Commit069ad5f

committed
Add SSL CRL support to libpq. Recently added to the backend.
1 parent3ecfdce commit069ad5f


2 files changed

+29
-3
lines changed

2 files changed

+29
-3
lines changed

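--- a/src/backend/libpq/be-secure.c
+++ b/src/backend/libpq/be-secure.c
@@ -11,7 +11,7 @@
  *
  *
  * IDENTIFICATION
- * $PostgreSQL: pgsql/src/backend/libpq/be-secure.c,v 1.68 2006/05/0601:31:38 momjian Exp $
+ * $PostgreSQL: pgsql/src/backend/libpq/be-secure.c,v 1.69 2006/05/0602:24:39 momjian Exp $
  *
  * Since the server static private key ($DataDir/server.key)
  * will normally be stored unencrypted so that the database
@@ -803,7 +803,7 @@ initialize_SSL(void)
 
 if (cvstore)
 {
-/* Set the flags to check against the complete CRL chain */
+/* Set the flags to check against the complete CRL chain */
 if (X509_STORE_load_locations(cvstore,ROOT_CRL_FILE,NULL)!=0)
 /* OpenSSL 0.96 does not support X509_V_FLAG_CRL_CHECK */
 #ifdefX509_V_FLAG_CRL_CHECK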

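--- a/src/interfaces/libpq/fe-secure.c
+++ b/src/interfaces/libpq/fe-secure.c
@@ -11,7 +11,7 @@
  *
  *
  * IDENTIFICATION
- * $PostgreSQL: pgsql/src/interfaces/libpq/fe-secure.c,v 1.79 2006/04/27 14:02:36 momjian Exp $
+ * $PostgreSQL: pgsql/src/interfaces/libpq/fe-secure.c,v 1.80 2006/05/0602:24:39 momjian Exp $
  *
  * NOTES
  * [ Most of these notes are wrong/obsolete, but perhaps not all ]
@@ -125,11 +125,13 @@
 #defineUSER_CERT_FILE".postgresql/postgresql.crt"
 #defineUSER_KEY_FILE".postgresql/postgresql.key"
 #defineROOT_CERT_FILE".postgresql/root.crt"
+#defineROOT_CRL_FILE".postgresql/root.crl"
 #else
 /* On Windows, the "home" directory is already PostgreSQL-specific */
 #defineUSER_CERT_FILE"postgresql.crt"
 #defineUSER_KEY_FILE"postgresql.key"
 #defineROOT_CERT_FILE"root.crt"
+#defineROOT_CRL_FILE"root.crl"
 #endif
 
 #ifdefNOT_USED
@@ -784,6 +786,8 @@ initialize_SSL(PGconn *conn)
 snprintf(fnbuf,sizeof(fnbuf),"%s/%s",homedir,ROOT_CERT_FILE);
 if (stat(fnbuf,&buf)==0)
 {
+X509_STORE*cvstore;
+
 if (!SSL_CTX_load_verify_locations(SSL_context,fnbuf,NULL))
 {
 char*err=SSLerrmessage();
@@ -795,6 +799,28 @@ initialize_SSL(PGconn *conn)
 return-1;
 }
 
+if ((cvstore=SSL_CTX_get_cert_store(SSL_context))!=NULL)
+{
+/* setting the flags to check against the complete CRL chain */
+if (X509_STORE_load_locations(cvstore,ROOT_CRL_FILE,NULL)!=0)
+/* OpenSSL 0.96 does not support X509_V_FLAG_CRL_CHECK */
+#ifdefX509_V_FLAG_CRL_CHECK
+X509_STORE_set_flags(cvstore,
+X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
+/* if not found, silently ignore; we do not require CRL */
+#else
+{
+char*err=SSLerrmessage();
+
+printfPQExpBuffer(&conn->errorMessage,
+libpq_gettext("Installed SSL library does not support CRL certificates, file \"%s\"\n"),
+fnbuf);
+SSLerrfree(err);
+return-1;
+}
+#endif
+}
+
 SSL_CTX_set_verify(SSL_context,SSL_VERIFY_PEER,verify_cb);
 }
 }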
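Review bot: The CRL is loaded from the bare `ROOT_CRL_FILE` (`.postgresql/root.crl`), a path relative to the client's current working directory, whereas `ROOT_CERT_FILE` a few lines earlier is first joined with `homedir` into `fnbuf`; unless the client happens to run from its home directory the file is not found, the failure is silently ignored as the comment says, and revocation checking never turns on even though the user installed a CRL. Build the path the same way, `snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, ROOT_CRL_FILE);` before the load and pass `fnbuf` to `X509_STORE_load_locations`, which also makes the `#else` error message (it already prints `fnbuf`) name the CRL instead of the root certificate. Since a missing CRL is deliberately non-fatal, it would be worth distinguishing "no file" (`stat` fails) from "file present but failed to load", so a corrupt or tampered CRL is reported rather than quietly disabling revocation checks; as written, the `err` from `SSLerrmessage()` in the `#else` branch is also allocated and freed without being shown. initialize_SSL starts outside the hunk.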
