| From: | Michael Paquier <michael(at)paquier(dot)xyz> | 
|---|---|
| To: | Andrew Dunstan <andrew(at)dunslane(dot)net> | 
| Cc: | Joel Jacobson <joel(at)compiler(dot)org>, Jacob Champion <pchampion(at)vmware(dot)com>, "daniel(at)yesql(dot)se" <daniel(at)yesql(dot)se>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org> | 
| Subject: | Re: Allow matching whole DN from a client certificate | 
| Date: | 2021-03-29 01:57:00 | 
| Message-ID: | YGEz7N2dOh2Fjwun@paquier.xyz | 
| Lists: | pgsql-hackers | 
On Fri, Mar 26, 2021 at 09:34:03AM -0400, Andrew Dunstan wrote:
> OK, here's a new patch. I hope to commit this within a few days.
Thanks!
+   switch (port->hba->clientcertname)
+   {
+       case clientCertDN:
+           peer_username = port->peer_dn;
+           break;
+       default:
+           peer_username = port->peer_cn;
+   }
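Review bot: the `default:` arm routes every value other than clientCertDN, including any future or corrupted enumerator, onto the CN path, which for an authentication identity is the fail-open direction. Make both arms explicit (`case clientCertCN:` beside `case clientCertDN:`) so the compiler can warn about an unhandled enumerator, and if a default is kept at all, have it report an error rather than silently pick an identity.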
This does not need a "default".  I think that you should use "case
clientCertCN" instead here.
+              BIO_get_mem_ptr(bio, &bio_buf);
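Review bot: the return value of BIO_get_mem_ptr() is discarded, so a failure leaves bio_buf unset while the code carries on. Check the result, treating <= 0 as failure, and return an error before anything reads bio_buf.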
No status checks?  OpenSSL calls return 1 on success and 0 on failure,
so I would check after <= 0 here.
++                      if (port->hba->clientcertname == clientCertDN)
++                      {
++                              ereport(LOG,
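Review bot: this `if (port->hba->clientcertname == clientCertDN)` repeats the DN-versus-CN selection already made by the earlier switch on clientcertname, with the two-branch shape hard-coded a second time. Using a switch with an explicit case per mode here as well keeps both places consistent and makes a later mode harder to miss in one of them.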
May be better to use a switch() here as well.
It looks like this patch misses src/test/ssl/ssl/client-dn.crt,
causing the SSL tests to fail.
--
Michael
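As an added example illustrating the thread's subject, and not code from the patch or from PostgreSQL: the block below shows why matching the whole subject DN is stricter than matching only the Common Name, and applies the two review points above (an explicit case per mode, no silent default; a failure is reported rather than ignored). It uses Go's crypto/x509 rather than OpenSSL, the certificates it builds are constructed test data, and the names NameMode, ModeCN, ModeDN, BuildCert, SampleCerts, PeerName and Matches are hypothetical stand-ins for the patch's clientcertname handling.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// NameMode stands in for the patch's clientcertname setting (hypothetical names).
type NameMode int

const (
	ModeCN NameMode = iota // compare only the Common Name
	ModeDN                 // compare the whole subject DN
)

// BuildCert creates a self-signed certificate with the given subject.
// These certificates are constructed test data, not real client certificates.
func BuildCert(subject pkix.Name) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      subject,
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// SampleCerts returns two constructed certificates that share the CN "alice"
// but differ in OU: one a CN-only comparison cannot tell apart from the other.
func SampleCerts() (legit, other *x509.Certificate, err error) {
	legit, err = BuildCert(pkix.Name{CommonName: "alice",
		OrganizationalUnit: []string{"eng"}, Organization: []string{"Example"}})
	if err != nil {
		return nil, nil, err
	}
	other, err = BuildCert(pkix.Name{CommonName: "alice",
		OrganizationalUnit: []string{"contractors"}, Organization: []string{"Example"}})
	if err != nil {
		return nil, nil, err
	}
	return legit, other, nil
}

// PeerName returns the identity taken from the certificate for the given mode.
// Every mode is an explicit case; an unknown mode is an error, not a fallback
// to the CN path, so a bad enum value cannot quietly widen what matches.
func PeerName(mode NameMode, cert *x509.Certificate) (string, error) {
	switch mode {
	case ModeCN:
		return cert.Subject.CommonName, nil
	case ModeDN:
		// pkix.Name.String() renders the DN RFC 2253 style, CN first.
		return cert.Subject.String(), nil
	default:
		return "", fmt.Errorf("unknown clientcert name mode %d", mode)
	}
}

// Matches reports whether the certificate identity equals expected under mode.
func Matches(mode NameMode, cert *x509.Certificate, expected string) (bool, error) {
	name, err := PeerName(mode, cert)
	if err != nil {
		return false, err
	}
	return name == expected, nil
}

func main() {
	legit, other, err := SampleCerts()
	if err != nil {
		panic(err)
	}
	for _, c := range []*x509.Certificate{legit, other} {
		cn, _ := Matches(ModeCN, c, "alice")
		dn, _ := Matches(ModeDN, c, "CN=alice,OU=eng,O=Example")
		fmt.Printf("%-35s cn-match=%v dn-match=%v\n", c.Subject.String(), cn, dn)
	}
}
```

Run as a plain `go run`: both certificates pass the CN comparison, only the one issued under OU=eng passes the DN comparison, and asking for an undefined mode yields an error instead of an identity.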