PostgreSQL Source Code: src/interfaces/libpq/fe-secure-openssl.c Source File (original) (raw)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
24
25#include <signal.h>
26#include <fcntl.h>
27#include <ctype.h>
28
33
34#ifdef WIN32
35#include "win32.h"
36#else
43#endif
44
45#include <sys/stat.h>
46
47#ifdef WIN32
49#else
50#include <pthread.h>
51#endif
52
53
54
55
56
57
58
60#include <openssl/ssl.h>
61#include <openssl/conf.h>
62#ifdef USE_SSL_ENGINE
63#include <openssl/engine.h>
64#endif
65#include <openssl/x509v3.h>
66
67
68static int verify_cb(int ok, X509_STORE_CTX *ctx);
70 ASN1_STRING *name_entry,
71 char **store_name);
73 ASN1_OCTET_STRING *addr_entry,
74 char **store_name);
79static int PQssl_passwd_cb(char *buf, int size, int rwflag, void *userdata);
80
85
87
90
91
92
93
94
97{
98
99 if (conn->ssl == NULL)
100 {
101
102
103
104
106 {
107
110 }
111 }
112
113
115}
116
117ssize_t
119{
120 ssize_t n;
121 int result_errno = 0;
124 unsigned long ecode;
125
126rloop:
127
128
129
130
131
132
133
134
135
136
138 ERR_clear_error();
139 n = SSL_read(conn->ssl, ptr, len);
140 err = SSL_get_error(conn->ssl, n);
141
142
143
144
145
146
147
148
149
150 ecode = (err != SSL_ERROR_NONE || n < 0) ? ERR_get_error() : 0;
151 switch (err)
152 {
153 case SSL_ERROR_NONE:
154 if (n < 0)
155 {
156
158 "SSL_read failed but did not provide error information\n");
159
161 }
162 break;
163 case SSL_ERROR_WANT_READ:
164 n = 0;
165 break;
166 case SSL_ERROR_WANT_WRITE:
167
168
169
170
171
172
173
174 goto rloop;
175 case SSL_ERROR_SYSCALL:
177 {
179 if (result_errno == EPIPE ||
182 "\tThis probably means the server terminated abnormally\n"
183 "\tbefore or while processing the request.");
184 else
187 sebuf, sizeof(sebuf)));
188 }
189 else
190 {
192
194 n = -1;
195 }
196 break;
197 case SSL_ERROR_SSL:
198 {
200
203
205 n = -1;
206 break;
207 }
208 case SSL_ERROR_ZERO_RETURN:
209
210
211
212
213
214
217 n = -1;
218 break;
219 default:
221
223 n = -1;
224 break;
225 }
226
227
229
230 return n;
231}
232
233bool
235{
236 return SSL_pending(conn->ssl) > 0;
237}
238
239ssize_t
241{
242 ssize_t n;
243 int result_errno = 0;
246 unsigned long ecode;
247
249 ERR_clear_error();
250 n = SSL_write(conn->ssl, ptr, len);
251 err = SSL_get_error(conn->ssl, n);
252 ecode = (err != SSL_ERROR_NONE || n < 0) ? ERR_get_error() : 0;
253 switch (err)
254 {
255 case SSL_ERROR_NONE:
256 if (n < 0)
257 {
258
260 "SSL_write failed but did not provide error information\n");
261
263 }
264 break;
265 case SSL_ERROR_WANT_READ:
266
267
268
269
270
271 n = 0;
272 break;
273 case SSL_ERROR_WANT_WRITE:
274 n = 0;
275 break;
276 case SSL_ERROR_SYSCALL:
277
278
279
280
281
282
284 {
286 if (result_errno == EPIPE || result_errno == ECONNRESET)
288 "\tThis probably means the server terminated abnormally\n"
289 "\tbefore or while processing the request.");
290 else
293 sebuf, sizeof(sebuf)));
294 }
295 else
296 {
298
300 n = -1;
301 }
302 break;
303 case SSL_ERROR_SSL:
304 {
306
309
311 n = -1;
312 break;
313 }
314 case SSL_ERROR_ZERO_RETURN:
315
316
317
318
319
320
323 n = -1;
324 break;
325 default:
327
329 n = -1;
330 break;
331 }
332
333
335
336 return n;
337}
338
339char *
341{
342 X509 *peer_cert;
343 const EVP_MD *algo_type;
344 unsigned char hash[EVP_MAX_MD_SIZE];
345 unsigned int hash_size;
346 int algo_nid;
347 char *cert_hash;
348
349 *len = 0;
350
351 if (->peer)
352 return NULL;
353
354 peer_cert = conn->peer;
355
356
357
358
359
360
361#if HAVE_X509_GET_SIGNATURE_INFO
362 if (!X509_get_signature_info(peer_cert, &algo_nid, NULL, NULL, NULL))
363#else
364 if (!OBJ_find_sigid_algs(X509_get_signature_nid(peer_cert),
365 &algo_nid, NULL))
366#endif
367 {
369 return NULL;
370 }
371
372
373
374
375
376
377
378 switch (algo_nid)
379 {
380 case NID_md5:
381 case NID_sha1:
382 algo_type = EVP_sha256();
383 break;
384 default:
385 algo_type = EVP_get_digestbynid(algo_nid);
386 if (algo_type == NULL)
387 {
389 OBJ_nid2sn(algo_nid));
390 return NULL;
391 }
392 break;
393 }
394
395 if (!X509_digest(peer_cert, algo_type, hash, &hash_size))
396 {
398 return NULL;
399 }
400
401
402 cert_hash = malloc(hash_size);
403 if (cert_hash == NULL)
404 {
406 return NULL;
407 }
408 memcpy(cert_hash, hash, hash_size);
409 *len = hash_size;
410
411 return cert_hash;
412}
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429static int
431{
432 return ok;
433}
434
435#ifdef HAVE_SSL_CTX_SET_CERT_CB
436
437
438
439
440
441
442
443
444
445static int
446cert_cb(SSL *ssl, void *arg)
447{
449
451
452
453 if (SSL_get_certificate(ssl))
455
456
457
458
459
460 return 1;
461}
462#endif
463
464
465
466
467
468
469static int
471 char **store_name)
472{
474 const unsigned char *namedata;
475
476
477 if (name_entry == NULL)
478 {
480 return -1;
481 }
482
483
484
485
486 namedata = ASN1_STRING_get0_data(name_entry);
487 len = ASN1_STRING_length(name_entry);
488
489
491}
492
493
494
495
496
497
498static int
500 ASN1_OCTET_STRING *addr_entry,
501 char **store_name)
502{
504 const unsigned char *addrdata;
505
506
507 if (addr_entry == NULL)
508 {
510 return -1;
511 }
512
513
514
515
516
517 addrdata = ASN1_STRING_get0_data(addr_entry);
518 len = ASN1_STRING_length(addr_entry);
519
521}
522
523static bool
525{
526 struct in_addr dummy4;
527#ifdef HAVE_INET_PTON
528 struct in6_addr dummy6;
529#endif
530
532#ifdef HAVE_INET_PTON
533 || (inet_pton(AF_INET6, host, &dummy6) == 1)
534#endif
535 ;
536}
537
538
539
540
541
542
543int
545 int *names_examined,
546 char **first_name)
547{
548 STACK_OF(GENERAL_NAME) * peer_san;
549 int i;
550 int rc = 0;
552 int host_type;
553 bool check_cn = true;
554
555 Assert(host && host[0]);
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
578 host_type = GEN_IPADD;
579 else
580 host_type = GEN_DNS;
581
582
583
584
585
586 peer_san = (STACK_OF(GENERAL_NAME) *)
587 X509_get_ext_d2i(conn->peer, NID_subject_alt_name, NULL, NULL);
588
589 if (peer_san)
590 {
591 int san_len = sk_GENERAL_NAME_num(peer_san);
592
593 for (i = 0; i < san_len; i++)
594 {
595 const GENERAL_NAME *name = sk_GENERAL_NAME_value(peer_san, i);
596 char *alt_name = NULL;
597
598 if (name->type == host_type)
599 {
600
601
602
603
604 check_cn = false;
605 }
606
607 if (name->type == GEN_DNS)
608 {
609 (*names_examined)++;
611 name->d.dNSName,
612 &alt_name);
613 }
614 else if (name->type == GEN_IPADD)
615 {
616 (*names_examined)++;
618 name->d.iPAddress,
619 &alt_name);
620 }
621
622 if (alt_name)
623 {
624 if (!*first_name)
625 *first_name = alt_name;
626 else
627 free(alt_name);
628 }
629
630 if (rc != 0)
631 {
632
633
634
635
636 check_cn = false;
637 break;
638 }
639 }
640 sk_GENERAL_NAME_pop_free(peer_san, GENERAL_NAME_free);
641 }
642
643
644
645
646
647
648
649
650
651 if (check_cn)
652 {
653 X509_NAME *subject_name;
654
655 subject_name = X509_get_subject_name(conn->peer);
656 if (subject_name != NULL)
657 {
658 int cn_index;
659
660 cn_index = X509_NAME_get_index_by_NID(subject_name,
661 NID_commonName, -1);
662 if (cn_index >= 0)
