#include "postgres.h"
#include <unistd.h>
#include "libpq/auth.h"
#include "libpq/be-gssapi-common.h"
#include "libpq/libpq.h"
#include "libpq/pqformat.h"
#include "miscadmin.h"
#include "pgstat.h"
#include "utils/injection_point.h"
#include "utils/memutils.h"

Include dependency graph for be-secure-gssapi.c:

Macros
#define	PQ_GSS_SEND_BUFFER_SIZE 16384

#define	PQ_GSS_RECV_BUFFER_SIZE 16384

Functions
ssize_t	be_gssapi_write (Port port, void ptr, size_t len)

ssize_t	be_gssapi_read (Port port, void ptr, size_t len)

static ssize_t	read_or_wait (Port *port, ssize_t len)

ssize_t	secure_open_gssapi (Port *port)

bool	be_gssapi_get_auth (Port *port)

bool	be_gssapi_get_enc (Port *port)

const char *	be_gssapi_get_princ (Port *port)

bool	be_gssapi_get_delegation (Port *port)

Variables
static char *	PqGSSSendBuffer

static int	PqGSSSendLength

static int	PqGSSSendNext

static int	PqGSSSendConsumed

static char *	PqGSSRecvBuffer

static int	PqGSSRecvLength

static char *	PqGSSResultBuffer

static int	PqGSSResultLength

static int	PqGSSResultNext

static uint32	PqGSSMaxPktSize

Macro Definition Documentation

◆ PQ_GSS_RECV_BUFFER_SIZE

#define PQ_GSS_RECV_BUFFER_SIZE 16384

Definition at line 53 of file be-secure-gssapi.c.

◆ PQ_GSS_SEND_BUFFER_SIZE

#define PQ_GSS_SEND_BUFFER_SIZE 16384

Definition at line 52 of file be-secure-gssapi.c.

Function Documentation

◆ be_gssapi_get_auth()

bool be_gssapi_get_auth ( Port * port )

Definition at line 717 of file be-secure-gssapi.c.

 {
     if (!port || !port->gss)
         return false;
  
     return port->gss->auth;
 }

References port.

Referenced by PerformAuthentication(), and pgstat_bestart().

◆ be_gssapi_get_delegation()

bool be_gssapi_get_delegation ( Port * port )

Definition at line 755 of file be-secure-gssapi.c.

 {
     if (!port || !port->gss)
         return false;
  
     return port->gss->delegated_creds;
 }

References port.

Referenced by check_conn_params(), dblink_connstr_check(), dblink_security_check(), PerformAuthentication(), pgfdw_security_check(), and pgstat_bestart().

◆ be_gssapi_get_enc()

bool be_gssapi_get_enc ( Port * port )

Definition at line 729 of file be-secure-gssapi.c.

 {
     if (!port || !port->gss)
         return false;
  
     return port->gss->enc;
 }

References port.

Referenced by PerformAuthentication(), and pgstat_bestart().

◆ be_gssapi_get_princ()

const char* be_gssapi_get_princ ( Port * port )

Definition at line 742 of file be-secure-gssapi.c.

 {
     if (!port || !port->gss)
         return NULL;
  
     return port->gss->princ;
 }

References port.

Referenced by PerformAuthentication(), and pgstat_bestart().

◆ be_gssapi_read()

ssize_t be_gssapi_read	(	Port *	port,
		void *	ptr,
		size_t	len
	)

Definition at line 263 of file be-secure-gssapi.c.

 {
     OM_uint32   major,
                 minor;
     gss_buffer_desc input,
                 output;
     ssize_t     ret;
     size_t      bytes_returned = 0;
     gss_ctx_id_t gctx = port->gss->ctx;
  
     /*
      * The plan here is to read one incoming encrypted packet into
      * PqGSSRecvBuffer, decrypt it into PqGSSResultBuffer, and then dole out
      * data from there to the caller.  When we exhaust the current input
      * packet, read another.
      */
     while (bytes_returned < len)
     {
         int         conf_state = 0;
  
         /* Check if we have data in our buffer that we can return immediately */
         if (PqGSSResultNext < PqGSSResultLength)
         {
             size_t      bytes_in_buffer = PqGSSResultLength - PqGSSResultNext;
             size_t      bytes_to_copy = Min(bytes_in_buffer, len - bytes_returned);
  
             /*
              * Copy the data from our result buffer into the caller's buffer,
              * at the point where we last left off filling their buffer.
              */
             memcpy((char *) ptr + bytes_returned, PqGSSResultBuffer + PqGSSResultNext, bytes_to_copy);
             PqGSSResultNext += bytes_to_copy;
             bytes_returned += bytes_to_copy;
  
             /*
              * At this point, we've either filled the caller's buffer or
              * emptied our result buffer.  Either way, return to caller.  In
              * the second case, we could try to read another encrypted packet,
              * but the odds are good that there isn't one available.  (If this
              * isn't true, we chose too small a max packet size.)  In any
              * case, there's no harm letting the caller process the data we've
              * already returned.
              */
             break;
         }
  
         /* Result buffer is empty, so reset buffer pointers */
         PqGSSResultLength = PqGSSResultNext = 0;
  
         /*
          * Because we chose above to return immediately as soon as we emit
          * some data, bytes_returned must be zero at this point.  Therefore
          * the failure exits below can just return -1 without worrying about
          * whether we already emitted some data.
          */
         Assert(bytes_returned == 0);
  
         /*
          * At this point, our result buffer is empty with more bytes being
          * requested to be read.  We are now ready to load the next packet and
          * decrypt it (entirely) into our result buffer.
          */
  
         /* Collect the length if we haven't already */
         if (PqGSSRecvLength < sizeof(uint32))
         {
             ret = secure_raw_read(port, PqGSSRecvBuffer + PqGSSRecvLength,
                                   sizeof(uint32) - PqGSSRecvLength);
  
             /* If ret <= 0, secure_raw_read already set the correct errno */
             if (ret <= 0)
                 return ret;
  
             PqGSSRecvLength += ret;
  
             /* If we still haven't got the length, return to the caller */
             if (PqGSSRecvLength < sizeof(uint32))
             {
                 errno = EWOULDBLOCK;
                 return -1;
             }
         }
  
         /* Decode the packet length and check for overlength packet */
         input.length = pg_ntoh32(*(uint32 *) PqGSSRecvBuffer);
  
         if (input.length > PQ_GSS_RECV_BUFFER_SIZE - sizeof(uint32))
         {
             ereport(COMMERROR,
                     (errmsg("oversize GSSAPI packet sent by the client (%zu > %zu)",
                             (size_t) input.length,
                             PQ_GSS_RECV_BUFFER_SIZE - sizeof(uint32))));
             errno = ECONNRESET;
             return -1;
         }
  
         /*
          * Read as much of the packet as we are able to on this call into
          * wherever we left off from the last time we were called.
          */
         ret = secure_raw_read(port, PqGSSRecvBuffer + PqGSSRecvLength,
                               input.length - (PqGSSRecvLength - sizeof(uint32)));
         /* If ret <= 0, secure_raw_read already set the correct errno */
         if (ret <= 0)
             return ret;
  
         PqGSSRecvLength += ret;
  
         /* If we don't yet have the whole packet, return to the caller */
         if (PqGSSRecvLength - sizeof(uint32) < input.length)
         {
             errno = EWOULDBLOCK;
             return -1;
         }
  
         /*
          * We now have the full packet and we can perform the decryption and
          * refill our result buffer, then loop back up to pass data back to
          * the caller.
          */
         output.value = NULL;
         output.length = 0;
         input.value = PqGSSRecvBuffer + sizeof(uint32);
  
         major = gss_unwrap(&minor, gctx, &input, &output, &conf_state, NULL);
         if (major != GSS_S_COMPLETE)
         {
             pg_GSS_error(_("GSSAPI unwrap error"), major, minor);
             errno = ECONNRESET;
             return -1;
         }
         if (conf_state == 0)
         {
             ereport(COMMERROR,
                     (errmsg("incoming GSSAPI message did not use confidentiality")));
             errno = ECONNRESET;
             return -1;
         }
  
         memcpy(PqGSSResultBuffer, output.value, output.length);
         PqGSSResultLength = output.length;
  
