database/postgres
1
0
Fork 0
mirror of https://github.com/postgres/postgres.git synced 2025-11-03 09:13:20 +03:00
Code Activity

Don't require pqGetHomeDirectory to succeed if the user has specified

Browse Source 
hardcoded paths for SSL rootcert/crl/clientcert/key.

As noted by Andrew Chernow
This commit is contained in:
Magnus Hagander
2009-01-07 12:02:46 +00:00
parent 16785db18c
commit 75eafe965e
1 changed files with 76 additions and 60 deletions
Download Patch File Download Diff File Expand all files Collapse all files

48
src/interfaces/libpq/fe-secure.c
View File

@@ -11,7 +11,7 @@
*
*
* IDENTIFICATION
* $PostgreSQL: pgsql/src/interfaces/libpq/fe-secure.c,v 1.115 2009/01/01 17:24:03 momjian Exp $
* $PostgreSQL: pgsql/src/interfaces/libpq/fe-secure.c,v 1.116 2009/01/07 12:02:46 mha Exp $
*
* NOTES
*
@@ -560,12 +560,19 @@ client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
PGconn *conn = (PGconn *) SSL_get_app_data(ssl);
char sebuf[256];
/*
* If conn->sslcert or conn->sslkey is not set, we don't need the home
* directory to find the required files.
*/
if (!conn->sslcert || !conn->sslkey)
{
if (!pqGetHomeDirectory(homedir, sizeof(homedir)))
{
printfPQExpBuffer(&conn->errorMessage,
libpq_gettext("could not get user information\n"));
libpq_gettext("cannot find home directory to locate client certificate files"));
return 0;
}
}
/* read the user certificate */
if (conn->sslcert)
@@ -964,11 +971,30 @@ initialize_SSL(PGconn *conn)
* If sslverify is set to anything other than "none", perform certificate
* verification. If set to "cn" we will also do further verifications after
* the connection has been completed.
*
* If we are going to look for either root certificate or CRL in the home directory,
* we need pqGetHomeDirectory() to succeed. In other cases, we don't need to
* get the home directory explicitly.
*/
/* Set up to verify server cert, if root.crt is present */
if (pqGetHomeDirectory(homedir, sizeof(homedir)))
if (!conn->sslrootcert || !conn->sslcrl)
{
if (!pqGetHomeDirectory(homedir, sizeof(homedir)))
{
if (strcmp(conn->sslverify, "none") != 0)
{
printfPQExpBuffer(&conn->errorMessage,
libpq_gettext("cannot find home directory to locate root certificate file"));
return -1;
}
}
}
else
{
homedir[0] = '\0';
}
if (conn->sslrootcert)
strncpy(fnbuf, conn->sslrootcert, sizeof(fnbuf));
else
@@ -1017,7 +1043,7 @@ initialize_SSL(PGconn *conn)
}
SSL_CTX_set_verify(SSL_context, SSL_VERIFY_PEER, verify_cb);
}
} /* root certificate exists */
else
{
if (strcmp(conn->sslverify, "none") != 0)
@@ -1027,16 +1053,6 @@ initialize_SSL(PGconn *conn)
return -1;
}
}
}
else
{
if (strcmp(conn->sslverify, "none") != 0)
{
printfPQExpBuffer(&conn->errorMessage,
libpq_gettext("cannot find home directory to locate root certificate file"));
return -1;
}
}
/* set up mechanism to provide client certificate, if available */
SSL_CTX_set_client_cert_cb(SSL_context, client_cert_cb);