aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMagnus Hagander <magnus@hagander.net>2009-01-28 15:06:47 +0000
committerMagnus Hagander <magnus@hagander.net>2009-01-28 15:06:47 +0000
commit16c46d5d7a98c5478737a120cfd44bd358a54e9e (patch)
treed3925a8f7fc4d01e98db6217960a29a3d57ea1e6
parent1ab7dc063083b44548670184e2736f9bc0ba7813 (diff)
downloadpostgresql-16c46d5d7a98c5478737a120cfd44bd358a54e9e.tar.gz
postgresql-16c46d5d7a98c5478737a120cfd44bd358a54e9e.zip
Go over all OpenSSL return values and make sure we compare them
to the documented API value. The previous code got it right as it's implemented, but accepted too much/too little compared to the API documentation. Per comment from Zdenek Kotala.
-rw-r--r--src/backend/libpq/be-secure.c16
-rw-r--r--src/interfaces/libpq/fe-secure.c8
2 files changed, 12 insertions, 12 deletions
diff --git a/src/backend/libpq/be-secure.c b/src/backend/libpq/be-secure.c
index 10c3aa79434..d7cf20ccf09 100644
--- a/src/backend/libpq/be-secure.c
+++ b/src/backend/libpq/be-secure.c
@@ -11,7 +11,7 @@
*
*
* IDENTIFICATION
- * $PostgreSQL: pgsql/src/backend/libpq/be-secure.c,v 1.89 2009/01/01 17:23:42 momjian Exp $
+ * $PostgreSQL: pgsql/src/backend/libpq/be-secure.c,v 1.90 2009/01/28 15:06:47 mha Exp $
*
* Since the server static private key ($DataDir/server.key)
* will normally be stored unencrypted so that the database
@@ -729,9 +729,9 @@ initialize_SSL(void)
/*
* Load and verify certificate and private key
*/
- if (!SSL_CTX_use_certificate_file(SSL_context,
+ if (SSL_CTX_use_certificate_file(SSL_context,
SERVER_CERT_FILE,
- SSL_FILETYPE_PEM))
+ SSL_FILETYPE_PEM) != 1)
ereport(FATAL,
(errcode(ERRCODE_CONFIG_FILE_ERROR),
errmsg("could not load server certificate file \"%s\": %s",
@@ -760,14 +760,14 @@ initialize_SSL(void)
errdetail("Permissions should be u=rw (0600) or less.")));
#endif
- if (!SSL_CTX_use_PrivateKey_file(SSL_context,
+ if (SSL_CTX_use_PrivateKey_file(SSL_context,
SERVER_PRIVATE_KEY_FILE,
- SSL_FILETYPE_PEM))
+ SSL_FILETYPE_PEM) != 1)
ereport(FATAL,
(errmsg("could not load private key file \"%s\": %s",
SERVER_PRIVATE_KEY_FILE, SSLerrmessage())));
- if (!SSL_CTX_check_private_key(SSL_context))
+ if (SSL_CTX_check_private_key(SSL_context) != 1)
ereport(FATAL,
(errmsg("check of private key failed: %s",
SSLerrmessage())));
@@ -800,7 +800,7 @@ initialize_SSL(void)
ROOT_CERT_FILE)));
}
}
- else if (!SSL_CTX_load_verify_locations(SSL_context, ROOT_CERT_FILE, NULL))
+ else if (SSL_CTX_load_verify_locations(SSL_context, ROOT_CERT_FILE, NULL) != 1)
{
/*
* File was there, but we could not load it. This means the file is somehow
@@ -823,7 +823,7 @@ initialize_SSL(void)
if (cvstore)
{
/* Set the flags to check against the complete CRL chain */
- if (X509_STORE_load_locations(cvstore, ROOT_CRL_FILE, NULL) != 0)
+ if (X509_STORE_load_locations(cvstore, ROOT_CRL_FILE, NULL) == 1)
/* OpenSSL 0.96 does not support X509_V_FLAG_CRL_CHECK */
#ifdef X509_V_FLAG_CRL_CHECK
X509_STORE_set_flags(cvstore,
diff --git a/src/interfaces/libpq/fe-secure.c b/src/interfaces/libpq/fe-secure.c
index 2d5eff7dee1..de3a71cca0c 100644
--- a/src/interfaces/libpq/fe-secure.c
+++ b/src/interfaces/libpq/fe-secure.c
@@ -11,7 +11,7 @@
*
*
* IDENTIFICATION
- * $PostgreSQL: pgsql/src/interfaces/libpq/fe-secure.c,v 1.118 2009/01/19 17:17:50 tgl Exp $
+ * $PostgreSQL: pgsql/src/interfaces/libpq/fe-secure.c,v 1.119 2009/01/28 15:06:47 mha Exp $
*
* NOTES
*
@@ -757,7 +757,7 @@ client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
}
/* verify that the cert and key go together */
- if (!X509_check_private_key(*x509, *pkey))
+ if (X509_check_private_key(*x509, *pkey) != 1)
{
char *err = SSLerrmessage();
@@ -1004,7 +1004,7 @@ initialize_SSL(PGconn *conn)
{
X509_STORE *cvstore;
- if (!SSL_CTX_load_verify_locations(SSL_context, fnbuf, NULL))
+ if (SSL_CTX_load_verify_locations(SSL_context, fnbuf, NULL) != 1)
{
char *err = SSLerrmessage();
@@ -1023,7 +1023,7 @@ initialize_SSL(PGconn *conn)
snprintf(fnbuf, sizeof(fnbuf), "%s/%s", homedir, ROOT_CRL_FILE);
/* setting the flags to check against the complete CRL chain */
- if (X509_STORE_load_locations(cvstore, fnbuf, NULL) != 0)
+ if (X509_STORE_load_locations(cvstore, fnbuf, NULL) == 1)
/* OpenSSL 0.96 does not support X509_V_FLAG_CRL_CHECK */
#ifdef X509_V_FLAG_CRL_CHECK
X509_STORE_set_flags(cvstore,