postgresql/src/backend/libpq
Michael Paquier 5fd61055ea Fix handling of SCRAM-SHA-256's channel binding with RSA-PSS certificates
OpenSSL 1.1.1 and newer versions have added support for RSA-PSS
certificates, which requires the use of a specific routine in OpenSSL to
determine which hash function to use when compiling it when using
channel binding in SCRAM-SHA-256.  X509_get_signature_nid(), that is the
original routine the channel binding code has relied on, is not able to
determine which hash algorithm to use for such certificates.  However,
X509_get_signature_info(), new to OpenSSL 1.1.1, is able to do it.  This
commit switches the channel binding logic to rely on
X509_get_signature_info() over X509_get_signature_nid(), which would be
the choice when building with 1.1.1 or newer.

The error could have been triggered on the client or the server, hence
libpq and the backend need to have their related code paths patched.
Note that attempting to load an RSA-PSS certificate with OpenSSL 1.1.0
or older leads to a failure due to an unsupported algorithm.

The discovery of relying on X509_get_signature_info() comes from Jacob,
the tests have been written by Heikki (with few tweaks from me), while I
have bundled the whole together while adding the bits needed for MSVC
and meson.

This issue exists since channel binding exists, so backpatch all the way
down.  Some tests are added in 15~, triggered if compiling with OpenSSL
1.1.1 or newer, where the certificate and key files can easily be
generated for RSA-PSS.

Reported-by: Gunnar "Nick" Bluth
Author: Jacob Champion, Heikki Linnakangas
Discussion: https://postgr.es/m/17760-b6c61e752ec07060@postgresql.org
Backpatch-through: 11
2023-02-15 10:12:31 +09:00
..
auth-sasl.c Improve error handling of cryptohash computations 2022-01-11 09:55:16 +09:00
auth-scram.c Improve error handling of HMAC computations 2022-01-13 16:17:21 +09:00
auth.c Clean up messy API for src/port/thread.c. 2022-01-11 13:46:20 -05:00
be-fsstubs.c Update copyright for 2022 2022-01-07 19:04:57 -05:00
be-gssapi-common.c Update copyright for 2022 2022-01-07 19:04:57 -05:00
be-secure-common.c Remove misguided SSL key file ownership check in libpq. 2022-05-26 14:14:05 -04:00
be-secure-gssapi.c Update copyright for 2022 2022-01-07 19:04:57 -05:00
be-secure-openssl.c Fix handling of SCRAM-SHA-256's channel binding with RSA-PSS certificates 2023-02-15 10:12:31 +09:00
be-secure.c Update copyright for 2022 2022-01-07 19:04:57 -05:00
crypt.c Improve error handling of cryptohash computations 2022-01-11 09:55:16 +09:00
hba.c Remove extraneous blank lines before block-closing braces 2022-04-13 19:16:02 +02:00
ifaddr.c Update copyright for 2022 2022-01-07 19:04:57 -05:00
Makefile Refactor SASL code with a generic interface for its mechanisms 2021-07-07 10:55:15 +09:00
pg_hba.conf.sample pg_hba.conf.sample: Reword connection type section 2021-04-29 07:00:20 +02:00
pg_ident.conf.sample Reformat the comments in pg_hba.conf and pg_ident.conf 2010-01-26 06:58:39 +00:00
pqcomm.c Pre-beta mechanical code beautification. 2022-05-12 15:17:30 -04:00
pqformat.c Update copyright for 2022 2022-01-07 19:04:57 -05:00
pqmq.c Update copyright for 2022 2022-01-07 19:04:57 -05:00
pqsignal.c Update copyright for 2022 2022-01-07 19:04:57 -05:00
README.SSL Move EDH support to common files 2018-01-23 07:11:38 -05:00

src/backend/libpq/README.SSL

SSL
===

>From the servers perspective:


  Receives StartupPacket
           |
           |
 (Is SSL_NEGOTIATE_CODE?) -----------  Normal startup
           |                  No
           |
           | Yes
           |
           |
 (Server compiled with USE_SSL?) ------- Send 'N'
           |                       No        |
           |                                 |
           | Yes                         Normal startup
           |
           |
        Send 'S'
           |
           |
      Establish SSL
           |
           |
      Normal startup





>From the clients perspective (v6.6 client _with_ SSL):


      Connect
         |
         |
  Send packet with SSL_NEGOTIATE_CODE
         |
         |
  Receive single char  ------- 'S' -------- Establish SSL
         |                                       |
         | '<else>'                              |
         |                                  Normal startup
         |
         |
   Is it 'E' for error  ------------------- Retry connection
         |                  Yes             without SSL
         | No
         |
   Is it 'N' for normal ------------------- Normal startup
         |                  Yes
         |
   Fail with unknown

---------------------------------------------------------------------------

Ephemeral DH
============

Since the server static private key ($DataDir/server.key) will
normally be stored unencrypted so that the database backend can
restart automatically, it is important that we select an algorithm
that continues to provide confidentiality even if the attacker has the
server's private key.  Ephemeral DH (EDH) keys provide this and more
(Perfect Forward Secrecy aka PFS).

N.B., the static private key should still be protected to the largest
extent possible, to minimize the risk of impersonations.

Another benefit of EDH is that it allows the backend and clients to
use DSA keys.  DSA keys can only provide digital signatures, not
encryption, and are often acceptable in jurisdictions where RSA keys
are unacceptable.

The downside to EDH is that it makes it impossible to use ssldump(1)
if there's a problem establishing an SSL session.  In this case you'll
need to temporarily disable EDH (see initialize_dh()).