NotificationsYou must be signed in to change notification settings
Fork28
Star151

Commit818fd4a

committed

Support SCRAM-SHA-256 authentication (RFC 5802 and 7677).

This introduces a new generic SASL authentication method, similar to theGSS and SSPI methods. The server first tells the client which SASLauthentication mechanism to use, and then the mechanism-specific SASLmessages are exchanged in AuthenticationSASLcontinue and PasswordMessagemessages. Only SCRAM-SHA-256 is supported at the moment, but this allowsadding more SASL mechanisms in the future, without changing the overallprotocol.Support for channel binding, aka SCRAM-SHA-256-PLUS is left for later.The SASLPrep algorithm, for pre-processing the password, is not yetimplemented. That could cause trouble, if you use a password withnon-ASCII characters, and a client library that does implement SASLprep.That will hopefully be added later.Authorization identities, as specified in the SCRAM-SHA-256 specification,are ignored. SET SESSION AUTHORIZATION provides more or less the samefunctionality, anyway.If a user doesn't exist, perform a "mock" authentication, by constructingan authentic-looking challenge on the fly. The challenge is derived froma new system-wide random value, "mock authentication nonce", which iscreated at initdb, and stored in the control file. We go through thesemotions, in order to not give away the information on whether the userexists, to unauthenticated users.Bumps PG_CONTROL_VERSION, because of the new field in control file.Patch by Michael Paquier and Heikki Linnakangas, reviewed at differentstages by Robert Haas, Stephen Frost, David Steele, Aleksander Alekseev,and many others.Discussion:https://www.postgresql.org/message-id/CAB7nPqRbR3GmFYdedCAhzukfKrgBLTLtMvENOmPrVWREsZkF8g%40mail.gmail.comDiscussion:https://www.postgresql.org/message-id/CAB7nPqSMXU35g%3DW9X74HVeQp0uvgJxvYOuA4A-A3M%2B0wfEBv-w%40mail.gmail.comDiscussion:https://www.postgresql.org/message-id/55192AFE.6080106@iki.fi

1 parent273c458 commit818fd4aCopy full SHA for 818fd4a

File tree

38 files changed

+2866

-77

lines changed

contrib/pgcrypto
- .gitignore
- Makefile
doc/src/sgml
src
- backend
  - access/transam
    - xlog.c
  - commands
    - user.c
  - libpq
  - utils/misc
    - guc.c
    - postgresql.conf.sample
- bin
  - initdb
    - initdb.c
  - pg_controldata
    - pg_controldata.c
- common
- include
  - access
    - xlog.h
  - catalog
    - pg_control.h
  - common
    - base64.h
    - scram-common.h
  - libpq
- interfaces/libpq
- tools/msvc
  - Mkvcbuild.pm

38 files changed

+2866

-77

lines changed

`‎contrib/pgcrypto/.gitignore`

Lines changed: 0 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,3 @@`
`1`		`-# Source file copied from src/common`
`2`		`-/sha2.c`
`3`		`-/sha2_openssl.c`
`4`		`-`
`5`	`1`	`# Generated subdirectories`
`6`	`2`	`/log/`
`7`	`3`	`/results/`

