Diffstat (limited to 'src')
-rw-r--r-- | src/backend/libpq/auth.c | 217 | ||||
-rw-r--r-- | src/backend/libpq/hba.c | 35 | ||||
-rw-r--r-- | src/backend/libpq/pg_hba.conf.sample | 2 | ||||
-rw-r--r-- | src/bin/initdb/initdb.c | 3 | ||||
-rw-r--r-- | src/include/libpq/hba.h | 1 | ||||
-rw-r--r-- | src/include/libpq/pqcomm.h | 2 | ||||
-rw-r--r-- | src/include/pg_config.h.in | 18 | ||||
-rw-r--r-- | src/include/pg_config.h.win32 | 15 | ||||
-rw-r--r-- | src/interfaces/libpq/fe-auth.c | 264 | ||||
-rw-r--r-- | src/interfaces/libpq/fe-connect.c | 4 | ||||
-rw-r--r-- | src/interfaces/libpq/libpq-int.h | 2 | ||||
-rw-r--r-- | src/tools/msvc/Solution.pm | 6 | ||||
-rw-r--r-- | src/tools/msvc/config_default.pl | 1 |
13 files changed, 11 insertions, 559 deletions
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c index 85899159843..882dc8faf1b 100644 --- a/src/backend/libpq/auth.c +++ b/src/backend/libpq/auth.c @@ -134,29 +134,6 @@ bool pg_krb_caseins_users; /*---------------------------------------------------------------- - * MIT Kerberos authentication system - protocol version 5 - *---------------------------------------------------------------- - */ -#ifdef KRB5 -static int pg_krb5_recvauth(Port *port); - -#include <krb5.h> -/* Some old versions of Kerberos do not include <com_err.h> in <krb5.h> */ -#if !defined(__COM_ERR_H) && !defined(__COM_ERR_H__) -#include <com_err.h> -#endif -/* - * Various krb5 state which is not connection specific, and a flag to - * indicate whether we have initialised it yet. - */ -static int pg_krb5_initialised; -static krb5_context pg_krb5_context; -static krb5_keytab pg_krb5_keytab; -static krb5_principal pg_krb5_server; -#endif /* KRB5 */ - - -/*---------------------------------------------------------------- * GSSAPI Authentication *---------------------------------------------------------------- */ @@ -257,9 +234,6 @@ auth_failed(Port *port, int status) case uaImplicitReject: errstr = gettext_noop("authentication failed for user \"%s\": host rejected"); break; - case uaKrb5: - errstr = gettext_noop("Kerberos 5 authentication failed for user \"%s\""); - break; case uaTrust: errstr = gettext_noop("\"trust\" authentication failed for user \"%s\""); break; @@ -497,15 +471,6 @@ ClientAuthentication(Port *port) break; } - case uaKrb5: -#ifdef KRB5 - sendAuthRequest(port, AUTH_REQ_KRB5); - status = pg_krb5_recvauth(port); -#else - Assert(false); -#endif - break; - case uaGSS: #ifdef ENABLE_GSS sendAuthRequest(port, AUTH_REQ_GSS); 
@@ -735,188 +700,6 @@ recv_and_check_password_packet(Port *port) } -/*---------------------------------------------------------------- - * MIT Kerberos authentication system - protocol version 5 - *---------------------------------------------------------------- - */ -#ifdef KRB5 - -static int -pg_krb5_init(Port *port) -{ - krb5_error_code retval; - char *khostname; - - if (pg_krb5_initialised) - return STATUS_OK; - - retval = krb5_init_context(&pg_krb5_context); - if (retval) - { - ereport(LOG, - (errmsg("Kerberos initialization returned error %d", - retval))); - com_err("postgres", retval, "while initializing krb5"); - return STATUS_ERROR; - } - - retval = krb5_kt_resolve(pg_krb5_context, pg_krb_server_keyfile, &pg_krb5_keytab); - if (retval) - { - ereport(LOG, - (errmsg("Kerberos keytab resolving returned error %d", - retval))); - com_err("postgres", retval, "while resolving keytab file \"%s\"", - pg_krb_server_keyfile); - krb5_free_context(pg_krb5_context); - return STATUS_ERROR; - } - - /* - * If no hostname was specified, pg_krb_server_hostname is already NULL. - * If it's set to blank, force it to NULL. - */ - khostname = port->hba->krb_server_hostname; - if (khostname && khostname[0] == '\0') - khostname = NULL; - - retval = krb5_sname_to_principal(pg_krb5_context, - khostname, - pg_krb_srvnam, - KRB5_NT_SRV_HST, - &pg_krb5_server); - if (retval) - { - ereport(LOG, - (errmsg("Kerberos sname_to_principal(\"%s\", \"%s\") returned error %d", - khostname ? khostname : "server hostname", pg_krb_srvnam, retval))); - com_err("postgres", retval, - "while getting server principal for server \"%s\" for service \"%s\"", - khostname ? 
khostname : "server hostname", pg_krb_srvnam); - krb5_kt_close(pg_krb5_context, pg_krb5_keytab); - krb5_free_context(pg_krb5_context); - return STATUS_ERROR; - } - - pg_krb5_initialised = 1; - return STATUS_OK; -} - - -/* - * pg_krb5_recvauth -- server routine to receive authentication information - * from the client - * - * We still need to compare the username obtained from the client's setup - * packet to the authenticated name. - * - * We have our own keytab file because postgres is unlikely to run as root, - * and so cannot read the default keytab. - */ -static int -pg_krb5_recvauth(Port *port) -{ - krb5_error_code retval; - int ret; - krb5_auth_context auth_context = NULL; - krb5_ticket *ticket; - char *kusername; - char *cp; - - ret = pg_krb5_init(port); - if (ret != STATUS_OK) - return ret; - - retval = krb5_recvauth(pg_krb5_context, &auth_context, - (krb5_pointer) & port->sock, pg_krb_srvnam, - pg_krb5_server, 0, pg_krb5_keytab, &ticket); - if (retval) - { - ereport(LOG, - (errmsg("Kerberos recvauth returned error %d", - retval))); - com_err("postgres", retval, "from krb5_recvauth"); - return STATUS_ERROR; - } - - /* - * The "client" structure comes out of the ticket and is therefore - * authenticated. Use it to check the username obtained from the - * postmaster startup packet. 
- */ -#if defined(HAVE_KRB5_TICKET_ENC_PART2) - retval = krb5_unparse_name(pg_krb5_context, - ticket->enc_part2->client, &kusername); -#elif defined(HAVE_KRB5_TICKET_CLIENT) - retval = krb5_unparse_name(pg_krb5_context, - ticket->client, &kusername); -#else -#error "bogus configuration" -#endif - if (retval) - { - ereport(LOG, - (errmsg("Kerberos unparse_name returned error %d", - retval))); - com_err("postgres", retval, "while unparsing client name"); - krb5_free_ticket(pg_krb5_context, ticket); - krb5_auth_con_free(pg_krb5_context, auth_context); - return STATUS_ERROR; - } - - cp = strchr(kusername, '@'); - if (cp) - { - /* - * If we are not going to include the realm in the username that is - * passed to the ident map, destructively modify it here to remove the - * realm. Then advance past the separator to check the realm. - */ - if (!port->hba->include_realm) - *cp = '\0'; - cp++; - - if (port->hba->krb_realm != NULL && strlen(port->hba->krb_realm)) - { - /* Match realm against configured */ - if (pg_krb_caseins_users) - ret = pg_strcasecmp(port->hba->krb_realm, cp); - else - ret = strcmp(port->hba->krb_realm, cp); - - if (ret) - { - elog(DEBUG2, - "krb5 realm (%s) and configured realm (%s) don't match", - cp, port->hba->krb_realm); - - krb5_free_ticket(pg_krb5_context, ticket); - krb5_auth_con_free(pg_krb5_context, auth_context); - return STATUS_ERROR; - } - } - } - else if (port->hba->krb_realm && strlen(port->hba->krb_realm)) - { - elog(DEBUG2, - "krb5 did not return realm but realm matching was requested"); - - krb5_free_ticket(pg_krb5_context, ticket); - krb5_auth_con_free(pg_krb5_context, auth_context); - return STATUS_ERROR; - } - - ret = check_usermap(port->hba->usermap, port->user_name, kusername, - pg_krb_caseins_users); - - krb5_free_ticket(pg_krb5_context, ticket); - krb5_auth_con_free(pg_krb5_context, auth_context); - free(kusername); - - return ret; -} -#endif /* KRB5 */ - /*---------------------------------------------------------------- * GSSAPI 
authentication system diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c index ae25cf873f5..77434f410ae 100644 --- a/src/backend/libpq/hba.c +++ b/src/backend/libpq/hba.c @@ -1177,12 +1177,6 @@ parse_hba_line(List *line, int line_num, char *raw_line) parsedline->auth_method = uaPeer; else if (strcmp(token->string, "password") == 0) parsedline->auth_method = uaPassword; - else if (strcmp(token->string, "krb5") == 0) -#ifdef KRB5 - parsedline->auth_method = uaKrb5; -#else - unsupauth = "krb5"; -#endif else if (strcmp(token->string, "gss") == 0) #ifdef ENABLE_GSS parsedline->auth_method = uaGSS; @@ -1262,17 +1256,6 @@ parse_hba_line(List *line, int line_num, char *raw_line) /* Invalid authentication combinations */ if (parsedline->conntype == ctLocal && - parsedline->auth_method == uaKrb5) - { - ereport(LOG, - (errcode(ERRCODE_CONFIG_FILE_ERROR), - errmsg("krb5 authentication is not supported on local sockets"), - errcontext("line %d of configuration file \"%s\"", - line_num, HbaFileName))); - return NULL; - } - - if (parsedline->conntype == ctLocal && parsedline->auth_method == uaGSS) { ereport(LOG, @@ -1417,11 +1400,10 @@ parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline, int line_num) { if (hbaline->auth_method != uaIdent && hbaline->auth_method != uaPeer && - hbaline->auth_method != uaKrb5 && hbaline->auth_method != uaGSS && hbaline->auth_method != uaSSPI && hbaline->auth_method != uaCert) - INVALID_AUTH_OPTION("map", gettext_noop("ident, peer, krb5, gssapi, sspi, and cert")); + INVALID_AUTH_OPTION("map", gettext_noop("ident, peer, gssapi, sspi, and cert")); hbaline->usermap = pstrdup(val); } else if (strcmp(name, "clientcert") == 0) 
@@ -1578,25 +1560,18 @@ parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline, int line_num) REQUIRE_AUTH_OPTION(uaLDAP, "ldapsuffix", "ldap"); hbaline->ldapsuffix = pstrdup(val); } - else if (strcmp(name, "krb_server_hostname") == 0) - { - REQUIRE_AUTH_OPTION(uaKrb5, "krb_server_hostname", "krb5"); - hbaline->krb_server_hostname = pstrdup(val); - } else if (strcmp(name, "krb_realm") == 0) { - if (hbaline->auth_method != uaKrb5 && - hbaline->auth_method != uaGSS && + if (hbaline->auth_method != uaGSS && hbaline->auth_method != uaSSPI) - INVALID_AUTH_OPTION("krb_realm", gettext_noop("krb5, gssapi, and sspi")); + INVALID_AUTH_OPTION("krb_realm", gettext_noop("gssapi and sspi")); hbaline->krb_realm = pstrdup(val); } else if (strcmp(name, "include_realm") == 0) { - if (hbaline->auth_method != uaKrb5 && - hbaline->auth_method != uaGSS && + if (hbaline->auth_method != uaGSS && hbaline->auth_method != uaSSPI) - INVALID_AUTH_OPTION("include_realm", gettext_noop("krb5, gssapi, and sspi")); + INVALID_AUTH_OPTION("include_realm", gettext_noop("gssapi and sspi")); if (strcmp(val, "1") == 0) hbaline->include_realm = true; else diff --git a/src/backend/libpq/pg_hba.conf.sample b/src/backend/libpq/pg_hba.conf.sample index a12ba26ad57..86a89edf9ad 100644 --- a/src/backend/libpq/pg_hba.conf.sample +++ b/src/backend/libpq/pg_hba.conf.sample @@ -43,7 +43,7 @@ # directly connected to. # # METHOD can be "trust", "reject", "md5", "password", "gss", "sspi", -# "krb5", "ident", "peer", "pam", "ldap", "radius" or "cert". Note that +# "ident", "peer", "pam", "ldap", "radius" or "cert". Note that # "password" sends passwords in clear text; "md5" is preferred since # it sends encrypted passwords. # diff --git a/src/bin/initdb/initdb.c b/src/bin/initdb/initdb.c index a9aa7a487f6..7e934b75abb 100644 --- a/src/bin/initdb/initdb.c +++ b/src/bin/initdb/initdb.c 
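Review bot: `krb_server_hostname` looks orphaned after this hunk: the branch of parse_hba_auth_opt that assigned `hbaline->krb_server_hostname` is removed here, and its only reader visible in this commit, `pg_krb5_init` in auth.c, is deleted as well, yet the hba.h change touches only the `uaKrb5` enum value. If `HbaLine` still declares the field, drop `char *krb_server_hostname;` in the same commit so the struct does not carry a setting that nothing can populate. A pg_hba.conf that still sets this option will presumably now be rejected by the function's unknown-option fallback, which is outside the hunk, so the upgrade notes should tell operators to delete it when they move such entries to `gss`. parse_hba_auth_opt starts and ends outside the hunk.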
@@ -76,9 +76,6 @@ static const char *auth_methods_host[] = {"trust", "reject", "md5", "password", #ifdef ENABLE_SSPI "sspi", #endif -#ifdef KRB5 - "krb5", -#endif #ifdef USE_PAM "pam", "pam ", #endif diff --git a/src/include/libpq/hba.h b/src/include/libpq/hba.h index 73ae5105eb9..5a103aed195 100644 --- a/src/include/libpq/hba.h +++ b/src/include/libpq/hba.h @@ -20,7 +20,6 @@ typedef enum UserAuth { uaReject, uaImplicitReject, - uaKrb5, uaTrust, uaIdent, uaPassword, diff --git a/src/include/libpq/pqcomm.h b/src/include/libpq/pqcomm.h index 0be839c23cc..969fe5e105d 100644 --- a/src/include/libpq/pqcomm.h +++ b/src/include/libpq/pqcomm.h @@ -164,7 +164,7 @@ extern bool Db_user_namespace; #define AUTH_REQ_OK 0 /* User is authenticated */ #define AUTH_REQ_KRB4 1 /* Kerberos V4. Not supported any more. */ -#define AUTH_REQ_KRB5 2 /* Kerberos V5 */ +#define AUTH_REQ_KRB5 2 /* Kerberos V5. Not supported any more. */ #define AUTH_REQ_PASSWORD 3 /* Password */ #define AUTH_REQ_CRYPT 4 /* crypt password. Not supported any more. */ #define AUTH_REQ_MD5 5 /* md5 password */ diff --git a/src/include/pg_config.h.in b/src/include/pg_config.h.in index 64717dfcd41..0bade28b972 100644 --- a/src/include/pg_config.h.in +++ b/src/include/pg_config.h.in @@ -260,21 +260,6 @@ /* Define to 1 if you have isinf(). */ #undef HAVE_ISINF -/* Define to 1 if `e_data' is a member of `krb5_error'. */ -#undef HAVE_KRB5_ERROR_E_DATA - -/* Define to 1 if `text.data' is a member of `krb5_error'. */ -#undef HAVE_KRB5_ERROR_TEXT_DATA - -/* Define to 1 if you have krb5_free_unparsed_name. */ -#undef HAVE_KRB5_FREE_UNPARSED_NAME - -/* Define to 1 if `client' is a member of `krb5_ticket'. */ -#undef HAVE_KRB5_TICKET_CLIENT - -/* Define to 1 if `enc_part2' is a member of `krb5_ticket'. */ -#undef HAVE_KRB5_TICKET_ENC_PART2 - /* Define to 1 if you have the <langinfo.h> header file. */ #undef HAVE_LANGINFO_H 
@@ -656,9 +641,6 @@ /* Define to the appropriate snprintf format for 64-bit ints. */ #undef INT64_FORMAT -/* Define to build with Kerberos 5 support. (--with-krb5) */ -#undef KRB5 - /* Define to 1 if `locale_t' requires <xlocale.h>. */ #undef LOCALE_T_IN_XLOCALE diff --git a/src/include/pg_config.h.win32 b/src/include/pg_config.h.win32 index b69414fd484..19ef4c1a9fb 100644 --- a/src/include/pg_config.h.win32 +++ b/src/include/pg_config.h.win32 @@ -193,18 +193,6 @@ /* Define to 1 if you have isinf(). */ #define HAVE_ISINF 1 -/* Define to 1 if `e_data' is member of `krb5_error'. */ -/* #undef HAVE_KRB5_ERROR_E_DATA */ - -/* Define to 1 if `text.data' is member of `krb5_error'. */ -/* #undef HAVE_KRB5_ERROR_TEXT_DATA */ - -/* Define to 1 if `client' is member of `krb5_ticket'. */ -/* #undef HAVE_KRB5_TICKET_CLIENT */ - -/* Define to 1 if `enc_part2' is member of `krb5_ticket'. */ -/* #undef HAVE_KRB5_TICKET_ENC_PART2 */ - /* Define to 1 if you have the <langinfo.h> header file. */ /* #undef HAVE_LANGINFO_H */ @@ -541,9 +529,6 @@ /* Define to the appropriate snprintf format for 64-bit ints, if any. */ #define INT64_FORMAT "%lld" -/* Define to build with Kerberos 5 support. (--with-krb5) */ -/* #undef KRB5 */ - /* Define to 1 if `locale_t' requires <xlocale.h>. */ /* #undef LOCALE_T_IN_XLOCALE */ diff --git a/src/interfaces/libpq/fe-auth.c b/src/interfaces/libpq/fe-auth.c index 91f7c501c78..e10c9709108 100644 --- a/src/interfaces/libpq/fe-auth.c +++ b/src/interfaces/libpq/fe-auth.c 
@@ -43,258 +43,6 @@ #include "libpq/md5.h" -#ifdef KRB5 -/* - * MIT Kerberos authentication system - protocol version 5 - */ - -#include <krb5.h> -/* Some old versions of Kerberos do not include <com_err.h> in <krb5.h> */ -#if !defined(__COM_ERR_H) && !defined(__COM_ERR_H__) -#include <com_err.h> -#endif - -/* - * Heimdal doesn't have a free function for unparsed names. Just pass it to - * standard free() which should work in these cases. - */ -#ifndef HAVE_KRB5_FREE_UNPARSED_NAME -static void -krb5_free_unparsed_name(krb5_context context, char *val) -{ - free(val); -} -#endif - -/* - * pg_an_to_ln -- return the local name corresponding to an authentication - * name - * - * XXX Assumes that the first aname component is the user name. This is NOT - * necessarily so, since an aname can actually be something out of your - * worst X.400 nightmare, like - * ORGANIZATION=U. C. Berkeley/NAME=Paul M. Aoki@CS.BERKELEY.EDU - * Note that the MIT an_to_ln code does the same thing if you don't - * provide an aname mapping database...it may be a better idea to use - * krb5_an_to_ln, except that it punts if multiple components are found, - * and we can't afford to punt. - * - * For WIN32, convert username to lowercase because the Win32 kerberos library - * generates tickets with the username as the user entered it instead of as - * it is entered in the directory. - */ -static char * -pg_an_to_ln(char *aname) -{ - char *p; - - if ((p = strchr(aname, '/')) || (p = strchr(aname, '@'))) - *p = '\0'; -#ifdef WIN32 - for (p = aname; *p; p++) - *p = pg_tolower((unsigned char) *p); -#endif - - return aname; -} - - -/* - * Various krb5 state which is not connection specific, and a flag to - * indicate whether we have initialised it yet. 
- */ -/* -static int pg_krb5_initialised; -static krb5_context pg_krb5_context; -static krb5_ccache pg_krb5_ccache; -static krb5_principal pg_krb5_client; -static char *pg_krb5_name; -*/ - -struct krb5_info -{ - int pg_krb5_initialised; - krb5_context pg_krb5_context; - krb5_ccache pg_krb5_ccache; - krb5_principal pg_krb5_client; - char *pg_krb5_name; -}; - - -static int -pg_krb5_init(PQExpBuffer errorMessage, struct krb5_info * info) -{ - krb5_error_code retval; - - if (info->pg_krb5_initialised) - return STATUS_OK; - - retval = krb5_init_context(&(info->pg_krb5_context)); - if (retval) - { - printfPQExpBuffer(errorMessage, - "pg_krb5_init: krb5_init_context: %s\n", - error_message(retval)); - return STATUS_ERROR; - } - - retval = krb5_cc_default(info->pg_krb5_context, &(info->pg_krb5_ccache)); - if (retval) - { - printfPQExpBuffer(errorMessage, - "pg_krb5_init: krb5_cc_default: %s\n", - error_message(retval)); - krb5_free_context(info->pg_krb5_context); - return STATUS_ERROR; - } - - retval = krb5_cc_get_principal(info->pg_krb5_context, info->pg_krb5_ccache, - &(info->pg_krb5_client)); - if (retval) - { - printfPQExpBuffer(errorMessage, - "pg_krb5_init: krb5_cc_get_principal: %s\n", - error_message(retval)); - krb5_cc_close(info->pg_krb5_context, info->pg_krb5_ccache); - krb5_free_context(info->pg_krb5_context); - return STATUS_ERROR; - } - - retval = krb5_unparse_name(info->pg_krb5_context, info->pg_krb5_client, &(info->pg_krb5_name)); - if (retval) - { - printfPQExpBuffer(errorMessage, - "pg_krb5_init: krb5_unparse_name: %s\n", - error_message(retval)); - krb5_free_principal(info->pg_krb5_context, info->pg_krb5_client); - krb5_cc_close(info->pg_krb5_context, info->pg_krb5_ccache); - krb5_free_context(info->pg_krb5_context); - return STATUS_ERROR; - } - - info->pg_krb5_name = pg_an_to_ln(info->pg_krb5_name); - - info->pg_krb5_initialised = 1; - return STATUS_OK; -} - -static void -pg_krb5_destroy(struct krb5_info * info) -{ - 
krb5_free_principal(info->pg_krb5_context, info->pg_krb5_client); - krb5_cc_close(info->pg_krb5_context, info->pg_krb5_ccache); - krb5_free_unparsed_name(info->pg_krb5_context, info->pg_krb5_name); - krb5_free_context(info->pg_krb5_context); -} - - -/* - * pg_krb5_sendauth -- client routine to send authentication information to - * the server - */ -static int -pg_krb5_sendauth(PGconn *conn) -{ - krb5_error_code retval; - int ret; - krb5_principal server; - krb5_auth_context auth_context = NULL; - krb5_error *err_ret = NULL; - struct krb5_info info; - - info.pg_krb5_initialised = 0; - - if (!(conn->pghost && conn->pghost[0] != '\0')) - { - printfPQExpBuffer(&conn->errorMessage, - libpq_gettext("host name must be specified\n")); - return STATUS_ERROR; - } - - ret = pg_krb5_init(&conn->errorMessage, &info); - if (ret != STATUS_OK) - return ret; - - retval = krb5_sname_to_principal(info.pg_krb5_context, conn->pghost, - conn->krbsrvname, - KRB5_NT_SRV_HST, &server); - if (retval) - { - printfPQExpBuffer(&conn->errorMessage, - "pg_krb5_sendauth: krb5_sname_to_principal: %s\n", - error_message(retval)); - pg_krb5_destroy(&info); - return STATUS_ERROR; - } - - /* - * libpq uses a non-blocking socket. But kerberos needs a blocking socket, - * and we have to block somehow to do mutual authentication anyway. So we - * temporarily make it blocking. 
- */ - if (!pg_set_block(conn->sock)) - { - char sebuf[256]; - - printfPQExpBuffer(&conn->errorMessage, - libpq_gettext("could not set socket to blocking mode: %s\n"), pqStrerror(errno, sebuf, sizeof(sebuf))); - krb5_free_principal(info.pg_krb5_context, server); - pg_krb5_destroy(&info); - return STATUS_ERROR; - } - - retval = krb5_sendauth(info.pg_krb5_context, &auth_context, - (krb5_pointer) & conn->sock, (char *) conn->krbsrvname, - info.pg_krb5_client, server, - AP_OPTS_MUTUAL_REQUIRED, - NULL, 0, /* no creds, use ccache instead */ - info.pg_krb5_ccache, &err_ret, NULL, NULL); - if (retval) - { - if (retval == KRB5_SENDAUTH_REJECTED && err_ret) - { -#if defined(HAVE_KRB5_ERROR_TEXT_DATA) - printfPQExpBuffer(&conn->errorMessage, - libpq_gettext("Kerberos 5 authentication rejected: %*s\n"), - (int) err_ret->text.length, err_ret->text.data); -#elif defined(HAVE_KRB5_ERROR_E_DATA) - printfPQExpBuffer(&conn->errorMessage, - libpq_gettext("Kerberos 5 authentication rejected: %*s\n"), - (int) err_ret->e_data->length, - (const char *) err_ret->e_data->data); -#else -#error "bogus configuration" -#endif - } - else - { - printfPQExpBuffer(&conn->errorMessage, - "krb5_sendauth: %s\n", error_message(retval)); - } - - if (err_ret) - krb5_free_error(info.pg_krb5_context, err_ret); - - ret = STATUS_ERROR; - } - - krb5_free_principal(info.pg_krb5_context, server); - - if (!pg_set_noblock(conn->sock)) - { - char sebuf[256]; - - printfPQExpBuffer(&conn->errorMessage, - libpq_gettext("could not restore nonblocking mode on socket: %s\n"), - pqStrerror(errno, sebuf, sizeof(sebuf))); - ret = STATUS_ERROR; - } - pg_krb5_destroy(&info); - - return ret; -} -#endif /* KRB5 */ - #ifdef ENABLE_GSS /* * GSSAPI authentication system. 
@@ -816,21 +564,9 @@ pg_fe_sendauth(AuthRequest areq, PGconn *conn) return STATUS_ERROR; case AUTH_REQ_KRB5: -#ifdef KRB5 - pglock_thread(); - if (pg_krb5_sendauth(conn) != STATUS_OK) - { - /* Error message already filled in */ - pgunlock_thread(); - return STATUS_ERROR; - } - pgunlock_thread(); - break; -#else printfPQExpBuffer(&conn->errorMessage, libpq_gettext("Kerberos 5 authentication not supported\n")); return STATUS_ERROR; -#endif #if defined(ENABLE_GSS) || defined(ENABLE_SSPI) case AUTH_REQ_GSS: diff --git a/src/interfaces/libpq/fe-connect.c b/src/interfaces/libpq/fe-connect.c index 3a9ddf19d7d..fa88c874945 100644 --- a/src/interfaces/libpq/fe-connect.c +++ b/src/interfaces/libpq/fe-connect.c @@ -278,7 +278,7 @@ static const internalPQconninfoOption PQconninfoOptions[] = { "Require-Peer", "", 10, offsetof(struct pg_conn, requirepeer)}, -#if defined(KRB5) || defined(ENABLE_GSS) || defined(ENABLE_SSPI) +#if defined(ENABLE_GSS) || defined(ENABLE_SSPI) /* Kerberos and GSSAPI authentication support specifying the service name */ {"krbsrvname", "PGKRBSRVNAME", PG_KRB_SRVNAM, NULL, "Kerberos-service-name", "", 20, @@ -2823,7 +2823,7 @@ freePGconn(PGconn *conn) free(conn->sslcompression); if (conn->requirepeer) free(conn->requirepeer); -#if defined(KRB5) || defined(ENABLE_GSS) || defined(ENABLE_SSPI) +#if defined(ENABLE_GSS) || defined(ENABLE_SSPI) if (conn->krbsrvname) free(conn->krbsrvname); #endif diff --git a/src/interfaces/libpq/libpq-int.h b/src/interfaces/libpq/libpq-int.h index 0fb926bbd45..22bbe4a48eb 100644 --- a/src/interfaces/libpq/libpq-int.h +++ b/src/interfaces/libpq/libpq-int.h @@ -331,7 +331,7 @@ struct pg_conn char *sslcrl; /* certificate revocation list filename */ char *requirepeer; /* required peer credentials for local sockets */ -#if defined(KRB5) || defined(ENABLE_GSS) || defined(ENABLE_SSPI) +#if defined(ENABLE_GSS) || defined(ENABLE_SSPI) char *krbsrvname; /* Kerberos service name */ #endif 
diff --git a/src/tools/msvc/Solution.pm b/src/tools/msvc/Solution.pm index bc52086fc8a..7921596a48f 100644 --- a/src/tools/msvc/Solution.pm +++ b/src/tools/msvc/Solution.pm @@ -221,10 +221,6 @@ s{PG_VERSION_STR "[^"]+"}{__STRINGIFY(x) #x\n#define __STRINGIFY2(z) __STRINGIFY } if ($self->{options}->{krb5}) { - print O "#define KRB5 1\n"; - print O "#define HAVE_KRB5_ERROR_TEXT_DATA 1\n"; - print O "#define HAVE_KRB5_TICKET_ENC_PART2 1\n"; - print O "#define HAVE_KRB5_FREE_UNPARSED_NAME 1\n"; print O "#define ENABLE_GSS 1\n"; } if (my $port = $self->{options}->{"--with-pgport"}) @@ -625,7 +621,7 @@ sub GetFakeConfigure $cfg .= ' --with-ossp-uuid' if ($self->{options}->{uuid}); $cfg .= ' --with-libxml' if ($self->{options}->{xml}); $cfg .= ' --with-libxslt' if ($self->{options}->{xslt}); - $cfg .= ' --with-krb5' if ($self->{options}->{krb5}); + $cfg .= ' --with-gssapi' if ($self->{options}->{krb5}); $cfg .= ' --with-tcl' if ($self->{options}->{tcl}); $cfg .= ' --with-perl' if ($self->{options}->{perl}); $cfg .= ' --with-python' if ($self->{options}->{python}); diff --git a/src/tools/msvc/config_default.pl b/src/tools/msvc/config_default.pl index 2489d3827fd..ebb47ab40e3 100644 --- a/src/tools/msvc/config_default.pl +++ b/src/tools/msvc/config_default.pl @@ -15,7 +15,6 @@ our $config = { tcl => undef, # --with-tls=<path> perl => undef, # --with-perl python => undef, # --with-python=<path> - krb5 => undef, # --with-krb5=<path> openssl => undef, # --with-ssl=<path> uuid => undef, # --with-ossp-uuid xml => undef, # --with-libxml=<path> |
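Review bot: The MSVC build still keys GSSAPI on `$self->{options}->{krb5}`, both for `print O "#define ENABLE_GSS 1\n";` and for `$cfg .= ' --with-gssapi' if ($self->{options}->{krb5});`, while config_default.pl in this same commit deletes the `krb5 => undef` entry. As a result, the default config no longer lists the key that enables Kerberos-based authentication on Windows, and the key name no longer matches the switch it reports. Either keep the entry with an updated comment, `krb5 => undef,    # --with-gssapi=<path>`, or rename the option to `gss` in both files. Whatever code outside these hunks uses the option's path for include and library directories would need the same rename.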