v7-0004-WIP-refactorings-to-backend-support.patch
text/x-patch
Filename: v7-0004-WIP-refactorings-to-backend-support.patch
Type: text/x-patch
Part: 3
Patch
Same data as JSON:
GET /api/v1/attachments/:id/patch
the parsed metadata as JSON — format, series position, per-file stats; never the diff bytes.
API reference →
Format: format-patch
Series: patch v7-0004
Subject: WIP: refactorings to backend support
| File | + | − |
|---|---|---|
| src/backend/libpq/be-secure.c | 35 | 3 |
| src/backend/libpq/pqcomm.c | 1 | 3 |
| src/backend/postmaster/postmaster.c | 10 | 37 |
From 7aec324c254c834008bbcd94b23fc4eba4977512 Mon Sep 17 00:00:00 2001
From: Heikki Linnakangas <heikki.linnakangas@iki.fi>
Date: Wed, 10 Jan 2024 09:04:45 +0200
Subject: [PATCH v7 04/12] WIP: refactorings to backend support
---
src/backend/libpq/be-secure.c | 38 +++++++++++++++++++++--
src/backend/libpq/pqcomm.c | 4 +--
src/backend/postmaster/postmaster.c | 47 ++++++-----------------------
3 files changed, 46 insertions(+), 43 deletions(-)
diff --git a/src/backend/libpq/be-secure.c b/src/backend/libpq/be-secure.c
index 0e4786cb2b6..8c770ba5afb 100644
--- a/src/backend/libpq/be-secure.c
+++ b/src/backend/libpq/be-secure.c
@@ -112,18 +112,50 @@ secure_loaded_verify_locations(void)
int
secure_open_server(Port *port)
{
+#ifdef USE_SSL
int r = 0;
+ ssize_t len;
+
+ /* push unencrypted buffered data back through SSL setup */
+ len = pq_buffer_has_data();
+ if (len > 0)
+ {
+ char *buf = palloc(len);
+
+ pq_startmsgread();
+ if (pq_getbytes(buf, len) == EOF)
+ return STATUS_ERROR; /* shouldn't be possible */
+ pq_endmsgread();
+ port->raw_buf = buf;
+ port->raw_buf_remaining = len;
+ port->raw_buf_consumed = 0;
+ }
+ Assert(pq_buffer_has_data() == 0);
-#ifdef USE_SSL
r = be_tls_open_server(port);
+ if (port->raw_buf_remaining > 0)
+ {
+ /* This shouldn't be possible -- it would mean the client sent
+ * encrypted data before we established a session key...
+ */
+ elog(LOG, "Buffered unencrypted data remains after negotiating native SSL connection");
+ return STATUS_ERROR;
+ }
+ if (port->raw_buf != NULL)
+ {
+ pfree(port->raw_buf);
+ port->raw_buf = NULL;
+ }
+
ereport(DEBUG2,
(errmsg_internal("SSL connection from DN:\"%s\" CN:\"%s\"",
port->peer_dn ? port->peer_dn : "(anonymous)",
port->peer_cn ? port->peer_cn : "(anonymous)")));
-#endif
-
return r;
+#else
+ return 0;
+#endif
}
/*
diff --git a/src/backend/libpq/pqcomm.c b/src/backend/libpq/pqcomm.c
index ff3a03a2428..caa502b6373 100644
--- a/src/backend/libpq/pqcomm.c
+++ b/src/backend/libpq/pqcomm.c
@@ -1134,9 +1134,7 @@ pq_discardbytes(size_t len)
}
/* --------------------------------
- * pq_buffer_has_data - is any buffered data available to read?
- *
- * Actually returns the number of bytes in the buffer...
+ * pq_buffer_has_data - return number of bytes in receive buffer
*
* This will *not* attempt to read more data. And reading up to that number of
* bytes should not cause reading any more data either.
diff --git a/src/backend/postmaster/postmaster.c b/src/backend/postmaster/postmaster.c
index 085c940aec5..b70e41c9e26 100644
--- a/src/backend/postmaster/postmaster.c
+++ b/src/backend/postmaster/postmaster.c
@@ -1933,13 +1933,10 @@ ServerLoop(void)
* This happens before startup packets so we are careful not to actual read
* any bytes from the stream if it's not a direct SSL connection.
*/
-
static int
ProcessSSLStartup(Port *port)
{
- int firstbyte;
-
- pq_startmsgread();
+ int firstbyte;
pq_startmsgread();
firstbyte = pq_peekbyte();
@@ -1956,7 +1953,9 @@ ProcessSSLStartup(Port *port)
* scanners, which may be less benign, but it's not really our job to
* notice those.)
*/
- return STATUS_ERROR;
+ // XXX: this is OK as far as this function is concerned. Let ProcessStartupPacket
+ // handle it
+ return STATUS_OK;
}
/*
@@ -1967,51 +1966,25 @@ ProcessSSLStartup(Port *port)
*/
if (firstbyte == 0x16)
{
-#ifdef USE_SSL
- ssize_t len;
- char *buf = NULL;
elog(LOG, "Detected direct SSL handshake");
- /* push unencrypted buffered data back through SSL setup */
- len = pq_buffer_has_data();
- if (len > 0)
- {
- buf = palloc(len);
- if (pq_getbytes(buf, len) == EOF)
- return STATUS_ERROR; /* shouldn't be possible */
- port->raw_buf = buf;
- port->raw_buf_remaining = len;
- port->raw_buf_consumed = 0;
- }
-
- Assert(pq_buffer_has_data() == 0);
- if (secure_open_server(port) == -1)
+#ifdef USE_SSL
+ if (!LoadedSSL || port->laddr.addr.ss_family == AF_UNIX || port->ssl_in_use)
{
- ereport(COMMERROR,
- (errcode(ERRCODE_PROTOCOL_VIOLATION),
- errmsg("SSL Protocol Error during direct SSL connection initiation")));
+ // XXX: Send TLS alert ?
return STATUS_ERROR;
}
-
- if (port->raw_buf_remaining > 0)
+ else if (secure_open_server(port) == -1)
{
- /* This shouldn't be possible -- it would mean the client sent
- * encrypted data before we established a session key...
- */
- elog(LOG, "Buffered unencrypted data remains after negotiating native SSL connection");
+ /* we assume secure_open_server() sent an appropriate TLS alert already */
return STATUS_ERROR;
}
- pfree(port->raw_buf);
#else
- ereport(COMMERROR,
- (errcode(ERRCODE_PROTOCOL_VIOLATION),
- errmsg("Received direct SSL connection request with no SSL support")));
+ // XXX: Send TLS alert ?
return STATUS_ERROR;
#endif
}
- pq_endmsgread();
-
if (port->ssl_in_use)
ereport(DEBUG2,
(errmsg_internal("Direct SSL connection established")));
--
2.39.2