Index: configure Index: configure.in =================================================================== RCS file: /projects/cvsroot/pgsql/configure.in,v retrieving revision 1.464 diff -c -r1.464 configure.in *** configure.in 29 Apr 2006 20:47:29 -0000 1.464 --- configure.in 30 May 2006 10:51:30 -0000 *************** *** 489,498 **** # AC_MSG_CHECKING([whether to build with OpenSSL support]) PGAC_ARG_BOOL(with, openssl, no, [ --with-openssl build with OpenSSL support], ! [AC_DEFINE([USE_SSL], 1, [Define to build with (Open)SSL support. (--with-openssl)])]) AC_MSG_RESULT([$with_openssl]) AC_SUBST(with_openssl) # # Prefer libedit --- 489,515 ---- # AC_MSG_CHECKING([whether to build with OpenSSL support]) PGAC_ARG_BOOL(with, openssl, no, [ --with-openssl build with OpenSSL support], ! [AC_DEFINE([USE_SSL_OPENSSL], 1, [Define to build with (Open)SSL support. (--with-openssl)])]) AC_MSG_RESULT([$with_openssl]) AC_SUBST(with_openssl) + # + # GnuTLS + # + AC_MSG_CHECKING([whether to build with GnuTLS support]) + PGAC_ARG_BOOL(with, gnutls, no, [ --with-gnutls build with GnuTLS support], + [AC_DEFINE([USE_SSL_GNUTLS], 1, [Define to build with GnuTLS (SSL) support. (--with-gnutls)])]) + AC_MSG_RESULT([$with_gnutls]) + AC_SUBST(with_gnutls) + + if test "$with_openssl" = yes -o "$with_gnutls" = yes ; then + AC_DEFINE([USE_SSL], 1, [Define to build with SSL support (select either OpenSSL or GnuTLS)]) + fi + + if test "$with_openssl" = yes -a "$with_gnutls" = yes ; then + AC_MSG_ERROR([ + *** Cannot select both OpenSSL and GnuTLS.]) + fi # # Prefer libedit *************** *** 692,697 **** --- 709,720 ---- fi fi + if test "$with_gnutls" = yes ; then + AC_CHECK_LIB(gnutls, gnutls_init, [], [AC_MSG_ERROR([library 'gnutls' is required for GnuTLS])]) + # Technically we only need this with --enable-thread-safety + AC_CHECK_LIB(gcrypt, gcry_control, [], [AC_MSG_ERROR([library 'gcrypt' is required for GnuTLS])]) + fi + if test "$with_pam" = yes ; then AC_CHECK_LIB(pam, pam_start, [], [AC_MSG_ERROR([library 'pam' is required for PAM])]) fi *************** *** 774,779 **** --- 797,807 ---- AC_CHECK_HEADER(openssl/err.h, [], [AC_MSG_ERROR([header file is required for OpenSSL])]) fi + if test "$with_gnutls" = yes ; then + AC_CHECK_HEADER(gnutls/gnutls.h, [], [AC_MSG_ERROR([header file is required for GnuTLS])]) + AC_CHECK_HEADER(gcrypt.h, [], [AC_MSG_ERROR([header file is required for GnuTLS])]) + fi + if test "$with_pam" = yes ; then AC_CHECK_HEADERS(security/pam_appl.h, [], [AC_CHECK_HEADERS(pam/pam_appl.h, [], Index: src/backend/libpq/be-secure.c =================================================================== RCS file: /projects/cvsroot/pgsql/src/backend/libpq/be-secure.c,v retrieving revision 1.70 diff -c -r1.70 be-secure.c *** src/backend/libpq/be-secure.c 12 May 2006 22:44:36 -0000 1.70 --- src/backend/libpq/be-secure.c 30 May 2006 10:51:32 -0000 *************** *** 89,99 **** #include #endif ! #ifdef USE_SSL #include #include #endif #include "libpq/libpq.h" #include "miscadmin.h" #include "tcop/tcopprot.h" --- 89,108 ---- #include #endif ! #ifdef USE_SSL_OPENSSL #include #include #endif + #ifdef USE_SSL_GNUTLS + #include + #include + + /* If thread safety ever becomes an issue for the backend, we will need to + * include this. See the frontend code in libpq. */ + /* #include */ + #endif + #include "libpq/libpq.h" #include "miscadmin.h" #include "tcop/tcopprot.h" *************** *** 106,132 **** #define SERVER_CERT_FILE "server.crt" #define SERVER_PRIVATE_KEY_FILE "server.key" - static DH *load_dh_file(int keylength); - static DH *load_dh_buffer(const char *, size_t); - static DH *tmp_dh_cb(SSL *s, int is_export, int keylength); - static int verify_cb(int, X509_STORE_CTX *); - static void info_cb(const SSL *ssl, int type, int args); static void initialize_SSL(void); static void destroy_SSL(void); static int open_server_SSL(Port *); static void close_SSL(Port *); - static const char *SSLerrmessage(void); - #endif - - #ifdef USE_SSL /* * How much data can be sent across a secure connection * (total in both directions) before we require renegotiation. */ #define RENEGOTIATION_LIMIT (512 * 1024 * 1024) static SSL_CTX *SSL_context = NULL; #endif /* ------------------------------------------------------------ */ /* Hardcoded values */ --- 115,148 ---- #define SERVER_CERT_FILE "server.crt" #define SERVER_PRIVATE_KEY_FILE "server.key" static void initialize_SSL(void); static void destroy_SSL(void); static int open_server_SSL(Port *); static void close_SSL(Port *); /* * How much data can be sent across a secure connection * (total in both directions) before we require renegotiation. */ #define RENEGOTIATION_LIMIT (512 * 1024 * 1024) + #endif + #ifdef USE_SSL_OPENSSL + static DH *load_dh_file(int keylength); + static DH *load_dh_buffer(const char *, size_t); + static DH *tmp_dh_cb(SSL *s, int is_export, int keylength); + static int verify_cb(int, X509_STORE_CTX *); + static void info_cb(const SSL *ssl, int type, int args); + static const char *SSLerrmessage(void); static SSL_CTX *SSL_context = NULL; #endif + #ifdef USE_SSL_GNUTLS + static const char *SSLerrmessage(int); + + static bool SSL_verify_client; + static gnutls_certificate_credentials SSL_cred; /* Credentials for connecting */ + + #define DH_BITS 1024 + #endif /* ------------------------------------------------------------ */ /* Hardcoded values */ *************** *** 153,160 **** * for fun and profit, review "Assigned Number for SKIP * Protocols" (http://www.skip-vpn.org/spec/numbers.html) * for