
Commit 680513a

committed
Break out OpenSSL-specific code to separate files.
This refactoring is in preparation for adding support for other SSL implementations, with no user-visible effects. There are now two #defines, USE_OPENSSL which is defined when building with OpenSSL, and USE_SSL which is defined when building with any SSL implementation. Currently, OpenSSL is the only implementation so the two #defines go together, but USE_SSL is supposed to be used for implementation-independent code. The libpq SSL code is changed to use a custom BIO, which does all the raw I/O, like we've been doing in the backend for a long time. That makes it possible to use MSG_NOSIGNAL to block SIGPIPE when using SSL, which avoids a couple of syscalls for each send(). Probably doesn't make much performance difference in practice - the SSL encryption is expensive enough to mask the effect - but it was a natural result of this refactoring. Based on a patch by Martijn van Oosterhout from 2006. Briefly reviewed by Alvaro Herrera, Andreas Karlsson, Jeff Janes.
1 parent 6aa6158 commit 680513a

26 files changed

+2771
-2417
lines changed

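--- a/configure
+++ b/configure
@@ -5492,7 +5492,7 @@ if test "${with_openssl+set}" = set; then :
 case $withval in
 yes)
 
-$as_echo "#define USE_SSL 1" >>confdefs.h
+$as_echo "#define USE_OPENSSL 1" >>confdefs.h
 
 ;;
 no)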

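--- a/configure.in
+++ b/configure.in
@@ -657,7 +657,7 @@ AC_MSG_RESULT([$with_bonjour])
 #
 AC_MSG_CHECKING([whether to build with OpenSSL support])
 PGAC_ARG_BOOL(with, openssl, no, [build with OpenSSL support],
-[AC_DEFINE([USE_SSL], 1, [Define to build with (Open)SSL support. (--with-openssl)])])
+[AC_DEFINE([USE_OPENSSL], 1, [Define to build with OpenSSL support. (--with-openssl)])])
 AC_MSG_RESULT([$with_openssl])
 AC_SUBST(with_openssl)
 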

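--- a/src/backend/libpq/Makefile
+++ b/src/backend/libpq/Makefile
@@ -17,4 +17,8 @@ include $(top_builddir)/src/Makefile.global
 OBJS = be-fsstubs.o be-secure.o auth.o crypt.o hba.o ip.o md5.o pqcomm.o \
 pqformat.o pqsignal.o
 
+ifeq ($(with_openssl),yes)
+OBJS += be-secure-openssl.o
+endif
+
 include $(top_srcdir)/src/backend/common.mk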

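--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -161,7 +161,7 @@ static int pg_SSPI_recvauth(Port *port);
 * RADIUS Authentication
 *----------------------------------------------------------------
 */
-#ifdef USE_SSL
+#ifdef USE_OPENSSL
 #include <openssl/rand.h>
 #endif
 static int CheckRADIUSAuth(Port *port);
@@ -330,7 +330,7 @@ ClientAuthentication(Port *port)
 * already if it didn't verify ok.
 */
 #ifdef USE_SSL
-if (!port->peer)
+if (!port->peer_cert_valid)
 {
 ereport(FATAL,
 (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
@@ -378,7 +378,7 @@ ClientAuthentication(Port *port)
 (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
 errmsg("pg_hba.conf rejects replication connection for host \"%s\", user \"%s\", %s",
 hostinfo, port->user_name,
-port->ssl ? _("SSL on") : _("SSL off"))));
+port->ssl_in_use ? _("SSL on") : _("SSL off"))));
 #else
 ereport(FATAL,
 (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
@@ -394,7 +394,7 @@ ClientAuthentication(Port *port)
 errmsg("pg_hba.conf rejects connection for host \"%s\", user \"%s\", database \"%s\", %s",
 hostinfo, port->user_name,
 port->database_name,
-port->ssl ? _("SSL on") : _("SSL off"))));
+port->ssl_in_use ? _("SSL on") : _("SSL off"))));
 #else
 ereport(FATAL,
 (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
@@ -452,7 +452,7 @@ ClientAuthentication(Port *port)
 (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION),
 errmsg("no pg_hba.conf entry for replication connection from host \"%s\", user \"%s\", %s",
 hostinfo, port->user_name,
-port->ssl ? _("SSL on") : _("SSL off")),
+port->ssl_in_use ? _("SSL on") : _("SSL off")),
 HOSTNAME_LOOKUP_DETAIL(port)));
 #else
 ereport(FATAL,
@@ -470,7 +470,7 @@ ClientAuthentication(Port *port)
 errmsg("no pg_hba.conf entry for host \"%s\", user \"%s\", database \"%s\", %s",
 hostinfo, port->user_name,
 port->database_name,
-port->ssl ? _("SSL on") : _("SSL off")),
+port->ssl_in_use ? _("SSL on") : _("SSL off")),
 HOSTNAME_LOOKUP_DETAIL(port)));
 #else
 ereport(FATAL,
@@ -2315,7 +2315,7 @@ CheckRADIUSAuth(Port *port)
 /* Construct RADIUS packet */
 packet->code = RADIUS_ACCESS_REQUEST;
 packet->length = RADIUS_HEADER_LENGTH;
-#ifdef USE_SSL
+#ifdef USE_OPENSSL
 if (RAND_bytes(packet->vector, RADIUS_VECTOR_LENGTH) != 1)
 {
 ereport(LOG,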
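Review bot: The client-certificate gate in ClientAuthentication (hunk at line 330) now tests `port->peer_cert_valid` instead of the presence of the peer certificate object, so the authentication decision rests on a flag whose setter is not visible in this section. The check would benefit from a comment stating the invariant every SSL implementation has to keep, for example `/* peer_cert_valid: set only after the client certificate chain has been verified; must start out false and stay false after a failed handshake */`. Presumably the new be-secure-openssl.c sets it after verification, but that should be confirmed together with how the Port struct is initialised, since a flag left true by default or by an earlier step would satisfy a clientcert requirement without a verified certificate. ClientAuthentication's body starts and ends outside the hunk.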
