Abhijit Menon-Sen wrote:
> At 2008-07-08 08:27:29 +0530, [EMAIL PROTECTED] wrote:
> >
> > (The patch is whitespace-damaged and the one fe-secure.c hunk doesn't
> > apply cleanly to the latest source, but I'm ignoring both problems for
> > the moment.)
> 
> It wasn't hard to fix those, so I've attached an updated patch here.
> 
> > Finally, I don't know enough (i.e. anything) about Windows to evaluate
> > the changes to libpq.rc, but the file that should be patched is really
> > libpq.rc.in.
> 
> (But I didn't touch libpq.rc.in. I'm not sure if it even needs to be
> changed any more.)

It doesn't look like it needs changing.

I've hacked up a couple of SGML paragraphs to serve as documentation.
The patch is attached.  I'll revise it (and make sure it compiles
properly) and see about committing it later today.

-- 
Alvaro Herrera                                http://www.CommandPrompt.com/
The PostgreSQL Company - Command Prompt, Inc.
Index: doc/src/sgml/libpq.sgml
===================================================================
RCS file: /home/alvherre/Code/cvs/pgsql/doc/src/sgml/libpq.sgml,v
retrieving revision 1.260
diff -c -p -r1.260 libpq.sgml
*** doc/src/sgml/libpq.sgml	27 Jun 2008 02:44:31 -0000	1.260
--- doc/src/sgml/libpq.sgml	1 Aug 2008 18:52:07 -0000
***************
*** 281,286 ****
--- 281,324 ----
          </varlistentry>
  
          <varlistentry>
+          <term><literal>sslcert</literal></term>
+          <listitem>
+           <para>
+            This parameter specifies the file name of the client SSL
+            certificate.
+           </para>
+          </listitem>
+         </varlistentry>
+ 
+         <varlistentry>
+          <term><literal>sslkey</literal></term>
+          <listitem>
+           <para>
+            This parameter specifies the file name of the client SSL key.
+           </para>
+          </listitem>
+         </varlistentry>
+ 
+         <varlistentry>
+          <term><literal>sslrootcert</literal></term>
+          <listitem>
+           <para>
+            This parameter specifies the file name of the root SSL certificate.
+           </para>
+          </listitem>
+         </varlistentry>
+ 
+         <varlistentry>
+          <term><literal>sslcrl</literal></term>
+          <listitem>
+           <para>
+            This parameter specifies the file name of the SSL certificate
+            revocation list (CRL)
+           </para>
+          </listitem>
+         </varlistentry>
+ 
+         <varlistentry>
           <term><literal>krbsrvname</literal></term>
           <listitem>
            <para>
*************** defaultNoticeProcessor(void *arg, const 
*** 4911,4916 ****
--- 4949,4976 ----
      <listitem>
       <para>
        <indexterm>
+        <primary><envar>PGROOTCERT</envar></primary>
+       </indexterm>
+       <envar>PGROOTCERT</envar> specifies the file name where the SSL
+       root certificate is stored.  This can be overridden by the
+       <literal>sslrootcert</literal> connection parameter.
+      </para>
+     </listitem>
+ 
+     <listitem>
+      <para>
+       <indexterm>
+        <primary><envar>PGSSLCRL</envar></primary>
+       </indexterm>
+       <envar>PGSSLCRL</envar> specifies the file name where the SSL certificate
+       revocation list is stored.  This can be overridden by the
+       <literal>sslcrl</literal> connection parameter.
+      </para>
+     </listitem>
+ 
+     <listitem>
+      <para>
+       <indexterm>
         <primary><envar>PGKRBSRVNAME</envar></primary>
        </indexterm>
        <envar>PGKRBSRVNAME</envar> sets the Kerberos service name to use
Index: src/interfaces/libpq/fe-connect.c
===================================================================
RCS file: /home/alvherre/Code/cvs/pgsql/src/interfaces/libpq/fe-connect.c,v
retrieving revision 1.359
diff -c -p -r1.359 fe-connect.c
*** src/interfaces/libpq/fe-connect.c	29 May 2008 22:02:44 -0000	1.359
--- src/interfaces/libpq/fe-connect.c	1 Aug 2008 14:44:50 -0000
*************** static const PQconninfoOption PQconninfo
*** 181,186 ****
--- 181,198 ----
  	{"sslmode", "PGSSLMODE", DefaultSSLMode, NULL,
  	"SSL-Mode", "", 8},			/* sizeof("disable") == 8 */
  
+ 	{"sslcert", "PGSSLCERT", NULL, NULL,
+ 	"SSL-Client-Cert", "", 64},
+ 
+ 	{"sslkey", "PGSSLKEY", NULL, NULL,
+ 	"SSL-Client-Key", "", 64},
+ 
+ 	{"sslrootcert", "PGROOTCERT", NULL, NULL,
+ 	"SSL-Root-Certificate", "", 64},
+ 
+ 	{"sslcrl", "PGSSLCRL", NULL, NULL,
+ 	"SSL-Revocation-List", "", 64},
+ 
  #if defined(KRB5) || defined(ENABLE_GSS) || defined(ENABLE_SSPI)
  	/* Kerberos and GSSAPI authentication support specifying the service name */
  	{"krbsrvname", "PGKRBSRVNAME", PG_KRB_SRVNAM, NULL,
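Review bot: `PGSSLKEY` is now the envvar column of the new `sslkey` entry, while client_cert_cb (the fe-secure.c hunk at line 650) still reads the same variable with getenv() as an OpenSSL engine specification and guards that path with `!conn->sslkey`. If this column is used as the option's default whenever the connection string does not set it, as the other entries in the table suggest, then setting PGSSLKEY in the environment always leaves conn->sslkey non-NULL and the engine branch can never be taken; the two meanings need different variable names, or the engine form has to be recognised from conn->sslkey itself. Separately, `PGROOTCERT` breaks the `PGSSL*` pattern of the other three new entries; `PGSSLROOTCERT` would match the option name and the documentation hunk would need the same change. The table definition starts and ends outside the hunk.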
*************** connectOptions1(PGconn *conn, const char
*** 413,418 ****
--- 425,438 ----
  	conn->connect_timeout = tmp ? strdup(tmp) : NULL;
  	tmp = conninfo_getval(connOptions, "sslmode");
  	conn->sslmode = tmp ? strdup(tmp) : NULL;
+ 	tmp = conninfo_getval(connOptions, "sslkey");
+ 	conn->sslkey = tmp ? strdup(tmp) : NULL;
+ 	tmp = conninfo_getval(connOptions, "sslcert");
+ 	conn->sslcert = tmp ? strdup(tmp) : NULL;
+ 	tmp = conninfo_getval(connOptions, "sslrootcert");
+ 	conn->sslrootcert = tmp ? strdup(tmp) : NULL;
+ 	tmp = conninfo_getval(connOptions, "sslcrl");
+ 	conn->sslcrl = tmp ? strdup(tmp) : NULL;
  #ifdef USE_SSL
  	tmp = conninfo_getval(connOptions, "requiressl");
  	if (tmp && tmp[0] == '1')
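Review bot: The four new strdup() results are stored in the PGconn but the patch does not show where they are released; if the teardown that frees `conn->sslmode` is not given matching `free(conn->sslkey)` through `free(conn->sslcrl)`, every connection leaks up to four strings. The copies also follow the neighbouring lines in not checking strdup() for NULL, which here means an allocation failure silently turns an explicitly configured certificate or key path into the home-directory default used by the fe-secure.c hunks; if that fallback is intended it deserves a comment, otherwise the failure should be reported. connectOptions1 starts and ends outside the hunk.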
Index: src/interfaces/libpq/fe-secure.c
===================================================================
RCS file: /home/alvherre/Code/cvs/pgsql/src/interfaces/libpq/fe-secure.c,v
retrieving revision 1.105
diff -c -p -r1.105 fe-secure.c
*** src/interfaces/libpq/fe-secure.c	16 May 2008 18:30:53 -0000	1.105
--- src/interfaces/libpq/fe-secure.c	1 Aug 2008 14:44:00 -0000
*************** client_cert_cb(SSL *ssl, X509 **x509, EV
*** 599,605 ****
  	}
  
  	/* read the user certificate */
! 	snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, USER_CERT_FILE);
  
  	/*
  	 * OpenSSL <= 0.9.8 lacks error stack handling, which means it's likely to
--- 599,608 ----
  	}
  
  	/* read the user certificate */
! 	if (conn->sslcert)
! 		strncpy(fnbuf, conn->sslcert, sizeof(fnbuf));
! 	else
! 		snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, USER_CERT_FILE);
  
  	/*
  	 * OpenSSL <= 0.9.8 lacks error stack handling, which means it's likely to
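Review bot: `strncpy(fnbuf, conn->sslcert, sizeof(fnbuf))` leaves fnbuf unterminated when the configured path is sizeof(fnbuf) bytes or longer, and the file open that follows then reads past the buffer; the sslkey, ssltrustcrt and sslcrl hunks below repeat the same pattern. The formatter already used on the else branch always terminates: `snprintf(fnbuf, sizeof(fnbuf), "%s", conn->sslcert);`. A silently truncated path still names a different file from the one the user configured, so comparing snprintf's return value against sizeof(fnbuf) and reporting an over-long path would be better than either form. client_cert_cb starts and ends outside the hunk.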
*************** client_cert_cb(SSL *ssl, X509 **x509, EV
*** 650,656 ****
  	BIO_free(bio);
  
  #if (SSLEAY_VERSION_NUMBER >= 0x00907000L) && !defined(OPENSSL_NO_ENGINE)
! 	if (getenv("PGSSLKEY"))
  	{
  		/* read the user key from engine */
  		char	   *engine_env = getenv("PGSSLKEY");
--- 653,659 ----
  	BIO_free(bio);
  
  #if (SSLEAY_VERSION_NUMBER >= 0x00907000L) && !defined(OPENSSL_NO_ENGINE)
! 	if (getenv("PGSSLKEY") && !conn->sslkey)
  	{
  		/* read the user key from engine */
  		char	   *engine_env = getenv("PGSSLKEY");
*************** client_cert_cb(SSL *ssl, X509 **x509, EV
*** 702,708 ****
  #endif   /* use PGSSLKEY */
  	{
  		/* read the user key from file */
! 		snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, USER_KEY_FILE);
  		if (stat(fnbuf, &buf) != 0)
  		{
  			printfPQExpBuffer(&conn->errorMessage,
--- 705,715 ----
  #endif   /* use PGSSLKEY */
  	{
  		/* read the user key from file */
! 		if (conn->sslkey)
! 			strncpy(fnbuf, conn->sslkey, sizeof(fnbuf));
! 		else
! 			snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, USER_KEY_FILE);
! 
  		if (stat(fnbuf, &buf) != 0)
  		{
  			printfPQExpBuffer(&conn->errorMessage,
*************** initialize_SSL(PGconn *conn)
*** 904,910 ****
  	/* Set up to verify server cert, if root.crt is present */
  	if (pqGetHomeDirectory(homedir, sizeof(homedir)))
  	{
! 		snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, ROOT_CERT_FILE);
  		if (stat(fnbuf, &buf) == 0)
  		{
  			X509_STORE *cvstore;
--- 911,921 ----
  	/* Set up to verify server cert, if root.crt is present */
  	if (pqGetHomeDirectory(homedir, sizeof(homedir)))
  	{
! 		if (conn->ssltrustcrt)
! 			strncpy(fnbuf, conn->ssltrustcrt, sizeof(fnbuf));
! 		else
! 			snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, ROOT_CERT_FILE);
! 
  		if (stat(fnbuf, &buf) == 0)
  		{
  			X509_STORE *cvstore;
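Review bot: `conn->ssltrustcrt` is not a field of struct pg_conn: the libpq-int.h hunk declares `sslrootcert` and the fe-connect.c hunk fills `conn->sslrootcert`, so this hunk will not compile as posted; both lines should read `conn->sslrootcert`. The new branch also sits inside `if (pqGetHomeDirectory(homedir, sizeof(homedir)))`, so on a client with no resolvable home directory an explicitly configured root certificate is ignored and server verification is silently skipped; the explicit path does not depend on homedir and should be tried before that guard, with the comment `/* Set up to verify server cert, if root.crt is present */` updated to mention the explicit option. initialize_SSL starts and ends outside the hunk.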
*************** initialize_SSL(PGconn *conn)
*** 922,929 ****
  
  			if ((cvstore = SSL_CTX_get_cert_store(SSL_context)) != NULL)
  			{
  				/* setting the flags to check against the complete CRL chain */
! 				if (X509_STORE_load_locations(cvstore, ROOT_CRL_FILE, NULL) != 0)
  /* OpenSSL 0.96 does not support X509_V_FLAG_CRL_CHECK */
  #ifdef X509_V_FLAG_CRL_CHECK
  					X509_STORE_set_flags(cvstore,
--- 933,945 ----
  
  			if ((cvstore = SSL_CTX_get_cert_store(SSL_context)) != NULL)
  			{
+ 				if (conn->sslcrl)
+ 					strncpy(fnbuf, conn->sslcrl, sizeof(fnbuf));
+ 				else
+ 					snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, ROOT_CRL_FILE);
+ 
  				/* setting the flags to check against the complete CRL chain */
! 				if (X509_STORE_load_locations(cvstore, fnbuf, NULL) != 0)
  /* OpenSSL 0.96 does not support X509_V_FLAG_CRL_CHECK */
  #ifdef X509_V_FLAG_CRL_CHECK
  					X509_STORE_set_flags(cvstore,
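Review bot: Only the success branch of `X509_STORE_load_locations(cvstore, fnbuf, NULL)` is visible; if a failed load is still skipped silently, as the pre-patch layout suggests, a user who sets `sslcrl` to a file that cannot be read gets a connection with no revocation checking and no diagnostic. Quiet fallback is defensible for the implicit homedir/ROOT_CRL_FILE default, but a non-NULL `conn->sslcrl` that fails to load should be reported through conn->errorMessage like the key and certificate errors. The hunk also moves the default CRL lookup from the bare `ROOT_CRL_FILE` to `homedir/ROOT_CRL_FILE`, a behaviour change worth a sentence in the commit message. The enclosing block starts and ends outside the hunk.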
Index: src/interfaces/libpq/libpq-int.h
===================================================================
RCS file: /home/alvherre/Code/cvs/pgsql/src/interfaces/libpq/libpq-int.h,v
retrieving revision 1.131
diff -c -p -r1.131 libpq-int.h
*** src/interfaces/libpq/libpq-int.h	29 May 2008 22:02:44 -0000	1.131
--- src/interfaces/libpq/libpq-int.h	1 Aug 2008 14:34:15 -0000
*************** struct pg_conn
*** 293,298 ****
--- 293,303 ----
  	char	   *pgpass;
  	bool		pgpass_from_client;	/* did password come from connect args? */
  	char	   *sslmode;		/* SSL mode (require,prefer,allow,disable) */
+ 	char       *sslkey;			/* client key filename */
+ 	char       *sslcert;		/* client certificate filename */
+ 	char       *sslrootcert;	/* root certificate filename */
+ 	char       *sslcrl;			/* certificate revocation list filename */
+ 
  #if defined(KRB5) || defined(ENABLE_GSS) || defined(ENABLE_SSPI)
  	char	   *krbsrvname;		/* Kerberos service name */
  #endif
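Review bot: The four new declarations are indented with spaces (`char       *sslkey;`) where the surrounding fields use a tab (`char	   *pgpass;`), so they will not line up under the file's tab settings; reformat them to match. The trailing comments could also state ownership, e.g. `/* client key filename (strdup'd copy owned by the PGconn) */`, since the fe-connect.c hunk strdup()s each value and a reader of the header cannot otherwise tell who frees it. struct pg_conn starts and ends outside the hunk.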