[HACKERS] Postgres GSSAPI Encryption

2015-05-08 Thread Robbie Harwood
Hello! Today, there exists GSSAPI authentication support in Postgres. I plan to extend this work to include encryption as well, but wanted to get your input on that first since you've probably thought about this already. From what I can tell, the auth/encryption layer is very nicely designed

Re: [HACKERS] Postgres GSSAPI Encryption

2015-05-11 Thread Robbie Harwood
Stephen Frost sfr...@snowman.net writes: Robbie, * Robbie Harwood (rharw...@redhat.com) wrote: We'd I think also want a new kind of HBA entry (probably something along the lines of `hostgss` to contrast with `hostssl`), but I'm not sure what we'd want to do for the counterpart

Re: [HACKERS] Postgres GSSAPI Encryption

2015-06-10 Thread Robbie Harwood
Robbie Harwood rharw...@redhat.com writes: Stephen Frost sfr...@snowman.net writes: Robbie, * Robbie Harwood (rharw...@redhat.com) wrote: We'd I think also want a new kind of HBA entry (probably something along the lines of `hostgss` to contrast with `hostssl`), but I'm not sure what

[HACKERS] [PATCH v1] GSSAPI encryption support

2015-07-02 Thread Robbie Harwood
separation rather than too little. A patch for each is attached. This is v1 of the series. Thanks! From f506ba6ab6755f56c8aadba7d72a8839d5fbc0d9 Mon Sep 17 00:00:00 2001 From: Robbie Harwood (frozencemetery) rharw...@redhat.com Date: Mon, 8 Jun 2015 19:27:45 -0400 Subject: build: Define

Re: [HACKERS] [PATCH v1] GSSAPI encryption support

2015-08-21 Thread Robbie Harwood
Michael Paquier michael.paqu...@gmail.com writes: On Fri, Jul 3, 2015 at 3:22 AM, Robbie Harwood rharw...@redhat.com wrote: There are 8 commits in this series; I have tried to err on the side of creating too much separation rather than too little. A patch for each is attached. This is v1

Re: [HACKERS] [PATCH v3] GSSAPI encryption support

2015-10-21 Thread Robbie Harwood
Michael Paquier writes: > Robbie, > > +#ifdef ENABLE_GSS > + if (pggss_encrypt(conn) < 0) > + return EOF; > +#endif > > @@ -1528,10 +1541,20 @@ socket_putmessage(char msgtype, const char *s, > size_t len) > if (internal_putbytes(s, len)) >

Re: [HACKERS] [PATCH v3] GSSAPI encryption support

2015-10-21 Thread Robbie Harwood
Michael Paquier <michael.paqu...@gmail.com> writes: > On Tue, Oct 20, 2015 at 3:01 AM, Robbie Harwood wrote: >> Stephen Frost <sfr...@snowman.net> writes: >>> psql: lost synchronization with server: got message type "S", length 22 >> >> which un

Re: [HACKERS] [PATCH v3] GSSAPI encryption support

2015-10-22 Thread Robbie Harwood
Andres Freund writes: > On 2015-10-22 16:47:09 +0900, Michael Paquier wrote: >> Hm, and that's why you chose this way of going. My main concern about >> this patch is that it adds on top of the existing Postgres protocol a >> layer to encrypt and decrypt the messages between

Re: [HACKERS] [PATCH v2] GSSAPI encryption support

2015-10-28 Thread Robbie Harwood
Jeff Janes <jeff.ja...@gmail.com> writes: > On Tue, Sep 29, 2015 at 7:53 AM, Robbie Harwood <rharw...@redhat.com> wrote: >> Robbie Harwood <rharw...@redhat.com> writes: >> >>>>>> Michael Paquier <michael.paqu...@gmail.com> writes: >>

Re: [HACKERS] [PATCH v3] GSSAPI encryption support

2015-10-30 Thread Robbie Harwood
Andreas, can you please weigh in here since your voice is important to this process? Robbie Harwood <rharw...@redhat.com> writes: > Andres Freund <and...@anarazel.de> writes: > >> On 2015-10-22 16:47:09 +0900, Michael Paquier wrote: >>> Hm, and that's why you

Re: [HACKERS] Building from git source on ubuntu with gssapi

2015-11-02 Thread Robbie Harwood
Jeff Janes writes: > I can't ./configure --with-gssapi from git on ubuntu 14.04.3 because: > > configure: error: gssapi.h header file is required for GSSAPI > > If I download the distribution-specific 9.3 source with apt, I find > their secret sauce to make it work: > >

Re: [HACKERS] [PATCH v3] GSSAPI encryption support

2015-10-15 Thread Robbie Harwood
Craig Ringer <cr...@2ndquadrant.com> writes: > On 14 October 2015 at 06:34, Robbie Harwood <rharw...@redhat.com> wrote: >> Alright, here's v3. As requested, it's one patch now. > > I hate to ask, but have you looked at how this interacts with Windows? > > We

Re: [HACKERS] [PATCH v3] GSSAPI encryption support

2015-10-19 Thread Robbie Harwood
Stephen Frost writes: > As for this patch, the reason I've not been as involved (beyond being > ridiculously busy) is that Michael's environment, which at least appears > perfectly reasonable (and works with PG unpatched) isn't working. If we > can get that working (and I've

Re: [HACKERS] [PATCH v3] GSSAPI encryption support

2015-10-13 Thread Robbie Harwood
m, I would love to hear them; right now though I don't see a better way. Patch follows. Thanks! From 6710d5ad0226ea3a5ea8e35d6dc54b4500f1d3e0 Mon Sep 17 00:00:00 2001 From: "Robbie Harwood (frozencemetery)" <rharw...@redhat.com> Date: Mon, 8 Jun 2015 19:27:45 -0400 Subject: [PATCH]

Re: [HACKERS] [PATCH v1] GSSAPI encryption support

2015-10-09 Thread Robbie Harwood
both of you! Okay, if block is desired, I'll squish for v3. Sorry for the inconvenience. >> On 2015-07-02 14:22:13 -0400, Robbie Harwood wrote: >> [Andres' comments] > > Here are some comments on top of what Andres has mentioned. > > --- a/configure.in > +++ b/configure

Re: [HACKERS] [PATCH v1] GSSAPI encryption support

2015-10-09 Thread Robbie Harwood
ow the steps don't > individually make sense. That's fair. Can you suggest a better organization? > On 2015-07-02 14:22:13 -0400, Robbie Harwood wrote: >> +#include > > postgres.h should be the first header included. Okay, will fix. >> +size_t >> +be_gss_encrypt(Port *por

Re: [HACKERS] [PATCH] libpq: Allow specifying multiple host names to try to connect to

2015-07-08 Thread Robbie Harwood
Steve Singer st...@ssinger.info writes: On 04/19/2015 11:18 AM, Mikko Tiihonen wrote: Hi, I would like to allow specifying multiple host names for libpq to try connecting to. This is currently only supported if the host name resolves to multiple addresses. Having the support for it

Re: [HACKERS] [PATCH v2] GSSAPI encryption support

2015-09-08 Thread Robbie Harwood
Michael Paquier <michael.paqu...@gmail.com> writes: > On Fri, Jul 3, 2015 at 3:22 AM, Robbie Harwood <rharw...@redhat.com> wrote: > >> Hello -hackers, >> >> As previously discussed on this list, I have coded up GSSAPI encryption >> support. If it is easi

Re: [HACKERS] [PATCH v2] GSSAPI encryption support

2015-09-16 Thread Robbie Harwood
Michael Paquier <michael.paqu...@gmail.com> writes: > On Thu, Sep 10, 2015 at 4:27 PM, Michael Paquier <michael.paqu...@gmail.com> > wrote: >> On Thu, Sep 10, 2015 at 1:44 AM, Robbie Harwood <rharw...@redhat.com> wrote: >>> Michael Paquier <michael.paq

Re: [HACKERS] [PATCH v2] GSSAPI encryption support

2015-09-29 Thread Robbie Harwood
Robbie Harwood <rharw...@redhat.com> writes: >>>> Michael Paquier <michael.paqu...@gmail.com> writes: >>>> >>>>> Well, the issue is still here: login through gssapi fails with >>>>> your patch, not with HEAD. This patch is next

Re: [HACKERS] [PATCH v2] GSSAPI encryption support

2015-09-09 Thread Robbie Harwood
Michael Paquier <michael.paqu...@gmail.com> writes: > On Wed, Sep 9, 2015 at 4:12 AM, Robbie Harwood wrote: >> Michael Paquier writes: >> As promised, here's a V2 to address your issues with comments. I >> haven't heard back on the issues you found in testing, so no o

Re: [HACKERS] [PATCH v12] GSSAPI encryption support

2016-06-15 Thread Robbie Harwood
Michael Paquier <michael.paqu...@gmail.com> writes: > On Thu, Apr 7, 2016 at 8:20 AM, Tom Lane <t...@sss.pgh.pa.us> wrote: >> Robbie Harwood <rharw...@redhat.com> writes: >>> Tom Lane <t...@sss.pgh.pa.us> writes: >>> >>

Re: [HACKERS] [PATCH v4] GSSAPI encryption support

2016-02-10 Thread Robbie Harwood
c92275b6605d7929cda5551de47a4c60aab7179e Mon Sep 17 00:00:00 2001 From: Robbie Harwood <rharw...@redhat.com> Date: Tue, 17 Nov 2015 18:34:14 -0500 Subject: [PATCH] Connect encryption support for GSSAPI Existing GSSAPI authentication code is extended to support connection encryption. Connection begins as soon as po

Re: [HACKERS] [PATCH v4] GSSAPI encryption support

2016-02-11 Thread Robbie Harwood
Michael Paquier <michael.paqu...@gmail.com> writes: > On Thu, Feb 11, 2016 at 6:06 AM, Robbie Harwood <rharw...@redhat.com> wrote: >> >> - The GSSAPI authentication code has been moved without modification. >> In doing so, the temptation to modify it (fla

Re: [HACKERS] [PATCH v5] GSSAPI encryption support

2016-02-25 Thread Robbie Harwood
Michael Paquier <michael.paqu...@gmail.com> writes: > On Tue, Feb 16, 2016 at 2:45 AM, Robbie Harwood <rharw...@redhat.com> wrote: >> David Steele <da...@pgmasters.net> writes: >>> On 2/10/16 4:06 PM, Robbie Harwood wrote: >>>> Hello friends,

Re: [HACKERS] [PATCH v5] GSSAPI encryption support

2016-02-24 Thread Robbie Harwood
David Steele <da...@pgmasters.net> writes: > On 2/15/16 12:45 PM, Robbie Harwood wrote: >> David Steele <da...@pgmasters.net> writes: >> >>> 1) It didn't apply cleanly to HEAD. It did apply cleanly on a455878 >>> which I figured was recent

Re: [HACKERS] [PATCH v5] GSSAPI encryption support

2016-02-15 Thread Robbie Harwood
David Steele <da...@pgmasters.net> writes: > Hi Robbie, > > On 2/10/16 4:06 PM, Robbie Harwood wrote: >> Hello friends, >> >> For your consideration, here is a new version of GSSAPI encryption >> support. For those who prefer, it's also availa

Re: [HACKERS] [PATCH v6] GSSAPI encryption support

2016-03-15 Thread Robbie Harwood
Stephen Frost <sfr...@snowman.net> writes: > Robbie, > > * Robbie Harwood (rharw...@redhat.com) wrote: >> Michael Paquier <michael.paqu...@gmail.com> writes: >> > - maj_stat = gss_accept_sec_context( >> > -

