Add support for sslverify connection parameter in libpq 8.4 that cont…

…rols

how server certificates are validated by the client when it connects.

This includes a new connection option in the Server dialog.


git-svn-id: svn://svn.pgadmin.org/trunk@7715 a7884b65-44f6-0310-8a51-81a127f17b15

pgadmin/db/pgConn.cpp

@@ -48,7 +48,7 @@ static void pgNoticeProcessor(void *arg, const char *message)
     ((pgConn*)arg)->Notice(message);
 }
 
-pgConn::pgConn(const wxString& server, const wxString& database, const wxString& username, const wxString& password, int port, int sslmode, OID oid)
+pgConn::pgConn(const wxString& server, const wxString& database, const wxString& username, const wxString& password, int port, int sslmode, int sslverifymode, OID oid)
 {
     wxString msg, hostip, hostname;
 
@@ -58,6 +58,7 @@ pgConn::pgConn(const wxString& server, const wxString& database, const wxString&
     save_password = password;
     save_port = port;
     save_sslmode = sslmode;
+    save_sslverifymode = sslverifymode;
     save_oid = oid;
 
     memset(features, 0, sizeof(features));
@@ -160,6 +161,15 @@ pgConn::pgConn(const wxString& server, const wxString& database, const wxString&
             case 2: connstr.Append(wxT(" requiressl=0"));   break;
         }
     }
+    if (libpqVersion >= 8.4)
+    {
+        switch (sslverifymode)
+        {
+            case 1: connstr.Append(wxT(" sslverify=cn"));   break;
+            case 2: connstr.Append(wxT(" sslverify=cert")); break;
+            case 3: connstr.Append(wxT(" sslverify=none")); break;
+        }
+    }
     connstr.Trim(false);
 
     // Open the connection
@@ -252,7 +262,7 @@ void pgConn::Close()
 
 pgConn *pgConn::Duplicate()
 {
-    return new pgConn(wxString(save_server), wxString(save_database), wxString(save_username), wxString(save_password), save_port, save_sslmode, save_oid);
+    return new pgConn(wxString(save_server), wxString(save_database), wxString(save_username), wxString(save_password), save_port, save_sslmode, save_sslverifymode, save_oid);
 }
 
 // Return the SSL mode name
@@ -262,19 +272,30 @@ wxString pgConn::GetSslModeName()
     {
         case 1: 
             return wxT("require");   
-            break;
         case 2: 
             return wxT("prefer");    
-            break;
         case 3: 
             return wxT("allow");     
-            break;
         case 4: 
             return wxT("disable");   
-            break;
         default: 
             return wxT("prefer");   
-            break;
+    }
+}
+
+// Return the SSL verify mode name
+wxString pgConn::GetSslVerifyModeName()
+{
+    switch (save_sslverifymode)
+    {
+        case 1:
+            return wxT("cn");
+        case 2:
+            return wxT("cert");
+        case 3:
+            return wxT("none");
+        default:
+            return wxT("cn");
     }
 }
 
@@ -481,8 +502,13 @@ void pgConn::ExamineLibpqVersion()
         {
             if (!strcmp(co->keyword, "sslmode"))
             {
-                libpqVersion=7.4;
-                break;
+                if (libpqVersion < 7.4)
+                    libpqVersion=7.4;
+            }
+            if (!strcmp(co->keyword, "sslverify"))
+            {
+                if (libpqVersion < 8.4)
+                    libpqVersion=8.4;
             }
             co++;
         }

pgadmin/debugger/dbgPgConn.cpp

@@ -42,19 +42,19 @@
 //
 //    The constructor creates a new thread and connects to the specified server
 
-dbgPgConn::dbgPgConn(frmDebugger *frame, const wxString &server, const wxString &database, const wxString &userName, const wxString &password, const wxString &port, int sslmode )
+dbgPgConn::dbgPgConn(frmDebugger *frame, const wxString &server, const wxString &database, const wxString &userName, const wxString &password, const wxString &port, int sslmode, int sslverify )
    : m_frame(frame)
 {
-    Init( server, database, userName, password, port, sslmode, true );
+    Init( server, database, userName, password, port, sslmode, sslverify, true );
 }
 
 dbgPgConn::dbgPgConn(frmDebugger *frame, const dbgConnProp & props, bool startThread )
    : m_frame(frame)
 {
-    Init(  props.m_host, props.m_database, props.m_userName, props.m_password, props.m_port, props.m_sslMode, startThread );
+    Init(  props.m_host, props.m_database, props.m_userName, props.m_password, props.m_port, props.m_sslMode, props.m_sslVerify, startThread );
 }
 
-void dbgPgConn::Init( const wxString &server, const wxString &database, const wxString &username, const wxString &password, const wxString &port, int sslmode, bool startThread )
+void dbgPgConn::Init( const wxString &server, const wxString &database, const wxString &username, const wxString &password, const wxString &port, int sslmode, int sslverify, bool startThread )
 {
     m_pgConn       = NULL;
     m_majorVersion = 0;
@@ -192,6 +192,24 @@ void dbgPgConn::Init( const wxString &server, const wxString &database, const wx
         default:
             break;
     }
+
+    switch (sslverify)
+    {
+        case 1:
+            connectParams.Append(wxT(" sslverify=cn"));
+            break;
+
+        case 2:
+            connectParams.Append(wxT(" sslverify=cert"));
+            break;
+
+        case 3:
+            connectParams.Append(wxT(" sslverify=none"));
+            break;
+
+        default:
+            break;
+    }
 
     connectParams.Trim(true);
     connectParams.Trim(false);

pgadmin/dlg/dlgSelectConnection.cpp

@@ -203,10 +203,10 @@ pgConn *dlgSelectConnection::CreateConn()
     }
 }
 
-pgConn *dlgSelectConnection::CreateConn(wxString& server, wxString& dbname, wxString& username, int port, int sslmode, bool writeMRU)
+pgConn *dlgSelectConnection::CreateConn(wxString& server, wxString& dbname, wxString& username, int port, int sslmode, int sslverify, bool writeMRU)
 {
 	pgConn *newconn;
-	newconn = new pgConn(server, dbname, username, wxT(""), port, sslmode);
+	newconn = new pgConn(server, dbname, username, wxT(""), port, sslmode, sslverify);
 	if (newconn->GetStatus() != PGCONN_OK &&
 		newconn->GetLastError().Cmp(wxString(PQnoPasswordSupplied, wxConvUTF8)) == 0)
 	{
@@ -220,7 +220,7 @@ pgConn *dlgSelectConnection::CreateConn(wxString& server, wxString& dbname, wxSt
 		if (dlg.Go() != wxID_OK)
 			return NULL;
 
-		newconn = new pgConn(server, dbname, username, dlg.GetPassword(), port, sslmode);
+		newconn = new pgConn(server, dbname, username, dlg.GetPassword(), port, sslmode, sslverify);
 	}
 
 	if (newconn)

pgadmin/dlg/dlgServer.cpp

@@ -29,6 +29,7 @@
 #define cbDatabase      CTRL_COMBOBOX("cbDatabase")
 #define txtPort         CTRL_TEXT("txtPort")
 #define cbSSL           CTRL_COMBOBOX("cbSSL")
+#define cbSSLverify     CTRL_COMBOBOX("cbSSLverify")
 #define txtUsername     CTRL_TEXT("txtUsername")
 #define stTryConnect    CTRL_STATIC("stTryConnect")
 #define chkTryConnect   CTRL_CHECKBOX("chkTryConnect")
@@ -53,6 +54,7 @@ BEGIN_EVENT_TABLE(dlgServer, dlgProperty)
     EVT_TEXT(XRCID("txtUsername"),                  dlgProperty::OnChange)
     EVT_TEXT(XRCID("txtDbRestriction"),             dlgServer::OnChangeRestr)
     EVT_COMBOBOX(XRCID("cbSSL"),                    dlgProperty::OnChange)
+    EVT_COMBOBOX(XRCID("cbSSLverify"),              dlgProperty::OnChange)
     EVT_CHECKBOX(XRCID("chkStorePwd"),              dlgProperty::OnChange)
     EVT_CHECKBOX(XRCID("chkRestore"),               dlgProperty::OnChange)
     EVT_CHECKBOX(XRCID("chkTryConnect"),            dlgServer::OnChangeTryConnect)
@@ -85,6 +87,8 @@ dlgServer::dlgServer(pgaFactory *f, frmMain *frame, pgServer *node)
     txtPort->SetValue(NumToStr((long)settings->GetLastPort()));    
     if (!cbSSL->IsEmpty())
         cbSSL->SetSelection(settings->GetLastSSL());
+    if (!cbSSLverify->IsEmpty())
+        cbSSLverify->SetSelection(settings->GetLastSSLverify());
     txtUsername->SetValue(settings->GetLastUsername());
 
