#include "postgres_fe.h"#include <signal.h>#include <fcntl.h>#include <ctype.h>#include "libpq-fe.h"#include "fe-auth.h"#include "fe-secure-common.h"#include "libpq-int.h"#include <sys/socket.h>#include <unistd.h>#include <netdb.h>#include <netinet/in.h>#include <netinet/tcp.h>#include <arpa/inet.h>#include <sys/stat.h>#include <pthread.h>#include "common/openssl.h"#include <openssl/ssl.h>#include <openssl/conf.h>#include <openssl/x509v3.h>
Include dependency graph for fe-secure-openssl.c:
Go to the source code of this file.
Macros | |
| #define | SSL_ERR_LEN 128 |
Functions | |
| static int | verify_cb (int ok, X509_STORE_CTX *ctx) |
| static int | openssl_verify_peer_name_matches_certificate_name (PGconn *conn, ASN1_STRING *name_entry, char **store_name) |
| static int | openssl_verify_peer_name_matches_certificate_ip (PGconn *conn, ASN1_OCTET_STRING *addr_entry, char **store_name) |
| static int | initialize_SSL (PGconn *conn) |
| static PostgresPollingStatusType | open_client_SSL (PGconn *conn) |
| static char * | SSLerrmessage (unsigned long ecode) |
| static void | SSLerrfree (char *buf) |
| static int | PQssl_passwd_cb (char *buf, int size, int rwflag, void *userdata) |
| static int | pgconn_bio_read (BIO *h, char *buf, int size) |
| static int | pgconn_bio_write (BIO *h, const char *buf, int size) |
| static BIO_METHOD * | pgconn_bio_method (void) |
| static int | ssl_set_pgconn_bio (PGconn *conn) |
| static int | ssl_protocol_version_to_openssl (const char *protocol) |
| PostgresPollingStatusType | pgtls_open_client (PGconn *conn) |
| ssize_t | pgtls_read (PGconn *conn, void *ptr, size_t len) |
| bool | pgtls_read_pending (PGconn *conn) |
| ssize_t | pgtls_write (PGconn *conn, const void *ptr, size_t len) |
| char * | pgtls_get_peer_certificate_hash (PGconn *conn, size_t *len) |
| static bool | is_ip_address (const char *host) |
| int | pgtls_verify_peer_name_matches_certificate_guts (PGconn *conn, int *names_examined, char **first_name) |
| void | pgtls_close (PGconn *conn) |
| void * | PQgetssl (PGconn *conn) |
| void * | PQsslStruct (PGconn *conn, const char *struct_name) |
| const char *const * | PQsslAttributeNames (PGconn *conn) |
| const char * | PQsslAttribute (PGconn *conn, const char *attribute_name) |
| static long | pgconn_bio_ctrl (BIO *h, int cmd, long num, void *ptr) |
| int | PQdefaultSSLKeyPassHook_OpenSSL (char *buf, int size, PGconn *conn) |
| PQsslKeyPassHook_OpenSSL_type | PQgetSSLKeyPassHook_OpenSSL (void) |
| void | PQsetSSLKeyPassHook_OpenSSL (PQsslKeyPassHook_OpenSSL_type hook) |
Variables | |
| static pthread_mutex_t | ssl_config_mutex = PTHREAD_MUTEX_INITIALIZER |
| static PQsslKeyPassHook_OpenSSL_type | PQsslKeyPassHook = NULL |
| static unsigned char | alpn_protos [] = PG_ALPN_PROTOCOL_VECTOR |
| static char | ssl_nomem [] = "out of memory allocating error description" |
| static BIO_METHOD * | pgconn_bio_method_ptr |
Macro Definition Documentation
◆ SSL_ERR_LEN
| #define SSL_ERR_LEN 128 |
Definition at line 1551 of file fe-secure-openssl.c.
Function Documentation
◆ initialize_SSL()
|
static |
Definition at line 739 of file fe-secure-openssl.c.
740{
741 SSL_CTX *SSL_context;
746 bool have_homedir;
747 bool have_cert;
748 bool have_rootcert;
749
750 /*
751 * We'll need the home directory if any of the relevant parameters are
752 * defaulted. If pqGetHomeDirectory fails, act as though none of the
753 * files could be found.
754 */
761 else /* won't need it */
762 have_homedir = false;
763
764 /*
765 * Create a new SSL_CTX object.
766 *
767 * We used to share a single SSL_CTX between all connections, but it was
768 * complicated if connections used different certificates. So now we
769 * create a separate context for each connection, and accept the overhead.
770 */
771 SSL_context = SSL_CTX_new(SSLv23_method());
773 {
775
778 return -1;
779 }
780
781 /*
782 * Delegate the client cert password prompt to the libpq wrapper callback
783 * if any is defined.
784 *
785 * If the application hasn't installed its own and the sslpassword
786 * parameter is non-null, we install ours now to make sure we supply
787 * PGconn->sslpassword to OpenSSL instead of letting it prompt on stdin.
788 *
789 * This will replace OpenSSL's default PEM_def_callback (which prompts on
790 * stdin), but we're only setting it for this SSL context so it's
791 * harmless.
792 */
795 {
798 }
799
800#ifdef HAVE_SSL_CTX_SET_CERT_CB
801 /* Set up a certificate selection callback. */
803#endif
804
805 /* Disable old protocol versions */
806 SSL_CTX_set_options(SSL_context, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
807
808 /* Set the minimum and maximum protocol versions if necessary */
811 {
812 int ssl_min_ver;
813
815
816 if (ssl_min_ver == -1)
817 {
820 SSL_CTX_free(SSL_context);
821 return -1;
822 }
823
825 {
827
830 SSL_CTX_free(SSL_context);
831 return -1;
832 }
833 }
834
837 {
838 int ssl_max_ver;
839
841
842 if (ssl_max_ver == -1)
843 {
846 SSL_CTX_free(SSL_context);
847 return -1;
848 }
849
851 {
853
856 SSL_CTX_free(SSL_context);
857 return -1;
858 }
859 }
860
861 /*
862 * Disable OpenSSL's moving-write-buffer sanity check, because it causes
863 * unnecessary failures in nonblocking send cases.
864 */
865 SSL_CTX_set_mode(SSL_context, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
866
867 /*
868 * If the root cert file exists, load it so we can perform certificate
869 * verification. If sslmode is "verify-full" we will also do further
870 * verification after the connection has been completed.
871 */
874 else if (have_homedir)
876 else
877 fnbuf[0] = '\0';
878
879 if (strcmp(fnbuf, "system") == 0)
880 {
881 /*
882 * The "system" sentinel value indicates that we should load whatever
883 * root certificates are installed for use by OpenSSL; these locations
884 * differ by platform. Note that the default system locations may be
885 * further overridden by the SSL_CERT_DIR and SSL_CERT_FILE
886 * environment variables.
887 */
889 {
891
893 err);
895 SSL_CTX_free(SSL_context);
896 return -1;
897 }
898 have_rootcert = true;
899 }
900 else if (fnbuf[0] != '\0' &&
902 {
903 X509_STORE *cvstore;
904
906 {
908
910 fnbuf, err);
912 SSL_CTX_free(SSL_context);
913 return -1;
914 }
915
917 {
918 char *fname = NULL;
919 char *dname = NULL;
920
925
926 /* defaults to use the default CRL file */
927 if (!fname && !dname && have_homedir)
928 {
930 fname = fnbuf;
931 }
932
933 /* Set the flags to check against the complete CRL chain */
934 if ((fname || dname) &&
935 X509_STORE_load_locations(cvstore, fname, dname) == 1)
936 {
937 X509_STORE_set_flags(cvstore,
938 X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
939 }
940
941 /* if not found, silently ignore; we do not require CRL */
942 ERR_clear_error();
943 }
944 have_rootcert = true;
945 }
946 else
947 {
948 /*
949 * stat() failed; assume root file doesn't exist. If sslmode is
950 * verify-ca or verify-full, this is an error. Otherwise, continue
951 * without performing any server cert verification.
952 */
954 {
955 /*
956 * The only way to reach here with an empty filename is if
957 * pqGetHomeDirectory failed. That's a sufficiently unusual case
958 * that it seems worth having a specialized error message for it.
959 */
960 if (fnbuf[0] == '\0')
962 "Either provide the file, use the system's trusted roots with sslrootcert=system, or change sslmode to disable server certificate verification.");
963 else
965 "Either provide the file, use the system's trusted roots with sslrootcert=system, or change sslmode to disable server certificate verification.", fnbuf);
966 SSL_CTX_free(SSL_context);
967 return -1;
968 }
969 have_rootcert = false;
970 }
971
972 /* Read the client certificate file */
975 else if (have_homedir)
977 else
978 fnbuf[0] = '\0';
979
981 {
982 /* don't send a client cert even if we have one */
983 have_cert = false;
984 }
985 else if (fnbuf[0] == '\0')
986 {
987 /* no home directory, proceed without a client cert */
988 have_cert = false;
989 }
991 {
992 /*
993 * If file is not present, just go on without a client cert; server
994 * might or might not accept the connection. Any other error,
995 * however, is grounds for complaint.
996 */
997 if (errno != ENOENT && errno != ENOTDIR)
998 {
1001 SSL_CTX_free(SSL_context);
1002 return -1;
1003 }
1004 have_cert = false;
1005 }
1006 else
1007 {
1008 /*
1009 * Cert file exists, so load it. Since OpenSSL doesn't provide the
1010 * equivalent of "SSL_use_certificate_chain_file", we have to load it
1011 * into the SSL context, rather than the SSL object.
1012 */
1014 {
1016
1018 fnbuf, err);
1020 SSL_CTX_free(SSL_context);
1021 return -1;
1022 }
1023
1024 /* need to load the associated private key, too */
1025 have_cert = true;
1026 }
1027
1028 /*
1029 * The SSL context is now loaded with the correct root and client
1030 * certificates. Create a connection-specific SSL object. The private key
1031 * is loaded directly into the SSL object. (We could load the private key
1032 * into the context, too, but we have done it this way historically, and
1033 * it doesn't really matter.)
1034 */
1038 {
1040
1043 SSL_CTX_free(SSL_context);
1044 return -1;
1045 }
1047
1048 /*
1049 * If SSL key logging is requested, set up the callback if a compatible
1050 * version of OpenSSL is used and libpq was compiled to support it.
1051 */
1053 {
1054#ifdef HAVE_SSL_CTX_SET_KEYLOG_CALLBACK
1055 SSL_CTX_set_keylog_callback(SSL_context, SSL_CTX_keylog_cb);
1056#else
1057#ifdef LIBRESSL_VERSION_NUMBER
1059#else
1061#endif
1062#endif
1063 }
1064
1065 /*
1066 * SSL contexts are reference counted by OpenSSL. We can free it as soon
1067 * as we have created the SSL object, and it will stick around for as long
1068 * as it's actually needed.
1069 */
1070 SSL_CTX_free(SSL_context);
1071 SSL_context = NULL;
1072
1073 /*
1074 * Set Server Name Indication (SNI), if enabled by connection parameters.
1075 * Per RFC 6066, do not set it if the host is a literal IP address (IPv4
1076 * or IPv6).
1077 */
1079 {
1081
1082 if (host && host[0] &&
1083 !(strspn(host, "0123456789.") == strlen(host) ||
1084 strchr(host, ':')))
1085 {
1087 {
1089
1092 return -1;
1093 }
1094 }
1095 }
1096
1097 /* Set ALPN */
1098 {
1099 int retval;
1100
1102
1103 if (retval != 0)
1104 {
1106
1109 return -1;
1110 }
1111 }
1112
1113 /*
1114 * Read the SSL key. If a key is specified, treat it as an engine:key
1115 * combination if there is colon present - we don't support files with
1116 * colon in the name. The exception is if the second character is a colon,
1117 * in which case it can be a Windows filename with drive specification.
1118 */
1120 {
1121#ifdef USE_SSL_ENGINE
1123#ifdef WIN32
1125#endif
1126 )
1127 {
1128 /* Colon, but not in second character, treat as engine:key */
1130 char *engine_colon;
1131 EVP_PKEY *pkey;
1132
1133 if (engine_str == NULL)
1134 {
1136 return -1;
1137 }
1138
1139 /* cannot return NULL because we already checked before strdup */
1140 engine_colon = strchr(engine_str, ':');
1141
1142 *engine_colon = '\0'; /* engine_str now has engine name */
1143 engine_colon++; /* engine_colon now has key name */
1144
1145 conn->engine = ENGINE_by_id(engine_str);
1147 {
1149
1151 engine_str, err);
1153 free(engine_str);
1154 return -1;
1155 }
1156
1158 {
1160
1162 engine_str, err);
1164 ENGINE_free(conn->engine);
1165 conn->engine = NULL;
1166 free(engine_str);
1167 return -1;
1168 }
1169
1170 pkey = ENGINE_load_private_key(conn->engine, engine_colon,
1171 NULL, NULL);
1172 if (pkey == NULL)
1173 {
1175
1177 engine_colon, engine_str, err);
1179 ENGINE_finish(conn->engine);
1180 ENGINE_free(conn->engine);
1181 conn->engine = NULL;
1182 free(engine_str);
1183 return -1;
1184 }
1186 {
1188
1190 engine_colon, engine_str, err);
1192 ENGINE_finish(conn->engine);
1193 ENGINE_free(conn->engine);
1194 conn->engine = NULL;
1195 free(engine_str);
1196 return -1;
1197 }
1198
1199 free(engine_str);
1200
1201 fnbuf[0] = '\0'; /* indicate we're not going to load from a
1202 * file */
1203 }
1204 else
1205#endif /* USE_SSL_ENGINE */
1206 {
1207 /* PGSSLKEY is not an engine, treat it as a filename */
1209 }
1210 }
1211 else if (have_homedir)
1212 {
1213 /* No PGSSLKEY specified, load default file */
1215 }
1216 else
1217 fnbuf[0] = '\0';
1218
1219 if (have_cert && fnbuf[0] != '\0')
1220 {
1221 /* read the client key from file */
1222
1224 {
1225 if (errno == ENOENT)
1227 fnbuf);
1228 else
1230 fnbuf);
1231 return -1;
1232 }
1233
1234 /* Key file must be a regular file */
1236 {
1238 fnbuf);
1239 return -1;
1240 }
1241
1242 /*
1243 * Refuse to load world-readable key files. We accept root-owned
1244 * files with mode 0640 or less, so that we can access system-wide
1245 * certificates if we have a supplementary group membership that
1246 * allows us to read 'em. For files with non-root ownership, require
1247 * mode 0600 or less. We need not check the file's ownership exactly;
1248 * if we're able to read it despite it having such restrictive
1249 * permissions, it must have the right ownership.
1250 *
1251 * Note: be very careful about tightening these rules. Some people
1252 * expect, for example, that a client process running as root should
1253 * be able to use a non-root-owned key file.
1254 *
1255 * Note that roughly similar checks are performed in
1256 * src/backend/libpq/be-secure-common.c so any changes here may need
1257 * to be made there as well. However, this code caters for the case
1258 * of current user == root, while that code does not.
1259 *
1260 * Ideally we would do similar permissions checks on Windows, but it
1261 * is not clear how that would work since Unix-style permissions may
1262 * not be available.
1263 */
1264#if !defined(WIN32) && !defined(__CYGWIN__)
1268 {
1270 "private key file \"%s\" has group or world access; file must have permissions u=rw (0600) or less if owned by the current user, or permissions u=rw,g=r (0640) or less if owned by root",
1271 fnbuf);
1272 return -1;
1273 }
1274#endif
1275
1277 {
1279
1280 /*
1281 * We'll try to load the file in DER (binary ASN.1) format, and if
1282 * that fails too, report the original error. This could mask
1283 * issues where there's something wrong with a DER-format cert,
1284 * but we'd have to duplicate openssl's format detection to be
1285 * smarter than this. We can't just probe for a leading -----BEGIN
1286 * because PEM can have leading non-matching lines and blanks.
1287 * OpenSSL doesn't expose its get_name(...) and its PEM routines
1288 * don't differentiate between failure modes in enough detail to
1289 * let us tell the difference between "not PEM, try DER" and
1290 * "wrong password".
1291 */
1293 {
1295 fnbuf, err);
1297 return -1;
1298 }
1299
1301 }
1302 }
1303
1304 /* verify that the cert and key go together */
1305 if (have_cert &&
1306 SSL_check_private_key(conn->ssl) != 1)
1307 {
1309
1311 fnbuf, err);
1313 return -1;
1314 }
1315
1316 /*
1317 * If a root cert was loaded, also set our certificate verification
1318 * callback.
1319 */
1320 if (have_rootcert)
1322
1323 /*
1324 * Set compression option if necessary.
1325 */
1327 SSL_set_options(conn->ssl, SSL_OP_NO_COMPRESSION);
1328 else
1329 SSL_clear_options(conn->ssl, SSL_OP_NO_COMPRESSION);
1330
1331 return 0;
1332}
static int ssl_protocol_version_to_openssl(const char *protocol)
Definition: fe-secure-openssl.c:1960
static PQsslKeyPassHook_OpenSSL_type PQsslKeyPassHook
Definition: fe-secure-openssl.c:88
static int PQssl_passwd_cb(char *buf, int size, int rwflag, void *userdata)
Definition: fe-secure-openssl.c:1939
void libpq_append_conn_error(PGconn *conn, const char *fmt,...)
Definition: oauth-utils.c:95
Definition: win32_port.h:255
References alpn_protos, buf, conn, pg_conn::connhost, err(), fprintf, free, pg_conn_host::host, libpq_append_conn_error(), libpq_gettext, MAXPGPATH, PG_STRERROR_R_BUFLEN, pqGetHomeDirectory(), PQssl_passwd_cb(), PQsslKeyPassHook, S_IRWXG, S_IRWXO, S_ISREG, S_IWGRP, S_IXGRP, snprintf, SSL_context, pg_conn::ssl_in_use, pg_conn::ssl_max_protocol_version, pg_conn::ssl_min_protocol_version, ssl_protocol_version_to_openssl(), ssl_set_pgconn_bio(), pg_conn::sslcert, pg_conn::sslcertmode, pg_conn::sslcompression, pg_conn::sslcrl, pg_conn::sslcrldir, SSLerrfree(), SSLerrmessage(), pg_conn::sslkey, pg_conn::sslkeylogfile, pg_conn::sslmode, pg_conn::sslpassword, pg_conn::sslrootcert, pg_conn::sslsni, stat, strerror_r, strlcpy(), verify_cb(), and pg_conn::whichhost.
Referenced by pgtls_open_client().
◆ is_ip_address()
|
static |
Definition at line 524 of file fe-secure-openssl.c.
525{
526 struct in_addr dummy4;
527#ifdef HAVE_INET_PTON
528 struct in6_addr dummy6;
529#endif
530
532#ifdef HAVE_INET_PTON
533 || (inet_pton(AF_INET6, host, &dummy6) == 1)
534#endif
535 ;
536}
References inet_aton().
Referenced by pgtls_verify_peer_name_matches_certificate_guts().
◆ open_client_SSL()
|
static |
Definition at line 1338 of file fe-secure-openssl.c.
1339{
1340 int r;
1341
1342 SOCK_ERRNO_SET(0);
1343 ERR_clear_error();
1344 r = SSL_connect(conn->ssl);
1345 if (r <= 0)
1346 {
1349 unsigned long ecode;
1350
1351 ecode = ERR_get_error();
1353 {
1354 case SSL_ERROR_WANT_READ:
1356
1357 case SSL_ERROR_WANT_WRITE:
1359
1360 case SSL_ERROR_SYSCALL:
1361 {
1363 unsigned long vcode;
1364
1365 vcode = SSL_get_verify_result(conn->ssl);
1366
1367 /*
1368 * If we get an X509 error here for failing to load the
1369 * local issuer cert, without an error in the socket layer
1370 * it means that verification failed due to a missing
1371 * system CA pool without it being a protocol error. We
1372 * inspect the sslrootcert setting to ensure that the user
1373 * was using the system CA pool. For other errors, log
1374 * them using the normal SYSCALL logging.
1375 */
1376 if (save_errno == 0 &&
1377 vcode == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY &&
1380 X509_verify_cert_error_string(vcode));
1381 else if (r == -1 && save_errno != 0)
1384 else
1388 }
1389 case SSL_ERROR_SSL:
1390 {
1392
1395 switch (ERR_GET_REASON(ecode))
1396 {
1397 /*
1398 * UNSUPPORTED_PROTOCOL, WRONG_VERSION_NUMBER, and
1399 * TLSV1_ALERT_PROTOCOL_VERSION have been observed
1400 * when trying to communicate with an old OpenSSL
1401 * library, or when the client and server specify
1402 * disjoint protocol ranges.
1403 * NO_PROTOCOLS_AVAILABLE occurs if there's a
1404 * local misconfiguration (which can happen
1405 * despite our checks, if openssl.cnf injects a
1406 * limit we didn't account for). It's not very
1407 * clear what would make OpenSSL return the other
1408 * codes listed here, but a hint about protocol
1409 * versions seems like it's appropriate for all.
1410 */
1411 case SSL_R_NO_PROTOCOLS_AVAILABLE:
1412 case SSL_R_UNSUPPORTED_PROTOCOL:
1413 case SSL_R_BAD_PROTOCOL_VERSION_NUMBER:
1414 case SSL_R_UNKNOWN_PROTOCOL:
1415 case SSL_R_UNKNOWN_SSL_VERSION:
1416 case SSL_R_UNSUPPORTED_SSL_VERSION:
1417 case SSL_R_WRONG_SSL_VERSION:
1418 case SSL_R_WRONG_VERSION_NUMBER:
1419 case SSL_R_TLSV1_ALERT_PROTOCOL_VERSION:
1420#ifdef SSL_R_VERSION_TOO_HIGH
1421 case SSL_R_VERSION_TOO_HIGH:
1422 case SSL_R_VERSION_TOO_LOW:
1423#endif
1424 libpq_append_conn_error(conn, "This may indicate that the server does not support any SSL protocol version between %s and %s.",
1427 MIN_OPENSSL_TLS_VERSION,
1430 MAX_OPENSSL_TLS_VERSION);
1431 break;
1432 default:
1433 break;
1434 }
1437 }
1438
1439 default:
1443 }
1444 }
1445
1446 /* ALPN is mandatory with direct SSL connections */
1448 {
1449 const unsigned char *selected;
1451
1453
1454 if (selected == NULL)
1455 {
1456 libpq_append_conn_error(conn, "direct SSL connection was established without ALPN protocol negotiation extension");
1459 }
1460
1461 /*
1462 * We only support one protocol so that's what the negotiation should
1463 * always choose, but doesn't hurt to check.
1464 */
1467 {
1471 }
1472 }
1473
1474 /*
1475 * We already checked the server certificate in initialize_SSL() using
1476 * SSL_CTX_set_verify(), if root.crt exists.
1477 */
1478
1479 /* get server certificate */
1482 {
1484
1489 }
1490
1492 {
1495 }
1496
1497 /* SSL handshake is complete */
1499}
bool pq_verify_peer_name_matches_certificate(PGconn *conn)
Definition: fe-secure-common.c:252
References conn, pg_conn::current_enc_method, ENC_SSL, err(), len, libpq_append_conn_error(), PG_ALPN_PROTOCOL, PG_STRERROR_R_BUFLEN, PGRES_POLLING_FAILED, PGRES_POLLING_OK, PGRES_POLLING_READING, PGRES_POLLING_WRITING, pgtls_close(), pq_verify_peer_name_matches_certificate(), SOCK_ERRNO, SOCK_ERRNO_SET, SOCK_STRERROR, pg_conn::ssl_max_protocol_version, pg_conn::ssl_min_protocol_version, SSLerrfree(), SSLerrmessage(), pg_conn::sslnegotiation, and pg_conn::sslrootcert.
Referenced by pgtls_open_client().
◆ openssl_verify_peer_name_matches_certificate_ip()
|
static |
Definition at line 499 of file fe-secure-openssl.c.
502{
504 const unsigned char *addrdata;
505
506 /* Should not happen... */
507 if (addr_entry == NULL)
508 {
510 return -1;
511 }
512
513 /*
514 * GEN_IPADD is an OCTET STRING containing an IP address in network byte
515 * order.
516 */
517 addrdata = ASN1_STRING_get0_data(addr_entry);
518 len = ASN1_STRING_length(addr_entry);
519
521}
int pq_verify_peer_name_matches_certificate_ip(PGconn *conn, const unsigned char *ipdata, size_t iplen, char **store_name)
Definition: fe-secure-common.c:157
References conn, len, libpq_append_conn_error(), and pq_verify_peer_name_matches_certificate_ip().
Referenced by pgtls_verify_peer_name_matches_certificate_guts().
◆ openssl_verify_peer_name_matches_certificate_name()
|
static |
Definition at line 470 of file fe-secure-openssl.c.
472{
474 const unsigned char *namedata;
475
476 /* Should not happen... */
477 if (name_entry == NULL)
478 {
480 return -1;
481 }
482
483 /*
484 * GEN_DNS can be only IA5String, equivalent to US ASCII.
485 */
486 namedata = ASN1_STRING_get0_data(name_entry);
487 len = ASN1_STRING_length(name_entry);
488
489 /* OK to cast from unsigned to plain char, since it's all ASCII. */
490 return pq_verify_peer_name_matches_certificate_name(conn, (const char *) namedata, len, store_name);
491}
int pq_verify_peer_name_matches_certificate_name(PGconn *conn, const char *namedata, size_t namelen, char **store_name)
Definition: fe-secure-common.c:87
References conn, len, libpq_append_conn_error(), and pq_verify_peer_name_matches_certificate_name().
Referenced by pgtls_verify_peer_name_matches_certificate_guts().
◆ pgconn_bio_ctrl()
|
static |
Definition at line 1803 of file fe-secure-openssl.c.
1804{
1805 long res;
1807
1808 switch (cmd)
1809 {
1810 case BIO_CTRL_EOF:
1811
1812 /*
1813 * This should not be needed. pgconn_bio_read already has a way to
1814 * signal EOF to OpenSSL. However, OpenSSL made an undocumented,
1815 * backwards-incompatible change and now expects EOF via BIO_ctrl.
1816 * See https://github.com/openssl/openssl/issues/8208
1817 */
1819 break;
1820 case BIO_CTRL_FLUSH:
1821 /* libssl expects all BIOs to support BIO_flush. */
1822 res = 1;
1823 break;
1824 default:
1825 res = 0;
1826 break;
1827 }
1828
1829 return res;
1830}
Definition: libpq-int.h:372
References conn, and pg_conn::last_read_was_eof.
Referenced by pgconn_bio_method().
◆ pgconn_bio_method()
|
static |
Definition at line 1833 of file fe-secure-openssl.c.
1834{
1835 BIO_METHOD *res;
1836
1838 return NULL;
1839
1840 res = pgconn_bio_method_ptr;
1841
1843 {
1844 int my_bio_index;
1845
1846 my_bio_index = BIO_get_new_index();
1847 if (my_bio_index == -1)
1849 my_bio_index |= BIO_TYPE_SOURCE_SINK;
1850 res = BIO_meth_new(my_bio_index, "libpq socket");
1851 if (!res)
1853
1854 /*
1855 * As of this writing, these functions never fail. But check anyway,
1856 * like OpenSSL's own examples do.
1857 */
1859 !BIO_meth_set_read(res, pgconn_bio_read) ||
1860 !BIO_meth_set_ctrl(res, pgconn_bio_ctrl))
1861 {
1863 }
1864 }
1865
1866 pgconn_bio_method_ptr = res;
1868 return res;
1869
1870err:
1871 if (res)
1872 BIO_meth_free(res);
1874 return NULL;
1875}
static int pgconn_bio_read(BIO *h, char *buf, int size)
Definition: fe-secure-openssl.c:1738
static long pgconn_bio_ctrl(BIO *h, int cmd, long num, void *ptr)
Definition: fe-secure-openssl.c:1803
static int pgconn_bio_write(BIO *h, const char *buf, int size)
Definition: fe-secure-openssl.c:1773
References err(), pgconn_bio_ctrl(), pgconn_bio_method_ptr, pgconn_bio_read(), pgconn_bio_write(), pthread_mutex_lock(), pthread_mutex_unlock(), and ssl_config_mutex.
Referenced by ssl_set_pgconn_bio().
◆ pgconn_bio_read()
|
static |
Definition at line 1738 of file fe-secure-openssl.c.
1739{
1741 int res;
1742
1744 BIO_clear_retry_flags(h);
1746 if (res < 0)
1747 {
1748 /* If we were interrupted, tell caller to retry */
1750 {
1751#ifdef EAGAIN
1753#endif
1754#if defined(EWOULDBLOCK) && (!defined(EAGAIN) || (EWOULDBLOCK != EAGAIN))
1756#endif
1758 BIO_set_retry_read(h);
1759 break;
1760
1761 default:
1762 break;
1763 }
1764 }
1765
1766 if (res > 0)
1768
1769 return res;
1770}
ssize_t pqsecure_raw_read(PGconn *conn, void *ptr, size_t len)
Definition: fe-secure.c:193
References buf, conn, EAGAIN, EINTR, EWOULDBLOCK, pg_conn::last_read_was_eof, pqsecure_raw_read(), SOCK_ERRNO, and pg_conn::ssl_handshake_started.
Referenced by pgconn_bio_method().
◆ pgconn_bio_write()
|
static |
Definition at line 1773 of file fe-secure-openssl.c.
1774{
1775 int res;
1776
1778 BIO_clear_retry_flags(h);
1779 if (res < 0)
1780 {
1781 /* If we were interrupted, tell caller to retry */
1783 {
1784#ifdef EAGAIN
1786#endif
1787#if defined(EWOULDBLOCK) && (!defined(EAGAIN) || (EWOULDBLOCK != EAGAIN))
1789#endif
1791 BIO_set_retry_write(h);
1792 break;
1793
1794 default:
1795 break;
1796 }
1797 }
1798
1799 return res;
1800}
ssize_t pqsecure_raw_write(PGconn *conn, const void *ptr, size_t len)
Definition: fe-secure.c:316
References buf, EAGAIN, EINTR, EWOULDBLOCK, pqsecure_raw_write(), and SOCK_ERRNO.
Referenced by pgconn_bio_method().
◆ pgtls_close()
| void pgtls_close | ( | PGconn * | conn | ) |
Definition at line 1502 of file fe-secure-openssl.c.
1503{
1505 {
1507 {
1508 /*
1509 * We can't destroy everything SSL-related here due to the
1510 * possible later calls to OpenSSL routines which may need our
1511 * thread callbacks, so set a flag here and check at the end.
1512 */
1513
1514 SSL_shutdown(conn->ssl);
1515 SSL_free(conn->ssl);
1516 conn->ssl = NULL;
1519 }
1520
1522 {
1523 X509_free(conn->peer);
1524 conn->peer = NULL;
1525 }
1526
1527#ifdef USE_SSL_ENGINE
1529 {
1530 ENGINE_finish(conn->engine);
1531 ENGINE_free(conn->engine);
1532 conn->engine = NULL;
1533 }
1534#endif
1535 }
1536}
References conn, pg_conn::ssl_handshake_started, and pg_conn::ssl_in_use.
Referenced by open_client_SSL(), pgtls_open_client(), and pqsecure_close().
◆ pgtls_get_peer_certificate_hash()
| char * pgtls_get_peer_certificate_hash | ( | PGconn * | conn, |
| size_t * | len | ||
| ) |
Definition at line 340 of file fe-secure-openssl.c.
341{
342 X509 *peer_cert;
343 const EVP_MD *algo_type;
345 unsigned int hash_size;
346 int algo_nid;
347 char *cert_hash;
348
349 *len = 0;
350
352 return NULL;
353
354 peer_cert = conn->peer;
355
356 /*
357 * Get the signature algorithm of the certificate to determine the hash
358 * algorithm to use for the result. Prefer X509_get_signature_info(),
359 * introduced in OpenSSL 1.1.1, which can handle RSA-PSS signatures.
360 */
361#if HAVE_X509_GET_SIGNATURE_INFO
362 if (!X509_get_signature_info(peer_cert, &algo_nid, NULL, NULL, NULL))
363#else
364 if (!OBJ_find_sigid_algs(X509_get_signature_nid(peer_cert),
365 &algo_nid, NULL))
366#endif
367 {
369 return NULL;
370 }
371
372 /*
373 * The TLS server's certificate bytes need to be hashed with SHA-256 if
374 * its signature algorithm is MD5 or SHA-1 as per RFC 5929
375 * (https://tools.ietf.org/html/rfc5929#section-4.1). If something else
376 * is used, the same hash as the signature algorithm is used.
377 */
378 switch (algo_nid)
379 {
380 case NID_md5:
381 case NID_sha1:
382 algo_type = EVP_sha256();
383 break;
384 default:
385 algo_type = EVP_get_digestbynid(algo_nid);
386 if (algo_type == NULL)
387 {
389 OBJ_nid2sn(algo_nid));
390 return NULL;
391 }
392 break;
393 }
394
396 {
398 return NULL;
399 }
400
401 /* save result */
402 cert_hash = malloc(hash_size);
403 if (cert_hash == NULL)
404 {
406 return NULL;
407 }
408 memcpy(cert_hash, hash, hash_size);
409 *len = hash_size;
410
411 return cert_hash;
412}
References conn, hash(), len, libpq_append_conn_error(), and malloc.
Referenced by build_client_final_message().
◆ pgtls_open_client()
| PostgresPollingStatusType pgtls_open_client | ( | PGconn * | conn | ) |
Definition at line 96 of file fe-secure-openssl.c.
97{
98 /* First time through? */
100 {
101 /*
102 * Create a connection-specific SSL object, and load client
103 * certificate, private key, and trusted CA certs.
104 */
106 {
107 /* initialize_SSL already put a message in conn->errorMessage */
110 }
111 }
112
113 /* Begin or continue the actual handshake */
115}
static PostgresPollingStatusType open_client_SSL(PGconn *conn)
Definition: fe-secure-openssl.c:1338
References conn, initialize_SSL(), open_client_SSL(), PGRES_POLLING_FAILED, and pgtls_close().
Referenced by pqsecure_open_client().
◆ pgtls_read()
| ssize_t pgtls_read | ( | PGconn * | conn, |
| void * | ptr, | ||
| size_t | len | ||
| ) |
Definition at line 118 of file fe-secure-openssl.c.
119{
120 ssize_t n;
121 int result_errno = 0;
124 unsigned long ecode;
125
126rloop:
127
128 /*
129 * Prepare to call SSL_get_error() by clearing thread's OpenSSL error
130 * queue. In general, the current thread's error queue must be empty
131 * before the TLS/SSL I/O operation is attempted, or SSL_get_error() will
132 * not work reliably. Since the possibility exists that other OpenSSL
133 * clients running in the same thread but not under our control will fail
134 * to call ERR_get_error() themselves (after their own I/O operations),
135 * pro-actively clear the per-thread error queue now.
136 */
137 SOCK_ERRNO_SET(0);
138 ERR_clear_error();
141
142 /*
143 * Other clients of OpenSSL may fail to call ERR_get_error(), but we
144 * always do, so as to not cause problems for OpenSSL clients that don't
145 * call ERR_clear_error() defensively. Be sure that this happens by
146 * calling now. SSL_get_error() relies on the OpenSSL per-thread error
147 * queue being intact, so this is the earliest possible point
148 * ERR_get_error() may be called.
149 */
150 ecode = (err != SSL_ERROR_NONE || n < 0) ? ERR_get_error() : 0;
152 {
153 case SSL_ERROR_NONE:
154 if (n < 0)
155 {
156 /* Not supposed to happen, so we don't translate the msg */
158 "SSL_read failed but did not provide error information\n");
159 /* assume the connection is broken */
160 result_errno = ECONNRESET;
161 }
162 break;
163 case SSL_ERROR_WANT_READ:
164 n = 0;
165 break;
166 case SSL_ERROR_WANT_WRITE:
167
168 /*
169 * Returning 0 here would cause caller to wait for read-ready,
170 * which is not correct since what SSL wants is wait for
171 * write-ready. The former could get us stuck in an infinite
172 * wait, so don't risk it; busy-loop instead.
173 */
174 goto rloop;
175 case SSL_ERROR_SYSCALL:
177 {
178 result_errno = SOCK_ERRNO;
179 if (result_errno == EPIPE ||
180 result_errno == ECONNRESET)
182 "\tThis probably means the server terminated abnormally\n"
183 "\tbefore or while processing the request.");
184 else
186 SOCK_STRERROR(result_errno,
187 sebuf, sizeof(sebuf)));
188 }
189 else
190 {
192 /* assume the connection is broken */
193 result_errno = ECONNRESET;
194 n = -1;
195 }
196 break;
197 case SSL_ERROR_SSL:
198 {
200
202 SSLerrfree(errm);
203 /* assume the connection is broken */
204 result_errno = ECONNRESET;
205 n = -1;
206 break;
207 }
208 case SSL_ERROR_ZERO_RETURN:
209
210 /*
211 * Per OpenSSL documentation, this error code is only returned for
212 * a clean connection closure, so we should not report it as a
213 * server crash.
214 */
216 result_errno = ECONNRESET;
217 n = -1;
218 break;
219 default:
221 /* assume the connection is broken */
222 result_errno = ECONNRESET;
223 n = -1;
224 break;
225 }
226
227 /* ensure we return the intended errno to caller */
228 SOCK_ERRNO_SET(result_errno);
229
230 return n;
231}
void appendPQExpBufferStr(PQExpBuffer str, const char *data)
Definition: pqexpbuffer.c:367
References appendPQExpBufferStr(), conn, ECONNRESET, err(), pg_conn::errorMessage, len, libpq_append_conn_error(), PG_STRERROR_R_BUFLEN, SOCK_ERRNO, SOCK_ERRNO_SET, SOCK_STRERROR, SSLerrfree(), and SSLerrmessage().
Referenced by pqsecure_read().
◆ pgtls_read_pending()
| bool pgtls_read_pending | ( | PGconn * | conn | ) |
◆ pgtls_verify_peer_name_matches_certificate_guts()
| int pgtls_verify_peer_name_matches_certificate_guts | ( | PGconn * | conn, |
| int * | names_examined, | ||
| char ** | first_name | ||
| ) |
Definition at line 544 of file fe-secure-openssl.c.
547{
548 STACK_OF(GENERAL_NAME) * peer_san;
550 int rc = 0;
552 int host_type;
553 bool check_cn = true;
554
556
557 /*
558 * We try to match the NSS behavior here, which is a slight departure from
559 * the spec but seems to make more intuitive sense:
560 *
561 * If connhost contains a DNS name, and the certificate's SANs contain any
562 * dNSName entries, then we'll ignore the Subject Common Name entirely;
563 * otherwise, we fall back to checking the CN. (This behavior matches the
564 * RFC.)
565 *
566 * If connhost contains an IP address, and the SANs contain iPAddress
567 * entries, we again ignore the CN. Otherwise, we allow the CN to match,
568 * EVEN IF there is a dNSName in the SANs. (RFC 6125 prohibits this: "A
569 * client MUST NOT seek a match for a reference identifier of CN-ID if the
570 * presented identifiers include a DNS-ID, SRV-ID, URI-ID, or any
571 * application-specific identifier types supported by the client.")
572 *
573 * NOTE: Prior versions of libpq did not consider iPAddress entries at
574 * all, so this new behavior might break a certificate that has different
575 * IP addresses in the Subject CN and the SANs.
576 */
578 host_type = GEN_IPADD;
579 else
580 host_type = GEN_DNS;
581
582 /*
583 * First, get the Subject Alternative Names (SANs) from the certificate,
584 * and compare them against the originally given hostname.
585 */
586 peer_san = (STACK_OF(GENERAL_NAME) *)
587 X509_get_ext_d2i(conn->peer, NID_subject_alt_name, NULL, NULL);
588
589 if (peer_san)
590 {
591 int san_len = sk_GENERAL_NAME_num(peer_san);
592
594 {
596 char *alt_name = NULL;
597
599 {
600 /*
601 * This SAN is of the same type (IP or DNS) as our host name,
602 * so don't allow a fallback check of the CN.
603 */
604 check_cn = false;
605 }
606
608 {
609 (*names_examined)++;
611 name->d.dNSName,
612 &alt_name);
613 }
615 {
616 (*names_examined)++;
618 name->d.iPAddress,
619 &alt_name);
620 }
621
622 if (alt_name)
623 {
624 if (!*first_name)
625 *first_name = alt_name;
626 else
627 free(alt_name);
628 }
629
630 if (rc != 0)
631 {
632 /*
633 * Either we hit an error or a match, and either way we should
634 * not fall back to the CN.
635 */
636 check_cn = false;
637 break;
638 }
639 }
640 sk_GENERAL_NAME_pop_free(peer_san, GENERAL_NAME_free);
641 }
642
643 /*
644 * If there is no subjectAltName extension of the matching type, check the
645 * Common Name.
646 *
647 * (Per RFC 2818 and RFC 6125, if the subjectAltName extension of type
648 * dNSName is present, the CN must be ignored. We break this rule if host
649 * is an IP address; see the comment above.)
650 */
651 if (check_cn)
652 {
653 X509_NAME *subject_name;
654
655 subject_name = X509_get_subject_name(conn->peer);
656 if (subject_name != NULL)
657 {
658 int cn_index;
659
660 cn_index = X509_NAME_get_index_by_NID(subject_name,
661 NID_commonName, -1);
662 if (cn_index >= 0)
663 {
664 char *common_name = NULL;
665
666 (*names_examined)++;
668 X509_NAME_ENTRY_get_data(X509_NAME_get_entry(subject_name, cn_index)),
669 &common_name);
670
671 if (common_name)
672 {
673 if (!*first_name)
674 *first_name = common_name;
675 else
676 free(common_name);
677 }
678 }
679 }
680 }
681
682 return rc;
683}
static int openssl_verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, char **store_name)
Definition: fe-secure-openssl.c:470
static int openssl_verify_peer_name_matches_certificate_ip(PGconn *conn, ASN1_OCTET_STRING *addr_entry, char **store_name)
Definition: fe-secure-openssl.c:499
Assert(PointerIsAligned(start, uint64))
References Assert(), conn, pg_conn::connhost, free, pg_conn_host::host, i, is_ip_address(), name, openssl_verify_peer_name_matches_certificate_ip(), openssl_verify_peer_name_matches_certificate_name(), and pg_conn::whichhost.
Referenced by pq_verify_peer_name_matches_certificate().
◆ pgtls_write()
| ssize_t pgtls_write | ( | PGconn * | conn, |
| const void * | ptr, | ||
| size_t | len | ||
| ) |
Definition at line 240 of file fe-secure-openssl.c.
241{
242 ssize_t n;
243 int result_errno = 0;
246 unsigned long ecode;
247
248 SOCK_ERRNO_SET(0);
249 ERR_clear_error();
252 ecode = (err != SSL_ERROR_NONE || n < 0) ? ERR_get_error() : 0;
254 {
255 case SSL_ERROR_NONE:
256 if (n < 0)
257 {
258 /* Not supposed to happen, so we don't translate the msg */
260 "SSL_write failed but did not provide error information\n");
261 /* assume the connection is broken */
262 result_errno = ECONNRESET;
263 }
264 break;
265 case SSL_ERROR_WANT_READ:
266
267 /*
268 * Returning 0 here causes caller to wait for write-ready, which
269 * is not really the right thing, but it's the best we can do.
270 */
271 n = 0;
272 break;
273 case SSL_ERROR_WANT_WRITE:
274 n = 0;
275 break;
276 case SSL_ERROR_SYSCALL:
277
278 /*
279 * If errno is still zero then assume it's a read EOF situation,
280 * and report EOF. (This seems possible because SSL_write can
281 * also do reads.)
282 */
284 {
285 result_errno = SOCK_ERRNO;
288 "\tThis probably means the server terminated abnormally\n"
289 "\tbefore or while processing the request.");
290 else
292 SOCK_STRERROR(result_errno,
293 sebuf, sizeof(sebuf)));
294 }
295 else
296 {
298 /* assume the connection is broken */
299 result_errno = ECONNRESET;
300 n = -1;
301 }
302 break;
303 case SSL_ERROR_SSL:
304 {
306
308 SSLerrfree(errm);
309 /* assume the connection is broken */
310 result_errno = ECONNRESET;
311 n = -1;
312 break;
313 }
314 case SSL_ERROR_ZERO_RETURN:
315
316 /*
317 * Per OpenSSL documentation, this error code is only returned for
318 * a clean connection closure, so we should not report it as a
319 * server crash.
320 */
322 result_errno = ECONNRESET;
323 n = -1;
324 break;
325 default:
327 /* assume the connection is broken */
328 result_errno = ECONNRESET;
329 n = -1;
330 break;
331 }
332
333 /* ensure we return the intended errno to caller */
334 SOCK_ERRNO_SET(result_errno);
335
336 return n;
337}
References appendPQExpBufferStr(), conn, ECONNRESET, err(), pg_conn::errorMessage, len, libpq_append_conn_error(), PG_STRERROR_R_BUFLEN, SOCK_ERRNO, SOCK_ERRNO_SET, SOCK_STRERROR, SSLerrfree(), and SSLerrmessage().
Referenced by pqsecure_write().
◆ PQdefaultSSLKeyPassHook_OpenSSL()
| int PQdefaultSSLKeyPassHook_OpenSSL | ( | char * | buf, |
| int | size, | ||
| PGconn * | conn | ||
| ) |
Definition at line 1904 of file fe-secure-openssl.c.
1905{
1907 {
1913 }
1914 else
1915 {
1917 return 0;
1918 }
1919}
References buf, conn, fprintf, libpq_gettext, and pg_conn::sslpassword.
Referenced by PQssl_passwd_cb().
◆ PQgetssl()
| void * PQgetssl | ( | PGconn * | conn | ) |
Definition at line 1626 of file fe-secure-openssl.c.
References conn.
◆ PQgetSSLKeyPassHook_OpenSSL()
| PQsslKeyPassHook_OpenSSL_type PQgetSSLKeyPassHook_OpenSSL | ( | void | ) |
Definition at line 1922 of file fe-secure-openssl.c.
References PQsslKeyPassHook.
◆ PQsetSSLKeyPassHook_OpenSSL()
| void PQsetSSLKeyPassHook_OpenSSL | ( | PQsslKeyPassHook_OpenSSL_type | hook | ) |
Definition at line 1928 of file fe-secure-openssl.c.
References PQsslKeyPassHook.
◆ PQssl_passwd_cb()
|
static |
Definition at line 1939 of file fe-secure-openssl.c.
1940{
1942
1945 else
1947}
int PQdefaultSSLKeyPassHook_OpenSSL(char *buf, int size, PGconn *conn)
Definition: fe-secure-openssl.c:1904
References buf, conn, PQdefaultSSLKeyPassHook_OpenSSL(), and PQsslKeyPassHook.
Referenced by initialize_SSL().
◆ PQsslAttribute()
| const char * PQsslAttribute | ( | PGconn * | conn, |
| const char * | attribute_name | ||
| ) |
Definition at line 1671 of file fe-secure-openssl.c.
1672{
1674 {
1675 /* PQsslAttribute(NULL, "library") reports the default SSL library */
1676 if (strcmp(attribute_name, "library") == 0)
1677 return "OpenSSL";
1678 return NULL;
1679 }
1680
1681 /* All attributes read as NULL for a non-encrypted connection */
1683 return NULL;
1684
1685 if (strcmp(attribute_name, "library") == 0)
1686 return "OpenSSL";
1687
1688 if (strcmp(attribute_name, "key_bits") == 0)
1689 {
1690 static char sslbits_str[12];
1691 int sslbits;
1692
1693 SSL_get_cipher_bits(conn->ssl, &sslbits);
1695 return sslbits_str;
1696 }
1697
1698 if (strcmp(attribute_name, "cipher") == 0)
1700
1701 if (strcmp(attribute_name, "compression") == 0)
1703
1704 if (strcmp(attribute_name, "protocol") == 0)
1706
1707 if (strcmp(attribute_name, "alpn") == 0)
1708 {
1711 static char alpn_str[256]; /* alpn doesn't support longer than 255
1712 * bytes */
1713
1716 return "";
1718 alpn_str[len] = 0;
1719 return alpn_str;
1720 }
1721
1722 return NULL; /* unknown attribute */
1723}
References conn, data, len, and snprintf.
Referenced by exec_command_conninfo(), print_ssl_library(), and printSSLInfo().
◆ PQsslAttributeNames()
| const char *const * PQsslAttributeNames | ( | PGconn * | conn | ) |
Definition at line 1644 of file fe-secure-openssl.c.
1645{
1646 static const char *const openssl_attrs[] = {
1647 "library",
1648 "key_bits",
1649 "cipher",
1650 "compression",
1651 "protocol",
1652 "alpn",
1653 NULL
1654 };
1655 static const char *const empty_attrs[] = {NULL};
1656
1658 {
1659 /* Return attributes of default SSL library */
1660 return openssl_attrs;
1661 }
1662
1663 /* No attrs for unencrypted connection */
1665 return empty_attrs;
1666
1667 return openssl_attrs;
1668}
References conn.
◆ PQsslStruct()
| void * PQsslStruct | ( | PGconn * | conn, |
| const char * | struct_name | ||
| ) |
Definition at line 1634 of file fe-secure-openssl.c.
1635{
1637 return NULL;
1638 if (strcmp(struct_name, "OpenSSL") == 0)
1640 return NULL;
1641}
References conn.
◆ ssl_protocol_version_to_openssl()
|
static |
Definition at line 1960 of file fe-secure-openssl.c.
1961{
1963 return TLS1_VERSION;
1964
1965#ifdef TLS1_1_VERSION
1967 return TLS1_1_VERSION;
1968#endif
1969
1970#ifdef TLS1_2_VERSION
1972 return TLS1_2_VERSION;
1973#endif
1974
1975#ifdef TLS1_3_VERSION
1977 return TLS1_3_VERSION;
1978#endif
1979
1980 return -1;
1981}
References pg_strcasecmp().
Referenced by initialize_SSL().
◆ ssl_set_pgconn_bio()
|
static |
Definition at line 1878 of file fe-secure-openssl.c.
1879{
1880 BIO *bio;
1881 BIO_METHOD *bio_method;
1882
1883 bio_method = pgconn_bio_method();
1884 if (bio_method == NULL)
1885 return 0;
1886
1887 bio = BIO_new(bio_method);
1888 if (bio == NULL)
1889 return 0;
1890
1891 BIO_set_data(bio, conn);
1892 BIO_set_init(bio, 1);
1893
1894 SSL_set_bio(conn->ssl, bio, bio);
1895 return 1;
1896}
References conn, and pgconn_bio_method().
Referenced by initialize_SSL().
◆ SSLerrfree()
|
static |
Definition at line 1612 of file fe-secure-openssl.c.
1613{
1616}
References buf, free, and ssl_nomem.
Referenced by initialize_SSL(), open_client_SSL(), pgtls_read(), and pgtls_write().
◆ SSLerrmessage()
|
static |
Definition at line 1554 of file fe-secure-openssl.c.
1555{
1556 const char *errreason;
1557 char *errbuf;
1558
1560 if (!errbuf)
1562 if (ecode == 0)
1563 {
1565 return errbuf;
1566 }
1567 errreason = ERR_reason_error_string(ecode);
1568 if (errreason != NULL)
1569 {
1571 return errbuf;
1572 }
1573
1574 /*
1575 * Server aborted the connection with TLS "no_application_protocol" alert.
1576 * The ERR_reason_error_string() function doesn't give any error string
1577 * for that for some reason, so do it ourselves. See
1578 * https://github.com/openssl/openssl/issues/24300. This is available in
1579 * OpenSSL 1.1.0 and later, as well as in LibreSSL 3.4.3 (OpenBSD 7.0) and
1580 * later.
1581 */
1582#ifdef SSL_AD_NO_APPLICATION_PROTOCOL
1583 if (ERR_GET_LIB(ecode) == ERR_LIB_SSL &&
1584 ERR_GET_REASON(ecode) == SSL_AD_REASON_OFFSET + SSL_AD_NO_APPLICATION_PROTOCOL)
1585 {
1587 return errbuf;
1588 }
1589#endif
1590
1591 /*
1592 * In OpenSSL 3.0.0 and later, ERR_reason_error_string does not map system
1593 * errno values anymore. (See OpenSSL source code for the explanation.)
1594 * We can cover that shortcoming with this bit of code. Older OpenSSL
1595 * versions don't have the ERR_SYSTEM_ERROR macro, but that's okay because
1596 * they don't have the shortcoming either.
1597 */
1598#ifdef ERR_SYSTEM_ERROR
1599 if (ERR_SYSTEM_ERROR(ecode))
1600 {
1602 return errbuf;
1603 }
1604#endif
1605
1606 /* No choice but to report the numeric ecode */
1608 return errbuf;
1609}
References libpq_gettext, malloc, snprintf, SSL_ERR_LEN, ssl_nomem, strerror_r, and strlcpy().
Referenced by initialize_SSL(), open_client_SSL(), pgtls_read(), and pgtls_write().
◆ verify_cb()
|
static |
Definition at line 430 of file fe-secure-openssl.c.
431{
432 return ok;
433}
Referenced by initialize_SSL().
Variable Documentation
◆ alpn_protos
|
static |
Definition at line 686 of file fe-secure-openssl.c.
Referenced by initialize_SSL().
◆ pgconn_bio_method_ptr
|
static |
Definition at line 1735 of file fe-secure-openssl.c.
Referenced by pgconn_bio_method().
◆ PQsslKeyPassHook
|
static |
Definition at line 88 of file fe-secure-openssl.c.
Referenced by initialize_SSL(), PQgetSSLKeyPassHook_OpenSSL(), PQsetSSLKeyPassHook_OpenSSL(), and PQssl_passwd_cb().
◆ ssl_config_mutex
|
static |
Definition at line 86 of file fe-secure-openssl.c.
Referenced by pgconn_bio_method().
◆ ssl_nomem
|
static |
Definition at line 1549 of file fe-secure-openssl.c.
Referenced by SSLerrfree(), and SSLerrmessage().
