Patch for Kerberos V.
authorBruce Momjian <bruce@momjian.us>
Sat, 27 May 2000 03:39:33 +0000 (03:39 +0000)
committerBruce Momjian <bruce@momjian.us>
Sat, 27 May 2000 03:39:33 +0000 (03:39 +0000)
Most (nearly all) of the work was done by David Wragg <dpw@doc.ic.ac.uk>

He patched 6.5.3. I've updated it for 7.0RC5.

It works for MIT kerberos 1.1.1 (and previously for 1.0.6 as well).

I've got the patch against 6.5.3, plus kerberized RPMS.

Mike Wyer <mw@doc.ic.ac.uk>     ||         "Woof?"

src/Makefile.global.in
src/backend/libpq/auth.c
src/interfaces/libpq/Makefile.in
src/interfaces/libpq/fe-auth.c
src/interfaces/libpq/libpq-int.h

index 774a56c07f1fa0876c39d551426072992f08d45c..24ccbb750a16bb3632c20968366bf62c5f57abb5 100644 (file)
@@ -7,7 +7,7 @@
 #
 #
 # IDENTIFICATION
-#    $Header: /cvsroot/pgsql/src/Makefile.global.in,v 1.71 2000/05/23 02:12:46 tgl Exp $
+#    $Header: /cvsroot/pgsql/src/Makefile.global.in,v 1.72 2000/05/27 03:39:31 momjian Exp $
 #
 # NOTES
 #    Essentially all Postgres make files include this file and use the
@@ -120,7 +120,7 @@ ENFORCE_ALIGNMENT= true
 # Set KRBVERS to "4" for Kerberos v4, "5" for Kerberos v5.
 # XXX Edit the default Kerberos variables below!
 #
-#KRBVERS= 5
+KRBVERS=5
 
 # Globally pass Kerberos file locations.
 # these are used in the postmaster and all libpq applications.
@@ -132,9 +132,9 @@ ENFORCE_ALIGNMENT= true
 # PG_KRB_SRVTAB is the location of the server's keytab file.
 #
 ifdef KRBVERS
-KRBINCS= -I/usr/athena/include
-KRBLIBS= -L/usr/athena/lib
-KRBFLAGS+= $(KRBINCS) -DPG_KRB_SRVNAM='"postgres_dbms"'
+KRBINCS= -I/usr/krb5/include
+KRBLIBS= -L/usr/krb5/lib
+KRBFLAGS+= $(KRBINCS) -DPG_KRB_SRVNAM='"postgres"'
    ifeq ($(KRBVERS), 4)
 KRBFLAGS+= -DKRB4
 KRBFLAGS+= -DPG_KRB_SRVTAB='"/etc/srvtab"'
@@ -142,8 +142,8 @@ KRBLIBS+= -lkrb -ldes
    else
    ifeq ($(KRBVERS), 5)
 KRBFLAGS+= -DKRB5
-KRBFLAGS+= -DPG_KRB_SRVTAB='"FILE:/krb5/srvtab.postgres"'
-KRBLIBS+= -lkrb5 -lcrypto -lcom_err -lisode
+KRBFLAGS+= -DPG_KRB_SRVTAB='"FILE:/usr/local/postgres/krb5.keytab"'
+KRBLIBS+= -lkrb5 -lcrypto -lcom_err
    endif
    endif
 endif
index 890be537c2e745bf462e1d92e6b97c0aaccb2b41..2fc29a5712e89caedcb5084d037d83c89cc1fb03 100644 (file)
@@ -8,7 +8,7 @@
  *
  *
  * IDENTIFICATION
- *       $Header: /cvsroot/pgsql/src/backend/libpq/auth.c,v 1.44 2000/04/12 17:15:13 momjian Exp $
+ *       $Header: /cvsroot/pgsql/src/backend/libpq/auth.c,v 1.45 2000/05/27 03:39:31 momjian Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -149,7 +149,8 @@ pg_krb4_recvauth(Port *port)
  *----------------------------------------------------------------
  */
 
-#include "krb5/krb5.h"
+#include <krb5.h>
+#include <com_err.h>
 
 /*
  * pg_an_to_ln -- return the local name corresponding to an authentication
@@ -174,130 +175,134 @@ pg_an_to_ln(char *aname)
        return aname;
 }
 
