Yet another SSL patch. :-) This one adds some informational messages
on the server, if DebugLvl >= 2. The patch also includes a late addition to the last patch (X509_check_private_key()). I'm not sure why the current revision wasn't tagged. Bear Giles
This commit is contained in:
parent
eb7afc1407
commit
1ed4a922b8
|
@ -11,7 +11,7 @@
|
||||||
*
|
*
|
||||||
*
|
*
|
||||||
* IDENTIFICATION
|
* IDENTIFICATION
|
||||||
* $Header: /cvsroot/pgsql/src/backend/libpq/be-secure.c,v 1.5 2002/06/14 04:36:58 momjian Exp $
|
* $Header: /cvsroot/pgsql/src/backend/libpq/be-secure.c,v 1.6 2002/06/14 04:38:04 momjian Exp $
|
||||||
*
|
*
|
||||||
* Since the server static private key ($DataDir/server.key)
|
* Since the server static private key ($DataDir/server.key)
|
||||||
* will normally be stored unencrypted so that the database
|
* will normally be stored unencrypted so that the database
|
||||||
|
@ -65,7 +65,7 @@
|
||||||
* [*] server verifies client certificates
|
* [*] server verifies client certificates
|
||||||
*
|
*
|
||||||
* milestone 5: provide informational callbacks
|
* milestone 5: provide informational callbacks
|
||||||
* [ ] provide informational callbacks
|
* [*] provide informational callbacks
|
||||||
*
|
*
|
||||||
* other changes
|
* other changes
|
||||||
* [ ] tcp-wrappers
|
* [ ] tcp-wrappers
|
||||||
|
@ -125,6 +125,7 @@ static DH *load_dh_file(int keylength);
|
||||||
static DH *load_dh_buffer(const char *, size_t);
|
static DH *load_dh_buffer(const char *, size_t);
|
||||||
static DH *tmp_dh_cb(SSL *s, int is_export, int keylength);
|
static DH *tmp_dh_cb(SSL *s, int is_export, int keylength);
|
||||||
static int verify_cb(int, X509_STORE_CTX *);
|
static int verify_cb(int, X509_STORE_CTX *);
|
||||||
|
static void info_cb(SSL *ssl, int type, int args);
|
||||||
static int initialize_SSL(void);
|
static int initialize_SSL(void);
|
||||||
static void destroy_SSL(void);
|
static void destroy_SSL(void);
|
||||||
static int open_server_SSL(Port *);
|
static int open_server_SSL(Port *);
|
||||||
|
@ -539,6 +540,45 @@ verify_cb (int ok, X509_STORE_CTX *ctx)
|
||||||
return ok;
|
return ok;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* This callback is used to copy SSL information messages
|
||||||
|
* into the PostgreSQL log.
|
||||||
|
*/
|
||||||
|
static void
|
||||||
|
info_cb (SSL *ssl, int type, int args)
|
||||||
|
{
|
||||||
|
if (DebugLvl < 2)
|
||||||
|
return;
|
||||||
|
|
||||||
|
switch (type)
|
||||||
|
{
|
||||||
|
case SSL_CB_HANDSHAKE_START:
|
||||||
|
elog(DEBUG, "SSL: handshake start");
|
||||||
|
break;
|
||||||
|
case SSL_CB_HANDSHAKE_DONE:
|
||||||
|
elog(DEBUG, "SSL: handshake done");
|
||||||
|
break;
|
||||||
|
case SSL_CB_ACCEPT_LOOP:
|
||||||
|
if (DebugLvl >= 3)
|
||||||
|
elog(DEBUG, "SSL: accept loop");
|
||||||
|
break;
|
||||||
|
case SSL_CB_ACCEPT_EXIT:
|
||||||
|
elog(DEBUG, "SSL: accept exit (%d)", args);
|
||||||
|
break;
|
||||||
|
case SSL_CB_CONNECT_LOOP:
|
||||||
|
elog(DEBUG, "SSL: connect loop");
|
||||||
|
break;
|
||||||
|
case SSL_CB_CONNECT_EXIT:
|
||||||
|
elog(DEBUG, "SSL: connect exit (%d)", args);
|
||||||
|
break;
|
||||||
|
case SSL_CB_READ_ALERT:
|
||||||
|
elog(DEBUG, "SSL: read alert (0x%04x)", args);
|
||||||
|
break;
|
||||||
|
case SSL_CB_WRITE_ALERT:
|
||||||
|
elog(DEBUG, "SSL: write alert (0x%04x)", args);
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Initialize global SSL context.
|
* Initialize global SSL context.
|
||||||
|
@ -663,6 +703,9 @@ open_server_SSL (Port *port)
|
||||||
}
|
}
|
||||||
elog(DEBUG, "secure connection from '%s'", port->peer_cn);
|
elog(DEBUG, "secure connection from '%s'", port->peer_cn);
|
||||||
|
|
||||||
|
/* set up debugging/info callback */
|
||||||
|
SSL_CTX_set_info_callback(SSL_context, info_cb);
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
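Review bot: `SSL_CTX_set_info_callback(SSL_context, info_cb);` in open_server_SSL is executed after the `secure connection from '%s'` message, so that connection's handshake has already completed by the time the callback exists and its handshake-start/done and alert events are never logged; every later connection then re-registers the same callback on the global context. Since the callback is context-wide, install it once in initialize_SSL() (`Initialize global SSL context`, whose body lies outside the hunk) and drop the two added lines from open_server_SSL. In info_cb the `switch` has no `default:`; add `default: break;` so unexpected `type` values are explicitly ignored rather than silently falling out of the switch. For the two alert cases the raw `0x%04x` is hard to read in an incident log; `SSL_alert_type_string_long(args)` and `SSL_alert_desc_string_long(args)` give the level and description names, e.g. `elog(DEBUG, "SSL: read alert (0x%04x): %s %s", args, SSL_alert_type_string_long(args), SSL_alert_desc_string_long(args));`.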
@ -11,7 +11,7 @@
|
||||||
*
|
*
|
||||||
*
|
*
|
||||||
* IDENTIFICATION
|
* IDENTIFICATION
|
||||||
* $Header: /cvsroot/pgsql/src/interfaces/libpq/fe-secure.c,v 1.3 2002/06/14 04:36:58 momjian Exp $
|
* $Header: /cvsroot/pgsql/src/interfaces/libpq/fe-secure.c,v 1.4 2002/06/14 04:38:04 momjian Exp $
|
||||||
*
|
*
|
||||||
* NOTES
|
* NOTES
|
||||||
* The client *requires* a valid server certificate. Since
|
* The client *requires* a valid server certificate. Since
|
||||||
|
@ -66,6 +66,12 @@
|
||||||
* $HOME/.postgresql/postgresql.key
|
* $HOME/.postgresql/postgresql.key
|
||||||
* respectively.
|
* respectively.
|
||||||
*
|
*
|
||||||
|
* ...
|
||||||
|
*
|
||||||
|
* We don't provide informational callbacks here (like
|
||||||
|
* info_cb() in be-secure.c), since there's mechanism to
|
||||||
|
* display that information to the client.
|
||||||
|
*
|
||||||
* OS DEPENDENCIES
|
* OS DEPENDENCIES
|
||||||
* The code currently assumes a POSIX password entry. How should
|
* The code currently assumes a POSIX password entry. How should
|
||||||
* Windows and Mac users be handled?
|
* Windows and Mac users be handled?
|
||||||
|
@ -88,7 +94,7 @@
|
||||||
* [*] server verifies client certificates
|
* [*] server verifies client certificates
|
||||||
*
|
*
|
||||||
* milestone 5: provide informational callbacks
|
* milestone 5: provide informational callbacks
|
||||||
* [ ] provide informational callbacks
|
* [*] provide informational callbacks
|
||||||
*
|
*
|
||||||
* other changes
|
* other changes
|
||||||
* [ ] tcp-wrappers
|
* [ ] tcp-wrappers
|
||||||
|
@ -721,6 +727,17 @@ client_cert_cb (SSL *ssl, X509 **x509, EVP_PKEY **pkey)
|
||||||
}
|
}
|
||||||
fclose(fp);
|
fclose(fp);
|
||||||
|
|
||||||
|
/* verify that the cert and key go together */
|
||||||
|
if (!X509_check_private_key(*x509, *pkey))
|
||||||
|
{
|
||||||
|
printfPQExpBuffer(&conn->errorMessage,
|
||||||
|
libpq_gettext("certificate/private key mismatch (%s): %s\n"),
|
||||||
|
fnbuf, SSLerrmessage());
|
||||||
|
X509_free(*x509);
|
||||||
|
EVP_PKEY_free(*pkey);
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
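Review bot: In the new mismatch branch of client_cert_cb, `X509_free(*x509);` and `EVP_PKEY_free(*pkey);` leave the caller's out-parameters pointing at freed objects; add `*x509 = NULL;` and `*pkey = NULL;` after the frees so a caller that inspects them on the -1 return cannot double-free or dereference the stale pointers. The check itself sits in the right place, after both objects are loaded and the key file is closed. The body of client_cert_cb starts outside the hunk, so whether the earlier error paths already reset the pointers is not visible here. Separately, the new header comment in the `@ -66,6 +66,12 @@` hunk reads `since there's mechanism to display that information to the client` and appears to be missing a `no`.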