
pgindent run.

This commit is contained in:
Bruce Momjian
2002-09-04 20:31:48 +00:00
parent c91ceec21d
commit e50f52a074
446 changed files with 14942 additions and 13363 deletions


@@ -11,7 +11,7 @@
*
*
* IDENTIFICATION
* $Header: /cvsroot/pgsql/src/backend/libpq/be-secure.c,v 1.12 2002/09/02 02:47:02 momjian Exp $
* $Header: /cvsroot/pgsql/src/backend/libpq/be-secure.c,v 1.13 2002/09/04 20:31:19 momjian Exp $
*
* Since the server static private key ($DataDir/server.key)
* will normally be stored unencrypted so that the database
@@ -30,13 +30,13 @@
* impersonations.
*
* Another benefit of EDH is that it allows the backend and
* clients to use DSA keys. DSA keys can only provide digital
* clients to use DSA keys. DSA keys can only provide digital
* signatures, not encryption, and are often acceptable in
* jurisdictions where RSA keys are unacceptable.
*
* The downside to EDH is that it makes it impossible to
* use ssldump(1) if there's a problem establishing an SSL
* session. In this case you'll need to temporarily disable
* session. In this case you'll need to temporarily disable
* EDH by commenting out the callback.
*
* ...
@@ -49,7 +49,7 @@
* milestone 1: fix basic coding errors
* [*] existing SSL code pulled out of existing files.
* [*] SSL_get_error() after SSL_read() and SSL_write(),
* SSL_shutdown(), default to TLSv1.
* SSL_shutdown(), default to TLSv1.
*
* milestone 2: provide endpoint authentication (server)
* [*] client verifies server cert
@@ -112,22 +112,22 @@
extern void ExitPostmaster(int);
extern void postmaster_error(const char *fmt,...);
int secure_initialize(void);
void secure_destroy(void);
int secure_open_server(Port *);
void secure_close(Port *);
ssize_t secure_read(Port *, void *ptr, size_t len);
ssize_t secure_write(Port *, const void *ptr, size_t len);
int secure_initialize(void);
void secure_destroy(void);
int secure_open_server(Port *);
void secure_close(Port *);
ssize_t secure_read(Port *, void *ptr, size_t len);
ssize_t secure_write(Port *, const void *ptr, size_t len);
#ifdef USE_SSL
static DH *load_dh_file(int keylength);
static DH *load_dh_buffer(const char *, size_t);
static DH *tmp_dh_cb(SSL *s, int is_export, int keylength);
static int verify_cb(int, X509_STORE_CTX *);
static DH *load_dh_file(int keylength);
static DH *load_dh_buffer(const char *, size_t);
static DH *tmp_dh_cb(SSL *s, int is_export, int keylength);
static int verify_cb(int, X509_STORE_CTX *);
static void info_cb(SSL *ssl, int type, int args);
static int initialize_SSL(void);
static int initialize_SSL(void);
static void destroy_SSL(void);
static int open_server_SSL(Port *);
static int open_server_SSL(Port *);
static void close_SSL(Port *);
static const char *SSLerrmessage(void);
#endif
@@ -137,13 +137,13 @@ static const char *SSLerrmessage(void);
* How much data can be sent across a secure connection
* (total in both directions) before we require renegotiation.
*/
#define RENEGOTIATION_LIMIT (64 * 1024)
#define CA_PATH NULL
#define RENEGOTIATION_LIMIT (64 * 1024)
#define CA_PATH NULL
static SSL_CTX *SSL_context = NULL;
#endif
/* ------------------------------------------------------------ */
/* Hardcoded values */
/* Hardcoded values */
/* ------------------------------------------------------------ */
/*
@@ -207,16 +207,16 @@ KWbuHn491xNO25CQWMtem80uKw+pTnisBRF/454n1Jnhub144YRBoN8CAQI=\n\
-----END DH PARAMETERS-----\n";
/* ------------------------------------------------------------ */
/* Procedures common to all secure sessions */
/* Procedures common to all secure sessions */
/* ------------------------------------------------------------ */
/*
* Initialize global context
*/
int
secure_initialize (void)
secure_initialize(void)
{
int r = 0;
int r = 0;
#ifdef USE_SSL
r = initialize_SSL();
@@ -229,7 +229,7 @@ secure_initialize (void)
* Destroy global context
*/
void
secure_destroy (void)
secure_destroy(void)
{
#ifdef USE_SSL
destroy_SSL();
@@ -240,9 +240,9 @@ secure_destroy (void)
* Attempt to negotiate secure session.
