PostgreSQL Source Code  git master
Macros | Functions | Variables
fe-secure-openssl.c File Reference
#include "postgres_fe.h"
#include <signal.h>
#include <fcntl.h>
#include <ctype.h>
#include "libpq-fe.h"
#include "fe-auth.h"
#include "fe-secure-common.h"
#include "libpq-int.h"
#include <sys/socket.h>
#include <unistd.h>
#include <netdb.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <arpa/inet.h>
#include <sys/stat.h>
#include "common/openssl.h"
#include <openssl/conf.h>
#include <openssl/x509v3.h>
Include dependency graph for fe-secure-openssl.c:

Go to the source code of this file.

Macros

#define SSL_ERR_LEN   128
 
#define BIO_get_data(bio)   (bio->ptr)
 
#define BIO_set_data(bio, data)   (bio->ptr = data)
 

Functions

static int verify_cb (int ok, X509_STORE_CTX *ctx)
 
static int openssl_verify_peer_name_matches_certificate_name (PGconn *conn, ASN1_STRING *name_entry, char **store_name)
 
static int openssl_verify_peer_name_matches_certificate_ip (PGconn *conn, ASN1_OCTET_STRING *addr_entry, char **store_name)
 
static void destroy_ssl_system (void)
 
static int initialize_SSL (PGconn *conn)
 
static PostgresPollingStatusType open_client_SSL (PGconn *conn)
 
static char * SSLerrmessage (unsigned long ecode)
 
static void SSLerrfree (char *buf)
 
static int PQssl_passwd_cb (char *buf, int size, int rwflag, void *userdata)
 
static int my_sock_read (BIO *h, char *buf, int size)
 
static int my_sock_write (BIO *h, const char *buf, int size)
 
static BIO_METHOD * my_BIO_s_socket (void)
 
static int my_SSL_set_fd (PGconn *conn, int fd)
 
static int ssl_protocol_version_to_openssl (const char *protocol)
 
void pgtls_init_library (bool do_ssl, int do_crypto)
 
PostgresPollingStatusType pgtls_open_client (PGconn *conn)
 
ssize_t pgtls_read (PGconn *conn, void *ptr, size_t len)
 
bool pgtls_read_pending (PGconn *conn)
 
ssize_t pgtls_write (PGconn *conn, const void *ptr, size_t len)
 
static bool is_ip_address (const char *host)
 
int pgtls_verify_peer_name_matches_certificate_guts (PGconn *conn, int *names_examined, char **first_name)
 
int pgtls_init (PGconn *conn, bool do_ssl, bool do_crypto)
 
void pgtls_close (PGconn *conn)
 
void * PQgetssl (PGconn *conn)
 
void * PQsslStruct (PGconn *conn, const char *struct_name)
 
const char *const * PQsslAttributeNames (PGconn *conn)
 
const char * PQsslAttribute (PGconn *conn, const char *attribute_name)
 
int PQdefaultSSLKeyPassHook_OpenSSL (char *buf, int size, PGconn *conn)
 
PQsslKeyPassHook_OpenSSL_type PQgetSSLKeyPassHook_OpenSSL (void)
 
void PQsetSSLKeyPassHook_OpenSSL (PQsslKeyPassHook_OpenSSL_type hook)
 

Variables

static bool pq_init_ssl_lib = true
 
static bool pq_init_crypto_lib = true
 
static bool ssl_lib_initialized = false
 
static PQsslKeyPassHook_OpenSSL_type PQsslKeyPassHook = NULL
 
static char ssl_nomem [] = "out of memory allocating error description"
 
static BIO_METHOD * my_bio_methods
 

Macro Definition Documentation

◆ BIO_get_data

#define BIO_get_data (   bio)    (bio->ptr)

Definition at line 1795 of file fe-secure-openssl.c.

◆ BIO_set_data

#define BIO_set_data (   bio,
  data 
)    (bio->ptr = data)

Definition at line 1796 of file fe-secure-openssl.c.

◆ SSL_ERR_LEN

#define SSL_ERR_LEN   128

Definition at line 1659 of file fe-secure-openssl.c.

Function Documentation

◆ destroy_ssl_system()

static void destroy_ssl_system ( void  )
static

Definition at line 881 of file fe-secure-openssl.c.

882 {
883 #if defined(ENABLE_THREAD_SAFETY) && defined(HAVE_CRYPTO_LOCK)
884  /* Mutex is created in pgtls_init() */
885  if (pthread_mutex_lock(&ssl_config_mutex))
886  return;
887 
888  if (pq_init_crypto_lib && crypto_open_connections > 0)
889  --crypto_open_connections;
890 
891  if (pq_init_crypto_lib && crypto_open_connections == 0)
892  {
893  /*
894  * No connections left, unregister libcrypto callbacks, if no one
895  * registered different ones in the meantime.
896  */
897  if (CRYPTO_get_locking_callback() == pq_lockingcallback)
898  CRYPTO_set_locking_callback(NULL);
899  if (CRYPTO_get_id_callback() == pq_threadidcallback)
900  CRYPTO_set_id_callback(NULL);
901 
902  /*
903  * We don't free the lock array. If we get another connection in this
904  * process, we will just re-use them with the existing mutexes.
905  *
906  * This means we leak a little memory on repeated load/unload of the
907  * library.
908  */
909  }
910 
911  pthread_mutex_unlock(&ssl_config_mutex);
912 #endif
913 }
pq_init_crypto_lib
static bool pq_init_crypto_lib
Definition: fe-secure-openssl.c:90
pthread_mutex_unlock
int pthread_mutex_unlock(pthread_mutex_t *mp)
Definition: pthread-win32.c:54
pthread_mutex_lock
int pthread_mutex_lock(pthread_mutex_t *mp)
Definition: pthread-win32.c:45

References pq_init_crypto_lib, pthread_mutex_lock(), and pthread_mutex_unlock().

Referenced by pgtls_close().

◆ initialize_SSL()

static int initialize_SSL ( PGconn conn)
static

Definition at line 922 of file fe-secure-openssl.c.

