Mercurial > dovecot > original-hg > dovecot-1.2

annotate src/login-common/ssl-proxy-openssl.c @ 2679:8f7b01c29bcb HEAD

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Show clear error messages if --ssl is tried to be used but it's not builtin/enabled.
author Timo Sirainen <tss@iki.fi>
date Fri, 01 Oct 2004 17:41:16 +0300
parents 6ba9dcff11b9
children 748ee6f41fc1
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
1049
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
1 /* Copyright (C) 2002 Timo Sirainen */
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
2
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
3 #include "common.h"
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
4 #include "ioloop.h"
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
5 #include "network.h"
1231
6352baabd8a1 and compiler warning fixes..
Timo Sirainen <tss@iki.fi>
parents: 1230
diff changeset
6 #include "hash.h"
1049
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
7 #include "ssl-proxy.h"
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
8
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
9 #ifdef HAVE_OPENSSL
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
10
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
11 #include <openssl/crypto.h>
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
12 #include <openssl/x509.h>
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
13 #include <openssl/pem.h>
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
14 #include <openssl/ssl.h>
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
15 #include <openssl/err.h>
1556
545f6b150e2c Make sure PRNG gets initialized before chrooting so it can open /dev/urandom.
Timo Sirainen <tss@iki.fi>
parents: 1544
diff changeset
16 #include <openssl/rand.h>
1049
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
17
1996
d8f06a0c818e Added ssl_cipher_list setting.
Timo Sirainen <tss@iki.fi>
parents: 1907
diff changeset
18 #define DOVECOT_SSL_DEFAULT_CIPHER_LIST "ALL:!LOW"
1544
ac6ee442376d OpenSSL proxy changes - hopefully fixes something. Also don't crash with
Timo Sirainen <tss@iki.fi>
parents: 1492
diff changeset
19
1324
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
20 enum ssl_io_action {
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
21 SSL_ADD_INPUT,
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
22 SSL_REMOVE_INPUT,
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
23 SSL_ADD_OUTPUT,
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
24 SSL_REMOVE_OUTPUT
1049
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
25 };
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
26
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
27 struct ssl_proxy {
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
28 int refcount;
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
29
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
30 SSL *ssl;
1235
2660b47fd9bc Added setting verbose_ssl
Timo Sirainen <tss@iki.fi>
parents: 1234
diff changeset
31 struct ip_addr ip;
1049
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
32
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
33 int fd_ssl, fd_plain;
1324
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
34 struct io *io_ssl_read, *io_ssl_write, *io_plain_read, *io_plain_write;
1049
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
35
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
36 unsigned char plainout_buf[1024];
1324
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
37 unsigned int plainout_size;
1049
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
38
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
39 unsigned char sslout_buf[1024];
1324
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
40 unsigned int sslout_size;
1458
98362534b2c7 Unexpected SSL connection errors sometimes crashed
Timo Sirainen <tss@iki.fi>
parents: 1457
diff changeset
41
98362534b2c7 Unexpected SSL connection errors sometimes crashed
Timo Sirainen <tss@iki.fi>
parents: 1457
diff changeset
42 unsigned int handshaked:1;
98362534b2c7 Unexpected SSL connection errors sometimes crashed
Timo Sirainen <tss@iki.fi>
parents: 1457
diff changeset
43 unsigned int destroyed:1;
2027
dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide
Timo Sirainen <tss@iki.fi>
parents: 2007
diff changeset
44 unsigned int cert_received:1;
dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide
Timo Sirainen <tss@iki.fi>
parents: 2007
diff changeset
45 unsigned int cert_broken:1;
1049
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
46 };
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
47
2027
dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide
Timo Sirainen <tss@iki.fi>
parents: 2007
diff changeset
48 static int extdata_index;
1049
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
49 static SSL_CTX *ssl_ctx;
1230
e6d2b8c78519 Keep list of the SSL proxies, so they're deinitialized properly if we have
Timo Sirainen <tss@iki.fi>
parents: 1215
diff changeset
50 static struct hash_table *ssl_proxies;
1049
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
51
1324
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
52 static void plain_read(void *context);
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
53 static void plain_write(void *context);
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
54 static void ssl_write(struct ssl_proxy *proxy);
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
55 static void ssl_step(void *context);
1458
98362534b2c7 Unexpected SSL connection errors sometimes crashed
Timo Sirainen <tss@iki.fi>
parents: 1457
diff changeset
56 static void ssl_proxy_destroy(struct ssl_proxy *proxy);
98362534b2c7 Unexpected SSL connection errors sometimes crashed
Timo Sirainen <tss@iki.fi>
parents: 1457
diff changeset
57 static int ssl_proxy_unref(struct ssl_proxy *proxy);
1049
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
58
1324
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
59 static void ssl_set_io(struct ssl_proxy *proxy, enum ssl_io_action action)
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
60 {
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
61 switch (action) {
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
62 case SSL_ADD_INPUT:
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
63 if (proxy->io_ssl_read != NULL)
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
64 break;
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
65 proxy->io_ssl_read = io_add(proxy->fd_ssl, IO_READ,
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
66 ssl_step, proxy);
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
67 break;
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
68 case SSL_REMOVE_INPUT:
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
69 if (proxy->io_ssl_read != NULL) {
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
70 io_remove(proxy->io_ssl_read);
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
71 proxy->io_ssl_read = NULL;
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
72 }
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
73 break;
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
74 case SSL_ADD_OUTPUT:
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
75 if (proxy->io_ssl_write != NULL)
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
76 break;
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
77 proxy->io_ssl_write = io_add(proxy->fd_ssl, IO_WRITE,
1457
7dd0e88ed7ef cleanups
Timo Sirainen <tss@iki.fi>
parents: 1324
diff changeset
78 ssl_step, proxy);
1324
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
79 break;
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
80 case SSL_REMOVE_OUTPUT:
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
81 if (proxy->io_ssl_write != NULL) {
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
82 io_remove(proxy->io_ssl_write);
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
83 proxy->io_ssl_write = NULL;
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
84 }
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
85 break;
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
86 }
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
87 }
1049
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
88
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
89 static void plain_block_input(struct ssl_proxy *proxy, int block)
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
90 {
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
91 if (block) {
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
92 if (proxy->io_plain_read != NULL) {
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
93 io_remove(proxy->io_plain_read);
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
94 proxy->io_plain_read = NULL;
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
95 }
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
96 } else {
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
97 if (proxy->io_plain_read == NULL) {
1324
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
98 proxy->io_plain_read = io_add(proxy->fd_plain, IO_READ,
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
99 plain_read, proxy);
1049
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
100 }
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
101 }
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
102 }
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
103
1324
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
104 static void plain_read(void *context)
1049
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
105 {
1324
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
106 struct ssl_proxy *proxy = context;
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
107 ssize_t ret;
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
108
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
109 if (proxy->sslout_size == sizeof(proxy->sslout_buf)) {
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
110 /* buffer full, block input until it's written */
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
111 plain_block_input(proxy, TRUE);
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
112 return;
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
113 }
1049
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
114
1490
Timo Sirainen <tss@iki.fi>
parents: 1485
diff changeset
115 proxy->refcount++;
Timo Sirainen <tss@iki.fi>
parents: 1485
diff changeset
116
1458
98362534b2c7 Unexpected SSL connection errors sometimes crashed
Timo Sirainen <tss@iki.fi>
parents: 1457
diff changeset
117 while (proxy->sslout_size < sizeof(proxy->sslout_buf) &&
98362534b2c7 Unexpected SSL connection errors sometimes crashed
Timo Sirainen <tss@iki.fi>
parents: 1457
diff changeset
118 !proxy->destroyed) {
1324
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
119 ret = net_receive(proxy->fd_plain,
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
120 proxy->sslout_buf + proxy->sslout_size,
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
121 sizeof(proxy->sslout_buf) -
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
122 proxy->sslout_size);
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
123 if (ret <= 0) {
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
124 if (ret < 0)
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
125 ssl_proxy_destroy(proxy);
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
126 break;
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
127 } else {
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
128 proxy->sslout_size += ret;
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
129 ssl_write(proxy);
1049
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
130 }
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
131 }
1490
Timo Sirainen <tss@iki.fi>
parents: 1485
diff changeset
132
Timo Sirainen <tss@iki.fi>
parents: 1485
diff changeset
133 ssl_proxy_unref(proxy);
1049
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
134 }
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
135
1324
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
136 static void plain_write(void *context)
1049
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
137 {
1324
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
138 struct ssl_proxy *proxy = context;
1049
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
139 ssize_t ret;
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
140
1490
Timo Sirainen <tss@iki.fi>
parents: 1485
diff changeset
141 proxy->refcount++;
Timo Sirainen <tss@iki.fi>
parents: 1485
diff changeset
142
1324
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
143 ret = net_transmit(proxy->fd_plain, proxy->plainout_buf,
1049
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
144 proxy->plainout_size);
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
145 if (ret < 0)
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
146 ssl_proxy_destroy(proxy);
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
147 else {
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
148 proxy->plainout_size -= ret;
1324
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
149 memmove(proxy->plainout_buf, proxy->plainout_buf + ret,
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
150 proxy->plainout_size);
1049
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
151
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
152 if (proxy->plainout_size > 0) {
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
153 if (proxy->io_plain_write == NULL) {
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
154 proxy->io_plain_write =
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
155 io_add(proxy->fd_plain, IO_WRITE,
1324
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
156 plain_write, proxy);
1049
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
157 }
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
158 } else {
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
159 if (proxy->io_plain_write != NULL) {
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
160 io_remove(proxy->io_plain_write);
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
161 proxy->io_plain_write = NULL;
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
162 }
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
163 }
1324
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
164
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
165 ssl_set_io(proxy, SSL_ADD_INPUT);
1049
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
166 }
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
167
1490
Timo Sirainen <tss@iki.fi>
parents: 1485
diff changeset
168 ssl_proxy_unref(proxy);
1049
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
169 }
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
170
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
171 static const char *ssl_last_error(void)
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
172 {
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
173 unsigned long err;
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
174 char *buf;
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
175 size_t err_size = 256;
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
176
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
177 err = ERR_get_error();
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
178 if (err == 0)
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
179 return strerror(errno);
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
180
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
181 buf = t_malloc(err_size);
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
182 buf[err_size-1] = '\0';
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
183 ERR_error_string_n(err, buf, err_size-1);
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
184 return buf;
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
185 }
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
186
1235
2660b47fd9bc Added setting verbose_ssl
Timo Sirainen <tss@iki.fi>
parents: 1234
diff changeset
187 static void ssl_handle_error(struct ssl_proxy *proxy, int ret, const char *func)
1049
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
188 {
1235
2660b47fd9bc Added setting verbose_ssl
Timo Sirainen <tss@iki.fi>
parents: 1234
diff changeset
189 const char *errstr;
2660b47fd9bc Added setting verbose_ssl
Timo Sirainen <tss@iki.fi>
parents: 1234
diff changeset
190 int err;
2660b47fd9bc Added setting verbose_ssl
Timo Sirainen <tss@iki.fi>
parents: 1234
diff changeset
191
2660b47fd9bc Added setting verbose_ssl
Timo Sirainen <tss@iki.fi>
parents: 1234
diff changeset
192 err = SSL_get_error(proxy->ssl, ret);
1049
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
193
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
194 switch (err) {
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
195 case SSL_ERROR_WANT_READ:
1324
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
196 ssl_set_io(proxy, SSL_ADD_INPUT);
1049
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
197 break;
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
198 case SSL_ERROR_WANT_WRITE:
1324
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
199 ssl_set_io(proxy, SSL_ADD_OUTPUT);
1049
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
200 break;
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
201 case SSL_ERROR_SYSCALL:
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
202 /* eat up the error queue */
1235
2660b47fd9bc Added setting verbose_ssl
Timo Sirainen <tss@iki.fi>
parents: 1234
diff changeset
203 if (verbose_ssl) {
2660b47fd9bc Added setting verbose_ssl
Timo Sirainen <tss@iki.fi>
parents: 1234
diff changeset
204 if (ERR_peek_error() != 0)
2660b47fd9bc Added setting verbose_ssl
Timo Sirainen <tss@iki.fi>
parents: 1234
diff changeset
205 errstr = ssl_last_error();
2660b47fd9bc Added setting verbose_ssl
Timo Sirainen <tss@iki.fi>
parents: 1234
diff changeset
206 else {
2660b47fd9bc Added setting verbose_ssl
Timo Sirainen <tss@iki.fi>
parents: 1234
diff changeset
207 if (ret == 0)
2660b47fd9bc Added setting verbose_ssl
Timo Sirainen <tss@iki.fi>
parents: 1234
diff changeset
208 errstr = "EOF";
2660b47fd9bc Added setting verbose_ssl
Timo Sirainen <tss@iki.fi>
parents: 1234
diff changeset
209 else
2660b47fd9bc Added setting verbose_ssl
Timo Sirainen <tss@iki.fi>
parents: 1234
diff changeset
210 errstr = strerror(errno);
2660b47fd9bc Added setting verbose_ssl
Timo Sirainen <tss@iki.fi>
parents: 1234
diff changeset
211 }
2660b47fd9bc Added setting verbose_ssl
Timo Sirainen <tss@iki.fi>
parents: 1234
diff changeset
212
2660b47fd9bc Added setting verbose_ssl
Timo Sirainen <tss@iki.fi>
parents: 1234
diff changeset
213 i_warning("%s syscall failed: %s [%s]",
1485
8c28289a15a1 s/host/addr/ in a few network functions
Timo Sirainen <tss@iki.fi>
parents: 1458
diff changeset
214 func, errstr, net_ip2addr(&proxy->ip));
1235
2660b47fd9bc Added setting verbose_ssl
Timo Sirainen <tss@iki.fi>
parents: 1234
diff changeset
215 }
1049
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
216 ssl_proxy_destroy(proxy);
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
217 break;
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
218 case SSL_ERROR_ZERO_RETURN:
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
219 /* clean connection closing */
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
220 ssl_proxy_destroy(proxy);
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
221 break;
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
222 case SSL_ERROR_SSL:
1235
2660b47fd9bc Added setting verbose_ssl
Timo Sirainen <tss@iki.fi>
parents: 1234
diff changeset
223 if (verbose_ssl) {
2660b47fd9bc Added setting verbose_ssl
Timo Sirainen <tss@iki.fi>
parents: 1234
diff changeset
224 i_warning("%s failed: %s [%s]", func, ssl_last_error(),
1485
8c28289a15a1 s/host/addr/ in a few network functions
Timo Sirainen <tss@iki.fi>
parents: 1458
diff changeset
225 net_ip2addr(&proxy->ip));
1235
2660b47fd9bc Added setting verbose_ssl
Timo Sirainen <tss@iki.fi>
parents: 1234
diff changeset
226 }
1049
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
227 ssl_proxy_destroy(proxy);
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
228 break;
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
229 default:
1235
2660b47fd9bc Added setting verbose_ssl
Timo Sirainen <tss@iki.fi>
parents: 1234
diff changeset
230 i_warning("%s failed: unknown failure %d (%s) [%s]",
1485
8c28289a15a1 s/host/addr/ in a few network functions
Timo Sirainen <tss@iki.fi>
parents: 1458
diff changeset
231 func, err, ssl_last_error(), net_ip2addr(&proxy->ip));
1049
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
232 ssl_proxy_destroy(proxy);
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
233 break;
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
234 }
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
235 }
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
236
1324
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
237 static void ssl_handshake(struct ssl_proxy *proxy)
1049
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
238 {
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
239 int ret;
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
240
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
241 ret = SSL_accept(proxy->ssl);
1324
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
242 if (ret != 1)
1049
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
243 ssl_handle_error(proxy, ret, "SSL_accept()");
1324
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
244 else {
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
245 proxy->handshaked = TRUE;
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
246
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
247 ssl_set_io(proxy, SSL_ADD_INPUT);
1049
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
248 plain_block_input(proxy, FALSE);
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
249 }
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
250 }
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
251
1324
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
252 static void ssl_read(struct ssl_proxy *proxy)
1049
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
253 {
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
254 int ret;
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
255
1458
98362534b2c7 Unexpected SSL connection errors sometimes crashed
Timo Sirainen <tss@iki.fi>
parents: 1457
diff changeset
256 while (proxy->plainout_size < sizeof(proxy->plainout_buf) &&
98362534b2c7 Unexpected SSL connection errors sometimes crashed
Timo Sirainen <tss@iki.fi>
parents: 1457
diff changeset
257 !proxy->destroyed) {
1324
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
258 ret = SSL_read(proxy->ssl,
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
259 proxy->plainout_buf + proxy->plainout_size,
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
260 sizeof(proxy->plainout_buf) -
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
261 proxy->plainout_size);
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
262 if (ret <= 0) {
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
263 ssl_handle_error(proxy, ret, "SSL_read()");
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
264 break;
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
265 } else {
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
266 proxy->plainout_size += ret;
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
267 plain_write(proxy);
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
268 }
1049
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
269 }
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
270 }
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
271
1324
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
272 static void ssl_write(struct ssl_proxy *proxy)
1049
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
273 {
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
274 int ret;
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
275
1324
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
276 ret = SSL_write(proxy->ssl, proxy->sslout_buf, proxy->sslout_size);
1215
69bd0ea4c718 error handling fixes
Timo Sirainen <tss@iki.fi>
parents: 1117
diff changeset
277 if (ret <= 0)
1049
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
278 ssl_handle_error(proxy, ret, "SSL_write()");
1215
69bd0ea4c718 error handling fixes
Timo Sirainen <tss@iki.fi>
parents: 1117
diff changeset
279 else {
1049
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
280 proxy->sslout_size -= ret;
1324
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
281 memmove(proxy->sslout_buf, proxy->sslout_buf + ret,
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
282 proxy->sslout_size);
1049
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
283
1324
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
284 ssl_set_io(proxy, proxy->sslout_size > 0 ?
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
285 SSL_ADD_OUTPUT : SSL_REMOVE_OUTPUT);
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
286 plain_block_input(proxy, FALSE);
1049
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
287 }
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
288 }
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
289
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
290 static void ssl_step(void *context)
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
291 {
1324
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
292 struct ssl_proxy *proxy = context;
1049
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
293
1458
98362534b2c7 Unexpected SSL connection errors sometimes crashed
Timo Sirainen <tss@iki.fi>
parents: 1457
diff changeset
294 proxy->refcount++;
98362534b2c7 Unexpected SSL connection errors sometimes crashed
Timo Sirainen <tss@iki.fi>
parents: 1457
diff changeset
295
98362534b2c7 Unexpected SSL connection errors sometimes crashed
Timo Sirainen <tss@iki.fi>
parents: 1457
diff changeset
296 if (!proxy->handshaked)
1324
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
297 ssl_handshake(proxy);
1458
98362534b2c7 Unexpected SSL connection errors sometimes crashed
Timo Sirainen <tss@iki.fi>
parents: 1457
diff changeset
298
98362534b2c7 Unexpected SSL connection errors sometimes crashed
Timo Sirainen <tss@iki.fi>
parents: 1457
diff changeset
299 if (proxy->handshaked) {
98362534b2c7 Unexpected SSL connection errors sometimes crashed
Timo Sirainen <tss@iki.fi>
parents: 1457
diff changeset
300 if (proxy->plainout_size == sizeof(proxy->plainout_buf))
98362534b2c7 Unexpected SSL connection errors sometimes crashed
Timo Sirainen <tss@iki.fi>
parents: 1457
diff changeset
301 ssl_set_io(proxy, SSL_REMOVE_INPUT);
98362534b2c7 Unexpected SSL connection errors sometimes crashed
Timo Sirainen <tss@iki.fi>
parents: 1457
diff changeset
302 else
98362534b2c7 Unexpected SSL connection errors sometimes crashed
Timo Sirainen <tss@iki.fi>
parents: 1457
diff changeset
303 ssl_read(proxy);
98362534b2c7 Unexpected SSL connection errors sometimes crashed
Timo Sirainen <tss@iki.fi>
parents: 1457
diff changeset
304
98362534b2c7 Unexpected SSL connection errors sometimes crashed
Timo Sirainen <tss@iki.fi>
parents: 1457
diff changeset
305 if (proxy->sslout_size == 0)
98362534b2c7 Unexpected SSL connection errors sometimes crashed
Timo Sirainen <tss@iki.fi>
parents: 1457
diff changeset
306 ssl_set_io(proxy, SSL_REMOVE_OUTPUT);
98362534b2c7 Unexpected SSL connection errors sometimes crashed
Timo Sirainen <tss@iki.fi>
parents: 1457
diff changeset
307 else
98362534b2c7 Unexpected SSL connection errors sometimes crashed
Timo Sirainen <tss@iki.fi>
parents: 1457
diff changeset
308 ssl_write(proxy);
1049
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
309 }
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
310
1458
98362534b2c7 Unexpected SSL connection errors sometimes crashed
Timo Sirainen <tss@iki.fi>
parents: 1457
diff changeset
311 ssl_proxy_unref(proxy);
1049
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
312 }
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
313
2027
dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide
Timo Sirainen <tss@iki.fi>
parents: 2007
diff changeset
314 int ssl_proxy_new(int fd, struct ip_addr *ip, struct ssl_proxy **proxy_r)
1049
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
315 {
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
316 struct ssl_proxy *proxy;
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
317 SSL *ssl;
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
318 int sfd[2];
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
319
2027
dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide
Timo Sirainen <tss@iki.fi>
parents: 2007
diff changeset
320 *proxy_r = NULL;
dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide
Timo Sirainen <tss@iki.fi>
parents: 2007
diff changeset
321
2679
8f7b01c29bcb Show clear error messages if --ssl is tried to be used but it's not
Timo Sirainen <tss@iki.fi>
parents: 2629
diff changeset
322 if (!ssl_initialized) {
8f7b01c29bcb Show clear error messages if --ssl is tried to be used but it's not
Timo Sirainen <tss@iki.fi>
parents: 2629
diff changeset
323 i_error("SSL support not enabled in configuration");
1049
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
324 return -1;
2679
8f7b01c29bcb Show clear error messages if --ssl is tried to be used but it's not
Timo Sirainen <tss@iki.fi>
parents: 2629
diff changeset
325 }
1049
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
326
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
327 ssl = SSL_new(ssl_ctx);
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
328 if (ssl == NULL) {
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
329 i_error("SSL_new() failed: %s", ssl_last_error());
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
330 return -1;
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
331 }
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
332
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
333 if (SSL_set_fd(ssl, fd) != 1) {
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
334 i_error("SSL_set_fd() failed: %s", ssl_last_error());
1457
7dd0e88ed7ef cleanups
Timo Sirainen <tss@iki.fi>
parents: 1324
diff changeset
335 SSL_free(ssl);
1049
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
336 return -1;
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
337 }
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
338
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
339 if (socketpair(AF_UNIX, SOCK_STREAM, 0, sfd) == -1) {
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
340 i_error("socketpair() failed: %m");
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
341 SSL_free(ssl);
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
342 return -1;
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
343 }
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
344
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
345 net_set_nonblock(sfd[0], TRUE);
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
346 net_set_nonblock(sfd[1], TRUE);
1268
0d9f0e617a1a net_* functions don't anymore set sockets to non-blocking by default.
