diff options
| author | Magnus Hagander | 2009-01-28 15:06:47 +0000 |
|---|---|---|
| committer | Magnus Hagander | 2009-01-28 15:06:47 +0000 |
| commit | b053264eb9192ce88911efd3b55db42882dffa91 (patch) | |
| tree | 90f7c09cbed759ad1ff6d573e620761a2055652c | |
| parent | 09f041c8a41117c1d595aa40fb2a08c0fbe513b9 (diff) | |
Go over all OpenSSL return values and make sure we compare them
to the documented API value. The previous code got it right as
it's implemented, but accepted too much/too little compared to
the API documentation.
Per comment from Zdenek Kotala.
| -rw-r--r-- | src/backend/libpq/be-secure.c | 14 | ||||
| -rw-r--r-- | src/interfaces/libpq/fe-secure.c | 6 |
2 files changed, 10 insertions, 10 deletions
diff --git a/src/backend/libpq/be-secure.c b/src/backend/libpq/be-secure.c index 42bb8f4a23..44575e3591 100644 --- a/src/backend/libpq/be-secure.c +++ b/src/backend/libpq/be-secure.c @@ -729,9 +729,9 @@ initialize_SSL(void) /* * Load and verify certificate and private key */ - if (!SSL_CTX_use_certificate_file(SSL_context, + if (SSL_CTX_use_certificate_file(SSL_context, SERVER_CERT_FILE, - SSL_FILETYPE_PEM)) + SSL_FILETYPE_PEM) != 1) ereport(FATAL, (errcode(ERRCODE_CONFIG_FILE_ERROR), errmsg("could not load server certificate file \"%s\": %s", @@ -760,14 +760,14 @@ initialize_SSL(void) errdetail("Permissions should be u=rw (0600) or less."))); #endif - if (!SSL_CTX_use_PrivateKey_file(SSL_context, + if (SSL_CTX_use_PrivateKey_file(SSL_context, SERVER_PRIVATE_KEY_FILE, - SSL_FILETYPE_PEM)) + SSL_FILETYPE_PEM) != 1) ereport(FATAL, (errmsg("could not load private key file \"%s\": %s", SERVER_PRIVATE_KEY_FILE, SSLerrmessage()))); - if (!SSL_CTX_check_private_key(SSL_context)) + if (SSL_CTX_check_private_key(SSL_context) != 1) ereport(FATAL, (errmsg("check of private key failed: %s", SSLerrmessage()))); @@ -800,7 +800,7 @@ initialize_SSL(void) ROOT_CERT_FILE))); } } - else if (!SSL_CTX_load_verify_locations(SSL_context, ROOT_CERT_FILE, NULL)) + else if (SSL_CTX_load_verify_locations(SSL_context, ROOT_CERT_FILE, NULL) != 1) { /* * File was there, but we could not load it. This means the file is somehow @@ -823,7 +823,7 @@ initialize_SSL(void) if (cvstore) { /* Set the flags to check against the complete CRL chain */ - if (X509_STORE_load_locations(cvstore, ROOT_CRL_FILE, NULL) != 0) + if (X509_STORE_load_locations(cvstore, ROOT_CRL_FILE, NULL) == 1) /* OpenSSL 0.96 does not support X509_V_FLAG_CRL_CHECK */ #ifdef X509_V_FLAG_CRL_CHECK X509_STORE_set_flags(cvstore, diff --git a/src/interfaces/libpq/fe-secure.c b/src/interfaces/libpq/fe-secure.c index eb7ee75acd..7c229c3efe 100644 --- a/src/interfaces/libpq/fe-secure.c +++ b/src/interfaces/libpq/fe-secure.c @@ -757,7 +757,7 @@ client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey) } /* verify that the cert and key go together */ - if (!X509_check_private_key(*x509, *pkey)) + if (X509_check_private_key(*x509, *pkey) != 1) { char *err = SSLerrmessage(); @@ -1004,7 +1004,7 @@ initialize_SSL(PGconn *conn) { X509_STORE *cvstore; - if (!SSL_CTX_load_verify_locations(SSL_context, fnbuf, NULL)) + if (SSL_CTX_load_verify_locations(SSL_context, fnbuf, NULL) != 1) { char *err = SSLerrmessage(); @@ -1023,7 +1023,7 @@ initialize_SSL(PGconn *conn) snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, ROOT_CRL_FILE); /* setting the flags to check against the complete CRL chain */ - if (X509_STORE_load_locations(cvstore, fnbuf, NULL) != 0) + if (X509_STORE_load_locations(cvstore, fnbuf, NULL) == 1) /* OpenSSL 0.96 does not support X509_V_FLAG_CRL_CHECK */ #ifdef X509_V_FLAG_CRL_CHECK X509_STORE_set_flags(cvstore, |