changeset 16156:4e9851e24c28
lib-ssl-iostream: If handshake callback fails, close the iostreams immediately.
This way the callback itself doesn't have to do it. Also fixes errors caused
by it, since they didn't close the ostream.
author | Timo Sirainen <tss@iki.fi> |
---|---|
date | Thu, 04 Apr 2013 15:40:08 +0300 |
parents | c1f1624a299c |
children | c040fa0fcfdf |
files | src/doveadm/server-connection.c src/lib-http/http-client-connection.c src/lib-http/http-client.h src/lib-imap-client/imapc-connection.c src/lib-ssl-iostream/iostream-openssl.c src/lib-storage/index/pop3c/pop3c-client.c |
diffstat | 6 files changed, 8 insertions(+), 9 deletions(-) [+] |
--- a/src/doveadm/server-connection.c Thu Apr 04 15:21:52 2013 +0300
+++ b/src/doveadm/server-connection.c Thu Apr 04 15:40:08 2013 +0300
@@ -330,10 +330,12 @@
 *error_r = "SSL certificate not received";
 else
 *error_r = "Received invalid SSL certificate";
+ return -1;
 } else if (ssl_iostream_cert_match_name(conn->ssl_iostream, host) < 0) {
 *error_r = t_strdup_printf(
 "SSL certificate doesn't match expected host name %s",
 host);
+ return -1;
 } else {
 if (doveadm_debug) {
 i_debug("%s: SSL handshake successful",
@@ -341,8 +343,6 @@
 }
 return 0;
 }
- i_stream_close(conn->input);
- return -1;
 }
 
 static int server_connection_init_ssl(struct server_connection *conn)
--- a/src/lib-http/http-client-connection.c Thu Apr 04 15:21:52 2013 +0300
+++ b/src/lib-http/http-client-connection.c Thu Apr 04 15:40:08 2013 +0300
@@ -641,7 +641,7 @@
 {
 struct http_client_connection *conn = context;
 
- if (!conn->client->set.ssl_verify) {
+ if (conn->client->set.ssl_allow_invalid_cert) {
 /* skip certificate checks */
 http_client_connection_debug(conn, "SSL handshake successful");
 return 0;
@@ -650,6 +650,7 @@
 *error_r = "SSL certificate not received";
 else
 *error_r = "Received invalid SSL certificate";
+ return -1;
 } else {
 const char *host = http_client_peer_get_hostname(conn->peer);
 
@@ -662,9 +663,8 @@
 *error_r = t_strdup_printf(
 "SSL certificate doesn't match expected host name %s",
 host);
+ return -1;
 }
- i_stream_close(conn->conn.input);
- return -1;
 }
 
 static int
@@ -677,7 +677,7 @@
 i_assert(conn->client->ssl_ctx != NULL);
 
 memset(&ssl_set, 0, sizeof(ssl_set));
- if (conn->client->set.ssl_verify) {
+ if (!conn->client->set.ssl_allow_invalid_cert) {
 ssl_set.verbose_invalid_cert = TRUE;
 ssl_set.verify_remote_cert = TRUE;
 ssl_set.require_valid_cert = TRUE;
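Review bot: In the first hunk the early `return 0` under `ssl_allow_invalid_cert` skips not only the certificate-validity branch but also the `ssl_iostream_cert_match_name` host-name check in the third hunk, and it logs exactly the same `"SSL handshake successful"` as the fully verified path, so an operator reading debug output cannot tell a verified connection from an unverified one. I would make the bypass visible in the log line, e.g. `http_client_connection_debug(conn, "SSL handshake successful (certificate checks skipped)");`, and say in the `/* skip certificate checks */` comment that host-name matching is skipped too. Note also that the polarity flip from `ssl_verify` to `ssl_allow_invalid_cert` changes what a zero-initialized settings struct means: zero used to skip verification and now enforces it, which is the right default but will make existing http-client users that never set either field start rejecting self-signed peers; that deserves a sentence in the commit message or the header. The callback and the init function both begin and end outside these hunks.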
--- a/src/lib-http/http-client.h Thu Apr 04 15:21:52 2013 +0300
+++ b/src/lib-http/http-client.h Thu Apr 04 15:40:08 2013 +0300
@@ -36,7 +36,6 @@
 const char *ssl_ca_dir, *ssl_ca;
 const char *ssl_crypto_device;
 bool ssl_allow_invalid_cert;
- bool ssl_verify;
 
 const char *rawlog_dir;
--- a/src/lib-imap-client/imapc-connection.c Thu Apr 04 15:21:52 2013 +0300
+++ b/src/lib-imap-client/imapc-connection.c Thu Apr 04 15:40:08 2013 +0300
@@ -1151,7 +1151,6 @@
 return 0;
 }
 conn->handshake_failed = TRUE;
- i_stream_close(conn->input);
 return -1;
 }
--- a/src/lib-ssl-iostream/iostream-openssl.c Thu Apr 04 15:21:52 2013 +0300
+++ b/src/lib-ssl-iostream/iostream-openssl.c Thu Apr 04 15:40:08 2013 +0300
@@ -545,6 +545,8 @@
 if (ssl_io->handshake_callback != NULL) {
 if (ssl_io->handshake_callback(&error, ssl_io->handshake_context) < 0) {
 i_assert(error != NULL);
+ i_stream_close(ssl_io->plain_input);
+ o_stream_close(ssl_io->plain_output);
 openssl_iostream_set_error(ssl_io, error);
 errno = EINVAL;
 return -1;
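Review bot: The two added close calls are the security-relevant part of this change and carry no comment explaining why they live here rather than in the callbacks; the reason is that a callback returning -1 has rejected the peer (the callers in this changeset do so on a missing, invalid or mismatched certificate), and closing the plain streams centrally means a caller that ignores the -1 cannot keep exchanging data over a connection whose peer was never accepted. I would add above `i_stream_close(ssl_io->plain_input);` a comment such as `/* callback rejected the peer (e.g. certificate check failed): close the plain streams here so no caller can keep using the unverified connection, even if it ignores the -1 */`. Whether the SSL-side streams wrapping `plain_input`/`plain_output` observe this close and fail subsequent reads/writes is not visible in the hunk and should be confirmed. The enclosing handshake function starts and ends outside the hunk.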