From: Timo Sirainen
Date: Mon, 19 Jan 2004 17:07:21 +0000 (+0200)
Subject: Added setting ssl_ca_file, patch by Zach Bagnall
X-Git-Tag: 1.1.alpha1~4199
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=45abc1e6369ad4198e08e710f083982f8b610e31;p=thirdparty%2Fdovecot%2Fcore.git

Added setting ssl_ca_file, patch by Zach Bagnall

--HG--
branch : HEAD
---
diff --git a/src/login-common/ssl-proxy-openssl.c b/src/login-common/ssl-proxy-openssl.c
index 5ee0ff6d4f..fc80534ee0 100644
--- a/src/login-common/ssl-proxy-openssl.c
+++ b/src/login-common/ssl-proxy-openssl.c
@@ -403,9 +403,10 @@ static RSA *ssl_gen_rsa_key(SSL *ssl __attr_unused__,
 
 void ssl_proxy_init(void)
 {
-	const char *certfile, *keyfile, *paramfile;
+	const char *cafile, *certfile, *keyfile, *paramfile;
 	char buf;
 
+	cafile = getenv("SSL_CA_FILE");
 	certfile = getenv("SSL_CERT_FILE");
 	keyfile = getenv("SSL_KEY_FILE");
 	paramfile = getenv("SSL_PARAM_FILE");
@@ -428,6 +429,13 @@ void ssl_proxy_init(void)
 			SSL_CIPHER_LIST, ssl_last_error());
 	}
 
+	if (cafile != NULL) {
+		if (SSL_CTX_load_verify_locations(ssl_ctx, cafile, NULL) != 1) {
+			i_fatal("Can't load CA file %s: %s",
+				cafile, ssl_last_error());
+		}
+	}
+
 	if (SSL_CTX_use_certificate_chain_file(ssl_ctx, certfile) != 1) {
 		i_fatal("Can't load certificate file %s: %s",
 			certfile, ssl_last_error());
diff --git a/src/master/login-process.c b/src/master/login-process.c
index 52e1a25a73..91564e3d80 100644
--- a/src/master/login-process.c
+++ b/src/master/login-process.c
@@ -382,6 +382,10 @@ static void login_process_init_env(struct login_group *group, pid_t pid)
 	env_put("DOVECOT_MASTER=1");
 
 	if (!set->ssl_disable) {
+		if (set->ssl_ca_file != NULL) {
+			env_put(t_strconcat("SSL_CA_FILE=",
+					    set->ssl_ca_file, NULL));
+		}
 		env_put(t_strconcat("SSL_CERT_FILE=",
 				    set->ssl_cert_file, NULL));
 		env_put(t_strconcat("SSL_KEY_FILE=",
diff --git a/src/master/master-settings.c b/src/master/master-settings.c
index f0b0f2045a..2074995a9f 100644
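Review bot: In the second hunk of ssl_proxy_init(), SSL_CTX_load_verify_locations() only installs trust anchors; nothing in this hunk calls SSL_CTX_set_verify(), so unless the remainder of ssl_proxy_init() (which continues outside the hunk) does, the context still runs with OpenSSL's default of not requesting or checking peer certificates, and the new ssl_ca_file setting changes nothing about what the server accepts. An administrator who sets ssl_ca_file is likely to assume client certificates are now being verified, so this deserves a comment above the new block if it is groundwork only, e.g. `/* Installs trust anchors only; no verify mode is set here, so peer certificates are not yet checked. */`. The `!= 1` test matches the OpenSSL return convention and the NULL CApath argument is fine.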
--- a/src/master/master-settings.c
+++ b/src/master/master-settings.c
@@ -46,6 +46,7 @@ static struct setting_def setting_defs[] = {
 
 	DEF(SET_STR, ssl_listen),
 	DEF(SET_BOOL, ssl_disable),
+	DEF(SET_STR, ssl_ca_file),
 	DEF(SET_STR, ssl_cert_file),
 	DEF(SET_STR, ssl_key_file),
 	DEF(SET_STR, ssl_parameters_file),
@@ -164,6 +165,7 @@ struct settings default_settings = {
 
 	MEMBER(ssl_listen) NULL,
 	MEMBER(ssl_disable) FALSE,
+	MEMBER(ssl_ca_file) NULL,
 	MEMBER(ssl_cert_file) SSLDIR"/certs/dovecot.pem",
 	MEMBER(ssl_key_file) SSLDIR"/private/dovecot.pem",
 	MEMBER(ssl_parameters_file) "ssl-parameters.dat",
@@ -418,6 +420,12 @@ static int settings_verify(struct settings *set)
 
 #ifdef HAVE_SSL
 	if (!set->ssl_disable) {
+		if (set->ssl_ca_file != NULL &&
+		    access(set->ssl_ca_file, R_OK) < 0) {
+			i_fatal("Can't use SSL CA file %s: %m",
+				set->ssl_ca_file);
+		}
+
 		if (access(set->ssl_cert_file, R_OK) < 0) {
 			i_error("Can't use SSL certificate %s: %m",
 				set->ssl_cert_file);
diff --git a/src/master/master-settings.h b/src/master/master-settings.h
index ec79651a2c..e1c53b8b3b 100644
--- a/src/master/master-settings.h
+++ b/src/master/master-settings.h
@@ -23,6 +23,7 @@ struct settings {
 
 	const char *ssl_listen;
 	int ssl_disable;
+	const char *ssl_ca_file;
 	const char *ssl_cert_file;
 	const char *ssl_key_file;
 	const char *ssl_parameters_file;
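Review bot: The new CA-file check in settings_verify() aborts with i_fatal() while the adjacent, pre-existing ssl_cert_file check only reports with i_error(); two back-to-back checks for the same class of misconfiguration should share one severity, so either use `i_error("Can't use SSL CA file %s: %m", set->ssl_ca_file);` here or make both fatal if an unreadable file should really stop startup. Note also that access(R_OK) runs in the master process; when the master runs as root it answers yes for nearly any existing file, so a CA file the login process cannot read will pass here and only fail later in SSL_CTX_load_verify_locations(), which makes this a pre-flight hint rather than a guarantee. The rest of settings_verify() and what the i_error path returns are outside the hunk.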