Re: be-secure.c patch - Mailing list pgsql-patches
| From | Bruce Momjian |
|---|---|
| Subject | Re: be-secure.c patch |
| Date | |
| Msg-id | 200605060226.k462Q1426316@candle.pha.pa.us |
| In response to | Re: be-secure.c patch (Bruce Momjian <pgman@candle.pha.pa.us>) |
| List | pgsql-patches |
Bruce Momjian wrote:
> > I am now wondering if fe-secure.c, the front-end code, should also check
> for "root.crl". The attached patch implements it.

Updated patch attached and applied. It adds CRL checking to libpq. It returns an error if the CRL file exists, but the library can't process it, just like the backend.

--
Bruce Momjian http://candle.pha.pa.us
EnterpriseDB http://www.enterprisedb.com

+ If your life is a hard drive, Christ can be your backup. +

Index: src/interfaces/libpq/fe-secure.c =================================================================== RCS file: /cvsroot/pgsql/src/interfaces/libpq/fe-secure.c,v retrieving revision 1.79 diff -c -c -r1.79 fe-secure.c *** src/interfaces/libpq/fe-secure.c 27 Apr 2006 14:02:36 -0000 1.79 --- src/interfaces/libpq/fe-secure.c 6 May 2006 02:21:50 -0000 *************** *** 125,135 **** --- 125,137 ---- #define USER_CERT_FILE ".postgresql/postgresql.crt" #define USER_KEY_FILE ".postgresql/postgresql.key" #define ROOT_CERT_FILE ".postgresql/root.crt" + #define ROOT_CRL_FILE ".postgresql/root.crl" #else /* On Windows, the "home" directory is already PostgreSQL-specific */ #define USER_CERT_FILE "postgresql.crt" #define USER_KEY_FILE "postgresql.key" #define ROOT_CERT_FILE "root.crt" + #define ROOT_CRL_FILE "root.crl" #endif #ifdef NOT_USED *************** *** 784,789 **** --- 786,793 ---- snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, ROOT_CERT_FILE); if (stat(fnbuf, &buf) == 0) { + X509_STORE *cvstore; + if (!SSL_CTX_load_verify_locations(SSL_context, fnbuf, NULL)) { char *err = SSLerrmessage(); *************** *** 795,800 **** --- 799,826 ---- return -1; } + if ((cvstore = SSL_CTX_get_cert_store(SSL_context)) != NULL) + { + /* setting the flags to check against the complete CRL chain */ + if (X509_STORE_load_locations(cvstore, ROOT_CRL_FILE, NULL) != 0) + /* OpenSSL 0.96 does not support X509_V_FLAG_CRL_CHECK */ + #ifdef X509_V_FLAG_CRL_CHECK + X509_STORE_set_flags(cvstore, + 
X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL); + /* if not found, silently ignore; we do not require CRL */ + #else + { + char *err = SSLerrmessage(); + + printfPQExpBuffer(&conn->errorMessage, + libpq_gettext("Installed SSL library does not support CRL certificates, file \"%s\"\n"), + fnbuf); + SSLerrfree(err); + return -1; + } + #endif + } + SSL_CTX_set_verify(SSL_context, SSL_VERIFY_PEER, verify_cb); } }
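Review bot: in the third hunk, `X509_STORE_load_locations(cvstore, ROOT_CRL_FILE, NULL)` is passed the bare macro, so the CRL is looked up as ".postgresql/root.crl" (or "root.crl") relative to the current working directory rather than under homedir, unlike the ROOT_CERT_FILE path built with snprintf() a few lines earlier; build the CRL path the same way before the load, e.g. `snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, ROOT_CRL_FILE);` and pass `fnbuf`, which then also makes the #else error message name the CRL file instead of the root.crt path it prints now. In that same #else block `err` is fetched with SSLerrmessage() and freed without ever being used in the message; either include it or drop the two calls. The comment "if not found, silently ignore; we do not require CRL" sits after the X509_STORE_set_flags() call inside the #ifdef branch, where it reads as describing the flag call; it belongs next to the `!= 0` test it actually explains.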
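Review bot: the first hunk adds a new user-visible client file, ROOT_CRL_FILE (".postgresql/root.crl", or "root.crl" on Windows), but the patch touches only fe-secure.c and carries no documentation change; wherever the client-side postgresql.crt, postgresql.key and root.crt files are documented, root.crl should get a matching entry saying that it is optional and that an unreadable CRL makes the connection fail.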