
Commit bd58d9d

committed
In initialize_SSL, don't fail unnecessarily when home dir is unavailable.
Instead, just act as though the certificate file(s) are not present. There is only one case where this need be a hard failure condition: when sslmode is verify-ca or verify-full, not having a root cert file is an error. Change the logic so that we complain only in that case, and otherwise fall through cleanly. This is how it used to behave pre-9.0, but my patch 4ed4b6c of 2010-05-26 broke the case. Per report from Christian Kastner.
1 parent ee3838b commit bd58d9d

1 file changed

+41
-23
lines changed

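--- a/src/interfaces/libpq/fe-secure.c
+++ b/src/interfaces/libpq/fe-secure.c
@@ -825,37 +825,37 @@ initialize_SSL(PGconn *conn)
 char homedir[MAXPGPATH];
 char fnbuf[MAXPGPATH];
 char sebuf[256];
+bool have_homedir;
 bool have_cert;
 EVP_PKEY *pkey = NULL;
 
 /*
 * We'll need the home directory if any of the relevant parameters are
-* defaulted.
+* defaulted. If pqGetHomeDirectory fails, act as though none of the
+* files could be found.
 */
 if (!(conn->sslcert && strlen(conn->sslcert) > 0) ||
 !(conn->sslkey && strlen(conn->sslkey) > 0) ||
 !(conn->sslrootcert && strlen(conn->sslrootcert) > 0) ||
 !(conn->sslcrl && strlen(conn->sslcrl) > 0))
-{
-if (!pqGetHomeDirectory(homedir, sizeof(homedir)))
-{
-printfPQExpBuffer(&conn->errorMessage,
-libpq_gettext("could not get home directory to locate client certificate files\n"));
-return -1;
-}
-}
-else
-{
-homedir[0] = '\0';
-}
+have_homedir = pqGetHomeDirectory(homedir, sizeof(homedir));
+else /* won't need it */
+have_homedir = false;
 
 /* Read the client certificate file */
 if (conn->sslcert && strlen(conn->sslcert) > 0)
 strncpy(fnbuf, conn->sslcert, sizeof(fnbuf));
-else
+else if (have_homedir)
 snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, USER_CERT_FILE);
+else
+fnbuf[0] = '\0';
 
-if (stat(fnbuf, &buf) != 0)
+if (fnbuf[0] == '\0')
+{
+/* no home directory, proceed without a client cert */
+have_cert = false;
+}
+else if (stat(fnbuf, &buf) != 0)
 {
 /*
 * If file is not present, just go on without a client cert; server
@@ -1001,11 +1001,13 @@ initialize_SSL(PGconn *conn)
 strncpy(fnbuf, conn->sslkey, sizeof(fnbuf));
 }
 }
-else
+else if (have_homedir)
 {
 /* No PGSSLKEY specified, load default file */
 snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, USER_KEY_FILE);
 }
+else
+fnbuf[0] = '\0';
 
 if (have_cert && fnbuf[0] != '\0')
 {
@@ -1060,10 +1062,13 @@ initialize_SSL(PGconn *conn)
 */
 if (conn->sslrootcert && strlen(conn->sslrootcert) > 0)
 strncpy(fnbuf, conn->sslrootcert, sizeof(fnbuf));
-else
+else if (have_homedir)
 snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, ROOT_CERT_FILE);
+else
+fnbuf[0] = '\0';
 
-if (stat(fnbuf, &buf) == 0)
+if (fnbuf[0] != '\0' &&
+stat(fnbuf, &buf) == 0)
 {
 X509_STORE *cvstore;
 
@@ -1082,11 +1087,14 @@ initialize_SSL(PGconn *conn)
 {
 if (conn->sslcrl && strlen(conn->sslcrl) > 0)
 strncpy(fnbuf, conn->sslcrl, sizeof(fnbuf));
-else
+else if (have_homedir)
 snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, ROOT_CRL_FILE);
+else
+fnbuf[0] = '\0';
 
 /* Set the flags to check against the complete CRL chain */
-if (X509_STORE_load_locations(cvstore, fnbuf, NULL) == 1)
+if (fnbuf[0] != '\0' &&
+X509_STORE_load_locations(cvstore, fnbuf, NULL) == 1)
 {
 /* OpenSSL 0.96 does not support X509_V_FLAG_CRL_CHECK */
 #ifdef X509_V_FLAG_CRL_CHECK
@@ -1116,9 +1124,19 @@ initialize_SSL(PGconn *conn)
 */
 if (conn->sslmode[0] == 'v') /* "verify-ca" or "verify-full" */
 {
-printfPQExpBuffer(&conn->errorMessage,
-libpq_gettext("root certificate file \"%s\" does not exist\n"
-"Either provide the file or change sslmode to disable server certificate verification.\n"), fnbuf);
+/*
+* The only way to reach here with an empty filename is if
+* pqGetHomeDirectory failed. That's a sufficiently unusual case
+* that it seems worth having a specialized error message for it.
+*/
+if (fnbuf[0] == '\0')
+printfPQExpBuffer(&conn->errorMessage,
+libpq_gettext("could not get home directory to locate root certificate file\n"
+"Either provide the file or change sslmode to disable server certificate verification.\n"));
+else
+printfPQExpBuffer(&conn->errorMessage,
+libpq_gettext("root certificate file \"%s\" does not exist\n"
+"Either provide the file or change sslmode to disable server certificate verification.\n"), fnbuf);
 return -1;
 }
 }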
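Review bot: In the client-key hunk (new lines 1004-1010), the added `else fnbuf[0] = '\0';` lets an explicit sslcert with a defaulted sslkey and no home directory fall through `if (have_cert && fnbuf[0] != '\0')` without loading any key and without a message naming the cause. The root-certificate hunk gives the same situation a dedicated error, so the key path could do likewise when `have_cert` is true, for example `printfPQExpBuffer(&conn->errorMessage, libpq_gettext("could not get home directory to locate client key file\n")); return -1;`. Whatever handles a certificate without a key lies outside the visible hunks, so confirm how that case is reported today before adopting this. The CRL hunk (new lines 1090-1097) also skips revocation checking silently when the home directory is missing, even under verify-ca or verify-full; a comment such as `/* no home directory, proceed without a CRL */` on that `else` would match the one added for the client certificate.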
