PostgreSQL Source Code  git master
All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros Pages
fe-secure-openssl.c File Reference
#include "postgres_fe.h"
#include <signal.h>
#include <fcntl.h>
#include <ctype.h>
#include "libpq-fe.h"
#include "fe-auth.h"
#include "fe-secure-common.h"
#include "libpq-int.h"
#include <sys/socket.h>
#include <unistd.h>
#include <netdb.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <arpa/inet.h>
#include <sys/stat.h>
#include <pthread.h>
#include "common/openssl.h"
#include <openssl/conf.h>
#include <openssl/x509v3.h>
Include dependency graph for fe-secure-openssl.c:

Go to the source code of this file.

Macros

#define SSL_ERR_LEN   128
 

Functions

static int verify_cb (int ok, X509_STORE_CTX *ctx)
 
static int openssl_verify_peer_name_matches_certificate_name (PGconn *conn, ASN1_STRING *name_entry, char **store_name)
 
static int openssl_verify_peer_name_matches_certificate_ip (PGconn *conn, ASN1_OCTET_STRING *addr_entry, char **store_name)
 
static int initialize_SSL (PGconn *conn)
 
static PostgresPollingStatusType open_client_SSL (PGconn *conn)
 
static char * SSLerrmessage (unsigned long ecode)
 
static void SSLerrfree (char *buf)
 
static int PQssl_passwd_cb (char *buf, int size, int rwflag, void *userdata)
 
static int pgconn_bio_read (BIO *h, char *buf, int size)
 
static int pgconn_bio_write (BIO *h, const char *buf, int size)
 
static BIO_METHOD * pgconn_bio_method (void)
 
static int ssl_set_pgconn_bio (PGconn *conn)
 
static int ssl_protocol_version_to_openssl (const char *protocol)
 
PostgresPollingStatusType pgtls_open_client (PGconn *conn)
 
ssize_t pgtls_read (PGconn *conn, void *ptr, size_t len)
 
bool pgtls_read_pending (PGconn *conn)
 
ssize_t pgtls_write (PGconn *conn, const void *ptr, size_t len)
 
char * pgtls_get_peer_certificate_hash (PGconn *conn, size_t *len)
 
static bool is_ip_address (const char *host)
 
int pgtls_verify_peer_name_matches_certificate_guts (PGconn *conn, int *names_examined, char **first_name)
 
void pgtls_close (PGconn *conn)
 
void * PQgetssl (PGconn *conn)
 
void * PQsslStruct (PGconn *conn, const char *struct_name)
 
const char *const * PQsslAttributeNames (PGconn *conn)
 
const char * PQsslAttribute (PGconn *conn, const char *attribute_name)
 
static long pgconn_bio_ctrl (BIO *h, int cmd, long num, void *ptr)
 
int PQdefaultSSLKeyPassHook_OpenSSL (char *buf, int size, PGconn *conn)
 
PQsslKeyPassHook_OpenSSL_type PQgetSSLKeyPassHook_OpenSSL (void)
 
void PQsetSSLKeyPassHook_OpenSSL (PQsslKeyPassHook_OpenSSL_type hook)
 

Variables

static pthread_mutex_t ssl_config_mutex = PTHREAD_MUTEX_INITIALIZER
 
static PQsslKeyPassHook_OpenSSL_type PQsslKeyPassHook = NULL
 
static unsigned char alpn_protos [] = PG_ALPN_PROTOCOL_VECTOR
 
static char ssl_nomem [] = "out of memory allocating error description"
 
static BIO_METHOD * pgconn_bio_method_ptr
 

Macro Definition Documentation

◆ SSL_ERR_LEN

#define SSL_ERR_LEN   128

Definition at line 1489 of file fe-secure-openssl.c.

Function Documentation

◆ initialize_SSL()

static int initialize_SSL ( PGconn conn)
static

Definition at line 694 of file fe-secure-openssl.c.

