patch_support_tls1.3_curvelist.diff
application/octet-stream
Filename: patch_support_tls1.3_curvelist.diff
Type: application/octet-stream
Part: 0
Patch
Format: unified
| File | + | − |
|---|---|---|
| src/backend/libpq/be-secure.c | 1 | 0 |
| src/backend/libpq/be-secure-openssl.c | 27 | 16 |
| src/backend/utils/misc/guc_tables.c | 16 | 1 |
| src/include/libpq/libpq.h | 1 | 0 |
diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index 39b1a66236..cd21863897 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -289,7 +289,7 @@ be_tls_init(bool isServerStart)
goto error;
/* set up the allowed cipher list */
- if (SSL_CTX_set_cipher_list(context, SSLCipherSuites) != 1)
+ if (SSL_CTX_set_cipher_list(context, SSLCipherLists) != 1)
{
ereport(isServerStart ? FATAL : LOG,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
@@ -297,6 +297,15 @@ be_tls_init(bool isServerStart)
goto error;
}
+ /* set up the allowed cipher suites */
+ if (SSL_CTX_set_ciphersuites(context, SSLCipherSuites) != 1)
+ {
+ ereport(isServerStart ? FATAL : LOG,
+ (errcode(ERRCODE_CONFIG_FILE_ERROR),
+ errmsg("could not set the cipher suites (no valid ciphers available)")));
+ goto error;
+ }
+
/* Let server choose order */
if (SSLPreferServerCiphers)
SSL_CTX_set_options(context, SSL_OP_CIPHER_SERVER_PREFERENCE);
@@ -1397,35 +1406,37 @@ initialize_dh(SSL_CTX *context, bool isServerStart)
* Set ECDH parameters for generating ephemeral Elliptic Curve DH
* keys. This is much simpler than the DH parameters, as we just
* need to provide the name of the curve to OpenSSL.
+ * From Postgres 17 on, we support to provide a string list which
+ * is a colon separated list of curve names.
*/
static bool
initialize_ecdh(SSL_CTX *context, bool isServerStart)
{
#ifndef OPENSSL_NO_ECDH
- EC_KEY *ecdh;
- int nid;
+ char *curve_list = strdup(SSLECDHCurve);
+ char *saveptr;
+ char *token = strtok_r(curve_list, ":", &saveptr);
+ int nid;
- nid = OBJ_sn2nid(SSLECDHCurve);
- if (!nid)
+ while (token != NULL)
{
- ereport(isServerStart ? FATAL : LOG,
- (errcode(ERRCODE_CONFIG_FILE_ERROR),
- errmsg("ECDH: unrecognized curve name: %s", SSLECDHCurve)));
+ nid = OBJ_sn2nid(token);
+ if (!nid)
+ {ereport(isServerStart ? FATAL : LOG,
+ (errcode(ERRCODE_CONFIG_FILE_ERROR),
+ errmsg("ECDH: unrecognized curve name: %s", token)));
return false;
+ }
+ token = strtok_r(NULL, ":", &saveptr);
}
- ecdh = EC_KEY_new_by_curve_name(nid);
- if (!ecdh)
+ if(SSL_CTX_set1_curves_list(context, SSLECDHCurve) !=1)
{
ereport(isServerStart ? FATAL : LOG,
- (errcode(ERRCODE_CONFIG_FILE_ERROR),
- errmsg("ECDH: could not create key")));
+ (errcode(ERRCODE_CONFIG_FILE_ERROR),
+ errmsg("ECDH: failed to set curve names")));
return false;
}
-
- SSL_CTX_set_options(context, SSL_OP_SINGLE_ECDH_USE);
- SSL_CTX_set_tmp_ecdh(context, ecdh);
- EC_KEY_free(ecdh);
#endif
return true;
diff --git a/src/backend/libpq/be-secure.c b/src/backend/libpq/be-secure.c
index 1663f36b6b..aba0498d39 100644
--- a/src/backend/libpq/be-secure.c
+++ b/src/backend/libpq/be-secure.c
@@ -48,6 +48,7 @@ bool ssl_loaded_verify_locations = false;
/* GUC variable controlling SSL cipher list */
char *SSLCipherSuites = NULL;
+char *SSLCipherLists = NULL;
/* GUC variable for default ECHD curve. */
char *SSLECDHCurve;
diff --git a/src/backend/utils/misc/guc_tables.c b/src/backend/utils/misc/guc_tables.c
index 46c258be28..37c500042d 100644
--- a/src/backend/utils/misc/guc_tables.c
+++ b/src/backend/utils/misc/guc_tables.c
@@ -4579,7 +4579,7 @@ struct config_string ConfigureNamesString[] =
NULL,
GUC_SUPERUSER_ONLY
},
- &SSLCipherSuites,
+ &SSLCipherLists,
#ifdef USE_OPENSSL
"HIGH:MEDIUM:+3DES:!aNULL",
#else
@@ -4588,6 +4588,21 @@ struct config_string ConfigureNamesString[] =
NULL, NULL, NULL
},
+ {
+ {"ssl_cipher_suites", PGC_SIGHUP, CONN_AUTH_SSL,
+ gettext_noop("Sets the list of allowed SSL cipher suites."),
+ NULL,
+ GUC_SUPERUSER_ONLY
+ },
+ &SSLCipherSuites,
+#ifdef USE_OPENSSL
+ "TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256",
+#else
+ "none",
+#endif
+ NULL, NULL, NULL
+ },
+
{
{"ssl_ecdh_curve", PGC_SIGHUP, CONN_AUTH_SSL,
gettext_noop("Sets the curve to use for ECDH."),
diff --git a/src/include/libpq/libpq.h b/src/include/libpq/libpq.h
index 83e338f604..055fce4fe5 100644
--- a/src/include/libpq/libpq.h
+++ b/src/include/libpq/libpq.h
@@ -118,6 +118,7 @@ extern ssize_t secure_open_gssapi(Port *port);
/* GUCs */
extern PGDLLIMPORT char *SSLCipherSuites;
+extern PGDLLIMPORT char *SSLCipherLists;
extern PGDLLIMPORT char *SSLECDHCurve;
extern PGDLLIMPORT bool SSLPreferServerCiphers;
extern PGDLLIMPORT int ssl_min_protocol_version;