修改 ssl_use_tlcp与ssl_ciphers的匹配判断

src/gausskernel/process/postmaster/postmaster.cpp

@@ -3348,13 +3348,35 @@ static void CheckRecoveryParaConflict()
 }
 
 #if ((defined(USE_SSL)) && (defined(USE_TASSL)))
+static bool CheckSSLConflictInternal(const char**ssl_ciphers_list)
+{
+    char* token = NULL;
+    bool find_ciphers_in_list = false;
+    char* ptok = NULL;
+    char *sslciphers = pstrdup(g_instance.attr.attr_security.SSLCipherSuites);
+
+    if (sslciphers == NULL || ssl_ciphers_list == NULL) {
+        ereport(ERROR, (errmsg("sslciphers or ssl_ciphers_list can not be null")));
+    } else {
+        token = strtok_r(sslciphers, ";", &ptok);
+        while (token != NULL) {
+            for (int cnt = 0; ssl_ciphers_list[cnt] != NULL; cnt++) {
+                if (strlen(ssl_ciphers_list[cnt]) == strlen(token) &&
+                    strncmp(ssl_ciphers_list[cnt], token, strlen(token)) == 0) { 
+                    find_ciphers_in_list = true;
+                    break;
+                }
+            }
+            if(find_ciphers_in_list)
+                break;
+            token = strtok_r(NULL, ";", &ptok);
+        }
+        pfree(sslciphers);
+    } 
+    return find_ciphers_in_list;
+}
 static void CheckSSLConflict()
 {
-    char *sslciphers = NULL;
-    char* token = NULL;
-    bool find_sm_ciphers_in_list = false;
-    int sm_index = 6;
-    char* ptok = NULL;
     const char* ssl_ciphers_list[] = {
         "ECDHE-RSA-AES128-GCM-SHA256",
         "ECDHE-RSA-AES256-GCM-SHA384",
@@ -3362,41 +3384,33 @@ static void CheckSSLConflict()
         "ECDHE-ECDSA-AES256-GCM-SHA384",
         "DHE-RSA-AES128-GCM-SHA256",
         "DHE-RSA-AES256-GCM-SHA384",
-        "ECDHE-SM4-SM3", //6
-        "ECDHE-SM4-GCM-SM3", //7
-        "ECC-SM4-SM3",//8
-        "ECC-SM4-GCM-SM3"//9
+        NULL
     };
-    if(!g_instance.attr.attr_security.ssl_use_tlcp || !g_instance.attr.attr_security.EnableSSL
-    || strcasecmp(g_instance.attr.attr_security.SSLCipherSuites, "ALL") == 0) {
+    const char* ssl_sm_ciphers_list[] = {
+        "ECDHE-SM4-SM3",
+        "ECDHE-SM4-GCM-SM3",
+        "ECC-SM4-SM3",
+        "ECC-SM4-GCM-SM3",
+        NULL
+    };
+
+    if(!g_instance.attr.attr_security.EnableSSL || 
+        strcasecmp(g_instance.attr.attr_security.SSLCipherSuites, "ALL") == 0) {
         return;
     }
-
-    sslciphers = pstrdup(g_instance.attr.attr_security.SSLCipherSuites);
-    if (sslciphers == NULL) {
-        ereport(ERROR, (errmsg("sslciphers can not be null")));
-    } else {
-        token = strtok_r(sslciphers, ";", &ptok);
-        while (token != NULL) {
-            for (int j = sm_index; ssl_ciphers_list[j] != NULL; j++) {
-                if (strlen(ssl_ciphers_list[j]) == strlen(token) &&
-                    strncmp(ssl_ciphers_list[j], token, strlen(token)) == 0) {
-                    find_sm_ciphers_in_list = true;
-                    break;
-                }
-            }
-            if(find_sm_ciphers_in_list)
-                break;
-            token = strtok_r(NULL, ";", &ptok);
+    if(g_instance.attr.attr_security.ssl_use_tlcp) {
+        if(!CheckSSLConflictInternal(ssl_sm_ciphers_list)) {  
+            ereport(ERROR, (errmsg("ssl_ciphers is not matched with ssl_use_tlcp"),
+                    errhint("Please add at last one cipher suite that supports TLCP in ssl_ciphers when ssl&ssl_use_tlcp is on")));
         }
-        if (!find_sm_ciphers_in_list) {
-                pfree(sslciphers);
-                ereport(ERROR, (errmsg("SM cipher suite is not included in ssl_ciphers"),
-                        errhint("Please add sm cipher suite in ssl_ciphers when ssl&ssl_use_tlcp is on")));
+    } else {
+        if(!CheckSSLConflictInternal(ssl_ciphers_list)) {
+            ereport(ERROR, (errmsg("ssl_ciphers is not matched with ssl_use_tlcp"),
+                    errhint("Please add at last one cipher suite that supports TLS in ssl_ciphers when ssl_use_tlcp is off")));
         }
     }
 }
-#endif 
+#endif
 
 static void CheckGUCConflictsMaxConnections()
 {