Diffstat (limited to 'src/interfaces/libpq/fe-auth.c')
-rw-r--r--src/interfaces/libpq/fe-auth.c264
1 files changed, 0 insertions, 264 deletions
diff --git a/src/interfaces/libpq/fe-auth.c b/src/interfaces/libpq/fe-auth.c
index 91f7c501c78..e10c9709108 100644
--- a/src/interfaces/libpq/fe-auth.c
+++ b/src/interfaces/libpq/fe-auth.c
@@ -43,258 +43,6 @@
#include "libpq/md5.h"
-#ifdef KRB5
-/*
- * MIT Kerberos authentication system - protocol version 5
- */
-
-#include <krb5.h>
-/* Some old versions of Kerberos do not include <com_err.h> in <krb5.h> */
-#if !defined(__COM_ERR_H) && !defined(__COM_ERR_H__)
-#include <com_err.h>
-#endif
-
-/*
- * Heimdal doesn't have a free function for unparsed names. Just pass it to
- * standard free() which should work in these cases.
- */
-#ifndef HAVE_KRB5_FREE_UNPARSED_NAME
-static void
-krb5_free_unparsed_name(krb5_context context, char *val)
-{
- free(val);
-}
-#endif
-
-/*
- * pg_an_to_ln -- return the local name corresponding to an authentication
- * name
- *
- * XXX Assumes that the first aname component is the user name. This is NOT
- * necessarily so, since an aname can actually be something out of your
- * worst X.400 nightmare, like
- * ORGANIZATION=U. C. Berkeley/NAME=Paul M. Aoki@CS.BERKELEY.EDU
- * Note that the MIT an_to_ln code does the same thing if you don't
- * provide an aname mapping database...it may be a better idea to use
- * krb5_an_to_ln, except that it punts if multiple components are found,
- * and we can't afford to punt.
- *
- * For WIN32, convert username to lowercase because the Win32 kerberos library
- * generates tickets with the username as the user entered it instead of as
- * it is entered in the directory.
- */
-static char *
-pg_an_to_ln(char *aname)
-{
- char *p;
-
- if ((p = strchr(aname, '/')) || (p = strchr(aname, '@')))
- *p = '\0';
-#ifdef WIN32
- for (p = aname; *p; p++)
- *p = pg_tolower((unsigned char) *p);
-#endif
-
- return aname;
-}
-
-
-/*
- * Various krb5 state which is not connection specific, and a flag to
- * indicate whether we have initialised it yet.
- */
-/*
-static int pg_krb5_initialised;
-static krb5_context pg_krb5_context;
-static krb5_ccache pg_krb5_ccache;
-static krb5_principal pg_krb5_client;
-static char *pg_krb5_name;
-*/
-
-struct krb5_info
-{
- int pg_krb5_initialised;
- krb5_context pg_krb5_context;
- krb5_ccache pg_krb5_ccache;
- krb5_principal pg_krb5_client;
- char *pg_krb5_name;
-};
-
-
-static int
-pg_krb5_init(PQExpBuffer errorMessage, struct krb5_info * info)
-{
- krb5_error_code retval;
-
- if (info->pg_krb5_initialised)
- return STATUS_OK;
-
- retval = krb5_init_context(&(info->pg_krb5_context));
- if (retval)
- {
- printfPQExpBuffer(errorMessage,
- "pg_krb5_init: krb5_init_context: %s\n",
- error_message(retval));
- return STATUS_ERROR;
- }
-
- retval = krb5_cc_default(info->pg_krb5_context, &(info->pg_krb5_ccache));
- if (retval)
- {
- printfPQExpBuffer(errorMessage,
- "pg_krb5_init: krb5_cc_default: %s\n",
- error_message(retval));
- krb5_free_context(info->pg_krb5_context);
- return STATUS_ERROR;
- }
-
- retval = krb5_cc_get_principal(info->pg_krb5_context, info->pg_krb5_ccache,
- &(info->pg_krb5_client));
- if (retval)
- {
- printfPQExpBuffer(errorMessage,
- "pg_krb5_init: krb5_cc_get_principal: %s\n",
- error_message(retval));
- krb5_cc_close(info->pg_krb5_context, info->pg_krb5_ccache);
- krb5_free_context(info->pg_krb5_context);
- return STATUS_ERROR;
- }
-
- retval = krb5_unparse_name(info->pg_krb5_context, info->pg_krb5_client, &(info->pg_krb5_name));
- if (retval)
- {
- printfPQExpBuffer(errorMessage,
- "pg_krb5_init: krb5_unparse_name: %s\n",
- error_message(retval));
- krb5_free_principal(info->pg_krb5_context, info->pg_krb5_client);
- krb5_cc_close(info->pg_krb5_context, info->pg_krb5_ccache);
- krb5_free_context(info->pg_krb5_context);
- return STATUS_ERROR;
- }
-
- info->pg_krb5_name = pg_an_to_ln(info->pg_krb5_name);
-
- info->pg_krb5_initialised = 1;
- return STATUS_OK;
-}
-
-static void
-pg_krb5_destroy(struct krb5_info * info)
-{
- krb5_free_principal(info->pg_krb5_context, info->pg_krb5_client);
- krb5_cc_close(info->pg_krb5_context, info->pg_krb5_ccache);
- krb5_free_unparsed_name(info->pg_krb5_context, info->pg_krb5_name);
- krb5_free_context(info->pg_krb5_context);
-}
-
-
-/*
- * pg_krb5_sendauth -- client routine to send authentication information to
- * the server
- */
-static int
-pg_krb5_sendauth(PGconn *conn)
-{
- krb5_error_code retval;
- int ret;
- krb5_principal server;
- krb5_auth_context auth_context = NULL;
- krb5_error *err_ret = NULL;
- struct krb5_info info;
-
- info.pg_krb5_initialised = 0;
-
- if (!(conn->pghost && conn->pghost[0] != '\0'))
- {
- printfPQExpBuffer(&conn->errorMessage,
- libpq_gettext("host name must be specified\n"));
- return STATUS_ERROR;
- }
-
- ret = pg_krb5_init(&conn->errorMessage, &info);
- if (ret != STATUS_OK)
- return ret;
-
- retval = krb5_sname_to_principal(info.pg_krb5_context, conn->pghost,
- conn->krbsrvname,
- KRB5_NT_SRV_HST, &server);
- if (retval)
- {
- printfPQExpBuffer(&conn->errorMessage,
- "pg_krb5_sendauth: krb5_sname_to_principal: %s\n",
- error_message(retval));
- pg_krb5_destroy(&info);
- return STATUS_ERROR;
- }
-
- /*
- * libpq uses a non-blocking socket. But kerberos needs a blocking socket,
- * and we have to block somehow to do mutual authentication anyway. So we
- * temporarily make it blocking.
- */
- if (!pg_set_block(conn->sock))
- {
- char sebuf[256];
-
- printfPQExpBuffer(&conn->errorMessage,
- libpq_gettext("could not set socket to blocking mode: %s\n"), pqStrerror(errno, sebuf, sizeof(sebuf)));
- krb5_free_principal(info.pg_krb5_context, server);
- pg_krb5_destroy(&info);
- return STATUS_ERROR;
- }
-
- retval = krb5_sendauth(info.pg_krb5_context, &auth_context,
- (krb5_pointer) & conn->sock, (char *) conn->krbsrvname,
- info.pg_krb5_client, server,
- AP_OPTS_MUTUAL_REQUIRED,
- NULL, 0, /* no creds, use ccache instead */
- info.pg_krb5_ccache, &err_ret, NULL, NULL);
- if (retval)
- {
- if (retval == KRB5_SENDAUTH_REJECTED && err_ret)
- {
-#if defined(HAVE_KRB5_ERROR_TEXT_DATA)
- printfPQExpBuffer(&conn->errorMessage,
- libpq_gettext("Kerberos 5 authentication rejected: %*s\n"),
- (int) err_ret->text.length, err_ret->text.data);
-#elif defined(HAVE_KRB5_ERROR_E_DATA)
- printfPQExpBuffer(&conn->errorMessage,
- libpq_gettext("Kerberos 5 authentication rejected: %*s\n"),
- (int) err_ret->e_data->length,
- (const char *) err_ret->e_data->data);
-#else
-#error "bogus configuration"
-#endif
- }
- else
- {
- printfPQExpBuffer(&conn->errorMessage,
- "krb5_sendauth: %s\n", error_message(retval));
- }
-
- if (err_ret)
- krb5_free_error(info.pg_krb5_context, err_ret);
-
- ret = STATUS_ERROR;
- }
-
- krb5_free_principal(info.pg_krb5_context, server);
-
- if (!pg_set_noblock(conn->sock))
- {
- char sebuf[256];
-
- printfPQExpBuffer(&conn->errorMessage,
- libpq_gettext("could not restore nonblocking mode on socket: %s\n"),
- pqStrerror(errno, sebuf, sizeof(sebuf)));
- ret = STATUS_ERROR;
- }
- pg_krb5_destroy(&info);
-
- return ret;
-}
-#endif /* KRB5 */
-
#ifdef ENABLE_GSS
/*
* GSSAPI authentication system.
@@ -816,21 +564,9 @@ pg_fe_sendauth(AuthRequest areq, PGconn *conn)
return STATUS_ERROR;
case AUTH_REQ_KRB5:
-#ifdef KRB5
- pglock_thread();
- if (pg_krb5_sendauth(conn) != STATUS_OK)
- {
- /* Error message already filled in */
- pgunlock_thread();
- return STATUS_ERROR;
- }
- pgunlock_thread();
- break;
-#else
printfPQExpBuffer(&conn->errorMessage,
libpq_gettext("Kerberos 5 authentication not supported\n"));
return STATUS_ERROR;
-#endif
#if defined(ENABLE_GSS) || defined(ENABLE_SSPI)
case AUTH_REQ_GSS: