authorBruce Momjian2002-06-14 04:38:04 +0000
committerBruce Momjian2002-06-14 04:38:04 +0000
commit1ed4a922b823ecd0784aa2755bc68783050734f6 (patch)
tree9c77dbb7d59188909ac75650e98b3e66286eb4dc /src/interfaces/libpq/fe-secure.c
parenteb7afc1407680a10be05ba18865051b539d434f2 (diff)
Yet another SSL patch. :-) This one adds some informational messages
on the server, if DebugLvl >= 2. The patch also includes a late addition to the last patch (X509_check_private_key()). I'm not sure why the current revision wasn't tagged. Bear Giles
Diffstat (limited to 'src/interfaces/libpq/fe-secure.c')
-rw-r--r--src/interfaces/libpq/fe-secure.c21
1 files changed, 19 insertions, 2 deletions
diff --git a/src/interfaces/libpq/fe-secure.c b/src/interfaces/libpq/fe-secure.c
index 3240be892e0..26dcb438845 100644
--- a/src/interfaces/libpq/fe-secure.c
+++ b/src/interfaces/libpq/fe-secure.c
@@ -11,7 +11,7 @@
*
*
* IDENTIFICATION
- * $Header: /cvsroot/pgsql/src/interfaces/libpq/fe-secure.c,v 1.3 2002/06/14 04:36:58 momjian Exp $
+ * $Header: /cvsroot/pgsql/src/interfaces/libpq/fe-secure.c,v 1.4 2002/06/14 04:38:04 momjian Exp $
*
* NOTES
* The client *requires* a valid server certificate. Since
@@ -66,6 +66,12 @@
* $HOME/.postgresql/postgresql.key
* respectively.
*
+ * ...
+ *
+ * We don't provide informational callbacks here (like
+ * info_cb() in be-secure.c), since there's mechanism to
+ * display that information to the client.
+ *
* OS DEPENDENCIES
* The code currently assumes a POSIX password entry. How should
* Windows and Mac users be handled?
@@ -88,7 +94,7 @@
* [*] server verifies client certificates
*
* milestone 5: provide informational callbacks
- * [ ] provide informational callbacks
+ * [*] provide informational callbacks
*
* other changes
* [ ] tcp-wrappers
@@ -721,6 +727,17 @@ client_cert_cb (SSL *ssl, X509 **x509, EVP_PKEY **pkey)
}
fclose(fp);
+ /* verify that the cert and key go together */
+ if (!X509_check_private_key(*x509, *pkey))
+ {
+ printfPQExpBuffer(&conn->errorMessage,
+ libpq_gettext("certificate/private key mismatch (%s): %s\n"),
+ fnbuf, SSLerrmessage());
+ X509_free(*x509);
+ EVP_PKEY_free(*pkey);
+ return -1;
+ }
+
return 1;
}
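Review bot: On the mismatch path the callback frees `*x509` and `*pkey` but leaves both out-parameters pointing at the freed objects, so any caller that inspects or releases them after a negative return would be handling dangling pointers; clear them after freeing, `*x509 = NULL;` and `*pkey = NULL;`, before `return -1;`. The check itself is the right addition: loading a certificate and key that do not correspond would otherwise only surface as an opaque handshake failure, and reporting it with SSLerrmessage() at load time is the clearer diagnostic. The enclosing function client_cert_cb starts outside this hunk, so whether the earlier error paths in it already follow the same free-then-NULL convention cannot be confirmed from here. Separately, the NOTES hunk above ("since there's mechanism to display that information to the client") appears to be missing the word "no", which inverts the stated rationale.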