Extract common bits from OpenSSL implementation

Some things in be-secure-openssl.c and fe-secure-openssl.c were not
actually specific to OpenSSL but could also be used by other
implementations.  In order to avoid copy-and-pasting, move some of that
code to common files.

src/backend/libpq/be-secure-openssl.c

@@ -75,7 +75,6 @@ be_tls_init(bool isServerStart)
 {
 	STACK_OF(X509_NAME) *root_cert_list = NULL;
 	SSL_CTX    *context;
-	struct stat buf;
 
 	/* This stuff need be done only once. */
 	if (!SSL_initialized)
@@ -133,63 +132,8 @@ be_tls_init(bool isServerStart)
 		goto error;
 	}
 
-	if (stat(ssl_key_file, &buf) != 0)
-	{
-		ereport(isServerStart ? FATAL : LOG,
-				(errcode_for_file_access(),
-				 errmsg("could not access private key file \"%s\": %m",
-						ssl_key_file)));
+	if (!check_ssl_key_file_permissions(ssl_key_file, isServerStart))
 		goto error;
-	}
-
-	if (!S_ISREG(buf.st_mode))
-	{
-		ereport(isServerStart ? FATAL : LOG,
-				(errcode(ERRCODE_CONFIG_FILE_ERROR),
-				 errmsg("private key file \"%s\" is not a regular file",
-						ssl_key_file)));
-		goto error;
-	}
-
-	/*
-	 * Refuse to load key files owned by users other than us or root.
-	 *
-	 * XXX surely we can check this on Windows somehow, too.
-	 */
-#if !defined(WIN32) && !defined(__CYGWIN__)
-	if (buf.st_uid != geteuid() && buf.st_uid != 0)
-	{
-		ereport(isServerStart ? FATAL : LOG,
-				(errcode(ERRCODE_CONFIG_FILE_ERROR),
-				 errmsg("private key file \"%s\" must be owned by the database user or root",
-						ssl_key_file)));
-		goto error;
-	}
-#endif
-
-	/*
-	 * Require no public access to key file. If the file is owned by us,
-	 * require mode 0600 or less. If owned by root, require 0640 or less to
-	 * allow read access through our gid, or a supplementary gid that allows
-	 * to read system-wide certificates.
-	 *
-	 * XXX temporarily suppress check when on Windows, because there may not
-	 * be proper support for Unix-y file permissions.  Need to think of a
-	 * reasonable check to apply on Windows.  (See also the data directory
-	 * permission check in postmaster.c)
-	 */
-#if !defined(WIN32) && !defined(__CYGWIN__)
-	if ((buf.st_uid == geteuid() && buf.st_mode & (S_IRWXG | S_IRWXO)) ||
-		(buf.st_uid == 0 && buf.st_mode & (S_IWGRP | S_IXGRP | S_IRWXO)))
-	{
-		ereport(isServerStart ? FATAL : LOG,
-				(errcode(ERRCODE_CONFIG_FILE_ERROR),
-				 errmsg("private key file \"%s\" has group or world access",
-						ssl_key_file),
-				 errdetail("File must have permissions u=rw (0600) or less if owned by the database user, or permissions u=rw,g=r (0640) or less if owned by root.")));
-		goto error;
-	}
-#endif
 
 	/*
 	 * OK, try to load the private key file.
@@ -516,10 +460,6 @@ aloop:
 		port->peer_cert_valid = true;
 	}
 
-	ereport(DEBUG2,
-			(errmsg("SSL connection from \"%s\"",
-					port->peer_cn ? port->peer_cn : "(anonymous)")));
-
 	/* set up debugging/info callback */
 	SSL_CTX_set_info_callback(SSL_context, info_cb);