Alex Hunsaker wrote:
> On Thu, Oct 23, 2008 at 08:51, Magnus Hagander <[EMAIL PROTECTED]> wrote:
>> Magnus Hagander wrote:
>>> This patch adds a configuration option to pg_hba.conf for "clientcert".
>>> This makes it possible to have different client certificate requirements
>>> on different connections. It also makes sure that if you specify that
>>> you want client cert verification and the root store isn't there, we
>>> give an error instead of silently allowing the user in (like we do now).
>>>
>>> This still does not implement actual client certificate validation -
>>> that's for a later step. It just cleans up the handling we have now.
>> Uh, with docs.
>>
>> //Magnus
> 
> Hi, in getting ready to view the other clientcert patch, I thought I
> should give this a quick look over.
> 
> This hunk will break non-SSL builds (due to port->peer):
> 
> *** a/src/backend/libpq/auth.c
> --- b/src/backend/libpq/auth.c
> ***************
> *** 272,277 **** ClientAuthentication(Port *port)
> --- 272,303 ----
>                                errmsg("missing or erroneous pg_hba.conf 
> file"),
>                                errhint("See server log for details.")));
> 
> +     /*
> +      * This is the first point where we have access to the hba record for
> +      * the current connection, so perform any verifications based on the
> +      * hba options field that should be done *before* the authentication
> +      * here.
> +      */
> +     if (port->hba->clientcert)
> +     {
> +             /*
> +              * When we parse pg_hba.conf, we have already made sure that we 
> have
> +              * been able to load a certificate store. Thus, if a 
> certificate is
> +              * present on the client, it has been verified against our root
> +              * certificate store, and the connection would have been aborted
> +              * already if it didn't verify ok.
> +              */
> +             if (!port->peer)
> +             {
> +                     ereport(FATAL,
> +                                     
> (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
> +                                      errmsg("connection requires a valid 
> client certificate")));
> +             }
> +     }
> +
> +     /*
> +      * Now proceed to do the actual authentication check
> +      */
>       switch (port->hba->auth_method)
>       {
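
Review bot: The `if (!port->peer)` test inside the new `if (port->hba->clientcert)` block uses a field that, per the report above, is only available in SSL builds, so it needs a `#ifdef USE_SSL` guard. If the guard wraps the whole block, a non-SSL build would skip the check when `clientcert` is set and let the connection continue to the `switch` without the certificate the administrator asked for; consider an `#else` branch that raises the same FATAL error, unless pg_hba.conf parsing already rejects the option in such builds. The inner comment also relies on the root certificate store having been loaded at parse time, which this hunk does not show, so it would help to name the function that enforces it.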

Good point, thanks!
Added #ifdef USE_SSL around it.

(will address the other part of your response in a separate mail)

//Magnus

-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
