PostgreSQL Source Code: src/interfaces/libpq/fe-secure-openssl.c Source File (original) (raw)

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

24

25#include <signal.h>

26#include <fcntl.h>

27#include <ctype.h>

28

33

34#ifdef WIN32

35#include "win32.h"

36#else

43#endif

44

45#include <sys/stat.h>

46

47#ifdef WIN32

49#else

50#include <pthread.h>

51#endif

52

53

54

55

56

57

58

60#include <openssl/ssl.h>

61#include <openssl/conf.h>

62#ifdef USE_SSL_ENGINE

63#include <openssl/engine.h>

64#endif

65#include <openssl/x509v3.h>

66

67

68static int verify_cb(int ok, X509_STORE_CTX *ctx);

70 ASN1_STRING *name_entry,

71 char **store_name);

73 ASN1_OCTET_STRING *addr_entry,

74 char **store_name);

79static int PQssl_passwd_cb(char *buf, int size, int rwflag, void *userdata);

80

85

87

90

91

92

93

94

97{

98

99 if (conn->ssl == NULL)

100 {

101

102

103

104

106 {

107

110 }

111 }

112

113

115}

116

117ssize_t

119{

120 ssize_t n;

121 int result_errno = 0;

124 unsigned long ecode;

125

126rloop:

127

128

129

130

131

132

133

134

135

136

138 ERR_clear_error();

139 n = SSL_read(conn->ssl, ptr, len);

140 err = SSL_get_error(conn->ssl, n);

141

142

143

144

145

146

147

148

149

150 ecode = (err != SSL_ERROR_NONE || n < 0) ? ERR_get_error() : 0;

151 switch (err)

152 {

153 case SSL_ERROR_NONE:

154 if (n < 0)

155 {

156

158 "SSL_read failed but did not provide error information\n");

159

161 }

162 break;

163 case SSL_ERROR_WANT_READ:

164 n = 0;

165 break;

166 case SSL_ERROR_WANT_WRITE:

167

168

169

170

171

172

173

174 goto rloop;

175 case SSL_ERROR_SYSCALL:

177 {

179 if (result_errno == EPIPE ||

182 "\tThis probably means the server terminated abnormally\n"

183 "\tbefore or while processing the request.");

184 else

187 sebuf, sizeof(sebuf)));

188 }

189 else

190 {

192

194 n = -1;

195 }

196 break;

197 case SSL_ERROR_SSL:

198 {

200

203

205 n = -1;

206 break;

207 }

208 case SSL_ERROR_ZERO_RETURN:

209

210

211

212

213

214

217 n = -1;

218 break;

219 default:

221

223 n = -1;

224 break;

225 }

226

227

229

230 return n;

231}

232

233bool

235{

236 return SSL_pending(conn->ssl) > 0;

237}

238

239ssize_t

241{

242 ssize_t n;

243 int result_errno = 0;

246 unsigned long ecode;

247

249 ERR_clear_error();

250 n = SSL_write(conn->ssl, ptr, len);

251 err = SSL_get_error(conn->ssl, n);

252 ecode = (err != SSL_ERROR_NONE || n < 0) ? ERR_get_error() : 0;

253 switch (err)

254 {

255 case SSL_ERROR_NONE:

256 if (n < 0)

257 {

258

260 "SSL_write failed but did not provide error information\n");

261

263 }

264 break;

265 case SSL_ERROR_WANT_READ:

266

267

268

269

270

271 n = 0;

272 break;

273 case SSL_ERROR_WANT_WRITE:

274 n = 0;

275 break;

276 case SSL_ERROR_SYSCALL:

277

278

279

280

281

282

284 {

286 if (result_errno == EPIPE || result_errno == ECONNRESET)

288 "\tThis probably means the server terminated abnormally\n"

289 "\tbefore or while processing the request.");

290 else

293 sebuf, sizeof(sebuf)));

294 }

295 else

296 {

298

300 n = -1;

301 }

302 break;

303 case SSL_ERROR_SSL:

304 {

306

309

311 n = -1;

312 break;

313 }

314 case SSL_ERROR_ZERO_RETURN:

315

316

317

318

319

320

323 n = -1;

324 break;

325 default:

327

329 n = -1;

330 break;

331 }

332

333

335

336 return n;

337}

338

339char *

341{

342 X509 *peer_cert;

343 const EVP_MD *algo_type;

344 unsigned char hash[EVP_MAX_MD_SIZE];

345 unsigned int hash_size;

346 int algo_nid;

