[PATCHES] SSL client configuration patch

pgsql Thu, 15 May 2008 11:58:11 -0700

This patch adds the ability to specify client certification and keys as
well as root certificates and revocation lists for the client as
parameters in PQconnectdb()


sslkey=fullepath_to_file
sslcert=fullpath_to_cert
ssltrustcrt=fullpath_to_trusted_cert_file
sslcrl=fullpath_to_revocation_list

Also, it fixes a but in client revocation lists that were never looking in
the application directory.

diff -u -r postgresql-8.2.7/src/interfaces/libpq/fe-connect.c postgresql-8.2.7-ssl/src/interfaces/libpq/fe-connect.c
--- postgresql-8.2.7/src/interfaces/libpq/fe-connect.c	2007-10-09 11:03:31.000000000 -0400
+++ postgresql-8.2.7-ssl/src/interfaces/libpq/fe-connect.c	2008-05-15 14:38:00.550668436 -0400
@@ -181,6 +181,18 @@
 	{"sslmode", "PGSSLMODE", DefaultSSLMode, NULL,
 	"SSL-Mode", "", 8},			/* sizeof("disable") == 8 */
 
+	{"sslcert", "PGSSLCERT", NULL, NULL,
+	"SSL-Client-Cert", "", 64},
+
+	{"sslkey", "PGSSLKEY", NULL, NULL,
+	"SSL-Client-Key", "", 64},
+
+	{"ssltrustcrt", "PGSSLKEY", NULL, NULL,
+	"SSL-Trusted-Keys", "", 64},
+
+	{"sslcrl", "PGSSLKEY", NULL, NULL,
+	"SSL-Revocation-List", "", 64},
+
 #ifdef KRB5
 	/* Kerberos authentication supports specifying the service name */
 	{"krbsrvname", "PGKRBSRVNAME", PG_KRB_SRVNAM, NULL,
@@ -402,7 +414,17 @@
 	conn->connect_timeout = tmp ? strdup(tmp) : NULL;
 	tmp = conninfo_getval(connOptions, "sslmode");
 	conn->sslmode = tmp ? strdup(tmp) : NULL;
+	tmp = conninfo_getval(connOptions, "sslkey");
+	conn->sslkey = tmp ? strdup(tmp) : NULL;
+	tmp = conninfo_getval(connOptions, "sslcert");
+	conn->sslcert = tmp ? strdup(tmp) : NULL;
+	tmp = conninfo_getval(connOptions, "ssltrustcrt");
+	conn->ssltrustcrt = tmp ? strdup(tmp) : NULL;
+	tmp = conninfo_getval(connOptions, "sslcrl");
+	conn->sslcrl = tmp ? strdup(tmp) : NULL;
+	
 #ifdef USE_SSL
+
 	tmp = conninfo_getval(connOptions, "requiressl");
 	if (tmp && tmp[0] == '1')
 	{
diff -u -r postgresql-8.2.7/src/interfaces/libpq/fe-secure.c postgresql-8.2.7-ssl/src/interfaces/libpq/fe-secure.c
--- postgresql-8.2.7/src/interfaces/libpq/fe-secure.c	2006-10-06 13:14:01.000000000 -0400
+++ postgresql-8.2.7-ssl/src/interfaces/libpq/fe-secure.c	2008-05-15 14:48:56.244034272 -0400
@@ -586,7 +586,10 @@
 	}
 
 	/* read the user certificate */
-	snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, USER_CERT_FILE);
+	if(conn->sslcert)
+		strncpy(fnbuf, conn->sslcert, sizeof(fnbuf));
+	else
+		snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, USER_CERT_FILE);
 	if ((fp = fopen(fnbuf, "r")) == NULL)
 	{
 		printfPQExpBuffer(&conn->errorMessage,
@@ -608,7 +611,10 @@
 	fclose(fp);
 
