PostgreSQL Source Code git master
Loading...
Searching...
No Matches
fe-secure-openssl.c
Go to the documentation of this file.
1/*-------------------------------------------------------------------------
2 *
3 * fe-secure-openssl.c
4 * OpenSSL support
5 *
6 *
7 * Portions Copyright (c) 1996-2026, PostgreSQL Global Development Group
8 * Portions Copyright (c) 1994, Regents of the University of California
9 *
10 *
11 * IDENTIFICATION
12 * src/interfaces/libpq/fe-secure-openssl.c
13 *
14 * NOTES
15 *
16 * We don't provide informational callbacks here (like
17 * info_cb() in be-secure-openssl.c), since there's no good mechanism to
18 * display such information to the user.
19 *
20 *-------------------------------------------------------------------------
21 */
22
23#include "postgres_fe.h"
24
25#include <signal.h>
26#include <fcntl.h>
27#include <ctype.h>
28
29#include "libpq-fe.h"
30#include "fe-auth.h"
31#include "fe-secure-common.h"
32#include "libpq-int.h"
33
34#ifdef WIN32
35#include "win32.h"
36#else
37#include <sys/socket.h>
38#include <unistd.h>
39#include <netdb.h>
40#include <netinet/in.h>
41#include <netinet/tcp.h>
42#include <arpa/inet.h>
43#endif
44
45#include <sys/stat.h>
46
47#ifdef WIN32
48#include "pthread-win32.h"
49#else
50#include <pthread.h>
51#endif
52
53/*
54 * These SSL-related #includes must come after all system-provided headers.
55 * This ensures that OpenSSL can take care of conflicts with Windows'
56 * <wincrypt.h> by #undef'ing the conflicting macros. (We don't directly
57 * include <wincrypt.h>, but some other Windows headers do.)
58 */
59#include "common/openssl.h"
60#include <openssl/ssl.h>
61#include <openssl/conf.h>
62#ifdef USE_SSL_ENGINE
63#include <openssl/engine.h>
64#endif
65#include <openssl/x509v3.h>
66
67
68static int verify_cb(int ok, X509_STORE_CTX *ctx);
69static int openssl_verify_peer_name_matches_certificate_name(PGconn *conn,
70 ASN1_STRING *name_entry,
71 char **store_name);
72static int openssl_verify_peer_name_matches_certificate_ip(PGconn *conn,
73 ASN1_OCTET_STRING *addr_entry,
74 char **store_name);
75static int initialize_SSL(PGconn *conn);
76static PostgresPollingStatusType open_client_SSL(PGconn *conn);
77static char *SSLerrmessage(unsigned long ecode);
78static void SSLerrfree(char *buf);
79static int PQssl_passwd_cb(char *buf, int size, int rwflag, void *userdata);
80
81static int pgconn_bio_read(BIO *h, char *buf, int size);
82static int pgconn_bio_write(BIO *h, const char *buf, int size);
83static BIO_METHOD *pgconn_bio_method(void);
84static int ssl_set_pgconn_bio(PGconn *conn);
85
86static pthread_mutex_t ssl_config_mutex = PTHREAD_MUTEX_INITIALIZER;
87
88static PQsslKeyPassHook_OpenSSL_type PQsslKeyPassHook = NULL;
89static int ssl_protocol_version_to_openssl(const char *protocol);
90
91/* ------------------------------------------------------------ */
92/* Procedures common to all secure sessions */
93/* ------------------------------------------------------------ */
94
95PostgresPollingStatusType
96pgtls_open_client(PGconn *conn)
97{
98 /* First time through? */
99 if (conn->ssl == NULL)
100 {
101 /*
102 * Create a connection-specific SSL object, and load client
103 * certificate, private key, and trusted CA certs.
104 */
105 if (initialize_SSL(conn) != 0)
106 {
107 /* initialize_SSL already put a message in conn->errorMessage */
108 pgtls_close(conn);
109 return PGRES_POLLING_FAILED;
110 }
111 }
112
113 /* Begin or continue the actual handshake */
114 return open_client_SSL(conn);
115}
116
117ssize_t
118pgtls_read(PGconn *conn, void *ptr, size_t len)
119{
120 ssize_t n;
121 int result_errno = 0;
122 char sebuf[PG_STRERROR_R_BUFLEN];
123 int err;
124 unsigned long ecode;
125
126rloop:
127
128 /*
129 * Prepare to call SSL_get_error() by clearing thread's OpenSSL error
130 * queue. In general, the current thread's error queue must be empty
131 * before the TLS/SSL I/O operation is attempted, or SSL_get_error() will
132 * not work reliably. Since the possibility exists that other OpenSSL
133 * clients running in the same thread but not under our control will fail
134 * to call ERR_get_error() themselves (after their own I/O operations),
135 * pro-actively clear the per-thread error queue now.
136 */
137 SOCK_ERRNO_SET(0);
138 ERR_clear_error();
139 n = SSL_read(conn->ssl, ptr, len);
140 err = SSL_get_error(conn->ssl, n);
141
142 /*
143 * Other clients of OpenSSL may fail to call ERR_get_error(), but we
144 * always do, so as to not cause problems for OpenSSL clients that don't
145 * call ERR_clear_error() defensively. Be sure that this happens by
146 * calling now. SSL_get_error() relies on the OpenSSL per-thread error
147 * queue being intact, so this is the earliest possible point
148 * ERR_get_error() may be called.
149 */
150 ecode = (err != SSL_ERROR_NONE || n < 0) ? ERR_get_error() : 0;
151 switch (err)
152 {
153 case SSL_ERROR_NONE:
154 if (n < 0)
155 {
156 /* Not supposed to happen, so we don't translate the msg */
157 appendPQExpBufferStr(&conn->errorMessage,
158 "SSL_read failed but did not provide error information\n");
159 /* assume the connection is broken */
160 result_errno = ECONNRESET;
161 }
162 break;
163 case SSL_ERROR_WANT_READ:
164 n = 0;
165 break;
166 case SSL_ERROR_WANT_WRITE:
167
168 /*
169 * Returning 0 here would cause caller to wait for read-ready,
170 * which is not correct since what SSL wants is wait for
171 * write-ready. The former could get us stuck in an infinite
172 * wait, so don't risk it; busy-loop instead.
173 */
174 goto rloop;
175 case SSL_ERROR_SYSCALL:
176 if (n < 0 && SOCK_ERRNO != 0)
177 {
178 result_errno = SOCK_ERRNO;
179 if (result_errno == EPIPE ||
180 result_errno == ECONNRESET)
181 libpq_append_conn_error(conn, "server closed the connection unexpectedly\n"
182 "\tThis probably means the server terminated abnormally\n"
183 "\tbefore or while processing the request.");
184 else
185 libpq_append_conn_error(conn, "SSL SYSCALL error: %s",
186 SOCK_STRERROR(result_errno,
187 sebuf, sizeof(sebuf)));
188 }
189 else
190 {
191 libpq_append_conn_error(conn, "SSL SYSCALL error: EOF detected");
192 /* assume the connection is broken */
193 result_errno = ECONNRESET;
194 n = -1;
195 }
196 break;
197 case SSL_ERROR_SSL:
198 {
199 char *errm = SSLerrmessage(ecode);
200
201 libpq_append_conn_error(conn, "SSL error: %s", errm);
202 SSLerrfree(errm);
203 /* assume the connection is broken */
204 result_errno = ECONNRESET;
205 n = -1;
206 break;
207 }
208 case SSL_ERROR_ZERO_RETURN:
209
210 /*
211 * Per OpenSSL documentation, this error code is only returned for
212 * a clean connection closure, so we should not report it as a
213 * server crash.
214 */
215 libpq_append_conn_error(conn, "SSL connection has been closed unexpectedly");
216 result_errno = ECONNRESET;
217 n = -1;
218 break;
219 default:
220 libpq_append_conn_error(conn, "unrecognized SSL error code: %d", err);
221 /* assume the connection is broken */
222 result_errno = ECONNRESET;
223 n = -1;
224 break;
225 }
226
227 /* ensure we return the intended errno to caller */
228 SOCK_ERRNO_SET(result_errno);
229
230 return n;
231}
232
233bool
234pgtls_read_pending(PGconn *conn)
235{
236 return SSL_pending(conn->ssl) > 0;
237}
238
239ssize_t
240pgtls_write(PGconn *conn, const void *ptr, size_t len)
241{
242 ssize_t n;
243 int result_errno = 0;
244 char sebuf[PG_STRERROR_R_BUFLEN];
245 int err;
246 unsigned long ecode;
247
248 SOCK_ERRNO_SET(0);
249 ERR_clear_error();
250 n = SSL_write(conn->ssl, ptr, len);
251 err = SSL_get_error(conn->ssl, n);
252 ecode = (err != SSL_ERROR_NONE || n < 0) ? ERR_get_error() : 0;
253 switch (err)
254 {
255 case SSL_ERROR_NONE:
256 if (n < 0)
257 {
258 /* Not supposed to happen, so we don't translate the msg */
259 appendPQExpBufferStr(&conn->errorMessage,
260 "SSL_write failed but did not provide error information\n");
261 /* assume the connection is broken */
262 result_errno = ECONNRESET;
263 }
264 break;
265 case SSL_ERROR_WANT_READ:
266
267 /*
268 * Returning 0 here causes caller to wait for write-ready, which
269 * is not really the right thing, but it's the best we can do.
270 */
271 n = 0;
272 break;
273 case SSL_ERROR_WANT_WRITE:
274 n = 0;
275 break;
276 case SSL_ERROR_SYSCALL:
277
278 /*
279 * If errno is still zero then assume it's a read EOF situation,
280 * and report EOF. (This seems possible because SSL_write can
281 * also do reads.)
282 */
283 if (n < 0 && SOCK_ERRNO != 0)
284 {
285 result_errno = SOCK_ERRNO;
286 if (result_errno == EPIPE || result_errno == ECONNRESET)
287 libpq_append_conn_error(conn, "server closed the connection unexpectedly\n"
288 "\tThis probably means the server terminated abnormally\n"
289 "\tbefore or while processing the request.");
290 else
291 libpq_append_conn_error(conn, "SSL SYSCALL error: %s",
292 SOCK_STRERROR(result_errno,
293 sebuf, sizeof(sebuf)));
294 }
295 else
296 {
297 libpq_append_conn_error(conn, "SSL SYSCALL error: EOF detected");
298 /* assume the connection is broken */
299 result_errno = ECONNRESET;
300 n = -1;
301 }
302 break;
303 case SSL_ERROR_SSL:
304 {
305 char *errm = SSLerrmessage(ecode);
306
307 libpq_append_conn_error(conn, "SSL error: %s", errm);
308 SSLerrfree(errm);
309 /* assume the connection is broken */
310 result_errno = ECONNRESET;
311 n = -1;
312 break;
313 }
314 case SSL_ERROR_ZERO_RETURN:
315
316 /*
317 * Per OpenSSL documentation, this error code is only returned for
318 * a clean connection closure, so we should not report it as a
319 * server crash.
320 */
321 libpq_append_conn_error(conn, "SSL connection has been closed unexpectedly");
322 result_errno = ECONNRESET;
323 n = -1;
324 break;
325 default:
326 libpq_append_conn_error(conn, "unrecognized SSL error code: %d", err);
327 /* assume the connection is broken */
328 result_errno = ECONNRESET;
329 n = -1;
330 break;
331 }
332
333 /* ensure we return the intended errno to caller */
334 SOCK_ERRNO_SET(result_errno);
335
336 return n;
337}
338
339char *
340pgtls_get_peer_certificate_hash(PGconn *conn, size_t *len)
341{
342 X509 *peer_cert;
343 const EVP_MD *algo_type;
344 unsigned char hash[EVP_MAX_MD_SIZE]; /* size for SHA-512 */
345 unsigned int hash_size;
346 int algo_nid;
347 char *cert_hash;
348
349 *len = 0;
350
351 if (!conn->peer)
352 return NULL;
353
354 peer_cert = conn->peer;
355
356 /*
357 * Get the signature algorithm of the certificate to determine the hash
358 * algorithm to use for the result. Prefer X509_get_signature_info(),
359 * introduced in OpenSSL 1.1.1, which can handle RSA-PSS signatures.
360 */
361#if HAVE_X509_GET_SIGNATURE_INFO
362 if (!X509_get_signature_info(peer_cert, &algo_nid, NULL, NULL, NULL))
363#else
364 if (!OBJ_find_sigid_algs(X509_get_signature_nid(peer_cert),
365 &algo_nid, NULL))
366#endif
367 {
368 libpq_append_conn_error(conn, "could not determine server certificate signature algorithm");
369 return NULL;
370 }
371
372 /*
373 * The TLS server's certificate bytes need to be hashed with SHA-256 if
374 * its signature algorithm is MD5 or SHA-1 as per RFC 5929
375 * (https://tools.ietf.org/html/rfc5929#section-4.1). If something else
376 * is used, the same hash as the signature algorithm is used.
377 */
378 switch (algo_nid)
379 {
380 case NID_md5:
381 case NID_sha1:
382 algo_type = EVP_sha256();
383 break;
384 default:
385 algo_type = EVP_get_digestbynid(algo_nid);
386 if (algo_type == NULL)
387 {
388 libpq_append_conn_error(conn, "could not find digest for NID %s",
389 OBJ_nid2sn(algo_nid));
390 return NULL;
391 }
392 break;
393 }
394
395 if (!X509_digest(peer_cert, algo_type, hash, &hash_size))
396 {
397 libpq_append_conn_error(conn, "could not generate peer certificate hash");
398 return NULL;
399 }
400
401 /* save result */
402 cert_hash = malloc(hash_size);
403 if (cert_hash == NULL)
404 {
405 libpq_append_conn_error(conn, "out of memory");
406 return NULL;
407 }
408 memcpy(cert_hash, hash, hash_size);
409 *len = hash_size;
410
411 return cert_hash;
412}
413
414/* ------------------------------------------------------------ */
415/* OpenSSL specific code */
416/* ------------------------------------------------------------ */
417
418/*
419 * Certificate verification callback
420 *
421 * This callback allows us to log intermediate problems during
422 * verification, but there doesn't seem to be a clean way to get
423 * our PGconn * structure. So we can't log anything!
424 *
425 * This callback also allows us to override the default acceptance
426 * criteria (e.g., accepting self-signed or expired certs), but
427 * for now we accept the default checks.
428 */
429static int
430verify_cb(int ok, X509_STORE_CTX *ctx)
431{
432 return ok;
433}
434
435#ifdef HAVE_SSL_CTX_SET_CERT_CB
436/*
437 * Certificate selection callback
438 *
439 * This callback lets us choose the client certificate we send to the server
440 * after seeing its CertificateRequest. We only support sending a single
441 * hard-coded certificate via sslcert, so we don't actually set any certificates
442 * here; we just use it to record whether or not the server has actually asked
443 * for one and whether we have one to send.
444 */
445static int
446cert_cb(SSL *ssl, void *arg)
447{
448 PGconn *conn = arg;
449
450 conn->ssl_cert_requested = true;
451
452 /* Do we have a certificate loaded to send back? */
453 if (SSL_get_certificate(ssl))
454 conn->ssl_cert_sent = true;
455
456 /*
457 * Tell OpenSSL that the callback succeeded; we're not required to
458 * actually make any changes to the SSL handle.
459 */
460 return 1;
461}
462#endif
463
464/*
465 * OpenSSL-specific wrapper around
466 * pq_verify_peer_name_matches_certificate_name(), converting the ASN1_STRING
467 * into a plain C string.
468 */
469static int
470openssl_verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry,
471 char **store_name)
472{
473 int len;
474 const unsigned char *namedata;
475
476 /* Should not happen... */
477 if (name_entry == NULL)
478 {
479 libpq_append_conn_error(conn, "SSL certificate's name entry is missing");
480 return -1;
481 }
482
483 /*
484 * GEN_DNS can be only IA5String, equivalent to US ASCII.
485 */
486 namedata = ASN1_STRING_get0_data(name_entry);
487 len = ASN1_STRING_length(name_entry);
488
489 /* OK to cast from unsigned to plain char, since it's all ASCII. */
490 return pq_verify_peer_name_matches_certificate_name(conn, (const char *) namedata, len, store_name);
491}
492
493/*
494 * OpenSSL-specific wrapper around
495 * pq_verify_peer_name_matches_certificate_ip(), converting the
496 * ASN1_OCTET_STRING into a plain C string.
497 */
498static int
499openssl_verify_peer_name_matches_certificate_ip(PGconn *conn,
500 ASN1_OCTET_STRING *addr_entry,
501 char **store_name)
502{
503 int len;
504 const unsigned char *addrdata;
505
506 /* Should not happen... */
507 if (addr_entry == NULL)
508 {
509 libpq_append_conn_error(conn, "SSL certificate's address entry is missing");
510 return -1;
511 }
512
513 /*
514 * GEN_IPADD is an OCTET STRING containing an IP address in network byte
515 * order.
516 */
517 addrdata = ASN1_STRING_get0_data(addr_entry);
518 len = ASN1_STRING_length(addr_entry);
519
520 return pq_verify_peer_name_matches_certificate_ip(conn, addrdata, len, store_name);
521}
522
523static bool
524is_ip_address(const char *host)
525{
526 struct in_addr dummy4;
527#ifdef HAVE_INET_PTON
528 struct in6_addr dummy6;
529#endif
530
531 return inet_aton(host, &dummy4)
532#ifdef HAVE_INET_PTON
533 || (inet_pton(AF_INET6, host, &dummy6) == 1)
534#endif
535 ;
536}
537
538/*
539 * Verify that the server certificate matches the hostname we connected to.
540 *
541 * The certificate's Common Name and Subject Alternative Names are considered.
542 */
543int
544pgtls_verify_peer_name_matches_certificate_guts(PGconn *conn,
545 int *names_examined,
546 char **first_name)
547{
548 STACK_OF(GENERAL_NAME) * peer_san;
549 int i;
550 int rc = 0;
551 char *host = conn->connhost[conn->whichhost].host;
552 int host_type;
553 bool check_cn = true;
554
555 Assert(host && host[0]); /* should be guaranteed by caller */
556
557 /*
558 * We try to match the NSS behavior here, which is a slight departure from
559 * the spec but seems to make more intuitive sense:
560 *
561 * If connhost contains a DNS name, and the certificate's SANs contain any
562 * dNSName entries, then we'll ignore the Subject Common Name entirely;
563 * otherwise, we fall back to checking the CN. (This behavior matches the
564 * RFC.)
565 *
566 * If connhost contains an IP address, and the SANs contain iPAddress
567 * entries, we again ignore the CN. Otherwise, we allow the CN to match,
568 * EVEN IF there is a dNSName in the SANs. (RFC 6125 prohibits this: "A
569 * client MUST NOT seek a match for a reference identifier of CN-ID if the
570 * presented identifiers include a DNS-ID, SRV-ID, URI-ID, or any
571 * application-specific identifier types supported by the client.")
572 *
573 * NOTE: Prior versions of libpq did not consider iPAddress entries at
574 * all, so this new behavior might break a certificate that has different
575 * IP addresses in the Subject CN and the SANs.
576 */
577 if (is_ip_address(host))
578 host_type = GEN_IPADD;
579 else
580 host_type = GEN_DNS;
581
582 /*
583 * First, get the Subject Alternative Names (SANs) from the certificate,
584 * and compare them against the originally given hostname.
585 */
586 peer_san = (STACK_OF(GENERAL_NAME) *)
587 X509_get_ext_d2i(conn->peer, NID_subject_alt_name, NULL, NULL);
588
589 if (peer_san)
590 {
591 int san_len = sk_GENERAL_NAME_num(peer_san);
592
593 for (i = 0; i < san_len; i++)
594 {
595 const GENERAL_NAME *name = sk_GENERAL_NAME_value(peer_san, i);
596 char *alt_name = NULL;
597
598 if (name->type == host_type)
599 {
600 /*
601 * This SAN is of the same type (IP or DNS) as our host name,
602 * so don't allow a fallback check of the CN.
603 */
604 check_cn = false;
605 }
606
607 if (name->type == GEN_DNS)
608 {
609 (*names_examined)++;
610 rc = openssl_verify_peer_name_matches_certificate_name(conn,
611 name->d.dNSName,
612 &alt_name);
613 }
614 else if (name->type == GEN_IPADD)
615 {
616 (*names_examined)++;
617 rc = openssl_verify_peer_name_matches_certificate_ip(conn,
618 name->d.iPAddress,
619 &alt_name);
620 }
621
622 if (alt_name)
623 {
624 if (!*first_name)
625 *first_name = alt_name;
626 else
627 free(alt_name);
628 }
629
630 if (rc != 0)
631 {
632 /*
633 * Either we hit an error or a match, and either way we should
634 * not fall back to the CN.
635 */
636 check_cn = false;
637 break;
638 }
639 }
640 sk_GENERAL_NAME_pop_free(peer_san, GENERAL_NAME_free);
641 }
642
643 /*
644 * If there is no subjectAltName extension of the matching type, check the
645 * Common Name.
646 *
647 * (Per RFC 2818 and RFC 6125, if the subjectAltName extension of type
648 * dNSName is present, the CN must be ignored. We break this rule if host
649 * is an IP address; see the comment above.)
650 */
651 if (check_cn)
652 {
653 X509_NAME *subject_name;
654
655 subject_name = X509_get_subject_name(conn->peer);
656 if (subject_name != NULL)
657 {
658 int cn_index;
659
660 cn_index = X509_NAME_get_index_by_NID(subject_name,
661 NID_commonName, -1);
662 if (cn_index >= 0)
663 {
664 char *common_name = NULL;
665
666 (*names_examined)++;
667 rc = openssl_verify_peer_name_matches_certificate_name(conn,
668 X509_NAME_ENTRY_get_data(X509_NAME_get_entry(subject_name, cn_index)),
669 &common_name);
670
671 if (common_name)
672 {
673 if (!*first_name)
674 *first_name = common_name;
675 else
676 free(common_name);
677 }
678 }
679 }
680 }
681
682 return rc;
683}
684
685/* See pqcomm.h comments on OpenSSL implementation of ALPN (RFC 7301) */
686static unsigned char alpn_protos[] = PG_ALPN_PROTOCOL_VECTOR;
687
688#ifdef HAVE_SSL_CTX_SET_KEYLOG_CALLBACK
689/*
690 * SSL Key Logging callback
691 *
692 * This callback lets the user store all key material to a file for debugging
693 * purposes. The file will be written using the NSS keylog format. LibreSSL
694 * 3.5 introduced stub function to set the callback for OpenSSL compatibility
695 * but the callback is never invoked.
696 *
697 * Error messages added to the connection object won't be printed anywhere if
698 * the connection is successful. Errors in processing keylogging are printed
699 * to stderr to overcome this.
700 */
701static void
702SSL_CTX_keylog_cb(const SSL *ssl, const char *line)
703{
704 int fd;
705 ssize_t rc;
706 PGconn *conn = SSL_get_app_data(ssl);
707
708 if (conn == NULL)
709 return;
710
711 fd = open(conn->sslkeylogfile, O_WRONLY | O_APPEND | O_CREAT, 0600);
712
713 if (fd == -1)
714 {
715 fprintf(stderr, libpq_gettext("WARNING: could not open SSL key logging file \"%s\": %m\n"),
716 conn->sslkeylogfile);
717 return;
718 }
719
720 /* line is guaranteed by OpenSSL to be NUL terminated */
721 rc = write(fd, line, strlen(line));
722 if (rc < 0)
723 fprintf(stderr, libpq_gettext("WARNING: could not write to SSL key logging file \"%s\": %m\n"),
724 conn->sslkeylogfile);
725 else
726 rc = write(fd, "\n", 1);
727 (void) rc; /* silence compiler warnings */
728 close(fd);
729}
730#endif
731
732/*
733 * Create per-connection SSL object, and load the client certificate,
734 * private key, and trusted CA certs.
735 *
736 * Returns 0 if OK, -1 on failure (with a message in conn->errorMessage).
737 */
738static int
739initialize_SSL(PGconn *conn)
740{
741 SSL_CTX *SSL_context;
742 struct stat buf;
743 char homedir[MAXPGPATH];
744 char fnbuf[MAXPGPATH];
745 char sebuf[PG_STRERROR_R_BUFLEN];
746 bool have_homedir;
747 bool have_cert;
748 bool have_rootcert;
749
750 /*
751 * We'll need the home directory if any of the relevant parameters are
752 * defaulted. If pqGetHomeDirectory fails, act as though none of the
753 * files could be found.
754 */
755 if (!(conn->sslcert && strlen(conn->sslcert) > 0) ||
756 !(conn->sslkey && strlen(conn->sslkey) > 0) ||
757 !(conn->sslrootcert && strlen(conn->sslrootcert) > 0) ||
758 !((conn->sslcrl && strlen(conn->sslcrl) > 0) ||
759 (conn->sslcrldir && strlen(conn->sslcrldir) > 0)))
760 have_homedir = pqGetHomeDirectory(homedir, sizeof(homedir));
761 else /* won't need it */
762 have_homedir = false;
763
764 /*
765 * Create a new SSL_CTX object.
766 *
767 * We used to share a single SSL_CTX between all connections, but it was
768 * complicated if connections used different certificates. So now we
769 * create a separate context for each connection, and accept the overhead.
770 */
771 SSL_context = SSL_CTX_new(SSLv23_method());
772 if (!SSL_context)
773 {
774 char *err = SSLerrmessage(ERR_get_error());
775
776 libpq_append_conn_error(conn, "could not create SSL context: %s", err);
777 SSLerrfree(err);
778 return -1;
779 }
780
781 /*
782 * Delegate the client cert password prompt to the libpq wrapper callback
783 * if any is defined.
784 *
785 * If the application hasn't installed its own and the sslpassword
786 * parameter is non-null, we install ours now to make sure we supply
787 * PGconn->sslpassword to OpenSSL instead of letting it prompt on stdin.
788 *
789 * This will replace OpenSSL's default PEM_def_callback (which prompts on
790 * stdin), but we're only setting it for this SSL context so it's
791 * harmless.
792 */
793 if (PQsslKeyPassHook
794 || (conn->sslpassword && strlen(conn->sslpassword) > 0))
795 {
796 SSL_CTX_set_default_passwd_cb(SSL_context, PQssl_passwd_cb);
797 SSL_CTX_set_default_passwd_cb_userdata(SSL_context, conn);
798 }
799
800#ifdef HAVE_SSL_CTX_SET_CERT_CB
801 /* Set up a certificate selection callback. */
802 SSL_CTX_set_cert_cb(SSL_context, cert_cb, conn);
803#endif
804
805 /* Disable old protocol versions */
806 SSL_CTX_set_options(SSL_context, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
807
808 /* Set the minimum and maximum protocol versions if necessary */
809 if (conn->ssl_min_protocol_version &&
810 strlen(conn->ssl_min_protocol_version) != 0)
811 {
812 int ssl_min_ver;
813
814 ssl_min_ver = ssl_protocol_version_to_openssl(conn->ssl_min_protocol_version);
815
816 if (ssl_min_ver == -1)
817 {
818 libpq_append_conn_error(conn, "invalid value \"%s\" for minimum SSL protocol version",
819 conn->ssl_min_protocol_version);
820 SSL_CTX_free(SSL_context);
821 return -1;
822 }
823
824 if (!SSL_CTX_set_min_proto_version(SSL_context, ssl_min_ver))
825 {
826 char *err = SSLerrmessage(ERR_get_error());
827
828 libpq_append_conn_error(conn, "could not set minimum SSL protocol version: %s", err);
829 SSLerrfree(err);
830 SSL_CTX_free(SSL_context);
831 return -1;
832 }
833 }
834
835 if (conn->ssl_max_protocol_version &&
836 strlen(conn->ssl_max_protocol_version) != 0)
837 {
838 int ssl_max_ver;
839
840 ssl_max_ver = ssl_protocol_version_to_openssl(conn->ssl_max_protocol_version);
841
842 if (ssl_max_ver == -1)
843 {
844 libpq_append_conn_error(conn, "invalid value \"%s\" for maximum SSL protocol version",
845 conn->ssl_max_protocol_version);
846 SSL_CTX_free(SSL_context);
847 return -1;
848 }
849
850 if (!SSL_CTX_set_max_proto_version(SSL_context, ssl_max_ver))
851 {
852 char *err = SSLerrmessage(ERR_get_error());
853
854 libpq_append_conn_error(conn, "could not set maximum SSL protocol version: %s", err);
855 SSLerrfree(err);
856 SSL_CTX_free(SSL_context);
857 return -1;
858 }
859 }
860
861 /*
862 * Disable OpenSSL's moving-write-buffer sanity check, because it causes
863 * unnecessary failures in nonblocking send cases.
864 */
865 SSL_CTX_set_mode(SSL_context, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
866
867 /*
868 * If the root cert file exists, load it so we can perform certificate
869 * verification. If sslmode is "verify-full" we will also do further
870 * verification after the connection has been completed.
871 */
872 if (conn->sslrootcert && strlen(conn->sslrootcert) > 0)
873 strlcpy(fnbuf, conn->sslrootcert, sizeof(fnbuf));
874 else if (have_homedir)
875 snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, ROOT_CERT_FILE);
876 else
877 fnbuf[0] = '\0';
878
879 if (strcmp(fnbuf, "system") == 0)
880 {
881 /*
882 * The "system" sentinel value indicates that we should load whatever
883 * root certificates are installed for use by OpenSSL; these locations
884 * differ by platform. Note that the default system locations may be
885 * further overridden by the SSL_CERT_DIR and SSL_CERT_FILE
886 * environment variables.
887 */
888 if (SSL_CTX_set_default_verify_paths(SSL_context) != 1)
889 {
890 char *err = SSLerrmessage(ERR_get_error());
891
892 libpq_append_conn_error(conn, "could not load system root certificate paths: %s",
893 err);
894 SSLerrfree(err);
895 SSL_CTX_free(SSL_context);
896 return -1;
897 }
898 have_rootcert = true;
899 }
900 else if (fnbuf[0] != '\0' &&
901 stat(fnbuf, &buf) == 0)
902 {
903 X509_STORE *cvstore;
904
905 if (SSL_CTX_load_verify_locations(SSL_context, fnbuf, NULL) != 1)
906 {
907 char *err = SSLerrmessage(ERR_get_error());
908
909 libpq_append_conn_error(conn, "could not read root certificate file \"%s\": %s",
910 fnbuf, err);
911 SSLerrfree(err);
912 SSL_CTX_free(SSL_context);
913 return -1;
914 }
915
916 if ((cvstore = SSL_CTX_get_cert_store(SSL_context)) != NULL)
917 {
918 char *fname = NULL;
919 char *dname = NULL;
920
921 if (conn->sslcrl && strlen(conn->sslcrl) > 0)
922 fname = conn->sslcrl;
923 if (conn->sslcrldir && strlen(conn->sslcrldir) > 0)
924 dname = conn->sslcrldir;
925
926 /* defaults to use the default CRL file */
927 if (!fname && !dname && have_homedir)
928 {
929 snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, ROOT_CRL_FILE);
930 fname = fnbuf;
931 }
932
933 /* Set the flags to check against the complete CRL chain */
934 if ((fname || dname) &&
935 X509_STORE_load_locations(cvstore, fname, dname) == 1)
936 {
937 X509_STORE_set_flags(cvstore,
938 X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
939 }
940
941 /* if not found, silently ignore; we do not require CRL */
942 ERR_clear_error();
943 }
944 have_rootcert = true;
945 }
946 else
947 {
948 /*
949 * stat() failed; assume root file doesn't exist. If sslmode is
950 * verify-ca or verify-full, this is an error. Otherwise, continue
951 * without performing any server cert verification.
952 */
953 if (conn->sslmode[0] == 'v') /* "verify-ca" or "verify-full" */
954 {
955 /*
956 * The only way to reach here with an empty filename is if
957 * pqGetHomeDirectory failed. That's a sufficiently unusual case
958 * that it seems worth having a specialized error message for it.
959 */
960 if (fnbuf[0] == '\0')
961 libpq_append_conn_error(conn, "could not get home directory to locate root certificate file\n"
962 "Either provide the file, use the system's trusted roots with sslrootcert=system, or change sslmode to disable server certificate verification.");
963 else
964 libpq_append_conn_error(conn, "root certificate file \"%s\" does not exist\n"
965 "Either provide the file, use the system's trusted roots with sslrootcert=system, or change sslmode to disable server certificate verification.", fnbuf);
966 SSL_CTX_free(SSL_context);
967 return -1;
968 }
969 have_rootcert = false;
970 }
971
972 /* Read the client certificate file */
973 if (conn->sslcert && strlen(conn->sslcert) > 0)
974 strlcpy(fnbuf, conn->sslcert, sizeof(fnbuf));
975 else if (have_homedir)
976 snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, USER_CERT_FILE);
977 else
978 fnbuf[0] = '\0';
979
980 if (conn->sslcertmode[0] == 'd') /* disable */
981 {
982 /* don't send a client cert even if we have one */
983 have_cert = false;
984 }
985 else if (fnbuf[0] == '\0')
986 {
987 /* no home directory, proceed without a client cert */
988 have_cert = false;
989 }
990 else if (stat(fnbuf, &buf) != 0)
991 {
992 /*
993 * If file is not present, just go on without a client cert; server
994 * might or might not accept the connection. Any other error,
995 * however, is grounds for complaint.
996 */
997 if (errno != ENOENT && errno != ENOTDIR)
998 {
999 libpq_append_conn_error(conn, "could not open certificate file \"%s\": %s",
1000 fnbuf, strerror_r(errno, sebuf, sizeof(sebuf)));
1001 SSL_CTX_free(SSL_context);
1002 return -1;
1003 }
1004 have_cert = false;
1005 }
1006 else
1007 {
1008 /*
1009 * Cert file exists, so load it. Since OpenSSL doesn't provide the
1010 * equivalent of "SSL_use_certificate_chain_file", we have to load it
1011 * into the SSL context, rather than the SSL object.
1012 */
1013 if (SSL_CTX_use_certificate_chain_file(SSL_context, fnbuf) != 1)
1014 {
1015 char *err = SSLerrmessage(ERR_get_error());
1016
1017 libpq_append_conn_error(conn, "could not read certificate file \"%s\": %s",
1018 fnbuf, err);
1019 SSLerrfree(err);
1020 SSL_CTX_free(SSL_context);
1021 return -1;
1022 }
1023
1024 /* need to load the associated private key, too */
1025 have_cert = true;
1026 }
1027
1028 /*
1029 * The SSL context is now loaded with the correct root and client
1030 * certificates. Create a connection-specific SSL object. The private key
1031 * is loaded directly into the SSL object. (We could load the private key
1032 * into the context, too, but we have done it this way historically, and
1033 * it doesn't really matter.)
1034 */
1035 if (!(conn->ssl = SSL_new(SSL_context)) ||
1036 !SSL_set_app_data(conn->ssl, conn) ||
1037 !ssl_set_pgconn_bio(conn))
1038 {
1039 char *err = SSLerrmessage(ERR_get_error());
1040
1041 libpq_append_conn_error(conn, "could not establish SSL connection: %s", err);
1042 SSLerrfree(err);
1043 SSL_CTX_free(SSL_context);
1044 return -1;
1045 }
1046 conn->ssl_in_use = true;
1047
1048 /*
1049 * If SSL key logging is requested, set up the callback if a compatible
1050 * version of OpenSSL is used and libpq was compiled to support it.
1051 */
1052 if (conn->sslkeylogfile && strlen(conn->sslkeylogfile) > 0)
1053 {
1054#ifdef HAVE_SSL_CTX_SET_KEYLOG_CALLBACK
1055 SSL_CTX_set_keylog_callback(SSL_context, SSL_CTX_keylog_cb);
1056#else
1057#ifdef LIBRESSL_VERSION_NUMBER
1058 fprintf(stderr, libpq_gettext("WARNING: sslkeylogfile support requires OpenSSL\n"));
1059#else
1060 fprintf(stderr, libpq_gettext("WARNING: libpq was not built with sslkeylogfile support\n"));
1061#endif
1062#endif
1063 }
1064
1065 /*
1066 * SSL contexts are reference counted by OpenSSL. We can free it as soon
1067 * as we have created the SSL object, and it will stick around for as long
1068 * as it's actually needed.
1069 */
1070 SSL_CTX_free(SSL_context);
1071 SSL_context = NULL;
1072
1073 /*
1074 * Set Server Name Indication (SNI), if enabled by connection parameters.
1075 * Per RFC 6066, do not set it if the host is a literal IP address (IPv4
1076 * or IPv6).
1077 */
1078 if (conn->sslsni && conn->sslsni[0] == '1')
1079 {
1080 const char *host = conn->connhost[conn->whichhost].host;
1081
1082 if (host && host[0] &&
1083 !(strspn(host, "0123456789.") == strlen(host) ||
1084 strchr(host, ':')))
1085 {
1086 if (SSL_set_tlsext_host_name(conn->ssl, host) != 1)
1087 {
1088 char *err = SSLerrmessage(ERR_get_error());
1089
1090 libpq_append_conn_error(conn, "could not set SSL Server Name Indication (SNI): %s", err);
1091 SSLerrfree(err);
1092 return -1;
1093 }
1094 }
1095 }
1096
1097 /* Set ALPN */
1098 {
1099 int retval;
1100
1101 retval = SSL_set_alpn_protos(conn->ssl, alpn_protos, sizeof(alpn_protos));
1102
1103 if (retval != 0)
1104 {
1105 char *err = SSLerrmessage(ERR_get_error());
1106
1107 libpq_append_conn_error(conn, "could not set SSL ALPN extension: %s", err);
1108 SSLerrfree(err);
1109 return -1;
1110 }
1111 }
1112
1113 /*
1114 * Read the SSL key. If a key is specified, treat it as an engine:key
1115 * combination if there is colon present - we don't support files with
1116 * colon in the name. The exception is if the second character is a colon,
1117 * in which case it can be a Windows filename with drive specification.
1118 */
1119 if (have_cert && conn->sslkey && strlen(conn->sslkey) > 0)
1120 {
1121#ifdef USE_SSL_ENGINE
1122 if (strchr(conn->sslkey, ':')
1123#ifdef WIN32
1124 && conn->sslkey[1] != ':'
1125#endif
1126 )
1127 {
1128 /* Colon, but not in second character, treat as engine:key */
1129 char *engine_str = strdup(conn->sslkey);
1130 char *engine_colon;
1131 EVP_PKEY *pkey;
1132
1133 if (engine_str == NULL)
1134 {
1135 libpq_append_conn_error(conn, "out of memory");
1136 return -1;
1137 }
1138
1139 /* cannot return NULL because we already checked before strdup */
1140 engine_colon = strchr(engine_str, ':');
1141
1142 *engine_colon = '\0'; /* engine_str now has engine name */
1143 engine_colon++; /* engine_colon now has key name */
1144
1145 conn->engine = ENGINE_by_id(engine_str);
1146 if (conn->engine == NULL)
1147 {
1148 char *err = SSLerrmessage(ERR_get_error());
1149
1150 libpq_append_conn_error(conn, "could not load SSL engine \"%s\": %s",
1151 engine_str, err);
1152 SSLerrfree(err);
1153 free(engine_str);
1154 return -1;
1155 }
1156
1157 if (ENGINE_init(conn->engine) == 0)
1158 {
1159 char *err = SSLerrmessage(ERR_get_error());
1160
1161 libpq_append_conn_error(conn, "could not initialize SSL engine \"%s\": %s",
1162 engine_str, err);
1163 SSLerrfree(err);
1164 ENGINE_free(conn->engine);
1165 conn->engine = NULL;
1166 free(engine_str);
1167 return -1;
1168 }
1169
1170 pkey = ENGINE_load_private_key(conn->engine, engine_colon,
1171 NULL, NULL);
1172 if (pkey == NULL)
1173 {
1174 char *err = SSLerrmessage(ERR_get_error());
1175
1176 libpq_append_conn_error(conn, "could not read private SSL key \"%s\" from engine \"%s\": %s",
1177 engine_colon, engine_str, err);
1178 SSLerrfree(err);
1179 ENGINE_finish(conn->engine);
1180 ENGINE_free(conn->engine);
1181 conn->engine = NULL;
1182 free(engine_str);
1183 return -1;
1184 }
1185 if (SSL_use_PrivateKey(conn->ssl, pkey) != 1)
1186 {
1187 char *err = SSLerrmessage(ERR_get_error());
1188
1189 libpq_append_conn_error(conn, "could not load private SSL key \"%s\" from engine \"%s\": %s",
1190 engine_colon, engine_str, err);
1191 SSLerrfree(err);
1192 ENGINE_finish(conn->engine);
1193 ENGINE_free(conn->engine);
1194 conn->engine = NULL;
1195 free(engine_str);
1196 return -1;
1197 }
1198
1199 free(engine_str);
1200
1201 fnbuf[0] = '\0'; /* indicate we're not going to load from a
1202 * file */
1203 }
1204 else
1205#endif /* USE_SSL_ENGINE */
1206 {
1207 /* PGSSLKEY is not an engine, treat it as a filename */
1208 strlcpy(fnbuf, conn->sslkey, sizeof(fnbuf));
1209 }
1210 }
1211 else if (have_homedir)
1212 {
1213 /* No PGSSLKEY specified, load default file */
1214 snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, USER_KEY_FILE);
1215 }
1216 else
1217 fnbuf[0] = '\0';
1218
1219 if (have_cert && fnbuf[0] != '\0')
1220 {
1221 /* read the client key from file */
1222
1223 if (stat(fnbuf, &buf) != 0)
1224 {
1225 if (errno == ENOENT)
1226 libpq_append_conn_error(conn, "certificate present, but not private key file \"%s\"",
1227 fnbuf);
1228 else
1229 libpq_append_conn_error(conn, "could not stat private key file \"%s\": %m",
1230 fnbuf);
1231 return -1;
1232 }
1233
1234 /* Key file must be a regular file */
1235 if (!S_ISREG(buf.st_mode))
1236 {
1237 libpq_append_conn_error(conn, "private key file \"%s\" is not a regular file",
1238 fnbuf);
1239 return -1;
1240 }
1241
1242 /*
1243 * Refuse to load world-readable key files. We accept root-owned
1244 * files with mode 0640 or less, so that we can access system-wide
1245 * certificates if we have a supplementary group membership that
1246 * allows us to read 'em. For files with non-root ownership, require
1247 * mode 0600 or less. We need not check the file's ownership exactly;
1248 * if we're able to read it despite it having such restrictive
1249 * permissions, it must have the right ownership.
1250 *
1251 * Note: be very careful about tightening these rules. Some people
1252 * expect, for example, that a client process running as root should
1253 * be able to use a non-root-owned key file.
1254 *
1255 * Note that roughly similar checks are performed in
1256 * src/backend/libpq/be-secure-common.c so any changes here may need
1257 * to be made there as well. However, this code caters for the case
1258 * of current user == root, while that code does not.
1259 *
1260 * Ideally we would do similar permissions checks on Windows, but it
1261 * is not clear how that would work since Unix-style permissions may
1262 * not be available.
1263 */
1264#if !defined(WIN32) && !defined(__CYGWIN__)
1265 if (buf.st_uid == 0 ?
1266 buf.st_mode & (S_IWGRP | S_IXGRP | S_IRWXO) :
1267 buf.st_mode & (S_IRWXG | S_IRWXO))
1268 {
1269 libpq_append_conn_error(conn,
1270 "private key file \"%s\" has group or world access; file must have permissions u=rw (0600) or less if owned by the current user, or permissions u=rw,g=r (0640) or less if owned by root",
1271 fnbuf);
1272 return -1;
1273 }
1274#endif
1275
1276 if (SSL_use_PrivateKey_file(conn->ssl, fnbuf, SSL_FILETYPE_PEM) != 1)
1277 {
1278 char *err = SSLerrmessage(ERR_get_error());
1279
1280 /*
1281 * We'll try to load the file in DER (binary ASN.1) format, and if
1282 * that fails too, report the original error. This could mask
1283 * issues where there's something wrong with a DER-format cert,
1284 * but we'd have to duplicate openssl's format detection to be
1285 * smarter than this. We can't just probe for a leading -----BEGIN
1286 * because PEM can have leading non-matching lines and blanks.
1287 * OpenSSL doesn't expose its get_name(...) and its PEM routines
1288 * don't differentiate between failure modes in enough detail to
1289 * let us tell the difference between "not PEM, try DER" and
1290 * "wrong password".
1291 */
1292 if (SSL_use_PrivateKey_file(conn->ssl, fnbuf, SSL_FILETYPE_ASN1) != 1)
1293 {
1294 libpq_append_conn_error(conn, "could not load private key file \"%s\": %s",
1295 fnbuf, err);
1296 SSLerrfree(err);
1297 return -1;
1298 }
1299
1300 SSLerrfree(err);
1301 }
1302 }
1303
1304 /* verify that the cert and key go together */
1305 if (have_cert &&
1306 SSL_check_private_key(conn->ssl) != 1)
1307 {
1308 char *err = SSLerrmessage(ERR_get_error());
1309
1310 libpq_append_conn_error(conn, "certificate does not match private key file \"%s\": %s",
1311 fnbuf, err);
1312 SSLerrfree(err);
1313 return -1;
1314 }
1315
1316 /*
1317 * If a root cert was loaded, also set our certificate verification
1318 * callback.
1319 */
1320 if (have_rootcert)
1321 SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, verify_cb);
1322
1323 /*
1324 * Set compression option if necessary.
1325 */
1326 if (conn->sslcompression && conn->sslcompression[0] == '0')
1327 SSL_set_options(conn->ssl, SSL_OP_NO_COMPRESSION);
1328 else
1329 SSL_clear_options(conn->ssl, SSL_OP_NO_COMPRESSION);
1330
1331 return 0;
1332}
1333
1334/*
1335 * Attempt to negotiate SSL connection.
1336 */
1337static PostgresPollingStatusType
1338open_client_SSL(PGconn *conn)
1339{
1340 int r;
1341
1342 SOCK_ERRNO_SET(0);
1343 ERR_clear_error();
1344 r = SSL_connect(conn->ssl);
1345 if (r <= 0)
1346 {
1347 int save_errno = SOCK_ERRNO;
1348 int err = SSL_get_error(conn->ssl, r);
1349 unsigned long ecode;
1350
1351 ecode = ERR_get_error();
1352 switch (err)
1353 {
1354 case SSL_ERROR_WANT_READ:
1355 return PGRES_POLLING_READING;
1356
1357 case SSL_ERROR_WANT_WRITE:
1358 return PGRES_POLLING_WRITING;
1359
1360 case SSL_ERROR_SYSCALL:
1361 {
1362 char sebuf[PG_STRERROR_R_BUFLEN];
1363 unsigned long vcode;
1364
1365 vcode = SSL_get_verify_result(conn->ssl);
1366
1367 /*
1368 * If we get an X509 error here for failing to load the
1369 * local issuer cert, without an error in the socket layer
1370 * it means that verification failed due to a missing
1371 * system CA pool without it being a protocol error. We
1372 * inspect the sslrootcert setting to ensure that the user
1373 * was using the system CA pool. For other errors, log
1374 * them using the normal SYSCALL logging.
1375 */
1376 if (save_errno == 0 &&
1377 vcode == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY &&
1378 strcmp(conn->sslrootcert, "system") == 0)
1379 libpq_append_conn_error(conn, "SSL error: certificate verify failed: %s",
1380 X509_verify_cert_error_string(vcode));
1381 else if (r == -1 && save_errno != 0)
1382 libpq_append_conn_error(conn, "SSL SYSCALL error: %s",
1383 SOCK_STRERROR(save_errno, sebuf, sizeof(sebuf)));
1384 else
1385 libpq_append_conn_error(conn, "SSL SYSCALL error: EOF detected");
1386 pgtls_close(conn);
1387 return PGRES_POLLING_FAILED;
1388 }
1389 case SSL_ERROR_SSL:
1390 {
1391 char *err = SSLerrmessage(ecode);
1392
1393 libpq_append_conn_error(conn, "SSL error: %s", err);
1394 SSLerrfree(err);
1395 switch (ERR_GET_REASON(ecode))
1396 {
1397 /*
1398 * UNSUPPORTED_PROTOCOL, WRONG_VERSION_NUMBER, and
1399 * TLSV1_ALERT_PROTOCOL_VERSION have been observed
1400 * when trying to communicate with an old OpenSSL
1401 * library, or when the client and server specify
1402 * disjoint protocol ranges.
1403 * NO_PROTOCOLS_AVAILABLE occurs if there's a
1404 * local misconfiguration (which can happen
1405 * despite our checks, if openssl.cnf injects a
1406 * limit we didn't account for). It's not very
1407 * clear what would make OpenSSL return the other
1408 * codes listed here, but a hint about protocol
1409 * versions seems like it's appropriate for all.
1410 */
1411 case SSL_R_NO_PROTOCOLS_AVAILABLE:
1412 case SSL_R_UNSUPPORTED_PROTOCOL:
1413 case SSL_R_BAD_PROTOCOL_VERSION_NUMBER:
1414 case SSL_R_UNKNOWN_PROTOCOL:
1415 case SSL_R_UNKNOWN_SSL_VERSION:
1416 case SSL_R_UNSUPPORTED_SSL_VERSION:
1417 case SSL_R_WRONG_SSL_VERSION:
1418 case SSL_R_WRONG_VERSION_NUMBER:
1419 case SSL_R_TLSV1_ALERT_PROTOCOL_VERSION:
1420#ifdef SSL_R_VERSION_TOO_HIGH
1421 case SSL_R_VERSION_TOO_HIGH:
1422 case SSL_R_VERSION_TOO_LOW:
1423#endif
1424 libpq_append_conn_error(conn, "This may indicate that the server does not support any SSL protocol version between %s and %s.",
1425 conn->ssl_min_protocol_version ?
1426 conn->ssl_min_protocol_version :
1427 MIN_OPENSSL_TLS_VERSION,
1428 conn->ssl_max_protocol_version ?
1429 conn->ssl_max_protocol_version :
1430 MAX_OPENSSL_TLS_VERSION);
1431 break;
1432 default:
1433 break;
1434 }
1435 pgtls_close(conn);
1436 return PGRES_POLLING_FAILED;
1437 }
1438
1439 default:
1440 libpq_append_conn_error(conn, "unrecognized SSL error code: %d", err);
1441 pgtls_close(conn);
1442 return PGRES_POLLING_FAILED;
1443 }
1444 }
1445
1446 /* ALPN is mandatory with direct SSL connections */
1447 if (conn->current_enc_method == ENC_SSL && conn->sslnegotiation[0] == 'd')
1448 {
1449 const unsigned char *selected;
1450 unsigned int len;
1451
1452 SSL_get0_alpn_selected(conn->ssl, &selected, &len);
1453
1454 if (selected == NULL)
1455 {
1456 libpq_append_conn_error(conn, "direct SSL connection was established without ALPN protocol negotiation extension");
1457 pgtls_close(conn);
1458 return PGRES_POLLING_FAILED;
1459 }
1460
1461 /*
1462 * We only support one protocol so that's what the negotiation should
1463 * always choose, but doesn't hurt to check.
1464 */
1465 if (len != strlen(PG_ALPN_PROTOCOL) ||
1466 memcmp(selected, PG_ALPN_PROTOCOL, strlen(PG_ALPN_PROTOCOL)) != 0)
1467 {
1468 libpq_append_conn_error(conn, "SSL connection was established with unexpected ALPN protocol");
1469 pgtls_close(conn);
1470 return PGRES_POLLING_FAILED;
1471 }
1472 }
1473
1474 /*
1475 * We already checked the server certificate in initialize_SSL() using
1476 * SSL_CTX_set_verify(), if root.crt exists.
1477 */
1478
1479 /* get server certificate */
1480 conn->peer = SSL_get_peer_certificate(conn->ssl);
1481 if (conn->peer == NULL)
1482 {
1483 char *err = SSLerrmessage(ERR_get_error());
1484
1485 libpq_append_conn_error(conn, "certificate could not be obtained: %s", err);
1486 SSLerrfree(err);
1487 pgtls_close(conn);
1488 return PGRES_POLLING_FAILED;
1489 }
1490
1491 if (!pq_verify_peer_name_matches_certificate(conn))
1492 {
1493 pgtls_close(conn);
1494 return PGRES_POLLING_FAILED;
1495 }
1496
1497 /* SSL handshake is complete */
1498 return PGRES_POLLING_OK;
1499}
1500
1501void
1502pgtls_close(PGconn *conn)
1503{
1504 if (conn->ssl_in_use)
1505 {
1506 if (conn->ssl)
1507 {
1508 /*
1509 * We can't destroy everything SSL-related here due to the
1510 * possible later calls to OpenSSL routines which may need our
1511 * thread callbacks, so set a flag here and check at the end.
1512 */
1513
1514 SSL_shutdown(conn->ssl);
1515 SSL_free(conn->ssl);
1516 conn->ssl = NULL;
1517 conn->ssl_in_use = false;
1518 conn->ssl_handshake_started = false;
1519 }
1520
1521 if (conn->peer)
1522 {
1523 X509_free(conn->peer);
1524 conn->peer = NULL;
1525 }
1526
1527#ifdef USE_SSL_ENGINE
1528 if (conn->engine)
1529 {
1530 ENGINE_finish(conn->engine);
1531 ENGINE_free(conn->engine);
1532 conn->engine = NULL;
1533 }
1534#endif
1535 }
1536}
1537
1538
1539/*
1540 * Obtain reason string for passed SSL errcode
1541 *
1542 * ERR_get_error() is used by caller to get errcode to pass here.
1543 * The result must be freed after use, using SSLerrfree.
1544 *
1545 * Some caution is needed here since ERR_reason_error_string will return NULL
1546 * if it doesn't recognize the error code, or (in OpenSSL >= 3) if the code
1547 * represents a system errno value. We don't want to return NULL ever.
1548 */
1549static char ssl_nomem[] = "out of memory allocating error description";
1550
1551#define SSL_ERR_LEN 128
1552
1553static char *
1554SSLerrmessage(unsigned long ecode)
1555{
1556 const char *errreason;
1557 char *errbuf;
1558
1559 errbuf = malloc(SSL_ERR_LEN);
1560 if (!errbuf)
1561 return ssl_nomem;
1562 if (ecode == 0)
1563 {
1564 snprintf(errbuf, SSL_ERR_LEN, libpq_gettext("no SSL error reported"));
1565 return errbuf;
1566 }
1567 errreason = ERR_reason_error_string(ecode);
1568 if (errreason != NULL)
1569 {
1570 strlcpy(errbuf, errreason, SSL_ERR_LEN);
1571 return errbuf;
1572 }
1573
1574 /*
1575 * Server aborted the connection with TLS "no_application_protocol" alert.
1576 * The ERR_reason_error_string() function doesn't give any error string
1577 * for that for some reason, so do it ourselves. See
1578 * https://github.com/openssl/openssl/issues/24300. This is available in
1579 * OpenSSL 1.1.0 and later, as well as in LibreSSL 3.4.3 (OpenBSD 7.0) and
1580 * later.
1581 */
1582#ifdef SSL_AD_NO_APPLICATION_PROTOCOL
1583 if (ERR_GET_LIB(ecode) == ERR_LIB_SSL &&
1584 ERR_GET_REASON(ecode) == SSL_AD_REASON_OFFSET + SSL_AD_NO_APPLICATION_PROTOCOL)
1585 {
1586 snprintf(errbuf, SSL_ERR_LEN, "no application protocol");
1587 return errbuf;
1588 }
1589#endif
1590
1591 /*
1592 * In OpenSSL 3.0.0 and later, ERR_reason_error_string does not map system
1593 * errno values anymore. (See OpenSSL source code for the explanation.)
1594 * We can cover that shortcoming with this bit of code. Older OpenSSL
1595 * versions don't have the ERR_SYSTEM_ERROR macro, but that's okay because
1596 * they don't have the shortcoming either.
1597 */
1598#ifdef ERR_SYSTEM_ERROR
1599 if (ERR_SYSTEM_ERROR(ecode))
1600 {
1601 strerror_r(ERR_GET_REASON(ecode), errbuf, SSL_ERR_LEN);
1602 return errbuf;
1603 }
1604#endif
1605
1606 /* No choice but to report the numeric ecode */
1607 snprintf(errbuf, SSL_ERR_LEN, libpq_gettext("SSL error code %lu"), ecode);
1608 return errbuf;
1609}
1610
1611static void
1612SSLerrfree(char *buf)
1613{
1614 if (buf != ssl_nomem)
1615 free(buf);
1616}
1617
1618/* ------------------------------------------------------------ */
1619/* SSL information functions */
1620/* ------------------------------------------------------------ */
1621
1622/*
1623 * Return pointer to OpenSSL object.
1624 */
1625void *
1626PQgetssl(PGconn *conn)
1627{
1628 if (!conn)
1629 return NULL;
1630 return conn->ssl;
1631}
1632
1633void *
1634PQsslStruct(PGconn *conn, const char *struct_name)
1635{
1636 if (!conn)
1637 return NULL;
1638 if (strcmp(struct_name, "OpenSSL") == 0)
1639 return conn->ssl;
1640 return NULL;
1641}
1642
1643const char *const *
1644PQsslAttributeNames(PGconn *conn)
1645{
1646 static const char *const openssl_attrs[] = {
1647 "library",
1648 "key_bits",
1649 "cipher",
1650 "compression",
1651 "protocol",
1652 "alpn",
1653 NULL
1654 };
1655 static const char *const empty_attrs[] = {NULL};
1656
1657 if (!conn)
1658 {
1659 /* Return attributes of default SSL library */
1660 return openssl_attrs;
1661 }
1662
1663 /* No attrs for unencrypted connection */
1664 if (conn->ssl == NULL)
1665 return empty_attrs;
1666
1667 return openssl_attrs;
1668}
1669
1670const char *
1671PQsslAttribute(PGconn *conn, const char *attribute_name)
1672{
1673 if (!conn)
1674 {
1675 /* PQsslAttribute(NULL, "library") reports the default SSL library */
1676 if (strcmp(attribute_name, "library") == 0)
1677 return "OpenSSL";
1678 return NULL;
1679 }
1680
1681 /* All attributes read as NULL for a non-encrypted connection */
1682 if (conn->ssl == NULL)
1683 return NULL;
1684
1685 if (strcmp(attribute_name, "library") == 0)
1686 return "OpenSSL";
1687
1688 if (strcmp(attribute_name, "key_bits") == 0)
1689 {
1690 static char sslbits_str[12];
1691 int sslbits;
1692
1693 SSL_get_cipher_bits(conn->ssl, &sslbits);
1694 snprintf(sslbits_str, sizeof(sslbits_str), "%d", sslbits);
1695 return sslbits_str;
1696 }
1697
1698 if (strcmp(attribute_name, "cipher") == 0)
1699 return SSL_get_cipher(conn->ssl);
1700
1701 if (strcmp(attribute_name, "compression") == 0)
1702 return SSL_get_current_compression(conn->ssl) ? "on" : "off";
1703
1704 if (strcmp(attribute_name, "protocol") == 0)
1705 return SSL_get_version(conn->ssl);
1706
1707 if (strcmp(attribute_name, "alpn") == 0)
1708 {
1709 const unsigned char *data;
1710 unsigned int len;
1711 static char alpn_str[256]; /* alpn doesn't support longer than 255
1712 * bytes */
1713
1714 SSL_get0_alpn_selected(conn->ssl, &data, &len);
1715 if (data == NULL || len == 0 || len > sizeof(alpn_str) - 1)
1716 return "";
1717 memcpy(alpn_str, data, len);
1718 alpn_str[len] = 0;
1719 return alpn_str;
1720 }
1721
1722 return NULL; /* unknown attribute */
1723}
1724
1725/*
1726 * Private substitute BIO: this does the sending and receiving using
1727 * pqsecure_raw_write() and pqsecure_raw_read() instead, to allow those
1728 * functions to disable SIGPIPE and give better error messages on I/O errors.
1729 *
1730 * These functions are closely modelled on the standard socket BIO in OpenSSL;
1731 * see sock_read() and sock_write() in OpenSSL's crypto/bio/bss_sock.c.
1732 */
1733
1734/* protected by ssl_config_mutex */
1735static BIO_METHOD *pgconn_bio_method_ptr;
1736
1737static int
1738pgconn_bio_read(BIO *h, char *buf, int size)
1739{
1740 PGconn *conn = (PGconn *) BIO_get_data(h);
1741 int res;
1742
1743 res = pqsecure_raw_read(conn, buf, size);
1744 BIO_clear_retry_flags(h);
1745 conn->last_read_was_eof = res == 0;
1746 if (res < 0)
1747 {
1748 /* If we were interrupted, tell caller to retry */
1749 switch (SOCK_ERRNO)
1750 {
1751#ifdef EAGAIN
1752 case EAGAIN:
1753#endif
1754#if defined(EWOULDBLOCK) && (!defined(EAGAIN) || (EWOULDBLOCK != EAGAIN))
1755 case EWOULDBLOCK:
1756#endif
1757 case EINTR:
1758 BIO_set_retry_read(h);
1759 break;
1760
1761 default:
1762 break;
1763 }
1764 }
1765
1766 if (res > 0)
1767 conn->ssl_handshake_started = true;
1768
1769 return res;
1770}
1771
1772static int
1773pgconn_bio_write(BIO *h, const char *buf, int size)
1774{
1775 int res;
1776
1777 res = pqsecure_raw_write((PGconn *) BIO_get_data(h), buf, size);
1778 BIO_clear_retry_flags(h);
1779 if (res < 0)
1780 {
1781 /* If we were interrupted, tell caller to retry */
1782 switch (SOCK_ERRNO)
1783 {
1784#ifdef EAGAIN
1785 case EAGAIN:
1786#endif
1787#if defined(EWOULDBLOCK) && (!defined(EAGAIN) || (EWOULDBLOCK != EAGAIN))
1788 case EWOULDBLOCK:
1789#endif
1790 case EINTR:
1791 BIO_set_retry_write(h);
1792 break;
1793
1794 default:
1795 break;
1796 }
1797 }
1798
1799 return res;
1800}
1801
1802static long
1803pgconn_bio_ctrl(BIO *h, int cmd, long num, void *ptr)
1804{
1805 long res;
1806 PGconn *conn = (PGconn *) BIO_get_data(h);
1807
1808 switch (cmd)
1809 {
1810 case BIO_CTRL_EOF:
1811
1812 /*
1813 * This should not be needed. pgconn_bio_read already has a way to
1814 * signal EOF to OpenSSL. However, OpenSSL made an undocumented,
1815 * backwards-incompatible change and now expects EOF via BIO_ctrl.
1816 * See https://github.com/openssl/openssl/issues/8208
1817 */
1818 res = conn->last_read_was_eof;
1819 break;
1820 case BIO_CTRL_FLUSH:
1821 /* libssl expects all BIOs to support BIO_flush. */
1822 res = 1;
1823 break;
1824 default:
1825 res = 0;
1826 break;
1827 }
1828
1829 return res;
1830}
1831
1832static BIO_METHOD *
1833pgconn_bio_method(void)
1834{
1835 BIO_METHOD *res;
1836
1837 if (pthread_mutex_lock(&ssl_config_mutex))
1838 return NULL;
1839
1840 res = pgconn_bio_method_ptr;
1841
1842 if (!pgconn_bio_method_ptr)
1843 {
1844 int my_bio_index;
1845
1846 my_bio_index = BIO_get_new_index();
1847 if (my_bio_index == -1)
1848 goto err;
1849 my_bio_index |= BIO_TYPE_SOURCE_SINK;
1850 res = BIO_meth_new(my_bio_index, "libpq socket");
1851 if (!res)
1852 goto err;
1853
1854 /*
1855 * As of this writing, these functions never fail. But check anyway,
1856 * like OpenSSL's own examples do.
1857 */
1858 if (!BIO_meth_set_write(res, pgconn_bio_write) ||
1859 !BIO_meth_set_read(res, pgconn_bio_read) ||
1860 !BIO_meth_set_ctrl(res, pgconn_bio_ctrl))
1861 {
1862 goto err;
1863 }
1864 }
1865
1866 pgconn_bio_method_ptr = res;
1867 pthread_mutex_unlock(&ssl_config_mutex);
1868 return res;
1869
1870err:
1871 if (res)
1872 BIO_meth_free(res);
1873 pthread_mutex_unlock(&ssl_config_mutex);
1874 return NULL;
1875}
1876
1877static int
1878ssl_set_pgconn_bio(PGconn *conn)
1879{
1880 BIO *bio;
1881 BIO_METHOD *bio_method;
1882
1883 bio_method = pgconn_bio_method();
1884 if (bio_method == NULL)
1885 return 0;
1886
1887 bio = BIO_new(bio_method);
1888 if (bio == NULL)
1889 return 0;
1890
1891 BIO_set_data(bio, conn);
1892 BIO_set_init(bio, 1);
1893
1894 SSL_set_bio(conn->ssl, bio, bio);
1895 return 1;
1896}
1897
1898/*
1899 * This is the default handler to return a client cert password from
1900 * conn->sslpassword. Apps may install it explicitly if they want to
1901 * prevent openssl from ever prompting on stdin.
1902 */
1903int
1904PQdefaultSSLKeyPassHook_OpenSSL(char *buf, int size, PGconn *conn)
1905{
1906 if (conn && conn->sslpassword)
1907 {
1908 if (strlen(conn->sslpassword) + 1 > size)
1909 fprintf(stderr, libpq_gettext("WARNING: sslpassword truncated\n"));
1910 strncpy(buf, conn->sslpassword, size);
1911 buf[size - 1] = '\0';
1912 return strlen(buf);
1913 }
1914 else
1915 {
1916 buf[0] = '\0';
1917 return 0;
1918 }
1919}
1920
1921PQsslKeyPassHook_OpenSSL_type
1922PQgetSSLKeyPassHook_OpenSSL(void)
1923{
1924 return PQsslKeyPassHook;
1925}
1926
1927void
1932
1933/*
1934 * Supply a password to decrypt a client certificate.
1935 *
1936 * This must match OpenSSL type pem_password_cb.
1937 */
1938static int
1939PQssl_passwd_cb(char *buf, int size, int rwflag, void *userdata)
1940{
1941 PGconn *conn = userdata;
1942
1943 if (PQsslKeyPassHook)
1944 return PQsslKeyPassHook(buf, size, conn);
1945 else
1946 return PQdefaultSSLKeyPassHook_OpenSSL(buf, size, conn);
1947}
1948
1949/*
1950 * Convert TLS protocol version string to OpenSSL values
1951 *
1952 * If a version is passed that is not supported by the current OpenSSL version,
1953 * then we return -1. If a non-negative value is returned, subsequent code can
1954 * assume it is working with a supported version.
1955 *
1956 * Note: this is rather similar to the backend routine in be-secure-openssl.c,
1957 * so make sure to update both routines if changing this one.
1958 */
1959static int
1960ssl_protocol_version_to_openssl(const char *protocol)
1961{
1962 if (pg_strcasecmp("TLSv1", protocol) == 0)
1963 return TLS1_VERSION;
1964
1965#ifdef TLS1_1_VERSION
1966 if (pg_strcasecmp("TLSv1.1", protocol) == 0)
1967 return TLS1_1_VERSION;
1968#endif
1969
1970#ifdef TLS1_2_VERSION
1971 if (pg_strcasecmp("TLSv1.2", protocol) == 0)
1972 return TLS1_2_VERSION;
1973#endif
1974
1975#ifdef TLS1_3_VERSION
1976 if (pg_strcasecmp("TLSv1.3", protocol) == 0)
1977 return TLS1_3_VERSION;
1978#endif
1979
1980 return -1;
1981}
SSL_context
static SSL_CTX * SSL_context
Definition be-secure-openssl.c:83
Assert
#define Assert(condition)
Definition c.h:873
fprintf
#define fprintf(file, fmt, msg)
Definition cubescan.l:21
err
void err(int eval, const char *fmt,...)
Definition err.c:43
pqGetHomeDirectory
bool pqGetHomeDirectory(char *buf, int bufsize)
Definition fe-connect.c:8232
pq_verify_peer_name_matches_certificate_name
int pq_verify_peer_name_matches_certificate_name(PGconn *conn, const char *namedata, size_t namelen, char **store_name)
Definition fe-secure-common.c:87
pq_verify_peer_name_matches_certificate_ip
int pq_verify_peer_name_matches_certificate_ip(PGconn *conn, const unsigned char *ipdata, size_t iplen, char **store_name)
Definition fe-secure-common.c:157
pq_verify_peer_name_matches_certificate
bool pq_verify_peer_name_matches_certificate(PGconn *conn)
Definition fe-secure-common.c:252
pgconn_bio_method_ptr
static BIO_METHOD * pgconn_bio_method_ptr
Definition fe-secure-openssl.c:1735
ssl_nomem
static char ssl_nomem[]
Definition fe-secure-openssl.c:1549
ssl_protocol_version_to_openssl
static int ssl_protocol_version_to_openssl(const char *protocol)
Definition fe-secure-openssl.c:1960
PQgetssl
void * PQgetssl(PGconn *conn)
Definition fe-secure-openssl.c:1626
SSLerrfree
static void SSLerrfree(char *buf)
Definition fe-secure-openssl.c:1612
PQgetSSLKeyPassHook_OpenSSL
PQsslKeyPassHook_OpenSSL_type PQgetSSLKeyPassHook_OpenSSL(void)
Definition fe-secure-openssl.c:1922
PQsslStruct
void * PQsslStruct(PGconn *conn, const char *struct_name)
Definition fe-secure-openssl.c:1634
pgtls_verify_peer_name_matches_certificate_guts
int pgtls_verify_peer_name_matches_certificate_guts(PGconn *conn, int *names_examined, char **first_name)
Definition fe-secure-openssl.c:544
pgtls_open_client
PostgresPollingStatusType pgtls_open_client(PGconn *conn)
Definition fe-secure-openssl.c:96
pgtls_read_pending
bool pgtls_read_pending(PGconn *conn)
Definition fe-secure-openssl.c:234
PQdefaultSSLKeyPassHook_OpenSSL
int PQdefaultSSLKeyPassHook_OpenSSL(char *buf, int size, PGconn *conn)
Definition fe-secure-openssl.c:1904
pgconn_bio_read
static int pgconn_bio_read(BIO *h, char *buf, int size)
Definition fe-secure-openssl.c:1738
openssl_verify_peer_name_matches_certificate_name
static int openssl_verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, char **store_name)
Definition fe-secure-openssl.c:470
pgtls_read
ssize_t pgtls_read(PGconn *conn, void *ptr, size_t len)
Definition fe-secure-openssl.c:118
pgconn_bio_ctrl
static long pgconn_bio_ctrl(BIO *h, int cmd, long num, void *ptr)
Definition fe-secure-openssl.c:1803
pgconn_bio_write
static int pgconn_bio_write(BIO *h, const char *buf, int size)
Definition fe-secure-openssl.c:1773
pgtls_write
ssize_t pgtls_write(PGconn *conn, const void *ptr, size_t len)
Definition fe-secure-openssl.c:240
PQsslKeyPassHook
static PQsslKeyPassHook_OpenSSL_type PQsslKeyPassHook
Definition fe-secure-openssl.c:88
pgtls_get_peer_certificate_hash
char * pgtls_get_peer_certificate_hash(PGconn *conn, size_t *len)
Definition fe-secure-openssl.c:340
SSL_ERR_LEN
#define SSL_ERR_LEN
Definition fe-secure-openssl.c:1551
PQsslAttribute
const char * PQsslAttribute(PGconn *conn, const char *attribute_name)
Definition fe-secure-openssl.c:1671
initialize_SSL
static int initialize_SSL(PGconn *conn)
Definition fe-secure-openssl.c:739
ssl_config_mutex
static pthread_mutex_t ssl_config_mutex
Definition fe-secure-openssl.c:86
verify_cb
static int verify_cb(int ok, X509_STORE_CTX *ctx)
Definition fe-secure-openssl.c:430
PQssl_passwd_cb
static int PQssl_passwd_cb(char *buf, int size, int rwflag, void *userdata)
Definition fe-secure-openssl.c:1939
SSLerrmessage
static char * SSLerrmessage(unsigned long ecode)
Definition fe-secure-openssl.c:1554
openssl_verify_peer_name_matches_certificate_ip
static int openssl_verify_peer_name_matches_certificate_ip(PGconn *conn, ASN1_OCTET_STRING *addr_entry, char **store_name)
Definition fe-secure-openssl.c:499
open_client_SSL
static PostgresPollingStatusType open_client_SSL(PGconn *conn)
Definition fe-secure-openssl.c:1338
alpn_protos
static unsigned char alpn_protos[]
Definition fe-secure-openssl.c:686
ssl_set_pgconn_bio
static int ssl_set_pgconn_bio(PGconn *conn)
Definition fe-secure-openssl.c:1878
pgtls_close
void pgtls_close(PGconn *conn)
Definition fe-secure-openssl.c:1502
PQsslAttributeNames
const char *const * PQsslAttributeNames(PGconn *conn)
Definition fe-secure-openssl.c:1644
PQsetSSLKeyPassHook_OpenSSL
void PQsetSSLKeyPassHook_OpenSSL(PQsslKeyPassHook_OpenSSL_type hook)
Definition fe-secure-openssl.c:1928
pgconn_bio_method
static BIO_METHOD * pgconn_bio_method(void)
Definition fe-secure-openssl.c:1833
is_ip_address
static bool is_ip_address(const char *host)
Definition fe-secure-openssl.c:524
pqsecure_raw_read
ssize_t pqsecure_raw_read(PGconn *conn, void *ptr, size_t len)
Definition fe-secure.c:193
pqsecure_raw_write
ssize_t pqsecure_raw_write(PGconn *conn, const void *ptr, size_t len)
Definition fe-secure.c:316
close
#define close(a)
Definition win32.h:12
write
#define write(a, b, c)
Definition win32.h:14
i
int i
Definition isn.c:77
PQsslKeyPassHook_OpenSSL_type
int(* PQsslKeyPassHook_OpenSSL_type)(char *buf, int size, PGconn *conn)
Definition libpq-fe.h:828
PostgresPollingStatusType
PostgresPollingStatusType
Definition libpq-fe.h:114
PGRES_POLLING_OK
@ PGRES_POLLING_OK
Definition libpq-fe.h:118
PGRES_POLLING_READING
@ PGRES_POLLING_READING
Definition libpq-fe.h:116
PGRES_POLLING_WRITING
@ PGRES_POLLING_WRITING
Definition libpq-fe.h:117
PGRES_POLLING_FAILED
@ PGRES_POLLING_FAILED
Definition libpq-fe.h:115
SOCK_STRERROR
#define SOCK_STRERROR
Definition libpq-int.h:972
ENC_SSL
#define ENC_SSL
Definition libpq-int.h:232
SOCK_ERRNO
#define SOCK_ERRNO
Definition oauth-utils.c:164
SOCK_ERRNO_SET
#define SOCK_ERRNO_SET(e)
Definition oauth-utils.c:165
libpq_append_conn_error
void libpq_append_conn_error(PGconn *conn, const char *fmt,...)
Definition oauth-utils.c:95
libpq_gettext
#define libpq_gettext(x)
Definition oauth-utils.h:86
arg
void * arg
Definition pg_backup_utils.c:29
MAXPGPATH
#define MAXPGPATH
Definition pg_config_manual.h:105
len
const void size_t len
Definition pg_crc32c_sse42.c:28
data
const void * data
Definition pg_crc32c_sse42.c:27
buf
static char buf[DEFAULT_XLOG_SEG_SIZE]
Definition pg_test_fsync.c:71
PG_STRERROR_R_BUFLEN
#define PG_STRERROR_R_BUFLEN
Definition port.h:278
pg_strcasecmp
int pg_strcasecmp(const char *s1, const char *s2)
Definition pgstrcasecmp.c:32
inet_aton
int inet_aton(const char *cp, struct in_addr *addr)
Definition inet_aton.c:56
snprintf
#define snprintf
Definition port.h:260
strerror_r
#define strerror_r
Definition port.h:277
strlcpy
size_t strlcpy(char *dst, const char *src, size_t siz)
Definition strlcpy.c:45
postgres_fe.h
PG_ALPN_PROTOCOL
#define PG_ALPN_PROTOCOL
Definition pqcomm.h:179
PG_ALPN_PROTOCOL_VECTOR
#define PG_ALPN_PROTOCOL_VECTOR
Definition pqcomm.h:180
appendPQExpBufferStr
void appendPQExpBufferStr(PQExpBuffer str, const char *data)
Definition pqexpbuffer.c:367
fd
static int fd(const char *x, int i)
Definition preproc-init.c:105
fb
static int fb(int x)
Definition preproc-init.c:92
pthread_mutex_unlock
int pthread_mutex_unlock(pthread_mutex_t *mp)
Definition pthread-win32.c:60
pthread_mutex_lock
int pthread_mutex_lock(pthread_mutex_t *mp)
Definition pthread-win32.c:42
PTHREAD_MUTEX_INITIALIZER
#define PTHREAD_MUTEX_INITIALIZER
Definition pthread-win32.h:16
hash
static unsigned hash(unsigned *uv, int n)
Definition rege_dfa.c:715
free
#define free(a)
Definition snowball_runtime.h:65
malloc
#define malloc(a)
Definition snowball_runtime.h:50
conn
PGconn * conn
Definition streamutil.c:52
pg_conn_host::host
char * host
Definition libpq-int.h:358
pg_conn
Definition libpq-int.h:372
pg_conn::sslrootcert
char * sslrootcert
Definition libpq-int.h:413
pg_conn::sslnegotiation
char * sslnegotiation
Definition libpq-int.h:407
pg_conn::sslcompression
char * sslcompression
Definition libpq-int.h:408
pg_conn::last_read_was_eof
bool last_read_was_eof
Definition libpq-int.h:624
pg_conn::sslcrldir
char * sslcrldir
Definition libpq-int.h:415
pg_conn::sslcrl
char * sslcrl
Definition libpq-int.h:414
pg_conn::ssl_max_protocol_version
char * ssl_max_protocol_version
Definition libpq-int.h:426
pg_conn::sslcert
char * sslcert
Definition libpq-int.h:410
pg_conn::sslcertmode
char * sslcertmode
Definition libpq-int.h:412
pg_conn::current_enc_method
uint8 current_enc_method
Definition libpq-int.h:617
pg_conn::sslpassword
char * sslpassword
Definition libpq-int.h:411
pg_conn::sslmode
char * sslmode
Definition libpq-int.h:406
pg_conn::ssl_min_protocol_version
char * ssl_min_protocol_version
Definition libpq-int.h:425
pg_conn::errorMessage
PQExpBufferData errorMessage
Definition libpq-int.h:683
pg_conn::sslkey
char * sslkey
Definition libpq-int.h:409
pg_conn::sslkeylogfile
char * sslkeylogfile
Definition libpq-int.h:432
pg_conn::ssl_cert_requested
bool ssl_cert_requested
Definition libpq-int.h:622
pg_conn::ssl_cert_sent
bool ssl_cert_sent
Definition libpq-int.h:623
pg_conn::ssl_handshake_started
bool ssl_handshake_started
Definition libpq-int.h:621
pg_conn::whichhost
int whichhost
Definition libpq-int.h:481
pg_conn::sslsni
char * sslsni
Definition libpq-int.h:416
pg_conn::connhost
pg_conn_host * connhost
Definition libpq-int.h:482
pg_conn::ssl_in_use
bool ssl_in_use
Definition libpq-int.h:620
pthread_mutex_t
Definition pthread-win32.h:10
name
const char * name
Definition wait_event_funcs.c:28
S_IXGRP
#define S_IXGRP
Definition win32_port.h:297
stat
#define stat
Definition win32_port.h:74
S_IRWXG
#define S_IRWXG
Definition win32_port.h:300
EINTR
#define EINTR
Definition win32_port.h:361
EWOULDBLOCK
#define EWOULDBLOCK
Definition win32_port.h:367
S_IRWXO
#define S_IRWXO
Definition win32_port.h:312
S_ISREG
#define S_ISREG(m)
Definition win32_port.h:318
ECONNRESET
#define ECONNRESET
Definition win32_port.h:371
S_IWGRP
#define S_IWGRP
Definition win32_port.h:294
EAGAIN
#define EAGAIN
Definition win32_port.h:359