1 files changed, 147 insertions, 0 deletions
diff --git a/src/backend/libpq/be-gssapi-common.c b/src/backend/libpq/be-gssapi-common.c
new file mode 100644
index 0000000..64d41e5
--- /dev/null
+++ b/src/backend/libpq/be-gssapi-common.c
@@ -0,0 +1,147 @@
+/*-------------------------------------------------------------------------
+ *
+ * be-gssapi-common.c
+ *     Common code for GSSAPI authentication and encryption
+ *
+ * Portions Copyright (c) 1996-2023, PostgreSQL Global Development Group
+ * Portions Copyright (c) 1994, Regents of the University of California
+ *
+ * IDENTIFICATION
+ *       src/backend/libpq/be-gssapi-common.c
+ *
+ *-------------------------------------------------------------------------
+ */
+
+#include "postgres.h"
+
+#include "libpq/be-gssapi-common.h"
+
+/*
+ * Fetch all errors of a specific type and append to "s" (buffer of size len).
+ * If we obtain more than one string, separate them with spaces.
+ * Call once for GSS_CODE and once for MECH_CODE.
+ */
+static void
+pg_GSS_error_int(char *s, size_t len, OM_uint32 stat, int type)
+{
+	gss_buffer_desc gmsg;
+	size_t		i = 0;
+	OM_uint32	lmin_s,
+				msg_ctx = 0;
+
+	do
+	{
+		if (gss_display_status(&lmin_s, stat, type, GSS_C_NO_OID,
+							   &msg_ctx, &gmsg) != GSS_S_COMPLETE)
+			break;
+		if (i > 0)
+		{
+			if (i < len)
+				s[i] = ' ';
+			i++;
+		}
+		if (i < len)
+			memcpy(s + i, gmsg.value, Min(len - i, gmsg.length));
+		i += gmsg.length;
+		gss_release_buffer(&lmin_s, &gmsg);
+	}
+	while (msg_ctx);
+
+	/* add nul termination */
+	if (i < len)
+		s[i] = '\0';
+	else
+	{
+		elog(COMMERROR, "incomplete GSS error report");
+		s[len - 1] = '\0';
+	}
+}
+
+/*
+ * Report the GSSAPI error described by maj_stat/min_stat.
+ *
+ * errmsg should be an already-translated primary error message.
+ * The GSSAPI info is appended as errdetail.
+ *
+ * The error is always reported with elevel COMMERROR; we daren't try to
+ * send it to the client, as that'd likely lead to infinite recursion
+ * when elog.c tries to write to the client.
+ *
+ * To avoid memory allocation, total error size is capped (at 128 bytes for
+ * each of major and minor).  No known mechanisms will produce error messages
+ * beyond this cap.
+ */
+void
+pg_GSS_error(const char *errmsg,
+			 OM_uint32 maj_stat, OM_uint32 min_stat)
+{
+	char		msg_major[128],
+				msg_minor[128];
+
+	/* Fetch major status message */
+	pg_GSS_error_int(msg_major, sizeof(msg_major), maj_stat, GSS_C_GSS_CODE);
+
+	/* Fetch mechanism minor status message */
+	pg_GSS_error_int(msg_minor, sizeof(msg_minor), min_stat, GSS_C_MECH_CODE);
+
+	/*
+	 * errmsg_internal, since translation of the first part must be done
+	 * before calling this function anyway.
+	 */
+	ereport(COMMERROR,
+			(errmsg_internal("%s", errmsg),
+			 errdetail_internal("%s: %s", msg_major, msg_minor)));
+}
+
+/*
+ * Store the credentials passed in into the memory cache for later usage.
+ *
+ * This allows credentials to be delegated to us for us to use to connect
+ * to other systems with, using, e.g. postgres_fdw or dblink.
+ */
+#define GSS_MEMORY_CACHE "MEMORY:"
+void
+pg_store_delegated_credential(gss_cred_id_t cred)
+{
+	OM_uint32	major,
+				minor;
+	gss_OID_set mech;
+	gss_cred_usage_t usage;
+	gss_key_value_element_desc cc;
+	gss_key_value_set_desc ccset;
+
+	cc.key = "ccache";
+	cc.value = GSS_MEMORY_CACHE;
+	ccset.count = 1;
+	ccset.elements = &cc;
+
+	/* Make the delegated credential only available to current process */
+	major = gss_store_cred_into(&minor,
+								cred,
+								GSS_C_INITIATE, /* credential only used for
+												 * starting libpq connection */
+								GSS_C_NULL_OID, /* store all */
+								true,	/* overwrite */
+								true,	/* make default */
+								&ccset,
+								&mech,
+								&usage);
+
+	if (major != GSS_S_COMPLETE)
+	{
+		pg_GSS_error("gss_store_cred", major, minor);
+	}
+
+	/* Credential stored, so we can release our credential handle. */
+	major = gss_release_cred(&minor, &cred);
+	if (major != GSS_S_COMPLETE)
+	{
+		pg_GSS_error("gss_release_cred", major, minor);
+	}
+
+	/*
+	 * Set KRB5CCNAME for this backend, so that later calls to
+	 * gss_acquire_cred will find the delegated credentials we stored.
+	 */
+	setenv("KRB5CCNAME", GSS_MEMORY_CACHE, 1);
+}