1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
|
/*-------------------------------------------------------------------------
*
* fe-secure-common.c
*
* common implementation-independent SSL support code
*
* While fe-secure.c contains the interfaces that the rest of libpq call, this
* file contains support routines that are used by the library-specific
* implementations such as fe-secure-openssl.c.
*
* Portions Copyright (c) 1996-2021, PostgreSQL Global Development Group
* Portions Copyright (c) 1994, Regents of the University of California
*
* IDENTIFICATION
* src/interfaces/libpq/fe-secure-common.c
*
*-------------------------------------------------------------------------
*/
#include "postgres_fe.h"
#include "fe-secure-common.h"
#include "libpq-int.h"
#include "pqexpbuffer.h"
/*
* Check if a wildcard certificate matches the server hostname.
*
* The rule for this is:
* 1. We only match the '*' character as wildcard
* 2. We match only wildcards at the start of the string
* 3. The '*' character does *not* match '.', meaning that we match only
* a single pathname component.
* 4. We don't support more than one '*' in a single pattern.
*
* This is roughly in line with RFC2818, but contrary to what most browsers
* appear to be implementing (point 3 being the difference)
*
* Matching is always case-insensitive, since DNS is case insensitive.
*/
static bool
wildcard_certificate_match(const char *pattern, const char *string)
{
int lenpat = strlen(pattern);
int lenstr = strlen(string);
/* If we don't start with a wildcard, it's not a match (rule 1 & 2) */
if (lenpat < 3 ||
pattern[0] != '*' ||
pattern[1] != '.')
return false;
/* If pattern is longer than the string, we can never match */
if (lenpat > lenstr)
return false;
/*
* If string does not end in pattern (minus the wildcard), we don't match
*/
if (pg_strcasecmp(pattern + 1, string + lenstr - lenpat + 1) != 0)
return false;
/*
* If there is a dot left of where the pattern started to match, we don't
* match (rule 3)
*/
if (strchr(string, '.') < string + lenstr - lenpat)
return false;
/* String ended with pattern, and didn't have a dot before, so we match */
return true;
}
/*
* Check if a name from a server's certificate matches the peer's hostname.
*
* Returns 1 if the name matches, and 0 if it does not. On error, returns
* -1, and sets the libpq error message.
*
* The name extracted from the certificate is returned in *store_name. The
* caller is responsible for freeing it.
*/
int
pq_verify_peer_name_matches_certificate_name(PGconn *conn,
const char *namedata, size_t namelen,
char **store_name)
{
char *name;
int result;
char *host = conn->connhost[conn->whichhost].host;
*store_name = NULL;
if (!(host && host[0] != '\0'))
{
appendPQExpBufferStr(&conn->errorMessage,
libpq_gettext("host name must be specified\n"));
return -1;
}
/*
* There is no guarantee the string returned from the certificate is
* NULL-terminated, so make a copy that is.
*/
name = malloc(namelen + 1);
if (name == NULL)
{
appendPQExpBufferStr(&conn->errorMessage,
libpq_gettext("out of memory\n"));
return -1;
}
memcpy(name, namedata, namelen);
name[namelen] = '\0';
/*
* Reject embedded NULLs in certificate common or alternative name to
* prevent attacks like CVE-2009-4034.
*/
if (namelen != strlen(name))
{
free(name);
appendPQExpBufferStr(&conn->errorMessage,
libpq_gettext("SSL certificate's name contains embedded null\n"));
return -1;
}
if (pg_strcasecmp(name, host) == 0)
{
/* Exact name match */
result = 1;
}
else if (wildcard_certificate_match(name, host))
{
/* Matched wildcard name */
result = 1;
}
else
{
result = 0;
}
*store_name = name;
return result;
}
/*
* Verify that the server certificate matches the hostname we connected to.
*
* The certificate's Common Name and Subject Alternative Names are considered.
*/
bool
pq_verify_peer_name_matches_certificate(PGconn *conn)
{
char *host = conn->connhost[conn->whichhost].host;
int rc;
int names_examined = 0;
char *first_name = NULL;
/*
* If told not to verify the peer name, don't do it. Return true
* indicating that the verification was successful.
*/
if (strcmp(conn->sslmode, "verify-full") != 0)
return true;
/* Check that we have a hostname to compare with. */
if (!(host && host[0] != '\0'))
{
appendPQExpBufferStr(&conn->errorMessage,
libpq_gettext("host name must be specified for a verified SSL connection\n"));
return false;
}
rc = pgtls_verify_peer_name_matches_certificate_guts(conn, &names_examined, &first_name);
if (rc == 0)
{
/*
* No match. Include the name from the server certificate in the error
* message, to aid debugging broken configurations. If there are
* multiple names, only print the first one to avoid an overly long
* error message.
*/
if (names_examined > 1)
{
appendPQExpBuffer(&conn->errorMessage,
libpq_ngettext("server certificate for \"%s\" (and %d other name) does not match host name \"%s\"\n",
"server certificate for \"%s\" (and %d other names) does not match host name \"%s\"\n",
names_examined - 1),
first_name, names_examined - 1, host);
}
else if (names_examined == 1)
{
appendPQExpBuffer(&conn->errorMessage,
libpq_gettext("server certificate for \"%s\" does not match host name \"%s\"\n"),
first_name, host);
}
else
{
appendPQExpBufferStr(&conn->errorMessage,
libpq_gettext("could not get server's host name from server certificate\n"));
}
}
/* clean up */
if (first_name)
free(first_name);
return (rc == 1);
}
|
