| blob | 5bb9d9779d82803c6394b72e2d7e71a8ea9139a2 |
1 /*-------------------------------------------------------------------------
2 *
3 * fe-secure-openssl.c
4 * OpenSSL support
5 *
6 *
7 * Portions Copyright (c) 1996-2025, PostgreSQL Global Development Group
8 * Portions Copyright (c) 1994, Regents of the University of California
9 *
10 *
11 * IDENTIFICATION
12 * src/interfaces/libpq/fe-secure-openssl.c
13 *
14 * NOTES
15 *
16 * We don't provide informational callbacks here (like
17 * info_cb() in be-secure-openssl.c), since there's no good mechanism to
18 * display such information to the user.
19 *
20 *-------------------------------------------------------------------------
21 */
25 #include <signal.h>
26 #include <fcntl.h>
27 #include <ctype.h>
34 #ifdef WIN32
36 #else
37 #include <sys/socket.h>
38 #include <unistd.h>
39 #include <netdb.h>
40 #include <netinet/in.h>
41 #include <netinet/tcp.h>
42 #include <arpa/inet.h>
43 #endif
45 #include <sys/stat.h>
47 #ifdef WIN32
49 #else
50 #include <pthread.h>
51 #endif
53 /*
54 * These SSL-related #includes must come after all system-provided headers.
55 * This ensures that OpenSSL can take care of conflicts with Windows'
56 * <wincrypt.h> by #undef'ing the conflicting macros. (We don't directly
57 * include <wincrypt.h>, but some other Windows headers do.)
58 */
60 #include <openssl/conf.h>
61 #ifdef USE_SSL_ENGINE
62 #include <openssl/engine.h>
63 #endif
64 #include <openssl/x509v3.h>
90 /* ------------------------------------------------------------ */
91 /* Procedures common to all secure sessions */
92 /* ------------------------------------------------------------ */
94 PostgresPollingStatusType
96 {
97 /* First time through? */
99 {
100 /*
101 * Create a connection-specific SSL object, and load client
102 * certificate, private key, and trusted CA certs.
103 */
105 {
106 /* initialize_SSL already put a message in conn->errorMessage */
109 }
110 }
112 /* Begin or continue the actual handshake */
114 }
116 ssize_t
118 {
119 ssize_t n;
125 rloop:
127 /*
128 * Prepare to call SSL_get_error() by clearing thread's OpenSSL error
129 * queue. In general, the current thread's error queue must be empty
130 * before the TLS/SSL I/O operation is attempted, or SSL_get_error() will
131 * not work reliably. Since the possibility exists that other OpenSSL
132 * clients running in the same thread but not under our control will fail
133 * to call ERR_get_error() themselves (after their own I/O operations),
134 * pro-actively clear the per-thread error queue now.
135 */
141 /*
142 * Other clients of OpenSSL may fail to call ERR_get_error(), but we
143 * always do, so as to not cause problems for OpenSSL clients that don't
144 * call ERR_clear_error() defensively. Be sure that this happens by
145 * calling now. SSL_get_error() relies on the OpenSSL per-thread error
146 * queue being intact, so this is the earliest possible point
147 * ERR_get_error() may be called.
148 */
151 {
154 {
155 /* Not supposed to happen, so we don't translate the msg */
158 /* assume the connection is broken */
160 }
167 /*
168 * Returning 0 here would cause caller to wait for read-ready,
169 * which is not correct since what SSL wants is wait for
170 * write-ready. The former could get us stuck in an infinite
171 * wait, so don't risk it; busy-loop instead.
172 */
176 {
183 else
187 }
188 else
189 {
191 /* assume the connection is broken */
194 }
197 {
202 /* assume the connection is broken */
206 }
209 /*
210 * Per OpenSSL documentation, this error code is only returned for
211 * a clean connection closure, so we should not report it as a
212 * server crash.
213 */
220 /* assume the connection is broken */
224 }
226 /* ensure we return the intended errno to caller */
230 }
232 bool
234 {
236 }
238 ssize_t
240 {
241 ssize_t n;
253 {
256 {
257 /* Not supposed to happen, so we don't translate the msg */
260 /* assume the connection is broken */
262 }
266 /*
267 * Returning 0 here causes caller to wait for write-ready, which
268 * is not really the right thing, but it's the best we can do.
269 */
277 /*
278 * If errno is still zero then assume it's a read EOF situation,
279 * and report EOF. (This seems possible because SSL_write can
280 * also do reads.)
