diff options
| author | Bruce Momjian <bruce@momjian.us> | 2002-06-14 04:38:04 +0000 |
|---|---|---|
| committer | Bruce Momjian <bruce@momjian.us> | 2002-06-14 04:38:04 +0000 |
| commit | 1ed4a922b823ecd0784aa2755bc68783050734f6 (patch) | |
| tree | 9c77dbb7d59188909ac75650e98b3e66286eb4dc /src | |
| parent | eb7afc1407680a10be05ba18865051b539d434f2 (diff) | |
| download | postgresql-1ed4a922b823ecd0784aa2755bc68783050734f6.tar.gz postgresql-1ed4a922b823ecd0784aa2755bc68783050734f6.zip | |
Yet another SSL patch. :-) This one adds some informational messages
on the server, if DebugLvl >= 2.
The patch also includes a late addition to the last patch
(X509_check_private_key()). I'm not sure why it the currect
revision wasn't tagged.
Bear Giles
Diffstat (limited to 'src')
| -rw-r--r-- | src/backend/libpq/be-secure.c | 47 | ||||
| -rw-r--r-- | src/interfaces/libpq/fe-secure.c | 21 |
2 files changed, 64 insertions, 4 deletions
diff --git a/src/backend/libpq/be-secure.c b/src/backend/libpq/be-secure.c index fab5e99aa9a..66f36a3b27b 100644 --- a/src/backend/libpq/be-secure.c +++ b/src/backend/libpq/be-secure.c @@ -11,7 +11,7 @@ * * * IDENTIFICATION - * $Header: /cvsroot/pgsql/src/backend/libpq/be-secure.c,v 1.5 2002/06/14 04:36:58 momjian Exp $ + * $Header: /cvsroot/pgsql/src/backend/libpq/be-secure.c,v 1.6 2002/06/14 04:38:04 momjian Exp $ * * Since the server static private key ($DataDir/server.key) * will normally be stored unencrypted so that the database @@ -65,7 +65,7 @@ * [*] server verifies client certificates * * milestone 5: provide informational callbacks - * [ ] provide informational callbacks + * [*] provide informational callbacks * * other changes * [ ] tcp-wrappers @@ -125,6 +125,7 @@ static DH *load_dh_file(int keylength); static DH *load_dh_buffer(const char *, size_t); static DH *tmp_dh_cb(SSL *s, int is_export, int keylength); static int verify_cb(int, X509_STORE_CTX *); +static void info_cb(SSL *ssl, int type, int args); static int initialize_SSL(void); static void destroy_SSL(void); static int open_server_SSL(Port *); @@ -539,6 +540,45 @@ verify_cb (int ok, X509_STORE_CTX *ctx) return ok; } +/* + * This callback is used to copy SSL information messages + * into the PostgreSQL log. + */ +static void +info_cb (SSL *ssl, int type, int args) +{ + if (DebugLvl < 2) + return; + + switch (type) + { + case SSL_CB_HANDSHAKE_START: + elog(DEBUG, "SSL: handshake start"); + break; + case SSL_CB_HANDSHAKE_DONE: + elog(DEBUG, "SSL: handshake done"); + break; + case SSL_CB_ACCEPT_LOOP: + if (DebugLvl >= 3) + elog(DEBUG, "SSL: accept loop"); + break; + case SSL_CB_ACCEPT_EXIT: + elog(DEBUG, "SSL: accept exit (%d)", args); + break; + case SSL_CB_CONNECT_LOOP: + elog(DEBUG, "SSL: connect loop"); + break; + case SSL_CB_CONNECT_EXIT: + elog(DEBUG, "SSL: connect exit (%d)", args); + break; + case SSL_CB_READ_ALERT: + elog(DEBUG, "SSL: read alert (0x%04x)", args); + break; + case SSL_CB_WRITE_ALERT: + elog(DEBUG, "SSL: write alert (0x%04x)", args); + break; + } +} /* * Initialize global SSL context. @@ -663,6 +703,9 @@ open_server_SSL (Port *port) } elog(DEBUG, "secure connection from '%s'", port->peer_cn); + /* set up debugging/info callback */ + SSL_CTX_set_info_callback(SSL_context, info_cb); + return 0; } diff --git a/src/interfaces/libpq/fe-secure.c b/src/interfaces/libpq/fe-secure.c index 3240be892e0..26dcb438845 100644 --- a/src/interfaces/libpq/fe-secure.c +++ b/src/interfaces/libpq/fe-secure.c @@ -11,7 +11,7 @@ * * * IDENTIFICATION - * $Header: /cvsroot/pgsql/src/interfaces/libpq/fe-secure.c,v 1.3 2002/06/14 04:36:58 momjian Exp $ + * $Header: /cvsroot/pgsql/src/interfaces/libpq/fe-secure.c,v 1.4 2002/06/14 04:38:04 momjian Exp $ * * NOTES * The client *requires* a valid server certificate. Since @@ -66,6 +66,12 @@ * $HOME/.postgresql/postgresql.key * respectively. * + * ... + * + * We don't provide informational callbacks here (like + * info_cb() in be-secure.c), since there's mechanism to + * display that information to the client. + * * OS DEPENDENCIES * The code currently assumes a POSIX password entry. How should * Windows and Mac users be handled? @@ -88,7 +94,7 @@ * [*] server verifies client certificates * * milestone 5: provide informational callbacks - * [ ] provide informational callbacks + * [*] provide informational callbacks * * other changes * [ ] tcp-wrappers @@ -721,6 +727,17 @@ client_cert_cb (SSL *ssl, X509 **x509, EVP_PKEY **pkey) } fclose(fp); + /* verify that the cert and key go together */ + if (!X509_check_private_key(*x509, *pkey)) + { + printfPQExpBuffer(&conn->errorMessage, + libpq_gettext("certificate/private key mismatch (%s): %s\n"), + fnbuf, SSLerrmessage()); + X509_free(*x509); + EVP_PKEY_free(*pkey); + return -1; + } + return 1; } |