923 {
924  SSL_CTX *SSL_context;
925  struct stat buf;
926  char homedir[MAXPGPATH];
927  char fnbuf[MAXPGPATH];
928  char sebuf[PG_STRERROR_R_BUFLEN];
929  bool have_homedir;
930  bool have_cert;
931  bool have_rootcert;
932  EVP_PKEY *pkey = NULL;
933 
934  /*
935  * We'll need the home directory if any of the relevant parameters are
936  * defaulted. If pqGetHomeDirectory fails, act as though none of the
937  * files could be found.
938  */
939  if (!(conn->sslcert && strlen(conn->sslcert) > 0) ||
940  !(conn->sslkey && strlen(conn->sslkey) > 0) ||
941  !(conn->sslrootcert && strlen(conn->sslrootcert) > 0) ||
942  !((conn->sslcrl && strlen(conn->sslcrl) > 0) ||
943  (conn->sslcrldir && strlen(conn->sslcrldir) > 0)))
944  have_homedir = pqGetHomeDirectory(homedir, sizeof(homedir));
945  else /* won't need it */
946  have_homedir = false;
947 
948  /*
949  * Create a new SSL_CTX object.
950  *
951  * We used to share a single SSL_CTX between all connections, but it was
952  * complicated if connections used different certificates. So now we
953  * create a separate context for each connection, and accept the overhead.
954  */
955  SSL_context = SSL_CTX_new(SSLv23_method());
956  if (!SSL_context)
957  {
958  char *err = SSLerrmessage(ERR_get_error());
959 
960  libpq_append_conn_error(conn, "could not create SSL context: %s", err);
961  SSLerrfree(err);
962  return -1;
963  }
964 
965  /*
966  * Delegate the client cert password prompt to the libpq wrapper callback
967  * if any is defined.
968  *
969  * If the application hasn't installed its own and the sslpassword
970  * parameter is non-null, we install ours now to make sure we supply
971  * PGconn->sslpassword to OpenSSL instead of letting it prompt on stdin.
972  *
973  * This will replace OpenSSL's default PEM_def_callback (which prompts on
974  * stdin), but we're only setting it for this SSL context so it's
975  * harmless.
976  */
977  if (PQsslKeyPassHook
978  || (conn->sslpassword && strlen(conn->sslpassword) > 0))
979  {
980  SSL_CTX_set_default_passwd_cb(SSL_context, PQssl_passwd_cb);
981  SSL_CTX_set_default_passwd_cb_userdata(SSL_context, conn);
982  }
983 
984 #ifdef HAVE_SSL_CTX_SET_CERT_CB
985  /* Set up a certificate selection callback. */
986  SSL_CTX_set_cert_cb(SSL_context, cert_cb, conn);
987 #endif
988 
989  /* Disable old protocol versions */
990  SSL_CTX_set_options(SSL_context, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
991 
992  /* Set the minimum and maximum protocol versions if necessary */
993  if (conn->ssl_min_protocol_version &&
994  strlen(conn->ssl_min_protocol_version) != 0)
995  {
996  int ssl_min_ver;
997 
998  ssl_min_ver = ssl_protocol_version_to_openssl(conn->ssl_min_protocol_version);
999 
1000  if (ssl_min_ver == -1)
1001  {
1002  libpq_append_conn_error(conn, "invalid value \"%s\" for minimum SSL protocol version",
1003  conn->ssl_min_protocol_version);
1004  SSL_CTX_free(SSL_context);
1005  return -1;
1006  }
1007 
1008  if (!SSL_CTX_set_min_proto_version(SSL_context, ssl_min_ver))
1009  {
1010  char *err = SSLerrmessage(ERR_get_error());
1011 
1012  libpq_append_conn_error(conn, "could not set minimum SSL protocol version: %s", err);
1013  SSLerrfree(err);
1014  SSL_CTX_free(SSL_context);
1015  return -1;
1016  }
1017  }
1018 
1019  if (conn->ssl_max_protocol_version &&
1020  strlen(conn->ssl_max_protocol_version) != 0)
1021  {
1022  int ssl_max_ver;
1023 
1024  ssl_max_ver = ssl_protocol_version_to_openssl(conn->ssl_max_protocol_version);
1025 
1026  if (ssl_max_ver == -1)
1027  {
1028  libpq_append_conn_error(conn, "invalid value \"%s\" for maximum SSL protocol version",
1029  conn->ssl_max_protocol_version);
1030  SSL_CTX_free(SSL_context);
1031  return -1;
1032  }
1033 
1034  if (!SSL_CTX_set_max_proto_version(SSL_context, ssl_max_ver))
1035  {
1036  char *err = SSLerrmessage(ERR_get_error());
1037 
1038  libpq_append_conn_error(conn, "could not set maximum SSL protocol version: %s", err);
1039  SSLerrfree(err);
1040  SSL_CTX_free(SSL_context);
1041  return -1;
1042  }
1043  }
1044 
1045  /*
1046  * Disable OpenSSL's moving-write-buffer sanity check, because it causes
1047  * unnecessary failures in nonblocking send cases.
1048  */
1049  SSL_CTX_set_mode(SSL_context, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
1050 
1051  /*
1052  * If the root cert file exists, load it so we can perform certificate
1053  * verification. If sslmode is "verify-full" we will also do further
1054  * verification after the connection has been completed.
1055  */
1056  if (conn->sslrootcert && strlen(conn->sslrootcert) > 0)
1057  strlcpy(fnbuf, conn->sslrootcert, sizeof(fnbuf));
1058  else if (have_homedir)
1059  snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, ROOT_CERT_FILE);
1060  else
1061  fnbuf[0] = '\0';
1062 
1063  if (fnbuf[0] != '\0' &&
1064  stat(fnbuf, &buf) == 0)
1065  {
1066  X509_STORE *cvstore;
1067 
1068  if (SSL_CTX_load_verify_locations(SSL_context, fnbuf, NULL) != 1)
1069  {
1070  char *err = SSLerrmessage(ERR_get_error());
1071 
1072  libpq_append_conn_error(conn, "could not read root certificate file \"%s\": %s",
1073  fnbuf, err);
1074  SSLerrfree(err);
1075  SSL_CTX_free(SSL_context);
1076  return -1;
1077  }
1078 
1079  if ((cvstore = SSL_CTX_get_cert_store(SSL_context)) != NULL)
1080  {
1081  char *fname = NULL;
1082  char *dname = NULL;
1083 
1084  if (conn->sslcrl && strlen(conn->sslcrl) > 0)
1085  fname = conn->sslcrl;
1086  if (conn->sslcrldir && strlen(conn->sslcrldir) > 0)
1087  dname = conn->sslcrldir;
1088 
1089  /* defaults to use the default CRL file */
1090  if (!fname && !dname && have_homedir)
1091  {
1092  snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, ROOT_CRL_FILE);
1093  fname = fnbuf;
1094  }
1095 
1096  /* Set the flags to check against the complete CRL chain */
1097  if ((fname || dname) &&
1098  X509_STORE_load_locations(cvstore, fname, dname) == 1)
1099  {
1100  X509_STORE_set_flags(cvstore,
1101  X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
1102  }
1103 
1104  /* if not found, silently ignore; we do not require CRL */
1105  ERR_clear_error();
1106  }
1107  have_rootcert = true;
1108  }
1109  else
1110  {
1111  /*
1112  * stat() failed; assume root file doesn't exist. If sslmode is
1113  * verify-ca or verify-full, this is an error. Otherwise, continue
1114  * without performing any server cert verification.
1115  */
1116  if (conn->sslmode[0] == 'v') /* "verify-ca" or "verify-full" */
1117  {
1118  /*
1119  * The only way to reach here with an empty filename is if
1120  * pqGetHomeDirectory failed. That's a sufficiently unusual case
1121  * that it seems worth having a specialized error message for it.
1122  */
1123  if (fnbuf[0] == '\0')
1124  libpq_append_conn_error(conn, "could not get home directory to locate root certificate file\n"
1125  "Either provide the file or change sslmode to disable server certificate verification.");
1126  else
1127  libpq_append_conn_error(conn, "root certificate file \"%s\" does not exist\n"
1128  "Either provide the file or change sslmode to disable server certificate verification.", fnbuf);
1129  SSL_CTX_free(SSL_context);
1130  return -1;
1131  }
1132  have_rootcert = false;
1133  }
1134 
1135  /* Read the client certificate file */
1136  if (conn->sslcert && strlen(conn->sslcert) > 0)
1137  strlcpy(fnbuf, conn->sslcert, sizeof(fnbuf));
1138  else if (have_homedir)
1139  snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, USER_CERT_FILE);
1140  else
1141  fnbuf[0] = '\0';
1142 
1143  if (conn->sslcertmode[0] == 'd') /* disable */
1144  {
1145  /* don't send a client cert even if we have one */
1146  have_cert = false;
1147  }
1148  else if (fnbuf[0] == '\0')
1149  {
1150  /* no home directory, proceed without a client cert */
1151  have_cert = false;
1152  }
1153  else if (stat(fnbuf, &buf) != 0)
1154  {
1155  /*
1156  * If file is not present, just go on without a client cert; server
1157  * might or might not accept the connection. Any other error,
1158  * however, is grounds for complaint.
1159  */
1160  if (errno != ENOENT && errno != ENOTDIR)
1161  {
1162  libpq_append_conn_error(conn, "could not open certificate file \"%s\": %s",
1163  fnbuf, strerror_r(errno, sebuf, sizeof(sebuf)));
1164  SSL_CTX_free(SSL_context);
1165  return -1;
1166  }
1167  have_cert = false;
1168  }
1169  else
1170  {
1171  /*
1172  * Cert file exists, so load it. Since OpenSSL doesn't provide the
1173  * equivalent of "SSL_use_certificate_chain_file", we have to load it
1174  * into the SSL context, rather than the SSL object.
1175  */
1176  if (SSL_CTX_use_certificate_chain_file(SSL_context, fnbuf) != 1)
1177  {
1178  char *err = SSLerrmessage(ERR_get_error());
1179 
1180  libpq_append_conn_error(conn, "could not read certificate file \"%s\": %s",
1181  fnbuf, err);
1182  SSLerrfree(err);
1183  SSL_CTX_free(SSL_context);
1184  return -1;
1185  }
1186 
1187  /* need to load the associated private key, too */
1188  have_cert = true;
1189  }
1190 
1191  /*
1192  * The SSL context is now loaded with the correct root and client
1193  * certificates. Create a connection-specific SSL object. The private key
1194  * is loaded directly into the SSL object. (We could load the private key
1195  * into the context, too, but we have done it this way historically, and
1196  * it doesn't really matter.)
1197  */
1198  if (!(conn->ssl = SSL_new(SSL_context)) ||
1199  !SSL_set_app_data(conn->ssl, conn) ||
1200  !my_SSL_set_fd(conn, conn->sock))
1201  {
1202  char *err = SSLerrmessage(ERR_get_error());
1203 
1204  libpq_append_conn_error(conn, "could not establish SSL connection: %s", err);
1205  SSLerrfree(err);
1206  SSL_CTX_free(SSL_context);
1207  return -1;
1208  }
1209  conn->ssl_in_use = true;
1210 
1211  /*
1212  * SSL contexts are reference counted by OpenSSL. We can free it as soon
1213  * as we have created the SSL object, and it will stick around for as long
1214  * as it's actually needed.
1215  */
1216  SSL_CTX_free(SSL_context);
1217  SSL_context = NULL;
1218 
1219  /*
1220  * Set Server Name Indication (SNI), if enabled by connection parameters.
1221  * Per RFC 6066, do not set it if the host is a literal IP address (IPv4
1222  * or IPv6).
1223  */
1224  if (conn->sslsni && conn->sslsni[0] == '1')
1225  {
1226  const char *host = conn->connhost[conn->whichhost].host;
1227 
1228  if (host && host[0] &&
1229  !(strspn(host, "0123456789.") == strlen(host) ||
1230  strchr(host, ':')))
1231  {
1232  if (SSL_set_tlsext_host_name(conn->ssl, host) != 1)
1233  {
1234  char *err = SSLerrmessage(ERR_get_error());
1235 
1236  libpq_append_conn_error(conn, "could not set SSL Server Name Indication (SNI): %s", err);
