Re: patch: Client certificate requirements

Alex Hunsaker wrote:
> On Thu, Oct 23, 2008 at 08:51, Magnus Hagander <magnus@hagander.net> wrote:
>> Magnus Hagander wrote:
>>> This patch adds a configuration option to pg_hba.conf for "clientcert".
>>> This makes it possible to have different client certificate requirements
>>> on different connections. It also makes sure that if you specify that
>>> you want client cert verification and the root store isn't there, we
>>> give an error instead of silently allowing the user in (like we do now).
>>>
>>> This still does not implement actual client certificate validation -
>>> that's for a later step. It just cleans up the handling we have now.
>> Uh, with docs.
>>
>> //Magnus
> 
> Hi in getting ready to view the other clientcert patch, I thought I
> should give this a quick look over.
> 
> this hunk will break non ssl builds (due to port->peer):
> 
> *** a/src/backend/libpq/auth.c
> --- b/src/backend/libpq/auth.c
> ***************
> *** 272,277 **** ClientAuthentication(Port *port)
> --- 272,303 ----
>                    errmsg("missing or erroneous pg_hba.conf file"),
>                    errhint("See server log for details.")));
> 
> +     /*
> +      * This is the first point where we have access to the hba record for
> +      * the current connection, so perform any verifications based on the
> +      * hba options field that should be done *before* the authentication
> +      * here.
> +      */
> +     if (port->hba->clientcert)
> +     {
> +         /*
> +          * When we parse pg_hba.conf, we have already made sure that we have
> +          * been able to load a certificate store. Thus, if a certificate is
> +          * present on the client, it has been verified against our root
> +          * certificate store, and the connection would have been aborted
> +          * already if it didn't verify ok.
> +          */
> +         if (!port->peer)
> +         {
> +             ereport(FATAL,
> +                     (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
> +                      errmsg("connection requires a valid client certificate")));
> +         }
> +     }
> +
> +     /*
> +      * Now proceed to do the actual authentication check
> +      */
>       switch (port->hba->auth_method)
>       {

Good point, thanks!
Added #ifdef USE_SSL around it.

(will address the other part of your response in a separate mail)

//Magnus