Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commitbd58d9d

Browse files
committed
In initialize_SSL, don't fail unnecessarily when home dir is unavailable.
Instead, just act as though the certificate file(s) are not present.There is only one case where this need be a hard failure condition: whensslmode is verify-ca or verify-full, not having a root cert file is anerror. Change the logic so that we complain only in that case, andotherwise fall through cleanly. This is how it used to behave pre-9.0,but my patch4ed4b6c of 2010-05-26 brokethe case. Per report from Christian Kastner.
1 parentee3838b commitbd58d9d

File tree

1 file changed

+41
-23
lines changed

1 file changed

+41
-23
lines changed

‎src/interfaces/libpq/fe-secure.c‎

Lines changed: 41 additions & 23 deletions
Original file line numberDiff line numberDiff line change
@@ -825,37 +825,37 @@ initialize_SSL(PGconn *conn)
825825
charhomedir[MAXPGPATH];
826826
charfnbuf[MAXPGPATH];
827827
charsebuf[256];
828+
boolhave_homedir;
828829
boolhave_cert;
829830
EVP_PKEY*pkey=NULL;
830831

831832
/*
832833
* We'll need the home directory if any of the relevant parameters are
833-
* defaulted.
834+
* defaulted. If pqGetHomeDirectory fails, act as though none of the
835+
* files could be found.
834836
*/
835837
if (!(conn->sslcert&&strlen(conn->sslcert)>0)||
836838
!(conn->sslkey&&strlen(conn->sslkey)>0)||
837839
!(conn->sslrootcert&&strlen(conn->sslrootcert)>0)||
838840
!(conn->sslcrl&&strlen(conn->sslcrl)>0))
839-
{
840-
if (!pqGetHomeDirectory(homedir,sizeof(homedir)))
841-
{
842-
printfPQExpBuffer(&conn->errorMessage,
843-
libpq_gettext("could not get home directory to locate client certificate files\n"));
844-
return-1;
845-
}
846-
}
847-
else
848-
{
849-
homedir[0]='\0';
850-
}
841+
have_homedir=pqGetHomeDirectory(homedir,sizeof(homedir));
842+
else/* won't need it */
843+
have_homedir= false;
851844

852845
/* Read the client certificate file */
853846
if (conn->sslcert&&strlen(conn->sslcert)>0)
854847
strncpy(fnbuf,conn->sslcert,sizeof(fnbuf));
855-
else
848+
elseif (have_homedir)
856849
snprintf(fnbuf,sizeof(fnbuf),"%s/%s",homedir,USER_CERT_FILE);
850+
else
851+
fnbuf[0]='\0';
857852

858-
if (stat(fnbuf,&buf)!=0)
853+
if (fnbuf[0]=='\0')
854+
{
855+
/* no home directory, proceed without a client cert */
856+
have_cert= false;
857+
}
858+
elseif (stat(fnbuf,&buf)!=0)
859859
{
860860
/*
861861
* If file is not present, just go on without a client cert; server
@@ -1001,11 +1001,13 @@ initialize_SSL(PGconn *conn)
10011001
strncpy(fnbuf,conn->sslkey,sizeof(fnbuf));
10021002
}
10031003
}
1004-
else
1004+
elseif (have_homedir)
10051005
{
10061006
/* No PGSSLKEY specified, load default file */
10071007
snprintf(fnbuf,sizeof(fnbuf),"%s/%s",homedir,USER_KEY_FILE);
10081008
}
1009+
else
1010+
fnbuf[0]='\0';
10091011

10101012
if (have_cert&&fnbuf[0]!='\0')
10111013
{
@@ -1060,10 +1062,13 @@ initialize_SSL(PGconn *conn)
10601062
*/
10611063
if (conn->sslrootcert&&strlen(conn->sslrootcert)>0)
10621064
strncpy(fnbuf,conn->sslrootcert,sizeof(fnbuf));
1063-
else
1065+
elseif (have_homedir)
10641066
snprintf(fnbuf,sizeof(fnbuf),"%s/%s",homedir,ROOT_CERT_FILE);
1067+
else
1068+
fnbuf[0]='\0';
10651069

1066-
if (stat(fnbuf,&buf)==0)
1070+
if (fnbuf[0]!='\0'&&
1071+
stat(fnbuf,&buf)==0)
10671072
{
10681073
X509_STORE*cvstore;
10691074

@@ -1082,11 +1087,14 @@ initialize_SSL(PGconn *conn)
10821087
{
10831088
if (conn->sslcrl&&strlen(conn->sslcrl)>0)
10841089
strncpy(fnbuf,conn->sslcrl,sizeof(fnbuf));
1085-
else
1090+
elseif (have_homedir)
10861091
snprintf(fnbuf,sizeof(fnbuf),"%s/%s",homedir,ROOT_CRL_FILE);
1092+
else
1093+
fnbuf[0]='\0';
10871094

10881095
/* Set the flags to check against the complete CRL chain */
1089-
if (X509_STORE_load_locations(cvstore,fnbuf,NULL)==1)
1096+
if (fnbuf[0]!='\0'&&
1097+
X509_STORE_load_locations(cvstore,fnbuf,NULL)==1)
10901098
{
10911099
/* OpenSSL 0.96 does not support X509_V_FLAG_CRL_CHECK */
10921100
#ifdefX509_V_FLAG_CRL_CHECK
@@ -1116,9 +1124,19 @@ initialize_SSL(PGconn *conn)
11161124
*/
11171125
if (conn->sslmode[0]=='v')/* "verify-ca" or "verify-full" */
11181126
{
1119-
printfPQExpBuffer(&conn->errorMessage,
1120-
libpq_gettext("root certificate file \"%s\" does not exist\n"
1121-
"Either provide the file or change sslmode to disable server certificate verification.\n"),fnbuf);
1127+
/*
1128+
* The only way to reach here with an empty filename is if
1129+
* pqGetHomeDirectory failed. That's a sufficiently unusual case
1130+
* that it seems worth having a specialized error message for it.
1131+
*/
1132+
if (fnbuf[0]=='\0')
1133+
printfPQExpBuffer(&conn->errorMessage,
1134+
libpq_gettext("could not get home directory to locate root certificate file\n"
1135+
"Either provide the file or change sslmode to disable server certificate verification.\n"));
1136+
else
1137+
printfPQExpBuffer(&conn->errorMessage,
1138+
libpq_gettext("root certificate file \"%s\" does not exist\n"
1139+
"Either provide the file or change sslmode to disable server certificate verification.\n"),fnbuf);
11221140
return-1;
11231141
}
11241142
}

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp