1 /*-------------------------------------------------------------------------
2 *
3 * be-secure.c
4 * functions related to setting up a secure connection to the frontend.
5 * Secure connections are expected to provide confidentiality,
6 * message integrity and endpoint authentication.
7 *
8 *
9 * Portions Copyright (c) 1996-2017, PostgreSQL Global Development Group
10 * Portions Copyright (c) 1994, Regents of the University of California
11 *
12 *
13 * IDENTIFICATION
14 * src/backend/libpq/be-secure.c
15 *
16 *-------------------------------------------------------------------------
17 */
18
19 #include "postgres.h"
20
21 #include <sys/stat.h>
22 #include <signal.h>
23 #include <fcntl.h>
24 #include <ctype.h>
25 #include <sys/socket.h>
26 #include <unistd.h>
27 #include <netdb.h>
28 #include <netinet/in.h>
29 #ifdef HAVE_NETINET_TCP_H
30 #include <netinet/tcp.h>
31 #include <arpa/inet.h>
32 #endif
33
34 #include "libpq/libpq.h"
35 #include "miscadmin.h"
36 #include "pgstat.h"
37 #include "tcop/tcopprot.h"
38 #include "utils/memutils.h"
39 #include "storage/ipc.h"
40 #include "storage/proc.h"
41
42
43 char *ssl_cert_file;
44 char *ssl_key_file;
45 char *ssl_ca_file;
46 char *ssl_crl_file;
47 char *ssl_dh_params_file;
48
49 #ifdef USE_SSL
50 bool ssl_loaded_verify_locations = false;
51 #endif
52
53 /* GUC variable controlling SSL cipher list */
54 char *SSLCipherSuites = NULL;
55
56 /* GUC variable for default ECHD curve. */
57 char *SSLECDHCurve;
58
59 /* GUC variable: if false, prefer client ciphers */
60 bool SSLPreferServerCiphers;
61
62 /* ------------------------------------------------------------ */
63 /* Procedures common to all secure sessions */
64 /* ------------------------------------------------------------ */
65
66 /*
67 * Initialize global context.
68 *
69 * If isServerStart is true, report any errors as FATAL (so we don't return).
70 * Otherwise, log errors at LOG level and return -1 to indicate trouble,
71 * preserving the old SSL state if any. Returns 0 if OK.
72 */
73 int
secure_initialize(bool isServerStart)74 secure_initialize(bool isServerStart)
75 {
76 #ifdef USE_SSL
77 return be_tls_init(isServerStart);
78 #else
79 return 0;
80 #endif
81 }
82
83 /*
84 * Destroy global context, if any.
85 */
86 void
secure_destroy(void)87 secure_destroy(void)
88 {
89 #ifdef USE_SSL
90 be_tls_destroy();
91 #endif
92 }
93
94 /*
95 * Indicate if we have loaded the root CA store to verify certificates
96 */
97 bool
secure_loaded_verify_locations(void)98 secure_loaded_verify_locations(void)
99 {
100 #ifdef USE_SSL
101 return ssl_loaded_verify_locations;
102 #else
103 return false;
104 #endif
105 }
106
107 /*
108 * Attempt to negotiate secure session.
109 */
110 int
secure_open_server(Port * port)111 secure_open_server(Port *port)
112 {
113 int r = 0;
114
115 #ifdef USE_SSL
116 r = be_tls_open_server(port);
117 #endif
118
119 return r;
120 }
121
122 /*
123 * Close secure session.
124 */
125 void
secure_close(Port * port)126 secure_close(Port *port)
127 {
128 #ifdef USE_SSL
129 if (port->ssl_in_use)
130 be_tls_close(port);
131 #endif
132 }
133
134 /*
135 * Read data from a secure connection.
136 */
137 ssize_t
secure_read(Port * port,void * ptr,size_t len)138 secure_read(Port *port, void *ptr, size_t len)
139 {
140 ssize_t n;
141 int waitfor;
142
143 /* Deal with any already-pending interrupt condition. */
144 ProcessClientReadInterrupt(false);
145
146 retry:
147 #ifdef USE_SSL
148 waitfor = 0;
149 if (port->ssl_in_use)
150 {
151 n = be_tls_read(port, ptr, len, &waitfor);
152 }
153 else
154 #endif
155 {
156 n = secure_raw_read(port, ptr, len);
157 waitfor = WL_SOCKET_READABLE;
158 }
159
160 /* In blocking mode, wait until the socket is ready */
161 if (n < 0 && !port->noblock && (errno == EWOULDBLOCK || errno == EAGAIN))
162 {
163 WaitEvent event;
164
165 Assert(waitfor);
166
167 ModifyWaitEvent(FeBeWaitSet, 0, waitfor, NULL);
168
169 WaitEventSetWait(FeBeWaitSet, -1 /* no timeout */ , &event, 1,
170 WAIT_EVENT_CLIENT_READ);
171
172 /*
173 * If the postmaster has died, it's not safe to continue running,
174 * because it is the postmaster's job to kill us if some other backend
175 * exists uncleanly. Moreover, we won't run very well in this state;
176 * helper processes like walwriter and the bgwriter will exit, so
177 * performance may be poor. Finally, if we don't exit, pg_ctl will be
178 * unable to restart the postmaster without manual intervention, so no
179 * new connections can be accepted. Exiting clears the deck for a
180 * postmaster restart.
