dev-java/jdbc-postgresql/files/jdbc-postgresql-9.4_p1201-remove-sspi.patch - platform/external/gentoo/overlays/gentoo - Git at Google

 --- a/org/postgresql/core/v3/ConnectionFactoryImpl.java	2015-03-23 07:32:15.000000000 +0100
 +++ b/org/postgresql/core/v3/ConnectionFactoryImpl.java	2015-03-23 07:41:53.160058718 +0100
 @@ -19,7 +19,6 @@

  import org.postgresql.PGProperty;
  import org.postgresql.core.*;
 -import org.postgresql.sspi.SSPIClient;
  import org.postgresql.hostchooser.GlobalHostStatusTracker;
  import org.postgresql.hostchooser.HostChooser;
  import org.postgresql.hostchooser.HostChooserFactory;
 @@ -387,11 +386,7 @@
          // or an authentication request

          String password = PGProperty.PASSWORD.get(info);
 -
 -        /* SSPI negotiation state, if used */
 -        SSPIClient sspiClient = null;

 -        try {
  	        authloop:
  	        while (true)
  	        {
 @@ -507,88 +502,16 @@
                      case AUTH_REQ_SSPI:
                          /*
                           * Use GSSAPI if requested on all platforms, via JSSE.
 -                         *
 -                         * For SSPI auth requests, if we're on Windows attempt native SSPI
 -                         * authentication if available, and if not disabled by setting a
 -                         * kerberosServerName. On other platforms, attempt JSSE GSSAPI
 -                         * negotiation with the SSPI server.
 -                         *
 -                         * Note that this is slightly different to libpq, which uses SSPI
 -                         * for GSSAPI where supported. We prefer to use the existing Java
 -                         * JSSE Kerberos support rather than going to native (via JNA) calls
 -                         * where possible, so that JSSE system properties etc continue
 -                         * to work normally.
 -                         *
 -                         * Note that while SSPI is often Kerberos-based there's no guarantee
 -                         * it will be; it may be NTLM or anything else. If the client responds
 -                         * to an SSPI request via GSSAPI and the other end isn't using Kerberos
 -                         * for SSPI then authentication will fail.
                           */
 -                        final String gsslib = PGProperty.GSS_LIB.get(info);
 -                        final boolean usespnego = PGProperty.USE_SPNEGO.getBoolean(info);
 -
 -                        boolean useSSPI = false;
 +                        org.postgresql.gss.MakeGSS.authenticate(pgStream, host,
 +                                user, password,
 +                                PGProperty.JAAS_APPLICATION_NAME.get(info),
 +                                PGProperty.KERBEROS_SERVER_NAME.get(info),
 +                                logger,
 +                                PGProperty.USE_SPNEGO.getBoolean(info));
 +
 +                        break;

