PostgreSQL Source Code  git master
fe-secure-openssl.c File Reference
#include "postgres_fe.h"
#include <signal.h>
#include <fcntl.h>
#include <ctype.h>
#include "libpq-fe.h"
#include "fe-auth.h"
#include "fe-secure-common.h"
#include "libpq-int.h"
#include "common/openssl.h"
#include <sys/socket.h>
#include <unistd.h>
#include <netdb.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <sys/stat.h>
#include <openssl/ssl.h>
#include <openssl/conf.h>
#include <openssl/x509v3.h>
Include dependency graph for fe-secure-openssl.c:

Go to the source code of this file.

Macros

#define SSL_ERR_LEN   128
 
#define BIO_get_data(bio)   (bio->ptr)
 
#define BIO_set_data(bio, data)   (bio->ptr = data)
 

Functions

static int verify_cb (int ok, X509_STORE_CTX *ctx)
 
static int openssl_verify_peer_name_matches_certificate_name (PGconn *conn, ASN1_STRING *name, char **store_name)
 
static void destroy_ssl_system (void)
 
static int initialize_SSL (PGconn *conn)
 
static PostgresPollingStatusType open_client_SSL (PGconn *)
 
static char * SSLerrmessage (unsigned long ecode)
 
static void SSLerrfree (char *buf)
 
static int PQssl_passwd_cb (char *buf, int size, int rwflag, void *userdata)
 
static int my_sock_read (BIO *h, char *buf, int size)
 
static int my_sock_write (BIO *h, const char *buf, int size)
 
static BIO_METHOD * my_BIO_s_socket (void)
 
static int my_SSL_set_fd (PGconn *conn, int fd)
 
static int ssl_protocol_version_to_openssl (const char *protocol)
 
void pgtls_init_library (bool do_ssl, int do_crypto)
 
PostgresPollingStatusType pgtls_open_client (PGconn *conn)
 
ssize_t pgtls_read (PGconn *conn, void *ptr, size_t len)
 
bool pgtls_read_pending (PGconn *conn)
 
ssize_t pgtls_write (PGconn *conn, const void *ptr, size_t len)
 
int pgtls_verify_peer_name_matches_certificate_guts (PGconn *conn, int *names_examined, char **first_name)
 
int pgtls_init (PGconn *conn, bool do_ssl, bool do_crypto)
 
void pgtls_close (PGconn *conn)
 
void * PQgetssl (PGconn *conn)
 
void * PQsslStruct (PGconn *conn, const char *struct_name)
 
const char *const * PQsslAttributeNames (PGconn *conn)
 
const char * PQsslAttribute (PGconn *conn, const char *attribute_name)
 
int PQdefaultSSLKeyPassHook_OpenSSL (char *buf, int size, PGconn *conn)
 
PQsslKeyPassHook_OpenSSL_type PQgetSSLKeyPassHook_OpenSSL (void)
 
void PQsetSSLKeyPassHook_OpenSSL (PQsslKeyPassHook_OpenSSL_type hook)
 

Variables

static bool pq_init_ssl_lib = true
 
static bool pq_init_crypto_lib = true
 
static bool ssl_lib_initialized = false
 
static PQsslKeyPassHook_OpenSSL_type PQsslKeyPassHook = NULL
 
static char ssl_nomem [] = "out of memory allocating error description"
 
static BIO_METHOD * my_bio_methods
 

Macro Definition Documentation

◆ BIO_get_data

#define BIO_get_data (   bio)    (bio->ptr)

Definition at line 1622 of file fe-secure-openssl.c.

Referenced by my_sock_read(), and my_sock_write().

◆ BIO_set_data

#define BIO_set_data (   bio,
  data 
)    (bio->ptr = data)

Definition at line 1623 of file fe-secure-openssl.c.

Referenced by my_SSL_set_fd().

◆ SSL_ERR_LEN

#define SSL_ERR_LEN   128

Definition at line 1504 of file fe-secure-openssl.c.

Referenced by SSLerrmessage().

Function Documentation

◆ destroy_ssl_system()

static void destroy_ssl_system ( void  )
static

Definition at line 742 of file fe-secure-openssl.c.

References pq_init_crypto_lib, pthread_mutex_lock(), and pthread_mutex_unlock().

Referenced by pgtls_close().

743 {
744 #if defined(ENABLE_THREAD_SAFETY) && defined(HAVE_CRYPTO_LOCK)
745  /* Mutex is created in pgtls_init() */
746  if (pthread_mutex_lock(&ssl_config_mutex))
747  return;
748 
749  if (pq_init_crypto_lib && crypto_open_connections > 0)
750  --crypto_open_connections;
751 
752  if (pq_init_crypto_lib && crypto_open_connections == 0)
753  {
754  /*
755  * No connections left, unregister libcrypto callbacks, if no one
756  * registered different ones in the meantime.
757  */
758  if (CRYPTO_get_locking_callback() == pq_lockingcallback)
759  CRYPTO_set_locking_callback(NULL);
760  if (CRYPTO_get_id_callback() == pq_threadidcallback)
761  CRYPTO_set_id_callback(NULL);
762 
763  /*
764  * We don't free the lock array. If we get another connection in this
765  * process, we will just re-use them with the existing mutexes.
766  *
767  * This means we leak a little memory on repeated load/unload of the
768  * library.
769  */
770  }
771 
772  pthread_mutex_unlock(&ssl_config_mutex);
773 #endif
774 }
int pthread_mutex_lock(pthread_mutex_t *mp)
Definition: pthread-win32.c:45
int pthread_mutex_unlock(pthread_mutex_t *mp)
Definition: pthread-win32.c:54
static bool pq_init_crypto_lib

◆ initialize_SSL()

static int initialize_SSL ( PGconn conn)
static

Definition at line 783 of file fe-secure-openssl.c.

References appendPQExpBuffer(), appendPQExpBufferStr(), pg_conn::errorMessage, free, libpq_gettext, MAXPGPATH, my_SSL_set_fd(), PG_STRERROR_R_BUFLEN, pg_conn::pghost, pqGetHomeDirectory(), PQssl_passwd_cb(), PQsslKeyPassHook, S_IRWXG, S_IRWXO, S_ISREG, snprintf, pg_conn::sock, SSL_context, SSL_CTX_set_max_proto_version(), SSL_CTX_set_min_proto_version(), pg_conn::ssl_in_use, pg_conn::ssl_max_protocol_version, pg_conn::ssl_min_protocol_version, ssl_protocol_version_to_openssl(), pg_conn::sslcert, pg_conn::sslcompression, pg_conn::sslcrl, pg_conn::sslcrldir, SSLerrfree(), SSLerrmessage(), pg_conn::sslkey, pg_conn::sslmode, pg_conn::sslpassword, pg_conn::sslrootcert, pg_conn::sslsni, stat::st_mode, stat, strerror_r, strlcpy(), and verify_cb().

Referenced by pgtls_open_client().

784 {
785  SSL_CTX *SSL_context;
786  struct stat buf;
787  char homedir[MAXPGPATH];
788  char fnbuf[MAXPGPATH];
789  char sebuf[PG_STRERROR_R_BUFLEN];
790  bool have_homedir;
791  bool have_cert;
792  bool have_rootcert;
793  EVP_PKEY *pkey = NULL;
794 
795  /*
796  * We'll need the home directory if any of the relevant parameters are
797  * defaulted. If pqGetHomeDirectory fails, act as though none of the
798  * files could be found.
799  */
800  if (!(conn->sslcert && strlen(conn->sslcert) > 0) ||
801  !(conn->sslkey && strlen(conn->sslkey) > 0) ||
802  !(conn->sslrootcert && strlen(conn->sslrootcert) > 0) ||
803  !((conn->sslcrl && strlen(conn->sslcrl) > 0) ||
804  (conn->sslcrldir && strlen(conn->sslcrldir) > 0)))
805  have_homedir = pqGetHomeDirectory(homedir, sizeof(homedir));
806  else /* won't need it */
807  have_homedir = false;
808 
809  /*
810  * Create a new SSL_CTX object.
811  *
812  * We used to share a single SSL_CTX between all connections, but it was
813  * complicated if connections used different certificates. So now we
814  * create a separate context for each connection, and accept the overhead.
815  */
816  SSL_context = SSL_CTX_new(SSLv23_method());
817  if (!SSL_context)
818  {
819  char *err = SSLerrmessage(ERR_get_error());
820 
822  libpq_gettext("could not create SSL context: %s\n"),
823  err);
824  SSLerrfree(err);
825  return -1;
826  }
827 
828  /*
829  * Delegate the client cert password prompt to the libpq wrapper callback
830  * if any is defined.
831  *
832  * If the application hasn't installed its own and the sslpassword
833  * parameter is non-null, we install ours now to make sure we supply
834  * PGconn->sslpassword to OpenSSL instead of letting it prompt on stdin.
835  *
836  * This will replace OpenSSL's default PEM_def_callback (which prompts on
837  * stdin), but we're only setting it for this SSL context so it's
838  * harmless.
839  */
840  if (PQsslKeyPassHook
841  || (conn->sslpassword && strlen(conn->sslpassword) > 0))
842  {
843  SSL_CTX_set_default_passwd_cb(SSL_context, PQssl_passwd_cb);
844  SSL_CTX_set_default_passwd_cb_userdata(SSL_context, conn);
845  }
846 
847  /* Disable old protocol versions */
848  SSL_CTX_set_options(SSL_context, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
849 
850  /* Set the minimum and maximum protocol versions if necessary */
851  if (conn->ssl_min_protocol_version &&
852  strlen(conn->ssl_min_protocol_version) != 0)
853  {
854  int ssl_min_ver;
855 
857 
858  if (ssl_min_ver == -1)
859  {
861  libpq_gettext("invalid value \"%s\" for minimum SSL protocol version\n"),
863  SSL_CTX_free(SSL_context);
864  return -1;
865  }
866 
867  if (!SSL_CTX_set_min_proto_version(SSL_context, ssl_min_ver))
868  {
869  char *err = SSLerrmessage(ERR_get_error());
870 
872  libpq_gettext("could not set minimum SSL protocol version: %s\n"),
873  err);
874  SSLerrfree(err);
875  SSL_CTX_free(SSL_context);
876  return -1;
877  }
878  }
879 
880  if (conn->ssl_max_protocol_version &&
881  strlen(conn->ssl_max_protocol_version) != 0)
882  {
883  int ssl_max_ver;
884 
886 
887  if (ssl_max_ver == -1)
888  {
890  libpq_gettext("invalid value \"%s\" for maximum SSL protocol version\n"),
892  SSL_CTX_free(SSL_context);
893  return -1;
894  }
895 
896  if (!SSL_CTX_set_max_proto_version(SSL_context, ssl_max_ver))
897  {
898  char *err = SSLerrmessage(ERR_get_error());
899 
901  libpq_gettext("could not set maximum SSL protocol version: %s\n"),
902  err);
903  SSLerrfree(err);
904  SSL_CTX_free(SSL_context);
905  return -1;
906  }
907  }
908 
909  /*
910  * Disable OpenSSL's moving-write-buffer sanity check, because it causes
911  * unnecessary failures in nonblocking send cases.
912  */
913  SSL_CTX_set_mode(SSL_context, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
914 
915  /*
916  * If the root cert file exists, load it so we can perform certificate
917  * verification. If sslmode is "verify-full" we will also do further
918  * verification after the connection has been completed.
919  */
920  if (conn->sslrootcert && strlen(conn->sslrootcert) > 0)
921  strlcpy(fnbuf, conn->sslrootcert, sizeof(fnbuf));
922  else if (have_homedir)
923  snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, ROOT_CERT_FILE);
924  else
925  fnbuf[0] = '\0';
926 
927  if (fnbuf[0] != '\0' &&
928  stat(fnbuf, &buf) == 0)
929  {
930  X509_STORE *cvstore;
931 
932  if (SSL_CTX_load_verify_locations(SSL_context, fnbuf, NULL) != 1)
933  {
934  char *err = SSLerrmessage(ERR_get_error());
935 
937  libpq_gettext("could not read root certificate file \"%s\": %s\n"),
938  fnbuf, err);
939  SSLerrfree(err);
940  SSL_CTX_free(SSL_context);
941  return -1;
942  }
943 
944  if ((cvstore = SSL_CTX_get_cert_store(SSL_context)) != NULL)
945  {
946  char *fname = NULL;
947  char *dname = NULL;
948 
949  if (conn->sslcrl && strlen(conn->sslcrl) > 0)
950  fname = conn->sslcrl;
951  if (conn->sslcrldir && strlen(conn->sslcrldir) > 0)
952  dname = conn->sslcrldir;
953 
954  /* defaults to use the default CRL file */
955  if (!fname && !dname && have_homedir)
956  {
957  snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, ROOT_CRL_FILE);
958  fname = fnbuf;
959  }
960 
961  /* Set the flags to check against the complete CRL chain */
962  if ((fname || dname) &&
963  X509_STORE_load_locations(cvstore, fname, dname) == 1)
964  {
965  X509_STORE_set_flags(cvstore,
966  X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
967  }
968 
969  /* if not found, silently ignore; we do not require CRL */
970  ERR_clear_error();
971  }
972  have_rootcert = true;
973  }
974  else
975  {
976  /*
977  * stat() failed; assume root file doesn't exist. If sslmode is
978  * verify-ca or verify-full, this is an error. Otherwise, continue
979  * without performing any server cert verification.
980  */
981  if (conn->sslmode[0] == 'v') /* "verify-ca" or "verify-full" */
982  {
983  /*
984  * The only way to reach here with an empty filename is if
985  * pqGetHomeDirectory failed. That's a sufficiently unusual case
986  * that it seems worth having a specialized error message for it.
987  */
988  if (fnbuf[0] == '\0')
990  libpq_gettext("could not get home directory to locate root certificate file\n"
991  "Either provide the file or change sslmode to disable server certificate verification.\n"));
992  else
994  libpq_gettext("root certificate file \"%s\" does not exist\n"
995  "Either provide the file or change sslmode to disable server certificate verification.\n"), fnbuf);
996  SSL_CTX_free(SSL_context);
997  return -1;
998  }
999  have_rootcert = false;
1000  }
1001 
1002  /* Read the client certificate file */
1003  if (conn->sslcert && strlen(conn->sslcert) > 0)
1004  strlcpy(fnbuf, conn->sslcert, sizeof(fnbuf));
1005  else if (have_homedir)
1006  snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, USER_CERT_FILE);
1007  else
1008  fnbuf[0] = '\0';
1009 
1010  if (fnbuf[0] == '\0')
1011  {
1012  /* no home directory, proceed without a client cert */
1013  have_cert = false;
1014  }
1015  else if (stat(fnbuf, &buf) != 0)
1016  {
1017  /*
1018  * If file is not present, just go on without a client cert; server
1019  * might or might not accept the connection. Any other error,
1020  * however, is grounds for complaint.
1021  */
1022  if (errno != ENOENT && errno != ENOTDIR)
1023  {
1025  libpq_gettext("could not open certificate file \"%s\": %s\n"),
1026  fnbuf, strerror_r(errno, sebuf, sizeof(sebuf)));
1027  SSL_CTX_free(SSL_context);
1028  return -1;
1029  }
1030  have_cert = false;
1031  }
1032  else
1033  {
1034  /*
1035  * Cert file exists, so load it. Since OpenSSL doesn't provide the
1036  * equivalent of "SSL_use_certificate_chain_file", we have to load it
1037  * into the SSL context, rather than the SSL object.
1038  */
1039  if (SSL_CTX_use_certificate_chain_file(SSL_context, fnbuf) != 1)
1040  {
1041  char *err = SSLerrmessage(ERR_get_error());
1042 
1044  libpq_gettext("could not read certificate file \"%s\": %s\n"),
1045  fnbuf, err);
1046  SSLerrfree(err);
1047  SSL_CTX_free(SSL_context);
1048  return -1;
1049  }
1050 
1051  /* need to load the associated private key, too */
1052  have_cert = true;
1053  }
1054 
1055  /*
1056  * The SSL context is now loaded with the correct root and client
1057  * certificates. Create a connection-specific SSL object. The private key
1058  * is loaded directly into the SSL object. (We could load the private key
1059  * into the context, too, but we have done it this way historically, and
1060  * it doesn't really matter.)
1061  */
1062  if (!(conn->ssl = SSL_new(SSL_context)) ||
1063  !SSL_set_app_data(conn->ssl, conn) ||
1064  !my_SSL_set_fd(conn, conn->sock))
1065  {
1066  char *err = SSLerrmessage(ERR_get_error());
1067 
1069  libpq_gettext("could not establish SSL connection: %s\n"),
1070  err);
1071  SSLerrfree(err);
1072  SSL_CTX_free(SSL_context);
1073  return -1;
1074  }
1075  conn->ssl_in_use = true;
1076 
1077  /*
1078  * SSL contexts are reference counted by OpenSSL. We can free it as soon
1079  * as we have created the SSL object, and it will stick around for as long
1080  * as it's actually needed.
1081  */
1082  SSL_CTX_free(SSL_context);
1083  SSL_context = NULL;
1084 
1085  /*
1086  * Set Server Name Indication (SNI), if enabled by connection parameters.
1087  * Per RFC 6066, do not set it if the host is a literal IP address (IPv4
1088  * or IPv6).
1089  */
1090  if (conn->sslsni && conn->sslsni[0] &&
1091  !(strspn(conn->pghost, "0123456789.") == strlen(conn->pghost) ||
1092  strchr(conn->pghost, ':')))
1093  {
1094  if (SSL_set_tlsext_host_name(conn->ssl, conn->pghost) != 1)
1095  {
1096  char *err = SSLerrmessage(ERR_get_error());
1097 
1099  libpq_gettext("could not set SSL Server Name Indication (SNI): %s\n"),
1100  err);
1101  SSLerrfree(err);
1102  SSL_CTX_free(SSL_context);
1103  return -1;
1104  }
1105  }
1106 
1107  /*
1108  * Read the SSL key. If a key is specified, treat it as an engine:key
1109  * combination if there is colon present - we don't support files with
1110  * colon in the name. The exception is if the second character is a colon,
1111  * in which case it can be a Windows filename with drive specification.
1112  */
1113  if (have_cert && conn->sslkey && strlen(conn->sslkey) > 0)
1114  {
1115 #ifdef USE_SSL_ENGINE
1116  if (strchr(conn->sslkey, ':')
1117 #ifdef WIN32
1118  && conn->sslkey[1] != ':'
1119 #endif
1120  )
1121  {
1122  /* Colon, but not in second character, treat as engine:key */
1123  char *engine_str = strdup(conn->sslkey);
1124  char *engine_colon;
1125 
1126  if (engine_str == NULL)
1127  {
1129  libpq_gettext("out of memory\n"));
1130  return -1;
1131  }
1132 
1133  /* cannot return NULL because we already checked before strdup */
1134  engine_colon = strchr(engine_str, ':');
1135 
1136  *engine_colon = '\0'; /* engine_str now has engine name */
1137  engine_colon++; /* engine_colon now has key name */
1138 
1139  conn->engine = ENGINE_by_id(engine_str);
1140  if (conn->engine == NULL)
1141  {
1142  char *err = SSLerrmessage(ERR_get_error());
1143 
1145  libpq_gettext("could not load SSL engine \"%s\": %s\n"),
1146  engine_str, err);
1147  SSLerrfree(err);
1148  free(engine_str);
1149  return -1;
1150  }
1151 
1152  if (ENGINE_init(conn->engine) == 0)
1153  {
1154  char *err = SSLerrmessage(ERR_get_error());
1155 
1157  libpq_gettext("could not initialize SSL engine \"%s\": %s\n"),
1158  engine_str, err);
1159  SSLerrfree(err);
1160  ENGINE_free(conn->engine);
1161  conn->engine = NULL;
1162  free(engine_str);
1163  return -1;
1164  }
1165 
1166  pkey = ENGINE_load_private_key(conn->engine, engine_colon,
1167  NULL, NULL);
1168  if (pkey == NULL)
1169  {
1170  char *err = SSLerrmessage(ERR_get_error());
1171 
1173  libpq_gettext("could not read private SSL key \"%s\" from engine \"%s\": %s\n"),
1174  engine_colon, engine_str, err);
1175  SSLerrfree(err);
1176  ENGINE_finish(conn->engine);
1177  ENGINE_free(conn->engine);
1178  conn->engine = NULL;
1179  free(engine_str);
1180  return -1;
1181  }
1182  if (SSL_use_PrivateKey(conn->ssl, pkey) != 1)
1183  {
1184  char *err = SSLerrmessage(ERR_get_error());
1185 
1187  libpq_gettext("could not load private SSL key \"%s\" from engine \"%s\": %s\n"),
1188  engine_colon, engine_str, err);
1189  SSLerrfree(err);
1190  ENGINE_finish(conn->engine);
1191  ENGINE_free(conn->engine);
1192  conn->engine = NULL;
1193  free(engine_str);
1194  return -1;
1195  }
1196 
1197  free(engine_str);
1198 
1199  fnbuf[0] = '\0'; /* indicate we're not going to load from a
1200  * file */
1201  }
1202  else
1203 #endif /* USE_SSL_ENGINE */
1204  {
1205  /* PGSSLKEY is not an engine, treat it as a filename */
1206  strlcpy(fnbuf, conn->sslkey, sizeof(fnbuf));
1207  }
1208  }
1209  else if (have_homedir)
1210  {
1211  /* No PGSSLKEY specified, load default file */
1212  snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, USER_KEY_FILE);
1213  }
1214  else
1215  fnbuf[0] = '\0';
1216 
1217  if (have_cert && fnbuf[0] != '\0')
1218  {
1219  /* read the client key from file */
1220 
1221  if (stat(fnbuf, &buf) != 0)
1222  {
1224  libpq_gettext("certificate present, but not private key file \"%s\"\n"),
1225  fnbuf);
1226  return -1;
1227  }
1228 #ifndef WIN32
1229  if (!S_ISREG(buf.st_mode) || buf.st_mode & (S_IRWXG | S_IRWXO))
1230  {
1232  libpq_gettext("private key file \"%s\" has group or world access; permissions should be u=rw (0600) or less\n"),
1233  fnbuf);
1234  return -1;
1235  }
1236 #endif
1237 
1238  if (SSL_use_PrivateKey_file(conn->ssl, fnbuf, SSL_FILETYPE_PEM) != 1)
1239  {
1240  char *err = SSLerrmessage(ERR_get_error());
1241 
1242  /*
1243  * We'll try to load the file in DER (binary ASN.1) format, and if
1244  * that fails too, report the original error. This could mask
1245  * issues where there's something wrong with a DER-format cert,
1246  * but we'd have to duplicate openssl's format detection to be
1247  * smarter than this. We can't just probe for a leading -----BEGIN
1248  * because PEM can have leading non-matching lines and blanks.
1249  * OpenSSL doesn't expose its get_name(...) and its PEM routines
1250  * don't differentiate between failure modes in enough detail to
1251  * let us tell the difference between "not PEM, try DER" and
1252  * "wrong password".
1253  */
1254  if (SSL_use_PrivateKey_file(conn->ssl, fnbuf, SSL_FILETYPE_ASN1) != 1)
1255  {
1257  libpq_gettext("could not load private key file \"%s\": %s\n"),
1258  fnbuf, err);
1259  SSLerrfree(err);
1260  return -1;
1261  }
1262 
1263  SSLerrfree(err);
1264 
1265  }
1266  }
1267 
1268  /* verify that the cert and key go together */
1269  if (have_cert &&
1270  SSL_check_private_key(conn->ssl) != 1)
1271  {
1272  char *err = SSLerrmessage(ERR_get_error());
1273 
1275  libpq_gettext("certificate does not match private key file \"%s\": %s\n"),
1276  fnbuf, err);
1277  SSLerrfree(err);
1278  return -1;
1279  }
1280 
1281  /*
1282  * If a root cert was loaded, also set our certificate verification
1283  * callback.
1284  */
1285  if (have_rootcert)
1286  SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, verify_cb);
1287 
1288  /*
1289  * Set compression option if necessary.
1290  */
1291  if (conn->sslcompression && conn->sslcompression[0] == '0')
1292  SSL_set_options(conn->ssl, SSL_OP_NO_COMPRESSION);
1293  else
1294  SSL_clear_options(conn->ssl, SSL_OP_NO_COMPRESSION);
1295 
1296  return 0;
1297 }
void appendPQExpBufferStr(PQExpBuffer str, const char *data)
Definition: pqexpbuffer.c:369
#define PG_STRERROR_R_BUFLEN
Definition: port.h:234
char * sslsni
Definition: libpq-int.h:386
char * ssl_min_protocol_version
Definition: libpq-int.h:392
static PQsslKeyPassHook_OpenSSL_type PQsslKeyPassHook
static int PQssl_passwd_cb(char *buf, int size, int rwflag, void *userdata)
char * sslkey
Definition: libpq-int.h:380
char * sslcompression
Definition: libpq-int.h:379
#define MAXPGPATH
void appendPQExpBuffer(PQExpBuffer str, const char *fmt,...)
Definition: pqexpbuffer.c:267
bool ssl_in_use
Definition: libpq-int.h:506
static char * buf
Definition: pg_test_fsync.c:68
#define S_IRWXG
Definition: win32_port.h:301
char * sslpassword
Definition: libpq-int.h:382
static int verify_cb(int ok, X509_STORE_CTX *ctx)
pgsocket sock
Definition: libpq-int.h:443
#define S_ISREG(m)
Definition: win32_port.h:319
static int my_SSL_set_fd(PGconn *conn, int fd)
static void SSLerrfree(char *buf)
char * sslmode
Definition: libpq-int.h:378
PQExpBufferData errorMessage
Definition: libpq-int.h:569
char * sslcert
Definition: libpq-int.h:381
#define free(a)
Definition: header.h:65
size_t strlcpy(char *dst, const char *src, size_t siz)
Definition: strlcpy.c:45
int SSL_CTX_set_min_proto_version(SSL_CTX *ctx, int version)
static int ssl_protocol_version_to_openssl(const char *protocol)
#define strerror_r
Definition: port.h:233
char * sslrootcert
Definition: libpq-int.h:383
static char * SSLerrmessage(unsigned long ecode)
static SSL_CTX * SSL_context
char * ssl_max_protocol_version
Definition: libpq-int.h:393
bool pqGetHomeDirectory(char *buf, int bufsize)
Definition: fe-connect.c:7225
char * sslcrldir
Definition: libpq-int.h:385
int SSL_CTX_set_max_proto_version(SSL_CTX *ctx, int version)
#define snprintf
Definition: port.h:216
char * sslcrl
Definition: libpq-int.h:384
#define S_IRWXO
Definition: win32_port.h:313
#define libpq_gettext(x)
Definition: libpq-int.h:846
#define stat
Definition: win32_port.h:275
char * pghost
Definition: libpq-int.h:349

◆ my_BIO_s_socket()

static BIO_METHOD * my_BIO_s_socket ( void  )
static

Definition at line 1689 of file fe-secure-openssl.c.

References malloc, my_bio_methods, my_sock_read(), and my_sock_write().

Referenced by my_SSL_set_fd().

1690 {
1691  if (!my_bio_methods)
1692  {
1693  BIO_METHOD *biom = (BIO_METHOD *) BIO_s_socket();
1694 #ifdef HAVE_BIO_METH_NEW
1695  int my_bio_index;
1696 
1697  my_bio_index = BIO_get_new_index();
1698  if (my_bio_index == -1)
1699  return NULL;
1700  my_bio_methods = BIO_meth_new(my_bio_index, "libpq socket");
1701  if (!my_bio_methods)
1702  return NULL;
1703 
1704  /*
1705  * As of this writing, these functions never fail. But check anyway,
1706  * like OpenSSL's own examples do.
1707  */
1708  if (!BIO_meth_set_write(my_bio_methods, my_sock_write) ||
1709  !BIO_meth_set_read(my_bio_methods, my_sock_read) ||
1710  !BIO_meth_set_gets(my_bio_methods, BIO_meth_get_gets(biom)) ||
1711  !BIO_meth_set_puts(my_bio_methods, BIO_meth_get_puts(biom)) ||
1712  !BIO_meth_set_ctrl(my_bio_methods, BIO_meth_get_ctrl(biom)) ||
1713  !BIO_meth_set_create(my_bio_methods, BIO_meth_get_create(biom)) ||
1714  !BIO_meth_set_destroy(my_bio_methods, BIO_meth_get_destroy(biom)) ||
1715  !BIO_meth_set_callback_ctrl(my_bio_methods, BIO_meth_get_callback_ctrl(biom)))
1716  {
1717  BIO_meth_free(my_bio_methods);
1718  my_bio_methods = NULL;
1719  return NULL;
1720  }
1721 #else
1722  my_bio_methods = malloc(sizeof(BIO_METHOD));
1723  if (!my_bio_methods)
1724  return NULL;
1725  memcpy(my_bio_methods, biom, sizeof(BIO_METHOD));
1726  my_bio_methods->bread = my_sock_read;
1727  my_bio_methods->bwrite = my_sock_write;
1728 #endif
1729  }
1730  return my_bio_methods;
1731 }
static int my_sock_write(BIO *h, const char *buf, int size)
#define malloc(a)
Definition: header.h:50
static BIO_METHOD * my_bio_methods
static int my_sock_read(BIO *h, char *buf, int size)

◆ my_sock_read()

static int my_sock_read ( BIO *  h,
char *  buf,
int  size 
)
static

Definition at line 1629 of file fe-secure-openssl.c.

References BIO_get_data, EAGAIN, EINTR, EWOULDBLOCK, pqsecure_raw_read(), and SOCK_ERRNO.

Referenced by my_BIO_s_socket().

1630 {
1631  int res;
1632 
1633  res = pqsecure_raw_read((PGconn *) BIO_get_data(h), buf, size);
1634  BIO_clear_retry_flags(h);
1635  if (res < 0)
1636  {
1637  /* If we were interrupted, tell caller to retry */
1638  switch (SOCK_ERRNO)
1639  {
1640 #ifdef EAGAIN
1641  case EAGAIN:
1642 #endif
1643 #if defined(EWOULDBLOCK) && (!defined(EAGAIN) || (EWOULDBLOCK != EAGAIN))
1644  case EWOULDBLOCK:
1645 #endif
1646  case EINTR:
1647  BIO_set_retry_read(h);
1648  break;
1649 
1650  default:
1651  break;
1652  }
1653  }
1654 
1655  return res;
1656 }
#define EAGAIN
Definition: win32_port.h:341
ssize_t pqsecure_raw_read(PGconn *conn, void *ptr, size_t len)
Definition: fe-secure.c:232
#define SOCK_ERRNO
Definition: libpq-int.h:859
static char * buf
Definition: pg_test_fsync.c:68
#define EWOULDBLOCK
Definition: win32_port.h:349
#define EINTR
Definition: win32_port.h:343
#define BIO_get_data(bio)

◆ my_sock_write()

static int my_sock_write ( BIO *  h,
const char *  buf,
int  size 
)
static

Definition at line 1659 of file fe-secure-openssl.c.

References BIO_get_data, EAGAIN, EINTR, EWOULDBLOCK, pqsecure_raw_write(), and SOCK_ERRNO.

Referenced by my_BIO_s_socket().

1660 {
1661  int res;
1662 
1663  res = pqsecure_raw_write((PGconn *) BIO_get_data(h), buf, size);
1664  BIO_clear_retry_flags(h);
1665  if (res <= 0)
1666  {
1667  /* If we were interrupted, tell caller to retry */
1668  switch (SOCK_ERRNO)
1669  {
1670 #ifdef EAGAIN
1671  case EAGAIN:
1672 #endif
1673 #if defined(EWOULDBLOCK) && (!defined(EAGAIN) || (EWOULDBLOCK != EAGAIN))
1674  case EWOULDBLOCK:
1675 #endif
1676  case EINTR:
1677  BIO_set_retry_write(h);
1678  break;
1679 
1680  default:
1681  break;
1682  }
1683  }
1684 
1685  return res;
1686 }
#define EAGAIN
Definition: win32_port.h:341
#define SOCK_ERRNO
Definition: libpq-int.h:859
static char * buf
Definition: pg_test_fsync.c:68
ssize_t pqsecure_raw_write(PGconn *conn, const void *ptr, size_t len)
Definition: fe-secure.c:314
#define EWOULDBLOCK
Definition: win32_port.h:349
#define EINTR
Definition: win32_port.h:343
#define BIO_get_data(bio)

◆ my_SSL_set_fd()

static int my_SSL_set_fd ( PGconn conn,
int  fd 
)
static

Definition at line 1735 of file fe-secure-openssl.c.

References BIO_set_data, and my_BIO_s_socket().

Referenced by initialize_SSL().

1736 {
1737  int ret = 0;
1738  BIO *bio;
1739  BIO_METHOD *bio_method;
1740 
1741  bio_method = my_BIO_s_socket();
1742  if (bio_method == NULL)
1743  {
1744  SSLerr(SSL_F_SSL_SET_FD, ERR_R_BUF_LIB);
1745  goto err;
1746  }
1747  bio = BIO_new(bio_method);
1748  if (bio == NULL)
1749  {
1750  SSLerr(SSL_F_SSL_SET_FD, ERR_R_BUF_LIB);
1751  goto err;
1752  }
1753  BIO_set_data(bio, conn);
1754 
1755  SSL_set_bio(conn->ssl, bio, bio);
1756  BIO_set_fd(bio, fd, BIO_NOCLOSE);
1757  ret = 1;
1758 err:
1759  return ret;
1760 }
#define BIO_set_data(bio, data)
static int fd(const char *x, int i)
Definition: preproc-init.c:105
static BIO_METHOD * my_BIO_s_socket(void)

◆ open_client_SSL()

static PostgresPollingStatusType open_client_SSL ( PGconn conn)
static

Definition at line 1303 of file fe-secure-openssl.c.

References appendPQExpBuffer(), appendPQExpBufferStr(), pg_conn::errorMessage, libpq_gettext, PG_STRERROR_R_BUFLEN, PGRES_POLLING_FAILED, PGRES_POLLING_OK, PGRES_POLLING_READING, PGRES_POLLING_WRITING, pgtls_close(), pq_verify_peer_name_matches_certificate(), SOCK_ERRNO, SOCK_STRERROR, pg_conn::ssl_max_protocol_version, pg_conn::ssl_min_protocol_version, SSLerrfree(), and SSLerrmessage().

Referenced by pgtls_open_client().

1304 {
1305  int r;
1306 
1307  ERR_clear_error();
1308  r = SSL_connect(conn->ssl);
1309  if (r <= 0)
1310  {
1311  int err = SSL_get_error(conn->ssl, r);
1312  unsigned long ecode;
1313 
1314  ecode = ERR_get_error();
1315  switch (err)
1316  {
1317  case SSL_ERROR_WANT_READ:
1318  return PGRES_POLLING_READING;
1319 
1320  case SSL_ERROR_WANT_WRITE:
1321  return PGRES_POLLING_WRITING;
1322 
1323  case SSL_ERROR_SYSCALL:
1324  {
1325  char sebuf[PG_STRERROR_R_BUFLEN];
1326 
1327  if (r == -1)
1329  libpq_gettext("SSL SYSCALL error: %s\n"),
1330  SOCK_STRERROR(SOCK_ERRNO, sebuf, sizeof(sebuf)));
1331  else
1333  libpq_gettext("SSL SYSCALL error: EOF detected\n"));
1334  pgtls_close(conn);
1335  return PGRES_POLLING_FAILED;
1336  }
1337  case SSL_ERROR_SSL:
1338  {
1339  char *err = SSLerrmessage(ecode);
1340 
1342  libpq_gettext("SSL error: %s\n"),
1343  err);
1344  SSLerrfree(err);
1345  switch (ERR_GET_REASON(ecode))
1346  {
1347  /*
1348  * UNSUPPORTED_PROTOCOL, WRONG_VERSION_NUMBER, and
1349  * TLSV1_ALERT_PROTOCOL_VERSION have been observed
1350  * when trying to communicate with an old OpenSSL
1351  * library, or when the client and server specify
1352  * disjoint protocol ranges.
1353  * NO_PROTOCOLS_AVAILABLE occurs if there's a
1354  * local misconfiguration (which can happen
1355  * despite our checks, if openssl.cnf injects a
1356  * limit we didn't account for). It's not very
1357  * clear what would make OpenSSL return the other
1358  * codes listed here, but a hint about protocol
1359  * versions seems like it's appropriate for all.
1360  */
1361  case SSL_R_NO_PROTOCOLS_AVAILABLE:
1362  case SSL_R_UNSUPPORTED_PROTOCOL:
1363  case SSL_R_BAD_PROTOCOL_VERSION_NUMBER:
1364  case SSL_R_UNKNOWN_PROTOCOL:
1365  case SSL_R_UNKNOWN_SSL_VERSION:
1366  case SSL_R_UNSUPPORTED_SSL_VERSION:
1367  case SSL_R_WRONG_SSL_VERSION:
1368  case SSL_R_WRONG_VERSION_NUMBER:
1369  case SSL_R_TLSV1_ALERT_PROTOCOL_VERSION:
1370 #ifdef SSL_R_VERSION_TOO_HIGH
1371  case SSL_R_VERSION_TOO_HIGH:
1372  case SSL_R_VERSION_TOO_LOW:
1373 #endif
1375  libpq_gettext("This may indicate that the server does not support any SSL protocol version between %s and %s.\n"),
1376  conn->ssl_min_protocol_version ?
1377  conn->ssl_min_protocol_version :
1378  MIN_OPENSSL_TLS_VERSION,
1379  conn->ssl_max_protocol_version ?
1380  conn->ssl_max_protocol_version :
1381  MAX_OPENSSL_TLS_VERSION);
1382  break;
1383  default:
1384  break;
1385  }
1386  pgtls_close(conn);
1387  return PGRES_POLLING_FAILED;
1388  }
1389 
1390  default:
1392  libpq_gettext("unrecognized SSL error code: %d\n"),
1393  err);
1394  pgtls_close(conn);
1395  return PGRES_POLLING_FAILED;
1396  }
1397  }
1398 
1399  /*
1400  * We already checked the server certificate in initialize_SSL() using
1401  * SSL_CTX_set_verify(), if root.crt exists.
1402  */
1403 
1404  /* get server certificate */
1405  conn->peer = SSL_get_peer_certificate(conn->ssl);
1406  if (conn->peer == NULL)
1407  {
1408  char *err = SSLerrmessage(ERR_get_error());
1409 
1411  libpq_gettext("certificate could not be obtained: %s\n"),
1412  err);
1413  SSLerrfree(err);
1414  pgtls_close(conn);
1415  return PGRES_POLLING_FAILED;
1416  }
1417 
1419  {
1420  pgtls_close(conn);
1421  return PGRES_POLLING_FAILED;
1422  }
1423 
1424  /* SSL handshake is complete */
1425  return PGRES_POLLING_OK;
1426 }
void appendPQExpBufferStr(PQExpBuffer str, const char *data)
Definition: pqexpbuffer.c:369
#define PG_STRERROR_R_BUFLEN
Definition: port.h:234
char * ssl_min_protocol_version
Definition: libpq-int.h:392
#define SOCK_STRERROR
Definition: libpq-int.h:860
#define SOCK_ERRNO
Definition: libpq-int.h:859
void appendPQExpBuffer(PQExpBuffer str, const char *fmt,...)
Definition: pqexpbuffer.c:267
bool pq_verify_peer_name_matches_certificate(PGconn *conn)
static void SSLerrfree(char *buf)
void pgtls_close(PGconn *conn)
PQExpBufferData errorMessage
Definition: libpq-int.h:569
static char * SSLerrmessage(unsigned long ecode)
char * ssl_max_protocol_version
Definition: libpq-int.h:393
#define libpq_gettext(x)
Definition: libpq-int.h:846

◆ openssl_verify_peer_name_matches_certificate_name()

static int openssl_verify_peer_name_matches_certificate_name ( PGconn conn,
ASN1_STRING *  name,
char **  store_name 
)
static

Definition at line 478 of file fe-secure-openssl.c.

References appendPQExpBufferStr(), pg_conn::errorMessage, libpq_gettext, and pq_verify_peer_name_matches_certificate_name().

Referenced by pgtls_verify_peer_name_matches_certificate_guts().

480 {
481  int len;
482  const unsigned char *namedata;
483 
484  /* Should not happen... */
485  if (name_entry == NULL)
486  {
488  libpq_gettext("SSL certificate's name entry is missing\n"));
489  return -1;
490  }
491 
492  /*
493  * GEN_DNS can be only IA5String, equivalent to US ASCII.
494  */
495 #ifdef HAVE_ASN1_STRING_GET0_DATA
496  namedata = ASN1_STRING_get0_data(name_entry);
497 #else
498  namedata = ASN1_STRING_data(name_entry);
499 #endif
500  len = ASN1_STRING_length(name_entry);
501 
502  /* OK to cast from unsigned to plain char, since it's all ASCII. */
503  return pq_verify_peer_name_matches_certificate_name(conn, (const char *) namedata, len, store_name);
504 }
void appendPQExpBufferStr(PQExpBuffer str, const char *data)
Definition: pqexpbuffer.c:369
int pq_verify_peer_name_matches_certificate_name(PGconn *conn, const char *namedata, size_t namelen, char **store_name)
PQExpBufferData errorMessage
Definition: libpq-int.h:569
#define libpq_gettext(x)
Definition: libpq-int.h:846

◆ pgtls_close()

void pgtls_close ( PGconn conn)

Definition at line 1429 of file fe-secure-openssl.c.

References destroy_ssl_system(), and pg_conn::ssl_in_use.

Referenced by open_client_SSL(), pgtls_open_client(), and pqsecure_close().

1430 {
1431  bool destroy_needed = false;
1432 
1433  if (conn->ssl_in_use)
1434  {
1435  if (conn->ssl)
1436  {
1437  /*
1438  * We can't destroy everything SSL-related here due to the
1439  * possible later calls to OpenSSL routines which may need our
1440  * thread callbacks, so set a flag here and check at the end.
1441  */
1442 
1443  SSL_shutdown(conn->ssl);
1444  SSL_free(conn->ssl);
1445  conn->ssl = NULL;
1446  conn->ssl_in_use = false;
1447 
1448  destroy_needed = true;
1449  }
1450 
1451  if (conn->peer)
1452  {
1453  X509_free(conn->peer);
1454  conn->peer = NULL;
1455  }
1456 
1457 #ifdef USE_SSL_ENGINE
1458  if (conn->engine)
1459  {
1460  ENGINE_finish(conn->engine);
1461  ENGINE_free(conn->engine);
1462  conn->engine = NULL;
1463  }
1464 #endif
1465  }
1466  else
1467  {
1468  /*
1469  * In the non-SSL case, just remove the crypto callbacks if the
1470  * connection has then loaded. This code path has no dependency on
1471  * any pending SSL calls.
1472  */
1473  if (conn->crypto_loaded)
1474  destroy_needed = true;
1475  }
1476 
1477  /*
1478  * This will remove our crypto locking hooks if this is the last
1479  * connection using libcrypto which means we must wait to call it until
1480  * after all the potential SSL calls have been made, otherwise we can end
1481  * up with a race condition and possible deadlocks.
1482  *
1483  * See comments above destroy_ssl_system().
1484  */
1485  if (destroy_needed)
1486  {
1488  conn->crypto_loaded = false;
1489  }
1490 }
bool ssl_in_use
Definition: libpq-int.h:506
static void destroy_ssl_system(void)

◆ pgtls_init()

int pgtls_init ( PGconn conn,
bool  do_ssl,
bool  do_crypto 
)

Definition at line 638 of file fe-secure-openssl.c.

References free, i, malloc, pq_init_crypto_lib, pq_init_ssl_lib, pthread_mutex_init(), pthread_mutex_lock(), pthread_mutex_unlock(), and ssl_lib_initialized.

Referenced by pqsecure_initialize().

639 {
640 #ifdef ENABLE_THREAD_SAFETY
641 #ifdef WIN32
642  /* Also see similar code in fe-connect.c, default_threadlock() */
643  if (ssl_config_mutex == NULL)
644  {
645  while (InterlockedExchange(&win32_ssl_create_mutex, 1) == 1)
646  /* loop, another thread own the lock */ ;
647  if (ssl_config_mutex == NULL)
648  {
649  if (pthread_mutex_init(&ssl_config_mutex, NULL))
650  return -1;
651  }
652  InterlockedExchange(&win32_ssl_create_mutex, 0);
653  }
654 #endif
655  if (pthread_mutex_lock(&ssl_config_mutex))
656  return -1;
657 
658 #ifdef HAVE_CRYPTO_LOCK
659  if (pq_init_crypto_lib)
660  {
661  /*
662  * If necessary, set up an array to hold locks for libcrypto.
663  * libcrypto will tell us how big to make this array.
664  */
665  if (pq_lockarray == NULL)
666  {
667  int i;
668 
669  pq_lockarray = malloc(sizeof(pthread_mutex_t) * CRYPTO_num_locks());
670  if (!pq_lockarray)
671  {
672  pthread_mutex_unlock(&ssl_config_mutex);
673  return -1;
674  }
675  for (i = 0; i < CRYPTO_num_locks(); i++)
676  {
677  if (pthread_mutex_init(&pq_lockarray[i], NULL))
678  {
679  free(pq_lockarray);
680  pq_lockarray = NULL;
681  pthread_mutex_unlock(&ssl_config_mutex);
682  return -1;
683  }
684  }
685  }
686 
687  if (do_crypto && !conn->crypto_loaded)
688  {
689  if (crypto_open_connections++ == 0)
690  {
691  /*
692  * These are only required for threaded libcrypto
693  * applications, but make sure we don't stomp on them if
694  * they're already set.
695  */
696  if (CRYPTO_get_id_callback() == NULL)
697  CRYPTO_set_id_callback(pq_threadidcallback);
698  if (CRYPTO_get_locking_callback() == NULL)
699  CRYPTO_set_locking_callback(pq_lockingcallback);
700  }
701 
702  conn->crypto_loaded = true;
703  }
704  }
705 #endif /* HAVE_CRYPTO_LOCK */
706 #endif /* ENABLE_THREAD_SAFETY */
707 
708  if (!ssl_lib_initialized && do_ssl)
709  {
710  if (pq_init_ssl_lib)
711  {
712 #ifdef HAVE_OPENSSL_INIT_SSL
713  OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
714 #else
715  OPENSSL_config(NULL);
716  SSL_library_init();
717  SSL_load_error_strings();
718 #endif
719  }
720  ssl_lib_initialized = true;
721  }
722 
723 #ifdef ENABLE_THREAD_SAFETY
724  pthread_mutex_unlock(&ssl_config_mutex);
725 #endif
726  return 0;
727 }
static bool pq_init_ssl_lib
CRITICAL_SECTION * pthread_mutex_t
Definition: pthread-win32.h:8
int pthread_mutex_init(pthread_mutex_t *mp, void *attr)
Definition: pthread-win32.c:35
#define malloc(a)
Definition: header.h:50
int pthread_mutex_lock(pthread_mutex_t *mp)
Definition: pthread-win32.c:45
int pthread_mutex_unlock(pthread_mutex_t *mp)
Definition: pthread-win32.c:54
static bool pq_init_crypto_lib
#define free(a)
Definition: header.h:65
int i
static bool ssl_lib_initialized

◆ pgtls_init_library()

void pgtls_init_library ( bool  do_ssl,
int  do_crypto 
)

Definition at line 106 of file fe-secure-openssl.c.

References pq_init_crypto_lib, and pq_init_ssl_lib.

Referenced by PQinitOpenSSL(), and PQinitSSL().

107 {
108 #ifdef ENABLE_THREAD_SAFETY
109 
110  /*
111  * Disallow changing the flags while we have open connections, else we'd
112  * get completely confused.
113  */
114  if (crypto_open_connections != 0)
115  return;
116 #endif
117 
118  pq_init_ssl_lib = do_ssl;
119  pq_init_crypto_lib = do_crypto;
120 }
static bool pq_init_ssl_lib
static bool pq_init_crypto_lib

◆ pgtls_open_client()

PostgresPollingStatusType pgtls_open_client ( PGconn conn)

Definition at line 123 of file fe-secure-openssl.c.

References initialize_SSL(), open_client_SSL(), PGRES_POLLING_FAILED, and pgtls_close().

Referenced by pqsecure_open_client().

124 {
125  /* First time through? */
126  if (conn->ssl == NULL)
127  {
128  /*
129  * Create a connection-specific SSL object, and load client
130  * certificate, private key, and trusted CA certs.
131  */
132  if (initialize_SSL(conn) != 0)
133  {
134  /* initialize_SSL already put a message in conn->errorMessage */
135  pgtls_close(conn);
136  return PGRES_POLLING_FAILED;
137  }
138  }
139 
140  /* Begin or continue the actual handshake */
141  return open_client_SSL(conn);
142 }
static PostgresPollingStatusType open_client_SSL(PGconn *)
static int initialize_SSL(PGconn *conn)
void pgtls_close(PGconn *conn)

◆ pgtls_read()

ssize_t pgtls_read ( PGconn conn,
void *  ptr,
size_t  len 
)

Definition at line 145 of file fe-secure-openssl.c.

References appendPQExpBuffer(), appendPQExpBufferStr(), ECONNRESET, pg_conn::errorMessage, libpq_gettext, PG_STRERROR_R_BUFLEN, SOCK_ERRNO, SOCK_ERRNO_SET, SOCK_STRERROR, SSLerrfree(), and SSLerrmessage().

Referenced by pqsecure_read().

146 {
147  ssize_t n;
148  int result_errno = 0;
149  char sebuf[PG_STRERROR_R_BUFLEN];
150  int err;
151  unsigned long ecode;
152 
153 rloop:
154 
155  /*
156  * Prepare to call SSL_get_error() by clearing thread's OpenSSL error
157  * queue. In general, the current thread's error queue must be empty
158  * before the TLS/SSL I/O operation is attempted, or SSL_get_error() will
159  * not work reliably. Since the possibility exists that other OpenSSL
160  * clients running in the same thread but not under our control will fail
161  * to call ERR_get_error() themselves (after their own I/O operations),
162  * pro-actively clear the per-thread error queue now.
163  */
164  SOCK_ERRNO_SET(0);
165  ERR_clear_error();
166  n = SSL_read(conn->ssl, ptr, len);
167  err = SSL_get_error(conn->ssl, n);
168 
169  /*
170  * Other clients of OpenSSL may fail to call ERR_get_error(), but we
171  * always do, so as to not cause problems for OpenSSL clients that don't
172  * call ERR_clear_error() defensively. Be sure that this happens by
173  * calling now. SSL_get_error() relies on the OpenSSL per-thread error
174  * queue being intact, so this is the earliest possible point
175  * ERR_get_error() may be called.
176  */
177  ecode = (err != SSL_ERROR_NONE || n < 0) ? ERR_get_error() : 0;
178  switch (err)
179  {
180  case SSL_ERROR_NONE:
181  if (n < 0)
182  {
183  /* Not supposed to happen, so we don't translate the msg */
185  "SSL_read failed but did not provide error information\n");
186  /* assume the connection is broken */
187  result_errno = ECONNRESET;
188  }
189  break;
190  case SSL_ERROR_WANT_READ:
191  n = 0;
192  break;
193  case SSL_ERROR_WANT_WRITE:
194 
195  /*
196  * Returning 0 here would cause caller to wait for read-ready,
197  * which is not correct since what SSL wants is wait for
198  * write-ready. The former could get us stuck in an infinite
199  * wait, so don't risk it; busy-loop instead.
200  */
201  goto rloop;
202  case SSL_ERROR_SYSCALL:
203  if (n < 0)
204  {
205  result_errno = SOCK_ERRNO;
206  if (result_errno == EPIPE ||
207  result_errno == ECONNRESET)
209  libpq_gettext("server closed the connection unexpectedly\n"
210  "\tThis probably means the server terminated abnormally\n"
211  "\tbefore or while processing the request.\n"));
212  else
214  libpq_gettext("SSL SYSCALL error: %s\n"),
215  SOCK_STRERROR(result_errno,
216  sebuf, sizeof(sebuf)));
217  }
218  else
219  {
221  libpq_gettext("SSL SYSCALL error: EOF detected\n"));
222  /* assume the connection is broken */
223  result_errno = ECONNRESET;
224  n = -1;
225  }
226  break;
227  case SSL_ERROR_SSL:
228  {
229  char *errm = SSLerrmessage(ecode);
230 
232  libpq_gettext("SSL error: %s\n"), errm);
233  SSLerrfree(errm);
234  /* assume the connection is broken */
235  result_errno = ECONNRESET;
236  n = -1;
237  break;
238  }
239  case SSL_ERROR_ZERO_RETURN:
240 
241  /*
242  * Per OpenSSL documentation, this error code is only returned for
243  * a clean connection closure, so we should not report it as a
244  * server crash.
245  */
247  libpq_gettext("SSL connection has been closed unexpectedly\n"));
248  result_errno = ECONNRESET;
249  n = -1;
250  break;
251  default:
253  libpq_gettext("unrecognized SSL error code: %d\n"),
254  err);
255  /* assume the connection is broken */
256  result_errno = ECONNRESET;
257  n = -1;
258  break;
259  }
260 
261  /* ensure we return the intended errno to caller */
262  SOCK_ERRNO_SET(result_errno);
263 
264  return n;
265 }
void appendPQExpBufferStr(PQExpBuffer str, const char *data)
Definition: pqexpbuffer.c:369
#define PG_STRERROR_R_BUFLEN
Definition: port.h:234
#define SOCK_STRERROR
Definition: libpq-int.h:860
#define SOCK_ERRNO
Definition: libpq-int.h:859
void appendPQExpBuffer(PQExpBuffer str, const char *fmt,...)
Definition: pqexpbuffer.c:267
#define SOCK_ERRNO_SET(e)
Definition: libpq-int.h:861
static void SSLerrfree(char *buf)
PQExpBufferData errorMessage
Definition: libpq-int.h:569
#define ECONNRESET
Definition: win32_port.h:353
static char * SSLerrmessage(unsigned long ecode)
#define libpq_gettext(x)
Definition: libpq-int.h:846

◆ pgtls_read_pending()

bool pgtls_read_pending ( PGconn conn)

Definition at line 268 of file fe-secure-openssl.c.

Referenced by pqSocketCheck().

269 {
270  return SSL_pending(conn->ssl) > 0;
271 }

◆ pgtls_verify_peer_name_matches_certificate_guts()

int pgtls_verify_peer_name_matches_certificate_guts ( PGconn conn,
int *  names_examined,
char **  first_name 
)

Definition at line 512 of file fe-secure-openssl.c.

References free, i, mode, name, openssl_verify_peer_name_matches_certificate_name(), pthread_mutex_lock(), pthread_mutex_unlock(), and pthread_self().

Referenced by pq_verify_peer_name_matches_certificate().

515 {
516  STACK_OF(GENERAL_NAME) * peer_san;
517  int i;
518  int rc = 0;
519 
520  /*
521  * First, get the Subject Alternative Names (SANs) from the certificate,
522  * and compare them against the originally given hostname.
523  */
524  peer_san = (STACK_OF(GENERAL_NAME) *)
525  X509_get_ext_d2i(conn->peer, NID_subject_alt_name, NULL, NULL);
526 
527  if (peer_san)
528  {
529  int san_len = sk_GENERAL_NAME_num(peer_san);
530 
531  for (i = 0; i < san_len; i++)
532  {
533  const GENERAL_NAME *name = sk_GENERAL_NAME_value(peer_san, i);
534 
535  if (name->type == GEN_DNS)
536  {
537  char *alt_name;
538 
539  (*names_examined)++;
541  name->d.dNSName,
542  &alt_name);
543 
544  if (alt_name)
545  {
546  if (!*first_name)
547  *first_name = alt_name;
548  else
549  free(alt_name);
550  }
551  }
552  if (rc != 0)
553  break;
554  }
555  sk_GENERAL_NAME_pop_free(peer_san, GENERAL_NAME_free);
556  }
557 
558  /*
559  * If there is no subjectAltName extension of type dNSName, check the
560  * Common Name.
561  *
562  * (Per RFC 2818 and RFC 6125, if the subjectAltName extension of type
563  * dNSName is present, the CN must be ignored.)
564  */
565  if (*names_examined == 0)
566  {
567  X509_NAME *subject_name;
568 
569  subject_name = X509_get_subject_name(conn->peer);
570  if (subject_name != NULL)
571  {
572  int cn_index;
573 
574  cn_index = X509_NAME_get_index_by_NID(subject_name,
575  NID_commonName, -1);
576  if (cn_index >= 0)
577  {
578  (*names_examined)++;
580  X509_NAME_ENTRY_get_data(X509_NAME_get_entry(subject_name, cn_index)),
581  first_name);
582  }
583  }
584  }
585 
586  return rc;
587 }
static int openssl_verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name, char **store_name)
#define free(a)
Definition: header.h:65
const char * name
Definition: encode.c:515
int i

◆ pgtls_write()

ssize_t pgtls_write ( PGconn conn,
const void *  ptr,
size_t  len 
)

Definition at line 274 of file fe-secure-openssl.c.

References appendPQExpBuffer(), appendPQExpBufferStr(), conn, ECONNRESET, pg_conn::errorMessage, hash(), libpq_gettext, malloc, PG_STRERROR_R_BUFLEN, SOCK_ERRNO, SOCK_ERRNO_SET, SOCK_STRERROR, SSLerrfree(), and SSLerrmessage().

Referenced by pqsecure_write().

275 {
276  ssize_t n;
277  int result_errno = 0;
278  char sebuf[PG_STRERROR_R_BUFLEN];
279  int err;
280  unsigned long ecode;
281 
282  SOCK_ERRNO_SET(0);
283  ERR_clear_error();
284  n = SSL_write(conn->ssl, ptr, len);
285  err = SSL_get_error(conn->ssl, n);
286  ecode = (err != SSL_ERROR_NONE || n < 0) ? ERR_get_error() : 0;
287  switch (err)
288  {
289  case SSL_ERROR_NONE:
290  if (n < 0)
291  {
292  /* Not supposed to happen, so we don't translate the msg */
294  "SSL_write failed but did not provide error information\n");
295  /* assume the connection is broken */
296  result_errno = ECONNRESET;
297  }
298  break;
299  case SSL_ERROR_WANT_READ:
300 
301  /*
302  * Returning 0 here causes caller to wait for write-ready, which
303  * is not really the right thing, but it's the best we can do.
304  */
305  n = 0;
306  break;
307  case SSL_ERROR_WANT_WRITE:
308  n = 0;
309  break;
310  case SSL_ERROR_SYSCALL:
311  if (n < 0)
312  {
313  result_errno = SOCK_ERRNO;
314  if (result_errno == EPIPE || result_errno == ECONNRESET)
316  libpq_gettext("server closed the connection unexpectedly\n"
317  "\tThis probably means the server terminated abnormally\n"
318  "\tbefore or while processing the request.\n"));
319  else
321  libpq_gettext("SSL SYSCALL error: %s\n"),
322  SOCK_STRERROR(result_errno,
323  sebuf, sizeof(sebuf)));
324  }
325  else
326  {
328  libpq_gettext("SSL SYSCALL error: EOF detected\n"));
329  /* assume the connection is broken */
330  result_errno = ECONNRESET;
331  n = -1;
332  }
333  break;
334  case SSL_ERROR_SSL:
335  {
336  char *errm = SSLerrmessage(ecode);
337 
339  libpq_gettext("SSL error: %s\n"), errm);
340  SSLerrfree(errm);
341  /* assume the connection is broken */
342  result_errno = ECONNRESET;
343  n = -1;
344  break;
345  }
346  case SSL_ERROR_ZERO_RETURN:
347 
348  /*
349  * Per OpenSSL documentation, this error code is only returned for
350  * a clean connection closure, so we should not report it as a
351  * server crash.
352  */
354  libpq_gettext("SSL connection has been closed unexpectedly\n"));
355  result_errno = ECONNRESET;
356  n = -1;
357  break;
358  default:
360  libpq_gettext("unrecognized SSL error code: %d\n"),
361  err);
362  /* assume the connection is broken */
363  result_errno = ECONNRESET;
364  n = -1;
365  break;
366  }
367 
368  /* ensure we return the intended errno to caller */
369  SOCK_ERRNO_SET(result_errno);
370 
371  return n;
372 }
void appendPQExpBufferStr(PQExpBuffer str, const char *data)
Definition: pqexpbuffer.c:369
#define PG_STRERROR_R_BUFLEN
Definition: port.h:234
#define SOCK_STRERROR
Definition: libpq-int.h:860
#define SOCK_ERRNO
Definition: libpq-int.h:859
void appendPQExpBuffer(PQExpBuffer str, const char *fmt,...)
Definition: pqexpbuffer.c:267
#define SOCK_ERRNO_SET(e)
Definition: libpq-int.h:861
static void SSLerrfree(char *buf)
PQExpBufferData errorMessage
Definition: libpq-int.h:569
#define ECONNRESET
Definition: win32_port.h:353
static char * SSLerrmessage(unsigned long ecode)
#define libpq_gettext(x)
Definition: libpq-int.h:846

◆ PQdefaultSSLKeyPassHook_OpenSSL()

int PQdefaultSSLKeyPassHook_OpenSSL ( char *  buf,
int  size,
PGconn conn 
)

Definition at line 1768 of file fe-secure-openssl.c.

Referenced by PQssl_passwd_cb().

