PostgreSQL Source Code: src/backend/libpq/be-secure-openssl.c Source File (original) (raw)

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

18

19#include <sys/stat.h>

20#include <signal.h>

21#include <fcntl.h>

22#include <ctype.h>

29

38

39

40

41

42

43

44

46#include <openssl/bn.h>

47#include <openssl/conf.h>

48#include <openssl/dh.h>

49#ifndef OPENSSL_NO_ECDH

50#include <openssl/ec.h>

51#endif

52#include <openssl/x509v3.h>

53

54

55

58

63

68static int verify_cb(int ok, X509_STORE_CTX *ctx);

70static int alpn_cb(SSL *ssl,

71 const unsigned char **out,

72 unsigned char *outlen,

73 const unsigned char *in,

74 unsigned int inlen,

75 void *userdata);

76static bool initialize_dh(SSL_CTX *context, bool isServerStart);

77static bool initialize_ecdh(SSL_CTX *context, bool isServerStart);

78static const char *SSLerrmessageExt(unsigned long ecode, const char *replacement);

79static const char *SSLerrmessage(unsigned long ecode);

80

82

86

89

90

92

93

94

95

96

97int

99{

100 SSL_CTX *context;

101 int ssl_ver_min = -1;

102 int ssl_ver_max = -1;

103

104

105

106

107

108

109

110

111

112

113

114 context = SSL_CTX_new(SSLv23_method());

115 if (!context)

116 {

118 (errmsg("could not create SSL context: %s",

121 }

122

123

124

125

126

127 SSL_CTX_set_mode(context, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);

128

129

130

131

132 (*openssl_tls_init_hook) (context, isServerStart);

133

134

136

137

138

139

140 if (SSL_CTX_use_certificate_chain_file(context, ssl_cert_file) != 1)

141 {

143 (errcode(ERRCODE_CONFIG_FILE_ERROR),

144 errmsg("could not load server certificate file \"%s\": %s",

147 }

148

151

152

153

154

156

157 if (SSL_CTX_use_PrivateKey_file(context,

159 SSL_FILETYPE_PEM) != 1)

160 {

163 (errcode(ERRCODE_CONFIG_FILE_ERROR),

164 errmsg("private key file \"%s\" cannot be reloaded because it requires a passphrase",

166 else

168 (errcode(ERRCODE_CONFIG_FILE_ERROR),

169 errmsg("could not load private key file \"%s\": %s",

172 }

173

174 if (SSL_CTX_check_private_key(context) != 1)

175 {

177 (errcode(ERRCODE_CONFIG_FILE_ERROR),

178 errmsg("check of private key failed: %s",

181 }

182

184 {

186

187 if (ssl_ver_min == -1)

188 {

190

191 (errmsg("\"%s\" setting \"%s\" not supported by this build",

192 "ssl_min_protocol_version",

194 false, false))));

196 }

197

198 if (!SSL_CTX_set_min_proto_version(context, ssl_ver_min))

199 {

201 (errmsg("could not set minimum SSL protocol version")));

203 }

204 }

205

207 {

209

210 if (ssl_ver_max == -1)

211 {

213

214 (errmsg("\"%s\" setting \"%s\" not supported by this build",

215 "ssl_max_protocol_version",

217 false, false))));

219 }

220

221 if (!SSL_CTX_set_max_proto_version(context, ssl_ver_max))

222 {

224 (errmsg("could not set maximum SSL protocol version")));

226 }

227 }

228

229

232 {

233

234

235

236

237 if (ssl_ver_min > ssl_ver_max)

238 {

240 (errcode(ERRCODE_CONFIG_FILE_ERROR),

241 errmsg("could not set SSL protocol version range"),

242 errdetail("\"%s\" cannot be higher than \"%s\"",

243 "ssl_min_protocol_version",

244 "ssl_max_protocol_version")));

246 }

247 }

248

249

250

251

252

253

254

255

256

257

258#ifdef HAVE_SSL_CTX_SET_NUM_TICKETS

259 SSL_CTX_set_num_tickets(context, 0);

260#endif

261 SSL_CTX_set_options(context, SSL_OP_NO_TICKET);

262

263

264 SSL_CTX_set_session_cache_mode(context, SSL_SESS_CACHE_OFF);

265

266

267 SSL_CTX_set_options(context, SSL_OP_NO_COMPRESSION);

268

269

270

271

272

273

274

275

276

277#ifdef SSL_OP_NO_RENEGOTIATION

278 SSL_CTX_set_options(context, SSL_OP_NO_RENEGOTIATION);

279#endif

280#ifdef SSL_OP_NO_CLIENT_RENEGOTIATION

281 SSL_CTX_set_options(context, SSL_OP_NO_CLIENT_RENEGOTIATION);

282#endif

283

284

289

290

291 if (SSL_CTX_set_cipher_list(context, SSLCipherList) != 1)

