Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                
Skip to content

Commit 453c468

Browse files
committed
Cope with a deficiency in OpenSSL 3.x's error reporting.
In OpenSSL 3.0.0 and later, ERR_reason_error_string randomly refuses to provide a string for error codes representing system errno values (e.g., "No such file or directory"). There is a poorly-documented way to extract the errno from the SSL error code in this case, so do that and apply strerror, rather than falling back to reporting the error code's numeric value as we were previously doing. Problem reported by David Zhang, although this is not his proposed patch; it's instead based on a suggestion from Heikki Linnakangas. Back-patch to all supported branches, since any of them are likely to be used with recent OpenSSL. Discussion: https://postgr.es/m/b6fb018b-f05c-4afd-abd3-318c649faf18@highgo.ca
1 parent d61a6ca commit 453c468

File tree

2 files changed

+36
-6
lines changed

2 files changed

+36
-6
lines changed

src/backend/libpq/be-secure-openssl.c

+16-3
Original file line numberDiff line numberDiff line change
@@ -1348,9 +1348,9 @@ initialize_ecdh(SSL_CTX *context, bool isServerStart)
13481348
*
13491349
* ERR_get_error() is used by caller to get errcode to pass here.
13501350
*
1351-
* Some caution is needed here since ERR_reason_error_string will
1352-
* return NULL if it doesn't recognize the error code. We don't
1353-
* want to return NULL ever.
1351+
* Some caution is needed here since ERR_reason_error_string will return NULL
1352+
* if it doesn't recognize the error code, or (in OpenSSL >= 3) if the code
1353+
* represents a system errno value. We don't want to return NULL ever.
13541354
*/
13551355
static const char *
13561356
SSLerrmessage(unsigned long ecode)
@@ -1363,6 +1363,19 @@ SSLerrmessage(unsigned long ecode)
13631363
errreason = ERR_reason_error_string(ecode);
13641364
if (errreason != NULL)
13651365
return errreason;
1366+
1367+
/*
1368+
* In OpenSSL 3.0.0 and later, ERR_reason_error_string randomly refuses to
1369+
* map system errno values. We can cover that shortcoming with this bit
1370+
* of code. Older OpenSSL versions don't have the ERR_SYSTEM_ERROR macro,
1371+
* but that's okay because they don't have the shortcoming either.
1372+
*/
1373+
#ifdef ERR_SYSTEM_ERROR
1374+
if (ERR_SYSTEM_ERROR(ecode))
1375+
return strerror(ERR_GET_REASON(ecode));
1376+
#endif
1377+
1378+
/* No choice but to report the numeric ecode */
13661379
snprintf(errbuf, sizeof(errbuf), _("SSL error code %lu"), ecode);
13671380
return errbuf;
13681381
}

src/interfaces/libpq/fe-secure-openssl.c

+20-3
Original file line numberDiff line numberDiff line change
@@ -1662,10 +1662,11 @@ pgtls_close(PGconn *conn)
16621662
* Obtain reason string for passed SSL errcode
16631663
*
16641664
* ERR_get_error() is used by caller to get errcode to pass here.
1665+
* The result must be freed after use, using SSLerrfree.
16651666
*
1666-
* Some caution is needed here since ERR_reason_error_string will
1667-
* return NULL if it doesn't recognize the error code. We don't
1668-
* want to return NULL ever.
1667+
* Some caution is needed here since ERR_reason_error_string will return NULL
1668+
* if it doesn't recognize the error code, or (in OpenSSL >= 3) if the code
1669+
* represents a system errno value. We don't want to return NULL ever.
16691670
*/
16701671
static char ssl_nomem[] = "out of memory allocating error description";
16711672

@@ -1691,6 +1692,22 @@ SSLerrmessage(unsigned long ecode)
16911692
strlcpy(errbuf, errreason, SSL_ERR_LEN);
16921693
return errbuf;
16931694
}
1695+
1696+
/*
1697+
* In OpenSSL 3.0.0 and later, ERR_reason_error_string randomly refuses to
1698+
* map system errno values. We can cover that shortcoming with this bit
1699+
* of code. Older OpenSSL versions don't have the ERR_SYSTEM_ERROR macro,
1700+
* but that's okay because they don't have the shortcoming either.
1701+
*/
1702+
#ifdef ERR_SYSTEM_ERROR
1703+
if (ERR_SYSTEM_ERROR(ecode))
1704+
{
1705+
strlcpy(errbuf, strerror(ERR_GET_REASON(ecode)), SSL_ERR_LEN);
1706+
return errbuf;
1707+
}
1708+
#endif
1709+
1710+
/* No choice but to report the numeric ecode */
16941711
snprintf(errbuf, SSL_ERR_LEN, libpq_gettext("SSL error code %lu"), ecode);
16951712
return errbuf;
16961713
}

0 commit comments

Comments
 (0)