Bruce Momjian wrote:
> 
> I am now wondering if fe-secure.c, the front-end code, should also check
> for "root.crl".  The attached patch implements it.

Updated patch attached and applied.  It adds CRL checking to libpq.  It
returns an error if the CRL file exists, but the library can't process
it, just like the backend.

-- 
  Bruce Momjian   http://candle.pha.pa.us
  EnterpriseDB    http://www.enterprisedb.com

  + If your life is a hard drive, Christ can be your backup. +
Index: src/interfaces/libpq/fe-secure.c
===================================================================
RCS file: /cvsroot/pgsql/src/interfaces/libpq/fe-secure.c,v
retrieving revision 1.79
diff -c -c -r1.79 fe-secure.c
*** src/interfaces/libpq/fe-secure.c	27 Apr 2006 14:02:36 -0000	1.79
--- src/interfaces/libpq/fe-secure.c	6 May 2006 02:21:50 -0000
***************
*** 125,135 ****
--- 125,137 ----
  #define USER_CERT_FILE		".postgresql/postgresql.crt"
  #define USER_KEY_FILE		".postgresql/postgresql.key"
  #define ROOT_CERT_FILE		".postgresql/root.crt"
+ #define ROOT_CRL_FILE		".postgresql/root.crl"
  #else
  /* On Windows, the "home" directory is already PostgreSQL-specific */
  #define USER_CERT_FILE		"postgresql.crt"
  #define USER_KEY_FILE		"postgresql.key"
  #define ROOT_CERT_FILE		"root.crt"
+ #define ROOT_CRL_FILE		"root.crl"
  #endif
  
  #ifdef NOT_USED
***************
*** 784,789 ****
--- 786,793 ----
  		snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, ROOT_CERT_FILE);
  		if (stat(fnbuf, &buf) == 0)
  		{
+ 			X509_STORE *cvstore;
+ 			
  			if (!SSL_CTX_load_verify_locations(SSL_context, fnbuf, NULL))
  			{
  				char	   *err = SSLerrmessage();
***************
*** 795,800 ****
--- 799,826 ----
  				return -1;
  			}
  
+ 			if ((cvstore = SSL_CTX_get_cert_store(SSL_context)) != NULL)
+ 			{
+ 				/* setting the flags to check against the complete CRL chain */
+ 				if (X509_STORE_load_locations(cvstore, ROOT_CRL_FILE, NULL) != 0)
+ /* OpenSSL 0.96 does not support X509_V_FLAG_CRL_CHECK */
+ #ifdef X509_V_FLAG_CRL_CHECK
+ 				   X509_STORE_set_flags(cvstore,
+ 								X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
+ 				/* if not found, silently ignore;  we do not require CRL */
+ #else
+ 				{
+ 					char	   *err = SSLerrmessage();
+ 	
+ 					printfPQExpBuffer(&conn->errorMessage,
+ 									  libpq_gettext("Installed SSL library does not support CRL certificates, file \"%s\"\n"),
+ 									  fnbuf);
+ 					SSLerrfree(err);
+ 					return -1;
+ 				}
+ #endif
+ 			}
+ 	
  			SSL_CTX_set_verify(SSL_context, SSL_VERIFY_PEER, verify_cb);
  		}
  	}
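Review bot: The CRL is loaded from the bare `ROOT_CRL_FILE` on the X509_STORE_load_locations line, so it is resolved against the process's current working directory rather than the home directory that the root.crt path just above was built from with `snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, ROOT_CERT_FILE)`; unless libpq happens to run from that directory the file is not found, the load fails, and by the comment's own design the failure is ignored, so revocation checking is silently skipped. The `#else` failure branch also reports `fnbuf`, which at that point still names root.crt rather than the CRL (and fetches `err` without using it in the message). Reuse the buffer before the call, `snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, ROOT_CRL_FILE);` followed by `if (X509_STORE_load_locations(cvstore, fnbuf, NULL) != 0)`, which also makes the error text accurate. Since a CRL that exists but cannot be parsed is likewise ignored here, consider guarding the load with the same `stat(fnbuf, &buf) == 0` check used for root.crt so that an unreadable CRL is reported instead of leaving revoked certificates accepted. The enclosing function starts and ends outside the hunk.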