PostgreSQL Source Code: src/backend/libpq/be-gssapi-common.c Source File

PostgreSQL Source Code git master
be-gssapi-common.c
Go to the documentation of this file.
1/*-------------------------------------------------------------------------
2 *
3 * be-gssapi-common.c
4 * Common code for GSSAPI authentication and encryption
5 *
6 * Portions Copyright (c) 1996-2025, PostgreSQL Global Development Group
7 * Portions Copyright (c) 1994, Regents of the University of California
8 *
9 * IDENTIFICATION
10 * src/backend/libpq/be-gssapi-common.c
11 *
12 *-------------------------------------------------------------------------
13 */
14
15#include "postgres.h"
16
17#include "libpq/be-gssapi-common.h"
18
19/*
20 * Fetch all errors of a specific type and append to "s" (buffer of size len).
21 * If we obtain more than one string, separate them with spaces.
22 * Call once for GSS_CODE and once for MECH_CODE.
23 */
24static void
25 pg_GSS_error_int(char *s, size_t len, OM_uint32 stat, int type)
26{
27 gss_buffer_desc gmsg;
28 size_t i = 0;
29 OM_uint32 lmin_s,
30 msg_ctx = 0;
31
32 do
33 {
34 if (gss_display_status(&lmin_s, stat, type, GSS_C_NO_OID,
35 &msg_ctx, &gmsg) != GSS_S_COMPLETE)
36 break;
37 if (i > 0)
38 {
39 if (i < len)
40 s[i] = ' ';
41 i++;
42 }
43 if (i < len)
44 memcpy(s + i, gmsg.value, Min(len - i, gmsg.length));
45 i += gmsg.length;
46 gss_release_buffer(&lmin_s, &gmsg);
47 }
48 while (msg_ctx);
49
50 /* add nul termination */
51 if (i < len)
52 s[i] = '0円';
53 else
54 {
55 elog(COMMERROR, "incomplete GSS error report");
56 s[len - 1] = '0円';
57 }
58}
59
60/*
61 * Report the GSSAPI error described by maj_stat/min_stat.
62 *
63 * errmsg should be an already-translated primary error message.
64 * The GSSAPI info is appended as errdetail.
65 *
66 * The error is always reported with elevel COMMERROR; we daren't try to
67 * send it to the client, as that'd likely lead to infinite recursion
68 * when elog.c tries to write to the client.
69 *
70 * To avoid memory allocation, total error size is capped (at 128 bytes for
71 * each of major and minor). No known mechanisms will produce error messages
72 * beyond this cap.
73 */
74void
75 pg_GSS_error(const char *errmsg,
76 OM_uint32 maj_stat, OM_uint32 min_stat)
77{
78 char msg_major[128],
79 msg_minor[128];
80
81 /* Fetch major status message */
82 pg_GSS_error_int(msg_major, sizeof(msg_major), maj_stat, GSS_C_GSS_CODE);
83
84 /* Fetch mechanism minor status message */
85 pg_GSS_error_int(msg_minor, sizeof(msg_minor), min_stat, GSS_C_MECH_CODE);
86
87 /*
88 * errmsg_internal, since translation of the first part must be done
89 * before calling this function anyway.
90 */
91 ereport(COMMERROR,
92 (errmsg_internal("%s", errmsg),
93 errdetail_internal("%s: %s", msg_major, msg_minor)));
94}
95
96/*
97 * Store the credentials passed in into the memory cache for later usage.
98 *
99 * This allows credentials to be delegated to us for us to use to connect
100 * to other systems with, using, e.g. postgres_fdw or dblink.
101 */
102 #define GSS_MEMORY_CACHE "MEMORY:"
103void
104 pg_store_delegated_credential(gss_cred_id_t cred)
105{
106 OM_uint32 major,
107 minor;
108 gss_OID_set mech;
109 gss_cred_usage_t usage;
110 gss_key_value_element_desc cc;
111 gss_key_value_set_desc ccset;
112
113 cc.key = "ccache";
114 cc.value = GSS_MEMORY_CACHE;
115 ccset.count = 1;
116 ccset.elements = &cc;
117
118 /* Make the delegated credential only available to current process */
119 major = gss_store_cred_into(&minor,
120 cred,
121 GSS_C_INITIATE, /* credential only used for
122 * starting libpq connection */
123 GSS_C_NULL_OID, /* store all */
124 true, /* overwrite */
125 true, /* make default */
126 &ccset,
127 &mech,
128 &usage);
129
130 if (major != GSS_S_COMPLETE)
131 {
132 pg_GSS_error("gss_store_cred", major, minor);
133 }
134
135 /* Credential stored, so we can release our credential handle. */
136 major = gss_release_cred(&minor, &cred);
137 if (major != GSS_S_COMPLETE)
138 {
139 pg_GSS_error("gss_release_cred", major, minor);
140 }
141
142 /*
143 * Set KRB5CCNAME for this backend, so that later calls to
144 * gss_acquire_cred will find the delegated credentials we stored.
145 */
146 setenv("KRB5CCNAME", GSS_MEMORY_CACHE, 1);
147}
#define GSS_MEMORY_CACHE
void pg_store_delegated_credential(gss_cred_id_t cred)
static void pg_GSS_error_int(char *s, size_t len, OM_uint32 stat, int type)
void pg_GSS_error(const char *errmsg, OM_uint32 maj_stat, OM_uint32 min_stat)
#define Min(x, y)
Definition: c.h:1003
int errmsg_internal(const char *fmt,...)
Definition: elog.c:1161
int errdetail_internal(const char *fmt,...)
Definition: elog.c:1234
int errmsg(const char *fmt,...)
Definition: elog.c:1071
#define COMMERROR
Definition: elog.h:33
#define elog(elevel,...)
Definition: elog.h:226
#define ereport(elevel,...)
Definition: elog.h:150
i
int i
Definition: isn.c:77
const void size_t len
Definition: win32_port.h:255
static void usage(const char *progname)
Definition: vacuumlo.c:414
const char * type
#define setenv(x, y, z)
Definition: win32_port.h:545

AltStyle によって変換されたページ (->オリジナル) /