*
*
* IDENTIFICATION
- * $PostgreSQL: pgsql/src/backend/libpq/be-secure.c,v 1.100 2010/05/26 15:52:37 tgl Exp $
+ * $PostgreSQL: pgsql/src/backend/libpq/be-secure.c,v 1.101 2010/05/26 16:15:57 tgl Exp $
*
* Since the server static private key ($DataDir/server.key)
* will normally be stored unencrypted so that the database
* backend can restart automatically, it is important that
* we select an algorithm that continues to provide confidentiality
- * even if the attacker has the server's private key. Empheral
+ * even if the attacker has the server's private key. Ephemeral
* DH (EDH) keys provide this, and in fact provide Perfect Forward
* Secrecy (PFS) except for situations where the session can
* be hijacked during a periodic handshake/renegotiation.
/* ------------------------------------------------------------ */
/*
- * Hardcoded DH parameters, used in empheral DH keying.
+ * Hardcoded DH parameters, used in ephemeral DH keying.
* As discussed above, EDH protects the confidentiality of
* sessions even if the static private key is compromised,
* so we are *highly* motivated to ensure that we can use
* directly so it gets passed through the socket/signals layer on Win32.
*
* They are closely modelled on the original socket implementations in OpenSSL.
- *
*/
static bool my_bio_initialized = false;
* to verify that the DBA-generated DH parameters file contains
* what we expect it to contain.
*/
-static DH *
+static DH *
load_dh_file(int keylength)
{
FILE *fp;
* To prevent problems if the DH parameters files don't even
* exist, we can load DH parameters hardcoded into this file.
*/
-static DH *
+static DH *
load_dh_buffer(const char *buffer, size_t len)
{
BIO *bio;
}
/*
- * Generate an empheral DH key. Because this can take a long
+ * Generate an ephemeral DH key. Because this can take a long
* time to compute, we can use precomputed parameters of the
* common key sizes.
*
* the OpenSSL library can efficiently generate random keys from
* the information provided.
*/
-static DH *
+static DH *
tmp_dh_cb(SSL *s, int is_export, int keylength)
{
DH *r = NULL;
SSLerrmessage())));
/*
- * Load and verify certificate and private key
+ * Load and verify server's certificate and private key
*/
if (SSL_CTX_use_certificate_chain_file(SSL_context,
SERVER_CERT_FILE) != 1)
SSLerrmessage())));
}
- /* set up empheral DH keys */
+ /* set up ephemeral DH keys, and disallow SSL v2 while at it */
SSL_CTX_set_tmp_dh_callback(SSL_context, tmp_dh_cb);
SSL_CTX_set_options(SSL_context, SSL_OP_SINGLE_DH_USE | SSL_OP_NO_SSLv2);
- /* setup the allowed cipher list */
+ /* set up the allowed cipher list */
if (SSL_CTX_set_cipher_list(SSL_context, SSLCipherSuites) != 1)
elog(FATAL, "could not set the cipher list (no valid ciphers available)");
* Attempt to load CA store, so we can verify client certificates if
* needed.
*/
- if (access(ROOT_CERT_FILE, R_OK))
- {
- ssl_loaded_verify_locations = false;
+ ssl_loaded_verify_locations = false;
+ if (access(ROOT_CERT_FILE, R_OK) != 0)
+ {
/*
- * If root certificate file simply not found. Don't log an error here,
+ * If root certificate file simply not found, don't log an error here,
* because it's quite likely the user isn't planning on using client
* certificates. If we can't access it for other reasons, it is an
* error.
*/
if (errno != ENOENT)
- {
ereport(FATAL,
(errmsg("could not access root certificate file \"%s\": %m",
ROOT_CERT_FILE)));
- }
}
else if (SSL_CTX_load_verify_locations(SSL_context, ROOT_CERT_FILE, NULL) != 1 ||
(root_cert_list = SSL_load_client_CA_file(ROOT_CERT_FILE)) == NULL)
{
/*
* File was there, but we could not load it. This means the file is
- * somehow broken, and we cannot do verification at all - so abort
- * here.
+ * somehow broken, and we cannot do verification at all - so fail.
*/
- ssl_loaded_verify_locations = false;
ereport(FATAL,
(errmsg("could not load root certificate file \"%s\": %s",
ROOT_CERT_FILE, SSLerrmessage())));
}
else
{
- /*
- * Check the Certificate Revocation List (CRL) if file exists.
- * http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci803160,
- * 00.html
+ /*----------
+ * Load the Certificate Revocation List (CRL) if file exists.
+ * http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci803160,00.html
+ *----------
*/
X509_STORE *cvstore = SSL_CTX_get_cert_store(SSL_context);
{
/* Set the flags to check against the complete CRL chain */
if (X509_STORE_load_locations(cvstore, ROOT_CRL_FILE, NULL) == 1)
-/* OpenSSL 0.96 does not support X509_V_FLAG_CRL_CHECK */
+ {
+ /* OpenSSL 0.96 does not support X509_V_FLAG_CRL_CHECK */
#ifdef X509_V_FLAG_CRL_CHECK
X509_STORE_set_flags(cvstore,
X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
ROOT_CRL_FILE),
errdetail("SSL library does not support certificate revocation lists.")));
#endif
+ }
else
{
/* Not fatal - we do not require CRL */
/*
* Always ask for SSL client cert, but don't fail if it's not
- * presented. We'll fail later in this case, based on what we find
- * in pg_hba.conf.
+ * presented. We might fail such connections later, depending on
+ * what we find in pg_hba.conf.
*/
SSL_CTX_set_verify(SSL_context,
(SSL_VERIFY_PEER |
SSL_VERIFY_CLIENT_ONCE),
verify_cb);
+ /* Set flag to remember CA store is successfully loaded */
ssl_loaded_verify_locations = true;
}
projects / postgresql.git / commitdiff