Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commit8f44024

Browse files
committed
SSL patch to periodically renegotiate session key.
In order to reduce the risk of cryptanalysis during extendedsessions (or brief ones involving a substantial amount of data),this patch renegotiates the session key after 64kib has beentransferred.Bear Giles
1 parent55d0532 commit8f44024

File tree

2 files changed

+31
-3
lines changed

2 files changed

+31
-3
lines changed

‎src/backend/libpq/be-secure.c‎

Lines changed: 29 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -11,7 +11,7 @@
1111
*
1212
*
1313
* IDENTIFICATION
14-
* $Header: /cvsroot/pgsql/src/backend/libpq/be-secure.c,v 1.2 2002/06/14 04:31:49 momjian Exp $
14+
* $Header: /cvsroot/pgsql/src/backend/libpq/be-secure.c,v 1.3 2002/06/14 04:33:53 momjian Exp $
1515
*
1616
* Since the server static private key ($DataDir/server.key)
1717
* will normally be stored unencrypted so that the database
@@ -39,6 +39,12 @@
3939
* session. In this case you'll need to temporarily disable
4040
* EDH by commenting out the callback.
4141
*
42+
* ...
43+
*
44+
* Because the risk of cryptanalysis increases as large
45+
* amounts of data are sent with the same session key, the
46+
* session keys are periodically renegotiated.
47+
*
4248
* PATCH LEVEL
4349
* milestone 1: fix basic coding errors
4450
* [*] existing SSL code pulled out of existing files.
@@ -52,7 +58,7 @@
5258
* milestone 3: improve confidentially, support perfect forward secrecy
5359
* [ ] use 'random' file, read from '/dev/urandom?'
5460
* [*] emphermal DH keys, default values
55-
* [] periodic renegotiation
61+
* [*] periodic renegotiation
5662
* [ ] private key permissions
5763
*
5864
* milestone 4: provide endpoint authentication (client)
@@ -126,6 +132,12 @@ static const char *SSLerrmessage(void);
126132
#endif
127133

128134
#ifdefUSE_SSL
135+
/*
136+
*How much data can be sent across a secure connection
137+
*(total in both directions) before we require renegotiation.
138+
*/
139+
#defineRENEGOTIATION_LIMIT(64 * 1024)
140+
129141
staticSSL_CTX*SSL_context=NULL;
130142
#endif
131143

@@ -261,10 +273,17 @@ secure_read (Port *port, void *ptr, size_t len)
261273
#ifdefUSE_SSL
262274
if (port->ssl)
263275
{
276+
if (port->count>RENEGOTIATION_LIMIT)
277+
{
278+
SSL_renegotiate(port->ssl);
279+
port->count=0;
280+
}
281+
264282
n=SSL_read(port->ssl,ptr,len);
265283
switch (SSL_get_error(port->ssl,n))
266284
{
267285
caseSSL_ERROR_NONE:
286+
port->count+=n;
268287
break;
269288
caseSSL_ERROR_WANT_READ:
270289
break;
@@ -304,10 +323,17 @@ secure_write (Port *port, const void *ptr, size_t len)
304323
#ifdefUSE_SSL
305324
if (port->ssl)
306325
{
326+
if (port->count>RENEGOTIATION_LIMIT)
327+
{
328+
SSL_renegotiate(port->ssl);
329+
port->count=0;
330+
}
331+
307332
n=SSL_write(port->ssl,ptr,len);
308333
switch (SSL_get_error(port->ssl,n))
309334
{
310335
caseSSL_ERROR_NONE:
336+
port->count+=n;
311337
break;
312338
caseSSL_ERROR_WANT_WRITE:
313339
break;
@@ -574,6 +600,7 @@ open_server_SSL (Port *port)
574600
close_SSL(port);
575601
return-1;
576602
}
603+
port->count=0;
577604

578605
return0;
579606
}

‎src/include/libpq/libpq-be.h‎

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -11,7 +11,7 @@
1111
* Portions Copyright (c) 1996-2001, PostgreSQL Global Development Group
1212
* Portions Copyright (c) 1994, Regents of the University of California
1313
*
14-
* $Id: libpq-be.h,v 1.29 2002/06/14 04:09:37 momjian Exp $
14+
* $Id: libpq-be.h,v 1.30 2002/06/14 04:33:53 momjian Exp $
1515
*
1616
*-------------------------------------------------------------------------
1717
*/
@@ -70,6 +70,7 @@ typedef struct Port
7070
*/
7171
#ifdefUSE_SSL
7272
SSL*ssl;
73+
unsigned longcount;
7374
#endif
7475
}Port;
7576

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp