Header And Logo

PostgreSQL
| The world's most advanced open source database.

Functions | Variables

be-secure.c File Reference

#include "postgres.h"
#include <sys/stat.h>
#include <signal.h>
#include <fcntl.h>
#include <ctype.h>
#include <sys/socket.h>
#include <unistd.h>
#include <netdb.h>
#include <netinet/in.h>
#include "libpq/libpq.h"
#include "tcop/tcopprot.h"
#include "utils/memutils.h"
Include dependency graph for be-secure.c:

Go to the source code of this file.

Functions

int secure_initialize (void)
bool secure_loaded_verify_locations (void)
int secure_open_server (Port *port)
void secure_close (Port *port)
ssize_t secure_read (Port *port, void *ptr, size_t len)
ssize_t secure_write (Port *port, void *ptr, size_t len)

Variables

char * ssl_cert_file
char * ssl_key_file
char * ssl_ca_file
char * ssl_crl_file
int ssl_renegotiation_limit
char * SSLCipherSuites = NULL

Function Documentation

void secure_close ( Port port  ) 

Definition at line 228 of file be-secure.c.

Referenced by ConnFree(), and pq_close().

{
#ifdef USE_SSL
    if (port->ssl)
        close_SSL(port);
#endif
}

int secure_initialize ( void   ) 

Definition at line 187 of file be-secure.c.

Referenced by PostmasterMain().

{
#ifdef USE_SSL
    initialize_SSL();
#endif

    return 0;
}

bool secure_loaded_verify_locations ( void   ) 

Definition at line 200 of file be-secure.c.

Referenced by parse_hba_auth_opt().

{
#ifdef USE_SSL
    return ssl_loaded_verify_locations;
#else
    return false;
#endif
}

int secure_open_server ( Port port  ) 

Definition at line 213 of file be-secure.c.

Referenced by ProcessStartupPacket().

{
    int         r = 0;

#ifdef USE_SSL
    r = open_server_SSL(port);
#endif

    return r;
}

ssize_t secure_read ( Port port,
void *  ptr,
size_t  len 
)

Definition at line 240 of file be-secure.c.

References client_read_ended(), COMMERROR, ereport, errcode(), errmsg(), Port::noblock, pgwin32_waitforsinglesocket(), prepare_for_client_read(), recv, and Port::sock.

Referenced by pq_getbyte_if_available(), and pq_recvbuf().

{
    ssize_t     n;

#ifdef USE_SSL
    if (port->ssl)
    {
        int         err;

rloop:
        errno = 0;
        n = SSL_read(port->ssl, ptr, len);
        err = SSL_get_error(port->ssl, n);
        switch (err)
        {
            case SSL_ERROR_NONE:
                port->count += n;
                break;
            case SSL_ERROR_WANT_READ:
            case SSL_ERROR_WANT_WRITE:
                if (port->noblock)
                {
                    errno = EWOULDBLOCK;
                    n = -1;
                    break;
                }
#ifdef WIN32
                pgwin32_waitforsinglesocket(SSL_get_fd(port->ssl),
                                            (err == SSL_ERROR_WANT_READ) ?
                                    FD_READ | FD_CLOSE : FD_WRITE | FD_CLOSE,
                                            INFINITE);
#endif
                goto rloop;
            case SSL_ERROR_SYSCALL:
                /* leave it to caller to ereport the value of errno */
                if (n != -1)
                {
                    errno = ECONNRESET;
                    n = -1;
                }
                break;
            case SSL_ERROR_SSL:
                ereport(COMMERROR,
                        (errcode(ERRCODE_PROTOCOL_VIOLATION),
                         errmsg("SSL error: %s", SSLerrmessage())));
                /* fall through */
            case SSL_ERROR_ZERO_RETURN:
                errno = ECONNRESET;
                n = -1;
                break;
            default:
                ereport(COMMERROR,
                        (errcode(ERRCODE_PROTOCOL_VIOLATION),
                         errmsg("unrecognized SSL error code: %d",
                                err)));
                n = -1;
                break;
        }
    }
    else
#endif
    {
        prepare_for_client_read();

        n = recv(port->sock, ptr, len, 0);

        client_read_ended();
    }

    return n;
}

ssize_t secure_write ( Port port,
void *  ptr,
size_t  len 
)

Definition at line 316 of file be-secure.c.

References COMMERROR, ereport, errcode(), errmsg(), pgwin32_waitforsinglesocket(), send, Port::sock, and ssl_renegotiation_limit.

Referenced by internal_flush().

{
    ssize_t     n;

#ifdef USE_SSL
    if (port->ssl)
    {
        int         err;

        if (ssl_renegotiation_limit && port->count > ssl_renegotiation_limit * 1024L)
        {
            SSL_set_session_id_context(port->ssl, (void *) &SSL_context,
                                       sizeof(SSL_context));
            if (SSL_renegotiate(port->ssl) <= 0)
                ereport(COMMERROR,
                        (errcode(ERRCODE_PROTOCOL_VIOLATION),
                         errmsg("SSL renegotiation failure")));
            if (SSL_do_handshake(port->ssl) <= 0)
                ereport(COMMERROR,
                        (errcode(ERRCODE_PROTOCOL_VIOLATION),
                         errmsg("SSL renegotiation failure")));
            if (port->ssl->state != SSL_ST_OK)
                ereport(COMMERROR,
                        (errcode(ERRCODE_PROTOCOL_VIOLATION),
                         errmsg("SSL failed to send renegotiation request")));
            port->ssl->state |= SSL_ST_ACCEPT;
            SSL_do_handshake(port->ssl);
            if (port->ssl->state != SSL_ST_OK)
                ereport(COMMERROR,
                        (errcode(ERRCODE_PROTOCOL_VIOLATION),
                         errmsg("SSL renegotiation failure")));
            port->count = 0;
        }

wloop:
        errno = 0;
        n = SSL_write(port->ssl, ptr, len);
        err = SSL_get_error(port->ssl, n);
        switch (err)
        {
            case SSL_ERROR_NONE:
                port->count += n;
                break;
            case SSL_ERROR_WANT_READ:
            case SSL_ERROR_WANT_WRITE:
#ifdef WIN32
                pgwin32_waitforsinglesocket(SSL_get_fd(port->ssl),
                                            (err == SSL_ERROR_WANT_READ) ?
                                    FD_READ | FD_CLOSE : FD_WRITE | FD_CLOSE,
                                            INFINITE);
#endif
                goto wloop;
            case SSL_ERROR_SYSCALL:
                /* leave it to caller to ereport the value of errno */
                if (n != -1)
                {
                    errno = ECONNRESET;
                    n = -1;
                }
                break;
            case SSL_ERROR_SSL:
                ereport(COMMERROR,
                        (errcode(ERRCODE_PROTOCOL_VIOLATION),
                         errmsg("SSL error: %s", SSLerrmessage())));
                /* fall through */
            case SSL_ERROR_ZERO_RETURN:
                errno = ECONNRESET;
                n = -1;
                break;
            default:
                ereport(COMMERROR,
                        (errcode(ERRCODE_PROTOCOL_VIOLATION),
                         errmsg("unrecognized SSL error code: %d",
                                err)));
                n = -1;
                break;
        }
    }
    else
#endif
        n = send(port->sock, ptr, len, 0);

    return n;
}


Variable Documentation

char* ssl_ca_file

Definition at line 94 of file be-secure.c.

Definition at line 92 of file be-secure.c.

char* ssl_crl_file

Definition at line 95 of file be-secure.c.

char* ssl_key_file

Definition at line 93 of file be-secure.c.

Definition at line 102 of file be-secure.c.

Referenced by secure_write().

char* SSLCipherSuites = NULL

Definition at line 110 of file be-secure.c.