/*------------------------------------------------------------------------- * * fe-secure-gssapi.c * The front-end (client) encryption support for GSSAPI * * Portions Copyright (c) 2016-2022, PostgreSQL Global Development Group * * IDENTIFICATION * src/interfaces/libpq/fe-secure-gssapi.c * *------------------------------------------------------------------------- */ #include "postgres_fe.h" #include "fe-gssapi-common.h" #include "libpq-fe.h" #include "libpq-int.h" #include "port/pg_bswap.h" /* * Require encryption support, as well as mutual authentication and * tamperproofing measures. */ #define GSS_REQUIRED_FLAGS GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | \ GSS_C_SEQUENCE_FLAG | GSS_C_CONF_FLAG | GSS_C_INTEG_FLAG /* * Handle the encryption/decryption of data using GSSAPI. * * In the encrypted data stream on the wire, we break up the data * into packets where each packet starts with a uint32-size length * word (in network byte order), then encrypted data of that length * immediately following. Decryption yields the same data stream * that would appear when not using encryption. * * Encrypted data typically ends up being larger than the same data * unencrypted, so we use fixed-size buffers for handling the * encryption/decryption which are larger than PQComm's buffer will * typically be to minimize the times where we have to make multiple * packets (and therefore multiple recv/send calls for a single * read/write call to us). * * NOTE: The client and server have to agree on the max packet size, * because we have to pass an entire packet to GSSAPI at a time and we * don't want the other side to send arbitrarily huge packets as we * would have to allocate memory for them to then pass them to GSSAPI. * * Therefore, these two #define's are effectively part of the protocol * spec and can't ever be changed. */ #define PQ_GSS_SEND_BUFFER_SIZE 16384 #define PQ_GSS_RECV_BUFFER_SIZE 16384 /* * We need these state variables per-connection. To allow the functions * in this file to look mostly like those in be-secure-gssapi.c, set up * these macros. */ #define PqGSSSendBuffer (conn->gss_SendBuffer) #define PqGSSSendLength (conn->gss_SendLength) #define PqGSSSendNext (conn->gss_SendNext) #define PqGSSSendConsumed (conn->gss_SendConsumed) #define PqGSSRecvBuffer (conn->gss_RecvBuffer) #define PqGSSRecvLength (conn->gss_RecvLength) #define PqGSSResultBuffer (conn->gss_ResultBuffer) #define PqGSSResultLength (conn->gss_ResultLength) #define PqGSSResultNext (conn->gss_ResultNext) #define PqGSSMaxPktSize (conn->gss_MaxPktSize) /* * Attempt to write len bytes of data from ptr to a GSSAPI-encrypted connection. * * The connection must be already set up for GSSAPI encryption (i.e., GSSAPI * transport negotiation is complete). * * On success, returns the number of data bytes consumed (possibly less than * len). On failure, returns -1 with errno set appropriately. If the errno * indicates a non-retryable error, a message is added to conn->errorMessage. * For retryable errors, caller should call again (passing the same data) * once the socket is ready. */ ssize_t pg_GSS_write(PGconn *conn, const void *ptr, size_t len) { OM_uint32 major, minor; gss_buffer_desc input, output = GSS_C_EMPTY_BUFFER; ssize_t ret = -1; size_t bytes_sent = 0; size_t bytes_to_encrypt; size_t bytes_encrypted; gss_ctx_id_t gctx = conn->gctx; /* * When we get a failure, we must not tell the caller we have successfully * transmitted everything, else it won't retry. Hence a "success" * (positive) return value must only count source bytes corresponding to * fully-transmitted encrypted packets. The amount of source data * corresponding to the current partly-transmitted packet is remembered in * PqGSSSendConsumed. On a retry, the caller *must* be sending that data * again, so if it offers a len less than that, something is wrong. */ if (len < PqGSSSendConsumed) { appendPQExpBufferStr(&conn->errorMessage, "GSSAPI caller failed to retransmit all data needing to be retried\n"); errno = EINVAL; return -1; } /* Discount whatever source data we