Discussion: [COMMITTERS] pgsql: Support SCRAM-SHA-256 authentication (RFC 5802 and 7677).
[COMMITTERS] pgsql: Support SCRAM-SHA-256 authentication (RFC 5802 and 7677).
From:
Heikki Linnakangas
Date:
Support SCRAM-SHA-256 authentication (RFC 5802 and 7677).

This introduces a new generic SASL authentication method, similar to the GSS and SSPI methods. The server first tells the client which SASL authentication mechanism to use, and then the mechanism-specific SASL messages are exchanged in AuthenticationSASLcontinue and PasswordMessage messages. Only SCRAM-SHA-256 is supported at the moment, but this allows adding more SASL mechanisms in the future, without changing the overall protocol.

Support for channel binding, aka SCRAM-SHA-256-PLUS is left for later.

The SASLPrep algorithm, for pre-processing the password, is not yet implemented. That could cause trouble, if you use a password with non-ASCII characters, and a client library that does implement SASLprep. That will hopefully be added later.

Authorization identities, as specified in the SCRAM-SHA-256 specification, are ignored. SET SESSION AUTHORIZATION provides more or less the same functionality, anyway.

If a user doesn't exist, perform a "mock" authentication, by constructing an authentic-looking challenge on the fly. The challenge is derived from a new system-wide random value, "mock authentication nonce", which is created at initdb, and stored in the control file. We go through these motions, in order to not give away the information on whether the user exists, to unauthenticated users.

Bumps PG_CONTROL_VERSION, because of the new field in control file.

Patch by Michael Paquier and Heikki Linnakangas, reviewed at different stages by Robert Haas, Stephen Frost, David Steele, Aleksander Alekseev, and many others.
Discussion: https://www.postgresql.org/message-id/CAB7nPqRbR3GmFYdedCAhzukfKrgBLTLtMvENOmPrVWREsZkF8g%40mail.gmail.com
Discussion: https://www.postgresql.org/message-id/CAB7nPqSMXU35g%3DW9X74HVeQp0uvgJxvYOuA4A-A3M%2B0wfEBv-w%40mail.gmail.com
Discussion: https://www.postgresql.org/message-id/55192AFE.6080106@iki.fi

Branch
------
master

Details
-------
http://git.postgresql.org/pg/commitdiff/818fd4a67d610991757b610755e3065fb99d80a5

Modified Files
--------------
contrib/pgcrypto/.gitignore                   |    4 -
contrib/pgcrypto/Makefile                     |   11 +-
doc/src/sgml/catalogs.sgml                    |   25 +-
doc/src/sgml/client-auth.sgml                 |   59 +-
doc/src/sgml/config.sgml                      |    7 +-
doc/src/sgml/protocol.sgml                    |  147 +++-
doc/src/sgml/ref/create_role.sgml             |   17 +-
src/backend/access/transam/xlog.c             |   24 +
src/backend/commands/user.c                   |   14 +-
src/backend/libpq/Makefile                    |    2 +-
src/backend/libpq/auth-scram.c                | 1032 +++++++++++++++++++++++++
src/backend/libpq/auth.c                      |  136 ++++
src/backend/libpq/crypt.c                     |   27 +-
src/backend/libpq/hba.c                       |    3 +
src/backend/libpq/pg_hba.conf.sample          |    8 +-
src/backend/utils/misc/guc.c                  |    1 +
src/backend/utils/misc/postgresql.conf.sample |    2 +-
src/bin/initdb/initdb.c                       |   21 +-
src/bin/pg_controldata/pg_controldata.c       |   12 +-
src/common/Makefile                           |    6 +-
src/common/base64.c                           |  199 +++++
src/common/scram-common.c                     |  196 +++++
src/include/access/xlog.h                     |    1 +
src/include/catalog/pg_control.h              |   11 +-
src/include/common/base64.h                   |   19 +
src/include/common/scram-common.h             |   62 ++
src/include/libpq/crypt.h                     |    3 +-
src/include/libpq/hba.h                       |    1 +
src/include/libpq/pqcomm.h                    |    2 +
src/include/libpq/scram.h                     |   35 +
src/interfaces/libpq/.gitignore               |    5 +
src/interfaces/libpq/Makefile                 |   20 +-
src/interfaces/libpq/fe-auth-scram.c          |  640 +++++++++++++++
src/interfaces/libpq/fe-auth.c                |  112 +++
src/interfaces/libpq/fe-auth.h                |    8 +
src/interfaces/libpq/fe-connect.c             |   52 ++
src/interfaces/libpq/libpq-int.h              |    7 +-
src/tools/msvc/Mkvcbuild.pm                   |   12 +-
38 files changed, 2866 insertions(+), 77 deletions(-)
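As an added illustration (not code from the commit or from libpq), here is the SCRAM-SHA-256 key and proof arithmetic that the SASL exchange described in the commit message is built on, together with the idea behind the mock challenge for unknown users. Deriving the fake salt as HMAC(mock nonce, username), the 4096 iteration count for mock users and all sample values are this example's assumptions, not necessarily what the commit implements.

```python
import hashlib
import hmac

def hi(password: bytes, salt: bytes, iterations: int) -> bytes:
    """Hi() from RFC 5802 is PBKDF2 with HMAC-SHA-256 (RFC 7677)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)

def scram_keys(password: bytes, salt: bytes, iterations: int):
    """Derive ClientKey, StoredKey and ServerKey from a password.

    The server only needs to keep (salt, iterations, StoredKey, ServerKey);
    ClientKey itself never has to be stored."""
    salted = hi(password, salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    return client_key, stored_key, server_key

def client_proof(client_key: bytes, stored_key: bytes, auth_message: bytes) -> bytes:
    """ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    sig = hmac.new(stored_key, auth_message, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(client_key, sig))

def server_verify(stored_key: bytes, auth_message: bytes, proof: bytes) -> bool:
    """Recover ClientKey from the proof and check H(ClientKey) == StoredKey."""
    sig = hmac.new(stored_key, auth_message, hashlib.sha256).digest()
    client_key = bytes(a ^ b for a, b in zip(proof, sig))
    return hmac.compare_digest(hashlib.sha256(client_key).digest(), stored_key)

def server_signature(server_key: bytes, auth_message: bytes) -> bytes:
    """ServerSignature, sent back so the client can authenticate the server."""
    return hmac.new(server_key, auth_message, hashlib.sha256).digest()

def challenge_salt(users: dict, mock_nonce: bytes, username: str) -> tuple:
    """Return (salt, iterations) for the server-first-message.

    Known users get their stored salt. Unknown users get a salt derived
    deterministically from the system-wide mock nonce, so repeated attempts
    see the same authentic-looking challenge and cannot tell the two cases
    apart. The HMAC(mock_nonce, username) derivation and the 4096 iteration
    count are assumptions of this example."""
    if username in users:
        return users[username]["salt"], users[username]["iterations"]
    fake = hmac.new(mock_nonce, username.encode("utf-8"), hashlib.sha256).digest()
    return fake[:16], 4096
```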
Re: [COMMITTERS] pgsql: Support SCRAM-SHA-256 authentication (RFC5802 and 7677).
From:
Amit Kapila
Date:
On Tue, Mar 7, 2017 at 5:56 PM, Heikki Linnakangas <heikki.linnakangas@iki.fi> wrote:
> Support SCRAM-SHA-256 authentication (RFC 5802 and 7677).

+ * Portions Copyright (c) 1996-2016, PostgreSQL Global Development Group
+ * Portions Copyright (c) 1994, Regents of the University of California
+ *
+ * src/backend/libpq/auth-scram.c

The year in the copyright notice needs to be updated: /2016/2017

I could see the same problem with other newly added files.

+ * scram-common.h
+ *	  Declarations for helper functions used for SCRAM authentication
+ *
+ * Portions Copyright (c) 1996-2016, PostgreSQL Global Development Group
+ * Portions Copyright (c) 1994, Regents of the University of California
+ *
+ * src/include/common/relpath.h

The file name in the directory path does not match the actual file name.

--
With Regards,
Amit Kapila.
EnterpriseDB: http://www.enterprisedb.com
Re: [COMMITTERS] pgsql: Support SCRAM-SHA-256 authentication (RFC5802 and 7677).
From:
Heikki Linnakangas
Date:
On 03/07/2017 03:08 PM, Amit Kapila wrote:
> On Tue, Mar 7, 2017 at 5:56 PM, Heikki Linnakangas
> <heikki.linnakangas@iki.fi> wrote:
>> Support SCRAM-SHA-256 authentication (RFC 5802 and 7677).
>>
>
> + * Portions Copyright (c) 1996-2016, PostgreSQL Global Development Group
> + * Portions Copyright (c) 1994, Regents of the University of California
> + *
> + * src/backend/libpq/auth-scram.c
>
> Year in the copyright notice needs to be updated:
> /2016/2017
>
> I could see the same problem with other newly added files.

Ah, time flies..

> + * scram-common.h
> + *	  Declarations for helper functions used for SCRAM authentication
> + *
> + * Portions Copyright (c) 1996-2016, PostgreSQL Global Development Group
> + * Portions Copyright (c) 1994, Regents of the University of California
> + *
> + * src/include/common/relpath.h
>
> file name in directory path is not matching actual file name.

Fixed, thanks!

- Heikki
Re: [COMMITTERS] pgsql: Support SCRAM-SHA-256 authentication (RFC5802 and 7677).
From:
Peter Eisentraut
Date:
On 3/7/17 07:26, Heikki Linnakangas wrote:
> Support SCRAM-SHA-256 authentication (RFC 5802 and 7677).

This is probably a mistake:

fe-auth.c: In function 'pg_SASL_init':
fe-auth.c:453:24: error: logical 'or' of equal expressions [-Werror=logical-op]
   if (password == NULL || password == '\0')
                        ^~

Did you mean password[0] == '\0'?

--
Peter Eisentraut              http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
Re: [COMMITTERS] pgsql: Support SCRAM-SHA-256 authentication (RFC5802 and 7677).
From:
Heikki Linnakangas
Date:
On 03/07/2017 04:07 PM, Peter Eisentraut wrote:
> On 3/7/17 07:26, Heikki Linnakangas wrote:
>> Support SCRAM-SHA-256 authentication (RFC 5802 and 7677).
>
> This is probably a mistake:
>
> fe-auth.c: In function 'pg_SASL_init':
> fe-auth.c:453:24: error: logical 'or' of equal expressions [-Werror=logical-op]
>    if (password == NULL || password == '\0')
>                         ^~
>
> Did you mean password[0] == '\0'?

Thanks, will fix!

I also noticed that the HPUX buildfarm members pademelon and gaur failed, with this:

/usr/ccs/bin/ld: Unsatisfied symbols:
   htonl (code)

I will look into that too.

- Heikki
Heikki Linnakangas <hlinnaka@iki.fi> writes:
> I also noticed that the HPUX buildfarm members pademelon and gaur
> failed, with this:
> /usr/ccs/bin/ld: Unsatisfied symbols:
>    htonl (code)
> I will look into that too.

I think the critical part of their report is

scram-common.c: In function `scram_Hi':
scram-common.c:106: warning: implicit declaration of function `htonl'

There are two headers that we commonly include when wanting those functions:

/* for ntohl/htonl */
#include <netinet/in.h>
#include <arpa/inet.h>

I think you probably left out one or both.

			regards, tom lane