Mercurial > dovecot > original-hg > dovecot-1.2
annotate src/login-common/ssl-proxy-openssl.c @ 9658:8ba4253adc9b HEAD tip
*-login: SSL connections didn't get closed when the client got destroyed.
author | Timo Sirainen <tss@iki.fi> |
---|---|
date | Thu, 08 May 2014 16:41:29 +0300 |
parents | 9f3c8c59f8c4 |
children |
rev | line source |
---|---|
9532
00cd9aacd03c
Updated copyright notices to include year 2010.
Timo Sirainen <tss@iki.fi>
parents:
9514
diff
changeset
|
1 /* Copyright (c) 2002-2010 Dovecot authors, see the included COPYING file */ |
1049
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
2 |
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
3 #include "common.h" |
3888
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
4 #include "array.h" |
1049
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
5 #include "ioloop.h" |
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
6 #include "network.h" |
4474
1ff1603403de
Second try with SSL proxy rewrite. Did some fixes since last try.
Timo Sirainen <tss@iki.fi>
parents:
4471
diff
changeset
|
7 #include "ostream.h" |
3888
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
8 #include "read-full.h" |
7119
8c6a7af67e8c
Replaced clients hash with a linked list.
Timo Sirainen <tss@iki.fi>
parents:
7086
diff
changeset
|
9 #include "llist.h" |
1049
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
10 #include "ssl-proxy.h" |
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
11 |
3888
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
12 #include <fcntl.h> |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
13 #include <unistd.h> |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
14 #include <sys/stat.h> |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
15 |
1049
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
16 #ifdef HAVE_OPENSSL |
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
17 |
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
18 #include <openssl/crypto.h> |
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
19 #include <openssl/x509.h> |
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
20 #include <openssl/pem.h> |
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
21 #include <openssl/ssl.h> |
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
22 #include <openssl/err.h> |
1556
545f6b150e2c
Make sure PRNG gets initialized before chrooting so it can open /dev/urandom.
Timo Sirainen <tss@iki.fi>
parents:
1544
diff
changeset
|
23 #include <openssl/rand.h> |
1049
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
24 |
4696 | 25 #define DOVECOT_SSL_DEFAULT_CIPHER_LIST "ALL:!LOW:!SSLv2" |
3888
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
26 /* Check every 30 minutes if parameters file has been updated */ |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
27 #define SSL_PARAMFILE_CHECK_INTERVAL (60*30) |
1544
ac6ee442376d
OpenSSL proxy changes - hopefully fixes something. Also don't crash with
Timo Sirainen <tss@iki.fi>
parents:
1492
diff
changeset
|
28 |
4538
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
29 enum ssl_io_action { |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
30 SSL_ADD_INPUT, |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
31 SSL_REMOVE_INPUT, |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
32 SSL_ADD_OUTPUT, |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
33 SSL_REMOVE_OUTPUT |
1049
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
34 }; |
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
35 |
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
36 struct ssl_proxy { |
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
37 int refcount; |
7119
8c6a7af67e8c
Replaced clients hash with a linked list.
Timo Sirainen <tss@iki.fi>
parents:
7086
diff
changeset
|
38 struct ssl_proxy *prev, *next; |
1049
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
39 |
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
40 SSL *ssl; |
1235 | 41 struct ip_addr ip; |
1049
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
42 |
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
43 int fd_ssl, fd_plain; |
4538
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
44 struct io *io_ssl_read, *io_ssl_write, *io_plain_read, *io_plain_write; |
1049
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
45 |
4538
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
46 unsigned char plainout_buf[1024]; |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
47 unsigned int plainout_size; |
1049
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
48 |
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
49 unsigned char sslout_buf[1024]; |
1324
13d8f69d4f1a
rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents:
1268
diff
changeset
|
50 unsigned int sslout_size; |
1458
98362534b2c7
Unexpected SSL connection errors sometimes crashed
Timo Sirainen <tss@iki.fi>
parents:
1457
diff
changeset
|
51 |
8985
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
52 ssl_handshake_callback_t *handshake_callback; |
8986
d475e17d01a3
ssl-proxy: Crashfix to previous commit.
Timo Sirainen <tss@iki.fi>
parents:
8985
diff
changeset
|
53 void *handshake_context; |
8985
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
54 |
7374
0bb3fc72a74f
If TLS connection closes with anything except a clean disconnection, log the
Timo Sirainen <tss@iki.fi>
parents:
7346
diff
changeset
|
55 char *last_error; |
1458
98362534b2c7
Unexpected SSL connection errors sometimes crashed
Timo Sirainen <tss@iki.fi>
parents:
1457
diff
changeset
|
56 unsigned int handshaked:1; |
98362534b2c7
Unexpected SSL connection errors sometimes crashed
Timo Sirainen <tss@iki.fi>
parents:
1457
diff
changeset
|
57 unsigned int destroyed:1; |
2027
dc5d0da1abe9
Added ssl_require_client_cert auth-specific setting. Hide
Timo Sirainen <tss@iki.fi>
parents:
2007
diff
changeset
|
58 unsigned int cert_received:1; |
dc5d0da1abe9
Added ssl_require_client_cert auth-specific setting. Hide
Timo Sirainen <tss@iki.fi>
parents:
2007
diff
changeset
|
59 unsigned int cert_broken:1; |
8985
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
60 unsigned int client:1; |
1049
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
61 }; |
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
62 |
3888
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
63 struct ssl_parameters { |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
64 const char *fname; |
4505
886d7af1f38d
Don't constantly re-read ssl-parameters.dat. Make sure that in input handler
Timo Sirainen <tss@iki.fi>
parents:
4474
diff
changeset
|
65 time_t last_mtime, last_check; |
3888
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
66 int fd; |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
67 |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
68 DH *dh_512, *dh_1024; |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
69 }; |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
70 |
2027
dc5d0da1abe9
Added ssl_require_client_cert auth-specific setting. Hide
Timo Sirainen <tss@iki.fi>
parents:
2007
diff
changeset
|
71 static int extdata_index; |
8985
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
72 static SSL_CTX *ssl_server_ctx; |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
73 static SSL_CTX *ssl_client_ctx; |
7119
8c6a7af67e8c
Replaced clients hash with a linked list.
Timo Sirainen <tss@iki.fi>
parents:
7086
diff
changeset
|
74 static unsigned int ssl_proxy_count; |
8c6a7af67e8c
Replaced clients hash with a linked list.
Timo Sirainen <tss@iki.fi>
parents:
7086
diff
changeset
|
75 static struct ssl_proxy *ssl_proxies; |
3888
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
76 static struct ssl_parameters ssl_params; |
6364
7ad61f00ee55
Added ssl_cert_username_field setting.
Timo Sirainen <tss@iki.fi>
parents:
5528
diff
changeset
|
77 static int ssl_username_nid; |
1049
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
78 |
4907
5b4c9b20eba0
Replaced void *context from a lot of callbacks with the actual context
Timo Sirainen <tss@iki.fi>
parents:
4827
diff
changeset
|
79 static void plain_read(struct ssl_proxy *proxy); |
4538
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
80 static void ssl_read(struct ssl_proxy *proxy); |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
81 static void ssl_write(struct ssl_proxy *proxy); |
4907
5b4c9b20eba0
Replaced void *context from a lot of callbacks with the actual context
Timo Sirainen <tss@iki.fi>
parents:
4827
diff
changeset
|
82 static void ssl_step(struct ssl_proxy *proxy); |
3863
55df57c028d4
Added "bool" type and changed all ints that were used as booleans to bool.
Timo Sirainen <tss@iki.fi>
parents:
3635
diff
changeset
|
83 static void ssl_proxy_unref(struct ssl_proxy *proxy); |
1049
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
84 |
8621
22985329af92
Check broken ssl-parameters.dat files better and give a better error message when seeing one.
Timo Sirainen <tss@iki.fi>
parents:
8590
diff
changeset
|
85 static void ssl_params_corrupted(const char *path) |
22985329af92
Check broken ssl-parameters.dat files better and give a better error message when seeing one.
Timo Sirainen <tss@iki.fi>
parents:
8590
diff
changeset
|
86 { |
22985329af92
Check broken ssl-parameters.dat files better and give a better error message when seeing one.
Timo Sirainen <tss@iki.fi>
parents:
8590
diff
changeset
|
87 i_fatal("Corrupted SSL parameters file: %s/%s " |
22985329af92
Check broken ssl-parameters.dat files better and give a better error message when seeing one.
Timo Sirainen <tss@iki.fi>
parents:
8590
diff
changeset
|
88 "(delete it and also the one in %s)", |
22985329af92
Check broken ssl-parameters.dat files better and give a better error message when seeing one.
Timo Sirainen <tss@iki.fi>
parents:
8590
diff
changeset
|
89 getenv("LOGIN_DIR"), path, PKG_STATEDIR); |
22985329af92
Check broken ssl-parameters.dat files better and give a better error message when seeing one.
Timo Sirainen <tss@iki.fi>
parents:
8590
diff
changeset
|
90 } |
22985329af92
Check broken ssl-parameters.dat files better and give a better error message when seeing one.
Timo Sirainen <tss@iki.fi>
parents:
8590
diff
changeset
|
91 |
3888
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
92 static void read_next(struct ssl_parameters *params, void *data, size_t size) |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
93 { |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
94 int ret; |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
95 |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
96 if ((ret = read_full(params->fd, data, size)) < 0) |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
97 i_fatal("read(%s) failed: %m", params->fname); |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
98 if (ret == 0) |
8621
22985329af92
Check broken ssl-parameters.dat files better and give a better error message when seeing one.
Timo Sirainen <tss@iki.fi>
parents:
8590
diff
changeset
|
99 ssl_params_corrupted(params->fname); |
3888
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
100 } |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
101 |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
102 static bool read_dh_parameters_next(struct ssl_parameters *params) |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
103 { |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
104 unsigned char *buf; |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
105 const unsigned char *cbuf; |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
106 unsigned int len; |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
107 int bits; |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
108 |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
109 /* read bit size. 0 ends the DH parameters list. */ |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
110 read_next(params, &bits, sizeof(bits)); |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
111 |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
112 if (bits == 0) |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
113 return FALSE; |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
114 |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
115 /* read data size. */ |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
116 read_next(params, &len, sizeof(len)); |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
117 if (len > 1024*100) /* should be enough? */ |
8621
22985329af92
Check broken ssl-parameters.dat files better and give a better error message when seeing one.
Timo Sirainen <tss@iki.fi>
parents:
8590
diff
changeset
|
118 ssl_params_corrupted(params->fname); |
3888
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
119 |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
120 buf = i_malloc(len); |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
121 read_next(params, buf, len); |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
122 |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
123 cbuf = buf; |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
124 switch (bits) { |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
125 case 512: |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
126 params->dh_512 = d2i_DHparams(NULL, &cbuf, len); |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
127 break; |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
128 case 1024: |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
129 params->dh_1024 = d2i_DHparams(NULL, &cbuf, len); |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
130 break; |
8621
22985329af92
Check broken ssl-parameters.dat files better and give a better error message when seeing one.
Timo Sirainen <tss@iki.fi>
parents:
8590
diff
changeset
|
131 default: |
22985329af92
Check broken ssl-parameters.dat files better and give a better error message when seeing one.
Timo Sirainen <tss@iki.fi>
parents:
8590
diff
changeset
|
132 ssl_params_corrupted(params->fname); |
3888
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
133 } |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
134 |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
135 i_free(buf); |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
136 return TRUE; |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
137 } |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
138 |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
139 static void ssl_free_parameters(struct ssl_parameters *params) |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
140 { |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
141 if (params->dh_512 != NULL) { |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
142 DH_free(params->dh_512); |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
143 params->dh_512 = NULL; |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
144 } |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
145 if (params->dh_1024 != NULL) { |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
146 DH_free(params->dh_1024); |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
147 params->dh_1024 = NULL; |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
148 } |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
149 } |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
150 |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
151 static void ssl_read_parameters(struct ssl_parameters *params) |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
152 { |
4505
886d7af1f38d
Don't constantly re-read ssl-parameters.dat. Make sure that in input handler
Timo Sirainen <tss@iki.fi>
parents:
4474
diff
changeset
|
153 struct stat st; |
8621
22985329af92
Check broken ssl-parameters.dat files better and give a better error message when seeing one.
Timo Sirainen <tss@iki.fi>
parents:
8590
diff
changeset
|
154 ssize_t ret; |
22985329af92
Check broken ssl-parameters.dat files better and give a better error message when seeing one.
