authorMichael Paquier <michael@paquier.xyz>2023-03-13 16:36:28 +0900
committerMichael Paquier <michael@paquier.xyz>2023-03-13 16:36:28 +0900
commit4493256c5c0b0dace8cec76d5c3962f50ea28144 (patch)
tree4d19a8efd91285031c33e69df340774e14d9cd1c
parent9e236f94367639308cff62a33bc1ed815cf0f50c (diff)
Fix inconsistent error handling for GSS encryption in PQconnectPoll()
The error cases for TLS and GSS encryption were inconsistent. After TLS fails, the connection is marked as dead and follow-up calls of PQconnectPoll() would return immediately, but GSS encryption was not doing that, so the connection would still have been allowed to enter the GSS handling code. This was handled incorrectly when gssencmode was set to "require". "prefer" was working correctly, and this could not happen under "disable" as GSS encryption would not be attempted. This commit makes the error handling of GSS encryption on par with the TLS portion, fixing the case of gssencmode=require. Reported-by: Jacob Champion Author: Michael Paquier Reviewed-by: Jacob Champion, Stephen Frost Discussion: https://postgr.es/m/23787477-5fe1-a161-6d2a-e459f74c4713@timescale.com Backpatch-through: 12
-rw-r--r--src/interfaces/libpq/fe-connect.c23
1 files changed, 14 insertions, 9 deletions
diff --git a/src/interfaces/libpq/fe-connect.c b/src/interfaces/libpq/fe-connect.c
index 6e936bbff30..a80901349b2 100644
--- a/src/interfaces/libpq/fe-connect.c
+++ b/src/interfaces/libpq/fe-connect.c
@@ -3231,17 +3231,22 @@ keep_going: /* We will come back to here until there is
conn->status = CONNECTION_MADE;
return PGRES_POLLING_WRITING;
}
- else if (pollres == PGRES_POLLING_FAILED &&
- conn->gssencmode[0] == 'p')
+ else if (pollres == PGRES_POLLING_FAILED)
{
- /*
- * We failed, but we can retry on "prefer". Have to drop
- * the current connection to do so, though.
- */
- conn->try_gss = false;
- need_new_connection = true;
- goto keep_going;
+ if (conn->gssencmode[0] == 'p')
+ {
+ /*
+ * We failed, but we can retry on "prefer". Have to
+ * drop the current connection to do so, though.
+ */
+ conn->try_gss = false;
+ need_new_connection = true;
+ goto keep_going;
+ }
+ /* Else it's a hard failure */
+ goto error_return;
}
+ /* Else, return POLLING_READING or POLLING_WRITING status */
return pollres;
#else /* !ENABLE_GSS */
/* unreachable */
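Review bot: The new `/* Else it's a hard failure */` comment before `goto error_return;` does not say which mode reaches it or why no retry is attempted, and that is the security-relevant part of this branch. Only gssencmode values that do not start with 'p' get here, which per the commit message means "require", where retrying without GSS would silently downgrade the encryption the caller asked for. I would spell that out, e.g. `/* gssencmode=require: never fall back to a non-GSS connection, fail hard */`. Whether `conn->errorMessage` is already populated on this path is not visible in the hunk; presumably the GSS setup call that produced `pollres` reports it, which is worth confirming so that the caller does not get a dead connection with an empty error. The enclosing PQconnectPoll() body starts and ends outside the hunk.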