+
 /*
- * pg_krb5_recvauth -- server routine to receive authentication information
- *                                        from the client
- *
- * We still need to compare the username obtained from the client's setup
- * packet to the authenticated name, as described in pg_krb4_recvauth. This
- * is a bit more problematic in v5, as described above in pg_an_to_ln.
- *
- * In addition, as described above in pg_krb5_sendauth, we still need to
- * canonicalize the server name v4-style before constructing a principal
- * from it.  Again, this is kind of iffy.
- *
- * Finally, we need to tangle with the fact that v5 doesn't let you explicitly
- * set server keytab file names -- you have to feed lower-level routines a
- * function to retrieve the contents of a keytab, along with a single argument
- * that allows them to open the keytab.  We assume that a server keytab is
- * always a real file so we can allow people to specify their own filenames.
- * (This is important because the POSTGRES keytab needs to be readable by
- * non-root users/groups; the v4 tools used to force you do dump a whole
- * host's worth of keys into a file, effectively forcing you to use one file,
- * but kdb5_edit allows you to select which principals to dump.  Yay!)
+ * Various krb5 state which is not connection specfic, and a flag to
+ * indicate whether we have initialised it yet.
  */
+static int pg_krb5_initialised;
+static krb5_context pg_krb5_context;
+static krb5_keytab pg_krb5_keytab;
+static krb5_principal pg_krb5_server;
+
+
 static int
-pg_krb5_recvauth(Port *port)
+pg_krb5_init(void)
 {
-       char            servbuf[MAXHOSTNAMELEN + 1 +
-                                                                       sizeof(PG_KRB_SRVNAM)];
-       char       *hostp,
-                          *kusername = (char *) NULL;
-       krb5_error_code code;
-       krb5_principal client,
-                               server;
-       krb5_address sender_addr;
-       krb5_rdreq_key_proc keyproc = (krb5_rdreq_key_proc) NULL;
-       krb5_pointer keyprocarg = (krb5_pointer) NULL;
+       krb5_error_code retval;
 
-       /*
-        * Set up server side -- since we have no ticket file to make this
-        * easy, we construct our own name and parse it.  See note on
-        * canonicalization above.
-        */
-       strcpy(servbuf, PG_KRB_SRVNAM);
-       *(hostp = servbuf + (sizeof(PG_KRB_SRVNAM) - 1)) = '/';
-       if (gethostname(++hostp, MAXHOSTNAMELEN) < 0)
-               strcpy(hostp, "localhost");
-       if (hostp = strchr(hostp, '.'))
-               *hostp = '\0';
-       if (code = krb5_parse_name(servbuf, &server))
-       {
+       if (pg_krb5_initialised)
+               return STATUS_OK;
+
+       retval = krb5_init_context(&pg_krb5_context);
+       if (retval) {
                snprintf(PQerrormsg, PQERRORMSG_LENGTH,
-               "pg_krb5_recvauth: Kerberos error %d in krb5_parse_name\n", code);
-               com_err("pg_krb5_recvauth", code, "in krb5_parse_name");
+                                "pg_krb5_init: krb5_init_context returned"
+                                " Kerberos error %d\n", retval);
+               com_err("postgres", retval, "while initializing krb5");
                return STATUS_ERROR;
        }
 
-       /*
-        * krb5_sendauth needs this to verify the address in the client
-        * authenticator.
-        */
-       sender_addr.addrtype = port->raddr.in.sin_family;
-       sender_addr.length = sizeof(port->raddr.in.sin_addr);
-       sender_addr.contents = (krb5_octet *) & (port->raddr.in.sin_addr);
-
-       if (strcmp(PG_KRB_SRVTAB, ""))
-       {
-               keyproc = krb5_kt_read_service_key;
-               keyprocarg = PG_KRB_SRVTAB;
+       retval = krb5_kt_resolve(pg_krb5_context, PG_KRB_SRVTAB, &pg_krb5_keytab);
+       if (retval) {
+               snprintf(PQerrormsg, PQERRORMSG_LENGTH,
+                                "pg_krb5_init: krb5_kt_resolve returned"
+                                " Kerberos error %d\n", retval);
+           com_err("postgres", retval, "while resolving keytab file %s",
+                               PG_KRB_SRVTAB);
+               krb5_free_context(pg_krb5_context);
+               return STATUS_ERROR;
        }
 
