PostgreSQL Source Code  git master
be-secure-openssl.c
Go to the documentation of this file.
1 /*-------------------------------------------------------------------------
2  *
3  * be-secure-openssl.c
4  * functions for OpenSSL support in the backend.
5  *
6  *
7  * Portions Copyright (c) 1996-2020, PostgreSQL Global Development Group
8  * Portions Copyright (c) 1994, Regents of the University of California
9  *
10  *
11  * IDENTIFICATION
12  * src/backend/libpq/be-secure-openssl.c
13  *
14  *-------------------------------------------------------------------------
15  */
16 
17 #include "postgres.h"
18 
19 #include <sys/stat.h>
20 #include <signal.h>
21 #include <fcntl.h>
22 #include <ctype.h>
23 #include <sys/socket.h>
24 #include <unistd.h>
25 #include <netdb.h>
26 #include <netinet/in.h>
27 #ifdef HAVE_NETINET_TCP_H
28 #include <netinet/tcp.h>
29 #include <arpa/inet.h>
30 #endif
31 
32 #include <openssl/ssl.h>
33 #include <openssl/dh.h>
34 #include <openssl/conf.h>
35 #ifndef OPENSSL_NO_ECDH
36 #include <openssl/ec.h>
37 #endif
38 
39 #include "common/openssl.h"
40 #include "libpq/libpq.h"
41 #include "miscadmin.h"
42 #include "pgstat.h"
43 #include "storage/fd.h"
44 #include "storage/latch.h"
45 #include "tcop/tcopprot.h"
46 #include "utils/memutils.h"
47 
48 /* default init hook can be overridden by a shared library */
49 static void default_openssl_tls_init(SSL_CTX *context, bool isServerStart);
50 openssl_tls_init_hook_typ openssl_tls_init_hook = default_openssl_tls_init;
51 
52 static int my_sock_read(BIO *h, char *buf, int size);
53 static int my_sock_write(BIO *h, const char *buf, int size);
54 static BIO_METHOD *my_BIO_s_socket(void);
55 static int my_SSL_set_fd(Port *port, int fd);
56 
57 static DH *load_dh_file(char *filename, bool isServerStart);
58 static DH *load_dh_buffer(const char *, size_t);
59 static int ssl_external_passwd_cb(char *buf, int size, int rwflag, void *userdata);
60 static int dummy_ssl_passwd_cb(char *buf, int size, int rwflag, void *userdata);
61 static int verify_cb(int, X509_STORE_CTX *);
62 static void info_cb(const SSL *ssl, int type, int args);
63 static bool initialize_dh(SSL_CTX *context, bool isServerStart);
64 static bool initialize_ecdh(SSL_CTX *context, bool isServerStart);
65 static const char *SSLerrmessage(unsigned long ecode);
66 
67 static char *X509_NAME_to_cstring(X509_NAME *name);
68 
69 static SSL_CTX *SSL_context = NULL;
70 static bool SSL_initialized = false;
71 static bool dummy_ssl_passwd_cb_called = false;
72 static bool ssl_is_server_start;
73 
74 static int ssl_protocol_version_to_openssl(int v);
75 static const char *ssl_protocol_version_to_string(int v);
76 
77 /* ------------------------------------------------------------ */
78 /* Public interface */
79 /* ------------------------------------------------------------ */
80 
81 int
82 be_tls_init(bool isServerStart)
83 {
84  STACK_OF(X509_NAME) * root_cert_list = NULL;
85  SSL_CTX *context;
86  int ssl_ver_min = -1;
87  int ssl_ver_max = -1;
88 
89  /* This stuff need be done only once. */
90  if (!SSL_initialized)
91  {
92 #ifdef HAVE_OPENSSL_INIT_SSL
93  OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
94 #else
95  OPENSSL_config(NULL);
96  SSL_library_init();
97  SSL_load_error_strings();
98 #endif
99  SSL_initialized = true;
100  }
101 
102  /*
103  * We use SSLv23_method() because it can negotiate use of the highest
104  * mutually supported protocol version, while alternatives like
105  * TLSv1_2_method() permit only one specific version. Note that we don't
106  * actually allow SSL v2 or v3, only TLS protocols (see below).
107  */
108  context = SSL_CTX_new(SSLv23_method());
109  if (!context)
110  {
111  ereport(isServerStart ? FATAL : LOG,
112  (errmsg("could not create SSL context: %s",
113  SSLerrmessage(ERR_get_error()))));
114  goto error;
115  }
116 
117  /*
118  * Disable OpenSSL's moving-write-buffer sanity check, because it causes
119  * unnecessary failures in nonblocking send cases.
120  */
121  SSL_CTX_set_mode(context, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
122 
123  /*
124  * Call init hook (usually to set password callback)
125  */
126  (*openssl_tls_init_hook) (context, isServerStart);
127 
128  /* used by the callback */
129  ssl_is_server_start = isServerStart;
130 
131  /*
132  * Load and verify server's certificate and private key
133  */
134  if (SSL_CTX_use_certificate_chain_file(context, ssl_cert_file) != 1)
135  {
136  ereport(isServerStart ? FATAL : LOG,
137  (errcode(ERRCODE_CONFIG_FILE_ERROR),
138  errmsg("could not load server certificate file \"%s\": %s",
139  ssl_cert_file, SSLerrmessage(ERR_get_error()))));
140  goto error;
141  }
142 
143  if (!check_ssl_key_file_permissions(ssl_key_file, isServerStart))
144  goto error;
145 
146  /*
147  * OK, try to load the private key file.
148  */
150 
151  if (SSL_CTX_use_PrivateKey_file(context,
152  ssl_key_file,
153  SSL_FILETYPE_PEM) != 1)
154  {
156  ereport(isServerStart ? FATAL : LOG,
157  (errcode(ERRCODE_CONFIG_FILE_ERROR),
158  errmsg("private key file \"%s\" cannot be reloaded because it requires a passphrase",
159  ssl_key_file)));
160  else
161  ereport(isServerStart ? FATAL : LOG,
162  (errcode(ERRCODE_CONFIG_FILE_ERROR),
163  errmsg("could not load private key file \"%s\": %s",
164  ssl_key_file, SSLerrmessage(ERR_get_error()))));
165  goto error;
166  }
167 
168  if (SSL_CTX_check_private_key(context) != 1)
169  {
170  ereport(isServerStart ? FATAL : LOG,
171  (errcode(ERRCODE_CONFIG_FILE_ERROR),
172  errmsg("check of private key failed: %s",
173  SSLerrmessage(ERR_get_error()))));
174  goto error;
175  }
176 
178  {
180 
181  if (ssl_ver_min == -1)
182  {
183  ereport(isServerStart ? FATAL : LOG,
184  /*- translator: first %s is a GUC option name, second %s is its value */
185  (errmsg("\"%s\" setting \"%s\" not supported by this build",
186  "ssl_min_protocol_version",
187  GetConfigOption("ssl_min_protocol_version",
188  false, false))));
189  goto error;
190  }
191 
192  if (!SSL_CTX_set_min_proto_version(context, ssl_ver_min))
193  {
194  ereport(isServerStart ? FATAL : LOG,
195  (errmsg("could not set minimum SSL protocol version")));
196  goto error;
197  }
198  }
199 
201  {
203 
204  if (ssl_ver_max == -1)
205  {
206  ereport(isServerStart ? FATAL : LOG,
207  /*- translator: first %s is a GUC option name, second %s is its value */
208  (errmsg("\"%s\" setting \"%s\" not supported by this build",
209  "ssl_max_protocol_version",
210  GetConfigOption("ssl_max_protocol_version",
211  false, false))));
212  goto error;
213  }
214 
215  if (!SSL_CTX_set_max_proto_version(context, ssl_ver_max))
216  {
217  ereport(isServerStart ? FATAL : LOG,
218  (errmsg("could not set maximum SSL protocol version")));
219  goto error;
220  }
221  }
222 
223  /* Check compatibility of min/max protocols */
226  {
227  /*
228  * No need to check for invalid values (-1) for each protocol number
229  * as the code above would have already generated an error.
230  */
231  if (ssl_ver_min > ssl_ver_max)
232  {
233  ereport(isServerStart ? FATAL : LOG,
234  (errmsg("could not set SSL protocol version range"),
235  errdetail("\"%s\" cannot be higher than \"%s\"",
236  "ssl_min_protocol_version",
237  "ssl_max_protocol_version")));
238  goto error;
239  }
240  }
241 
242  /* disallow SSL session tickets */
243  SSL_CTX_set_options(context, SSL_OP_NO_TICKET);
244 
245  /* disallow SSL session caching, too */
246  SSL_CTX_set_session_cache_mode(context, SSL_SESS_CACHE_OFF);
247 
248  /* set up ephemeral DH and ECDH keys */
249  if (!initialize_dh(context, isServerStart))
250  goto error;
251  if (!initialize_ecdh(context, isServerStart))
252  goto error;
253 
254  /* set up the allowed cipher list */
255  if (SSL_CTX_set_cipher_list(context, SSLCipherSuites) != 1)
256  {
257  ereport(isServerStart ? FATAL : LOG,
258  (errcode(ERRCODE_CONFIG_FILE_ERROR),
259  errmsg("could not set the cipher list (no valid ciphers available)")));
260  goto error;
261  }
262 
263  /* Let server choose order */
265  SSL_CTX_set_options(context, SSL_OP_CIPHER_SERVER_PREFERENCE);
266 
267  /*
268  * Load CA store, so we can verify client certificates if needed.
269  */
270  if (ssl_ca_file[0])
271  {
272  if (SSL_CTX_load_verify_locations(context, ssl_ca_file, NULL) != 1 ||
273  (root_cert_list = SSL_load_client_CA_file(ssl_ca_file)) == NULL)
274  {
275  ereport(isServerStart ? FATAL : LOG,
276  (errcode(ERRCODE_CONFIG_FILE_ERROR),
277  errmsg("could not load root certificate file \"%s\": %s",
278  ssl_ca_file, SSLerrmessage(ERR_get_error()))));
279  goto error;
280  }
281  }
282 
283  /*----------
284  * Load the Certificate Revocation List (CRL).
285  * http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci803160,00.html
286  *----------
287  */
288  if (ssl_crl_file[0])
289  {
290  X509_STORE *cvstore = SSL_CTX_get_cert_store(context);
291 
292  if (cvstore)
293  {
294  /* Set the flags to check against the complete CRL chain */
295  if (X509_STORE_load_locations(cvstore, ssl_crl_file, NULL) == 1)
296  {
297  X509_STORE_set_flags(cvstore,
298  X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
299  }
300  else
301  {
302  ereport(isServerStart ? FATAL : LOG,
303  (errcode(ERRCODE_CONFIG_FILE_ERROR),
304  errmsg("could not load SSL certificate revocation list file \"%s\": %s",
305  ssl_crl_file, SSLerrmessage(ERR_get_error()))));
306  goto error;
307  }
308  }
309  }
310 
311  if (ssl_ca_file[0])
312  {
313  /*
314  * Always ask for SSL client cert, but don't fail if it's not
315  * presented. We might fail such connections later, depending on what
316  * we find in pg_hba.conf.
317  */
318  SSL_CTX_set_verify(context,
319  (SSL_VERIFY_PEER |
320  SSL_VERIFY_CLIENT_ONCE),
321  verify_cb);
322 
323  /*
324  * Tell OpenSSL to send the list of root certs we trust to clients in
325  * CertificateRequests. This lets a client with a keystore select the
326  * appropriate client certificate to send to us.
327  */
328  SSL_CTX_set_client_CA_list(context, root_cert_list);
329  }
330 
331  /*
332  * Success! Replace any existing SSL_context.
333  */
334  if (SSL_context)
335  SSL_CTX_free(SSL_context);
336 
337  SSL_context = context;
338 
339  /*
340  * Set flag to remember whether CA store has been loaded into SSL_context.
341  */
342  if (ssl_ca_file[0])
343  ssl_loaded_verify_locations = true;
344  else
345  ssl_loaded_verify_locations = false;
346 
347  return 0;
348 
349 error:
350  if (context)
351  SSL_CTX_free(context);
352  return -1;
353 }
354 
355 void
357 {
358  if (SSL_context)
359  SSL_CTX_free(SSL_context);
360  SSL_context = NULL;
361  ssl_loaded_verify_locations = false;
362 }
363 
364 int
366 {
367  int r;
368  int err;
369  int waitfor;
370  unsigned long ecode;
371  bool give_proto_hint;
372 
373  Assert(!port->ssl);
374  Assert(!port->peer);
375 
376  if (!SSL_context)
377  {
379  (errcode(ERRCODE_PROTOCOL_VIOLATION),
380  errmsg("could not initialize SSL connection: SSL context not set up")));
381  return -1;
382  }
383 
384  if (!(port->ssl = SSL_new(SSL_context)))
385  {
387  (errcode(ERRCODE_PROTOCOL_VIOLATION),
388  errmsg("could not initialize SSL connection: %s",
389  SSLerrmessage(ERR_get_error()))));
390  return -1;
391  }
392  if (!my_SSL_set_fd(port, port->sock))
393  {
395  (errcode(ERRCODE_PROTOCOL_VIOLATION),
396  errmsg("could not set SSL socket: %s",
397  SSLerrmessage(ERR_get_error()))));
398  return -1;
399  }
400  port->ssl_in_use = true;
401 
402 aloop:
403 
404  /*
405  * Prepare to call SSL_get_error() by clearing thread's OpenSSL error
406  * queue. In general, the current thread's error queue must be empty
407  * before the TLS/SSL I/O operation is attempted, or SSL_get_error() will
408  * not work reliably. An extension may have failed to clear the
409  * per-thread error queue following another call to an OpenSSL I/O
410  * routine.
411  */
412  ERR_clear_error();
413  r = SSL_accept(port->ssl);
414  if (r <= 0)
415  {
416  err = SSL_get_error(port->ssl, r);
417 
418  /*
419  * Other clients of OpenSSL in the backend may fail to call
420  * ERR_get_error(), but we always do, so as to not cause problems for
421  * OpenSSL clients that don't call ERR_clear_error() defensively. Be
422  * sure that this happens by calling now. SSL_get_error() relies on
423  * the OpenSSL per-thread error queue being intact, so this is the
424  * earliest possible point ERR_get_error() may be called.
425  */
426  ecode = ERR_get_error();
427  switch (err)
428  {
429  case SSL_ERROR_WANT_READ:
430  case SSL_ERROR_WANT_WRITE:
431  /* not allowed during connection establishment */
432  Assert(!port->noblock);
433 
434  /*
435  * No need to care about timeouts/interrupts here. At this
436  * point authentication_timeout still employs
437  * StartupPacketTimeoutHandler() which directly exits.
438  */
439  if (err == SSL_ERROR_WANT_READ)
441  else
443 
444  (void) WaitLatchOrSocket(MyLatch, waitfor, port->sock, 0,
446  goto aloop;
447  case SSL_ERROR_SYSCALL:
448  if (r < 0)
451  errmsg("could not accept SSL connection: %m")));
452  else
454  (errcode(ERRCODE_PROTOCOL_VIOLATION),
455  errmsg("could not accept SSL connection: EOF detected")));
456  break;
457  case SSL_ERROR_SSL:
458  switch (ERR_GET_REASON(ecode))
459  {
460  /*
461  * UNSUPPORTED_PROTOCOL, WRONG_VERSION_NUMBER, and
462  * TLSV1_ALERT_PROTOCOL_VERSION have been observed
463  * when trying to communicate with an old OpenSSL
464  * library, or when the client and server specify
465  * disjoint protocol ranges. NO_PROTOCOLS_AVAILABLE
466  * occurs if there's a local misconfiguration (which
467  * can happen despite our checks, if openssl.cnf
468  * injects a limit we didn't account for). It's not
469  * very clear what would make OpenSSL return the other
470  * codes listed here, but a hint about protocol
471  * versions seems like it's appropriate for all.
472  */
473  case SSL_R_NO_PROTOCOLS_AVAILABLE:
474  case SSL_R_UNSUPPORTED_PROTOCOL:
475  case SSL_R_BAD_PROTOCOL_VERSION_NUMBER:
476  case SSL_R_UNKNOWN_PROTOCOL:
477  case SSL_R_UNKNOWN_SSL_VERSION:
478  case SSL_R_UNSUPPORTED_SSL_VERSION:
479  case SSL_R_WRONG_SSL_VERSION:
480  case SSL_R_WRONG_VERSION_NUMBER:
481  case SSL_R_TLSV1_ALERT_PROTOCOL_VERSION:
482 #ifdef SSL_R_VERSION_TOO_HIGH
483  case SSL_R_VERSION_TOO_HIGH:
484  case SSL_R_VERSION_TOO_LOW:
485 #endif
486  give_proto_hint = true;
487  break;
488  default:
489  give_proto_hint = false;
490  break;
491  }
493  (errcode(ERRCODE_PROTOCOL_VIOLATION),
494  errmsg("could not accept SSL connection: %s",
495  SSLerrmessage(ecode)),
496  give_proto_hint ?
497  errhint("This may indicate that the client does not support any SSL protocol version between %s and %s.",
500  MIN_OPENSSL_TLS_VERSION,
503  MAX_OPENSSL_TLS_VERSION) : 0));
504  break;
505  case SSL_ERROR_ZERO_RETURN:
507  (errcode(ERRCODE_PROTOCOL_VIOLATION),
508  errmsg("could not accept SSL connection: EOF detected")));
509  break;
510  default:
512  (errcode(ERRCODE_PROTOCOL_VIOLATION),
513  errmsg("unrecognized SSL error code: %d",
514  err)));
515  break;
516  }
517  return -1;
518  }
519 
520  /* Get client certificate, if available. */
521  port->peer = SSL_get_peer_certificate(port->ssl);
522 
523  /* and extract the Common Name from it. */
524  port->peer_cn = NULL;
525  port->peer_cert_valid = false;
526  if (port->peer != NULL)
527  {
528  int len;
529 
530  len = X509_NAME_get_text_by_NID(X509_get_subject_name(port->peer),
531  NID_commonName, NULL, 0);
532  if (len != -1)
533  {
534  char *peer_cn;
535 
536  peer_cn = MemoryContextAlloc(TopMemoryContext, len + 1);
537  r = X509_NAME_get_text_by_NID(X509_get_subject_name(port->peer),
538  NID_commonName, peer_cn, len + 1);
539  peer_cn[len] = '\0';
540  if (r != len)
541  {
542  /* shouldn't happen */
543  pfree(peer_cn);
544  return -1;
545  }
546 
547  /*
548  * Reject embedded NULLs in certificate common name to prevent
549  * attacks like CVE-2009-4034.
550  */
551  if (len != strlen(peer_cn))
552  {
554  (errcode(ERRCODE_PROTOCOL_VIOLATION),
555  errmsg("SSL certificate's common name contains embedded null")));
556  pfree(peer_cn);
557  return -1;
558  }
559 
560  port->peer_cn = peer_cn;
561  }
562  port->peer_cert_valid = true;
563  }
564 
565  /* set up debugging/info callback */
566  SSL_CTX_set_info_callback(SSL_context, info_cb);
567 
568  return 0;
569 }
570 
571 void
573 {
574  if (port->ssl)
575  {
576  SSL_shutdown(port->ssl);
577  SSL_free(port->ssl);
578  port->ssl = NULL;
579  port->ssl_in_use = false;
580  }
581 
582  if (port->peer)
583  {
584  X509_free(port->peer);
585  port->peer = NULL;
586  }
587 
588  if (port->peer_cn)
589  {
590  pfree(port->peer_cn);
591  port->peer_cn = NULL;
592  }
593 }
594 
595 ssize_t
596 be_tls_read(Port *port, void *ptr, size_t len, int *waitfor)
597 {
598  ssize_t n;
599  int err;
600  unsigned long ecode;
601 
602  errno = 0;
603  ERR_clear_error();
604  n = SSL_read(port->ssl, ptr, len);
605  err = SSL_get_error(port->ssl, n);
606  ecode = (err != SSL_ERROR_NONE || n < 0) ? ERR_get_error() : 0;
607  switch (err)
608  {
609  case SSL_ERROR_NONE:
610  /* a-ok */
611  break;
612  case SSL_ERROR_WANT_READ:
613  *waitfor = WL_SOCKET_READABLE;
614  errno = EWOULDBLOCK;
615  n = -1;
616  break;
617  case SSL_ERROR_WANT_WRITE:
618  *waitfor = WL_SOCKET_WRITEABLE;
619  errno = EWOULDBLOCK;
620  n = -1;
621  break;
622  case SSL_ERROR_SYSCALL:
623  /* leave it to caller to ereport the value of errno */
624  if (n != -1)
625  {
626  errno = ECONNRESET;
627  n = -1;
628  }
629  break;
630  case SSL_ERROR_SSL:
632  (errcode(ERRCODE_PROTOCOL_VIOLATION),
633  errmsg("SSL error: %s", SSLerrmessage(ecode))));
634  errno = ECONNRESET;
635  n = -1;
636  break;
637  case SSL_ERROR_ZERO_RETURN:
638  /* connection was cleanly shut down by peer */
639  n = 0;
640  break;
641  default:
643  (errcode(ERRCODE_PROTOCOL_VIOLATION),
644  errmsg("unrecognized SSL error code: %d",
645  err)));
646  errno = ECONNRESET;
647  n = -1;
648  break;
649  }
650 
651  return n;
652 }
653 
654 ssize_t
655 be_tls_write(Port *port, void *ptr, size_t len, int *waitfor)
656 {
657  ssize_t n;
658  int err;
659  unsigned long ecode;
660 
661  errno = 0;
662  ERR_clear_error();
663  n = SSL_write(port->ssl, ptr, len);
664  err = SSL_get_error(port->ssl, n);
665  ecode = (err != SSL_ERROR_NONE || n < 0) ? ERR_get_error() : 0;
666  switch (err)
667  {
668  case SSL_ERROR_NONE:
669  /* a-ok */
670  break;
671  case SSL_ERROR_WANT_READ:
672  *waitfor = WL_SOCKET_READABLE;
673  errno = EWOULDBLOCK;
674  n = -1;
675  break;
676  case SSL_ERROR_WANT_WRITE:
677  *waitfor = WL_SOCKET_WRITEABLE;
678  errno = EWOULDBLOCK;
679  n = -1;
680  break;
681  case SSL_ERROR_SYSCALL:
682  /* leave it to caller to ereport the value of errno */
683  if (n != -1)
684  {
685  errno = ECONNRESET;
686  n = -1;
687  }
688  break;
689  case SSL_ERROR_SSL:
691  (errcode(ERRCODE_PROTOCOL_VIOLATION),
692  errmsg("SSL error: %s", SSLerrmessage(ecode))));
693  errno = ECONNRESET;
694  n = -1;
695  break;
696  case SSL_ERROR_ZERO_RETURN:
697 
698  /*
699  * the SSL connection was closed, leave it to the caller to
700  * ereport it
701  */
702  errno = ECONNRESET;
703  n = -1;
704  break;
705  default:
707  (errcode(ERRCODE_PROTOCOL_VIOLATION),
708  errmsg("unrecognized SSL error code: %d",
709  err)));
710  errno = ECONNRESET;
711  n = -1;
712  break;
713  }
714 
715  return n;
716 }
717 
718 /* ------------------------------------------------------------ */
719 /* Internal functions */
720 /* ------------------------------------------------------------ */
721 
722 /*
723  * Private substitute BIO: this does the sending and receiving using send() and
724  * recv() instead. This is so that we can enable and disable interrupts
725  * just while calling recv(). We cannot have interrupts occurring while
726  * the bulk of OpenSSL runs, because it uses malloc() and possibly other
727  * non-reentrant libc facilities. We also need to call send() and recv()
728  * directly so it gets passed through the socket/signals layer on Win32.
729  *
730  * These functions are closely modelled on the standard socket BIO in OpenSSL;
731  * see sock_read() and sock_write() in OpenSSL's crypto/bio/bss_sock.c.
732  * XXX OpenSSL 1.0.1e considers many more errcodes than just EINTR as reasons
733  * to retry; do we need to adopt their logic for that?
734  */
735 
736 #ifndef HAVE_BIO_GET_DATA
737 #define BIO_get_data(bio) (bio->ptr)
738 #define BIO_set_data(bio, data) (bio->ptr = data)
739 #endif
740 
741 static BIO_METHOD *my_bio_methods = NULL;
742 
743 static int
744 my_sock_read(BIO *h, char *buf, int size)
745 {
746  int res = 0;
747 
748  if (buf != NULL)
749  {
750  res = secure_raw_read(((Port *) BIO_get_data(h)), buf, size);
751  BIO_clear_retry_flags(h);
752  if (res <= 0)
753  {
754  /* If we were interrupted, tell caller to retry */
755  if (errno == EINTR || errno == EWOULDBLOCK || errno == EAGAIN)
756  {
757  BIO_set_retry_read(h);
758  }
759  }
760  }
761 
762  return res;
763 }
764 
765 static int
766 my_sock_write(BIO *h, const char *buf, int size)
767 {
768  int res = 0;
769 
770  res = secure_raw_write(((Port *) BIO_get_data(h)), buf, size);
771  BIO_clear_retry_flags(h);
772  if (res <= 0)
773  {
774  /* If we were interrupted, tell caller to retry */
775  if (errno == EINTR || errno == EWOULDBLOCK || errno == EAGAIN)
776  {
777  BIO_set_retry_write(h);
778  }
779  }
780 
781  return res;
782 }
783 
784 static BIO_METHOD *
786 {
787  if (!my_bio_methods)
788  {
789  BIO_METHOD *biom = (BIO_METHOD *) BIO_s_socket();
790 #ifdef HAVE_BIO_METH_NEW
791  int my_bio_index;
792 
793  my_bio_index = BIO_get_new_index();
794  if (my_bio_index == -1)
795  return NULL;
796  my_bio_methods = BIO_meth_new(my_bio_index, "PostgreSQL backend socket");
797  if (!my_bio_methods)
798  return NULL;
799  if (!BIO_meth_set_write(my_bio_methods, my_sock_write) ||
800  !BIO_meth_set_read(my_bio_methods, my_sock_read) ||
801  !BIO_meth_set_gets(my_bio_methods, BIO_meth_get_gets(biom)) ||
802  !BIO_meth_set_puts(my_bio_methods, BIO_meth_get_puts(biom)) ||
803  !BIO_meth_set_ctrl(my_bio_methods, BIO_meth_get_ctrl(biom)) ||
804  !BIO_meth_set_create(my_bio_methods, BIO_meth_get_create(biom)) ||
805  !BIO_meth_set_destroy(my_bio_methods, BIO_meth_get_destroy(biom)) ||
806  !BIO_meth_set_callback_ctrl(my_bio_methods, BIO_meth_get_callback_ctrl(biom)))
807  {
808  BIO_meth_free(my_bio_methods);
809  my_bio_methods = NULL;
810  return NULL;
811  }
812 #else
813  my_bio_methods = malloc(sizeof(BIO_METHOD));
814  if (!my_bio_methods)
815  return NULL;
816  memcpy(my_bio_methods, biom, sizeof(BIO_METHOD));
817  my_bio_methods->bread = my_sock_read;
818  my_bio_methods->bwrite = my_sock_write;
819 #endif
820  }
821  return my_bio_methods;
822 }
823 
824 /* This should exactly match OpenSSL's SSL_set_fd except for using my BIO */
825 static int
827 {
828  int ret = 0;
829  BIO *bio;
830  BIO_METHOD *bio_method;
831 
832  bio_method = my_BIO_s_socket();
833  if (bio_method == NULL)
834  {
835  SSLerr(SSL_F_SSL_SET_FD, ERR_R_BUF_LIB);
836  goto err;
837  }
838  bio = BIO_new(bio_method);
839 
840  if (bio == NULL)
841  {
842  SSLerr(SSL_F_SSL_SET_FD, ERR_R_BUF_LIB);
843  goto err;
844  }
845  BIO_set_data(bio, port);
846 
847  BIO_set_fd(bio, fd, BIO_NOCLOSE);
848  SSL_set_bio(port->ssl, bio, bio);
849  ret = 1;
850 err:
851  return ret;
852 }
853 
854 /*
855  * Load precomputed DH parameters.
856  *
857  * To prevent "downgrade" attacks, we perform a number of checks
858  * to verify that the DBA-generated DH parameters file contains
859  * what we expect it to contain.
860  */
861 static DH *
862 load_dh_file(char *filename, bool isServerStart)
863 {
864  FILE *fp;
865  DH *dh = NULL;
866  int codes;
867 
868  /* attempt to open file. It's not an error if it doesn't exist. */
869  if ((fp = AllocateFile(filename, "r")) == NULL)
870  {
871  ereport(isServerStart ? FATAL : LOG,
873  errmsg("could not open DH parameters file \"%s\": %m",
874  filename)));
875  return NULL;
876  }
877 
878  dh = PEM_read_DHparams(fp, NULL, NULL, NULL);
879  FreeFile(fp);
880 
881  if (dh == NULL)
882  {
883  ereport(isServerStart ? FATAL : LOG,
884  (errcode(ERRCODE_CONFIG_FILE_ERROR),
885  errmsg("could not load DH parameters file: %s",
886  SSLerrmessage(ERR_get_error()))));
887  return NULL;
888  }
889 
890  /* make sure the DH parameters are usable */
891  if (DH_check(dh, &codes) == 0)
892  {
893  ereport(isServerStart ? FATAL : LOG,
894  (errcode(ERRCODE_CONFIG_FILE_ERROR),
895  errmsg("invalid DH parameters: %s",
896  SSLerrmessage(ERR_get_error()))));
897  return NULL;
898  }
899  if (codes & DH_CHECK_P_NOT_PRIME)
900  {
901  ereport(isServerStart ? FATAL : LOG,
902  (errcode(ERRCODE_CONFIG_FILE_ERROR),
903  errmsg("invalid DH parameters: p is not prime")));
904  return NULL;
905  }
906  if ((codes & DH_NOT_SUITABLE_GENERATOR) &&
907  (codes & DH_CHECK_P_NOT_SAFE_PRIME))
908  {
909  ereport(isServerStart ? FATAL : LOG,
910  (errcode(ERRCODE_CONFIG_FILE_ERROR),
911  errmsg("invalid DH parameters: neither suitable generator or safe prime")));
912  return NULL;
913  }
914 
915  return dh;
916 }
917 
918 /*
919  * Load hardcoded DH parameters.
920  *
921  * If DH parameters cannot be loaded from a specified file, we can load
922  * the hardcoded DH parameters supplied with the backend to prevent
923  * problems.
924  */
925 static DH *
926 load_dh_buffer(const char *buffer, size_t len)
927 {
928  BIO *bio;
929  DH *dh = NULL;
930 
931  bio = BIO_new_mem_buf(unconstify(char *, buffer), len);
932  if (bio == NULL)
933  return NULL;
934  dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
935  if (dh == NULL)
936  ereport(DEBUG2,
937  (errmsg_internal("DH load buffer: %s",
938  SSLerrmessage(ERR_get_error()))));
939  BIO_free(bio);
940 
941  return dh;
942 }
943 
944 /*
945  * Passphrase collection callback using ssl_passphrase_command
946  */
947 static int
948 ssl_external_passwd_cb(char *buf, int size, int rwflag, void *userdata)
949 {
950  /* same prompt as OpenSSL uses internally */
951  const char *prompt = "Enter PEM pass phrase:";
952 
953  Assert(rwflag == 0);
954 
955  return run_ssl_passphrase_command(prompt, ssl_is_server_start, buf, size);
956 }
957 
958 /*
959  * Dummy passphrase callback
960  *
961  * If OpenSSL is told to use a passphrase-protected server key, by default
962  * it will issue a prompt on /dev/tty and try to read a key from there.
963  * That's no good during a postmaster SIGHUP cycle, not to mention SSL context
964  * reload in an EXEC_BACKEND postmaster child. So override it with this dummy
965  * function that just returns an empty passphrase, guaranteeing failure.
966  */
967 static int
968 dummy_ssl_passwd_cb(char *buf, int size, int rwflag, void *userdata)
969 {
970  /* Set flag to change the error message we'll report */
972  /* And return empty string */
973  Assert(size > 0);
974  buf[0] = '\0';
975  return 0;
976 }
977 
978 /*
979  * Certificate verification callback
980  *
981  * This callback allows us to log intermediate problems during
982  * verification, but for now we'll see if the final error message
983  * contains enough information.
984  *
985  * This callback also allows us to override the default acceptance
986  * criteria (e.g., accepting self-signed or expired certs), but
987  * for now we accept the default checks.
988  */
989 static int
990 verify_cb(int ok, X509_STORE_CTX *ctx)
991 {
992  return ok;
993 }
994 
995 /*
996  * This callback is used to copy SSL information messages
997  * into the PostgreSQL log.
998  */
999 static void
1000 info_cb(const SSL *ssl, int type, int args)
1001 {
1002  switch (type)
1003  {
1004  case SSL_CB_HANDSHAKE_START:
1005  ereport(DEBUG4,
1006  (errmsg_internal("SSL: handshake start")));
1007  break;
1008  case SSL_CB_HANDSHAKE_DONE:
1009  ereport(DEBUG4,
1010  (errmsg_internal("SSL: handshake done")));
1011  break;
1012  case SSL_CB_ACCEPT_LOOP:
1013  ereport(DEBUG4,
1014  (errmsg_internal("SSL: accept loop")));
1015  break;
1016  case SSL_CB_ACCEPT_EXIT:
1017  ereport(DEBUG4,
1018  (errmsg_internal("SSL: accept exit (%d)", args)));
1019  break;
1020  case SSL_CB_CONNECT_LOOP:
1021  ereport(DEBUG4,
1022  (errmsg_internal("SSL: connect loop")));
1023  break;
1024  case SSL_CB_CONNECT_EXIT:
1025  ereport(DEBUG4,
1026  (errmsg_internal("SSL: connect exit (%d)", args)));
1027  break;
1028  case SSL_CB_READ_ALERT:
1029  ereport(DEBUG4,
1030  (errmsg_internal("SSL: read alert (0x%04x)", args)));
1031  break;
1032  case SSL_CB_WRITE_ALERT:
1033  ereport(DEBUG4,
1034  (errmsg_internal("SSL: write alert (0x%04x)", args)));
1035  break;
1036  }
1037 }
1038 
1039 /*
1040  * Set DH parameters for generating ephemeral DH keys. The
1041  * DH parameters can take a long time to compute, so they must be
1042  * precomputed.
