Re: Support for NSS as a libpq TLS backend
Daniel Gustafsson <daniel@yesql.se>
From: Daniel Gustafsson <daniel@yesql.se>
To: Heikki Linnakangas <hlinnaka@iki.fi>
Cc: Andres Freund <andres@anarazel.de>,
Postgres hackers <pgsql-hackers@lists.postgresql.org>,
Michael Paquier <michael@paquier.xyz>,
Andrew Dunstan <andrew.dunstan@2ndquadrant.com>,
Stephen Frost <sfrost@snowman.net>,
Thomas Munro <thomas.munro@gmail.com>
Date: 2020-11-04T13:09:52Z
Lists: pgsql-hackers
Attachments
- v17-0001-NSS-Frontend-Backend-and-build-infrastructure.patch (application/octet-stream) patch v17-0001
- v17-0002-NSS-Testharness-updates.patch (application/octet-stream) patch v17-0002
- v17-0003-NSS-pg_strong_random-support.patch (application/octet-stream) patch v17-0003
- v17-0004-NSS-Documentation.patch (application/octet-stream) patch v17-0004
- v17-0005-NSS-contrib-modules.patch (application/octet-stream) patch v17-0005
> On 27 Oct 2020, at 21:18, Heikki Linnakangas <hlinnaka@iki.fi> wrote: > > On 27/10/2020 22:07, Daniel Gustafsson wrote: >> /* >> * Track whether the NSS database has a password set or not. There is no API >> * function for retrieving password status, so we simply flip this to true in >> * case NSS invoked the password callback - as that will only happen in case >> * there is a password. The reason for tracking this is that there are calls >> * which require a password parameter, but doesn't use the callbacks provided, >> * so we must call the callback on behalf of these. >> */ >> static bool has_password = false; > > This is set in PQssl_passwd_cb function, but never reset. That seems wrong. The NSS database used in one connection might have a password, while another one might not. Or have I completely misunderstood this? (sorry for slow response). You are absolutely right, the has_password flag must be tracked per connection in PGconn. The attached v17 implements this as well a frontend bugfix which caused dropped connections and some smaller fixups to make strings more translateable. I've also included a WIP version of SCRAM channel binding in the attached patch, it's currently failing to connect but someone here might spot the bug before I do so I figured it's better to include it. The 0005 patch is now, thanks to the sslinfo patch going in on master, only containing NSS specific code. cheers ./daniel
Commits
-
Add tab-completion for CREATE FOREIGN TABLE.
- 74527c3e022d 15.0 cited
-
Add tap tests for the schema publications.
- 6b0f6f79eef2 15.0 cited
-
Move Perl test modules to a better namespace
- b3b4d8e68ae8 15.0 cited
-
Adjust configure to insist on Perl version >= 5.8.3.
- 92e6a98c3636 15.0 cited
-
Simplify code related to compilation of SSL and OpenSSL
- 092b785fad3d 14.0 landed
-
Introduce --with-ssl={openssl} as a configure option
- fe61df7f82aa 14.0 landed
-
Implement support for bulk inserts in postgres_fdw
- b663a4136331 14.0 cited
-
Fix redundant error messages in client tools
- 6be725e70161 14.0 cited
-
doc: Apply more consistently <productname> markup for OpenSSL
- 089da3c4778f 14.0 landed
-
Check ssl_in_use flag when reporting statistics
- 6a5c750f3f72 14.0 cited