663 {
664 char *common_name = NULL;
665
666 (*names_examined)++;
668 X509_NAME_ENTRY_get_data(X509_NAME_get_entry(subject_name, cn_index)),
669 &common_name);
670
671 if (common_name)
672 {
673 if (!*first_name)
674 *first_name = common_name;
675 else
676 free(common_name);
677 }
678 }
679 }
680 }
681
682 return rc;
683}
684
685
687
688#ifdef HAVE_SSL_CTX_SET_KEYLOG_CALLBACK
689
690
691
692
693
694
695
696
697static void
698SSL_CTX_keylog_cb(const SSL *ssl, const char *line)
699{
700 int fd;
701 mode_t old_umask;
702 ssize_t rc;
703 PGconn *conn = SSL_get_app_data(ssl);
704
705 if (conn == NULL)
706 return;
707
708 old_umask = umask(077);
710 umask(old_umask);
711
712 if (fd == -1)
713 {
716 return;
717 }
718
719
720 rc = write(fd, line, strlen(line));
721 if (rc < 0)
724 else
726 (void) rc;
728}
729#endif
730
731
732
733
734
735
736
737static int
739{
745 bool have_homedir;
746 bool have_cert;
747 bool have_rootcert;
748
749
750
751
752
753
760 else
761 have_homedir = false;
762
763
764
765
766
767
768
769
770 SSL_context = SSL_CTX_new(SSLv23_method());
772 {
774
777 return -1;
778 }
779
780
781
782
783
784
785
786
787
788
789
790
791
794 {
796 SSL_CTX_set_default_passwd_cb_userdata(SSL_context, conn);
797 }
798
799#ifdef HAVE_SSL_CTX_SET_CERT_CB
800
802#endif
803
804
805 SSL_CTX_set_options(SSL_context, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
806
807
810 {
811 int ssl_min_ver;
812
814
815 if (ssl_min_ver == -1)
816 {
820 return -1;
821 }
822
823 if (!SSL_CTX_set_min_proto_version(SSL_context, ssl_min_ver))
824 {
826
830 return -1;
831 }
832 }
833
836 {
837 int ssl_max_ver;
838
840
841 if (ssl_max_ver == -1)
842 {
846 return -1;
847 }
848
849 if (!SSL_CTX_set_max_proto_version(SSL_context, ssl_max_ver))
850 {
852
856 return -1;
857 }
858 }
859
860
861
862
863
864 SSL_CTX_set_mode(SSL_context, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
865
866
867
868
869
870
873 else if (have_homedir)
874 snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, ROOT_CERT_FILE);
875 else
876 fnbuf[0] = '\0';
877
878 if (strcmp(fnbuf, "system") == 0)
879 {
880
881
882
883
884
885
886
887 if (SSL_CTX_set_default_verify_paths(SSL_context) != 1)
888 {
890
895 return -1;
896 }
897 have_rootcert = true;
898 }
899 else if (fnbuf[0] != '\0' &&
901 {
902 X509_STORE *cvstore;
903
904 if (SSL_CTX_load_verify_locations(SSL_context, fnbuf, NULL) != 1)
905 {
907
909 fnbuf, err);
912 return -1;
913 }
914
915 if ((cvstore = SSL_CTX_get_cert_store(SSL_context)) != NULL)
916 {
917 char *fname = NULL;
918 char *dname = NULL;
919
924
925
926 if (!fname && !dname && have_homedir)
927 {
928 snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, ROOT_CRL_FILE);
929 fname = fnbuf;
930 }
931
932
933 if ((fname || dname) &&
934 X509_STORE_load_locations(cvstore, fname, dname) == 1)
935 {
936 X509_STORE_set_flags(cvstore,
937 X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
938 }
939
940
941 ERR_clear_error();
942 }
943 have_rootcert = true;
944 }
945 else
946 {
947
948
949
950
951
952 if (conn->sslmode[0] == 'v')
953 {
954
955
956
957
958
959 if (fnbuf[0] == '\0')
961 "Either provide the file, use the system's trusted roots with sslrootcert=system, or change sslmode to disable server certificate verification.");
962 else
964 "Either provide the file, use the system's trusted roots with sslrootcert=system, or change sslmode to disable server certificate verification.", fnbuf);
966 return -1;
967 }
968 have_rootcert = false;
969 }
970
971
974 else if (have_homedir)
975 snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, USER_CERT_FILE);
976 else
977 fnbuf[0] = '\0';
978
980 {
981
982 have_cert = false;
983 }
984 else if (fnbuf[0] == '\0')
985 {
986
987 have_cert = false;
988 }
989 else if (stat(fnbuf, &buf) != 0)
990 {
991
992
993
994
995
996 if (errno != ENOENT && errno != ENOTDIR)
997 {
999 fnbuf, strerror_r(errno, sebuf, sizeof(sebuf)));
1001 return -1;
1002 }
1003 have_cert = false;
1004 }
1005 else
1006 {
1007
1008
1009
1010
1011
1012 if (SSL_CTX_use_certificate_chain_file(SSL_context, fnbuf) != 1)
1013 {
1015
1017 fnbuf, err);
1020 return -1;
1021 }
1022
1023
1024 have_cert = true;
1025 }
1026
1027
1028
1029
1030
1031
1032
1033
1035 !SSL_set_app_data(conn->ssl, conn) ||
1037 {
1039
1043 return -1;
1044 }
1046
1048 {
1049#ifdef HAVE_SSL_CTX_SET_KEYLOG_CALLBACK
1050 SSL_CTX_set_keylog_callback(SSL_context, SSL_CTX_keylog_cb);
1051#else
1052#ifdef LIBRESSL_VERSION_NUMBER
1053 fprintf(stderr, libpq_gettext("WARNING: sslkeylogfile support requires OpenSSL\n"));
1054#else
1055 fprintf(stderr, libpq_gettext("WARNING: libpq was not built with sslkeylogfile support\n"));
1056#endif
1057#endif
1058 }
1059
1060
1061
1062
1063
1064
1065
1068
1069
1070
1071
1072
1073
1075 {
1077
1078 if (host && host[0] &&
1079 !(strspn(host, "0123456789.") == strlen(host) ||
1080 strchr(host, ':')))
1081 {
1082 if (SSL_set_tlsext_host_name(conn->ssl, host) != 1)
1083 {
1085
1088 return -1;
1089 }
1090 }
1091 }
1092
1093
1094 {
1095 int retval;
1096
1098
1099 if (retval != 0)
1100 {
1102
1105 return -1;
1106 }
1107 }
1108
1109
1110
1111
1112
1113
1114
1116 {
1117#ifdef USE_SSL_ENGINE
1119#ifdef WIN32
1121#endif
1122 )
1123 {
1124
1125 char *engine_str = strdup(conn->sslkey);
1126 char *engine_colon;
1127 EVP_PKEY *pkey;
1128
1129 if (engine_str == NULL)
1130 {
1132 return -1;
1133 }
1134
1135
1136 engine_colon = strchr(engine_str, ':');
1137
1138 *engine_colon = '\0';
1139 engine_colon++;
1140
1141 conn->engine = ENGINE_by_id(engine_str);
1142 if (conn->engine == NULL)
1143 {
1145
1147 engine_str, err);
1149 free(engine_str);
1150 return -1;
1151 }
1152
1153 if (ENGINE_init(conn->engine) == 0)
1154 {
1156
1158 engine_str, err);
1160 ENGINE_free(conn->engine);
1161 conn->engine = NULL;
1162 free(engine_str);
1163 return -1;
1164 }
1165
1166 pkey = ENGINE_load_private_key(conn->engine, engine_colon,
1167 NULL, NULL);
1168 if (pkey == NULL)
1169 {
1171
1173 engine_colon, engine_str, err);
1175 ENGINE_finish(conn->engine);
1176 ENGINE_free(conn->engine);
1177 conn->engine = NULL;
1178 free(engine_str);
1179 return -1;
1180 }
1181 if (SSL_use_PrivateKey(conn->ssl, pkey) != 1)
1182 {
1184
1186 engine_colon, engine_str, err);
1188 ENGINE_finish(conn->engine);
1189 ENGINE_free(conn->engine);
1190 conn->engine = NULL;
1191 free(engine_str);
1192 return -1;
1193 }
1194
1195 free(engine_str);
1196
1197 fnbuf[0] = '\0';
1198
1199 }
1200 else
1201#endif
1202 {
1203
1205 }
1206 }
1207 else if (have_homedir)
1208 {
1209
1210 snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, USER_KEY_FILE);
1211 }
1212 else
1213 fnbuf[0] = '\0';
1214
1215 if (have_cert && fnbuf[0] != '\0')
1216 {
1217
1218
1219 if (stat(fnbuf, &buf) != 0)
1220 {
1221 if (errno == ENOENT)
1223 fnbuf);
1224 else
1226 fnbuf);
1227 return -1;
1228 }
1229
1230
1232 {
1234 fnbuf);
1235 return -1;
1236 }
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260#if !defined(WIN32) && !defined(__CYGWIN__)
1261 if (buf.st_uid == 0 ?
1264 {
1266 "private key file \"%s\" has group or world access; file must have permissions u=rw (0600) or less if owned by the current user, or permissions u=rw,g=r (0640) or less if owned by root",
1267 fnbuf);
1268 return -1;
1269 }
1270#endif
1271
1272 if (SSL_use_PrivateKey_file(conn->ssl, fnbuf, SSL_FILETYPE_PEM) != 1)
1273 {
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288 if (SSL_use_PrivateKey_file(conn->ssl, fnbuf, SSL_FILETYPE_ASN1) != 1)
1289 {
1291 fnbuf, err);
1293 return -1;
1294 }
1295
1297 }
1298 }
1299
1300
1301 if (have_cert &&
1302 SSL_check_private_key(conn->ssl) != 1)
1303 {
1305
1307 fnbuf, err);
1309 return -1;
1310 }
1311
1312
1313
1314
1315
1316 if (have_rootcert)
1317 SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, verify_cb);
1318
1319
1320
1321
1323 SSL_set_options(conn->ssl, SSL_OP_NO_COMPRESSION);
1324 else
1325 SSL_clear_options(conn->ssl, SSL_OP_NO_COMPRESSION);
1326
1327 return 0;
1328}
1329
1330
1331
1332
1335{
1336 int r;
1337
1339 ERR_clear_error();
1340 r = SSL_connect(conn->ssl);
1341 if (r <= 0)
1342 {
1344 int err = SSL_get_error(conn->ssl, r);
1345 unsigned long ecode;
1346
1347 ecode = ERR_get_error();
1348 switch (err)
1349 {
1350 case SSL_ERROR_WANT_READ:
1352
1353 case SSL_ERROR_WANT_WRITE:
1355
1356 case SSL_ERROR_SYSCALL:
1357 {
1359 unsigned long vcode;
1360
1361 vcode = SSL_get_verify_result(conn->ssl);
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372 if (save_errno == 0 &&
1373 vcode == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY &&
1376 X509_verify_cert_error_string(vcode));
1377 else if (r == -1 && save_errno != 0)
1379 SOCK_STRERROR(save_errno, sebuf, sizeof(sebuf)));
1380 else
1384 }
1385 case SSL_ERROR_SSL:
1386 {
1388
1391 switch (ERR_GET_REASON(ecode))
1392 {
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407 case SSL_R_NO_PROTOCOLS_AVAILABLE:
1408 case SSL_R_UNSUPPORTED_PROTOCOL:
1409 case SSL_R_BAD_PROTOCOL_VERSION_NUMBER:
1410 case SSL_R_UNKNOWN_PROTOCOL:
1411 case SSL_R_UNKNOWN_SSL_VERSION:
1412 case SSL_R_UNSUPPORTED_SSL_VERSION:
1413 case SSL_R_WRONG_SSL_VERSION:
1414 case SSL_R_WRONG_VERSION_NUMBER:
1415 case SSL_R_TLSV1_ALERT_PROTOCOL_VERSION:
1416#ifdef SSL_R_VERSION_TOO_HIGH
1417 case SSL_R_VERSION_TOO_HIGH:
1418 case SSL_R_VERSION_TOO_LOW:
1419#endif
1420 libpq_append_conn_error(conn, "This may indicate that the server does not support any SSL protocol version between %s and %s.",
1423 MIN_OPENSSL_TLS_VERSION,
1426 MAX_OPENSSL_TLS_VERSION);
1427 break;
1428 default:
1429 break;
1430 }
1433 }
1434
1435 default:
1439 }
1440 }
1441
1442
1444 {
1445 const unsigned char *selected;
1446 unsigned int len;
1447
1448 SSL_get0_alpn_selected(conn->ssl, &selected, &len);
1449
1450 if (selected == NULL)
1451 {
1452 libpq_append_conn_error(conn, "direct SSL connection was established without ALPN protocol negotiation extension");
1455 }
1456
1457
1458
1459
1460
1463 {
1467 }
1468 }
1469
1470
1471
1472
1473
1474
1475
1476 conn->peer = SSL_get_peer_certificate(conn->ssl);
1477 if (conn->peer == NULL)
1478 {
1480
1485 }
1486
1488 {
1491 }
1492
1493
1495}
1496
1497void
1499{
1501 {
1502 if (conn->ssl)
1503 {
1504
1505
1506
1507
1508
1509
1510 SSL_shutdown(conn->ssl);
1511 SSL_free(conn->ssl);
1512 conn->ssl = NULL;
1515 }
1516
1517 if (conn->peer)
1518 {
1519 X509_free(conn->peer);
1520 conn->peer = NULL;
1521 }
1522
1523#ifdef USE_SSL_ENGINE
1524 if (conn->engine)
1525 {
1526 ENGINE_finish(conn->engine);
1527 ENGINE_free(conn->engine);
1528 conn->engine = NULL;
1529 }
1530#endif
1531 }
1532}
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545static char ssl_nomem[] = "out of memory allocating error description";
1546
1547#define SSL_ERR_LEN 128
1548
1549static char *
1551{
1552 const char *errreason;
1553 char *errbuf;
1554
1556 if (!errbuf)
1558 if (ecode == 0)
1559 {
1561 return errbuf;
1562 }
1563 errreason = ERR_reason_error_string(ecode);
1564 if (errreason != NULL)
1565 {
1567 return errbuf;
1568 }
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578#ifdef SSL_AD_NO_APPLICATION_PROTOCOL
1579 if (ERR_GET_LIB(ecode) == ERR_LIB_SSL &&
1580 ERR_GET_REASON(ecode) == SSL_AD_REASON_OFFSET + SSL_AD_NO_APPLICATION_PROTOCOL)
1581 {
1583 return errbuf;
1584 }
1585#endif
1586
1587
1588
1589
1590
1591
1592
1593
1594#ifdef ERR_SYSTEM_ERROR
1595 if (ERR_SYSTEM_ERROR(ecode))
1596 {
1598 return errbuf;
1599 }
1600#endif
1601
1602
1604 return errbuf;
1605}
1606
1607static void
1609{
1612}
1613
1614
1615
1616
1617
1618
1619
1620
1621void *
1623{
1625 return NULL;
1626 return conn->ssl;
1627}
1628
1629void *
1631{
1633 return NULL;
1634 if (strcmp(struct_name, "OpenSSL") == 0)
1635 return conn->ssl;
1636 return NULL;
1637}
1638
1639const char *const *
1641{
1642 static const char *const openssl_attrs[] = {
1643 "library",
1644 "key_bits",
1645 "cipher",
1646 "compression",
1647 "protocol",
1648 "alpn",
1649 NULL
1650 };
1651 static const char *const empty_attrs[] = {NULL};
1652
1654 {
1655
1656 return openssl_attrs;
1657 }
1658
1659
1660 if (conn->ssl == NULL)
1661 return empty_attrs;
1662
1663 return openssl_attrs;
1664}
1665
1666const char *
1668{
1670 {
1671
1672 if (strcmp(attribute_name, "library") == 0)
1673 return "OpenSSL";
1674 return NULL;
1675 }
1676
1677
1678 if (conn->ssl == NULL)
1679 return NULL;
1680
1681 if (strcmp(attribute_name, "library") == 0)
1682 return "OpenSSL";
1683
1684 if (strcmp(attribute_name, "key_bits") == 0)
1685 {
1686 static char sslbits_str[12];
1687 int sslbits;
1688
1689 SSL_get_cipher_bits(conn->ssl, &sslbits);
1690 snprintf(sslbits_str, sizeof(sslbits_str), "%d", sslbits);
1691 return sslbits_str;
1692 }
1693
1694 if (strcmp(attribute_name, "cipher") == 0)
1695 return SSL_get_cipher(conn->ssl);
1696
1697 if (strcmp(attribute_name, "compression") == 0)
1698 return SSL_get_current_compression(conn->ssl) ? "on" : "off";
1699
1700 if (strcmp(attribute_name, "protocol") == 0)
1701 return SSL_get_version(conn->ssl);
1702
1703 if (strcmp(attribute_name, "alpn") == 0)
1704 {
1705 const unsigned char *data;
1706 unsigned int len;
1707 static char alpn_str[256];
1708
1709
1710 SSL_get0_alpn_selected(conn->ssl, &data, &len);
1711 if (data == NULL || len == 0 || len > sizeof(alpn_str) - 1)
1712 return "";
1713 memcpy(alpn_str, data, len);
1714 alpn_str[len] = 0;
1715 return alpn_str;
1716 }
1717
1718 return NULL;
1719}
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1732
1733static int
1735{
1737 int res;
1738
1740 BIO_clear_retry_flags(h);
1742 if (res < 0)
1743 {
1744
1746 {
1747#ifdef EAGAIN
1749#endif
1750#if defined(EWOULDBLOCK) && (!defined(EAGAIN) || (EWOULDBLOCK != EAGAIN))
1752#endif
1754 BIO_set_retry_read(h);
1755 break;
1756
1757 default:
1758 break;
1759 }
1760 }
1761
1762 if (res > 0)
1764
1765 return res;
1766}
1767
1768static int
1770{
1771 int res;
1772
1774 BIO_clear_retry_flags(h);
1775 if (res < 0)
1776 {
1777
1779 {
1780#ifdef EAGAIN
1782#endif
1783#if defined(EWOULDBLOCK) && (!defined(EAGAIN) || (EWOULDBLOCK != EAGAIN))
1785#endif
1787 BIO_set_retry_write(h);
1788 break;
1789
1790 default:
1791 break;
1792 }
1793 }
1794
1795 return res;
1796}
1797
1798static long
1800{
1801 long res;
1803
1804 switch (cmd)
1805 {
1806 case BIO_CTRL_EOF:
1807
1808
1809
1810
1811
1812
1813
1815 break;
1816 case BIO_CTRL_FLUSH:
1817
1818 res = 1;
1819 break;
1820 default:
1821 res = 0;
1822 break;
1823 }
1824
1825 return res;
1826}
1827
1828static BIO_METHOD *
1830{
1831 BIO_METHOD *res;
1832
1834 return NULL;
1835
1837
1839 {
1840 int my_bio_index;
1841
1842 my_bio_index = BIO_get_new_index();
1843 if (my_bio_index == -1)
1844 goto err;
1845 my_bio_index |= BIO_TYPE_SOURCE_SINK;
1846 res = BIO_meth_new(my_bio_index, "libpq socket");
1847 if (!res)
1848 goto err;
1849
1850
1851
1852
1853
1857 {
1858 goto err;
1859 }
1860 }
1861
1864 return res;
1865
1867 if (res)
1868 BIO_meth_free(res);
1870 return NULL;
1871}
1872
1873static int
1875{
1876 BIO *bio;
1877 BIO_METHOD *bio_method;
1878
1880 if (bio_method == NULL)
1881 return 0;
1882
1883 bio = BIO_new(bio_method);
1884 if (bio == NULL)
1885 return 0;
1886
1887 BIO_set_data(bio, conn);
1888 BIO_set_init(bio, 1);
1889
1890 SSL_set_bio(conn->ssl, bio, bio);
1891 return 1;
1892}
1893
1894
1895
1896
1897
1898
1899int
1901{
1903 {
1907 buf[size - 1] = '\0';
1908 return strlen(buf);
1909 }
1910 else
1911 {
1912 buf[0] = '\0';
1913 return 0;
1914 }
1915}
1916
1919{
1921}
1922
1923void
1925{
1927}
1928
1929
1930
1931
1932
1933
1934static int
1936{
1938
1941 else
1943}
1944
1945
1946
1947
1948
1949
1950
1951
1952
1953
1954
1955static int
1957{
1959 return TLS1_VERSION;
1960
1961#ifdef TLS1_1_VERSION
1963 return TLS1_1_VERSION;
1964#endif
1965
1966#ifdef TLS1_2_VERSION
1968 return TLS1_2_VERSION;
1969#endif
1970
1971#ifdef TLS1_3_VERSION
1973 return TLS1_3_VERSION;
1974#endif
1975
1976 return -1;
1977}
static SSL_CTX * SSL_context
#define fprintf(file, fmt, msg)
void err(int eval, const char *fmt,...)
