
Commit 680513a

committed
Break out OpenSSL-specific code to separate files.
This refactoring is in preparation for adding support for other SSL implementations, with no user-visible effects. There are now two #defines, USE_OPENSSL which is defined when building with OpenSSL, and USE_SSL which is defined when building with any SSL implementation. Currently, OpenSSL is the only implementation so the two #defines go together, but USE_SSL is supposed to be used for implementation-independent code. The libpq SSL code is changed to use a custom BIO, which does all the raw I/O, like we've been doing in the backend for a long time. That makes it possible to use MSG_NOSIGNAL to block SIGPIPE when using SSL, which avoids a couple of syscalls for each send(). Probably doesn't make much performance difference in practice - the SSL encryption is expensive enough to mask the effect - but it was a natural result of this refactoring. Based on a patch by Martijn van Oosterhout from 2006. Briefly reviewed by Alvaro Herrera, Andreas Karlsson, Jeff Janes.
1 parent 6aa6158 commit 680513a

26 files changed

+2771
-2417
lines changed

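--- a/configure
+++ b/configure
@@ -5492,7 +5492,7 @@ if test "${with_openssl+set}" = set; then :
 case $withval in
 yes)
 
-$as_echo "#define USE_SSL 1" >>confdefs.h
+$as_echo "#define USE_OPENSSL 1" >>confdefs.h
 
 ;;
 no)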

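--- a/configure.in
+++ b/configure.in
@@ -657,7 +657,7 @@ AC_MSG_RESULT([$with_bonjour])
 #
 AC_MSG_CHECKING([whether to build with OpenSSL support])
 PGAC_ARG_BOOL(with, openssl, no, [build with OpenSSL support],
-[AC_DEFINE([USE_SSL], 1, [Define to build with (Open)SSL support. (--with-openssl)])])
+[AC_DEFINE([USE_OPENSSL], 1, [Define to build with OpenSSL support. (--with-openssl)])])
 AC_MSG_RESULT([$with_openssl])
 AC_SUBST(with_openssl)
 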

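--- a/src/backend/libpq/Makefile
+++ b/src/backend/libpq/Makefile
@@ -17,4 +17,8 @@ include $(top_builddir)/src/Makefile.global
 OBJS = be-fsstubs.o be-secure.o auth.o crypt.o hba.o ip.o md5.o pqcomm.o \
 pqformat.o pqsignal.o
 
+ifeq ($(with_openssl),yes)
+OBJS += be-secure-openssl.o
+endif
+
 include $(top_srcdir)/src/backend/common.mk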

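--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -161,7 +161,7 @@ static int pg_SSPI_recvauth(Port *port);
 * RADIUS Authentication
 *----------------------------------------------------------------
 */
-#ifdef USE_SSL
+#ifdef USE_OPENSSL
 #include <openssl/rand.h>
 #endif
 static int CheckRADIUSAuth(Port *port);
@@ -330,7 +330,7 @@ ClientAuthentication(Port *port)
 * already if it didn't verify ok.
 */
 #ifdef USE_SSL
-if (!port->peer)
+if (!port->peer_cert_valid)
 {
 ereport(FATAL,
 (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
@@ -378,7 +378,7 @@ ClientAuthentication(Port *port)
 (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
 errmsg("pg_hba.conf rejects replication connection for host \"%s\", user \"%s\", %s",
 hostinfo, port->user_name,
-port->ssl ? _("SSL on") : _("SSL off"))));
+port->ssl_in_use ? _("SSL on") : _("SSL off"))));
 #else
 ereport(FATAL,
 (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
@@ -394,7 +394,7 @@ ClientAuthentication(Port *port)
 errmsg("pg_hba.conf rejects connection for host \"%s\", user \"%s\", database \"%s\", %s",
 hostinfo, port->user_name,
 port->database_name,
-port->ssl ? _("SSL on") : _("SSL off"))));
+port->ssl_in_use ? _("SSL on") : _("SSL off"))));
 #else
 ereport(FATAL,
 (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
@@ -452,7 +452,7 @@ ClientAuthentication(Port *port)
 (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
 errmsg("no pg_hba.conf entry for replication connection from host \"%s\", user \"%s\", %s",
 hostinfo, port->user_name,
-port->ssl ? _("SSL on") : _("SSL off")),
+port->ssl_in_use ? _("SSL on") : _("SSL off")),
 HOSTNAME_LOOKUP_DETAIL(port)));
 #else
 ereport(FATAL,
@@ -470,7 +470,7 @@ ClientAuthentication(Port *port)
 errmsg("no pg_hba.conf entry for host \"%s\", user \"%s\", database \"%s\", %s",
 hostinfo, port->user_name,
 port->database_name,
-port->ssl ? _("SSL on") : _("SSL off")),
+port->ssl_in_use ? _("SSL on") : _("SSL off")),
 HOSTNAME_LOOKUP_DETAIL(port)));
 #else
 ereport(FATAL,
@@ -2315,7 +2315,7 @@ CheckRADIUSAuth(Port *port)
 /* Construct RADIUS packet */
 packet->code = RADIUS_ACCESS_REQUEST;
 packet->length = RADIUS_HEADER_LENGTH;
-#ifdef USE_SSL
+#ifdef USE_OPENSSL
 if (RAND_bytes(packet->vector, RADIUS_VECTOR_LENGTH) != 1)
 {
 ereport(LOG,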
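Review bot: The client-certificate gate in the second hunk (`if (!port->peer_cert_valid)` in ClientAuthentication) now trusts a boolean instead of the presence of a peer certificate object, and nothing at the check states the contract that flag must satisfy. Since the commit prepares for additional SSL implementations, each one will have to set the flag only after the client certificate chain has verified and leave it false on every other path, including a connection without SSL; the field's definition and the code that sets it are not visible on this page, so that is presumably the intent but should be confirmed. I would add a comment above the check such as `/* peer_cert_valid is set by the SSL implementation only after the client cert chain verified; it must be false otherwise */`. ClientAuthentication's body starts and ends outside the hunk.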
