*
*
* IDENTIFICATION
- * $Header: /cvsroot/pgsql/src/backend/libpq/be-secure.c,v 1.5 2002/06/14 04:36:58 momjian Exp $
+ * $Header: /cvsroot/pgsql/src/backend/libpq/be-secure.c,v 1.6 2002/06/14 04:38:04 momjian Exp $
*
* Since the server static private key ($DataDir/server.key)
* will normally be stored unencrypted so that the database
* [*] server verifies client certificates
*
* milestone 5: provide informational callbacks
- * [ ] provide informational callbacks
+ * [*] provide informational callbacks
*
* other changes
* [ ] tcp-wrappers
static DH *load_dh_buffer(const char *, size_t);
static DH *tmp_dh_cb(SSL *s, int is_export, int keylength);
static int verify_cb(int, X509_STORE_CTX *);
+static void info_cb(SSL *ssl, int type, int args);
static int initialize_SSL(void);
static void destroy_SSL(void);
static int open_server_SSL(Port *);
return ok;
}
+/*
+ * This callback is used to copy SSL information messages
+ * into the PostgreSQL log.
+ */
+static void
+info_cb (SSL *ssl, int type, int args)
+{
+ if (DebugLvl < 2)
+ return;
+
+ switch (type)
+ {
+ case SSL_CB_HANDSHAKE_START:
+ elog(DEBUG, "SSL: handshake start");
+ break;
+ case SSL_CB_HANDSHAKE_DONE:
+ elog(DEBUG, "SSL: handshake done");
+ break;
+ case SSL_CB_ACCEPT_LOOP:
+ if (DebugLvl >= 3)
+ elog(DEBUG, "SSL: accept loop");
+ break;
+ case SSL_CB_ACCEPT_EXIT:
+ elog(DEBUG, "SSL: accept exit (%d)", args);
+ break;
+ case SSL_CB_CONNECT_LOOP:
+ elog(DEBUG, "SSL: connect loop");
+ break;
+ case SSL_CB_CONNECT_EXIT:
+ elog(DEBUG, "SSL: connect exit (%d)", args);
+ break;
+ case SSL_CB_READ_ALERT:
+ elog(DEBUG, "SSL: read alert (0x%04x)", args);
+ break;
+ case SSL_CB_WRITE_ALERT:
+ elog(DEBUG, "SSL: write alert (0x%04x)", args);
+ break;
+ }
+}
/*
* Initialize global SSL context.
}
elog(DEBUG, "secure connection from '%s'", port->peer_cn);
+ /* set up debugging/info callback */
+ SSL_CTX_set_info_callback(SSL_context, info_cb);
+
return 0;
}
*
*
* IDENTIFICATION
- * $Header: /cvsroot/pgsql/src/interfaces/libpq/fe-secure.c,v 1.3 2002/06/14 04:36:58 momjian Exp $
+ * $Header: /cvsroot/pgsql/src/interfaces/libpq/fe-secure.c,v 1.4 2002/06/14 04:38:04 momjian Exp $
*
* NOTES
* The client *requires* a valid server certificate. Since
* $HOME/.postgresql/postgresql.key
* respectively.
*
+ * ...
+ *
+ * We don't provide informational callbacks here (like
+ * info_cb() in be-secure.c), since there's mechanism to
+ * display that information to the client.
+ *
* OS DEPENDENCIES
* The code currently assumes a POSIX password entry. How should
* Windows and Mac users be handled?
* [*] server verifies client certificates
*
* milestone 5: provide informational callbacks
- * [ ] provide informational callbacks
+ * [*] provide informational callbacks
*
* other changes
* [ ] tcp-wrappers
}
fclose(fp);
+ /* verify that the cert and key go together */
+ if (!X509_check_private_key(*x509, *pkey))
+ {
+ printfPQExpBuffer(&conn->errorMessage,
+ libpq_gettext("certificate/private key mismatch (%s): %s\n"),
+ fnbuf, SSLerrmessage());
+ X509_free(*x509);
+ EVP_PKEY_free(*pkey);
+ return -1;
+ }
+
return 1;
}
projects / users / c2main / postgres.git / commitdiff