Abhijit Menon-Sen wrote:
> At 2008-07-08 08:27:29 +0530, [EMAIL PROTECTED] wrote:
> >
> > (The patch is whitespace-damaged and the one fe-secure.c hunk doesn't
> > apply cleanly to the latest source, but I'm ignoring both problems for
> > the moment.)
>
> It wasn't hard to fix those, so I've attached an updated patch here.
>
> > Finally, I don't know enough (i.e. anything) about Windows to evaluate
> > the changes to libpq.rc, but the file that should be patched is really
> > libpq.rc.in.
>
> (But I didn't touch libpq.rc.in. I'm not sure if it even needs to be
> changed any more.)
It doesn't look like it needs changing.
I've hacked up a couple of SGML paragraphs to serve as documentation.
The patch is attached. I'll revise it (and make sure it compiles
properly) and see about committing it later today.
--
Alvaro Herrera http://www.CommandPrompt.com/
The PostgreSQL Company - Command Prompt, Inc.
Index: doc/src/sgml/libpq.sgml
===================================================================
RCS file: /home/alvherre/Code/cvs/pgsql/doc/src/sgml/libpq.sgml,v
retrieving revision 1.260
diff -c -p -r1.260 libpq.sgml
*** doc/src/sgml/libpq.sgml 27 Jun 2008 02:44:31 -0000 1.260
--- doc/src/sgml/libpq.sgml 1 Aug 2008 18:52:07 -0000
***************
*** 281,286 ****
--- 281,324 ----
</varlistentry>
<varlistentry>
+ <term><literal>sslcert</literal></term>
+ <listitem>
+ <para>
+ This parameter specifies the file name of the client SSL
+ certificate.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><literal>sslkey</literal></term>
+ <listitem>
+ <para>
+ This parameter specifies the file name of the client SSL key.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><literal>sslrootcert</literal></term>
+ <listitem>
+ <para>
+ This parameter specifies the file name of the root SSL certificate.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><literal>sslcrl</literal></term>
+ <listitem>
+ <para>
+ This parameter specifies the file name of the SSL certificate
+ revocation list (CRL)
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><literal>krbsrvname</literal></term>
<listitem>
<para>
*************** defaultNoticeProcessor(void *arg, const
*** 4911,4916 ****
--- 4949,4976 ----
<listitem>
<para>
<indexterm>
+ <primary><envar>PGROOTCERT</envar></primary>
+ </indexterm>
+ <envar>PGROOTCERT</envar> specifies the file name where the SSL
+ root certificate is stored. This can be overridden by the
+ <literal>sslrootcert</literal> connection parameter.
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ <indexterm>
+ <primary><envar>PGSSLCRL</envar></primary>
+ </indexterm>
+ <envar>PGSSLCRL</envar> specifies the file name where the SSL certificate
+ revocation list is stored. This can be overridden by the
+ <literal>sslcrl</literal> connection parameter.
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ <indexterm>
<primary><envar>PGKRBSRVNAME</envar></primary>
</indexterm>
<envar>PGKRBSRVNAME</envar> sets the Kerberos service name to use
Index: src/interfaces/libpq/fe-connect.c
===================================================================
RCS file: /home/alvherre/Code/cvs/pgsql/src/interfaces/libpq/fe-connect.c,v
retrieving revision 1.359
diff -c -p -r1.359 fe-connect.c
*** src/interfaces/libpq/fe-connect.c 29 May 2008 22:02:44 -0000 1.359
--- src/interfaces/libpq/fe-connect.c 1 Aug 2008 14:44:50 -0000
*************** static const PQconninfoOption PQconninfo
*** 181,186 ****
--- 181,198 ----
{"sslmode", "PGSSLMODE", DefaultSSLMode, NULL,
"SSL-Mode", "", 8}, /* sizeof("disable") == 8 */
+ {"sslcert", "PGSSLCERT", NULL, NULL,
+ "SSL-Client-Cert", "", 64},
+
+ {"sslkey", "PGSSLKEY", NULL, NULL,
+ "SSL-Client-Key", "", 64},
+
+ {"sslrootcert", "PGROOTCERT", NULL, NULL,
+ "SSL-Root-Certificate", "", 64},
+
+ {"sslcrl", "PGSSLCRL", NULL, NULL,
+ "SSL-Revocation-List", "", 64},
+
#if defined(KRB5) || defined(ENABLE_GSS) || defined(ENABLE_SSPI)
/* Kerberos and GSSAPI authentication support specifying the service name */
{"krbsrvname", "PGKRBSRVNAME", PG_KRB_SRVNAM, NULL,
*************** connectOptions1(PGconn *conn, const char
*** 413,418 ****
--- 425,438 ----
conn->connect_timeout = tmp ? strdup(tmp) : NULL;
tmp = conninfo_getval(connOptions, "sslmode");
conn->sslmode = tmp ? strdup(tmp) : NULL;
+ tmp = conninfo_getval(connOptions, "sslkey");
+ conn->sslkey = tmp ? strdup(tmp) : NULL;
+ tmp = conninfo_getval(connOptions, "sslcert");
+ conn->sslcert = tmp ? strdup(tmp) : NULL;
+ tmp = conninfo_getval(connOptions, "sslrootcert");
+ conn->sslrootcert = tmp ? strdup(tmp) : NULL;
+ tmp = conninfo_getval(connOptions, "sslcrl");