1043  *
1044  * Since few sites will bother to create a parameter file, we also
1045  * provide a fallback to the parameters provided by the OpenSSL
1046  * project.
1047  *
1048  * These values can be static (once loaded or computed) since the
1049  * OpenSSL library can efficiently generate random keys from the
1050  * information provided.
1051  */
1052 static bool
1053 initialize_dh(SSL_CTX *context, bool isServerStart)
1054 {
1055  DH *dh = NULL;
1056 
1057  SSL_CTX_set_options(context, SSL_OP_SINGLE_DH_USE);
1058 
1059  if (ssl_dh_params_file[0])
1060  dh = load_dh_file(ssl_dh_params_file, isServerStart);
1061  if (!dh)
1062  dh = load_dh_buffer(FILE_DH2048, sizeof(FILE_DH2048));
1063  if (!dh)
1064  {
1065  ereport(isServerStart ? FATAL : LOG,
1066  (errcode(ERRCODE_CONFIG_FILE_ERROR),
1067  errmsg("DH: could not load DH parameters")));
1068  return false;
1069  }
1070 
1071  if (SSL_CTX_set_tmp_dh(context, dh) != 1)
1072  {
1073  ereport(isServerStart ? FATAL : LOG,
1074  (errcode(ERRCODE_CONFIG_FILE_ERROR),
1075  errmsg("DH: could not set DH parameters: %s",
1076  SSLerrmessage(ERR_get_error()))));
1077  DH_free(dh);
1078  return false;
1079  }
1080 
1081  DH_free(dh);
1082  return true;
1083 }
1084 
1085 /*
1086  * Set ECDH parameters for generating ephemeral Elliptic Curve DH
1087  * keys. This is much simpler than the DH parameters, as we just
1088  * need to provide the name of the curve to OpenSSL.
1089  */
1090 static bool
1091 initialize_ecdh(SSL_CTX *context, bool isServerStart)
1092 {
1093 #ifndef OPENSSL_NO_ECDH
1094  EC_KEY *ecdh;
1095  int nid;
1096 
1097  nid = OBJ_sn2nid(SSLECDHCurve);
1098  if (!nid)
1099  {
1100  ereport(isServerStart ? FATAL : LOG,
1101  (errcode(ERRCODE_CONFIG_FILE_ERROR),
1102  errmsg("ECDH: unrecognized curve name: %s", SSLECDHCurve)));
1103  return false;
1104  }
1105 
1106  ecdh = EC_KEY_new_by_curve_name(nid);
1107  if (!ecdh)
1108  {
1109  ereport(isServerStart ? FATAL : LOG,
1110  (errcode(ERRCODE_CONFIG_FILE_ERROR),
1111  errmsg("ECDH: could not create key")));
1112  return false;
1113  }
1114 
1115  SSL_CTX_set_options(context, SSL_OP_SINGLE_ECDH_USE);
1116  SSL_CTX_set_tmp_ecdh(context, ecdh);
1117  EC_KEY_free(ecdh);
1118 #endif
1119 
1120  return true;
1121 }
1122 
1123 /*
1124  * Obtain reason string for passed SSL errcode
1125  *
1126  * ERR_get_error() is used by caller to get errcode to pass here.
1127  *
1128  * Some caution is needed here since ERR_reason_error_string will
1129  * return NULL if it doesn't recognize the error code. We don't
1130  * want to return NULL ever.
1131  */
1132 static const char *
1133 SSLerrmessage(unsigned long ecode)
1134 {
1135  const char *errreason;
1136  static char errbuf[36];
1137 
1138  if (ecode == 0)
1139  return _("no SSL error reported");
1140  errreason = ERR_reason_error_string(ecode);
1141  if (errreason != NULL)
1142  return errreason;
1143  snprintf(errbuf, sizeof(errbuf), _("SSL error code %lu"), ecode);
1144  return errbuf;
1145 }
1146 
1147 int
1149 {
1150  int bits;
1151 
1152  if (port->ssl)
1153  {
1154  SSL_get_cipher_bits(port->ssl, &bits);
1155  return bits;
1156  }
1157  else
1158  return 0;
1159 }
1160 
1161 bool
1163 {
1164  if (port->ssl)
1165  return (SSL_get_current_compression(port->ssl) != NULL);
1166  else
1167  return false;
1168 }
1169 
1170 const char *
1172 {
1173  if (port->ssl)
1174  return SSL_get_version(port->ssl);
1175  else
1176  return NULL;
1177 }
1178 
1179 const char *
1181 {
1182  if (port->ssl)
1183  return SSL_get_cipher(port->ssl);
1184  else
1185  return NULL;
1186 }
1187 
1188 void
1189 be_tls_get_peer_subject_name(Port *port, char *ptr, size_t len)
1190 {
1191  if (port->peer)
1192  strlcpy(ptr, X509_NAME_to_cstring(X509_get_subject_name(port->peer)), len);
1193  else
1194  ptr[0] = '\0';
1195 }
1196 
1197 void
1198 be_tls_get_peer_issuer_name(Port *port, char *ptr, size_t len)
1199 {
1200  if (port->peer)
1201  strlcpy(ptr, X509_NAME_to_cstring(X509_get_issuer_name(port->peer)), len);
1202  else
1203  ptr[0] = '\0';
1204 }
1205 
1206 void
1207 be_tls_get_peer_serial(Port *port, char *ptr, size_t len)
1208 {
1209  if (port->peer)
1210  {
1211  ASN1_INTEGER *serial;
1212  BIGNUM *b;
1213  char *decimal;
1214 
1215  serial = X509_get_serialNumber(port->peer);
1216  b = ASN1_INTEGER_to_BN(serial, NULL);
1217  decimal = BN_bn2dec(b);
1218 
1219  BN_free(b);
1220  strlcpy(ptr, decimal, len);
1221  OPENSSL_free(decimal);
1222  }
1223  else
1224  ptr[0] = '\0';
1225 }
1226 
1227 #ifdef HAVE_X509_GET_SIGNATURE_NID
1228 char *
1229 be_tls_get_certificate_hash(Port *port, size_t *len)
1230 {
1231  X509 *server_cert;
1232  char *cert_hash;
1233  const EVP_MD *algo_type = NULL;
1234  unsigned char hash[EVP_MAX_MD_SIZE]; /* size for SHA-512 */
1235  unsigned int hash_size;
1236  int algo_nid;
1237 
1238  *len = 0;
1239  server_cert = SSL_get_certificate(port->ssl);
1240  if (server_cert == NULL)
1241  return NULL;
1242 
1243  /*
1244  * Get the signature algorithm of the certificate to determine the hash
1245  * algorithm to use for the result.
