Add SSL CRL support to libpq. Recently added to the backend.

diff --git a/src/backend/libpq/be-secure.c b/src/backend/libpq/be-secure.c
index 75e3240f9122986d9d7e4d3d9f9e03252e7d95ee..8a4def4e11add3b5ebb19d0b0362d3073aee19f4 100644 (file)
--- a/src/backend/libpq/be-secure.c
+++ b/src/backend/libpq/be-secure.c
@@ -11,7 +11,7 @@
  *
  *
  * IDENTIFICATION
- *   $PostgreSQL: pgsql/src/backend/libpq/be-secure.c,v 1.68 2006/05/06 01:31:38 momjian Exp $
+ *   $PostgreSQL: pgsql/src/backend/libpq/be-secure.c,v 1.69 2006/05/06 02:24:39 momjian Exp $
  *
  *   Since the server static private key ($DataDir/server.key)
  *   will normally be stored unencrypted so that the database
@@ -803,7 +803,7 @@ initialize_SSL(void)
 
        if (cvstore)
        {
-          /* Set the flags to check against the complete CRL chain */
+           /* Set the flags to check against the complete CRL chain */
            if (X509_STORE_load_locations(cvstore, ROOT_CRL_FILE, NULL) != 0)
 /* OpenSSL 0.96 does not support X509_V_FLAG_CRL_CHECK */
 #ifdef X509_V_FLAG_CRL_CHECK

diff --git a/src/interfaces/libpq/fe-secure.c b/src/interfaces/libpq/fe-secure.c
index ed6ecdd50858ddaf410320d983dd4dcb35f777a1..cd0ac14da5edd2a815cf37a0a9984791afba3e12 100644 (file)
--- a/src/interfaces/libpq/fe-secure.c
+++ b/src/interfaces/libpq/fe-secure.c
@@ -11,7 +11,7 @@
  *
  *
  * IDENTIFICATION
- *   $PostgreSQL: pgsql/src/interfaces/libpq/fe-secure.c,v 1.79 2006/04/27 14:02:36 momjian Exp $
+ *   $PostgreSQL: pgsql/src/interfaces/libpq/fe-secure.c,v 1.80 2006/05/06 02:24:39 momjian Exp $
  *
  * NOTES
  *   [ Most of these notes are wrong/obsolete, but perhaps not all ]
@@ -125,11 +125,13 @@
 #define USER_CERT_FILE     ".postgresql/postgresql.crt"
 #define USER_KEY_FILE      ".postgresql/postgresql.key"
 #define ROOT_CERT_FILE     ".postgresql/root.crt"
+#define ROOT_CRL_FILE      ".postgresql/root.crl"
 #else
 /* On Windows, the "home" directory is already PostgreSQL-specific */
 #define USER_CERT_FILE     "postgresql.crt"
 #define USER_KEY_FILE      "postgresql.key"
 #define ROOT_CERT_FILE     "root.crt"
+#define ROOT_CRL_FILE      "root.crl"
 #endif
 
 #ifdef NOT_USED
@@ -784,6 +786,8 @@ initialize_SSL(PGconn *conn)
        snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, ROOT_CERT_FILE);
        if (stat(fnbuf, &buf) == 0)
        {
+           X509_STORE *cvstore;
+           
            if (!SSL_CTX_load_verify_locations(SSL_context, fnbuf, NULL))
            {
                char       *err = SSLerrmessage();
@@ -795,6 +799,28 @@ initialize_SSL(PGconn *conn)
                return -1;
            }
 
+           if ((cvstore = SSL_CTX_get_cert_store(SSL_context)) != NULL)
+           {
+               /* setting the flags to check against the complete CRL chain */
+               if (X509_STORE_load_locations(cvstore, ROOT_CRL_FILE, NULL) != 0)
+/* OpenSSL 0.96 does not support X509_V_FLAG_CRL_CHECK */
+#ifdef X509_V_FLAG_CRL_CHECK
+                  X509_STORE_set_flags(cvstore,
+                               X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
+               /* if not found, silently ignore;  we do not require CRL */
+#else
+               {
+                   char       *err = SSLerrmessage();
+   
+                   printfPQExpBuffer(&conn->errorMessage,
+                                     libpq_gettext("Installed SSL library does not support CRL certificates, file \"%s\"\n"),
+                                     fnbuf);
+                   SSLerrfree(err);
+                   return -1;
+               }
+#endif
+           }
+   
            SSL_CTX_set_verify(SSL_context, SSL_VERIFY_PEER, verify_cb);
        }
    }