From: Timo Sirainen Date: Thu, 1 Feb 2024 12:19:12 +0000 (+0200) Subject: lib-ssl-iostream, global: Convert ssl_[alt_]cert setting to ssl_[alt_]cert_file X-Git-Tag: 2.4.1~1073 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=014a926a2c13dee96ae2063502e0b8049290ebe7;p=thirdparty%2Fdovecot%2Fcore.git lib-ssl-iostream, global: Convert ssl_[alt_]cert setting to ssl_[alt_]cert_file --- diff --git a/src/config/old-set-parser.c b/src/config/old-set-parser.c index 45bb50a9dd..45c856f0c3 100644 --- a/src/config/old-set-parser.c +++ b/src/config/old-set-parser.c @@ -211,8 +211,7 @@ old_settings_handle_root(struct config_parser_context *ctx, old_set_parser_apply(ctx, CONFIG_LINE_TYPE_KEYVALUE, key, value); return TRUE; } - if (strcmp(key, "ssl_cert_file") == 0 || - strcmp(key, "ssl_key_file") == 0 || + if (strcmp(key, "ssl_key_file") == 0 || strcmp(key, "ssl_ca_file") == 0) { if (*value == '\0') return TRUE; diff --git a/src/lib-doveadm/Makefile.am b/src/lib-doveadm/Makefile.am index 91b0c16645..4dd4e43d15 100644 --- a/src/lib-doveadm/Makefile.am +++ b/src/lib-doveadm/Makefile.am @@ -2,6 +2,7 @@ noinst_LTLIBRARIES = libdoveadm.la AM_CPPFLAGS = \ -I$(top_srcdir)/src/lib \ + -I$(top_srcdir)/src/lib-settings \ -I$(top_srcdir)/src/lib-auth-client \ -I$(top_srcdir)/src/lib-dns \ -I$(top_srcdir)/src/lib-mail \ diff --git a/src/lib-ldap/ldap-connection.c b/src/lib-ldap/ldap-connection.c index 9decdac638..a4b81b3ca1 100644 --- a/src/lib-ldap/ldap-connection.c +++ b/src/lib-ldap/ldap-connection.c @@ -76,8 +76,8 @@ int ldap_connection_setup(struct ldap_connection *conn, const char **error_r) ldap_set_option(conn->conn, LDAP_OPT_X_TLS_CACERTDIR, conn->ssl_set.ca_dir); #ifdef LDAP_OPT_X_TLS_CERT - if (conn->ssl_set.cert.cert != NULL) - ldap_set_option(conn->conn, LDAP_OPT_X_TLS_CERT, conn->ssl_set.cert.cert); + if (conn->ssl_set.cert.cert.content != NULL) + ldap_set_option(conn->conn, LDAP_OPT_X_TLS_CERT, conn->ssl_set.cert.cert.content); if (conn->ssl_set.cert.key != NULL) ldap_set_option(conn->conn, LDAP_OPT_X_TLS_KEYFILE, conn->ssl_set.cert.key); #endif @@ -137,7 +137,8 @@ bool ldap_connection_have_settings(struct ldap_connection *conn, return FALSE; if (null_strcmp(conn->ssl_set.ca_file, set->ssl_set->ca_file) != 0) return FALSE; - if (null_strcmp(conn->ssl_set.cert.cert, set->ssl_set->cert.cert) != 0) + if (null_strcmp(conn->ssl_set.cert.cert.content, + set->ssl_set->cert.cert.content) != 0) return FALSE; if (null_strcmp(conn->ssl_set.cert.key, set->ssl_set->cert.key) != 0) return FALSE; @@ -184,7 +185,10 @@ int ldap_connection_init(struct ldap_client *client, conn->ssl_set.min_protocol = p_strdup(pool, set->ssl_set->min_protocol); conn->ssl_set.cipher_list = p_strdup(pool, set->ssl_set->cipher_list); conn->ssl_set.ca_file = p_strdup(pool, set->ssl_set->ca_file); - conn->ssl_set.cert.cert = p_strdup(pool, set->ssl_set->cert.cert); + conn->ssl_set.cert.cert.path = + p_strdup(pool, set->ssl_set->cert.cert.path); + conn->ssl_set.cert.cert.content = + p_strdup(pool, set->ssl_set->cert.cert.content); conn->ssl_set.cert.key = p_strdup(pool, set->ssl_set->cert.key); } i_assert(ldap_connection_have_settings(conn, set)); diff --git a/src/lib-smtp/test-smtp-payload.c b/src/lib-smtp/test-smtp-payload.c index 23d7d6710c..3a1d489f9e 100644 --- a/src/lib-smtp/test-smtp-payload.c +++ b/src/lib-smtp/test-smtp-payload.c @@ -936,7 +936,8 @@ test_run_client_server( relevant settings. */ const char *const settings[] = { "ssl_ca", server_set->ssl->ca, - "ssl_cert", server_set->ssl->cert.cert, + "ssl_cert_file", settings_file_get_value(unsafe_data_stack_pool, + &server_set->ssl->cert.cert), "ssl_key", server_set->ssl->cert.key, NULL, }; diff --git a/src/lib-ssl-iostream/iostream-openssl-common.c b/src/lib-ssl-iostream/iostream-openssl-common.c index edf58d1bae..98474af8c3 100644 --- a/src/lib-ssl-iostream/iostream-openssl-common.c +++ b/src/lib-ssl-iostream/iostream-openssl-common.c @@ -161,7 +161,7 @@ const char *openssl_iostream_key_load_error(void) if (ERR_GET_LIB(err) == ERR_LIB_X509 && ERR_GET_REASON(err) == X509_R_KEY_VALUES_MISMATCH) - return "Key is for a different cert than ssl_cert"; + return "Key is for a different cert than ssl_cert_file"; else return openssl_iostream_error(); } @@ -171,8 +171,7 @@ static bool is_pem_key(const char *cert) return strstr(cert, "PRIVATE KEY---") != NULL; } -const char * -openssl_iostream_use_certificate_error(const char *cert, const char *set_name) +const char *openssl_iostream_use_certificate_error(const char *cert) { unsigned long err; @@ -185,10 +184,7 @@ openssl_iostream_use_certificate_error(const char *cert, const char *set_name) return openssl_iostream_error(); else if (is_pem_key(cert)) { return "The file contains a private key " - "(you've mixed ssl_cert and ssl_key settings)"; - } else if (set_name != NULL && strchr(cert, '\n') == NULL) { - return t_strdup_printf("There is no valid PEM certificate. " - "(You probably forgot '<' from %s=<%s)", set_name, cert); + "(you've mixed ssl_cert_file and ssl_key settings)"; } else { return "There is no valid PEM certificate."; } diff --git a/src/lib-ssl-iostream/iostream-openssl-context.c b/src/lib-ssl-iostream/iostream-openssl-context.c index d1c28748a8..4ffac088f5 100644 --- a/src/lib-ssl-iostream/iostream-openssl-context.c +++ b/src/lib-ssl-iostream/iostream-openssl-context.c @@ -594,25 +594,26 @@ ssl_iostream_context_set(struct ssl_iostream_context *ctx, } /* Client can ignore an empty ssl_client_cert, but server will fail - if ssl_cert is empty. */ - if (set->cert.cert != NULL && - (set->cert.cert[0] != '\0' || !ctx->client_ctx) && - ssl_ctx_use_certificate_chain(ctx->ssl_ctx, set->cert.cert) == 0) { + if ssl_cert_file is empty. */ + if (set->cert.cert.content != NULL && + (set->cert.cert.content[0] != '\0' || !ctx->client_ctx) && + ssl_ctx_use_certificate_chain(ctx->ssl_ctx, set->cert.cert.content) == 0) { *error_r = t_strdup_printf( - "Can't load SSL certificate (ssl_cert setting): %s", - openssl_iostream_use_certificate_error(set->cert.cert, NULL)); + "Can't load SSL certificate (ssl_cert_file setting): %s", + openssl_iostream_use_certificate_error(set->cert.cert.content)); return -1; } if (set->cert.key != NULL && set->cert.key[0] != '\0') { if (ssl_iostream_ctx_use_key(ctx, "ssl_key", &set->cert, error_r) < 0) return -1; } - if (set->alt_cert.cert != NULL && set->alt_cert.cert[0] != '\0' && - ssl_ctx_use_certificate_chain(ctx->ssl_ctx, set->alt_cert.cert) == 0) { + if (set->alt_cert.cert.content != NULL && + set->alt_cert.cert.content[0] != '\0' && + ssl_ctx_use_certificate_chain(ctx->ssl_ctx, set->alt_cert.cert.content) == 0) { *error_r = t_strdup_printf( "Can't load alternative SSL certificate " - "(ssl_alt_cert setting): %s", - openssl_iostream_use_certificate_error(set->alt_cert.cert, NULL)); + "(ssl_alt_cert_file