Timo Sirainen <tss@iki.fi>
parents: 1235
diff changeset
347 net_set_nonblock(fd, TRUE);
1049
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
348
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
349 proxy = i_new(struct ssl_proxy, 1);
2027
dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide
Timo Sirainen <tss@iki.fi>
parents: 2007
diff changeset
350 proxy->refcount = 2;
1049
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
351 proxy->ssl = ssl;
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
352 proxy->fd_ssl = fd;
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
353 proxy->fd_plain = sfd[0];
1235
2660b47fd9bc Added setting verbose_ssl
Timo Sirainen <tss@iki.fi>
parents: 1234
diff changeset
354 proxy->ip = *ip;
2027
dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide
Timo Sirainen <tss@iki.fi>
parents: 2007
diff changeset
355 SSL_set_ex_data(ssl, extdata_index, proxy);
1049
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
356
1544
ac6ee442376d OpenSSL proxy changes - hopefully fixes something. Also don't crash with
Timo Sirainen <tss@iki.fi>
parents: 1492
diff changeset
357 hash_insert(ssl_proxies, proxy, proxy);
ac6ee442376d OpenSSL proxy changes - hopefully fixes something. Also don't crash with
Timo Sirainen <tss@iki.fi>
parents: 1492
diff changeset
358
1324
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
359 ssl_handshake(proxy);
2027
dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide
Timo Sirainen <tss@iki.fi>
parents: 2007
diff changeset
360 main_ref();
dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide
Timo Sirainen <tss@iki.fi>
parents: 2007
diff changeset
361
dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide
Timo Sirainen <tss@iki.fi>
parents: 2007
diff changeset
362 *proxy_r = proxy;
dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide
Timo Sirainen <tss@iki.fi>
parents: 2007
diff changeset
363 return sfd[1];
dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide
Timo Sirainen <tss@iki.fi>
parents: 2007
diff changeset
364 }
1049
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
365
2027
dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide
Timo Sirainen <tss@iki.fi>
parents: 2007
diff changeset
366 int ssl_proxy_has_valid_client_cert(struct ssl_proxy *proxy)
dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide
Timo Sirainen <tss@iki.fi>
parents: 2007
diff changeset
367 {
dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide
Timo Sirainen <tss@iki.fi>
parents: 2007
diff changeset
368 return proxy->cert_received && !proxy->cert_broken;
dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide
Timo Sirainen <tss@iki.fi>
parents: 2007
diff changeset
369 }
dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide
Timo Sirainen <tss@iki.fi>
parents: 2007
diff changeset
370
dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide
Timo Sirainen <tss@iki.fi>
parents: 2007
diff changeset
371 void ssl_proxy_free(struct ssl_proxy *proxy)
dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide
Timo Sirainen <tss@iki.fi>
parents: 2007
diff changeset
372 {
dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide
Timo Sirainen <tss@iki.fi>
parents: 2007
diff changeset
373 ssl_proxy_unref(proxy);
1049
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
374 }
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
375
1458
98362534b2c7 Unexpected SSL connection errors sometimes crashed
Timo Sirainen <tss@iki.fi>
parents: 1457
diff changeset
376 static int ssl_proxy_unref(struct ssl_proxy *proxy)
1049
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
377 {
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
378 if (--proxy->refcount > 0)
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
379 return TRUE;
1490
Timo Sirainen <tss@iki.fi>
parents: 1485
diff changeset
380 i_assert(proxy->refcount == 0);
1049
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
381
2302
8438064ddf08 Refcounting fixes. Unexpectedly destroyed SSL connection could have left
Timo Sirainen <tss@iki.fi>
parents: 2027
diff changeset
382 SSL_free(proxy->ssl);
8438064ddf08 Refcounting fixes. Unexpectedly destroyed SSL connection could have left
Timo Sirainen <tss@iki.fi>
parents: 2027
diff changeset
383 i_free(proxy);
8438064ddf08 Refcounting fixes. Unexpectedly destroyed SSL connection could have left
Timo Sirainen <tss@iki.fi>
parents: 2027
diff changeset
384
8438064ddf08 Refcounting fixes. Unexpectedly destroyed SSL connection could have left
Timo Sirainen <tss@iki.fi>
parents: 2027
diff changeset
385 main_unref();
8438064ddf08 Refcounting fixes. Unexpectedly destroyed SSL connection could have left
Timo Sirainen <tss@iki.fi>
parents: 2027
diff changeset
386 return FALSE;
8438064ddf08 Refcounting fixes. Unexpectedly destroyed SSL connection could have left
Timo Sirainen <tss@iki.fi>
parents: 2027
diff changeset
387 }
8438064ddf08 Refcounting fixes. Unexpectedly destroyed SSL connection could have left
Timo Sirainen <tss@iki.fi>
parents: 2027
diff changeset
388
8438064ddf08 Refcounting fixes. Unexpectedly destroyed SSL connection could have left
Timo Sirainen <tss@iki.fi>
parents: 2027
diff changeset
389 static void ssl_proxy_destroy(struct ssl_proxy *proxy)
8438064ddf08 Refcounting fixes. Unexpectedly destroyed SSL connection could have left
Timo Sirainen <tss@iki.fi>
parents: 2027
diff changeset
390 {
8438064ddf08 Refcounting fixes. Unexpectedly destroyed SSL connection could have left
Timo Sirainen <tss@iki.fi>
parents: 2027
diff changeset
391 if (proxy->destroyed)
8438064ddf08 Refcounting fixes. Unexpectedly destroyed SSL connection could have left
Timo Sirainen <tss@iki.fi>
parents: 2027
diff changeset
392 return;
8438064ddf08 Refcounting fixes. Unexpectedly destroyed SSL connection could have left
Timo Sirainen <tss@iki.fi>
parents: 2027
diff changeset
393 proxy->destroyed = TRUE;
8438064ddf08 Refcounting fixes. Unexpectedly destroyed SSL connection could have left
Timo Sirainen <tss@iki.fi>
parents: 2027
diff changeset
394
1230
e6d2b8c78519 Keep list of the SSL proxies, so they're deinitialized properly if we have
Timo Sirainen <tss@iki.fi>
parents: 1215
diff changeset
395 hash_remove(ssl_proxies, proxy);
e6d2b8c78519 Keep list of the SSL proxies, so they're deinitialized properly if we have
Timo Sirainen <tss@iki.fi>
parents: 1215
diff changeset
396
1049
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
397 (void)net_disconnect(proxy->fd_ssl);
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
398 (void)net_disconnect(proxy->fd_plain);
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
399
1324
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
400 if (proxy->io_ssl_read != NULL)
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
401 io_remove(proxy->io_ssl_read);
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
402 if (proxy->io_ssl_write != NULL)
13d8f69d4f1a rewrite, maybe it works properly now.
Timo Sirainen <tss@iki.fi>
parents: 1268
diff changeset
403 io_remove(proxy->io_ssl_write);
1049
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
404 if (proxy->io_plain_read != NULL)
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
405 io_remove(proxy->io_plain_read);
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
406 if (proxy->io_plain_write != NULL)
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
407 io_remove(proxy->io_plain_write);
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
408
2302
8438064ddf08 Refcounting fixes. Unexpectedly destroyed SSL connection could have left
Timo Sirainen <tss@iki.fi>
parents: 2027
diff changeset
409 ssl_proxy_unref(proxy);
1458
98362534b2c7 Unexpected SSL connection errors sometimes crashed
Timo Sirainen <tss@iki.fi>
parents: 1457
diff changeset
410 }
98362534b2c7 Unexpected SSL connection errors sometimes crashed
Timo Sirainen <tss@iki.fi>
parents: 1457
diff changeset
411
1492
383d87166963 Generate temporary RSA key when requested. Could be slow, should do some
Timo Sirainen <tss@iki.fi>
parents: 1490
diff changeset
412 static RSA *ssl_gen_rsa_key(SSL *ssl __attr_unused__,
383d87166963 Generate temporary RSA key when requested. Could be slow, should do some
Timo Sirainen <tss@iki.fi>
parents: 1490
diff changeset
413 int is_export __attr_unused__, int keylength)
383d87166963 Generate temporary RSA key when requested. Could be slow, should do some
Timo Sirainen <tss@iki.fi>
parents: 1490
diff changeset
414 {
383d87166963 Generate temporary RSA key when requested. Could be slow, should do some
Timo Sirainen <tss@iki.fi>
parents: 1490
diff changeset
415 return RSA_generate_key(keylength, RSA_F4, NULL, NULL);
383d87166963 Generate temporary RSA key when requested. Could be slow, should do some
Timo Sirainen <tss@iki.fi>
parents: 1490
diff changeset
416 }
383d87166963 Generate temporary RSA key when requested. Could be slow, should do some
Timo Sirainen <tss@iki.fi>
parents: 1490
diff changeset
417
2027
dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide
Timo Sirainen <tss@iki.fi>
parents: 2007
diff changeset
418 static int ssl_verify_client_cert(int preverify_ok, X509_STORE_CTX *ctx)
dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide
Timo Sirainen <tss@iki.fi>
parents: 2007
diff changeset
419 {
dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide
Timo Sirainen <tss@iki.fi>
parents: 2007
diff changeset
420 SSL *ssl;
dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide
Timo Sirainen <tss@iki.fi>
parents: 2007
diff changeset
421 struct ssl_proxy *proxy;
dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide
Timo Sirainen <tss@iki.fi>
parents: 2007
diff changeset
422
dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide
Timo Sirainen <tss@iki.fi>
parents: 2007
diff changeset
423 ssl = X509_STORE_CTX_get_ex_data(ctx,
dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide
Timo Sirainen <tss@iki.fi>
parents: 2007
diff changeset
424 SSL_get_ex_data_X509_STORE_CTX_idx());
dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide
Timo Sirainen <tss@iki.fi>
parents: 2007
diff changeset
425 proxy = SSL_get_ex_data(ssl, extdata_index);
dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide
Timo Sirainen <tss@iki.fi>
parents: 2007
diff changeset
426
dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide
Timo Sirainen <tss@iki.fi>
parents: 2007
diff changeset
427 proxy->cert_received = TRUE;
dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide
Timo Sirainen <tss@iki.fi>
parents: 2007
diff changeset
428 if (!preverify_ok)
dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide
Timo Sirainen <tss@iki.fi>
parents: 2007
diff changeset
429 proxy->cert_broken = TRUE;
dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide
Timo Sirainen <tss@iki.fi>
parents: 2007
diff changeset
430
dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide
Timo Sirainen <tss@iki.fi>
parents: 2007
diff changeset
431 return 1;
dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide
Timo Sirainen <tss@iki.fi>
parents: 2007
diff changeset
432 }
dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide
Timo Sirainen <tss@iki.fi>
parents: 2007
diff changeset
433
1049
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
434 void ssl_proxy_init(void)
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
435 {
1996
d8f06a0c818e Added ssl_cipher_list setting.
Timo Sirainen <tss@iki.fi>
parents: 1907
diff changeset
436 const char *cafile, *certfile, *keyfile, *paramfile, *cipher_list;
2629
6ba9dcff11b9 Compiler warning fixes and cleanups
Timo Sirainen <tss@iki.fi>
parents: 2335
diff changeset
437 unsigned char buf;
1049
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
438
1907
190f1d315ce6 Added setting ssl_ca_file, patch by Zach Bagnall
Timo Sirainen <tss@iki.fi>
parents: 1897
diff changeset
439 cafile = getenv("SSL_CA_FILE");
1049
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
440 certfile = getenv("SSL_CERT_FILE");
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
441 keyfile = getenv("SSL_KEY_FILE");
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
442 paramfile = getenv("SSL_PARAM_FILE");
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
443
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
444 if (certfile == NULL || keyfile == NULL || paramfile == NULL) {
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
445 /* SSL support is disabled */
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
446 return;
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
447 }
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
448
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
449 SSL_library_init();
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
450 SSL_load_error_strings();
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
451
2027
dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide
Timo Sirainen <tss@iki.fi>
parents: 2007
diff changeset
452 extdata_index = SSL_get_ex_new_index(0, "dovecot", NULL, NULL, NULL);
dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide
Timo Sirainen <tss@iki.fi>
parents: 2007
diff changeset
453
1049
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
454 if ((ssl_ctx = SSL_CTX_new(SSLv23_server_method())) == NULL)
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
455 i_fatal("SSL_CTX_new() failed");
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
456
1544
ac6ee442376d OpenSSL proxy changes - hopefully fixes something. Also don't crash with
Timo Sirainen <tss@iki.fi>
parents: 1492
diff changeset
457 SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL);
ac6ee442376d OpenSSL proxy changes - hopefully fixes something. Also don't crash with
Timo Sirainen <tss@iki.fi>
parents: 1492
diff changeset
458
1996
d8f06a0c818e Added ssl_cipher_list setting.
Timo Sirainen <tss@iki.fi>
parents: 1907
diff changeset
459 cipher_list = getenv("SSL_CIPHER_LIST");
d8f06a0c818e Added ssl_cipher_list setting.
Timo Sirainen <tss@iki.fi>
parents: 1907
diff changeset
460 if (cipher_list == NULL)
d8f06a0c818e Added ssl_cipher_list setting.
Timo Sirainen <tss@iki.fi>
parents: 1907
diff changeset
461 cipher_list = DOVECOT_SSL_DEFAULT_CIPHER_LIST;
d8f06a0c818e Added ssl_cipher_list setting.
Timo Sirainen <tss@iki.fi>
parents: 1907
diff changeset
462 if (SSL_CTX_set_cipher_list(ssl_ctx, cipher_list) != 1) {
1544
ac6ee442376d OpenSSL proxy changes - hopefully fixes something. Also don't crash with
Timo Sirainen <tss@iki.fi>
parents: 1492
diff changeset
463 i_fatal("Can't set cipher list to '%s': %s",
1996
d8f06a0c818e Added ssl_cipher_list setting.
Timo Sirainen <tss@iki.fi>
parents: 1907
diff changeset
464 cipher_list, ssl_last_error());
1544
ac6ee442376d OpenSSL proxy changes - hopefully fixes something. Also don't crash with
Timo Sirainen <tss@iki.fi>
parents: 1492
diff changeset
465 }
ac6ee442376d OpenSSL proxy changes - hopefully fixes something. Also don't crash with
Timo Sirainen <tss@iki.fi>
parents: 1492
diff changeset
466
1907
190f1d315ce6 Added setting ssl_ca_file, patch by Zach Bagnall
Timo Sirainen <tss@iki.fi>
parents: 1897
diff changeset
467 if (cafile != NULL) {
190f1d315ce6 Added setting ssl_ca_file, patch by Zach Bagnall
Timo Sirainen <tss@iki.fi>
parents: 1897
diff changeset
468 if (SSL_CTX_load_verify_locations(ssl_ctx, cafile, NULL) != 1) {
190f1d315ce6 Added setting ssl_ca_file, patch by Zach Bagnall
Timo Sirainen <tss@iki.fi>
parents: 1897
diff changeset
469 i_fatal("Can't load CA file %s: %s",
190f1d315ce6 Added setting ssl_ca_file, patch by Zach Bagnall
Timo Sirainen <tss@iki.fi>
parents: 1897
diff changeset
470 cafile, ssl_last_error());
190f1d315ce6 Added setting ssl_ca_file, patch by Zach Bagnall
Timo Sirainen <tss@iki.fi>
parents: 1897
diff changeset
471 }
190f1d315ce6 Added setting ssl_ca_file, patch by Zach Bagnall
Timo Sirainen <tss@iki.fi>
parents: 1897
diff changeset
472 }
190f1d315ce6 Added setting ssl_ca_file, patch by Zach Bagnall
Timo Sirainen <tss@iki.fi>
parents: 1897
diff changeset
473
1544
ac6ee442376d OpenSSL proxy changes - hopefully fixes something. Also don't crash with
Timo Sirainen <tss@iki.fi>
parents: 1492
diff changeset
474 if (SSL_CTX_use_certificate_chain_file(ssl_ctx, certfile) != 1) {
1049
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
475 i_fatal("Can't load certificate file %s: %s",
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
476 certfile, ssl_last_error());
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
477 }
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
478
1544
ac6ee442376d OpenSSL proxy changes - hopefully fixes something. Also don't crash with
Timo Sirainen <tss@iki.fi>
parents: 1492
diff changeset
479 if (SSL_CTX_use_RSAPrivateKey_file(ssl_ctx, keyfile,
ac6ee442376d OpenSSL proxy changes - hopefully fixes something. Also don't crash with
Timo Sirainen <tss@iki.fi>
parents: 1492
diff changeset
480 SSL_FILETYPE_PEM) != 1) {
1049
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
481 i_fatal("Can't load private key file %s: %s",
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
482 keyfile, ssl_last_error());
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
483 }
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
484
1492
383d87166963 Generate temporary RSA key when requested. Could be slow, should do some
Timo Sirainen <tss@iki.fi>
parents: 1490
diff changeset
485 if (SSL_CTX_need_tmp_RSA(ssl_ctx))
383d87166963 Generate temporary RSA key when requested. Could be slow, should do some
Timo Sirainen <tss@iki.fi>
parents: 1490
diff changeset
486 SSL_CTX_set_tmp_rsa_callback(ssl_ctx, ssl_gen_rsa_key);
383d87166963 Generate temporary RSA key when requested. Could be slow, should do some
Timo Sirainen <tss@iki.fi>
parents: 1490
diff changeset
487
1997
1d0985f6bdd9 Added ssl_verify_client_cert setting.
