From 32185020927824c4b57af900100a37f92ae6a040 Mon Sep 17 00:00:00 2001 From: Greg Stark Date: Mon, 20 Mar 2023 14:09:30 -0400 Subject: [PATCH v3 4/4] alpn support --- src/backend/libpq/be-secure-openssl.c | 65 ++++++++++++++++++++++++ src/backend/libpq/be-secure.c | 3 ++ src/backend/postmaster/postmaster.c | 23 +++++++++ src/bin/psql/command.c | 7 ++- src/include/libpq/libpq-be.h | 1 + src/include/libpq/libpq.h | 1 + src/interfaces/libpq/fe-connect.c | 5 ++ src/interfaces/libpq/fe-secure-openssl.c | 25 +++++++++ src/interfaces/libpq/libpq-int.h | 1 + 9 files changed, 129 insertions(+), 2 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 685aa2ed69..034e1cf2ec 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -67,6 +67,12 @@ static int ssl_external_passwd_cb(char *buf, int size, int rwflag, void *userdat static int dummy_ssl_passwd_cb(char *buf, int size, int rwflag, void *userdata); static int verify_cb(int ok, X509_STORE_CTX *ctx); static void info_cb(const SSL *ssl, int type, int args); +static int alpn_cb(SSL *ssl, + const unsigned char **out, + unsigned char *outlen, + const unsigned char *in, + unsigned int inlen, + void *userdata); static bool initialize_dh(SSL_CTX *context, bool isServerStart); static bool initialize_ecdh(SSL_CTX *context, bool isServerStart); static const char *SSLerrmessage(unsigned long ecode); @@ -432,6 +438,11 @@ be_tls_open_server(Port *port) /* set up debugging/info callback */ SSL_CTX_set_info_callback(SSL_context, info_cb); + if (ssl_enable_alpn) { + elog(WARNING, "Enabling ALPN Callback"); + SSL_CTX_set_alpn_select_cb(SSL_context, alpn_cb, port); + } + if (!(port->ssl = SSL_new(SSL_context))) { ereport(COMMERROR, @@ -1250,6 +1261,60 @@ info_cb(const SSL *ssl, int type, int args) } } +static unsigned char alpn_protos[] = { + 12, 'P','o','s','t','g','r','e','s','/','3','.','0' +}; +static unsigned int alpn_protos_len = sizeof(alpn_protos); + +/* + * Server callback for ALPN negotiation. We use use the standard "helper" + * function even though currently we only accept one value. We store the + * negotiated protocol in Port->ssl_alpn_protocol and rely on higher level + * logic (in postmaster.c) to decide what to do with that info. + * + * XXX Not sure if it's kosher to use palloc and elog() inside OpenSSL + * callbacks. If we throw an error from here is there a risk of messing up + * OpenSSL data structures? It's possible it's ok becuase this is only called + * during connection negotiation which we don't try to recover from. + */ +static int alpn_cb(SSL *ssl, + const unsigned char **out, + unsigned char *outlen, + const unsigned char *in, + unsigned int inlen, + void *userdata) +{ + /* why does OpenSSL provide a helper function that requires a nonconst + * vector when the callback is declared to take a const vector? What are + * we to do with that?*/ + int retval; + Assert(userdata != NULL); + Assert(out != NULL); + Assert(outlen != NULL); + Assert(in != NULL); + + retval = SSL_select_next_proto((unsigned char **)out, outlen, + alpn_protos, alpn_protos_len, + in, inlen); + if (*out == NULL || *outlen > alpn_protos_len || outlen <= 0) + elog(ERROR, "SSL_select_next_proto returned nonsensical results"); + + if (retval == OPENSSL_NPN_NEGOTIATED) + { + struct Port *port = (struct Port *)userdata; + + port->ssl_alpn_protocol = palloc0(*outlen+1); + /* SSL uses unsigned chars but Postgres uses host signedness of chars */ + strncpy(port->ssl_alpn_protocol, (char*)*out, *outlen); + return SSL_TLSEXT_ERR_OK; + } else if (retval == OPENSSL_NPN_NO_OVERLAP) { + return SSL_TLSEXT_ERR_NOACK; + } else { + return SSL_TLSEXT_ERR_NOACK; + } +} + + /* * Set DH parameters for generating ephemeral DH keys. The * DH parameters can take a long time to compute, so they must be diff --git a/src/backend/libpq/be-secure.c b/src/backend/libpq/be-secure.c index 1020b3adb0..79a61900ba 100644 --- a/src/backend/libpq/be-secure.c +++ b/src/backend/libpq/be-secure.c @@ -61,6 +61,9 @@ bool SSLPreferServerCiphers; int ssl_min_protocol_version = PG_TLS1_2_VERSION; int ssl_max_protocol_version = PG_TLS_ANY; +/* GUC variable: if false ignore ALPN negotiation */ +bool ssl_enable_alpn = true; + /* ------------------------------------------------------------ */ /* Procedures common to all secure sessions */ /* ------------------------------------------------------------ */ diff --git a/src/backend/postmaster/postmaster.c b/src/backend/postmaster/postmaster.c index ec1d895a23..2640b69fed 100644 --- a/src/backend/postmaster/postmaster.c +++ b/src/backend/postmaster/postmaster.c @@ -1934,6 +1934,8 @@ ServerLoop(void) * any bytes from the stream if it's not a direct SSL connection. */ +static const char *expected_alpn_protocol = "Postgres/3.0"; + static int ProcessSSLStartup(Port *port) { @@ -1970,6 +1972,10 @@ ProcessSSLStartup(Port *port) char *buf = NULL; elog(LOG, "Detected direct SSL handshake"); + if (!ssl_enable_alpn) { + elog(WARNING, "Received direct SSL connection without ssl_enable_alpn enabled"); + } + /* push unencrypted buffered data back through SSL setup */ len = pq_buffer_has_data(); if (len > 0) @@ -2000,6 +2006,23 @@ ProcessSSLStartup(Port *port) return STATUS_ERROR; } pfree(port->raw_buf); + + if (port->ssl_alpn_protocol == NULL) + { + ereport(COMMERROR, + (errcode(ERRCODE_PROTOCOL_VIOLATION), + errmsg("Received direct SSL connection request without required ALPN protocol negotiation extension"))); + return STATUS_ERROR; + } + if (strcmp(port->ssl_alpn_protocol, expected_alpn_protocol) != 0) + { + ereport(COMMERROR, + (errcode(ERRCODE_PROTOCOL_VIOLATION), + errmsg("Received direct SSL connection request with unexpected ALPN protocol \"%s\" expected \"%s\"", + port->ssl_alpn_protocol, + expected_alpn_protocol))); + return STATUS_ERROR; + } #else ereport(COMMERROR, (errcode(ERRCODE_PROTOCOL_VIOLATION), diff --git a/src/bin/psql/command.c b/src/bin/psql/command.c index 61ec049f05..a219962ea1 100644 --- a/src/bin/psql/command.c +++ b/src/bin/psql/command.c @@ -3715,6 +3715,7 @@ printSSLInfo(void) const char *protocol; const char *cipher; const char *compression; + const char *alpn; if (!PQsslInUse(pset.db)) return; /* no SSL */ @@ -3722,11 +3723,13 @@ printSSLInfo(void) protocol = PQsslAttribute(pset.db, "protocol"); cipher = PQsslAttribute(pset.db, "cipher"); compression = PQsslAttribute(pset.db, "compression"); + alpn = PQsslAttribute(pset.db, "alpn"); - printf(_("SSL connection (protocol: %s, cipher: %s, compression: %s)\n"), + printf(_("SSL connection (protocol: %s, cipher: %s, compression: %s, ALPN: %s)\n"), protocol ? protocol : _("unknown"), cipher ? cipher : _("unknown"), - (compression && strcmp(compression, "off") != 0) ? _("on") : _("off")); + (compression && strcmp(compression, "off") != 0) ? _("on") : _("off"), + alpn ? alpn : _("none")); } /* diff --git a/src/include/libpq/libpq-be.h b/src/include/libpq/libpq-be.h index 824b28e824..2258241770 100644 --- a/src/include/libpq/libpq-be.h +++ b/src/include/libpq/libpq-be.h @@ -217,6 +217,7 @@ typedef struct Port char *peer_cn; char *peer_dn; bool peer_cert_valid; + char *ssl_alpn_protocol; /* * OpenSSL structures. (Keep these last so that the locations of other diff --git a/src/include/libpq/libpq.h b/src/include/libpq/libpq.h index 2b02f67257..e7adf4a989 100644 --- a/src/include/libpq/libpq.h +++ b/src/include/libpq/libpq.h @@ -123,6 +123,7 @@ extern PGDLLIMPORT char *SSLECDHCurve; extern PGDLLIMPORT bool SSLPreferServerCiphers; extern PGDLLIMPORT int ssl_min_protocol_version; extern PGDLLIMPORT int ssl_max_protocol_version; +extern PGDLLIMPORT bool ssl_enable_alpn; enum ssl_protocol_versions { diff --git a/src/interfaces/libpq/fe-connect.c b/src/interfaces/libpq/fe-connect.c index 80d3e9169b..d2aa0f3941 100644 --- a/src/interfaces/libpq/fe-connect.c +++ b/src/interfaces/libpq/fe-connect.c @@ -307,6 +307,10 @@ static const internalPQconninfoOption PQconninfoOptions[] = { "SSL-SNI", "", 1, offsetof(struct pg_conn, sslsni)}, + {"sslalpn", "PGSSLALPN", "1", NULL, + "SSL-ALPN", "", 1, + offsetof(struct pg_conn, sslalpn)}, + {"requirepeer", "PGREQUIREPEER", NULL, NULL, "Require-Peer", "", 10, offsetof(struct pg_conn, requirepeer)}, @@ -4322,6 +4326,7 @@ freePGconn(PGconn *conn) free(conn->sslcrldir); free(conn->sslcompression); free(conn->sslsni); + free(conn->sslalpn); free(conn->requirepeer); free(conn->require_auth); free(conn->ssl_min_protocol_version); diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index 6a4431ddfe..1b15542894 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -884,6 +884,13 @@ destroy_ssl_system(void) #endif } +/* XXX This should move somewhere I guess */ +static unsigned char alpn_protos[] = { + 12, 'P','o','s','t','g','r','e','s','/','3','.','0' +}; +static unsigned int alpn_protos_len = sizeof(alpn_protos); + + /* * Create per-connection SSL object, and load the client certificate, * private key, and trusted CA certs. @@ -1202,6 +1209,11 @@ initialize_SSL(PGconn *conn) } } + if (conn->sslalpn && conn->sslalpn[0] == '1') + { + SSL_set_alpn_protos(conn->ssl, alpn_protos, alpn_protos_len); + } + /* * Read the SSL key. If a key is specified, treat it as an engine:key * combination if there is colon present - we don't support files with @@ -1739,6 +1751,19 @@ PQsslAttribute(PGconn *conn, const char *attribute_name) if (strcmp(attribute_name, "protocol") == 0) return SSL_get_version(conn->ssl); + if (strcmp(attribute_name, "alpn") == 0) + { + const unsigned char *data; + unsigned int len; + static char alpn_str[256]; /* alpn doesn't support longer than 255 bytes */ + SSL_get0_alpn_selected(conn->ssl, &data, &len); + if (data == NULL || len==0 || len > sizeof(alpn_str)-1) + return NULL; + memcpy(alpn_str, data, len); + alpn_str[len] = 0; + return alpn_str; + } + return NULL; /* unknown attribute */ } diff --git a/src/interfaces/libpq/libpq-int.h b/src/interfaces/libpq/libpq-int.h index 8d8964d835..6cdb5d22b3 100644 --- a/src/interfaces/libpq/libpq-int.h +++ b/src/interfaces/libpq/libpq-int.h @@ -389,6 +389,7 @@ struct pg_conn char *sslcrl; /* certificate revocation list filename */ char *sslcrldir; /* certificate revocation list directory name */ char *sslsni; /* use SSL SNI extension (0 or 1) */ + char *sslalpn; /* use SSL ALPN extension (0 or 1) */ char *requirepeer; /* required peer credentials for local sockets */ char *gssencmode; /* GSS mode (require,prefer,disable) */ char *krbsrvname; /* Kerberos service name */ -- 2.39.2