281 */
283 {
289 else
293 }
294 else
295 {
297 /* assume the connection is broken */
300 }
303 {
308 /* assume the connection is broken */
312 }
315 /*
316 * Per OpenSSL documentation, this error code is only returned for
317 * a clean connection closure, so we should not report it as a
318 * server crash.
319 */
326 /* assume the connection is broken */
330 }
332 /* ensure we return the intended errno to caller */
336 }
340 {
355 /*
356 * Get the signature algorithm of the certificate to determine the hash
357 * algorithm to use for the result. Prefer X509_get_signature_info(),
358 * introduced in OpenSSL 1.1.1, which can handle RSA-PSS signatures.
359 */
360 #if HAVE_X509_GET_SIGNATURE_INFO
362 #else
365 #endif
366 {
369 }
371 /*
372 * The TLS server's certificate bytes need to be hashed with SHA-256 if
373 * its signature algorithm is MD5 or SHA-1 as per RFC 5929
374 * (https://tools.ietf.org/html/rfc5929#section-4.1). If something else
375 * is used, the same hash as the signature algorithm is used.
376 */
378 {
386 {
390 }
392 }
395 {
398 }
400 /* save result */
403 {
406 }
411 }
413 /* ------------------------------------------------------------ */
414 /* OpenSSL specific code */
415 /* ------------------------------------------------------------ */
417 /*
418 * Certificate verification callback
419 *
420 * This callback allows us to log intermediate problems during
421 * verification, but there doesn't seem to be a clean way to get
422 * our PGconn * structure. So we can't log anything!
423 *
424 * This callback also allows us to override the default acceptance
425 * criteria (e.g., accepting self-signed or expired certs), but
426 * for now we accept the default checks.
427 */
428 static int
430 {
432 }
434 #ifdef HAVE_SSL_CTX_SET_CERT_CB
435 /*
436 * Certificate selection callback
437 *
438 * This callback lets us choose the client certificate we send to the server
439 * after seeing its CertificateRequest. We only support sending a single
440 * hard-coded certificate via sslcert, so we don't actually set any certificates
441 * here; we just use it to record whether or not the server has actually asked
442 * for one and whether we have one to send.
443 */
444 static int
446 {
451 /* Do we have a certificate loaded to send back? */
455 /*
456 * Tell OpenSSL that the callback succeeded; we're not required to
457 * actually make any changes to the SSL handle.
458 */
460 }
461 #endif
463 /*
464 * OpenSSL-specific wrapper around
465 * pq_verify_peer_name_matches_certificate_name(), converting the ASN1_STRING
466 * into a plain C string.
467 */
468 static int
471 {
475 /* Should not happen... */
477 {
480 }
482 /*
483 * GEN_DNS can be only IA5String, equivalent to US ASCII.
484 */
488 /* OK to cast from unsigned to plain char, since it's all ASCII. */
489 return pq_verify_peer_name_matches_certificate_name(conn, (const char *) namedata, len, store_name);
490 }
492 /*
493 * OpenSSL-specific wrapper around
494 * pq_verify_peer_name_matches_certificate_ip(), converting the
495 * ASN1_OCTET_STRING into a plain C string.
496 */
497 static int
501 {
505 /* Should not happen... */
507 {
510 }
512 /*
513 * GEN_IPADD is an OCTET STRING containing an IP address in network byte
514 * order.
515 */
520 }
522 static bool
524 {
526 #ifdef HAVE_INET_PTON
528 #endif
531 #ifdef HAVE_INET_PTON
533 #endif
534 ;
535 }
537 /*
538 * Verify that the server certificate matches the hostname we connected to.
539 *
540 * The certificate's Common Name and Subject Alternative Names are considered.
541 */
542 int
546 {
556 /*
557 * We try to match the NSS behavior here, which is a slight departure from
558 * the spec but seems to make more intuitive sense:
559 *
560 * If connhost contains a DNS name, and the certificate's SANs contain any
561 * dNSName entries, then we'll ignore the Subject Common Name entirely;
562 * otherwise, we fall back to checking the CN. (This behavior matches the
563 * RFC.)
564 *
565 * If connhost contains an IP address, and the SANs contain iPAddress
566 * entries, we again ignore the CN. Otherwise, we allow the CN to match,
567 * EVEN IF there is a dNSName in the SANs. (RFC 6125 prohibits this: "A
568 * client MUST NOT seek a match for a reference identifier of CN-ID if the
569 * presented identifiers include a DNS-ID, SRV-ID, URI-ID, or any
570 * application-specific identifier types supported by the client.")
