From 069ad5fcc34e6a340ab10453e78c2e152e1e0ee2 Mon Sep 17 00:00:00 2001
From: Bruce Momjian
Date: Sat, 6 May 2006 02:24:39 +0000
Subject: [PATCH] Add SSL CRL support to libpq. Recently added to the backend.

---
 src/backend/libpq/be-secure.c    |  4 ++--
 src/interfaces/libpq/fe-secure.c | 28 +++++++++++++++++++++++++++-
 2 files changed, 29 insertions(+), 3 deletions(-)

diff --git a/src/backend/libpq/be-secure.c b/src/backend/libpq/be-secure.c
index 75e3240f91..8a4def4e11 100644
--- a/src/backend/libpq/be-secure.c
+++ b/src/backend/libpq/be-secure.c
@@ -11,7 +11,7 @@
  *
  *
  * IDENTIFICATION
- *    $PostgreSQL: pgsql/src/backend/libpq/be-secure.c,v 1.68 2006/05/06 01:31:38 momjian Exp $
+ *    $PostgreSQL: pgsql/src/backend/libpq/be-secure.c,v 1.69 2006/05/06 02:24:39 momjian Exp $
  *
  *    Since the server static private key ($DataDir/server.key)
  *    will normally be stored unencrypted so that the database
@@ -803,7 +803,7 @@ initialize_SSL(void)
 
 		if (cvstore)
 		{
-			/* Set the flags to check against the complete CRL chain */
+			/* Set the flags to check against the complete CRL chain */
 			if (X509_STORE_load_locations(cvstore, ROOT_CRL_FILE, NULL) != 0)
 /* OpenSSL 0.96 does not support X509_V_FLAG_CRL_CHECK */
 #ifdef X509_V_FLAG_CRL_CHECK
diff --git a/src/interfaces/libpq/fe-secure.c b/src/interfaces/libpq/fe-secure.c
index ed6ecdd508..cd0ac14da5 100644
--- a/src/interfaces/libpq/fe-secure.c
+++ b/src/interfaces/libpq/fe-secure.c
@@ -11,7 +11,7 @@
  *
  *
  * IDENTIFICATION
- *    $PostgreSQL: pgsql/src/interfaces/libpq/fe-secure.c,v 1.79 2006/04/27 14:02:36 momjian Exp $
+ *    $PostgreSQL: pgsql/src/interfaces/libpq/fe-secure.c,v 1.80 2006/05/06 02:24:39 momjian Exp $
  *
  * NOTES
  *    [ Most of these notes are wrong/obsolete, but perhaps not all ]
@@ -125,11 +125,13 @@
 #define USER_CERT_FILE ".postgresql/postgresql.crt"
 #define USER_KEY_FILE ".postgresql/postgresql.key"
 #define ROOT_CERT_FILE ".postgresql/root.crt"
+#define ROOT_CRL_FILE ".postgresql/root.crl"
 #else
 /* On Windows, the "home" directory is already PostgreSQL-specific */
 #define USER_CERT_FILE "postgresql.crt"
 #define USER_KEY_FILE "postgresql.key"
 #define ROOT_CERT_FILE "root.crt"
+#define ROOT_CRL_FILE "root.crl"
 #endif
 
 #ifdef NOT_USED
@@ -784,6 +786,8 @@ initialize_SSL(PGconn *conn)
 	snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, ROOT_CERT_FILE);
 	if (stat(fnbuf, &buf) == 0)
 	{
+		X509_STORE *cvstore;
+
 		if (!SSL_CTX_load_verify_locations(SSL_context, fnbuf, NULL))
 		{
 			char *err = SSLerrmessage();
@@ -795,6 +799,28 @@ initialize_SSL(PGconn *conn)
 			return -1;
 		}
 
+		if ((cvstore = SSL_CTX_get_cert_store(SSL_context)) != NULL)
+		{
+			/* setting the flags to check against the complete CRL chain */
+			if (X509_STORE_load_locations(cvstore, ROOT_CRL_FILE, NULL) != 0)
+/* OpenSSL 0.96 does not support X509_V_FLAG_CRL_CHECK */
+#ifdef X509_V_FLAG_CRL_CHECK
+				X509_STORE_set_flags(cvstore,
+					X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL);
+			/* if not found, silently ignore; we do not require CRL */
+#else
+			{
+				char *err = SSLerrmessage();
+
+				printfPQExpBuffer(&conn->errorMessage,
+					libpq_gettext("Installed SSL library does not support CRL certificates, file \"%s\"\n"),
+					fnbuf);
+				SSLerrfree(err);
+				return -1;
+			}
+#endif
+		}
+
 		SSL_CTX_set_verify(SSL_context, SSL_VERIFY_PEER, verify_cb);
 	}
 }
-- 
2.11.0
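Review bot: In the @@ -795 hunk the CRL is loaded with the bare relative path `ROOT_CRL_FILE`, whereas the root certificate a few lines earlier is resolved under `homedir` via `snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, ROOT_CERT_FILE)`; as written, X509_STORE_load_locations() looks for `.postgresql/root.crl` relative to the client's current working directory, and since a failed load is deliberately ignored ("we do not require CRL"), revocation checking is silently never enabled for a CRL placed next to root.crt. Build the path the same way before the load, `snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, ROOT_CRL_FILE);` followed by `if (X509_STORE_load_locations(cvstore, fnbuf, NULL) != 0)`, which also makes the `#else` error message name the CRL file instead of the root-certificate path still sitting in fnbuf. In that `#else` branch the `SSLerrmessage()` result is fetched and freed but never included in the message, so either report it or drop the two calls. The enclosing initialize_SSL() starts outside this hunk.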