*/
int
secure_open_server (Port *port)
secure_open_server(Port *port)
{
int r = 0;
int r = 0;
#ifdef USE_SSL
r = open_server_SSL(port);
@@ -255,7 +255,7 @@ secure_open_server (Port *port)
* Close secure session.
*/
void
secure_close (Port *port)
secure_close(Port *port)
{
#ifdef USE_SSL
if (port->ssl)
@@ -267,9 +267,9 @@ secure_close (Port *port)
* Read data from a secure connection.
*/
ssize_t
secure_read (Port *port, void *ptr, size_t len)
secure_read(Port *port, void *ptr, size_t len)
{
ssize_t n;
ssize_t n;
#ifdef USE_SSL
if (port->ssl)
@@ -283,28 +283,28 @@ secure_read (Port *port, void *ptr, size_t len)
n = SSL_read(port->ssl, ptr, len);
switch (SSL_get_error(port->ssl, n))
{
case SSL_ERROR_NONE:
port->count += n;
break;
case SSL_ERROR_WANT_READ:
break;
case SSL_ERROR_SYSCALL:
errno = get_last_socket_error();
elog(ERROR, "SSL SYSCALL error: %s", strerror(errno));
break;
case SSL_ERROR_SSL:
elog(ERROR, "SSL error: %s", SSLerrmessage());
/* fall through */
case SSL_ERROR_ZERO_RETURN:
secure_close(port);
errno = ECONNRESET;
n = -1;
break;
case SSL_ERROR_NONE:
port->count += n;
break;
case SSL_ERROR_WANT_READ:
break;
case SSL_ERROR_SYSCALL:
errno = get_last_socket_error();
elog(ERROR, "SSL SYSCALL error: %s", strerror(errno));
break;
case SSL_ERROR_SSL:
elog(ERROR, "SSL error: %s", SSLerrmessage());
/* fall through */
case SSL_ERROR_ZERO_RETURN:
secure_close(port);
errno = ECONNRESET;
n = -1;
break;
}
}
else
#endif
n = recv(port->sock, ptr, len, 0);
n = recv(port->sock, ptr, len, 0);
return n;
}
@@ -313,12 +313,12 @@ secure_read (Port *port, void *ptr, size_t len)
* Write data to a secure connection.
*/
ssize_t
secure_write (Port *port, const void *ptr, size_t len)
secure_write(Port *port, const void *ptr, size_t len)
{
ssize_t n;
ssize_t n;
#ifndef WIN32
pqsigfunc oldsighandler = pqsignal(SIGPIPE, SIG_IGN);
pqsigfunc oldsighandler = pqsignal(SIGPIPE, SIG_IGN);
#endif
#ifdef USE_SSL
@@ -333,28 +333,28 @@ secure_write (Port *port, const void *ptr, size_t len)
n = SSL_write(port->ssl, ptr, len);
switch (SSL_get_error(port->ssl, n))
{
case SSL_ERROR_NONE:
port->count += n;
break;
case SSL_ERROR_WANT_WRITE:
break;
case SSL_ERROR_SYSCALL:
errno = get_last_socket_error();
elog(ERROR, "SSL SYSCALL error: %s", strerror(errno));
break;
case SSL_ERROR_SSL:
elog(ERROR, "SSL error: %s", SSLerrmessage());
/* fall through */
case SSL_ERROR_ZERO_RETURN:
secure_close(port);
errno = ECONNRESET;
n = -1;
break;
case SSL_ERROR_NONE:
port->count += n;
break;
case SSL_ERROR_WANT_WRITE:
break;
case SSL_ERROR_SYSCALL:
errno = get_last_socket_error();
elog(ERROR, "SSL SYSCALL error: %s", strerror(errno));
break;
case SSL_ERROR_SSL:
elog(ERROR, "SSL error: %s", SSLerrmessage());
/* fall through */
case SSL_ERROR_ZERO_RETURN:
secure_close(port);
errno = ECONNRESET;
n = -1;
break;
}
}
else
#endif
n = send(port->sock, ptr, len, 0);
n = send(port->sock, ptr, len, 0);
#ifndef WIN32
pqsignal(SIGPIPE, oldsighandler);
@@ -364,7 +364,7 @@ secure_write (Port *port, const void *ptr, size_t len)
}
/* ------------------------------------------------------------ */
/* SSL specific code */
/* SSL specific code */
/* ------------------------------------------------------------ */
#ifdef USE_SSL
/*
@@ -374,13 +374,13 @@ secure_write (Port *port, const void *ptr, size_t len)
* to verify that the DBA-generated DH parameters file contains
* what we expect it to contain.
