Mercurial > dovecot > core-2.2
annotate src/lib-ssl-iostream/iostream-openssl-context.c @ 12616:bd23d4e10fa1
Added lib-ssl-iostream for handling SSL connections more easily.
author | Timo Sirainen <tss@iki.fi> |
---|---|
date | Mon, 31 Jan 2011 18:40:27 +0200 |
parents | |
children | 733ac4aba089 |
1 /* Copyright (c) 2009 Dovecot authors, see the included COPYING file */ |
3 #include "lib.h" |
4 #include "safe-memset.h" |
5 #include "iostream-openssl.h" |
7 #include <openssl/crypto.h> |
8 #include <openssl/x509.h> |
9 #include <openssl/pem.h> |
10 #include <openssl/ssl.h> |
11 #include <openssl/err.h> |
12 #include <openssl/rand.h> |
struct ssl_iostream_password_context {
	/* Passphrase for an encrypted PEM private key, or NULL when none was
	   configured. Handed to OpenSSL's PEM password callback as userdata
	   via ssl_iostream_load_key(). */
	const char *password;
	/* Human-readable origin of the key; used only in error messages. */
	const char *key_source;
};
/* Guards the process-wide OpenSSL setup; presumably flipped by
   ssl_iostream_init_global(), whose body is not in this excerpt. */
static bool ssl_global_initialized = FALSE;
/* SSL_get_ex_data() index under which the owning struct ssl_iostream is
   attached to each SSL object (read back in ssl_tmp_dh_callback()). */
int dovecot_ssl_extdata_index;

static void ssl_iostream_init_global(void);
const char *ssl_iostream_error(void)
{
	/* Pop the oldest queued OpenSSL error and render it into a
	   temporary string. With an empty OpenSSL queue fall back to errno,
	   since BIO/socket level failures are reported through it instead.
	   Note that this consumes one queue entry per call. */
	const size_t buf_size = 256;
	unsigned long code = ERR_get_error();
	char *msg;

	if (code == 0)
		return errno != 0 ? strerror(errno) : "Unknown error";

	/* Running out of memory inside OpenSSL is treated as fatal rather
	   than reported as a string. */
	if (ERR_GET_REASON(code) == ERR_R_MALLOC_FAILURE)
		i_fatal_status(FATAL_OUTOFMEM, "OpenSSL malloc() failed");

	msg = t_malloc(buf_size);
	msg[buf_size-1] = '\0';
	ERR_error_string_n(code, msg, buf_size-1);
	return msg;
}
const char *ssl_iostream_key_load_error(void)
{
	/* Peek (don't consume) the oldest queued OpenSSL error so the common
	   "key doesn't belong to the certificate" case gets a configuration
	   oriented message. Anything else is rendered by ssl_iostream_error(),
	   which does pop the entry. */
	unsigned long code = ERR_peek_error();
	bool key_mismatch = ERR_GET_LIB(code) == ERR_LIB_X509 &&
		ERR_GET_REASON(code) == X509_R_KEY_VALUES_MISMATCH;

	if (key_mismatch)
		return "Key is for a different cert than ssl_cert";
	return ssl_iostream_error();
}
static RSA *ssl_gen_rsa_key(SSL *ssl ATTR_UNUSED,
			    int is_export ATTR_UNUSED, int keylength)
{
	/* Temporary-RSA callback shape: OpenSSL asks for an ephemeral RSA
	   key of `keylength` bits (where this gets registered is outside
	   this excerpt; presumably SSL_CTX_set_tmp_rsa_callback()). A fresh
	   key pair is generated on every invocation, which is expensive, and
	   whatever length OpenSSL requests is used unchanged — at export
	   grade lengths the resulting key is cryptographically weak.
	   RSA_generate_key() returns NULL on failure; that NULL is passed
	   straight back for OpenSSL to treat as a failed callback. */
	RSA *rsa;

	rsa = RSA_generate_key(keylength, RSA_F4, NULL, NULL);
	return rsa;
}
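static DH *ssl_tmp_dh_callback(SSL *ssl, int is_export, int keylength)
{
	struct ssl_iostream *ssl_io;

	/* Temporary-DH callback: pick the DH parameters for this handshake.
	   The owning ssl_iostream is attached to the SSL object via ex-data.
	   `ssl` is actually used here, so it must not carry ATTR_UNUSED. A
	   missing ex-data entry is a programming error; fail the handshake
	   (NULL) instead of dereferencing a NULL ssl_io. */
	ssl_io = SSL_get_ex_data(ssl, dovecot_ssl_extdata_index);
	if (ssl_io == NULL) {
		i_error("ssl_tmp_dh_callback: SSL object has no ssl_iostream "
			"ex-data");
		return NULL;
	}

	/* Export ciphersuites request 512-bit parameters; hand them out only
	   when they were configured. Every other request (including a 512-bit
	   one with no dh_512) gets the 1024-bit parameters. This mirrors the
	   logic in Postfix. NOTE(review): ctx->dh_1024 can itself be NULL if
	   no parameters were loaded — OpenSSL then fails the DH exchange. */
	if (is_export && keylength == 512 && ssl_io->ctx->dh_512 != NULL)
		return ssl_io->ctx->dh_512;
	return ssl_io->ctx->dh_1024;
}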
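static int
pem_password_callback(char *buf, int size, int rwflag ATTR_UNUSED,
		      void *userdata)
{
	/* OpenSSL PEM password callback (pem_password_cb): write the key's
	   passphrase into buf (at most size bytes) and return its length, or
	   0 to make PEM decoding fail. userdata is the
	   struct ssl_iostream_password_context set up by
	   ssl_iostream_load_key(). */
	struct ssl_iostream_password_context *ctx = userdata;

	/* Encrypted key but no passphrase configured: report by key name
	   (never the key material) and fail the decode. */
	if (ctx->password == NULL) {
		i_error("%s: SSL private key file is password protected, "
			"but password isn't given", ctx->key_source);
		return 0;
	}

	/* Copy the configured passphrase — not the userdata pointer, which
	   is the struct itself — into OpenSSL's buffer. i_strocpy() returns
	   a negative value when the string doesn't fit, in which case the
	   key cannot be unlocked. */
	if (i_strocpy(buf, ctx->password, size) < 0) {
		i_error("%s: SSL private key password is too long",
			ctx->key_source);
		return 0;
	}
	return strlen(buf);
}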
int ssl_iostream_load_key(const struct ssl_iostream_settings *set,
			  const char *key_source, EVP_PKEY **pkey_r)
{
	/* Parse set->key (PEM text, optionally encrypted with
	   set->key_password) into an EVP_PKEY. key_source only names the key
	   in error messages. Returns 0 and stores the key in *pkey_r on
	   success, -1 on failure (*pkey_r is set to NULL when PEM parsing
	   fails, and left untouched if the BIO couldn't be created). */
	struct ssl_iostream_password_context pw_ctx;
	size_t key_len;
	char *key_copy;
	BIO *key_bio;
	EVP_PKEY *pkey = NULL;
	int ret = -1;

	/* Work on a temporary copy of the PEM text so it can be wiped once
	   OpenSSL has read it; the read-only BIO never modifies it, so the
	   length stays valid for the wipe below. */
	key_copy = t_strdup_noconst(set->key);
	key_len = strlen(key_copy);

	pw_ctx.password = set->key_password;
	pw_ctx.key_source = key_source;

	key_bio = BIO_new_mem_buf(key_copy, key_len);
	if (key_bio == NULL) {
		i_error("BIO_new_mem_buf() failed: %s", ssl_iostream_error());
	} else {
		pkey = PEM_read_bio_PrivateKey(key_bio, NULL,
					       pem_password_callback, &pw_ctx);
		if (pkey == NULL) {
			i_error("%s: Couldn't parse private SSL key: %s",
				key_source, ssl_iostream_error());
		} else {
			ret = 0;
		}
		BIO_free(key_bio);
		*pkey_r = pkey;
	}
	/* safe_memset() is used (rather than memset()) so the wipe of the
	   key material isn't optimized away on any exit path. */
	safe_memset(key_copy, 0, key_len);
	return ret;
}
static int
ssl_iostream_ctx_use_key(struct ssl_iostream_context *ctx,
			 const struct ssl_iostream_settings *set)
{
	/* Load the private key from `set` and install it on ctx->ssl_ctx.
	   Returns 0 on success, -1 on failure (errors already logged). */
	EVP_PKEY *pkey;
	bool installed;

	if (ssl_iostream_load_key(set, ctx->source, &pkey) < 0)
		return -1;

	/* The key is released unconditionally afterwards: SSL_CTX keeps its
	   own reference once SSL_CTX_use_PrivateKey() succeeds. A key that
	   doesn't match an already-loaded certificate surfaces as
	   X509_R_KEY_VALUES_MISMATCH, which ssl_iostream_key_load_error()
	   turns into a configuration-oriented message. */
	installed = SSL_CTX_use_PrivateKey(ctx->ssl_ctx, pkey) != 0;
	if (!installed) {
		i_error("%s: Can't load SSL private key: %s",
			ctx->source, ssl_iostream_key_load_error());
	}
	EVP_PKEY_free(pkey);
	return installed ? 0 : -1;
}
static bool is_pem_key(const char *cert)
{
	/* Heuristic used only for diagnostics: does the PEM text carry a
	   "... PRIVATE KEY-----" armor line (RSA/DSA/EC/PKCS#8 all match)?
	   A plain substring search, so it also matches inside comments. */
	const char *marker = strstr(cert, "PRIVATE KEY---");

	return marker != NULL;
}
const char *ssl_iostream_get_use_certificate_error(const char *cert)
{
	/* Explain why `cert` couldn't be used. Only PEM_R_NO_START_LINE
	   ("no PEM object found") is special-cased, to tell an admin who
	   pointed ssl_cert at the key file apart from one with no certificate
	   at all. Every other queued error is rendered (and popped) by
	   ssl_iostream_error(). */
	unsigned long code = ERR_peek_error();
	bool no_start_line = ERR_GET_LIB(code) == ERR_LIB_PEM &&
		ERR_GET_REASON(code) == PEM_R_NO_START_LINE;

	if (!no_start_line)
		return ssl_iostream_error();
	if (is_pem_key(cert)) {
		return "The file contains a private key "
			"(you've mixed ssl_cert and ssl_key settings)";
	}
	return "There is no certificate.";
}
166 static int ssl_ctx_use_certificate_chain(SSL_CTX *ctx, const char *cert) |
167 { |
168 /* mostly just copy&pasted from SSL_CTX_use_certificate_chain_file() */ |
169 BIO *in; |
170 X509 *x; |
171 int ret = 0; |
173 in = BIO_new_mem_buf(t_strdup_noconst(cert), strlen(cert)); |
174 if (in == NULL) |
175 i_fatal("BIO_new_mem_buf() failed"); |
177 x = PEM_read_bio_X509(in, NULL, NULL, NULL); |
178 if (x == NULL) |
179 goto end; |
181 ret = SSL_CTX_use_certificate(ctx, x); |
182 if (ERR_peek_error() != 0) |
183 ret = 0; |
185 if (ret != 0) { |
186 /* If we could set up our certificate, now proceed to |
187 * the CA certificates. |
188 */ |
189 X509 *ca; |
190 int r; |
191 unsigned long err; |
193 while ((ca = PEM_read_bio_X509(in,NULL,NULL,NULL)) != NULL) { |
194 r = SSL_CTX_add_extra_chain_cert(ctx, ca); |
195 if (!r) { |
196 X509_free(ca); |
197 ret = 0; |
198 goto end; |
199 } |
200 } |
201 /* When the while loop ends, it's usually just EOF. */ |
202 err = ERR_peek_last_error(); |
203 if (ERR_GET_LIB(err) == ERR_LIB_PEM && ERR_GET_REASON(err) == PEM_R_NO_START_LINE) |
204 ERR_clear_error(); |
205 else |
206 ret = 0; /* some real error */ |
207 } |
208 |
209 end: |
210 if (x != NULL) X509_free(x); |
211 BIO_free(in); |
212 return ret; |
213 } |
214 |
/* Feed one parsed PEM object into the trust store. A certificate is added
   to the store and its subject name (duplicated, since the X509_INFO keeps
   ownership of the certificate) is appended to xnames; a CRL is added to
   the store as well. */
static void load_ca_add_info(X509_STORE *store, X509_INFO *info,
			     STACK_OF(X509_NAME) *xnames)
{
	X509_NAME *subject;

	if (info->x509 != NULL) {
		/* NOTE(review): the return value of X509_STORE_add_cert() is
		   not checked, so a certificate that can't be added is silently
		   left out of the trust store (fail-closed for that CA). */
		X509_STORE_add_cert(store, info->x509);
		subject = X509_get_subject_name(info->x509);
		if (subject != NULL) {
			subject = X509_NAME_dup(subject);
			if (subject != NULL)
				sk_X509_NAME_push(xnames, subject);
		}
	}
	if (info->crl != NULL)
		X509_STORE_add_crl(store, info->crl);
}

/* Parse the PEM bundle in ca (certificates and CRLs) into store.
   On success returns 0 and stores a newly allocated list of the
   certificates' subject names in *xnames_r; the caller owns that list.
   Returns -1 if the PEM data couldn't be parsed at all. A bundle that
   parses but contains no objects is not treated as an error here and
   yields an empty name list. */
static int load_ca(X509_STORE *store, const char *ca,
		   STACK_OF(X509_NAME) **xnames_r)
{
	/* mostly just copy&pasted from X509_load_cert_crl_file() */
	STACK_OF(X509_INFO) *infos;
	STACK_OF(X509_NAME) *xnames;
	BIO *bio;
	int i, count;

	/* the data-stack copy is presumably there because older OpenSSL
	   declares BIO_new_mem_buf()'s buffer as non-const */
	bio = BIO_new_mem_buf(t_strdup_noconst(ca), strlen(ca));
	if (bio == NULL)
		i_fatal("BIO_new_mem_buf() failed");
	infos = PEM_X509_INFO_read_bio(bio, NULL, NULL, NULL);
	BIO_free(bio);
	if (infos == NULL)
		return -1;

	xnames = sk_X509_NAME_new_null();
	if (xnames == NULL)
		i_fatal("sk_X509_NAME_new_null() failed");

	count = sk_X509_INFO_num(infos);
	for (i = 0; i < count; i++)
		load_ca_add_info(store, sk_X509_INFO_value(infos, i), xnames);
	sk_X509_INFO_pop_free(infos, X509_INFO_free);

	*xnames_r = xnames;
	return 0;
}
255 |
/* Finish setting up remote certificate verification for a context whose
   trust store was filled from an inline CA bundle: turn on CRL checking
   and install ca_names as the list of acceptable client CAs. OpenSSL takes
   ownership of ca_names. Always returns 0. */
static int
ssl_iostream_ctx_verify_remote_cert(struct ssl_iostream_context *ctx,
				    STACK_OF(X509_NAME) *ca_names)
{
#if OPENSSL_VERSION_NUMBER >= 0x00907000L
	X509_STORE *cert_store = SSL_CTX_get_cert_store(ctx->ssl_ctx);

	/* X509_V_FLAG_CRL_CHECK_ALL makes OpenSSL look up a CRL for every
	   CA in the chain, so a trust store with no CRLs makes verification
	   fail rather than pass (fail-closed). */
	X509_STORE_set_flags(cert_store,
			     X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
#endif

	SSL_CTX_set_client_CA_list(ctx->ssl_ctx, ca_names);
	return 0;
}
271 |
/* Copy the settings the context keeps for later use into pool.
   Only cipher_list, cert, key, key_password and verbose are duplicated;
   ca, ca_dir, verify_remote_cert and cert_username_field are not.
   NOTE(review): the private key and its password end up in the pool
   memory, so confirm the pool is cleared securely when the context is
   deinitialized. */
static struct ssl_iostream_settings *
ssl_iostream_settings_dup(pool_t pool,
			  const struct ssl_iostream_settings *old_set)
{
	struct ssl_iostream_settings *copy =
		p_new(pool, struct ssl_iostream_settings, 1);

	/* string settings: pool copies, NULL stays NULL */
	copy->cipher_list = p_strdup(pool, old_set->cipher_list);
	copy->cert = p_strdup(pool, old_set->cert);
	copy->key = p_strdup(pool, old_set->key);
	copy->key_password = p_strdup(pool, old_set->key_password);
	/* plain value settings */
	copy->verbose = old_set->verbose;

	return copy;
}
287 |
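/* Install the trust anchors used for verifying the remote certificate.
   Only called when set->verify_remote_cert is enabled. Returns 0 on
   success, -1 (after logging) when there is no CA configured or the
   configured one can't be loaded. */
static int
ssl_iostream_context_set_ca(struct ssl_iostream_context *ctx,
			    const struct ssl_iostream_settings *set)
{
	X509_STORE *store;
	STACK_OF(X509_NAME) *xnames = NULL;

	if (set->ca != NULL) {
		/* inline PEM bundle: certificates and CRLs go into the cert
		   store, the subject names become the client CA list */
		store = SSL_CTX_get_cert_store(ctx->ssl_ctx);
		if (load_ca(store, set->ca, &xnames) < 0) {
			i_error("%s: Couldn't parse ssl_ca: %s", ctx->source,
				ssl_iostream_error());
			return -1;
		}
		if (ssl_iostream_ctx_verify_remote_cert(ctx, xnames) < 0)
			return -1;
		return 0;
	}
	if (set->ca_dir != NULL) {
		/* hashed CA directory. NOTE(review): unlike the ssl_ca branch
		   this path enables no CRL checking and sets no client CA
		   list; confirm that is intended. */
		if (!SSL_CTX_load_verify_locations(ctx->ssl_ctx, NULL,
						   set->ca_dir)) {
			i_error("%s: Can't load CA certs from directory %s: %s",
				ctx->source, set->ca_dir, ssl_iostream_error());
			return -1;
		}
		return 0;
	}
	i_error("%s: Can't verify remote certs without CA", ctx->source);
	return -1;
}

/* Apply set to a freshly created context: cipher list, own certificate
   and key, trusted CAs and the certificate field used as username.
   Returns 0 on success, -1 on any configuration error (logged). Every
   error path now fails the whole context: previously a certificate that
   couldn't be loaded, or an unknown cert_username_field, was only logged
   and the half-configured context was still reported as usable.
   NOTE(review): the verify mode (SSL_CTX_set_verify) is not set here;
   it is presumably done elsewhere when verify_remote_cert is enabled. */
static int
ssl_iostream_context_set(struct ssl_iostream_context *ctx,
			 const struct ssl_iostream_settings *set)
{
	ctx->set = ssl_iostream_settings_dup(ctx->pool, set);
	if (set->cipher_list != NULL &&
	    !SSL_CTX_set_cipher_list(ctx->ssl_ctx, set->cipher_list)) {
		i_error("%s: Can't set cipher list to '%s': %s",
			ctx->source, set->cipher_list,
			ssl_iostream_error());
		return -1;
	}

	if (set->cert != NULL &&
	    ssl_ctx_use_certificate_chain(ctx->ssl_ctx, set->cert) < 0) {
		i_error("%s: Can't load SSL certificate: %s", ctx->source,
			ssl_iostream_get_use_certificate_error(set->cert));
		/* consistent with the other error paths: don't hand out a
		   context whose certificate failed to load */
		return -1;
	}
	if (set->key != NULL &&
	    ssl_iostream_ctx_use_key(ctx, set) < 0)
		return -1;

	/* set trusted CA certs; nothing to do when the remote certificate
	   isn't verified */
	if (set->verify_remote_cert &&
	    ssl_iostream_context_set_ca(ctx, set) < 0)
		return -1;

	if (set->cert_username_field != NULL) {
		ctx->username_nid = OBJ_txt2nid(set->cert_username_field);
		if (ctx->username_nid == NID_undef) {
			i_error("%s: Invalid cert_username_field: %s",
				ctx->source, set->cert_username_field);
			/* an unknown field name can never yield a username,
			   so treat it as a configuration error */
			return -1;
		}
	}
	return 0;
}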
348 |
/* Register the callbacks OpenSSL uses to obtain ephemeral key material. */
static void
ssl_iostream_context_init_tmp_keys(SSL_CTX *ssl_ctx)
{
	/* a temporary RSA key is only requested when the cipher list contains
	   ciphers that need one (export-grade RSA key exchange) */
	if (SSL_CTX_need_tmp_RSA(ssl_ctx))
		SSL_CTX_set_tmp_rsa_callback(ssl_ctx, ssl_gen_rsa_key);
	SSL_CTX_set_tmp_dh_callback(ssl_ctx, ssl_tmp_dh_callback);
}

/* Initialization shared by client and server contexts: allocate the
   context's pool, remember source (used as the prefix of error messages),
   set the protocol options and temporary-key callbacks on ctx->ssl_ctx,
   then apply set. Returns the result of ssl_iostream_context_set():
   0 on success, -1 on error. ctx->ssl_ctx must already be created. */
static int
ssl_iostream_context_init_common(struct ssl_iostream_context *ctx,
				 const char *source,
				 const struct ssl_iostream_settings *set)
{
	ctx->pool = pool_alloconly_create("ssl iostream context", 4096);
	ctx->source = p_strdup(ctx->pool, source);

	/* SSL_OP_ALL turns on every interoperability bug workaround. Of the
	   protocol versions only SSLv2 is disabled here, so SSLv3 and later
	   remain negotiable unless restricted elsewhere. */
	SSL_CTX_set_options(ctx->ssl_ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2);
	ssl_iostream_context_init_tmp_keys(ctx->ssl_ctx);

	return ssl_iostream_context_set(ctx, set);
}
364 |
/* Create a client-side SSL context configured from set.
   source names the caller in error messages. On success stores the new
   context in *ctx_r and returns 0; on failure logs, leaves *ctx_r
   untouched and returns -1. The SSLv23 client method negotiates the
   protocol version within the options set by
   ssl_iostream_context_init_common(). */
int ssl_iostream_context_init_client(const char *source,
				     const struct ssl_iostream_settings *set,
				     struct ssl_iostream_context **ctx_r)
{
	SSL_CTX *ssl_ctx;
	struct ssl_iostream_context *ctx;

	/* library-wide initialization must precede any SSL_CTX creation */
	ssl_iostream_init_global();
	ssl_ctx = SSL_CTX_new(SSLv23_client_method());
	if (ssl_ctx == NULL) {
		i_error("SSL_CTX_new() failed: %s", ssl_iostream_error());
		return -1;
	}

	ctx = i_new(struct ssl_iostream_context, 1);
	ctx->ssl_ctx = ssl_ctx;
	ctx->client_ctx = TRUE;
	if (ssl_iostream_context_init_common(ctx, source, set) < 0) {
		/* deinit presumably releases ssl_ctx together with the
		   context — confirm against ssl_iostream_context_deinit() */
		ssl_iostream_context_deinit(&ctx);
		return -1;
	}

	*ctx_r = ctx;
	return 0;
}
388 |
389 int ssl_iostream_context_init_server(const char *source, |
390 const struct ssl_iostream_settings *set, |
391 struct ssl_iostream_context **ctx_r) |
392 { |
393 struct ssl_iostream_context *ctx; |
394 SSL_CTX *ssl_ctx; |
395 |
396 ssl_iostream_init_global(); |
bd23d4e10fa1
Added lib-ssl-iostream for handling SSL connections more easily.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
397 if ((ssl_ctx = SSL_CTX_new(SSLv23_server_method())) == NULL) { |
bd23d4e10fa1
Added lib-ssl-iostream for handling SSL connections more easily.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
398 i_error("SSL_CTX_new() failed: %s", ssl_iostream_error()); |
bd23d4e10fa1
Added lib-ssl-iostream for handling SSL connections more easily.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
399 return -1; |
bd23d4e10fa1
Added lib-ssl-iostream for handling SSL connections more easily.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
400 } |
bd23d4e10fa1
Added lib-ssl-iostream for handling SSL connections more easily.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
401 |
bd23d4e10fa1
Added lib-ssl-iostream for handling SSL connections more easily.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
402 ctx = i_new(struct ssl_iostream_context, 1); |
bd23d4e10fa1
Added lib-ssl-iostream for handling SSL connections more easily.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
403 ctx->ssl_ctx = ssl_ctx; |
bd23d4e10fa1
Added lib-ssl-iostream for handling SSL connections more easily.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
404 if (ssl_iostream_context_init_common(ctx, source, set) < 0) { |
bd23d4e10fa1
Added lib-ssl-iostream for handling SSL connections more easily.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
405 ssl_iostream_context_deinit(&ctx); |
bd23d4e10fa1
Added lib-ssl-iostream for handling SSL connections more easily.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
406 return -1; |
bd23d4e10fa1
Added lib-ssl-iostream for handling SSL connections more easily.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
407 } |
bd23d4e10fa1
Added lib-ssl-iostream for handling SSL connections more easily.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
408 *ctx_r = ctx; |
bd23d4e10fa1
Added lib-ssl-iostream for handling SSL connections more easily.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
409 return 0; |
bd23d4e10fa1
Added lib-ssl-iostream for handling SSL connections more easily.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
410 } |
411 |
/* Free a context returned by ssl_iostream_context_init_server() (or its
   client counterpart). *_ctx must be non-NULL. The caller's pointer is
   cleared before anything is freed, so a stale copy cannot be reused and
   a second call on the same variable dereferences NULL rather than
   freeing twice.

   NOTE(review): this file includes safe-memset.h, so any in-memory
   private-key material is presumably wiped inside
   ssl_iostream_context_free_params() rather than here — verify. */
void ssl_iostream_context_deinit(struct ssl_iostream_context **_ctx)
{
	struct ssl_iostream_context *ctx;

	ctx = *_ctx;
	*_ctx = NULL;

	/* Teardown order is kept deliberately: the SSL_CTX first, then
	   the parameters, then the pool (which the parameters may live
	   in), and the struct itself last. */
	SSL_CTX_free(ctx->ssl_ctx);
	ssl_iostream_context_free_params(ctx);
	pool_unref(&ctx->pool);
	i_free(ctx);
}
422 |
/* Process-exit cleanup, registered with atexit() by
   ssl_iostream_init_global(). Releases the global tables that
   SSL_library_init() and SSL_load_error_strings() populate. It does not
   free any SSL_CTX — those belong to the individual contexts and are
   released by ssl_iostream_context_deinit(). */
static void ssl_iostream_deinit_global(void)
{
	/* cipher/digest tables registered by SSL_library_init() */
	EVP_cleanup();
	/* error-message tables loaded by SSL_load_error_strings() */
	ERR_free_strings();
}
428 |
/* One-time OpenSSL process setup; every context constructor calls it and
   the ssl_global_initialized flag makes all but the first call a no-op.
   Besides the library init it allocates the SSL ex_data slot stored in
   dovecot_ssl_extdata_index and pokes the PRNG so that any /dev/urandom
   access happens before a later chroot.

   NOTE(review): the guard is a plain flag with no locking, so this
   assumes initialization happens from a single thread — presumably true
   for Dovecot's process model, but not established by this file. */
static void ssl_iostream_init_global(void)
{
	static char dovecot[] = "dovecot";
	unsigned char probe;

	if (ssl_global_initialized)
		return;

	/* The exit hook is registered and the flag is set before the
	   library is initialized, so a re-entrant call during init returns
	   early instead of initializing twice. */
	atexit(ssl_iostream_deinit_global);
	ssl_global_initialized = TRUE;
	SSL_library_init();
	SSL_load_error_strings();

	/* NOTE(review): SSL_get_ex_new_index() returns -1 on failure and
	   that is not checked here; a later SSL_set_ex_data() with index
	   -1 would fail at connection setup — TODO confirm the callers
	   that use this index check for that. */
	dovecot_ssl_extdata_index =
		SSL_get_ex_new_index(0, dovecot, NULL, NULL, NULL);

	/* Force PRNG seeding now: it may read /dev/urandom, which has to
	   happen before the process chroots. The entropy pool may not be
	   ready on the first attempt, so this call can fail; the seed read
	   has still been attempted, which is why the result is deliberately
	   discarded (the original comment makes the same point).
	   NOTE(review): if it does fail and the process then chroots, the
	   PRNG stays unseeded and later RAND_bytes() calls and handshakes
	   would typically fail with no hint as to why — a warning keyed on
	   RAND_status() == 0 here would make that diagnosable. */
	(void)RAND_bytes(&probe, 1);
}