global: Splice cert into separate struct from iostream_ssl_settings

dovecot · Oct 31, 2017 · 9f7ba38 · 9f7ba38
1 parent c75fd96
commit 9f7ba38
Show file tree

Hide file tree

Showing 8 changed files with 39 additions and 35 deletions.
diff --git a/src/auth/db-oauth2.c b/src/auth/db-oauth2.c
@@ -189,8 +189,8 @@ struct db_oauth2 *db_oauth2_init(const char *config_path)
 	ssl_set.ca_file = db->set.tls_ca_cert_file;
 	ssl_set.ca_dir = db->set.tls_ca_cert_dir;
 	if (db->set.tls_cert_file != NULL && *db->set.tls_cert_file != '\0') {
-		ssl_set.cert = db->set.tls_cert_file;
-		ssl_set.key = db->set.tls_key_file;
+		ssl_set.cert.cert = db->set.tls_cert_file;
+		ssl_set.cert.key = db->set.tls_key_file;
 	}
 	ssl_set.prefer_server_ciphers = TRUE;
 	ssl_set.allow_invalid_cert = db->set.tls_allow_invalid_cert;

diff --git a/src/lib-ldap/ldap-connection.c b/src/lib-ldap/ldap-connection.c
@@ -74,10 +74,10 @@ int ldap_connection_setup(struct ldap_connection *conn, const char **error_r)
 	if (conn->ssl_set.ca_dir != NULL)
 		ldap_set_option(conn->conn, LDAP_OPT_X_TLS_CACERTDIR, conn->ssl_set.ca_dir);
 
-	if (conn->ssl_set.cert != NULL)
-		ldap_set_option(conn->conn, LDAP_OPT_X_TLS_CERTFILE, conn->ssl_set.cert);
-	if (conn->ssl_set.key != NULL)
-		ldap_set_option(conn->conn, LDAP_OPT_X_TLS_KEYFILE, conn->ssl_set.key);
+	if (conn->ssl_set.cert.cert != NULL)
+		ldap_set_option(conn->conn, LDAP_OPT_X_TLS_CERTFILE, conn->ssl_set.cert.cert);
+	if (conn->ssl_set.cert.key != NULL)
+		ldap_set_option(conn->conn, LDAP_OPT_X_TLS_KEYFILE, conn->ssl_set.cert.key);
 
 	opt = conn->set.debug;
 	ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, &opt);
@@ -123,9 +123,9 @@ bool ldap_connection_have_settings(struct ldap_connection *conn,
 		return FALSE;
 	if (null_strcmp(conn->ssl_set.ca_file, set->ssl_set->ca_file) != 0)
 		return FALSE;
-	if (null_strcmp(conn->ssl_set.cert, set->ssl_set->cert) != 0)
+	if (null_strcmp(conn->ssl_set.cert.cert, set->ssl_set->cert.cert) != 0)
 		return FALSE;
-	if (null_strcmp(conn->ssl_set.key, set->ssl_set->key) != 0)
+	if (null_strcmp(conn->ssl_set.cert.key, set->ssl_set->cert.key) != 0)
 		return FALSE;
 	return TRUE;
 }
@@ -159,7 +159,7 @@ int ldap_connection_init(struct ldap_client *client,
 	}
 	/* cannot use these */
 	conn->ssl_set.ca = NULL;
-	conn->ssl_set.key_password = NULL;
+	conn->ssl_set.cert.key_password = NULL;
 	conn->ssl_set.cert_username_field = NULL;
 	conn->ssl_set.crypto_device = NULL;
 
