author | Magnus Hagander <magnus@hagander.net> | 2008-11-13 09:45:25 +0000 |
---|---|---|
committer | Magnus Hagander <magnus@hagander.net> | 2008-11-13 09:45:25 +0000 |
commit | c89404edf3f3b35a4a599d71f407055bda8261b6 (patch) | |
tree | 3cd9f1ab08da17b8a9de75eecef9e3466aadee20 /src/interfaces/libpq/fe-connect.c | |
parent | e7d8bfb9342622971cfb326672c998934433546a (diff) |
Fix libpq certificate validation for SSL connections.
Add config parameter "sslverify" to control the verification. Default
is to do full verification.
Clean up some old SSL code that never really worked.
Diffstat (limited to 'src/interfaces/libpq/fe-connect.c')
-rw-r--r-- | src/interfaces/libpq/fe-connect.c | 29 |
1 files changed, 28 insertions, 1 deletions
diff --git a/src/interfaces/libpq/fe-connect.c b/src/interfaces/libpq/fe-connect.c
index d8b243b8d69..e1376dc0173 100644
--- a/src/interfaces/libpq/fe-connect.c
+++ b/src/interfaces/libpq/fe-connect.c
@@ -8,7 +8,7 @@
 *
 *
 * IDENTIFICATION
- * $PostgreSQL: pgsql/src/interfaces/libpq/fe-connect.c,v 1.367 2008/11/09 00:28:35 tgl Exp $
+ * $PostgreSQL: pgsql/src/interfaces/libpq/fe-connect.c,v 1.368 2008/11/13 09:45:24 mha Exp $
 *
 *-------------------------------------------------------------------------
 */
@@ -92,8 +92,10 @@ static int ldapServiceLookup(const char *purl, PQconninfoOption *options,
 #define DefaultPassword ""
 #ifdef USE_SSL
 #define DefaultSSLMode "prefer"
+#define DefaultSSLVerify "cn"
 #else
 #define DefaultSSLMode "disable"
+#define DefaultSSLVerify "none"
 #endif
 /* ----------
@@ -181,6 +183,9 @@ static const PQconninfoOption PQconninfoOptions[] = {
 {"sslmode", "PGSSLMODE", DefaultSSLMode, NULL,
 "SSL-Mode", "", 8}, /* sizeof("disable") == 8 */
+ {"sslverify", "PGSSLVERIFY", DefaultSSLVerify, NULL,
+ "SSL-Verify", "", 5}, /* sizeof("chain") == 5 */
+
 #if defined(KRB5) || defined(ENABLE_GSS) || defined(ENABLE_SSPI)
 /* Kerberos and GSSAPI authentication support specifying the service name */
 {"krbsrvname", "PGKRBSRVNAME", PG_KRB_SRVNAM, NULL,
@@ -415,6 +420,8 @@ connectOptions1(PGconn *conn, const char *conninfo)
 conn->connect_timeout = tmp ? strdup(tmp) : NULL;
 tmp = conninfo_getval(connOptions, "sslmode");
 conn->sslmode = tmp ? strdup(tmp) : NULL;
+ tmp = conninfo_getval(connOptions, "sslverify");
+ conn->sslverify = tmp ? strdup(tmp) : NULL;
 #ifdef USE_SSL
 tmp = conninfo_getval(connOptions, "requiressl");
 if (tmp && tmp[0] == '1')
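Review bot: The new `DefaultSSLVerify "cn"` under `USE_SSL` sits directly beside `DefaultSSLMode "prefer"`, and nothing in the hunk documents how the two defaults interact. If `prefer` allows the connection to proceed without SSL when negotiation is not accepted (the name suggests so; the fallback logic is not on this page), the certificate check only applies to connections that end up encrypted, so the "full verification" default is not an end-to-end guarantee unless the caller also sets `sslmode=require`. A comment above the defines would make that explicit, for example `/* sslverify is only consulted once SSL has been negotiated; combine with sslmode=require to rule out a plaintext fallback */`.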
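Review bot: The size comment on the new `sslverify` table entry is wrong on both counts: `sizeof("chain")` is 6, and `"chain"` is not one of the values the validation added to `connectOptions2` in this commit accepts (`none`, `cert`, `cn`). The size field of 5 itself matches the longest accepted value plus its terminator, so only the comment needs changing, to `/* sizeof("none") == 5 */`. Leaving the stale name in place invites a later `chain` value being added without anyone noticing that the field width and the validation list disagree.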
@@ -530,6 +537,24 @@ connectOptions2(PGconn *conn)
 conn->sslmode = strdup(DefaultSSLMode);
 /*
+ * Validate sslverify option
+ */
+ if (conn->sslverify)
+ {
+ if (strcmp(conn->sslverify, "none") != 0
+ && strcmp(conn->sslverify, "cert") != 0
+ && strcmp(conn->sslverify, "cn") != 0)
+ {
+ conn->status = CONNECTION_BAD;
+ printfPQExpBuffer(&conn->errorMessage,
+ libpq_gettext("invalid sslverify value: \"%s\"\n"),
+ conn->sslverify);
+ return false;
+ }
+ }
+
+
+ /*
 * Only if we get this far is it appropriate to try to connect. (We need a
 * state flag, rather than just the boolean result of this function, in
 * case someone tries to PQreset() the PGconn.)
@@ -2008,6 +2033,8 @@ freePGconn(PGconn *conn)
 free(conn->pgpass);
 if (conn->sslmode)
 free(conn->sslmode);
+ if (conn->sslverify)
+ free(conn->sslverify);
 #if defined(KRB5) || defined(ENABLE_GSS) || defined(ENABLE_SSPI)
 if (conn->krbsrvname)
 free(conn->krbsrvname); |
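Review bot: A NULL `conn->sslverify` skips the new validation block entirely and no default is applied, unlike `sslmode`, where the context line just above the block assigns `strdup(DefaultSSLMode)`. The pointer can be NULL if the `strdup` added in `connectOptions1` fails, and possibly on paths that fill in the PGconn without that function; how the SSL code treats a NULL setting is not shown on this page, so it should be confirmed that it cannot be read as `none`. Adding `else conn->sslverify = strdup(DefaultSSLVerify);` after the check would keep the secure default explicit. The body of `connectOptions2` begins and ends outside the hunk.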