dovecot/original-hg/dovecot-1.2: src/login-common/ssl-proxy-openssl.c annotate

annotate src/login-common/ssl-proxy-openssl.c @ 9305:b7dbcf86086b HEAD

Fixed openssl malloc() failure check.

author	Timo Sirainen <tss@iki.fi>
date	Tue, 11 Aug 2009 17:38:06 -0400
parents	c00df1152f1f
children	26ca4ff5d269

rev	line source
8590 b9faf4db2a9f Updated copyright notices to include year 2009. Timo Sirainen <tss@iki.fi> parents: 8302 diff changeset	1 /* Copyright (c) 2002-2009 Dovecot authors, see the included COPYING file */
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	2
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	3 #include "common.h"
3888 650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	4 #include "array.h"
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	5 #include "ioloop.h"
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	6 #include "network.h"
4474 1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	7 #include "ostream.h"
3888 650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	8 #include "read-full.h"
7119 8c6a7af67e8c Replaced clients hash with a linked list. Timo Sirainen <tss@iki.fi> parents: 7086 diff changeset	9 #include "llist.h"
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	10 #include "ssl-proxy.h"
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	11
3888 650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	12 #include <fcntl.h>
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	13 #include <unistd.h>
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	14 #include <sys/stat.h>
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	15
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	16 #ifdef HAVE_OPENSSL
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	17
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	18 #include <openssl/crypto.h>
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	19 #include <openssl/x509.h>
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	20 #include <openssl/pem.h>
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	21 #include <openssl/ssl.h>
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	22 #include <openssl/err.h>
1556 545f6b150e2c Make sure PRNG gets initialized before chrooting so it can open /dev/urandom. Timo Sirainen <tss@iki.fi> parents: 1544 diff changeset	23 #include <openssl/rand.h>
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	24
4696 abf9a1234b99 Don't allow SSLv2 by default. Timo Sirainen <tss@iki.fi> parents: 4695 diff changeset	25 #define DOVECOT_SSL_DEFAULT_CIPHER_LIST "ALL:!LOW:!SSLv2"
3888 650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	26 /* Check every 30 minutes if parameters file has been updated */
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	27 #define SSL_PARAMFILE_CHECK_INTERVAL (60*30)
1544 ac6ee442376d OpenSSL proxy changes - hopefully fixes something. Also don't crash with Timo Sirainen <tss@iki.fi> parents: 1492 diff changeset	28
4538 9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	29 enum ssl_io_action {
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	30 SSL_ADD_INPUT,
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	31 SSL_REMOVE_INPUT,
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	32 SSL_ADD_OUTPUT,
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	33 SSL_REMOVE_OUTPUT
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	34 };
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	35
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	36 struct ssl_proxy {
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	37 int refcount;
7119 8c6a7af67e8c Replaced clients hash with a linked list. Timo Sirainen <tss@iki.fi> parents: 7086 diff changeset	38 struct ssl_proxy prev, next;
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	39
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	40 SSL *ssl;
1235 2660b47fd9bc Added setting verbose_ssl Timo Sirainen <tss@iki.fi> parents: 1234 diff changeset	41 struct ip_addr ip;
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	42
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	43 int fd_ssl, fd_plain;
4538 9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	44 struct io io_ssl_read, io_ssl_write, io_plain_read, io_plain_write;
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	45
4538 9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	46 unsigned char plainout_buf[1024];
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	47 unsigned int plainout_size;
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	48
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	49 unsigned char sslout_buf[1024];
1324 13d8f69d4f1a rewrite, maybe it works properly now. Timo Sirainen <tss@iki.fi> parents: 1268 diff changeset	50 unsigned int sslout_size;
1458 98362534b2c7 Unexpected SSL connection errors sometimes crashed Timo Sirainen <tss@iki.fi> parents: 1457 diff changeset	51
8985 f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	52 ssl_handshake_callback_t *handshake_callback;
8986 d475e17d01a3 ssl-proxy: Crashfix to previous commit. Timo Sirainen <tss@iki.fi> parents: 8985 diff changeset	53 void *handshake_context;
8985 f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	54
7374 0bb3fc72a74f If TLS connection closes with anything except a clean disconnection, log the Timo Sirainen <tss@iki.fi> parents: 7346 diff changeset	55 char *last_error;
1458 98362534b2c7 Unexpected SSL connection errors sometimes crashed Timo Sirainen <tss@iki.fi> parents: 1457 diff changeset	56 unsigned int handshaked:1;
98362534b2c7 Unexpected SSL connection errors sometimes crashed Timo Sirainen <tss@iki.fi> parents: 1457 diff changeset	57 unsigned int destroyed:1;
2027 dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide Timo Sirainen <tss@iki.fi> parents: 2007 diff changeset	58 unsigned int cert_received:1;
dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide Timo Sirainen <tss@iki.fi> parents: 2007 diff changeset	59 unsigned int cert_broken:1;
8985 f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	60 unsigned int client:1;
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	61 };
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	62
3888 650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	63 struct ssl_parameters {
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	64 const char *fname;
4505 886d7af1f38d Don't constantly re-read ssl-parameters.dat. Make sure that in input handler Timo Sirainen <tss@iki.fi> parents: 4474 diff changeset	65 time_t last_mtime, last_check;
3888 650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	66 int fd;
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	67
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	68 DH dh_512, dh_1024;
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	69 };
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	70
2027 dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide Timo Sirainen <tss@iki.fi> parents: 2007 diff changeset	71 static int extdata_index;
8985 f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	72 static SSL_CTX *ssl_server_ctx;
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	73 static SSL_CTX *ssl_client_ctx;
7119 8c6a7af67e8c Replaced clients hash with a linked list. Timo Sirainen <tss@iki.fi> parents: 7086 diff changeset	74 static unsigned int ssl_proxy_count;
8c6a7af67e8c Replaced clients hash with a linked list. Timo Sirainen <tss@iki.fi> parents: 7086 diff changeset	75 static struct ssl_proxy *ssl_proxies;
3888 650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	76 static struct ssl_parameters ssl_params;
