diff options
| author | Tom Lane <tgl@sss.pgh.pa.us> | 2020-02-02 13:09:33 -0500 |
|---|---|---|
| committer | Tom Lane <tgl@sss.pgh.pa.us> | 2020-02-02 13:09:33 -0500 |
| commit | 6148e2b9a6399b77e10e277c32d701b84703820f (patch) | |
| tree | c057fdcd5c7bad408e91bb24e9a690197d3b35d2 | |
| parent | 1fd687a035558238c0e3cab09fc22dc61a088869 (diff) | |
| download | postgresql-6148e2b9a6399b77e10e277c32d701b84703820f.tar.gz postgresql-6148e2b9a6399b77e10e277c32d701b84703820f.zip | |
Fix assorted error-cleanup bugs in SSL min/max protocol version code.
The error exits added to initialize_SSL() failed to clean up the
partially-built SSL_context, and some of them also leaked the
result of SSLerrmessage(). Make them match other error-handling
cases in that function.
The error exits added to connectOptions2() failed to set conn->status
like every other error exit in that function.
In passing, make the SSL_get_peer_certificate() error exit look more
like all the other calls of SSLerrmessage().
Oversights in commit ff8ca5fad. Coverity whined about leakage of the
SSLerrmessage() results; I noted the rest in manual code review.
| -rw-r--r-- | src/interfaces/libpq/fe-connect.c | 3 | ||||
| -rw-r--r-- | src/interfaces/libpq/fe-secure-openssl.c | 10 |
2 files changed, 10 insertions, 3 deletions
diff --git a/src/interfaces/libpq/fe-connect.c b/src/interfaces/libpq/fe-connect.c index 99cd6c41176..408000af83a 100644 --- a/src/interfaces/libpq/fe-connect.c +++ b/src/interfaces/libpq/fe-connect.c @@ -1306,6 +1306,7 @@ connectOptions2(PGconn *conn) */ if (!sslVerifyProtocolVersion(conn->sslminprotocolversion)) { + conn->status = CONNECTION_BAD; printfPQExpBuffer(&conn->errorMessage, libpq_gettext("invalid sslminprotocolversion value: \"%s\"\n"), conn->sslminprotocolversion); @@ -1313,6 +1314,7 @@ connectOptions2(PGconn *conn) } if (!sslVerifyProtocolVersion(conn->sslmaxprotocolversion)) { + conn->status = CONNECTION_BAD; printfPQExpBuffer(&conn->errorMessage, libpq_gettext("invalid sslmaxprotocolversion value: \"%s\"\n"), conn->sslmaxprotocolversion); @@ -1329,6 +1331,7 @@ connectOptions2(PGconn *conn) if (!sslVerifyProtocolRange(conn->sslminprotocolversion, conn->sslmaxprotocolversion)) { + conn->status = CONNECTION_BAD; printfPQExpBuffer(&conn->errorMessage, libpq_gettext("invalid SSL protocol version range")); return false; diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c index cf142fbaa48..d3a37e1d273 100644 --- a/src/interfaces/libpq/fe-secure-openssl.c +++ b/src/interfaces/libpq/fe-secure-openssl.c @@ -854,6 +854,7 @@ initialize_SSL(PGconn *conn) printfPQExpBuffer(&conn->errorMessage, libpq_gettext("invalid value \"%s\" for minimum version of SSL protocol\n"), conn->sslminprotocolversion); + SSL_CTX_free(SSL_context); return -1; } @@ -864,6 +865,8 @@ initialize_SSL(PGconn *conn) printfPQExpBuffer(&conn->errorMessage, libpq_gettext("could not set minimum version of SSL protocol: %s\n"), err); + SSLerrfree(err); + SSL_CTX_free(SSL_context); return -1; } } @@ -880,6 +883,7 @@ initialize_SSL(PGconn *conn) printfPQExpBuffer(&conn->errorMessage, libpq_gettext("invalid value \"%s\" for maximum version of SSL protocol\n"), conn->sslmaxprotocolversion); + SSL_CTX_free(SSL_context); return -1; } @@ -890,6 +894,8 @@ initialize_SSL(PGconn *conn) printfPQExpBuffer(&conn->errorMessage, libpq_gettext("could not set maximum version of SSL protocol: %s\n"), err); + SSLerrfree(err); + SSL_CTX_free(SSL_context); return -1; } } @@ -1321,9 +1327,7 @@ open_client_SSL(PGconn *conn) conn->peer = SSL_get_peer_certificate(conn->ssl); if (conn->peer == NULL) { - char *err; - - err = SSLerrmessage(ERR_get_error()); + char *err = SSLerrmessage(ERR_get_error()); printfPQExpBuffer(&conn->errorMessage, libpq_gettext("certificate could not be obtained: %s\n"), |