From: Magnus Hagander Date: Wed, 28 Jan 2009 15:06:48 +0000 (+0000) Subject: Go over all OpenSSL return values and make sure we compare them X-Git-Url: http://git.postgresql.org/gitweb/?a=commitdiff_plain;h=74db8b6176f8a6fcac1c78a46e77d33419bd8fec;p=users%2Fbernd%2Fpostgres.git Go over all OpenSSL return values and make sure we compare them to the documented API value. The previous code got it right as it's implemented, but accepted too much/too little compared to the API documentation. Per comment from Zdenek Kotala. --- diff --git a/src/backend/libpq/be-secure.c b/src/backend/libpq/be-secure.c index e6cc1827b7..06f26fb0ad 100644 --- a/src/backend/libpq/be-secure.c +++ b/src/backend/libpq/be-secure.c @@ -700,7 +700,7 @@ initialize_SSL(void) * Load and verify certificate and private key */ snprintf(fnbuf, sizeof(fnbuf), "%s/server.crt", DataDir); - if (!SSL_CTX_use_certificate_file(SSL_context, fnbuf, SSL_FILETYPE_PEM)) + if (SSL_CTX_use_certificate_file(SSL_context, fnbuf, SSL_FILETYPE_PEM) != 1) ereport(FATAL, (errcode(ERRCODE_CONFIG_FILE_ERROR), errmsg("could not load server certificate file \"%s\": %s", @@ -720,12 +720,12 @@ initialize_SSL(void) fnbuf), errdetail("File must be owned by the database user and must have no permissions for \"group\" or \"other\"."))); - if (!SSL_CTX_use_PrivateKey_file(SSL_context, fnbuf, SSL_FILETYPE_PEM)) + if (SSL_CTX_use_PrivateKey_file(SSL_context, fnbuf, SSL_FILETYPE_PEM) != 1) ereport(FATAL, (errmsg("could not load private key file \"%s\": %s", fnbuf, SSLerrmessage()))); - if (!SSL_CTX_check_private_key(SSL_context)) + if (SSL_CTX_check_private_key(SSL_context) != 1) ereport(FATAL, (errmsg("check of private key failed: %s", SSLerrmessage()))); @@ -741,7 +741,7 @@ initialize_SSL(void) /* accept client certificates, but don't require them. */ snprintf(fnbuf, sizeof(fnbuf), "%s/root.crt", DataDir); - if (!SSL_CTX_load_verify_locations(SSL_context, fnbuf, CA_PATH)) + if (SSL_CTX_load_verify_locations(SSL_context, fnbuf, CA_PATH) != 1) { /* Not fatal - we do not require client certificates */ ereport(LOG, diff --git a/src/interfaces/libpq/fe-secure.c b/src/interfaces/libpq/fe-secure.c index 9fb2140d9b..67683f40c7 100644 --- a/src/interfaces/libpq/fe-secure.c +++ b/src/interfaces/libpq/fe-secure.c @@ -788,7 +788,7 @@ client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey) fclose(fp); /* verify that the cert and key go together */ - if (!X509_check_private_key(*x509, *pkey)) + if (X509_check_private_key(*x509, *pkey) != 1) { printfPQExpBuffer(&conn->errorMessage, libpq_gettext("certificate/private key mismatch (%s): %s\n"), @@ -848,7 +848,7 @@ initialize_SSL(PGconn *conn) return -1; #endif } - if (!SSL_CTX_load_verify_locations(SSL_context, fnbuf, 0)) + if (SSL_CTX_load_verify_locations(SSL_context, fnbuf, 0) != 1) { printfPQExpBuffer(&conn->errorMessage, libpq_gettext("could not read root certificate list (%s): %s\n"),