Commitf7cd589

committed
Move OpenSSL routines for min/max protocol setting to src/common/
Two routines have been added in OpenSSL 1.1.0 to set the protocol bounds
allowed within a given SSL context:
- SSL_CTX_set_min_proto_version
- SSL_CTX_set_max_proto_version
As Postgres supports OpenSSL down to 1.0.1 (as of HEAD), equivalent
replacements exist in the tree, which are only available for the
backend. A follow-up patch is planned to add control of the SSL
protocol bounds for libpq, so move those routines to src/common/ so that
libpq can use them.

Author: Daniel Gustafsson
Discussion: https://postgr.es/m/4F246AE3-A7AE-471E-BD3D-C799D3748E03@yesql.se
1 parent5afaa2e commitf7cd589


5 files changed

+150
-99
lines changed


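--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -36,6 +36,7 @@
 #include <openssl/ec.h>
 #endif
 
+#include "common/openssl.h"
 #include "libpq/libpq.h"
 #include "miscadmin.h"
 #include "pgstat.h"
@@ -69,11 +70,6 @@ static bool ssl_is_server_start;
 
 static int	ssl_protocol_version_to_openssl(int v, const char *guc_name,
 											int loglevel);
-#ifndef SSL_CTX_set_min_proto_version
-static int	SSL_CTX_set_min_proto_version(SSL_CTX *ctx, int version);
-static int	SSL_CTX_set_max_proto_version(SSL_CTX *ctx, int version);
-#endif
-
 
 /* ------------------------------------------------------------ */
 /*						 Public interface						*/
@@ -1314,96 +1310,3 @@ ssl_protocol_version_to_openssl(int v, const char *guc_name, int loglevel)
 						GetConfigOption(guc_name, false, false))));
 	return -1;
 }
-
-/*
- * Replacements for APIs present in newer versions of OpenSSL
- */
-#ifndef SSL_CTX_set_min_proto_version
-
-/*
- * OpenSSL versions that support TLS 1.3 shouldn't get here because they
- * already have these functions. So we don't have to keep updating the below
- * code for every new TLS version, and eventually it can go away. But let's
- * just check this to make sure ...
- */
-#ifdef TLS1_3_VERSION
-#error OpenSSL version mismatch
-#endif
-
-static int
-SSL_CTX_set_min_proto_version(SSL_CTX *ctx, int version)
-{
-	int			ssl_options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
-
-	if (version > TLS1_VERSION)
-		ssl_options |= SSL_OP_NO_TLSv1;
-	/*
-	 * Some OpenSSL versions define TLS*_VERSION macros but not the
-	 * corresponding SSL_OP_NO_* macro, so in those cases we have to return
-	 * unsuccessfully here.
-	 */
-#ifdef TLS1_1_VERSION
-	if (version > TLS1_1_VERSION)
-	{
-#ifdef SSL_OP_NO_TLSv1_1
-		ssl_options |= SSL_OP_NO_TLSv1_1;
-#else
-		return 0;
-#endif
-	}
-#endif
-#ifdef TLS1_2_VERSION
-	if (version > TLS1_2_VERSION)
-	{
-#ifdef SSL_OP_NO_TLSv1_2
-		ssl_options |= SSL_OP_NO_TLSv1_2;
-#else
-		return 0;
-#endif
-	}
-#endif
-
-	SSL_CTX_set_options(ctx, ssl_options);
-
-	return 1;					/* success */
-}
-
-static int
-SSL_CTX_set_max_proto_version(SSL_CTX *ctx, int version)
-{
-	int			ssl_options = 0;
-
-	AssertArg(version != 0);
-
-	/*
-	 * Some OpenSSL versions define TLS*_VERSION macros but not the
-	 * corresponding SSL_OP_NO_* macro, so in those cases we have to return
-	 * unsuccessfully here.
-	 */
-#ifdef TLS1_1_VERSION
-	if (version < TLS1_1_VERSION)
-	{
-#ifdef SSL_OP_NO_TLSv1_1
-		ssl_options |= SSL_OP_NO_TLSv1_1;
-#else
-		return 0;
-#endif
-	}
-#endif
-#ifdef TLS1_2_VERSION
-	if (version < TLS1_2_VERSION)
-	{
-#ifdef SSL_OP_NO_TLSv1_2
-		ssl_options |= SSL_OP_NO_TLSv1_2;
-#else
-		return 0;
-#endif
-	}
-#endif
-
-	SSL_CTX_set_options(ctx, ssl_options);
-
-	return 1;					/* success */
-}
-
-#endif							/* !SSL_CTX_set_min_proto_version */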

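--- a/src/common/Makefile
+++ b/src/common/Makefile
@@ -75,7 +75,9 @@ OBJS_COMMON = \
 	wchar.o
 
 ifeq ($(with_openssl),yes)
-OBJS_COMMON += sha2_openssl.o
+OBJS_COMMON += \
+	protocol_openssl.o \
+	sha2_openssl.o
 else
 OBJS_COMMON += sha2.o
 endif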

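--- /dev/null
+++ b/src/common/protocol_openssl.c
@@ -0,0 +1,117 @@
+/*-------------------------------------------------------------------------
+ *
+ * protocol_openssl.c
+ *	  OpenSSL functionality shared between frontend and backend
+ *
+ * This should only be used if code is compiled with OpenSSL support.
+ *
+ * Portions Copyright (c) 1996-2020, PostgreSQL Global Development Group
+ * Portions Copyright (c) 1994, Regents of the University of California
+ *
+ * IDENTIFICATION
+ *	  src/common/protocol_openssl.c
+ *
+ *-------------------------------------------------------------------------
+ */
+
+#ifndef FRONTEND
+#include "postgres.h"
+#else
+#include "postgres_fe.h"
+#endif
+
+#include "common/openssl.h"
+
+/*
+ * Replacements for APIs introduced in OpenSSL 1.1.0.
+ */
+#ifndef SSL_CTX_set_min_proto_version
+
+/*
+ * OpenSSL versions that support TLS 1.3 shouldn't get here because they
+ * already have these functions. So we don't have to keep updating the below
+ * code for every new TLS version, and eventually it can go away. But let's
+ * just check this to make sure ...
+ */
+#ifdef TLS1_3_VERSION
+#error OpenSSL version mismatch
+#endif
+
+int
+SSL_CTX_set_min_proto_version(SSL_CTX *ctx, int version)
+{
+	int			ssl_options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
+
+	if (version > TLS1_VERSION)
+		ssl_options |= SSL_OP_NO_TLSv1;
+
+	/*
+	 * Some OpenSSL versions define TLS*_VERSION macros but not the
+	 * corresponding SSL_OP_NO_* macro, so in those cases we have to return
+	 * unsuccessfully here.
+	 */
+#ifdef TLS1_1_VERSION
+	if (version > TLS1_1_VERSION)
+	{
+#ifdef SSL_OP_NO_TLSv1_1
+		ssl_options |= SSL_OP_NO_TLSv1_1;
+#else
+		return 0;
+#endif
+	}
+#endif
+#ifdef TLS1_2_VERSION
+	if (version > TLS1_2_VERSION)
+	{
+#ifdef SSL_OP_NO_TLSv1_2
+		ssl_options |= SSL_OP_NO_TLSv1_2;
+#else
+		return 0;
+#endif
+	}
+#endif
+
+	SSL_CTX_set_options(ctx, ssl_options);
+
+	return 1;					/* success */
+}
+
+int
+SSL_CTX_set_max_proto_version(SSL_CTX *ctx, int version)
+{
+	int			ssl_options = 0;
+
+	AssertArg(version != 0);
+
+	/*
+	 * Some OpenSSL versions define TLS*_VERSION macros but not the
+	 * corresponding SSL_OP_NO_* macro, so in those cases we have to return
+	 * unsuccessfully here.
+	 */
+#ifdef TLS1_1_VERSION
+	if (version < TLS1_1_VERSION)
+	{
+#ifdef SSL_OP_NO_TLSv1_1
+		ssl_options |= SSL_OP_NO_TLSv1_1;
+#else
+		return 0;
+#endif
+	}
+#endif
+#ifdef TLS1_2_VERSION
+	if (version < TLS1_2_VERSION)
+	{
+#ifdef SSL_OP_NO_TLSv1_2
+		ssl_options |= SSL_OP_NO_TLSv1_2;
+#else
+		return 0;
+#endif
+	}
+#endif
+
+	SSL_CTX_set_options(ctx, ssl_options);
+
+	return 1;					/* success */
+}
+
+#endif							/* !SSL_CTX_set_min_proto_version */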
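Review bot: SSL_CTX_set_max_proto_version (new file lines 79-115) rejects version == 0 only through AssertArg, so in a build without assertion checking a caller that passes 0 — the value the OpenSSL 1.1.0 originals treat as "no upper bound" — satisfies both `version < TLS1_1_VERSION` and `version < TLS1_2_VERSION` and silently sets SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2, leaving only TLS 1.0 negotiable. Since the commit message says libpq will soon drive these routines from user-supplied settings, an explicit guard next to the assertion is safer: `if (version == 0) return 1;	/* 0 = no maximum, as in OpenSSL proper */`. It is also worth a short comment above both definitions that, unlike the OpenSSL originals, these replacements only ever add SSL_OP_NO_* bits via SSL_CTX_set_options(), which is OR-only, so a later call with a wider bound cannot re-enable a protocol an earlier call disabled; the min/max pair must therefore be applied once per context, in that order. Finally, the header comment at lines 25-27 could name the 1/0 return contract, since callers presumably branch on it the same way they do for the real API — confirm against the backend call sites.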

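--- /dev/null
+++ b/src/include/common/openssl.h
@@ -0,0 +1,28 @@
+/*-------------------------------------------------------------------------
+ *
+ * openssl.h
+ *	  OpenSSL supporting functionality shared between frontend and backend
+ *
+ * Portions Copyright (c) 1996-2020, PostgreSQL Global Development Group
+ * Portions Copyright (c) 1994, Regents of the University of California
+ *
+ * IDENTIFICATION
+ *		src/include/common/openssl.h
+ *
+ *-------------------------------------------------------------------------
+ */
+#ifndef COMMON_OPENSSL_H
+#define COMMON_OPENSSL_H
+
+#ifdef USE_OPENSSL
+#include <openssl/ssl.h>
+
+/* src/common/protocol_openssl.c */
+#ifndef SSL_CTX_set_min_proto_version
+extern int	SSL_CTX_set_min_proto_version(SSL_CTX *ctx, int version);
+extern int	SSL_CTX_set_max_proto_version(SSL_CTX *ctx, int version);
+#endif
+
+#endif
+
+#endif							/* COMMON_OPENSSL_H */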
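Review bot: The comment at new line 20, `/* src/common/protocol_openssl.c */`, tells a reader where the symbols live but not why they are declared conditionally or what they return, which matters now that frontend code will call them through this header. I would expand it to something like `/* Fallbacks for OpenSSL < 1.1.0, which lacks these two routines (see src/common/protocol_openssl.c). Return 1 on success, 0 if this OpenSSL build has no SSL_OP_NO_* bit for the requested version. */`. The `#ifndef SSL_CTX_set_min_proto_version` test at line 21 is correct only because `<openssl/ssl.h>` is pulled in on line 18 first; a one-line comment noting that ordering dependency would stop a future reorganisation from breaking it.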

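--- a/src/tools/msvc/Mkvcbuild.pm
+++ b/src/tools/msvc/Mkvcbuild.pm
@@ -130,6 +130,7 @@ sub mkvcbuild
 	if ($solution->{options}->{openssl})
 	{
 		push(@pgcommonallfiles, 'sha2_openssl.c');
+		push(@pgcommonallfiles, 'protocol_openssl.c');
 	}
 	else
 	{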
