sharpetronics/PostgreSQL
1
0
Fork 0
mirror of https://github.com/postgres/postgres.git synced 2025-06-05 00:02:04 -04:00
Code Issues Projects Releases Wiki Activity

Add SSL CRL support to libpq. Recently added to the backend.

Browse Source
This commit is contained in:
Bruce Momjian 2006-05-06 02:24:39 +00:00
parent 3ecfdceaec
commit 069ad5fcc3
2 changed files with 29 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/backend/libpq/be-secure.c
View File

@ -11,7 +11,7 @@
* *
* *
* IDENTIFICATION * IDENTIFICATION
* $PostgreSQL: pgsql/src/backend/libpq/be-secure.c,v 1.68 2006/05/06 01:31:38 momjian Exp $ * $PostgreSQL: pgsql/src/backend/libpq/be-secure.c,v 1.69 2006/05/06 02:24:39 momjian Exp $
* *
* Since the server static private key ($DataDir/server.key) * Since the server static private key ($DataDir/server.key)
* will normally be stored unencrypted so that the database * will normally be stored unencrypted so that the database
@ -803,7 +803,7 @@ initialize_SSL(void)
if (cvstore) if (cvstore)
{ {
/* Set the flags to check against the complete CRL chain */ /* Set the flags to check against the complete CRL chain */
if (X509_STORE_load_locations(cvstore, ROOT_CRL_FILE, NULL) != 0) if (X509_STORE_load_locations(cvstore, ROOT_CRL_FILE, NULL) != 0)
/* OpenSSL 0.96 does not support X509_V_FLAG_CRL_CHECK */ /* OpenSSL 0.96 does not support X509_V_FLAG_CRL_CHECK */
#ifdef X509_V_FLAG_CRL_CHECK #ifdef X509_V_FLAG_CRL_CHECK

28
src/interfaces/libpq/fe-secure.c
View File

@ -11,7 +11,7 @@
* *
* *
* IDENTIFICATION * IDENTIFICATION
* $PostgreSQL: pgsql/src/interfaces/libpq/fe-secure.c,v 1.79 2006/04/27 14:02:36 momjian Exp $ * $PostgreSQL: pgsql/src/interfaces/libpq/fe-secure.c,v 1.80 2006/05/06 02:24:39 momjian Exp $
* *
* NOTES * NOTES
* [ Most of these notes are wrong/obsolete, but perhaps not all ] * [ Most of these notes are wrong/obsolete, but perhaps not all ]
@ -125,11 +125,13 @@
#define USER_CERT_FILE ".postgresql/postgresql.crt" #define USER_CERT_FILE ".postgresql/postgresql.crt"
#define USER_KEY_FILE ".postgresql/postgresql.key" #define USER_KEY_FILE ".postgresql/postgresql.key"
#define ROOT_CERT_FILE ".postgresql/root.crt" #define ROOT_CERT_FILE ".postgresql/root.crt"
#define ROOT_CRL_FILE ".postgresql/root.crl"
#else #else
/* On Windows, the "home" directory is already PostgreSQL-specific */ /* On Windows, the "home" directory is already PostgreSQL-specific */
#define USER_CERT_FILE "postgresql.crt" #define USER_CERT_FILE "postgresql.crt"
#define USER_KEY_FILE "postgresql.key" #define USER_KEY_FILE "postgresql.key"
#define ROOT_CERT_FILE "root.crt" #define ROOT_CERT_FILE "root.crt"
#define ROOT_CRL_FILE "root.crl"
#endif #endif
#ifdef NOT_USED #ifdef NOT_USED
@ -784,6 +786,8 @@ initialize_SSL(PGconn *conn)
snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, ROOT_CERT_FILE); snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, ROOT_CERT_FILE);
if (stat(fnbuf, &buf) == 0) if (stat(fnbuf, &buf) == 0)
{ {
X509_STORE *cvstore;
if (!SSL_CTX_load_verify_locations(SSL_context, fnbuf, NULL)) if (!SSL_CTX_load_verify_locations(SSL_context, fnbuf, NULL))
{ {
char *err = SSLerrmessage(); char *err = SSLerrmessage();
@ -795,6 +799,28 @@ initialize_SSL(PGconn *conn)
return -1; return -1;
} }
if ((cvstore = SSL_CTX_get_cert_store(SSL_context)) != NULL)
{
/* setting the flags to check against the complete CRL chain */
if (X509_STORE_load_locations(cvstore, ROOT_CRL_FILE, NULL) != 0)
/* OpenSSL 0.96 does not support X509_V_FLAG_CRL_CHECK */
#ifdef X509_V_FLAG_CRL_CHECK
X509_STORE_set_flags(cvstore,
X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
/* if not found, silently ignore; we do not require CRL */
#else
{
char *err = SSLerrmessage();
printfPQExpBuffer(&conn->errorMessage,
libpq_gettext("Installed SSL library does not support CRL certificates, file \"%s\"\n"),
fnbuf);
SSLerrfree(err);
return -1;
}
#endif
}
SSL_CTX_set_verify(SSL_context, SSL_VERIFY_PEER, verify_cb); SSL_CTX_set_verify(SSL_context, SSL_VERIFY_PEER, verify_cb);
} }
} }