From bb6264791aab6a3e8150704fc8f1c8774c27018d Mon Sep 17 00:00:00 2001
From: David Zhang
Date: Wed, 6 Mar 2024 15:51:11 -0800
Subject: [PATCH] improve ssl files error code
---
 src/backend/libpq/be-secure-common.c | 19 +++++++++++++++++++
 src/backend/libpq/be-secure-openssl.c | 10 ++++++++++
 src/include/libpq/libpq.h | 1 +
 3 files changed, 30 insertions(+)
diff --git a/src/backend/libpq/be-secure-common.c b/src/backend/libpq/be-secure-common.c
index 0582606192..01d567cbfc 100644
--- a/src/backend/libpq/be-secure-common.c
+++ b/src/backend/libpq/be-secure-common.c
@@ -102,7 +102,26 @@ error:
 return len;
 }
+/*
+ * Check SSL certificate files.
+ */
+bool
+check_ssl_file(const char *ssl_file, bool isServerStart)
+{
+ int loglevel = isServerStart ? FATAL : LOG;
+ struct stat buf;
+
+ if (stat(ssl_file, &buf) != 0)
+ {
+ ereport(loglevel,
+ (errcode_for_file_access(),
+ errmsg("could not access certificate file \"%s\": %m",
+ ssl_file)));
+ return false;
+ }
+ return true;
+}
 /*
 * Check permissions for SSL key files.
 */
diff --git a/src/backend/libpq/be-secure-openssl.c b/src/backend/libpq/be-secure-openssl.c
index e12b1cc9e3..c5d58545d9 100644
--- a/src/backend/libpq/be-secure-openssl.c
+++ b/src/backend/libpq/be-secure-openssl.c
@@ -144,6 +144,10 @@ be_tls_init(bool isServerStart)
 /*
 * Load and verify server's certificate and private key
 */
+
+ if (!check_ssl_file(ssl_cert_file, isServerStart))
+ goto error;
+
 if (SSL_CTX_use_certificate_chain_file(context, ssl_cert_file) != 1)
 {
 ereport(isServerStart ? FATAL : LOG,
@@ -297,6 +301,9 @@ be_tls_init(bool isServerStart)
 {
 STACK_OF(X509_NAME) * root_cert_list;
+ if (!check_ssl_file(ssl_ca_file, isServerStart))
+ goto error;
+
 if (SSL_CTX_load_verify_locations(context, ssl_ca_file, NULL) != 1 ||
 (root_cert_list = SSL_load_client_CA_file(ssl_ca_file)) == NULL)
 {
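Review bot: The `stat()` test in `check_ssl_file` only proves that the path resolves, so a file the server cannot read, or a directory configured by mistake, still passes and ends in the generic OpenSSL load error this patch wants to replace. The check is also separate from the later open done by OpenSSL, so it is advisory only and the existing load-failure reports in `be_tls_init` have to stay. The message hard-codes "certificate file" although the later hunks call the function for `ssl_ca_file` and `ssl_crl_file`; a neutral text such as `errmsg("could not access file \"%s\": %m", ssl_file)` would not mislead an operator who is checking a CRL path. The header comment should state the contract, for example `Pre-check that an SSL file can be stat'ed so the log carries errno; not a substitute for checking the load result.`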
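Review bot: The new `check_ssl_file(ssl_cert_file, isServerStart)` call in the `@@ -144,6 +144,10 @@` hunk is separated from the "Load and verify server's certificate and private key" comment by an added blank line and has no comment of its own, so a reader cannot tell why the file is stat'ed just before OpenSSL opens it. I would drop the blank line after the block comment and add `/* stat first so a missing file is logged with errno instead of an OpenSSL error string */` above the call. The same comment fits the `ssl_ca_file` call in the following hunk. `be_tls_init` starts and ends outside both hunks, so what the `error` label does on the reload path is not visible here.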
@@ -336,6 +343,9 @@ be_tls_init(bool isServerStart)
 {
 X509_STORE *cvstore = SSL_CTX_get_cert_store(context);
+ if (ssl_crl_file[0] && !check_ssl_file(ssl_crl_file, isServerStart))
+ goto error;
+
 if (cvstore)
 {
 /* Set the flags to check against the complete CRL chain */
diff --git a/src/include/libpq/libpq.h b/src/include/libpq/libpq.h
index 6171a0d17a..a491f0caa9 100644
--- a/src/include/libpq/libpq.h
+++ b/src/include/libpq/libpq.h
@@ -140,5 +140,6 @@ extern int run_ssl_passphrase_command(const char *prompt, bool is_server_start,
 char *buf, int size);
 extern bool check_ssl_key_file_permissions(const char *ssl_key_file,
 bool isServerStart);
+extern bool check_ssl_file(const char *ssl_file, bool isServerStart);
 #endif /* LIBPQ_H */
-- 
2.34.1
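Review bot: The `ssl_crl_file[0] &&` guard in the `@@ -336,6 +343,9 @@` hunk implies this block can be entered with no CRL file set, presumably for a CRL directory setting tested in the enclosing condition outside the hunk; if so, that path still gets only the generic OpenSSL error and deserves the same pre-check or a note saying why it is skipped. Jumping to `error` when a configured CRL is missing looks like the right fail-closed choice, since the alternative would be a TLS context built without the revocation data the administrator asked for. A comment would keep a later edit from softening it: `/* A configured but missing CRL must fail the (re)load rather than continue without revocation data. */`.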