#include "libpq-fe.h"

Include dependency graph for fe-secure-common.h:

This graph shows which files directly or indirectly include this file:

Functions
int	pq_verify_peer_name_matches_certificate_name (PGconn conn, const char namedata, size_t namelen, char **store_name)

int	pq_verify_peer_name_matches_certificate_ip (PGconn conn, const unsigned char ipdata, size_t iplen, char **store_name)

bool	pq_verify_peer_name_matches_certificate (PGconn *conn)

Function Documentation

◆ pq_verify_peer_name_matches_certificate()

bool pq_verify_peer_name_matches_certificate ( PGconn * conn )

Definition at line 252 of file fe-secure-common.c.

 {
     char       *host = conn->connhost[conn->whichhost].host;
     int         rc;
     int         names_examined = 0;
     char       *first_name = NULL;
  
     /*
      * If told not to verify the peer name, don't do it. Return true
      * indicating that the verification was successful.
      */
     if (strcmp(conn->sslmode, "verify-full") != 0)
         return true;
  
     /* Check that we have a hostname to compare with. */
     if (!(host && host[0] != '\0'))
     {
         libpq_append_conn_error(conn, "host name must be specified for a verified SSL connection");
         return false;
     }
  
     rc = pgtls_verify_peer_name_matches_certificate_guts(conn, &names_examined, &first_name);
  
     if (rc == 0)
     {
         /*
          * No match. Include the name from the server certificate in the error
          * message, to aid debugging broken configurations. If there are
          * multiple names, only print the first one to avoid an overly long
          * error message.
          */
         if (names_examined > 1)
         {
             appendPQExpBuffer(&conn->errorMessage,
                               libpq_ngettext("server certificate for \"%s\" (and %d other name) does not match host name \"%s\"",
                                              "server certificate for \"%s\" (and %d other names) does not match host name \"%s\"",
                                              names_examined - 1),
                               first_name, names_examined - 1, host);
             appendPQExpBufferChar(&conn->errorMessage, '\n');
         }
         else if (names_examined == 1)
         {
             libpq_append_conn_error(conn, "server certificate for \"%s\" does not match host name \"%s\"",
                                     first_name, host);
         }
         else
         {
             libpq_append_conn_error(conn, "could not get server's host name from server certificate");
         }
     }
  
     /* clean up */
     free(first_name);
  
     return (rc == 1);
 }

References appendPQExpBuffer(), appendPQExpBufferChar(), conn, pg_conn::connhost, pg_conn::errorMessage, free, pg_conn_host::host, libpq_append_conn_error(), libpq_ngettext, pgtls_verify_peer_name_matches_certificate_guts(), pg_conn::sslmode, and pg_conn::whichhost.

Referenced by open_client_SSL().

◆ pq_verify_peer_name_matches_certificate_ip()

int pq_verify_peer_name_matches_certificate_ip	(	PGconn *	conn,
		const unsigned char *	ipdata,
		size_t	iplen,
		char **	store_name
	)

Definition at line 157 of file fe-secure-common.c.

 {
     char       *addrstr;
     int         match = 0;
     char       *host = conn->connhost[conn->whichhost].host;
     int         family;
     char        tmp[sizeof "ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255"];
     char        sebuf[PG_STRERROR_R_BUFLEN];
  
     *store_name = NULL;
  
     if (!(host && host[0] != '\0'))
     {
         libpq_append_conn_error(conn, "host name must be specified");
         return -1;
     }
  
     /*
      * The data from the certificate is in network byte order. Convert our
      * host string to network-ordered bytes as well, for comparison. (The host
      * string isn't guaranteed to actually be an IP address, so if this
      * conversion fails we need to consider it a mismatch rather than an
      * error.)
      */
     if (iplen == 4)
     {
         /* IPv4 */
         struct in_addr addr;
  
         family = AF_INET;
  
         /*
          * The use of inet_aton() is deliberate; we accept alternative IPv4
          * address notations that are accepted by inet_aton() but not
          * inet_pton() as server addresses.
          */
         if (inet_aton(host, &addr))
         {
             if (memcmp(ipdata, &addr.s_addr, iplen) == 0)
                 match = 1;
         }
     }
  
     /*
      * If they don't have inet_pton(), skip this.  Then, an IPv6 address in a
      * certificate will cause an error.
      */
 #ifdef HAVE_INET_PTON
     else if (iplen == 16)
     {
         /* IPv6 */
         struct in6_addr addr;
  
         family = AF_INET6;
  
         if (inet_pton(AF_INET6, host, &addr) == 1)
         {
             if (memcmp(ipdata, &addr.s6_addr, iplen) == 0)
                 match = 1;
         }
     }
 #endif
     else
     {
         /*
          * Not IPv4 or IPv6. We could ignore the field, but leniency seems
          * wrong given the subject matter.
          */
         libpq_append_conn_error(conn, "certificate contains IP address with invalid length %zu",
                                 iplen);
         return -1;
     }
  
     /* Generate a human-readable representation of the certificate's IP. */
     addrstr = pg_inet_net_ntop(family, ipdata, 8 * iplen, tmp, sizeof(tmp));
     if (!addrstr)
     {
         libpq_append_conn_error(conn, "could not convert certificate's IP address to string: %s",
                                 strerror_r(errno, sebuf, sizeof(sebuf)));
         return -1;
     }
  
     *store_name = strdup(addrstr);
     return match;
 }

References conn, pg_conn::connhost, pg_conn_host::host, inet_aton(), libpq_append_conn_error(), pg_inet_net_ntop(), PG_STRERROR_R_BUFLEN, strerror_r, and pg_conn::whichhost.

Referenced by openssl_verify_peer_name_matches_certificate_ip().

◆ pq_verify_peer_name_matches_certificate_name()

int pq_verify_peer_name_matches_certificate_name	(	PGconn *	conn,
		const char *	namedata,
		size_t	namelen,
		char **	store_name
	)

Definition at line 87 of file fe-secure-common.c.

 {
     char       *name;
     int         result;
     char       *host = conn->connhost[conn->whichhost].host;
  
     *store_name = NULL;
  
     if (!(host && host[0] != '\0'))
     {
         libpq_append_conn_error(conn, "host name must be specified");
         return -1;
     }
  
     /*
      * There is no guarantee the string returned from the certificate is
      * NULL-terminated, so make a copy that is.
      */
     name = malloc(namelen + 1);
     if (name == NULL)
     {
         libpq_append_conn_error(conn, "out of memory");
         return -1;
     }
     memcpy(name, namedata, namelen);
     name[namelen] = '\0';
  
     /*
      * Reject embedded NULLs in certificate common or alternative name to
      * prevent attacks like CVE-2009-4034.
      */
     if (namelen != strlen(name))
     {
         free(name);
         libpq_append_conn_error(conn, "SSL certificate's name contains embedded null");
         return -1;
     }
  
     if (pg_strcasecmp(name, host) == 0)
     {
         /* Exact name match */
         result = 1;
     }
     else if (wildcard_certificate_match(name, host))
     {
         /* Matched wildcard name */
         result = 1;
     }
     else
     {
         result = 0;
     }
  
     *store_name = name;
     return result;
 }

References conn, pg_conn::connhost, free, pg_conn_host::host, libpq_append_conn_error(), malloc, name, pg_strcasecmp(), pg_conn::whichhost, and wildcard_certificate_match().

Referenced by openssl_verify_peer_name_matches_certificate_name().

Functions

Function Documentation

◆ pq_verify_peer_name_matches_certificate()

◆ pq_verify_peer_name_matches_certificate_ip()

◆ pq_verify_peer_name_matches_certificate_name()