From: Aki Tuomi Date: Wed, 14 Nov 2018 13:21:36 +0000 (+0200) Subject: lib-imap-client: Use iostream ssl settings directly X-Git-Tag: 2.3.6~112 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0372fd60f3f1237c763baa977328893f4799f11e;p=thirdparty%2Fdovecot%2Fcore.git lib-imap-client: Use iostream ssl settings directly Prevents custom SSL CAs and certificate verification disabling until fixed by subsequent commits.
---
diff --git a/src/lib-imap-client/imapc-client.c b/src/lib-imap-client/imapc-client.c
index 61d8e1c2ef..0088083ab5 100644
--- a/src/lib-imap-client/imapc-client.c
+++ b/src/lib-imap-client/imapc-client.c
@@ -50,7 +50,6 @@ struct imapc_client *
 imapc_client_init(const struct imapc_client_settings *set)
 {
 struct imapc_client *client;
- struct ssl_iostream_settings ssl_set;
 const char *error;
 pool_t pool;
@@ -97,17 +96,9 @@ imapc_client_init(const struct imapc_client_settings *set)
 if (set->ssl_mode != IMAPC_CLIENT_SSL_MODE_NONE) {
 client->set.ssl_mode = set->ssl_mode;
- client->set.ssl_ca_dir = p_strdup(pool, set->ssl_ca_dir);
- client->set.ssl_ca_file = p_strdup(pool, set->ssl_ca_file);
- client->set.ssl_verify = set->ssl_verify;
-
- i_zero(&ssl_set);
- ssl_set.ca_dir = set->ssl_ca_dir;
- ssl_set.ca_file = set->ssl_ca_file;
- ssl_set.allow_invalid_cert = !set->ssl_verify;
- ssl_set.crypto_device = set->ssl_crypto_device;
-
- if (ssl_iostream_client_context_cache_get(&ssl_set,
+ ssl_iostream_settings_init_from(pool, &client->set.ssl_set, &set->ssl_set);
+ client->set.ssl_set.verbose_invalid_cert = !client->set.ssl_set.allow_invalid_cert;
+ if (ssl_iostream_client_context_cache_get(&client->set.ssl_set,
 &client->ssl_ctx, &error) < 0) {
 i_error("imapc(%s:%u): Couldn't initialize SSL context: %s",
diff --git a/src/lib-imap-client/imapc-client.h b/src/lib-imap-client/imapc-client.h
index 269e94bc55..6431c16a6b 100644
--- a/src/lib-imap-client/imapc-client.h
+++ b/src/lib-imap-client/imapc-client.h
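Review bot: In the `@@ -97,17 +96,9 @@` hunk of imapc-client.c, `imapc_client_init()` stops reading `set->ssl_ca_dir`, `set->ssl_ca_file`, `set->ssl_verify` and `set->ssl_crypto_device`, and nothing in the code says those fields are now ignored. The `struct imapc_client_settings` hunk in imapc-client.h still shows `ssl_ca_dir`/`ssl_ca_file` declared right after the new `ssl_set` member. A caller that fills only the legacy fields would, assuming its `ssl_set` is zero-filled, get a context with no CA and verification still on; that fails closed as the commit message describes, but the cause is not visible at the call site. I would add a comment above the new member, e.g. `/* TLS settings are taken only from ssl_set; ssl_ca_dir and ssl_ca_file below are not consulted */`, and a matching one-line comment above the `ssl_iostream_settings_init_from()` call. The body of `imapc_client_init()` continues outside the hunk.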
@@ -2,6 +2,7 @@
 #define IMAPC_CLIENT_H
 #include "net.h"
+#include "iostream-ssl.h"
 /* IMAP RFC defines this to be at least 30 minutes. */
 #define IMAPC_DEFAULT_MAX_IDLE_TIME (60*29)
@@ -92,6 +93,7 @@ struct imapc_client_settings {
 const char *dns_client_socket_path;
 const char *temp_path_prefix;
+ struct ssl_iostream_settings ssl_set;
 enum imapc_client_ssl_mode ssl_mode;
 const char *ssl_ca_dir, *ssl_ca_file;
diff --git a/src/lib-imap-client/imapc-connection.c b/src/lib-imap-client/imapc-connection.c
index 5ac544f5c6..c0dd466471 100644
--- a/src/lib-imap-client/imapc-connection.c
+++ b/src/lib-imap-client/imapc-connection.c
@@ -1624,7 +1624,7 @@ static int imapc_connection_ssl_handshaked(const char **error_r, void *context)
 conn->name);
 }
 return 0;
- } else if (!conn->client->set.ssl_verify) {
+ } else if (conn->client->set.ssl_set.allow_invalid_cert) {
 if (conn->client->set.debug) {
 i_debug("imapc(%s): SSL handshake successful, " "ignoring invalid certificate: %s",
@@ -1639,7 +1639,6 @@ static int imapc_connection_ssl_handshaked(const char **error_r, void *context)
 static int imapc_connection_ssl_init(struct imapc_connection *conn)
 {
- struct ssl_iostream_settings ssl_set;
 const char *error;
 if (conn->client->ssl_ctx == NULL) {
@@ -1647,13 +1646,6 @@ static int imapc_connection_ssl_init(struct imapc_connection *conn)
 return -1;
 }
- i_zero(&ssl_set);
- if (conn->client->set.ssl_verify) {
- ssl_set.verbose_invalid_cert = TRUE;
- } else {
- ssl_set.allow_invalid_cert = TRUE;
- }
-
 if (conn->client->set.debug)
 i_debug("imapc(%s): Starting SSL handshake", conn->name);
@@ -1670,7 +1662,8 @@ static int imapc_connection_ssl_init(struct imapc_connection *conn)
 io_remove(&conn->io);
 if (io_stream_create_ssl_client(conn->client->ssl_ctx, conn->client->set.host,
- &ssl_set, &conn->input, &conn->output,
+ &conn->client->set.ssl_set,
+ &conn->input, &conn->output,
 &conn->ssl_iostream, &error) < 0) {
 i_error("imapc(%s): Couldn't initialize SSL client: %s", conn->name, error);
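Review bot: In the `@@ -1624,7 +1624,7 @@` hunk of imapc-connection.c, the branch taken when `allow_invalid_cert` is set reports the ignored certificate error only through `i_debug()` inside `if (conn->client->set.debug) {`. With debug off, a session whose peer certificate failed validation therefore leaves no log trace. The flag now comes from the shared `ssl_set` that every caller of the library fills in, so I would make that acceptance auditable: drop the debug guard and emit the same message through `i_warning(` instead of `i_debug(`. The start and end of `imapc_connection_ssl_handshaked()` are outside the hunk, so the remaining arguments of the log call are not visible here.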
diff --git a/src/lib-storage/index/imapc/Makefile.am b/src/lib-storage/index/imapc/Makefile.am
index 6a801a5f91..72ee102ff3 100644
--- a/src/lib-storage/index/imapc/Makefile.am
+++ b/src/lib-storage/index/imapc/Makefile.am
@@ -10,7 +10,8 @@ AM_CPPFLAGS = \
 -I$(top_srcdir)/src/lib-index \
 -I$(top_srcdir)/src/lib-storage \
 -I$(top_srcdir)/src/lib-storage/list \
- -I$(top_srcdir)/src/lib-storage/index
+ -I$(top_srcdir)/src/lib-storage/index \
+ -I$(top_srcdir)/src/lib-ssl-iostream
 libstorage_imapc_la_SOURCES = \
 imapc-list.c \
diff --git a/src/plugins/quota/Makefile.am b/src/plugins/quota/Makefile.am
index ffebc67404..e8bad8c414 100644
--- a/src/plugins/quota/Makefile.am
+++ b/src/plugins/quota/Makefile.am
@@ -14,6 +14,7 @@ AM_CPPFLAGS = \
 -I$(top_srcdir)/src/lib-imap \
 -I$(top_srcdir)/src/lib-imap-client \
 -I$(top_srcdir)/src/lib-settings \
+ -I$(top_srcdir)/src/lib-ssl-iostream \
 -I$(top_srcdir)/src/lib-storage \
 -I$(top_srcdir)/src/lib-storage/index \
 -I$(top_srcdir)/src/lib-storage/index/imapc \