Mercurial > dovecot > core-2.2
changeset 13675:7e3afd2252fd
login proxy: Verify that remote hostname matches SSL cert, unless ssl=any-cert
author | Timo Sirainen <tss@iki.fi> |
---|---|
date | Tue, 08 Nov 2011 23:40:54 +0200 |
parents | 439ba86c91fc |
children | 72e894a8d267 |
files | configure.in src/lib-ssl-iostream/iostream-openssl.c src/lib-ssl-iostream/iostream-openssl.h src/login-common/Makefile.am src/login-common/login-proxy.c src/login-common/ssl-proxy-openssl.c src/login-common/ssl-proxy.c src/login-common/ssl-proxy.h |
diffstat | 8 files changed, 39 insertions(+), 13 deletions(-) [+] |
line wrap: on
line diff
--- a/configure.in Tue Nov 08 22:49:57 2011 +0200 +++ b/configure.in Tue Nov 08 23:40:54 2011 +0200 @@ -2487,7 +2487,7 @@ LIBDOVECOT_STORAGE_LAST='$(top_builddir)/src/lib-storage/list/libstorage_list.la $(top_builddir)/src/lib-storage/index/libstorage_index.la $(top_builddir)/src/lib-storage/libstorage.la $(top_builddir)/src/lib-index/libindex.la' LIBDOVECOT_STORAGE_FIRST='$(top_builddir)/src/lib-storage/libstorage_service.la $(top_builddir)/src/lib-storage/register/libstorage_register.la' LIBDOVECOT_STORAGE="$LIBDOVECOT_STORAGE_FIRST $LINKED_STORAGE_LIBS $LIBDOVECOT_STORAGE_LAST" - LIBDOVECOT_LOGIN='$(top_builddir)/src/login-common/liblogin.la' + LIBDOVECOT_LOGIN='$(top_builddir)/src/login-common/liblogin.la $(top_builddir)/src/lib-ssl-iostream/libssl_iostream.la' LIBDOVECOT_LDA='$(top_builddir)/src/lib-lda/liblda.la' fi LIBDOVECOT_SQL='$(top_builddir)/src/lib-sql/libsql.la'
--- a/src/lib-ssl-iostream/iostream-openssl.c Tue Nov 08 22:49:57 2011 +0200 +++ b/src/lib-ssl-iostream/iostream-openssl.c Tue Nov 08 23:40:54 2011 +0200 @@ -492,8 +492,7 @@ return asn1_string_to_c(str); } -int ssl_iostream_cert_match_name(struct ssl_iostream *ssl_io, - const char *verify_name) +int openssl_cert_match_name(SSL *ssl, const char *verify_name) { X509 *cert; STACK_OF(GENERAL_NAME) *gnames; @@ -502,10 +501,7 @@ bool dns_names = FALSE; unsigned int i, count; - if (!ssl_iostream_has_valid_client_cert(ssl_io)) - return -1; - - cert = SSL_get_peer_certificate(ssl_io->ssl); + cert = SSL_get_peer_certificate(ssl); i_assert(cert != NULL); /* verify against SubjectAltNames */ @@ -529,6 +525,15 @@ return strcmp(get_cname(cert), verify_name) == 0 ? 0 : -1; } +int ssl_iostream_cert_match_name(struct ssl_iostream *ssl_io, + const char *verify_name) +{ + if (!ssl_iostream_has_valid_client_cert(ssl_io)) + return -1; + + return openssl_cert_match_name(ssl_io->ssl, verify_name); +} + int ssl_iostream_handshake(struct ssl_iostream *ssl_io) { int ret;
--- a/src/lib-ssl-iostream/iostream-openssl.h Tue Nov 08 22:49:57 2011 +0200 +++ b/src/lib-ssl-iostream/iostream-openssl.h Tue Nov 08 23:40:54 2011 +0200 @@ -60,6 +60,7 @@ int ssl_iostream_load_key(const struct ssl_iostream_settings *set, const char *key_source, EVP_PKEY **pkey_r); const char *ssl_iostream_get_use_certificate_error(const char *cert); +int openssl_cert_match_name(SSL *ssl, const char *verify_name); /* Sync plain_input/plain_output streams with BIOs. Returns TRUE if at least one byte was read/written. */
--- a/src/login-common/Makefile.am Tue Nov 08 22:49:57 2011 +0200 +++ b/src/login-common/Makefile.am Tue Nov 08 23:40:54 2011 +0200 @@ -6,6 +6,7 @@ -I$(top_srcdir)/src/lib-auth \ -I$(top_srcdir)/src/lib-dns \ -I$(top_srcdir)/src/lib-master \ + -I$(top_srcdir)/src/lib-ssl-iostream \ -DPKG_STATEDIR=\""$(statedir)"\" liblogin_la_SOURCES = \ @@ -39,6 +40,6 @@ pkglib_LTLIBRARIES = libdovecot-login.la libdovecot_login_la_SOURCES = -libdovecot_login_la_LIBADD = liblogin.la ../lib-dovecot/libdovecot.la +libdovecot_login_la_LIBADD = liblogin.la ../lib-ssl-iostream/libssl_iostream.la ../lib-dovecot/libdovecot.la libdovecot_login_la_DEPENDENCIES = liblogin.la libdovecot_login_la_LDFLAGS = -export-dynamic
--- a/src/login-common/login-proxy.c Tue Nov 08 22:49:57 2011 +0200 +++ b/src/login-common/login-proxy.c Tue Nov 08 23:40:54 2011 +0200 @@ -507,18 +507,24 @@ { struct login_proxy *proxy = context; - if ((proxy->ssl_flags & PROXY_SSL_FLAG_ANY_CERT) != 0 || - ssl_proxy_has_valid_client_cert(proxy->ssl_server_proxy)) + if ((proxy->ssl_flags & PROXY_SSL_FLAG_ANY_CERT) != 0) return 0; - if (!ssl_proxy_has_broken_client_cert(proxy->ssl_server_proxy)) { + if (ssl_proxy_has_broken_client_cert(proxy->ssl_server_proxy)) { + client_log_err(proxy->client, t_strdup_printf( + "proxy: Received invalid SSL certificate from %s:%u", + proxy->host, proxy->port)); + } else if (!ssl_proxy_has_valid_client_cert(proxy->ssl_server_proxy)) { client_log_err(proxy->client, t_strdup_printf( "proxy: SSL certificate not received from %s:%u", proxy->host, proxy->port)); - } else { + } else if (ssl_proxy_cert_match_name(proxy->ssl_server_proxy, + proxy->host) < 0) { client_log_err(proxy->client, t_strdup_printf( - "proxy: Received invalid SSL certificate from %s:%u", + "proxy: hostname doesn't match SSL certificate at %s:%u", proxy->host, proxy->port)); + } else { + return 0; } proxy->disconnecting = TRUE; return -1;
--- a/src/login-common/ssl-proxy-openssl.c Tue Nov 08 22:49:57 2011 +0200 +++ b/src/login-common/ssl-proxy-openssl.c Tue Nov 08 23:40:54 2011 +0200 @@ -19,6 +19,7 @@ #ifdef HAVE_OPENSSL +#include "iostream-openssl.h" #include <openssl/crypto.h> #include <openssl/x509.h> #include <openssl/pem.h> @@ -665,6 +666,11 @@ return proxy->cert_received && proxy->cert_broken; } +int ssl_proxy_cert_match_name(struct ssl_proxy *proxy, const char *verify_name) +{ + return openssl_cert_match_name(proxy->ssl, verify_name); +} + const char *ssl_proxy_get_peer_name(struct ssl_proxy *proxy) { X509 *x509;
--- a/src/login-common/ssl-proxy.c Tue Nov 08 22:49:57 2011 +0200 +++ b/src/login-common/ssl-proxy.c Tue Nov 08 23:40:54 2011 +0200 @@ -46,6 +46,12 @@ return FALSE; } +int ssl_proxy_cert_match_name(struct ssl_proxy *proxy ATTR_UNUSED, + const char *verify_name ATTR_UNUSED) +{ + return -1; +} + const char *ssl_proxy_get_peer_name(struct ssl_proxy *proxy ATTR_UNUSED) { return NULL;
--- a/src/login-common/ssl-proxy.h Tue Nov 08 22:49:57 2011 +0200 +++ b/src/login-common/ssl-proxy.h Tue Nov 08 23:40:54 2011 +0200 @@ -24,6 +24,7 @@ void ssl_proxy_set_client(struct ssl_proxy *proxy, struct client *client); bool ssl_proxy_has_valid_client_cert(const struct ssl_proxy *proxy) ATTR_PURE; bool ssl_proxy_has_broken_client_cert(struct ssl_proxy *proxy); +int ssl_proxy_cert_match_name(struct ssl_proxy *proxy, const char *verify_name); const char *ssl_proxy_get_peer_name(struct ssl_proxy *proxy); bool ssl_proxy_is_handshaked(const struct ssl_proxy *proxy) ATTR_PURE; const char *ssl_proxy_get_last_error(const struct ssl_proxy *proxy) ATTR_PURE;