Re: pgsql: Refactor libpq state machine for negotiating encryption

Thu, 25 Apr 2024 08:04:20 -0700 

On 24/04/2024 15:57, Peter Eisentraut wrote:

On 08.04.24 03:25, Heikki Linnakangas wrote:

Refactor libpq state machine for negotiating encryption

This fixes the few corner cases noted in commit 705843d294, as shown
by the changes in the test.


Either this or something nearby appears to have broken the error
reporting from psql or libpq when failing to get an SSL connection:

PG16:

psql 'sslmode=require host=localhost'
psql: error: connection to server at "localhost" (::1), port 65432
failed: server does not support SSL, but SSL was required

master:

psql 'sslmode=require host=localhost'
psql: error: connection to server at "localhost" (::1), port 65432 failed:

(sic, the output ends after the colon).

This commit removed that detail error message string from the code, but
I don't see any similar message that would take its place.


Thanks, attached patch puts back those messages.
This makes one change in the error message behavior compared to v16, in the case that the server responds to GSSRequest with an error instead of rejecting it with 'N'. Previously, libpq would hide the error that the server sent in that case, assuming that it was because the server is an old pre-v12 version that doesn't support GSS and doesn't understand the GSSRequest message. A v11 server responds with a "FATAL: unsupported frontend protocol 1234.5680: server supports 2.0 to 3.0" error if you try to connect to it with GSS. That was a reasonable assumption when the feature was introduced, but v12 was released a long time ago and I don't think it's the most probable cause anymore. The attached patch changes things so that libpq prints the error message that the server sent in that case, making the "server responds with error to GSSRequest" case behave the same as the "server responds with error to SSLRequest" case. We could keep the old behavior if we wanted to, but this is the most convenient way to handle this in the new libpq code, and makes sense anyway IMHO.
While testing this some more, I noticed this existing case with stable versions:
psql "host=enc-test-localhost.postgresql.example.com hostaddr=127.0.0.1 sslmode=disable gssencmode=require" 
psql: error: connection to server at "127.0.0.1", port 5432 failed:

In the server log:
024-04-25 16:38:59.372 EEST [3939163] LOG: could not accept GSSAPI security context 2024-04-25 16:38:59.372 EEST [3939163] DETAIL: No credentials were supplied, or the credentials were unavailable or inaccessible: Key table entry not found
I didn't have everything configured correctly, which is why it failed. That's fine. But the psql error message is missing here too.
The attached patch does not fix that case. I think the correct fix would go somewhere in pqsecure_open_gss(). Whenever pqsecure_open_gss() returns PGRES_POLLING_FAILED, it should also put an error in the error buffer with libpq_append_conn_error(). The corresponding pgtls_open_client() function for TLS does that, and so does pqsecure_open_gss() for many other cases, but apparently not that one. 

--
Heikki Linnakangas
Neon (https://neon.tech)

From fd3261a5b78dae6bcfdafe86d14736da43befbbe Mon Sep 17 00:00:00 2001
From: Heikki Linnakangas <heikki.linnakan...@iki.fi>
Date: Thu, 25 Apr 2024 14:53:29 +0300
Subject: [PATCH 1/1] libpq: Fix error messages when server rejects SSL or GSS

These messages were lost in commit 05fd30c0e7. Put them back.

This makes one change in the error message behavior compared to v16,
in the case that the server responds to GSSRequest with an error
instead of rejecting it with 'N'. Previously, libpq would hide the
error that the server sent, assuming that you got the error because
the server is an old pre-v12 version that doesn't support GSS and
doesn't understand the GSSRequest message. A v11 server sends a
"FATAL: unsupported frontend protocol 1234.5680: server supports 2.0
to 3.0" error if you try to connect to it with GSS. That was a
reasonable assumption when the feature was introduced, but v12 was
released a long time ago and I don't think it's the most probable
cause anymore. The attached patch changes things so that libpq prints
the error message that the server sent in that case, making the
"server responds with error to GSSRequest" case behave the same as the
"server responds with error to SSLRequest" case.

