[Pgpool-hackers] [PATCH 3/3] Add new SSL verification options ssl_ca_cert and ssl_ca_cert_dir
Sean Finney
sean at stickybit.se
Wed Jan 27 16:44:43 UTC 2010
These two options provide the ability to check the certificate
provided by a backend server against a specified CA (i.e. to determine
authenticity and validity of a certificate). By default the behavior
of postgres is followed--no checks are done. If either of these is
set and verification fails then the connection is aborted.
The documentation and sample config files have been updated to include
these options.
---
doc/pgpool-en.html | 35 +++++++++++++++++++
pgpool.conf.sample | 10 +++++
pgpool.conf.sample-master-slave | 10 +++++
pgpool.conf.sample-replication | 10 +++++
pool.h | 2 +
pool_config.c | 72 ++++++++++++++++++++++++++++++++++-----
pool_config.l | 40 +++++++++++++++++++++
pool_ssl.c | 16 +++++++++
8 files changed, 186 insertions(+), 9 deletions(-)
diff --git a/doc/pgpool-en.html b/doc/pgpool-en.html
index f3b8d2f..37c4605 100644
--- a/doc/pgpool-en.html
+++ b/doc/pgpool-en.html
@@ -718,6 +718,41 @@ You need to reload pgpool.conf if you change the value.
be disabled for incoming frontend connections.
</p>
</dd>
+
+ <dt>ssl_ca_cert</dt>
+ <dd>
+ <p>
+ The path to a PEM format file containing one or more CA root
+ certificates, which can be used to verify the backend server
+ certificate. This is analagous to the <code>-CAfile</code> option
+ to the OpenSSL <code>verify(1)</code> command.
+ </p>
+
+ <p>
+ The default value for this option is unset, such that no
+ verification takes place. Verification will still occur if
+ this option is not set but a value has been given for
+ <code>ssl_ca_cert_dir</code>.
+ </p>
+ </dd>
+
+ <dt>ssl_ca_cert_dir</dt>
+ <dd>
+ <p>
+ The path to a directory containing PEM format CA certficate
+ files, which can be used to verify the backend server
+ certificate. This is analagous to the <code>-CApath</code> option
+ to the OpenSSL <code>verify(1)</code> command.
+ </p>
+
+ <p>
+ The default value for this option is unset, such that no
+ verification takes place. Verification will still occur if
+ this option is not set but a value has been given for
+ <code>ssl_ca_cert</code>.
+ </p>
+ </dd>
+
</dl>
<h4>Generating SSL certificates</h4>
diff --git a/pgpool.conf.sample b/pgpool.conf.sample
index 8c7ffa1..5b59a52 100644
--- a/pgpool.conf.sample
+++ b/pgpool.conf.sample
@@ -228,3 +228,13 @@ ssl = false
#ssl_key = './server.key'
# path to the SSL public certificate file
#ssl_cert = './server.cert'
+
+# If either ssl_ca_cert or ssl_ca_cert_dir is set, then certificate
+# verification will be performed to establish the authenticity of the
+# certificate. If neither is set to a nonempty string then no such
+# verification takes place. ssl_ca_cert should be a path to a single
+# PEM format file containing CA root certificate(s), whereas ssl_ca_cert_dir
+# should be a directory containing such files. These are analagous to the
+# -CAfile and -CApath options to openssl verify(1), respectively.
+#ssl_ca_cert = ''
+#ssl_ca_cert_dir = ''
diff --git a/pgpool.conf.sample-master-slave b/pgpool.conf.sample-master-slave
index a77d467..d5931d8 100644
--- a/pgpool.conf.sample-master-slave
+++ b/pgpool.conf.sample-master-slave
@@ -228,3 +228,13 @@ ssl = false
#ssl_key = './server.key'
# path to the SSL public certificate file
#ssl_cert = './server.cert'
+
+# If either ssl_ca_cert or ssl_ca_cert_dir is set, then certificate
+# verification will be performed to establish the authenticity of the
+# certificate. If neither is set to a nonempty string then no such
+# verification takes place. ssl_ca_cert should be a path to a single
+# PEM format file containing CA root certificate(s), whereas ssl_ca_cert_dir
+# should be a directory containing such files. These are analagous to the
+# -CAfile and -CApath options to openssl verify(1), respectively.
+#ssl_ca_cert = ''
+#ssl_ca_cert_dir = ''
diff --git a/pgpool.conf.sample-replication b/pgpool.conf.sample-replication
index 5d1c99c..1f50144 100644
--- a/pgpool.conf.sample-replication
+++ b/pgpool.conf.sample-replication
@@ -228,3 +228,13 @@ ssl = false
#ssl_key = './server.key'
# path to the SSL public certificate file
#ssl_cert = './server.cert'
+
+# If either ssl_ca_cert or ssl_ca_cert_dir is set, then certificate
+# verification will be performed to establish the authenticity of the
+# certificate. If neither is set to a nonempty string then no such
+# verification takes place. ssl_ca_cert should be a path to a single
+# PEM format file containing CA root certificate(s), whereas ssl_ca_cert_dir
+# should be a directory containing such files. These are analagous to the
+# -CAfile and -CApath options to openssl verify(1), respectively.
+#ssl_ca_cert = ''
+#ssl_ca_cert_dir = ''
diff --git a/pool.h b/pool.h
index 57e9415..42a375e 100644
--- a/pool.h
+++ b/pool.h
@@ -221,6 +221,8 @@ typedef struct {
int ssl; /* if non 0, activate ssl support (frontend+backend) */
char *ssl_cert; /* path to ssl certificate (frontend only) */
char *ssl_key; /* path to ssl key (frontend only) */
+ char *ssl_ca_cert; /* path to root (CA) certificate */
+ char *ssl_ca_cert_dir; /* path to directory containing CA certificates */
} POOL_CONFIG;
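Review bot: The comments on the two new fields should say which side of the connection uses them, as the neighbouring `ssl_cert`/`ssl_key` comments do with "(frontend only)". Judging from the pool_ssl.c hunk in this patch, the CA settings appear to be applied only when the backend-side context is built, so `char *ssl_ca_cert; /* path to CA certificate file used to verify backend certs (backend only) */` and `char *ssl_ca_cert_dir; /* directory of CA certificates used to verify backend certs (backend only) */` would keep the struct self-describing. The enclosing typedef begins before the hunk.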
#define MAX_PASSWORD_SIZE 1024
diff --git a/pool_config.c b/pool_config.c
index 4d92840..8a2df3d 100644
--- a/pool_config.c
+++ b/pool_config.c
@@ -53,7 +53,6 @@ typedef int flex_int32_t;
typedef unsigned char flex_uint8_t;
typedef unsigned short int flex_uint16_t;
typedef unsigned int flex_uint32_t;
-#endif /* ! C99 */
/* Limits of integral types. */
#ifndef INT8_MIN
@@ -84,6 +83,8 @@ typedef unsigned int flex_uint32_t;
#define UINT32_MAX (4294967295U)
#endif
+#endif /* ! C99 */
+
#endif /* ! FLEXINT_H */
#ifdef __cplusplus
@@ -140,7 +141,15 @@ typedef unsigned int flex_uint32_t;
/* Size of default input buffer. */
#ifndef YY_BUF_SIZE
+#ifdef __ia64__
+/* On IA-64, the buffer size is 16k, not 8k.
+ * Moreover, YY_BUF_SIZE is 2*YY_READ_BUF_SIZE in the general case.
+ * Ditto for the __ia64__ case accordingly.
+ */
+#define YY_BUF_SIZE 32768
+#else
#define YY_BUF_SIZE 16384
+#endif /* __ia64__ */
#endif
/* The state buf must be large enough to hold one state per character in the main buffer.
@@ -485,7 +494,7 @@ char *yytext;
/* -*-pgsql-c-*- */
/*
*
- * $Header: /cvsroot/pgpool/pgpool-II/pool_config.c,v 1.34 2010/01/26 14:49:58 t-ishii Exp $
+ * $Header: /cvsroot/pgpool/pgpool-II/pool_config.l,v 1.30 2010/01/26 14:49:58 t-ishii Exp $
*
* pgpool: a language independent connection pool server for PostgreSQL
* written by Tatsuo Ishii
@@ -540,7 +549,7 @@ static char **extract_string_tokens(char *str, char *delim, int *n);
static int eval_logical(char *str);
static void clear_host_entry(int slot);
-#line 544 "pool_config.c"
+#line 553 "pool_config.c"
#define INITIAL 0
@@ -619,7 +628,12 @@ static int input (void );
/* Amount of stuff to slurp up with each read. */
#ifndef YY_READ_BUF_SIZE
+#ifdef __ia64__
+/* On IA-64, the buffer size is 16k, not 8k */
+#define YY_READ_BUF_SIZE 16384
+#else
#define YY_READ_BUF_SIZE 8192
+#endif /* __ia64__ */
#endif
/* Copy whatever the last rule matched to the standard output. */
@@ -627,7 +641,7 @@ static int input (void );
/* This used to be an fputs(), but since the string might contain NUL's,
* we now use fwrite().
*/
-#define ECHO fwrite( yytext, yyleng, 1, yyout )
+#define ECHO do { if (fwrite( yytext, yyleng, 1, yyout )) {} } while (0)
#endif
/* Gets input and stuffs it into "buf". number of characters read, or YY_NULL,
@@ -638,7 +652,7 @@ static int input (void );
if ( YY_CURRENT_BUFFER_LVALUE->yy_is_interactive ) \
{ \
int c = '*'; \
- int n; \
+ size_t n; \
for ( n = 0; n < max_size && \
(c = getc( yyin )) != EOF && c != '\n'; ++n ) \
buf[n] = (char) c; \
@@ -723,7 +737,7 @@ YY_DECL
#line 84 "pool_config.l"
-#line 727 "pool_config.c"
+#line 741 "pool_config.c"
if ( !(yy_init) )
{
@@ -861,7 +875,7 @@ YY_RULE_SETUP
#line 99 "pool_config.l"
ECHO;
YY_BREAK
-#line 865 "pool_config.c"
+#line 879 "pool_config.c"
case YY_STATE_EOF(INITIAL):
yyterminate();
@@ -1579,8 +1593,8 @@ YY_BUFFER_STATE yy_scan_string (yyconst char * yystr )
/** Setup the input buffer state to scan the given bytes. The next call to yylex() will
* scan from a @e copy of @a bytes.
- * @param bytes the byte buffer to scan
- * @param len the number of bytes in the buffer pointed to by @a bytes.
+ * @param yybytes the byte buffer to scan
+ * @param _yybytes_len the number of bytes in the buffer pointed to by @a bytes.
*
* @return the newly allocated buffer state object.
*/
@@ -1905,6 +1919,8 @@ int pool_init_config(void)
pool_config->ssl = 0;
pool_config->ssl_cert = "";
pool_config->ssl_key = "";
+ pool_config->ssl_ca_cert = "";
+ pool_config->ssl_ca_cert_dir = "";
res = gethostname(localhostname,sizeof(localhostname));
if(res !=0 )
@@ -3008,6 +3024,44 @@ int pool_get_config(char *confpath, POOL_CONFIG_CONTEXT context)
}
pool_config->ssl_key = str;
}
+ else if (!strcmp(key, "ssl_ca_cert") &&
+ CHECK_CONTEXT(INIT_CONFIG, context))
+ {
+ char *str;
+
+ if (token != POOL_STRING && token != POOL_UNQUOTED_STRING && token != POOL_KEY)
+ {
+ PARSE_ERROR();
+ fclose(fd);
+ return(-1);
+ }
+ str = extract_string(yytext, token);
+ if (str == NULL)
+ {
+ fclose(fd);
+ return(-1);
+ }
+ pool_config->ssl_ca_cert = str;
+ }
+ else if (!strcmp(key, "ssl_ca_cert_dir") &&
+ CHECK_CONTEXT(INIT_CONFIG, context))
+ {
+ char *str;
+
+ if (token != POOL_STRING && token != POOL_UNQUOTED_STRING && token != POOL_KEY)
+ {
+ PARSE_ERROR();
+ fclose(fd);
+ return(-1);
+ }
+ str = extract_string(yytext, token);
+ if (str == NULL)
+ {
+ fclose(fd);
+ return(-1);
+ }
+ pool_config->ssl_ca_cert_dir = str;
+ }
}
fclose(fd);
diff --git a/pool_config.l b/pool_config.l
index 51cfb2e..a0c4111 100644
--- a/pool_config.l
+++ b/pool_config.l
@@ -180,6 +180,8 @@ int pool_init_config(void)
pool_config->ssl = 0;
pool_config->ssl_cert = "";
pool_config->ssl_key = "";
+ pool_config->ssl_ca_cert = "";
+ pool_config->ssl_ca_cert_dir = "";
res = gethostname(localhostname,sizeof(localhostname));
if(res !=0 )
@@ -1283,6 +1285,44 @@ int pool_get_config(char *confpath, POOL_CONFIG_CONTEXT context)
}
pool_config->ssl_key = str;
}
+ else if (!strcmp(key, "ssl_ca_cert") &&
+ CHECK_CONTEXT(INIT_CONFIG, context))
+ {
+ char *str;
+
+ if (token != POOL_STRING && token != POOL_UNQUOTED_STRING && token != POOL_KEY)
+ {
+ PARSE_ERROR();
+ fclose(fd);
+ return(-1);
+ }
+ str = extract_string(yytext, token);
+ if (str == NULL)
+ {
+ fclose(fd);
+ return(-1);
+ }
+ pool_config->ssl_ca_cert = str;
+ }
+ else if (!strcmp(key, "ssl_ca_cert_dir") &&
+ CHECK_CONTEXT(INIT_CONFIG, context))
+ {
+ char *str;
+
+ if (token != POOL_STRING && token != POOL_UNQUOTED_STRING && token != POOL_KEY)
+ {
+ PARSE_ERROR();
+ fclose(fd);
+ return(-1);
+ }
+ str = extract_string(yytext, token);
+ if (str == NULL)
+ {
+ fclose(fd);
+ return(-1);
+ }
+ pool_config->ssl_ca_cert_dir = str;
+ }
}
fclose(fd);
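Review bot: A misconfigured `ssl_ca_cert` or `ssl_ca_cert_dir` path is accepted silently here and will only surface later when SSL_CTX_load_verify_locations fails inside init_ssl_ctx; since these values only matter at INIT_CONFIG time, an early readability check after `str = extract_string(yytext, token);` (for example `access(str, R_OK)` with a pool_error naming the option) would report the problem at startup instead of at the first backend SSL connection. The same code appears verbatim in the generated pool_config.c hunk (the one ending at `fclose(fd);` in that file), so any change must be made in the .l source and regenerated. Note also that the regenerated pool_config.c carries unrelated flex-version changes (IA-64 buffer sizes, the ECHO macro, `#line` shifts) which would be cleaner kept out of this patch. pool_get_config starts before the hunk and continues after it.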
diff --git a/pool_ssl.c b/pool_ssl.c
index b620022..bad76db 100644
--- a/pool_ssl.c
+++ b/pool_ssl.c
@@ -113,6 +113,7 @@ int pool_ssl_write(POOL_CONNECTION *cp, const void *buf, int size) {
static int init_ssl_ctx(POOL_CONNECTION *cp, enum ssl_conn_type conntype) {
int error = 0;
+ char *cacert = NULL, *cacert_dir = NULL;
/* initialize SSL members */
cp->ssl_ctx = SSL_CTX_new(TLSv1_method());
@@ -135,6 +136,21 @@ static int init_ssl_ctx(POOL_CONNECTION *cp, enum ssl_conn_type conntype) {
pool_error("pool_ssl: SSL key failure: %ld", ERR_get_error());
error = -1;
}
+ } else {
+ /* set extra verification if ssl_ca_cert or ssl_ca_cert_dir are set */
+ if (strlen(pool_config->ssl_ca_cert))
+ cacert = pool_config->ssl_ca_cert;
+ if (strlen(pool_config->ssl_ca_cert_dir))
+ cacert_dir = pool_config->ssl_ca_cert_dir;
+
+ if ( (!error) && (cacert || cacert_dir) ) {
+ if (! SSL_CTX_load_verify_locations(cp->ssl_ctx, cacert, cacert_dir)) {
+ pool_error("pool_ssl: SSL CA load error: %ld", ERR_get_error());
+ error = -1;
+ } else {
+ SSL_CTX_set_verify(cp->ssl_ctx, SSL_VERIFY_PEER, NULL);
+ }
+ }
}
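Review bot: `SSL_CTX_set_verify(cp->ssl_ctx, SSL_VERIFY_PEER, NULL)` only checks that the backend's certificate chains to one of the configured CAs; it does not check that the certificate belongs to the backend host being connected to, so any certificate issued by that CA would pass. That is a weaker guarantee than the "authenticity" the description and the sample config promise, and it should be stated where the option is applied, e.g. `/* SSL_VERIFY_PEER validates the chain against the configured CA only; the backend's identity (hostname/CN) is not checked here. */` above the SSL_CTX_set_verify call, with a matching sentence in the documentation of ssl_ca_cert. The condition `(!error) && (cacert || cacert_dir)` correctly skips SSL_CTX_load_verify_locations when both paths are empty, and the `strlen` calls rely on pool_init_config setting the defaults to `""` rather than NULL, which the pool_config.l hunk does. init_ssl_ctx begins before this hunk and continues after it.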
if (! error) {
--
1.6.6