Re: [HACKERS] [PATCH v6] GSSAPI encryption support

2016-03-15 Thread Robbie Harwood
Michael Paquier <michael.paqu...@gmail.com> writes: > On Tue, Mar 15, 2016 at 3:12 PM, David Steele <da...@pgmasters.net> wrote: >> On 3/8/16 5:44 PM, Robbie Harwood wrote: >>> Here's yet another version of GSSAPI encryption support. >> >> This look

Re: [HACKERS] [PATCH v6] GSSAPI encryption support

2016-03-14 Thread Robbie Harwood
David Steele <da...@pgmasters.net> writes: > Hi Robbie, > > On 3/8/16 5:44 PM, Robbie Harwood wrote: >> Hello friends, >> >> Here's yet another version of GSSAPI encryption support. It's also >> available for viewing on my github: > > The build wen

Re: [HACKERS] [PATCH v6] GSSAPI encryption support

2016-03-09 Thread Robbie Harwood
David Steele <da...@pgmasters.net> writes: > On 3/8/16 5:44 PM, Robbie Harwood wrote: >> >> Here's yet another version of GSSAPI encryption support. It's also >> available for viewing on my github: > > I got this warning when applying the first patch in the set:

[HACKERS] [PATCH v6] GSSAPI encryption support

2016-03-08 Thread Robbie Harwood
anks! From 5674aa74effab4931bac1044f32dee83d915aa90 Mon Sep 17 00:00:00 2001 From: Robbie Harwood <rharw...@redhat.com> Date: Fri, 26 Feb 2016 16:07:05 -0500 Subject: [PATCH 1/3] Move common GSSAPI code into its own files On both the frontend and backend, prepare for GSSAPI encryption support by mo

[HACKERS] [PATCH v7] GSSAPI encryption support

2016-03-14 Thread Robbie Harwood
p until later. This removes the hang because now the connection will not erroneously get stuck polling while data is buffered. Thanks! From 3b62e99de16f2c4600d0bb02f3626e5157ecdc6c Mon Sep 17 00:00:00 2001 From: Robbie Harwood <rharw...@redhat.com> Date: Fri, 26 Feb 2016 16:07:05 -0500 Subject: [PAT

Re: [HACKERS] [PATCH v6] GSSAPI encryption support

2016-03-14 Thread Robbie Harwood
David Steele <da...@pgmasters.net> writes: > On 3/14/16 4:10 PM, Robbie Harwood wrote: > >> David Steele <da...@pgmasters.net> writes: >> >>> On 3/8/16 5:44 PM, Robbie Harwood wrote: >>> >>>> Here's yet another version of GSSAPI enc

Re: [HACKERS] [PATCH v12] GSSAPI encryption support

2016-04-06 Thread Robbie Harwood
Stephen Frost writes: > Just an initial pass over the patch. Thanks! In the interest of brevity, if I haven't replied to something, I plan to fix it. >> /* >> - * Flush message so client will see it, except for AUTH_REQ_OK, which >> need >> - * not be sent

Re: [HACKERS] [PATCH v12] GSSAPI encryption support

2016-04-05 Thread Robbie Harwood
Michael Paquier <michael.paqu...@gmail.com> writes: > On Tue, Apr 5, 2016 at 9:06 AM, Robbie Harwood <rharw...@redhat.com> wrote: >> Here's v12, both here and on my github: >> https://github.com/frozencemetery/postgres/tree/feature/gssencryp

Re: [HACKERS] [PATCH v12] GSSAPI encryption support

2016-04-06 Thread Robbie Harwood
Tom Lane <t...@sss.pgh.pa.us> writes: > Robbie Harwood <rharw...@redhat.com> writes: >> I need to flush this any time we might be doing encryption because it >> needs to be in a separate request to _secure_write() from what follows >> it. We don't know whether we

Re: [HACKERS] [PATCH v12] GSSAPI encryption support

2016-04-05 Thread Robbie Harwood
Alvaro Herrera <alvhe...@2ndquadrant.com> writes: > Robbie Harwood wrote: >> Michael Paquier <michael.paqu...@gmail.com> writes: >> >> > On Tue, Apr 5, 2016 at 9:06 AM, Robbie Harwood <rharw...@redhat.com> wrote: >> >> Here's v12

Re: [HACKERS] Lets (not) break all the things. Was: [pgsql-advocacy] 9.6 -> 10.0

2016-04-11 Thread Robbie Harwood
Justin Clift writes: > Moving over a conversation from the pgsql-advocacy mailing list. In it > Simon (CC'd) raised the issue of potentially creating a > backwards-compatibility > breaking release at some point in the future, to deal with things that > might have no

[HACKERS] [PATCH v8] GSSAPI encryption support

2016-03-19 Thread Robbie Harwood
message conditional again. - Fixed typo in server error message for insufficient GSSAPI protection. Thanks! From 3b62e99de16f2c4600d0bb02f3626e5157ecdc6c Mon Sep 17 00:00:00 2001 From: Robbie Harwood <rharw...@redhat.com> Date: Fri, 26 Feb 2016 16:07:05 -0500 Subject: [PATCH 1/3] Move common

Re: [HACKERS] BUG #13854: SSPI authentication failure: wrong realm name used

2016-03-24 Thread Robbie Harwood
Christian Ullrich writes: > Updated patch attached. I unfortunately don't have windows machines to test this on, but I thought it might be helpful to review this anyway since I'm touching code in the same general area (GSSAPI). And as far as I can tell, you don't break

Re: [HACKERS] BUG #13854: SSPI authentication failure: wrong realm name used

2016-03-24 Thread Robbie Harwood
Christian Ullrich writes: > Updated patch attached. Okay, I am happy now. Thanks!

Re: [HACKERS] [PATCH v10] GSSAPI encryption support

2016-04-01 Thread Robbie Harwood
Michael Paquier <michael.paqu...@gmail.com> writes: > On Fri, Apr 1, 2016 at 12:31 PM, Robbie Harwood <rharw...@redhat.com> wrote: > >> - Fixed buffering of large replies on the serverside. This should fix >> the traceback that was being seen. The issue had

Re: [HACKERS] [PATCH v8] GSSAPI encryption support

2016-03-29 Thread Robbie Harwood
David Steele <da...@pgmasters.net> writes: > On 3/20/16 12:09 AM, Robbie Harwood wrote: > >> A new version of my GSSAPI encryption patchset is available > > Here's a more thorough review: Thanks for the review! To keep this a manageable size, I'm going to trim prett

Re: [HACKERS] [PATCH v9] GSSAPI encryption support

2016-03-31 Thread Robbie Harwood
Michael Paquier <michael.paqu...@gmail.com> writes: > On Thu, Mar 31, 2016 at 2:14 PM, Michael Paquier > <michael.paqu...@gmail.com> wrote: >> On Wed, Mar 30, 2016 at 1:01 PM, Robbie Harwood <rharw...@redhat.com> wrote: >>> A new version of my GSSAPI

Re: [HACKERS] [PATCH v9] GSSAPI encryption support

2016-03-31 Thread Robbie Harwood
Alvaro Herrera <alvhe...@2ndquadrant.com> writes: > Robbie Harwood wrote: >> Michael Paquier <michael.paqu...@gmail.com> writes: > >> > + iov[0].iov_base = lenbuf; >> > + iov[0].iov_len = 4; >> > + iov[1].iov_base = output.value; >>

Re: [HACKERS] [PATCH v11] GSSAPI encryption support

2016-04-01 Thread Robbie Harwood
. - Remove accidental whitespace change. Thanks! From 945805d45e8021f92ad73518b3a74ac6bab89525 Mon Sep 17 00:00:00 2001 From: Robbie Harwood <rharw...@redhat.com> Date: Fri, 26 Feb 2016 16:07:05 -0500 Subject: [PATCH 1/3] Move common GSSAPI code into its own files On both the frontend and b

