We realized years ago that it's better for libpq to accept all
connection parameters syntactically, even if some are ignored or
restricted due to lack of the feature in a particular build.
However, that lesson from the SSL support was for some reason never
applied to the GSSAPI support. This is causing various buildfarm
members to have problems with a test case added by commit
6136e94dc,
and it's just a bad idea from a user-experience standpoint anyway,
so fix it.
While at it, fix some places where parameter-related infrastructure
was added with the aid of a dartboard, or perhaps with the aid of
the anti-pattern "add new stuff at the end". It should be safe
to rearrange the contents of struct pg_conn even in released
branches, since that's private to libpq (and we'd have to move
some fields in some builds to fix this, anyway).
Back-patch to all supported branches.
Discussion: https://postgr.es/m/11297.
1576868677@sss.pgh.pa.us
-- ===================================================================
-- tests for validator
-- ===================================================================
--- requiressl, krbsrvname and gsslib are omitted because they depend on
--- configure options
+-- requiressl and some other parameters are omitted because
+-- valid values for them depend on configure options
ALTER SERVER testserver1 OPTIONS (
use_remote_estimate 'false',
updatable 'true',
sslcert 'value',
sslkey 'value',
sslrootcert 'value',
- sslcrl 'value'
+ sslcrl 'value',
--requirepeer 'value',
- -- krbsrvname 'value',
- -- gsslib 'value',
+ krbsrvname 'value',
+ gsslib 'value'
--replication 'value'
);
-- Error, invalid list syntax
-- ===================================================================
-- tests for validator
-- ===================================================================
--- requiressl, krbsrvname and gsslib are omitted because they depend on
--- configure options
+-- requiressl and some other parameters are omitted because
+-- valid values for them depend on configure options
ALTER SERVER testserver1 OPTIONS (
use_remote_estimate 'false',
updatable 'true',
sslcert 'value',
sslkey 'value',
sslrootcert 'value',
- sslcrl 'value'
+ sslcrl 'value',
--requirepeer 'value',
- -- krbsrvname 'value',
- -- gsslib 'value',
+ krbsrvname 'value',
+ gsslib 'value'
--replication 'value'
);
<term><literal>gsslib</literal></term>
<listitem>
<para>
- GSS library to use for GSSAPI authentication. Only used on Windows.
- Set to <literal>gssapi</literal> to force libpq to use the GSSAPI
+ GSS library to use for GSSAPI authentication.
+ Currently this is disregarded except on Windows builds that include
+ both GSSAPI and SSPI support. In that case, set
+ this to <literal>gssapi</literal> to cause libpq to use the GSSAPI
library for authentication instead of the default SSPI.
</para>
</listitem>
offsetof(struct pg_conn, requirepeer)},
/*
- * Expose gssencmode similarly to sslmode - we can still handle "disable"
- * and "prefer".
+ * As with SSL, all GSS options are exposed even in builds that don't have
+ * support.
*/
{"gssencmode", "PGGSSENCMODE", DefaultGSSMode, NULL,
"GSSENC-Mode", "", 7, /* sizeof("disable") == 7 */
offsetof(struct pg_conn, gssencmode)},
-#if defined(ENABLE_GSS) || defined(ENABLE_SSPI)
/* Kerberos and GSSAPI authentication support specifying the service name */
{"krbsrvname", "PGKRBSRVNAME", PG_KRB_SRVNAM, NULL,
"Kerberos-service-name", "", 20,
offsetof(struct pg_conn, krbsrvname)},
-#endif
-
-#if defined(ENABLE_GSS) && defined(ENABLE_SSPI)
- /*
- * GSSAPI and SSPI both enabled, give a way to override which is used by
- * default
- */
{"gsslib", "PGGSSLIB", NULL, NULL,
"GSS-library", "", 7, /* sizeof("gssapi") = 7 */
offsetof(struct pg_conn, gsslib)},
-#endif
{"replication", NULL, NULL, NULL,
"Replication", "D", 5,
free(conn->sslcompression);
if (conn->requirepeer)
free(conn->requirepeer);
- if (conn->connip)
- free(conn->connip);
if (conn->gssencmode)
free(conn->gssencmode);
-#if defined(ENABLE_GSS) || defined(ENABLE_SSPI)
if (conn->krbsrvname)
free(conn->krbsrvname);
-#endif
+ if (conn->gsslib)
+ free(conn->gsslib);
+ if (conn->connip)
+ free(conn->connip);
#ifdef ENABLE_GSS
if (conn->gcred != GSS_C_NO_CREDENTIAL)
{
gss_delete_sec_context(&minor, &conn->gctx, GSS_C_NO_BUFFER);
conn->gctx = NULL;
}
-#endif
-#if defined(ENABLE_GSS) && defined(ENABLE_SSPI)
- if (conn->gsslib)
- free(conn->gsslib);
#endif
/* Note that conn->Pfdebug is not ours to close or free */
if (conn->last_query)
char *sslrootcert; /* root certificate filename */
char *sslcrl; /* certificate revocation list filename */
char *requirepeer; /* required peer credentials for local sockets */
-
-#if defined(ENABLE_GSS) || defined(ENABLE_SSPI)
+ char *gssencmode; /* GSS mode (require,prefer,disable) */
char *krbsrvname; /* Kerberos service name */
-#endif
+ char *gsslib; /* What GSS library to use ("gssapi" or
+ * "sspi") */
/* Type of connection to make. Possible values: any, read-write. */
char *target_session_attrs;
#endif /* USE_OPENSSL */
#endif /* USE_SSL */
- char *gssencmode; /* GSS mode (require,prefer,disable) */
#ifdef ENABLE_GSS
gss_ctx_id_t gctx; /* GSS context */
gss_name_t gtarg_nam; /* GSS target name */
#endif
#ifdef ENABLE_SSPI
-#ifdef ENABLE_GSS
- char *gsslib; /* What GSS library to use ("gssapi" or
- * "sspi") */
-#endif
CredHandle *sspicred; /* SSPI credentials handle */
CtxtHandle *sspictx; /* SSPI context */
char *sspitarget; /* SSPI target name */
projects / thirdparty / postgresql.git / commitdiff
