Age Owner Branch data TLA Line data Source code
1 : : /*-------------------------------------------------------------------------
2 : : *
3 : : * be-secure-gssapi.c
4 : : * GSSAPI encryption support
5 : : *
6 : : * Portions Copyright (c) 2018-2025, PostgreSQL Global Development Group
7 : : *
8 : : * IDENTIFICATION
9 : : * src/backend/libpq/be-secure-gssapi.c
10 : : *
11 : : *-------------------------------------------------------------------------
12 : : */
13 : :
14 : : #include "postgres.h"
15 : :
16 : : #include <unistd.h>
17 : :
18 : : #include "libpq/auth.h"
19 : : #include "libpq/be-gssapi-common.h"
20 : : #include "libpq/libpq.h"
21 : : #include "miscadmin.h"
22 : : #include "pgstat.h"
23 : : #include "port/pg_bswap.h"
24 : : #include "utils/injection_point.h"
25 : : #include "utils/memutils.h"
26 : :
27 : :
28 : : /*
29 : : * Handle the encryption/decryption of data using GSSAPI.
30 : : *
31 : : * In the encrypted data stream on the wire, we break up the data
32 : : * into packets where each packet starts with a uint32-size length
33 : : * word (in network byte order), then encrypted data of that length
34 : : * immediately following. Decryption yields the same data stream
35 : : * that would appear when not using encryption.
36 : : *
37 : : * Encrypted data typically ends up being larger than the same data
38 : : * unencrypted, so we use fixed-size buffers for handling the
39 : : * encryption/decryption which are larger than PQComm's buffer will
40 : : * typically be to minimize the times where we have to make multiple
41 : : * packets (and therefore multiple recv/send calls for a single
42 : : * read/write call to us).
43 : : *
44 : : * NOTE: The client and server have to agree on the max packet size,
45 : : * because we have to pass an entire packet to GSSAPI at a time and we
46 : : * don't want the other side to send arbitrarily huge packets as we
47 : : * would have to allocate memory for them to then pass them to GSSAPI.
48 : : *
49 : : * Therefore, this #define is effectively part of the protocol
50 : : * spec and can't ever be changed.
51 : : */
52 : : #define PQ_GSS_MAX_PACKET_SIZE 16384 /* includes uint32 header word */
53 : :
54 : : /*
55 : : * However, during the authentication exchange we must cope with whatever
56 : : * message size the GSSAPI library wants to send (because our protocol
57 : : * doesn't support splitting those messages). Depending on configuration
58 : : * those messages might be as much as 64kB.
59 : : */
60 : : #define PQ_GSS_AUTH_BUFFER_SIZE 65536 /* includes uint32 header word */
61 : :
62 : : /*
63 : : * Since we manage at most one GSS-encrypted connection per backend,
64 : : * we can just keep all this state in static variables. The char *
65 : : * variables point to buffers that are allocated once and re-used.
66 : : */
67 : : static char *PqGSSSendBuffer; /* Encrypted data waiting to be sent */
68 : : static int PqGSSSendLength; /* End of data available in PqGSSSendBuffer */
69 : : static int PqGSSSendNext; /* Next index to send a byte from
70 : : * PqGSSSendBuffer */
71 : : static int PqGSSSendConsumed; /* Number of source bytes encrypted but not
72 : : * yet reported as sent */
73 : :
74 : : static char *PqGSSRecvBuffer; /* Received, encrypted data */
75 : : static int PqGSSRecvLength; /* End of data available in PqGSSRecvBuffer */
76 : :
77 : : static char *PqGSSResultBuffer; /* Decryption of data in gss_RecvBuffer */
78 : : static int PqGSSResultLength; /* End of data available in PqGSSResultBuffer */
79 : : static int PqGSSResultNext; /* Next index to read a byte from
80 : : * PqGSSResultBuffer */
81 : :
82 : : static uint32 PqGSSMaxPktSize; /* Maximum size we can encrypt and fit the
83 : : * results into our output buffer */
84 : :
85 : :
86 : : /*
87 : : * Attempt to write len bytes of data from ptr to a GSSAPI-encrypted connection.
88 : : *
89 : : * The connection must be already set up for GSSAPI encryption (i.e., GSSAPI
90 : : * transport negotiation is complete).
91 : : *
92 : : * On success, returns the number of data bytes consumed (possibly less than
93 : : * len). On failure, returns -1 with errno set appropriately. For retryable
94 : : * errors, caller should call again (passing the same or more data) once the
95 : : * socket is ready.
96 : : *
97 : : * Dealing with fatal errors here is a bit tricky: we can't invoke elog(FATAL)
98 : : * since it would try to write to the client, probably resulting in infinite
99 : : * recursion. Instead, use elog(COMMERROR) to log extra info about the
100 : : * failure if necessary, and then return an errno indicating connection loss.
101 : : */
102 : : ssize_t
209 peter@eisentraut.org 103 :CBC 415 : be_gssapi_write(Port *port, const void *ptr, size_t len)
104 : : {
105 : : OM_uint32 major,
106 : : minor;
107 : : gss_buffer_desc input,
108 : : output;
109 : : size_t bytes_to_encrypt;
110 : : size_t bytes_encrypted;
2065 tgl@sss.pgh.pa.us 111 : 415 : gss_ctx_id_t gctx = port->gss->ctx;
112 : :
113 : : /*
114 : : * When we get a retryable failure, we must not tell the caller we have
115 : : * successfully transmitted everything, else it won't retry. For
116 : : * simplicity, we claim we haven't transmitted anything until we have
117 : : * successfully transmitted all "len" bytes. Between calls, the amount of
118 : : * the current input data that's already been encrypted and placed into
119 : : * PqGSSSendBuffer (and perhaps transmitted) is remembered in
120 : : * PqGSSSendConsumed. On a retry, the caller *must* be sending that data
121 : : * again, so if it offers a len less than that, something is wrong.
122 : : *
123 : : * Note: it may seem attractive to report partial write completion once
124 : : * we've successfully sent any encrypted packets. However, doing that
125 : : * expands the state space of this processing and has been responsible for
126 : : * bugs in the past (cf. commit d053a879b). We won't save much,
127 : : * typically, by letting callers discard data early, so don't risk it.
128 : : */
129 [ - + ]: 415 : if (len < PqGSSSendConsumed)
130 : : {
1713 tgl@sss.pgh.pa.us 131 [ # # ]:UBC 0 : elog(COMMERROR, "GSSAPI caller failed to retransmit all data needing to be retried");
132 : 0 : errno = ECONNRESET;
133 : 0 : return -1;
134 : : }
135 : :
136 : : /* Discount whatever source data we already encrypted. */
2065 tgl@sss.pgh.pa.us 137 :CBC 415 : bytes_to_encrypt = len - PqGSSSendConsumed;
138 : 415 : bytes_encrypted = PqGSSSendConsumed;
139 : :
140 : : /*
141 : : * Loop through encrypting data and sending it out until it's all done or
142 : : * secure_raw_write() complains (which would likely mean that the socket
143 : : * is non-blocking and the requested send() would block, or there was some
144 : : * kind of actual error).
145 : : */
146 [ + + + - ]: 830 : while (bytes_to_encrypt || PqGSSSendLength)
147 : : {
2179 peter@eisentraut.org 148 : 830 : int conf_state = 0;
149 : : uint32 netlen;
150 : :
151 : : /*
152 : : * Check if we have data in the encrypted output buffer that needs to
153 : : * be sent (possibly left over from a previous call), and if so, try
154 : : * to send it. If we aren't able to, return that fact back up to the
155 : : * caller.
156 : : */
2065 tgl@sss.pgh.pa.us 157 [ + + ]: 830 : if (PqGSSSendLength)
158 : : {
159 : : ssize_t ret;
160 : 415 : ssize_t amount = PqGSSSendLength - PqGSSSendNext;
161 : :
162 : 415 : ret = secure_raw_write(port, PqGSSSendBuffer + PqGSSSendNext, amount);
2348 sfrost@snowman.net 163 [ - + ]: 415 : if (ret <= 0)
2065 tgl@sss.pgh.pa.us 164 :UBC 0 : return ret;
165 : :
166 : : /*
167 : : * Check if this was a partial write, and if so, move forward that
168 : : * far in our buffer and try again.
169 : : */
653 tgl@sss.pgh.pa.us 170 [ - + ]:CBC 415 : if (ret < amount)
171 : : {
2065 tgl@sss.pgh.pa.us 172 :UBC 0 : PqGSSSendNext += ret;
2348 sfrost@snowman.net 173 : 0 : continue;
174 : : }
175 : :
176 : : /* We've successfully sent whatever data was in the buffer. */
653 tgl@sss.pgh.pa.us 177 :CBC 415 : PqGSSSendLength = PqGSSSendNext = 0;
178 : : }
179 : :
180 : : /*
181 : : * Check if there are any bytes left to encrypt. If not, we're done.
182 : : */
2348 sfrost@snowman.net 183 [ + + ]: 830 : if (!bytes_to_encrypt)
2065 tgl@sss.pgh.pa.us 184 : 415 : break;
185 : :
186 : : /*
187 : : * Check how much we are being asked to send, if it's too much, then
188 : : * we will have to loop and possibly be called multiple times to get
189 : : * through all the data.
190 : : */
191 [ - + ]: 415 : if (bytes_to_encrypt > PqGSSMaxPktSize)
2065 tgl@sss.pgh.pa.us 192 :UBC 0 : input.length = PqGSSMaxPktSize;
193 : : else
2348 sfrost@snowman.net 194 :CBC 415 : input.length = bytes_to_encrypt;
195 : :
196 : 415 : input.value = (char *) ptr + bytes_encrypted;
197 : :
198 : 415 : output.value = NULL;
199 : 415 : output.length = 0;
200 : :
201 : : /*
202 : : * Create the next encrypted packet. Any failure here is considered a
203 : : * hard failure, so we return -1 even if some data has been sent.
