mirror of https://github.com/postgres/postgres
This is code that runs in the backend process after forking, rather than postmaster. Move it out of postmaster.c for clarity. Reviewed-by: Tristan Partin, Andres Freund Discussion: https://www.postgresql.org/message-id/7a59b073-5b5b-151e-7ed3-8b01ff7ce9ef@iki.fipull/159/head
Heikki Linnakangas
2 years ago
parent
aafc05de1b
commit
05c3980e7f
@ -0,0 +1,778 @@ |
|||||||
|
/*-------------------------------------------------------------------------
|
||||||
|
* |
||||||
|
* backend_startup.c |
||||||
|
* Backend startup code |
||||||
|
* |
||||||
|
* Portions Copyright (c) 1996-2023, PostgreSQL Global Development Group |
||||||
|
* Portions Copyright (c) 1994, Regents of the University of California |
||||||
|
* |
||||||
|
* |
||||||
|
* IDENTIFICATION |
||||||
|
* src/backend/tcop/backend_startup.c |
||||||
|
* |
||||||
|
*------------------------------------------------------------------------- |
||||||
|
*/ |
||||||
|
|
||||||
|
#include "postgres.h" |
||||||
|
|
||||||
|
#include <unistd.h> |
||||||
|
|
||||||
|
#include "access/xlog.h" |
||||||
|
#include "common/ip.h" |
||||||
|
#include "common/string.h" |
||||||
|
#include "libpq/libpq.h" |
||||||
|
#include "libpq/libpq-be.h" |
||||||
|
#include "libpq/pqformat.h" |
||||||
|
#include "libpq/pqsignal.h" |
||||||
|
#include "miscadmin.h" |
||||||
|
#include "postmaster/postmaster.h" |
||||||
|
#include "replication/walsender.h" |
||||||
|
#include "storage/fd.h" |
||||||
|
#include "storage/ipc.h" |
||||||
|
#include "storage/proc.h" |
||||||
|
#include "tcop/backend_startup.h" |
||||||
|
#include "tcop/tcopprot.h" |
||||||
|
#include "utils/builtins.h" |
||||||
|
#include "utils/memutils.h" |
||||||
|
#include "utils/ps_status.h" |
||||||
|
#include "utils/timeout.h" |
||||||
|
|
||||||
|
static void BackendInitialize(ClientSocket *client_sock, CAC_state cac); |
||||||
|
static int ProcessStartupPacket(Port *port, bool ssl_done, bool gss_done); |
||||||
|
static void SendNegotiateProtocolVersion(List *unrecognized_protocol_options); |
||||||
|
static void process_startup_packet_die(SIGNAL_ARGS); |
||||||
|
static void StartupPacketTimeoutHandler(void); |
||||||
|
|
||||||
|
/*
|
||||||
|
* Entry point for a new backend process. |
||||||
|
* |
||||||
|
* Initialize the connection, read the startup packet, authenticate the |
||||||
|
* client, and start the main processing loop. |
||||||
|
*/ |
||||||
|
void |
||||||
|
BackendMain(char *startup_data, size_t startup_data_len) |
||||||
|
{ |
||||||
|
BackendStartupData *bsdata = (BackendStartupData *) startup_data; |
||||||
|
|
||||||
|
Assert(startup_data_len == sizeof(BackendStartupData)); |
||||||
|
Assert(MyClientSocket != NULL); |
||||||
|
|
||||||
|
#ifdef EXEC_BACKEND |
||||||
|
|
||||||
|
/*
|
||||||
|
* Need to reinitialize the SSL library in the backend, since the context |
||||||
|
* structures contain function pointers and cannot be passed through the |
||||||
|
* parameter file. |
||||||
|
* |
||||||
|
* If for some reason reload fails (maybe the user installed broken key |
||||||
|
* files), soldier on without SSL; that's better than all connections |
||||||
|
* becoming impossible. |
||||||
|
* |
||||||
|
* XXX should we do this in all child processes? For the moment it's |
||||||
|
* enough to do it in backend children. |
||||||
|
*/ |
||||||
|
#ifdef USE_SSL |
||||||
|
if (EnableSSL) |
||||||
|
{ |
||||||
|
if (secure_initialize(false) == 0) |
||||||
|
LoadedSSL = true; |
||||||
|
else |
||||||
|
ereport(LOG, |
||||||
|
(errmsg("SSL configuration could not be loaded in child process"))); |
||||||
|
} |
||||||
|
#endif |
||||||
|
#endif |
||||||
|
|
||||||
|
/* Perform additional initialization and collect startup packet */ |
||||||
|
BackendInitialize(MyClientSocket, bsdata->canAcceptConnections); |
||||||
|
|
||||||
|
/*
|
||||||
|
* Create a per-backend PGPROC struct in shared memory. We must do this |
||||||
|
* before we can use LWLocks or access any shared memory. |
||||||
|
*/ |
||||||
|
InitProcess(); |
||||||
|
|
||||||
|
/*
|
||||||
|
* Make sure we aren't in PostmasterContext anymore. (We can't delete it |
||||||
|
* just yet, though, because InitPostgres will need the HBA data.) |
||||||
|
*/ |
||||||
|
MemoryContextSwitchTo(TopMemoryContext); |
||||||
|
|
||||||
