Don't require pqGetHomeDirectory to succeed if the user has specified

hardcoded paths for SSL rootcert/crl/clientcert/key. As noted by Andrew Chernow

Don't require pqGetHomeDirectory to succeed if the user has specified
hardcoded paths for SSL rootcert/crl/clientcert/key. As noted by Andrew Chernow
75eafe96 · Magnus Hagander · 16785db1 · 75eafe96
Commit 75eafe96 authored Jan 07, 2009 by Magnus Hagander
Show whitespace changes
Inline Side-by-side

Showing with 68 additions and 52 deletions

src/interfaces/libpq/fe-secure.c src/interfaces/libpq/fe-secure.c +68 -52

No files found.
--- a/src/interfaces/libpq/fe-secure.c
+++ b/src/interfaces/libpq/fe-secure.c
@@ -11,7 +11,7 @@
 *
 *
 * IDENTIFICATION
- *	  $PostgreSQL: pgsql/src/interfaces/libpq/fe-secure.c,v 1.115 2009/01/01 17:24:03 momjian Exp $
+ *	  $PostgreSQL: pgsql/src/interfaces/libpq/fe-secure.c,v 1.116 2009/01/07 12:02:46 mha Exp $
 *
 * NOTES
 *
@@ -560,12 +560,19 @@ client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
 	PGconn	   *conn = (PGconn *) SSL_get_app_data(ssl);
 	char		sebuf[256];

+	/*
+	 * If conn->sslcert  or conn->sslkey is not set, we don't need the home
+	 * directory to find the required files.
+	 */
+	if (!conn->sslcert || !conn->sslkey)
+	{
 		if (!pqGetHomeDirectory(homedir, sizeof(homedir)))
 		{
 			printfPQExpBuffer(&conn->errorMessage,
-						  libpq_gettext("could not get user information\n"));
+							  libpq_gettext("cannot find home directory to locate client certificate files"));
 			return 0;
 		}
+	}

 	/* read the user certificate */
 	if (conn->sslcert)
@@ -964,11 +971,30 @@ initialize_SSL(PGconn *conn)
 	 * If sslverify is set to anything other than "none", perform certificate
 	 * verification. If set to "cn" we will also do further verifications after
 	 * the connection has been completed.
+	 *
+	 * If we are going to look for either root certificate or CRL in the home directory,
+	 * we need pqGetHomeDirectory() to succeed. In other cases, we don't need to
+	 * get the home directory explicitly.
 	 */
-
-	/* Set up to verify server cert, if root.crt is present */
-	if (pqGetHomeDirectory(homedir, sizeof(homedir)))
+	if (!conn->sslrootcert || !conn->sslcrl)
+	{
+		if (!pqGetHomeDirectory(homedir, sizeof(homedir)))
 		{
+			if (strcmp(conn->sslverify, "none") != 0)
+			{
+				printfPQExpBuffer(&conn->errorMessage,
+								  libpq_gettext("cannot find home directory to locate root certificate file"));
+				return -1;
+			}
+		}
+	}
+	else
+	{
+		homedir[0] = '\0';
+	}
+
+
+
 	if (conn->sslrootcert)
 		strncpy(fnbuf, conn->sslrootcert, sizeof(fnbuf));
 	else
@@ -1017,7 +1043,7 @@ initialize_SSL(PGconn *conn)
 		}

 		SSL_CTX_set_verify(SSL_context, SSL_VERIFY_PEER, verify_cb);
-		}
+	} /* root certificate exists */
 	else
 	{
 		if (strcmp(conn->sslverify, "none") != 0)
@@ -1027,16 +1053,6 @@ initialize_SSL(PGconn *conn)
 			return -1;
 		}
 	}
-	}
-	else
-	{
-		if (strcmp(conn->sslverify, "none") != 0)
-		{
-			printfPQExpBuffer(&conn->errorMessage,
-							  libpq_gettext("cannot find home directory to locate root certificate file"));
-			return -1;
-		}
-	}

 	/* set up mechanism to provide client certificate, if available */
 	SSL_CTX_set_client_cert_cb(SSL_context, client_cert_cb);