Go over all OpenSSL return values and make sure we compare them

to the documented API value. The previous code got it right as it's implemented, but accepted too much/too little compared to the API documentation. Per comment from Zdenek Kotala.
author: Magnus Hagander <magnus@hagander.net> 2009-01-28 15:06:55 +0000
committer: Magnus Hagander <magnus@hagander.net> 2009-01-28 15:06:55 +0000
commit: 3364386166f4d7b926d12d7b51645e9c7a3a1c7e (patch)
tree: 9cb6b2af768c19f4480ac646267f745509db39c2 /src
parent: 7b4460885f2f651e36099124852aa6c1a9f66f5b (diff)
2 files changed, 12 insertions, 12 deletions
diff --git a/src/backend/libpq/be-secure.c b/src/backend/libpq/be-secure.c
index 772cd71a1f5..78aba180d9f 100644
--- a/src/backend/libpq/be-secure.c
+++ b/src/backend/libpq/be-secure.c
@@ -11,7 +11,7 @@
  *
  *
  * IDENTIFICATION
- *	  $PostgreSQL: pgsql/src/backend/libpq/be-secure.c,v 1.74.2.2 2007/05/18 01:20:25 tgl Exp $
+ *	  $PostgreSQL: pgsql/src/backend/libpq/be-secure.c,v 1.74.2.3 2009/01/28 15:06:54 mha Exp $
  *
  *	  Since the server static private key ($DataDir/server.key)
  *	  will normally be stored unencrypted so that the database
@@ -718,9 +718,9 @@ initialize_SSL(void)
 		/*
 		 * Load and verify certificate and private key
 		 */
-		if (!SSL_CTX_use_certificate_file(SSL_context,
+		if (SSL_CTX_use_certificate_file(SSL_context,
 										  SERVER_CERT_FILE,
-										  SSL_FILETYPE_PEM))
+										  SSL_FILETYPE_PEM) != 1)
 			ereport(FATAL,
 					(errcode(ERRCODE_CONFIG_FILE_ERROR),
 				  errmsg("could not load server certificate file \"%s\": %s",
@@ -750,14 +750,14 @@ initialize_SSL(void)
 					 errdetail("File must be owned by the database user and must have no permissions for \"group\" or \"other\".")));
 #endif
 
-		if (!SSL_CTX_use_PrivateKey_file(SSL_context,
+		if (SSL_CTX_use_PrivateKey_file(SSL_context,
 										 SERVER_PRIVATE_KEY_FILE,
-										 SSL_FILETYPE_PEM))
+										 SSL_FILETYPE_PEM) != 1)
 			ereport(FATAL,
 					(errmsg("could not load private key file \"%s\": %s",
 							SERVER_PRIVATE_KEY_FILE, SSLerrmessage())));
 
-		if (!SSL_CTX_check_private_key(SSL_context))
+		if (SSL_CTX_check_private_key(SSL_context) != 1)
 			ereport(FATAL,
 					(errmsg("check of private key failed: %s",
 							SSLerrmessage())));
@@ -774,7 +774,7 @@ initialize_SSL(void)
 	/*
 	 * Require and check client certificates only if we have a root.crt file.
 	 */
-	if (!SSL_CTX_load_verify_locations(SSL_context, ROOT_CERT_FILE, NULL))
+	if (SSL_CTX_load_verify_locations(SSL_context, ROOT_CERT_FILE, NULL) != 1)
 	{
 		/* Not fatal - we do not require client certificates */
 		ereport(LOG,
@@ -794,7 +794,7 @@ initialize_SSL(void)
 		if (cvstore)
 		{
 			/* Set the flags to check against the complete CRL chain */
-			if (X509_STORE_load_locations(cvstore, ROOT_CRL_FILE, NULL) != 0)
+			if (X509_STORE_load_locations(cvstore, ROOT_CRL_FILE, NULL) == 1)
 /* OpenSSL 0.96 does not support X509_V_FLAG_CRL_CHECK */
 #ifdef X509_V_FLAG_CRL_CHECK
 				X509_STORE_set_flags(cvstore,
diff --git a/src/interfaces/libpq/fe-secure.c b/src/interfaces/libpq/fe-secure.c
index 460b38c77d4..b4022d778bb 100644
--- a/src/interfaces/libpq/fe-secure.c
+++ b/src/interfaces/libpq/fe-secure.c
@@ -11,7 +11,7 @@
  *
  *
  * IDENTIFICATION
- *	  $PostgreSQL: pgsql/src/interfaces/libpq/fe-secure.c,v 1.89 2006/10/06 17:14:01 petere Exp $
+ *	  $PostgreSQL: pgsql/src/interfaces/libpq/fe-secure.c,v 1.89.2.1 2009/01/28 15:06:55 mha Exp $
  *
  * NOTES
  *	  [ Most of these notes are wrong/obsolete, but perhaps not all ]
@@ -656,7 +656,7 @@ client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
 	fclose(fp);
 
 	/* verify that the cert and key go together */
-	if (!X509_check_private_key(*x509, *pkey))
+	if (X509_check_private_key(*x509, *pkey) != 1)
 	{
 		char	   *err = SSLerrmessage();
 
@@ -783,7 +783,7 @@ initialize_SSL(PGconn *conn)
 		{
 			X509_STORE *cvstore;
 
-			if (!SSL_CTX_load_verify_locations(SSL_context, fnbuf, NULL))
+			if (SSL_CTX_load_verify_locations(SSL_context, fnbuf, NULL) != 1)
 			{
 				char	   *err = SSLerrmessage();
 
@@ -797,7 +797,7 @@ initialize_SSL(PGconn *conn)
 			if ((cvstore = SSL_CTX_get_cert_store(SSL_context)) != NULL)
 			{
 				/* setting the flags to check against the complete CRL chain */
-				if (X509_STORE_load_locations(cvstore, ROOT_CRL_FILE, NULL) != 0)
+				if (X509_STORE_load_locations(cvstore, ROOT_CRL_FILE, NULL) == 1)
 /* OpenSSL 0.96 does not support X509_V_FLAG_CRL_CHECK */
 #ifdef X509_V_FLAG_CRL_CHECK
 					X509_STORE_set_flags(cvstore,
author	Magnus Hagander <magnus@hagander.net>	2009-01-28 15:06:55 +0000
committer	Magnus Hagander <magnus@hagander.net>	2009-01-28 15:06:55 +0000
commit	3364386166f4d7b926d12d7b51645e9c7a3a1c7e (patch)
tree	9cb6b2af768c19f4480ac646267f745509db39c2 /src
parent	7b4460885f2f651e36099124852aa6c1a9f66f5b (diff)