diff options
| author | Andrew Dunstan <andrew@dunslane.net> | 2020-03-25 17:13:17 -0400 |
|---|---|---|
| committer | Andrew Dunstan <andrew@dunslane.net> | 2020-03-25 17:13:17 -0400 |
| commit | 896fcdb230e729652d37270c8606ccdc45212f0d (patch) | |
| tree | 1aeb2f25ece8cd7412924bcbaca4a0499f7af01c /src/backend/libpq/be-secure-openssl.c | |
| parent | ffd398021c296e55b59ab848ac71a1769ddff93f (diff) | |
Provide a TLS init hook
The default hook function sets the default password callback function.
In order to allow preloaded libraries to have an opportunity to override
the default, TLS initialization if now delayed slightly until after
shared preloaded libraries have been loaded.
A test module is provided which contains a trivial example that decodes
an obfuscated password for an SSL certificate.
Author: Andrew Dunstan
Reviewed By: Andreas Karlsson, Asaba Takanori
Discussion: https://postgr.es/m/04116472-818b-5859-1d74-3d995aab2252@2ndQuadrant.com
Diffstat (limited to 'src/backend/libpq/be-secure-openssl.c')
| -rw-r--r-- | src/backend/libpq/be-secure-openssl.c | 48 |
1 files changed, 29 insertions, 19 deletions
diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index b53c2b813eb..a65f920343c 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -45,6 +45,9 @@ #include "tcop/tcopprot.h" #include "utils/memutils.h" +/* default init hook can be overridden by a shared library */ +static void default_openssl_tls_init(SSL_CTX *context, bool isServerStart); +openssl_tls_init_hook_typ openssl_tls_init_hook = default_openssl_tls_init; static int my_sock_read(BIO *h, char *buf, int size); static int my_sock_write(BIO *h, const char *buf, int size); @@ -117,27 +120,10 @@ be_tls_init(bool isServerStart) SSL_CTX_set_mode(context, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER); /* - * Set password callback + * Call init hook (usually to set password callback) */ - if (isServerStart) - { - if (ssl_passphrase_command[0]) - SSL_CTX_set_default_passwd_cb(context, ssl_external_passwd_cb); - } - else - { - if (ssl_passphrase_command[0] && ssl_passphrase_command_supports_reload) - SSL_CTX_set_default_passwd_cb(context, ssl_external_passwd_cb); - else + (* openssl_tls_init_hook)(context, isServerStart); - /* - * If reloading and no external command is configured, override - * OpenSSL's default handling of passphrase-protected files, - * because we don't want to prompt for a passphrase in an - * already-running server. - */ - SSL_CTX_set_default_passwd_cb(context, dummy_ssl_passwd_cb); - } /* used by the callback */ ssl_is_server_start = isServerStart; @@ -1338,3 +1324,27 @@ ssl_protocol_version_to_openssl(int v) return -1; } + + +static void +default_openssl_tls_init(SSL_CTX *context, bool isServerStart) +{ + if (isServerStart) + { + if (ssl_passphrase_command[0]) + SSL_CTX_set_default_passwd_cb(context, ssl_external_passwd_cb); + } + else + { + if (ssl_passphrase_command[0] && ssl_passphrase_command_supports_reload) + SSL_CTX_set_default_passwd_cb(context, ssl_external_passwd_cb); + else + /* + * If reloading and no external command is configured, override + * OpenSSL's default handling of passphrase-protected files, + * because we don't want to prompt for a passphrase in an + * already-running server. + */ + SSL_CTX_set_default_passwd_cb(context, dummy_ssl_passwd_cb); + } +} |