suggestions. */ ! #ifdef USE_SSL static const char file_dh512[] = "-----BEGIN DH PARAMETERS-----\n\ --- 169,179 ---- * for fun and profit, review "Assigned Number for SKIP * Protocols" (http://www.skip-vpn.org/spec/numbers.html) * for suggestions. + * + * Note: GnuTLS does not use this. Instead it generates a random set + * each server restart. */ ! #ifdef USE_SSL_OPENSSL static const char file_dh512[] = "-----BEGIN DH PARAMETERS-----\n\ *************** *** 258,264 **** { ssize_t n; ! #ifdef USE_SSL if (port->ssl) { int err; --- 277,283 ---- { ssize_t n; ! #ifdef USE_SSL_OPENSSL if (port->ssl) { int err; *************** *** 312,317 **** --- 331,366 ---- } } else + #elif defined(USE_SSL_GNUTLS) + if (port->ssl) + { + rloop: + n = gnutls_record_recv(port->ssl, ptr, len); + if( n < 0 ) + { + if( n == GNUTLS_E_INTERRUPTED || + n == GNUTLS_E_AGAIN ) + { + #ifdef WIN32 + pgwin32_waitforsinglesocket(gnutls_transport_get_ptr(port->ssl), + (gnutls_record_get_direction(port->ssl) == 0) ? + FD_READ | FD_CLOSE : FD_WRITE | FD_CLOSE); + #endif + goto rloop; + } + else + { + ereport(COMMERROR, + (errcode(ERRCODE_PROTOCOL_VIOLATION), + errmsg("SSL error: %s", SSLerrmessage(n)))); + errno = ECONNRESET; + n = -1; + } + } + else + port->count += n; + } + else #endif { prepare_for_client_read(); *************** *** 332,338 **** { ssize_t n; ! #ifdef USE_SSL if (port->ssl) { int err; --- 381,387 ---- { ssize_t n; ! #ifdef USE_SSL_OPENSSL if (port->ssl) { int err; *************** *** 411,416 **** --- 460,530 ---- } } else + #elif defined(USE_SSL_GNUTLS) + if( port->ssl ) + { + int err; + + wloop: + n = gnutls_record_send(port->ssl, ptr, len); + if( n < 0 ) + { + if( n == GNUTLS_E_INTERRUPTED || + n == GNUTLS_E_AGAIN ) + { + #ifdef WIN32 + pgwin32_waitforsinglesocket(port->sock), + (gnutls_record_get_direction(port->ssl) == 0) ? + FD_READ | FD_CLOSE : FD_WRITE | FD_CLOSE); + #endif + goto wloop; + } + else + { + ereport(COMMERROR, + (errcode(ERRCODE_PROTOCOL_VIOLATION), + errmsg("SSL error: %s", SSLerrmessage(n)))); + errno = ECONNRESET; + n = -1; + } + return n; + } + port->count += n; + + if (port->count > RENEGOTIATION_LIMIT) + { + /* Note: we don't allow the user to ignore the renegotiation request. We could... */ + do { + err = gnutls_rehandshake(port->ssl); + } while( err == GNUTLS_E_INTERRUPTED || err == GNUTLS_E_AGAIN ); + + if (err < 0) + { + ereport(COMMERROR, + (errcode(ERRCODE_PROTOCOL_VIOLATION), + errmsg("SSL renegotiation failure: %s",SSLerrmessage(err)))); + errno = ECONNRESET; + return -1; + } + + do { + err = gnutls_handshake(port->ssl); + } while( err == GNUTLS_E_INTERRUPTED || err == GNUTLS_E_AGAIN ); + + if (err < 0) + { + ereport(COMMERROR, + (errcode(ERRCODE_PROTOCOL_VIOLATION), + errmsg("SSL renegotiation failure: %s", SSLerrmessage(err)))); + + errno = ECONNRESET; + return -1; + } + + port->count = 0; + } + } + else #endif n = send(port->sock, ptr, len, 0); *************** *** 418,426 **** } /* ------------------------------------------------------------ */ ! /* SSL specific code */ /* ------------------------------------------------------------ */ ! #ifdef USE_SSL /* * Private substitute BIO: this wraps the SSL library's standard socket BIO --- 532,540 ---- } /* ------------------------------------------------------------ */ ! /* OpenSSL specific code */ /* ------------------------------------------------------------ */ ! #ifdef USE_SSL_OPENSSL /* * Private substitute BIO: this wraps the SSL library's standard socket BIO *************** *** 995,998 **** return errbuf; } ! #endif /* USE_SSL */ --- 1109,1453 ---- return errbuf; } ! #endif /* USE_SSL_OPENSSL */ ! #ifdef USE_SSL_GNUTLS ! /* ! * Private substitute BIO: this wraps the SSL library's standard socket BIO ! * so that we can enable and disable interrupts just while calling recv(). ! * We cannot have interrupts occurring while the bulk of openssl runs, ! * because it uses malloc() and possibly other non-reentrant libc facilities. ! */ ! ! static int ! gnutls_raw_read(gnutls_transport_ptr fd, void *buf, size_t size) ! { ! int res; ! ! prepare_for_client_read(); ! ! res = read((int)fd, buf, size); ! ! client_read_ended(); ! ! return res; ! } ! ! /* ! * Certificate verification callback ! * ! * This callback allows us to log intermediate problems during ! * verification, but for now we'll see if the final error message ! * contains enough information. ! * ! * This callback also allows us to override the default acceptance ! * criteria (e.g., accepting self-signed or expired certs), but ! * for now we accept the default checks. ! */ ! #ifdef NOT_USED ! static int ! verify_cb(int ok, X509_STORE_CTX *ctx) ! { ! return ok; ! } ! #endif ! ! /* ! * This callback is used to copy SSL information messages ! * into the PostgreSQL log. ! */ ! #ifdef NOT_USED ! static void ! info_cb(const SSL *ssl, int type, int args) ! { ! } ! #endif ! ! /* ! * Initialize global SSL context. This will be called once, by the postmaster during startup ! */ ! static void ! initialize_SSL(void) ! { ! struct stat buf; ! gnutls_dh_params dh_params; ! int error; ! ! #ifdef ENABLE_THREAD_SAFETY ! /* GnuTLS is thread-safe by design, but gcrypt may not be. Here we assume that the lib is pthread */ ! /* Thread safety not an issue for server */ ! /* gcry_control (GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread); */ ! #endif ! /* Do gnutls_check_version(LIBGNUTLS_VERSION) ? */ ! error = gnutls_global_init(); /* Check for error */ ! if( error < 0 ) ! ereport(FATAL, ! (errmsg("could not initialize GnuTLS: %s", ! SSLerrmessage(error)))); ! ! gnutls_certificate_allocate_credentials (&SSL_cred); ! ! if (stat(SERVER_PRIVATE_KEY_FILE, &buf) == -1) ! ereport(FATAL, ! (errcode_for_file_access(), ! errmsg("could not access private key file \"%s\": %m", ! SERVER_PRIVATE_KEY_FILE))); ! ! /* ! * Require no public access to key file. ! * ! * XXX temporarily suppress check when on Windows, because there may ! * not be proper support for Unix-y file permissions. Need to think ! * of a reasonable check to apply on Windows. (See also the data ! * directory permission check in postmaster.c) ! */ ! #if !defined(WIN32) && !defined(__CYGWIN__) ! if (!S_ISREG(buf.st_mode) || (buf.st_mode & (S_IRWXG | S_IRWXO)) || ! buf.st_uid != geteuid()) ! ereport(FATAL, ! (errcode(ERRCODE_CONFIG_FILE_ERROR), ! errmsg("unsafe permissions on private key file \"%s\"", ! SERVER_PRIVATE_KEY_FILE), ! errdetail("File must be owned by the database user and must have no permissions for \"group\" or \"other\"."))); ! #endif ! ! if( (error = gnutls_certificate_set_x509_key_file( SSL_cred, SERVER_CERT_FILE, SERVER_PRIVATE_KEY_FILE, GNUTLS_X509_FMT_PEM )) < 0 ) ! ereport(FATAL, ! (errmsg("could not load private key/certificate file \"%s\", \"%s\": %s", ! SERVER_PRIVATE_KEY_FILE, SERVER_CERT_FILE, SSLerrmessage(error)))); ! ! ! /* set up empheral DH keys */ ! #if 0 ! gnutls_certificate_set_params_function(SSL_cred, tmp_dh_cb); ! #else ! gnutls_dh_params_init (&dh_params); ! gnutls_dh_params_generate2 (dh_params, DH_BITS); ! gnutls_certificate_set_dh_params (SSL_cred, dh_params); ! #endif ! ! /* Cannot setup the allowed cipher list, must do that at connection start */ ! ! /* ! * Require and check client certificates only if we have a root.crt file. ! */ ! error = gnutls_certificate_set_x509_trust_file (SSL_cred, ROOT_CERT_FILE, GNUTLS_X509_FMT_PEM); ! if ( error < 0 ) ! { ! /* Not fatal - we do not require client certificates */ ! ereport(LOG, ! (errmsg("could not load root certificate file \"%s\": %s", ! ROOT_CERT_FILE, SSLerrmessage(error)), ! errdetail("Will not verify client certificates."))); ! } ! else ! { ! SSL_verify_client = TRUE; ! error = gnutls_certificate_set_x509_crl_file (SSL_cred, ROOT_CRL_FILE, GNUTLS_X509_FMT_PEM); ! if ( error < 0 ) ! { ! /* Not fatal - we do not require a CRL file */ ! ereport(LOG, ! (errmsg("SSL Certificate Revocation List (CRL) file \"%s\" not found, skipping: %s", ! ROOT_CRL_FILE, SSLerrmessage(error)), ! errdetail("Will not check certificates against CRL."))); ! } ! } ! ! #ifdef NOT_USED ! /* We don't use a verify function, but if we did, here's where we'd set it */ ! SSL_CTX_set_verify(SSL_context, ! (SSL_VERIFY_PEER | ! SSL_VERIFY_FAIL_IF_NO_PEER_CERT | ! SSL_VERIFY_CLIENT_ONCE), ! verify_cb); ! #endif ! } ! ! /* ! * Destroy global SSL context. ! */ ! static void ! destroy_SSL(void) ! { ! gnutls_certificate_free_credentials(SSL_cred); ! SSL_cred = NULL; ! gnutls_global_deinit(); ! } ! ! /* ! * Attempt to negotiate SSL connection. ! */ ! static int ! open_server_SSL(Port *port) ! { ! int err; ! int certcount; ! ! const int kx_prio[] = { GNUTLS_KX_DHE_RSA, GNUTLS_KX_DHE_DSS, 0 }; ! /* Only do X509 certificates */ ! const int cert_type_priority[] = { GNUTLS_CRT_X509, 0 }; ! const int cipher_type_priority[] = { GNUTLS_CIPHER_AES_256_CBC, GNUTLS_CIPHER_AES_128_CBC, GNUTLS_CIPHER_ARCFOUR_128, 0 }; ! const int mac_type_priority[] = { GNUTLS_MAC_SHA, GNUTLS_MAC_RMD160, 0 }; ! ! Assert(!port->ssl); ! Assert(!port->peer); ! ! err = gnutls_init (&port->ssl, GNUTLS_SERVER); ! if( err < 0 ) ! { ! ereport(COMMERROR, ! (errcode(ERRCODE_PROTOCOL_VIOLATION), ! errmsg("could not initialize SSL connection: %s", ! SSLerrmessage(err)))); ! close_SSL(port); ! return -1; ! } ! /* Use default priorities */ ! gnutls_set_default_priority (port->ssl); ! /* Server uses: ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH. This means: ! * - No anonymous DH cipher suites. ! * - Low security keys ! * - No export algorithms ! * - No MD5 */ ! gnutls_kx_set_priority (port->ssl, kx_prio); /* DH keyexchange only */ ! gnutls_certificate_type_set_priority (port->ssl, cert_type_priority); /* X.509 certs only */ ! gnutls_cipher_set_priority( port->ssl, cipher_type_priority ); ! gnutls_mac_set_priority( port->ssl, mac_type_priority ); ! ! gnutls_transport_set_ptr (port->ssl, (gnutls_transport_ptr) port->sock); ! gnutls_session_set_ptr (port->ssl, port); ! ! /* setup customer read function */ ! gnutls_transport_set_pull_function( port->ssl, gnutls_raw_read ); ! ! /* set up mechanism to provide client certificate, if available */ ! gnutls_credentials_set (port->ssl, GNUTLS_CRD_CERTIFICATE, SSL_cred); ! ! /* Set the number of bits for DH */ ! gnutls_dh_set_prime_bits (port->ssl, DH_BITS); ! ! /* Request a certificate, if any */ ! gnutls_certificate_server_set_request (port->ssl, GNUTLS_CERT_REQUEST); ! ! aloop: ! err = gnutls_handshake (port->ssl); ! if (err < 0) ! { ! if( err == GNUTLS_E_AGAIN || ! err == GNUTLS_E_INTERRUPTED ) ! { ! #ifdef WIN32 ! pgwin32_waitforsinglesocket(port->sock), ! (gnutls_record_get_direction(port->ssl) == 0) ? ! FD_READ | FD_CLOSE | FD_ACCEPT : FD_WRITE | FD_CLOSE); ! #endif ! goto aloop; ! } ! ereport(COMMERROR, ! (errcode_for_socket_access(), ! errmsg("could not accept SSL connection: %s", SSLerrmessage(err)))); ! close_SSL(port); ! return -1; ! } ! ! port->count = 0; ! ! /* get server certificate */ ! port->peer = gnutls_certificate_get_peers(port->ssl, &certcount); ! ! strncpy(port->peer_dn, "(anonymous)", sizeof(port->peer_dn)); ! strncpy(port->peer_cn, "(anonymous)", sizeof(port->peer_cn)); ! ! if( port->peer ) ! { ! gnutls_x509_crt cert; ! ! err = gnutls_x509_crt_init (&cert); ! if(err == 0) ! err = gnutls_x509_crt_import (cert, &port->peer[0], GNUTLS_X509_FMT_DER); ! if(err < 0) ! { ! ereport(WARNING, ! (errmsg("gnutls_x509_crt_import failure: %s\n", SSLerrmessage(err)))); ! } ! else ! { ! int size = sizeof(port->peer_dn); ! gnutls_x509_crt_get_dn (cert, port->peer_dn, &size); ! port->peer_dn[sizeof(port->peer_dn) - 1] = '\0'; ! ! size = sizeof(port->peer_cn); ! gnutls_x509_crt_get_dn_by_oid(cert, GNUTLS_OID_X520_COMMON_NAME, 0, 0, port->peer_cn, &size ); ! port->peer_cn[sizeof(port->peer_cn) - 1] = '\0'; ! ! gnutls_x509_crt_deinit( cert ); ! } ! } ! /* If asked to verify server, do so */ ! if( SSL_verify_client ) ! { ! int status; ! err = gnutls_certificate_verify_peers2 (port->ssl, &status); ! if(err < 0) ! { ! ereport(COMMERROR, ! (errmsg("SSL verification error: %s\n", SSLerrmessage(err)))); ! close_SSL(port); ! return -1; ! } ! if( status ) ! { ! ereport(COMMERROR, ! (errmsg("Server cert verification failure: %d\n", status))); ! close_SSL(port); ! return -1; ! } ! } ! ereport(DEBUG2, ! (errmsg("SSL connection from \"%s\"", port->peer_cn))); ! ! #ifdef NOT_USED ! /* set up debugging/info callback */ ! SSL_CTX_set_info_callback(SSL_context, info_cb); ! #endif ! ! return 0; ! } ! ! /* ! * Close SSL connection. ! */ ! static void ! close_SSL(Port *port) ! { ! /* Isn't allocated, so don't free */ ! if (port->peer) ! port->peer = NULL; ! /* Clear SSL data */ ! if (port->ssl) ! { ! gnutls_deinit(port->ssl); ! port->ssl = NULL; ! } ! ! } ! ! /* ! * Obtain reason string for last SSL error ! * ! * gnutls_strerror returns a useful string even if it doesn't recognise the error code ! */ ! static const char * ! SSLerrmessage(int errcode) ! { ! if (errcode == 0) ! return "No SSL error reported"; ! /* Error in push/pull function is error in socket send/recv */ ! if( errcode == GNUTLS_E_PUSH_ERROR || errcode == GNUTLS_E_PULL_ERROR ) ! return strerror(errno); ! ! return gnutls_strerror(errcode); ! } ! ! #endif ! Index: src/bin/psql/startup.c =================================================================== RCS file: /projects/cvsroot/pgsql/src/bin/psql/startup.c,v retrieving revision 1.132 diff -c -r1.132 startup.c *** src/bin/psql/startup.c 27 Apr 2006 02:58:08 -0000 1.132 --- src/bin/psql/startup.c 30 May 2006 10:51:33 -0000 *************** *** 8,14 **** #include "postgres_fe.h" #include ! #ifdef USE_SSL #include #endif --- 8,14 ---- #include "postgres_fe.h" #include ! #ifdef USE_SSL_OPENSSL #include #endif *************** *** 731,736 **** --- 731,737 ---- static void printSSLInfo(void) { + #ifdef USE_SSL_OPENSSL int sslbits = -1; SSL *ssl; *************** *** 741,746 **** --- 742,752 ---- SSL_get_cipher_bits(ssl, &sslbits); printf(_("SSL connection (cipher: %s, bits: %i)\n\n"), SSL_get_cipher(ssl), sslbits); + #elif defined(USE_SSL_GNUTLS) + if( !PQgetssl(pset.db) ) + return; + printf(_("SSL connection\n\n")); + #endif } #endif Index: src/include/pg_config.h.in Index: src/include/libpq/libpq-be.h =================================================================== RCS file: /projects/cvsroot/pgsql/src/include/libpq/libpq-be.h,v retrieving revision 1.55 diff -c -r1.55 libpq-be.h *** src/include/libpq/libpq-be.h 5 Mar 2006 15:58:56 -0000 1.55 --- src/include/libpq/libpq-be.h 30 May 2006 10:51:33 -0000 *************** *** 21,29 **** #ifdef HAVE_SYS_TIME_H #include #endif ! #ifdef USE_SSL #include #include #endif #ifdef HAVE_NETINET_TCP_H #include --- 21,35 ---- #ifdef HAVE_SYS_TIME_H #include #endif ! #ifdef USE_SSL_OPENSSL #include #include + typedef SSL *pg_sslcontext; + typedef X509 *pg_sslcert; + #elif USE_SSL_GNUTLS + #include + typedef gnutls_session pg_sslcontext; + typedef const gnutls_datum *pg_sslcert; #endif #ifdef HAVE_NETINET_TCP_H #include *************** *** 100,107 **** * SSL structures */ #ifdef USE_SSL ! SSL *ssl; ! X509 *peer; char peer_dn[128 + 1]; char peer_cn[SM_USER + 1]; unsigned long count; --- 106,113 ---- * SSL structures */ #ifdef USE_SSL ! pg_sslcontext ssl; ! pg_sslcert peer; char peer_dn[128 + 1]; char peer_cn[SM_USER + 1]; unsigned long count; Index: src/interfaces/libpq/fe-misc.c =================================================================== RCS file: /projects/cvsroot/pgsql/src/interfaces/libpq/fe-misc.c,v retrieving revision 1.127 diff -c -r1.127 fe-misc.c *** src/interfaces/libpq/fe-misc.c 23 May 2006 19:28:45 -0000 1.127 --- src/interfaces/libpq/fe-misc.c 30 May 2006 10:51:33 -0000 *************** *** 970,976 **** #ifdef USE_SSL /* Check for SSL library buffering read bytes */ ! if (forRead && conn->ssl && SSL_pending(conn->ssl) > 0) { /* short-circuit the select */ return 1; --- 970,976 ---- #ifdef USE_SSL /* Check for SSL library buffering read bytes */ ! if (forRead && conn->ssl && pqsecure_pending(conn) > 0) { /* short-circuit the select */ return 1; Index: src/interfaces/libpq/fe-secure.c =================================================================== RCS file: /projects/cvsroot/pgsql/src/interfaces/libpq/fe-secure.c,v retrieving revision 1.81 diff -c -r1.81 fe-secure.c *** src/interfaces/libpq/fe-secure.c 11 May 2006 23:27:35 -0000 1.81 --- src/interfaces/libpq/fe-secure.c 30 May 2006 10:51:33 -0000 *************** *** 114,123 **** #include "strdup.h" #endif ! #ifdef USE_SSL #include ! #endif /* USE_SSL */ #ifdef USE_SSL --- 114,132 ---- #include "strdup.h" #endif ! #ifdef USE_SSL_OPENSSL #include ! #include ! #endif /* USE_SSL_OPENSSL */ + #ifdef USE_SSL_GNUTLS + #include + #include + + #ifdef ENABLE_THREAD_SAFETY + #include + #endif + #endif /* USE_SSL_GNUTLS */ #ifdef USE_SSL *************** *** 132,158 **** #define USER_KEY_FILE "postgresql.key" #define ROOT_CERT_FILE "root.crt" #define ROOT_CRL_FILE "root.crl" ! #endif #ifdef NOT_USED static int verify_peer(PGconn *); #endif static int verify_cb(int ok, X509_STORE_CTX *ctx); static int client_cert_cb(SSL *, X509 **, EVP_PKEY **); - static int init_ssl_system(PGconn *conn); - static int initialize_SSL(PGconn *); - static void destroy_SSL(void); - static PostgresPollingStatusType open_client_SSL(PGconn *); - static void close_SSL(PGconn *); static char *SSLerrmessage(void); static void SSLerrfree(char *buf); - #endif - #ifdef USE_SSL static bool pq_initssllib = true; static SSL_CTX *SSL_context = NULL; #endif /* ------------------------------------------------------------ */ /* Procedures common to all secure sessions */ --- 141,191 ---- #define USER_KEY_FILE "postgresql.key" #define ROOT_CERT_FILE "root.crt" #define ROOT_CRL_FILE "root.crl" ! #endif /* WIN32 */ + static int initialize_SSL(PGconn *); + static void destroy_SSL(void); + static void close_SSL(PGconn *); + static PostgresPollingStatusType open_client_SSL(PGconn *); + static int init_ssl_system(PGconn *conn); + + static char ssl_nomem[] = "Out of memory allocating error description"; + + #define SSL_ERR_LEN 128 + + #endif + + #ifdef USE_SSL_OPENSSL #ifdef NOT_USED static int verify_peer(PGconn *); #endif static int verify_cb(int ok, X509_STORE_CTX *ctx); static int client_cert_cb(SSL *, X509 **, EVP_PKEY **); static char *SSLerrmessage(void); static void SSLerrfree(char *buf); static bool pq_initssllib = true; static SSL_CTX *SSL_context = NULL; + #endif /* USE_SSL_OPENSSL */ + + #ifdef USE_SSL_GNUTLS + /* Define this for extra debugging info */ + /* #define GNUTLS_DEBUG */ + + static char *pq_gnutls_errmessage(int err); + static void pq_gnutls_errfree(char *buf); + + static int SSL_verify_server; + static int SSL_handshake; + static gnutls_certificate_credentials SSL_cred; /* Credentials for connecting */ + + #ifdef ENABLE_THREAD_SAFETY + GCRY_THREAD_OPTION_PTHREAD_IMPL; #endif + #endif /* USE_SSL_GNUTLS */ + + /* ------------------------------------------------------------ */ /* Procedures common to all secure sessions */ *************** *** 166,172 **** void PQinitSSL(int do_init) { ! #ifdef USE_SSL pq_initssllib = do_init; #endif } --- 199,205 ---- void PQinitSSL(int do_init) { ! #ifdef USE_SSL_OPENSSL pq_initssllib = do_init; #endif } *************** *** 203,209 **** PostgresPollingStatusType pqsecure_open_client(PGconn *conn) { ! #ifdef USE_SSL /* First time through? */ if (conn->ssl == NULL) { --- 236,242 ---- PostgresPollingStatusType pqsecure_open_client(PGconn *conn) { ! #if defined(USE_SSL_OPENSSL) /* First time through? */ if (conn->ssl == NULL) { *************** *** 229,234 **** --- 262,316 ---- } /* Begin or continue the actual handshake */ return open_client_SSL(conn); + #elif defined(USE_SSL_GNUTLS) + const int kx_prio[] = { GNUTLS_KX_DHE_RSA, GNUTLS_KX_DHE_DSS, 0 }; + /* Only do X509 certificates */ + const int cert_type_priority[] = { GNUTLS_CRT_X509, 0 }; + const int cipher_type_priority[] = { GNUTLS_CIPHER_AES_256_CBC, GNUTLS_CIPHER_AES_128_CBC, GNUTLS_CIPHER_ARCFOUR_128, 0 }; + const int mac_type_priority[] = { GNUTLS_MAC_SHA, GNUTLS_MAC_RMD160, 0 }; + + /* First time through? */ + if (conn->ssl == NULL) + { + int error = gnutls_init ( (gnutls_session*)(&conn->ssl), GNUTLS_CLIENT); + if (error) + { + char *err = pq_gnutls_errmessage(error); + + printfPQExpBuffer(&conn->errorMessage, + libpq_gettext("could not create SSL context: %s\n"), + err); + pq_gnutls_errfree(err); + + return -1; + } + // gnutls_credentials_set (conn->ssl, GNUTLS_CRD_ANON, SSL_anoncred); + + /* Use default priorities */ + gnutls_set_default_priority (conn->ssl); + /* Server uses: ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH. This means: + * - No anonymous DH cipher suites. + * - Low security keys + * - No export algorithms + * - No MD5 */ + gnutls_kx_set_priority (conn->ssl, kx_prio); /* DH keyexchange only */ + gnutls_certificate_type_set_priority (conn->ssl, cert_type_priority); /* X.509 certs only */ + gnutls_cipher_set_priority( conn->ssl, cipher_type_priority ); + gnutls_mac_set_priority( conn->ssl, mac_type_priority ); + + gnutls_transport_set_ptr (conn->ssl, (gnutls_transport_ptr) conn->sock); + gnutls_session_set_ptr (conn->ssl, conn); + + /* set up mechanism to provide client certificate, if available */ + gnutls_credentials_set (conn->ssl, GNUTLS_CRD_CERTIFICATE, SSL_cred); + /* + * Initialize errorMessage to empty. This allows open_client_SSL() to + * detect whether pg_gnutls_client_cert_cb() has stored a message. + */ + resetPQExpBuffer(&conn->errorMessage); + } + /* Begin or continue the actual handshake */ + return open_client_SSL(conn); #else /* shouldn't get here */ return PGRES_POLLING_FAILED; *************** *** 255,261 **** { ssize_t n; ! #ifdef USE_SSL if (conn->ssl) { int err; --- 337,343 ---- { ssize_t n; ! #if defined(USE_SSL_OPENSSL) if (conn->ssl) { int err; *************** *** 319,324 **** --- 401,455 ---- } } else + #elif defined(USE_SSL_GNUTLS) + if( conn->ssl ) + { + rloop: + if( SSL_handshake ) + n = gnutls_handshake(conn->ssl); + else + n = gnutls_record_recv(conn->ssl, ptr, len); + if( n < 0 ) + { + if( n == GNUTLS_E_INTERRUPTED || + n == GNUTLS_E_AGAIN ) + { + /* + * Returning 0 here would cause caller to wait for read-ready, + * which