This patch adds the ability to specify client certification and keys as
well as root certificates and revocation lists for the client as
parameters in PQconnectdb()
sslkey=fullepath_to_file
sslcert=fullpath_to_cert
ssltrustcrt=fullpath_to_trusted_cert_file
sslcrl=fullpath_to_revocation_list
Also, it fixes a but in client revocation lists that were never looking in
the application directory.
diff -u -r postgresql-8.2.7/src/interfaces/libpq/fe-connect.c postgresql-8.2.7-ssl/src/interfaces/libpq/fe-connect.c
--- postgresql-8.2.7/src/interfaces/libpq/fe-connect.c 2007-10-09 11:03:31.000000000 -0400
+++ postgresql-8.2.7-ssl/src/interfaces/libpq/fe-connect.c 2008-05-15 14:38:00.550668436 -0400
@@ -181,6 +181,18 @@
{"sslmode", "PGSSLMODE", DefaultSSLMode, NULL,
"SSL-Mode", "", 8}, /* sizeof("disable") == 8 */
+ {"sslcert", "PGSSLCERT", NULL, NULL,
+ "SSL-Client-Cert", "", 64},
+
+ {"sslkey", "PGSSLKEY", NULL, NULL,
+ "SSL-Client-Key", "", 64},
+
+ {"ssltrustcrt", "PGSSLKEY", NULL, NULL,
+ "SSL-Trusted-Keys", "", 64},
+
+ {"sslcrl", "PGSSLKEY", NULL, NULL,
+ "SSL-Revocation-List", "", 64},
+
#ifdef KRB5
/* Kerberos authentication supports specifying the service name */
{"krbsrvname", "PGKRBSRVNAME", PG_KRB_SRVNAM, NULL,
@@ -402,7 +414,17 @@
conn->connect_timeout = tmp ? strdup(tmp) : NULL;
tmp = conninfo_getval(connOptions, "sslmode");
conn->sslmode = tmp ? strdup(tmp) : NULL;
+ tmp = conninfo_getval(connOptions, "sslkey");
+ conn->sslkey = tmp ? strdup(tmp) : NULL;
+ tmp = conninfo_getval(connOptions, "sslcert");
+ conn->sslcert = tmp ? strdup(tmp) : NULL;
+ tmp = conninfo_getval(connOptions, "ssltrustcrt");
+ conn->ssltrustcrt = tmp ? strdup(tmp) : NULL;
+ tmp = conninfo_getval(connOptions, "sslcrl");
+ conn->sslcrl = tmp ? strdup(tmp) : NULL;
+
#ifdef USE_SSL
+
tmp = conninfo_getval(connOptions, "requiressl");
if (tmp && tmp[0] == '1')
{
diff -u -r postgresql-8.2.7/src/interfaces/libpq/fe-secure.c postgresql-8.2.7-ssl/src/interfaces/libpq/fe-secure.c
--- postgresql-8.2.7/src/interfaces/libpq/fe-secure.c 2006-10-06 13:14:01.000000000 -0400
+++ postgresql-8.2.7-ssl/src/interfaces/libpq/fe-secure.c 2008-05-15 14:48:56.244034272 -0400
@@ -586,7 +586,10 @@
}
/* read the user certificate */
- snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, USER_CERT_FILE);
+ if(conn->sslcert)
+ strncpy(fnbuf, conn->sslcert, sizeof(fnbuf));
+ else
+ snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, USER_CERT_FILE);
if ((fp = fopen(fnbuf, "r")) == NULL)
{
printfPQExpBuffer(&conn->errorMessage,
@@ -608,7 +611,10 @@
fclose(fp);
/* read the user key */
- snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, USER_KEY_FILE);
+ if(conn->sslcert)
+ strncpy(fnbuf, conn->sslkey, sizeof(fnbuf));
+ else
+ snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, USER_KEY_FILE);
if (stat(fnbuf, &buf) == -1)
{
printfPQExpBuffer(&conn->errorMessage,
@@ -740,6 +746,9 @@
{
SSL_library_init();
SSL_load_error_strings();
+ ERR_load_BIO_strings ();
+ ERR_load_SSL_strings();
+ OpenSSL_add_all_algorithms ();
}
SSL_context = SSL_CTX_new(TLSv1_method());
if (!SSL_context)
@@ -778,7 +787,10 @@
/* Set up to verify server cert, if root.crt is present */
if (pqGetHomeDirectory(homedir, sizeof(homedir)))
{
- snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, ROOT_CERT_FILE);
+ if(conn->ssltrustcrt)
+ strncpy(fnbuf, conn->ssltrustcrt, sizeof(fnbuf));
+ else
+ snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, ROOT_CERT_FILE);
if (stat(fnbuf, &buf) == 0)
{
X509_STORE *cvstore;
@@ -796,8 +808,12 @@
if ((cvstore = SSL_CTX_get_cert_store(SSL_context)) != NULL)
{
+ if(conn->sslcrl)
+ strncpy(fnbuf, conn->sslcrl, sizeof(fnbuf));
+ else
+ snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, ROOT_CRL_FILE);
/* setting the flags to check against the complete CRL chain */
- if (X509_STORE_load_locations(cvstore, ROOT_CRL_FILE, NULL) != 0)
+ if (X509_STORE_load_locations(cvstore, fnbuf, NULL) != 0)
/* OpenSSL 0.96 does not support X509_V_FLAG_CRL_CHECK */
#ifdef X509_V_FLAG_CRL_CHECK
X509_STORE_set_flags(cvstore,
diff -u -r postgresql-8.2.7/src/interfaces/libpq/libpq-int.h postgresql-8.2.7-ssl/src/interfaces/libpq/libpq-int.h
--- postgresql-8.2.7/src/interfaces/libpq/libpq-int.h 2007-07-23 14:13:10.000000000 -0400
+++ postgresql-8.2.7-ssl/src/interfaces/libpq/libpq-int.h 2008-05-15 14:05:07.614237197 -0400
@@ -271,6 +271,10 @@
char *pguser; /* Postgres username and password, if any */
char *pgpass;
char *sslmode; /* SSL mode (require,prefer,allow,disable) */
+ char *sslkey; /* ssl key file filename for call back */
+ char *sslcert; /* ssl certificate filename for call back */
+ char *ssltrustcrt; /* Trusted certificuits */
+ char *sslcrl; /* certificates revoked by certificate authorities */
#ifdef KRB5
char *krbsrvname; /* Kerberos service name */
#endif
diff -u -r postgresql-8.2.7/src/interfaces/libpq/libpq.rc postgresql-8.2.7-ssl/src/interfaces/libpq/libpq.rc
--- postgresql-8.2.7/src/interfaces/libpq/libpq.rc 2008-03-14 22:52:42.000000000 -0400
+++ postgresql-8.2.7-ssl/src/interfaces/libpq/libpq.rc 2008-05-15 14:51:41.529453351 -0400
@@ -1,8 +1,8 @@
#include <winver.h>
VS_VERSION_INFO VERSIONINFO
- FILEVERSION 8,2,7,8074
- PRODUCTVERSION 8,2,7,8074
+ FILEVERSION 8,2,7,8136
+ PRODUCTVERSION 8,2,7,8136
FILEFLAGSMASK 0x3fL
FILEFLAGS 0
FILEOS VOS__WINDOWS32
--
Sent via pgsql-patches mailing list (pgsql-patches@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-patches