From: Aki Tuomi Date: Sat, 10 Mar 2018 15:06:03 +0000 (+0200) Subject: lib-ssl-iostream: Correctly build certificate chains X-Git-Tag: 2.3.2.rc1~70 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2f13abc3d7812bbf3e2aebf82eedecfce2e5ad07;p=thirdparty%2Fdovecot%2Fcore.git lib-ssl-iostream: Correctly build certificate chains Prevents sending extraneous certificates when using alternative certs. Reported by John Fawcett and Peter Linss .
---
diff --git a/m4/ssl.m4 b/m4/ssl.m4
index e7d3db4ea2..faf9cb1c4e 100644
--- a/m4/ssl.m4
+++ b/m4/ssl.m4
@@ -133,6 +133,45 @@ AC_DEFUN([DOVECOT_SSL], [
 AC_DEFINE(HAVE_SSL_CTX_SET_MIN_PROTO_VERSION,, [Define if you have SSL_CTX_set_min_proto_version])
 fi
+ # SSL_CTX_add0_chain_cert is also a macro so AC_CHECK_LIB fails here.
+ AC_CACHE_CHECK([whether SSL_CTX_add0_chain_cert exists],i_cv_have_ssl_ctx_add0_chain_cert,[
+ old_LIBS=$LIBS
+ LIBS="$LIBS -lssl"
+ AC_TRY_LINK([
+ #include
+ ], [
+ SSL_CTX_add0_chain_cert((void*)0, 0);
+ ], [
+ i_cv_have_ssl_ctx_add0_chain_cert=yes
+ ], [
+ i_cv_have_ssl_ctx_add0_chain_cert=no
+ ])
+ LIBS=$old_LIBS
+ ])
+ if test $i_cv_have_ssl_ctx_add0_chain_cert = yes; then
+ AC_DEFINE(HAVE_SSL_CTX_ADD0_CHAIN_CERT,, [Define if you have SSL_CTX_add0_chain_cert])
+ fi
+
+ # SSL_CTX_set_current_cert is also a macro so AC_CHECK_LIB fails here.
+ AC_CACHE_CHECK([whether SSL_CTX_set_current_cert exists],i_cv_have_ssl_ctx_set_current_cert,[
+ old_LIBS=$LIBS
+ LIBS="$LIBS -lssl"
+ AC_TRY_LINK([
+ #include
+ ], [
+ SSL_CTX_set_current_cert((void*)0, 0);
+ ], [
+ i_cv_have_ssl_ctx_set_current_cert=yes
+ ], [
+ i_cv_have_ssl_ctx_set_current_cert=no
+ ])
+ LIBS=$old_LIBS
+ ])
+ if test $i_cv_have_ssl_ctx_set_current_cert = yes; then
+ AC_DEFINE(HAVE_SSL_CTX_SET_CURRENT_CERT,, [Define if you have SSL_CTX_set_current_cert])
+ fi
+
+
 AC_CHECK_LIB(ssl, SSL_CIPHER_get_kx_nid, [
 AC_DEFINE(HAVE_SSL_CIPHER_get_kx_nid,, [Define if you have SSL_CIPHER_get_kx_nid])
 ],, $SSL_LIBS)
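Review bot: Both new link probes append a bare `-lssl` to `LIBS` and include the OpenSSL header under whatever `CPPFLAGS` is in effect, while the `AC_CHECK_LIB` immediately below passes `$SSL_LIBS`; with OpenSSL in a non-default prefix the probes can resolve against a different library than the one Dovecot links, and the failure mode is quiet, because an undetected macro silently keeps the `SSL_CTX_add_extra_chain_cert` fallback and so reintroduces the extraneous-certificate behaviour this commit removes. If the preceding `SSL_CTX_set_min_proto_version` probe, whose tail `fi` is the only part visible here, already uses this pattern the hunk is at least consistent, but `LIBS="$LIBS $SSL_LIBS"` would be the safer form. `AC_TRY_LINK` is deprecated in current autoconf; the equivalent non-deprecated spelling is `AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <openssl/ssl.h>]], [[SSL_CTX_add0_chain_cert((void*)0, 0);]])], [...yes...], [...no...])`. The `#include` lines in this rendering have lost their header name, presumably `<openssl/ssl.h>`.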
diff --git a/src/lib-ssl-iostream/iostream-openssl-context.c b/src/lib-ssl-iostream/iostream-openssl-context.c
index 125d1125db..6dbbe96760 100644
--- a/src/lib-ssl-iostream/iostream-openssl-context.c
+++ b/src/lib-ssl-iostream/iostream-openssl-context.c
@@ -201,6 +201,9 @@ static int ssl_ctx_use_certificate_chain(SSL_CTX *ctx, const char *cert)
 ret = 0;
 if (ret != 0) {
+#ifdef HAVE_SSL_CTX_SET_CURRENT_CERT
+ SSL_CTX_select_current_cert(ctx, x);
+#endif
 /* If we could set up our certificate, now proceed to
 * the CA certificates. */
@@ -209,7 +212,11 @@ static int ssl_ctx_use_certificate_chain(SSL_CTX *ctx, const char *cert)
 unsigned long err;
 while ((ca = PEM_read_bio_X509(in,NULL,NULL,NULL)) != NULL) {
+#ifdef HAVE_SSL_CTX_ADD0_CHAIN_CERT
+ r = SSL_CTX_add0_chain_cert(ctx, ca);
+#else
 r = SSL_CTX_add_extra_chain_cert(ctx, ca);
+#endif
 if (r == 0) {
 X509_free(ca);
 ret = 0;
@@ -227,6 +234,9 @@ static int ssl_ctx_use_certificate_chain(SSL_CTX *ctx, const char *cert)
 end:
 if (x != NULL)
 X509_free(x);
 BIO_free(in);
+#ifdef HAVE_SSL_CTX_SET_CURRENT_CERT
+ SSL_CTX_set_current_cert(ctx, SSL_CERT_SET_FIRST);
+#endif
 return ret;
 }
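Review bot: The result of `SSL_CTX_select_current_cert(ctx, x)` in the first hunk is discarded; OpenSSL returns 0 when `x` is not one of the context's certificates, and in that case the `SSL_CTX_add0_chain_cert` calls that follow attach this file's intermediates to whichever certificate happens to be current, which is the wrong-chain behaviour the commit sets out to remove, only now without any diagnostic. Failing the load keeps it visible and reaches the existing cleanup that frees `x` and `in`: `if (SSL_CTX_select_current_cert(ctx, x) != 1) { ret = 0; goto end; }`. OpenSSL's own `SSL_CTX_use_certificate_chain_file` also calls `SSL_CTX_clear_chain_certs(ctx)` right after selecting, so that a certificate loaded twice into the same context does not accumulate stale intermediates; whether Dovecot ever reloads into an existing context is not visible here, so that is worth confirming before adding the same call. ssl_ctx_use_certificate_chain starts before this hunk.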
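Review bot: The `#ifdef HAVE_SSL_CTX_ADD0_CHAIN_CERT` around the chain call in the second hunk is independent of the `HAVE_SSL_CTX_SET_CURRENT_CERT` guard on the select and reset calls, so a build that detects one API but not the other either adds per-certificate chain entries without the explicit selection, relying on `SSL_CTX_use_certificate` having left `x` current, or selects a certificate while intermediates still go to the shared extra chain. Both probes come from the same configure change and, as far as I know, both APIs arrived in the same OpenSSL generation, so this is unlikely to bite, but guarding all three sites with one condition removes the question: `#if defined(HAVE_SSL_CTX_ADD0_CHAIN_CERT) && defined(HAVE_SSL_CTX_SET_CURRENT_CERT)`. The loop body continues outside the hunk.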
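Review bot: The unconditional `SSL_CTX_set_current_cert(ctx, SSL_CERT_SET_FIRST)` at `end:` in the third hunk changes which certificate is current for every caller, and some OpenSSL entry points act on the current certificate — `SSL_CTX_check_private_key` is one in the versions I know — so a caller that loads an alternative certificate and then validates its key against the context could end up checking the primary pair instead. The callers are outside this hunk, so this is an inference to confirm; if it holds, leaving the just-loaded certificate selected and letting the caller reset would be the safer order. Either way the intent deserves a comment at the reset, for example `/* Return to the primary certificate; per-certificate calls such as SSL_CTX_check_private_key() act on the current one. */`. ssl_ctx_use_certificate_chain starts before this hunk.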