is not correct since what SSL wants is wait for + * write-ready. The former could get us stuck in an infinite + * wait, so don't risk it; busy-loop instead. + */ + if( gnutls_record_get_direction(conn->ssl) == 0 ) /* read */ + n = 0; + else + goto rloop; + } + else if( n == GNUTLS_E_REHANDSHAKE ) + { + /* Server wants a rehandshake. */ + SSL_handshake = true; + goto rloop; + } + else + { + char *err = pq_gnutls_errmessage(n); + printfPQExpBuffer(&conn->errorMessage, + libpq_gettext("SSL error: %s\n"), err); + pq_gnutls_errfree(err); + SOCK_ERRNO_SET(ECONNRESET); + n = -1; + } + } + /* If we get here, the handshake has completed */ + else if( SSL_handshake ) + { + SSL_handshake = false; + /* Go back and read actual data now */ + goto rloop; + } + } + else #endif n = recv(conn->sock, ptr, len, 0); *************** *** 347,353 **** #endif /* ENABLE_THREAD_SAFETY */ #endif /* WIN32 */ ! #ifdef USE_SSL if (conn->ssl) { int err; --- 478,484 ---- #endif /* ENABLE_THREAD_SAFETY */ #endif /* WIN32 */ ! #if defined(USE_SSL_OPENSSL) if (conn->ssl) { int err; *************** *** 415,420 **** --- 546,593 ---- } } else + #elif defined(USE_SSL_GNUTLS) + if( conn->ssl ) + { + #if defined(ENABLE_THREAD_SAFETY) && !defined(WIN32) + got_epipe = false; + #endif + if( SSL_handshake ) + n = gnutls_handshake(conn->ssl); + else + n = gnutls_record_send(conn->ssl, ptr, len); + if( n < 0 ) + { + #if defined(ENABLE_THREAD_SAFETY) && !defined(WIN32) + if (SOCK_ERRNO == EPIPE) + got_epipe = true; + #endif + if( n == GNUTLS_E_INTERRUPTED || + n == GNUTLS_E_AGAIN ) + { + /* + * Returning 0 here causes caller to wait + * for write-ready, which is may not really + * the right thing, but it's the best we can + * do. + */ + n = 0; + } + else + { + char *err = pq_gnutls_errmessage(n); + printfPQExpBuffer(&conn->errorMessage, + libpq_gettext("SSL error: %s\n"), err); + pq_gnutls_errfree(err); + SOCK_ERRNO_SET(ECONNRESET); + n = -1; + SSL_handshake = false; + } + } + else + SSL_handshake = false; + } + else #endif { n = send(conn->sock, ptr, len, 0); *************** *** 436,444 **** } /* ------------------------------------------------------------ */ ! /* SSL specific code */ /* ------------------------------------------------------------ */ ! #ifdef USE_SSL /* * Certificate verification callback --- 609,617 ---- } /* ------------------------------------------------------------ */ ! /* OpenSSL specific code */ /* ------------------------------------------------------------ */ ! #if defined(USE_SSL_OPENSSL) /* * Certificate verification callback *************** *** 932,957 **** #endif /* pull out server distinguished and common names */ - conn->peer = SSL_get_peer_certificate(conn->ssl); - if (conn->peer == NULL) { ! char *err = SSLerrmessage(); ! ! printfPQExpBuffer(&conn->errorMessage, ! libpq_gettext("certificate could not be obtained: %s\n"), ! err); ! SSLerrfree(err); ! close_SSL(conn); ! return PGRES_POLLING_FAILED; ! } ! X509_NAME_oneline(X509_get_subject_name(conn->peer), ! conn->peer_dn, sizeof(conn->peer_dn)); ! conn->peer_dn[sizeof(conn->peer_dn) - 1] = '\0'; ! X509_NAME_get_text_by_NID(X509_get_subject_name(conn->peer), NID_commonName, conn->peer_cn, SM_USER); ! conn->peer_cn[SM_USER] = '\0'; /* verify that the common name resolves to peer */ --- 1105,1135 ---- #endif /* pull out server distinguished and common names */ { ! X509 *peer = SSL_get_peer_certificate(conn->ssl); ! if (peer == NULL) ! { ! char *err = SSLerrmessage(); ! ! printfPQExpBuffer(&conn->errorMessage, ! libpq_gettext("certificate could not be obtained: %s\n"), ! err); ! SSLerrfree(err); ! close_SSL(conn); ! return PGRES_POLLING_FAILED; ! } ! X509_NAME_oneline(X509_get_subject_name(peer), ! conn->peer_dn, sizeof(conn->peer_dn)); ! conn->peer_dn[sizeof(conn->peer_dn) - 1] = '\0'; ! X509_NAME_get_text_by_NID(X509_get_subject_name(peer), NID_commonName, conn->peer_cn, SM_USER); ! conn->peer_cn[SM_USER] = '\0'; ! ! X509_free(peer); ! } ! /* verify that the common name resolves to peer */ *************** *** 986,997 **** SSL_free(conn->ssl); conn->ssl = NULL; } - - if (conn->peer) - { - X509_free(conn->peer); - conn->peer = NULL; - } } /* --- 1164,1169 ---- *************** *** 1001,1010 **** * return NULL if it doesn't recognize the error code. We don't * want to return NULL ever. */ - static char ssl_nomem[] = "Out of memory allocating error description"; - - #define SSL_ERR_LEN 128 - static char * SSLerrmessage(void) { --- 1173,1178 ---- *************** *** 1049,1055 **** return NULL; return conn->ssl; } ! #else /* !USE_SSL */ void * PQgetssl(PGconn *conn) --- 1217,1653 ---- return NULL; return conn->ssl; } ! ! int ! pqsecure_pending(PGconn *conn) ! { ! return SSL_pending(conn->ssl); ! } ! #elif defined(USE_SSL_GNUTLS) ! /*********************************************************************************** ! * GnuTLS specific code * ! ***********************************************************************************/ ! static void ! pq_gnutls_load_file( PGconn *conn, const char *filename, gnutls_datum *datum ) ! { ! int filesize; ! FILE *f; ! ! datum->size = 0; ! datum->data = NULL; ! ! if( (f = fopen( filename, "r" )) == NULL ) ! { ! printfPQExpBuffer(&conn->errorMessage, ! libpq_gettext("could not open file \"%s\": %m\n"), ! filename); ! return; ! } ! if( (filesize = fseek( f, SEEK_END, 0 )) < 0 ) ! { ! printfPQExpBuffer(&conn->errorMessage, ! libpq_gettext("could not seek file \"%s\": %m\n"), ! filename); ! return; ! } ! if( fseek( f, SEEK_SET, 0 ) < 0 ) ! { ! printfPQExpBuffer(&conn->errorMessage, ! libpq_gettext("could