347 char *cert_hash;

348

349 *len = 0;

350

351 if (conn->peer)

352 return NULL;

353

354 peer_cert = conn->peer;

355

356

357

358

359

360

361#if HAVE_X509_GET_SIGNATURE_INFO

362 if (!X509_get_signature_info(peer_cert, &algo_nid, NULL, NULL, NULL))

363#else

364 if (!OBJ_find_sigid_algs(X509_get_signature_nid(peer_cert),

365 &algo_nid, NULL))

366#endif

367 {

369 return NULL;

370 }

371

372

373

374

375

376

377

378 switch (algo_nid)

379 {

380 case NID_md5:

381 case NID_sha1:

382 algo_type = EVP_sha256();

383 break;

384 default:

385 algo_type = EVP_get_digestbynid(algo_nid);

386 if (algo_type == NULL)

387 {

389 OBJ_nid2sn(algo_nid));

390 return NULL;

391 }

392 break;

393 }

394

395 if (!X509_digest(peer_cert, algo_type, hash, &hash_size))

396 {

398 return NULL;

399 }

400

401

402 cert_hash = malloc(hash_size);

403 if (cert_hash == NULL)

404 {

406 return NULL;

407 }

408 memcpy(cert_hash, hash, hash_size);

409 *len = hash_size;

410

411 return cert_hash;

412}

413

414

415

416

417

418

419

420

421

422

423

424

425

426

427

428

429static int

431{

432 return ok;

433}

434

435#ifdef HAVE_SSL_CTX_SET_CERT_CB

436

437

438

439

440

441

442

443

444

445static int

446cert_cb(SSL *ssl, void *arg)

447{

449

451

452

453 if (SSL_get_certificate(ssl))

455

456

457

458

459

460 return 1;

461}

462#endif

463

464

465

466

467

468

469static int

471 char **store_name)

472{

474 const unsigned char *namedata;

475

476

477 if (name_entry == NULL)

478 {

480 return -1;

481 }

482

483

484

485

486 namedata = ASN1_STRING_get0_data(name_entry);

487 len = ASN1_STRING_length(name_entry);

488

489

491}

492

493

494

495

496

497

498static int

500 ASN1_OCTET_STRING *addr_entry,

501 char **store_name)

502{

504 const unsigned char *addrdata;

505

506

507 if (addr_entry == NULL)

508 {

510 return -1;

511 }

512

513

514

515

516

517 addrdata = ASN1_STRING_get0_data(addr_entry);

518 len = ASN1_STRING_length(addr_entry);

519

521}

522

523static bool

525{

526 struct in_addr dummy4;

527#ifdef HAVE_INET_PTON

528 struct in6_addr dummy6;

529#endif

530

532#ifdef HAVE_INET_PTON

533 || (inet_pton(AF_INET6, host, &dummy6) == 1)

534#endif

535 ;

536}

537

538

539

540

541

542

543int

545 int *names_examined,

546 char **first_name)

547{

548 STACK_OF(GENERAL_NAME) * peer_san;

549 int i;

550 int rc = 0;

552 int host_type;

553 bool check_cn = true;

554

555 Assert(host && host[0]);

556

557

558

559

560

561

562

563

564

565

566

567

568

569

570

571

572

573

574

575

576

578 host_type = GEN_IPADD;

579 else

580 host_type = GEN_DNS;

581

582

583

584

585

586 peer_san = (STACK_OF(GENERAL_NAME) *)

587 X509_get_ext_d2i(conn->peer, NID_subject_alt_name, NULL, NULL);

588

589 if (peer_san)

590 {

591 int san_len = sk_GENERAL_NAME_num(peer_san);

592

593 for (i = 0; i < san_len; i++)

594 {

595 const GENERAL_NAME *name = sk_GENERAL_NAME_value(peer_san, i);

596 char *alt_name = NULL;

597

598 if (name->type == host_type)

599 {

600

601

602

603

604 check_cn = false;

605 }

606

607 if (name->type == GEN_DNS)

608 {

609 (*names_examined)++;

611 name->d.dNSName,

612 &alt_name);

613 }

614 else if (name->type == GEN_IPADD)

615 {

616 (*names_examined)++;

618 name->d.iPAddress,

619 &alt_name);

620 }

621

622 if (alt_name)

623 {

624 if (!*first_name)

625 *first_name = alt_name;

626 else

627 free(alt_name);

628 }

629

630 if (rc != 0)

631 {

632

633

634

635

636 check_cn = false;

637 break;

