From c275cef636c79e1d08b3a82462c4abdca6f8cef3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Martti=20Rannanj=C3=A4rvi?=
Date: Tue, 26 Apr 2016 10:39:21 +0300
Subject: [PATCH] lib-http: use ssl_iostream_settings in http_client_settings

---
 src/lib-http/http-client-connection.c | 4 ++--
 src/lib-http/http-client.c | 26 ++++----------------------
 src/lib-http/http-client.h | 9 +++------
 src/lib-http/test-http-client.c | 11 ++++++++---
 4 files changed, 17 insertions(+), 33 deletions(-)

diff --git a/src/lib-http/http-client-connection.c b/src/lib-http/http-client-connection.c
index f725e5452b..235d4e1432 100644
--- a/src/lib-http/http-client-connection.c
+++ b/src/lib-http/http-client-connection.c
@@ -1090,7 +1090,7 @@ http_client_connection_ssl_handshaked(const char **error_r, void *context)
if (ssl_iostream_check_cert_validity(conn->ssl_iostream, host, &error) == 0)
http_client_connection_debug(conn, "SSL handshake successful");
- else if (conn->client->set.ssl_allow_invalid_cert) {
+ else if (!conn->client->set.ssl->require_valid_cert) {
http_client_connection_debug(conn, "SSL handshake successful, "
"ignoring invalid certificate: %s", error);
} else {
@@ -1110,7 +1110,7 @@ http_client_connection_ssl_init(struct http_client_connection *conn,
i_assert(conn->client->ssl_ctx != NULL);
memset(&ssl_set, 0, sizeof(ssl_set));
- if (!conn->client->set.ssl_allow_invalid_cert) {
+ if (conn->client->set.ssl->require_valid_cert) {
ssl_set.verbose_invalid_cert = TRUE;
ssl_set.verify_remote_cert = TRUE;
ssl_set.require_valid_cert = TRUE;
diff --git a/src/lib-http/http-client.c b/src/lib-http/http-client.c
index 4ed3345263..d2d0a648d9 100644
--- a/src/lib-http/http-client.c
+++ b/src/lib-http/http-client.c
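Review bot: The zero value of the new setting turns the default from fail-closed into fail-open: in the first hunk, a caller whose `ssl_iostream_settings` was only zeroed now takes the `else if (!conn->client->set.ssl->require_valid_cert)` branch and accepts an invalid certificate with nothing but a debug message, whereas the old `ssl_allow_invalid_cert` was FALSE in a zeroed `http_client_settings` and the connection failed. The second hunk (`http_client_connection_ssl_init`) carries the same inversion, so for such a caller the per-connection `ssl_set` is also left without `verify_remote_cert` and `require_valid_cert`. Certificate validation is now opt-in for every caller; at minimum the branch deserves a comment such as `/* require_valid_cert is opt-in: a zeroed settings struct accepts any certificate */`, and it is worth considering whether `http_client_init()` should refuse a settings struct that leaves it unset. Both functions begin before and end after their hunks.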
@@ -92,19 +92,14 @@ struct http_client *http_client_init(const struct http_client_settings *set)
pool = pool_alloconly_create("http client", 1024);
client = p_new(pool, struct http_client, 1);
client->pool = pool;
+ client->set.dns_client = set->dns_client;
client->set.dns_client_socket_path = p_strdup_empty(pool, set->dns_client_socket_path);
client->set.user_agent = p_strdup_empty(pool, set->user_agent);
client->set.rawlog_dir = p_strdup_empty(pool, set->rawlog_dir);
- client->set.ssl_ca_dir = p_strdup(pool, set->ssl_ca_dir);
- client->set.ssl_ca_file = p_strdup(pool, set->ssl_ca_file);
- client->set.ssl_ca = p_strdup(pool, set->ssl_ca);
- client->set.ssl_crypto_device = p_strdup(pool, set->ssl_crypto_device);
- client->set.ssl_allow_invalid_cert = set->ssl_allow_invalid_cert;
- client->set.ssl_cert = p_strdup(pool, set->ssl_cert);
- client->set.ssl_key = p_strdup(pool, set->ssl_key);
- client->set.ssl_key_password = p_strdup(pool, set->ssl_key_password);
+
+ client->set.ssl = ssl_iostream_settings_dup(client->pool, set->ssl);
if (set->proxy_socket_path != NULL && *set->proxy_socket_path != '\0') {
client->set.proxy_socket_path = p_strdup(pool, set->proxy_socket_path);
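Review bot: `client->set.ssl = ssl_iostream_settings_dup(client->pool, set->ssl);` runs unconditionally, and nothing on this page shows that the helper accepts a NULL source; a plain-HTTP caller that leaves `set->ssl` NULL, which was fine before because the removed fields were copied with `p_strdup()`, would now either fail inside the helper or end up with `client->set.ssl == NULL`, which `http_client_init_ssl_ctx()` hands to `ssl_iostream_context_init_client()` and which the connection code dereferences as `conn->client->set.ssl->require_valid_cert`. If the helper does not tolerate NULL, guard the copy with `client->set.ssl = set->ssl == NULL ? NULL : ssl_iostream_settings_dup(pool, set->ssl);` and make `http_client_init_ssl_ctx()` return an error when `client->set.ssl` is NULL instead of dereferencing it. The surrounding lines use `pool`, which is the same pool as `client->pool` here, so using it in the new line too would be consistent. http_client_init continues outside the hunk.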
@@ -278,25 +273,12 @@ unsigned int http_client_get_pending_request_count(struct http_client *client)
int http_client_init_ssl_ctx(struct http_client *client, const char **error_r)
{
- struct ssl_iostream_settings ssl_set;
const char *error;
if (client->ssl_ctx != NULL)
return 0;
- memset(&ssl_set, 0, sizeof(ssl_set));
- ssl_set.ca_dir = client->set.ssl_ca_dir;
- ssl_set.ca_file = client->set.ssl_ca_file;
- ssl_set.ca = client->set.ssl_ca;
- ssl_set.verify_remote_cert = TRUE;
- ssl_set.crypto_device = client->set.ssl_crypto_device;
- ssl_set.cert = client->set.ssl_cert;
- ssl_set.key = client->set.ssl_key;
- ssl_set.key_password = client->set.ssl_key_password;
- ssl_set.verbose = client->set.debug;
- ssl_set.verbose_invalid_cert = client->set.debug;
-
- if (ssl_iostream_context_init_client(&ssl_set, &client->ssl_ctx, &error) < 0) {
+ if (ssl_iostream_context_init_client(client->set.ssl, &client->ssl_ctx, &error) < 0) {
*error_r = t_strdup_printf("Couldn't initialize SSL context: %s", error);
return -1;
diff --git a/src/lib-http/http-client.h b/src/lib-http/http-client.h
index 8ce56da511..4a58d83816 100644
--- a/src/lib-http/http-client.h
+++ b/src/lib-http/http-client.h
@@ -11,6 +11,8 @@ struct http_response;
struct http_client;
struct http_client_request;
+struct ssl_iostream_settings;
+
/*
* Client settings
*/
@@ -23,12 +25,7 @@ struct http_client_settings {
struct dns_client *dns_client;
const char *dns_client_socket_path;
- /* ssl configuration */
- const char *ssl_ca_dir, *ssl_ca_file, *ssl_ca;
- const char *ssl_crypto_device;
- bool ssl_allow_invalid_cert;
- /* user cert */
- const char *ssl_cert, *ssl_key, *ssl_key_password;
+ const struct ssl_iostream_settings *ssl;
/* User-Agent: header (default: none) */
const char *user_agent;
diff --git a/src/lib-http/test-http-client.c b/src/lib-http/test-http-client.c
index 883cf52ddb..2424b0c3f0 100644
--- a/src/lib-http/test-http-client.c
+++ b/src/lib-http/test-http-client.c
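Review bot: The rewritten call drops three values the old code set regardless of the caller: `verify_remote_cert = TRUE`, and `verbose` plus `verbose_invalid_cert` taken from `client->set.debug`. Because `client->set.ssl` is now passed through untouched, context-level remote-certificate verification is whatever the caller put in its struct, and a zeroed struct means none, which is a silent policy regression for existing callers and also detaches SSL verbosity from the client's debug flag. Since the client already owns a private copy of the settings, the safest shape is to start from that copy, re-apply the old invariants on a local, and hand the local to the context constructor, as sketched below. `http_client_init_ssl_ctx()` ends after the hunk.
```c
int http_client_init_ssl_ctx(struct http_client *client, const char **error_r)
{
	struct ssl_iostream_settings ssl_set;
	/* … unchanged: error declaration and early return when ssl_ctx exists … */

	/* Start from the caller's settings but keep the guarantees the
	   previous code enforced: the remote certificate is always
	   verified, and debug mode turns on SSL verbosity. */
	memset(&ssl_set, 0, sizeof(ssl_set));
	if (client->set.ssl != NULL)
		ssl_set = *client->set.ssl;
	ssl_set.verify_remote_cert = TRUE;
	if (client->set.debug) {
		ssl_set.verbose = TRUE;
		ssl_set.verbose_invalid_cert = TRUE;
	}
	if (ssl_iostream_context_init_client(&ssl_set, &client->ssl_ctx, &error) < 0) {
	/* … unchanged: error reporting … */
```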
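Review bot: The new `ssl` member replaces a commented group of fields with an undocumented pointer, and the two things a caller has to know are not stated: ownership, since `http_client_init()` duplicates the pointed-to struct (the `ssl_iostream_settings_dup()` call in http-client.c) so the caller's copy need not outlive the call, and defaults, since a zeroed struct leaves `require_valid_cert` FALSE, which the connection code treats as "accept an invalid certificate". Suggested comment above the field: `/* SSL settings; copied by http_client_init(). Set require_valid_cert explicitly: a zeroed struct accepts any certificate. */`. Whether NULL is acceptable for clients that never use https should be stated as well.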
@@ -8,6 +8,7 @@
#include "http-url.h"
#include "http-client.h"
#include "dns-lookup.h"
+#include "iostream-ssl.h"
struct http_test_request {
struct io *io;
@@ -335,6 +336,7 @@ int main(int argc, char *argv[])
struct dns_lookup_settings dns_set;
struct http_client_settings http_set;
struct http_client *http_client;
+ struct ssl_iostream_settings ssl_set;
const char *error;
struct ioloop *ioloop;
@@ -356,11 +358,14 @@ int main(int argc, char *argv[])
if (dns_client_connect(dns_client, &error) < 0)
i_fatal("Couldn't initialize DNS client: %s", error);
+ memset(&ssl_set, 0, sizeof(ssl_set));
+ ssl_set.require_valid_cert = FALSE;
+ ssl_set.ca_dir = "/etc/ssl/certs"; /* debian */
+ ssl_set.ca_file = "/etc/pki/tls/cert.pem"; /* redhat */
+
memset(&http_set, 0, sizeof(http_set));
+ http_set.ssl = &ssl_set;
http_set.dns_client = dns_client;
- http_set.ssl_allow_invalid_cert = TRUE;
- http_set.ssl_ca_dir = "/etc/ssl/certs"; /* debian */
- http_set.ssl_ca_file = "/etc/pki/tls/cert.pem"; /* redhat */
http_set.max_idle_time_msecs = 5*1000;
http_set.max_parallel_connections = 4;
http_set.max_pipelined_requests = 4;
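Review bot: `ssl_set.require_valid_cert = FALSE;` right after the `memset()` is a no-op, while the value the old flow supplied for this test is now missing: the removed lines in `http_client_init_ssl_ctx()` forced `verify_remote_cert = TRUE` on the context settings, but the patch now passes the test's struct through, so the SSL context is created with `verify_remote_cert` unset. If that stops the iostream layer from retrieving the peer certificate, the `ssl_iostream_check_cert_validity()` path in the handshake callback no longer exercises what it did before this patch. Adding `ssl_set.verify_remote_cert = TRUE;` next to the `require_valid_cert` line keeps the earlier behaviour while still tolerating an invalid certificate, which appears to be the intent of the test. main() begins before and continues after the hunk.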