diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml
index 45c5228cfe..c06b0718cf 100644
--- a/doc/src/sgml/libpq.sgml
+++ b/doc/src/sgml/libpq.sgml
@@ -1306,7 +1306,7 @@ postgresql://%2Fvar%2Flib%2Fpostgresql/dbname
 The server must not prompt the client for an authentication exchange. (This does not prohibit client certificate authentication
- via TLS, nor GSS authentication via its encrypted transport.)
+ via TLS, nor GSS authentication via its encrypted transport.)
diff --git a/meson.build b/meson.build
index 925db70c9d..bad035c8e3 100644
--- a/meson.build
+++ b/meson.build
@@ -1173,8 +1173,9 @@ if get_option('ssl') == 'openssl'
 ['CRYPTO_new_ex_data', {'required': true}],
 ['SSL_new', {'required': true}],
- # Function introduced in OpenSSL 1.0.2.
+ # Functions introduced in OpenSSL 1.0.2. LibreSSL doesn't have all of these.
 ['X509_get_signature_nid'],
+ ['SSL_CTX_set_cert_cb'],
 # Functions introduced in OpenSSL 1.1.0. We used to check for
 # OPENSSL_VERSION_NUMBER, but that didn't work with 1.1.0, because LibreSSL
diff --git a/src/interfaces/libpq/fe-auth.c b/src/interfaces/libpq/fe-auth.c
index 793888d30f..295b978525 100644
--- a/src/interfaces/libpq/fe-auth.c
+++ b/src/interfaces/libpq/fe-auth.c
@@ -837,7 +837,7 @@ pg_password_sendauth(PGconn *conn, const char *password, AuthRequest areq)
 }
 /*
- * Translate an AuthRequest into a human-readable description.
+ * Translate a disallowed AuthRequest code into an error message.
 */
 static const char *
 auth_description(AuthRequest areq)
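Review bot: The added `['SSL_CTX_set_cert_cb']` entry has no `{'required': true}`, so a build without it is accepted, yet the reworded comment only says LibreSSL lacks some of "these" without saying which. Name the optional function in the comment, for example `# SSL_CTX_set_cert_cb is presumably the one LibreSSL lacks; callers must be guarded by its HAVE_ macro`, so a reader knows which code path needs a fallback. Whatever client option depends on this callback should fail with an explicit error when it is absent rather than be silently ignored; that code is not visible here. No matching autoconf change appears in this page, so confirm the two build systems stay in step.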
@@ -845,23 +845,23 @@ auth_description(AuthRequest areq)
 switch (areq)
 {
 case AUTH_REQ_PASSWORD:
- return libpq_gettext("a cleartext password");
+ return libpq_gettext("server requested a cleartext password");
 case AUTH_REQ_MD5:
- return libpq_gettext("a hashed password");
+ return libpq_gettext("server requested a hashed password");
 case AUTH_REQ_GSS:
 case AUTH_REQ_GSS_CONT:
- return libpq_gettext("GSSAPI authentication");
+ return libpq_gettext("server requested GSSAPI authentication");
 case AUTH_REQ_SSPI:
- return libpq_gettext("SSPI authentication");
+ return libpq_gettext("server requested SSPI authentication");
 case AUTH_REQ_SCM_CREDS:
- return libpq_gettext("UNIX socket credentials");
+ return libpq_gettext("server requested UNIX socket credentials");
 case AUTH_REQ_SASL:
 case AUTH_REQ_SASL_CONT:
 case AUTH_REQ_SASL_FIN:
- return libpq_gettext("SASL authentication");
+ return libpq_gettext("server requested SASL authentication");
 }
- return libpq_gettext("an unknown authentication type");
+ return libpq_gettext("server requested an unknown authentication type");
 }
 /*
@@ -883,7 +883,7 @@ static bool
 check_expected_areq(AuthRequest areq, PGconn *conn)
 {
 bool result = true;
- char *reason = NULL;
+ const char *reason = NULL;
 if (conn->sslcertmode[0] == 'r' /* require */ && areq == AUTH_REQ_OK)
@@ -984,19 +984,12 @@ check_expected_areq(AuthRequest areq, PGconn *conn)
 if (!result)
 {
- if (reason)
- {
- appendPQExpBuffer(&conn->errorMessage,
- libpq_gettext("auth method \"%s\" requirement failed: %s\n"),
- conn->require_auth, reason);
- }
- else
- {
- appendPQExpBuffer(&conn->errorMessage,
- libpq_gettext("auth method \"%s\" required, but server requested %s\n"),
- conn->require_auth,
- auth_description(areq));
- }
+ if (!reason)
+ reason = auth_description(areq);
+
+ appendPQExpBuffer(&conn->errorMessage,
+ libpq_gettext("auth method \"%s\" requirement failed: %s\n"),
+ conn->require_auth, reason);
 return result;
 }
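Review bot: The fallback `return` after the switch in auth_description() gives "server requested an unknown authentication type" with no hint of which request code arrived, and after this commit that string is the entire reason shown for a require_auth failure. Someone investigating an unexpected method request from a server has nothing to go on in that case. The function returns a static string and cannot carry the number itself, so at least record the gap with a comment on the fallback, such as `/* any code not listed above lands here; the numeric value is not reported */`. Alternatively the caller could append the code for this case. The function's opening brace is outside this hunk.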
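Review bot: The one remaining format string in check_expected_areq() now always receives a separately translated sentence as its second `%s`, and nothing tells translators so. Put a translator comment ahead of the `libpq_gettext(...)` argument, for example `/* translator: the second %s is a complete, already-translated reason */`. The removed wording "required, but server requested" was user-visible, so any test or client code that matches on it needs the same update; none is visible in this page. The function begins and ends outside the hunk.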