Re: [PATCH v14] GSSAPI encryption support - Mailing list pgsql-hackers

From Robbie Harwood
Subject Re: [PATCH v14] GSSAPI encryption support
Date
Msg-id jlg1se287n3.fsf@redhat.com
Whole thread Raw
In response to [PATCH v1] GSSAPI encryption support  (Robbie Harwood <rharwood@redhat.com>)
Responses Re: [PATCH v14] GSSAPI encryption support
Re: [PATCH v14] GSSAPI encryption support
Re: [PATCH v18] GSSAPI encryption support
List pgsql-hackers
Hello -hackers,

Zombie patch is back from the dead.  It's been a bit more than two years
since v12 (the last major revision) and almost three since it was
originally submitted.  (I do have enough pride to point out that it did
not actually /take/ anywhere close to two years to update it.)

CC'd are reviewers from before; I appreciate their input from before,
but there is of course no obligation for them to page all this back in,
especially if they don't want to.  A large chunk of this code is
unchanged from previous iterations of the patch, but this is a major
re-architect.  Various things have also been previously fixed as part of
the GSSAPI testing efforts, for which I am grateful.

So: this is GSSAPI encryption support for libpq.  Based on feedback on
previous versions, GSSAPI encryption has a separate negotiation step -
similar to SSL negotiation.  I've tried to incorporate all other
feedback I've received thus far, but very likely missed things (and
introduced new problems).

To actually see encryption, you'll first need to configure the server as
for GSSAPI authentication.  You'll also need to ensure the HBA
configuration has a rule that will permit it.  However, there should
hopefully be enough information to set this up in the corresponding docs
changes (and if there isn't, I should fix it).  The Kerberos/GSSAPI
implementation shouldn't matter, but I am testing using MIT krb5
(through freeIPA); I wrote a post a while back for my setup here:
https://mivehind.net/2015/06/11/kerberized-postgresql/

Finally, I've submitted this as a single patch because it was requested
previously.  I'm happy to break it apart into many commits instead, if
that's helpful.

Thanks,
--Robbie
From 45de59244e4b9ef887cf910a17cbe63c9043f17e Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Thu, 10 May 2018 16:12:03 -0400
Subject: [PATCH] libpq GSSAPI encryption support

On both the frontend and backend, prepare for GSSAPI encryption
support by moving common code for error handling into a separate file.
Fix a TODO for handling multiple status messages in the process.
Eliminate the OIDs, which have not been needed for some time.

Add frontend and backend encryption support functions.  Keep the
context initiation for authentication-only separate on both the
frontend and backend in order to avoid concerns about changing the
requested flags to include encryption support.

In postmaster, pull GSSAPI authorization checking into a shared
function.  Also share the initiator name between the encryption and
non-encryption codepaths.

Modify pqsecure_write() to take a non-const pointer.  The pointer will
not be modified, but this change (or a const-discarding cast, or a
malloc()+memcpy()) is necessary for GSSAPI due to const/struct
interactions in C.

For HBA, add "hostgss" and "hostnogss" entries that behave similarly
to their SSL counterparts.  "hostgss" requires either "gss", "trust",
or "reject" for its authentication.

Simiarly, add a "gssmode" parameter to libpq.  Supported values are
"disable", "require", and "prefer".  Notably, negotiation will only be
attempted if credentials can be acquired.  Move credential acquisition
into its own function to support this behavior.

Finally, add documentation for everything new, and update existing
documentation on connection security.

Thanks to Michael Paquier for the Windows fixes.
---
 doc/src/sgml/client-auth.sgml           |  75 ++++--
 doc/src/sgml/libpq.sgml                 |  60 ++++-
 doc/src/sgml/runtime.sgml               |  80 +++++-
 src/backend/libpq/Makefile              |   4 +
 src/backend/libpq/auth.c                | 103 +++----
 src/backend/libpq/be-gssapi-common.c    |  64 +++++
 src/backend/libpq/be-gssapi-common.h    |  26 ++
 src/backend/libpq/be-secure-gssapi.c    | 319 ++++++++++++++++++++++
 src/backend/libpq/be-secure.c           |  16 ++
 src/backend/libpq/hba.c                 |  51 +++-
 src/backend/postmaster/pgstat.c         |   3 +
 src/backend/postmaster/postmaster.c     |  64 ++++-
 src/include/libpq/hba.h                 |   4 +-
 src/include/libpq/libpq-be.h            |  11 +-
 src/include/libpq/libpq.h               |   3 +
 src/include/libpq/pqcomm.h              |   5 +-
 src/include/pgstat.h                    |   3 +-
 src/interfaces/libpq/Makefile           |   4 +
 src/interfaces/libpq/fe-auth.c          |  90 +------
 src/interfaces/libpq/fe-connect.c       | 232 +++++++++++++++-
 src/interfaces/libpq/fe-gssapi-common.c | 128 +++++++++
 src/interfaces/libpq/fe-gssapi-common.h |  23 ++
 src/interfaces/libpq/fe-secure-gssapi.c | 343 ++++++++++++++++++++++++
 src/interfaces/libpq/fe-secure.c        |  16 +-
 src/interfaces/libpq/libpq-fe.h         |   3 +-
 src/interfaces/libpq/libpq-int.h        |  30 ++-
 src/tools/msvc/Mkvcbuild.pm             |  20 +-
 27 files changed, 1578 insertions(+), 202 deletions(-)
 create mode 100644 src/backend/libpq/be-gssapi-common.c
 create mode 100644 src/backend/libpq/be-gssapi-common.h
 create mode 100644 src/backend/libpq/be-secure-gssapi.c
 create mode 100644 src/interfaces/libpq/fe-gssapi-common.c
 create mode 100644 src/interfaces/libpq/fe-gssapi-common.h
 create mode 100644 src/interfaces/libpq/fe-secure-gssapi.c

diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
index 656d5f9417..38cf32e3be 100644
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -108,6 +108,8 @@ hostnossl  <replaceable>database</replaceable>  <replaceable>user</replaceable>
 host       <replaceable>database</replaceable>  <replaceable>user</replaceable>  <replaceable>IP-address</replaceable>
<replaceable>IP-mask</replaceable>  <replaceable>auth-method</replaceable>
<optional><replaceable>auth-options</replaceable></optional>
 hostssl    <replaceable>database</replaceable>  <replaceable>user</replaceable>  <replaceable>IP-address</replaceable>
<replaceable>IP-mask</replaceable>  <replaceable>auth-method</replaceable>
<optional><replaceable>auth-options</replaceable></optional>
 hostnossl  <replaceable>database</replaceable>  <replaceable>user</replaceable>  <replaceable>IP-address</replaceable>
<replaceable>IP-mask</replaceable>  <replaceable>auth-method</replaceable>
<optional><replaceable>auth-options</replaceable></optional>
+hostgss    <replaceable>database</replaceable>  <replaceable>user</replaceable>  <replaceable>IP-address</replaceable>
<replaceable>IP-mask</replaceable>  <replaceable>auth-method</replaceable>
<optional><replaceable>auth-options</replaceable></optional>
+hostnogss  <replaceable>database</replaceable>  <replaceable>user</replaceable>  <replaceable>IP-address</replaceable>
<replaceable>IP-mask</replaceable>  <replaceable>auth-method</replaceable>
<optional><replaceable>auth-options</replaceable></optional>
 </synopsis>
    The meaning of the fields is as follows:
 
@@ -128,9 +130,10 @@ hostnossl  <replaceable>database</replaceable>  <replaceable>user</replaceable>
      <listitem>
       <para>
        This record matches connection attempts made using TCP/IP.
-       <literal>host</literal> records match either
+       <literal>host</literal> records match
        <acronym>SSL</acronym> or non-<acronym>SSL</acronym> connection
-       attempts.
+       attempts as well as <acronym>GSSAPI</acronym> or
+       non-<acronym>GSSAPI</acronym> connection attempts.
       </para>
      <note>
       <para>
@@ -176,6 +179,42 @@ hostnossl  <replaceable>database</replaceable>  <replaceable>user</replaceable>
      </listitem>
     </varlistentry>
 
+    <varlistentry>
+     <term><literal>hostgss</literal></term>
+     <listitem>
+      <para>
+       This record matches connection attempts made using TCP/IP,
+       but only when the connection is made with <acronym>GSSAPI</acronym>
+       encryption.
+      </para>
+
+      <para>
+       To make use of this option the server must be built with
+       <acronym>GSSAPI</acronym> support.  Otherwise,
+       the <literal>hostgss</literal> record is ignored except for logging a
+       warning that it cannot match any connections.
+      </para>
+
+      <para>
+        Note that the only supported <xref linkend="auth-methods"/> for use
+        with <acronym>GSSAPI</acronym> encryption
+        are <literal>gss</literal>, <literal>reject</literal>,
+        and <literal>trust</literal>.
+      </para>
+     </listitem>
+    </varlistentry>
+
+    <varlistentry>
+     <term><literal>hostnogss</literal></term>
+     <listitem>
+      <para>
+       This record type has the opposite behavior of <literal>hostgss</literal>;
+       it only matches connection attempts made over
+       TCP/IP that do not use <acronym>GSSAPI</acronym>.
+      </para>
+     </listitem>
+    </varlistentry>
+
     <varlistentry>
      <term><replaceable>database</replaceable></term>
      <listitem>
@@ -450,8 +489,9 @@ hostnossl  <replaceable>database</replaceable>  <replaceable>user</replaceable>
         <listitem>
          <para>
           Use GSSAPI to authenticate the user. This is only
-          available for TCP/IP connections. See <xref
-          linkend="gssapi-auth"/> for details.
+          available for TCP/IP connections . See <xref
+          linkend="gssapi-auth"/> for details.  It can be used in conjunction
+          with GSSAPI encryption.
          </para>
         </listitem>
        </varlistentry>
@@ -696,15 +736,17 @@ host    postgres        all             192.168.12.10/32        scram-sha-256
 host    all             mike            .example.com            md5
 host    all             all             .example.com            scram-sha-256
 
-# In the absence of preceding "host" lines, these two lines will
+# In the absence of preceding "host" lines, these three lines will
 # reject all connections from 192.168.54.1 (since that entry will be
-# matched first), but allow GSSAPI connections from anywhere else
-# on the Internet.  The zero mask causes no bits of the host IP
+# matched first), but allow GSSAPI-encrypted connections from anywhere else
+# on the Internet.  Unencrypted GSSAPI connections are allowed from
+# 192.168.12.10 only.  The zero mask causes no bits of the host IP
 # address to be considered, so it matches any host.
 #
 # TYPE  DATABASE        USER            ADDRESS                 METHOD
 host    all             all             192.168.54.1/32         reject
-host    all             all             0.0.0.0/0               gss
+hostgss all             all             0.0.0.0/0               gss
+host    all             all             192.168.12.10/32        gss
 
 # Allow users from 192.168.x.x hosts to connect to any database, if
 # they pass the ident check.  If, for example, ident says the user is
@@ -1051,13 +1093,16 @@ omicron         bryanh                  guest1
    <para>
     <productname>GSSAPI</productname> is an industry-standard protocol
     for secure authentication defined in RFC 2743.
-    <productname>PostgreSQL</productname> supports
-    <productname>GSSAPI</productname> with <productname>Kerberos</productname>
-    authentication according to RFC 1964. <productname>GSSAPI</productname>
-    provides automatic authentication (single sign-on) for systems
-    that support it. The authentication itself is secure, but the
-    data sent over the database connection will be sent unencrypted unless
-    <acronym>SSL</acronym> is used.
+
+    <productname>PostgreSQL</productname>
+    supports <productname>GSSAPI</productname> for use as either an encrypted,
+    authenticated layer, or as authentication
+    only.  <productname>GSSAPI</productname> provides automatic authentication
+    (single sign-on) for systems that support it. The authentication itself is
+    secure.  If <productname>GSSAPI</productname> encryption
+    (see <literal>hostgss</literal>) or <acronym>SSL</acronym> encryption are
+    used, the data sent along the database connection will be encrypted;
+    otherwise, it will not.
    </para>
 