571 *
572 * NOTE: Prior versions of libpq did not consider iPAddress entries at
573 * all, so this new behavior might break a certificate that has different
574 * IP addresses in the Subject CN and the SANs.
575 */
578 else
581 /*
582 * First, get the Subject Alternative Names (SANs) from the certificate,
583 * and compare them against the originally given hostname.
584 */
589 {
593 {
598 {
599 /*
600 * This SAN is of the same type (IP or DNS) as our host name,
601 * so don't allow a fallback check of the CN.
602 */
604 }
607 {
612 }
614 {
619 }
622 {
625 else
627 }
630 {
631 /*
632 * Either we hit an error or a match, and either way we should
633 * not fall back to the CN.
634 */
637 }
638 }
640 }
642 /*
643 * If there is no subjectAltName extension of the matching type, check the
644 * Common Name.
645 *
646 * (Per RFC 2818 and RFC 6125, if the subjectAltName extension of type
647 * dNSName is present, the CN must be ignored. We break this rule if host
648 * is an IP address; see the comment above.)
649 */
651 {
656 {
662 {
671 {
674 else
676 }
677 }
678 }
679 }
682 }
684 /* See pqcomm.h comments on OpenSSL implementation of ALPN (RFC 7301) */
687 /*
688 * Create per-connection SSL object, and load the client certificate,
689 * private key, and trusted CA certs.
690 *
691 * Returns 0 if OK, -1 on failure (with a message in conn->errorMessage).
692 */
693 static int
695 {
705 /*
706 * We'll need the home directory if any of the relevant parameters are
707 * defaulted. If pqGetHomeDirectory fails, act as though none of the
708 * files could be found.
709 */
719 /*
720 * Create a new SSL_CTX object.
721 *
722 * We used to share a single SSL_CTX between all connections, but it was
723 * complicated if connections used different certificates. So now we
724 * create a separate context for each connection, and accept the overhead.
725 */
728 {
734 }
736 /*
737 * Delegate the client cert password prompt to the libpq wrapper callback
738 * if any is defined.
739 *
740 * If the application hasn't installed its own and the sslpassword
741 * parameter is non-null, we install ours now to make sure we supply
742 * PGconn->sslpassword to OpenSSL instead of letting it prompt on stdin.
743 *
744 * This will replace OpenSSL's default PEM_def_callback (which prompts on
745 * stdin), but we're only setting it for this SSL context so it's
746 * harmless.
747 */
750 {
753 }
755 #ifdef HAVE_SSL_CTX_SET_CERT_CB
756 /* Set up a certificate selection callback. */
758 #endif
760 /* Disable old protocol versions */
763 /* Set the minimum and maximum protocol versions if necessary */
766 {
772 {
777 }
780 {
787 }
788 }
792 {
798 {
803 }
806 {
813 }
814 }
816 /*
817 * Disable OpenSSL's moving-write-buffer sanity check, because it causes
818 * unnecessary failures in nonblocking send cases.
819 */
822 /*
823 * If the root cert file exists, load it so we can perform certificate
824 * verification. If sslmode is "verify-full" we will also do further
825 * verification after the connection has been completed.
826 */
831 else
835 {
836 /*
837 * The "system" sentinel value indicates that we should load whatever
838 * root certificates are installed for use by OpenSSL; these locations
839 * differ by platform. Note that the default system locations may be
840 * further overridden by the SSL_CERT_DIR and SSL_CERT_FILE
841 * environment variables.
842 */
844 {
848 err);
852 }
854 }
857 {
861 {
869 }
872 {
881 /* defaults to use the default CRL file */
883 {
886 }
888 /* Set the flags to check against the complete CRL chain */
891 {
894 }
896 /* if not found, silently ignore; we do not require CRL */
898 }
900 }
901 else
902 {
903 /*
904 * stat() failed; assume root file doesn't exist. If sslmode is
905 * verify-ca or verify-full, this is an error. Otherwise, continue
906 * without performing any server cert verification.
907 */
909 {
910 /*
911 * The only way to reach here with an empty filename is if
912 * pqGetHomeDirectory failed. That's a sufficiently unusual case
913 * that it seems worth having a specialized error message for it.