already encrypted. */ bytes_to_encrypt = len - PqGSSSendConsumed; bytes_encrypted = PqGSSSendConsumed; /* * Loop through encrypting data and sending it out until it's all done or * pqsecure_raw_write() complains (which would likely mean that the socket * is non-blocking and the requested send() would block, or there was some * kind of actual error). */ while (bytes_to_encrypt || PqGSSSendLength) { int conf_state = 0; uint32 netlen; /* * Check if we have data in the encrypted output buffer that needs to * be sent (possibly left over from a previous call), and if so, try * to send it. If we aren't able to, return that fact back up to the * caller. */ if (PqGSSSendLength) { ssize_t ret; ssize_t amount = PqGSSSendLength - PqGSSSendNext; ret = pqsecure_raw_write(conn, PqGSSSendBuffer + PqGSSSendNext, amount); if (ret <= 0) { /* * Report any previously-sent data; if there was none, reflect * the pqsecure_raw_write result up to our caller. When there * was some, we're effectively assuming that any interesting * failure condition will recur on the next try. */ if (bytes_sent) return bytes_sent; return ret; } /* * Check if this was a partial write, and if so, move forward that * far in our buffer and try again. */ if (ret != amount) { PqGSSSendNext += ret; continue; } /* We've successfully sent whatever data was in that packet. */ bytes_sent += PqGSSSendConsumed; /* All encrypted data was sent, our buffer is empty now. */ PqGSSSendLength = PqGSSSendNext = PqGSSSendConsumed = 0; } /* * Check if there are any bytes left to encrypt. If not, we're done. */ if (!bytes_to_encrypt) break; /* * Check how much we are being asked to send, if it's too much, then * we will have to loop and possibly be called multiple times to get * through all the data. */ if (bytes_to_encrypt > PqGSSMaxPktSize) input.length = PqGSSMaxPktSize; else input.length = bytes_to_encrypt; input.value = (char *) ptr + bytes_encrypted; output.value = NULL; output.length = 0; /* * Create the next encrypted packet. Any failure here is considered a * hard failure, so we return -1 even if bytes_sent > 0. */ major = gss_wrap(&minor, gctx, 1, GSS_C_QOP_DEFAULT, &input, &conf_state, &output); if (major != GSS_S_COMPLETE) { pg_GSS_error(libpq_gettext("GSSAPI wrap error"), conn, major, minor); errno = EIO; /* for lack of a better idea */ goto cleanup; } if (conf_state == 0) { appendPQExpBufferStr(&conn->errorMessage, libpq_gettext("outgoing GSSAPI message would not use confidentiality\n")); errno = EIO; /* for lack of a better idea */ goto cleanup; } if (output.length > PQ_GSS_SEND_BUFFER_SIZE - sizeof(uint32)) { appendPQExpBuffer(&conn->errorMessage, libpq_gettext("client tried to send oversize GSSAPI packet (%zu > %zu)\n"), (size_t) output.length, PQ_GSS_SEND_BUFFER_SIZE - sizeof(uint32)); errno = EIO; /* for lack of a better idea */ goto cleanup; } bytes_encrypted += input.length; bytes_to_encrypt -= input.length; PqGSSSendConsumed += input.length; /* 4 network-order bytes of length, then payload */ netlen = pg_hton32(output.length); memcpy(PqGSSSendBuffer + PqGSSSendLength, &netlen, sizeof(uint32)); PqGSSSendLength += sizeof(uint32); memcpy(PqGSSSendBuffer + PqGSSSendLength, output.value, output.length); PqGSSSendLength += output.length; /* Release buffer storage allocated by GSSAPI */ gss_release_buffer(&minor, &output); } /* If we get here, our counters should all match up. */ Assert(bytes_sent == len); Assert(bytes_sent == bytes_encrypted); ret = bytes_sent; cleanup: /* Release GSSAPI buffer storage, if we didn't already */ if (output.value != NULL) gss_release_buffer(&minor, &output); return ret; } /* * Read up to len bytes of data into ptr from a GSSAPI-encrypted connection. * * The connection must be already set up for GSSAPI encryption (i.e., GSSAPI * transport negotiation is complete). * * Returns the number of data bytes read, or on failure, returns -1 * with errno set appropriately. If the errno indicates a non-retryable * error, a message is added to conn->errorMessage. For retryable errors, * caller should call again once the socket is ready. */ ssize_t pg_GSS_read(PGconn *conn, void *ptr, size_t len) { OM_uint32 major, minor; gss_buffer_desc input = GSS_C_EMPTY_BUFFER, output = GSS_C_EMPTY_BUFFER; ssize_t ret; size_t bytes_returned = 0; gss_ctx_id_t gctx = conn->gctx; /* * The plan here is to read one incoming encrypted packet into * PqGSSRecvBuffer, decrypt it into PqGSSResultBuffer, and then dole out * data from there to the caller. When we exhaust the current input * packet, read another. */ while (bytes_returned < len) { int conf_state = 0; /* Check if we have data in our buffer that we can return immediately */ if (PqGSSResultNext < PqGSSResultLength) { size_t bytes_in_buffer = PqGSSResultLength - PqGSSResultNext; size_t bytes_to_copy = Min(bytes_in_buffer, len - bytes_returned); /* * Copy the data from our result buffer into the caller's buffer, * at the point where we last left off filling their buffer. */ memcpy((char *) ptr + bytes_returned, PqGSSResultBuffer + PqGSSResultNext, bytes_to_copy); PqGSSResultNext += bytes_to_copy; bytes_returned += bytes_to_copy; /* * At this point, we've either filled the caller's buffer or * emptied our result buffer. Either way, return to caller. In * the second case, we could try to read another encrypted packet, * but the odds are good that there isn't one available. (If this * isn't true, we chose too small a max packet size.) In any * case, there's no harm letting the caller process the data we've * already returned. */ break; } /* Result buffer is empty, so reset buffer pointers */ PqGSSResultLength = PqGSSResultNext = 0; /* * Because we chose above to return immediately as soon as we emit * some data, bytes_returned must be zero at this point. Therefore * the failure exits below can just return -1 without worrying about * whether we already emitted some data. */ Assert(bytes_returned == 0); /* * At this point, our result buffer is empty with more bytes being * requested to be read. We are now ready to load the next packet and * decrypt it (entirely) into our result buffer. */ /* Collect the length if we haven't already */ if (PqGSSRecvLength < sizeof(uint32)) { ret = pqsecure_raw_read(conn, PqGSSRecvBuffer + PqGSSRecvLength, sizeof(uint32) - PqGSSRecvLength); /* If ret <= 0, pqsecure_raw_read already set the correct errno */ if (ret <= 0) return ret; PqGSSRecvLength += ret; /* If we still haven't got the length, return to the caller */ if (PqGSSRecvLength < sizeof(uint32)) { errno = EWOULDBLOCK; return -1; } } /* Decode the packet length and check for overlength packet */ input.length = pg_ntoh32(*(uint32 *) PqGSSRecvBuffer); if (input.length > PQ_GSS_RECV_BUFFER_SIZE - sizeof(uint32)) { appendPQExpBuffer(&conn->errorMessage, libpq_gettext("oversize GSSAPI packet sent by the server (%zu > %zu)\n"), (size_t) input.length, PQ_GSS_RECV_BUFFER_SIZE - sizeof(uint32)); errno = EIO; /* for lack of a better idea */ return -1; } /* * Read as much of the packet as we are able to on this call into * wherever we left off from the last time we were called. */ ret = pqsecure_raw_read(conn, PqGSSRecvBuffer + PqGSSRecvLength, input.length - (PqGSSRecvLength - sizeof(uint32))); /* If ret <= 0, pqsecure_raw_read already set the correct errno */ if (ret <= 0) return ret; PqGSSRecvLength += ret; /* If we don't yet have the whole packet, return to the caller */ if (PqGSSRecvLength - sizeof(uint32) < input.length) { errno = EWOULDBLOCK; return -1; } /* * We now have the full packet and we can perform the decryption and * refill our result buffer, then loop back up to pass data back to * the caller. Note that error exits below here must take care of * releasing the gss output buffer. */ output.value = NULL; output.length = 0; input.value = PqGSSRecvBuffer + sizeof(uint32); major = gss_unwrap(&minor, gctx, &input, &output, &conf_state, NULL); if (major != GSS_S_COMPLETE) { pg_GSS_error(libpq_gettext("GSSAPI unwrap error"), conn, major, minor); ret = -1; errno = EIO; /* for lack of a better idea */ goto cleanup; } if (conf_state == 0) { appendPQExpBufferStr(&conn->errorMessage, libpq_gettext("incoming GSSAPI