Line data Source code
1 : /*-------------------------------------------------------------------------
2 : *
3 : * be-secure.c
4 : * functions related to setting up a secure connection to the frontend.
5 : * Secure connections are expected to provide confidentiality,
6 : * message integrity and endpoint authentication.
7 : *
8 : *
9 : * Portions Copyright (c) 1996-2024, PostgreSQL Global Development Group
10 : * Portions Copyright (c) 1994, Regents of the University of California
11 : *
12 : *
13 : * IDENTIFICATION
14 : * src/backend/libpq/be-secure.c
15 : *
16 : *-------------------------------------------------------------------------
17 : */
18 :
19 : #include "postgres.h"
20 :
21 : #include <signal.h>
22 : #include <fcntl.h>
23 : #include <ctype.h>
24 : #include <sys/socket.h>
25 : #include <netdb.h>
26 : #include <netinet/in.h>
27 : #include <netinet/tcp.h>
28 : #include <arpa/inet.h>
29 :
30 : #include "libpq/libpq.h"
31 : #include "miscadmin.h"
32 : #include "tcop/tcopprot.h"
33 : #include "utils/injection_point.h"
34 : #include "utils/wait_event.h"
35 :
36 : char *ssl_library;
37 : char *ssl_cert_file;
38 : char *ssl_key_file;
39 : char *ssl_ca_file;
40 : char *ssl_crl_file;
41 : char *ssl_crl_dir;
42 : char *ssl_dh_params_file;
43 : char *ssl_passphrase_command;
44 : bool ssl_passphrase_command_supports_reload;
45 :
46 : #ifdef USE_SSL
47 : bool ssl_loaded_verify_locations = false;
48 : #endif
49 :
50 : /* GUC variable controlling SSL cipher list */
51 : char *SSLCipherSuites = NULL;
52 : char *SSLCipherList = NULL;
53 :
54 : /* GUC variable for default ECHD curve. */
55 : char *SSLECDHCurve;
56 :
57 : /* GUC variable: if false, prefer client ciphers */
58 : bool SSLPreferServerCiphers;
59 :
60 : int ssl_min_protocol_version = PG_TLS1_2_VERSION;
61 : int ssl_max_protocol_version = PG_TLS_ANY;
62 :
63 : /* ------------------------------------------------------------ */
64 : /* Procedures common to all secure sessions */
65 : /* ------------------------------------------------------------ */
66 :
67 : /*
68 : * Initialize global context.
69 : *
70 : * If isServerStart is true, report any errors as FATAL (so we don't return).
71 : * Otherwise, log errors at LOG level and return -1 to indicate trouble,
72 : * preserving the old SSL state if any. Returns 0 if OK.
73 : */
74 : int
75 64 : secure_initialize(bool isServerStart)
76 : {
77 : #ifdef USE_SSL
78 64 : return be_tls_init(isServerStart);
79 : #else
80 : return 0;
81 : #endif
82 : }
83 :
84 : /*
85 : * Destroy global context, if any.
86 : */
87 : void
88 246 : secure_destroy(void)
89 : {
90 : #ifdef USE_SSL
91 246 : be_tls_destroy();
92 : #endif
93 246 : }
94 :
95 : /*
96 : * Indicate if we have loaded the root CA store to verify certificates
97 : */
98 : bool
99 60 : secure_loaded_verify_locations(void)
100 : {
101 : #ifdef USE_SSL
102 60 : return ssl_loaded_verify_locations;
103 : #else
104 : return false;
105 : #endif
106 : }
107 :
108 : /*
109 : * Attempt to negotiate secure session.
110 : */
111 : int
112 252 : secure_open_server(Port *port)
113 : {
114 : #ifdef USE_SSL
115 252 : int r = 0;
116 : ssize_t len;
117 :
118 : /* push unencrypted buffered data back through SSL setup */
119 252 : len = pq_buffer_remaining_data();
120 252 : if (len > 0)
121 : {
122 6 : char *buf = palloc(len);
123 :
124 6 : pq_startmsgread();
125 6 : if (pq_getbytes(buf, len) == EOF)
126 0 : return STATUS_ERROR; /* shouldn't be possible */
127 6 : pq_endmsgread();
128 6 : port->raw_buf = buf;
129 6 : port->raw_buf_remaining = len;
130 6 : port->raw_buf_consumed = 0;
131 : }
132 : Assert(pq_buffer_remaining_data() == 0);
133 :
134 252 : INJECTION_POINT("backend-ssl-startup");
135 :
136 250 : r = be_tls_open_server(port);
137 :
138 250 : if (port->raw_buf_remaining > 0)
139 : {
140 : /*
141 : * This shouldn't be possible -- it would mean the client sent
142 : * encrypted data before we established a session key...