*/
static DH *
load_dh_file (int keylength)
static DH *
load_dh_file(int keylength)
{
FILE *fp;
char fnbuf[2048];
DH *dh = NULL;
int codes;
FILE *fp;
char fnbuf[2048];
DH *dh = NULL;
int codes;
/* attempt to open file. It's not an error if it doesn't exist. */
snprintf(fnbuf, sizeof fnbuf, "%s/dh%d.pem", DataDir, keylength);
@@ -393,10 +393,10 @@ load_dh_file (int keylength)
fclose(fp);
/* is the prime the correct size? */
if (dh != NULL && 8*DH_size(dh) < keylength)
if (dh != NULL && 8 * DH_size(dh) < keylength)
{
elog(LOG, "DH errors (%s): %d bits expected, %d bits found",
fnbuf, keylength, 8*DH_size(dh));
fnbuf, keylength, 8 * DH_size(dh));
dh = NULL;
}
@@ -417,8 +417,8 @@ load_dh_file (int keylength)
(codes & DH_CHECK_P_NOT_SAFE_PRIME))
{
elog(LOG,
"DH error (%s): neither suitable generator or safe prime",
fnbuf);
"DH error (%s): neither suitable generator or safe prime",
fnbuf);
return NULL;
}
}
@@ -432,11 +432,11 @@ load_dh_file (int keylength)
* To prevent problems if the DH parameters files don't even
* exist, we can load DH parameters hardcoded into this file.
*/
static DH *
load_dh_buffer (const char *buffer, size_t len)
static DH *
load_dh_buffer(const char *buffer, size_t len)
{
BIO *bio;
DH *dh = NULL;
BIO *bio;
DH *dh = NULL;
bio = BIO_new_mem_buf((char *) buffer, len);
if (bio == NULL)
@@ -462,58 +462,58 @@ load_dh_buffer (const char *buffer, size_t len)
* the OpenSSL library can efficiently generate random keys from
* the information provided.
*/
static DH *
tmp_dh_cb (SSL *s, int is_export, int keylength)
static DH *
tmp_dh_cb(SSL *s, int is_export, int keylength)
{
DH *r = NULL;
static DH *dh = NULL;
static DH *dh512 = NULL;
static DH *dh1024 = NULL;
static DH *dh2048 = NULL;
static DH *dh4096 = NULL;
DH *r = NULL;
static DH *dh = NULL;
static DH *dh512 = NULL;
static DH *dh1024 = NULL;
static DH *dh2048 = NULL;
static DH *dh4096 = NULL;
switch (keylength)
{
case 512:
if (dh512 == NULL)
dh512 = load_dh_file(keylength);
if (dh512 == NULL)
dh512 = load_dh_buffer(file_dh512, sizeof file_dh512);
r = dh512;
break;
case 512:
if (dh512 == NULL)
dh512 = load_dh_file(keylength);
if (dh512 == NULL)
dh512 = load_dh_buffer(file_dh512, sizeof file_dh512);
r = dh512;
break;
case 1024:
if (dh1024 == NULL)
dh1024 = load_dh_file(keylength);
if (dh1024 == NULL)
dh1024 = load_dh_buffer(file_dh1024, sizeof file_dh1024);
r = dh1024;
break;
case 1024:
if (dh1024 == NULL)
dh1024 = load_dh_file(keylength);
if (dh1024 == NULL)
dh1024 = load_dh_buffer(file_dh1024, sizeof file_dh1024);
r = dh1024;
break;
case 2048:
if (dh2048 == NULL)
dh2048 = load_dh_file(keylength);
if (dh2048 == NULL)
dh2048 = load_dh_buffer(file_dh2048, sizeof file_dh2048);
r = dh2048;
break;
case 2048:
if (dh2048 == NULL)
dh2048 = load_dh_file(keylength);
if (dh2048 == NULL)
dh2048 = load_dh_buffer(file_dh2048, sizeof file_dh2048);
r = dh2048;
break;
case 4096:
if (dh4096 == NULL)
dh4096 = load_dh_file(keylength);
if (dh4096 == NULL)
dh4096 = load_dh_buffer(file_dh4096, sizeof file_dh4096);
r = dh4096;
break;
case 4096:
if (dh4096 == NULL)
dh4096 = load_dh_file(keylength);
if (dh4096 == NULL)
dh4096 = load_dh_buffer(file_dh4096, sizeof file_dh4096);
r = dh4096;
break;
default:
if (dh == NULL)
dh = load_dh_file(keylength);
r = dh;
default:
if (dh == NULL)
dh = load_dh_file(keylength);
r = dh;
}
/* this may take a long time, but it may be necessary... */
if (r == NULL || 8*DH_size(r) < keylength)
if (r == NULL || 8 * DH_size(r) < keylength)
{
elog(DEBUG1, "DH: generating parameters (%d bits)....", keylength);
r = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
@@ -534,7 +534,7 @@ tmp_dh_cb (SSL *s, int is_export, int keylength)
* for now we accept the default checks.
