libpq: Remove code for SCM credential authentication

Support for SCM credential authentication has been removed in the backend in 9.1, and libpq has kept some code to handle it for compatibility. Commit be4585b, that did the cleanup of the backend code, has done so because the code was not really portable originally. And, as there are likely little chances that this is used these days, this removes the remaining code from libpq. An error will now be raised by libpq if attempting to connect to a server that returns AUTH_REQ_SCM_CREDS, instead. References to SCM credential authentication are removed from the protocol documentation. This removes some meson and configure checks. Author: Michael Paquier Reviewed-by: Tom Lane Discussion: https://postgr.es/m/ZBLH8a4otfqgd6Kn@paquier.xyz
3 years ago · 98ae2c84a4
parent 10b6745d31
commit 98ae2c84a4
10 changed files with 1 additions and 178 deletions
--- a/16
+++ b/16
@ -15181,22 +15181,6 @@ cat >>confdefs.h <<_ACEOF
 _ACEOF
 ac_fn_c_check_type "$LINENO" "struct cmsgcred" "ac_cv_type_struct_cmsgcred" "#include <sys/socket.h>
 #include <sys/param.h>
 #ifdef HAVE_SYS_UCRED_H
 #include <sys/ucred.h>
 #endif
 "
 if test "x$ac_cv_type_struct_cmsgcred" = xyes; then :
 cat >>confdefs.h <<_ACEOF
 #define HAVE_STRUCT_CMSGCRED 1
 _ACEOF
 fi
 ac_fn_c_check_type "$LINENO" "struct option" "ac_cv_type_struct_option" "#ifdef HAVE_GETOPT_H
 #include <getopt.h>
 #endif
--- a/configure.ac
+++ b/configure.ac
@ -1682,13 +1682,6 @@ AC_DEFINE_UNQUOTED([pg_restrict], [$pg_restrict],
 [Define to keyword to use for C99 restrict support, or to nothing if not
 supported])
 AC_CHECK_TYPES([struct cmsgcred], [], [],
 [#include <sys/socket.h>
 #include <sys/param.h>
 #ifdef HAVE_SYS_UCRED_H
 #include <sys/ucred.h>
 #endif])
 AC_CHECK_TYPES([struct option], [], [],
 [#ifdef HAVE_GETOPT_H
 #include <getopt.h>
--- a/doc/src/sgml/libpq.sgml
+++ b/doc/src/sgml/libpq.sgml
@ -1300,16 +1300,6 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname
          </listitem>
         </varlistentry>
         <varlistentry>
          <term><literal>creds</literal></term>
          <listitem>
           <para>
            The server must request SCM credential authentication (deprecated
            as of <productname>PostgreSQL</productname> 9.1).
           </para>
          </listitem>
         </varlistentry>
         <varlistentry>
          <term><literal>none</literal></term>
          <listitem>
--- a/doc/src/sgml/protocol.sgml
+++ b/doc/src/sgml/protocol.sgml
@ -315,24 +315,6 @@
      </listitem>
     </varlistentry>
     <varlistentry>
      <term>AuthenticationSCMCredential</term>
      <listitem>
       <para>
        This response is only possible for local Unix-domain connections
        on platforms that support SCM credential messages.  The frontend
        must issue an SCM credential message and then send a single data
        byte.  (The contents of the data byte are uninteresting; it's
        only used to ensure that the server waits long enough to receive
        the credential message.)  If the credential is acceptable,
        the server responds with an
        AuthenticationOk, otherwise it responds with an ErrorResponse.
        (This message type is only issued by pre-9.1 servers.  It may
        eventually be removed from the protocol specification.)
       </para>
      </listitem>
     </varlistentry>
     <varlistentry>
      <term>AuthenticationGSS</term>
      <listitem>
@ -3449,40 +3431,6 @@ psql "dbname=postgres replication=database" -c "IDENTIFY_SYSTEM;"
    </listitem>
   </varlistentry>
   <varlistentry id="protocol-message-formats-AuthenticationSCMCredential">
    <term>AuthenticationSCMCredential (B)</term>
    <listitem>
     <variablelist>
      <varlistentry>
       <term>Byte1('R')</term>
       <listitem>
        <para>
         Identifies the message as an authentication request.