 -                        /*
 -                         * Use SSPI if we're in auto mode on windows and have a
 -                         * request for SSPI auth, or if it's forced. Otherwise
 -                         * use gssapi. If the user has specified a Kerberos server
 -                         * name we'll always use JSSE GSSAPI.
 -                         */
 -                        if (gsslib.equals("gssapi"))
 -                            logger.debug("Using JSSE GSSAPI, param gsslib=gssapi");
 -                        else if (areq == AUTH_REQ_GSS && !gsslib.equals("sspi"))
 -                            logger.debug("Using JSSE GSSAPI, gssapi requested by server and gsslib=sspi not forced");
 -                        else
 -                        {
 -                            /* Determine if SSPI is supported by the client */
 -                            sspiClient = new SSPIClient(pgStream,
 -                                    PGProperty.SSPI_SERVICE_CLASS.get(info),
 -                                    /* Use negotiation for SSPI, or if explicitly requested for GSS */
 -                                    areq == AUTH_REQ_SSPI || (areq == AUTH_REQ_GSS && usespnego),
 -                                    logger);
 -
 -                            useSSPI = sspiClient.isSSPISupported();
 -                            logger.debug("SSPI support detected: " + useSSPI);
 -
 -                            if (!useSSPI) {
 -                                /* No need to dispose() if no SSPI used */
 -                                sspiClient = null;
 -
 -                                if (gsslib.equals("sspi"))
 -                                    throw new PSQLException("SSPI forced with gsslib=sspi, but SSPI not available; set loglevel=2 for details",
 -                                            PSQLState.CONNECTION_UNABLE_TO_CONNECT);
 -                            }
 -
 -                            logger.debug("Using SSPI: " + useSSPI + ", gsslib="+gsslib+" and SSPI support detected");
 -                        }
 -
 -                        if (useSSPI)
 -                        {
 -                            /* SSPI requested and detected as available */
 -    	                	sspiClient.startSSPI();
 -                        }
 -                        else
 -                        {
 -                            /* Use JGSS's GSSAPI for this request */
 -                            org.postgresql.gss.MakeGSS.authenticate(pgStream, host,
 -                                    user, password,
 -                                    PGProperty.JAAS_APPLICATION_NAME.get(info),
 -                                    PGProperty.KERBEROS_SERVER_NAME.get(info),
 -                                    logger,
 -                                    usespnego);
 -                        }
 -
 -	                	break;
 -
 -	                case AUTH_REQ_GSS_CONTINUE:
 -	                	 /*
 -	                	  * Only called for SSPI, as GSS is handled by an inner loop
 -	                	  * in MakeGSS.
 -	                	  */
 -	                	sspiClient.continueSSPI(l_msgLen - 8);
 -	                	break;
 -
  	                case AUTH_REQ_OK:
  	                    /* Cleanup after successful authentication */
  	                    if (logger.logDebug())
 @@ -609,18 +532,6 @@
  	                throw new PSQLException(GT.tr("Protocol error.  Session setup failed."), PSQLState.PROTOCOL_VIOLATION);
  	            }
  	        }
 -        } finally {
 -        	/* Cleanup after successful or failed authentication attempts */
 -        	if (sspiClient != null)
 -        	{
 -        		try {
 -        			sspiClient.dispose();
 -        		} catch (RuntimeException ex) {
 -        			logger.log("Unexpected error during SSPI context disposal", ex);
 -        		}
 -
 -        	}
 -        }

      }
	--- a/org/postgresql/core/v3/ConnectionFactoryImpl.java 2015-03-23 07:32:15.000000000 +0100
	+++ b/org/postgresql/core/v3/ConnectionFactoryImpl.java 2015-03-23 07:41:53.160058718 +0100
	@@ -19,7 +19,6 @@

	import org.postgresql.PGProperty;
	import org.postgresql.core.*;
	-import org.postgresql.sspi.SSPIClient;
	import org.postgresql.hostchooser.GlobalHostStatusTracker;
	import org.postgresql.hostchooser.HostChooser;
	import org.postgresql.hostchooser.HostChooserFactory;
	@@ -387,11 +386,7 @@
	// or an authentication request

	String password = PGProperty.PASSWORD.get(info);
	-
	- /* SSPI negotiation state, if used */
	- SSPIClient sspiClient = null;

