Yet another SSL patch. :-) This one adds some informational messages

bmomjian · bmomjian · commit 1ed4a922b823 · 2002-06-14T04:38:04.000Z
on the server, if DebugLvl &gt;= 2.

The patch also includes a late addition to the last patch
(X509_check_private_key()).  I'm not sure why it the currect
revision wasn't tagged.


Bear Giles
diff --git a/src/backend/libpq/be-secure.c b/src/backend/libpq/be-secure.c
@@ -11,7 +11,7 @@
  *
  *
  * IDENTIFICATION
- *	  $Header: /cvsroot/pgsql/src/backend/libpq/be-secure.c,v 1.5 2002/06/14 04:36:58 momjian Exp $
+ *	  $Header: /cvsroot/pgsql/src/backend/libpq/be-secure.c,v 1.6 2002/06/14 04:38:04 momjian Exp $
  *
  *	  Since the server static private key ($DataDir/server.key)
  *	  will normally be stored unencrypted so that the database
@@ -65,7 +65,7 @@
  *	  [*] server verifies client certificates
  *
  *	  milestone 5: provide informational callbacks
- *	  [ ] provide informational callbacks
+ *	  [*] provide informational callbacks
  *
  *	  other changes
  *	  [ ] tcp-wrappers
@@ -125,6 +125,7 @@ static DH *load_dh_file(int keylength);
 static DH *load_dh_buffer(const char *, size_t);
 static DH *tmp_dh_cb(SSL *s, int is_export, int keylength);
 static int verify_cb(int, X509_STORE_CTX *);
+static void info_cb(SSL *ssl, int type, int args);
 static int initialize_SSL(void);
 static void destroy_SSL(void);
 static int open_server_SSL(Port *);
@@ -539,6 +540,45 @@ verify_cb (int ok, X509_STORE_CTX *ctx)
 	return ok;
 }
 
+/*
+ *	This callback is used to copy SSL information messages
+ *	into the PostgreSQL log.
+ */
+static void
+info_cb (SSL *ssl, int type, int args)
+{
+	if (DebugLvl < 2)
+		return;
+
+	switch (type)
+	{
+	case SSL_CB_HANDSHAKE_START:
+		elog(DEBUG, "SSL: handshake start");
+		break;
+	case SSL_CB_HANDSHAKE_DONE:
+		elog(DEBUG, "SSL: handshake done");
+		break;
+	case SSL_CB_ACCEPT_LOOP:
+		if (DebugLvl >= 3)
+			elog(DEBUG, "SSL: accept loop");
+		break;
+	case SSL_CB_ACCEPT_EXIT:
+		elog(DEBUG, "SSL: accept exit (%d)", args);
+		break;
+	case SSL_CB_CONNECT_LOOP:
+		elog(DEBUG, "SSL: connect loop");
+		break;
+	case SSL_CB_CONNECT_EXIT:
+		elog(DEBUG, "SSL: connect exit (%d)", args);
+		break;
+	case SSL_CB_READ_ALERT:
+		elog(DEBUG, "SSL: read alert (0x%04x)", args);
+		break;
+	case SSL_CB_WRITE_ALERT:
+		elog(DEBUG, "SSL: write alert (0x%04x)", args);
+		break;
+	}
+}
 
 /*
  *	Initialize global SSL context.
@@ -663,6 +703,9 @@ open_server_SSL (Port *port)
 	}
 	elog(DEBUG, "secure connection from '%s'", port->peer_cn);
 
+	/* set up debugging/info callback */
+	SSL_CTX_set_info_callback(SSL_context, info_cb);
+
 	return 0;
 }
 
diff --git a/src/interfaces/libpq/fe-secure.c b/src/interfaces/libpq/fe-secure.c
@@ -11,7 +11,7 @@
  *
  *
  * IDENTIFICATION
- *	  $Header: /cvsroot/pgsql/src/interfaces/libpq/fe-secure.c,v 1.3 2002/06/14 04:36:58 momjian Exp $
+ *	  $Header: /cvsroot/pgsql/src/interfaces/libpq/fe-secure.c,v 1.4 2002/06/14 04:38:04 momjian Exp $
  *	  
  * NOTES
  *	  The client *requires* a valid server certificate.  Since
@@ -66,6 +66,12 @@
  *	    $HOME/.postgresql/postgresql.key
  *	  respectively.
  *
+ *	  ...
+ *
+ *	  We don't provide informational callbacks here (like
+ *	  info_cb() in be-secure.c), since there's mechanism to
+ *	  display that information to the client.
+ *
  * OS DEPENDENCIES
  *	  The code currently assumes a POSIX password entry.  How should
  *	  Windows and Mac users be handled?
@@ -88,7 +94,7 @@
  *	  [*] server verifies client certificates
  *
  *	  milestone 5: provide informational callbacks
- *	  [ ] provide informational callbacks
+ *	  [*] provide informational callbacks
  *
  *	  other changes
  *	  [ ] tcp-wrappers
@@ -721,6 +727,17 @@ client_cert_cb (SSL *ssl, X509 **x509, EVP_PKEY **pkey)
 	}
 	fclose(fp);
 
+	/* verify that the cert and key go together */
+	if (!X509_check_private_key(*x509, *pkey))
+	{
+		printfPQExpBuffer(&conn->errorMessage, 
+			libpq_gettext("certificate/private key mismatch (%s): %s\n"),
+			fnbuf, SSLerrmessage());
+		X509_free(*x509);
+		EVP_PKEY_free(*pkey);
+		return -1;
+	}
+
 	return 1;
 }
 

Original file line number	Diff line number	Diff line change
`@@ -11,7 +11,7 @@`
`11`	`11`	`*`
`12`	`12`	`*`
`13`	`13`	`* IDENTIFICATION`
`14`		`- * $Header: /cvsroot/pgsql/src/interfaces/libpq/fe-secure.c,v 1.3 2002/06/14 04:36:58 momjian Exp $`
	`14`	`+ * $Header: /cvsroot/pgsql/src/interfaces/libpq/fe-secure.c,v 1.4 2002/06/14 04:38:04 momjian Exp $`
`15`	`15`	`*`
`16`	`16`	`* NOTES`
`17`	`17`	`* The client requires a valid server certificate. Since`
`@@ -66,6 +66,12 @@`
`66`	`66`	`* $HOME/.postgresql/postgresql.key`
`67`	`67`	`* respectively.`
`68`	`68`	`*`
	`69`	`+ * ...`
	`70`	`+ *`
	`71`	`+ * We don't provide informational callbacks here (like`
	`72`	`+ * info_cb() in be-secure.c), since there's mechanism to`
	`73`	`+ * display that information to the client.`
	`74`	`+ *`
`69`	`75`	`* OS DEPENDENCIES`
`70`	`76`	`* The code currently assumes a POSIX password entry. How should`
`71`	`77`	`* Windows and Mac users be handled?`
`@@ -88,7 +94,7 @@`
`88`	`94`	`* [*] server verifies client certificates`
`89`	`95`	`*`
`90`	`96`	`* milestone 5: provide informational callbacks`
`91`		`- * [ ] provide informational callbacks`
	`97`	`+ * [*] provide informational callbacks`
`92`	`98`	`*`
`93`	`99`	`* other changes`
`94`	`100`	`* [ ] tcp-wrappers`
`@@ -721,6 +727,17 @@ client_cert_cb (SSL ssl, X509 x509, EVP_PKEY *pkey)`
`721`	`727`	`}`
`722`	`728`	`fclose(fp);`
`723`	`729`
	`730`	`+ /* verify that the cert and key go together */`
	`731`	`+ if (!X509_check_private_key(x509, pkey))`
	`732`	`+ {`
	`733`	`+ printfPQExpBuffer(&conn->errorMessage,`
	`734`	`+ libpq_gettext("certificate/private key mismatch (%s): %s\n"),`
	`735`	`+ fnbuf, SSLerrmessage());`
	`736`	`+ X509_free(*x509);`
	`737`	`+ EVP_PKEY_free(*pkey);`
	`738`	`+ return -1;`
	`739`	`+ }`
	`740`	`+`
`724`	`741`	`return 1;`
`725`	`742`	`}`
`726`	`743`