1246  */
1247  if (!OBJ_find_sigid_algs(X509_get_signature_nid(server_cert),
1248  &algo_nid, NULL))
1249  elog(ERROR, "could not determine server certificate signature algorithm");
1250 
1251  /*
1252  * The TLS server's certificate bytes need to be hashed with SHA-256 if
1253  * its signature algorithm is MD5 or SHA-1 as per RFC 5929
1254  * (https://tools.ietf.org/html/rfc5929#section-4.1). If something else
1255  * is used, the same hash as the signature algorithm is used.
1256  */
1257  switch (algo_nid)
1258  {
1259  case NID_md5:
1260  case NID_sha1:
1261  algo_type = EVP_sha256();
1262  break;
1263  default:
1264  algo_type = EVP_get_digestbynid(algo_nid);
1265  if (algo_type == NULL)
1266  elog(ERROR, "could not find digest for NID %s",
1267  OBJ_nid2sn(algo_nid));
1268  break;
1269  }
1270 
1271  /* generate and save the certificate hash */
1272  if (!X509_digest(server_cert, algo_type, hash, &hash_size))
1273  elog(ERROR, "could not generate server certificate hash");
1274 
1275  cert_hash = palloc(hash_size);
1276  memcpy(cert_hash, hash, hash_size);
1277  *len = hash_size;
1278 
1279  return cert_hash;
1280 }
1281 #endif
1282 
1283 /*
1284  * Convert an X509 subject name to a cstring.
1285  *
1286  */
1287 static char *
1289 {
1290  BIO *membuf = BIO_new(BIO_s_mem());
1291  int i,
1292  nid,
1293  count = X509_NAME_entry_count(name);
1294  X509_NAME_ENTRY *e;
1295  ASN1_STRING *v;
1296  const char *field_name;
1297  size_t size;
1298  char nullterm;
1299  char *sp;
1300  char *dp;
1301  char *result;
1302 
1303  if (membuf == NULL)
1304  ereport(ERROR,
1305  (errcode(ERRCODE_OUT_OF_MEMORY),
1306  errmsg("failed to create BIO")));
1307 
1308  (void) BIO_set_close(membuf, BIO_CLOSE);
1309  for (i = 0; i < count; i++)
1310  {
1311  e = X509_NAME_get_entry(name, i);
1312  nid = OBJ_obj2nid(X509_NAME_ENTRY_get_object(e));
1313  if (nid == NID_undef)
1314  ereport(ERROR,
1315  (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
1316  errmsg("could not get NID for ASN1_OBJECT object")));
1317  v = X509_NAME_ENTRY_get_data(e);
1318  field_name = OBJ_nid2sn(nid);
1319  if (field_name == NULL)
1320  field_name = OBJ_nid2ln(nid);
1321  if (field_name == NULL)
1322  ereport(ERROR,
1323  (errcode(ERRCODE_INVALID_PARAMETER_VALUE),
1324  errmsg("could not convert NID %d to an ASN1_OBJECT structure", nid)));
1325  BIO_printf(membuf, "/%s=", field_name);
1326  ASN1_STRING_print_ex(membuf, v,
1327  ((ASN1_STRFLGS_RFC2253 & ~ASN1_STRFLGS_ESC_MSB)
1328  | ASN1_STRFLGS_UTF8_CONVERT));
1329  }
1330 
1331  /* ensure null termination of the BIO's content */
1332  nullterm = '\0';
1333  BIO_write(membuf, &nullterm, 1);
1334  size = BIO_get_mem_data(membuf, &sp);
1335  dp = pg_any_to_server(sp, size - 1, PG_UTF8);
1336 
1337  result = pstrdup(dp);
1338  if (dp != sp)
1339  pfree(dp);
1340  if (BIO_free(membuf) != 1)
1341  elog(ERROR, "could not free OpenSSL BIO structure");
1342 
1343  return result;
1344 }
1345 
1346 /*
1347  * Convert TLS protocol version GUC enum to OpenSSL values
1348  *
1349  * This is a straightforward one-to-one mapping, but doing it this way makes
1350  * guc.c independent of OpenSSL availability and version.
1351  *
1352  * If a version is passed that is not supported by the current OpenSSL
1353  * version, then we return -1. If a nonnegative value is returned,
1354  * subsequent code can assume it's working with a supported version.
1355  *
1356  * Note: this is rather similar to libpq's routine in fe-secure-openssl.c,
1357  * so make sure to update both routines if changing this one.
1358  */
1359 static int
1361 {
1362  switch (v)
1363  {
1364  case PG_TLS_ANY:
1365  return 0;
1366  case PG_TLS1_VERSION:
1367  return TLS1_VERSION;
1368  case PG_TLS1_1_VERSION:
1369 #ifdef TLS1_1_VERSION
1370  return TLS1_1_VERSION;
1371 #else
1372  break;
1373 #endif
1374  case PG_TLS1_2_VERSION:
1375 #ifdef TLS1_2_VERSION
1376  return TLS1_2_VERSION;
1377 #else
1378  break;
1379 #endif
1380  case PG_TLS1_3_VERSION:
1381 #ifdef TLS1_3_VERSION
1382  return TLS1_3_VERSION;
1383 #else
1384  break;
1385 #endif
1386  }
1387 
1388  return -1;
1389 }
1390 
1391 /*
1392  * Likewise provide a mapping to strings.
1393  */
1394 static const char *
1396 {
1397  switch (v)
1398  {
1399  case PG_TLS_ANY:
1400  return "any";
1401  case PG_TLS1_VERSION:
1402  return "TLSv1";
1403  case PG_TLS1_1_VERSION:
1404  return "TLSv1.1";
1405  case PG_TLS1_2_VERSION:
1406  return "TLSv1.2";
1407  case PG_TLS1_3_VERSION:
1408  return "TLSv1.3";
1409  }
1410 
1411  return "(unrecognized)";
1412 }
1413 
1414 
1415 static void
1416 default_openssl_tls_init(SSL_CTX *context, bool isServerStart)
1417 {
1418  if (isServerStart)
1419  {
1420  if (ssl_passphrase_command[0])
1421  SSL_CTX_set_default_passwd_cb(context, ssl_external_passwd_cb);
1422  }
1423  else
1424  {
1426  SSL_CTX_set_default_passwd_cb(context, ssl_external_passwd_cb);
1427  else
1428 
1429  /*
1430  * If reloading and no external command is configured, override
1431  * OpenSSL's default handling of passphrase-protected files,
1432  * because we don't want to prompt for a passphrase in an
1433  * already-running server.
