mirror of
https://github.com/FirebirdSQL/firebird.git
synced 2025-01-22 18:03:03 +01:00
Merge pull request #8274 from FirebirdSQL/work/win_sspi_reconnect
If client fails to connect using Win_SSPI plugin with Negotiate security package, try again using NTLM security package.
This commit is contained in:
commit
f62f1336e2
@ -67,6 +67,15 @@ namespace
|
|||||||
|
|
||||||
namespace Auth {
|
namespace Auth {
|
||||||
|
|
||||||
|
|
||||||
|
static thread_local bool legacySSP = false;
|
||||||
|
|
||||||
|
void setLegacySSP(bool value)
|
||||||
|
{
|
||||||
|
legacySSP = value;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
HINSTANCE AuthSspi::library = 0;
|
HINSTANCE AuthSspi::library = 0;
|
||||||
|
|
||||||
bool AuthSspi::initEntries()
|
bool AuthSspi::initEntries()
|
||||||
@ -109,7 +118,8 @@ AuthSspi::AuthSspi()
|
|||||||
groupNames(*getDefaultMemoryPool()), sessionKey(*getDefaultMemoryPool())
|
groupNames(*getDefaultMemoryPool()), sessionKey(*getDefaultMemoryPool())
|
||||||
{
|
{
|
||||||
TimeStamp timeOut;
|
TimeStamp timeOut;
|
||||||
hasCredentials = initEntries() && (fAcquireCredentialsHandle(0, NEGOSSP_NAME_A,
|
hasCredentials = initEntries() && (fAcquireCredentialsHandle(0,
|
||||||
|
legacySSP ? NTLMSP_NAME_A : NEGOSSP_NAME_A,
|
||||||
SECPKG_CRED_BOTH, 0, 0, 0, 0,
|
SECPKG_CRED_BOTH, 0, 0, 0, 0,
|
||||||
&secHndl, &timeOut) == SEC_E_OK);
|
&secHndl, &timeOut) == SEC_E_OK);
|
||||||
}
|
}
|
||||||
|
@ -145,6 +145,10 @@ private:
|
|||||||
void registerTrustedClient(Firebird::IPluginManager* iPlugin);
|
void registerTrustedClient(Firebird::IPluginManager* iPlugin);
|
||||||
void registerTrustedServer(Firebird::IPluginManager* iPlugin);
|
void registerTrustedServer(Firebird::IPluginManager* iPlugin);
|
||||||
|
|
||||||
|
// Set per-thread flag that specify which security package should be used by
|
||||||
|
// newly created plugin instances: true - use NTLM, false - use Negotiate.
|
||||||
|
void setLegacySSP(bool value);
|
||||||
|
|
||||||
} // namespace Auth
|
} // namespace Auth
|
||||||
|
|
||||||
#endif // TRUSTED_AUTH
|
#endif // TRUSTED_AUTH
|
||||||
|
@ -7405,91 +7405,123 @@ static rem_port* analyze(ClntAuthBlock& cBlock, PathName& attach_name, unsigned
|
|||||||
|
|
||||||
cBlock.loadClnt(pb, &parSet);
|
cBlock.loadClnt(pb, &parSet);
|
||||||
pb.deleteWithTag(parSet.auth_block);
|
pb.deleteWithTag(parSet.auth_block);
|
||||||
authenticateStep0(cBlock);
|
|
||||||
|
|
||||||
bool needFile = !(flags & ANALYZE_EMP_NAME);
|
bool needFile = !(flags & ANALYZE_EMP_NAME);
|
||||||
|
const PathName save_attach_name(attach_name);
|
||||||
|
|
||||||
#ifdef WIN_NT
|
#ifdef TRUSTED_AUTH
|
||||||
if (ISC_analyze_protocol(PROTOCOL_XNET, attach_name, node_name, NULL, needFile))
|
bool legacySSP = false;
|
||||||
port = XNET_analyze(&cBlock, attach_name, flags & ANALYZE_USER_VFY, cBlock.getConfig(), ref_db_name);
|
Auth::setLegacySSP(legacySSP);
|
||||||
else
|
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
if (ISC_analyze_protocol(PROTOCOL_INET4, attach_name, node_name, INET_SEPARATOR, needFile))
|
while (true)
|
||||||
inet_af = AF_INET;
|
|
||||||
else if (ISC_analyze_protocol(PROTOCOL_INET6, attach_name, node_name, INET_SEPARATOR, needFile))
|
|
||||||
inet_af = AF_INET6;
|
|
||||||
|
|
||||||
if (inet_af != AF_UNSPEC ||
|
|
||||||
ISC_analyze_protocol(PROTOCOL_INET, attach_name, node_name, INET_SEPARATOR, needFile) ||
|
|
||||||
ISC_analyze_tcp(attach_name, node_name, needFile))
|
|
||||||
{
|
{
|
||||||
if (node_name.isEmpty())
|
authenticateStep0(cBlock);
|
||||||
node_name = INET_LOCALHOST;
|
|
||||||
else
|
try
|
||||||
{
|
{
|
||||||
ISC_unescape(node_name);
|
|
||||||
ISC_utf8ToSystem(node_name);
|
|
||||||
}
|
|
||||||
|
|
||||||
port = INET_analyze(&cBlock, attach_name, node_name.c_str(), flags & ANALYZE_USER_VFY, pb,
|
|
||||||
cBlock.getConfig(), ref_db_name, cryptCb, inet_af);
|
|
||||||
}
|
|
||||||
|
|
||||||
// We have a local connection string. If it's a file on a network share,
|
|
||||||
// try to connect to the corresponding host remotely.
|
|
||||||
if (flags & ANALYZE_MOUNTS)
|
|
||||||
{
|
|
||||||
#ifdef WIN_NT
|
#ifdef WIN_NT
|
||||||
if (!port)
|
if (ISC_analyze_protocol(PROTOCOL_XNET, attach_name, node_name, NULL, needFile))
|
||||||
{
|
port = XNET_analyze(&cBlock, attach_name, flags & ANALYZE_USER_VFY, cBlock.getConfig(), ref_db_name);
|
||||||
PathName expanded_name = attach_name;
|
else
|
||||||
if (ISC_analyze_pclan(expanded_name, node_name))
|
#endif
|
||||||
{
|
|
||||||
ISC_unescape(node_name);
|
|
||||||
ISC_utf8ToSystem(node_name);
|
|
||||||
|
|
||||||
port = INET_analyze(&cBlock, expanded_name, node_name.c_str(), flags & ANALYZE_USER_VFY, pb,
|
if (ISC_analyze_protocol(PROTOCOL_INET4, attach_name, node_name, INET_SEPARATOR, needFile))
|
||||||
cBlock.getConfig(), ref_db_name, cryptCb);
|
inet_af = AF_INET;
|
||||||
|
else if (ISC_analyze_protocol(PROTOCOL_INET6, attach_name, node_name, INET_SEPARATOR, needFile))
|
||||||
|
inet_af = AF_INET6;
|
||||||
|
|
||||||
|
if (inet_af != AF_UNSPEC ||
|
||||||
|
ISC_analyze_protocol(PROTOCOL_INET, attach_name, node_name, INET_SEPARATOR, needFile) ||
|
||||||
|
ISC_analyze_tcp(attach_name, node_name, needFile))
|
||||||
|
{
|
||||||
|
if (node_name.isEmpty())
|
||||||
|
node_name = INET_LOCALHOST;
|
||||||
|
else
|
||||||
|
{
|
||||||
|
ISC_unescape(node_name);
|
||||||
|
ISC_utf8ToSystem(node_name);
|
||||||
|
}
|
||||||
|
|
||||||
|
port = INET_analyze(&cBlock, attach_name, node_name.c_str(), flags & ANALYZE_USER_VFY, pb,
|
||||||
|
cBlock.getConfig(), ref_db_name, cryptCb, inet_af);
|
||||||
}
|
}
|
||||||
}
|
|
||||||
|
// We have a local connection string. If it's a file on a network share,
|
||||||
|
// try to connect to the corresponding host remotely.
|
||||||
|
if (flags & ANALYZE_MOUNTS)
|
||||||
|
{
|
||||||
|
#ifdef WIN_NT
|
||||||
|
if (!port)
|
||||||
|
{
|
||||||
|
PathName expanded_name = attach_name;
|
||||||
|
if (ISC_analyze_pclan(expanded_name, node_name))
|
||||||
|
{
|
||||||
|
ISC_unescape(node_name);
|
||||||
|
ISC_utf8ToSystem(node_name);
|
||||||
|
|
||||||
|
port = INET_analyze(&cBlock, expanded_name, node_name.c_str(), flags & ANALYZE_USER_VFY, pb,
|
||||||
|
cBlock.getConfig(), ref_db_name, cryptCb);
|
||||||
|
}
|
||||||
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#ifndef NO_NFS
|
#ifndef NO_NFS
|
||||||
if (!port)
|
if (!port)
|
||||||
{
|
{
|
||||||
PathName expanded_name = attach_name;
|
PathName expanded_name = attach_name;
|
||||||
if (ISC_analyze_nfs(expanded_name, node_name))
|
if (ISC_analyze_nfs(expanded_name, node_name))
|
||||||
{
|
{
|
||||||
ISC_unescape(node_name);
|
ISC_unescape(node_name);
|
||||||
ISC_utf8ToSystem(node_name);
|
ISC_utf8ToSystem(node_name);
|
||||||
|
|
||||||
port = INET_analyze(&cBlock, expanded_name, node_name.c_str(), flags & ANALYZE_USER_VFY, pb,
|
port = INET_analyze(&cBlock, expanded_name, node_name.c_str(), flags & ANALYZE_USER_VFY, pb,
|
||||||
cBlock.getConfig(), ref_db_name, cryptCb);
|
cBlock.getConfig(), ref_db_name, cryptCb);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
}
|
}
|
||||||
|
|
||||||
if ((flags & ANALYZE_LOOPBACK) && !port)
|
if ((flags & ANALYZE_LOOPBACK) && !port)
|
||||||
{
|
{
|
||||||
// We have a local connection string.
|
// We have a local connection string.
|
||||||
// If we are in loopback mode attempt connect to a localhost.
|
// If we are in loopback mode attempt connect to a localhost.
|
||||||
|
|
||||||
if (node_name.isEmpty())
|
if (node_name.isEmpty())
|
||||||
{
|
{
|
||||||
#ifdef WIN_NT
|
#ifdef WIN_NT
|
||||||
if (!port)
|
if (!port)
|
||||||
{
|
{
|
||||||
port = XNET_analyze(&cBlock, attach_name, flags & ANALYZE_USER_VFY,
|
port = XNET_analyze(&cBlock, attach_name, flags & ANALYZE_USER_VFY,
|
||||||
cBlock.getConfig(), ref_db_name);
|
cBlock.getConfig(), ref_db_name);
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
if (!port)
|
if (!port)
|
||||||
{
|
{
|
||||||
port = INET_analyze(&cBlock, attach_name, INET_LOCALHOST, flags & ANALYZE_USER_VFY, pb,
|
port = INET_analyze(&cBlock, attach_name, INET_LOCALHOST, flags & ANALYZE_USER_VFY, pb,
|
||||||
cBlock.getConfig(), ref_db_name, cryptCb);
|
cBlock.getConfig(), ref_db_name, cryptCb);
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
catch (const Exception&)
|
||||||
|
{
|
||||||
|
#ifdef TRUSTED_AUTH
|
||||||
|
const char* const pluginName = cBlock.plugins.name();
|
||||||
|
if (legacySSP || fb_utils::stricmp(pluginName, "WIN_SSPI") != 0)
|
||||||
|
throw;
|
||||||
|
|
||||||
|
// Retry connect with failed plugin only and using legacy security package
|
||||||
|
legacySSP = true;
|
||||||
|
Auth::setLegacySSP(legacySSP);
|
||||||
|
attach_name = save_attach_name;
|
||||||
|
|
||||||
|
cBlock.plugins.set(pluginName);
|
||||||
|
#else
|
||||||
|
throw;
|
||||||
|
#endif
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user