1/*-------------------------------------------------------------------------
4 * This file contains definitions for structures and externs used
5 * by the postmaster during client authentication.
7 * Note that this is backend-internal and is NOT exported to clients.
8 * Structs that need to be client-visible are in pqcomm.h.
11 * Portions Copyright (c) 1996-2025, PostgreSQL Global Development Group
12 * Portions Copyright (c) 1994, Regents of the University of California
14 * src/include/libpq/libpq-be.h
16 *-------------------------------------------------------------------------
25#include <openssl/ssl.h>
26#include <openssl/err.h>
34#if defined(WIN32) && !defined(_MSC_VER)
42 * Define a fake structure compatible with GSSAPI on Unix.
50#endif /* ENABLE_SSPI */
58 * GSSAPI specific state information
60#if defined(ENABLE_GSS) | defined(ENABLE_SSPI)
63 gss_buffer_desc outbuf;
/* GSSAPI output token buffer */
65 gss_cred_id_t cred;
/* GSSAPI connection credentials */
66 gss_ctx_id_t ctx;
/* GSSAPI connection context */
67 gss_name_t
name;
/* GSSAPI client name */
68 char *princ;
/* GSSAPI Principal used for auth, NULL if
69 * GSSAPI auth was not used */
70 bool auth;
/* GSSAPI Authentication used */
71 bool enc;
/* GSSAPI encryption in use */
72 bool delegated_creds;
/* GSSAPI Delegated credentials */
78 * ClientConnectionInfo includes the fields describing the client connection
79 * that are copied over to parallel workers, since nothing from Port is copied.
80 * The same rules apply for allocations here as for Port (everything must be
81 * malloc'd or palloc'd in TopMemoryContext).
83 * If you add a struct member here, remember to also handle serialization in
84 * SerializeClientConnectionInfo() and co.
89 * Authenticated identity. The meaning of this identifier is dependent on
90 * auth_method; it is the identity (if any) that the user presented during
91 * the authentication cycle, before they were assigned a database role.
92 * (It is effectively the "SYSTEM-USERNAME" of a pg_ident usermap --
93 * though the exact string in use may be different, depending on pg_hba
96 * authn_id is NULL if the user has not actually been authenticated, for
97 * example if the "trust" auth method is in use.
102 * The HBA method that determined the above authn_id. This only has
103 * meaning if authn_id is not NULL; otherwise it's undefined.
109 * The Port structure holds state information about a client connection in a
110 * backend process. It is available in the global variable MyProcPort. The
111 * struct and all the data it points to are kept in TopMemoryContext.
113 * remote_hostname is set if we did a successful reverse lookup of the
114 * client's IP address during connection setup.
115 * remote_hostname_resolv tracks the state of hostname verification:
116 * +1 = remote_hostname is known to resolve to client's IP address
117 * -1 = remote_hostname is known NOT to resolve to client's IP address
118 * 0 = we have not done the forward DNS lookup yet
119 * -2 = there was an error in name resolution
120 * If reverse lookup of the client IP address fails, remote_hostname will be
121 * left NULL while remote_hostname_resolv is set to -2. If reverse lookup
122 * succeeds but forward lookup fails, remote_hostname_resolv is also set to -2
123 * (the case is distinguishable because remote_hostname isn't NULL). In
124 * either of the -2 cases, remote_hostname_errcode saves the lookup return
125 * code for possible later use with gai_strerror.
131 bool noblock;
/* is the socket in non-blocking mode? */
142 /* local_host is filled only if needed (see log_status_format) */
143 char local_host[64];
/* ip addr of local socket for client conn */
146 * Information that needs to be saved from the startup packet and passed
147 * into backend execution. "char *" fields are NULL if not set.
148 * guc_options points to a List of alternating option names and values.
156 * The startup packet application name, only used here for the "connection
157 * authorized" log message. We shouldn't use this post-startup; instead
158 * the GUC should be used, as the application can change it afterward.
163 * Information that needs to be held during the authentication cycle.
168 * TCP keepalive and user timeout settings.
170 * default values are 0 if AF_UNIX or not yet known; current values are 0
171 * if AF_UNIX or using the default. Also, -1 in a default value means we
172 * were unable to find out the default (getsockopt failed).
193#if defined(ENABLE_GSS) || defined(ENABLE_SSPI)
196 * If GSSAPI is supported and used on this connection, store GSSAPI
197 * information. Even when GSSAPI is not compiled in, store a NULL pointer
198 * to keep struct offsets the same (for extension ABI compatibility).
216 * OpenSSL structures. As with GSSAPI above, to keep struct offsets
217 * constant, NULL pointers are stored when SSL support is not enabled.
218 * (Although extensions should have no business accessing the raw_buf
230 * This is a bit of a hack. raw_buf is data that was previously read and
231 * buffered in a higher layer but then "unread" and needs to be read again
232 * while establishing an SSL connection via the SSL library layer.
234 * There's no API to "unread", the upper layer just places the data in the
235 * Port structure in raw_buf and sets raw_buf_remaining to the number of
236 * bytes unread and raw_buf_consumed to 0.
