blob: 089cbd33cca63facadd4c7dcbc0df55a92b3bc66 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
|
/*-------------------------------------------------------------------------
*
* protocol_openssl.c
* OpenSSL functionality shared between frontend and backend
*
* This should only be used if code is compiled with OpenSSL support.
*
* Portions Copyright (c) 1996-2023, PostgreSQL Global Development Group
* Portions Copyright (c) 1994, Regents of the University of California
*
* IDENTIFICATION
* src/common/protocol_openssl.c
*
*-------------------------------------------------------------------------
*/
#ifndef FRONTEND
#include "postgres.h"
#else
#include "postgres_fe.h"
#endif
#include "common/openssl.h"
/*
* Replacements for APIs introduced in OpenSSL 1.1.0.
*/
#ifndef SSL_CTX_set_min_proto_version
/*
* OpenSSL versions that support TLS 1.3 shouldn't get here because they
* already have these functions. So we don't have to keep updating the below
* code for every new TLS version, and eventually it can go away. But let's
* just check this to make sure ...
*/
#ifdef TLS1_3_VERSION
#error OpenSSL version mismatch
#endif
int
SSL_CTX_set_min_proto_version(SSL_CTX *ctx, int version)
{
int ssl_options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
if (version > TLS1_VERSION)
ssl_options |= SSL_OP_NO_TLSv1;
/*
* Some OpenSSL versions define TLS*_VERSION macros but not the
* corresponding SSL_OP_NO_* macro, so in those cases we have to return
* unsuccessfully here.
*/
#ifdef TLS1_1_VERSION
if (version > TLS1_1_VERSION)
{
#ifdef SSL_OP_NO_TLSv1_1
ssl_options |= SSL_OP_NO_TLSv1_1;
#else
return 0;
#endif
}
#endif
#ifdef TLS1_2_VERSION
if (version > TLS1_2_VERSION)
{
#ifdef SSL_OP_NO_TLSv1_2
ssl_options |= SSL_OP_NO_TLSv1_2;
#else
return 0;
#endif
}
#endif
SSL_CTX_set_options(ctx, ssl_options);
return 1; /* success */
}
int
SSL_CTX_set_max_proto_version(SSL_CTX *ctx, int version)
{
int ssl_options = 0;
Assert(version != 0);
/*
* Some OpenSSL versions define TLS*_VERSION macros but not the
* corresponding SSL_OP_NO_* macro, so in those cases we have to return
* unsuccessfully here.
*/
#ifdef TLS1_1_VERSION
if (version < TLS1_1_VERSION)
{
#ifdef SSL_OP_NO_TLSv1_1
ssl_options |= SSL_OP_NO_TLSv1_1;
#else
return 0;
#endif
}
#endif
#ifdef TLS1_2_VERSION
if (version < TLS1_2_VERSION)
{
#ifdef SSL_OP_NO_TLSv1_2
ssl_options |= SSL_OP_NO_TLSv1_2;
#else
return 0;
#endif
}
#endif
SSL_CTX_set_options(ctx, ssl_options);
return 1; /* success */
}
#endif /* !SSL_CTX_set_min_proto_version */
|
