From: Timo Sirainen
Date: Thu, 1 Feb 2024 13:17:45 +0000 (+0200)
Subject: lib-ssl-iostream, global: Convert ssl_[alt_]key setting to ssl_[alt_]key_file
X-Git-Tag: 2.4.1~1072
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e8bfc22a46079570613e2a93a93efab03b9baab9;p=thirdparty%2Fdovecot%2Fcore.git
lib-ssl-iostream, global: Convert ssl_[alt_]key setting to ssl_[alt_]key_file
---
diff --git a/src/config/config-parser.h b/src/config/config-parser.h
index 3e954b8f98..6f56acc424 100644
--- a/src/config/config-parser.h
+++ b/src/config/config-parser.h
@@ -52,7 +52,7 @@ struct config_module_parser {
 is forwarded to the config client process, which errors out only if the settings struct is attempted to be used. This allows for example doveadm to be called non-root and not fail even if it can't access
- ssl_key file. */
+ ssl_key_file. */
 const char *delayed_error;
 };
 ARRAY_DEFINE_TYPE(config_module_parsers, struct config_module_parser *);
diff --git a/src/config/old-set-parser.c b/src/config/old-set-parser.c
index 45c856f0c3..e814b5dd86 100644
--- a/src/config/old-set-parser.c
+++ b/src/config/old-set-parser.c
@@ -211,8 +211,7 @@ old_settings_handle_root(struct config_parser_context *ctx,
 old_set_parser_apply(ctx, CONFIG_LINE_TYPE_KEYVALUE, key, value);
 return TRUE;
 }
- if (strcmp(key, "ssl_key_file") == 0 ||
- strcmp(key, "ssl_ca_file") == 0) {
+ if (strcmp(key, "ssl_ca_file") == 0) {
 if (*value == '\0')
 return TRUE;
 p = t_strdup_until(key, strrchr(key, '_'));
diff --git a/src/lib-ldap/ldap-connection.c b/src/lib-ldap/ldap-connection.c
index a4b81b3ca1..e8af0d5144 100644
--- a/src/lib-ldap/ldap-connection.c
+++ b/src/lib-ldap/ldap-connection.c
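Review bot: The legacy name `ssl_key` is not mapped to the new `ssl_key_file` anywhere in this hunk, so it is not visible here what an old config that still sets `ssl_key` gets: a parse error, a rewrite, or a silently unset server key. The removed branch only handled the opposite direction (`ssl_key_file` to `ssl_key`), and the surviving `ssl_ca_file` branch keeps that direction. If the conversion of the old name lives elsewhere in old-set-parser.c, a one-line comment at the removed spot would save the next reader the search, e.g. `/* ssl_key_file is now the canonical name; the old ssl_key is handled in <location> */`; if it does not, an explicit error for `ssl_key` is preferable to ignoring it. old_settings_handle_root starts and ends outside the hunk.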
@@ -78,8 +78,8 @@ int ldap_connection_setup(struct ldap_connection *conn, const char **error_r)
 #ifdef LDAP_OPT_X_TLS_CERT
 if (conn->ssl_set.cert.cert.content != NULL)
 ldap_set_option(conn->conn, LDAP_OPT_X_TLS_CERT, conn->ssl_set.cert.cert.content);
- if (conn->ssl_set.cert.key != NULL)
- ldap_set_option(conn->conn, LDAP_OPT_X_TLS_KEYFILE, conn->ssl_set.cert.key);
+ if (conn->ssl_set.cert.key.content != NULL)
+ ldap_set_option(conn->conn, LDAP_OPT_X_TLS_KEYFILE, conn->ssl_set.cert.key.content);
 #endif
 if (conn->ssl_set.cipher_list != NULL) {
 /* NOTE: OpenLDAP's CIPHER_SUITE is actually using OpenSSL's
@@ -140,7 +140,8 @@ bool ldap_connection_have_settings(struct ldap_connection *conn,
 if (null_strcmp(conn->ssl_set.cert.cert.content,
 set->ssl_set->cert.cert.content) != 0)
 return FALSE;
- if (null_strcmp(conn->ssl_set.cert.key, set->ssl_set->cert.key) != 0)
+ if (null_strcmp(conn->ssl_set.cert.key.content,
+ set->ssl_set->cert.key.content) != 0)
 return FALSE;
 return TRUE;
 }
@@ -189,7 +190,10 @@ int ldap_connection_init(struct ldap_client *client,
 p_strdup(pool, set->ssl_set->cert.cert.path);
 conn->ssl_set.cert.cert.content =
 p_strdup(pool, set->ssl_set->cert.cert.content);
- conn->ssl_set.cert.key = p_strdup(pool, set->ssl_set->cert.key);
+ conn->ssl_set.cert.key.path =
+ p_strdup(pool, set->ssl_set->cert.key.path);
+ conn->ssl_set.cert.key.content =
+ p_strdup(pool, set->ssl_set->cert.key.content);
 }
 i_assert(ldap_connection_have_settings(conn, set));
diff --git a/src/lib-smtp/test-smtp-payload.c b/src/lib-smtp/test-smtp-payload.c
index 3a1d489f9e..5be78567a0 100644
--- a/src/lib-smtp/test-smtp-payload.c
+++ b/src/lib-smtp/test-smtp-payload.c
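Review bot: The new line passes the key's contents (`conn->ssl_set.cert.key.content`) to `LDAP_OPT_X_TLS_KEYFILE`, while the option name, and the fact that this commit now carries `key.path` (copied in the @189 hunk but never read here), suggest it expects a file path; if so, OpenLDAP would try to open the PEM text as a filename and the client key would never load. The pre-existing `LDAP_OPT_X_TLS_CERT` line above uses `.content` too, so this may be a deliberate pattern, but it is worth confirming against the OpenLDAP headers; if a path is required the call should become `ldap_set_option(conn->conn, LDAP_OPT_X_TLS_KEYFILE, conn->ssl_set.cert.key.path);` guarded by `if (conn->ssl_set.cert.key.path != NULL)`. Both calls also discard the return value of `ldap_set_option`, so a failure to install the key is silent; reporting it through the `error_r` the function already takes would match its error contract. ldap_connection_setup starts and ends outside the hunk.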
@@ -938,7 +938,8 @@ test_run_client_server(
 "ssl_ca", server_set->ssl->ca,
 "ssl_cert_file", settings_file_get_value(unsafe_data_stack_pool,
 &server_set->ssl->cert.cert),
- "ssl_key", server_set->ssl->cert.key,
+ "ssl_key_file", settings_file_get_value(unsafe_data_stack_pool,
+ &server_set->ssl->cert.key),
 NULL,
 };
 struct settings_simple test_set;
diff --git a/src/lib-ssl-iostream/iostream-openssl-common.c b/src/lib-ssl-iostream/iostream-openssl-common.c
index 98474af8c3..59cc10ba46 100644
--- a/src/lib-ssl-iostream/iostream-openssl-common.c
+++ b/src/lib-ssl-iostream/iostream-openssl-common.c
@@ -184,7 +184,7 @@ const char *openssl_iostream_use_certificate_error(const char *cert)
 return openssl_iostream_error();
 else if (is_pem_key(cert)) {
 return "The file contains a private key "
- "(you've mixed ssl_cert_file and ssl_key settings)";
+ "(you've mixed ssl_cert_file and ssl_key_file settings)";
 } else {
 return "There is no valid PEM certificate.";
 }
diff --git a/src/lib-ssl-iostream/iostream-openssl-context.c b/src/lib-ssl-iostream/iostream-openssl-context.c
index 4ffac088f5..d9ddbf8b45 100644
--- a/src/lib-ssl-iostream/iostream-openssl-context.c
+++ b/src/lib-ssl-iostream/iostream-openssl-context.c
@@ -66,7 +66,7 @@ int openssl_iostream_load_key(const struct ssl_iostream_cert *set,
 EVP_PKEY *pkey;
 BIO *bio;
- bio = BIO_new_mem_buf(set->key, strlen(set->key));
+ bio = BIO_new_mem_buf(set->key.content, strlen(set->key.content));
 if (bio == NULL) {
 *error_r = t_strdup_printf("BIO_new_mem_buf() failed: %s",
 openssl_iostream_error());
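Review bot: The rewritten `BIO_new_mem_buf` line in openssl_iostream_load_key dereferences `set->key.content` with no NULL check, and the function is non-static while its only guard (`key.content != NULL && key.content[0] != '\0'`) sits in the caller `ssl_iostream_context_set`; a caller that hands over a zeroed `struct settings_file` (the state test-iostream-ssl.c now produces with `i_zero`) would reach `strlen(NULL)` unless it repeats that guard. An `i_assert(set->key.content != NULL);` before the call, or a stated precondition in the function's header comment, would make the contract explicit. The removed line had the same exposure with the bare pointer, so this is pre-existing, but the struct form makes the empty state easier to construct. The function body continues outside the hunk.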
@@ -603,8 +603,9 @@ ssl_iostream_context_set(struct ssl_iostream_context *ctx,
 openssl_iostream_use_certificate_error(set->cert.cert.content));
 return -1;
 }
- if (set->cert.key != NULL && set->cert.key[0] != '\0') {
- if (ssl_iostream_ctx_use_key(ctx, "ssl_key", &set->cert, error_r) < 0)
+ if (set->cert.key.content != NULL && set->cert.key.content[0] != '\0') {
+ if (ssl_iostream_ctx_use_key(ctx, "ssl_key_file",
+ &set->cert, error_r) < 0)
 return -1;
 }
 if (set->alt_cert.cert.content != NULL &&
@@ -616,8 +617,10 @@ ssl_iostream_context_set(struct ssl_iostream_context *ctx,
 openssl_iostream_use_certificate_error(set->alt_cert.cert.content));
 return -1;
 }
- if (set->alt_cert.key != NULL && set->alt_cert.key[0] != '\0') {
- if (ssl_iostream_ctx_use_key(ctx, "ssl_alt_key", &set->alt_cert, error_r) < 0)
+ if (set->alt_cert.key.content != NULL &&
+ set->alt_cert.key.content[0] != '\0') {
+ if (ssl_iostream_ctx_use_key(ctx, "ssl_alt_key_file",
+ &set->alt_cert, error_r) < 0)
 return -1;
 }
diff --git a/src/lib-ssl-iostream/iostream-ssl-test.c b/src/lib-ssl-iostream/iostream-ssl-test.c
index 2e697be194..8da10c75bc 100644
--- a/src/lib-ssl-iostream/iostream-ssl-test.c
+++ b/src/lib-ssl-iostream/iostream-ssl-test.c
@@ -157,7 +157,7 @@ void ssl_iostream_test_settings_server(struct ssl_iostream_settings *test_set)
 test_set->pool = null_pool;
 test_set->ca = test_ca_cert;
 test_set->cert.cert.content = test_server_cert;
- test_set->cert.key = test_server_key;
+ test_set->cert.key.content = test_server_key;
 test_set->dh = test_server_dh;
 test_set->skip_crl_check = TRUE;
 }
diff --git a/src/lib-ssl-iostream/iostream-ssl.c b/src/lib-ssl-iostream/iostream-ssl.c
index 0ad9facf59..3a6de2d7fb 100644
--- a/src/lib-ssl-iostream/iostream-ssl.c
+++ b/src/lib-ssl-iostream/iostream-ssl.c
@@ -348,13 +348,14 @@ bool ssl_iostream_settings_equals(const struct ssl_iostream_settings *set1,
 return TRUE;
 if (!quick_strcmp(set1->cert.cert.content, set2->cert.cert.content) ||
- !quick_strcmp(set1->cert.key, set2->cert.key) ||
+ !quick_strcmp(set1->cert.key.content, set2->cert.key.content) ||
 !quick_strcmp(set1->cert.key_password, set2->cert.key_password))
 return FALSE;
 if (!quick_strcmp(set1->alt_cert.cert.content,
 set2->alt_cert.cert.content) ||
- !quick_strcmp(set1->alt_cert.key, set2->alt_cert.key) ||
+ !quick_strcmp(set1->alt_cert.key.content,
+ set2->alt_cert.key.content) ||
 !quick_strcmp(set1->alt_cert.key_password,
 set2->alt_cert.key_password))
 return FALSE;
diff --git a/src/lib-ssl-iostream/iostream-ssl.h b/src/lib-ssl-iostream/iostream-ssl.h
index 1e7115e13f..1413f54f38 100644
--- a/src/lib-ssl-iostream/iostream-ssl.h
+++ b/src/lib-ssl-iostream/iostream-ssl.h
@@ -20,7 +20,7 @@ enum ssl_iostream_flags {
 struct ssl_iostream_cert {
 struct settings_file cert;
- const char *key;
+ struct settings_file key;
 const char *key_password;
 };
diff --git a/src/lib-ssl-iostream/ssl-settings.c b/src/lib-ssl-iostream/ssl-settings.c
index 9405804f8a..fddb250654 100644
--- a/src/lib-ssl-iostream/ssl-settings.c
+++ b/src/lib-ssl-iostream/ssl-settings.c
@@ -67,9 +67,9 @@ static const struct setting_define ssl_server_setting_defines[] = {
 DEF(ENUM, ssl),
 DEF(STR, ssl_ca),
 DEF(FILE, ssl_cert_file),
- DEF(STR, ssl_key),
+ DEF(FILE, ssl_key_file),
 DEF(FILE, ssl_alt_cert_file),
- DEF(STR, ssl_alt_key),
+ DEF(FILE, ssl_alt_key_file),
 DEF(STR, ssl_key_password),
 DEF(STR, ssl_dh),
 DEF(STR, ssl_cert_username_field),
@@ -85,9 +85,9 @@ static const struct ssl_server_settings ssl_server_default_settings = {
 .ssl = "yes:no:required",
 .ssl_ca = "",
 .ssl_cert_file = "",
- .ssl_key = "",
+ .ssl_key_file = "",
 .ssl_alt_cert_file = "",
- .ssl_alt_key = "",
+ .ssl_alt_key_file = "",
 .ssl_key_password = "",
 .ssl_dh = "",
 .ssl_cert_username_field = "commonName",
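Review bot: ssl_iostream_settings_equals now compares `cert.key.content` and `alt_cert.key.content` but not the `key.path` members that the new `struct settings_file key` brings with it, so two settings whose key files differ only in path compare equal; that is presumably intended, since the loaded context depends only on the bytes handed to `BIO_new_mem_buf` in iostream-openssl-context.c, but nothing in the function says so, and the pre-existing lines skip `cert.cert.path` the same way. A short comment above the first `if` would pin the contract down, e.g. `/* .path members are deliberately not compared: only the contents affect the resulting SSL context */`. The function starts and ends outside the hunk.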
@@ -194,7 +194,7 @@ void ssl_client_settings_to_iostream_set(
 set->ca_file = ssl_set->ssl_client_ca_file;
 set->ca_dir = ssl_set->ssl_client_ca_dir;
 set->cert.cert.content = ssl_set->ssl_client_cert;
- set->cert.key = ssl_set->ssl_client_key;
+ set->cert.key.content = ssl_set->ssl_client_key;
 set->verify_remote_cert = ssl_set->ssl_client_require_valid_cert;
 set->allow_invalid_cert = !set->verify_remote_cert;
 /* client-side CRL checking not supported currently */
@@ -214,13 +214,15 @@ void ssl_server_settings_to_iostream_set(
 set->ca = ssl_server_set->ssl_ca;
 settings_file_get(ssl_server_set->ssl_cert_file,
 set->pool, &set->cert.cert);
- set->cert.key = ssl_server_set->ssl_key;
+ settings_file_get(ssl_server_set->ssl_key_file,
+ set->pool, &set->cert.key);
 set->cert.key_password = ssl_server_set->ssl_key_password;
 if (ssl_server_set->ssl_alt_cert_file != NULL &&
 *ssl_server_set->ssl_alt_cert_file != '\0') {
 settings_file_get(ssl_server_set->ssl_alt_cert_file,
 set->pool, &set->alt_cert.cert);
- set->alt_cert.key = ssl_server_set->ssl_alt_key;
+ settings_file_get(ssl_server_set->ssl_alt_key_file,
+ set->pool, &set->alt_cert.key);
 set->alt_cert.key_password = ssl_server_set->ssl_key_password;
 }
 set->dh = ssl_server_set->ssl_dh;
diff --git a/src/lib-ssl-iostream/ssl-settings.h b/src/lib-ssl-iostream/ssl-settings.h
index ba08db79ed..072ce9c418 100644
--- a/src/lib-ssl-iostream/ssl-settings.h
+++ b/src/lib-ssl-iostream/ssl-settings.h
@@ -35,8 +35,8 @@ struct ssl_server_settings {
 const char *ssl_ca;
 const char *ssl_cert_file;
 const char *ssl_alt_cert_file;
- const char *ssl_key;
- const char *ssl_alt_key;
+ const char *ssl_key_file;
+ const char *ssl_alt_key_file;
 const char *ssl_key_password;
 const char *ssl_dh;
 const char *ssl_cert_username_field;
diff --git a/src/lib-ssl-iostream/test-iostream-ssl.c b/src/lib-ssl-iostream/test-iostream-ssl.c
index 6265698d20..9ab6088f5c 100644
--- a/src/lib-ssl-iostream/test-iostream-ssl.c
+++ b/src/lib-ssl-iostream/test-iostream-ssl.c
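Review bot: ssl_client_settings_to_iostream_set still copies the inline `ssl_client_key` string into `set->cert.key.content` and never touches `set->cert.key.path`, so the client side is not converted to a FILE setting the way `ssl_key_file` is in the server hunk below, and the commit title's "ssl_[alt_]key" scope does not say whether that is intentional. If it is a follow-up, a comment at the new line would help, e.g. `/* ssl_client_key is still an inline string setting; key.path stays unset */`; whether `set` is zeroed before this point is outside the hunk, so it is also worth confirming `key.path` cannot hold stale data when the struct is later compared or copied. The function starts and ends outside the hunk.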
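Review bot: `settings_file_get(ssl_server_set->ssl_key_file, set->pool, &set->cert.key)` passes `set->pool` to the helper, which, if it behaves like the `ssl_cert_file` call directly above it, duplicates the private key bytes into pool memory; the removed line only aliased the settings string, so this is one more copy of key material living for the pool's lifetime, and nothing visible here scrubs it on release. That is consistent with how the certificate is handled and may be acceptable, but it deserves a comment at the call site, e.g. `/* NOTE: the key PEM is copied into set->pool and is not wiped when the pool is freed */`, or a follow-up that keeps key material out of general-purpose pools. The same applies to the `ssl_alt_key_file` call further down the hunk. ssl_server_settings_to_iostream_set starts and ends outside the hunk.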
@@ -336,7 +336,7 @@ static void test_iostream_ssl_handshake(void)
 /* missing server credentials */
 ssl_iostream_test_settings_server(&server_set);
- server_set.cert.key = NULL;
+ i_zero(&server_set.cert.key);
 ssl_iostream_test_settings_client(&client_set);
 client_set.verify_remote_cert = TRUE;
 test_expect_error_string("client(failhost): SSL certificate not received");