Timo Sirainen <tss@iki.fi>
parents:
8590
diff
changeset
|
155 char c; |
3888
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
156 bool warned = FALSE; |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
157 |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
158 /* we'll wait until parameter file exists */ |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
159 for (;;) { |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
160 params->fd = open(params->fname, O_RDONLY); |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
161 if (params->fd != -1) |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
162 break; |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
163 |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
164 if (errno != ENOENT) { |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
165 i_fatal("Can't open SSL parameter file %s: %m", |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
166 params->fname); |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
167 } |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
168 |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
169 if (!warned) { |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
170 i_warning("Waiting for SSL parameter file %s", |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
171 params->fname); |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
172 warned = TRUE; |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
173 } |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
174 sleep(1); |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
175 } |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
176 |
4505
886d7af1f38d
Don't constantly re-read ssl-parameters.dat. Make sure that in input handler
Timo Sirainen <tss@iki.fi>
parents:
4474
diff
changeset
|
177 if (fstat(params->fd, &st) < 0) |
886d7af1f38d
Don't constantly re-read ssl-parameters.dat. Make sure that in input handler
Timo Sirainen <tss@iki.fi>
parents:
4474
diff
changeset
|
178 i_error("fstat(%s) failed: %m", params->fname); |
886d7af1f38d
Don't constantly re-read ssl-parameters.dat. Make sure that in input handler
Timo Sirainen <tss@iki.fi>
parents:
4474
diff
changeset
|
179 else |
886d7af1f38d
Don't constantly re-read ssl-parameters.dat. Make sure that in input handler
Timo Sirainen <tss@iki.fi>
parents:
4474
diff
changeset
|
180 params->last_mtime = st.st_mtime; |
886d7af1f38d
Don't constantly re-read ssl-parameters.dat. Make sure that in input handler
Timo Sirainen <tss@iki.fi>
parents:
4474
diff
changeset
|
181 |
3888
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
182 ssl_free_parameters(params); |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
183 while (read_dh_parameters_next(params)) ; |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
184 |
8621
22985329af92
Check broken ssl-parameters.dat files better and give a better error message when seeing one.
Timo Sirainen <tss@iki.fi>
parents:
8590
diff
changeset
|
185 if ((ret = read_full(params->fd, &c, 1)) < 0) |
22985329af92
Check broken ssl-parameters.dat files better and give a better error message when seeing one.
Timo Sirainen <tss@iki.fi>
parents:
8590
diff
changeset
|
186 i_fatal("read(%s) failed: %m", params->fname); |
22985329af92
Check broken ssl-parameters.dat files better and give a better error message when seeing one.
Timo Sirainen <tss@iki.fi>
parents:
8590
diff
changeset
|
187 else if (ret != 0) { |
22985329af92
Check broken ssl-parameters.dat files better and give a better error message when seeing one.
Timo Sirainen <tss@iki.fi>
parents:
8590
diff
changeset
|
188 /* more data than expected */ |
22985329af92
Check broken ssl-parameters.dat files better and give a better error message when seeing one.
Timo Sirainen <tss@iki.fi>
parents:
8590
diff
changeset
|
189 ssl_params_corrupted(params->fname); |
22985329af92
Check broken ssl-parameters.dat files better and give a better error message when seeing one.
Timo Sirainen <tss@iki.fi>
parents:
8590
diff
changeset
|
190 } |
22985329af92
Check broken ssl-parameters.dat files better and give a better error message when seeing one.
Timo Sirainen <tss@iki.fi>
parents:
8590
diff
changeset
|
191 |
3888
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
192 if (close(params->fd) < 0) |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
193 i_error("close() failed: %m"); |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
194 params->fd = -1; |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
195 } |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
196 |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
197 static void ssl_refresh_parameters(struct ssl_parameters *params) |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
198 { |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
199 struct stat st; |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
200 |
4505
886d7af1f38d
Don't constantly re-read ssl-parameters.dat. Make sure that in input handler
Timo Sirainen <tss@iki.fi>
parents:
4474
diff
changeset
|
201 if (params->last_check > ioloop_time - SSL_PARAMFILE_CHECK_INTERVAL) |
3888
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
202 return; |
4505
886d7af1f38d
Don't constantly re-read ssl-parameters.dat. Make sure that in input handler
Timo Sirainen <tss@iki.fi>
parents:
4474
diff
changeset
|
203 params->last_check = ioloop_time; |
3888
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
204 |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
205 if (params->last_mtime == 0) |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
206 ssl_read_parameters(params); |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
207 else { |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
208 if (stat(params->fname, &st) < 0) |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
209 i_error("stat(%s) failed: %m", params->fname); |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
210 else if (st.st_mtime != params->last_mtime) |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
211 ssl_read_parameters(params); |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
212 } |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
213 } |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
214 |
4538
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
215 static void ssl_set_io(struct ssl_proxy *proxy, enum ssl_io_action action) |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
216 { |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
217 switch (action) { |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
218 case SSL_ADD_INPUT: |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
219 if (proxy->io_ssl_read != NULL) |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
220 break; |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
221 proxy->io_ssl_read = io_add(proxy->fd_ssl, IO_READ, |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
222 ssl_step, proxy); |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
223 break; |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
224 case SSL_REMOVE_INPUT: |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
225 if (proxy->io_ssl_read != NULL) |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
226 io_remove(&proxy->io_ssl_read); |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
227 break; |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
228 case SSL_ADD_OUTPUT: |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
229 if (proxy->io_ssl_write != NULL) |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
230 break; |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
231 proxy->io_ssl_write = io_add(proxy->fd_ssl, IO_WRITE, |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
232 ssl_step, proxy); |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
233 break; |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
234 case SSL_REMOVE_OUTPUT: |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
235 if (proxy->io_ssl_write != NULL) |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
236 io_remove(&proxy->io_ssl_write); |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
237 break; |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
238 } |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
239 } |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
240 |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
241 static void plain_block_input(struct ssl_proxy *proxy, bool block) |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
242 { |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
243 if (block) { |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
244 if (proxy->io_plain_read != NULL) |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
245 io_remove(&proxy->io_plain_read); |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
246 } else { |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
247 if (proxy->io_plain_read == NULL) { |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
248 proxy->io_plain_read = io_add(proxy->fd_plain, IO_READ, |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
249 plain_read, proxy); |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
250 } |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
251 } |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
252 } |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
253 |
4907
5b4c9b20eba0
Replaced void *context from a lot of callbacks with the actual context
Timo Sirainen <tss@iki.fi>
parents:
4827
diff
changeset
|
254 static void plain_read(struct ssl_proxy *proxy) |
4538
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
255 { |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
256 ssize_t ret; |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
257 bool corked = FALSE; |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
258 |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
259 if (proxy->sslout_size == sizeof(proxy->sslout_buf)) { |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
260 /* buffer full, block input until it's written */ |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
261 plain_block_input(proxy, TRUE); |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
262 return; |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
263 } |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
264 |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
265 proxy->refcount++; |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
266 |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
267 while (proxy->sslout_size < sizeof(proxy->sslout_buf) && |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
268 !proxy->destroyed) { |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
269 ret = net_receive(proxy->fd_plain, |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
270 proxy->sslout_buf + proxy->sslout_size, |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
271 sizeof(proxy->sslout_buf) - |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
272 proxy->sslout_size); |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
273 if (ret <= 0) { |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
274 if (ret < 0) |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
275 ssl_proxy_destroy(proxy); |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
276 break; |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
277 } else { |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
278 proxy->sslout_size += ret; |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
279 if (!corked) { |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
280 net_set_cork(proxy->fd_ssl, TRUE); |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
281 corked = TRUE; |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
282 } |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
283 ssl_write(proxy); |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
284 } |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
285 } |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
286 |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
287 if (corked) |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
288 net_set_cork(proxy->fd_ssl, FALSE); |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
289 |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
290 ssl_proxy_unref(proxy); |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
291 } |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
292 |
4907
5b4c9b20eba0
Replaced void *context from a lot of callbacks with the actual context
Timo Sirainen <tss@iki.fi>
parents:
4827
diff
changeset
|
293 static void plain_write(struct ssl_proxy *proxy) |
4538
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
294 { |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
295 ssize_t ret; |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
296 |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
297 proxy->refcount++; |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
298 |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
299 ret = net_transmit(proxy->fd_plain, proxy->plainout_buf, |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
300 proxy->plainout_size); |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
301 if (ret < 0) |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
302 ssl_proxy_destroy(proxy); |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
303 else { |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
304 proxy->plainout_size -= ret; |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
305 memmove(proxy->plainout_buf, proxy->plainout_buf + ret, |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
306 proxy->plainout_size); |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
307 |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
308 if (proxy->plainout_size > 0) { |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
309 if (proxy->io_plain_write == NULL) { |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
310 proxy->io_plain_write = |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
311 io_add(proxy->fd_plain, IO_WRITE, |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
312 plain_write, proxy); |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
313 } |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
314 } else { |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
315 if (proxy->io_plain_write != NULL) |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
316 io_remove(&proxy->io_plain_write); |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
317 } |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
318 |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
319 ssl_set_io(proxy, SSL_ADD_INPUT); |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
320 if (SSL_pending(proxy->ssl) > 0) |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
321 ssl_read(proxy); |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
322 } |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
323 |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
324 ssl_proxy_unref(proxy); |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
325 } |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
326 |
1049
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
327 static const char *ssl_last_error(void) |
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
328 { |
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
329 unsigned long err; |
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
330 char *buf; |
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
331 size_t err_size = 256; |
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
332 |
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
333 err = ERR_get_error(); |
7508
bec3cd8e8151
If SSL function fails and there are no errors, return "Unknown error"
Timo Sirainen <tss@iki.fi>
parents:
7500
diff
changeset
|
334 if (err == 0) { |
bec3cd8e8151
If SSL function fails and there are no errors, return "Unknown error"
Timo Sirainen <tss@iki.fi>
parents:
7500
diff
changeset
|
335 if (errno != 0) |
bec3cd8e8151
If SSL function fails and there are no errors, return "Unknown error"
Timo Sirainen <tss@iki.fi>
parents:
7500
diff
changeset
|
336 return strerror(errno); |
bec3cd8e8151
If SSL function fails and there are no errors, return "Unknown error"
Timo Sirainen <tss@iki.fi>
parents:
7500
diff
changeset
|
337 return "Unknown error"; |
bec3cd8e8151
If SSL function fails and there are no errors, return "Unknown error"
Timo Sirainen <tss@iki.fi>
parents:
7500
diff
changeset
|
338 } |
1049
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
339 |
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
340 buf = t_malloc(err_size); |
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
341 buf[err_size-1] = '\0'; |
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
342 ERR_error_string_n(err, buf, err_size-1); |
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
343 return buf; |
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
344 } |
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
345 |
4538
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
346 static void ssl_handle_error(struct ssl_proxy *proxy, int ret, |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
347 const char *func_name) |
1049
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
348 { |
7374
0bb3fc72a74f
If TLS connection closes with anything except a clean disconnection, log the
Timo Sirainen <tss@iki.fi>
parents:
7346
diff
changeset
|
349 const char *errstr = NULL; |
1235 | 350 int err; |
351 | |
7374
0bb3fc72a74f
If TLS connection closes with anything except a clean disconnection, log the
Timo Sirainen <tss@iki.fi>
parents:
7346
diff
changeset
|
352 proxy->refcount++; |
0bb3fc72a74f
If TLS connection closes with anything except a clean disconnection, log the
Timo Sirainen <tss@iki.fi>
parents:
7346
diff
changeset
|
353 |
0bb3fc72a74f
If TLS connection closes with anything except a clean disconnection, log the
Timo Sirainen <tss@iki.fi>
parents:
7346
diff
changeset
|
354 i_free_and_null(proxy->last_error); |
1235 | 355 err = SSL_get_error(proxy->ssl, ret); |
1049
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
356 |
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
357 switch (err) { |
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
358 case SSL_ERROR_WANT_READ: |
4538
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
359 ssl_set_io(proxy, SSL_ADD_INPUT); |
1049
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
360 break; |
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
361 case SSL_ERROR_WANT_WRITE: |
4538
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
362 ssl_set_io(proxy, SSL_ADD_OUTPUT); |
1049
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
363 break; |
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
364 case SSL_ERROR_SYSCALL: |
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
365 /* eat up the error queue */ |
7374
0bb3fc72a74f
If TLS connection closes with anything except a clean disconnection, log the
Timo Sirainen <tss@iki.fi>
parents:
7346
diff
changeset
|
366 if (ERR_peek_error() != 0) |
0bb3fc72a74f
If TLS connection closes with anything except a clean disconnection, log the
Timo Sirainen <tss@iki.fi>
parents:
7346
diff
changeset
|
367 errstr = ssl_last_error(); |
0bb3fc72a74f
If TLS connection closes with anything except a clean disconnection, log the
Timo Sirainen <tss@iki.fi>
parents:
7346
diff
changeset
|
368 else if (ret != 0) |
0bb3fc72a74f
If TLS connection closes with anything except a clean disconnection, log the
Timo Sirainen <tss@iki.fi>
parents:
7346
diff
changeset
|
369 errstr = strerror(errno); |
0bb3fc72a74f
If TLS connection closes with anything except a clean disconnection, log the
Timo Sirainen <tss@iki.fi>
parents:
7346
diff
changeset
|
370 else { |
0bb3fc72a74f
If TLS connection closes with anything except a clean disconnection, log the
Timo Sirainen <tss@iki.fi>
parents:
7346
diff
changeset
|
371 /* EOF. */ |
0bb3fc72a74f
If TLS connection closes with anything except a clean disconnection, log the
Timo Sirainen <tss@iki.fi>
parents:
7346
diff
changeset
|
372 errstr = "Disconnected"; |
0bb3fc72a74f
If TLS connection closes with anything except a clean disconnection, log the
Timo Sirainen <tss@iki.fi>
parents:
7346
diff
changeset
|
373 break; |
1235 | 374 } |
7374
0bb3fc72a74f
If TLS connection closes with anything except a clean disconnection, log the
Timo Sirainen <tss@iki.fi>
parents:
7346
diff
changeset
|
375 errstr = t_strdup_printf("%s syscall failed: %s", |
0bb3fc72a74f
If TLS connection closes with anything except a clean disconnection, log the
Timo Sirainen <tss@iki.fi>
parents:
7346
diff
changeset
|
376 func_name, errstr); |
1049
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
377 break; |
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
378 case SSL_ERROR_ZERO_RETURN: |
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
379 /* clean connection closing */ |
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
380 ssl_proxy_destroy(proxy); |
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
381 break; |
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
382 case SSL_ERROR_SSL: |
9305
b7dbcf86086b
Fixed openssl malloc() failure check.
Timo Sirainen <tss@iki.fi>
parents:
9288
diff
changeset
|
383 if (ERR_GET_REASON(ERR_peek_error()) == ERR_R_MALLOC_FAILURE) { |
9288
c00df1152f1f
*-login: If OpenSSL fails with malloc failure, log an error.
Timo Sirainen <tss@iki.fi>
parents:
9283
diff
changeset
|
384 i_error("OpenSSL malloc() failed. " |
c00df1152f1f
*-login: If OpenSSL fails with malloc failure, log an error.
Timo Sirainen <tss@iki.fi>
parents:
9283
diff
changeset
|
385 "You may need to increase login_process_size"); |
c00df1152f1f
*-login: If OpenSSL fails with malloc failure, log an error.
Timo Sirainen <tss@iki.fi>
parents:
9283
diff
changeset
|
386 } |
7374
0bb3fc72a74f
If TLS connection closes with anything except a clean disconnection, log the
Timo Sirainen <tss@iki.fi>
parents:
7346
diff
changeset
|
387 errstr = t_strdup_printf("%s failed: %s", |
0bb3fc72a74f
If TLS connection closes with anything except a clean disconnection, log the
Timo Sirainen <tss@iki.fi>
parents:
7346
diff
changeset
|
388 func_name, ssl_last_error()); |
1049
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
389 break; |
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
390 default: |
7374
0bb3fc72a74f
If TLS connection closes with anything except a clean disconnection, log the
Timo Sirainen <tss@iki.fi>
parents:
7346
diff
changeset
|
391 errstr = t_strdup_printf("%s failed: unknown failure %d (%s)", |
0bb3fc72a74f
If TLS connection closes with anything except a clean disconnection, log the
Timo Sirainen <tss@iki.fi>
parents:
7346
diff
changeset
|
392 func_name, err, ssl_last_error()); |
1049
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
393 break; |
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
394 } |
7374
0bb3fc72a74f
If TLS connection closes with anything except a clean disconnection, log the
Timo Sirainen <tss@iki.fi>
parents:
7346
diff
changeset
|
395 |
0bb3fc72a74f
If TLS connection closes with anything except a clean disconnection, log the
Timo Sirainen <tss@iki.fi>
parents:
7346
diff
changeset
|
396 if (errstr != NULL) { |
0bb3fc72a74f
If TLS connection closes with anything except a clean disconnection, log the
Timo Sirainen <tss@iki.fi>
parents:
7346
diff
changeset
|
397 proxy->last_error = i_strdup(errstr); |
0bb3fc72a74f
If TLS connection closes with anything except a clean disconnection, log the
Timo Sirainen <tss@iki.fi>
parents:
7346
diff
changeset
|
398 ssl_proxy_destroy(proxy); |
0bb3fc72a74f
If TLS connection closes with anything except a clean disconnection, log the
Timo Sirainen <tss@iki.fi>
parents:
7346
diff
changeset
|
399 } |
0bb3fc72a74f
If TLS connection closes with anything except a clean disconnection, log the
Timo Sirainen <tss@iki.fi>
parents:
7346
diff
changeset
|
400 ssl_proxy_unref(proxy); |
1049
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
401 } |
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
402 |
4538
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
403 static void ssl_handshake(struct ssl_proxy *proxy) |
1049
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
404 { |
4538
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
405 int ret; |
1049
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
406 |
8985
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
407 if (proxy->client) { |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
408 ret = SSL_connect(proxy->ssl); |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
409 if (ret != 1) { |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
410 ssl_handle_error(proxy, ret, "SSL_connect()"); |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
411 return; |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
412 } |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
413 } else { |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
414 ret = SSL_accept(proxy->ssl); |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
415 if (ret != 1) { |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
416 ssl_handle_error(proxy, ret, "SSL_accept()"); |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
417 return; |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
418 } |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
419 } |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
420 i_free_and_null(proxy->last_error); |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
421 proxy->handshaked = TRUE; |
4538
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
422 |
8985
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
423 ssl_set_io(proxy, SSL_ADD_INPUT); |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
424 plain_block_input(proxy, FALSE); |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
425 |
8986
d475e17d01a3
ssl-proxy: Crashfix to previous commit.
Timo Sirainen <tss@iki.fi>
parents:
8985
diff
changeset
|
426 if (proxy->handshake_callback != NULL) { |
d475e17d01a3
ssl-proxy: Crashfix to previous commit.
Timo Sirainen <tss@iki.fi>
parents:
8985
diff
changeset
|
427 if (proxy->handshake_callback(proxy->handshake_context) < 0) |
d475e17d01a3
ssl-proxy: Crashfix to previous commit.
Timo Sirainen <tss@iki.fi>
parents:
8985
diff
changeset
|
428 ssl_proxy_destroy(proxy); |
d475e17d01a3
ssl-proxy: Crashfix to previous commit.
Timo Sirainen <tss@iki.fi>
parents:
8985
diff
changeset
|
429 } |
4538
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
430 } |
1049
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
431 |
4538
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
432 static void ssl_read(struct ssl_proxy *proxy) |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
433 { |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
434 int ret; |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
435 |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
436 while (proxy->plainout_size < sizeof(proxy->plainout_buf) && |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
437 !proxy->destroyed) { |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
438 ret = SSL_read(proxy->ssl, |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
439 proxy->plainout_buf + proxy->plainout_size, |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
440 sizeof(proxy->plainout_buf) - |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
441 proxy->plainout_size); |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
442 if (ret <= 0) { |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
443 ssl_handle_error(proxy, ret, "SSL_read()"); |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
444 break; |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
445 } else { |
7374
0bb3fc72a74f
If TLS connection closes with anything except a clean disconnection, log the
Timo Sirainen <tss@iki.fi>
parents:
7346
diff
changeset
|
446 i_free_and_null(proxy->last_error); |
4538
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
447 proxy->plainout_size += ret; |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
448 plain_write(proxy); |
4131 | 449 } |
4127
60583fb75d9e
Rewrite. Hopefully works better.
Timo Sirainen <tss@iki.fi>
parents:
3960
diff
changeset
|
450 } |
60583fb75d9e
Rewrite. Hopefully works better.
Timo Sirainen <tss@iki.fi>
parents:
3960
diff
changeset
|
451 } |
60583fb75d9e
Rewrite. Hopefully works better.
Timo Sirainen <tss@iki.fi>
parents:
3960
diff
changeset
|
452 |
4538
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
453 static void ssl_write(struct ssl_proxy *proxy) |
4127
60583fb75d9e
Rewrite. Hopefully works better.
Timo Sirainen <tss@iki.fi>
parents:
3960
diff
changeset
|
454 { |
1049
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
455 int ret; |
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
456 |
4538
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
457 ret = SSL_write(proxy->ssl, proxy->sslout_buf, proxy->sslout_size); |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
458 if (ret <= 0) |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
459 ssl_handle_error(proxy, ret, "SSL_write()"); |
4127
60583fb75d9e
Rewrite. Hopefully works better.
Timo Sirainen <tss@iki.fi>
parents:
3960
diff
changeset
|
460 else { |
7374
0bb3fc72a74f
If TLS connection closes with anything except a clean disconnection, log the
Timo Sirainen <tss@iki.fi>
parents:
7346
diff
changeset
|
461 i_free_and_null(proxy->last_error); |
4538
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
462 proxy->sslout_size -= ret; |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
463 memmove(proxy->sslout_buf, proxy->sslout_buf + ret, |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
464 proxy->sslout_size); |
4474
1ff1603403de
Second try with SSL proxy rewrite. Did some fixes since last try.
Timo Sirainen <tss@iki.fi>
parents:
4471
diff
changeset
|
465 |
4538
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
466 ssl_set_io(proxy, proxy->sslout_size > 0 ? |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
467 SSL_ADD_OUTPUT : SSL_REMOVE_OUTPUT); |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
468 plain_block_input(proxy, FALSE); |
1049
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
469 } |
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
470 } |
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
471 |
4907
5b4c9b20eba0
Replaced void *context from a lot of callbacks with the actual context
Timo Sirainen <tss@iki.fi>
parents:
4827
diff
changeset
|
472 static void ssl_step(struct ssl_proxy *proxy) |
1049
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
473 { |
4538
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
474 proxy->refcount++; |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
475 |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
476 if (!proxy->handshaked) |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
477 ssl_handshake(proxy); |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
478 |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
479 if (proxy->handshaked) { |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
480 if (proxy->plainout_size == sizeof(proxy->plainout_buf)) |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
481 ssl_set_io(proxy, SSL_REMOVE_INPUT); |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
482 else |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
483 ssl_read(proxy); |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
484 |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
485 if (proxy->sslout_size == 0) |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
486 ssl_set_io(proxy, SSL_REMOVE_OUTPUT); |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
487 else { |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
488 net_set_cork(proxy->fd_ssl, TRUE); |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
489 ssl_write(proxy); |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
490 net_set_cork(proxy->fd_ssl, FALSE); |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
491 } |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
492 } |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
493 |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
494 ssl_proxy_unref(proxy); |
1049
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
495 } |
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
496 |
8985
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
497 static int ssl_proxy_new_common(SSL_CTX *ssl_ctx, int fd, struct ip_addr *ip, |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
498 struct ssl_proxy **proxy_r) |
1049
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
499 { |
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
500 struct ssl_proxy *proxy; |
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
501 SSL *ssl; |
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
502 int sfd[2]; |
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
503 |
4664 | 504 i_assert(fd != -1); |
505 | |
2027
dc5d0da1abe9
Added ssl_require_client_cert auth-specific setting. Hide
Timo Sirainen <tss@iki.fi>
parents:
2007
diff
changeset
|
506 *proxy_r = NULL; |
dc5d0da1abe9
Added ssl_require_client_cert auth-specific setting. Hide
Timo Sirainen <tss@iki.fi>
parents:
2007
diff
changeset
|
507 |
2679
8f7b01c29bcb
Show clear error messages if --ssl is tried to be used but it's not
Timo Sirainen <tss@iki.fi>
parents:
2629
diff
changeset
|
508 if (!ssl_initialized) { |
8f7b01c29bcb
Show clear error messages if --ssl is tried to be used but it's not
Timo Sirainen <tss@iki.fi>
parents:
2629
diff
changeset
|
509 i_error("SSL support not enabled in configuration"); |
1049
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
510 return -1; |
2679
8f7b01c29bcb
Show clear error messages if --ssl is tried to be used but it's not
Timo Sirainen <tss@iki.fi>
parents:
2629
diff
changeset
|
511 } |
1049
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
512 |
3888
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
513 ssl_refresh_parameters(&ssl_params); |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
514 |
1049
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
515 ssl = SSL_new(ssl_ctx); |
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
516 if (ssl == NULL) { |
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
517 i_error("SSL_new() failed: %s", ssl_last_error()); |
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
518 return -1; |
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
519 } |
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
520 |
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
521 if (SSL_set_fd(ssl, fd) != 1) { |
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
522 i_error("SSL_set_fd() failed: %s", ssl_last_error()); |
1457 | 523 SSL_free(ssl); |
1049
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
524 return -1; |
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
525 } |
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
526 |
4664 | 527 if (socketpair(AF_UNIX, SOCK_STREAM, 0, sfd) < 0) { |
1049
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
528 i_error("socketpair() failed: %m"); |
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
529 SSL_free(ssl); |
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
530 return -1; |
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
531 } |
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
532 |
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
533 net_set_nonblock(sfd[0], TRUE); |
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
534 net_set_nonblock(sfd[1], TRUE); |
1268
0d9f0e617a1a
net_* functions don't anymore set sockets to non-blocking by default.
Timo Sirainen <tss@iki.fi>
parents:
1235
diff
changeset
|
535 net_set_nonblock(fd, TRUE); |
1049
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
536 |
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
537 proxy = i_new(struct ssl_proxy, 1); |
2027
dc5d0da1abe9
Added ssl_require_client_cert auth-specific setting. Hide
Timo Sirainen <tss@iki.fi>
parents:
2007
diff
changeset
|
538 proxy->refcount = 2; |
1049
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
539 proxy->ssl = ssl; |
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
540 proxy->fd_ssl = fd; |
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
541 proxy->fd_plain = sfd[0]; |
1235 | 542 proxy->ip = *ip; |
2027
dc5d0da1abe9
Added ssl_require_client_cert auth-specific setting. Hide
Timo Sirainen <tss@iki.fi>
parents:
2007
diff
changeset
|
543 SSL_set_ex_data(ssl, extdata_index, proxy); |
1049
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
544 |
7119
8c6a7af67e8c
Replaced clients hash with a linked list.
Timo Sirainen <tss@iki.fi>
parents:
7086
diff
changeset
|
545 ssl_proxy_count++; |
8c6a7af67e8c
Replaced clients hash with a linked list.
Timo Sirainen <tss@iki.fi>
parents:
7086
diff
changeset
|
546 DLLIST_PREPEND(&ssl_proxies, proxy); |
1544
ac6ee442376d
OpenSSL proxy changes - hopefully fixes something. Also don't crash with
Timo Sirainen <tss@iki.fi>
parents:
1492
diff
changeset
|
547 |
4474
1ff1603403de
Second try with SSL proxy rewrite. Did some fixes since last try.
Timo Sirainen <tss@iki.fi>
parents:
4471
diff
changeset
|
548 main_ref(); |
2027
dc5d0da1abe9
Added ssl_require_client_cert auth-specific setting. Hide
Timo Sirainen <tss@iki.fi>
parents:
2007
diff
changeset
|
549 |
dc5d0da1abe9
Added ssl_require_client_cert auth-specific setting. Hide
Timo Sirainen <tss@iki.fi>
parents:
2007
diff
changeset
|
550 *proxy_r = proxy; |
dc5d0da1abe9
Added ssl_require_client_cert auth-specific setting. Hide
Timo Sirainen <tss@iki.fi>
parents:
2007
diff
changeset
|
551 return sfd[1]; |
dc5d0da1abe9
Added ssl_require_client_cert auth-specific setting. Hide
Timo Sirainen <tss@iki.fi>
parents:
2007
diff
changeset
|
552 } |
1049
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
553 |
8985
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
554 int ssl_proxy_new(int fd, struct ip_addr *ip, struct ssl_proxy **proxy_r) |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
555 { |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
556 int ret; |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
557 |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
558 if ((ret = ssl_proxy_new_common(ssl_server_ctx, fd, ip, proxy_r)) < 0) |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
559 return -1; |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
560 |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
561 ssl_step(*proxy_r); |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
562 return ret; |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
563 } |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
564 |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
565 int ssl_proxy_client_new(int fd, struct ip_addr *ip, |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
566 ssl_handshake_callback_t *callback, void *context, |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
567 struct ssl_proxy **proxy_r) |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
568 { |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
569 int ret; |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
570 |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
571 if ((ret = ssl_proxy_new_common(ssl_client_ctx, fd, ip, proxy_r)) < 0) |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
572 return -1; |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
573 |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
574 (*proxy_r)->handshake_callback = callback; |
8986
d475e17d01a3
ssl-proxy: Crashfix to previous commit.
Timo Sirainen <tss@iki.fi>
parents:
8985
diff
changeset
|
575 (*proxy_r)->handshake_context = context; |
8985
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
576 (*proxy_r)->client = TRUE; |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
577 ssl_step(*proxy_r); |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
578 return ret; |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
579 } |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
580 |
7912
81806d402514
Added more consts, ATTR_CONSTs and ATTR_PUREs.
Timo Sirainen <tss@iki.fi>
parents:
7508
diff
changeset
|
581 bool ssl_proxy_has_valid_client_cert(const struct ssl_proxy *proxy) |
2027
dc5d0da1abe9
Added ssl_require_client_cert auth-specific setting. Hide
Timo Sirainen <tss@iki.fi>
parents:
2007
diff
changeset
|
582 { |
dc5d0da1abe9
Added ssl_require_client_cert auth-specific setting. Hide
Timo Sirainen <tss@iki.fi>
parents:
2007
diff
changeset
|
583 return proxy->cert_received && !proxy->cert_broken; |
dc5d0da1abe9
Added ssl_require_client_cert auth-specific setting. Hide
Timo Sirainen <tss@iki.fi>
parents:
2007
diff
changeset
|
584 } |
dc5d0da1abe9
Added ssl_require_client_cert auth-specific setting. Hide
Timo Sirainen <tss@iki.fi>
parents:
2007
diff
changeset
|
585 |
8302
0db37acdc59f
Login process: Log auth failure reasons better in disconnect message.
Timo Sirainen <tss@iki.fi>
parents:
8224
diff
changeset
|
586 bool ssl_proxy_has_broken_client_cert(struct ssl_proxy *proxy) |
0db37acdc59f
Login process: Log auth failure reasons better in disconnect message.
Timo Sirainen <tss@iki.fi>
parents:
8224
diff
changeset
|
587 { |
0db37acdc59f
Login process: Log auth failure reasons better in disconnect message.
Timo Sirainen <tss@iki.fi>
parents:
8224
diff
changeset
|
588 return proxy->cert_received && proxy->cert_broken; |
0db37acdc59f
Login process: Log auth failure reasons better in disconnect message.
Timo Sirainen <tss@iki.fi>
parents:
8224
diff
changeset
|
589 } |
0db37acdc59f
Login process: Log auth failure reasons better in disconnect message.
Timo Sirainen <tss@iki.fi>
parents:
8224
diff
changeset
|
590 |
3635
c12df370e1b2
Added ssl_username_from_cert setting. Not actually tested yet..
Timo Sirainen <tss@iki.fi>
parents:
3584
diff
changeset
|
591 const char *ssl_proxy_get_peer_name(struct ssl_proxy *proxy) |
c12df370e1b2
Added ssl_username_from_cert setting. Not actually tested yet..
Timo Sirainen <tss@iki.fi>
parents:
3584
diff
changeset
|
592 { |
c12df370e1b2
Added ssl_username_from_cert setting. Not actually tested yet..
Timo Sirainen <tss@iki.fi>
parents:
3584
diff
changeset
|
593 X509 *x509; |
9283
0de21e725d4e
ssl_username_from_cert=yes: Don't truncate username, don't allow NULs in it.
Timo Sirainen <tss@iki.fi>
parents:
8986
diff
changeset
|
594 char *name; |
0de21e725d4e
ssl_username_from_cert=yes: Don't truncate username, don't allow NULs in it.
Timo Sirainen <tss@iki.fi>
parents:
8986
diff
changeset
|
595 int len; |
3635
c12df370e1b2
Added ssl_username_from_cert setting. Not actually tested yet..
Timo Sirainen <tss@iki.fi>
parents:
3584
diff
changeset
|
596 |
c12df370e1b2
Added ssl_username_from_cert setting. Not actually tested yet..
Timo Sirainen <tss@iki.fi>
parents:
3584
diff
changeset
|
597 if (!ssl_proxy_has_valid_client_cert(proxy)) |
c12df370e1b2
Added ssl_username_from_cert setting. Not actually tested yet..
Timo Sirainen <tss@iki.fi>
parents:
3584
diff
changeset
|
598 return NULL; |
c12df370e1b2
Added ssl_username_from_cert setting. Not actually tested yet..
Timo Sirainen <tss@iki.fi>
parents:
3584
diff
changeset
|
599 |
c12df370e1b2
Added ssl_username_from_cert setting. Not actually tested yet..
Timo Sirainen <tss@iki.fi>
parents:
3584
diff
changeset
|
600 x509 = SSL_get_peer_certificate(proxy->ssl); |
c12df370e1b2
Added ssl_username_from_cert setting. Not actually tested yet..
Timo Sirainen <tss@iki.fi>
parents:
3584
diff
changeset
|
601 if (x509 == NULL) |
c12df370e1b2
Added ssl_username_from_cert setting. Not actually tested yet..
Timo Sirainen <tss@iki.fi>
parents:
3584
diff
changeset
|
602 return NULL; /* we should have had it.. */ |
c12df370e1b2
Added ssl_username_from_cert setting. Not actually tested yet..
Timo Sirainen <tss@iki.fi>
parents:
3584
diff
changeset
|
603 |
9283
0de21e725d4e
ssl_username_from_cert=yes: Don't truncate username, don't allow NULs in it.
Timo Sirainen <tss@iki.fi>
parents:
8986
diff
changeset
|
604 len = X509_NAME_get_text_by_NID(X509_get_subject_name(x509), |
0de21e725d4e
ssl_username_from_cert=yes: Don't truncate username, don't allow NULs in it.
Timo Sirainen <tss@iki.fi>
parents:
8986
diff
changeset
|
605 ssl_username_nid, NULL, 0); |
0de21e725d4e
ssl_username_from_cert=yes: Don't truncate username, don't allow NULs in it.
Timo Sirainen <tss@iki.fi>
parents:
8986
diff
changeset
|
606 if (len < 0) |
4352
d57c83c64b20
Updates to ssl_verify_client_cert: Check CRLs. If auth_verbose=yes, log
Timo Sirainen <tss@iki.fi>
parents:
4131
diff
changeset
|
607 name = ""; |
9283
0de21e725d4e
ssl_username_from_cert=yes: Don't truncate username, don't allow NULs in it.
Timo Sirainen <tss@iki.fi>
parents:
8986
diff
changeset
|
608 else { |
0de21e725d4e
ssl_username_from_cert=yes: Don't truncate username, don't allow NULs in it.
Timo Sirainen <tss@iki.fi>
parents:
8986
diff
changeset
|
609 name = t_malloc(len + 1); |
0de21e725d4e
ssl_username_from_cert=yes: Don't truncate username, don't allow NULs in it.
Timo Sirainen <tss@iki.fi>
parents:
8986
diff
changeset
|
610 if (X509_NAME_get_text_by_NID(X509_get_subject_name(x509), |
0de21e725d4e
ssl_username_from_cert=yes: Don't truncate username, don't allow NULs in it.
Timo Sirainen <tss@iki.fi>
parents:
8986
diff
changeset
|
611 ssl_username_nid, name, len + 1) < 0) |
0de21e725d4e
ssl_username_from_cert=yes: Don't truncate username, don't allow NULs in it.
Timo Sirainen <tss@iki.fi>
parents:
8986
diff
changeset
|
612 name = ""; |
0de21e725d4e
ssl_username_from_cert=yes: Don't truncate username, don't allow NULs in it.
Timo Sirainen <tss@iki.fi>
parents:
8986
diff
changeset
|
613 else if (strlen(name) != (size_t)len) { |
0de21e725d4e
ssl_username_from_cert=yes: Don't truncate username, don't allow NULs in it.
Timo Sirainen <tss@iki.fi>
parents:
8986
diff
changeset
|
614 /* NUL characters in name. Someone's trying to fake |
0de21e725d4e
ssl_username_from_cert=yes: Don't truncate username, don't allow NULs in it.
Timo Sirainen <tss@iki.fi>
parents:
8986
diff
changeset
|
615 being another user? Don't allow it. */ |
0de21e725d4e
ssl_username_from_cert=yes: Don't truncate username, don't allow NULs in it.
Timo Sirainen <tss@iki.fi>
parents:
8986
diff
changeset
|
616 name = ""; |
0de21e725d4e
ssl_username_from_cert=yes: Don't truncate username, don't allow NULs in it.
Timo Sirainen <tss@iki.fi>
parents:
8986
diff
changeset
|
617 } |
0de21e725d4e
ssl_username_from_cert=yes: Don't truncate username, don't allow NULs in it.
Timo Sirainen <tss@iki.fi>
parents:
8986
diff
changeset
|
618 } |
3635
c12df370e1b2
Added ssl_username_from_cert setting. Not actually tested yet..
Timo Sirainen <tss@iki.fi>
parents:
3584
diff
changeset
|
619 X509_free(x509); |
4352
d57c83c64b20
Updates to ssl_verify_client_cert: Check CRLs. If auth_verbose=yes, log
Timo Sirainen <tss@iki.fi>
parents:
4131
diff
changeset
|
620 |
3635
c12df370e1b2
Added ssl_username_from_cert setting. Not actually tested yet..
Timo Sirainen <tss@iki.fi>
parents:
3584
diff
changeset
|
621 return *name == '\0' ? NULL : name; |
c12df370e1b2
Added ssl_username_from_cert setting. Not actually tested yet..
Timo Sirainen <tss@iki.fi>
parents:
3584
diff
changeset
|
622 } |
c12df370e1b2
Added ssl_username_from_cert setting. Not actually tested yet..
Timo Sirainen <tss@iki.fi>
parents:
3584
diff
changeset
|
623 |
7912
81806d402514
Added more consts, ATTR_CONSTs and ATTR_PUREs.
Timo Sirainen <tss@iki.fi>
parents:
7508
diff
changeset
|
624 bool ssl_proxy_is_handshaked(const struct ssl_proxy *proxy) |
4570
cbbe2377f591
If SSL/TLS handshake didn't finish, show "TLS handshaking" instead of "TLS"
Timo Sirainen <tss@iki.fi>
parents:
4549
diff
changeset
|
625 { |
cbbe2377f591
If SSL/TLS handshake didn't finish, show "TLS handshaking" instead of "TLS"
Timo Sirainen <tss@iki.fi>
parents:
4549
diff
changeset
|
626 return proxy->handshaked; |
cbbe2377f591
If SSL/TLS handshake didn't finish, show "TLS handshaking" instead of "TLS"
Timo Sirainen <tss@iki.fi>
parents:
4549
diff
changeset
|
627 } |
cbbe2377f591
If SSL/TLS handshake didn't finish, show "TLS handshaking" instead of "TLS"
Timo Sirainen <tss@iki.fi>
parents:
4549
diff
changeset
|
628 |
7912
81806d402514
Added more consts, ATTR_CONSTs and ATTR_PUREs.
Timo Sirainen <tss@iki.fi>
parents:
7508
diff
changeset
|
629 const char *ssl_proxy_get_last_error(const struct ssl_proxy *proxy) |
7374
0bb3fc72a74f
If TLS connection closes with anything except a clean disconnection, log the
Timo Sirainen <tss@iki.fi>
parents:
7346
diff
changeset
|
630 { |
0bb3fc72a74f
If TLS connection closes with anything except a clean disconnection, log the
Timo Sirainen <tss@iki.fi>
parents:
7346
diff
changeset
|
631 return proxy->last_error; |
0bb3fc72a74f
If TLS connection closes with anything except a clean disconnection, log the
Timo Sirainen <tss@iki.fi>
parents:
7346
diff
changeset
|
632 } |
0bb3fc72a74f
If TLS connection closes with anything except a clean disconnection, log the
Timo Sirainen <tss@iki.fi>
parents:
7346
diff
changeset
|
633 |
8122
3917bf9cf311
login_log_format_elements: Added %k to show SSL protocol/cipher information.