        </para>
       </listitem>
      </varlistentry>
      <varlistentry>
       <term>Int32(8)</term>
       <listitem>
        <para>
         Length of message contents in bytes, including self.
        </para>
       </listitem>
      </varlistentry>
      <varlistentry>
       <term>Int32(6)</term>
       <listitem>
        <para>
         Specifies that an SCM credentials message is required.
        </para>
       </listitem>
      </varlistentry>
     </variablelist>
    </listitem>
   </varlistentry>
   <varlistentry id="protocol-message-formats-AuthenticationGSS">
    <term>AuthenticationGSS (B)</term>
    <listitem>
--- a/meson.build
+++ b/meson.build
@ -2144,20 +2144,6 @@ foreach c : decl_checks
 endforeach
 if cc.has_type('struct cmsgcred',
    args: test_c_args + ['@0@'.format(cdata.get('HAVE_SYS_UCRED_H')) == 'false' ? '' : '-DHAVE_SYS_UCRED_H'],
    include_directories: postgres_inc,
    prefix: '''
 #include <sys/socket.h>
 #include <sys/param.h>
 #ifdef HAVE_SYS_UCRED_H
 #include <sys/ucred.h>
 #endif''')
  cdata.set('HAVE_STRUCT_CMSGCRED', 1)
 else
  cdata.set('HAVE_STRUCT_CMSGCRED', false)
 endif
 if cc.has_type('struct option',
    args: test_c_args, include_directories: postgres_inc,
    prefix: '@0@'.format(cdata.get('HAVE_GETOPT_H')) == '1' ? '#include <getopt.h>' : '')
--- a/src/include/libpq/pqcomm.h
+++ b/src/include/libpq/pqcomm.h
@ -116,7 +116,7 @@ extern PGDLLIMPORT bool Db_user_namespace;
 #define AUTH_REQ_PASSWORD	3	/* Password */
 #define AUTH_REQ_CRYPT		4	/* crypt password. Not supported any more. */
 #define AUTH_REQ_MD5		5	/* md5 password */
-#define AUTH_REQ_SCM_CREDS	6	/* transfer SCM credentials */
+/* 6 is available.  It was used for SCM creds, not supported any more. */
 #define AUTH_REQ_GSS		7	/* GSSAPI without wrap() */
 #define AUTH_REQ_GSS_CONT	8	/* Continue GSS exchanges */
 #define AUTH_REQ_SSPI		9	/* SSPI negotiate without wrap() */
--- a/src/include/pg_config.h.in
+++ b/src/include/pg_config.h.in
@ -427,9 +427,6 @@
 /* Define to 1 if you have the `strsignal' function. */
 #undef HAVE_STRSIGNAL
 /* Define to 1 if the system has the type `struct cmsgcred'. */
 #undef HAVE_STRUCT_CMSGCRED
 /* Define to 1 if the system has the type `struct option'. */
 #undef HAVE_STRUCT_OPTION
--- a/src/interfaces/libpq/fe-auth.c
+++ b/src/interfaces/libpq/fe-auth.c
@ -688,68 +688,6 @@ pg_SASL_continue(PGconn *conn, int payloadlen, bool final)
 	return STATUS_OK;
 }
 /*
 * Respond to AUTH_REQ_SCM_CREDS challenge.
 *
 * Note: this is dead code as of Postgres 9.1, because current backends will
 * never send this challenge.  But we must keep it as long as libpq needs to
 * interoperate with pre-9.1 servers.  It is believed to be needed only on
 * Debian/kFreeBSD (ie, FreeBSD kernel with Linux userland, so that the
 * getpeereid() function isn't provided by libc).
 */
 static int
 pg_local_sendauth(PGconn *conn)
 {
 #ifdef HAVE_STRUCT_CMSGCRED
 	char		buf;
 	struct iovec iov;
 	struct msghdr msg;
 	struct cmsghdr *cmsg;
 	union
 	{
 		struct cmsghdr hdr;
 		unsigned char buf[CMSG_SPACE(sizeof(struct cmsgcred))];
 	}			cmsgbuf;
 	/*
 	 * The backend doesn't care what we send here, but it wants exactly one
 	 * character to force recvmsg() to block and wait for us.
