_sendauth: error sending password authentication\n");
611 case AUTH_REQ_SCM_CREDS:
613 if (pg_local_sendauth(PQerrormsg, conn) != STATUS_OK)
616 snprintf(PQerrormsg, PQERRORMSG_LENGTH,
617 libpq_gettext("SCM_CRED authentication method not supported\n"));
623 snprintf(PQerrormsg, PQERRORMSG_LENGTH,
624 libpq_gettext("authentication method %u not supported\n"), areq);
635 * Set/return the authentication service currently selected for use by the
636 * frontend. (You can only use one in the frontend, obviously.)
638 * NB: This is not thread-safe if different threads try to select different
639 * authentication services! It's OK for fe_getauthsvc to select the default,
640 * since that will be the same for all threads, but direct application use
641 * of fe_setauthsvc is not thread-safe. However, use of fe_setauthsvc is
642 * deprecated anyway...
645 static int pg_authsvc = -1;
648 fe_setauthsvc(const char *name, char *PQerrormsg)
652 for (i = 0; i < n_authsvcs; ++i)
653 if (strcmp(name, authsvcs[i].name) == 0)
660 snprintf(PQerrormsg, PQERRORMSG_LENGTH,
661 libpq_gettext("invalid authentication service name \"%s\", ignored\n"),
668 fe_getauthsvc(char *PQerrormsg)
670 if (pg_authsvc < 0 || pg_authsvc >= n_authsvcs)
671 fe_setauthsvc(DEFAULT_CLIENT_AUTHSVC, PQerrormsg);
672 return authsvcs[pg_authsvc].msgtype;
676 * fe_getauthname -- returns a pointer to dynamic space containing whatever
677 * name the user has authenticated to the system
678 * if there is an error, return the error message in PQerrormsg
681 fe_getauthname(char *PQerrormsg)
683 char *name = (char *) NULL;
684 char *authn = (char *) NULL;
687 authsvc = fe_getauthsvc(PQerrormsg);
690 if (authsvc == STARTUP_KRB4_MSG)
691 name = pg_krb4_authname(PQerrormsg);
694 if (authsvc == STARTUP_KRB5_MSG)
695 name = pg_krb5_authname(PQerrormsg);
698 if (authsvc == STARTUP_MSG
699 || (authsvc == STARTUP_KRB4_MSG && !name)
700 || (authsvc == STARTUP_KRB5_MSG && !name))
704 DWORD namesize = sizeof(username) - 1;
706 if (GetUserName(username, &namesize))
709 struct passwd *pw = getpwuid(geteuid());
716 if (authsvc != STARTUP_MSG && authsvc != STARTUP_KRB4_MSG && authsvc != STARTUP_KRB5_MSG)
717 snprintf(PQerrormsg, PQERRORMSG_LENGTH,
718 libpq_gettext("fe_getauthname: invalid authentication system: %d\n"),
721 if (name && (authn = (char *) malloc(strlen(name) + 1)))