Re: be-secure.c patch

From: Bruce Momjian
Subject: Re: be-secure.c patch
Date:
Msg-id: 200605060226.k462Q1426316@candle.pha.pa.us
In reply to: Re: be-secure.c patch (Bruce Momjian <pgman@candle.pha.pa.us>)
List: pgsql-patches
Bruce Momjian wrote:
>
> I am now wondering if fe-secure.c, the front-end code, should also check
> for "root.crl".  The attached patch implements it.

Updated patch attached and applied.  It adds CRL checking to libpq.  It
returns an error if the CRL file exists, but the library can't process
it, just like the backend.

--
  Bruce Momjian   http://candle.pha.pa.us
  EnterpriseDB    http://www.enterprisedb.com

  + If your life is a hard drive, Christ can be your backup. +
Index: src/interfaces/libpq/fe-secure.c
===================================================================
RCS file: /cvsroot/pgsql/src/interfaces/libpq/fe-secure.c,v
retrieving revision 1.79
diff -c -c -r1.79 fe-secure.c
*** src/interfaces/libpq/fe-secure.c    27 Apr 2006 14:02:36 -0000    1.79
--- src/interfaces/libpq/fe-secure.c    6 May 2006 02:21:50 -0000
***************
*** 125,135 ****
--- 125,137 ----
  #define USER_CERT_FILE        ".postgresql/postgresql.crt"
  #define USER_KEY_FILE        ".postgresql/postgresql.key"
  #define ROOT_CERT_FILE        ".postgresql/root.crt"
+ #define ROOT_CRL_FILE        ".postgresql/root.crl"
  #else
  /* On Windows, the "home" directory is already PostgreSQL-specific */
  #define USER_CERT_FILE        "postgresql.crt"
  #define USER_KEY_FILE        "postgresql.key"
  #define ROOT_CERT_FILE        "root.crt"
+ #define ROOT_CRL_FILE        "root.crl"
  #endif

  #ifdef NOT_USED
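Review bot: the new ROOT_CRL_FILE macro introduces a client-side file (~/.postgresql/root.crl on Unix, root.crl in the PostgreSQL home directory on Windows) that this patch does not document; only fe-secure.c is touched. The libpq documentation that lists postgresql.crt, postgresql.key and root.crt should gain a matching entry for root.crl, stating that it is optional and, when present, must contain a CRL the library can load.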
***************
*** 784,789 ****
--- 786,793 ----
          snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, ROOT_CERT_FILE);
          if (stat(fnbuf, &buf) == 0)
          {
+             X509_STORE *cvstore;
+
              if (!SSL_CTX_load_verify_locations(SSL_context, fnbuf, NULL))
              {
                  char       *err = SSLerrmessage();
***************
*** 795,800 ****
--- 799,826 ----
                  return -1;
              }

+             if ((cvstore = SSL_CTX_get_cert_store(SSL_context)) != NULL)
+             {
+                 /* setting the flags to check against the complete CRL chain */
+                 if (X509_STORE_load_locations(cvstore, ROOT_CRL_FILE, NULL) != 0)
+ /* OpenSSL 0.96 does not support X509_V_FLAG_CRL_CHECK */
+ #ifdef X509_V_FLAG_CRL_CHECK
+                    X509_STORE_set_flags(cvstore,
+                                 X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
+                 /* if not found, silently ignore;  we do not require CRL */
+ #else
+                 {
+                     char       *err = SSLerrmessage();
+
+                     printfPQExpBuffer(&conn->errorMessage,
+                                       libpq_gettext("Installed SSL library does not support CRL certificates, file
\"%s\"\n"),
+                                       fnbuf);
+                     SSLerrfree(err);
+                     return -1;
+                 }
+ #endif
+             }
+
              SSL_CTX_set_verify(SSL_context, SSL_VERIFY_PEER, verify_cb);
          }
      }
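Review bot: X509_STORE_load_locations(cvstore, ROOT_CRL_FILE, NULL) passes the bare macro, so on Unix it opens ".postgresql/root.crl" relative to the process's current working directory rather than under the user's home directory, whereas ROOT_CERT_FILE just above is resolved through fnbuf with homedir. The CRL is therefore silently skipped unless the client happens to run from $HOME, and a root.crl in an unrelated working directory would be picked up instead. Build the path the same way before the call, e.g. `snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, ROOT_CRL_FILE);` (fnbuf is free at that point, root.crt has already been loaded), and pass fnbuf to X509_STORE_load_locations; that also corrects the #else error message, which currently prints fnbuf while it still holds the root.crt path. Separately, a root.crl that exists but cannot be parsed makes X509_STORE_load_locations return 0 and is then treated exactly like a missing file, so a corrupted CRL silently disables revocation checking; mirror the root.crt handling with a stat() on the CRL path and return an error when the file is present but fails to load, which matches the cover message's description of erroring when the file exists but cannot be processed.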

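One way to see what the new root.crl file buys the client, as an added example that is not part of the patch, of libpq or of PostgreSQL: the script below uses the openssl command-line tool (assumed to be installed) to build a throwaway CA, issue and then revoke a server certificate, and run the same checks libpq performs against root.crt and root.crl with the flags the patch sets (-crl_check_all is the CLI equivalent of X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL). The CA name demo-ca, the host name db.example and the temporary working directory are invented for the example; the last step exercises the corrupt-CRL case, where a file that exists but cannot be parsed is reported as an error rather than silently skipped.

```shell
#!/bin/sh
# Added example (not from the patch or PostgreSQL): reproduce libpq's root.crt /
# root.crl check with the openssl CLI. Names and paths are made up.

# Runs the whole demonstration inside $1; returns 0 if every expectation holds.
run_crl_demo() {
    work=$1

    # Throwaway CA: this is what a client would install as ~/.postgresql/root.crt.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-ca" \
        -keyout "$work/ca.key" -out "$work/root.crt" >/dev/null 2>&1 || return 1

    # Server certificate issued by that CA (hypothetical host db.example).
    openssl req -newkey rsa:2048 -nodes -subj "/CN=db.example" \
        -keyout "$work/server.key" -out "$work/server.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$work/server.csr" -CA "$work/root.crt" -CAkey "$work/ca.key" \
        -CAcreateserial -days 1 -out "$work/server.crt" >/dev/null 2>&1 || return 1

    # 1. With only root.crt present the chain verifies.
    openssl verify -CAfile "$work/root.crt" "$work/server.crt" >/dev/null 2>&1 || return 1

    # Minimal "openssl ca" configuration, enough to revoke and emit a CRL.
    cat > "$work/ca.cnf" <<EOF
[ ca ]
default_ca = demo
[ demo ]
database = $work/index.txt
crlnumber = $work/crlnumber
certificate = $work/root.crt
private_key = $work/ca.key
default_md = sha256
default_crl_days = 1
EOF
    : > "$work/index.txt"
    echo 01 > "$work/crlnumber"
    openssl ca -config "$work/ca.cnf" -revoke "$work/server.crt" >/dev/null 2>&1 || return 1
    openssl ca -config "$work/ca.cnf" -gencrl -out "$work/root.crl" >/dev/null 2>&1 || return 1

    # 2. With root.crl loaded and CRL_CHECK|CRL_CHECK_ALL in effect, the revoked
    #    server certificate must be rejected.
    openssl verify -crl_check_all -CAfile "$work/root.crt" -CRLfile "$work/root.crl" \
        "$work/server.crt" 2>&1 | grep -q "certificate revoked" || return 1

    # 3. A root.crl that exists but cannot be parsed is an error, not a silent
    #    skip: verification must fail rather than proceed without revocation data.
    echo "this is not a CRL" > "$work/garbage.crl"
    if openssl verify -crl_check_all -CAfile "$work/root.crt" -CRLfile "$work/garbage.crl" \
        "$work/server.crt" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Wrapper that owns the temporary directory and always cleans it up.
demo_crl_check() {
    work=$(mktemp -d) || return 1
    run_crl_demo "$work"
    status=$?
    rm -rf "$work"
    return $status
}

if demo_crl_check; then
    echo "revocation check behaves as expected"
else
    echo "demo failed (is openssl installed?)" >&2
fi
```

The three checks map onto the patch's behaviour: step 1 is the existing root.crt verification, step 2 is what the added X509_STORE_set_flags call enables, and step 3 is the case a client should treat as fatal, since a CRL that is present but unreadable would otherwise leave revoked server certificates accepted.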