+ conn->sslcrl = tmp ? strdup(tmp) : NULL;
#ifdef USE_SSL
tmp = conninfo_getval(connOptions, "requiressl");
if (tmp && tmp[0] == '1')
Index: src/interfaces/libpq/fe-secure.c
===================================================================
RCS file: /home/alvherre/Code/cvs/pgsql/src/interfaces/libpq/fe-secure.c,v
retrieving revision 1.105
diff -c -p -r1.105 fe-secure.c
*** src/interfaces/libpq/fe-secure.c 16 May 2008 18:30:53 -0000 1.105
--- src/interfaces/libpq/fe-secure.c 1 Aug 2008 14:44:00 -0000
*************** client_cert_cb(SSL *ssl, X509 **x509, EV
*** 599,605 ****
}
/* read the user certificate */
! snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, USER_CERT_FILE);
/*
* OpenSSL <= 0.9.8 lacks error stack handling, which means it's likely to
--- 599,608 ----
}
/* read the user certificate */
! if (conn->sslcert)
! strncpy(fnbuf, conn->sslcert, sizeof(fnbuf));
! else
! snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, USER_CERT_FILE);
/*
* OpenSSL <= 0.9.8 lacks error stack handling, which means it's likely to
*************** client_cert_cb(SSL *ssl, X509 **x509, EV
*** 650,656 ****
BIO_free(bio);
#if (SSLEAY_VERSION_NUMBER >= 0x00907000L) && !defined(OPENSSL_NO_ENGINE)
! if (getenv("PGSSLKEY"))
{
/* read the user key from engine */
char *engine_env = getenv("PGSSLKEY");
--- 653,659 ----
BIO_free(bio);
#if (SSLEAY_VERSION_NUMBER >= 0x00907000L) && !defined(OPENSSL_NO_ENGINE)
! if (getenv("PGSSLKEY") && !conn->sslkey)
{
/* read the user key from engine */
char *engine_env = getenv("PGSSLKEY");
*************** client_cert_cb(SSL *ssl, X509 **x509, EV
*** 702,708 ****
#endif /* use PGSSLKEY */
{
/* read the user key from file */
! snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, USER_KEY_FILE);
if (stat(fnbuf, &buf) != 0)
{
printfPQExpBuffer(&conn->errorMessage,
--- 705,715 ----
#endif /* use PGSSLKEY */
{
/* read the user key from file */
! if (conn->sslkey)
! strncpy(fnbuf, conn->sslkey, sizeof(fnbuf));
! else
! snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, USER_KEY_FILE);
!
if (stat(fnbuf, &buf) != 0)
{
printfPQExpBuffer(&conn->errorMessage,
*************** initialize_SSL(PGconn *conn)
*** 904,910 ****
/* Set up to verify server cert, if root.crt is present */
if (pqGetHomeDirectory(homedir, sizeof(homedir)))
{
! snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, ROOT_CERT_FILE);
if (stat(fnbuf, &buf) == 0)
{
X509_STORE *cvstore;
--- 911,921 ----
/* Set up to verify server cert, if root.crt is present */
if (pqGetHomeDirectory(homedir, sizeof(homedir)))
{
! if (conn->ssltrustcrt)
! strncpy(fnbuf, conn->ssltrustcrt, sizeof(fnbuf));
! else
! snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, ROOT_CERT_FILE);
!
if (stat(fnbuf, &buf) == 0)
{
X509_STORE *cvstore;
*************** initialize_SSL(PGconn *conn)
*** 922,929 ****
if ((cvstore = SSL_CTX_get_cert_store(SSL_context)) != NULL)
{
/* setting the flags to check against the complete CRL chain */
! if (X509_STORE_load_locations(cvstore, ROOT_CRL_FILE, NULL) != 0)
/* OpenSSL 0.96 does not support X509_V_FLAG_CRL_CHECK */
#ifdef X509_V_FLAG_CRL_CHECK
X509_STORE_set_flags(cvstore,
--- 933,945 ----
if ((cvstore = SSL_CTX_get_cert_store(SSL_context)) != NULL)
{
+ if (conn->sslcrl)
+ strncpy(fnbuf, conn->sslcrl, sizeof(fnbuf));
+ else
+ snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, ROOT_CRL_FILE);
+
/* setting the flags to check against the complete CRL chain */
! if (X509_STORE_load_locations(cvstore, fnbuf, NULL) != 0)
/* OpenSSL 0.96 does not support X509_V_FLAG_CRL_CHECK */
#ifdef X509_V_FLAG_CRL_CHECK
X509_STORE_set_flags(cvstore,
Index: src/interfaces/libpq/libpq-int.h
===================================================================
RCS file: /home/alvherre/Code/cvs/pgsql/src/interfaces/libpq/libpq-int.h,v
retrieving revision 1.131
diff -c -p -r1.131 libpq-int.h
*** src/interfaces/libpq/libpq-int.h 29 May 2008 22:02:44 -0000 1.131
--- src/interfaces/libpq/libpq-int.h 1 Aug 2008 14:34:15 -0000
*************** struct pg_conn
*** 293,298 ****
--- 293,303 ----
char *pgpass;
bool pgpass_from_client; /* did password come from connect args? */
char *sslmode; /* SSL mode (require,prefer,allow,disable) */
+ char *sslkey; /* client key filename */
+ char *sslcert; /* client certificate filename */
+ char *sslrootcert; /* root certificate filename */
+ char *sslcrl; /* certificate revocation list filename */
+
#if defined(KRB5) || defined(ENABLE_GSS) || defined(ENABLE_SSPI)
char *krbsrvname; /* Kerberos service name */
#endif
--
Sent via pgsql-hackers mailing list ([email protected])
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
