From b9f4c652202eadefc2b5267d139545f5d6878043 Mon Sep 17 00:00:00 2001
From: AlexPeshkoff
Date: Wed, 15 Jan 2020 18:02:03 +0300
Subject: [PATCH] Added various ways to get infomation about wire crypt plugin name: variable in rdb$get_context(), field in mon$attachments and tag in Attachment::getInfo()
---
 doc/README.monitoring_tables | 1 +
 doc/sql.extensions/README.context_variables2 | 3 +++
 doc/sql.extensions/README.isc_info_xxx | 14 +++++++++++++-
 src/include/firebird/impl/consts_pub.h | 11 +++++++++--
 src/include/firebird/impl/inf_pub.h | 2 ++
 src/include/gen/ids.h | 1 +
 src/isql/show.epp | 6 ++++++
 src/jrd/Attachment.cpp | 1 +
 src/jrd/Attachment.h | 1 +
 src/jrd/Monitoring.cpp | 2 ++
 src/jrd/SysFunction.cpp | 8 ++++++++
 src/jrd/fields.h | 3 ++-
 src/jrd/inf.cpp | 13 +++++++++++++
 src/jrd/jrd.cpp | 5 +++++
 src/jrd/names.h | 1 +
 src/jrd/relations.h | 1 +
 src/remote/remote.h | 5 +++--
 src/remote/server/server.cpp | 4 ++++
 18 files changed, 76 insertions(+), 6 deletions(-)
diff --git a/doc/README.monitoring_tables b/doc/README.monitoring_tables
index b6918f661d..ea5477651c 100644
--- a/doc/README.monitoring_tables
+++ b/doc/README.monitoring_tables
@@ -114,6 +114,7 @@ Monitoring tables
 - MON$STATEMENT_TIMEOUT (statement timeout)
 - MON$WIRE_COMPRESSED (wire compression enabled/disabled)
 - MON$WIRE_ENCRYPTED (wire encryption enabled/disabled)
+ - MON$WIRE_CRYPT_PLUGIN (name of wire encryption plugin)
 MON$TRANSACTIONS (started transactions)
 - MON$TRANSACTION_ID (transaction ID)
diff --git a/doc/sql.extensions/README.context_variables2 b/doc/sql.extensions/README.context_variables2
index bac0d8ec92..1d6ef72ab9 100644
--- a/doc/sql.extensions/README.context_variables2
+++ b/doc/sql.extensions/README.context_variables2
@@ -64,6 +64,9 @@ Usage: WIRE_ENCRYPTED | Encryption status of current connection. | Value is the same as for compression status above. | + WIRE_CRYPT_PLUGIN | If connection is encrypted - returns name of current plugin, + | otherwise NULL. + | CLIENT_ADDRESS | The wire protocol address and port number of remote client | represented as string. Value is IP address concatenated with | port number using the '/' separator character. Value is diff --git a/doc/sql.extensions/README.isc_info_xxx b/doc/sql.extensions/README.isc_info_xxx index 7682f29597..e6aa9d0740 100644 --- a/doc/sql.extensions/README.isc_info_xxx +++ b/doc/sql.extensions/README.isc_info_xxx @@ -32,10 +32,22 @@ New items for isc_database_info See also CORE-2054. +4. Database encryption information: + fb_info_crypt_state - flags describing encryption state: + fb_info_crypt_encrypted - database is encrypted, + fb_info_crypt_process - encryption/decryption process is not complete; + fb_info_crypt_plugin - name of database crypt plugin; + fb_info_crypt_key - name of used database crypt key. + +5. Connection information: + fb_info_conn_flags - flags describing connection state: + isc_dpb_addr_flag_conn_compressed - compression is used for connection, + isc_dpb_addr_flag_conn_encrypted - connection is encrypted; + fb_info_wire_crypt - name of connection encryption plugin. New items for isc_transaction_info: - + 1. isc_info_tra_oldest_interesting : return number of oldest interesting transaction when current transaction started. For snapshot transactions this is also the diff --git a/src/include/firebird/impl/consts_pub.h b/src/include/firebird/impl/consts_pub.h index fc6f912f92..9ba14d70f9 100644 --- a/src/include/firebird/impl/consts_pub.h +++ b/src/include/firebird/impl/consts_pub.h @@ -153,8 +153,9 @@ ::= isc_dpb_addr_protocol | - isc_dpb_addr_endpoint - isc_dpb_addr_flags + isc_dpb_addr_endpoint | + isc_dpb_addr_flags | + isc_dpb_addr_crypt ::= "TCPv4" | 
@@ -163,6 +164,11 @@ "WNET" | .... + ::= + "Arc4" | + "ChaCha" | + .... + ::= | // such as "172.20.1.1" | // such as "2001:0:13FF:09FF::1" @@ -178,6 +184,7 @@ #define isc_dpb_addr_protocol 1 #define isc_dpb_addr_endpoint 2 #define isc_dpb_addr_flags 3 +#define isc_dpb_addr_crypt 4 /* possible addr flags */ #define isc_dpb_addr_flag_conn_compressed 0x01 diff --git a/src/include/firebird/impl/inf_pub.h b/src/include/firebird/impl/inf_pub.h index ea4d31eb9d..003ef9a68d 100644 --- a/src/include/firebird/impl/inf_pub.h +++ b/src/include/firebird/impl/inf_pub.h @@ -160,6 +160,8 @@ enum db_info_types fb_info_creation_timestamp_tz = 139, + fb_info_wire_crypt = 140, + isc_info_db_last_value /* Leave this LAST! */ }; diff --git a/src/include/gen/ids.h b/src/include/gen/ids.h index 9c3beca6b8..31cf55039c 100644 --- a/src/include/gen/ids.h +++ b/src/include/gen/ids.h @@ -524,6 +524,7 @@ const USHORT f_mon_att_stmt_timeout = 22; const USHORT f_mon_att_wire_compressed = 23; const USHORT f_mon_att_wire_encrypted = 24; + const USHORT f_mon_att_remote_crypt = 25; // Relation 35 (MON$TRANSACTIONS) diff --git a/src/isql/show.epp b/src/isql/show.epp index b36ebeb6ab..cdd23a5ea8 100644 --- a/src/isql/show.epp +++ b/src/isql/show.epp @@ -251,6 +251,7 @@ static const UCHAR db_items[] = isc_info_db_id, #endif fb_info_crypt_state, + fb_info_wire_crypt, isc_info_end }; @@ -554,6 +555,11 @@ bool SHOW_dbb_parameters(Firebird::IAttachment* db_handle, (SLONG) isqlGlob.major_ods, value_out, separator); break; + case fb_info_wire_crypt: + if (d) + sprintf (info, "Wire crypt plugin: %.*s%s", length, d, separator); + break; + #ifdef DEV_BUILD case isc_info_db_id: { diff --git a/src/jrd/Attachment.cpp b/src/jrd/Attachment.cpp index b4d32104f0..b380b6e748 100644 --- a/src/jrd/Attachment.cpp +++ b/src/jrd/Attachment.cpp 
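Review bot: The new `fb_info_wire_crypt` case in SHOW_dbb_parameters formats a server-supplied item into `info` with an unbounded `sprintf`; `length` is read from the info response (up to a USHORT) and `info` is declared outside the hunk, so if it is a fixed-size array a long value from a misbehaving server overruns it. A bounded write costs one argument: `snprintf(info, sizeof(info), "Wire crypt plugin: %.*s%s", length, d, separator);` (or whatever bounded helper the neighbouring cases use). Separately, the server side (inf.cpp in this patch) emits the item even when the attachment has no wire crypt plugin, so `d` presumably still points at an empty value and the client prints the label with nothing after it; `if (d && length)` would keep the line off for unencrypted connections. SHOW_dbb_parameters begins and ends outside the hunk.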
@@ -221,6 +221,7 @@ Jrd::Attachment::Attachment(MemoryPool* pool, Database* dbb)
 att_context_vars(*pool),
 ddlTriggersContext(*pool),
 att_network_protocol(*pool),
+ att_remote_crypt(*pool),
 att_remote_address(*pool),
 att_remote_process(*pool),
 att_client_version(*pool),
diff --git a/src/jrd/Attachment.h b/src/jrd/Attachment.h
index 847e45c00b..93769141f7 100644
--- a/src/jrd/Attachment.h
+++ b/src/jrd/Attachment.h
@@ -440,6 +440,7 @@ public:
 Firebird::StringMap att_context_vars; // Context variables for the connection
 Firebird::Stack ddlTriggersContext; // Context variables for DDL trigger event
 Firebird::string att_network_protocol; // Network protocol used by client for connection
+ Firebird::PathName att_remote_crypt; // Name of wire crypt plugin (if any)
 Firebird::string att_remote_address; // Protocol-specific address of remote client
 SLONG att_remote_pid; // Process id of remote client
 ULONG att_remote_flags; // Flags specific for server/client link
diff --git a/src/jrd/Monitoring.cpp b/src/jrd/Monitoring.cpp
index 7a9986cf9a..49a02453e9 100644
--- a/src/jrd/Monitoring.cpp
+++ b/src/jrd/Monitoring.cpp
@@ -978,6 +978,8 @@ void Monitoring::putAttachment(SnapshotData::DumpRecord& record, const Jrd::Atta
 record.storeString(f_mon_att_client_version, attachment->att_client_version);
 // remote protocol version
 record.storeString(f_mon_att_remote_version, attachment->att_remote_protocol);
+ // wire encryption plugin
+ record.storeString(f_mon_att_remote_crypt, attachment->att_remote_crypt);
 // remote host name
 record.storeString(f_mon_att_remote_host, attachment->att_remote_host);
 // OS user name
diff --git a/src/jrd/SysFunction.cpp b/src/jrd/SysFunction.cpp
index 9273c840a1..be5e09b45d 100644
--- a/src/jrd/SysFunction.cpp
+++ b/src/jrd/SysFunction.cpp
@@ -335,6 +335,7 @@ const char NETWORK_PROTOCOL_NAME[] = "NETWORK_PROTOCOL", WIRE_COMPRESSED_NAME[] = "WIRE_COMPRESSED", WIRE_ENCRYPTED_NAME[] = "WIRE_ENCRYPTED", + WIRE_CRYPT_PLUGIN_NAME[] = "WIRE_CRYPT_PLUGIN", CLIENT_ADDRESS_NAME[] = "CLIENT_ADDRESS", CLIENT_HOST_NAME[] = "CLIENT_HOST", CLIENT_PID_NAME[] = "CLIENT_PID", @@ -4048,6 +4049,13 @@ dsc* evlGetContext(thread_db* tdbb, const SysFunction*, const NestValueArray& ar resultStr = (attachment->att_remote_flags & isc_dpb_addr_flag_conn_encrypted) ? TRUE_VALUE : FALSE_VALUE; } + else if (nameStr == WIRE_CRYPT_PLUGIN_NAME) + { + if (attachment->att_remote_crypt.isEmpty()) + return NULL; + + resultStr = attachment->att_remote_crypt.ToString(); + } else if (nameStr == CLIENT_ADDRESS_NAME) { if (attachment->att_remote_address.isEmpty()) diff --git a/src/jrd/fields.h b/src/jrd/fields.h index 36f75f9497..aa60900fa4 100644 --- a/src/jrd/fields.h +++ b/src/jrd/fields.h @@ -208,4 +208,5 @@ FIELD(fld_tz_db_version , nam_tz_db_version , dtype_varying , 10 , dsc_text_type_ascii , NULL , true) - FIELD(fld_crypt_state , nam_crypt_state , dtype_short , sizeof(SSHORT) , 0 , NULL , true) \ No newline at end of file + FIELD(fld_crypt_state , nam_crypt_state , dtype_short , sizeof(SSHORT) , 0 , NULL , true) + FIELD(fld_remote_crypt , nam_wire_crypt_plugin, dtype_varying, MAX_SQL_IDENTIFIER_LEN , dsc_text_type_metadata , NULL , true) diff --git a/src/jrd/inf.cpp b/src/jrd/inf.cpp index 27babdf081..38b1a5a742 100644 --- a/src/jrd/inf.cpp +++ b/src/jrd/inf.cpp 
@@ -822,6 +822,19 @@ void INF_database_info(thread_db* tdbb,
 length = INF_convert(tdbb->getAttachment()->att_remote_flags, buffer);
 break;
+ case fb_info_wire_crypt:
+ {
+ const PathName& nm = tdbb->getAttachment()->att_remote_crypt;
+ if (!(info = INF_put_item(item, static_cast(nm.length()), nm.c_str(), info, end)))
+ {
+ if (transaction)
+ TRA_commit(tdbb, transaction, false);
+
+ return;
+ }
+ }
+ continue;
+
 case fb_info_statement_timeout_db:
 length = INF_convert(dbb->dbb_config->getStatementTimeout(), buffer);
 break;
diff --git a/src/jrd/jrd.cpp b/src/jrd/jrd.cpp
index 0a53d15f38..bc82593032 100644
--- a/src/jrd/jrd.cpp
+++ b/src/jrd/jrd.cpp
@@ -1065,6 +1065,7 @@ namespace Jrd
 PathName dpb_working_directory;
 string dpb_set_db_charset;
 string dpb_network_protocol;
+ PathName dpb_remote_crypt;
 string dpb_remote_address;
 string dpb_remote_host;
 string dpb_remote_os_user;
@@ -6970,6 +6971,9 @@ void DatabaseOptions::get(const UCHAR* dpb, USHORT dpb_length, bool& invalid_cli
 case isc_dpb_addr_flags:
 dpb_remote_flags = address.getInt();
 break;
+ case isc_dpb_addr_crypt:
+ address.getPath(dpb_remote_crypt);
+ break;
 default:
 break;
 }
@@ -7275,6 +7279,7 @@ static JAttachment* create_attachment(const PathName& alias_name,
 attachment->att_filename = alias_name;
 attachment->att_network_protocol = options.dpb_network_protocol;
+ attachment->att_remote_crypt = options.dpb_remote_crypt;
 attachment->att_remote_address = options.dpb_remote_address;
 attachment->att_remote_pid = options.dpb_remote_pid;
 attachment->att_remote_flags = options.dpb_remote_flags;
diff --git a/src/jrd/names.h b/src/jrd/names.h
index 05b405cd47..6ebe4528c0 100644
--- a/src/jrd/names.h
+++ b/src/jrd/names.h
@@ -419,6 +419,7 @@ NAME("MON$STATEMENT_TIMER", nam_stmt_timer)
 NAME("MON$WIRE_COMPRESSED", nam_wire_compressed)
 NAME("MON$WIRE_ENCRYPTED", nam_wire_encrypted)
+NAME("MON$WIRE_CRYPT_PLUGIN", nam_wire_crypt_plugin)
 NAME("RDB$TIME_ZONES", nam_time_zones)
 NAME("RDB$TIME_ZONE_ID", nam_tz_id)
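Review bot: The `fb_info_wire_crypt` item in INF_database_info is put unconditionally, so an unencrypted attachment answers the tag with a zero-length value, whereas the `WIRE_CRYPT_PLUGIN` context variable added to SysFunction.cpp in the same patch returns NULL for that state; the two interfaces should at least document the difference. The README.isc_info_xxx entry added here could read `fb_info_wire_crypt - name of connection encryption plugin (empty if the connection is not encrypted)`, and a one-line comment above the new case, `// empty when no wire crypt plugin is installed for this attachment`, would tell the next maintainer the empty value is intended. The commit-and-return sequence in the failure branch appears to copy the pattern of the other INF_put_item callers in this function, which lies outside the hunk.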
diff --git a/src/jrd/relations.h b/src/jrd/relations.h index 37ce864eb8..ceb93f0c6c 100644 --- a/src/jrd/relations.h +++ b/src/jrd/relations.h @@ -523,6 +523,7 @@ RELATION(nam_mon_attachments, rel_mon_attachments, ODS_11_1, rel_virtual) FIELD(f_mon_att_stmt_timeout, nam_stmt_timeout, fld_stmt_timeout, 0, ODS_13_0) FIELD(f_mon_att_wire_compressed, nam_wire_compressed, fld_bool, 0, ODS_13_0) FIELD(f_mon_att_wire_encrypted, nam_wire_encrypted, fld_bool, 0, ODS_13_0) + FIELD(f_mon_att_remote_crypt, nam_wire_crypt_plugin, fld_remote_crypt, 0, ODS_12_0) END_RELATION // Relation 35 (MON$TRANSACTIONS) diff --git a/src/remote/remote.h b/src/remote/remote.h index 6e575106fb..8ffa2f8ced 100644 --- a/src/remote/remote.h +++ b/src/remote/remote.h @@ -1093,6 +1093,7 @@ struct rem_port : public Firebird::GlobalStorage, public Firebird::RefCounted Firebird::IWireCryptPlugin* port_crypt_plugin; // plugin used by port, when not NULL - crypts wire data Firebird::ICryptKeyCallback* port_client_crypt_callback; // client callback to transfer database crypt key ServerCallbackBase* port_server_crypt_callback; // server callback to transfer database crypt key + Firebird::PathName port_crypt_name; // name of actual wire crypt plugin Firebird::RefPtr port_replicator; @@ -1138,8 +1139,8 @@ public: port_srv_auth(NULL), port_srv_auth_block(NULL), port_crypt_keys(getPool()), port_crypt_complete(false), port_crypt_level(WIRECRYPT_REQUIRED), port_known_server_keys(getPool()), port_crypt_plugin(NULL), - port_client_crypt_callback(NULL), port_server_crypt_callback(NULL), port_replicator(NULL), - port_buffer(FB_NEW_POOL(getPool()) UCHAR[rpt]), + port_client_crypt_callback(NULL), port_server_crypt_callback(NULL), port_crypt_name(getPool()), + port_replicator(NULL), port_buffer(FB_NEW_POOL(getPool()) UCHAR[rpt]), port_snd_packets(0), port_rcv_packets(0), port_snd_bytes(0), port_rcv_bytes(0) { addRef(); 
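Review bot: The new `f_mon_att_remote_crypt` field in relations.h is tagged `ODS_12_0`, while the adjacent `f_mon_att_wire_compressed` and `f_mon_att_wire_encrypted` fields it sits next to are `ODS_13_0`; a column introduced in this release that claims an older ODS reads like a copy-paste slip, and if the ODS tag gates when the column is exposed it would be advertised for databases that never had it. Suggest `FIELD(f_mon_att_remote_crypt, nam_wire_crypt_plugin, fld_remote_crypt, 0, ODS_13_0)`. It is also worth confirming that `fld_remote_crypt`, declared in fields.h in this patch as varying `MAX_SQL_IDENTIFIER_LEN`, is wide enough for every plugin name `Monitoring::putAttachment` stores into it, since the source value is a `PathName` rather than an identifier.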
diff --git a/src/remote/server/server.cpp b/src/remote/server/server.cpp
index 2a9c1a3825..425deb35e5 100644
--- a/src/remote/server/server.cpp
+++ b/src/remote/server/server.cpp
@@ -2328,7 +2328,10 @@ static void addClumplets(ClumpletWriter* dpb_buffer,
 flags |= isc_dpb_addr_flag_conn_compressed;
 #endif
 if (port->port_crypt_plugin)
+ {
 flags |= isc_dpb_addr_flag_conn_encrypted;
+ address_record.insertString(isc_dpb_addr_crypt, port->port_crypt_name);
+ }
 if (flags)
 address_record.insertInt(isc_dpb_addr_flags, flags);
@@ -6175,6 +6178,7 @@ void rem_port::start_crypt(P_CRYPT * crypt, PACKET* sendL)
 port_crypt_plugin = cp.plugin();
 port_crypt_plugin->addRef();
 port_crypt_complete = true;
+ port_crypt_name = cp.name();
 send_response(sendL, 0, 0, &st, false);
 WIRECRYPT_DEBUG(fprintf(stderr, "Srv: Installed cipher %s\n", cp.name()));
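Review bot: `addClumplets` now sends `port_crypt_name` whenever `port_crypt_plugin` is non-null, but the only assignment of `port_crypt_name` in this patch is the one in `rem_port::start_crypt`; if any other path installs `port_crypt_plugin` (none is visible here), the attachment would be recorded as `isc_dpb_addr_flag_conn_encrypted` with an empty plugin name and `MON$WIRE_CRYPT_PLUGIN` would show blank for an encrypted connection. Tying the two together is cheap: in `start_crypt` move `port_crypt_name = cp.name();` up to directly after `port_crypt_plugin = cp.plugin();`, and document the invariant on the member in remote.h, `// name of actual wire crypt plugin; kept in step with port_crypt_plugin`. Both `addClumplets` and `start_crypt` begin outside their hunks.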