Greetings,

* Alvaro Herrera (alvhe...@2ndquadrant.com) wrote:
> On 2020-Jan-06, Stephen Frost wrote:
> 
> > > I wonder if part of the confusion might be due to the synonyms we're
> > > using here for "in use".  Things seem to be "got running", "set up",
> > > "operating", "negotiated", ... - maybe that's part of the barrier to
> > > understanding?
> > 
> > How about something like this?
> > 
> >  * If GSSAPI Encryption is enabled, then call pg_GSS_have_cred_cache()
> >  * which will return true if we can acquire credentials (and give us a
> >  * handle to use in conn->gcred), and then send a packet to the server
> >  * asking for GSSAPI Encryption (and skip past SSL negotiation and
> >  * regular startup below).
> 
> WFM.  (I'm not sure why you uppercase Encryption, though.)

Ok, great, attached is an actual patch which I'll push soon if there
aren't any other comments.

Thanks!

Stephen
From 49a57d5040c487c65cd9968504e978d11b4aefca Mon Sep 17 00:00:00 2001
From: Stephen Frost <sfr...@snowman.net>
Date: Mon, 6 Jan 2020 16:49:02 -0500
Subject: [PATCH] Improve GSSAPI Encryption startup comment in libpq

The original comment was a bit confusing, pointed out by Alvaro Herrera.

Thread: https://postgr.es/m/20191224151520.GA16435%40alvherre.pgsql
---
 src/interfaces/libpq/fe-connect.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/src/interfaces/libpq/fe-connect.c b/src/interfaces/libpq/fe-connect.c
index 3bd30482ec..89b134665b 100644
--- a/src/interfaces/libpq/fe-connect.c
+++ b/src/interfaces/libpq/fe-connect.c
@@ -2800,10 +2800,12 @@ keep_going:						/* We will come back to here until there is
 #ifdef ENABLE_GSS
 
 				/*
-				 * If GSSAPI is enabled and we have a credential cache, try to
-				 * set it up before sending startup messages.  If it's already
-				 * operating, don't try SSL and instead just build the startup
-				 * packet.
+				 * If GSSAPI encryption is enabled, then call
+				 * pg_GSS_have_cred_cache() which will return true if we can
+				 * acquire credentials (and give us a handle to use in
+				 * conn->gcred), and then send a packet to the server asking
+				 * for GSSAPI Encryption (and skip past SSL negotiation and
+				 * regular startup below).
 				 */
 				if (conn->try_gss && !conn->gctx)
 					conn->try_gss = pg_GSS_have_cred_cache(&conn->gcred);
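Review bot: The new comment spells the feature two ways, "GSSAPI encryption" on its first line and "GSSAPI Encryption" on its fifth; use lowercase "encryption" in both places, which also settles the capitalization question raised earlier in the thread. The comment also drops any mention of the "!conn->gctx" half of the condition in the if statement below it, which the old wording covered loosely with "If it's already operating"; a clause such as "and no GSSAPI context has been established yet" would keep the comment aligned with the check. Finally, the text describes sending the encryption request packet and skipping SSL negotiation, but the statement directly under the comment only sets conn->try_gss from pg_GSS_have_cred_cache(), so consider saying that the request is sent further down when try_gss is still true.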
-- 
2.20.1