695 {
696  SSL_CTX *SSL_context;
697  struct stat buf;
698  char homedir[MAXPGPATH];
699  char fnbuf[MAXPGPATH];
700  char sebuf[PG_STRERROR_R_BUFLEN];
701  bool have_homedir;
702  bool have_cert;
703  bool have_rootcert;
704 
705  /*
706  * We'll need the home directory if any of the relevant parameters are
707  * defaulted. If pqGetHomeDirectory fails, act as though none of the
708  * files could be found.
709  */
710  if (!(conn->sslcert && strlen(conn->sslcert) > 0) ||
711  !(conn->sslkey && strlen(conn->sslkey) > 0) ||
712  !(conn->sslrootcert && strlen(conn->sslrootcert) > 0) ||
713  !((conn->sslcrl && strlen(conn->sslcrl) > 0) ||
714  (conn->sslcrldir && strlen(conn->sslcrldir) > 0)))
715  have_homedir = pqGetHomeDirectory(homedir, sizeof(homedir));
716  else /* won't need it */
717  have_homedir = false;
718 
719  /*
720  * Create a new SSL_CTX object.
721  *
722  * We used to share a single SSL_CTX between all connections, but it was
723  * complicated if connections used different certificates. So now we
724  * create a separate context for each connection, and accept the overhead.
725  */
726  SSL_context = SSL_CTX_new(SSLv23_method());
727  if (!SSL_context)
728  {
729  char *err = SSLerrmessage(ERR_get_error());
730 
731  libpq_append_conn_error(conn, "could not create SSL context: %s", err);
732  SSLerrfree(err);
733  return -1;
734  }
735 
736  /*
737  * Delegate the client cert password prompt to the libpq wrapper callback
738  * if any is defined.
739  *
740  * If the application hasn't installed its own and the sslpassword
741  * parameter is non-null, we install ours now to make sure we supply
742  * PGconn->sslpassword to OpenSSL instead of letting it prompt on stdin.
743  *
744  * This will replace OpenSSL's default PEM_def_callback (which prompts on
745  * stdin), but we're only setting it for this SSL context so it's
746  * harmless.
747  */
748  if (PQsslKeyPassHook
749  || (conn->sslpassword && strlen(conn->sslpassword) > 0))
750  {
751  SSL_CTX_set_default_passwd_cb(SSL_context, PQssl_passwd_cb);
752  SSL_CTX_set_default_passwd_cb_userdata(SSL_context, conn);
753  }
754 
755 #ifdef HAVE_SSL_CTX_SET_CERT_CB
756  /* Set up a certificate selection callback. */
757  SSL_CTX_set_cert_cb(SSL_context, cert_cb, conn);
758 #endif
759 
760  /* Disable old protocol versions */
761  SSL_CTX_set_options(SSL_context, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
762 
763  /* Set the minimum and maximum protocol versions if necessary */
765  strlen(conn->ssl_min_protocol_version) != 0)
766  {
767  int ssl_min_ver;
768 
770 
771  if (ssl_min_ver == -1)
772  {
773  libpq_append_conn_error(conn, "invalid value \"%s\" for minimum SSL protocol version",
775  SSL_CTX_free(SSL_context);
776  return -1;
777  }
778 
779  if (!SSL_CTX_set_min_proto_version(SSL_context, ssl_min_ver))
780  {
781  char *err = SSLerrmessage(ERR_get_error());
782 
783  libpq_append_conn_error(conn, "could not set minimum SSL protocol version: %s", err);
784  SSLerrfree(err);
785  SSL_CTX_free(SSL_context);
786  return -1;
787  }
788  }
789 
791  strlen(conn->ssl_max_protocol_version) != 0)
792  {
793  int ssl_max_ver;
794 
796 
797  if (ssl_max_ver == -1)
798  {
799  libpq_append_conn_error(conn, "invalid value \"%s\" for maximum SSL protocol version",
801  SSL_CTX_free(SSL_context);
802  return -1;
803  }
804 
805  if (!SSL_CTX_set_max_proto_version(SSL_context, ssl_max_ver))
806  {
807  char *err = SSLerrmessage(ERR_get_error());
808 
809  libpq_append_conn_error(conn, "could not set maximum SSL protocol version: %s", err);
810  SSLerrfree(err);
811  SSL_CTX_free(SSL_context);
812  return -1;
813  }
814  }
815 
816  /*
817  * Disable OpenSSL's moving-write-buffer sanity check, because it causes
818  * unnecessary failures in nonblocking send cases.
819  */
820  SSL_CTX_set_mode(SSL_context, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
821 
822  /*
823  * If the root cert file exists, load it so we can perform certificate
824  * verification. If sslmode is "verify-full" we will also do further
825  * verification after the connection has been completed.
826  */
827  if (conn->sslrootcert && strlen(conn->sslrootcert) > 0)
828  strlcpy(fnbuf, conn->sslrootcert, sizeof(fnbuf));
829  else if (have_homedir)
830  snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, ROOT_CERT_FILE);
831  else
832  fnbuf[0] = '\0';
833 
834  if (strcmp(fnbuf, "system") == 0)
835  {
836  /*
837  * The "system" sentinel value indicates that we should load whatever
838  * root certificates are installed for use by OpenSSL; these locations
839  * differ by platform. Note that the default system locations may be
840  * further overridden by the SSL_CERT_DIR and SSL_CERT_FILE
841  * environment variables.
842  */
843  if (SSL_CTX_set_default_verify_paths(SSL_context) != 1)
844  {
845  char *err = SSLerrmessage(ERR_get_error());
846 
847  libpq_append_conn_error(conn, "could not load system root certificate paths: %s",
848  err);
849  SSLerrfree(err);
850  SSL_CTX_free(SSL_context);
851  return -1;
852  }
853  have_rootcert = true;
854  }
855  else if (fnbuf[0] != '\0' &&
856  stat(fnbuf, &buf) == 0)
857  {
858  X509_STORE *cvstore;
859 
860  if (SSL_CTX_load_verify_locations(SSL_context, fnbuf, NULL) != 1)
861  {
862  char *err = SSLerrmessage(ERR_get_error());
863 
864  libpq_append_conn_error(conn, "could not read root certificate file \"%s\": %s",
865  fnbuf, err);
866  SSLerrfree(err);
867  SSL_CTX_free(SSL_context);
868  return -1;
869  }
870 
871  if ((cvstore = SSL_CTX_get_cert_store(SSL_context)) != NULL)
872  {
873  char *fname = NULL;
874  char *dname = NULL;
875 
876  if (conn->sslcrl && strlen(conn->sslcrl) > 0)
877  fname = conn->sslcrl;
878  if (conn->sslcrldir && strlen(conn->sslcrldir) > 0)
879  dname = conn->sslcrldir;
880 
881  /* defaults to use the default CRL file */
882  if (!fname && !dname && have_homedir)
883  {
884  snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, ROOT_CRL_FILE);
885  fname = fnbuf;
886  }
887 
888  /* Set the flags to check against the complete CRL chain */
889  if ((fname || dname) &&
890  X509_STORE_load_locations(cvstore, fname, dname) == 1)
891  {
892  X509_STORE_set_flags(cvstore,
893  X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
894  }
895 
896  /* if not found, silently ignore; we do not require CRL */
897  ERR_clear_error();
898  }
899  have_rootcert = true;
900  }
901  else
902  {
903  /*
904  * stat() failed; assume root file doesn't exist. If sslmode is
905  * verify-ca or verify-full, this is an error. Otherwise, continue
906  * without performing any server cert verification.
907  */
908  if (conn->sslmode[0] == 'v') /* "verify-ca" or "verify-full" */
909  {
910  /*
911  * The only way to reach here with an empty filename is if
912  * pqGetHomeDirectory failed. That's a sufficiently unusual case
913  * that it seems worth having a specialized error message for it.
914  */
915  if (fnbuf[0] == '\0')
916  libpq_append_conn_error(conn, "could not get home directory to locate root certificate file\n"
917  "Either provide the file, use the system's trusted roots with sslrootcert=system, or change sslmode to disable server certificate verification.");
918  else
919  libpq_append_conn_error(conn, "root certificate file \"%s\" does not exist\n"
920  "Either provide the file, use the system's trusted roots with sslrootcert=system, or change sslmode to disable server certificate verification.", fnbuf);
921  SSL_CTX_free(SSL_context);
922  return -1;
923  }
924  have_rootcert = false;
925  }
926 
927  /* Read the client certificate file */
928  if (conn->sslcert && strlen(conn->sslcert) > 0)
929  strlcpy(fnbuf, conn->sslcert, sizeof(fnbuf));
930  else if (have_homedir)
931  snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, USER_CERT_FILE);
932  else
933  fnbuf[0] = '\0';
934 
935  if (conn->sslcertmode[0] == 'd') /* disable */
936  {
937  /* don't send a client cert even if we have one */
938  have_cert = false;
939  }
940  else if (fnbuf[0] == '\0')
941  {
942  /* no home directory, proceed without a client cert */
943  have_cert = false;
944  }
945  else if (stat(fnbuf, &buf) != 0)
946  {
947  /*
948  * If file is not present, just go on without a client cert; server
949  * might or might not accept the connection. Any other error,
950  * however, is grounds for complaint.
951  */
952  if (errno != ENOENT && errno != ENOTDIR)
953  {
954  libpq_append_conn_error(conn, "could not open certificate file \"%s\": %s",
955  fnbuf, strerror_r(errno, sebuf, sizeof(sebuf)));
956  SSL_CTX_free(SSL_context);
957  return -1;
958  }
959  have_cert = false;
960  }
961  else
962  {
963  /*
964  * Cert file exists, so load it. Since OpenSSL doesn't provide the
965  * equivalent of "SSL_use_certificate_chain_file", we have to load it
966  * into the SSL context, rather than the SSL object.
967  */
968  if (SSL_CTX_use_certificate_chain_file(SSL_context, fnbuf) != 1)
969  {
970  char *err = SSLerrmessage(ERR_get_error());
971 
972  libpq_append_conn_error(conn, "could not read certificate file \"%s\": %s",
973  fnbuf, err);
974  SSLerrfree(err);
975  SSL_CTX_free(SSL_context);
976  return -1;
977  }
978 
979  /* need to load the associated private key, too */
980  have_cert = true;
981  }
982 
983  /*
984  * The SSL context is now loaded with the correct root and client
985  * certificates. Create a connection-specific SSL object. The private key
986  * is loaded directly into the SSL object. (We could load the private key
987  * into the context, too, but we have done it this way historically, and
988  * it doesn't really matter.)
989  */
990  if (!(conn->ssl = SSL_new(SSL_context)) ||
991  !SSL_set_app_data(conn->ssl, conn) ||
993  {
994  char *err = SSLerrmessage(ERR_get_error());
995 
996  libpq_append_conn_error(conn, "could not establish SSL connection: %s", err);
997  SSLerrfree(err);
998  SSL_CTX_free(SSL_context);
999  return -1;
1000  }
1001  conn->ssl_in_use = true;
1002 
1003  /*
1004  * SSL contexts are reference counted by OpenSSL. We can free it as soon
1005  * as we have created the SSL object, and it will stick around for as long
1006  * as it's actually needed.
1007  */
1008  SSL_CTX_free(SSL_context);
1009  SSL_context = NULL;
1010 
1011  /*
1012  * Set Server Name Indication (SNI), if enabled by connection parameters.
1013  * Per RFC 6066, do not set it if the host is a literal IP address (IPv4
1014  * or IPv6).
1015  */
1016  if (conn->sslsni && conn->sslsni[0] == '1')
1017  {
1018  const char *host = conn->connhost[conn->whichhost].host;
1019 
1020  if (host && host[0] &&
1021  !(strspn(host, "0123456789.") == strlen(host) ||
1022  strchr(host, ':')))
1023  {
1024  if (SSL_set_tlsext_host_name(conn->ssl, host) != 1)
1025  {
1026  char *err = SSLerrmessage(ERR_get_error());
1027 
1028  libpq_append_conn_error(conn, "could not set SSL Server Name Indication (SNI): %s", err);
1029  SSLerrfree(err);
1030  return -1;
1031  }
1032  }
1033  }
1034 
1035  /* Set ALPN */
1036  {
1037  int retval;
1038 
1039  retval = SSL_set_alpn_protos(conn->ssl, alpn_protos, sizeof(alpn_protos));
1040 
1041  if (retval != 0)
1042  {
1043  char *err = SSLerrmessage(ERR_get_error());
1044 
1045  libpq_append_conn_error(conn, "could not set SSL ALPN extension: %s", err);
1046  SSLerrfree(err);
1047  return -1;
1048  }
1049  }
1050 
1051  /*
1052  * Read the SSL key. If a key is specified, treat it as an engine:key
1053  * combination if there is colon present - we don't support files with
1054  * colon in the name. The exception is if the second character is a colon,
1055  * in which case it can be a Windows filename with drive specification.
1056  */
1057  if (have_cert && conn->sslkey && strlen(conn->sslkey) > 0)
1058  {
1059 #ifdef USE_SSL_ENGINE
1060  if (strchr(conn->sslkey, ':')
1061 #ifdef WIN32
1062  && conn->sslkey[1] != ':'
1063 #endif
1064  )
1065  {
1066  /* Colon, but not in second character, treat as engine:key */
1067  char *engine_str = strdup(conn->sslkey);
1068  char *engine_colon;
1069  EVP_PKEY *pkey;
1070 
1071  if (engine_str == NULL)
1072  {
1073  libpq_append_conn_error(conn, "out of memory");
1074  return -1;
1075  }
1076 
1077  /* cannot return NULL because we already checked before strdup */
1078  engine_colon = strchr(engine_str, ':');
1079 
1080  *engine_colon = '\0'; /* engine_str now has engine name */
1081  engine_colon++; /* engine_colon now has key name */
1082 
1083  conn->engine = ENGINE_by_id(engine_str);
1084  if (conn->engine == NULL)
1085  {
1086  char *err = SSLerrmessage(ERR_get_error());
1087 
1088  libpq_append_conn_error(conn, "could not load SSL engine \"%s\": %s",
1089  engine_str, err);
1090  SSLerrfree(err);
1091  free(engine_str);
1092  return -1;
1093  }
1094 
1095  if (ENGINE_init(conn->engine) == 0)
1096  {
1097  char *err = SSLerrmessage(ERR_get_error());
1098 
1099  libpq_append_conn_error(conn, "could not initialize SSL engine \"%s\": %s",
1100  engine_str, err);
1101  SSLerrfree(err);
1102  ENGINE_free(conn->engine);
1103  conn->engine = NULL;
1104  free(engine_str);
1105  return -1;
1106  }
1107 
1108  pkey = ENGINE_load_private_key(conn->engine, engine_colon,
1109  NULL, NULL);
1110  if (pkey == NULL)
1111  {
1112  char *err = SSLerrmessage(ERR_get_error());
1113 
1114  libpq_append_conn_error(conn, "could not read private SSL key \"%s\" from engine \"%s\": %s",
1115  engine_colon, engine_str, err);
1116  SSLerrfree(err);
1117  ENGINE_finish(conn->engine);
1118  ENGINE_free(conn->engine);
1119  conn->engine = NULL;
1120  free(engine_str);
1121  return -1;
1122  }
1123  if (SSL_use_PrivateKey(conn->ssl, pkey) != 1)
1124  {
1125  char *err = SSLerrmessage(ERR_get_error());
1126 
1127  libpq_append_conn_error(conn, "could not load private SSL key \"%s\" from engine \"%s\": %s",
1128  engine_colon, engine_str, err);
1129  SSLerrfree(err);
1130  ENGINE_finish(conn->engine);
1131  ENGINE_free(conn->engine);
1132  conn->engine = NULL;
1133  free(engine_str);
1134  return -1;
1135  }
1136 
1137  free(engine_str);
1138 
1139  fnbuf[0] = '\0'; /* indicate we're not going to load from a
1140  * file */
1141  }
1142  else
1143 #endif /* USE_SSL_ENGINE */
1144  {
1145  /* PGSSLKEY is not an engine, treat it as a filename */
1146  strlcpy(fnbuf, conn->sslkey, sizeof(fnbuf));
1147  }
1148  }
1149  else if (have_homedir)
1150  {
1151  /* No PGSSLKEY specified, load default file */
1152  snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, USER_KEY_FILE);
1153  }
1154  else
1155  fnbuf[0] = '\0';
1156 
1157  if (have_cert && fnbuf[0] != '\0')
1158  {
1159  /* read the client key from file */
1160 
1161  if (stat(fnbuf, &buf) != 0)
1162  {
1163  if (errno == ENOENT)
1164  libpq_append_conn_error(conn, "certificate present, but not private key file \"%s\"",
1165  fnbuf);
1166  else
1167  libpq_append_conn_error(conn, "could not stat private key file \"%s\": %m",
1168  fnbuf);
1169  return -1;
1170  }
1171 
1172  /* Key file must be a regular file */
1173  if (!S_ISREG(buf.st_mode))
1174  {
1175  libpq_append_conn_error(conn, "private key file \"%s\" is not a regular file",
1176  fnbuf);
1177  return -1;
1178  }
1179 
1180  /*
1181  * Refuse to load world-readable key files. We accept root-owned
1182  * files with mode 0640 or less, so that we can access system-wide
1183  * certificates if we have a supplementary group membership that
1184  * allows us to read 'em. For files with non-root ownership, require
1185  * mode 0600 or less. We need not check the file's ownership exactly;
1186  * if we're able to read it despite it having such restrictive
1187  * permissions, it must have the right ownership.
1188  *
1189  * Note: be very careful about tightening these rules. Some people
1190  * expect, for example, that a client process running as root should
1191  * be able to use a non-root-owned key file.
1192  *
1193  * Note that roughly similar checks are performed in
1194  * src/backend/libpq/be-secure-common.c so any changes here may need
1195  * to be made there as well. However, this code caters for the case
1196  * of current user == root, while that code does not.
1197  *
1198  * Ideally we would do similar permissions checks on Windows, but it
1199  * is not clear how that would work since Unix-style permissions may
1200  * not be available.
1201  */
1202 #if !defined(WIN32) && !defined(__CYGWIN__)
1203  if (buf.st_uid == 0 ?
1204  buf.st_mode & (S_IWGRP | S_IXGRP | S_IRWXO) :
1205  buf.st_mode & (S_IRWXG | S_IRWXO))
1206  {
1208  "private key file \"%s\" has group or world access; file must have permissions u=rw (0600) or less if owned by the current user, or permissions u=rw,g=r (0640) or less if owned by root",
1209  fnbuf);
1210  return -1;
1211  }
1212 #endif
1213 
1214  if (SSL_use_PrivateKey_file(conn->ssl, fnbuf, SSL_FILETYPE_PEM) != 1)
1215  {
1216  char *err = SSLerrmessage(ERR_get_error());
1217 
1218  /*
1219  * We'll try to load the file in DER (binary ASN.1) format, and if
1220  * that fails too, report the original error. This could mask
1221  * issues where there's something wrong with a DER-format cert,
1222  * but we'd have to duplicate openssl's format detection to be
1223  * smarter than this. We can't just probe for a leading -----BEGIN
1224  * because PEM can have leading non-matching lines and blanks.
1225  * OpenSSL doesn't expose its get_name(...) and its PEM routines
1226  * don't differentiate between failure modes in enough detail to
1227  * let us tell the difference between "not PEM, try DER" and
1228  * "wrong password".
1229  */
1230  if (SSL_use_PrivateKey_file(conn->ssl, fnbuf, SSL_FILETYPE_ASN1) != 1)
1231  {
1232  libpq_append_conn_error(conn, "could not load private key file \"%s\": %s",
1233  fnbuf, err);
1234  SSLerrfree(err);
1235  return -1;
1236  }
1237 
1238  SSLerrfree(err);
1239  }
1240  }
1241 
1242  /* verify that the cert and key go together */
1243  if (have_cert &&
1244  SSL_check_private_key(conn->ssl) != 1)
1245  {
1246  char *err = SSLerrmessage(ERR_get_error());
1247 
1248  libpq_append_conn_error(conn, "certificate does not match private key file \"%s\": %s",
1249  fnbuf, err);
1250  SSLerrfree(err);
1251  return -1;
1252  }
1253 
1254  /*
1255  * If a root cert was loaded, also set our certificate verification
1256  * callback.
1257  */
1258  if (have_rootcert)
1259  SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, verify_cb);
1260 
1261  /*
1262  * Set compression option if necessary.
1263  */
1264  if (conn->sslcompression && conn->sslcompression[0] == '0')
1265  SSL_set_options(conn->ssl, SSL_OP_NO_COMPRESSION);
1266  else
1267  SSL_clear_options(conn->ssl, SSL_OP_NO_COMPRESSION);
1268 
1269  return 0;
1270 }
static SSL_CTX * SSL_context
void err(int eval, const char *fmt,...)
Definition: err.c:43
bool pqGetHomeDirectory(char *buf, int bufsize)
Definition: fe-connect.c:7715
void libpq_append_conn_error(PGconn *conn, const char *fmt,...)
Definition: fe-misc.c:1372
static int ssl_protocol_version_to_openssl(const char *protocol)
static void SSLerrfree(char *buf)
static PQsslKeyPassHook_OpenSSL_type PQsslKeyPassHook
static int verify_cb(int ok, X509_STORE_CTX *ctx)
static int PQssl_passwd_cb(char *buf, int size, int rwflag, void *userdata)
static char * SSLerrmessage(unsigned long ecode)
static unsigned char alpn_protos[]
static int ssl_set_pgconn_bio(PGconn *conn)
#define free(a)
Definition: header.h:65
#define MAXPGPATH
static char * buf
Definition: pg_test_fsync.c:72
#define PG_STRERROR_R_BUFLEN
Definition: port.h:256
#define snprintf
Definition: port.h:238
#define strerror_r
Definition: port.h:255
size_t strlcpy(char *dst, const char *src, size_t siz)
Definition: strlcpy.c:45
PGconn * conn
Definition: streamutil.c:53
char * host
Definition: libpq-int.h:364
char * sslrootcert
Definition: libpq-int.h:415
char * sslcompression
Definition: libpq-int.h:410
char * sslcrldir
Definition: libpq-int.h:417
char * sslcrl
Definition: libpq-int.h:416
char * ssl_max_protocol_version
Definition: libpq-int.h:426
char * sslcert
Definition: libpq-int.h:412
char * sslcertmode
Definition: libpq-int.h:414
char * sslpassword
Definition: libpq-int.h:413
char * sslmode
Definition: libpq-int.h:408
char * ssl_min_protocol_version
Definition: libpq-int.h:425
char * sslkey
Definition: libpq-int.h:411
int whichhost
Definition: libpq-int.h:467
char * sslsni
Definition: libpq-int.h:418
pg_conn_host * connhost
Definition: libpq-int.h:468
bool ssl_in_use
Definition: libpq-int.h:580
#define S_IXGRP
Definition: win32_port.h:307
#define stat
Definition: win32_port.h:284
#define S_IRWXG
Definition: win32_port.h:310
#define S_IRWXO
Definition: win32_port.h:322
#define S_ISREG(m)
Definition: win32_port.h:328
#define S_IWGRP
Definition: win32_port.h:304

References alpn_protos, buf, conn, pg_conn::connhost, err(), free, pg_conn_host::host, libpq_append_conn_error(), MAXPGPATH, PG_STRERROR_R_BUFLEN, pqGetHomeDirectory(), PQssl_passwd_cb(), PQsslKeyPassHook, S_IRWXG, S_IRWXO, S_ISREG, S_IWGRP, S_IXGRP, snprintf, SSL_context, pg_conn::ssl_in_use, pg_conn::ssl_max_protocol_version, pg_conn::ssl_min_protocol_version, ssl_protocol_version_to_openssl(), ssl_set_pgconn_bio(), pg_conn::sslcert, pg_conn::sslcertmode, pg_conn::sslcompression, pg_conn::sslcrl, pg_conn::sslcrldir, SSLerrfree(), SSLerrmessage(), pg_conn::sslkey, pg_conn::sslmode, pg_conn::sslpassword, pg_conn::sslrootcert, pg_conn::sslsni, stat, strerror_r, strlcpy(), verify_cb(), and pg_conn::whichhost.

Referenced by pgtls_open_client().

◆ is_ip_address()

static bool is_ip_address ( const char *  host)
static

Definition at line 523 of file fe-secure-openssl.c.

524 {
525  struct in_addr dummy4;
526 #ifdef HAVE_INET_PTON
527  struct in6_addr dummy6;
528 #endif
529 
530  return inet_aton(host, &dummy4)
531 #ifdef HAVE_INET_PTON
532  || (inet_pton(AF_INET6, host, &dummy6) == 1)
533 #endif
534  ;
535 }
int inet_aton(const char *cp, struct in_addr *addr)
Definition: inet_aton.c:56

References inet_aton().

Referenced by pgtls_verify_peer_name_matches_certificate_guts().

◆ open_client_SSL()

static PostgresPollingStatusType open_client_SSL ( PGconn conn)
static

Definition at line 1276 of file fe-secure-openssl.c.

1277 {
1278  int r;
1279 
1280  SOCK_ERRNO_SET(0);
1281  ERR_clear_error();
1282  r = SSL_connect(conn->ssl);
1283  if (r <= 0)
1284  {
1285  int save_errno = SOCK_ERRNO;
1286  int err = SSL_get_error(conn->ssl, r);
1287  unsigned long ecode;
1288 
1289  ecode = ERR_get_error();
1290  switch (err)
1291  {
1292  case SSL_ERROR_WANT_READ:
1293  return PGRES_POLLING_READING;
1294 
1295  case SSL_ERROR_WANT_WRITE:
1296  return PGRES_POLLING_WRITING;
1297 
1298  case SSL_ERROR_SYSCALL:
1299  {
1300  char sebuf[PG_STRERROR_R_BUFLEN];
1301  unsigned long vcode;
1302 
1303  vcode = SSL_get_verify_result(conn->ssl);
1304 
1305  /*
1306  * If we get an X509 error here for failing to load the
1307  * local issuer cert, without an error in the socket layer
1308  * it means that verification failed due to a missing
1309  * system CA pool without it being a protocol error. We
1310  * inspect the sslrootcert setting to ensure that the user
1311  * was using the system CA pool. For other errors, log
1312  * them using the normal SYSCALL logging.
1313  */
1314  if (save_errno == 0 &&
1315  vcode == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY &&
1316  strcmp(conn->sslrootcert, "system") == 0)
1317  libpq_append_conn_error(conn, "SSL error: certificate verify failed: %s",
1318  X509_verify_cert_error_string(vcode));
1319  else if (r == -1 && save_errno != 0)
1320  libpq_append_conn_error(conn, "SSL SYSCALL error: %s",
1321  SOCK_STRERROR(save_errno, sebuf, sizeof(sebuf)));
1322  else
1323  libpq_append_conn_error(conn, "SSL SYSCALL error: EOF detected");
1324  pgtls_close(conn);
1325  return PGRES_POLLING_FAILED;
1326  }
1327  case SSL_ERROR_SSL:
1328  {
1329  char *err = SSLerrmessage(ecode);
1330 
1331  libpq_append_conn_error(conn, "SSL error: %s", err);
1332  SSLerrfree(err);
1333  switch (ERR_GET_REASON(ecode))
1334  {
1335  /*
1336  * UNSUPPORTED_PROTOCOL, WRONG_VERSION_NUMBER, and
1337  * TLSV1_ALERT_PROTOCOL_VERSION have been observed
1338  * when trying to communicate with an old OpenSSL
1339  * library, or when the client and server specify
1340  * disjoint protocol ranges.
1341  * NO_PROTOCOLS_AVAILABLE occurs if there's a
1342  * local misconfiguration (which can happen
1343  * despite our checks, if openssl.cnf injects a
1344  * limit we didn't account for). It's not very
1345  * clear what would make OpenSSL return the other
1346  * codes listed here, but a hint about protocol
1347  * versions seems like it's appropriate for all.
1348  */
1349  case SSL_R_NO_PROTOCOLS_AVAILABLE:
1350  case SSL_R_UNSUPPORTED_PROTOCOL:
1351  case SSL_R_BAD_PROTOCOL_VERSION_NUMBER:
1352  case SSL_R_UNKNOWN_PROTOCOL:
1353  case SSL_R_UNKNOWN_SSL_VERSION:
1354  case SSL_R_UNSUPPORTED_SSL_VERSION:
1355  case SSL_R_WRONG_SSL_VERSION:
1356  case SSL_R_WRONG_VERSION_NUMBER:
1357  case SSL_R_TLSV1_ALERT_PROTOCOL_VERSION:
1358 #ifdef SSL_R_VERSION_TOO_HIGH
1359  case SSL_R_VERSION_TOO_HIGH:
1360  case SSL_R_VERSION_TOO_LOW:
1361 #endif
1362  libpq_append_conn_error(conn, "This may indicate that the server does not support any SSL protocol version between %s and %s.",
1365  MIN_OPENSSL_TLS_VERSION,
1368  MAX_OPENSSL_TLS_VERSION);
1369  break;
1370  default:
1371  break;
1372  }
1373  pgtls_close(conn);
1374  return PGRES_POLLING_FAILED;
1375  }
1376 
1377  default:
1378  libpq_append_conn_error(conn, "unrecognized SSL error code: %d", err);
1379  pgtls_close(conn);
1380  return PGRES_POLLING_FAILED;
1381  }
1382  }
1383 
1384  /* ALPN is mandatory with direct SSL connections */
1385  if (conn->current_enc_method == ENC_SSL && conn->sslnegotiation[0] == 'd')
1386  {
1387  const unsigned char *selected;
1388  unsigned int len;
1389 
1390  SSL_get0_alpn_selected(conn->ssl, &selected, &len);
1391 
1392  if (selected == NULL)
1393  {
1394  libpq_append_conn_error(conn, "direct SSL connection was established without ALPN protocol negotiation extension");
1395  pgtls_close(conn);
1396  return PGRES_POLLING_FAILED;
1397  }
1398 
1399  /*
1400  * We only support one protocol so that's what the negotiation should
1401  * always choose, but doesn't hurt to check.
1402  */
1403  if (len != strlen(PG_ALPN_PROTOCOL) ||
1404  memcmp(selected, PG_ALPN_PROTOCOL, strlen(PG_ALPN_PROTOCOL)) != 0)
1405  {
1406  libpq_append_conn_error(conn, "SSL connection was established with unexpected ALPN protocol");
1407  pgtls_close(conn);
1408  return PGRES_POLLING_FAILED;
1409  }
1410  }
1411 
1412  /*
1413  * We already checked the server certificate in initialize_SSL() using
1414  * SSL_CTX_set_verify(), if root.crt exists.
1415  */
1416 
1417  /* get server certificate */
1418  conn->peer = SSL_get_peer_certificate(conn->ssl);
1419  if (conn->peer == NULL)
1420  {
1421  char *err = SSLerrmessage(ERR_get_error());
1422 
1423  libpq_append_conn_error(conn, "certificate could not be obtained: %s", err);
1424  SSLerrfree(err);
1425  pgtls_close(conn);
1426  return PGRES_POLLING_FAILED;
1427  }
1428 
1430  {
1431  pgtls_close(conn);
1432  return PGRES_POLLING_FAILED;
1433  }
1434 
1435  /* SSL handshake is complete */
1436  return PGRES_POLLING_OK;
1437 }
bool pq_verify_peer_name_matches_certificate(PGconn *conn)
void pgtls_close(PGconn *conn)
@ PGRES_POLLING_OK
Definition: libpq-fe.h:113
@ PGRES_POLLING_READING
Definition: libpq-fe.h:111
@ PGRES_POLLING_WRITING
Definition: libpq-fe.h:112
@ PGRES_POLLING_FAILED
Definition: libpq-fe.h:110
#define SOCK_STRERROR
Definition: libpq-int.h:928
#define SOCK_ERRNO
Definition: libpq-int.h:927
#define ENC_SSL
Definition: libpq-int.h:238
#define SOCK_ERRNO_SET(e)
Definition: libpq-int.h:929
const void size_t len
#define PG_ALPN_PROTOCOL
Definition: pqcomm.h:160
char * sslnegotiation
Definition: libpq-int.h:409
uint8 current_enc_method
Definition: libpq-int.h:577

References conn, pg_conn::current_enc_method, ENC_SSL, err(), len, libpq_append_conn_error(), PG_ALPN_PROTOCOL, PG_STRERROR_R_BUFLEN, PGRES_POLLING_FAILED, PGRES_POLLING_OK, PGRES_POLLING_READING, PGRES_POLLING_WRITING, pgtls_close(), pq_verify_peer_name_matches_certificate(), SOCK_ERRNO, SOCK_ERRNO_SET, SOCK_STRERROR, pg_conn::ssl_max_protocol_version, pg_conn::ssl_min_protocol_version, SSLerrfree(), SSLerrmessage(), pg_conn::sslnegotiation, and pg_conn::sslrootcert.

Referenced by pgtls_open_client().

◆ openssl_verify_peer_name_matches_certificate_ip()

static int openssl_verify_peer_name_matches_certificate_ip ( PGconn conn,
ASN1_OCTET_STRING *  addr_entry,
char **  store_name 
)
static

Definition at line 498 of file fe-secure-openssl.c.

501 {
502  int len;
503  const unsigned char *addrdata;
504 
505  /* Should not happen... */
506  if (addr_entry == NULL)
507  {
508  libpq_append_conn_error(conn, "SSL certificate's address entry is missing");
509  return -1;
510  }
511 
512  /*
513  * GEN_IPADD is an OCTET STRING containing an IP address in network byte
514  * order.
515  */
516  addrdata = ASN1_STRING_get0_data(addr_entry);
517  len = ASN1_STRING_length(addr_entry);
518 
519  return pq_verify_peer_name_matches_certificate_ip(conn, addrdata, len, store_name);
520 }
int pq_verify_peer_name_matches_certificate_ip(PGconn *conn, const unsigned char *ipdata, size_t iplen, char **store_name)

References conn, len, libpq_append_conn_error(), and pq_verify_peer_name_matches_certificate_ip().

Referenced by pgtls_verify_peer_name_matches_certificate_guts().

◆ openssl_verify_peer_name_matches_certificate_name()

static int openssl_verify_peer_name_matches_certificate_name ( PGconn conn,
ASN1_STRING *  name_entry,
char **  store_name 
)
static

Definition at line 469 of file fe-secure-openssl.c.

471 {
472  int len;
473  const unsigned char *namedata;
474 
475  /* Should not happen... */
476  if (name_entry == NULL)
477  {
478  libpq_append_conn_error(conn, "SSL certificate's name entry is missing");
479  return -1;
480  }
481 
482  /*
483  * GEN_DNS can be only IA5String, equivalent to US ASCII.
484  */
485  namedata = ASN1_STRING_get0_data(name_entry);
486  len = ASN1_STRING_length(name_entry);
487 
488  /* OK to cast from unsigned to plain char, since it's all ASCII. */
489  return pq_verify_peer_name_matches_certificate_name(conn, (const char *) namedata, len, store_name);
490 }
int pq_verify_peer_name_matches_certificate_name(PGconn *conn, const char *namedata, size_t namelen, char **store_name)

References conn, len, libpq_append_conn_error(), and pq_verify_peer_name_matches_certificate_name().

Referenced by pgtls_verify_peer_name_matches_certificate_guts().

◆ pgconn_bio_ctrl()

static long pgconn_bio_ctrl ( BIO *  h,
int  cmd,
long  num,
void *  ptr 
)
static

Definition at line 1741 of file fe-secure-openssl.c.

1742 {
1743  long res;
1744  PGconn *conn = (PGconn *) BIO_get_data(h);
1745 
1746  switch (cmd)
1747  {
1748  case BIO_CTRL_EOF:
1749 
1750  /*
1751  * This should not be needed. pgconn_bio_read already has a way to
1752  * signal EOF to OpenSSL. However, OpenSSL made an undocumented,
1753  * backwards-incompatible change and now expects EOF via BIO_ctrl.
1754  * See https://github.com/openssl/openssl/issues/8208
1755  */
1757  break;
1758  case BIO_CTRL_FLUSH:
1759  /* libssl expects all BIOs to support BIO_flush. */
1760  res = 1;
1761  break;
1762  default:
1763  res = 0;
1764  break;
1765  }
1766 
1767  return res;
1768 }
bool last_read_was_eof
Definition: libpq-int.h:584

References conn, pg_conn::last_read_was_eof, and res.

Referenced by pgconn_bio_method().

◆ pgconn_bio_method()

static BIO_METHOD * pgconn_bio_method ( void  )
static

Definition at line 1771 of file fe-secure-openssl.c.

1772 {
1773  BIO_METHOD *res;
1774 
1776  return NULL;
1777 
1779 
1780  if (!pgconn_bio_method_ptr)
1781  {
1782  int my_bio_index;
1783 
1784  my_bio_index = BIO_get_new_index();
1785  if (my_bio_index == -1)
1786  goto err;
1787  my_bio_index |= BIO_TYPE_SOURCE_SINK;
1788  res = BIO_meth_new(my_bio_index, "libpq socket");
1789  if (!res)
1790  goto err;
1791 
1792  /*
1793  * As of this writing, these functions never fail. But check anyway,
1794  * like OpenSSL's own examples do.
1795  */
1796  if (!BIO_meth_set_write(res, pgconn_bio_write) ||
1797  !BIO_meth_set_read(res, pgconn_bio_read) ||
1798  !BIO_meth_set_ctrl(res, pgconn_bio_ctrl))
1799  {
1800  goto err;
1801  }
1802  }
1803 
1806  return res;
1807 
1808 err:
1809  if (res)
1810  BIO_meth_free(res);
1812  return NULL;
1813 }
static BIO_METHOD * pgconn_bio_method_ptr
static int pgconn_bio_read(BIO *h, char *buf, int size)
static long pgconn_bio_ctrl(BIO *h, int cmd, long num, void *ptr)
static int pgconn_bio_write(BIO *h, const char *buf, int size)
static pthread_mutex_t ssl_config_mutex
int pthread_mutex_unlock(pthread_mutex_t *mp)
Definition: pthread-win32.c:60
int pthread_mutex_lock(pthread_mutex_t *mp)
Definition: pthread-win32.c:42

References err(), pgconn_bio_ctrl(), pgconn_bio_method_ptr, pgconn_bio_read(), pgconn_bio_write(), pthread_mutex_lock(), pthread_mutex_unlock(), res, and ssl_config_mutex.

Referenced by ssl_set_pgconn_bio().

◆ pgconn_bio_read()

static int pgconn_bio_read ( BIO *  h,
char *  buf,
int  size 
)
static

Definition at line 1676 of file fe-secure-openssl.c.

1677 {
1678  PGconn *conn = (PGconn *) BIO_get_data(h);
1679  int res;
1680 
1682  BIO_clear_retry_flags(h);
1683  conn->last_read_was_eof = res == 0;
1684  if (res < 0)
1685  {
1686  /* If we were interrupted, tell caller to retry */
1687  switch (SOCK_ERRNO)
1688  {
1689 #ifdef EAGAIN
1690  case EAGAIN:
1691 #endif
1692 #if defined(EWOULDBLOCK) && (!defined(EAGAIN) || (EWOULDBLOCK != EAGAIN))
1693  case EWOULDBLOCK:
1694 #endif
1695  case EINTR:
1696  BIO_set_retry_read(h);
1697  break;
1698 
1699  default:
1700  break;
1701  }
1702  }
1703 
1704  if (res > 0)
1705  conn->ssl_handshake_started = true;
1706 
1707  return res;
1708 }
ssize_t pqsecure_raw_read(PGconn *conn, void *ptr, size_t len)
Definition: fe-secure.c:193
static pg_noinline void Size size
Definition: slab.c:607
bool ssl_handshake_started
Definition: libpq-int.h:581
#define EINTR
Definition: win32_port.h:374
#define EWOULDBLOCK
Definition: win32_port.h:380
#define EAGAIN
Definition: win32_port.h:372

References buf, conn, EAGAIN, EINTR, EWOULDBLOCK, pg_conn::last_read_was_eof, pqsecure_raw_read(), res, size, SOCK_ERRNO, and pg_conn::ssl_handshake_started.

Referenced by pgconn_bio_method().

◆ pgconn_bio_write()

static int pgconn_bio_write ( BIO *  h,
const char *  buf,
int  size 
)
static

Definition at line 1711 of file fe-secure-openssl.c.

1712 {
1713  int res;
1714 
1715  res = pqsecure_raw_write((PGconn *) BIO_get_data(h), buf, size);
1716  BIO_clear_retry_flags(h);
1717  if (res < 0)
1718  {
1719  /* If we were interrupted, tell caller to retry */
1720  switch (SOCK_ERRNO)
1721  {
1722 #ifdef EAGAIN
1723  case EAGAIN:
1724 #endif
1725 #if defined(EWOULDBLOCK) && (!defined(EAGAIN) || (EWOULDBLOCK != EAGAIN))
1726  case EWOULDBLOCK:
1727 #endif
1728  case EINTR:
1729  BIO_set_retry_write(h);
1730  break;
1731 
1732  default:
1733  break;
1734  }
1735  }
1736 
1737  return res;
1738 }
ssize_t pqsecure_raw_write(PGconn *conn, const void *ptr, size_t len)
Definition: fe-secure.c:316

References buf, EAGAIN, EINTR, EWOULDBLOCK, pqsecure_raw_write(), res, size, and SOCK_ERRNO.

Referenced by pgconn_bio_method().

◆ pgtls_close()

void pgtls_close ( PGconn conn)

Definition at line 1440 of file fe-secure-openssl.c.

1441 {
1442  if (conn->ssl_in_use)
1443  {
1444  if (conn->ssl)
1445  {
1446  /*
1447  * We can't destroy everything SSL-related here due to the
1448  * possible later calls to OpenSSL routines which may need our
1449  * thread callbacks, so set a flag here and check at the end.
1450  */
1451 
1452  SSL_shutdown(conn->ssl);
1453  SSL_free(conn->ssl);
1454  conn->ssl = NULL;
1455  conn->ssl_in_use = false;
1456  conn->ssl_handshake_started = false;
1457  }
1458 
1459  if (conn->peer)
1460  {
1461  X509_free(conn->peer);
1462  conn->peer = NULL;
1463  }
1464 
1465 #ifdef USE_SSL_ENGINE
1466  if (conn->engine)
1467  {
1468  ENGINE_finish(conn->engine);
1469  ENGINE_free(conn->engine);
1470  conn->engine = NULL;
1471  }
1472 #endif
1473  }
1474 }

References conn, pg_conn::ssl_handshake_started, and pg_conn::ssl_in_use.

Referenced by open_client_SSL(), pgtls_open_client(), and pqsecure_close().

◆ pgtls_get_peer_certificate_hash()

char* pgtls_get_peer_certificate_hash ( PGconn conn,
size_t *  len 
)

Definition at line 339 of file fe-secure-openssl.c.

340 {
341  X509 *peer_cert;
342  const EVP_MD *algo_type;
343  unsigned char hash[EVP_MAX_MD_SIZE]; /* size for SHA-512 */
344  unsigned int hash_size;
345  int algo_nid;
346  char *cert_hash;
347 
348  *len = 0;
349 
350  if (!conn->peer)
351  return NULL;
352 
353  peer_cert = conn->peer;
354 
355  /*
356  * Get the signature algorithm of the certificate to determine the hash
357  * algorithm to use for the result. Prefer X509_get_signature_info(),
358  * introduced in OpenSSL 1.1.1, which can handle RSA-PSS signatures.
359  */
360 #if HAVE_X509_GET_SIGNATURE_INFO
361  if (!X509_get_signature_info(peer_cert, &algo_nid, NULL, NULL, NULL))
362 #else
363  if (!OBJ_find_sigid_algs(X509_get_signature_nid(peer_cert),
364  &algo_nid, NULL))
365 #endif
366  {
367  libpq_append_conn_error(conn, "could not determine server certificate signature algorithm");
368  return NULL;
369  }
370 
371  /*
372  * The TLS server's certificate bytes need to be hashed with SHA-256 if
373  * its signature algorithm is MD5 or SHA-1 as per RFC 5929
374  * (https://tools.ietf.org/html/rfc5929#section-4.1). If something else
375  * is used, the same hash as the signature algorithm is used.
376  */
377  switch (algo_nid)
378  {
379  case NID_md5:
380  case NID_sha1:
381  algo_type = EVP_sha256();
382  break;
383  default:
384  algo_type = EVP_get_digestbynid(algo_nid);
385  if (algo_type == NULL)
386  {
387  libpq_append_conn_error(conn, "could not find digest for NID %s",
388  OBJ_nid2sn(algo_nid));
389  return NULL;
390  }
391  break;
392  }
393 
394  if (!X509_digest(peer_cert, algo_type, hash, &hash_size))
395  {
396  libpq_append_conn_error(conn, "could not generate peer certificate hash");
397  return NULL;
398  }
399 
400  /* save result */
401  cert_hash = malloc(hash_size);
402  if (cert_hash == NULL)
403  {
404  libpq_append_conn_error(conn, "out of memory");
405  return NULL;
406  }
407  memcpy(cert_hash, hash, hash_size);
408  *len = hash_size;
409 
410  return cert_hash;
411 }
#define malloc(a)
Definition: header.h:50
static unsigned hash(unsigned *uv, int n)
Definition: rege_dfa.c:715

References conn, hash(), len, libpq_append_conn_error(), and malloc.

Referenced by build_client_final_message().

◆ pgtls_open_client()

PostgresPollingStatusType pgtls_open_client ( PGconn conn)

Definition at line 95 of file fe-secure-openssl.c.

96 {
97  /* First time through? */
98  if (conn->ssl == NULL)
99  {
100  /*
101  * Create a connection-specific SSL object, and load client
102  * certificate, private key, and trusted CA certs.
103  */
104  if (initialize_SSL(conn) != 0)
105  {
106  /* initialize_SSL already put a message in conn->errorMessage */
107  pgtls_close(conn);
108  return PGRES_POLLING_FAILED;
109  }
110  }
111 
112  /* Begin or continue the actual handshake */
113  return open_client_SSL(conn);
114 }
static int initialize_SSL(PGconn *conn)
static PostgresPollingStatusType open_client_SSL(PGconn *conn)

References conn, initialize_SSL(), open_client_SSL(), PGRES_POLLING_FAILED, and pgtls_close().

Referenced by pqsecure_open_client().

◆ pgtls_read()

ssize_t pgtls_read ( PGconn conn,
void *  ptr,
size_t  len 
)

Definition at line 117 of file fe-secure-openssl.c.

118 {
119  ssize_t n;
120  int result_errno = 0;
121  char sebuf[PG_STRERROR_R_BUFLEN];
122  int err;
123  unsigned long ecode;
124 
125 rloop:
126 
127  /*
128  * Prepare to call SSL_get_error() by clearing thread's OpenSSL error
129  * queue. In general, the current thread's error queue must be empty
130  * before the TLS/SSL I/O operation is attempted, or SSL_get_error() will
131  * not work reliably. Since the possibility exists that other OpenSSL
132  * clients running in the same thread but not under our control will fail
133  * to call ERR_get_error() themselves (after their own I/O operations),
134  * pro-actively clear the per-thread error queue now.
135  */
136  SOCK_ERRNO_SET(0);
137  ERR_clear_error();
138  n = SSL_read(conn->ssl, ptr, len);
139  err = SSL_get_error(conn->ssl, n);
140 
141  /*
142  * Other clients of OpenSSL may fail to call ERR_get_error(), but we
143  * always do, so as to not cause problems for OpenSSL clients that don't
144  * call ERR_clear_error() defensively. Be sure that this happens by
145  * calling now. SSL_get_error() relies on the OpenSSL per-thread error
146  * queue being intact, so this is the earliest possible point
147  * ERR_get_error() may be called.
148  */
149  ecode = (err != SSL_ERROR_NONE || n < 0) ? ERR_get_error() : 0;
150  switch (err)
151  {
152  case SSL_ERROR_NONE:
153  if (n < 0)
154  {
155  /* Not supposed to happen, so we don't translate the msg */
157  "SSL_read failed but did not provide error information\n");
158  /* assume the connection is broken */
159  result_errno = ECONNRESET;
160  }
161  break;
162  case SSL_ERROR_WANT_READ:
163  n = 0;
164  break;
165  case SSL_ERROR_WANT_WRITE:
166 
167  /*
168  * Returning 0 here would cause caller to wait for read-ready,
169  * which is not correct since what SSL wants is wait for
170  * write-ready. The former could get us stuck in an infinite
171  * wait, so don't risk it; busy-loop instead.
172  */
173  goto rloop;
174  case SSL_ERROR_SYSCALL:
175  if (n < 0 && SOCK_ERRNO != 0)
176  {
177  result_errno = SOCK_ERRNO;
178  if (result_errno == EPIPE ||
179  result_errno == ECONNRESET)
180  libpq_append_conn_error(conn, "server closed the connection unexpectedly\n"
181  "\tThis probably means the server terminated abnormally\n"
182  "\tbefore or while processing the request.");
183  else
184  libpq_append_conn_error(conn, "SSL SYSCALL error: %s",
185  SOCK_STRERROR(result_errno,
186  sebuf, sizeof(sebuf)));
187  }
188  else
189  {
190  libpq_append_conn_error(conn, "SSL SYSCALL error: EOF detected");
191  /* assume the connection is broken */
192  result_errno = ECONNRESET;
193  n = -1;
194  }
195  break;
196  case SSL_ERROR_SSL:
197  {
198  char *errm = SSLerrmessage(ecode);
199 
200  libpq_append_conn_error(conn, "SSL error: %s", errm);
201  SSLerrfree(errm);
202  /* assume the connection is broken */
203  result_errno = ECONNRESET;
204  n = -1;
205  break;
206  }
207  case SSL_ERROR_ZERO_RETURN:
208 
209  /*
210  * Per OpenSSL documentation, this error code is only returned for
211  * a clean connection closure, so we should not report it as a
212  * server crash.
213  */
214  libpq_append_conn_error(conn, "SSL connection has been closed unexpectedly");
215  result_errno = ECONNRESET;
216  n = -1;
217  break;
218  default:
219  libpq_append_conn_error(conn, "unrecognized SSL error code: %d", err);
220  /* assume the connection is broken */
221  result_errno = ECONNRESET;
222  n = -1;
223  break;
224  }
225 
226  /* ensure we return the intended errno to caller */
227  SOCK_ERRNO_SET(result_errno);
228 
229  return n;
230 }
void appendPQExpBufferStr(PQExpBuffer str, const char *data)
Definition: pqexpbuffer.c:367
PQExpBufferData errorMessage
Definition: libpq-int.h:643
#define ECONNRESET
Definition: win32_port.h:384

References appendPQExpBufferStr(), conn, ECONNRESET, err(), pg_conn::errorMessage, len, libpq_append_conn_error(), PG_STRERROR_R_BUFLEN, SOCK_ERRNO, SOCK_ERRNO_SET, SOCK_STRERROR, SSLerrfree(), and SSLerrmessage().

Referenced by pqsecure_read().

◆ pgtls_read_pending()

bool pgtls_read_pending ( PGconn conn)

Definition at line 233 of file fe-secure-openssl.c.

234 {
235  return SSL_pending(conn->ssl) > 0;
236 }

References conn.

Referenced by pqSocketCheck().

◆ pgtls_verify_peer_name_matches_certificate_guts()

int pgtls_verify_peer_name_matches_certificate_guts ( PGconn conn,
int *  names_examined,
char **  first_name 
)

Definition at line 543 of file fe-secure-openssl.c.

546 {
547  STACK_OF(GENERAL_NAME) * peer_san;
548  int i;
549  int rc = 0;
550  char *host = conn->connhost[conn->whichhost].host;
551  int host_type;
552  bool check_cn = true;
553 
554  Assert(host && host[0]); /* should be guaranteed by caller */
555 
556  /*
557  * We try to match the NSS behavior here, which is a slight departure from
558  * the spec but seems to make more intuitive sense:
559  *
560  * If connhost contains a DNS name, and the certificate's SANs contain any
561  * dNSName entries, then we'll ignore the Subject Common Name entirely;
562  * otherwise, we fall back to checking the CN. (This behavior matches the
563  * RFC.)
564  *
565  * If connhost contains an IP address, and the SANs contain iPAddress
566  * entries, we again ignore the CN. Otherwise, we allow the CN to match,
567  * EVEN IF there is a dNSName in the SANs. (RFC 6125 prohibits this: "A
568  * client MUST NOT seek a match for a reference identifier of CN-ID if the
569  * presented identifiers include a DNS-ID, SRV-ID, URI-ID, or any
570  * application-specific identifier types supported by the client.")
571  *
572  * NOTE: Prior versions of libpq did not consider iPAddress entries at
573  * all, so this new behavior might break a certificate that has different
574  * IP addresses in the Subject CN and the SANs.
575  */
576  if (is_ip_address(host))
577  host_type = GEN_IPADD;
578  else
579  host_type = GEN_DNS;
580 
581  /*
582  * First, get the Subject Alternative Names (SANs) from the certificate,
583  * and compare them against the originally given hostname.
584  */
585  peer_san = (STACK_OF(GENERAL_NAME) *)
586  X509_get_ext_d2i(conn->peer, NID_subject_alt_name, NULL, NULL);
587 
588  if (peer_san)
589  {
590  int san_len = sk_GENERAL_NAME_num(peer_san);
591 
592  for (i = 0; i < san_len; i++)
593  {
594  const GENERAL_NAME *name = sk_GENERAL_NAME_value(peer_san, i);
595  char *alt_name = NULL;
596 
597  if (name->type == host_type)
598  {
599  /*
600  * This SAN is of the same type (IP or DNS) as our host name,
601  * so don't allow a fallback check of the CN.
602  */
603  check_cn = false;
604  }
605 
606  if (name->type == GEN_DNS)
607  {
608  (*names_examined)++;
610  name->d.dNSName,
611  &alt_name);
612  }
613  else if (name->type == GEN_IPADD)
614  {
615  (*names_examined)++;
617  name->d.iPAddress,
618  &alt_name);
619  }
620 
621  if (alt_name)
622  {
623  if (!*first_name)
624  *first_name = alt_name;
625  else
626  free(alt_name);
627  }
628 
629  if (rc != 0)
630  {
631  /*
632  * Either we hit an error or a match, and either way we should
633  * not fall back to the CN.
634  */
635  check_cn = false;
636  break;
637  }
638  }
639  sk_GENERAL_NAME_pop_free(peer_san, GENERAL_NAME_free);
640  }
641 
642  /*
643  * If there is no subjectAltName extension of the matching type, check the
644  * Common Name.
645  *
646  * (Per RFC 2818 and RFC 6125, if the subjectAltName extension of type
647  * dNSName is present, the CN must be ignored. We break this rule if host
648  * is an IP address; see the comment above.)
649  */
650  if (check_cn)
651  {
652  X509_NAME *subject_name;
653 
654  subject_name = X509_get_subject_name(conn->peer);
655  if (subject_name != NULL)
656  {
657  int cn_index;
658 
659  cn_index = X509_NAME_get_index_by_NID(subject_name,
660  NID_commonName, -1);
661  if (cn_index >= 0)
662  {
663  char *common_name = NULL;
664 
665  (*names_examined)++;
667  X509_NAME_ENTRY_get_data(X509_NAME_get_entry(subject_name, cn_index)),
668  &common_name);
669 
670  if (common_name)
671  {
672  if (!*first_name)
673  *first_name = common_name;
674  else
675  free(common_name);
676  }
677  }
678  }
679  }
680 
681  return rc;
682 }
#define Assert(condition)
Definition: c.h:863
static int openssl_verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, char **store_name)
static int openssl_verify_peer_name_matches_certificate_ip(PGconn *conn, ASN1_OCTET_STRING *addr_entry, char **store_name)
static bool is_ip_address(const char *host)
int i
Definition: isn.c:72
const char * name

References Assert, conn, pg_conn::connhost, free, pg_conn_host::host, i, is_ip_address(), name, openssl_verify_peer_name_matches_certificate_ip(), openssl_verify_peer_name_matches_certificate_name(), and pg_conn::whichhost.

Referenced by pq_verify_peer_name_matches_certificate().

◆ pgtls_write()

ssize_t pgtls_write ( PGconn conn,
const void *  ptr,
size_t  len 
)

Definition at line 239 of file fe-secure-openssl.c.

240 {
241  ssize_t n;
242  int result_errno = 0;
243  char sebuf[PG_STRERROR_R_BUFLEN];
244  int err;
245  unsigned long ecode;
246 
247  SOCK_ERRNO_SET(0);
248  ERR_clear_error();
249  n = SSL_write(conn->ssl, ptr, len);
250  err = SSL_get_error(conn->ssl, n);
251  ecode = (err != SSL_ERROR_NONE || n < 0) ? ERR_get_error() : 0;
252  switch (err)
253  {
254  case SSL_ERROR_NONE:
255  if (n < 0)
256  {
257  /* Not supposed to happen, so we don't translate the msg */
259  "SSL_write failed but did not provide error information\n");
260  /* assume the connection is broken */
261  result_errno = ECONNRESET;
262  }
263  break;
264  case SSL_ERROR_WANT_READ:
265 
266  /*
267  * Returning 0 here causes caller to wait for write-ready, which
268  * is not really the right thing, but it's the best we can do.
269  */
270  n = 0;
271  break;
272  case SSL_ERROR_WANT_WRITE:
273  n = 0;
274  break;
275  case SSL_ERROR_SYSCALL:
276 
277  /*
278  * If errno is still zero then assume it's a read EOF situation,
279  * and report EOF. (This seems possible because SSL_write can
280  * also do reads.)
281  */
282  if (n < 0 && SOCK_ERRNO != 0)
283  {
284  result_errno = SOCK_ERRNO;
285  if (result_errno == EPIPE || result_errno == ECONNRESET)
286  libpq_append_conn_error(conn, "server closed the connection unexpectedly\n"
287  "\tThis probably means the server terminated abnormally\n"
288  "\tbefore or while processing the request.");
289  else
290  libpq_append_conn_error(conn, "SSL SYSCALL error: %s",
291  SOCK_STRERROR(result_errno,
292  sebuf, sizeof(sebuf)));
293  }
294  else
295  {
296  libpq_append_conn_error(conn, "SSL SYSCALL error: EOF detected");
297  /* assume the connection is broken */
298  result_errno = ECONNRESET;
299  n = -1;
300  }
301  break;
302  case SSL_ERROR_SSL:
303  {
304  char *errm = SSLerrmessage(ecode);
305 
306  libpq_append_conn_error(conn, "SSL error: %s", errm);
307  SSLerrfree(errm);
308  /* assume the connection is broken */
309  result_errno = ECONNRESET;
310  n = -1;
311  break;
312  }
313  case SSL_ERROR_ZERO_RETURN:
314 
315  /*
316  * Per OpenSSL documentation, this error code is only returned for
317  * a clean connection closure, so we should not report it as a
318  * server crash.
319  */
320  libpq_append_conn_error(conn, "SSL connection has been closed unexpectedly");
321  result_errno = ECONNRESET;
322  n = -1;
323  break;
324  default:
325  libpq_append_conn_error(conn, "unrecognized SSL error code: %d", err);
326  /* assume the connection is broken */
327  result_errno = ECONNRESET;
328  n = -1;
329  break;
330  }
331 
332  /* ensure we return the intended errno to caller */
333  SOCK_ERRNO_SET(result_errno);
334 
335  return n;
336 }

References appendPQExpBufferStr(), conn, ECONNRESET, err(), pg_conn::errorMessage, len, libpq_append_conn_error(), PG_STRERROR_R_BUFLEN, SOCK_ERRNO, SOCK_ERRNO_SET, SOCK_STRERROR, SSLerrfree(), and SSLerrmessage().

Referenced by pqsecure_write().

◆ PQdefaultSSLKeyPassHook_OpenSSL()

int PQdefaultSSLKeyPassHook_OpenSSL ( char *  buf,
int  size,
PGconn conn 
)

Definition at line 1842 of file fe-secure-openssl.c.

1843 {
1844  if (conn && conn->sslpassword)
1845  {
1846  if (strlen(conn->sslpassword) + 1 > size)
1847  fprintf(stderr, libpq_gettext("WARNING: sslpassword truncated\n"));
1848  strncpy(buf, conn->sslpassword, size);
1849  buf[size - 1] = '\0';
1850  return strlen(buf);
1851  }
1852  else
1853  {
1854  buf[0] = '\0';
1855  return 0;
1856  }
1857 }
#define libpq_gettext(x)
Definition: libpq-int.h:906
#define fprintf
Definition: port.h:242

References buf, conn, fprintf, libpq_gettext, size, and pg_conn::sslpassword.

Referenced by PQssl_passwd_cb().

◆ PQgetssl()

void* PQgetssl ( PGconn conn)

Definition at line 1564 of file fe-secure-openssl.c.

1565 {
1566  if (!conn)
1567  return NULL;
1568  return conn->ssl;
1569 }

References conn.

◆ PQgetSSLKeyPassHook_OpenSSL()

PQsslKeyPassHook_OpenSSL_type PQgetSSLKeyPassHook_OpenSSL ( void  )

Definition at line 1860 of file fe-secure-openssl.c.

1861 {
1862  return PQsslKeyPassHook;
1863 }

References PQsslKeyPassHook.

◆ PQsetSSLKeyPassHook_OpenSSL()

void PQsetSSLKeyPassHook_OpenSSL ( PQsslKeyPassHook_OpenSSL_type  hook)

Definition at line 1866 of file fe-secure-openssl.c.

1867 {
1868  PQsslKeyPassHook = hook;
1869 }

References PQsslKeyPassHook.

◆ PQssl_passwd_cb()

static int PQssl_passwd_cb ( char *  buf,
int  size,
int  rwflag,
void *  userdata 
)
static

Definition at line 1877 of file fe-secure-openssl.c.

1878 {
1879  PGconn *conn = userdata;
1880 
1881  if (PQsslKeyPassHook)
1882  return PQsslKeyPassHook(buf, size, conn);
1883  else
1885 }
int PQdefaultSSLKeyPassHook_OpenSSL(char *buf, int size, PGconn *conn)

References buf, conn, PQdefaultSSLKeyPassHook_OpenSSL(), PQsslKeyPassHook, and size.

Referenced by initialize_SSL().

◆ PQsslAttribute()

const char* PQsslAttribute ( PGconn conn,
const char *  attribute_name 
)

Definition at line 1609 of file fe-secure-openssl.c.

1610 {
1611  if (!conn)
1612  {
1613  /* PQsslAttribute(NULL, "library") reports the default SSL library */
1614  if (strcmp(attribute_name, "library") == 0)
1615  return "OpenSSL";
1616  return NULL;
1617  }
1618 
1619  /* All attributes read as NULL for a non-encrypted connection */
1620  if (conn->ssl == NULL)
1621  return NULL;
1622 
1623  if (strcmp(attribute_name, "library") == 0)
1624  return "OpenSSL";
1625 
1626  if (strcmp(attribute_name, "key_bits") == 0)
1627  {
1628  static char sslbits_str[12];
1629  int sslbits;
1630 
1631  SSL_get_cipher_bits(conn->ssl, &sslbits);
1632  snprintf(sslbits_str, sizeof(sslbits_str), "%d", sslbits);
1633  return sslbits_str;
1634  }
1635 
1636  if (strcmp(attribute_name, "cipher") == 0)
1637  return SSL_get_cipher(conn->ssl);
1638 
1639  if (strcmp(attribute_name, "compression") == 0)
1640  return SSL_get_current_compression(conn->ssl) ? "on" : "off";
1641 
1642  if (strcmp(attribute_name, "protocol") == 0)
1643  return SSL_get_version(conn->ssl);
1644 
1645  if (strcmp(attribute_name, "alpn") == 0)
1646  {
1647  const unsigned char *data;
1648  unsigned int len;
1649  static char alpn_str[256]; /* alpn doesn't support longer than 255
1650  * bytes */
1651 
1652  SSL_get0_alpn_selected(conn->ssl, &data, &len);
1653  if (data == NULL || len == 0 || len > sizeof(alpn_str) - 1)
1654  return "";
1655  memcpy(alpn_str, data, len);
1656  alpn_str[len] = 0;
1657  return alpn_str;
1658  }
1659 
1660  return NULL; /* unknown attribute */
1661 }
const void * data

References conn, data, len, and snprintf.

Referenced by print_ssl_library(), and printSSLInfo().

◆ PQsslAttributeNames()

const char* const* PQsslAttributeNames ( PGconn conn)

Definition at line 1582 of file fe-secure-openssl.c.

1583 {
1584  static const char *const openssl_attrs[] = {
1585  "library",
1586  "key_bits",
1587  "cipher",
1588  "compression",
1589  "protocol",
1590  "alpn",
1591  NULL
1592  };
1593  static const char *const empty_attrs[] = {NULL};
1594 
1595  if (!conn)
1596  {
1597  /* Return attributes of default SSL library */
1598  return openssl_attrs;
1599  }
1600 
1601  /* No attrs for unencrypted connection */
1602  if (conn->ssl == NULL)
1603  return empty_attrs;
1604 
1605  return openssl_attrs;
1606 }

References conn.

◆ PQsslStruct()

void* PQsslStruct ( PGconn conn,
const char *  struct_name 
)

Definition at line 1572 of file fe-secure-openssl.c.

1573 {
1574  if (!conn)
1575  return NULL;
1576  if (strcmp(struct_name, "OpenSSL") == 0)
1577  return conn->ssl;
1578  return NULL;
1579 }

References conn.

◆ ssl_protocol_version_to_openssl()

static int ssl_protocol_version_to_openssl ( const char *  protocol)
static

Definition at line 1898 of file fe-secure-openssl.c.

1899 {
1900  if (pg_strcasecmp("TLSv1", protocol) == 0)
1901  return TLS1_VERSION;
1902 
1903 #ifdef TLS1_1_VERSION
1904  if (pg_strcasecmp("TLSv1.1", protocol) == 0)
1905  return TLS1_1_VERSION;
1906 #endif
1907 
1908 #ifdef TLS1_2_VERSION
1909  if (pg_strcasecmp("TLSv1.2", protocol) == 0)
1910  return TLS1_2_VERSION;
1911 #endif
1912 
1913 #ifdef TLS1_3_VERSION
1914  if (pg_strcasecmp("TLSv1.3", protocol) == 0)
1915  return TLS1_3_VERSION;
1916 #endif
1917 
1918  return -1;
1919 }
int pg_strcasecmp(const char *s1, const char *s2)
Definition: pgstrcasecmp.c:36

References pg_strcasecmp().

Referenced by initialize_SSL().

◆ ssl_set_pgconn_bio()

static int ssl_set_pgconn_bio ( PGconn conn)
static

Definition at line 1816 of file fe-secure-openssl.c.

1817 {
1818  BIO *bio;
1819  BIO_METHOD *bio_method;
1820 
1821  bio_method = pgconn_bio_method();
1822  if (bio_method == NULL)
1823  return 0;
1824 
1825  bio = BIO_new(bio_method);
1826  if (bio == NULL)
1827  return 0;
1828 
1829  BIO_set_data(bio, conn);
1830  BIO_set_init(bio, 1);
1831 
1832  SSL_set_bio(conn->ssl, bio, bio);
1833  return 1;
1834 }
static BIO_METHOD * pgconn_bio_method(void)

References conn, and pgconn_bio_method().

Referenced by initialize_SSL().

◆ SSLerrfree()

static void SSLerrfree ( char *  buf)
static

Definition at line 1550 of file fe-secure-openssl.c.

1551 {
1552  if (buf != ssl_nomem)
1553  free(buf);
1554 }
static char ssl_nomem[]

References buf, free, and ssl_nomem.

Referenced by initialize_SSL(), open_client_SSL(), pgtls_read(), and pgtls_write().

◆ SSLerrmessage()

static char * SSLerrmessage ( unsigned long  ecode)
static

Definition at line 1492 of file fe-secure-openssl.c.

1493 {
1494  const char *errreason;
1495  char *errbuf;
1496 
1497  errbuf = malloc(SSL_ERR_LEN);
1498  if (!errbuf)
1499  return ssl_nomem;
1500  if (ecode == 0)
1501  {
1502  snprintf(errbuf, SSL_ERR_LEN, libpq_gettext("no SSL error reported"));
1503  return errbuf;
1504  }
1505  errreason = ERR_reason_error_string(ecode);
1506  if (errreason != NULL)
1507  {
1508  strlcpy(errbuf, errreason, SSL_ERR_LEN);
1509  return errbuf;
1510  }
1511 
1512  /*
1513  * Server aborted the connection with TLS "no_application_protocol" alert.
1514  * The ERR_reason_error_string() function doesn't give any error string
1515  * for that for some reason, so do it ourselves. See
1516  * https://github.com/openssl/openssl/issues/24300. This is available in
1517  * OpenSSL 1.1.0 and later, as well as in LibreSSL 3.4.3 (OpenBSD 7.0) and
1518  * later.
1519  */
1520 #ifdef SSL_AD_NO_APPLICATION_PROTOCOL
1521  if (ERR_GET_LIB(ecode) == ERR_LIB_SSL &&
1522  ERR_GET_REASON(ecode) == SSL_AD_REASON_OFFSET + SSL_AD_NO_APPLICATION_PROTOCOL)
1523  {
1524  snprintf(errbuf, SSL_ERR_LEN, "no application protocol");
1525  return errbuf;
1526  }
1527 #endif
1528 
1529  /*
1530  * In OpenSSL 3.0.0 and later, ERR_reason_error_string does not map system
1531  * errno values anymore. (See OpenSSL source code for the explanation.)
1532  * We can cover that shortcoming with this bit of code. Older OpenSSL
1533  * versions don't have the ERR_SYSTEM_ERROR macro, but that's okay because
1534  * they don't have the shortcoming either.
1535  */
1536 #ifdef ERR_SYSTEM_ERROR
1537  if (ERR_SYSTEM_ERROR(ecode))
1538  {
1539  strerror_r(ERR_GET_REASON(ecode), errbuf, SSL_ERR_LEN);
1540  return errbuf;
1541  }
1542 #endif
1543 
1544  /* No choice but to report the numeric ecode */
1545  snprintf(errbuf, SSL_ERR_LEN, libpq_gettext("SSL error code %lu"), ecode);
1546  return errbuf;
1547 }
#define SSL_ERR_LEN

References libpq_gettext, malloc, snprintf, SSL_ERR_LEN, ssl_nomem, strerror_r, and strlcpy().

Referenced by initialize_SSL(), open_client_SSL(), pgtls_read(), and pgtls_write().

◆ verify_cb()

static int verify_cb ( int  ok,
X509_STORE_CTX *  ctx 
)
static

Definition at line 429 of file fe-secure-openssl.c.

430 {
431  return ok;
432 }

Referenced by initialize_SSL().

Variable Documentation

◆ alpn_protos

unsigned char alpn_protos[] = PG_ALPN_PROTOCOL_VECTOR
static

Definition at line 685 of file fe-secure-openssl.c.

Referenced by initialize_SSL().

◆ pgconn_bio_method_ptr

BIO_METHOD* pgconn_bio_method_ptr
static

Definition at line 1673 of file fe-secure-openssl.c.

Referenced by pgconn_bio_method().

◆ PQsslKeyPassHook

◆ ssl_config_mutex

pthread_mutex_t ssl_config_mutex = PTHREAD_MUTEX_INITIALIZER
static

Definition at line 85 of file fe-secure-openssl.c.

Referenced by pgconn_bio_method().

◆ ssl_nomem

char ssl_nomem[] = "out of memory allocating error description"
static

Definition at line 1487 of file fe-secure-openssl.c.

Referenced by SSLerrfree(), and SSLerrmessage().