Hi Everyone,
I’ve ran into an issue where the OpenSSL API function “ssl_get_fd” fails, due to the underlying BIO object created by Postgres is not being flagged properly.
Previous to OpenSSL version 1.1.0, the BIO methods object would be copied directly from the existing socket type and then its read\write functions would be replaced.
With 1.1.0 and up, the object is created from scratch and then all its methods are initialized to be the ones of the socket type, except read/write which are custom.
In this newer way, a new type is given to it by calling “BIO_get_new_index”, but the related type flags aren’t added.
For more information please see: https://www.openssl.org/docs/man1.1.0/man3/BIO_get_new_index.html
In this case, the type should have both BIO_TYPE_SOURCE_SINK and BIO_TYPE_DESCRIPTOR.
The proposed patch will add these flags to the BIO type on creation. I have compiled it with OpenSSL, enabled encryption and verified that basic queries work fine.
I don’t believe this affects Postgres, since the code has been this way for 5 years. I ran into it because I’m writing auditing code that hooks on Postgres calls. I’ve already found a workaround by adding these flags myself with an additional hook, but thought it would be worth bringing up here and see if you think it’s worth patching.
Regards,
Itamar Gafni
Imperva
-------------------------------------------
NOTICE:
This email and all attachments are confidential, may be proprietary, and may be privileged or otherwise protected from disclosure. They are intended solely for the individual or entity to whom the email is addressed. However, mistakes sometimes happen in addressing emails. If you believe that you are not an intended recipient, please stop reading immediately. Do not copy, forward, or rely on the contents in any way. Notify the sender and/or Imperva, Inc. by telephone at +1 (650) 832-6006 and then delete or destroy any copy of this email and its attachments. The sender reserves and asserts all rights to confidentiality, as well as any privileges that may apply. Any disclosure, copying, distribution or action taken or omitted to be taken by an unintended recipient in reliance on this message is prohibited and may be unlawful.
Please consider the environment before printing this email.