-       if (code = krb5_recvauth((krb5_pointer) & port->sock,
-                                                        PG_KRB5_VERSION,
-                                                        server,
-                                                        &sender_addr,
-                                                        (krb5_pointer) NULL,
-                                                        keyproc,
-                                                        keyprocarg,
-                                                        (char *) NULL,
-                                                        (krb5_int32 *) NULL,
-                                                        &client,
-                                                        (krb5_ticket **) NULL,
-                                                        (krb5_authenticator **) NULL))
-       {
+    retval = krb5_sname_to_principal(pg_krb5_context, NULL, PG_KRB_SRVNAM, 
+                                                                        KRB5_NT_SRV_HST, &pg_krb5_server);
+       if (retval) {
                snprintf(PQerrormsg, PQERRORMSG_LENGTH,
-                "pg_krb5_recvauth: Kerberos error %d in krb5_recvauth\n", code);
-               com_err("pg_krb5_recvauth", code, "in krb5_recvauth");
-               krb5_free_principal(server);
+                                "pg_krb5_init: krb5_sname_to_principal returned"
+                                " Kerberos error %d\n", retval);
+           com_err("postgres", retval, 
+                               "while getting server principal for service %s",
+                               PG_KRB_SRVTAB);
+               krb5_kt_close(pg_krb5_context, pg_krb5_keytab);
+               krb5_free_context(pg_krb5_context);
                return STATUS_ERROR;
        }
-       krb5_free_principal(server);
+
+       pg_krb5_initialised = 1;
+       return STATUS_OK;
+}
+
+
+/*
+ * pg_krb5_recvauth -- server routine to receive authentication information
+ *                                        from the client
+ *
+ * We still need to compare the username obtained from the client's setup
+ * packet to the authenticated name, as described in pg_krb4_recvauth. This
+ * is a bit more problematic in v5, as described above in pg_an_to_ln.
+ *
+ * We have our own keytab file because postgres is unlikely to run as root,
+ * and so cannot read the default keytab.
+ */
+static int
+pg_krb5_recvauth(Port *port)
+{
+       krb5_error_code retval;
+       int ret;
+       krb5_auth_context auth_context = NULL;
+       krb5_ticket *ticket;
+    char *kusername;
+
+       ret = pg_krb5_init();
+       if (ret != STATUS_OK)
+               return ret;
+
+       retval = krb5_recvauth(pg_krb5_context, &auth_context,
+                                                  (krb5_pointer)&port->sock, PG_KRB_SRVNAM,
+                                                  pg_krb5_server, 0, pg_krb5_keytab, &ticket);
+       if (retval) {
+               snprintf(PQerrormsg, PQERRORMSG_LENGTH,
+                                "pg_krb5_recvauth: krb5_recvauth returned"
+                                " Kerberos error %d\n", retval);
+           com_err("postgres", retval, "from krb5_recvauth");
+               return STATUS_ERROR;
+       }                                                  
 
        /*
         * The "client" structure comes out of the ticket and is therefore
         * authenticated.  Use it to check the username obtained from the
         * postmaster startup packet.
+        *
+        * I have no idea why this is considered necessary.
         */
-       if ((code = krb5_unparse_name(client, &kusername)))
-       {
+    retval = krb5_unparse_name(pg_krb5_context, 
+                                                          ticket->enc_part2->client, &kusername);
+       if (retval) {
                snprintf(PQerrormsg, PQERRORMSG_LENGTH,
-                                "pg_krb5_recvauth: Kerberos error %d in krb5_unparse_name\n", code);
-               com_err("pg_krb5_recvauth", code, "in krb5_unparse_name");
-               krb5_free_principal(client);
-               return STATUS_ERROR;
-       }
-       krb5_free_principal(client);
-       if (!kusername)
-       {
-               snprintf(PQerrormsg, PQERRORMSG_LENGTH,
-                                "pg_krb5_recvauth: could not decode username\n");
-               fputs(PQerrormsg, stderr);
-               pqdebug("%s", PQerrormsg);
+                                "pg_krb5_recvauth: krb5_unparse_name returned"
+                                " Kerberos error %d\n", retval);
+           com_err("postgres", retval, "while unparsing client name");
+               krb5_free_ticket(pg_krb5_context, ticket);
+               krb5_auth_con_free(pg_krb5_context, auth_context);
                return STATUS_ERROR;
        }
+
        kusername = pg_an_to_ln(kusername);
-       if (strncmp(username, kusername, SM_USER))
+       if (strncmp(port->user, kusername, SM_USER))
        {
                snprintf(PQerrormsg, PQERRORMSG_LENGTH,
-                                "pg_krb5_recvauth: name \"%s\" != \"%s\"\n", port->user, kusername);
-               fputs(PQerrormsg, stderr);
-               pqdebug("%s", PQerrormsg);
-               pfree(kusername);
-               return STATUS_ERROR;
+                                "pg_krb5_recvauth: user name \"%s\" != krb5 name \"%s\"\n", 
+                                port->user, kusername);
+               ret = STATUS_ERROR;
        }
-       pfree(kusername);
-       return STATUS_OK;
+       else
+               ret = STATUS_OK;
+       
+       krb5_free_ticket(pg_krb5_context, ticket);
+       krb5_auth_con_free(pg_krb5_context, auth_context);
+       free(kusername);
+
+       return ret;
 }
 
