search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Clean up Windows-specific mutex code in libpq and ecpglib.
[pgsql.git] / src / interfaces / libpq / fe-secure-openssl.c
blob82360b0e29b3c7c93497eff4b017ecad22fc4f65
1 /*-------------------------------------------------------------------------
2 *
3 * fe-secure-openssl.c
4 * OpenSSL support
5 *
6 *
7 * Portions Copyright (c) 1996-2023, PostgreSQL Global Development Group
8 * Portions Copyright (c) 1994, Regents of the University of California
9 *
10 *
11 * IDENTIFICATION
12 * src/interfaces/libpq/fe-secure-openssl.c
13 *
14 * NOTES
15 *
16 * We don't provide informational callbacks here (like
17 * info_cb() in be-secure-openssl.c), since there's no good mechanism to
18 * display such information to the user.
19 *
20 *-------------------------------------------------------------------------
21 */
22
23 #include "postgres_fe.h"
24
25 #include <signal.h>
26 #include <fcntl.h>
27 #include <ctype.h>
28
29 #include "libpq-fe.h"
30 #include "fe-auth.h"
31 #include "fe-secure-common.h"
32 #include "libpq-int.h"
33
34 #ifdef WIN32
35 #include "win32.h"
36 #else
37 #include <sys/socket.h>
38 #include <unistd.h>
39 #include <netdb.h>
40 #include <netinet/in.h>
41 #include <netinet/tcp.h>
42 #include <arpa/inet.h>
43 #endif
44
45 #include <sys/stat.h>
46
47 #ifdef ENABLE_THREAD_SAFETY
48 #ifdef WIN32
49 #include "pthread-win32.h"
50 #else
51 #include <pthread.h>
52 #endif
53 #endif
54
55 /*
56 * These SSL-related #includes must come after all system-provided headers.
57 * This ensures that OpenSSL can take care of conflicts with Windows'
58 * <wincrypt.h> by #undef'ing the conflicting macros. (We don't directly
59 * include <wincrypt.h>, but some other Windows headers do.)
60 */
61 #include "common/openssl.h"
62 #include <openssl/conf.h>
63 #ifdef USE_SSL_ENGINE
64 #include <openssl/engine.h>
65 #endif
66 #include <openssl/x509v3.h>
67
68
69 static int verify_cb(int ok, X509_STORE_CTX *ctx);
70 static int openssl_verify_peer_name_matches_certificate_name(PGconn *conn,
71 ASN1_STRING *name_entry,
72 char **store_name);
73 static int openssl_verify_peer_name_matches_certificate_ip(PGconn *conn,
74 ASN1_OCTET_STRING *addr_entry,
75 char **store_name);
76 static void destroy_ssl_system(void);
77 static int initialize_SSL(PGconn *conn);
78 static PostgresPollingStatusType open_client_SSL(PGconn *conn);
79 static char *SSLerrmessage(unsigned long ecode);
80 static void SSLerrfree(char *buf);
81 static int PQssl_passwd_cb(char *buf, int size, int rwflag, void *userdata);
82
83 static int my_sock_read(BIO *h, char *buf, int size);
84 static int my_sock_write(BIO *h, const char *buf, int size);
85 static BIO_METHOD *my_BIO_s_socket(void);
86 static int my_SSL_set_fd(PGconn *conn, int fd);
87
88
89 static bool pq_init_ssl_lib = true;
90 static bool pq_init_crypto_lib = true;
91
92 static bool ssl_lib_initialized = false;
93
94 #ifdef ENABLE_THREAD_SAFETY
95 static long crypto_open_connections = 0;
96
97 static pthread_mutex_t ssl_config_mutex = PTHREAD_MUTEX_INITIALIZER;
98 #endif /* ENABLE_THREAD_SAFETY */
99
100 static PQsslKeyPassHook_OpenSSL_type PQsslKeyPassHook = NULL;
101 static int ssl_protocol_version_to_openssl(const char *protocol);
102
103 /* ------------------------------------------------------------ */
104 /* Procedures common to all secure sessions */
105 /* ------------------------------------------------------------ */
106
107 void
108 pgtls_init_library(bool do_ssl, int do_crypto)
109 {
110 #ifdef ENABLE_THREAD_SAFETY
111
112 /*
113 * Disallow changing the flags while we have open connections, else we'd
114 * get completely confused.
115 */
116 if (crypto_open_connections != 0)
117 return;
118 #endif
119
120 pq_init_ssl_lib = do_ssl;
121 pq_init_crypto_lib = do_crypto;
122 }
123
124 PostgresPollingStatusType
125 pgtls_open_client(PGconn *conn)
126 {
127 /* First time through? */
128 if (conn->ssl == NULL)
129 {
130 /*
131 * Create a connection-specific SSL object, and load client
132 * certificate, private key, and trusted CA certs.
133 */
134 if (initialize_SSL(conn) != 0)
135 {
136 /* initialize_SSL already put a message in conn->errorMessage */
137 pgtls_close(conn);
138 return PGRES_POLLING_FAILED;
139 }
140 }
141
142 /* Begin or continue the actual handshake */
143 return open_client_SSL(conn);
144 }
145
146 ssize_t
147 pgtls_read(PGconn *conn, void *ptr, size_t len)
148 {
149 ssize_t n;
150 int result_errno = 0;
151 char sebuf[PG_STRERROR_R_BUFLEN];
152 int err;
153 unsigned long ecode;
154
155 rloop:
156
157 /*
158 * Prepare to call SSL_get_error() by clearing thread's OpenSSL error
159 * queue. In general, the current thread's error queue must be empty
160 * before the TLS/SSL I/O operation is attempted, or SSL_get_error() will
161 * not work reliably. Since the possibility exists that other OpenSSL
162 * clients running in the same thread but not under our control will fail
163 * to call ERR_get_error() themselves (after their own I/O operations),
164 * pro-actively clear the per-thread error queue now.
165 */
166 SOCK_ERRNO_SET(0);
167 ERR_clear_error();
168 n = SSL_read(conn->ssl, ptr, len);
169 err = SSL_get_error(conn->ssl, n);
170
171 /*
172 * Other clients of OpenSSL may fail to call ERR_get_error(), but we
173 * always do, so as to not cause problems for OpenSSL clients that don't
174 * call ERR_clear_error() defensively. Be sure that this happens by
175 * calling now. SSL_get_error() relies on the OpenSSL per-thread error
176 * queue being intact, so this is the earliest possible point
177 * ERR_get_error() may be called.
178 */
179 ecode = (err != SSL_ERROR_NONE || n < 0) ? ERR_get_error() : 0;
180 switch (err)
181 {
182 case SSL_ERROR_NONE:
183 if (n < 0)
184 {
185 /* Not supposed to happen, so we don't translate the msg */
186 appendPQExpBufferStr(&conn->errorMessage,
187 "SSL_read failed but did not provide error information\n");
188 /* assume the connection is broken */
189 result_errno = ECONNRESET;
190 }
191 break;
192 case SSL_ERROR_WANT_READ:
193 n = 0;
194 break;
195 case SSL_ERROR_WANT_WRITE:
196
197 /*
198 * Returning 0 here would cause caller to wait for read-ready,
199 * which is not correct since what SSL wants is wait for
200 * write-ready. The former could get us stuck in an infinite
201 * wait, so don't risk it; busy-loop instead.
202 */
203 goto rloop;
204 case SSL_ERROR_SYSCALL:
205 if (n < 0 && SOCK_ERRNO != 0)
206 {
207 result_errno = SOCK_ERRNO;
208 if (result_errno == EPIPE ||
209 result_errno == ECONNRESET)
210 libpq_append_conn_error(conn, "server closed the connection unexpectedly\n"
211 "\tThis probably means the server terminated abnormally\n"
212 "\tbefore or while processing the request.");
213 else
214 libpq_append_conn_error(conn, "SSL SYSCALL error: %s",
215 SOCK_STRERROR(result_errno,
216 sebuf, sizeof(sebuf)));
217 }
218 else
219 {
220 libpq_append_conn_error(conn, "SSL SYSCALL error: EOF detected");
221 /* assume the connection is broken */
222 result_errno = ECONNRESET;
223 n = -1;
224 }
225 break;
226 case SSL_ERROR_SSL:
227 {
228 char *errm = SSLerrmessage(ecode);
229
230 libpq_append_conn_error(conn, "SSL error: %s", errm);
231 SSLerrfree(errm);
232 /* assume the connection is broken */
233 result_errno = ECONNRESET;
234 n = -1;
235 break;
236 }
237 case SSL_ERROR_ZERO_RETURN:
238
239 /*
240 * Per OpenSSL documentation, this error code is only returned for
241 * a clean connection closure, so we should not report it as a
242 * server crash.
