From: Timo Sirainen Date: Tue, 31 Oct 2017 23:38:19 +0000 (+0200) Subject: lib-ssl-iostream: io_stream_create_ssl_client() - Move code to set verify_remote_cert... X-Git-Tag: 2.3.0.rc1~515 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=74b7b25c4ef1175fe1cd12fbd56a287b8c80595b;p=thirdparty%2Fdovecot%2Fcore.git lib-ssl-iostream: io_stream_create_ssl_client() - Move code to set verify_remote_cert=TRUE Enable it in the generic SSL code instead of OpenSSL-specific code.
---
diff --git a/src/lib-ssl-iostream/iostream-openssl-context.c b/src/lib-ssl-iostream/iostream-openssl-context.c
index d05e0c208a..ae35005fa1 100644
--- a/src/lib-ssl-iostream/iostream-openssl-context.c
+++ b/src/lib-ssl-iostream/iostream-openssl-context.c
@@ -577,14 +577,10 @@ int openssl_iostream_context_init_client(const struct ssl_iostream_settings *set
 struct ssl_iostream_context **ctx_r,
 const char **error_r)
 {
- struct ssl_iostream_settings set_copy = *set;
 struct ssl_iostream_context *ctx;
 SSL_CTX *ssl_ctx;
 
- /* ensure this is set to TRUE */
- set_copy.verify_remote_cert = TRUE;
-
- if (ssl_iostream_init_global(&set_copy, error_r) < 0)
+ if (ssl_iostream_init_global(set, error_r) < 0)
 return -1;
 if ((ssl_ctx = SSL_CTX_new(SSLv23_client_method())) == NULL) {
 *error_r = t_strdup_printf("SSL_CTX_new() failed: %s",
@@ -597,7 +593,7 @@ int openssl_iostream_context_init_client(const struct ssl_iostream_settings *set
 ctx->refcount = 1;
 ctx->ssl_ctx = ssl_ctx;
 ctx->client_ctx = TRUE;
- if (ssl_iostream_context_init_common(ctx, &set_copy, error_r) < 0) {
+ if (ssl_iostream_context_init_common(ctx, set, error_r) < 0) {
 ssl_iostream_context_unref(&ctx);
 return -1;
 }
diff --git a/src/lib-ssl-iostream/iostream-ssl.c b/src/lib-ssl-iostream/iostream-ssl.c
index 228c982eaf..2daa04e1b1 100644
--- a/src/lib-ssl-iostream/iostream-ssl.c
+++ b/src/lib-ssl-iostream/iostream-ssl.c
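Review bot: openssl_iostream_context_init_client() in iostream-openssl-context.c now hands the caller's `set` unchanged to ssl_iostream_init_global() and, in the second hunk of this file, to ssl_iostream_context_init_common(), so whether a client context verifies the remote certificate depends entirely on the caller having set verify_remote_cert first. Nothing visible in either hunk checks that precondition; if this backend entry point is ever reached other than through ssl_iostream_context_init_client(), a client context could be built with verification off and no error reported. Making the invariant explicit at the top of the function would keep it fail-closed, e.g. `i_assert(set->verify_remote_cert);`, or at minimum a comment such as `/* the generic ssl_iostream_context_init_client() guarantees verify_remote_cert=TRUE */`. The function's body continues outside both hunks.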
@@ -80,11 +80,16 @@ int ssl_iostream_context_init_client(const struct ssl_iostream_settings *set,
 struct ssl_iostream_context **ctx_r,
 const char **error_r)
 {
+ struct ssl_iostream_settings set_copy = *set;
+
+ /* ensure this is set to TRUE */
+ set_copy.verify_remote_cert = TRUE;
+
 if (!ssl_module_loaded) {
 if (ssl_module_load(error_r) < 0)
 return -1;
 }
- return ssl_vfuncs->context_init_client(set, ctx_r, error_r);
+ return ssl_vfuncs->context_init_client(&set_copy, ctx_r, error_r);
 }
 
 int ssl_iostream_context_init_server(const struct ssl_iostream_settings *set,
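Review bot: The comment `/* ensure this is set to TRUE */` in ssl_iostream_context_init_client() restates the assignment but gives neither the reason nor the consequence, namely that a caller passing verify_remote_cert=FALSE is silently overridden. Something like `/* client contexts always verify the remote certificate; override whatever the caller passed */` would make that contract visible to anyone adding another backend behind ssl_vfuncs. Because the enforcement now lives only in this wrapper, a unit test that creates a client context with verify_remote_cert=FALSE and checks that verification is still requested would guard against a regression. set_copy is a shallow stack copy, so this presumably relies on context_init_client() not retaining the settings pointer after it returns, which is worth confirming.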