
Commit f7cd589

committed
Move OpenSSL routines for min/max protocol setting to src/common/
Two routines have been added in OpenSSL 1.1.0 to set the protocol bounds allowed within a given SSL context: - SSL_CTX_set_min_proto_version - SSL_CTX_set_max_proto_version As Postgres supports OpenSSL down to 1.0.1 (as of HEAD), equivalent replacements exist in the tree, which are only available for the backend. A follow-up patch is planned to add control of the SSL protocol bounds for libpq, so move those routines to src/common/ so that libpq can use them. Author: Daniel Gustafsson Discussion: https://postgr.es/m/4F246AE3-A7AE-471E-BD3D-C799D3748E03@yesql.se
1 parent 5afaa2e commit f7cd589


5 files changed

+150
-99
lines changed


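--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -36,6 +36,7 @@
 #include <openssl/ec.h>
 #endif
 
+#include "common/openssl.h"
 #include "libpq/libpq.h"
 #include "miscadmin.h"
 #include "pgstat.h"
@@ -69,11 +70,6 @@ static bool ssl_is_server_start;
 
 static int ssl_protocol_version_to_openssl(int v, const char *guc_name,
 int loglevel);
-#ifndef SSL_CTX_set_min_proto_version
-static int SSL_CTX_set_min_proto_version(SSL_CTX *ctx, int version);
-static int SSL_CTX_set_max_proto_version(SSL_CTX *ctx, int version);
-#endif
-
 
 /* ------------------------------------------------------------ */
 /* Public interface */
@@ -1314,96 +1310,3 @@ ssl_protocol_version_to_openssl(int v, const char *guc_name, int loglevel)
 GetConfigOption(guc_name, false, false))));
 return -1;
 }
-
-/*
-* Replacements for APIs present in newer versions of OpenSSL
-*/
-#ifndef SSL_CTX_set_min_proto_version
-
-/*
-* OpenSSL versions that support TLS 1.3 shouldn't get here because they
-* already have these functions. So we don't have to keep updating the below
-* code for every new TLS version, and eventually it can go away. But let's
-* just check this to make sure ...
-*/
-#ifdef TLS1_3_VERSION
-#error OpenSSL version mismatch
-#endif
-
-static int
-SSL_CTX_set_min_proto_version(SSL_CTX *ctx, int version)
-{
-int ssl_options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
-
-if (version > TLS1_VERSION)
-ssl_options |= SSL_OP_NO_TLSv1;
-/*
-* Some OpenSSL versions define TLS*_VERSION macros but not the
-* corresponding SSL_OP_NO_* macro, so in those cases we have to return
-* unsuccessfully here.
-*/
-#ifdef TLS1_1_VERSION
-if (version > TLS1_1_VERSION)
-{
-#ifdef SSL_OP_NO_TLSv1_1
-ssl_options |= SSL_OP_NO_TLSv1_1;
-#else
-return 0;
-#endif
-}
-#endif
-#ifdef TLS1_2_VERSION
-if (version > TLS1_2_VERSION)
-{
-#ifdef SSL_OP_NO_TLSv1_2
-ssl_options |= SSL_OP_NO_TLSv1_2;
-#else
-return 0;
-#endif
-}
-#endif
-
-SSL_CTX_set_options(ctx, ssl_options);
-
-return 1; /* success */
-}
-
-static int
-SSL_CTX_set_max_proto_version(SSL_CTX *ctx, int version)
-{
-int ssl_options = 0;
-
-AssertArg(version != 0);
-
-/*
-* Some OpenSSL versions define TLS*_VERSION macros but not the
-* corresponding SSL_OP_NO_* macro, so in those cases we have to return
-* unsuccessfully here.
-*/
-#ifdef TLS1_1_VERSION
-if (version < TLS1_1_VERSION)
-{
-#ifdef SSL_OP_NO_TLSv1_1
-ssl_options |= SSL_OP_NO_TLSv1_1;
-#else
-return 0;
-#endif
-}
-#endif
-#ifdef TLS1_2_VERSION
-if (version < TLS1_2_VERSION)
-{
-#ifdef SSL_OP_NO_TLSv1_2
-ssl_options |= SSL_OP_NO_TLSv1_2;
-#else
-return 0;
-#endif
-}
-#endif
-
-SSL_CTX_set_options(ctx, ssl_options);
-
-return 1; /* success */
-}
-
-#endif /* !SSL_CTX_set_min_proto_version */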

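--- a/src/common/Makefile
+++ b/src/common/Makefile
@@ -75,7 +75,9 @@ OBJS_COMMON = \
 wchar.o
 
 ifeq ($(with_openssl),yes)
-OBJS_COMMON += sha2_openssl.o
+OBJS_COMMON += \
+protocol_openssl.o \
+sha2_openssl.o
 else
 OBJS_COMMON += sha2.o
 endif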

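--- /dev/null
+++ b/src/common/protocol_openssl.c
@@ -0,0 +1,117 @@
+/*-------------------------------------------------------------------------
+*
+* protocol_openssl.c
+* OpenSSL functionality shared between frontend and backend
+*
+* This should only be used if code is compiled with OpenSSL support.
+*
+* Portions Copyright (c) 1996-2020, PostgreSQL Global Development Group
+* Portions Copyright (c) 1994, Regents of the University of California
+*
+* IDENTIFICATION
+* src/common/protocol_openssl.c
+*
+*-------------------------------------------------------------------------
+*/
+
+#ifndef FRONTEND
+#include "postgres.h"
+#else
+#include "postgres_fe.h"
+#endif
+
+#include "common/openssl.h"
+
+/*
+* Replacements for APIs introduced in OpenSSL 1.1.0.
+*/
+#ifndef SSL_CTX_set_min_proto_version
+
+/*
+* OpenSSL versions that support TLS 1.3 shouldn't get here because they
+* already have these functions. So we don't have to keep updating the below
+* code for every new TLS version, and eventually it can go away. But let's
+* just check this to make sure ...
+*/
+#ifdef TLS1_3_VERSION
+#error OpenSSL version mismatch
+#endif
+
+int
+SSL_CTX_set_min_proto_version(SSL_CTX *ctx, int version)
+{
+int ssl_options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
+
+if (version > TLS1_VERSION)
+ssl_options |= SSL_OP_NO_TLSv1;
+
+/*
+* Some OpenSSL versions define TLS*_VERSION macros but not the
+* corresponding SSL_OP_NO_* macro, so in those cases we have to return
+* unsuccessfully here.
+*/
+#ifdef TLS1_1_VERSION
+if (version > TLS1_1_VERSION)
+{
+#ifdef SSL_OP_NO_TLSv1_1
+ssl_options |= SSL_OP_NO_TLSv1_1;
+#else
+return 0;
+#endif
+}
+#endif
+#ifdef TLS1_2_VERSION
+if (version > TLS1_2_VERSION)
+{
+#ifdef SSL_OP_NO_TLSv1_2
+ssl_options |= SSL_OP_NO_TLSv1_2;
+#else
+return 0;
+#endif
+}
+#endif
+
+SSL_CTX_set_options(ctx, ssl_options);
+
+return 1; /* success */
+}
+
+int
+SSL_CTX_set_max_proto_version(SSL_CTX *ctx, int version)
+{
+int ssl_options = 0;
+
+AssertArg(version != 0);
+
+/*
+* Some OpenSSL versions define TLS*_VERSION macros but not the
+* corresponding SSL_OP_NO_* macro, so in those cases we have to return
+* unsuccessfully here.
+*/
+#ifdef TLS1_1_VERSION
+if (version < TLS1_1_VERSION)
+{
+#ifdef SSL_OP_NO_TLSv1_1
+ssl_options |= SSL_OP_NO_TLSv1_1;
+#else
+return 0;
+#endif
+}
+#endif
+#ifdef TLS1_2_VERSION
+if (version < TLS1_2_VERSION)
+{
+#ifdef SSL_OP_NO_TLSv1_2
+ssl_options |= SSL_OP_NO_TLSv1_2;
+#else
+return 0;
+#endif
+}
+#endif
+
+SSL_CTX_set_options(ctx, ssl_options);
+
+return 1; /* success */
+}
+
+#endif /* !SSL_CTX_set_min_proto_version */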
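Review bot: SSL_CTX_set_max_proto_version (new-file lines 79-115) diverges from the OpenSSL 1.1.0 API it stands in for when version is 0: OpenSSL defines 0 as "no upper bound", but here the only guard is `AssertArg(version != 0);`, and in a build without assertions a 0 falls through both `if (version < TLS1_1_VERSION)` and `if (version < TLS1_2_VERSION)` and, where the SSL_OP_NO_* macros exist, disables TLS 1.1 and 1.2 rather than leaving the maximum open. Now that this is a shared libpgcommon entry point that the planned libpq caller will reach, either treat 0 the way OpenSSL does, `if (version == 0) return 1; /* 0 = no upper bound, as in OpenSSL 1.1.0 */` ahead of the checks, or state the restriction next to the extern declarations in src/include/common/openssl.h so callers cannot assume the documented OpenSSL contract. Independently of that, a short comment above both replacements saying that they only ever OR SSL_OP_NO_* bits into the context (so a bound can be tightened but never widened by a later call, unlike the real functions) would help callers that set min and max in either order.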

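--- /dev/null
+++ b/src/include/common/openssl.h
@@ -0,0 +1,28 @@
+/*-------------------------------------------------------------------------
+*
+* openssl.h
+* OpenSSL supporting functionality shared between frontend and backend
+*
+* Portions Copyright (c) 1996-2020, PostgreSQL Global Development Group
+* Portions Copyright (c) 1994, Regents of the University of California
+*
+* IDENTIFICATION
+* src/include/common/openssl.h
+*
+*-------------------------------------------------------------------------
+*/
+#ifndef COMMON_OPENSSL_H
+#define COMMON_OPENSSL_H
+
+#ifdef USE_OPENSSL
+#include <openssl/ssl.h>
+
+/* src/common/protocol_openssl.c */
+#ifndef SSL_CTX_set_min_proto_version
+extern int SSL_CTX_set_min_proto_version(SSL_CTX *ctx, int version);
+extern int SSL_CTX_set_max_proto_version(SSL_CTX *ctx, int version);
+#endif
+
+#endif
+
+#endif /* COMMON_OPENSSL_H */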

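--- a/src/tools/msvc/Mkvcbuild.pm
+++ b/src/tools/msvc/Mkvcbuild.pm
@@ -130,6 +130,7 @@ sub mkvcbuild
 if ($solution->{options}->{openssl})
 {
 push(@pgcommonallfiles, 'sha2_openssl.c');
+push(@pgcommonallfiles, 'protocol_openssl.c');
 }
 else
 {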
