database/postgres
1
0
Fork 0
mirror of https://github.com/postgres/postgres.git synced 2025-07-14 08:21:07 +03:00
Code Activity

Allow full SSL certificate verification (wherein libpq checks its host name

Browse Source 
parameter against server cert's CN field) to succeed in the case where
both host and hostaddr are specified.  As with the existing precedents
for Kerberos, GSSAPI, SSPI, it is the calling application's responsibility
that host and hostaddr match up --- we just use the host name as given.
Per bug #5559 from Christopher Head.

In passing, make the error handling and messages for the no-host-name-given
failure more consistent among these four cases, and correct a lie in the
documentation: we don't attempt to reverse-lookup host from hostaddr
if host is missing.

Back-patch to 8.4 where SSL cert verification was introduced.
This commit is contained in:
Tom Lane
2010-07-14 17:09:45 +00:00
parent 1cc29fe7c6
commit d494e685c5
4 changed files with 38 additions and 33 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
src/interfaces/libpq/fe-auth.c
View File

@ -7,7 +7,7 @@
* Portions Copyright (c) 1994, Regents of the University of California
*
* IDENTIFICATION
* $PostgreSQL: pgsql/src/interfaces/libpq/fe-auth.c,v 1.144 2010/03/08 10:01:12 mha Exp $
* $PostgreSQL: pgsql/src/interfaces/libpq/fe-auth.c,v 1.145 2010/07/14 17:09:45 tgl Exp $
*
*-------------------------------------------------------------------------
*/
@ -206,10 +206,10 @@ pg_krb5_sendauth(PGconn *conn)
info.pg_krb5_initialised = 0;
if (!conn->pghost)
if (!(conn->pghost && conn->pghost[0] != '\0'))
{
printfPQExpBuffer(&conn->errorMessage,
"pg_krb5_sendauth: hostname must be specified for Kerberos authentication\n");
libpq_gettext("host name must be specified\n"));
return STATUS_ERROR;
}
@ -426,9 +426,10 @@ pg_GSS_startup(PGconn *conn)
int maxlen;
gss_buffer_desc temp_gbuf;
if (!conn->pghost)
if (!(conn->pghost && conn->pghost[0] != '\0'))
{
printfPQExpBuffer(&conn->errorMessage, libpq_gettext("host name must be specified\n"));
printfPQExpBuffer(&conn->errorMessage,
libpq_gettext("host name must be specified\n"));
return STATUS_ERROR;
}
@ -652,9 +653,10 @@ pg_SSPI_startup(PGconn *conn, int use_negotiate)
* but not more complex. We can skip the @REALM part, because Windows will
* fill that in for us automatically.
*/
if (conn->pghost == NULL)
if (!(conn->pghost && conn->pghost[0] != '\0'))
{
printfPQExpBuffer(&conn->errorMessage, libpq_gettext("host name must be specified\n"));
printfPQExpBuffer(&conn->errorMessage,
libpq_gettext("host name must be specified\n"));
return STATUS_ERROR;
}
conn->sspitarget = malloc(strlen(conn->krbsrvname) + strlen(conn->pghost) + 2);