On 05/25/2017 06:36 PM, Michael Paquier wrote:
On Thu, May 25, 2017 at 10:52 AM, Michael Paquier
<michael.paqu...@gmail.com> wrote:
Actually, I don't think that we are completely done here. Using the
patch of upthread to enforce a failure on SASLInitialResponse, I see
that connecting without SSL causes the following error:
psql: FATAL:  password authentication failed for user "mpaquier"
But connecting with SSL returns that:
psql: duplicate SASL authentication request

I have not looked at that in details yet, but it seems to me that we
should not take pg_SASL_init() twice in the scram authentication code
path in libpq for a single attempt.

Gotcha. This happens because of sslmode=prefer, on which
pqDropConnection is used to clean up the connection state. So it seems
to me that the correct fix is to move the cleanup of sasl_state to
pqDropConnection() instead of closePGconn(). Once I do so the failures
are correct, showing to the user two FATAL errors because of the two
psql: FATAL:  password authentication failed for user "mpaquier"
FATAL:  password authentication failed for user "mpaquier"

Hmm, the SASL state cleanup is done pretty much the same way that GSS/SSPI cleanup is. Don't we have a similar problem with GSS?

I tested that, and I got an error from glibc, complaining about a double-free:

*** Error in `/home/heikki/pgsql.master/bin/psql': double free or corruption 
(out): 0x000056157d13be00 ***
======= Backtrace: =========

I bisected that; the culprit was commit 61bf96cab0, where I refactored the libpq authentication code in preparation for SCRAM. The logic around that free() was always a bit wonky, but the refactoring made it outright broken. Attached is a patch for that, see commit message for details. (Review of that would be welcome.)

So, after fixing that, back to the original question; don't we have a similar "duplicate authentication request" problem with GSS? Yes, turns out that we do, even on stable branches:

psql "sslmode=prefer dbname=postgres hostaddr= krbsrvname=postgres host=localhost user=krbtestuser"
psql: duplicate GSS authentication request

To fix, I suppose we can do what you did for SASL in your patch, and move the cleanup of conn->gctx from closePGconn to pgDropConnection. And I presume we need to do the same for the SSPI state too, but I don't have a Windows set up to test that at the moment.

- Heikki

Attachment: 0001-Fix-double-free-bug-in-GSS-authentication.patch
Description: invalid/octet-stream

Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:

Reply via email to