From d39a49c1e459804831302807c724fa6512e90cf0 Mon Sep 17 00:00:00 2001 From: Heikki Linnakangas Date: Mon, 8 Apr 2024 04:24:49 +0300 Subject: Support TLS handshake directly without SSLRequest negotiation By skipping SSLRequest, you can eliminate one round-trip when establishing a TLS connection. It is also more friendly to generic TLS proxies that don't understand the PostgreSQL protocol. This is disabled by default in libpq, because the direct TLS handshake will fail with old server versions. It can be enabled with the sslnegotation=direct option. It will still fall back to the negotiated TLS handshake if the server rejects the direct attempt, either because it is an older version or the server doesn't support TLS at all, but the fallback can be disabled with the sslnegotiation=requiredirect option. Author: Greg Stark, Heikki Linnakangas Reviewed-by: Matthias van de Meent, Jacob Champion --- src/backend/libpq/be-secure.c | 52 ++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 49 insertions(+), 3 deletions(-) (limited to 'src/backend/libpq/be-secure.c') diff --git a/src/backend/libpq/be-secure.c b/src/backend/libpq/be-secure.c index 5612c29f8b2..1663f36b6b8 100644 --- a/src/backend/libpq/be-secure.c +++ b/src/backend/libpq/be-secure.c @@ -109,18 +109,51 @@ secure_loaded_verify_locations(void) int secure_open_server(Port *port) { +#ifdef USE_SSL int r = 0; + ssize_t len; + + /* push unencrypted buffered data back through SSL setup */ + len = pq_buffer_remaining_data(); + if (len > 0) + { + char *buf = palloc(len); + + pq_startmsgread(); + if (pq_getbytes(buf, len) == EOF) + return STATUS_ERROR; /* shouldn't be possible */ + pq_endmsgread(); + port->raw_buf = buf; + port->raw_buf_remaining = len; + port->raw_buf_consumed = 0; + } + Assert(pq_buffer_remaining_data() == 0); -#ifdef USE_SSL r = be_tls_open_server(port); + if (port->raw_buf_remaining > 0) + { + /* + * This shouldn't be possible -- it would mean the client sent + * encrypted data before we established a session key... + */ + elog(LOG, "buffered unencrypted data remains after negotiating SSL connection"); + return STATUS_ERROR; + } + if (port->raw_buf != NULL) + { + pfree(port->raw_buf); + port->raw_buf = NULL; + } + ereport(DEBUG2, (errmsg_internal("SSL connection from DN:\"%s\" CN:\"%s\"", port->peer_dn ? port->peer_dn : "(anonymous)", port->peer_cn ? port->peer_cn : "(anonymous)"))); -#endif - return r; +#else + return 0; +#endif } /* @@ -232,6 +265,19 @@ secure_raw_read(Port *port, void *ptr, size_t len) { ssize_t n; + /* Read from the "unread" buffered data first. c.f. libpq-be.h */ + if (port->raw_buf_remaining > 0) + { + /* consume up to len bytes from the raw_buf */ + if (len > port->raw_buf_remaining) + len = port->raw_buf_remaining; + Assert(port->raw_buf); + memcpy(ptr, port->raw_buf + port->raw_buf_consumed, len); + port->raw_buf_consumed += len; + port->raw_buf_remaining -= len; + return len; + } + /* * Try to read from the socket without blocking. If it succeeds we're * done, otherwise we'll wait for the socket using the latch mechanism. -- cgit v1.2.3