|
PostgresMain(MyProcPort->database_name, MyProcPort->user_name); |
||||||
|
} |
||||||
|
|
||||||
|
|
||||||
|
/*
|
||||||
|
* BackendInitialize -- initialize an interactive (postmaster-child) |
||||||
|
* backend process, and collect the client's startup packet. |
||||||
|
* |
||||||
|
* returns: nothing. Will not return at all if there's any failure. |
||||||
|
* |
||||||
|
* Note: this code does not depend on having any access to shared memory. |
||||||
|
* Indeed, our approach to SIGTERM/timeout handling *requires* that |
||||||
|
* shared memory not have been touched yet; see comments within. |
||||||
|
* In the EXEC_BACKEND case, we are physically attached to shared memory |
||||||
|
* but have not yet set up most of our local pointers to shmem structures. |
||||||
|
*/ |
||||||
|
static void |
||||||
|
BackendInitialize(ClientSocket *client_sock, CAC_state cac) |
||||||
|
{ |
||||||
|
int status; |
||||||
|
int ret; |
||||||
|
Port *port; |
||||||
|
char remote_host[NI_MAXHOST]; |
||||||
|
char remote_port[NI_MAXSERV]; |
||||||
|
StringInfoData ps_data; |
||||||
|
MemoryContext oldcontext; |
||||||
|
|
||||||
|
/* Tell fd.c about the long-lived FD associated with the client_sock */ |
||||||
|
ReserveExternalFD(); |
||||||
|
|
||||||
|
/*
|
||||||
|
* PreAuthDelay is a debugging aid for investigating problems in the |
||||||
|
* authentication cycle: it can be set in postgresql.conf to allow time to |
||||||
|
* attach to the newly-forked backend with a debugger. (See also |
||||||
|
* PostAuthDelay, which we allow clients to pass through PGOPTIONS, but it |
||||||
|
* is not honored until after authentication.) |
||||||
|
*/ |
||||||
|
if (PreAuthDelay > 0) |
||||||
|
pg_usleep(PreAuthDelay * 1000000L); |
||||||
|
|
||||||
|
/* This flag will remain set until InitPostgres finishes authentication */ |
||||||
|
ClientAuthInProgress = true; /* limit visibility of log messages */ |
||||||
|
|
||||||
|
/*
|
||||||
|
* Initialize libpq and enable reporting of ereport errors to the client. |
||||||
|
* Must do this now because authentication uses libpq to send messages. |
||||||
|
* |
||||||
|
* The Port structure and all data structures attached to it are allocated |
||||||
|
* in TopMemoryContext, so that they survive into PostgresMain execution. |
||||||
|
* We need not worry about leaking this storage on failure, since we |
||||||
|
* aren't in the postmaster process anymore. |
||||||
|
*/ |
||||||
|
oldcontext = MemoryContextSwitchTo(TopMemoryContext); |
||||||
|
port = MyProcPort = pq_init(client_sock); |
||||||
|
MemoryContextSwitchTo(oldcontext); |
||||||
|
|
||||||
|
whereToSendOutput = DestRemote; /* now safe to ereport to client */ |
||||||
|
|
||||||
|
/* set these to empty in case they are needed before we set them up */ |
||||||
|
port->remote_host = ""; |
||||||
|
port->remote_port = ""; |
||||||
|
|
||||||
|
/*
|
||||||
|
* We arrange to do _exit(1) if we receive SIGTERM or timeout while trying |
||||||
|
* to collect the startup packet; while SIGQUIT results in _exit(2). |
||||||
|
* Otherwise the postmaster cannot shutdown the database FAST or IMMED |
||||||
|
* cleanly if a buggy client fails to send the packet promptly. |
||||||
|
* |
||||||
|
* Exiting with _exit(1) is only possible because we have not yet touched |
||||||
|
* shared memory; therefore no outside-the-process state needs to get |
||||||
|
* cleaned up. |
||||||
|
*/ |
||||||
|
pqsignal(SIGTERM, process_startup_packet_die); |
||||||
|
/* SIGQUIT handler was already set up by InitPostmasterChild */ |
||||||
|
InitializeTimeouts(); /* establishes SIGALRM handler */ |
||||||
|
sigprocmask(SIG_SETMASK, &StartupBlockSig, NULL); |
||||||
|
|
||||||
|
/*
|
||||||
|
* Get the remote host name and port for logging and status display. |
||||||
|
*/ |
||||||
|
remote_host[0] = '\0'; |
||||||
|
remote_port[0] = '\0'; |
||||||
|
if ((ret = pg_getnameinfo_all(&port->raddr.addr, port->raddr.salen, |
||||||
|
remote_host, sizeof(remote_host), |
||||||
|
remote_port, sizeof(remote_port), |
||||||
|
(log_hostname ? 0 : NI_NUMERICHOST) | NI_NUMERICSERV)) != 0) |
||||||
|
ereport(WARNING, |
||||||
|
(errmsg_internal("pg_getnameinfo_all() failed: %s", |
||||||
|
gai_strerror(ret)))); |
||||||
|
|
||||||
|
/*
|
||||||
|
* Save remote_host and remote_port in port structure (after this, they |
||||||
|
* will appear in log_line_prefix data for log messages). |
||||||
|
*/ |
||||||
|
oldcontext = MemoryContextSwitchTo(TopMemoryContext); |
||||||
|
port->remote_host = pstrdup(remote_host); |
||||||
|
port->remote_port = pstrdup(remote_port); |
||||||
|
|
||||||
|
/* And now we can issue the Log_connections message, if wanted */ |
||||||
|
if (Log_connections) |
||||||
|
{ |
||||||
|
if (remote_port[0]) |
||||||
|
ereport(LOG, |
||||||
|
(errmsg("connection received: host=%s port=%s", |
||||||
|
remote_host, |
||||||
|
remote_port))); |
||||||
|
else |
||||||
|
ereport(LOG, |
||||||
|
(errmsg("connection received: host=%s", |
||||||
|
remote_host))); |
||||||
|
} |
||||||
|
|
||||||
|
/*
|
||||||
|
* If we did a reverse lookup to name, we might as well save the results |
||||||
|
* rather than possibly repeating the lookup during authentication. |
||||||
|
* |
||||||
|
* Note that we don't want to specify NI_NAMEREQD above, because then we'd |
||||||
|
* get nothing useful for a client without an rDNS entry. Therefore, we |
||||||
|
* must check whether we got a numeric IPv4 or IPv6 address, and not save |
||||||
|
* it into remote_hostname if so. (This test is conservative and might |
||||||
|
* sometimes classify a hostname as numeric, but an error in that |
||||||
|
* direction is safe; it only results in a possible extra lookup.) |
||||||
|
*/ |
||||||
|
if (log_hostname && |
||||||
|
ret == 0 && |
||||||
|
strspn(remote_host, "0123456789.") < strlen(remote_host) && |
||||||
|
strspn(remote_host, "0123456789ABCDEFabcdef:") < strlen(remote_host)) |
||||||
|
{ |
||||||
|
port->remote_hostname = pstrdup(remote_host); |
||||||
|
} |
||||||
|
MemoryContextSwitchTo(oldcontext); |
||||||
|
|
||||||
|
/*
|
||||||
|
* Ready to begin client interaction. We will give up and _exit(1) after |
||||||
|
* a time delay, so that a broken client can't hog a connection |
||||||
|
* indefinitely. PreAuthDelay and any DNS interactions above don't count |
||||||
|
* against the time limit. |
||||||
|
* |
||||||
|
* Note: AuthenticationTimeout is applied here while waiting for the |
||||||
|
* startup packet, and then again in InitPostgres for the duration of any |
||||||
|
* authentication operations. So a hostile client could tie up the |
||||||
|
* process for nearly twice AuthenticationTimeout before we kick him off. |
||||||
|
* |
||||||
|
* Note: because PostgresMain will call InitializeTimeouts again, the |
||||||
|
* registration of STARTUP_PACKET_TIMEOUT will be lost. This is okay |
||||||
|
* since we never use it again after this function. |
||||||
|
*/ |
||||||
|
RegisterTimeout(STARTUP_PACKET_TIMEOUT, StartupPacketTimeoutHandler); |
||||||
|
enable_timeout_after(STARTUP_PACKET_TIMEOUT, AuthenticationTimeout * 1000); |
||||||
|
|
||||||
|
/*
|
||||||
|
* Receive the startup packet (which might turn out to be a cancel request |
||||||
|
* packet). |
||||||
|
*/ |
||||||
|
status = ProcessStartupPacket(port, false, false); |
||||||
|
|
||||||
|
/*
|
||||||
|
* If we're going to reject the connection due to database state, say so |
||||||
|
* now instead of wasting cycles on an authentication exchange. (This also |
||||||
|
* allows a pg_ping utility to be written.) |
||||||
|
*/ |
||||||
|
if (status == STATUS_OK) |
||||||
|
{ |
||||||
|
switch (cac) |
||||||
|
{ |
||||||
|
case CAC_STARTUP: |
||||||
|
ereport(FATAL, |
||||||
|
(errcode(ERRCODE_CANNOT_CONNECT_NOW), |
||||||
|
errmsg("the database system is starting up"))); |
||||||
|
break; |
||||||
|
case CAC_NOTCONSISTENT: |
||||||
|
if (EnableHotStandby) |
||||||
|
ereport(FATAL, |
||||||
|
(errcode(ERRCODE_CANNOT_CONNECT_NOW), |
||||||
|
errmsg("the database system is not yet accepting connections"), |
||||||
|
errdetail("Consistent recovery state has not been yet reached."))); |
||||||
|
else |
||||||
|
ereport(FATAL, |
||||||
|
(errcode(ERRCODE_CANNOT_CONNECT_NOW), |
||||||
|
errmsg("the database system is not accepting connections"), |
||||||
|
errdetail("Hot standby mode is disabled."))); |
||||||
|
break; |
||||||
|
case CAC_SHUTDOWN: |
||||||
|
ereport(FATAL, |
||||||
|
(errcode(ERRCODE_CANNOT_CONNECT_NOW), |
||||||
|
errmsg("the database system is shutting down"))); |
||||||
|
break; |
||||||
|
case CAC_RECOVERY: |
||||||
|
ereport(FATAL, |
||||||
|