204 : : */
2065 tgl@sss.pgh.pa.us 205 : 415 : major = gss_wrap(&minor, gctx, 1, GSS_C_QOP_DEFAULT,
206 : : &input, &conf_state, &output);
2348 sfrost@snowman.net 207 [ - + ]: 415 : if (major != GSS_S_COMPLETE)
208 : : {
1713 tgl@sss.pgh.pa.us 209 :UBC 0 : pg_GSS_error(_("GSSAPI wrap error"), major, minor);
210 : 0 : errno = ECONNRESET;
211 : 0 : return -1;
212 : : }
2179 peter@eisentraut.org 213 [ - + ]:CBC 415 : if (conf_state == 0)
214 : : {
1713 tgl@sss.pgh.pa.us 215 [ # # ]:UBC 0 : ereport(COMMERROR,
216 : : (errmsg("outgoing GSSAPI message would not use confidentiality")));
217 : 0 : errno = ECONNRESET;
218 : 0 : return -1;
219 : : }
99 tgl@sss.pgh.pa.us 220 [ - + ]:CBC 415 : if (output.length > PQ_GSS_MAX_PACKET_SIZE - sizeof(uint32))
221 : : {
1713 tgl@sss.pgh.pa.us 222 [ # # ]:UBC 0 : ereport(COMMERROR,
223 : : (errmsg("server tried to send oversize GSSAPI packet (%zu > %zu)",
224 : : (size_t) output.length,
225 : : PQ_GSS_MAX_PACKET_SIZE - sizeof(uint32))));
226 : 0 : errno = ECONNRESET;
227 : 0 : return -1;
228 : : }
229 : :
2348 sfrost@snowman.net 230 :CBC 415 : bytes_encrypted += input.length;
231 : 415 : bytes_to_encrypt -= input.length;
2065 tgl@sss.pgh.pa.us 232 : 415 : PqGSSSendConsumed += input.length;
233 : :
234 : : /* 4 network-order bytes of length, then payload */
1787 michael@paquier.xyz 235 : 415 : netlen = pg_hton32(output.length);
2065 tgl@sss.pgh.pa.us 236 : 415 : memcpy(PqGSSSendBuffer + PqGSSSendLength, &netlen, sizeof(uint32));
237 : 415 : PqGSSSendLength += sizeof(uint32);
238 : :
239 : 415 : memcpy(PqGSSSendBuffer + PqGSSSendLength, output.value, output.length);
240 : 415 : PqGSSSendLength += output.length;
241 : :
242 : : /* Release buffer storage allocated by GSSAPI */
1950 243 : 415 : gss_release_buffer(&minor, &output);
244 : : }
245 : :
246 : : /* If we get here, our counters should all match up. */
653 247 [ - + ]: 415 : Assert(len == PqGSSSendConsumed);
248 [ - + ]: 415 : Assert(len == bytes_encrypted);
249 : :
250 : : /* We're reporting all the data as sent, so reset PqGSSSendConsumed. */
251 : 415 : PqGSSSendConsumed = 0;
252 : :
253 : 415 : return bytes_encrypted;
254 : : }
255 : :
256 : : /*
257 : : * Read up to len bytes of data into ptr from a GSSAPI-encrypted connection.
258 : : *
259 : : * The connection must be already set up for GSSAPI encryption (i.e., GSSAPI
260 : : * transport negotiation is complete).
261 : : *
262 : : * Returns the number of data bytes read, or on failure, returns -1
263 : : * with errno set appropriately. For retryable errors, caller should call
264 : : * again once the socket is ready.
265 : : *
266 : : * We treat fatal errors the same as in be_gssapi_write(), even though the
267 : : * argument about infinite recursion doesn't apply here.
268 : : */
269 : : ssize_t
2348 sfrost@snowman.net 270 : 728 : be_gssapi_read(Port *port, void *ptr, size_t len)
271 : : {
272 : : OM_uint32 major,
273 : : minor;
274 : : gss_buffer_desc input,
275 : : output;
276 : : ssize_t ret;
277 : 728 : size_t bytes_returned = 0;
2065 tgl@sss.pgh.pa.us 278 : 728 : gss_ctx_id_t gctx = port->gss->ctx;
279 : :
280 : : /*
281 : : * The plan here is to read one incoming encrypted packet into
282 : : * PqGSSRecvBuffer, decrypt it into PqGSSResultBuffer, and then dole out
283 : : * data from there to the caller. When we exhaust the current input
284 : : * packet, read another.
285 : : */
286 [ + - ]: 1095 : while (bytes_returned < len)
287 : : {
288 : 1095 : int conf_state = 0;
289 : :
290 : : /* Check if we have data in our buffer that we can return immediately */
291 [ + + ]: 1095 : if (PqGSSResultNext < PqGSSResultLength)
292 : : {
293 : 438 : size_t bytes_in_buffer = PqGSSResultLength - PqGSSResultNext;
294 : 438 : size_t bytes_to_copy = Min(bytes_in_buffer, len - bytes_returned);
295 : :
296 : : /*
297 : : * Copy the data from our result buffer into the caller's buffer,
298 : : * at the point where we last left off filling their buffer.
299 : : */
300 : 438 : memcpy((char *) ptr + bytes_returned, PqGSSResultBuffer + PqGSSResultNext, bytes_to_copy);
301 : 438 : PqGSSResultNext += bytes_to_copy;
2348 sfrost@snowman.net 302 : 438 : bytes_returned += bytes_to_copy;
303 : :
304 : : /*
305 : : * At this point, we've either filled the caller's buffer or
306 : : * emptied our result buffer. Either way, return to caller. In
307 : : * the second case, we could try to read another encrypted packet,
308 : : * but the odds are good that there isn't one available. (If this
309 : : * isn't true, we chose too small a max packet size.) In any
310 : : * case, there's no harm letting the caller process the data we've
311 : : * already returned.
312 : : */
2065 tgl@sss.pgh.pa.us 313 : 438 : break;
314 : : }
315 : :
316 : : /* Result buffer is empty, so reset buffer pointers */
317 : 657 : PqGSSResultLength = PqGSSResultNext = 0;
318 : :
319 : : /*
320 : : * Because we chose above to return immediately as soon as we emit
321 : : * some data, bytes_returned must be zero at this point. Therefore
322 : : * the failure exits below can just return -1 without worrying about
323 : : * whether we already emitted some data.
324 : : */
325 [ - + ]: 657 : Assert(bytes_returned == 0);
326 : :
327 : : /*
328 : : * At this point, our result buffer is empty with more bytes being
329 : : * requested to be read. We are now ready to load the next packet and
330 : : * decrypt it (entirely) into our result buffer.
331 : : */
332 : :
333 : : /* Collect the length if we haven't already */
2348 sfrost@snowman.net 334 [ + + ]: 657 : if (PqGSSRecvLength < sizeof(uint32))
335 : : {
336 : 652 : ret = secure_raw_read(port, PqGSSRecvBuffer + PqGSSRecvLength,
337 : : sizeof(uint32) - PqGSSRecvLength);
338 : :
339 : : /* If ret <= 0, secure_raw_read already set the correct errno */
2065 tgl@sss.pgh.pa.us 340 [ + + ]: 652 : if (ret <= 0)
341 : 290 : return ret;
342 : :
2348 sfrost@snowman.net 343 : 367 : PqGSSRecvLength += ret;
344 : :
345 : : /* If we still haven't got the length, return to the caller */
346 [ - + ]: 367 : if (PqGSSRecvLength < sizeof(uint32))
347 : : {
2065 tgl@sss.pgh.pa.us 348 :UBC 0 : errno = EWOULDBLOCK;
349 : 0 : return -1;
350 : : }
351 : : }
352 : :
353 : : /* Decode the packet length and check for overlength packet */
1787 michael@paquier.xyz 354 :CBC 372 : input.length = pg_ntoh32(*(uint32 *) PqGSSRecvBuffer);
355 : :
99 tgl@sss.pgh.pa.us 356 [ - + ]: 372 : if (input.length > PQ_GSS_MAX_PACKET_SIZE - sizeof(uint32))
357 : : {
1713 tgl@sss.pgh.pa.us 358 [ # # ]:UBC 0 : ereport(COMMERROR,
359 : : (errmsg("oversize GSSAPI packet sent by the client (%zu > %zu)",
360 : : (size_t) input.length,
361 : : PQ_GSS_MAX_PACKET_SIZE - sizeof(uint32))));
362 : 0 : errno = ECONNRESET;
363 : 0 : return -1;
364 : : }
365 : :
366 : : /*
367 : : * Read as much of the packet as we are able to on this call into
368 : : * wherever we left off from the last time we were called.
369 : : */
2348 sfrost@snowman.net 370 :CBC 372 : ret = secure_raw_read(port, PqGSSRecvBuffer + PqGSSRecvLength,
371 : 372 : input.length - (PqGSSRecvLength - sizeof(uint32)));
372 : : /* If ret <= 0, secure_raw_read already set the correct errno */
2065 tgl@sss.pgh.pa.us 373 [ - + ]: 372 : if (ret <= 0)
2065 tgl@sss.pgh.pa.us 374 :UBC 0 : return ret;
375 : :
2348 sfrost@snowman.net 376 :CBC 372 : PqGSSRecvLength += ret;
377 : :
378 : : /* If we don't yet have the whole packet, return to the caller */
379 [ + + ]: 372 : if (PqGSSRecvLength - sizeof(uint32) < input.length)
380 : : {
2065 tgl@sss.pgh.pa.us 381 : 5 : errno = EWOULDBLOCK;
382 : 5 : return -1;
383 : : }
384 : :
385 : : /*
386 : : * We now have the full packet and we can perform the decryption and
387 : : * refill our result buffer, then loop back up to pass data back to
388 : : * the caller.
389 : : */
2348 sfrost@snowman.net 390 : 367 : output.value = NULL;
391 : 367 : output.length = 0;
392 : 367 : input.value = PqGSSRecvBuffer + sizeof(uint32);
393 : :
2065 tgl@sss.pgh.pa.us 394 : 367 : major = gss_unwrap(&minor, gctx, &input, &output, &conf_state, NULL);
2348 sfrost@snowman.net 395 [ - + ]: 367 : if (major != GSS_S_COMPLETE)
396 : : {
1713 tgl@sss.pgh.pa.us 397 :UBC 0 : pg_GSS_error(_("GSSAPI unwrap error"), major, minor);
398 : 0 : errno = ECONNRESET;
399 : 0 : return -1;
400 : : }
2179 peter@eisentraut.org 401 [ - + ]:CBC 367 : if (conf_state == 0)
402 : : {
1713 tgl@sss.pgh.pa.us 403 [ # # ]:UBC 0 : ereport(COMMERROR,
404 : : (errmsg("incoming GSSAPI message did not use confidentiality")));
405 : 0 : errno = ECONNRESET;
406 : 0 : return -1;
407 : : }
408 : :
2348 sfrost@snowman.net 409 :CBC 367 : memcpy(PqGSSResultBuffer, output.value, output.length);
410 : 367 : PqGSSResultLength = output.length;
411 : :
412 : : /* Our receive buffer is now empty, reset it */
413 : 367 : PqGSSRecvLength = 0;
414 : :
415 : : /* Release buffer storage allocated by GSSAPI */
416 : 367 : gss_release_buffer(&minor, &output);
417 : : }
418 : :
419 : 438 : return bytes_returned;
420 : : }
421 : :
422 : : /*
423 : : * Read the specified number of bytes off the wire, waiting using
424 : : * WaitLatchOrSocket if we would block.
425 : : *
426 : : * Results are read into PqGSSRecvBuffer.
427 : : *
428 : : * Will always return either -1, to indicate a permanent error, or len.
429 : : */
430 : : static ssize_t
431 : 242 : read_or_wait(Port *port, ssize_t len)
432 : : {
433 : : ssize_t ret;
434 : :
435 : : /*
436 : : * Keep going until we either read in everything we were asked to, or we
437 : : * error out.
438 : : */
2065 tgl@sss.pgh.pa.us 439 [ + + ]: 605 : while (PqGSSRecvLength < len)
440 : : {
2348 sfrost@snowman.net 441 : 363 : ret = secure_raw_read(port, PqGSSRecvBuffer + PqGSSRecvLength, len - PqGSSRecvLength);
442 : :
443 : : /*
444 : : * If we got back an error and it wasn't just
445 : : * EWOULDBLOCK/EAGAIN/EINTR, then give up.
446 : : */
2065 tgl@sss.pgh.pa.us 447 [ + + ]: 363 : if (ret < 0 &&
448 [ - + - - : 121 : !(errno == EWOULDBLOCK || errno == EAGAIN || errno == EINTR))
- - ]
2348 sfrost@snowman.net 449 :UBC 0 : return -1;
450 : :
451 : : /*
452 : : * Ok, we got back either a positive value, zero, or a negative result
453 : : * indicating we should retry.
454 : : *
455 : : * If it was zero or negative, then we wait on the socket to be
456 : : * readable again.
457 : : */
2348 sfrost@snowman.net 458 [ + + ]:CBC 363 : if (ret <= 0)
459 : : {
336 heikki.linnakangas@i 460 : 121 : WaitLatchOrSocket(NULL,
461 : : WL_SOCKET_READABLE | WL_EXIT_ON_PM_DEATH,
462 : : port->sock, 0, WAIT_EVENT_GSS_OPEN_SERVER);
463 : :
464 : : /*
465 : : * If we got back zero bytes, and then waited on the socket to be
466 : : * readable and got back zero bytes on a second read, then this is
467 : : * EOF and the client hung up on us.
468 : : *
469 : : * If we did get data here, then we can just fall through and
470 : : * handle it just as if we got data the first time.
471 : : *
472 : : * Otherwise loop back to the top and try again.
473 : : */
2348 sfrost@snowman.net 474 [ - + ]: 121 : if (ret == 0)
475 : : {
2348 sfrost@snowman.net 476 :UBC 0 : ret = secure_raw_read(port, PqGSSRecvBuffer + PqGSSRecvLength, len - PqGSSRecvLength);
477 [ # # ]: 0 : if (ret == 0)
478 : 0 : return -1;
479 : : }
2065 tgl@sss.pgh.pa.us 480 [ + - ]:CBC 121 : if (ret < 0)
2348 sfrost@snowman.net 481 : 121 : continue;
482 : : }
483 : :
484 : 242 : PqGSSRecvLength += ret;
485 : : }
486 : :
487 : 242 : return len;
488 : : }
489 : :
490 : : /*
491 : : * Start up a GSSAPI-encrypted connection. This performs GSSAPI
492 : : * authentication; after this function completes, it is safe to call
493 : : * be_gssapi_read and be_gssapi_write. Returns -1 and logs on failure;
494 : : * otherwise, returns 0 and marks the connection as ready for GSSAPI
495 : : * encryption.
496 : : *
497 : : * Note that unlike the be_gssapi_read/be_gssapi_write functions, this
498 : : * function WILL block on the socket to be ready for read/write (using
499 : : * WaitLatchOrSocket) as appropriate while establishing the GSSAPI
500 : : * session.
