Merge pull request #291 from sabracrolleton/master

Flagging potential man-in-the-middle attack

cl-postgres/config.lisp

@@ -29,3 +29,7 @@ functionality, you will have to call LOG-QUERY from your callback function")
 (defvar *retry-connect-delay* 0.5
   "How many seconds to wait before trying to connect again. Borrowed from
 pgloader")
+
+(defparameter *on-evidence-of-man-in-the-middle-attack* :error
+  "If Postmodern sees evidence of an attempted man-in-the-middle attack,
+what should Postmodern do? Acceptable values are :error, :warn or :ignore")

cl-postgres/package.lisp

@@ -78,6 +78,7 @@
            #:parameter-lists-match-oid-types-p
            #:parameter-list-types
            #:param-to-oid
+           #:*on-evidence-of-man-in-the-middle-attack*
            #+(and sbcl unix) #:*unix-socket-dir*))
 
 (defpackage :cl-postgres-error

cl-postgres/protocol.lisp

@@ -213,13 +213,19 @@ a condition."
 
     (unless (eq use-ssl :no)
       (if (eq use-ssl :try)
-              (let ((old-socket socket)
-                    (new-socket (initiate-ssl socket nil nil nil)))
-                (if new-socket (setf socket new-socket)
-                    (setf socket old-socket)))
-              (setf socket (initiate-ssl socket (member use-ssl '(:require :yes :full))
-                                  (member use-ssl '(:yes :full))
-                                  (if (eq use-ssl :full) hostname)))))
+          (let ((old-socket socket)
+                (new-socket (initiate-ssl socket nil nil nil)))
+            (if new-socket (setf socket new-socket)
+                (setf socket old-socket)))
+          (setf socket (initiate-ssl socket (member use-ssl '(:require :yes :full))
+                                     (member use-ssl '(:yes :full))
+                                     (if (eq use-ssl :full) hostname))))
+      (when (listen socket) ; checks for attempted man-in-the-middle attack
+        (ecase *on-evidence-of-man-in-the-middle-attack*
+          (:error (error 'database-error
+                         :message "Postmodern received an unexpectedly large packet in response to the request to use ssl. This may be evidence of an attempt to run a man-in-the-middle type attack. If you want to retry the connect and not throw an error, please set cl-postgres:*on-evidence-of-man-in-the-middle-attack* to :warn or :ignore"))
+          (:warn (warn "Postmodern received an unexpectedly large packet in response to the request to use ssl. This may be evidence of an attempt to run a man-in-the-middle type attack. If you want to some response other than a warning, please set cl-postgres:*on-evidence-of-man-in-the-middle-attack* to :error or :ignore"))
+          (:ignore t))))
     (when (equal application-name "") (setf application-name "postmodern-default"))
     (startup-message socket user database application-name)
     (force-output socket)

doc/cl-postgres.org

@@ -185,6 +185,13 @@ will look for the socket file.
 When using SSL (see open-database), these can be used to provide client key
 and certificate files. They can be either NIL, for no file, or a pathname.
 
+** variable =*on-evidence-of-man-in-the-middle-attack*=
+   :PROPERTIES:
+   :CUSTOM_ID: variable-on-evidence-of-man-in-the-middle-attack
+   :END:
+
+When establishing an SSL connection, Postmodern will check to see if unexpected extra data was received prior to the connection being encrypted. Unexpected extra data may indicate an attempted man-in-the-middle attack. By default, this variable is set to :error. You can set the response to be a simple warning (by setting this to :warn) or you can set this to :ignore.
+
 ** variable =*retry-connect-times*= (5)
    :PROPERTIES:
    :CUSTOM_ID: variable-retry-connect-times