libpq: Fix SNI host handling
authorPeter Eisentraut <peter@eisentraut.org>
Tue, 8 Jun 2021 13:37:54 +0000 (15:37 +0200)
committerPeter Eisentraut <peter@eisentraut.org>
Tue, 8 Jun 2021 14:01:05 +0000 (16:01 +0200)
Fix handling of NULL host name (possibly by using hostaddr).  It
previously crashed.  Also, we should look at connhost, not pghost, to
handle multi-host specifications.

Also remove an unnecessary SSL_CTX_free().

Reported-by: Jacob Champion <pchampion@vmware.com>
Reviewed-by: Michael Paquier <michael@paquier.xyz>
Discussion: https://www.postgresql.org/message-id/504c276ab6eee000bb23d571ea9b0ced4250774e.camel@vmware.com

src/interfaces/libpq/fe-secure-openssl.c

index 00d43f3efff1e1ef10c1661af1220846c50b5d27..67feaedc4e07b3fda8f8e8e52e28c4be67a88e5d 100644 (file)
@@ -1087,20 +1087,24 @@ initialize_SSL(PGconn *conn)
         * Per RFC 6066, do not set it if the host is a literal IP address (IPv4
         * or IPv6).
         */
-       if (conn->sslsni && conn->sslsni[0] &&
-               !(strspn(conn->pghost, "0123456789.") == strlen(conn->pghost) ||
-                 strchr(conn->pghost, ':')))
+       if (conn->sslsni && conn->sslsni[0])
        {
-               if (SSL_set_tlsext_host_name(conn->ssl, conn->pghost) != 1)
+               const char *host = conn->connhost[conn->whichhost].host;
+
+               if (host && host[0] &&
+                       !(strspn(host, "0123456789.") == strlen(host) ||
+                         strchr(host, ':')))
                {
-                       char       *err = SSLerrmessage(ERR_get_error());
+                       if (SSL_set_tlsext_host_name(conn->ssl, host) != 1)
+                       {
+                               char       *err = SSLerrmessage(ERR_get_error());
 
-                       appendPQExpBuffer(&conn->errorMessage,
-                                                         libpq_gettext("could not set SSL Server Name Indication (SNI): %s\n"),
-                                                         err);
-                       SSLerrfree(err);
-                       SSL_CTX_free(SSL_context);
-                       return -1;
+                               appendPQExpBuffer(&conn->errorMessage,
+                                                                 libpq_gettext("could not set SSL Server Name Indication (SNI): %s\n"),
+                                                                 err);
+                               SSLerrfree(err);
+                               return -1;
+                       }
                }
        }
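Review bot: The new `host` lookup at the top of the block deserves a comment, since the existing comment above it (the RFC 6066 note) explains only the literal-IP rule and not why `conn->connhost[conn->whichhost].host` is consulted instead of `conn->pghost`, nor why it may be NULL or empty. Something like `/* Use the host of the current connhost entry rather than pghost, which may be a multi-host list; it is NULL or empty when only hostaddr was given, and then no SNI is sent. */` placed before the `const char *host` declaration would record the reasoning that otherwise lives only in the commit message. It is also worth noting in the same comment that the `strspn(host, "0123456789.") == strlen(host)` test is a heuristic for an IPv4 literal carried over from the old code, so a hostname made only of digits and dots is silently skipped rather than rejected. The enclosing initialize_SSL() continues outside the hunk.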