opensourcemirror
/
postgresql
mirror of git://git.postgresql.org/git/postgresql.git
1
0
Fork 0
Code Issues Releases Wiki Activity

Fix assorted error-cleanup bugs in SSL min/max protocol version code. 

The error exits added to initialize_SSL() failed to clean up the
partially-built SSL_context, and some of them also leaked the
result of SSLerrmessage().  Make them match other error-handling
cases in that function.

The error exits added to connectOptions2() failed to set conn->status
like every other error exit in that function.

In passing, make the SSL_get_peer_certificate() error exit look more
like all the other calls of SSLerrmessage().

Oversights in commit ff8ca5fad.  Coverity whined about leakage of the
SSLerrmessage() results; I noted the rest in manual code review.
This commit is contained in:
Tom Lane 2020-02-02 13:09:33 -05:00
parent 1fd687a035
commit 6148e2b9a6
2 changed files with 10 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
src/interfaces/libpq/fe-connect.c
View File

@ -1306,6 +1306,7 @@ connectOptions2(PGconn *conn)
*/
if (!sslVerifyProtocolVersion(conn->sslminprotocolversion))
{
conn->status = CONNECTION_BAD;
printfPQExpBuffer(&conn->errorMessage,
libpq_gettext("invalid sslminprotocolversion value: \"%s\"\n"),
conn->sslminprotocolversion);
@ -1313,6 +1314,7 @@ connectOptions2(PGconn *conn)
}
if (!sslVerifyProtocolVersion(conn->sslmaxprotocolversion))
{
conn->status = CONNECTION_BAD;
printfPQExpBuffer(&conn->errorMessage,
libpq_gettext("invalid sslmaxprotocolversion value: \"%s\"\n"),
conn->sslmaxprotocolversion);
@ -1329,6 +1331,7 @@ connectOptions2(PGconn *conn)
if (!sslVerifyProtocolRange(conn->sslminprotocolversion,
conn->sslmaxprotocolversion))
{
conn->status = CONNECTION_BAD;
printfPQExpBuffer(&conn->errorMessage,
libpq_gettext("invalid SSL protocol version range"));
return false;

10
src/interfaces/libpq/fe-secure-openssl.c
View File

@ -854,6 +854,7 @@ initialize_SSL(PGconn *conn)
printfPQExpBuffer(&conn->errorMessage,
libpq_gettext("invalid value \"%s\" for minimum version of SSL protocol\n"),
conn->sslminprotocolversion);
SSL_CTX_free(SSL_context);
return -1;
}
@ -864,6 +865,8 @@ initialize_SSL(PGconn *conn)
printfPQExpBuffer(&conn->errorMessage,
libpq_gettext("could not set minimum version of SSL protocol: %s\n"),
err);
SSLerrfree(err);
SSL_CTX_free(SSL_context);
return -1;
}
}
@ -880,6 +883,7 @@ initialize_SSL(PGconn *conn)
printfPQExpBuffer(&conn->errorMessage,
libpq_gettext("invalid value \"%s\" for maximum version of SSL protocol\n"),
conn->sslmaxprotocolversion);
SSL_CTX_free(SSL_context);
return -1;
}
@ -890,6 +894,8 @@ initialize_SSL(PGconn *conn)
printfPQExpBuffer(&conn->errorMessage,
libpq_gettext("could not set maximum version of SSL protocol: %s\n"),
err);
SSLerrfree(err);
SSL_CTX_free(SSL_context);
return -1;
}
}
@ -1321,9 +1327,7 @@ open_client_SSL(PGconn *conn)
conn->peer = SSL_get_peer_certificate(conn->ssl);
if (conn->peer == NULL)
{
char *err;
err = SSLerrmessage(ERR_get_error());
char *err = SSLerrmessage(ERR_get_error());
printfPQExpBuffer(&conn->errorMessage,
libpq_gettext("certificate could not be obtained: %s\n"),