Обсуждение: [COMMITTERS] pgsql: Support SCRAM-SHA-256 authentication (RFC 5802 and 7677).

Support SCRAM-SHA-256 authentication (RFC 5802 and 7677).

This introduces a new generic SASL authentication method, similar to the
GSS and SSPI methods. The server first tells the client which SASL
authentication mechanism to use, and then the mechanism-specific SASL
messages are exchanged in AuthenticationSASLcontinue and PasswordMessage
messages. Only SCRAM-SHA-256 is supported at the moment, but this allows
adding more SASL mechanisms in the future, without changing the overall
protocol.

Support for channel binding, aka SCRAM-SHA-256-PLUS is left for later.

The SASLPrep algorithm, for pre-processing the password, is not yet
implemented. That could cause trouble, if you use a password with
non-ASCII characters, and a client library that does implement SASLprep.
That will hopefully be added later.

Authorization identities, as specified in the SCRAM-SHA-256 specification,
are ignored. SET SESSION AUTHORIZATION provides more or less the same
functionality, anyway.

If a user doesn't exist, perform a "mock" authentication, by constructing
an authentic-looking challenge on the fly. The challenge is derived from
a new system-wide random value, "mock authentication nonce", which is
created at initdb, and stored in the control file. We go through these
motions, in order to not give away the information on whether the user
exists, to unauthenticated users.

Bumps PG_CONTROL_VERSION, because of the new field in control file.

Patch by Michael Paquier and Heikki Linnakangas, reviewed at different
stages by Robert Haas, Stephen Frost, David Steele, Aleksander Alekseev,
and many others.

Discussion: https://www.postgresql.org/message-id/CAB7nPqRbR3GmFYdedCAhzukfKrgBLTLtMvENOmPrVWREsZkF8g%40mail.gmail.com
Discussion:
https://www.postgresql.org/message-id/CAB7nPqSMXU35g%3DW9X74HVeQp0uvgJxvYOuA4A-A3M%2B0wfEBv-w%40mail.gmail.com
Discussion: https://www.postgresql.org/message-id/55192AFE.6080106@iki.fi

Branch
------
master

Details
-------
http://git.postgresql.org/pg/commitdiff/818fd4a67d610991757b610755e3065fb99d80a5

Modified Files
--------------
contrib/pgcrypto/.gitignore                   |    4 -
contrib/pgcrypto/Makefile                     |   11 +-
doc/src/sgml/catalogs.sgml                    |   25 +-
doc/src/sgml/client-auth.sgml                 |   59 +-
doc/src/sgml/config.sgml                      |    7 +-
doc/src/sgml/protocol.sgml                    |  147 +++-
doc/src/sgml/ref/create_role.sgml             |   17 +-
src/backend/access/transam/xlog.c             |   24 +
src/backend/commands/user.c                   |   14 +-
src/backend/libpq/Makefile                    |    2 +-
src/backend/libpq/auth-scram.c                | 1032 +++++++++++++++++++++++++
src/backend/libpq/auth.c                      |  136 ++++
src/backend/libpq/crypt.c                     |   27 +-
src/backend/libpq/hba.c                       |    3 +
src/backend/libpq/pg_hba.conf.sample          |    8 +-
src/backend/utils/misc/guc.c                  |    1 +
src/backend/utils/misc/postgresql.conf.sample |    2 +-
src/bin/initdb/initdb.c                       |   21 +-
src/bin/pg_controldata/pg_controldata.c       |   12 +-
src/common/Makefile                           |    6 +-
src/common/base64.c                           |  199 +++++
src/common/scram-common.c                     |  196 +++++
src/include/access/xlog.h                     |    1 +
src/include/catalog/pg_control.h              |   11 +-
src/include/common/base64.h                   |   19 +
src/include/common/scram-common.h             |   62 ++
src/include/libpq/crypt.h                     |    3 +-
src/include/libpq/hba.h                       |    1 +
src/include/libpq/pqcomm.h                    |    2 +
src/include/libpq/scram.h                     |   35 +
src/interfaces/libpq/.gitignore               |    5 +
src/interfaces/libpq/Makefile                 |   20 +-
src/interfaces/libpq/fe-auth-scram.c          |  640 +++++++++++++++
src/interfaces/libpq/fe-auth.c                |  112 +++
src/interfaces/libpq/fe-auth.h                |    8 +
src/interfaces/libpq/fe-connect.c             |   52 ++
src/interfaces/libpq/libpq-int.h              |    7 +-
src/tools/msvc/Mkvcbuild.pm                   |   12 +-
38 files changed, 2866 insertions(+), 77 deletions(-)

