The enum gives more details about what failed.
const char *error, *host = pshared->addr.a.tcp.https_name;
if (ssl_iostream_check_cert_validity(conn->ssl_iostream,
- host, &error) == 0)
+ host, &error) == SSL_IOSTREAM_CERT_VALIDITY_OK)
e_debug(conn->event, "SSL handshake successful");
else if (ssl_iostream_get_allow_invalid_cert(conn->ssl_iostream)) {
e_debug(conn->event, "SSL handshake successful, "
const char *error;
if (ssl_iostream_check_cert_validity(conn->ssl_iostream,
- conn->client->set->imapc_host, &error) == 0) {
+ conn->client->set->imapc_host,
+ &error) == SSL_IOSTREAM_CERT_VALIDITY_OK) {
e_debug(conn->event, "SSL handshake successful");
return 0;
} else if (ssl_iostream_get_allow_invalid_cert(conn->ssl_iostream)) {
const char *error, *host = conn->host;
if (ssl_iostream_check_cert_validity(conn->ssl_iostream,
- host, &error) == 0) {
+ host, &error) == SSL_IOSTREAM_CERT_VALIDITY_OK) {
e_debug(conn->event, "SSL handshake successful");
} else if (ssl_iostream_get_allow_invalid_cert(conn->ssl_iostream)) {
e_debug(conn->event, "SSL handshake successful, "
}
} else if (ssl_io->connected_host != NULL && !ssl_io->handshake_failed &&
!ssl_io->allow_invalid_cert) {
- if (ssl_iostream_check_cert_validity(ssl_io, ssl_io->connected_host, &reason) < 0) {
+ if (ssl_iostream_check_cert_validity(ssl_io, ssl_io->connected_host,
+ &reason) != SSL_IOSTREAM_CERT_VALIDITY_OK) {
openssl_iostream_set_error(ssl_io, reason);
ssl_io->handshake_failed = TRUE;
}
return ssl_vfuncs->cert_match_name(ssl_io, name, reason_r);
}
-int ssl_iostream_check_cert_validity(struct ssl_iostream *ssl_io,
- const char *host, const char **error_r)
+enum ssl_iostream_cert_validity
+ssl_iostream_check_cert_validity(struct ssl_iostream *ssl_io,
+ const char *host, const char **error_r)
{
const char *reason;
if (!ssl_iostream_has_valid_client_cert(ssl_io)) {
- if (!ssl_iostream_has_client_cert(ssl_io))
+ if (!ssl_iostream_has_client_cert(ssl_io)) {
*error_r = "SSL certificate not received";
- else {
+ return SSL_IOSTREAM_CERT_VALIDITY_NO_CERT;
+ } else {
*error_r = t_strdup(ssl_iostream_get_last_error(ssl_io));
if (*error_r == NULL)
*error_r = "Received invalid SSL certificate";
+ return SSL_IOSTREAM_CERT_VALIDITY_INVALID;
}
- return -1;
} else if (!ssl_iostream_cert_match_name(ssl_io, host, &reason)) {
*error_r = t_strdup_printf(
"SSL certificate doesn't match expected host name %s: %s",
host, reason);
- return -1;
+ return SSL_IOSTREAM_CERT_VALIDITY_NAME_MISMATCH;
}
- return 0;
+ return SSL_IOSTREAM_CERT_VALIDITY_OK;
}
bool ssl_iostream_get_allow_invalid_cert(struct ssl_iostream *ssl_io)
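Review bot: In the new ssl_iostream_check_cert_validity() body the `} else {` that follows `return SSL_IOSTREAM_CERT_VALIDITY_NO_CERT;` is redundant and keeps the invalid-certificate path one level deeper than necessary. Closing the brace after the return and placing the t_strdup()/`"Received invalid SSL certificate"` block at the same indentation as the preceding `if` turns the function into a flat sequence of guard clauses, matching the NAME_MISMATCH branch below it. Behaviour is identical either way; this is only about how the new code reads.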
SSL_IOSTREAM_FLAG_DISABLE_CA_FILES = BIT(1),
};
+enum ssl_iostream_cert_validity {
+ /* SSL certificate is valid. */
+ SSL_IOSTREAM_CERT_VALIDITY_OK,
+ /* SSL certificate has not been received. */
+ SSL_IOSTREAM_CERT_VALIDITY_NO_CERT,
+ /* SSL certificate is invalid/untrusted. */
+ SSL_IOSTREAM_CERT_VALIDITY_INVALID,
+ /* SSL certificate is valid, but it doesn't match the name. */
+ SSL_IOSTREAM_CERT_VALIDITY_NAME_MISMATCH,
+};
+
struct ssl_iostream_cert {
struct settings_file cert;
struct settings_file key;
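Review bot: SSL_IOSTREAM_CERT_VALIDITY_OK is 0 only because it is the first enumerator, and all three failure values are positive, so any caller that this commit did not convert and that still uses the old `< 0` idiom (the form the openssl hunk replaces in the connected_host check) would now treat every outcome, including NO_CERT and INVALID, as a valid certificate. Pinning the value with `SSL_IOSTREAM_CERT_VALIDITY_OK = 0,` and a comment such as `/* Callers must compare against SSL_IOSTREAM_CERT_VALIDITY_OK, never the sign of the result. */` makes the intended contract explicit. A grep for remaining `< 0` comparisons on ssl_iostream_check_cert_validity() outside the files touched here is worth doing before merging, since the enum return type will not produce a compiler diagnostic for them.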
This function is same as calling ssl_iostream_has_valid_client_cert()
and ssl_iostream_cert_match_name().
*/
-int ssl_iostream_check_cert_validity(struct ssl_iostream *ssl_io,
- const char *host, const char **error_r);
+enum ssl_iostream_cert_validity
+ssl_iostream_check_cert_validity(struct ssl_iostream *ssl_io,
+ const char *host, const char **error_r);
/* Returns TRUE if the given name matches the SSL stream's certificate.
The returned reason is a human-readable string explaining what exactly
matched the name, or why nothing matched. Note that this function works
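Review bot: The comment above the changed prototype (it begins before this hunk) describes the function as ssl_iostream_has_valid_client_cert() plus ssl_iostream_cert_match_name() but does not state the error_r contract the implementation now has: error_r is written only when the result is not SSL_IOSTREAM_CERT_VALIDITY_OK, and on the INVALID and NAME_MISMATCH paths it points at a string produced by t_strdup()/t_strdup_printf(), so callers should not keep the pointer beyond the current data stack frame. Suggest extending the comment with: `Returns SSL_IOSTREAM_CERT_VALIDITY_OK and leaves error_r untouched on success; otherwise returns which check failed and sets error_r to a human-readable reason that may be allocated from the data stack.`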
} else if (client->hostname != NULL &&
!client->set->allow_invalid_cert &&
ssl_iostream_check_cert_validity(client->iostream, client->hostname,
- &error) != 0) {
+ &error) != SSL_IOSTREAM_CERT_VALIDITY_OK) {
i_error("client(%s): %s", client->hostname, error);
ret = -1;
/* client cert */
} else if (server->set->verify_remote_cert &&
- ssl_iostream_check_cert_validity(server->iostream, NULL, &error) != 0) {
+ ssl_iostream_check_cert_validity(server->iostream, NULL,
+ &error) != SSL_IOSTREAM_CERT_VALIDITY_OK) {
i_error("server: %s", error);
ret = -1;
}
const char *error;
if (ssl_iostream_check_cert_validity(client->ssl_iostream,
- client->set.host, &error) == 0) {
+ client->set.host, &error) == SSL_IOSTREAM_CERT_VALIDITY_OK) {
e_debug(client->event, "SSL handshake successful");
return 0;
} else if (ssl_iostream_get_allow_invalid_cert(client->ssl_iostream)) {