diff --git a/src/gausskernel/process/postmaster/postmaster.cpp b/src/gausskernel/process/postmaster/postmaster.cpp index 162c2cc80..fa55fb5c4 100644 --- a/src/gausskernel/process/postmaster/postmaster.cpp +++ b/src/gausskernel/process/postmaster/postmaster.cpp @@ -3348,13 +3348,35 @@ static void CheckRecoveryParaConflict() } #if ((defined(USE_SSL)) && (defined(USE_TASSL))) +static bool CheckSSLConflictInternal(const char**ssl_ciphers_list) +{ + char* token = NULL; + bool find_ciphers_in_list = false; + char* ptok = NULL; + char *sslciphers = pstrdup(g_instance.attr.attr_security.SSLCipherSuites); + + if (sslciphers == NULL || ssl_ciphers_list == NULL) { + ereport(ERROR, (errmsg("sslciphers or ssl_ciphers_list can not be null"))); + } else { + token = strtok_r(sslciphers, ";", &ptok); + while (token != NULL) { + for (int cnt = 0; ssl_ciphers_list[cnt] != NULL; cnt++) { + if (strlen(ssl_ciphers_list[cnt]) == strlen(token) && + strncmp(ssl_ciphers_list[cnt], token, strlen(token)) == 0) { + find_ciphers_in_list = true; + break; + } + } + if(find_ciphers_in_list) + break; + token = strtok_r(NULL, ";", &ptok); + } + pfree(sslciphers); + } + return find_ciphers_in_list; +} static void CheckSSLConflict() { - char *sslciphers = NULL; - char* token = NULL; - bool find_sm_ciphers_in_list = false; - int sm_index = 6; - char* ptok = NULL; const char* ssl_ciphers_list[] = { "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384", @@ -3362,41 +3384,33 @@ static void CheckSSLConflict() "ECDHE-ECDSA-AES256-GCM-SHA384", "DHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES256-GCM-SHA384", - "ECDHE-SM4-SM3", //6 - "ECDHE-SM4-GCM-SM3", //7 - "ECC-SM4-SM3",//8 - "ECC-SM4-GCM-SM3"//9 + NULL }; - if(!g_instance.attr.attr_security.ssl_use_tlcp || !g_instance.attr.attr_security.EnableSSL - || strcasecmp(g_instance.attr.attr_security.SSLCipherSuites, "ALL") == 0) { + const char* ssl_sm_ciphers_list[] = { + "ECDHE-SM4-SM3", + "ECDHE-SM4-GCM-SM3", + "ECC-SM4-SM3", + "ECC-SM4-GCM-SM3", + NULL + }; + + if(!g_instance.attr.attr_security.EnableSSL || + strcasecmp(g_instance.attr.attr_security.SSLCipherSuites, "ALL") == 0) { return; } - - sslciphers = pstrdup(g_instance.attr.attr_security.SSLCipherSuites); - if (sslciphers == NULL) { - ereport(ERROR, (errmsg("sslciphers can not be null"))); - } else { - token = strtok_r(sslciphers, ";", &ptok); - while (token != NULL) { - for (int j = sm_index; ssl_ciphers_list[j] != NULL; j++) { - if (strlen(ssl_ciphers_list[j]) == strlen(token) && - strncmp(ssl_ciphers_list[j], token, strlen(token)) == 0) { - find_sm_ciphers_in_list = true; - break; - } - } - if(find_sm_ciphers_in_list) - break; - token = strtok_r(NULL, ";", &ptok); + if(g_instance.attr.attr_security.ssl_use_tlcp) { + if(!CheckSSLConflictInternal(ssl_sm_ciphers_list)) { + ereport(ERROR, (errmsg("ssl_ciphers is not matched with ssl_use_tlcp"), + errhint("Please add at last one cipher suite that supports TLCP in ssl_ciphers when ssl&ssl_use_tlcp is on"))); } - if (!find_sm_ciphers_in_list) { - pfree(sslciphers); - ereport(ERROR, (errmsg("SM cipher suite is not included in ssl_ciphers"), - errhint("Please add sm cipher suite in ssl_ciphers when ssl&ssl_use_tlcp is on"))); + } else { + if(!CheckSSLConflictInternal(ssl_ciphers_list)) { + ereport(ERROR, (errmsg("ssl_ciphers is not matched with ssl_use_tlcp"), + errhint("Please add at last one cipher suite that supports TLS in ssl_ciphers when ssl_use_tlcp is off"))); } } } -#endif +#endif static void CheckGUCConflictsMaxConnections() {