Commit 81e77085 authored by Tom Lane's avatar Tom Lane

Since GSSAPI and SSPI authentication don't work in protocol version 2,

issue a helpful error message instead of sending unparsable garbage.
(It is clearly a design error that this doesn't work, but fixing it
is not worth the trouble at this point.)  Per discussion.
parent 9b43c245
...@@ -8,7 +8,7 @@ ...@@ -8,7 +8,7 @@
* *
* *
* IDENTIFICATION * IDENTIFICATION
* $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.163 2008/01/30 04:11:19 tgl Exp $ * $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.164 2008/02/08 17:58:46 tgl Exp $
* *
*------------------------------------------------------------------------- *-------------------------------------------------------------------------
*/ */
...@@ -307,12 +307,13 @@ pg_krb5_recvauth(Port *port) ...@@ -307,12 +307,13 @@ pg_krb5_recvauth(Port *port)
} }
#endif /* KRB5 */ #endif /* KRB5 */
#ifdef ENABLE_GSS
/*---------------------------------------------------------------- /*----------------------------------------------------------------
* GSSAPI authentication system * GSSAPI authentication system
*---------------------------------------------------------------- *----------------------------------------------------------------
*/ */
#ifdef ENABLE_GSS
#if defined(HAVE_GSSAPI_H) #if defined(HAVE_GSSAPI_H)
#include <gssapi.h> #include <gssapi.h>
#else #else
...@@ -389,6 +390,19 @@ pg_GSS_recvauth(Port *port) ...@@ -389,6 +390,19 @@ pg_GSS_recvauth(Port *port)
StringInfoData buf; StringInfoData buf;
gss_buffer_desc gbuf; gss_buffer_desc gbuf;
/*
* GSS auth is not supported for protocol versions before 3, because it
* relies on the overall message length word to determine the GSS payload
* size in AuthenticationGSSContinue and PasswordMessage messages.
* (This is, in fact, a design error in our GSS support, because protocol
* messages are supposed to be parsable without relying on the length
* word; but it's not worth changing it now.)
*/
if (PG_PROTOCOL_MAJOR(FrontendProtocol) < 3)
ereport(FATAL,
(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
errmsg("GSSAPI is not supported in protocol version 2")));
if (pg_krb_server_keyfile && strlen(pg_krb_server_keyfile) > 0) if (pg_krb_server_keyfile && strlen(pg_krb_server_keyfile) > 0)
{ {
/* /*
...@@ -594,7 +608,9 @@ pg_GSS_recvauth(Port *port) ...@@ -594,7 +608,9 @@ pg_GSS_recvauth(Port *port)
return STATUS_OK; return STATUS_OK;
} }
#else /* no ENABLE_GSS */ #else /* no ENABLE_GSS */
static int static int
pg_GSS_recvauth(Port *port) pg_GSS_recvauth(Port *port)
{ {
...@@ -603,9 +619,20 @@ pg_GSS_recvauth(Port *port) ...@@ -603,9 +619,20 @@ pg_GSS_recvauth(Port *port)
errmsg("GSSAPI not implemented on this server"))); errmsg("GSSAPI not implemented on this server")));
return STATUS_ERROR; return STATUS_ERROR;
} }
#endif /* ENABLE_GSS */ #endif /* ENABLE_GSS */
/*----------------------------------------------------------------
* SSPI authentication system
*----------------------------------------------------------------
*/
#ifdef ENABLE_SSPI #ifdef ENABLE_SSPI
typedef SECURITY_STATUS
(WINAPI * QUERY_SECURITY_CONTEXT_TOKEN_FN) (
PCtxtHandle, void **);
static void static void
pg_SSPI_error(int severity, char *errmsg, SECURITY_STATUS r) pg_SSPI_error(int severity, char *errmsg, SECURITY_STATUS r)
{ {
...@@ -621,10 +648,6 @@ pg_SSPI_error(int severity, char *errmsg, SECURITY_STATUS r) ...@@ -621,10 +648,6 @@ pg_SSPI_error(int severity, char *errmsg, SECURITY_STATUS r)
errdetail("%s (%x)", sysmsg, (unsigned int) r))); errdetail("%s (%x)", sysmsg, (unsigned int) r)));
} }
typedef SECURITY_STATUS
(WINAPI * QUERY_SECURITY_CONTEXT_TOKEN_FN) (
PCtxtHandle, void **);
static int static int
pg_SSPI_recvauth(Port *port) pg_SSPI_recvauth(Port *port)
{ {
...@@ -651,6 +674,18 @@ pg_SSPI_recvauth(Port *port) ...@@ -651,6 +674,18 @@ pg_SSPI_recvauth(Port *port)
HMODULE secur32; HMODULE secur32;
QUERY_SECURITY_CONTEXT_TOKEN_FN _QuerySecurityContextToken; QUERY_SECURITY_CONTEXT_TOKEN_FN _QuerySecurityContextToken;
/*
* SSPI auth is not supported for protocol versions before 3, because it
* relies on the overall message length word to determine the SSPI payload
* size in AuthenticationGSSContinue and PasswordMessage messages.
* (This is, in fact, a design error in our SSPI support, because protocol
* messages are supposed to be parsable without relying on the length
* word; but it's not worth changing it now.)
*/
if (PG_PROTOCOL_MAJOR(FrontendProtocol) < 3)
ereport(FATAL,
(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
errmsg("SSPI is not supported in protocol version 2")));
/* /*
* Acquire a handle to the server credentials. * Acquire a handle to the server credentials.
...@@ -878,7 +913,9 @@ pg_SSPI_recvauth(Port *port) ...@@ -878,7 +913,9 @@ pg_SSPI_recvauth(Port *port)
return STATUS_OK; return STATUS_OK;
} }
#else /* no ENABLE_SSPI */ #else /* no ENABLE_SSPI */
static int static int
pg_SSPI_recvauth(Port *port) pg_SSPI_recvauth(Port *port)
{ {
...@@ -887,6 +924,7 @@ pg_SSPI_recvauth(Port *port) ...@@ -887,6 +924,7 @@ pg_SSPI_recvauth(Port *port)
errmsg("SSPI not implemented on this server"))); errmsg("SSPI not implemented on this server")));
return STATUS_ERROR; return STATUS_ERROR;
} }
#endif /* ENABLE_SSPI */ #endif /* ENABLE_SSPI */
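Review bot: The protocol-version guard and its seven-line rationale comment are added twice, identical apart from the GSS/SSPI wording, once in pg_GSS_recvauth and once in pg_SSPI_recvauth; if this limitation is ever lifted or the message reworded for one method, the other copy is easy to miss. Both functions appear to be reached from the same authentication dispatch, which lies outside these hunks, so a single check there of the form `if (PG_PROTOCOL_MAJOR(FrontendProtocol) < 3) ereport(FATAL, (errcode(ERRCODE_FEATURE_NOT_SUPPORTED), errmsg("%s is not supported in protocol version 2", method_name)));` would keep the rule and its explanation in one place, assuming the dispatch knows which method it is about to call. Failing that, the long comment could stay only in the GSSAPI copy and the SSPI copy be reduced to `/* Same protocol-2 limitation as in pg_GSS_recvauth; see the comment there. */`. The placement itself is right in both functions, since the rejection happens before any credential handle is acquired or any client data is read. pg_GSS_recvauth and pg_SSPI_recvauth both begin and end outside the shown hunks.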
......