*
*
* IDENTIFICATION
- * $PostgreSQL: pgsql/src/backend/libpq/be-secure.c,v 1.78 2007/02/16 02:59:40 momjian Exp $
+ * $PostgreSQL: pgsql/src/backend/libpq/be-secure.c,v 1.79 2007/02/16 17:06:59 tgl Exp $
*
* Since the server static private key ($DataDir/server.key)
* will normally be stored unencrypted so that the database
#if SSLEAY_VERSION_NUMBER >= 0x0907000L
#include <openssl/conf.h>
#endif
-
-#endif
+#endif /* USE_SSL */
#include "libpq/libpq.h"
#include "tcop/tcopprot.h"
static SSL_CTX *SSL_context = NULL;
-/* GUC variable controlling SSL cipher list*/
-extern char *SSLCipherSuites;
+/* GUC variable controlling SSL cipher list */
+char *SSLCipherSuites = NULL;
#endif
* Written by Peter Eisentraut <peter_e@gmx.net>.
*
* IDENTIFICATION
- * $PostgreSQL: pgsql/src/backend/utils/misc/guc.c,v 1.375 2007/02/16 02:59:41 momjian Exp $
+ * $PostgreSQL: pgsql/src/backend/utils/misc/guc.c,v 1.376 2007/02/16 17:07:00 tgl Exp $
*
*--------------------------------------------------------------------
*/
extern bool trace_sort;
#endif
+#ifdef USE_SSL
+extern char *SSLCipherSuites;
+#endif
+
+
static const char *assign_log_destination(const char *value,
bool doit, GucSource source);
NULL, assign_temp_tablespaces, NULL
},
+#ifdef USE_SSL
{
{"ssl_ciphers", PGC_POSTMASTER, CONN_AUTH_SECURITY,
gettext_noop("Sets the list of allowed SSL ciphers."),
&SSLCipherSuites,
"ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH", NULL, NULL
},
-
+#endif /* USE_SSL */
+
/* End-of-list marker */
{
{NULL, 0, 0, NULL, NULL}, NULL, NULL, NULL, NULL
*
*
* IDENTIFICATION
- * $PostgreSQL: pgsql/src/interfaces/libpq/fe-secure.c,v 1.93 2007/02/16 02:59:41 momjian Exp $
+ * $PostgreSQL: pgsql/src/interfaces/libpq/fe-secure.c,v 1.94 2007/02/16 17:07:00 tgl Exp $
*
* NOTES
* [ Most of these notes are wrong/obsolete, but perhaps not all ]
char *engine_env = getenv("PGSSLKEY");
char *engine_colon = strchr(engine_env, ':');
char *engine_str;
- ENGINE *engine_ptr = NULL;
+ ENGINE *engine_ptr;
if (!engine_colon)
{
engine_str = malloc(engine_colon - engine_env + 1);
strlcpy(engine_str, engine_env, engine_colon - engine_env + 1);
- if ((engine_ptr = ENGINE_by_id(engine_str)) == NULL)
+ engine_ptr = ENGINE_by_id(engine_str);
+ if (engine_ptr == NULL)
{
char *err = SSLerrmessage();
printfPQExpBuffer(&conn->errorMessage,
- libpq_gettext("could not load SSL engine \"%s\":%s\n"), engine_str, err);
- free(engine_str);
+ libpq_gettext("could not load SSL engine \"%s\": %s\n"),
+ engine_str, err);
SSLerrfree(err);
+ free(engine_str);
return 0;
}
- if ((*pkey = ENGINE_load_private_key(engine_ptr,
- engine_colon + 1, NULL, NULL)) == NULL)
+
+ *pkey = ENGINE_load_private_key(engine_ptr, engine_colon + 1,
+ NULL, NULL);
+ if (*pkey == NULL)
{
char *err = SSLerrmessage();
printfPQExpBuffer(&conn->errorMessage,
- libpq_gettext("could not read private SSL key %s from engine \"%s\": %s\n"),
- engine_colon + 1, engine_str, err);
+ libpq_gettext("could not read private SSL key \"%s\" from engine \"%s\": %s\n"),
+ engine_colon + 1, engine_str, err);
SSLerrfree(err);
free(engine_str);
return 0;
free(engine_str);
}
else
-#endif
+#endif /* use PGSSLKEY */
{
- /* read the user key from file*/
+ /* read the user key from file */
snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, USER_KEY_FILE);
if (stat(fnbuf, &buf) == -1)
{
fnbuf);
return 0;
}
- #ifndef WIN32
+#ifndef WIN32
if (!S_ISREG(buf.st_mode) || (buf.st_mode & 0077) ||
buf.st_uid != geteuid())
{
fnbuf);
return 0;
}
- #endif
+#endif
if ((fp = fopen(fnbuf, "r")) == NULL)
{
printfPQExpBuffer(&conn->errorMessage,
fnbuf, pqStrerror(errno, sebuf, sizeof(sebuf)));
return 0;
}
- #ifndef WIN32
+#ifndef WIN32
if (fstat(fileno(fp), &buf2) == -1 ||
buf.st_dev != buf2.st_dev || buf.st_ino != buf2.st_ino)
{
libpq_gettext("private key file \"%s\" changed during execution\n"), fnbuf);
return 0;
}
- #endif
+#endif
if (PEM_read_PrivateKey(fp, pkey, NULL, NULL) == NULL)
{
char *err = SSLerrmessage();
}
fclose(fp);
}
+
/* verify that the cert and key go together */
if (!X509_check_private_key(*x509, *pkey))
{
{
if (pq_initssllib)
{
-#if (SSLEAY_VERSION_NUMBER >= 0x00907000L)
+#if SSLEAY_VERSION_NUMBER >= 0x00907000L
OPENSSL_config(NULL);
#endif
SSL_library_init();