638 }

639 }

640 sk_GENERAL_NAME_pop_free(peer_san, GENERAL_NAME_free);

641 }

642

643

644

645

646

647

648

649

650

651 if (check_cn)

652 {

653 X509_NAME *subject_name;

654

655 subject_name = X509_get_subject_name(conn->peer);

656 if (subject_name != NULL)

657 {

658 int cn_index;

659

660 cn_index = X509_NAME_get_index_by_NID(subject_name,

661 NID_commonName, -1);

662 if (cn_index >= 0)

663 {

664 char *common_name = NULL;

665

666 (*names_examined)++;

668 X509_NAME_ENTRY_get_data(X509_NAME_get_entry(subject_name, cn_index)),

669 &common_name);

670

671 if (common_name)

672 {

673 if (!*first_name)

674 *first_name = common_name;

675 else

676 free(common_name);

677 }

678 }

679 }

680 }

681

682 return rc;

683}

684

685

687

688#ifdef HAVE_SSL_CTX_SET_KEYLOG_CALLBACK

689

690

691

692

693

694

695

696

697static void

698SSL_CTX_keylog_cb(const SSL *ssl, const char *line)

699{

700 int fd;

701 mode_t old_umask;

702 ssize_t rc;

703 PGconn *conn = SSL_get_app_data(ssl);

704

705 if (conn == NULL)

706 return;

707

708 old_umask = umask(077);

710 umask(old_umask);

711

712 if (fd == -1)

713 {

716 return;

717 }

718

719

720 rc = write(fd, line, strlen(line));

721 if (rc < 0)

724 else

726 (void) rc;

728}

729#endif

730

731

732

733

734

735

736

737static int

739{

745 bool have_homedir;

746 bool have_cert;

747 bool have_rootcert;

748

749

750

751

752

753

760 else

761 have_homedir = false;

762

763

764

765

766

767

768

769

770 SSL_context = SSL_CTX_new(SSLv23_method());

772 {

774

777 return -1;

778 }

779

780

781

782

783

784

785

786

787

788

789

790

791

794 {

796 SSL_CTX_set_default_passwd_cb_userdata(SSL_context, conn);

797 }

798

799#ifdef HAVE_SSL_CTX_SET_CERT_CB

800

802#endif

803

804

805 SSL_CTX_set_options(SSL_context, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);

806

807

810 {

811 int ssl_min_ver;

812

814

815 if (ssl_min_ver == -1)

816 {

820 return -1;

821 }

822

823 if (!SSL_CTX_set_min_proto_version(SSL_context, ssl_min_ver))

824 {

826

830 return -1;

831 }

832 }

833

836 {

837 int ssl_max_ver;

838

840

841 if (ssl_max_ver == -1)

842 {

846 return -1;

847 }

848

849 if (!SSL_CTX_set_max_proto_version(SSL_context, ssl_max_ver))

850 {

852

856 return -1;

857 }

858 }

859

860

861

862

863

864 SSL_CTX_set_mode(SSL_context, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);

865

866

867

868

869

870

873 else if (have_homedir)

874 snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, ROOT_CERT_FILE);

875 else

876 fnbuf[0] = '\0';

877

878 if (strcmp(fnbuf, "system") == 0)

879 {

880

881

882

883

884

885

886

887 if (SSL_CTX_set_default_verify_paths(SSL_context) != 1)

888 {

890

895 return -1;

896 }

897 have_rootcert = true;

898 }

899 else if (fnbuf[0] != '\0' &&

901 {

902 X509_STORE *cvstore;

903

904 if (SSL_CTX_load_verify_locations(SSL_context, fnbuf, NULL) != 1)

905 {

907

909 fnbuf, err);

912 return -1;

913 }

914

915 if ((cvstore = SSL_CTX_get_cert_store(SSL_context)) != NULL)

916 {

917 char *fname = NULL;

918 char *dname = NULL;

919

924

925

926 if (!fname && !dname && have_homedir)

927 {

928 snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, ROOT_CRL_FILE);

929 fname = fnbuf;

930 }

931

932

933 if ((fname || dname) &&

934 X509_STORE_load_locations(cvstore, fname, dname) == 1)

935 {

936 X509_STORE_set_flags(cvstore,

937 X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);

938 }

939

940

941 ERR_clear_error();

942 }

943 have_rootcert = true;

944 }

945 else

946 {

947

948

949

950

951

952 if (conn->sslmode[0] == 'v')

953 {

954

955

956

957

958

959 if (fnbuf[0] == '\0')

