aboutsummaryrefslogtreecommitdiff
path: root/vendor/github.com/lib/pq/ssl.go
diff options
context:
space:
mode:
authorGibheer <gibheer+git@zero-knowledge.org>2024-09-05 19:38:25 +0200
committerGibheer <gibheer+git@zero-knowledge.org>2024-09-05 19:38:25 +0200
commit6ea4d2c82de80efc87708e5e182034b7c6c2019e (patch)
tree35c0856a929040216c82153ca62d43b27530a887 /vendor/github.com/lib/pq/ssl.go
parent6f64eeace1b66639b9380b44e88a8d54850a4306 (diff)
switch from github.com/lib/pq to github.com/jackc/pgx/v5HEAD20240905master
lib/pq is out of maintenance for some time now, so switch to the newer more active library. Looks like it finally stabilized after a long time.
Diffstat (limited to 'vendor/github.com/lib/pq/ssl.go')
-rw-r--r--vendor/github.com/lib/pq/ssl.go204
1 files changed, 0 insertions, 204 deletions
diff --git a/vendor/github.com/lib/pq/ssl.go b/vendor/github.com/lib/pq/ssl.go
deleted file mode 100644
index 36b61ba..0000000
--- a/vendor/github.com/lib/pq/ssl.go
+++ /dev/null
@@ -1,204 +0,0 @@
-package pq
-
-import (
- "crypto/tls"
- "crypto/x509"
- "io/ioutil"
- "net"
- "os"
- "os/user"
- "path/filepath"
- "strings"
-)
-
-// ssl generates a function to upgrade a net.Conn based on the "sslmode" and
-// related settings. The function is nil when no upgrade should take place.
-func ssl(o values) (func(net.Conn) (net.Conn, error), error) {
- verifyCaOnly := false
- tlsConf := tls.Config{}
- switch mode := o["sslmode"]; mode {
- // "require" is the default.
- case "", "require":
- // We must skip TLS's own verification since it requires full
- // verification since Go 1.3.
- tlsConf.InsecureSkipVerify = true
-
- // From http://www.postgresql.org/docs/current/static/libpq-ssl.html:
- //
- // Note: For backwards compatibility with earlier versions of
- // PostgreSQL, if a root CA file exists, the behavior of
- // sslmode=require will be the same as that of verify-ca, meaning the
- // server certificate is validated against the CA. Relying on this
- // behavior is discouraged, and applications that need certificate
- // validation should always use verify-ca or verify-full.
- if sslrootcert, ok := o["sslrootcert"]; ok {
- if _, err := os.Stat(sslrootcert); err == nil {
- verifyCaOnly = true
- } else {
- delete(o, "sslrootcert")
- }
- }
- case "verify-ca":
- // We must skip TLS's own verification since it requires full
- // verification since Go 1.3.
- tlsConf.InsecureSkipVerify = true
- verifyCaOnly = true
- case "verify-full":
- tlsConf.ServerName = o["host"]
- case "disable":
- return nil, nil
- default:
- return nil, fmterrorf(`unsupported sslmode %q; only "require" (default), "verify-full", "verify-ca", and "disable" supported`, mode)
- }
-
- // Set Server Name Indication (SNI), if enabled by connection parameters.
- // By default SNI is on, any value which is not starting with "1" disables
- // SNI -- that is the same check vanilla libpq uses.
- if sslsni := o["sslsni"]; sslsni == "" || strings.HasPrefix(sslsni, "1") {
- // RFC 6066 asks to not set SNI if the host is a literal IP address (IPv4
- // or IPv6). This check is coded already crypto.tls.hostnameInSNI, so
- // just always set ServerName here and let crypto/tls do the filtering.
- tlsConf.ServerName = o["host"]
- }
-
- err := sslClientCertificates(&tlsConf, o)
- if err != nil {
- return nil, err
- }
- err = sslCertificateAuthority(&tlsConf, o)
- if err != nil {
- return nil, err
- }
-
- // Accept renegotiation requests initiated by the backend.
- //
- // Renegotiation was deprecated then removed from PostgreSQL 9.5, but
- // the default configuration of older versions has it enabled. Redshift
- // also initiates renegotiations and cannot be reconfigured.
- tlsConf.Renegotiation = tls.RenegotiateFreelyAsClient
-
- return func(conn net.Conn) (net.Conn, error) {
- client := tls.Client(conn, &tlsConf)
- if verifyCaOnly {
- err := sslVerifyCertificateAuthority(client, &tlsConf)
- if err != nil {
- return nil, err
- }
- }
- return client, nil
- }, nil
-}
-
-// sslClientCertificates adds the certificate specified in the "sslcert" and
-// "sslkey" settings, or if they aren't set, from the .postgresql directory
-// in the user's home directory. The configured files must exist and have
-// the correct permissions.
-func sslClientCertificates(tlsConf *tls.Config, o values) error {
- sslinline := o["sslinline"]
- if sslinline == "true" {
- cert, err := tls.X509KeyPair([]byte(o["sslcert"]), []byte(o["sslkey"]))
- if err != nil {
- return err
- }
- tlsConf.Certificates = []tls.Certificate{cert}
- return nil
- }
-
- // user.Current() might fail when cross-compiling. We have to ignore the
- // error and continue without home directory defaults, since we wouldn't
- // know from where to load them.
- user, _ := user.Current()
-
- // In libpq, the client certificate is only loaded if the setting is not blank.
- //
- // https://github.com/postgres/postgres/blob/REL9_6_2/src/interfaces/libpq/fe-secure-openssl.c#L1036-L1037
- sslcert := o["sslcert"]
- if len(sslcert) == 0 && user != nil {
- sslcert = filepath.Join(user.HomeDir, ".postgresql", "postgresql.crt")
- }
- // https://github.com/postgres/postgres/blob/REL9_6_2/src/interfaces/libpq/fe-secure-openssl.c#L1045
- if len(sslcert) == 0 {
- return nil
- }
- // https://github.com/postgres/postgres/blob/REL9_6_2/src/interfaces/libpq/fe-secure-openssl.c#L1050:L1054
- if _, err := os.Stat(sslcert); os.IsNotExist(err) {
- return nil
- } else if err != nil {
- return err
- }
-
- // In libpq, the ssl key is only loaded if the setting is not blank.
- //
- // https://github.com/postgres/postgres/blob/REL9_6_2/src/interfaces/libpq/fe-secure-openssl.c#L1123-L1222
- sslkey := o["sslkey"]
- if len(sslkey) == 0 && user != nil {
- sslkey = filepath.Join(user.HomeDir, ".postgresql", "postgresql.key")
- }
-
- if len(sslkey) > 0 {
- if err := sslKeyPermissions(sslkey); err != nil {
- return err
- }
- }
-
- cert, err := tls.LoadX509KeyPair(sslcert, sslkey)
- if err != nil {
- return err
- }
-
- tlsConf.Certificates = []tls.Certificate{cert}
- return nil
-}
-
-// sslCertificateAuthority adds the RootCA specified in the "sslrootcert" setting.
-func sslCertificateAuthority(tlsConf *tls.Config, o values) error {
- // In libpq, the root certificate is only loaded if the setting is not blank.
- //
- // https://github.com/postgres/postgres/blob/REL9_6_2/src/interfaces/libpq/fe-secure-openssl.c#L950-L951
- if sslrootcert := o["sslrootcert"]; len(sslrootcert) > 0 {
- tlsConf.RootCAs = x509.NewCertPool()
-
- sslinline := o["sslinline"]
-
- var cert []byte
- if sslinline == "true" {
- cert = []byte(sslrootcert)
- } else {
- var err error
- cert, err = ioutil.ReadFile(sslrootcert)
- if err != nil {
- return err
- }
- }
-
- if !tlsConf.RootCAs.AppendCertsFromPEM(cert) {
- return fmterrorf("couldn't parse pem in sslrootcert")
- }
- }
-
- return nil
-}
-
-// sslVerifyCertificateAuthority carries out a TLS handshake to the server and
-// verifies the presented certificate against the CA, i.e. the one specified in
-// sslrootcert or the system CA if sslrootcert was not specified.
-func sslVerifyCertificateAuthority(client *tls.Conn, tlsConf *tls.Config) error {
- err := client.Handshake()
- if err != nil {
- return err
- }
- certs := client.ConnectionState().PeerCertificates
- opts := x509.VerifyOptions{
- DNSName: client.ConnectionState().ServerName,
- Intermediates: x509.NewCertPool(),
- Roots: tlsConf.RootCAs,
- }
- for i, cert := range certs {
- if i == 0 {
- continue
- }
- opts.Intermediates.AddCert(cert)
- }
- _, err = certs[0].Verify(opts)
- return err
-}