LCOV - code coverage report
Current view: top level - src/backend/libpq - auth-sasl.c (source / functions) Hit Total Coverage
Test: PostgreSQL 17beta1 Lines: 41 46 89.1 %
Date: 2024-05-29 12:11:05 Functions: 1 1 100.0 %
Legend: Lines: hit not hit

          Line data    Source code
       1             : /*-------------------------------------------------------------------------
       2             :  *
       3             :  * auth-sasl.c
       4             :  *    Routines to handle authentication via SASL
       5             :  *
       6             :  * Portions Copyright (c) 1996-2024, PostgreSQL Global Development Group
       7             :  * Portions Copyright (c) 1994, Regents of the University of California
       8             :  *
       9             :  *
      10             :  * IDENTIFICATION
      11             :  *    src/backend/libpq/auth-sasl.c
      12             :  *
      13             :  *-------------------------------------------------------------------------
      14             :  */
      15             : 
      16             : #include "postgres.h"
      17             : 
      18             : #include "libpq/auth.h"
      19             : #include "libpq/libpq.h"
      20             : #include "libpq/pqformat.h"
      21             : #include "libpq/sasl.h"
      22             : 
      23             : /*
      24             :  * Maximum accepted size of SASL messages.
      25             :  *
      26             :  * The messages that the server or libpq generate are much smaller than this,
      27             :  * but have some headroom.
      28             :  */
      29             : #define PG_MAX_SASL_MESSAGE_LENGTH  1024
      30             : 
      31             : /*
      32             :  * Perform a SASL exchange with a libpq client, using a specific mechanism
      33             :  * implementation.
      34             :  *
      35             :  * shadow_pass is an optional pointer to the stored secret of the role
      36             :  * authenticated, from pg_authid.rolpassword.  For mechanisms that use
      37             :  * shadowed passwords, a NULL pointer here means that an entry could not
      38             :  * be found for the role (or the user does not exist), and the mechanism
      39             :  * should fail the authentication exchange.
      40             :  *
      41             :  * Mechanisms must take care not to reveal to the client that a user entry
      42             :  * does not exist; ideally, the external failure mode is identical to that
      43             :  * of an incorrect password.  Mechanisms may instead use the logdetail
      44             :  * output parameter to internally differentiate between failure cases and
      45             :  * assist debugging by the server admin.
      46             :  *
      47             :  * A mechanism is not required to utilize a shadow entry, or even a password
      48             :  * system at all; for these cases, shadow_pass may be ignored and the caller
      49             :  * should just pass NULL.
      50             :  */
      51             : int
      52         100 : CheckSASLAuth(const pg_be_sasl_mech *mech, Port *port, char *shadow_pass,
      53             :               const char **logdetail)
      54             : {
      55             :     StringInfoData sasl_mechs;
      56             :     int         mtype;
      57             :     StringInfoData buf;
      58         100 :     void       *opaq = NULL;
      59         100 :     char       *output = NULL;
      60         100 :     int         outputlen = 0;
      61             :     const char *input;
      62             :     int         inputlen;
      63             :     int         result;
      64             :     bool        initial;
      65             : 
      66             :     /*
      67             :      * Send the SASL authentication request to user.  It includes the list of
      68             :      * authentication mechanisms that are supported.
      69             :      */
      70         100 :     initStringInfo(&sasl_mechs);
      71             : 
      72         100 :     mech->get_mechanisms(port, &sasl_mechs);
      73             :     /* Put another '\0' to mark that list is finished. */
      74         100 :     appendStringInfoChar(&sasl_mechs, '\0');
      75             : 
      76         100 :     sendAuthRequest(port, AUTH_REQ_SASL, sasl_mechs.data, sasl_mechs.len);
      77         100 :     pfree(sasl_mechs.data);
      78             : 
      79             :     /*
      80             :      * Loop through SASL message exchange.  This exchange can consist of
      81             :      * multiple messages sent in both directions.  First message is always
      82             :      * from the client.  All messages from client to server are password
      83             :      * packets (type 'p').
      84             :      */
      85         100 :     initial = true;
      86             :     do
      87             :     {
      88         178 :         pq_startmsgread();
      89         178 :         mtype = pq_getbyte();
      90         178 :         if (mtype != PqMsg_SASLResponse)
      91             :         {
      92             :             /* Only log error if client didn't disconnect. */
      93          22 :             if (mtype != EOF)
      94             :             {
      95           0 :                 ereport(ERROR,
      96             :                         (errcode(ERRCODE_PROTOCOL_VIOLATION),
      97             :                          errmsg("expected SASL response, got message type %d",
      98             :                                 mtype)));
      99             :             }
     100             :             else
     101          22 :                 return STATUS_EOF;
     102             :         }
     103             : 
     104             :         /* Get the actual SASL message */
     105         156 :         initStringInfo(&buf);
     106         156 :         if (pq_getmessage(&buf, PG_MAX_SASL_MESSAGE_LENGTH))
     107             :         {
     108             :             /* EOF - pq_getmessage already logged error */
     109           0 :             pfree(buf.data);
     110           0 :             return STATUS_ERROR;
     111             :         }
     112             : 
     113         156 :         elog(DEBUG4, "processing received SASL response of length %d", buf.len);
     114             : 
     115             :         /*
     116             :          * The first SASLInitialResponse message is different from the others.
     117             :          * It indicates which SASL mechanism the client selected, and contains
     118             :          * an optional Initial Client Response payload.  The subsequent
     119             :          * SASLResponse messages contain just the SASL payload.
     120             :          */
     121         156 :         if (initial)
     122             :         {
     123             :             const char *selected_mech;
     124             : 
     125          78 :             selected_mech = pq_getmsgrawstring(&buf);
     126             : 
     127             :             /*
     128             :              * Initialize the status tracker for message exchanges.
     129             :              *
     130             :              * If the user doesn't exist, or doesn't have a valid password, or
     131             :              * it's expired, we still go through the motions of SASL
     132             :              * authentication, but tell the authentication method that the
     133             :              * authentication is "doomed". That is, it's going to fail, no
     134             :              * matter what.
     135             :              *
     136             :              * This is because we don't want to reveal to an attacker what
     137             :              * usernames are valid, nor which users have a valid password.
     138             :              */
     139          78 :             opaq = mech->init(port, selected_mech, shadow_pass);
     140             : 
     141          78 :             inputlen = pq_getmsgint(&buf, 4);
     142          78 :             if (inputlen == -1)
     143           0 :                 input = NULL;
     144             :             else
     145          78 :                 input = pq_getmsgbytes(&buf, inputlen);
     146             : 
     147          78 :             initial = false;
     148             :         }
     149             :         else
     150             :         {
     151          78 :             inputlen = buf.len;
     152          78 :             input = pq_getmsgbytes(&buf, buf.len);
     153             :         }
     154         156 :         pq_getmsgend(&buf);
     155             : 
     156             :         /*
     157             :          * The StringInfo guarantees that there's a \0 byte after the
     158             :          * response.
     159             :          */
     160             :         Assert(input == NULL || input[inputlen] == '\0');
     161             : 
     162             :         /*
     163             :          * Hand the incoming message to the mechanism implementation.
     164             :          */
     165         156 :         result = mech->exchange(opaq, input, inputlen,
     166             :                                 &output, &outputlen,
     167             :                                 logdetail);
     168             : 
     169             :         /* input buffer no longer used */
     170         156 :         pfree(buf.data);
     171             : 
     172         156 :         if (output)
     173             :         {
     174             :             /*
     175             :              * PG_SASL_EXCHANGE_FAILURE with some output is forbidden by SASL.
     176             :              * Make sure here that the mechanism used got that right.
     177             :              */
     178         144 :             if (result == PG_SASL_EXCHANGE_FAILURE)
     179           0 :                 elog(ERROR, "output message found after SASL exchange failure");
     180             : 
     181             :             /*
     182             :              * Negotiation generated data to be sent to the client.
     183             :              */
     184         144 :             elog(DEBUG4, "sending SASL challenge of length %d", outputlen);
     185             : 
     186         144 :             if (result == PG_SASL_EXCHANGE_SUCCESS)
     187          66 :                 sendAuthRequest(port, AUTH_REQ_SASL_FIN, output, outputlen);
     188             :             else
     189          78 :                 sendAuthRequest(port, AUTH_REQ_SASL_CONT, output, outputlen);
     190             : 
     191         144 :             pfree(output);
     192             :         }
     193         156 :     } while (result == PG_SASL_EXCHANGE_CONTINUE);
     194             : 
     195             :     /* Oops, Something bad happened */
     196          78 :     if (result != PG_SASL_EXCHANGE_SUCCESS)
     197             :     {
     198          12 :         return STATUS_ERROR;
     199             :     }
     200             : 
     201          66 :     return STATUS_OK;
     202             : }

Generated by: LCOV version 1.14