When using GSSAPI encryption in non-blocking mode, libpq sometimes failed with "GSSAPI caller failed to retransmit all data needing to be retried". The cause is that pqPutMsgEnd rounds its transmit request down to an even multiple of 8K, and sometimes that can lead to not requesting a write of data that was requested to be written (but reported as not written) earlier. That can upset pg_GSS_write's logic for dealing with not-yet-written data, since it's possible the data in question had already been incorporated into an encrypted packet that we weren't able to send during the previous call. We could fix this with a one-or-two-line hack to disable pqPutMsgEnd's round-down behavior, but that seems like making the caller work around a behavior that pg_GSS_write shouldn't expose in this way. Instead, adjust pg_GSS_write to never report a partial write: it either reports a complete write, or reflects the failure of the lower-level pqsecure_raw_write call. The requirement still exists for the caller to present at least as much data as on the previous call, but with the caller-visible write start point not moving there is no temptation for it to present less. We lose some ability to reclaim buffer space early, but I doubt that that will make much difference in practice. This also gets rid of a rather dubious assumption that "any interesting failure condition (from pqsecure_raw_write) will recur on the next try". We've not seen failure reports traceable to that, but I've never trusted it particularly and am glad to remove it. Make the same adjustments to the equivalent backend routine be_gssapi_write(). It is probable that there's no bug on the backend side, since we don't have a notion of nonblock mode there; but we should keep the logic the same to ease future maintenance. Per bug #18210 from Lars Kanis. Back-patch to all supported branches. Discussion: https://postgr.es/m/18210-4c6d0b14627f2eb8@postgresql.org |
||
---|---|---|
.. | ||
Makefile | ||
README.SSL | ||
auth-sasl.c | ||
auth-scram.c | ||
auth.c | ||
be-fsstubs.c | ||
be-gssapi-common.c | ||
be-secure-common.c | ||
be-secure-gssapi.c | ||
be-secure-openssl.c | ||
be-secure.c | ||
crypt.c | ||
hba.c | ||
ifaddr.c | ||
meson.build | ||
pg_hba.conf.sample | ||
pg_ident.conf.sample | ||
pqcomm.c | ||
pqformat.c | ||
pqmq.c | ||
pqsignal.c |
README.SSL
src/backend/libpq/README.SSL SSL === >From the servers perspective: Receives StartupPacket | | (Is SSL_NEGOTIATE_CODE?) ----------- Normal startup | No | | Yes | | (Server compiled with USE_SSL?) ------- Send 'N' | No | | | | Yes Normal startup | | Send 'S' | | Establish SSL | | Normal startup >From the clients perspective (v6.6 client _with_ SSL): Connect | | Send packet with SSL_NEGOTIATE_CODE | | Receive single char ------- 'S' -------- Establish SSL | | | '<else>' | | Normal startup | | Is it 'E' for error ------------------- Retry connection | Yes without SSL | No | Is it 'N' for normal ------------------- Normal startup | Yes | Fail with unknown --------------------------------------------------------------------------- Ephemeral DH ============ Since the server static private key ($DataDir/server.key) will normally be stored unencrypted so that the database backend can restart automatically, it is important that we select an algorithm that continues to provide confidentiality even if the attacker has the server's private key. Ephemeral DH (EDH) keys provide this and more (Perfect Forward Secrecy aka PFS). N.B., the static private key should still be protected to the largest extent possible, to minimize the risk of impersonations. Another benefit of EDH is that it allows the backend and clients to use DSA keys. DSA keys can only provide digital signatures, not encryption, and are often acceptable in jurisdictions where RSA keys are unacceptable. The downside to EDH is that it makes it impossible to use ssldump(1) if there's a problem establishing an SSL session. In this case you'll need to temporarily disable EDH (see initialize_dh()).