Go over all OpenSSL return values and make sure we compare them

to the documented API value. The previous code got it right as
it's implemented, but accepted too much/too little compared to
the API documentation.

Per comment from Zdenek Kotala.

diff --git a/src/backend/libpq/be-secure.c b/src/backend/libpq/be-secure.c
index 629c3033852870b3707f028d0af2f429027e9436..73d16ae6000d6c30ddaf9e25957ef06f16afc886 100644 (file)
--- a/src/backend/libpq/be-secure.c
+++ b/src/backend/libpq/be-secure.c
@@ -727,9 +727,9 @@ initialize_SSL(void)
                /*
                 * Load and verify certificate and private key
                 */
-               if (!SSL_CTX_use_certificate_file(SSL_context,
+               if (SSL_CTX_use_certificate_file(SSL_context,
                                                                                  SERVER_CERT_FILE,
-                                                                                 SSL_FILETYPE_PEM))
+                                                                                 SSL_FILETYPE_PEM) != 1)
                        ereport(FATAL,
                                        (errcode(ERRCODE_CONFIG_FILE_ERROR),
                                  errmsg("could not load server certificate file \"%s\": %s",
@@ -759,14 +759,14 @@ initialize_SSL(void)
                                         errdetail("File must be owned by the database user and must have no permissions for \"group\" or \"other\".")));
 #endif
 
-               if (!SSL_CTX_use_PrivateKey_file(SSL_context,
+               if (SSL_CTX_use_PrivateKey_file(SSL_context,
                                                                                 SERVER_PRIVATE_KEY_FILE,
-                                                                                SSL_FILETYPE_PEM))
+                                                                                SSL_FILETYPE_PEM) != 1)
                        ereport(FATAL,
                                        (errmsg("could not load private key file \"%s\": %s",
                                                        SERVER_PRIVATE_KEY_FILE, SSLerrmessage())));
 
-               if (!SSL_CTX_check_private_key(SSL_context))
+               if (SSL_CTX_check_private_key(SSL_context) != 1)
                        ereport(FATAL,
                                        (errmsg("check of private key failed: %s",
                                                        SSLerrmessage())));
@@ -783,7 +783,7 @@ initialize_SSL(void)
        /*
         * Require and check client certificates only if we have a root.crt file.
         */
-       if (!SSL_CTX_load_verify_locations(SSL_context, ROOT_CERT_FILE, NULL))
+       if (SSL_CTX_load_verify_locations(SSL_context, ROOT_CERT_FILE, NULL) != 1)
        {
                /* Not fatal - we do not require client certificates */
                ereport(LOG,
@@ -803,7 +803,7 @@ initialize_SSL(void)
                if (cvstore)
                {
                        /* Set the flags to check against the complete CRL chain */
-                       if (X509_STORE_load_locations(cvstore, ROOT_CRL_FILE, NULL) != 0)
+                       if (X509_STORE_load_locations(cvstore, ROOT_CRL_FILE, NULL) == 1)
 /* OpenSSL 0.96 does not support X509_V_FLAG_CRL_CHECK */
 #ifdef X509_V_FLAG_CRL_CHECK
                                X509_STORE_set_flags(cvstore,

diff --git a/src/interfaces/libpq/fe-secure.c b/src/interfaces/libpq/fe-secure.c
index f545eae44cf4011ff86854fabf441cb13ccb82ca..e50e27d9bd372f366887979627587f05fcdb10f2 100644 (file)
--- a/src/interfaces/libpq/fe-secure.c
+++ b/src/interfaces/libpq/fe-secure.c
@@ -793,7 +793,7 @@ client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
        }
 
        /* verify that the cert and key go together */
-       if (!X509_check_private_key(*x509, *pkey))
+       if (X509_check_private_key(*x509, *pkey) != 1)
        {
                char       *err = SSLerrmessage();
 
@@ -926,7 +926,7 @@ initialize_SSL(PGconn *conn)
                {
                        X509_STORE *cvstore;
 
-                       if (!SSL_CTX_load_verify_locations(SSL_context, fnbuf, NULL))
+                       if (SSL_CTX_load_verify_locations(SSL_context, fnbuf, NULL) != 1)
                        {
                                char       *err = SSLerrmessage();
 
@@ -940,7 +940,7 @@ initialize_SSL(PGconn *conn)
                        if ((cvstore = SSL_CTX_get_cert_store(SSL_context)) != NULL)
                        {
                                /* setting the flags to check against the complete CRL chain */
-                               if (X509_STORE_load_locations(cvstore, ROOT_CRL_FILE, NULL) != 0)
+                               if (X509_STORE_load_locations(cvstore, ROOT_CRL_FILE, NULL) == 1)
 /* OpenSSL 0.96 does not support X509_V_FLAG_CRL_CHECK */
 #ifdef X509_V_FLAG_CRL_CHECK
                                        X509_STORE_set_flags(cvstore,