From: Timo Sirainen Date: Thu, 19 Dec 2024 12:26:32 +0000 (+0200) Subject: lib-ssl-iostream, global: Use ssl_server_ prefix for SSL server settings X-Git-Tag: 2.4.1~343 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c3e8e8f7c441f45ce96b33d343f6003fe545ac1b;p=thirdparty%2Fdovecot%2Fcore.git lib-ssl-iostream, global: Use ssl_server_ prefix for SSL server settings --- diff --git a/src/config/config-parser.h b/src/config/config-parser.h index 673fb2c4d7..0633537d1f 100644 --- a/src/config/config-parser.h +++ b/src/config/config-parser.h @@ -61,7 +61,7 @@ struct config_module_parser { is forwarded to the config client process, which errors out only if the settings struct is attempted to be used. This allows for example doveadm to be called non-root and not fail even if it can't access - ssl_key_file. */ + ssl_server_key_file. */ const char *delayed_error; }; ARRAY_DEFINE_TYPE(config_module_parsers, struct config_module_parser *); diff --git a/src/lib-smtp/test-smtp-payload.c b/src/lib-smtp/test-smtp-payload.c index 822e1c5c46..84f9b12ae0 100644 --- a/src/lib-smtp/test-smtp-payload.c +++ b/src/lib-smtp/test-smtp-payload.c @@ -935,12 +935,15 @@ test_run_client_server( Otherwise the SMTP SNI mechanism will break when looking up the relevant settings. */ const char *const settings[] = { - "ssl_ca_file", settings_file_get_value(unsafe_data_stack_pool, - &server_set->ssl->ca), - "ssl_cert_file", settings_file_get_value(unsafe_data_stack_pool, - &server_set->ssl->cert.cert), - "ssl_key_file", settings_file_get_value(unsafe_data_stack_pool, - &server_set->ssl->cert.key), + "ssl_server_ca_file", + settings_file_get_value(unsafe_data_stack_pool, + &server_set->ssl->ca), + "ssl_server_cert_file", + settings_file_get_value(unsafe_data_stack_pool, + &server_set->ssl->cert.cert), + "ssl_server_key_file", + settings_file_get_value(unsafe_data_stack_pool, + &server_set->ssl->cert.key), NULL, }; struct settings_simple test_set; diff --git a/src/lib-smtp/test-smtp-server-errors.c b/src/lib-smtp/test-smtp-server-errors.c index 2e74794cac..c087d4b2b2 100644 --- a/src/lib-smtp/test-smtp-server-errors.c +++ b/src/lib-smtp/test-smtp-server-errors.c @@ -4077,15 +4077,15 @@ test_run_client_server(struct smtp_server_settings *server_set, Otherwise the SMTP SNI mechanism will break when looking up the relevant settings. */ const char *const settings[] = { - "ssl_ca_file", + "ssl_server_ca_file", (server_set->ssl == NULL ? "" : settings_file_get_value(unsafe_data_stack_pool, &server_set->ssl->ca)), - "ssl_cert_file", + "ssl_server_cert_file", (server_set->ssl == NULL ? "" : settings_file_get_value(unsafe_data_stack_pool, &server_set->ssl->cert.cert)), - "ssl_key_file", + "ssl_server_key_file", (server_set->ssl == NULL ? "" : settings_file_get_value(unsafe_data_stack_pool, &server_set->ssl->cert.key)), diff --git a/src/lib-ssl-iostream/iostream-openssl-common.c b/src/lib-ssl-iostream/iostream-openssl-common.c index 59cc10ba46..517e8acafd 100644 --- a/src/lib-ssl-iostream/iostream-openssl-common.c +++ b/src/lib-ssl-iostream/iostream-openssl-common.c @@ -161,7 +161,7 @@ const char *openssl_iostream_key_load_error(void) if (ERR_GET_LIB(err) == ERR_LIB_X509 && ERR_GET_REASON(err) == X509_R_KEY_VALUES_MISMATCH) - return "Key is for a different cert than ssl_cert_file"; + return "Key is for a different cert than ssl_server_cert_file"; else return openssl_iostream_error(); } @@ -184,7 +184,7 @@ const char *openssl_iostream_use_certificate_error(const char *cert) return openssl_iostream_error(); else if (is_pem_key(cert)) { return "The file contains a private key " - "(you've mixed ssl_cert_file and ssl_key_file settings)"; + "(you've mixed ssl_server_cert_file and ssl_server_key_file settings)"; } else { return "There is no valid PEM certificate."; } diff --git a/src/lib-ssl-iostream/iostream-openssl-context.c b/src/lib-ssl-iostream/iostream-openssl-context.c index aef934c188..13b04e1549 100644 --- a/src/lib-ssl-iostream/iostream-openssl-context.c +++ b/src/lib-ssl-iostream/iostream-openssl-context.c @@ -37,7 +37,7 @@ static DH *ssl_tmp_dh_callback(SSL *ssl, SSL_get_ex_data(ssl, dovecot_ssl_extdata_index); e_error(ssl_io->event, "Diffie-Hellman key exchange requested, " - "but no DH parameters provided. Set ssl_dh_file=/path/to/dh.pem"); + "but no DH parameters provided. Set ssl_server_dh_file=/path/to/dh.pem"); return NULL; } #endif @@ -85,7 +85,7 @@ int openssl_iostream_load_key(const struct ssl_iostream_cert *set, "Couldn't parse private SSL key (%s setting)%s: %s", set_name, ctx.password != NULL ? - " (maybe ssl_key_password is wrong?)" : + " (maybe ssl_server_key_password is wrong?)" : "", openssl_iostream_error()); } @@ -161,7 +161,7 @@ ssl_iostream_ctx_use_dh(struct ssl_iostream_context *ctx, #endif { *error_r = t_strdup_printf( - "Can't load DH parameters (ssl_dh_file setting): %s", + "Can't load DH parameters (ssl_server_dh_file setting): %s", openssl_iostream_key_load_error()); ret = -1; } @@ -610,8 +610,9 @@ ssl_iostream_context_load_ca(struct ssl_iostream_context *ctx, if (set->ca.content != NULL && set->ca.content[0] != '\0') { store = SSL_CTX_get_cert_store(ctx->ssl_ctx); if (load_ca(store, set->ca.content, &xnames) < 0) { - *error_r = t_strdup_printf("Couldn't parse ssl_ca_file: %s", - openssl_iostream_error()); + *error_r = t_strdup_printf( + "Couldn't parse ssl_server_ca_file: %s", + openssl_iostream_error()); return -1; } ssl_iostream_ctx_verify_remote_cert(ctx, set, xnames); @@ -630,7 +631,7 @@ ssl_iostream_context_load_ca(struct ssl_iostream_context *ctx, return -1; } } else if (!have_ca) { - *error_r = "Can't verify remote client certs without CA (ssl_ca_file setting)"; + *error_r = "Can't verify remote client certs without CA (ssl_server_ca_file setting)"; return -1; } return 0; @@ -684,17 +685,17 @@ ssl_iostream_context_set(struct ssl_iostream_context *ctx, } /* Client can ignore an empty ssl_client_cert_file, but server will fail - if ssl_cert_file is empty. */ + if ssl_server_cert_file is empty. */ if (set->cert.cert.content != NULL && (set->cert.cert.content[0] != '\0' || !ctx->client_ctx) && ssl_ctx_use_certificate_chain(ctx->ssl_ctx, set->cert.cert.content) == 0) { *error_r = t_strdup_printf( - "Can't load SSL certificate (ssl_cert_file setting): %s", + "Can't load SSL certificate (ssl_server_cert_file setting): %s", openssl_iostream_use_certificate_error(set->cert.cert.content)); return -1; } if (set->cert.key.content != NULL && set->cert.key.content[0] != '\0') { - if (ssl_iostream_ctx_use_key(ctx, "ssl_key_file", + if (ssl_iostream_ctx_use_key(ctx, "ssl_server_key_file", &set->cert, error_r) < 0) return -1; } @@ -703,13 +704,13 @@ ssl_iostream_context_set(struct ssl_iostream_context *ctx, ssl_ctx_use_certificate_chain(ctx->ssl_ctx, set->alt_cert.cert.content) == 0) { *error_r = t_strdup_printf( "Can't load alternative SSL certificate " - "(ssl_alt_cert_file setting): %s", + "(ssl_server_alt_cert_file setting): %s", openssl_iostream_use_certificate_error(set->alt_cert.cert.content)); return -1; } if (set->alt_cert.key.content != NULL && set->alt_cert.key.content[0] != '\0') { - if (ssl_iostream_ctx_use_key(ctx, "ssl_alt_key_file", + if (ssl_iostream_ctx_use_key(ctx, "ssl_server_alt_key_file", &set->alt_cert, error_r) < 0) return -1; } @@ -729,7 +730,7 @@ ssl_iostream_context_set(struct ssl_iostream_context *ctx, ctx->username_nid = OBJ_txt2nid(set->cert_username_field); if (ctx->username_nid == NID_undef) { *error_r = t_strdup_printf( - "Invalid ssl_cert_username_field: %s", + "Invalid ssl_server_cert_username_field: %s", set->cert_username_field); return -1; } diff --git a/src/lib-ssl-iostream/iostream-openssl.c b/src/lib-ssl-iostream/iostream-openssl.c index 55d85a1dee..88885259bc 100644 --- a/src/lib-ssl-iostream/iostream-openssl.c +++ b/src/lib-ssl-iostream/iostream-openssl.c @@ -102,7 +102,7 @@ openssl_iostream_verify_client_cert(int preverify_ok, X509_STORE_CTX *ctx) X509_verify_cert_error_string(X509_STORE_CTX_get_error(ctx)), certname, ssl_io->ctx->client_ctx ? "ssl_client_ca_* settings?" : - "ssl_ca_file setting?")); + "ssl_server_ca_file setting?")); } else { e_debug(ssl_io->event, "Received valid SSL certificate: %s", certname); } diff --git a/src/lib-ssl-iostream/ssl-settings.c b/src/lib-ssl-iostream/ssl-settings.c index 1846e857c2..b37384cf87 100644 --- a/src/lib-ssl-iostream/ssl-settings.c +++ b/src/lib-ssl-iostream/ssl-settings.c @@ -75,36 +75,36 @@ const struct setting_parser_info ssl_setting_parser_info = { static const struct setting_define ssl_server_setting_defines[] = { DEF(ENUM, ssl), - DEF(FILE, ssl_ca_file), - DEF(FILE, ssl_cert_file), - DEF(FILE, ssl_key_file), - DEF(FILE, ssl_alt_cert_file), - DEF(FILE, ssl_alt_key_file), - DEF(STR, ssl_key_password), - DEF(FILE, ssl_dh_file), - DEF(STR, ssl_cert_username_field), - DEF(ENUM, ssl_prefer_ciphers), - - DEF(BOOL, ssl_require_crl), - DEF(BOOL, ssl_request_client_cert), + DEF(FILE, ssl_server_ca_file), + DEF(FILE, ssl_server_cert_file), + DEF(FILE, ssl_server_key_file), + DEF(FILE, ssl_server_alt_cert_file), + DEF(FILE, ssl_server_alt_key_file), + DEF(STR, ssl_server_key_password), + DEF(FILE, ssl_server_dh_file), + DEF(STR, ssl_server_cert_username_field), + DEF(ENUM, ssl_server_prefer_ciphers), + + DEF(BOOL, ssl_server_require_crl), + DEF(BOOL, ssl_server_request_client_cert), SETTING_DEFINE_LIST_END }; static const struct ssl_server_settings ssl_server_default_settings = { .ssl = "yes:no:required", - .ssl_ca_file = "", - .ssl_cert_file = "", - .ssl_key_file = "", - .ssl_alt_cert_file = "", - .ssl_alt_key_file = "", - .ssl_key_password = "", - .ssl_dh_file = "", - .ssl_cert_username_field = "commonName", - .ssl_prefer_ciphers = "client:server", - - .ssl_require_crl = TRUE, - .ssl_request_client_cert = FALSE, + .ssl_server_ca_file = "", + .ssl_server_cert_file = "", + .ssl_server_key_file = "", + .ssl_server_alt_cert_file = "", + .ssl_server_alt_key_file = "", + .ssl_server_key_password = "", + .ssl_server_dh_file = "", + .ssl_server_cert_username_field = "commonName", + .ssl_server_prefer_ciphers = "client:server", + + .ssl_server_require_crl = TRUE, + .ssl_server_request_client_cert = FALSE, }; const struct setting_parser_info ssl_server_setting_parser_info = { @@ -166,8 +166,9 @@ ssl_server_settings_check(void *_set, pool_t pool ATTR_UNUSED, return TRUE; } - if (set->ssl_request_client_cert && *set->ssl_ca_file == '\0') { - *error_r = "ssl_request_client_cert set, but ssl_ca_file not"; + if (set->ssl_server_request_client_cert && + *set->ssl_server_ca_file == '\0') { + *error_r = "ssl_server_request_client_cert set, but ssl_server_ca_file not"; return FALSE; } return TRUE; @@ -255,29 +256,31 @@ void ssl_server_settings_to_iostream_set( ssl_common_settings_to_iostream_set(ssl_set); pool_add_external_ref(set->pool, ssl_server_set->pool); - settings_file_get(ssl_server_set->ssl_ca_file, set->pool, &set->ca); - settings_file_get(ssl_server_set->ssl_cert_file, + settings_file_get(ssl_server_set->ssl_server_ca_file, set->pool, &set->ca); + settings_file_get(ssl_server_set->ssl_server_cert_file, set->pool, &set->cert.cert); - settings_file_get(ssl_server_set->ssl_key_file, + settings_file_get(ssl_server_set->ssl_server_key_file, set->pool, &set->cert.key); - set->cert.key_password = ssl_server_set->ssl_key_password; - if (ssl_server_set->ssl_alt_cert_file != NULL && - *ssl_server_set->ssl_alt_cert_file != '\0') { - settings_file_get(ssl_server_set->ssl_alt_cert_file, + set->cert.key_password = ssl_server_set->ssl_server_key_password; + if (ssl_server_set->ssl_server_alt_cert_file != NULL && + *ssl_server_set->ssl_server_alt_cert_file != '\0') { + settings_file_get(ssl_server_set->ssl_server_alt_cert_file, set->pool, &set->alt_cert.cert); - settings_file_get(ssl_server_set->ssl_alt_key_file, + settings_file_get(ssl_server_set->ssl_server_alt_key_file, set->pool, &set->alt_cert.key); - set->alt_cert.key_password = ssl_server_set->ssl_key_password; + set->alt_cert.key_password = + ssl_server_set->ssl_server_key_password; } - settings_file_get(ssl_server_set->ssl_dh_file, set->pool, &set->dh); + settings_file_get(ssl_server_set->ssl_server_dh_file, + set->pool, &set->dh); set->cert_username_field = - ssl_server_set->ssl_cert_username_field; + ssl_server_set->ssl_server_cert_username_field; set->prefer_server_ciphers = - strcmp(ssl_server_set->ssl_prefer_ciphers, "server") == 0; - set->verify_remote_cert = ssl_server_set->ssl_request_client_cert; + strcmp(ssl_server_set->ssl_server_prefer_ciphers, "server") == 0; + set->verify_remote_cert = ssl_server_set->ssl_server_request_client_cert; set->allow_invalid_cert = !set->verify_remote_cert; - /* ssl_require_crl is used only for checking client-provided SSL + /* ssl_server_require_crl is used only for checking client-provided SSL certificate's CRL. */ - set->skip_crl_check = !ssl_server_set->ssl_require_crl; + set->skip_crl_check = !ssl_server_set->ssl_server_require_crl; *set_r = set; } diff --git a/src/lib-ssl-iostream/ssl-settings.h b/src/lib-ssl-iostream/ssl-settings.h index 19106cf770..91d7137c6e 100644 --- a/src/lib-ssl-iostream/ssl-settings.h +++ b/src/lib-ssl-iostream/ssl-settings.h @@ -32,18 +32,18 @@ struct ssl_server_settings { pool_t pool; const char *ssl; - const char *ssl_ca_file; - const char *ssl_cert_file; - const char *ssl_alt_cert_file; - const char *ssl_key_file; - const char *ssl_alt_key_file; - const char *ssl_key_password; - const char *ssl_dh_file; - const char *ssl_cert_username_field; - const char *ssl_prefer_ciphers; + const char *ssl_server_ca_file; + const char *ssl_server_cert_file; + const char *ssl_server_alt_cert_file; + const char *ssl_server_key_file; + const char *ssl_server_alt_key_file; + const char *ssl_server_key_password; + const char *ssl_server_dh_file; + const char *ssl_server_cert_username_field; + const char *ssl_server_prefer_ciphers; - bool ssl_require_crl; - bool ssl_request_client_cert; + bool ssl_server_require_crl; + bool ssl_server_request_client_cert; }; extern const struct setting_parser_info ssl_setting_parser_info;