(errcode(ERRCODE_CANNOT_CONNECT_NOW), |
||||||
|
errmsg("the database system is in recovery mode"))); |
||||||
|
break; |
||||||
|
case CAC_TOOMANY: |
||||||
|
ereport(FATAL, |
||||||
|
(errcode(ERRCODE_TOO_MANY_CONNECTIONS), |
||||||
|
errmsg("sorry, too many clients already"))); |
||||||
|
break; |
||||||
|
case CAC_OK: |
||||||
|
break; |
||||||
|
} |
||||||
|
} |
||||||
|
|
||||||
|
/*
|
||||||
|
* Disable the timeout, and prevent SIGTERM again. |
||||||
|
*/ |
||||||
|
disable_timeout(STARTUP_PACKET_TIMEOUT, false); |
||||||
|
sigprocmask(SIG_SETMASK, &BlockSig, NULL); |
||||||
|
|
||||||
|
/*
|
||||||
|
* As a safety check that nothing in startup has yet performed |
||||||
|
* shared-memory modifications that would need to be undone if we had |
||||||
|
* exited through SIGTERM or timeout above, check that no on_shmem_exit |
||||||
|
* handlers have been registered yet. (This isn't terribly bulletproof, |
||||||
|
* since someone might misuse an on_proc_exit handler for shmem cleanup, |
||||||
|
* but it's a cheap and helpful check. We cannot disallow on_proc_exit |
||||||
|
* handlers unfortunately, since pq_init() already registered one.) |
||||||
|
*/ |
||||||
|
check_on_shmem_exit_lists_are_empty(); |
||||||
|
|
||||||
|
/*
|
||||||
|
* Stop here if it was bad or a cancel packet. ProcessStartupPacket |
||||||
|
* already did any appropriate error reporting. |
||||||
|
*/ |
||||||
|
if (status != STATUS_OK) |
||||||
|
proc_exit(0); |
||||||
|
|
||||||
|
/*
|
||||||
|
* Now that we have the user and database name, we can set the process |
||||||
|
* title for ps. It's good to do this as early as possible in startup. |
||||||
|
*/ |
||||||
|
initStringInfo(&ps_data); |
||||||
|
if (am_walsender) |
||||||
|
appendStringInfo(&ps_data, "%s ", GetBackendTypeDesc(B_WAL_SENDER)); |
||||||
|
appendStringInfo(&ps_data, "%s ", port->user_name); |
||||||
|
if (port->database_name[0] != '\0') |
||||||
|
appendStringInfo(&ps_data, "%s ", port->database_name); |
||||||
|
appendStringInfoString(&ps_data, port->remote_host); |
||||||
|
if (port->remote_port[0] != '\0') |
||||||
|
appendStringInfo(&ps_data, "(%s)", port->remote_port); |
||||||
|
|
||||||
|
init_ps_display(ps_data.data); |
||||||
|
pfree(ps_data.data); |
||||||
|
|
||||||
|
set_ps_display("initializing"); |
||||||
|
} |
||||||
|
|
||||||
|
/*
|
||||||
|
* Read a client's startup packet and do something according to it. |
||||||
|
* |
||||||
|
* Returns STATUS_OK or STATUS_ERROR, or might call ereport(FATAL) and |
||||||
|
* not return at all. |
||||||
|
* |
||||||
|
* (Note that ereport(FATAL) stuff is sent to the client, so only use it |
||||||
|
* if that's what you want. Return STATUS_ERROR if you don't want to |
||||||
|
* send anything to the client, which would typically be appropriate |
||||||
|
* if we detect a communications failure.) |
||||||
|
* |
||||||
|
* Set ssl_done and/or gss_done when negotiation of an encrypted layer |
||||||
|
* (currently, TLS or GSSAPI) is completed. A successful negotiation of either |
||||||
|
* encryption layer sets both flags, but a rejected negotiation sets only the |
||||||
|
* flag for that layer, since the client may wish to try the other one. We |
||||||
|
* should make no assumption here about the order in which the client may make |
||||||
|
* requests. |
||||||
|
*/ |
||||||
|
static int |
||||||
|
ProcessStartupPacket(Port *port, bool ssl_done, bool gss_done) |
||||||
|
{ |
||||||
|
int32 len; |
||||||
|
char *buf; |
||||||
|
ProtocolVersion proto; |
||||||
|
MemoryContext oldcontext; |
||||||
|
|
||||||
|
pq_startmsgread(); |
||||||
|
|
||||||
|
/*
|
||||||
|
* Grab the first byte of the length word separately, so that we can tell |
||||||
|
* whether we have no data at all or an incomplete packet. (This might |
||||||
|
* sound inefficient, but it's not really, because of buffering in |
||||||
|
* pqcomm.c.) |
||||||
|
*/ |
||||||
|
if (pq_getbytes((char *) &len, 1) == EOF) |
||||||
|
{ |
||||||
|
/*
|
||||||
|
* If we get no data at all, don't clutter the log with a complaint; |
||||||
|
* such cases often occur for legitimate reasons. An example is that |
||||||
|
* we might be here after responding to NEGOTIATE_SSL_CODE, and if the |
||||||
|
* client didn't like our response, it'll probably just drop the |
||||||
|
* connection. Service-monitoring software also often just opens and |
||||||
|
* closes a connection without sending anything. (So do port |
||||||
|
* scanners, which may be less benign, but it's not really our job to |
||||||
|
* notice those.) |
||||||
|
*/ |
||||||
|
return STATUS_ERROR; |
||||||
|
} |
||||||
|
|
||||||
|
if (pq_getbytes(((char *) &len) + 1, 3) == EOF) |
||||||
|
{ |
||||||
|
/* Got a partial length word, so bleat about that */ |
||||||
|
if (!ssl_done && !gss_done) |
||||||
|
ereport(COMMERROR, |
||||||
|
(errcode(ERRCODE_PROTOCOL_VIOLATION), |
||||||
|
errmsg("incomplete startup packet"))); |
||||||
|
return STATUS_ERROR; |
||||||
|
} |
||||||
|
|
||||||
|
len = pg_ntoh32(len); |
||||||
|
len -= 4; |
||||||
|
|
||||||
|
if (len < (int32) sizeof(ProtocolVersion) || |
||||||
|
len > MAX_STARTUP_PACKET_LENGTH) |
||||||
|
{ |
||||||
|
ereport(COMMERROR, |
||||||
|
(errcode(ERRCODE_PROTOCOL_VIOLATION), |
||||||
|
errmsg("invalid length of startup packet"))); |
||||||
|
return STATUS_ERROR; |
||||||
|
} |
||||||
|
|
||||||
|
/*
|
||||||
|
* Allocate space to hold the startup packet, plus one extra byte that's |
||||||
|
* initialized to be zero. This ensures we will have null termination of |
||||||
|
* all strings inside the packet. |
||||||
|
*/ |
||||||
|
buf = palloc(len + 1); |
||||||
|
buf[len] = '\0'; |
||||||
|
|
||||||
|
if (pq_getbytes(buf, len) == EOF) |
||||||
|
{ |
||||||
|
ereport(COMMERROR, |
||||||
|
(errcode(ERRCODE_PROTOCOL_VIOLATION), |
||||||
|
errmsg("incomplete startup packet"))); |
||||||
|
return STATUS_ERROR; |
||||||
|
} |
||||||
|
pq_endmsgread(); |
||||||
|
|
||||||
|
/*
|
||||||
|
* The first field is either a protocol version number or a special |
||||||
|
* request code. |
||||||
|
*/ |
||||||
|
port->proto = proto = pg_ntoh32(*((ProtocolVersion *) buf)); |
||||||
|
|
||||||
|
if (proto == CANCEL_REQUEST_CODE) |
||||||
|
{ |
||||||
|
CancelRequestPacket *canc; |
||||||
|
int backendPID; |
||||||
|
int32 cancelAuthCode; |
||||||
|
|
||||||
|
if (len != sizeof(CancelRequestPacket)) |
||||||
|
{ |
||||||
|
ereport(COMMERROR, |
||||||
|
(errcode(ERRCODE_PROTOCOL_VIOLATION), |
||||||
|
errmsg("invalid length of startup packet"))); |
||||||
|
return STATUS_ERROR; |
||||||
|
} |
||||||
|
canc = (CancelRequestPacket *) buf; |
||||||
|
backendPID = (int) pg_ntoh32(canc->backendPID); |
||||||
|
cancelAuthCode = (int32) pg_ntoh32(canc->cancelAuthCode); |
||||||
|
|
||||||
|
processCancelRequest(backendPID, cancelAuthCode); |
||||||
|
/* Not really an error, but we don't want to proceed further */ |
||||||
|
return STATUS_ERROR; |
||||||
|
} |
||||||
|
|
||||||
|
if (proto == NEGOTIATE_SSL_CODE && !ssl_done) |
||||||
|
{ |
||||||
|
char SSLok; |
||||||
|
|
||||||
|
#ifdef USE_SSL |
||||||
|
/* No SSL when disabled or on Unix sockets */ |
||||||
|
if (!LoadedSSL || port->laddr.addr.ss_family == AF_UNIX) |
||||||
|
SSLok = 'N'; |
||||||
|
else |
||||||
|
SSLok = 'S'; /* Support for SSL */ |
||||||
|
#else |
||||||
|
SSLok = 'N'; /* No support for SSL */ |
||||||
|
#endif |
||||||
|
|
||||||
|
retry1: |
||||||
|
if (send(port->sock, &SSLok, 1, 0) != 1) |
||||||
|
{ |
||||||
|
if (errno == EINTR) |
||||||
|
goto retry1; /* if interrupted, just retry */ |
||||||
|
ereport(COMMERROR, |
||||||
|
(errcode_for_socket_access(), |
||||||
|
errmsg("failed to send SSL negotiation response: %m"))); |
||||||
|
return STATUS_ERROR; /* close the connection */ |
||||||
|
} |
||||||
|
|
||||||
|
#ifdef USE_SSL |
||||||
|
if (SSLok == 'S' && secure_open_server(port) == -1) |
||||||
|
return STATUS_ERROR; |
||||||
|
#endif |
||||||
|
|
||||||
|
/*
|
||||||
|
* At this point we should have no data already buffered. If we do, |
||||||
|
* it was received before we performed the SSL handshake, so it wasn't |
||||||
|
* encrypted and indeed may have been injected by a man-in-the-middle. |
||||||
|
* We report this case to the client. |
||||||
|
*/ |
||||||
|
if (pq_buffer_has_data()) |
||||||
|
ereport(FATAL, |
||||||
|
(errcode(ERRCODE_PROTOCOL_VIOLATION), |
||||||
|
errmsg("received unencrypted data after SSL request"), |
||||||
|
errdetail("This could be either a client-software bug or evidence of an attempted man-in-the-middle attack."))); |
||||||
|
|
||||||
|
/*
|
||||||
|
* regular startup packet, cancel, etc packet should follow, but not |