@@ -169,8 +169,8 @@ int ldap_connection_init(struct ldap_client *client,
 		conn->ssl_set.protocols = p_strdup(pool, set->ssl_set->protocols);
 		conn->ssl_set.cipher_list = p_strdup(pool, set->ssl_set->cipher_list);
 		conn->ssl_set.ca_file = p_strdup(pool, set->ssl_set->ca_file);
-		conn->ssl_set.cert = p_strdup(pool, set->ssl_set->cert);
-		conn->ssl_set.key = p_strdup(pool, set->ssl_set->key);
+		conn->ssl_set.cert.cert = p_strdup(pool, set->ssl_set->cert.cert);
+		conn->ssl_set.cert.key = p_strdup(pool, set->ssl_set->cert.key);
 	}
 	i_assert(ldap_connection_have_settings(conn, set));
 

diff --git a/src/lib-master/master-service-ssl.c b/src/lib-master/master-service-ssl.c
@@ -65,10 +65,10 @@ void master_service_ssl_ctx_init(struct master_service *service)
 	ssl_set.cipher_list = set->ssl_cipher_list;
 	ssl_set.curve_list = set->ssl_curve_list;
 	ssl_set.ca = set->ssl_ca;
-	ssl_set.cert = set->ssl_cert;
-	ssl_set.key = set->ssl_key;
+	ssl_set.cert.cert = set->ssl_cert;
+	ssl_set.cert.key = set->ssl_key;
 	ssl_set.dh = set->ssl_dh;
-	ssl_set.key_password = set->ssl_key_password;
+	ssl_set.cert.key_password = set->ssl_key_password;
 	ssl_set.cert_username_field = set->ssl_cert_username_field;
 	ssl_set.crypto_device = set->ssl_crypto_device;
 

diff --git a/src/lib-ssl-iostream/iostream-openssl-context.c b/src/lib-ssl-iostream/iostream-openssl-context.c
@@ -82,7 +82,7 @@ pem_password_callback(char *buf, int size, int rwflag ATTR_UNUSED,
 	return strlen(buf);
 }
 
-int openssl_iostream_load_key(const struct ssl_iostream_settings *set,
+int openssl_iostream_load_key(const struct ssl_iostream_cert *set,
 			      EVP_PKEY **pkey_r, const char **error_r)
 {
 	struct ssl_iostream_password_context ctx;
@@ -146,7 +146,7 @@ int openssl_iostream_load_dh(const struct ssl_iostream_settings *set,
 
 static int
 ssl_iostream_ctx_use_key(struct ssl_iostream_context *ctx,
-			 const struct ssl_iostream_settings *set,
+			 const struct ssl_iostream_cert *set,
 			 const char **error_r)
 {
 	EVP_PKEY *pkey;
@@ -380,14 +380,14 @@ ssl_iostream_context_set(struct ssl_iostream_context *ctx,
 			    openssl_get_protocol_options(ctx->set->protocols));
 	}
 
-	if (set->cert != NULL &&
-	    ssl_ctx_use_certificate_chain(ctx->ssl_ctx, set->cert) == 0) {
+	if (set->cert.cert != NULL &&
+	    ssl_ctx_use_certificate_chain(ctx->ssl_ctx, set->cert.cert) == 0) {
 		*error_r = t_strdup_printf("Can't load SSL certificate: %s",
-			openssl_iostream_use_certificate_error(set->cert, NULL));
+			openssl_iostream_use_certificate_error(set->cert.cert, NULL));
 		return -1;
 	}
-	if (set->key != NULL) {
-		if (ssl_iostream_ctx_use_key(ctx, set, error_r) < 0)
+	if (set->cert.key != NULL) {
+		if (ssl_iostream_ctx_use_key(ctx, &set->cert, error_r) < 0)
 			return -1;
 	}
 
@@ -433,8 +433,8 @@ ssl_proxy_ctx_get_pkey_ec_curve_name(const struct ssl_iostream_settings *set,
 	EC_KEY *eckey;
 	const EC_GROUP *ecgrp;
 
