|
8 | 8 | *
|
9 | 9 | *
|
10 | 10 | * IDENTIFICATION
|
11 |
| - * $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.184 2009/08/29 19:26:51 tgl Exp $ |
| 11 | + * $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.185 2009/10/14 07:27:13 heikki Exp $ |
12 | 12 | *
|
13 | 13 | *-------------------------------------------------------------------------
|
14 | 14 | */
|
@@ -183,6 +183,21 @@ static int pg_SSPI_recvauth(Port *port);
|
183 | 183 | #endif
|
184 | 184 |
|
185 | 185 |
|
| 186 | +/* |
| 187 | + * Maximum size of GSS and SSPI authentication tokens. |
| 188 | + * |
| 189 | + * Kerberos tickets are usually quite small, but the TGTs issued by Windows |
| 190 | + * domain controllers include an authorization field known as the Privilege |
| 191 | + * Attribute Certificate (PAC), which contains the user's Windows permissions |
| 192 | + * (group memberships etc.). The PAC is copied into all tickets obtained on |
| 193 | + * the basis of this TGT (even those issued by Unix realms which the Windows |
| 194 | + * realm trusts), and can be several kB in size. The maximum token size |
| 195 | + * accepted by Windows systems is determined by the MaxAuthToken Windows |
| 196 | + * registry setting. Microsoft recommends that it is not set higher than |
| 197 | + * 65535 bytes, so that seems like a reasonable limit for us as well. |
| 198 | + */ |
| 199 | +#define MAX_AUTH_TOKEN_LENGTH 65535 |
| 200 | + |
186 | 201 |
|
187 | 202 | /*----------------------------------------------------------------
|
188 | 203 | * Global authentication functions
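Review bot: The comment above `MAX_AUTH_TOKEN_LENGTH` calls the Windows registry setting MaxAuthToken, but the Kerberos value Microsoft documents for this limit is `MaxTokenSize`. Using that name lets a reader look up where the 65535 recommendation comes from. The comment could also say that both `pq_getmessage` calls, in pg_GSS_recvauth and pg_SSPI_recvauth, apply this bound to a token message that presumably arrives before the client is authenticated. That makes the constant the per-message buffer ceiling for an unauthenticated peer, up from 2000 bytes. A possible closing line for the comment is `* This also bounds what a not-yet-authenticated client can make us buffer per message.`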
|
@@ -948,7 +963,7 @@ pg_GSS_recvauth(Port *port)
|
948 | 963 |
|
949 | 964 | /* Get the actual GSS token */
|
950 | 965 | initStringInfo(&buf);
|
951 |
| - if (pq_getmessage(&buf, 2000)) |
| 966 | + if (pq_getmessage(&buf, MAX_AUTH_TOKEN_LENGTH)) |
952 | 967 | {
|
953 | 968 | /* EOF - pq_getmessage already logged error */
|
954 | 969 | pfree(buf.data);
|
@@ -1186,7 +1201,7 @@ pg_SSPI_recvauth(Port *port)
|
1186 | 1201 |
|
1187 | 1202 | /* Get the actual SSPI token */
|
1188 | 1203 | initStringInfo(&buf);
|
1189 |
| - if (pq_getmessage(&buf, 2000)) |
| 1204 | + if (pq_getmessage(&buf, MAX_AUTH_TOKEN_LENGTH)) |
1190 | 1205 | {
|
1191 | 1206 | /* EOF - pq_getmessage already logged error */
|
1192 | 1207 | pfree(buf.data);
|
|