[[ Postgresql SSL ]] Updated the postgresql database driver to allow secure connections.

livecodemichael · livecodemichael · commit 1fd2122ac897 · 2015-10-14T09:57:53.000+01:00
The dbpostgresql database driver was updated to weakly link against libcrypto and libssl.
The revOpenDatabase function was updated for postgres to take 6 extra parameters that determine the nature of the SSL connection.
dbpostgresql was updated to connect using PQconnectdbParams, passing through the extra SSL paramters.
diff --git a/revdb/revdb.gyp b/revdb/revdb.gyp
@@ -24,6 +24,7 @@
 			'src/dbmysqlapi.cpp',
 			'src/mysql_connection.cpp',
 			'src/mysql_cursor.cpp',
+			'src/ssl.cpp',
 		],
 		
 		'dbodbc_sources':
@@ -42,6 +43,7 @@
 			'src/dbpostgresqlapi.cpp',
 			'src/postgresql_connection.cpp',
 			'src/postgresql_cursor.cpp',
+			'src/ssl.cpp',
 		],
 		
 		'dbsqlite_sources':
@@ -319,6 +321,7 @@
 			[
 				'../libexternal/libexternal.gyp:libExternal',
 				'../thirdparty/libpq/libpq.gyp:libpq',
+				'../thirdparty/libopenssl/libopenssl.gyp:libopenssl',
 			],
 			
 			'include_dirs':
@@ -364,6 +367,7 @@
 			[
 				'../libexternal/libexternal.gyp:libExternal',
 				'../thirdparty/libpq/libpq.gyp:libpq',
+				'../thirdparty/libopenssl/libopenssl.gyp:libopenssl',
 			],
 			
 			'include_dirs':
diff --git a/revdb/src/mysql_connection.cpp b/revdb/src/mysql_connection.cpp
@@ -15,53 +15,8 @@ You should have received a copy of the GNU General Public License
 along with LiveCode.  If not see <http://www.gnu.org/licenses/>.  */
 
 #include "dbmysql.h"
-static bool s_ssl_loaded = false;
 
-#if !defined(_SERVER)
-extern "C" int initialise_weak_link_crypto(void);
-extern "C" int initialise_weak_link_ssl(void);
-bool load_ssl_library()
-{
-	if (s_ssl_loaded)
-		return true;
-
-	s_ssl_loaded = initialise_weak_link_crypto() && initialise_weak_link_ssl();
-
-	return s_ssl_loaded;
-}
-#elif defined(_SERVER)
-bool load_ssl_library()
-{
-	return true;
-}
-#endif
-
-#ifdef TARGET_SUBPLATFORM_IPHONE
-#if defined(__i386__) || defined(__x86_64__)
-#include <dlfcn.h>
-extern "C" void *IOS_LoadModule(const char *mod)
-{
-    return dlopen(mod, RTLD_NOW);
-}
-
-extern "C" void *IOS_ResolveSymbol(void *mod, const char *sym)
-{
-    return dlsym(mod, sym);
-}
-#else
-extern "C" void *load_module(const char *);
-extern "C" void *resolve_symbol(void *, const char *);
-extern "C" void *IOS_LoadModule(const char *mod)
-{
-    return load_module(mod);
-}
-
-extern "C" void *IOS_ResolveSymbol(void *mod, const char *sym)
-{
-    return resolve_symbol(mod, sym);
-}
-#endif
-#endif
+extern bool load_ssl_library();
 
 #if defined(_WINDOWS)
 #define strcasecmp stricmp
diff --git a/revdb/src/postgresql_connection.cpp b/revdb/src/postgresql_connection.cpp
@@ -16,6 +16,8 @@ along with LiveCode.  If not see <http://www.gnu.org/licenses/>.  */
 
 #include "dbpostgresql.h"
 
+extern bool load_ssl_library();
+
 /*DBCONNECTION_POSTGRESQL - CONNECTION OBJECT FOR MYSQL DATABASES CHILD OF DBCONNECTION*/
 