914 */
917 "Either provide the file, use the system's trusted roots with sslrootcert=system, or change sslmode to disable server certificate verification.");
918 else
920 "Either provide the file, use the system's trusted roots with sslrootcert=system, or change sslmode to disable server certificate verification.", fnbuf);
923 }
925 }
927 /* Read the client certificate file */
932 else
936 {
937 /* don't send a client cert even if we have one */
939 }
941 {
942 /* no home directory, proceed without a client cert */
944 }
946 {
947 /*
948 * If file is not present, just go on without a client cert; server
949 * might or might not accept the connection. Any other error,
950 * however, is grounds for complaint.
951 */
953 {
958 }
960 }
961 else
962 {
963 /*
964 * Cert file exists, so load it. Since OpenSSL doesn't provide the
965 * equivalent of "SSL_use_certificate_chain_file", we have to load it
966 * into the SSL context, rather than the SSL object.
967 */
969 {
977 }
979 /* need to load the associated private key, too */
981 }
983 /*
984 * The SSL context is now loaded with the correct root and client
985 * certificates. Create a connection-specific SSL object. The private key
986 * is loaded directly into the SSL object. (We could load the private key
987 * into the context, too, but we have done it this way historically, and
988 * it doesn't really matter.)
989 */
993 {
1000 }
1003 /*
1004 * SSL contexts are reference counted by OpenSSL. We can free it as soon
1005 * as we have created the SSL object, and it will stick around for as long
1006 * as it's actually needed.
1007 */
1011 /*
1012 * Set Server Name Indication (SNI), if enabled by connection parameters.
1013 * Per RFC 6066, do not set it if the host is a literal IP address (IPv4
1014 * or IPv6).
1015 */
1017 {
1023 {
1025 {
1031 }
1032 }
1033 }
1035 /* Set ALPN */
1036 {
1042 {
1048 }
1049 }
1051 /*
1052 * Read the SSL key. If a key is specified, treat it as an engine:key
1053 * combination if there is colon present - we don't support files with
1054 * colon in the name. The exception is if the second character is a colon,
1055 * in which case it can be a Windows filename with drive specification.
1056 */
1058 {
1059 #ifdef USE_SSL_ENGINE
1061 #ifdef WIN32
1063 #endif
1064 )
1065 {
1066 /* Colon, but not in second character, treat as engine:key */
1072 {
1075 }
1077 /* cannot return NULL because we already checked before strdup */
1085 {
1093 }
1096 {
1106 }
1111 {
1122 }
1124 {
1135 }
1140 * file */
1141 }
1142 else
1144 {
1145 /* PGSSLKEY is not an engine, treat it as a filename */
1147 }
1148 }
1150 {
1151 /* No PGSSLKEY specified, load default file */
1153 }
1154 else
1158 {
1159 /* read the client key from file */
1162 {
1165 fnbuf);
1166 else
1168 fnbuf);
1170 }
1172 /* Key file must be a regular file */
1174 {
1176 fnbuf);
1178 }
1180 /*
1181 * Refuse to load world-readable key files. We accept root-owned
1182 * files with mode 0640 or less, so that we can access system-wide
1183 * certificates if we have a supplementary group membership that
1184 * allows us to read 'em. For files with non-root ownership, require
1185 * mode 0600 or less. We need not check the file's ownership exactly;
1186 * if we're able to read it despite it having such restrictive
1187 * permissions, it must have the right ownership.
1188 *
1189 * Note: be very careful about tightening these rules. Some people
1190 * expect, for example, that a client process running as root should
1191 * be able to use a non-root-owned key file.
1192 *
1193 * Note that roughly similar checks are performed in
1194 * src/backend/libpq/be-secure-common.c so any changes here may need
1195 * to be made there as well. However, this code caters for the case
1196 * of current user == root, while that code does not.
1197 *
1198 * Ideally we would do similar permissions checks on Windows, but it
1199 * is not clear how that would work since Unix-style permissions may
1200 * not be available.
1201 */
1202 #if !defined(WIN32) && !defined(__CYGWIN__)
1206 {
1208 "private key file \"%s\" has group or world access; file must have permissions u=rw (0600) or less if owned by the current user, or permissions u=rw,g=r (0640) or less if owned by root",
1209 fnbuf);
1211 }
1212 #endif
1215 {
1218 /*
1219 * We'll try to load the file in DER (binary ASN.1) format, and if
1220 * that fails too, report the original error. This could mask
1221 * issues where there's something wrong with a DER-format cert,
1222 * but we'd have to duplicate openssl's format detection to be
1223 * smarter than this. We can't just probe for a leading -----BEGIN
1224 * because PEM can have leading non-matching lines and blanks.
