dovecot/original-hg/dovecot-1.2: src/login-common/ssl-proxy-openssl.c annotate

annotate src/login-common/ssl-proxy-openssl.c @ 4506:025ffc5a3643 HEAD

Use SSL_pending() to figure out if we should call SSL_read() again. Otherwise it breaks..

author	Timo Sirainen <tss@iki.fi>
date	Mon, 24 Jul 2006 02:32:11 +0300
parents	886d7af1f38d
children	9d9e72374164

rev	line source
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	1 /* Copyright (C) 2002 Timo Sirainen */
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	2
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	3 #include "common.h"
3888 650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	4 #include "array.h"
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	5 #include "ioloop.h"
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	6 #include "network.h"
4474 1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	7 #include "ostream.h"
3888 650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	8 #include "read-full.h"
1231 6352baabd8a1 and compiler warning fixes.. Timo Sirainen <tss@iki.fi> parents: 1230 diff changeset	9 #include "hash.h"
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	10 #include "ssl-proxy.h"
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	11
3888 650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	12 #include <fcntl.h>
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	13 #include <unistd.h>
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	14 #include <sys/stat.h>
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	15
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	16 #ifdef HAVE_OPENSSL
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	17
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	18 #include <openssl/crypto.h>
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	19 #include <openssl/x509.h>
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	20 #include <openssl/pem.h>
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	21 #include <openssl/ssl.h>
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	22 #include <openssl/err.h>
1556 545f6b150e2c Make sure PRNG gets initialized before chrooting so it can open /dev/urandom. Timo Sirainen <tss@iki.fi> parents: 1544 diff changeset	23 #include <openssl/rand.h>
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	24
1996 d8f06a0c818e Added ssl_cipher_list setting. Timo Sirainen <tss@iki.fi> parents: 1907 diff changeset	25 #define DOVECOT_SSL_DEFAULT_CIPHER_LIST "ALL:!LOW"
3888 650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	26 /* Check every 30 minutes if parameters file has been updated */
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	27 #define SSL_PARAMFILE_CHECK_INTERVAL (60*30)
1544 ac6ee442376d OpenSSL proxy changes - hopefully fixes something. Also don't crash with Timo Sirainen <tss@iki.fi> parents: 1492 diff changeset	28
4474 1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	29 #define PLAIN_OUTPUT_OPTIMAL_SIZE 2048
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	30
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	31 enum ssl_want {
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	32 WANT_INPUT,
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	33 WANT_OUTPUT
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	34 };
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	35
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	36 struct ssl_proxy {
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	37 int refcount;
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	38
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	39 SSL *ssl;
1235 2660b47fd9bc Added setting verbose_ssl Timo Sirainen <tss@iki.fi> parents: 1234 diff changeset	40 struct ip_addr ip;
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	41
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	42 int fd_ssl, fd_plain;
4474 1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	43 struct io io_ssl, io_plain_input;
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	44
4474 1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	45 enum ssl_want want;
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	46 void (step)(struct ssl_proxy );
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	47 unsigned int ssl_want_size;
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	48
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	49 struct ostream *plain_output;
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	50
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	51 unsigned char sslout_buf[1024];
1324 13d8f69d4f1a rewrite, maybe it works properly now. Timo Sirainen <tss@iki.fi> parents: 1268 diff changeset	52 unsigned int sslout_size;
1458 98362534b2c7 Unexpected SSL connection errors sometimes crashed Timo Sirainen <tss@iki.fi> parents: 1457 diff changeset	53
98362534b2c7 Unexpected SSL connection errors sometimes crashed Timo Sirainen <tss@iki.fi> parents: 1457 diff changeset	54 unsigned int handshaked:1;
98362534b2c7 Unexpected SSL connection errors sometimes crashed Timo Sirainen <tss@iki.fi> parents: 1457 diff changeset	55 unsigned int destroyed:1;
2027 dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide Timo Sirainen <tss@iki.fi> parents: 2007 diff changeset	56 unsigned int cert_received:1;
dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide Timo Sirainen <tss@iki.fi> parents: 2007 diff changeset	57 unsigned int cert_broken:1;
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	58 };
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	59
3888 650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	60 struct ssl_parameters {
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	61 const char *fname;
4505 886d7af1f38d Don't constantly re-read ssl-parameters.dat. Make sure that in input handler Timo Sirainen <tss@iki.fi> parents: 4474 diff changeset	62 time_t last_mtime, last_check;
3888 650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	63 int fd;
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	64
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	65 DH dh_512, dh_1024;
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	66 };
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	67
2027 dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide Timo Sirainen <tss@iki.fi> parents: 2007 diff changeset	68 static int extdata_index;
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	69 static SSL_CTX *ssl_ctx;
1230 e6d2b8c78519 Keep list of the SSL proxies, so they're deinitialized properly if we have Timo Sirainen <tss@iki.fi> parents: 1215 diff changeset	70 static struct hash_table *ssl_proxies;
3888 650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	71 static struct ssl_parameters ssl_params;
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	72
4474 1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	73 static void ssl_input(struct ssl_proxy *proxy);
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	74 static void ssl_output(struct ssl_proxy *proxy);
1324 13d8f69d4f1a rewrite, maybe it works properly now. Timo Sirainen <tss@iki.fi> parents: 1268 diff changeset	75 static void ssl_step(void *context);
1458 98362534b2c7 Unexpected SSL connection errors sometimes crashed Timo Sirainen <tss@iki.fi> parents: 1457 diff changeset	76 static void ssl_proxy_destroy(struct ssl_proxy *proxy);
3863 55df57c028d4 Added "bool" type and changed all ints that were used as booleans to bool. Timo Sirainen <tss@iki.fi> parents: 3635 diff changeset	77 static void ssl_proxy_unref(struct ssl_proxy *proxy);
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	78
3888 650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	79 static void read_next(struct ssl_parameters params, void data, size_t size)
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	80 {
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	81 int ret;
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	82
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	83 if ((ret = read_full(params->fd, data, size)) < 0)
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	84 i_fatal("read(%s) failed: %m", params->fname);
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	85 if (ret == 0)
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	86 i_fatal("read(%s) failed: Unexpected EOF", params->fname);
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	87 }
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	88
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	89 static bool read_dh_parameters_next(struct ssl_parameters *params)
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	90 {
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	91 unsigned char *buf;
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	92 const unsigned char *cbuf;
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	93 unsigned int len;
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	94 int bits;
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	95
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	96 /* read bit size. 0 ends the DH parameters list. */
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	97 read_next(params, &bits, sizeof(bits));
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	98
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	99 if (bits == 0)
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	100 return FALSE;
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	101
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	102 /* read data size. */
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	103 read_next(params, &len, sizeof(len));
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	104 if (len > 1024100) / should be enough? */
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	105 i_fatal("Corrupted SSL parameters file: %s", params->fname);
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	106
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	107 buf = i_malloc(len);
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	108 read_next(params, buf, len);
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	109
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	110 cbuf = buf;
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	111 switch (bits) {
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	112 case 512:
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	113 params->dh_512 = d2i_DHparams(NULL, &cbuf, len);
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	114 break;
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	115 case 1024:
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	116 params->dh_1024 = d2i_DHparams(NULL, &cbuf, len);
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	117 break;
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	118 }
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	119
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	120 i_free(buf);
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	121 return TRUE;
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	122 }
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	123
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	124 static void ssl_free_parameters(struct ssl_parameters *params)
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	125 {
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	126 if (params->dh_512 != NULL) {
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	127 DH_free(params->dh_512);
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	128 params->dh_512 = NULL;
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	129 }
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	130 if (params->dh_1024 != NULL) {
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	131 DH_free(params->dh_1024);
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	132 params->dh_1024 = NULL;
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	133 }
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	134 }
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	135
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	136 static void ssl_read_parameters(struct ssl_parameters *params)
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	137 {
4505 886d7af1f38d Don't constantly re-read ssl-parameters.dat. Make sure that in input handler Timo Sirainen <tss@iki.fi> parents: 4474 diff changeset	138 struct stat st;
3888 650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	139 bool warned = FALSE;
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	140
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	141 /* we'll wait until parameter file exists */
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	142 for (;;) {
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	143 params->fd = open(params->fname, O_RDONLY);
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	144 if (params->fd != -1)
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	145 break;
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	146
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	147 if (errno != ENOENT) {
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	148 i_fatal("Can't open SSL parameter file %s: %m",
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	149 params->fname);
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	150 }
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	151
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	152 if (!warned) {
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	153 i_warning("Waiting for SSL parameter file %s",
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	154 params->fname);
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	155 warned = TRUE;
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	156 }
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	157 sleep(1);
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	158 }
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	159
4505 886d7af1f38d Don't constantly re-read ssl-parameters.dat. Make sure that in input handler Timo Sirainen <tss@iki.fi> parents: 4474 diff changeset	160 if (fstat(params->fd, &st) < 0)
886d7af1f38d Don't constantly re-read ssl-parameters.dat. Make sure that in input handler Timo Sirainen <tss@iki.fi> parents: 4474 diff changeset	161 i_error("fstat(%s) failed: %m", params->fname);
886d7af1f38d Don't constantly re-read ssl-parameters.dat. Make sure that in input handler Timo Sirainen <tss@iki.fi> parents: 4474 diff changeset	162 else
886d7af1f38d Don't constantly re-read ssl-parameters.dat. Make sure that in input handler Timo Sirainen <tss@iki.fi> parents: 4474 diff changeset	163 params->last_mtime = st.st_mtime;
886d7af1f38d Don't constantly re-read ssl-parameters.dat. Make sure that in input handler Timo Sirainen <tss@iki.fi> parents: 4474 diff changeset	164
3888 650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	165 ssl_free_parameters(params);
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	166 while (read_dh_parameters_next(params)) ;
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	167
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	168 if (close(params->fd) < 0)
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	169 i_error("close() failed: %m");
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	170 params->fd = -1;
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	171 }
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	172
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	173 static void ssl_refresh_parameters(struct ssl_parameters *params)
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	174 {
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	175 struct stat st;
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	176
4505 886d7af1f38d Don't constantly re-read ssl-parameters.dat. Make sure that in input handler Timo Sirainen <tss@iki.fi> parents: 4474 diff changeset	177 if (params->last_check > ioloop_time - SSL_PARAMFILE_CHECK_INTERVAL)
3888 650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	178 return;
4505 886d7af1f38d Don't constantly re-read ssl-parameters.dat. Make sure that in input handler Timo Sirainen <tss@iki.fi> parents: 4474 diff changeset	179 params->last_check = ioloop_time;
3888 650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	180
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	181 if (params->last_mtime == 0)
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	182 ssl_read_parameters(params);
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	183 else {
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	184 if (stat(params->fname, &st) < 0)
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	185 i_error("stat(%s) failed: %m", params->fname);
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	186 else if (st.st_mtime != params->last_mtime)
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	187 ssl_read_parameters(params);
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	188 }
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	189 }
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	190
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	191 static const char *ssl_last_error(void)
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	192 {
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	193 unsigned long err;
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	194 char *buf;
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	195 size_t err_size = 256;
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	196
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	197 err = ERR_get_error();
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	198 if (err == 0)
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	199 return strerror(errno);
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	200
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	201 buf = t_malloc(err_size);
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	202 buf[err_size-1] = '\0';
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	203 ERR_error_string_n(err, buf, err_size-1);
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	204 return buf;
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	205 }
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	206
4474 1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	207 static void ssl_set_io(struct ssl_proxy *proxy, enum ssl_want want)
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	208 {
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	209 if (proxy->io_ssl != NULL) {
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	210 if (want == proxy->want)
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	211 return;
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	212 io_remove(&proxy->io_ssl);
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	213 }
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	214
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	215 proxy->want = want;
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	216 switch (want) {
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	217 case WANT_INPUT:
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	218 proxy->io_ssl =
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	219 io_add(proxy->fd_ssl, IO_READ, ssl_step, proxy);
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	220 break;
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	221 case WANT_OUTPUT:
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	222 proxy->io_ssl =
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	223 io_add(proxy->fd_ssl, IO_WRITE, ssl_step, proxy);
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	224 break;
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	225 }
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	226 }
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	227
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	228 static void
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	229 ssl_handle_error(struct ssl_proxy proxy, int ret, const char func_name,
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	230 void (func)(struct ssl_proxy ), unsigned int want_size)
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	231 {
1235 2660b47fd9bc Added setting verbose_ssl Timo Sirainen <tss@iki.fi> parents: 1234 diff changeset	232 const char *errstr;
2660b47fd9bc Added setting verbose_ssl Timo Sirainen <tss@iki.fi> parents: 1234 diff changeset	233 int err;
2660b47fd9bc Added setting verbose_ssl Timo Sirainen <tss@iki.fi> parents: 1234 diff changeset	234
2660b47fd9bc Added setting verbose_ssl Timo Sirainen <tss@iki.fi> parents: 1234 diff changeset	235 err = SSL_get_error(proxy->ssl, ret);
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	236
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	237 switch (err) {
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	238 case SSL_ERROR_WANT_READ:
4474 1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	239 proxy->step = func;
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	240 proxy->ssl_want_size = want_size;
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	241 ssl_set_io(proxy, WANT_INPUT);
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	242 break;
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	243 case SSL_ERROR_WANT_WRITE:
4474 1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	244 proxy->step = func;
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	245 proxy->ssl_want_size = want_size;
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	246 ssl_set_io(proxy, WANT_OUTPUT);
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	247 break;
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	248 case SSL_ERROR_SYSCALL:
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	249 /* eat up the error queue */
1235 2660b47fd9bc Added setting verbose_ssl Timo Sirainen <tss@iki.fi> parents: 1234 diff changeset	250 if (verbose_ssl) {
2660b47fd9bc Added setting verbose_ssl Timo Sirainen <tss@iki.fi> parents: 1234 diff changeset	251 if (ERR_peek_error() != 0)
2660b47fd9bc Added setting verbose_ssl Timo Sirainen <tss@iki.fi> parents: 1234 diff changeset	252 errstr = ssl_last_error();
2660b47fd9bc Added setting verbose_ssl Timo Sirainen <tss@iki.fi> parents: 1234 diff changeset	253 else {
2660b47fd9bc Added setting verbose_ssl Timo Sirainen <tss@iki.fi> parents: 1234 diff changeset	254 if (ret == 0)
2660b47fd9bc Added setting verbose_ssl Timo Sirainen <tss@iki.fi> parents: 1234 diff changeset	255 errstr = "EOF";
2660b47fd9bc Added setting verbose_ssl Timo Sirainen <tss@iki.fi> parents: 1234 diff changeset	256 else
2660b47fd9bc Added setting verbose_ssl Timo Sirainen <tss@iki.fi> parents: 1234 diff changeset	257 errstr = strerror(errno);
2660b47fd9bc Added setting verbose_ssl Timo Sirainen <tss@iki.fi> parents: 1234 diff changeset	258 }
2660b47fd9bc Added setting verbose_ssl Timo Sirainen <tss@iki.fi> parents: 1234 diff changeset	259
2660b47fd9bc Added setting verbose_ssl Timo Sirainen <tss@iki.fi> parents: 1234 diff changeset	260 i_warning("%s syscall failed: %s [%s]",
4474 1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	261 func_name, errstr, net_ip2addr(&proxy->ip));
1235 2660b47fd9bc Added setting verbose_ssl Timo Sirainen <tss@iki.fi> parents: 1234 diff changeset	262 }
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	263 ssl_proxy_destroy(proxy);
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	264 break;
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	265 case SSL_ERROR_ZERO_RETURN:
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	266 /* clean connection closing */
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	267 ssl_proxy_destroy(proxy);
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	268 break;
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	269 case SSL_ERROR_SSL:
1235 2660b47fd9bc Added setting verbose_ssl Timo Sirainen <tss@iki.fi> parents: 1234 diff changeset	270 if (verbose_ssl) {
4474 1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	271 i_warning("%s failed: %s [%s]", func_name,
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	272 ssl_last_error(), net_ip2addr(&proxy->ip));
1235 2660b47fd9bc Added setting verbose_ssl Timo Sirainen <tss@iki.fi> parents: 1234 diff changeset	273 }
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	274 ssl_proxy_destroy(proxy);
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	275 break;
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	276 default:
1235 2660b47fd9bc Added setting verbose_ssl Timo Sirainen <tss@iki.fi> parents: 1234 diff changeset	277 i_warning("%s failed: unknown failure %d (%s) [%s]",
4474 1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	278 func_name, err, ssl_last_error(),
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	279 net_ip2addr(&proxy->ip));
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	280 ssl_proxy_destroy(proxy);
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	281 break;
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	282 }
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	283 }
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	284
4474 1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	285 static void plain_input(void *context)
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	286 {
4474 1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	287 struct ssl_proxy *proxy = context;
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	288 ssize_t ret;
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	289
4474 1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	290 if (proxy->sslout_size == sizeof(proxy->sslout_buf)) {
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	291 /* buffer full, block input until it's written */
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	292 io_remove(&proxy->io_plain_input);
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	293 return;
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	294 }
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	295
4474 1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	296 ret = net_receive(proxy->fd_plain,
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	297 proxy->sslout_buf + proxy->sslout_size,
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	298 sizeof(proxy->sslout_buf) - proxy->sslout_size);
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	299 if (ret <= 0) {
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	300 if (ret < 0)
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	301 ssl_proxy_destroy(proxy);
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	302 } else {
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	303 proxy->sslout_size += ret;
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	304 if (SSL_want(proxy->ssl) == SSL_NOTHING) {
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	305 i_assert(proxy->ssl_want_size == 0);
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	306 ssl_output(proxy);
4131 c12bb541f925 Reverted back for now. Timo Sirainen <tss@iki.fi> parents: 4127 diff changeset	307 }
4127 60583fb75d9e Rewrite. Hopefully works better. Timo Sirainen <tss@iki.fi> parents: 3960 diff changeset	308 }
60583fb75d9e Rewrite. Hopefully works better. Timo Sirainen <tss@iki.fi> parents: 3960 diff changeset	309 }
60583fb75d9e Rewrite. Hopefully works better. Timo Sirainen <tss@iki.fi> parents: 3960 diff changeset	310
4474 1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	311 static int plain_output(void *context)
4127 60583fb75d9e Rewrite. Hopefully works better. Timo Sirainen <tss@iki.fi> parents: 3960 diff changeset	312 {
4474 1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	313 struct ssl_proxy *proxy = context;
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	314 int ret;
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	315
4474 1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	316 if (proxy->ssl_want_size != 0)
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	317 return 0;
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	318
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	319 if ((ret = o_stream_flush(proxy->plain_output)) < 0) {
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	320 ssl_proxy_destroy(proxy);
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	321 return 1;
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	322 }
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	323
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	324 if (o_stream_get_buffer_used_size(proxy->plain_output) <
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	325 PLAIN_OUTPUT_OPTIMAL_SIZE &&
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	326 proxy->want == WANT_INPUT && proxy->io_ssl == NULL)
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	327 ssl_set_io(proxy, WANT_INPUT);
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	328
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	329 return ret;
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	330 }
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	331
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	332 static void ssl_handshake(struct ssl_proxy *proxy)
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	333 {
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	334 int ret, old_errno;
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	335
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	336 net_set_cork(proxy->fd_ssl, TRUE);
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	337 ret = SSL_accept(proxy->ssl);
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	338
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	339 old_errno = errno;
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	340 net_set_cork(proxy->fd_ssl, FALSE);
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	341 errno = old_errno;
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	342
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	343 if (ret != 1)
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	344 ssl_handle_error(proxy, ret, "SSL_accept()", ssl_handshake, 0);
4127 60583fb75d9e Rewrite. Hopefully works better. Timo Sirainen <tss@iki.fi> parents: 3960 diff changeset	345 else {
4474 1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	346 proxy->handshaked = TRUE;
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	347 proxy->step = ssl_input;
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	348 ssl_set_io(proxy, WANT_INPUT);
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	349
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	350 proxy->io_plain_input = io_add(proxy->fd_plain, IO_READ,
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	351 plain_input, proxy);
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	352 }
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	353 }
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	354
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	355 static void ssl_input(struct ssl_proxy *proxy)
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	356 {
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	357 unsigned char buf[PLAIN_OUTPUT_OPTIMAL_SIZE];
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	358 size_t size, used;
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	359 ssize_t ret, ret2;
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	360
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	361 used = o_stream_get_buffer_used_size(proxy->plain_output);
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	362 if (used >= PLAIN_OUTPUT_OPTIMAL_SIZE) {
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	363 io_remove(&proxy->io_ssl);
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	364 return;
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	365 }
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	366
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	367 size = sizeof(buf) - used;
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	368 if (proxy->ssl_want_size != 0) {
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	369 i_assert(proxy->ssl_want_size <= size);
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	370 size = proxy->ssl_want_size;
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	371 proxy->ssl_want_size = 0;
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	372 }
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	373
4506 025ffc5a3643 Use SSL_pending() to figure out if we should call SSL_read() again. Timo Sirainen <tss@iki.fi> parents: 4505 diff changeset	374 do {
4505 886d7af1f38d Don't constantly re-read ssl-parameters.dat. Make sure that in input handler Timo Sirainen <tss@iki.fi> parents: 4474 diff changeset	375 ret = SSL_read(proxy->ssl, buf, size);
886d7af1f38d Don't constantly re-read ssl-parameters.dat. Make sure that in input handler Timo Sirainen <tss@iki.fi> parents: 4474 diff changeset	376 if (ret <= 0) {
886d7af1f38d Don't constantly re-read ssl-parameters.dat. Make sure that in input handler Timo Sirainen <tss@iki.fi> parents: 4474 diff changeset	377 ssl_handle_error(proxy, ret, "SSL_read()",
886d7af1f38d Don't constantly re-read ssl-parameters.dat. Make sure that in input handler Timo Sirainen <tss@iki.fi> parents: 4474 diff changeset	378 ssl_input, size);
886d7af1f38d Don't constantly re-read ssl-parameters.dat. Make sure that in input handler Timo Sirainen <tss@iki.fi> parents: 4474 diff changeset	379 return;
886d7af1f38d Don't constantly re-read ssl-parameters.dat. Make sure that in input handler Timo Sirainen <tss@iki.fi> parents: 4474 diff changeset	380 }
886d7af1f38d Don't constantly re-read ssl-parameters.dat. Make sure that in input handler Timo Sirainen <tss@iki.fi> parents: 4474 diff changeset	381 o_stream_cork(proxy->plain_output);
886d7af1f38d Don't constantly re-read ssl-parameters.dat. Make sure that in input handler Timo Sirainen <tss@iki.fi> parents: 4474 diff changeset	382 ret2 = o_stream_send(proxy->plain_output, buf, ret);
886d7af1f38d Don't constantly re-read ssl-parameters.dat. Make sure that in input handler Timo Sirainen <tss@iki.fi> parents: 4474 diff changeset	383 i_assert(ret2 < 0 \|\| ret2 == ret);
886d7af1f38d Don't constantly re-read ssl-parameters.dat. Make sure that in input handler Timo Sirainen <tss@iki.fi> parents: 4474 diff changeset	384 o_stream_uncork(proxy->plain_output);
886d7af1f38d Don't constantly re-read ssl-parameters.dat. Make sure that in input handler Timo Sirainen <tss@iki.fi> parents: 4474 diff changeset	385
886d7af1f38d Don't constantly re-read ssl-parameters.dat. Make sure that in input handler Timo Sirainen <tss@iki.fi> parents: 4474 diff changeset	386 if (proxy->sslout_size > 0)
886d7af1f38d Don't constantly re-read ssl-parameters.dat. Make sure that in input handler Timo Sirainen <tss@iki.fi> parents: 4474 diff changeset	387 ssl_output(proxy);
4506 025ffc5a3643 Use SSL_pending() to figure out if we should call SSL_read() again. Timo Sirainen <tss@iki.fi> parents: 4505 diff changeset	388 } while (SSL_pending(proxy->ssl) > 0);
4474 1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	389 }
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	390
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	391 static void ssl_output(struct ssl_proxy *proxy)
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	392 {
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	393 unsigned int size;
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	394 int ret, old_errno;
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	395
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	396 if (proxy->ssl_want_size == 0)
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	397 size = proxy->sslout_size;
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	398 else {
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	399 i_assert(proxy->ssl_want_size <= proxy->sslout_size);
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	400 size = proxy->ssl_want_size;
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	401 proxy->ssl_want_size = 0;
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	402 }
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	403
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	404 net_set_cork(proxy->fd_ssl, TRUE);
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	405 ret = SSL_write(proxy->ssl, proxy->sslout_buf, size);
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	406
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	407 old_errno = errno;
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	408 net_set_cork(proxy->fd_ssl, FALSE);
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	409 errno = old_errno;
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	410
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	411 if (ret <= 0) {
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	412 ssl_handle_error(proxy, ret, "SSL_write()", ssl_output, size);
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	413 return;
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	414 }
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	415
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	416 proxy->sslout_size -= ret;
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	417 memmove(proxy->sslout_buf, proxy->sslout_buf + ret, proxy->sslout_size);
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	418
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	419 if (proxy->sslout_size > 0) {
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	420 ssl_set_io(proxy, WANT_OUTPUT);
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	421 proxy->step = ssl_output;
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	422 } else {
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	423 ssl_set_io(proxy, WANT_INPUT);
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	424 proxy->step = ssl_input;
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	425 }
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	426 if (proxy->io_plain_input == NULL) {
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	427 proxy->io_plain_input = io_add(proxy->fd_plain, IO_READ,
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	428 plain_input, proxy);
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	429 }
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	430 }
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	431
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	432 static void ssl_step(void *context)
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	433 {
1324 13d8f69d4f1a rewrite, maybe it works properly now. Timo Sirainen <tss@iki.fi> parents: 1268 diff changeset	434 struct ssl_proxy *proxy = context;
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	435
4474 1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	436 proxy->step(proxy);
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	437 }
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	438
2027 dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide Timo Sirainen <tss@iki.fi> parents: 2007 diff changeset	439 int ssl_proxy_new(int fd, struct ip_addr ip, struct ssl_proxy *proxy_r)
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	440 {
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	441 struct ssl_proxy *proxy;
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	442 SSL *ssl;
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	443 int sfd[2];
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	444
2027 dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide Timo Sirainen <tss@iki.fi> parents: 2007 diff changeset	445 *proxy_r = NULL;
dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide Timo Sirainen <tss@iki.fi> parents: 2007 diff changeset	446
2679 8f7b01c29bcb Show clear error messages if --ssl is tried to be used but it's not Timo Sirainen <tss@iki.fi> parents: 2629 diff changeset	447 if (!ssl_initialized) {
8f7b01c29bcb Show clear error messages if --ssl is tried to be used but it's not Timo Sirainen <tss@iki.fi> parents: 2629 diff changeset	448 i_error("SSL support not enabled in configuration");
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	449 return -1;
2679 8f7b01c29bcb Show clear error messages if --ssl is tried to be used but it's not Timo Sirainen <tss@iki.fi> parents: 2629 diff changeset	450 }
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	451
3888 650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	452 ssl_refresh_parameters(&ssl_params);
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	453
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	454 ssl = SSL_new(ssl_ctx);
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	455 if (ssl == NULL) {
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	456 i_error("SSL_new() failed: %s", ssl_last_error());
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	457 return -1;
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	458 }
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	459
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	460 if (SSL_set_fd(ssl, fd) != 1) {
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	461 i_error("SSL_set_fd() failed: %s", ssl_last_error());
1457 7dd0e88ed7ef cleanups Timo Sirainen <tss@iki.fi> parents: 1324 diff changeset	462 SSL_free(ssl);
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	463 return -1;
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	464 }
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	465
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	466 if (socketpair(AF_UNIX, SOCK_STREAM, 0, sfd) == -1) {
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	467 i_error("socketpair() failed: %m");
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	468 SSL_free(ssl);
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	469 return -1;
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	470 }
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	471
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	472 net_set_nonblock(sfd[0], TRUE);
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	473 net_set_nonblock(sfd[1], TRUE);
1268 0d9f0e617a1a net_* functions don't anymore set sockets to non-blocking by default. Timo Sirainen <tss@iki.fi> parents: 1235 diff changeset	474 net_set_nonblock(fd, TRUE);
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	475
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	476 proxy = i_new(struct ssl_proxy, 1);
2027 dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide Timo Sirainen <tss@iki.fi> parents: 2007 diff changeset	477 proxy->refcount = 2;
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	478 proxy->ssl = ssl;
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	479 proxy->fd_ssl = fd;
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	480 proxy->fd_plain = sfd[0];
1235 2660b47fd9bc Added setting verbose_ssl Timo Sirainen <tss@iki.fi> parents: 1234 diff changeset	481 proxy->ip = *ip;
4474 1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	482 proxy->plain_output =
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	483 o_stream_create_file(proxy->fd_plain, default_pool,
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	484 (size_t)-1, FALSE);
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	485 o_stream_set_flush_callback(proxy->plain_output, plain_output, proxy);
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	486
2027 dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide Timo Sirainen <tss@iki.fi> parents: 2007 diff changeset	487 SSL_set_ex_data(ssl, extdata_index, proxy);
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	488
1544 ac6ee442376d OpenSSL proxy changes - hopefully fixes something. Also don't crash with Timo Sirainen <tss@iki.fi> parents: 1492 diff changeset	489 hash_insert(ssl_proxies, proxy, proxy);
ac6ee442376d OpenSSL proxy changes - hopefully fixes something. Also don't crash with Timo Sirainen <tss@iki.fi> parents: 1492 diff changeset	490
4474 1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	491 proxy->step = ssl_handshake;
1324 13d8f69d4f1a rewrite, maybe it works properly now. Timo Sirainen <tss@iki.fi> parents: 1268 diff changeset	492 ssl_handshake(proxy);
4474 1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	493 main_ref();
2027 dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide Timo Sirainen <tss@iki.fi> parents: 2007 diff changeset	494
dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide Timo Sirainen <tss@iki.fi> parents: 2007 diff changeset	495 *proxy_r = proxy;
dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide Timo Sirainen <tss@iki.fi> parents: 2007 diff changeset	496 return sfd[1];
dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide Timo Sirainen <tss@iki.fi> parents: 2007 diff changeset	497 }
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	498
3863 55df57c028d4 Added "bool" type and changed all ints that were used as booleans to bool. Timo Sirainen <tss@iki.fi> parents: 3635 diff changeset	499 bool ssl_proxy_has_valid_client_cert(struct ssl_proxy *proxy)
2027 dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide Timo Sirainen <tss@iki.fi> parents: 2007 diff changeset	500 {
dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide Timo Sirainen <tss@iki.fi> parents: 2007 diff changeset	501 return proxy->cert_received && !proxy->cert_broken;
dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide Timo Sirainen <tss@iki.fi> parents: 2007 diff changeset	502 }
dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide Timo Sirainen <tss@iki.fi> parents: 2007 diff changeset	503
3635 c12df370e1b2 Added ssl_username_from_cert setting. Not actually tested yet.. Timo Sirainen <tss@iki.fi> parents: 3584 diff changeset	504 const char ssl_proxy_get_peer_name(struct ssl_proxy proxy)
c12df370e1b2 Added ssl_username_from_cert setting. Not actually tested yet.. Timo Sirainen <tss@iki.fi> parents: 3584 diff changeset	505 {
c12df370e1b2 Added ssl_username_from_cert setting. Not actually tested yet.. Timo Sirainen <tss@iki.fi> parents: 3584 diff changeset	506 X509 *x509;
c12df370e1b2 Added ssl_username_from_cert setting. Not actually tested yet.. Timo Sirainen <tss@iki.fi> parents: 3584 diff changeset	507 char buf[1024];
c12df370e1b2 Added ssl_username_from_cert setting. Not actually tested yet.. Timo Sirainen <tss@iki.fi> parents: 3584 diff changeset	508 const char *name;
c12df370e1b2 Added ssl_username_from_cert setting. Not actually tested yet.. Timo Sirainen <tss@iki.fi> parents: 3584 diff changeset	509
c12df370e1b2 Added ssl_username_from_cert setting. Not actually tested yet.. Timo Sirainen <tss@iki.fi> parents: 3584 diff changeset	510 if (!ssl_proxy_has_valid_client_cert(proxy))
c12df370e1b2 Added ssl_username_from_cert setting. Not actually tested yet.. Timo Sirainen <tss@iki.fi> parents: 3584 diff changeset	511 return NULL;
c12df370e1b2 Added ssl_username_from_cert setting. Not actually tested yet.. Timo Sirainen <tss@iki.fi> parents: 3584 diff changeset	512
c12df370e1b2 Added ssl_username_from_cert setting. Not actually tested yet.. Timo Sirainen <tss@iki.fi> parents: 3584 diff changeset	513 x509 = SSL_get_peer_certificate(proxy->ssl);
c12df370e1b2 Added ssl_username_from_cert setting. Not actually tested yet.. Timo Sirainen <tss@iki.fi> parents: 3584 diff changeset	514 if (x509 == NULL)
c12df370e1b2 Added ssl_username_from_cert setting. Not actually tested yet.. Timo Sirainen <tss@iki.fi> parents: 3584 diff changeset	515 return NULL; /* we should have had it.. */
c12df370e1b2 Added ssl_username_from_cert setting. Not actually tested yet.. Timo Sirainen <tss@iki.fi> parents: 3584 diff changeset	516
4352 d57c83c64b20 Updates to ssl_verify_client_cert: Check CRLs. If auth_verbose=yes, log Timo Sirainen <tss@iki.fi> parents: 4131 diff changeset	517 if (X509_NAME_get_text_by_NID(X509_get_subject_name(x509),
d57c83c64b20 Updates to ssl_verify_client_cert: Check CRLs. If auth_verbose=yes, log Timo Sirainen <tss@iki.fi> parents: 4131 diff changeset	518 NID_commonName, buf, sizeof(buf)) < 0)
d57c83c64b20 Updates to ssl_verify_client_cert: Check CRLs. If auth_verbose=yes, log Timo Sirainen <tss@iki.fi> parents: 4131 diff changeset	519 name = "";
d57c83c64b20 Updates to ssl_verify_client_cert: Check CRLs. If auth_verbose=yes, log Timo Sirainen <tss@iki.fi> parents: 4131 diff changeset	520 else
d57c83c64b20 Updates to ssl_verify_client_cert: Check CRLs. If auth_verbose=yes, log Timo Sirainen <tss@iki.fi> parents: 4131 diff changeset	521 name = t_strndup(buf, sizeof(buf));
3635 c12df370e1b2 Added ssl_username_from_cert setting. Not actually tested yet.. Timo Sirainen <tss@iki.fi> parents: 3584 diff changeset	522 X509_free(x509);
4352 d57c83c64b20 Updates to ssl_verify_client_cert: Check CRLs. If auth_verbose=yes, log Timo Sirainen <tss@iki.fi> parents: 4131 diff changeset	523
3635 c12df370e1b2 Added ssl_username_from_cert setting. Not actually tested yet.. Timo Sirainen <tss@iki.fi> parents: 3584 diff changeset	524 return *name == '\0' ? NULL : name;
c12df370e1b2 Added ssl_username_from_cert setting. Not actually tested yet.. Timo Sirainen <tss@iki.fi> parents: 3584 diff changeset	525 }
c12df370e1b2 Added ssl_username_from_cert setting. Not actually tested yet.. Timo Sirainen <tss@iki.fi> parents: 3584 diff changeset	526
2027 dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide Timo Sirainen <tss@iki.fi> parents: 2007 diff changeset	527 void ssl_proxy_free(struct ssl_proxy *proxy)
dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide Timo Sirainen <tss@iki.fi> parents: 2007 diff changeset	528 {
dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide Timo Sirainen <tss@iki.fi> parents: 2007 diff changeset	529 ssl_proxy_unref(proxy);
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	530 }
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	531
3863 55df57c028d4 Added "bool" type and changed all ints that were used as booleans to bool. Timo Sirainen <tss@iki.fi> parents: 3635 diff changeset	532 static void ssl_proxy_unref(struct ssl_proxy *proxy)
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	533 {
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	534 if (--proxy->refcount > 0)
3863 55df57c028d4 Added "bool" type and changed all ints that were used as booleans to bool. Timo Sirainen <tss@iki.fi> parents: 3635 diff changeset	535 return;
1490 63242ba50ea4 fixes Timo Sirainen <tss@iki.fi> parents: 1485 diff changeset	536 i_assert(proxy->refcount == 0);
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	537
2302 8438064ddf08 Refcounting fixes. Unexpectedly destroyed SSL connection could have left Timo Sirainen <tss@iki.fi> parents: 2027 diff changeset	538 SSL_free(proxy->ssl);
8438064ddf08 Refcounting fixes. Unexpectedly destroyed SSL connection could have left Timo Sirainen <tss@iki.fi> parents: 2027 diff changeset	539 i_free(proxy);
8438064ddf08 Refcounting fixes. Unexpectedly destroyed SSL connection could have left Timo Sirainen <tss@iki.fi> parents: 2027 diff changeset	540
8438064ddf08 Refcounting fixes. Unexpectedly destroyed SSL connection could have left Timo Sirainen <tss@iki.fi> parents: 2027 diff changeset	541 main_unref();
8438064ddf08 Refcounting fixes. Unexpectedly destroyed SSL connection could have left Timo Sirainen <tss@iki.fi> parents: 2027 diff changeset	542 }
8438064ddf08 Refcounting fixes. Unexpectedly destroyed SSL connection could have left Timo Sirainen <tss@iki.fi> parents: 2027 diff changeset	543
8438064ddf08 Refcounting fixes. Unexpectedly destroyed SSL connection could have left Timo Sirainen <tss@iki.fi> parents: 2027 diff changeset	544 static void ssl_proxy_destroy(struct ssl_proxy *proxy)
8438064ddf08 Refcounting fixes. Unexpectedly destroyed SSL connection could have left Timo Sirainen <tss@iki.fi> parents: 2027 diff changeset	545 {
8438064ddf08 Refcounting fixes. Unexpectedly destroyed SSL connection could have left Timo Sirainen <tss@iki.fi> parents: 2027 diff changeset	546 if (proxy->destroyed)
8438064ddf08 Refcounting fixes. Unexpectedly destroyed SSL connection could have left Timo Sirainen <tss@iki.fi> parents: 2027 diff changeset	547 return;
8438064ddf08 Refcounting fixes. Unexpectedly destroyed SSL connection could have left Timo Sirainen <tss@iki.fi> parents: 2027 diff changeset	548 proxy->destroyed = TRUE;
8438064ddf08 Refcounting fixes. Unexpectedly destroyed SSL connection could have left Timo Sirainen <tss@iki.fi> parents: 2027 diff changeset	549
1230 e6d2b8c78519 Keep list of the SSL proxies, so they're deinitialized properly if we have Timo Sirainen <tss@iki.fi> parents: 1215 diff changeset	550 hash_remove(ssl_proxies, proxy);
e6d2b8c78519 Keep list of the SSL proxies, so they're deinitialized properly if we have Timo Sirainen <tss@iki.fi> parents: 1215 diff changeset	551
4474 1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	552 if (proxy->io_ssl != NULL)
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	553 io_remove(&proxy->io_ssl);
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	554 if (proxy->io_plain_input != NULL)
1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	555 io_remove(&proxy->io_plain_input);
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	556
4474 1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	557 o_stream_unref(&proxy->plain_output);
3960 aeb424e64f24 Call io_remove() before closing the fd. It's required by kqueue. Timo Sirainen <tss@iki.fi> parents: 3889 diff changeset	558 (void)net_disconnect(proxy->fd_ssl);
aeb424e64f24 Call io_remove() before closing the fd. It's required by kqueue. Timo Sirainen <tss@iki.fi> parents: 3889 diff changeset	559 (void)net_disconnect(proxy->fd_plain);
aeb424e64f24 Call io_remove() before closing the fd. It's required by kqueue. Timo Sirainen <tss@iki.fi> parents: 3889 diff changeset	560
2302 8438064ddf08 Refcounting fixes. Unexpectedly destroyed SSL connection could have left Timo Sirainen <tss@iki.fi> parents: 2027 diff changeset	561 ssl_proxy_unref(proxy);
1458 98362534b2c7 Unexpected SSL connection errors sometimes crashed Timo Sirainen <tss@iki.fi> parents: 1457 diff changeset	562 }
98362534b2c7 Unexpected SSL connection errors sometimes crashed Timo Sirainen <tss@iki.fi> parents: 1457 diff changeset	563
1492 383d87166963 Generate temporary RSA key when requested. Could be slow, should do some Timo Sirainen <tss@iki.fi> parents: 1490 diff changeset	564 static RSA ssl_gen_rsa_key(SSL ssl __attr_unused__,
383d87166963 Generate temporary RSA key when requested. Could be slow, should do some Timo Sirainen <tss@iki.fi> parents: 1490 diff changeset	565 int is_export __attr_unused__, int keylength)
383d87166963 Generate temporary RSA key when requested. Could be slow, should do some Timo Sirainen <tss@iki.fi> parents: 1490 diff changeset	566 {
383d87166963 Generate temporary RSA key when requested. Could be slow, should do some Timo Sirainen <tss@iki.fi> parents: 1490 diff changeset	567 return RSA_generate_key(keylength, RSA_F4, NULL, NULL);
383d87166963 Generate temporary RSA key when requested. Could be slow, should do some Timo Sirainen <tss@iki.fi> parents: 1490 diff changeset	568 }
383d87166963 Generate temporary RSA key when requested. Could be slow, should do some Timo Sirainen <tss@iki.fi> parents: 1490 diff changeset	569
3888 650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	570 static DH ssl_tmp_dh_callback(SSL ssl __attr_unused__,
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	571 int is_export, int keylength)
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	572 {
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	573 /* Well, I'm not exactly sure why the logic in here is this.
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	574 It's the same as in Postfix, so it can't be too wrong. */
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	575 if (is_export && keylength == 512 && ssl_params.dh_512 != NULL)
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	576 return ssl_params.dh_512;
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	577
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	578 return ssl_params.dh_1024;
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	579 }
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	580
4471 a939ee143a96 If verbose_ssl=yes set ssl_info_callback and print any alerts and BIO Timo Sirainen <tss@iki.fi> parents: 4352 diff changeset	581 static void ssl_info_callback(const SSL *ssl, int where, int ret)
a939ee143a96 If verbose_ssl=yes set ssl_info_callback and print any alerts and BIO Timo Sirainen <tss@iki.fi> parents: 4352 diff changeset	582 {
a939ee143a96 If verbose_ssl=yes set ssl_info_callback and print any alerts and BIO Timo Sirainen <tss@iki.fi> parents: 4352 diff changeset	583 struct ssl_proxy *proxy;
a939ee143a96 If verbose_ssl=yes set ssl_info_callback and print any alerts and BIO Timo Sirainen <tss@iki.fi> parents: 4352 diff changeset	584
a939ee143a96 If verbose_ssl=yes set ssl_info_callback and print any alerts and BIO Timo Sirainen <tss@iki.fi> parents: 4352 diff changeset	585 proxy = SSL_get_ex_data(ssl, extdata_index);
a939ee143a96 If verbose_ssl=yes set ssl_info_callback and print any alerts and BIO Timo Sirainen <tss@iki.fi> parents: 4352 diff changeset	586
a939ee143a96 If verbose_ssl=yes set ssl_info_callback and print any alerts and BIO Timo Sirainen <tss@iki.fi> parents: 4352 diff changeset	587 if ((where & SSL_CB_ALERT) != 0) {
a939ee143a96 If verbose_ssl=yes set ssl_info_callback and print any alerts and BIO Timo Sirainen <tss@iki.fi> parents: 4352 diff changeset	588 i_warning("SSL alert: where=0x%x, ret=%d: %s %s [%s]",
a939ee143a96 If verbose_ssl=yes set ssl_info_callback and print any alerts and BIO Timo Sirainen <tss@iki.fi> parents: 4352 diff changeset	589 where, ret, SSL_alert_type_string_long(ret),
a939ee143a96 If verbose_ssl=yes set ssl_info_callback and print any alerts and BIO Timo Sirainen <tss@iki.fi> parents: 4352 diff changeset	590 SSL_alert_desc_string_long(ret),
a939ee143a96 If verbose_ssl=yes set ssl_info_callback and print any alerts and BIO Timo Sirainen <tss@iki.fi> parents: 4352 diff changeset	591 net_ip2addr(&proxy->ip));
a939ee143a96 If verbose_ssl=yes set ssl_info_callback and print any alerts and BIO Timo Sirainen <tss@iki.fi> parents: 4352 diff changeset	592 } else {
a939ee143a96 If verbose_ssl=yes set ssl_info_callback and print any alerts and BIO Timo Sirainen <tss@iki.fi> parents: 4352 diff changeset	593 i_warning("SSL BIO failed: where=0x%x, ret=%d: %s [%s]",
a939ee143a96 If verbose_ssl=yes set ssl_info_callback and print any alerts and BIO Timo Sirainen <tss@iki.fi> parents: 4352 diff changeset	594 where, ret, SSL_state_string_long(ssl),
a939ee143a96 If verbose_ssl=yes set ssl_info_callback and print any alerts and BIO Timo Sirainen <tss@iki.fi> parents: 4352 diff changeset	595 net_ip2addr(&proxy->ip));
a939ee143a96 If verbose_ssl=yes set ssl_info_callback and print any alerts and BIO Timo Sirainen <tss@iki.fi> parents: 4352 diff changeset	596 }
a939ee143a96 If verbose_ssl=yes set ssl_info_callback and print any alerts and BIO Timo Sirainen <tss@iki.fi> parents: 4352 diff changeset	597 }
a939ee143a96 If verbose_ssl=yes set ssl_info_callback and print any alerts and BIO Timo Sirainen <tss@iki.fi> parents: 4352 diff changeset	598
2027 dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide Timo Sirainen <tss@iki.fi> parents: 2007 diff changeset	599 static int ssl_verify_client_cert(int preverify_ok, X509_STORE_CTX *ctx)
dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide Timo Sirainen <tss@iki.fi> parents: 2007 diff changeset	600 {
dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide Timo Sirainen <tss@iki.fi> parents: 2007 diff changeset	601 SSL *ssl;
dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide Timo Sirainen <tss@iki.fi> parents: 2007 diff changeset	602 struct ssl_proxy *proxy;
dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide Timo Sirainen <tss@iki.fi> parents: 2007 diff changeset	603
dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide Timo Sirainen <tss@iki.fi> parents: 2007 diff changeset	604 ssl = X509_STORE_CTX_get_ex_data(ctx,
dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide Timo Sirainen <tss@iki.fi> parents: 2007 diff changeset	605 SSL_get_ex_data_X509_STORE_CTX_idx());
dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide Timo Sirainen <tss@iki.fi> parents: 2007 diff changeset	606 proxy = SSL_get_ex_data(ssl, extdata_index);
4352 d57c83c64b20 Updates to ssl_verify_client_cert: Check CRLs. If auth_verbose=yes, log Timo Sirainen <tss@iki.fi> parents: 4131 diff changeset	607 proxy->cert_received = TRUE;
2027 dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide Timo Sirainen <tss@iki.fi> parents: 2007 diff changeset	608
4352 d57c83c64b20 Updates to ssl_verify_client_cert: Check CRLs. If auth_verbose=yes, log Timo Sirainen <tss@iki.fi> parents: 4131 diff changeset	609 if (verbose_ssl \|\| (verbose_auth && !preverify_ok)) {
d57c83c64b20 Updates to ssl_verify_client_cert: Check CRLs. If auth_verbose=yes, log Timo Sirainen <tss@iki.fi> parents: 4131 diff changeset	610 char buf[1024];
d57c83c64b20 Updates to ssl_verify_client_cert: Check CRLs. If auth_verbose=yes, log Timo Sirainen <tss@iki.fi> parents: 4131 diff changeset	611 X509_NAME *subject;
d57c83c64b20 Updates to ssl_verify_client_cert: Check CRLs. If auth_verbose=yes, log Timo Sirainen <tss@iki.fi> parents: 4131 diff changeset	612
d57c83c64b20 Updates to ssl_verify_client_cert: Check CRLs. If auth_verbose=yes, log Timo Sirainen <tss@iki.fi> parents: 4131 diff changeset	613 subject = X509_get_subject_name(ctx->current_cert);
d57c83c64b20 Updates to ssl_verify_client_cert: Check CRLs. If auth_verbose=yes, log Timo Sirainen <tss@iki.fi> parents: 4131 diff changeset	614 (void)X509_NAME_oneline(subject, buf, sizeof(buf));
d57c83c64b20 Updates to ssl_verify_client_cert: Check CRLs. If auth_verbose=yes, log Timo Sirainen <tss@iki.fi> parents: 4131 diff changeset	615 buf[sizeof(buf)-1] = '\0'; /* just in case.. */
d57c83c64b20 Updates to ssl_verify_client_cert: Check CRLs. If auth_verbose=yes, log Timo Sirainen <tss@iki.fi> parents: 4131 diff changeset	616 if (!preverify_ok)
d57c83c64b20 Updates to ssl_verify_client_cert: Check CRLs. If auth_verbose=yes, log Timo Sirainen <tss@iki.fi> parents: 4131 diff changeset	617 i_info("Invalid certificate: %s", buf);
d57c83c64b20 Updates to ssl_verify_client_cert: Check CRLs. If auth_verbose=yes, log Timo Sirainen <tss@iki.fi> parents: 4131 diff changeset	618 else
d57c83c64b20 Updates to ssl_verify_client_cert: Check CRLs. If auth_verbose=yes, log Timo Sirainen <tss@iki.fi> parents: 4131 diff changeset	619 i_info("Valid certificate: %s", buf);
d57c83c64b20 Updates to ssl_verify_client_cert: Check CRLs. If auth_verbose=yes, log Timo Sirainen <tss@iki.fi> parents: 4131 diff changeset	620 }
2027 dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide Timo Sirainen <tss@iki.fi> parents: 2007 diff changeset	621 if (!preverify_ok)
dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide Timo Sirainen <tss@iki.fi> parents: 2007 diff changeset	622 proxy->cert_broken = TRUE;
dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide Timo Sirainen <tss@iki.fi> parents: 2007 diff changeset	623
4352 d57c83c64b20 Updates to ssl_verify_client_cert: Check CRLs. If auth_verbose=yes, log Timo Sirainen <tss@iki.fi> parents: 4131 diff changeset	624 /* Return success anyway, because if ssl_require_client_cert=no we
d57c83c64b20 Updates to ssl_verify_client_cert: Check CRLs. If auth_verbose=yes, log Timo Sirainen <tss@iki.fi> parents: 4131 diff changeset	625 could still allow authentication. */
2027 dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide Timo Sirainen <tss@iki.fi> parents: 2007 diff changeset	626 return 1;
dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide Timo Sirainen <tss@iki.fi> parents: 2007 diff changeset	627 }
dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide Timo Sirainen <tss@iki.fi> parents: 2007 diff changeset	628
3889 c7462001227b Added support for password protected SSL private keys. The password can be Timo Sirainen <tss@iki.fi> parents: 3888 diff changeset	629 static int
c7462001227b Added support for password protected SSL private keys. The password can be Timo Sirainen <tss@iki.fi> parents: 3888 diff changeset	630 pem_password_callback(char *buf, int size, int rwflag __attr_unused__,
c7462001227b Added support for password protected SSL private keys. The password can be Timo Sirainen <tss@iki.fi> parents: 3888 diff changeset	631 void *userdata)
c7462001227b Added support for password protected SSL private keys. The password can be Timo Sirainen <tss@iki.fi> parents: 3888 diff changeset	632 {
c7462001227b Added support for password protected SSL private keys. The password can be Timo Sirainen <tss@iki.fi> parents: 3888 diff changeset	633 if (userdata == NULL) {
c7462001227b Added support for password protected SSL private keys. The password can be Timo Sirainen <tss@iki.fi> parents: 3888 diff changeset	634 i_error("SSL private key file is password protected, "
c7462001227b Added support for password protected SSL private keys. The password can be Timo Sirainen <tss@iki.fi> parents: 3888 diff changeset	635 "but password isn't given");
c7462001227b Added support for password protected SSL private keys. The password can be Timo Sirainen <tss@iki.fi> parents: 3888 diff changeset	636 return 0;
c7462001227b Added support for password protected SSL private keys. The password can be Timo Sirainen <tss@iki.fi> parents: 3888 diff changeset	637 }
c7462001227b Added support for password protected SSL private keys. The password can be Timo Sirainen <tss@iki.fi> parents: 3888 diff changeset	638
c7462001227b Added support for password protected SSL private keys. The password can be Timo Sirainen <tss@iki.fi> parents: 3888 diff changeset	639 if (strocpy(buf, userdata, size) < 0)
c7462001227b Added support for password protected SSL private keys. The password can be Timo Sirainen <tss@iki.fi> parents: 3888 diff changeset	640 return 0;
c7462001227b Added support for password protected SSL private keys. The password can be Timo Sirainen <tss@iki.fi> parents: 3888 diff changeset	641 return strlen(buf);
c7462001227b Added support for password protected SSL private keys. The password can be Timo Sirainen <tss@iki.fi> parents: 3888 diff changeset	642 }
c7462001227b Added support for password protected SSL private keys. The password can be Timo Sirainen <tss@iki.fi> parents: 3888 diff changeset	643
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	644 void ssl_proxy_init(void)
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	645 {
3888 650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	646 const char cafile, certfile, keyfile, cipher_list;
3889 c7462001227b Added support for password protected SSL private keys. The password can be Timo Sirainen <tss@iki.fi> parents: 3888 diff changeset	647 char *password;
2629 6ba9dcff11b9 Compiler warning fixes and cleanups Timo Sirainen <tss@iki.fi> parents: 2335 diff changeset	648 unsigned char buf;
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	649
3888 650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	650 memset(&ssl_params, 0, sizeof(ssl_params));
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	651
1907 190f1d315ce6 Added setting ssl_ca_file, patch by Zach Bagnall Timo Sirainen <tss@iki.fi> parents: 1897 diff changeset	652 cafile = getenv("SSL_CA_FILE");
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	653 certfile = getenv("SSL_CERT_FILE");
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	654 keyfile = getenv("SSL_KEY_FILE");
3888 650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	655 ssl_params.fname = getenv("SSL_PARAM_FILE");
3889 c7462001227b Added support for password protected SSL private keys. The password can be Timo Sirainen <tss@iki.fi> parents: 3888 diff changeset	656 password = getenv("SSL_KEY_PASSWORD");
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	657
3888 650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	658 if (certfile == NULL \|\| keyfile == NULL \|\| ssl_params.fname == NULL) {
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	659 /* SSL support is disabled */
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	660 return;
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	661 }
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	662
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	663 SSL_library_init();
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	664 SSL_load_error_strings();
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	665
2027 dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide Timo Sirainen <tss@iki.fi> parents: 2007 diff changeset	666 extdata_index = SSL_get_ex_new_index(0, "dovecot", NULL, NULL, NULL);
dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide Timo Sirainen <tss@iki.fi> parents: 2007 diff changeset	667
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	668 if ((ssl_ctx = SSL_CTX_new(SSLv23_server_method())) == NULL)
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	669 i_fatal("SSL_CTX_new() failed");
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	670
1544 ac6ee442376d OpenSSL proxy changes - hopefully fixes something. Also don't crash with Timo Sirainen <tss@iki.fi> parents: 1492 diff changeset	671 SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL);
ac6ee442376d OpenSSL proxy changes - hopefully fixes something. Also don't crash with Timo Sirainen <tss@iki.fi> parents: 1492 diff changeset	672
1996 d8f06a0c818e Added ssl_cipher_list setting. Timo Sirainen <tss@iki.fi> parents: 1907 diff changeset	673 cipher_list = getenv("SSL_CIPHER_LIST");
d8f06a0c818e Added ssl_cipher_list setting. Timo Sirainen <tss@iki.fi> parents: 1907 diff changeset	674 if (cipher_list == NULL)
d8f06a0c818e Added ssl_cipher_list setting. Timo Sirainen <tss@iki.fi> parents: 1907 diff changeset	675 cipher_list = DOVECOT_SSL_DEFAULT_CIPHER_LIST;
d8f06a0c818e Added ssl_cipher_list setting. Timo Sirainen <tss@iki.fi> parents: 1907 diff changeset	676 if (SSL_CTX_set_cipher_list(ssl_ctx, cipher_list) != 1) {
1544 ac6ee442376d OpenSSL proxy changes - hopefully fixes something. Also don't crash with Timo Sirainen <tss@iki.fi> parents: 1492 diff changeset	677 i_fatal("Can't set cipher list to '%s': %s",
1996 d8f06a0c818e Added ssl_cipher_list setting. Timo Sirainen <tss@iki.fi> parents: 1907 diff changeset	678 cipher_list, ssl_last_error());
1544 ac6ee442376d OpenSSL proxy changes - hopefully fixes something. Also don't crash with Timo Sirainen <tss@iki.fi> parents: 1492 diff changeset	679 }
ac6ee442376d OpenSSL proxy changes - hopefully fixes something. Also don't crash with Timo Sirainen <tss@iki.fi> parents: 1492 diff changeset	680
1907 190f1d315ce6 Added setting ssl_ca_file, patch by Zach Bagnall Timo Sirainen <tss@iki.fi> parents: 1897 diff changeset	681 if (cafile != NULL) {
190f1d315ce6 Added setting ssl_ca_file, patch by Zach Bagnall Timo Sirainen <tss@iki.fi> parents: 1897 diff changeset	682 if (SSL_CTX_load_verify_locations(ssl_ctx, cafile, NULL) != 1) {
190f1d315ce6 Added setting ssl_ca_file, patch by Zach Bagnall Timo Sirainen <tss@iki.fi> parents: 1897 diff changeset	683 i_fatal("Can't load CA file %s: %s",
190f1d315ce6 Added setting ssl_ca_file, patch by Zach Bagnall Timo Sirainen <tss@iki.fi> parents: 1897 diff changeset	684 cafile, ssl_last_error());
190f1d315ce6 Added setting ssl_ca_file, patch by Zach Bagnall Timo Sirainen <tss@iki.fi> parents: 1897 diff changeset	685 }
190f1d315ce6 Added setting ssl_ca_file, patch by Zach Bagnall Timo Sirainen <tss@iki.fi> parents: 1897 diff changeset	686 }
190f1d315ce6 Added setting ssl_ca_file, patch by Zach Bagnall Timo Sirainen <tss@iki.fi> parents: 1897 diff changeset	687
1544 ac6ee442376d OpenSSL proxy changes - hopefully fixes something. Also don't crash with Timo Sirainen <tss@iki.fi> parents: 1492 diff changeset	688 if (SSL_CTX_use_certificate_chain_file(ssl_ctx, certfile) != 1) {
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	689 i_fatal("Can't load certificate file %s: %s",
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	690 certfile, ssl_last_error());
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	691 }
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	692
3889 c7462001227b Added support for password protected SSL private keys. The password can be Timo Sirainen <tss@iki.fi> parents: 3888 diff changeset	693 SSL_CTX_set_default_passwd_cb(ssl_ctx, pem_password_callback);
c7462001227b Added support for password protected SSL private keys. The password can be Timo Sirainen <tss@iki.fi> parents: 3888 diff changeset	694 SSL_CTX_set_default_passwd_cb_userdata(ssl_ctx, password);
3584 b686c8bbcd6f Don't require private key to be RSA Timo Sirainen <tss@iki.fi> parents: 3580 diff changeset	695 if (SSL_CTX_use_PrivateKey_file(ssl_ctx, keyfile,
b686c8bbcd6f Don't require private key to be RSA Timo Sirainen <tss@iki.fi> parents: 3580 diff changeset	696 SSL_FILETYPE_PEM) != 1) {
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	697 i_fatal("Can't load private key file %s: %s",
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	698 keyfile, ssl_last_error());
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	699 }
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	700
1492 383d87166963 Generate temporary RSA key when requested. Could be slow, should do some Timo Sirainen <tss@iki.fi> parents: 1490 diff changeset	701 if (SSL_CTX_need_tmp_RSA(ssl_ctx))
383d87166963 Generate temporary RSA key when requested. Could be slow, should do some Timo Sirainen <tss@iki.fi> parents: 1490 diff changeset	702 SSL_CTX_set_tmp_rsa_callback(ssl_ctx, ssl_gen_rsa_key);
3888 650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	703 SSL_CTX_set_tmp_dh_callback(ssl_ctx, ssl_tmp_dh_callback);
1492 383d87166963 Generate temporary RSA key when requested. Could be slow, should do some Timo Sirainen <tss@iki.fi> parents: 1490 diff changeset	704
4471 a939ee143a96 If verbose_ssl=yes set ssl_info_callback and print any alerts and BIO Timo Sirainen <tss@iki.fi> parents: 4352 diff changeset	705 if (verbose_ssl)
a939ee143a96 If verbose_ssl=yes set ssl_info_callback and print any alerts and BIO Timo Sirainen <tss@iki.fi> parents: 4352 diff changeset	706 SSL_CTX_set_info_callback(ssl_ctx, ssl_info_callback);
a939ee143a96 If verbose_ssl=yes set ssl_info_callback and print any alerts and BIO Timo Sirainen <tss@iki.fi> parents: 4352 diff changeset	707
1997 1d0985f6bdd9 Added ssl_verify_client_cert setting. Timo Sirainen <tss@iki.fi> parents: 1996 diff changeset	708 if (getenv("SSL_VERIFY_CLIENT_CERT") != NULL) {
4352 d57c83c64b20 Updates to ssl_verify_client_cert: Check CRLs. If auth_verbose=yes, log Timo Sirainen <tss@iki.fi> parents: 4131 diff changeset	709 #if OPENSSL_VERSION_NUMBER >= 0x00907000L
d57c83c64b20 Updates to ssl_verify_client_cert: Check CRLs. If auth_verbose=yes, log Timo Sirainen <tss@iki.fi> parents: 4131 diff changeset	710 X509_STORE *store;
d57c83c64b20 Updates to ssl_verify_client_cert: Check CRLs. If auth_verbose=yes, log Timo Sirainen <tss@iki.fi> parents: 4131 diff changeset	711
d57c83c64b20 Updates to ssl_verify_client_cert: Check CRLs. If auth_verbose=yes, log Timo Sirainen <tss@iki.fi> parents: 4131 diff changeset	712 store = SSL_CTX_get_cert_store(ssl_ctx);
d57c83c64b20 Updates to ssl_verify_client_cert: Check CRLs. If auth_verbose=yes, log Timo Sirainen <tss@iki.fi> parents: 4131 diff changeset	713 X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK \|
d57c83c64b20 Updates to ssl_verify_client_cert: Check CRLs. If auth_verbose=yes, log Timo Sirainen <tss@iki.fi> parents: 4131 diff changeset	714 X509_V_FLAG_CRL_CHECK_ALL);
d57c83c64b20 Updates to ssl_verify_client_cert: Check CRLs. If auth_verbose=yes, log Timo Sirainen <tss@iki.fi> parents: 4131 diff changeset	715 #endif
1997 1d0985f6bdd9 Added ssl_verify_client_cert setting. Timo Sirainen <tss@iki.fi> parents: 1996 diff changeset	716 SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER \|
2027 dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide Timo Sirainen <tss@iki.fi> parents: 2007 diff changeset	717 SSL_VERIFY_CLIENT_ONCE,
dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide Timo Sirainen <tss@iki.fi> parents: 2007 diff changeset	718 ssl_verify_client_cert);
1997 1d0985f6bdd9 Added ssl_verify_client_cert setting. Timo Sirainen <tss@iki.fi> parents: 1996 diff changeset	719 }
1d0985f6bdd9 Added ssl_verify_client_cert setting. Timo Sirainen <tss@iki.fi> parents: 1996 diff changeset	720
1556 545f6b150e2c Make sure PRNG gets initialized before chrooting so it can open /dev/urandom. Timo Sirainen <tss@iki.fi> parents: 1544 diff changeset	721 /* PRNG initialization might want to use /dev/urandom, make sure it
2007 3dd9d3165bff Don't require initializing RAND_bytes() to return cryptographically strong Timo Sirainen <tss@iki.fi> parents: 1997 diff changeset	722 does it before chrooting. We might not have enough entropy at
3dd9d3165bff Don't require initializing RAND_bytes() to return cryptographically strong Timo Sirainen <tss@iki.fi> parents: 1997 diff changeset	723 the first try, so this function may fail. It's still been
3dd9d3165bff Don't require initializing RAND_bytes() to return cryptographically strong Timo Sirainen <tss@iki.fi> parents: 1997 diff changeset	724 initialized though. */
3dd9d3165bff Don't require initializing RAND_bytes() to return cryptographically strong Timo Sirainen <tss@iki.fi> parents: 1997 diff changeset	725 (void)RAND_bytes(&buf, 1);
1556 545f6b150e2c Make sure PRNG gets initialized before chrooting so it can open /dev/urandom. Timo Sirainen <tss@iki.fi> parents: 1544 diff changeset	726
1230 e6d2b8c78519 Keep list of the SSL proxies, so they're deinitialized properly if we have Timo Sirainen <tss@iki.fi> parents: 1215 diff changeset	727 ssl_proxies = hash_create(default_pool, default_pool, 0, NULL, NULL);
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	728 ssl_initialized = TRUE;
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	729 }
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	730
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	731 void ssl_proxy_deinit(void)
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	732 {
1897 1e6ed8045f2b Changed hash_foreach() to iterator. Timo Sirainen <tss@iki.fi> parents: 1556 diff changeset	733 struct hash_iterate_context *iter;
1e6ed8045f2b Changed hash_foreach() to iterator. Timo Sirainen <tss@iki.fi> parents: 1556 diff changeset	734 void key, value;
1e6ed8045f2b Changed hash_foreach() to iterator. Timo Sirainen <tss@iki.fi> parents: 1556 diff changeset	735
1230 e6d2b8c78519 Keep list of the SSL proxies, so they're deinitialized properly if we have Timo Sirainen <tss@iki.fi> parents: 1215 diff changeset	736 if (!ssl_initialized)
e6d2b8c78519 Keep list of the SSL proxies, so they're deinitialized properly if we have Timo Sirainen <tss@iki.fi> parents: 1215 diff changeset	737 return;
e6d2b8c78519 Keep list of the SSL proxies, so they're deinitialized properly if we have Timo Sirainen <tss@iki.fi> parents: 1215 diff changeset	738
1897 1e6ed8045f2b Changed hash_foreach() to iterator. Timo Sirainen <tss@iki.fi> parents: 1556 diff changeset	739 iter = hash_iterate_init(ssl_proxies);
1e6ed8045f2b Changed hash_foreach() to iterator. Timo Sirainen <tss@iki.fi> parents: 1556 diff changeset	740 while (hash_iterate(iter, &key, &value))
1e6ed8045f2b Changed hash_foreach() to iterator. Timo Sirainen <tss@iki.fi> parents: 1556 diff changeset	741 ssl_proxy_destroy(value);
1e6ed8045f2b Changed hash_foreach() to iterator. Timo Sirainen <tss@iki.fi> parents: 1556 diff changeset	742 hash_iterate_deinit(iter);
1230 e6d2b8c78519 Keep list of the SSL proxies, so they're deinitialized properly if we have Timo Sirainen <tss@iki.fi> parents: 1215 diff changeset	743 hash_destroy(ssl_proxies);
1232 f7da7d46e3f2 destroy proxies before destroying ssl context Timo Sirainen <tss@iki.fi> parents: 1231 diff changeset	744
3888 650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	745 ssl_free_parameters(&ssl_params);
1232 f7da7d46e3f2 destroy proxies before destroying ssl context Timo Sirainen <tss@iki.fi> parents: 1231 diff changeset	746 SSL_CTX_free(ssl_ctx);
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	747 }
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	748
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	749 #endif

Mercurial > dovecot > original-hg > dovecot-1.2

annotate src/login-common/ssl-proxy-openssl.c @ 4506:025ffc5a3643 HEAD