Since GSSAPI and SSPI authentication don't work in protocol version 2,
issue a helpful error message instead of sending unparsable garbage. (It is clearly a design error that this doesn't work, but fixing it is not worth the trouble at this point.) Per discussion.
parent
9b43c245e3
commit
81e770857d
|
@ -8,7 +8,7 @@
|
||||||
*
|
*
|
||||||
*
|
*
|
||||||
* IDENTIFICATION
|
* IDENTIFICATION
|
||||||
* $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.163 2008/01/30 04:11:19 tgl Exp $
|
* $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.164 2008/02/08 17:58:46 tgl Exp $
|
||||||
*
|
*
|
||||||
*-------------------------------------------------------------------------
|
*-------------------------------------------------------------------------
|
||||||
*/
|
*/
|
||||||
|
@ -307,12 +307,13 @@ pg_krb5_recvauth(Port *port)
|
||||||
}
|
}
|
||||||
#endif /* KRB5 */
|
#endif /* KRB5 */
|
||||||
|
|
||||||
#ifdef ENABLE_GSS
|
|
||||||
/*----------------------------------------------------------------
|
/*----------------------------------------------------------------
|
||||||
* GSSAPI authentication system
|
* GSSAPI authentication system
|
||||||
*----------------------------------------------------------------
|
*----------------------------------------------------------------
|
||||||
*/
|
*/
|
||||||
|
|
||||||
|
#ifdef ENABLE_GSS
|
||||||
|
|
||||||
#if defined(HAVE_GSSAPI_H)
|
#if defined(HAVE_GSSAPI_H)
|
||||||
#include <gssapi.h>
|
#include <gssapi.h>
|
||||||
#else
|
#else
|
||||||
|
@ -389,6 +390,19 @@ pg_GSS_recvauth(Port *port)
|
||||||
StringInfoData buf;
|
StringInfoData buf;
|
||||||
gss_buffer_desc gbuf;
|
gss_buffer_desc gbuf;
|
||||||
|
|
||||||
|
/*
|
||||||
|
* GSS auth is not supported for protocol versions before 3, because it
|
||||||
|
* relies on the overall message length word to determine the GSS payload
|
||||||
|
* size in AuthenticationGSSContinue and PasswordMessage messages.
|
||||||
|
* (This is, in fact, a design error in our GSS support, because protocol
|
||||||
|
* messages are supposed to be parsable without relying on the length
|
||||||
|
* word; but it's not worth changing it now.)
|
||||||
|
*/
|
||||||
|
if (PG_PROTOCOL_MAJOR(FrontendProtocol) < 3)
|
||||||
|
ereport(FATAL,
|
||||||
|
(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
|
||||||
|
errmsg("GSSAPI is not supported in protocol version 2")));
|
||||||
|
|
||||||
if (pg_krb_server_keyfile && strlen(pg_krb_server_keyfile) > 0)
|
if (pg_krb_server_keyfile && strlen(pg_krb_server_keyfile) > 0)
|
||||||
{
|
{
|
||||||
/*
|
/*
|
||||||
|
@ -594,7 +608,9 @@ pg_GSS_recvauth(Port *port)
|
||||||
|
|
||||||
return STATUS_OK;
|
return STATUS_OK;
|
||||||
}
|
}
|
||||||
|
|
||||||
#else /* no ENABLE_GSS */
|
#else /* no ENABLE_GSS */
|
||||||
|
|
||||||
static int
|
static int
|
||||||
pg_GSS_recvauth(Port *port)
|
pg_GSS_recvauth(Port *port)
|
||||||
{
|
{
|
||||||
|
@ -603,9 +619,20 @@ pg_GSS_recvauth(Port *port)
|
||||||
errmsg("GSSAPI not implemented on this server")));
|
errmsg("GSSAPI not implemented on this server")));
|
||||||
return STATUS_ERROR;
|
return STATUS_ERROR;
|
||||||
}
|
}
|
||||||
|
|
||||||
#endif /* ENABLE_GSS */
|
#endif /* ENABLE_GSS */
|
||||||
|
|
||||||
|
/*----------------------------------------------------------------
|
||||||
|
* SSPI authentication system
|
||||||
|
*----------------------------------------------------------------
|
||||||
|
*/
|
||||||
|
|
||||||
#ifdef ENABLE_SSPI
|
#ifdef ENABLE_SSPI
|
||||||
|
|
||||||
|
typedef SECURITY_STATUS
|
||||||
|
(WINAPI * QUERY_SECURITY_CONTEXT_TOKEN_FN) (
|
||||||
|
PCtxtHandle, void **);
|
||||||
|
|
||||||
static void
|
static void
|
||||||
pg_SSPI_error(int severity, char *errmsg, SECURITY_STATUS r)
|
pg_SSPI_error(int severity, char *errmsg, SECURITY_STATUS r)
|
||||||
{
|
{
|
||||||
|
@ -621,10 +648,6 @@ pg_SSPI_error(int severity, char *errmsg, SECURITY_STATUS r)
|
||||||
errdetail("%s (%x)", sysmsg, (unsigned int) r)));
|
errdetail("%s (%x)", sysmsg, (unsigned int) r)));
|
||||||
}
|
}
|
||||||
|
|
||||||
typedef SECURITY_STATUS
|
|
||||||
(WINAPI * QUERY_SECURITY_CONTEXT_TOKEN_FN) (
|
|
||||||
PCtxtHandle, void **);
|
|
||||||
|
|
||||||
static int
|
static int
|
||||||
pg_SSPI_recvauth(Port *port)
|
pg_SSPI_recvauth(Port *port)
|
||||||
{
|
{
|
||||||
|
@ -651,6 +674,18 @@ pg_SSPI_recvauth(Port *port)
|
||||||
HMODULE secur32;
|
HMODULE secur32;
|
||||||
QUERY_SECURITY_CONTEXT_TOKEN_FN _QuerySecurityContextToken;
|
QUERY_SECURITY_CONTEXT_TOKEN_FN _QuerySecurityContextToken;
|
||||||
|
|
||||||
|
/*
|
||||||
|
* SSPI auth is not supported for protocol versions before 3, because it
|
||||||
|
* relies on the overall message length word to determine the SSPI payload
|
||||||
|
* size in AuthenticationGSSContinue and PasswordMessage messages.
|
||||||
|
* (This is, in fact, a design error in our SSPI support, because protocol
|
||||||
|
* messages are supposed to be parsable without relying on the length
|
||||||
|
* word; but it's not worth changing it now.)
|
||||||
|
*/
|
||||||
|
if (PG_PROTOCOL_MAJOR(FrontendProtocol) < 3)
|
||||||
|
ereport(FATAL,
|
||||||
|
(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
|
||||||
|
errmsg("SSPI is not supported in protocol version 2")));
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Acquire a handle to the server credentials.
|
* Acquire a handle to the server credentials.
|
||||||
|
@ -878,7 +913,9 @@ pg_SSPI_recvauth(Port *port)
|
||||||
|
|
||||||
return STATUS_OK;
|
return STATUS_OK;
|
||||||
}
|
}
|
||||||
|
|
||||||
#else /* no ENABLE_SSPI */
|
#else /* no ENABLE_SSPI */
|
||||||
|
|
||||||
static int
|
static int
|
||||||
pg_SSPI_recvauth(Port *port)
|
pg_SSPI_recvauth(Port *port)
|
||||||
{
|
{
|
||||||
|
@ -887,6 +924,7 @@ pg_SSPI_recvauth(Port *port)
|
||||||
errmsg("SSPI not implemented on this server")));
|
errmsg("SSPI not implemented on this server")));
|
||||||
return STATUS_ERROR;
|
return STATUS_ERROR;
|
||||||
}
|
}
|
||||||
|
|
||||||
#endif /* ENABLE_SSPI */
|
#endif /* ENABLE_SSPI */
|
||||||
|
|
||||||
|
|
||||||
|
|
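Review bot: The new guard at the top of pg_GSS_recvauth tests `PG_PROTOCOL_MAJOR(FrontendProtocol) < 3`, but its message names only one version: `errmsg("GSSAPI is not supported in protocol version 2")`. Any client that negotiated a major version below 2 would take the same branch and produce a server log line that does not match what it actually sent, which makes failed-login triage harder. Wording tied to the condition, for example `errmsg("GSSAPI requires protocol version 3 or later")`, stays accurate for every rejected version. The same applies to the twin check in pg_SSPI_recvauth (`"SSPI is not supported in protocol version 2"`). Both function bodies continue outside the hunks shown, so what follows the guard is not reviewed here.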