 #else
index 0a4358a3faf13d06ea3725744982094fa454b666..90037ff5411bf1026c227aa1b3f0af1a07e37bde 100644 (file)
@@ -6,7 +6,7 @@
 # Copyright (c) 1994, Regents of the University of California
 #
 # IDENTIFICATION
-#    $Header: /cvsroot/pgsql/src/interfaces/libpq/Attic/Makefile.in,v 1.54 2000/04/14 00:42:06 tgl Exp $
+#    $Header: /cvsroot/pgsql/src/interfaces/libpq/Attic/Makefile.in,v 1.55 2000/05/27 03:39:33 momjian Exp $
 #
 #-------------------------------------------------------------------------
 
@@ -21,6 +21,7 @@ CFLAGS+= -DFRONTEND
 
 ifdef KRBVERS
 CFLAGS+= $(KRBFLAGS)
+SHLIB_LINK += $(KRBLIBS)
 endif
 
 OBJS= fe-auth.o fe-connect.o fe-exec.o fe-misc.o fe-print.o fe-lobj.o \
index bf5a21bee9aa3a3e1e014cda4fb23da7d3f9fe5f..1e61f3002e7e819c71b340c3554004cd2322f2ee 100644 (file)
@@ -10,7 +10,7 @@
  * exceed INITIAL_EXPBUFFER_SIZE (currently 256 bytes).
  *
  * IDENTIFICATION
- *       $Header: /cvsroot/pgsql/src/interfaces/libpq/fe-auth.c,v 1.39 2000/04/12 17:17:13 momjian Exp $
+ *       $Header: /cvsroot/pgsql/src/interfaces/libpq/fe-auth.c,v 1.40 2000/05/27 03:39:33 momjian Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -39,6 +39,7 @@
 #include "win32.h"
 #else
 #include <unistd.h>
+#include <fcntl.h>
 #include <sys/param.h>                 /* for MAXHOSTNAMELEN on most */
 #ifndef  MAXHOSTNAMELEN
 #include <netdb.h>                             /* for MAXHOSTNAMELEN on some */
@@ -234,7 +235,8 @@ pg_krb4_sendauth(const char *PQerrormsg, int sock,
  *----------------------------------------------------------------
  */
 
-#include "krb5/krb5.h"
+#include <krb5.h>
+#include <com_err.h>
 
 /*
  * pg_an_to_ln -- return the local name corresponding to an authentication
@@ -250,7 +252,7 @@ pg_krb4_sendauth(const char *PQerrormsg, int sock,
  *        and we can't afford to punt.
  */
 static char *
-pg_an_to_ln(const char *aname)
+pg_an_to_ln(char *aname)
 {
        char       *p;
 
@@ -261,197 +263,160 @@ pg_an_to_ln(const char *aname)
 
