fe-secure-common.h File Reference

#include "libpq-fe.h"

Include dependency graph for fe-secure-common.h:

This graph shows which files directly or indirectly include this file:

Go to the source code of this file.

Functions
int	pq_verify_peer_name_matches_certificate_name (PGconn *conn, const char *namedata, size_t namelen, char **store_name)
bool	pq_verify_peer_name_matches_certificate (PGconn *conn)

Function Documentation

pq_verify_peer_name_matches_certificate()

bool pq_verify_peer_name_matches_certificate

(

PGconn *

conn

)

Definition at line 153 of file fe-secure-common.c.

References pg_conn::connhost, pg_conn::errorMessage, free, pg_conn_host::host, libpq_gettext, libpq_ngettext, pgtls_verify_peer_name_matches_certificate_guts(), printfPQExpBuffer(), pg_conn::sslmode, and pg_conn::whichhost.

Referenced by open_client_SSL().

{
    char       *host = conn->connhost[conn->whichhost].host;
    int         rc;
    int         names_examined = 0;
    char       *first_name = NULL;

    /*
     * If told not to verify the peer name, don't do it. Return true
     * indicating that the verification was successful.
     */
    if (strcmp(conn->sslmode, "verify-full") != 0)
        return true;

    /* Check that we have a hostname to compare with. */
    if (!(host && host[0] != '\0'))
    {
        printfPQExpBuffer(&conn->errorMessage,
                          libpq_gettext("host name must be specified for a verified SSL connection\n"));
        return false;
    }

    rc = pgtls_verify_peer_name_matches_certificate_guts(conn, &names_examined, &first_name);

    if (rc == 0)
    {
        /*
         * No match. Include the name from the server certificate in the error
         * message, to aid debugging broken configurations. If there are
         * multiple names, only print the first one to avoid an overly long
         * error message.
         */
        if (names_examined > 1)
        {
            printfPQExpBuffer(&conn->errorMessage,
                              libpq_ngettext("server certificate for \"%s\" (and %d other name) does not match host name \"%s\"\n",
                                             "server certificate for \"%s\" (and %d other names) does not match host name \"%s\"\n",
                                             names_examined - 1),
                              first_name, names_examined - 1, host);
        }
        else if (names_examined == 1)
        {
            printfPQExpBuffer(&conn->errorMessage,
                              libpq_gettext("server certificate for \"%s\" does not match host name \"%s\"\n"),
                              first_name, host);
        }
        else
        {
            printfPQExpBuffer(&conn->errorMessage,
                              libpq_gettext("could not get server's host name from server certificate\n"));
        }
    }

    /* clean up */
    if (first_name)
        free(first_name);

    return (rc == 1);
}

pq_verify_peer_name_matches_certificate_name()

int pq_verify_peer_name_matches_certificate_name	(	PGconn *	conn,
		const char *	namedata,
		size_t	namelen,
		char **	store_name
	)

Definition at line 85 of file fe-secure-common.c.

References pg_conn::connhost, pg_conn::errorMessage, free, pg_conn_host::host, libpq_gettext, malloc, name, pg_strcasecmp(), printfPQExpBuffer(), pg_conn::whichhost, and wildcard_certificate_match().

Referenced by openssl_verify_peer_name_matches_certificate_name().

{
    char       *name;
    int         result;
    char       *host = conn->connhost[conn->whichhost].host;

    *store_name = NULL;

    if (!(host && host[0] != '\0'))
    {
        printfPQExpBuffer(&conn->errorMessage,
                          libpq_gettext("host name must be specified\n"));
        return -1;
    }

    /*
     * There is no guarantee the string returned from the certificate is
     * NULL-terminated, so make a copy that is.
     */
    name = malloc(namelen + 1);
    if (name == NULL)
    {
        printfPQExpBuffer(&conn->errorMessage,
                          libpq_gettext("out of memory\n"));
        return -1;
    }
    memcpy(name, namedata, namelen);
    name[namelen] = '\0';

    /*
     * Reject embedded NULLs in certificate common or alternative name to
     * prevent attacks like CVE-2009-4034.
     */
    if (namelen != strlen(name))
    {
        free(name);
        printfPQExpBuffer(&conn->errorMessage,
                          libpq_gettext("SSL certificate's name contains embedded null\n"));
        return -1;
    }

    if (pg_strcasecmp(name, host) == 0)
    {
        /* Exact name match */
        result = 1;
    }
    else if (wildcard_certificate_match(name, host))
    {
        /* Matched wildcard name */
        result = 1;
    }
    else
    {
        result = 0;
    }

    *store_name = name;
    return result;
}