diff options
Diffstat (limited to 'src/interfaces/libpq/fe-auth.c')
| -rw-r--r-- | src/interfaces/libpq/fe-auth.c | 281 |
1 files changed, 158 insertions, 123 deletions
diff --git a/src/interfaces/libpq/fe-auth.c b/src/interfaces/libpq/fe-auth.c index 1e61f3002e7..d05bf63ce2e 100644 --- a/src/interfaces/libpq/fe-auth.c +++ b/src/interfaces/libpq/fe-auth.c @@ -10,7 +10,7 @@ * exceed INITIAL_EXPBUFFER_SIZE (currently 256 bytes). * * IDENTIFICATION - * $Header: /cvsroot/pgsql/src/interfaces/libpq/fe-auth.c,v 1.40 2000/05/27 03:39:33 momjian Exp $ + * $Header: /cvsroot/pgsql/src/interfaces/libpq/fe-auth.c,v 1.41 2000/05/27 03:58:20 momjian Exp $ * *------------------------------------------------------------------------- */ @@ -39,7 +39,6 @@ #include "win32.h" #else #include <unistd.h> -#include <fcntl.h> #include <sys/param.h> /* for MAXHOSTNAMELEN on most */ #ifndef MAXHOSTNAMELEN #include <netdb.h> /* for MAXHOSTNAMELEN on some */ @@ -235,8 +234,7 @@ pg_krb4_sendauth(const char *PQerrormsg, int sock, *---------------------------------------------------------------- */ -#include <krb5.h> -#include <com_err.h> +#include "krb5/krb5.h" /* * pg_an_to_ln -- return the local name corresponding to an authentication @@ -252,7 +250,7 @@ pg_krb4_sendauth(const char *PQerrormsg, int sock, * and we can't afford to punt. */ static char * -pg_an_to_ln(char *aname) +pg_an_to_ln(const char *aname) { char *p; @@ -263,160 +261,197 @@ pg_an_to_ln(char *aname) /* - * Various krb5 state which is not connection specfic, and a flag to - * indicate whether we have initialised it yet. + * pg_krb5_init -- initialization performed before any Kerberos calls are made + * + * With v5, we can no longer set the ticket (credential cache) file name; + * we now have to provide a file handle for the open (well, "resolved") + * ticket file everywhere. + * */ -static int pg_krb5_initialised; -static krb5_context pg_krb5_context; -static krb5_ccache pg_krb5_ccache; -static krb5_principal pg_krb5_client; -static char *pg_krb5_name; - - static int -pg_krb5_init(char *PQerrormsg) + krb5_ccache +pg_krb5_init(void) { - krb5_error_code retval; + krb5_error_code code; + char *realm, + *defname; + char tktbuf[MAXPGPATH]; + static krb5_ccache ccache = (krb5_ccache) NULL; - if (pg_krb5_initialised) - return STATUS_OK; + if (ccache) + return ccache; - retval = krb5_init_context(&pg_krb5_context); - if (retval) { - snprintf(PQerrormsg, PQERRORMSG_LENGTH, - "pg_krb5_init: krb5_init_context: %s", - error_message(retval)); - return STATUS_ERROR; + /* + * If the user set PGREALM, then we use a ticket file with a special + * name: <usual-ticket-file-name>@<PGREALM-value> + */ + if (!(defname = krb5_cc_default_name())) + { + (void) sprintf(PQerrormsg, + "pg_krb5_init: krb5_cc_default_name failed\n"); + return (krb5_ccache) NULL; + } + strcpy(tktbuf, defname); + if (realm = getenv("PGREALM")) + { + strcat(tktbuf, "@"); + strcat(tktbuf, realm); } - retval = krb5_cc_default(pg_krb5_context, &pg_krb5_ccache); - if (retval) { - snprintf(PQerrormsg, PQERRORMSG_LENGTH, - "pg_krb5_init: krb5_cc_default: %s", - error_message(retval)); - krb5_free_context(pg_krb5_context); - return STATUS_ERROR; - } - - retval = krb5_cc_get_principal(pg_krb5_context, pg_krb5_ccache, - &pg_krb5_client); - if (retval) { - snprintf(PQerrormsg, PQERRORMSG_LENGTH, - "pg_krb5_init: krb5_cc_get_principal: %s", - error_message(retval)); - krb5_cc_close(pg_krb5_context, pg_krb5_ccache); - krb5_free_context(pg_krb5_context); - return STATUS_ERROR; - } - - retval = krb5_unparse_name(pg_krb5_context, pg_krb5_client, &pg_krb5_name); - if (retval) { - snprintf(PQerrormsg, PQERRORMSG_LENGTH, - "pg_krb5_init: krb5_unparse_name: %s", - error_message(retval)); - krb5_free_principal(pg_krb5_context, pg_krb5_client); - krb5_cc_close(pg_krb5_context, pg_krb5_ccache); - krb5_free_context(pg_krb5_context); - return STATUS_ERROR; - } - - pg_krb5_name = pg_an_to_ln(pg_krb5_name); - - pg_krb5_initialised = 1; - return STATUS_OK; + if (code = krb5_cc_resolve(tktbuf, &ccache)) + { + (void) sprintf(PQerrormsg, + "pg_krb5_init: Kerberos error %d in krb5_cc_resolve\n", code); + com_err("pg_krb5_init", code, "in krb5_cc_resolve"); + return (krb5_ccache) NULL; + } + return ccache; } - /* * pg_krb5_authname -- returns a pointer to static space containing whatever * name the user has authenticated to the system - */ + * + * We obtain this information by digging around in the ticket file. + */ static const char * -pg_krb5_authname(char *PQerrormsg) +pg_krb5_authname(const char *PQerrormsg) { - if (pg_krb5_init(PQerrormsg) != STATUS_OK) - return NULL; + krb5_ccache ccache; + krb5_principal principal; + krb5_error_code code; + static char *authname = (char *) NULL; - return pg_krb5_name; -} + if (authname) + return authname; + ccache = pg_krb5_init(); /* don't free this */ + + if (code = krb5_cc_get_principal(ccache, &principal)) + { + (void) sprintf(PQerrormsg, + "pg_krb5_authname: Kerberos error %d in krb5_cc_get_principal\n", code); + com_err("pg_krb5_authname", code, "in krb5_cc_get_principal"); + return (char *) NULL; + } + if (code = krb5_unparse_name(principal, &authname)) + { + (void) sprintf(PQerrormsg, + "pg_krb5_authname: Kerberos error %d in krb5_unparse_name\n", code); + com_err("pg_krb5_authname", code, "in krb5_unparse_name"); + krb5_free_principal(principal); + return (char *) NULL; + } + krb5_free_principal(principal); + return pg_an_to_ln(authname); +} /* * pg_krb5_sendauth -- client routine to send authentication information to * the server + * + * This routine does not do mutual authentication, nor does it return enough + * information to do encrypted connections. But then, if we want to do + * encrypted connections, we'll have to redesign the whole RPC mechanism + * anyway. + * + * Server hostnames are canonicalized v4-style, i.e., all domain suffixes + * are simply chopped off. Hence, we are assuming that you've entered your + * server instances as + * <value-of-PG_KRB_SRVNAM>/<canonicalized-hostname> + * in the PGREALM (or local) database. This is probably a bad assumption. */ static int -pg_krb5_sendauth(char *PQerrormsg, int sock, +pg_krb5_sendauth(const char *PQerrormsg, int sock, struct sockaddr_in * laddr, struct sockaddr_in * raddr, const char *hostname) { - krb5_error_code retval; - int ret; - krb5_principal server; - krb5_auth_context auth_context = NULL; - krb5_error *err_ret = NULL; - int flags; - - ret = pg_krb5_init(PQerrormsg); - if (ret != STATUS_OK) - return ret; - - retval = krb5_sname_to_principal(pg_krb5_context, hostname, PG_KRB_SRVNAM, - KRB5_NT_SRV_HST, &server); - if (retval) { - snprintf(PQerrormsg, PQERRORMSG_LENGTH, - "pg_krb5_sendauth: krb5_sname_to_principal: %s", - error_message(retval)); + char servbuf[MAXHOSTNAMELEN + 1 + + sizeof(PG_KRB_SRVNAM)]; + const char *hostp; + const char *realm; + krb5_error_code code; + krb5_principal client, + server; + krb5_ccache ccache; + krb5_error *error = (krb5_error *) NULL; + + ccache = pg_krb5_init(); /* don't free this */ + + /* + * set up client -- this is easy, we can get it out of the ticket + * file. + */ + if (code = krb5_cc_get_principal(ccache, &client)) + { + (void) sprintf(PQerrormsg, + "pg_krb5_sendauth: Kerberos error %d in krb5_cc_get_principal\n", code); + com_err("pg_krb5_sendauth", code, "in krb5_cc_get_principal"); return STATUS_ERROR; } - /* - * libpq uses a non-blocking socket. But kerberos needs a blocking - * socket, and we have to block somehow to do mutual authentication - * anyway. So we temporarily make it blocking. + /* + * set up server -- canonicalize as described above */ - flags = fcntl(sock, F_GETFL); - if (flags < 0 || fcntl(sock, F_SETFL, (long)(flags & ~O_NONBLOCK))) { - snprintf(PQerrormsg, PQERRORMSG_LENGTH, - "pg_krb5_sendauth: fcntl: %s", strerror(errno)); - krb5_free_principal(pg_krb5_context, server); + strcpy(servbuf, PG_KRB_SRVNAM); + *(hostp = servbuf + (sizeof(PG_KRB_SRVNAM) - 1)) = '/'; + if (hostname || *hostname) + strncpy(++hostp, hostname, MAXHOSTNAMELEN); + else + { + if (gethostname(++hostp, MAXHOSTNAMELEN) < 0) + strcpy(hostp, "localhost"); + } + if (hostp = strchr(hostp, '.')) + *hostp = '\0'; + if (realm = getenv("PGREALM")) + { + strcat(servbuf, "@"); + strcat(servbuf, realm); + } + if (code = krb5_parse_name(servbuf, &server)) + { + (void) sprintf(PQerrormsg, + "pg_krb5_sendauth: Kerberos error %d in krb5_parse_name\n", code); + com_err("pg_krb5_sendauth", code, "in krb5_parse_name"); + krb5_free_principal(client); return STATUS_ERROR; } - retval = krb5_sendauth(pg_krb5_context, &auth_context, - (krb5_pointer) &sock, PG_KRB_SRVNAM, - pg_krb5_client, server, - AP_OPTS_MUTUAL_REQUIRED, - NULL, 0, /* no creds, use ccache instead */ - pg_krb5_ccache, &err_ret, NULL, NULL); - if (retval) { - if (retval == KRB5_SENDAUTH_REJECTED && err_ret) { - snprintf(PQerrormsg, PQERRORMSG_LENGTH, - "pg_krb5_sendauth: authentication rejected: \"%*s\"", - err_ret->text.length, err_ret->text.data); + /* + * The only thing we want back from krb5_sendauth is an error status + * and any error messages. + */ + if (code = krb5_sendauth((krb5_pointer) & sock, + PG_KRB5_VERSION, + client, + server, + (krb5_flags) 0, + (krb5_checksum *) NULL, + (krb5_creds *) NULL, + ccache, + (krb5_int32 *) NULL, + (krb5_keyblock **) NULL, + &error, + (krb5_ap_rep_enc_part **) NULL)) + { + if ((code == KRB5_SENDAUTH_REJECTED) && error) + { + (void) sprintf(PQerrormsg, + "pg_krb5_sendauth: authentication rejected: \"%*s\"\n", + error->text.length, error->text.data); } - else { - snprintf(PQerrormsg, PQERRORMSG_LENGTH, - "pg_krb5_sendauth: krb5_sendauth: %s", - error_message(retval)); + else + { + (void) sprintf(PQerrormsg, + "pg_krb5_sendauth: Kerberos error %d in krb5_sendauth\n", code); + com_err("pg_krb5_sendauth", code, "in krb5_sendauth"); } - - if (err_ret) - krb5_free_error(pg_krb5_context, err_ret); - - ret = STATUS_ERROR; - } - - krb5_free_principal(pg_krb5_context, server); - - if (fcntl(sock, F_SETFL, (long)flags)) { - snprintf(PQerrormsg, PQERRORMSG_LENGTH, - "pg_krb5_sendauth: fcntl: %s", strerror(errno)); - ret = STATUS_ERROR; } - - return ret; + krb5_free_principal(client); + krb5_free_principal(server); + return code ? STATUS_ERROR : STATUS_OK; } #endif /* KRB5 */ |