 	/* read the user key */
-	snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, USER_KEY_FILE);
+	if(conn->sslcert)
+		strncpy(fnbuf, conn->sslkey, sizeof(fnbuf));
+	else
+		snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, USER_KEY_FILE);
 	if (stat(fnbuf, &buf) == -1)
 	{
 		printfPQExpBuffer(&conn->errorMessage,
@@ -740,6 +746,9 @@
 		{
 			SSL_library_init();
 			SSL_load_error_strings();
+                	ERR_load_BIO_strings ();
+                	ERR_load_SSL_strings();
+			OpenSSL_add_all_algorithms ();
 		}
 		SSL_context = SSL_CTX_new(TLSv1_method());
 		if (!SSL_context)
@@ -778,7 +787,10 @@
 	/* Set up to verify server cert, if root.crt is present */
 	if (pqGetHomeDirectory(homedir, sizeof(homedir)))
 	{
-		snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, ROOT_CERT_FILE);
+		if(conn->ssltrustcrt)
+			strncpy(fnbuf, conn->ssltrustcrt, sizeof(fnbuf));
+		else
+			snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, ROOT_CERT_FILE);
 		if (stat(fnbuf, &buf) == 0)
 		{
 			X509_STORE *cvstore;
@@ -796,8 +808,12 @@
 
 			if ((cvstore = SSL_CTX_get_cert_store(SSL_context)) != NULL)
 			{
+				if(conn->sslcrl)
+					strncpy(fnbuf, conn->sslcrl, sizeof(fnbuf));
+				else
+					snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, ROOT_CRL_FILE);
 				/* setting the flags to check against the complete CRL chain */
-				if (X509_STORE_load_locations(cvstore, ROOT_CRL_FILE, NULL) != 0)
+				if (X509_STORE_load_locations(cvstore, fnbuf, NULL) != 0)
 /* OpenSSL 0.96 does not support X509_V_FLAG_CRL_CHECK */
 #ifdef X509_V_FLAG_CRL_CHECK
 					X509_STORE_set_flags(cvstore,
diff -u -r postgresql-8.2.7/src/interfaces/libpq/libpq-int.h postgresql-8.2.7-ssl/src/interfaces/libpq/libpq-int.h
--- postgresql-8.2.7/src/interfaces/libpq/libpq-int.h	2007-07-23 14:13:10.000000000 -0400
+++ postgresql-8.2.7-ssl/src/interfaces/libpq/libpq-int.h	2008-05-15 14:05:07.614237197 -0400
@@ -271,6 +271,10 @@
 	char	   *pguser;			/* Postgres username and password, if any */
 	char	   *pgpass;
 	char	   *sslmode;		/* SSL mode (require,prefer,allow,disable) */
+	char       *sslkey;	/* ssl key file filename for call back */
+	char	   *sslcert;	/* ssl certificate filename for call back */
+	char	   *ssltrustcrt; /* Trusted certificuits */
+	char 	   *sslcrl;	/* certificates revoked by certificate authorities */
 #ifdef KRB5
 	char	   *krbsrvname;		/* Kerberos service name */
 #endif
diff -u -r postgresql-8.2.7/src/interfaces/libpq/libpq.rc postgresql-8.2.7-ssl/src/interfaces/libpq/libpq.rc
--- postgresql-8.2.7/src/interfaces/libpq/libpq.rc	2008-03-14 22:52:42.000000000 -0400
+++ postgresql-8.2.7-ssl/src/interfaces/libpq/libpq.rc	2008-05-15 14:51:41.529453351 -0400
@@ -1,8 +1,8 @@
 #include <winver.h>
 
 VS_VERSION_INFO VERSIONINFO
- FILEVERSION 8,2,7,8074
- PRODUCTVERSION 8,2,7,8074
+ FILEVERSION 8,2,7,8136
+ PRODUCTVERSION 8,2,7,8136
  FILEFLAGSMASK 0x3fL
  FILEFLAGS 0
  FILEOS VOS__WINDOWS32

-- 
Sent via pgsql-patches mailing list (pgsql-patches@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-patches

[PATCHES] SSL client configuration patch

Reply via email to