NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commit37e1cce

committed

libpq: Fix SNI host handling

Fix handling of NULL host name (possibly by using hostaddr). Itpreviously crashed. Also, we should look at connhost, not pghost, tohandle multi-host specifications.Also remove an unnecessary SSL_CTX_free().Reported-by: Jacob Champion <pchampion@vmware.com>Reviewed-by: Michael Paquier <michael@paquier.xyz>Discussion:https://www.postgresql.org/message-id/504c276ab6eee000bb23d571ea9b0ced4250774e.camel@vmware.com

1 parenteab8195 commit37e1cceCopy full SHA for 37e1cce

File tree

1 file changed

+15

-11

lines changed

src/interfaces/libpq
- fe-secure-openssl.c

1 file changed

+15

-11

lines changed

`‎src/interfaces/libpq/fe-secure-openssl.c`

Lines changed: 15 additions & 11 deletions

Original file line number	Diff line number	Diff line change
`@@ -1087,20 +1087,24 @@ initialize_SSL(PGconn *conn)`
`1087`	`1087`	`* Per RFC 6066, do not set it if the host is a literal IP address (IPv4`
`1088`	`1088`	`* or IPv6).`
`1089`	`1089`	`*/`
`1090`		`-if (conn->sslsni&&conn->sslsni[0]&&`
`1091`		`-!(strspn(conn->pghost,"0123456789.")==strlen(conn->pghost)\|\|`
`1092`		`-strchr(conn->pghost,':')))`
	`1090`	`+if (conn->sslsni&&conn->sslsni[0])`
`1093`	`1091`	`{`
`1094`		`-if (SSL_set_tlsext_host_name(conn->ssl,conn->pghost)!=1)`
	`1092`	`+constchar*host=conn->connhost[conn->whichhost].host;`
	`1093`	`+`
	`1094`	`+if (host&&host[0]&&`
	`1095`	`+!(strspn(host,"0123456789.")==strlen(host)\|\|`
	`1096`	`+strchr(host,':')))`
`1095`	`1097`	`{`
`1096`		`-char*err=SSLerrmessage(ERR_get_error());`
	`1098`	`+if (SSL_set_tlsext_host_name(conn->ssl,host)!=1)`
	`1099`	`+{`
	`1100`	`+char*err=SSLerrmessage(ERR_get_error());`
`1097`	`1101`
`1098`		`-appendPQExpBuffer(&conn->errorMessage,`
`1099`		`-libpq_gettext("could not set SSL Server Name Indication (SNI): %s\n"),`
`1100`		`-err);`
`1101`		`-SSLerrfree(err);`
`1102`		`-SSL_CTX_free(SSL_context);`
`1103`		`-return-1;`
	`1102`	`+appendPQExpBuffer(&conn->errorMessage,`
	`1103`	`+libpq_gettext("could not set SSL Server Name Indication (SNI): %s\n"),`
	`1104`	`+err);`
	`1105`	`+SSLerrfree(err);`
	`1106`	`+return-1;`
	`1107`	`+}`
`1104`	`1108`	`}`
`1105`	`1109`	`}`
`1106`	`1110`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit37e1cce

File tree

1 file changed

1 file changed

`‎src/interfaces/libpq/fe-secure-openssl.c`

0 commit comments