SSL configure patch
Here is the SSL patch we discussed previously for 8.3.1.
diff -ur postgresql-8.3.1.ref/src/interfaces/libpq/fe-connect.c postgresql-8.3.1-ssl/src/interfaces/libpq/fe-connect.c
--- postgresql-8.3.1.ref/src/interfaces/libpq/fe-connect.c 2008-01-28 21:06:30.000000000 -0500
+++ postgresql-8.3.1-ssl/src/interfaces/libpq/fe-connect.c 2008-06-06 11:01:22.000000000 -0400
@@ -181,6 +181,19 @@
{"sslmode", "PGSSLMODE", DefaultSSLMode, NULL,
"SSL-Mode", "", 8}, /* sizeof("disable") == 8 */
+ {"sslcert", "PGSSLCERT", NULL, NULL,
+ "SSL-Client-Cert", "", 64},
+
+ {"sslkey", "PGSSLKEY", NULL, NULL,
+ "SSL-Client-Key", "", 64},
+
+ {"ssltrustcrt", "PGSSLKEY", NULL, NULL,
+ "SSL-Trusted-Keys", "", 64},
+
+ {"sslcrl", "PGSSLKEY", NULL, NULL,
+ "SSL-Revocation-List", "", 64},
+
+
#if defined(KRB5) || defined(ENABLE_GSS) || defined(ENABLE_SSPI)
/* Kerberos and GSSAPI authentication support specifying the service name */
{"krbsrvname", "PGKRBSRVNAME", PG_KRB_SRVNAM, NULL,
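Review bot: The new `ssltrustcrt` and `sslcrl` entries both name `PGSSLKEY` as their environment fallback, the same variable `sslkey` already uses, so a single exported private-key path would also be copied into the trust-store and CRL fields, and (assuming the env column is honoured as it is for `sslmode`) `conn->sslkey` becomes non-NULL whenever `PGSSLKEY` is set, which defeats the `getenv("PGSSLKEY") && !conn->sslkey` engine check later in this patch. These look like copy-paste slips and need distinct variables, e.g. `{"ssltrustcrt", "PGSSLROOTCERT", NULL, NULL,` and `{"sslcrl", "PGSSLCRL", NULL, NULL,`. The display label `"SSL-Trusted-Keys"` is also misleading for a file of CA certificates; `"SSL-Trusted-Certs"` would match what fe-secure.c does with it. The option table continues outside the hunk.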
@@ -413,6 +426,14 @@
conn->connect_timeout = tmp ? strdup(tmp) : NULL;
tmp = conninfo_getval(connOptions, "sslmode");
conn->sslmode = tmp ? strdup(tmp) : NULL;
+ tmp = conninfo_getval(connOptions, "sslkey");
+ conn->sslkey = tmp ? strdup(tmp) : NULL;
+ tmp = conninfo_getval(connOptions, "sslcert");
+ conn->sslcert = tmp ? strdup(tmp) : NULL;
+ tmp = conninfo_getval(connOptions, "ssltrustcrt");
+ conn->ssltrustcrt = tmp ? strdup(tmp) : NULL;
+ tmp = conninfo_getval(connOptions, "sslcrl");
+ conn->sslcrl = tmp ? strdup(tmp) : NULL;
#ifdef USE_SSL
tmp = conninfo_getval(connOptions, "requiressl");
if (tmp && tmp[0] == '1')
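Review bot: The four `strdup` results stored into `conn` here have no corresponding release anywhere in the patch — this is a `diff -ur` of the tree and no hunk touches `freePGconn` — so each PGconn appears to leak `sslkey`, `sslcert`, `ssltrustcrt` and `sslcrl` unless they are freed somewhere not shown. Add the matching `if (conn->sslkey) free(conn->sslkey);` (and likewise for the other three) next to where `sslmode` is freed. As with the surrounding lines, a failed `strdup` is silently treated as "not set"; that matches existing style but is worth knowing for an option that controls server verification. The enclosing function starts and ends outside the hunk.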
diff -ur postgresql-8.3.1.ref/src/interfaces/libpq/fe-secure.c postgresql-8.3.1-ssl/src/interfaces/libpq/fe-secure.c
--- postgresql-8.3.1.ref/src/interfaces/libpq/fe-secure.c 2008-01-28 21:03:39.000000000 -0500
+++ postgresql-8.3.1-ssl/src/interfaces/libpq/fe-secure.c 2008-06-06 11:12:56.000000000 -0400
@@ -631,7 +631,11 @@
}
/* read the user certificate */
- snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, USER_CERT_FILE);
+
+ if(conn->sslcert)
+ strncpy(fnbuf, conn->sslcert, sizeof(fnbuf));
+ else
+ snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, USER_CERT_FILE);
/*
* OpenSSL <= 0.9.8 lacks error stack handling, which means it's likely to
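Review bot: `strncpy(fnbuf, conn->sslcert, sizeof(fnbuf))` leaves `fnbuf` without a NUL terminator when the configured path is `sizeof(fnbuf)` bytes or longer, and the code that then consumes `fnbuf` as a filename (outside this hunk) would read past the buffer; an over-long value is also silently truncated to a different path. Use `snprintf(fnbuf, sizeof(fnbuf), "%s", conn->sslcert);` and treat a return value `>= (int) sizeof(fnbuf)` as a configuration error rather than proceeding, the same way the existing `snprintf` default line is bounded. The same `strncpy` pattern is repeated for `sslkey`, `ssltrustcrt` and `sslcrl` in the later hunks and should be fixed in all four places. The enclosing function starts and ends outside the hunk.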
@@ -682,7 +686,7 @@
BIO_free(bio);
#if (SSLEAY_VERSION_NUMBER >= 0x00907000L) && !defined(OPENSSL_NO_ENGINE)
- if (getenv("PGSSLKEY"))
+ if (getenv("PGSSLKEY") && !conn->sslkey)
{
/* read the user key from engine */
char *engine_env = getenv("PGSSLKEY");
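Review bot: With the option table earlier in this patch listing `PGSSLKEY` as the environment source for `sslkey`, `conn->sslkey` will (if that column is applied as for the other options) already be set whenever `PGSSLKEY` is, so the new condition `getenv("PGSSLKEY") && !conn->sslkey` can never be true and the engine branch becomes dead code; an `engine:id` value would instead fall into the file-reading branch below and be passed to `stat()`. The two sources need to be disentangled: either give the `sslkey` option a different environment variable so `PGSSLKEY` keeps its engine meaning, or drop the `getenv` here and detect engine syntax on `conn->sslkey` itself. The enclosing block continues past the hunk.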
@@ -734,7 +738,11 @@
#endif /* use PGSSLKEY */
{
/* read the user key from file */
- snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, USER_KEY_FILE);
+ if(conn->sslkey)
+ strncpy(fnbuf, conn->sslkey, sizeof(fnbuf));
+ else
+ snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, USER_KEY_FILE);
+
if (stat(fnbuf, &buf) == -1)
{
printfPQExpBuffer(&conn->errorMessage,
@@ -921,7 +929,10 @@
/* Set up to verify server cert, if root.crt is present */
if (pqGetHomeDirectory(homedir, sizeof(homedir)))
{
- snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, ROOT_CERT_FILE);
+ if(conn->ssltrustcrt)
+ strncpy(fnbuf, conn->ssltrustcrt, sizeof(fnbuf));
+ else
+ snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, ROOT_CERT_FILE);
if (stat(fnbuf, &buf) == 0)
{
X509_STORE *cvstore;
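Review bot: The `conn->ssltrustcrt` override is placed inside `if (pqGetHomeDirectory(homedir, sizeof(homedir)))`, so an explicitly configured trust store is silently ignored — and server-certificate verification is not set up at all — whenever the home directory cannot be determined, which is exactly the situation (daemons, service accounts) this option exists for. Hoist the `ssltrustcrt` case above the home-directory test so only the default `root.crt` path depends on `homedir`. Similarly, the following `stat(fnbuf, &buf) == 0` falls through without verification when an explicitly named file is missing; for a user-supplied path that should be reported via `conn->errorMessage` and fail the connection, not quietly downgrade to no verification. The `strncpy` here also needs the bounded `snprintf` treatment, and the enclosing `if` block runs past the end of the hunk.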
@@ -939,8 +950,13 @@
if ((cvstore = SSL_CTX_get_cert_store(SSL_context)) != NULL)
{
+ if(conn->sslcrl)
+ strncpy(fnbuf, conn->sslcrl, sizeof(fnbuf));
+ else
+ snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, ROOT_CRL_FILE);
+
/* setting the flags to check against the complete CRL chain */
- if (X509_STORE_load_locations(cvstore, ROOT_CRL_FILE, NULL) != 0)
+ if (X509_STORE_load_locations(cvstore, fnbuf, NULL) != 0)
/* OpenSSL 0.96 does not support X509_V_FLAG_CRL_CHECK */
#ifdef X509_V_FLAG_CRL_CHECK
X509_STORE_set_flags(cvstore,
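Review bot: When `conn->sslcrl` is given and `X509_STORE_load_locations(cvstore, fnbuf, NULL)` fails, the code simply skips setting `X509_V_FLAG_CRL_CHECK` and continues without revocation checking; that silent fallback was tolerable for an implicit `~/.postgresql/root.crl`, but an explicitly configured CRL that cannot be loaded should be an error surfaced through `conn->errorMessage`. Moving the default from the bare `ROOT_CRL_FILE` (resolved relative to the current directory) to `homedir/ROOT_CRL_FILE` does look like a genuine fix. The `strncpy` into `fnbuf` has the same unterminated-copy problem as the other hunks and should be `snprintf(fnbuf, sizeof(fnbuf), "%s", conn->sslcrl);` with a truncation check. The `#ifdef` block continues past the hunk.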
diff -ur postgresql-8.3.1.ref/src/interfaces/libpq/libpq-int.h postgresql-8.3.1-ssl/src/interfaces/libpq/libpq-int.h
--- postgresql-8.3.1.ref/src/interfaces/libpq/libpq-int.h 2008-01-01 14:46:00.000000000 -0500
+++ postgresql-8.3.1-ssl/src/interfaces/libpq/libpq-int.h 2008-06-06 11:15:09.000000000 -0400
@@ -293,6 +293,11 @@
char *pgpass;
bool pgpass_from_client; /* did password come from connect args? */
char *sslmode; /* SSL mode (require,prefer,allow,disable) */
+ char *sslkey; /* ssl key file filename for call back */
+ char *sslcert; /* ssl certificate filename for call back */
+ char *ssltrustcrt; /* Trusted certificuits */
+ char *sslcrl; /* certificates revoked by certificate authorities */
+
#if defined(KRB5) || defined(ENABLE_GSS) || defined(ENABLE_SSPI)
char *krbsrvname; /* Kerberos service name */
#endif
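Review bot: The new field comments are inaccurate or misspelled — `"for call back"` describes nothing the patch does, and `"Trusted certificuits"` is a typo — so a maintainer reading the struct would not know which file each path names. Suggested replacements: `char *sslkey; /* client private key file (sslkey option) */`, `char *sslcert; /* client certificate file (sslcert option) */`, `char *ssltrustcrt; /* CA certificates trusted for server verification (ssltrustcrt option) */`, `char *sslcrl; /* certificate revocation list file (sslcrl option) */`. It may also be worth stating in the comment that these are heap strings owned by the PGconn, since they are `strdup`'d in fe-connect.c. The struct definition starts and ends outside the hunk.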
diff -ur postgresql-8.3.1.ref/src/interfaces/libpq/libpq.rc postgresql-8.3.1-ssl/src/interfaces/libpq/libpq.rc
--- postgresql-8.3.1.ref/src/interfaces/libpq/libpq.rc 2008-03-14 23:24:54.000000000 -0400
+++ postgresql-8.3.1-ssl/src/interfaces/libpq/libpq.rc 2008-06-06 11:19:28.000000000 -0400
@@ -1,8 +1,8 @@
#include <winver.h>
VS_VERSION_INFO VERSIONINFO
- FILEVERSION 8,3,1,8075
- PRODUCTVERSION 8,3,1,8075
+ FILEVERSION 8,3,1,8158
+ PRODUCTVERSION 8,3,1,8158
FILEFLAGSMASK 0x3fL
FILEFLAGS 0
FILEOS VOS__WINDOWS32
Re: [HACKERS] SSL configure patch
pgsql@mohawksoft.com writes:
Here is the SSL patch we discussed previously for 8.3.1.
This appears to change user-facing behavior, which makes the lack of
documentation updates unacceptable. Also, it would be helpful to
reviewers if you provided a link to that previous discussion.
regards, tom lane