	- try {
	authloop:
	while (true)
	{
	@@ -507,88 +502,16 @@
	case AUTH_REQ_SSPI:
	/*
	* Use GSSAPI if requested on all platforms, via JSSE.
	- *
	- * For SSPI auth requests, if we're on Windows attempt native SSPI
	- * authentication if available, and if not disabled by setting a
	- * kerberosServerName. On other platforms, attempt JSSE GSSAPI
	- * negotiation with the SSPI server.
	- *
	- * Note that this is slightly different to libpq, which uses SSPI
	- * for GSSAPI where supported. We prefer to use the existing Java
	- * JSSE Kerberos support rather than going to native (via JNA) calls
	- * where possible, so that JSSE system properties etc continue
	- * to work normally.
	- *
	- * Note that while SSPI is often Kerberos-based there's no guarantee
	- * it will be; it may be NTLM or anything else. If the client responds
	- * to an SSPI request via GSSAPI and the other end isn't using Kerberos
	- * for SSPI then authentication will fail.
	*/
	- final String gsslib = PGProperty.GSS_LIB.get(info);
	- final boolean usespnego = PGProperty.USE_SPNEGO.getBoolean(info);
	-
	- boolean useSSPI = false;
	+ org.postgresql.gss.MakeGSS.authenticate(pgStream, host,
	+ user, password,
	+ PGProperty.JAAS_APPLICATION_NAME.get(info),
	+ PGProperty.KERBEROS_SERVER_NAME.get(info),
	+ logger,
	+ PGProperty.USE_SPNEGO.getBoolean(info));
	+
	+ break;

	- /*
	- * Use SSPI if we're in auto mode on windows and have a
	- * request for SSPI auth, or if it's forced. Otherwise
	- * use gssapi. If the user has specified a Kerberos server
	- * name we'll always use JSSE GSSAPI.
	- */
	- if (gsslib.equals("gssapi"))
	- logger.debug("Using JSSE GSSAPI, param gsslib=gssapi");
	- else if (areq == AUTH_REQ_GSS && !gsslib.equals("sspi"))
	- logger.debug("Using JSSE GSSAPI, gssapi requested by server and gsslib=sspi not forced");
	- else
	- {
	- /* Determine if SSPI is supported by the client */
	- sspiClient = new SSPIClient(pgStream,
	- PGProperty.SSPI_SERVICE_CLASS.get(info),
	- /* Use negotiation for SSPI, or if explicitly requested for GSS */
	- areq == AUTH_REQ_SSPI \|\| (areq == AUTH_REQ_GSS && usespnego),
	- logger);
	-
	- useSSPI = sspiClient.isSSPISupported();
	- logger.debug("SSPI support detected: " + useSSPI);
	-
	- if (!useSSPI) {
	- /* No need to dispose() if no SSPI used */
	- sspiClient = null;
	-
	- if (gsslib.equals("sspi"))
	- throw new PSQLException("SSPI forced with gsslib=sspi, but SSPI not available; set loglevel=2 for details",
	- PSQLState.CONNECTION_UNABLE_TO_CONNECT);
	- }
	-
	- logger.debug("Using SSPI: " + useSSPI + ", gsslib="+gsslib+" and SSPI support detected");
	- }
	-
	- if (useSSPI)
	- {
	- /* SSPI requested and detected as available */
	- sspiClient.startSSPI();
	- }
	- else
	- {
	- /* Use JGSS's GSSAPI for this request */
	- org.postgresql.gss.MakeGSS.authenticate(pgStream, host,
	- user, password,
	- PGProperty.JAAS_APPLICATION_NAME.get(info),
	- PGProperty.KERBEROS_SERVER_NAME.get(info),
	- logger,
	- usespnego);
	- }
	-
	- break;
	-
	- case AUTH_REQ_GSS_CONTINUE:
	- /*
	- * Only called for SSPI, as GSS is handled by an inner loop
	- * in MakeGSS.
	- */
	- sspiClient.continueSSPI(l_msgLen - 8);
	- break;
	-
	case AUTH_REQ_OK:
	/* Cleanup after successful authentication */
	if (logger.logDebug())
	@@ -609,18 +532,6 @@
	throw new PSQLException(GT.tr("Protocol error. Session setup failed."), PSQLState.PROTOCOL_VIOLATION);
	}
	}
	- } finally {
	- /* Cleanup after successful or failed authentication attempts */
	- if (sspiClient != null)
	- {
	- try {
	- sspiClient.dispose();
	- } catch (RuntimeException ex) {
	- logger.log("Unexpected error during SSPI context disposal", ex);
	- }
	-
	- }
	- }

	}