Index: doc/src/sgml/libpq.sgml =================================================================== RCS file: /home/alvherre/Code/cvs/pgsql/doc/src/sgml/libpq.sgml,v retrieving revision 1.260 diff -c -p -r1.260 libpq.sgml *** doc/src/sgml/libpq.sgml 27 Jun 2008 02:44:31 -0000 1.260 --- doc/src/sgml/libpq.sgml 1 Aug 2008 18:52:07 -0000 *************** *** 281,286 **** --- 281,324 ---- + sslcert + + + This parameter specifies the file name of the client SSL + certificate. + + + + + + sslkey + + + This parameter specifies the file name of the client SSL key. + + + + + + sslrootcert + + + This parameter specifies the file name of the root SSL certificate. + + + + + + sslcrl + + + This parameter specifies the file name of the SSL certificate + revocation list (CRL) + + + + + krbsrvname *************** defaultNoticeProcessor(void *arg, const *** 4911,4916 **** --- 4949,4976 ---- + PGROOTCERT + + PGROOTCERT specifies the file name where the SSL + root certificate is stored. This can be overridden by the + sslrootcert connection parameter. + + + + + + + PGSSLCRL + + PGSSLCRL specifies the file name where the SSL certificate + revocation list is stored. This can be overridden by the + sslcrl connection parameter. 
+ + + + + + PGKRBSRVNAME PGKRBSRVNAME sets the Kerberos service name to use Index: src/interfaces/libpq/fe-connect.c =================================================================== RCS file: /home/alvherre/Code/cvs/pgsql/src/interfaces/libpq/fe-connect.c,v retrieving revision 1.359 diff -c -p -r1.359 fe-connect.c *** src/interfaces/libpq/fe-connect.c 29 May 2008 22:02:44 -0000 1.359 --- src/interfaces/libpq/fe-connect.c 1 Aug 2008 14:44:50 -0000 *************** static const PQconninfoOption PQconninfo *** 181,186 **** --- 181,198 ---- {"sslmode", "PGSSLMODE", DefaultSSLMode, NULL, "SSL-Mode", "", 8}, /* sizeof("disable") == 8 */ + {"sslcert", "PGSSLCERT", NULL, NULL, + "SSL-Client-Cert", "", 64}, + + {"sslkey", "PGSSLKEY", NULL, NULL, + "SSL-Client-Key", "", 64}, + + {"sslrootcert", "PGROOTCERT", NULL, NULL, + "SSL-Root-Certificate", "", 64}, + + {"sslcrl", "PGSSLCRL", NULL, NULL, + "SSL-Revocation-List", "", 64}, + #if defined(KRB5) || defined(ENABLE_GSS) || defined(ENABLE_SSPI) /* Kerberos and GSSAPI authentication support specifying the service name */ {"krbsrvname", "PGKRBSRVNAME", PG_KRB_SRVNAM, NULL, *************** connectOptions1(PGconn *conn, const char *** 413,418 **** --- 425,438 ---- conn->connect_timeout = tmp ? strdup(tmp) : NULL; tmp = conninfo_getval(connOptions, "sslmode"); conn->sslmode = tmp ? strdup(tmp) : NULL; + tmp = conninfo_getval(connOptions, "sslkey"); + conn->sslkey = tmp ? strdup(tmp) : NULL; + tmp = conninfo_getval(connOptions, "sslcert"); + conn->sslcert = tmp ? strdup(tmp) : NULL; + tmp = conninfo_getval(connOptions, "sslrootcert"); + conn->sslrootcert = tmp ? strdup(tmp) : NULL; + tmp = conninfo_getval(connOptions, "sslcrl"); + conn->sslcrl = tmp ? 
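Review bot: The environment variable name for the new sslrootcert entry breaks the naming pattern of its siblings: the other three new options bind to PGSSLCERT, PGSSLKEY and PGSSLCRL, while sslrootcert binds to PGROOTCERT. Environment variable names become public interface once released, so it is worth aligning them now, e.g. `{"sslrootcert", "PGSSLROOTCERT", NULL, NULL,` (the libpq.sgml hunk would then need the same rename). Note also that binding sslkey to PGSSLKEY overloads a variable the existing engine-loading code in fe-secure.c already reads via getenv(); see the note on that hunk.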
strdup(tmp) : NULL; #ifdef USE_SSL tmp = conninfo_getval(connOptions, "requiressl"); if (tmp && tmp[0] == '1') Index: src/interfaces/libpq/fe-secure.c =================================================================== RCS file: /home/alvherre/Code/cvs/pgsql/src/interfaces/libpq/fe-secure.c,v retrieving revision 1.105 diff -c -p -r1.105 fe-secure.c *** src/interfaces/libpq/fe-secure.c 16 May 2008 18:30:53 -0000 1.105 --- src/interfaces/libpq/fe-secure.c 1 Aug 2008 14:44:00 -0000 *************** client_cert_cb(SSL *ssl, X509 **x509, EV *** 599,605 **** } /* read the user certificate */ ! snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, USER_CERT_FILE); /* * OpenSSL <= 0.9.8 lacks error stack handling, which means it's likely to --- 599,608 ---- } /* read the user certificate */ ! if (conn->sslcert) ! strncpy(fnbuf, conn->sslcert, sizeof(fnbuf)); ! else ! snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, USER_CERT_FILE); /* * OpenSSL <= 0.9.8 lacks error stack handling, which means it's likely to *************** client_cert_cb(SSL *ssl, X509 **x509, EV *** 650,656 **** BIO_free(bio); #if (SSLEAY_VERSION_NUMBER >= 0x00907000L) && !defined(OPENSSL_NO_ENGINE) ! if (getenv("PGSSLKEY")) { /* read the user key from engine */ char *engine_env = getenv("PGSSLKEY"); --- 653,659 ---- BIO_free(bio); #if (SSLEAY_VERSION_NUMBER >= 0x00907000L) && !defined(OPENSSL_NO_ENGINE) ! if (getenv("PGSSLKEY") && !conn->sslkey) { /* read the user key from engine */ char *engine_env = getenv("PGSSLKEY"); *************** client_cert_cb(SSL *ssl, X509 **x509, EV *** 702,708 **** #endif /* use PGSSLKEY */ { /* read the user key from file */ ! snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, USER_KEY_FILE); if (stat(fnbuf, &buf) != 0) { printfPQExpBuffer(&conn->errorMessage, --- 705,715 ---- #endif /* use PGSSLKEY */ { /* read the user key from file */ ! if (conn->sslkey) ! strncpy(fnbuf, conn->sslkey, sizeof(fnbuf)); ! else ! snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, USER_KEY_FILE); ! 
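Review bot: The four strdup() results stored in conn->sslkey, conn->sslcert, conn->sslrootcert and conn->sslcrl need a matching free(), and this patch contains no hunk touching freePGconn(), where the sibling field conn->sslmode is presumably released. Unless that hunk was simply left out of the posted diff, every connection leaks these four strings at PQfinish(). The body of connectOptions1 continues outside the hunk.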
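Review bot: `strncpy(fnbuf, conn->sslcert, sizeof(fnbuf))` leaves fnbuf without a NUL terminator whenever the configured path is sizeof(fnbuf) characters or longer, and fnbuf is subsequently used as a C string (the key hunk below passes it to stat(), this one reads the certificate from it), so the read runs past the buffer. The same pattern appears in the sslkey, root-certificate and CRL hunks that follow. Since the fallback branch already uses snprintf, the override can use the same call, `snprintf(fnbuf, sizeof(fnbuf), "%s", conn->sslcert);`, and because a silently truncated path names a different file than the one the user configured, the return value should be compared against sizeof(fnbuf) and an error reported via conn->errorMessage instead of continuing with the truncated name.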
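Review bot: `if (getenv("PGSSLKEY") && !conn->sslkey)` looks like it can never be true: the option table hunk in fe-connect.c binds the sslkey connection option to the PGSSLKEY environment variable, so if conninfo parsing falls back to the environment as it does for the other entries, conn->sslkey is already set whenever getenv("PGSSLKEY") succeeds. That makes the engine-loading branch unreachable, and a PGSSLKEY value in the existing engine form is instead treated as a key file name by the file branch below, which will fail at stat(). Either the file-name option should bind to a different environment variable, or the engine branch should be selected by the form of the value rather than by the absence of conn->sslkey; either way the intended precedence between the two uses of PGSSLKEY should be stated in a comment here.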
if (stat(fnbuf, &buf) != 0) { printfPQExpBuffer(&conn->errorMessage, *************** initialize_SSL(PGconn *conn) *** 904,910 **** /* Set up to verify server cert, if root.crt is present */ if (pqGetHomeDirectory(homedir, sizeof(homedir))) { ! snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, ROOT_CERT_FILE); if (stat(fnbuf, &buf) == 0) { X509_STORE *cvstore; --- 911,921 ---- /* Set up to verify server cert, if root.crt is present */ if (pqGetHomeDirectory(homedir, sizeof(homedir))) { ! if (conn->ssltrustcrt) ! strncpy(fnbuf, conn->ssltrustcrt, sizeof(fnbuf)); ! else ! snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, ROOT_CERT_FILE); ! if (stat(fnbuf, &buf) == 0) { X509_STORE *cvstore; *************** initialize_SSL(PGconn *conn) *** 922,929 **** if ((cvstore = SSL_CTX_get_cert_store(SSL_context)) != NULL) { /* setting the flags to check against the complete CRL chain */ ! if (X509_STORE_load_locations(cvstore, ROOT_CRL_FILE, NULL) != 0) /* OpenSSL 0.96 does not support X509_V_FLAG_CRL_CHECK */ #ifdef X509_V_FLAG_CRL_CHECK X509_STORE_set_flags(cvstore, --- 933,945 ---- if ((cvstore = SSL_CTX_get_cert_store(SSL_context)) != NULL) { + if (conn->sslcrl) + strncpy(fnbuf, conn->sslcrl, sizeof(fnbuf)); + else + snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, ROOT_CRL_FILE); + /* setting the flags to check against the complete CRL chain */ ! 
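Review bot: `conn->ssltrustcrt` is not a field of struct pg_conn: the libpq-int.h hunk adds `sslrootcert` and connectOptions1 stores into `conn->sslrootcert`, so this hunk will not compile; both lines should read `conn->sslrootcert`. A second point: the override sits inside `if (pqGetHomeDirectory(homedir, sizeof(homedir)))`, so when no home directory can be determined an explicitly configured root certificate is ignored and the connection proceeds without server certificate verification, which is the opposite of what a user who set the option expects. The explicit path should be consulted before, and independently of, the home directory lookup, which is only needed to build the default file name; the block containing this code continues outside the hunk.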
if (X509_STORE_load_locations(cvstore, fnbuf, NULL) != 0) /* OpenSSL 0.96 does not support X509_V_FLAG_CRL_CHECK */ #ifdef X509_V_FLAG_CRL_CHECK X509_STORE_set_flags(cvstore, Index: src/interfaces/libpq/libpq-int.h =================================================================== RCS file: /home/alvherre/Code/cvs/pgsql/src/interfaces/libpq/libpq-int.h,v retrieving revision 1.131 diff -c -p -r1.131 libpq-int.h *** src/interfaces/libpq/libpq-int.h 29 May 2008 22:02:44 -0000 1.131 --- src/interfaces/libpq/libpq-int.h 1 Aug 2008 14:34:15 -0000 *************** struct pg_conn *** 293,298 **** --- 293,303 ---- char *pgpass; bool pgpass_from_client; /* did password come from connect args? */ char *sslmode; /* SSL mode (require,prefer,allow,disable) */ + char *sslkey; /* client key filename */ + char *sslcert; /* client certificate filename */ + char *sslrootcert; /* root certificate filename */ + char *sslcrl; /* certificate revocation list filename */ + #if defined(KRB5) || defined(ENABLE_GSS) || defined(ENABLE_SSPI) char *krbsrvname; /* Kerberos service name */ #endif
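Review bot: Now that the CRL file name can be set explicitly, a load failure of `X509_STORE_load_locations(cvstore, fnbuf, NULL)` should be reported rather than silently skipped: the hunk shows only the success path setting the check flags, and if the code following the #ifdef (outside the hunk) does not surface the failure, a user who configured sslcrl will believe revocation checking is active when it is not. For the default location that silence was arguably acceptable; for an explicitly configured path it is worth at least a printfPQExpBuffer into conn->errorMessage. The strncpy termination issue raised on the client certificate hunk applies to the `conn->sslcrl` copy here too.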