Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commite0e7dae

Browse files
committed
Lots of patches coming in from me today :-)
When drawing up a very simple "text-drawing" of how the negotiation is done,I realised I had done this last part (fallback) in a very stupid way. Patch#4 fixes this, and does it in a much better way.Included is also the simple text-drawing of how the negotiation is done.//Magnus
1 parent3114f92 commite0e7dae

File tree

12 files changed

+390
-78
lines changed

12 files changed

+390
-78
lines changed

‎src/backend/libpq/auth.c‎

Lines changed: 2 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -7,7 +7,7 @@
77
*
88
*
99
* IDENTIFICATION
10-
* $Header: /cvsroot/pgsql/src/backend/libpq/auth.c,v 1.40 1999/07/17 20:17:00 momjian Exp $
10+
* $Header: /cvsroot/pgsql/src/backend/libpq/auth.c,v 1.41 1999/09/27 03:12:58 momjian Exp $
1111
*
1212
*-------------------------------------------------------------------------
1313
*/
@@ -452,8 +452,7 @@ be_recvauth(Port *port)
452452
* an error message into the postmaster logfile if it failed.
453453
*/
454454

455-
if (hba_getauthmethod(&port->raddr,port->user,port->database,
456-
port->auth_arg,&port->auth_method)!=STATUS_OK)
455+
if (hba_getauthmethod(port)!=STATUS_OK)
457456
PacketSendError(&port->pktInfo,
458457
"Missing or erroneous pg_hba.conf file, see postmaster log for details");
459458

@@ -470,7 +469,6 @@ be_recvauth(Port *port)
470469

471470
AuthRequestareq=AUTH_REQ_OK;
472471
PacketDoneProcauth_handler=NULL;
473-
474472
switch (port->auth_method)
475473
{
476474
caseuaReject:

‎src/backend/libpq/hba.c‎

Lines changed: 47 additions & 30 deletions
Original file line numberDiff line numberDiff line change
@@ -5,7 +5,7 @@
55
* wherein you authenticate a user by seeing what IP address the system
66
* says he comes from and possibly using ident).
77
*
8-
*$Id: hba.c,v 1.47 1999/07/17 20:17:02 momjian Exp $
8+
*$Id: hba.c,v 1.48 1999/09/27 03:12:59 momjian Exp $
99
*
1010
*-------------------------------------------------------------------------
1111
*/
@@ -146,9 +146,7 @@ read_hba_entry2(FILE *file, UserAuth *userauth_p, char *auth_arg,
146146

147147

148148
staticvoid
149-
process_hba_record(FILE*file,SockAddr*raddr,constchar*user,
150-
constchar*database,bool*matches_p,bool*error_p,
151-
UserAuth*userauth_p,char*auth_arg)
149+
process_hba_record(FILE*file,hbaPort*port,bool*matches_p,bool*error_p)
152150
{
153151
/*---------------------------------------------------------------------------
154152
Process the non-comment record in the config file that is next on the file.
@@ -182,16 +180,16 @@ process_hba_record(FILE *file, SockAddr *raddr, const char *user,
182180

183181
/* Read the rest of the line. */
184182

185-
read_hba_entry2(file,userauth_p,auth_arg,error_p);
183+
read_hba_entry2(file,&port->auth_method,port->auth_arg,error_p);
186184

187185
/*
188186
* For now, disallow methods that need AF_INET sockets to work.
189187
*/
190188

191189
if (!*error_p&&
192-
(*userauth_p==uaIdent||
193-
*userauth_p==uaKrb4||
194-
*userauth_p==uaKrb5))
190+
(port->auth_method==uaIdent||
191+
port->auth_method==uaKrb4||
192+
port->auth_method==uaKrb5))
195193
*error_p= true;
196194

197195
if (*error_p)
@@ -202,15 +200,33 @@ process_hba_record(FILE *file, SockAddr *raddr, const char *user,
202200
* sort of connection, ignore it.
203201
*/
204202

205-
if ((strcmp(db,database)!=0&&strcmp(db,"all")!=0&&
206-
(strcmp(db,"sameuser")!=0||strcmp(database,user)!=0))||
207-
raddr->sa.sa_family!=AF_UNIX)
203+
if ((strcmp(db,port->database)!=0&&strcmp(db,"all")!=0&&
204+
(strcmp(db,"sameuser")!=0||strcmp(port->database,port->user)!=0))||
205+
port->raddr.sa.sa_family!=AF_UNIX)
208206
return;
209207
}
210-
elseif (strcmp(buf,"host")==0)
208+
elseif (strcmp(buf,"host")==0||strcmp(buf,"hostssl")==0)
211209
{
212210
structin_addrfile_ip_addr,
213211
mask;
212+
booldiscard=0;/* Discard this entry */
213+
214+
#ifdefUSE_SSL
215+
/* If SSL, then check that we are on SSL */
216+
if (strcmp(buf,"hostssl")==0) {
217+
if (!port->ssl)
218+
discard=1;
219+
220+
/* Placeholder to require specific SSL level, perhaps? */
221+
/* Or a client certificate */
222+
223+
/* Since we were on SSL, proceed as with normal 'host' mode */
224+
}
225+
#else
226+
/* If not SSL, we don't support this */
227+
if (strcmp(buf,"hostssl")==0)
228+
gotosyntax;
229+
#endif
214230

215231
/* Get the database. */
216232

@@ -252,20 +268,27 @@ process_hba_record(FILE *file, SockAddr *raddr, const char *user,
252268
* info from it.
253269
*/
254270

255-
read_hba_entry2(file,userauth_p,auth_arg,error_p);
271+
read_hba_entry2(file,&port->auth_method,port->auth_arg,error_p);
256272

257273
if (*error_p)
258274
gotosyntax;
259275

276+
/*
277+
* If told to discard earlier. Moved down here so we don't get
278+
* "out of sync" with the file.
279+
*/
280+
if (discard)
281+
return;
282+
260283
/*
261284
* If this record isn't for our database, or this is the wrong
262285
* sort of connection, ignore it.
263286
*/
264287

265-
if ((strcmp(db,database)!=0&&strcmp(db,"all")!=0&&
266-
(strcmp(db,"sameuser")!=0||strcmp(database,user)!=0))||
267-
raddr->sa.sa_family!=AF_INET||
268-
((file_ip_addr.s_addr ^raddr->in.sin_addr.s_addr)&mask.s_addr)!=0x0000)
288+
if ((strcmp(db,port->database)!=0&&strcmp(db,"all")!=0&&
289+
(strcmp(db,"sameuser")!=0||strcmp(port->database,port->user)!=0))||
290+
port->raddr.sa.sa_family!=AF_INET||
291+
((file_ip_addr.s_addr ^port->raddr.in.sin_addr.s_addr)&mask.s_addr)!=0x0000)
269292
return;
270293
}
271294
else
@@ -291,9 +314,7 @@ process_hba_record(FILE *file, SockAddr *raddr, const char *user,
291314

292315

293316
staticvoid
294-
process_open_config_file(FILE*file,SockAddr*raddr,constchar*user,
295-
constchar*database,bool*hba_ok_p,
296-
UserAuth*userauth_p,char*auth_arg)
317+
process_open_config_file(FILE*file,hbaPort*port,bool*hba_ok_p)
297318
{
298319
/*---------------------------------------------------------------------------
299320
This function does the same thing as find_hba_entry, only with
@@ -316,8 +337,7 @@ process_open_config_file(FILE *file, SockAddr *raddr, const char *user,
316337
if (c=='#')
317338
read_through_eol(file);
318339
else
319-
process_hba_record(file,raddr,user,database,
320-
&found_entry,&error,userauth_p,auth_arg);
340+
process_hba_record(file,port,&found_entry,&error);
321341
}
322342
}
323343

@@ -326,7 +346,7 @@ process_open_config_file(FILE *file, SockAddr *raddr, const char *user,
326346
/* If no matching entry was found, synthesize 'reject' entry. */
327347

328348
if (!found_entry)
329-
*userauth_p=uaReject;
349+
port->auth_method=uaReject;
330350

331351
*hba_ok_p= true;
332352
}
@@ -335,8 +355,7 @@ process_open_config_file(FILE *file, SockAddr *raddr, const char *user,
335355

336356

337357
staticvoid
338-
find_hba_entry(SockAddr*raddr,constchar*user,constchar*database,
339-
bool*hba_ok_p,UserAuth*userauth_p,char*auth_arg)
358+
find_hba_entry(hbaPort*port,bool*hba_ok_p)
340359
{
341360
/*
342361
* Read the config file and find an entry that allows connection from
@@ -412,8 +431,7 @@ find_hba_entry(SockAddr *raddr, const char *user, const char *database,
412431
}
413432
else
414433
{
415-
process_open_config_file(file,raddr,user,database,hba_ok_p,
416-
userauth_p,auth_arg);
434+
process_open_config_file(file,port,hba_ok_p);
417435
FreeFile(file);
418436
}
419437
pfree(conf_file);
@@ -1057,8 +1075,7 @@ GetCharSetByHost(char *TableName, int host, const char *DataDir)
10571075
#endif
10581076

10591077
int
1060-
hba_getauthmethod(SockAddr*raddr,char*user,char*database,
1061-
char*auth_arg,UserAuth*auth_method)
1078+
hba_getauthmethod(hbaPort*port)
10621079
{
10631080
/*---------------------------------------------------------------------------
10641081
Determine what authentication method should be used when accessing database
@@ -1070,7 +1087,7 @@ hba_getauthmethod(SockAddr *raddr, char *user, char *database,
10701087
----------------------------------------------------------------------------*/
10711088
boolhba_ok= false;
10721089

1073-
find_hba_entry(raddr,user,database,&hba_ok,auth_method,auth_arg);
1090+
find_hba_entry(port,&hba_ok);
10741091

10751092
returnhba_ok ?STATUS_OK :STATUS_ERROR;
10761093
}

‎src/backend/libpq/pg_hba.conf.sample‎

Lines changed: 12 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -79,6 +79,18 @@
7979
#
8080
# krb5: Kerberos V5 authentication is used.
8181

82+
# Record type "hostssl"
83+
# ---------------------
84+
#
85+
# This record identifies the authentication to use when connecting to a
86+
# particular database via TCP/IP sockets over SSL. Note that normal
87+
# "host" records are also matched - "hostssl" records can be used to
88+
# require a SSL connection.
89+
# This keyword is only available if the server is compiled with SSL support
90+
# enabled.
91+
#
92+
# The format of this record is identical to that of "host".
93+
8294
# Record type "local"
8395
# ------------------
8496
#

‎src/backend/libpq/pqcomm.c‎

Lines changed: 18 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -28,7 +28,7 @@
2828
*
2929
* Copyright (c) 1994, Regents of the University of California
3030
*
31-
*$Id: pqcomm.c,v 1.83 1999/09/08 22:57:12 tgl Exp $
31+
*$Id: pqcomm.c,v 1.84 1999/09/27 03:12:59 momjian Exp $
3232
*
3333
*-------------------------------------------------------------------------
3434
*/
@@ -436,8 +436,16 @@ pq_recvbuf(void)
436436
/* Can fill buffer from PqRecvLength and upwards */
437437
for (;;)
438438
{
439-
intr=recv(MyProcPort->sock,PqRecvBuffer+PqRecvLength,
440-
PQ_BUFFER_SIZE-PqRecvLength,0);
439+
intr;
440+
441+
#ifdefUSE_SSL
442+
if (MyProcPort->ssl)
443+
r=SSL_read(MyProcPort->ssl,PqRecvBuffer+PqRecvLength,
444+
PQ_BUFFER_SIZE-PqRecvLength);
445+
else
446+
#endif
447+
r=recv(MyProcPort->sock,PqRecvBuffer+PqRecvLength,
448+
PQ_BUFFER_SIZE-PqRecvLength,0);
441449

442450
if (r<0)
443451
{
@@ -604,7 +612,13 @@ pq_flush(void)
604612

605613
while (bufptr<bufend)
606614
{
607-
intr=send(MyProcPort->sock,bufptr,bufend-bufptr,0);
615+
intr;
616+
#ifdefUSE_SSL
617+
if (MyProcPort->ssl)
618+
r=SSL_write(MyProcPort->ssl,bufptr,bufend-bufptr);
619+
else
620+
#endif
621+
r=send(MyProcPort->sock,bufptr,bufend-bufptr,0);
608622

609623
if (r <=0)
610624
{

‎src/backend/libpq/pqpacket.c‎

Lines changed: 22 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -8,7 +8,7 @@
88
*
99
*
1010
* IDENTIFICATION
11-
* $Header: /cvsroot/pgsql/src/backend/libpq/Attic/pqpacket.c,v 1.22 1999/07/17 20:17:03 momjian Exp $
11+
* $Header: /cvsroot/pgsql/src/backend/libpq/Attic/pqpacket.c,v 1.23 1999/09/27 03:12:59 momjian Exp $
1212
*
1313
*-------------------------------------------------------------------------
1414
*/
@@ -50,13 +50,20 @@ PacketReceiveSetup(Packet *pkt, PacketDoneProc iodone, void *arg)
5050
*/
5151

5252
int
53-
PacketReceiveFragment(Packet*pkt,intsock)
53+
PacketReceiveFragment(Port*port)
5454
{
5555
intgot;
56-
57-
if ((got=read(sock,pkt->ptr,pkt->nrtodo))>0)
56+
Packet*pkt=&port->pktInfo;
57+
58+
#ifdefUSE_SSL
59+
if (port->ssl)
60+
got=SSL_read(port->ssl,pkt->ptr,pkt->nrtodo);
61+
else
62+
#endif
63+
got=read(port->sock,pkt->ptr,pkt->nrtodo);
64+
if (got>0)
5865
{
59-
pkt->nrtodo-=got;
66+
pkt->nrtodo-=got;
6067
pkt->ptr+=got;
6168

6269
/* See if we have got what we need for the packet length. */
@@ -132,11 +139,19 @@ PacketSendSetup(Packet *pkt, int nbytes, PacketDoneProc iodone, void *arg)
132139
*/
133140

134141
int
135-
PacketSendFragment(Packet*pkt,intsock)
142+
PacketSendFragment(Port*port)
136143
{
137144
intdone;
145+
Packet*pkt=&port->pktInfo;
146+
147+
#ifdefUSE_SSL
148+
if (port->ssl)
149+
done=SSL_write(port->ssl,pkt->ptr,pkt->nrtodo);
150+
else
151+
#endif
152+
done=write(port->sock,pkt->ptr,pkt->nrtodo);
138153

139-
if ((done=write(sock,pkt->ptr,pkt->nrtodo))>0)
154+
if (done>0)
140155
{
141156
pkt->nrtodo-=done;
142157
pkt->ptr+=done;

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp