PostgreSQL Source Code git master
All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros Pages
Macros | Functions | Variables
fe-secure-openssl.c File Reference
#include "postgres_fe.h"
#include <signal.h>
#include <fcntl.h>
#include <ctype.h>
#include "libpq-fe.h"
#include "fe-auth.h"
#include "fe-secure-common.h"
#include "libpq-int.h"
#include <sys/socket.h>
#include <unistd.h>
#include <netdb.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <arpa/inet.h>
#include <sys/stat.h>
#include <pthread.h>
#include "common/openssl.h"
#include <openssl/ssl.h>
#include <openssl/conf.h>
#include <openssl/x509v3.h>
Include dependency graph for fe-secure-openssl.c:

Go to the source code of this file.

Macros

#define SSL_ERR_LEN   128
 

Functions

static int verify_cb (int ok, X509_STORE_CTX *ctx)
 
static int openssl_verify_peer_name_matches_certificate_name (PGconn *conn, ASN1_STRING *name_entry, char **store_name)
 
static int openssl_verify_peer_name_matches_certificate_ip (PGconn *conn, ASN1_OCTET_STRING *addr_entry, char **store_name)
 
static int initialize_SSL (PGconn *conn)
 
static PostgresPollingStatusType open_client_SSL (PGconn *conn)
 
static char * SSLerrmessage (unsigned long ecode)
 
static void SSLerrfree (char *buf)
 
static int PQssl_passwd_cb (char *buf, int size, int rwflag, void *userdata)
 
static int pgconn_bio_read (BIO *h, char *buf, int size)
 
static int pgconn_bio_write (BIO *h, const char *buf, int size)
 
static BIO_METHOD * pgconn_bio_method (void)
 
static int ssl_set_pgconn_bio (PGconn *conn)
 
static int ssl_protocol_version_to_openssl (const char *protocol)
 
PostgresPollingStatusType pgtls_open_client (PGconn *conn)
 
ssize_t pgtls_read (PGconn *conn, void *ptr, size_t len)
 
bool pgtls_read_pending (PGconn *conn)
 
ssize_t pgtls_write (PGconn *conn, const void *ptr, size_t len)
 
char * pgtls_get_peer_certificate_hash (PGconn *conn, size_t *len)
 
static bool is_ip_address (const char *host)
 
int pgtls_verify_peer_name_matches_certificate_guts (PGconn *conn, int *names_examined, char **first_name)
 
void pgtls_close (PGconn *conn)
 
void * PQgetssl (PGconn *conn)
 
void * PQsslStruct (PGconn *conn, const char *struct_name)
 
const char *const * PQsslAttributeNames (PGconn *conn)
 
const char * PQsslAttribute (PGconn *conn, const char *attribute_name)
 
static long pgconn_bio_ctrl (BIO *h, int cmd, long num, void *ptr)
 
int PQdefaultSSLKeyPassHook_OpenSSL (char *buf, int size, PGconn *conn)
 
PQsslKeyPassHook_OpenSSL_type PQgetSSLKeyPassHook_OpenSSL (void)
 
void PQsetSSLKeyPassHook_OpenSSL (PQsslKeyPassHook_OpenSSL_type hook)
 

Variables

static pthread_mutex_t ssl_config_mutex = PTHREAD_MUTEX_INITIALIZER
 
static PQsslKeyPassHook_OpenSSL_type PQsslKeyPassHook = NULL
 
static unsigned char alpn_protos [] = PG_ALPN_PROTOCOL_VECTOR
 
static char ssl_nomem [] = "out of memory allocating error description"
 
static BIO_METHOD * pgconn_bio_method_ptr
 

Macro Definition Documentation

◆ SSL_ERR_LEN

#define SSL_ERR_LEN   128

Definition at line 1547 of file fe-secure-openssl.c.

Function Documentation

◆ initialize_SSL()

static int initialize_SSL ( PGconn conn)
static

Definition at line 738 of file fe-secure-openssl.c.

739{
740 SSL_CTX *SSL_context;
741 struct stat buf;
742 char homedir[MAXPGPATH];
743 char fnbuf[MAXPGPATH];
744 char sebuf[PG_STRERROR_R_BUFLEN];
745 bool have_homedir;
746 bool have_cert;
747 bool have_rootcert;
748
749 /*
750 * We'll need the home directory if any of the relevant parameters are
751 * defaulted. If pqGetHomeDirectory fails, act as though none of the
752 * files could be found.
753 */
754 if (!(conn->sslcert && strlen(conn->sslcert) > 0) ||
755 !(conn->sslkey && strlen(conn->sslkey) > 0) ||
756 !(conn->sslrootcert && strlen(conn->sslrootcert) > 0) ||
757 !((conn->sslcrl && strlen(conn->sslcrl) > 0) ||
758 (conn->sslcrldir && strlen(conn->sslcrldir) > 0)))
759 have_homedir = pqGetHomeDirectory(homedir, sizeof(homedir));
760 else /* won't need it */
761 have_homedir = false;
762
763 /*
764 * Create a new SSL_CTX object.
765 *
766 * We used to share a single SSL_CTX between all connections, but it was
767 * complicated if connections used different certificates. So now we
768 * create a separate context for each connection, and accept the overhead.
769 */
770 SSL_context = SSL_CTX_new(SSLv23_method());
771 if (!SSL_context)
772 {
773 char *err = SSLerrmessage(ERR_get_error());
774
775 libpq_append_conn_error(conn, "could not create SSL context: %s", err);
776 SSLerrfree(err);
777 return -1;
778 }
779
780 /*
781 * Delegate the client cert password prompt to the libpq wrapper callback
782 * if any is defined.
783 *
784 * If the application hasn't installed its own and the sslpassword
785 * parameter is non-null, we install ours now to make sure we supply
786 * PGconn->sslpassword to OpenSSL instead of letting it prompt on stdin.
787 *
788 * This will replace OpenSSL's default PEM_def_callback (which prompts on
789 * stdin), but we're only setting it for this SSL context so it's
790 * harmless.
791 */
792 if (PQsslKeyPassHook
793 || (conn->sslpassword && strlen(conn->sslpassword) > 0))
794 {
795 SSL_CTX_set_default_passwd_cb(SSL_context, PQssl_passwd_cb);
796 SSL_CTX_set_default_passwd_cb_userdata(SSL_context, conn);
797 }
798
799#ifdef HAVE_SSL_CTX_SET_CERT_CB
800 /* Set up a certificate selection callback. */
801 SSL_CTX_set_cert_cb(SSL_context, cert_cb, conn);
802#endif
803
804 /* Disable old protocol versions */
805 SSL_CTX_set_options(SSL_context, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
806
807 /* Set the minimum and maximum protocol versions if necessary */
808 if (conn->ssl_min_protocol_version &&
809 strlen(conn->ssl_min_protocol_version) != 0)
810 {
811 int ssl_min_ver;
812
813 ssl_min_ver = ssl_protocol_version_to_openssl(conn->ssl_min_protocol_version);
814
815 if (ssl_min_ver == -1)
816 {
817 libpq_append_conn_error(conn, "invalid value \"%s\" for minimum SSL protocol version",
818 conn->ssl_min_protocol_version);
819 SSL_CTX_free(SSL_context);
820 return -1;
821 }
822
823 if (!SSL_CTX_set_min_proto_version(SSL_context, ssl_min_ver))
824 {
825 char *err = SSLerrmessage(ERR_get_error());
826
827 libpq_append_conn_error(conn, "could not set minimum SSL protocol version: %s", err);
828 SSLerrfree(err);
829 SSL_CTX_free(SSL_context);
830 return -1;
831 }
832 }
833
834 if (conn->ssl_max_protocol_version &&
835 strlen(conn->ssl_max_protocol_version) != 0)
836 {
837 int ssl_max_ver;
838
839 ssl_max_ver = ssl_protocol_version_to_openssl(conn->ssl_max_protocol_version);
840
841 if (ssl_max_ver == -1)
842 {
843 libpq_append_conn_error(conn, "invalid value \"%s\" for maximum SSL protocol version",
844 conn->ssl_max_protocol_version);
845 SSL_CTX_free(SSL_context);
846 return -1;
847 }
848
849 if (!SSL_CTX_set_max_proto_version(SSL_context, ssl_max_ver))
850 {
851 char *err = SSLerrmessage(ERR_get_error());
852
853 libpq_append_conn_error(conn, "could not set maximum SSL protocol version: %s", err);
854 SSLerrfree(err);
855 SSL_CTX_free(SSL_context);
856 return -1;
857 }
858 }
859
860 /*
861 * Disable OpenSSL's moving-write-buffer sanity check, because it causes
862 * unnecessary failures in nonblocking send cases.
863 */
864 SSL_CTX_set_mode(SSL_context, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
865
866 /*
867 * If the root cert file exists, load it so we can perform certificate
868 * verification. If sslmode is "verify-full" we will also do further
869 * verification after the connection has been completed.
870 */
871 if (conn->sslrootcert && strlen(conn->sslrootcert) > 0)
872 strlcpy(fnbuf, conn->sslrootcert, sizeof(fnbuf));
873 else if (have_homedir)
874 snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, ROOT_CERT_FILE);
875 else
876 fnbuf[0] = '\0';
877
878 if (strcmp(fnbuf, "system") == 0)
879 {
880 /*
881 * The "system" sentinel value indicates that we should load whatever
882 * root certificates are installed for use by OpenSSL; these locations
883 * differ by platform. Note that the default system locations may be
884 * further overridden by the SSL_CERT_DIR and SSL_CERT_FILE
885 * environment variables.
886 */
887 if (SSL_CTX_set_default_verify_paths(SSL_context) != 1)
888 {
889 char *err = SSLerrmessage(ERR_get_error());
890
891 libpq_append_conn_error(conn, "could not load system root certificate paths: %s",
892 err);
893 SSLerrfree(err);
894 SSL_CTX_free(SSL_context);
895 return -1;
896 }
897 have_rootcert = true;
898 }
899 else if (fnbuf[0] != '\0' &&
900 stat(fnbuf, &buf) == 0)
901 {
902 X509_STORE *cvstore;
903
904 if (SSL_CTX_load_verify_locations(SSL_context, fnbuf, NULL) != 1)
905 {
906 char *err = SSLerrmessage(ERR_get_error());
907
908 libpq_append_conn_error(conn, "could not read root certificate file \"%s\": %s",
909 fnbuf, err);
910 SSLerrfree(err);
911 SSL_CTX_free(SSL_context);
912 return -1;
913 }
914
915 if ((cvstore = SSL_CTX_get_cert_store(SSL_context)) != NULL)
916 {
917 char *fname = NULL;
918 char *dname = NULL;
919
920 if (conn->sslcrl && strlen(conn->sslcrl) > 0)
921 fname = conn->sslcrl;
922 if (conn->sslcrldir && strlen(conn->sslcrldir) > 0)
923 dname = conn->sslcrldir;
924
925 /* defaults to use the default CRL file */
926 if (!fname && !dname && have_homedir)
927 {
928 snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, ROOT_CRL_FILE);
929 fname = fnbuf;
930 }
931
932 /* Set the flags to check against the complete CRL chain */
933 if ((fname || dname) &&
934 X509_STORE_load_locations(cvstore, fname, dname) == 1)
935 {
936 X509_STORE_set_flags(cvstore,
937 X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
938 }
939
940 /* if not found, silently ignore; we do not require CRL */
941 ERR_clear_error();
942 }
943 have_rootcert = true;
944 }
945 else
946 {
947 /*
948 * stat() failed; assume root file doesn't exist. If sslmode is
949 * verify-ca or verify-full, this is an error. Otherwise, continue
950 * without performing any server cert verification.
951 */
952 if (conn->sslmode[0] == 'v') /* "verify-ca" or "verify-full" */
953 {
954 /*
955 * The only way to reach here with an empty filename is if
956 * pqGetHomeDirectory failed. That's a sufficiently unusual case
957 * that it seems worth having a specialized error message for it.
958 */
959 if (fnbuf[0] == '\0')
960 libpq_append_conn_error(conn, "could not get home directory to locate root certificate file\n"
961 "Either provide the file, use the system's trusted roots with sslrootcert=system, or change sslmode to disable server certificate verification.");
962 else
963 libpq_append_conn_error(conn, "root certificate file \"%s\" does not exist\n"
964 "Either provide the file, use the system's trusted roots with sslrootcert=system, or change sslmode to disable server certificate verification.", fnbuf);
965 SSL_CTX_free(SSL_context);
966 return -1;
967 }
968 have_rootcert = false;
969 }
970
971 /* Read the client certificate file */
972 if (conn->sslcert && strlen(conn->sslcert) > 0)
973 strlcpy(fnbuf, conn->sslcert, sizeof(fnbuf));
974 else if (have_homedir)
975 snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, USER_CERT_FILE);
976 else
977 fnbuf[0] = '\0';
978
979 if (conn->sslcertmode[0] == 'd') /* disable */
980 {
981 /* don't send a client cert even if we have one */
982 have_cert = false;
983 }
984 else if (fnbuf[0] == '\0')
985 {
986 /* no home directory, proceed without a client cert */
987 have_cert = false;
988 }
989 else if (stat(fnbuf, &buf) != 0)
990 {
991 /*
992 * If file is not present, just go on without a client cert; server
993 * might or might not accept the connection. Any other error,
994 * however, is grounds for complaint.
995 */
996 if (errno != ENOENT && errno != ENOTDIR)
997 {
998 libpq_append_conn_error(conn, "could not open certificate file \"%s\": %s",
999 fnbuf, strerror_r(errno, sebuf, sizeof(sebuf)));
1000 SSL_CTX_free(SSL_context);
1001 return -1;
1002 }
1003 have_cert = false;
1004 }
1005 else
1006 {
1007 /*
1008 * Cert file exists, so load it. Since OpenSSL doesn't provide the
1009 * equivalent of "SSL_use_certificate_chain_file", we have to load it
1010 * into the SSL context, rather than the SSL object.
1011 */
1012 if (SSL_CTX_use_certificate_chain_file(SSL_context, fnbuf) != 1)
1013 {
1014 char *err = SSLerrmessage(ERR_get_error());
1015
1016 libpq_append_conn_error(conn, "could not read certificate file \"%s\": %s",
1017 fnbuf, err);
1018 SSLerrfree(err);
1019 SSL_CTX_free(SSL_context);
1020 return -1;
1021 }
1022
1023 /* need to load the associated private key, too */
1024 have_cert = true;
1025 }
1026
1027 /*
1028 * The SSL context is now loaded with the correct root and client
1029 * certificates. Create a connection-specific SSL object. The private key
1030 * is loaded directly into the SSL object. (We could load the private key
1031 * into the context, too, but we have done it this way historically, and
1032 * it doesn't really matter.)
1033 */
1034 if (!(conn->ssl = SSL_new(SSL_context)) ||
1035 !SSL_set_app_data(conn->ssl, conn) ||
1036 !ssl_set_pgconn_bio(conn))
1037 {
1038 char *err = SSLerrmessage(ERR_get_error());
1039
1040 libpq_append_conn_error(conn, "could not establish SSL connection: %s", err);
1041 SSLerrfree(err);
1042 SSL_CTX_free(SSL_context);
1043 return -1;
1044 }
1045 conn->ssl_in_use = true;
1046
1047 if (conn->sslkeylogfile && strlen(conn->sslkeylogfile) > 0)
1048 {
1049#ifdef HAVE_SSL_CTX_SET_KEYLOG_CALLBACK
1050 SSL_CTX_set_keylog_callback(SSL_context, SSL_CTX_keylog_cb);
1051#else
1052#ifdef LIBRESSL_VERSION_NUMBER
1053 fprintf(stderr, libpq_gettext("WARNING: sslkeylogfile support requires OpenSSL\n"));
1054#else
1055 fprintf(stderr, libpq_gettext("WARNING: libpq was not built with sslkeylogfile support\n"));
1056#endif
1057#endif
1058 }
1059
1060
1061 /*
1062 * SSL contexts are reference counted by OpenSSL. We can free it as soon
1063 * as we have created the SSL object, and it will stick around for as long
1064 * as it's actually needed.
1065 */
1066 SSL_CTX_free(SSL_context);
1067 SSL_context = NULL;
1068
1069 /*
1070 * Set Server Name Indication (SNI), if enabled by connection parameters.
1071 * Per RFC 6066, do not set it if the host is a literal IP address (IPv4
1072 * or IPv6).
1073 */
1074 if (conn->sslsni && conn->sslsni[0] == '1')
1075 {
1076 const char *host = conn->connhost[conn->whichhost].host;
1077
1078 if (host && host[0] &&
1079 !(strspn(host, "0123456789.") == strlen(host) ||
1080 strchr(host, ':')))
1081 {
1082 if (SSL_set_tlsext_host_name(conn->ssl, host) != 1)
1083 {
1084 char *err = SSLerrmessage(ERR_get_error());
1085
1086 libpq_append_conn_error(conn, "could not set SSL Server Name Indication (SNI): %s", err);
1087 SSLerrfree(err);
1088 return -1;
1089 }
1090 }
1091 }
1092
1093 /* Set ALPN */
1094 {
1095 int retval;
1096
1097 retval = SSL_set_alpn_protos(conn->ssl, alpn_protos, sizeof(alpn_protos));
1098
1099 if (retval != 0)
1100 {
1101 char *err = SSLerrmessage(ERR_get_error());
1102
1103 libpq_append_conn_error(conn, "could not set SSL ALPN extension: %s", err);
1104 SSLerrfree(err);
1105 return -1;
1106 }
1107 }
1108
1109 /*
1110 * Read the SSL key. If a key is specified, treat it as an engine:key
1111 * combination if there is colon present - we don't support files with
1112 * colon in the name. The exception is if the second character is a colon,
1113 * in which case it can be a Windows filename with drive specification.
1114 */
1115 if (have_cert && conn->sslkey && strlen(conn->sslkey) > 0)
1116 {
1117#ifdef USE_SSL_ENGINE
1118 if (strchr(conn->sslkey, ':')
1119#ifdef WIN32
1120 && conn->sslkey[1] != ':'
1121#endif
1122 )
1123 {
1124 /* Colon, but not in second character, treat as engine:key */
1125 char *engine_str = strdup(conn->sslkey);
1126 char *engine_colon;
1127 EVP_PKEY *pkey;
1128
1129 if (engine_str == NULL)
1130 {
1131 libpq_append_conn_error(conn, "out of memory");
1132 return -1;
1133 }
1134
1135 /* cannot return NULL because we already checked before strdup */
1136 engine_colon = strchr(engine_str, ':');
1137
1138 *engine_colon = '\0'; /* engine_str now has engine name */
1139 engine_colon++; /* engine_colon now has key name */
1140
1141 conn->engine = ENGINE_by_id(engine_str);
1142 if (conn->engine == NULL)
1143 {
1144 char *err = SSLerrmessage(ERR_get_error());
1145
1146 libpq_append_conn_error(conn, "could not load SSL engine \"%s\": %s",
1147 engine_str, err);
1148 SSLerrfree(err);
1149 free(engine_str);
1150 return -1;
1151 }
1152
1153 if (ENGINE_init(conn->engine) == 0)
1154 {
1155 char *err = SSLerrmessage(ERR_get_error());
1156
1157 libpq_append_conn_error(conn, "could not initialize SSL engine \"%s\": %s",
1158 engine_str, err);
1159 SSLerrfree(err);
1160 ENGINE_free(conn->engine);
1161 conn->engine = NULL;
1162 free(engine_str);
1163 return -1;
1164 }
1165
1166 pkey = ENGINE_load_private_key(conn->engine, engine_colon,
1167 NULL, NULL);
1168 if (pkey == NULL)
1169 {
1170 char *err = SSLerrmessage(ERR_get_error());
1171
1172 libpq_append_conn_error(conn, "could not read private SSL key \"%s\" from engine \"%s\": %s",
1173 engine_colon, engine_str, err);
1174 SSLerrfree(err);
1175 ENGINE_finish(conn->engine);
1176 ENGINE_free(conn->engine);
1177 conn->engine = NULL;
1178 free(engine_str);
1179 return -1;
1180 }
1181 if (SSL_use_PrivateKey(conn->ssl, pkey) != 1)
1182 {
1183 char *err = SSLerrmessage(ERR_get_error());
1184
1185 libpq_append_conn_error(conn, "could not load private SSL key \"%s\" from engine \"%s\": %s",
1186 engine_colon, engine_str, err);
1187 SSLerrfree(err);
1188 ENGINE_finish(conn->engine);
1189 ENGINE_free(conn->engine);
1190 conn->engine = NULL;
1191 free(engine_str);
1192 return -1;
1193 }
1194
1195 free(engine_str);
1196
1197 fnbuf[0] = '\0'; /* indicate we're not going to load from a
1198 * file */
1199 }
1200 else
1201#endif /* USE_SSL_ENGINE */
1202 {
1203 /* PGSSLKEY is not an engine, treat it as a filename */
1204 strlcpy(fnbuf, conn->sslkey, sizeof(fnbuf));
1205 }
1206 }
1207 else if (have_homedir)
1208 {
1209 /* No PGSSLKEY specified, load default file */
1210 snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, USER_KEY_FILE);
1211 }
1212 else
1213 fnbuf[0] = '\0';
1214
1215 if (have_cert && fnbuf[0] != '\0')
1216 {
1217 /* read the client key from file */
1218
1219 if (stat(fnbuf, &buf) != 0)
1220 {
1221 if (errno == ENOENT)
1222 libpq_append_conn_error(conn, "certificate present, but not private key file \"%s\"",
1223 fnbuf);
1224 else
1225 libpq_append_conn_error(conn, "could not stat private key file \"%s\": %m",
1226 fnbuf);
1227 return -1;
1228 }
1229
1230 /* Key file must be a regular file */
1231 if (!S_ISREG(buf.st_mode))
1232 {
1233 libpq_append_conn_error(conn, "private key file \"%s\" is not a regular file",
1234 fnbuf);
1235 return -1;
1236 }
1237
1238 /*
1239 * Refuse to load world-readable key files. We accept root-owned
1240 * files with mode 0640 or less, so that we can access system-wide
1241 * certificates if we have a supplementary group membership that
1242 * allows us to read 'em. For files with non-root ownership, require
1243 * mode 0600 or less. We need not check the file's ownership exactly;
1244 * if we're able to read it despite it having such restrictive
1245 * permissions, it must have the right ownership.
1246 *
1247 * Note: be very careful about tightening these rules. Some people
1248 * expect, for example, that a client process running as root should
1249 * be able to use a non-root-owned key file.
1250 *
1251 * Note that roughly similar checks are performed in
1252 * src/backend/libpq/be-secure-common.c so any changes here may need
1253 * to be made there as well. However, this code caters for the case
1254 * of current user == root, while that code does not.
1255 *
1256 * Ideally we would do similar permissions checks on Windows, but it
1257 * is not clear how that would work since Unix-style permissions may
1258 * not be available.
1259 */
1260#if !defined(WIN32) && !defined(__CYGWIN__)
1261 if (buf.st_uid == 0 ?
1262 buf.st_mode & (S_IWGRP | S_IXGRP | S_IRWXO) :
1263 buf.st_mode & (S_IRWXG | S_IRWXO))
1264 {
1265 libpq_append_conn_error(conn,
1266 "private key file \"%s\" has group or world access; file must have permissions u=rw (0600) or less if owned by the current user, or permissions u=rw,g=r (0640) or less if owned by root",
1267 fnbuf);
1268 return -1;
1269 }
1270#endif
1271
1272 if (SSL_use_PrivateKey_file(conn->ssl, fnbuf, SSL_FILETYPE_PEM) != 1)
1273 {
1274 char *err = SSLerrmessage(ERR_get_error());
1275
1276 /*
1277 * We'll try to load the file in DER (binary ASN.1) format, and if
1278 * that fails too, report the original error. This could mask
1279 * issues where there's something wrong with a DER-format cert,
1280 * but we'd have to duplicate openssl's format detection to be
1281 * smarter than this. We can't just probe for a leading -----BEGIN
1282 * because PEM can have leading non-matching lines and blanks.
1283 * OpenSSL doesn't expose its get_name(...) and its PEM routines
1284 * don't differentiate between failure modes in enough detail to
1285 * let us tell the difference between "not PEM, try DER" and
1286 * "wrong password".
1287 */
1288 if (SSL_use_PrivateKey_file(conn->ssl, fnbuf, SSL_FILETYPE_ASN1) != 1)
1289 {
1290 libpq_append_conn_error(conn, "could not load private key file \"%s\": %s",
1291 fnbuf, err);
1292 SSLerrfree(err);
1293 return -1;
1294 }
1295
1296 SSLerrfree(err);
1297 }
1298 }
1299
1300 /* verify that the cert and key go together */
1301 if (have_cert &&
1302 SSL_check_private_key(conn->ssl) != 1)
1303 {
1304 char *err = SSLerrmessage(ERR_get_error());
1305
1306 libpq_append_conn_error(conn, "certificate does not match private key file \"%s\": %s",
1307 fnbuf, err);
1308 SSLerrfree(err);
1309 return -1;
1310 }
1311
1312 /*
1313 * If a root cert was loaded, also set our certificate verification
1314 * callback.
1315 */
1316 if (have_rootcert)
1317 SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, verify_cb);
1318
1319 /*
1320 * Set compression option if necessary.
1321 */
1322 if (conn->sslcompression && conn->sslcompression[0] == '0')
1323 SSL_set_options(conn->ssl, SSL_OP_NO_COMPRESSION);
1324 else
1325 SSL_clear_options(conn->ssl, SSL_OP_NO_COMPRESSION);
1326
1327 return 0;
1328}
SSL_context
static SSL_CTX * SSL_context
Definition: be-secure-openssl.c:83
fprintf
#define fprintf(file, fmt, msg)
Definition: cubescan.l:21
err
void err(int eval, const char *fmt,...)
Definition: err.c:43
pqGetHomeDirectory
bool pqGetHomeDirectory(char *buf, int bufsize)
Definition: fe-connect.c:8136
libpq_append_conn_error
void libpq_append_conn_error(PGconn *conn, const char *fmt,...)
Definition: fe-misc.c:1381
ssl_protocol_version_to_openssl
static int ssl_protocol_version_to_openssl(const char *protocol)
Definition: fe-secure-openssl.c:1956
SSLerrfree
static void SSLerrfree(char *buf)
Definition: fe-secure-openssl.c:1608
PQsslKeyPassHook
static PQsslKeyPassHook_OpenSSL_type PQsslKeyPassHook
Definition: fe-secure-openssl.c:88
verify_cb
static int verify_cb(int ok, X509_STORE_CTX *ctx)
Definition: fe-secure-openssl.c:430
PQssl_passwd_cb
static int PQssl_passwd_cb(char *buf, int size, int rwflag, void *userdata)
Definition: fe-secure-openssl.c:1935
SSLerrmessage
static char * SSLerrmessage(unsigned long ecode)
Definition: fe-secure-openssl.c:1550
alpn_protos
static unsigned char alpn_protos[]
Definition: fe-secure-openssl.c:686
ssl_set_pgconn_bio
static int ssl_set_pgconn_bio(PGconn *conn)
Definition: fe-secure-openssl.c:1874
free
#define free(a)
Definition: header.h:65
libpq_gettext
#define libpq_gettext(x)
Definition: libpq-int.h:938
MAXPGPATH
#define MAXPGPATH
Definition: pg_config_manual.h:100
buf
static char * buf
Definition: pg_test_fsync.c:72
PG_STRERROR_R_BUFLEN
#define PG_STRERROR_R_BUFLEN
Definition: port.h:257
snprintf
#define snprintf
Definition: port.h:239
strerror_r
#define strerror_r
Definition: port.h:256
strlcpy
size_t strlcpy(char *dst, const char *src, size_t siz)
Definition: strlcpy.c:45
conn
PGconn * conn
Definition: streamutil.c:52
pg_conn_host::host
char * host
Definition: libpq-int.h:358
pg_conn::sslrootcert
char * sslrootcert
Definition: libpq-int.h:410
pg_conn::sslcompression
char * sslcompression
Definition: libpq-int.h:405
pg_conn::sslcrldir
char * sslcrldir
Definition: libpq-int.h:412
pg_conn::sslcrl
char * sslcrl
Definition: libpq-int.h:411
pg_conn::ssl_max_protocol_version
char * ssl_max_protocol_version
Definition: libpq-int.h:423
pg_conn::sslcert
char * sslcert
Definition: libpq-int.h:407
pg_conn::sslcertmode
char * sslcertmode
Definition: libpq-int.h:409
pg_conn::sslpassword
char * sslpassword
Definition: libpq-int.h:408
pg_conn::sslmode
char * sslmode
Definition: libpq-int.h:403
pg_conn::ssl_min_protocol_version
char * ssl_min_protocol_version
Definition: libpq-int.h:422
pg_conn::sslkey
char * sslkey
Definition: libpq-int.h:406
pg_conn::sslkeylogfile
char * sslkeylogfile
Definition: libpq-int.h:429
pg_conn::whichhost
int whichhost
Definition: libpq-int.h:478
pg_conn::sslsni
char * sslsni
Definition: libpq-int.h:413
pg_conn::connhost
pg_conn_host * connhost
Definition: libpq-int.h:479
pg_conn::ssl_in_use
bool ssl_in_use
Definition: libpq-int.h:608
S_IXGRP
#define S_IXGRP
Definition: win32_port.h:297
stat
#define stat
Definition: win32_port.h:274
S_IRWXG
#define S_IRWXG
Definition: win32_port.h:300
S_IRWXO
#define S_IRWXO
Definition: win32_port.h:312
S_ISREG
#define S_ISREG(m)
Definition: win32_port.h:318
S_IWGRP
#define S_IWGRP
Definition: win32_port.h:294

References alpn_protos, buf, conn, pg_conn::connhost, err(), fprintf, free, pg_conn_host::host, libpq_append_conn_error(), libpq_gettext, MAXPGPATH, PG_STRERROR_R_BUFLEN, pqGetHomeDirectory(), PQssl_passwd_cb(), PQsslKeyPassHook, S_IRWXG, S_IRWXO, S_ISREG, S_IWGRP, S_IXGRP, snprintf, SSL_context, pg_conn::ssl_in_use, pg_conn::ssl_max_protocol_version, pg_conn::ssl_min_protocol_version, ssl_protocol_version_to_openssl(), ssl_set_pgconn_bio(), pg_conn::sslcert, pg_conn::sslcertmode, pg_conn::sslcompression, pg_conn::sslcrl, pg_conn::sslcrldir, SSLerrfree(), SSLerrmessage(), pg_conn::sslkey, pg_conn::sslkeylogfile, pg_conn::sslmode, pg_conn::sslpassword, pg_conn::sslrootcert, pg_conn::sslsni, stat, strerror_r, strlcpy(), verify_cb(), and pg_conn::whichhost.

Referenced by pgtls_open_client().

◆ is_ip_address()

static bool is_ip_address ( const char *  host)
static

Definition at line 524 of file fe-secure-openssl.c.

525{
526 struct in_addr dummy4;
527#ifdef HAVE_INET_PTON
528 struct in6_addr dummy6;
529#endif
530
531 return inet_aton(host, &dummy4)
532#ifdef HAVE_INET_PTON
533 || (inet_pton(AF_INET6, host, &dummy6) == 1)
534#endif
535 ;
536}
inet_aton
int inet_aton(const char *cp, struct in_addr *addr)
Definition: inet_aton.c:56

References inet_aton().

Referenced by pgtls_verify_peer_name_matches_certificate_guts().

◆ open_client_SSL()

static PostgresPollingStatusType open_client_SSL ( PGconn conn)
static

Definition at line 1334 of file fe-secure-openssl.c.

1335{
1336 int r;
1337
1338 SOCK_ERRNO_SET(0);
1339 ERR_clear_error();
1340 r = SSL_connect(conn->ssl);
1341 if (r <= 0)
1342 {
1343 int save_errno = SOCK_ERRNO;
1344 int err = SSL_get_error(conn->ssl, r);
1345 unsigned long ecode;
1346
1347 ecode = ERR_get_error();
1348 switch (err)
1349 {
1350 case SSL_ERROR_WANT_READ:
1351 return PGRES_POLLING_READING;
1352
1353 case SSL_ERROR_WANT_WRITE:
1354 return PGRES_POLLING_WRITING;
1355
1356 case SSL_ERROR_SYSCALL:
1357 {
1358 char sebuf[PG_STRERROR_R_BUFLEN];
1359 unsigned long vcode;
1360
1361 vcode = SSL_get_verify_result(conn->ssl);
1362
1363 /*
1364 * If we get an X509 error here for failing to load the
1365 * local issuer cert, without an error in the socket layer
1366 * it means that verification failed due to a missing
1367 * system CA pool without it being a protocol error. We
1368 * inspect the sslrootcert setting to ensure that the user
1369 * was using the system CA pool. For other errors, log
1370 * them using the normal SYSCALL logging.
1371 */
1372 if (save_errno == 0 &&
1373 vcode == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY &&
1374 strcmp(conn->sslrootcert, "system") == 0)
1375 libpq_append_conn_error(conn, "SSL error: certificate verify failed: %s",
1376 X509_verify_cert_error_string(vcode));
1377 else if (r == -1 && save_errno != 0)
1378 libpq_append_conn_error(conn, "SSL SYSCALL error: %s",
1379 SOCK_STRERROR(save_errno, sebuf, sizeof(sebuf)));
1380 else
1381 libpq_append_conn_error(conn, "SSL SYSCALL error: EOF detected");
1382 pgtls_close(conn);
1383 return PGRES_POLLING_FAILED;
1384 }
1385 case SSL_ERROR_SSL:
1386 {
1387 char *err = SSLerrmessage(ecode);
1388
1389 libpq_append_conn_error(conn, "SSL error: %s", err);
1390 SSLerrfree(err);
1391 switch (ERR_GET_REASON(ecode))
1392 {
1393 /*
1394 * UNSUPPORTED_PROTOCOL, WRONG_VERSION_NUMBER, and
1395 * TLSV1_ALERT_PROTOCOL_VERSION have been observed
1396 * when trying to communicate with an old OpenSSL
1397 * library, or when the client and server specify
1398 * disjoint protocol ranges.
1399 * NO_PROTOCOLS_AVAILABLE occurs if there's a
1400 * local misconfiguration (which can happen
1401 * despite our checks, if openssl.cnf injects a
1402 * limit we didn't account for). It's not very
1403 * clear what would make OpenSSL return the other
1404 * codes listed here, but a hint about protocol
1405 * versions seems like it's appropriate for all.
1406 */
1407 case SSL_R_NO_PROTOCOLS_AVAILABLE:
1408 case SSL_R_UNSUPPORTED_PROTOCOL:
1409 case SSL_R_BAD_PROTOCOL_VERSION_NUMBER:
1410 case SSL_R_UNKNOWN_PROTOCOL:
1411 case SSL_R_UNKNOWN_SSL_VERSION:
1412 case SSL_R_UNSUPPORTED_SSL_VERSION:
1413 case SSL_R_WRONG_SSL_VERSION:
1414 case SSL_R_WRONG_VERSION_NUMBER:
1415 case SSL_R_TLSV1_ALERT_PROTOCOL_VERSION:
1416#ifdef SSL_R_VERSION_TOO_HIGH
1417 case SSL_R_VERSION_TOO_HIGH:
1418 case SSL_R_VERSION_TOO_LOW:
1419#endif
1420 libpq_append_conn_error(conn, "This may indicate that the server does not support any SSL protocol version between %s and %s.",
1421 conn->ssl_min_protocol_version ?
1422 conn->ssl_min_protocol_version :
1423 MIN_OPENSSL_TLS_VERSION,
1424 conn->ssl_max_protocol_version ?
1425 conn->ssl_max_protocol_version :
1426 MAX_OPENSSL_TLS_VERSION);
1427 break;
1428 default:
1429 break;
1430 }
1431 pgtls_close(conn);
1432 return PGRES_POLLING_FAILED;
1433 }
1434
1435 default:
1436 libpq_append_conn_error(conn, "unrecognized SSL error code: %d", err);
1437 pgtls_close(conn);
1438 return PGRES_POLLING_FAILED;
1439 }
1440 }
1441
1442 /* ALPN is mandatory with direct SSL connections */
1443 if (conn->current_enc_method == ENC_SSL && conn->sslnegotiation[0] == 'd')
1444 {
1445 const unsigned char *selected;
1446 unsigned int len;
1447
1448 SSL_get0_alpn_selected(conn->ssl, &selected, &len);
1449
1450 if (selected == NULL)
1451 {
1452 libpq_append_conn_error(conn, "direct SSL connection was established without ALPN protocol negotiation extension");
1453 pgtls_close(conn);
1454 return PGRES_POLLING_FAILED;
1455 }
1456
1457 /*
1458 * We only support one protocol so that's what the negotiation should
1459 * always choose, but doesn't hurt to check.
1460 */
1461 if (len != strlen(PG_ALPN_PROTOCOL) ||
1462 memcmp(selected, PG_ALPN_PROTOCOL, strlen(PG_ALPN_PROTOCOL)) != 0)
1463 {
1464 libpq_append_conn_error(conn, "SSL connection was established with unexpected ALPN protocol");
1465 pgtls_close(conn);
1466 return PGRES_POLLING_FAILED;
1467 }
1468 }
1469
1470 /*
1471 * We already checked the server certificate in initialize_SSL() using
1472 * SSL_CTX_set_verify(), if root.crt exists.
1473 */
1474
1475 /* get server certificate */
1476 conn->peer = SSL_get_peer_certificate(conn->ssl);
1477 if (conn->peer == NULL)
1478 {
1479 char *err = SSLerrmessage(ERR_get_error());
1480
1481 libpq_append_conn_error(conn, "certificate could not be obtained: %s", err);
1482 SSLerrfree(err);
1483 pgtls_close(conn);
1484 return PGRES_POLLING_FAILED;
1485 }
1486
1487 if (!pq_verify_peer_name_matches_certificate(conn))
1488 {
1489 pgtls_close(conn);
1490 return PGRES_POLLING_FAILED;
1491 }
1492
1493 /* SSL handshake is complete */
1494 return PGRES_POLLING_OK;
1495}
pq_verify_peer_name_matches_certificate
bool pq_verify_peer_name_matches_certificate(PGconn *conn)
Definition: fe-secure-common.c:252
pgtls_close
void pgtls_close(PGconn *conn)
Definition: fe-secure-openssl.c:1498
PGRES_POLLING_OK
@ PGRES_POLLING_OK
Definition: libpq-fe.h:118
PGRES_POLLING_READING
@ PGRES_POLLING_READING
Definition: libpq-fe.h:116
PGRES_POLLING_WRITING
@ PGRES_POLLING_WRITING
Definition: libpq-fe.h:117
PGRES_POLLING_FAILED
@ PGRES_POLLING_FAILED
Definition: libpq-fe.h:115
SOCK_STRERROR
#define SOCK_STRERROR
Definition: libpq-int.h:960
SOCK_ERRNO
#define SOCK_ERRNO
Definition: libpq-int.h:959
ENC_SSL
#define ENC_SSL
Definition: libpq-int.h:232
SOCK_ERRNO_SET
#define SOCK_ERRNO_SET(e)
Definition: libpq-int.h:961
len
const void size_t len
Definition: pg_crc32c_sse42.c:28
PG_ALPN_PROTOCOL
#define PG_ALPN_PROTOCOL
Definition: pqcomm.h:165
pg_conn::sslnegotiation
char * sslnegotiation
Definition: libpq-int.h:404
pg_conn::current_enc_method
uint8 current_enc_method
Definition: libpq-int.h:605

References conn, pg_conn::current_enc_method, ENC_SSL, err(), len, libpq_append_conn_error(), PG_ALPN_PROTOCOL, PG_STRERROR_R_BUFLEN, PGRES_POLLING_FAILED, PGRES_POLLING_OK, PGRES_POLLING_READING, PGRES_POLLING_WRITING, pgtls_close(), pq_verify_peer_name_matches_certificate(), SOCK_ERRNO, SOCK_ERRNO_SET, SOCK_STRERROR, pg_conn::ssl_max_protocol_version, pg_conn::ssl_min_protocol_version, SSLerrfree(), SSLerrmessage(), pg_conn::sslnegotiation, and pg_conn::sslrootcert.

Referenced by pgtls_open_client().

◆ openssl_verify_peer_name_matches_certificate_ip()

static int openssl_verify_peer_name_matches_certificate_ip ( PGconn conn,
ASN1_OCTET_STRING *  addr_entry,
char **  store_name 
)
static

Definition at line 499 of file fe-secure-openssl.c.

