dovecot-2.2: lib-ssl-iostream: If handshake callback fails, clos...

dovecot at dovecot.org dovecot at dovecot.org
Thu Apr 4 15:40:19 EEST 2013


details:   http://hg.dovecot.org/dovecot-2.2/rev/4e9851e24c28
changeset: 16156:4e9851e24c28
user:      Timo Sirainen <tss at iki.fi>
date:      Thu Apr 04 15:40:08 2013 +0300
description:
lib-ssl-iostream: If handshake callback fails, close the iostreams immediately.
This way the callback itself doesn't have to do it. This also fixes the errors
that resulted from callbacks closing only the istream and leaving the ostream open.

diffstat:

 src/doveadm/server-connection.c            |  4 ++--
 src/lib-http/http-client-connection.c      |  8 ++++----
 src/lib-http/http-client.h                 |  1 -
 src/lib-imap-client/imapc-connection.c     |  1 -
 src/lib-ssl-iostream/iostream-openssl.c    |  2 ++
 src/lib-storage/index/pop3c/pop3c-client.c |  1 -
 6 files changed, 8 insertions(+), 9 deletions(-)

diffs (110 lines):

diff -r c1f1624a299c -r 4e9851e24c28 src/doveadm/server-connection.c
--- a/src/doveadm/server-connection.c	Thu Apr 04 15:21:52 2013 +0300
+++ b/src/doveadm/server-connection.c	Thu Apr 04 15:40:08 2013 +0300
@@ -330,10 +330,12 @@
 			*error_r = "SSL certificate not received";
 		else
 			*error_r = "Received invalid SSL certificate";
+		return -1;
 	} else if (ssl_iostream_cert_match_name(conn->ssl_iostream, host) < 0) {
 		*error_r = t_strdup_printf(
 			"SSL certificate doesn't match expected host name %s",
 			host);
+		return -1;
 	} else {
 		if (doveadm_debug) {
 			i_debug("%s: SSL handshake successful",
@@ -341,8 +343,6 @@
 		}
 		return 0;
 	}
-	i_stream_close(conn->input);
-	return -1;
 }
 
 static int server_connection_init_ssl(struct server_connection *conn)
diff -r c1f1624a299c -r 4e9851e24c28 src/lib-http/http-client-connection.c
--- a/src/lib-http/http-client-connection.c	Thu Apr 04 15:21:52 2013 +0300
+++ b/src/lib-http/http-client-connection.c	Thu Apr 04 15:40:08 2013 +0300
@@ -641,7 +641,7 @@
 {
 	struct http_client_connection *conn = context;
 
-	if (!conn->client->set.ssl_verify) {
+	if (conn->client->set.ssl_allow_invalid_cert) {
 		/* skip certificate checks */
 		http_client_connection_debug(conn, "SSL handshake successful");
 		return 0;
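Review bot: The condition `if (conn->client->set.ssl_allow_invalid_cert)` inverts the http client's default: a zero-initialised settings struct previously had `ssl_verify = FALSE` and skipped the certificate checks, whereas it now verifies the peer certificate and fails the handshake on an invalid cert or host-name mismatch. That is the safer, fail-closed default, but it is a behaviour change for every caller that never set `ssl_verify`, and neither the commit description nor the `http-client.h` hunk that drops the field says so. Suggest recording it next to the remaining field in the header, e.g. `/* FALSE (the default) verifies the remote certificate; TRUE skips the checks */`, and mentioning the flip in the description. The same inversion is made in the settings hunk starting at `i_assert(conn->client->ssl_ctx != NULL);`. The enclosing callback starts before this hunk.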
@@ -650,6 +650,7 @@
 			*error_r = "SSL certificate not received";
 		else
 			*error_r = "Received invalid SSL certificate";
+		return -1;
 	} else {
 		const char *host = http_client_peer_get_hostname(conn->peer);
 
@@ -662,9 +663,8 @@
 
 		*error_r = t_strdup_printf(
 			"SSL certificate doesn't match expected host name %s", host);
+		return -1;
 	}
-	i_stream_close(conn->conn.input);
-	return -1;
 }
 
 static int 
@@ -677,7 +677,7 @@
 	i_assert(conn->client->ssl_ctx != NULL);
 
 	memset(&ssl_set, 0, sizeof(ssl_set));
-	if (conn->client->set.ssl_verify) {
+	if (!conn->client->set.ssl_allow_invalid_cert) {
 		ssl_set.verbose_invalid_cert = TRUE;
 		ssl_set.verify_remote_cert = TRUE;
 		ssl_set.require_valid_cert = TRUE;
diff -r c1f1624a299c -r 4e9851e24c28 src/lib-http/http-client.h
--- a/src/lib-http/http-client.h	Thu Apr 04 15:21:52 2013 +0300
+++ b/src/lib-http/http-client.h	Thu Apr 04 15:40:08 2013 +0300
@@ -36,7 +36,6 @@
 	const char *ssl_ca_dir, *ssl_ca;
 	const char *ssl_crypto_device;
 	bool ssl_allow_invalid_cert;
-	bool ssl_verify;
 
 	const char *rawlog_dir;
 
diff -r c1f1624a299c -r 4e9851e24c28 src/lib-imap-client/imapc-connection.c
--- a/src/lib-imap-client/imapc-connection.c	Thu Apr 04 15:21:52 2013 +0300
+++ b/src/lib-imap-client/imapc-connection.c	Thu Apr 04 15:40:08 2013 +0300
@@ -1151,7 +1151,6 @@
 		return 0;
 	}
 	conn->handshake_failed = TRUE;
-	i_stream_close(conn->input);
 	return -1;
 }
 
diff -r c1f1624a299c -r 4e9851e24c28 src/lib-ssl-iostream/iostream-openssl.c
--- a/src/lib-ssl-iostream/iostream-openssl.c	Thu Apr 04 15:21:52 2013 +0300
+++ b/src/lib-ssl-iostream/iostream-openssl.c	Thu Apr 04 15:40:08 2013 +0300
@@ -545,6 +545,8 @@
 	if (ssl_io->handshake_callback != NULL) {
 		if (ssl_io->handshake_callback(&error, ssl_io->handshake_context) < 0) {
 			i_assert(error != NULL);
+			i_stream_close(ssl_io->plain_input);
+			o_stream_close(ssl_io->plain_output);
 			openssl_iostream_set_error(ssl_io, error);
 			errno = EINVAL;
 			return -1;
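Review bot: The two new close calls introduce a contract that nothing in the hunk documents: a failing `handshake_callback` no longer has to close the streams itself, because `plain_input` and `plain_output` are now closed here before the error is recorded, and the doveadm, http-client, imapc and pop3c callbacks in this commit drop their own `i_stream_close` on that assumption. A comment at the close calls would protect it, e.g. `/* callback failed: close both plain streams here so callers don't have to (and can't forget the ostream) */`; the callback's declaration should state the same, though it is not visible here. Keep `errno = EINVAL` after the close calls as written, since the closes might themselves set errno. The enclosing function starts and ends outside this hunk.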
diff -r c1f1624a299c -r 4e9851e24c28 src/lib-storage/index/pop3c/pop3c-client.c
--- a/src/lib-storage/index/pop3c/pop3c-client.c	Thu Apr 04 15:21:52 2013 +0300
+++ b/src/lib-storage/index/pop3c/pop3c-client.c	Thu Apr 04 15:40:08 2013 +0300
@@ -434,7 +434,6 @@
 		return 0;
 	}
 	client->handshake_failed = TRUE;
-	i_stream_close(client->input);
 	return -1;
 }
 

