libpq: Fix SNI host handling

Fix handling of NULL host name (possibly by using hostaddr). It previously crashed. Also, we should look at connhost, not pghost, to handle multi-host specifications. Also remove an unnecessary SSL_CTX_free(). Reported-by: Jacob Champion <pchampion@vmware.com> Reviewed-by: Michael Paquier <michael@paquier.xyz> Discussion: https://www.postgresql.org/message-id/504c276ab6eee000bb23d571ea9b0ced4250774e.camel@vmware.com
2021-06-08 15:37:54 +02:00 · 2021-06-08 15:37:54 +02:00 · 37e1cce4dd
parent eab8195368
commit 37e1cce4dd
1 changed files with 16 additions and 12 deletions
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@ -1087,20 +1087,24 @@ initialize_SSL(PGconn *conn)
 	 * Per RFC 6066, do not set it if the host is a literal IP address (IPv4
 	 * or IPv6).
 	 */
-	if (conn->sslsni && conn->sslsni[0] &&
-		!(strspn(conn->pghost, "0123456789.") == strlen(conn->pghost) ||
-		  strchr(conn->pghost, ':')))
+	if (conn->sslsni && conn->sslsni[0])
 	{
-		if (SSL_set_tlsext_host_name(conn->ssl, conn->pghost) != 1)
-		{
-			char	   *err = SSLerrmessage(ERR_get_error());
+		const char *host = conn->connhost[conn->whichhost].host;

-			appendPQExpBuffer(&conn->errorMessage,
-							  libpq_gettext("could not set SSL Server Name Indication (SNI): %s\n"),
-							  err);
-			SSLerrfree(err);
-			SSL_CTX_free(SSL_context);
-			return -1;
+		if (host && host[0] &&
+			!(strspn(host, "0123456789.") == strlen(host) ||
+			  strchr(host, ':')))
+		{
+			if (SSL_set_tlsext_host_name(conn->ssl, host) != 1)
+			{
+				char	   *err = SSLerrmessage(ERR_get_error());
+
+				appendPQExpBuffer(&conn->errorMessage,
+								  libpq_gettext("could not set SSL Server Name Indication (SNI): %s\n"),
+								  err);
+				SSLerrfree(err);
+				return -1;
+			}
 		}
 	}