292 {

294 (errcode(ERRCODE_CONFIG_FILE_ERROR),

295 errmsg("could not set the TLSv1.2 cipher list (no valid ciphers available)")));

297 }

298

299

300

301

302

304 {

305

306 if (SSL_CTX_set_ciphersuites(context, SSLCipherSuites) != 1)

307 {

309 (errcode(ERRCODE_CONFIG_FILE_ERROR),

310 errmsg("could not set the TLSv1.3 cipher suites (no valid ciphers available)")));

312 }

313 }

314

315

317 SSL_CTX_set_options(context, SSL_OP_CIPHER_SERVER_PREFERENCE);

318

319

320

321

323 {

324 STACK_OF(X509_NAME) * root_cert_list;

325

326 if (SSL_CTX_load_verify_locations(context, ssl_ca_file, NULL) != 1 ||

327 (root_cert_list = SSL_load_client_CA_file(ssl_ca_file)) == NULL)

328 {

330 (errcode(ERRCODE_CONFIG_FILE_ERROR),

331 errmsg("could not load root certificate file \"%s\": %s",

334 }

335

336

337

338

339

340

341

342

343 SSL_CTX_set_client_CA_list(context, root_cert_list);

344

345

346

347

348

349

350 SSL_CTX_set_verify(context,

351 (SSL_VERIFY_PEER |

352 SSL_VERIFY_CLIENT_ONCE),

354 }

355

356

357

358

359

360

362 {

363 X509_STORE *cvstore = SSL_CTX_get_cert_store(context);

364

365 if (cvstore)

366 {

367

368 if (X509_STORE_load_locations(cvstore,

371 == 1)

372 {

373 X509_STORE_set_flags(cvstore,

374 X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);

375 }

377 {

379 (errcode(ERRCODE_CONFIG_FILE_ERROR),

380 errmsg("could not load SSL certificate revocation list file \"%s\": %s",

383 }

385 {

387 (errcode(ERRCODE_CONFIG_FILE_ERROR),

388 errmsg("could not load SSL certificate revocation list directory \"%s\": %s",

391 }

392 else

393 {

395 (errcode(ERRCODE_CONFIG_FILE_ERROR),

396 errmsg("could not load SSL certificate revocation list file \"%s\" or directory \"%s\": %s",

400 }

401 }

402 }

403

404

405

406

409

411

412

413

414

416 ssl_loaded_verify_locations = true;

417 else

418 ssl_loaded_verify_locations = false;

419

420 return 0;

421

422

424 if (context)

425 SSL_CTX_free(context);

426 return -1;

427}

428

429void

431{

435 ssl_loaded_verify_locations = false;

436}

437

438int

440{

441 int r;

443 int waitfor;

444 unsigned long ecode;

445 bool give_proto_hint;

446

449

451 {

453 (errcode(ERRCODE_PROTOCOL_VIOLATION),

454 errmsg("could not initialize SSL connection: SSL context not set up")));

455 return -1;

456 }

457

458

460

461

463

465 {

467 (errcode(ERRCODE_PROTOCOL_VIOLATION),

468 errmsg("could not initialize SSL connection: %s",

470 return -1;

471 }

473 {

475 (errcode(ERRCODE_PROTOCOL_VIOLATION),

476 errmsg("could not set SSL socket: %s",

478 return -1;

479 }

480 port->ssl_in_use = true;

481

482aloop:

483

484

485

486

487

488

489

490

491

492 errno = 0;

493 ERR_clear_error();

494 r = SSL_accept(port->ssl);

495 if (r <= 0)

496 {

497 err = SSL_get_error(port->ssl, r);

498

499

500

501

502

503

504

505

506

507 ecode = ERR_get_error();

508 switch (err)

509 {

510 case SSL_ERROR_WANT_READ:

511 case SSL_ERROR_WANT_WRITE:

512

514

515

516

517

518

519

520 if (err == SSL_ERROR_WANT_READ)

522 else

524

526 WAIT_EVENT_SSL_OPEN_SERVER);

527 goto aloop;

528 case SSL_ERROR_SYSCALL:

529 if (r < 0 && errno != 0)

532 errmsg("could not accept SSL connection: %m")));

533 else

535 (errcode(ERRCODE_PROTOCOL_VIOLATION),

536 errmsg("could not accept SSL connection: EOF detected")));

537 break;

538 case SSL_ERROR_SSL:

539 switch (ERR_GET_REASON(ecode))

540 {

541

542

543

544

545

546

547

548

549

550

551

552

553

554 case SSL_R_NO_PROTOCOLS_AVAILABLE:

555 case SSL_R_UNSUPPORTED_PROTOCOL:

556 case SSL_R_BAD_PROTOCOL_VERSION_NUMBER:

557 case SSL_R_UNKNOWN_PROTOCOL:

558 case SSL_R_UNKNOWN_SSL_VERSION:

559 case SSL_R_UNSUPPORTED_SSL_VERSION:

560 case SSL_R_WRONG_SSL_VERSION:

561 case SSL_R_WRONG_VERSION_NUMBER:

562 case SSL_R_TLSV1_ALERT_PROTOCOL_VERSION:

563#ifdef SSL_R_VERSION_TOO_HIGH

564 case SSL_R_VERSION_TOO_HIGH:

565#endif

566#ifdef SSL_R_VERSION_TOO_LOW

567 case SSL_R_VERSION_TOO_LOW:

568#endif

569 give_proto_hint = true;

570 break;

571 default:

572 give_proto_hint = false;

573 break;

574 }

576 (errcode(ERRCODE_PROTOCOL_VIOLATION),

577 errmsg("could not accept SSL connection: %s",

580 give_proto_hint ?

581 errhint("This may indicate that the client does not support any SSL protocol version between %s and %s.",

584 MIN_OPENSSL_TLS_VERSION,

587 MAX_OPENSSL_TLS_VERSION) : 0));

589 break;

590 case SSL_ERROR_ZERO_RETURN:

592 (errcode(ERRCODE_PROTOCOL_VIOLATION),

593 errmsg("could not accept SSL connection: EOF detected")));

594 break;

595 default:

597 (errcode(ERRCODE_PROTOCOL_VIOLATION),

598 errmsg("unrecognized SSL error code: %d",

600 break;

601 }

602 return -1;

603 }

604

605

606 port->alpn_used = false;

607 {

608 const unsigned char *selected;

609 unsigned int len;

610

611 SSL_get0_alpn_selected(port->ssl, &selected, &len);

612

613

614 if (selected != NULL)

615 {

618 {

619 port->alpn_used = true;

620 }

621 else

622 {

623

625 (errcode(ERRCODE_PROTOCOL_VIOLATION),

626 errmsg("received SSL connection request with unexpected ALPN protocol")));

627 }

628 }

629 }

630

631

632 port->peer = SSL_get_peer_certificate(port->ssl);

633

634

635 port->peer_cn = NULL;

636 port->peer_dn = NULL;

637 port->peer_cert_valid = false;

638 if (port->peer != NULL)

639 {

641 X509_NAME *x509name = X509_get_subject_name(port->peer);

642 char *peer_dn;

643 BIO *bio = NULL;

644 BUF_MEM *bio_buf = NULL;

645

646 len = X509_NAME_get_text_by_NID(x509name, NID_commonName, NULL, 0);

647 if (len != -1)

648 {

649 char *peer_cn;

650

652 r = X509_NAME_get_text_by_NID(x509name, NID_commonName, peer_cn,

653 len + 1);

654 peer_cn[len] = '\0';

655 if (r != len)

656 {

657

659 return -1;

660 }

661

662

663

664

665

666 if (len != strlen(peer_cn))

667 {

669 (errcode(ERRCODE_PROTOCOL_VIOLATION),

670 errmsg("SSL certificate's common name contains embedded null")));

672 return -1;

673 }

674

675 port->peer_cn = peer_cn;

676 }

677

678 bio = BIO_new(BIO_s_mem());

679 if (!bio)

680 {

681 if (port->peer_cn != NULL)

682 {

684 port->peer_cn = NULL;

685 }

686 return -1;

687 }

688

689

690

691

692

693

694

695

696 if (X509_NAME_print_ex(bio, x509name, 0, XN_FLAG_RFC2253) == -1 ||

697 BIO_get_mem_ptr(bio, &bio_buf) <= 0)

698 {

699 BIO_free(bio);

700 if (port->peer_cn != NULL)

701 {

703 port->peer_cn = NULL;

704 }

705 return -1;

706 }

708 memcpy(peer_dn, bio_buf->data, bio_buf->length);

709 len = bio_buf->length;

710 BIO_free(bio);

711 peer_dn[len] = '\0';

712 if (len != strlen(peer_dn))

713 {

715 (errcode(ERRCODE_PROTOCOL_VIOLATION),

716 errmsg("SSL certificate's distinguished name contains embedded null")));

718 if (port->peer_cn != NULL)

719 {

721 port->peer_cn = NULL;

722 }

723 return -1;

724 }

725

726 port->peer_dn = peer_dn;

727

728 port->peer_cert_valid = true;

729 }

730

731 return 0;

732}

733

734void

736{

737 if (port->ssl)

738 {

739 SSL_shutdown(port->ssl);

740 SSL_free(port->ssl);

741 port->ssl = NULL;

742 port->ssl_in_use = false;

743 }

744

745 if (port->peer)

746 {

747 X509_free(port->peer);

748 port->peer = NULL;

749 }

750

751 if (port->peer_cn)

752 {

754 port->peer_cn = NULL;

755 }

756

757 if (port->peer_dn)

758 {

760 port->peer_dn = NULL;

761 }

762}

763

764ssize_t

766{

767 ssize_t n;

769 unsigned long ecode;

770

771 errno = 0;

772 ERR_clear_error();

773 n = SSL_read(port->ssl, ptr, len);

774 err = SSL_get_error(port->ssl, n);

775 ecode = (err != SSL_ERROR_NONE || n < 0) ? ERR_get_error() : 0;

776 switch (err)

777 {

778 case SSL_ERROR_NONE:

779

780 break;

781 case SSL_ERROR_WANT_READ:

784 n = -1;

785 break;

786 case SSL_ERROR_WANT_WRITE:

789 n = -1;

790 break;

791 case SSL_ERROR_SYSCALL:

792

793 if (n != -1 || errno == 0)

794 {

796 n = -1;

797 }

798 break;

799 case SSL_ERROR_SSL:

801 (errcode(ERRCODE_PROTOCOL_VIOLATION),

804 n = -1;

805 break;

806 case SSL_ERROR_ZERO_RETURN:

807

808 n = 0;

809 break;

810 default:

812 (errcode(ERRCODE_PROTOCOL_VIOLATION),

813 errmsg("unrecognized SSL error code: %d",

816 n = -1;

817 break;

818 }

819

820 return n;

821}

822

823ssize_t

825{

826 ssize_t n;

828 unsigned long ecode;

829

830 errno = 0;

831 ERR_clear_error();

832 n = SSL_write(port->ssl, ptr, len);

833 err = SSL_get_error(port->ssl, n);

834 ecode = (err != SSL_ERROR_NONE || n < 0) ? ERR_get_error() : 0;

835 switch (err)

836 {

837 case SSL_ERROR_NONE:

838

839 break;

840 case SSL_ERROR_WANT_READ:

843 n = -1;

844 break;

845 case SSL_ERROR_WANT_WRITE:

848 n = -1;

849 break;

850 case SSL_ERROR_SYSCALL:

851

852

853

854

855

856

857

858 if (n != -1 || errno == 0)

859 {

861 n = -1;

862 }

863 break;

864 case SSL_ERROR_SSL:

866 (errcode(ERRCODE_PROTOCOL_VIOLATION),

869 n = -1;

870 break;

871 case SSL_ERROR_ZERO_RETURN:

872

873

874

875

876

878 n = -1;

879 break;

880 default:

882 (errcode(ERRCODE_PROTOCOL_VIOLATION),

883 errmsg("unrecognized SSL error code: %d",

886 n = -1;

887 break;

888 }

889

890 return n;

891}

892

893

894

895

896

897

898

899

900

901

902

903

904

905

906

907

908

910

911static int

913{

914 int res = 0;

916

917 if (buf != NULL)

918 {

920 BIO_clear_retry_flags(h);

921 port->last_read_was_eof = res == 0;

922 if (res <= 0)

923 {

924

926 {

927 BIO_set_retry_read(h);

928 }

929 }

930 }

931

932 return res;

933}

934

935static int

937{

938 int res = 0;

939

941 BIO_clear_retry_flags(h);

942 if (res <= 0)

943 {

944

946 {

947 BIO_set_retry_write(h);

948 }

949 }

950

951 return res;

952}

953

954static long

956{

957 long res;

959

960 switch (cmd)

961 {

962 case BIO_CTRL_EOF:

963

964

965

966

967

968

969

970 res = port->last_read_was_eof;

971 break;

972 case BIO_CTRL_FLUSH:

973

974 res = 1;

975 break;

976 default:

977 res = 0;

978 break;

979 }

980

981 return res;

982}

983

984static BIO_METHOD *

986{

988 {

989 int my_bio_index;

990

991 my_bio_index = BIO_get_new_index();

992 if (my_bio_index == -1)

993 return NULL;

994 my_bio_index |= BIO_TYPE_SOURCE_SINK;

995 port_bio_method_ptr = BIO_meth_new(my_bio_index, "PostgreSQL backend socket");

997 return NULL;

1001 {

1004 return NULL;

1005 }

1006 }

1008}

1009

1010static int

1012{

1013 BIO *bio;

1014 BIO_METHOD *bio_method;

1015

1017 if (bio_method == NULL)

1018 return 0;

1019

1020 bio = BIO_new(bio_method);

1021 if (bio == NULL)

1022 return 0;

1023

1024 BIO_set_data(bio, port);

1025 BIO_set_init(bio, 1);

1026

1027 SSL_set_bio(port->ssl, bio, bio);

1028 return 1;

1029}

1030

1031

1032

1033

1034

1035

1036

1037

1038static DH *

1040{

1041 FILE *fp;

1042 DH *dh = NULL;

1043 int codes;

1044

1045

1047 {

1050 errmsg("could not open DH parameters file \"%s\": %m",

1052 return NULL;

1053 }

1054

1055 dh = PEM_read_DHparams(fp, NULL, NULL, NULL);

1057

1058 if (dh == NULL)

1059 {

1061 (errcode(ERRCODE_CONFIG_FILE_ERROR),

1062 errmsg("could not load DH parameters file: %s",

1064 return NULL;

1065 }

1066

1067

1068 if (DH_check(dh, &codes) == 0)

1069 {

1071 (errcode(ERRCODE_CONFIG_FILE_ERROR),

1072 errmsg("invalid DH parameters: %s",

1074 DH_free(dh);

1075 return NULL;

1076 }

1077 if (codes & DH_CHECK_P_NOT_PRIME)

1078 {

1080 (errcode(ERRCODE_CONFIG_FILE_ERROR),

1081 errmsg("invalid DH parameters: p is not prime")));

1082 DH_free(dh);

1083 return NULL;

1084 }

1085 if ((codes & DH_NOT_SUITABLE_GENERATOR) &&

1086 (codes & DH_CHECK_P_NOT_SAFE_PRIME))

1087 {

1089 (errcode(ERRCODE_CONFIG_FILE_ERROR),

1090 errmsg("invalid DH parameters: neither suitable generator or safe prime")));

1091 DH_free(dh);

1092 return NULL;

1093 }

1094

1095 return dh;

1096}

1097

1098

1099

1100

1101

1102

1103

1104

1105static DH *

1107{

1108 BIO *bio;

1109 DH *dh = NULL;

1110

1111 bio = BIO_new_mem_buf(buffer, len);

1112 if (bio == NULL)

1113 return NULL;

1114 dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);

1115 if (dh == NULL)

1119 BIO_free(bio);

1120

1121 return dh;

1122}

1123

1124

1125

1126

1127static int

1129{

1130

1131 const char *prompt = "Enter PEM pass phrase:";

1132

1133 Assert(rwflag == 0);

1134

1136}

1137

1138

1139

1140

1141

1142

1143

1144

1145

1146

1147static int

1149{

1150

1152

1154 buf[0] = '\0';

1155 return 0;

1156}

1157

1158

1159

1160

1161

1162

1163

1164static char *

1166{

1167 size_t namelen = strlen(name);

1168 char *truncated = name;

1169

1170

1171

1172

1173

1174

1175

1176#define MAXLEN 71

1177

1178 if (namelen > MAXLEN)

1179 {

1180

1181

1182

1183

1184 truncated = name + namelen - MAXLEN;

1185 truncated[0] = truncated[1] = truncated[2] = '.';

1187 }

1188

1189#undef MAXLEN

1190

1192}

1193

1194

1195

1196

1197

1198

1199

1200

1201

1202

1203

1204static int

1206{

1207 int depth;

1209 const char *errstring;

1211 X509 *cert;

1212

1213 if (ok)

1214 {

1215

1216 return ok;

1217 }

1218

1219

1220 depth = X509_STORE_CTX_get_error_depth(ctx);

1221 errcode = X509_STORE_CTX_get_error(ctx);

1222 errstring = X509_verify_cert_error_string(errcode);

1223

1226 _("Client certificate verification failed at depth %d: %s."),

1227 depth, errstring);

1228

1229 cert = X509_STORE_CTX_get_current_cert(ctx);

1230 if (cert)

1231 {

1232 char *subject,

1233 *issuer;

1234 char *sub_prepared,

1235 *iss_prepared;

1236 char *serialno;

1237 ASN1_INTEGER *sn;

1238 BIGNUM *b;

1239

1240

1241

1242

1243

1244

1248

1252

1253

1254

1255

1256

1257 sn = X509_get_serialNumber(cert);

1258 b = ASN1_INTEGER_to_BN(sn, NULL);

1259 serialno = BN_bn2dec(b);

1260

1263 _("Failed certificate data (unverified): subject \"%s\", serial number %s, issuer \"%s\"."),

1264 sub_prepared, serialno ? serialno : _("unknown"),

1265 iss_prepared);

1266

1267 BN_free(b);

1268 OPENSSL_free(serialno);

1269 pfree(iss_prepared);

1270 pfree(sub_prepared);

1271 }

1272

1273

1275

1276 return ok;

1277}

1278

1279

1280

1281

1282

1283static void

1285{

1286 const char *desc;

1287

1288 desc = SSL_state_string_long(ssl);

1289

1290 switch (type)

1291 {

1292 case SSL_CB_HANDSHAKE_START:

1294 (errmsg_internal("SSL: handshake start: \"%s\"", desc)));

1295 break;

1296 case SSL_CB_HANDSHAKE_DONE:

1298 (errmsg_internal("SSL: handshake done: \"%s\"", desc)));

1299 break;

1300 case SSL_CB_ACCEPT_LOOP:

1303 break;

1304 case SSL_CB_ACCEPT_EXIT:

1307 break;

1308 case SSL_CB_CONNECT_LOOP:

1311 break;

1312 case SSL_CB_CONNECT_EXIT:

1315 break;

1316 case SSL_CB_READ_ALERT:

1319 break;

1320 case SSL_CB_WRITE_ALERT:

1323 break;

1324 }

1325}

1326

1327

1329

1330

1331

1332

1333

1334static int

1336 const unsigned char **out,

1337 unsigned char *outlen,

1338 const unsigned char *in,

1339 unsigned int inlen,

1340 void *userdata)

1341{

1342

1343

1344

1345

1346

1347 int retval;

1348

1349 Assert(userdata != NULL);

1350 Assert(out != NULL);

1351 Assert(outlen != NULL);

1353

1354 retval = SSL_select_next_proto((unsigned char **) out, outlen,

1356 in, inlen);

1357 if (*out == NULL || *outlen > sizeof(alpn_protos) || *outlen <= 0)

1358 return SSL_TLSEXT_ERR_NOACK;

1359

1360 if (retval == OPENSSL_NPN_NEGOTIATED)

1361 return SSL_TLSEXT_ERR_OK;

1362 else

1363 {

1364

1365

1366

1367

1368 return SSL_TLSEXT_ERR_ALERT_FATAL;

1369 }

1370}

1371

1372

1373

1374

1375

1376

1377

1378

1379

1380

1381

1382

1383

1384

1385

1386static bool

1388{

1389 DH *dh = NULL;

1390

1391 SSL_CTX_set_options(context, SSL_OP_SINGLE_DH_USE);

1392

1395 if (!dh)

1396 dh = load_dh_buffer(FILE_DH2048, sizeof(FILE_DH2048));

1397 if (!dh)

1398 {

1400 (errcode(ERRCODE_CONFIG_FILE_ERROR),

1401 errmsg("DH: could not load DH parameters")));

1402 return false;

1403 }

1404

1405 if (SSL_CTX_set_tmp_dh(context, dh) != 1)

1406 {

1408 (errcode(ERRCODE_CONFIG_FILE_ERROR),

1409 errmsg("DH: could not set DH parameters: %s",

1411 DH_free(dh);

1412 return false;

1413 }

1414

1415 DH_free(dh);

1416 return true;

1417}

1418

1419

1420

1421

1422

1423

1424static bool

1426{

1427#ifndef OPENSSL_NO_ECDH

1428 if (SSL_CTX_set1_groups_list(context, SSLECDHCurve) != 1)

1429 {

1430

1431

1432

1433

1434

1435

1436

1438 errcode(ERRCODE_CONFIG_FILE_ERROR),

1439 errmsg("failed to set group names specified in ssl_groups: %s",

1441 _("No valid groups found"))),

1442 errhint("Ensure that each group name is spelled correctly and supported by the installed version of OpenSSL"));

1443 return false;

1444 }

1445#endif

1446

1447 return true;

1448}

1449

1450

1451

1452

1453

1454

1455

1456

1457

1458

1459

1460

1461

1462

1463static const char *

1465{

1466 if (ecode == 0)

1467 return replacement;

1468 else

1470}

1471

1472

1473

1474

1475

1476

1477

1478

1479

1480

1481static const char *

1483{

1484 const char *errreason;

1485 static char errbuf[36];

1486

1487 if (ecode == 0)

1488 return _("no SSL error reported");

1489 errreason = ERR_reason_error_string(ecode);

1490 if (errreason != NULL)

1491 return errreason;

1492

1493

1494

1495

1496

1497

1498

1499

1500#ifdef ERR_SYSTEM_ERROR

1501 if (ERR_SYSTEM_ERROR(ecode))

1502 return strerror(ERR_GET_REASON(ecode));

1503#endif

1504

1505

1506 snprintf(errbuf, sizeof(errbuf), _("SSL error code %lu"), ecode);

1507 return errbuf;

1508}

1509

1510int

1512{

1513 int bits;

1514

1515 if (port->ssl)

1516 {

1517 SSL_get_cipher_bits(port->ssl, &bits);

1518 return bits;

1519 }

1520 else

1521 return 0;

1522}

1523

1524const char *

1526{

1527 if (port->ssl)

1528 return SSL_get_version(port->ssl);

1529 else

1530 return NULL;

1531}

1532

1533const char *

1535{

1536 if (port->ssl)

1537 return SSL_get_cipher(port->ssl);

1538 else

1539 return NULL;

1540}

1541

1542void

1544{

1545 if (port->peer)

1547 else

1548 ptr[0] = '\0';

1549}

1550

1551void

1553{

1554 if (port->peer)

1556 else

1557 ptr[0] = '\0';

1558}

1559

1560void

1562{

1563 if (port->peer)

1564 {

1565 ASN1_INTEGER *serial;

1566 BIGNUM *b;

1568

1569 serial = X509_get_serialNumber(port->peer);

1570 b = ASN1_INTEGER_to_BN(serial, NULL);

