NotificationsYou must be signed in to change notification settings
Fork28
Star153

Commit79dfa8a

committed

Add bound checks for ssl_min_protocol_version and ssl_max_protocol_version

Mixing incorrect bounds in the SSL context leads to confusing errormessages generated by OpenSSL which are hard to act on. New rangechecks are added when both min/max parameters are loaded in the contextof a SSL reload to improve the error reporting. Note that this does notmake use of the GUC hook machinery contrary to41aadee, as there is noway to ensure a consistent range check (except if there is a way one dayto define range types for GUC parameters?). Hence, this patch appliesonly to OpenSSL, and uses a logic similar to other parameters to triggeran error when reloading the SSL context in a session.Author: Michael PaquierReviewed-by: Daniel GustafssonDiscussion:https://postgr.es/m/20200114035420.GE1515@paquier.xyz

1 parentde93963 commit79dfa8aCopy full SHA for 79dfa8a

File tree

2 files changed

+62

-21

lines changed

src
- backend/libpq
  - be-secure-openssl.c
- test/ssl/t
  - 001_ssltests.pl

2 files changed

+62

-21

lines changed

`‎src/backend/libpq/be-secure-openssl.c‎`

Lines changed: 45 additions & 20 deletions

Original file line number	Diff line number	Diff line change
`@@ -68,8 +68,7 @@ static bool SSL_initialized = false;`
`68`	`68`	`staticbooldummy_ssl_passwd_cb_called= false;`
`69`	`69`	`staticboolssl_is_server_start;`
`70`	`70`
`71`		`-staticintssl_protocol_version_to_openssl(intv,constchar*guc_name,`
`72`		`-intloglevel);`
	`71`	`+staticintssl_protocol_version_to_openssl(intv);`
`73`	`72`
`74`	`73`	`/* ------------------------------------------------------------ */`
`75`	`74`	`/* Public interface*/`
`@@ -80,6 +79,8 @@ be_tls_init(bool isServerStart)`
`80`	`79`	`{`
`81`	`80`	`STACK_OF(X509_NAME)*root_cert_list=NULL;`
`82`	`81`	`SSL_CTX*context;`
	`82`	`+intssl_ver_min=-1;`
	`83`	`+intssl_ver_max=-1;`
`83`	`84`
`84`	`85`	`/* This stuff need be done only once. */`
`85`	`86`	`if (!SSL_initialized)`
`@@ -188,13 +189,19 @@ be_tls_init(bool isServerStart)`
`188`	`189`
`189`	`190`	`if (ssl_min_protocol_version)`
`190`	`191`	`{`
`191`		`-intssl_ver=ssl_protocol_version_to_openssl(ssl_min_protocol_version,`
`192`		`-"ssl_min_protocol_version",`
`193`		`-isServerStart ?FATAL :LOG);`
	`192`	`+ssl_ver_min=ssl_protocol_version_to_openssl(ssl_min_protocol_version);`
`194`	`193`
`195`		`-if (ssl_ver==-1)`
	`194`	`+if (ssl_ver_min==-1)`
	`195`	`+{`
	`196`	`+ereport(isServerStart ?FATAL :LOG,`
	`197`	`+(errmsg("\"%s\" setting \"%s\" not supported by this build",`
	`198`	`+"ssl_min_protocol_version",`
	`199`	`+GetConfigOption("ssl_min_protocol_version",`
	`200`	`+false, false))));`
`196`	`201`	`gotoerror;`
`197`		`-if (!SSL_CTX_set_min_proto_version(context,ssl_ver))`
	`202`	`+}`
	`203`	`+`
	`204`	`+if (!SSL_CTX_set_min_proto_version(context,ssl_ver_min))`
`198`	`205`	`{`
`199`	`206`	`ereport(isServerStart ?FATAL :LOG,`
`200`	`207`	`(errmsg("could not set minimum SSL protocol version")));`
`@@ -204,20 +211,43 @@ be_tls_init(bool isServerStart)`
`204`	`211`
`205`	`212`	`if (ssl_max_protocol_version)`
`206`	`213`	`{`
`207`		`-intssl_ver=ssl_protocol_version_to_openssl(ssl_max_protocol_version,`
`208`		`-"ssl_max_protocol_version",`
`209`		`-isServerStart ?FATAL :LOG);`
	`214`	`+ssl_ver_max=ssl_protocol_version_to_openssl(ssl_max_protocol_version);`
`210`	`215`
`211`		`-if (ssl_ver==-1)`
	`216`	`+if (ssl_ver_max==-1)`
	`217`	`+{`
	`218`	`+ereport(isServerStart ?FATAL :LOG,`
	`219`	`+(errmsg("\"%s\" setting \"%s\" not supported by this build",`
	`220`	`+"ssl_max_protocol_version",`
	`221`	`+GetConfigOption("ssl_max_protocol_version",`
	`222`	`+false, false))));`
`212`	`223`	`gotoerror;`
`213`		`-if (!SSL_CTX_set_max_proto_version(context,ssl_ver))`
	`224`	`+}`
	`225`	`+`
	`226`	`+if (!SSL_CTX_set_max_proto_version(context,ssl_ver_max))`
`214`	`227`	`{`
`215`	`228`	`ereport(isServerStart ?FATAL :LOG,`
`216`	`229`	`(errmsg("could not set maximum SSL protocol version")));`
`217`	`230`	`gotoerror;`
`218`	`231`	`}`
`219`	`232`	`}`
`220`	`233`
	`234`	`+/* Check compatibility of min/max protocols */`
	`235`	`+if (ssl_min_protocol_version&&`
	`236`	`+ssl_max_protocol_version)`
	`237`	`+{`
	`238`	`+/*`
	`239`	`+ * No need to check for invalid values (-1) for each protocol number`
	`240`	`+ * as the code above would have already generated an error.`
	`241`	`+ */`
	`242`	`+if (ssl_ver_min>ssl_ver_max)`
	`243`	`+ereport(isServerStart ?FATAL :LOG,`
	`244`	`+(errmsg("could not set SSL protocol version range"),`
	`245`	`+errdetail("\"%s\" cannot be higher than \"%s\"",`
	`246`	`+"ssl_min_protocol_version",`
	`247`	`+"ssl_max_protocol_version")));`
	`248`	`+gotoerror;`
	`249`	`+}`
	`250`	`+`
`221`	`251`	`/* disallow SSL session tickets */`
`222`	`252`	`SSL_CTX_set_options(context,SSL_OP_NO_TICKET);`
`223`	`253`
`@@ -1271,15 +1301,14 @@ X509_NAME_to_cstring(X509_NAME *name)`
`1271`	`1301`	`* guc.c independent of OpenSSL availability and version.`
`1272`	`1302`	`*`
`1273`	`1303`	`* If a version is passed that is not supported by the current OpenSSL`
`1274`		`- * version, then we log with the given loglevel and return (if we return) -1.`
`1275`		`- * If a nonnegative value is returned, subsequent code can assume it's working`
`1276`		`- * with a supported version.`
	`1304`	`+ * version, then we return -1. If a nonnegative value is returned,`
	`1305`	`+ * subsequent code can assume it's working with a supported version.`
`1277`	`1306`	`*`
`1278`	`1307`	`* Note: this is rather similar to libpq's routine in fe-secure-openssl.c,`
`1279`	`1308`	`* so make sure to update both routines if changing this one.`
`1280`	`1309`	`*/`
`1281`	`1310`	`staticint`
`1282`		`-ssl_protocol_version_to_openssl(intv,constchar*guc_name,intloglevel)`
	`1311`	`+ssl_protocol_version_to_openssl(intv)`
`1283`	`1312`	`{`
`1284`	`1313`	`switch (v)`
`1285`	`1314`	`{`
`@@ -1307,9 +1336,5 @@ ssl_protocol_version_to_openssl(int v, const char *guc_name, int loglevel)`
`1307`	`1336`	`#endif`
`1308`	`1337`	`}`
`1309`	`1338`
`1310`		`-ereport(loglevel,`
`1311`		`-(errmsg("%s setting %s not supported by this build",`
`1312`		`-guc_name,`
`1313`		`-GetConfigOption(guc_name, false, false))));`
`1314`	`1339`	`return-1;`
`1315`	`1340`	`}`

`‎src/test/ssl/t/001_ssltests.pl‎`

Lines changed: 17 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -13,7 +13,7 @@`
`13`	`13`
`14`	`14`	`if ($ENV{with_openssl}eq'yes')`
`15`	`15`	`{`
`16`		`-plantests=>91;`
	`16`	`+plantests=>93;`
`17`	`17`	`}`
`18`	`18`	`else`
`19`	`19`	`{`
`@@ -97,6 +97,22 @@`
`97`	`97`	`'restart succeeds with password-protected key file');`
`98`	`98`	`$node->_update_pid(1);`
`99`	`99`
	`100`	`+# Test compatibility of SSL protocols.`
	`101`	`+# TLSv1.1 is lower than TLSv1.2, so it won't work.`
	`102`	`+$node->append_conf('postgresql.conf',`
	`103`	`+qq{ssl_min_protocol_version='TLSv1.2'`
	`104`	`+ssl_max_protocol_version='TLSv1.1'});`
	`105`	`+command_fails(`
	`106`	`+['pg_ctl','-D',$node->data_dir,'-l',$node->logfile,'restart' ],`
	`107`	`+'restart fails with incorrect SSL protocol bounds');`
	`108`	`+# Go back to the defaults, this works.`
	`109`	`+$node->append_conf('postgresql.conf',`
	`110`	`+qq{ssl_min_protocol_version='TLSv1.2'`
	`111`	`+ssl_max_protocol_version=''});`
	`112`	`+command_ok(`
	`113`	`+['pg_ctl','-D',$node->data_dir,'-l',$node->logfile,'restart' ],`
	`114`	`+'restart succeeds with correct SSL protocol bounds');`
	`115`	`+`
`100`	`116`	`### Run client-side tests.`
`101`	`117`	`###`
`102`	`118`	`### Test that libpq accepts/rejects the connection correctly, depending`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit79dfa8a

File tree

2 files changed

2 files changed

`‎src/backend/libpq/be-secure-openssl.c‎`

`‎src/test/ssl/t/001_ssltests.pl‎`

0 commit comments