Index: postgresql/src/backend/postmaster/be-secure.c diff -c postgresql/src/backend/postmaster/be-secure.c:1.1 postgresql/src/backend/postmaster/be-secure.c:1.2 *** postgresql/src/backend/postmaster/be-secure.c:1.1 Fri May 24 12:41:53 2002 --- postgresql/src/backend/postmaster/be-secure.c Fri May 24 16:45:00 2002 *************** *** 11,22 **** * * * IDENTIFICATION ! * $Header: /usr/local/cvsroot/postgresql/src/backend/postmaster/be-secure.c,v 1.1 2002/05/24 18:41:53 bear Exp $ * * PATCH LEVEL * milestone 1: fix basic coding errors * [*] existing SSL code pulled out of existing files. ! * [ ] SSL_get_error() after SSL_read() and SSL_write(), * SSL_shutdown(), default to TLSv1. * * milestone 2: provide endpoint authentication (server) --- 11,22 ---- * * * IDENTIFICATION ! * $Header: /usr/local/cvsroot/postgresql/src/backend/postmaster/be-secure.c,v 1.2 2002/05/24 22:45:00 bear Exp $ * * PATCH LEVEL * milestone 1: fix basic coding errors * [*] existing SSL code pulled out of existing files. ! * [*] SSL_get_error() after SSL_read() and SSL_write(), * SSL_shutdown(), default to TLSv1. * * milestone 2: provide endpoint authentication (server) *************** *** 26,31 **** --- 26,32 ---- * milestone 3: improve confidentially, support perfect forward secrecy * [ ] use 'random' file, read from '/dev/urandom?' * [ ] emphermal DH keys, default values + * [ ] periodic renegotiation * * milestone 4: provide endpoint authentication (client) * [ ] server verifies client certificates *************** *** 70,75 **** --- 71,81 ---- #include "strdup.h" #endif + #ifdef USE_SSL + #include + #include + #endif + extern void ExitPostmaster(int); extern void postmaster_error(const char *fmt,...); *************** *** 92,99 **** static SSL_CTX *SSL_context = NULL; #endif - #define PING() elog(DEBUG,"%s, line %d, %s", __FILE__, __LINE__, __func__); - /* ------------------------------------------------------------ */ /* Procedures common to all secure sessions */ /* ------------------------------------------------------------ */ --- 98,103 ---- *************** *** 107,115 **** int r = 0; #ifdef USE_SSL - PING(); r = initialize_SSL(); - PING(); #endif return r; --- 111,117 ---- *************** *** 135,143 **** int r = 0; #ifdef USE_SSL - PING(); r = open_server_SSL(port); - PING(); #endif return r; --- 137,143 ---- *************** *** 167,172 **** --- 167,191 ---- if (port->ssl) { n = SSL_read(port->ssl, ptr, len); + switch (SSL_get_error(port->ssl, n)) + { + case SSL_ERROR_NONE: + break; + case SSL_ERROR_WANT_READ: + break; + case SSL_ERROR_SYSCALL: + errno = get_last_socket_error(); + elog(ERROR, "SSL SYSCALL error: %s", strerror(errno)); + break; + case SSL_ERROR_SSL: + elog(ERROR, "SSL error: %s", SSLerrmessage()); + /* fall through */ + case SSL_ERROR_ZERO_RETURN: + secure_close(port); + errno = ECONNRESET; + n = -1; + break; + } } else #endif *************** *** 191,196 **** --- 210,234 ---- if (port->ssl) { n = SSL_write(port->ssl, ptr, len); + switch (SSL_get_error(port->ssl, n)) + { + case SSL_ERROR_NONE: + break; + case SSL_ERROR_WANT_WRITE: + break; + case SSL_ERROR_SYSCALL: + errno = get_last_socket_error(); + elog(ERROR, "SSL SYSCALL error: %s", strerror(errno)); + break; + case SSL_ERROR_SSL: + elog(ERROR, "SSL error: %s", SSLerrmessage()); + /* fall through */ + case SSL_ERROR_ZERO_RETURN: + secure_close(port); + errno = ECONNRESET; + n = -1; + break; + } } else #endif *************** *** 219,225 **** { SSL_library_init(); SSL_load_error_strings(); ! SSL_context = SSL_CTX_new(SSLv23_method()); if (!SSL_context) { postmaster_error("failed to create SSL context: %s", --- 257,263 ---- { SSL_library_init(); SSL_load_error_strings(); ! SSL_context = SSL_CTX_new(TLSv1_method()); if (!SSL_context) { postmaster_error("failed to create SSL context: %s", *************** *** 282,288 **** close_SSL(port); return -1; } - else { elog(DEBUG, "success"); } return 0; } --- 320,325 ---- *************** *** 295,300 **** --- 332,338 ---- { if (port->ssl) { + SSL_shutdown(port->ssl); SSL_free(port->ssl); port->ssl = NULL; } Index: postgresql/src/interfaces/libpq/fe-secure.c diff -c postgresql/src/interfaces/libpq/fe-secure.c:1.1 postgresql/src/interfaces/libpq/fe-secure.c:1.2 *** postgresql/src/interfaces/libpq/fe-secure.c:1.1 Fri May 24 12:41:53 2002 --- postgresql/src/interfaces/libpq/fe-secure.c Fri May 24 16:45:00 2002 *************** *** 11,22 **** * * * IDENTIFICATION ! * $Header: /usr/local/cvsroot/postgresql/src/interfaces/libpq/fe-secure.c,v 1.1 2002/05/24 18:41:53 bear Exp $ * * PATCH LEVEL * milestone 1: fix basic coding errors * [*] existing SSL code pulled out of existing files. ! * [ ] SSL_get_error() after SSL_read() and SSL_write(), * SSL_shutdown(), default to TLSv1. * * milestone 2: provide endpoint authentication (server) --- 11,22 ---- * * * IDENTIFICATION ! * $Header: /usr/local/cvsroot/postgresql/src/interfaces/libpq/fe-secure.c,v 1.2 2002/05/24 22:45:00 bear Exp $ * * PATCH LEVEL * milestone 1: fix basic coding errors * [*] existing SSL code pulled out of existing files. ! * [*] SSL_get_error() after SSL_read() and SSL_write(), * SSL_shutdown(), default to TLSv1. * * milestone 2: provide endpoint authentication (server) *************** *** 71,76 **** --- 71,81 ---- #include "strdup.h" #endif + #ifdef USE_SSL + #include + #include + #endif /* USE_SSL */ + int secure_initialize(PGconn *); void secure_destroy(void); int secure_open_client(PGconn *); *************** *** 159,164 **** --- 164,190 ---- if (conn->ssl) { n = SSL_read(conn->ssl, ptr, len); + switch (SSL_get_error(conn->ssl, n)) + { + case SSL_ERROR_NONE: + break; + case SSL_ERROR_WANT_READ: + break; + case SSL_ERROR_SYSCALL: + errno = get_last_socket_error(); + printfPQExpBuffer(&conn->errorMessage, + libpq_gettext("SSL SYSCALL error: %s\n"), strerror(errno)); + break; + case SSL_ERROR_SSL: + printfPQExpBuffer(&conn->errorMessage, + libpq_gettext("SSL error: %s\n"), SSLerrmessage()); + /* fall through */ + case SSL_ERROR_ZERO_RETURN: + secure_close(conn); + errno = ECONNRESET; + n = -1; + break; + } } else #endif *************** *** 183,188 **** --- 209,235 ---- if (conn->ssl) { n = SSL_write(conn->ssl, ptr, len); + switch (SSL_get_error(conn->ssl, n)) + { + case SSL_ERROR_NONE: + break; + case SSL_ERROR_WANT_WRITE: + break; + case SSL_ERROR_SYSCALL: + errno = get_last_socket_error(); + printfPQExpBuffer(&conn->errorMessage, + libpq_gettext("SSL SYSCALL error: %s\n"), strerror(errno)); + break; + case SSL_ERROR_SSL: + printfPQExpBuffer(&conn->errorMessage, + libpq_gettext("SSL error: %s\n"), SSLerrmessage()); + /* fall through */ + case SSL_ERROR_ZERO_RETURN: + secure_close(conn); + errno = ECONNRESET; + n = -1; + break; + } } else #endif *************** *** 209,215 **** { SSL_library_init(); SSL_load_error_strings(); ! SSL_context = SSL_CTX_new(SSLv23_method()); if (!SSL_context) { printfPQExpBuffer(&conn->errorMessage, --- 256,262 ---- { SSL_library_init(); SSL_load_error_strings(); ! SSL_context = SSL_CTX_new(TLSv1_method()); if (!SSL_context) { printfPQExpBuffer(&conn->errorMessage, *************** *** 263,268 **** --- 310,316 ---- { if (conn->ssl) { + SSL_shutdown(conn->ssl); SSL_free(conn->ssl); conn->ssl = NULL; }