Fix assorted error-cleanup bugs in SSL min/max protocol version code.
The error exits added to initialize_SSL() failed to clean up the
partially-built SSL_context, and some of them also leaked the
result of SSLerrmessage(). Make them match other error-handling
cases in that function.
The error exits added to connectOptions2() failed to set conn->status
like every other error exit in that function.
In passing, make the SSL_get_peer_certificate() error exit look more
like all the other calls of SSLerrmessage().
Oversights in commit ff8ca5fad. Coverity whined about leakage of the
SSLerrmessage() results; I noted the rest in manual code review.
parent
1fd687a035
commit
6148e2b9a6
|
@ -1306,6 +1306,7 @@ connectOptions2(PGconn *conn)
|
||||||
*/
|
*/
|
||||||
if (!sslVerifyProtocolVersion(conn->sslminprotocolversion))
|
if (!sslVerifyProtocolVersion(conn->sslminprotocolversion))
|
||||||
{
|
{
|
||||||
|
conn->status = CONNECTION_BAD;
|
||||||
printfPQExpBuffer(&conn->errorMessage,
|
printfPQExpBuffer(&conn->errorMessage,
|
||||||
libpq_gettext("invalid sslminprotocolversion value: \"%s\"\n"),
|
libpq_gettext("invalid sslminprotocolversion value: \"%s\"\n"),
|
||||||
conn->sslminprotocolversion);
|
conn->sslminprotocolversion);
|
||||||
|
@ -1313,6 +1314,7 @@ connectOptions2(PGconn *conn)
|
||||||
}
|
}
|
||||||
if (!sslVerifyProtocolVersion(conn->sslmaxprotocolversion))
|
if (!sslVerifyProtocolVersion(conn->sslmaxprotocolversion))
|
||||||
{
|
{
|
||||||
|
conn->status = CONNECTION_BAD;
|
||||||
printfPQExpBuffer(&conn->errorMessage,
|
printfPQExpBuffer(&conn->errorMessage,
|
||||||
libpq_gettext("invalid sslmaxprotocolversion value: \"%s\"\n"),
|
libpq_gettext("invalid sslmaxprotocolversion value: \"%s\"\n"),
|
||||||
conn->sslmaxprotocolversion);
|
conn->sslmaxprotocolversion);
|
||||||
|
@ -1329,6 +1331,7 @@ connectOptions2(PGconn *conn)
|
||||||
if (!sslVerifyProtocolRange(conn->sslminprotocolversion,
|
if (!sslVerifyProtocolRange(conn->sslminprotocolversion,
|
||||||
conn->sslmaxprotocolversion))
|
conn->sslmaxprotocolversion))
|
||||||
{
|
{
|
||||||
|
conn->status = CONNECTION_BAD;
|
||||||
printfPQExpBuffer(&conn->errorMessage,
|
printfPQExpBuffer(&conn->errorMessage,
|
||||||
libpq_gettext("invalid SSL protocol version range"));
|
libpq_gettext("invalid SSL protocol version range"));
|
||||||
return false;
|
return false;
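Review bot: The range-check message in the third hunk (-1329) is the only one of the three without a trailing newline: `libpq_gettext("invalid SSL protocol version range")`, where the two hunks above end their strings in `\n`. Since the commit aligns these exits with the rest of connectOptions2(), the string would be more consistent as `libpq_gettext("invalid SSL protocol version range\n")`. The added `conn->status = CONNECTION_BAD;` lines look right as far as the hunks show; a rejected TLS version bound presumably now leaves the connection marked failed rather than signalling only through the false return. connectOptions2() starts and ends outside these hunks, so how callers consume the status and the return value is not visible here.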
|
||||||
|
|
|
@ -854,6 +854,7 @@ initialize_SSL(PGconn *conn)
|
||||||
printfPQExpBuffer(&conn->errorMessage,
|
printfPQExpBuffer(&conn->errorMessage,
|
||||||
libpq_gettext("invalid value \"%s\" for minimum version of SSL protocol\n"),
|
libpq_gettext("invalid value \"%s\" for minimum version of SSL protocol\n"),
|
||||||
conn->sslminprotocolversion);
|
conn->sslminprotocolversion);
|
||||||
|
SSL_CTX_free(SSL_context);
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -864,6 +865,8 @@ initialize_SSL(PGconn *conn)
|
||||||
printfPQExpBuffer(&conn->errorMessage,
|
printfPQExpBuffer(&conn->errorMessage,
|
||||||
libpq_gettext("could not set minimum version of SSL protocol: %s\n"),
|
libpq_gettext("could not set minimum version of SSL protocol: %s\n"),
|
||||||
err);
|
err);
|
||||||
|
SSLerrfree(err);
|
||||||
|
SSL_CTX_free(SSL_context);
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -880,6 +883,7 @@ initialize_SSL(PGconn *conn)
|
||||||
printfPQExpBuffer(&conn->errorMessage,
|
printfPQExpBuffer(&conn->errorMessage,
|
||||||
libpq_gettext("invalid value \"%s\" for maximum version of SSL protocol\n"),
|
libpq_gettext("invalid value \"%s\" for maximum version of SSL protocol\n"),
|
||||||
conn->sslmaxprotocolversion);
|
conn->sslmaxprotocolversion);
|
||||||
|
SSL_CTX_free(SSL_context);
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -890,6 +894,8 @@ initialize_SSL(PGconn *conn)
|
||||||
printfPQExpBuffer(&conn->errorMessage,
|
printfPQExpBuffer(&conn->errorMessage,
|
||||||
libpq_gettext("could not set maximum version of SSL protocol: %s\n"),
|
libpq_gettext("could not set maximum version of SSL protocol: %s\n"),
|
||||||
err);
|
err);
|
||||||
|
SSLerrfree(err);
|
||||||
|
SSL_CTX_free(SSL_context);
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -1321,9 +1327,7 @@ open_client_SSL(PGconn *conn)
|
||||||
conn->peer = SSL_get_peer_certificate(conn->ssl);
|
conn->peer = SSL_get_peer_certificate(conn->ssl);
|
||||||
if (conn->peer == NULL)
|
if (conn->peer == NULL)
|
||||||
{
|
{
|
||||||
char *err;
|
char *err = SSLerrmessage(ERR_get_error());
|
||||||
|
|
||||||
err = SSLerrmessage(ERR_get_error());
|
|
||||||
|
|
||||||
printfPQExpBuffer(&conn->errorMessage,
|
printfPQExpBuffer(&conn->errorMessage,
|
||||||
libpq_gettext("certificate could not be obtained: %s\n"),
|
libpq_gettext("certificate could not be obtained: %s\n"),
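Review bot: Every error exit in the initialize_SSL() hunks (-854, -864, -880, -890) now has to repeat `SSL_CTX_free(SSL_context);` by hand, and two of them also `SSLerrfree(err);`, which is the same pattern that was missed when these exits were first added. A short comment at the point where the context is created, for example `/* every error return below must SSL_CTX_free(SSL_context) */`, would make that invariant visible to whoever adds the next exit. A shared cleanup label would enforce it, but may not match the function's existing style. In the open_client_SSL() hunk the new `char *err = SSLerrmessage(ERR_get_error());` is fine, but the hunk ends before the matching `SSLerrfree(err)`, so confirm it is still there. Both functions start and end outside the visible hunks.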
|
||||||
|
|