Skip to content

Commit bd58d9d

Browse files
tglsfdctglsfdc
committed
In initialize_SSL, don't fail unnecessarily when home dir is unavailable.
Instead, just act as though the certificate file(s) are not present. There is only one case where this need be a hard failure condition: when sslmode is verify-ca or verify-full, not having a root cert file is an error. Change the logic so that we complain only in that case, and otherwise fall through cleanly. This is how it used to behave pre-9.0, but my patch 4ed4b6c of 2010-05-26 broke the case. Per report from Christian Kastner.
1 parent ee3838b commit bd58d9d

File tree

1 file changed

+41
-23
lines changed

1 file changed

+41
-23
lines changed

src/interfaces/libpq/fe-secure.c

Lines changed: 41 additions & 23 deletions
Original file line numberDiff line numberDiff line change
@@ -825,37 +825,37 @@ initialize_SSL(PGconn *conn)
825825
char homedir[MAXPGPATH];
826826
char fnbuf[MAXPGPATH];
827827
char sebuf[256];
828+
bool have_homedir;
828829
bool have_cert;
829830
EVP_PKEY *pkey = NULL;
830831

831832
/*
832833
* We'll need the home directory if any of the relevant parameters are
833-
* defaulted.
834+
* defaulted. If pqGetHomeDirectory fails, act as though none of the
835+
* files could be found.
834836
*/
835837
if (!(conn->sslcert && strlen(conn->sslcert) > 0) ||
836838
!(conn->sslkey && strlen(conn->sslkey) > 0) ||
837839
!(conn->sslrootcert && strlen(conn->sslrootcert) > 0) ||
838840
!(conn->sslcrl && strlen(conn->sslcrl) > 0))
839-
{
840-
if (!pqGetHomeDirectory(homedir, sizeof(homedir)))
841-
{
842-
printfPQExpBuffer(&conn->errorMessage,
843-
libpq_gettext("could not get home directory to locate client certificate files\n"));
844-
return -1;
845-
}
846-
}
847-
else
848-
{
849-
homedir[0] = '\0';
850-
}
841+
have_homedir = pqGetHomeDirectory(homedir, sizeof(homedir));
842+
else /* won't need it */
843+
have_homedir = false;
851844

852845
/* Read the client certificate file */
853846
if (conn->sslcert && strlen(conn->sslcert) > 0)
854847
strncpy(fnbuf, conn->sslcert, sizeof(fnbuf));
855-
else
848+
else if (have_homedir)
856849
snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, USER_CERT_FILE);
850+
else
851+
fnbuf[0] = '\0';
857852

858-
if (stat(fnbuf, &buf) != 0)
853+
if (fnbuf[0] == '\0')
854+
{
855+
/* no home directory, proceed without a client cert */
856+
have_cert = false;
857+
}
858+
else if (stat(fnbuf, &buf) != 0)
859859
{
860860
/*
861861
* If file is not present, just go on without a client cert; server
@@ -1001,11 +1001,13 @@ initialize_SSL(PGconn *conn)
10011001
strncpy(fnbuf, conn->sslkey, sizeof(fnbuf));
10021002
}
10031003
}
1004-
else
1004+
else if (have_homedir)
10051005
{
10061006
/* No PGSSLKEY specified, load default file */
10071007
snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, USER_KEY_FILE);
10081008
}
1009+
else
1010+
fnbuf[0] = '\0';
10091011

10101012
if (have_cert && fnbuf[0] != '\0')
10111013
{
@@ -1060,10 +1062,13 @@ initialize_SSL(PGconn *conn)
10601062
*/
10611063
if (conn->sslrootcert && strlen(conn->sslrootcert) > 0)
10621064
strncpy(fnbuf, conn->sslrootcert, sizeof(fnbuf));
1063-
else
1065+
else if (have_homedir)
10641066
snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, ROOT_CERT_FILE);
1067+
else
1068+
fnbuf[0] = '\0';
10651069

1066-
if (stat(fnbuf, &buf) == 0)
1070+
if (fnbuf[0] != '\0' &&
1071+
stat(fnbuf, &buf) == 0)
10671072
{
10681073
X509_STORE *cvstore;
10691074

@@ -1082,11 +1087,14 @@ initialize_SSL(PGconn *conn)
10821087
{
10831088
if (conn->sslcrl && strlen(conn->sslcrl) > 0)
10841089
strncpy(fnbuf, conn->sslcrl, sizeof(fnbuf));
1085-
else
1090+
else if (have_homedir)
10861091
snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, ROOT_CRL_FILE);
1092+
else
1093+
fnbuf[0] = '\0';
10871094

10881095
/* Set the flags to check against the complete CRL chain */
1089-
if (X509_STORE_load_locations(cvstore, fnbuf, NULL) == 1)
1096+
if (fnbuf[0] != '\0' &&
1097+
X509_STORE_load_locations(cvstore, fnbuf, NULL) == 1)
10901098
{
10911099
/* OpenSSL 0.96 does not support X509_V_FLAG_CRL_CHECK */
10921100
#ifdef X509_V_FLAG_CRL_CHECK
@@ -1116,9 +1124,19 @@ initialize_SSL(PGconn *conn)
11161124
*/
11171125
if (conn->sslmode[0] == 'v') /* "verify-ca" or "verify-full" */
11181126
{
1119-
printfPQExpBuffer(&conn->errorMessage,
1120-
libpq_gettext("root certificate file \"%s\" does not exist\n"
1121-
"Either provide the file or change sslmode to disable server certificate verification.\n"), fnbuf);
1127+
/*
1128+
* The only way to reach here with an empty filename is if
1129+
* pqGetHomeDirectory failed. That's a sufficiently unusual case
1130+
* that it seems worth having a specialized error message for it.
1131+
*/
1132+
if (fnbuf[0] == '\0')
1133+
printfPQExpBuffer(&conn->errorMessage,
1134+
libpq_gettext("could not get home directory to locate root certificate file\n"
1135+
"Either provide the file or change sslmode to disable server certificate verification.\n"));
1136+
else
1137+
printfPQExpBuffer(&conn->errorMessage,
1138+
libpq_gettext("root certificate file \"%s\" does not exist\n"
1139+
"Either provide the file or change sslmode to disable server certificate verification.\n"), fnbuf);
11221140
return -1;
11231141
}
11241142
}

0 commit comments

Comments
 (0)