1225 * OpenSSL doesn't expose its get_name(...) and its PEM routines
1226 * don't differentiate between failure modes in enough detail to
1227 * let us tell the difference between "not PEM, try DER" and
1228 * "wrong password".
1229 */
1231 {
1236 }
1239 }
1240 }
1242 /* verify that the cert and key go together */
1245 {
1252 }
1254 /*
1255 * If a root cert was loaded, also set our certificate verification
1256 * callback.
1257 */
1261 /*
1262 * Set compression option if necessary.
1263 */
1266 else
1270 }
1272 /*
1273 * Attempt to negotiate SSL connection.
1274 */
1275 static PostgresPollingStatusType
1277 {
1284 {
1291 {
1299 {
1305 /*
1306 * If we get an X509 error here for failing to load the
1307 * local issuer cert, without an error in the socket layer
1308 * it means that verification failed due to a missing
1309 * system CA pool without it being a protocol error. We
1310 * inspect the sslrootcert setting to ensure that the user
1311 * was using the system CA pool. For other errors, log
1312 * them using the normal SYSCALL logging.
1313 */
1322 else
1326 }
1328 {
1334 {
1335 /*
1336 * UNSUPPORTED_PROTOCOL, WRONG_VERSION_NUMBER, and
1337 * TLSV1_ALERT_PROTOCOL_VERSION have been observed
1338 * when trying to communicate with an old OpenSSL
1339 * library, or when the client and server specify
1340 * disjoint protocol ranges.
1341 * NO_PROTOCOLS_AVAILABLE occurs if there's a
1342 * local misconfiguration (which can happen
1343 * despite our checks, if openssl.cnf injects a
1344 * limit we didn't account for). It's not very
1345 * clear what would make OpenSSL return the other
1346 * codes listed here, but a hint about protocol
1347 * versions seems like it's appropriate for all.
1348 */
1358 #ifdef SSL_R_VERSION_TOO_HIGH
1361 #endif
1362 libpq_append_conn_error(conn, "This may indicate that the server does not support any SSL protocol version between %s and %s.",
1365 MIN_OPENSSL_TLS_VERSION,
1368 MAX_OPENSSL_TLS_VERSION);
1372 }
1375 }
1381 }
1382 }
1384 /* ALPN is mandatory with direct SSL connections */
1386 {
1393 {
1394 libpq_append_conn_error(conn, "direct SSL connection was established without ALPN protocol negotiation extension");
1397 }
1399 /*
1400 * We only support one protocol so that's what the negotiation should
1401 * always choose, but doesn't hurt to check.
1402 */
1405 {
1409 }
1410 }
1412 /*
1413 * We already checked the server certificate in initialize_SSL() using
1414 * SSL_CTX_set_verify(), if root.crt exists.
1415 */
1417 /* get server certificate */
1420 {
1427 }
1430 {
1433 }
1435 /* SSL handshake is complete */
1437 }
1439 void
1441 {
1443 {
1445 {
1446 /*
1447 * We can't destroy everything SSL-related here due to the
1448 * possible later calls to OpenSSL routines which may need our
1449 * thread callbacks, so set a flag here and check at the end.
1450 */
1457 }
1460 {
1463 }
1465 #ifdef USE_SSL_ENGINE
1467 {
1471 }
1472 #endif
1473 }
1474 }
1477 /*
1478 * Obtain reason string for passed SSL errcode
1479 *
1480 * ERR_get_error() is used by caller to get errcode to pass here.
1481 * The result must be freed after use, using SSLerrfree.
1482 *
1483 * Some caution is needed here since ERR_reason_error_string will return NULL
1484 * if it doesn't recognize the error code, or (in OpenSSL >= 3) if the code
1485 * represents a system errno value. We don't want to return NULL ever.
1486 */
1489 #define SSL_ERR_LEN 128
1493 {
1501 {
1504 }
1507 {
1510 }
1512 /*
1513 * Server aborted the connection with TLS "no_application_protocol" alert.
1514 * The ERR_reason_error_string() function doesn't give any error string
1515 * for that for some reason, so do it ourselves. See
1516 * https://github.com/openssl/openssl/issues/24300. This is available in
1517 * OpenSSL 1.1.0 and later, as well as in LibreSSL 3.4.3 (OpenBSD 7.0) and
1518 * later.
1519 */
1520 #ifdef SSL_AD_NO_APPLICATION_PROTOCOL
1523 {
1526 }
1527 #endif
1529 /*
1530 * In OpenSSL 3.0.0 and later, ERR_reason_error_string does not map system
1531 * errno values anymore. (See OpenSSL source code for the explanation.)
