Abhijit Menon-Sen wrote: > At 2008-07-08 08:27:29 +0530, [EMAIL PROTECTED] wrote: > > > > (The patch is whitespace-damaged and the one fe-secure.c hunk doesn't > > apply cleanly to the latest source, but I'm ignoring both problems for > > the moment.) > > It wasn't hard to fix those, so I've attached an updated patch here. > > > Finally, I don't know enough (i.e. anything) about Windows to evaluate > > the changes to libpq.rc, but the file that should be patched is really > > libpq.rc.in. > > (But I didn't touch libpq.rc.in. I'm not sure if it even needs to be > changed any more.)
It doesn't look like it needs changing. I've hacked up a couple of SGML paragraphs to serve as documentation. The patch is attached. I'll revise it (and make sure it compiles properly) and see about committing it later today. -- Alvaro Herrera http://www.CommandPrompt.com/ The PostgreSQL Company - Command Prompt, Inc.
Index: doc/src/sgml/libpq.sgml =================================================================== RCS file: /home/alvherre/Code/cvs/pgsql/doc/src/sgml/libpq.sgml,v retrieving revision 1.260 diff -c -p -r1.260 libpq.sgml *** doc/src/sgml/libpq.sgml 27 Jun 2008 02:44:31 -0000 1.260 --- doc/src/sgml/libpq.sgml 1 Aug 2008 18:52:07 -0000 *************** *** 281,286 **** --- 281,324 ---- </varlistentry> <varlistentry> + <term><literal>sslcert</literal></term> + <listitem> + <para> + This parameter specifies the file name of the client SSL + certificate. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term><literal>sslkey</literal></term> + <listitem> + <para> + This parameter specifies the file name of the client SSL key. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term><literal>sslrootcert</literal></term> + <listitem> + <para> + This parameter specifies the file name of the root SSL certificate. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term><literal>sslcrl</literal></term> + <listitem> + <para> + This parameter specifies the file name of the SSL certificate + revocation list (CRL) + </para> + </listitem> + </varlistentry> + + <varlistentry> <term><literal>krbsrvname</literal></term> <listitem> <para> *************** defaultNoticeProcessor(void *arg, const *** 4911,4916 **** --- 4949,4976 ---- <listitem> <para> <indexterm> + <primary><envar>PGROOTCERT</envar></primary> + </indexterm> + <envar>PGROOTCERT</envar> specifies the file name where the SSL + root certificate is stored. This can be overridden by the + <literal>sslrootcert</literal> connection parameter. + </para> + </listitem> + + <listitem> + <para> + <indexterm> + <primary><envar>PGSSLCRL</envar></primary> + </indexterm> + <envar>PGSSLCRL</envar> specifies the file name where the SSL certificate + revocation list is stored. This can be overridden by the + <literal>sslcrl</literal> connection parameter. 
+ </para> + </listitem> + + <listitem> + <para> + <indexterm> <primary><envar>PGKRBSRVNAME</envar></primary> </indexterm> <envar>PGKRBSRVNAME</envar> sets the Kerberos service name to use Index: src/interfaces/libpq/fe-connect.c =================================================================== RCS file: /home/alvherre/Code/cvs/pgsql/src/interfaces/libpq/fe-connect.c,v retrieving revision 1.359 diff -c -p -r1.359 fe-connect.c *** src/interfaces/libpq/fe-connect.c 29 May 2008 22:02:44 -0000 1.359 --- src/interfaces/libpq/fe-connect.c 1 Aug 2008 14:44:50 -0000 *************** static const PQconninfoOption PQconninfo *** 181,186 **** --- 181,198 ---- {"sslmode", "PGSSLMODE", DefaultSSLMode, NULL, "SSL-Mode", "", 8}, /* sizeof("disable") == 8 */ + {"sslcert", "PGSSLCERT", NULL, NULL, + "SSL-Client-Cert", "", 64}, + + {"sslkey", "PGSSLKEY", NULL, NULL, + "SSL-Client-Key", "", 64}, + + {"sslrootcert", "PGROOTCERT", NULL, NULL, + "SSL-Root-Certificate", "", 64}, + + {"sslcrl", "PGSSLCRL", NULL, NULL, + "SSL-Revocation-List", "", 64}, + #if defined(KRB5) || defined(ENABLE_GSS) || defined(ENABLE_SSPI) /* Kerberos and GSSAPI authentication support specifying the service name */ {"krbsrvname", "PGKRBSRVNAME", PG_KRB_SRVNAM, NULL, *************** connectOptions1(PGconn *conn, const char *** 413,418 **** --- 425,438 ---- conn->connect_timeout = tmp ? strdup(tmp) : NULL; tmp = conninfo_getval(connOptions, "sslmode"); conn->sslmode = tmp ? strdup(tmp) : NULL; + tmp = conninfo_getval(connOptions, "sslkey"); + conn->sslkey = tmp ? strdup(tmp) : NULL; + tmp = conninfo_getval(connOptions, "sslcert"); + conn->sslcert = tmp ? strdup(tmp) : NULL; + tmp = conninfo_getval(connOptions, "sslrootcert"); + conn->sslrootcert = tmp ? strdup(tmp) : NULL; + tmp = conninfo_getval(connOptions, "sslcrl"); + conn->sslcrl = tmp ? 
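Review bot: Binding the new `sslkey` option to the `PGSSLKEY` environment variable collides with the existing engine-key use of that same variable in fe-secure.c: if conninfo defaults are filled from the envvar column as they are for the other entries, `conn->sslkey` is non-NULL whenever `PGSSLKEY` is set, so the guard `if (getenv("PGSSLKEY") && !conn->sslkey)` in the fe-secure.c hunk at line 653 can never be true and the engine path becomes unreachable. Either bind the option to a separate environment variable, or keep `PGSSLKEY` as the file default and have the fe-secure.c code recognise the engine form by its syntax before treating the value as a path. The root-certificate entry is also the only one whose variable lacks the `PGSSL` prefix (`PGROOTCERT`); a consistent name would be easier to document alongside `PGSSLCERT`, `PGSSLKEY` and `PGSSLCRL`. The PQconninfoOptions array continues outside the hunk.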
strdup(tmp) : NULL; #ifdef USE_SSL tmp = conninfo_getval(connOptions, "requiressl"); if (tmp && tmp[0] == '1') Index: src/interfaces/libpq/fe-secure.c =================================================================== RCS file: /home/alvherre/Code/cvs/pgsql/src/interfaces/libpq/fe-secure.c,v retrieving revision 1.105 diff -c -p -r1.105 fe-secure.c *** src/interfaces/libpq/fe-secure.c 16 May 2008 18:30:53 -0000 1.105 --- src/interfaces/libpq/fe-secure.c 1 Aug 2008 14:44:00 -0000 *************** client_cert_cb(SSL *ssl, X509 **x509, EV *** 599,605 **** } /* read the user certificate */ ! snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, USER_CERT_FILE); /* * OpenSSL <= 0.9.8 lacks error stack handling, which means it's likely to --- 599,608 ---- } /* read the user certificate */ ! if (conn->sslcert) ! strncpy(fnbuf, conn->sslcert, sizeof(fnbuf)); ! else ! snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, USER_CERT_FILE); /* * OpenSSL <= 0.9.8 lacks error stack handling, which means it's likely to *************** client_cert_cb(SSL *ssl, X509 **x509, EV *** 650,656 **** BIO_free(bio); #if (SSLEAY_VERSION_NUMBER >= 0x00907000L) && !defined(OPENSSL_NO_ENGINE) ! if (getenv("PGSSLKEY")) { /* read the user key from engine */ char *engine_env = getenv("PGSSLKEY"); --- 653,659 ---- BIO_free(bio); #if (SSLEAY_VERSION_NUMBER >= 0x00907000L) && !defined(OPENSSL_NO_ENGINE) ! if (getenv("PGSSLKEY") && !conn->sslkey) { /* read the user key from engine */ char *engine_env = getenv("PGSSLKEY"); *************** client_cert_cb(SSL *ssl, X509 **x509, EV *** 702,708 **** #endif /* use PGSSLKEY */ { /* read the user key from file */ ! snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, USER_KEY_FILE); if (stat(fnbuf, &buf) != 0) { printfPQExpBuffer(&conn->errorMessage, --- 705,715 ---- #endif /* use PGSSLKEY */ { /* read the user key from file */ ! if (conn->sslkey) ! strncpy(fnbuf, conn->sslkey, sizeof(fnbuf)); ! else ! snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, USER_KEY_FILE); ! 
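Review bot: The four new `strdup` results stored in conn->sslkey, conn->sslcert, conn->sslrootcert and conn->sslcrl need matching `free` calls in the connection teardown path; no hunk in this patch touches freePGconn, so unless that is handled in a part not posted here every connection leaks these strings. They should be released where `conn->sslmode` is freed, so the new fields' lifetime is identical to the existing option strings. connectOptions1 continues outside the hunk.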
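Review bot: `strncpy(fnbuf, conn->sslcert, sizeof(fnbuf))` leaves fnbuf without a terminator when the user-supplied path is at least sizeof(fnbuf) bytes long, and the stat/open calls that follow would then read past the buffer; the same copy appears in the sslkey hunk at line 705 and in the two initialize_SSL hunks at lines 911 and 933. Since snprintf is already used on the adjacent line, `snprintf(fnbuf, sizeof(fnbuf), "%s", conn->sslcert);` (or strlcpy) terminates in every case, and its return value should be checked so that a truncated path is reported instead of silently opening a different file. client_cert_cb's body continues outside the hunk.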
if (stat(fnbuf, &buf) != 0) { printfPQExpBuffer(&conn->errorMessage, *************** initialize_SSL(PGconn *conn) *** 904,910 **** /* Set up to verify server cert, if root.crt is present */ if (pqGetHomeDirectory(homedir, sizeof(homedir))) { ! snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, ROOT_CERT_FILE); if (stat(fnbuf, &buf) == 0) { X509_STORE *cvstore; --- 911,921 ---- /* Set up to verify server cert, if root.crt is present */ if (pqGetHomeDirectory(homedir, sizeof(homedir))) { ! if (conn->ssltrustcrt) ! strncpy(fnbuf, conn->ssltrustcrt, sizeof(fnbuf)); ! else ! snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, ROOT_CERT_FILE); ! if (stat(fnbuf, &buf) == 0) { X509_STORE *cvstore; *************** initialize_SSL(PGconn *conn) *** 922,929 **** if ((cvstore = SSL_CTX_get_cert_store(SSL_context)) != NULL) { /* setting the flags to check against the complete CRL chain */ ! if (X509_STORE_load_locations(cvstore, ROOT_CRL_FILE, NULL) != 0) /* OpenSSL 0.96 does not support X509_V_FLAG_CRL_CHECK */ #ifdef X509_V_FLAG_CRL_CHECK X509_STORE_set_flags(cvstore, --- 933,945 ---- if ((cvstore = SSL_CTX_get_cert_store(SSL_context)) != NULL) { + if (conn->sslcrl) + strncpy(fnbuf, conn->sslcrl, sizeof(fnbuf)); + else + snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, ROOT_CRL_FILE); + /* setting the flags to check against the complete CRL chain */ ! 
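Review bot: `conn->ssltrustcrt` does not exist — the field added in libpq-int.h and filled in connectOptions1 is `sslrootcert` — so this hunk does not compile as posted; the lines should read `if (conn->sslrootcert)` / `strncpy(fnbuf, conn->sslrootcert, sizeof(fnbuf));`. Beyond the name, the explicit path is still nested inside `if (pqGetHomeDirectory(homedir, sizeof(homedir)))`, so a caller who passes sslrootcert gets no server-certificate verification when no home directory can be determined, and when `stat(fnbuf, &buf)` fails for an explicitly given file the code appears to continue without verification, as it does for a missing default root.crt. A root certificate (and likewise an sslcrl in the hunk at line 933) that the caller asked for but that cannot be found should fail the connection, since a mistyped path otherwise downgrades the connection unnoticed. initialize_SSL continues outside the hunk.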
if (X509_STORE_load_locations(cvstore, fnbuf, NULL) != 0) /* OpenSSL 0.96 does not support X509_V_FLAG_CRL_CHECK */ #ifdef X509_V_FLAG_CRL_CHECK X509_STORE_set_flags(cvstore, Index: src/interfaces/libpq/libpq-int.h =================================================================== RCS file: /home/alvherre/Code/cvs/pgsql/src/interfaces/libpq/libpq-int.h,v retrieving revision 1.131 diff -c -p -r1.131 libpq-int.h *** src/interfaces/libpq/libpq-int.h 29 May 2008 22:02:44 -0000 1.131 --- src/interfaces/libpq/libpq-int.h 1 Aug 2008 14:34:15 -0000 *************** struct pg_conn *** 293,298 **** --- 293,303 ---- char *pgpass; bool pgpass_from_client; /* did password come from connect args? */ char *sslmode; /* SSL mode (require,prefer,allow,disable) */ + char *sslkey; /* client key filename */ + char *sslcert; /* client certificate filename */ + char *sslrootcert; /* root certificate filename */ + char *sslcrl; /* certificate revocation list filename */ + #if defined(KRB5) || defined(ENABLE_GSS) || defined(ENABLE_SSPI) char *krbsrvname; /* Kerberos service name */ #endif