143 : */
144 0 : elog(LOG, "buffered unencrypted data remains after negotiating SSL connection");
145 0 : return STATUS_ERROR;
146 : }
147 250 : if (port->raw_buf != NULL)
148 : {
149 6 : pfree(port->raw_buf);
150 6 : port->raw_buf = NULL;
151 : }
152 :
153 250 : ereport(DEBUG2,
154 : (errmsg_internal("SSL connection from DN:\"%s\" CN:\"%s\"",
155 : port->peer_dn ? port->peer_dn : "(anonymous)",
156 : port->peer_cn ? port->peer_cn : "(anonymous)")));
157 250 : return r;
158 : #else
159 : return 0;
160 : #endif
161 : }
162 :
163 : /*
164 : * Close secure session.
165 : */
166 : void
167 25198 : secure_close(Port *port)
168 : {
169 : #ifdef USE_SSL
170 25198 : if (port->ssl_in_use)
171 250 : be_tls_close(port);
172 : #endif
173 25198 : }
174 :
175 : /*
176 : * Read data from a secure connection.
177 : */
178 : ssize_t
179 2964096 : secure_read(Port *port, void *ptr, size_t len)
180 : {
181 : ssize_t n;
182 : int waitfor;
183 :
184 : /* Deal with any already-pending interrupt condition. */
185 2964096 : ProcessClientReadInterrupt(false);
186 :
187 3277740 : retry:
188 : #ifdef USE_SSL
189 3277740 : waitfor = 0;
190 3277740 : if (port->ssl_in_use)
191 : {
192 824 : n = be_tls_read(port, ptr, len, &waitfor);
193 : }
194 : else
195 : #endif
196 : #ifdef ENABLE_GSS
197 : if (port->gss && port->gss->enc)
198 : {
199 : n = be_gssapi_read(port, ptr, len);
200 : waitfor = WL_SOCKET_READABLE;
201 : }
202 : else
203 : #endif
204 : {
205 3276916 : n = secure_raw_read(port, ptr, len);
206 3276916 : waitfor = WL_SOCKET_READABLE;
207 : }
208 :
209 : /* In blocking mode, wait until the socket is ready */
210 3277740 : if (n < 0 && !port->noblock && (errno == EWOULDBLOCK || errno == EAGAIN))
211 : {
212 : WaitEvent event;
213 :
214 : Assert(waitfor);
215 :
216 313720 : ModifyWaitEvent(FeBeWaitSet, FeBeWaitSetSocketPos, waitfor, NULL);
217 :
218 313720 : WaitEventSetWait(FeBeWaitSet, -1 /* no timeout */ , &event, 1,
219 : WAIT_EVENT_CLIENT_READ);
220 :
221 : /*
222 : * If the postmaster has died, it's not safe to continue running,
223 : * because it is the postmaster's job to kill us if some other backend
224 : * exits uncleanly. Moreover, we won't run very well in this state;
225 : * helper processes like walwriter and the bgwriter will exit, so
226 : * performance may be poor. Finally, if we don't exit, pg_ctl will be
227 : * unable to restart the postmaster without manual intervention, so no
228 : * new connections can be accepted. Exiting clears the deck for a
229 : * postmaster restart.
230 : *
231 : * (Note that we only make this check when we would otherwise sleep on
232 : * our latch. We might still continue running for a while if the
233 : * postmaster is killed in mid-query, or even through multiple queries
234 : * if we never have to wait for read. We don't want to burn too many
235 : * cycles checking for this very rare condition, and this should cause
236 : * us to exit quickly in most cases.)
237 : */
238 313720 : if (event.events & WL_POSTMASTER_DEATH)
239 0 : ereport(FATAL,
240 : (errcode(ERRCODE_ADMIN_SHUTDOWN),
241 : errmsg("terminating connection due to unexpected postmaster exit")));
242 :
243 : /* Handle interrupt. */
244 313720 : if (event.events & WL_LATCH_SET)
245 : {
246 22456 : ResetLatch(MyLatch);
247 22456 : ProcessClientReadInterrupt(true);
248 :
249 : /*
250 : * We'll retry the read. Most likely it will return immediately
251 : * because there's still no data available, and we'll wait for the
252 : * socket to become ready again.
253 : */
254 : }
255 313694 : goto retry;
256 : }
257 :
258 : /*
259 : * Process interrupts that happened during a successful (or non-blocking,
260 : * or hard-failed) read.
