From: Timo Sirainen
Date: Thu, 1 Feb 2024 14:46:02 +0000 (+0200)
Subject: lib-ssl-iostream: Convert ssl_ca setting to ssl_ca_file
X-Git-Tag: 2.4.1~1069
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9d58a5dae5accc0f5d205af789556f2d7e94300e;p=thirdparty%2Fdovecot%2Fcore.git
lib-ssl-iostream: Convert ssl_ca setting to ssl_ca_file
---
diff --git a/src/config/old-set-parser.c b/src/config/old-set-parser.c
index e814b5dd86..85faea5081 100644
--- a/src/config/old-set-parser.c
+++ b/src/config/old-set-parser.c
@@ -156,7 +156,7 @@ static bool
 old_settings_handle_root(struct config_parser_context *ctx,
 const char *key, const char *value)
 {
- const char *p, *suffix;
+ const char *suffix;
 size_t len;
 if (strcmp(key, "base_dir") == 0) {
@@ -211,14 +211,6 @@ old_settings_handle_root(struct config_parser_context *ctx,
 old_set_parser_apply(ctx, CONFIG_LINE_TYPE_KEYVALUE, key, value);
 return TRUE;
 }
- if (strcmp(key, "ssl_ca_file") == 0) {
- if (*value == '\0')
- return TRUE;
- p = t_strdup_until(key, strrchr(key, '_'));
- obsolete(ctx, "%s has been replaced by %s = set.password, strlen(conn->set.password), 0, &conn->cred); } /* cannot use these */
- conn->ssl_set.ca = NULL;
+ i_zero(&conn->ssl_set.ca);
 conn->ssl_set.cert.key_password = NULL;
 conn->ssl_set.cert_username_field = NULL;
 conn->ssl_set.crypto_device = NULL;
diff --git a/src/lib-smtp/test-smtp-payload.c b/src/lib-smtp/test-smtp-payload.c
index 5be78567a0..e9f6d1ad6d 100644
--- a/src/lib-smtp/test-smtp-payload.c
+++ b/src/lib-smtp/test-smtp-payload.c
@@ -935,7 +935,8 @@ test_run_client_server(
 Otherwise the SMTP SNI mechanism will break when looking up the relevant settings. */
 const char *const settings[] = {
- "ssl_ca", server_set->ssl->ca,
+ "ssl_ca_file", settings_file_get_value(unsafe_data_stack_pool,
+ &server_set->ssl->ca),
 "ssl_cert_file", settings_file_get_value(unsafe_data_stack_pool,
 &server_set->ssl->cert.cert),
 "ssl_key_file", settings_file_get_value(unsafe_data_stack_pool,
diff --git a/src/lib-ssl-iostream/iostream-openssl-context.c b/src/lib-ssl-iostream/iostream-openssl-context.c
index 0ee6a9947e..47c9f49e8e 100644
--- a/src/lib-ssl-iostream/iostream-openssl-context.c
+++ b/src/lib-ssl-iostream/iostream-openssl-context.c
@@ -515,10 +515,10 @@ ssl_iostream_context_load_ca(struct ssl_iostream_context *ctx,
 const char *ca_file, *ca_dir;
 bool have_ca = FALSE;
- if (set->ca != NULL && set->ca[0] != '\0') {
+ if (set->ca.content != NULL && set->ca.content[0] != '\0') {
 store = SSL_CTX_get_cert_store(ctx->ssl_ctx);
- if (load_ca(store, set->ca, &xnames) < 0) {
- *error_r = t_strdup_printf("Couldn't parse ssl_ca: %s",
+ if (load_ca(store, set->ca.content, &xnames) < 0) {
+ *error_r = t_strdup_printf("Couldn't parse ssl_ca_file: %s",
 openssl_iostream_error());
 return -1;
 }
@@ -542,7 +542,7 @@ ssl_iostream_context_load_ca(struct ssl_iostream_context *ctx,
 return -1;
 }
 } else if (!have_ca) {
- *error_r = "Can't verify remote client certs without CA (ssl_ca setting)";
+ *error_r = "Can't verify remote client certs without CA (ssl_ca_file setting)";
 return -1;
 }
 return 0;
diff --git a/src/lib-ssl-iostream/iostream-openssl.c b/src/lib-ssl-iostream/iostream-openssl.c
index 7da03c0ac2..2faf906ff0 100644
--- a/src/lib-ssl-iostream/iostream-openssl.c
+++ b/src/lib-ssl-iostream/iostream-openssl.c
@@ -94,7 +94,7 @@ openssl_iostream_verify_client_cert(int preverify_ok, X509_STORE_CTX *ctx)
 X509_verify_cert_error_string(X509_STORE_CTX_get_error(ctx)),
 certname, ssl_io->ctx->client_ctx ?
 "ssl_client_ca_* settings?" :
- "ssl_ca setting?"));
+ "ssl_ca_file setting?"));
 } else {
 e_debug(ssl_io->event, "Received valid SSL certificate: %s", certname);
 }
diff --git a/src/lib-ssl-iostream/iostream-ssl-test.c b/src/lib-ssl-iostream/iostream-ssl-test.c
index 1beb531a90..acdf228568 100644
--- a/src/lib-ssl-iostream/iostream-ssl-test.c
+++ b/src/lib-ssl-iostream/iostream-ssl-test.c
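Review bot: The new message `"Couldn't parse ssl_ca_file: %s"` in ssl_iostream_context_load_ca is misleading for client contexts, whose `set->ca.content` is filled from the `ssl_client_ca` setting in ssl_client_settings_to_iostream_set later in this commit, so an operator debugging a client-side CA problem is pointed at a server setting. iostream-openssl.c in the same commit already branches on `ctx->client_ctx` for exactly this wording, and assuming `ctx` here is the same `struct ssl_iostream_context`, the same can be done at the failing load_ca: `*error_r = t_strdup_printf("Couldn't parse %s: %s", ctx->client_ctx ? "ssl_client_ca" : "ssl_ca_file", openssl_iostream_error());`. The second hunk's "remote client certs" message is server-only and needs no change. ssl_iostream_context_load_ca starts and ends outside the hunk.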
@@ -155,7 +155,7 @@ void ssl_iostream_test_settings_server(struct ssl_iostream_settings *test_set)
 {
 i_zero(test_set);
 test_set->pool = null_pool;
- test_set->ca = test_ca_cert;
+ test_set->ca.content = test_ca_cert;
 test_set->cert.cert.content = test_server_cert;
 test_set->cert.key.content = test_server_key;
 test_set->dh.content = test_server_dh;
@@ -166,6 +166,6 @@ void ssl_iostream_test_settings_client(struct ssl_iostream_settings *test_set)
 {
 i_zero(test_set);
 test_set->pool = null_pool;
- test_set->ca = test_ca_cert;
+ test_set->ca.content = test_ca_cert;
 test_set->skip_crl_check = TRUE;
 }
diff --git a/src/lib-ssl-iostream/iostream-ssl.c b/src/lib-ssl-iostream/iostream-ssl.c
index b21b56fa27..3e0cf6b69c 100644
--- a/src/lib-ssl-iostream/iostream-ssl.c
+++ b/src/lib-ssl-iostream/iostream-ssl.c
@@ -360,7 +360,7 @@ bool ssl_iostream_settings_equals(const struct ssl_iostream_settings *set1,
 set2->alt_cert.key_password))
 return FALSE;
- if (!quick_strcmp(set1->ca, set2->ca) ||
+ if (!quick_strcmp(set1->ca.content, set2->ca.content) ||
 !quick_strcmp(set1->ca_file, set2->ca_file) ||
 !quick_strcmp(set1->ca_dir, set2->ca_dir))
 return FALSE;
diff --git a/src/lib-ssl-iostream/iostream-ssl.h b/src/lib-ssl-iostream/iostream-ssl.h
index 711ee7d848..5abb06d508 100644
--- a/src/lib-ssl-iostream/iostream-ssl.h
+++ b/src/lib-ssl-iostream/iostream-ssl.h
@@ -33,7 +33,8 @@ struct ssl_iostream_settings {
 const char *cipher_list; /* TLSv1.2 and below only */
 const char *ciphersuites; /* TLSv1.3 only */
 const char *curve_list;
- const char *ca, *ca_file, *ca_dir;
+ struct settings_file ca;
+ const char *ca_file, *ca_dir;
 struct ssl_iostream_cert cert;
 /* alternative cert is for providing certificate using different key algorithm */
diff --git a/src/lib-ssl-iostream/ssl-settings.c b/src/lib-ssl-iostream/ssl-settings.c
index a543e9ea61..8423651f4d 100644
--- a/src/lib-ssl-iostream/ssl-settings.c
+++ b/src/lib-ssl-iostream/ssl-settings.c
@@ -65,7 +65,7 @@ const struct setting_parser_info ssl_setting_parser_info = {
 static const struct setting_define ssl_server_setting_defines[] = {
 DEF(ENUM, ssl),
- DEF(STR, ssl_ca),
+ DEF(FILE, ssl_ca_file),
 DEF(FILE, ssl_cert_file),
 DEF(FILE, ssl_key_file),
 DEF(FILE, ssl_alt_cert_file),
@@ -83,7 +83,7 @@ static const struct setting_define ssl_server_setting_defines[] = {
 static const struct ssl_server_settings ssl_server_default_settings = {
 .ssl = "yes:no:required",
- .ssl_ca = "",
+ .ssl_ca_file = "",
 .ssl_cert_file = "",
 .ssl_key_file = "",
 .ssl_alt_cert_file = "",
@@ -156,8 +156,8 @@ ssl_server_settings_check(void *_set, pool_t pool ATTR_UNUSED,
 return TRUE;
 }
- if (set->ssl_request_client_cert && *set->ssl_ca == '\0') {
- *error_r = "ssl_request_client_cert set, but ssl_ca not";
+ if (set->ssl_request_client_cert && *set->ssl_ca_file == '\0') {
+ *error_r = "ssl_request_client_cert set, but ssl_ca_file not";
 return FALSE;
 }
 return TRUE;
@@ -190,7 +190,7 @@ void ssl_client_settings_to_iostream_set(
 struct ssl_iostream_settings *set =
 ssl_common_settings_to_iostream_set(ssl_set);
- set->ca = ssl_set->ssl_client_ca;
+ set->ca.content = ssl_set->ssl_client_ca;
 set->ca_file = ssl_set->ssl_client_ca_file;
 set->ca_dir = ssl_set->ssl_client_ca_dir;
 settings_file_get(ssl_set->ssl_client_cert_file,
@@ -213,7 +213,7 @@ void ssl_server_settings_to_iostream_set(
 ssl_common_settings_to_iostream_set(ssl_set);
 pool_add_external_ref(set->pool, ssl_server_set->pool);
- set->ca = ssl_server_set->ssl_ca;
+ settings_file_get(ssl_server_set->ssl_ca_file, set->pool, &set->ca);
 settings_file_get(ssl_server_set->ssl_cert_file,
 set->pool, &set->cert.cert);
 settings_file_get(ssl_server_set->ssl_key_file,
diff --git a/src/lib-ssl-iostream/ssl-settings.h b/src/lib-ssl-iostream/ssl-settings.h
index 1ad8a710b4..16e8bc9ecc 100644
--- a/src/lib-ssl-iostream/ssl-settings.h
+++ b/src/lib-ssl-iostream/ssl-settings.h
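Review bot: In ssl_client_settings_to_iostream_set only `set->ca.content` is assigned, while the server path one hunk later populates the whole `struct settings_file` through `settings_file_get()`; whatever other members that struct has (this page only shows `content`) stay zero for client contexts. That is harmless for the consumers touched in this commit, since ssl_iostream_context_load_ca and ssl_iostream_settings_equals read `ca.content` alone, but the asymmetry is easy to trip over later and deserves a comment at the assignment, e.g. `/* ssl_client_ca holds the CA data inline rather than a FILE setting; only .content is populated here */`. Both ssl_client_settings_to_iostream_set and ssl_server_settings_to_iostream_set start and end outside their hunks.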
@@ -32,7 +32,7 @@ struct ssl_server_settings {
 pool_t pool;
 const char *ssl;
- const char *ssl_ca;
+ const char *ssl_ca_file;
 const char *ssl_cert_file;
 const char *ssl_alt_cert_file;
 const char *ssl_key_file;
diff --git a/src/lib-ssl-iostream/test-iostream-ssl.c b/src/lib-ssl-iostream/test-iostream-ssl.c
index 9ab6088f5c..a9cf6d4697 100644
--- a/src/lib-ssl-iostream/test-iostream-ssl.c
+++ b/src/lib-ssl-iostream/test-iostream-ssl.c
@@ -318,7 +318,7 @@ static void test_iostream_ssl_handshake(void)
 ssl_iostream_test_settings_server(&server_set);
 ssl_iostream_test_settings_client(&client_set);
 client_set.verify_remote_cert = TRUE;
- client_set.ca = NULL;
+ i_zero(&client_set.ca);
 test_expect_error_string("client: Received invalid SSL certificate");
 test_assert_idx(test_iostream_ssl_handshake_real(&server_set, &client_set, "127.0.0.1") != 0, idx);