NotificationsYou must be signed in to change notification settings
Fork5
Star26

Commitb6c9165

committed

Code review for SSLKEY patch.

1 parent5ce7599 commitb6c9165Copy full SHA for b6c9165

File tree

6 files changed

+38

-28

lines changed

src
- backend
  - libpq
    - be-secure.c
  - postmaster
    - postmaster.c
  - utils/misc
    - guc.c
    - postgresql.conf.sample
- include/postmaster
  - postmaster.h
- interfaces/libpq
  - fe-secure.c

6 files changed

+38

-28

lines changed

`‎src/backend/libpq/be-secure.c`

Lines changed: 4 additions & 5 deletions

Original file line number	Diff line number	Diff line change
`@@ -11,7 +11,7 @@`
`11`	`11`	`*`
`12`	`12`	`*`
`13`	`13`	`* IDENTIFICATION`
`14`		`- * $PostgreSQL: pgsql/src/backend/libpq/be-secure.c,v 1.78 2007/02/1602:59:40 momjian Exp $`
	`14`	`+ * $PostgreSQL: pgsql/src/backend/libpq/be-secure.c,v 1.79 2007/02/1617:06:59 tgl Exp $`
`15`	`15`	`*`
`16`	`16`	`* Since the server static private key ($DataDir/server.key)`
`17`	`17`	`* will normally be stored unencrypted so that the database`
`@@ -95,8 +95,7 @@`
`95`	`95`	`#ifSSLEAY_VERSION_NUMBER >=0x0907000L`
`96`	`96`	`#include<openssl/conf.h>`
`97`	`97`	`#endif`
`98`		`-`
`99`		`-#endif`
	`98`	`+#endif/* USE_SSL */`
`100`	`99`
`101`	`100`	`#include"libpq/libpq.h"`
`102`	`101`	`#include"tcop/tcopprot.h"`
`@@ -130,8 +129,8 @@ static const char *SSLerrmessage(void);`
`130`	`129`
`131`	`130`	`staticSSL_CTX*SSL_context=NULL;`
`132`	`131`
`133`		`-/* GUC variable controlling SSL cipher list*/`
`134`		`-externchar*SSLCipherSuites;`
	`132`	`+/* GUC variable controlling SSL cipher list*/`
	`133`	`+char*SSLCipherSuites=NULL;`
`135`	`134`
`136`	`135`	`#endif`
`137`	`136`

`‎src/backend/postmaster/postmaster.c`

Lines changed: 1 addition & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -37,7 +37,7 @@`
`37`	`37`	`*`
`38`	`38`	`*`
`39`	`39`	`* IDENTIFICATION`
`40`		`- * $PostgreSQL: pgsql/src/backend/postmaster/postmaster.c,v 1.524 2007/02/1602:59:41 momjian Exp $`
	`40`	`+ * $PostgreSQL: pgsql/src/backend/postmaster/postmaster.c,v 1.525 2007/02/1617:06:59 tgl Exp $`
`41`	`41`	`*`
`42`	`42`	`* NOTES`
`43`	`43`	`*`
`@@ -187,7 +187,6 @@ static intSendStop = false;`
`187`	`187`
`188`	`188`	`/* still more option variables */`
`189`	`189`	`boolEnableSSL= false;`
`190`		`-char*SSLCipherSuites;`
`191`	`190`	`boolSilentMode= false;/* silent mode (-S) */`
`192`	`191`
`193`	`192`	`intPreAuthDelay=0;`

`‎src/backend/utils/misc/guc.c`

Lines changed: 9 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -10,7 +10,7 @@`
`10`	`10`	`* Written by Peter Eisentraut <peter_e@gmx.net>.`
`11`	`11`	`*`
`12`	`12`	`* IDENTIFICATION`
`13`		`- * $PostgreSQL: pgsql/src/backend/utils/misc/guc.c,v 1.375 2007/02/1602:59:41 momjian Exp $`
	`13`	`+ * $PostgreSQL: pgsql/src/backend/utils/misc/guc.c,v 1.376 2007/02/1617:07:00 tgl Exp $`
`14`	`14`	`*`
`15`	`15`	`*--------------------------------------------------------------------`
`16`	`16`	`*/`
`@@ -106,6 +106,11 @@ extern bool fullPageWrites;`
`106`	`106`	`externbooltrace_sort;`
`107`	`107`	`#endif`
`108`	`108`
	`109`	`+#ifdefUSE_SSL`
	`110`	`+externchar*SSLCipherSuites;`
	`111`	`+#endif`
	`112`	`+`
	`113`	`+`
`109`	`114`	`staticconstcharassign_log_destination(constcharvalue,`
`110`	`115`	`booldoit,GucSourcesource);`
`111`	`116`
`@@ -2314,6 +2319,7 @@ static struct config_string ConfigureNamesString[] =`
`2314`	`2319`	`NULL,assign_temp_tablespaces,NULL`
`2315`	`2320`	`},`
`2316`	`2321`
	`2322`	`+#ifdefUSE_SSL`
`2317`	`2323`	`{`
`2318`	`2324`	`{"ssl_ciphers",PGC_POSTMASTER,CONN_AUTH_SECURITY,`
`2319`	`2325`	`gettext_noop("Sets the list of allowed SSL ciphers."),`
`@@ -2323,7 +2329,8 @@ static struct config_string ConfigureNamesString[] =`
`2323`	`2329`	`&SSLCipherSuites,`
`2324`	`2330`	`"ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH",NULL,NULL`
`2325`	`2331`	`},`
`2326`		`-`
	`2332`	`+#endif/* USE_SSL */`
	`2333`	`+`
`2327`	`2334`	`/* End-of-list marker */`
`2328`	`2335`	`{`
`2329`	`2336`	`{NULL,0,0,NULL,NULL},NULL,NULL,NULL,NULL`

