Discussion: pgsql: libq support for sslpassword connection param, DER format keys
libq support for sslpassword connection param, DER format keys

This patch provides for support for password protected SSL client
keys in libpq, and for DER format keys, both encrypted and unencrypted.
There is a new connection parameter sslpassword, which is supplied to
the OpenSSL libraries via a callback function. The callback function can
also be set by an application by calling PQgetSSLKeyPassHook(). There is
also a function to retrieve the connection setting, PQsslpassword().

Craig Ringer and Andrew Dunstan

Reviewed by: Greg Nancarrow

Discussion: https://postgr.es/m/f7ee88ed-95c4-95c1-d4bf-7b415363ab62@2ndQuadrant.com

Branch
------
master

Details
-------
https://git.postgresql.org/pg/commitdiff/4dc63552109f65cebbe168203bd62c5e4c753162

Modified Files
--------------
contrib/dblink/expected/dblink.out        |   2 +-
doc/src/sgml/libpq.sgml                   | 134 ++++++++++++++++++++++++++++++
doc/src/sgml/postgres-fdw.sgml            |   2 +-
src/interfaces/libpq/exports.txt          |   4 +
src/interfaces/libpq/fe-connect.c         |  14 ++++
src/interfaces/libpq/fe-secure-openssl.c  |  99 +++++++++++++++++++++-
src/interfaces/libpq/libpq-fe.h           |   9 ++
src/interfaces/libpq/libpq-int.h          |   2 +
src/test/ssl/Makefile                     |  22 ++++-
src/test/ssl/ssl/client-der.key           | Bin 0 -> 1191 bytes
src/test/ssl/ssl/client-encrypted-der.key | Bin 0 -> 1191 bytes
src/test/ssl/ssl/client-encrypted-pem.key |  30 +++++++
src/test/ssl/t/001_ssltests.pl            |  75 +++++++++++++++--
13 files changed, 376 insertions(+), 17 deletions(-)
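An added example, not code from the commit or from libpq: a passphrase callback with the same shape as OpenSSL's pem_password_cb, the kind of function through which a setting such as sslpassword reaches the key loader. The struct key_pass holder, the function name and the sample passphrase are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical holder for the passphrase, passed to the callback as userdata. */
struct key_pass {
    const char *passphrase;     /* NULL when no passphrase was configured */
};

/*
 * Same signature as OpenSSL's pem_password_cb: write the passphrase into
 * buf (capacity size) and return its length. This example returns -1 when
 * it cannot supply a usable passphrase.
 */
int key_pass_cb(char *buf, int size, int rwflag, void *userdata)
{
    const struct key_pass *kp = userdata;
    size_t len;

    (void) rwflag;              /* 0 means decryption, the only use here */
    if (buf == NULL || size <= 0)
        return -1;
    buf[0] = '\0';              /* never leave stale bytes for the caller */
    if (kp == NULL || kp->passphrase == NULL)
        return 0;               /* nothing configured: report length 0 */
    len = strlen(kp->passphrase);
    if (len >= (size_t) size)
        return -1;              /* refuse to truncate: a cut-off passphrase is a wrong one */
    memcpy(buf, kp->passphrase, len + 1);
    return (int) len;
}

int main(void)
{
    char buf[64];
    struct key_pass kp = { "constructed-passphrase" };   /* constructed sample */
    int n = key_pass_cb(buf, (int) sizeof buf, 0, &kp);

    printf("callback returned %d\n", n);
    return n < 0;
}
```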
Andrew,

On Sat, Nov 30, 2019 at 08:45:25PM +0000, Andrew Dunstan wrote:
> libq support for sslpassword connection param, DER format keys
>
> This patch provides for support for password protected SSL client
> keys in libpq, and for DER format keys, both encrypted and unencrypted.
> There is a new connection parameter sslpassword, which is supplied to
> the OpenSSL libraries via a callback function. The callback function can
> also be set by an application by calling PQgetSSLKeyPassHook(). There is
> also a function to retrieve the connection setting, PQsslpassword().

Windows build is broken after this commit at link time on most animals:

libpqdll.def : error LNK2001: unresolved external symbol PQdefaultSSLKeyPassHook [C:\buildfarm\buildenv\HEAD\pgsql.build\libpq.vcxproj]
libpqdll.def : error LNK2001: unresolved external symbol PQgetSSLKeyPassHook [C:\buildfarm\buildenv\HEAD\pgsql.build\libpq.vcxproj]
libpqdll.def : error LNK2001: unresolved external symbol PQsetSSLKeyPassHook [C:\buildfarm\buildenv\HEAD\pgsql.build\libpq.vcxproj]

I have not checked the build, but it seems like the indentation in
exports.txt is not right. Your patch has added tabs for the new
entries, but spaces have been used up to now.
--
Michael
On 11/30/19 11:04 PM, Michael Paquier wrote:
> Andrew,
>
> On Sat, Nov 30, 2019 at 08:45:25PM +0000, Andrew Dunstan wrote:
>> libq support for sslpassword connection param, DER format keys
>>
>> This patch provides for support for password protected SSL client
>> keys in libpq, and for DER format keys, both encrypted and unencrypted.
>> There is a new connection parameter sslpassword, which is supplied to
>> the OpenSSL libraries via a callback function. The callback function can
>> also be set by an application by calling PQgetSSLKeyPassHook(). There is
>> also a function to retrieve the connection setting, PQsslpassword().
> Windows build is broken after this commit at link time on most animals:
> libpqdll.def : error LNK2001: unresolved external symbol
> PQdefaultSSLKeyPassHook
> [C:\buildfarm\buildenv\HEAD\pgsql.build\libpq.vcxproj]
> libpqdll.def : error LNK2001: unresolved external symbol
> PQgetSSLKeyPassHook
> [C:\buildfarm\buildenv\HEAD\pgsql.build\libpq.vcxproj]
> libpqdll.def : error LNK2001: unresolved external symbol
> PQsetSSLKeyPassHook [C:\buildfarm\buildenv\HEAD\pgsql.build\libpq.vcxproj]
>
> I have not checked the build, but it seems like the indentation in
> exports.txt is not right. Your patch has added tabs for the new
> entries, but spaces have been used up to now.

No, that's not the issue. The problem is that if we're not building with
openssl we don't link in fe-secure-openssl.c. It looks like I might need
to move some stuff from there to fe-secure.c.

cheers

andrew

--
Andrew Dunstan https://www.2ndQuadrant.com
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
On Sun, Dec 01, 2019 at 03:16:32PM -0500, Andrew Dunstan wrote:
> No, that's not the issue. The problem is that if we're not building with
> openssl we don't link in fe-secure-openssl.c. It looks like I might need
> to move some stuff from there to fe-secure.c.

We should try to keep as many things in fe-secure-openssl.c as we can
because these are designed to be specific to OpenSSL. Your solution
with c01ac6d was the right thing to do, thanks.
--
Michael