Commit 4b12ab1
Avoid corner-case memory leak in SSL parameter processing.
After reading the root cert list from the ssl_ca_file, immediately install it as client CA list of the new SSL context. That gives the SSL context ownership of the list, so that SSL_CTX_free will free it. This avoids a permanent memory leak if we fail further down in be_tls_init(), which could happen if bogus CRL data is offered.

The leak could only amount to something if the CRL parameters get broken after server start (else we'd just quit) and then the server is SIGHUP'd many times without fixing the CRL data. That's rather unlikely perhaps, but it seems worth fixing, if only because the code is clearer this way.

While we're here, add some comments about the memory management aspects of this logic.

Noted by Jelte Fennema and independently by Andres Freund.

Back-patch to v10; before commit de41869 it doesn't matter, since we'd not re-execute this code during SIGHUP.

Discussion: https://postgr.es/m/16160-18367e56e9a28264@postgresql.org

1 parent 4078ce6 commit 4b12ab1

File tree

1 file changed

+27
-22
lines changed


src/backend/libpq/be-secure-openssl.c

Lines changed: 27 additions & 22 deletions
@@ -81,7 +81,6 @@ static const char *ssl_protocol_version_to_string(int v);
8181
int
8282
be_tls_init(boolisServerStart)
8383
{
84-
STACK_OF(X509_NAME)*root_cert_list=NULL;
8584
SSL_CTX*context;
8685
intssl_ver_min=-1;
8786
intssl_ver_max=-1;
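Review bot: Dropping the function-scope `STACK_OF(X509_NAME) *root_cert_list = NULL;` declaration addresses the root cause of the leak: the list was held at function scope but nothing on the `error:` path ever freed it, so the NULL initializer only gave the appearance of cleanup. Confirm that no other use of `root_cert_list` remains outside the `if (ssl_ca_file[0])` block; a compile error would catch one, but that is worth checking before back-patching to branches whose surrounding code differs.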
@@ -100,6 +99,10 @@ be_tls_init(bool isServerStart)
10099
}
101100

102101
/*
102+
* Create a new SSL context into which we'll load all the configuration
103+
* settings. If we fail partway through, we can avoid memory leakage by
104+
* freeing this context; we don't install it as active until the end.
105+
*
103106
* We use SSLv23_method() because it can negotiate use of the highest
104107
* mutually supported protocol version, while alternatives like
105108
* TLSv1_2_method() permit only one specific version. Note that we don't
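Review bot: The new comment text ("we can avoid memory leakage by freeing this context") is only true for objects the context owns; state that invariant explicitly, for example "anything allocated separately must be attached to the context, or freed, before any `goto error`", since that is precisely the rule the old `root_cert_list` handling violated and the thing a future editor of this function needs to know.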
@@ -272,6 +275,8 @@ be_tls_init(bool isServerStart)
272275
*/
273276
if (ssl_ca_file[0])
274277
{
278+
STACK_OF(X509_NAME)*root_cert_list;
279+
275280
if (SSL_CTX_load_verify_locations(context,ssl_ca_file,NULL)!=1||
276281
(root_cert_list=SSL_load_client_CA_file(ssl_ca_file))==NULL)
277282
{
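Review bot: The block-scoped `STACK_OF(X509_NAME) *root_cert_list;` is left uninitialized; this is safe because the `||` in the following `if` short-circuits when `SSL_CTX_load_verify_locations` fails and the only later read is after the combined check succeeds, but an explicit `= NULL` costs nothing and keeps static analyzers quiet. Note also that when `SSL_load_client_CA_file` returns NULL there is nothing to free, so the `goto error` taken from inside this condition cannot itself leak the list.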
@@ -281,6 +286,25 @@ be_tls_init(bool isServerStart)
281286
ssl_ca_file,SSLerrmessage(ERR_get_error()))));
282287
gotoerror;
283288
}
289+
290+
/*
291+
* Tell OpenSSL to send the list of root certs we trust to clients in
292+
* CertificateRequests. This lets a client with a keystore select the
293+
* appropriate client certificate to send to us. Also, this ensures
294+
* that the SSL context will "own" the root_cert_list and remember to
295+
* free it when no longer needed.
296+
*/
297+
SSL_CTX_set_client_CA_list(context,root_cert_list);
298+
299+
/*
300+
* Always ask for SSL client cert, but don't fail if it's not
301+
* presented. We might fail such connections later, depending on what
302+
* we find in pg_hba.conf.
303+
*/
304+
SSL_CTX_set_verify(context,
305+
(SSL_VERIFY_PEER |
306+
SSL_VERIFY_CLIENT_ONCE),
307+
verify_cb);
284308
}
285309

286310
/*----------
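Review bot: Calling `SSL_CTX_set_client_CA_list(context, root_cert_list)` immediately after the load succeeds is what closes the leak, and the added comment correctly records that the context now owns the list; add that the caller must therefore not `sk_X509_NAME_pop_free` it afterwards, so a later reader does not try to "fix" a perceived missing free. Moving `SSL_CTX_set_verify` up into the same block is behaviour-preserving, since the verify mode and the CA list are independent settings on the context, and the retained comment still documents that `SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE` without `SSL_VERIFY_FAIL_IF_NO_PEER_CERT` means a connection with no client cert is accepted here and enforced only later through pg_hba.conf.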
@@ -297,7 +321,7 @@ be_tls_init(bool isServerStart)
297321
/* Set the flags to check against the complete CRL chain */
298322
if (X509_STORE_load_locations(cvstore,
299323
ssl_crl_file[0] ?ssl_crl_file :NULL,
300-
ssl_crl_dir[0]?ssl_crl_dir :NULL)
324+
ssl_crl_dir[0] ?ssl_crl_dir :NULL)
301325
==1)
302326
{
303327
X509_STORE_set_flags(cvstore,
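Review bot: This hunk is a whitespace-only change (a space added before `?` in `ssl_crl_dir[0] ? ssl_crl_dir : NULL`) unrelated to the leak fix; it is harmless, but keeping cosmetic edits out of a back-patched bug fix makes the back-patches smaller and easier to apply and review.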
@@ -331,26 +355,6 @@ be_tls_init(bool isServerStart)
331355
}
332356
}
333357

334-
if (ssl_ca_file[0])
335-
{
336-
/*
337-
* Always ask for SSL client cert, but don't fail if it's not
338-
* presented. We might fail such connections later, depending on what
339-
* we find in pg_hba.conf.
340-
*/
341-
SSL_CTX_set_verify(context,
342-
(SSL_VERIFY_PEER |
343-
SSL_VERIFY_CLIENT_ONCE),
344-
verify_cb);
345-
346-
/*
347-
* Tell OpenSSL to send the list of root certs we trust to clients in
348-
* CertificateRequests. This lets a client with a keystore select the
349-
* appropriate client certificate to send to us.
350-
*/
351-
SSL_CTX_set_client_CA_list(context,root_cert_list);
352-
}
353-
354358
/*
355359
* Success! Replace any existing SSL_context.
356360
*/
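Review bot: Removing the old `if (ssl_ca_file[0])` block here is balanced by the additions earlier in the function, and the verify-mode and CA-list comments are carried over intact apart from the added ownership sentence. The code that sits between the old and new locations (the CRL store loading via `X509_STORE_load_locations`) does not depend on the verify mode having been set, so setting it earlier is safe; the consequence that matters is that a failure in the CRL path now occurs with the CA list already owned by `context`, which is exactly the case the commit message targets.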
@@ -369,6 +373,7 @@ be_tls_init(bool isServerStart)
369373

370374
return0;
371375

376+
/* Clean up by releasing working context. */
372377
error:
373378
if (context)
374379
SSL_CTX_free(context);
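Review bot: The `/* Clean up by releasing working context. */` comment before `error:` should also state the invariant it relies on: `SSL_CTX_free(context)` releases only what the context owns, so any future allocation in `be_tls_init()` that is not handed to the context must get its own free here. The `if (context)` guard remains necessary for any `goto error` reached while `context` is still NULL.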