1237  SSLerrfree(err);
1238  return -1;
1239  }
1240  }
1241  }
1242 
1243  /*
1244  * Read the SSL key. If a key is specified, treat it as an engine:key
1245  * combination if there is colon present - we don't support files with
1246  * colon in the name. The exception is if the second character is a colon,
1247  * in which case it can be a Windows filename with drive specification.
1248  */
1249  if (have_cert && conn->sslkey && strlen(conn->sslkey) > 0)
1250  {
1251 #ifdef USE_SSL_ENGINE
1252  if (strchr(conn->sslkey, ':')
1253 #ifdef WIN32
1254  && conn->sslkey[1] != ':'
1255 #endif
1256  )
1257  {
1258  /* Colon, but not in second character, treat as engine:key */
1259  char *engine_str = strdup(conn->sslkey);
1260  char *engine_colon;
1261 
1262  if (engine_str == NULL)
1263  {
1264  libpq_append_conn_error(conn, "out of memory");
1265  return -1;
1266  }
1267 
1268  /* cannot return NULL because we already checked before strdup */
1269  engine_colon = strchr(engine_str, ':');
1270 
1271  *engine_colon = '\0'; /* engine_str now has engine name */
1272  engine_colon++; /* engine_colon now has key name */
1273 
1274  conn->engine = ENGINE_by_id(engine_str);
1275  if (conn->engine == NULL)
1276  {
1277  char *err = SSLerrmessage(ERR_get_error());
1278 
1279  libpq_append_conn_error(conn, "could not load SSL engine \"%s\": %s",
1280  engine_str, err);
1281  SSLerrfree(err);
1282  free(engine_str);
1283  return -1;
1284  }
1285 
1286  if (ENGINE_init(conn->engine) == 0)
1287  {
1288  char *err = SSLerrmessage(ERR_get_error());
1289 
1290  libpq_append_conn_error(conn, "could not initialize SSL engine \"%s\": %s",
1291  engine_str, err);
1292  SSLerrfree(err);
1293  ENGINE_free(conn->engine);
1294  conn->engine = NULL;
1295  free(engine_str);
1296  return -1;
1297  }
1298 
1299  pkey = ENGINE_load_private_key(conn->engine, engine_colon,
1300  NULL, NULL);
1301  if (pkey == NULL)
1302  {
1303  char *err = SSLerrmessage(ERR_get_error());
1304 
1305  libpq_append_conn_error(conn, "could not read private SSL key \"%s\" from engine \"%s\": %s",
1306  engine_colon, engine_str, err);
1307  SSLerrfree(err);
1308  ENGINE_finish(conn->engine);
1309  ENGINE_free(conn->engine);
1310  conn->engine = NULL;
1311  free(engine_str);
1312  return -1;
1313  }
1314  if (SSL_use_PrivateKey(conn->ssl, pkey) != 1)
1315  {
1316  char *err = SSLerrmessage(ERR_get_error());
1317 
1318  libpq_append_conn_error(conn, "could not load private SSL key \"%s\" from engine \"%s\": %s",
1319  engine_colon, engine_str, err);
1320  SSLerrfree(err);
1321  ENGINE_finish(conn->engine);
1322  ENGINE_free(conn->engine);
1323  conn->engine = NULL;
1324  free(engine_str);
1325  return -1;
1326  }
1327 
1328  free(engine_str);
1329 
1330  fnbuf[0] = '\0'; /* indicate we're not going to load from a
1331  * file */
1332  }
1333  else
1334 #endif /* USE_SSL_ENGINE */
1335  {
1336  /* PGSSLKEY is not an engine, treat it as a filename */
1337  strlcpy(fnbuf, conn->sslkey, sizeof(fnbuf));
1338  }
1339  }
1340  else if (have_homedir)
1341  {
1342  /* No PGSSLKEY specified, load default file */
1343  snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, USER_KEY_FILE);
1344  }
1345  else
1346  fnbuf[0] = '\0';
1347 
1348  if (have_cert && fnbuf[0] != '\0')
1349  {
1350  /* read the client key from file */
1351 
1352  if (stat(fnbuf, &buf) != 0)
1353  {
1354  if (errno == ENOENT)
1355  libpq_append_conn_error(conn, "certificate present, but not private key file \"%s\"",
1356  fnbuf);
1357  else
1358  libpq_append_conn_error(conn, "could not stat private key file \"%s\": %m",
1359  fnbuf);
1360  return -1;
1361  }
1362 
1363  /* Key file must be a regular file */
1364  if (!S_ISREG(buf.st_mode))
1365  {
1366  libpq_append_conn_error(conn, "private key file \"%s\" is not a regular file",
1367  fnbuf);
1368  return -1;
1369  }
1370 
1371  /*
1372  * Refuse to load world-readable key files. We accept root-owned
1373  * files with mode 0640 or less, so that we can access system-wide
1374  * certificates if we have a supplementary group membership that
1375  * allows us to read 'em. For files with non-root ownership, require
1376  * mode 0600 or less. We need not check the file's ownership exactly;
1377  * if we're able to read it despite it having such restrictive
1378  * permissions, it must have the right ownership.
1379  *
1380  * Note: be very careful about tightening these rules. Some people
1381  * expect, for example, that a client process running as root should
1382  * be able to use a non-root-owned key file.
1383  *
1384  * Note that roughly similar checks are performed in
1385  * src/backend/libpq/be-secure-common.c so any changes here may need
1386  * to be made there as well. However, this code caters for the case
1387  * of current user == root, while that code does not.
1388  *
1389  * Ideally we would do similar permissions checks on Windows, but it
1390  * is not clear how that would work since Unix-style permissions may
1391  * not be available.
1392  */
1393 #if !defined(WIN32) && !defined(__CYGWIN__)
1394  if (buf.st_uid == 0 ?
1395  buf.st_mode & (S_IWGRP | S_IXGRP | S_IRWXO) :
1396  buf.st_mode & (S_IRWXG | S_IRWXO))
1397  {
1398  libpq_append_conn_error(conn,
1399  "private key file \"%s\" has group or world access; file must have permissions u=rw (0600) or less if owned by the current user, or permissions u=rw,g=r (0640) or less if owned by root",
1400  fnbuf);
1401  return -1;
1402  }
1403 #endif
1404 
1405  if (SSL_use_PrivateKey_file(conn->ssl, fnbuf, SSL_FILETYPE_PEM) != 1)
1406  {
1407  char *err = SSLerrmessage(ERR_get_error());
1408 
1409  /*
1410  * We'll try to load the file in DER (binary ASN.1) format, and if
1411  * that fails too, report the original error. This could mask
1412  * issues where there's something wrong with a DER-format cert,
1413  * but we'd have to duplicate openssl's format detection to be
1414  * smarter than this. We can't just probe for a leading -----BEGIN
1415  * because PEM can have leading non-matching lines and blanks.
1416  * OpenSSL doesn't expose its get_name(...) and its PEM routines
1417  * don't differentiate between failure modes in enough detail to
1418  * let us tell the difference between "not PEM, try DER" and
1419  * "wrong password".
1420  */
1421  if (SSL_use_PrivateKey_file(conn->ssl, fnbuf, SSL_FILETYPE_ASN1) != 1)
1422  {
1423  libpq_append_conn_error(conn, "could not load private key file \"%s\": %s",
1424  fnbuf, err);
1425  SSLerrfree(err);
1426  return -1;
1427  }
1428 
1429  SSLerrfree(err);
1430  }
1431  }
1432 
1433  /* verify that the cert and key go together */
1434  if (have_cert &&
1435  SSL_check_private_key(conn->ssl) != 1)
1436  {
1437  char *err = SSLerrmessage(ERR_get_error());
1438 
1439  libpq_append_conn_error(conn, "certificate does not match private key file \"%s\": %s",
1440  fnbuf, err);
1441  SSLerrfree(err);
1442  return -1;
1443  }
1444 
1445  /*
1446  * If a root cert was loaded, also set our certificate verification
1447  * callback.
1448  */
1449  if (have_rootcert)
1450  SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, verify_cb);
1451 
1452  /*
1453  * Set compression option if necessary.
1454  */
1455  if (conn->sslcompression && conn->sslcompression[0] == '0')
1456  SSL_set_options(conn->ssl, SSL_OP_NO_COMPRESSION);
1457  else
1458  SSL_clear_options(conn->ssl, SSL_OP_NO_COMPRESSION);
1459 
1460  return 0;
1461 }
SSL_context
static SSL_CTX * SSL_context
Definition: be-secure-openssl.c:76
err
void err(int eval, const char *fmt,...)
Definition: err.c:43
pqGetHomeDirectory
bool pqGetHomeDirectory(char *buf, int bufsize)
Definition: fe-connect.c:7517
libpq_append_conn_error
void libpq_append_conn_error(PGconn *conn, const char *fmt,...)
Definition: fe-misc.c:1312
ssl_protocol_version_to_openssl
static int ssl_protocol_version_to_openssl(const char *protocol)
Definition: fe-secure-openssl.c:1998
my_SSL_set_fd
static int my_SSL_set_fd(PGconn *conn, int fd)
Definition: fe-secure-openssl.c:1909
SSLerrfree
static void SSLerrfree(char *buf)
Definition: fe-secure-openssl.c:1686
PQsslKeyPassHook
static PQsslKeyPassHook_OpenSSL_type PQsslKeyPassHook
Definition: fe-secure-openssl.c:105
verify_cb
static int verify_cb(int ok, X509_STORE_CTX *ctx)
Definition: fe-secure-openssl.c:460
PQssl_passwd_cb
static int PQssl_passwd_cb(char *buf, int size, int rwflag, void *userdata)
Definition: fe-secure-openssl.c:1977
SSLerrmessage
static char * SSLerrmessage(unsigned long ecode)
Definition: fe-secure-openssl.c:1662
free
#define free(a)
Definition: header.h:65
MAXPGPATH
#define MAXPGPATH
Definition: pg_config_manual.h:115
buf
static char * buf
Definition: pg_test_fsync.c:67
PG_STRERROR_R_BUFLEN
#define PG_STRERROR_R_BUFLEN
Definition: port.h:256
snprintf
#define snprintf
Definition: port.h:238
strerror_r
#define strerror_r
Definition: port.h:255
strlcpy
size_t strlcpy(char *dst, const char *src, size_t siz)
Definition: strlcpy.c:45
SSL_CTX_set_max_proto_version
int SSL_CTX_set_max_proto_version(SSL_CTX *ctx, int version)
Definition: protocol_openssl.c:80
SSL_CTX_set_min_proto_version
int SSL_CTX_set_min_proto_version(SSL_CTX *ctx, int version)
Definition: protocol_openssl.c:41
conn
PGconn * conn
Definition: streamutil.c:54
pg_conn_host::host
char * host
Definition: libpq-int.h:338
pg_conn::sslrootcert
char * sslrootcert
Definition: libpq-int.h:388
pg_conn::sslcompression
char * sslcompression
Definition: libpq-int.h:383
pg_conn::sock
pgsocket sock
Definition: libpq-int.h:449
pg_conn::sslcrldir
char * sslcrldir
Definition: libpq-int.h:390
pg_conn::sslcrl
char * sslcrl
Definition: libpq-int.h:389
pg_conn::ssl_max_protocol_version
char * ssl_max_protocol_version
Definition: libpq-int.h:398
pg_conn::sslcert
char * sslcert
Definition: libpq-int.h:385
pg_conn::sslcertmode
char * sslcertmode
Definition: libpq-int.h:387
pg_conn::sslpassword
char * sslpassword
Definition: libpq-int.h:386
pg_conn::sslmode
char * sslmode
Definition: libpq-int.h:382
pg_conn::ssl_min_protocol_version
char * ssl_min_protocol_version
Definition: libpq-int.h:397
pg_conn::sslkey
char * sslkey
Definition: libpq-int.h:384
pg_conn::whichhost
int whichhost
Definition: libpq-int.h:431
pg_conn::sslsni
char * sslsni
Definition: libpq-int.h:391
pg_conn::connhost
pg_conn_host * connhost
Definition: libpq-int.h:432
pg_conn::ssl_in_use
bool ssl_in_use
Definition: libpq-int.h:531
S_IXGRP
#define S_IXGRP
Definition: win32_port.h:309
stat
#define stat
Definition: win32_port.h:286
S_IRWXG
#define S_IRWXG
Definition: win32_port.h:312
S_IRWXO
#define S_IRWXO
Definition: win32_port.h:324
S_ISREG
#define S_ISREG(m)
Definition: win32_port.h:330
S_IWGRP
#define S_IWGRP
Definition: win32_port.h:306

References buf, conn, pg_conn::connhost, err(), free, pg_conn_host::host, libpq_append_conn_error(), MAXPGPATH, my_SSL_set_fd(), PG_STRERROR_R_BUFLEN, pqGetHomeDirectory(), PQssl_passwd_cb(), PQsslKeyPassHook, S_IRWXG, S_IRWXO, S_ISREG, S_IWGRP, S_IXGRP, snprintf, pg_conn::sock, SSL_context, SSL_CTX_set_max_proto_version(), SSL_CTX_set_min_proto_version(), pg_conn::ssl_in_use, pg_conn::ssl_max_protocol_version, pg_conn::ssl_min_protocol_version, ssl_protocol_version_to_openssl(), pg_conn::sslcert, pg_conn::sslcertmode, pg_conn::sslcompression, pg_conn::sslcrl, pg_conn::sslcrldir, SSLerrfree(), SSLerrmessage(), pg_conn::sslkey, pg_conn::sslmode, pg_conn::sslpassword, pg_conn::sslrootcert, pg_conn::sslsni, stat, strerror_r, strlcpy(), verify_cb(), and pg_conn::whichhost.

Referenced by pgtls_open_client().

◆ is_ip_address()

static bool is_ip_address ( const char *  host)
static

Definition at line 562 of file fe-secure-openssl.c.

563 {
564  struct in_addr dummy4;
565 #ifdef HAVE_INET_PTON
566  struct in6_addr dummy6;
567 #endif
568 
569  return inet_aton(host, &dummy4)
570 #ifdef HAVE_INET_PTON
571  || (inet_pton(AF_INET6, host, &dummy6) == 1)
572 #endif
573  ;
574 }
inet_aton
int inet_aton(const char *cp, struct in_addr *addr)
Definition: inet_aton.c:56

References inet_aton().

Referenced by pgtls_verify_peer_name_matches_certificate_guts().

◆ my_BIO_s_socket()

static BIO_METHOD * my_BIO_s_socket ( void  )
static

Definition at line 1862 of file fe-secure-openssl.c.

1863 {
1864  if (!my_bio_methods)
1865  {
1866  BIO_METHOD *biom = (BIO_METHOD *) BIO_s_socket();
1867 #ifdef HAVE_BIO_METH_NEW
1868  int my_bio_index;
1869 
1870  my_bio_index = BIO_get_new_index();
1871  if (my_bio_index == -1)
1872  return NULL;
1873  my_bio_index |= (BIO_TYPE_DESCRIPTOR | BIO_TYPE_SOURCE_SINK);
1874  my_bio_methods = BIO_meth_new(my_bio_index, "libpq socket");
1875  if (!my_bio_methods)
1876  return NULL;
1877 
1878  /*
1879  * As of this writing, these functions never fail. But check anyway,
1880  * like OpenSSL's own examples do.
1881  */
1882  if (!BIO_meth_set_write(my_bio_methods, my_sock_write) ||
1883  !BIO_meth_set_read(my_bio_methods, my_sock_read) ||
1884  !BIO_meth_set_gets(my_bio_methods, BIO_meth_get_gets(biom)) ||
1885  !BIO_meth_set_puts(my_bio_methods, BIO_meth_get_puts(biom)) ||
1886  !BIO_meth_set_ctrl(my_bio_methods, BIO_meth_get_ctrl(biom)) ||
1887  !BIO_meth_set_create(my_bio_methods, BIO_meth_get_create(biom)) ||
1888  !BIO_meth_set_destroy(my_bio_methods, BIO_meth_get_destroy(biom)) ||
1889  !BIO_meth_set_callback_ctrl(my_bio_methods, BIO_meth_get_callback_ctrl(biom)))
1890  {
1891  BIO_meth_free(my_bio_methods);
1892  my_bio_methods = NULL;
1893  return NULL;
1894  }
1895 #else
1896  my_bio_methods = malloc(sizeof(BIO_METHOD));
1897  if (!my_bio_methods)
1898  return NULL;
1899  memcpy(my_bio_methods, biom, sizeof(BIO_METHOD));
1900  my_bio_methods->bread = my_sock_read;
1901  my_bio_methods->bwrite = my_sock_write;
1902 #endif
1903  }
1904  return my_bio_methods;
1905 }
my_bio_methods
static BIO_METHOD * my_bio_methods
Definition: fe-secure-openssl.c:1799
my_sock_write
static int my_sock_write(BIO *h, const char *buf, int size)
Definition: fe-secure-openssl.c:1832
my_sock_read
static int my_sock_read(BIO *h, char *buf, int size)
Definition: fe-secure-openssl.c:1802
malloc
#define malloc(a)
Definition: header.h:50

References malloc, my_bio_methods, my_sock_read(), and my_sock_write().

Referenced by my_SSL_set_fd().

◆ my_sock_read()

static int my_sock_read ( BIO *  h,
char *  buf,
int  size 
)
static

Definition at line 1802 of file fe-secure-openssl.c.

1803 {
1804  int res;
1805 
1806  res = pqsecure_raw_read((PGconn *) BIO_get_data(h), buf, size);
1807  BIO_clear_retry_flags(h);
1808  if (res < 0)
1809  {
1810  /* If we were interrupted, tell caller to retry */
1811  switch (SOCK_ERRNO)
1812  {
1813 #ifdef EAGAIN
1814  case EAGAIN:
1815 #endif
1816 #if defined(EWOULDBLOCK) && (!defined(EAGAIN) || (EWOULDBLOCK != EAGAIN))
1817  case EWOULDBLOCK:
1818 #endif
1819  case EINTR:
1820  BIO_set_retry_read(h);
1821  break;
1822 
1823  default:
1824  break;
1825  }
1826  }
1827 
1828  return res;
1829 }
BIO_get_data
#define BIO_get_data(bio)
Definition: fe-secure-openssl.c:1795
pqsecure_raw_read
ssize_t pqsecure_raw_read(PGconn *conn, void *ptr, size_t len)
Definition: fe-secure.c:230
SOCK_ERRNO
#define SOCK_ERRNO
Definition: libpq-int.h:916
pg_conn
Definition: libpq-int.h:351
EINTR
#define EINTR
Definition: win32_port.h:376
EWOULDBLOCK
#define EWOULDBLOCK
Definition: win32_port.h:382
EAGAIN
#define EAGAIN
Definition: win32_port.h:374

References BIO_get_data, buf, EAGAIN, EINTR, EWOULDBLOCK, pqsecure_raw_read(), res, and SOCK_ERRNO.

Referenced by my_BIO_s_socket().

◆ my_sock_write()

static int my_sock_write ( BIO *  h,
const char *  buf,
int  size 
)
static

Definition at line 1832 of file fe-secure-openssl.c.

1833 {
1834  int res;
1835 
1836  res = pqsecure_raw_write((PGconn *) BIO_get_data(h), buf, size);
1837  BIO_clear_retry_flags(h);
1838  if (res < 0)
1839  {
1840  /* If we were interrupted, tell caller to retry */
1841  switch (SOCK_ERRNO)
1842  {
1843 #ifdef EAGAIN
1844  case EAGAIN:
1845 #endif
1846 #if defined(EWOULDBLOCK) && (!defined(EAGAIN) || (EWOULDBLOCK != EAGAIN))
1847  case EWOULDBLOCK:
1848 #endif
1849  case EINTR:
1850  BIO_set_retry_write(h);
1851  break;
1852 
1853  default:
1854  break;
1855  }
1856  }
1857 
1858  return res;
1859 }
pqsecure_raw_write
ssize_t pqsecure_raw_write(PGconn *conn, const void *ptr, size_t len)
Definition: fe-secure.c:346

References BIO_get_data, buf, EAGAIN, EINTR, EWOULDBLOCK, pqsecure_raw_write(), res, and SOCK_ERRNO.

Referenced by my_BIO_s_socket().

◆ my_SSL_set_fd()

static int my_SSL_set_fd ( PGconn conn,
int  fd 
)
static

Definition at line 1909 of file fe-secure-openssl.c.

1910 {
1911  int ret = 0;
1912  BIO *bio;
1913  BIO_METHOD *bio_method;
1914 
1915  bio_method = my_BIO_s_socket();
1916  if (bio_method == NULL)
1917  {
1918  SSLerr(SSL_F_SSL_SET_FD, ERR_R_BUF_LIB);
1919  goto err;
1920  }
1921  bio = BIO_new(bio_method);
1922  if (bio == NULL)
1923  {
1924  SSLerr(SSL_F_SSL_SET_FD, ERR_R_BUF_LIB);
1925  goto err;
1926  }
1927  BIO_set_data(bio, conn);
1928 
1929  SSL_set_bio(conn->ssl, bio, bio);
1930  BIO_set_fd(bio, fd, BIO_NOCLOSE);
1931  ret = 1;
1932 err:
1933  return ret;
1934 }
my_BIO_s_socket
static BIO_METHOD * my_BIO_s_socket(void)
Definition: fe-secure-openssl.c:1862
BIO_set_data
#define BIO_set_data(bio, data)
Definition: fe-secure-openssl.c:1796
fd
static int fd(const char *x, int i)
Definition: preproc-init.c:105

References BIO_set_data, conn, err(), fd(), and my_BIO_s_socket().

Referenced by initialize_SSL().

◆ open_client_SSL()

static PostgresPollingStatusType open_client_SSL ( PGconn conn)
static

Definition at line 1467 of file fe-secure-openssl.c.

1468 {
1469  int r;
1470 
1471  ERR_clear_error();
1472  r = SSL_connect(conn->ssl);
1473  if (r <= 0)
1474  {
1475  int err = SSL_get_error(conn->ssl, r);
1476  unsigned long ecode;
1477 
1478  ecode = ERR_get_error();
1479  switch (err)
1480  {
1481  case SSL_ERROR_WANT_READ:
1482  return PGRES_POLLING_READING;
1483 
1484  case SSL_ERROR_WANT_WRITE:
1485  return PGRES_POLLING_WRITING;
1486 
1487  case SSL_ERROR_SYSCALL:
1488  {
1489  char sebuf[PG_STRERROR_R_BUFLEN];
1490 
1491  if (r == -1)
1492  libpq_append_conn_error(conn, "SSL SYSCALL error: %s",
1493  SOCK_STRERROR(SOCK_ERRNO, sebuf, sizeof(sebuf)));
1494  else
1495  libpq_append_conn_error(conn, "SSL SYSCALL error: EOF detected");
1496  pgtls_close(conn);
1497  return PGRES_POLLING_FAILED;
1498  }
1499  case SSL_ERROR_SSL:
1500  {
1501  char *err = SSLerrmessage(ecode);
1502 
1503  libpq_append_conn_error(conn, "SSL error: %s", err);
1504  SSLerrfree(err);
1505  switch (ERR_GET_REASON(ecode))
1506  {
1507  /*
1508  * UNSUPPORTED_PROTOCOL, WRONG_VERSION_NUMBER, and
1509  * TLSV1_ALERT_PROTOCOL_VERSION have been observed
1510  * when trying to communicate with an old OpenSSL
1511  * library, or when the client and server specify
1512  * disjoint protocol ranges.
1513  * NO_PROTOCOLS_AVAILABLE occurs if there's a
1514  * local misconfiguration (which can happen
1515  * despite our checks, if openssl.cnf injects a
1516  * limit we didn't account for). It's not very
1517  * clear what would make OpenSSL return the other
1518  * codes listed here, but a hint about protocol
1519  * versions seems like it's appropriate for all.
1520  */
1521  case SSL_R_NO_PROTOCOLS_AVAILABLE:
1522  case SSL_R_UNSUPPORTED_PROTOCOL:
1523  case SSL_R_BAD_PROTOCOL_VERSION_NUMBER:
1524  case SSL_R_UNKNOWN_PROTOCOL:
1525  case SSL_R_UNKNOWN_SSL_VERSION:
1526  case SSL_R_UNSUPPORTED_SSL_VERSION:
1527  case SSL_R_WRONG_SSL_VERSION:
1528  case SSL_R_WRONG_VERSION_NUMBER:
1529  case SSL_R_TLSV1_ALERT_PROTOCOL_VERSION:
1530 #ifdef SSL_R_VERSION_TOO_HIGH
1531  case SSL_R_VERSION_TOO_HIGH:
1532  case SSL_R_VERSION_TOO_LOW:
1533 #endif
1534  libpq_append_conn_error(conn, "This may indicate that the server does not support any SSL protocol version between %s and %s.",
1535  conn->ssl_min_protocol_version ?
1536  conn->ssl_min_protocol_version :
1537  MIN_OPENSSL_TLS_VERSION,
1538  conn->ssl_max_protocol_version ?
1539  conn->ssl_max_protocol_version :
1540  MAX_OPENSSL_TLS_VERSION);
1541  break;
1542  default:
1543  break;
1544  }
1545  pgtls_close(conn);
1546  return PGRES_POLLING_FAILED;
1547  }
1548 
1549  default:
1550  libpq_append_conn_error(conn, "unrecognized SSL error code: %d", err);
1551  pgtls_close(conn);
1552  return PGRES_POLLING_FAILED;
1553  }
1554  }
1555 
1556  /*
1557  * We already checked the server certificate in initialize_SSL() using
1558  * SSL_CTX_set_verify(), if root.crt exists.
1559  */
1560 
1561  /* get server certificate */
1562  conn->peer = SSL_get_peer_certificate(conn->ssl);
1563  if (conn->peer == NULL)
1564  {
1565  char *err = SSLerrmessage(ERR_get_error());
1566 
1567  libpq_append_conn_error(conn, "certificate could not be obtained: %s", err);
1568  SSLerrfree(err);
1569  pgtls_close(conn);
1570  return PGRES_POLLING_FAILED;
1571  }
1572 
1573  if (!pq_verify_peer_name_matches_certificate(conn))
1574  {
1575  pgtls_close(conn);
1576  return PGRES_POLLING_FAILED;
1577  }
1578 
1579  /* SSL handshake is complete */
1580  return PGRES_POLLING_OK;
1581 }
pq_verify_peer_name_matches_certificate
bool pq_verify_peer_name_matches_certificate(PGconn *conn)
Definition: fe-secure-common.c:252
pgtls_close
void pgtls_close(PGconn *conn)
Definition: fe-secure-openssl.c:1584
PGRES_POLLING_OK
@ PGRES_POLLING_OK
Definition: libpq-fe.h:89
PGRES_POLLING_READING
@ PGRES_POLLING_READING
Definition: libpq-fe.h:87
PGRES_POLLING_WRITING
@ PGRES_POLLING_WRITING
Definition: libpq-fe.h:88
PGRES_POLLING_FAILED
@ PGRES_POLLING_FAILED
Definition: libpq-fe.h:86
SOCK_STRERROR
#define SOCK_STRERROR
Definition: libpq-int.h:917

References conn, err(), libpq_append_conn_error(), PG_STRERROR_R_BUFLEN, PGRES_POLLING_FAILED, PGRES_POLLING_OK, PGRES_POLLING_READING, PGRES_POLLING_WRITING, pgtls_close(), pq_verify_peer_name_matches_certificate(), SOCK_ERRNO, SOCK_STRERROR, pg_conn::ssl_max_protocol_version, pg_conn::ssl_min_protocol_version, SSLerrfree(), and SSLerrmessage().

Referenced by pgtls_open_client().

◆ openssl_verify_peer_name_matches_certificate_ip()

static int openssl_verify_peer_name_matches_certificate_ip ( PGconn conn,
ASN1_OCTET_STRING *  addr_entry,
char **  store_name 
)
static

Definition at line 533 of file fe-secure-openssl.c.

536 {
537  int len;
538  const unsigned char *addrdata;
539 
540  /* Should not happen... */
541  if (addr_entry == NULL)
542  {
543  libpq_append_conn_error(conn, "SSL certificate's address entry is missing");
544  return -1;
545  }
546 
547  /*
548  * GEN_IPADD is an OCTET STRING containing an IP address in network byte
549  * order.
550  */
551 #ifdef HAVE_ASN1_STRING_GET0_DATA
552  addrdata = ASN1_STRING_get0_data(addr_entry);
553 #else
554  addrdata = ASN1_STRING_data(addr_entry);
555 #endif
556  len = ASN1_STRING_length(addr_entry);
557 
558  return pq_verify_peer_name_matches_certificate_ip(conn, addrdata, len, store_name);
559 }
pq_verify_peer_name_matches_certificate_ip
int pq_verify_peer_name_matches_certificate_ip(PGconn *conn, const unsigned char *ipdata, size_t iplen, char **store_name)
Definition: fe-secure-common.c:157
len
const void size_t len
Definition: pg_crc32c_sse42.c:24

References conn, len, libpq_append_conn_error(), and pq_verify_peer_name_matches_certificate_ip().

Referenced by pgtls_verify_peer_name_matches_certificate_guts().

◆ openssl_verify_peer_name_matches_certificate_name()

static int openssl_verify_peer_name_matches_certificate_name ( PGconn conn,
ASN1_STRING *  name_entry,
char **  store_name 
)
static

Definition at line 500 of file fe-secure-openssl.c.

502 {
503  int len;
504  const unsigned char *namedata;
505 
506  /* Should not happen... */
507  if (name_entry == NULL)
508  {
509  libpq_append_conn_error(conn, "SSL certificate's name entry is missing");
510  return -1;
511  }
512 
513  /*
514  * GEN_DNS can be only IA5String, equivalent to US ASCII.
515  */
516 #ifdef HAVE_ASN1_STRING_GET0_DATA
517  namedata = ASN1_STRING_get0_data(name_entry);
518 #else
519  namedata = ASN1_STRING_data(name_entry);
520 #endif
521  len = ASN1_STRING_length(name_entry);
522 
523  /* OK to cast from unsigned to plain char, since it's all ASCII. */
524  return pq_verify_peer_name_matches_certificate_name(conn, (const char *) namedata, len, store_name);
525 }
pq_verify_peer_name_matches_certificate_name
int pq_verify_peer_name_matches_certificate_name(PGconn *conn, const char *namedata, size_t namelen, char **store_name)
Definition: fe-secure-common.c:87

References conn, len, libpq_append_conn_error(), and pq_verify_peer_name_matches_certificate_name().

Referenced by pgtls_verify_peer_name_matches_certificate_guts().

◆ pgtls_close()

void pgtls_close ( PGconn conn)

Definition at line 1584 of file fe-secure-openssl.c.

1585 {
1586  bool destroy_needed = false;
1587 
1588  if (conn->ssl_in_use)
1589  {
1590  if (conn->ssl)
1591  {
1592  /*
1593  * We can't destroy everything SSL-related here due to the
1594  * possible later calls to OpenSSL routines which may need our
1595  * thread callbacks, so set a flag here and check at the end.
1596  */
1597 
1598  SSL_shutdown(conn->ssl);
1599  SSL_free(conn->ssl);
1600  conn->ssl = NULL;
1601  conn->ssl_in_use = false;
1602 
1603  destroy_needed = true;
1604  }
1605 
1606  if (conn->peer)
1607  {
1608  X509_free(conn->peer);
1609  conn->peer = NULL;
1610  }
1611 
1612 #ifdef USE_SSL_ENGINE
1613  if (conn->engine)
1614  {
1615  ENGINE_finish(conn->engine);
1616  ENGINE_free(conn->engine);
1617  conn->engine = NULL;
1618  }
1619 #endif
1620  }
1621  else
1622  {
1623  /*
1624  * In the non-SSL case, just remove the crypto callbacks if the
1625  * connection has then loaded. This code path has no dependency on
1626  * any pending SSL calls.
1627  */
1628  if (conn->crypto_loaded)
1629  destroy_needed = true;
1630  }
1631 
1632  /*
1633  * This will remove our crypto locking hooks if this is the last
1634  * connection using libcrypto which means we must wait to call it until
1635  * after all the potential SSL calls have been made, otherwise we can end
1636  * up with a race condition and possible deadlocks.
1637  *
1638  * See comments above destroy_ssl_system().
1639  */
1640  if (destroy_needed)
1641  {
1642  destroy_ssl_system();
1643  conn->crypto_loaded = false;
1644  }
1645 }
destroy_ssl_system
static void destroy_ssl_system(void)
Definition: fe-secure-openssl.c:881

References conn, destroy_ssl_system(), and pg_conn::ssl_in_use.

Referenced by open_client_SSL(), pgtls_open_client(), and pqsecure_close().

◆ pgtls_init()

int pgtls_init ( PGconn conn,
bool  do_ssl,
bool  do_crypto 
)

Definition at line 777 of file fe-secure-openssl.c.

778 {
779 #ifdef ENABLE_THREAD_SAFETY
780 #ifdef WIN32
781  /* Also see similar code in fe-connect.c, default_threadlock() */
782  if (ssl_config_mutex == NULL)
783  {
784  while (InterlockedExchange(&win32_ssl_create_mutex, 1) == 1)
785  /* loop, another thread own the lock */ ;
786  if (ssl_config_mutex == NULL)
787  {
788  if (pthread_mutex_init(&ssl_config_mutex, NULL))
789  return -1;
790  }
791  InterlockedExchange(&win32_ssl_create_mutex, 0);
792  }
793 #endif
794  if (pthread_mutex_lock(&ssl_config_mutex))
795  return -1;
796 
797 #ifdef HAVE_CRYPTO_LOCK
798  if (pq_init_crypto_lib)
799  {
800  /*
801  * If necessary, set up an array to hold locks for libcrypto.
802  * libcrypto will tell us how big to make this array.
803  */
804  if (pq_lockarray == NULL)
805  {
806  int i;
807 
808  pq_lockarray = malloc(sizeof(pthread_mutex_t) * CRYPTO_num_locks());
809  if (!pq_lockarray)
810  {
811  pthread_mutex_unlock(&ssl_config_mutex);
812  return -1;
813  }
814  for (i = 0; i < CRYPTO_num_locks(); i++)
815  {
816  if (pthread_mutex_init(&pq_lockarray[i], NULL))
817  {
818  free(pq_lockarray);
819  pq_lockarray = NULL;
820  pthread_mutex_unlock(&ssl_config_mutex);
821  return -1;
822  }
823  }
824  }
825 
826  if (do_crypto && !conn->crypto_loaded)
827  {
828  if (crypto_open_connections++ == 0)
829  {
830  /*
831  * These are only required for threaded libcrypto
832  * applications, but make sure we don't stomp on them if
833  * they're already set.
834  */
835  if (CRYPTO_get_id_callback() == NULL)
836  CRYPTO_set_id_callback(pq_threadidcallback);
837  if (CRYPTO_get_locking_callback() == NULL)
838  CRYPTO_set_locking_callback(pq_lockingcallback);
839  }
840 
841  conn->crypto_loaded = true;
842  }
843  }
844 #endif /* HAVE_CRYPTO_LOCK */
845 #endif /* ENABLE_THREAD_SAFETY */
846 
847  if (!ssl_lib_initialized && do_ssl)
848  {
849  if (pq_init_ssl_lib)
850  {
851 #ifdef HAVE_OPENSSL_INIT_SSL
852  OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
853 #else
854  OPENSSL_config(NULL);
855  SSL_library_init();
856  SSL_load_error_strings();
857 #endif
858  }
859  ssl_lib_initialized = true;
860  }
861 
862 #ifdef ENABLE_THREAD_SAFETY
863  pthread_mutex_unlock(&ssl_config_mutex);
864 #endif
865  return 0;
866 }
ssl_lib_initialized
static bool ssl_lib_initialized
Definition: fe-secure-openssl.c:92
pq_init_ssl_lib
static bool pq_init_ssl_lib
Definition: fe-secure-openssl.c:89
i
int i
Definition: isn.c:73
pthread_mutex_init
int pthread_mutex_init(pthread_mutex_t *mp, void *attr)
Definition: pthread-win32.c:35
pthread_mutex_t
CRITICAL_SECTION * pthread_mutex_t
Definition: pthread-win32.h:8

References conn, free, i, malloc, pq_init_crypto_lib, pq_init_ssl_lib, pthread_mutex_init(), pthread_mutex_lock(), pthread_mutex_unlock(), and ssl_lib_initialized.

Referenced by pqsecure_initialize().

◆ pgtls_init_library()

void pgtls_init_library ( bool  do_ssl,
int  do_crypto 
)

Definition at line 113 of file fe-secure-openssl.c.

114 {
115 #ifdef ENABLE_THREAD_SAFETY
116 
117  /*
118  * Disallow changing the flags while we have open connections, else we'd
119  * get completely confused.
120  */
121  if (crypto_open_connections != 0)
122  return;
123 #endif
124 
125  pq_init_ssl_lib = do_ssl;
126  pq_init_crypto_lib = do_crypto;
127 }

References pq_init_crypto_lib, and pq_init_ssl_lib.

Referenced by PQinitOpenSSL(), and PQinitSSL().

◆ pgtls_open_client()

PostgresPollingStatusType pgtls_open_client ( PGconn conn)

Definition at line 130 of file fe-secure-openssl.c.

131 {
132  /* First time through? */
133  if (conn->ssl == NULL)
134  {
135  /*
136  * Create a connection-specific SSL object, and load client
137  * certificate, private key, and trusted CA certs.
138  */
139  if (initialize_SSL(conn) != 0)
140  {
141  /* initialize_SSL already put a message in conn->errorMessage */
142  pgtls_close(conn);
143  return PGRES_POLLING_FAILED;
144  }
145  }
146 
147  /* Begin or continue the actual handshake */
148  return open_client_SSL(conn);
149 }
initialize_SSL
static int initialize_SSL(PGconn *conn)
Definition: fe-secure-openssl.c:922
open_client_SSL
static PostgresPollingStatusType open_client_SSL(PGconn *conn)
Definition: fe-secure-openssl.c:1467

References conn, initialize_SSL(), open_client_SSL(), PGRES_POLLING_FAILED, and pgtls_close().

Referenced by pqsecure_open_client().

◆ pgtls_read()

ssize_t pgtls_read ( PGconn conn,
void *  ptr,
size_t  len 
)

Definition at line 152 of file fe-secure-openssl.c.

153 {
154  ssize_t n;
155  int result_errno = 0;
156  char sebuf[PG_STRERROR_R_BUFLEN];
157  int err;
158  unsigned long ecode;
159 
160 rloop:
161 
162  /*
163  * Prepare to call SSL_get_error() by clearing thread's OpenSSL error
164  * queue. In general, the current thread's error queue must be empty
165  * before the TLS/SSL I/O operation is attempted, or SSL_get_error() will
166  * not work reliably. Since the possibility exists that other OpenSSL
167  * clients running in the same thread but not under our control will fail
168  * to call ERR_get_error() themselves (after their own I/O operations),
169  * pro-actively clear the per-thread error queue now.
170  */
171  SOCK_ERRNO_SET(0);
172  ERR_clear_error();
173  n = SSL_read(conn->ssl, ptr, len);
174  err = SSL_get_error(conn->ssl, n);
175 
176  /*
177  * Other clients of OpenSSL may fail to call ERR_get_error(), but we
178  * always do, so as to not cause problems for OpenSSL clients that don't
179  * call ERR_clear_error() defensively. Be sure that this happens by
180  * calling now. SSL_get_error() relies on the OpenSSL per-thread error
181  * queue being intact, so this is the earliest possible point
182  * ERR_get_error() may be called.
183  */
184  ecode = (err != SSL_ERROR_NONE || n < 0) ? ERR_get_error() : 0;
185  switch (err)
186  {
187  case SSL_ERROR_NONE:
188  if (n < 0)
189  {
190  /* Not supposed to happen, so we don't translate the msg */
191  appendPQExpBufferStr(&conn->errorMessage,
192  "SSL_read failed but did not provide error information\n");
193  /* assume the connection is broken */
194  result_errno = ECONNRESET;
195  }
196  break;
197  case SSL_ERROR_WANT_READ:
198  n = 0;
199  break;
200  case SSL_ERROR_WANT_WRITE:
201 
202  /*
203  * Returning 0 here would cause caller to wait for read-ready,
204  * which is not correct since what SSL wants is wait for
205  * write-ready. The former could get us stuck in an infinite
206  * wait, so don't risk it; busy-loop instead.
207  */
208  goto rloop;
209  case SSL_ERROR_SYSCALL:
210  if (n < 0)
211  {
212  result_errno = SOCK_ERRNO;
213  if (result_errno == EPIPE ||
214  result_errno == ECONNRESET)
215  libpq_append_conn_error(conn, "server closed the connection unexpectedly\n"
216  "\tThis probably means the server terminated abnormally\n"
217  "\tbefore or while processing the request.");
218  else
219  libpq_append_conn_error(conn, "SSL SYSCALL error: %s",
220  SOCK_STRERROR(result_errno,
221  sebuf, sizeof(sebuf)));
222  }
223  else
224  {
225  libpq_append_conn_error(conn, "SSL SYSCALL error: EOF detected");
226  /* assume the connection is broken */
227  result_errno = ECONNRESET;
228  n = -1;
229  }
230  break;
231  case SSL_ERROR_SSL:
232  {
233  char *errm = SSLerrmessage(ecode);
234 
235  libpq_append_conn_error(conn, "SSL error: %s", errm);
236  SSLerrfree(errm);
237  /* assume the connection is broken */
238  result_errno = ECONNRESET;
239  n = -1;
240  break;
241  }
242  case SSL_ERROR_ZERO_RETURN:
243 
244  /*
245  * Per OpenSSL documentation, this error code is only returned for
246  * a clean connection closure, so we should not report it as a
247  * server crash.
248  */
249  libpq_append_conn_error(conn, "SSL connection has been closed unexpectedly");
250  result_errno = ECONNRESET;
251  n = -1;
252  break;
253  default:
254  libpq_append_conn_error(conn, "unrecognized SSL error code: %d", err);
255  /* assume the connection is broken */
256  result_errno = ECONNRESET;
257  n = -1;
258  break;
259  }
260 
261  /* ensure we return the intended errno to caller */
262  SOCK_ERRNO_SET(result_errno);
263 
264  return n;
265 }
SOCK_ERRNO_SET
#define SOCK_ERRNO_SET(e)
Definition: libpq-int.h:918
appendPQExpBufferStr
void appendPQExpBufferStr(PQExpBuffer str, const char *data)
Definition: pqexpbuffer.c:367
pg_conn::errorMessage
PQExpBufferData errorMessage
Definition: libpq-int.h:601
ECONNRESET
#define ECONNRESET
Definition: win32_port.h:386

References appendPQExpBufferStr(), conn, ECONNRESET, err(), pg_conn::errorMessage, len, libpq_append_conn_error(), PG_STRERROR_R_BUFLEN, SOCK_ERRNO, SOCK_ERRNO_SET, SOCK_STRERROR, SSLerrfree(), and SSLerrmessage().

Referenced by pqsecure_read().

◆ pgtls_read_pending()

bool pgtls_read_pending ( PGconn conn)

Definition at line 268 of file fe-secure-openssl.c.

269 {
270  return SSL_pending(conn->ssl) > 0;
271 }

References conn.

Referenced by pqSocketCheck().

◆ pgtls_verify_peer_name_matches_certificate_guts()

int pgtls_verify_peer_name_matches_certificate_guts ( PGconn conn,
int *  names_examined,
char **  first_name 
)

Definition at line 582 of file fe-secure-openssl.c.

585 {
586  STACK_OF(GENERAL_NAME) * peer_san;
587  int i;
588  int rc = 0;
589  char *host = conn->connhost[conn->whichhost].host;
590  int host_type;
591  bool check_cn = true;
592 
593  Assert(host && host[0]); /* should be guaranteed by caller */
594 
595  /*
596  * We try to match the NSS behavior here, which is a slight departure from
597  * the spec but seems to make more intuitive sense:
598  *
599  * If connhost contains a DNS name, and the certificate's SANs contain any
600  * dNSName entries, then we'll ignore the Subject Common Name entirely;
601  * otherwise, we fall back to checking the CN. (This behavior matches the
602  * RFC.)
603  *
604  * If connhost contains an IP address, and the SANs contain iPAddress
605  * entries, we again ignore the CN. Otherwise, we allow the CN to match,
606  * EVEN IF there is a dNSName in the SANs. (RFC 6125 prohibits this: "A
607  * client MUST NOT seek a match for a reference identifier of CN-ID if the
608  * presented identifiers include a DNS-ID, SRV-ID, URI-ID, or any
609  * application-specific identifier types supported by the client.")
610  *
611  * NOTE: Prior versions of libpq did not consider iPAddress entries at
612  * all, so this new behavior might break a certificate that has different
613  * IP addresses in the Subject CN and the SANs.
614  */
615  if (is_ip_address(host))
616  host_type = GEN_IPADD;
617  else
618  host_type = GEN_DNS;
619 
620  /*
621  * First, get the Subject Alternative Names (SANs) from the certificate,
622  * and compare them against the originally given hostname.
623  */
624  peer_san = (STACK_OF(GENERAL_NAME) *)
625  X509_get_ext_d2i(conn->peer, NID_subject_alt_name, NULL, NULL);
626 
627  if (peer_san)
628  {
629  int san_len = sk_GENERAL_NAME_num(peer_san);
630 
631  for (i = 0; i < san_len; i++)
632  {
633  const GENERAL_NAME *name = sk_GENERAL_NAME_value(peer_san, i);
634  char *alt_name = NULL;
635 
636  if (name->type == host_type)
637  {
638  /*
639  * This SAN is of the same type (IP or DNS) as our host name,
640  * so don't allow a fallback check of the CN.
641  */
642  check_cn = false;
643  }
644 
645  if (name->type == GEN_DNS)
646  {
647  (*names_examined)++;
648  rc = openssl_verify_peer_name_matches_certificate_name(conn,
649  name->d.dNSName,
650  &alt_name);
651  }
652  else if (name->type == GEN_IPADD)
653  {
654  (*names_examined)++;
655  rc = openssl_verify_peer_name_matches_certificate_ip(conn,
656  name->d.iPAddress,
657  &alt_name);
658  }
659 
660  if (alt_name)
661  {
662  if (!*first_name)
663  *first_name = alt_name;
664  else
665  free(alt_name);
666  }
667 
668  if (rc != 0)
669  {
670  /*
671  * Either we hit an error or a match, and either way we should
672  * not fall back to the CN.
673  */
674  check_cn = false;
675  break;
676  }
677  }
678  sk_GENERAL_NAME_pop_free(peer_san, GENERAL_NAME_free);
679  }
680 
681  /*
682  * If there is no subjectAltName extension of the matching type, check the
683  * Common Name.
684  *
685  * (Per RFC 2818 and RFC 6125, if the subjectAltName extension of type
686  * dNSName is present, the CN must be ignored. We break this rule if host
687  * is an IP address; see the comment above.)
688  */
689  if (check_cn)
690  {
691  X509_NAME *subject_name;
692 
693  subject_name = X509_get_subject_name(conn->peer);
694  if (subject_name != NULL)
695  {
696  int cn_index;
697 
698  cn_index = X509_NAME_get_index_by_NID(subject_name,
699  NID_commonName, -1);
700  if (cn_index >= 0)
701  {
702  char *common_name = NULL;
703 
704  (*names_examined)++;
705  rc = openssl_verify_peer_name_matches_certificate_name(conn,
706  X509_NAME_ENTRY_get_data(X509_NAME_get_entry(subject_name, cn_index)),
707  &common_name);
708 
709  if (common_name)
710  {
711  if (!*first_name)
712  *first_name = common_name;
713  else
714  free(common_name);
715  }
716  }
717  }
718  }
719 
720  return rc;
721 }
name
const char * name
Definition: encode.c:571
openssl_verify_peer_name_matches_certificate_name
static int openssl_verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, char **store_name)
Definition: fe-secure-openssl.c:500
openssl_verify_peer_name_matches_certificate_ip
static int openssl_verify_peer_name_matches_certificate_ip(PGconn *conn, ASN1_OCTET_STRING *addr_entry, char **store_name)
Definition: fe-secure-openssl.c:533
is_ip_address
static bool is_ip_address(const char *host)
Definition: fe-secure-openssl.c:562
Assert
Assert(fmt[strlen(fmt) - 1] !='\n')

References Assert(), conn, pg_conn::connhost, free, pg_conn_host::host, i, is_ip_address(), name, openssl_verify_peer_name_matches_certificate_ip(), openssl_verify_peer_name_matches_certificate_name(), and pg_conn::whichhost.

Referenced by pq_verify_peer_name_matches_certificate().

◆ pgtls_write()

ssize_t pgtls_write ( PGconn conn,
const void *  ptr,
size_t  len 
)

Definition at line 274 of file fe-secure-openssl.c.

275 {
276  ssize_t n;
277  int result_errno = 0;
278  char sebuf[PG_STRERROR_R_BUFLEN];
279  int err;
280  unsigned long ecode;
281 
282  SOCK_ERRNO_SET(0);
283  ERR_clear_error();
284  n = SSL_write(conn->ssl, ptr, len);
285  err = SSL_get_error(conn->ssl, n);
286  ecode = (err != SSL_ERROR_NONE || n < 0) ? ERR_get_error() : 0;
287  switch (err)
288  {
289  case SSL_ERROR_NONE:
290  if (n < 0)
291  {
292  /* Not supposed to happen, so we don't translate the msg */
293  appendPQExpBufferStr(&conn->errorMessage,
294  "SSL_write failed but did not provide error information\n");
295  /* assume the connection is broken */
296  result_errno = ECONNRESET;
297  }
298  break;
299  case SSL_ERROR_WANT_READ:
300 
301  /*
302  * Returning 0 here causes caller to wait for write-ready, which
303  * is not really the right thing, but it's the best we can do.
304  */
305  n = 0;
306  break;
307  case SSL_ERROR_WANT_WRITE:
308  n = 0;
309  break;
310  case SSL_ERROR_SYSCALL:
311  if (n < 0)
312  {
313  result_errno = SOCK_ERRNO;
314  if (result_errno == EPIPE || result_errno == ECONNRESET)
315  libpq_append_conn_error(conn, "server closed the connection unexpectedly\n"
316  "\tThis probably means the server terminated abnormally\n"
317  "\tbefore or while processing the request.");
318  else
319  libpq_append_conn_error(conn, "SSL SYSCALL error: %s",
320  SOCK_STRERROR(result_errno,
321  sebuf, sizeof(sebuf)));
322  }
323  else
324  {
325  libpq_append_conn_error(conn, "SSL SYSCALL error: EOF detected");
326  /* assume the connection is broken */
327  result_errno = ECONNRESET;
328  n = -1;
329  }
330  break;
331  case SSL_ERROR_SSL:
332  {
333  char *errm = SSLerrmessage(ecode);
334 
335  libpq_append_conn_error(conn, "SSL error: %s", errm);
336  SSLerrfree(errm);
337  /* assume the connection is broken */
338  result_errno = ECONNRESET;
339  n = -1;
340  break;
341  }
342  case SSL_ERROR_ZERO_RETURN:
343 
344  /*
345  * Per OpenSSL documentation, this error code is only returned for
346  * a clean connection closure, so we should not report it as a
347  * server crash.
348  */
349  libpq_append_conn_error(conn, "SSL connection has been closed unexpectedly");
350  result_errno = ECONNRESET;
351  n = -1;
352  break;
353  default:
354  libpq_append_conn_error(conn, "unrecognized SSL error code: %d", err);
355  /* assume the connection is broken */
356  result_errno = ECONNRESET;
357  n = -1;
358  break;
359  }
360 
361  /* ensure we return the intended errno to caller */
362  SOCK_ERRNO_SET(result_errno);
363 
364  return n;
365 }

References appendPQExpBufferStr(), conn, ECONNRESET, err(), pg_conn::errorMessage, len, libpq_append_conn_error(), PG_STRERROR_R_BUFLEN, SOCK_ERRNO, SOCK_ERRNO_SET, SOCK_STRERROR, SSLerrfree(), and SSLerrmessage().

Referenced by pqsecure_write().

◆ PQdefaultSSLKeyPassHook_OpenSSL()

int PQdefaultSSLKeyPassHook_OpenSSL ( char *  buf,
int  size,
PGconn conn 
)

Definition at line 1942 of file fe-secure-openssl.c.

1943 {
1944  if (conn && conn->sslpassword)
1945  {
1946  if (strlen(conn->sslpassword) + 1 > size)
1947  fprintf(stderr, libpq_gettext("WARNING: sslpassword truncated\n"));
1948  strncpy(buf, conn->sslpassword, size);
1949  buf[size - 1] = '\0';
1950  return strlen(buf);
1951  }
1952  else
1953  {
1954  buf[0] = '\0';
1955  return 0;
1956  }
1957 }
libpq_gettext
#define libpq_gettext(x)
Definition: libpq-int.h:895
fprintf
#define fprintf
Definition: port.h:242

References buf, conn, fprintf, libpq_gettext, and pg_conn::sslpassword.

Referenced by PQssl_passwd_cb().

◆ PQgetssl()

void* PQgetssl ( PGconn conn)

Definition at line 1700 of file fe-secure-openssl.c.

1701 {
1702  if (!conn)
1703  return NULL;
1704  return conn->ssl;
1705 }

References conn.

◆ PQgetSSLKeyPassHook_OpenSSL()

PQsslKeyPassHook_OpenSSL_type PQgetSSLKeyPassHook_OpenSSL ( void  )

Definition at line 1960 of file fe-secure-openssl.c.

1961 {
1962  return PQsslKeyPassHook;
1963 }

References PQsslKeyPassHook.

◆ PQsetSSLKeyPassHook_OpenSSL()

void PQsetSSLKeyPassHook_OpenSSL ( PQsslKeyPassHook_OpenSSL_type  hook)

Definition at line 1966 of file fe-secure-openssl.c.

1967 {
1968  PQsslKeyPassHook = hook;
1969 }

References PQsslKeyPassHook.

◆ PQssl_passwd_cb()

static int PQssl_passwd_cb ( char *  buf,
int  size,
int  rwflag,
void *  userdata 
)
static

Definition at line 1977 of file fe-secure-openssl.c.

1978 {
1979  PGconn *conn = userdata;
1980 
1981  if (PQsslKeyPassHook)
1982  return PQsslKeyPassHook(buf, size, conn);
1983  else
1984  return PQdefaultSSLKeyPassHook_OpenSSL(buf, size, conn);
1985 }
PQdefaultSSLKeyPassHook_OpenSSL
int PQdefaultSSLKeyPassHook_OpenSSL(char *buf, int size, PGconn *conn)
Definition: fe-secure-openssl.c:1942

References buf, conn, PQdefaultSSLKeyPassHook_OpenSSL(), and PQsslKeyPassHook.

Referenced by initialize_SSL().

◆ PQsslAttribute()

const char* PQsslAttribute ( PGconn conn,
const char *  attribute_name 
)

Definition at line 1744 of file fe-secure-openssl.c.

1745 {
1746  if (!conn)
1747  {
1748  /* PQsslAttribute(NULL, "library") reports the default SSL library */
1749  if (strcmp(attribute_name, "library") == 0)
1750  return "OpenSSL";
1751  return NULL;
1752  }
1753 
1754  /* All attributes read as NULL for a non-encrypted connection */
1755  if (conn->ssl == NULL)
1756  return NULL;
1757 
1758  if (strcmp(attribute_name, "library") == 0)
1759  return "OpenSSL";
1760 
1761  if (strcmp(attribute_name, "key_bits") == 0)
1762  {
1763  static char sslbits_str[12];
1764  int sslbits;
1765 
1766  SSL_get_cipher_bits(conn->ssl, &sslbits);
1767  snprintf(sslbits_str, sizeof(sslbits_str), "%d", sslbits);
1768  return sslbits_str;
1769  }
1770 
1771  if (strcmp(attribute_name, "cipher") == 0)
1772  return SSL_get_cipher(conn->ssl);
1773 
1774  if (strcmp(attribute_name, "compression") == 0)
1775  return SSL_get_current_compression(conn->ssl) ? "on" : "off";
1776 
1777  if (strcmp(attribute_name, "protocol") == 0)
1778  return SSL_get_version(conn->ssl);
1779 
1780  return NULL; /* unknown attribute */
1781 }

References conn, and snprintf.

Referenced by print_ssl_library(), and printSSLInfo().

◆ PQsslAttributeNames()

const char* const* PQsslAttributeNames ( PGconn conn)

Definition at line 1718 of file fe-secure-openssl.c.

1719 {
1720  static const char *const openssl_attrs[] = {
1721  "library",
1722  "key_bits",
1723  "cipher",
1724  "compression",
1725  "protocol",
1726  NULL
1727  };
1728  static const char *const empty_attrs[] = {NULL};
1729 
1730  if (!conn)
1731  {
1732  /* Return attributes of default SSL library */
1733  return openssl_attrs;
1734  }
1735 
1736  /* No attrs for unencrypted connection */
1737  if (conn->ssl == NULL)
1738  return empty_attrs;
1739 
1740  return openssl_attrs;
1741 }

References conn.

◆ PQsslStruct()

void* PQsslStruct ( PGconn conn,
const char *  struct_name 
)

Definition at line 1708 of file fe-secure-openssl.c.

1709 {
1710  if (!conn)
1711  return NULL;
1712  if (strcmp(struct_name, "OpenSSL") == 0)
1713  return conn->ssl;
1714  return NULL;
1715 }

References conn.

◆ ssl_protocol_version_to_openssl()

static int ssl_protocol_version_to_openssl ( const char *  protocol)
static

Definition at line 1998 of file fe-secure-openssl.c.

1999 {
2000  if (pg_strcasecmp("TLSv1", protocol) == 0)
2001  return TLS1_VERSION;
2002 
2003 #ifdef TLS1_1_VERSION
2004  if (pg_strcasecmp("TLSv1.1", protocol) == 0)
2005  return TLS1_1_VERSION;
2006 #endif
2007 
2008 #ifdef TLS1_2_VERSION
2009  if (pg_strcasecmp("TLSv1.2", protocol) == 0)
2010  return TLS1_2_VERSION;
2011 #endif
2012 
2013 #ifdef TLS1_3_VERSION
2014  if (pg_strcasecmp("TLSv1.3", protocol) == 0)
2015  return TLS1_3_VERSION;
2016 #endif
2017 
2018  return -1;
2019 }
pg_strcasecmp
int pg_strcasecmp(const char *s1, const char *s2)
Definition: pgstrcasecmp.c:36

References pg_strcasecmp().

Referenced by initialize_SSL().

◆ SSLerrfree()

static void SSLerrfree ( char *  buf)
static

Definition at line 1686 of file fe-secure-openssl.c.

1687 {
1688  if (buf != ssl_nomem)
1689  free(buf);
1690 }
ssl_nomem
static char ssl_nomem[]
Definition: fe-secure-openssl.c:1657

References buf, free, and ssl_nomem.

Referenced by initialize_SSL(), open_client_SSL(), pgtls_read(), and pgtls_write().

◆ SSLerrmessage()

static char * SSLerrmessage ( unsigned long  ecode)
static

Definition at line 1662 of file fe-secure-openssl.c.

1663 {
1664  const char *errreason;
1665  char *errbuf;
1666 
1667  errbuf = malloc(SSL_ERR_LEN);
1668  if (!errbuf)
1669  return ssl_nomem;
1670  if (ecode == 0)
1671  {
1672  snprintf(errbuf, SSL_ERR_LEN, libpq_gettext("no SSL error reported"));
1673  return errbuf;
1674  }
1675  errreason = ERR_reason_error_string(ecode);
1676  if (errreason != NULL)
1677  {
1678  strlcpy(errbuf, errreason, SSL_ERR_LEN);
1679  return errbuf;
1680  }
1681  snprintf(errbuf, SSL_ERR_LEN, libpq_gettext("SSL error code %lu"), ecode);
1682  return errbuf;
1683 }
SSL_ERR_LEN
#define SSL_ERR_LEN
Definition: fe-secure-openssl.c:1659

References libpq_gettext, malloc, snprintf, SSL_ERR_LEN, ssl_nomem, and strlcpy().

Referenced by initialize_SSL(), open_client_SSL(), pgtls_read(), and pgtls_write().

◆ verify_cb()

static int verify_cb ( int  ok,
X509_STORE_CTX *  ctx 
)
static

Definition at line 460 of file fe-secure-openssl.c.

461 {
462  return ok;
463 }

Referenced by initialize_SSL().

Variable Documentation

◆ my_bio_methods

BIO_METHOD* my_bio_methods
static

Definition at line 1799 of file fe-secure-openssl.c.

Referenced by my_BIO_s_socket().

◆ pq_init_crypto_lib

bool pq_init_crypto_lib = true
static

Definition at line 90 of file fe-secure-openssl.c.

Referenced by destroy_ssl_system(), pgtls_init(), and pgtls_init_library().

◆ pq_init_ssl_lib

bool pq_init_ssl_lib = true
static

Definition at line 89 of file fe-secure-openssl.c.

Referenced by pgtls_init(), and pgtls_init_library().

◆ PQsslKeyPassHook

PQsslKeyPassHook_OpenSSL_type PQsslKeyPassHook = NULL
static

Definition at line 105 of file fe-secure-openssl.c.

Referenced by initialize_SSL(), PQgetSSLKeyPassHook_OpenSSL(), PQsetSSLKeyPassHook_OpenSSL(), and PQssl_passwd_cb().

◆ ssl_lib_initialized

bool ssl_lib_initialized = false
static

Definition at line 92 of file fe-secure-openssl.c.

Referenced by pgtls_init().

◆ ssl_nomem

char ssl_nomem[] = "out of memory allocating error description"
static

Definition at line 1657 of file fe-secure-openssl.c.

Referenced by SSLerrfree(), and SSLerrmessage().