From: Timo Sirainen Date: Thu, 1 Feb 2024 15:03:41 +0000 (+0200) Subject: lib-ssl-iostream: Remove unused ssl_iostream_settings.ca_file X-Git-Tag: 2.4.1~1066 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=28b14e7a057ce53a5851717021796e901cb41048;p=thirdparty%2Fdovecot%2Fcore.git lib-ssl-iostream: Remove unused ssl_iostream_settings.ca_file
---
diff --git a/src/lib-ssl-iostream/iostream-openssl-context.c b/src/lib-ssl-iostream/iostream-openssl-context.c
index 47c9f49e8e..0384182877 100644
--- a/src/lib-ssl-iostream/iostream-openssl-context.c
+++ b/src/lib-ssl-iostream/iostream-openssl-context.c
@@ -265,28 +265,15 @@ static int load_ca(X509_STORE *store, const char *ca,
 }
 static int
-load_ca_locations(struct ssl_iostream_context *ctx, const char *ca_file,
+load_ca_locations(struct ssl_iostream_context *ctx, const char *ca_dir,
 const char **error_r)
 {
- if (SSL_CTX_load_verify_locations(ctx->ssl_ctx, ca_file, ca_dir) != 0)
+ if (SSL_CTX_load_verify_locations(ctx->ssl_ctx, NULL, ca_dir) != 0)
 return 0;
- if (ca_dir == NULL) {
- *error_r = t_strdup_printf(
- "Can't load CA certs from %s "
- "(ssl_client_ca_file setting): %s",
- ca_file, openssl_iostream_error());
- } else if (ca_file == NULL) {
- *error_r = t_strdup_printf(
- "Can't load CA certs from directory %s "
- "(ssl_client_ca_dir setting): %s",
- ca_dir, openssl_iostream_error());
- } else {
- *error_r = t_strdup_printf(
- "Can't load CA certs from file %s and directory %s "
- "(ssl_client_ca_* settings): %s",
- ca_file, ca_dir, openssl_iostream_error());
- }
+ *error_r = t_strdup_printf("Can't load CA certs from directory %s "
+ "(ssl_client_ca_dir setting): %s",
+ ca_dir, openssl_iostream_error());
 return -1;
 }
@@ -512,7 +499,6 @@ ssl_iostream_context_load_ca(struct ssl_iostream_context *ctx,
 {
 X509_STORE *store;
 STACK_OF(X509_NAME) *xnames = NULL;
- const char *ca_file, *ca_dir;
 bool have_ca = FALSE;
 if (set->ca.content != NULL && set->ca.content[0] != '\0') {
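Review bot: The new call `SSL_CTX_load_verify_locations(ctx->ssl_ctx, NULL, ca_dir)` reports success once the directory is registered as a lookup, not once usable CA certificates were found in it, so as far as I recall a directory lacking the subject-hash (c_rehash) file layout loads cleanly here and then contributes no CAs at verification time. Worth a comment above the call so the next reader does not take the `return 0` as proof the trust store was validated, e.g. `/* Directory lookups are resolved by subject-name hash at verify time; an unhashed ca_dir loads fine here but yields no CAs. */`. The rewritten error message naming only the ssl_client_ca_dir setting matches the narrowed signature.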
@@ -525,12 +511,8 @@ ssl_iostream_context_load_ca(struct ssl_iostream_context *ctx,
 ssl_iostream_ctx_verify_remote_cert(ctx, set, xnames);
 have_ca = TRUE;
 }
- ca_file = set->ca_file == NULL || *set->ca_file == '\0' ?
- NULL : set->ca_file;
- ca_dir = set->ca_dir == NULL || *set->ca_dir == '\0' ?
- NULL : set->ca_dir;
- if (ca_file != NULL || ca_dir != NULL) {
- if (load_ca_locations(ctx, ca_file, ca_dir, error_r) < 0)
+ if (set->ca_dir != NULL && *set->ca_dir != '\0') {
+ if (load_ca_locations(ctx, set->ca_dir, error_r) < 0)
 return -1;
 have_ca = TRUE;
 }
diff --git a/src/lib-ssl-iostream/iostream-ssl.c b/src/lib-ssl-iostream/iostream-ssl.c
index 3e0cf6b69c..604a5eba48 100644
--- a/src/lib-ssl-iostream/iostream-ssl.c
+++ b/src/lib-ssl-iostream/iostream-ssl.c
@@ -151,7 +151,6 @@ int io_stream_autocreate_ssl_client(
 p_memdup(pool, set, sizeof(*set));
 set_copy->pool = pool;
 pool_add_external_ref(pool, set->pool);
- set_copy->ca_file = NULL;
 set_copy->ca_dir = NULL;
 settings_free(set);
 set = set_copy;
@@ -361,7 +360,6 @@ bool ssl_iostream_settings_equals(const struct ssl_iostream_settings *set1,
 return FALSE;
 if (!quick_strcmp(set1->ca.content, set2->ca.content) ||
- !quick_strcmp(set1->ca_file, set2->ca_file) ||
 !quick_strcmp(set1->ca_dir, set2->ca_dir))
 return FALSE;
diff --git a/src/lib-ssl-iostream/iostream-ssl.h b/src/lib-ssl-iostream/iostream-ssl.h
index 5abb06d508..578058ff19 100644
--- a/src/lib-ssl-iostream/iostream-ssl.h
+++ b/src/lib-ssl-iostream/iostream-ssl.h
@@ -34,7 +34,7 @@ struct ssl_iostream_settings {
 const char *ciphersuites; /* TLSv1.3 only */
 const char *curve_list;
 struct settings_file ca;
- const char *ca_file, *ca_dir;
+ const char *ca_dir;
 struct ssl_iostream_cert cert;
 /* alternative cert is for providing certificate using different key algorithm */
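Review bot: With `set->ca_file` gone from this branch, a configuration that still names a CA file would no longer reach the verify store and nothing in the new code reports that; the commit title says the field was unused, but the removed error text in the first hunk still refers to an ssl_client_ca_file setting, so it is worth confirming that the settings parser (not in this diff) no longer accepts that key, otherwise an operator's CA file is silently ignored instead of being rejected at startup. The new guard `if (set->ca_dir != NULL && *set->ca_dir != '\0')` preserves the old empty-string-means-unset normalisation, which is fine. The remaining hunks in iostream-ssl.c and iostream-ssl.h are straightforward removals of the same field. ssl_iostream_context_load_ca continues past the end of this hunk.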