Open Client Client-Library/C Reference Manual

Security features

Adaptive Server security features
Client applications that connect to Adaptive Server, SQL Server version 10.0 or later, or Open Server version 10.0 or later can take advantage of password encryption and challenge/response security handshakes.
Security handshaking: challenge/response

Servers use challenge/response security handshaking to provide an additional level of login security checking.
To provide the response that this handshake method requires, an application must be coded as follows:
Before calling ct_connect, the application must call ct_con_props to set one of the following properties:
  - CS_SEC_CHALLENGE to request Sybase-defined challenge/response security handshaking.
  - CS_SEC_APPDEFINED to request Open Server application-defined challenge/response security handshaking.
If either or both of these properties are set to CS_TRUE, ct_connect invokes the application's negotiation callback in response to server challenges.
The application must contain a negotiation callback that is coded to return the required response.
The application calls ct_callback to install the callback either at the context level or for a specific connection.
See "Defining a negotiation callback".
Security handshaking: encrypted password

Sybase servers use encrypted password handshakes if the client requests password encryption. Encrypted password security handshaking occurs while the connection to the server is being established.
Applications must request password encryption by setting the CS_SEC_ENCRYPTION connection property to CS_TRUE (the default is CS_FALSE). Otherwise, the password is sent to the server as plain text.
When password encryption is enabled, the server receives the user passwords and remote-server passwords as follows:
  1. Client-Library initially sends a dummy password to the server consisting of a zero-length string.
  2. The server responds by asking the client for the encrypted passwords and sending an encryption key to the client.
  3. If the client program has installed an encryption callback, Client-Library invokes the callback once for the local password and once for each remote-server password. Each time Client-Library invokes the encryption callback, it supplies the password to be encrypted and the encryption key as arguments.
  4. If the client program has not installed an encryption callback, Client-Library performs the default encryption for all passwords.
Password encryption is disabled by default, so applications that need password encryption must set the CS_SEC_ENCRYPTION property to CS_TRUE before calling ct_connect. The following code fragment enables password encryption:
    CS_BOOL boolval;

    /*
    ** Enable password encryption for the connection
    ** attempt.
    */
    boolval = CS_TRUE;
    if (ct_con_props(conn, CS_SET, CS_SEC_ENCRYPTION,
                     (CS_VOID *)&boolval, CS_UNUSED, (CS_INT *)NULL)
        != CS_SUCCEED)
    {
        fprintf(stdout,
                "ct_con_props(SEC_ENCRYPTION) failed. Exiting\n");
        (CS_VOID)ct_con_drop(conn);
        (CS_VOID)ct_exit(ctx, CS_FORCE_EXIT);
        (CS_VOID)cs_ctx_drop(ctx);
        exit(1);
    }
Password encryption is performed either by Client-Library's default encryption handler or by an application handler installed with ct_callback.
The default encryption handler performs the encryption expected by Adaptive Server. Applications that connect to Adaptive Server or an Open Server gateway to Adaptive Server should rely on the default encryption. Most applications fall into this category.
Applications that require an encryption handler include the following:
  - Open Server gateways that connect to an Adaptive Server must support password encryption with an encryption callback that obtains encrypted passwords from the gateway's client (via srv_negotiate) and forwards each password to the remote server (via the callback's output parameters).
  - Client applications that require a custom password encryption technique (for example, applications that connect to a custom Open Server) must install a custom encryption callback that performs the encryption expected by the server.
For information about defining a password encryption callback, see "Defining an encryption callback".
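The following added example (not code from the manual or from Open Client) models the client side of the encrypted-password handshake described above and the contract an encryption callback must honour: one invocation per password, the server-supplied key passed in, and a bounded output buffer. The CS_* typedefs, the callback signature and the placeholder transform are constructed stand-ins so it compiles without ctpublic.h; the real signature is the one given under "Defining an encryption callback", and the real encryption is the Sybase-defined algorithm, which this code does not implement.

```c
#include <string.h>
/* Constructed stand-ins for Open Client types so this compiles without
 * ctpublic.h; a real application includes that header instead. */
typedef int CS_INT;
typedef unsigned char CS_BYTE;
typedef int CS_RETCODE;
#define CS_SUCCEED 1
#define CS_FAIL    0
#define PWD_BUF_LEN 30  /* placeholder output buffer size, not a library constant */
/* Assumed callback shape: clear password, key sent by the server, output
 * buffer and its size, and an out-parameter for the bytes written. */
typedef CS_RETCODE (*encrypt_cb_t)(const CS_BYTE *pwd, CS_INT pwdlen,
                                   const CS_BYTE *key, CS_INT keylen,
                                   CS_BYTE *buf, CS_INT buflen, CS_INT *outlen);
/* Placeholder transform, NOT Adaptive Server's algorithm; it exists only to
 * exercise the contract and refuses to truncate rather than overrun buf. */
static CS_RETCODE placeholder_encrypt_cb(const CS_BYTE *pwd, CS_INT pwdlen,
        const CS_BYTE *key, CS_INT keylen,
        CS_BYTE *buf, CS_INT buflen, CS_INT *outlen)
{
    CS_INT i;
    if (keylen <= 0 || pwdlen > buflen)
        return CS_FAIL;
    for (i = 0; i < pwdlen; i++)
        buf[i] = pwd[i] ^ key[i % keylen];
    *outlen = pwdlen;
    return CS_SUCCEED;
}
/* Client side after the server answers the zero-length dummy password with a
 * key: call the handler once for the local password (passwords[0]) and once
 * per remote-server password; a NULL cb selects the default handler. Returns
 * the number encrypted, or -1 if a call fails or reports an out-of-range length. */
int run_password_handshake(encrypt_cb_t cb, const CS_BYTE *key, CS_INT keylen,
        const char *const *passwords, int npasswords, CS_INT *outlens)
{
    CS_BYTE buf[PWD_BUF_LEN];
    int i;
    if (cb == NULL)
        cb = placeholder_encrypt_cb;
    for (i = 0; i < npasswords; i++) {
        outlens[i] = 0;
        if (cb((const CS_BYTE *)passwords[i], (CS_INT)strlen(passwords[i]),
               key, keylen, buf, PWD_BUF_LEN, &outlens[i]) != CS_SUCCEED
            || outlens[i] < 0 || outlens[i] > PWD_BUF_LEN)
            return -1;
    }
    return npasswords;
}
```

A gateway forwarding each encrypted password to a remote server should apply the same length checks before using the callback's output parameters.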