     chkTryConnect->SetValue(true);
@@ -105,6 +109,7 @@ dlgServer::~dlgServer()
         settings->SetLastDatabase(cbDatabase->GetValue());
         settings->SetLastPort(StrToLong(txtPort->GetValue()));
         settings->SetLastSSL(cbSSL->GetCurrentSelection());
+        settings->SetLastSSLverify(cbSSLverify->GetCurrentSelection());
         settings->SetLastUsername(txtUsername->GetValue());
     }
 }
@@ -142,6 +147,7 @@ void dlgServer::OnOK(wxCommandEvent &ev)
         }
         server->iSetPort(StrToLong(txtPort->GetValue()));
         server->iSetSSL(cbSSL->GetCurrentSelection());
+        server->iSetSSLverify(cbSSLverify->GetCurrentSelection());
         server->iSetDatabase(cbDatabase->GetValue());
         server->iSetUsername(txtUsername->GetValue());
         server->iSetStorePwd(chkStorePwd->GetValue());
@@ -215,6 +221,7 @@ int dlgServer::GoNew()
 int dlgServer::Go(bool modal)
 {
     cbSSL->Append(wxT(" "));
+    cbSSLverify->Append(wxT(" "));
 
 #ifdef SSL
     cbSSL->Append(_("require"));
@@ -225,6 +232,13 @@ int dlgServer::Go(bool modal)
         cbSSL->Append(_("allow"));
         cbSSL->Append(_("disable"));
     }
+
+    if (pgConn::GetLibpqVersion() >= 8.4)
+    {
+    	cbSSLverify->Append(_("Full verification"));
+    	cbSSLverify->Append(_("Certificate only"));
+    	cbSSLverify->Append(_("No verification"));
+    }
 #endif
 
     if (server)
@@ -235,6 +249,7 @@ int dlgServer::Go(bool modal)
         txtService->SetValue(server->GetServiceID());
         txtPort->SetValue(NumToStr((long)server->GetPort()));
         cbSSL->SetSelection(server->GetSSL());
+        cbSSLverify->SetSelection(server->GetSSLverify());
         cbDatabase->SetValue(server->GetDatabaseName());
         txtUsername->SetValue(server->GetUsername());
         chkStorePwd->SetValue(server->GetStorePwd());
@@ -250,6 +265,7 @@ int dlgServer::Go(bool modal)
             cbDatabase->Disable();
             txtPort->Disable();
             cbSSL->Disable();
+            cbSSLverify->Disable();
             txtUsername->Disable();
             chkStorePwd->Disable();
         }
@@ -282,7 +298,8 @@ pgObject *dlgServer::CreateObject(pgCollection *collection)
     pgObject *obj=new pgServer(GetName(), txtDescription->GetValue(), cbDatabase->GetValue(), 
         txtUsername->GetValue(), StrToLong(txtPort->GetValue()), 
 		chkTryConnect->GetValue() && chkStorePwd->GetValue(), 
-		chkRestore->GetValue(), cbSSL->GetCurrentSelection(), txtColour->GetValue());
+		chkRestore->GetValue(), cbSSL->GetCurrentSelection(), 
+		cbSSLverify->GetCurrentSelection(), txtColour->GetValue());
 
     return obj;
 }
@@ -320,6 +337,7 @@ void dlgServer::CheckChange()
                || cbDatabase->GetValue() != server->GetDatabaseName()
                || txtUsername->GetValue() != server->GetUsername()
                || cbSSL->GetCurrentSelection() != server->GetSSL()
+               || cbSSLverify->GetCurrentSelection() != server->GetSSLverify()
                || chkStorePwd->GetValue() != server->GetStorePwd()
                || chkRestore->GetValue() != server->GetRestore()
                || txtDbRestriction->GetValue() != server->GetDbRestriction()
@@ -332,6 +350,7 @@ void dlgServer::CheckChange()
 #else
     bool isPipe = (name.IsEmpty() || name.StartsWith(wxT("/")));
     cbSSL->Enable(!isPipe);
+    cbSSLverify->Enable(!isPipe);
 #endif
     CheckValid(enable, !txtDescription->GetValue().IsEmpty(), _("Please specify description."));
     CheckValid(enable, StrToLong(txtPort->GetValue()) > 0, _("Please specify port."));

pgadmin/frm/frmBackup.cpp

@@ -80,6 +80,7 @@ frmBackup::frmBackup(frmMain *form, pgObject *obj) : ExternProcessDialog(form)
 
