diff -cr pgsql/src/backend/postmaster/postmaster.c pgsql_ssl/src/backend/postmaster/postmaster.c *** pgsql/src/backend/postmaster/postmaster.c Sun Aug 20 12:55:33 2000 --- pgsql_ssl/src/backend/postmaster/postmaster.c Sun Aug 20 14:05:41 2000 *************** *** 195,204 **** bool NetServer = false; /* listen on TCP/IP */ #ifdef USE_SSL ! static bool SecureNetServer = false; /* if not zero, postmaster listens ! * for only SSL non-local ! * connections */ ! #endif static pid_t StartupPID = 0, --- 195,201 ---- bool NetServer = false; /* listen on TCP/IP */ #ifdef USE_SSL ! static bool DisableSSL = false; /* Completely disable SSL, even if compiled in */ #endif static pid_t StartupPID = 0, *************** *** 456,462 **** break; #ifdef USE_SSL case 'l': ! SecureNetServer = true; break; #endif case 'm': --- 453,459 ---- break; #ifdef USE_SSL case 'l': ! DisableSSL = true; break; #endif case 'm': *************** *** 567,579 **** } #ifdef USE_SSL ! if (!NetServer && SecureNetServer) { ! fprintf(stderr, "%s: For SSL, you must enable TCP/IP connections.\n", progname); exit(1); } ! InitSSL(); #endif if (NetServer) --- 564,577 ---- } #ifdef USE_SSL ! if (!NetServer && !DisableSSL) { ! fprintf(stderr, "%s: For SSL, you must enable TCP/IP connections. Use -l to disable SSL\n", progname); exit(1); } ! if (!DisableSSL) ! InitSSL(); #endif if (NetServer) *************** *** 755,761 **** printf(" -F turn fsync off\n"); printf(" -i listen on TCP/IP sockets\n"); #ifdef USE_SSL ! printf(" -l listen only on SSL connections (EXPERIMENTAL)\n"); #endif printf(" -N maximum number of allowed connections (1..%d, default %d)\n", MAXBACKENDS, DEF_MAXBACKENDS); --- 753,759 ---- printf(" -F turn fsync off\n"); printf(" -i listen on TCP/IP sockets\n"); #ifdef USE_SSL ! printf(" -l disable SSL\n"); #endif printf(" -N maximum number of allowed connections (1..%d, default %d)\n", MAXBACKENDS, DEF_MAXBACKENDS); *************** *** 1063,1069 **** char SSLok; #ifdef USE_SSL ! 
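Review bot: The `case 'l':` hunk silently inverts the meaning of `-l` — it used to request SSL-only operation and now disables SSL — so any existing startup script that passes `-l` to enforce encryption will from now on run the postmaster with SSL off and no diagnostic. Together with the removal of the "Backend requires secure connection" check later in this file, the server loses the ability to require SSL at all, which is a policy downgrade rather than a bug fix and should be called out in the help text and release notes. I would give the new behaviour a fresh, unused option letter and make the old spelling fail loudly instead of downgrading: `case 'l': fprintf(stderr, "%s: -l (SSL-only mode) is no longer supported\n", progname); exit(1);`.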
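Review bot: The startup check `if (!NetServer && !DisableSSL)` now fires in the default configuration, because DisableSSL is initialised to false in the first hunk, so a USE_SSL build started without `-i` (a Unix-socket-only service, a common hardened deployment) exits immediately unless the operator also passes `-l`; before the patch this check only fired when SSL-only mode had been explicitly requested. Since the later SSLok hunk already answers 'N' for every non-AF_INET socket, SSL simply never applies without TCP/IP and there is no reason to refuse to start. Replace the fprintf/exit pair with `if (NetServer && !DisableSSL) InitSSL();` so Unix-socket-only postmasters keep working and the SSL context is only built when a TCP listener can use it.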
SSLok = 'S'; /* Support for SSL */ #else SSLok = 'N'; /* No support for SSL */ #endif --- 1061,1071 ---- char SSLok; #ifdef USE_SSL ! if (DisableSSL || port->laddr.sa.sa_family != AF_INET) ! /* No SSL when disabled or on Unix sockets */ ! SSLok = 'N'; ! else ! SSLok = 'S'; /* Support for SSL */ #else SSLok = 'N'; /* No support for SSL */ #endif *************** *** 1074,1086 **** } #ifdef USE_SSL ! if (!(port->ssl = SSL_new(SSL_context)) || ! !SSL_set_fd(port->ssl, port->sock) || ! SSL_accept(port->ssl) <= 0) ! { ! fprintf(stderr, "Failed to initialize SSL connection: %s, errno: %d (%s)\n", ! ERR_reason_error_string(ERR_get_error()), errno, strerror(errno)); ! return STATUS_ERROR; } #endif /* ready for the normal startup packet */ --- 1076,1090 ---- } #ifdef USE_SSL ! if (SSLok == 'S') { ! if (!(port->ssl = SSL_new(SSL_context)) || ! !SSL_set_fd(port->ssl, port->sock) || ! SSL_accept(port->ssl) <= 0) ! { ! fprintf(stderr, "Failed to initialize SSL connection: %s, errno: %d (%s)\n", ! ERR_reason_error_string(ERR_get_error()), errno, strerror(errno)); ! return STATUS_ERROR; ! } } #endif /* ready for the normal startup packet */ *************** *** 1092,1109 **** /* Could add additional special packet types here */ - #ifdef USE_SSL - - /* - * Any SSL negotiation must have taken place here, so drop the - * connection ASAP if we require SSL - */ - if (SecureNetServer && !port->ssl) - { - PacketSendError(&port->pktInfo, "Backend requires secure connection."); - return STATUS_OK; - } - #endif /* Check we can handle the protocol the frontend is using. 
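Review bot: Inside the new `if (SSLok == 'S')` block, when SSL_new() succeeds but SSL_set_fd() or SSL_accept() fails, the function returns STATUS_ERROR with port->ssl still pointing at a live SSL object and nothing in the hunk frees it; whether the caller releases it is outside this hunk, so this may be a per-failed-handshake leak that any unauthenticated remote peer can trigger repeatedly. The same ordering existed before the patch, but since the branch is being restructured anyway it is the moment to close it. Add `SSL_free(port->ssl); port->ssl = NULL;` before `return STATUS_ERROR;` so a failed handshake leaves no state behind. The enclosing function starts before this hunk.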
*/ --- 1096,1101 ---- diff -cr pgsql/src/bin/psql/startup.c pgsql_ssl/src/bin/psql/startup.c *** pgsql/src/bin/psql/startup.c Sun Jul 2 17:21:17 2000 --- pgsql_ssl/src/bin/psql/startup.c Sun Aug 20 15:09:03 2000 *************** *** 81,86 **** --- 81,90 ---- static void showVersion(void); + #ifdef USE_SSL + static void + printSSLInfo(void); + #endif /* *************** *** 263,269 **** " \\g or terminate with semicolon to execute query\n" " \\q to quit\n\n", pset.progname); } ! SetVariable(pset.vars, "PROMPT1", DEFAULT_PROMPT1); SetVariable(pset.vars, "PROMPT2", DEFAULT_PROMPT2); SetVariable(pset.vars, "PROMPT3", DEFAULT_PROMPT3); --- 267,275 ---- " \\g or terminate with semicolon to execute query\n" " \\q to quit\n\n", pset.progname); } ! #ifdef USE_SSL ! printSSLInfo(); ! #endif SetVariable(pset.vars, "PROMPT1", DEFAULT_PROMPT1); SetVariable(pset.vars, "PROMPT2", DEFAULT_PROMPT2); SetVariable(pset.vars, "PROMPT3", DEFAULT_PROMPT3); *************** *** 639,641 **** --- 645,671 ---- puts("Read the file COPYRIGHT or use the command \\copyright to see the"); puts("usage and distribution terms."); } + + + + /* + * printSSLInfo + * + * Prints information about the current SSL connection, if SSL is in use + */ + #ifdef USE_SSL + static void + printSSLInfo(void) + { + int sslbits = -1; + SSL *ssl; + + ssl = PQgetssl(pset.db); + if (!ssl) + return; /* no SSL */ + + SSL_get_cipher_bits(ssl, &sslbits); + printf("SSL enabled connection. 
Chiper: %s, bits: %i\n\n", + SSL_get_cipher(ssl),sslbits); + } + #endif diff -cr pgsql/src/interfaces/libpq/fe-connect.c pgsql_ssl/src/interfaces/libpq/fe-connect.c *** pgsql/src/interfaces/libpq/fe-connect.c Sun Aug 20 12:55:35 2000 --- pgsql_ssl/src/interfaces/libpq/fe-connect.c Sun Aug 20 15:32:58 2000 *************** *** 63,69 **** #ifdef USE_SSL static SSL_CTX *SSL_context = NULL; - #endif #define NOTIFYLIST_INITIAL_SIZE 10 --- 63,68 ---- *************** *** 131,136 **** --- 130,140 ---- {"options", "PGOPTIONS", DefaultOption, NULL, "Backend-Debug-Options", "D", 40}, + #ifdef USE_SSL + {"requiressl", "PGREQUIRESSL", "0", NULL, + "Require-SSL", "", 1 }, + #endif + /* Terminating entry --- MUST BE LAST */ {NULL, NULL, NULL, NULL, NULL, NULL, 0} *************** *** 303,308 **** --- 307,316 ---- conn->pguser = tmp ? strdup(tmp) : NULL; tmp = conninfo_getval(connOptions, "password"); conn->pgpass = tmp ? strdup(tmp) : NULL; + #ifdef USE_SSL + tmp = conninfo_getval(connOptions, "requiressl"); + conn->require_ssl = tmp ? (tmp[0]=='1'?true:false) : false; + #endif /* ---------- * Free the option info - all is in conn now *************** *** 475,480 **** --- 483,496 ---- else conn->dbName = strdup(dbName); + + #ifdef USE_SSL + if ((tmp = getenv("PGREQUIRESSL")) != NULL) + conn->require_ssl = (tmp[0]=='1')?true:false; + else + conn->require_ssl = 0; + #endif + if (error) conn->status = CONNECTION_BAD; else *************** *** 781,793 **** goto connect_errReturn; #endif ! #ifdef USE_SSL ! ! /* ! * This needs to be done before we set into nonblocking, since SSL ! * negotiation does not like that mode */ /* Attempt to negotiate SSL usage */ if (conn->allow_ssl_try) { --- 797,851 ---- goto connect_errReturn; #endif ! /* ---------- ! * Start / make connection. We are hopefully in non-blocking mode ! * now, but it is possible that: ! * 1. Older systems will still block on connect, despite the ! * non-blocking flag. (Anyone know if this is true?) ! * 2. 
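Review bot: The banner string in printSSLInfo misspells the word cipher; the line should read `printf("SSL enabled connection. Cipher: %s, bits: %i\n\n", SSL_get_cipher(ssl), sslbits);`. More importantly, the message reports only the negotiated cipher and key size, and nothing visible in this patch verifies the server certificate, so a user should not read "SSL enabled connection" as meaning the peer has been authenticated. I would add a comment above the printf, `/* Reports the negotiated cipher only; it does not mean the server certificate was verified. */`, or say so in the output itself until verification exists.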
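Review bot: The parse `conn->require_ssl = tmp ? (tmp[0]=='1'?true:false) : false;` fails open: any value other than a string starting with '1' — `requiressl=true`, `yes`, `on`, or a typo — silently leaves SSL optional, which is the worst failure mode for an option whose only purpose is to prevent a plaintext downgrade. Accept exactly "0" and "1" and treat anything else as a bad connection parameter, e.g. `if (tmp && strcmp(tmp, "0") != 0 && strcmp(tmp, "1") != 0) { printfPQExpBuffer(&conn->errorMessage, "invalid requiressl value: %s\n", tmp); conn->status = CONNECTION_BAD; }`; the exact error path to use depends on how this function reports other bad conninfo values, which is outside the hunk. As a style point, `(tmp[0]=='1'?true:false)` is just `(tmp[0] == '1')`.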
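Review bot: Reading PGREQUIRESSL in the PQsetdbLogin hunk is wrapped in `#ifdef USE_SSL`, and so is the later `require_ssl && !conn->ssl` check, so a libpq built without SSL ignores PGREQUIRESSL=1 entirely and connects in the clear with no error. A client that asked for a mandatory encrypted channel should fail rather than silently downgrade because of a build option it cannot see. Add an `#else` branch that honours the request, `#else if ((tmp = getenv("PGREQUIRESSL")) != NULL && tmp[0] == '1') error = true;` (with a matching errorMessage), so the existing `if (error) conn->status = CONNECTION_BAD;` rejects the connection. The `tmp[0]=='1'` test here has the same fail-open shape as the conninfo path — `PGREQUIRESSL=yes` is silently ignored — and `conn->require_ssl = 0` should be `false` to match the bool field.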
We are running under Windows, and aren't even trying ! * to be non-blocking (see above). ! * 3. We are using SSL. ! * Thus, we have make arrangements for all eventualities. ! * ---------- */ + if (connect(conn->sock, &conn->raddr.sa, conn->raddr_len) < 0) + { + #ifndef WIN32 + if (errno == EINPROGRESS || errno == 0) + #else + if (WSAGetLastError() == WSAEINPROGRESS) + #endif + { + /* + * This is fine - we're in non-blocking mode, and the + * connection is in progress. + */ + conn->status = CONNECTION_STARTED; + } + else + { + /* Something's gone wrong */ + printfPQExpBuffer(&conn->errorMessage, + "connectDBStart() -- connect() failed: %s\n" + "\tIs the postmaster running%s at '%s'\n" + "\tand accepting connections on %s '%s'?\n", + strerror(errno), + (family == AF_INET) ? " (with -i)" : "", + conn->pghost ? conn->pghost : "localhost", + (family == AF_INET) ? + "TCP/IP port" : "Unix socket", + conn->pgport); + goto connect_errReturn; + } + } + else + { + /* We're connected already */ + conn->status = CONNECTION_MADE; + } + + #ifdef USE_SSL /* Attempt to negotiate SSL usage */ if (conn->allow_ssl_try) { *************** *** 837,843 **** { /* Received error - probably protocol mismatch */ if (conn->Pfdebug) ! fprintf(conn->Pfdebug, "Postmaster reports error, attempting fallback to pre-6.6.\n"); close(conn->sock); conn->allow_ssl_try = FALSE; return connectDBStart(conn); --- 895,901 ---- { /* Received error - probably protocol mismatch */ if (conn->Pfdebug) ! fprintf(conn->Pfdebug, "Postmaster reports error, attempting fallback to pre-7.0.\n"); close(conn->sock); conn->allow_ssl_try = FALSE; return connectDBStart(conn); *************** *** 849,903 **** goto connect_errReturn; } } ! #endif ! ! /* ---------- ! * Start / make connection. We are hopefully in non-blocking mode ! * now, but it is possible that: ! * 1. Older systems will still block on connect, despite the ! * non-blocking flag. (Anyone know if this is true?) ! * 2. 
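Review bot: connect() now runs before the SSL negotiation, and on EINPROGRESS the code sets CONNECTION_STARTED and then falls straight into the `if (conn->allow_ssl_try)` exchange on a socket whose handshake may not have completed; the comment this patch deletes said the negotiation had to happen before the socket was made non-blocking. Whether the socket is already O_NONBLOCK at this point is decided above the hunk, so I cannot tell if this is reachable, but if it is, the SSL request packet can fail with EAGAIN or ENOTCONN and the error path will then retry in plaintext. Either wait for the connect to finish (select() for writability and check SO_ERROR) when status is CONNECTION_STARTED before negotiating, or document the invariant next to the connect call: `/* Socket must still be blocking here: the SSL negotiation below cannot cope with a connect in progress. */`. The enclosing function connectDBStart continues outside this hunk.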
We are running under Windows, and aren't even trying ! * to be non-blocking (see above). ! * 3. We are using SSL. ! * Thus, we have make arrangements for all eventualities. ! * ---------- ! */ ! if (connect(conn->sock, &conn->raddr.sa, conn->raddr_len) < 0) { ! #ifndef WIN32 ! if (errno == EINPROGRESS || errno == 0) ! #else ! if (WSAGetLastError() == WSAEINPROGRESS) #endif - { - /* - * This is fine - we're in non-blocking mode, and the - * connection is in progress. - */ - conn->status = CONNECTION_STARTED; - } - else - { - /* Something's gone wrong */ - printfPQExpBuffer(&conn->errorMessage, - "connectDBStart() -- connect() failed: %s\n" - "\tIs the postmaster running%s at '%s'\n" - "\tand accepting connections on %s '%s'?\n", - strerror(errno), - (family == AF_INET) ? " (with -i)" : "", - conn->pghost ? conn->pghost : "localhost", - (family == AF_INET) ? - "TCP/IP port" : "Unix socket", - conn->pgport); - goto connect_errReturn; - } - } - else - { - /* We're connected already */ - conn->status = CONNECTION_MADE; - } /* * This makes the connection non-blocking, for all those cases which --- 907,921 ---- goto connect_errReturn; } } ! if (conn->require_ssl && !conn->ssl) { ! /* Require SSL, but server does not support/want it */ ! printfPQExpBuffer(&conn->errorMessage, ! "Server does not support SSL when SSL was required.\n"); ! goto connect_errReturn; ! } #endif /* * This makes the connection non-blocking, for all those cases which *************** *** 2483,2488 **** --- 2501,2515 ---- return -1; } + #endif + + #ifdef USE_SSL + SSL *PQgetssl(PGconn *conn) + { + if (!conn) + return NULL; + return conn->ssl; + } #endif void diff -cr pgsql/src/interfaces/libpq/libpq-fe.h pgsql_ssl/src/interfaces/libpq/libpq-fe.h *** pgsql/src/interfaces/libpq/libpq-fe.h Fri Apr 14 02:24:52 2000 --- pgsql_ssl/src/interfaces/libpq/libpq-fe.h Sun Aug 20 14:50:18 2000 *************** *** 25,30 **** --- 25,33 ---- * such as Oid. 
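Review bot: The new `if (conn->require_ssl && !conn->ssl)` check is the only thing standing between an on-path attacker and a plaintext session: by default libpq asks for SSL, and if the postmaster answers 'N' — or something between the two rewrites 'S' to 'N' — the client continues unencrypted without telling the user, and the earlier fallback path even reconnects from scratch with allow_ssl_try cleared. That is an opportunistic design and deserves a comment at the check so the next reader does not assume SSL is enforced: `/* Default is opportunistic SSL: an 'N' reply, genuine or injected, yields a plaintext session unless requiressl=1 was given. */`. It is also worth confirming that `goto connect_errReturn` closes conn->sock on this path; the label is outside the hunk.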
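Review bot: PQgetssl takes a non-const `PGconn *` while the neighbouring accessors declared in libpq-fe.h (`PQbackendPID`, `PQclientEncoding`) take `const PGconn *`; since it only reads conn->ssl, `SSL *PQgetssl(const PGconn *conn)` would be consistent, with the header declaration changed in step. Handing out the live `SSL *` also lets any caller alter connection state (renegotiate, shutdown, change the verify mode) behind libpq's back, so the ownership should be stated: `/* The SSL object is owned by libpq; callers must not free or reconfigure it. */`.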
*/ #include "postgres_ext.h" + #ifdef USE_SSL + #include + #endif /* Application-visible enum types */ *************** *** 222,227 **** --- 225,235 ---- extern int PQbackendPID(const PGconn *conn); extern int PQclientEncoding(const PGconn *conn); extern int PQsetClientEncoding(PGconn *conn, const char *encoding); + #ifdef USE_SSL + /* Get the SSL structure associated with a connection */ + extern SSL *PQgetssl(PGconn *conn); + #endif + /* Enable/disable tracing */ extern void PQtrace(PGconn *conn, FILE *debug_port); diff -cr pgsql/src/interfaces/libpq/libpq-int.h pgsql_ssl/src/interfaces/libpq/libpq-int.h *** pgsql/src/interfaces/libpq/libpq-int.h Sat May 27 06:13:05 2000 --- pgsql_ssl/src/interfaces/libpq/libpq-int.h Sun Aug 20 15:19:08 2000 *************** *** 263,268 **** --- 263,269 ---- #ifdef USE_SSL bool allow_ssl_try; /* Allowed to try SSL negotiation */ + bool require_ssl; /* Require SSL to make connection */ SSL *ssl; /* SSL status, if have SSL connection */ #endif
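Review bot: Declaring PQgetssl and the OpenSSL include under `#ifdef USE_SSL` in the public header libpq-fe.h makes the header's contents depend on a macro set by libpq's own build rather than by the application: a program compiled against the installed header without defining USE_SSL never sees PQgetssl even when the library exports it, and one that defines it against a non-SSL libpq gets an unresolved symbol at link time. A public header should not change shape with a private build flag. I would declare the accessor unconditionally as `extern void *PQgetssl(PGconn *conn);`, return NULL from the non-SSL build, and drop the OpenSSL include from libpq-fe.h so the dependency on OpenSSL headers stays inside libpq; callers who want the object cast it themselves. The definition in fe-connect.c would need the matching signature.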