message did not use confidentiality\n")); ret = -1; errno = EIO; /* for lack of a better idea */ goto cleanup; } memcpy(PqGSSResultBuffer, output.value, output.length); PqGSSResultLength = output.length; /* Our receive buffer is now empty, reset it */ PqGSSRecvLength = 0; /* Release buffer storage allocated by GSSAPI */ gss_release_buffer(&minor, &output); } ret = bytes_returned; cleanup: /* Release GSSAPI buffer storage, if we didn't already */ if (output.value != NULL) gss_release_buffer(&minor, &output); return ret; } /* * Simple wrapper for reading from pqsecure_raw_read. * * This takes the same arguments as pqsecure_raw_read, plus an output parameter * to return the number of bytes read. This handles if blocking would occur and * if we detect EOF on the connection. */ static PostgresPollingStatusType gss_read(PGconn *conn, void *recv_buffer, size_t length, ssize_t *ret) { *ret = pqsecure_raw_read(conn, recv_buffer, length); if (*ret < 0) { if (errno == EAGAIN || errno == EWOULDBLOCK || errno == EINTR) return PGRES_POLLING_READING; else return PGRES_POLLING_FAILED; } /* Check for EOF */ if (*ret == 0) { int result = pqReadReady(conn); if (result < 0) return PGRES_POLLING_FAILED; if (!result) return PGRES_POLLING_READING; *ret = pqsecure_raw_read(conn, recv_buffer, length); if (*ret < 0) { if (errno == EAGAIN || errno == EWOULDBLOCK || errno == EINTR) return PGRES_POLLING_READING; else return PGRES_POLLING_FAILED; } if (*ret == 0) return PGRES_POLLING_FAILED; } return PGRES_POLLING_OK; } /* * Negotiate GSSAPI transport for a connection. When complete, returns * PGRES_POLLING_OK. Will return PGRES_POLLING_READING or * PGRES_POLLING_WRITING as appropriate whenever it would block, and * PGRES_POLLING_FAILED if transport could not be negotiated. */ PostgresPollingStatusType pqsecure_open_gss(PGconn *conn) { ssize_t ret; OM_uint32 major, minor; uint32 netlen; PostgresPollingStatusType result; gss_buffer_desc input = GSS_C_EMPTY_BUFFER, output = GSS_C_EMPTY_BUFFER; /* * If first time through for this connection, allocate buffers and * initialize state variables. By malloc'ing the buffers separately, we * ensure that they are sufficiently aligned for the length-word accesses * that we do in some places in this file. */ if (PqGSSSendBuffer == NULL) { PqGSSSendBuffer = malloc(PQ_GSS_SEND_BUFFER_SIZE); PqGSSRecvBuffer = malloc(PQ_GSS_RECV_BUFFER_SIZE); PqGSSResultBuffer = malloc(PQ_GSS_RECV_BUFFER_SIZE); if (!PqGSSSendBuffer || !PqGSSRecvBuffer || !PqGSSResultBuffer) { appendPQExpBufferStr(&conn->errorMessage, libpq_gettext("out of memory\n")); return PGRES_POLLING_FAILED; } PqGSSSendLength = PqGSSSendNext = PqGSSSendConsumed = 0; PqGSSRecvLength = PqGSSResultLength = PqGSSResultNext = 0; } /* * Check if we have anything to send from a prior call and if so, send it. */ if (PqGSSSendLength) { ssize_t amount = PqGSSSendLength - PqGSSSendNext; ret = pqsecure_raw_write(conn, PqGSSSendBuffer + PqGSSSendNext, amount); if (ret < 0) { if (errno == EAGAIN || errno == EWOULDBLOCK || errno == EINTR) return PGRES_POLLING_WRITING; else return PGRES_POLLING_FAILED; } if (ret < amount) { PqGSSSendNext += ret; return PGRES_POLLING_WRITING; } PqGSSSendLength = PqGSSSendNext = 0; } /* * Client sends first, and sending creates a context, therefore this will * be false the first time through, and then when we get called again we * will check for incoming data. */ if (conn->gctx) { /* Process any incoming data we might have */ /* See if we are still trying to get the length */ if (PqGSSRecvLength < sizeof(uint32)) { /* Attempt to get the length first */ result = gss_read(conn, PqGSSRecvBuffer + PqGSSRecvLength, sizeof(uint32) - PqGSSRecvLength, &ret); if (result != PGRES_POLLING_OK) return result; PqGSSRecvLength += ret; if (PqGSSRecvLength < sizeof(uint32)) return PGRES_POLLING_READING; } /* * Check if we got an error packet * * This is safe to do because we shouldn't ever get a packet over 8192 * and therefore the actual length bytes, being that they are in * network byte order, for any real packet will start with two zero * bytes. */ if (PqGSSRecvBuffer[0] == 'E') { /* * For an error packet during startup, we don't get a length, so * simply read as much as we can fit into our buffer (as a string, * so leave a spot at the end for a NULL byte too) and report that * back to the caller. */ result = gss_read(conn, PqGSSRecvBuffer + PqGSSRecvLength, PQ_GSS_RECV_BUFFER_SIZE - PqGSSRecvLength - 1, &ret); if (result != PGRES_POLLING_OK) return result; PqGSSRecvLength += ret; Assert(PqGSSRecvLength < PQ_GSS_RECV_BUFFER_SIZE); PqGSSRecvBuffer[PqGSSRecvLength] = '\0'; appendPQExpBuffer(&conn->errorMessage, "%s\n", PqGSSRecvBuffer + 1); return PGRES_POLLING_FAILED; } /* * We should have the whole length at this point, so pull it out and * then read whatever we have left of the packet */ /* Get the length and check for over-length packet */ input.length = pg_ntoh32(*(uint32 *) PqGSSRecvBuffer); if (input.length > PQ_GSS_RECV_BUFFER_SIZE - sizeof(uint32)) { appendPQExpBuffer(&conn->errorMessage, libpq_gettext("oversize GSSAPI packet sent by the server (%zu > %zu)\n"), (size_t) input.length, PQ_GSS_RECV_BUFFER_SIZE - sizeof(uint32)); return PGRES_POLLING_FAILED; } /* * Read as much of the packet as we are able to on this call into * wherever we left off from the last time we were called. */ result = gss_read(conn, PqGSSRecvBuffer + PqGSSRecvLength, input.length - (PqGSSRecvLength - sizeof(uint32)), &ret); if (result != PGRES_POLLING_OK) return result; PqGSSRecvLength += ret; /* * If we got less than the rest of the packet then we need to return * and be called again. */ if (PqGSSRecvLength - sizeof(uint32) < input.length) return PGRES_POLLING_READING; input.value = PqGSSRecvBuffer + sizeof(uint32); } /* Load the service name (no-op if already done */ ret = pg_GSS_load_servicename(conn); if (ret != STATUS_OK) return PGRES_POLLING_FAILED; /* * Call GSS init context, either with an empty input, or with a complete * packet from the server. */ major = gss_init_sec_context(&minor, conn->gcred, &conn->gctx, conn->gtarg_nam, GSS_C_NO_OID, GSS_REQUIRED_FLAGS, 0, 0, &input, NULL, &output, NULL, NULL); /* GSS Init Sec Context uses the whole packet, so clear it */ PqGSSRecvLength = 0; if (GSS_ERROR(major)) { pg_GSS_error(libpq_gettext("could not initiate GSSAPI security context"), conn, major, minor); return PGRES_POLLING_FAILED; } if (output.length == 0) { /* * We're done - hooray! Set flag to tell the low-level I/O routines * to do GSS wrapping/unwrapping. */ conn->gssenc = true; /* Clean up */ gss_release_cred(&minor, &conn->gcred); conn->gcred = GSS_C_NO_CREDENTIAL; gss_release_buffer(&minor, &output); /* * Determine the max packet size which will fit in our buffer, after * accounting for the length. pg_GSS_write will need this. */ major = gss_wrap_size_limit(&minor, conn->gctx, 1, GSS_C_QOP_DEFAULT, PQ_GSS_SEND_BUFFER_SIZE - sizeof(uint32), &PqGSSMaxPktSize); if (GSS_ERROR(major)) { pg_GSS_error(libpq_gettext("GSSAPI size check error"), conn, major, minor); return PGRES_POLLING_FAILED; } return PGRES_POLLING_OK; } /* Must have output.length > 0 */ if (output.length > PQ_GSS_SEND_BUFFER_SIZE - sizeof(uint32)) { pg_GSS_error(libpq_gettext("GSSAPI context establishment error"), conn, major, minor); gss_release_buffer(&minor, &output); return PGRES_POLLING_FAILED; } /* Queue the token for writing */ netlen = pg_hton32(output.length); memcpy(PqGSSSendBuffer, (char *) &netlen, sizeof(uint32)); PqGSSSendLength += sizeof(uint32); memcpy(PqGSSSendBuffer + PqGSSSendLength, output.value, output.length); PqGSSSendLength += output.length; /* We don't bother with PqGSSSendConsumed here */ /* Release buffer storage allocated by GSSAPI */ gss_release_buffer(&minor, &output); /* Ask to be called again to write data */ return PGRES_POLLING_WRITING; } /* * GSSAPI Information functions. */ /* * Return the GSSAPI Context itself. */ void * PQgetgssctx(PGconn *conn) { if (!conn) return NULL; return conn->gctx; } /* * Return true if GSSAPI encryption is in use. */ int PQgssEncInUse(PGconn *conn) { if (!conn || !conn->gctx) return 0; return conn->gssenc; }