Reject extraneous data after SSL or GSS encryption handshake.

The server collects up to a bufferload of data whenever it reads data
from the client socket.  When SSL or GSS encryption is requested
during startup, any additional data received with the initial
request message remained in the buffer, and would be treated as
already-decrypted data once the encryption handshake completed.
Thus, a man-in-the-middle with the ability to inject data into the
TCP connection could stuff some cleartext data into the start of
a supposedly encryption-protected database session.

This could be abused to send faked SQL commands to the server,
although that would only work if the server did not demand any
authentication data.  (However, a server relying on SSL certificate
authentication might well not do so.)

To fix, throw a protocol-violation error if the internal buffer
is not empty after the encryption handshake.

Our thanks to Jacob Champion for reporting this problem.

Security: CVE-2021-23214

diff --git a/src/backend/libpq/pqcomm.c b/src/backend/libpq/pqcomm.c
index a4f6d4deeb40ca7424e6ff1ac2e013bc7997e100..95903d60f8e8bad77d69272b676259c9a66865af 100644 (file)
--- a/src/backend/libpq/pqcomm.c
+++ b/src/backend/libpq/pqcomm.c
@@ -1199,6 +1199,18 @@ pq_getstring(StringInfo s)
        }
 }
 
+/* --------------------------------
+ *             pq_buffer_has_data              - is any buffered data available to read?
+ *
+ * This will *not* attempt to read more data.
+ * --------------------------------
+ */
+bool
+pq_buffer_has_data(void)
+{
+       return (PqRecvPointer < PqRecvLength);
+}
+
 
 /* --------------------------------
  *             pq_startmsgread - begin reading a message from the client.

diff --git a/src/backend/postmaster/postmaster.c b/src/backend/postmaster/postmaster.c
index 11c61ca746f564f8c5343a4d6a40cfa758086ea0..b9098930744508651562679db2ee24e9001f35f8 100644 (file)
--- a/src/backend/postmaster/postmaster.c
+++ b/src/backend/postmaster/postmaster.c
@@ -2012,6 +2012,19 @@ retry1:
                if (SSLok == 'S' && secure_open_server(port) == -1)
                        return STATUS_ERROR;
 #endif
+
+               /*
+                * At this point we should have no data already buffered.  If we do,
+                * it was received before we performed the SSL handshake, so it wasn't
+                * encrypted and indeed may have been injected by a man-in-the-middle.
+                * We report this case to the client.
+                */
+               if (pq_buffer_has_data())
+                       ereport(FATAL,
+                                       (errcode(ERRCODE_PROTOCOL_VIOLATION),
+                                        errmsg("received unencrypted data after SSL request"),
+                                        errdetail("This could be either a client-software bug or evidence of an attempted man-in-the-middle attack.")));
+
                /* regular startup packet, cancel, etc packet should follow... */
                /* but not another SSL negotiation request */
                return ProcessStartupPacket(port, true);

diff --git a/src/include/libpq/libpq.h b/src/include/libpq/libpq.h
index 7bf06c65e96ff03abcb37652675793795e29107f..23e9905b1e0b515fa050daed5092495151c5ae10 100644 (file)
--- a/src/include/libpq/libpq.h
+++ b/src/include/libpq/libpq.h
@@ -70,6 +70,7 @@ extern int    pq_getmessage(StringInfo s, int maxlen);
 extern int     pq_getbyte(void);
 extern int     pq_peekbyte(void);
 extern int     pq_getbyte_if_available(unsigned char *c);
+extern bool pq_buffer_has_data(void);
 extern int     pq_putbytes(const char *s, size_t len);
 
 /*