summaryrefslogtreecommitdiffstats
path: root/src/interfaces/libpq/fe-secure-openssl.c
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--src/interfaces/libpq/fe-secure-openssl.c45
1 files changed, 21 insertions, 24 deletions
diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index 25569e6..a44d7d3 100644
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -94,12 +94,7 @@ static bool ssl_lib_initialized = false;
#ifdef ENABLE_THREAD_SAFETY
static long crypto_open_connections = 0;
-#ifndef WIN32
static pthread_mutex_t ssl_config_mutex = PTHREAD_MUTEX_INITIALIZER;
-#else
-static pthread_mutex_t ssl_config_mutex = NULL;
-static long win32_ssl_create_mutex = 0;
-#endif
#endif /* ENABLE_THREAD_SAFETY */
static PQsslKeyPassHook_OpenSSL_type PQsslKeyPassHook = NULL;
@@ -783,20 +778,6 @@ int
pgtls_init(PGconn *conn, bool do_ssl, bool do_crypto)
{
#ifdef ENABLE_THREAD_SAFETY
-#ifdef WIN32
- /* Also see similar code in fe-connect.c, default_threadlock() */
- if (ssl_config_mutex == NULL)
- {
- while (InterlockedExchange(&win32_ssl_create_mutex, 1) == 1)
- /* loop, another thread own the lock */ ;
- if (ssl_config_mutex == NULL)
- {
- if (pthread_mutex_init(&ssl_config_mutex, NULL))
- return -1;
- }
- InterlockedExchange(&win32_ssl_create_mutex, 0);
- }
-#endif
if (pthread_mutex_lock(&ssl_config_mutex))
return -1;
@@ -887,7 +868,6 @@ static void
destroy_ssl_system(void)
{
#if defined(ENABLE_THREAD_SAFETY) && defined(HAVE_CRYPTO_LOCK)
- /* Mutex is created in pgtls_init() */
if (pthread_mutex_lock(&ssl_config_mutex))
return;
@@ -935,7 +915,6 @@ initialize_SSL(PGconn *conn)
bool have_homedir;
bool have_cert;
bool have_rootcert;
- EVP_PKEY *pkey = NULL;
/*
* We'll need the home directory if any of the relevant parameters are
@@ -1285,6 +1264,7 @@ initialize_SSL(PGconn *conn)
/* Colon, but not in second character, treat as engine:key */
char *engine_str = strdup(conn->sslkey);
char *engine_colon;
+ EVP_PKEY *pkey;
if (engine_str == NULL)
{
@@ -1695,10 +1675,11 @@ pgtls_close(PGconn *conn)
* Obtain reason string for passed SSL errcode
*
* ERR_get_error() is used by caller to get errcode to pass here.
+ * The result must be freed after use, using SSLerrfree.
*
- * Some caution is needed here since ERR_reason_error_string will
- * return NULL if it doesn't recognize the error code. We don't
- * want to return NULL ever.
+ * Some caution is needed here since ERR_reason_error_string will return NULL
+ * if it doesn't recognize the error code, or (in OpenSSL >= 3) if the code
+ * represents a system errno value. We don't want to return NULL ever.
*/
static char ssl_nomem[] = "out of memory allocating error description";
@@ -1724,6 +1705,22 @@ SSLerrmessage(unsigned long ecode)
strlcpy(errbuf, errreason, SSL_ERR_LEN);
return errbuf;
}
+
+ /*
+ * In OpenSSL 3.0.0 and later, ERR_reason_error_string randomly refuses to
+ * map system errno values. We can cover that shortcoming with this bit
+ * of code. Older OpenSSL versions don't have the ERR_SYSTEM_ERROR macro,
+ * but that's okay because they don't have the shortcoming either.
+ */
+#ifdef ERR_SYSTEM_ERROR
+ if (ERR_SYSTEM_ERROR(ecode))
+ {
+ strlcpy(errbuf, strerror(ERR_GET_REASON(ecode)), SSL_ERR_LEN);
+ return errbuf;
+ }
+#endif
+
+ /* No choice but to report the numeric ecode */
snprintf(errbuf, SSL_ERR_LEN, libpq_gettext("SSL error code %lu"), ecode);
return errbuf;
}