old_set_parser_apply(ctx, CONFIG_LINE_TYPE_KEYVALUE, key, value);
return TRUE;
}
- if (strcmp(key, "ssl_cert_file") == 0 ||
- strcmp(key, "ssl_key_file") == 0 ||
+ if (strcmp(key, "ssl_key_file") == 0 ||
strcmp(key, "ssl_ca_file") == 0) {
if (*value == '\0')
return TRUE;
AM_CPPFLAGS = \
-I$(top_srcdir)/src/lib \
+ -I$(top_srcdir)/src/lib-settings \
-I$(top_srcdir)/src/lib-auth-client \
-I$(top_srcdir)/src/lib-dns \
-I$(top_srcdir)/src/lib-mail \
ldap_set_option(conn->conn, LDAP_OPT_X_TLS_CACERTDIR, conn->ssl_set.ca_dir);
#ifdef LDAP_OPT_X_TLS_CERT
- if (conn->ssl_set.cert.cert != NULL)
- ldap_set_option(conn->conn, LDAP_OPT_X_TLS_CERT, conn->ssl_set.cert.cert);
+ if (conn->ssl_set.cert.cert.content != NULL)
+ ldap_set_option(conn->conn, LDAP_OPT_X_TLS_CERT, conn->ssl_set.cert.cert.content);
if (conn->ssl_set.cert.key != NULL)
ldap_set_option(conn->conn, LDAP_OPT_X_TLS_KEYFILE, conn->ssl_set.cert.key);
#endif
return FALSE;
if (null_strcmp(conn->ssl_set.ca_file, set->ssl_set->ca_file) != 0)
return FALSE;
- if (null_strcmp(conn->ssl_set.cert.cert, set->ssl_set->cert.cert) != 0)
+ if (null_strcmp(conn->ssl_set.cert.cert.content,
+ set->ssl_set->cert.cert.content) != 0)
return FALSE;
if (null_strcmp(conn->ssl_set.cert.key, set->ssl_set->cert.key) != 0)
return FALSE;
conn->ssl_set.min_protocol = p_strdup(pool, set->ssl_set->min_protocol);
conn->ssl_set.cipher_list = p_strdup(pool, set->ssl_set->cipher_list);
conn->ssl_set.ca_file = p_strdup(pool, set->ssl_set->ca_file);
- conn->ssl_set.cert.cert = p_strdup(pool, set->ssl_set->cert.cert);
+ conn->ssl_set.cert.cert.path =
+ p_strdup(pool, set->ssl_set->cert.cert.path);
+ conn->ssl_set.cert.cert.content =
+ p_strdup(pool, set->ssl_set->cert.cert.content);
conn->ssl_set.cert.key = p_strdup(pool, set->ssl_set->cert.key);
}
i_assert(ldap_connection_have_settings(conn, set));
relevant settings. */
const char *const settings[] = {
"ssl_ca", server_set->ssl->ca,
- "ssl_cert", server_set->ssl->cert.cert,
+ "ssl_cert_file", settings_file_get_value(unsafe_data_stack_pool,
+ &server_set->ssl->cert.cert),
"ssl_key", server_set->ssl->cert.key,
NULL,
};
if (ERR_GET_LIB(err) == ERR_LIB_X509 &&
ERR_GET_REASON(err) == X509_R_KEY_VALUES_MISMATCH)
- return "Key is for a different cert than ssl_cert";
+ return "Key is for a different cert than ssl_cert_file";
else
return openssl_iostream_error();
}
return strstr(cert, "PRIVATE KEY---") != NULL;
}
-const char *
-openssl_iostream_use_certificate_error(const char *cert, const char *set_name)
+const char *openssl_iostream_use_certificate_error(const char *cert)
{
unsigned long err;
return openssl_iostream_error();
else if (is_pem_key(cert)) {
return "The file contains a private key "
- "(you've mixed ssl_cert and ssl_key settings)";
- } else if (set_name != NULL && strchr(cert, '\n') == NULL) {
- return t_strdup_printf("There is no valid PEM certificate. "
- "(You probably forgot '<' from %s=<%s)", set_name, cert);
+ "(you've mixed ssl_cert_file and ssl_key settings)";
} else {
return "There is no valid PEM certificate.";
}
}
/* Client can ignore an empty ssl_client_cert, but server will fail
- if ssl_cert is empty. */
- if (set->cert.cert != NULL &&
- (set->cert.cert[0] != '\0' || !ctx->client_ctx) &&
- ssl_ctx_use_certificate_chain(ctx->ssl_ctx, set->cert.cert) == 0) {
+ if ssl_cert_file is empty. */
+ if (set->cert.cert.content != NULL &&
+ (set->cert.cert.content[0] != '\0' || !ctx->client_ctx) &&
+ ssl_ctx_use_certificate_chain(ctx->ssl_ctx, set->cert.cert.content) == 0) {
*error_r = t_strdup_printf(
- "Can't load SSL certificate (ssl_cert setting): %s",
- openssl_iostream_use_certificate_error(set->cert.cert, NULL));
+ "Can't load SSL certificate (ssl_cert_file setting): %s",
+ openssl_iostream_use_certificate_error(set->cert.cert.content));
return -1;
}
if (set->cert.key != NULL && set->cert.key[0] != '\0') {
if (ssl_iostream_ctx_use_key(ctx, "ssl_key", &set->cert, error_r) < 0)
return -1;
}
- if (set->alt_cert.cert != NULL && set->alt_cert.cert[0] != '\0' &&
- ssl_ctx_use_certificate_chain(ctx->ssl_ctx, set->alt_cert.cert) == 0) {
+ if (set->alt_cert.cert.content != NULL &&
+ set->alt_cert.cert.content[0] != '\0' &&
+ ssl_ctx_use_certificate_chain(ctx->ssl_ctx, set->alt_cert.cert.content) == 0) {
*error_r = t_strdup_printf(
"Can't load alternative SSL certificate "
- "(ssl_alt_cert setting): %s",
- openssl_iostream_use_certificate_error(set->alt_cert.cert, NULL));
+ "(ssl_alt_cert_file setting): %s",
+ openssl_iostream_use_certificate_error(set->alt_cert.cert.content));
return -1;
}
if (set->alt_cert.key != NULL && set->alt_cert.key[0] != '\0') {
const char *openssl_iostream_error(void);
const char *openssl_iostream_key_load_error(void);
const char *
-openssl_iostream_use_certificate_error(const char *cert, const char *set_name);
+openssl_iostream_use_certificate_error(const char *cert);
void openssl_iostream_clear_errors(void);
void ssl_iostream_openssl_init(void);
ssl_iostream_context_cache_hash(const struct ssl_iostream_context_cache *cache)
{
unsigned int n, i, g, h = 0;
- const char *const cert[] = { cache->set->cert.cert, cache->set->alt_cert.cert };
+ const char *const cert[] = {
+ cache->set->cert.cert.content,
+ cache->set->alt_cert.cert.content
+ };
/* checking for different certs is typically good enough,
and it should be enough to check only the first few bytes (after the
i_zero(test_set);
test_set->pool = null_pool;
test_set->ca = test_ca_cert;
- test_set->cert.cert = test_server_cert;
+ test_set->cert.cert.content = test_server_cert;
test_set->cert.key = test_server_key;
test_set->dh = test_server_dh;
test_set->skip_crl_check = TRUE;
if (set1 == set2)
return TRUE;
- if (!quick_strcmp(set1->cert.cert, set2->cert.cert) ||
+ if (!quick_strcmp(set1->cert.cert.content, set2->cert.cert.content) ||
!quick_strcmp(set1->cert.key, set2->cert.key) ||
!quick_strcmp(set1->cert.key_password, set2->cert.key_password))
return FALSE;
- if (!quick_strcmp(set1->alt_cert.cert, set2->alt_cert.cert) ||
+ if (!quick_strcmp(set1->alt_cert.cert.content,
+ set2->alt_cert.cert.content) ||
!quick_strcmp(set1->alt_cert.key, set2->alt_cert.key) ||
!quick_strcmp(set1->alt_cert.key_password,
set2->alt_cert.key_password))
#ifndef IOSTREAM_SSL_H
#define IOSTREAM_SSL_H
+#include "settings-parser.h"
#include "ssl-settings.h"
struct ssl_iostream;
};
struct ssl_iostream_cert {
- const char *cert;
+ struct settings_file cert;
const char *key;
const char *key_password;
};
static const struct setting_define ssl_server_setting_defines[] = {
DEF(ENUM, ssl),
DEF(STR, ssl_ca),
- DEF(STR, ssl_cert),
+ DEF(FILE, ssl_cert_file),
DEF(STR, ssl_key),
- DEF(STR, ssl_alt_cert),
+ DEF(FILE, ssl_alt_cert_file),
DEF(STR, ssl_alt_key),
DEF(STR, ssl_key_password),
DEF(STR, ssl_dh),
static const struct ssl_server_settings ssl_server_default_settings = {
.ssl = "yes:no:required",
.ssl_ca = "",
- .ssl_cert = "",
+ .ssl_cert_file = "",
.ssl_key = "",
- .ssl_alt_cert = "",
+ .ssl_alt_cert_file = "",
.ssl_alt_key = "",
.ssl_key_password = "",
.ssl_dh = "",
set->ca = ssl_set->ssl_client_ca;
set->ca_file = ssl_set->ssl_client_ca_file;
set->ca_dir = ssl_set->ssl_client_ca_dir;
- set->cert.cert = ssl_set->ssl_client_cert;
+ set->cert.cert.content = ssl_set->ssl_client_cert;
set->cert.key = ssl_set->ssl_client_key;
set->verify_remote_cert = ssl_set->ssl_client_require_valid_cert;
set->allow_invalid_cert = !set->verify_remote_cert;
pool_add_external_ref(set->pool, ssl_server_set->pool);
set->ca = ssl_server_set->ssl_ca;
- set->cert.cert = ssl_server_set->ssl_cert;
+ settings_file_get(ssl_server_set->ssl_cert_file,
+ set->pool, &set->cert.cert);
set->cert.key = ssl_server_set->ssl_key;
set->cert.key_password = ssl_server_set->ssl_key_password;
- if (ssl_server_set->ssl_alt_cert != NULL &&
- *ssl_server_set->ssl_alt_cert != '\0') {
- set->alt_cert.cert = ssl_server_set->ssl_alt_cert;
+ if (ssl_server_set->ssl_alt_cert_file != NULL &&
+ *ssl_server_set->ssl_alt_cert_file != '\0') {
+ settings_file_get(ssl_server_set->ssl_alt_cert_file,
+ set->pool, &set->alt_cert.cert);
set->alt_cert.key = ssl_server_set->ssl_alt_key;
set->alt_cert.key_password = ssl_server_set->ssl_key_password;
}
const char *ssl;
const char *ssl_ca;
- const char *ssl_cert;
- const char *ssl_alt_cert;
+ const char *ssl_cert_file;
+ const char *ssl_alt_cert_file;
const char *ssl_key;
const char *ssl_alt_key;
const char *ssl_key_password;
"failhost") != 0, idx);
idx++;
ssl_iostream_test_settings_server(&server_set);
- server_set.cert.cert = NULL;
+ i_zero(&server_set.cert.cert);
ssl_iostream_test_settings_client(&client_set);
client_set.verify_remote_cert = TRUE;
test_expect_error_string("client(failhost): SSL certificate not received");
projects / thirdparty / dovecot / core.git / commitdiff