Re: [HACKERS] [PATCH v11] GSSAPI encryption support

2016-04-04 Thread Robbie Harwood
Michael Paquier <michael.paqu...@gmail.com> writes: > On Sat, Apr 2, 2016 at 7:34 AM, Robbie Harwood <rharw...@redhat.com> wrote: > >> Since I still can't reproduce this locally (left a client machine and >> a process on the same machine retrying for over

Re: [HACKERS] [PATCH v12] GSSAPI encryption support

2016-04-04 Thread Robbie Harwood
-and-then-send, which turns out to be not only shorter but easier for me to reason about. Thanks! From 945805d45e8021f92ad73518b3a74ac6bab89525 Mon Sep 17 00:00:00 2001 From: Robbie Harwood <rharw...@redhat.com> Date: Fri, 26 Feb 2016 16:07:05 -0500 Subject: [PATCH 1/3] Move common GSSAP

Re: [HACKERS] [PATCH v1] GSSAPI encryption support

2016-03-29 Thread Robbie Harwood
nse to see what changed by diffing from the previous changeset. Thanks! From 3b62e99de16f2c4600d0bb02f3626e5157ecdc6c Mon Sep 17 00:00:00 2001 From: Robbie Harwood <rharw...@redhat.com> Date: Fri, 26 Feb 2016 16:07:05 -0500 Subject: [PATCH 1/3] Move common GSSAPI code into its own files On b

Re: [HACKERS] [PATCH v10] GSSAPI encryption support

2016-03-31 Thread Robbie Harwood
functions. - Error message cleanup. Thanks! From 945805d45e8021f92ad73518b3a74ac6bab89525 Mon Sep 17 00:00:00 2001 From: Robbie Harwood <rharw...@redhat.com> Date: Fri, 26 Feb 2016 16:07:05 -0500 Subject: [PATCH 1/3] Move common GSSAPI code into its own files On both the frontend and b

Re: [HACKERS] [PATCH v12] GSSAPI encryption support

2016-07-27 Thread Robbie Harwood
Michael Paquier <michael.paqu...@gmail.com> writes: > On Wed, Jul 27, 2016 at 12:22 AM, Robbie Harwood <rharw...@redhat.com> wrote: >> Michael Paquier <michael.paqu...@gmail.com> writes: >> >> So there's a connection setting `sslmode` that we'll want so

Re: [HACKERS] [PATCH v12] GSSAPI encryption support

2016-07-25 Thread Robbie Harwood
Robbie Harwood <rharw...@redhat.com> writes: > Michael Paquier <michael.paqu...@gmail.com> writes: > >> On Thu, Apr 7, 2016 at 8:20 AM, Tom Lane <t...@sss.pgh.pa.us> wrote: >>> Robbie Harwood <rharw...@redhat.com> writes: >>>> Tom Lane

Re: [HACKERS] [PATCH v12] GSSAPI encryption support

2016-07-26 Thread Robbie Harwood
Robbie Harwood <rharw...@redhat.com> writes: > So there's a connection setting `sslmode` that we'll want something > similar to here (`gssapimode` or so). `sslmode` has six settings, but I > think we only need three for GSSAPI: "disable", "allow", and

Re: [HACKERS] [PATCH v12] GSSAPI encryption support

2016-07-26 Thread Robbie Harwood
Michael Paquier <michael.paqu...@gmail.com> writes: > On Tue, Jul 26, 2016 at 5:58 AM, Robbie Harwood <rharw...@redhat.com> wrote: >> Robbie Harwood <rharw...@redhat.com> writes: > > Sorry for my late reply. Thanks for the feedback! >>> If I were to con

Re: [HACKERS] [PATCH v12] GSSAPI encryption support

2016-07-26 Thread Robbie Harwood
Tom Lane <t...@sss.pgh.pa.us> writes: > Robbie Harwood <rharw...@redhat.com> writes: >> So there's a connection setting `sslmode` that we'll want something >> similar to here (`gssapimode` or so). `sslmode` has six settings, but I >> think we only need th