`‎src/backend/utils/misc/postgresql.conf.sample`

Lines changed: 2 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -74,7 +74,8 @@`
`74`	`74`
`75`	`75`	`#authentication_timeout = 1min# 1s-600s`
`76`	`76`	`#ssl = off# (change requires restart)`
`77`		`-#ssl_ciphers = 'ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH' # List of ciphers to use`
	`77`	`+#ssl_ciphers = 'ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH'# Allowed SSL ciphers`
	`78`	`+# (change requires restart)`
`78`	`79`	`#password_encryption = on`
`79`	`80`	`#db_user_namespace = off`
`80`	`81`

`‎src/include/postmaster/postmaster.h`

Lines changed: 1 addition & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -6,7 +6,7 @@`
`6`	`6`	`* Portions Copyright (c) 1996-2007, PostgreSQL Global Development Group`
`7`	`7`	`* Portions Copyright (c) 1994, Regents of the University of California`
`8`	`8`	`*`
`9`		`- * $PostgreSQL: pgsql/src/include/postmaster/postmaster.h,v 1.16 2007/02/1602:59:41 momjian Exp $`
	`9`	`+ * $PostgreSQL: pgsql/src/include/postmaster/postmaster.h,v 1.17 2007/02/1617:07:00 tgl Exp $`
`10`	`10`	`*`
`11`	`11`	`*-------------------------------------------------------------------------`
`12`	`12`	`*/`
`@@ -15,7 +15,6 @@`
`15`	`15`
`16`	`16`	`/* GUC options */`
`17`	`17`	`externboolEnableSSL;`
`18`		`-externchar*SSLCipherSuites;`
`19`	`18`	`externboolSilentMode;`
`20`	`19`	`externintReservedBackends;`
`21`	`20`	`externintPostPortNumber;`

`‎src/interfaces/libpq/fe-secure.c`

Lines changed: 21 additions & 16 deletions

Original file line number	Diff line number	Diff line change
`@@ -11,7 +11,7 @@`
`11`	`11`	`*`
`12`	`12`	`*`
`13`	`13`	`* IDENTIFICATION`
`14`		`- * $PostgreSQL: pgsql/src/interfaces/libpq/fe-secure.c,v 1.93 2007/02/1602:59:41 momjian Exp $`
	`14`	`+ * $PostgreSQL: pgsql/src/interfaces/libpq/fe-secure.c,v 1.94 2007/02/1617:07:00 tgl Exp $`
`15`	`15`	`*`
`16`	`16`	`* NOTES`
`17`	`17`	`* [ Most of these notes are wrong/obsolete, but perhaps not all ]`
`@@ -619,7 +619,7 @@ client_cert_cb(SSL ssl, X509 x509, EVP_PKEY *pkey)`
`619`	`619`	`char*engine_env=getenv("PGSSLKEY");`
`620`	`620`	`char*engine_colon=strchr(engine_env,':');`
`621`	`621`	`char*engine_str;`
`622`		`-ENGINE*engine_ptr=NULL;`
	`622`	`+ENGINE*engine_ptr;`
`623`	`623`
`624`	`624`	`if (!engine_colon)`
`625`	`625`	`{`
`@@ -630,34 +630,38 @@ client_cert_cb(SSL ssl, X509 x509, EVP_PKEY *pkey)`
`630`	`630`
`631`	`631`	`engine_str=malloc(engine_colon-engine_env+1);`
`632`	`632`	`strlcpy(engine_str,engine_env,engine_colon-engine_env+1);`
`633`		`-if ((engine_ptr=ENGINE_by_id(engine_str))==NULL)`
	`633`	`+engine_ptr=ENGINE_by_id(engine_str);`
	`634`	`+if (engine_ptr==NULL)`
`634`	`635`	`{`
`635`	`636`	`char*err=SSLerrmessage();`
`636`	`637`
`637`	`638`	`printfPQExpBuffer(&conn->errorMessage,`
`638`		`-libpq_gettext("could not load SSL engine \"%s\":%s\n"),engine_str,err);`
`639`		`-free(engine_str);`
	`639`	`+libpq_gettext("could not load SSL engine \"%s\":%s\n"),`
	`640`	`+engine_str,err);`
`640`	`641`	`SSLerrfree(err);`
	`642`	`+free(engine_str);`
`641`	`643`	`return0;`
`642`	`644`	`}`
`643`		`-if ((*pkey=ENGINE_load_private_key(engine_ptr,`
`644`		`-engine_colon+1,NULL,NULL))==NULL)`
	`645`	`+`
	`646`	`+*pkey=ENGINE_load_private_key(engine_ptr,engine_colon+1,`
	`647`	`+NULL,NULL);`
	`648`	`+if (*pkey==NULL)`
`645`	`649`	`{`
`646`	`650`	`char*err=SSLerrmessage();`
`647`	`651`
`648`	`652`	`printfPQExpBuffer(&conn->errorMessage,`
`649`		`-libpq_gettext("could not read private SSL key%s from engine \"%s\": %s\n"),`
`650`		`-engine_colon+1,engine_str,err);`
	`653`	`+libpq_gettext("could not read private SSL key\"%s\" from engine \"%s\": %s\n"),`
	`654`	`+engine_colon+1,engine_str,err);`
`651`	`655`	`SSLerrfree(err);`
`652`	`656`	`free(engine_str);`
`653`	`657`	`return0;`
`654`	`658`	`}`
`655`	`659`	`free(engine_str);`
`656`	`660`	`}`
`657`	`661`	`else`
`658`		`-#endif`
	`662`	`+#endif/* use PGSSLKEY */`
`659`	`663`	`{`
`660`		`-/* read the user key from file*/`
	`664`	`+/* read the user key from file*/`
`661`	`665`	`snprintf(fnbuf,sizeof(fnbuf),"%s/%s",homedir,USER_KEY_FILE);`
`662`	`666`	`if (stat(fnbuf,&buf)==-1)`
`663`	`667`	`{`
`@@ -666,7 +670,7 @@ client_cert_cb(SSL ssl, X509 x509, EVP_PKEY *pkey)`
`666`	`670`	`fnbuf);`
`667`	`671`	`return0;`
`668`	`672`	`}`
`669`		`-#ifndefWIN32`
	`673`	`+#ifndefWIN32`
`670`	`674`	`if (!S_ISREG(buf.st_mode)\|\| (buf.st_mode&0077)\|\|`
`671`	`675`	`buf.st_uid!=geteuid())`
`672`	`676`	`{`
`@@ -675,23 +679,23 @@ client_cert_cb(SSL ssl, X509 x509, EVP_PKEY *pkey)`
`675`	`679`	`fnbuf);`
`676`	`680`	`return0;`
`677`	`681`	`}`
`678`		`-#endif`
	`682`	`+#endif`
`679`	`683`	`if ((fp=fopen(fnbuf,"r"))==NULL)`
`680`	`684`	`{`
`681`	`685`	`printfPQExpBuffer(&conn->errorMessage,`
`682`	`686`	`libpq_gettext("could not open private key file \"%s\": %s\n"),`
`683`	`687`	`fnbuf,pqStrerror(errno,sebuf,sizeof(sebuf)));`
`684`	`688`	`return0;`
`685`	`689`	`}`
`686`		`-#ifndefWIN32`
	`690`	`+#ifndefWIN32`
`687`	`691`	`if (fstat(fileno(fp),&buf2)==-1\|\|`
`688`	`692`	`buf.st_dev!=buf2.st_dev\|\|buf.st_ino!=buf2.st_ino)`
`689`	`693`	`{`
`690`	`694`	`printfPQExpBuffer(&conn->errorMessage,`
`691`	`695`	`libpq_gettext("private key file \"%s\" changed during execution\n"),fnbuf);`
`692`	`696`	`return0;`
`693`	`697`	`}`
`694`		`-#endif`
	`698`	`+#endif`
`695`	`699`	`if (PEM_read_PrivateKey(fp,pkey,NULL,NULL)==NULL)`
`696`	`700`	`{`
`697`	`701`	`char*err=SSLerrmessage();`
`@@ -705,6 +709,7 @@ client_cert_cb(SSL ssl, X509 x509, EVP_PKEY *pkey)`
`705`	`709`	`}`
`706`	`710`	`fclose(fp);`
`707`	`711`	`}`
	`712`	`+`
`708`	`713`	`/* verify that the cert and key go together */`
`709`	`714`	`if (!X509_check_private_key(x509,pkey))`
`710`	`715`	`{`
`@@ -788,7 +793,7 @@ init_ssl_system(PGconn *conn)`
`788`	`793`	`{`
`789`	`794`	`if (pq_initssllib)`
`790`	`795`	`{`
`791`		`-#if(SSLEAY_VERSION_NUMBER >=0x00907000L)`
	`796`	`+#ifSSLEAY_VERSION_NUMBER >=0x00907000L`
`792`	`797`	`OPENSSL_config(NULL);`
`793`	`798`	`#endif`
`794`	`799`	`SSL_library_init();`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitb6c9165

File tree

6 files changed

6 files changed

`‎src/backend/libpq/be-secure.c`

`‎src/backend/postmaster/postmaster.c`

`‎src/backend/utils/misc/guc.c`

`‎src/backend/utils/misc/postgresql.conf.sample`

`‎src/include/postmaster/postmaster.h`

`‎src/interfaces/libpq/fe-secure.c`

0 commit comments