/* * Close secure session. */ void pqsecure_close(PGconn * conn) { #ifdef USE_SSL if (conn->ssl) close_SSL(conn); #endif }
/* * Attempt to negotiate secure session. */ PostgresPollingStatusType pqsecure_open_client(PGconn *conn) { #ifdef USE_SSL /* First time through? */ if (conn->ssl == NULL) { if (!(conn->ssl = SSL_new(SSL_context)) || !SSL_set_app_data(conn->ssl, conn) || !SSL_set_fd(conn->ssl, conn->sock)) { char *err = SSLerrmessage(); printfPQExpBuffer(&conn->errorMessage, libpq_gettext("could not establish SSL connection: %s\n"), err); SSLerrfree(err); close_SSL(conn); return PGRES_POLLING_FAILED; } /* * Initialize errorMessage to empty. This allows open_client_SSL() to * detect whether client_cert_cb() has stored a message. */ resetPQExpBuffer(&conn->errorMessage); } /* Begin or continue the actual handshake */ return open_client_SSL(conn); #else /* shouldn't get here */ return PGRES_POLLING_FAILED; #endif }
/* * Close secure session. */ void secure_close(Port *port) { #ifdef USE_SSL if (port->ssl) close_SSL(port); #endif }
/* * Begin or continue negotiating a secure session. */ PostgresPollingStatusType pqsecure_open_client(PGconn *conn) { #ifdef USE_SSL /* First time through? */ if (conn->ssl == NULL) { /* We cannot use MSG_NOSIGNAL to block SIGPIPE when using SSL */ conn->sigpipe_flag = false; /* Create a connection-specific SSL object */ if (!(conn->ssl = SSL_new(SSL_context)) || !SSL_set_app_data(conn->ssl, conn) || !SSL_set_fd(conn->ssl, conn->sock)) { char *err = SSLerrmessage(); printfPQExpBuffer(&conn->errorMessage, libpq_gettext("could not establish SSL connection: %s\n"), err); SSLerrfree(err); close_SSL(conn); return PGRES_POLLING_FAILED; } /* * Load client certificate, private key, and trusted CA certs. */ if (initialize_SSL(conn) != 0) { /* initialize_SSL already put a message in conn->errorMessage */ close_SSL(conn); return PGRES_POLLING_FAILED; } } /* Begin or continue the actual handshake */ return open_client_SSL(conn); #else /* shouldn't get here */ return PGRES_POLLING_FAILED; #endif }
/* * Attempt to negotiate SSL connection. */ static int open_server_SSL(Port *port) { Assert(!port->ssl); Assert(!port->peer); if (!(port->ssl = SSL_new(SSL_context)) || !my_SSL_set_fd(port->ssl, port->sock) || SSL_accept(port->ssl) <= 0) { ereport(COMMERROR, (errcode(ERRCODE_PROTOCOL_VIOLATION), errmsg("could not initialize SSL connection: %s", SSLerrmessage()))); close_SSL(port); return -1; } port->count = 0; /* get client certificate, if available. */ port->peer = SSL_get_peer_certificate(port->ssl); if (port->peer == NULL) { strncpy(port->peer_dn, "(anonymous)", sizeof(port->peer_dn)); strncpy(port->peer_cn, "(anonymous)", sizeof(port->peer_cn)); } else { X509_NAME_oneline(X509_get_subject_name(port->peer), port->peer_dn, sizeof(port->peer_dn)); port->peer_dn[sizeof(port->peer_dn) - 1] = '\0'; X509_NAME_get_text_by_NID(X509_get_subject_name(port->peer), NID_commonName, port->peer_cn, sizeof(port->peer_cn)); port->peer_cn[sizeof(port->peer_cn) - 1] = '\0'; } ereport(DEBUG2, (errmsg("SSL connection from \"%s\"", port->peer_cn))); /* set up debugging/info callback */ SSL_CTX_set_info_callback(SSL_context, info_cb); return 0; }
