Re: Server ignores contents of SASLInitialResponse
Michael Paquier <michael.paquier@gmail.com>
From: Michael Paquier <michael.paquier@gmail.com>
To: Heikki Linnakangas <hlinnaka@iki.fi>
Cc: PostgreSQL mailing lists <pgsql-hackers@postgresql.org>
Date: 2017-06-06T03:09:28Z
Lists: pgsql-hackers
Attachments
- libpq-auth-cleanup.patch (application/octet-stream) patch
On Thu, Jun 1, 2017 at 4:58 AM, Heikki Linnakangas <hlinnaka@iki.fi> wrote: > I bisected that; the culprit was commit 61bf96cab0, where I refactored the > libpq authentication code in preparation for SCRAM. The logic around that > free() was always a bit wonky, but the refactoring made it outright broken. > Attached is a patch for that, see commit message for details. (Review of > that would be welcome.) That looks fine to me. > So, after fixing that, back to the original question; don't we have a > similar "duplicate authentication request" problem with GSS? Yes, turns out > that we do, even on stable branches: > > psql "sslmode=prefer dbname=postgres hostaddr=127.0.0.1 krbsrvname=postgres > host=localhost user=krbtestuser" > psql: duplicate GSS authentication request > > To fix, I suppose we can do what you did for SASL in your patch, and move > the cleanup of conn->gctx from closePGconn to pgDropConnection. And I > presume we need to do the same for the SSPI state too, but I don't have a > Windows set up to test that at the moment. SSPI does not complain with sslmode=prefer as each time pg_SSPI_startup() is called conn->sspictx is enforced to NULL. This looks wrong to me by the way as pg_SSPI_startup() is invoked only once per authentication, and it leaks memory this way. That's also inconsistent with SASL and GSS. At the same time this inconsistency is not causing actual problems except a leak with SSPI in libpq, so not doing anything except on HEAD looks fine to me. -- Michael
Commits
-
Clear auth context correctly when re-connecting after failed auth attempt.
- f44c609ea014 9.6.4 landed
- 1fe1fc449772 9.4.13 landed
- f2fa0c6514b6 9.3.18 landed
- 739cb7f8bfeb 9.5.8 landed
- e6c33d594a00 10.0 landed
-
Fix double-free bug in GSS authentication.
- 3344582e6f16 10.0 landed
-
Abort authentication if the client selected an invalid SASL mechanism.
- 505b5d2f8672 10.0 landed
-
Refactor libpq authentication request processing.
- 61bf96cab063 10.0 cited