Skip to content

Commit

Permalink
fix(electric): Handle GSSAPI session encryption request (#630)
Browse files Browse the repository at this point in the history
  • Loading branch information
magnetised authored Nov 6, 2023
1 parent fe39c00 commit 1aa98bf
Show file tree
Hide file tree
Showing 2 changed files with 26 additions and 0 deletions.
5 changes: 5 additions & 0 deletions .changeset/pink-balloons-fly.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
---
"@core/electric": patch
---

[VAX-1321] Proxy crashes when GSSAPI session encryption is requested
21 changes: 21 additions & 0 deletions components/electric/lib/electric/postgres/proxy/handler.ex
Original file line number Diff line number Diff line change
Expand Up @@ -134,11 +134,32 @@ defmodule Electric.Postgres.Proxy.Handler do
{:continue, state}
end

# > To initiate an SSL-encrypted connection, the frontend initially sends an SSLRequest message
# > rather than a StartupMessage. The server then responds with a single byte containing S or N,
# > indicating that it is willing or unwilling to perform SSL, respectively.
defp handle_messages([%M.SSLRequest{} | msgs], socket, state) do
downstream("N", socket, state)
handle_messages(msgs, socket, state)
end

# > To initiate a GSSAPI-encrypted connection, the frontend initially sends a GSSENCRequest
# > message rather than a StartupMessage. The server then responds with a single byte containing G
# > or N, indicating that it is willing or unwilling to perform GSSAPI encryption, respectively
defp handle_messages([%M.GSSENCRequest{} | msgs], socket, state) do
downstream("N", socket, state)
handle_messages(msgs, socket, state)
end

# https://www.postgresql.org/docs/current/protocol-flow.html#PROTOCOL-FLOW-CANCELING-REQUESTS
# > To issue a cancel request, the frontend opens a new connection to the server and sends a
# > CancelRequest message, rather than the StartupMessage message that would ordinarily be sent
# > across a new connection. The server will process this request and then close the connection.
# > For security reasons, no direct reply is made to the cancel request message.
defp handle_messages([%M.CancelRequest{} | _msgs], _socket, state) do
Logger.warning("Recieved unhandled CancelRequest message from client")
{:close, state}
end

defp handle_messages([%M.StartupMessage{} = msg | msgs], socket, state) do
case msg.params do
%{"user" => username, "database" => database, "password" => password} ->
Expand Down

0 comments on commit 1aa98bf

Please sign in to comment.