int main(int argc, char** argv) { if(argc<4) { printf("Usage: ./wserver cert-file priv-key-file pub-key-file.\n"); exit(0); } else { CERTFILE = argv[1]; KEYFILE = argv[2]; PUBFILE = argv[3]; const char* PROMPT = "Enter password for Old Key file: "; if(argc == 5) { OLDKEY = argv[4]; PASSWORD = getpass(PROMPT); OLDPASS = (char*) calloc(1, strlen(PASSWORD)+1); strcpy(OLDPASS, PASSWORD); } PROMPT = "Enter password for Key file: "; PASSWORD = getpass(PROMPT); } int sock,s; BIO *sbio; SSL_CTX *ctx; SSL *ssl; int r; pid_t pid; char buf[BUFSIZZ]; char *owner = (char*) calloc(1,256); ctx=initialize_ctx(CERTFILE,KEYFILE,PASSWORD); load_dh_params(ctx,DHFILE); sock=tcp_listen(); if((s=accept(sock,0,0))<0) err_exit("Problem accepting"); sbio=BIO_new_socket(s,BIO_NOCLOSE); ssl=SSL_new(ctx); SSL_set_bio(ssl,sbio,sbio); SSL_set_verify(ssl,SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,0); if((r=SSL_accept(ssl)<=0)) berr_exit("SSL accept error"); if(check_cert(ssl, ctx, &owner)<=0) { send_data(ssl, "Revoked"); printf("Connection Closed.\n"); close_SSL(ssl, sock); destroy_ctx(ctx); exit(0); } send_data(ssl, "Approved"); printf("User connected: %s\n", owner); if((pid=fork())){ close(s); } else { if(argc == 5) {recrypt();} while(1){ memset((void*)buf, 0, BUFSIZZ); if(rec_data(buf, ssl)>0) { printf("Command received: %s\n", buf); if(starts_with(buf, "PUT")){ put_file(ssl, buf, owner); } else if(starts_with(buf, "GET")){ get_file(ssl, buf, owner); } else if(starts_with(buf, "DELEGATE")){ delegate(ssl, buf, owner); } else if(starts_with(buf, "END")){ close_SSL(ssl, sock); break; } else { printf("Command not recognized\n"); } } else{ perror("Error receiving command\n"); break; } } } destroy_ctx(ctx); exit(0); }
/* * Attempt to negotiate SSL connection. */ static int open_server_SSL(Port *port) { int r; int err; Assert(!port->ssl); Assert(!port->peer); if (!(port->ssl = SSL_new(SSL_context))) { ereport(COMMERROR, (errcode(ERRCODE_PROTOCOL_VIOLATION), errmsg("could not initialize SSL connection: %s", SSLerrmessage()))); close_SSL(port); return -1; } if (!my_SSL_set_fd(port->ssl, port->sock)) { ereport(COMMERROR, (errcode(ERRCODE_PROTOCOL_VIOLATION), errmsg("could not set SSL socket: %s", SSLerrmessage()))); close_SSL(port); return -1; } aloop: r = SSL_accept(port->ssl); if (r <= 0) { err = SSL_get_error(port->ssl, r); switch (err) { case SSL_ERROR_WANT_READ: case SSL_ERROR_WANT_WRITE: #ifdef WIN32 pgwin32_waitforsinglesocket(SSL_get_fd(port->ssl), (err == SSL_ERROR_WANT_READ) ? FD_READ | FD_CLOSE | FD_ACCEPT : FD_WRITE | FD_CLOSE, INFINITE); #endif goto aloop; case SSL_ERROR_SYSCALL: if (r < 0) ereport(COMMERROR, (errcode_for_socket_access(), errmsg("could not accept SSL connection: %m"))); else ereport(COMMERROR, (errcode(ERRCODE_PROTOCOL_VIOLATION), errmsg("could not accept SSL connection: EOF detected"))); break; case SSL_ERROR_SSL: ereport(COMMERROR, (errcode(ERRCODE_PROTOCOL_VIOLATION), errmsg("could not accept SSL connection: %s", SSLerrmessage()))); break; case SSL_ERROR_ZERO_RETURN: ereport(COMMERROR, (errcode(ERRCODE_PROTOCOL_VIOLATION), errmsg("could not accept SSL connection: EOF detected"))); break; default: ereport(COMMERROR, (errcode(ERRCODE_PROTOCOL_VIOLATION), errmsg("unrecognized SSL error code: %d", err))); break; } close_SSL(port); return -1; } port->count = 0; /* get client certificate, if available. */ port->peer = SSL_get_peer_certificate(port->ssl); if (port->peer == NULL) { strlcpy(port->peer_dn, "(anonymous)", sizeof(port->peer_dn)); strlcpy(port->peer_cn, "(anonymous)", sizeof(port->peer_cn)); } else { X509_NAME_oneline(X509_get_subject_name(port->peer), port->peer_dn, sizeof(port->peer_dn)); port->peer_dn[sizeof(port->peer_dn) - 1] = '\0'; r = X509_NAME_get_text_by_NID(X509_get_subject_name(port->peer), NID_commonName, port->peer_cn, sizeof(port->peer_cn)); port->peer_cn[sizeof(port->peer_cn) - 1] = '\0'; if (r == -1) { /* Unable to get the CN, set it to blank so it can't be used */ port->peer_cn[0] = '\0'; } else { /* * Reject embedded NULLs in certificate common name to prevent * attacks like CVE-2009-4034. */ if (r != strlen(port->peer_cn)) { ereport(COMMERROR, (errcode(ERRCODE_PROTOCOL_VIOLATION), errmsg("SSL certificate's common name contains embedded null"))); close_SSL(port); return -1; } } } ereport(DEBUG2, (errmsg("SSL connection from \"%s\"", port->peer_cn))); /* set up debugging/info callback */ SSL_CTX_set_info_callback(SSL_context, info_cb); return 0; }
/* * Attempt to negotiate SSL connection. */ static int open_server_SSL(Port *port) { int r; int err; Assert(!port->ssl); Assert(!port->peer); if (!(port->ssl = SSL_new(SSL_context))) { ereport(COMMERROR, (errcode(ERRCODE_PROTOCOL_VIOLATION), errmsg("could not initialize SSL connection: %s", SSLerrmessage()))); close_SSL(port); return -1; } if (!my_SSL_set_fd(port->ssl, port->sock)) { ereport(COMMERROR, (errcode(ERRCODE_PROTOCOL_VIOLATION), errmsg("could not set SSL socket: %s", SSLerrmessage()))); close_SSL(port); return -1; } aloop: r = SSL_accept(port->ssl); if (r <= 0) { err = SSL_get_error(port->ssl, r); switch (err) { case SSL_ERROR_WANT_READ: case SSL_ERROR_WANT_WRITE: #ifdef WIN32 pgwin32_waitforsinglesocket(SSL_get_fd(port->ssl), (err == SSL_ERROR_WANT_READ) ? FD_READ | FD_CLOSE | FD_ACCEPT : FD_WRITE | FD_CLOSE, INFINITE); #endif goto aloop; case SSL_ERROR_SYSCALL: if (r < 0) ereport(COMMERROR, (errcode_for_socket_access(), errmsg("could not accept SSL connection: %m"))); else ereport(COMMERROR, (errcode(ERRCODE_PROTOCOL_VIOLATION), errmsg("could not accept SSL connection: EOF detected"))); break; case SSL_ERROR_SSL: ereport(COMMERROR, (errcode(ERRCODE_PROTOCOL_VIOLATION), errmsg("could not accept SSL connection: %s", SSLerrmessage()))); break; case SSL_ERROR_ZERO_RETURN: ereport(COMMERROR, (errcode(ERRCODE_PROTOCOL_VIOLATION), errmsg("could not accept SSL connection: EOF detected"))); break; default: ereport(COMMERROR, (errcode(ERRCODE_PROTOCOL_VIOLATION), errmsg("unrecognized SSL error code: %d", err))); break; } close_SSL(port); return -1; } port->count = 0; /* Get client certificate, if available. */ port->peer = SSL_get_peer_certificate(port->ssl); /* and extract the Common Name from it. */ port->peer_cn = NULL; if (port->peer != NULL) { int len; len = X509_NAME_get_text_by_NID(X509_get_subject_name(port->peer), NID_commonName, NULL, 0); if (len != -1) { char *peer_cn; peer_cn = MemoryContextAlloc(TopMemoryContext, len + 1); r = X509_NAME_get_text_by_NID(X509_get_subject_name(port->peer), NID_commonName, peer_cn, len+1); peer_cn[len] = '\0'; if (r != len) { /* shouldn't happen */ pfree(peer_cn); close_SSL(port); return -1; } /* * Reject embedded NULLs in certificate common name to prevent * attacks like CVE-2009-4034. */ if (len != strlen(peer_cn)) { ereport(COMMERROR, (errcode(ERRCODE_PROTOCOL_VIOLATION), errmsg("SSL certificate's common name contains embedded null"))); pfree(peer_cn); close_SSL(port); return -1; } port->peer_cn = peer_cn; } } ereport(DEBUG2, (errmsg("SSL connection from \"%s\"", port->peer_cn ? port->peer_cn : "(anonymous)"))); /* set up debugging/info callback */ SSL_CTX_set_info_callback(SSL_context, info_cb); return 0; }