setting): %s", + openssl_iostream_use_certificate_error(set->alt_cert.cert.content)); return -1; } if (set->alt_cert.key != NULL && set->alt_cert.key[0] != '\0') { diff --git a/src/lib-ssl-iostream/iostream-openssl.h b/src/lib-ssl-iostream/iostream-openssl.h index 5eb9eb7bdc..4dbc51a71c 100644 --- a/src/lib-ssl-iostream/iostream-openssl.h +++ b/src/lib-ssl-iostream/iostream-openssl.h @@ -120,7 +120,7 @@ void openssl_iostream_set_error(struct ssl_iostream *ssl_io, const char *str); const char *openssl_iostream_error(void); const char *openssl_iostream_key_load_error(void); const char * -openssl_iostream_use_certificate_error(const char *cert, const char *set_name); +openssl_iostream_use_certificate_error(const char *cert); void openssl_iostream_clear_errors(void); void ssl_iostream_openssl_init(void); diff --git a/src/lib-ssl-iostream/iostream-ssl-context-cache.c b/src/lib-ssl-iostream/iostream-ssl-context-cache.c index bcb666ec0d..033cc76972 100644 --- a/src/lib-ssl-iostream/iostream-ssl-context-cache.c +++ b/src/lib-ssl-iostream/iostream-ssl-context-cache.c @@ -18,7 +18,10 @@ static unsigned int ssl_iostream_context_cache_hash(const struct ssl_iostream_context_cache *cache) { unsigned int n, i, g, h = 0; - const char *const cert[] = { cache->set->cert.cert, cache->set->alt_cert.cert }; + const char *const cert[] = { + cache->set->cert.cert.content, + cache->set->alt_cert.cert.content + }; /* checking for different certs is typically good enough, and it should be enough to check only the first few bytes (after the diff --git a/src/lib-ssl-iostream/iostream-ssl-test.c b/src/lib-ssl-iostream/iostream-ssl-test.c index 87b2b58906..2e697be194 100644 --- a/src/lib-ssl-iostream/iostream-ssl-test.c +++ b/src/lib-ssl-iostream/iostream-ssl-test.c @@ -156,7 +156,7 @@ void ssl_iostream_test_settings_server(struct ssl_iostream_settings *test_set) i_zero(test_set); test_set->pool = null_pool; test_set->ca = test_ca_cert; - test_set->cert.cert = test_server_cert; + test_set->cert.cert.content = test_server_cert; test_set->cert.key = test_server_key; test_set->dh = test_server_dh; test_set->skip_crl_check = TRUE; diff --git a/src/lib-ssl-iostream/iostream-ssl.c b/src/lib-ssl-iostream/iostream-ssl.c index 96e4ec32b4..0ad9facf59 100644 --- a/src/lib-ssl-iostream/iostream-ssl.c +++ b/src/lib-ssl-iostream/iostream-ssl.c @@ -347,12 +347,13 @@ bool ssl_iostream_settings_equals(const struct ssl_iostream_settings *set1, if (set1 == set2) return TRUE; - if (!quick_strcmp(set1->cert.cert, set2->cert.cert) || + if (!quick_strcmp(set1->cert.cert.content, set2->cert.cert.content) || !quick_strcmp(set1->cert.key, set2->cert.key) || !quick_strcmp(set1->cert.key_password, set2->cert.key_password)) return FALSE; - if (!quick_strcmp(set1->alt_cert.cert, set2->alt_cert.cert) || + if (!quick_strcmp(set1->alt_cert.cert.content, + set2->alt_cert.cert.content) || !quick_strcmp(set1->alt_cert.key, set2->alt_cert.key) || !quick_strcmp(set1->alt_cert.key_password, set2->alt_cert.key_password)) diff --git a/src/lib-ssl-iostream/iostream-ssl.h b/src/lib-ssl-iostream/iostream-ssl.h index 065d473192..1e7115e13f 100644 --- a/src/lib-ssl-iostream/iostream-ssl.h +++ b/src/lib-ssl-iostream/iostream-ssl.h @@ -1,6 +1,7 @@ #ifndef IOSTREAM_SSL_H #define IOSTREAM_SSL_H +#include "settings-parser.h" #include "ssl-settings.h" struct ssl_iostream; @@ -18,7 +19,7 @@ enum ssl_iostream_flags { }; struct