    <para>
diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml
index 800e68a19e..24bf6d3f44 100644
--- a/doc/src/sgml/libpq.sgml
+++ b/doc/src/sgml/libpq.sgml
@@ -1320,6 +1320,64 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname
       </listitem>
      </varlistentry>
 
+     <varlistentry id="libpq-connect-gssmode" xreflabel="gssmode">
+      <term><literal>gssmode</literal></term>
+      <listitem>
+       <para>
+        This option determines whether or with what priority a secure
+        <acronym>GSS</acronym> TCP/IP connection will be negotiated with the
+        server. There are three modes:
+
+        <variablelist>
+         <varlistentry>
+          <term><literal>disable</literal></term>
+          <listitem>
+           <para>
+            only try a non-<acronym>GSSAPI</acronym>-encrypted connection
+           </para>
+          </listitem>
+         </varlistentry>
+
+         <varlistentry>
+          <term><literal>prefer</literal> (default)</term>
+          <listitem>
+           <para>
+            if there are <acronym>GSSAPI</acronym> credentials present (i.e.,
+            in a credentials cache), first try
+            a <acronym>GSSAPI</acronym>-encrypted connection; if that fails or
+            there are no credentials, try a
+            non-<acronym>GSSAPI</acronym>-encrypted connection
+           </para>
+          </listitem>
+         </varlistentry>
+
+         <varlistentry>
+          <term><literal>require</literal></term>
+          <listitem>
+           <para>
+            only try a <acronym>GSSAPI</acronym>-encrypted connection
+           </para>
+          </listitem>
+         </varlistentry>
+        </variablelist>
+
+        See <xref linkend="libpq-gss"/> for a detailed description of how
+        these options work.
+       </para>
+
+       <para>
+        <literal>gssmode</literal> is ignored for Unix domain socket
+        communication.  If <productname>PostgreSQL</productname> is compiled
+        without GSSAPI support, using the <literal>require</literal> option
+        will cause an error, while <literal>prefer</literal> will be accepted
+        but <application>libpq</application> will not actually attempt
+        a <acronym>GSSAPI</acronym>-encrypted
+        connection.<indexterm><primary>GSSAPI</primary><secondary sortas="libpq">with
+        libpq</secondary></indexterm>
+       </para>
+      </listitem>
+     </varlistentry>
+
      <varlistentry id="libpq-connect-sslmode" xreflabel="sslmode">
       <term><literal>sslmode</literal></term>
       <listitem>
@@ -7872,7 +7930,7 @@ ldap://ldap.acme.com/cn=dbserver,cn=hosts?pgconnectinfo?base?(objectclass=*)
   </para>
 
   <para>
-   For a connection to be known secure, SSL usage must be configured
+   For a connection to be known SSL-secured, SSL usage must be configured
    on <emphasis>both the client and the server</emphasis> before the connection
    is made. If it is only configured on the server, the client may end up
    sending sensitive information (e.g. passwords) before
diff --git a/doc/src/sgml/runtime.sgml b/doc/src/sgml/runtime.sgml
index 330e38a29e..4e26644b37 100644
--- a/doc/src/sgml/runtime.sgml
+++ b/doc/src/sgml/runtime.sgml
@@ -2008,9 +2008,13 @@ pg_dumpall -p 5432 | psql -d postgres -p 5433
   </para>
 
   <para>
-   To prevent spoofing on TCP connections, the best solution is to use
-   SSL certificates and make sure that clients check the server's certificate.
-   To do that, the server
+   To prevent spoofing on TCP connections, either use
+   SSL certificates and make sure that clients check the server's certificate,
+   or use GSSAPI encryption (or both, if they're on separate connections).
+  </para>
+
+  <para>
+   To prevent spoofing with SSL, the server
    must be configured to accept only <literal>hostssl</literal> connections (<xref
    linkend="auth-pg-hba-conf"/>) and have SSL key and certificate files
    (<xref linkend="ssl-tcp"/>). The TCP client must connect using
@@ -2018,6 +2022,13 @@ pg_dumpall -p 5432 | psql -d postgres -p 5433
    <literal>verify-full</literal> and have the appropriate root certificate
    file installed (<xref linkend="libq-ssl-certificates"/>).
   </para>
+
+  <para>
+    To prevent spoofing with GSSAPI, the server must be configured to accept
+    only <literal>hostgss</literal> connections
+    (<xref linkend="auth-pg-hba.conf"/>) and use <literal>gss</literal>
+    authentication with them.  The TCP client must connect
+    using <literal>gssmode=require</literal>.
  </sect1>
 
  <sect1 id="encryption-options">
@@ -2114,8 +2125,28 @@ pg_dumpall -p 5432 | psql -d postgres -p 5433
       which hosts can use non-encrypted connections (<literal>host</literal>)
       and which require SSL-encrypted connections
       (<literal>hostssl</literal>). Also, clients can specify that they
-      connect to servers only via SSL. <application>Stunnel</application> or
-      <application>SSH</application> can also be used to encrypt transmissions.
+      connect to servers only via SSL.
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      GSSAPI-encrypted connections encrypt all data sent across the network,
+      including queries and data returned.  (No password is sent across the
+      network.)  The <filename>pg_hba.conf</filename> file allows
+      administrators to specify which hosts can use non-encrypted connections
+      (<literal>host</literal>) and which require GSSAPI-encrypted connections
+      (<literal>hostgss</literal>).  Also, clients can specify that they
+      connect to servers only on GSSAPI-encrypted connections
+      (<literal>gssmode=require</literal>).
+     </para>
+    </listitem>
+
+    <listitem>
+     <para>
+      <application>Stunnel</application> or
+      <application>SSH</application> can also be used to encrypt
+      transmissions.
      </para>
     </listitem>
   </varlistentry>
@@ -2505,6 +2536,45 @@ openssl x509 -req -in server.csr -text -days 365 \
 
  </sect1>
 
+ <sect1 id="gssapi-enc">
+  <title>Secure TCP/IP Connections with GSSAPI encryption</title>
+
+  <indexterm zone="gssapi-enc">
+   <primary>gssapi</primary>
+  </indexterm>
+
+  <para>
+   <productname>PostgreSQL</productname> also has native support for
+   using <acronym>GSSAPI</acronym> to encrypt client/server communications for
+   increased security.  Support requires that a <acronym>GSSAPI</acronym>
+   implementation (such as MIT krb5) is installed on both client and server
+   systems, and that support in <productname>PostgreSQL</productname> is
+   enabled at build time (see <xref linked="installation"/>).
+  </para>
+
+  <sect2 id="gssapi-setup">
+   <title>Basic Setup</title>
+
+   <para>
+    The <productname>PostgreSQL</productname> server will listen for both
+    normal and <acronym>GSSAPI</acronym>-encrypted connections on the same TCP
+    port, and will negotiate with any connecting client on whether to
+    use <acronym>GSSAPI</acronym> for encryption (and for authentication).  By
+    default, this decision is up to the client (which means it can be
+    downgraded by an attacker); see <xref linkend="auth-pg-hba-conf"/> about
+    setting up the server to require the use of <acronym>GSSAPI</acronym> for
+    some or all conections.
+   </para>
+
+   <para>
+    Other than configuration of the negotiation
+    behavior, <acronym>GSSAPI</acronym> encryption requires no setup beyond
+    that which necessary for GSSAPI authentication.  (For more information on
+    configuring that, see <xref linkend="gssapi-auth"/>.)
+   </para>
+  </sect2>
+ </sect1>
+
  <sect1 id="ssh-tunnels">
   <title>Secure TCP/IP Connections with <application>SSH</application> Tunnels</title>
 
diff --git a/src/backend/libpq/Makefile b/src/backend/libpq/Makefile
index 3dbec23e30..47efef0682 100644
--- a/src/backend/libpq/Makefile
+++ b/src/backend/libpq/Makefile
@@ -21,4 +21,8 @@ ifeq ($(with_openssl),yes)
 OBJS += be-secure-openssl.o
 endif
 
+ifeq ($(with_gssapi),yes)
+OBJS += be-gssapi-common.o be-secure-gssapi.o
+endif
+
 include $(top_srcdir)/src/backend/common.mk
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index 3014b17a7c..6e4cd66a90 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -173,12 +173,9 @@ bool        pg_krb_caseins_users;
  *----------------------------------------------------------------
  */
 #ifdef ENABLE_GSS
-#if defined(HAVE_GSSAPI_H)
-#include <gssapi.h>
-#else
-#include <gssapi/gssapi.h>
-#endif
+#include "be-gssapi-common.h"
 
+static int    pg_GSS_checkauth(Port *port);
 static int    pg_GSS_recvauth(Port *port);
 #endif                            /* ENABLE_GSS */
 
@@ -384,6 +381,17 @@ ClientAuthentication(Port *port)
                      errmsg("connection requires a valid client certificate")));
     }
 
+#ifdef ENABLE_GSS
+    if (port->gss->enc && port->hba->auth_method != uaReject &&
+        port->hba->auth_method != uaImplicitReject &&
+        port->hba->auth_method != uaTrust &&
+        port->hba->auth_method != uaGSS)
+    {
+        ereport(FATAL, (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
+                 errmsg("GSSAPI encryption cannot be combined with non-GSSAPI authentication")));
+    }
+#endif
+
     /*
      * Now proceed to do the actual authentication check
      */
@@ -524,8 +532,13 @@ ClientAuthentication(Port *port)
 
         case uaGSS:
 #ifdef ENABLE_GSS
-            sendAuthRequest(port, AUTH_REQ_GSS, NULL, 0);
-            status = pg_GSS_recvauth(port);
+            if (port->gss->enc)
+                status = pg_GSS_checkauth(port);
+            else
+            {
+                sendAuthRequest(port, AUTH_REQ_GSS, NULL, 0);
+                status = pg_GSS_recvauth(port);
+            }
 #else
             Assert(false);
 #endif
@@ -1044,64 +1057,6 @@ CheckSCRAMAuth(Port *port, char *shadow_pass, char **logdetail)
  *----------------------------------------------------------------
  */
 #ifdef ENABLE_GSS
-
-#if defined(WIN32) && !defined(_MSC_VER)
-/*
- * MIT Kerberos GSSAPI DLL doesn't properly export the symbols for MingW
- * that contain the OIDs required. Redefine here, values copied
- * from src/athena/auth/krb5/src/lib/gssapi/generic/gssapi_generic.c
- */
-static const gss_OID_desc GSS_C_NT_USER_NAME_desc =
-{10, (void *) "\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x02"};
-static GSS_DLLIMP gss_OID GSS_C_NT_USER_NAME = &GSS_C_NT_USER_NAME_desc;
-#endif
-
-
-static void
-pg_GSS_error(int severity, const char *errmsg, OM_uint32 maj_stat, OM_uint32 min_stat)
-{
-    gss_buffer_desc gmsg;
-    OM_uint32    lmin_s,
-                msg_ctx;
-    char        msg_major[128],
-                msg_minor[128];
-
-    /* Fetch major status message */
-    msg_ctx = 0;
-    gss_display_status(&lmin_s, maj_stat, GSS_C_GSS_CODE,
-                       GSS_C_NO_OID, &msg_ctx, &gmsg);
-    strlcpy(msg_major, gmsg.value, sizeof(msg_major));
-    gss_release_buffer(&lmin_s, &gmsg);
-
-    if (msg_ctx)
-
-        /*
-         * More than one message available. XXX: Should we loop and read all
-         * messages? (same below)
-         */
-        ereport(WARNING,
-                (errmsg_internal("incomplete GSS error report")));
-
-    /* Fetch mechanism minor status message */
-    msg_ctx = 0;
-    gss_display_status(&lmin_s, min_stat, GSS_C_MECH_CODE,
-                       GSS_C_NO_OID, &msg_ctx, &gmsg);
-    strlcpy(msg_minor, gmsg.value, sizeof(msg_minor));
-    gss_release_buffer(&lmin_s, &gmsg);
-
-    if (msg_ctx)
-        ereport(WARNING,
-                (errmsg_internal("incomplete GSS minor error report")));
-
-    /*
-     * errmsg_internal, since translation of the first part must be done
-     * before calling this function anyway.
-     */
-    ereport(severity,
-            (errmsg_internal("%s", errmsg),
-             errdetail_internal("%s: %s", msg_major, msg_minor)));
-}
-
 static int
 pg_GSS_recvauth(Port *port)
 {
@@ -1110,7 +1065,6 @@ pg_GSS_recvauth(Port *port)
                 lmin_s,
                 gflags;
     int            mtype;
-    int            ret;
     StringInfoData buf;
     gss_buffer_desc gbuf;
 
@@ -1263,10 +1217,17 @@ pg_GSS_recvauth(Port *port)
          */
         gss_release_cred(&min_stat, &port->gss->cred);
     }
+    return pg_GSS_checkauth(port);
+}
+
+static int
+pg_GSS_checkauth(Port *port)
+{
+    int ret;
+    OM_uint32 maj_stat, min_stat;
+    gss_buffer_desc gbuf;
 
     /*
-     * GSS_S_COMPLETE indicates that authentication is now complete.
-     *
      * Get the name of the user that authenticated, and compare it to the pg
      * username that was specified for the connection.
      */
@@ -1308,7 +1269,7 @@ pg_GSS_recvauth(Port *port)
                 elog(DEBUG2,
                      "GSSAPI realm (%s) and configured realm (%s) don't match",
                      cp, port->hba->krb_realm);
-                gss_release_buffer(&lmin_s, &gbuf);
+                gss_release_buffer(&min_stat, &gbuf);
                 return STATUS_ERROR;
             }
         }
@@ -1318,14 +1279,14 @@ pg_GSS_recvauth(Port *port)
         elog(DEBUG2,
              "GSSAPI did not return realm but realm matching was requested");
 
-        gss_release_buffer(&lmin_s, &gbuf);
+        gss_release_buffer(&min_stat, &gbuf);
         return STATUS_ERROR;
     }
 
     ret = check_usermap(port->hba->usermap, port->user_name, gbuf.value,
                         pg_krb_caseins_users);
 
-    gss_release_buffer(&lmin_s, &gbuf);
+    gss_release_buffer(&min_stat, &gbuf);
 
     return ret;
 }
diff --git a/src/backend/libpq/be-gssapi-common.c b/src/backend/libpq/be-gssapi-common.c
new file mode 100644
index 0000000000..78d9f5d325
--- /dev/null
+++ b/src/backend/libpq/be-gssapi-common.c
@@ -0,0 +1,64 @@
+/*-------------------------------------------------------------------------
+ *
+ * be-gssapi-common.c
+ *     Common code for GSSAPI authentication and encryption
+ *
+ * Portions Copyright (c) 1996-2018, PostgreSQL Global Development Group
+ * Portions Copyright (c) 1994, Regents of the University of California
+ *
+ * IDENTIFICATION
+ *       src/backend/libpq/be-gssapi-common.c
+ *
+ *-------------------------------------------------------------------------
+ */
+
+#include "postgres.h"
+
+#include "be-gssapi-common.h"
+
+static void
+pg_GSS_error_int(char *s, size_t len, OM_uint32 stat, int type)
+{
+    gss_buffer_desc gmsg;
+    size_t i = 0;
+    OM_uint32 lmin_s, msg_ctx = 0;
+
+    gmsg.value = NULL;
+    gmsg.length = 0;
+
+    do
+    {
+        gss_display_status(&lmin_s, stat, type,
+                           GSS_C_NO_OID, &msg_ctx, &gmsg);
+        strlcpy(s + i, gmsg.value, len - i);
+        i += gmsg.length;
+        gss_release_buffer(&lmin_s, &gmsg);
+    }
+    while (msg_ctx && i < len);
+
+    if (msg_ctx || i == len)
+        ereport(WARNING,
+                (errmsg_internal("incomplete GSS error report")));
+}
+
+void
+pg_GSS_error(int severity, const char *errmsg,
+             OM_uint32 maj_stat, OM_uint32 min_stat)
+{
+    char msg_major[128], msg_minor[128];
+
+    /* Fetch major status message */
+    pg_GSS_error_int(msg_major, sizeof(msg_major), maj_stat, GSS_C_GSS_CODE);
+
+    /* Fetch mechanism minor status message */
+    pg_GSS_error_int(msg_minor, sizeof(msg_minor), min_stat, GSS_C_MECH_CODE);
+
+    /*
+     * errmsg_internal, since translation of the first part must be done
+     * before calling this function anyway.
+     */
+    ereport(severity,
+            (errmsg_internal("%s", errmsg),
+             errdetail_internal("%s: %s", msg_major, msg_minor)));
+}
+
diff --git a/src/backend/libpq/be-gssapi-common.h b/src/backend/libpq/be-gssapi-common.h
new file mode 100644
index 0000000000..c020051d2e
--- /dev/null
+++ b/src/backend/libpq/be-gssapi-common.h
@@ -0,0 +1,26 @@
+/*-------------------------------------------------------------------------
+ *
+ * be-gssapi-common.h
+ *       Definitions for GSSAPI authentication and encryption handling
+ *
+ * Portions Copyright (c) 1996-2018, PostgreSQL Global Development Group
+ * Portions Copyright (c) 1994, Regents of the University of California
+ *
+ * src/include/libpq/be-gssapi-common.h
+ *
+ *-------------------------------------------------------------------------
+ */
+
+#ifndef BE_GSSAPI_COMMON_H
+#define BE_GSSAPI_COMMON_H
+
+#if defined(HAVE_GSSAPI_H)
+#include <gssapi.h>
+#else
+#include <gssapi/gssapi.h>
+#endif
+
+void pg_GSS_error(int severity, const char *errmsg,
+                  OM_uint32 maj_stat, OM_uint32 min_stat);
+
+#endif /* BE_GSSAPI_COMMON_H */
diff --git a/src/backend/libpq/be-secure-gssapi.c b/src/backend/libpq/be-secure-gssapi.c
new file mode 100644
index 0000000000..d860f71b71
--- /dev/null
+++ b/src/backend/libpq/be-secure-gssapi.c
@@ -0,0 +1,319 @@
+/*-------------------------------------------------------------------------
+ *
+ * be-secure-gssapi.c
+ *  GSSAPI encryption support
+ *
+ * Portions Copyright (c) 2018-2018, PostgreSQL Global Development Group
+ *
+ *
+ * IDENTIFICATION
+ *  src/backend/libpq/be-secure-gssapi.c
+ *
+ *-------------------------------------------------------------------------
+ */
+
+#include "postgres.h"
+
+#include "be-gssapi-common.h"
+
+#include "libpq/auth.h"
+#include "libpq/libpq.h"
+#include "libpq/libpq-be.h"
+#include "libpq/pqformat.h"
+#include "miscadmin.h"
+#include "pgstat.h"
+
+#include <unistd.h>
+
+static ssize_t
+send_buffered_data(Port *port, size_t len)
+{
+    ssize_t ret = secure_raw_write(
+        port,
+        port->gss->writebuf.data + port->gss->writebuf.cursor,
+        port->gss->writebuf.len - port->gss->writebuf.cursor);
+    if (ret < 0)
+        return ret;
+
+    /* update and possibly clear buffer state */
+    port->gss->writebuf.cursor += ret;
+
+    if (port->gss->writebuf.cursor == port->gss->writebuf.len)
+    {
+        /* entire request has now been written */
+        resetStringInfo(&port->gss->writebuf);
+        return len;
+    }
+
+    /* need to be called again */
+    errno = EWOULDBLOCK;
+    return -1;
+}
+
+ssize_t
+be_gssapi_write(Port *port, void *ptr, size_t len)
+{
+    OM_uint32 major, minor;
+    gss_buffer_desc input, output;
+    ssize_t ret = -1;
+    int conf = 0;
+    uint32 netlen;
+    pg_gssinfo *gss = port->gss;
+
+    if (gss->writebuf.len != 0)
+        return send_buffered_data(port, len);
+
+    /* encrypt the message */
+    output.value = NULL;
+    output.length = 0;
+    input.value = ptr;
+    input.length = len;
+
+    major = gss_wrap(&minor, gss->ctx, 1, GSS_C_QOP_DEFAULT,
+                     &input, &conf, &output);
+    if (GSS_ERROR(major))
+    {
+        pg_GSS_error(ERROR, gettext_noop("GSSAPI wrap error"), major, minor);
+        goto cleanup;
+    } else if (conf == 0)
+    {
+        ereport(FATAL, (errmsg("GSSAPI did not provide confidentiality")));
+        goto cleanup;
+    }
+
+    /* 4 network-order length bytes, then payload */
+    netlen = htonl(output.length);
+    appendBinaryStringInfo(&gss->writebuf, (char *)&netlen, 4);
+    appendBinaryStringInfo(&gss->writebuf, output.value, output.length);
+
+    ret = send_buffered_data(port, len);
+cleanup:
+    if (output.value != NULL)
+        gss_release_buffer(&minor, &output);
+    return ret;
+}
+
+static ssize_t
+read_from_buffer(pg_gssinfo *gss, void *ptr, size_t len)
+{
+    ssize_t ret = 0;
+
+    /* load up any available data */
+    if (gss->buf.len > 4 && gss->buf.cursor < gss->buf.len)
+    {
+        /* clamp length */
+        if (len > gss->buf.len - gss->buf.cursor)
+            len = gss->buf.len - gss->buf.cursor;
+
+        memcpy(ptr, gss->buf.data + gss->buf.cursor, len);
+        gss->buf.cursor += len;
+        ret = len;
+    }
+
+    /* reset buffer if all data has been read */
+    if (gss->buf.cursor == gss->buf.len)
+        resetStringInfo(&gss->buf);
+
+    return ret;
+}
+
+static ssize_t
+load_packetlen(Port *port)
+{
+    pg_gssinfo *gss = port->gss;
+    ssize_t ret;
+
+    if (gss->buf.len < 4)
+    {
+        enlargeStringInfo(&gss->buf, 4 - gss->buf.len);
+        ret = secure_raw_read(port, gss->buf.data + gss->buf.len,
+                              4 - gss->buf.len);
+        if (ret < 0)
+            return ret;
+
+        /* update buffer state */
+        gss->buf.len += ret;
+        gss->buf.data[gss->buf.len] = '\0';
+        if (gss->buf.len < 4)
+        {
+            errno = EWOULDBLOCK;
+            return -1;
+        }
+    }
+    return 0;
+}
+
+static ssize_t
+load_packet(Port *port, size_t len)
+{
+    ssize_t ret;
+    pg_gssinfo *gss = port->gss;
+
+    enlargeStringInfo(&gss->buf, len - gss->buf.len + 4);
+
+    ret = secure_raw_read(port, gss->buf.data + gss->buf.len,
+                          len - gss->buf.len + 4);
+    if (ret < 0)
+        return ret;
+
+    /* update buffer state */
+    gss->buf.len += ret;
+    gss->buf.data[gss->buf.len] = '\0';
+    if (gss->buf.len - 4 < len)
+    {
+        errno = EWOULDBLOCK;
+        return -1;
+    }
+    return 0;
+}
+
+ssize_t
+be_gssapi_read(Port *port, void *ptr, size_t len)
+{
+    OM_uint32 major, minor;
+    gss_buffer_desc input, output;
+    ssize_t ret;
+    int conf = 0;
+    pg_gssinfo *gss = port->gss;
+
+    if (gss->buf.cursor > 0)
+        return read_from_buffer(gss, ptr, len);
+
+    /* load length if not present */
+    ret = load_packetlen(port);
+    if (ret != 0)
+        return ret;
+
+    input.length = ntohl(*(uint32*)gss->buf.data);
+    ret = load_packet(port, input.length);
+    if (ret != 0)
+        return ret;
+
+    /* decrypt the packet */
+    output.value = NULL;
+    output.length = 0;
+    input.value = gss->buf.data + 4;
+
+    major = gss_unwrap(&minor, gss->ctx, &input, &output, &conf, NULL);
+    if (GSS_ERROR(major))
+    {
+        pg_GSS_error(ERROR, gettext_noop("GSSAPI unwrap error"),
+                     major, minor);
+        ret = -1;
+        goto cleanup;
+    }
+    else if (conf == 0)
+    {
+        ereport(FATAL, (errmsg("GSSAPI did not provide confidentiality")));
+        ret = -1;
+        goto cleanup;
+    }
+
+    /* put the decrypted packet in the buffer */
+    resetStringInfo(&gss->buf);
+    enlargeStringInfo(&gss->buf, output.length);
+
+    memcpy(gss->buf.data, output.value, output.length);
+    gss->buf.len = output.length;
+    gss->buf.data[gss->buf.len] = '\0';
+
+    ret = read_from_buffer(gss, ptr, len);
+cleanup:
+    if (output.value != NULL)
+        gss_release_buffer(&minor, &output);
+    return ret;
+}
+
+ssize_t
+secure_open_gssapi(Port *port)
+{
+    pg_gssinfo *gss = port->gss;
+    bool complete_next = false;
+
+    /*
+     * Use the configured keytab, if there is one.  Unfortunately, Heimdal
+     * doesn't support the cred store extensions, so use the env var.
+     */
+    if (pg_krb_server_keyfile != NULL && strlen(pg_krb_server_keyfile) > 0)
+        setenv("KRB5_KTNAME", pg_krb_server_keyfile, 1);
+
+    while (true)
+    {
+        OM_uint32 major, minor;
+        size_t ret;
+        gss_buffer_desc input, output = GSS_C_EMPTY_BUFFER;
+
+        /* Handle any outgoing data */
+        if (gss->writebuf.len != 0)
+        {
+            ret = send_buffered_data(port, 1);
+            if (ret != 1)
+            {
+                WaitLatchOrSocket(MyLatch, WL_SOCKET_WRITEABLE, port->sock, 0,
+                                  WAIT_EVENT_GSS_OPEN_SERVER);
+                continue;
+            }
+        }
+
+        if (complete_next)
+            break;
+
+        /* Load incoming data */
+        ret = load_packetlen(port);
+        if (ret != 0)
+        {
+            WaitLatchOrSocket(MyLatch, WL_SOCKET_READABLE, port->sock, 0,
+                              WAIT_EVENT_GSS_OPEN_SERVER);
+            continue;
+        }
+
+        input.length = ntohl(*(uint32*)gss->buf.data);
+        ret = load_packet(port, input.length);
+        if (ret != 0)
+        {
+            WaitLatchOrSocket(MyLatch, WL_SOCKET_READABLE, port->sock, 0,
+                              WAIT_EVENT_GSS_OPEN_SERVER);
+            continue;
+        }
+        input.value = gss->buf.data + 4;
+
+        /* Process incoming data.  (The client sends first.) */
+        major = gss_accept_sec_context(&minor, &port->gss->ctx,
+                                       GSS_C_NO_CREDENTIAL, &input,
+                                       GSS_C_NO_CHANNEL_BINDINGS,
+                                       &port->gss->name, NULL, &output, NULL,
+                                       NULL, NULL);
+        resetStringInfo(&gss->buf);
+        if (GSS_ERROR(major))
+        {
+            pg_GSS_error(ERROR, gettext_noop("GSSAPI context error"),
+                         major, minor);
+            gss_release_buffer(&minor, &output);
+            return -1;
+        }
+        else if (!(major & GSS_S_CONTINUE_NEEDED))
+        {
+            /*
+             * rfc2744 technically permits context negotiation to be complete
+             * both with and without a packet to be sent.
+             */
+            complete_next = true;
+        }
+
+        if (output.length != 0)
+        {
+            /* Queue packet for writing */
+            uint32 netlen = htonl(output.length);
+            appendBinaryStringInfo(&gss->writebuf, (char *)&netlen, 4);
+            appendBinaryStringInfo(&gss->writebuf,
+                                   output.value, output.length);
+            gss_release_buffer(&minor, &output);
+            continue;
+        }
+
+        /* We're done - woohoo! */
+        break;
+    }
+    port->gss->enc = true;
+    return 0;
+}
diff --git a/src/backend/libpq/be-secure.c b/src/backend/libpq/be-secure.c
index edfe2c0751..7dd1cf7090 100644
--- a/src/backend/libpq/be-secure.c
+++ b/src/backend/libpq/be-secure.c
@@ -152,6 +152,14 @@ retry:
         n = be_tls_read(port, ptr, len, &waitfor);
     }
     else
+#endif
+#ifdef ENABLE_GSS
+    if (port->gss->enc)
+    {
+        n = be_gssapi_read(port, ptr, len);
+        waitfor = WL_SOCKET_READABLE;
+    }
+    else
 #endif
     {
         n = secure_raw_read(port, ptr, len);
@@ -255,6 +263,14 @@ retry:
         n = be_tls_write(port, ptr, len, &waitfor);
     }
     else
+#endif
+#ifdef ENABLE_GSS
+    if (port->gss->enc)
+    {
+        n = be_gssapi_write(port, ptr, len);
+        waitfor = WL_SOCKET_WRITEABLE;
+    }
+    else
 #endif
     {
         n = secure_raw_write(port, ptr, len);
diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
index acf625e4ec..9a1aa4e5cc 100644
--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@@ -994,7 +994,9 @@ parse_hba_line(TokenizedLine *tok_line, int elevel)
     }
     else if (strcmp(token->string, "host") == 0 ||
              strcmp(token->string, "hostssl") == 0 ||
-             strcmp(token->string, "hostnossl") == 0)
+             strcmp(token->string, "hostnossl") == 0 ||
+             strcmp(token->string, "hostgss") == 0 ||
+             strcmp(token->string, "hostnogss") == 0)
     {
 
         if (token->string[4] == 's')    /* "hostssl" */
@@ -1022,10 +1024,23 @@ parse_hba_line(TokenizedLine *tok_line, int elevel)
             *err_msg = "hostssl record cannot match because SSL is not supported by this build";
 #endif
         }
-        else if (token->string[4] == 'n')    /* "hostnossl" */
+        else if (token->string[4] == 'g')    /* "hostgss" */
         {
-            parsedline->conntype = ctHostNoSSL;
+            parsedline->conntype = ctHostGSS;
+#ifndef ENABLE_GSS
+            ereport(elevel,
+                    (errcode(ERRCODE_CONFIG_FILE_ERROR),
+                     errmsg("hostgss record cannot match because GSSAPI is not supported by this build"),
+                     errhint("Compile with --with-gssapi to use GSSAPI connections."),
+                     errcontext("line %d of configuration file \"%s\"",
+                                line_num, HbaFileName)));
+            *err_msg = "hostgss record cannot match because GSSAPI is not supported by this build";
+#endif
         }
+        else if (token->string[4] == 'n' && token->string[6] == 's')
+            parsedline->conntype = ctHostNoSSL;
+        else if (token->string[4] == 'n' && token->string[6] == 'g')
+            parsedline->conntype = ctHostNoGSS;
         else
         {
             /* "host" */
@@ -1404,6 +1419,19 @@ parse_hba_line(TokenizedLine *tok_line, int elevel)
         *err_msg = "gssapi authentication is not supported on local sockets";
         return NULL;
     }
+    if (parsedline->conntype == ctHostGSS &&
+        parsedline->auth_method != uaGSS &&
+        parsedline->auth_method != uaReject &&
+        parsedline->auth_method != uaTrust)
+    {
+        ereport(elevel,
+                (errcode(ERRCODE_CONFIG_FILE_ERROR),
+                 errmsg("GSSAPI encryption only supports gss, trust, or reject authentication"),
+                 errcontext("line %d of configuration file \"%s\"",
+                            line_num, HbaFileName)));
+        *err_msg = "GSSAPI encryption only supports gss, trust, or reject authenticaion";
+        return NULL;
+    }
 
     if (parsedline->conntype != ctLocal &&
         parsedline->auth_method == uaPeer)
@@ -2060,6 +2088,17 @@ check_hba(hbaPort *port)
                     continue;
             }
 
+            /* Check GSSAPI state */
+#ifdef ENABLE_GSS
+            if (port->gss->enc && hba->conntype == ctHostNoGSS)
+                continue;
+            else if (!port->gss->enc && hba->conntype == ctHostGSS)
+                continue;
+#else
+            if (hba->conntype == ctHostGSS)
+                continue;
+#endif
+
             /* Check IP address */
             switch (hba->ip_cmp_method)
             {
@@ -2393,6 +2432,12 @@ fill_hba_line(Tuplestorestate *tuple_store, TupleDesc tupdesc,
             case ctHostNoSSL:
                 typestr = "hostnossl";
                 break;
+            case ctHostGSS:
+                typestr = "hostgss";
+                break;
+            case ctHostNoGSS:
+                typestr = "hostnogss";
+                break;
         }
         if (typestr)
             values[index++] = CStringGetTextDatum(typestr);
diff --git a/src/backend/postmaster/pgstat.c b/src/backend/postmaster/pgstat.c
index 084573e77c..72ce147308 100644
--- a/src/backend/postmaster/pgstat.c
+++ b/src/backend/postmaster/pgstat.c
@@ -3562,6 +3562,9 @@ pgstat_get_wait_client(WaitEventClient w)
         case WAIT_EVENT_WAL_SENDER_WRITE_DATA:
             event_name = "WalSenderWriteData";
             break;
+        case WAIT_EVENT_GSS_OPEN_SERVER:
+            event_name = "GSSOpenServer";
+            break;
             /* no default case, so that compiler will warn */
     }
 
diff --git a/src/backend/postmaster/postmaster.c b/src/backend/postmaster/postmaster.c
index a4b53b33cd..87dbb33a88 100644
--- a/src/backend/postmaster/postmaster.c
+++ b/src/backend/postmaster/postmaster.c
@@ -1894,7 +1894,7 @@ initMasks(fd_set *rmask)
  * if we detect a communications failure.)
  */
 static int
-ProcessStartupPacket(Port *port, bool SSLdone)
+ProcessStartupPacket(Port *port, bool secure_done)
 {
     int32        len;
     void       *buf;
@@ -1905,11 +1905,11 @@ ProcessStartupPacket(Port *port, bool SSLdone)
     if (pq_getbytes((char *) &len, 4) == EOF)
     {
         /*
-         * EOF after SSLdone probably means the client didn't like our
+         * EOF after secure_done probably means the client didn't like our
          * response to NEGOTIATE_SSL_CODE.  That's not an error condition, so
          * don't clutter the log with a complaint.
          */
-        if (!SSLdone)
+        if (!secure_done)
             ereport(COMMERROR,
                     (errcode(ERRCODE_PROTOCOL_VIOLATION),
                      errmsg("incomplete startup packet")));
@@ -1961,7 +1961,7 @@ ProcessStartupPacket(Port *port, bool SSLdone)
         return STATUS_ERROR;
     }
 
-    if (proto == NEGOTIATE_SSL_CODE && !SSLdone)
+    if (proto == NEGOTIATE_SSL_CODE && !secure_done)
     {
         char        SSLok;
 
@@ -1994,6 +1994,32 @@ retry1:
         /* but not another SSL negotiation request */
         return ProcessStartupPacket(port, true);
     }
+    else if (proto == NEGOTIATE_GSS_CODE && !secure_done)
+    {
+        char GSSok = 'N';
+#ifdef ENABLE_GSS
+        /* No GSSAPI encryption when on Unix socket */
+        if (!IS_AF_UNIX(port->laddr.addr.ss_family))
+            GSSok = 'G';
+#endif
+
+        while (send(port->sock, &GSSok, 1, 0) != 1)
+        {
+            if (errno == EINTR)
+                continue;
+            ereport(COMMERROR,
+                    (errcode_for_socket_access(),
+                     errmsg("failed to send GSSAPI negotiation response: %m)")));
+                    return STATUS_ERROR; /* close the connection */
+        }
+
+#ifdef ENABLE_GSS
+        if (GSSok == 'G' && secure_open_gssapi(port) == -1)
+            return STATUS_ERROR;
+#endif
+        /* Won't ever see more than one negotiation request */
+        return ProcessStartupPacket(port, true);
+    }
 
