authorHeikki Linnakangas <heikki.linnakangas@iki.fi>2024-04-08 04:24:51 +0300
committerHeikki Linnakangas <heikki.linnakangas@iki.fi>2024-04-08 04:24:51 +0300
commit91044ae4baeac2e501e34164a69bd5d9c4976d21 (patch)
tree030ae118927d18f14ecb8840ec6719932b79773c /src/include
parentd39a49c1e459804831302807c724fa6512e90cf0 (diff)
Send ALPN in TLS handshake, require it in direct SSL connections
libpq now always tries to send ALPN. With the traditional negotiated SSL connections, the server accepts the ALPN, and refuses the connection if it's not what we expect, but connecting without ALPN is still OK. With the new direct SSL connections, ALPN is mandatory. NOTE: This uses "TBD-pgsql" as the protocol ID. We must register a proper one with IANA before the release! Author: Greg Stark, Heikki Linnakangas Reviewed-by: Matthias van de Meent, Jacob Champion
Diffstat (limited to 'src/include')
-rw-r--r--src/include/libpq/libpq-be.h1
-rw-r--r--src/include/libpq/pqcomm.h19
2 files changed, 20 insertions, 0 deletions
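diff --git a/src/include/libpq/libpq-be.h b/src/include/libpq/libpq-be.h
index 4ce61d1b4ee..05cb1874c58 100644
--- a/src/include/libpq/libpq-be.h
+++ b/src/include/libpq/libpq-be.h
@@ -203,6 +203,7 @@ typedef struct Port
 char *peer_cn;
 char *peer_dn;
 bool peer_cert_valid;
+ bool alpn_used;
 /*
 * OpenSSL structures. (Keep these last so that the locations of other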
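Review bot: The new `alpn_used` field in struct Port carries no comment saying what it records or where it is set, and the name alone does not tell a reader whether it means "the client offered ALPN" or "ALPN was actually negotiated"; since the commit message makes ALPN mandatory for direct SSL connections, this flag presumably feeds that accept/refuse decision, so its meaning should be pinned down next to the declaration. Suggest `bool alpn_used; /* true if ALPN was negotiated in the TLS handshake */`, adjusting the wording to match the place that assigns it. struct Port begins and ends outside this hunk.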
diff --git a/src/include/libpq/pqcomm.h b/src/include/libpq/pqcomm.h
index 9ae469c86c4..fb93c820530 100644
--- a/src/include/libpq/pqcomm.h
+++ b/src/include/libpq/pqcomm.h
@@ -139,6 +139,25 @@ typedef struct CancelRequestPacket
uint32 cancelAuthCode; /* secret key to authorize cancel */
} CancelRequestPacket;
+/* Application-Layer Protocol Negotiation is required for direct connections
+ * to avoid protocol confusion attacks (e.g https://alpaca-attack.com/).
+ *
+ * ALPN is specified in RFC 7301
+ *
+ * This string should be registered at:
+ * https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids
+ *
+ * OpenSSL uses this wire-format for the list of alpn protocols even in the
+ * API. Both server and client take the same format parameter but the client
+ * actually sends it to the server as-is and the server it specifies the
+ * preference order to use to choose the one selected to send back.
+ *
+ * c.f. https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_alpn_select_cb.html
+ *
+ * The #define can be used to initialize a char[] vector to use directly in the API
+ */
+#define PG_ALPN_PROTOCOL "TBD-pgsql"
+#define PG_ALPN_PROTOCOL_VECTOR { 9, 'T','B','D','-','p','g','s','q','l' }
/*
* A client can also start by sending a SSL or GSSAPI negotiation request to