ssl_iostream_cert { - const char *cert; + struct settings_file cert; const char *key; const char *key_password; }; diff --git a/src/lib-ssl-iostream/ssl-settings.c b/src/lib-ssl-iostream/ssl-settings.c index 5e21eb1c38..9405804f8a 100644 --- a/src/lib-ssl-iostream/ssl-settings.c +++ b/src/lib-ssl-iostream/ssl-settings.c @@ -66,9 +66,9 @@ const struct setting_parser_info ssl_setting_parser_info = { static const struct setting_define ssl_server_setting_defines[] = { DEF(ENUM, ssl), DEF(STR, ssl_ca), - DEF(STR, ssl_cert), + DEF(FILE, ssl_cert_file), DEF(STR, ssl_key), - DEF(STR, ssl_alt_cert), + DEF(FILE, ssl_alt_cert_file), DEF(STR, ssl_alt_key), DEF(STR, ssl_key_password), DEF(STR, ssl_dh), @@ -84,9 +84,9 @@ static const struct setting_define ssl_server_setting_defines[] = { static const struct ssl_server_settings ssl_server_default_settings = { .ssl = "yes:no:required", .ssl_ca = "", - .ssl_cert = "", + .ssl_cert_file = "", .ssl_key = "", - .ssl_alt_cert = "", + .ssl_alt_cert_file = "", .ssl_alt_key = "", .ssl_key_password = "", .ssl_dh = "", @@ -193,7 +193,7 @@ void ssl_client_settings_to_iostream_set( set->ca = ssl_set->ssl_client_ca; set->ca_file = ssl_set->ssl_client_ca_file; set->ca_dir = ssl_set->ssl_client_ca_dir; - set->cert.cert = ssl_set->ssl_client_cert; + set->cert.cert.content = ssl_set->ssl_client_cert; set->cert.key = ssl_set->ssl_client_key; set->verify_remote_cert = ssl_set->ssl_client_require_valid_cert; set->allow_invalid_cert = !set->verify_remote_cert; @@ -212,12 +212,14 @@ void ssl_server_settings_to_iostream_set( pool_add_external_ref(set->pool, ssl_server_set->pool); set->ca = ssl_server_set->ssl_ca; - set->cert.cert = ssl_server_set->ssl_cert; + settings_file_get(ssl_server_set->ssl_cert_file, + set->pool, &set->cert.cert); set->cert.key = ssl_server_set->ssl_key; set->cert.key_password = ssl_server_set->ssl_key_password; - if (ssl_server_set->ssl_alt_cert != NULL && - *ssl_server_set->ssl_alt_cert != '\0') { - set->alt_cert.cert = ssl_server_set->ssl_alt_cert; + if (ssl_server_set->ssl_alt_cert_file != NULL && + *ssl_server_set->ssl_alt_cert_file != '\0') { + settings_file_get(ssl_server_set->ssl_alt_cert_file, + set->pool, &set->alt_cert.cert); set->alt_cert.key = ssl_server_set->ssl_alt_key; set->alt_cert.key_password = ssl_server_set->ssl_key_password; } diff --git a/src/lib-ssl-iostream/ssl-settings.h b/src/lib-ssl-iostream/ssl-settings.h index 2e123b25a6..ba08db79ed 100644 --- a/src/lib-ssl-iostream/ssl-settings.h +++ b/src/lib-ssl-iostream/ssl-settings.h @@ -33,8 +33,8 @@ struct ssl_server_settings { const char *ssl; const char *ssl_ca; - const char *ssl_cert; - const char *ssl_alt_cert; + const char *ssl_cert_file; + const char *ssl_alt_cert_file; const char *ssl_key; const char *ssl_alt_key; const char *ssl_key_password; diff --git a/src/lib-ssl-iostream/test-iostream-ssl.c b/src/lib-ssl-iostream/test-iostream-ssl.c index a11a3ad384..6265698d20 100644 --- a/src/lib-ssl-iostream/test-iostream-ssl.c +++ b/src/lib-ssl-iostream/test-iostream-ssl.c @@ -344,7 +344,7 @@ static void test_iostream_ssl_handshake(void) "failhost") != 0, idx); idx++; ssl_iostream_test_settings_server(&server_set); - server_set.cert.cert = NULL; + i_zero(&server_set.cert.cert); ssl_iostream_test_settings_client(&client_set); client_set.verify_remote_cert = TRUE; test_expect_error_string("client(failhost): SSL certificate not received");