181 *
182 * (Note that we only make this check when we would otherwise sleep on
183 * our latch. We might still continue running for a while if the
184 * postmaster is killed in mid-query, or even through multiple queries
185 * if we never have to wait for read. We don't want to burn too many
186 * cycles checking for this very rare condition, and this should cause
187 * us to exit quickly in most cases.)
188 */
189 if (event.events & WL_POSTMASTER_DEATH)
190 ereport(FATAL,
191 (errcode(ERRCODE_ADMIN_SHUTDOWN),
192 errmsg("terminating connection due to unexpected postmaster exit")));
193
194 /* Handle interrupt. */
195 if (event.events & WL_LATCH_SET)
196 {
197 ResetLatch(MyLatch);
198 ProcessClientReadInterrupt(true);
199
200 /*
201 * We'll retry the read. Most likely it will return immediately
202 * because there's still no data available, and we'll wait for the
203 * socket to become ready again.
204 */
205 }
206 goto retry;
207 }
208
209 /*
210 * Process interrupts that happened during a successful (or non-blocking,
211 * or hard-failed) read.
212 */
213 ProcessClientReadInterrupt(false);
214
215 return n;
216 }
217
218 ssize_t
secure_raw_read(Port * port,void * ptr,size_t len)219 secure_raw_read(Port *port, void *ptr, size_t len)
220 {
221 ssize_t n;
222
223 /*
224 * Try to read from the socket without blocking. If it succeeds we're
225 * done, otherwise we'll wait for the socket using the latch mechanism.
226 */
227 #ifdef WIN32
228 pgwin32_noblock = true;
229 #endif
230 n = recv(port->sock, ptr, len, 0);
231 #ifdef WIN32
232 pgwin32_noblock = false;
233 #endif
234
235 return n;
236 }
237
238
239 /*
240 * Write data to a secure connection.
241 */
242 ssize_t
secure_write(Port * port,void * ptr,size_t len)243 secure_write(Port *port, void *ptr, size_t len)
244 {
245 ssize_t n;
246 int waitfor;
247
248 /* Deal with any already-pending interrupt condition. */
249 ProcessClientWriteInterrupt(false);
250
251 retry:
252 waitfor = 0;
253 #ifdef USE_SSL
254 if (port->ssl_in_use)
255 {
256 n = be_tls_write(port, ptr, len, &waitfor);
257 }
258 else
259 #endif
260 {
261 n = secure_raw_write(port, ptr, len);
262 waitfor = WL_SOCKET_WRITEABLE;
263 }
264
265 if (n < 0 && !port->noblock && (errno == EWOULDBLOCK || errno == EAGAIN))
266 {
267 WaitEvent event;
268
269 Assert(waitfor);
270
271 ModifyWaitEvent(FeBeWaitSet, 0, waitfor, NULL);
272
273 WaitEventSetWait(FeBeWaitSet, -1 /* no timeout */ , &event, 1,
274 WAIT_EVENT_CLIENT_WRITE);
275
276 /* See comments in secure_read. */
277 if (event.events & WL_POSTMASTER_DEATH)
278 ereport(FATAL,
279 (errcode(ERRCODE_ADMIN_SHUTDOWN),
280 errmsg("terminating connection due to unexpected postmaster exit")));
281
282 /* Handle interrupt. */
283 if (event.events & WL_LATCH_SET)
284 {
285 ResetLatch(MyLatch);
286 ProcessClientWriteInterrupt(true);
287
288 /*
289 * We'll retry the write. Most likely it will return immediately
290 * because there's still no buffer space available, and we'll wait
291 * for the socket to become ready again.
292 */
293 }
294 goto retry;
295 }
296
297 /*
298 * Process interrupts that happened during a successful (or non-blocking,
299 * or hard-failed) write.
300 */
301 ProcessClientWriteInterrupt(false);
302
303 return n;
304 }
305
306 ssize_t
secure_raw_write(Port * port,const void * ptr,size_t len)307 secure_raw_write(Port *port, const void *ptr, size_t len)
308 {
309 ssize_t n;
310
311 #ifdef WIN32
312 pgwin32_noblock = true;
313 #endif
314 n = send(port->sock, ptr, len, 0);
315 #ifdef WIN32
316 pgwin32_noblock = false;
317 #endif
318
319 return n;
320 }
321