/*------------------------------------------------------------------------- * * be-secure.c * functions related to setting up a secure connection to the frontend. * Secure connections are expected to provide confidentiality, * message integrity and endpoint authentication. * * * Portions Copyright (c) 1996-2014, PostgreSQL Global Development Group * Portions Copyright (c) 1994, Regents of the University of California * * * IDENTIFICATION * src/backend/libpq/be-secure.c * *------------------------------------------------------------------------- */ #include "postgres.h" #include #include #include #include #include #include #include #include #ifdef HAVE_NETINET_TCP_H #include #include #endif #include "libpq/libpq.h" #include "tcop/tcopprot.h" #include "utils/memutils.h" char *ssl_cert_file; char *ssl_key_file; char *ssl_ca_file; char *ssl_crl_file; /* * How much data can be sent across a secure connection * (total in both directions) before we require renegotiation. * Set to 0 to disable renegotiation completely. */ int ssl_renegotiation_limit; #ifdef USE_SSL bool ssl_loaded_verify_locations = false; #endif /* GUC variable controlling SSL cipher list */ char *SSLCipherSuites = NULL; /* GUC variable for default ECHD curve. */ char *SSLECDHCurve; /* GUC variable: if false, prefer client ciphers */ bool SSLPreferServerCiphers; /* ------------------------------------------------------------ */ /* Procedures common to all secure sessions */ /* ------------------------------------------------------------ */ /* * Initialize global context */ int secure_initialize(void) { #ifdef USE_SSL be_tls_init(); #endif return 0; } /* * Indicate if we have loaded the root CA store to verify certificates */ bool secure_loaded_verify_locations(void) { #ifdef USE_SSL return ssl_loaded_verify_locations; #else return false; #endif } /* * Attempt to negotiate secure session. */ int secure_open_server(Port *port) { int r = 0; #ifdef USE_SSL r = be_tls_open_server(port); #endif return r; } /* * Close secure session. */ void secure_close(Port *port) { #ifdef USE_SSL if (port->ssl_in_use) be_tls_close(port); #endif } /* * Read data from a secure connection. */ ssize_t secure_read(Port *port, void *ptr, size_t len) { ssize_t n; #ifdef USE_SSL if (port->ssl_in_use) { n = be_tls_read(port, ptr, len); } else #endif { n = secure_raw_read(port, ptr, len); } return n; } ssize_t secure_raw_read(Port *port, void *ptr, size_t len) { ssize_t n; prepare_for_client_read(); n = recv(port->sock, ptr, len, 0); client_read_ended(); return n; } /* * Write data to a secure connection. */ ssize_t secure_write(Port *port, void *ptr, size_t len) { ssize_t n; #ifdef USE_SSL if (port->ssl_in_use) { n = be_tls_write(port, ptr, len); } else #endif n = secure_raw_write(port, ptr, len); return n; } ssize_t secure_raw_write(Port *port, const void *ptr, size_t len) { return send(port->sock, ptr, len, 0); }