501 : : */
502 : : ssize_t
503 : 121 : secure_open_gssapi(Port *port)
504 : : {
505 : 121 : bool complete_next = false;
506 : : OM_uint32 major,
507 : : minor;
508 : : gss_cred_id_t delegated_creds;
509 : :
510 : : INJECTION_POINT("backend-gssapi-startup", NULL);
511 : :
512 : : /*
513 : : * Allocate subsidiary Port data for GSSAPI operations.
514 : : */
1713 tgl@sss.pgh.pa.us 515 : 121 : port->gss = (pg_gssinfo *)
516 : 121 : MemoryContextAllocZero(TopMemoryContext, sizeof(pg_gssinfo));
517 : :
877 sfrost@snowman.net 518 : 121 : delegated_creds = GSS_C_NO_CREDENTIAL;
519 : 121 : port->gss->delegated_creds = false;
520 : :
521 : : /*
522 : : * Allocate buffers and initialize state variables. By malloc'ing the
523 : : * buffers at this point, we avoid wasting static data space in processes
524 : : * that will never use them, and we ensure that the buffers are
525 : : * sufficiently aligned for the length-word accesses that we do in some
526 : : * places in this file.
527 : : *
528 : : * We'll use PQ_GSS_AUTH_BUFFER_SIZE-sized buffers until transport
529 : : * negotiation is complete, then switch to PQ_GSS_MAX_PACKET_SIZE.
530 : : */
99 tgl@sss.pgh.pa.us 531 : 121 : PqGSSSendBuffer = malloc(PQ_GSS_AUTH_BUFFER_SIZE);
532 : 121 : PqGSSRecvBuffer = malloc(PQ_GSS_AUTH_BUFFER_SIZE);
533 : 121 : PqGSSResultBuffer = malloc(PQ_GSS_AUTH_BUFFER_SIZE);
2065 534 [ + - + - : 121 : if (!PqGSSSendBuffer || !PqGSSRecvBuffer || !PqGSSResultBuffer)
- + ]
2065 tgl@sss.pgh.pa.us 535 [ # # ]:UBC 0 : ereport(FATAL,
536 : : (errcode(ERRCODE_OUT_OF_MEMORY),
537 : : errmsg("out of memory")));
2065 tgl@sss.pgh.pa.us 538 :CBC 121 : PqGSSSendLength = PqGSSSendNext = PqGSSSendConsumed = 0;
539 : 121 : PqGSSRecvLength = PqGSSResultLength = PqGSSResultNext = 0;
540 : :
541 : : /*
542 : : * Use the configured keytab, if there is one. As we now require MIT
543 : : * Kerberos, we might consider using the credential store extensions in
544 : : * the future instead of the environment variable.
545 : : */
1711 546 [ - + - + ]: 121 : if (pg_krb_server_keyfile != NULL && pg_krb_server_keyfile[0] != '\0')
547 : : {
548 [ + - ]: 121 : if (setenv("KRB5_KTNAME", pg_krb_server_keyfile, 1) != 0)
549 : : {
550 : : /* The only likely failure cause is OOM, so use that errcode */
1711 tgl@sss.pgh.pa.us 551 [ # # ]:UBC 0 : ereport(FATAL,
552 : : (errcode(ERRCODE_OUT_OF_MEMORY),
553 : : errmsg("could not set environment: %m")));
554 : : }
555 : : }
556 : :
557 : : while (true)
2348 sfrost@snowman.net 558 : 0 : {
559 : : ssize_t ret;
560 : : gss_buffer_desc input,
2348 sfrost@snowman.net 561 :CBC 121 : output = GSS_C_EMPTY_BUFFER;
562 : :
563 : : /*
564 : : * The client always sends first, so try to go ahead and read the
565 : : * length and wait on the socket to be readable again if that fails.
566 : : */
567 : 121 : ret = read_or_wait(port, sizeof(uint32));
568 [ - + ]: 121 : if (ret < 0)
2348 sfrost@snowman.net 569 :UBC 0 : return ret;
570 : :
571 : : /*
572 : : * Get the length for this packet from the length header.
573 : : */
1787 michael@paquier.xyz 574 :CBC 121 : input.length = pg_ntoh32(*(uint32 *) PqGSSRecvBuffer);
575 : :
576 : : /* Done with the length, reset our buffer */
2348 sfrost@snowman.net 577 : 121 : PqGSSRecvLength = 0;
578 : :
579 : : /*
580 : : * During initialization, packets are always fully consumed and
581 : : * shouldn't ever be over PQ_GSS_AUTH_BUFFER_SIZE in total length.
582 : : *
583 : : * Verify on our side that the client doesn't do something funny.
584 : : */
99 tgl@sss.pgh.pa.us 585 [ - + ]: 121 : if (input.length > PQ_GSS_AUTH_BUFFER_SIZE - sizeof(uint32))
586 : : {
1713 tgl@sss.pgh.pa.us 587 [ # # ]:UBC 0 : ereport(COMMERROR,
588 : : (errmsg("oversize GSSAPI packet sent by the client (%zu > %zu)",
589 : : (size_t) input.length,
590 : : PQ_GSS_AUTH_BUFFER_SIZE - sizeof(uint32))));
591 : 0 : return -1;
592 : : }
593 : :
594 : : /*
595 : : * Get the rest of the packet so we can pass it to GSSAPI to accept
596 : : * the context.
597 : : */
2348 sfrost@snowman.net 598 :CBC 121 : ret = read_or_wait(port, input.length);
599 [ - + ]: 121 : if (ret < 0)
2348 sfrost@snowman.net 600 :UBC 0 : return ret;
601 : :
2348 sfrost@snowman.net 602 :CBC 121 : input.value = PqGSSRecvBuffer;
603 : :
604 : : /* Process incoming data. (The client sends first.) */
605 : 121 : major = gss_accept_sec_context(&minor, &port->gss->ctx,
606 : : GSS_C_NO_CREDENTIAL, &input,
607 : : GSS_C_NO_CHANNEL_BINDINGS,
608 : 121 : &port->gss->name, NULL, &output, NULL,
840 bruce@momjian.us 609 [ + + ]: 121 : NULL, pg_gss_accept_delegation ? &delegated_creds : NULL);
610 : :
2348 sfrost@snowman.net 611 [ - + ]: 121 : if (GSS_ERROR(major))
612 : : {
1713 tgl@sss.pgh.pa.us 613 :UBC 0 : pg_GSS_error(_("could not accept GSSAPI security context"),
614 : : major, minor);
2348 sfrost@snowman.net 615 : 0 : gss_release_buffer(&minor, &output);
616 : 0 : return -1;
617 : : }
2348 sfrost@snowman.net 618 [ + - ]:CBC 121 : else if (!(major & GSS_S_CONTINUE_NEEDED))
619 : : {
620 : : /*
621 : : * rfc2744 technically permits context negotiation to be complete
622 : : * both with and without a packet to be sent.
623 : : */
624 : 121 : complete_next = true;
625 : : }
626 : :
877 627 [ + + ]: 121 : if (delegated_creds != GSS_C_NO_CREDENTIAL)
628 : : {
629 : 10 : pg_store_delegated_credential(delegated_creds);
630 : 10 : port->gss->delegated_creds = true;
631 : : }
632 : :
633 : : /* Done handling the incoming packet, reset our buffer */
2348 634 : 121 : PqGSSRecvLength = 0;
635 : :
636 : : /*
637 : : * Check if we have data to send and, if we do, make sure to send it
638 : : * all
639 : : */
2065 tgl@sss.pgh.pa.us 640 [ + - ]: 121 : if (output.length > 0)
641 : : {
1787 michael@paquier.xyz 642 : 121 : uint32 netlen = pg_hton32(output.length);
643 : :
99 tgl@sss.pgh.pa.us 644 [ - + ]: 121 : if (output.length > PQ_GSS_AUTH_BUFFER_SIZE - sizeof(uint32))
645 : : {
1713 tgl@sss.pgh.pa.us 646 [ # # ]:UBC 0 : ereport(COMMERROR,
647 : : (errmsg("server tried to send oversize GSSAPI packet (%zu > %zu)",
648 : : (size_t) output.length,
649 : : PQ_GSS_AUTH_BUFFER_SIZE - sizeof(uint32))));
650 : 0 : gss_release_buffer(&minor, &output);
651 : 0 : return -1;
652 : : }
653 : :
206 peter@eisentraut.org 654 :CBC 121 : memcpy(PqGSSSendBuffer, &netlen, sizeof(uint32));
2065 tgl@sss.pgh.pa.us 655 : 121 : PqGSSSendLength += sizeof(uint32);
656 : :
657 : 121 : memcpy(PqGSSSendBuffer + PqGSSSendLength, output.value, output.length);
658 : 121 : PqGSSSendLength += output.length;
659 : :
660 : : /* we don't bother with PqGSSSendConsumed here */
661 : :
662 [ + + ]: 242 : while (PqGSSSendNext < PqGSSSendLength)
663 : : {
664 : 121 : ret = secure_raw_write(port, PqGSSSendBuffer + PqGSSSendNext,
665 : 121 : PqGSSSendLength - PqGSSSendNext);
666 : :
667 : : /*
668 : : * If we got back an error and it wasn't just
669 : : * EWOULDBLOCK/EAGAIN/EINTR, then give up.
670 : : */
671 [ - + ]: 121 : if (ret < 0 &&
2065 tgl@sss.pgh.pa.us 672 [ # # # # :UBC 0 : !(errno == EWOULDBLOCK || errno == EAGAIN || errno == EINTR))
# # ]
673 : : {
1950 674 : 0 : gss_release_buffer(&minor, &output);
2065 675 : 0 : return -1;
676 : : }
677 : :
678 : : /* Wait and retry if we couldn't write yet */
2348 sfrost@snowman.net 679 [ - + ]:CBC 121 : if (ret <= 0)
680 : : {
336 heikki.linnakangas@i 681 :UBC 0 : WaitLatchOrSocket(NULL,
682 : : WL_SOCKET_WRITEABLE | WL_EXIT_ON_PM_DEATH,
683 : : port->sock, 0, WAIT_EVENT_GSS_OPEN_SERVER);
2348 sfrost@snowman.net 684 : 0 : continue;
685 : : }
686 : :
2065 tgl@sss.pgh.pa.us 687 :CBC 121 : PqGSSSendNext += ret;
688 : : }
689 : :
690 : : /* Done sending the packet, reset our buffer */
691 : 121 : PqGSSSendLength = PqGSSSendNext = 0;
692 : :
2348 sfrost@snowman.net 693 : 121 : gss_release_buffer(&minor, &output);
694 : : }
695 : :
696 : : /*
697 : : * If we got back that the connection is finished being set up, now
698 : : * that we've sent the last packet, exit our loop.