||||||
|
* another SSL negotiation request, and a GSS request should only |
||||||
|
* follow if SSL was rejected (client may negotiate in either order) |
||||||
|
*/ |
||||||
|
return ProcessStartupPacket(port, true, SSLok == 'S'); |
||||||
|
} |
||||||
|
else if (proto == NEGOTIATE_GSS_CODE && !gss_done) |
||||||
|
{ |
||||||
|
char GSSok = 'N'; |
||||||
|
|
||||||
|
#ifdef ENABLE_GSS |
||||||
|
/* No GSSAPI encryption when on Unix socket */ |
||||||
|
if (port->laddr.addr.ss_family != AF_UNIX) |
||||||
|
GSSok = 'G'; |
||||||
|
#endif |
||||||
|
|
||||||
|
while (send(port->sock, &GSSok, 1, 0) != 1) |
||||||
|
{ |
||||||
|
if (errno == EINTR) |
||||||
|
continue; |
||||||
|
ereport(COMMERROR, |
||||||
|
(errcode_for_socket_access(), |
||||||
|
errmsg("failed to send GSSAPI negotiation response: %m"))); |
||||||
|
return STATUS_ERROR; /* close the connection */ |
||||||
|
} |
||||||
|
|
||||||
|
#ifdef ENABLE_GSS |
||||||
|
if (GSSok == 'G' && secure_open_gssapi(port) == -1) |
||||||
|
return STATUS_ERROR; |
||||||
|
#endif |
||||||
|
|
||||||
|
/*
|
||||||
|
* At this point we should have no data already buffered. If we do, |
||||||
|
* it was received before we performed the GSS handshake, so it wasn't |
||||||
|
* encrypted and indeed may have been injected by a man-in-the-middle. |
||||||
|
* We report this case to the client. |
||||||
|
*/ |
||||||
|
if (pq_buffer_has_data()) |
||||||
|
ereport(FATAL, |
||||||
|
(errcode(ERRCODE_PROTOCOL_VIOLATION), |
||||||
|
errmsg("received unencrypted data after GSSAPI encryption request"), |
||||||
|
errdetail("This could be either a client-software bug or evidence of an attempted man-in-the-middle attack."))); |
||||||
|
|
||||||
|
/*
|
||||||
|
* regular startup packet, cancel, etc packet should follow, but not |
||||||
|
* another GSS negotiation request, and an SSL request should only |
||||||
|
* follow if GSS was rejected (client may negotiate in either order) |
||||||
|
*/ |
||||||
|
return ProcessStartupPacket(port, GSSok == 'G', true); |
||||||
|
} |
||||||
|
|
||||||
|
/* Could add additional special packet types here */ |
||||||
|
|
||||||
|
/*
|
||||||
|
* Set FrontendProtocol now so that ereport() knows what format to send if |
||||||
|
* we fail during startup. |
||||||
|
*/ |
||||||
|
FrontendProtocol = proto; |
||||||
|
|
||||||
|
/* Check that the major protocol version is in range. */ |
||||||
|
if (PG_PROTOCOL_MAJOR(proto) < PG_PROTOCOL_MAJOR(PG_PROTOCOL_EARLIEST) || |
||||||
|
PG_PROTOCOL_MAJOR(proto) > PG_PROTOCOL_MAJOR(PG_PROTOCOL_LATEST)) |
||||||
|
ereport(FATAL, |
||||||
|
(errcode(ERRCODE_FEATURE_NOT_SUPPORTED), |
||||||
|
errmsg("unsupported frontend protocol %u.%u: server supports %u.0 to %u.%u", |
||||||
|
PG_PROTOCOL_MAJOR(proto), PG_PROTOCOL_MINOR(proto), |
||||||
|
PG_PROTOCOL_MAJOR(PG_PROTOCOL_EARLIEST), |
||||||
|
PG_PROTOCOL_MAJOR(PG_PROTOCOL_LATEST), |
||||||
|
PG_PROTOCOL_MINOR(PG_PROTOCOL_LATEST)))); |
||||||
|
|
||||||
|
/*
|
||||||
|
* Now fetch parameters out of startup packet and save them into the Port |
||||||
|
* structure. |
||||||
|
*/ |
||||||
|
oldcontext = MemoryContextSwitchTo(TopMemoryContext); |
||||||
|
|
||||||
|
/* Handle protocol version 3 startup packet */ |
||||||
|
{ |
||||||
|
int32 offset = sizeof(ProtocolVersion); |
||||||
|
List *unrecognized_protocol_options = NIL; |
||||||
|
|
||||||
|
/*
|
||||||
|
* Scan packet body for name/option pairs. We can assume any string |
||||||
|
* beginning within the packet body is null-terminated, thanks to |
||||||
|
* zeroing extra byte above. |
||||||
|
*/ |
||||||
|
port->guc_options = NIL; |
||||||
|
|
||||||
|
while (offset < len) |
||||||
|
{ |
||||||
|
char *nameptr = buf + offset; |
||||||
|
int32 valoffset; |
||||||
|
char *valptr; |
||||||
|
|
||||||
|
if (*nameptr == '\0') |
||||||
|
break; /* found packet terminator */ |
||||||
|
valoffset = offset + strlen(nameptr) + 1; |
||||||
|
if (valoffset >= len) |
||||||
|
break; /* missing value, will complain below */ |
||||||
|
valptr = buf + valoffset; |
||||||
|
|
||||||
|
if (strcmp(nameptr, "database") == 0) |
||||||
|
port->database_name = pstrdup(valptr); |
||||||
|
else if (strcmp(nameptr, "user") == 0) |
||||||
|
port->user_name = pstrdup(valptr); |
||||||
|
else if (strcmp(nameptr, "options") == 0) |
||||||
|
port->cmdline_options = pstrdup(valptr); |
||||||
|
else if (strcmp(nameptr, "replication") == 0) |
||||||
|
{ |
||||||
|
/*
|
||||||
|
* Due to backward compatibility concerns the replication |
||||||
|
* parameter is a hybrid beast which allows the value to be |
||||||
|
* either boolean or the string 'database'. The latter |
||||||
|
* connects to a specific database which is e.g. required for |
||||||
|
* logical decoding while. |
||||||
|
*/ |
||||||
|
if (strcmp(valptr, "database") == 0) |
||||||
|
{ |
||||||
|
am_walsender = true; |
||||||
|
am_db_walsender = true; |
||||||
|
} |
||||||
|
else if (!parse_bool(valptr, &am_walsender)) |
||||||
|
ereport(FATAL, |
||||||
|
(errcode(ERRCODE_INVALID_PARAMETER_VALUE), |
||||||
|
errmsg("invalid value for parameter \"%s\": \"%s\"", |
||||||
|
"replication", |
||||||
|
valptr), |
||||||
|
errhint("Valid values are: \"false\", 0, \"true\", 1, \"database\"."))); |
||||||
|
} |
||||||
|
else if (strncmp(nameptr, "_pq_.", 5) == 0) |
||||||
|
{ |
||||||
|
/*
|
||||||
|
* Any option beginning with _pq_. is reserved for use as a |
||||||
|
* protocol-level option, but at present no such options are |
||||||
|
* defined. |
||||||
|
*/ |
||||||
|
unrecognized_protocol_options = |
||||||
|
lappend(unrecognized_protocol_options, pstrdup(nameptr)); |
||||||
|
} |
||||||
|
else |
||||||
|
{ |
||||||
|
/* Assume it's a generic GUC option */ |
||||||
|
port->guc_options = lappend(port->guc_options, |
||||||
|
pstrdup(nameptr)); |
||||||
|
port->guc_options = lappend(port->guc_options, |
||||||
|
pstrdup(valptr)); |
||||||
|
|
||||||
|
/*
|
||||||
|
* Copy application_name to port if we come across it. This |
||||||
|
* is done so we can log the application_name in the |
||||||
|
* connection authorization message. Note that the GUC would |
||||||
|
* be used but we haven't gone through GUC setup yet. |
||||||
|
*/ |
||||||
|
if (strcmp(nameptr, "application_name") == 0) |
||||||
|
{ |
||||||
|
port->application_name = pg_clean_ascii(valptr, 0); |
||||||
|
} |
||||||
|
} |
||||||
|
offset = valoffset + strlen(valptr) + 1; |
||||||
|
} |
||||||
|
|
||||||
|
/*
|
||||||
|
* If we didn't find a packet terminator exactly at the end of the |
||||||
|
* given packet length, complain. |
||||||
|
*/ |
||||||
|
if (offset != len - 1) |
||||||
|
ereport(FATAL, |
||||||
|
(errcode(ERRCODE_PROTOCOL_VIOLATION), |
||||||
|
errmsg("invalid startup packet layout: expected terminator as last byte"))); |
||||||
|
|
||||||
|
/*
|
||||||
|
* If the client requested a newer protocol version or if the client |
||||||
|
* requested any protocol options we didn't recognize, let them know |
||||||
|
* the newest minor protocol version we do support and the names of |
||||||
|
* any unrecognized options. |
||||||
|
*/ |
||||||
|
if (PG_PROTOCOL_MINOR(proto) > PG_PROTOCOL_MINOR(PG_PROTOCOL_LATEST) || |
||||||
|
unrecognized_protocol_options != NIL) |
||||||
|
SendNegotiateProtocolVersion(unrecognized_protocol_options); |
||||||
|
} |
||||||
|
|
||||||
|
/* Check a user name was given. */ |
||||||
|
if (port->user_name == NULL || port->user_name[0] == '\0') |
||||||
|
ereport(FATAL, |
||||||
|
(errcode(ERRCODE_INVALID_AUTHORIZATION_SPECIFICATION), |
||||||
|
errmsg("no PostgreSQL user name specified in startup packet"))); |
||||||
|
|
||||||
|
/* The database defaults to the user name. */ |
||||||
|
if (port->database_name == NULL || port->database_name[0] == '\0') |
||||||
|
port->database_name = pstrdup(port->user_name); |
||||||
|
|
||||||
|
if (am_walsender) |
||||||
|
MyBackendType = B_WAL_SENDER; |
||||||
|
else |
||||||
|
MyBackendType = B_BACKEND; |
||||||
|
|
||||||
|
/*
|
||||||
|
* Normal walsender backends, e.g. for streaming replication, are not |
||||||
|
* connected to a particular database. But walsenders used for logical |
||||||
|
* replication need to connect to a specific database. We allow streaming |
||||||
|
* replication commands to be issued even if connected to a database as it |
||||||
|
* can make sense to first make a basebackup and then stream changes |
||||||
|
* starting from that. |
||||||
|
*/ |
||||||
|
if (am_walsender && !am_db_walsender) |
||||||
|
port->database_name[0] = '\0'; |
||||||
|
|
||||||
|
/*
|
||||||
|
* Done filling the Port structure |
||||||
|
*/ |
||||||
|
MemoryContextSwitchTo(oldcontext); |
