NotificationsYou must be signed in to change notification settings
Fork5
Star27

Commit16c46d5

committed

Go over all OpenSSL return values and make sure we compare them

to the documented API value. The previous code got it right asit's implemented, but accepted too much/too little compared tothe API documentation.Per comment from Zdenek Kotala.

1 parent1ab7dc0 commit16c46d5Copy full SHA for 16c46d5

File tree

2 files changed

+12

-12

lines changed

src
- backend/libpq
  - be-secure.c
- interfaces/libpq
  - fe-secure.c

2 files changed

+12

-12

lines changed

`‎src/backend/libpq/be-secure.c‎`

Lines changed: 8 additions & 8 deletions

Original file line number	Diff line number	Diff line change
`@@ -11,7 +11,7 @@`
`11`	`11`	`*`
`12`	`12`	`*`
`13`	`13`	`* IDENTIFICATION`
`14`		`- * $PostgreSQL: pgsql/src/backend/libpq/be-secure.c,v 1.89 2009/01/01 17:23:42 momjian Exp $`
	`14`	`+ * $PostgreSQL: pgsql/src/backend/libpq/be-secure.c,v 1.90 2009/01/28 15:06:47 mha Exp $`
`15`	`15`	`*`
`16`	`16`	`* Since the server static private key ($DataDir/server.key)`
`17`	`17`	`* will normally be stored unencrypted so that the database`
`@@ -729,9 +729,9 @@ initialize_SSL(void)`
`729`	`729`	`/*`
`730`	`730`	`* Load and verify certificate and private key`
`731`	`731`	`*/`
`732`		`-if (!SSL_CTX_use_certificate_file(SSL_context,`
	`732`	`+if (SSL_CTX_use_certificate_file(SSL_context,`
`733`	`733`	`SERVER_CERT_FILE,`
`734`		`-SSL_FILETYPE_PEM))`
	`734`	`+SSL_FILETYPE_PEM)!=1)`
`735`	`735`	`ereport(FATAL,`
`736`	`736`	`(errcode(ERRCODE_CONFIG_FILE_ERROR),`
`737`	`737`	`errmsg("could not load server certificate file \"%s\": %s",`
`@@ -760,14 +760,14 @@ initialize_SSL(void)`
`760`	`760`	`errdetail("Permissions should be u=rw (0600) or less.")));`
`761`	`761`	`#endif`
`762`	`762`
`763`		`-if (!SSL_CTX_use_PrivateKey_file(SSL_context,`
	`763`	`+if (SSL_CTX_use_PrivateKey_file(SSL_context,`
`764`	`764`	`SERVER_PRIVATE_KEY_FILE,`
`765`		`-SSL_FILETYPE_PEM))`
	`765`	`+SSL_FILETYPE_PEM)!=1)`
`766`	`766`	`ereport(FATAL,`
`767`	`767`	`(errmsg("could not load private key file \"%s\": %s",`
`768`	`768`	`SERVER_PRIVATE_KEY_FILE,SSLerrmessage())));`
`769`	`769`
`770`		`-if (!SSL_CTX_check_private_key(SSL_context))`
	`770`	`+if (SSL_CTX_check_private_key(SSL_context)!=1)`
`771`	`771`	`ereport(FATAL,`
`772`	`772`	`(errmsg("check of private key failed: %s",`
`773`	`773`	`SSLerrmessage())));`
`@@ -800,7 +800,7 @@ initialize_SSL(void)`
`800`	`800`	`ROOT_CERT_FILE)));`
`801`	`801`	`}`
`802`	`802`	`}`
`803`		`-elseif (!SSL_CTX_load_verify_locations(SSL_context,ROOT_CERT_FILE,NULL))`
	`803`	`+elseif (SSL_CTX_load_verify_locations(SSL_context,ROOT_CERT_FILE,NULL)!=1)`
`804`	`804`	`{`
`805`	`805`	`/*`
`806`	`806`	`* File was there, but we could not load it. This means the file is somehow`
`@@ -823,7 +823,7 @@ initialize_SSL(void)`
`823`	`823`	`if (cvstore)`
`824`	`824`	`{`
`825`	`825`	`/* Set the flags to check against the complete CRL chain */`
`826`		`-if (X509_STORE_load_locations(cvstore,ROOT_CRL_FILE,NULL)!=0)`
	`826`	`+if (X509_STORE_load_locations(cvstore,ROOT_CRL_FILE,NULL)==1)`
`827`	`827`	`/* OpenSSL 0.96 does not support X509_V_FLAG_CRL_CHECK */`
`828`	`828`	`#ifdefX509_V_FLAG_CRL_CHECK`
`829`	`829`	`X509_STORE_set_flags(cvstore,`

`‎src/interfaces/libpq/fe-secure.c‎`

Lines changed: 4 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -11,7 +11,7 @@`
`11`	`11`	`*`
`12`	`12`	`*`
`13`	`13`	`* IDENTIFICATION`
`14`		`- * $PostgreSQL: pgsql/src/interfaces/libpq/fe-secure.c,v 1.118 2009/01/19 17:17:50 tgl Exp $`
	`14`	`+ * $PostgreSQL: pgsql/src/interfaces/libpq/fe-secure.c,v 1.119 2009/01/28 15:06:47 mha Exp $`
`15`	`15`	`*`
`16`	`16`	`* NOTES`
`17`	`17`	`*`
`@@ -757,7 +757,7 @@ client_cert_cb(SSL ssl, X509 x509, EVP_PKEY *pkey)`
`757`	`757`	`}`
`758`	`758`
`759`	`759`	`/* verify that the cert and key go together */`
`760`		`-if (!X509_check_private_key(x509,pkey))`
	`760`	`+if (X509_check_private_key(x509,pkey)!=1)`
`761`	`761`	`{`
`762`	`762`	`char*err=SSLerrmessage();`
`763`	`763`
`@@ -1004,7 +1004,7 @@ initialize_SSL(PGconn *conn)`
`1004`	`1004`	`{`
`1005`	`1005`	`X509_STORE*cvstore;`
`1006`	`1006`
`1007`		`-if (!SSL_CTX_load_verify_locations(SSL_context,fnbuf,NULL))`
	`1007`	`+if (SSL_CTX_load_verify_locations(SSL_context,fnbuf,NULL)!=1)`
`1008`	`1008`	`{`
`1009`	`1009`	`char*err=SSLerrmessage();`
`1010`	`1010`
`@@ -1023,7 +1023,7 @@ initialize_SSL(PGconn *conn)`
`1023`	`1023`	`snprintf(fnbuf,sizeof(fnbuf),"%s/%s",homedir,ROOT_CRL_FILE);`
`1024`	`1024`
`1025`	`1025`	`/* setting the flags to check against the complete CRL chain */`
`1026`		`-if (X509_STORE_load_locations(cvstore,fnbuf,NULL)!=0)`
	`1026`	`+if (X509_STORE_load_locations(cvstore,fnbuf,NULL)==1)`
`1027`	`1027`	`/* OpenSSL 0.96 does not support X509_V_FLAG_CRL_CHECK */`
`1028`	`1028`	`#ifdefX509_V_FLAG_CRL_CHECK`
`1029`	`1029`	`X509_STORE_set_flags(cvstore,`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit16c46d5

File tree

2 files changed

2 files changed

`‎src/backend/libpq/be-secure.c‎`

`‎src/interfaces/libpq/fe-secure.c‎`

0 commit comments