database/postgres
1
0
Fork 0
mirror of https://github.com/postgres/postgres.git synced 2025-06-25 01:02:05 +03:00
Code Activity

Allow specifying CRL directory

Browse Source 
Add another method to specify CRLs, hashed directory method, for both
server and client side.  This offers a means for server or libpq to
load only CRLs that are required to verify a certificate.  The CRL
directory is specifed by separate GUC variables or connection options
ssl_crl_dir and sslcrldir, alongside the existing ssl_crl_file and
sslcrl, so both methods can be used at the same time.

Author: Kyotaro Horiguchi <horikyota.ntt@gmail.com>
Discussion: https://www.postgresql.org/message-id/flat/20200731.173911.904649928639357911.horikyota.ntt@gmail.com
This commit is contained in:
Peter Eisentraut
2021-02-18 07:59:10 +01:00
parent 128dd901a5
commit f5465fade9
20 changed files with 255 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
src/interfaces/libpq/fe-secure-openssl.c
View File

@ -794,7 +794,8 @@ initialize_SSL(PGconn *conn)
if (!(conn->sslcert && strlen(conn->sslcert) > 0) ||
!(conn->sslkey && strlen(conn->sslkey) > 0) ||
!(conn->sslrootcert && strlen(conn->sslrootcert) > 0) ||
!(conn->sslcrl && strlen(conn->sslcrl) > 0))
!((conn->sslcrl && strlen(conn->sslcrl) > 0) ||
(conn->sslcrldir && strlen(conn->sslcrldir) > 0)))
have_homedir = pqGetHomeDirectory(homedir, sizeof(homedir));
else /* won't need it */
have_homedir = false;
@ -936,20 +937,29 @@ initialize_SSL(PGconn *conn)
if ((cvstore = SSL_CTX_get_cert_store(SSL_context)) != NULL)
{
char *fname = NULL;
char *dname = NULL;
if (conn->sslcrl && strlen(conn->sslcrl) > 0)
strlcpy(fnbuf, conn->sslcrl, sizeof(fnbuf));
else if (have_homedir)
fname = conn->sslcrl;
if (conn->sslcrldir && strlen(conn->sslcrldir) > 0)
dname = conn->sslcrldir;
/* defaults to use the default CRL file */
if (!fname && !dname && have_homedir)
{
snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, ROOT_CRL_FILE);
else
fnbuf[0] = '\0';
fname = fnbuf;
}
/* Set the flags to check against the complete CRL chain */
if (fnbuf[0] != '\0' &&
X509_STORE_load_locations(cvstore, fnbuf, NULL) == 1)
if ((fname || dname) &&
X509_STORE_load_locations(cvstore, fname, dname) == 1)
{
X509_STORE_set_flags(cvstore,
X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
}
/* if not found, silently ignore; we do not require CRL */
ERR_clear_error();
}