/* * Attempt to negotiate SSL connection. */ static PostgresPollingStatusType open_client_SSL(PGconn *conn) { int r; r = SSL_connect(conn->ssl); if (r <= 0) { int err = SSL_get_error(conn->ssl, r); switch (err) { case SSL_ERROR_WANT_READ: return PGRES_POLLING_READING; case SSL_ERROR_WANT_WRITE: return PGRES_POLLING_WRITING; case SSL_ERROR_SYSCALL: { char sebuf[256]; if (r == -1) printfPQExpBuffer(&conn->errorMessage, libpq_gettext("SSL SYSCALL error: %s\n"), SOCK_STRERROR(SOCK_ERRNO, sebuf, sizeof(sebuf))); else printfPQExpBuffer(&conn->errorMessage, libpq_gettext("SSL SYSCALL error: EOF detected\n")); close_SSL(conn); return PGRES_POLLING_FAILED; } case SSL_ERROR_SSL: { /* * If there are problems with the local certificate files, * these will be detected by client_cert_cb() which is * called from SSL_connect(). We want to return that * error message and not the rather unhelpful error that * OpenSSL itself returns. So check to see if an error * message was already stored. */ if (conn->errorMessage.len == 0) { char *err = SSLerrmessage(); printfPQExpBuffer(&conn->errorMessage, libpq_gettext("SSL error: %s\n"), err); SSLerrfree(err); } close_SSL(conn); return PGRES_POLLING_FAILED; } default: printfPQExpBuffer(&conn->errorMessage, libpq_gettext("unrecognized SSL error code: %d\n"), err); close_SSL(conn); return PGRES_POLLING_FAILED; } } /* check the certificate chain of the server */ #ifdef NOT_USED /* CLIENT CERTIFICATES NOT REQUIRED bjm 2002-09-26 */ /* * this eliminates simple man-in-the-middle attacks and simple * impersonations */ r = SSL_get_verify_result(conn->ssl); if (r != X509_V_OK) { printfPQExpBuffer(&conn->errorMessage, libpq_gettext("certificate could not be validated: %s\n"), X509_verify_cert_error_string(r)); close_SSL(conn); return PGRES_POLLING_FAILED; } #endif /* pull out server distinguished and common names */ conn->peer = SSL_get_peer_certificate(conn->ssl); if (conn->peer == NULL) { char *err = SSLerrmessage(); printfPQExpBuffer(&conn->errorMessage, libpq_gettext("certificate could not be obtained: %s\n"), err); SSLerrfree(err); close_SSL(conn); return PGRES_POLLING_FAILED; } X509_NAME_oneline(X509_get_subject_name(conn->peer), conn->peer_dn, sizeof(conn->peer_dn)); conn->peer_dn[sizeof(conn->peer_dn) - 1] = '\0'; X509_NAME_get_text_by_NID(X509_get_subject_name(conn->peer), NID_commonName, conn->peer_cn, SM_USER); conn->peer_cn[SM_USER] = '\0'; /* verify that the common name resolves to peer */ #ifdef NOT_USED /* CLIENT CERTIFICATES NOT REQUIRED bjm 2002-09-26 */ /* * this is necessary to eliminate man-in-the-middle attacks and * impersonations where the attacker somehow learned the server's private * key */ if (verify_peer(conn) == -1) { close_SSL(conn); return PGRES_POLLING_FAILED; } #endif /* SSL handshake is complete */ return PGRES_POLLING_OK; }