Thread

Commits

  1. Clear auth context correctly when re-connecting after failed auth attempt.

  2. Fix double-free bug in GSS authentication.

  3. Abort authentication if the client selected an invalid SASL mechanism.

  4. Refactor libpq authentication request processing.

  1. Server ignores contents of SASLInitialResponse

    Michael Paquier <michael.paquier@gmail.com> — 2017-05-25T03:33:37Z

    Hi all,
    
    I have noticed today that the server ignores completely the contents
    of SASLInitialResponse. For example with the patch attached called
    scram-trick-server:
    diff --git a/src/interfaces/libpq/fe-auth.c b/src/interfaces/libpq/fe-auth.c
    index f4397afc64..8fe1c8edfb 100644
    --- a/src/interfaces/libpq/fe-auth.c
    +++ b/src/interfaces/libpq/fe-auth.c
    @@ -540,7 +540,7 @@ pg_SASL_init(PGconn *conn, int payloadlen)
                conn->sasl_state = pg_fe_scram_init(conn->pguser, password);
                if (!conn->sasl_state)
                    goto oom_error;
    -           selected_mechanism = SCRAM_SHA256_NAME;
    +           selected_mechanism = "kunfoobar";
            }
        }
    
    This sends a custom string to the server to name a SASL mechanism,
    about which the server complains with a COMMERROR log:
    LOG:  client selected an invalid SASL authentication mechanism
    However this error is completely ignored and the server continues
    authentication, succeeding if the password is right. It seems to me
    that the error that should be returned to the user is a password
    mismatch, and that the COMMERROR message is kept only for the server
    logs. Attached is a patch to fix the problem.
    
    Open item added as well.
    
    Thanks,
    -- 
    Michael
    
  2. Re: Server ignores contents of SASLInitialResponse

    Heikki Linnakangas <hlinnaka@iki.fi> — 2017-05-25T12:51:55Z

    On 05/24/2017 11:33 PM, Michael Paquier wrote:
    > I have noticed today that the server ignores completely the contents
    > of SASLInitialResponse. ... Attached is a patch to fix the problem.
    
    Fixed, thanks!
    
    - Heikki
    
    
    
    
  3. Re: Server ignores contents of SASLInitialResponse

    Michael Paquier <michael.paquier@gmail.com> — 2017-05-25T13:32:21Z

    On Thu, May 25, 2017 at 8:51 AM, Heikki Linnakangas <hlinnaka@iki.fi> wrote:
    > On 05/24/2017 11:33 PM, Michael Paquier wrote:
    >> I have noticed today that the server ignores completely the contents
    >> of SASLInitialResponse. ... Attached is a patch to fix the problem.
    >
    > Fixed, thanks!
    
    Thanks for the commit.
    -- 
    Michael
    
    
    
  4. Re: Server ignores contents of SASLInitialResponse

    Michael Paquier <michael.paquier@gmail.com> — 2017-05-25T14:52:23Z

    On Thu, May 25, 2017 at 9:32 AM, Michael Paquier
    <michael.paquier@gmail.com> wrote:
    > On Thu, May 25, 2017 at 8:51 AM, Heikki Linnakangas <hlinnaka@iki.fi> wrote:
    >> On 05/24/2017 11:33 PM, Michael Paquier wrote:
    >>> I have noticed today that the server ignores completely the contents
    >>> of SASLInitialResponse. ... Attached is a patch to fix the problem.
    >>
    >> Fixed, thanks!
    >
    > Thanks for the commit.
    
    Actually, I don't think that we are completely done here. Using the
    patch of upthread to enforce a failure on SASLInitialResponse, I see
    that connecting without SSL causes the following error:
    psql: FATAL:  password authentication failed for user "mpaquier"
    But connecting with SSL returns that:
    psql: duplicate SASL authentication request
    
    I have not looked at that in details yet, but it seems to me that we
    should not take pg_SASL_init() twice in the scram authentication code
    path in libpq for a single attempt.
    -- 
    Michael
    
    
    
  5. Re: Server ignores contents of SASLInitialResponse

    Michael Paquier <michael.paquier@gmail.com> — 2017-05-25T15:36:20Z

    On Thu, May 25, 2017 at 10:52 AM, Michael Paquier
    <michael.paquier@gmail.com> wrote:
    > Actually, I don't think that we are completely done here. Using the
    > patch of upthread to enforce a failure on SASLInitialResponse, I see
    > that connecting without SSL causes the following error:
    > psql: FATAL:  password authentication failed for user "mpaquier"
    > But connecting with SSL returns that:
    > psql: duplicate SASL authentication request
    >
    > I have not looked at that in details yet, but it seems to me that we
    > should not take pg_SASL_init() twice in the scram authentication code
    > path in libpq for a single attempt.
    
    Gotcha. This happens because of sslmode=prefer, on which
    pqDropConnection is used to clean up the connection state. So it seems
    to me that the correct fix is to move the cleanup of sasl_state to
    pqDropConnection() instead of closePGconn(). Once I do so the failures
    are correct, showing to the user two FATAL errors because of the two
    attempts:
    psql: FATAL:  password authentication failed for user "mpaquier"
    FATAL:  password authentication failed for user "mpaquier"
    -- 
    Michael
    
  6. Re: Server ignores contents of SASLInitialResponse

    Noah Misch <noah@leadboat.com> — 2017-05-30T03:04:47Z

    On Thu, May 25, 2017 at 10:52:23AM -0400, Michael Paquier wrote:
    > On Thu, May 25, 2017 at 9:32 AM, Michael Paquier
    > <michael.paquier@gmail.com> wrote:
    > > On Thu, May 25, 2017 at 8:51 AM, Heikki Linnakangas <hlinnaka@iki.fi> wrote:
    > >> On 05/24/2017 11:33 PM, Michael Paquier wrote:
    > >>> I have noticed today that the server ignores completely the contents
    > >>> of SASLInitialResponse. ... Attached is a patch to fix the problem.
    > >>
    > >> Fixed, thanks!
    > >
    > > Thanks for the commit.
    > 
    > Actually, I don't think that we are completely done here. Using the
    > patch of upthread to enforce a failure on SASLInitialResponse, I see
    > that connecting without SSL causes the following error:
    > psql: FATAL:  password authentication failed for user "mpaquier"
    > But connecting with SSL returns that:
    > psql: duplicate SASL authentication request
    > 
    > I have not looked at that in details yet, but it seems to me that we
    > should not take pg_SASL_init() twice in the scram authentication code
    > path in libpq for a single attempt.
    
    [Action required within three days.  This is a generic notification.]
    
    The above-described topic is currently a PostgreSQL 10 open item.  Heikki,
    since you committed the patch believed to have created it, you own this open
    item.  If some other commit is more relevant or if this does not belong as a
    v10 open item, please let us know.  Otherwise, please observe the policy on
    open item ownership[1] and send a status update within three calendar days of
    this message.  Include a date for your subsequent status update.  Testers may
    discover new open items at any time, and I want to plan to get them all fixed
    well in advance of shipping v10.  Consequently, I will appreciate your efforts
    toward speedy resolution.  Thanks.
    
    [1] https://www.postgresql.org/message-id/20170404140717.GA2675809%40tornado.leadboat.com
    
    
    
  7. Re: Server ignores contents of SASLInitialResponse

    Heikki Linnakangas <hlinnaka@iki.fi> — 2017-06-01T11:58:36Z

    On 05/25/2017 06:36 PM, Michael Paquier wrote:
    > On Thu, May 25, 2017 at 10:52 AM, Michael Paquier
    > <michael.paquier@gmail.com> wrote:
    >> Actually, I don't think that we are completely done here. Using the
    >> patch of upthread to enforce a failure on SASLInitialResponse, I see
    >> that connecting without SSL causes the following error:
    >> psql: FATAL:  password authentication failed for user "mpaquier"
    >> But connecting with SSL returns that:
    >> psql: duplicate SASL authentication request
    >>
    >> I have not looked at that in details yet, but it seems to me that we
    >> should not take pg_SASL_init() twice in the scram authentication code
    >> path in libpq for a single attempt.
    >
    > Gotcha. This happens because of sslmode=prefer, on which
    > pqDropConnection is used to clean up the connection state. So it seems
    > to me that the correct fix is to move the cleanup of sasl_state to
    > pqDropConnection() instead of closePGconn(). Once I do so the failures
    > are correct, showing to the user two FATAL errors because of the two
    > attempts:
    > psql: FATAL:  password authentication failed for user "mpaquier"
    > FATAL:  password authentication failed for user "mpaquier"
    
    Hmm, the SASL state cleanup is done pretty much the same way that 
    GSS/SSPI cleanup is. Don't we have a similar problem with GSS?
    
    I tested that, and I got an error from glibc, complaining about a 
    double-free:
    
    > *** Error in `/home/heikki/pgsql.master/bin/psql': double free or corruption (out): 0x000056157d13be00 ***
    > ======= Backtrace: =========
    > /lib/x86_64-linux-gnu/libc.so.6(+0x70bcb)[0x7f6a460b7bcb]
    > /lib/x86_64-linux-gnu/libc.so.6(+0x76f96)[0x7f6a460bdf96]
    > /lib/x86_64-linux-gnu/libc.so.6(+0x7778e)[0x7f6a460be78e]
    > /home/heikki/pgsql.master/lib/libpq.so.5(+0xa1dc)[0x7f6a46d651dc]
    > /home/heikki/pgsql.master/lib/libpq.so.5(+0xa4b3)[0x7f6a46d654b3]
    > /home/heikki/pgsql.master/lib/libpq.so.5(+0xacb9)[0x7f6a46d65cb9]
    > /home/heikki/pgsql.master/lib/libpq.so.5(PQconnectPoll+0x14e7)[0x7f6a46d6ae81]
    > /home/heikki/pgsql.master/lib/libpq.so.5(+0xe895)[0x7f6a46d69895]
    > /home/heikki/pgsql.master/lib/libpq.so.5(PQconnectdbParams+0x4f)[0x7f6a46d675b9]
    > /home/heikki/pgsql.master/bin/psql(+0x3daa9)[0x56157ccafaa9]
    > /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf1)[0x7f6a460672b1]
    > /home/heikki/pgsql.master/bin/psql(+0x1163a)[0x56157cc8363a]
    
    I bisected that; the culprit was commit 61bf96cab0, where I refactored 
    the libpq authentication code in preparation for SCRAM. The logic around 
    that free() was always a bit wonky, but the refactoring made it outright 
    broken. Attached is a patch for that, see commit message for details. 
    (Review of that would be welcome.)
    
    So, after fixing that, back to the original question; don't we have a 
    similar "duplicate authentication request" problem with GSS? Yes, turns 
    out that we do, even on stable branches:
    
    psql "sslmode=prefer dbname=postgres hostaddr=127.0.0.1 
    krbsrvname=postgres  host=localhost user=krbtestuser"
    psql: duplicate GSS authentication request
    
    To fix, I suppose we can do what you did for SASL in your patch, and 
    move the cleanup of conn->gctx from closePGconn to pgDropConnection. And 
    I presume we need to do the same for the SSPI state too, but I don't 
    have a Windows set up to test that at the moment.
    
    - Heikki
    
    
  8. Re: Server ignores contents of SASLInitialResponse

    Noah Misch <noah@leadboat.com> — 2017-06-03T04:58:40Z

    On Tue, May 30, 2017 at 03:04:47AM +0000, Noah Misch wrote:
    > On Thu, May 25, 2017 at 10:52:23AM -0400, Michael Paquier wrote:
    > > On Thu, May 25, 2017 at 9:32 AM, Michael Paquier
    > > <michael.paquier@gmail.com> wrote:
    > > > On Thu, May 25, 2017 at 8:51 AM, Heikki Linnakangas <hlinnaka@iki.fi> wrote:
    > > >> On 05/24/2017 11:33 PM, Michael Paquier wrote:
    > > >>> I have noticed today that the server ignores completely the contents
    > > >>> of SASLInitialResponse. ... Attached is a patch to fix the problem.
    > > >>
    > > >> Fixed, thanks!
    > > >
    > > > Thanks for the commit.
    > > 
    > > Actually, I don't think that we are completely done here. Using the
    > > patch of upthread to enforce a failure on SASLInitialResponse, I see
    > > that connecting without SSL causes the following error:
    > > psql: FATAL:  password authentication failed for user "mpaquier"
    > > But connecting with SSL returns that:
    > > psql: duplicate SASL authentication request
    > > 
    > > I have not looked at that in details yet, but it seems to me that we
    > > should not take pg_SASL_init() twice in the scram authentication code
    > > path in libpq for a single attempt.
    > 
    > [Action required within three days.  This is a generic notification.]
    > 
    > The above-described topic is currently a PostgreSQL 10 open item.  Heikki,
    > since you committed the patch believed to have created it, you own this open
    > item.  If some other commit is more relevant or if this does not belong as a
    > v10 open item, please let us know.  Otherwise, please observe the policy on
    > open item ownership[1] and send a status update within three calendar days of
    > this message.  Include a date for your subsequent status update.  Testers may
    > discover new open items at any time, and I want to plan to get them all fixed
    > well in advance of shipping v10.  Consequently, I will appreciate your efforts
    > toward speedy resolution.  Thanks.
    > 
    > [1] https://www.postgresql.org/message-id/20170404140717.GA2675809%40tornado.leadboat.com
    
    This PostgreSQL 10 open item is past due for your status update.  Kindly send
    a status update within 24 hours, and include a date for your subsequent status
    update.  Refer to the policy on open item ownership:
    https://www.postgresql.org/message-id/20170404140717.GA2675809%40tornado.leadboat.com
    
    
    
  9. Re: Server ignores contents of SASLInitialResponse

    Noah Misch <noah@leadboat.com> — 2017-06-04T22:49:52Z

    On Fri, Jun 02, 2017 at 09:58:40PM -0700, Noah Misch wrote:
    > On Tue, May 30, 2017 at 03:04:47AM +0000, Noah Misch wrote:
    > > On Thu, May 25, 2017 at 10:52:23AM -0400, Michael Paquier wrote:
    > > > On Thu, May 25, 2017 at 9:32 AM, Michael Paquier
    > > > <michael.paquier@gmail.com> wrote:
    > > > > On Thu, May 25, 2017 at 8:51 AM, Heikki Linnakangas <hlinnaka@iki.fi> wrote:
    > > > >> On 05/24/2017 11:33 PM, Michael Paquier wrote:
    > > > >>> I have noticed today that the server ignores completely the contents
    > > > >>> of SASLInitialResponse. ... Attached is a patch to fix the problem.
    > > > >>
    > > > >> Fixed, thanks!
    > > > >
    > > > > Thanks for the commit.
    > > > 
    > > > Actually, I don't think that we are completely done here. Using the
    > > > patch of upthread to enforce a failure on SASLInitialResponse, I see
    > > > that connecting without SSL causes the following error:
    > > > psql: FATAL:  password authentication failed for user "mpaquier"
    > > > But connecting with SSL returns that:
    > > > psql: duplicate SASL authentication request
    > > > 
    > > > I have not looked at that in details yet, but it seems to me that we
    > > > should not take pg_SASL_init() twice in the scram authentication code
    > > > path in libpq for a single attempt.
    > > 
    > > [Action required within three days.  This is a generic notification.]
    > > 
    > > The above-described topic is currently a PostgreSQL 10 open item.  Heikki,
    > > since you committed the patch believed to have created it, you own this open
    > > item.  If some other commit is more relevant or if this does not belong as a
    > > v10 open item, please let us know.  Otherwise, please observe the policy on
    > > open item ownership[1] and send a status update within three calendar days of
    > > this message.  Include a date for your subsequent status update.  Testers may
    > > discover new open items at any time, and I want to plan to get them all fixed
    > > well in advance of shipping v10.  Consequently, I will appreciate your efforts
    > > toward speedy resolution.  Thanks.
    > > 
    > > [1] https://www.postgresql.org/message-id/20170404140717.GA2675809%40tornado.leadboat.com
    > 
    > This PostgreSQL 10 open item is past due for your status update.  Kindly send
    > a status update within 24 hours, and include a date for your subsequent status
    > update.  Refer to the policy on open item ownership:
    > https://www.postgresql.org/message-id/20170404140717.GA2675809%40tornado.leadboat.com
    
    IMMEDIATE ATTENTION REQUIRED.  This PostgreSQL 10 open item is long past due
    for your status update.  Please reacquaint yourself with the policy on open
    item ownership[1] and then reply immediately.  If I do not hear from you by
    2017-06-05 23:00 UTC, I will transfer this item to release management team
    ownership without further notice.
    
    [1] https://www.postgresql.org/message-id/20170404140717.GA2675809%40tornado.leadboat.com
    
    
    
  10. Re: Server ignores contents of SASLInitialResponse

    Michael Paquier <michael.paquier@gmail.com> — 2017-06-05T06:34:42Z

    On Mon, Jun 5, 2017 at 7:49 AM, Noah Misch <noah@leadboat.com> wrote:
    > IMMEDIATE ATTENTION REQUIRED.  This PostgreSQL 10 open item is long past due
    > for your status update.  Please reacquaint yourself with the policy on open
    > item ownership[1] and then reply immediately.  If I do not hear from you by
    > 2017-06-05 23:00 UTC, I will transfer this item to release management team
    > ownership without further notice.
    >
    > [1] https://www.postgresql.org/message-id/20170404140717.GA2675809%40tornado.leadboat.com
    
    I am planning to look and comment about Heikki's patch tomorrow my
    time. The GSS issue requires a back-patch and is actually linked to
    what is discussed for SASL. The testing behind it also needs some care
    and attention.
    -- 
    Michael
    
    
    
  11. Re: Server ignores contents of SASLInitialResponse

    Heikki Linnakangas <hlinnaka@iki.fi> — 2017-06-05T08:14:17Z

    On 06/05/2017 09:34 AM, Michael Paquier wrote:
    > On Mon, Jun 5, 2017 at 7:49 AM, Noah Misch <noah@leadboat.com> wrote:
    >> IMMEDIATE ATTENTION REQUIRED.  This PostgreSQL 10 open item is long past due
    >> for your status update.  Please reacquaint yourself with the policy on open
    >> item ownership[1] and then reply immediately.  If I do not hear from you by
    >> 2017-06-05 23:00 UTC, I will transfer this item to release management team
    >> ownership without further notice.
    >>
    >> [1] https://www.postgresql.org/message-id/20170404140717.GA2675809%40tornado.leadboat.com
    >
    > I am planning to look and comment about Heikki's patch tomorrow my
    > time. The GSS issue requires a back-patch and is actually linked to
    > what is discussed for SASL. The testing behind it also needs some care
    > and attention.
    
    Thanks. I'll wait for Michael's update tomorrow, and will have a look at 
    this after that. Expect a new status update by Wednesday.
    
    - Heikki
    
    
    
    
  12. Re: Server ignores contents of SASLInitialResponse

    Michael Paquier <michael.paquier@gmail.com> — 2017-06-06T03:09:28Z

    On Thu, Jun 1, 2017 at 4:58 AM, Heikki Linnakangas <hlinnaka@iki.fi> wrote:
    > I bisected that; the culprit was commit 61bf96cab0, where I refactored the
    > libpq authentication code in preparation for SCRAM. The logic around that
    > free() was always a bit wonky, but the refactoring made it outright broken.
    > Attached is a patch for that, see commit message for details. (Review of
    > that would be welcome.)
    
    That looks fine to me.
    
    > So, after fixing that, back to the original question; don't we have a
    > similar "duplicate authentication request" problem with GSS? Yes, turns out
    > that we do, even on stable branches:
    >
    > psql "sslmode=prefer dbname=postgres hostaddr=127.0.0.1 krbsrvname=postgres
    > host=localhost user=krbtestuser"
    > psql: duplicate GSS authentication request
    >
    > To fix, I suppose we can do what you did for SASL in your patch, and move
    > the cleanup of conn->gctx from closePGconn to pgDropConnection. And I
    > presume we need to do the same for the SSPI state too, but I don't have a
    > Windows set up to test that at the moment.
    
    SSPI does not complain with sslmode=prefer as each time
    pg_SSPI_startup() is called conn->sspictx is enforced to NULL. This
    looks wrong to me by the way as pg_SSPI_startup() is invoked only once
    per authentication, and it leaks memory this way. That's also
    inconsistent with SASL and GSS. At the same time this inconsistency is
    not causing actual problems except a leak with SSPI in libpq, so not
    doing anything except on HEAD looks fine to me.
    -- 
    Michael
    
  13. Re: Server ignores contents of SASLInitialResponse

    Heikki Linnakangas <hlinnaka@iki.fi> — 2017-06-07T11:27:37Z

    On 06/06/2017 06:09 AM, Michael Paquier wrote:
    > On Thu, Jun 1, 2017 at 4:58 AM, Heikki Linnakangas <hlinnaka@iki.fi> wrote:
    >> To fix, I suppose we can do what you did for SASL in your patch, and move
    >> the cleanup of conn->gctx from closePGconn to pgDropConnection. And I
    >> presume we need to do the same for the SSPI state too, but I don't have a
    >> Windows set up to test that at the moment.
    >
    > SSPI does not complain with sslmode=prefer as each time
    > pg_SSPI_startup() is called conn->sspictx is enforced to NULL. This
    > looks wrong to me by the way as pg_SSPI_startup() is invoked only once
    > per authentication, and it leaks memory this way. That's also
    > inconsistent with SASL and GSS. At the same time this inconsistency is
    > not causing actual problems except a leak with SSPI in libpq, so not
    > doing anything except on HEAD looks fine to me.
    
    Ok, I committed your patch, with some minor changes. I added a line to 
    also clear "conn->usesspi". Without that, if the server on first attempt 
    asked for SSPI authentication, but GSS on the second attempt, we would 
    incorrectly try to continue SSPI authentication during the second 
    attempt. Also, I kept the existing code to discard the input and output 
    data together, and added the new code after that, instead of in the 
    middle. And added some newlines to pqDropConnection for beauty.
    
    BTW, multiple connection attempts if "host" is a list of hostnames, 
    which is now possible in version 10, also had the same issue. On master, 
    that was the easiest way to reproduce this.
    
    I decided to backpatch this down to 9.3, after all. It is clearly a bug, 
    although unlikely to be hit in typical configurations. One configuration 
    where this can be reproduced, is if you have separate "hostnossl" and 
    "hostssl" lines in pg_hba.conf, for Kerberos authentication, but with 
    different options. If the options are such that the first 
    authentication, with SSL, fails, but the second one should succeed, 
    before this fix the second attempt would nevertheless fail with the 
    "duplicate authentication request".
    
    The code in 9.2 was sufficiently different that I didn't backport it 
    there, out of conservatism (ok, laziness).
    
    - Heikki
    
    
    
    
  14. Re: Server ignores contents of SASLInitialResponse

    Michael Paquier <michael.paquier@gmail.com> — 2017-06-07T12:19:52Z

    On Wed, Jun 7, 2017 at 8:27 PM, Heikki Linnakangas <hlinnaka@iki.fi> wrote:
    > Ok, I committed your patch, with some minor changes.
    
    Thanks for the commit.
    -- 
    Michael