         /* Our receive buffer is now empty, reset it */
         PqGSSRecvLength = 0;
  
         /* Release buffer storage allocated by GSSAPI */
         gss_release_buffer(&minor, &output);
     }
  
     return bytes_returned;
 }

References _, Assert, COMMERROR, ECONNRESET, ereport, errmsg(), EWOULDBLOCK, input, len, Min, output, pg_GSS_error(), pg_ntoh32, port, PQ_GSS_RECV_BUFFER_SIZE, PqGSSRecvBuffer, PqGSSRecvLength, PqGSSResultBuffer, PqGSSResultLength, PqGSSResultNext, and secure_raw_read().

Referenced by secure_read().

◆ be_gssapi_write()

ssize_t be_gssapi_write	(	Port *	port,
		void *	ptr,
		size_t	len
	)

Definition at line 96 of file be-secure-gssapi.c.

 {
     OM_uint32   major,
                 minor;
     gss_buffer_desc input,
                 output;
     size_t      bytes_to_encrypt;
     size_t      bytes_encrypted;
     gss_ctx_id_t gctx = port->gss->ctx;
  
     /*
      * When we get a retryable failure, we must not tell the caller we have
      * successfully transmitted everything, else it won't retry.  For
      * simplicity, we claim we haven't transmitted anything until we have
      * successfully transmitted all "len" bytes.  Between calls, the amount of
      * the current input data that's already been encrypted and placed into
      * PqGSSSendBuffer (and perhaps transmitted) is remembered in
      * PqGSSSendConsumed.  On a retry, the caller *must* be sending that data
      * again, so if it offers a len less than that, something is wrong.
      *
      * Note: it may seem attractive to report partial write completion once
      * we've successfully sent any encrypted packets.  However, that can cause
      * problems for callers; notably, pqPutMsgEnd's heuristic to send only
      * full 8K blocks interacts badly with such a hack.  We won't save much,
      * typically, by letting callers discard data early, so don't risk it.
      */
     if (len < PqGSSSendConsumed)
     {
         elog(COMMERROR, "GSSAPI caller failed to retransmit all data needing to be retried");
         errno = ECONNRESET;
         return -1;
     }
  
     /* Discount whatever source data we already encrypted. */
     bytes_to_encrypt = len - PqGSSSendConsumed;
     bytes_encrypted = PqGSSSendConsumed;
  
     /*
      * Loop through encrypting data and sending it out until it's all done or
      * secure_raw_write() complains (which would likely mean that the socket
      * is non-blocking and the requested send() would block, or there was some
      * kind of actual error).
      */
     while (bytes_to_encrypt || PqGSSSendLength)
     {
         int         conf_state = 0;
         uint32      netlen;
  
         /*
          * Check if we have data in the encrypted output buffer that needs to
          * be sent (possibly left over from a previous call), and if so, try
          * to send it.  If we aren't able to, return that fact back up to the
          * caller.
          */
         if (PqGSSSendLength)
         {
             ssize_t     ret;
             ssize_t     amount = PqGSSSendLength - PqGSSSendNext;
  
             ret = secure_raw_write(port, PqGSSSendBuffer + PqGSSSendNext, amount);
             if (ret <= 0)
                 return ret;
  
             /*
              * Check if this was a partial write, and if so, move forward that
              * far in our buffer and try again.
              */
             if (ret < amount)
             {
                 PqGSSSendNext += ret;
                 continue;
             }
  
             /* We've successfully sent whatever data was in the buffer. */
             PqGSSSendLength = PqGSSSendNext = 0;
         }
  
         /*
          * Check if there are any bytes left to encrypt.  If not, we're done.
          */
         if (!bytes_to_encrypt)
             break;
  
         /*
          * Check how much we are being asked to send, if it's too much, then
          * we will have to loop and possibly be called multiple times to get
          * through all the data.
          */
         if (bytes_to_encrypt > PqGSSMaxPktSize)
             input.length = PqGSSMaxPktSize;
         else
             input.length = bytes_to_encrypt;
  
         input.value = (char *) ptr + bytes_encrypted;
  
         output.value = NULL;
         output.length = 0;
  
         /*
          * Create the next encrypted packet.  Any failure here is considered a
          * hard failure, so we return -1 even if some data has been sent.
          */
         major = gss_wrap(&minor, gctx, 1, GSS_C_QOP_DEFAULT,
                          &input, &conf_state, &output);
         if (major != GSS_S_COMPLETE)
         {
             pg_GSS_error(_("GSSAPI wrap error"), major, minor);
             errno = ECONNRESET;
             return -1;
         }
         if (conf_state == 0)
         {
             ereport(COMMERROR,
                     (errmsg("outgoing GSSAPI message would not use confidentiality")));
             errno = ECONNRESET;
             return -1;
         }
         if (output.length > PQ_GSS_SEND_BUFFER_SIZE - sizeof(uint32))
         {
             ereport(COMMERROR,
                     (errmsg("server tried to send oversize GSSAPI packet (%zu > %zu)",
                             (size_t) output.length,
                             PQ_GSS_SEND_BUFFER_SIZE - sizeof(uint32))));
             errno = ECONNRESET;
             return -1;
         }
  
         bytes_encrypted += input.length;
         bytes_to_encrypt -= input.length;
         PqGSSSendConsumed += input.length;
  
         /* 4 network-order bytes of length, then payload */
         netlen = pg_hton32(output.length);
         memcpy(PqGSSSendBuffer + PqGSSSendLength, &netlen, sizeof(uint32));
         PqGSSSendLength += sizeof(uint32);
  
         memcpy(PqGSSSendBuffer + PqGSSSendLength, output.value, output.length);
         PqGSSSendLength += output.length;
  
         /* Release buffer storage allocated by GSSAPI */
         gss_release_buffer(&minor, &output);
     }
  
     /* If we get here, our counters should all match up. */
     Assert(len == PqGSSSendConsumed);
     Assert(len == bytes_encrypted);
  
     /* We're reporting all the data as sent, so reset PqGSSSendConsumed. */
     PqGSSSendConsumed = 0;
  
     return bytes_encrypted;
 }

References _, Assert, COMMERROR, ECONNRESET, elog, ereport, errmsg(), input, len, output, pg_GSS_error(), pg_hton32, port, PQ_GSS_SEND_BUFFER_SIZE, PqGSSMaxPktSize, PqGSSSendBuffer, PqGSSSendConsumed, PqGSSSendLength, PqGSSSendNext, and secure_raw_write().

Referenced by secure_write().

◆ read_or_wait()

static ssize_t read_or_wait	(	Port *	port,
		ssize_t	len
	)

static

Definition at line 424 of file be-secure-gssapi.c.

 {
     ssize_t     ret;
  
     /*
      * Keep going until we either read in everything we were asked to, or we
      * error out.
      */
     while (PqGSSRecvLength < len)
     {
         ret = secure_raw_read(port, PqGSSRecvBuffer + PqGSSRecvLength, len - PqGSSRecvLength);
  
         /*
          * If we got back an error and it wasn't just
          * EWOULDBLOCK/EAGAIN/EINTR, then give up.
          */
         if (ret < 0 &&
             !(errno == EWOULDBLOCK || errno == EAGAIN || errno == EINTR))
             return -1;
  
         /*
          * Ok, we got back either a positive value, zero, or a negative result
          * indicating we should retry.
          *
          * If it was zero or negative, then we wait on the socket to be
          * readable again.
          */
         if (ret <= 0)
         {
             WaitLatchOrSocket(MyLatch,
                               WL_SOCKET_READABLE | WL_EXIT_ON_PM_DEATH,
                               port->sock, 0, WAIT_EVENT_GSS_OPEN_SERVER);
  
             /*
              * If we got back zero bytes, and then waited on the socket to be
              * readable and got back zero bytes on a second read, then this is
              * EOF and the client hung up on us.
              *
              * If we did get data here, then we can just fall through and
              * handle it just as if we got data the first time.
              *
              * Otherwise loop back to the top and try again.
              */
             if (ret == 0)
             {
                 ret = secure_raw_read(port, PqGSSRecvBuffer + PqGSSRecvLength, len - PqGSSRecvLength);
                 if (ret == 0)
                     return -1;
             }
             if (ret < 0)
                 continue;
         }
  
         PqGSSRecvLength += ret;
     }
  
     return len;
 }

References EAGAIN, EINTR, EWOULDBLOCK, len, MyLatch, port, PqGSSRecvBuffer, PqGSSRecvLength, secure_raw_read(), WaitLatchOrSocket(), WL_EXIT_ON_PM_DEATH, and WL_SOCKET_READABLE.

