From 1ed4a922b823ecd0784aa2755bc68783050734f6 Mon Sep 17 00:00:00 2001
From: Bruce Momjian
Date: Fri, 14 Jun 2002 04:38:04 +0000
Subject: Yet another SSL patch. :-) This one adds some informational messages on the server, if DebugLvl >= 2. The patch also includes a late addition to the last patch (X509_check_private_key()). I'm not sure why it the currect revision wasn't tagged. Bear Giles
---
 src/interfaces/libpq/fe-secure.c | 21 +++++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)
(limited to 'src/interfaces/libpq/fe-secure.c')
diff --git a/src/interfaces/libpq/fe-secure.c b/src/interfaces/libpq/fe-secure.c
index 3240be892e0..26dcb438845 100644
--- a/src/interfaces/libpq/fe-secure.c
+++ b/src/interfaces/libpq/fe-secure.c
@@ -11,7 +11,7 @@
 *
 *
 * IDENTIFICATION
- * $Header: /cvsroot/pgsql/src/interfaces/libpq/fe-secure.c,v 1.3 2002/06/14 04:36:58 momjian Exp $
+ * $Header: /cvsroot/pgsql/src/interfaces/libpq/fe-secure.c,v 1.4 2002/06/14 04:38:04 momjian Exp $
 *
 * NOTES
 * The client *requires* a valid server certificate. Since
@@ -66,6 +66,12 @@
 * $HOME/.postgresql/postgresql.key
 * respectively.
 *
+ * ...
+ *
+ * We don't provide informational callbacks here (like
+ * info_cb() in be-secure.c), since there's mechanism to
+ * display that information to the client.
+ *
 * OS DEPENDENCIES
 * The code currently assumes a POSIX password entry. How should
 * Windows and Mac users be handled?
@@ -88,7 +94,7 @@
 * [*] server verifies client certificates
 *
 * milestone 5: provide informational callbacks
- * [ ] provide informational callbacks
+ * [*] provide informational callbacks
 *
 * other changes
 * [ ] tcp-wrappers
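Review bot: The comment added to the NOTES block in the second hunk (-66,6 +66,12) justifies the absence of informational callbacks with "since there's mechanism to display that information to the client", which reads as the opposite of what the sentence appears to intend. Presumably a "no" was dropped; `since there's no mechanism to` would make the stated reason agree with the decision not to provide callbacks here.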
@@ -721,6 +727,17 @@ client_cert_cb (SSL *ssl, X509 **x509, EVP_PKEY **pkey)
 }
 fclose(fp);
 
+ /* verify that the cert and key go together */
+ if (!X509_check_private_key(*x509, *pkey))
+ {
+ printfPQExpBuffer(&conn->errorMessage,
+ libpq_gettext("certificate/private key mismatch (%s): %s\n"),
+ fnbuf, SSLerrmessage());
+ X509_free(*x509);
+ EVP_PKEY_free(*pkey);
+ return -1;
+ }
+
 return 1;
 }
 
-- cgit v1.2.3
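Review bot: After the mismatch branch frees the certificate and key, the out-parameters `*x509` and `*pkey` still hold the freed addresses when the callback returns, so any later use of them by the caller would be a use-after-free or a double free. Clearing them right after the frees, `*x509 = NULL;` and `*pkey = NULL;`, keeps the failure path safe regardless of what the library does with them next. Separately, OpenSSL documents a negative return from a client-certificate callback as suspending the handshake for a later retry rather than failing it, so it is worth confirming that `return -1` here gives the intended hard failure and matches the other error paths of client_cert_cb, which begin outside this hunk.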