Commit1ed4a92

committed
Yet another SSL patch. :-) This one adds some informational messages
on the server, if DebugLvl >= 2. The patch also includes a late addition to the last patch (X509_check_private_key()). I'm not sure why the current revision wasn't tagged. Bear Giles
1 parenteb7afc1 commit1ed4a92

2 files changed

+64
-4
lines changed


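--- a/src/backend/libpq/be-secure.c
+++ b/src/backend/libpq/be-secure.c
@@ -11,7 +11,7 @@
 *
 *
 * IDENTIFICATION
-* $Header: /cvsroot/pgsql/src/backend/libpq/be-secure.c,v 1.5 2002/06/14 04:36:58 momjian Exp $
+* $Header: /cvsroot/pgsql/src/backend/libpq/be-secure.c,v 1.6 2002/06/14 04:38:04 momjian Exp $
 *
 * Since the server static private key ($DataDir/server.key)
 * will normally be stored unencrypted so that the database
@@ -65,7 +65,7 @@
 * [*] server verifies client certificates
 *
 * milestone 5: provide informational callbacks
-* [] provide informational callbacks
+* [*] provide informational callbacks
 *
 * other changes
 * [ ] tcp-wrappers
@@ -125,6 +125,7 @@ static DH *load_dh_file(int keylength);
 staticDH*load_dh_buffer(constchar*,size_t);
 staticDH*tmp_dh_cb(SSL*s,intis_export,intkeylength);
 staticintverify_cb(int,X509_STORE_CTX*);
+staticvoidinfo_cb(SSL*ssl,inttype,intargs);
 staticintinitialize_SSL(void);
 staticvoiddestroy_SSL(void);
 staticintopen_server_SSL(Port*);
@@ -539,6 +540,45 @@ verify_cb (int ok, X509_STORE_CTX *ctx)
 returnok;
 }
 
+/*
+*This callback is used to copy SSL information messages
+*into the PostgreSQL log.
+*/
+staticvoid
+info_cb (SSL*ssl,inttype,intargs)
+{
+if (DebugLvl<2)
+return;
+
+switch (type)
+{
+caseSSL_CB_HANDSHAKE_START:
+elog(DEBUG,"SSL: handshake start");
+break;
+caseSSL_CB_HANDSHAKE_DONE:
+elog(DEBUG,"SSL: handshake done");
+break;
+caseSSL_CB_ACCEPT_LOOP:
+if (DebugLvl >=3)
+elog(DEBUG,"SSL: accept loop");
+break;
+caseSSL_CB_ACCEPT_EXIT:
+elog(DEBUG,"SSL: accept exit (%d)",args);
+break;
+caseSSL_CB_CONNECT_LOOP:
+elog(DEBUG,"SSL: connect loop");
+break;
+caseSSL_CB_CONNECT_EXIT:
+elog(DEBUG,"SSL: connect exit (%d)",args);
+break;
+caseSSL_CB_READ_ALERT:
+elog(DEBUG,"SSL: read alert (0x%04x)",args);
+break;
+caseSSL_CB_WRITE_ALERT:
+elog(DEBUG,"SSL: write alert (0x%04x)",args);
+break;
+}
+}
 
 /*
 *Initialize global SSL context.
@@ -663,6 +703,9 @@ open_server_SSL (Port *port)
 }
 elog(DEBUG,"secure connection from '%s'",port->peer_cn);
 
+/* set up debugging/info callback */
+SSL_CTX_set_info_callback(SSL_context,info_cb);
+
 return0;
 }
 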
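Review bot: `SSL_CTX_set_info_callback(SSL_context,info_cb);` in the open_server_SSL hunk is installed after the connection appears to be fully established (it follows the `secure connection from '%s'` log line, which already reads the peer name), so the HANDSHAKE_START, ACCEPT_LOOP and alert events of the very connection that installs it are never logged; if this runs in a per-connection child process on a context created before fork, every connection misses its own handshake, which defeats the diagnostic purpose of the callback. Registering it once where SSL_context is created in initialize_SSL (outside this hunk) is a one-line move and removes the per-connection re-registration. In info_cb, `switch (type)` has no `default:` branch, so exit/loop events that are neither accept nor connect, and any event type added by a later OpenSSL release, are silently dropped; a `default: break;` with a comment stating that other event types are intentionally ignored would make that explicit. The body of open_server_SSL begins before the hunk.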
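--- a/src/interfaces/libpq/fe-secure.c
+++ b/src/interfaces/libpq/fe-secure.c
@@ -11,7 +11,7 @@
 *
 *
 * IDENTIFICATION
-* $Header: /cvsroot/pgsql/src/interfaces/libpq/fe-secure.c,v 1.3 2002/06/14 04:36:58 momjian Exp $
+* $Header: /cvsroot/pgsql/src/interfaces/libpq/fe-secure.c,v 1.4 2002/06/14 04:38:04 momjian Exp $
 *
 * NOTES
 * The client *requires* a valid server certificate. Since
@@ -66,6 +66,12 @@
 * $HOME/.postgresql/postgresql.key
 * respectively.
 *
+* ...
+*
+* We don't provide informational callbacks here (like
+* info_cb() in be-secure.c), since there's mechanism to
+* display that information to the client.
+*
 * OS DEPENDENCIES
 * The code currently assumes a POSIX password entry. How should
 * Windows and Mac users be handled?
@@ -88,7 +94,7 @@
 * [*] server verifies client certificates
 *
 * milestone 5: provide informational callbacks
-* [] provide informational callbacks
+* [*] provide informational callbacks
 *
 * other changes
 * [ ] tcp-wrappers
@@ -721,6 +727,17 @@ client_cert_cb (SSL *ssl, X509 **x509, EVP_PKEY **pkey)
 }
 fclose(fp);
 
+/* verify that the cert and key go together */
+if (!X509_check_private_key(*x509,*pkey))
+{
+printfPQExpBuffer(&conn->errorMessage,
+libpq_gettext("certificate/private key mismatch (%s): %s\n"),
+fnbuf,SSLerrmessage());
+X509_free(*x509);
+EVP_PKEY_free(*pkey);
+return-1;
+}
+
 return1;
 }
 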
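Review bot: In the client_cert_cb hunk the mismatch branch frees `*x509` and `*pkey` but leaves both out-parameters pointing at freed memory before `return-1;`; add `*x509 = NULL;` and `*pkey = NULL;` after the two free calls so nothing that inspects them on the error path can touch a dangling pointer. OpenSSL presumably ignores the out-parameters on a negative return, but the function's earlier error paths are outside the hunk and I cannot confirm whether they already clear them, so clearing here keeps the new path at least as safe as those. The new header-comment sentence `since there's mechanism to display that information to the client` reads as the opposite of what is meant and presumably should say `there's no mechanism`. client_cert_cb begins before the hunk.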