diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml index 527676fd62..a82b79bd7d 100644 --- a/doc/src/sgml/client-auth.sgml +++ b/doc/src/sgml/client-auth.sgml @@ -1,5 +1,5 @@ @@ -337,6 +337,7 @@ hostnossl database user authentication. Since the password is sent in clear text over the network, this should not be used on untrusted networks. + It also does not usually work with threaded client applications. See for details. diff --git a/doc/src/sgml/libpq.sgml b/doc/src/sgml/libpq.sgml index 63fb3ab419..31980e9017 100644 --- a/doc/src/sgml/libpq.sgml +++ b/doc/src/sgml/libpq.sgml @@ -1,5 +1,5 @@ @@ -4032,6 +4032,15 @@ however.) fail if the server does not present a certificate; therefore, to use this feature the server must also have a root.crt file. + + + If you are using SSL inside your application (in addition to + inside libpq), you can use PQinitSSL(int) + to tell libpq that the SSL library + has already been initialized by your application. + + + @@ -4081,12 +4090,12 @@ are not thread-safe and should not be used in multithread programs. -libpq applications that use the -crypt authentication method rely on the -crypt() operating system function, which is often -not thread-safe.cryptthread -safety It is better to use the md5 method, -which is thread-safe on all platforms. +If you are using Kerberos inside your application (in addition to inside +libpq), you will need to do locking around +Kerberos calls because Kerberos functions are not thread-safe. See +function PQregisterThreadLock in the +libpq source code for a way to do cooperative +locking between libpq and your application. diff --git a/src/interfaces/libpq/fe-auth.c b/src/interfaces/libpq/fe-auth.c index d2773134a2..bca9f46830 100644 --- a/src/interfaces/libpq/fe-auth.c +++ b/src/interfaces/libpq/fe-auth.c 
@@ -10,7 +10,7 @@ * exceed INITIAL_EXPBUFFER_SIZE (currently 256 bytes). * * IDENTIFICATION - * $PostgreSQL: pgsql/src/interfaces/libpq/fe-auth.c,v 1.106 2005/10/17 16:24:20 tgl Exp $ + * $PostgreSQL: pgsql/src/interfaces/libpq/fe-auth.c,v 1.107 2005/10/24 15:38:37 momjian Exp $ * *------------------------------------------------------------------------- */ @@ -500,6 +500,16 @@ pg_fe_getauthname(char *PQerrormsg) struct passwd *pw = NULL; #endif + /* + * pglock_thread() really only needs to be called around + * pg_krb5_authname(), but some users are using configure + * --enable-thread-safety-force, so we might as well do + * the locking within our library to protect pqGetpwuid(). + * In fact, application developers can use getpwuid() + * in their application if they use the locking call we + * provide, or install their own locking function using + * PQregisterThreadLock(). + */ pglock_thread(); #ifdef KRB5 diff --git a/src/interfaces/libpq/fe-secure.c b/src/interfaces/libpq/fe-secure.c index 316ea4ac26..9711b21085 100644 --- a/src/interfaces/libpq/fe-secure.c +++ b/src/interfaces/libpq/fe-secure.c @@ -11,7 +11,7 @@ * * * IDENTIFICATION - * $PostgreSQL: pgsql/src/interfaces/libpq/fe-secure.c,v 1.72 2005/10/15 02:49:48 momjian Exp $ + * $PostgreSQL: pgsql/src/interfaces/libpq/fe-secure.c,v 1.73 2005/10/24 15:38:37 momjian Exp $ * * NOTES * [ Most of these notes are wrong/obsolete, but perhaps not all ] @@ -220,8 +220,8 @@ KWbuHn491xNO25CQWMtem80uKw+pTnisBRF/454n1Jnhub144YRBoN8CAQI=\n\ /* - * Exported (but as yet undocumented) function to allow application to - * tell us it's already initialized OpenSSL. + * Exported function to allow application to tell us it's already + * initialized OpenSSL. */ void PQinitSSL(int do_init)
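Review bot: The new comment above `pglock_thread()` in pg_fe_getauthname points application developers at "the locking call we provide" without naming it; the only public entry point it mentions is `PQregisterThreadLock()`, and `pglock_thread()` itself looks like an internal helper. I would name the exported function and state that the protection is cooperative: the lock covers `pqGetpwuid()` and `pg_krb5_authname()` only against code that takes the same lock, so an application calling getpwuid() or Kerberos functions without it can still race with libpq. A closing line such as `* The lock is cooperative: it only helps if the application takes the same lock around its own getpwuid()/Kerberos calls.` would make that explicit. The function body continues outside the hunk, so the matching unlock is not visible here.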
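Review bot: The rewritten header comment for `PQinitSSL(int do_init)` in fe-secure.c still does not say what the argument means or when the call has to be made, and the new libpq.sgml paragraph in this commit only writes `PQinitSSL(int)`. Going by the parameter name, zero presumably tells libpq to skip its own OpenSSL initialization; the comment should say so, and should say that the call has to come before libpq first sets up SSL, since a late call would presumably have no effect. Suggested wording: `* Pass do_init = 0 if the application has already initialized OpenSSL; call this before opening any connection.` Confirm both points against the function body, which lies outside the hunk.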