From fe4d800eca235117601838f6f299f59caf108343 Mon Sep 17 00:00:00 2001
From: Dave Cramer
Date: Fri, 7 Jan 2022 11:36:20 -0500
Subject: [PATCH 1/2] fix: we will ask the server if it supports GSS Encryption if gssEncryption is prefer or require

---
 .../postgresql/core/v3/ConnectionFactoryImpl.java | 13 +++++--------
 1 file changed, 5 insertions(+), 8 deletions(-)

diff --git a/pgjdbc/src/main/java/org/postgresql/core/v3/ConnectionFactoryImpl.java b/pgjdbc/src/main/java/org/postgresql/core/v3/ConnectionFactoryImpl.java
index 14ca6c8e0d..6297340798 100644
--- a/pgjdbc/src/main/java/org/postgresql/core/v3/ConnectionFactoryImpl.java
+++ b/pgjdbc/src/main/java/org/postgresql/core/v3/ConnectionFactoryImpl.java
@@ -31,7 +31,6 @@
 import org.postgresql.sspi.ISSPIClient;
 import org.postgresql.util.GT;
 import org.postgresql.util.HostSpec;
-import org.postgresql.util.KerberosTicket;
 import org.postgresql.util.MD5Digest;
 import org.postgresql.util.PSQLException;
 import org.postgresql.util.PSQLState;
@@ -442,15 +441,13 @@ private PGStream enableGSSEncrypted(PGStream pgStream, GSSEncMode gssEncMode, St
       return pgStream;
     }
 
-    // If there is not credential cache there is little point in attempting this
-    if (!KerberosTicket.credentialCacheExists(info)) {
-      if ( gssEncMode == GSSEncMode.REQUIRE ) {
-        throw new PSQLException("GSSAPI encryption required but was impossible (possibly no credential cache)", PSQLState.CONNECTION_REJECTED);
-      } else {
-        return pgStream;
-      }
+    if ( gssEncMode != GSSEncMode.REQUIRE ) {
+      return pgStream;
     }
 
+    /*
+    let's see if the server will allow a GSS encrypted connection
+    */
     String user = PGProperty.USER.get(info);
     if (user == null) {
       throw new PSQLException("GSSAPI encryption required but was impossible user is null", PSQLState.CONNECTION_REJECTED);
From 6672db8828e2944ad21c076e0244fdac2a587f36 Mon Sep 17 00:00:00 2001
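Review bot: The new guard `if ( gssEncMode != GSSEncMode.REQUIRE )` returns the plain stream for PREFER as well, so a PREFER connection never reaches the server probe that the subject line says should run for prefer; [PATCH 2/2] on this page removes that guard again. Dropping the `KerberosTicket.credentialCacheExists(info)` precheck also removes the only REQUIRE-path diagnostic that named the likely cause ("possibly no credential cache"), so a REQUIRE connection without a ticket will presumably now surface only whatever the GSS layer reports later; consider carrying that hint into the failure path, e.g. `// no credential cache is the usual cause when the GSS handshake fails in REQUIRE mode`. enableGSSEncrypted starts before this hunk and its body continues past it.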
From: Dave Cramer
Date: Mon, 10 Jan 2022 13:06:35 -0500
Subject: [PATCH 2/2] remove the need to have a ticket in the cache before asking the server if gss encryptions are supported

---
 .../org/postgresql/core/v3/ConnectionFactoryImpl.java | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/pgjdbc/src/main/java/org/postgresql/core/v3/ConnectionFactoryImpl.java b/pgjdbc/src/main/java/org/postgresql/core/v3/ConnectionFactoryImpl.java
index 6297340798..3704018b26 100644
--- a/pgjdbc/src/main/java/org/postgresql/core/v3/ConnectionFactoryImpl.java
+++ b/pgjdbc/src/main/java/org/postgresql/core/v3/ConnectionFactoryImpl.java
@@ -441,10 +441,13 @@ private PGStream enableGSSEncrypted(PGStream pgStream, GSSEncMode gssEncMode, St
       return pgStream;
     }
 
-    if ( gssEncMode != GSSEncMode.REQUIRE ) {
-      return pgStream;
-    }
-
+    /*
+    at this point gssEncMode is either PREFER or REQUIRE
+    libpq looks to see if there is a ticket in the cache before asking
+    the server if it supports encrypted GSS connections or not.
+    since the user has specifically asked or either prefer or require we can
+    assume they want it.
+    */
     /*
     let's see if the server will allow a GSS encrypted connection
     */
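Review bot: With the PREFER early return removed, the check that follows this hunk (visible as context in [PATCH 1/2] above) still throws `"GSSAPI encryption required but was impossible user is null"` with `CONNECTION_REJECTED` regardless of mode, so a PREFER connection with a null user is now rejected rather than falling back to the unencrypted stream as the old non-REQUIRE path did. Unless code later in enableGSSEncrypted already distinguishes PREFER (the body continues past the hunk), a guard such as `if (user == null && gssEncMode != GSSEncMode.REQUIRE) { return pgStream; }` placed before the existing throw would preserve PREFER semantics; the same applies to any later failure the handshake can hit in PREFER mode. The new comment also has a typo, "specifically asked or either prefer or require" should read "specifically asked for either prefer or require", and it could be merged with the adjacent `let's see if the server will allow a GSS encrypted connection` block into one comment.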