From 662bc1d19101865f91c6ed4a98c0f13f3757e1c7 Mon Sep 17 00:00:00 2001 From: Peter Eisentraut Date: Thu, 14 Jul 2022 22:08:53 +0200 Subject: [PATCH v5 2/2] squash! Log details for client certificate failures --- src/backend/libpq/be-secure-openssl.c | 29 +++++---------------------- 1 file changed, 5 insertions(+), 24 deletions(-) diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c index 8d5eee0d16..2147524ffc 100644 --- a/src/backend/libpq/be-secure-openssl.c +++ b/src/backend/libpq/be-secure-openssl.c @@ -81,13 +81,7 @@ static bool ssl_is_server_start; static int ssl_protocol_version_to_openssl(int v); static const char *ssl_protocol_version_to_string(int v); -/* Helpers for storing application data in the SSL handle */ -struct pg_ex_data -{ - /* to bubble errors out of callbacks */ - char *errdetail; -}; -static int ssl_ex_index; +static const char *cert_errdetail; /* ------------------------------------------------------------ */ /* Public interface */ @@ -110,7 +104,6 @@ be_tls_init(bool isServerStart) SSL_library_init(); SSL_load_error_strings(); #endif - ssl_ex_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL); SSL_initialized = true; } @@ -422,7 +415,6 @@ be_tls_open_server(Port *port) int err; int waitfor; unsigned long ecode; - struct pg_ex_data exdata = {0}; bool give_proto_hint; Assert(!port->ssl); @@ -455,14 +447,6 @@ be_tls_open_server(Port *port) SSLerrmessage(ERR_get_error())))); return -1; } - if (!SSL_set_ex_data(port->ssl, ssl_ex_index, &exdata)) - { - ereport(COMMERROR, - (errcode(ERRCODE_PROTOCOL_VIOLATION), - errmsg("could not attach application data to SSL handle: %s", - SSLerrmessage(ERR_get_error())))); - return -1; - } port->ssl_in_use = true; @@ -561,7 +545,7 @@ be_tls_open_server(Port *port) (errcode(ERRCODE_PROTOCOL_VIOLATION), errmsg("could not accept SSL connection: %s", SSLerrmessage(ecode)), - exdata.errdetail ? errdetail_internal("%s", exdata.errdetail) : 0, + cert_errdetail ? errdetail_internal("%s", cert_errdetail) : 0, give_proto_hint ? errhint("This may indicate that the client does not support any SSL protocol version between %s and %s.", ssl_min_protocol_version ? @@ -570,6 +554,7 @@ be_tls_open_server(Port *port) ssl_max_protocol_version ? ssl_protocol_version_to_string(ssl_max_protocol_version) : MAX_OPENSSL_TLS_VERSION) : 0)); + cert_errdetail = NULL; break; case SSL_ERROR_ZERO_RETURN: ereport(COMMERROR, @@ -1145,12 +1130,10 @@ truncate_cert_name(char *name) static int verify_cb(int ok, X509_STORE_CTX *ctx) { - SSL *ssl; int depth; int errcode; const char *errstring; StringInfoData str; - struct pg_ex_data *exdata; X509 *cert; if (ok) @@ -1160,7 +1143,6 @@ verify_cb(int ok, X509_STORE_CTX *ctx) } /* Pull all the information we have on the verification failure. */ - ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx()); depth = X509_STORE_CTX_get_error_depth(ctx); errcode = X509_STORE_CTX_get_error(ctx); errstring = X509_verify_cert_error_string(errcode); @@ -1212,9 +1194,8 @@ verify_cb(int ok, X509_STORE_CTX *ctx) pfree(subject); } - /* Store our detail message in SSL application data, to be logged later. */ - exdata = SSL_get_ex_data(ssl, ssl_ex_index); - exdata->errdetail = str.data; + /* Store our detail message to be logged later. */ + cert_errdetail = str.data; return ok; } -- 2.37.0