Diffstat (limited to 'src/interfaces/libpq/fe-secure-openssl.c')
-rw-r--r--src/interfaces/libpq/fe-secure-openssl.c166
1 files changed, 55 insertions, 111 deletions
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index b42a908733a..bad85359b6c 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -212,20 +212,17 @@ rloop:
result_errno = SOCK_ERRNO;
if (result_errno == EPIPE ||
result_errno == ECONNRESET)
- appendPQExpBufferStr(&conn->errorMessage,
- libpq_gettext("server closed the connection unexpectedly\n"
- "\tThis probably means the server terminated abnormally\n"
- "\tbefore or while processing the request.\n"));
+ libpq_append_conn_error(conn, "server closed the connection unexpectedly\n"
+ "\tThis probably means the server terminated abnormally\n"
+ "\tbefore or while processing the request.");
else
- appendPQExpBuffer(&conn->errorMessage,
- libpq_gettext("SSL SYSCALL error: %s\n"),
+ libpq_append_conn_error(conn, "SSL SYSCALL error: %s",
SOCK_STRERROR(result_errno,
sebuf, sizeof(sebuf)));
}
else
{
- appendPQExpBufferStr(&conn->errorMessage,
- libpq_gettext("SSL SYSCALL error: EOF detected\n"));
+ libpq_append_conn_error(conn, "SSL SYSCALL error: EOF detected");
/* assume the connection is broken */
result_errno = ECONNRESET;
n = -1;
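Review bot: Every call site in this hunk now hands `libpq_append_conn_error` a bare string literal as its format, so agreement between specifiers and arguments (`%s` with `SOCK_STRERROR(...)` at the second call here, `%d` with `err` in the `unrecognized SSL error code` hunks further down) is only still checked by `-Wformat` if the helper's declaration carries a printf-style attribute such as `pg_attribute_printf(2, 3)`; that declaration is not part of this diff, so it is worth confirming before the old `appendPQExpBuffer(..., libpq_gettext(...))` form is removed everywhere. The translatable strings likewise move from a `libpq_gettext()` call into the helper's argument, so the message catalog extraction presumably needs `libpq_append_conn_error` registered as a gettext trigger in libpq's nls.mk, or these strings silently stop being translated. The same remark applies to every other hunk in this file. The enclosing function (the `rloop:` context) begins before this hunk and continues after it.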
@@ -235,8 +232,7 @@ rloop:
{
char *errm = SSLerrmessage(ecode);
- appendPQExpBuffer(&conn->errorMessage,
- libpq_gettext("SSL error: %s\n"), errm);
+ libpq_append_conn_error(conn, "SSL error: %s", errm);
SSLerrfree(errm);
/* assume the connection is broken */
result_errno = ECONNRESET;
@@ -250,15 +246,12 @@ rloop:
* a clean connection closure, so we should not report it as a
* server crash.
*/
- appendPQExpBufferStr(&conn->errorMessage,
- libpq_gettext("SSL connection has been closed unexpectedly\n"));
+ libpq_append_conn_error(conn, "SSL connection has been closed unexpectedly");
result_errno = ECONNRESET;
n = -1;
break;
default:
- appendPQExpBuffer(&conn->errorMessage,
- libpq_gettext("unrecognized SSL error code: %d\n"),
- err);
+ libpq_append_conn_error(conn, "unrecognized SSL error code: %d", err);
/* assume the connection is broken */
result_errno = ECONNRESET;
n = -1;
@@ -319,20 +312,17 @@ pgtls_write(PGconn *conn, const void *ptr, size_t len)
{
result_errno = SOCK_ERRNO;
if (result_errno == EPIPE || result_errno == ECONNRESET)
- appendPQExpBufferStr(&conn->errorMessage,
- libpq_gettext("server closed the connection unexpectedly\n"
- "\tThis probably means the server terminated abnormally\n"
- "\tbefore or while processing the request.\n"));
+ libpq_append_conn_error(conn, "server closed the connection unexpectedly\n"
+ "\tThis probably means the server terminated abnormally\n"
+ "\tbefore or while processing the request.");
else
- appendPQExpBuffer(&conn->errorMessage,
- libpq_gettext("SSL SYSCALL error: %s\n"),
+ libpq_append_conn_error(conn, "SSL SYSCALL error: %s",
SOCK_STRERROR(result_errno,
sebuf, sizeof(sebuf)));
}
else
{
- appendPQExpBufferStr(&conn->errorMessage,
- libpq_gettext("SSL SYSCALL error: EOF detected\n"));
+ libpq_append_conn_error(conn, "SSL SYSCALL error: EOF detected");
/* assume the connection is broken */
result_errno = ECONNRESET;
n = -1;
@@ -342,8 +332,7 @@ pgtls_write(PGconn *conn, const void *ptr, size_t len)
{
char *errm = SSLerrmessage(ecode);
- appendPQExpBuffer(&conn->errorMessage,
- libpq_gettext("SSL error: %s\n"), errm);
+ libpq_append_conn_error(conn, "SSL error: %s", errm);
SSLerrfree(errm);
/* assume the connection is broken */
result_errno = ECONNRESET;
@@ -357,15 +346,12 @@ pgtls_write(PGconn *conn, const void *ptr, size_t len)
* a clean connection closure, so we should not report it as a
* server crash.
*/
- appendPQExpBufferStr(&conn->errorMessage,
- libpq_gettext("SSL connection has been closed unexpectedly\n"));
+ libpq_append_conn_error(conn, "SSL connection has been closed unexpectedly");
result_errno = ECONNRESET;
n = -1;
break;
default:
- appendPQExpBuffer(&conn->errorMessage,
- libpq_gettext("unrecognized SSL error code: %d\n"),
- err);
+ libpq_append_conn_error(conn, "unrecognized SSL error code: %d", err);
/* assume the connection is broken */
result_errno = ECONNRESET;
n = -1;
@@ -403,8 +389,7 @@ pgtls_get_peer_certificate_hash(PGconn *conn, size_t *len)
if (!OBJ_find_sigid_algs(X509_get_signature_nid(peer_cert),
&algo_nid, NULL))
{
- appendPQExpBufferStr(&conn->errorMessage,
- libpq_gettext("could not determine server certificate signature algorithm\n"));
+ libpq_append_conn_error(conn, "could not determine server certificate signature algorithm");
return NULL;
}
@@ -424,8 +409,7 @@ pgtls_get_peer_certificate_hash(PGconn *conn, size_t *len)
algo_type = EVP_get_digestbynid(algo_nid);
if (algo_type == NULL)
{
- appendPQExpBuffer(&conn->errorMessage,
- libpq_gettext("could not find digest for NID %s\n"),
+ libpq_append_conn_error(conn, "could not find digest for NID %s",
OBJ_nid2sn(algo_nid));
return NULL;
}
@@ -434,8 +418,7 @@ pgtls_get_peer_certificate_hash(PGconn *conn, size_t *len)
if (!X509_digest(peer_cert, algo_type, hash, &hash_size))
{
- appendPQExpBufferStr(&conn->errorMessage,
- libpq_gettext("could not generate peer certificate hash\n"));
+ libpq_append_conn_error(conn, "could not generate peer certificate hash");
return NULL;
}
@@ -443,8 +426,7 @@ pgtls_get_peer_certificate_hash(PGconn *conn, size_t *len)
cert_hash = malloc(hash_size);
if (cert_hash == NULL)
{
- appendPQExpBufferStr(&conn->errorMessage,
- libpq_gettext("out of memory\n"));
+ libpq_append_conn_error(conn, "out of memory");
return NULL;
}
memcpy(cert_hash, hash, hash_size);
@@ -491,8 +473,7 @@ openssl_verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *nam
/* Should not happen... */
if (name_entry == NULL)
{
- appendPQExpBufferStr(&conn->errorMessage,
- libpq_gettext("SSL certificate's name entry is missing\n"));
+ libpq_append_conn_error(conn, "SSL certificate's name entry is missing");
return -1;
}
@@ -526,8 +507,7 @@ openssl_verify_peer_name_matches_certificate_ip(PGconn *conn,
/* Should not happen... */
if (addr_entry == NULL)
{
- appendPQExpBufferStr(&conn->errorMessage,
- libpq_gettext("SSL certificate's address entry is missing\n"));
+ libpq_append_conn_error(conn, "SSL certificate's address entry is missing");
return -1;
}
@@ -944,9 +924,7 @@ initialize_SSL(PGconn *conn)
{
char *err = SSLerrmessage(ERR_get_error());
- appendPQExpBuffer(&conn->errorMessage,
- libpq_gettext("could not create SSL context: %s\n"),
- err);
+ libpq_append_conn_error(conn, "could not create SSL context: %s", err);
SSLerrfree(err);
return -1;
}
@@ -983,8 +961,7 @@ initialize_SSL(PGconn *conn)
if (ssl_min_ver == -1)
{
- appendPQExpBuffer(&conn->errorMessage,
- libpq_gettext("invalid value \"%s\" for minimum SSL protocol version\n"),
+ libpq_append_conn_error(conn, "invalid value \"%s\" for minimum SSL protocol version",
conn->ssl_min_protocol_version);
SSL_CTX_free(SSL_context);
return -1;
@@ -994,9 +971,7 @@ initialize_SSL(PGconn *conn)
{
char *err = SSLerrmessage(ERR_get_error());
- appendPQExpBuffer(&conn->errorMessage,
- libpq_gettext("could not set minimum SSL protocol version: %s\n"),
- err);
+ libpq_append_conn_error(conn, "could not set minimum SSL protocol version: %s", err);
SSLerrfree(err);
SSL_CTX_free(SSL_context);
return -1;
@@ -1012,8 +987,7 @@ initialize_SSL(PGconn *conn)
if (ssl_max_ver == -1)
{
- appendPQExpBuffer(&conn->errorMessage,
- libpq_gettext("invalid value \"%s\" for maximum SSL protocol version\n"),
+ libpq_append_conn_error(conn, "invalid value \"%s\" for maximum SSL protocol version",
conn->ssl_max_protocol_version);
SSL_CTX_free(SSL_context);
return -1;
@@ -1023,9 +997,7 @@ initialize_SSL(PGconn *conn)
{
char *err = SSLerrmessage(ERR_get_error());
- appendPQExpBuffer(&conn->errorMessage,
- libpq_gettext("could not set maximum SSL protocol version: %s\n"),
- err);
+ libpq_append_conn_error(conn, "could not set maximum SSL protocol version: %s", err);
SSLerrfree(err);
SSL_CTX_free(SSL_context);
return -1;
@@ -1059,8 +1031,7 @@ initialize_SSL(PGconn *conn)
{
char *err = SSLerrmessage(ERR_get_error());
- appendPQExpBuffer(&conn->errorMessage,
- libpq_gettext("could not read root certificate file \"%s\": %s\n"),
+ libpq_append_conn_error(conn, "could not read root certificate file \"%s\": %s",
fnbuf, err);
SSLerrfree(err);
SSL_CTX_free(SSL_context);
@@ -1112,13 +1083,11 @@ initialize_SSL(PGconn *conn)
* that it seems worth having a specialized error message for it.
*/
if (fnbuf[0] == '\0')
- appendPQExpBuffer(&conn->errorMessage,
- libpq_gettext("could not get home directory to locate root certificate file\n"
- "Either provide the file or change sslmode to disable server certificate verification.\n"));
+ libpq_append_conn_error(conn, "could not get home directory to locate root certificate file\n"
+ "Either provide the file or change sslmode to disable server certificate verification.");
else
- appendPQExpBuffer(&conn->errorMessage,
- libpq_gettext("root certificate file \"%s\" does not exist\n"
- "Either provide the file or change sslmode to disable server certificate verification.\n"), fnbuf);
+ libpq_append_conn_error(conn, "root certificate file \"%s\" does not exist\n"
+ "Either provide the file or change sslmode to disable server certificate verification.", fnbuf);
SSL_CTX_free(SSL_context);
return -1;
}
@@ -1147,8 +1116,7 @@ initialize_SSL(PGconn *conn)
*/
if (errno != ENOENT && errno != ENOTDIR)
{
- appendPQExpBuffer(&conn->errorMessage,
- libpq_gettext("could not open certificate file \"%s\": %s\n"),
+ libpq_append_conn_error(conn, "could not open certificate file \"%s\": %s",
fnbuf, strerror_r(errno, sebuf, sizeof(sebuf)));
SSL_CTX_free(SSL_context);
return -1;
@@ -1166,8 +1134,7 @@ initialize_SSL(PGconn *conn)
{
char *err = SSLerrmessage(ERR_get_error());
- appendPQExpBuffer(&conn->errorMessage,
- libpq_gettext("could not read certificate file \"%s\": %s\n"),
+ libpq_append_conn_error(conn, "could not read certificate file \"%s\": %s",
fnbuf, err);
SSLerrfree(err);
SSL_CTX_free(SSL_context);
@@ -1191,9 +1158,7 @@ initialize_SSL(PGconn *conn)
{
char *err = SSLerrmessage(ERR_get_error());
- appendPQExpBuffer(&conn->errorMessage,
- libpq_gettext("could not establish SSL connection: %s\n"),
- err);
+ libpq_append_conn_error(conn, "could not establish SSL connection: %s", err);
SSLerrfree(err);
SSL_CTX_free(SSL_context);
return -1;
@@ -1225,9 +1190,7 @@ initialize_SSL(PGconn *conn)
{
char *err = SSLerrmessage(ERR_get_error());
- appendPQExpBuffer(&conn->errorMessage,
- libpq_gettext("could not set SSL Server Name Indication (SNI): %s\n"),
- err);
+ libpq_append_conn_error(conn, "could not set SSL Server Name Indication (SNI): %s", err);
SSLerrfree(err);
return -1;
}
@@ -1255,8 +1218,7 @@ initialize_SSL(PGconn *conn)
if (engine_str == NULL)
{
- appendPQExpBufferStr(&conn->errorMessage,
- libpq_gettext("out of memory\n"));
+ libpq_append_conn_error(conn, "out of memory");
return -1;
}
@@ -1271,8 +1233,7 @@ initialize_SSL(PGconn *conn)
{
char *err = SSLerrmessage(ERR_get_error());
- appendPQExpBuffer(&conn->errorMessage,
- libpq_gettext("could not load SSL engine \"%s\": %s\n"),
+ libpq_append_conn_error(conn, "could not load SSL engine \"%s\": %s",
engine_str, err);
SSLerrfree(err);
free(engine_str);
@@ -1283,8 +1244,7 @@ initialize_SSL(PGconn *conn)
{
char *err = SSLerrmessage(ERR_get_error());
- appendPQExpBuffer(&conn->errorMessage,
- libpq_gettext("could not initialize SSL engine \"%s\": %s\n"),
+ libpq_append_conn_error(conn, "could not initialize SSL engine \"%s\": %s",
engine_str, err);
SSLerrfree(err);
ENGINE_free(conn->engine);
@@ -1299,8 +1259,7 @@ initialize_SSL(PGconn *conn)
{
char *err = SSLerrmessage(ERR_get_error());
- appendPQExpBuffer(&conn->errorMessage,
- libpq_gettext("could not read private SSL key \"%s\" from engine \"%s\": %s\n"),
+ libpq_append_conn_error(conn, "could not read private SSL key \"%s\" from engine \"%s\": %s",
engine_colon, engine_str, err);
SSLerrfree(err);
ENGINE_finish(conn->engine);
@@ -1313,8 +1272,7 @@ initialize_SSL(PGconn *conn)
{
char *err = SSLerrmessage(ERR_get_error());
- appendPQExpBuffer(&conn->errorMessage,
- libpq_gettext("could not load private SSL key \"%s\" from engine \"%s\": %s\n"),
+ libpq_append_conn_error(conn, "could not load private SSL key \"%s\" from engine \"%s\": %s",
engine_colon, engine_str, err);
SSLerrfree(err);
ENGINE_finish(conn->engine);
@@ -1351,12 +1309,10 @@ initialize_SSL(PGconn *conn)
if (stat(fnbuf, &buf) != 0)
{
if (errno == ENOENT)
- appendPQExpBuffer(&conn->errorMessage,
- libpq_gettext("certificate present, but not private key file \"%s\"\n"),
+ libpq_append_conn_error(conn, "certificate present, but not private key file \"%s\"",
fnbuf);
else
- appendPQExpBuffer(&conn->errorMessage,
- libpq_gettext("could not stat private key file \"%s\": %m\n"),
+ libpq_append_conn_error(conn, "could not stat private key file \"%s\": %m",
fnbuf);
return -1;
}
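Review bot: The `%m` in the new `could not stat private key file` call in the `else` branch is expanded inside `libpq_append_conn_error`, which presumably runs the format through `libpq_gettext()` before formatting; if that translation step can alter errno, the reported reason would be wrong unless the helper saves and restores errno around it. The helper is not in this diff, so confirm that it does. A form that is robust regardless is the one already used in the `could not open certificate file` hunk above, evaluating the reason in the argument list: `libpq_append_conn_error(conn, "could not stat private key file \"%s\": %s", fnbuf, strerror_r(errno, sebuf, sizeof(sebuf)));`. initialize_SSL continues on both sides of this hunk.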
@@ -1364,8 +1320,7 @@ initialize_SSL(PGconn *conn)
/* Key file must be a regular file */
if (!S_ISREG(buf.st_mode))
{
- appendPQExpBuffer(&conn->errorMessage,
- libpq_gettext("private key file \"%s\" is not a regular file\n"),
+ libpq_append_conn_error(conn, "private key file \"%s\" is not a regular file",
fnbuf);
return -1;
}
@@ -1397,9 +1352,9 @@ initialize_SSL(PGconn *conn)
buf.st_mode & (S_IWGRP | S_IXGRP | S_IRWXO) :
buf.st_mode & (S_IRWXG | S_IRWXO))
{
- appendPQExpBuffer(&conn->errorMessage,
- libpq_gettext("private key file \"%s\" has group or world access; file must have permissions u=rw (0600) or less if owned by the current user, or permissions u=rw,g=r (0640) or less if owned by root\n"),
- fnbuf);
+ libpq_append_conn_error(conn,
+ "private key file \"%s\" has group or world access; file must have permissions u=rw (0600) or less if owned by the current user, or permissions u=rw,g=r (0640) or less if owned by root",
+ fnbuf);
return -1;
}
#endif
@@ -1422,8 +1377,7 @@ initialize_SSL(PGconn *conn)
*/
if (SSL_use_PrivateKey_file(conn->ssl, fnbuf, SSL_FILETYPE_ASN1) != 1)
{
- appendPQExpBuffer(&conn->errorMessage,
- libpq_gettext("could not load private key file \"%s\": %s\n"),
+ libpq_append_conn_error(conn, "could not load private key file \"%s\": %s",
fnbuf, err);
SSLerrfree(err);
return -1;
@@ -1439,8 +1393,7 @@ initialize_SSL(PGconn *conn)
{
char *err = SSLerrmessage(ERR_get_error());
- appendPQExpBuffer(&conn->errorMessage,
- libpq_gettext("certificate does not match private key file \"%s\": %s\n"),
+ libpq_append_conn_error(conn, "certificate does not match private key file \"%s\": %s",
fnbuf, err);
SSLerrfree(err);
return -1;
@@ -1493,12 +1446,10 @@ open_client_SSL(PGconn *conn)
char sebuf[PG_STRERROR_R_BUFLEN];
if (r == -1)
- appendPQExpBuffer(&conn->errorMessage,
- libpq_gettext("SSL SYSCALL error: %s\n"),
+ libpq_append_conn_error(conn, "SSL SYSCALL error: %s",
SOCK_STRERROR(SOCK_ERRNO, sebuf, sizeof(sebuf)));
else
- appendPQExpBufferStr(&conn->errorMessage,
- libpq_gettext("SSL SYSCALL error: EOF detected\n"));
+ libpq_append_conn_error(conn, "SSL SYSCALL error: EOF detected");
pgtls_close(conn);
return PGRES_POLLING_FAILED;
}
@@ -1506,9 +1457,7 @@ open_client_SSL(PGconn *conn)
{
char *err = SSLerrmessage(ecode);
- appendPQExpBuffer(&conn->errorMessage,
- libpq_gettext("SSL error: %s\n"),
- err);
+ libpq_append_conn_error(conn, "SSL error: %s", err);
SSLerrfree(err);
switch (ERR_GET_REASON(ecode))
{
@@ -1539,8 +1488,7 @@ open_client_SSL(PGconn *conn)
case SSL_R_VERSION_TOO_HIGH:
case SSL_R_VERSION_TOO_LOW:
#endif
- appendPQExpBuffer(&conn->errorMessage,
- libpq_gettext("This may indicate that the server does not support any SSL protocol version between %s and %s.\n"),
+ libpq_append_conn_error(conn, "This may indicate that the server does not support any SSL protocol version between %s and %s.",
conn->ssl_min_protocol_version ?
conn->ssl_min_protocol_version :
MIN_OPENSSL_TLS_VERSION,
@@ -1556,9 +1504,7 @@ open_client_SSL(PGconn *conn)
}
default:
- appendPQExpBuffer(&conn->errorMessage,
- libpq_gettext("unrecognized SSL error code: %d\n"),
- err);
+ libpq_append_conn_error(conn, "unrecognized SSL error code: %d", err);
pgtls_close(conn);
return PGRES_POLLING_FAILED;
}
@@ -1575,9 +1521,7 @@ open_client_SSL(PGconn *conn)
{
char *err = SSLerrmessage(ERR_get_error());
- appendPQExpBuffer(&conn->errorMessage,
- libpq_gettext("certificate could not be obtained: %s\n"),
- err);
+ libpq_append_conn_error(conn, "certificate could not be obtained: %s", err);
SSLerrfree(err);
pgtls_close(conn);
return PGRES_POLLING_FAILED;