Re: [HACKERS] Server ignores contents of SASLInitialResponse

On Thu, Jun 1, 2017 at 4:58 AM, Heikki Linnakangas <hlinnaka@iki.fi> wrote:
> I bisected that; the culprit was commit 61bf96cab0, where I refactored the
> libpq authentication code in preparation for SCRAM. The logic around that
> free() was always a bit wonky, but the refactoring made it outright broken.
> Attached is a patch for that, see commit message for details. (Review of
> that would be welcome.)

That looks fine to me.

> So, after fixing that, back to the original question; don't we have a
> similar "duplicate authentication request" problem with GSS? Yes, turns out
> that we do, even on stable branches:
>
> psql "sslmode=prefer dbname=postgres hostaddr=127.0.0.1 krbsrvname=postgres
> host=localhost user=krbtestuser"
> psql: duplicate GSS authentication request
>
> To fix, I suppose we can do what you did for SASL in your patch, and move
> the cleanup of conn->gctx from closePGconn to pgDropConnection. And I
> presume we need to do the same for the SSPI state too, but I don't have a
> Windows set up to test that at the moment.

SSPI does not complain with sslmode=prefer as each time
pg_SSPI_startup() is called conn->sspictx is enforced to NULL. This
looks wrong to me by the way as pg_SSPI_startup() is invoked only once
per authentication, and it leaks memory this way. That's also
inconsistent with SASL and GSS. At the same time this inconsistency is
not causing actual problems except a leak with SSPI in libpq, so not
doing anything except on HEAD looks fine to me.
-- 
Michael

-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers