Mercurial > dovecot > core-2.2
changeset 10224:3f1c47797dee HEAD
ssl: Don't start handshake until client has been set.
author | Timo Sirainen <tss@iki.fi> |
---|---|
date | Wed, 28 Oct 2009 21:17:53 -0400 |
parents | 7b774a0c3493 |
children | 67b88d1a12f2 |
files | src/login-common/client-common.c src/login-common/login-proxy.c src/login-common/main.c src/login-common/ssl-proxy-openssl.c src/login-common/ssl-proxy.c src/login-common/ssl-proxy.h |
diffstat | 6 files changed, 48 insertions(+), 39 deletions(-) [+] |
line wrap: on
line diff
--- a/src/login-common/client-common.c Wed Oct 28 21:15:23 2009 -0400 +++ b/src/login-common/client-common.c Wed Oct 28 21:17:53 2009 -0400 @@ -254,8 +254,8 @@ if (!client_unref(&client) || client->destroyed) return; - fd_ssl = ssl_proxy_new(client->fd, &client->ip, - client->set, &client->ssl_proxy); + fd_ssl = ssl_proxy_alloc(client->fd, &client->ip, + client->set, &client->ssl_proxy); if (fd_ssl == -1) { client_send_line(client, CLIENT_CMD_REPLY_BYE, "TLS initialization failed."); @@ -264,6 +264,7 @@ return; } ssl_proxy_set_client(client->ssl_proxy, client); + ssl_proxy_start(client->ssl_proxy); client->starttls = TRUE; client->tls = TRUE;
--- a/src/login-common/login-proxy.c Wed Oct 28 21:15:23 2009 -0400 +++ b/src/login-common/login-proxy.c Wed Oct 28 21:17:53 2009 -0400 @@ -423,10 +423,10 @@ o_stream_destroy(&proxy->server_output); io_remove(&proxy->server_io); - fd = ssl_proxy_client_new(proxy->server_fd, &proxy->client->ip, - proxy->client->set, - login_proxy_ssl_handshaked, proxy, - &proxy->ssl_server_proxy); + fd = ssl_proxy_client_alloc(proxy->server_fd, &proxy->client->ip, + proxy->client->set, + login_proxy_ssl_handshaked, proxy, + &proxy->ssl_server_proxy); if (fd < 0) { client_log_err(proxy->client, t_strdup_printf( "proxy: SSL handshake failed to %s:%u", @@ -434,6 +434,7 @@ return -1; } ssl_proxy_set_client(proxy->ssl_server_proxy, proxy->client); + ssl_proxy_start(proxy->ssl_server_proxy); proxy->server_fd = fd; proxy_plain_connected(proxy);
--- a/src/login-common/main.c Wed Oct 28 21:15:23 2009 -0400 +++ b/src/login-common/main.c Wed Oct 28 21:17:53 2009 -0400 @@ -78,7 +78,8 @@ client = client_create(conn->fd, FALSE, pool, set, other_sets, &local_ip, &conn->remote_ip); } else { - fd_ssl = ssl_proxy_new(conn->fd, &conn->remote_ip, set, &proxy); + fd_ssl = ssl_proxy_alloc(conn->fd, &conn->remote_ip, set, + &proxy); if (fd_ssl == -1) { net_disconnect(conn->fd); pool_unref(&pool); @@ -89,6 +90,7 @@ &local_ip, &conn->remote_ip); client->ssl_proxy = proxy; ssl_proxy_set_client(proxy, client); + ssl_proxy_start(proxy); } client->remote_port = conn->remote_port;
--- a/src/login-common/ssl-proxy-openssl.c Wed Oct 28 21:15:23 2009 -0400 +++ b/src/login-common/ssl-proxy-openssl.c Wed Oct 28 21:17:53 2009 -0400 @@ -533,9 +533,9 @@ } static int -ssl_proxy_new_common(SSL_CTX *ssl_ctx, int fd, const struct ip_addr *ip, - const struct login_settings *set, - struct ssl_proxy **proxy_r) +ssl_proxy_alloc_common(SSL_CTX *ssl_ctx, int fd, const struct ip_addr *ip, + const struct login_settings *set, + struct ssl_proxy **proxy_r) { struct ssl_proxy *proxy; SSL *ssl; @@ -590,11 +590,11 @@ return sfd[1]; } -int ssl_proxy_new(int fd, const struct ip_addr *ip, - const struct login_settings *set, struct ssl_proxy **proxy_r) +int ssl_proxy_alloc(int fd, const struct ip_addr *ip, + const struct login_settings *set, + struct ssl_proxy **proxy_r) { struct ssl_server_context *ctx, lookup_ctx; - int ret; memset(&lookup_ctx, 0, sizeof(lookup_ctx)); lookup_ctx.cert = set->ssl_cert; @@ -607,32 +607,31 @@ if (ctx == NULL) ctx = ssl_server_context_init(set); - ret = ssl_proxy_new_common(ctx->ctx, fd, ip, set, proxy_r); - if (ret < 0) - return -1; - - ssl_step(*proxy_r); - return ret; + return ssl_proxy_alloc_common(ctx->ctx, fd, ip, set, proxy_r); } -int ssl_proxy_client_new(int fd, struct ip_addr *ip, - const struct login_settings *set, - ssl_handshake_callback_t *callback, void *context, - struct ssl_proxy **proxy_r) +int ssl_proxy_client_alloc(int fd, struct ip_addr *ip, + const struct login_settings *set, + ssl_handshake_callback_t *callback, void *context, + struct ssl_proxy **proxy_r) { int ret; - ret = ssl_proxy_new_common(ssl_client_ctx, fd, ip, set, proxy_r); + ret = ssl_proxy_alloc_common(ssl_client_ctx, fd, ip, set, proxy_r); if (ret < 0) return -1; (*proxy_r)->handshake_callback = callback; (*proxy_r)->handshake_context = context; (*proxy_r)->client_proxy = TRUE; - ssl_step(*proxy_r); return ret; } +void ssl_proxy_start(struct ssl_proxy *proxy) +{ + ssl_step(proxy); +} + void ssl_proxy_set_client(struct ssl_proxy *proxy, struct client *client) { i_assert(proxy->client == NULL);
--- a/src/login-common/ssl-proxy.c Wed Oct 28 21:15:23 2009 -0400 +++ b/src/login-common/ssl-proxy.c Wed Oct 28 21:17:53 2009 -0400 @@ -9,24 +9,28 @@ /* no SSL support */ -int ssl_proxy_new(int fd ATTR_UNUSED, const struct ip_addr *ip ATTR_UNUSED, - const struct login_settings *set ATTR_UNUSED, - struct ssl_proxy **proxy_r ATTR_UNUSED) +int ssl_proxy_alloc(int fd ATTR_UNUSED, const struct ip_addr *ip ATTR_UNUSED, + const struct login_settings *set ATTR_UNUSED, + struct ssl_proxy **proxy_r ATTR_UNUSED) { i_error("Dovecot wasn't built with SSL support"); return -1; } -int ssl_proxy_client_new(int fd ATTR_UNUSED, struct ip_addr *ip ATTR_UNUSED, - const struct login_settings *set ATTR_UNUSED, - ssl_handshake_callback_t *callback ATTR_UNUSED, - void *context ATTR_UNUSED, - struct ssl_proxy **proxy_r ATTR_UNUSED) +int ssl_proxy_client_alloc(int fd ATTR_UNUSED, struct ip_addr *ip ATTR_UNUSED, + const struct login_settings *set ATTR_UNUSED, + ssl_handshake_callback_t *callback ATTR_UNUSED, + void *context ATTR_UNUSED, + struct ssl_proxy **proxy_r ATTR_UNUSED) { i_error("Dovecot wasn't built with SSL support"); return -1; } +void ssl_proxy_start(struct ssl_proxy *proxy ATTR_UNUSED) +{ +} + void ssl_proxy_set_client(struct ssl_proxy *proxy ATTR_UNUSED, struct client *client ATTR_UNUSED) {
--- a/src/login-common/ssl-proxy.h Wed Oct 28 21:15:23 2009 -0400 +++ b/src/login-common/ssl-proxy.h Wed Oct 28 21:17:53 2009 -0400 @@ -13,12 +13,14 @@ /* establish SSL connection with the given fd, returns a new fd which you must use from now on, or -1 if error occurred. Unless -1 is returned, the given fd must be simply forgotten. */ -int ssl_proxy_new(int fd, const struct ip_addr *ip, - const struct login_settings *set, struct ssl_proxy **proxy_r); -int ssl_proxy_client_new(int fd, struct ip_addr *ip, - const struct login_settings *set, - ssl_handshake_callback_t *callback, void *context, - struct ssl_proxy **proxy_r); +int ssl_proxy_alloc(int fd, const struct ip_addr *ip, + const struct login_settings *set, + struct ssl_proxy **proxy_r); +int ssl_proxy_client_alloc(int fd, struct ip_addr *ip, + const struct login_settings *set, + ssl_handshake_callback_t *callback, void *context, + struct ssl_proxy **proxy_r); +void ssl_proxy_start(struct ssl_proxy *proxy); void ssl_proxy_set_client(struct ssl_proxy *proxy, struct client *client); bool ssl_proxy_has_valid_client_cert(const struct ssl_proxy *proxy) ATTR_PURE; bool ssl_proxy_has_broken_client_cert(struct ssl_proxy *proxy);