*/
static int
verify_cb (int ok, X509_STORE_CTX *ctx)
verify_cb(int ok, X509_STORE_CTX *ctx)
{
return ok;
}
@@ -544,7 +544,7 @@ verify_cb (int ok, X509_STORE_CTX *ctx)
* into the PostgreSQL log.
*/
static void
info_cb (SSL *ssl, int type, int args)
info_cb(SSL *ssl, int type, int args)
{
switch (type)
{
@@ -579,9 +579,9 @@ info_cb (SSL *ssl, int type, int args)
* Initialize global SSL context.
*/
static int
initialize_SSL (void)
initialize_SSL(void)
{
char fnbuf[2048];
char fnbuf[2048];
struct stat buf;
if (!SSL_context)
@@ -597,7 +597,7 @@ initialize_SSL (void)
}
/*
* Load and verify certificate and private key
* Load and verify certificate and private key
*/
snprintf(fnbuf, sizeof(fnbuf), "%s/server.crt", DataDir);
if (!SSL_CTX_use_certificate_file(SSL_context, fnbuf, SSL_FILETYPE_PEM))
@@ -647,7 +647,7 @@ initialize_SSL (void)
ExitPostmaster(1);
}
SSL_CTX_set_verify(SSL_context,
SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, verify_cb);
SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, verify_cb);
return 0;
}
@@ -656,7 +656,7 @@ initialize_SSL (void)
* Destroy global SSL context.
*/
static void
destroy_SSL (void)
destroy_SSL(void)
{
if (SSL_context)
{
@@ -669,7 +669,7 @@ destroy_SSL (void)
* Attempt to negotiate SSL connection.
*/
static int
open_server_SSL (Port *port)
open_server_SSL(Port *port)
{
if (!(port->ssl = SSL_new(SSL_context)) ||
!SSL_set_fd(port->ssl, port->sock) ||
@@ -685,17 +685,17 @@ open_server_SSL (Port *port)
port->peer = SSL_get_peer_certificate(port->ssl);
if (port->peer == NULL)
{
strncpy(port->peer_dn, "(anonymous)", sizeof (port->peer_dn));
strncpy(port->peer_cn, "(anonymous)", sizeof (port->peer_cn));
strncpy(port->peer_dn, "(anonymous)", sizeof(port->peer_dn));
strncpy(port->peer_cn, "(anonymous)", sizeof(port->peer_cn));
}
else
{
X509_NAME_oneline(X509_get_subject_name(port->peer),
port->peer_dn, sizeof (port->peer_dn));
port->peer_dn[sizeof(port->peer_dn)-1] = '\0';
port->peer_dn, sizeof(port->peer_dn));
port->peer_dn[sizeof(port->peer_dn) - 1] = '\0';
X509_NAME_get_text_by_NID(X509_get_subject_name(port->peer),
NID_commonName, port->peer_cn, sizeof (port->peer_cn));
port->peer_cn[sizeof(port->peer_cn)-1] = '\0';
NID_commonName, port->peer_cn, sizeof(port->peer_cn));
port->peer_cn[sizeof(port->peer_cn) - 1] = '\0';
}
elog(DEBUG1, "secure connection from '%s'", port->peer_cn);
@@ -709,7 +709,7 @@ open_server_SSL (Port *port)
* Close SSL connection.
*/
static void
close_SSL (Port *port)
close_SSL(Port *port)
{
if (port->ssl)
{
@@ -729,9 +729,9 @@ close_SSL (Port *port)
static const char *
SSLerrmessage(void)
{
unsigned long errcode;
const char *errreason;
static char errbuf[32];
unsigned long errcode;
const char *errreason;
static char errbuf[32];
errcode = ERR_get_error();
if (errcode == 0)
@@ -743,4 +743,4 @@ SSLerrmessage(void)
return errbuf;
}
#endif /* USE_SSL */
#endif /* USE_SSL */