Fix assorted error-cleanup bugs in SSL min/max protocol version code.

The error exits added to initialize_SSL() failed to clean up the
partially-built SSL_context, and some of them also leaked the
result of SSLerrmessage().  Make them match other error-handling
cases in that function.

The error exits added to connectOptions2() failed to set conn->status
like every other error exit in that function.

In passing, make the SSL_get_peer_certificate() error exit look more
like all the other calls of SSLerrmessage().

Oversights in commit ff8ca5fad.  Coverity whined about leakage of the
SSLerrmessage() results; I noted the rest in manual code review.

diff --git a/src/interfaces/libpq/fe-connect.c b/src/interfaces/libpq/fe-connect.c
index 99cd6c41176598b1562baa73fc8ea84f5c3a9b08..408000af83aaae7ec1d5cf3be3a460cecaacc233 100644 (file)
--- a/src/interfaces/libpq/fe-connect.c
+++ b/src/interfaces/libpq/fe-connect.c
@@ -1306,6 +1306,7 @@ connectOptions2(PGconn *conn)
     */
    if (!sslVerifyProtocolVersion(conn->sslminprotocolversion))
    {
+       conn->status = CONNECTION_BAD;
        printfPQExpBuffer(&conn->errorMessage,
                          libpq_gettext("invalid sslminprotocolversion value: \"%s\"\n"),
                          conn->sslminprotocolversion);
@@ -1313,6 +1314,7 @@ connectOptions2(PGconn *conn)
    }
    if (!sslVerifyProtocolVersion(conn->sslmaxprotocolversion))
    {
+       conn->status = CONNECTION_BAD;
        printfPQExpBuffer(&conn->errorMessage,
                          libpq_gettext("invalid sslmaxprotocolversion value: \"%s\"\n"),
                          conn->sslmaxprotocolversion);
@@ -1329,6 +1331,7 @@ connectOptions2(PGconn *conn)
    if (!sslVerifyProtocolRange(conn->sslminprotocolversion,
                                conn->sslmaxprotocolversion))
    {
+       conn->status = CONNECTION_BAD;
        printfPQExpBuffer(&conn->errorMessage,
                          libpq_gettext("invalid SSL protocol version range"));
        return false;

diff --git a/src/interfaces/libpq/fe-secure-openssl.c b/src/interfaces/libpq/fe-secure-openssl.c
index cf142fbaa48162fa835eefbcf869ffcd3ca23bdd..d3a37e1d273f8429ebc1034e21a123bcefeac081 100644 (file)
--- a/src/interfaces/libpq/fe-secure-openssl.c
+++ b/src/interfaces/libpq/fe-secure-openssl.c
@@ -854,6 +854,7 @@ initialize_SSL(PGconn *conn)
            printfPQExpBuffer(&conn->errorMessage,
                              libpq_gettext("invalid value \"%s\" for minimum version of SSL protocol\n"),
                              conn->sslminprotocolversion);
+           SSL_CTX_free(SSL_context);
            return -1;
        }
 
@@ -864,6 +865,8 @@ initialize_SSL(PGconn *conn)
            printfPQExpBuffer(&conn->errorMessage,
                              libpq_gettext("could not set minimum version of SSL protocol: %s\n"),
                              err);
+           SSLerrfree(err);
+           SSL_CTX_free(SSL_context);
            return -1;
        }
    }
@@ -880,6 +883,7 @@ initialize_SSL(PGconn *conn)
            printfPQExpBuffer(&conn->errorMessage,
                              libpq_gettext("invalid value \"%s\" for maximum version of SSL protocol\n"),
                              conn->sslmaxprotocolversion);
+           SSL_CTX_free(SSL_context);
            return -1;
        }
 
@@ -890,6 +894,8 @@ initialize_SSL(PGconn *conn)
            printfPQExpBuffer(&conn->errorMessage,
                              libpq_gettext("could not set maximum version of SSL protocol: %s\n"),
                              err);
+           SSLerrfree(err);
+           SSL_CTX_free(SSL_context);
            return -1;
        }
    }
@@ -1321,9 +1327,7 @@ open_client_SSL(PGconn *conn)
    conn->peer = SSL_get_peer_certificate(conn->ssl);
    if (conn->peer == NULL)
    {
-       char       *err;
-
-       err = SSLerrmessage(ERR_get_error());
+       char       *err = SSLerrmessage(ERR_get_error());
 
        printfPQExpBuffer(&conn->errorMessage,
                          libpq_gettext("certificate could not be obtained: %s\n"),