On Tue, Mar 7, 2017 at 5:56 PM, Heikki Linnakangas
<heikki.linnakangas@iki.fi> wrote:
> Support SCRAM-SHA-256 authentication (RFC 5802 and 7677).
>

+ * Portions Copyright (c) 1996-2016, PostgreSQL Global Development Group
+ * Portions Copyright (c) 1994, Regents of the University of California
+ *
+ * src/backend/libpq/auth-scram.c

Year in the copyright notice needs to be updated:
/2016/2017

I could see the same problem with other newly added files.

+ * scram-common.h
+ *     Declarations for helper functions used for SCRAM authentication
+ *
+ * Portions Copyright (c) 1996-2016, PostgreSQL Global Development Group
+ * Portions Copyright (c) 1994, Regents of the University of California
+ *
+ * src/include/common/relpath.h

file name in directory path is not matching actual file name.

--
With Regards,
Amit Kapila.
EnterpriseDB: http://www.enterprisedb.com

On 03/07/2017 03:08 PM, Amit Kapila wrote:
> On Tue, Mar 7, 2017 at 5:56 PM, Heikki Linnakangas
> <heikki.linnakangas@iki.fi> wrote:
>> Support SCRAM-SHA-256 authentication (RFC 5802 and 7677).
>>
>
> + * Portions Copyright (c) 1996-2016, PostgreSQL Global Development Group
> + * Portions Copyright (c) 1994, Regents of the University of California
> + *
> + * src/backend/libpq/auth-scram.c
>
> Year in the copyright notice needs to be updated:
> /2016/2017
>
> I could see the same problem with other newly added files.

Ah, time flies..

> + * scram-common.h
> + *     Declarations for helper functions used for SCRAM authentication
> + *
> + * Portions Copyright (c) 1996-2016, PostgreSQL Global Development Group
> + * Portions Copyright (c) 1994, Regents of the University of California
> + *
> + * src/include/common/relpath.h
>
> file name in directory path is not matching actual file name.

Fixed, thanks!

- Heikki

On 3/7/17 07:26, Heikki Linnakangas wrote:
> Support SCRAM-SHA-256 authentication (RFC 5802 and 7677).

This is probably a mistake:

fe-auth.c: In function 'pg_SASL_init':
fe-auth.c:453:24: error: logical 'or' of equal expressions [-Werror=logical-op]
   if (password == NULL || password == '\0')
                        ^~

Did you mean password[0] == '\0'?

--
Peter Eisentraut              http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services

On 03/07/2017 04:07 PM, Peter Eisentraut wrote:
> On 3/7/17 07:26, Heikki Linnakangas wrote:
>> Support SCRAM-SHA-256 authentication (RFC 5802 and 7677).
>
> This is probably a mistake:
>
> fe-auth.c: In function 'pg_SASL_init':
> fe-auth.c:453:24: error: logical 'or' of equal expressions [-Werror=logical-op]
>    if (password == NULL || password == '\0')
>                         ^~
>
> Did you mean password[0] == '\0'?

Thanks, will fix!

I also noticed that the HPUX buildfarm members pademelon and gaur
failed, with this:

/usr/ccs/bin/ld: Unsatisfied symbols:
    htonl (code)

I will look into that too.

- Heikki

Heikki Linnakangas <hlinnaka@iki.fi> writes:
> I also noticed that the HPUX buildfarm members pademelon and gaur
> failed, with this:
> /usr/ccs/bin/ld: Unsatisfied symbols:
>     htonl (code)
> I will look into that too.

I think the critical part of their report is

scram-common.c: In function `scram_Hi':
scram-common.c:106: warning: implicit declaration of function `htonl'

There are two headers that we commonly include when wanting those
functions:

/* for ntohl/htonl */
#include <netinet/in.h>
#include <arpa/inet.h>

I think you probably left out one or both.

            regards, tom lane