mirror of https://github.com/postgres/postgres.git synced 2025-07-27 12:41:57 +03:00

libpq error message refactoring, part 2

This applies the new APIs to the code.

Reviewed-by: Alvaro Herrera <alvherre@alvh.no-ip.org>
Discussion: https://www.postgresql.org/message-id/flat/7c0232ef-7b44-68db-599d-b327d0640a77@enterprisedb.com
Peter Eisentraut
2022-11-15 11:50:04 +01:00
parent 0873b2d354
commit a9e9a9f32b
12 changed files with 463 additions and 774 deletions


@ -212,20 +212,17 @@ rloop:
result_errno = SOCK_ERRNO;
if (result_errno == EPIPE ||
result_errno == ECONNRESET)
appendPQExpBufferStr(&conn->errorMessage,
libpq_gettext("server closed the connection unexpectedly\n"
"\tThis probably means the server terminated abnormally\n"
"\tbefore or while processing the request.\n"));
libpq_append_conn_error(conn, "server closed the connection unexpectedly\n"
"\tThis probably means the server terminated abnormally\n"
"\tbefore or while processing the request.");
else
appendPQExpBuffer(&conn->errorMessage,
libpq_gettext("SSL SYSCALL error: %s\n"),
libpq_append_conn_error(conn, "SSL SYSCALL error: %s",
SOCK_STRERROR(result_errno,
sebuf, sizeof(sebuf)));
}
else
{
appendPQExpBufferStr(&conn->errorMessage,
libpq_gettext("SSL SYSCALL error: EOF detected\n"));
libpq_append_conn_error(conn, "SSL SYSCALL error: EOF detected");
/* assume the connection is broken */
result_errno = ECONNRESET;
n = -1;
@ -235,8 +232,7 @@ rloop:
{
char *errm = SSLerrmessage(ecode);
appendPQExpBuffer(&conn->errorMessage,
libpq_gettext("SSL error: %s\n"), errm);
libpq_append_conn_error(conn, "SSL error: %s", errm);
SSLerrfree(errm);
/* assume the connection is broken */
result_errno = ECONNRESET;
@ -250,15 +246,12 @@ rloop:
* a clean connection closure, so we should not report it as a
* server crash.
*/
appendPQExpBufferStr(&conn->errorMessage,
libpq_gettext("SSL connection has been closed unexpectedly\n"));
libpq_append_conn_error(conn, "SSL connection has been closed unexpectedly");
result_errno = ECONNRESET;
n = -1;
break;
default:
appendPQExpBuffer(&conn->errorMessage,
libpq_gettext("unrecognized SSL error code: %d\n"),
err);
libpq_append_conn_error(conn, "unrecognized SSL error code: %d", err);
/* assume the connection is broken */
result_errno = ECONNRESET;
n = -1;
@ -319,20 +312,17 @@ pgtls_write(PGconn *conn, const void *ptr, size_t len)
{
result_errno = SOCK_ERRNO;
if (result_errno == EPIPE || result_errno == ECONNRESET)
appendPQExpBufferStr(&conn->errorMessage,
libpq_gettext("server closed the connection unexpectedly\n"
"\tThis probably means the server terminated abnormally\n"
"\tbefore or while processing the request.\n"));
libpq_append_conn_error(conn, "server closed the connection unexpectedly\n"
"\tThis probably means the server terminated abnormally\n"
"\tbefore or while processing the request.");
else
appendPQExpBuffer(&conn->errorMessage,
libpq_gettext("SSL SYSCALL error: %s\n"),
libpq_append_conn_error(conn, "SSL SYSCALL error: %s",
SOCK_STRERROR(result_errno,
sebuf, sizeof(sebuf)));
}
else
{
appendPQExpBufferStr(&conn->errorMessage,
libpq_gettext("SSL SYSCALL error: EOF detected\n"));
libpq_append_conn_error(conn, "SSL SYSCALL error: EOF detected");
/* assume the connection is broken */
result_errno = ECONNRESET;
n = -1;
@ -342,8 +332,7 @@ pgtls_write(PGconn *conn, const void *ptr, size_t len)
{
char *errm = SSLerrmessage(ecode);
appendPQExpBuffer(&conn->errorMessage,
libpq_gettext("SSL error: %s\n"), errm);
libpq_append_conn_error(conn, "SSL error: %s", errm);
SSLerrfree(errm);
/* assume the connection is broken */
result_errno = ECONNRESET;
@ -357,15 +346,12 @@ pgtls_write(PGconn *conn, const void *ptr, size_t len)
* a clean connection closure, so we should not report it as a
* server crash.
*/
appendPQExpBufferStr(&conn->errorMessage,
libpq_gettext("SSL connection has been closed unexpectedly\n"));
libpq_append_conn_error(conn, "SSL connection has been closed unexpectedly");
result_errno = ECONNRESET;
n = -1;
break;
default:
appendPQExpBuffer(&conn->errorMessage,
libpq_gettext("unrecognized SSL error code: %d\n"),
err);
libpq_append_conn_error(conn, "unrecognized SSL error code: %d", err);
/* assume the connection is broken */
result_errno = ECONNRESET;
n = -1;
@ -403,8 +389,7 @@ pgtls_get_peer_certificate_hash(PGconn *conn, size_t *len)
if (!OBJ_find_sigid_algs(X509_get_signature_nid(peer_cert),
&algo_nid, NULL))
{
appendPQExpBufferStr(&conn->errorMessage,
libpq_gettext("could not determine server certificate signature algorithm\n"));
libpq_append_conn_error(conn, "could not determine server certificate signature algorithm");
return NULL;
}
@ -424,8 +409,7 @@ pgtls_get_peer_certificate_hash(PGconn *conn, size_t *len)
algo_type = EVP_get_digestbynid(algo_nid);
if (algo_type == NULL)
{
appendPQExpBuffer(&conn->errorMessage,
libpq_gettext("could not find digest for NID %s\n"),
libpq_append_conn_error(conn, "could not find digest for NID %s",
OBJ_nid2sn(algo_nid));
return NULL;
}
@ -434,8 +418,7 @@ pgtls_get_peer_certificate_hash(PGconn *conn, size_t *len)
if (!X509_digest(peer_cert, algo_type, hash, &hash_size))
{
appendPQExpBufferStr(&conn->errorMessage,
libpq_gettext("could not generate peer certificate hash\n"));
libpq_append_conn_error(conn, "could not generate peer certificate hash");
return NULL;
}
@ -443,8 +426,7 @@ pgtls_get_peer_certificate_hash(PGconn *conn, size_t *len)
cert_hash = malloc(hash_size);
if (cert_hash == NULL)
{
appendPQExpBufferStr(&conn->errorMessage,
libpq_gettext("out of memory\n"));
libpq_append_conn_error(conn, "out of memory");
return NULL;
}
memcpy(cert_hash, hash, hash_size);
@ -491,8 +473,7 @@ openssl_verify_peer_name_matches_certificate_name(PGconn *conn, ASN1_STRING *nam
/* Should not happen... */
if (name_entry == NULL)
{
appendPQExpBufferStr(&conn->errorMessage,
libpq_gettext("SSL certificate's name entry is missing\n"));
libpq_append_conn_error(conn, "SSL certificate's name entry is missing");
return -1;
}
@ -526,8 +507,7 @@ openssl_verify_peer_name_matches_certificate_ip(PGconn *conn,
/* Should not happen... */
if (addr_entry == NULL)
{
appendPQExpBufferStr(&conn->errorMessage,
libpq_gettext("SSL certificate's address entry is missing\n"));
libpq_append_conn_error(conn, "SSL certificate's address entry is missing");
return -1;
}
@ -944,9 +924,7 @@ initialize_SSL(PGconn *conn)
{
char *err = SSLerrmessage(ERR_get_error());
appendPQExpBuffer(&conn->errorMessage,
libpq_gettext("could not create SSL context: %s\n"),
err);
libpq_append_conn_error(conn, "could not create SSL context: %s", err);
SSLerrfree(err);
return -1;
}
@ -983,8 +961,7 @@ initialize_SSL(PGconn *conn)
if (ssl_min_ver == -1)
{
appendPQExpBuffer(&conn->errorMessage,
libpq_gettext("invalid value \"%s\" for minimum SSL protocol version\n"),
libpq_append_conn_error(conn, "invalid value \"%s\" for minimum SSL protocol version",
conn->ssl_min_protocol_version);
SSL_CTX_free(SSL_context);
return -1;
@ -994,9 +971,7 @@ initialize_SSL(PGconn *conn)
{
char *err = SSLerrmessage(ERR_get_error());
appendPQExpBuffer(&conn->errorMessage,
libpq_gettext("could not set minimum SSL protocol version: %s\n"),
err);
libpq_append_conn_error(conn, "could not set minimum SSL protocol version: %s", err);
SSLerrfree(err);
SSL_CTX_free(SSL_context);
return -1;
@ -1012,8 +987,7 @@ initialize_SSL(PGconn *conn)
if (ssl_max_ver == -1)
{
appendPQExpBuffer(&conn->errorMessage,
libpq_gettext("invalid value \"%s\" for maximum SSL protocol version\n"),
libpq_append_conn_error(conn, "invalid value \"%s\" for maximum SSL protocol version",
conn->ssl_max_protocol_version);
SSL_CTX_free(SSL_context);
return -1;
@ -1023,9 +997,7 @@ initialize_SSL(PGconn *conn)
{
char *err = SSLerrmessage(ERR_get_error());
appendPQExpBuffer(&conn->errorMessage,
libpq_gettext("could not set maximum SSL protocol version: %s\n"),
err);
libpq_append_conn_error(conn, "could not set maximum SSL protocol version: %s", err);
SSLerrfree(err);
SSL_CTX_free(SSL_context);
return -1;
@ -1059,8 +1031,7 @@ initialize_SSL(PGconn *conn)
{
char *err = SSLerrmessage(ERR_get_error());
appendPQExpBuffer(&conn->errorMessage,
libpq_gettext("could not read root certificate file \"%s\": %s\n"),
libpq_append_conn_error(conn, "could not read root certificate file \"%s\": %s",
fnbuf, err);
SSLerrfree(err);
SSL_CTX_free(SSL_context);
@ -1112,13 +1083,11 @@ initialize_SSL(PGconn *conn)
* that it seems worth having a specialized error message for it.
*/
if (fnbuf[0] == '\0')
appendPQExpBuffer(&conn->errorMessage,
libpq_gettext("could not get home directory to locate root certificate file\n"
"Either provide the file or change sslmode to disable server certificate verification.\n"));
libpq_append_conn_error(conn, "could not get home directory to locate root certificate file\n"
"Either provide the file or change sslmode to disable server certificate verification.");
else
appendPQExpBuffer(&conn->errorMessage,
libpq_gettext("root certificate file \"%s\" does not exist\n"
"Either provide the file or change sslmode to disable server certificate verification.\n"), fnbuf);
libpq_append_conn_error(conn, "root certificate file \"%s\" does not exist\n"
"Either provide the file or change sslmode to disable server certificate verification.", fnbuf);
SSL_CTX_free(SSL_context);
return -1;
}
@ -1147,8 +1116,7 @@ initialize_SSL(PGconn *conn)
*/
if (errno != ENOENT && errno != ENOTDIR)
{
appendPQExpBuffer(&conn->errorMessage,
libpq_gettext("could not open certificate file \"%s\": %s\n"),
libpq_append_conn_error(conn, "could not open certificate file \"%s\": %s",
fnbuf, strerror_r(errno, sebuf, sizeof(sebuf)));
SSL_CTX_free(SSL_context);
return -1;
@ -1166,8 +1134,7 @@ initialize_SSL(PGconn *conn)
{
char *err = SSLerrmessage(ERR_get_error());
appendPQExpBuffer(&conn->errorMessage,
libpq_gettext("could not read certificate file \"%s\": %s\n"),
libpq_append_conn_error(conn, "could not read certificate file \"%s\": %s",
fnbuf, err);
SSLerrfree(err);
SSL_CTX_free(SSL_context);
@ -1191,9 +1158,7 @@ initialize_SSL(PGconn *conn)
{
char *err = SSLerrmessage(ERR_get_error());
appendPQExpBuffer(&conn->errorMessage,
libpq_gettext("could not establish SSL connection: %s\n"),
err);
libpq_append_conn_error(conn, "could not establish SSL connection: %s", err);
SSLerrfree(err);
SSL_CTX_free(SSL_context);
return -1;
@ -1225,9 +1190,7 @@ initialize_SSL(PGconn *conn)
{
char *err = SSLerrmessage(ERR_get_error());
appendPQExpBuffer(&conn->errorMessage,
libpq_gettext("could not set SSL Server Name Indication (SNI): %s\n"),
err);
libpq_append_conn_error(conn, "could not set SSL Server Name Indication (SNI): %s", err);
SSLerrfree(err);
return -1;
}
@ -1255,8 +1218,7 @@ initialize_SSL(PGconn *conn)
if (engine_str == NULL)
{
appendPQExpBufferStr(&conn->errorMessage,
libpq_gettext("out of memory\n"));
libpq_append_conn_error(conn, "out of memory");
return -1;
}
@ -1271,8 +1233,7 @@ initialize_SSL(PGconn *conn)
{
char *err = SSLerrmessage(ERR_get_error());
appendPQExpBuffer(&conn->errorMessage,
libpq_gettext("could not load SSL engine \"%s\": %s\n"),
libpq_append_conn_error(conn, "could not load SSL engine \"%s\": %s",
engine_str, err);
SSLerrfree(err);
free(engine_str);
@ -1283,8 +1244,7 @@ initialize_SSL(PGconn *conn)
{
char *err = SSLerrmessage(ERR_get_error());
appendPQExpBuffer(&conn->errorMessage,
libpq_gettext("could not initialize SSL engine \"%s\": %s\n"),
libpq_append_conn_error(conn, "could not initialize SSL engine \"%s\": %s",
engine_str, err);
SSLerrfree(err);
ENGINE_free(conn->engine);
@ -1299,8 +1259,7 @@ initialize_SSL(PGconn *conn)
{
char *err = SSLerrmessage(ERR_get_error());
appendPQExpBuffer(&conn->errorMessage,
libpq_gettext("could not read private SSL key \"%s\" from engine \"%s\": %s\n"),
libpq_append_conn_error(conn, "could not read private SSL key \"%s\" from engine \"%s\": %s",
engine_colon, engine_str, err);
SSLerrfree(err);
ENGINE_finish(conn->engine);
@ -1313,8 +1272,7 @@ initialize_SSL(PGconn *conn)
{
char *err = SSLerrmessage(ERR_get_error());
appendPQExpBuffer(&conn->errorMessage,
libpq_gettext("could not load private SSL key \"%s\" from engine \"%s\": %s\n"),
libpq_append_conn_error(conn, "could not load private SSL key \"%s\" from engine \"%s\": %s",
engine_colon, engine_str, err);
SSLerrfree(err);
ENGINE_finish(conn->engine);
@ -1351,12 +1309,10 @@ initialize_SSL(PGconn *conn)
if (stat(fnbuf, &buf) != 0)
{
if (errno == ENOENT)
appendPQExpBuffer(&conn->errorMessage,
libpq_gettext("certificate present, but not private key file \"%s\"\n"),
libpq_append_conn_error(conn, "certificate present, but not private key file \"%s\"",
fnbuf);
else
appendPQExpBuffer(&conn->errorMessage,
libpq_gettext("could not stat private key file \"%s\": %m\n"),
libpq_append_conn_error(conn, "could not stat private key file \"%s\": %m",
fnbuf);
return -1;
}
@ -1364,8 +1320,7 @@ initialize_SSL(PGconn *conn)
/* Key file must be a regular file */
if (!S_ISREG(buf.st_mode))
{
appendPQExpBuffer(&conn->errorMessage,
libpq_gettext("private key file \"%s\" is not a regular file\n"),
libpq_append_conn_error(conn, "private key file \"%s\" is not a regular file",
fnbuf);
return -1;
}
@ -1397,9 +1352,9 @@ initialize_SSL(PGconn *conn)
buf.st_mode & (S_IWGRP | S_IXGRP | S_IRWXO) :
buf.st_mode & (S_IRWXG | S_IRWXO))
{
appendPQExpBuffer(&conn->errorMessage,
libpq_gettext("private key file \"%s\" has group or world access; file must have permissions u=rw (0600) or less if owned by the current user, or permissions u=rw,g=r (0640) or less if owned by root\n"),
fnbuf);
libpq_append_conn_error(conn,
"private key file \"%s\" has group or world access; file must have permissions u=rw (0600) or less if owned by the current user, or permissions u=rw,g=r (0640) or less if owned by root",
fnbuf);
return -1;
}
#endif
@ -1422,8 +1377,7 @@ initialize_SSL(PGconn *conn)
*/
if (SSL_use_PrivateKey_file(conn->ssl, fnbuf, SSL_FILETYPE_ASN1) != 1)
{
appendPQExpBuffer(&conn->errorMessage,
libpq_gettext("could not load private key file \"%s\": %s\n"),
libpq_append_conn_error(conn, "could not load private key file \"%s\": %s",
fnbuf, err);
SSLerrfree(err);
return -1;
@ -1439,8 +1393,7 @@ initialize_SSL(PGconn *conn)
{
char *err = SSLerrmessage(ERR_get_error());
appendPQExpBuffer(&conn->errorMessage,
libpq_gettext("certificate does not match private key file \"%s\": %s\n"),
libpq_append_conn_error(conn, "certificate does not match private key file \"%s\": %s",
fnbuf, err);
SSLerrfree(err);
return -1;
@ -1493,12 +1446,10 @@ open_client_SSL(PGconn *conn)
char sebuf[PG_STRERROR_R_BUFLEN];
if (r == -1)
appendPQExpBuffer(&conn->errorMessage,
libpq_gettext("SSL SYSCALL error: %s\n"),
libpq_append_conn_error(conn, "SSL SYSCALL error: %s",
SOCK_STRERROR(SOCK_ERRNO, sebuf, sizeof(sebuf)));
else
appendPQExpBufferStr(&conn->errorMessage,
libpq_gettext("SSL SYSCALL error: EOF detected\n"));
libpq_append_conn_error(conn, "SSL SYSCALL error: EOF detected");
pgtls_close(conn);
return PGRES_POLLING_FAILED;
}
@ -1506,9 +1457,7 @@ open_client_SSL(PGconn *conn)
{
char *err = SSLerrmessage(ecode);
appendPQExpBuffer(&conn->errorMessage,
libpq_gettext("SSL error: %s\n"),
err);
libpq_append_conn_error(conn, "SSL error: %s", err);
SSLerrfree(err);
switch (ERR_GET_REASON(ecode))
{
@ -1539,8 +1488,7 @@ open_client_SSL(PGconn *conn)
case SSL_R_VERSION_TOO_HIGH:
case SSL_R_VERSION_TOO_LOW:
#endif
appendPQExpBuffer(&conn->errorMessage,
libpq_gettext("This may indicate that the server does not support any SSL protocol version between %s and %s.\n"),
libpq_append_conn_error(conn, "This may indicate that the server does not support any SSL protocol version between %s and %s.",
conn->ssl_min_protocol_version ?
conn->ssl_min_protocol_version :
MIN_OPENSSL_TLS_VERSION,
@ -1556,9 +1504,7 @@ open_client_SSL(PGconn *conn)
}
default:
appendPQExpBuffer(&conn->errorMessage,
libpq_gettext("unrecognized SSL error code: %d\n"),
err);
libpq_append_conn_error(conn, "unrecognized SSL error code: %d", err);
pgtls_close(conn);
return PGRES_POLLING_FAILED;
}
@ -1575,9 +1521,7 @@ open_client_SSL(PGconn *conn)
{
char *err = SSLerrmessage(ERR_get_error());
appendPQExpBuffer(&conn->errorMessage,
libpq_gettext("certificate could not be obtained: %s\n"),
err);
libpq_append_conn_error(conn, "certificate could not be obtained: %s", err);
SSLerrfree(err);
pgtls_close(conn);
return PGRES_POLLING_FAILED;
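Review bot: The calls that previously went through appendPQExpBufferStr (for example "SSL SYSCALL error: EOF detected", "out of memory" and the "server closed the connection unexpectedly" text) now hand their message to libpq_append_conn_error as a printf-style format, so a literal `%` added to any of them later would be interpreted instead of copied. The helper's declaration is not visible in this file section; if it does not already carry a format attribute, something like `extern void libpq_append_conn_error(PGconn *conn, const char *fmt, ...) pg_attribute_printf(2, 3);` would keep compile-time checking for every converted call, including those that pass fnbuf, engine_str and the protocol-version strings as arguments. The "could not stat private key file \"%s\": %m" call in initialize_SSL also presumably depends on the helper preserving errno across its own translation lookup, whereas the "could not open certificate file" call passes `strerror_r(errno, sebuf, sizeof(sebuf))` explicitly. A comment on the helper stating that errno is saved on entry, or using the explicit form in both places, would make that dependency visible.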