NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commite1c8743

committed

GSSAPI error message improvements

Make the error messages around GSSAPI encryption a bit clearer. Tweaksome messages to avoid plural problems.Also make a code change for clarity. Using "conf" for "confidential"is quite confusing. Using "conf_state" is perhaps not much better butthat's what the GSSAPI documentation uses, so there is at least somehope of understanding it.

1 parent70377cf commite1c8743Copy full SHA for e1c8743

File tree

2 files changed

+39

-31

lines changed

src
- backend/libpq
  - be-secure-gssapi.c
- interfaces/libpq
  - fe-secure-gssapi.c

2 files changed

+39

-31

lines changed

`‎src/backend/libpq/be-secure-gssapi.c`

Lines changed: 21 additions & 17 deletions

Original file line number	Diff line number	Diff line change
`@@ -99,7 +99,7 @@ be_gssapi_write(Port port, void ptr, size_t len)`
`99`	`99`	`minor;`
`100`	`100`	`gss_buffer_descinput,`
`101`	`101`	`output;`
`102`		`-intconf=0;`
	`102`	`+intconf_state=0;`
`103`	`103`	`uint32netlen;`
`104`	`104`	`pg_gssinfo*gss=port->gss;`
`105`	`105`
`@@ -172,18 +172,19 @@ be_gssapi_write(Port port, void ptr, size_t len)`
`172`	`172`
`173`	`173`	`/* Create the next encrypted packet */`
`174`	`174`	`major=gss_wrap(&minor,gss->ctx,1,GSS_C_QOP_DEFAULT,`
`175`		`-&input,&conf,&output);`
	`175`	`+&input,&conf_state,&output);`
`176`	`176`	`if (major!=GSS_S_COMPLETE)`
`177`	`177`	`pg_GSS_error(FATAL,gettext_noop("GSSAPI wrap error"),major,minor);`
`178`	`178`
`179`		`-if (conf==0)`
	`179`	`+if (conf_state==0)`
`180`	`180`	`ereport(FATAL,`
`181`		`-(errmsg("GSSAPIdidnotprovide confidentiality")));`
	`181`	`+(errmsg("outgoingGSSAPImessage wouldnotuse confidentiality")));`
`182`	`182`
`183`	`183`	`if (output.length>PQ_GSS_SEND_BUFFER_SIZE-sizeof(uint32))`
`184`	`184`	`ereport(FATAL,`
`185`		`-(errmsg("server tried to send oversize GSSAPI packet: %zu bytes",`
`186`		`-(size_t)output.length)));`
	`185`	`+(errmsg("server tried to send oversize GSSAPI packet (%zu > %zu)",`
	`186`	`+(size_t)output.length,`
	`187`	`+PQ_GSS_SEND_BUFFER_SIZE-sizeof(uint32))));`
`187`	`188`
`188`	`189`	`bytes_encrypted+=input.length;`
`189`	`190`	`bytes_to_encrypt-=input.length;`
`@@ -216,7 +217,7 @@ be_gssapi_read(Port port, void ptr, size_t len)`
`216`	`217`	`ssize_tret;`
`217`	`218`	`size_tbytes_to_return=len;`
`218`	`219`	`size_tbytes_returned=0;`
`219`		`-intconf=0;`
	`220`	`+intconf_state=0;`
`220`	`221`	`pg_gssinfo*gss=port->gss;`
`221`	`222`
`222`	`223`	`/*`
`@@ -299,8 +300,9 @@ be_gssapi_read(Port port, void ptr, size_t len)`
`299`	`300`	`/* Check for over-length packet */`
`300`	`301`	`if (input.length>PQ_GSS_RECV_BUFFER_SIZE-sizeof(uint32))`
`301`	`302`	`ereport(FATAL,`
`302`		`-(errmsg("oversize GSSAPI packet sent by the client: %zu bytes",`
`303`		`-(size_t)input.length)));`
	`303`	`+(errmsg("oversize GSSAPI packet sent by the client (%zu > %zu)",`
	`304`	`+(size_t)input.length,`
	`305`	`+PQ_GSS_RECV_BUFFER_SIZE-sizeof(uint32))));`
`304`	`306`
`305`	`307`	`/*`
`306`	`308`	`* Read as much of the packet as we are able to on this call into`
`@@ -338,14 +340,14 @@ be_gssapi_read(Port port, void ptr, size_t len)`
`338`	`340`	`output.length=0;`
`339`	`341`	`input.value=PqGSSRecvBuffer+sizeof(uint32);`
`340`	`342`
`341`		`-major=gss_unwrap(&minor,gss->ctx,&input,&output,&conf,NULL);`
	`343`	`+major=gss_unwrap(&minor,gss->ctx,&input,&output,&conf_state,NULL);`
`342`	`344`	`if (major!=GSS_S_COMPLETE)`
`343`	`345`	`pg_GSS_error(FATAL,gettext_noop("GSSAPI unwrap error"),`
`344`	`346`	`major,minor);`
`345`	`347`
`346`		`-if (conf==0)`
	`348`	`+if (conf_state==0)`
`347`	`349`	`ereport(FATAL,`
`348`		`-(errmsg("GSSAPI did notprovide confidentiality")));`
	`350`	`+(errmsg("incomingGSSAPImessagedid notuse confidentiality")));`
`349`	`351`
`350`	`352`	`memcpy(PqGSSResultBuffer,output.value,output.length);`
`351`	`353`
`@@ -497,8 +499,9 @@ secure_open_gssapi(Port *port)`
`497`	`499`	`*/`
`498`	`500`	`if (input.length>PQ_GSS_RECV_BUFFER_SIZE)`
`499`	`501`	`ereport(FATAL,`
`500`		`-(errmsg("oversize GSSAPI packet sent by the client: %zu bytes",`
`501`		`-(size_t)input.length)));`
	`502`	`+(errmsg("oversize GSSAPI packet sent by the client (%zu > %d)",`
	`503`	`+(size_t)input.length,`
	`504`	`+PQ_GSS_RECV_BUFFER_SIZE)));`
`502`	`505`
`503`	`506`	`/*`
`504`	`507`	`* Get the rest of the packet so we can pass it to GSSAPI to accept`
`@@ -518,7 +521,7 @@ secure_open_gssapi(Port *port)`
`518`	`521`	`NULL,NULL);`
`519`	`522`	`if (GSS_ERROR(major))`
`520`	`523`	`{`
`521`		`-pg_GSS_error(ERROR,gettext_noop("GSSAPIcontext error"),`
	`524`	`+pg_GSS_error(ERROR,gettext_noop("could not acceptGSSAPIsecurity context"),`
`522`	`525`	`major,minor);`
`523`	`526`	`gss_release_buffer(&minor,&output);`
`524`	`527`	`return-1;`
`@@ -545,8 +548,9 @@ secure_open_gssapi(Port *port)`
`545`	`548`
`546`	`549`	`if (output.length>PQ_GSS_SEND_BUFFER_SIZE-sizeof(uint32))`
`547`	`550`	`ereport(FATAL,`
`548`		`-(errmsg("server tried to send oversize GSSAPI packet: %zu bytes",`
`549`		`-(size_t)output.length)));`
	`551`	`+(errmsg("server tried to send oversize GSSAPI packet (%zu > %zu)",`
	`552`	`+(size_t)output.length,`
	`553`	`+PQ_GSS_SEND_BUFFER_SIZE-sizeof(uint32))));`
`550`	`554`
`551`	`555`	`memcpy(PqGSSSendBuffer, (char*)&netlen,sizeof(uint32));`
`552`	`556`	`PqGSSSendPointer+=sizeof(uint32);`

`‎src/interfaces/libpq/fe-secure-gssapi.c`

Lines changed: 18 additions & 14 deletions

Original file line number	Diff line number	Diff line change
`@@ -87,7 +87,7 @@ pg_GSS_write(PGconn conn, const void ptr, size_t len)`
`87`	`87`	`*/`
`88`	`88`	`while (bytes_to_encrypt\|\|PqGSSSendPointer)`
`89`	`89`	`{`
`90`		`-intconf=0;`
	`90`	`+intconf_state=0;`
`91`	`91`	`uint32netlen;`
`92`	`92`
`93`	`93`	`/*`
`@@ -154,24 +154,25 @@ pg_GSS_write(PGconn conn, const void ptr, size_t len)`
`154`	`154`
`155`	`155`	`/* Create the next encrypted packet */`
`156`	`156`	`major=gss_wrap(&minor,conn->gctx,1,GSS_C_QOP_DEFAULT,`
`157`		`-&input,&conf,&output);`
	`157`	`+&input,&conf_state,&output);`
`158`	`158`	`if (major!=GSS_S_COMPLETE)`
`159`	`159`	`{`
`160`	`160`	`pg_GSS_error(libpq_gettext("GSSAPI wrap error"),conn,major,minor);`
`161`	`161`	`gotocleanup;`
`162`	`162`	`}`
`163`		`-elseif (conf==0)`
	`163`	`+elseif (conf_state==0)`
`164`	`164`	`{`
`165`	`165`	`printfPQExpBuffer(&conn->errorMessage,`
`166`		`-libpq_gettext("GSSAPIdidnotprovide confidentiality\n"));`
	`166`	`+libpq_gettext("outgoingGSSAPImessage wouldnotuse confidentiality\n"));`
`167`	`167`	`gotocleanup;`
`168`	`168`	`}`
`169`	`169`
`170`	`170`	`if (output.length>PQ_GSS_SEND_BUFFER_SIZE-sizeof(uint32))`
`171`	`171`	`{`
`172`	`172`	`printfPQExpBuffer(&conn->errorMessage,`
`173`		`-libpq_gettext("client tried to send oversize GSSAPI packet: %zu bytes\n"),`
`174`		`- (size_t)output.length);`
	`173`	`+libpq_gettext("client tried to send oversize GSSAPI packet (%zu > %zu)\n"),`
	`174`	`+ (size_t)output.length,`
	`175`	`+PQ_GSS_SEND_BUFFER_SIZE-sizeof(uint32));`
`175`	`176`	`gotocleanup;`
`176`	`177`	`}`
`177`	`178`
`@@ -229,7 +230,7 @@ pg_GSS_read(PGconn conn, void ptr, size_t len)`
`229`	`230`	`*/`
`230`	`231`	`while (bytes_to_return)`
`231`	`232`	`{`
`232`		`-intconf=0;`
	`233`	`+intconf_state=0;`
`233`	`234`
`234`	`235`	`/* Check if we have data in our buffer that we can return immediately */`
`235`	`236`	`if (PqGSSResultPointer<PqGSSResultLength)`
`@@ -287,7 +288,9 @@ pg_GSS_read(PGconn conn, void ptr, size_t len)`
`287`	`288`	`if (input.length>PQ_GSS_RECV_BUFFER_SIZE-sizeof(uint32))`
`288`	`289`	`{`
`289`	`290`	`printfPQExpBuffer(&conn->errorMessage,`
`290`		`-libpq_gettext("GSSAPI did not provide confidentiality\n"));`
	`291`	`+libpq_gettext("oversize GSSAPI packet sent by the server (%zu > %zu)\n"),`
	`292`	`+ (size_t)input.length,`
	`293`	`+PQ_GSS_RECV_BUFFER_SIZE-sizeof(uint32));`
`291`	`294`	`ret=-1;`
`292`	`295`	`gotocleanup;`
`293`	`296`	`}`
`@@ -318,18 +321,18 @@ pg_GSS_read(PGconn conn, void ptr, size_t len)`
`318`	`321`	`output.length=0;`
`319`	`322`	`input.value=PqGSSRecvBuffer+sizeof(uint32);`
`320`	`323`
`321`		`-major=gss_unwrap(&minor,conn->gctx,&input,&output,&conf,NULL);`
	`324`	`+major=gss_unwrap(&minor,conn->gctx,&input,&output,&conf_state,NULL);`
`322`	`325`	`if (major!=GSS_S_COMPLETE)`
`323`	`326`	`{`
`324`	`327`	`pg_GSS_error(libpq_gettext("GSSAPI unwrap error"),conn,`
`325`	`328`	`major,minor);`
`326`	`329`	`ret=-1;`
`327`	`330`	`gotocleanup;`
`328`	`331`	`}`
`329`		`-elseif (conf==0)`
	`332`	`+elseif (conf_state==0)`
`330`	`333`	`{`
`331`	`334`	`printfPQExpBuffer(&conn->errorMessage,`
`332`		`-libpq_gettext("GSSAPI did notprovide confidentiality\n"));`
	`335`	`+libpq_gettext("incomingGSSAPImessagedid notuse confidentiality\n"));`
`333`	`336`	`ret=-1;`
`334`	`337`	`gotocleanup;`
`335`	`338`	`}`
`@@ -491,8 +494,9 @@ pqsecure_open_gss(PGconn *conn)`
`491`	`494`	`if (input.length>PQ_GSS_RECV_BUFFER_SIZE-sizeof(uint32))`
`492`	`495`	`{`
`493`	`496`	`printfPQExpBuffer(&conn->errorMessage,`
`494`		`-libpq_gettext("oversize GSSAPI packet sent by the server: %zu bytes\n"),`
`495`		`- (size_t)input.length);`
	`497`	`+libpq_gettext("oversize GSSAPI packet sent by the server (%zu > %zu)\n"),`
	`498`	`+ (size_t)input.length,`
	`499`	`+PQ_GSS_RECV_BUFFER_SIZE-sizeof(uint32));`
`496`	`500`	`returnPGRES_POLLING_FAILED;`
`497`	`501`	`}`
`498`	`502`
`@@ -536,7 +540,7 @@ pqsecure_open_gss(PGconn *conn)`
`536`	`540`
`537`	`541`	`if (GSS_ERROR(major))`
`538`	`542`	`{`
`539`		`-pg_GSS_error(libpq_gettext("GSSAPI context establishment error"),`
	`543`	`+pg_GSS_error(libpq_gettext("could not initiate GSSAPI security context"),`
`540`	`544`	`conn,major,minor);`
`541`	`545`	`returnPGRES_POLLING_FAILED;`
`542`	`546`	`}`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commite1c8743

File tree

2 files changed

2 files changed

`‎src/backend/libpq/be-secure-gssapi.c`

`‎src/interfaces/libpq/fe-secure-gssapi.c`

0 commit comments