bool pqGetHomeDirectory(char *buf, int bufsize)
int pq_verify_peer_name_matches_certificate_name(PGconn *conn, const char *namedata, size_t namelen, char **store_name)
int pq_verify_peer_name_matches_certificate_ip(PGconn *conn, const unsigned char *ipdata, size_t iplen, char **store_name)
bool pq_verify_peer_name_matches_certificate(PGconn *conn)
static BIO_METHOD * pgconn_bio_method_ptr
static int ssl_protocol_version_to_openssl(const char *protocol)
void * PQgetssl(PGconn *conn)
static void SSLerrfree(char *buf)
PQsslKeyPassHook_OpenSSL_type PQgetSSLKeyPassHook_OpenSSL(void)
void * PQsslStruct(PGconn *conn, const char *struct_name)
int pgtls_verify_peer_name_matches_certificate_guts(PGconn *conn, int *names_examined, char **first_name)
PostgresPollingStatusType pgtls_open_client(PGconn *conn)
bool pgtls_read_pending(PGconn *conn)
int PQdefaultSSLKeyPassHook_OpenSSL(char *buf, int size, PGconn *conn)
static int pgconn_bio_read(BIO *h, char *buf, int size)
static int openssl_verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, char **store_name)
ssize_t pgtls_read(PGconn *conn, void *ptr, size_t len)
static long pgconn_bio_ctrl(BIO *h, int cmd, long num, void *ptr)
static int pgconn_bio_write(BIO *h, const char *buf, int size)
ssize_t pgtls_write(PGconn *conn, const void *ptr, size_t len)
static PQsslKeyPassHook_OpenSSL_type PQsslKeyPassHook
char * pgtls_get_peer_certificate_hash(PGconn *conn, size_t *len)
const char * PQsslAttribute(PGconn *conn, const char *attribute_name)
static int initialize_SSL(PGconn *conn)
static pthread_mutex_t ssl_config_mutex
static int verify_cb(int ok, X509_STORE_CTX *ctx)
static int PQssl_passwd_cb(char *buf, int size, int rwflag, void *userdata)
static char * SSLerrmessage(unsigned long ecode)
static int openssl_verify_peer_name_matches_certificate_ip(PGconn *conn, ASN1_OCTET_STRING *addr_entry, char **store_name)
static PostgresPollingStatusType open_client_SSL(PGconn *conn)
static unsigned char alpn_protos[]
static int ssl_set_pgconn_bio(PGconn *conn)
void pgtls_close(PGconn *conn)
const char *const * PQsslAttributeNames(PGconn *conn)
void PQsetSSLKeyPassHook_OpenSSL(PQsslKeyPassHook_OpenSSL_type hook)
static BIO_METHOD * pgconn_bio_method(void)
static bool is_ip_address(const char *host)
ssize_t pqsecure_raw_read(PGconn *conn, void *ptr, size_t len)
ssize_t pqsecure_raw_write(PGconn *conn, const void *ptr, size_t len)
Assert(PointerIsAligned(start, uint64))
int(* PQsslKeyPassHook_OpenSSL_type)(char *buf, int size, PGconn *conn)
PostgresPollingStatusType
#define SOCK_ERRNO_SET(e)
void libpq_append_conn_error(PGconn *conn, const char *fmt,...)
#define PG_STRERROR_R_BUFLEN
int pg_strcasecmp(const char *s1, const char *s2)
int inet_aton(const char *cp, struct in_addr *addr)
char * pg_strerror(int errnum)
size_t strlcpy(char *dst, const char *src, size_t siz)
#define PG_ALPN_PROTOCOL_VECTOR
void appendPQExpBufferStr(PQExpBuffer str, const char *data)
static int fd(const char *x, int i)
int pthread_mutex_unlock(pthread_mutex_t *mp)
int pthread_mutex_lock(pthread_mutex_t *mp)
#define PTHREAD_MUTEX_INITIALIZER
static unsigned hash(unsigned *uv, int n)
char * ssl_max_protocol_version
char * ssl_min_protocol_version
PQExpBufferData errorMessage
bool ssl_handshake_started