||||||
|
|
||||||
|
return STATUS_OK; |
||||||
|
} |
||||||
|
|
||||||
|
/*
|
||||||
|
* Send a NegotiateProtocolVersion to the client. This lets the client know |
||||||
|
* that they have requested a newer minor protocol version than we are able |
||||||
|
* to speak. We'll speak the highest version we know about; the client can, |
||||||
|
* of course, abandon the connection if that's a problem. |
||||||
|
* |
||||||
|
* We also include in the response a list of protocol options we didn't |
||||||
|
* understand. This allows clients to include optional parameters that might |
||||||
|
* be present either in newer protocol versions or third-party protocol |
||||||
|
* extensions without fear of having to reconnect if those options are not |
||||||
|
* understood, while at the same time making certain that the client is aware |
||||||
|
* of which options were actually accepted. |
||||||
|
*/ |
||||||
|
static void |
||||||
|
SendNegotiateProtocolVersion(List *unrecognized_protocol_options) |
||||||
|
{ |
||||||
|
StringInfoData buf; |
||||||
|
ListCell *lc; |
||||||
|
|
||||||
|
pq_beginmessage(&buf, PqMsg_NegotiateProtocolVersion); |
||||||
|
pq_sendint32(&buf, PG_PROTOCOL_LATEST); |
||||||
|
pq_sendint32(&buf, list_length(unrecognized_protocol_options)); |
||||||
|
foreach(lc, unrecognized_protocol_options) |
||||||
|
pq_sendstring(&buf, lfirst(lc)); |
||||||
|
pq_endmessage(&buf); |
||||||
|
|
||||||
|
/* no need to flush, some other message will follow */ |
||||||
|
} |
||||||
|
|
||||||
|
|
||||||
|
/*
|
||||||
|
* SIGTERM while processing startup packet. |
||||||
|
* |
||||||
|
* Running proc_exit() from a signal handler would be quite unsafe. |
||||||
|
* However, since we have not yet touched shared memory, we can just |
||||||
|
* pull the plug and exit without running any atexit handlers. |
||||||
|
* |
||||||
|
* One might be tempted to try to send a message, or log one, indicating |
||||||
|
* why we are disconnecting. However, that would be quite unsafe in itself. |
||||||
|
* Also, it seems undesirable to provide clues about the database's state |
||||||
|
* to a client that has not yet completed authentication, or even sent us |
||||||
|
* a startup packet. |
||||||
|
*/ |
||||||
|
static void |
||||||
|
process_startup_packet_die(SIGNAL_ARGS) |
||||||
|
{ |
||||||
|
_exit(1); |
||||||
|
} |
||||||
|
|
||||||
|
/*
|
||||||
|
* Timeout while processing startup packet. |
||||||
|
* As for process_startup_packet_die(), we exit via _exit(1). |
||||||
|
*/ |
||||||
|
static void |
||||||
|
StartupPacketTimeoutHandler(void) |
||||||
|
{ |
||||||
|
_exit(1); |
||||||
|
} |
||||||
@ -0,0 +1,41 @@ |
|||||||
|
/*-------------------------------------------------------------------------
|
||||||
|
* |
||||||
|
* backend_startup.h |
||||||
|
* prototypes for backend_startup.c. |
||||||
|
* |
||||||
|
* |
||||||
|
* Portions Copyright (c) 1996-2023, PostgreSQL Global Development Group |
||||||
|
* Portions Copyright (c) 1994, Regents of the University of California |
||||||
|
* |
||||||
|
* src/include/tcop/backend_startup.h |
||||||
|
* |
||||||
|
*------------------------------------------------------------------------- |
||||||
|
*/ |
||||||
|
#ifndef BACKEND_STARTUP_H |
||||||
|
#define BACKEND_STARTUP_H |
||||||
|
|
||||||
|
/*
|
||||||
|
* CAC_state is passed from postmaster to the backend process, to indicate |
||||||
|
* whether the connection should be accepted, or if the process should just |
||||||
|
* send an error to the client and close the connection. Note that the |
||||||
|
* connection can fail for various reasons even if postmaster passed CAC_OK. |
||||||
|
*/ |
||||||
|
typedef enum CAC_state |
||||||
|
{ |
||||||
|
CAC_OK, |
||||||
|
CAC_STARTUP, |
||||||
|
CAC_SHUTDOWN, |
||||||
|
CAC_RECOVERY, |
||||||
|
CAC_NOTCONSISTENT, |
||||||
|
CAC_TOOMANY, |
||||||
|
} CAC_state; |
||||||
|
|
||||||
|
/* Information passed from postmaster to backend process in 'startup_data' */ |
||||||
|
typedef struct BackendStartupData |
||||||
|
{ |
||||||
|
CAC_state canAcceptConnections; |
||||||
|
} BackendStartupData; |
||||||
|
|
||||||
|
extern void BackendMain(char *startup_data, size_t startup_data_len) pg_attribute_noreturn(); |
||||||
|
|
||||||
|
#endif /* BACKEND_STARTUP_H */ |
||||||
Loading…
Reference in new issue