From: Aki Tuomi
Date: Mon, 30 Oct 2017 12:08:23 +0000 (+0200)
Subject: lib-ssl-iostream: Add alternate certificate support
X-Git-Tag: 2.3.0.rc1~685
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0577701d04beea222fc49a7318851ddcea3b99d3;p=thirdparty%2Fdovecot%2Fcore.git

lib-ssl-iostream: Add alternate certificate support
---
diff --git a/src/lib-ssl-iostream/iostream-openssl-context.c b/src/lib-ssl-iostream/iostream-openssl-context.c
index ade2ae99cf..60c3ba32ed 100644
--- a/src/lib-ssl-iostream/iostream-openssl-context.c
+++ b/src/lib-ssl-iostream/iostream-openssl-context.c
@@ -446,6 +446,19 @@ ssl_proxy_ctx_get_pkey_ec_curve_name(const struct ssl_iostream_settings *set,
 }
 EVP_PKEY_free(pkey);
 }
+ if (nid == 0 && set->alt_cert.key != NULL) {
+ if (openssl_iostream_load_key(&set->alt_cert, &pkey, error_r) < 0)
+ return -1;
+
+ if ((eckey = EVP_PKEY_get1_EC_KEY(pkey)) != NULL &&
+ (ecgrp = EC_KEY_get0_group(eckey)) != NULL)
+ nid = EC_GROUP_get_curve_name(ecgrp);
+ else {
+ /* clear errors added by the above calls */
+ openssl_iostream_clear_errors();
+ }
+ EVP_PKEY_free(pkey);
+ }
 *nid_r = nid;
 return 0;
diff --git a/src/lib-ssl-iostream/iostream-openssl.c b/src/lib-ssl-iostream/iostream-openssl.c
index b7af743dbc..5f08c35494 100644
--- a/src/lib-ssl-iostream/iostream-openssl.c
+++ b/src/lib-ssl-iostream/iostream-openssl.c
@@ -189,6 +189,14 @@ openssl_iostream_set(struct ssl_iostream *ssl_io,
 if (openssl_iostream_use_key(ssl_io, &set->cert, error_r) < 0)
 return -1;
 }
+ if (set->alt_cert.cert != NULL && strcmp(ctx_set->alt_cert.cert, set->alt_cert.cert) != 0) {
+ if (openssl_iostream_use_certificate(ssl_io, set->alt_cert.cert, error_r) < 0)
+ return -1;
+ }
+ if (set->alt_cert.key != NULL && strcmp(ctx_set->alt_cert.key, set->alt_cert.key) != 0) {
+ if (openssl_iostream_use_key(ssl_io, &set->alt_cert, error_r) < 0)
+ return -1;
+ }
 if (set->verify_remote_cert) {
 if (ssl_io->ctx->client_ctx)
 verify_flags = SSL_VERIFY_NONE;
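Review bot: The EC_KEY returned by `EVP_PKEY_get1_EC_KEY(pkey)` in the new alt_cert block carries its own reference and is never released, so context setup leaks it whenever the alternate key is an EC key; the existing block above that this one mirrors appears to have the same issue. Adding `EC_KEY_free(eckey);` immediately before `EVP_PKEY_free(pkey);` covers both branches, since EC_KEY_free accepts NULL. A one-line comment on the new condition would also help, e.g. `/* primary key yielded no curve; try the alternate key */`. ssl_proxy_ctx_get_pkey_ec_curve_name begins outside the hunk, so where eckey is declared and whether it is reset between the two blocks cannot be seen here.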
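Review bot: `strcmp(ctx_set->alt_cert.cert, set->alt_cert.cert)` dereferences `ctx_set->alt_cert.cert` without a NULL check, so a per-stream settings struct that supplies an alternate certificate while the context settings leave it unset crashes inside strcmp; the key comparison four lines below has the same shape. Guard the context side explicitly, e.g. `if (set->alt_cert.cert != NULL && (ctx_set->alt_cert.cert == NULL || strcmp(ctx_set->alt_cert.cert, set->alt_cert.cert) != 0)) {`, and likewise for `alt_cert.key`. The preceding `cert` comparison is only partly visible in the hunk; if it follows the same pattern it should be fixed together. openssl_iostream_set's body starts and continues outside the hunk.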
diff --git a/src/lib-ssl-iostream/iostream-ssl.c b/src/lib-ssl-iostream/iostream-ssl.c
index 5f52d6d6b4..2d8905c2b8 100644
--- a/src/lib-ssl-iostream/iostream-ssl.c
+++ b/src/lib-ssl-iostream/iostream-ssl.c
@@ -228,6 +228,9 @@ ssl_iostream_settings_dup(pool_t pool,
 new_set->cert.cert = p_strdup(pool, old_set->cert.cert);
 new_set->cert.key = p_strdup(pool, old_set->cert.key);
 new_set->cert.key_password = p_strdup(pool, old_set->cert.key_password);
+ new_set->alt_cert.cert = p_strdup(pool, old_set->alt_cert.cert);
+ new_set->alt_cert.key = p_strdup(pool, old_set->alt_cert.key);
+ new_set->alt_cert.key_password = p_strdup(pool, old_set->alt_cert.key_password);
 new_set->cert_username_field = p_strdup(pool, old_set->cert_username_field);
 new_set->crypto_device = p_strdup(pool, old_set->crypto_device);
diff --git a/src/lib-ssl-iostream/iostream-ssl.h b/src/lib-ssl-iostream/iostream-ssl.h
index 6c4a2031ec..6103559120 100644
--- a/src/lib-ssl-iostream/iostream-ssl.h
+++ b/src/lib-ssl-iostream/iostream-ssl.h
@@ -15,7 +15,10 @@ struct ssl_iostream_settings {
 const char *cipher_list;
 const char *curve_list;
 const char *ca, *ca_file, *ca_dir; /* context-only */
+ /* alternative cert is for providing certificate using
+ different key algorithm */
 struct ssl_iostream_cert cert; /* both */
+ struct ssl_iostream_cert alt_cert;
 const char *dh;
 const char *cert_username_field;
 const char *crypto_device; /* context-only */
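Review bot: The new comment describing the alternative certificate sits above `struct ssl_iostream_cert cert; /* both */` rather than above the `alt_cert` member it documents, and `alt_cert` is the only member in this block without a `/* context-only */` or `/* both */` scope tag. Move the comment directly above the new member and tag it, e.g. `/* alternative cert for providing a certificate using a different key algorithm */` followed by `struct ssl_iostream_cert alt_cert; /* both */` — "both" because the openssl_iostream_set hunk in this commit also applies alt_cert per stream, though that intended scope should be confirmed. struct ssl_iostream_settings continues outside the hunk.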