699 : : */
700 [ + - ]: 121 : if (complete_next)
701 : 121 : break;
702 : : }
703 : :
704 : : /*
705 : : * Release the large authentication buffers and allocate the ones we want
706 : : * for normal operation.
707 : : */
99 tgl@sss.pgh.pa.us 708 : 121 : free(PqGSSSendBuffer);
709 : 121 : free(PqGSSRecvBuffer);
710 : 121 : free(PqGSSResultBuffer);
711 : 121 : PqGSSSendBuffer = malloc(PQ_GSS_MAX_PACKET_SIZE);
712 : 121 : PqGSSRecvBuffer = malloc(PQ_GSS_MAX_PACKET_SIZE);
713 : 121 : PqGSSResultBuffer = malloc(PQ_GSS_MAX_PACKET_SIZE);
714 [ + - + - : 121 : if (!PqGSSSendBuffer || !PqGSSRecvBuffer || !PqGSSResultBuffer)
- + ]
99 tgl@sss.pgh.pa.us 715 [ # # ]:UBC 0 : ereport(FATAL,
716 : : (errcode(ERRCODE_OUT_OF_MEMORY),
717 : : errmsg("out of memory")));
99 tgl@sss.pgh.pa.us 718 :CBC 121 : PqGSSSendLength = PqGSSSendNext = PqGSSSendConsumed = 0;
719 : 121 : PqGSSRecvLength = PqGSSResultLength = PqGSSResultNext = 0;
720 : :
721 : : /*
722 : : * Determine the max packet size which will fit in our buffer, after
723 : : * accounting for the length. be_gssapi_write will need this.
724 : : */
2348 sfrost@snowman.net 725 : 121 : major = gss_wrap_size_limit(&minor, port->gss->ctx, 1, GSS_C_QOP_DEFAULT,
726 : : PQ_GSS_MAX_PACKET_SIZE - sizeof(uint32),
727 : : &PqGSSMaxPktSize);
728 : :
729 [ - + ]: 121 : if (GSS_ERROR(major))
730 : : {
1713 tgl@sss.pgh.pa.us 731 :UBC 0 : pg_GSS_error(_("GSSAPI size check error"), major, minor);
732 : 0 : return -1;
733 : : }
734 : :
2348 sfrost@snowman.net 735 :CBC 121 : port->gss->enc = true;
736 : :
737 : 121 : return 0;
738 : : }
739 : :
740 : : /*
741 : : * Return if GSSAPI authentication was used on this connection.
742 : : */
743 : : bool
744 : 180 : be_gssapi_get_auth(Port *port)
745 : : {
746 [ + - - + ]: 180 : if (!port || !port->gss)
2348 sfrost@snowman.net 747 :UBC 0 : return false;
748 : :
2348 sfrost@snowman.net 749 :CBC 180 : return port->gss->auth;
750 : : }
751 : :
752 : : /*
753 : : * Return if GSSAPI encryption is enabled and being used on this connection.
754 : : */
755 : : bool
756 : 180 : be_gssapi_get_enc(Port *port)
757 : : {
758 [ + - - + ]: 180 : if (!port || !port->gss)
2348 sfrost@snowman.net 759 :UBC 0 : return false;
760 : :
2348 sfrost@snowman.net 761 :CBC 180 : return port->gss->enc;
762 : : }
763 : :
764 : : /*
765 : : * Return the GSSAPI principal used for authentication on this connection
766 : : * (NULL if we did not perform GSSAPI authentication).
767 : : */
768 : : const char *
769 : 180 : be_gssapi_get_princ(Port *port)
770 : : {
1713 tgl@sss.pgh.pa.us 771 [ + - - + ]: 180 : if (!port || !port->gss)
2348 sfrost@snowman.net 772 :UBC 0 : return NULL;
773 : :
2348 sfrost@snowman.net 774 :CBC 180 : return port->gss->princ;
775 : : }
776 : :
777 : : /*
778 : : * Return if GSSAPI delegated credentials were included on this
779 : : * connection.
780 : : */
781 : : bool
840 bruce@momjian.us 782 : 206 : be_gssapi_get_delegation(Port *port)
783 : : {
877 sfrost@snowman.net 784 [ + - + + ]: 206 : if (!port || !port->gss)
876 tgl@sss.pgh.pa.us 785 : 13 : return false;
786 : :
877 sfrost@snowman.net 787 : 193 : return port->gss->delegated_creds;
788 : : }
|