     /* Could add additional special packet types here */
 
@@ -2413,6 +2439,17 @@ ConnCreate(int serverFd)
         ExitPostmaster(1);
     }
 #endif
+#ifdef ENABLE_GSS
+    {
+        MemoryContext save = CurrentMemoryContext;
+        CurrentMemoryContext = TopMemoryContext;
+
+        initStringInfo(&port->gss->buf);
+        initStringInfo(&port->gss->writebuf);
+
+        CurrentMemoryContext = save;
+    }
+#endif
 #endif
 
     return port;
@@ -2429,7 +2466,15 @@ ConnFree(Port *conn)
     secure_close(conn);
 #endif
     if (conn->gss)
+    {
+#ifdef ENABLE_GSS
+        if (conn->gss->buf.data)
+            pfree(conn->gss->buf.data);
+        if (conn->gss->writebuf.data)
+            pfree(conn->gss->writebuf.data);
+#endif
         free(conn->gss);
+    }
     free(conn);
 }
 
@@ -4761,6 +4806,17 @@ SubPostmasterMain(int argc, char *argv[])
                 (errcode(ERRCODE_OUT_OF_MEMORY),
                  errmsg("out of memory")));
 #endif
+#ifdef ENABLE_GSS
+    {
+        MemoryContext save = CurrentMemoryContext;
+        CurrentMemoryContext = TopMemoryContext;
+
+        initStringInfo(&port->gss->buf);
+        initStringInfo(&port->gss->writebuf);
+
+        CurrentMemoryContext = save;
+    }
+#endif
 
     /*
      * If appropriate, physically re-attach to shared memory segment. We want
diff --git a/src/include/libpq/hba.h b/src/include/libpq/hba.h
index 5f68f4c666..830ddaa25a 100644
--- a/src/include/libpq/hba.h
+++ b/src/include/libpq/hba.h
@@ -55,7 +55,9 @@ typedef enum ConnType
     ctLocal,
     ctHost,
     ctHostSSL,
-    ctHostNoSSL
+    ctHostNoSSL,
+    ctHostGSS,
+    ctHostNoGSS,
 } ConnType;
 
 typedef struct HbaLine
diff --git a/src/include/libpq/libpq-be.h b/src/include/libpq/libpq-be.h
index 7698cd1f88..3e46ac437a 100644
--- a/src/include/libpq/libpq-be.h
+++ b/src/include/libpq/libpq-be.h
@@ -66,7 +66,7 @@ typedef struct
 #include "datatype/timestamp.h"
 #include "libpq/hba.h"
 #include "libpq/pqcomm.h"
-
+#include "lib/stringinfo.h"
 
 typedef enum CAC_state
 {
@@ -86,6 +86,9 @@ typedef struct
     gss_cred_id_t cred;            /* GSSAPI connection cred's */
     gss_ctx_id_t ctx;            /* GSSAPI connection context */
     gss_name_t    name;            /* GSSAPI client name */
+    bool enc;                    /* GSSAPI encryption in use */
+    StringInfoData buf;            /* GSSAPI encryption data buffering */
+    StringInfoData writebuf;    /* GSSAPI nonblocking write buffering */
 #endif
 } pg_gssinfo;
 #endif
@@ -278,6 +281,12 @@ extern char *be_tls_get_peer_finished(Port *port, size_t *len);
 extern char *be_tls_get_certificate_hash(Port *port, size_t *len);
 #endif
 
+#ifdef ENABLE_GSS
+/* Read and write to a GSSAPI-encrypted connection. */
+extern ssize_t be_gssapi_read(Port *port, void *ptr, size_t len);
+extern ssize_t be_gssapi_write(Port *port, void *ptr, size_t len);
+#endif
+
 extern ProtocolVersion FrontendProtocol;
 
 /* TCP keepalives configuration. These are no-ops on an AF_UNIX socket. */
diff --git a/src/include/libpq/libpq.h b/src/include/libpq/libpq.h
index 7bf06c65e9..e34f552ef7 100644
--- a/src/include/libpq/libpq.h
+++ b/src/include/libpq/libpq.h
@@ -92,6 +92,9 @@ extern ssize_t secure_read(Port *port, void *ptr, size_t len);
 extern ssize_t secure_write(Port *port, void *ptr, size_t len);
 extern ssize_t secure_raw_read(Port *port, void *ptr, size_t len);
 extern ssize_t secure_raw_write(Port *port, const void *ptr, size_t len);
+#ifdef ENABLE_GSS
+extern ssize_t secure_open_gssapi(Port *port);
+#endif
 
 extern bool ssl_loaded_verify_locations;
 
diff --git a/src/include/libpq/pqcomm.h b/src/include/libpq/pqcomm.h
index cc0e0b32c7..ade1190096 100644
--- a/src/include/libpq/pqcomm.h
+++ b/src/include/libpq/pqcomm.h
@@ -199,9 +199,10 @@ typedef struct CancelRequestPacket
 
 
 /*
- * A client can also start by sending a SSL negotiation request, to get a
- * secure channel.
+ * A client can also start by sending a SSL or GSSAPI negotiation request to
+ * get a secure channel.
  */
 #define NEGOTIATE_SSL_CODE PG_PROTOCOL(1234,5679)
+#define NEGOTIATE_GSS_CODE PG_PROTOCOL(1234,5680)
 
 #endif                            /* PQCOMM_H */
diff --git a/src/include/pgstat.h b/src/include/pgstat.h
index be2f59239b..4f06f7a2bc 100644
--- a/src/include/pgstat.h
+++ b/src/include/pgstat.h
@@ -787,7 +787,8 @@ typedef enum
     WAIT_EVENT_SSL_OPEN_SERVER,
     WAIT_EVENT_WAL_RECEIVER_WAIT_START,
     WAIT_EVENT_WAL_SENDER_WAIT_WAL,
-    WAIT_EVENT_WAL_SENDER_WRITE_DATA
+    WAIT_EVENT_WAL_SENDER_WRITE_DATA,
+    WAIT_EVENT_GSS_OPEN_SERVER,
 } WaitEventClient;
 
 /* ----------
diff --git a/src/interfaces/libpq/Makefile b/src/interfaces/libpq/Makefile
index abe0a50e98..c814e5e35a 100644
--- a/src/interfaces/libpq/Makefile
+++ b/src/interfaces/libpq/Makefile
@@ -57,6 +57,10 @@ else
 OBJS += sha2.o
 endif
 
+ifeq ($(with_gssapi),yes)
+OBJS += fe-gssapi-common.o fe-secure-gssapi.o
+endif
+
 ifeq ($(PORTNAME), cygwin)
 override shlib = cyg$(NAME)$(DLSUFFIX)
 endif
diff --git a/src/interfaces/libpq/fe-auth.c b/src/interfaces/libpq/fe-auth.c
index 3b2073a47f..af2ef78d76 100644
--- a/src/interfaces/libpq/fe-auth.c
+++ b/src/interfaces/libpq/fe-auth.c
@@ -49,52 +49,7 @@
  * GSSAPI authentication system.
  */
 
-#if defined(WIN32) && !defined(_MSC_VER)
-/*
- * MIT Kerberos GSSAPI DLL doesn't properly export the symbols for MingW
- * that contain the OIDs required. Redefine here, values copied
- * from src/athena/auth/krb5/src/lib/gssapi/generic/gssapi_generic.c
- */
-static const gss_OID_desc GSS_C_NT_HOSTBASED_SERVICE_desc =
-{10, (void *) "\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x04"};
-static GSS_DLLIMP gss_OID GSS_C_NT_HOSTBASED_SERVICE = &GSS_C_NT_HOSTBASED_SERVICE_desc;
-#endif
-
-/*
- * Fetch all errors of a specific type and append to "str".
- */
-static void
-pg_GSS_error_int(PQExpBuffer str, const char *mprefix,
-                 OM_uint32 stat, int type)
-{
-    OM_uint32    lmin_s;
-    gss_buffer_desc lmsg;
-    OM_uint32    msg_ctx = 0;
-
-    do
-    {
-        gss_display_status(&lmin_s, stat, type,
-                           GSS_C_NO_OID, &msg_ctx, &lmsg);
-        appendPQExpBuffer(str, "%s: %s\n", mprefix, (char *) lmsg.value);
-        gss_release_buffer(&lmin_s, &lmsg);
-    } while (msg_ctx);
-}
-
-/*
- * GSSAPI errors contain two parts; put both into conn->errorMessage.
- */
-static void
-pg_GSS_error(const char *mprefix, PGconn *conn,
-             OM_uint32 maj_stat, OM_uint32 min_stat)
-{
-    resetPQExpBuffer(&conn->errorMessage);
-
-    /* Fetch major error codes */
-    pg_GSS_error_int(&conn->errorMessage, mprefix, maj_stat, GSS_C_GSS_CODE);
-
-    /* Add the minor codes as well */
-    pg_GSS_error_int(&conn->errorMessage, mprefix, min_stat, GSS_C_MECH_CODE);
-}
+#include "fe-gssapi-common.h"
 
 /*
  * Continue GSS authentication with next token as needed.
@@ -195,18 +150,7 @@ pg_GSS_continue(PGconn *conn, int payloadlen)
 static int
 pg_GSS_startup(PGconn *conn, int payloadlen)
 {
-    OM_uint32    maj_stat,
-                min_stat;
-    int            maxlen;
-    gss_buffer_desc temp_gbuf;
-    char       *host = PQhost(conn);
-
-    if (!(host && host[0] != '\0'))
-    {
-        printfPQExpBuffer(&conn->errorMessage,
-                          libpq_gettext("host name must be specified\n"));
-        return STATUS_ERROR;
-    }
+    int ret;
 
     if (conn->gctx)
     {
@@ -215,33 +159,9 @@ pg_GSS_startup(PGconn *conn, int payloadlen)
         return STATUS_ERROR;
     }
 
-    /*
-     * Import service principal name so the proper ticket can be acquired by
-     * the GSSAPI system.
-     */
-    maxlen = NI_MAXHOST + strlen(conn->krbsrvname) + 2;
-    temp_gbuf.value = (char *) malloc(maxlen);
-    if (!temp_gbuf.value)
-    {
-        printfPQExpBuffer(&conn->errorMessage,
-                          libpq_gettext("out of memory\n"));
-        return STATUS_ERROR;
-    }
-    snprintf(temp_gbuf.value, maxlen, "%s@%s",
-             conn->krbsrvname, host);
-    temp_gbuf.length = strlen(temp_gbuf.value);
-
-    maj_stat = gss_import_name(&min_stat, &temp_gbuf,
-                               GSS_C_NT_HOSTBASED_SERVICE, &conn->gtarg_nam);
-    free(temp_gbuf.value);
-
-    if (maj_stat != GSS_S_COMPLETE)
-    {
-        pg_GSS_error(libpq_gettext("GSSAPI name import error"),
-                     conn,
-                     maj_stat, min_stat);
-        return STATUS_ERROR;
-    }
+    ret = pg_GSS_load_servicename(conn);
+    if (ret != STATUS_OK)
+        return ret;
 
     /*
      * Initial packet is the same as a continuation packet with no initial
diff --git a/src/interfaces/libpq/fe-connect.c b/src/interfaces/libpq/fe-connect.c
index a7e969d7c1..23270f7f6b 100644
--- a/src/interfaces/libpq/fe-connect.c
+++ b/src/interfaces/libpq/fe-connect.c
@@ -129,6 +129,12 @@ static int ldapServiceLookup(const char *purl, PQconninfoOption *options,
 #else
 #define DefaultSSLMode    "disable"
 #endif
+#ifdef ENABLE_GSS
+#include "fe-gssapi-common.h"
+#define DefaultGSSMode "prefer"
+#else
+#define DefaultGSSMode "disable"
+#endif
 
 /* ----------
  * Definition of the conninfo parameters and their fallback resources.
@@ -303,6 +309,14 @@ static const internalPQconninfoOption PQconninfoOptions[] = {
         "Require-Peer", "", 10,
     offsetof(struct pg_conn, requirepeer)},
 
+    /*
+     * Expose gssmode similarly to sslmode - we can stil handle "disable" and
+     * "prefer".
+     */
+    {"gssmode", "PGGSSMODE", DefaultGSSMode, NULL,
+         "GSS-Mode", "", 7,     /* sizeof("disable") == 7 */
+     offsetof(struct pg_conn, gssmode)},
+
 #if defined(ENABLE_GSS) || defined(ENABLE_SSPI)
     /* Kerberos and GSSAPI authentication support specifying the service name */
     {"krbsrvname", "PGKRBSRVNAME", PG_KRB_SRVNAM, NULL,
@@ -1166,6 +1180,39 @@ connectOptions2(PGconn *conn)
             goto oom_error;
     }
 
+    /*
+     * validate gssmode option
+     */
+    if (conn->gssmode)
+    {
+        if (strcmp(conn->gssmode, "disable") != 0 &&
+            strcmp(conn->gssmode, "prefer") != 0 &&
+            strcmp(conn->gssmode, "require") != 0)
+        {
+            conn->status = CONNECTION_BAD;
+            printfPQExpBuffer(&conn->errorMessage,
+                              libpq_gettext("invalid gssmode value: \"%s\"\n"),
+                              conn->gssmode);
+            return false;
+        }
+#ifndef ENABLE_GSS
+        if (strcmp(conn->gssmode, "require") != 0)
+        {
+            conn->status = CONNECTION_BAD;
+            printfPQExpBuffer(
+                &conn->errorMessage,
+                libpq_gettext("no GSSAPI support; cannot require GSSAPI\n"));
+            return false;
+        }
+#endif
+    }
+    else
+    {
+        conn->gssmode = strdup(DefaultGSSMode);
+        if (!conn->gssmode)
+            goto oom_error;
+    }
+
     /*
      * Resolve special "auto" client_encoding from the locale
      */
@@ -1804,6 +1851,11 @@ connectDBStart(PGconn *conn)
         conn->wait_ssl_try = true;
 #endif
 
+#ifdef ENABLE_GSS
+    if (conn->gssmode[0] == 'd')    /* "disable" */
+        conn->try_gss = false;
+#endif
+
     /*
      * Set up to try to connect, with protocol 3.0 as the first attempt.
      */
@@ -2051,6 +2103,7 @@ PQconnectPoll(PGconn *conn)
         case CONNECTION_NEEDED:
         case CONNECTION_CHECK_WRITABLE:
         case CONNECTION_CONSUME:
+        case CONNECTION_GSS_STARTUP:
             break;
 
         default:
@@ -2426,17 +2479,54 @@ keep_going:                        /* We will come back to here until there is
                 }
 #endif                            /* HAVE_UNIX_SOCKETS */
 
+                if (IS_AF_UNIX(conn->raddr.addr.ss_family))
+                {
+                    /* Don't request SSL or GSSAPI over Unix sockets */
 #ifdef USE_SSL
+                    conn->allow_ssl_try = false;
+#endif
+#ifdef ENABLE_GSS
+                    conn->try_gss = false;
+#endif
+                }
 
+#ifdef ENABLE_GSS
+                /*
+                 * If GSSAPI is enabled and we have a ccache, try to set it up
+                 * before sending startup messages.  If it's already
+                 * operating, don't try SSL and instead just build the startup
+                 * packet.
+                 */
+                if (conn->try_gss && !conn->gctx)
+                    conn->try_gss = pg_GSS_have_ccache(&conn->gcred);
+                if (conn->try_gss && !conn->gctx)
+                {
+                    ProtocolVersion pv = pg_hton32(NEGOTIATE_GSS_CODE);
+                    if (pqPacketSend(conn, 0, &pv, sizeof(pv)) != STATUS_OK)
+                    {
+                        appendPQExpBuffer(&conn->errorMessage,
+                                          libpq_gettext("could not send GSSAPI negotiation packet: %s\n"),
+                                          SOCK_STRERROR(SOCK_ERRNO, sebuf, sizeof(sebuf)));
+                        goto error_return;
+                    }
+
+                    /* Ok, wait for response */
+                    conn->status = CONNECTION_GSS_STARTUP;
+                    return PGRES_POLLING_READING;
+                }
+                else if (!conn->gctx && conn->gssmode[0] == 'r')
+                {
+                    appendPQExpBuffer(&conn->errorMessage,
+                                      libpq_gettext("GSSAPI encryption required, but was impossible (possibly no
ccache,no server support, or using a local socket)\n"));
 
+                    goto error_return;
+                }
+#endif
+
+#ifdef USE_SSL
                 /*
                  * If SSL is enabled and we haven't already got it running,
                  * request it instead of sending the startup message.
                  */
-                if (IS_AF_UNIX(conn->raddr.addr.ss_family))
-                {
-                    /* Don't bother requesting SSL over a Unix socket */
-                    conn->allow_ssl_try = false;
-                }
                 if (conn->allow_ssl_try && !conn->wait_ssl_try &&
                     !conn->ssl_in_use)
                 {
@@ -2629,6 +2719,97 @@ keep_going:                        /* We will come back to here until there is
 #endif                            /* USE_SSL */
             }
 
+        case CONNECTION_GSS_STARTUP:
+            {
+#ifdef ENABLE_GSS
+                PostgresPollingStatusType pollres;
+
+                /*
+                 * If we haven't yet, get the postmaster's response to our
+                 * negotiation packet
+                 */
+                if (conn->try_gss && !conn->gctx)
+                {
+                    char gss_ok;
+                    int rdresult = pqReadData(conn);
+                    if (rdresult < 0)
+                        /* pqReadData fills in error message */
+                        goto error_return;
+                    else if (rdresult == 0)
+                        /* caller failed to wait for data */
+                        return PGRES_POLLING_READING;
+                    if (pqGetc(&gss_ok, conn) < 0)
+                        /* shouldn't happen... */
+                        return PGRES_POLLING_READING;
+
+                    if (gss_ok == 'E')
+                    {
+                        /*
+                         * Server failure of some sort.  Assume it's a
+                         * protocol version support failure, and let's see if
+                         * we can't recover (if it's not, we'll get a better
+                         * error message on retry).  Server gets fussy if we
+                         * don't hang up the socket, though.
+                         */
+                        conn->try_gss = false;
+                        pqDropConnection(conn, true);
+                        conn->status = CONNECTION_NEEDED;
+                        goto keep_going;
+                    }
+
+                    /* mark byte consumed */
+                    conn->inStart = conn->inCursor;
+
+                    if (gss_ok == 'N')
+                    {
+                        /* Server doesn't want GSSAPI; fall back if we can */
+                        if (conn->gssmode[0] == 'r')
+                        {
+                            appendPQExpBufferStr(&conn->errorMessage,
+                                                 libpq_gettext("server doesn't support GSSAPI encryption, but it was
required\n"));
+                            goto error_return;
+                        }
+
+                        conn->try_gss = false;
+                        conn->status = CONNECTION_MADE;
+                        return PGRES_POLLING_WRITING;
+                    }
+                    else if (gss_ok != 'G')
+                    {
+                        appendPQExpBuffer(&conn->errorMessage,
+                                          libpq_gettext("received invalid response to GSSAPI negotiation: %c\n"),
+                                          gss_ok);
+                        goto error_return;
+                    }
+                }
+
+                /* Begin or continue GSSAPI negotiation */
+                pollres = pqsecure_open_gss(conn);
+                if (pollres == PGRES_POLLING_OK)
+                {
+                    /* All set for startup packet */
+                    conn->status = CONNECTION_MADE;
+                    return PGRES_POLLING_WRITING;
+                }
+                else if (pollres == PGRES_POLLING_FAILED &&
+                         conn->gssmode[0] == 'p')
+                {
+                    /*
+                     * We failed, but we can retry on "prefer".  Have to drop
+                     * the current connection to do so, though.
+                     */
+                    conn->try_gss = false;
+                    pqDropConnection(conn, true);
+                    conn->status = CONNECTION_NEEDED;
+                    goto keep_going;
+                }
+                return pollres;
+#else /* !ENABLE_GSS */
+                /* unreachable */
+                goto error_return;
+#endif /* ENABLE_GSS */
+            }
+
             /*
              * Handle authentication exchange: wait for postmaster messages
              * and respond as necessary.
@@ -2781,6 +2962,24 @@ keep_going:                        /* We will come back to here until there is
                     /* OK, we read the message; mark data consumed */
                     conn->inStart = conn->inCursor;
 
+#ifdef ENABLE_GSS
+                    /*
+                     * If gssmode is "prefer" and we're using GSSAPI, retry
+                     * without it.
+                     */
+                    if (conn->gssenc && conn->gssmode[0] == 'p')
+                    {
+                        OM_uint32 minor;
+                        /* postmaster expects us to drop the connection */
+                        conn->try_gss = false;
+                        conn->gssenc = false;
+                        gss_delete_sec_context(&minor, &conn->gctx, NULL);
+                        pqDropConnection(conn, true);
+                        conn->status = CONNECTION_NEEDED;
+                        goto keep_going;
+                    }
+#endif
+
 #ifdef USE_SSL
 
                     /*
@@ -3361,6 +3560,11 @@ makeEmptyPGconn(void)
     conn->wait_ssl_try = false;
     conn->ssl_in_use = false;
 #endif
+#ifdef ENABLE_GSS
+    conn->try_gss = true;
+    initPQExpBuffer(&conn->gbuf);
+    initPQExpBuffer(&conn->gwritebuf);
+#endif
 
