60 #include <openssl/conf.h>
62 #include <openssl/engine.h>
64 #include <openssl/x509v3.h>
67 static int verify_cb(
int ok, X509_STORE_CTX *ctx);
69 ASN1_STRING *name_entry,
72 ASN1_OCTET_STRING *addr_entry,
121 if (
conn->ssl == NULL)
143 int result_errno = 0;
161 n = SSL_read(
conn->ssl, ptr,
len);
162 err = SSL_get_error(
conn->ssl, n);
172 ecode = (
err != SSL_ERROR_NONE || n < 0) ? ERR_get_error() : 0;
180 "SSL_read failed but did not provide error information\n");
185 case SSL_ERROR_WANT_READ:
188 case SSL_ERROR_WANT_WRITE:
197 case SSL_ERROR_SYSCALL:
201 if (result_errno == EPIPE ||
204 "\tThis probably means the server terminated abnormally\n"
205 "\tbefore or while processing the request.");
209 sebuf,
sizeof(sebuf)));
230 case SSL_ERROR_ZERO_RETURN:
258 return SSL_pending(
conn->ssl) > 0;
265 int result_errno = 0;
272 n = SSL_write(
conn->ssl, ptr,
len);
273 err = SSL_get_error(
conn->ssl, n);
274 ecode = (
err != SSL_ERROR_NONE || n < 0) ? ERR_get_error() : 0;
282 "SSL_write failed but did not provide error information\n");
287 case SSL_ERROR_WANT_READ:
295 case SSL_ERROR_WANT_WRITE:
298 case SSL_ERROR_SYSCALL:
308 if (result_errno == EPIPE || result_errno ==
ECONNRESET)
310 "\tThis probably means the server terminated abnormally\n"
311 "\tbefore or while processing the request.");
315 sebuf,
sizeof(sebuf)));
336 case SSL_ERROR_ZERO_RETURN:
365 const EVP_MD *algo_type;
366 unsigned char hash[EVP_MAX_MD_SIZE];
367 unsigned int hash_size;
376 peer_cert =
conn->peer;
383 #if HAVE_X509_GET_SIGNATURE_INFO
384 if (!X509_get_signature_info(peer_cert, &algo_nid, NULL, NULL, NULL))
386 if (!OBJ_find_sigid_algs(X509_get_signature_nid(peer_cert),
404 algo_type = EVP_sha256();
407 algo_type = EVP_get_digestbynid(algo_nid);
408 if (algo_type == NULL)
411 OBJ_nid2sn(algo_nid));
417 if (!X509_digest(peer_cert, algo_type,
hash, &hash_size))
424 cert_hash =
malloc(hash_size);
425 if (cert_hash == NULL)
430 memcpy(cert_hash,
hash, hash_size);
457 #ifdef HAVE_SSL_CTX_SET_CERT_CB
468 cert_cb(SSL *ssl,
void *
arg)
475 if (SSL_get_certificate(ssl))
496 const unsigned char *namedata;
499 if (name_entry == NULL)
508 #ifdef HAVE_ASN1_STRING_GET0_DATA
509 namedata = ASN1_STRING_get0_data(name_entry);
511 namedata = ASN1_STRING_data(name_entry);
513 len = ASN1_STRING_length(name_entry);
526 ASN1_OCTET_STRING *addr_entry,
530 const unsigned char *addrdata;
533 if (addr_entry == NULL)
543 #ifdef HAVE_ASN1_STRING_GET0_DATA
544 addrdata = ASN1_STRING_get0_data(addr_entry);
546 addrdata = ASN1_STRING_data(addr_entry);
548 len = ASN1_STRING_length(addr_entry);
556 struct in_addr dummy4;
557 #ifdef HAVE_INET_PTON
558 struct in6_addr dummy6;
562 #ifdef HAVE_INET_PTON
563 || (inet_pton(AF_INET6, host, &dummy6) == 1)
578 STACK_OF(GENERAL_NAME) * peer_san;
583 bool check_cn =
true;
608 host_type = GEN_IPADD;
616 peer_san = (STACK_OF(GENERAL_NAME) *)
617 X509_get_ext_d2i(
conn->peer, NID_subject_alt_name, NULL, NULL);
621 int san_len = sk_GENERAL_NAME_num(peer_san);
623 for (
i = 0;
i < san_len;
i++)
625 const GENERAL_NAME *
name = sk_GENERAL_NAME_value(peer_san,
i);
626 char *alt_name = NULL;
628 if (
name->type == host_type)
637 if (
name->type == GEN_DNS)
644 else if (
name->type == GEN_IPADD)
655 *first_name = alt_name;
670 sk_GENERAL_NAME_pop_free(peer_san, GENERAL_NAME_free);
683 X509_NAME *subject_name;
685 subject_name = X509_get_subject_name(
conn->peer);
686 if (subject_name != NULL)
690 cn_index = X509_NAME_get_index_by_NID(subject_name,
694 char *common_name = NULL;
698 X509_NAME_ENTRY_get_data(X509_NAME_get_entry(subject_name, cn_index)),
704 *first_name = common_name;
715 #if defined(HAVE_CRYPTO_LOCK)
725 pq_threadidcallback(
void)
738 pq_lockingcallback(
int mode,
int n,
const char *file,
int line)
745 if (
mode & CRYPTO_LOCK)
774 #ifdef HAVE_CRYPTO_LOCK
781 if (pq_lockarray == NULL)
791 for (
i = 0;
i < CRYPTO_num_locks();
i++)
803 if (do_crypto && !
conn->crypto_loaded)
812 if (CRYPTO_get_id_callback() == NULL)
813 CRYPTO_set_id_callback(pq_threadidcallback);
814 if (CRYPTO_get_locking_callback() == NULL)
815 CRYPTO_set_locking_callback(pq_lockingcallback);
818 conn->crypto_loaded =
true;
827 #ifdef HAVE_OPENSSL_INIT_SSL
828 OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
830 OPENSSL_config(NULL);
832 SSL_load_error_strings();
857 #if defined(HAVE_CRYPTO_LOCK)
870 if (CRYPTO_get_locking_callback() == pq_lockingcallback)
871 CRYPTO_set_locking_callback(NULL);
872 if (CRYPTO_get_id_callback() == pq_threadidcallback)
873 CRYPTO_set_id_callback(NULL);
921 have_homedir =
false;
959 #ifdef HAVE_SSL_CTX_SET_CERT_CB
965 SSL_CTX_set_options(
SSL_context, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
975 if (ssl_min_ver == -1)
1001 if (ssl_max_ver == -1)
1024 SSL_CTX_set_mode(
SSL_context, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
1033 else if (have_homedir)
1034 snprintf(fnbuf,
sizeof(fnbuf),
"%s/%s", homedir, ROOT_CERT_FILE);
1038 if (strcmp(fnbuf,
"system") == 0)
1047 if (SSL_CTX_set_default_verify_paths(
SSL_context) != 1)
1057 have_rootcert =
true;
1059 else if (fnbuf[0] !=
'\0' &&
1062 X509_STORE *cvstore;
1064 if (SSL_CTX_load_verify_locations(
SSL_context, fnbuf, NULL) != 1)
1075 if ((cvstore = SSL_CTX_get_cert_store(
SSL_context)) != NULL)
1086 if (!fname && !dname && have_homedir)
1088 snprintf(fnbuf,
sizeof(fnbuf),
"%s/%s", homedir, ROOT_CRL_FILE);
1093 if ((fname || dname) &&
1094 X509_STORE_load_locations(cvstore, fname, dname) == 1)
1096 X509_STORE_set_flags(cvstore,
1097 X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
1103 have_rootcert =
true;
1119 if (fnbuf[0] ==
'\0')
1121 "Either provide the file, use the system's trusted roots with sslrootcert=system, or change sslmode to disable server certificate verification.");
1124 "Either provide the file, use the system's trusted roots with sslrootcert=system, or change sslmode to disable server certificate verification.", fnbuf);
1128 have_rootcert =
false;
1134 else if (have_homedir)
1135 snprintf(fnbuf,
sizeof(fnbuf),
"%s/%s", homedir, USER_CERT_FILE);
1144 else if (fnbuf[0] ==
'\0')
1149 else if (
stat(fnbuf, &
buf) != 0)
1156 if (errno != ENOENT && errno != ENOTDIR)
1159 fnbuf,
strerror_r(errno, sebuf,
sizeof(sebuf)));
1172 if (SSL_CTX_use_certificate_chain_file(
SSL_context, fnbuf) != 1)
1195 !SSL_set_app_data(
conn->ssl,
conn) ||
1224 if (host && host[0] &&
1225 !(strspn(host,
"0123456789.") == strlen(host) ||
1228 if (SSL_set_tlsext_host_name(
conn->ssl, host) != 1)
1263 #ifdef USE_SSL_ENGINE
1275 if (engine_str == NULL)
1282 engine_colon = strchr(engine_str,
':');
1284 *engine_colon =
'\0';
1287 conn->engine = ENGINE_by_id(engine_str);
1288 if (
conn->engine == NULL)
1299 if (ENGINE_init(
conn->engine) == 0)
1306 ENGINE_free(
conn->engine);
1307 conn->engine = NULL;
1312 pkey = ENGINE_load_private_key(
conn->engine, engine_colon,
1319 engine_colon, engine_str,
err);
1321 ENGINE_finish(
conn->engine);
1322 ENGINE_free(
conn->engine);
1323 conn->engine = NULL;
1327 if (SSL_use_PrivateKey(
conn->ssl, pkey) != 1)
1332 engine_colon, engine_str,
err);
1334 ENGINE_finish(
conn->engine);
1335 ENGINE_free(
conn->engine);
1336 conn->engine = NULL;
1353 else if (have_homedir)
1356 snprintf(fnbuf,
sizeof(fnbuf),
"%s/%s", homedir, USER_KEY_FILE);
1361 if (have_cert && fnbuf[0] !=
'\0')
1367 if (errno == ENOENT)
1406 #if !defined(WIN32) && !defined(__CYGWIN__)
1407 if (
buf.st_uid == 0 ?
1412 "private key file \"%s\" has group or world access; file must have permissions u=rw (0600) or less if owned by the current user, or permissions u=rw,g=r (0640) or less if owned by root",
1418 if (SSL_use_PrivateKey_file(
conn->ssl, fnbuf, SSL_FILETYPE_PEM) != 1)
1434 if (SSL_use_PrivateKey_file(
conn->ssl, fnbuf, SSL_FILETYPE_ASN1) != 1)
1448 SSL_check_private_key(
conn->ssl) != 1)
1469 SSL_set_options(
conn->ssl, SSL_OP_NO_COMPRESSION);
1471 SSL_clear_options(
conn->ssl, SSL_OP_NO_COMPRESSION);
1486 r = SSL_connect(
conn->ssl);
1490 int err = SSL_get_error(
conn->ssl, r);
1491 unsigned long ecode;
1493 ecode = ERR_get_error();
1496 case SSL_ERROR_WANT_READ:
1499 case SSL_ERROR_WANT_WRITE:
1502 case SSL_ERROR_SYSCALL:
1505 unsigned long vcode;
1507 vcode = SSL_get_verify_result(
conn->ssl);
1518 if (save_errno == 0 &&
1519 vcode == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY &&
1522 X509_verify_cert_error_string(vcode));
1523 else if (r == -1 && save_errno != 0)
1537 switch (ERR_GET_REASON(ecode))
1553 case SSL_R_NO_PROTOCOLS_AVAILABLE:
1554 case SSL_R_UNSUPPORTED_PROTOCOL:
1555 case SSL_R_BAD_PROTOCOL_VERSION_NUMBER:
1556 case SSL_R_UNKNOWN_PROTOCOL:
1557 case SSL_R_UNKNOWN_SSL_VERSION:
1558 case SSL_R_UNSUPPORTED_SSL_VERSION:
1559 case SSL_R_WRONG_SSL_VERSION:
1560 case SSL_R_WRONG_VERSION_NUMBER:
1561 case SSL_R_TLSV1_ALERT_PROTOCOL_VERSION:
1562 #ifdef SSL_R_VERSION_TOO_HIGH
1563 case SSL_R_VERSION_TOO_HIGH:
1564 case SSL_R_VERSION_TOO_LOW:
1569 MIN_OPENSSL_TLS_VERSION,
1572 MAX_OPENSSL_TLS_VERSION);
1594 conn->peer = SSL_get_peer_certificate(
conn->ssl);
1595 if (
conn->peer == NULL)
1618 bool destroy_needed =
false;
1630 SSL_shutdown(
conn->ssl);
1631 SSL_free(
conn->ssl);
1636 destroy_needed =
true;
1641 X509_free(
conn->peer);
1645 #ifdef USE_SSL_ENGINE
1648 ENGINE_finish(
conn->engine);
1649 ENGINE_free(
conn->engine);
1650 conn->engine = NULL;
1661 if (
conn->crypto_loaded)
1662 destroy_needed =
true;
1676 conn->crypto_loaded =
false;
1691 static char ssl_nomem[] =
"out of memory allocating error description";
1693 #define SSL_ERR_LEN 128
1698 const char *errreason;
1709 errreason = ERR_reason_error_string(ecode);
1710 if (errreason != NULL)
1722 #ifdef ERR_SYSTEM_ERROR
1723 if (ERR_SYSTEM_ERROR(ecode))
1762 if (strcmp(struct_name,
"OpenSSL") == 0)
1770 static const char *
const openssl_attrs[] = {
1779 static const char *
const empty_attrs[] = {NULL};
1784 return openssl_attrs;
1788 if (
conn->ssl == NULL)
1791 return openssl_attrs;
1800 if (strcmp(attribute_name,
"library") == 0)
1806 if (
conn->ssl == NULL)
1809 if (strcmp(attribute_name,
"library") == 0)
1812 if (strcmp(attribute_name,
"key_bits") == 0)
1814 static char sslbits_str[12];
1817 SSL_get_cipher_bits(
conn->ssl, &sslbits);
1818 snprintf(sslbits_str,
sizeof(sslbits_str),
"%d", sslbits);
1822 if (strcmp(attribute_name,
"cipher") == 0)
1823 return SSL_get_cipher(
conn->ssl);
1825 if (strcmp(attribute_name,
"compression") == 0)
1826 return SSL_get_current_compression(
conn->ssl) ?
"on" :
"off";
1828 if (strcmp(attribute_name,
"protocol") == 0)
1829 return SSL_get_version(
conn->ssl);
1831 if (strcmp(attribute_name,
"alpn") == 0)
1833 const unsigned char *
data;
1835 static char alpn_str[256];
1839 if (
data == NULL ||
len == 0 ||
len >
sizeof(alpn_str) - 1)
1868 BIO_clear_retry_flags(h);
1877 #if defined(EWOULDBLOCK) && (!defined(EAGAIN) || (EWOULDBLOCK != EAGAIN))
1881 BIO_set_retry_read(h);
1901 BIO_clear_retry_flags(h);
1910 #if defined(EWOULDBLOCK) && (!defined(EAGAIN) || (EWOULDBLOCK != EAGAIN))
1914 BIO_set_retry_write(h);
1937 BIO_METHOD *biom = (BIO_METHOD *) BIO_s_socket();
1938 #ifdef HAVE_BIO_METH_NEW
1941 my_bio_index = BIO_get_new_index();
1942 if (my_bio_index == -1)
1944 my_bio_index |= (BIO_TYPE_DESCRIPTOR | BIO_TYPE_SOURCE_SINK);
1945 res = BIO_meth_new(my_bio_index,
"libpq socket");
1955 !BIO_meth_set_gets(
res, BIO_meth_get_gets(biom)) ||
1956 !BIO_meth_set_puts(
res, BIO_meth_get_puts(biom)) ||
1957 !BIO_meth_set_ctrl(
res, BIO_meth_get_ctrl(biom)) ||
1958 !BIO_meth_set_create(
res, BIO_meth_get_create(biom)) ||
1959 !BIO_meth_set_destroy(
res, BIO_meth_get_destroy(biom)) ||
1960 !BIO_meth_set_callback_ctrl(
res, BIO_meth_get_callback_ctrl(biom)))
1968 memcpy(
res, biom,
sizeof(BIO_METHOD));
1979 #ifdef HAVE_BIO_METH_NEW
1996 BIO_METHOD *bio_method;
1999 if (bio_method == NULL)
2001 SSLerr(SSL_F_SSL_SET_FD, ERR_R_BUF_LIB);
2004 bio = BIO_new(bio_method);
2007 SSLerr(SSL_F_SSL_SET_FD, ERR_R_BUF_LIB);
2010 BIO_set_app_data(bio,
conn);
2012 SSL_set_bio(
conn->ssl, bio, bio);
2013 BIO_set_fd(bio,
fd, BIO_NOCLOSE);
2084 return TLS1_VERSION;
2086 #ifdef TLS1_1_VERSION
2088 return TLS1_1_VERSION;
2091 #ifdef TLS1_2_VERSION
2093 return TLS1_2_VERSION;
2096 #ifdef TLS1_3_VERSION
2098 return TLS1_3_VERSION;
static SSL_CTX * SSL_context
#define Assert(condition)
static void PGresult * res
void err(int eval, const char *fmt,...)
bool pqGetHomeDirectory(char *buf, int bufsize)
void libpq_append_conn_error(PGconn *conn, const char *fmt,...)
int pq_verify_peer_name_matches_certificate_name(PGconn *conn, const char *namedata, size_t namelen, char **store_name)
int pq_verify_peer_name_matches_certificate_ip(PGconn *conn, const unsigned char *ipdata, size_t iplen, char **store_name)
bool pq_verify_peer_name_matches_certificate(PGconn *conn)
static int ssl_protocol_version_to_openssl(const char *protocol)
static void destroy_ssl_system(void)
static int my_SSL_set_fd(PGconn *conn, int fd)
static void SSLerrfree(char *buf)
PQsslKeyPassHook_OpenSSL_type PQgetSSLKeyPassHook_OpenSSL(void)
int pgtls_verify_peer_name_matches_certificate_guts(PGconn *conn, int *names_examined, char **first_name)
PostgresPollingStatusType pgtls_open_client(PGconn *conn)
bool pgtls_read_pending(PGconn *conn)
static bool pq_init_crypto_lib
int PQdefaultSSLKeyPassHook_OpenSSL(char *buf, int size, PGconn *conn)
static long crypto_open_connections
static BIO_METHOD * my_bio_methods
static int openssl_verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, char **store_name)
void pgtls_init_library(bool do_ssl, int do_crypto)
ssize_t pgtls_read(PGconn *conn, void *ptr, size_t len)
static bool ssl_lib_initialized
ssize_t pgtls_write(PGconn *conn, const void *ptr, size_t len)
static PQsslKeyPassHook_OpenSSL_type PQsslKeyPassHook
int pgtls_init(PGconn *conn, bool do_ssl, bool do_crypto)
static BIO_METHOD * my_BIO_s_socket(void)
const char *const * PQsslAttributeNames(PGconn *conn)
static bool pq_init_ssl_lib
void * PQgetssl(PGconn *conn)
void * PQsslStruct(PGconn *conn, const char *struct_name)
static int initialize_SSL(PGconn *conn)
static pthread_mutex_t ssl_config_mutex
static int verify_cb(int ok, X509_STORE_CTX *ctx)
static int PQssl_passwd_cb(char *buf, int size, int rwflag, void *userdata)
static char * SSLerrmessage(unsigned long ecode)
static int openssl_verify_peer_name_matches_certificate_ip(PGconn *conn, ASN1_OCTET_STRING *addr_entry, char **store_name)
char * pgtls_get_peer_certificate_hash(PGconn *conn, size_t *len)
static PostgresPollingStatusType open_client_SSL(PGconn *conn)
const char * PQsslAttribute(PGconn *conn, const char *attribute_name)
static unsigned char alpn_protos[]
void pgtls_close(PGconn *conn)
void PQsetSSLKeyPassHook_OpenSSL(PQsslKeyPassHook_OpenSSL_type hook)
static int my_sock_write(BIO *h, const char *buf, int size)
static int my_sock_read(BIO *h, char *buf, int size)
static bool is_ip_address(const char *host)
ssize_t pqsecure_raw_read(PGconn *conn, void *ptr, size_t len)
ssize_t pqsecure_raw_write(PGconn *conn, const void *ptr, size_t len)
int(* PQsslKeyPassHook_OpenSSL_type)(char *buf, int size, PGconn *conn)
PostgresPollingStatusType
#define SOCK_ERRNO_SET(e)
static PgChecksumMode mode
#define PG_STRERROR_R_BUFLEN
int pg_strcasecmp(const char *s1, const char *s2)
int inet_aton(const char *cp, struct in_addr *addr)
size_t strlcpy(char *dst, const char *src, size_t siz)
#define PG_ALPN_PROTOCOL_VECTOR
void appendPQExpBufferStr(PQExpBuffer str, const char *data)
static int fd(const char *x, int i)
int SSL_CTX_set_max_proto_version(SSL_CTX *ctx, int version)
int SSL_CTX_set_min_proto_version(SSL_CTX *ctx, int version)
int pthread_mutex_unlock(pthread_mutex_t *mp)
int pthread_mutex_lock(pthread_mutex_t *mp)
int pthread_mutex_init(pthread_mutex_t *mp, void *attr)
#define PTHREAD_MUTEX_INITIALIZER
static unsigned hash(unsigned *uv, int n)
static pg_noinline void Size size
char * ssl_max_protocol_version
char * ssl_min_protocol_version
PQExpBufferData errorMessage
bool ssl_handshake_started