Обсуждение: Supporting Windows SChannel as OpenSSL replacement

Hi,

I've been looking at Windows' native SSL implementatation, the SChannel 
API. It would be nice to support that as a replacement for OpenSSL on 
Windows. Currently, we bundle the OpenSSL library in the PostgreSQL, 
installers, which is annoying because whenever OpenSSL puts out a new 
release that fixes vulnerabilities, we need to do a security release of 
PostgreSQL on Windows. I was reminded of this recently wrt. psqlODBC, 
which bundles libpq and openssl as well. It's particularly annoying for 
psqlODBC and other client applications, as people typically update it 
less diligently than their servers.

I think that we should keep the user-visible behavior the same, i.e. the 
libpq connection options, locations of the certificate files etc. would 
all be the same regardless of which SSL implementation is used. Using 
Windows SChannel API might make it possible to integrate better with 
Windows' own certificate store etc. but I don't really know much about 
that stuff, so for starters I'd like to just use it as a drop-in 
replacement for OpenSSL.

Thoughts? While we're at it, we'll probably want to refactor things so 
that it's easy to support other SSL implementations too, like gnutls.

- Heikki

On Monday, June 9, 2014, Heikki Linnakangas <hlinnakangas@vmware.com> wrote:

Hi,

I've been looking at Windows' native SSL implementatation, the SChannel API. It would be nice to support that as a replacement for OpenSSL on Windows. Currently, we bundle the OpenSSL library in the PostgreSQL, installers, which is annoying because whenever OpenSSL puts out a new release that fixes vulnerabilities, we need to do a security release of PostgreSQL on Windows. I was reminded of this recently wrt. psqlODBC, which bundles libpq and openssl as well. It's particularly annoying for psqlODBC and other client applications, as people typically update it less diligently than their servers.

I think that we should keep the user-visible behavior the same, i.e. the libpq connection options, locations of the certificate files etc. would all be the same regardless of which SSL implementation is used. Using Windows SChannel API might make it possible to integrate better with Windows' own certificate store etc. but I don't really know much about that stuff, so for starters I'd like to just use it as a drop-in replacement for OpenSSL.

Thoughts? While we're at it, we'll probably want to refactor things so that it's easy to support other SSL implementations too, like gnutls.

--
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/

On 06/09/2014 02:53 PM, Magnus Hagander wrote:
> Also, my memory says that SChannel doesn't support the key file format that
> we use now, which makes a much bigger break with the supported platforms.
> That may have changed of course - have you researched that part?

A quick web search turned up a few discussion forums threads with a 
recipe for this (e.g 
https://stackoverflow.com/questions/1231178/load-an-x509-pem-file-into-windows-cryptoapi). 
There's no direct "read this file" function, but there are low-level 
functions that can decode the file format once it's read into memory. So 
it seems possible to make it work.

> It's also a question of if we can accept supporting a different set of
> libraries on the server vs on the client. It's really on the client that
> it's a bigger problem, but in the end I think we want to have "symmetrical
> support". But it might be worth doing just the client side initially, and
> then move to the server. I think in general, the client side is actually
> likely to be *harder* than the server side..

Once we've modified the client to support multiple libraries, it's 
probably not much extra effort to do the same to the server. I wouldn't 
like to support different libraries in client and server, if only 
because it would be more complicated to have separate ./configure 
options for client and server.

- Heikki

On 2014-06-09 13:53:15 +0200, Magnus Hagander wrote:
> The main other entries I've been looking at are NSS and gnutls, both of
> which can speak our current file formats. I think the right thing is to
> start with those and thereby make it more pluggable, and only after that
> tackle schannel. But I do think it would be good to have them all.

I think NSS makes a great deal of sense - the advantages of supporting
gnutls are much less clear to me. Maybe it's little enough additional
code that that doesn't matter much, but we imo shouldn't focus on it.

Greetings,

Andres Freund

-- Andres Freund                       http://www.2ndQuadrant.com/PostgreSQL Development, 24x7 Support, Training &
Services

On Mon, Jun 09, 2014 at 02:45:08PM +0300, Heikki Linnakangas wrote:
> Thoughts? While we're at it, we'll probably want to refactor things
> so that it's easy to support other SSL implementations too, like
> gnutls.

One project that is proud to support several SSL implementations
is curl: http://curl.haxx.se/

Git: https://github.com/bagder/curl.git
Implementations: https://github.com/bagder/curl/tree/master/lib/vtls

List from vtls.c:

- OpenSSL
- GnuTLS
- NSS
- QsoSSL
- GSKit
- PolarSSL
- CyaSSL
- Schannel SSPI
- SecureTransport (Darwin)

We cannot reuse the code directly, but seems it's usable for
reference for various gotchas that need to be solved.

-- 
marko

On 06/09/2014 01:45 PM, Heikki Linnakangas wrote:
> Thoughts? While we're at it, we'll probably want to refactor things so
> that it's easy to support other SSL implementations too, like gnutls.

There was a patch set for this from Martijn van Oosterhout which was 
quite complete.

http://www.postgresql.org/message-id/20060504134807.GK4752@svana.org

I am interested in dropping the dependency on OpenSSL, if only to fix 
the situation with Debian, libreadline and OpenSSL[1].