     /*
      * We try to send at least 8K at a time, which is the usual size of pipe
@@ -3492,10 +3696,28 @@ freePGconn(PGconn *conn)
         free(conn->sslcompression);
     if (conn->requirepeer)
         free(conn->requirepeer);
+    if (conn->gssmode)
+        free(conn->gssmode);
 #if defined(ENABLE_GSS) || defined(ENABLE_SSPI)
     if (conn->krbsrvname)
         free(conn->krbsrvname);
 #endif
+#ifdef ENABLE_GSS
+    if (conn->gcred != GSS_C_NO_CREDENTIAL)
+    {
+        OM_uint32 minor;
+        gss_release_cred(&minor, &conn->gcred);
+        conn->gcred = GSS_C_NO_CREDENTIAL;
+    }
+    if (conn->gctx)
+    {
+        OM_uint32 minor;
+        gss_delete_sec_context(&minor, &conn->gctx, GSS_C_NO_BUFFER);
+        conn->gctx = NULL;
+    }
+    termPQExpBuffer(&conn->gbuf);
+    termPQExpBuffer(&conn->gwritebuf);
+#endif
 #if defined(ENABLE_GSS) && defined(ENABLE_SSPI)
     if (conn->gsslib)
         free(conn->gsslib);
diff --git a/src/interfaces/libpq/fe-gssapi-common.c b/src/interfaces/libpq/fe-gssapi-common.c
new file mode 100644
index 0000000000..35e195b7a6
--- /dev/null
+++ b/src/interfaces/libpq/fe-gssapi-common.c
@@ -0,0 +1,128 @@
+/*-------------------------------------------------------------------------
+ *
+ * fe-gssapi-common.c
+ *     The front-end (client) GSSAPI common code
+ *
+ * Portions Copyright (c) 1996-2018, PostgreSQL Global Development Group
+ * Portions Copyright (c) 1994, Regents of the University of California
+ *
+ * IDENTIFICATION
+ *      src/interfaces/libpq/fe-gssapi-common.c
+ *-------------------------------------------------------------------------
+ */
+
+#include "postgres_fe.h"
+
+#include "fe-gssapi-common.h"
+
+#include "libpq-int.h"
+#include "pqexpbuffer.h"
+
+/*
+ * Fetch all errors of a specific type and append to "str".
+ */
+static void
+pg_GSS_error_int(PQExpBuffer str, const char *mprefix,
+                 OM_uint32 stat, int type)
+{
+    OM_uint32    lmin_s;
+    gss_buffer_desc lmsg;
+    OM_uint32    msg_ctx = 0;
+
+    do
+    {
+        gss_display_status(&lmin_s, stat, type,
+                           GSS_C_NO_OID, &msg_ctx, &lmsg);
+        appendPQExpBuffer(str, "%s: %s\n", mprefix, (char *) lmsg.value);
+        gss_release_buffer(&lmin_s, &lmsg);
+    } while (msg_ctx);
+}
+
+/*
+ * GSSAPI errors contain two parts; put both into conn->errorMessage.
+ */
+void
+pg_GSS_error(const char *mprefix, PGconn *conn,
+             OM_uint32 maj_stat, OM_uint32 min_stat)
+{
+    resetPQExpBuffer(&conn->errorMessage);
+
+    /* Fetch major error codes */
+    pg_GSS_error_int(&conn->errorMessage, mprefix, maj_stat, GSS_C_GSS_CODE);
+
+    /* Add the minor codes as well */
+    pg_GSS_error_int(&conn->errorMessage, mprefix, min_stat, GSS_C_MECH_CODE);
+}
+
+/*
+ * Check if we can acquire credentials at all.
+ */
+bool
+pg_GSS_have_ccache(gss_cred_id_t *cred_out)
+{
+    OM_uint32 major, minor;
+    gss_cred_id_t cred = GSS_C_NO_CREDENTIAL;
+
+    major = gss_acquire_cred(&minor, GSS_C_NO_NAME, 0, GSS_C_NO_OID_SET,
+                             GSS_C_INITIATE, &cred, NULL, NULL);
+    if (GSS_ERROR(major))
+    {
+        *cred_out = NULL;
+        return false;
+    }
+    *cred_out = cred;
+    return true;
+}
+
+/*
+ * Try to load service name for a connection
+ */
+int
+pg_GSS_load_servicename(PGconn *conn)
+{
+    OM_uint32 maj_stat, min_stat;
+    int maxlen;
+    gss_buffer_desc temp_gbuf;
+    char *host;
+
+    if (conn->gtarg_nam != NULL)
+        /* Already taken care of - move along */
+        return STATUS_OK;
+
+    host = PQhost(conn);
+    if (!(host && host[0] != '\0'))
+    {
+        printfPQExpBuffer(&conn->errorMessage,
+                          libpq_gettext("host name must be specified\n"));
+        return STATUS_ERROR;
+    }
+
+    /*
+     * Import service principal name so the proper ticket can be acquired by
+     * the GSSAPI system.
+     */
+    maxlen = NI_MAXHOST + strlen(conn->krbsrvname) + 2;
+    temp_gbuf.value = (char *) malloc(maxlen);
+    if (!temp_gbuf.value)
+    {
+        printfPQExpBuffer(&conn->errorMessage,
+                          libpq_gettext("out of memory\n"));
+        return STATUS_ERROR;
+    }
+    snprintf(temp_gbuf.value, maxlen, "%s@%s",
+             conn->krbsrvname, host);
+    temp_gbuf.length = strlen(temp_gbuf.value);
+
+    maj_stat = gss_import_name(&min_stat, &temp_gbuf,
+                               GSS_C_NT_HOSTBASED_SERVICE, &conn->gtarg_nam);
+    free(temp_gbuf.value);
+
+    if (maj_stat != GSS_S_COMPLETE)
+    {
+        pg_GSS_error(libpq_gettext("GSSAPI name import error"),
+                     conn,
+                     maj_stat, min_stat);
+        return STATUS_ERROR;
+    }
+    return STATUS_OK;
+}
diff --git a/src/interfaces/libpq/fe-gssapi-common.h b/src/interfaces/libpq/fe-gssapi-common.h
new file mode 100644
index 0000000000..58811df9f1
--- /dev/null
+++ b/src/interfaces/libpq/fe-gssapi-common.h
@@ -0,0 +1,23 @@
+/*-------------------------------------------------------------------------
+ *
+ * fe-gssapi-common.h
+ *
+ *      Definitions for GSSAPI common routines
+ *
+ * Portions Copyright (c) 1996-2018, PostgreSQL Global Development Group
+ * Portions Copyright (c) 1994, Regents of the University of California
+ *
+ * src/interfaces/libpq/fe-gssapi-common.h
+ */
+
+#ifndef FE_GSSAPI_COMMON_H
+#define FE_GSSAPI_COMMON_H
+
+#include "libpq-fe.h"
+#include "libpq-int.h"
+
+void pg_GSS_error(const char *mprefix, PGconn *conn,
+                  OM_uint32 maj_stat, OM_uint32 min_stat);
+bool pg_GSS_have_ccache(gss_cred_id_t *cred_out);
+int pg_GSS_load_servicename(PGconn *conn);
+#endif /* FE_GSSAPI_COMMON_H */
diff --git a/src/interfaces/libpq/fe-secure-gssapi.c b/src/interfaces/libpq/fe-secure-gssapi.c
new file mode 100644
index 0000000000..a71df69ff2
--- /dev/null
+++ b/src/interfaces/libpq/fe-secure-gssapi.c
@@ -0,0 +1,343 @@
+/*-------------------------------------------------------------------------
+ *
+ * fe-secure-gssapi.c
+ *   The front-end (client) encryption support for GSSAPI
+ *
+ * Portions Copyright (c) 2016-2018, PostgreSQL Global Development Group
+ *
+ * IDENTIFICATION
+ *  src/interfaces/libpq/fe-secure-gssapi.c
+ *
+ *-------------------------------------------------------------------------
+ */
+
+#include "postgres_fe.h"
+
+#include "libpq-fe.h"
+#include "libpq-int.h"
+#include "fe-gssapi-common.h"
+
+/*
+ * Require encryption support, as well as mutual authentication and
+ * tamperproofing measures.
+ */
+#define GSS_REQUIRED_FLAGS GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | \
+    GSS_C_SEQUENCE_FLAG | GSS_C_CONF_FLAG | GSS_C_INTEG_FLAG
+
+static ssize_t
+send_buffered_data(PGconn *conn, size_t len)
+{
+    ssize_t ret = pqsecure_raw_write(conn,
+                                     conn->gwritebuf.data + conn->gwritecurs,
+                                     conn->gwritebuf.len - conn->gwritecurs);
+    if (ret < 0)
+        return ret;
+
+    conn->gwritecurs += ret;
+
+    if (conn->gwritecurs == conn->gwritebuf.len)
+    {
+        /* entire request has now been written */
+        resetPQExpBuffer(&conn->gwritebuf);
+        conn->gwritecurs = 0;
+        return len;
+    }
+
+    /* need to be called again */
+    errno = EWOULDBLOCK;
+    return -1;
+}
+
+ssize_t
+pg_GSS_write(PGconn *conn, void *ptr, size_t len)
+{
+    OM_uint32 major, minor;
+    gss_buffer_desc input, output = GSS_C_EMPTY_BUFFER;
+    ssize_t ret = -1;
+    int conf = 0;
+    uint32 netlen;
+
+    if (conn->gwritebuf.len != 0)
+        return send_buffered_data(conn, len);
+
+    /* encrypt the message */
+    input.value = ptr;
+    input.length = len;
+
+    major = gss_wrap(&minor, conn->gctx, 1, GSS_C_QOP_DEFAULT,
+                     &input, &conf, &output);
+    if (GSS_ERROR(major))
+    {
+        pg_GSS_error(libpq_gettext("GSSAPI wrap error"), conn, major, minor);
+        goto cleanup;
+    }
+    else if (conf == 0)
+    {
+        printfPQExpBuffer(&conn->errorMessage, libpq_gettext(
+                              "GSSAPI did not provide confidentiality\n"));
+        goto cleanup;
+    }
+
+    /* 4 network-order bytes of length, then payload */
+    netlen = htonl(output.length);
+    appendBinaryPQExpBuffer(&conn->gwritebuf, (char *)&netlen, 4);
+    appendBinaryPQExpBuffer(&conn->gwritebuf, output.value, output.length);
+
+    ret = send_buffered_data(conn, len);
+cleanup:
+    if (output.value != NULL)
+        gss_release_buffer(&minor, &output);
+    return ret;
+}
+
+static ssize_t
+read_from_buffer(PGconn *conn, void *ptr, size_t len)
+{
+    ssize_t ret = 0;
+
+    /* check for available data */
+    if (conn->gcursor < conn->gbuf.len)
+    {
+        /* clamp length */
+        if (len > conn->gbuf.len - conn->gcursor)
+            len = conn->gbuf.len - conn->gcursor;
+
+        memcpy(ptr, conn->gbuf.data + conn->gcursor, len);
+        conn->gcursor += len;
+        ret = len;
+    }
+
+    /* reset buffer if all data has been read */
+    if (conn->gcursor == conn->gbuf.len)
+    {
+        conn->gcursor = 0;
+        resetPQExpBuffer(&conn->gbuf);
+    }
+
+    return ret;
+}
+
+static ssize_t
+load_packet_length(PGconn *conn)
+{
+    ssize_t ret;
+    if (conn->gbuf.len < 4)
+    {
+        ret = enlargePQExpBuffer(&conn->gbuf, 4 - conn->gbuf.len);
+        if (ret != 1)
+        {
+            printfPQExpBuffer(&conn->errorMessage, libpq_gettext(
+                                  "Failed to fit packet length in buffer\n"));
+            return -1;
+        }
+
+        ret = pqsecure_raw_read(conn, conn->gbuf.data + conn->gbuf.len,
+                                4 - conn->gbuf.len);
+        if (ret < 0)
+            return ret;
+
+        /* update buffer state */
+        conn->gbuf.len += ret;
+        conn->gbuf.data[conn->gbuf.len] = '\0';
+        if (conn->gbuf.len < 4)
+        {
+            errno = EWOULDBLOCK;
+            return -1;
+        }
+    }
+    return 0;
+}
+
+static ssize_t
+load_packet(PGconn *conn, size_t len)
+{
+    ssize_t ret;
+
+    ret = enlargePQExpBuffer(&conn->gbuf, len - conn->gbuf.len + 4);
+    if (ret != 1)
+    {
+        printfPQExpBuffer(&conn->errorMessage, libpq_gettext(
+                              "GSSAPI encrypted packet length %ld too big\n"),
+                          len);
+        return -1;
+    }
+
+    /* load any missing parts of the packet */
+    if (conn->gbuf.len - 4 < len)
+    {
+        ret = pqsecure_raw_read(conn, conn->gbuf.data + conn->gbuf.len,
+                                len - conn->gbuf.len + 4);
+        if (ret < 0)
+            return ret;
+
+        /* update buffer state */
+        conn->gbuf.len += ret;
+        conn->gbuf.data[conn->gbuf.len] = '\0';
+        if (conn->gbuf.len - 4 < len)
+        {
+            errno = EWOULDBLOCK;
+            return -1;
+        }
+    }
+    return 0;
+}
+
+ssize_t
+pg_GSS_read(PGconn *conn, void *ptr, size_t len)
+{
+    OM_uint32 major, minor;
+    gss_buffer_desc input = GSS_C_EMPTY_BUFFER, output = GSS_C_EMPTY_BUFFER;
+    ssize_t ret = 0;
+    int conf = 0;
+
+    /* handle any buffered data */
+    if (conn->gcursor != 0)
+        return read_from_buffer(conn, ptr, len);
+
+    /* load in the packet length, if not yet loaded */
+    ret = load_packet_length(conn);
+    if (ret < 0)
+        return ret;
+
+    input.length = ntohl(*(uint32 *)conn->gbuf.data);
+    ret = load_packet(conn, input.length);
+    if (ret < 0)
+        return ret;
+
+    /* decrypt the packet */
+    input.value = conn->gbuf.data + 4;
+
+    major = gss_unwrap(&minor, conn->gctx, &input, &output, &conf, NULL);
+    if (GSS_ERROR(major))
+    {
+        pg_GSS_error(libpq_gettext("GSSAPI unwrap error"), conn,
+                     major, minor);
+        ret = -1;
+        goto cleanup;
+    }
+    else if (conf == 0)
+    {
+        printfPQExpBuffer(&conn->errorMessage, libpq_gettext(
+                              "GSSAPI did not provide confidentiality\n"));
+        ret = -1;
+        goto cleanup;
+    }
+
+    /* load decrypted packet into our buffer */
+    conn->gcursor = 0;
+    resetPQExpBuffer(&conn->gbuf);
+    ret = enlargePQExpBuffer(&conn->gbuf, output.length);
+    if (ret != 1)
+    {
+        printfPQExpBuffer(&conn->errorMessage, libpq_gettext(
+                              "GSSAPI decrypted packet length %ld too big\n"),
+                          output.length);
+        ret = -1;
+        goto cleanup;
+    }
+
+    memcpy(conn->gbuf.data, output.value, output.length);
+    conn->gbuf.len = output.length;
+    conn->gbuf.data[conn->gbuf.len] = '\0';
+
+    ret = read_from_buffer(conn, ptr, len);
+cleanup:
+    if (output.value != NULL)
+        gss_release_buffer(&minor, &output);
+    return ret;
+}
+
+PostgresPollingStatusType
+pqsecure_open_gss(PGconn *conn)
+{
+    ssize_t ret;
+    OM_uint32 major, minor;
+    uint32 netlen;
+    gss_buffer_desc input = GSS_C_EMPTY_BUFFER, output = GSS_C_EMPTY_BUFFER;
+
+    /* Send out any data we might have */
+    if (conn->gwritebuf.len != 0)
+    {
+        ret = send_buffered_data(conn, 1);
+        if (ret < 0 && errno == EWOULDBLOCK)
+            return PGRES_POLLING_WRITING;
+        else if (ret == 1)
+            /* sent all data */
+            return PGRES_POLLING_READING;
+        return PGRES_POLLING_FAILED;
+    }
+
+    /* Client sends first, and sending creates a context */
+    if (conn->gctx)
+    {
+        /* Process any incoming data we might have */
+        ret = load_packet_length(conn);
+        if (ret < 0 && errno == EWOULDBLOCK)
+            return PGRES_POLLING_READING;
+        else if (ret < 0)
+            return PGRES_POLLING_FAILED;
+
+        if (conn->gbuf.data[0] == 'E')
+        {
+            /*
+             * We can taken an error here, and it's my least favorite thing.
+             * How long can error messages be?  That's a good question, but
+             * backend's pg_gss_error() caps them at 256.  Do a single read
+             * for that and call it a day.  Cope with this here rather than in
+             * load_packet since expandPQExpBuffer will destroy any data in
+             * the buffer on failure.
+             */
+            load_packet(conn, 256);
+            printfPQExpBuffer(&conn->errorMessage,
+                              libpq_gettext("Server error: %s"),
+                              conn->gbuf.data + 1);
+            return PGRES_POLLING_FAILED;
+        }
+
+        input.length = ntohl(*(uint32 *)conn->gbuf.data);
+        ret = load_packet(conn, input.length);
+        if (ret < 0 && errno == EWOULDBLOCK)
+            return PGRES_POLLING_READING;
+        else if (ret < 0)
+            return PGRES_POLLING_FAILED;
+
+        input.value = conn->gbuf.data + 4;
+    }
+
+    ret = pg_GSS_load_servicename(conn);
+    if (ret != STATUS_OK)
+        return PGRES_POLLING_FAILED;
+
+    major = gss_init_sec_context(&minor, conn->gcred, &conn->gctx,
+                                 conn->gtarg_nam, GSS_C_NO_OID,
+                                 GSS_REQUIRED_FLAGS, 0, 0, &input, NULL,
+                                 &output, NULL, NULL);
+    resetPQExpBuffer(&conn->gbuf);
+    if (GSS_ERROR(major))
+    {
+        pg_GSS_error(libpq_gettext("GSSAPI context establishment error"),
+                     conn, major, minor);
+        return PGRES_POLLING_FAILED;
+    }
+    else if (output.length == 0)
+    {
+        /*
+         * We're done - hooray!  Kind of gross, but we need to disable SSL
+         * here so that we don't accidentally tunnel one over the other.
+         */
+#ifdef USE_SSL
+        conn->allow_ssl_try = false;
+#endif
+        gss_release_cred(&minor, &conn->gcred);
+        conn->gcred = GSS_C_NO_CREDENTIAL;
+        conn->gssenc = true;
+        return PGRES_POLLING_OK;
+    }
+
+    /* Queue the token for writing */
+    netlen = htonl(output.length);
+    appendBinaryPQExpBuffer(&conn->gwritebuf, (char *)&netlen, 4);
+    appendBinaryPQExpBuffer(&conn->gwritebuf, output.value, output.length);
+    gss_release_buffer(&minor, &output);
+    return PGRES_POLLING_WRITING;
+}
diff --git a/src/interfaces/libpq/fe-secure.c b/src/interfaces/libpq/fe-secure.c
index f7dc249bf0..18155e4b5e 100644
--- a/src/interfaces/libpq/fe-secure.c
+++ b/src/interfaces/libpq/fe-secure.c
@@ -220,6 +220,13 @@ pqsecure_read(PGconn *conn, void *ptr, size_t len)
         n = pgtls_read(conn, ptr, len);
     }
     else
+#endif
+#ifdef ENABLE_GSS
+    if (conn->gssenc)
+    {
+        n = pg_GSS_read(conn, ptr, len);
+    }
+    else
 #endif
     {
         n = pqsecure_raw_read(conn, ptr, len);
@@ -287,7 +294,7 @@ pqsecure_raw_read(PGconn *conn, void *ptr, size_t len)
  * to determine whether to continue/retry after error.
  */
 ssize_t
-pqsecure_write(PGconn *conn, const void *ptr, size_t len)
+pqsecure_write(PGconn *conn, void *ptr, size_t len)
 {
     ssize_t        n;
 
@@ -297,6 +304,13 @@ pqsecure_write(PGconn *conn, const void *ptr, size_t len)
         n = pgtls_write(conn, ptr, len);
     }
     else
+#endif
+#ifdef ENABLE_GSS
+    if (conn->gssenc)
+    {
+        n = pg_GSS_write(conn, ptr, len);
+    }
+    else
 #endif
     {
         n = pqsecure_raw_write(conn, ptr, len);
diff --git a/src/interfaces/libpq/libpq-fe.h b/src/interfaces/libpq/libpq-fe.h
index ed9c806861..bdd5a10cd8 100644
--- a/src/interfaces/libpq/libpq-fe.h
+++ b/src/interfaces/libpq/libpq-fe.h
@@ -65,8 +65,9 @@ typedef enum
     CONNECTION_NEEDED,            /* Internal state: connect() needed */
     CONNECTION_CHECK_WRITABLE,    /* Check if we could make a writable
                                  * connection. */
-    CONNECTION_CONSUME            /* Wait for any pending message and consume
+    CONNECTION_CONSUME,            /* Wait for any pending message and consume
                                  * them. */
+    CONNECTION_GSS_STARTUP,        /* Negotiating GSSAPI. */
 } ConnStatusType;
 
 typedef enum
diff --git a/src/interfaces/libpq/libpq-int.h b/src/interfaces/libpq/libpq-int.h
index 9a586ff25a..6cf3459a8c 100644
--- a/src/interfaces/libpq/libpq-int.h
+++ b/src/interfaces/libpq/libpq-int.h
@@ -22,6 +22,7 @@
 
 /* We assume libpq-fe.h has already been included. */
 #include "libpq-events.h"
+#include "lib/stringinfo.h"
 
 #include <time.h>
 #ifndef WIN32
@@ -473,9 +474,19 @@ struct pg_conn
 #endif                            /* USE_OPENSSL */
 #endif                            /* USE_SSL */
 
+    char *gssmode;                /* GSS mode (require,prefer,disable) */
 #ifdef ENABLE_GSS
     gss_ctx_id_t gctx;            /* GSS context */
     gss_name_t    gtarg_nam;        /* GSS target name */
+
+    /* The following are encryption-only */
+    PQExpBufferData gbuf;        /* GSS encryption buffering */
+    size_t gcursor;                /* GSS buffering position */
+    PQExpBufferData gwritebuf;    /* GSS nonblocking write buffering */
+    size_t gwritecurs;            /* GSS write buffer position */
+    bool try_gss;                /* GSS attempting permitted */
+    bool gssenc;                /* GSS encryption is usable */
+    gss_cred_id_t gcred;        /* GSS credential temp storage. */
 #endif
 
 #ifdef ENABLE_SSPI
@@ -651,7 +662,7 @@ extern void pqsecure_destroy(void);
 extern PostgresPollingStatusType pqsecure_open_client(PGconn *);
 extern void pqsecure_close(PGconn *);
 extern ssize_t pqsecure_read(PGconn *, void *ptr, size_t len);
-extern ssize_t pqsecure_write(PGconn *, const void *ptr, size_t len);
+extern ssize_t pqsecure_write(PGconn *, void *ptr, size_t len);
 extern ssize_t pqsecure_raw_read(PGconn *, void *ptr, size_t len);
 extern ssize_t pqsecure_raw_write(PGconn *, const void *ptr, size_t len);
 
@@ -745,6 +756,23 @@ extern int pgtls_verify_peer_name_matches_certificate_guts(PGconn *conn,
                                                 int *names_examined,
                                                 char **first_name);
 
+/* === GSSAPI === */
+
+#ifdef ENABLE_GSS
+
+/*
+ * Establish a GSSAPI-encrypted connection.
+ */
+extern PostgresPollingStatusType pqsecure_open_gss(PGconn *conn);
+
+/*
+ * Read and write functions for GSSAPI-encrypted connections, with internal
+ * buffering to handle nonblocking sockets.
+ */
+extern ssize_t pg_GSS_write(PGconn *conn, void *ptr, size_t len);
+extern ssize_t pg_GSS_read(PGconn *conn, void *ptr, size_t len);
+#endif
+
 /* === miscellaneous macros === */
 
 /*
diff --git a/src/tools/msvc/Mkvcbuild.pm b/src/tools/msvc/Mkvcbuild.pm
index 593732fd95..b38a41843d 100644
--- a/src/tools/msvc/Mkvcbuild.pm
+++ b/src/tools/msvc/Mkvcbuild.pm
@@ -183,13 +183,18 @@ sub mkvcbuild
     $postgres->AddLibrary('wldap32.lib') if ($solution->{options}->{ldap});
     $postgres->FullExportDLL('postgres.lib');
 
-    # The OBJS scraper doesn't know about ifdefs, so remove be-secure-openssl.c
-    # if building without OpenSSL
+    # The OBJS scraper doesn't know about ifdefs, so remove
+    # be-secure-openssl.c if building without OpenSSL, and
+    # be-gssapi-common.c when building with GSSAPI.
     if (!$solution->{options}->{openssl})
     {
         $postgres->RemoveFile('src/backend/libpq/be-secure-common.c');
         $postgres->RemoveFile('src/backend/libpq/be-secure-openssl.c');
     }
+    if (!$solution->{options}->{gss})
+    {
+        $postgres->RemoveFile('src/backennd/libpq/be-gssapi-common.c');
+    }
 
     my $snowball = $solution->AddProject('dict_snowball', 'dll', '',
         'src/backend/snowball');
@@ -243,9 +248,10 @@ sub mkvcbuild
         'src/interfaces/libpq/libpq.rc');
     $libpq->AddReference($libpgport);
 
-    # The OBJS scraper doesn't know about ifdefs, so remove fe-secure-openssl.c
-    # and sha2_openssl.c if building without OpenSSL, and remove sha2.c if
-    # building with OpenSSL.
+    # The OBJS scraper doesn't know about ifdefs, so remove
+    # fe-secure-openssl.c and sha2_openssl.c if building without
+    # OpenSSL, and remove sha2.c if building with OpenSSL.  Also
+    # remove fe-gssapi-common.c when building with GSSAPI.
     if (!$solution->{options}->{openssl})
     {
         $libpq->RemoveFile('src/interfaces/libpq/fe-secure-common.c');
@@ -256,6 +262,10 @@ sub mkvcbuild
     {
         $libpq->RemoveFile('src/common/sha2.c');
     }
+    if (!$solution->{options}->{gss})
+    {
+        $libpq->RemoveFile('src/interfaces/libpq/fe-gssapi-common.c');
+    }
 
     my $libpqwalreceiver =
       $solution->AddProject('libpqwalreceiver', 'dll', '',
-- 
2.17.0


Attachment

pgsql-hackers by date:

Previous
From: Matthew Stickney
Date:
Subject: Re: [PATCH] (Windows) psql echoes password when reading from pipe
Next
From: Stephen Frost
Date:
Subject: Re: [PATCH v14] GSSAPI encryption support