npgsql
diff --git a/‎src/Npgsql/Internal/IntegratedSecurityHandler.cs‎
Lines changed: 9 additions & 3 deletions b/‎src/Npgsql/Internal/IntegratedSecurityHandler.cs‎
Lines changed: 9 additions & 3 deletions
diff --git a/‎src/Npgsql/Internal/NpgsqlConnector.Auth.cs‎
Lines changed: 14 additions & 8 deletions b/‎src/Npgsql/Internal/NpgsqlConnector.Auth.cs‎
Lines changed: 14 additions & 8 deletions
diff --git a/‎src/Npgsql/Internal/NpgsqlConnector.FrontendMessages.cs‎
Lines changed: 13 additions & 0 deletions b/‎src/Npgsql/Internal/NpgsqlConnector.FrontendMessages.cs‎
Lines changed: 13 additions & 0 deletions
@@ -16,7 +16,10 @@ class IntegratedSecurityHandler
         return new();
     }
 
-    public virtual ValueTask NegotiateAuthentication(bool async, NpgsqlConnector connector)
+    public virtual ValueTask NegotiateAuthentication(bool async, NpgsqlConnector connector, CancellationToken cancellationToken)
+        => throw new NotSupportedException(string.Format(NpgsqlStrings.IntegratedSecurityDisabled, nameof(NpgsqlSlimDataSourceBuilder.EnableIntegratedSecurity)));
+
+    public virtual ValueTask<GssEncryptionResult> GSSEncrypt(bool async, bool isRequired, NpgsqlConnector connector, CancellationToken cancellationToken)
         => throw new NotSupportedException(string.Format(NpgsqlStrings.IntegratedSecurityDisabled, nameof(NpgsqlSlimDataSourceBuilder.EnableIntegratedSecurity)));
 }
 
@@ -27,6 +30,9 @@ sealed class RealIntegratedSecurityHandler : IntegratedSecurityHandler
     public override ValueTask<string?> GetUsername(bool async, bool includeRealm, ILogger connectionLogger, CancellationToken cancellationToken)
         => KerberosUsernameProvider.GetUsername(async, includeRealm, connectionLogger, cancellationToken);
 
-    public override ValueTask NegotiateAuthentication(bool async, NpgsqlConnector connector)
-        => new(connector.AuthenticateGSS(async));
+    public override ValueTask NegotiateAuthentication(bool async, NpgsqlConnector connector, CancellationToken cancellationToken)
+        => connector.AuthenticateGSS(async, cancellationToken);
+
+    public override ValueTask<GssEncryptionResult> GSSEncrypt(bool async, bool isRequired, NpgsqlConnector connector, CancellationToken cancellationToken)
+        => connector.GSSEncrypt(async, isRequired, cancellationToken);
 }
@@ -33,7 +33,13 @@ async Task Authenticate(string username, NpgsqlTimeout timeout, bool async, Canc
             case AuthenticationRequestType.Ok:
                 // If we didn't complete authentication, check whether it's allowed
                 if (!authenticated)
+                {
+                    // User requested GSS authentication, but server said that no auth is required
+                    // If and only if our connection is gss encrypted, we consider us already authenticated
+                    if (requiredAuthModes.HasFlag(RequireAuthMode.GSS) && IsGssEncrypted)
+                        return;
                     ThrowIfNotAllowed(requiredAuthModes, RequireAuthMode.None);
+                }
                 return;
 
             case AuthenticationRequestType.CleartextPassword:
@@ -55,7 +61,7 @@ await AuthenticateSASL(((AuthenticationSASLMessage)msg).Mechanisms, username, as
             case AuthenticationRequestType.GSS:
             case AuthenticationRequestType.SSPI:
                 ThrowIfNotAllowed(requiredAuthModes, msg.AuthRequestType == AuthenticationRequestType.GSS ? RequireAuthMode.GSS : RequireAuthMode.SSPI);
-                await DataSource.IntegratedSecurityHandler.NegotiateAuthentication(async, this).ConfigureAwait(false);
+                await DataSource.IntegratedSecurityHandler.NegotiateAuthentication(async, this, cancellationToken).ConfigureAwait(false);
                 return;
 
             case AuthenticationRequestType.GSSContinue:
@@ -207,7 +213,7 @@ internal void AuthenticateSASLSha256Plus(ref string mechanism, ref string cbindF
         // try authenticate without channel binding even though both
         // the client and server supported it. The SCRAM exchange
         // checks for that, to prevent downgrade attacks.
-        if (!IsSecure)
+        if (!IsSslEncrypted)
             throw new NpgsqlException("Server offered SCRAM-SHA-256-PLUS authentication over a non-SSL connection");
 
         var sslStream = (SslStream)_stream;
@@ -321,7 +327,7 @@ async Task AuthenticateMD5(string username, byte[] salt, bool async, Cancellatio
         await Flush(async, cancellationToken).ConfigureAwait(false);
     }
 
-    internal async Task AuthenticateGSS(bool async)
+    internal async ValueTask AuthenticateGSS(bool async, CancellationToken cancellationToken)
     {
         var targetName = $"{KerberosServiceName}/{Host}";
 
@@ -331,24 +337,24 @@ internal async Task AuthenticateGSS(bool async)
         using var authContext = new NegotiateAuthentication(clientOptions);
         var data = authContext.GetOutgoingBlob(ReadOnlySpan<byte>.Empty, out var statusCode)!;
         Debug.Assert(statusCode == NegotiateAuthenticationStatusCode.ContinueNeeded);
-        await WritePassword(data, 0, data.Length, async, UserCancellationToken).ConfigureAwait(false);
-        await Flush(async, UserCancellationToken).ConfigureAwait(false);
+        await WritePassword(data, 0, data.Length, async, cancellationToken).ConfigureAwait(false);
+        await Flush(async, cancellationToken).ConfigureAwait(false);
         while (true)
         {
             var response = ExpectAny<AuthenticationRequestMessage>(await ReadMessage(async).ConfigureAwait(false), this);
             if (response.AuthRequestType == AuthenticationRequestType.Ok)
                 break;
             if (response is not AuthenticationGSSContinueMessage gssMsg)
                 throw new NpgsqlException($"Received unexpected authentication request message {response.AuthRequestType}");
-            data = authContext.GetOutgoingBlob(gssMsg.AuthenticationData.AsSpan(), out statusCode)!;
+            data = authContext.GetOutgoingBlob(gssMsg.AuthenticationData.AsSpan(), out statusCode);
             if (statusCode is not NegotiateAuthenticationStatusCode.Completed and not NegotiateAuthenticationStatusCode.ContinueNeeded)
                 throw new NpgsqlException($"Error while authenticating GSS/SSPI: {statusCode}");
             // We might get NegotiateAuthenticationStatusCode.Completed but the data will not be null
             // This can happen if it's the first cycle, in which case we have to send that data to complete handshake (#4888)
             if (data is null)
                 continue;
-            await WritePassword(data, 0, data.Length, async, UserCancellationToken).ConfigureAwait(false);
-            await Flush(async, UserCancellationToken).ConfigureAwait(false);
+            await WritePassword(data, 0, data.Length, async, cancellationToken).ConfigureAwait(false);
+            await Flush(async, cancellationToken).ConfigureAwait(false);
         }
     }
 
 
@@ -396,6 +396,19 @@ internal void WriteSslRequest()
         WriteBuffer.WriteInt32(80877103);
     }
 
+    internal void WriteGSSEncryptRequest()
+    {
+        const int len = sizeof(int) +  // Length
+                        sizeof(int);   // GSSEnc request code
+
+        WriteBuffer.StartMessage(len);
+        if (WriteBuffer.WriteSpaceLeft < len)
+            Flush(false).GetAwaiter().GetResult();
+
+        WriteBuffer.WriteInt32(len);
+        WriteBuffer.WriteInt32(80877104);
+    }
+
     internal void WriteStartup(Dictionary<string, string> parameters)
     {
         const int protocolVersion3 = 3 << 16; // 196608