961 "Either provide the file, use the system's trusted roots with sslrootcert=system, or change sslmode to disable server certificate verification.");

962 else

964 "Either provide the file, use the system's trusted roots with sslrootcert=system, or change sslmode to disable server certificate verification.", fnbuf);

966 return -1;

967 }

968 have_rootcert = false;

969 }

970

971

974 else if (have_homedir)

975 snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, USER_CERT_FILE);

976 else

977 fnbuf[0] = '\0';

978

980 {

981

982 have_cert = false;

983 }

984 else if (fnbuf[0] == '\0')

985 {

986

987 have_cert = false;

988 }

989 else if (stat(fnbuf, &buf) != 0)

990 {

991

992

993

994

995

996 if (errno != ENOENT && errno != ENOTDIR)

997 {

999 fnbuf, strerror_r(errno, sebuf, sizeof(sebuf)));

1001 return -1;

1002 }

1003 have_cert = false;

1004 }

1005 else

1006 {

1007

1008

1009

1010

1011

1012 if (SSL_CTX_use_certificate_chain_file(SSL_context, fnbuf) != 1)

1013 {

1015

1017 fnbuf, err);

1020 return -1;

1021 }

1022

1023

1024 have_cert = true;

1025 }

1026

1027

1028

1029

1030

1031

1032

1033

1035 !SSL_set_app_data(conn->ssl, conn) ||

1037 {

1039

1043 return -1;

1044 }

1046

1048 {

1049#ifdef HAVE_SSL_CTX_SET_KEYLOG_CALLBACK

1050 SSL_CTX_set_keylog_callback(SSL_context, SSL_CTX_keylog_cb);

1051#else

1052#ifdef LIBRESSL_VERSION_NUMBER

1053 fprintf(stderr, libpq_gettext("WARNING: sslkeylogfile support requires OpenSSL\n"));

1054#else

1055 fprintf(stderr, libpq_gettext("WARNING: libpq was not built with sslkeylogfile support\n"));

1056#endif

1057#endif

1058 }

1059

1060

1061

1062

1063

1064

1065

1068

1069

1070

1071

1072

1073

1075 {

1077

1078 if (host && host[0] &&

1079 !(strspn(host, "0123456789.") == strlen(host) ||

1080 strchr(host, ':')))

1081 {

1082 if (SSL_set_tlsext_host_name(conn->ssl, host) != 1)

1083 {

1085

1088 return -1;

1089 }

1090 }

1091 }

1092

1093

1094 {

1095 int retval;

1096

1098

1099 if (retval != 0)

1100 {

1102

1105 return -1;

1106 }

1107 }

1108

1109

1110

1111

1112

1113

1114

1116 {

1117#ifdef USE_SSL_ENGINE

1119#ifdef WIN32

1121#endif

1122 )

1123 {

1124

1125 char *engine_str = strdup(conn->sslkey);

1126 char *engine_colon;

1127 EVP_PKEY *pkey;

1128

1129 if (engine_str == NULL)

1130 {

1132 return -1;

1133 }

1134

1135

1136 engine_colon = strchr(engine_str, ':');

1137

1138 *engine_colon = '\0';

1139 engine_colon++;

1140

1141 conn->engine = ENGINE_by_id(engine_str);

1142 if (conn->engine == NULL)

1143 {

1145

1147 engine_str, err);

1149 free(engine_str);

1150 return -1;

1151 }

1152

1153 if (ENGINE_init(conn->engine) == 0)

1154 {

1156

1158 engine_str, err);

1160 ENGINE_free(conn->engine);

1161 conn->engine = NULL;

1162 free(engine_str);

1163 return -1;

1164 }

1165

1166 pkey = ENGINE_load_private_key(conn->engine, engine_colon,

1167 NULL, NULL);

1168 if (pkey == NULL)

1169 {

1171

1173 engine_colon, engine_str, err);

1175 ENGINE_finish(conn->engine);

1176 ENGINE_free(conn->engine);

1177 conn->engine = NULL;

1178 free(engine_str);

1179 return -1;

1180 }

1181 if (SSL_use_PrivateKey(conn->ssl, pkey) != 1)

1182 {

1184

1186 engine_colon, engine_str, err);

1188 ENGINE_finish(conn->engine);

1189 ENGINE_free(conn->engine);

1190 conn->engine = NULL;

1191 free(engine_str);

1192 return -1;

1193 }

1194

1195 free(engine_str);

1196

1197 fnbuf[0] = '\0';

1198

1199 }

1200 else

1201#endif

1202 {

1203

1205 }

1206 }

1207 else if (have_homedir)

1208 {

1209

1210 snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, USER_KEY_FILE);

1211 }

1212 else

1213 fnbuf[0] = '\0';

1214

1215 if (have_cert && fnbuf[0] != '\0')

1216 {

1217

1218

1219 if (stat(fnbuf, &buf) != 0)

1220 {

1221 if (errno == ENOENT)

1223 fnbuf);

1224 else

1226 fnbuf);

1227 return -1;

1228 }

1229

1230

1232 {

1234 fnbuf);

1235 return -1;

1236 }

1237

1238

1239

1240

1241

1242

1243

1244

1245

1246

1247

1248

1249

1250

1251

1252

1253

1254

1255

1256

1257

1258

1259

1260#if !defined(WIN32) && !defined(__CYGWIN__)

1261 if (buf.st_uid == 0 ?

1264 {

1266 "private key file \"%s\" has group or world access; file must have permissions u=rw (0600) or less if owned by the current user, or permissions u=rw,g=r (0640) or less if owned by root",

1267 fnbuf);

1268 return -1;

1269 }

1270#endif

1271

1272 if (SSL_use_PrivateKey_file(conn->ssl, fnbuf, SSL_FILETYPE_PEM) != 1)

1273 {

1275

1276

1277

1278

1279

1280

1281

1282

1283

1284

1285

1286

1287

1288 if (SSL_use_PrivateKey_file(conn->ssl, fnbuf, SSL_FILETYPE_ASN1) != 1)

1289 {

1291 fnbuf, err);

1293 return -1;

1294 }

1295

1297 }

1298 }

1299

1300

1301 if (have_cert &&

1302 SSL_check_private_key(conn->ssl) != 1)

1303 {

1305

1307 fnbuf, err);

1309 return -1;

1310 }

1311

1312

1313

1314

1315

1316 if (have_rootcert)

1317 SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, verify_cb);

1318

1319

1320

1321

1323 SSL_set_options(conn->ssl, SSL_OP_NO_COMPRESSION);

1324 else

1325 SSL_clear_options(conn->ssl, SSL_OP_NO_COMPRESSION);

1326

1327 return 0;

1328}

1329

1330

1331

1332

1335{

1336 int r;

1337

1339 ERR_clear_error();

1340 r = SSL_connect(conn->ssl);

1341 if (r <= 0)

1342 {

1344 int err = SSL_get_error(conn->ssl, r);

1345 unsigned long ecode;

1346

1347 ecode = ERR_get_error();

1348 switch (err)

1349 {

1350 case SSL_ERROR_WANT_READ:

1352

1353 case SSL_ERROR_WANT_WRITE:

1355

1356 case SSL_ERROR_SYSCALL:

1357 {

1359 unsigned long vcode;

1360

1361 vcode = SSL_get_verify_result(conn->ssl);

1362

1363

1364

1365

1366

1367

1368

1369

1370

1371

1372 if (save_errno == 0 &&

1373 vcode == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY &&

1376 X509_verify_cert_error_string(vcode));

1377 else if (r == -1 && save_errno != 0)

1379 SOCK_STRERROR(save_errno, sebuf, sizeof(sebuf)));

1380 else

1384 }

1385 case SSL_ERROR_SSL:

1386 {

1388

1391 switch (ERR_GET_REASON(ecode))

1392 {

1393

1394

1395

1396

1397

1398

1399

1400

1401

1402

1403

1404

1405

1406

1407 case SSL_R_NO_PROTOCOLS_AVAILABLE:

1408 case SSL_R_UNSUPPORTED_PROTOCOL:

1409 case SSL_R_BAD_PROTOCOL_VERSION_NUMBER:

1410 case SSL_R_UNKNOWN_PROTOCOL:

1411 case SSL_R_UNKNOWN_SSL_VERSION:

1412 case SSL_R_UNSUPPORTED_SSL_VERSION:

1413 case SSL_R_WRONG_SSL_VERSION:

1414 case SSL_R_WRONG_VERSION_NUMBER:

1415 case SSL_R_TLSV1_ALERT_PROTOCOL_VERSION:

1416#ifdef SSL_R_VERSION_TOO_HIGH

1417 case SSL_R_VERSION_TOO_HIGH:

1418 case SSL_R_VERSION_TOO_LOW:

1419#endif

1420 libpq_append_conn_error(conn, "This may indicate that the server does not support any SSL protocol version between %s and %s.",

1423 MIN_OPENSSL_TLS_VERSION,

1426 MAX_OPENSSL_TLS_VERSION);

1427 break;

1428 default:

1429 break;

1430 }

1433 }

1434

1435 default:

1439 }

1440 }

1441

1442

1444 {

1445 const unsigned char *selected;

1446 unsigned int len;

1447

1448 SSL_get0_alpn_selected(conn->ssl, &selected, &len);

1449

1450 if (selected == NULL)

1451 {

1452 libpq_append_conn_error(conn, "direct SSL connection was established without ALPN protocol negotiation extension");

1455 }

1456

1457

1458

1459

1460

1463 {

1467 }

1468 }

1469

1470

1471

1472

1473

1474

1475

1476 conn->peer = SSL_get_peer_certificate(conn->ssl);

1477 if (conn->peer == NULL)

1478 {

1480

1485 }

1486

1488 {

1491 }

1492

1493

1495}

1496

1497void

1499{

1501 {

1502 if (conn->ssl)

1503 {

1504

1505

1506

1507

1508

1509

1510 SSL_shutdown(conn->ssl);

1511 SSL_free(conn->ssl);

1512 conn->ssl = NULL;

1515 }

1516

1517 if (conn->peer)

1518 {

1519 X509_free(conn->peer);

1520 conn->peer = NULL;

1521 }

1522

1523#ifdef USE_SSL_ENGINE

1524 if (conn->engine)

1525 {

1526 ENGINE_finish(conn->engine);

1527 ENGINE_free(conn->engine);

1528 conn->engine = NULL;

1529 }

1530#endif

1531 }

1532}

1533

1534

1535

1536

1537

1538

1539

1540

1541

1542

1543

1544

1545static char ssl_nomem[] = "out of memory allocating error description";

1546

1547#define SSL_ERR_LEN 128

1548

1549static char *

1551{

1552 const char *errreason;

1553 char *errbuf;

1554

1556 if (!errbuf)

1558 if (ecode == 0)

1559 {

1561 return errbuf;

1562 }

1563 errreason = ERR_reason_error_string(ecode);

1564 if (errreason != NULL)

1565 {

1567 return errbuf;

1568 }

1569

1570

1571

1572

1573

1574

1575

1576

1577

1578#ifdef SSL_AD_NO_APPLICATION_PROTOCOL

1579 if (ERR_GET_LIB(ecode) == ERR_LIB_SSL &&

1580 ERR_GET_REASON(ecode) == SSL_AD_REASON_OFFSET + SSL_AD_NO_APPLICATION_PROTOCOL)

1581 {

1583 return errbuf;

1584 }

1585#endif

1586

1587

1588

1589

1590

1591

1592

1593

1594#ifdef ERR_SYSTEM_ERROR

1595 if (ERR_SYSTEM_ERROR(ecode))

1596 {

1598 return errbuf;

1599 }

1600#endif

1601

1602

1604 return errbuf;

1605}

1606

1607static void

1609{

1612}

1613

1614

1615

1616

1617

1618

1619

1620

1621void *

1623{

1625 return NULL;

1626 return conn->ssl;

1627}

1628

1629void *

1631{

1633 return NULL;

1634 if (strcmp(struct_name, "OpenSSL") == 0)

1635 return conn->ssl;

1636 return NULL;

1637}

1638

1639const char *const *

1641{

1642 static const char *const openssl_attrs[] = {

1643 "library",

1644 "key_bits",

1645 "cipher",

1646 "compression",

1647 "protocol",

1648 "alpn",

1649 NULL

1650 };

1651 static const char *const empty_attrs[] = {NULL};

1652

1654 {

1655

1656 return openssl_attrs;

1657 }

1658

1659

1660 if (conn->ssl == NULL)

1661 return empty_attrs;

1662

1663 return openssl_attrs;

1664}

1665

1666const char *

1668{

1670 {

1671

1672 if (strcmp(attribute_name, "library") == 0)

1673 return "OpenSSL";

1674 return NULL;

1675 }

1676

1677

1678 if (conn->ssl == NULL)

1679 return NULL;

1680

1681 if (strcmp(attribute_name, "library") == 0)

1682 return "OpenSSL";

1683

1684 if (strcmp(attribute_name, "key_bits") == 0)

1685 {

1686 static char sslbits_str[12];

1687 int sslbits;

1688

1689 SSL_get_cipher_bits(conn->ssl, &sslbits);

1690 snprintf(sslbits_str, sizeof(sslbits_str), "%d", sslbits);

1691 return sslbits_str;

1692 }

1693

1694 if (strcmp(attribute_name, "cipher") == 0)

1695 return SSL_get_cipher(conn->ssl);

1696

1697 if (strcmp(attribute_name, "compression") == 0)

1698 return SSL_get_current_compression(conn->ssl) ? "on" : "off";

1699

1700 if (strcmp(attribute_name, "protocol") == 0)

1701 return SSL_get_version(conn->ssl);

1702

1703 if (strcmp(attribute_name, "alpn") == 0)

1704 {

1705 const unsigned char *data;

1706 unsigned int len;

1707 static char alpn_str[256];

1708

1709

1710 SSL_get0_alpn_selected(conn->ssl, &data, &len);

1711 if (data == NULL || len == 0 || len > sizeof(alpn_str) - 1)

1712 return "";

1713 memcpy(alpn_str, data, len);

1714 alpn_str[len] = 0;

1715 return alpn_str;

1716 }

1717

1718 return NULL;

1719}

1720

1721

1722

1723

1724

1725

1726

1727

1728

1729

1730

1732

1733static int

1735{

1737 int res;

1738

1740 BIO_clear_retry_flags(h);

1742 if (res < 0)

1743 {

1744

1746 {

1747#ifdef EAGAIN

1749#endif

1750#if defined(EWOULDBLOCK) && (!defined(EAGAIN) || (EWOULDBLOCK != EAGAIN))

1752#endif

1754 BIO_set_retry_read(h);

1755 break;

1756

1757 default:

1758 break;

1759 }

1760 }

1761

1762 if (res > 0)

1764

1765 return res;

1766}

1767

1768static int

1770{

1771 int res;

1772

1774 BIO_clear_retry_flags(h);

1775 if (res < 0)

1776 {

1777

1779 {

1780#ifdef EAGAIN

1782#endif

1783#if defined(EWOULDBLOCK) && (!defined(EAGAIN) || (EWOULDBLOCK != EAGAIN))

1785#endif

1787 BIO_set_retry_write(h);

1788 break;

1789

1790 default:

1791 break;

1792 }

1793 }

1794

1795 return res;

1796}

1797

1798static long

1800{

1801 long res;

1803

1804 switch (cmd)

1805 {

1806 case BIO_CTRL_EOF:

1807

1808

1809

1810

1811

1812

1813

1815 break;

1816 case BIO_CTRL_FLUSH:

1817

1818 res = 1;

1819 break;

1820 default:

1821 res = 0;

1822 break;

1823 }

1824

1825 return res;

1826}

1827

1828static BIO_METHOD *

1830{

1831 BIO_METHOD *res;

1832

1834 return NULL;

1835

1837

1839 {

1840 int my_bio_index;

1841

1842 my_bio_index = BIO_get_new_index();

1843 if (my_bio_index == -1)

1844 goto err;

1845 my_bio_index |= BIO_TYPE_SOURCE_SINK;

1846 res = BIO_meth_new(my_bio_index, "libpq socket");

1847 if (!res)

1848 goto err;

1849

1850

1851

1852

1853

1857 {

1858 goto err;

1859 }

1860 }

1861

1864 return res;

1865

1867 if (res)

1868 BIO_meth_free(res);

1870 return NULL;

1871}

1872

1873static int

1875{

1876 BIO *bio;

1877 BIO_METHOD *bio_method;

1878

1880 if (bio_method == NULL)

1881 return 0;

1882

1883 bio = BIO_new(bio_method);

1884 if (bio == NULL)

1885 return 0;

1886

1887 BIO_set_data(bio, conn);

1888 BIO_set_init(bio, 1);

1889

1890 SSL_set_bio(conn->ssl, bio, bio);

1891 return 1;

1892}

1893

1894

1895

1896

1897

1898

1899int

1901{

1903 {

1907 buf[size - 1] = '\0';

1908 return strlen(buf);

1909 }

1910 else

1911 {

1912 buf[0] = '\0';

1913 return 0;

1914 }

1915}

1916

1919{

1921}

1922

1923void

1925{

1927}

1928

1929

1930

1931

1932

1933

1934static int

1936{

1938

1941 else

1943}

1944

1945

1946

1947

1948

1949

1950

1951

1952

1953

1954

1955static int

1957{

1959 return TLS1_VERSION;

1960

1961#ifdef TLS1_1_VERSION

1963 return TLS1_1_VERSION;

1964#endif

1965

1966#ifdef TLS1_2_VERSION

1968 return TLS1_2_VERSION;

1969#endif

1970

1971#ifdef TLS1_3_VERSION

1973 return TLS1_3_VERSION;

1974#endif

1975

1976 return -1;

1977}

static SSL_CTX * SSL_context

#define fprintf(file, fmt, msg)

void err(int eval, const char *fmt,...)

bool pqGetHomeDirectory(char *buf, int bufsize)

int pq_verify_peer_name_matches_certificate_name(PGconn *conn, const char *namedata, size_t namelen, char **store_name)

int pq_verify_peer_name_matches_certificate_ip(PGconn *conn, const unsigned char *ipdata, size_t iplen, char **store_name)

bool pq_verify_peer_name_matches_certificate(PGconn *conn)

static BIO_METHOD * pgconn_bio_method_ptr

static int ssl_protocol_version_to_openssl(const char *protocol)

void * PQgetssl(PGconn *conn)

static void SSLerrfree(char *buf)

PQsslKeyPassHook_OpenSSL_type PQgetSSLKeyPassHook_OpenSSL(void)

void * PQsslStruct(PGconn *conn, const char *struct_name)

int pgtls_verify_peer_name_matches_certificate_guts(PGconn *conn, int *names_examined, char **first_name)

PostgresPollingStatusType pgtls_open_client(PGconn *conn)

bool pgtls_read_pending(PGconn *conn)

int PQdefaultSSLKeyPassHook_OpenSSL(char *buf, int size, PGconn *conn)

static int pgconn_bio_read(BIO *h, char *buf, int size)

static int openssl_verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry, char **store_name)

ssize_t pgtls_read(PGconn *conn, void *ptr, size_t len)

static long pgconn_bio_ctrl(BIO *h, int cmd, long num, void *ptr)

static int pgconn_bio_write(BIO *h, const char *buf, int size)

ssize_t pgtls_write(PGconn *conn, const void *ptr, size_t len)

static PQsslKeyPassHook_OpenSSL_type PQsslKeyPassHook

char * pgtls_get_peer_certificate_hash(PGconn *conn, size_t *len)

const char * PQsslAttribute(PGconn *conn, const char *attribute_name)

static int initialize_SSL(PGconn *conn)

static pthread_mutex_t ssl_config_mutex

static int verify_cb(int ok, X509_STORE_CTX *ctx)

static int PQssl_passwd_cb(char *buf, int size, int rwflag, void *userdata)

static char * SSLerrmessage(unsigned long ecode)

static int openssl_verify_peer_name_matches_certificate_ip(PGconn *conn, ASN1_OCTET_STRING *addr_entry, char **store_name)

static PostgresPollingStatusType open_client_SSL(PGconn *conn)

static unsigned char alpn_protos[]

static int ssl_set_pgconn_bio(PGconn *conn)

void pgtls_close(PGconn *conn)

const char *const * PQsslAttributeNames(PGconn *conn)

void PQsetSSLKeyPassHook_OpenSSL(PQsslKeyPassHook_OpenSSL_type hook)

static BIO_METHOD * pgconn_bio_method(void)

static bool is_ip_address(const char *host)

ssize_t pqsecure_raw_read(PGconn *conn, void *ptr, size_t len)

ssize_t pqsecure_raw_write(PGconn *conn, const void *ptr, size_t len)

Assert(PointerIsAligned(start, uint64))

int(* PQsslKeyPassHook_OpenSSL_type)(char *buf, int size, PGconn *conn)

PostgresPollingStatusType

#define SOCK_ERRNO_SET(e)

void libpq_append_conn_error(PGconn *conn, const char *fmt,...)

#define PG_STRERROR_R_BUFLEN

int pg_strcasecmp(const char *s1, const char *s2)

int inet_aton(const char *cp, struct in_addr *addr)

char * pg_strerror(int errnum)

size_t strlcpy(char *dst, const char *src, size_t siz)

#define PG_ALPN_PROTOCOL_VECTOR

void appendPQExpBufferStr(PQExpBuffer str, const char *data)

static int fd(const char *x, int i)

int pthread_mutex_unlock(pthread_mutex_t *mp)

int pthread_mutex_lock(pthread_mutex_t *mp)

#define PTHREAD_MUTEX_INITIALIZER

static unsigned hash(unsigned *uv, int n)

char * ssl_max_protocol_version

char * ssl_min_protocol_version

PQExpBufferData errorMessage

bool ssl_handshake_started