502{
503 int len;
504 const unsigned char *addrdata;
505
506 /* Should not happen... */
507 if (addr_entry == NULL)
508 {
509 libpq_append_conn_error(conn, "SSL certificate's address entry is missing");
510 return -1;
511 }
512
513 /*
514 * GEN_IPADD is an OCTET STRING containing an IP address in network byte
515 * order.
516 */
517 addrdata = ASN1_STRING_get0_data(addr_entry);
518 len = ASN1_STRING_length(addr_entry);
519
520 return pq_verify_peer_name_matches_certificate_ip(conn, addrdata, len, store_name);
521}
pq_verify_peer_name_matches_certificate_ip
int pq_verify_peer_name_matches_certificate_ip(PGconn *conn, const unsigned char *ipdata, size_t iplen, char **store_name)
Definition: fe-secure-common.c:157

References conn, len, libpq_append_conn_error(), and pq_verify_peer_name_matches_certificate_ip().

Referenced by pgtls_verify_peer_name_matches_certificate_guts().

◆ openssl_verify_peer_name_matches_certificate_name()

static int openssl_verify_peer_name_matches_certificate_name ( PGconn conn,
ASN1_STRING *  name_entry,
char **  store_name 
)
static

Definition at line 470 of file fe-secure-openssl.c.

472{
473 int len;
474 const unsigned char *namedata;
475
476 /* Should not happen... */
477 if (name_entry == NULL)
478 {
479 libpq_append_conn_error(conn, "SSL certificate's name entry is missing");
480 return -1;
481 }
482
483 /*
484 * GEN_DNS can be only IA5String, equivalent to US ASCII.
485 */
486 namedata = ASN1_STRING_get0_data(name_entry);
487 len = ASN1_STRING_length(name_entry);
488
489 /* OK to cast from unsigned to plain char, since it's all ASCII. */
490 return pq_verify_peer_name_matches_certificate_name(conn, (const char *) namedata, len, store_name);
491}
pq_verify_peer_name_matches_certificate_name
int pq_verify_peer_name_matches_certificate_name(PGconn *conn, const char *namedata, size_t namelen, char **store_name)
Definition: fe-secure-common.c:87

References conn, len, libpq_append_conn_error(), and pq_verify_peer_name_matches_certificate_name().

Referenced by pgtls_verify_peer_name_matches_certificate_guts().

◆ pgconn_bio_ctrl()

static long pgconn_bio_ctrl ( BIO *  h,
int  cmd,
long  num,
void *  ptr 
)
static

Definition at line 1799 of file fe-secure-openssl.c.

1800{
1801 long res;
1802 PGconn *conn = (PGconn *) BIO_get_data(h);
1803
1804 switch (cmd)
1805 {
1806 case BIO_CTRL_EOF:
1807
1808 /*
1809 * This should not be needed. pgconn_bio_read already has a way to
1810 * signal EOF to OpenSSL. However, OpenSSL made an undocumented,
1811 * backwards-incompatible change and now expects EOF via BIO_ctrl.
1812 * See https://github.com/openssl/openssl/issues/8208
1813 */
1814 res = conn->last_read_was_eof;
1815 break;
1816 case BIO_CTRL_FLUSH:
1817 /* libssl expects all BIOs to support BIO_flush. */
1818 res = 1;
1819 break;
1820 default:
1821 res = 0;
1822 break;
1823 }
1824
1825 return res;
1826}
pg_conn
Definition: libpq-int.h:371
pg_conn::last_read_was_eof
bool last_read_was_eof
Definition: libpq-int.h:612

References conn, and pg_conn::last_read_was_eof.

Referenced by pgconn_bio_method().

◆ pgconn_bio_method()

static BIO_METHOD * pgconn_bio_method ( void  )
static

Definition at line 1829 of file fe-secure-openssl.c.

1830{
1831 BIO_METHOD *res;
1832
1833 if (pthread_mutex_lock(&ssl_config_mutex))
1834 return NULL;
1835
1836 res = pgconn_bio_method_ptr;
1837
1838 if (!pgconn_bio_method_ptr)
1839 {
1840 int my_bio_index;
1841
1842 my_bio_index = BIO_get_new_index();
1843 if (my_bio_index == -1)
1844 goto err;
1845 my_bio_index |= BIO_TYPE_SOURCE_SINK;
1846 res = BIO_meth_new(my_bio_index, "libpq socket");
1847 if (!res)
1848 goto err;
1849
1850 /*
1851 * As of this writing, these functions never fail. But check anyway,
1852 * like OpenSSL's own examples do.
1853 */
1854 if (!BIO_meth_set_write(res, pgconn_bio_write) ||
1855 !BIO_meth_set_read(res, pgconn_bio_read) ||
1856 !BIO_meth_set_ctrl(res, pgconn_bio_ctrl))
1857 {
1858 goto err;
1859 }
1860 }
1861
1862 pgconn_bio_method_ptr = res;
1863 pthread_mutex_unlock(&ssl_config_mutex);
1864 return res;
1865
1866err:
1867 if (res)
1868 BIO_meth_free(res);
1869 pthread_mutex_unlock(&ssl_config_mutex);
1870 return NULL;
1871}
pgconn_bio_method_ptr
static BIO_METHOD * pgconn_bio_method_ptr
Definition: fe-secure-openssl.c:1731
pgconn_bio_read
static int pgconn_bio_read(BIO *h, char *buf, int size)
Definition: fe-secure-openssl.c:1734
pgconn_bio_ctrl
static long pgconn_bio_ctrl(BIO *h, int cmd, long num, void *ptr)
Definition: fe-secure-openssl.c:1799
pgconn_bio_write
static int pgconn_bio_write(BIO *h, const char *buf, int size)
Definition: fe-secure-openssl.c:1769
ssl_config_mutex
static pthread_mutex_t ssl_config_mutex
Definition: fe-secure-openssl.c:86
pthread_mutex_unlock
int pthread_mutex_unlock(pthread_mutex_t *mp)
Definition: pthread-win32.c:60
pthread_mutex_lock
int pthread_mutex_lock(pthread_mutex_t *mp)
Definition: pthread-win32.c:42

References err(), pgconn_bio_ctrl(), pgconn_bio_method_ptr, pgconn_bio_read(), pgconn_bio_write(), pthread_mutex_lock(), pthread_mutex_unlock(), and ssl_config_mutex.

Referenced by ssl_set_pgconn_bio().

◆ pgconn_bio_read()

static int pgconn_bio_read ( BIO *  h,
char *  buf,
int  size 
)
static

Definition at line 1734 of file fe-secure-openssl.c.

1735{
1736 PGconn *conn = (PGconn *) BIO_get_data(h);
1737 int res;
1738
1739 res = pqsecure_raw_read(conn, buf, size);
1740 BIO_clear_retry_flags(h);
1741 conn->last_read_was_eof = res == 0;
1742 if (res < 0)
1743 {
1744 /* If we were interrupted, tell caller to retry */
1745 switch (SOCK_ERRNO)
1746 {
1747#ifdef EAGAIN
1748 case EAGAIN:
1749#endif
1750#if defined(EWOULDBLOCK) && (!defined(EAGAIN) || (EWOULDBLOCK != EAGAIN))
1751 case EWOULDBLOCK:
1752#endif
1753 case EINTR:
1754 BIO_set_retry_read(h);
1755 break;
1756
1757 default:
1758 break;
1759 }
1760 }
1761
1762 if (res > 0)
1763 conn->ssl_handshake_started = true;
1764
1765 return res;
1766}
pqsecure_raw_read
ssize_t pqsecure_raw_read(PGconn *conn, void *ptr, size_t len)
Definition: fe-secure.c:193
pg_conn::ssl_handshake_started
bool ssl_handshake_started
Definition: libpq-int.h:609
EINTR
#define EINTR
Definition: win32_port.h:364
EWOULDBLOCK
#define EWOULDBLOCK
Definition: win32_port.h:370
EAGAIN
#define EAGAIN
Definition: win32_port.h:362

References buf, conn, EAGAIN, EINTR, EWOULDBLOCK, pg_conn::last_read_was_eof, pqsecure_raw_read(), SOCK_ERRNO, and pg_conn::ssl_handshake_started.

Referenced by pgconn_bio_method().

◆ pgconn_bio_write()

static int pgconn_bio_write ( BIO *  h,
const char *  buf,
int  size 
)
static

Definition at line 1769 of file fe-secure-openssl.c.

1770{
1771 int res;
1772
1773 res = pqsecure_raw_write((PGconn *) BIO_get_data(h), buf, size);
1774 BIO_clear_retry_flags(h);
1775 if (res < 0)
1776 {
1777 /* If we were interrupted, tell caller to retry */
1778 switch (SOCK_ERRNO)
1779 {
1780#ifdef EAGAIN
1781 case EAGAIN:
1782#endif
1783#if defined(EWOULDBLOCK) && (!defined(EAGAIN) || (EWOULDBLOCK != EAGAIN))
1784 case EWOULDBLOCK:
1785#endif
1786 case EINTR:
1787 BIO_set_retry_write(h);
1788 break;
1789
1790 default:
1791 break;
1792 }
1793 }
1794
1795 return res;
1796}
pqsecure_raw_write
ssize_t pqsecure_raw_write(PGconn *conn, const void *ptr, size_t len)
Definition: fe-secure.c:316

References buf, EAGAIN, EINTR, EWOULDBLOCK, pqsecure_raw_write(), and SOCK_ERRNO.

Referenced by pgconn_bio_method().

◆ pgtls_close()

void pgtls_close ( PGconn conn)

Definition at line 1498 of file fe-secure-openssl.c.

1499{
1500 if (conn->ssl_in_use)
1501 {
1502 if (conn->ssl)
1503 {
1504 /*
1505 * We can't destroy everything SSL-related here due to the
1506 * possible later calls to OpenSSL routines which may need our
1507 * thread callbacks, so set a flag here and check at the end.
1508 */
1509
1510 SSL_shutdown(conn->ssl);
1511 SSL_free(conn->ssl);
1512 conn->ssl = NULL;
1513 conn->ssl_in_use = false;
1514 conn->ssl_handshake_started = false;
1515 }
1516
1517 if (conn->peer)
1518 {
1519 X509_free(conn->peer);
1520 conn->peer = NULL;
1521 }
1522
1523#ifdef USE_SSL_ENGINE
1524 if (conn->engine)
1525 {
1526 ENGINE_finish(conn->engine);
1527 ENGINE_free(conn->engine);
1528 conn->engine = NULL;
1529 }
1530#endif
1531 }
1532}

References conn, pg_conn::ssl_handshake_started, and pg_conn::ssl_in_use.

Referenced by open_client_SSL(), pgtls_open_client(), and pqsecure_close().

◆ pgtls_get_peer_certificate_hash()

char * pgtls_get_peer_certificate_hash ( PGconn conn,
size_t *  len 
)

Definition at line 340 of file fe-secure-openssl.c.

341{
342 X509 *peer_cert;
343 const EVP_MD *algo_type;
344 unsigned char hash[EVP_MAX_MD_SIZE]; /* size for SHA-512 */
345 unsigned int hash_size;
346 int algo_nid;
347 char *cert_hash;
348
349 *len = 0;
350
351 if (!conn->peer)
352 return NULL;
353
354 peer_cert = conn->peer;
355
356 /*
357 * Get the signature algorithm of the certificate to determine the hash
358 * algorithm to use for the result. Prefer X509_get_signature_info(),
359 * introduced in OpenSSL 1.1.1, which can handle RSA-PSS signatures.
360 */
361#if HAVE_X509_GET_SIGNATURE_INFO
362 if (!X509_get_signature_info(peer_cert, &algo_nid, NULL, NULL, NULL))
363#else
364 if (!OBJ_find_sigid_algs(X509_get_signature_nid(peer_cert),
365 &algo_nid, NULL))
366#endif
367 {
368 libpq_append_conn_error(conn, "could not determine server certificate signature algorithm");
369 return NULL;
370 }
371
372 /*
373 * The TLS server's certificate bytes need to be hashed with SHA-256 if
374 * its signature algorithm is MD5 or SHA-1 as per RFC 5929
375 * (https://tools.ietf.org/html/rfc5929#section-4.1). If something else
376 * is used, the same hash as the signature algorithm is used.
377 */
378 switch (algo_nid)
379 {
380 case NID_md5:
381 case NID_sha1:
382 algo_type = EVP_sha256();
383 break;
384 default:
385 algo_type = EVP_get_digestbynid(algo_nid);
386 if (algo_type == NULL)
387 {
388 libpq_append_conn_error(conn, "could not find digest for NID %s",
389 OBJ_nid2sn(algo_nid));
390 return NULL;
391 }
392 break;
393 }
394
395 if (!X509_digest(peer_cert, algo_type, hash, &hash_size))
396 {
397 libpq_append_conn_error(conn, "could not generate peer certificate hash");
398 return NULL;
399 }
400
401 /* save result */
402 cert_hash = malloc(hash_size);
403 if (cert_hash == NULL)
404 {
405 libpq_append_conn_error(conn, "out of memory");
406 return NULL;
407 }
408 memcpy(cert_hash, hash, hash_size);
409 *len = hash_size;
410
411 return cert_hash;
412}
malloc
#define malloc(a)
Definition: header.h:50
hash
static unsigned hash(unsigned *uv, int n)
Definition: rege_dfa.c:715

References conn, hash(), len, libpq_append_conn_error(), and malloc.

Referenced by build_client_final_message().

◆ pgtls_open_client()

PostgresPollingStatusType pgtls_open_client ( PGconn conn)

Definition at line 96 of file fe-secure-openssl.c.

97{
98 /* First time through? */
99 if (conn->ssl == NULL)
100 {
101 /*
102 * Create a connection-specific SSL object, and load client
103 * certificate, private key, and trusted CA certs.
104 */
105 if (initialize_SSL(conn) != 0)
106 {
107 /* initialize_SSL already put a message in conn->errorMessage */
108 pgtls_close(conn);
109 return PGRES_POLLING_FAILED;
110 }
111 }
112
113 /* Begin or continue the actual handshake */
114 return open_client_SSL(conn);
115}
initialize_SSL
static int initialize_SSL(PGconn *conn)
Definition: fe-secure-openssl.c:738
open_client_SSL
static PostgresPollingStatusType open_client_SSL(PGconn *conn)
Definition: fe-secure-openssl.c:1334

References conn, initialize_SSL(), open_client_SSL(), PGRES_POLLING_FAILED, and pgtls_close().

Referenced by pqsecure_open_client().

◆ pgtls_read()

ssize_t pgtls_read ( PGconn conn,
void *  ptr,
size_t  len 
)

Definition at line 118 of file fe-secure-openssl.c.

119{
120 ssize_t n;
121 int result_errno = 0;
122 char sebuf[PG_STRERROR_R_BUFLEN];
123 int err;
124 unsigned long ecode;
125
126rloop:
127
128 /*
129 * Prepare to call SSL_get_error() by clearing thread's OpenSSL error
130 * queue. In general, the current thread's error queue must be empty
131 * before the TLS/SSL I/O operation is attempted, or SSL_get_error() will
132 * not work reliably. Since the possibility exists that other OpenSSL
133 * clients running in the same thread but not under our control will fail
134 * to call ERR_get_error() themselves (after their own I/O operations),
135 * pro-actively clear the per-thread error queue now.
136 */
137 SOCK_ERRNO_SET(0);
138 ERR_clear_error();
139 n = SSL_read(conn->ssl, ptr, len);
140 err = SSL_get_error(conn->ssl, n);
141
142 /*
143 * Other clients of OpenSSL may fail to call ERR_get_error(), but we
144 * always do, so as to not cause problems for OpenSSL clients that don't
145 * call ERR_clear_error() defensively. Be sure that this happens by
146 * calling now. SSL_get_error() relies on the OpenSSL per-thread error
147 * queue being intact, so this is the earliest possible point
148 * ERR_get_error() may be called.
149 */
150 ecode = (err != SSL_ERROR_NONE || n < 0) ? ERR_get_error() : 0;
151 switch (err)
152 {
153 case SSL_ERROR_NONE:
154 if (n < 0)
155 {
156 /* Not supposed to happen, so we don't translate the msg */
157 appendPQExpBufferStr(&conn->errorMessage,
158 "SSL_read failed but did not provide error information\n");
159 /* assume the connection is broken */
160 result_errno = ECONNRESET;
161 }
162 break;
163 case SSL_ERROR_WANT_READ:
164 n = 0;
165 break;
166 case SSL_ERROR_WANT_WRITE:
167
168 /*
169 * Returning 0 here would cause caller to wait for read-ready,
170 * which is not correct since what SSL wants is wait for
171 * write-ready. The former could get us stuck in an infinite
172 * wait, so don't risk it; busy-loop instead.
173 */
174 goto rloop;
175 case SSL_ERROR_SYSCALL:
176 if (n < 0 && SOCK_ERRNO != 0)
177 {
178 result_errno = SOCK_ERRNO;
179 if (result_errno == EPIPE ||
180 result_errno == ECONNRESET)
181 libpq_append_conn_error(conn, "server closed the connection unexpectedly\n"
182 "\tThis probably means the server terminated abnormally\n"
183 "\tbefore or while processing the request.");
184 else
185 libpq_append_conn_error(conn, "SSL SYSCALL error: %s",
186 SOCK_STRERROR(result_errno,
187 sebuf, sizeof(sebuf)));
188 }
189 else
190 {
191 libpq_append_conn_error(conn, "SSL SYSCALL error: EOF detected");
192 /* assume the connection is broken */
193 result_errno = ECONNRESET;
194 n = -1;
195 }
196 break;
197 case SSL_ERROR_SSL:
198 {
199 char *errm = SSLerrmessage(ecode);
200
201 libpq_append_conn_error(conn, "SSL error: %s", errm);
202 SSLerrfree(errm);
203 /* assume the connection is broken */
204 result_errno = ECONNRESET;
205 n = -1;
206 break;
207 }
208 case SSL_ERROR_ZERO_RETURN:
209
210 /*
211 * Per OpenSSL documentation, this error code is only returned for
212 * a clean connection closure, so we should not report it as a
213 * server crash.
214 */
215 libpq_append_conn_error(conn, "SSL connection has been closed unexpectedly");
216 result_errno = ECONNRESET;
217 n = -1;
218 break;
219 default:
220 libpq_append_conn_error(conn, "unrecognized SSL error code: %d", err);
221 /* assume the connection is broken */
222 result_errno = ECONNRESET;
223 n = -1;
224 break;
225 }
226
227 /* ensure we return the intended errno to caller */
228 SOCK_ERRNO_SET(result_errno);
229
230 return n;
231}
appendPQExpBufferStr
void appendPQExpBufferStr(PQExpBuffer str, const char *data)
Definition: pqexpbuffer.c:367
pg_conn::errorMessage
PQExpBufferData errorMessage
Definition: libpq-int.h:671
ECONNRESET
#define ECONNRESET
Definition: win32_port.h:374

References appendPQExpBufferStr(), conn, ECONNRESET, err(), pg_conn::errorMessage, len, libpq_append_conn_error(), PG_STRERROR_R_BUFLEN, SOCK_ERRNO, SOCK_ERRNO_SET, SOCK_STRERROR, SSLerrfree(), and SSLerrmessage().

Referenced by pqsecure_read().

◆ pgtls_read_pending()

bool pgtls_read_pending ( PGconn conn)

Definition at line 234 of file fe-secure-openssl.c.

235{
236 return SSL_pending(conn->ssl) > 0;
237}

References conn.

Referenced by pqSocketCheck().

◆ pgtls_verify_peer_name_matches_certificate_guts()

int pgtls_verify_peer_name_matches_certificate_guts ( PGconn conn,
int *  names_examined,
char **  first_name 
)

Definition at line 544 of file fe-secure-openssl.c.

