4 files changed, 141 insertions, 14 deletions
diff --git a/src/interfaces/libpq/fe-connect.c b/src/interfaces/libpq/fe-connect.c
index 09eb79812ac..2a2b10d5a29 100644
--- a/src/interfaces/libpq/fe-connect.c
+++ b/src/interfaces/libpq/fe-connect.c
@@ -201,6 +201,10 @@ static const internalPQconninfoOption PQconninfoOptions[] = {
 		"Database-Service", "", 20,
 	offsetof(struct pg_conn, pgservice)},
 
+	{"servicefile", "PGSERVICEFILE", NULL, NULL,
+		"Database-Service-File", "", 64,
+	offsetof(struct pg_conn, pgservicefile)},
+
 	{"user", "PGUSER", NULL, NULL,
 		"Database-User", "", 20,
 	offsetof(struct pg_conn, pguser)},
@@ -5062,6 +5066,7 @@ freePGconn(PGconn *conn)
 	free(conn->dbName);
 	free(conn->replication);
 	free(conn->pgservice);
+	free(conn->pgservicefile);
 	free(conn->pguser);
 	if (conn->pgpass)
 	{
@@ -5914,6 +5919,7 @@ static int
 parseServiceInfo(PQconninfoOption *options, PQExpBuffer errorMessage)
 {
 	const char *service = conninfo_getval(options, "service");
+	const char *service_fname = conninfo_getval(options, "servicefile");
 	char		serviceFile[MAXPGPATH];
 	char	   *env;
 	bool		group_found = false;
@@ -5933,10 +5939,13 @@ parseServiceInfo(PQconninfoOption *options, PQExpBuffer errorMessage)
 		return 0;
 
 	/*
-	 * Try PGSERVICEFILE if specified, else try ~/.pg_service.conf (if that
-	 * exists).
+	 * First, try the "servicefile" option in connection string.  Then, try
+	 * the PGSERVICEFILE environment variable.  Finally, check
+	 * ~/.pg_service.conf (if that exists).
 	 */
-	if ((env = getenv("PGSERVICEFILE")) != NULL)
+	if (service_fname != NULL)
+		strlcpy(serviceFile, service_fname, sizeof(serviceFile));
+	else if ((env = getenv("PGSERVICEFILE")) != NULL)
 		strlcpy(serviceFile, env, sizeof(serviceFile));
 	else
 	{
@@ -6092,7 +6101,17 @@ parseServiceFile(const char *serviceFile,
 				if (strcmp(key, "service") == 0)
 				{
 					libpq_append_error(errorMessage,
-									   "nested service specifications not supported in service file \"%s\", line %d",
+									   "nested \"service\" specifications not supported in service file \"%s\", line %d",
+									   serviceFile,
+									   linenr);
+					result = 3;
+					goto exit;
+				}
+
+				if (strcmp(key, "servicefile") == 0)
+				{
+					libpq_append_error(errorMessage,
+									   "nested \"servicefile\" specifications not supported in service file \"%s\", line %d",
 									   serviceFile,
 									   linenr);
 					result = 3;
@@ -6135,6 +6154,33 @@ parseServiceFile(const char *serviceFile,
 	}
 
 exit:
+
+	/*
+	 * If a service has been successfully found, set the "servicefile" option
+	 * if not already set.  This matters when we use a default service file or
+	 * PGSERVICEFILE, where we want to be able track the value.
+	 */
+	if (*group_found && result == 0)
+	{
+		for (i = 0; options[i].keyword; i++)
+		{
+			if (strcmp(options[i].keyword, "servicefile") != 0)
+				continue;
+
+			/* If value is already set, nothing to do */
+			if (options[i].val != NULL)
+				break;
+
+			options[i].val = strdup(serviceFile);
+			if (options[i].val == NULL)
+			{
+				libpq_append_error(errorMessage, "out of memory");
+				result = 3;
+			}
+			break;
+		}
+	}
+
 	fclose(f);
 
 	return result;
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index b08b3a6901b..51dd7b9fec0 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -693,34 +693,35 @@ static unsigned char alpn_protos[] = PG_ALPN_PROTOCOL_VECTOR;
  * purposes.  The file will be written using the NSS keylog format.  LibreSSL
  * 3.5 introduced stub function to set the callback for OpenSSL compatibility
  * but the callback is never invoked.
+ *
+ * Error messages added to the connection object wont be printed anywhere if
+ * the connection is successful.  Errors in processing keylogging are printed
+ * to stderr to overcome this.
  */
 static void
 SSL_CTX_keylog_cb(const SSL *ssl, const char *line)
 {
 	int			fd;
-	mode_t		old_umask;
 	ssize_t		rc;
 	PGconn	   *conn = SSL_get_app_data(ssl);
 
 	if (conn == NULL)
 		return;
 
-	old_umask = umask(077);
 	fd = open(conn->sslkeylogfile, O_WRONLY | O_APPEND | O_CREAT, 0600);
-	umask(old_umask);
 
 	if (fd == -1)
 	{
-		libpq_append_conn_error(conn, "could not open SSL key logging file \"%s\": %s",
-								conn->sslkeylogfile, pg_strerror(errno));
+		fprintf(stderr, libpq_gettext("WARNING: could not open SSL key logging file \"%s\": %m\n"),
+				conn->sslkeylogfile);
 		return;
 	}
 
 	/* line is guaranteed by OpenSSL to be NUL terminated */
 	rc = write(fd, line, strlen(line));
 	if (rc < 0)
-		libpq_append_conn_error(conn, "could not write to SSL key logging file \"%s\": %s",
-								conn->sslkeylogfile, pg_strerror(errno));
+		fprintf(stderr, libpq_gettext("WARNING: could not write to SSL key logging file \"%s\": %m\n"),
+				conn->sslkeylogfile);
 	else
 		rc = write(fd, "\n", 1);
 	(void) rc;					/* silence compiler warnings */
@@ -1044,6 +1045,10 @@ initialize_SSL(PGconn *conn)
 	}
 	conn->ssl_in_use = true;
 
+	/*
+	 * If SSL key logging is requested, set up the callback if a compatible
+	 * version of OpenSSL is used and libpq was compiled to support it.
+	 */
 	if (conn->sslkeylogfile && strlen(conn->sslkeylogfile) > 0)
 	{
 #ifdef HAVE_SSL_CTX_SET_KEYLOG_CALLBACK
@@ -1057,7 +1062,6 @@ initialize_SSL(PGconn *conn)
 #endif
 	}
 
-
 	/*
 	 * SSL contexts are reference counted by OpenSSL. We can free it as soon
 	 * as we have created the SSL object, and it will stick around for as long
diff --git a/src/interfaces/libpq/libpq-int.h b/src/interfaces/libpq/libpq-int.h
index a6cfd7f5c9d..70c28f2ffca 100644
--- a/src/interfaces/libpq/libpq-int.h
+++ b/src/interfaces/libpq/libpq-int.h
@@ -389,6 +389,8 @@ struct pg_conn
 	char	   *dbName;			/* database name */
 	char	   *replication;	/* connect as the replication standby? */
 	char	   *pgservice;		/* Postgres service, if any */
+	char	   *pgservicefile;	/* path to a service file containing
+								 * service(s) */
 	char	   *pguser;			/* Postgres username and password, if any */
 	char	   *pgpass;
 	char	   *pgpassfile;		/* path to a file containing password(s) */
diff --git a/src/interfaces/libpq/t/006_service.pl b/src/interfaces/libpq/t/006_service.pl
index d896558a6cc..797e6232b8f 100644
--- a/src/interfaces/libpq/t/006_service.pl
+++ b/src/interfaces/libpq/t/006_service.pl
@@ -53,6 +53,13 @@ copy($srvfile_valid, $srvfile_nested)
   or die "Could not copy $srvfile_valid to $srvfile_nested: $!";
 append_to_file($srvfile_nested, 'service=invalid_srv' . $newline);
 
+# Service file with nested "servicefile" defined.
+my $srvfile_nested_2 = "$td/pg_service_nested_2.conf";
+copy($srvfile_valid, $srvfile_nested_2)
+  or die "Could not copy $srvfile_valid to $srvfile_nested_2: $!";
+append_to_file($srvfile_nested_2,
+	'servicefile=' . $srvfile_default . $newline);
+
 # Set the fallback directory lookup of the service file to the temporary
 # directory of this test.  PGSYSCONFDIR is used if the service file
 # defined in PGSERVICEFILE cannot be found, or when a service file is
@@ -158,9 +165,77 @@ local $ENV{PGSERVICEFILE} = "$srvfile_empty";
 
 	$dummy_node->connect_fails(
 		'service=my_srv',
-		'connection with nested service file',
+		'connection with "service" in nested service file',
+		expected_stderr =>
+		  qr/nested "service" specifications not supported in service file/);
+
+	local $ENV{PGSERVICEFILE} = $srvfile_nested_2;
+
+	$dummy_node->connect_fails(
+		'service=my_srv',
+		'connection with "servicefile" in nested service file',
 		expected_stderr =>
-		  qr/nested service specifications not supported in service file/);
+		  qr/nested "servicefile" specifications not supported in service file/
+	);
+}
+
+# Properly escape backslashes in the path, to ensure the generation of
+# correct connection strings.
+my $srvfile_win_cared = $srvfile_valid;
+$srvfile_win_cared =~ s/\\/\\\\/g;
+
+# Checks that the "servicefile" option works as expected
+{
+	$dummy_node->connect_ok(
+		q{service=my_srv servicefile='} . $srvfile_win_cared . q{'},
+		'connection with valid servicefile in connection string',
+		sql => "SELECT 'connect3_1'",
+		expected_stdout => qr/connect3_1/);
+
+	# Encode slashes and backslash
+	my $encoded_srvfile = $srvfile_valid =~ s{([\\/])}{
+		$1 eq '/' ? '%2F' : '%5C'
+	}ger;
+
+	# Additionally encode a colon in servicefile path of Windows
+	$encoded_srvfile =~ s/:/%3A/g;
+
+	$dummy_node->connect_ok(
+		'postgresql:///?service=my_srv&servicefile=' . $encoded_srvfile,
+		'connection with valid servicefile in URI',
+		sql => "SELECT 'connect3_2'",
+		expected_stdout => qr/connect3_2/);
+
+	local $ENV{PGSERVICE} = 'my_srv';
+	$dummy_node->connect_ok(
+		q{servicefile='} . $srvfile_win_cared . q{'},
+		'connection with PGSERVICE and servicefile in connection string',
+		sql => "SELECT 'connect3_3'",
+		expected_stdout => qr/connect3_3/);
+
+	$dummy_node->connect_ok(
+		'postgresql://?servicefile=' . $encoded_srvfile,
+		'connection with PGSERVICE and servicefile in URI',
+		sql => "SELECT 'connect3_4'",
+		expected_stdout => qr/connect3_4/);
+}
+
+# Check that the "servicefile" option takes priority over the PGSERVICEFILE
+# environment variable.
+{
+	local $ENV{PGSERVICEFILE} = 'non-existent-file.conf';
+
+	$dummy_node->connect_fails(
+		'service=my_srv',
+		'connection with invalid PGSERVICEFILE',
+		expected_stderr =>
+		  qr/service file "non-existent-file\.conf" not found/);
+
+	$dummy_node->connect_ok(
+		q{service=my_srv servicefile='} . $srvfile_win_cared . q{'},
+		'connection with both servicefile and PGSERVICEFILE',
+		sql => "SELECT 'connect4_1'",
+		expected_stdout => qr/connect4_1/);
 }
 
 $node->teardown_node;