243 */
244 libpq_append_conn_error(conn, "SSL connection has been closed unexpectedly");
245 result_errno = ECONNRESET;
246 n = -1;
247 break;
248 default:
249 libpq_append_conn_error(conn, "unrecognized SSL error code: %d", err);
250 /* assume the connection is broken */
251 result_errno = ECONNRESET;
252 n = -1;
253 break;
254 }
255
256 /* ensure we return the intended errno to caller */
257 SOCK_ERRNO_SET(result_errno);
258
259 return n;
260 }
261
262 bool
263 pgtls_read_pending(PGconn *conn)
264 {
265 return SSL_pending(conn->ssl) > 0;
266 }
267
268 ssize_t
269 pgtls_write(PGconn *conn, const void *ptr, size_t len)
270 {
271 ssize_t n;
272 int result_errno = 0;
273 char sebuf[PG_STRERROR_R_BUFLEN];
274 int err;
275 unsigned long ecode;
276
277 SOCK_ERRNO_SET(0);
278 ERR_clear_error();
279 n = SSL_write(conn->ssl, ptr, len);
280 err = SSL_get_error(conn->ssl, n);
281 ecode = (err != SSL_ERROR_NONE || n < 0) ? ERR_get_error() : 0;
282 switch (err)
283 {
284 case SSL_ERROR_NONE:
285 if (n < 0)
286 {
287 /* Not supposed to happen, so we don't translate the msg */
288 appendPQExpBufferStr(&conn->errorMessage,
289 "SSL_write failed but did not provide error information\n");
290 /* assume the connection is broken */
291 result_errno = ECONNRESET;
292 }
293 break;
294 case SSL_ERROR_WANT_READ:
295
296 /*
297 * Returning 0 here causes caller to wait for write-ready, which
298 * is not really the right thing, but it's the best we can do.
299 */
300 n = 0;
301 break;
302 case SSL_ERROR_WANT_WRITE:
303 n = 0;
304 break;
305 case SSL_ERROR_SYSCALL:
306
307 /*
308 * If errno is still zero then assume it's a read EOF situation,
309 * and report EOF. (This seems possible because SSL_write can
310 * also do reads.)
311 */
312 if (n < 0 && SOCK_ERRNO != 0)
313 {
314 result_errno = SOCK_ERRNO;
315 if (result_errno == EPIPE || result_errno == ECONNRESET)
316 libpq_append_conn_error(conn, "server closed the connection unexpectedly\n"
317 "\tThis probably means the server terminated abnormally\n"
318 "\tbefore or while processing the request.");
319 else
320 libpq_append_conn_error(conn, "SSL SYSCALL error: %s",
321 SOCK_STRERROR(result_errno,
322 sebuf, sizeof(sebuf)));
323 }
324 else
325 {
326 libpq_append_conn_error(conn, "SSL SYSCALL error: EOF detected");
327 /* assume the connection is broken */
328 result_errno = ECONNRESET;
329 n = -1;
330 }
331 break;
332 case SSL_ERROR_SSL:
333 {
334 char *errm = SSLerrmessage(ecode);
335
336 libpq_append_conn_error(conn, "SSL error: %s", errm);
337 SSLerrfree(errm);
338 /* assume the connection is broken */
339 result_errno = ECONNRESET;
340 n = -1;
341 break;
342 }
343 case SSL_ERROR_ZERO_RETURN:
344
345 /*
346 * Per OpenSSL documentation, this error code is only returned for
347 * a clean connection closure, so we should not report it as a
348 * server crash.
349 */
350 libpq_append_conn_error(conn, "SSL connection has been closed unexpectedly");
351 result_errno = ECONNRESET;
352 n = -1;
353 break;
354 default:
355 libpq_append_conn_error(conn, "unrecognized SSL error code: %d", err);
356 /* assume the connection is broken */
357 result_errno = ECONNRESET;
358 n = -1;
359 break;
360 }
361
362 /* ensure we return the intended errno to caller */
363 SOCK_ERRNO_SET(result_errno);
364
365 return n;
366 }
367
368 #if defined(HAVE_X509_GET_SIGNATURE_NID) || defined(HAVE_X509_GET_SIGNATURE_INFO)
369 char *
370 pgtls_get_peer_certificate_hash(PGconn *conn, size_t *len)
371 {
372 X509 *peer_cert;
373 const EVP_MD *algo_type;
374 unsigned char hash[EVP_MAX_MD_SIZE]; /* size for SHA-512 */
375 unsigned int hash_size;
376 int algo_nid;
377 char *cert_hash;
378
379 *len = 0;
380
381 if (!conn->peer)
382 return NULL;
383
384 peer_cert = conn->peer;
385
386 /*
387 * Get the signature algorithm of the certificate to determine the hash
388 * algorithm to use for the result. Prefer X509_get_signature_info(),
389 * introduced in OpenSSL 1.1.1, which can handle RSA-PSS signatures.
390 */
391 #if HAVE_X509_GET_SIGNATURE_INFO
392 if (!X509_get_signature_info(peer_cert, &algo_nid, NULL, NULL, NULL))
393 #else
394 if (!OBJ_find_sigid_algs(X509_get_signature_nid(peer_cert),
395 &algo_nid, NULL))
396 #endif
397 {
398 libpq_append_conn_error(conn, "could not determine server certificate signature algorithm");
399 return NULL;
400 }
401
402 /*
403 * The TLS server's certificate bytes need to be hashed with SHA-256 if
404 * its signature algorithm is MD5 or SHA-1 as per RFC 5929
405 * (https://tools.ietf.org/html/rfc5929#section-4.1). If something else
406 * is used, the same hash as the signature algorithm is used.
407 */
408 switch (algo_nid)
409 {
410 case NID_md5:
411 case NID_sha1:
412 algo_type = EVP_sha256();
413 break;
414 default:
415 algo_type = EVP_get_digestbynid(algo_nid);
416 if (algo_type == NULL)
417 {
418 libpq_append_conn_error(conn, "could not find digest for NID %s",
419 OBJ_nid2sn(algo_nid));
420 return NULL;
421 }
422 break;
423 }
424
425 if (!X509_digest(peer_cert, algo_type, hash, &hash_size))
426 {
427 libpq_append_conn_error(conn, "could not generate peer certificate hash");
428 return NULL;
429 }
430
431 /* save result */
432 cert_hash = malloc(hash_size);
433 if (cert_hash == NULL)
434 {
435 libpq_append_conn_error(conn, "out of memory");
436 return NULL;
437 }
438 memcpy(cert_hash, hash, hash_size);
439 *len = hash_size;
440
441 return cert_hash;
442 }
443 #endif /* HAVE_X509_GET_SIGNATURE_NID */
444
445 /* ------------------------------------------------------------ */
446 /* OpenSSL specific code */
447 /* ------------------------------------------------------------ */
448
449 /*
450 * Certificate verification callback
451 *
452 * This callback allows us to log intermediate problems during
453 * verification, but there doesn't seem to be a clean way to get
454 * our PGconn * structure. So we can't log anything!
455 *
456 * This callback also allows us to override the default acceptance
457 * criteria (e.g., accepting self-signed or expired certs), but
458 * for now we accept the default checks.
459 */
460 static int
461 verify_cb(int ok, X509_STORE_CTX *ctx)
462 {
463 return ok;
464 }
465
466 #ifdef HAVE_SSL_CTX_SET_CERT_CB
467 /*
468 * Certificate selection callback
469 *
470 * This callback lets us choose the client certificate we send to the server
471 * after seeing its CertificateRequest. We only support sending a single
472 * hard-coded certificate via sslcert, so we don't actually set any certificates
473 * here; we just use it to record whether or not the server has actually asked
474 * for one and whether we have one to send.
475 */
476 static int
477 cert_cb(SSL *ssl, void *arg)
478 {
479 PGconn *conn = arg;
480
481 conn->ssl_cert_requested = true;
482
483 /* Do we have a certificate loaded to send back? */
484 if (SSL_get_certificate(ssl))
485 conn->ssl_cert_sent = true;
486
487 /*
488 * Tell OpenSSL that the callback succeeded; we're not required to
489 * actually make any changes to the SSL handle.
490 */
491 return 1;
492 }
493 #endif
494
495 /*
496 * OpenSSL-specific wrapper around
497 * pq_verify_peer_name_matches_certificate_name(), converting the ASN1_STRING
498 * into a plain C string.
499 */
500 static int
501 openssl_verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *name_entry,
502 char **store_name)
503 {
504 int len;
505 const unsigned char *namedata;
506
507 /* Should not happen... */
508 if (name_entry == NULL)
509 {
510 libpq_append_conn_error(conn, "SSL certificate's name entry is missing");
511 return -1;
512 }
513
514 /*
515 * GEN_DNS can be only IA5String, equivalent to US ASCII.
516 */
517 #ifdef HAVE_ASN1_STRING_GET0_DATA
518 namedata = ASN1_STRING_get0_data(name_entry);
519 #else
520 namedata = ASN1_STRING_data(name_entry);
521 #endif
522 len = ASN1_STRING_length(name_entry);
523
524 /* OK to cast from unsigned to plain char, since it's all ASCII. */
525 return pq_verify_peer_name_matches_certificate_name(conn, (const char *) namedata, len, store_name);
526 }
527
528 /*
529 * OpenSSL-specific wrapper around
530 * pq_verify_peer_name_matches_certificate_ip(), converting the
531 * ASN1_OCTET_STRING into a plain C string.
532 */
533 static int
534 openssl_verify_peer_name_matches_certificate_ip(PGconn *conn,
535 ASN1_OCTET_STRING *addr_entry,
536 char **store_name)
537 {
538 int len;
539 const unsigned char *addrdata;
540
541 /* Should not happen... */
542 if (addr_entry == NULL)
543 {
544 libpq_append_conn_error(conn, "SSL certificate's address entry is missing");
545 return -1;
546 }
547
548 /*
549 * GEN_IPADD is an OCTET STRING containing an IP address in network byte
550 * order.
551 */
552 #ifdef HAVE_ASN1_STRING_GET0_DATA
553 addrdata = ASN1_STRING_get0_data(addr_entry);
554 #else
555 addrdata = ASN1_STRING_data(addr_entry);
556 #endif
557 len = ASN1_STRING_length(addr_entry);
558
559 return pq_verify_peer_name_matches_certificate_ip(conn, addrdata, len, store_name);
560 }
561
562 static bool
563 is_ip_address(const char *host)
564 {
565 struct in_addr dummy4;
566 #ifdef HAVE_INET_PTON
567 struct in6_addr dummy6;
568 #endif
569
570 return inet_aton(host, &dummy4)
571 #ifdef HAVE_INET_PTON
572 || (inet_pton(AF_INET6, host, &dummy6) == 1)
573 #endif
574 ;
575 }
576
577 /*
578 * Verify that the server certificate matches the hostname we connected to.
579 *
580 * The certificate's Common Name and Subject Alternative Names are considered.
581 */
582 int
583 pgtls_verify_peer_name_matches_certificate_guts(PGconn *conn,
584 int *names_examined,
585 char **first_name)
586 {
587 STACK_OF(GENERAL_NAME) * peer_san;
588 int i;
589 int rc = 0;
590 char *host = conn->connhost[conn->whichhost].host;
591 int host_type;
592 bool check_cn = true;
593
594 Assert(host && host[0]); /* should be guaranteed by caller */
595
596 /*
597 * We try to match the NSS behavior here, which is a slight departure from
598 * the spec but seems to make more intuitive sense:
599 *
600 * If connhost contains a DNS name, and the certificate's SANs contain any
601 * dNSName entries, then we'll ignore the Subject Common Name entirely;
602 * otherwise, we fall back to checking the CN. (This behavior matches the
603 * RFC.)
604 *
605 * If connhost contains an IP address, and the SANs contain iPAddress
606 * entries, we again ignore the CN. Otherwise, we allow the CN to match,
607 * EVEN IF there is a dNSName in the SANs. (RFC 6125 prohibits this: "A
608 * client MUST NOT seek a match for a reference identifier of CN-ID if the
609 * presented identifiers include a DNS-ID, SRV-ID, URI-ID, or any
610 * application-specific identifier types supported by the client.")
611 *
612 * NOTE: Prior versions of libpq did not consider iPAddress entries at
613 * all, so this new behavior might break a certificate that has different
614 * IP addresses in the Subject CN and the SANs.
615 */
616 if (is_ip_address(host))
617 host_type = GEN_IPADD;
618 else
619 host_type = GEN_DNS;
620
621 /*
622 * First, get the Subject Alternative Names (SANs) from the certificate,
623 * and compare them against the originally given hostname.
624 */
625 peer_san = (STACK_OF(GENERAL_NAME) *)
626 X509_get_ext_d2i(conn->peer, NID_subject_alt_name, NULL, NULL);
627
628 if (peer_san)
629 {
630 int san_len = sk_GENERAL_NAME_num(peer_san);
631
632 for (i = 0; i < san_len; i++)
633 {
634 const GENERAL_NAME *name = sk_GENERAL_NAME_value(peer_san, i);
635 char *alt_name = NULL;
636
637 if (name->type == host_type)
638 {
639 /*
640 * This SAN is of the same type (IP or DNS) as our host name,
641 * so don't allow a fallback check of the CN.
642 */
643 check_cn = false;
644 }
645
646 if (name->type == GEN_DNS)
647 {
648 (*names_examined)++;
649 rc = openssl_verify_peer_name_matches_certificate_name(conn,
650 name->d.dNSName,
651 &alt_name);
652 }
653 else if (name->type == GEN_IPADD)
654 {
655 (*names_examined)++;
656 rc = openssl_verify_peer_name_matches_certificate_ip(conn,
657 name->d.iPAddress,
658 &alt_name);
659 }
660
661 if (alt_name)
662 {
663 if (!*first_name)
664 *first_name = alt_name;
665 else
666 free(alt_name);
667 }
668
669 if (rc != 0)
670 {
671 /*
672 * Either we hit an error or a match, and either way we should
673 * not fall back to the CN.
674 */
675 check_cn = false;
676 break;
677 }
678 }
679 sk_GENERAL_NAME_pop_free(peer_san, GENERAL_NAME_free);
680 }
681
682 /*
683 * If there is no subjectAltName extension of the matching type, check the
684 * Common Name.
685 *
686 * (Per RFC 2818 and RFC 6125, if the subjectAltName extension of type
687 * dNSName is present, the CN must be ignored. We break this rule if host
688 * is an IP address; see the comment above.)
689 */
690 if (check_cn)
691 {
692 X509_NAME *subject_name;
693
694 subject_name = X509_get_subject_name(conn->peer);
695 if (subject_name != NULL)
696 {
697 int cn_index;
698
699 cn_index = X509_NAME_get_index_by_NID(subject_name,
700 NID_commonName, -1);
701 if (cn_index >= 0)
702 {
703 char *common_name = NULL;
704
705 (*names_examined)++;
706 rc = openssl_verify_peer_name_matches_certificate_name(conn,
707 X509_NAME_ENTRY_get_data(X509_NAME_get_entry(subject_name, cn_index)),
708 &common_name);
709
710 if (common_name)
711 {
712 if (!*first_name)
713 *first_name = common_name;
714 else
715 free(common_name);
716 }
717 }
718 }
719 }
720
721 return rc;
722 }
723
724 #if defined(ENABLE_THREAD_SAFETY) && defined(HAVE_CRYPTO_LOCK)
725 /*
726 * Callback functions for OpenSSL internal locking. (OpenSSL 1.1.0
727 * does its own locking, and doesn't need these anymore. The
728 * CRYPTO_lock() function was removed in 1.1.0, when the callbacks
729 * were made obsolete, so we assume that if CRYPTO_lock() exists,
730 * the callbacks are still required.)
731 */
732
733 static unsigned long
734 pq_threadidcallback(void)
735 {
736 /*
737 * This is not standards-compliant. pthread_self() returns pthread_t, and
738 * shouldn't be cast to unsigned long, but CRYPTO_set_id_callback requires
739 * it, so we have to do it.
740 */
741 return (unsigned long) pthread_self();
742 }
743
744 static pthread_mutex_t *pq_lockarray;
745
746 static void
747 pq_lockingcallback(int mode, int n, const char *file, int line)
748 {
749 /*
750 * There's no way to report a mutex-primitive failure, so we just Assert
751 * in development builds, and ignore any errors otherwise. Fortunately
752 * this is all obsolete in modern OpenSSL.
753 */
754 if (mode & CRYPTO_LOCK)
755 {
756 if (pthread_mutex_lock(&pq_lockarray[n]))
757 Assert(false);
758 }
759 else
760 {
761 if (pthread_mutex_unlock(&pq_lockarray[n]))
762 Assert(false);
763 }
764 }
765 #endif /* ENABLE_THREAD_SAFETY && HAVE_CRYPTO_LOCK */
766
767 /*
768 * Initialize SSL library.
769 *
770 * In threadsafe mode, this includes setting up libcrypto callback functions
771 * to do thread locking.
772 *
773 * If the caller has told us (through PQinitOpenSSL) that he's taking care
774 * of libcrypto, we expect that callbacks are already set, and won't try to
775 * override it.
776 */
777 int
778 pgtls_init(PGconn *conn, bool do_ssl, bool do_crypto)
779 {
780 #ifdef ENABLE_THREAD_SAFETY
781 if (pthread_mutex_lock(&ssl_config_mutex))
782 return -1;
783
784 #ifdef HAVE_CRYPTO_LOCK
785 if (pq_init_crypto_lib)
786 {
787 /*
788 * If necessary, set up an array to hold locks for libcrypto.
789 * libcrypto will tell us how big to make this array.
790 */
791 if (pq_lockarray == NULL)
792 {
793 int i;
794
795 pq_lockarray = malloc(sizeof(pthread_mutex_t) * CRYPTO_num_locks());
796 if (!pq_lockarray)
797 {
798 pthread_mutex_unlock(&ssl_config_mutex);
799 return -1;
800 }
801 for (i = 0; i < CRYPTO_num_locks(); i++)
802 {
803 if (pthread_mutex_init(&pq_lockarray[i], NULL))
804 {
805 free(pq_lockarray);
806 pq_lockarray = NULL;
807 pthread_mutex_unlock(&ssl_config_mutex);
808 return -1;
809 }
810 }
811 }
812
813 if (do_crypto && !conn->crypto_loaded)
814 {
815 if (crypto_open_connections++ == 0)
816 {
817 /*
818 * These are only required for threaded libcrypto
819 * applications, but make sure we don't stomp on them if
820 * they're already set.
821 */
822 if (CRYPTO_get_id_callback() == NULL)
823 CRYPTO_set_id_callback(pq_threadidcallback);
824 if (CRYPTO_get_locking_callback() == NULL)
825 CRYPTO_set_locking_callback(pq_lockingcallback);
826 }
827
828 conn->crypto_loaded = true;
829 }
830 }
831 #endif /* HAVE_CRYPTO_LOCK */
832 #endif /* ENABLE_THREAD_SAFETY */
833
834 if (!ssl_lib_initialized && do_ssl)
835 {
836 if (pq_init_ssl_lib)
837 {
838 #ifdef HAVE_OPENSSL_INIT_SSL
839 OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL);
840 #else
841 OPENSSL_config(NULL);
842 SSL_library_init();
843 SSL_load_error_strings();
844 #endif
845 }
846 ssl_lib_initialized = true;
847 }
848
849 #ifdef ENABLE_THREAD_SAFETY
850 pthread_mutex_unlock(&ssl_config_mutex);
851 #endif
852 return 0;
853 }
854
855 /*
856 * This function is needed because if the libpq library is unloaded
857 * from the application, the callback functions will no longer exist when
858 * libcrypto is used by other parts of the system. For this reason,
859 * we unregister the callback functions when the last libpq
860 * connection is closed. (The same would apply for OpenSSL callbacks
861 * if we had any.)
862 *
863 * Callbacks are only set when we're compiled in threadsafe mode, so
864 * we only need to remove them in this case. They are also not needed
865 * with OpenSSL 1.1.0 anymore.
866 */
867 static void
868 destroy_ssl_system(void)
869 {
870 #if defined(ENABLE_THREAD_SAFETY) && defined(HAVE_CRYPTO_LOCK)
871 if (pthread_mutex_lock(&ssl_config_mutex))
872 return;
873
874 if (pq_init_crypto_lib && crypto_open_connections > 0)
875 --crypto_open_connections;
876
877 if (pq_init_crypto_lib && crypto_open_connections == 0)
878 {
879 /*
880 * No connections left, unregister libcrypto callbacks, if no one
881 * registered different ones in the meantime.
882 */
883 if (CRYPTO_get_locking_callback() == pq_lockingcallback)
884 CRYPTO_set_locking_callback(NULL);
885 if (CRYPTO_get_id_callback() == pq_threadidcallback)
886 CRYPTO_set_id_callback(NULL);
887
888 /*
889 * We don't free the lock array. If we get another connection in this
890 * process, we will just re-use them with the existing mutexes.
891 *
892 * This means we leak a little memory on repeated load/unload of the
893 * library.
894 */
895 }
896
897 pthread_mutex_unlock(&ssl_config_mutex);
898 #endif
899 }
900
901 /*
902 * Create per-connection SSL object, and load the client certificate,
903 * private key, and trusted CA certs.
904 *
905 * Returns 0 if OK, -1 on failure (with a message in conn->errorMessage).
906 */
907 static int
908 initialize_SSL(PGconn *conn)
909 {
910 SSL_CTX *SSL_context;
911 struct stat buf;
912 char homedir[MAXPGPATH];
913 char fnbuf[MAXPGPATH];
914 char sebuf[PG_STRERROR_R_BUFLEN];
915 bool have_homedir;
916 bool have_cert;
917 bool have_rootcert;
918 EVP_PKEY *pkey = NULL;
919
920 /*
921 * We'll need the home directory if any of the relevant parameters are
922 * defaulted. If pqGetHomeDirectory fails, act as though none of the
923 * files could be found.
924 */
925 if (!(conn->sslcert && strlen(conn->sslcert) > 0) ||
926 !(conn->sslkey && strlen(conn->sslkey) > 0) ||
927 !(conn->sslrootcert && strlen(conn->sslrootcert) > 0) ||
928 !((conn->sslcrl && strlen(conn->sslcrl) > 0) ||
929 (conn->sslcrldir && strlen(conn->sslcrldir) > 0)))
930 have_homedir = pqGetHomeDirectory(homedir, sizeof(homedir));
931 else /* won't need it */
932 have_homedir = false;
933
934 /*
935 * Create a new SSL_CTX object.
936 *
937 * We used to share a single SSL_CTX between all connections, but it was
938 * complicated if connections used different certificates. So now we
939 * create a separate context for each connection, and accept the overhead.
940 */
941 SSL_context = SSL_CTX_new(SSLv23_method());
942 if (!SSL_context)
943 {
944 char *err = SSLerrmessage(ERR_get_error());
945
946 libpq_append_conn_error(conn, "could not create SSL context: %s", err);
947 SSLerrfree(err);
948 return -1;
949 }
950
951 /*
952 * Delegate the client cert password prompt to the libpq wrapper callback
953 * if any is defined.
954 *
955 * If the application hasn't installed its own and the sslpassword
956 * parameter is non-null, we install ours now to make sure we supply
957 * PGconn->sslpassword to OpenSSL instead of letting it prompt on stdin.
958 *
959 * This will replace OpenSSL's default PEM_def_callback (which prompts on
960 * stdin), but we're only setting it for this SSL context so it's
961 * harmless.
962 */
963 if (PQsslKeyPassHook
964 || (conn->sslpassword && strlen(conn->sslpassword) > 0))
965 {
966 SSL_CTX_set_default_passwd_cb(SSL_context, PQssl_passwd_cb);
967 SSL_CTX_set_default_passwd_cb_userdata(SSL_context, conn);
968 }
969
970 #ifdef HAVE_SSL_CTX_SET_CERT_CB
971 /* Set up a certificate selection callback. */
972 SSL_CTX_set_cert_cb(SSL_context, cert_cb, conn);
973 #endif
974
975 /* Disable old protocol versions */
976 SSL_CTX_set_options(SSL_context, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);
977
978 /* Set the minimum and maximum protocol versions if necessary */
979 if (conn->ssl_min_protocol_version &&
980 strlen(conn->ssl_min_protocol_version) != 0)
981 {
982 int ssl_min_ver;
983
984 ssl_min_ver = ssl_protocol_version_to_openssl(conn->ssl_min_protocol_version);
985
986 if (ssl_min_ver == -1)
987 {
988 libpq_append_conn_error(conn, "invalid value \"%s\" for minimum SSL protocol version",
989 conn->ssl_min_protocol_version);
990 SSL_CTX_free(SSL_context);
991 return -1;
992 }
993
994 if (!SSL_CTX_set_min_proto_version(SSL_context, ssl_min_ver))
995 {
996 char *err = SSLerrmessage(ERR_get_error());
997
998 libpq_append_conn_error(conn, "could not set minimum SSL protocol version: %s", err);
999 SSLerrfree(err);
1000 SSL_CTX_free(SSL_context);
1001 return -1;
1002 }
1003 }
1004
1005 if (conn->ssl_max_protocol_version &&
1006 strlen(conn->ssl_max_protocol_version) != 0)
1007 {
1008 int ssl_max_ver;
1009
1010 ssl_max_ver = ssl_protocol_version_to_openssl(conn->ssl_max_protocol_version);
1011
1012 if (ssl_max_ver == -1)
1013 {
1014 libpq_append_conn_error(conn, "invalid value \"%s\" for maximum SSL protocol version",
1015 conn->ssl_max_protocol_version);
1016 SSL_CTX_free(SSL_context);
1017 return -1;
1018 }
1019
1020 if (!SSL_CTX_set_max_proto_version(SSL_context, ssl_max_ver))
1021 {
1022 char *err = SSLerrmessage(ERR_get_error());
1023
1024 libpq_append_conn_error(conn, "could not set maximum SSL protocol version: %s", err);
1025 SSLerrfree(err);
1026 SSL_CTX_free(SSL_context);
1027 return -1;
1028 }
1029 }
1030
1031 /*
1032 * Disable OpenSSL's moving-write-buffer sanity check, because it causes
1033 * unnecessary failures in nonblocking send cases.
1034 */
1035 SSL_CTX_set_mode(SSL_context, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
1036
1037 /*
1038 * If the root cert file exists, load it so we can perform certificate
1039 * verification. If sslmode is "verify-full" we will also do further
1040 * verification after the connection has been completed.
1041 */
1042 if (conn->sslrootcert && strlen(conn->sslrootcert) > 0)
1043 strlcpy(fnbuf, conn->sslrootcert, sizeof(fnbuf));
1044 else if (have_homedir)
1045 snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, ROOT_CERT_FILE);
1046 else
1047 fnbuf[0] = '\0';
1048
1049 if (strcmp(fnbuf, "system") == 0)
1050 {
1051 /*
1052 * The "system" sentinel value indicates that we should load whatever
1053 * root certificates are installed for use by OpenSSL; these locations
1054 * differ by platform. Note that the default system locations may be
1055 * further overridden by the SSL_CERT_DIR and SSL_CERT_FILE
1056 * environment variables.
1057 */
1058 if (SSL_CTX_set_default_verify_paths(SSL_context) != 1)
1059 {
1060 char *err = SSLerrmessage(ERR_get_error());
1061
1062 libpq_append_conn_error(conn, "could not load system root certificate paths: %s",
1063 err);
1064 SSLerrfree(err);
1065 SSL_CTX_free(SSL_context);
1066 return -1;
1067 }
1068 have_rootcert = true;
1069 }
1070 else if (fnbuf[0] != '\0' &&
1071 stat(fnbuf, &buf) == 0)
1072 {
1073 X509_STORE *cvstore;
1074
1075 if (SSL_CTX_load_verify_locations(SSL_context, fnbuf, NULL) != 1)
1076 {
1077 char *err = SSLerrmessage(ERR_get_error());
1078
1079 libpq_append_conn_error(conn, "could not read root certificate file \"%s\": %s",
1080 fnbuf, err);
1081 SSLerrfree(err);
1082 SSL_CTX_free(SSL_context);
1083 return -1;
1084 }
1085
1086 if ((cvstore = SSL_CTX_get_cert_store(SSL_context)) != NULL)
1087 {
1088 char *fname = NULL;
1089 char *dname = NULL;
1090
1091 if (conn->sslcrl && strlen(conn->sslcrl) > 0)
1092 fname = conn->sslcrl;
1093 if (conn->sslcrldir && strlen(conn->sslcrldir) > 0)
1094 dname = conn->sslcrldir;
1095
1096 /* defaults to use the default CRL file */
1097 if (!fname && !dname && have_homedir)
1098 {
1099 snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, ROOT_CRL_FILE);
1100 fname = fnbuf;
1101 }
1102
1103 /* Set the flags to check against the complete CRL chain */
1104 if ((fname || dname) &&
1105 X509_STORE_load_locations(cvstore, fname, dname) == 1)
1106 {
1107 X509_STORE_set_flags(cvstore,
1108 X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
1109 }
1110
1111 /* if not found, silently ignore; we do not require CRL */
1112 ERR_clear_error();
1113 }
1114 have_rootcert = true;
1115 }
1116 else
1117 {
1118 /*
1119 * stat() failed; assume root file doesn't exist. If sslmode is
1120 * verify-ca or verify-full, this is an error. Otherwise, continue
1121 * without performing any server cert verification.
1122 */
1123 if (conn->sslmode[0] == 'v') /* "verify-ca" or "verify-full" */
1124 {
1125 /*
1126 * The only way to reach here with an empty filename is if
1127 * pqGetHomeDirectory failed. That's a sufficiently unusual case
1128 * that it seems worth having a specialized error message for it.
1129 */
1130 if (fnbuf[0] == '\0')
1131 libpq_append_conn_error(conn, "could not get home directory to locate root certificate file\n"
1132 "Either provide the file, use the system's trusted roots with sslrootcert=system, or change sslmode to disable server certificate verification.");
1133 else
1134 libpq_append_conn_error(conn, "root certificate file \"%s\" does not exist\n"
1135 "Either provide the file, use the system's trusted roots with sslrootcert=system, or change sslmode to disable server certificate verification.", fnbuf);
1136 SSL_CTX_free(SSL_context);
1137 return -1;
1138 }
1139 have_rootcert = false;
1140 }
1141
1142 /* Read the client certificate file */
1143 if (conn->sslcert && strlen(conn->sslcert) > 0)
1144 strlcpy(fnbuf, conn->sslcert, sizeof(fnbuf));
1145 else if (have_homedir)
1146 snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, USER_CERT_FILE);
1147 else
1148 fnbuf[0] = '\0';
1149
1150 if (conn->sslcertmode[0] == 'd') /* disable */
1151 {
1152 /* don't send a client cert even if we have one */
1153 have_cert = false;
1154 }
1155 else if (fnbuf[0] == '\0')
1156 {
1157 /* no home directory, proceed without a client cert */
1158 have_cert = false;
1159 }
1160 else if (stat(fnbuf, &buf) != 0)
1161 {
1162 /*
1163 * If file is not present, just go on without a client cert; server
1164 * might or might not accept the connection. Any other error,
1165 * however, is grounds for complaint.
1166 */
1167 if (errno != ENOENT && errno != ENOTDIR)
1168 {
1169 libpq_append_conn_error(conn, "could not open certificate file \"%s\": %s",
1170 fnbuf, strerror_r(errno, sebuf, sizeof(sebuf)));
1171 SSL_CTX_free(SSL_context);
1172 return -1;
1173 }
1174 have_cert = false;
1175 }
1176 else
1177 {
1178 /*
1179 * Cert file exists, so load it. Since OpenSSL doesn't provide the
1180 * equivalent of "SSL_use_certificate_chain_file", we have to load it
1181 * into the SSL context, rather than the SSL object.
1182 */
1183 if (SSL_CTX_use_certificate_chain_file(SSL_context, fnbuf) != 1)
1184 {
1185 char *err = SSLerrmessage(ERR_get_error());
1186
1187 libpq_append_conn_error(conn, "could not read certificate file \"%s\": %s",
1188 fnbuf, err);
1189 SSLerrfree(err);
1190 SSL_CTX_free(SSL_context);
1191 return -1;
1192 }
1193
1194 /* need to load the associated private key, too */
1195 have_cert = true;
1196 }
1197
1198 /*
1199 * The SSL context is now loaded with the correct root and client
1200 * certificates. Create a connection-specific SSL object. The private key
1201 * is loaded directly into the SSL object. (We could load the private key
1202 * into the context, too, but we have done it this way historically, and
1203 * it doesn't really matter.)
1204 */
1205 if (!(conn->ssl = SSL_new(SSL_context)) ||
1206 !SSL_set_app_data(conn->ssl, conn) ||
1207 !my_SSL_set_fd(conn, conn->sock))
1208 {
1209 char *err = SSLerrmessage(ERR_get_error());
1210
1211 libpq_append_conn_error(conn, "could not establish SSL connection: %s", err);
1212 SSLerrfree(err);
1213 SSL_CTX_free(SSL_context);
1214 return -1;
1215 }
1216 conn->ssl_in_use = true;
1217
1218 /*
1219 * SSL contexts are reference counted by OpenSSL. We can free it as soon
1220 * as we have created the SSL object, and it will stick around for as long
1221 * as it's actually needed.
1222 */
1223 SSL_CTX_free(SSL_context);
1224 SSL_context = NULL;
1225
1226 /*
1227 * Set Server Name Indication (SNI), if enabled by connection parameters.
1228 * Per RFC 6066, do not set it if the host is a literal IP address (IPv4
1229 * or IPv6).
1230 */
1231 if (conn->sslsni && conn->sslsni[0] == '1')
1232 {
1233 const char *host = conn->connhost[conn->whichhost].host;
1234
1235 if (host && host[0] &&
1236 !(strspn(host, "0123456789.") == strlen(host) ||
1237 strchr(host, ':')))
1238 {
1239 if (SSL_set_tlsext_host_name(conn->ssl, host) != 1)
1240 {
1241 char *err = SSLerrmessage(ERR_get_error());
1242
1243 libpq_append_conn_error(conn, "could not set SSL Server Name Indication (SNI): %s", err);
1244 SSLerrfree(err);
1245 return -1;
1246 }
1247 }
1248 }
1249
1250 /*
1251 * Read the SSL key. If a key is specified, treat it as an engine:key
1252 * combination if there is colon present - we don't support files with
1253 * colon in the name. The exception is if the second character is a colon,
1254 * in which case it can be a Windows filename with drive specification.
1255 */
1256 if (have_cert && conn->sslkey && strlen(conn->sslkey) > 0)
1257 {
1258 #ifdef USE_SSL_ENGINE
1259 if (strchr(conn->sslkey, ':')
1260 #ifdef WIN32
1261 && conn->sslkey[1] != ':'
1262 #endif
1263 )
1264 {
1265 /* Colon, but not in second character, treat as engine:key */
1266 char *engine_str = strdup(conn->sslkey);
1267 char *engine_colon;
1268
1269 if (engine_str == NULL)
1270 {
1271 libpq_append_conn_error(conn, "out of memory");
1272 return -1;
1273 }
1274
1275 /* cannot return NULL because we already checked before strdup */
1276 engine_colon = strchr(engine_str, ':');
1277
1278 *engine_colon = '\0'; /* engine_str now has engine name */
1279 engine_colon++; /* engine_colon now has key name */
1280
1281 conn->engine = ENGINE_by_id(engine_str);
1282 if (conn->engine == NULL)
1283 {
1284 char *err = SSLerrmessage(ERR_get_error());
1285
1286 libpq_append_conn_error(conn, "could not load SSL engine \"%s\": %s",
1287 engine_str, err);
1288 SSLerrfree(err);
1289 free(engine_str);
1290 return -1;
1291 }
1292
1293 if (ENGINE_init(conn->engine) == 0)
1294 {
1295 char *err = SSLerrmessage(ERR_get_error());
1296
1297 libpq_append_conn_error(conn, "could not initialize SSL engine \"%s\": %s",
1298 engine_str, err);
1299 SSLerrfree(err);
1300 ENGINE_free(conn->engine);
1301 conn->engine = NULL;
1302 free(engine_str);
1303 return -1;
1304 }
1305
1306 pkey = ENGINE_load_private_key(conn->engine, engine_colon,
1307 NULL, NULL);
1308 if (pkey == NULL)
1309 {
1310 char *err = SSLerrmessage(ERR_get_error());
1311
1312 libpq_append_conn_error(conn, "could not read private SSL key \"%s\" from engine \"%s\": %s",
1313 engine_colon, engine_str, err);
1314 SSLerrfree(err);
1315 ENGINE_finish(conn->engine);
1316 ENGINE_free(conn->engine);
1317 conn->engine = NULL;
1318 free(engine_str);
1319 return -1;
1320 }
1321 if (SSL_use_PrivateKey(conn->ssl, pkey) != 1)
1322 {
1323 char *err = SSLerrmessage(ERR_get_error());
1324
1325 libpq_append_conn_error(conn, "could not load private SSL key \"%s\" from engine \"%s\": %s",
1326 engine_colon, engine_str, err);
1327 SSLerrfree(err);
1328 ENGINE_finish(conn->engine);
1329 ENGINE_free(conn->engine);
1330 conn->engine = NULL;
1331 free(engine_str);
1332 return -1;
1333 }
1334
1335 free(engine_str);
1336
1337 fnbuf[0] = '\0'; /* indicate we're not going to load from a
1338 * file */
1339 }
1340 else
1341 #endif /* USE_SSL_ENGINE */
1342 {
1343 /* PGSSLKEY is not an engine, treat it as a filename */
1344 strlcpy(fnbuf, conn->sslkey, sizeof(fnbuf));
1345 }
1346 }
1347 else if (have_homedir)
1348 {
1349 /* No PGSSLKEY specified, load default file */
1350 snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, USER_KEY_FILE);
1351 }
1352 else
1353 fnbuf[0] = '\0';
1354
1355 if (have_cert && fnbuf[0] != '\0')
1356 {
1357 /* read the client key from file */
1358
1359 if (stat(fnbuf, &buf) != 0)
1360 {
1361 if (errno == ENOENT)
1362 libpq_append_conn_error(conn, "certificate present, but not private key file \"%s\"",
1363 fnbuf);
1364 else
1365 libpq_append_conn_error(conn, "could not stat private key file \"%s\": %m",
1366 fnbuf);
1367 return -1;
1368 }
1369
1370 /* Key file must be a regular file */
1371 if (!S_ISREG(buf.st_mode))
1372 {
1373 libpq_append_conn_error(conn, "private key file \"%s\" is not a regular file",
1374 fnbuf);
1375 return -1;
1376 }
1377
1378 /*
1379 * Refuse to load world-readable key files. We accept root-owned
1380 * files with mode 0640 or less, so that we can access system-wide
1381 * certificates if we have a supplementary group membership that
1382 * allows us to read 'em. For files with non-root ownership, require
1383 * mode 0600 or less. We need not check the file's ownership exactly;
1384 * if we're able to read it despite it having such restrictive
1385 * permissions, it must have the right ownership.
1386 *
1387 * Note: be very careful about tightening these rules. Some people
1388 * expect, for example, that a client process running as root should
1389 * be able to use a non-root-owned key file.
1390 *
1391 * Note that roughly similar checks are performed in
1392 * src/backend/libpq/be-secure-common.c so any changes here may need
1393 * to be made there as well. However, this code caters for the case
1394 * of current user == root, while that code does not.
1395 *
1396 * Ideally we would do similar permissions checks on Windows, but it
1397 * is not clear how that would work since Unix-style permissions may
1398 * not be available.
1399 */
1400 #if !defined(WIN32) && !defined(__CYGWIN__)
1401 if (buf.st_uid == 0 ?
1402 buf.st_mode & (S_IWGRP | S_IXGRP | S_IRWXO) :
1403 buf.st_mode & (S_IRWXG | S_IRWXO))
1404 {
1405 libpq_append_conn_error(conn,
1406 "private key file \"%s\" has group or world access; file must have permissions u=rw (0600) or less if owned by the current user, or permissions u=rw,g=r (0640) or less if owned by root",
1407 fnbuf);
1408 return -1;
1409 }
1410 #endif
1411
1412 if (SSL_use_PrivateKey_file(conn->ssl, fnbuf, SSL_FILETYPE_PEM) != 1)
1413 {
1414 char *err = SSLerrmessage(ERR_get_error());
1415
1416 /*
1417 * We'll try to load the file in DER (binary ASN.1) format, and if
1418 * that fails too, report the original error. This could mask
1419 * issues where there's something wrong with a DER-format cert,
1420 * but we'd have to duplicate openssl's format detection to be
1421 * smarter than this. We can't just probe for a leading -----BEGIN
1422 * because PEM can have leading non-matching lines and blanks.
1423 * OpenSSL doesn't expose its get_name(...) and its PEM routines
1424 * don't differentiate between failure modes in enough detail to
1425 * let us tell the difference between "not PEM, try DER" and
1426 * "wrong password".
1427 */
1428 if (SSL_use_PrivateKey_file(conn->ssl, fnbuf, SSL_FILETYPE_ASN1) != 1)
1429 {
1430 libpq_append_conn_error(conn, "could not load private key file \"%s\": %s",
1431 fnbuf, err);
1432 SSLerrfree(err);
1433 return -1;
1434 }
1435
1436 SSLerrfree(err);
1437 }
1438 }
1439
1440 /* verify that the cert and key go together */
1441 if (have_cert &&
1442 SSL_check_private_key(conn->ssl) != 1)
1443 {
1444 char *err = SSLerrmessage(ERR_get_error());
1445
1446 libpq_append_conn_error(conn, "certificate does not match private key file \"%s\": %s",
1447 fnbuf, err);
1448 SSLerrfree(err);
1449 return -1;
1450 }
1451
1452 /*
1453 * If a root cert was loaded, also set our certificate verification
1454 * callback.
1455 */
1456 if (have_rootcert)
1457 SSL_set_verify(conn->ssl, SSL_VERIFY_PEER, verify_cb);
1458
1459 /*
1460 * Set compression option if necessary.
1461 */
1462 if (conn->sslcompression && conn->sslcompression[0] == '0')
1463 SSL_set_options(conn->ssl, SSL_OP_NO_COMPRESSION);
1464 else
1465 SSL_clear_options(conn->ssl, SSL_OP_NO_COMPRESSION);
1466
1467 return 0;
1468 }
1469
1470 /*
1471 * Attempt to negotiate SSL connection.
1472 */
1473 static PostgresPollingStatusType
1474 open_client_SSL(PGconn *conn)
1475 {
1476 int r;
1477
1478 SOCK_ERRNO_SET(0);
1479 ERR_clear_error();
1480 r = SSL_connect(conn->ssl);
1481 if (r <= 0)
1482 {
1483 int save_errno = SOCK_ERRNO;
1484 int err = SSL_get_error(conn->ssl, r);
1485 unsigned long ecode;
1486
1487 ecode = ERR_get_error();
1488 switch (err)
1489 {
1490 case SSL_ERROR_WANT_READ:
1491 return PGRES_POLLING_READING;
1492
1493 case SSL_ERROR_WANT_WRITE:
1494 return PGRES_POLLING_WRITING;
1495
1496 case SSL_ERROR_SYSCALL:
1497 {
1498 char sebuf[PG_STRERROR_R_BUFLEN];
1499 unsigned long vcode;
1500
1501 vcode = SSL_get_verify_result(conn->ssl);
1502
1503 /*
1504 * If we get an X509 error here for failing to load the
1505 * local issuer cert, without an error in the socket layer
1506 * it means that verification failed due to a missing
1507 * system CA pool without it being a protocol error. We
1508 * inspect the sslrootcert setting to ensure that the user
1509 * was using the system CA pool. For other errors, log
1510 * them using the normal SYSCALL logging.
1511 */
1512 if (save_errno == 0 &&
1513 vcode == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY &&
1514 strcmp(conn->sslrootcert, "system") == 0)
1515 libpq_append_conn_error(conn, "SSL error: certificate verify failed: %s",
1516 X509_verify_cert_error_string(vcode));
1517 else if (r == -1 && save_errno != 0)
1518 libpq_append_conn_error(conn, "SSL SYSCALL error: %s",
1519 SOCK_STRERROR(save_errno, sebuf, sizeof(sebuf)));
1520 else
1521 libpq_append_conn_error(conn, "SSL SYSCALL error: EOF detected");
1522 pgtls_close(conn);
1523 return PGRES_POLLING_FAILED;
1524 }
1525 case SSL_ERROR_SSL:
1526 {
1527 char *err = SSLerrmessage(ecode);
1528
1529 libpq_append_conn_error(conn, "SSL error: %s", err);
1530 SSLerrfree(err);
1531 switch (ERR_GET_REASON(ecode))
1532 {
1533 /*
1534 * UNSUPPORTED_PROTOCOL, WRONG_VERSION_NUMBER, and
1535 * TLSV1_ALERT_PROTOCOL_VERSION have been observed
1536 * when trying to communicate with an old OpenSSL
1537 * library, or when the client and server specify
1538 * disjoint protocol ranges.
1539 * NO_PROTOCOLS_AVAILABLE occurs if there's a
1540 * local misconfiguration (which can happen
1541 * despite our checks, if openssl.cnf injects a
1542 * limit we didn't account for). It's not very
1543 * clear what would make OpenSSL return the other
1544 * codes listed here, but a hint about protocol
1545 * versions seems like it's appropriate for all.
1546 */
1547 case SSL_R_NO_PROTOCOLS_AVAILABLE:
1548 case SSL_R_UNSUPPORTED_PROTOCOL:
1549 case SSL_R_BAD_PROTOCOL_VERSION_NUMBER:
1550 case SSL_R_UNKNOWN_PROTOCOL:
1551 case SSL_R_UNKNOWN_SSL_VERSION:
1552 case SSL_R_UNSUPPORTED_SSL_VERSION:
1553 case SSL_R_WRONG_SSL_VERSION:
1554 case SSL_R_WRONG_VERSION_NUMBER:
1555 case SSL_R_TLSV1_ALERT_PROTOCOL_VERSION:
1556 #ifdef SSL_R_VERSION_TOO_HIGH
1557 case SSL_R_VERSION_TOO_HIGH:
1558 case SSL_R_VERSION_TOO_LOW:
1559 #endif
1560 libpq_append_conn_error(conn, "This may indicate that the server does not support any SSL protocol version between %s and %s.",
1561 conn->ssl_min_protocol_version ?
1562 conn->ssl_min_protocol_version :
1563 MIN_OPENSSL_TLS_VERSION,
1564 conn->ssl_max_protocol_version ?
1565 conn->ssl_max_protocol_version :
1566 MAX_OPENSSL_TLS_VERSION);
1567 break;
1568 default:
1569 break;
1570 }
1571 pgtls_close(conn);
1572 return PGRES_POLLING_FAILED;
1573 }
1574
1575 default:
1576 libpq_append_conn_error(conn, "unrecognized SSL error code: %d", err);
1577 pgtls_close(conn);
1578 return PGRES_POLLING_FAILED;
1579 }
1580 }
1581
1582 /*
1583 * We already checked the server certificate in initialize_SSL() using
1584 * SSL_CTX_set_verify(), if root.crt exists.
1585 */
1586
1587 /* get server certificate */
1588 conn->peer = SSL_get_peer_certificate(conn->ssl);
1589 if (conn->peer == NULL)
1590 {
1591 char *err = SSLerrmessage(ERR_get_error());
1592
1593 libpq_append_conn_error(conn, "certificate could not be obtained: %s", err);
1594 SSLerrfree(err);
1595 pgtls_close(conn);
1596 return PGRES_POLLING_FAILED;
1597 }
1598
1599 if (!pq_verify_peer_name_matches_certificate(conn))
1600 {
1601 pgtls_close(conn);
1602 return PGRES_POLLING_FAILED;
1603 }
1604
1605 /* SSL handshake is complete */
1606 return PGRES_POLLING_OK;
1607 }
1608
1609 void
1610 pgtls_close(PGconn *conn)
1611 {
1612 bool destroy_needed = false;
1613
1614 if (conn->ssl_in_use)
1615 {
1616 if (conn->ssl)
1617 {
1618 /*
1619 * We can't destroy everything SSL-related here due to the
1620 * possible later calls to OpenSSL routines which may need our
1621 * thread callbacks, so set a flag here and check at the end.
1622 */
1623
1624 SSL_shutdown(conn->ssl);
1625 SSL_free(conn->ssl);
1626 conn->ssl = NULL;
1627 conn->ssl_in_use = false;
1628
1629 destroy_needed = true;
1630 }
1631
1632 if (conn->peer)
1633 {
1634 X509_free(conn->peer);
1635 conn->peer = NULL;
1636 }
1637
1638 #ifdef USE_SSL_ENGINE
1639 if (conn->engine)
1640 {
1641 ENGINE_finish(conn->engine);
1642 ENGINE_free(conn->engine);
1643 conn->engine = NULL;
1644 }
1645 #endif
1646 }
1647 else
1648 {
1649 /*
1650 * In the non-SSL case, just remove the crypto callbacks if the
1651 * connection has then loaded. This code path has no dependency on
1652 * any pending SSL calls.
1653 */
1654 if (conn->crypto_loaded)
1655 destroy_needed = true;
1656 }
1657
1658 /*
1659 * This will remove our crypto locking hooks if this is the last
1660 * connection using libcrypto which means we must wait to call it until
1661 * after all the potential SSL calls have been made, otherwise we can end
1662 * up with a race condition and possible deadlocks.
1663 *
1664 * See comments above destroy_ssl_system().
1665 */
1666 if (destroy_needed)
1667 {
1668 destroy_ssl_system();
1669 conn->crypto_loaded = false;
1670 }
1671 }
1672
1673
1674 /*
1675 * Obtain reason string for passed SSL errcode
1676 *
1677 * ERR_get_error() is used by caller to get errcode to pass here.
1678 *
1679 * Some caution is needed here since ERR_reason_error_string will
1680 * return NULL if it doesn't recognize the error code. We don't
1681 * want to return NULL ever.
1682 */
1683 static char ssl_nomem[] = "out of memory allocating error description";
1684
1685 #define SSL_ERR_LEN 128
1686
1687 static char *
1688 SSLerrmessage(unsigned long ecode)
1689 {
1690 const char *errreason;
1691 char *errbuf;
1692
1693 errbuf = malloc(SSL_ERR_LEN);
1694 if (!errbuf)
1695 return ssl_nomem;
1696 if (ecode == 0)
1697 {
1698 snprintf(errbuf, SSL_ERR_LEN, libpq_gettext("no SSL error reported"));
1699 return errbuf;
1700 }
1701 errreason = ERR_reason_error_string(ecode);
1702 if (errreason != NULL)
1703 {
1704 strlcpy(errbuf, errreason, SSL_ERR_LEN);
1705 return errbuf;
1706 }
1707 snprintf(errbuf, SSL_ERR_LEN, libpq_gettext("SSL error code %lu"), ecode);
1708 return errbuf;
1709 }
1710
1711 static void
1712 SSLerrfree(char *buf)
1713 {
1714 if (buf != ssl_nomem)
1715 free(buf);
1716 }
1717
1718 /* ------------------------------------------------------------ */
1719 /* SSL information functions */
1720 /* ------------------------------------------------------------ */
1721
1722 /*
1723 * Return pointer to OpenSSL object.
1724 */
1725 void *
1726 PQgetssl(PGconn *conn)
1727 {
1728 if (!conn)
1729 return NULL;
1730 return conn->ssl;
1731 }
1732
1733 void *
1734 PQsslStruct(PGconn *conn, const char *struct_name)
1735 {
1736 if (!conn)
1737 return NULL;
1738 if (strcmp(struct_name, "OpenSSL") == 0)
1739 return conn->ssl;
1740 return NULL;
1741 }
1742
1743 const char *const *
1744 PQsslAttributeNames(PGconn *conn)
1745 {
1746 static const char *const openssl_attrs[] = {
1747 "library",
1748 "key_bits",
1749 "cipher",
1750 "compression",
1751 "protocol",
1752 NULL
1753 };
1754 static const char *const empty_attrs[] = {NULL};
1755
1756 if (!conn)
1757 {
1758 /* Return attributes of default SSL library */
1759 return openssl_attrs;
1760 }
1761
1762 /* No attrs for unencrypted connection */
1763 if (conn->ssl == NULL)
1764 return empty_attrs;
1765
1766 return openssl_attrs;
1767 }
1768
1769 const char *
1770 PQsslAttribute(PGconn *conn, const char *attribute_name)
1771 {
1772 if (!conn)
1773 {
1774 /* PQsslAttribute(NULL, "library") reports the default SSL library */
1775 if (strcmp(attribute_name, "library") == 0)
1776 return "OpenSSL";
1777 return NULL;
1778 }
1779
1780 /* All attributes read as NULL for a non-encrypted connection */
1781 if (conn->ssl == NULL)
1782 return NULL;
1783
1784 if (strcmp(attribute_name, "library") == 0)
1785 return "OpenSSL";
1786
1787 if (strcmp(attribute_name, "key_bits") == 0)
1788 {
1789 static char sslbits_str[12];
1790 int sslbits;
1791
1792 SSL_get_cipher_bits(conn->ssl, &sslbits);
1793 snprintf(sslbits_str, sizeof(sslbits_str), "%d", sslbits);
1794 return sslbits_str;
1795 }
1796
1797 if (strcmp(attribute_name, "cipher") == 0)
1798 return SSL_get_cipher(conn->ssl);
1799
1800 if (strcmp(attribute_name, "compression") == 0)
1801 return SSL_get_current_compression(conn->ssl) ? "on" : "off";
1802
1803 if (strcmp(attribute_name, "protocol") == 0)
1804 return SSL_get_version(conn->ssl);
1805
1806 return NULL; /* unknown attribute */
1807 }
1808
1809 /*
1810 * Private substitute BIO: this does the sending and receiving using
1811 * pqsecure_raw_write() and pqsecure_raw_read() instead, to allow those
1812 * functions to disable SIGPIPE and give better error messages on I/O errors.
1813 *
1814 * These functions are closely modelled on the standard socket BIO in OpenSSL;
1815 * see sock_read() and sock_write() in OpenSSL's crypto/bio/bss_sock.c.
1816 * XXX OpenSSL 1.0.1e considers many more errcodes than just EINTR as reasons
1817 * to retry; do we need to adopt their logic for that?
1818 */
1819
1820 /* protected by ssl_config_mutex */
1821 static BIO_METHOD *my_bio_methods;
1822
1823 static int
1824 my_sock_read(BIO *h, char *buf, int size)
1825 {
1826 int res;
1827
1828 res = pqsecure_raw_read((PGconn *) BIO_get_app_data(h), buf, size);
1829 BIO_clear_retry_flags(h);
1830 if (res < 0)
1831 {
1832 /* If we were interrupted, tell caller to retry */
1833 switch (SOCK_ERRNO)
1834 {
1835 #ifdef EAGAIN
1836 case EAGAIN:
1837 #endif
1838 #if defined(EWOULDBLOCK) && (!defined(EAGAIN) || (EWOULDBLOCK != EAGAIN))
1839 case EWOULDBLOCK:
1840 #endif
1841 case EINTR:
1842 BIO_set_retry_read(h);
1843 break;
1844
1845 default:
1846 break;
1847 }
1848 }
1849
1850 return res;
1851 }
1852
1853 static int
1854 my_sock_write(BIO *h, const char *buf, int size)
1855 {
1856 int res;
1857
1858 res = pqsecure_raw_write((PGconn *) BIO_get_app_data(h), buf, size);
1859 BIO_clear_retry_flags(h);
1860 if (res < 0)
1861 {
1862 /* If we were interrupted, tell caller to retry */
1863 switch (SOCK_ERRNO)
1864 {
1865 #ifdef EAGAIN
1866 case EAGAIN:
1867 #endif
1868 #if defined(EWOULDBLOCK) && (!defined(EAGAIN) || (EWOULDBLOCK != EAGAIN))
1869 case EWOULDBLOCK:
1870 #endif
1871 case EINTR:
1872 BIO_set_retry_write(h);
1873 break;
1874
1875 default:
1876 break;
1877 }
1878 }
1879
1880 return res;
1881 }
1882
1883 static BIO_METHOD *
1884 my_BIO_s_socket(void)
1885 {
1886 BIO_METHOD *res;
1887
1888 #ifdef ENABLE_THREAD_SAFETY
1889 if (pthread_mutex_lock(&ssl_config_mutex))
1890 return NULL;
1891 #endif
1892
1893 res = my_bio_methods;
1894
1895 if (!my_bio_methods)
1896 {
1897 BIO_METHOD *biom = (BIO_METHOD *) BIO_s_socket();
1898 #ifdef HAVE_BIO_METH_NEW
1899 int my_bio_index;
1900
1901 my_bio_index = BIO_get_new_index();
1902 if (my_bio_index == -1)
1903 goto err;
1904 my_bio_index |= (BIO_TYPE_DESCRIPTOR | BIO_TYPE_SOURCE_SINK);
1905 res = BIO_meth_new(my_bio_index, "libpq socket");
1906 if (!res)
1907 goto err;
1908
1909 /*
1910 * As of this writing, these functions never fail. But check anyway,
1911 * like OpenSSL's own examples do.
1912 */
1913 if (!BIO_meth_set_write(res, my_sock_write) ||
1914 !BIO_meth_set_read(res, my_sock_read) ||
1915 !BIO_meth_set_gets(res, BIO_meth_get_gets(biom)) ||
1916 !BIO_meth_set_puts(res, BIO_meth_get_puts(biom)) ||
1917 !BIO_meth_set_ctrl(res, BIO_meth_get_ctrl(biom)) ||
1918 !BIO_meth_set_create(res, BIO_meth_get_create(biom)) ||
1919 !BIO_meth_set_destroy(res, BIO_meth_get_destroy(biom)) ||
1920 !BIO_meth_set_callback_ctrl(res, BIO_meth_get_callback_ctrl(biom)))
1921 {
1922 goto err;
1923 }
1924 #else
1925 res = malloc(sizeof(BIO_METHOD));
1926 if (!res)
1927 goto err;
1928 memcpy(res, biom, sizeof(BIO_METHOD));
1929 res->bread = my_sock_read;
1930 res->bwrite = my_sock_write;
1931 #endif
1932 }
1933
1934 my_bio_methods = res;
1935
1936 #ifdef ENABLE_THREAD_SAFETY
1937 pthread_mutex_unlock(&ssl_config_mutex);
1938 #endif
1939
1940 return res;
1941
1942 err:
1943 #ifdef HAVE_BIO_METH_NEW
1944 if (res)
1945 BIO_meth_free(res);
1946 #else
1947 if (res)
1948 free(res);
1949 #endif
1950
1951 #ifdef ENABLE_THREAD_SAFETY
1952 pthread_mutex_unlock(&ssl_config_mutex);
1953 #endif
1954 return NULL;
1955 }
1956
1957 /* This should exactly match OpenSSL's SSL_set_fd except for using my BIO */
1958 static int
1959 my_SSL_set_fd(PGconn *conn, int fd)
1960 {
1961 int ret = 0;
1962 BIO *bio;
1963 BIO_METHOD *bio_method;
1964
1965 bio_method = my_BIO_s_socket();
1966 if (bio_method == NULL)
1967 {
1968 SSLerr(SSL_F_SSL_SET_FD, ERR_R_BUF_LIB);
1969 goto err;
1970 }
1971 bio = BIO_new(bio_method);
1972 if (bio == NULL)
1973 {
1974 SSLerr(SSL_F_SSL_SET_FD, ERR_R_BUF_LIB);
1975 goto err;
1976 }
1977 BIO_set_app_data(bio, conn);
1978
1979 SSL_set_bio(conn->ssl, bio, bio);
1980 BIO_set_fd(bio, fd, BIO_NOCLOSE);
1981 ret = 1;
1982 err:
1983 return ret;
1984 }
1985
1986 /*
1987 * This is the default handler to return a client cert password from
1988 * conn->sslpassword. Apps may install it explicitly if they want to
1989 * prevent openssl from ever prompting on stdin.
1990 */
1991 int
1992 PQdefaultSSLKeyPassHook_OpenSSL(char *buf, int size, PGconn *conn)
1993 {
1994 if (conn && conn->sslpassword)
1995 {
1996 if (strlen(conn->sslpassword) + 1 > size)
1997 fprintf(stderr, libpq_gettext("WARNING: sslpassword truncated\n"));
1998 strncpy(buf, conn->sslpassword, size);
1999 buf[size - 1] = '\0';
2000 return strlen(buf);
2001 }
2002 else
2003 {
2004 buf[0] = '\0';
2005 return 0;
2006 }
2007 }
2008
2009 PQsslKeyPassHook_OpenSSL_type
2010 PQgetSSLKeyPassHook_OpenSSL(void)
2011 {
2012 return PQsslKeyPassHook;
2013 }
2014
2015 void
2016 PQsetSSLKeyPassHook_OpenSSL(PQsslKeyPassHook_OpenSSL_type hook)
2017 {
2018 PQsslKeyPassHook = hook;
2019 }
2020
2021 /*
2022 * Supply a password to decrypt a client certificate.
2023 *
2024 * This must match OpenSSL type pem_password_cb.
2025 */
2026 static int
2027 PQssl_passwd_cb(char *buf, int size, int rwflag, void *userdata)
2028 {
2029 PGconn *conn = userdata;
2030
2031 if (PQsslKeyPassHook)
2032 return PQsslKeyPassHook(buf, size, conn);
2033 else
2034 return PQdefaultSSLKeyPassHook_OpenSSL(buf, size, conn);
2035 }
2036
2037 /*
2038 * Convert TLS protocol version string to OpenSSL values
2039 *
2040 * If a version is passed that is not supported by the current OpenSSL version,
2041 * then we return -1. If a non-negative value is returned, subsequent code can
2042 * assume it is working with a supported version.
2043 *
2044 * Note: this is rather similar to the backend routine in be-secure-openssl.c,
2045 * so make sure to update both routines if changing this one.
2046 */
2047 static int
2048 ssl_protocol_version_to_openssl(const char *protocol)
2049 {
2050 if (pg_strcasecmp("TLSv1", protocol) == 0)
2051 return TLS1_VERSION;
2052
2053 #ifdef TLS1_1_VERSION
2054 if (pg_strcasecmp("TLSv1.1", protocol) == 0)
2055 return TLS1_1_VERSION;
2056 #endif
2057
2058 #ifdef TLS1_2_VERSION
2059 if (pg_strcasecmp("TLSv1.2", protocol) == 0)
2060 return TLS1_2_VERSION;
2061 #endif
2062
2063 #ifdef TLS1_3_VERSION
2064 if (pg_strcasecmp("TLSv1.3", protocol) == 0)
2065 return TLS1_3_VERSION;
2066 #endif
2067
2068 return -1;
2069 }
Postgresql Clone from git://git.postgresql.org/git/postgresql.git