Commit 39f0108

Fix sslkeylogfile error handling logging

When sslkeylogfile has been set but the file fails to open in an otherwise successful connection, the log entry added to the conn object is never printed. Instead print the error on stderr for increased visibility. This is a debugging tool so using stderr for logging is appropriate. Also while there, remove the umask call in the callback as it's not useful.

Issues noted by Peter Eisentraut in post-commit review, backpatch down to 18 when support for sslkeylogfile was added

Author: Daniel Gustafsson <daniel@yesql.se>
Reported-by: Peter Eisentraut <peter@eisentraut.org>
Reviewed-by: Peter Eisentraut <peter@eisentraut.org>
Discussion: https://postgr.es/m/70450bee-cfaa-48ce-8980-fc7efcfebb03@eisentraut.org
Backpatch-through: 18
1 parent 36026b0 commit 39f0108

File tree

2 files changed

+19
-8
lines changed

src/interfaces/libpq/fe-secure-openssl.c

Lines changed: 12 additions & 8 deletions
@@ -693,34 +693,35 @@ static unsigned char alpn_protos[] = PG_ALPN_PROTOCOL_VECTOR;
693693
* purposes. The file will be written using the NSS keylog format. LibreSSL
694694
* 3.5 introduced stub function to set the callback for OpenSSL compatibility
695695
* but the callback is never invoked.
696+
*
697+
* Error messages added to the connection object wont be printed anywhere if
698+
* the connection is successful. Errors in processing keylogging are printed
699+
* to stderr to overcome this.
696700
*/
697701
staticvoid
698702
SSL_CTX_keylog_cb(constSSL*ssl,constchar*line)
699703
{
700704
intfd;
701-
mode_told_umask;
702705
ssize_trc;
703706
PGconn*conn=SSL_get_app_data(ssl);
704707

705708
if (conn==NULL)
706709
return;
707710

708-
old_umask=umask(077);
709711
fd=open(conn->sslkeylogfile,O_WRONLY |O_APPEND |O_CREAT,0600);
710-
umask(old_umask);
711712

712713
if (fd==-1)
713714
{
714-
libpq_append_conn_error(conn,"could not open SSL key logging file \"%s\": %s",
715-
conn->sslkeylogfile,pg_strerror(errno));
715+
fprintf(stderr,libpq_gettext("WARNING:could not open SSL key logging file \"%s\": %m\n"),
716+
conn->sslkeylogfile);
716717
return;
717718
}
718719

719720
/* line is guaranteed by OpenSSL to be NUL terminated */
720721
rc=write(fd,line,strlen(line));
721722
if (rc<0)
722-
libpq_append_conn_error(conn,"could not write to SSL key logging file \"%s\": %s",
723-
conn->sslkeylogfile,pg_strerror(errno));
723+
fprintf(stderr,libpq_gettext("WARNING:could not write to SSL key logging file \"%s\": %m\n"),
724+
conn->sslkeylogfile);
724725
else
725726
rc=write(fd,"\n",1);
726727
(void)rc;/* silence compiler warnings */
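Review bot: dropping the umask(077) wrapper is safe for files this callback creates, since open() still passes O_CREAT with mode 0600 and a umask can only tighten that, but the mode argument is ignored when the file already exists, so a pre-existing key log with wider permissions is appended to as-is; if that matters, fstat() the descriptor after open() or state the expectation in the new comment block. Two smaller points in the same hunk: the added comment reads "wont", which should be "won't", and both fprintf() calls switch from pg_strerror(errno) to %m, which is only correct if fprintf here resolves to PostgreSQL's own printf replacement rather than the platform stdio, worth confirming on the backpatched branch. Note also that because open() runs inside the callback, an unopenable path now yields one stderr warning per keylog line rather than one per connection.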
@@ -1044,6 +1045,10 @@ initialize_SSL(PGconn *conn)
10441045
}
10451046
conn->ssl_in_use= true;
10461047

1048+
/*
1049+
* If SSL key logging is requested, set up the callback if a compatible
1050+
* version of OpenSSL is used and libpq was compiled to support it.
1051+
*/
10471052
if (conn->sslkeylogfile&&strlen(conn->sslkeylogfile)>0)
10481053
{
10491054
#ifdefHAVE_SSL_CTX_SET_KEYLOG_CALLBACK
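Review bot: the new comment promises the callback is set up "if a compatible version of OpenSSL is used and libpq was compiled to support it", but the only guard visible is the compile-time #ifdef HAVE_SSL_CTX_SET_KEYLOG_CALLBACK; the runtime case described in the earlier comment, LibreSSL 3.5+ shipping a stub that never invokes the callback, passes this check and silently produces an empty key log with no warning. Consider saying so in the comment, or printing a stderr note when the callback cannot be installed, since a user who requested sslkeylogfile and got nothing otherwise cannot tell the two causes apart.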
@@ -1057,7 +1062,6 @@ initialize_SSL(PGconn *conn)
10571062
#endif
10581063
}
10591064

1060-
10611065
/*
10621066
* SSL contexts are reference counted by OpenSSL. We can free it as soon
10631067
* as we have created the SSL object, and it will stick around for as long
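Review bot: unrelated whitespace change: the only edit in this hunk removes a stray blank line after the #endif block, and the commit message's "while there" sentence covers only the umask removal, so either mention it there or leave it out of a backpatched commit to keep the diff minimal.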

src/test/ssl/t/001_ssltests.pl

Lines changed: 7 additions & 0 deletions
@@ -173,6 +173,13 @@ sub switch_server_cert
173173
ok( (@status =stat("$tempdir/key.txt")),
174174
"keylog file exists and returned status");
175175
ok(@status && !($status[2] & 0006),"keylog file is not world readable");
176+
177+
# Connect should work with an incorrect sslkeylogfile, with the error to
178+
# open the logfile printed to stderr
179+
$node->connect_ok(
180+
"$common_connstr sslrootcert=ssl/root+server_ca.crt sslkeylogfile=$tempdir/invalid/key.txt sslmode=require",
181+
"connect with server root cert and incorrect sslkeylogfile path",
182+
expected_stderr=>qr/could not open/);
176183
}
177184

178185
# The server should not accept non-SSL connections.
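Review bot: the expected_stderr pattern qr/could not open/ is loose enough to match any "could not open" message libpq or the test harness might emit; anchor it to the new message, e.g. qr/could not open SSL key logging file/, so the test proves the warning came from the keylog callback and not elsewhere. The test also covers only the open() failure, via the non-existent $tempdir/invalid directory; the write() failure path that the same commit redirects to stderr has no coverage.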
