npgsql
diff --git a/‎src/Npgsql/Internal/NpgsqlConnector.cs‎
Lines changed: 123 additions & 103 deletions b/‎src/Npgsql/Internal/NpgsqlConnector.cs‎
Lines changed: 123 additions & 103 deletions
diff --git a/‎src/Npgsql/Internal/TypeMapping/TypeMapper.cs‎
Lines changed: 1 addition & 1 deletion b/‎src/Npgsql/Internal/TypeMapping/TypeMapper.cs‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/Npgsql/NpgsqlDataSource.cs‎
Lines changed: 2 additions & 0 deletions b/‎src/Npgsql/NpgsqlDataSource.cs‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎src/Npgsql/NpgsqlDataSourceBuilder.cs‎
Lines changed: 22 additions & 0 deletions b/‎src/Npgsql/NpgsqlDataSourceBuilder.cs‎
Lines changed: 22 additions & 0 deletions
diff --git a/‎src/Npgsql/NpgsqlDataSourceConfiguration.cs‎
Lines changed: 3 additions & 0 deletions b/‎src/Npgsql/NpgsqlDataSourceConfiguration.cs‎
Lines changed: 3 additions & 0 deletions
@@ -283,7 +283,7 @@ internal bool PostgresCancellationPerformed
     internal bool AttemptPostgresCancellation { get; private set; }
     static readonly TimeSpan _cancelImmediatelyTimeout = TimeSpan.FromMilliseconds(-1);
 
-    X509Certificate2? _certificate;
+    IDisposable? _certificate;
 
     internal NpgsqlLoggingConfiguration LoggingConfiguration { get; }
 
@@ -786,8 +786,12 @@ async Task RawOpen(SslMode sslMode, NpgsqlTimeout timeout, bool async, Cancellat
 
             IsSecure = false;
 
-            if (sslMode is SslMode.Prefer or SslMode.Require or SslMode.VerifyCA or SslMode.VerifyFull)
+            if ((sslMode is SslMode.Prefer && DataSource.EncryptionNegotiator is not null) ||
+                sslMode is SslMode.Require or SslMode.VerifyCA or SslMode.VerifyFull)
             {
+                if (DataSource.EncryptionNegotiator is null)
+                    throw new InvalidOperationException(NpgsqlStrings.EncryptionDisabled);
+
                 WriteSslRequest();
                 await Flush(async, cancellationToken);
 
@@ -804,136 +808,152 @@ async Task RawOpen(SslMode sslMode, NpgsqlTimeout timeout, bool async, Cancellat
                         throw new NpgsqlException("SSL connection requested. No SSL enabled connection from this host is configured.");
                     break;
                 case 'S':
-                    var clientCertificates = new X509Certificate2Collection();
-                    var certPath = Settings.SslCertificate ?? PostgresEnvironment.SslCert ?? PostgresEnvironment.SslCertDefault;
+                    await DataSource.EncryptionNegotiator(this, sslMode, timeout, async, isFirstAttempt);
+                    break;
+                }
 
-                    if (certPath != null)
-                    {
-                        var password = Settings.SslPassword;
+                if (ReadBuffer.ReadBytesLeft > 0)
+                    throw new NpgsqlException("Additional unencrypted data received after SSL negotiation - this should never happen, and may be an indication of a man-in-the-middle attack.");
+            }
 
-                        if (Path.GetExtension(certPath).ToUpperInvariant() != ".PFX")
-                        {
+            ConnectionLogger.LogTrace("Socket connected to {Host}:{Port}", Host, Port);
+        }
+        catch
+        {
+            _stream?.Dispose();
+            _stream = null!;
+
+            _baseStream?.Dispose();
+            _baseStream = null!;
+
+            _socket?.Dispose();
+            _socket = null!;
+
+            throw;
+        }
+    }
+
+    internal async Task NegotiateEncryption(SslMode sslMode, NpgsqlTimeout timeout, bool async, bool isFirstAttempt)
+    {
+        var clientCertificates = new X509Certificate2Collection();
+        var certPath = Settings.SslCertificate ?? PostgresEnvironment.SslCert ?? PostgresEnvironment.SslCertDefault;
+
+        if (certPath != null)
+        {
+            var password = Settings.SslPassword;
+
+            X509Certificate2? cert = null;
+            if (Path.GetExtension(certPath).ToUpperInvariant() != ".PFX")
+            {
 #if NET5_0_OR_GREATER
-                            // It's PEM time
-                            var keyPath = Settings.SslKey ?? PostgresEnvironment.SslKey ?? PostgresEnvironment.SslKeyDefault;
-                            _certificate = string.IsNullOrEmpty(password)
-                                ? X509Certificate2.CreateFromPemFile(certPath, keyPath)
-                                : X509Certificate2.CreateFromEncryptedPemFile(certPath, password, keyPath);
-                            if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
-                            {
-                                // Windows crypto API has a bug with pem certs
-                                // See #3650
-                                using var previousCert = _certificate;
-                                _certificate = new X509Certificate2(_certificate.Export(X509ContentType.Pkcs12));
-                            }
+                // It's PEM time
+                var keyPath = Settings.SslKey ?? PostgresEnvironment.SslKey ?? PostgresEnvironment.SslKeyDefault;
+                cert = string.IsNullOrEmpty(password)
+                    ? X509Certificate2.CreateFromPemFile(certPath, keyPath)
+                    : X509Certificate2.CreateFromEncryptedPemFile(certPath, password, keyPath);
+                if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
+                {
+                    // Windows crypto API has a bug with pem certs
+                    // See #3650
+                    using var previousCert = cert;
+                    cert = new X509Certificate2(cert.Export(X509ContentType.Pkcs12));
+                }
+
 #else
-                            // Technically PEM certificates are supported as of .NET 5 but we don't build for the net5.0
-                            // TFM anymore since .NET 5 is out of support
-                            // This is a breaking change for .NET 5 as of Npgsql 8!
-                            throw new NotSupportedException("PEM certificates are only supported with .NET 6 and higher");
+                // Technically PEM certificates are supported as of .NET 5 but we don't build for the net5.0
+                // TFM anymore since .NET 5 is out of support
+                // This is a breaking change for .NET 5 as of Npgsql 8!
+                throw new NotSupportedException("PEM certificates are only supported with .NET 6 and higher");
 #endif
-                        }
+            }
 
-                        _certificate ??= new X509Certificate2(certPath, password);
-                        clientCertificates.Add(_certificate);
-                    }
+            cert ??= new X509Certificate2(certPath, password);
+            clientCertificates.Add(cert);
 
-                    ClientCertificatesCallback?.Invoke(clientCertificates);
+            _certificate = cert;
+        }
 
-                    var checkCertificateRevocation = Settings.CheckCertificateRevocation;
+        try
+        {
+            ClientCertificatesCallback?.Invoke(clientCertificates);
 
-                    RemoteCertificateValidationCallback? certificateValidationCallback;
-                    X509Certificate2? caCert;
-                    string? certRootPath = null;
+            var checkCertificateRevocation = Settings.CheckCertificateRevocation;
 
-                    if (UserCertificateValidationCallback is not null)
-                    {
-                        if (sslMode is SslMode.VerifyCA or SslMode.VerifyFull)
-                            throw new ArgumentException(string.Format(NpgsqlStrings.CannotUseSslVerifyWithUserCallback, sslMode));
+            RemoteCertificateValidationCallback? certificateValidationCallback;
+            X509Certificate2? caCert;
+            string? certRootPath = null;
 
-                        if (Settings.RootCertificate is not null)
-                            throw new ArgumentException(NpgsqlStrings.CannotUseSslRootCertificateWithUserCallback);
+            if (UserCertificateValidationCallback is not null)
+            {
+                if (sslMode is SslMode.VerifyCA or SslMode.VerifyFull)
+                    throw new ArgumentException(string.Format(NpgsqlStrings.CannotUseSslVerifyWithUserCallback, sslMode));
 
-                        if (DataSource.RootCertificateCallback is not null)
-                            throw new ArgumentException(NpgsqlStrings.CannotUseValidationRootCertificateCallbackWithUserCallback);
+                if (Settings.RootCertificate is not null)
+                    throw new ArgumentException(NpgsqlStrings.CannotUseSslRootCertificateWithUserCallback);
 
-                        certificateValidationCallback = UserCertificateValidationCallback;
-                    }
-                    else if (sslMode is SslMode.Prefer or SslMode.Require)
-                    {
-                        if (isFirstAttempt && sslMode is SslMode.Require && !Settings.TrustServerCertificate)
-                            throw new ArgumentException(NpgsqlStrings.CannotUseSslModeRequireWithoutTrustServerCertificate);
+                if (DataSource.RootCertificateCallback is not null)
+                    throw new ArgumentException(NpgsqlStrings.CannotUseValidationRootCertificateCallbackWithUserCallback);
 
-                        certificateValidationCallback = SslTrustServerValidation;
-                        checkCertificateRevocation = false;
-                    }
-                    else if ((caCert = DataSource.RootCertificateCallback?.Invoke()) is not null ||
-                             (certRootPath = Settings.RootCertificate ??
-                                             PostgresEnvironment.SslCertRoot ?? PostgresEnvironment.SslCertRootDefault) is not null)
-                    {
-                        certificateValidationCallback = SslRootValidation(sslMode == SslMode.VerifyFull, certRootPath, caCert);
-                    }
-                    else if (sslMode == SslMode.VerifyCA)
-                    {
-                        certificateValidationCallback = SslVerifyCAValidation;
-                    }
-                    else
-                    {
-                        Debug.Assert(sslMode == SslMode.VerifyFull);
-                        certificateValidationCallback = SslVerifyFullValidation;
-                    }
+                certificateValidationCallback = UserCertificateValidationCallback;
+            }
+            else if (sslMode is SslMode.Prefer or SslMode.Require)
+            {
+                if (isFirstAttempt && sslMode is SslMode.Require && !Settings.TrustServerCertificate)
+                    throw new ArgumentException(NpgsqlStrings.CannotUseSslModeRequireWithoutTrustServerCertificate);
+
+                certificateValidationCallback = SslTrustServerValidation;
+                checkCertificateRevocation = false;
+            }
+            else if ((caCert = DataSource.RootCertificateCallback?.Invoke()) is not null ||
+                     (certRootPath = Settings.RootCertificate ??
+                                     PostgresEnvironment.SslCertRoot ?? PostgresEnvironment.SslCertRootDefault) is not null)
+            {
+                certificateValidationCallback = SslRootValidation(sslMode == SslMode.VerifyFull, certRootPath, caCert);
+            }
+            else if (sslMode == SslMode.VerifyCA)
+            {
+                certificateValidationCallback = SslVerifyCAValidation;
+            }
+            else
+            {
+                Debug.Assert(sslMode == SslMode.VerifyFull);
+                certificateValidationCallback = SslVerifyFullValidation;
+            }
 
-                    timeout.CheckAndApply(this);
+            timeout.CheckAndApply(this);
 
-                    try
-                    {
-                        var sslStream = new SslStream(_stream, leaveInnerStreamOpen: false, certificateValidationCallback);
+            try
+            {
+                var sslStream = new SslStream(_stream, leaveInnerStreamOpen: false, certificateValidationCallback);
 
-                        var sslProtocols = SslProtocols.None;
+                var sslProtocols = SslProtocols.None;
 #if NETSTANDARD2_0
-                        // On .NET Framework SslProtocols.None can be disabled, see #3718
-                        sslProtocols = SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12;
+                // On .NET Framework SslProtocols.None can be disabled, see #3718
+                sslProtocols = SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12;
 #endif
 
-                        if (async)
-                            await sslStream.AuthenticateAsClientAsync(Host, clientCertificates, sslProtocols, checkCertificateRevocation);
-                        else
-                            sslStream.AuthenticateAsClient(Host, clientCertificates, sslProtocols, checkCertificateRevocation);
-
-                        _stream = sslStream;
-                    }
-                    catch (Exception e)
-                    {
-                        throw new NpgsqlException("Exception while performing SSL handshake", e);
-                    }
-
-                    ReadBuffer.Underlying = _stream;
-                    WriteBuffer.Underlying = _stream;
-                    IsSecure = true;
-                    ConnectionLogger.LogTrace("SSL negotiation successful");
-                    break;
-                }
+                if (async)
+                    await sslStream.AuthenticateAsClientAsync(Host, clientCertificates, sslProtocols, checkCertificateRevocation);
+                else
+                    sslStream.AuthenticateAsClient(Host, clientCertificates, sslProtocols, checkCertificateRevocation);
 
-                if (ReadBuffer.ReadBytesLeft > 0)
-                    throw new NpgsqlException("Additional unencrypted data received after SSL negotiation - this should never happen, and may be an indication of a man-in-the-middle attack.");
+                _stream = sslStream;
+            }
+            catch (Exception e)
+            {
+                throw new NpgsqlException("Exception while performing SSL handshake", e);
             }
 
-            ConnectionLogger.LogTrace("Socket connected to {Host}:{Port}", Host, Port);
+            ReadBuffer.Underlying = _stream;
+            WriteBuffer.Underlying = _stream;
+            IsSecure = true;
+            ConnectionLogger.LogTrace("SSL negotiation successful");
         }
         catch
         {
             _certificate?.Dispose();
             _certificate = null;
 
-            _stream?.Dispose();
-            _stream = null!;
-
-            _baseStream?.Dispose();
-            _baseStream = null!;
-
-            _socket?.Dispose();
-            _socket = null!;
-
             throw;
         }
     }
 
@@ -305,7 +305,7 @@ internal NpgsqlTypeHandler ResolveByDataTypeName(string typeName)
             case PostgresMultirangeType:
                 return throwOnError
                     ? throw new NotSupportedException(
-                        $"'{pgType}' is a range type; please call {nameof(NpgsqlRangeExtensions.UseRange)} on {nameof(NpgsqlDataSourceBuilder)} or on {nameof(NpgsqlConnection)}.{nameof(NpgsqlConnection.GlobalTypeMapper)} to enable ranges. " +
+                        $"'{pgType}' is a range type; please call {nameof(NpgsqlSlimDataSourceBuilder.EnableRanges)} on {nameof(NpgsqlSlimDataSourceBuilder)} to enable ranges. " +
                         "See https://www.npgsql.org/doc/types/ranges.html for more information.")
                     : null;
 #pragma warning restore CS0618
 
@@ -43,6 +43,7 @@ public abstract class NpgsqlDataSource : DbDataSource
     /// </summary>
     internal NpgsqlDatabaseInfo DatabaseInfo { get; set; } = null!; // Initialized at bootstrapping
 
+    internal Func<NpgsqlConnector, SslMode, NpgsqlTimeout, bool, bool, Task>? EncryptionNegotiator { get; }
     internal RemoteCertificateValidationCallback? UserCertificateValidationCallback { get; }
     internal Action<X509CertificateCollection>? ClientCertificatesCallback { get; }
 
@@ -89,6 +90,7 @@ internal NpgsqlDataSource(
         Configuration = dataSourceConfig;
 
         (LoggingConfiguration,
+                EncryptionNegotiator,
                 UserCertificateValidationCallback,
                 ClientCertificatesCallback,
                 _periodicPasswordProvider,
 
@@ -2,11 +2,13 @@
 using System.Diagnostics.CodeAnalysis;
 using System.Net.Security;
 using System.Security.Cryptography.X509Certificates;
+using System.Text.Json;
 using System.Threading;
 using System.Threading.Tasks;
 using Microsoft.Extensions.Logging;
 using Npgsql.Internal.TypeHandling;
 using Npgsql.TypeMapping;
+using NpgsqlTypes;
 
 namespace Npgsql;
 
@@ -200,6 +202,25 @@ public NpgsqlDataSourceBuilder UsePeriodicPasswordProvider(
     public void AddTypeResolverFactory(TypeHandlerResolverFactory resolverFactory)
         => _internalBuilder.AddTypeResolverFactory(resolverFactory);
 
+    /// <summary>
+    /// Sets up System.Text.Json mappings for the PostgreSQL <c>json</c> and <c>jsonb</c> types.
+    /// </summary>
+    /// <param name="serializerOptions">Options to customize JSON serialization and deserialization.</param>
+    /// <param name="jsonbClrTypes">
+    /// A list of CLR types to map to PostgreSQL <c>jsonb</c> (no need to specify <see cref="NpgsqlDbType.Jsonb" />).
+    /// </param>
+    /// <param name="jsonClrTypes">
+    /// A list of CLR types to map to PostgreSQL <c>json</c> (no need to specify <see cref="NpgsqlDbType.Json" />).
+    /// </param>
+    public NpgsqlDataSourceBuilder UseSystemTextJson(
+        JsonSerializerOptions? serializerOptions = null,
+        Type[]? jsonbClrTypes = null,
+        Type[]? jsonClrTypes = null)
+    {
+        AddTypeResolverFactory(new JsonTypeHandlerResolverFactory(jsonbClrTypes, jsonClrTypes, serializerOptions));
+        return this;
+    }
+
     /// <inheritdoc />
     public INpgsqlTypeMapper MapEnum<TEnum>(string? pgName = null, INpgsqlNameTranslator? nameTranslator = null)
         where TEnum : struct, Enum
@@ -291,6 +312,7 @@ public NpgsqlMultiHostDataSource BuildMultiHost()
 
     void AddDefaultFeatures()
     {
+        _internalBuilder.EnableEncryption();
         _internalBuilder.AddDefaultTypeResolverFactory(new JsonTypeHandlerResolverFactory());
         _internalBuilder.AddDefaultTypeResolverFactory(new RangeTypeHandlerResolverFactory());
     }
 
@@ -4,13 +4,16 @@
 using System.Security.Cryptography.X509Certificates;
 using System.Threading;
 using System.Threading.Tasks;
+using Npgsql.Internal;
 using Npgsql.Internal.TypeHandling;
 using Npgsql.Internal.TypeMapping;
+using Npgsql.Util;
 
 namespace Npgsql;
 
 sealed record NpgsqlDataSourceConfiguration(
     NpgsqlLoggingConfiguration LoggingConfiguration,
+    Func<NpgsqlConnector, SslMode, NpgsqlTimeout, bool, bool, Task>? EncryptionNegotiator,
     RemoteCertificateValidationCallback? UserCertificateValidationCallback,
     Action<X509CertificateCollection>? ClientCertificatesCallback,
     Func<NpgsqlConnectionStringBuilder, CancellationToken, ValueTask<string>>? PeriodicPasswordProvider,