From c1932e542863f0f646f005b3492452acc57c7e66 Mon Sep 17 00:00:00 2001 From: Peter Eisentraut Date: Fri, 1 Apr 2022 15:41:44 +0200 Subject: libpq: Allow IP address SANs in server certificates The current implementation supports exactly one IP address in a server certificate's Common Name, which is brittle (the strings must match exactly). This patch adds support for IPv4 and IPv6 addresses in a server's Subject Alternative Names. Per discussion on-list: - If the client's expected host is an IP address, we allow fallback to the Subject Common Name if an iPAddress SAN is not present, even if a dNSName is present. This matches the behavior of NSS, in violation of the relevant RFCs. - We also, counter-intuitively, match IP addresses embedded in dNSName SANs. From inspection this appears to have been the behavior since the SAN matching feature was introduced in acd08d76. - Unlike NSS, we don't map IPv4 to IPv6 addresses, or vice-versa. Author: Jacob Champion Co-authored-by: Kyotaro Horiguchi Co-authored-by: Daniel Gustafsson Discussion: https://www.postgresql.org/message-id/flat/9f5f20974cd3a4091a788cf7f00ab663d5fcdffe.camel@vmware.com --- src/interfaces/libpq/fe-secure-common.h | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'src/interfaces/libpq/fe-secure-common.h') diff --git a/src/interfaces/libpq/fe-secure-common.h b/src/interfaces/libpq/fe-secure-common.h index 1cca6d785ac..d18db7138cc 100644 --- a/src/interfaces/libpq/fe-secure-common.h +++ b/src/interfaces/libpq/fe-secure-common.h @@ -21,6 +21,10 @@ extern int pq_verify_peer_name_matches_certificate_name(PGconn *conn, const char *namedata, size_t namelen, char **store_name); +extern int pq_verify_peer_name_matches_certificate_ip(PGconn *conn, + const unsigned char *addrdata, + size_t addrlen, + char **store_name); extern bool pq_verify_peer_name_matches_certificate(PGconn *conn); #endif /* FE_SECURE_COMMON_H */ -- cgit v1.2.3