Make RADIUS authentication use pg_getaddrinfo_all() to get address of

mhagander · mhagander · commit 0a2734714127 · 2010-02-02T19:09:37.000Z
the server.

Gets rid of a fairly ugly hack for Solaris, and also provides hostname
and IPV6 support.
diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
@@ -1,4 +1,4 @@
-<!-- $PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.129 2010/01/27 13:03:17 mha Exp $ -->
+<!-- $PostgreSQL: pgsql/doc/src/sgml/client-auth.sgml,v 1.130 2010/02/02 19:09:36 mha Exp $ -->
 
 <chapter id="client-authentication">
  <title>Client Authentication</title>
@@ -1375,8 +1375,8 @@ ldapserver=ldap.example.net ldapprefix="cn=" ldapsuffix=", dc=example, dc=net"
        <term><literal>radiusserver</literal></term>
        <listitem>
         <para>
-         The IP address of the RADIUS server to connect to. This must
-         be an IPV4 address and not a hostname. This parameter is required.
+         The name or IP address of the RADIUS server to connect to.
+         This parameter is required.
         </para>
        </listitem>
       </varlistentry>
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
@@ -8,7 +8,7 @@
  *
  *
  * IDENTIFICATION
- *	  $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.193 2010/01/31 17:27:22 tgl Exp $
+ *	  $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.194 2010/02/02 19:09:36 mha Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -2521,8 +2521,16 @@ CheckRADIUSAuth(Port *port)
 	uint8				encryptedpassword[RADIUS_VECTOR_LENGTH];
 	int					packetlength;
 	pgsocket			sock;
+#ifdef HAVE_IPV6
+	struct sockaddr_in6 localaddr;
+	struct sockaddr_in6 remoteaddr;
+#else
 	struct sockaddr_in	localaddr;
 	struct sockaddr_in	remoteaddr;
+#endif
+	struct addrinfo		hint;
+	struct addrinfo	   *serveraddrs;
+	char				portstr[128];
 	ACCEPT_TYPE_ARG3	addrsize;
 	fd_set				fdset;
 	struct timeval		timeout;
@@ -2549,17 +2557,22 @@ CheckRADIUSAuth(Port *port)
 	if (port->hba->radiusport == 0)
 		port->hba->radiusport = 1812;
 
-	memset(&remoteaddr, 0, sizeof(remoteaddr));
-	remoteaddr.sin_family = AF_INET;
-	remoteaddr.sin_addr.s_addr = inet_addr(port->hba->radiusserver);
-	if (remoteaddr.sin_addr.s_addr == INADDR_NONE)
+	MemSet(&hint, 0, sizeof(hint));
+	hint.ai_socktype = SOCK_DGRAM;
+	hint.ai_family = AF_UNSPEC;
+	snprintf(portstr, sizeof(portstr), "%d", port->hba->radiusport);
+
+	r = pg_getaddrinfo_all(port->hba->radiusserver, portstr, &hint, &serveraddrs);
+	if (r || !serveraddrs)
 	{
 		ereport(LOG,
-				(errmsg("RADIUS server '%s' is not a valid IP address",
-						port->hba->radiusserver)));
+				(errmsg("could not translate RADIUS server name \"%s\" to address: %s",
+						port->hba->radiusserver, gai_strerror(r))));
+		if (serveraddrs)
+			pg_freeaddrinfo_all(hint.ai_family, serveraddrs);
 		return STATUS_ERROR;
 	}
-	remoteaddr.sin_port = htons(port->hba->radiusport);
+	/* XXX: add support for multiple returned addresses? */
 
 	if (port->hba->radiusidentifier && port->hba->radiusidentifier[0])
 		identifier = port->hba->radiusidentifier;
@@ -2633,34 +2646,51 @@ CheckRADIUSAuth(Port *port)
 	packetlength = packet->length;
 	packet->length = htons(packet->length);
 
-	sock = socket(AF_INET, SOCK_DGRAM, 0);
+	sock = socket(serveraddrs[0].ai_family, SOCK_DGRAM, 0);
 	if (sock < 0)
 	{
 		ereport(LOG,
 				(errmsg("could not create RADIUS socket: %m")));
+		pg_freeaddrinfo_all(hint.ai_family, serveraddrs);
 		return STATUS_ERROR;
 	}
 
 	memset(&localaddr, 0, sizeof(localaddr));
-	localaddr.sin_family = AF_INET;
+#ifdef HAVE_IPV6
+	localaddr.sin6_family = serveraddrs[0].ai_family;
+	localaddr.sin6_addr = in6addr_any;
+	if (localaddr.sin6_family == AF_INET6)
+		addrsize = sizeof(struct sockaddr_in6);
+	else
+		addrsize = sizeof(struct sockaddr_in);
+#else
+	localaddr.sin_family = serveraddrs[0].ai_family;
 	localaddr.sin_addr.s_addr = INADDR_ANY;
-	if (bind(sock, (struct sockaddr *) &localaddr, sizeof(localaddr)))
+	addrsize = sizeof(struct sockaddr_in);
+#endif
+	if (bind(sock, (struct sockaddr *) &localaddr, addrsize))
 	{
 		ereport(LOG,
 				(errmsg("could not bind local RADIUS socket: %m")));
 		closesocket(sock);
+		pg_freeaddrinfo_all(hint.ai_family, serveraddrs);
 		return STATUS_ERROR;
 	}
 
 	if (sendto(sock, radius_buffer, packetlength, 0,
-			   (struct sockaddr *) &remoteaddr, sizeof(remoteaddr)) < 0)
+			   serveraddrs[0].ai_addr, serveraddrs[0].ai_addrlen) < 0)
 	{
 		ereport(LOG,
 				(errmsg("could not send RADIUS packet: %m")));
 		closesocket(sock);
+		pg_freeaddrinfo_all(hint.ai_family, serveraddrs);
 		return STATUS_ERROR;
 	}
 
+	/* Don't need the server address anymore */
+	pg_freeaddrinfo_all(hint.ai_family, serveraddrs);
+
+	/* Wait for a response */
 	timeout.tv_sec = RADIUS_TIMEOUT;
 	timeout.tv_usec = 0;
 	FD_ZERO(&fdset);
@@ -2705,11 +2735,21 @@ CheckRADIUSAuth(Port *port)
 
 	closesocket(sock);
 
+#ifdef HAVE_IPV6
+	if (remoteaddr.sin6_port != htons(port->hba->radiusport))
+#else
 	if (remoteaddr.sin_port != htons(port->hba->radiusport))
+#endif
 	{
+#ifdef HAVE_IPV6
+		ereport(LOG,
+				(errmsg("RADIUS response was sent from incorrect port: %i",
+						ntohs(remoteaddr.sin6_port))));
+#else
 		ereport(LOG,
 				(errmsg("RADIUS response was sent from incorrect port: %i",
 						ntohs(remoteaddr.sin_port))));
+#endif
 		return STATUS_ERROR;
 	}
 
diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
@@ -10,7 +10,7 @@
  *
  *
  * IDENTIFICATION
- *	  $PostgreSQL: pgsql/src/backend/libpq/hba.c,v 1.196 2010/01/27 12:11:59 mha Exp $
+ *	  $PostgreSQL: pgsql/src/backend/libpq/hba.c,v 1.197 2010/02/02 19:09:37 mha Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -1167,16 +1167,25 @@ parse_hba_line(List *line, int line_num, HbaLine *parsedline)
 			else if (strcmp(token, "radiusserver") == 0)
 			{
 				REQUIRE_AUTH_OPTION(uaRADIUS, "radiusserver", "radius");
-				if (inet_addr(c) == INADDR_NONE)
+
+				MemSet(&hints, 0, sizeof(hints));
+				hints.ai_socktype = SOCK_DGRAM;
+				hints.ai_family = AF_UNSPEC;
+
+				ret = pg_getaddrinfo_all(c, NULL, &hints, &gai_result);
+				if (ret || !gai_result)
 				{
 					ereport(LOG,
 							(errcode(ERRCODE_CONFIG_FILE_ERROR),
-							 errmsg("invalid RADIUS server IP address: \"%s\"", c),
+							 errmsg("could not translate RADIUS server name \"%s\" to address: %s",
+									c, gai_strerror(ret)),
 						   errcontext("line %d of configuration file \"%s\"",
 									  line_num, HbaFileName)));
+					if (gai_result)
+						pg_freeaddrinfo_all(hints.ai_family, gai_result);
 					return false;
-
 				}
+				pg_freeaddrinfo_all(hints.ai_family, gai_result);
 				parsedline->radiusserver = pstrdup(c);
 			}
 			else if (strcmp(token, "radiusport") == 0)
diff --git a/src/include/port/solaris.h b/src/include/port/solaris.h
@@ -1,4 +1,4 @@
-/* $PostgreSQL: pgsql/src/include/port/solaris.h,v 1.18 2010/01/28 11:36:14 mha Exp $ */
+/* $PostgreSQL: pgsql/src/include/port/solaris.h,v 1.19 2010/02/02 19:09:37 mha Exp $ */
 
 /*
  * Sort this out for all operating systems some time.  The __xxx
@@ -36,11 +36,3 @@
  * still use our own fix for the buggy version.
  */
 #define HAVE_BUGGY_SOLARIS_STRTOD
-
-/*
- * Many versions of Solaris are missing the definition of INADDR_NONE
- */
-#ifndef INADDR_NONE
-#define INADDR_NONE ((in_addr_t)(-1))
-#endif
-

Original file line number	Diff line number	Diff line change
`@@ -10,7 +10,7 @@`
`10`	`10`	`*`
`11`	`11`	`*`
`12`	`12`	`* IDENTIFICATION`
`13`		`- * $PostgreSQL: pgsql/src/backend/libpq/hba.c,v 1.196 2010/01/27 12:11:59 mha Exp $`
	`13`	`+ * $PostgreSQL: pgsql/src/backend/libpq/hba.c,v 1.197 2010/02/02 19:09:37 mha Exp $`
`14`	`14`	`*`
`15`	`15`	`*-------------------------------------------------------------------------`
`16`	`16`	`*/`
`@@ -1167,16 +1167,25 @@ parse_hba_line(List line, int line_num, HbaLine parsedline)`
`1167`	`1167`	`else if (strcmp(token, "radiusserver") == 0)`
`1168`	`1168`	`{`
`1169`	`1169`	`REQUIRE_AUTH_OPTION(uaRADIUS, "radiusserver", "radius");`
`1170`		`- if (inet_addr(c) == INADDR_NONE)`
	`1170`	`+`
	`1171`	`+ MemSet(&hints, 0, sizeof(hints));`
	`1172`	`+ hints.ai_socktype = SOCK_DGRAM;`
	`1173`	`+ hints.ai_family = AF_UNSPEC;`
	`1174`	`+`
	`1175`	`+ ret = pg_getaddrinfo_all(c, NULL, &hints, &gai_result);`
	`1176`	`+ if (ret \|\| !gai_result)`
`1171`	`1177`	`{`
`1172`	`1178`	`ereport(LOG,`
`1173`	`1179`	`(errcode(ERRCODE_CONFIG_FILE_ERROR),`
`1174`		`- errmsg("invalid RADIUS server IP address: \"%s\"", c),`
	`1180`	`+ errmsg("could not translate RADIUS server name \"%s\" to address: %s",`
	`1181`	`+ c, gai_strerror(ret)),`
`1175`	`1182`	`errcontext("line %d of configuration file \"%s\"",`
`1176`	`1183`	`line_num, HbaFileName)));`
	`1184`	`+ if (gai_result)`
	`1185`	`+ pg_freeaddrinfo_all(hints.ai_family, gai_result);`
`1177`	`1186`	`return false;`
`1178`		`-`
`1179`	`1187`	`}`
	`1188`	`+ pg_freeaddrinfo_all(hints.ai_family, gai_result);`
`1180`	`1189`	`parsedline->radiusserver = pstrdup(c);`
`1181`	`1190`	`}`
`1182`	`1191`	`else if (strcmp(token, "radiusport") == 0)`