From: Timo Sirainen <timo.sirainen@dovecot.fi>
Date: Tue, 31 Oct 2017 22:08:26 +0000 (+0200)
Subject: lib-ssl-iostream: ssl_iostream_cert_match_name() - Change to return bool
X-Git-Tag: 2.3.0.rc1~527
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=18344a653fb063e599e24d1e9f7d5db4d8fd7b45;p=thirdparty%2Fdovecot%2Fcore.git

lib-ssl-iostream: ssl_iostream_cert_match_name() - Change to return bool

The return value makes much more sense as a boolean TRUE/FALSE than 0/-1.
---

diff --git a/src/lib-ssl-iostream/iostream-openssl-common.c b/src/lib-ssl-iostream/iostream-openssl-common.c
index d1732be9c8..ecc7294c40 100644
--- a/src/lib-ssl-iostream/iostream-openssl-common.c
+++ b/src/lib-ssl-iostream/iostream-openssl-common.c
@@ -154,7 +154,7 @@ static bool openssl_hostname_equals(const char *ssl_name, const char *host)
 	return p != NULL && strcmp(ssl_name+2, p+1) == 0;
 }
 
-int openssl_cert_match_name(SSL *ssl, const char *verify_name)
+bool openssl_cert_match_name(SSL *ssl, const char *verify_name)
 {
 	X509 *cert;
 	STACK_OF(GENERAL_NAME) *gnames;
@@ -163,7 +163,7 @@ int openssl_cert_match_name(SSL *ssl, const char *verify_name)
 	const char *dnsname;
 	bool dns_names = FALSE;
 	unsigned int i, count;
-	int ret;
+	bool ret;
 
 	cert = SSL_get_peer_certificate(ssl);
 	i_assert(cert != NULL);
@@ -203,11 +203,11 @@ int openssl_cert_match_name(SSL *ssl, const char *verify_name)
 	/* verify against CommonName only when there wasn't any DNS
 	   SubjectAltNames */
 	if (dns_names)
-		ret = i < count ? 0 : -1;
+		ret = i < count;
 	else if (openssl_hostname_equals(get_cname(cert), verify_name))
-		ret = 0;
+		ret = TRUE;
 	else
-		ret = -1;
+		ret = FALSE;
 	X509_free(cert);
 	return ret;
 }
diff --git a/src/lib-ssl-iostream/iostream-openssl.c b/src/lib-ssl-iostream/iostream-openssl.c
index f4a7a51a5e..04156f9699 100644
--- a/src/lib-ssl-iostream/iostream-openssl.c
+++ b/src/lib-ssl-iostream/iostream-openssl.c
@@ -587,12 +587,12 @@ int openssl_iostream_handle_error(struct ssl_iostream *ssl_io, int ret,
 	return -1;
 }
 
-static int
+static bool
 openssl_iostream_cert_match_name(struct ssl_iostream *ssl_io,
 				 const char *verify_name)
 {
 	if (!ssl_iostream_has_valid_client_cert(ssl_io))
-		return -1;
+		return FALSE;
 
 	return openssl_cert_match_name(ssl_io->ssl, verify_name);
 }
@@ -629,7 +629,7 @@ static int openssl_iostream_handshake(struct ssl_iostream *ssl_io)
 			ssl_io->handshake_failed = TRUE;
 		}
 	} else if (ssl_io->connected_host != NULL && !ssl_io->handshake_failed) {
-		if (ssl_iostream_cert_match_name(ssl_io, ssl_io->connected_host) < 0) {
+		if (!ssl_iostream_cert_match_name(ssl_io, ssl_io->connected_host)) {
 			openssl_iostream_set_error(ssl_io, t_strdup_printf(
 				"SSL certificate doesn't match expected host name %s",
 				ssl_io->connected_host));
diff --git a/src/lib-ssl-iostream/iostream-openssl.h b/src/lib-ssl-iostream/iostream-openssl.h
index 65a70d9bc4..405dff1552 100644
--- a/src/lib-ssl-iostream/iostream-openssl.h
+++ b/src/lib-ssl-iostream/iostream-openssl.h
@@ -82,7 +82,7 @@ void openssl_iostream_global_deinit(void);
 