1572

1573 BN_free(b);

1576 }

1577 else

1578 ptr[0] = '\0';

1579}

1580

1581char *

1583{

1584 X509 *server_cert;

1585 char *cert_hash;

1586 const EVP_MD *algo_type = NULL;

1587 unsigned char hash[EVP_MAX_MD_SIZE];

1588 unsigned int hash_size;

1589 int algo_nid;

1590

1591 *len = 0;

1592 server_cert = SSL_get_certificate(port->ssl);

1593 if (server_cert == NULL)

1594 return NULL;

1595

1596

1597

1598

1599

1600

1601#if HAVE_X509_GET_SIGNATURE_INFO

1602 if (!X509_get_signature_info(server_cert, &algo_nid, NULL, NULL, NULL))

1603#else

1604 if (!OBJ_find_sigid_algs(X509_get_signature_nid(server_cert),

1605 &algo_nid, NULL))

1606#endif

1607 elog(ERROR, "could not determine server certificate signature algorithm");

1608

1609

1610

1611

1612

1613

1614

1615 switch (algo_nid)

1616 {

1617 case NID_md5:

1618 case NID_sha1:

1619 algo_type = EVP_sha256();

1620 break;

1621 default:

1622 algo_type = EVP_get_digestbynid(algo_nid);

1623 if (algo_type == NULL)

1624 elog(ERROR, "could not find digest for NID %s",

1625 OBJ_nid2sn(algo_nid));

1626 break;

1627 }

1628

1629

1630 if (!X509_digest(server_cert, algo_type, hash, &hash_size))

1631 elog(ERROR, "could not generate server certificate hash");

1632

1633 cert_hash = palloc(hash_size);

1634 memcpy(cert_hash, hash, hash_size);

1635 *len = hash_size;

1636

1637 return cert_hash;

1638}

1639

1640

1641

1642

1643

1644static char *

1646{

1647 BIO *membuf = BIO_new(BIO_s_mem());

1648 int i,

1649 nid,

1650 count = X509_NAME_entry_count(name);

1651 X509_NAME_ENTRY *e;

1652 ASN1_STRING *v;

1653 const char *field_name;

1654 size_t size;

1655 char nullterm;

1656 char *sp;

1657 char *dp;

1658 char *result;

1659

1660 if (membuf == NULL)

1662 (errcode(ERRCODE_OUT_OF_MEMORY),

1663 errmsg("could not create BIO")));

1664

1665 (void) BIO_set_close(membuf, BIO_CLOSE);

1666 for (i = 0; i < count; i++)

1667 {

1668 e = X509_NAME_get_entry(name, i);

1669 nid = OBJ_obj2nid(X509_NAME_ENTRY_get_object(e));

1670 if (nid == NID_undef)

1672 (errcode(ERRCODE_INVALID_PARAMETER_VALUE),

1673 errmsg("could not get NID for ASN1_OBJECT object")));

1674 v = X509_NAME_ENTRY_get_data(e);

1675 field_name = OBJ_nid2sn(nid);

1676 if (field_name == NULL)

1677 field_name = OBJ_nid2ln(nid);

1678 if (field_name == NULL)

1680 (errcode(ERRCODE_INVALID_PARAMETER_VALUE),

1681 errmsg("could not convert NID %d to an ASN1_OBJECT structure", nid)));

1682 BIO_printf(membuf, "/%s=", field_name);

1683 ASN1_STRING_print_ex(membuf, v,

1684 ((ASN1_STRFLGS_RFC2253 & ~ASN1_STRFLGS_ESC_MSB)

1685 | ASN1_STRFLGS_UTF8_CONVERT));

1686 }

1687

1688

1689 nullterm = '\0';

1690 BIO_write(membuf, &nullterm, 1);

1691 size = BIO_get_mem_data(membuf, &sp);

1693

1695 if (dp != sp)

1697 if (BIO_free(membuf) != 1)

1698 elog(ERROR, "could not free OpenSSL BIO structure");

1699

1700 return result;

1701}

1702

1703

1704

1705

1706

1707

1708

1709

1710

1711

1712

1713

1714

1715

1716

1717static int

1719{

1720 switch (v)

1721 {

1723 return 0;

1725 return TLS1_VERSION;

1727#ifdef TLS1_1_VERSION

1728 return TLS1_1_VERSION;

1729#else

1730 break;

1731#endif

1733#ifdef TLS1_2_VERSION

1734 return TLS1_2_VERSION;

1735#else

1736 break;

1737#endif

1739#ifdef TLS1_3_VERSION

1740 return TLS1_3_VERSION;

1741#else

1742 break;

1743#endif

1744 }

1745

1746 return -1;

1747}

1748

1749

1750

1751

1752static const char *

1754{

1755 switch (v)

1756 {

1758 return "any";

1760 return "TLSv1";

1762 return "TLSv1.1";

1764 return "TLSv1.2";

1766 return "TLSv1.3";

1767 }

1768

1769 return "(unrecognized)";

1770}

1771

1772

1773static void

1775{

1776 if (isServerStart)

1777 {

1780 }

1781 else

1782 {

1785 else

1786

1787

1788

1789

1790

1791

1792

1794 }

1795}

bool check_ssl_key_file_permissions(const char *ssl_key_file, bool isServerStart)

int run_ssl_passphrase_command(const char *prompt, bool is_server_start, char *buf, int size)

const char * be_tls_get_version(Port *port)

static const char * ssl_protocol_version_to_string(int v)

static const char * cert_errdetail

static void info_cb(const SSL *ssl, int type, int args)

static const char * SSLerrmessage(unsigned long ecode)

ssize_t be_tls_write(Port *port, const void *ptr, size_t len, int *waitfor)

void be_tls_destroy(void)

int be_tls_init(bool isServerStart)

static long port_bio_ctrl(BIO *h, int cmd, long num, void *ptr)

openssl_tls_init_hook_typ openssl_tls_init_hook

int be_tls_get_cipher_bits(Port *port)

int be_tls_open_server(Port *port)

char * be_tls_get_certificate_hash(Port *port, size_t *len)

static int alpn_cb(SSL *ssl, const unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, void *userdata)

const char * be_tls_get_cipher(Port *port)

static const char * SSLerrmessageExt(unsigned long ecode, const char *replacement)

static DH * load_dh_buffer(const char *buffer, size_t len)

static int dummy_ssl_passwd_cb(char *buf, int size, int rwflag, void *userdata)

static void default_openssl_tls_init(SSL_CTX *context, bool isServerStart)

static int ssl_set_port_bio(Port *port)

void be_tls_get_peer_serial(Port *port, char *ptr, size_t len)

static int ssl_protocol_version_to_openssl(int v)

static bool initialize_dh(SSL_CTX *context, bool isServerStart)

void be_tls_close(Port *port)

void be_tls_get_peer_issuer_name(Port *port, char *ptr, size_t len)

ssize_t be_tls_read(Port *port, void *ptr, size_t len, int *waitfor)

static char * X509_NAME_to_cstring(X509_NAME *name)

static BIO_METHOD * port_bio_method(void)

static int ssl_external_passwd_cb(char *buf, int size, int rwflag, void *userdata)

static char * prepare_cert_name(char *name)

static SSL_CTX * SSL_context

static bool ssl_is_server_start

static int verify_cb(int ok, X509_STORE_CTX *ctx)

static BIO_METHOD * port_bio_method_ptr

static bool initialize_ecdh(SSL_CTX *context, bool isServerStart)

static int port_bio_read(BIO *h, char *buf, int size)

static int port_bio_write(BIO *h, const char *buf, int size)

static bool dummy_ssl_passwd_cb_called

static DH * load_dh_file(char *filename, bool isServerStart)

static const unsigned char alpn_protos[]

void be_tls_get_peer_subject_name(Port *port, char *ptr, size_t len)

char * ssl_dh_params_file

int ssl_min_protocol_version

ssize_t secure_raw_read(Port *port, void *ptr, size_t len)

bool SSLPreferServerCiphers

int ssl_max_protocol_version

char * ssl_passphrase_command

bool ssl_passphrase_command_supports_reload

ssize_t secure_raw_write(Port *port, const void *ptr, size_t len)

int errcode_for_socket_access(void)

int errmsg_internal(const char *fmt,...)

int errdetail_internal(const char *fmt,...)

int errcode_for_file_access(void)

int errdetail(const char *fmt,...)

int errhint(const char *fmt,...)

int errcode(int sqlerrcode)

int errmsg(const char *fmt,...)

#define ereport(elevel,...)

void err(int eval, const char *fmt,...)

FILE * AllocateFile(const char *name, const char *mode)

const char * GetConfigOption(const char *name, bool missing_ok, bool restrict_privileged)

Assert(PointerIsAligned(start, uint64))

int WaitLatchOrSocket(Latch *latch, int wakeEvents, pgsocket sock, long timeout, uint32 wait_event_info)

char * pg_any_to_server(const char *s, int len, int encoding)

void * MemoryContextAlloc(MemoryContext context, Size size)

char * pstrdup(const char *in)

void pfree(void *pointer)

MemoryContext TopMemoryContext

size_t strlcpy(char *dst, const char *src, size_t siz)

#define PG_ALPN_PROTOCOL_VECTOR

static unsigned hash(unsigned *uv, int n)

char * pg_clean_ascii(const char *str, int alloc_flags)

void appendStringInfo(StringInfo str, const char *fmt,...)

void appendStringInfoChar(StringInfo str, char ch)

void initStringInfo(StringInfo str)

#define WL_SOCKET_READABLE

#define WL_EXIT_ON_PM_DEATH

#define WL_SOCKET_WRITEABLE