Mercurial > dovecot > core-2.2

changeset 16156:4e9851e24c28

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
lib-ssl-iostream: If handshake callback fails, close the iostreams immediately. This way the callback itself doesn't have to do it. Also fixes errors caused by it, since they didn't close the ostream.
author Timo Sirainen <tss@iki.fi>
date Thu, 04 Apr 2013 15:40:08 +0300
parents c1f1624a299c
children c040fa0fcfdf
files src/doveadm/server-connection.c src/lib-http/http-client-connection.c src/lib-http/http-client.h src/lib-imap-client/imapc-connection.c src/lib-ssl-iostream/iostream-openssl.c src/lib-storage/index/pop3c/pop3c-client.c
diffstat 6 files changed, 8 insertions(+), 9 deletions(-) [+]
line wrap: on
line diff
--- a/src/doveadm/server-connection.c	Thu Apr 04 15:21:52 2013 +0300
+++ b/src/doveadm/server-connection.c	Thu Apr 04 15:40:08 2013 +0300
@@ -330,10 +330,12 @@
 			*error_r = "SSL certificate not received";
 		else
 			*error_r = "Received invalid SSL certificate";
+		return -1;
 	} else if (ssl_iostream_cert_match_name(conn->ssl_iostream, host) < 0) {
 		*error_r = t_strdup_printf(
 			"SSL certificate doesn't match expected host name %s",
 			host);
+		return -1;
 	} else {
 		if (doveadm_debug) {
 			i_debug("%s: SSL handshake successful",
@@ -341,8 +343,6 @@
 		}
 		return 0;
 	}
-	i_stream_close(conn->input);
-	return -1;
 }
 
 static int server_connection_init_ssl(struct server_connection *conn)
--- a/src/lib-http/http-client-connection.c	Thu Apr 04 15:21:52 2013 +0300
+++ b/src/lib-http/http-client-connection.c	Thu Apr 04 15:40:08 2013 +0300
@@ -641,7 +641,7 @@
 {
 	struct http_client_connection *conn = context;
 
-	if (!conn->client->set.ssl_verify) {
+	if (conn->client->set.ssl_allow_invalid_cert) {
 		/* skip certificate checks */
 		http_client_connection_debug(conn, "SSL handshake successful");
 		return 0;
@@ -650,6 +650,7 @@
 			*error_r = "SSL certificate not received";
 		else
 			*error_r = "Received invalid SSL certificate";
+		return -1;
 	} else {
 		const char *host = http_client_peer_get_hostname(conn->peer);
 
@@ -662,9 +663,8 @@
 
 		*error_r = t_strdup_printf(
 			"SSL certificate doesn't match expected host name %s", host);
+		return -1;
 	}
-	i_stream_close(conn->conn.input);
-	return -1;
 }
 
 static int 
@@ -677,7 +677,7 @@
 	i_assert(conn->client->ssl_ctx != NULL);
 
 	memset(&ssl_set, 0, sizeof(ssl_set));
-	if (conn->client->set.ssl_verify) {
+	if (!conn->client->set.ssl_allow_invalid_cert) {
 		ssl_set.verbose_invalid_cert = TRUE;
 		ssl_set.verify_remote_cert = TRUE;
 		ssl_set.require_valid_cert = TRUE;
--- a/src/lib-http/http-client.h	Thu Apr 04 15:21:52 2013 +0300
+++ b/src/lib-http/http-client.h	Thu Apr 04 15:40:08 2013 +0300
@@ -36,7 +36,6 @@
 	const char *ssl_ca_dir, *ssl_ca;
 	const char *ssl_crypto_device;
 	bool ssl_allow_invalid_cert;
-	bool ssl_verify;
 
 	const char *rawlog_dir;
 
--- a/src/lib-imap-client/imapc-connection.c	Thu Apr 04 15:21:52 2013 +0300
+++ b/src/lib-imap-client/imapc-connection.c	Thu Apr 04 15:40:08 2013 +0300
@@ -1151,7 +1151,6 @@
 		return 0;
 	}
 	conn->handshake_failed = TRUE;
-	i_stream_close(conn->input);
 	return -1;
 }
 
--- a/src/lib-ssl-iostream/iostream-openssl.c	Thu Apr 04 15:21:52 2013 +0300
+++ b/src/lib-ssl-iostream/iostream-openssl.c	Thu Apr 04 15:40:08 2013 +0300
@@ -545,6 +545,8 @@
 	if (ssl_io->handshake_callback != NULL) {
 		if (ssl_io->handshake_callback(&error, ssl_io->handshake_context) < 0) {
 			i_assert(error != NULL);
+			i_stream_close(ssl_io->plain_input);
+			o_stream_close(ssl_io->plain_output);
 			openssl_iostream_set_error(ssl_io, error);
 			errno = EINVAL;
 			return -1;
--- a/src/lib-storage/index/pop3c/pop3c-client.c	Thu Apr 04 15:21:52 2013 +0300
+++ b/src/lib-storage/index/pop3c/pop3c-client.c	Thu Apr 04 15:40:08 2013 +0300
@@ -434,7 +434,6 @@
 		return 0;
 	}
 	client->handshake_failed = TRUE;
-	i_stream_close(client->input);
 	return -1;
 }