244 * ClientSocket holds a socket for an accepted connection, along with the
245 * information about the remote endpoint. This is passed from postmaster to
246 * the backend process.
256 * Hardcoded DH parameters, used in ephemeral DH keying. (See also
257 * README.SSL for more details on EDH.)
259 * This is the 2048-bit DH parameter from RFC 3526. The generation of the
260 * prime is specified in RFC 2412 Appendix E, which also discusses the
261 * design choice of the generator. Note that when loaded with OpenSSL
262 * this causes DH_check() to fail on DH_NOT_SUITABLE_GENERATOR, because
263 * OpenSSL's check prefers a generator that leaks a bit.
266"-----BEGIN DH PARAMETERS-----\n\
267MIIBCAKCAQEA///////////JD9qiIWjCNMTGYouA3BzRKQJOCIpnzHQCC76mOxOb\n\
268IlFKCHmONATd75UZs806QxswKwpt8l8UN0/hNW1tUcJF5IW1dmJefsb0TELppjft\n\
269awv/XLb0Brft7jhr+1qJn6WunyQRfEsf5kkoZlHs5Fs9wgB8uKFjvwWY2kg2HFXT\n\
270mmkWP6j9JM9fg2VdI9yjrZYcYvNWIIVSu57VKQdwlpZtZww1Tkq8mATxdGwIyhgh\n\
271fDKQXkYuNs474553LBgOhgObJ4Oi7Aeij7XFXfBvTFLJ3ivL9pVYFxg5lUl86pVq\n\
2725RXSJhiY+gUQFXKOWoqsqmj//////////wIBAg==\n\
273-----END DH PARAMETERS-----\n"
276 * These functions are implemented by the glue code specific to each
277 * SSL implementation (e.g. be-secure-openssl.c)
281 * Initialize global SSL context.
283 * If isServerStart is true, report any errors as FATAL (so we don't return).
284 * Otherwise, log errors at LOG level and return -1 to indicate trouble,
285 * preserving the old SSL state if any. Returns 0 if OK.
290 * Destroy global SSL context, if any.
295 * Attempt to negotiate SSL connection.
300 * Close SSL connection.
305 * Read data from a secure connection.
310 * Write data to a secure connection.
315 * Return information about the SSL connection.
325 * Get the server certificate hash for SCRAM channel binding type
326 * tls-server-end-point.
328 * The result is a palloc'd hash of the server certificate with its
329 * size, and NULL if there is no certificate available.
333/* init hook for SSL, the default sets the password callback if appropriate */
335typedef void (*openssl_tls_init_hook_typ) (SSL_CTX *context,
bool isServerStart);
343 * Return information about the GSSAPI authenticated connection
350/* Read and write to a GSSAPI-encrypted connection. */
353#endif /* ENABLE_GSS */
358/* TCP keepalives configuration. These are no-ops on an AF_UNIX socket. */
370#endif /* LIBPQ_BE_H */
ssize_t be_gssapi_write(Port *port, const void *ptr, size_t len)
bool be_gssapi_get_auth(Port *port)
ssize_t be_gssapi_read(Port *port, void *ptr, size_t len)
bool be_gssapi_get_enc(Port *port)
const char * be_gssapi_get_princ(Port *port)
bool be_gssapi_get_delegation(Port *port)
const char * be_tls_get_version(Port *port)
ssize_t be_tls_write(Port *port, const void *ptr, size_t len, int *waitfor)
void be_tls_destroy(void)
int be_tls_init(bool isServerStart)
openssl_tls_init_hook_typ openssl_tls_init_hook
int be_tls_get_cipher_bits(Port *port)
int be_tls_open_server(Port *port)
char * be_tls_get_certificate_hash(Port *port, size_t *len)
const char * be_tls_get_cipher(Port *port)
void be_tls_get_peer_serial(Port *port, char *ptr, size_t len)
void be_tls_close(Port *port)
void be_tls_get_peer_issuer_name(Port *port, char *ptr, size_t len)
ssize_t be_tls_read(Port *port, void *ptr, size_t len, int *waitfor)
void be_tls_get_peer_subject_name(Port *port, char *ptr, size_t len)
int pq_setkeepalivesinterval(int interval, Port *port)
PGDLLIMPORT ProtocolVersion FrontendProtocol
int pq_getkeepalivescount(Port *port)
int pq_getkeepalivesinterval(Port *port)
int pq_settcpusertimeout(int timeout, Port *port)
int pq_setkeepalivesidle(int idle, Port *port)
int pq_getkeepalivesidle(Port *port)
struct ClientSocket ClientSocket
PGDLLIMPORT ClientConnectionInfo MyClientConnectionInfo
struct ClientConnectionInfo ClientConnectionInfo
int pq_gettcpusertimeout(Port *port)
int pq_setkeepalivescount(int count, Port *port)
#define SCRAM_MAX_KEY_LEN
int remote_hostname_errcode
int default_keepalives_idle
uint8 scram_ServerKey[SCRAM_MAX_KEY_LEN]
int default_keepalives_interval
ssize_t raw_buf_remaining
int default_keepalives_count
int remote_hostname_resolv
int default_tcp_user_timeout
uint8 scram_ClientKey[SCRAM_MAX_KEY_LEN]