Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commitb68a560

Browse files
committed
Fix GSS client to non-GSS server connection
If the client is compiled with GSSAPI support and tries to start up GSSwith the server, but the server is not compiled with GSSAPI support, wewould mistakenly end up falling through to call ProcessStartupPacketwith secure_done = true, but the client might then try to perform SSL,which the backend wouldn't understand and we'd end up failing theconnection with:FATAL: unsupported frontend protocol 1234.5679: server supports 2.0 to 3.0Fix by arranging to track ssl_done independently from gss_done, insteadof trying to use the same boolean for both.Author: Andrew GierthDiscussion:https://postgr.es/m/87h82kzwqn.fsf@news-spur.riddles.org.ukBackpatch: 12-, where GSSAPI encryption was added.
1 parentd5d0969 commitb68a560

File tree

1 file changed

+24
-13
lines changed

1 file changed

+24
-13
lines changed

‎src/backend/postmaster/postmaster.c

Lines changed: 24 additions & 13 deletions
Original file line numberDiff line numberDiff line change
@@ -404,7 +404,7 @@ static void BackendRun(Port *port) pg_attribute_noreturn();
404404
staticvoidExitPostmaster(intstatus)pg_attribute_noreturn();
405405
staticintServerLoop(void);
406406
staticintBackendStartup(Port*port);
407-
staticintProcessStartupPacket(Port*port,boolsecure_done);
407+
staticintProcessStartupPacket(Port*port,boolssl_done,boolgss_done);
408408
staticvoidSendNegotiateProtocolVersion(List*unrecognized_protocol_options);
409409
staticvoidprocessCancelRequest(Port*port,void*pkt);
410410
staticintinitMasks(fd_set*rmask);
@@ -1914,11 +1914,15 @@ initMasks(fd_set *rmask)
19141914
* send anything to the client, which would typically be appropriate
19151915
* if we detect a communications failure.)
19161916
*
1917-
* Set secure_done when negotiation of an encrypted layer (currently, TLS or
1918-
* GSSAPI) is already completed.
1917+
* Set ssl_done and/or gss_done when negotiation of an encrypted layer
1918+
* (currently, TLS or GSSAPI) is completed. A successful negotiation of either
1919+
* encryption layer sets both flags, but a rejected negotiation sets only the
1920+
* flag for that layer, since the client may wish to try the other one. We
1921+
* should make no assumption here about the order in which the client may make
1922+
* requests.
19191923
*/
19201924
staticint
1921-
ProcessStartupPacket(Port*port,boolsecure_done)
1925+
ProcessStartupPacket(Port*port,boolssl_done,boolgss_done)
19221926
{
19231927
int32len;
19241928
void*buf;
@@ -1951,7 +1955,7 @@ ProcessStartupPacket(Port *port, bool secure_done)
19511955
if (pq_getbytes(((char*)&len)+1,3)==EOF)
19521956
{
19531957
/* Got a partial length word, so bleat about that */
1954-
if (!secure_done)
1958+
if (!ssl_done&& !gss_done)
19551959
ereport(COMMERROR,
19561960
(errcode(ERRCODE_PROTOCOL_VIOLATION),
19571961
errmsg("incomplete startup packet")));
@@ -2003,7 +2007,7 @@ ProcessStartupPacket(Port *port, bool secure_done)
20032007
returnSTATUS_ERROR;
20042008
}
20052009

2006-
if (proto==NEGOTIATE_SSL_CODE&& !secure_done)
2010+
if (proto==NEGOTIATE_SSL_CODE&& !ssl_done)
20072011
{
20082012
charSSLok;
20092013

@@ -2032,11 +2036,14 @@ ProcessStartupPacket(Port *port, bool secure_done)
20322036
if (SSLok=='S'&&secure_open_server(port)==-1)
20332037
returnSTATUS_ERROR;
20342038
#endif
2035-
/* regular startup packet, cancel, etc packet should follow... */
2036-
/* but not another SSL negotiation request */
2037-
returnProcessStartupPacket(port, true);
2039+
/*
2040+
* regular startup packet, cancel, etc packet should follow, but not
2041+
* another SSL negotiation request, and a GSS request should only
2042+
* follow if SSL was rejected (client may negotiate in either order)
2043+
*/
2044+
returnProcessStartupPacket(port, true,SSLok=='S');
20382045
}
2039-
elseif (proto==NEGOTIATE_GSS_CODE&& !secure_done)
2046+
elseif (proto==NEGOTIATE_GSS_CODE&& !gss_done)
20402047
{
20412048
charGSSok='N';
20422049
#ifdefENABLE_GSS
@@ -2059,8 +2066,12 @@ ProcessStartupPacket(Port *port, bool secure_done)
20592066
if (GSSok=='G'&&secure_open_gssapi(port)==-1)
20602067
returnSTATUS_ERROR;
20612068
#endif
2062-
/* Won't ever see more than one negotiation request */
2063-
returnProcessStartupPacket(port, true);
2069+
/*
2070+
* regular startup packet, cancel, etc packet should follow, but not
2071+
* another GSS negotiation request, and an SSL request should only
2072+
* follow if GSS was rejected (client may negotiate in either order)
2073+
*/
2074+
returnProcessStartupPacket(port,GSSok=='G', true);
20642075
}
20652076

20662077
/* Could add additional special packet types here */
@@ -4412,7 +4423,7 @@ BackendInitialize(Port *port)
44124423
* Receive the startup packet (which might turn out to be a cancel request
44134424
* packet).
44144425
*/
4415-
status=ProcessStartupPacket(port, false);
4426+
status=ProcessStartupPacket(port, false, false);
44164427

44174428
/*
44184429
* Stop here if it was bad or a cancel packet. ProcessStartupPacket

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp