lib-ssl-iostream: Convert ssl_dh setting to ssl_dh_file
authorTimo Sirainen <timo.sirainen@open-xchange.com>
Thu, 1 Feb 2024 14:36:53 +0000 (16:36 +0200)
committerAki Tuomi <aki.tuomi@open-xchange.com>
Wed, 12 Feb 2025 10:34:11 +0000 (12:34 +0200)
src/lib-ssl-iostream/iostream-openssl-context.c
src/lib-ssl-iostream/iostream-ssl-test.c
src/lib-ssl-iostream/iostream-ssl.c
src/lib-ssl-iostream/iostream-ssl.h
src/lib-ssl-iostream/ssl-settings.c
src/lib-ssl-iostream/ssl-settings.h

index 80da8c7ad3f90c91ec22394b422d0bcbe1e51720..0ee6a9947e957301a4c444ea3edcda0143542470 100644 (file)
@@ -34,7 +34,7 @@ static DH *ssl_tmp_dh_callback(SSL *ssl,
                SSL_get_ex_data(ssl, dovecot_ssl_extdata_index);
 
        e_error(ssl_io->event, "Diffie-Hellman key exchange requested, "
-               "but no DH parameters provided. Set ssl_dh=</path/to/dh.pem");
+               "but no DH parameters provided. Set ssl_dh_file=/path/to/dh.pem");
        return NULL;
 }
 #endif
@@ -100,7 +100,7 @@ int openssl_iostream_load_dh(const struct ssl_iostream_settings *set,
        BIO *bio;
        EVP_PKEY *pkey = NULL;
 
-       bio = BIO_new_mem_buf(set->dh, strlen(set->dh));
+       bio = BIO_new_mem_buf(set->dh.content, strlen(set->dh.content));
 
        if (bio == NULL) {
                *error_r = t_strdup_printf("BIO_new_mem_buf() failed: %s",
@@ -145,7 +145,7 @@ ssl_iostream_ctx_use_dh(struct ssl_iostream_context *ctx,
 {
        EVP_PKEY *pkey_dh;
        int ret = 0;
-       if (*set->dh == '\0') {
+       if (*set->dh.content == '\0') {
                return 0;
        }
        if (openssl_iostream_load_dh(set, &pkey_dh, error_r) < 0)
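Review bot: The empty-string test in ssl_iostream_ctx_use_dh dereferences `*set->dh.content` without first checking for NULL, whereas the two other sites this commit touches in the same file (ssl_iostream_context_set and ssl_proxy_ctx_set_crypto_params) test `set->dh.content == NULL` before looking at the first byte. The only caller visible here is guarded by that NULL check, but the function's own guard should not depend on it; `if (set->dh.content == NULL || *set->dh.content == '\0')` keeps the three sites consistent and makes the "no DH parameters configured" case return 0 regardless of how the settings struct was filled. Whether settings_file_get() yields "" or NULL for an unset ssl_dh_file is not visible in this diff, so matching the stricter form is the safe choice. ssl_iostream_ctx_use_dh starts before and continues after this hunk.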
@@ -158,7 +158,7 @@ ssl_iostream_ctx_use_dh(struct ssl_iostream_context *ctx,
 #endif
        {
                 *error_r = t_strdup_printf(
-                       "Can't load DH parameters (ssl_dh setting): %s",
+                       "Can't load DH parameters (ssl_dh_file setting): %s",
                        openssl_iostream_key_load_error());
                ret = -1;
        }
@@ -624,7 +624,7 @@ ssl_iostream_context_set(struct ssl_iostream_context *ctx,
                        return -1;
        }
 
-       if (set->dh != NULL && *set->dh != '\0') {
+       if (set->dh.content != NULL && *set->dh.content != '\0') {
                if (ssl_iostream_ctx_use_dh(ctx, set, error_r) < 0)
                        return -1;
        }
@@ -660,9 +660,8 @@ ssl_proxy_ctx_set_crypto_params(SSL_CTX *ssl_ctx,
                                const struct ssl_iostream_settings *set ATTR_UNUSED,
                                const char **error_r ATTR_UNUSED)
 {
-
 #ifdef SSL_CTX_set_tmp_dh_callback
-       if (set->dh == NULL || *set->dh == '\0')
+       if (set->dh.content == NULL || *set->dh.content == '\0')
                SSL_CTX_set_tmp_dh_callback(ssl_ctx, ssl_tmp_dh_callback);
 #endif
        /* In the non-recommended situation where ECDH cipher suites are being
index 8da10c75bcdb99a698d67f3de9258841c5eb8c3f..1beb531a90dc381fa322fd8d8b3579d86ee2b9d3 100644 (file)
@@ -158,7 +158,7 @@ void ssl_iostream_test_settings_server(struct ssl_iostream_settings *test_set)
        test_set->ca = test_ca_cert;
        test_set->cert.cert.content = test_server_cert;
        test_set->cert.key.content = test_server_key;
-       test_set->dh = test_server_dh;
+       test_set->dh.content = test_server_dh;
        test_set->skip_crl_check = TRUE;
 }
 
index 3a6de2d7fb10183ab3d1d9bbcf1595219e0d3947..b21b56fa27e004ea344d2aceb3705a141604c477 100644 (file)
@@ -369,7 +369,7 @@ bool ssl_iostream_settings_equals(const struct ssl_iostream_settings *set1,
            !quick_strcmp(set1->cipher_list, set2->cipher_list) ||
            !quick_strcmp(set1->ciphersuites, set2->ciphersuites) ||
            !quick_strcmp(set1->curve_list, set2->curve_list) ||
-           !quick_strcmp(set1->dh, set2->dh) ||
+           !quick_strcmp(set1->dh.content, set2->dh.content) ||
            !quick_strcmp(set1->cert_username_field,
                          set2->cert_username_field) ||
            !quick_strcmp(set1->crypto_device, set2->crypto_device))
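Review bot: ssl_iostream_settings_equals now compares only `dh.content`, and nothing on the line says that this is deliberate. If struct settings_file also carries the originating path, ignoring it here is the right call, because only the loaded PEM text affects the SSL_CTX being reused, but the next maintainer adding a field to that struct will not know that; a short comment above the line, such as `/* only the DH content matters for context reuse, not where it was read from */`, records the intent. Whether quick_strcmp() tolerates a NULL `dh.content` cannot be seen here and should be confirmed if settings_file_get() can leave it unset. The function's other comparisons lie outside this hunk.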
index 1413f54f38937a11e2209b128338c09ed16b8825..711ee7d8483b13a6b41839ea7384df2dcb99bbcb 100644 (file)
@@ -38,7 +38,7 @@ struct ssl_iostream_settings {
        /* alternative cert is for providing certificate using
           different key algorithm */
        struct ssl_iostream_cert alt_cert;
-       const char *dh;
+       struct settings_file dh;
        /* Field which contains the username returned by
           ssl_iostream_get_peer_username() */
        const char *cert_username_field;
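Review bot: The new `struct settings_file dh;` member is the only field in this part of ssl_iostream_settings without a comment, while alt_cert and cert_username_field both have one, and the change in type from a PEM string to a settings_file is exactly the kind of thing a reader of the header needs spelled out. A comment such as `/* DH parameters from the ssl_dh_file setting; dh.content holds the PEM text and is NULL or "" when no file is configured */` documents both the source of the value and the two "unset" representations that the callers in iostream-openssl-context.c test for. The struct definition continues outside this hunk.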
index cb3c55fc4f2225b3874a9e614ecfc18440da823d..a543e9ea611621f24fee39705e98a50694510989 100644 (file)
@@ -71,7 +71,7 @@ static const struct setting_define ssl_server_setting_defines[] = {
        DEF(FILE, ssl_alt_cert_file),
        DEF(FILE, ssl_alt_key_file),
        DEF(STR, ssl_key_password),
-       DEF(STR, ssl_dh),
+       DEF(FILE, ssl_dh_file),
        DEF(STR, ssl_cert_username_field),
 
        DEF(BOOL, ssl_require_crl),
@@ -89,7 +89,7 @@ static const struct ssl_server_settings ssl_server_default_settings = {
        .ssl_alt_cert_file = "",
        .ssl_alt_key_file = "",
        .ssl_key_password = "",
-       .ssl_dh = "",
+       .ssl_dh_file = "",
        .ssl_cert_username_field = "commonName",
 
        .ssl_require_crl = TRUE,
@@ -227,7 +227,7 @@ void ssl_server_settings_to_iostream_set(
                                  set->pool, &set->alt_cert.key);
                set->alt_cert.key_password = ssl_server_set->ssl_key_password;
        }
-       set->dh = ssl_server_set->ssl_dh;
+       settings_file_get(ssl_server_set->ssl_dh_file, set->pool, &set->dh);
        set->cert_username_field =
                ssl_server_set->ssl_cert_username_field;
        set->prefer_server_ciphers = ssl_server_set->ssl_prefer_server_ciphers;
index 777c2ef89b750062173623a97ed55a7cdaa5d0a2..1ad8a710b48e28baa9a30dd164ff8927aecd3593 100644 (file)
@@ -38,7 +38,7 @@ struct ssl_server_settings {
        const char *ssl_key_file;
        const char *ssl_alt_key_file;
        const char *ssl_key_password;
-       const char *ssl_dh;
+       const char *ssl_dh_file;
        const char *ssl_cert_username_field;
 
        bool ssl_require_crl;