Notes

1. They now compile against libedit and change to using libreadline at 
runtime. This does not work perfectly though since libreadline supports 
some features which libedit does not which can only be checked for at 
compile time.

Andreas

Heikki Linnakangas <hlinnakangas@vmware.com> writes:
> I've been looking at Windows' native SSL implementatation, the SChannel 
> API. It would be nice to support that as a replacement for OpenSSL on 
> Windows. Currently, we bundle the OpenSSL library in the PostgreSQL, 
> installers, which is annoying because whenever OpenSSL puts out a new 
> release that fixes vulnerabilities, we need to do a security release of 
> PostgreSQL on Windows.

Does SChannel have a better security track record than OpenSSL?  Or is
the point here just that we can define it as not our problem when a
vulnerability surfaces?

I'm doubtful that we can ignore security issues affecting PG just because
somebody else is responsible for shipping the fix, and thus am concerned
that if we support N different SSL libraries, we will need to keep track
of N sets of vulnerabilities instead of just one.
        regards, tom lane

Hi,

On 2014-06-09 10:18:40 -0400, Tom Lane wrote:
> Does SChannel have a better security track record than OpenSSL?  Or is
> the point here just that we can define it as not our problem when a
> vulnerability surfaces?

Well, it's patched as part of the OS - so no new PG binaries have to be
released when it's buggy.

> I'm doubtful that we can ignore security issues affecting PG just because
> somebody else is responsible for shipping the fix, and thus am concerned
> that if we support N different SSL libraries, we will need to keep track
> of N sets of vulnerabilities instead of just one.

In most of the cases where such a issue exists it'll primarily affect
binary distributions that include the ssl library - and those will only
pick one anyway.

Greetings,

Andres Freund

-- Andres Freund                       http://www.2ndQuadrant.com/PostgreSQL Development, 24x7 Support, Training &
Services

From: "Heikki Linnakangas" <hlinnakangas@vmware.com>
> Thoughts? While we're at it, we'll probably want to refactor things so 
> that it's easy to support other SSL implementations too, like gnutls.

That may be good because it provides users with choices.  But I wonder if it 
is worth the complexity and maintainability of PostgreSQL code.

* Are SChannel and other libraries more secure than OpenSSL?  IIRC, recently 
I read in the news that GnuTLS had a vulnerability.  OpenSSL is probably the 
most widely used library, and many people are getting more interested in its 
quality.  I expect the quality will improve thanks to the help from The 
Linux foundation and other organizations/researchers.

* Do other libraries get support from commercial vendor product support? 
For example, Safenet Inc., the famous HSM (hardware security module) vendor, 
supports OpenSSL to access the private key stored in its HSM product.  Intel 
offered AES-NI implementation code to OpenSSL community.  I guess OpenSSL 
will continue to be the most functional and obtain the widest adoption and 
support.

Regards
MauMau

On Mon, Jun 09, 2014 at 03:35:23PM +0200, Magnus Hagander wrote:
> On Mon, Jun 9, 2014 at 3:19 PM, Andreas Karlsson <andreas@proxel.se> wrote:
>
> > On 06/09/2014 01:45 PM, Heikki Linnakangas wrote:
> > There was a patch set for this from Martijn van Oosterhout which was quite
> > complete.
> >
> > http://www.postgresql.org/message-id/20060504134807.GK4752@svana.org

Wow, blast from the past.

> A lot has, unfortunately, changed since 2006. It might be a good
> startingpoint. But also actively starting from the point of "let's try to
> support multiple libraries" rather than "let's try to support gnutls" is
> probably also important.

The patch did provide an API. The idea was that there were a number of
functions which would need to be defined to support an SSL library.
Each library would then have a wrapper which wrapped the library and
based on the results of configure it compiled the right file into the
backend.

These functions were:

extern void pgtls_initialize(void);
extern void pgtls_destroy(void);
extern int pgtls_open_server(Port *);
extern void pgtls_close(Port *);
extern ssize_t pgtls_read(Port *port, void *ptr, size_t len);
extern ssize_t pgtls_write(Port *port, void *ptr, size_t len);

Which should be easy enough to support for any library. These days
you'd need to add support for verifying certificates, but I don't think
that that would be difficult (unless the actual certificate formats are
different).

No switching after compile time, that would just lead to useless
overhead.

> At some point we should design a new API, so that we can deprecate the old
> one. Even if we don't hve the code ready, we need to get rid of PQgetssl(),
> and replace it with something else. I'm thinking probably a functoin that
> returns both a void pointer and an enum that tells you which library is
> actually in use. And a boolean just saying "ssl on/off", because that's
> what a lot of clients are interested in and they don't care aobut more than
> that.
>
> Obviously, we also have to do something about PQinitOpenSSL().

Yeah, I think this was one of the more controversial parts. Support in
the backend was primarily moving code around and renaming functions,
fairly straightforward.  Even error handling was not so hard (I found
the gnutls handling of errors much easier than openssl).