1769 {
1770  if (conn->sslpassword)
1771  {
1772  if (strlen(conn->sslpassword) + 1 > size)
1773  fprintf(stderr, libpq_gettext("WARNING: sslpassword truncated\n"));
1774  strncpy(buf, conn->sslpassword, size);
1775  buf[size - 1] = '\0';
1776  return strlen(buf);
1777  }
1778  else
1779  {
1780  buf[0] = '\0';
1781  return 0;
1782  }
1783 }
#define fprintf
Definition: port.h:220
static char * buf
Definition: pg_test_fsync.c:68
char * sslpassword
Definition: libpq-int.h:382
#define libpq_gettext(x)
Definition: libpq-int.h:846

◆ PQgetssl()

void* PQgetssl ( PGconn conn)

Definition at line 1545 of file fe-secure-openssl.c.

1546 {
1547  if (!conn)
1548  return NULL;
1549  return conn->ssl;
1550 }

◆ PQgetSSLKeyPassHook_OpenSSL()

PQsslKeyPassHook_OpenSSL_type PQgetSSLKeyPassHook_OpenSSL ( void  )

Definition at line 1786 of file fe-secure-openssl.c.

1787 {
1788  return PQsslKeyPassHook;
1789 }
static PQsslKeyPassHook_OpenSSL_type PQsslKeyPassHook

◆ PQsetSSLKeyPassHook_OpenSSL()

void PQsetSSLKeyPassHook_OpenSSL ( PQsslKeyPassHook_OpenSSL_type  hook)

Definition at line 1792 of file fe-secure-openssl.c.

1793 {
1794  PQsslKeyPassHook = hook;
1795 }
static PQsslKeyPassHook_OpenSSL_type PQsslKeyPassHook

◆ PQssl_passwd_cb()

static int PQssl_passwd_cb ( char *  buf,
int  size,
int  rwflag,
void *  userdata 
)
static

Definition at line 1803 of file fe-secure-openssl.c.

References PQdefaultSSLKeyPassHook_OpenSSL(), and PQsslKeyPassHook.

Referenced by initialize_SSL().

1804 {
1805  PGconn *conn = userdata;
1806 
1807  if (PQsslKeyPassHook)
1808  return PQsslKeyPassHook(buf, size, conn);
1809  else
1810  return PQdefaultSSLKeyPassHook_OpenSSL(buf, size, conn);
1811 }
int PQdefaultSSLKeyPassHook_OpenSSL(char *buf, int size, PGconn *conn)
static PQsslKeyPassHook_OpenSSL_type PQsslKeyPassHook
PGconn * conn
Definition: streamutil.c:54
static char * buf
Definition: pg_test_fsync.c:68

◆ PQsslAttribute()

const char* PQsslAttribute ( PGconn conn,
const char *  attribute_name 
)

Definition at line 1578 of file fe-secure-openssl.c.

Referenced by printSSLInfo().

1579 {
1580  if (!conn)
1581  return NULL;
1582  if (conn->ssl == NULL)
1583  return NULL;
1584 
1585  if (strcmp(attribute_name, "library") == 0)
1586  return "OpenSSL";
1587 
1588  if (strcmp(attribute_name, "key_bits") == 0)
1589  {
1590  static char sslbits_str[12];
1591  int sslbits;
1592 
1593  SSL_get_cipher_bits(conn->ssl, &sslbits);
1594  snprintf(sslbits_str, sizeof(sslbits_str), "%d", sslbits);
1595  return sslbits_str;
1596  }
1597 
1598  if (strcmp(attribute_name, "cipher") == 0)
1599  return SSL_get_cipher(conn->ssl);
1600 
1601  if (strcmp(attribute_name, "compression") == 0)
1602  return SSL_get_current_compression(conn->ssl) ? "on" : "off";
1603 
1604  if (strcmp(attribute_name, "protocol") == 0)
1605  return SSL_get_version(conn->ssl);
1606 
1607  return NULL; /* unknown attribute */
1608 }
#define snprintf
Definition: port.h:216

◆ PQsslAttributeNames()

const char* const* PQsslAttributeNames ( PGconn conn)

Definition at line 1563 of file fe-secure-openssl.c.

1564 {
1565  static const char *const result[] = {
1566  "library",
1567  "key_bits",
1568  "cipher",
1569  "compression",
1570  "protocol",
1571  NULL
1572  };
1573 
1574  return result;
1575 }

◆ PQsslStruct()

void* PQsslStruct ( PGconn conn,
const char *  struct_name 
)

Definition at line 1553 of file fe-secure-openssl.c.

1554 {
1555  if (!conn)
1556  return NULL;
1557  if (strcmp(struct_name, "OpenSSL") == 0)
1558  return conn->ssl;
1559  return NULL;
1560 }

◆ ssl_protocol_version_to_openssl()

static int ssl_protocol_version_to_openssl ( const char *  protocol)
static

Definition at line 1824 of file fe-secure-openssl.c.

References pg_strcasecmp().

Referenced by initialize_SSL().

1825 {
1826  if (pg_strcasecmp("TLSv1", protocol) == 0)
1827  return TLS1_VERSION;
1828 
1829 #ifdef TLS1_1_VERSION
1830  if (pg_strcasecmp("TLSv1.1", protocol) == 0)
1831  return TLS1_1_VERSION;
1832 #endif
1833 
1834 #ifdef TLS1_2_VERSION
1835  if (pg_strcasecmp("TLSv1.2", protocol) == 0)
1836  return TLS1_2_VERSION;
1837 #endif
1838 
1839 #ifdef TLS1_3_VERSION
1840  if (pg_strcasecmp("TLSv1.3", protocol) == 0)
1841  return TLS1_3_VERSION;
1842 #endif
1843 
1844  return -1;
1845 }
int pg_strcasecmp(const char *s1, const char *s2)
Definition: pgstrcasecmp.c:36

◆ SSLerrfree()

static void SSLerrfree ( char *  buf)
static

Definition at line 1531 of file fe-secure-openssl.c.

References free, and ssl_nomem.

Referenced by initialize_SSL(), open_client_SSL(), pgtls_read(), and pgtls_write().

1532 {
1533  if (buf != ssl_nomem)
1534  free(buf);
1535 }
static char ssl_nomem[]
static char * buf
Definition: pg_test_fsync.c:68
#define free(a)
Definition: header.h:65

◆ SSLerrmessage()

static char * SSLerrmessage ( unsigned long  ecode)
static

Definition at line 1507 of file fe-secure-openssl.c.

References libpq_gettext, malloc, snprintf, SSL_ERR_LEN, ssl_nomem, and strlcpy().

Referenced by initialize_SSL(), open_client_SSL(), pgtls_read(), and pgtls_write().

1508 {
1509  const char *errreason;
1510  char *errbuf;
1511 
1512  errbuf = malloc(SSL_ERR_LEN);
1513  if (!errbuf)
1514  return ssl_nomem;
1515  if (ecode == 0)
1516  {
1517  snprintf(errbuf, SSL_ERR_LEN, libpq_gettext("no SSL error reported"));
1518  return errbuf;
1519  }
1520  errreason = ERR_reason_error_string(ecode);
1521  if (errreason != NULL)
1522  {
1523  strlcpy(errbuf, errreason, SSL_ERR_LEN);
1524  return errbuf;
1525  }
1526  snprintf(errbuf, SSL_ERR_LEN, libpq_gettext("SSL error code %lu"), ecode);
1527  return errbuf;
1528 }
#define malloc(a)
Definition: header.h:50
static char ssl_nomem[]
size_t strlcpy(char *dst, const char *src, size_t siz)
Definition: strlcpy.c:45
#define snprintf
Definition: port.h:216
#define SSL_ERR_LEN
#define libpq_gettext(x)
Definition: libpq-int.h:846

◆ verify_cb()

static int verify_cb ( int  ok,
X509_STORE_CTX *  ctx 
)
static

Definition at line 466 of file fe-secure-openssl.c.

Referenced by initialize_SSL().

467 {
468  return ok;
469 }

Variable Documentation

◆ my_bio_methods

BIO_METHOD* my_bio_methods
static

Definition at line 1626 of file fe-secure-openssl.c.

Referenced by my_BIO_s_socket().

◆ pq_init_crypto_lib

bool pq_init_crypto_lib = true
static

Definition at line 83 of file fe-secure-openssl.c.

Referenced by destroy_ssl_system(), pgtls_init(), and pgtls_init_library().

◆ pq_init_ssl_lib

bool pq_init_ssl_lib = true
static

Definition at line 82 of file fe-secure-openssl.c.

Referenced by pgtls_init(), and pgtls_init_library().

◆ PQsslKeyPassHook

◆ ssl_lib_initialized

bool ssl_lib_initialized = false
static

Definition at line 85 of file fe-secure-openssl.c.

Referenced by pgtls_init().

◆ ssl_nomem

char ssl_nomem[] = "out of memory allocating error description"
static

Definition at line 1502 of file fe-secure-openssl.c.

Referenced by SSLerrfree(), and SSLerrmessage().