Timo Sirainen <tss@iki.fi>
parents: 1996
diff changeset
488 if (getenv("SSL_VERIFY_CLIENT_CERT") != NULL) {
1d0985f6bdd9 Added ssl_verify_client_cert setting.
Timo Sirainen <tss@iki.fi>
parents: 1996
diff changeset
489 SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER |
2027
dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide
Timo Sirainen <tss@iki.fi>
parents: 2007
diff changeset
490 SSL_VERIFY_CLIENT_ONCE,
dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide
Timo Sirainen <tss@iki.fi>
parents: 2007
diff changeset
491 ssl_verify_client_cert);
1997
1d0985f6bdd9 Added ssl_verify_client_cert setting.
Timo Sirainen <tss@iki.fi>
parents: 1996
diff changeset
492 }
1d0985f6bdd9 Added ssl_verify_client_cert setting.
Timo Sirainen <tss@iki.fi>
parents: 1996
diff changeset
493
1556
545f6b150e2c Make sure PRNG gets initialized before chrooting so it can open /dev/urandom.
Timo Sirainen <tss@iki.fi>
parents: 1544
diff changeset
494 /* PRNG initialization might want to use /dev/urandom, make sure it
2007
3dd9d3165bff Don't require initializing RAND_bytes() to return cryptographically strong
Timo Sirainen <tss@iki.fi>
parents: 1997
diff changeset
495 does it before chrooting. We might not have enough entropy at
3dd9d3165bff Don't require initializing RAND_bytes() to return cryptographically strong
Timo Sirainen <tss@iki.fi>
parents: 1997
diff changeset
496 the first try, so this function may fail. It's still been
3dd9d3165bff Don't require initializing RAND_bytes() to return cryptographically strong
Timo Sirainen <tss@iki.fi>
parents: 1997
diff changeset
497 initialized though. */
3dd9d3165bff Don't require initializing RAND_bytes() to return cryptographically strong
Timo Sirainen <tss@iki.fi>
parents: 1997
diff changeset
498 (void)RAND_bytes(&buf, 1);
1556
545f6b150e2c Make sure PRNG gets initialized before chrooting so it can open /dev/urandom.
Timo Sirainen <tss@iki.fi>
parents: 1544
diff changeset
499
1230
e6d2b8c78519 Keep list of the SSL proxies, so they're deinitialized properly if we have
Timo Sirainen <tss@iki.fi>
parents: 1215
diff changeset
500 ssl_proxies = hash_create(default_pool, default_pool, 0, NULL, NULL);
1049
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
501 ssl_initialized = TRUE;
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
502 }
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
503
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
504 void ssl_proxy_deinit(void)
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
505 {
1897
1e6ed8045f2b Changed hash_foreach() to iterator.
Timo Sirainen <tss@iki.fi>
parents: 1556
diff changeset
506 struct hash_iterate_context *iter;
1e6ed8045f2b Changed hash_foreach() to iterator.
Timo Sirainen <tss@iki.fi>
parents: 1556
diff changeset
507 void *key, *value;
1e6ed8045f2b Changed hash_foreach() to iterator.
Timo Sirainen <tss@iki.fi>
parents: 1556
diff changeset
508
1230
e6d2b8c78519 Keep list of the SSL proxies, so they're deinitialized properly if we have
Timo Sirainen <tss@iki.fi>
parents: 1215
diff changeset
509 if (!ssl_initialized)
e6d2b8c78519 Keep list of the SSL proxies, so they're deinitialized properly if we have
Timo Sirainen <tss@iki.fi>
parents: 1215
diff changeset
510 return;
e6d2b8c78519 Keep list of the SSL proxies, so they're deinitialized properly if we have
Timo Sirainen <tss@iki.fi>
parents: 1215
diff changeset
511
1897
1e6ed8045f2b Changed hash_foreach() to iterator.
Timo Sirainen <tss@iki.fi>
parents: 1556
diff changeset
512 iter = hash_iterate_init(ssl_proxies);
1e6ed8045f2b Changed hash_foreach() to iterator.
Timo Sirainen <tss@iki.fi>
parents: 1556
diff changeset
513 while (hash_iterate(iter, &key, &value))
1e6ed8045f2b Changed hash_foreach() to iterator.
Timo Sirainen <tss@iki.fi>
parents: 1556
diff changeset
514 ssl_proxy_destroy(value);
1e6ed8045f2b Changed hash_foreach() to iterator.
Timo Sirainen <tss@iki.fi>
parents: 1556
diff changeset
515 hash_iterate_deinit(iter);
1230
e6d2b8c78519 Keep list of the SSL proxies, so they're deinitialized properly if we have
Timo Sirainen <tss@iki.fi>
parents: 1215
diff changeset
516 hash_destroy(ssl_proxies);
1232
f7da7d46e3f2 destroy proxies before destroying ssl context
Timo Sirainen <tss@iki.fi>
parents: 1231
diff changeset
517
f7da7d46e3f2 destroy proxies before destroying ssl context
Timo Sirainen <tss@iki.fi>
parents: 1231
diff changeset
518 SSL_CTX_free(ssl_ctx);
1049
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
519 }
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
520
c41787e8c3f4 Moved common login process code to login-common, created pop3-login.
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
521 #endif