From ba1dfcec9624d12f008e4e2d27a40a2d18b8479c Mon Sep 17 00:00:00 2001
From: Tom Lane
Date: Wed, 14 Jul 2010 17:10:03 +0000
Subject: Allow full SSL certificate verification (wherein libpq checks its host name parameter against server cert's CN field) to succeed in the case where both host and hostaddr are specified. As with the existing precedents for Kerberos, GSSAPI, SSPI, it is the calling application's responsibility that host and hostaddr match up --- we just use the host name as given. Per bug #5559 from Christopher Head. In passing, make the error handling and messages for the no-host-name-given failure more consistent among these four cases, and correct a lie in the documentation: we don't attempt to reverse-lookup host from hostaddr if host is missing. Back-patch to 8.4 where SSL cert verification was introduced.
---
 src/interfaces/libpq/fe-auth.c | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)
(limited to 'src/interfaces/libpq/fe-auth.c')
diff --git a/src/interfaces/libpq/fe-auth.c b/src/interfaces/libpq/fe-auth.c
index 71959fac8b0..34e884ec4da 100644
--- a/src/interfaces/libpq/fe-auth.c
+++ b/src/interfaces/libpq/fe-auth.c
@@ -7,7 +7,7 @@
 * Portions Copyright (c) 1994, Regents of the University of California
 *
 * IDENTIFICATION
- * $PostgreSQL: pgsql/src/interfaces/libpq/fe-auth.c,v 1.142.2.1 2010/03/08 10:01:24 mha Exp $
+ * $PostgreSQL: pgsql/src/interfaces/libpq/fe-auth.c,v 1.142.2.2 2010/07/14 17:10:03 tgl Exp $
 *
 *-------------------------------------------------------------------------
 */
@@ -206,10 +206,10 @@ pg_krb5_sendauth(PGconn *conn)
 info.pg_krb5_initialised = 0;
- if (!conn->pghost)
+ if (!(conn->pghost && conn->pghost[0] != '\0'))
 {
 printfPQExpBuffer(&conn->errorMessage,
- "pg_krb5_sendauth: hostname must be specified for Kerberos authentication\n");
+ libpq_gettext("host name must be specified\n"));
 return STATUS_ERROR;
 }
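Review bot: The empty-host guard added in pg_krb5_sendauth has no comment saying that conn->pghost is trusted exactly as given, and the same applies to the identical guards in the pg_GSS_startup and pg_SSPI_startup hunks. Per the commit message, when hostaddr is also set the caller is responsible for making host and hostaddr match, so the name used for authentication is never cross-checked against the address actually connected to. A short comment at the check would record that for the next reader, e.g. `/* host is used as given; we do not verify that it matches hostaddr */`. The predicate would also read more directly as `if (conn->pghost == NULL || conn->pghost[0] == '\0')`, and since it is repeated three times in this file a small static helper would keep the copies from drifting. The function bodies continue outside the hunks.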
@@ -426,9 +426,10 @@ pg_GSS_startup(PGconn *conn)
 int maxlen;
 gss_buffer_desc temp_gbuf;
- if (!conn->pghost)
+ if (!(conn->pghost && conn->pghost[0] != '\0'))
 {
- printfPQExpBuffer(&conn->errorMessage, libpq_gettext("host name must be specified\n"));
+ printfPQExpBuffer(&conn->errorMessage,
+ libpq_gettext("host name must be specified\n"));
 return STATUS_ERROR;
 }
@@ -652,9 +653,10 @@ pg_SSPI_startup(PGconn *conn, int use_negotiate)
 * but not more complex. We can skip the @REALM part, because Windows will
 * fill that in for us automatically.
 */
- if (conn->pghost == NULL)
+ if (!(conn->pghost && conn->pghost[0] != '\0'))
 {
- printfPQExpBuffer(&conn->errorMessage, libpq_gettext("host name must be specified\n"));
+ printfPQExpBuffer(&conn->errorMessage,
+ libpq_gettext("host name must be specified\n"));
 return STATUS_ERROR;
 }
 conn->sspitarget = malloc(strlen(conn->krbsrvname) + strlen(conn->pghost) + 2);
-- cgit v1.2.3
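Review bot: In the pg_SSPI_startup hunk the new guard covers conn->pghost only, while the unchanged malloc line right after it also calls strlen(conn->krbsrvname) with no NULL or empty check visible here. If krbsrvname is not guaranteed non-NULL by a default set elsewhere, the guard should cover it as well, e.g. `if (!(conn->krbsrvname && conn->krbsrvname[0] != '\0'))` with its own error message. The hunk ends on the malloc line, so it cannot be confirmed from here that the allocation result is checked or that the write into the hand-sized `+ 2` buffer is bounded; both are worth verifying in the lines that follow.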