-	if (set->key != NULL) {
-		if (openssl_iostream_load_key(set, &pkey, error_r) < 0)
+	if (set->cert.key != NULL) {
+		if (openssl_iostream_load_key(&set->cert, &pkey, error_r) < 0)
 			return -1;
 
 		if ((eckey = EVP_PKEY_get1_EC_KEY(pkey)) != NULL &&

diff --git a/src/lib-ssl-iostream/iostream-openssl.c b/src/lib-ssl-iostream/iostream-openssl.c
@@ -85,7 +85,7 @@ openssl_iostream_use_certificate(struct ssl_iostream *ssl_io, const char *cert,
 
 static int
 openssl_iostream_use_key(struct ssl_iostream *ssl_io,
-			 const struct ssl_iostream_settings *set,
+			 const struct ssl_iostream_cert *set,
 			 const char **error_r)
 {
 	EVP_PKEY *pkey;
@@ -181,12 +181,12 @@ openssl_iostream_set(struct ssl_iostream *ssl_io,
 				openssl_get_protocol_options(set->protocols));
 	}
 
-	if (set->cert != NULL && strcmp(ctx_set->cert, set->cert) != 0) {
-		if (openssl_iostream_use_certificate(ssl_io, set->cert, error_r) < 0)
+	if (set->cert.cert != NULL && strcmp(ctx_set->cert.cert, set->cert.cert) != 0) {
+		if (openssl_iostream_use_certificate(ssl_io, set->cert.cert, error_r) < 0)
 			return -1;
 	}
-	if (set->key != NULL && strcmp(ctx_set->key, set->key) != 0) {
-		if (openssl_iostream_use_key(ssl_io, set, error_r) < 0)
+	if (set->cert.key != NULL && strcmp(ctx_set->cert.key, set->cert.key) != 0) {
+		if (openssl_iostream_use_key(ssl_io, &set->cert, error_r) < 0)
 			return -1;
 	}
 	if (set->verify_remote_cert) {

diff --git a/src/lib-ssl-iostream/iostream-openssl.h b/src/lib-ssl-iostream/iostream-openssl.h
@@ -70,7 +70,7 @@ int openssl_iostream_context_init_server(const struct ssl_iostream_settings *set
 void openssl_iostream_context_deinit(struct ssl_iostream_context *ctx);
 void openssl_iostream_global_deinit(void);
 
-int openssl_iostream_load_key(const struct ssl_iostream_settings *set,
+int openssl_iostream_load_key(const struct ssl_iostream_cert *set,
 			      EVP_PKEY **pkey_r, const char **error_r);
 int openssl_cert_match_name(SSL *ssl, const char *verify_name);
 int openssl_get_protocol_options(const char *protocols);

diff --git a/src/lib-ssl-iostream/iostream-ssl.c b/src/lib-ssl-iostream/iostream-ssl.c
@@ -225,9 +225,9 @@ ssl_iostream_settings_dup(pool_t pool,
 	new_set->ca = p_strdup(pool, old_set->ca);
 	new_set->ca_file = p_strdup(pool, old_set->ca_file);
 	new_set->ca_dir = p_strdup(pool, old_set->ca_dir);
-	new_set->cert = p_strdup(pool, old_set->cert);
-	new_set->key = p_strdup(pool, old_set->key);
-	new_set->key_password = p_strdup(pool, old_set->key_password);
+	new_set->cert.cert = p_strdup(pool, old_set->cert.cert);
+	new_set->cert.key = p_strdup(pool, old_set->cert.key);
+	new_set->cert.key_password = p_strdup(pool, old_set->cert.key_password);
 	new_set->cert_username_field = p_strdup(pool, old_set->cert_username_field);
 	new_set->crypto_device = p_strdup(pool, old_set->crypto_device);
 

diff --git a/src/lib-ssl-iostream/iostream-ssl.h b/src/lib-ssl-iostream/iostream-ssl.h
@@ -4,14 +4,18 @@
 struct ssl_iostream;
 struct ssl_iostream_context;
 
+struct ssl_iostream_cert {
+	const char *cert;
+	const char *key;
+	const char *key_password;
+};
+
 struct ssl_iostream_settings {
 	const char *protocols;
 	const char *cipher_list;
 	const char *curve_list;
 	const char *ca, *ca_file, *ca_dir; /* context-only */
-	const char *cert;
-	const char *key;
-	const char *key_password;
+	struct ssl_iostream_cert cert; /* both */
 	const char *dh;
 	const char *cert_username_field;
 	const char *crypto_device; /* context-only */