diff options
| -rw-r--r-- | doc/src/sgml/protocol.sgml | 14 | ||||
| -rw-r--r-- | src/interfaces/libpq/fe-connect.c | 13 |
2 files changed, 27 insertions, 0 deletions
diff --git a/doc/src/sgml/protocol.sgml b/doc/src/sgml/protocol.sgml index 3a269640fcd..6a2d4a14fce 100644 --- a/doc/src/sgml/protocol.sgml +++ b/doc/src/sgml/protocol.sgml @@ -1349,6 +1349,20 @@ </para> <para> + When <acronym>SSL</acronym> encryption can be performed, the server + is expected to send only the single <literal>S</literal> byte and then + wait for the frontend to initiate an <acronym>SSL</acronym> handshake. + If additional bytes are available to read at this point, it likely + means that a man-in-the-middle is attempting to perform a + buffer-stuffing attack + (<ulink url="https://www.postgresql.org/support/security/CVE-2021-23222/">CVE-2021-23222</ulink>). + Frontends should be coded either to read exactly one byte from the + socket before turning the socket over to their SSL library, or to + treat it as a protocol violation if they find they have read additional + bytes. + </para> + + <para> An initial SSLRequest can also be used in a connection that is being opened to send a CancelRequest message. </para> diff --git a/src/interfaces/libpq/fe-connect.c b/src/interfaces/libpq/fe-connect.c index 18c09472bed..03b7cd60d39 100644 --- a/src/interfaces/libpq/fe-connect.c +++ b/src/interfaces/libpq/fe-connect.c @@ -2719,6 +2719,19 @@ keep_going: /* We will come back to here until there is pollres = pqsecure_open_client(conn); if (pollres == PGRES_POLLING_OK) { + /* + * At this point we should have no data already buffered. + * If we do, it was received before we performed the SSL + * handshake, so it wasn't encrypted and indeed may have + * been injected by a man-in-the-middle. + */ + if (conn->inCursor != conn->inEnd) + { + appendPQExpBufferStr(&conn->errorMessage, + libpq_gettext("received unencrypted data after SSL response\n")); + goto error_return; + } + /* SSL handshake done, ready to send startup packet */ conn->status = CONNECTION_MADE; return PGRES_POLLING_WRITING; |