 
 /*
- * pg_krb5_init -- initialization performed before any Kerberos calls are made
- *
- * With v5, we can no longer set the ticket (credential cache) file name;
- * we now have to provide a file handle for the open (well, "resolved")
- * ticket file everywhere.
- *
+ * Various krb5 state which is not connection specfic, and a flag to
+ * indicate whether we have initialised it yet.
  */
+static int pg_krb5_initialised;
+static krb5_context pg_krb5_context;
+static krb5_ccache pg_krb5_ccache;
+static krb5_principal pg_krb5_client;
+static char *pg_krb5_name;
+
+
 static int
-                       krb5_ccache
-pg_krb5_init(void)
+pg_krb5_init(char *PQerrormsg)
 {
-       krb5_error_code code;
-       char       *realm,
-                          *defname;
-       char            tktbuf[MAXPGPATH];
-       static krb5_ccache ccache = (krb5_ccache) NULL;
+       krb5_error_code retval;
 
-       if (ccache)
-               return ccache;
+       if (pg_krb5_initialised)
+               return STATUS_OK;
 
-       /*
-        * If the user set PGREALM, then we use a ticket file with a special
-        * name: <usual-ticket-file-name>@<PGREALM-value>
-        */
-       if (!(defname = krb5_cc_default_name()))
-       {
-               (void) sprintf(PQerrormsg,
-                                          "pg_krb5_init: krb5_cc_default_name failed\n");
-               return (krb5_ccache) NULL;
-       }
-       strcpy(tktbuf, defname);
-       if (realm = getenv("PGREALM"))
-       {
-               strcat(tktbuf, "@");
-               strcat(tktbuf, realm);
+       retval = krb5_init_context(&pg_krb5_context);
+       if (retval) {
+               snprintf(PQerrormsg, PQERRORMSG_LENGTH,
+                                "pg_krb5_init: krb5_init_context: %s",
+                                error_message(retval));
+               return STATUS_ERROR;
        }
 
-       if (code = krb5_cc_resolve(tktbuf, &ccache))
-       {
-               (void) sprintf(PQerrormsg,
-                  "pg_krb5_init: Kerberos error %d in krb5_cc_resolve\n", code);
-               com_err("pg_krb5_init", code, "in krb5_cc_resolve");
-               return (krb5_ccache) NULL;
-       }
-       return ccache;
+       retval = krb5_cc_default(pg_krb5_context, &pg_krb5_ccache);
+       if (retval) {
+               snprintf(PQerrormsg, PQERRORMSG_LENGTH,
+                                "pg_krb5_init: krb5_cc_default: %s",
+                                error_message(retval));
+               krb5_free_context(pg_krb5_context);
+               return STATUS_ERROR;
+    }
+
+    retval = krb5_cc_get_principal(pg_krb5_context, pg_krb5_ccache, 
+                                                                  &pg_krb5_client);
+       if (retval) {
+               snprintf(PQerrormsg, PQERRORMSG_LENGTH,
+                                "pg_krb5_init: krb5_cc_get_principal: %s",
+                                error_message(retval));
+               krb5_cc_close(pg_krb5_context, pg_krb5_ccache);
+               krb5_free_context(pg_krb5_context);
+               return STATUS_ERROR;
+    }
+
+    retval = krb5_unparse_name(pg_krb5_context, pg_krb5_client, &pg_krb5_name);
+       if (retval) {
+               snprintf(PQerrormsg, PQERRORMSG_LENGTH,
+                                "pg_krb5_init: krb5_unparse_name: %s",
+                                error_message(retval));
+               krb5_free_principal(pg_krb5_context, pg_krb5_client);
+               krb5_cc_close(pg_krb5_context, pg_krb5_ccache);
+               krb5_free_context(pg_krb5_context);
+               return STATUS_ERROR;
+       }       
+
+       pg_krb5_name = pg_an_to_ln(pg_krb5_name);
+
+       pg_krb5_initialised = 1;
+       return STATUS_OK;
 }
 
+
 /*
  * pg_krb5_authname -- returns a pointer to static space containing whatever
  *                                        name the user has authenticated to the system
- *
- * We obtain this information by digging around in the ticket file.
- */
+  */
 static const char *
-pg_krb5_authname(const char *PQerrormsg)
+pg_krb5_authname(char *PQerrormsg)
 {
-       krb5_ccache ccache;
-       krb5_principal principal;
-       krb5_error_code code;
-       static char *authname = (char *) NULL;
-
-       if (authname)
-               return authname;
+       if (pg_krb5_init(PQerrormsg) != STATUS_OK)
+               return NULL;
 
