Use abstracted SSL API in server connection log messages

The existing "connection authorized" server log messages used OpenSSL API calls directly, even though similar abstracted API calls exist. Change to use the latter instead. Change the function prototype for the functions that return the TLS version and the cipher to return const char * directly instead of copying into a buffer. That makes them slightly easier to use. Add bits= to the message. psql shows that, so we might as well show the same information on the client and server. Reviewed-by: Daniel Gustafsson <daniel@yesql.se> Reviewed-by: Michael Paquier <michael.paquier@gmail.com>

Use abstracted SSL API in server connection log messages
The existing "connection authorized" server log messages used OpenSSL API calls directly, even though similar abstracted API calls exist. Change to use the latter instead. Change the function prototype for the functions that return the TLS version and the cipher to return const char * directly instead of copying into a buffer. That makes them slightly easier to use. Add bits= to the message. psql shows that, so we might as well show the same information on the client and server. Reviewed-by: Daniel Gustafsson <daniel@yesql.se> Reviewed-by: Michael Paquier <michael.paquier@gmail.com>
c1869542 · Peter Eisentraut · a6ef00b5 · c1869542 · c1869542 · c1869542
Commit c1869542 authored Jan 25, 2018 by Peter Eisentraut
4 changed files
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -1047,22 +1047,22 @@ be_tls_get_compression(Port *port)
 		return false;
 }
-void
+const char *
-be_tls_get_version(Port *port, char *ptr, size_t len)
+be_tls_get_version(Port *port)
 {
 	if (port->ssl)
-		strlcpy(ptr, SSL_get_version(port->ssl), len);
+		return SSL_get_version(port->ssl);
 	else
-		ptr[0] = '\0';
+		return NULL;
 }
-void
+const char *
-be_tls_get_cipher(Port *port, char *ptr, size_t len)
+be_tls_get_cipher(Port *port)
 {
 	if (port->ssl)
-		strlcpy(ptr, SSL_get_cipher(port->ssl), len);
+		return SSL_get_cipher(port->ssl);
 	else
-		ptr[0] = '\0';
+		return NULL;
 }
 void

--- a/src/backend/postmaster/pgstat.c
+++ b/src/backend/postmaster/pgstat.c
@@ -2909,8 +2909,8 @@ pgstat_bestart(void)
 		beentry->st_ssl = true;
 		beentry->st_sslstatus->ssl_bits = be_tls_get_cipher_bits(MyProcPort);
 		beentry->st_sslstatus->ssl_compression = be_tls_get_compression(MyProcPort);
-		be_tls_get_version(MyProcPort, beentry->st_sslstatus->ssl_version, NAMEDATALEN);
+		strlcpy(beentry->st_sslstatus->ssl_version, be_tls_get_version(MyProcPort), NAMEDATALEN);
-		be_tls_get_cipher(MyProcPort, beentry->st_sslstatus->ssl_cipher, NAMEDATALEN);
+		strlcpy(beentry->st_sslstatus->ssl_cipher, be_tls_get_cipher(MyProcPort), NAMEDATALEN);
 		be_tls_get_peerdn_name(MyProcPort, beentry->st_sslstatus->ssl_clientdn, NAMEDATALEN);
 	}
 	else

--- a/src/backend/utils/init/postinit.c
+++ b/src/backend/utils/init/postinit.c
@@ -246,12 +246,15 @@ PerformAuthentication(Port *port)
 	{
 		if (am_walsender)
 		{
-#ifdef USE_OPENSSL
+#ifdef USE_SSL
 			if (port->ssl_in_use)
 				ereport(LOG,
-						(errmsg("replication connection authorized: user=%s SSL enabled (protocol=%s, cipher=%s, compression=%s)",
+						(errmsg("replication connection authorized: user=%s SSL enabled (protocol=%s, cipher=%s, bits=%d, compression=%s)",
-								port->user_name, SSL_get_version(port->ssl), SSL_get_cipher(port->ssl),
+								port->user_name,
-								SSL_get_current_compression(port->ssl) ? _("on") : _("off"))));
+								be_tls_get_version(port),
+								be_tls_get_cipher(port),
+								be_tls_get_cipher_bits(port),
+								be_tls_get_compression(port) ? _("on") : _("off"))));
 			else
 #endif
 				ereport(LOG,
@@ -260,12 +263,15 @@ PerformAuthentication(Port *port)
 		}
 		else
 		{
-#ifdef USE_OPENSSL
+#ifdef USE_SSL
 			if (port->ssl_in_use)
 				ereport(LOG,
-						(errmsg("connection authorized: user=%s database=%s SSL enabled (protocol=%s, cipher=%s, compression=%s)",
+						(errmsg("connection authorized: user=%s database=%s SSL enabled (protocol=%s, cipher=%s, bits=%d, compression=%s)",
-								port->user_name, port->database_name, SSL_get_version(port->ssl), SSL_get_cipher(port->ssl),
+								port->user_name, port->database_name,
-								SSL_get_current_compression(port->ssl) ? _("on") : _("off"))));
+								be_tls_get_version(port),
+								be_tls_get_cipher(port),
+								be_tls_get_cipher_bits(port),
+								be_tls_get_compression(port) ? _("on") : _("off"))));
 			else
 #endif
 				ereport(LOG,

--- a/src/include/libpq/libpq-be.h
+++ b/src/include/libpq/libpq-be.h
@@ -256,8 +256,8 @@ extern ssize_t be_tls_write(Port *port, void *ptr, size_t len, int *waitfor);
 */
 extern int	be_tls_get_cipher_bits(Port *port);
 extern bool be_tls_get_compression(Port *port);
-extern void be_tls_get_version(Port *port, char *ptr, size_t len);
+extern const char *be_tls_get_version(Port *port);
-extern void be_tls_get_cipher(Port *port, char *ptr, size_t len);
+extern const char *be_tls_get_cipher(Port *port);
 extern void be_tls_get_peerdn_name(Port *port, char *ptr, size_t len);
 /*