PostgreSQL Source Code  git master
be-secure-gssapi.c
Go to the documentation of this file.
1 /*-------------------------------------------------------------------------
2  *
3  * be-secure-gssapi.c
4  * GSSAPI encryption support
5  *
6  * Portions Copyright (c) 2018-2024, PostgreSQL Global Development Group
7  *
8  * IDENTIFICATION
9  * src/backend/libpq/be-secure-gssapi.c
10  *
11  *-------------------------------------------------------------------------
12  */
13 
14 #include "postgres.h"
15 
16 #include <unistd.h>
17 
18 #include "libpq/auth.h"
19 #include "libpq/be-gssapi-common.h"
20 #include "libpq/libpq.h"
21 #include "libpq/pqformat.h"
22 #include "miscadmin.h"
23 #include "pgstat.h"
24 #include "utils/memutils.h"
25 
26 
27 /*
28  * Handle the encryption/decryption of data using GSSAPI.
29  *
30  * In the encrypted data stream on the wire, we break up the data
31  * into packets where each packet starts with a uint32-size length
32  * word (in network byte order), then encrypted data of that length
33  * immediately following. Decryption yields the same data stream
34  * that would appear when not using encryption.
35  *
36  * Encrypted data typically ends up being larger than the same data
37  * unencrypted, so we use fixed-size buffers for handling the
38  * encryption/decryption which are larger than PQComm's buffer will
39  * typically be to minimize the times where we have to make multiple
40  * packets (and therefore multiple recv/send calls for a single
41  * read/write call to us).
42  *
43  * NOTE: The client and server have to agree on the max packet size,
44  * because we have to pass an entire packet to GSSAPI at a time and we
45  * don't want the other side to send arbitrarily huge packets as we
46  * would have to allocate memory for them to then pass them to GSSAPI.
47  *
48  * Therefore, these two #define's are effectively part of the protocol
49  * spec and can't ever be changed.
50  */
51 #define PQ_GSS_SEND_BUFFER_SIZE 16384
52 #define PQ_GSS_RECV_BUFFER_SIZE 16384
53 
54 /*
55  * Since we manage at most one GSS-encrypted connection per backend,
56  * we can just keep all this state in static variables. The char *
57  * variables point to buffers that are allocated once and re-used.
58  */
59 static char *PqGSSSendBuffer; /* Encrypted data waiting to be sent */
60 static int PqGSSSendLength; /* End of data available in PqGSSSendBuffer */
61 static int PqGSSSendNext; /* Next index to send a byte from
62  * PqGSSSendBuffer */
63 static int PqGSSSendConsumed; /* Number of source bytes encrypted but not
64  * yet reported as sent */
65 
66 static char *PqGSSRecvBuffer; /* Received, encrypted data */
67 static int PqGSSRecvLength; /* End of data available in PqGSSRecvBuffer */
68 
69 static char *PqGSSResultBuffer; /* Decryption of data in gss_RecvBuffer */
70 static int PqGSSResultLength; /* End of data available in PqGSSResultBuffer */
71 static int PqGSSResultNext; /* Next index to read a byte from
72  * PqGSSResultBuffer */
73 
74 static uint32 PqGSSMaxPktSize; /* Maximum size we can encrypt and fit the
75  * results into our output buffer */
76 
77 
78 /*
79  * Attempt to write len bytes of data from ptr to a GSSAPI-encrypted connection.
80  *
81  * The connection must be already set up for GSSAPI encryption (i.e., GSSAPI
82  * transport negotiation is complete).
83  *
84  * On success, returns the number of data bytes consumed (possibly less than
85  * len). On failure, returns -1 with errno set appropriately. For retryable
86  * errors, caller should call again (passing the same or more data) once the
87  * socket is ready.
88  *
89  * Dealing with fatal errors here is a bit tricky: we can't invoke elog(FATAL)
90  * since it would try to write to the client, probably resulting in infinite
91  * recursion. Instead, use elog(COMMERROR) to log extra info about the
92  * failure if necessary, and then return an errno indicating connection loss.
93  */
94 ssize_t
95 be_gssapi_write(Port *port, void *ptr, size_t len)
96 {
97  OM_uint32 major,
98  minor;
99  gss_buffer_desc input,
100  output;
101  size_t bytes_to_encrypt;
102  size_t bytes_encrypted;
103  gss_ctx_id_t gctx = port->gss->ctx;
104 
105  /*
106  * When we get a retryable failure, we must not tell the caller we have
107  * successfully transmitted everything, else it won't retry. For
108  * simplicity, we claim we haven't transmitted anything until we have
109  * successfully transmitted all "len" bytes. Between calls, the amount of
110  * the current input data that's already been encrypted and placed into
111  * PqGSSSendBuffer (and perhaps transmitted) is remembered in
112  * PqGSSSendConsumed. On a retry, the caller *must* be sending that data
113  * again, so if it offers a len less than that, something is wrong.
114  *
115  * Note: it may seem attractive to report partial write completion once
116  * we've successfully sent any encrypted packets. However, that can cause
117  * problems for callers; notably, pqPutMsgEnd's heuristic to send only
118  * full 8K blocks interacts badly with such a hack. We won't save much,
119  * typically, by letting callers discard data early, so don't risk it.
120  */
121  if (len < PqGSSSendConsumed)
122  {
123  elog(COMMERROR, "GSSAPI caller failed to retransmit all data needing to be retried");
124  errno = ECONNRESET;
125  return -1;
126  }
127 
128  /* Discount whatever source data we already encrypted. */
129  bytes_to_encrypt = len - PqGSSSendConsumed;
130  bytes_encrypted = PqGSSSendConsumed;
131 
132  /*
133  * Loop through encrypting data and sending it out until it's all done or
134  * secure_raw_write() complains (which would likely mean that the socket
135  * is non-blocking and the requested send() would block, or there was some
136  * kind of actual error).
137  */
138  while (bytes_to_encrypt || PqGSSSendLength)
139  {
140  int conf_state = 0;
141  uint32 netlen;
142 
143  /*
144  * Check if we have data in the encrypted output buffer that needs to
145  * be sent (possibly left over from a previous call), and if so, try
146  * to send it. If we aren't able to, return that fact back up to the
147  * caller.
148  */
149  if (PqGSSSendLength)
150  {
151  ssize_t ret;
152  ssize_t amount = PqGSSSendLength - PqGSSSendNext;
153 
155  if (ret <= 0)
156  return ret;
157 
158  /*
159  * Check if this was a partial write, and if so, move forward that
160  * far in our buffer and try again.
161  */
162  if (ret < amount)
163  {
164  PqGSSSendNext += ret;
165  continue;
166  }
167 
168  /* We've successfully sent whatever data was in the buffer. */
170  }
171 
172  /*
173  * Check if there are any bytes left to encrypt. If not, we're done.
174  */
175  if (!bytes_to_encrypt)
176  break;
177 
178  /*
179  * Check how much we are being asked to send, if it's too much, then
180  * we will have to loop and possibly be called multiple times to get
181  * through all the data.
182  */
183  if (bytes_to_encrypt > PqGSSMaxPktSize)
184  input.length = PqGSSMaxPktSize;
185  else
186  input.length = bytes_to_encrypt;
187 
188  input.value = (char *) ptr + bytes_encrypted;
189 
190  output.value = NULL;
191  output.length = 0;
192 
193  /*
194  * Create the next encrypted packet. Any failure here is considered a
195  * hard failure, so we return -1 even if some data has been sent.
196  */
197  major = gss_wrap(&minor, gctx, 1, GSS_C_QOP_DEFAULT,
198  &input, &conf_state, &output);
199  if (major != GSS_S_COMPLETE)
200  {
201  pg_GSS_error(_("GSSAPI wrap error"), major, minor);
202  errno = ECONNRESET;
203  return -1;
204  }
205  if (conf_state == 0)
206  {
208  (errmsg("outgoing GSSAPI message would not use confidentiality")));
209  errno = ECONNRESET;
210  return -1;
211  }
212  if (output.length > PQ_GSS_SEND_BUFFER_SIZE - sizeof(uint32))
213  {
215  (errmsg("server tried to send oversize GSSAPI packet (%zu > %zu)",
216  (size_t) output.length,
217  PQ_GSS_SEND_BUFFER_SIZE - sizeof(uint32))));
218  errno = ECONNRESET;
219  return -1;
220  }
221 
222  bytes_encrypted += input.length;
223  bytes_to_encrypt -= input.length;
224  PqGSSSendConsumed += input.length;
225 
226  /* 4 network-order bytes of length, then payload */
227  netlen = pg_hton32(output.length);
228  memcpy(PqGSSSendBuffer + PqGSSSendLength, &netlen, sizeof(uint32));
229  PqGSSSendLength += sizeof(uint32);
230 
231  memcpy(PqGSSSendBuffer + PqGSSSendLength, output.value, output.length);
232  PqGSSSendLength += output.length;
233 
234  /* Release buffer storage allocated by GSSAPI */
235  gss_release_buffer(&minor, &output);
236  }
237 
238  /* If we get here, our counters should all match up. */
240  Assert(len == bytes_encrypted);
241 
242  /* We're reporting all the data as sent, so reset PqGSSSendConsumed. */
243  PqGSSSendConsumed = 0;
244 
245  return bytes_encrypted;
246 }
247 
248 /*
249  * Read up to len bytes of data into ptr from a GSSAPI-encrypted connection.
250  *
251  * The connection must be already set up for GSSAPI encryption (i.e., GSSAPI
252  * transport negotiation is complete).
253  *
254  * Returns the number of data bytes read, or on failure, returns -1
255  * with errno set appropriately. For retryable errors, caller should call
256  * again once the socket is ready.
257  *
258  * We treat fatal errors the same as in be_gssapi_write(), even though the
259  * argument about infinite recursion doesn't apply here.
260  */
261 ssize_t
262 be_gssapi_read(Port *port, void *ptr, size_t len)
263 {
264  OM_uint32 major,
265  minor;
266  gss_buffer_desc input,
267  output;
268  ssize_t ret;
269  size_t bytes_returned = 0;
270  gss_ctx_id_t gctx = port->gss->ctx;
271 
272  /*
273  * The plan here is to read one incoming encrypted packet into
274  * PqGSSRecvBuffer, decrypt it into PqGSSResultBuffer, and then dole out
275  * data from there to the caller. When we exhaust the current input
276  * packet, read another.
277  */
278  while (bytes_returned < len)
279  {
280  int conf_state = 0;
281 
282  /* Check if we have data in our buffer that we can return immediately */
284  {
285  size_t bytes_in_buffer = PqGSSResultLength - PqGSSResultNext;
286  size_t bytes_to_copy = Min(bytes_in_buffer, len - bytes_returned);
287 
288  /*
289  * Copy the data from our result buffer into the caller's buffer,
290  * at the point where we last left off filling their buffer.
291  */
292  memcpy((char *) ptr + bytes_returned, PqGSSResultBuffer + PqGSSResultNext, bytes_to_copy);
293  PqGSSResultNext += bytes_to_copy;
294  bytes_returned += bytes_to_copy;
295 
296  /*
297  * At this point, we've either filled the caller's buffer or
298  * emptied our result buffer. Either way, return to caller. In
299  * the second case, we could try to read another encrypted packet,
300  * but the odds are good that there isn't one available. (If this
301  * isn't true, we chose too small a max packet size.) In any
302  * case, there's no harm letting the caller process the data we've
303  * already returned.
304  */
305  break;
306  }
307 
308  /* Result buffer is empty, so reset buffer pointers */
310 
311  /*
312  * Because we chose above to return immediately as soon as we emit
313  * some data, bytes_returned must be zero at this point. Therefore
314  * the failure exits below can just return -1 without worrying about
315  * whether we already emitted some data.
316  */
317  Assert(bytes_returned == 0);
318 
319  /*
320  * At this point, our result buffer is empty with more bytes being
321  * requested to be read. We are now ready to load the next packet and
322  * decrypt it (entirely) into our result buffer.
323  */
324 
325  /* Collect the length if we haven't already */
326  if (PqGSSRecvLength < sizeof(uint32))
327  {
329  sizeof(uint32) - PqGSSRecvLength);
330 
331  /* If ret <= 0, secure_raw_read already set the correct errno */
332  if (ret <= 0)
333  return ret;
334 
335  PqGSSRecvLength += ret;
336 
337  /* If we still haven't got the length, return to the caller */
338  if (PqGSSRecvLength < sizeof(uint32))
339  {
340  errno = EWOULDBLOCK;
341  return -1;
342  }
343  }
344 
345  /* Decode the packet length and check for overlength packet */
346  input.length = pg_ntoh32(*(uint32 *) PqGSSRecvBuffer);
347 
348  if (input.length > PQ_GSS_RECV_BUFFER_SIZE - sizeof(uint32))
349  {
351  (errmsg("oversize GSSAPI packet sent by the client (%zu > %zu)",
352  (size_t) input.length,
353  PQ_GSS_RECV_BUFFER_SIZE - sizeof(uint32))));
354  errno = ECONNRESET;
355  return -1;
356  }
357 
358  /*
359  * Read as much of the packet as we are able to on this call into
360  * wherever we left off from the last time we were called.
361  */
363  input.length - (PqGSSRecvLength - sizeof(uint32)));
364  /* If ret <= 0, secure_raw_read already set the correct errno */
365  if (ret <= 0)
366  return ret;
367 
368  PqGSSRecvLength += ret;
369 
370  /* If we don't yet have the whole packet, return to the caller */
371  if (PqGSSRecvLength - sizeof(uint32) < input.length)
372  {
373  errno = EWOULDBLOCK;
374  return -1;
375  }
376 
377  /*
378  * We now have the full packet and we can perform the decryption and
379  * refill our result buffer, then loop back up to pass data back to
380  * the caller.
381  */
382  output.value = NULL;
383  output.length = 0;
384  input.value = PqGSSRecvBuffer + sizeof(uint32);
385 
386  major = gss_unwrap(&minor, gctx, &input, &output, &conf_state, NULL);
387  if (major != GSS_S_COMPLETE)
388  {
389  pg_GSS_error(_("GSSAPI unwrap error"), major, minor);
390  errno = ECONNRESET;
391  return -1;
392  }
393  if (conf_state == 0)
394  {
396  (errmsg("incoming GSSAPI message did not use confidentiality")));
397  errno = ECONNRESET;
398  return -1;
399  }
400 
401  memcpy(PqGSSResultBuffer, output.value, output.length);
402  PqGSSResultLength = output.length;
403 
404  /* Our receive buffer is now empty, reset it */
405  PqGSSRecvLength = 0;
406 
407  /* Release buffer storage allocated by GSSAPI */
408  gss_release_buffer(&minor, &output);
409  }
410 
411  return bytes_returned;
412 }
413 
414 /*
415  * Read the specified number of bytes off the wire, waiting using
416  * WaitLatchOrSocket if we would block.
417  *
418  * Results are read into PqGSSRecvBuffer.
419  *
420  * Will always return either -1, to indicate a permanent error, or len.
421  */
422 static ssize_t
424 {
425  ssize_t ret;
426 
427  /*
428  * Keep going until we either read in everything we were asked to, or we
429  * error out.
430  */
431  while (PqGSSRecvLength < len)
432  {
434 
435  /*
436  * If we got back an error and it wasn't just
437  * EWOULDBLOCK/EAGAIN/EINTR, then give up.
438  */
439  if (ret < 0 &&
440  !(errno == EWOULDBLOCK || errno == EAGAIN || errno == EINTR))
441  return -1;
442 
443  /*
444  * Ok, we got back either a positive value, zero, or a negative result
445  * indicating we should retry.
446  *
447  * If it was zero or negative, then we wait on the socket to be
448  * readable again.
449  */
450  if (ret <= 0)
451  {
454  port->sock, 0, WAIT_EVENT_GSS_OPEN_SERVER);
455 
456  /*
457  * If we got back zero bytes, and then waited on the socket to be
458  * readable and got back zero bytes on a second read, then this is
459  * EOF and the client hung up on us.
460  *
461  * If we did get data here, then we can just fall through and
462  * handle it just as if we got data the first time.
463  *
464  * Otherwise loop back to the top and try again.
465  */
466  if (ret == 0)
467  {
469  if (ret == 0)
470  return -1;
471  }
472  if (ret < 0)
473  continue;
474  }
475 
476  PqGSSRecvLength += ret;
477  }
478 
479  return len;
480 }
481 
482 /*
483  * Start up a GSSAPI-encrypted connection. This performs GSSAPI
484  * authentication; after this function completes, it is safe to call
485  * be_gssapi_read and be_gssapi_write. Returns -1 and logs on failure;
486  * otherwise, returns 0 and marks the connection as ready for GSSAPI
487  * encryption.
488  *
489  * Note that unlike the be_gssapi_read/be_gssapi_write functions, this
490  * function WILL block on the socket to be ready for read/write (using
491  * WaitLatchOrSocket) as appropriate while establishing the GSSAPI
492  * session.
493  */
494 ssize_t
496 {
497  bool complete_next = false;
498  OM_uint32 major,
499  minor;
500  gss_cred_id_t delegated_creds;
501 
502  /*
503  * Allocate subsidiary Port data for GSSAPI operations.
504  */
505  port->gss = (pg_gssinfo *)
506  MemoryContextAllocZero(TopMemoryContext, sizeof(pg_gssinfo));
507 
508  delegated_creds = GSS_C_NO_CREDENTIAL;
509  port->gss->delegated_creds = false;
510 
511  /*
512  * Allocate buffers and initialize state variables. By malloc'ing the
513  * buffers at this point, we avoid wasting static data space in processes
514  * that will never use them, and we ensure that the buffers are
515  * sufficiently aligned for the length-word accesses that we do in some
516  * places in this file.
517  */
522  ereport(FATAL,
523  (errcode(ERRCODE_OUT_OF_MEMORY),
524  errmsg("out of memory")));
527 
528  /*
529  * Use the configured keytab, if there is one. As we now require MIT
530  * Kerberos, we might consider using the credential store extensions in
531  * the future instead of the environment variable.
532  */
533  if (pg_krb_server_keyfile != NULL && pg_krb_server_keyfile[0] != '\0')
534  {
535  if (setenv("KRB5_KTNAME", pg_krb_server_keyfile, 1) != 0)
536  {
537  /* The only likely failure cause is OOM, so use that errcode */
538  ereport(FATAL,
539  (errcode(ERRCODE_OUT_OF_MEMORY),
540  errmsg("could not set environment: %m")));
541  }
542  }
543 
544  while (true)
545  {
546  ssize_t ret;
547  gss_buffer_desc input,
548  output = GSS_C_EMPTY_BUFFER;
549 
550  /*
551  * The client always sends first, so try to go ahead and read the
552  * length and wait on the socket to be readable again if that fails.
553  */
554  ret = read_or_wait(port, sizeof(uint32));
555  if (ret < 0)
556  return ret;
557 
558  /*
559  * Get the length for this packet from the length header.
560  */
561  input.length = pg_ntoh32(*(uint32 *) PqGSSRecvBuffer);
562 
563  /* Done with the length, reset our buffer */
564  PqGSSRecvLength = 0;
565 
566  /*
567  * During initialization, packets are always fully consumed and
568  * shouldn't ever be over PQ_GSS_RECV_BUFFER_SIZE in length.
569  *
570  * Verify on our side that the client doesn't do something funny.
571  */
572  if (input.length > PQ_GSS_RECV_BUFFER_SIZE)
573  {
575  (errmsg("oversize GSSAPI packet sent by the client (%zu > %d)",
576  (size_t) input.length,
578  return -1;
579  }
580 
581  /*
582  * Get the rest of the packet so we can pass it to GSSAPI to accept
583  * the context.
584  */
585  ret = read_or_wait(port, input.length);
586  if (ret < 0)
587  return ret;
588 
589  input.value = PqGSSRecvBuffer;
590 
591  /* Process incoming data. (The client sends first.) */
592  major = gss_accept_sec_context(&minor, &port->gss->ctx,
593  GSS_C_NO_CREDENTIAL, &input,
594  GSS_C_NO_CHANNEL_BINDINGS,
595  &port->gss->name, NULL, &output, NULL,
596  NULL, pg_gss_accept_delegation ? &delegated_creds : NULL);
597 
598  if (GSS_ERROR(major))
599  {
600  pg_GSS_error(_("could not accept GSSAPI security context"),
601  major, minor);
602  gss_release_buffer(&minor, &output);
603  return -1;
604  }
605  else if (!(major & GSS_S_CONTINUE_NEEDED))
606  {
607  /*
608  * rfc2744 technically permits context negotiation to be complete
609  * both with and without a packet to be sent.
610  */
611  complete_next = true;
612  }
613 
614  if (delegated_creds != GSS_C_NO_CREDENTIAL)
615  {
616  pg_store_delegated_credential(delegated_creds);
617  port->gss->delegated_creds = true;
618  }
619 
620  /* Done handling the incoming packet, reset our buffer */
621  PqGSSRecvLength = 0;
622 
623  /*
624  * Check if we have data to send and, if we do, make sure to send it
625  * all
626  */
627  if (output.length > 0)
628  {
629  uint32 netlen = pg_hton32(output.length);
630 
631  if (output.length > PQ_GSS_SEND_BUFFER_SIZE - sizeof(uint32))
632  {
634  (errmsg("server tried to send oversize GSSAPI packet (%zu > %zu)",
635  (size_t) output.length,
636  PQ_GSS_SEND_BUFFER_SIZE - sizeof(uint32))));
637  gss_release_buffer(&minor, &output);
638  return -1;
639  }
640 
641  memcpy(PqGSSSendBuffer, (char *) &netlen, sizeof(uint32));
642  PqGSSSendLength += sizeof(uint32);
643 
644  memcpy(PqGSSSendBuffer + PqGSSSendLength, output.value, output.length);
645  PqGSSSendLength += output.length;
646 
647  /* we don't bother with PqGSSSendConsumed here */
648 
650  {
653 
654  /*
655  * If we got back an error and it wasn't just
656  * EWOULDBLOCK/EAGAIN/EINTR, then give up.
657  */
658  if (ret < 0 &&
659  !(errno == EWOULDBLOCK || errno == EAGAIN || errno == EINTR))
660  {
661  gss_release_buffer(&minor, &output);
662  return -1;
663  }
664 
665  /* Wait and retry if we couldn't write yet */
666  if (ret <= 0)
667  {
670  port->sock, 0, WAIT_EVENT_GSS_OPEN_SERVER);
671  continue;
672  }
673 
674  PqGSSSendNext += ret;
675  }
676 
677  /* Done sending the packet, reset our buffer */
679 
680  gss_release_buffer(&minor, &output);
681  }
682 
683  /*
684  * If we got back that the connection is finished being set up, now
685  * that we've sent the last packet, exit our loop.
686  */
687  if (complete_next)
688  break;
689  }
690 
691  /*
692  * Determine the max packet size which will fit in our buffer, after
693  * accounting for the length. be_gssapi_write will need this.
694  */
695  major = gss_wrap_size_limit(&minor, port->gss->ctx, 1, GSS_C_QOP_DEFAULT,
697  &PqGSSMaxPktSize);
698 
699  if (GSS_ERROR(major))
700  {
701  pg_GSS_error(_("GSSAPI size check error"), major, minor);
702  return -1;
703  }
704 
705  port->gss->enc = true;
706 
707  return 0;
708 }
709 
710 /*
711  * Return if GSSAPI authentication was used on this connection.
712  */
713 bool
715 {
716  if (!port || !port->gss)
717  return false;
718 
719  return port->gss->auth;
720 }
721 
722 /*
723  * Return if GSSAPI encryption is enabled and being used on this connection.
724  */
725 bool
727 {
728  if (!port || !port->gss)
729  return false;
730 
731  return port->gss->enc;
732 }
733 
734 /*
735  * Return the GSSAPI principal used for authentication on this connection
736  * (NULL if we did not perform GSSAPI authentication).
737  */
738 const char *
740 {
741  if (!port || !port->gss)
742  return NULL;
743 
744  return port->gss->princ;
745 }
746 
747 /*
748  * Return if GSSAPI delegated credentials were included on this
749  * connection.
750  */
751 bool
753 {
754  if (!port || !port->gss)
755  return false;
756 
757  return port->gss->delegated_creds;
758 }
char * pg_krb_server_keyfile
Definition: auth.c:164
bool pg_gss_accept_delegation
Definition: auth.c:166
void pg_store_delegated_credential(gss_cred_id_t cred)
void pg_GSS_error(const char *errmsg, OM_uint32 maj_stat, OM_uint32 min_stat)
static int PqGSSRecvLength
static int PqGSSResultLength
static char * PqGSSSendBuffer
bool be_gssapi_get_auth(Port *port)
static int PqGSSSendConsumed
#define PQ_GSS_RECV_BUFFER_SIZE
ssize_t be_gssapi_read(Port *port, void *ptr, size_t len)
ssize_t be_gssapi_write(Port *port, void *ptr, size_t len)
static ssize_t read_or_wait(Port *port, ssize_t len)
ssize_t secure_open_gssapi(Port *port)
static char * PqGSSRecvBuffer
static int PqGSSResultNext
static uint32 PqGSSMaxPktSize
bool be_gssapi_get_enc(Port *port)
#define PQ_GSS_SEND_BUFFER_SIZE
const char * be_gssapi_get_princ(Port *port)
static int PqGSSSendLength
static int PqGSSSendNext
static char * PqGSSResultBuffer
bool be_gssapi_get_delegation(Port *port)
ssize_t secure_raw_read(Port *port, void *ptr, size_t len)
Definition: be-secure.c:264
ssize_t secure_raw_write(Port *port, const void *ptr, size_t len)
Definition: be-secure.c:373
unsigned int uint32
Definition: c.h:506
#define Min(x, y)
Definition: c.h:1004
#define Assert(condition)
Definition: c.h:858
int errcode(int sqlerrcode)
Definition: elog.c:855
int errmsg(const char *fmt,...)
Definition: elog.c:1068
#define _(x)
Definition: elog.c:90
#define COMMERROR
Definition: elog.h:33
#define FATAL
Definition: elog.h:41
#define elog(elevel,...)
Definition: elog.h:224
#define ereport(elevel,...)
Definition: elog.h:149
struct Latch * MyLatch
Definition: globals.c:61
#define malloc(a)
Definition: header.h:50
FILE * input
FILE * output
int WaitLatchOrSocket(Latch *latch, int wakeEvents, pgsocket sock, long timeout, uint32 wait_event_info)
Definition: latch.c:565
#define WL_SOCKET_READABLE
Definition: latch.h:128
#define WL_EXIT_ON_PM_DEATH
Definition: latch.h:132
#define WL_SOCKET_WRITEABLE
Definition: latch.h:129
MemoryContext TopMemoryContext
Definition: mcxt.c:149
void * MemoryContextAllocZero(MemoryContext context, Size size)
Definition: mcxt.c:1215
#define pg_ntoh32(x)
Definition: pg_bswap.h:125
#define pg_hton32(x)
Definition: pg_bswap.h:121
const void size_t len
static int port
Definition: pg_regress.c:116
Definition: libpq-be.h:133
#define EINTR
Definition: win32_port.h:374
#define EWOULDBLOCK
Definition: win32_port.h:380
#define setenv(x, y, z)
Definition: win32_port.h:537
#define ECONNRESET
Definition: win32_port.h:384
#define EAGAIN
Definition: win32_port.h:372