Reject extraneous data after SSL or GSS encryption handshake.

The server collects up to a bufferload of data whenever it reads data
from the client socket.  When SSL or GSS encryption is requested
during startup, any additional data received with the initial
request message remained in the buffer, and would be treated as
already-decrypted data once the encryption handshake completed.
Thus, a man-in-the-middle with the ability to inject data into the
TCP connection could stuff some cleartext data into the start of
a supposedly encryption-protected database session.

This could be abused to send faked SQL commands to the server,
although that would only work if the server did not demand any
authentication data.  (However, a server relying on SSL certificate
authentication might well not do so.)

To fix, throw a protocol-violation error if the internal buffer
is not empty after the encryption handshake.

Our thanks to Jacob Champion for reporting this problem.

Security: CVE-2021-23214

diff --git a/src/backend/libpq/pqcomm.c b/src/backend/libpq/pqcomm.c
index 0015fb754e819a5dd45ca106526454bbff7cb6e3..d7f425de88c0bde2b8b10dad9c165d3e6aea176c 100644 (file)
--- a/src/backend/libpq/pqcomm.c
+++ b/src/backend/libpq/pqcomm.c
@@ -1197,6 +1197,18 @@ pq_getstring(StringInfo s)
        }
 }
 
+/* --------------------------------
+ *             pq_buffer_has_data              - is any buffered data available to read?
+ *
+ * This will *not* attempt to read more data.
+ * --------------------------------
+ */
+bool
+pq_buffer_has_data(void)
+{
+       return (PqRecvPointer < PqRecvLength);
+}
+
 
 /* --------------------------------
  *             pq_startmsgread - begin reading a message from the client.

diff --git a/src/backend/postmaster/postmaster.c b/src/backend/postmaster/postmaster.c
index 643ddfbcaef79fdc7cabf98b57d7e8c5f72cc52c..2b26766f021cffcfb7bf98334c70e2d5a47650ce 100644 (file)
--- a/src/backend/postmaster/postmaster.c
+++ b/src/backend/postmaster/postmaster.c
@@ -2034,6 +2034,19 @@ retry1:
                if (SSLok == 'S' && secure_open_server(port) == -1)
                        return STATUS_ERROR;
 #endif
+
+               /*
+                * At this point we should have no data already buffered.  If we do,
+                * it was received before we performed the SSL handshake, so it wasn't
+                * encrypted and indeed may have been injected by a man-in-the-middle.
+                * We report this case to the client.
+                */
+               if (pq_buffer_has_data())
+                       ereport(FATAL,
+                                       (errcode(ERRCODE_PROTOCOL_VIOLATION),
+                                        errmsg("received unencrypted data after SSL request"),
+                                        errdetail("This could be either a client-software bug or evidence of an attempted man-in-the-middle attack.")));
+
                /*
                 * regular startup packet, cancel, etc packet should follow, but not
                 * another SSL negotiation request, and a GSS request should only
@@ -2065,6 +2078,19 @@ retry1:
                if (GSSok == 'G' && secure_open_gssapi(port) == -1)
                        return STATUS_ERROR;
 #endif
+
+               /*
+                * At this point we should have no data already buffered.  If we do,
+                * it was received before we performed the GSS handshake, so it wasn't
+                * encrypted and indeed may have been injected by a man-in-the-middle.
+                * We report this case to the client.
+                */
+               if (pq_buffer_has_data())
+                       ereport(FATAL,
+                                       (errcode(ERRCODE_PROTOCOL_VIOLATION),
+                                        errmsg("received unencrypted data after GSSAPI encryption request"),
+                                        errdetail("This could be either a client-software bug or evidence of an attempted man-in-the-middle attack.")));
+
                /*
                 * regular startup packet, cancel, etc packet should follow, but not
                 * another GSS negotiation request, and an SSL request should only

diff --git a/src/include/libpq/libpq.h b/src/include/libpq/libpq.h
index 08a257616dcc4221450b302b40c1cd3d7896c667..4ebebe16fd62fa8b052b602c507a525c97974408 100644 (file)
--- a/src/include/libpq/libpq.h
+++ b/src/include/libpq/libpq.h
@@ -72,6 +72,7 @@ extern int    pq_getmessage(StringInfo s, int maxlen);
 extern int     pq_getbyte(void);
 extern int     pq_peekbyte(void);
 extern int     pq_getbyte_if_available(unsigned char *c);
+extern bool pq_buffer_has_data(void);
 extern int     pq_putbytes(const char *s, size_t len);
 
 /*