`‎contrib/pgcrypto/Makefile`

Lines changed: 2 additions & 9 deletions

Original file line number	Diff line number	Diff line change
`@@ -1,10 +1,10 @@`
`1`	`1`	`# contrib/pgcrypto/Makefile`
`2`	`2`
`3`		`-INT_SRCS = md5.c sha1.csha2.cinternal.c internal-sha2.c blf.c rijndael.c\`
	`3`	`+INT_SRCS = md5.c sha1.c internal.c internal-sha2.c blf.c rijndael.c\`
`4`	`4`	`pgp-mpi-internal.c imath.c`
`5`	`5`	`INT_TESTS = sha2`
`6`	`6`
`7`		`-OSSL_SRCS = openssl.c pgp-mpi-openssl.c sha2_openssl.c`
	`7`	`+OSSL_SRCS = openssl.c pgp-mpi-openssl.c`
`8`	`8`	`OSSL_TESTS = sha2 des 3des cast5`
`9`	`9`
`10`	`10`	`ZLIB_TST = pgp-compression`
`@@ -59,13 +59,6 @@ SHLIB_LINK += $(filter -leay32, $(LIBS))`
`59`	`59`	`SHLIB_LINK += -lws2_32`
`60`	`60`	`endif`
`61`	`61`
`62`		`-# Compiling pgcrypto with those two raw files is necessary as long`
`63`		`-# as none of their routines are used by the backend code. Note doing`
`64`		`-# so can either result in library loading failures or linking resolution`
`65`		`-# failures at compilation depending on the environment used.`
`66`		`-sha2.csha2_openssl.c:% :$(top_srcdir)/src/common/%`
`67`		`-rm -f$@&&$(LN_S)$<.`
`68`		`-`
`69`	`62`	`rijndael.o: rijndael.tbl`
`70`	`63`
`71`	`64`	`rijndael.tbl:`

`‎doc/src/sgml/catalogs.sgml`

Lines changed: 17 additions & 8 deletions

Original file line number	Diff line number	Diff line change
`@@ -1334,14 +1334,8 @@`
`1334`	`1334`	`<entry><structfield>rolpassword</structfield></entry>`
`1335`	`1335`	`<entry><type>text</type></entry>`
`1336`	`1336`	`<entry>`
`1337`		`- Password (possibly encrypted); null if none. If the password`
`1338`		`- is encrypted, this column will begin with the string <literal>md5</>`
`1339`		`- followed by a 32-character hexadecimal MD5 hash. The MD5 hash`
`1340`		`- will be of the user's password concatenated to their user name.`
`1341`		`- For example, if user <literal>joe</> has password <literal>xyzzy</>,`
`1342`		`- <productname>PostgreSQL</> will store the md5 hash of`
`1343`		`- <literal>xyzzyjoe</>. A password that does not follow that`
`1344`		`- format is assumed to be unencrypted.`
	`1337`	`+ Password (possibly encrypted); null if none. The format depends`
	`1338`	`+ on the form of encryption used.`
`1345`	`1339`	`</entry>`
`1346`	`1340`	`</row>`
`1347`	`1341`
`@@ -1355,6 +1349,21 @@`
`1355`	`1349`	`</tgroup>`
`1356`	`1350`	`</table>`
`1357`	`1351`
	`1352`	`+ <para>`
	`1353`	`+ For an MD5 encrypted password, <structfield>rolpassword</structfield>`
	`1354`	`+ column will begin with the string <literal>md5</> followed by a`
	`1355`	`+ 32-character hexadecimal MD5 hash. The MD5 hash will be of the user's`
	`1356`	`+ password concatenated to their user name. For example, if user`
	`1357`	`+ <literal>joe</> has password <literal>xyzzy</>, <productname>PostgreSQL</>`
	`1358`	`+ will store the md5 hash of <literal>xyzzyjoe</>. If the password is`
	`1359`	`+ encrypted with SCRAM-SHA-256, it consists of 5 fields separated by colons.`
	`1360`	`+ The first field is the constant <literal>scram-sha-256</literal>, to`
	`1361`	`+ identify the password as a SCRAM-SHA-256 verifier. The second field is a`
	`1362`	`+ salt, Base64-encoded, and the third field is the number of iterations used`
	`1363`	`+ to generate the password. The fourth field and fifth field are the stored`
	`1364`	`+ key and server key, respectively, in hexadecimal format. A password that`
	`1365`	`+ does not follow either of those formats is assumed to be unencrypted.`
	`1366`	`+ </para>`
`1358`	`1367`	`</sect1>`
`1359`	`1368`
`1360`	`1369`