Referenced by secure_open_gssapi().

◆ secure_open_gssapi()

ssize_t secure_open_gssapi ( Port * port )

Definition at line 496 of file be-secure-gssapi.c.

 {
     bool        complete_next = false;
     OM_uint32   major,
                 minor;
     gss_cred_id_t delegated_creds;
  
     INJECTION_POINT("backend-gssapi-startup");
  
     /*
      * Allocate subsidiary Port data for GSSAPI operations.
      */
     port->gss = (pg_gssinfo *)
         MemoryContextAllocZero(TopMemoryContext, sizeof(pg_gssinfo));
  
     delegated_creds = GSS_C_NO_CREDENTIAL;
     port->gss->delegated_creds = false;
  
     /*
      * Allocate buffers and initialize state variables.  By malloc'ing the
      * buffers at this point, we avoid wasting static data space in processes
      * that will never use them, and we ensure that the buffers are
      * sufficiently aligned for the length-word accesses that we do in some
      * places in this file.
      */
     PqGSSSendBuffer = malloc(PQ_GSS_SEND_BUFFER_SIZE);
     PqGSSRecvBuffer = malloc(PQ_GSS_RECV_BUFFER_SIZE);
     PqGSSResultBuffer = malloc(PQ_GSS_RECV_BUFFER_SIZE);
     if (!PqGSSSendBuffer || !PqGSSRecvBuffer || !PqGSSResultBuffer)
         ereport(FATAL,
                 (errcode(ERRCODE_OUT_OF_MEMORY),
                  errmsg("out of memory")));
     PqGSSSendLength = PqGSSSendNext = PqGSSSendConsumed = 0;
     PqGSSRecvLength = PqGSSResultLength = PqGSSResultNext = 0;
  
     /*
      * Use the configured keytab, if there is one.  As we now require MIT
      * Kerberos, we might consider using the credential store extensions in
      * the future instead of the environment variable.
      */
     if (pg_krb_server_keyfile != NULL && pg_krb_server_keyfile[0] != '\0')
     {
         if (setenv("KRB5_KTNAME", pg_krb_server_keyfile, 1) != 0)
         {
             /* The only likely failure cause is OOM, so use that errcode */
             ereport(FATAL,
                     (errcode(ERRCODE_OUT_OF_MEMORY),
                      errmsg("could not set environment: %m")));
         }
     }
  
     while (true)
     {
         ssize_t     ret;
         gss_buffer_desc input,
                     output = GSS_C_EMPTY_BUFFER;
  
         /*
          * The client always sends first, so try to go ahead and read the
          * length and wait on the socket to be readable again if that fails.
          */
         ret = read_or_wait(port, sizeof(uint32));
         if (ret < 0)
             return ret;
  
         /*
          * Get the length for this packet from the length header.
          */
         input.length = pg_ntoh32(*(uint32 *) PqGSSRecvBuffer);
  
         /* Done with the length, reset our buffer */
         PqGSSRecvLength = 0;
  
         /*
          * During initialization, packets are always fully consumed and
          * shouldn't ever be over PQ_GSS_RECV_BUFFER_SIZE in length.
          *
          * Verify on our side that the client doesn't do something funny.
          */
         if (input.length > PQ_GSS_RECV_BUFFER_SIZE)
         {
             ereport(COMMERROR,
                     (errmsg("oversize GSSAPI packet sent by the client (%zu > %d)",
                             (size_t) input.length,
                             PQ_GSS_RECV_BUFFER_SIZE)));
             return -1;
         }
  
         /*
          * Get the rest of the packet so we can pass it to GSSAPI to accept
          * the context.
          */
         ret = read_or_wait(port, input.length);
         if (ret < 0)
             return ret;
  
         input.value = PqGSSRecvBuffer;
  
         /* Process incoming data.  (The client sends first.) */
         major = gss_accept_sec_context(&minor, &port->gss->ctx,
                                        GSS_C_NO_CREDENTIAL, &input,
                                        GSS_C_NO_CHANNEL_BINDINGS,
                                        &port->gss->name, NULL, &output, NULL,
                                        NULL, pg_gss_accept_delegation ? &delegated_creds : NULL);
  
         if (GSS_ERROR(major))
         {
             pg_GSS_error(_("could not accept GSSAPI security context"),
                          major, minor);
             gss_release_buffer(&minor, &output);
             return -1;
         }
         else if (!(major & GSS_S_CONTINUE_NEEDED))
         {
             /*
              * rfc2744 technically permits context negotiation to be complete
              * both with and without a packet to be sent.
              */
             complete_next = true;
         }
  
         if (delegated_creds != GSS_C_NO_CREDENTIAL)
         {
             pg_store_delegated_credential(delegated_creds);
             port->gss->delegated_creds = true;
         }
  
         /* Done handling the incoming packet, reset our buffer */
         PqGSSRecvLength = 0;
  
         /*
          * Check if we have data to send and, if we do, make sure to send it
          * all
          */
         if (output.length > 0)
         {
             uint32      netlen = pg_hton32(output.length);
  
             if (output.length > PQ_GSS_SEND_BUFFER_SIZE - sizeof(uint32))
             {
                 ereport(COMMERROR,
                         (errmsg("server tried to send oversize GSSAPI packet (%zu > %zu)",
                                 (size_t) output.length,
                                 PQ_GSS_SEND_BUFFER_SIZE - sizeof(uint32))));
                 gss_release_buffer(&minor, &output);
                 return -1;
             }
  
             memcpy(PqGSSSendBuffer, (char *) &netlen, sizeof(uint32));
             PqGSSSendLength += sizeof(uint32);
  
             memcpy(PqGSSSendBuffer + PqGSSSendLength, output.value, output.length);
             PqGSSSendLength += output.length;
  
             /* we don't bother with PqGSSSendConsumed here */
  
             while (PqGSSSendNext < PqGSSSendLength)
             {
                 ret = secure_raw_write(port, PqGSSSendBuffer + PqGSSSendNext,
                                        PqGSSSendLength - PqGSSSendNext);
  
                 /*
                  * If we got back an error and it wasn't just
                  * EWOULDBLOCK/EAGAIN/EINTR, then give up.
                  */
                 if (ret < 0 &&
                     !(errno == EWOULDBLOCK || errno == EAGAIN || errno == EINTR))
                 {
                     gss_release_buffer(&minor, &output);
                     return -1;
                 }
  
                 /* Wait and retry if we couldn't write yet */
                 if (ret <= 0)
                 {
                     WaitLatchOrSocket(MyLatch,
                                       WL_SOCKET_WRITEABLE | WL_EXIT_ON_PM_DEATH,
                                       port->sock, 0, WAIT_EVENT_GSS_OPEN_SERVER);
                     continue;
                 }
  
                 PqGSSSendNext += ret;
             }
  
             /* Done sending the packet, reset our buffer */
             PqGSSSendLength = PqGSSSendNext = 0;
  
             gss_release_buffer(&minor, &output);
         }
  
         /*
          * If we got back that the connection is finished being set up, now
          * that we've sent the last packet, exit our loop.
          */
         if (complete_next)
             break;
     }
  
     /*
      * Determine the max packet size which will fit in our buffer, after
      * accounting for the length.  be_gssapi_write will need this.
      */
     major = gss_wrap_size_limit(&minor, port->gss->ctx, 1, GSS_C_QOP_DEFAULT,
                                 PQ_GSS_SEND_BUFFER_SIZE - sizeof(uint32),
                                 &PqGSSMaxPktSize);
  
     if (GSS_ERROR(major))
     {
         pg_GSS_error(_("GSSAPI size check error"), major, minor);
         return -1;
     }
  
     port->gss->enc = true;
  
     return 0;
 }