be-gssapi-common_8c_source.html

/*-------------------------------------------------------------------------

 *

 * be-gssapi-common.c

 *     Common code for GSSAPI authentication and encryption

 *

 * Portions Copyright (c) 1996-2025, PostgreSQL Global Development Group

 * Portions Copyright (c) 1994, Regents of the University of California

 *

 * IDENTIFICATION

 *       src/backend/libpq/be-gssapi-common.c

 *

 *-------------------------------------------------------------------------

 */


#include "postgres.h"


#include "libpq/be-gssapi-common.h"


/*

 * Fetch all errors of a specific type and append to "s" (buffer of size len).

 * If we obtain more than one string, separate them with spaces.

 * Call once for GSS_CODE and once for MECH_CODE.

 */

static void

pg_GSS_error_int(char *s, size_t len, OM_uint32 stat, int type)

{

    gss_buffer_desc gmsg;

    size_t      i = 0;

    OM_uint32   lmin_s,

                msg_ctx = 0;


    do

    {

        if (gss_display_status(&lmin_s, stat, type, GSS_C_NO_OID,

                               &msg_ctx, &gmsg) != GSS_S_COMPLETE)

            break;

        if (i > 0)

        {

            if (i < len)

                s[i] = ' ';

            i++;

        }

        if (i < len)

            memcpy(s + i, gmsg.value, Min(len - i, gmsg.length));

        i += gmsg.length;

        gss_release_buffer(&lmin_s, &gmsg);

    }

    while (msg_ctx);


    /* add nul termination */

    if (i < len)

        s[i] = '\0';

    else

    {

        elog(COMMERROR, "incomplete GSS error report");

        s[len - 1] = '\0';

    }

}


/*

 * Report the GSSAPI error described by maj_stat/min_stat.

 *

 * errmsg should be an already-translated primary error message.

 * The GSSAPI info is appended as errdetail.

 *

 * The error is always reported with elevel COMMERROR; we daren't try to

 * send it to the client, as that'd likely lead to infinite recursion

 * when elog.c tries to write to the client.

 *

 * To avoid memory allocation, total error size is capped (at 128 bytes for

 * each of major and minor).  No known mechanisms will produce error messages

 * beyond this cap.

 */

void

pg_GSS_error(const char *errmsg,

             OM_uint32 maj_stat, OM_uint32 min_stat)

{

    char        msg_major[128],

                msg_minor[128];


    /* Fetch major status message */

    pg_GSS_error_int(msg_major, sizeof(msg_major), maj_stat, GSS_C_GSS_CODE);


    /* Fetch mechanism minor status message */

    pg_GSS_error_int(msg_minor, sizeof(msg_minor), min_stat, GSS_C_MECH_CODE);


    /*

     * errmsg_internal, since translation of the first part must be done

     * before calling this function anyway.

     */

    ereport(COMMERROR,

            (errmsg_internal("%s", errmsg),

             errdetail_internal("%s: %s", msg_major, msg_minor)));

}


/*

 * Store the credentials passed in into the memory cache for later usage.

 *

 * This allows credentials to be delegated to us for us to use to connect

 * to other systems with, using, e.g. postgres_fdw or dblink.

 */

#define GSS_MEMORY_CACHE "MEMORY:"

void

pg_store_delegated_credential(gss_cred_id_t cred)

{

    OM_uint32   major,

                minor;

    gss_OID_set mech;

    gss_cred_usage_t usage;

    gss_key_value_element_desc cc;

    gss_key_value_set_desc ccset;


    cc.key = "ccache";

    cc.value = GSS_MEMORY_CACHE;

    ccset.count = 1;

    ccset.elements = &cc;


    /* Make the delegated credential only available to current process */

    major = gss_store_cred_into(&minor,

                                cred,

                                GSS_C_INITIATE, /* credential only used for

                                                 * starting libpq connection */

                                GSS_C_NULL_OID, /* store all */

                                true,   /* overwrite */

                                true,   /* make default */

                                &ccset,

                                &mech,

                                &usage);


    if (major != GSS_S_COMPLETE)

    {

        pg_GSS_error("gss_store_cred", major, minor);

    }


    /* Credential stored, so we can release our credential handle. */

    major = gss_release_cred(&minor, &cred);

    if (major != GSS_S_COMPLETE)

    {

        pg_GSS_error("gss_release_cred", major, minor);

    }


    /*

     * Set KRB5CCNAME for this backend, so that later calls to

     * gss_acquire_cred will find the delegated credentials we stored.

     */

    setenv("KRB5CCNAME", GSS_MEMORY_CACHE, 1);

}

GSS_MEMORY_CACHE
#define GSS_MEMORY_CACHE
Definition: be-gssapi-common.c:102

pg_store_delegated_credential
void pg_store_delegated_credential(gss_cred_id_t cred)
Definition: be-gssapi-common.c:104

pg_GSS_error_int
static void pg_GSS_error_int(char *s, size_t len, OM_uint32 stat, int type)
Definition: be-gssapi-common.c:25

pg_GSS_error
void pg_GSS_error(const char *errmsg, OM_uint32 maj_stat, OM_uint32 min_stat)
Definition: be-gssapi-common.c:75

be-gssapi-common.h

Min
#define Min(x, y)
Definition: c.h:961

errmsg_internal
int errmsg_internal(const char *fmt,...)
Definition: elog.c:1157

errdetail_internal
int errdetail_internal(const char *fmt,...)
Definition: elog.c:1230

errmsg
int errmsg(const char *fmt,...)
Definition: elog.c:1070

COMMERROR
#define COMMERROR
Definition: elog.h:33

elog
#define elog(elevel,...)
Definition: elog.h:225

ereport
#define ereport(elevel,...)
Definition: elog.h:149

i
int i
Definition: isn.c:72

len
const void size_t len
Definition: pg_crc32c_sse42.c:25

postgres.h

stat
Definition: win32_port.h:255

usage
static void usage(const char *progname)
Definition: vacuumlo.c:414

type
const char * type
Definition: wait_event_funcs.c:27

setenv
#define setenv(x, y, z)
Definition: win32_port.h:545