
Commit e0e7dae

committed
Lots of patches coming in from me today :-)
When drawing up a very simple "text-drawing" of how the negotiation is done, I realised I had done this last part (fallback) in a very stupid way. Patch #4 fixes this, and does it in a much better way. Included is also the simple text-drawing of how the negotiation is done. //Magnus
1 parent 3114f92 commit e0e7dae


12 files changed

+390
-78
lines changed


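--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -7,7 +7,7 @@
 *
 *
 * IDENTIFICATION
-* $Header: /cvsroot/pgsql/src/backend/libpq/auth.c,v 1.40 1999/07/17 20:17:00 momjian Exp $
+* $Header: /cvsroot/pgsql/src/backend/libpq/auth.c,v 1.41 1999/09/27 03:12:58 momjian Exp $
 *
 *-------------------------------------------------------------------------
 */
@@ -452,8 +452,7 @@ be_recvauth(Port *port)
 * an error message into the postmaster logfile if it failed.
 */
 
-if (hba_getauthmethod(&port->raddr, port->user, port->database,
-port->auth_arg, &port->auth_method) != STATUS_OK)
+if (hba_getauthmethod(port) != STATUS_OK)
 PacketSendError(&port->pktInfo,
 "Missing or erroneous pg_hba.conf file, see postmaster log for details");
 
@@ -470,7 +469,6 @@ be_recvauth(Port *port)
 
 AuthRequest areq = AUTH_REQ_OK;
 PacketDoneProc auth_handler = NULL;
-
 switch (port->auth_method)
 {
 case uaReject: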

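--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@@ -5,7 +5,7 @@
 * wherein you authenticate a user by seeing what IP address the system
 * says he comes from and possibly using ident).
 *
-* $Id: hba.c,v 1.47 1999/07/17 20:17:02 momjian Exp $
+* $Id: hba.c,v 1.48 1999/09/27 03:12:59 momjian Exp $
 *
 *-------------------------------------------------------------------------
 */
@@ -146,9 +146,7 @@ read_hba_entry2(FILE *file, UserAuth *userauth_p, char *auth_arg,
 
 
 static void
-process_hba_record(FILE *file, SockAddr *raddr, const char *user,
-const char *database, bool *matches_p, bool *error_p,
-UserAuth *userauth_p, char *auth_arg)
+process_hba_record(FILE *file, hbaPort *port, bool *matches_p, bool *error_p)
 {
 /*---------------------------------------------------------------------------
 Process the non-comment record in the config file that is next on the file.
@@ -182,16 +180,16 @@ process_hba_record(FILE *file, SockAddr *raddr, const char *user,
 
 /* Read the rest of the line. */
 
-read_hba_entry2(file, userauth_p, auth_arg, error_p);
+read_hba_entry2(file, &port->auth_method, port->auth_arg, error_p);
 
 /*
 * For now, disallow methods that need AF_INET sockets to work.
 */
 
 if (!*error_p &&
-(*userauth_p == uaIdent ||
-*userauth_p == uaKrb4 ||
-*userauth_p == uaKrb5))
+(port->auth_method == uaIdent ||
+port->auth_method == uaKrb4 ||
+port->auth_method == uaKrb5))
 *error_p = true;
 
 if (*error_p)
@@ -202,15 +200,33 @@ process_hba_record(FILE *file, SockAddr *raddr, const char *user,
 * sort of connection, ignore it.
 */
 
-if ((strcmp(db, database) != 0 && strcmp(db, "all") != 0 &&
-(strcmp(db, "sameuser") != 0 || strcmp(database, user) != 0)) ||
-raddr->sa.sa_family != AF_UNIX)
+if ((strcmp(db, port->database) != 0 && strcmp(db, "all") != 0 &&
+(strcmp(db, "sameuser") != 0 || strcmp(port->database, port->user) != 0)) ||
+port->raddr.sa.sa_family != AF_UNIX)
 return;
 }
-else if (strcmp(buf, "host") == 0)
+else if (strcmp(buf, "host") == 0 || strcmp(buf, "hostssl") == 0)
 {
 struct in_addr file_ip_addr,
 mask;
+bool discard = 0; /* Discard this entry */
+
+#ifdef USE_SSL
+/* If SSL, then check that we are on SSL */
+if (strcmp(buf, "hostssl") == 0) {
+if (!port->ssl)
+discard = 1;
+
+/* Placeholder to require specific SSL level, perhaps? */
+/* Or a client certificate */
+
+/* Since we were on SSL, proceed as with normal 'host' mode */
+}
+#else
+/* If not SSL, we don't support this */
+if (strcmp(buf,"hostssl") == 0)
+goto syntax;
+#endif
 
 /* Get the database. */
 
@@ -252,20 +268,27 @@ process_hba_record(FILE *file, SockAddr *raddr, const char *user,
 * info from it.
 */
 
-read_hba_entry2(file, userauth_p, auth_arg, error_p);
+read_hba_entry2(file, &port->auth_method, port->auth_arg, error_p);
 
 if (*error_p)
 goto syntax;
 
+/*
+* If told to discard earlier. Moved down here so we don't get
+* "out of sync" with the file.
+*/
+if (discard)
+return;
+
 /*
 * If this record isn't for our database, or this is the wrong
 * sort of connection, ignore it.
 */
 
-if ((strcmp(db, database) != 0 && strcmp(db, "all") != 0 &&
-(strcmp(db, "sameuser") != 0 || strcmp(database, user) != 0)) ||
-raddr->sa.sa_family != AF_INET ||
-((file_ip_addr.s_addr ^ raddr->in.sin_addr.s_addr) & mask.s_addr) != 0x0000)
+if ((strcmp(db, port->database) != 0 && strcmp(db, "all") != 0 &&
+(strcmp(db, "sameuser") != 0 || strcmp(port->database, port->user) != 0)) ||
+port->raddr.sa.sa_family != AF_INET ||
+((file_ip_addr.s_addr ^ port->raddr.in.sin_addr.s_addr) & mask.s_addr) != 0x0000)
 return;
 }
 else
@@ -291,9 +314,7 @@ process_hba_record(FILE *file, SockAddr *raddr, const char *user,
 
 
 static void
-process_open_config_file(FILE *file, SockAddr *raddr, const char *user,
-const char *database, bool *hba_ok_p,
-UserAuth *userauth_p, char *auth_arg)
+process_open_config_file(FILE *file, hbaPort *port, bool *hba_ok_p)
 {
 /*---------------------------------------------------------------------------
 This function does the same thing as find_hba_entry, only with
@@ -316,8 +337,7 @@ process_open_config_file(FILE *file, SockAddr *raddr, const char *user,
 if (c == '#')
 read_through_eol(file);
 else
-process_hba_record(file, raddr, user, database,
-&found_entry, &error, userauth_p, auth_arg);
+process_hba_record(file, port, &found_entry, &error);
 }
 }
 
@@ -326,7 +346,7 @@ process_open_config_file(FILE *file, SockAddr *raddr, const char *user,
 /* If no matching entry was found, synthesize 'reject' entry. */
 
 if (!found_entry)
-*userauth_p = uaReject;
+port->auth_method = uaReject;
 
 *hba_ok_p = true;
 }
@@ -335,8 +355,7 @@ process_open_config_file(FILE *file, SockAddr *raddr, const char *user,
 
 
 static void
-find_hba_entry(SockAddr *raddr, const char *user, const char *database,
-bool *hba_ok_p, UserAuth *userauth_p, char *auth_arg)
+find_hba_entry(hbaPort *port, bool *hba_ok_p)
 {
 /*
 * Read the config file and find an entry that allows connection from
@@ -412,8 +431,7 @@ find_hba_entry(SockAddr *raddr, const char *user, const char *database,
 }
 else
 {
-process_open_config_file(file, raddr, user, database, hba_ok_p,
-userauth_p, auth_arg);
+process_open_config_file(file, port, hba_ok_p);
 FreeFile(file);
 }
 pfree(conf_file);
@@ -1057,8 +1075,7 @@ GetCharSetByHost(char *TableName, int host, const char *DataDir)
 #endif
 
 int
-hba_getauthmethod(SockAddr *raddr, char *user, char *database,
-char *auth_arg, UserAuth *auth_method)
+hba_getauthmethod(hbaPort *port)
 {
 /*---------------------------------------------------------------------------
 Determine what authentication method should be used when accessing database
@@ -1070,7 +1087,7 @@ hba_getauthmethod(SockAddr *raddr, char *user, char *database,
 ----------------------------------------------------------------------------*/
 bool hba_ok = false;
 
-find_hba_entry(raddr, user, database, &hba_ok, auth_method, auth_arg);
+find_hba_entry(port, &hba_ok);
 
 return hba_ok ? STATUS_OK : STATUS_ERROR;
 }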
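Review bot: The new `discard` flag in process_hba_record is declared `bool` but written with integer literals, `bool discard = 0;` and `discard = 1;`, while the surrounding code uses `true`/`false` (`*error_p = true;` a few lines above); `bool discard = false;` and `discard = true;` would match. The `if (strcmp(buf, "hostssl") == 0) {` line also puts the opening brace on the same line, unlike the own-line braces used elsewhere in this function, and `strcmp(buf,"hostssl")` in the `#else` branch lacks the space after the comma. Deferring the discard until after read_hba_entry2 is the right call, since returning early would leave the file position mid-record; the comment on it could state that plainly, e.g. `/* A hostssl record on a non-SSL connection is skipped, but only after its fields have been consumed so the file position stays in sync */`. Whether `port->ssl` is a pointer or a flag is not visible here, so `if (!port->ssl)` is taken to mean "no SSL session established" — confirm against the hbaPort/Port definition.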

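--- a/src/backend/libpq/pg_hba.conf.sample
+++ b/src/backend/libpq/pg_hba.conf.sample
@@ -79,6 +79,18 @@
 #
 # krb5: Kerberos V5 authentication is used.
 
+# Record type "hostssl"
+# ---------------------
+#
+# This record identifies the authentication to use when connecting to a
+# particular database via TCP/IP sockets over SSL. Note that normal
+# "host" records are also matched - "hostssl" records can be used to
+# require a SSL connection.
+# This keyword is only available if the server is compiled with SSL support
+# enabled.
+#
+# The format of this record is identical to that of "host".
+
 # Record type "local"
 # ------------------
 #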

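--- a/src/backend/libpq/pqcomm.c
+++ b/src/backend/libpq/pqcomm.c
@@ -28,7 +28,7 @@
 *
 * Copyright (c) 1994, Regents of the University of California
 *
-* $Id: pqcomm.c,v 1.83 1999/09/08 22:57:12 tgl Exp $
+* $Id: pqcomm.c,v 1.84 1999/09/27 03:12:59 momjian Exp $
 *
 *-------------------------------------------------------------------------
 */
@@ -436,8 +436,16 @@ pq_recvbuf(void)
 /* Can fill buffer from PqRecvLength and upwards */
 for (;;)
 {
-int r = recv(MyProcPort->sock, PqRecvBuffer + PqRecvLength,
-PQ_BUFFER_SIZE - PqRecvLength, 0);
+int r;
+
+#ifdef USE_SSL
+if (MyProcPort->ssl)
+r = SSL_read(MyProcPort->ssl, PqRecvBuffer + PqRecvLength,
+PQ_BUFFER_SIZE - PqRecvLength);
+else
+#endif
+r = recv(MyProcPort->sock, PqRecvBuffer + PqRecvLength,
+PQ_BUFFER_SIZE - PqRecvLength, 0);
 
 if (r < 0)
 {
@@ -604,7 +612,13 @@ pq_flush(void)
 
 while (bufptr < bufend)
 {
-int r = send(MyProcPort->sock, bufptr, bufend - bufptr, 0);
+int r;
+#ifdef USE_SSL
+if (MyProcPort->ssl)
+r = SSL_write(MyProcPort->ssl, bufptr, bufend - bufptr);
+else
+#endif
+r = send(MyProcPort->sock, bufptr, bufend - bufptr, 0);
 
 if (r <= 0)
 {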
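Review bot: The result checks that follow both new `#ifdef USE_SSL` blocks — `if (r < 0)` in pq_recvbuf and `if (r <= 0)` in pq_flush — were written for recv()/send(), whose failure cause is in errno, but SSL_read()/SSL_write() report theirs through SSL_get_error(), so any errno-based retry (EINTR) or logging in those branches, which lie outside the hunk, would not apply to the SSL path; the same pattern appears in the `if (got > 0)` and `if (done > 0)` checks added to PacketReceiveFragment and PacketSendFragment in pqpacket.c. A zero return from SSL_read() can also mean the TLS session was shut down by the peer, which the recv()-era code presumably treats as a plain EOF — worth confirming that is the intended handling. At minimum I would annotate the SSL branch, `/* SSL_read/SSL_write failures are reported via SSL_get_error(), not errno */`, and consider a separate result check for the SSL path before falling into the errno-based handling. pq_recvbuf and pq_flush both continue beyond the end of the hunk.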

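--- a/src/backend/libpq/pqpacket.c
+++ b/src/backend/libpq/pqpacket.c
@@ -8,7 +8,7 @@
 *
 *
 * IDENTIFICATION
-* $Header: /cvsroot/pgsql/src/backend/libpq/Attic/pqpacket.c,v 1.22 1999/07/17 20:17:03 momjian Exp $
+* $Header: /cvsroot/pgsql/src/backend/libpq/Attic/pqpacket.c,v 1.23 1999/09/27 03:12:59 momjian Exp $
 *
 *-------------------------------------------------------------------------
 */
@@ -50,13 +50,20 @@ PacketReceiveSetup(Packet *pkt, PacketDoneProc iodone, void *arg)
 */
 
 int
-PacketReceiveFragment(Packet *pkt, int sock)
+PacketReceiveFragment(Port *port)
 {
 int got;
-
-if ((got = read(sock, pkt->ptr, pkt->nrtodo)) > 0)
+Packet *pkt = &port->pktInfo;
+
+#ifdef USE_SSL
+if (port->ssl)
+got = SSL_read(port->ssl, pkt->ptr, pkt->nrtodo);
+else
+#endif
+got = read(port->sock, pkt->ptr, pkt->nrtodo);
+if (got > 0)
 {
-pkt->nrtodo -= got;
+pkt->nrtodo -= got;
 pkt->ptr += got;
 
 /* See if we have got what we need for the packet length. */
@@ -132,11 +139,19 @@ PacketSendSetup(Packet *pkt, int nbytes, PacketDoneProc iodone, void *arg)
 */
 
 int
-PacketSendFragment(Packet *pkt, int sock)
+PacketSendFragment(Port *port)
 {
 int done;
+Packet *pkt = &port->pktInfo;
+
+#ifdef USE_SSL
+if (port->ssl)
+done = SSL_write(port->ssl, pkt->ptr, pkt->nrtodo);
+else
+#endif
+done = write(port->sock, pkt->ptr, pkt->nrtodo);
 
-if ((done = write(sock, pkt->ptr, pkt->nrtodo)) > 0)
+if (done > 0)
 {
 pkt->nrtodo -= done;
 pkt->ptr += done;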
