From: Timo Sirainen Date: Thu, 4 Apr 2013 12:40:08 +0000 (+0300) Subject: lib-ssl-iostream: If handshake callback fails, close the iostreams immediately. X-Git-Tag: 2.2.rc4~25 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9709107819ba60d41f737279dd070b40d46b4120;p=thirdparty%2Fdovecot%2Fcore.git lib-ssl-iostream: If handshake callback fails, close the iostreams immediately. This way the callback itself doesn't have to do it. Also fixes errors caused by it, since they didn't close the ostream.
---
diff --git a/src/doveadm/server-connection.c b/src/doveadm/server-connection.c
index a64bef4d6c..f59f2035fe 100644
--- a/src/doveadm/server-connection.c
+++ b/src/doveadm/server-connection.c
@@ -330,10 +330,12 @@ static int server_connection_ssl_handshaked(const char **error_r, void *context)
 *error_r = "SSL certificate not received"; else *error_r = "Received invalid SSL certificate";
+ return -1;
 } else if (ssl_iostream_cert_match_name(conn->ssl_iostream, host) < 0) { *error_r = t_strdup_printf( "SSL certificate doesn't match expected host name %s", host);
+ return -1;
 } else { if (doveadm_debug) { i_debug("%s: SSL handshake successful",
@@ -341,8 +343,6 @@ static int server_connection_ssl_handshaked(const char **error_r, void *context)
 } return 0; }
- i_stream_close(conn->input);
- return -1;
 } static int server_connection_init_ssl(struct server_connection *conn)
diff --git a/src/lib-http/http-client-connection.c b/src/lib-http/http-client-connection.c
index d45bafda14..446ba6ee3c 100644
--- a/src/lib-http/http-client-connection.c
+++ b/src/lib-http/http-client-connection.c
@@ -641,7 +641,7 @@ http_client_connection_ssl_handshaked(const char **error_r, void *context)
 { struct http_client_connection *conn = context;
- if (!conn->client->set.ssl_verify) {
+ if (conn->client->set.ssl_allow_invalid_cert) {
 /* skip certificate checks */ http_client_connection_debug(conn, "SSL handshake successful"); return 0; 
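Review bot: Nothing in server_connection_ssl_handshaked now says who closes the connection's streams once the two new `return -1;` paths are taken, so a later maintainer is likely to re-add the `i_stream_close(conn->input)` that this commit removes a few lines further down, or to wonder why a failed certificate check does no cleanup. I would put one comment above the first added return: `/* returning -1 makes lib-ssl-iostream close the plain streams; no cleanup here */`. The enclosing function starts before this hunk and its `i_debug` call continues past it.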
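Review bot: The branch taken when `ssl_allow_invalid_cert` is set returns 0 before any of the certificate checks that follow in this function, yet it logs the same `"SSL handshake successful"` text as the verified path, so someone reading a debug log cannot tell that the peer was never authenticated. Since this is the one place the client deliberately accepts an unverified peer, the message should say so, e.g. `http_client_connection_debug(conn, "SSL handshake successful (certificate not verified)");`. The `/* skip certificate checks */` comment would also read better as `/* ssl_allow_invalid_cert: skip validity and host name checks */`, because from the hunk alone it is not obvious that the host name match further down is skipped too. http_client_connection_ssl_handshaked continues outside this hunk.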
@@ -650,6 +650,7 @@ http_client_connection_ssl_handshaked(const char **error_r, void *context)
 *error_r = "SSL certificate not received"; else *error_r = "Received invalid SSL certificate";
+ return -1;
 } else { const char *host = http_client_peer_get_hostname(conn->peer);
@@ -662,9 +663,8 @@ http_client_connection_ssl_handshaked(const char **error_r, void *context)
 *error_r = t_strdup_printf( "SSL certificate doesn't match expected host name %s", host);
+ return -1;
 }
- i_stream_close(conn->conn.input);
- return -1;
 } static int
@@ -677,7 +677,7 @@ http_client_connection_ssl_init(struct http_client_connection *conn,
 i_assert(conn->client->ssl_ctx != NULL); memset(&ssl_set, 0, sizeof(ssl_set));
- if (conn->client->set.ssl_verify) {
+ if (!conn->client->set.ssl_allow_invalid_cert) {
 ssl_set.verbose_invalid_cert = TRUE; ssl_set.verify_remote_cert = TRUE; ssl_set.require_valid_cert = TRUE;
diff --git a/src/lib-http/http-client.h b/src/lib-http/http-client.h
index 5eb5e89d4e..2980b3cf8c 100644
--- a/src/lib-http/http-client.h
+++ b/src/lib-http/http-client.h
@@ -36,7 +36,6 @@ struct http_client_settings {
 const char *ssl_ca_dir, *ssl_ca; const char *ssl_crypto_device; bool ssl_allow_invalid_cert;
- bool ssl_verify;
 const char *rawlog_dir;
diff --git a/src/lib-imap-client/imapc-connection.c b/src/lib-imap-client/imapc-connection.c
index 94f07b4c95..113deb36a0 100644
--- a/src/lib-imap-client/imapc-connection.c
+++ b/src/lib-imap-client/imapc-connection.c
@@ -1151,7 +1151,6 @@ static int imapc_connection_ssl_handshaked(const char **error_r, void *context)
 return 0; } conn->handshake_failed = TRUE;
- i_stream_close(conn->input);
 return -1; }
diff --git a/src/lib-ssl-iostream/iostream-openssl.c b/src/lib-ssl-iostream/iostream-openssl.c
index 80ce04cd8c..d0b997aadd 100644
--- a/src/lib-ssl-iostream/iostream-openssl.c
+++ b/src/lib-ssl-iostream/iostream-openssl.c
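Review bot: Replacing `if (conn->client->set.ssl_verify)` with `if (!conn->client->set.ssl_allow_invalid_cert)` inverts the default for callers that leave the settings struct zero-initialized: before, a zeroed `ssl_verify` meant no verification, and now a zeroed `ssl_allow_invalid_cert` means `verify_remote_cert` and `require_valid_cert` are both TRUE. That is the right secure default, but it is a behavior change that the commit message does not mention, and such callers will presumably start failing the handshake unless they also configure `ssl_ca_dir` or `ssl_ca` (the fields visible in the http-client.h hunk) — worth stating in the commit message and checking the in-tree users of http_client_settings. A one-line comment on the condition would make the intent explicit: `/* verification is on by default; only ssl_allow_invalid_cert turns it off */`. http_client_connection_ssl_init starts before this hunk and continues after it.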
@@ -545,6 +545,8 @@ static int openssl_iostream_handshake(struct ssl_iostream *ssl_io)
 if (ssl_io->handshake_callback != NULL) { if (ssl_io->handshake_callback(&error, ssl_io->handshake_context) < 0) { i_assert(error != NULL);
+ i_stream_close(ssl_io->plain_input);
+ o_stream_close(ssl_io->plain_output);
 openssl_iostream_set_error(ssl_io, error); errno = EINVAL; return -1;
diff --git a/src/lib-storage/index/pop3c/pop3c-client.c b/src/lib-storage/index/pop3c/pop3c-client.c
index 8250ebdeb6..93dd8aac54 100644
--- a/src/lib-storage/index/pop3c/pop3c-client.c
+++ b/src/lib-storage/index/pop3c/pop3c-client.c
@@ -434,7 +434,6 @@ static int pop3c_client_ssl_handshaked(const char **error_r, void *context)
 return 0; } client->handshake_failed = TRUE;
- i_stream_close(client->input);
 return -1; }
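Review bot: The two new close calls run before `openssl_iostream_set_error(ssl_io, error)` records why the handshake failed, so if closing the plain output (or input) triggers any handler that inspects the ssl_iostream's error — I cannot see from this hunk whether it does — that handler observes a closed stream with no error set. Recording the error first costs nothing and removes the question: `openssl_iostream_set_error(ssl_io, error);` then `i_stream_close(ssl_io->plain_input);` then `o_stream_close(ssl_io->plain_output);`. This hunk also establishes a new contract for `handshake_callback` (a negative return closes both plain streams, so the callback must not do it itself); that belongs as a comment on the callback's declaration in the public header, which this commit does not touch, and a short note here would help too: `/* a failing callback must not close the streams itself; we do it here */`. openssl_iostream_handshake starts before this hunk and continues after it.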