diff options
Diffstat (limited to 'src/backend/libpq/hba.c')
| -rw-r--r-- | src/backend/libpq/hba.c | 51 |
1 files changed, 48 insertions, 3 deletions
diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c index ce9bca868cc..37d5ad44a54 100644 --- a/src/backend/libpq/hba.c +++ b/src/backend/libpq/hba.c @@ -994,7 +994,9 @@ parse_hba_line(TokenizedLine *tok_line, int elevel) } else if (strcmp(token->string, "host") == 0 || strcmp(token->string, "hostssl") == 0 || - strcmp(token->string, "hostnossl") == 0) + strcmp(token->string, "hostnossl") == 0 || + strcmp(token->string, "hostgssenc") == 0 || + strcmp(token->string, "hostnogssenc") == 0) { if (token->string[4] == 's') /* "hostssl" */ @@ -1022,10 +1024,23 @@ parse_hba_line(TokenizedLine *tok_line, int elevel) *err_msg = "hostssl record cannot match because SSL is not supported by this build"; #endif } - else if (token->string[4] == 'n') /* "hostnossl" */ + else if (token->string[4] == 'g') /* "hostgssenc" */ { - parsedline->conntype = ctHostNoSSL; + parsedline->conntype = ctHostGSS; +#ifndef ENABLE_GSS + ereport(elevel, + (errcode(ERRCODE_CONFIG_FILE_ERROR), + errmsg("hostgssenc record cannot match because GSSAPI is not supported by this build"), + errhint("Compile with --with-gssapi to use GSSAPI connections."), + errcontext("line %d of configuration file \"%s\"", + line_num, HbaFileName))); + *err_msg = "hostgssenc record cannot match because GSSAPI is not supported by this build"; +#endif } + else if (token->string[4] == 'n' && token->string[6] == 's') + parsedline->conntype = ctHostNoSSL; + else if (token->string[4] == 'n' && token->string[6] == 'g') + parsedline->conntype = ctHostNoGSS; else { /* "host" */ @@ -1404,6 +1419,19 @@ parse_hba_line(TokenizedLine *tok_line, int elevel) *err_msg = "gssapi authentication is not supported on local sockets"; return NULL; } + if (parsedline->conntype == ctHostGSS && + parsedline->auth_method != uaGSS && + parsedline->auth_method != uaReject && + parsedline->auth_method != uaTrust) + { + ereport(elevel, + (errcode(ERRCODE_CONFIG_FILE_ERROR), + errmsg("GSSAPI encryption only supports gss, trust, or reject authentication"), + errcontext("line %d of configuration file \"%s\"", + line_num, HbaFileName))); + *err_msg = "GSSAPI encryption only supports gss, trust, or reject authenticaion"; + return NULL; + } if (parsedline->conntype != ctLocal && parsedline->auth_method == uaPeer) @@ -2078,6 +2106,17 @@ check_hba(hbaPort *port) continue; } + /* Check GSSAPI state */ +#ifdef ENABLE_GSS + if (port->gss->enc && hba->conntype == ctHostNoGSS) + continue; + else if (!port->gss->enc && hba->conntype == ctHostGSS) + continue; +#else + if (hba->conntype == ctHostGSS) + continue; +#endif + /* Check IP address */ switch (hba->ip_cmp_method) { @@ -2414,6 +2453,12 @@ fill_hba_line(Tuplestorestate *tuple_store, TupleDesc tupdesc, case ctHostNoSSL: typestr = "hostnossl"; break; + case ctHostGSS: + typestr = "hostgssenc"; + break; + case ctHostNoGSS: + typestr = "hostnogssenc"; + break; } if (typestr) values[index++] = CStringGetTextDatum(typestr); |