One tricky part is that programs like to use libpq for the
authentication, and then they hijack the connection using PGgetssl().
The way I dealt with this is defining a new state "passthrough" where
the caller would get a few function pointers to read/write/check the
connection.  Then the callers would not need to know what library libpq
was compiled with.  And libpq would know the connection was hijacked
and refuse to act anymore.  I don't think everyone was pleased with
this, but no real alternative was presented (other than requiring
people hijacking the connection to do the hard work).

For information about which library was in use there was PQgettlsinfo()
which returned a PGresult with information about the library and
connection.  I beleive since then new functions have been added to
libpq to retrive info about certificates, so that might need a rethink
also.

Basically, I think these last two points are the hard parts to get
agreement (assuming there's agreement to do anything at all about the
problem) and without nailing those down first whoever picks this up
will be in for a lot of work.

Have a nice day,
--
Martijn van Oosterhout   <kleptog@svana.org>   http://svana.org/kleptog/
> He who writes carelessly confesses thereby at the very outset that he does
> not attach much importance to his own thoughts.  -- Arthur Schopenhauer

On 06/09/2014 05:22 PM, Andres Freund wrote:
> Hi,
>
> On 2014-06-09 10:18:40 -0400, Tom Lane wrote:
>> Does SChannel have a better security track record than OpenSSL?  Or is
>> the point here just that we can define it as not our problem when a
>> vulnerability surfaces?
>
> Well, it's patched as part of the OS - so no new PG binaries have to be
> released when it's buggy.

Right. I have no idea what SChannel's track record is, but when there's 
a vulnerability in the native SSL implementation in Windows, you better 
upgrade anyway, regardless of PostgreSQL. So when we rely on that, we 
don't put any extra burden on users. And we won't need to release new 
binaries just to update the DLL included in it.

- Heikki

On Mon, Jun 9, 2014 at 10:40 AM, Heikki Linnakangas
<hlinnakangas@vmware.com> wrote:
> Right. I have no idea what SChannel's track record is, but when there's a
> vulnerability in the native SSL implementation in Windows, you better
> upgrade anyway, regardless of PostgreSQL. So when we rely on that, we don't
> put any extra burden on users. And we won't need to release new binaries
> just to update the DLL included in it.

Right, heartily agreed.  It wouldn't surprise me if there are lots of
Windows machines out there that have 4 or 5 copies of OpenSSL on them,
each provided by a different installer for some other piece of
software that happens to depend on OpenSSL.  When OpenSSL then has a
security vulnerability, you're not safe until all of the people who
produce those installers produce new versions and you upgrade to all
of those new versions.  In practice, I'm sure that an enormous amount
slips through the cracks here.  Relying on something that is part of
the OS and updated by the OS vendor seems like less work for both
packagers (who have to prepare the updates) and users (who have to
apply them).  Of course there may be cases where the OS implementation
sucks badly or otherwise can't be relied upon, and then we'll just
have to live with shipping copies of things.  But avoiding it sounds
better, if someone's volunteering to do the work....

-- 
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company

On Mon, Jun 09, 2014 at 11:39:17PM +0900, MauMau wrote:
> From: "Heikki Linnakangas" <hlinnakangas@vmware.com>
> >Thoughts? While we're at it, we'll probably want to refactor
> >things so that it's easy to support other SSL implementations too,
> >like gnutls.
>
> That may be good because it provides users with choices.  But I
> wonder if it is worth the complexity and maintainability of
> PostgreSQL code.

The complexity is very low. SSL is a standard protocol and so all
libraries offer the same functionality. Were not really doing anything
complex.

> * Are SChannel and other libraries more secure than OpenSSL?  IIRC,
> recently I read in the news that GnuTLS had a vulnerability.
> OpenSSL is probably the most widely used library, and many people
> are getting more interested in its quality.  I expect the quality
> will improve thanks to the help from The Linux foundation and other
> organizations/researchers.

Does that matter? What's wrong with letting people choose. OpenVPN
these days supports multiple SSL libraries, because PolarSSL (for
example) has been vetted for a higher security level than OpenSSL.

> * Do other libraries get support from commercial vendor product
> support? For example, Safenet Inc., the famous HSM (hardware
> security module) vendor, supports OpenSSL to access the private key
> stored in its HSM product.  Intel offered AES-NI implementation code
> to OpenSSL community.  I guess OpenSSL will continue to be the most
> functional and obtain the widest adoption and support.

And the crappiest license. I think it's silly for PostgreSQL dictate
what SSL library users must use, when there are so many possibilities.
We also support libedit for, in my opinion, worse reasons.

Have a nice day,
--
Martijn van Oosterhout   <kleptog@svana.org>   http://svana.org/kleptog/
> He who writes carelessly confesses thereby at the very outset that he does
> not attach much importance to his own thoughts.  -- Arthur Schopenhauer

On 06/09/2014 06:03 PM, Magnus Hagander wrote:
> One tricky part is that programs like to use libpq for the
>> >authentication, and then they hijack the connection using PGgetssl().
>> >
> Is there*anybody*  other than odbc that does that? Do we actually need a
> published API for that, or just a hack for pgodbc?

