Commit 20f9b61

With gssencmode='require', check credential cache before connecting
Previously, libpq would establish the TCP connection, and then immediately disconnect if the credentials were not available. The same thing happened if you tried to use a Unix domain socket with gssencmode=require. Check those conditions before establishing the TCP connection.

This is a very minor issue, but my motivation to do this now is that I'm about to add more detail to the tests for encryption negotiation. This makes the case of gssencmode=require but no credentials configured fail at the same stage as with gssencmode=require and GSSAPI support not compiled at all. That avoids having to deal with variations in expected output depending on build options.

Discussion: https://www.postgresql.org/message-id/CAEze2Wja8VUoZygCepwUeiCrWa4jP316k0mvJrOW4PFmWP0Tcw@mail.gmail.com

1 parent 1169920 commit 20f9b61

File tree

1 file changed

+30
-2
lines changed

‎src/interfaces/libpq/fe-connect.c

Lines changed: 30 additions & 2 deletions
@@ -2855,6 +2855,33 @@ PQconnectPoll(PGconn *conn)
28552855
/* Remember current address for possible use later */
28562856
memcpy(&conn->raddr,&addr_cur->addr,sizeof(SockAddr));
28572857

2858+
#ifdefENABLE_GSS
2859+
2860+
/*
2861+
* Before establishing the connection, check if it's
2862+
* doomed to fail because gssencmode='require' but GSSAPI
2863+
* is not available.
2864+
*/
2865+
if (conn->gssencmode[0]=='r')
2866+
{
2867+
if (conn->raddr.addr.ss_family==AF_UNIX)
2868+
{
2869+
libpq_append_conn_error(conn,
2870+
"GSSAPI encryption required but it is not supported over a local socket)");
2871+
gotoerror_return;
2872+
}
2873+
if (conn->gcred==GSS_C_NO_CREDENTIAL)
2874+
{
2875+
if (!pg_GSS_have_cred_cache(&conn->gcred))
2876+
{
2877+
libpq_append_conn_error(conn,
2878+
"GSSAPI encryption required but no credential cache");
2879+
gotoerror_return;
2880+
}
2881+
}
2882+
}
2883+
#endif
2884+
28582885
/*
28592886
* Set connip, too. Note we purposely ignore strdup
28602887
* failure; not a big problem if it fails.
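
Review bot: the new error string in the AF_UNIX branch ends with an unmatched closing parenthesis, "GSSAPI encryption required but it is not supported over a local socket)". It looks like a leftover from the older combined message; drop the ")" so the user-facing text is clean before it reaches translators. The block comment also says only that GSSAPI "is not available", while the code rejects two distinct cases (a local socket and a missing credential cache); naming both in the comment would match the two messages below it.
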
@@ -3218,7 +3245,7 @@ PQconnectPoll(PGconn *conn)
32183245
* for GSSAPI Encryption (and skip past SSL negotiation and
32193246
* regular startup below).
32203247
*/
3221-
if (conn->try_gss&& !conn->gctx)
3248+
if (conn->try_gss&& !conn->gctx&&conn->gcred==GSS_C_NO_CREDENTIAL)
32223249
conn->try_gss=pg_GSS_have_cred_cache(&conn->gcred);
32233250
if (conn->try_gss&& !conn->gctx)
32243251
{
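
Review bot: the added `conn->gcred==GSS_C_NO_CREDENTIAL` test in the first `if` has no explanation, and the comment above it still describes only the original behaviour. A short note that the credential may already have been acquired by the earlier gssencmode='require' check, so `pg_GSS_have_cred_cache(&conn->gcred)` must not be called a second time on it, would make the reason for the extra condition clear to the next reader.
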
@@ -3237,8 +3264,9 @@ PQconnectPoll(PGconn *conn)
32373264
}
32383265
elseif (!conn->gctx&&conn->gssencmode[0]=='r')
32393266
{
3267+
/* XXX: shouldn't happen */
32403268
libpq_append_conn_error(conn,
3241-
"GSSAPI encryption required but was impossible (possibly no credential cache, no server support, or using a local socket)");
3269+
"GSSAPI encryption required but was impossible");
32423270
gotoerror_return;
32433271
}
32443272
#endif
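
Review bot: the `/* XXX: shouldn't happen */` comment in the `else if` branch does not say why the branch is believed unreachable. The removed message listed three causes (no credential cache, no server support, local socket), and the check added earlier in this commit covers only the local socket and credential cache cases, so the comment should state what guarantees that `try_gss` cannot be false here for any other reason. If the branch can still be reached, the shortened "GSSAPI encryption required but was impossible" leaves the user with no hint at all; consider keeping a hint for the remaining cause, or spelling out the invariant in the comment.
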
