From: Timo Sirainen
Date: Thu, 1 Feb 2024 15:02:56 +0000 (+0200)
Subject: lib-ldap, lib-http: Use ssl_iostream_settings.ca instead of ca_file
X-Git-Tag: 2.4.1~1067
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=be2547f7e41444cb9b32cef2a763134498563799;p=thirdparty%2Fdovecot%2Fcore.git
lib-ldap, lib-http: Use ssl_iostream_settings.ca instead of ca_file
---
diff --git a/src/lib-http/test-http-client.c b/src/lib-http/test-http-client.c
index 267694ccd1..ea543c395c 100644
--- a/src/lib-http/test-http-client.c
+++ b/src/lib-http/test-http-client.c
@@ -385,8 +385,17 @@ int main(int argc, char *argv[])
 ssl_set.allow_invalid_cert = TRUE;
 if (stat("/etc/ssl/certs", &st) == 0 && S_ISDIR(st.st_mode))
 ssl_set.ca_dir = "/etc/ssl/certs"; /* debian */
- if (stat("/etc/ssl/certs", &st) == 0 && S_ISREG(st.st_mode))
- ssl_set.ca_file = "/etc/pki/tls/cert.pem"; /* redhat */
+ if (stat("/etc/ssl/certs", &st) == 0 && S_ISREG(st.st_mode)) {
+ /* redhat */
+ const char *ca_value;
+ if (settings_parse_read_file("/etc/pki/tls/cert.pem", "/etc/pki/tls/cert.pem", unsafe_data_stack_pool, &ca_value, &error) < 0) i_fatal("%s", error);
+ settings_file_get(ca_value, unsafe_data_stack_pool, &ssl_set.ca);
+ }
 http_client_settings_init(null_pool, &http_set);
 http_set.max_idle_time_msecs = 5*1000;
diff --git a/src/lib-ldap/ldap-connection.c b/src/lib-ldap/ldap-connection.c
index 6e322f693a..f33d374ebc 100644
--- a/src/lib-ldap/ldap-connection.c
+++ b/src/lib-ldap/ldap-connection.c
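Review bot: The redhat branch stats `/etc/ssl/certs` but reads `/etc/pki/tls/cert.pem`, so `S_ISREG` is evaluated against a different path than the one settings_parse_read_file() opens; the mismatch predates this commit, but the new block keeps it, and on Red Hat-style layouts `/etc/ssl/certs` is typically a directory, so this fallback is unlikely to ever run. Checking the path that is actually read, `if (stat("/etc/pki/tls/cert.pem", &st) == 0 && S_ISREG(st.st_mode)) {`, makes the fallback do what the comment says and avoids a presumable i_fatal() when `/etc/ssl/certs` is a regular file but the PEM bundle is absent. The `st` and `error` variables are declared outside the hunk; main() starts before it and continues after it.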
@@ -70,8 +70,15 @@ int ldap_connection_setup(struct ldap_connection *conn, const char **error_r)
 /* timelimit */
 ldap_set_option(conn->conn, LDAP_OPT_TIMELIMIT, &opt);
- if (conn->ssl_set.ca_file != NULL)
- ldap_set_option(conn->conn, LDAP_OPT_X_TLS_CACERTFILE, conn->ssl_set.ca_file);
+ if (conn->ssl_set.ca.content != NULL &&
+ conn->ssl_set.ca.content[0] != '\0') {
+ if (conn->ssl_set.ca.path[0] == '\0') {
+ *error_r = "LDAP doesn't support inline ssl_client_ca_file - use a path";
+ return -1;
+ }
+ ldap_set_option(conn->conn, LDAP_OPT_X_TLS_CACERTFILE,
+ conn->ssl_set.ca.path);
+ }
 if (conn->ssl_set.ca_dir != NULL)
 ldap_set_option(conn->conn, LDAP_OPT_X_TLS_CACERTDIR, conn->ssl_set.ca_dir);
@@ -135,7 +142,7 @@ bool ldap_connection_have_settings(struct ldap_connection *conn,
 return FALSE;
 if (null_strcmp(conn->ssl_set.curve_list, set->ssl_set->curve_list) != 0)
 return FALSE;
- if (null_strcmp(conn->ssl_set.ca_file, set->ssl_set->ca_file) != 0)
+ if (null_strcmp(conn->ssl_set.ca.path, set->ssl_set->ca.path) != 0)
 return FALSE;
 if (null_strcmp(conn->ssl_set.cert.cert.content, set->ssl_set->cert.cert.content) != 0)
@@ -185,7 +192,9 @@ int ldap_connection_init(struct ldap_client *client,
 conn->set.ssl_set = &conn->ssl_set;
 conn->ssl_set.min_protocol = p_strdup(pool, set->ssl_set->min_protocol);
 conn->ssl_set.cipher_list = p_strdup(pool, set->ssl_set->cipher_list);
- conn->ssl_set.ca_file = p_strdup(pool, set->ssl_set->ca_file);
+ conn->ssl_set.ca.path = p_strdup(pool, set->ssl_set->ca.path);
+ conn->ssl_set.ca.content =
+ p_strdup(pool, set->ssl_set->ca.content);
 conn->ssl_set.cert.cert.path = p_strdup(pool, set->ssl_set->cert.cert.path);
 conn->ssl_set.cert.cert.content =
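Review bot: `conn->ssl_set.ca.path[0]` is dereferenced in the new block without a NULL check, while `ca.content` on the line above is NULL-checked; ldap_connection_init() fills the path with p_strdup() and ldap_connection_have_settings() compares it with null_strcmp(), both of which suggest the path can be NULL while content is set, and that would crash here instead of producing the error. A guard of the form `if (conn->ssl_set.ca.path == NULL || conn->ssl_set.ca.path[0] == '\0') {` keeps the inline-CA rejection and still fails closed with the same message. It is also worth a one-line comment above the ldap_set_option() call that libldap loads the CA bundle from the path itself, so `ca.content` only serves to detect that a CA was configured, e.g. `/* libldap reads the CA from ca.path; ca.content is not passed through */`. ldap_connection_setup() starts before the hunk and continues after it.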
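Review bot: ldap_connection_have_settings() now compares only `ca.path`, whereas ldap_connection_init() copies both `ca.path` and `ca.content` and the neighbouring check compares `cert.cert.content`; two configurations with the same path but different content, or an inline-only CA where the path is empty, compare as equal and the existing connection is presumably kept with the old CA material. Adding `if (null_strcmp(conn->ssl_set.ca.content, set->ssl_set->ca.content) != 0) return FALSE;` after the path comparison makes the check consistent with the cert content comparisons below it. The function starts before the hunk and continues after it.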