From: Petr Špaček
Date: Thu, 18 Jan 2018 13:11:26 +0000 (+0100)
Subject: TLS: use constants for GnuTLS return codes
X-Git-Tag: v2.0.0~29^2~3
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=84ea95de0237d852385ce548a09f419f55af9f7d;p=thirdparty%2Fknot-resolver.git

TLS: use constants for GnuTLS return codes

GnuTLS manual for some functions do not declare that error return code must be negative, so we should use constants to avoid potential problems.
---
diff --git a/daemon/tls.c b/daemon/tls.c
index cf1080720..8e077955d 100644
--- a/daemon/tls.c
+++ b/daemon/tls.c
@@ -165,21 +165,21 @@ struct tls_ctx_t *tls_new(struct worker_ctx *worker)
 	}
 	int err = gnutls_init(&tls->session, GNUTLS_SERVER | GNUTLS_NONBLOCK);
-	if (err < 0) {
+	if (err != GNUTLS_E_SUCCESS) {
 		kr_log_error("[tls] gnutls_init(): %s (%d)\n", gnutls_strerror_name(err), err);
 		tls_free(tls);
 		return NULL;
 	}
 	tls->credentials = tls_credentials_reserve(net->tls_credentials);
 	err = gnutls_credentials_set(tls->session, GNUTLS_CRD_CERTIFICATE, tls->credentials->credentials);
-	if (err < 0) {
+	if (err != GNUTLS_E_SUCCESS) {
 		kr_log_error("[tls] gnutls_credentials_set(): %s (%d)\n", gnutls_strerror_name(err), err);
 		tls_free(tls);
 		return NULL;
 	}
 	const char *errpos = NULL;
 	err = gnutls_priority_set_direct(tls->session, priorities, &errpos);
-	if (err < 0) {
+	if (err != GNUTLS_E_SUCCESS) {
 		kr_log_error("[tls] setting priority '%s' failed at character %zd (...'%s') with %s (%d)\n", priorities, errpos - priorities, errpos, gnutls_strerror_name(err), err);
 		tls_free(tls);
@@ -279,7 +279,7 @@ int tls_process(struct worker_ctx *worker, uv_stream_t *handle, const uint8_t *b
 		tls_p->handshake_done = true;
 	} else if (err == GNUTLS_E_AGAIN) {
 		return 0; /* No data, bail out */
-	} else if (err < 0 && gnutls_error_is_fatal(err)) {
+	} else if (gnutls_error_is_fatal(err)) {
 		return kr_error(err);
 	}
 	}
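Review bot: In the gnutls_priority_set_direct() error branch the log call uses errpos for both the `%zd` offset and the `%s` excerpt without checking it; errpos is initialized to NULL on the line above, and nothing in the hunk guarantees GnuTLS sets it on every failure path (it is documented for priority-string parse errors), so a failure for another reason could subtract from and print a null pointer. A guard such as `errpos ? errpos - priorities : (ptrdiff_t)-1, errpos ? errpos : ""` keeps the message well-defined, and since the difference is a ptrdiff_t the matching specifier is strictly `%td` rather than `%zd`. The `!= GNUTLS_E_SUCCESS` comparisons themselves are correct for these three calls. tls_new() starts before the hunk and continues after it.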
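Review bot: The fatal branch returns kr_error(err) without recording which GnuTLS error ended the handshake, whereas the matching client-side branch in the @@ -904 hunk logs gnutls_strerror_name(err) before giving up; a line such as `kr_log_error("[tls] gnutls_handshake failed: %s (%d)\n", gnutls_strerror_name(err), err);` ahead of the return would make server-side handshake failures diagnosable from the log rather than only from the caller's error code. Dropping `err < 0` looks safe, as gnutls_error_is_fatal() reports non-negative values as non-fatal, so the success and GNUTLS_E_AGAIN cases handled above cannot fall into this branch. tls_process() starts before the hunk and appears to continue after it.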
@@ -329,7 +329,7 @@ static int get_oob_key_pin(gnutls_x509_crt_t crt, char *outchar, ssize_t outchar
 	gnutls_pubkey_t key;
 	gnutls_datum_t datum = { .size = 0 };
-	if ((err = gnutls_pubkey_init(&key)) < 0) {
+	if ((err = gnutls_pubkey_init(&key)) != GNUTLS_E_SUCCESS) {
 		return err;
 	}
@@ -405,17 +405,17 @@ static time_t _get_end_entity_expiration(gnutls_certificate_credentials_t creds)
 	int err;
 	time_t ret = GNUTLS_X509_NO_WELL_DEFINED_EXPIRATION;
-	if ((err = gnutls_certificate_get_crt_raw(creds, 0, 0, &data)) < 0) {
+	if ((err = gnutls_certificate_get_crt_raw(creds, 0, 0, &data)) != GNUTLS_E_SUCCESS) {
 		kr_log_error("[tls] failed to get cert to check expiration: (%d) %s\n", err, gnutls_strerror_name(err));
 		goto done;
 	}
-	if ((err = gnutls_x509_crt_init(&cert)) < 0) {
+	if ((err = gnutls_x509_crt_init(&cert)) != GNUTLS_E_SUCCESS) {
 		kr_log_error("[tls] failed to initialize cert: (%d) %s\n", err, gnutls_strerror_name(err));
 		goto done;
 	}
-	if ((err = gnutls_x509_crt_import(cert, &data, GNUTLS_X509_FMT_DER)) < 0) {
+	if ((err = gnutls_x509_crt_import(cert, &data, GNUTLS_X509_FMT_DER)) != GNUTLS_E_SUCCESS) {
 		kr_log_error("[tls] failed to construct cert while checking expiration: (%d) %s\n", err, gnutls_strerror_name(err));
 		goto done;
@@ -441,7 +441,7 @@ int tls_certificate_set(struct network *net, const char *tls_cert, const char *t
 	}
 	int err = 0;
-	if ((err = gnutls_certificate_allocate_credentials(&tls_credentials->credentials)) < 0) {
+	if ((err = gnutls_certificate_allocate_credentials(&tls_credentials->credentials)) != GNUTLS_E_SUCCESS) {
 		kr_log_error("[tls] gnutls_certificate_allocate_credentials() failed: (%d) %s\n", err, gnutls_strerror_name(err));
 		tls_credentials_free(tls_credentials);
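Review bot: In the @@ -405 hunk the first two `goto done` paths leave cert untouched — the first before gnutls_x509_crt_init() is called at all, the second after it failed — so if the done label (outside the hunk) unconditionally calls gnutls_x509_crt_deinit(cert), those paths deinitialize a handle that was never created; the declaration of cert is also outside the hunk, so this is inferred from what is visible. Initializing it at its declaration, `gnutls_x509_crt_t cert = NULL;`, and guarding the cleanup with `if (cert) gnutls_x509_crt_deinit(cert);` makes every bail-out path safe regardless of where it exits. The datum filled by gnutls_certificate_get_crt_raw() is, per the GnuTLS documentation, owned by the credentials and must not be freed at done either, which is worth a one-line comment next to that call. _get_end_entity_expiration() starts before the hunk and continues after it.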
@@ -463,7 +463,7 @@ int tls_certificate_set(struct network *net, const char *tls_cert, const char *t
 	}
 	if ((err = gnutls_certificate_set_x509_key_file(tls_credentials->credentials,
-						tls_cert, tls_key, GNUTLS_X509_FMT_PEM)) < 0) {
+						tls_cert, tls_key, GNUTLS_X509_FMT_PEM)) != GNUTLS_E_SUCCESS) {
 		tls_credentials_free(tls_credentials);
 		kr_log_error("[tls] gnutls_certificate_set_x509_key_file(%s,%s) failed: %d (%s)\n", tls_cert, tls_key, err, gnutls_strerror_name(err));
@@ -904,7 +904,7 @@ int tls_client_process(struct worker_ctx *worker, uv_stream_t *handle, const uin
 		ctx->handshake_state = TLS_HS_DONE;
 	} else if (err == GNUTLS_E_AGAIN) {
 		return 0;
-	} else if (err < 0 && gnutls_error_is_fatal(err)) {
+	} else if (gnutls_error_is_fatal(err)) {
 		kr_log_error("[tls_client] gnutls_handshake failed: %s (%d)\n", gnutls_strerror_name(err), err);
 		if (ctx->handshake_cb) {