diff --git a/src/backend/libpq/be-secure.c b/src/backend/libpq/be-secure.c index 9080b133b2..f74f8f9275 100644 --- a/src/backend/libpq/be-secure.c +++ b/src/backend/libpq/be-secure.c @@ -11,13 +11,13 @@ * * * IDENTIFICATION - * $PostgreSQL: pgsql/src/backend/libpq/be-secure.c,v 1.100 2010/05/26 15:52:37 tgl Exp $ + * $PostgreSQL: pgsql/src/backend/libpq/be-secure.c,v 1.101 2010/05/26 16:15:57 tgl Exp $ * * Since the server static private key ($DataDir/server.key) * will normally be stored unencrypted so that the database * backend can restart automatically, it is important that * we select an algorithm that continues to provide confidentiality - * even if the attacker has the server's private key. Empheral + * even if the attacker has the server's private key. Ephemeral * DH (EDH) keys provide this, and in fact provide Perfect Forward * Secrecy (PFS) except for situations where the session can * be hijacked during a periodic handshake/renegotiation. @@ -113,7 +113,7 @@ char *SSLCipherSuites = NULL; /* ------------------------------------------------------------ */ /* - * Hardcoded DH parameters, used in empheral DH keying. + * Hardcoded DH parameters, used in ephemeral DH keying. * As discussed above, EDH protects the confidentiality of * sessions even if the static private key is compromised, * so we are *highly* motivated to ensure that we can use @@ -411,7 +411,6 @@ wloop: * directly so it gets passed through the socket/signals layer on Win32. * * They are closely modelled on the original socket implementations in OpenSSL. - * */ static bool my_bio_initialized = false; @@ -501,7 +500,7 @@ err: * to verify that the DBA-generated DH parameters file contains * what we expect it to contain. */ -static DH * +static DH * load_dh_file(int keylength) { FILE *fp; @@ -559,7 +558,7 @@ load_dh_file(int keylength) * To prevent problems if the DH parameters files don't even * exist, we can load DH parameters hardcoded into this file. */ -static DH * +static DH * load_dh_buffer(const char *buffer, size_t len) { BIO *bio; @@ -579,7 +578,7 @@ load_dh_buffer(const char *buffer, size_t len) } /* - * Generate an empheral DH key. Because this can take a long + * Generate an ephemeral DH key. Because this can take a long * time to compute, we can use precomputed parameters of the * common key sizes. * @@ -591,7 +590,7 @@ load_dh_buffer(const char *buffer, size_t len) * the OpenSSL library can efficiently generate random keys from * the information provided. */ -static DH * +static DH * tmp_dh_cb(SSL *s, int is_export, int keylength) { DH *r = NULL; @@ -737,7 +736,7 @@ initialize_SSL(void) SSLerrmessage()))); /* - * Load and verify certificate and private key + * Load and verify server's certificate and private key */ if (SSL_CTX_use_certificate_chain_file(SSL_context, SERVER_CERT_FILE) != 1) @@ -782,11 +781,11 @@ initialize_SSL(void) SSLerrmessage()))); } - /* set up empheral DH keys */ + /* set up ephemeral DH keys, and disallow SSL v2 while at it */ SSL_CTX_set_tmp_dh_callback(SSL_context, tmp_dh_cb); SSL_CTX_set_options(SSL_context, SSL_OP_SINGLE_DH_USE | SSL_OP_NO_SSLv2); - /* setup the allowed cipher list */ + /* set up the allowed cipher list */ if (SSL_CTX_set_cipher_list(SSL_context, SSLCipherSuites) != 1) elog(FATAL, "could not set the cipher list (no valid ciphers available)"); @@ -794,42 +793,38 @@ initialize_SSL(void) * Attempt to load CA store, so we can verify client certificates if * needed. */ - if (access(ROOT_CERT_FILE, R_OK)) - { - ssl_loaded_verify_locations = false; + ssl_loaded_verify_locations = false; + if (access(ROOT_CERT_FILE, R_OK) != 0) + { /* - * If root certificate file simply not found. Don't log an error here, + * If root certificate file simply not found, don't log an error here, * because it's quite likely the user isn't planning on using client * certificates. If we can't access it for other reasons, it is an * error. */ if (errno != ENOENT) - { ereport(FATAL, (errmsg("could not access root certificate file \"%s\": %m", ROOT_CERT_FILE))); - } } else if (SSL_CTX_load_verify_locations(SSL_context, ROOT_CERT_FILE, NULL) != 1 || (root_cert_list = SSL_load_client_CA_file(ROOT_CERT_FILE)) == NULL) { /* * File was there, but we could not load it. This means the file is - * somehow broken, and we cannot do verification at all - so abort - * here. + * somehow broken, and we cannot do verification at all - so fail. */ - ssl_loaded_verify_locations = false; ereport(FATAL, (errmsg("could not load root certificate file \"%s\": %s", ROOT_CERT_FILE, SSLerrmessage()))); } else { - /* - * Check the Certificate Revocation List (CRL) if file exists. - * http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci803160, - * 00.html + /*---------- + * Load the Certificate Revocation List (CRL) if file exists. + * http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci803160,00.html + *---------- */ X509_STORE *cvstore = SSL_CTX_get_cert_store(SSL_context); @@ -837,7 +832,8 @@ initialize_SSL(void) { /* Set the flags to check against the complete CRL chain */ if (X509_STORE_load_locations(cvstore, ROOT_CRL_FILE, NULL) == 1) -/* OpenSSL 0.96 does not support X509_V_FLAG_CRL_CHECK */ + { + /* OpenSSL 0.96 does not support X509_V_FLAG_CRL_CHECK */ #ifdef X509_V_FLAG_CRL_CHECK X509_STORE_set_flags(cvstore, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL); @@ -847,6 +843,7 @@ initialize_SSL(void) ROOT_CRL_FILE), errdetail("SSL library does not support certificate revocation lists."))); #endif + } else { /* Not fatal - we do not require CRL */ @@ -858,14 +855,15 @@ initialize_SSL(void) /* * Always ask for SSL client cert, but don't fail if it's not - * presented. We'll fail later in this case, based on what we find - * in pg_hba.conf. + * presented. We might fail such connections later, depending on + * what we find in pg_hba.conf. */ SSL_CTX_set_verify(SSL_context, (SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE), verify_cb); + /* Set flag to remember CA store is successfully loaded */ ssl_loaded_verify_locations = true; }