On 1/19/18 13:43, Peter Eisentraut wrote:
> Comparing the existing {be,fe}-secure-openssl.c with the proposed
> {be,fe}-secure-gnutls.c, and with half an eye on the previously proposed
> Apple Secure Transport implementation, I have identified a few more
> areas of refactoring that should be done in order to avoid excessive
> copy-and-pasting in the new implementations:
And here is another place that needs cleaning up, where the OpenSSL API
was used directly.
--
Peter Eisentraut http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
From 5d8066201dd1152edd2bbe8ba62ea58f378d1dd0 Mon Sep 17 00:00:00 2001
From: Peter Eisentraut <pete...@gmx.net>
Date: Thu, 25 Jan 2018 08:58:00 -0500
Subject: [PATCH] Use abstracted SSL API in server connection log messages
The existing "connection authorized" server log messages used OpenSSL
API calls directly, even though similar abstracted API calls exist.
Change to use the latter instead.
Change the function prototype for the functions that return the TLS
version and the cipher to return const char * directly instead of
copying into a buffer. That makes them slightly easier to use.
Add bits= to the message. psql shows that, so we might as well show the
same information on the client and server.
---
src/backend/libpq/be-secure-openssl.c | 16 ++++++++--------
src/backend/postmaster/pgstat.c | 4 ++--
src/backend/utils/init/postinit.c | 22 ++++++++++++++--------
src/include/libpq/libpq-be.h | 4 ++--
4 files changed, 26 insertions(+), 20 deletions(-)
diff --git a/src/backend/libpq/be-secure-openssl.c
b/src/backend/libpq/be-secure-openssl.c
index 02601da6c8..e1ddfb3c16 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -1047,22 +1047,22 @@ be_tls_get_compression(Port *port)
return false;
}
-void
-be_tls_get_version(Port *port, char *ptr, size_t len)
+const char *
+be_tls_get_version(Port *port)
{
if (port->ssl)
- strlcpy(ptr, SSL_get_version(port->ssl), len);
+ return SSL_get_version(port->ssl);
else
- ptr[0] = '\0';
+ return NULL;
}
-void
-be_tls_get_cipher(Port *port, char *ptr, size_t len)
+const char *
+be_tls_get_cipher(Port *port)
{
if (port->ssl)
- strlcpy(ptr, SSL_get_cipher(port->ssl), len);
+ return SSL_get_cipher(port->ssl);
else
- ptr[0] = '\0';
+ return NULL;
}
void
diff --git a/src/backend/postmaster/pgstat.c b/src/backend/postmaster/pgstat.c
index d13011454c..605b1832be 100644
--- a/src/backend/postmaster/pgstat.c
+++ b/src/backend/postmaster/pgstat.c
@@ -2909,8 +2909,8 @@ pgstat_bestart(void)
beentry->st_ssl = true;
beentry->st_sslstatus->ssl_bits =
be_tls_get_cipher_bits(MyProcPort);
beentry->st_sslstatus->ssl_compression =
be_tls_get_compression(MyProcPort);
- be_tls_get_version(MyProcPort,
beentry->st_sslstatus->ssl_version, NAMEDATALEN);
- be_tls_get_cipher(MyProcPort,
beentry->st_sslstatus->ssl_cipher, NAMEDATALEN);
+ strlcpy(beentry->st_sslstatus->ssl_version,
be_tls_get_version(MyProcPort), NAMEDATALEN);
+ strlcpy(beentry->st_sslstatus->ssl_cipher,
be_tls_get_cipher(MyProcPort), NAMEDATALEN);
be_tls_get_peerdn_name(MyProcPort,
beentry->st_sslstatus->ssl_clientdn, NAMEDATALEN);
}
else
diff --git a/src/backend/utils/init/postinit.c
b/src/backend/utils/init/postinit.c
index f9b330998d..484628987f 100644
--- a/src/backend/utils/init/postinit.c
+++ b/src/backend/utils/init/postinit.c
@@ -246,12 +246,15 @@ PerformAuthentication(Port *port)
{
if (am_walsender)
{
-#ifdef USE_OPENSSL
+#ifdef USE_SSL
if (port->ssl_in_use)
ereport(LOG,
- (errmsg("replication connection
authorized: user=%s SSL enabled (protocol=%s, cipher=%s, compression=%s)",
-
port->user_name, SSL_get_version(port->ssl), SSL_get_cipher(port->ssl),
-
SSL_get_current_compression(port->ssl) ? _("on") : _("off"))));
+ (errmsg("replication connection
authorized: user=%s SSL enabled (protocol=%s, cipher=%s, bits=%d,
compression=%s)",
+ port->user_name,
+
be_tls_get_version(port),
+
be_tls_get_cipher(port),
+
be_tls_get_cipher_bits(port),
+
be_tls_get_compression(port) ? _("on") : _("off"))));
else
#endif
ereport(LOG,
@@ -260,12 +263,15 @@ PerformAuthentication(Port *port)
}
else
{
-#ifdef USE_OPENSSL
+#ifdef USE_SSL
if (port->ssl_in_use)
ereport(LOG,
- (errmsg("connection authorized:
user=%s database=%s SSL enabled (protocol=%s, cipher=%s, compression=%s)",
-
port->user_name, port->database_name, SSL_get_version(port->ssl),
SSL_get_cipher(port->ssl),
-
SSL_get_current_compression(port->ssl) ? _("on") : _("off"))));
+ (errmsg("connection authorized:
user=%s database=%s SSL enabled (protocol=%s, cipher=%s, bits=%d,
compression=%s)",
+
port->user_name, port->database_name,
+
be_tls_get_version(port),
+
be_tls_get_cipher(port),
+
be_tls_get_cipher_bits(port),
+
be_tls_get_compression(port) ? _("on") : _("off"))));
else
#endif
ereport(LOG,
diff --git a/src/include/libpq/libpq-be.h b/src/include/libpq/libpq-be.h
index 584f794b9e..7698cd1f88 100644
--- a/src/include/libpq/libpq-be.h
+++ b/src/include/libpq/libpq-be.h
@@ -256,8 +256,8 @@ extern ssize_t be_tls_write(Port *port, void *ptr, size_t
len, int *waitfor);
*/
extern int be_tls_get_cipher_bits(Port *port);
extern bool be_tls_get_compression(Port *port);
-extern void be_tls_get_version(Port *port, char *ptr, size_t len);
-extern void be_tls_get_cipher(Port *port, char *ptr, size_t len);
+extern const char *be_tls_get_version(Port *port);
+extern const char *be_tls_get_cipher(Port *port);
extern void be_tls_get_peerdn_name(Port *port, char *ptr, size_t len);
/*
--
2.16.1