Timo Sirainen <tss@iki.fi>
parents:
7912
diff
changeset
|
634 const char *ssl_proxy_get_security_string(struct ssl_proxy *proxy) |
3917bf9cf311
login_log_format_elements: Added %k to show SSL protocol/cipher information.
Timo Sirainen <tss@iki.fi>
parents:
7912
diff
changeset
|
635 { |
3917bf9cf311
login_log_format_elements: Added %k to show SSL protocol/cipher information.
Timo Sirainen <tss@iki.fi>
parents:
7912
diff
changeset
|
636 SSL_CIPHER *cipher; |
9416
4add5c3f13ea
Compiling fix for OpenSSL 0.9.7 and older.
Timo Sirainen <tss@iki.fi>
parents:
9394
diff
changeset
|
637 #ifdef HAVE_SSL_COMPRESSION |
9389
26ca4ff5d269
login: ssl_security string now also shows the used compression.
Timo Sirainen <tss@iki.fi>
parents:
9305
diff
changeset
|
638 const COMP_METHOD *comp; |
9416
4add5c3f13ea
Compiling fix for OpenSSL 0.9.7 and older.
Timo Sirainen <tss@iki.fi>
parents:
9394
diff
changeset
|
639 #endif |
8122
3917bf9cf311
login_log_format_elements: Added %k to show SSL protocol/cipher information.
Timo Sirainen <tss@iki.fi>
parents:
7912
diff
changeset
|
640 int bits, alg_bits; |
9389
26ca4ff5d269
login: ssl_security string now also shows the used compression.
Timo Sirainen <tss@iki.fi>
parents:
9305
diff
changeset
|
641 const char *comp_str; |
8122
3917bf9cf311
login_log_format_elements: Added %k to show SSL protocol/cipher information.
Timo Sirainen <tss@iki.fi>
parents:
7912
diff
changeset
|
642 |
3917bf9cf311
login_log_format_elements: Added %k to show SSL protocol/cipher information.
Timo Sirainen <tss@iki.fi>
parents:
7912
diff
changeset
|
643 if (!proxy->handshaked) |
3917bf9cf311
login_log_format_elements: Added %k to show SSL protocol/cipher information.
Timo Sirainen <tss@iki.fi>
parents:
7912
diff
changeset
|
644 return ""; |
3917bf9cf311
login_log_format_elements: Added %k to show SSL protocol/cipher information.
Timo Sirainen <tss@iki.fi>
parents:
7912
diff
changeset
|
645 |
3917bf9cf311
login_log_format_elements: Added %k to show SSL protocol/cipher information.
Timo Sirainen <tss@iki.fi>
parents:
7912
diff
changeset
|
646 cipher = SSL_get_current_cipher(proxy->ssl); |
3917bf9cf311
login_log_format_elements: Added %k to show SSL protocol/cipher information.
Timo Sirainen <tss@iki.fi>
parents:
7912
diff
changeset
|
647 bits = SSL_CIPHER_get_bits(cipher, &alg_bits); |
9416
4add5c3f13ea
Compiling fix for OpenSSL 0.9.7 and older.
Timo Sirainen <tss@iki.fi>
parents:
9394
diff
changeset
|
648 #ifdef HAVE_SSL_COMPRESSION |
9389
26ca4ff5d269
login: ssl_security string now also shows the used compression.
Timo Sirainen <tss@iki.fi>
parents:
9305
diff
changeset
|
649 comp = SSL_get_current_compression(proxy->ssl); |
26ca4ff5d269
login: ssl_security string now also shows the used compression.
Timo Sirainen <tss@iki.fi>
parents:
9305
diff
changeset
|
650 comp_str = comp == NULL ? "" : |
26ca4ff5d269
login: ssl_security string now also shows the used compression.
Timo Sirainen <tss@iki.fi>
parents:
9305
diff
changeset
|
651 t_strconcat(" ", SSL_COMP_get_name(comp), NULL); |
9416
4add5c3f13ea
Compiling fix for OpenSSL 0.9.7 and older.
Timo Sirainen <tss@iki.fi>
parents:
9394
diff
changeset
|
652 #else |
9435
0aa7357761a5
Potential crashfix for OpenSSL < 0.9.8.
Timo Sirainen <tss@iki.fi>
parents:
9416
diff
changeset
|
653 comp_str = ""; |
9416
4add5c3f13ea
Compiling fix for OpenSSL 0.9.7 and older.
Timo Sirainen <tss@iki.fi>
parents:
9394
diff
changeset
|
654 #endif |
9389
26ca4ff5d269
login: ssl_security string now also shows the used compression.
Timo Sirainen <tss@iki.fi>
parents:
9305
diff
changeset
|
655 return t_strdup_printf("%s with cipher %s (%d/%d bits)%s", |
8122
3917bf9cf311
login_log_format_elements: Added %k to show SSL protocol/cipher information.
Timo Sirainen <tss@iki.fi>
parents:
7912
diff
changeset
|
656 SSL_get_version(proxy->ssl), |
3917bf9cf311
login_log_format_elements: Added %k to show SSL protocol/cipher information.
Timo Sirainen <tss@iki.fi>
parents:
7912
diff
changeset
|
657 SSL_CIPHER_get_name(cipher), |
9389
26ca4ff5d269
login: ssl_security string now also shows the used compression.
Timo Sirainen <tss@iki.fi>
parents:
9305
diff
changeset
|
658 bits, alg_bits, comp_str); |
8122
3917bf9cf311
login_log_format_elements: Added %k to show SSL protocol/cipher information.
Timo Sirainen <tss@iki.fi>
parents:
7912
diff
changeset
|
659 } |
3917bf9cf311
login_log_format_elements: Added %k to show SSL protocol/cipher information.
Timo Sirainen <tss@iki.fi>
parents:
7912
diff
changeset
|
660 |
2027
dc5d0da1abe9
Added ssl_require_client_cert auth-specific setting. Hide
Timo Sirainen <tss@iki.fi>
parents:
2007
diff
changeset
|
661 void ssl_proxy_free(struct ssl_proxy *proxy) |
dc5d0da1abe9
Added ssl_require_client_cert auth-specific setting. Hide
Timo Sirainen <tss@iki.fi>
parents:
2007
diff
changeset
|
662 { |
dc5d0da1abe9
Added ssl_require_client_cert auth-specific setting. Hide
Timo Sirainen <tss@iki.fi>
parents:
2007
diff
changeset
|
663 ssl_proxy_unref(proxy); |
1049
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
664 } |
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
665 |
3863
55df57c028d4
Added "bool" type and changed all ints that were used as booleans to bool.
Timo Sirainen <tss@iki.fi>
parents:
3635
diff
changeset
|
666 static void ssl_proxy_unref(struct ssl_proxy *proxy) |
1049
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
667 { |
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
668 if (--proxy->refcount > 0) |
3863
55df57c028d4
Added "bool" type and changed all ints that were used as booleans to bool.
Timo Sirainen <tss@iki.fi>
parents:
3635
diff
changeset
|
669 return; |
1490 | 670 i_assert(proxy->refcount == 0); |
1049
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
671 |
2302
8438064ddf08
Refcounting fixes. Unexpectedly destroyed SSL connection could have left
Timo Sirainen <tss@iki.fi>
parents:
2027
diff
changeset
|
672 SSL_free(proxy->ssl); |
8438064ddf08
Refcounting fixes. Unexpectedly destroyed SSL connection could have left
Timo Sirainen <tss@iki.fi>
parents:
2027
diff
changeset
|
673 i_free(proxy); |
8438064ddf08
Refcounting fixes. Unexpectedly destroyed SSL connection could have left
Timo Sirainen <tss@iki.fi>
parents:
2027
diff
changeset
|
674 |
8438064ddf08
Refcounting fixes. Unexpectedly destroyed SSL connection could have left
Timo Sirainen <tss@iki.fi>
parents:
2027
diff
changeset
|
675 main_unref(); |
8438064ddf08
Refcounting fixes. Unexpectedly destroyed SSL connection could have left
Timo Sirainen <tss@iki.fi>
parents:
2027
diff
changeset
|
676 } |
8438064ddf08
Refcounting fixes. Unexpectedly destroyed SSL connection could have left
Timo Sirainen <tss@iki.fi>
parents:
2027
diff
changeset
|
677 |
9658
8ba4253adc9b
*-login: SSL connections didn't get closed when the client got destroyed.
Timo Sirainen <tss@iki.fi>
parents:
9653
diff
changeset
|
678 void ssl_proxy_destroy(struct ssl_proxy *proxy) |
2302
8438064ddf08
Refcounting fixes. Unexpectedly destroyed SSL connection could have left
Timo Sirainen <tss@iki.fi>
parents:
2027
diff
changeset
|
679 { |
8438064ddf08
Refcounting fixes. Unexpectedly destroyed SSL connection could have left
Timo Sirainen <tss@iki.fi>
parents:
2027
diff
changeset
|
680 if (proxy->destroyed) |
8438064ddf08
Refcounting fixes. Unexpectedly destroyed SSL connection could have left
Timo Sirainen <tss@iki.fi>
parents:
2027
diff
changeset
|
681 return; |
8438064ddf08
Refcounting fixes. Unexpectedly destroyed SSL connection could have left
Timo Sirainen <tss@iki.fi>
parents:
2027
diff
changeset
|
682 proxy->destroyed = TRUE; |
8438064ddf08
Refcounting fixes. Unexpectedly destroyed SSL connection could have left
Timo Sirainen <tss@iki.fi>
parents:
2027
diff
changeset
|
683 |
7119
8c6a7af67e8c
Replaced clients hash with a linked list.
Timo Sirainen <tss@iki.fi>
parents:
7086
diff
changeset
|
684 ssl_proxy_count--; |
8c6a7af67e8c
Replaced clients hash with a linked list.
Timo Sirainen <tss@iki.fi>
parents:
7086
diff
changeset
|
685 DLLIST_REMOVE(&ssl_proxies, proxy); |
1230
e6d2b8c78519
Keep list of the SSL proxies, so they're deinitialized properly if we have
Timo Sirainen <tss@iki.fi>
parents:
1215
diff
changeset
|
686 |
4538
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
687 if (proxy->io_ssl_read != NULL) |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
688 io_remove(&proxy->io_ssl_read); |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
689 if (proxy->io_ssl_write != NULL) |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
690 io_remove(&proxy->io_ssl_write); |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
691 if (proxy->io_plain_read != NULL) |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
692 io_remove(&proxy->io_plain_read); |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
693 if (proxy->io_plain_write != NULL) |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
694 io_remove(&proxy->io_plain_write); |
1049
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
695 |
7346 | 696 (void)SSL_shutdown(proxy->ssl); |
697 | |
3960
aeb424e64f24
Call io_remove() before closing the fd. It's required by kqueue.
Timo Sirainen <tss@iki.fi>
parents:
3889
diff
changeset
|
698 (void)net_disconnect(proxy->fd_ssl); |
aeb424e64f24
Call io_remove() before closing the fd. It's required by kqueue.
Timo Sirainen <tss@iki.fi>
parents:
3889
diff
changeset
|
699 (void)net_disconnect(proxy->fd_plain); |
aeb424e64f24
Call io_remove() before closing the fd. It's required by kqueue.
Timo Sirainen <tss@iki.fi>
parents:
3889
diff
changeset
|
700 |
2302
8438064ddf08
Refcounting fixes. Unexpectedly destroyed SSL connection could have left
Timo Sirainen <tss@iki.fi>
parents:
2027
diff
changeset
|
701 ssl_proxy_unref(proxy); |
4538
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
702 |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
703 main_listen_start(); |
1458
98362534b2c7
Unexpected SSL connection errors sometimes crashed
Timo Sirainen <tss@iki.fi>
parents:
1457
diff
changeset
|
704 } |
98362534b2c7
Unexpected SSL connection errors sometimes crashed
Timo Sirainen <tss@iki.fi>
parents:
1457
diff
changeset
|
705 |
6411
6a64e64fa3a3
Renamed __attr_*__ to ATTR_*. Renamed __attrs_used__ to ATTRS_DEFINED.
Timo Sirainen <tss@iki.fi>
parents:
6364
diff
changeset
|
706 static RSA *ssl_gen_rsa_key(SSL *ssl ATTR_UNUSED, |
6a64e64fa3a3
Renamed __attr_*__ to ATTR_*. Renamed __attrs_used__ to ATTRS_DEFINED.
Timo Sirainen <tss@iki.fi>
parents:
6364
diff
changeset
|
707 int is_export ATTR_UNUSED, int keylength) |
1492
383d87166963
Generate temporary RSA key when requested. Could be slow, should do some
Timo Sirainen <tss@iki.fi>
parents:
1490
diff
changeset
|
708 { |
383d87166963
Generate temporary RSA key when requested. Could be slow, should do some
Timo Sirainen <tss@iki.fi>
parents:
1490
diff
changeset
|
709 return RSA_generate_key(keylength, RSA_F4, NULL, NULL); |
383d87166963
Generate temporary RSA key when requested. Could be slow, should do some
Timo Sirainen <tss@iki.fi>
parents:
1490
diff
changeset
|
710 } |
383d87166963
Generate temporary RSA key when requested. Could be slow, should do some
Timo Sirainen <tss@iki.fi>
parents:
1490
diff
changeset
|
711 |
6411
6a64e64fa3a3
Renamed __attr_*__ to ATTR_*. Renamed __attrs_used__ to ATTRS_DEFINED.
Timo Sirainen <tss@iki.fi>
parents:
6364
diff
changeset
|
712 static DH *ssl_tmp_dh_callback(SSL *ssl ATTR_UNUSED, |
3888
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
713 int is_export, int keylength) |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
714 { |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
715 /* Well, I'm not exactly sure why the logic in here is this. |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
716 It's the same as in Postfix, so it can't be too wrong. */ |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
717 if (is_export && keylength == 512 && ssl_params.dh_512 != NULL) |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
718 return ssl_params.dh_512; |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
719 |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
720 return ssl_params.dh_1024; |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
721 } |
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
722 |
9448
ab32d7e2c0d6
imap-login: If imap_capability is set, show it in the banner instead of the default.
Timo Sirainen <tss@iki.fi>
parents:
9435
diff
changeset
|
723 #ifdef HAVE_SSL_CTX_SET_INFO_CALLBACK |
4471
a939ee143a96
If verbose_ssl=yes set ssl_info_callback and print any alerts and BIO
Timo Sirainen <tss@iki.fi>
parents:
4352
diff
changeset
|
724 static void ssl_info_callback(const SSL *ssl, int where, int ret) |
a939ee143a96
If verbose_ssl=yes set ssl_info_callback and print any alerts and BIO
Timo Sirainen <tss@iki.fi>
parents:
4352
diff
changeset
|
725 { |
a939ee143a96
If verbose_ssl=yes set ssl_info_callback and print any alerts and BIO
Timo Sirainen <tss@iki.fi>
parents:
4352
diff
changeset
|
726 struct ssl_proxy *proxy; |
a939ee143a96
If verbose_ssl=yes set ssl_info_callback and print any alerts and BIO
Timo Sirainen <tss@iki.fi>
parents:
4352
diff
changeset
|
727 |
a939ee143a96
If verbose_ssl=yes set ssl_info_callback and print any alerts and BIO
Timo Sirainen <tss@iki.fi>
parents:
4352
diff
changeset
|
728 proxy = SSL_get_ex_data(ssl, extdata_index); |
a939ee143a96
If verbose_ssl=yes set ssl_info_callback and print any alerts and BIO
Timo Sirainen <tss@iki.fi>
parents:
4352
diff
changeset
|
729 |
a939ee143a96
If verbose_ssl=yes set ssl_info_callback and print any alerts and BIO
Timo Sirainen <tss@iki.fi>
parents:
4352
diff
changeset
|
730 if ((where & SSL_CB_ALERT) != 0) { |
a939ee143a96
If verbose_ssl=yes set ssl_info_callback and print any alerts and BIO
Timo Sirainen <tss@iki.fi>
parents:
4352
diff
changeset
|
731 i_warning("SSL alert: where=0x%x, ret=%d: %s %s [%s]", |
a939ee143a96
If verbose_ssl=yes set ssl_info_callback and print any alerts and BIO
Timo Sirainen <tss@iki.fi>
parents:
4352
diff
changeset
|
732 where, ret, SSL_alert_type_string_long(ret), |
a939ee143a96
If verbose_ssl=yes set ssl_info_callback and print any alerts and BIO
Timo Sirainen <tss@iki.fi>
parents:
4352
diff
changeset
|
733 SSL_alert_desc_string_long(ret), |
a939ee143a96
If verbose_ssl=yes set ssl_info_callback and print any alerts and BIO
Timo Sirainen <tss@iki.fi>
parents:
4352
diff
changeset
|
734 net_ip2addr(&proxy->ip)); |
9514
eecb23d78acf
verbose_ssl: Don't log SSL info messages with "BIO failed" prefix.
Timo Sirainen <tss@iki.fi>
parents:
9448
diff
changeset
|
735 } else if (ret == 0) { |
eecb23d78acf
verbose_ssl: Don't log SSL info messages with "BIO failed" prefix.
Timo Sirainen <tss@iki.fi>
parents:
9448
diff
changeset
|
736 i_warning("SSL failed: where=0x%x: %s [%s]", |
eecb23d78acf
verbose_ssl: Don't log SSL info messages with "BIO failed" prefix.
Timo Sirainen <tss@iki.fi>
parents:
9448
diff
changeset
|
737 where, SSL_state_string_long(ssl), |
eecb23d78acf
verbose_ssl: Don't log SSL info messages with "BIO failed" prefix.
Timo Sirainen <tss@iki.fi>
parents:
9448
diff
changeset
|
738 net_ip2addr(&proxy->ip)); |
4471
a939ee143a96
If verbose_ssl=yes set ssl_info_callback and print any alerts and BIO
Timo Sirainen <tss@iki.fi>
parents:
4352
diff
changeset
|
739 } else { |
9514
eecb23d78acf
verbose_ssl: Don't log SSL info messages with "BIO failed" prefix.
Timo Sirainen <tss@iki.fi>
parents:
9448
diff
changeset
|
740 i_warning("SSL: where=0x%x, ret=%d: %s [%s]", |
4471
a939ee143a96
If verbose_ssl=yes set ssl_info_callback and print any alerts and BIO
Timo Sirainen <tss@iki.fi>
parents:
4352
diff
changeset
|
741 where, ret, SSL_state_string_long(ssl), |
a939ee143a96
If verbose_ssl=yes set ssl_info_callback and print any alerts and BIO
Timo Sirainen <tss@iki.fi>
parents:
4352
diff
changeset
|
742 net_ip2addr(&proxy->ip)); |
a939ee143a96
If verbose_ssl=yes set ssl_info_callback and print any alerts and BIO
Timo Sirainen <tss@iki.fi>
parents:
4352
diff
changeset
|
743 } |
a939ee143a96
If verbose_ssl=yes set ssl_info_callback and print any alerts and BIO
Timo Sirainen <tss@iki.fi>
parents:
4352
diff
changeset
|
744 } |
9448
ab32d7e2c0d6
imap-login: If imap_capability is set, show it in the banner instead of the default.
Timo Sirainen <tss@iki.fi>
parents:
9435
diff
changeset
|
745 #endif |
4471
a939ee143a96
If verbose_ssl=yes set ssl_info_callback and print any alerts and BIO
Timo Sirainen <tss@iki.fi>
parents:
4352
diff
changeset
|
746 |
2027
dc5d0da1abe9
Added ssl_require_client_cert auth-specific setting. Hide
Timo Sirainen <tss@iki.fi>
parents:
2007
diff
changeset
|
747 static int ssl_verify_client_cert(int preverify_ok, X509_STORE_CTX *ctx) |
dc5d0da1abe9
Added ssl_require_client_cert auth-specific setting. Hide
Timo Sirainen <tss@iki.fi>
parents:
2007
diff
changeset
|
748 { |
dc5d0da1abe9
Added ssl_require_client_cert auth-specific setting. Hide
Timo Sirainen <tss@iki.fi>
parents:
2007
diff
changeset
|
749 SSL *ssl; |
dc5d0da1abe9
Added ssl_require_client_cert auth-specific setting. Hide
Timo Sirainen <tss@iki.fi>
parents:
2007
diff
changeset
|
750 struct ssl_proxy *proxy; |
dc5d0da1abe9
Added ssl_require_client_cert auth-specific setting. Hide
Timo Sirainen <tss@iki.fi>
parents:
2007
diff
changeset
|
751 |
dc5d0da1abe9
Added ssl_require_client_cert auth-specific setting. Hide
Timo Sirainen <tss@iki.fi>
parents:
2007
diff
changeset
|
752 ssl = X509_STORE_CTX_get_ex_data(ctx, |
dc5d0da1abe9
Added ssl_require_client_cert auth-specific setting. Hide
Timo Sirainen <tss@iki.fi>
parents:
2007
diff
changeset
|
753 SSL_get_ex_data_X509_STORE_CTX_idx()); |
dc5d0da1abe9
Added ssl_require_client_cert auth-specific setting. Hide
Timo Sirainen <tss@iki.fi>
parents:
2007
diff
changeset
|
754 proxy = SSL_get_ex_data(ssl, extdata_index); |
4352
d57c83c64b20
Updates to ssl_verify_client_cert: Check CRLs. If auth_verbose=yes, log
Timo Sirainen <tss@iki.fi>
parents:
4131
diff
changeset
|
755 proxy->cert_received = TRUE; |
2027
dc5d0da1abe9
Added ssl_require_client_cert auth-specific setting. Hide
Timo Sirainen <tss@iki.fi>
parents:
2007
diff
changeset
|
756 |
4352
d57c83c64b20
Updates to ssl_verify_client_cert: Check CRLs. If auth_verbose=yes, log
Timo Sirainen <tss@iki.fi>
parents:
4131
diff
changeset
|
757 if (verbose_ssl || (verbose_auth && !preverify_ok)) { |
d57c83c64b20
Updates to ssl_verify_client_cert: Check CRLs. If auth_verbose=yes, log
Timo Sirainen <tss@iki.fi>
parents:
4131
diff
changeset
|
758 char buf[1024]; |
d57c83c64b20
Updates to ssl_verify_client_cert: Check CRLs. If auth_verbose=yes, log
Timo Sirainen <tss@iki.fi>
parents:
4131
diff
changeset
|
759 X509_NAME *subject; |
d57c83c64b20
Updates to ssl_verify_client_cert: Check CRLs. If auth_verbose=yes, log
Timo Sirainen <tss@iki.fi>
parents:
4131
diff
changeset
|
760 |
d57c83c64b20
Updates to ssl_verify_client_cert: Check CRLs. If auth_verbose=yes, log
Timo Sirainen <tss@iki.fi>
parents:
4131
diff
changeset
|
761 subject = X509_get_subject_name(ctx->current_cert); |
d57c83c64b20
Updates to ssl_verify_client_cert: Check CRLs. If auth_verbose=yes, log
Timo Sirainen <tss@iki.fi>
parents:
4131
diff
changeset
|
762 (void)X509_NAME_oneline(subject, buf, sizeof(buf)); |
d57c83c64b20
Updates to ssl_verify_client_cert: Check CRLs. If auth_verbose=yes, log
Timo Sirainen <tss@iki.fi>
parents:
4131
diff
changeset
|
763 buf[sizeof(buf)-1] = '\0'; /* just in case.. */ |
d57c83c64b20
Updates to ssl_verify_client_cert: Check CRLs. If auth_verbose=yes, log
Timo Sirainen <tss@iki.fi>
parents:
4131
diff
changeset
|
764 if (!preverify_ok) |
4695
07afd19bc53e
Updates to ssl_ca_file and ssl_username_from_cert comments in
Timo Sirainen <tss@iki.fi>
parents:
4664
diff
changeset
|
765 i_info("Invalid certificate: %s: %s", X509_verify_cert_error_string(ctx->error),buf); |
4352
d57c83c64b20
Updates to ssl_verify_client_cert: Check CRLs. If auth_verbose=yes, log
Timo Sirainen <tss@iki.fi>
parents:
4131
diff
changeset
|
766 else |
d57c83c64b20
Updates to ssl_verify_client_cert: Check CRLs. If auth_verbose=yes, log
Timo Sirainen <tss@iki.fi>
parents:
4131
diff
changeset
|
767 i_info("Valid certificate: %s", buf); |
d57c83c64b20
Updates to ssl_verify_client_cert: Check CRLs. If auth_verbose=yes, log
Timo Sirainen <tss@iki.fi>
parents:
4131
diff
changeset
|
768 } |
2027
dc5d0da1abe9
Added ssl_require_client_cert auth-specific setting. Hide
Timo Sirainen <tss@iki.fi>
parents:
2007
diff
changeset
|
769 if (!preverify_ok) |
dc5d0da1abe9
Added ssl_require_client_cert auth-specific setting. Hide
Timo Sirainen <tss@iki.fi>
parents:
2007
diff
changeset
|
770 proxy->cert_broken = TRUE; |
dc5d0da1abe9
Added ssl_require_client_cert auth-specific setting. Hide
Timo Sirainen <tss@iki.fi>
parents:
2007
diff
changeset
|
771 |
4352
d57c83c64b20
Updates to ssl_verify_client_cert: Check CRLs. If auth_verbose=yes, log
Timo Sirainen <tss@iki.fi>
parents:
4131
diff
changeset
|
772 /* Return success anyway, because if ssl_require_client_cert=no we |
d57c83c64b20
Updates to ssl_verify_client_cert: Check CRLs. If auth_verbose=yes, log
Timo Sirainen <tss@iki.fi>
parents:
4131
diff
changeset
|
773 could still allow authentication. */ |
2027
dc5d0da1abe9
Added ssl_require_client_cert auth-specific setting. Hide
Timo Sirainen <tss@iki.fi>
parents:
2007
diff
changeset
|
774 return 1; |
dc5d0da1abe9
Added ssl_require_client_cert auth-specific setting. Hide
Timo Sirainen <tss@iki.fi>
parents:
2007
diff
changeset
|
775 } |
dc5d0da1abe9
Added ssl_require_client_cert auth-specific setting. Hide
Timo Sirainen <tss@iki.fi>
parents:
2007
diff
changeset
|
776 |
3889
c7462001227b
Added support for password protected SSL private keys. The password can be
Timo Sirainen <tss@iki.fi>
parents:
3888
diff
changeset
|
777 static int |
6411
6a64e64fa3a3
Renamed __attr_*__ to ATTR_*. Renamed __attrs_used__ to ATTRS_DEFINED.
Timo Sirainen <tss@iki.fi>
parents:
6364
diff
changeset
|
778 pem_password_callback(char *buf, int size, int rwflag ATTR_UNUSED, |
3889
c7462001227b
Added support for password protected SSL private keys. The password can be
Timo Sirainen <tss@iki.fi>
parents:
3888
diff
changeset
|
779 void *userdata) |
c7462001227b
Added support for password protected SSL private keys. The password can be
Timo Sirainen <tss@iki.fi>
parents:
3888
diff
changeset
|
780 { |
c7462001227b
Added support for password protected SSL private keys. The password can be
Timo Sirainen <tss@iki.fi>
parents:
3888
diff
changeset
|
781 if (userdata == NULL) { |
c7462001227b
Added support for password protected SSL private keys. The password can be
Timo Sirainen <tss@iki.fi>
parents:
3888
diff
changeset
|
782 i_error("SSL private key file is password protected, " |
c7462001227b
Added support for password protected SSL private keys. The password can be
Timo Sirainen <tss@iki.fi>
parents:
3888
diff
changeset
|
783 "but password isn't given"); |
c7462001227b
Added support for password protected SSL private keys. The password can be
Timo Sirainen <tss@iki.fi>
parents:
3888
diff
changeset
|
784 return 0; |
c7462001227b
Added support for password protected SSL private keys. The password can be
Timo Sirainen <tss@iki.fi>
parents:
3888
diff
changeset
|
785 } |
c7462001227b
Added support for password protected SSL private keys. The password can be
Timo Sirainen <tss@iki.fi>
parents:
3888
diff
changeset
|
786 |
6422
18173a52f721
Renamed strocpy() to i_strocpy().
Timo Sirainen <tss@iki.fi>
parents:
6417
diff
changeset
|
787 if (i_strocpy(buf, userdata, size) < 0) |
3889
c7462001227b
Added support for password protected SSL private keys. The password can be
Timo Sirainen <tss@iki.fi>
parents:
3888
diff
changeset
|
788 return 0; |
c7462001227b
Added support for password protected SSL private keys. The password can be
Timo Sirainen <tss@iki.fi>
parents:
3888
diff
changeset
|
789 return strlen(buf); |
c7462001227b
Added support for password protected SSL private keys. The password can be
Timo Sirainen <tss@iki.fi>
parents:
3888
diff
changeset
|
790 } |
c7462001227b
Added support for password protected SSL private keys. The password can be
Timo Sirainen <tss@iki.fi>
parents:
3888
diff
changeset
|
791 |
4538
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
792 unsigned int ssl_proxy_get_count(void) |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
793 { |
7119
8c6a7af67e8c
Replaced clients hash with a linked list.
Timo Sirainen <tss@iki.fi>
parents:
7086
diff
changeset
|
794 return ssl_proxy_count; |
4538
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
795 } |
9d9e72374164
Fixes to login process handling, especially with
Timo Sirainen <tss@iki.fi>
parents:
4506
diff
changeset
|
796 |
8224
7ac86b33ad64
Log a better error message if ssl_cert_file doesn't point to a valid certificate.
Timo Sirainen <tss@iki.fi>
parents:
8122
diff
changeset
|
797 static bool is_pem_key_file(const char *path) |
7ac86b33ad64
Log a better error message if ssl_cert_file doesn't point to a valid certificate.
Timo Sirainen <tss@iki.fi>
parents:
8122
diff
changeset
|
798 { |
7ac86b33ad64
Log a better error message if ssl_cert_file doesn't point to a valid certificate.
Timo Sirainen <tss@iki.fi>
parents:
8122
diff
changeset
|
799 char buf[4096]; |
7ac86b33ad64
Log a better error message if ssl_cert_file doesn't point to a valid certificate.
Timo Sirainen <tss@iki.fi>
parents:
8122
diff
changeset
|
800 int fd, ret; |
7ac86b33ad64
Log a better error message if ssl_cert_file doesn't point to a valid certificate.
Timo Sirainen <tss@iki.fi>
parents:
8122
diff
changeset
|
801 |
7ac86b33ad64
Log a better error message if ssl_cert_file doesn't point to a valid certificate.
Timo Sirainen <tss@iki.fi>
parents:
8122
diff
changeset
|
802 /* this code is used only for giving a better error message, |
7ac86b33ad64
Log a better error message if ssl_cert_file doesn't point to a valid certificate.
Timo Sirainen <tss@iki.fi>
parents:
8122
diff
changeset
|
803 so it needs to catch only the normal key files */ |
7ac86b33ad64
Log a better error message if ssl_cert_file doesn't point to a valid certificate.
Timo Sirainen <tss@iki.fi>
parents:
8122
diff
changeset
|
804 fd = open(path, O_RDONLY); |
7ac86b33ad64
Log a better error message if ssl_cert_file doesn't point to a valid certificate.
Timo Sirainen <tss@iki.fi>
parents:
8122
diff
changeset
|
805 if (fd == -1) |
7ac86b33ad64
Log a better error message if ssl_cert_file doesn't point to a valid certificate.
Timo Sirainen <tss@iki.fi>
parents:
8122
diff
changeset
|
806 return FALSE; |
7ac86b33ad64
Log a better error message if ssl_cert_file doesn't point to a valid certificate.
Timo Sirainen <tss@iki.fi>
parents:
8122
diff
changeset
|
807 ret = read(fd, buf, sizeof(buf)-1); |
7ac86b33ad64
Log a better error message if ssl_cert_file doesn't point to a valid certificate.
Timo Sirainen <tss@iki.fi>
parents:
8122
diff
changeset
|
808 close(fd); |
7ac86b33ad64
Log a better error message if ssl_cert_file doesn't point to a valid certificate.
Timo Sirainen <tss@iki.fi>
parents:
8122
diff
changeset
|
809 if (ret <= 0) |
7ac86b33ad64
Log a better error message if ssl_cert_file doesn't point to a valid certificate.
Timo Sirainen <tss@iki.fi>
parents:
8122
diff
changeset
|
810 return FALSE; |
7ac86b33ad64
Log a better error message if ssl_cert_file doesn't point to a valid certificate.
Timo Sirainen <tss@iki.fi>
parents:
8122
diff
changeset
|
811 buf[ret] = '\0'; |
7ac86b33ad64
Log a better error message if ssl_cert_file doesn't point to a valid certificate.
Timo Sirainen <tss@iki.fi>
parents:
8122
diff
changeset
|
812 return strstr(buf, "PRIVATE KEY---") != NULL; |
7ac86b33ad64
Log a better error message if ssl_cert_file doesn't point to a valid certificate.
Timo Sirainen <tss@iki.fi>
parents:
8122
diff
changeset
|
813 } |
7ac86b33ad64
Log a better error message if ssl_cert_file doesn't point to a valid certificate.
Timo Sirainen <tss@iki.fi>
parents:
8122
diff
changeset
|
814 |
8985
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
815 static void ssl_proxy_ctx_init(SSL_CTX *ssl_ctx) |
1049
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
816 { |
8985
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
817 const char *cafile; |
1049
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
818 |
9653
9f3c8c59f8c4
SSL: Enable SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS flag for extra security.
Timo Sirainen <tss@iki.fi>
parents:
9628
diff
changeset
|
819 /* enable all SSL workarounds, except empty fragments as it |
9f3c8c59f8c4
SSL: Enable SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS flag for extra security.
Timo Sirainen <tss@iki.fi>
parents:
9628
diff
changeset
|
820 makes SSL more vulnerable against attacks */ |
9f3c8c59f8c4
SSL: Enable SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS flag for extra security.
Timo Sirainen <tss@iki.fi>
parents:
9628
diff
changeset
|
821 SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL & |
9f3c8c59f8c4
SSL: Enable SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS flag for extra security.
Timo Sirainen <tss@iki.fi>
parents:
9628
diff
changeset
|
822 ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS); |
1544
ac6ee442376d
OpenSSL proxy changes - hopefully fixes something. Also don't crash with
Timo Sirainen <tss@iki.fi>
parents:
1492
diff
changeset
|
823 |
8985
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
824 cafile = getenv("SSL_CA_FILE"); |
1907
190f1d315ce6
Added setting ssl_ca_file, patch by Zach Bagnall
Timo Sirainen <tss@iki.fi>
parents:
1897
diff
changeset
|
825 if (cafile != NULL) { |
190f1d315ce6
Added setting ssl_ca_file, patch by Zach Bagnall
Timo Sirainen <tss@iki.fi>
parents:
1897
diff
changeset
|
826 if (SSL_CTX_load_verify_locations(ssl_ctx, cafile, NULL) != 1) { |
190f1d315ce6
Added setting ssl_ca_file, patch by Zach Bagnall
Timo Sirainen <tss@iki.fi>
parents:
1897
diff
changeset
|
827 i_fatal("Can't load CA file %s: %s", |
190f1d315ce6
Added setting ssl_ca_file, patch by Zach Bagnall
Timo Sirainen <tss@iki.fi>
parents:
1897
diff
changeset
|
828 cafile, ssl_last_error()); |
190f1d315ce6
Added setting ssl_ca_file, patch by Zach Bagnall
Timo Sirainen <tss@iki.fi>
parents:
1897
diff
changeset
|
829 } |
190f1d315ce6
Added setting ssl_ca_file, patch by Zach Bagnall
Timo Sirainen <tss@iki.fi>
parents:
1897
diff
changeset
|
830 } |
9448
ab32d7e2c0d6
imap-login: If imap_capability is set, show it in the banner instead of the default.
Timo Sirainen <tss@iki.fi>
parents:
9435
diff
changeset
|
831 #ifdef HAVE_SSL_CTX_SET_INFO_CALLBACK |
8985
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
832 if (verbose_ssl) |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
833 SSL_CTX_set_info_callback(ssl_ctx, ssl_info_callback); |
9448
ab32d7e2c0d6
imap-login: If imap_capability is set, show it in the banner instead of the default.
Timo Sirainen <tss@iki.fi>
parents:
9435
diff
changeset
|
834 #endif |
8985
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
835 if (SSL_CTX_need_tmp_RSA(ssl_ctx)) |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
836 SSL_CTX_set_tmp_rsa_callback(ssl_ctx, ssl_gen_rsa_key); |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
837 SSL_CTX_set_tmp_dh_callback(ssl_ctx, ssl_tmp_dh_callback); |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
838 } |
1907
190f1d315ce6
Added setting ssl_ca_file, patch by Zach Bagnall
Timo Sirainen <tss@iki.fi>
parents:
1897
diff
changeset
|
839 |
8985
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
840 static void ssl_proxy_ctx_verify_client(SSL_CTX *ssl_ctx) |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
841 { |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
842 const char *cafile; |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
843 #if OPENSSL_VERSION_NUMBER >= 0x00907000L |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
844 X509_STORE *store; |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
845 |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
846 store = SSL_CTX_get_cert_store(ssl_ctx); |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
847 X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK | |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
848 X509_V_FLAG_CRL_CHECK_ALL); |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
849 #endif |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
850 cafile = getenv("SSL_CA_FILE"); |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
851 SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
852 ssl_verify_client_cert); |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
853 SSL_CTX_set_client_CA_list(ssl_ctx, SSL_load_client_CA_file(cafile)); |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
854 } |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
855 |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
856 static void ssl_proxy_init_server(const char *certfile, const char *keyfile) |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
857 { |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
858 const char *cipher_list, *username_field; |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
859 char *password; |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
860 unsigned long err; |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
861 |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
862 password = getenv("SSL_KEY_PASSWORD"); |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
863 |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
864 if ((ssl_server_ctx = SSL_CTX_new(SSLv23_server_method())) == NULL) |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
865 i_fatal("SSL_CTX_new() failed"); |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
866 ssl_proxy_ctx_init(ssl_server_ctx); |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
867 |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
868 cipher_list = getenv("SSL_CIPHER_LIST"); |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
869 if (cipher_list == NULL) |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
870 cipher_list = DOVECOT_SSL_DEFAULT_CIPHER_LIST; |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
871 if (SSL_CTX_set_cipher_list(ssl_server_ctx, cipher_list) != 1) { |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
872 i_fatal("Can't set cipher list to '%s': %s", |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
873 cipher_list, ssl_last_error()); |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
874 } |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
875 |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
876 if (SSL_CTX_use_certificate_chain_file(ssl_server_ctx, certfile) != 1) { |
8224
7ac86b33ad64
Log a better error message if ssl_cert_file doesn't point to a valid certificate.
Timo Sirainen <tss@iki.fi>
parents:
8122
diff
changeset
|
877 err = ERR_peek_error(); |
7ac86b33ad64
Log a better error message if ssl_cert_file doesn't point to a valid certificate.
Timo Sirainen <tss@iki.fi>
parents:
8122
diff
changeset
|
878 if (ERR_GET_LIB(err) != ERR_LIB_PEM || |
7ac86b33ad64
Log a better error message if ssl_cert_file doesn't point to a valid certificate.
Timo Sirainen <tss@iki.fi>
parents:
8122
diff
changeset
|
879 ERR_GET_REASON(err) != PEM_R_NO_START_LINE) { |
7ac86b33ad64
Log a better error message if ssl_cert_file doesn't point to a valid certificate.
Timo Sirainen <tss@iki.fi>
parents:
8122
diff
changeset
|
880 i_fatal("Can't load certificate file %s: %s", |
7ac86b33ad64
Log a better error message if ssl_cert_file doesn't point to a valid certificate.
Timo Sirainen <tss@iki.fi>
parents:
8122
diff
changeset
|
881 certfile, ssl_last_error()); |
7ac86b33ad64
Log a better error message if ssl_cert_file doesn't point to a valid certificate.
Timo Sirainen <tss@iki.fi>
parents:
8122
diff
changeset
|
882 } else if (is_pem_key_file(certfile)) { |
7ac86b33ad64
Log a better error message if ssl_cert_file doesn't point to a valid certificate.
Timo Sirainen <tss@iki.fi>
parents:
8122
diff
changeset
|
883 i_fatal("Can't load certificate file %s: " |
7ac86b33ad64
Log a better error message if ssl_cert_file doesn't point to a valid certificate.
Timo Sirainen <tss@iki.fi>
parents:
8122
diff
changeset
|
884 "The file contains a private key " |
7ac86b33ad64
Log a better error message if ssl_cert_file doesn't point to a valid certificate.
Timo Sirainen <tss@iki.fi>
parents:
8122
diff
changeset
|
885 "(you've mixed ssl_cert_file and ssl_key_file settings)", |
7ac86b33ad64
Log a better error message if ssl_cert_file doesn't point to a valid certificate.
Timo Sirainen <tss@iki.fi>
parents:
8122
diff
changeset
|
886 certfile); |
7ac86b33ad64
Log a better error message if ssl_cert_file doesn't point to a valid certificate.
Timo Sirainen <tss@iki.fi>
parents:
8122
diff
changeset
|
887 } else { |
7ac86b33ad64
Log a better error message if ssl_cert_file doesn't point to a valid certificate.
Timo Sirainen <tss@iki.fi>
parents:
8122
diff
changeset
|
888 i_fatal("Can't load certificate file %s: " |
7ac86b33ad64
Log a better error message if ssl_cert_file doesn't point to a valid certificate.
Timo Sirainen <tss@iki.fi>
parents:
8122
diff
changeset
|
889 "The file doesn't contain a certificate.", |
7ac86b33ad64
Log a better error message if ssl_cert_file doesn't point to a valid certificate.
Timo Sirainen <tss@iki.fi>
parents:
8122
diff
changeset
|
890 certfile); |
7ac86b33ad64
Log a better error message if ssl_cert_file doesn't point to a valid certificate.
Timo Sirainen <tss@iki.fi>
parents:
8122
diff
changeset
|
891 } |
1049
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
892 } |
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
893 |
8985
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
894 SSL_CTX_set_default_passwd_cb(ssl_server_ctx, pem_password_callback); |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
895 SSL_CTX_set_default_passwd_cb_userdata(ssl_server_ctx, password); |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
896 if (SSL_CTX_use_PrivateKey_file(ssl_server_ctx, keyfile, |
3584
b686c8bbcd6f
Don't require private key to be RSA
Timo Sirainen <tss@iki.fi>
parents:
3580
diff
changeset
|
897 SSL_FILETYPE_PEM) != 1) { |
9394
e7a973c0101b
ssl: If given ssl key is for a different cert, give a nicer error message.
Timo Sirainen <tss@iki.fi>
parents:
9389
diff
changeset
|
898 err = ERR_peek_error(); |
e7a973c0101b
ssl: If given ssl key is for a different cert, give a nicer error message.
Timo Sirainen <tss@iki.fi>
parents:
9389
diff
changeset
|
899 if (ERR_GET_LIB(err) == ERR_LIB_X509 && |
e7a973c0101b
ssl: If given ssl key is for a different cert, give a nicer error message.
Timo Sirainen <tss@iki.fi>
parents:
9389
diff
changeset
|
900 ERR_GET_REASON(err) == X509_R_KEY_VALUES_MISMATCH) { |
e7a973c0101b
ssl: If given ssl key is for a different cert, give a nicer error message.
Timo Sirainen <tss@iki.fi>
parents:
9389
diff
changeset
|
901 i_fatal("Can't load private key file %s: " |
e7a973c0101b
ssl: If given ssl key is for a different cert, give a nicer error message.
Timo Sirainen <tss@iki.fi>
parents:
9389
diff
changeset
|
902 "Key is for a different cert than %s", |
e7a973c0101b
ssl: If given ssl key is for a different cert, give a nicer error message.
Timo Sirainen <tss@iki.fi>
parents:
9389
diff
changeset
|
903 keyfile, certfile); |
e7a973c0101b
ssl: If given ssl key is for a different cert, give a nicer error message.
Timo Sirainen <tss@iki.fi>
parents:
9389
diff
changeset
|
904 } else { |
e7a973c0101b
ssl: If given ssl key is for a different cert, give a nicer error message.
Timo Sirainen <tss@iki.fi>
parents:
9389
diff
changeset
|
905 i_fatal("Can't load private key file %s: %s", |
e7a973c0101b
ssl: If given ssl key is for a different cert, give a nicer error message.
Timo Sirainen <tss@iki.fi>
parents:
9389
diff
changeset
|
906 keyfile, ssl_last_error()); |
e7a973c0101b
ssl: If given ssl key is for a different cert, give a nicer error message.
Timo Sirainen <tss@iki.fi>
parents:
9389
diff
changeset
|
907 } |
1049
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
908 } |
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
909 |
8985
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
910 if (getenv("SSL_VERIFY_CLIENT_CERT") != NULL) |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
911 ssl_proxy_ctx_verify_client(ssl_server_ctx); |
1997
1d0985f6bdd9
Added ssl_verify_client_cert setting.
Timo Sirainen <tss@iki.fi>
parents:
1996
diff
changeset
|
912 |
6364
7ad61f00ee55
Added ssl_cert_username_field setting.
Timo Sirainen <tss@iki.fi>
parents:
5528
diff
changeset
|
913 username_field = getenv("SSL_CERT_USERNAME_FIELD"); |
7ad61f00ee55
Added ssl_cert_username_field setting.
Timo Sirainen <tss@iki.fi>
parents:
5528
diff
changeset
|
914 if (username_field == NULL) |
7ad61f00ee55
Added ssl_cert_username_field setting.
Timo Sirainen <tss@iki.fi>
parents:
5528
diff
changeset
|
915 ssl_username_nid = NID_commonName; |
7ad61f00ee55
Added ssl_cert_username_field setting.
Timo Sirainen <tss@iki.fi>
parents:
5528
diff
changeset
|
916 else { |
7ad61f00ee55
Added ssl_cert_username_field setting.
Timo Sirainen <tss@iki.fi>
parents:
5528
diff
changeset
|
917 ssl_username_nid = OBJ_txt2nid(username_field); |
7ad61f00ee55
Added ssl_cert_username_field setting.
Timo Sirainen <tss@iki.fi>
parents:
5528
diff
changeset
|
918 if (ssl_username_nid == NID_undef) { |
7ad61f00ee55
Added ssl_cert_username_field setting.
Timo Sirainen <tss@iki.fi>
parents:
5528
diff
changeset
|
919 i_fatal("Invalid ssl_cert_username_field: %s", |
7ad61f00ee55
Added ssl_cert_username_field setting.
Timo Sirainen <tss@iki.fi>
parents:
5528
diff
changeset
|
920 username_field); |
7ad61f00ee55
Added ssl_cert_username_field setting.
Timo Sirainen <tss@iki.fi>
parents:
5528
diff
changeset
|
921 } |
7ad61f00ee55
Added ssl_cert_username_field setting.
Timo Sirainen <tss@iki.fi>
parents:
5528
diff
changeset
|
922 } |
8985
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
923 } |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
924 |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
925 static void ssl_proxy_init_client(void) |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
926 { |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
927 if ((ssl_client_ctx = SSL_CTX_new(SSLv23_client_method())) == NULL) |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
928 i_fatal("SSL_CTX_new() failed"); |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
929 ssl_proxy_ctx_init(ssl_client_ctx); |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
930 ssl_proxy_ctx_verify_client(ssl_client_ctx); |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
931 } |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
932 |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
933 void ssl_proxy_init(void) |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
934 { |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
935 static char dovecot[] = "dovecot"; |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
936 const char *certfile, *keyfile; |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
937 unsigned char buf; |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
938 |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
939 memset(&ssl_params, 0, sizeof(ssl_params)); |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
940 |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
941 certfile = getenv("SSL_CERT_FILE"); |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
942 keyfile = getenv("SSL_KEY_FILE"); |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
943 ssl_params.fname = getenv("SSL_PARAM_FILE"); |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
944 |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
945 if (certfile == NULL || keyfile == NULL || ssl_params.fname == NULL) { |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
946 /* SSL support is disabled */ |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
947 return; |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
948 } |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
949 |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
950 SSL_library_init(); |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
951 SSL_load_error_strings(); |
9628
e388554e373f
ssl: Call OpenSSL_add_all_algorithms() to make some OpenSSL versions happy.
Timo Sirainen <tss@iki.fi>
parents:
9532
diff
changeset
|
952 OpenSSL_add_all_algorithms(); |
8985
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
953 |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
954 extdata_index = SSL_get_ex_new_index(0, dovecot, NULL, NULL, NULL); |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
955 ssl_proxy_init_server(certfile, keyfile); |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
956 ssl_proxy_init_client(); |
6364
7ad61f00ee55
Added ssl_cert_username_field setting.
Timo Sirainen <tss@iki.fi>
parents:
5528
diff
changeset
|
957 |
1556
545f6b150e2c
Make sure PRNG gets initialized before chrooting so it can open /dev/urandom.
Timo Sirainen <tss@iki.fi>
parents:
1544
diff
changeset
|
958 /* PRNG initialization might want to use /dev/urandom, make sure it |
2007
3dd9d3165bff
Don't require initializing RAND_bytes() to return cryptographically strong
Timo Sirainen <tss@iki.fi>
parents:
1997
diff
changeset
|
959 does it before chrooting. We might not have enough entropy at |
3dd9d3165bff
Don't require initializing RAND_bytes() to return cryptographically strong
Timo Sirainen <tss@iki.fi>
parents:
1997
diff
changeset
|
960 the first try, so this function may fail. It's still been |
3dd9d3165bff
Don't require initializing RAND_bytes() to return cryptographically strong
Timo Sirainen <tss@iki.fi>
parents:
1997
diff
changeset
|
961 initialized though. */ |
3dd9d3165bff
Don't require initializing RAND_bytes() to return cryptographically strong
Timo Sirainen <tss@iki.fi>
parents:
1997
diff
changeset
|
962 (void)RAND_bytes(&buf, 1); |
1556
545f6b150e2c
Make sure PRNG gets initialized before chrooting so it can open /dev/urandom.
Timo Sirainen <tss@iki.fi>
parents:
1544
diff
changeset
|
963 |
7119
8c6a7af67e8c
Replaced clients hash with a linked list.
Timo Sirainen <tss@iki.fi>
parents:
7086
diff
changeset
|
964 ssl_proxy_count = 0; |
8c6a7af67e8c
Replaced clients hash with a linked list.
Timo Sirainen <tss@iki.fi>
parents:
7086
diff
changeset
|
965 ssl_proxies = NULL; |
1049
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
966 ssl_initialized = TRUE; |
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
967 } |
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
968 |
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
969 void ssl_proxy_deinit(void) |
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
970 { |
1230
e6d2b8c78519
Keep list of the SSL proxies, so they're deinitialized properly if we have
Timo Sirainen <tss@iki.fi>
parents:
1215
diff
changeset
|
971 if (!ssl_initialized) |
e6d2b8c78519
Keep list of the SSL proxies, so they're deinitialized properly if we have
Timo Sirainen <tss@iki.fi>
parents:
1215
diff
changeset
|
972 return; |
e6d2b8c78519
Keep list of the SSL proxies, so they're deinitialized properly if we have
Timo Sirainen <tss@iki.fi>
parents:
1215
diff
changeset
|
973 |
7119
8c6a7af67e8c
Replaced clients hash with a linked list.
Timo Sirainen <tss@iki.fi>
parents:
7086
diff
changeset
|
974 while (ssl_proxies != NULL) |
8c6a7af67e8c
Replaced clients hash with a linked list.
Timo Sirainen <tss@iki.fi>
parents:
7086
diff
changeset
|
975 ssl_proxy_destroy(ssl_proxies); |
1232
f7da7d46e3f2
destroy proxies before destroying ssl context
Timo Sirainen <tss@iki.fi>
parents:
1231
diff
changeset
|
976 |
3888
650701d41cdf
Generate DH parameters and use them. Changed default regeneration time to 1
Timo Sirainen <tss@iki.fi>
parents:
3879
diff
changeset
|
977 ssl_free_parameters(&ssl_params); |
8985
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
978 SSL_CTX_free(ssl_server_ctx); |
f43bebab3dac
imap/pop3 proxy: Support SSL/TLS connections to remote servers.
Timo Sirainen <tss@iki.fi>
parents:
8935
diff
changeset
|
979 SSL_CTX_free(ssl_client_ctx); |
7500 | 980 EVP_cleanup(); |
981 ERR_free_strings(); | |
1049
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
982 } |
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
983 |
c41787e8c3f4
Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
984 #endif |