Re: [HACKERS] [COMMITTERS] pgsql: Use BIO functions to avoid passing FILE * pointers to OpenSSL

Tue, 02 Oct 2007 02:19:46 -0700 

On Tue, Oct 02, 2007 at 08:42:28AM +0200, Magnus Hagander wrote:
> > > http://www.openssl.org/docs/crypto/ERR_set_mark.html
> > > says
> > > ERR_set_mark() and ERR_pop_to_mark() were added in OpenSSL 0.9.8.
> > 
> > > Ooops.  Back to the drawing board.
> > 
> > To get the buildfarm going again, I applied a patch that turns these
> > calls into no-ops if the local OpenSSL hasn't got the functions.
> > I'm not entirely sure if the net result is a regression for pre-0.9.8
> > OpenSSLs or not --- Magnus, any thoughts on that?
> > 
> 
> I thought of a compromise. We can put back a check if the file exists without 
> using bio. That would cover some 99 percent of the messages coming out of 
> that 
> routine, I bet. And things would still work correct in 0.9.8.

Here's an example of what I meant.

I think this can be reasonable - OpenSSL 0.9.8 is from 2005 after all, so
it's not like we're requiring something extremely new..

//Magnus


Index: fe-secure.c
===================================================================
RCS file: /cvsroot/pgsql/src/interfaces/libpq/fe-secure.c,v
retrieving revision 1.96
diff -c -r1.96 fe-secure.c
*** fe-secure.c 2 Oct 2007 00:25:20 -0000       1.96
--- fe-secure.c 2 Oct 2007 09:04:16 -0000
***************
*** 607,612 ****
--- 607,626 ----
  
        /* read the user certificate */
        snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, USER_CERT_FILE);
+ 
+       /* 
+        * OpenSSL <= 0.8.2 lacks error stack handling. Do a separate check
+        * for the existance of the file without using BIO functions to make
+        * it pick up the majority of the cases with the old versions.
+        */
+       if (stat(fnbuf, &buf) == -1)
+       {
+               printfPQExpBuffer(&conn->errorMessage,
+                          libpq_gettext("could not open certificate file 
\"%s\": %s\n"),
+                                                 fnbuf, pqStrerror(errno, 
sebuf, sizeof(sebuf)));
+               return 0;
+       }
+       
        if ((bio = BIO_new_file(fnbuf, "r")) == NULL)
        {
                printfPQExpBuffer(&conn->errorMessage,

---------------------------(end of broadcast)---------------------------
TIP 1: if posting/reading through Usenet, please send an appropriate
       subscribe-nomail command to [EMAIL PROTECTED] so that your
       message can get through to the mailing list cleanly

Reply via email to