changeset 14518:773ca397d799
SSL proxying: Remote's host never matched cert, because auth process changed it to IP.
Now the "host" parameter isn't changed, but a new optional "hostip"
parameter contains the IP address to connect to.
author | Timo Sirainen <tss@iki.fi> |
---|---|
date | Wed, 25 Apr 2012 21:32:00 +0300 |
parents | c2b7767afc38 |
children | 96800058f29b |
files | src/auth/auth-request.c src/login-common/client-common-auth.c src/login-common/client-common.h src/login-common/login-proxy.c src/login-common/login-proxy.h |
diffstat | 5 files changed, 14 insertions(+), 4 deletions(-) [+] |
--- a/src/auth/auth-request.c Wed Apr 25 21:29:14 2012 +0300
+++ b/src/auth/auth-request.c Wed Apr 25 21:32:00 2012 +0300
@@ -1521,8 +1521,8 @@
 "DNS lookup for %s took %u.%03u s",
 host, result->msecs/1000, result->msecs % 1000);
 }
-auth_stream_reply_remove(request->extra_fields, "host");
-auth_stream_reply_add(request->extra_fields, "host",
+auth_stream_reply_remove(request->extra_fields, "hostip");
+auth_stream_reply_add(request->extra_fields, "hostip",
 net_ip2addr(&result->ips[0]));
 for (i = 0; i < result->ips_count; i++) {
 if (auth_request_proxy_ip_is_self(request,
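Review bot: Only `result->ips[0]` is exported as `hostip` while the loop that follows checks every returned address, and nothing in the hunk records why `host` is now left untouched; a comment at the `auth_stream_reply_add` call would preserve the rationale that currently lives only in the commit message, e.g. `/* keep "host" as the name (login-proxy matches the remote's TLS cert against it); pass the resolved address separately as "hostip" */`. If the multi-address case is ever meant to fail over, that would also be the place to say it only forwards the first result. The enclosing function starts and ends outside the hunk.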
--- a/src/login-common/client-common-auth.c Wed Apr 25 21:29:14 2012 +0300
+++ b/src/login-common/client-common-auth.c Wed Apr 25 21:32:00 2012 +0300
@@ -86,6 +86,8 @@
 reply_r->reason = value;
 else if (strcmp(key, "host") == 0)
 reply_r->host = value;
+else if (strcmp(key, "hostip") == 0)
+reply_r->hostip = value;
 else if (strcmp(key, "port") == 0)
 reply_r->port = atoi(value);
 else if (strcmp(key, "destuser") == 0)
@@ -294,6 +296,9 @@
 memset(&proxy_set, 0, sizeof(proxy_set));
 proxy_set.host = reply->host;
+if (reply->hostip != NULL &&
+net_addr2ip(reply->hostip, &proxy_set.ip) < 0)
+proxy_set.ip.family = 0;
 proxy_set.port = reply->port;
 proxy_set.dns_client_socket_path = LOGIN_DNS_CLIENT_SOCKET_PATH;
 proxy_set.connect_timeout_msecs = reply->proxy_timeout_msecs;
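Review bot: A `hostip` value that fails `net_addr2ip()` is silently downgraded to a hostname lookup in the second hunk (`proxy_set.ip.family = 0;`), so a malformed address coming back from the auth process is never reported and the proxy quietly connects to whatever `host` resolves to instead. Because `hostip` is produced by the auth process rather than the client, a warning through the file's existing client logging helper before the fallback would make the misconfiguration visible; at minimum a comment, `/* unparseable hostip from auth: drop it and let login-proxy resolve "host" */`, should explain why `family` is reset. The `memset()` two lines above already zeroes `ip`, so the assignment matters only for a partially written address on failure; stating that would help too. The enclosing function starts and ends outside the hunk.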
--- a/src/login-common/client-common.h Wed Apr 25 21:29:14 2012 +0300
+++ b/src/login-common/client-common.h Wed Apr 25 21:32:00 2012 +0300
@@ -49,7 +49,7 @@
 struct client_auth_reply {
 const char *master_user, *reason;
 /* for proxying */
-const char *host, *destuser, *password;
+const char *host, *hostip, *destuser, *password;
 unsigned int port;
 unsigned int proxy_timeout_msecs;
 unsigned int proxy_refresh_secs;
--- a/src/login-common/login-proxy.c Wed Apr 25 21:29:14 2012 +0300
+++ b/src/login-common/login-proxy.c Wed Apr 25 21:32:00 2012 +0300
@@ -308,6 +308,7 @@
 proxy->client_fd = -1;
 proxy->server_fd = -1;
 proxy->created = ioloop_timeval;
+proxy->ip = set->ip;
 proxy->host = i_strdup(set->host);
 proxy->port = set->port;
 proxy->connect_timeout_msecs = set->connect_timeout_msecs;
@@ -319,7 +320,8 @@
 dns_lookup_set.dns_client_socket_path = set->dns_client_socket_path;
 dns_lookup_set.timeout_msecs = set->connect_timeout_msecs;
-if (net_addr2ip(set->host, &proxy->ip) < 0) {
+if (set->ip.family == 0 &&
+net_addr2ip(set->host, &proxy->ip) < 0) {
 if (dns_lookup(set->host, &dns_lookup_set,
 login_proxy_dns_done, proxy) < 0)
 return -1;
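Review bot: The `set->ip.family == 0` test in the second hunk treats an unset field as "resolve or parse `host`", so every caller building a `struct login_proxy_settings` must zero-initialize it; the one caller visible in this changeset (client-common-auth.c) does `memset()` its settings, but any other caller that does not will skip the lookup and connect to whatever garbage `set->ip` happens to hold, since `proxy->ip = set->ip` was copied unconditionally in the first hunk. A comment at the check would make that contract explicit: `/* ip.family == 0: no hostip was supplied, fall back to parsing/resolving set->host */`. The enclosing function starts and ends outside the hunk.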
--- a/src/login-common/login-proxy.h Wed Apr 25 21:29:14 2012 +0300
+++ b/src/login-common/login-proxy.h Wed Apr 25 21:32:00 2012 +0300
@@ -1,6 +1,8 @@
 #ifndef LOGIN_PROXY_H
 #define LOGIN_PROXY_H
+#include "network.h"
+
 struct client;
 struct login_proxy;
@@ -15,6 +17,7 @@
 struct login_proxy_settings {
 const char *host;
+struct ip_addr ip;
 const char *dns_client_socket_path;
 unsigned int port;
 unsigned int connect_timeout_msecs;
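Review bot: The new `ip` member in the second hunk carries no comment saying that a zero `family` means "not set", which is what login-proxy.c keys on to decide whether `host` still needs to be parsed or resolved, so a caller that fills the struct without zeroing it would bypass the lookup. Suggest `struct ip_addr ip; /* optional: if family != 0, connect here instead of resolving host */`. The commit message implies `host` remains the name the remote's TLS certificate is matched against; if that is confirmed in login-proxy.c, noting it on the `host` member (`/* hostname used for TLS cert matching and, when ip is unset, for the connect */`) would stop a future change from "helpfully" overwriting it with the address again.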