261 : */
262 2964020 : ProcessClientReadInterrupt(false);
263 :
264 2964018 : return n;
265 : }
266 :
267 : ssize_t
268 3281126 : secure_raw_read(Port *port, void *ptr, size_t len)
269 : {
270 : ssize_t n;
271 :
272 : /* Read from the "unread" buffered data first. c.f. libpq-be.h */
273 3281126 : if (port->raw_buf_remaining > 0)
274 : {
275 : /* consume up to len bytes from the raw_buf */
276 12 : if (len > port->raw_buf_remaining)
277 0 : len = port->raw_buf_remaining;
278 : Assert(port->raw_buf);
279 12 : memcpy(ptr, port->raw_buf + port->raw_buf_consumed, len);
280 12 : port->raw_buf_consumed += len;
281 12 : port->raw_buf_remaining -= len;
282 12 : return len;
283 : }
284 :
285 : /*
286 : * Try to read from the socket without blocking. If it succeeds we're
287 : * done, otherwise we'll wait for the socket using the latch mechanism.
288 : */
289 : #ifdef WIN32
290 : pgwin32_noblock = true;
291 : #endif
292 3281114 : n = recv(port->sock, ptr, len, 0);
293 : #ifdef WIN32
294 : pgwin32_noblock = false;
295 : #endif
296 :
297 3281114 : return n;
298 : }
299 :
300 :
301 : /*
302 : * Write data to a secure connection.
303 : */
304 : ssize_t
305 2072248 : secure_write(Port *port, void *ptr, size_t len)
306 : {
307 : ssize_t n;
308 : int waitfor;
309 :
310 : /* Deal with any already-pending interrupt condition. */
311 2072248 : ProcessClientWriteInterrupt(false);
312 :
313 2090280 : retry:
314 2090280 : waitfor = 0;
315 : #ifdef USE_SSL
316 2090280 : if (port->ssl_in_use)
317 : {
318 384 : n = be_tls_write(port, ptr, len, &waitfor);
319 : }
320 : else
321 : #endif
322 : #ifdef ENABLE_GSS
323 : if (port->gss && port->gss->enc)
324 : {
325 : n = be_gssapi_write(port, ptr, len);
326 : waitfor = WL_SOCKET_WRITEABLE;
327 : }
328 : else
329 : #endif
330 : {
331 2089896 : n = secure_raw_write(port, ptr, len);
332 2089896 : waitfor = WL_SOCKET_WRITEABLE;
333 : }
334 :
335 2090280 : if (n < 0 && !port->noblock && (errno == EWOULDBLOCK || errno == EAGAIN))
336 : {
337 : WaitEvent event;
338 :
339 : Assert(waitfor);
340 :
341 18032 : ModifyWaitEvent(FeBeWaitSet, FeBeWaitSetSocketPos, waitfor, NULL);
342 :
343 18032 : WaitEventSetWait(FeBeWaitSet, -1 /* no timeout */ , &event, 1,
344 : WAIT_EVENT_CLIENT_WRITE);
345 :
346 : /* See comments in secure_read. */
347 18032 : if (event.events & WL_POSTMASTER_DEATH)
348 0 : ereport(FATAL,
349 : (errcode(ERRCODE_ADMIN_SHUTDOWN),
350 : errmsg("terminating connection due to unexpected postmaster exit")));
351 :
352 : /* Handle interrupt. */
353 18032 : if (event.events & WL_LATCH_SET)
354 : {
355 10 : ResetLatch(MyLatch);
356 10 : ProcessClientWriteInterrupt(true);
357 :
358 : /*
359 : * We'll retry the write. Most likely it will return immediately
360 : * because there's still no buffer space available, and we'll wait
361 : * for the socket to become ready again.
362 : */
363 : }
364 18032 : goto retry;
365 : }
366 :
367 : /*
368 : * Process interrupts that happened during a successful (or non-blocking,
369 : * or hard-failed) write.
370 : */
371 2072248 : ProcessClientWriteInterrupt(false);
372 :
373 2072248 : return n;
374 : }
375 :
376 : ssize_t
377 2090988 : secure_raw_write(Port *port, const void *ptr, size_t len)
378 : {
379 : ssize_t n;
380 :
381 : #ifdef WIN32
382 : pgwin32_noblock = true;
383 : #endif
384 2090988 : n = send(port->sock, ptr, len, 0);
385 : #ifdef WIN32
386 : pgwin32_noblock = false;
387 : #endif
388 :
389 2090988 : return n;
390 : }
|