Movatterモバイル変換


[0]ホーム

URL:


Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

Sign up
Appearance settings

Commite6c33d5

Browse files
committed
Clear auth context correctly when re-connecting after failed auth attempt.
If authentication over an SSL connection fails, with sslmode=prefer,libpq will reconnect without SSL and retry. However, we did not clearthe variables related to GSS, SSPI, and SASL authentication state, whenreconnecting. Because of that, the second authentication attempt wouldalways fail with a "duplicate GSS/SASL authentication request" error.pg_SSPI_startup did not check for duplicate authentication requests likethe corresponding GSS and SASL functions, so with SSPI, you would leaksome memory instead.Another way this could manifest itself, on version 10, is if you listmultiple hostnames in the "host" parameter. If the first server requestsKerberos or SCRAM authentication, but it fails, the attempts to connect tothe other servers will also fail with "duplicate authentication request"errors.To fix, move the clearing of authentication state from closePGconn topgDropConnection, so that it is cleared also when re-connecting.Patch by Michael Paquier, with some kibitzing by me.Backpatch down to 9.3. 9.2 has the same bug, but the code around closingthe connection is somewhat different, so that this patch doesn't apply.To fix this in 9.2, I think we would need to back-port commit210eb9bfirst, and then apply this patch. However, given that we only bumped intothis in our own testing, we haven't heard any reports from users aboutthis, and that 9.2 will be end-of-lifed in a couple of months anyway, itdoesn't seem worth the risk and trouble.Discussion:https://www.postgresql.org/message-id/CAB7nPqRuOUm0MyJaUy9L3eXYJU3AKCZ-0-03=-aDTZJGV4GyWw@mail.gmail.com
1 parent3344582 commite6c33d5

File tree

2 files changed

+50
-37
lines changed

2 files changed

+50
-37
lines changed

‎src/interfaces/libpq/fe-auth.c

Lines changed: 6 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -416,7 +416,12 @@ pg_SSPI_startup(PGconn *conn, int use_negotiate, int payloadlen)
416416
TimeStampexpire;
417417
char*host=PQhost(conn);
418418

419-
conn->sspictx=NULL;
419+
if (conn->sspictx)
420+
{
421+
printfPQExpBuffer(&conn->errorMessage,
422+
libpq_gettext("duplicate SSPI authentication request\n"));
423+
returnSTATUS_ERROR;
424+
}
420425

421426
/*
422427
* Retrieve credentials handle

‎src/interfaces/libpq/fe-connect.c

Lines changed: 44 additions & 36 deletions
Original file line numberDiff line numberDiff line change
@@ -406,15 +406,59 @@ pqDropConnection(PGconn *conn, bool flushInput)
406406
{
407407
/* Drop any SSL state */
408408
pqsecure_close(conn);
409+
409410
/* Close the socket itself */
410411
if (conn->sock!=PGINVALID_SOCKET)
411412
closesocket(conn->sock);
412413
conn->sock=PGINVALID_SOCKET;
414+
413415
/* Optionally discard any unread data */
414416
if (flushInput)
415417
conn->inStart=conn->inCursor=conn->inEnd=0;
418+
416419
/* Always discard any unsent data */
417420
conn->outCount=0;
421+
422+
/* Free authentication state */
423+
#ifdefENABLE_GSS
424+
{
425+
OM_uint32min_s;
426+
427+
if (conn->gctx)
428+
gss_delete_sec_context(&min_s,&conn->gctx,GSS_C_NO_BUFFER);
429+
if (conn->gtarg_nam)
430+
gss_release_name(&min_s,&conn->gtarg_nam);
431+
}
432+
#endif
433+
#ifdefENABLE_SSPI
434+
if (conn->sspitarget)
435+
{
436+
free(conn->sspitarget);
437+
conn->sspitarget=NULL;
438+
}
439+
if (conn->sspicred)
440+
{
441+
FreeCredentialsHandle(conn->sspicred);
442+
free(conn->sspicred);
443+
conn->sspicred=NULL;
444+
}
445+
if (conn->sspictx)
446+
{
447+
DeleteSecurityContext(conn->sspictx);
448+
free(conn->sspictx);
449+
conn->sspictx=NULL;
450+
}
451+
conn->usesspi=0;
452+
#endif
453+
if (conn->sasl_state)
454+
{
455+
/*
456+
* XXX: if support for more authentication mechanisms is added, this
457+
* needs to call the right 'free' function.
458+
*/
459+
pg_fe_scram_free(conn->sasl_state);
460+
conn->sasl_state=NULL;
461+
}
418462
}
419463

420464

@@ -3475,42 +3519,6 @@ closePGconn(PGconn *conn)
34753519
if (conn->lobjfuncs)
34763520
free(conn->lobjfuncs);
34773521
conn->lobjfuncs=NULL;
3478-
#ifdefENABLE_GSS
3479-
{
3480-
OM_uint32min_s;
3481-
3482-
if (conn->gctx)
3483-
gss_delete_sec_context(&min_s,&conn->gctx,GSS_C_NO_BUFFER);
3484-
if (conn->gtarg_nam)
3485-
gss_release_name(&min_s,&conn->gtarg_nam);
3486-
}
3487-
#endif
3488-
#ifdefENABLE_SSPI
3489-
if (conn->sspitarget)
3490-
free(conn->sspitarget);
3491-
conn->sspitarget=NULL;
3492-
if (conn->sspicred)
3493-
{
3494-
FreeCredentialsHandle(conn->sspicred);
3495-
free(conn->sspicred);
3496-
conn->sspicred=NULL;
3497-
}
3498-
if (conn->sspictx)
3499-
{
3500-
DeleteSecurityContext(conn->sspictx);
3501-
free(conn->sspictx);
3502-
conn->sspictx=NULL;
3503-
}
3504-
#endif
3505-
if (conn->sasl_state)
3506-
{
3507-
/*
3508-
* XXX: if support for more authentication mechanisms is added, this
3509-
* needs to call the right 'free' function.
3510-
*/
3511-
pg_fe_scram_free(conn->sasl_state);
3512-
conn->sasl_state=NULL;
3513-
}
35143522
}
35153523

35163524
/*

0 commit comments

Comments
 (0)

[8]ページ先頭

©2009-2025 Movatter.jp