
Commit e1c8743

committed
GSSAPI error message improvements
Make the error messages around GSSAPI encryption a bit clearer. Tweak some messages to avoid plural problems. Also make a code change for clarity. Using "conf" for "confidential" is quite confusing. Using "conf_state" is perhaps not much better but that's what the GSSAPI documentation uses, so there is at least some hope of understanding it.
1 parent 70377cf commit e1c8743

2 files changed

+39
-31
lines changed

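--- a/src/backend/libpq/be-secure-gssapi.c
+++ b/src/backend/libpq/be-secure-gssapi.c
@@ -99,7 +99,7 @@ be_gssapi_write(Port *port, void *ptr, size_t len)
 minor;
 gss_buffer_desc input,
 output;
-int conf = 0;
+int conf_state = 0;
 uint32 netlen;
 pg_gssinfo *gss = port->gss;
 
@@ -172,18 +172,19 @@ be_gssapi_write(Port *port, void *ptr, size_t len)
 
 /* Create the next encrypted packet */
 major = gss_wrap(&minor, gss->ctx, 1, GSS_C_QOP_DEFAULT,
-&input, &conf, &output);
+&input, &conf_state, &output);
 if (major != GSS_S_COMPLETE)
 pg_GSS_error(FATAL, gettext_noop("GSSAPI wrap error"), major, minor);
 
-if (conf == 0)
+if (conf_state == 0)
 ereport(FATAL,
-(errmsg("GSSAPI did not provide confidentiality")));
+(errmsg("outgoing GSSAPI message would not use confidentiality")));
 
 if (output.length > PQ_GSS_SEND_BUFFER_SIZE - sizeof(uint32))
 ereport(FATAL,
-(errmsg("server tried to send oversize GSSAPI packet: %zu bytes",
-(size_t) output.length)));
+(errmsg("server tried to send oversize GSSAPI packet (%zu > %zu)",
+(size_t) output.length,
+PQ_GSS_SEND_BUFFER_SIZE - sizeof(uint32))));
 
 bytes_encrypted += input.length;
 bytes_to_encrypt -= input.length;
@@ -216,7 +217,7 @@ be_gssapi_read(Port *port, void *ptr, size_t len)
 ssize_t ret;
 size_t bytes_to_return = len;
 size_t bytes_returned = 0;
-int conf = 0;
+int conf_state = 0;
 pg_gssinfo *gss = port->gss;
 
 /*
@@ -299,8 +300,9 @@ be_gssapi_read(Port *port, void *ptr, size_t len)
 /* Check for over-length packet */
 if (input.length > PQ_GSS_RECV_BUFFER_SIZE - sizeof(uint32))
 ereport(FATAL,
-(errmsg("oversize GSSAPI packet sent by the client: %zu bytes",
-(size_t) input.length)));
+(errmsg("oversize GSSAPI packet sent by the client (%zu > %zu)",
+(size_t) input.length,
+PQ_GSS_RECV_BUFFER_SIZE - sizeof(uint32))));
 
 /*
 * Read as much of the packet as we are able to on this call into
@@ -338,14 +340,14 @@ be_gssapi_read(Port *port, void *ptr, size_t len)
 output.length = 0;
 input.value = PqGSSRecvBuffer + sizeof(uint32);
 
-major = gss_unwrap(&minor, gss->ctx, &input, &output, &conf, NULL);
+major = gss_unwrap(&minor, gss->ctx, &input, &output, &conf_state, NULL);
 if (major != GSS_S_COMPLETE)
 pg_GSS_error(FATAL, gettext_noop("GSSAPI unwrap error"),
 major, minor);
 
-if (conf == 0)
+if (conf_state == 0)
 ereport(FATAL,
-(errmsg("GSSAPI did not provide confidentiality")));
+(errmsg("incoming GSSAPI message did not use confidentiality")));
 
 memcpy(PqGSSResultBuffer, output.value, output.length);
 
@@ -497,8 +499,9 @@ secure_open_gssapi(Port *port)
 */
 if (input.length > PQ_GSS_RECV_BUFFER_SIZE)
 ereport(FATAL,
-(errmsg("oversize GSSAPI packet sent by the client: %zu bytes",
-(size_t) input.length)));
+(errmsg("oversize GSSAPI packet sent by the client (%zu > %d)",
+(size_t) input.length,
+PQ_GSS_RECV_BUFFER_SIZE)));
 
 /*
 * Get the rest of the packet so we can pass it to GSSAPI to accept
@@ -518,7 +521,7 @@ secure_open_gssapi(Port *port)
 NULL, NULL);
 if (GSS_ERROR(major))
 {
-pg_GSS_error(ERROR, gettext_noop("GSSAPI context error"),
+pg_GSS_error(ERROR, gettext_noop("could not accept GSSAPI security context"),
 major, minor);
 gss_release_buffer(&minor, &output);
 return -1;
@@ -545,8 +548,9 @@ secure_open_gssapi(Port *port)
 
 if (output.length > PQ_GSS_SEND_BUFFER_SIZE - sizeof(uint32))
 ereport(FATAL,
-(errmsg("server tried to send oversize GSSAPI packet: %zu bytes",
-(size_t) output.length)));
+(errmsg("server tried to send oversize GSSAPI packet (%zu > %zu)",
+(size_t) output.length,
+PQ_GSS_SEND_BUFFER_SIZE - sizeof(uint32))));
 
 memcpy(PqGSSSendBuffer, (char *) &netlen, sizeof(uint32));
 PqGSSSendPointer += sizeof(uint32);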
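Review bot: The handshake-path message in secure_open_gssapi formats `PQ_GSS_RECV_BUFFER_SIZE` with `%d`, while every other new size message in this file passes a `size_t` expression to `%zu`; that is only correct if the macro expands to an `int`, and its definition is not on this page. Casting the limit, `(size_t) PQ_GSS_RECV_BUFFER_SIZE`, and using `(%zu > %zu)` would remove the dependency on the macro's type and give the same translatable string as the be_gssapi_read message instead of a second near-identical one. The same check also compares against the full buffer size rather than `PQ_GSS_RECV_BUFFER_SIZE - sizeof(uint32)` as be_gssapi_read does. The rest of secure_open_gssapi is outside the hunk, so presumably the length word is not stored alongside this packet, but a one-line comment saying so next to the bound would help the next reader of a length check on peer-supplied input.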

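--- a/src/interfaces/libpq/fe-secure-gssapi.c
+++ b/src/interfaces/libpq/fe-secure-gssapi.c
@@ -87,7 +87,7 @@ pg_GSS_write(PGconn *conn, const void *ptr, size_t len)
 */
 while (bytes_to_encrypt || PqGSSSendPointer)
 {
-int conf = 0;
+int conf_state = 0;
 uint32 netlen;
 
 /*
@@ -154,24 +154,25 @@ pg_GSS_write(PGconn *conn, const void *ptr, size_t len)
 
 /* Create the next encrypted packet */
 major = gss_wrap(&minor, conn->gctx, 1, GSS_C_QOP_DEFAULT,
-&input, &conf, &output);
+&input, &conf_state, &output);
 if (major != GSS_S_COMPLETE)
 {
 pg_GSS_error(libpq_gettext("GSSAPI wrap error"), conn, major, minor);
 goto cleanup;
 }
-else if (conf == 0)
+else if (conf_state == 0)
 {
 printfPQExpBuffer(&conn->errorMessage,
-libpq_gettext("GSSAPI did not provide confidentiality\n"));
+libpq_gettext("outgoing GSSAPI message would not use confidentiality\n"));
 goto cleanup;
 }
 
 if (output.length > PQ_GSS_SEND_BUFFER_SIZE - sizeof(uint32))
 {
 printfPQExpBuffer(&conn->errorMessage,
-libpq_gettext("client tried to send oversize GSSAPI packet: %zu bytes\n"),
-(size_t) output.length);
+libpq_gettext("client tried to send oversize GSSAPI packet (%zu > %zu)\n"),
+(size_t) output.length,
+PQ_GSS_SEND_BUFFER_SIZE - sizeof(uint32));
 goto cleanup;
 }
 
@@ -229,7 +230,7 @@ pg_GSS_read(PGconn *conn, void *ptr, size_t len)
 */
 while (bytes_to_return)
 {
-int conf = 0;
+int conf_state = 0;
 
 /* Check if we have data in our buffer that we can return immediately */
 if (PqGSSResultPointer < PqGSSResultLength)
@@ -287,7 +288,9 @@ pg_GSS_read(PGconn *conn, void *ptr, size_t len)
 if (input.length > PQ_GSS_RECV_BUFFER_SIZE - sizeof(uint32))
 {
 printfPQExpBuffer(&conn->errorMessage,
-libpq_gettext("GSSAPI did not provide confidentiality\n"));
+libpq_gettext("oversize GSSAPI packet sent by the server (%zu > %zu)\n"),
+(size_t) input.length,
+PQ_GSS_RECV_BUFFER_SIZE - sizeof(uint32));
 ret = -1;
 goto cleanup;
 }
@@ -318,18 +321,18 @@ pg_GSS_read(PGconn *conn, void *ptr, size_t len)
 output.length = 0;
 input.value = PqGSSRecvBuffer + sizeof(uint32);
 
-major = gss_unwrap(&minor, conn->gctx, &input, &output, &conf, NULL);
+major = gss_unwrap(&minor, conn->gctx, &input, &output, &conf_state, NULL);
 if (major != GSS_S_COMPLETE)
 {
 pg_GSS_error(libpq_gettext("GSSAPI unwrap error"), conn,
 major, minor);
 ret = -1;
 goto cleanup;
 }
-else if (conf == 0)
+else if (conf_state == 0)
 {
 printfPQExpBuffer(&conn->errorMessage,
-libpq_gettext("GSSAPI did not provide confidentiality\n"));
+libpq_gettext("incoming GSSAPI message did not use confidentiality\n"));
 ret = -1;
 goto cleanup;
 }
@@ -491,8 +494,9 @@ pqsecure_open_gss(PGconn *conn)
 if (input.length > PQ_GSS_RECV_BUFFER_SIZE - sizeof(uint32))
 {
 printfPQExpBuffer(&conn->errorMessage,
-libpq_gettext("oversize GSSAPI packet sent by the server: %zu bytes\n"),
-(size_t) input.length);
+libpq_gettext("oversize GSSAPI packet sent by the server (%zu > %zu)\n"),
+(size_t) input.length,
+PQ_GSS_RECV_BUFFER_SIZE - sizeof(uint32));
 return PGRES_POLLING_FAILED;
 }
 
@@ -536,7 +540,7 @@ pqsecure_open_gss(PGconn *conn)
 
 if (GSS_ERROR(major))
 {
-pg_GSS_error(libpq_gettext("GSSAPI context establishment error"),
+pg_GSS_error(libpq_gettext("could not initiate GSSAPI security context"),
 conn, major, minor);
 return PGRES_POLLING_FAILED;
 }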
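Review bot: `conf_state` is declared and tested in pg_GSS_write and pg_GSS_read without any comment, and the commit description itself concedes the new name is not much clearer than `conf`. The `conf_state == 0` branches are what stop libpq from sending or accepting a message that was only integrity-protected, so I would add a comment at each check, for example `/* conf_state is set by gss_wrap(); zero means the message was not encrypted, so refuse to send it */`, with matching wording for gss_unwrap(). The same applies to the two checks in be-secure-gssapi.c. Both function bodies start and end outside the hunks shown.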
