88 *
99 *
1010 * IDENTIFICATION
11- * $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.163 2008/01/30 04:11:19 tgl Exp $
11+ * $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.164 2008/02/08 17:58:46 tgl Exp $
1212 *
1313 *-------------------------------------------------------------------------
1414 */
@@ -307,12 +307,13 @@ pg_krb5_recvauth(Port *port)
307307}
308308#endif /* KRB5 */
309309
310- #ifdef ENABLE_GSS
311310/*----------------------------------------------------------------
312311 * GSSAPI authentication system
313312 *----------------------------------------------------------------
314313 */
315314
315+ #ifdef ENABLE_GSS
316+
316317#if defined(HAVE_GSSAPI_H )
317318#include <gssapi.h>
318319#else
@@ -389,6 +390,19 @@ pg_GSS_recvauth(Port *port)
389390StringInfoData buf ;
390391gss_buffer_desc gbuf ;
391392
393+ /*
394+ * GSS auth is not supported for protocol versions before 3, because it
395+ * relies on the overall message length word to determine the GSS payload
396+ * size in AuthenticationGSSContinue and PasswordMessage messages.
397+ * (This is, in fact, a design error in our GSS support, because protocol
398+ * messages are supposed to be parsable without relying on the length
399+ * word; but it's not worth changing it now.)
400+ */
401+ if (PG_PROTOCOL_MAJOR (FrontendProtocol )< 3 )
402+ ereport (FATAL ,
403+ (errcode (ERRCODE_FEATURE_NOT_SUPPORTED ),
404+ errmsg ("GSSAPI is not supported in protocol version 2" )));
405+
392406if (pg_krb_server_keyfile && strlen (pg_krb_server_keyfile )> 0 )
393407{
394408/*
@@ -594,7 +608,9 @@ pg_GSS_recvauth(Port *port)
594608
595609return STATUS_OK ;
596610}
611+
597612#else /* no ENABLE_GSS */
613+
598614static int
599615pg_GSS_recvauth (Port * port )
600616{
@@ -603,9 +619,20 @@ pg_GSS_recvauth(Port *port)
603619errmsg ("GSSAPI not implemented on this server" )));
604620return STATUS_ERROR ;
605621}
622+
606623#endif /* ENABLE_GSS */
607624
625+ /*----------------------------------------------------------------
626+ * SSPI authentication system
627+ *----------------------------------------------------------------
628+ */
629+
608630#ifdef ENABLE_SSPI
631+
632+ typedef SECURITY_STATUS
633+ (WINAPI * QUERY_SECURITY_CONTEXT_TOKEN_FN ) (
634+ PCtxtHandle ,void * * );
635+
609636static void
610637pg_SSPI_error (int severity ,char * errmsg ,SECURITY_STATUS r )
611638{
@@ -621,10 +648,6 @@ pg_SSPI_error(int severity, char *errmsg, SECURITY_STATUS r)
621648errdetail ("%s (%x)" ,sysmsg , (unsignedint )r )));
622649}
623650
624- typedef SECURITY_STATUS
625- (WINAPI * QUERY_SECURITY_CONTEXT_TOKEN_FN ) (
626- PCtxtHandle ,void * * );
627-
628651static int
629652pg_SSPI_recvauth (Port * port )
630653{
@@ -651,6 +674,18 @@ pg_SSPI_recvauth(Port *port)
651674HMODULE secur32 ;
652675QUERY_SECURITY_CONTEXT_TOKEN_FN _QuerySecurityContextToken ;
653676
677+ /*
678+ * SSPI auth is not supported for protocol versions before 3, because it
679+ * relies on the overall message length word to determine the SSPI payload
680+ * size in AuthenticationGSSContinue and PasswordMessage messages.
681+ * (This is, in fact, a design error in our SSPI support, because protocol
682+ * messages are supposed to be parsable without relying on the length
683+ * word; but it's not worth changing it now.)
684+ */
685+ if (PG_PROTOCOL_MAJOR (FrontendProtocol )< 3 )
686+ ereport (FATAL ,
687+ (errcode (ERRCODE_FEATURE_NOT_SUPPORTED ),
688+ errmsg ("SSPI is not supported in protocol version 2" )));
654689
655690/*
656691 * Acquire a handle to the server credentials.
@@ -878,7 +913,9 @@ pg_SSPI_recvauth(Port *port)
878913
879914return STATUS_OK ;
880915}
916+
881917#else /* no ENABLE_SSPI */
918+
882919static int
883920pg_SSPI_recvauth (Port * port )
884921{
@@ -887,6 +924,7 @@ pg_SSPI_recvauth(Port *port)
887924errmsg ("SSPI not implemented on this server" )));
888925return STATUS_ERROR ;
889926}
927+
890928#endif /* ENABLE_SSPI */
891929
892930