diff options
| author | Heikki Linnakangas <heikki.linnakangas@iki.fi> | 2014-08-11 11:54:19 +0300 |
|---|---|---|
| committer | Heikki Linnakangas <heikki.linnakangas@iki.fi> | 2014-08-11 11:54:19 +0300 |
| commit | 680513ab79c7e12e402a2aad7921b95a25a4bcc8 (patch) | |
| tree | c2a5b1debb5599ae4a3522be921a78a6f1cf35c3 /src/backend/libpq/auth.c | |
| parent | 6aa61580e08d58909b2a8845a4087b7699335ee0 (diff) | |
| download | postgresql-680513ab79c7e12e402a2aad7921b95a25a4bcc8.tar.gz postgresql-680513ab79c7e12e402a2aad7921b95a25a4bcc8.zip | |
Break out OpenSSL-specific code to separate files.
This refactoring is in preparation for adding support for other SSL
implementations, with no user-visible effects. There are now two #defines,
USE_OPENSSL which is defined when building with OpenSSL, and USE_SSL which
is defined when building with any SSL implementation. Currently, OpenSSL is
the only implementation so the two #defines go together, but USE_SSL is
supposed to be used for implementation-independent code.
The libpq SSL code is changed to use a custom BIO, which does all the raw
I/O, like we've been doing in the backend for a long time. That makes it
possible to use MSG_NOSIGNAL to block SIGPIPE when using SSL, which avoids
a couple of syscall for each send(). Probably doesn't make much performance
difference in practice - the SSL encryption is expensive enough to mask the
effect - but it was a natural result of this refactoring.
Based on a patch by Martijn van Oosterhout from 2006. Briefly reviewed by
Alvaro Herrera, Andreas Karlsson, Jeff Janes.
Diffstat (limited to 'src/backend/libpq/auth.c')
| -rw-r--r-- | src/backend/libpq/auth.c | 14 |
1 files changed, 7 insertions, 7 deletions
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c index 70b0b939823..b1974d121cd 100644 --- a/src/backend/libpq/auth.c +++ b/src/backend/libpq/auth.c @@ -161,7 +161,7 @@ static int pg_SSPI_recvauth(Port *port); * RADIUS Authentication *---------------------------------------------------------------- */ -#ifdef USE_SSL +#ifdef USE_OPENSSL #include <openssl/rand.h> #endif static int CheckRADIUSAuth(Port *port); @@ -330,7 +330,7 @@ ClientAuthentication(Port *port) * already if it didn't verify ok. */ #ifdef USE_SSL - if (!port->peer) + if (!port->peer_cert_valid) { ereport(FATAL, (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION), @@ -378,7 +378,7 @@ ClientAuthentication(Port *port) (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION), errmsg("pg_hba.conf rejects replication connection for host \"%s\", user \"%s\", %s", hostinfo, port->user_name, - port->ssl ? _("SSL on") : _("SSL off")))); + port->ssl_in_use ? _("SSL on") : _("SSL off")))); #else ereport(FATAL, (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION), @@ -394,7 +394,7 @@ ClientAuthentication(Port *port) errmsg("pg_hba.conf rejects connection for host \"%s\", user \"%s\", database \"%s\", %s", hostinfo, port->user_name, port->database_name, - port->ssl ? _("SSL on") : _("SSL off")))); + port->ssl_in_use ? _("SSL on") : _("SSL off")))); #else ereport(FATAL, (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION), @@ -452,7 +452,7 @@ ClientAuthentication(Port *port) (errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION), errmsg("no pg_hba.conf entry for replication connection from host \"%s\", user \"%s\", %s", hostinfo, port->user_name, - port->ssl ? _("SSL on") : _("SSL off")), + port->ssl_in_use ? _("SSL on") : _("SSL off")), HOSTNAME_LOOKUP_DETAIL(port))); #else ereport(FATAL, @@ -470,7 +470,7 @@ ClientAuthentication(Port *port) errmsg("no pg_hba.conf entry for host \"%s\", user \"%s\", database \"%s\", %s", hostinfo, port->user_name, port->database_name, - port->ssl ? _("SSL on") : _("SSL off")), + port->ssl_in_use ? _("SSL on") : _("SSL off")), HOSTNAME_LOOKUP_DETAIL(port))); #else ereport(FATAL, @@ -2315,7 +2315,7 @@ CheckRADIUSAuth(Port *port) /* Construct RADIUS packet */ packet->code = RADIUS_ACCESS_REQUEST; packet->length = RADIUS_HEADER_LENGTH; -#ifdef USE_SSL +#ifdef USE_OPENSSL if (RAND_bytes(packet->vector, RADIUS_VECTOR_LENGTH) != 1) { ereport(LOG, |