The return value makes much more sense as a boolean TRUE/FALSE than 0/-1.
return p != NULL && strcmp(ssl_name+2, p+1) == 0;
}
-int openssl_cert_match_name(SSL *ssl, const char *verify_name)
+bool openssl_cert_match_name(SSL *ssl, const char *verify_name)
{
X509 *cert;
STACK_OF(GENERAL_NAME) *gnames;
const char *dnsname;
bool dns_names = FALSE;
unsigned int i, count;
- int ret;
+ bool ret;
cert = SSL_get_peer_certificate(ssl);
i_assert(cert != NULL);
/* verify against CommonName only when there wasn't any DNS
SubjectAltNames */
if (dns_names)
- ret = i < count ? 0 : -1;
+ ret = i < count;
else if (openssl_hostname_equals(get_cname(cert), verify_name))
- ret = 0;
+ ret = TRUE;
else
- ret = -1;
+ ret = FALSE;
X509_free(cert);
return ret;
}
return -1;
}
-static int
+static bool
openssl_iostream_cert_match_name(struct ssl_iostream *ssl_io,
const char *verify_name)
{
if (!ssl_iostream_has_valid_client_cert(ssl_io))
- return -1;
+ return FALSE;
return openssl_cert_match_name(ssl_io->ssl, verify_name);
}
ssl_io->handshake_failed = TRUE;
}
} else if (ssl_io->connected_host != NULL && !ssl_io->handshake_failed) {
- if (ssl_iostream_cert_match_name(ssl_io, ssl_io->connected_host) < 0) {
+ if (!ssl_iostream_cert_match_name(ssl_io, ssl_io->connected_host)) {
openssl_iostream_set_error(ssl_io, t_strdup_printf(
"SSL certificate doesn't match expected host name %s",
ssl_io->connected_host));
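Review bot: The rewritten condition `if (!ssl_iostream_cert_match_name(ssl_io, ssl_io->connected_host))` is the correct inversion, but the old `< 0` idiom is the dangerous one to leave behind: a bool is never negative, so any call site this commit did not touch that still compares the result with `< 0` would compile silently and treat every name mismatch as a match, which disables hostname verification on that path. Worth confirming no such comparison survives elsewhere in the tree; GCC's `-Wtype-limits` / `-Wbool-compare` should flag an always-false comparison of this kind if enabled. The same conversion appears at the `!ssl_iostream_cert_match_name(ssl_io, host)` line in the ssl_iostream_check_cert_validity hunk, and the enclosing function here starts and ends outside the hunk.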
int openssl_iostream_load_key(const struct ssl_iostream_cert *set,
EVP_PKEY **pkey_r, const char **error_r);
-int openssl_cert_match_name(SSL *ssl, const char *verify_name);
+bool openssl_cert_match_name(SSL *ssl, const char *verify_name);
int openssl_get_protocol_options(const char *protocols);
#define OPENSSL_ALL_PROTOCOL_OPTIONS \
(SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1)
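Review bot: The new `bool openssl_cert_match_name(SSL *ssl, const char *verify_name);` prototype carries no comment, while the matching ssl_iostream_cert_match_name declaration in the other header gains one in this same commit; the contract is non-obvious (DNS SubjectAltNames take precedence, CommonName is consulted only when there are none) and should be stated where callers read it. Suggested comment above the prototype: `/* Returns TRUE if verify_name matches one of the peer certificate's DNS SubjectAltNames, or its CommonName when the certificate has no DNS SubjectAltNames. The peer certificate must exist. */` The "must exist" part reflects the `i_assert(cert != NULL)` in the implementation.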
bool (*has_handshake_failed)(const struct ssl_iostream *ssl_io);
bool (*has_valid_client_cert)(const struct ssl_iostream *ssl_io);
bool (*has_broken_client_cert)(struct ssl_iostream *ssl_io);
- int (*cert_match_name)(struct ssl_iostream *ssl_io, const char *name);
+ bool (*cert_match_name)(struct ssl_iostream *ssl_io, const char *name);
const char *(*get_peer_name)(struct ssl_iostream *ssl_io);
const char *(*get_server_name)(struct ssl_iostream *ssl_io);
const char *(*get_compression)(struct ssl_iostream *ssl_io);
return ssl_vfuncs->has_broken_client_cert(ssl_io);
}
-int ssl_iostream_cert_match_name(struct ssl_iostream *ssl_io, const char *name)
+bool ssl_iostream_cert_match_name(struct ssl_iostream *ssl_io, const char *name)
{
return ssl_vfuncs->cert_match_name(ssl_io, name);
}
*error_r = "Received invalid SSL certificate";
}
return -1;
- } else if (ssl_iostream_cert_match_name(ssl_io, host) < 0) {
+ } else if (!ssl_iostream_cert_match_name(ssl_io, host)) {
*error_r = t_strdup_printf(
"SSL certificate doesn't match expected host name %s",
host);
bool ssl_iostream_has_broken_client_cert(struct ssl_iostream *ssl_io);
int ssl_iostream_check_cert_validity(struct ssl_iostream *ssl_io,
const char *host, const char **error_r);
-int ssl_iostream_cert_match_name(struct ssl_iostream *ssl_io, const char *name);
+/* Returns TRUE if the given name matches the SSL stream's certificate. */
+bool ssl_iostream_cert_match_name(struct ssl_iostream *ssl_io, const char *name);
const char *ssl_iostream_get_peer_name(struct ssl_iostream *ssl_io);
const char *ssl_iostream_get_compression(struct ssl_iostream *ssl_io);
const char *ssl_iostream_get_server_name(struct ssl_iostream *ssl_io);
int ssl_proxy_cert_match_name(struct ssl_proxy *proxy, const char *verify_name)
{
- return openssl_cert_match_name(proxy->ssl, verify_name);
+ return openssl_cert_match_name(proxy->ssl, verify_name) ? 0 : -1;
}
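Review bot: ssl_proxy_cert_match_name now deliberately keeps the old int 0/-1 convention by mapping the bool with `? 0 : -1`, but nothing at the definition says so, and a later reader seeing the rest of the tree switch to bool may "fix" it and silently flip its meaning for existing `< 0` callers. Suggested comment above the function: `/* Returns 0 if verify_name matches the proxy's certificate, -1 if not. Intentionally keeps the int convention; callers test for < 0. */` The reason the wrapper was not converted along with the others is not visible in this diff, so the second sentence should be confirmed against its callers.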
const char *ssl_proxy_get_peer_name(struct ssl_proxy *proxy)