Reported-by: Peter Eisentraut
Discussion: https://www.postgresql.org/message-id/bb3b94da-afc7-438d-8940-cb946e553...@eisentraut.org
---
 src/interfaces/libpq/fe-connect.c | 49 ++++++++++++++++++++++---------
 1 file changed, 35 insertions(+), 14 deletions(-)

diff --git a/src/interfaces/libpq/fe-connect.c b/src/interfaces/libpq/fe-connect.c
index ec20e3f3a9..4a4d0b9e80 100644
--- a/src/interfaces/libpq/fe-connect.c
+++ b/src/interfaces/libpq/fe-connect.c
@@ -2861,12 +2861,17 @@ keep_going:						/* We will come back to here until there is
 		need_new_connection = false;
 	}
 
-	/* Decide what to do next, if SSL or GSS negotiation fails */
-#define ENCRYPTION_NEGOTIATION_FAILED() \
+	/*
+	 * Decide what to do next, if server rejects SSL or GSS negotiation, but
+	 * the connection is still valid. If there are no options left, error out
+	 * with 'msg'.
+	 */
+#define ENCRYPTION_NEGOTIATION_FAILED(msg) \
 	do { \
 		switch (encryption_negotiation_failed(conn)) \
 		{ \
 			case 0: \
+				libpq_append_conn_error(conn, (msg)); \
 				goto error_return; \
 			case 1: \
 				conn->status = CONNECTION_MADE; \
@@ -2877,7 +2882,11 @@ keep_going:						/* We will come back to here until there is
 		} \
 	} while(0);
 
-	/* Decide what to do next, if connection fails */
+	/*
+	 * Decide what to do next, if connection fails. If there are no options
+	 * left, return with an error. The error message has already been written
+	 * to the connection's error buffer.
+	 */
 #define CONNECTION_FAILED() \
 	do { \
 		if (connection_failed(conn)) \
@@ -3483,9 +3492,13 @@ keep_going:						/* We will come back to here until there is
 					{
 						/* mark byte consumed */
 						conn->inStart = conn->inCursor;
-						/* OK to do without SSL? */
-						/* We can proceed using this connection */
-						ENCRYPTION_NEGOTIATION_FAILED();
+
+						/*
+						 * The connection is still valid, so if it's OK to
+						 * continue without SSL, we can proceed using this
+						 * connection. Otherwise return with an error.
+						 */
+						ENCRYPTION_NEGOTIATION_FAILED("server does not support SSL, but SSL was required");
 					}
 					else if (SSLok == 'E')
 					{
@@ -3583,13 +3596,17 @@ keep_going:						/* We will come back to here until there is
 					if (gss_ok == 'E')
 					{
 						/*
-						 * Server failure of some sort.  Assume it's a
-						 * protocol version support failure, and let's see if
-						 * we can't recover (if it's not, we'll get a better
-						 * error message on retry).  Server gets fussy if we
-						 * don't hang up the socket, though.
+						 * Server failure of some sort, possibly protocol
+						 * version support failure.  We need to process and
+						 * report the error message, which might be formatted
+						 * according to either protocol 2 or protocol 3.
+						 * Rather than duplicate the code for that, we flip
+						 * into AWAITING_RESPONSE state and let the code there
+						 * deal with it.  Note we have *not* consumed the "E"
+						 * byte here.
 						 */
-						CONNECTION_FAILED();
+						conn->status = CONNECTION_AWAITING_RESPONSE;
+						goto keep_going;
 					}
 
 					/* mark byte consumed */
@@ -3597,8 +3614,12 @@ keep_going:						/* We will come back to here until there is
 
 					if (gss_ok == 'N')
 					{
-						/* We can proceed using this connection */
-						ENCRYPTION_NEGOTIATION_FAILED();
+						/*
+						 * The connection is still valid, so if it's OK to
+						 * continue without GSS, we can proceed using this
+						 * connection. Otherwise return with an error.
+						 */
+						ENCRYPTION_NEGOTIATION_FAILED("server doesn't support GSSAPI encryption, but it was required");
 					}
 					else if (gss_ok != 'G')
 					{
-- 
2.39.2

Reply via email to