1532 * We can cover that shortcoming with this bit of code. Older OpenSSL
1533 * versions don't have the ERR_SYSTEM_ERROR macro, but that's okay because
1534 * they don't have the shortcoming either.
1535 */
1536 #ifdef ERR_SYSTEM_ERROR
1538 {
1541 }
1542 #endif
1544 /* No choice but to report the numeric ecode */
1547 }
1549 static void
1551 {
1554 }
1556 /* ------------------------------------------------------------ */
1557 /* SSL information functions */
1558 /* ------------------------------------------------------------ */
1560 /*
1561 * Return pointer to OpenSSL object.
1562 */
1565 {
1569 }
1573 {
1579 }
1583 {
1591 NULL
1592 };
1596 {
1597 /* Return attributes of default SSL library */
1599 }
1601 /* No attrs for unencrypted connection */
1606 }
1610 {
1612 {
1613 /* PQsslAttribute(NULL, "library") reports the default SSL library */
1617 }
1619 /* All attributes read as NULL for a non-encrypted connection */
1627 {
1634 }
1646 {
1650 * bytes */
1658 }
1661 }
1663 /*
1664 * Private substitute BIO: this does the sending and receiving using
1665 * pqsecure_raw_write() and pqsecure_raw_read() instead, to allow those
1666 * functions to disable SIGPIPE and give better error messages on I/O errors.
1667 *
1668 * These functions are closely modelled on the standard socket BIO in OpenSSL;
1669 * see sock_read() and sock_write() in OpenSSL's crypto/bio/bss_sock.c.
1670 */
1672 /* protected by ssl_config_mutex */
1675 static int
1677 {
1685 {
1686 /* If we were interrupted, tell caller to retry */
1688 {
1689 #ifdef EAGAIN
1691 #endif
1692 #if defined(EWOULDBLOCK) && (!defined(EAGAIN) || (EWOULDBLOCK != EAGAIN))
1694 #endif
1701 }
1702 }
1708 }
1710 static int
1712 {
1718 {
1719 /* If we were interrupted, tell caller to retry */
1721 {
1722 #ifdef EAGAIN
1724 #endif
1725 #if defined(EWOULDBLOCK) && (!defined(EAGAIN) || (EWOULDBLOCK != EAGAIN))
1727 #endif
1734 }
1735 }
1738 }
1740 static long
1742 {
1747 {
1750 /*
1751 * This should not be needed. pgconn_bio_read already has a way to
1752 * signal EOF to OpenSSL. However, OpenSSL made an undocumented,
1753 * backwards-incompatible change and now expects EOF via BIO_ctrl.
1754 * See https://github.com/openssl/openssl/issues/8208
1755 */
1759 /* libssl expects all BIOs to support BIO_flush. */
1765 }
1768 }
1772 {
1781 {
1792 /*
1793 * As of this writing, these functions never fail. But check anyway,
1794 * like OpenSSL's own examples do.
1795 */
1799 {
1801 }
1802 }
1808 err:
1813 }
1815 static int
1817 {
1834 }
1836 /*
1837 * This is the default handler to return a client cert password from
1838 * conn->sslpassword. Apps may install it explicitly if they want to
1839 * prevent openssl from ever prompting on stdin.
1840 */
1841 int
1843 {
1845 {
1851 }
1852 else
1853 {
1856 }
1857 }
1859 PQsslKeyPassHook_OpenSSL_type
1861 {
1863 }
1865 void
1867 {
1869 }
1871 /*
1872 * Supply a password to decrypt a client certificate.
1873 *
1874 * This must match OpenSSL type pem_password_cb.
1875 */
1876 static int
1878 {
1883 else
1885 }
1887 /*
1888 * Convert TLS protocol version string to OpenSSL values
1889 *
1890 * If a version is passed that is not supported by the current OpenSSL version,
1891 * then we return -1. If a non-negative value is returned, subsequent code can
1892 * assume it is working with a supported version.
1893 *
1894 * Note: this is rather similar to the backend routine in be-secure-openssl.c,
1895 * so make sure to update both routines if changing this one.
1896 */
1897 static int
1899 {
1903 #ifdef TLS1_1_VERSION
1906 #endif
1908 #ifdef TLS1_2_VERSION
1911 #endif
1913 #ifdef TLS1_3_VERSION
1916 #endif
1919 }