 int openssl_iostream_load_key(const struct ssl_iostream_cert *set,
 			      EVP_PKEY **pkey_r, const char **error_r);
-int openssl_cert_match_name(SSL *ssl, const char *verify_name);
+bool openssl_cert_match_name(SSL *ssl, const char *verify_name);
 int openssl_get_protocol_options(const char *protocols);
 #define OPENSSL_ALL_PROTOCOL_OPTIONS \
 	(SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1)
diff --git a/src/lib-ssl-iostream/iostream-ssl-private.h b/src/lib-ssl-iostream/iostream-ssl-private.h
index 6efb842a3b..2242f63609 100644
--- a/src/lib-ssl-iostream/iostream-ssl-private.h
+++ b/src/lib-ssl-iostream/iostream-ssl-private.h
@@ -30,7 +30,7 @@ struct iostream_ssl_vfuncs {
 	bool (*has_handshake_failed)(const struct ssl_iostream *ssl_io);
 	bool (*has_valid_client_cert)(const struct ssl_iostream *ssl_io);
 	bool (*has_broken_client_cert)(struct ssl_iostream *ssl_io);
-	int (*cert_match_name)(struct ssl_iostream *ssl_io, const char *name);
+	bool (*cert_match_name)(struct ssl_iostream *ssl_io, const char *name);
 	const char *(*get_peer_name)(struct ssl_iostream *ssl_io);
 	const char *(*get_server_name)(struct ssl_iostream *ssl_io);
 	const char *(*get_compression)(struct ssl_iostream *ssl_io);
diff --git a/src/lib-ssl-iostream/iostream-ssl.c b/src/lib-ssl-iostream/iostream-ssl.c
index 5431b771ea..f23819d37f 100644
--- a/src/lib-ssl-iostream/iostream-ssl.c
+++ b/src/lib-ssl-iostream/iostream-ssl.c
@@ -187,7 +187,7 @@ bool ssl_iostream_has_broken_client_cert(struct ssl_iostream *ssl_io)
 	return ssl_vfuncs->has_broken_client_cert(ssl_io);
 }
 
-int ssl_iostream_cert_match_name(struct ssl_iostream *ssl_io, const char *name)
+bool ssl_iostream_cert_match_name(struct ssl_iostream *ssl_io, const char *name)
 {
 	return ssl_vfuncs->cert_match_name(ssl_io, name);
 }
@@ -204,7 +204,7 @@ int ssl_iostream_check_cert_validity(struct ssl_iostream *ssl_io,
 				*error_r = "Received invalid SSL certificate";
 		}
 		return -1;
-	} else if (ssl_iostream_cert_match_name(ssl_io, host) < 0) {
+	} else if (!ssl_iostream_cert_match_name(ssl_io, host)) {
 		*error_r = t_strdup_printf(
 			"SSL certificate doesn't match expected host name %s",
 			host);
diff --git a/src/lib-ssl-iostream/iostream-ssl.h b/src/lib-ssl-iostream/iostream-ssl.h
index a385f95043..f3e5fef6b9 100644
--- a/src/lib-ssl-iostream/iostream-ssl.h
+++ b/src/lib-ssl-iostream/iostream-ssl.h
@@ -80,7 +80,8 @@ bool ssl_iostream_has_valid_client_cert(const struct ssl_iostream *ssl_io);
 bool ssl_iostream_has_broken_client_cert(struct ssl_iostream *ssl_io);
 int ssl_iostream_check_cert_validity(struct ssl_iostream *ssl_io,
 				     const char *host, const char **error_r);
-int ssl_iostream_cert_match_name(struct ssl_iostream *ssl_io, const char *name);
+/* Returns TRUE if the given name matches the SSL stream's certificate. */
+bool ssl_iostream_cert_match_name(struct ssl_iostream *ssl_io, const char *name);
 const char *ssl_iostream_get_peer_name(struct ssl_iostream *ssl_io);
 const char *ssl_iostream_get_compression(struct ssl_iostream *ssl_io);
 const char *ssl_iostream_get_server_name(struct ssl_iostream *ssl_io);
diff --git a/src/login-common/ssl-proxy-openssl.c b/src/login-common/ssl-proxy-openssl.c
index 017cd8630f..7485a896f1 100644
--- a/src/login-common/ssl-proxy-openssl.c
+++ b/src/login-common/ssl-proxy-openssl.c
@@ -603,7 +603,7 @@ bool ssl_proxy_has_broken_client_cert(struct ssl_proxy *proxy)
 
 int ssl_proxy_cert_match_name(struct ssl_proxy *proxy, const char *verify_name)
 {
-	return openssl_cert_match_name(proxy->ssl, verify_name);
+	return openssl_cert_match_name(proxy->ssl, verify_name) ? 0 : -1;
 }
 
 const char *ssl_proxy_get_peer_name(struct ssl_proxy *proxy)