lib-ssl-iostream: If handshake callback fails, close the iostreams immediately.
authorTimo Sirainen <tss@iki.fi>
Thu, 4 Apr 2013 12:40:08 +0000 (15:40 +0300)
committerTimo Sirainen <tss@iki.fi>
Thu, 4 Apr 2013 12:40:08 +0000 (15:40 +0300)
This way the callback itself doesn't have to do it. This also fixes errors caused
by the callbacks, since they didn't close the ostream.

src/doveadm/server-connection.c
src/lib-http/http-client-connection.c
src/lib-http/http-client.h
src/lib-imap-client/imapc-connection.c
src/lib-ssl-iostream/iostream-openssl.c
src/lib-storage/index/pop3c/pop3c-client.c

index a64bef4d6c2f91cb1118a578755d3c56d142e0bf..f59f2035febc3f7716581830143f03ddc9d30db6 100644 (file)
@@ -330,10 +330,12 @@ static int server_connection_ssl_handshaked(const char **error_r, void *context)
                        *error_r = "SSL certificate not received";
                else
                        *error_r = "Received invalid SSL certificate";
+               return -1;
        } else if (ssl_iostream_cert_match_name(conn->ssl_iostream, host) < 0) {
                *error_r = t_strdup_printf(
                        "SSL certificate doesn't match expected host name %s",
                        host);
+               return -1;
        } else {
                if (doveadm_debug) {
                        i_debug("%s: SSL handshake successful",
@@ -341,8 +343,6 @@ static int server_connection_ssl_handshaked(const char **error_r, void *context)
                }
                return 0;
        }
-       i_stream_close(conn->input);
-       return -1;
 }
 
 static int server_connection_init_ssl(struct server_connection *conn)
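Review bot: server_connection_ssl_handshaked now relies on openssl_iostream_handshake closing the streams whenever the callback returns -1, yet nothing at the callback's declaration records that contract; a comment on the handshake callback type in the lib-ssl-iostream header, such as `/* Returning -1 fails the handshake and closes both plain streams; the callback must not close them itself */`, would keep future callbacks from closing streams the library already closes. The imapc (src/lib-imap-client/imapc-connection.c) and pop3c (src/lib-storage/index/pop3c/pop3c-client.c) sections of this commit drop the same i_stream_close call and depend on the same unwritten contract. As a point of style, every branch of the if chain now returns, so the `} else {` wrapping the success path could be removed and the debug/return block unindented, since it can no longer fall through to shared cleanup. The function's opening lines are outside the first hunk.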
index d45bafda14b4fe01a2a75d36a1a5d2b70495bd69..446ba6ee3cb84c9480abd6eea623aa53dcd70ab0 100644 (file)
@@ -641,7 +641,7 @@ http_client_connection_ssl_handshaked(const char **error_r, void *context)
 {
        struct http_client_connection *conn = context;
 
-       if (!conn->client->set.ssl_verify) {
+       if (conn->client->set.ssl_allow_invalid_cert) {
                /* skip certificate checks */
                http_client_connection_debug(conn, "SSL handshake successful");
                return 0;
@@ -650,6 +650,7 @@ http_client_connection_ssl_handshaked(const char **error_r, void *context)
                        *error_r = "SSL certificate not received";
                else
                        *error_r = "Received invalid SSL certificate";
+               return -1;
        } else {
                const char *host = http_client_peer_get_hostname(conn->peer);
 
@@ -662,9 +663,8 @@ http_client_connection_ssl_handshaked(const char **error_r, void *context)
 
                *error_r = t_strdup_printf(
                        "SSL certificate doesn't match expected host name %s", host);
+               return -1;
        }
-       i_stream_close(conn->conn.input);
-       return -1;
 }
 
 static int 
@@ -677,7 +677,7 @@ http_client_connection_ssl_init(struct http_client_connection *conn,
        i_assert(conn->client->ssl_ctx != NULL);
 
        memset(&ssl_set, 0, sizeof(ssl_set));
-       if (conn->client->set.ssl_verify) {
+       if (!conn->client->set.ssl_allow_invalid_cert) {
                ssl_set.verbose_invalid_cert = TRUE;
                ssl_set.verify_remote_cert = TRUE;
                ssl_set.require_valid_cert = TRUE;
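Review bot: The new early return at the top of http_client_connection_ssl_handshaked means ssl_allow_invalid_cert skips the host-name match performed further down as well as the certificate validity check, which the field name alone does not convey; the field's declaration in src/lib-http/http-client.h should state it, e.g. `/* skips both certificate validation and host-name matching */`. Inverting the setting so that a zero-initialized struct verifies by default is the safer direction, and removing `ssl_verify` from the struct means any remaining initializer of that field outside this commit, if one exists, fails to compile rather than silently losing verification, which is the right failure mode. Both functions touched in this file begin before their hunks.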
index 5eb5e89d4ef6444d54560fd277b4621f958a5ad1..2980b3cf8cba926f589866d4d58fc80c4d9fc00c 100644 (file)
@@ -36,7 +36,6 @@ struct http_client_settings {
        const char *ssl_ca_dir, *ssl_ca;
        const char *ssl_crypto_device;
        bool ssl_allow_invalid_cert;
-       bool ssl_verify;
 
        const char *rawlog_dir;
 
index 94f07b4c950399a41c6396005e9e2fb114606f75..113deb36a0676c4d20ac2bd02f7d301eccffb05c 100644 (file)
@@ -1151,7 +1151,6 @@ static int imapc_connection_ssl_handshaked(const char **error_r, void *context)
                return 0;
        }
        conn->handshake_failed = TRUE;
-       i_stream_close(conn->input);
        return -1;
 }
 
index 80ce04cd8c6c93a2cfd03142d9f1137ffc8e1dd7..d0b997aadd87aaafcc08ddfba019f977e9b1110b 100644 (file)
@@ -545,6 +545,8 @@ static int openssl_iostream_handshake(struct ssl_iostream *ssl_io)
        if (ssl_io->handshake_callback != NULL) {
                if (ssl_io->handshake_callback(&error, ssl_io->handshake_context) < 0) {
                        i_assert(error != NULL);
+                       i_stream_close(ssl_io->plain_input);
+                       o_stream_close(ssl_io->plain_output);
                        openssl_iostream_set_error(ssl_io, error);
                        errno = EINVAL;
                        return -1;
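Review bot: The two new close calls carry no comment explaining why both plain streams are torn down here instead of only recording the error; a line such as `/* the callback rejected the peer (e.g. certificate check failed): close both plain streams so no application data crosses the unverified connection */` above them would make the intent clear to the next reader. It is worth confirming that closing plain_output before openssl_iostream_set_error runs does not discard the error text callers expect, since the stream state changes before the error is stored. openssl_iostream_handshake starts before this hunk and continues past it, so the other handshake failure paths are not visible here.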
index 8250ebdeb6db5568f14403f16d74d1c4925ae1b2..93dd8aac54796a3021bb43a9958769de9c9ad7e5 100644 (file)
@@ -434,7 +434,6 @@ static int pop3c_client_ssl_handshaked(const char **error_r, void *context)
                return 0;
        }
        client->handshake_failed = TRUE;
-       i_stream_close(client->input);
        return -1;
 }