| From: | Michael Paquier <michael(at)paquier(dot)xyz> |
|---|---|
| To: | Andrew Dunstan <andrew(at)dunslane(dot)net> |
| Cc: | Joel Jacobson <joel(at)compiler(dot)org>, Jacob Champion <pchampion(at)vmware(dot)com>, "daniel(at)yesql(dot)se" <daniel(at)yesql(dot)se>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Allow matching whole DN from a client certificate |
| Date: | 2021-03-30 01:08:33 |
| Message-ID: | YGJ6Efu3u4DAXsBV@paquier.xyz |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
On Mon, Mar 29, 2021 at 10:57:00AM +0900, Michael Paquier wrote:
> + switch (port->hba->clientcertname)
> + {
> + case clientCertDN:
> + peer_username = port->peer_dn;
> + break;
> + default:
> + peer_username = port->peer_cn;
> + }
>
> This does not need a "default". I think that you should use "case
> clientCertCN" instead here.
>
> + BIO_get_mem_ptr(bio, &bio_buf);
> No status checks? OpenSSL calls return 1 on success and 0 on failure,
> so I would check after <= 0 here.
>
> ++ if (port->hba->clientcertname == clientCertDN)
> ++ {
> ++ ereport(LOG,
> May be better to use a switch() here as well.
>
> It looks like this patch misses src/test/ssl/ssl/client-dn.crt,
> causing the SSL tests to fail.
For the sake of the archives, this has been applied as of 6d7a6fe with
all those nits from me addressed.
--
Michael
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Kohei KaiGai | 2021-03-30 01:11:30 | Re: TRUNCATE on foreign table |
| Previous Message | Michael Paquier | 2021-03-30 01:06:19 | Re: Add missing function abs (interval) |