`‎doc/src/sgml/client-auth.sgml`

Lines changed: 46 additions & 13 deletions

Original file line number	Diff line number	Diff line change
`@@ -422,6 +422,17 @@ hostnossl <replaceable>database</replaceable> <replaceable>user</replaceable>`
`422`	`422`	`</listitem>`
`423`	`423`	`</varlistentry>`
`424`	`424`
	`425`	`+ <varlistentry>`
	`426`	`+ <term><literal>scram</></term>`
	`427`	`+ <listitem>`
	`428`	`+ <para>`
	`429`	`+ Perform SCRAM-SHA-256 authentication to verify the user's`
	`430`	`+ password.`
	`431`	`+ See <xref linkend="auth-password"> for details.`
	`432`	`+ </para>`
	`433`	`+ </listitem>`
	`434`	`+ </varlistentry>`
	`435`	`+`
`425`	`436`	`<varlistentry>`
`426`	`437`	`<term><literal>password</></term>`
`427`	`438`	`<listitem>`
`@@ -673,13 +684,19 @@ host postgres all 192.168.93.0/24 ident`
`673`	`684`	`# "postgres" if the user's password is correctly supplied.`
`674`	`685`	`#`
`675`	`686`	`# TYPE DATABASE USER ADDRESS METHOD`
`676`		`-host postgres all 192.168.12.10/32md5`
	`687`	`+host postgres all 192.168.12.10/32scram`
`677`	`688`
`678`	`689`	`# Allow any user from hosts in the example.com domain to connect to`
`679`	`690`	`# any database if the user's password is correctly supplied.`
`680`	`691`	`#`
	`692`	`+# Most users use SCRAM authentication, but some users use older clients`
	`693`	`+# that don't support SCRAM authentication, and need to be able to log`
	`694`	`+# in using MD5 authentication. Such users are put in the @md5users`
	`695`	`+# group, everyone else must use SCRAM.`
	`696`	`+#`
`681`	`697`	`# TYPE DATABASE USER ADDRESS METHOD`
`682`		`-host all all .example.com md5`
	`698`	`+host all @md5users .example.com md5`
	`699`	`+host all all .example.com scram`
`683`	`700`
`684`	`701`	`# In the absence of preceding "host" lines, these two lines will`
`685`	`702`	`# reject all connections from 192.168.54.1 (since that entry will be`
`@@ -907,21 +924,37 @@ omicron bryanh guest1`
`907`	`924`	`</indexterm>`
`908`	`925`
`909`	`926`	`<para>`
`910`		`- The password-based authentication methods are <literal>md5</>`
`911`		`- and <literal>password</>. These methods operate`
	`927`	`+ The password-based authentication methods are <literal>scram</>`
	`928`	`+<literal>md5</>and <literal>password</>. These methods operate`
`912`	`929`	`similarly except for the way that the password is sent across the`
`913`		`- connection, namely MD5-hashed and clear-text respectively.`
	`930`	`+ connection.`
	`931`	`+ </para>`
	`932`	`+`
	`933`	`+ <para>`
	`934`	`+ Plain <literal>password</> sends the password in clear-text, and is`
	`935`	`+ therefore vulnerable to password <quote>sniffing</> attacks. It should`
	`936`	`+ always be avoided if possible. If the connection is protected by SSL`
	`937`	`+ encryption then <literal>password</> can be used safely, though.`
	`938`	`+ (Though SSL certificate authentication might be a better choice if one`
	`939`	`+ is depending on using SSL).`
	`940`	`+ </para>`
	`941`	`+`
	`942`	`+`
	`943`	`+ <para>`
	`944`	`+ <literal>scram</> performs SCRAM-SHA-256 authentication, as described`
	`945`	`+ in <ulink url="https://tools.ietf.org/html/rfc5802">RFC5802</ulink>. It`
	`946`	`+ is a challenge-response scheme, that prevents password sniffing on`
	`947`	`+ untrusted connections. It is more secure than the <literal>md5</>`
	`948`	`+ method, but might not be supported by older clients.`
`914`	`949`	`</para>`
`915`	`950`
`916`	`951`	`<para>`
`917`		`- If you are at all concerned about password`
`918`		`- <quote>sniffing</> attacks then <literal>md5</> is preferred.`
`919`		`- Plain <literal>password</> should always be avoided if possible.`
`920`		`- However, <literal>md5</> cannot be used with the <xref`
`921`		`- linkend="guc-db-user-namespace"> feature. If the connection is`
`922`		`- protected by SSL encryption then <literal>password</> can be used`
`923`		`- safely (though SSL certificate authentication might be a better`
`924`		`- choice if one is depending on using SSL).`
	`952`	`+ In <literal>md5</>, the client sends a hash of a random challenge,`
	`953`	`+ generated by the server, and the password. It prevents password sniffing,`
	`954`	`+ but is less secure than <literal>scram</>, and provides no protection`
	`955`	`+ if an attacker manages to steal the password hash from the server.`
	`956`	`+ <literal>md5</> cannot be used with the <xref`
	`957`	`+ linkend="guc-db-user-namespace"> feature.`
`925`	`958`	`</para>`
`926`	`959`
`927`	`960`	`<para>`

`‎doc/src/sgml/config.sgml`

Lines changed: 4 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -1193,9 +1193,10 @@ include_dir 'conf.d'`
`1193`	`1193`	`password is to be encrypted. The default value is <literal>md5</>, which`
`1194`	`1194`	`stores the password as an MD5 hash. Setting this to <literal>plain</> stores`
`1195`	`1195`	`it in plaintext. <literal>on</> and <literal>off</> are also accepted, as`
`1196`		`- aliases for <literal>md5</> and <literal>plain</>, respectively.`
`1197`		`- </para>`
`1198`		`-`
	`1196`	`+ aliases for <literal>md5</> and <literal>plain</>, respectively. Setting`
	`1197`	`+ this parameter to <literal>scram</> will encrypt the password with`
	`1198`	`+ SCRAM-SHA-256.`
	`1199`	`+ </para>`
`1199`	`1200`	`</listitem>`
`1200`	`1201`	`</varlistentry>`
`1201`	`1202`

`‎doc/src/sgml/protocol.sgml`

Lines changed: 142 additions & 5 deletions

Original file line number	Diff line number	Diff line change
`@@ -228,11 +228,11 @@`
`228`	`228`	`The server then sends an appropriate authentication request message,`
`229`	`229`	`to which the frontend must reply with an appropriate authentication`
`230`	`230`	`response message (such as a password).`
`231`		`- For all authentication methods except GSSAPIandSSPI, there is at most`
`232`		`- one request and one response. In some methods, no response`
	`231`	`+ For all authentication methods except GSSAPI, SSPIandSASL, there is at`
	`232`	`+mostone request and one response. In some methods, no response`
`233`	`233`	`at all is needed from the frontend, and so no authentication request`
`234`		`- occurs. For GSSAPIandSSPI, multiple exchanges of packets may be needed`
`235`		`- to complete the authentication.`
	`234`	`+ occurs. For GSSAPI, SSPIandSASL, multiple exchanges of packets may be`
	`235`	`+neededto complete the authentication.`
`236`	`236`	`</para>`
`237`	`237`
`238`	`238`	`<para>`
`@@ -366,6 +366,35 @@`
`366`	`366`	`</listitem>`
`367`	`367`	`</varlistentry>`
`368`	`368`
	`369`	`+ <varlistentry>`
	`370`	`+ <term>AuthenticationSASL</term>`
	`371`	`+ <listitem>`
	`372`	`+ <para>`
	`373`	`+ The frontend must now initiate a SASL negotiation, using the SASL`
	`374`	`+ mechanism specified in the message. The frontend will send a`
	`375`	`+ PasswordMessage with the first part of the SASL data stream in`
	`376`	`+ response to this. If further messages are needed, the server will`
	`377`	`+ respond with AuthenticationSASLContinue.`
	`378`	`+ </para>`
	`379`	`+ </listitem>`
	`380`	`+`
	`381`	`+ </varlistentry>`
	`382`	`+ <varlistentry>`
	`383`	`+ <term>AuthenticationSASLContinue</term>`
	`384`	`+ <listitem>`
	`385`	`+ <para>`
	`386`	`+ This message contains the response data from the previous step`
	`387`	`+ of SASL negotiation (AuthenticationSASL, or a previous`
	`388`	`+ AuthenticationSASLContinue). If the SASL data in this message`
	`389`	`+ indicates more data is needed to complete the authentication,`
	`390`	`+ the frontend must send that data as another PasswordMessage. If`
	`391`	`+ SASL authentication is completed by this message, the server`
	`392`	`+ will next send AuthenticationOk to indicate successful authentication`
	`393`	`+ or ErrorResponse to indicate failure.`
	`394`	`+ </para>`
	`395`	`+ </listitem>`
	`396`	`+ </varlistentry>`
	`397`	`+`
`369`	`398`	`</variablelist>`
`370`	`399`	`</para>`
`371`	`400`
`@@ -2782,6 +2811,114 @@ AuthenticationGSSContinue (B)`
`2782`	`2811`	`</listitem>`
`2783`	`2812`	`</varlistentry>`
`2784`	`2813`
	`2814`	`+<varlistentry>`
	`2815`	`+<term>`
	`2816`	`+AuthenticationSASL (B)`
	`2817`	`+</term>`
	`2818`	`+<listitem>`
	`2819`	`+<para>`
	`2820`	`+`
	`2821`	`+<variablelist>`
	`2822`	`+<varlistentry>`
	`2823`	`+<term>`
	`2824`	`+ Byte1('R')`
	`2825`	`+</term>`
	`2826`	`+<listitem>`
	`2827`	`+<para>`
	`2828`	`+ Identifies the message as an authentication request.`
	`2829`	`+</para>`
	`2830`	`+</listitem>`
	`2831`	`+</varlistentry>`
	`2832`	`+<varlistentry>`
	`2833`	`+<term>`
	`2834`	`+ Int32`
	`2835`	`+</term>`
	`2836`	`+<listitem>`
	`2837`	`+<para>`
	`2838`	`+ Length of message contents in bytes, including self.`
	`2839`	`+</para>`
	`2840`	`+</listitem>`
	`2841`	`+</varlistentry>`
	`2842`	`+<varlistentry>`
	`2843`	`+<term>`
	`2844`	`+ Int32(10)`
	`2845`	`+</term>`
	`2846`	`+<listitem>`
	`2847`	`+<para>`
	`2848`	`+ Specifies that SASL authentication is started.`
	`2849`	`+</para>`
	`2850`	`+</listitem>`
	`2851`	`+</varlistentry>`
	`2852`	`+<varlistentry>`
	`2853`	`+<term>`
	`2854`	`+ String`
	`2855`	`+</term>`
	`2856`	`+<listitem>`
	`2857`	`+<para>`
	`2858`	`+ Name of a SASL authentication mechanism.`
	`2859`	`+</para>`
	`2860`	`+</listitem>`
	`2861`	`+</varlistentry>`
	`2862`	`+</variablelist>`
	`2863`	`+`
	`2864`	`+</para>`
	`2865`	`+</listitem>`
	`2866`	`+</varlistentry>`
	`2867`	`+`
	`2868`	`+<varlistentry>`
	`2869`	`+<term>`
	`2870`	`+AuthenticationSASLContinue (B)`
	`2871`	`+</term>`
	`2872`	`+<listitem>`
	`2873`	`+<para>`
	`2874`	`+`
	`2875`	`+<variablelist>`
	`2876`	`+<varlistentry>`
	`2877`	`+<term>`
	`2878`	`+ Byte1('R')`
	`2879`	`+</term>`
	`2880`	`+<listitem>`
	`2881`	`+<para>`
	`2882`	`+ Identifies the message as an authentication request.`
	`2883`	`+</para>`
	`2884`	`+</listitem>`
	`2885`	`+</varlistentry>`
	`2886`	`+<varlistentry>`
	`2887`	`+<term>`
	`2888`	`+ Int32`
	`2889`	`+</term>`
	`2890`	`+<listitem>`
	`2891`	`+<para>`
	`2892`	`+ Length of message contents in bytes, including self.`
	`2893`	`+</para>`
	`2894`	`+</listitem>`
	`2895`	`+</varlistentry>`
	`2896`	`+<varlistentry>`
	`2897`	`+<term>`
	`2898`	`+ Int32(11)`
	`2899`	`+</term>`
	`2900`	`+<listitem>`
	`2901`	`+<para>`
	`2902`	`+ Specifies that this message contains SASL-mechanism specific`
	`2903`	`+ data.`
	`2904`	`+</para>`
	`2905`	`+</listitem>`
	`2906`	`+</varlistentry>`
	`2907`	`+<varlistentry>`
	`2908`	`+<term>`
	`2909`	`+ Byte<replaceable>n</replaceable>`
	`2910`	`+</term>`
	`2911`	`+<listitem>`
	`2912`	`+<para>`
	`2913`	`+ SASL data, specific to the SASL mechanism being used.`
	`2914`	`+</para>`
	`2915`	`+</listitem>`
	`2916`	`+</varlistentry>`
	`2917`	`+</variablelist>`
	`2918`	`+`
	`2919`	`+</para>`
	`2920`	`+</listitem>`
	`2921`	`+</varlistentry>`
`2785`	`2922`
`2786`	`2923`	`<varlistentry>`
`2787`	`2924`	`<term>`
`@@ -4544,7 +4681,7 @@ PasswordMessage (F)`
`4544`	`4681`	`<listitem>`
`4545`	`4682`	`<para>`
`4546`	`4683`	`Identifies the message as a password response. Note that`
`4547`		`- this is also used for GSSAPIandSSPI response messages`
	`4684`	`+ this is also used for GSSAPI, SSPIandSASL response messages`
`4548`	`4685`	`(which is really a design error, since the contained data`
`4549`	`4686`	`is not a null-terminated string in that case, but can be`
`4550`	`4687`	`arbitrary binary data).`

`‎doc/src/sgml/ref/create_role.sgml`

Lines changed: 11 additions & 6 deletions

Original file line number	Diff line number	Diff line change
`@@ -231,12 +231,17 @@ CREATE ROLE <replaceable class="PARAMETER">name</replaceable> [ [ WITH ] <replac`
`231`	`231`	`encrypted in the system catalogs. (If neither is specified,`
`232`	`232`	`the default behavior is determined by the configuration`
`233`	`233`	`parameter <xref linkend="guc-password-encryption">.) If the`
`234`		`- presented password string is already in MD5-encrypted format,`
`235`		`- then it is stored encrypted as-is, regardless of whether`
`236`		`- <literal>ENCRYPTED</> or <literal>UNENCRYPTED</> is specified`
`237`		`- (since the system cannot decrypt the specified encrypted`
`238`		`- password string). This allows reloading of encrypted`
`239`		`- passwords during dump/restore.`
	`234`	`+ presented password string is already in MD5-encrypted or`
	`235`	`+ SCRAM-encrypted format, then it is stored encrypted as-is,`
	`236`	`+ regardless of whether <literal>ENCRYPTED</> or <literal>UNENCRYPTED</>`
	`237`	`+ is specified (since the system cannot decrypt the specified encrypted`
	`238`	`+ password string). This allows reloading of encrypted passwords`
	`239`	`+ during dump/restore.`
	`240`	`+ </para>`
	`241`	`+`
	`242`	`+ <para>`
	`243`	`+ Note that older clients might lack support for the SCRAM`
	`244`	`+ authentication mechanism.`
`240`	`245`	`</para>`
`241`	`246`	`</listitem>`
`242`	`247`	`</varlistentry>`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit818fd4a

File tree

38 files changed

38 files changed

`‎contrib/pgcrypto/.gitignore`

`‎contrib/pgcrypto/Makefile`

`‎doc/src/sgml/catalogs.sgml`

`‎doc/src/sgml/client-auth.sgml`

`‎doc/src/sgml/config.sgml`

`‎doc/src/sgml/protocol.sgml`

`‎doc/src/sgml/ref/create_role.sgml`

0 commit comments