From f5030009988597d51ba6569008e86831349b244f Mon Sep 17 00:00:00 2001 From: edbjunwang Date: Fri, 22 May 2026 17:31:35 +0800 Subject: [PATCH 1/4] fix: Race Condition in Revocation Database --- sslutils.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/sslutils.c b/sslutils.c index 5848b82..c485d26 100644 --- a/sslutils.c +++ b/sslutils.c @@ -19,6 +19,7 @@ #include "postgres.h" #include "miscadmin.h" +#include "unistd.h" #include #include @@ -250,6 +251,14 @@ static int revoke_client_certificate(const char* dbfile, X509* x) if (revoke_file == NULL) return -1; + if (flock(fileno(revoke_file), LOCK_EX) != 0) + { + fprintf(stdout, "Could not lock revocation database, maybe it is locked by another process.\n"); + fflush(stdout); + ereport(ERROR, (errmsg("Could not lock revocation database"))); + return -1; + } + // Lookup whether the client cert has been revoke by serial number // and rotate the index.txt while (fgets(line, 512, revoke_file)) @@ -311,6 +320,8 @@ static int revoke_client_certificate(const char* dbfile, X509* x) } fwrite("\n", 1, 1, revoke_file); + // For testing purpose + sleep(10); fclose(revoke_file); return 0; } From c3b5ae88978069f6b0103e227aa113e9a9dbf0f1 Mon Sep 17 00:00:00 2001 From: edbjunwang Date: Fri, 22 May 2026 18:23:23 +0800 Subject: [PATCH 2/4] fix: Race Condition in Revocation Database --- sslutils.c | 1 + 1 file changed, 1 insertion(+) diff --git a/sslutils.c b/sslutils.c index c485d26..6ba00be 100644 --- a/sslutils.c +++ b/sslutils.c @@ -20,6 +20,7 @@ #include "postgres.h" #include "miscadmin.h" #include "unistd.h" +#include #include #include From 1dcaf07127cf5168ad442142b0ec1852818d9263 Mon Sep 17 00:00:00 2001 From: edbjunwang Date: Fri, 22 May 2026 19:27:17 +0800 Subject: [PATCH 3/4] test: add some more debugging log --- sslutils.c | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/sslutils.c b/sslutils.c index 6ba00be..11293c9 100644 --- a/sslutils.c +++ b/sslutils.c @@ -252,11 +252,19 @@ static int revoke_client_certificate(const char* dbfile, X509* x) if (revoke_file == NULL) return -1; - if (flock(fileno(revoke_file), LOCK_EX) != 0) + if (flock(fileno(revoke_file), LOCK_EX | LOCK_NB) != 0) { - fprintf(stdout, "Could not lock revocation database, maybe it is locked by another process.\n"); - fflush(stdout); - ereport(ERROR, (errmsg("Could not lock revocation database"))); + if (errno == EWOULDBLOCK) { + fprintf(stdout, "Could not lock revocation database, it is already locked by another process.\n"); + fflush(stdout); + ereport(ERROR, (errmsg("Could not lock revocation database, it is already locked by another process ---"))); + } + else + { + fprintf(stdout, "Could not lock revocation database, for unknown reason.\n"); + fflush(stdout); + ereport(ERROR, (errmsg("Could not lock revocation database, for unknown reason ---"))); + } return -1; } From 7b69c997913778b3f18fb246d29febe5e389027c Mon Sep 17 00:00:00 2001 From: edbjunwang Date: Fri, 22 May 2026 19:58:28 +0800 Subject: [PATCH 4/4] chore: remove debugging code --- sslutils.c | 13 +------------ 1 file changed, 1 insertion(+), 12 deletions(-) diff --git a/sslutils.c b/sslutils.c index 11293c9..4a8b14b 100644 --- a/sslutils.c +++ b/sslutils.c @@ -19,7 +19,6 @@ #include "postgres.h" #include "miscadmin.h" -#include "unistd.h" #include #include @@ -255,15 +254,7 @@ static int revoke_client_certificate(const char* dbfile, X509* x) if (flock(fileno(revoke_file), LOCK_EX | LOCK_NB) != 0) { if (errno == EWOULDBLOCK) { - fprintf(stdout, "Could not lock revocation database, it is already locked by another process.\n"); - fflush(stdout); - ereport(ERROR, (errmsg("Could not lock revocation database, it is already locked by another process ---"))); - } - else - { - fprintf(stdout, "Could not lock revocation database, for unknown reason.\n"); - fflush(stdout); - ereport(ERROR, (errmsg("Could not lock revocation database, for unknown reason ---"))); + ereport(ERROR, (errmsg("Could not lock revocation database, it is already locked by another process."))); } return -1; } @@ -329,8 +320,6 @@ static int revoke_client_certificate(const char* dbfile, X509* x) } fwrite("\n", 1, 1, revoke_file); - // For testing purpose - sleep(10); fclose(revoke_file); return 0; }