Improve error handling of HMAC computations

This is similar to b69aba7, except that this completes the work for
HMAC with a new routine called pg_hmac_error() that would provide more
context about the type of error that happened during a HMAC computation:
- The fallback HMAC implementation in hmac.c relies on cryptohashes, so
in some code paths it is necessary to return back the error generated by
cryptohashes.
- For the OpenSSL implementation (hmac_openssl.c), the logic is very
similar to cryptohash_openssl.c, where the error context comes from
OpenSSL if one of its internal routines failed, with different error
codes if something internal to hmac_openssl.c failed or was incorrect.

Any in-core code paths that use the centralized HMAC interface are
related to SCRAM, for errors that are unlikely going to happen, with
only SHA-256.  It would be possible to see errors when computing some
HMACs with MD5 for example and OpenSSL FIPS enabled, and this commit
would help in reporting the correct errors but nothing in core uses
that.  So, at the end, no backpatch to v14 is done, at least for now.

Errors in SCRAM related to the computation of the server key, stored
key, etc. need to pass down the potential error context string across
more layers of their respective call stacks for the frontend and the
backend, so each surrounding routine is adapted for this purpose.

Reviewed-by: Sergey Shinderuk
Discussion: https://postgr.es/m/[email protected]

Author: michaelpq

src/backend/libpq/auth-scram.c

@@ -465,6 +465,7 @@ pg_be_scram_build_secret(const char *password)
 	pg_saslprep_rc rc;
 	char		saltbuf[SCRAM_DEFAULT_SALT_LEN];
 	char	   *result;
+	const char *errstr = NULL;
 
 	/*
 	 * Normalize the password with SASLprep.  If that doesn't work, because
@@ -482,7 +483,8 @@ pg_be_scram_build_secret(const char *password)
 				 errmsg("could not generate random salt")));
 
 	result = scram_build_secret(saltbuf, SCRAM_DEFAULT_SALT_LEN,
-								SCRAM_DEFAULT_ITERATIONS, password);
+								SCRAM_DEFAULT_ITERATIONS, password,
+								&errstr);
 
 	if (prep_password)
 		pfree(prep_password);
@@ -509,6 +511,7 @@ scram_verify_plain_password(const char *username, const char *password,
 	uint8		computed_key[SCRAM_KEY_LEN];
 	char	   *prep_password;
 	pg_saslprep_rc rc;
+	const char *errstr = NULL;
 
 	if (!parse_scram_secret(secret, &iterations, &encoded_salt,
 							stored_key, server_key))
@@ -539,10 +542,10 @@ scram_verify_plain_password(const char *username, const char *password,
 
 	/* Compute Server Key based on the user-supplied plaintext password */
 	if (scram_SaltedPassword(password, salt, saltlen, iterations,
-							 salted_password) < 0 ||
-		scram_ServerKey(salted_password, computed_key) < 0)
+							 salted_password, &errstr) < 0 ||
+		scram_ServerKey(salted_password, computed_key, &errstr) < 0)
 	{
-		elog(ERROR, "could not compute server key");
+		elog(ERROR, "could not compute server key: %s", errstr);
 	}
 
 	if (prep_password)
@@ -1113,6 +1116,7 @@ verify_client_proof(scram_state *state)
 	uint8		client_StoredKey[SCRAM_KEY_LEN];
 	pg_hmac_ctx *ctx = pg_hmac_create(PG_SHA256);
 	int			i;
+	const char *errstr = NULL;
 
 	/*
 	 * Calculate ClientSignature.  Note that we don't log directly a failure
@@ -1133,7 +1137,8 @@ verify_client_proof(scram_state *state)
 					   strlen(state->client_final_message_without_proof)) < 0 ||
 		pg_hmac_final(ctx, ClientSignature, sizeof(ClientSignature)) < 0)
 	{
-		elog(ERROR, "could not calculate client signature");
+		elog(ERROR, "could not calculate client signature: %s",
+			 pg_hmac_error(ctx));
 	}
 
 	pg_hmac_free(ctx);
@@ -1143,8 +1148,8 @@ verify_client_proof(scram_state *state)
 		ClientKey[i] = state->ClientProof[i] ^ ClientSignature[i];
 
 	/* Hash it one more time, and compare with StoredKey */
-	if (scram_H(ClientKey, SCRAM_KEY_LEN, client_StoredKey) < 0)
-		elog(ERROR, "could not hash stored key");
+	if (scram_H(ClientKey, SCRAM_KEY_LEN, client_StoredKey, &errstr) < 0)
+		elog(ERROR, "could not hash stored key: %s", errstr);
 
 	if (memcmp(client_StoredKey, state->StoredKey, SCRAM_KEY_LEN) != 0)
 		return false;
@@ -1389,7 +1394,8 @@ build_server_final_message(scram_state *state)
 					   strlen(state->client_final_message_without_proof)) < 0 ||
 		pg_hmac_final(ctx, ServerSignature, sizeof(ServerSignature)) < 0)
 	{
-		elog(ERROR, "could not calculate server signature");
+		elog(ERROR, "could not calculate server signature: %s",
+			 pg_hmac_error(ctx));
 	}
 
 	pg_hmac_free(ctx);

src/common/hmac.c

@@ -38,11 +38,21 @@
 #define FREE(ptr) free(ptr)
 #endif
 
+/* Set of error states */
+typedef enum pg_hmac_errno
+{
+	PG_HMAC_ERROR_NONE = 0,
+	PG_HMAC_ERROR_OOM,
+	PG_HMAC_ERROR_INTERNAL
+} pg_hmac_errno;
+
 /* Internal pg_hmac_ctx structure */
 struct pg_hmac_ctx
 {
 	pg_cryptohash_ctx *hash;
 	pg_cryptohash_type type;
+	pg_hmac_errno error;
+	const char *errreason;
 	int			block_size;
 	int			digest_size;
 
@@ -73,6 +83,8 @@ pg_hmac_create(pg_cryptohash_type type)
 		return NULL;
 	memset(ctx, 0, sizeof(pg_hmac_ctx));
 	ctx->type = type;
+	ctx->error = PG_HMAC_ERROR_NONE;
+	ctx->errreason = NULL;
 
 	/*
 	 * Initialize the context data.  This requires to know the digest and
@@ -150,12 +162,16 @@ pg_hmac_init(pg_hmac_ctx *ctx, const uint8 *key, size_t len)
 		/* temporary buffer for one-time shrink */
 		shrinkbuf = ALLOC(digest_size);
 		if (shrinkbuf == NULL)
+		{
+			ctx->error = PG_HMAC_ERROR_OOM;
 			return -1;
+		}
 		memset(shrinkbuf, 0, digest_size);
 
 		hash_ctx = pg_cryptohash_create(ctx->type);
 		if (hash_ctx == NULL)
 		{
+			ctx->error = PG_HMAC_ERROR_OOM;
 			FREE(shrinkbuf);
 			return -1;
 		}
@@ -164,6 +180,8 @@ pg_hmac_init(pg_hmac_ctx *ctx, const uint8 *key, size_t len)
 			pg_cryptohash_update(hash_ctx, key, len) < 0 ||
 			pg_cryptohash_final(hash_ctx, shrinkbuf, digest_size) < 0)
 		{
+			ctx->error = PG_HMAC_ERROR_INTERNAL;
+			ctx->errreason = pg_cryptohash_error(hash_ctx);
 			pg_cryptohash_free(hash_ctx);
 			FREE(shrinkbuf);
 			return -1;
@@ -184,6 +202,8 @@ pg_hmac_init(pg_hmac_ctx *ctx, const uint8 *key, size_t len)
 	if (pg_cryptohash_init(ctx->hash) < 0 ||
 		pg_cryptohash_update(ctx->hash, ctx->k_ipad, ctx->block_size) < 0)
 	{
+		ctx->error = PG_HMAC_ERROR_INTERNAL;
+		ctx->errreason = pg_cryptohash_error(ctx->hash);
 		if (shrinkbuf)
 			FREE(shrinkbuf);
 		return -1;
@@ -206,7 +226,11 @@ pg_hmac_update(pg_hmac_ctx *ctx, const uint8 *data, size_t len)
 		return -1;
 
 	if (pg_cryptohash_update(ctx->hash, data, len) < 0)
+	{
+		ctx->error = PG_HMAC_ERROR_INTERNAL;
+		ctx->errreason = pg_cryptohash_error(ctx->hash);
 		return -1;
+	}
 
 	return 0;
 }
@@ -226,11 +250,16 @@ pg_hmac_final(pg_hmac_ctx *ctx, uint8 *dest, size_t len)
 
 	h = ALLOC(ctx->digest_size);
 	if (h == NULL)
+	{
+		ctx->error = PG_HMAC_ERROR_OOM;
 		return -1;
+	}
 	memset(h, 0, ctx->digest_size);
 
 	if (pg_cryptohash_final(ctx->hash, h, ctx->digest_size) < 0)
 	{
+		ctx->error = PG_HMAC_ERROR_INTERNAL;
+		ctx->errreason = pg_cryptohash_error(ctx->hash);
 		FREE(h);
 		return -1;
 	}
@@ -241,6 +270,8 @@ pg_hmac_final(pg_hmac_ctx *ctx, uint8 *dest, size_t len)
 		pg_cryptohash_update(ctx->hash, h, ctx->digest_size) < 0 ||
 		pg_cryptohash_final(ctx->hash, dest, len) < 0)
 	{
+		ctx->error = PG_HMAC_ERROR_INTERNAL;
+		ctx->errreason = pg_cryptohash_error(ctx->hash);
 		FREE(h);
 		return -1;
 	}
@@ -264,3 +295,36 @@ pg_hmac_free(pg_hmac_ctx *ctx)
 	explicit_bzero(ctx, sizeof(pg_hmac_ctx));
 	FREE(ctx);
 }
+
+/*
+ * pg_hmac_error
+ *
+ * Returns a static string providing details about an error that happened
+ * during a HMAC computation.
+ */
+const char *
+pg_hmac_error(pg_hmac_ctx *ctx)
+{
+	if (ctx == NULL)
+		return _("out of memory");
+
+	/*
+	 * If a reason is provided, rely on it, else fallback to any error code
+	 * set.
+	 */
+	if (ctx->errreason)
+		return ctx->errreason;
+
+	switch (ctx->error)
+	{
+		case PG_HMAC_ERROR_NONE:
+			return _("success");
+		case PG_HMAC_ERROR_INTERNAL:
+			return _("internal error");
+		case PG_HMAC_ERROR_OOM:
+			return _("out of memory");
+	}
+
+	Assert(false);				/* cannot be reached */
+	return _("success");
+}

src/common/hmac_openssl.c

@@ -20,6 +20,8 @@
 #include "postgres_fe.h"
 #endif
 
+
+#include <openssl/err.h>
 #include <openssl/hmac.h>
 
 #include "common/hmac.h"
@@ -50,17 +52,40 @@
 #define FREE(ptr) free(ptr)
 #endif							/* FRONTEND */
 
+/* Set of error states */
+typedef enum pg_hmac_errno
+{
+	PG_HMAC_ERROR_NONE = 0,
+	PG_HMAC_ERROR_DEST_LEN,
+	PG_HMAC_ERROR_OPENSSL
+} pg_hmac_errno;
+
 /* Internal pg_hmac_ctx structure */
 struct pg_hmac_ctx
 {
 	HMAC_CTX   *hmacctx;
 	pg_cryptohash_type type;
+	pg_hmac_errno error;
+	const char *errreason;
 
 #ifndef FRONTEND
 	ResourceOwner resowner;
 #endif
 };
 
+static const char *
+SSLerrmessage(unsigned long ecode)
+{
+	if (ecode == 0)
+		return NULL;
+
+	/*
+	 * This may return NULL, but we would fall back to a default error path if
+	 * that were the case.
+	 */
+	return ERR_reason_error_string(ecode);
+}
+
 /*
  * pg_hmac_create
  *
@@ -78,6 +103,8 @@ pg_hmac_create(pg_cryptohash_type type)
 	memset(ctx, 0, sizeof(pg_hmac_ctx));
 
 	ctx->type = type;
+	ctx->error = PG_HMAC_ERROR_NONE;
+	ctx->errreason = NULL;
 
 	/*
 	 * Initialization takes care of assigning the correct type for OpenSSL.
@@ -152,7 +179,11 @@ pg_hmac_init(pg_hmac_ctx *ctx, const uint8 *key, size_t len)
 
 	/* OpenSSL internals return 1 on success, 0 on failure */
 	if (status <= 0)
+	{
+		ctx->errreason = SSLerrmessage(ERR_get_error());
+		ctx->error = PG_HMAC_ERROR_OPENSSL;
 		return -1;
+	}
 
 	return 0;
 }
@@ -174,7 +205,11 @@ pg_hmac_update(pg_hmac_ctx *ctx, const uint8 *data, size_t len)
 
 	/* OpenSSL internals return 1 on success, 0 on failure */
 	if (status <= 0)
+	{
+		ctx->errreason = SSLerrmessage(ERR_get_error());
+		ctx->error = PG_HMAC_ERROR_OPENSSL;
 		return -1;
+	}
 	return 0;
 }
 
@@ -196,35 +231,57 @@ pg_hmac_final(pg_hmac_ctx *ctx, uint8 *dest, size_t len)
 	{
 		case PG_MD5:
 			if (len < MD5_DIGEST_LENGTH)
+			{
+				ctx->error = PG_HMAC_ERROR_DEST_LEN;
 				return -1;
+			}
 			break;
 		case PG_SHA1:
 			if (len < SHA1_DIGEST_LENGTH)
+			{
+				ctx->error = PG_HMAC_ERROR_DEST_LEN;
 				return -1;
+			}
 			break;
 		case PG_SHA224:
 			if (len < PG_SHA224_DIGEST_LENGTH)
+			{
+				ctx->error = PG_HMAC_ERROR_DEST_LEN;
 				return -1;
+			}
 			break;
 		case PG_SHA256:
 			if (len < PG_SHA256_DIGEST_LENGTH)
+			{
+				ctx->error = PG_HMAC_ERROR_DEST_LEN;
 				return -1;
+			}
 			break;
 		case PG_SHA384:
 			if (len < PG_SHA384_DIGEST_LENGTH)
+			{
+				ctx->error = PG_HMAC_ERROR_DEST_LEN;
 				return -1;
+			}
 			break;
 		case PG_SHA512:
 			if (len < PG_SHA512_DIGEST_LENGTH)
+			{
+				ctx->error = PG_HMAC_ERROR_DEST_LEN;
 				return -1;
+			}
 			break;
 	}
 
 	status = HMAC_Final(ctx->hmacctx, dest, &outlen);
 
 	/* OpenSSL internals return 1 on success, 0 on failure */
 	if (status <= 0)
+	{
+		ctx->errreason = SSLerrmessage(ERR_get_error());
+		ctx->error = PG_HMAC_ERROR_OPENSSL;
 		return -1;
+	}
 	return 0;
 }
 
@@ -252,3 +309,36 @@ pg_hmac_free(pg_hmac_ctx *ctx)
 	explicit_bzero(ctx, sizeof(pg_hmac_ctx));
 	FREE(ctx);
 }
+
+/*
+ * pg_hmac_error
+ *
+ * Returns a static string providing details about an error that happened
+ * during a HMAC computation.
+ */
+const char *
+pg_hmac_error(pg_hmac_ctx *ctx)
+{
+	if (ctx == NULL)
+		return _("out of memory");
+
+	/*
+	 * If a reason is provided, rely on it, else fallback to any error code
+	 * set.
+	 */
+	if (ctx->errreason)
+		return ctx->errreason;
+
+	switch (ctx->error)
+	{
+		case PG_HMAC_ERROR_NONE:
+			return _("success");
+		case PG_HMAC_ERROR_DEST_LEN:
+			return _("destination buffer too small");
+		case PG_HMAC_ERROR_OPENSSL:
+			return _("OpenSSL failure");
+	}
+
+	Assert(false);				/* cannot be reached */
+	return _("success");
+}