I wish psqlODBC would stop doing that. It's kind of cool that it 
supports compiling without libpq, but it's really quite a mess. I think 
we should modify psqlODBC to use the libpq API like most people do.

- Heikki

On 06/09/2014 05:39 PM, Martijn van Oosterhout wrote:
> On Mon, Jun 09, 2014 at 03:35:23PM +0200, Magnus Hagander wrote:
>> On Mon, Jun 9, 2014 at 3:19 PM, Andreas Karlsson <andreas@proxel.se> wrote:
>>
>>> On 06/09/2014 01:45 PM, Heikki Linnakangas wrote:
>>> There was a patch set for this from Martijn van Oosterhout which was quite
>>> complete.
>>>
>>> http://www.postgresql.org/message-id/20060504134807.GK4752@svana.org
>
> Wow, blast from the past.
>
>> A lot has, unfortunately, changed since 2006. It might be a good
>> startingpoint. But also actively starting from the point of "let's try to
>> support multiple libraries" rather than "let's try to support gnutls" is
>> probably also important.
>
> The patch did provide an API. The idea was that there were a number of
> functions which would need to be defined to support an SSL library.
> Each library would then have a wrapper which wrapped the library and
> based on the results of configure it compiled the right file into the
> backend.
>
> These functions were:
>
> extern void pgtls_initialize(void);
> extern void pgtls_destroy(void);
> extern int pgtls_open_server(Port *);
> extern void pgtls_close(Port *);
> extern ssize_t pgtls_read(Port *port, void *ptr, size_t len);
> extern ssize_t pgtls_write(Port *port, void *ptr, size_t len);
>
> Which should be easy enough to support for any library. These days
> you'd need to add support for verifying certificates, but I don't think
> that that would be difficult (unless the actual certificate formats are
> different).
>
> No switching after compile time, that would just lead to useless
> overhead.

Yeah, that seems like a reasonable design.

I did again the refactoring you did back in 2006, patch attached. One
thing I did differently: I moved the raw, non-encrypted, read/write
functions to separate functions: pqsecure_raw_read and
pqsecure_raw_write. Those functions encapsulate the SIGPIPE handling.
The OpenSSL code implements a custom BIO, which calls to
pqsecure_raw_read/write to do the low-level I/O.  Similarly in the
server-side, there are be_tls_raw_read and pg_tls_raw_write functions,
which do the prepare_for_client_read()/client_read_ended() dance, so
that the SSL implementation doesn't need to know about that.

I then implemented a quick proof-of-concept Windows SChannel
implementation of that API. It's client-side only, and there's no
support for validating server certificate or specifying non-default
ciphers or anything yet. But I did implement performing authentication
with a client certificate, as a proof of concept that it's possible to
read the OpenSSL key and certificate files - although in this proof of
concept the key and certificate are hard-coded in the sources, not read
from a file.

The SChannel implementation obviously needs a lot of work, but I'm
fairly confident that it's doable, and the new internal SSL API works
for that. Except for the user-visible PQgetssl() functions and such - I
don't know what to do with those.


>> At some point we should design a new API, so that we can deprecate the old
>> one. Even if we don't hve the code ready, we need to get rid of PQgetssl(),
>> and replace it with something else. I'm thinking probably a functoin that
>> returns both a void pointer and an enum that tells you which library is
>> actually in use. And a boolean just saying "ssl on/off", because that's
>> what a lot of clients are interested in and they don't care aobut more than
>> that.
>>
>> Obviously, we also have to do something about PQinitOpenSSL().
>
> Yeah, I think this was one of the more controversial parts. Support in
> the backend was primarily moving code around and renaming functions,
> fairly straightforward.  Even error handling was not so hard (I found
> the gnutls handling of errors much easier than openssl).
>
> One tricky part is that programs like to use libpq for the
> authentication, and then they hijack the connection using PGgetssl().
> The way I dealt with this is defining a new state "passthrough" where
> the caller would get a few function pointers to read/write/check the
> connection.  Then the callers would not need to know what library libpq
> was compiled with.  And libpq would know the connection was hijacked
> and refuse to act anymore.  I don't think everyone was pleased with
> this, but no real alternative was presented (other than requiring
> people hijacking the connection to do the hard work).

Sounds good. If we want to support such hijacking if the first place.

- Heikki

On Wed, Jun 11, 2014 at 7:51 AM, Heikki Linnakangas <hlinnakangas@vmware.com> wrote:
>
>
> I did again the refactoring you did back in 2006, patch attached. One thing
> I did differently: I moved the raw, non-encrypted, read/write functions to
> separate functions: pqsecure_raw_read and pqsecure_raw_write. Those
> functions encapsulate the SIGPIPE handling. The OpenSSL code implements a
> custom BIO, which calls to pqsecure_raw_read/write to do the low-level I/O.
> Similarly in the server-side, there are be_tls_raw_read and pg_tls_raw_write
> functions, which do the prepare_for_client_read()/client_read_ended() dance,
> so that the SSL implementation doesn't need to know about that.