547{
548 STACK_OF(GENERAL_NAME) * peer_san;
549 int i;
550 int rc = 0;
551 char *host = conn->connhost[conn->whichhost].host;
552 int host_type;
553 bool check_cn = true;
554
555 Assert(host && host[0]); /* should be guaranteed by caller */
556
557 /*
558 * We try to match the NSS behavior here, which is a slight departure from
559 * the spec but seems to make more intuitive sense:
560 *
561 * If connhost contains a DNS name, and the certificate's SANs contain any
562 * dNSName entries, then we'll ignore the Subject Common Name entirely;
563 * otherwise, we fall back to checking the CN. (This behavior matches the
564 * RFC.)
565 *
566 * If connhost contains an IP address, and the SANs contain iPAddress
567 * entries, we again ignore the CN. Otherwise, we allow the CN to match,
568 * EVEN IF there is a dNSName in the SANs. (RFC 6125 prohibits this: "A
569 * client MUST NOT seek a match for a reference identifier of CN-ID if the
570 * presented identifiers include a DNS-ID, SRV-ID, URI-ID, or any
571 * application-specific identifier types supported by the client.")
572 *
573 * NOTE: Prior versions of libpq did not consider iPAddress entries at
574 * all, so this new behavior might break a certificate that has different
575 * IP addresses in the Subject CN and the SANs.
576 */
577 if (is_ip_address(host))
578 host_type = GEN_IPADD;
579 else
580 host_type = GEN_DNS;
581
582 /*
583 * First, get the Subject Alternative Names (SANs) from the certificate,
584 * and compare them against the originally given hostname.
585 */
586 peer_san = (STACK_OF(GENERAL_NAME) *)
587 X509_get_ext_d2i(conn->peer, NID_subject_alt_name, NULL, NULL);
588
589 if (peer_san)
590 {
591 int san_len = sk_GENERAL_NAME_num(peer_san);
592
593 for (i = 0; i < san_len; i++)
594 {
595 const GENERAL_NAME *name = sk_GENERAL_NAME_value(peer_san, i);
596 char *alt_name = NULL;
597
598 if (name->type == host_type)
599 {
600 /*
601 * This SAN is of the same type (IP or DNS) as our host name,
602 * so don't allow a fallback check of the CN.
603 */
604 check_cn = false;
605 }
606
607 if (name->type == GEN_DNS)
608 {
609 (*names_examined)++;
610 rc = openssl_verify_peer_name_matches_certificate_name(conn,
611 name->d.dNSName,
612 &alt_name);
613 }
614 else if (name->type == GEN_IPADD)
615 {
616 (*names_examined)++;
617 rc = openssl_verify_peer_name_matches_certificate_ip(conn,
618 name->d.iPAddress,
619 &alt_name);
620 }
621
622 if (alt_name)
623 {
624 if (!*first_name)
625 *first_name = alt_name;
626 else
627 free(alt_name);
628 }
629
630 if (rc != 0)
631 {
632 /*
633 * Either we hit an error or a match, and either way we should
634 * not fall back to the CN.
635 */
636 check_cn = false;
637 break;
638 }
639 }
640 sk_GENERAL_NAME_pop_free(peer_san, GENERAL_NAME_free);
641 }
642
643 /*
644 * If there is no subjectAltName extension of the matching type, check the
645 * Common Name.
646 *
647 * (Per RFC 2818 and RFC 6125, if the subjectAltName extension of type
648 * dNSName is present, the CN must be ignored. We break this rule if host
649 * is an IP address; see the comment above.)
650 */
651 if (check_cn)
652 {
653 X509_NAME *subject_name;
654
655 subject_name = X509_get_subject_name(conn->peer);
656 if (subject_name != NULL)
657 {
658 int cn_index;
659
660 cn_index = X509_NAME_get_index_by_NID(subject_name,
661 NID_commonName, -1);
662 if (cn_index >= 0)
663 {
664 char *common_name = NULL;
665
666 (*names_examined)++;
667 rc = openssl_verify_peer_name_matches_certificate_name(conn,
668 X509_NAME_ENTRY_get_data(X509_NAME_get_entry(subject_name, cn_index)),
669 &common_name);
670
671 if (common_name)
672 {
673 if (!*first_name)
674 *first_name = common_name;
675 else
676 free(common_name);
677 }
678 }
679 }
680 }
681
682 return rc;
683}
openssl_verify_peer_name_matches_certificate_name
static int openssl_verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, char **store_name)
Definition: fe-secure-openssl.c:470
openssl_verify_peer_name_matches_certificate_ip
static int openssl_verify_peer_name_matches_certificate_ip(PGconn *conn, ASN1_OCTET_STRING *addr_entry, char **store_name)
Definition: fe-secure-openssl.c:499
is_ip_address
static bool is_ip_address(const char *host)
Definition: fe-secure-openssl.c:524
Assert
Assert(PointerIsAligned(start, uint64))
i
int i
Definition: isn.c:77
name
const char * name
Definition: wait_event_funcs.c:28

References Assert(), conn, pg_conn::connhost, free, pg_conn_host::host, i, is_ip_address(), name, openssl_verify_peer_name_matches_certificate_ip(), openssl_verify_peer_name_matches_certificate_name(), and pg_conn::whichhost.

Referenced by pq_verify_peer_name_matches_certificate().

◆ pgtls_write()

ssize_t pgtls_write ( PGconn conn,
const void *  ptr,
size_t  len 
)

Definition at line 240 of file fe-secure-openssl.c.

241{
242 ssize_t n;
243 int result_errno = 0;
244 char sebuf[PG_STRERROR_R_BUFLEN];
245 int err;
246 unsigned long ecode;
247
248 SOCK_ERRNO_SET(0);
249 ERR_clear_error();
250 n = SSL_write(conn->ssl, ptr, len);
251 err = SSL_get_error(conn->ssl, n);
252 ecode = (err != SSL_ERROR_NONE || n < 0) ? ERR_get_error() : 0;
253 switch (err)
254 {
255 case SSL_ERROR_NONE:
256 if (n < 0)
257 {
258 /* Not supposed to happen, so we don't translate the msg */
259 appendPQExpBufferStr(&conn->errorMessage,
260 "SSL_write failed but did not provide error information\n");
261 /* assume the connection is broken */
262 result_errno = ECONNRESET;
263 }
264 break;
265 case SSL_ERROR_WANT_READ:
266
267 /*
268 * Returning 0 here causes caller to wait for write-ready, which
269 * is not really the right thing, but it's the best we can do.
270 */
271 n = 0;
272 break;
273 case SSL_ERROR_WANT_WRITE:
274 n = 0;
275 break;
276 case SSL_ERROR_SYSCALL:
277
278 /*
279 * If errno is still zero then assume it's a read EOF situation,
280 * and report EOF. (This seems possible because SSL_write can
281 * also do reads.)
282 */
283 if (n < 0 && SOCK_ERRNO != 0)
284 {
285 result_errno = SOCK_ERRNO;
286 if (result_errno == EPIPE || result_errno == ECONNRESET)
287 libpq_append_conn_error(conn, "server closed the connection unexpectedly\n"
288 "\tThis probably means the server terminated abnormally\n"
289 "\tbefore or while processing the request.");
290 else
291 libpq_append_conn_error(conn, "SSL SYSCALL error: %s",
292 SOCK_STRERROR(result_errno,
293 sebuf, sizeof(sebuf)));
294 }
295 else
296 {
297 libpq_append_conn_error(conn, "SSL SYSCALL error: EOF detected");
298 /* assume the connection is broken */
299 result_errno = ECONNRESET;
300 n = -1;
301 }
302 break;
303 case SSL_ERROR_SSL:
304 {
305 char *errm = SSLerrmessage(ecode);
306
307 libpq_append_conn_error(conn, "SSL error: %s", errm);
308 SSLerrfree(errm);
309 /* assume the connection is broken */
310 result_errno = ECONNRESET;
311 n = -1;
312 break;
313 }
314 case SSL_ERROR_ZERO_RETURN:
315
316 /*
317 * Per OpenSSL documentation, this error code is only returned for
318 * a clean connection closure, so we should not report it as a
319 * server crash.
320 */
321 libpq_append_conn_error(conn, "SSL connection has been closed unexpectedly");
322 result_errno = ECONNRESET;
323 n = -1;
324 break;
325 default:
326 libpq_append_conn_error(conn, "unrecognized SSL error code: %d", err);
327 /* assume the connection is broken */
328 result_errno = ECONNRESET;
329 n = -1;
330 break;
331 }
332
333 /* ensure we return the intended errno to caller */
334 SOCK_ERRNO_SET(result_errno);
335
336 return n;
337}

References appendPQExpBufferStr(), conn, ECONNRESET, err(), pg_conn::errorMessage, len, libpq_append_conn_error(), PG_STRERROR_R_BUFLEN, SOCK_ERRNO, SOCK_ERRNO_SET, SOCK_STRERROR, SSLerrfree(), and SSLerrmessage().

Referenced by pqsecure_write().

◆ PQdefaultSSLKeyPassHook_OpenSSL()

int PQdefaultSSLKeyPassHook_OpenSSL ( char *  buf,
int  size,
PGconn conn 
)

Definition at line 1900 of file fe-secure-openssl.c.

1901{
1902 if (conn && conn->sslpassword)
1903 {
1904 if (strlen(conn->sslpassword) + 1 > size)
1905 fprintf(stderr, libpq_gettext("WARNING: sslpassword truncated\n"));
1906 strncpy(buf, conn->sslpassword, size);
1907 buf[size - 1] = '\0';
1908 return strlen(buf);
1909 }
1910 else
1911 {
1912 buf[0] = '\0';
1913 return 0;
1914 }
1915}

References buf, conn, fprintf, libpq_gettext, and pg_conn::sslpassword.

Referenced by PQssl_passwd_cb().

◆ PQgetssl()

void * PQgetssl ( PGconn conn)

Definition at line 1622 of file fe-secure-openssl.c.

1623{
1624 if (!conn)
1625 return NULL;
1626 return conn->ssl;
1627}

References conn.

◆ PQgetSSLKeyPassHook_OpenSSL()

PQsslKeyPassHook_OpenSSL_type PQgetSSLKeyPassHook_OpenSSL ( void  )

Definition at line 1918 of file fe-secure-openssl.c.

1919{
1920 return PQsslKeyPassHook;
1921}

References PQsslKeyPassHook.

◆ PQsetSSLKeyPassHook_OpenSSL()

void PQsetSSLKeyPassHook_OpenSSL ( PQsslKeyPassHook_OpenSSL_type  hook)

Definition at line 1924 of file fe-secure-openssl.c.

1925{
1926 PQsslKeyPassHook = hook;
1927}

References PQsslKeyPassHook.

◆ PQssl_passwd_cb()

static int PQssl_passwd_cb ( char *  buf,
int  size,
int  rwflag,
void *  userdata 
)
static

Definition at line 1935 of file fe-secure-openssl.c.

1936{
1937 PGconn *conn = userdata;
1938
1939 if (PQsslKeyPassHook)
1940 return PQsslKeyPassHook(buf, size, conn);
1941 else
1942 return PQdefaultSSLKeyPassHook_OpenSSL(buf, size, conn);
1943}
PQdefaultSSLKeyPassHook_OpenSSL
int PQdefaultSSLKeyPassHook_OpenSSL(char *buf, int size, PGconn *conn)
Definition: fe-secure-openssl.c:1900

References buf, conn, PQdefaultSSLKeyPassHook_OpenSSL(), and PQsslKeyPassHook.

Referenced by initialize_SSL().

◆ PQsslAttribute()

const char * PQsslAttribute ( PGconn conn,
const char *  attribute_name 
)

Definition at line 1667 of file fe-secure-openssl.c.

1668{
1669 if (!conn)
1670 {
1671 /* PQsslAttribute(NULL, "library") reports the default SSL library */
1672 if (strcmp(attribute_name, "library") == 0)
1673 return "OpenSSL";
1674 return NULL;
1675 }
1676
1677 /* All attributes read as NULL for a non-encrypted connection */
1678 if (conn->ssl == NULL)
1679 return NULL;
1680
1681 if (strcmp(attribute_name, "library") == 0)
1682 return "OpenSSL";
1683
1684 if (strcmp(attribute_name, "key_bits") == 0)
1685 {
1686 static char sslbits_str[12];
1687 int sslbits;
1688
1689 SSL_get_cipher_bits(conn->ssl, &sslbits);
1690 snprintf(sslbits_str, sizeof(sslbits_str), "%d", sslbits);
1691 return sslbits_str;
1692 }
1693
1694 if (strcmp(attribute_name, "cipher") == 0)
1695 return SSL_get_cipher(conn->ssl);
1696
1697 if (strcmp(attribute_name, "compression") == 0)
1698 return SSL_get_current_compression(conn->ssl) ? "on" : "off";
1699
1700 if (strcmp(attribute_name, "protocol") == 0)
1701 return SSL_get_version(conn->ssl);
1702
1703 if (strcmp(attribute_name, "alpn") == 0)
1704 {
1705 const unsigned char *data;
1706 unsigned int len;
1707 static char alpn_str[256]; /* alpn doesn't support longer than 255
1708 * bytes */
1709
1710 SSL_get0_alpn_selected(conn->ssl, &data, &len);
1711 if (data == NULL || len == 0 || len > sizeof(alpn_str) - 1)
1712 return "";
1713 memcpy(alpn_str, data, len);
1714 alpn_str[len] = 0;
1715 return alpn_str;
1716 }
1717
1718 return NULL; /* unknown attribute */
1719}
data
const void * data
Definition: pg_crc32c_sse42.c:27

References conn, data, len, and snprintf.

Referenced by exec_command_conninfo(), print_ssl_library(), and printSSLInfo().

◆ PQsslAttributeNames()

const char *const * PQsslAttributeNames ( PGconn conn)

Definition at line 1640 of file fe-secure-openssl.c.

1641{
1642 static const char *const openssl_attrs[] = {
1643 "library",
1644 "key_bits",
1645 "cipher",
1646 "compression",
1647 "protocol",
1648 "alpn",
1649 NULL
1650 };
1651 static const char *const empty_attrs[] = {NULL};
1652
1653 if (!conn)
1654 {
1655 /* Return attributes of default SSL library */
1656 return openssl_attrs;
1657 }
1658
1659 /* No attrs for unencrypted connection */
1660 if (conn->ssl == NULL)
1661 return empty_attrs;
1662
1663 return openssl_attrs;
1664}

References conn.

◆ PQsslStruct()

void * PQsslStruct ( PGconn conn,
const char *  struct_name 
)

Definition at line 1630 of file fe-secure-openssl.c.

1631{
1632 if (!conn)
1633 return NULL;
1634 if (strcmp(struct_name, "OpenSSL") == 0)
1635 return conn->ssl;
1636 return NULL;
1637}

References conn.

◆ ssl_protocol_version_to_openssl()

static int ssl_protocol_version_to_openssl ( const char *  protocol)
static

Definition at line 1956 of file fe-secure-openssl.c.

1957{
1958 if (pg_strcasecmp("TLSv1", protocol) == 0)
1959 return TLS1_VERSION;
1960
1961#ifdef TLS1_1_VERSION
1962 if (pg_strcasecmp("TLSv1.1", protocol) == 0)
1963 return TLS1_1_VERSION;
1964#endif
1965
1966#ifdef TLS1_2_VERSION
1967 if (pg_strcasecmp("TLSv1.2", protocol) == 0)
1968 return TLS1_2_VERSION;
1969#endif
1970
1971#ifdef TLS1_3_VERSION
1972 if (pg_strcasecmp("TLSv1.3", protocol) == 0)
1973 return TLS1_3_VERSION;
1974#endif
1975
1976 return -1;
1977}
pg_strcasecmp
int pg_strcasecmp(const char *s1, const char *s2)
Definition: pgstrcasecmp.c:36

References pg_strcasecmp().

Referenced by initialize_SSL().

◆ ssl_set_pgconn_bio()

static int ssl_set_pgconn_bio ( PGconn conn)
static

Definition at line 1874 of file fe-secure-openssl.c.

1875{
1876 BIO *bio;
1877 BIO_METHOD *bio_method;
1878
1879 bio_method = pgconn_bio_method();
1880 if (bio_method == NULL)
1881 return 0;
1882
1883 bio = BIO_new(bio_method);
1884 if (bio == NULL)
1885 return 0;
1886
1887 BIO_set_data(bio, conn);
1888 BIO_set_init(bio, 1);
1889
1890 SSL_set_bio(conn->ssl, bio, bio);
1891 return 1;
1892}
pgconn_bio_method
static BIO_METHOD * pgconn_bio_method(void)
Definition: fe-secure-openssl.c:1829

References conn, and pgconn_bio_method().

Referenced by initialize_SSL().

◆ SSLerrfree()

static void SSLerrfree ( char *  buf)
static

Definition at line 1608 of file fe-secure-openssl.c.

1609{
1610 if (buf != ssl_nomem)
1611 free(buf);
1612}
ssl_nomem
static char ssl_nomem[]
Definition: fe-secure-openssl.c:1545

References buf, free, and ssl_nomem.

Referenced by initialize_SSL(), open_client_SSL(), pgtls_read(), and pgtls_write().

◆ SSLerrmessage()

static char * SSLerrmessage ( unsigned long  ecode)
static

Definition at line 1550 of file fe-secure-openssl.c.

1551{
1552 const char *errreason;
1553 char *errbuf;
1554
1555 errbuf = malloc(SSL_ERR_LEN);
1556 if (!errbuf)
1557 return ssl_nomem;
1558 if (ecode == 0)
1559 {
1560 snprintf(errbuf, SSL_ERR_LEN, libpq_gettext("no SSL error reported"));
1561 return errbuf;
1562 }
1563 errreason = ERR_reason_error_string(ecode);
1564 if (errreason != NULL)
1565 {
1566 strlcpy(errbuf, errreason, SSL_ERR_LEN);
1567 return errbuf;
1568 }
1569
1570 /*
1571 * Server aborted the connection with TLS "no_application_protocol" alert.
1572 * The ERR_reason_error_string() function doesn't give any error string
1573 * for that for some reason, so do it ourselves. See
1574 * https://github.com/openssl/openssl/issues/24300. This is available in
1575 * OpenSSL 1.1.0 and later, as well as in LibreSSL 3.4.3 (OpenBSD 7.0) and
1576 * later.
1577 */
1578#ifdef SSL_AD_NO_APPLICATION_PROTOCOL
1579 if (ERR_GET_LIB(ecode) == ERR_LIB_SSL &&
1580 ERR_GET_REASON(ecode) == SSL_AD_REASON_OFFSET + SSL_AD_NO_APPLICATION_PROTOCOL)
1581 {
1582 snprintf(errbuf, SSL_ERR_LEN, "no application protocol");
1583 return errbuf;
1584 }
1585#endif
1586
1587 /*
1588 * In OpenSSL 3.0.0 and later, ERR_reason_error_string does not map system
1589 * errno values anymore. (See OpenSSL source code for the explanation.)
1590 * We can cover that shortcoming with this bit of code. Older OpenSSL
1591 * versions don't have the ERR_SYSTEM_ERROR macro, but that's okay because
1592 * they don't have the shortcoming either.
1593 */
1594#ifdef ERR_SYSTEM_ERROR
1595 if (ERR_SYSTEM_ERROR(ecode))
1596 {
1597 strerror_r(ERR_GET_REASON(ecode), errbuf, SSL_ERR_LEN);
1598 return errbuf;
1599 }
1600#endif
1601
1602 /* No choice but to report the numeric ecode */
1603 snprintf(errbuf, SSL_ERR_LEN, libpq_gettext("SSL error code %lu"), ecode);
1604 return errbuf;
1605}
SSL_ERR_LEN
#define SSL_ERR_LEN
Definition: fe-secure-openssl.c:1547

References libpq_gettext, malloc, snprintf, SSL_ERR_LEN, ssl_nomem, strerror_r, and strlcpy().

Referenced by initialize_SSL(), open_client_SSL(), pgtls_read(), and pgtls_write().

◆ verify_cb()

static int verify_cb ( int  ok,
X509_STORE_CTX *  ctx 
)
static

Definition at line 430 of file fe-secure-openssl.c.

431{
432 return ok;
433}

Referenced by initialize_SSL().

Variable Documentation

◆ alpn_protos

unsigned char alpn_protos[] = PG_ALPN_PROTOCOL_VECTOR
static

Definition at line 686 of file fe-secure-openssl.c.

Referenced by initialize_SSL().

◆ pgconn_bio_method_ptr

BIO_METHOD* pgconn_bio_method_ptr
static

Definition at line 1731 of file fe-secure-openssl.c.

Referenced by pgconn_bio_method().

◆ PQsslKeyPassHook

PQsslKeyPassHook_OpenSSL_type PQsslKeyPassHook = NULL
static

Definition at line 88 of file fe-secure-openssl.c.

Referenced by initialize_SSL(), PQgetSSLKeyPassHook_OpenSSL(), PQsetSSLKeyPassHook_OpenSSL(), and PQssl_passwd_cb().

◆ ssl_config_mutex

pthread_mutex_t ssl_config_mutex = PTHREAD_MUTEX_INITIALIZER
static

Definition at line 86 of file fe-secure-openssl.c.

Referenced by pgconn_bio_method().

◆ ssl_nomem

char ssl_nomem[] = "out of memory allocating error description"
static

Definition at line 1545 of file fe-secure-openssl.c.

Referenced by SSLerrfree(), and SSLerrmessage().