1434  */
1435  SSL_CTX_set_default_passwd_cb(context, dummy_ssl_passwd_cb);
1436  }
1437 }
static int ssl_protocol_version_to_openssl(int v)
ssize_t be_tls_read(Port *port, void *ptr, size_t len, int *waitfor)
#define WL_SOCKET_WRITEABLE
Definition: latch.h:126
int errhint(const char *fmt,...)
Definition: elog.c:1149
#define BIO_set_data(bio, data)
static void error(void)
Definition: sql-dyntest.c:147
static bool dummy_ssl_passwd_cb_called
#define EAGAIN
Definition: win32_port.h:341
static BIO_METHOD * my_BIO_s_socket(void)
static DH * load_dh_file(char *filename, bool isServerStart)
char * peer_cn
Definition: libpq-be.h:191
#define BIO_get_data(bio)
char * pstrdup(const char *in)
Definition: mcxt.c:1187
bool peer_cert_valid
Definition: libpq-be.h:192
ssize_t secure_raw_write(Port *port, const void *ptr, size_t len)
Definition: be-secure.c:330
static void info_cb(const SSL *ssl, int type, int args)
const char * GetConfigOption(const char *name, bool missing_ok, bool restrict_privileged)
Definition: guc.c:7766
int errcode(int sqlerrcode)
Definition: elog.c:691
Definition: libpq-be.h:120
bool ssl_in_use
Definition: libpq-be.h:190
#define WL_SOCKET_READABLE
Definition: latch.h:125
char * ssl_cert_file
Definition: be-secure.c:41
static bool initialize_ecdh(SSL_CTX *context, bool isServerStart)
#define LOG
Definition: elog.h:26
#define DEBUG4
Definition: elog.h:22
char * ssl_crl_file
Definition: be-secure.c:44
static int fd(const char *x, int i)
Definition: preproc-init.c:105
pgsocket sock
Definition: libpq-be.h:122
int be_tls_init(bool isServerStart)
int ssl_min_protocol_version
Definition: be-secure.c:62
#define malloc(a)
Definition: header.h:50
void pfree(void *pointer)
Definition: mcxt.c:1057
static int my_SSL_set_fd(Port *port, int fd)
#define ERROR
Definition: elog.h:43
bool be_tls_get_compression(Port *port)
#define FATAL
Definition: elog.h:52
char * SSLECDHCurve
Definition: be-secure.c:57
#define DEBUG2
Definition: elog.h:24
ssize_t be_tls_write(Port *port, void *ptr, size_t len, int *waitfor)
static char * buf
Definition: pg_test_fsync.c:68
int errdetail(const char *fmt,...)
Definition: elog.c:1035
#define COMMERROR
Definition: elog.h:30
int errcode_for_file_access(void)
Definition: elog.c:714
static bool SSL_initialized
char * SSLCipherSuites
Definition: be-secure.c:54
FILE * AllocateFile(const char *name, const char *mode)
Definition: fd.c:2322
static int verify_cb(int, X509_STORE_CTX *)
int WaitLatchOrSocket(Latch *latch, int wakeEvents, pgsocket sock, long timeout, uint32 wait_event_info)
Definition: latch.c:438
static DH * load_dh_buffer(const char *, size_t)
void be_tls_destroy(void)
MemoryContext TopMemoryContext
Definition: mcxt.c:44
static char * X509_NAME_to_cstring(X509_NAME *name)
bool ssl_passphrase_command_supports_reload
Definition: be-secure.c:47
int errcode_for_socket_access(void)
Definition: elog.c:785
static int port
Definition: pg_regress.c:92
#define unconstify(underlying_type, expr)
Definition: c.h:1239
static int ssl_external_passwd_cb(char *buf, int size, int rwflag, void *userdata)
int be_tls_get_cipher_bits(Port *port)
static bool ssl_is_server_start
static bool initialize_dh(SSL_CTX *context, bool isServerStart)
char * ssl_ca_file
Definition: be-secure.c:43
#define ereport(elevel,...)
Definition: elog.h:155
int be_tls_open_server(Port *port)
ssize_t secure_raw_read(Port *port, void *ptr, size_t len)
Definition: be-secure.c:234
size_t strlcpy(char *dst, const char *src, size_t siz)
Definition: strlcpy.c:45
int errmsg_internal(const char *fmt,...)
Definition: elog.c:989
static BIO_METHOD * my_bio_methods
int SSL_CTX_set_min_proto_version(SSL_CTX *ctx, int version)
#define Assert(condition)
Definition: c.h:800
static int my_sock_read(BIO *h, char *buf, int size)
bool noblock
Definition: libpq-be.h:123
#define ECONNRESET
Definition: win32_port.h:353
char * ssl_dh_params_file
Definition: be-secure.c:45
const char * name
Definition: encode.c:561
const char * be_tls_get_version(Port *port)
void be_tls_get_peer_issuer_name(Port *port, char *ptr, size_t len)
int ssl_max_protocol_version
Definition: be-secure.c:63
int FreeFile(FILE *file)
Definition: fd.c:2521
static char * filename
Definition: pg_dumpall.c:91
e
Definition: preproc-init.c:82
void be_tls_get_peer_subject_name(Port *port, char *ptr, size_t len)
void * palloc(Size size)
Definition: mcxt.c:950
int errmsg(const char *fmt,...)
Definition: elog.c:902
static SSL_CTX * SSL_context
void * MemoryContextAlloc(MemoryContext context, Size size)
Definition: mcxt.c:797
void be_tls_get_peer_serial(Port *port, char *ptr, size_t len)
static int my_sock_write(BIO *h, const char *buf, int size)
#define elog(elevel,...)
Definition: elog.h:228
int i
static const char * SSLerrmessage(unsigned long ecode)
void be_tls_close(Port *port)
struct Latch * MyLatch
Definition: globals.c:54
const char * be_tls_get_cipher(Port *port)
#define EWOULDBLOCK
Definition: win32_port.h:349
int run_ssl_passphrase_command(const char *prompt, bool is_server_start, char *buf, int size)
char * ssl_passphrase_command
Definition: be-secure.c:46
static const char * ssl_protocol_version_to_string(int v)
#define EINTR
Definition: win32_port.h:343
int SSL_CTX_set_max_proto_version(SSL_CTX *ctx, int version)
char * pg_any_to_server(const char *s, int len, int encoding)
Definition: mbutils.c:619
static int dummy_ssl_passwd_cb(char *buf, int size, int rwflag, void *userdata)
static unsigned hash(unsigned *uv, int n)
Definition: rege_dfa.c:541
#define snprintf
Definition: port.h:215
#define _(x)
Definition: elog.c:88
openssl_tls_init_hook_typ openssl_tls_init_hook
char * ssl_key_file
Definition: be-secure.c:42
static void default_openssl_tls_init(SSL_CTX *context, bool isServerStart)
#define WL_EXIT_ON_PM_DEATH
Definition: latch.h:129
bool SSLPreferServerCiphers
Definition: be-secure.c:60
bool check_ssl_key_file_permissions(const char *ssl_key_file, bool isServerStart)