lib-http: use ssl_iostream_settings in http_client_settings

dovecot · May 7, 2016 · c275cef · c275cef
1 parent 173d1d7
commit c275cef
Show file tree

Hide file tree

Showing 4 changed files with 17 additions and 33 deletions.
diff --git a/src/lib-http/http-client-connection.c b/src/lib-http/http-client-connection.c
@@ -1090,7 +1090,7 @@ http_client_connection_ssl_handshaked(const char **error_r, void *context)
 
 	if (ssl_iostream_check_cert_validity(conn->ssl_iostream, host, &error) == 0)
 		http_client_connection_debug(conn, "SSL handshake successful");
-	else if (conn->client->set.ssl_allow_invalid_cert) {
+	else if (!conn->client->set.ssl->require_valid_cert) {
 		http_client_connection_debug(conn, "SSL handshake successful, "
 			"ignoring invalid certificate: %s", error);
 	} else {
@@ -1110,7 +1110,7 @@ http_client_connection_ssl_init(struct http_client_connection *conn,
 	i_assert(conn->client->ssl_ctx != NULL);
 
 	memset(&ssl_set, 0, sizeof(ssl_set));
-	if (!conn->client->set.ssl_allow_invalid_cert) {
+	if (conn->client->set.ssl->require_valid_cert) {
 		ssl_set.verbose_invalid_cert = TRUE;
 		ssl_set.verify_remote_cert = TRUE;
 		ssl_set.require_valid_cert = TRUE;

diff --git a/src/lib-http/http-client.c b/src/lib-http/http-client.c
@@ -92,19 +92,14 @@ struct http_client *http_client_init(const struct http_client_settings *set)
 	pool = pool_alloconly_create("http client", 1024);
 	client = p_new(pool, struct http_client, 1);
 	client->pool = pool;
+
 	client->set.dns_client = set->dns_client;
 	client->set.dns_client_socket_path =
 		p_strdup_empty(pool, set->dns_client_socket_path);
 	client->set.user_agent = p_strdup_empty(pool, set->user_agent);
 	client->set.rawlog_dir = p_strdup_empty(pool, set->rawlog_dir);
-	client->set.ssl_ca_dir = p_strdup(pool, set->ssl_ca_dir);
-	client->set.ssl_ca_file = p_strdup(pool, set->ssl_ca_file);
-	client->set.ssl_ca = p_strdup(pool, set->ssl_ca);
-	client->set.ssl_crypto_device = p_strdup(pool, set->ssl_crypto_device);
-	client->set.ssl_allow_invalid_cert = set->ssl_allow_invalid_cert;
-	client->set.ssl_cert = p_strdup(pool, set->ssl_cert);
-	client->set.ssl_key = p_strdup(pool, set->ssl_key);
-	client->set.ssl_key_password = p_strdup(pool, set->ssl_key_password);
+
+	client->set.ssl = ssl_iostream_settings_dup(client->pool, set->ssl);
 
 	if (set->proxy_socket_path != NULL && *set->proxy_socket_path != '\0') {
 		client->set.proxy_socket_path = p_strdup(pool, set->proxy_socket_path);
@@ -278,25 +273,12 @@ unsigned int http_client_get_pending_request_count(struct http_client *client)
 
 int http_client_init_ssl_ctx(struct http_client *client, const char **error_r)
 {
-	struct ssl_iostream_settings ssl_set;
 	const char *error;
 
 	if (client->ssl_ctx != NULL)
 		return 0;
 
-	memset(&ssl_set, 0, sizeof(ssl_set));
-	ssl_set.ca_dir = client->set.ssl_ca_dir;
-	ssl_set.ca_file = client->set.ssl_ca_file;
-	ssl_set.ca = client->set.ssl_ca;
-	ssl_set.verify_remote_cert = TRUE;
-	ssl_set.crypto_device = client->set.ssl_crypto_device;
-	ssl_set.cert = client->set.ssl_cert;
-	ssl_set.key = client->set.ssl_key;
-	ssl_set.key_password = client->set.ssl_key_password;
-	ssl_set.verbose = client->set.debug;
-	ssl_set.verbose_invalid_cert = client->set.debug;
-
-	if (ssl_iostream_context_init_client(&ssl_set, &client->ssl_ctx, &error) < 0) {
+	if (ssl_iostream_context_init_client(client->set.ssl, &client->ssl_ctx, &error) < 0) {
 		*error_r = t_strdup_printf("Couldn't initialize SSL context: %s",
 					   error);
 		return -1;

diff --git a/src/lib-http/http-client.h b/src/lib-http/http-client.h
@@ -11,6 +11,8 @@ struct http_response;
 struct http_client;
 struct http_client_request;
 
+struct ssl_iostream_settings;
+
 /*
  * Client settings
  */
@@ -23,12 +25,7 @@ struct http_client_settings {
 	struct dns_client *dns_client;
 	const char *dns_client_socket_path;
 
-	/* ssl configuration */
-	const char *ssl_ca_dir, *ssl_ca_file, *ssl_ca;
-	const char *ssl_crypto_device;
-	bool ssl_allow_invalid_cert;
-	/* user cert */
-	const char *ssl_cert, *ssl_key, *ssl_key_password;
+	const struct ssl_iostream_settings *ssl;
 
 	/* User-Agent: header (default: none) */
 	const char *user_agent;

diff --git a/src/lib-http/test-http-client.c b/src/lib-http/test-http-client.c
@@ -8,6 +8,7 @@
 #include "http-url.h"
 #include "http-client.h"
 #include "dns-lookup.h"
+#include "iostream-ssl.h"
 
 struct http_test_request {
 	struct io *io;
@@ -335,6 +336,7 @@ int main(int argc, char *argv[])
 	struct dns_lookup_settings dns_set;
 	struct http_client_settings http_set;
 	struct http_client *http_client;
+	struct ssl_iostream_settings ssl_set;
 	const char *error;
 	struct ioloop *ioloop;
 
@@ -356,11 +358,14 @@ int main(int argc, char *argv[])
 	if (dns_client_connect(dns_client, &error) < 0)
 		i_fatal("Couldn't initialize DNS client: %s", error);
 
+	memset(&ssl_set, 0, sizeof(ssl_set));
+	ssl_set.require_valid_cert = FALSE;
+	ssl_set.ca_dir = "/etc/ssl/certs"; /* debian */
+	ssl_set.ca_file = "/etc/pki/tls/cert.pem"; /* redhat */
+
 	memset(&http_set, 0, sizeof(http_set));
+	http_set.ssl = &ssl_set;
 	http_set.dns_client = dns_client;
-	http_set.ssl_allow_invalid_cert = TRUE;
-	http_set.ssl_ca_dir = "/etc/ssl/certs"; /* debian */
-	http_set.ssl_ca_file = "/etc/pki/tls/cert.pem"; /* redhat */
 	http_set.max_idle_time_msecs = 5*1000;
 	http_set.max_parallel_connections = 4;
 	http_set.max_pipelined_requests = 4;