 char *strndup(const char *p_string, int p_length)
@@ -59,11 +61,101 @@ Bool DBConnection_POSTGRESQL::connect(char **args, int numargs)
 	if (t_delimiter != NULL)
 	{
 		t_port = (t_delimiter + (1 * sizeof(char)));
-		*t_delimiter = NULL;
+		*t_delimiter = '\0';
 	}
-	
-	dbconn = NULL;
-	dbconn = PQsetdbLogin(t_host, t_port, NULL, NULL, t_database, t_user, t_password);
+
+    bool t_have_ssl;
+    t_have_ssl = load_ssl_library();
+
+    // if an ssl mode (other than disable) has been passed, make sure we can load libopenssl
+    // if no ssl mode has been passed, use prefer if we have libopenssl (try an ssl connection,
+    // if that fails try non-ssl), if we don't have libopenssl, don't attempt an ssl connection (disable sslmode)
+    char *t_sslmode;
+    t_sslmode = NULL;
+    if (numargs > 4)
+    {
+        if (strcmp(args[4], "disable") != 0 && !t_have_ssl)
+        {
+            errorMessageSet("revdb,unable to load SSL library");
+            return false;
+        }
+        t_sslmode = strdup(args[4]);
+    }
+    else if (t_have_ssl)
+        t_sslmode = strdup("prefer");
+    else
+        t_sslmode = strdup("disable");
+
+    if (t_sslmode == NULL)
+    {
+        errorMessageSet("revdb,unable to extract SSL mode");
+        return false;
+    }
+
+    char *t_sslcompression;
+    t_sslcompression = NULL;
+    if (numargs > 5)
+        t_sslcompression = args[5];
+
+    char *t_sslcert;
+    t_sslcert = NULL;
+    if (numargs > 6)
+        t_sslcert = args[6];
+
+    char *t_sslkey;
+    t_sslkey = NULL;
+    if (numargs > 7)
+        t_sslkey = args[7];
+
+    char *t_sslrootcert;
+    t_sslrootcert = NULL;
+    if (numargs > 8)
+        t_sslrootcert = args[8];
+
+    char *t_sslcrl;
+    t_sslcrl = NULL;
+    if (numargs > 9)
+        t_sslcrl = args[9];
+
+    const char *t_connect_keys[] =
+    {
+        "host",
+        "port",
+        "dbname",
+        "user",
+        "password",
+
+        "sslmode",
+        "sslcompression",
+        "sslcert",
+        "sslkey",
+        "sslrootcert",
+        "sslcrl",
+
+        NULL,
+    };
+    const char *t_connect_values[] =
+    {
+        t_host,
+        t_port,
+        t_database,
+        t_user,
+        t_password,
+
+        t_sslmode,
+        t_sslcompression,
+        t_sslcert,
+        t_sslkey,
+        t_sslrootcert,
+        t_sslcrl,
+
+        NULL,
+    };
+
+    dbconn = NULL;
+    dbconn = PQconnectdbParams(t_connect_keys, t_connect_values, 0);
+
+    free(t_sslmode);
 
 	// OK-2008-05-16 : Bug where failed connections to postgres databases would
 	// not return any error information. According to the postgres docs, dbconn
diff --git a/revdb/src/ssl.cpp b/revdb/src/ssl.cpp
@@ -0,0 +1,63 @@
+/* Copyright (C) 2003-2015 LiveCode Ltd.
+ 
+ This file is part of LiveCode.
+ 
+ LiveCode is free software; you can redistribute it and/or modify it under
+ the terms of the GNU General Public License v3 as published by the Free
+ Software Foundation.
+ 
+ LiveCode is distributed in the hope that it will be useful, but WITHOUT ANY
+ WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ for more details.
+ 
+ You should have received a copy of the GNU General Public License
+ along with LiveCode.  If not see <http://www.gnu.org/licenses/>.  */
+
+static bool s_ssl_loaded = false;
+
+#if !defined(_SERVER)
+extern "C" int initialise_weak_link_crypto(void);
+extern "C" int initialise_weak_link_ssl(void);
+bool load_ssl_library()
+{
+	if (s_ssl_loaded)
+		return true;
+    
+	s_ssl_loaded = initialise_weak_link_crypto() && initialise_weak_link_ssl();
+    
+	return s_ssl_loaded;
+}
+#elif defined(_SERVER)
+bool load_ssl_library()
+{
+	return true;
+}
+#endif
+
+#ifdef TARGET_SUBPLATFORM_IPHONE
+#if defined(__i386__) || defined(__x86_64__)
+#include <dlfcn.h>
+extern "C" void *IOS_LoadModule(const char *mod)
+{
+    return dlopen(mod, RTLD_NOW);
+}
+
+extern "C" void *IOS_ResolveSymbol(void *mod, const char *sym)
+{
+    return dlsym(mod, sym);
+}
+#else
+extern "C" void *load_module(const char *);
+extern "C" void *resolve_symbol(void *, const char *);
+extern "C" void *IOS_LoadModule(const char *mod)
+{
+    return load_module(mod);
+}
+
+extern "C" void *IOS_ResolveSymbol(void *mod, const char *sym)
+{
+    return resolve_symbol(mod, sym);
+}
+#endif
+#endif
