From: Aki Tuomi
Date: Mon, 30 Oct 2017 12:06:36 +0000 (+0200)
Subject: global: Splice cert into separate struct from iostream_ssl_settings
X-Git-Tag: 2.3.0.rc1~686
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9f7ba3807f77209a65e0faa56cac8545b06cd116;p=thirdparty%2Fdovecot%2Fcore.git
global: Splice cert into separate struct from iostream_ssl_settings
---
diff --git a/src/auth/db-oauth2.c b/src/auth/db-oauth2.c
index c44f425a5b..c0a9894c43 100644
--- a/src/auth/db-oauth2.c
+++ b/src/auth/db-oauth2.c
@@ -189,8 +189,8 @@ struct db_oauth2 *db_oauth2_init(const char *config_path)
 ssl_set.ca_file = db->set.tls_ca_cert_file;
 ssl_set.ca_dir = db->set.tls_ca_cert_dir;
 if (db->set.tls_cert_file != NULL && *db->set.tls_cert_file != '\0') {
- ssl_set.cert = db->set.tls_cert_file;
- ssl_set.key = db->set.tls_key_file;
+ ssl_set.cert.cert = db->set.tls_cert_file;
+ ssl_set.cert.key = db->set.tls_key_file;
 }
 ssl_set.prefer_server_ciphers = TRUE;
 ssl_set.allow_invalid_cert = db->set.tls_allow_invalid_cert;
diff --git a/src/lib-ldap/ldap-connection.c b/src/lib-ldap/ldap-connection.c
index 4777354c03..7e01c7b5e7 100644
--- a/src/lib-ldap/ldap-connection.c
+++ b/src/lib-ldap/ldap-connection.c
@@ -74,10 +74,10 @@ int ldap_connection_setup(struct ldap_connection *conn, const char **error_r)
 if (conn->ssl_set.ca_dir != NULL)
 ldap_set_option(conn->conn, LDAP_OPT_X_TLS_CACERTDIR, conn->ssl_set.ca_dir);
- if (conn->ssl_set.cert != NULL)
- ldap_set_option(conn->conn, LDAP_OPT_X_TLS_CERTFILE, conn->ssl_set.cert);
- if (conn->ssl_set.key != NULL)
- ldap_set_option(conn->conn, LDAP_OPT_X_TLS_KEYFILE, conn->ssl_set.key);
+ if (conn->ssl_set.cert.cert != NULL)
+ ldap_set_option(conn->conn, LDAP_OPT_X_TLS_CERTFILE, conn->ssl_set.cert.cert);
+ if (conn->ssl_set.cert.key != NULL)
+ ldap_set_option(conn->conn, LDAP_OPT_X_TLS_KEYFILE, conn->ssl_set.cert.key);
 opt = conn->set.debug;
 ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, &opt);
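Review bot: The two `ldap_set_option()` calls added for LDAP_OPT_X_TLS_CERTFILE and LDAP_OPT_X_TLS_KEYFILE discard their return value, so a rejected option (for instance a libldap built without TLS support, or an option value it refuses) leaves the connection without the configured client certificate and nothing is reported; the CACERTDIR call just above has the same gap but is not touched by this commit. ldap_connection_setup() already receives `error_r`, so the result can be checked in place: `if (ldap_set_option(conn->conn, LDAP_OPT_X_TLS_CERTFILE, conn->ssl_set.cert.cert) != LDAP_OPT_SUCCESS) { *error_r = "Failed to set LDAP_OPT_X_TLS_CERTFILE"; return -1; }`, and likewise for the key file. The -1 return convention is inferred from the int signature; the rest of the function body lies outside the hunk.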
@@ -123,9 +123,9 @@ bool ldap_connection_have_settings(struct ldap_connection *conn,
 return FALSE;
 if (null_strcmp(conn->ssl_set.ca_file, set->ssl_set->ca_file) != 0)
 return FALSE;
- if (null_strcmp(conn->ssl_set.cert, set->ssl_set->cert) != 0)
+ if (null_strcmp(conn->ssl_set.cert.cert, set->ssl_set->cert.cert) != 0)
 return FALSE;
- if (null_strcmp(conn->ssl_set.key, set->ssl_set->key) != 0)
+ if (null_strcmp(conn->ssl_set.cert.key, set->ssl_set->cert.key) != 0)
 return FALSE;
 return TRUE;
 }
@@ -159,7 +159,7 @@ int ldap_connection_init(struct ldap_client *client,
 }
 /* cannot use these */
 conn->ssl_set.ca = NULL;
- conn->ssl_set.key_password = NULL;
+ conn->ssl_set.cert.key_password = NULL;
 conn->ssl_set.cert_username_field = NULL;
 conn->ssl_set.crypto_device = NULL;
@@ -169,8 +169,8 @@ int ldap_connection_init(struct ldap_client *client,
 conn->ssl_set.protocols = p_strdup(pool, set->ssl_set->protocols);
 conn->ssl_set.cipher_list = p_strdup(pool, set->ssl_set->cipher_list);
 conn->ssl_set.ca_file = p_strdup(pool, set->ssl_set->ca_file);
- conn->ssl_set.cert = p_strdup(pool, set->ssl_set->cert);
- conn->ssl_set.key = p_strdup(pool, set->ssl_set->key);
+ conn->ssl_set.cert.cert = p_strdup(pool, set->ssl_set->cert.cert);
+ conn->ssl_set.cert.key = p_strdup(pool, set->ssl_set->cert.key);
 }
 i_assert(ldap_connection_have_settings(conn, set));
diff --git a/src/lib-master/master-service-ssl.c b/src/lib-master/master-service-ssl.c
index 07e97d1d70..2cfdbb2d06 100644
--- a/src/lib-master/master-service-ssl.c
+++ b/src/lib-master/master-service-ssl.c
@@ -65,10 +65,10 @@ void master_service_ssl_ctx_init(struct master_service *service)
 ssl_set.cipher_list = set->ssl_cipher_list;
 ssl_set.curve_list = set->ssl_curve_list;
 ssl_set.ca = set->ssl_ca;
- ssl_set.cert = set->ssl_cert;
- ssl_set.key = set->ssl_key;
+ ssl_set.cert.cert = set->ssl_cert;
+ ssl_set.cert.key = set->ssl_key;
 ssl_set.dh = set->ssl_dh;
- ssl_set.key_password = set->ssl_key_password;
+ ssl_set.cert.key_password = set->ssl_key_password;
 ssl_set.cert_username_field = set->ssl_cert_username_field;
 ssl_set.crypto_device = set->ssl_crypto_device;
diff --git a/src/lib-ssl-iostream/iostream-openssl-context.c b/src/lib-ssl-iostream/iostream-openssl-context.c
index dd489cc258..ade2ae99cf 100644
--- a/src/lib-ssl-iostream/iostream-openssl-context.c
+++ b/src/lib-ssl-iostream/iostream-openssl-context.c
@@ -82,7 +82,7 @@ pem_password_callback(char *buf, int size, int rwflag ATTR_UNUSED,
 return strlen(buf);
 }
-int openssl_iostream_load_key(const struct ssl_iostream_settings *set,
+int openssl_iostream_load_key(const struct ssl_iostream_cert *set,
 EVP_PKEY **pkey_r, const char **error_r)
 {
 struct ssl_iostream_password_context ctx;
@@ -146,7 +146,7 @@ int openssl_iostream_load_dh(const struct ssl_iostream_settings *set,
 static int ssl_iostream_ctx_use_key(struct ssl_iostream_context *ctx,
- const struct ssl_iostream_settings *set,
+ const struct ssl_iostream_cert *set,
 const char **error_r)
 {
 EVP_PKEY *pkey;
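Review bot: In `int openssl_iostream_load_key(const struct ssl_iostream_cert *set,` the parameter keeps the name `set` although its type changed from the full settings struct to the new cert sub-struct that callers now pass as `&set->cert`; the same mismatch is in ssl_iostream_ctx_use_key() in the hunk at line 146, openssl_iostream_use_key() in iostream-openssl.c at line 85 and the prototype in iostream-openssl.h at line 70. Renaming it in all four places, e.g. `int openssl_iostream_load_key(const struct ssl_iostream_cert *cert,`, keeps the call sites and the field accesses in the bodies from reading as if they still operated on the whole settings struct. Each of these function bodies continues outside its hunk.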
@@ -380,14 +380,14 @@ ssl_iostream_context_set(struct ssl_iostream_context *ctx,
 openssl_get_protocol_options(ctx->set->protocols));
 }
- if (set->cert != NULL &&
- ssl_ctx_use_certificate_chain(ctx->ssl_ctx, set->cert) == 0) {
+ if (set->cert.cert != NULL &&
+ ssl_ctx_use_certificate_chain(ctx->ssl_ctx, set->cert.cert) == 0) {
 *error_r = t_strdup_printf("Can't load SSL certificate: %s",
- openssl_iostream_use_certificate_error(set->cert, NULL));
+ openssl_iostream_use_certificate_error(set->cert.cert, NULL));
 return -1;
 }
- if (set->key != NULL) {
- if (ssl_iostream_ctx_use_key(ctx, set, error_r) < 0)
+ if (set->cert.key != NULL) {
+ if (ssl_iostream_ctx_use_key(ctx, &set->cert, error_r) < 0)
 return -1;
 }
@@ -433,8 +433,8 @@ ssl_proxy_ctx_get_pkey_ec_curve_name(const struct ssl_iostream_settings *set,
 EC_KEY *eckey;
 const EC_GROUP *ecgrp;
- if (set->key != NULL) {
- if (openssl_iostream_load_key(set, &pkey, error_r) < 0)
+ if (set->cert.key != NULL) {
+ if (openssl_iostream_load_key(&set->cert, &pkey, error_r) < 0)
 return -1;
 if ((eckey = EVP_PKEY_get1_EC_KEY(pkey)) != NULL &&
diff --git a/src/lib-ssl-iostream/iostream-openssl.c b/src/lib-ssl-iostream/iostream-openssl.c
index 713128ad25..b7af743dbc 100644
--- a/src/lib-ssl-iostream/iostream-openssl.c
+++ b/src/lib-ssl-iostream/iostream-openssl.c
@@ -85,7 +85,7 @@ openssl_iostream_use_certificate(struct ssl_iostream *ssl_io, const char *cert,
 static int openssl_iostream_use_key(struct ssl_iostream *ssl_io,
- const struct ssl_iostream_settings *set,
+ const struct ssl_iostream_cert *set,
 const char **error_r)
 {
 EVP_PKEY *pkey;
@@ -181,12 +181,12 @@ openssl_iostream_set(struct ssl_iostream *ssl_io,
 openssl_get_protocol_options(set->protocols));
 }
- if (set->cert != NULL && strcmp(ctx_set->cert, set->cert) != 0) {
- if (openssl_iostream_use_certificate(ssl_io, set->cert, error_r) < 0)
+ if (set->cert.cert != NULL && strcmp(ctx_set->cert.cert, set->cert.cert) != 0) {
+ if (openssl_iostream_use_certificate(ssl_io, set->cert.cert, error_r) < 0)
 return -1;
 }
- if (set->key != NULL && strcmp(ctx_set->key, set->key) != 0) {
- if (openssl_iostream_use_key(ssl_io, set, error_r) < 0)
+ if (set->cert.key != NULL && strcmp(ctx_set->cert.key, set->cert.key) != 0) {
+ if (openssl_iostream_use_key(ssl_io, &set->cert, error_r) < 0)
 return -1;
 }
 if (set->verify_remote_cert) {
diff --git a/src/lib-ssl-iostream/iostream-openssl.h b/src/lib-ssl-iostream/iostream-openssl.h
index bb87ff05ad..9d7e958c90 100644
--- a/src/lib-ssl-iostream/iostream-openssl.h
+++ b/src/lib-ssl-iostream/iostream-openssl.h
@@ -70,7 +70,7 @@ int openssl_iostream_context_init_server(const struct ssl_iostream_settings *set
 void openssl_iostream_context_deinit(struct ssl_iostream_context *ctx);
 void openssl_iostream_global_deinit(void);
-int openssl_iostream_load_key(const struct ssl_iostream_settings *set,
+int openssl_iostream_load_key(const struct ssl_iostream_cert *set,
 EVP_PKEY **pkey_r, const char **error_r);
 int openssl_cert_match_name(SSL *ssl, const char *verify_name);
 int openssl_get_protocol_options(const char *protocols);
diff --git a/src/lib-ssl-iostream/iostream-ssl.c b/src/lib-ssl-iostream/iostream-ssl.c
index 30b213abd7..5f52d6d6b4 100644
--- a/src/lib-ssl-iostream/iostream-ssl.c
+++ b/src/lib-ssl-iostream/iostream-ssl.c
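Review bot: The rewritten condition `if (set->cert.cert != NULL && strcmp(ctx_set->cert.cert, set->cert.cert) != 0) {` still hands `ctx_set->cert.cert` to strcmp() unchecked; ssl_iostream_context_set() in the hunk at iostream-openssl-context.c line 380 accepts a context with no certificate (`set->cert.cert == NULL`), so a per-stream certificate applied on such a context dereferences NULL, and the key comparison two lines below has the same problem. If the NULL-tolerant null_strcmp() that this commit already uses in ldap_connection_have_settings() is in scope here, `if (set->cert.cert != NULL && null_strcmp(ctx_set->cert.cert, set->cert.cert) != 0) {` and `if (set->cert.key != NULL && null_strcmp(ctx_set->cert.key, set->cert.key) != 0) {` fix both. openssl_iostream_set() starts and ends outside the hunk.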
@@ -225,9 +225,9 @@ ssl_iostream_settings_dup(pool_t pool,
 new_set->ca = p_strdup(pool, old_set->ca);
 new_set->ca_file = p_strdup(pool, old_set->ca_file);
 new_set->ca_dir = p_strdup(pool, old_set->ca_dir);
- new_set->cert = p_strdup(pool, old_set->cert);
- new_set->key = p_strdup(pool, old_set->key);
- new_set->key_password = p_strdup(pool, old_set->key_password);
+ new_set->cert.cert = p_strdup(pool, old_set->cert.cert);
+ new_set->cert.key = p_strdup(pool, old_set->cert.key);
+ new_set->cert.key_password = p_strdup(pool, old_set->cert.key_password);
 new_set->cert_username_field = p_strdup(pool, old_set->cert_username_field);
 new_set->crypto_device = p_strdup(pool, old_set->crypto_device);
diff --git a/src/lib-ssl-iostream/iostream-ssl.h b/src/lib-ssl-iostream/iostream-ssl.h
index eeefa544f4..6c4a2031ec 100644
--- a/src/lib-ssl-iostream/iostream-ssl.h
+++ b/src/lib-ssl-iostream/iostream-ssl.h
@@ -4,14 +4,18 @@
 struct ssl_iostream;
 struct ssl_iostream_context;
+struct ssl_iostream_cert {
+ const char *cert;
+ const char *key;
+ const char *key_password;
+};
+
 struct ssl_iostream_settings {
 const char *protocols;
 const char *cipher_list;
 const char *curve_list;
 const char *ca, *ca_file, *ca_dir; /* context-only */
- const char *cert;
- const char *key;
- const char *key_password;
+ struct ssl_iostream_cert cert; /* both */
 const char *dh;
 const char *cert_username_field;
 const char *crypto_device; /* context-only */
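Review bot: The new `struct ssl_iostream_cert` is added without a comment, and what its `cert` and `key` members hold cannot be read from the header alone: ldap_connection_setup() passes them to LDAP_OPT_X_TLS_CERTFILE and LDAP_OPT_X_TLS_KEYFILE, i.e. as file names, while ssl_iostream_context_set() hands `cert.cert` to ssl_ctx_use_certificate_chain(), and `key_password` is a secret that ssl_iostream_settings_dup() copies into the pool together with the other strings. A short block comment above the struct would pin this down: that it carries one certificate identity (certificate, private key and the key's passphrase), that whether cert/key hold a path or the certificate data depends on the consuming library (lib-ldap treats them as file names), and that key_password is sensitive and is duplicated verbatim by ssl_iostream_settings_dup(). The `/* both */` marker on the `cert` member would also be clearer as `/* context and per-stream */`, matching the `/* context-only */` wording on the neighbouring fields.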