I've tried your 0001 patch, reflecting this refactoring, on Linux and it caused 'make check' to hang at 'starting postmaster'.

The hang seems to be in:

/tmp_check/install//home/jjanes/pgsql/test_ssl/bin/psql -X postgres

with a backtrace of:

#0  0x0000003550edf2f8 in __poll (fds=0x7fff610cbd50, nfds=1, timeout=-1) at ../sysdeps/unix/sysv/linux/poll.c:83
#1  0x00007fcf372035b1 in pqSocketPoll (conn=0x2317770, forRead=1, forWrite=0, end_time=-1) at fe-misc.c:1122
#2  pqSocketCheck (conn=0x2317770, forRead=1, forWrite=0, end_time=-1) at fe-misc.c:1064
#3  0x00007fcf37203630 in pqWaitTimed (forRead=<value optimized out>, forWrite=<value optimized out>, conn=0x2317770, finish_time=<value optimized out>)
    at fe-misc.c:996
#4  0x00007fcf371fe632 in connectDBComplete (conn=0x2317770) at fe-connect.c:1498
#5  0x00007fcf371ff27f in PQconnectdbParams (keywords=<value optimized out>, values=<value optimized out>, expand_dbname=<value optimized out>)
    at fe-connect.c:462
#6  0x0000000000411bb5 in main (argc=<value optimized out>, argv=0x7fff610cc038) at startup.c:219

The make check never times out, like it usually does when something gets stalled.

On 06/24/2014 03:20 AM, Jeff Janes wrote:
> I've tried your 0001 patch, reflecting this refactoring, on Linux and it
> caused 'make check' to hang at 'starting postmaster'.

I found the bug in the code, and I have attached the a patch which you
can apply on top of the patch. The regression tests pass now on my
Debian machine.

One thing I noticed when trying to find the bug is that be-secure.c
still includes some OpenSSL headers. Those should be removed since they
have already been moved to be-secure-openssl.c.

--
Andreas Karlsson

Heikki Linnakangas wrote:

> I did again the refactoring you did back in 2006, patch attached.
> One thing I did differently: I moved the raw, non-encrypted,
> read/write functions to separate functions: pqsecure_raw_read and
> pqsecure_raw_write. Those functions encapsulate the SIGPIPE
> handling. The OpenSSL code implements a custom BIO, which calls to
> pqsecure_raw_read/write to do the low-level I/O.  Similarly in the
> server-side, there are be_tls_raw_read and pg_tls_raw_write
> functions, which do the
> prepare_for_client_read()/client_read_ended() dance, so that the SSL
> implementation doesn't need to know about that.

I'm skimming over this patch (0001).  There are some issues:

* You duplicated the long comment under the IDENTIFICATION tag that was in be-secure.c; it's now both in that file and
alsoin be-secure-openssl.c.  I think it should be removed from be-secure.c. Also, the hardcoded DH params are
duplicatedin be-secure.c, but they belong in -openssl.c only now.
 

* There is some mixup regarding USE_SSL and USE_OPENSSL in be-secure.c. I think anything that's OpenSSL-specific should
bein be-secure-openssl.c only; any new SSL implementation will need to implement all those functions.  For instance,
be_tls_init().I imagine that if we select any SSL implementation, USE_SSL would get defined, and each SSL
implementationwould additionally define its own symbol.  Unless the idea is to get rid of USE_OPENSSL completely, and
useonly the Makefile bit to decide which implementation to use?  If so, then USE_OPENSSL as a preprocessor symbol is
useless...
 

* ssl_renegotiation_limit is also duplicated.  But removing this one is probably not going to be as easy as deleting a
linefrom be-secure.c, because guc.c depends on that one.  I think that variable should be defined in be-secure.c (i.e.
deleteit from -openssl) and make sure that all SSL implementations enforce it on their own somehow.
 

The DISABLE_SIGPIPE thingy looks wrong in pqsecure_write.  I think it
should be like this:

ssize_t
pqsecure_write(PGconn *conn, const void *ptr, size_t len)
{ssize_t        n;

#ifdef USE_SSLif (conn->ssl_in_use){    DECLARE_SIGPIPE_INFO(spinfo);
    DISABLE_SIGPIPE(conn, spinfo, return -1);
    n = pgtls_write(conn, ptr, len);
    RESTORE_SIGPIPE(spinfo);}else 
#endif   /* USE_OPENSSL */{    n = pqsecure_raw_write(conn, ptr, len);}
return n;
}

You are missing the restore call, and I moved the declaration inside the
ssl_in_use block since otherwise it's not useful.  The other path is
fine since pqsecure_raw_write disables and restores the flag by itself.
Also, you're missing DECLARE/DISABLE/RESTORE in the ssl_in_use block in
pqsecure_read.  (The original code does not have that code in the
non-SSL path.  I assume, without checking, that that's okay.)  I also
assume without checking that all SSL implementations would be fine with
this SIGPIPE handling.

Another thing that seems wrong is the REMEMBER_EPIPE stuff.  The
fe-secure-openssl.c code should be setting the flag, but AFAICS only the
non-SSL code is doing it.


Thanks for working on this -- I'm sure many distributors will be happy
to be able to enable other, less license-broken TLS implementations.

-- 
Álvaro Herrera                http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services

On 06/27/2014 02:26 AM, Andreas Karlsson wrote:
> On 06/24/2014 03:20 AM, Jeff Janes wrote:
>> I've tried your 0001 patch, reflecting this refactoring, on Linux and it
>> caused 'make check' to hang at 'starting postmaster'.
>
> I found the bug in the code, and I have attached the a patch which you
> can apply on top of the patch. The regression tests pass now on my
> Debian machine.

Ah, thanks!

> One thing I noticed when trying to find the bug is that be-secure.c
> still includes some OpenSSL headers. Those should be removed since they
> have already been moved to be-secure-openssl.c.

Removed.

Here's a new version of the patch, rebased over master and those two
things fixed.

- Heikki

On 07/11/2014 08:39 PM, Alvaro Herrera wrote:
> Heikki Linnakangas wrote:
>
>> I did again the refactoring you did back in 2006, patch attached.
>> One thing I did differently: I moved the raw, non-encrypted,
>> read/write functions to separate functions: pqsecure_raw_read and
>> pqsecure_raw_write. Those functions encapsulate the SIGPIPE
>> handling. The OpenSSL code implements a custom BIO, which calls to
>> pqsecure_raw_read/write to do the low-level I/O.  Similarly in the
>> server-side, there are be_tls_raw_read and pg_tls_raw_write
>> functions, which do the
>> prepare_for_client_read()/client_read_ended() dance, so that the SSL
>> implementation doesn't need to know about that.
>
> I'm skimming over this patch (0001).  There are some issues:
>
> * You duplicated the long comment under the IDENTIFICATION tag that was
>    in be-secure.c; it's now both in that file and also in
>    be-secure-openssl.c.  I think it should be removed from be-secure.c.
>    Also, the hardcoded DH params are duplicated in be-secure.c, but they
>    belong in -openssl.c only now.

Hmm. Once we add other SSL implementations, shouldn't they share the 
hardcoded DH parameters? That would warrant keeping them in be-secure.c.

> * There is some mixup regarding USE_SSL and USE_OPENSSL in be-secure.c.
>    I think anything that's OpenSSL-specific should be in
>    be-secure-openssl.c only; any new SSL implementation will need to
>    implement all those functions.  For instance, be_tls_init().

Agreed.

>    I imagine that if we select any SSL implementation, USE_SSL would get
>    defined, and each SSL implementation would additionally define its own
>    symbol.

Yeah, that was the idea.

> * ssl_renegotiation_limit is also duplicated.  But removing this one is
>    probably not going to be as easy as deleting a line from be-secure.c,
>    because guc.c depends on that one.  I think that variable should be
>    defined in be-secure.c (i.e. delete it from -openssl) and make sure
>    that all SSL implementations enforce it on their own somehow.

Agreed.

> The DISABLE_SIGPIPE thingy looks wrong in pqsecure_write.  I think it
> should be like this:
>
> ssize_t
> pqsecure_write(PGconn *conn, const void *ptr, size_t len)
> {
>     ssize_t        n;
>
> #ifdef USE_SSL
>     if (conn->ssl_in_use)
>     {
>         DECLARE_SIGPIPE_INFO(spinfo);
>
>         DISABLE_SIGPIPE(conn, spinfo, return -1);
>
>         n = pgtls_write(conn, ptr, len);
>
>         RESTORE_SIGPIPE(spinfo);
>     }
>     else
> #endif   /* USE_OPENSSL */
>     {
>         n = pqsecure_raw_write(conn, ptr, len);
>     }
>
>     return n;
> }
>
> You are missing the restore call, and I moved the declaration inside the
> ssl_in_use block since otherwise it's not useful.  The other path is
> fine since pqsecure_raw_write disables and restores the flag by itself.
> Also, you're missing DECLARE/DISABLE/RESTORE in the ssl_in_use block in
> pqsecure_read.  (The original code does not have that code in the
> non-SSL path.  I assume, without checking, that that's okay.)  I also
> assume without checking that all SSL implementations would be fine with
> this SIGPIPE handling.
>
> Another thing that seems wrong is the REMEMBER_EPIPE stuff.  The
> fe-secure-openssl.c code should be setting the flag, but AFAICS only the
> non-SSL code is doing it.

I think you're missing a change to the way fe-secure-openssl.c now uses 
the OpenSSL library: it defines custom read/write functions, 
my_sock_read and my_sock_write, which in turn call 
pqsecure_raw_read/write. So all the actual I/O now goes through 
pqsecure_raw_read/write. I believe it's therefore enough to put do the 
REMEMBER_EPIPE in pqsecure_raw_write. Come to think of it, 
pqsecure_write() shouldn't be doing any SIGPIGE stuff at all anymore.

- Heikki

On 07/08/2014 08:11 PM, Jeff Janes wrote:
> Is there some recipe for testing the 0002 patch?  Can it be tested on an
> MinGW environment, or does it need to use the MicroSoft supplied compilers?

I used MSVC. It ought to work with MinGW, I think, although you might 
need to tweak the Makefiles to make it compile. Certainly we should 
eventually make it work, before committing. If you try it out, let me 
know how it goes.

- Heikki

Here's a new version of the refactoring patch. I've fixed the issues
reported so far.

Upon looking closer at the SIGPIPE stuff in libpq, I realized that we
can remove this line from fe-secure-openssl.c:

> -               /* We cannot use MSG_NOSIGNAL to block SIGPIPE when using SSL */
> -               conn->sigpipe_flag = false;

That's because all the I/O now goes through our wrapper functions that
do the send/recv, and will use MSG_NOSIGNAL if it's available. That
avoids two syscalls per send. I haven't measured the performance impact
of that - it's probably negligible compared to doing encryption - but
it's still nice to avoid it.

This patch is just refactoring of existing code. It doesn't have any
user-visible changes; the libpq functions that expose OpenSSL stuff are
still intact. Doing something about those are the next phase of this
project.

Please review. I think this is in a good shape, ready for commit.

- Heikki

On 08/06/2014 08:37 PM, Jeff Janes wrote:
> But now it looks like 0002 needs a rebase....

I've committed the refactoring patch, and here's a rebased and improved
version of the Windows SChannel implementation over that.

Server-side support is now implemented too, but it's all very crude and
work-in-progress. CRLs are not supported, intermediary CAs are not
supported, and probably many other bells and whistles are missing too.
But the basics work, including cert authentication. Consider this a
Proof of Concept.

One issue came up with managing private keys: In the server, it's
necessary to import the private key into a permanent key container
that's managed by the Windows Crypto API. That can be done
programmatically (as I do in the patch), but the keys are permanently
stored in the system (in the user's profile). They will be left behind
even if you completely delete the data directory. That's not the end of
the world, but it would be nicer if we could use some kind of a
temporary key container that only lives in memory, but the Crypto API
doesn't seem to have such a concept. You can acquire an ephemeral
context by passing the CRYPT_VERIFYCONTEXT flag to CryptAcquireContext
function, and that's exactly what I'm doing in the client, but that
method doesn't seem to work when acting as an SSL server.

Also, the key container needs to be given a name, or we can use the
default container, but either way all the keys are shared among all
applications that use the same container. We'll have to figure out how
to set that up so that there are no conflicts, if you try to use the
same server certificate for two PostgreSQL instances running on the same
host (useful while developing/testing replication).

This isn't a showstopper, but needs some thought. As the patch stands,
it uses a single key container called "PostgreSQL server key container",
and makes no attempt to delete the keys after they're no longer used.
That works, but it leaves the key lying on the system.

- Heikki

On Tue, Aug 12, 2014 at 1:52 PM, Heikki Linnakangas
<hlinnakangas@vmware.com> wrote:
> This isn't a showstopper, but needs some thought. As the patch stands, it
> uses a single key container called "PostgreSQL server key container", and
> makes no attempt to delete the keys after they're no longer used. That
> works, but it leaves the key lying on the system.

What about using something like 'PostgreSQL ' || system_identifier?

Would it make sense to have pg_ctl unregister delete the key
container, or do we need a separate facility for that?

-- 
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company

On 08/15/2014 08:16 PM, Jeff Janes wrote:
> On Tue, Aug 12, 2014 at 10:52 AM, Heikki Linnakangas <
> hlinnakangas@vmware.com> wrote:
>
>> On 08/06/2014 08:37 PM, Jeff Janes wrote:
>>
>>> But now it looks like 0002 needs a rebase....
>>
>> I've committed the refactoring patch, and here's a rebased and improved
>> version of the Windows SChannel implementation over that.
>
> On MinGW, I get the following error when compiling with options
> --host=x86_64-w64-mingw32 --without-zlib:
>
> be-secure.c: In function 'secure_open_server':
> be-secure.c:106:2: error: 'Port' has no member named 'peer_cn'
> be-secure.c:106:2: error: 'Port' has no member named 'peer_cn'
> make[3]: *** [be-secure.o] Error 1
> make[2]: *** [libpq-recursive] Error 2
> make[1]: *** [all-backend-recurse] Error 2
> make: *** [all-src-recurse] Error 2
>
> Should the ereport DEBUG2 be inside the "#ifdef USE_SSL"?

Yeah.

I've been thinking though, perhaps we should always have the ssl_in_use, 
peer_cn and peer_cert_valid members in the Port struct. If not compiled 
with USE_SSL, they would just always be false/NULL. Then we wouldn't 
need #ifdefs around all the places that check hose fields either.

- Heikki

Heikki Linnakangas <hlinnakangas@vmware.com> writes:
> On 08/15/2014 08:16 PM, Jeff Janes wrote:
>> Should the ereport DEBUG2 be inside the "#ifdef USE_SSL"?

> Yeah.

> I've been thinking though, perhaps we should always have the ssl_in_use, 
> peer_cn and peer_cert_valid members in the Port struct. If not compiled 
> with USE_SSL, they would just always be false/NULL. Then we wouldn't 
> need #ifdefs around all the places that check hose fields either.

+1.  This would also make it less risky for add-on code to touch the Port
struct.
        regards, tom lane

On Tue, Aug 12, 2014 at 1:52 PM, Heikki Linnakangas
<hlinnakangas@vmware.com> wrote:
> On 08/06/2014 08:37 PM, Jeff Janes wrote:
>>
>> But now it looks like 0002 needs a rebase....
>
> I've committed the refactoring patch, and here's a rebased and improved
> version of the Windows SChannel implementation over that.
>
> Server-side support is now implemented too, but it's all very crude and
> work-in-progress. CRLs are not supported, intermediary CAs are not
> supported, and probably many other bells and whistles are missing too. But
> the basics work, including cert authentication. Consider this a Proof of
> Concept.

Heikki, do you have any plans to work more on this?

Or does anyone else?

-- 
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company


-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Robert Haas <robertmhaas@gmail.com> writes:
> Heikki, do you have any plans to work more on this?
> Or does anyone else?

FWIW, I have some interest in the Apple Secure Transport patch that
is in the CF queue, and will probably pick that up at some point if
no one beats me to it (but it's not real high on my to-do list).
I won't be touching the Windows version though.  I suspect that the
folk who might be competent to review the Windows code may have
correspondingly little interest in the macOS patch.  This is a bit
of a problem, since it would be good for someone to look at both of
them, with an eye to whether there are any places in our SSL abstraction
API that ought to be rethought now that we have actual non-OpenSSL
implementations to compare to.
        regards, tom lane


-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

On Wed, Oct 18, 2017 at 2:50 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> Robert Haas <robertmhaas@gmail.com> writes:
>> Heikki, do you have any plans to work more on this?
>> Or does anyone else?
>
> FWIW, I have some interest in the Apple Secure Transport patch that
> is in the CF queue, and will probably pick that up at some point if
> no one beats me to it (but it's not real high on my to-do list).
> I won't be touching the Windows version though.  I suspect that the
> folk who might be competent to review the Windows code may have
> correspondingly little interest in the macOS patch.  This is a bit
> of a problem, since it would be good for someone to look at both of
> them, with an eye to whether there are any places in our SSL abstraction
> API that ought to be rethought now that we have actual non-OpenSSL
> implementations to compare to.

Well, the best way to handle that might be to get some of this stuff
done before we get too much later into the release cycle, so that
there's time to tinker with it before the release goes out the door
(or is deep in beta).  However, if nobody's working on this and the
other patch is someplace far down your to-do list, then I guess that
isn't going to happen.

-- 
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company


-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Tom, Robert, Microsoft is interested in supporting windows SChannel for Postgres. Please let know how we can help
takingthis forward. We would love contributing to this either by enhancing the original patch provided by Heikki, or
testthe changes on Windows. 

Thanks,
Satya

-----Original Message-----
From: pgsql-hackers-owner@postgresql.org [mailto:pgsql-hackers-owner@postgresql.org] On Behalf Of Tom Lane
Sent: Wednesday, October 18, 2017 11:51 AM
To: Robert Haas <robertmhaas@gmail.com>
Cc: hlinnaka <hlinnaka@iki.fi>; Jeff Janes <jeff.janes@gmail.com>; Andreas Karlsson <andreas@proxel.se>; Martijn van
Oosterhout<kleptog@svana.org>; Magnus Hagander <magnus@hagander.net>; PostgreSQL-development
<pgsql-hackers@postgresql.org>
Subject: Re: [HACKERS] Supporting Windows SChannel as OpenSSL replacement

Robert Haas <robertmhaas@gmail.com> writes:
> Heikki, do you have any plans to work more on this?
> Or does anyone else?

FWIW, I have some interest in the Apple Secure Transport patch that is in the CF queue, and will probably pick that up
atsome point if no one beats me to it (but it's not real high on my to-do list). 
I won't be touching the Windows version though.  I suspect that the folk who might be competent to review the Windows
codemay have correspondingly little interest in the macOS patch.  This is a bit of a problem, since it would be good
forsomeone to look at both of them, with an eye to whether there are any places in our SSL abstraction API that ought
tobe rethought now that we have actual non-OpenSSL implementations to compare to. 
        regards, tom lane


--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription:

https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.postgresql.org%2Fmailpref%2Fpgsql-hackers&data=02%7C01%7CSatyanarayana.Narlapuram%40microsoft.com%7C99f781c4865e46f8e69408d5165965f0%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636439495588088189&sdata=4I%2FYNAtDb63%2BGbSIgh6XVmfKZlbq1YewZ2mkAJkQVKE%3D&reserved=0


--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

On Thu, Oct 19, 2017 at 1:15 AM, Satyanarayana Narlapuram
<Satyanarayana.Narlapuram@microsoft.com> wrote:
> Tom, Robert, Microsoft is interested in supporting windows SChannel for Postgres. Please let know how we can help
takingthis forward. We would love contributing to this either by enhancing the original patch provided by Heikki, or
testthe changes on Windows. 

That would be great!  I think the first thing to do would be look over
Heikki's comments about what was left to be done and maybe try to do
some of those things.  And then test the result.  :-)

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company


--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers