aboutsummaryrefslogtreecommitdiff
path: root/src/interfaces/libpq/fe-secure.c
Commit message (Collapse)AuthorAge
...
* Don't require pqGetHomeDirectory to succeed if the user has specifiedMagnus Hagander2009-01-07
| | | | | | hardcoded paths for SSL rootcert/crl/clientcert/key. As noted by Andrew Chernow
* Update copyright for 2009.Bruce Momjian2009-01-01
|
* Support specifying filename for SSL certificate, key, root certificate storeMagnus Hagander2008-12-15
| | | | | | | | and certificate revokation list by using connection parameters or environment variables. Original patch by Mark Woodward, heavily reworked by Alvaro Herrera and Magnus Hagander.
* Comment said we don't free the lockarray, and why. The proper fix is toMagnus Hagander2008-12-04
| | | | make the code do what the comment says...
* Fix typo in recent SSL unload patch.Bruce Momjian2008-12-04
| | | | Kris Jurka
* Properly unregister OpenSSL callbacks when libpq is done withMagnus Hagander2008-12-03
| | | | | | | | | | | | | | it's connection. This is required for applications that unload the libpq library (such as PHP) in which case we'd otherwise have pointers to these functions when they no longer exist. This needs a bit more testing before we can consider a backpatch, so not doing that yet. In passing, remove unused functions in backend/libpq. Bruce Momjian and Magnus Hagander, per report and analysis by Russell Smith.
* Change wildcard cerfificate mapping to be much simler - we now only matchMagnus Hagander2008-12-02
| | | | | | | | the * character at the beginning of a pattern, and it does not match subdomains. Since this means we no longer need fnmatch, remove the imported implementation from port, along with the autoconf check for it.
* Disable FNM_CASEFOLD. Need a proper solution later, but just commentMagnus Hagander2008-11-24
| | | | it out for now so the buildfarm recovers.
* Add support for matching wildcard server certificates to the new SSL code.Magnus Hagander2008-11-24
| | | | | This uses the function fnmatch() which is not available on all platforms (notably Windows), so import the implementation from NetBSD into src/port.
* Fix libpq certificate validation for SSL connections.Magnus Hagander2008-11-13
| | | | | | | Add config parameter "sslverify" to control the verification. Default is to do full verification. Clean up some old SSL code that never really worked.
* Remove notes from the frontend SSL source that are incorrect orMagnus Hagander2008-10-24
| | | | end-user documentation that lives in the actual documentation.
* Implement error checking for pthreads calls in thread-safe mode. They reallyMagnus Hagander2008-05-16
| | | | | | | | | should always succeed, but in the likely event of a failure we would previously fall through *without locking* - the new code will exit(1). Printing the error message on stderr will not work for all applications, but it's better than nothing at all - and our API doesn't provide a way to return the error to the caller.
* Use error message wordings for permissions checks on .pgpass and SSL privateTom Lane2008-03-31
| | | | | | | | | | | | key files that are similar to the one for the postmaster's data directory permissions check. (I chose to standardize on that one since it's the most heavily used and presumably best-wordsmithed by now.) Also eliminate explicit tests on file ownership in these places, since the ensuing read attempt must fail anyway if it's wrong, and there seems no value in issuing the same error message for distinct problems. (But I left in the explicit ownership test in postmaster.c, since it had its own error message anyway.) Also be more specific in the documentation's descriptions of these checks. Per a gripe from Kevin Hunter.
* Rename a libpq NOT_USED SSL function toBruce Momjian2008-02-16
| | | | | | verify_peer_name_matches_certificate(), clarify some of the function's variables and logic, and update a comment. This should make SSL improvements easier in the future.
* Arrange to ignore SIGPIPE during SSL_read() and SSL_shutdown(), as theseTom Lane2008-01-29
| | | | | | | | | are known to write on the socket sometimes and thus we are vulnerable to being killed by the signal if the server happens to go away unexpectedly. Noticed while trying (futilely) to reproduce bug #3902. This bug has been there all along, but since the situation is usually only of interest to developers, I chose not to back-patch the changes.
* Update copyrights in source tree to 2008.Bruce Momjian2008-01-01
|
* pgindent run for 8.3.Bruce Momjian2007-11-15
|
* Minor improvements to hack for old OpenSSL libraries: avoid unusedTom Lane2007-10-03
| | | | variable warning on Windows, improve comment.
* Attempt to open certificate file "manually" using fopen beforeMagnus Hagander2007-10-03
| | | | | | | | trying BIO functions. Helps problem with older versions of OpenSSL that lacks error stack functions and would show an incorrect error message for file-not-found-or-not-openable. The problem may still exist for other errors, but file open error is by far the most common one.
* Fix a compiler warning on Win32. Hannes Eder.Neil Conway2007-10-02
|
* Cope with ERR_set_mark() and ERR_pop_to_mark() not existing in olderTom Lane2007-10-02
| | | | | | OpenSSL libraries --- just don't call them if they're not there. This might possibly lead to misleading error messages, but we'll just have to live with that.
* Use BIO functions to avoid passing FILE * pointers to OpenSSL functions.Magnus Hagander2007-10-01
| | | | | | | | This fixes potential crashes on old versions of OpenSSL and the requirement on "Applink" in new versions when building with MSVC and using different runtimes. Dave Page with fixes from me.
* Code review for SSLKEY patch.Tom Lane2007-02-16
|
* SSL improvements:Bruce Momjian2007-02-16
| | | | | | | | o read global SSL configuration file o add GUC "ssl_ciphers" to control allowed ciphers o add libpq environment variable PGSSLKEY to control SSL hardware keys Victor B. Wagner
* Normalize fgets() calls to use sizeof() for calculating the buffer sizePeter Eisentraut2007-02-08
| | | | | | | where possible, and fix some sites that apparently thought that fgets() will overwrite the buffer by one byte. Also add some strlcpy() to eliminate some weird memory handling.
* Squelch some VC++ compiler warnings. Mark float literals with the "f"Neil Conway2007-01-26
| | | | | | | suffix, to distinguish them from doubles. Make some function declarations and definitions use the "const" qualifier for arguments consistently. Ignore warning 4102 ("unreferenced label"), because such warnings are always emitted by bison-generated code. Patch from Magnus Hagander.
* Update CVS HEAD for 2007 copyright. Back branches are typically notBruce Momjian2007-01-05
| | | | back-stamped for this.
* Message style improvementsPeter Eisentraut2006-10-06
|
* pgindent run for 8.2.Bruce Momjian2006-10-04
|
* Remove separate strdup.h header file; it's redundant with port.h.Tom Lane2006-09-27
|
* Add missing gettext calls for some SSL errors.Peter Eisentraut2006-09-04
|
* Fix another passel of include-file breakage. Kris Jurka, Tom LaneTom Lane2006-07-14
|
* Remove 576 references of include files that were not needed.Bruce Momjian2006-07-14
|
* Revert part of recent include patch not ready for application.Bruce Momjian2006-07-14
|
* Add additional includes needed on some platforms.Bruce Momjian2006-07-14
|
* Fix typo in comment.Bruce Momjian2006-05-11
|
* Add SSL CRL support to libpq. Recently added to the backend.Bruce Momjian2006-05-06
|
* Tab alignment cleanup.Bruce Momjian2006-04-27
|
* Add underscores to SSL CERT macro names, for clarity and consistencyBruce Momjian2006-04-27
| | | | with be-secure.c.
* Change libpq's PQgetssl() to return a void*, rather than SSL *, so thatBruce Momjian2006-04-27
| | | | | | applications don't need the SSL headers. Martijn van Oosterhout
* Remove unused function SSL_CTX_set_tmp_dh_callback() from libpq:Bruce Momjian2006-04-27
| | | | | | | | | | | | | | | | | | | | | | | In the SSL code in libpq it does some processing with DH parameters: SSL_CTX_set_tmp_dh_callback() This function is marked as server use only[1], the client always uses the DH parameters in the server, so all the code in the client dealing with the DH parameters is useless. This patch removes it. It's not clear why the code was added in the first place, it's been there almost since the beginning[2]. At the time there was a suggestion of merging the front-end and backend SSL code, but looking at the changes since, that seems unlikely. As a further example, the s_server program allows you to specify DH params, but s_client doesn't. In the GnuTLS documentation under gnutls_dh_params_generate2() it says[3]: Also note that the DH parameters are only useful to servers. Since clients use the parameters sent by the server, it's of no use to call this in client side.
* Update copyright for 2006. Update scripts.Bruce Momjian2006-03-05
|
* Fix unportable usage of socklen_t: should use ACCEPT_TYPE_ARG3 macroTom Lane2006-01-24
| | | | provided by configure, instead. Per bug #2205.
* I have applied the following patch to document PQinitSSL() andBruce Momjian2005-10-24
| | | | | | | | | | | PQregisterThreadLock(). I also remove the crypt() mention in the libpq threading section and added a single sentence in the client-auth manual page under crypt(). Crypt authentication is so old now that a separate paragraph about it seemed unwise. I also added a comment about our use of locking around pqGetpwuid().
* Standard pgindent run for 8.1.Bruce Momjian2005-10-15
|
* Add comment about pthread_self() cast.Bruce Momjian2005-08-28
|
* The attached patch updates the thread test program to run stand-alone onBruce Momjian2005-08-23
| | | | | | | | Windows. The test itself is bypassed in configure as discussed, and libpq has been updated appropriately to allow it to build in thread-safe mode. Dave Page
* Back out incorrect commit.Bruce Momjian2005-08-23
|
* Fix function name.Bruce Momjian2005-08-23
|
* Comment out check for substitution of private key file on Windows,Tom Lane2005-01-10
| | | | since st_ino can't be trusted on that platform. Per report from T.J.
generated by cgit v1.2.3 (git 2.25.1) at 2025-06-02 11:03:16 +0000