     // Pass the SSL mode via the environment
     environment.Add(wxT("PGSSLMODE=") + object->GetServer()->GetConnection()->GetSslModeName());
+    environment.Add(wxT("PGSSLVERIFY=") + object->GetServer()->GetConnection()->GetSslVerifyModeName());
 
     // Icon
     SetIcon(wxIcon(backup_xpm));

pgadmin/frm/frmBackupGlobals.cpp

@@ -61,7 +61,8 @@ frmBackupGlobals::frmBackupGlobals(frmMain *form, pgObject *obj) : ExternProcess
 			environment.Add(wxT("PGPASSWORD=") + ((pgServer *)object)->GetPassword());
 
 		// Pass the SSL mode via the environment
-		environment.Add(wxT("PGSSLMODE=") + ((pgServer *)object)->GetConnection()->GetSslModeName());
+		environment.Add(wxT("PGSSLMODE=") + ((pgServer *)object)->GetConnection()->GetSslModeName());
+		environment.Add(wxT("PGSSLVERIFY=") + ((pgServer *)object)->GetConnection()->GetSslVerifyModeName());
 	}
 	else
 	{
@@ -70,7 +71,7 @@ frmBackupGlobals::frmBackupGlobals(frmMain *form, pgObject *obj) : ExternProcess
 
 		// Pass the SSL mode via the environment
 		environment.Add(wxT("PGSSLMODE=") + object->GetServer()->GetConnection()->GetSslModeName());
-
+		environment.Add(wxT("PGSSLVERIFY=") + object->GetServer()->GetConnection()->GetSslVerifyModeName());
 	}
 
     // Icon

pgadmin/frm/frmBackupServer.cpp

@@ -59,7 +59,8 @@ frmBackupServer::frmBackupServer(frmMain *form, pgObject *obj) : ExternProcessDi
        environment.Add(wxT("PGPASSWORD=") + ((pgServer *)object)->GetPassword());
 
 	// Pass the SSL mode via the environment
-	environment.Add(wxT("PGSSLMODE=") + ((pgServer *)object)->GetConnection()->GetSslModeName());
+	environment.Add(wxT("PGSSLMODE=") + ((pgServer *)object)->GetConnection()->GetSslModeName());
+	environment.Add(wxT("PGSSLVERIFY=") + ((pgServer *)object)->GetConnection()->GetSslVerifyModeName());
 
 	// Icon
     SetIcon(wxIcon(backup_xpm));

pgadmin/frm/frmMain.cpp

@@ -1049,6 +1049,7 @@ void frmMain::StoreServers()
             settings->Write(key + wxT("DbRestriction"), server->GetDbRestriction());
             settings->Write(key + wxT("Colour"), server->GetColour());
             settings->Write(key + wxT("SSL"), server->GetSSL());
+            settings->Write(key + wxT("SSLverify"), server->GetSSLverify());
 
             pgCollection *coll=browser->FindCollection(databaseFactory, server->GetId());
             if (coll)

pgadmin/frm/frmRestore.cpp

@@ -115,6 +115,7 @@ frmRestore::frmRestore(frmMain *_form, pgObject *obj) : ExternProcessDialog(form
 
 	// Pass the SSL mode via the environment
 	environment.Add(wxT("PGSSLMODE=") + server->GetConnection()->GetSslModeName());
+	environment.Add(wxT("PGSSLVERIFY=") + server->GetConnection()->GetSslVerifyModeName());
 
     wxCommandEvent ev;
     OnChangeName(ev);

pgadmin/frm/plugins.cpp

@@ -243,15 +243,17 @@ wxWindow *pluginUtilityFactory::StartDialog(frmMain *form, pgObject *obj)
             wxSetEnv(wxT("PGPASSWORD"), obj->GetConnection()->GetPassword());
 
 		// Pass the SSL mode via the environment
-		wxSetEnv(wxT("PGSSLMODE"), obj->GetConnection()->GetSslModeName());
+		wxSetEnv(wxT("PGSSLMODE"), obj->GetConnection()->GetSslModeName());
+		wxSetEnv(wxT("PGSSLVERIFY"), obj->GetConnection()->GetSslVerifyModeName());
     }
     else
     {
         // Blank the rest
         execCmd.Replace(wxT("$$HOSTNAME"), wxEmptyString);
         execCmd.Replace(wxT("$$HOSTADDR"), wxEmptyString);
         execCmd.Replace(wxT("$$PORT"), wxEmptyString);
-        execCmd.Replace(wxT("$$SSLMODE"), wxEmptyString);
+        execCmd.Replace(wxT("$$SSLMODE"), wxEmptyString);
+        execCmd.Replace(wxT("$$SSLVERIFY"), wxEmptyString);
         execCmd.Replace(wxT("$$DATABASE"), wxEmptyString);
         execCmd.Replace(wxT("$$USERNAME"), wxEmptyString);
         execCmd.Replace(wxT("$$PASSWORD"), wxEmptyString);

pgadmin/include/db/pgConn.h

@@ -81,7 +81,7 @@ typedef struct pgError {
 class pgConn
 {
 public:
-    pgConn(const wxString& server = wxT(""), const wxString& database = wxT(""), const wxString& username = wxT(""), const wxString& password = wxT(""), int port = 5432, int sslmode=0, OID oid=0);
+    pgConn(const wxString& server = wxT(""), const wxString& database = wxT(""), const wxString& username = wxT(""), const wxString& password = wxT(""), int port = 5432, int sslmode=0, int sslverify=0, OID oid=0);
     ~pgConn();
 
     bool HasPrivilege(const wxString &objTyp, const wxString &objName, const wxString &priv);
@@ -117,7 +117,9 @@ class pgConn
     wxString GetTTY() const { return wxString(PQtty(conn), *conv); }
     wxString GetOptions() const { return wxString(PQoptions(conn), *conv); }
     int GetSslMode() const { return save_sslmode; }
+    int GetSslVerifyMode() const { return save_sslverifymode;}
     wxString GetSslModeName();
+    wxString GetSslVerifyModeName();
     int GetBackendPID() const { return PQbackendPID(conn); }
     int GetStatus() const;
     int GetLastResultStatus() const { return lastResultStatus; }
@@ -172,7 +174,7 @@ class pgConn
     wxString reservedNamespaces;
 
     wxString save_server, save_database, save_username, save_password;
-    int save_port, save_sslmode;
+    int save_port, save_sslmode, save_sslverifymode;
     OID save_oid;
 };
 

pgadmin/include/debugger/dbgConnProp.h

@@ -32,6 +32,7 @@ class dbgConnProp
 	wxString	m_port;			// Port number
 	wxString	m_debugPort;	// Port number for debugger connection
 	int		    m_sslMode;		// SSL Mode
+	int             m_sslVerify;            // SSL Certificate Verify Mode
 };
 
 #endif

pgadmin/include/debugger/dbgPgConn.h

@@ -57,7 +57,8 @@ class dbgPgConn
               const wxString &username = wxT( "" ), 
               const wxString &password = wxT( "" ), 
               const wxString &port     = wxT( "5432" ), 
-              int sslmode               = 0 );
+              int sslmode               = 0,
+              int sslverify            = 0 );
 
     dbgPgConn( frmDebugger *frame, const dbgConnProp & props, bool startThread = true );
 
@@ -83,7 +84,7 @@ class dbgPgConn
 
   private:
 
-    void Init( const wxString &server, const wxString &database, const wxString &userName, const wxString &password, const wxString &port, int sslmode, bool startThread );
+    void Init( const wxString &server, const wxString &database, const wxString &userName, const wxString &password, const wxString &port, int sslmode, int sslverify, bool startThread );
 
     PGconn *m_pgConn;               // libpq connection handler
     dbgPgThread *m_workerThread;    // Worker thread (this thread interacts with the server)