 	 */
 	buf = '\0';
 	iov.iov_base = &buf;
 	iov.iov_len = 1;
 	memset(&msg, 0, sizeof(msg));
 	msg.msg_iov = &iov;
 	msg.msg_iovlen = 1;
 	/* We must set up a message that will be filled in by kernel */
 	memset(&cmsgbuf, 0, sizeof(cmsgbuf));
 	msg.msg_control = &cmsgbuf.buf;
 	msg.msg_controllen = sizeof(cmsgbuf.buf);
 	cmsg = CMSG_FIRSTHDR(&msg);
 	cmsg->cmsg_len = CMSG_LEN(sizeof(struct cmsgcred));
 	cmsg->cmsg_level = SOL_SOCKET;
 	cmsg->cmsg_type = SCM_CREDS;
 	if (sendmsg(conn->sock, &msg, 0) == -1)
 	{
 		char		sebuf[PG_STRERROR_R_BUFLEN];
 		appendPQExpBuffer(&conn->errorMessage,
 						  "pg_local_sendauth: sendmsg: %s\n",
 						  strerror_r(errno, sebuf, sizeof(sebuf)));
 		return STATUS_ERROR;
 	}
 	conn->client_finished_auth = true;
 	return STATUS_OK;
 #else
 	libpq_append_conn_error(conn, "SCM_CRED authentication method not supported");
 	return STATUS_ERROR;
 #endif
 }
 static int
 pg_password_sendauth(PGconn *conn, const char *password, AuthRequest areq)
 {
@ -830,8 +768,6 @@ auth_method_description(AuthRequest areq)
 			return libpq_gettext("server requested GSSAPI authentication");
 		case AUTH_REQ_SSPI:
 			return libpq_gettext("server requested SSPI authentication");
 		case AUTH_REQ_SCM_CREDS:
 			return libpq_gettext("server requested UNIX socket credentials");
 		case AUTH_REQ_SASL:
 		case AUTH_REQ_SASL_CONT:
 		case AUTH_REQ_SASL_FIN:
@ -922,7 +858,6 @@ check_expected_areq(AuthRequest areq, PGconn *conn)
 			case AUTH_REQ_GSS:
 			case AUTH_REQ_GSS_CONT:
 			case AUTH_REQ_SSPI:
 			case AUTH_REQ_SCM_CREDS:
 			case AUTH_REQ_SASL:
 			case AUTH_REQ_SASL_CONT:
 			case AUTH_REQ_SASL_FIN:
@ -1183,11 +1118,6 @@ pg_fe_sendauth(AuthRequest areq, int payloadlen, PGconn *conn)
 			}
 			break;
 		case AUTH_REQ_SCM_CREDS:
 			if (pg_local_sendauth(conn) != STATUS_OK)
 				return STATUS_ERROR;
 			break;
 		default:
 			libpq_append_conn_error(conn, "authentication method %u not supported", areq);
 			return STATUS_ERROR;
--- a/src/interfaces/libpq/fe-connect.c
+++ b/src/interfaces/libpq/fe-connect.c
@ -1333,10 +1333,6 @@ connectOptions2(PGconn *conn)
 				bits |= (1 << AUTH_REQ_SASL_CONT);
 				bits |= (1 << AUTH_REQ_SASL_FIN);
 			}
 			else if (strcmp(method, "creds") == 0)
 			{
 				bits = (1 << AUTH_REQ_SCM_CREDS);
 			}
 			else if (strcmp(method, "none") == 0)
 			{
 				/*
--- a/src/tools/msvc/Solution.pm
+++ b/src/tools/msvc/Solution.pm
@ -338,7 +338,6 @@ sub GenerateFiles
 		HAVE_STRLCPY                             => undef,
 		HAVE_STRNLEN                             => 1,
 		HAVE_STRSIGNAL                           => undef,
 		HAVE_STRUCT_CMSGCRED                     => undef,
 		HAVE_STRUCT_OPTION                       => undef,
 		HAVE_STRUCT_SOCKADDR_SA_LEN              => undef,
 		HAVE_STRUCT_TM_TM_ZONE                   => undef,