not seek file \"%s\": %m\n"), ! filename); ! return; ! } ! datum->data = malloc( filesize ); ! if( fread( datum->data, filesize, 1, f ) != 1 ) ! { ! printfPQExpBuffer(&conn->errorMessage, ! libpq_gettext("could not read file \"%s\": %m\n"), ! filename); ! return; ! } ! fclose(f); ! datum->size = filesize; ! return; ! } ! /* ! * Callback used by SSL to load client cert and key. ! * This callback is only called when the server wants a ! * client cert. ! * ! * Must return 0 on success. ! */ ! static int ! pg_gnutls_client_cert_cb(gnutls_session session, const gnutls_datum * req_ca_rdn, int nreqs, ! const gnutls_pk_algorithm * pk_algos, ! int pk_algos_length, gnutls_retr_st *st) ! { ! gnutls_certificate_type type; ! gnutls_x509_crt ssl_clientcrt; ! gnutls_x509_privkey ssl_clientkey; ! ! char homedir[MAXPGPATH]; ! struct stat buf; ! ! char crtfile[MAXPGPATH], keyfile[MAXPGPATH]; ! gnutls_datum crtdatum, keydatum; ! ! PGconn *conn = (PGconn *) gnutls_session_get_ptr(session); ! ! type = gnutls_certificate_type_get (session); ! if (type != GNUTLS_CRT_X509) ! return -1; ! ! /* Setup these values so we can return 0 at any time to try without cert */ ! st->type = type; ! st->ncerts = 0; ! st->cert.x509 = NULL; ! st->key.x509 = NULL; ! st->deinit_all = 0; ! ! if (!pqGetHomeDirectory(homedir, sizeof(homedir))) ! { ! printfPQExpBuffer(&conn->errorMessage, ! libpq_gettext("could not get user information\n")); ! return 0; ! } ! ! /* find the user certificate */ ! snprintf(crtfile, sizeof(crtfile), "%s/%s", homedir, USER_CERT_FILE); ! if (stat(crtfile, &buf) == -1) ! { ! printfPQExpBuffer(&conn->errorMessage, ! libpq_gettext("could not find certificate file \"%s\"\n"), ! crtfile); ! return 0; ! } ! /* find the user key */ ! snprintf(keyfile, sizeof(keyfile), "%s/%s", homedir, USER_KEY_FILE); ! if (stat(keyfile, &buf) == -1) ! { ! printfPQExpBuffer(&conn->errorMessage, ! libpq_gettext("certificate present, but not private key file \"%s\"\n"), ! keyfile); ! return 0; ! } ! #ifndef WIN32 ! if (!S_ISREG(buf.st_mode) || (buf.st_mode & 0077) || ! buf.st_uid != geteuid()) ! { ! printfPQExpBuffer(&conn->errorMessage, ! libpq_gettext("private key file \"%s\" has wrong permissions\n"), ! keyfile); ! return 0; ! } ! #endif ! pq_gnutls_load_file( conn, crtfile, &crtdatum ); ! pq_gnutls_load_file( conn, keyfile, &keydatum ); ! ! if( crtdatum.size && keydatum.size ) ! { ! int err; ! ! gnutls_x509_crt_init( &ssl_clientcrt ); ! gnutls_x509_privkey_init( &ssl_clientkey ); ! ! err = gnutls_x509_crt_import( ssl_clientcrt, &crtdatum, GNUTLS_X509_FMT_PEM ); ! if( err == 0 ) ! err = gnutls_x509_privkey_import( ssl_clientkey, &keydatum, GNUTLS_X509_FMT_PEM ); ! if( err == 0 ) ! { ! st->ncerts = 1; ! st->key.x509 = ssl_clientkey; ! st->cert.x509 = malloc( sizeof(ssl_clientcrt)); /* No easy way to clean this up */ ! st->cert.x509[0] = ssl_clientcrt; ! st->deinit_all = 1; ! } ! else ! { ! char *error = pq_gnutls_errmessage(err); ! ! printfPQExpBuffer(&conn->errorMessage, ! libpq_gettext("could not parse key/cert files: %s\n"), ! error); ! pq_gnutls_errfree(error); ! } ! } ! if( crtdatum.data ) ! free( crtdatum.data ); ! if( keydatum.data ) ! free( keydatum.data ); ! ! ! return 0; ! } ! ! #ifdef GNUTLS_DEBUG ! static void ! pq_gnutls_log( int level, const char *str ) ! { ! fprintf( stderr, "%d: %s\n", level, str ); ! } ! #endif ! ! /* ! * Initialize global SSL context. ! */ ! static int ! initialize_SSL(PGconn *conn) ! { ! struct stat buf; ! char homedir[MAXPGPATH]; ! char fnbuf[MAXPGPATH]; ! ! if (init_ssl_system(conn)) ! return -1; ! ! gnutls_certificate_allocate_credentials (&SSL_cred); ! ! /* Set up to verify server cert, if root.crt is present */ ! if (pqGetHomeDirectory(homedir, sizeof(homedir))) ! { ! snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, ROOT_CERT_FILE); ! if (stat(fnbuf, &buf) == 0) ! { ! int error; ! error = gnutls_certificate_set_x509_trust_file (SSL_cred, fnbuf, GNUTLS_X509_FMT_PEM); ! if( error < 0 ) ! { ! char *err = pq_gnutls_errmessage(error); ! ! printfPQExpBuffer(&conn->errorMessage, ! libpq_gettext("could not read root certificate file \"%s\": %s\n"), ! fnbuf, err); ! pq_gnutls_errfree(err); ! return -1; ! } ! SSL_verify_server = TRUE; ! } ! } ! ! gnutls_certificate_client_set_retrieve_function(SSL_cred, pg_gnutls_client_cert_cb); ! ! return 0; ! } ! ! /* ! * Destroy global SSL context. ! */ ! void ! destroy_SSL(void) ! { ! if (SSL_cred) ! { ! gnutls_certificate_free_credentials (SSL_cred); ! SSL_cred = NULL; ! ! gnutls_global_deinit (); ! } ! } ! ! static int ! init_ssl_system(PGconn *conn) ! { ! int error; ! #ifdef ENABLE_THREAD_SAFETY ! /* GnuTLS is thread-safe by design, but gcrypt may not be. Here we assume that the lib is pthread */ ! gcry_control (GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread); ! #endif ! /* Do gnutls_check_version(LIBGNUTLS_VERSION) ? */ ! error = gnutls_global_init(); /* Check for error */ ! if (error) ! { ! char *err = pq_gnutls_errmessage(error); ! ! printfPQExpBuffer(&conn->errorMessage, ! libpq_gettext("could not create SSL context: %s\n"), ! err); ! pq_gnutls_errfree(err); ! return -1; ! } ! #ifdef GNUTLS_DEBUG ! gnutls_global_set_log_function( pq_gnutls_log ); ! gnutls_global_set_log_level (9); ! #endif ! return 0; ! } ! ! /* ! * Attempt to negotiate SSL connection. ! */ ! static PostgresPollingStatusType ! open_client_SSL(PGconn *conn) ! { ! int err; ! int cert_list_size, status, size; ! gnutls_x509_crt cert; ! ! err = gnutls_handshake(conn->ssl); ! if (err < 0) ! { ! if( err == GNUTLS_E_AGAIN || ! err == GNUTLS_E_INTERRUPTED ) ! { ! if( gnutls_record_get_direction(conn->ssl) == 0 ) ! return PGRES_POLLING_READING; ! else ! return PGRES_POLLING_WRITING; ! } ! if( gnutls_error_is_fatal(err) ) ! { ! printfPQExpBuffer(&conn->errorMessage, ! libpq_gettext("SSL error: %s\n"), ! gnutls_strerror(err)); ! close_SSL(conn); ! return PGRES_POLLING_FAILED; ! } ! else ! { ! printfPQExpBuffer(&conn->errorMessage, ! libpq_gettext("Unexpected non-fatal SSL error: %s\n"), ! gnutls_strerror(err)); ! close_SSL(conn); ! return PGRES_POLLING_FAILED; ! } ! } ! ! /* If asked to verify server, do so */ ! if( SSL_verify_server ) ! { ! err = gnutls_certificate_verify_peers2 (conn->ssl, &status); ! if(err < 0) ! { ! printfPQExpBuffer(&conn->errorMessage, ! libpq_gettext("SSL verification error: %s\n"), ! gnutls_strerror(err)); ! close_SSL(conn); ! return PGRES_POLLING_FAILED; ! } ! if( status ) ! { ! printfPQExpBuffer(&conn->errorMessage, ! libpq_gettext("Server cert verification failure: %d\n"), ! status); ! close_SSL(conn); ! return PGRES_POLLING_FAILED; ! } ! } ! /* pull out server distinguished and common names */ ! const gnutls_datum *peer = gnutls_certificate_get_peers (conn->ssl, &cert_list_size); ! if (peer == NULL) ! { ! printfPQExpBuffer(&conn->errorMessage, ! libpq_gettext("certificate could not be obtained\n")); ! close_SSL(conn); ! return PGRES_POLLING_FAILED; ! } ! err = gnutls_x509_crt_init (&cert); ! if(err < 0) ! { ! printfPQExpBuffer(&conn->errorMessage, ! libpq_gettext("gnutls_x509_crt_init failure: %s\n"), ! gnutls_strerror(err)); ! close_SSL(conn); ! return PGRES_POLLING_FAILED; ! } ! ! err = gnutls_x509_crt_import (cert, &peer[0], GNUTLS_X509_FMT_DER); ! if(err < 0) ! { ! printfPQExpBuffer(&conn->errorMessage, ! libpq_gettext("gnutls_x509_crt_import failure: %s\n"), ! gnutls_strerror(err)); ! close_SSL(conn); ! return PGRES_POLLING_FAILED; ! } ! size = sizeof(conn->peer_dn); ! gnutls_x509_crt_get_dn (cert, conn->peer_dn, &size); ! conn->peer_dn[sizeof(conn->peer_dn) - 1] = '\0'; ! ! size = sizeof(conn->peer_cn); ! gnutls_x509_crt_get_dn_by_oid(cert, GNUTLS_OID_X520_COMMON_NAME, 0, 0, conn->peer_cn, &size ); ! conn->peer_cn[sizeof(conn->peer_cn) - 1] = '\0'; ! ! gnutls_x509_crt_deinit( cert ); ! /* SSL handshake is complete */ ! return PGRES_POLLING_OK; ! } ! ! /* ! * Close SSL connection. ! */ ! void ! close_SSL(PGconn *conn) ! { ! if (conn->ssl) ! { ! #ifdef NOT_USED ! conn->peer = NULL; /* Is allocated as part of session, no need to free */ ! #endif ! gnutls_bye (conn->ssl, GNUTLS_SHUT_RDWR); ! gnutls_deinit (conn->ssl); ! conn->ssl = NULL; ! } ! } ! ! /* ! * Obtain reason string for last SSL error ! * ! * Some caution is needed here since ERR_reason_error_string will ! * return NULL if it doesn't recognize the error code. We don't ! * want to return NULL ever. ! */ ! ! static char * ! pq_gnutls_errmessage(int errcode) ! { ! const char *errreason; ! char *errbuf; ! ! errbuf = malloc(SSL_ERR_LEN); ! if (!errbuf) ! return ssl_nomem; ! if (errcode >= 0) ! { ! strcpy(errbuf, "No SSL error reported"); ! return errbuf; ! } ! errreason = gnutls_strerror(errcode); ! if (errreason != NULL) ! { ! strncpy(errbuf, errreason, SSL_ERR_LEN - 1); ! errbuf[SSL_ERR_LEN - 1] = '\0'; ! return errbuf; ! } ! snprintf(errbuf, SSL_ERR_LEN, "SSL error code %u", errcode); ! return errbuf; ! } ! ! static void ! pq_gnutls_errfree(char *buf) ! { ! if (buf != ssl_nomem) ! free(buf); ! } ! ! /* ! * Return pointer to SSL object. ! * ! * Unfortunatly, this function was in the past defined to return a ! * pointer to an OpenSSL structure, so here we just return NULL. ! * ! */ ! void * ! PQgetssl(PGconn *conn) ! { ! return NULL; ! } ! ! int ! pqsecure_pending(PGconn *conn) ! { ! return gnutls_record_check_pending(conn->ssl); ! } ! #else /* !USE_SSL_OPENSSL && !USE_SSL_GNUTLS */ void * PQgetssl(PGconn *conn) Index: src/interfaces/libpq/libpq-int.h =================================================================== RCS file: /projects/cvsroot/pgsql/src/interfaces/libpq/libpq-int.h,v retrieving revision 1.113 diff -c -r1.113 libpq-int.h *** src/interfaces/libpq/libpq-int.h 21 May 2006 20:19:23 -0000 1.113 --- src/interfaces/libpq/libpq-int.h 30 May 2006 10:51:33 -0000 *************** *** 49,59 **** /* include stuff found in fe only */ #include "pqexpbuffer.h" - #ifdef USE_SSL - #include - #include - #endif - /* * POSTGRES backend dependent Constants. */ --- 49,54 ---- *************** *** 338,345 **** bool allow_ssl_try; /* Allowed to try SSL negotiation */ bool wait_ssl_try; /* Delay SSL negotiation until after * attempting normal connection */ ! SSL *ssl; /* SSL status, if have SSL connection */ ! X509 *peer; /* X509 cert of server */ char peer_dn[256 + 1]; /* peer distinguished name */ char peer_cn[SM_USER + 1]; /* peer common name */ #endif --- 333,339 ---- bool allow_ssl_try; /* Allowed to try SSL negotiation */ bool wait_ssl_try; /* Delay SSL negotiation until after * attempting normal connection */ ! void *ssl; /* SSL status, if have SSL connection */ char peer_dn[256 + 1]; /* peer distinguished name */ char peer_cn[SM_USER + 1]; /* peer common name */ #endif *************** *** 480,485 **** --- 474,480 ---- extern void pqsecure_close(PGconn *); extern ssize_t pqsecure_read(PGconn *, void *ptr, size_t len); extern ssize_t pqsecure_write(PGconn *, const void *ptr, size_t len); + extern int pqsecure_pending(PGconn *); #if defined(ENABLE_THREAD_SAFETY) && !defined(WIN32) extern int pq_block_sigpipe(sigset_t *osigset, bool *sigpipe_pending);