Re: Server ignores contents of SASLInitialResponse

Michael Paquier <michael.paquier@gmail.com>

From: Michael Paquier <michael.paquier@gmail.com>
To: Heikki Linnakangas <hlinnaka@iki.fi>
Cc: PostgreSQL mailing lists <pgsql-hackers@postgresql.org>
Date: 2017-05-25T14:52:23Z
Lists: pgsql-hackers
On Thu, May 25, 2017 at 9:32 AM, Michael Paquier
<michael.paquier@gmail.com> wrote:
> On Thu, May 25, 2017 at 8:51 AM, Heikki Linnakangas <hlinnaka@iki.fi> wrote:
>> On 05/24/2017 11:33 PM, Michael Paquier wrote:
>>> I have noticed today that the server ignores completely the contents
>>> of SASLInitialResponse. ... Attached is a patch to fix the problem.
>>
>> Fixed, thanks!
>
> Thanks for the commit.

Actually, I don't think that we are completely done here. Using the
patch of upthread to enforce a failure on SASLInitialResponse, I see
that connecting without SSL causes the following error:
psql: FATAL:  password authentication failed for user "mpaquier"
But connecting with SSL returns that:
psql: duplicate SASL authentication request

I have not looked at that in details yet, but it seems to me that we
should not take pg_SASL_init() twice in the scram authentication code
path in libpq for a single attempt.
-- 
Michael


Commits

  1. Clear auth context correctly when re-connecting after failed auth attempt.

  2. Fix double-free bug in GSS authentication.

  3. Abort authentication if the client selected an invalid SASL mechanism.

  4. Refactor libpq authentication request processing.