-       ccache = pg_krb5_init();        /* don't free this */
-
-       if (code = krb5_cc_get_principal(ccache, &principal))
-       {
-               (void) sprintf(PQerrormsg,
-                                          "pg_krb5_authname: Kerberos error %d in krb5_cc_get_principal\n", code);
-               com_err("pg_krb5_authname", code, "in krb5_cc_get_principal");
-               return (char *) NULL;
-       }
-       if (code = krb5_unparse_name(principal, &authname))
-       {
-               (void) sprintf(PQerrormsg,
-                                          "pg_krb5_authname: Kerberos error %d in krb5_unparse_name\n", code);
-               com_err("pg_krb5_authname", code, "in krb5_unparse_name");
-               krb5_free_principal(principal);
-               return (char *) NULL;
-       }
-       krb5_free_principal(principal);
-       return pg_an_to_ln(authname);
+       return pg_krb5_name;
 }
 
+
 /*
  * pg_krb5_sendauth -- client routine to send authentication information to
  *                                        the server
- *
- * This routine does not do mutual authentication, nor does it return enough
- * information to do encrypted connections.  But then, if we want to do
- * encrypted connections, we'll have to redesign the whole RPC mechanism
- * anyway.
- *
- * Server hostnames are canonicalized v4-style, i.e., all domain suffixes
- * are simply chopped off.     Hence, we are assuming that you've entered your
- * server instances as
- *             <value-of-PG_KRB_SRVNAM>/<canonicalized-hostname>
- * in the PGREALM (or local) database. This is probably a bad assumption.
  */
 static int
-pg_krb5_sendauth(const char *PQerrormsg, int sock,
+pg_krb5_sendauth(char *PQerrormsg, int sock,
                                 struct sockaddr_in * laddr,
                                 struct sockaddr_in * raddr,
                                 const char *hostname)
 {
-       char            servbuf[MAXHOSTNAMELEN + 1 +
-                                                                       sizeof(PG_KRB_SRVNAM)];
-       const char *hostp;
-       const char *realm;
-       krb5_error_code code;
-       krb5_principal client,
-                               server;
-       krb5_ccache ccache;
-       krb5_error *error = (krb5_error *) NULL;
-
-       ccache = pg_krb5_init();        /* don't free this */
-
-       /*
-        * set up client -- this is easy, we can get it out of the ticket
-        * file.
-        */
-       if (code = krb5_cc_get_principal(ccache, &client))
-       {
-               (void) sprintf(PQerrormsg,
-                                          "pg_krb5_sendauth: Kerberos error %d in krb5_cc_get_principal\n", code);
-               com_err("pg_krb5_sendauth", code, "in krb5_cc_get_principal");
+       krb5_error_code retval;
+       int ret;
+       krb5_principal server;
+       krb5_auth_context auth_context = NULL;
+    krb5_error *err_ret = NULL;
+       int flags;
+
+       ret = pg_krb5_init(PQerrormsg);
+       if (ret != STATUS_OK)
+               return ret;
+
+       retval = krb5_sname_to_principal(pg_krb5_context, hostname, PG_KRB_SRVNAM, 
+                                                                        KRB5_NT_SRV_HST, &server);
+       if (retval) {
+               snprintf(PQerrormsg, PQERRORMSG_LENGTH,
+                                "pg_krb5_sendauth: krb5_sname_to_principal: %s",
+                                error_message(retval));
                return STATUS_ERROR;
        }
 
-       /*
-        * set up server -- canonicalize as described above
+       /* 
+        * libpq uses a non-blocking socket. But kerberos needs a blocking
+        * socket, and we have to block somehow to do mutual authentication
+        * anyway. So we temporarily make it blocking.
         */
-       strcpy(servbuf, PG_KRB_SRVNAM);
-       *(hostp = servbuf + (sizeof(PG_KRB_SRVNAM) - 1)) = '/';
-       if (hostname || *hostname)
-               strncpy(++hostp, hostname, MAXHOSTNAMELEN);
-       else
-       {
-               if (gethostname(++hostp, MAXHOSTNAMELEN) < 0)
-                       strcpy(hostp, "localhost");
-       }
-       if (hostp = strchr(hostp, '.'))
-               *hostp = '\0';
-       if (realm = getenv("PGREALM"))
-       {
-               strcat(servbuf, "@");
-               strcat(servbuf, realm);
-       }
-       if (code = krb5_parse_name(servbuf, &server))
-       {
-               (void) sprintf(PQerrormsg,
-               "pg_krb5_sendauth: Kerberos error %d in krb5_parse_name\n", code);
-               com_err("pg_krb5_sendauth", code, "in krb5_parse_name");
-               krb5_free_principal(client);
+       flags = fcntl(sock, F_GETFL);
+       if (flags < 0 || fcntl(sock, F_SETFL, (long)(flags & ~O_NONBLOCK))) {
+               snprintf(PQerrormsg, PQERRORMSG_LENGTH,
+                                "pg_krb5_sendauth: fcntl: %s", strerror(errno));
+               krb5_free_principal(pg_krb5_context, server);
                return STATUS_ERROR;
        }
 
-       /*
-        * The only thing we want back from krb5_sendauth is an error status
-        * and any error messages.
-        */
-       if (code = krb5_sendauth((krb5_pointer) & sock,
-                                                        PG_KRB5_VERSION,
-                                                        client,
-                                                        server,
-                                                        (krb5_flags) 0,
-                                                        (krb5_checksum *) NULL,
-                                                        (krb5_creds *) NULL,
-                                                        ccache,
-                                                        (krb5_int32 *) NULL,
-                                                        (krb5_keyblock **) NULL,
-                                                        &error,
-                                                        (krb5_ap_rep_enc_part **) NULL))
-       {
-               if ((code == KRB5_SENDAUTH_REJECTED) && error)
-               {
-                       (void) sprintf(PQerrormsg,
-                                 "pg_krb5_sendauth: authentication rejected: \"%*s\"\n",
-                                                  error->text.length, error->text.data);
+       retval = krb5_sendauth(pg_krb5_context, &auth_context,
+                                                  (krb5_pointer) &sock, PG_KRB_SRVNAM,
+                                                  pg_krb5_client, server,
+                                                  AP_OPTS_MUTUAL_REQUIRED,
+                                                  NULL, 0,             /* no creds, use ccache instead */
+                                                  pg_krb5_ccache, &err_ret, NULL, NULL);
+       if (retval) {
+               if (retval == KRB5_SENDAUTH_REJECTED && err_ret) {
+                       snprintf(PQerrormsg, PQERRORMSG_LENGTH,
+                                        "pg_krb5_sendauth: authentication rejected: \"%*s\"",
+                                        err_ret->text.length, err_ret->text.data);
                }
-               else
-               {
-                       (void) sprintf(PQerrormsg,
-                                                  "pg_krb5_sendauth: Kerberos error %d in krb5_sendauth\n", code);
-                       com_err("pg_krb5_sendauth", code, "in krb5_sendauth");
+               else {
+                       snprintf(PQerrormsg, PQERRORMSG_LENGTH,
+                                        "pg_krb5_sendauth: krb5_sendauth: %s",
+                                        error_message(retval));
                }
+                       
+               if (err_ret)
+                       krb5_free_error(pg_krb5_context, err_ret);
+               
+               ret = STATUS_ERROR;
+       }
+
+       krb5_free_principal(pg_krb5_context, server);
+       
+       if (fcntl(sock, F_SETFL, (long)flags)) {
+               snprintf(PQerrormsg, PQERRORMSG_LENGTH,
+                                "pg_krb5_sendauth: fcntl: %s", strerror(errno));
+               ret = STATUS_ERROR;
        }
-       krb5_free_principal(client);
-       krb5_free_principal(server);
-       return code ? STATUS_ERROR : STATUS_OK;
+
+       return ret;
 }
 
 #endif  /* KRB5 */
index fbad5fc7a81d780ea3bda8378ab4ed6f58f6dfef..2943f23830fb8085b7300f78e8278e4de737363b 100644 (file)
@@ -12,7 +12,7 @@
  * Portions Copyright (c) 1996-2000, PostgreSQL, Inc
  * Portions Copyright (c) 1994, Regents of the University of California
  *
- * $Id: libpq-int.h,v 1.23 2000/04/12 17:17:15 momjian Exp $
+ * $Id: libpq-int.h,v 1.24 2000/05/27 03:39:33 momjian Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -50,6 +50,7 @@
  * POSTGRES backend dependent Constants.
  */
 
+#define PQERRORMSG_LENGTH 1024
 #define CMDSTATUS_LEN 40
 
 /*