From: | Aleksander Alekseev <aleksander(at)timescale(dot)com> |
---|---|
To: | "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org> |
Cc: | Jacob Champion <jchampion(at)timescale(dot)com>, Peter Eisentraut <peter(dot)eisentraut(at)enterprisedb(dot)com>, Michael Paquier <michael(at)paquier(dot)xyz>, "David G(dot) Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com> |
Subject: | Re: [PoC] Let libpq reject unexpected authentication requests |
Date: | 2022-11-11 13:52:56 |
Message-ID: | CAJ7c6TMVRupK3Wgb-mJZ8iUk8En0zK8W__0EsihpgCNkdQZiTQ@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
Hi Jacob,
> v11 makes an attempt at this (see 0003), using the proposed string list.
I noticed that this patchset stuck a bit so I decided to take a look.
In 0001:
```
+ conn->auth_required = false;
+ conn->allowed_auth_methods = -1;
...
+ uint32 allowed_auth_methods; /* bitmask of acceptable
AuthRequest codes */
```
Assigning a negative number to uint32 doesn't necessarily work on all
platforms. I suggest using PG_UINT32_MAX.
In 0002:
```
+ <term><literal>require</literal></term>
+ <listitem>
+ <para>
+ the server <emphasis>must</emphasis> request a certificate. The
+ connection will fail if the server authenticates the client despite
+ not requesting or receiving one.
```
The commit message IMO has a better description of "require". I
suggest adding the part about "This doesn't add any additional
security ..." to the documentation.
```
+ * hard-coded certificate via sslcert, so we don't actually set any
certificates
+ * here; we just it to record whether or not the server has actually asked for
```
Something is off with the wording here in the "we just it to ..." part.
The patchset seems to be in very good shape except for these few
nitpicks. I'm inclined to change its status to "Ready for Committer"
as soon as the new version will pass cfbot unless there are going to
be any objections from the community.
--
Best regards,
Aleksander Alekseev
From | Date | Subject | |
---|---|---|---|
Next Message | Peter Eisentraut | 2022-11-11 14:08:16 | Re: Privileges on PUBLICATION |
Previous Message | Pavel Borisov | 2022-11-11 12:39:10 | Re: Lockless queue of waiters in LWLock |