# HG changeset patch
# User Timo Sirainen
# Date 1252454418 14400
# Node ID e819f6dfe5f4b340147387353d0b5022eee11e4f
# Parent 37bc3a3d4464ad7d7176a612b2a03b0ae52c1bd5
dovecot -p (ask ssl key password from command line) works again.
diff -r 37bc3a3d4464 -r e819f6dfe5f4 src/login-common/ssl-proxy-openssl.c
--- a/src/login-common/ssl-proxy-openssl.c Tue Sep 08 19:34:49 2009 -0400
+++ b/src/login-common/ssl-proxy-openssl.c Tue Sep 08 20:00:18 2009 -0400
@@ -889,16 +889,19 @@
 {
 EVP_PKEY *pkey;
 BIO *bio;
- char *password;
+ const char *password;
+ char *dup_password;
 bio = BIO_new_mem_buf(t_strdup_noconst(set->ssl_key), strlen(set->ssl_key));
 if (bio == NULL) i_fatal("BIO_new_mem_buf() failed");
- password = t_strdup_noconst(set->ssl_key_password);
+ password = *set->ssl_key_password != '\0' ? set->ssl_key_password :
+ getenv("SSL_KEY_PASSWORD");
+ dup_password = t_strdup_noconst(password);
 pkey = PEM_read_bio_PrivateKey(bio, NULL, pem_password_callback,
- password);
+ dup_password);
 if (pkey == NULL) i_fatal("Couldn't parse private ssl_key");
 BIO_free(bio);
@@ -980,8 +983,6 @@
 static void ssl_proxy_init_server(const struct login_settings *set)
 {
- char *password;
-
 if ((ssl_server_ctx = SSL_CTX_new(SSLv23_server_method())) == NULL) i_fatal("SSL_CTX_new() failed");
 ssl_proxy_ctx_init(ssl_server_ctx, set);
@@ -997,13 +998,7 @@
 ssl_proxy_get_use_certificate_error(set->ssl_cert));
 }
- password = t_strdup_noconst(set->ssl_key_password);
- SSL_CTX_set_default_passwd_cb(ssl_server_ctx, pem_password_callback);
- SSL_CTX_set_default_passwd_cb_userdata(ssl_server_ctx, password);
-
 ssl_proxy_ctx_use_key(ssl_server_ctx, set);
- safe_memset(password, 0, strlen(password));
-
 if (set->verbose_ssl) SSL_CTX_set_info_callback(ssl_server_ctx, ssl_info_callback);
diff -r 37bc3a3d4464 -r e819f6dfe5f4 src/master/Makefile.am
--- a/src/master/Makefile.am Tue Sep 08 19:34:49 2009 -0400
+++ b/src/master/Makefile.am Tue Sep 08 20:00:18 2009 -0400
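Review bot: `dup_password = t_strdup_noconst(password);` makes a writable copy of the key password that nothing in this hunk clears once `PEM_read_bio_PrivateKey()` has returned, while the third hunk of this file removes the `safe_memset(password, 0, strlen(password));` that ssl_proxy_init_server previously ran after ssl_proxy_ctx_use_key, so the plaintext now outlives its use in whatever memory t_strdup_noconst() hands out; adding `if (dup_password != NULL) safe_memset(dup_password, 0, strlen(dup_password));` after `BIO_free(bio);` restores the old behaviour (ssl_proxy_ctx_use_key starts and continues outside the hunk, so a later point in the function may fit better). When ssl_key_password is empty and SSL_KEY_PASSWORD is not set, `getenv()` yields NULL, which then flows through t_strdup_noconst() into the callback's userdata; whether t_strdup_noconst() and pem_password_callback accept NULL is not visible here and is worth confirming so that a missing password produces a clear error rather than a crash. The password taken from the environment also stays in this process's environment after it has been copied, so an `unsetenv("SSL_KEY_PASSWORD");` right after the copy would keep it from being inherited by anything the login process later spawns or from being read back through the process environment.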
@@ -20,6 +20,7 @@
 dovecot_DEPENDENCIES = $(libs)
 dovecot_SOURCES = \
+ askpass.c \
 capabilities-posix.c \
 dup2-array.c \
 main.c \
@@ -35,6 +36,7 @@
 service.c
 noinst_HEADERS = \
+ askpass.h \
 capabilities.h \
 common.h \
 dup2-array.h \
diff -r 37bc3a3d4464 -r e819f6dfe5f4 src/master/common.h
--- a/src/master/common.h Tue Sep 08 19:34:49 2009 -0400
+++ b/src/master/common.h Tue Sep 08 20:00:18 2009 -0400
@@ -11,6 +11,7 @@
 extern gid_t master_gid;
 extern bool auth_success_written;
 extern bool core_dumps_disabled;
+extern char ssl_manual_key_password[];
 extern int null_fd;
 extern struct service_list *services;
diff -r 37bc3a3d4464 -r e819f6dfe5f4 src/master/main.c
--- a/src/master/main.c Tue Sep 08 19:34:49 2009 -0400
+++ b/src/master/main.c Tue Sep 08 20:00:18 2009 -0400
@@ -11,6 +11,7 @@
 #include "restrict-process-size.h"
 #include "master-service.h"
 #include "master-service-settings.h"
+#include "askpass.h"
 #include "capabilities.h"
 #include "service.h"
 #include "service-listen.h"
@@ -37,6 +38,7 @@
 gid_t master_gid;
 bool auth_success_written;
 bool core_dumps_disabled;
+char ssl_manual_key_password[100];
 int null_fd;
 struct service_list *services;
@@ -737,16 +739,11 @@
 auth_warning_print(set);
 }
-#if 0 // FIXME
 if (ask_key_pass) {
- const char *prompt;
-
- prompt = t_strdup_printf("Give the password for SSL key file " "%s: ", set->ssl_key_file);
- askpass(prompt, ssl_manual_key_password,
+ askpass("Give the password for SSL keys",
+ ssl_manual_key_password,
 sizeof(ssl_manual_key_password));
 }
-#endif
 /* save TZ environment. AIX depends on it to get the timezone correctly. */
diff -r 37bc3a3d4464 -r e819f6dfe5f4 src/master/service-process.c
--- a/src/master/service-process.c Tue Sep 08 19:34:49 2009 -0400
+++ b/src/master/service-process.c Tue Sep 08 20:00:18 2009 -0400
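Review bot: `char ssl_manual_key_password[100];` in the second main.c hunk and `extern char ssl_manual_key_password[];` in the common.h hunk on this line give the buffer a size that is visible only inside main.c, so `sizeof(ssl_manual_key_password)` in the askpass() call is the single place the bound exists and any other translation unit that later writes to or bounds-checks the array cannot see it. Naming the size once in common.h, e.g. `#define SSL_MANUAL_KEY_PASSWORD_SIZE 100` followed by `extern char ssl_manual_key_password[SSL_MANUAL_KEY_PASSWORD_SIZE];`, keeps the declaration and the definition in step and replaces the magic number. Whether askpass() reports a password longer than the buffer or silently truncates it is not visible in this diff; a truncated password would only surface later as a key-parse failure in the login process, so a comment on the definition such as `/* SSL key password typed at startup (-p); askpass() is bounded by sizeof */` and a check of askpass()'s truncation behaviour are worth adding. The function enclosing the askpass() call starts and ends outside the hunk.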
@@ -458,6 +458,13 @@
 env_put(t_strconcat("LOCAL_IP=", net_ip2addr(&request->local_ip), NULL));
 env_put(t_strconcat("IP=", net_ip2addr(&request->remote_ip), NULL));
+ if (*ssl_manual_key_password != '\0' &&
+ request->process->process.service->have_inet_listeners) {
+ /* manually given SSL password. give it only to services
+ that have inet listeners. */
+ env_put(t_strconcat("SSL_KEY_PASSWORD=",
+ ssl_manual_key_password, NULL));
+ }
 }
 struct service_process *
diff -r 37bc3a3d4464 -r e819f6dfe5f4 src/master/service.c
--- a/src/master/service.c Tue Sep 08 19:34:49 2009 -0400
+++ b/src/master/service.c Tue Sep 08 20:00:18 2009 -0400
@@ -293,6 +293,7 @@
 if (service_create_inet_listeners(service, inet_listeners[i], error_r) < 0) return NULL;
+ service->have_inet_listeners = TRUE;
 }
 return service;
diff -r 37bc3a3d4464 -r e819f6dfe5f4 src/master/service.h
--- a/src/master/service.h Tue Sep 08 19:34:49 2009 -0400
+++ b/src/master/service.h Tue Sep 08 20:00:18 2009 -0400
@@ -93,6 +93,8 @@
 unsigned int listen_pending:1;
 /* service is currently listening for new connections */
 unsigned int listening:1;
+ /* TRUE if service has at least one inet_listener */
+ unsigned int have_inet_listeners:1;
 };
 struct service_list {
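Review bot: The new condition hands the manually entered key password to every service whose `have_inet_listeners` flag is set, not only to those that terminate SSL, so a plain-TCP service with an inet listener also receives `SSL_KEY_PASSWORD` in its environment; the diff shows no per-service SSL setting, so this may be the narrowest gate available, but the comment should record the trade-off, e.g. `/* manually given SSL password. give it only to services that have inet listeners; no narrower per-service SSL flag is available here. */`. Once set, the variable stays in the child's environment for its lifetime unless the receiving code removes it, and the login-common hunk in this commit reads it with getenv() without doing so; on most systems a process environment can be read by other processes running as the same user and is inherited by anything the child executes, so pairing this env_put() with an unsetenv() on the consumer side would limit the exposure. The enclosing function begins outside the hunk.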