6364 7ad61f00ee55 Added ssl_cert_username_field setting. Timo Sirainen <tss@iki.fi> parents: 5528 diff changeset	77 static int ssl_username_nid;
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	78
4907 5b4c9b20eba0 Replaced void context from a lot of callbacks with the actual context Timo Sirainen <tss@iki.fi>* parents: 4827 diff changeset	79 static void plain_read(struct ssl_proxy *proxy);
4538 9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	80 static void ssl_read(struct ssl_proxy *proxy);
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	81 static void ssl_write(struct ssl_proxy *proxy);
4907 5b4c9b20eba0 Replaced void context from a lot of callbacks with the actual context Timo Sirainen <tss@iki.fi>* parents: 4827 diff changeset	82 static void ssl_step(struct ssl_proxy *proxy);
1458 98362534b2c7 Unexpected SSL connection errors sometimes crashed Timo Sirainen <tss@iki.fi> parents: 1457 diff changeset	83 static void ssl_proxy_destroy(struct ssl_proxy *proxy);
3863 55df57c028d4 Added "bool" type and changed all ints that were used as booleans to bool. Timo Sirainen <tss@iki.fi> parents: 3635 diff changeset	84 static void ssl_proxy_unref(struct ssl_proxy *proxy);
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	85
8621 22985329af92 Check broken ssl-parameters.dat files better and give a better error message when seeing one. Timo Sirainen <tss@iki.fi> parents: 8590 diff changeset	86 static void ssl_params_corrupted(const char *path)
22985329af92 Check broken ssl-parameters.dat files better and give a better error message when seeing one. Timo Sirainen <tss@iki.fi> parents: 8590 diff changeset	87 {
22985329af92 Check broken ssl-parameters.dat files better and give a better error message when seeing one. Timo Sirainen <tss@iki.fi> parents: 8590 diff changeset	88 i_fatal("Corrupted SSL parameters file: %s/%s "
22985329af92 Check broken ssl-parameters.dat files better and give a better error message when seeing one. Timo Sirainen <tss@iki.fi> parents: 8590 diff changeset	89 "(delete it and also the one in %s)",
22985329af92 Check broken ssl-parameters.dat files better and give a better error message when seeing one. Timo Sirainen <tss@iki.fi> parents: 8590 diff changeset	90 getenv("LOGIN_DIR"), path, PKG_STATEDIR);
22985329af92 Check broken ssl-parameters.dat files better and give a better error message when seeing one. Timo Sirainen <tss@iki.fi> parents: 8590 diff changeset	91 }
22985329af92 Check broken ssl-parameters.dat files better and give a better error message when seeing one. Timo Sirainen <tss@iki.fi> parents: 8590 diff changeset	92
3888 650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	93 static void read_next(struct ssl_parameters params, void data, size_t size)
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	94 {
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	95 int ret;
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	96
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	97 if ((ret = read_full(params->fd, data, size)) < 0)
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	98 i_fatal("read(%s) failed: %m", params->fname);
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	99 if (ret == 0)
8621 22985329af92 Check broken ssl-parameters.dat files better and give a better error message when seeing one. Timo Sirainen <tss@iki.fi> parents: 8590 diff changeset	100 ssl_params_corrupted(params->fname);
3888 650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	101 }
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	102
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	103 static bool read_dh_parameters_next(struct ssl_parameters *params)
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	104 {
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	105 unsigned char *buf;
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	106 const unsigned char *cbuf;
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	107 unsigned int len;
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	108 int bits;
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	109
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	110 /* read bit size. 0 ends the DH parameters list. */
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	111 read_next(params, &bits, sizeof(bits));
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	112
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	113 if (bits == 0)
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	114 return FALSE;
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	115
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	116 /* read data size. */
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	117 read_next(params, &len, sizeof(len));
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	118 if (len > 1024100) / should be enough? */
8621 22985329af92 Check broken ssl-parameters.dat files better and give a better error message when seeing one. Timo Sirainen <tss@iki.fi> parents: 8590 diff changeset	119 ssl_params_corrupted(params->fname);
3888 650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	120
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	121 buf = i_malloc(len);
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	122 read_next(params, buf, len);
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	123
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	124 cbuf = buf;
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	125 switch (bits) {
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	126 case 512:
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	127 params->dh_512 = d2i_DHparams(NULL, &cbuf, len);
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	128 break;
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	129 case 1024:
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	130 params->dh_1024 = d2i_DHparams(NULL, &cbuf, len);
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	131 break;
8621 22985329af92 Check broken ssl-parameters.dat files better and give a better error message when seeing one. Timo Sirainen <tss@iki.fi> parents: 8590 diff changeset	132 default:
22985329af92 Check broken ssl-parameters.dat files better and give a better error message when seeing one. Timo Sirainen <tss@iki.fi> parents: 8590 diff changeset	133 ssl_params_corrupted(params->fname);
3888 650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	134 }
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	135
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	136 i_free(buf);
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	137 return TRUE;
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	138 }
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	139
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	140 static void ssl_free_parameters(struct ssl_parameters *params)
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	141 {
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	142 if (params->dh_512 != NULL) {
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	143 DH_free(params->dh_512);
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	144 params->dh_512 = NULL;
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	145 }
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	146 if (params->dh_1024 != NULL) {
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	147 DH_free(params->dh_1024);
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	148 params->dh_1024 = NULL;
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	149 }
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	150 }
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	151
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	152 static void ssl_read_parameters(struct ssl_parameters *params)
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	153 {
4505 886d7af1f38d Don't constantly re-read ssl-parameters.dat. Make sure that in input handler Timo Sirainen <tss@iki.fi> parents: 4474 diff changeset	154 struct stat st;
8621 22985329af92 Check broken ssl-parameters.dat files better and give a better error message when seeing one. Timo Sirainen <tss@iki.fi> parents: 8590 diff changeset	155 ssize_t ret;
22985329af92 Check broken ssl-parameters.dat files better and give a better error message when seeing one. Timo Sirainen <tss@iki.fi> parents: 8590 diff changeset	156 char c;
3888 650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	157 bool warned = FALSE;
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	158
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	159 /* we'll wait until parameter file exists */
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	160 for (;;) {
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	161 params->fd = open(params->fname, O_RDONLY);
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	162 if (params->fd != -1)
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	163 break;
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	164
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	165 if (errno != ENOENT) {
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	166 i_fatal("Can't open SSL parameter file %s: %m",
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	167 params->fname);
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	168 }
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	169
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	170 if (!warned) {
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	171 i_warning("Waiting for SSL parameter file %s",
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	172 params->fname);
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	173 warned = TRUE;
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	174 }
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	175 sleep(1);
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	176 }
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	177
4505 886d7af1f38d Don't constantly re-read ssl-parameters.dat. Make sure that in input handler Timo Sirainen <tss@iki.fi> parents: 4474 diff changeset	178 if (fstat(params->fd, &st) < 0)
886d7af1f38d Don't constantly re-read ssl-parameters.dat. Make sure that in input handler Timo Sirainen <tss@iki.fi> parents: 4474 diff changeset	179 i_error("fstat(%s) failed: %m", params->fname);
886d7af1f38d Don't constantly re-read ssl-parameters.dat. Make sure that in input handler Timo Sirainen <tss@iki.fi> parents: 4474 diff changeset	180 else
886d7af1f38d Don't constantly re-read ssl-parameters.dat. Make sure that in input handler Timo Sirainen <tss@iki.fi> parents: 4474 diff changeset	181 params->last_mtime = st.st_mtime;
886d7af1f38d Don't constantly re-read ssl-parameters.dat. Make sure that in input handler Timo Sirainen <tss@iki.fi> parents: 4474 diff changeset	182
3888 650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	183 ssl_free_parameters(params);
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	184 while (read_dh_parameters_next(params)) ;
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	185
8621 22985329af92 Check broken ssl-parameters.dat files better and give a better error message when seeing one. Timo Sirainen <tss@iki.fi> parents: 8590 diff changeset	186 if ((ret = read_full(params->fd, &c, 1)) < 0)
22985329af92 Check broken ssl-parameters.dat files better and give a better error message when seeing one. Timo Sirainen <tss@iki.fi> parents: 8590 diff changeset	187 i_fatal("read(%s) failed: %m", params->fname);
22985329af92 Check broken ssl-parameters.dat files better and give a better error message when seeing one. Timo Sirainen <tss@iki.fi> parents: 8590 diff changeset	188 else if (ret != 0) {
22985329af92 Check broken ssl-parameters.dat files better and give a better error message when seeing one. Timo Sirainen <tss@iki.fi> parents: 8590 diff changeset	189 /* more data than expected */
22985329af92 Check broken ssl-parameters.dat files better and give a better error message when seeing one. Timo Sirainen <tss@iki.fi> parents: 8590 diff changeset	190 ssl_params_corrupted(params->fname);
22985329af92 Check broken ssl-parameters.dat files better and give a better error message when seeing one. Timo Sirainen <tss@iki.fi> parents: 8590 diff changeset	191 }
22985329af92 Check broken ssl-parameters.dat files better and give a better error message when seeing one. Timo Sirainen <tss@iki.fi> parents: 8590 diff changeset	192
3888 650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	193 if (close(params->fd) < 0)
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	194 i_error("close() failed: %m");
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	195 params->fd = -1;
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	196 }
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	197
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	198 static void ssl_refresh_parameters(struct ssl_parameters *params)
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	199 {
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	200 struct stat st;
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	201
4505 886d7af1f38d Don't constantly re-read ssl-parameters.dat. Make sure that in input handler Timo Sirainen <tss@iki.fi> parents: 4474 diff changeset	202 if (params->last_check > ioloop_time - SSL_PARAMFILE_CHECK_INTERVAL)
3888 650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	203 return;
4505 886d7af1f38d Don't constantly re-read ssl-parameters.dat. Make sure that in input handler Timo Sirainen <tss@iki.fi> parents: 4474 diff changeset	204 params->last_check = ioloop_time;
3888 650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	205
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	206 if (params->last_mtime == 0)
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	207 ssl_read_parameters(params);
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	208 else {
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	209 if (stat(params->fname, &st) < 0)
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	210 i_error("stat(%s) failed: %m", params->fname);
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	211 else if (st.st_mtime != params->last_mtime)
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	212 ssl_read_parameters(params);
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	213 }
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	214 }
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	215
4538 9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	216 static void ssl_set_io(struct ssl_proxy *proxy, enum ssl_io_action action)
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	217 {
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	218 switch (action) {
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	219 case SSL_ADD_INPUT:
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	220 if (proxy->io_ssl_read != NULL)
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	221 break;
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	222 proxy->io_ssl_read = io_add(proxy->fd_ssl, IO_READ,
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	223 ssl_step, proxy);
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	224 break;
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	225 case SSL_REMOVE_INPUT:
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	226 if (proxy->io_ssl_read != NULL)
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	227 io_remove(&proxy->io_ssl_read);
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	228 break;
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	229 case SSL_ADD_OUTPUT:
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	230 if (proxy->io_ssl_write != NULL)
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	231 break;
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	232 proxy->io_ssl_write = io_add(proxy->fd_ssl, IO_WRITE,
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	233 ssl_step, proxy);
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	234 break;
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	235 case SSL_REMOVE_OUTPUT:
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	236 if (proxy->io_ssl_write != NULL)
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	237 io_remove(&proxy->io_ssl_write);
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	238 break;
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	239 }
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	240 }
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	241
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	242 static void plain_block_input(struct ssl_proxy *proxy, bool block)
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	243 {
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	244 if (block) {
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	245 if (proxy->io_plain_read != NULL)
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	246 io_remove(&proxy->io_plain_read);
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	247 } else {
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	248 if (proxy->io_plain_read == NULL) {
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	249 proxy->io_plain_read = io_add(proxy->fd_plain, IO_READ,
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	250 plain_read, proxy);
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	251 }
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	252 }
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	253 }
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	254
4907 5b4c9b20eba0 Replaced void context from a lot of callbacks with the actual context Timo Sirainen <tss@iki.fi>* parents: 4827 diff changeset	255 static void plain_read(struct ssl_proxy *proxy)
4538 9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	256 {
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	257 ssize_t ret;
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	258 bool corked = FALSE;
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	259
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	260 if (proxy->sslout_size == sizeof(proxy->sslout_buf)) {
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	261 /* buffer full, block input until it's written */
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	262 plain_block_input(proxy, TRUE);
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	263 return;
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	264 }
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	265
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	266 proxy->refcount++;
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	267
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	268 while (proxy->sslout_size < sizeof(proxy->sslout_buf) &&
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	269 !proxy->destroyed) {
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	270 ret = net_receive(proxy->fd_plain,
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	271 proxy->sslout_buf + proxy->sslout_size,
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	272 sizeof(proxy->sslout_buf) -
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	273 proxy->sslout_size);
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	274 if (ret <= 0) {
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	275 if (ret < 0)
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	276 ssl_proxy_destroy(proxy);
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	277 break;
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	278 } else {
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	279 proxy->sslout_size += ret;
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	280 if (!corked) {
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	281 net_set_cork(proxy->fd_ssl, TRUE);
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	282 corked = TRUE;
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	283 }
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	284 ssl_write(proxy);
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	285 }
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	286 }
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	287
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	288 if (corked)
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	289 net_set_cork(proxy->fd_ssl, FALSE);
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	290
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	291 ssl_proxy_unref(proxy);
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	292 }
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	293
4907 5b4c9b20eba0 Replaced void context from a lot of callbacks with the actual context Timo Sirainen <tss@iki.fi>* parents: 4827 diff changeset	294 static void plain_write(struct ssl_proxy *proxy)
4538 9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	295 {
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	296 ssize_t ret;
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	297
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	298 proxy->refcount++;
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	299
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	300 ret = net_transmit(proxy->fd_plain, proxy->plainout_buf,
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	301 proxy->plainout_size);
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	302 if (ret < 0)
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	303 ssl_proxy_destroy(proxy);
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	304 else {
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	305 proxy->plainout_size -= ret;
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	306 memmove(proxy->plainout_buf, proxy->plainout_buf + ret,
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	307 proxy->plainout_size);
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	308
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	309 if (proxy->plainout_size > 0) {
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	310 if (proxy->io_plain_write == NULL) {
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	311 proxy->io_plain_write =
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	312 io_add(proxy->fd_plain, IO_WRITE,
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	313 plain_write, proxy);
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	314 }
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	315 } else {
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	316 if (proxy->io_plain_write != NULL)
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	317 io_remove(&proxy->io_plain_write);
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	318 }
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	319
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	320 ssl_set_io(proxy, SSL_ADD_INPUT);
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	321 if (SSL_pending(proxy->ssl) > 0)
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	322 ssl_read(proxy);
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	323 }
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	324
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	325 ssl_proxy_unref(proxy);
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	326 }
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	327
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	328 static const char *ssl_last_error(void)
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	329 {
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	330 unsigned long err;
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	331 char *buf;
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	332 size_t err_size = 256;
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	333
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	334 err = ERR_get_error();
7508 bec3cd8e8151 If SSL function fails and there are no errors, return "Unknown error" Timo Sirainen <tss@iki.fi> parents: 7500 diff changeset	335 if (err == 0) {
bec3cd8e8151 If SSL function fails and there are no errors, return "Unknown error" Timo Sirainen <tss@iki.fi> parents: 7500 diff changeset	336 if (errno != 0)
bec3cd8e8151 If SSL function fails and there are no errors, return "Unknown error" Timo Sirainen <tss@iki.fi> parents: 7500 diff changeset	337 return strerror(errno);
bec3cd8e8151 If SSL function fails and there are no errors, return "Unknown error" Timo Sirainen <tss@iki.fi> parents: 7500 diff changeset	338 return "Unknown error";
bec3cd8e8151 If SSL function fails and there are no errors, return "Unknown error" Timo Sirainen <tss@iki.fi> parents: 7500 diff changeset	339 }
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	340
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	341 buf = t_malloc(err_size);
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	342 buf[err_size-1] = '\0';
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	343 ERR_error_string_n(err, buf, err_size-1);
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	344 return buf;
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	345 }
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	346
4538 9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	347 static void ssl_handle_error(struct ssl_proxy *proxy, int ret,
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	348 const char *func_name)
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	349 {
7374 0bb3fc72a74f If TLS connection closes with anything except a clean disconnection, log the Timo Sirainen <tss@iki.fi> parents: 7346 diff changeset	350 const char *errstr = NULL;
1235 2660b47fd9bc Added setting verbose_ssl Timo Sirainen <tss@iki.fi> parents: 1234 diff changeset	351 int err;
2660b47fd9bc Added setting verbose_ssl Timo Sirainen <tss@iki.fi> parents: 1234 diff changeset	352
7374 0bb3fc72a74f If TLS connection closes with anything except a clean disconnection, log the Timo Sirainen <tss@iki.fi> parents: 7346 diff changeset	353 proxy->refcount++;
0bb3fc72a74f If TLS connection closes with anything except a clean disconnection, log the Timo Sirainen <tss@iki.fi> parents: 7346 diff changeset	354
0bb3fc72a74f If TLS connection closes with anything except a clean disconnection, log the Timo Sirainen <tss@iki.fi> parents: 7346 diff changeset	355 i_free_and_null(proxy->last_error);
1235 2660b47fd9bc Added setting verbose_ssl Timo Sirainen <tss@iki.fi> parents: 1234 diff changeset	356 err = SSL_get_error(proxy->ssl, ret);
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	357
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	358 switch (err) {
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	359 case SSL_ERROR_WANT_READ:
4538 9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	360 ssl_set_io(proxy, SSL_ADD_INPUT);
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	361 break;
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	362 case SSL_ERROR_WANT_WRITE:
4538 9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	363 ssl_set_io(proxy, SSL_ADD_OUTPUT);
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	364 break;
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	365 case SSL_ERROR_SYSCALL:
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	366 /* eat up the error queue */
7374 0bb3fc72a74f If TLS connection closes with anything except a clean disconnection, log the Timo Sirainen <tss@iki.fi> parents: 7346 diff changeset	367 if (ERR_peek_error() != 0)
0bb3fc72a74f If TLS connection closes with anything except a clean disconnection, log the Timo Sirainen <tss@iki.fi> parents: 7346 diff changeset	368 errstr = ssl_last_error();
0bb3fc72a74f If TLS connection closes with anything except a clean disconnection, log the Timo Sirainen <tss@iki.fi> parents: 7346 diff changeset	369 else if (ret != 0)
0bb3fc72a74f If TLS connection closes with anything except a clean disconnection, log the Timo Sirainen <tss@iki.fi> parents: 7346 diff changeset	370 errstr = strerror(errno);
0bb3fc72a74f If TLS connection closes with anything except a clean disconnection, log the Timo Sirainen <tss@iki.fi> parents: 7346 diff changeset	371 else {
0bb3fc72a74f If TLS connection closes with anything except a clean disconnection, log the Timo Sirainen <tss@iki.fi> parents: 7346 diff changeset	372 /* EOF. */
0bb3fc72a74f If TLS connection closes with anything except a clean disconnection, log the Timo Sirainen <tss@iki.fi> parents: 7346 diff changeset	373 errstr = "Disconnected";
0bb3fc72a74f If TLS connection closes with anything except a clean disconnection, log the Timo Sirainen <tss@iki.fi> parents: 7346 diff changeset	374 break;
1235 2660b47fd9bc Added setting verbose_ssl Timo Sirainen <tss@iki.fi> parents: 1234 diff changeset	375 }
7374 0bb3fc72a74f If TLS connection closes with anything except a clean disconnection, log the Timo Sirainen <tss@iki.fi> parents: 7346 diff changeset	376 errstr = t_strdup_printf("%s syscall failed: %s",
0bb3fc72a74f If TLS connection closes with anything except a clean disconnection, log the Timo Sirainen <tss@iki.fi> parents: 7346 diff changeset	377 func_name, errstr);
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	378 break;
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	379 case SSL_ERROR_ZERO_RETURN:
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	380 /* clean connection closing */
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	381 ssl_proxy_destroy(proxy);
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	382 break;
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	383 case SSL_ERROR_SSL:
9305 b7dbcf86086b Fixed openssl malloc() failure check. Timo Sirainen <tss@iki.fi> parents: 9288 diff changeset	384 if (ERR_GET_REASON(ERR_peek_error()) == ERR_R_MALLOC_FAILURE) {
9288 c00df1152f1f -login: If OpenSSL fails with malloc failure, log an error. Timo Sirainen <tss@iki.fi>* parents: 9283 diff changeset	385 i_error("OpenSSL malloc() failed. "
c00df1152f1f -login: If OpenSSL fails with malloc failure, log an error. Timo Sirainen <tss@iki.fi>* parents: 9283 diff changeset	386 "You may need to increase login_process_size");
c00df1152f1f -login: If OpenSSL fails with malloc failure, log an error. Timo Sirainen <tss@iki.fi>* parents: 9283 diff changeset	387 }
7374 0bb3fc72a74f If TLS connection closes with anything except a clean disconnection, log the Timo Sirainen <tss@iki.fi> parents: 7346 diff changeset	388 errstr = t_strdup_printf("%s failed: %s",
0bb3fc72a74f If TLS connection closes with anything except a clean disconnection, log the Timo Sirainen <tss@iki.fi> parents: 7346 diff changeset	389 func_name, ssl_last_error());
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	390 break;
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	391 default:
7374 0bb3fc72a74f If TLS connection closes with anything except a clean disconnection, log the Timo Sirainen <tss@iki.fi> parents: 7346 diff changeset	392 errstr = t_strdup_printf("%s failed: unknown failure %d (%s)",
0bb3fc72a74f If TLS connection closes with anything except a clean disconnection, log the Timo Sirainen <tss@iki.fi> parents: 7346 diff changeset	393 func_name, err, ssl_last_error());
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	394 break;
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	395 }
7374 0bb3fc72a74f If TLS connection closes with anything except a clean disconnection, log the Timo Sirainen <tss@iki.fi> parents: 7346 diff changeset	396
0bb3fc72a74f If TLS connection closes with anything except a clean disconnection, log the Timo Sirainen <tss@iki.fi> parents: 7346 diff changeset	397 if (errstr != NULL) {
0bb3fc72a74f If TLS connection closes with anything except a clean disconnection, log the Timo Sirainen <tss@iki.fi> parents: 7346 diff changeset	398 proxy->last_error = i_strdup(errstr);
0bb3fc72a74f If TLS connection closes with anything except a clean disconnection, log the Timo Sirainen <tss@iki.fi> parents: 7346 diff changeset	399 ssl_proxy_destroy(proxy);
0bb3fc72a74f If TLS connection closes with anything except a clean disconnection, log the Timo Sirainen <tss@iki.fi> parents: 7346 diff changeset	400 }
0bb3fc72a74f If TLS connection closes with anything except a clean disconnection, log the Timo Sirainen <tss@iki.fi> parents: 7346 diff changeset	401 ssl_proxy_unref(proxy);
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	402 }
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	403
4538 9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	404 static void ssl_handshake(struct ssl_proxy *proxy)
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	405 {
4538 9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	406 int ret;
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	407
8985 f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	408 if (proxy->client) {
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	409 ret = SSL_connect(proxy->ssl);
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	410 if (ret != 1) {
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	411 ssl_handle_error(proxy, ret, "SSL_connect()");
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	412 return;
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	413 }
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	414 } else {
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	415 ret = SSL_accept(proxy->ssl);
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	416 if (ret != 1) {
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	417 ssl_handle_error(proxy, ret, "SSL_accept()");
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	418 return;
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	419 }
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	420 }
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	421 i_free_and_null(proxy->last_error);
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	422 proxy->handshaked = TRUE;
4538 9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	423
8985 f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	424 ssl_set_io(proxy, SSL_ADD_INPUT);
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	425 plain_block_input(proxy, FALSE);
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	426
8986 d475e17d01a3 ssl-proxy: Crashfix to previous commit. Timo Sirainen <tss@iki.fi> parents: 8985 diff changeset	427 if (proxy->handshake_callback != NULL) {
d475e17d01a3 ssl-proxy: Crashfix to previous commit. Timo Sirainen <tss@iki.fi> parents: 8985 diff changeset	428 if (proxy->handshake_callback(proxy->handshake_context) < 0)
d475e17d01a3 ssl-proxy: Crashfix to previous commit. Timo Sirainen <tss@iki.fi> parents: 8985 diff changeset	429 ssl_proxy_destroy(proxy);
d475e17d01a3 ssl-proxy: Crashfix to previous commit. Timo Sirainen <tss@iki.fi> parents: 8985 diff changeset	430 }
4538 9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	431 }
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	432
4538 9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	433 static void ssl_read(struct ssl_proxy *proxy)
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	434 {
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	435 int ret;
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	436
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	437 while (proxy->plainout_size < sizeof(proxy->plainout_buf) &&
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	438 !proxy->destroyed) {
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	439 ret = SSL_read(proxy->ssl,
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	440 proxy->plainout_buf + proxy->plainout_size,
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	441 sizeof(proxy->plainout_buf) -
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	442 proxy->plainout_size);
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	443 if (ret <= 0) {
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	444 ssl_handle_error(proxy, ret, "SSL_read()");
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	445 break;
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	446 } else {
7374 0bb3fc72a74f If TLS connection closes with anything except a clean disconnection, log the Timo Sirainen <tss@iki.fi> parents: 7346 diff changeset	447 i_free_and_null(proxy->last_error);
4538 9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	448 proxy->plainout_size += ret;
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	449 plain_write(proxy);
4131 c12bb541f925 Reverted back for now. Timo Sirainen <tss@iki.fi> parents: 4127 diff changeset	450 }
4127 60583fb75d9e Rewrite. Hopefully works better. Timo Sirainen <tss@iki.fi> parents: 3960 diff changeset	451 }
60583fb75d9e Rewrite. Hopefully works better. Timo Sirainen <tss@iki.fi> parents: 3960 diff changeset	452 }
60583fb75d9e Rewrite. Hopefully works better. Timo Sirainen <tss@iki.fi> parents: 3960 diff changeset	453
4538 9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	454 static void ssl_write(struct ssl_proxy *proxy)
4127 60583fb75d9e Rewrite. Hopefully works better. Timo Sirainen <tss@iki.fi> parents: 3960 diff changeset	455 {
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	456 int ret;
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	457
4538 9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	458 ret = SSL_write(proxy->ssl, proxy->sslout_buf, proxy->sslout_size);
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	459 if (ret <= 0)
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	460 ssl_handle_error(proxy, ret, "SSL_write()");
4127 60583fb75d9e Rewrite. Hopefully works better. Timo Sirainen <tss@iki.fi> parents: 3960 diff changeset	461 else {
7374 0bb3fc72a74f If TLS connection closes with anything except a clean disconnection, log the Timo Sirainen <tss@iki.fi> parents: 7346 diff changeset	462 i_free_and_null(proxy->last_error);
4538 9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	463 proxy->sslout_size -= ret;
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	464 memmove(proxy->sslout_buf, proxy->sslout_buf + ret,
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	465 proxy->sslout_size);
4474 1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	466
4538 9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	467 ssl_set_io(proxy, proxy->sslout_size > 0 ?
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	468 SSL_ADD_OUTPUT : SSL_REMOVE_OUTPUT);
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	469 plain_block_input(proxy, FALSE);
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	470 }
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	471 }
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	472
4907 5b4c9b20eba0 Replaced void context from a lot of callbacks with the actual context Timo Sirainen <tss@iki.fi>* parents: 4827 diff changeset	473 static void ssl_step(struct ssl_proxy *proxy)
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	474 {
4538 9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	475 proxy->refcount++;
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	476
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	477 if (!proxy->handshaked)
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	478 ssl_handshake(proxy);
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	479
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	480 if (proxy->handshaked) {
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	481 if (proxy->plainout_size == sizeof(proxy->plainout_buf))
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	482 ssl_set_io(proxy, SSL_REMOVE_INPUT);
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	483 else
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	484 ssl_read(proxy);
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	485
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	486 if (proxy->sslout_size == 0)
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	487 ssl_set_io(proxy, SSL_REMOVE_OUTPUT);
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	488 else {
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	489 net_set_cork(proxy->fd_ssl, TRUE);
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	490 ssl_write(proxy);
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	491 net_set_cork(proxy->fd_ssl, FALSE);
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	492 }
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	493 }
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	494
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	495 ssl_proxy_unref(proxy);
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	496 }
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	497
8985 f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	498 static int ssl_proxy_new_common(SSL_CTX ssl_ctx, int fd, struct ip_addr ip,
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	499 struct ssl_proxy **proxy_r)
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	500 {
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	501 struct ssl_proxy *proxy;
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	502 SSL *ssl;
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	503 int sfd[2];
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	504
4664 881ed99266a2 New asserts / cleanup Timo Sirainen <tss@iki.fi> parents: 4570 diff changeset	505 i_assert(fd != -1);
881ed99266a2 New asserts / cleanup Timo Sirainen <tss@iki.fi> parents: 4570 diff changeset	506
2027 dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide Timo Sirainen <tss@iki.fi> parents: 2007 diff changeset	507 *proxy_r = NULL;
dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide Timo Sirainen <tss@iki.fi> parents: 2007 diff changeset	508
2679 8f7b01c29bcb Show clear error messages if --ssl is tried to be used but it's not Timo Sirainen <tss@iki.fi> parents: 2629 diff changeset	509 if (!ssl_initialized) {
8f7b01c29bcb Show clear error messages if --ssl is tried to be used but it's not Timo Sirainen <tss@iki.fi> parents: 2629 diff changeset	510 i_error("SSL support not enabled in configuration");
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	511 return -1;
2679 8f7b01c29bcb Show clear error messages if --ssl is tried to be used but it's not Timo Sirainen <tss@iki.fi> parents: 2629 diff changeset	512 }
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	513
3888 650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	514 ssl_refresh_parameters(&ssl_params);
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	515
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	516 ssl = SSL_new(ssl_ctx);
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	517 if (ssl == NULL) {
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	518 i_error("SSL_new() failed: %s", ssl_last_error());
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	519 return -1;
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	520 }
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	521
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	522 if (SSL_set_fd(ssl, fd) != 1) {
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	523 i_error("SSL_set_fd() failed: %s", ssl_last_error());
1457 7dd0e88ed7ef cleanups Timo Sirainen <tss@iki.fi> parents: 1324 diff changeset	524 SSL_free(ssl);
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	525 return -1;
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	526 }
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	527
4664 881ed99266a2 New asserts / cleanup Timo Sirainen <tss@iki.fi> parents: 4570 diff changeset	528 if (socketpair(AF_UNIX, SOCK_STREAM, 0, sfd) < 0) {
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	529 i_error("socketpair() failed: %m");
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	530 SSL_free(ssl);
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	531 return -1;
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	532 }
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	533
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	534 net_set_nonblock(sfd[0], TRUE);
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	535 net_set_nonblock(sfd[1], TRUE);
1268 0d9f0e617a1a net_* functions don't anymore set sockets to non-blocking by default. Timo Sirainen <tss@iki.fi> parents: 1235 diff changeset	536 net_set_nonblock(fd, TRUE);
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	537
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	538 proxy = i_new(struct ssl_proxy, 1);
2027 dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide Timo Sirainen <tss@iki.fi> parents: 2007 diff changeset	539 proxy->refcount = 2;
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	540 proxy->ssl = ssl;
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	541 proxy->fd_ssl = fd;
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	542 proxy->fd_plain = sfd[0];
1235 2660b47fd9bc Added setting verbose_ssl Timo Sirainen <tss@iki.fi> parents: 1234 diff changeset	543 proxy->ip = *ip;
2027 dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide Timo Sirainen <tss@iki.fi> parents: 2007 diff changeset	544 SSL_set_ex_data(ssl, extdata_index, proxy);
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	545
7119 8c6a7af67e8c Replaced clients hash with a linked list. Timo Sirainen <tss@iki.fi> parents: 7086 diff changeset	546 ssl_proxy_count++;
8c6a7af67e8c Replaced clients hash with a linked list. Timo Sirainen <tss@iki.fi> parents: 7086 diff changeset	547 DLLIST_PREPEND(&ssl_proxies, proxy);
1544 ac6ee442376d OpenSSL proxy changes - hopefully fixes something. Also don't crash with Timo Sirainen <tss@iki.fi> parents: 1492 diff changeset	548
4474 1ff1603403de Second try with SSL proxy rewrite. Did some fixes since last try. Timo Sirainen <tss@iki.fi> parents: 4471 diff changeset	549 main_ref();
2027 dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide Timo Sirainen <tss@iki.fi> parents: 2007 diff changeset	550
dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide Timo Sirainen <tss@iki.fi> parents: 2007 diff changeset	551 *proxy_r = proxy;
dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide Timo Sirainen <tss@iki.fi> parents: 2007 diff changeset	552 return sfd[1];
dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide Timo Sirainen <tss@iki.fi> parents: 2007 diff changeset	553 }
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	554
8985 f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	555 int ssl_proxy_new(int fd, struct ip_addr ip, struct ssl_proxy *proxy_r)
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	556 {
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	557 int ret;
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	558
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	559 if ((ret = ssl_proxy_new_common(ssl_server_ctx, fd, ip, proxy_r)) < 0)
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	560 return -1;
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	561
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	562 ssl_step(*proxy_r);
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	563 return ret;
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	564 }
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	565
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	566 int ssl_proxy_client_new(int fd, struct ip_addr *ip,
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	567 ssl_handshake_callback_t callback, void context,
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	568 struct ssl_proxy **proxy_r)
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	569 {
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	570 int ret;
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	571
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	572 if ((ret = ssl_proxy_new_common(ssl_client_ctx, fd, ip, proxy_r)) < 0)
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	573 return -1;
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	574
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	575 (*proxy_r)->handshake_callback = callback;
8986 d475e17d01a3 ssl-proxy: Crashfix to previous commit. Timo Sirainen <tss@iki.fi> parents: 8985 diff changeset	576 (*proxy_r)->handshake_context = context;
8985 f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	577 (*proxy_r)->client = TRUE;
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	578 ssl_step(*proxy_r);
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	579 return ret;
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	580 }
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	581
7912 81806d402514 Added more consts, ATTR_CONSTs and ATTR_PUREs. Timo Sirainen <tss@iki.fi> parents: 7508 diff changeset	582 bool ssl_proxy_has_valid_client_cert(const struct ssl_proxy *proxy)
2027 dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide Timo Sirainen <tss@iki.fi> parents: 2007 diff changeset	583 {
dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide Timo Sirainen <tss@iki.fi> parents: 2007 diff changeset	584 return proxy->cert_received && !proxy->cert_broken;
dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide Timo Sirainen <tss@iki.fi> parents: 2007 diff changeset	585 }
dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide Timo Sirainen <tss@iki.fi> parents: 2007 diff changeset	586
8302 0db37acdc59f Login process: Log auth failure reasons better in disconnect message. Timo Sirainen <tss@iki.fi> parents: 8224 diff changeset	587 bool ssl_proxy_has_broken_client_cert(struct ssl_proxy *proxy)
0db37acdc59f Login process: Log auth failure reasons better in disconnect message. Timo Sirainen <tss@iki.fi> parents: 8224 diff changeset	588 {
0db37acdc59f Login process: Log auth failure reasons better in disconnect message. Timo Sirainen <tss@iki.fi> parents: 8224 diff changeset	589 return proxy->cert_received && proxy->cert_broken;
0db37acdc59f Login process: Log auth failure reasons better in disconnect message. Timo Sirainen <tss@iki.fi> parents: 8224 diff changeset	590 }
0db37acdc59f Login process: Log auth failure reasons better in disconnect message. Timo Sirainen <tss@iki.fi> parents: 8224 diff changeset	591
3635 c12df370e1b2 Added ssl_username_from_cert setting. Not actually tested yet.. Timo Sirainen <tss@iki.fi> parents: 3584 diff changeset	592 const char ssl_proxy_get_peer_name(struct ssl_proxy proxy)
c12df370e1b2 Added ssl_username_from_cert setting. Not actually tested yet.. Timo Sirainen <tss@iki.fi> parents: 3584 diff changeset	593 {
c12df370e1b2 Added ssl_username_from_cert setting. Not actually tested yet.. Timo Sirainen <tss@iki.fi> parents: 3584 diff changeset	594 X509 *x509;
9283 0de21e725d4e ssl_username_from_cert=yes: Don't truncate username, don't allow NULs in it. Timo Sirainen <tss@iki.fi> parents: 8986 diff changeset	595 char *name;
0de21e725d4e ssl_username_from_cert=yes: Don't truncate username, don't allow NULs in it. Timo Sirainen <tss@iki.fi> parents: 8986 diff changeset	596 int len;
3635 c12df370e1b2 Added ssl_username_from_cert setting. Not actually tested yet.. Timo Sirainen <tss@iki.fi> parents: 3584 diff changeset	597
c12df370e1b2 Added ssl_username_from_cert setting. Not actually tested yet.. Timo Sirainen <tss@iki.fi> parents: 3584 diff changeset	598 if (!ssl_proxy_has_valid_client_cert(proxy))
c12df370e1b2 Added ssl_username_from_cert setting. Not actually tested yet.. Timo Sirainen <tss@iki.fi> parents: 3584 diff changeset	599 return NULL;
c12df370e1b2 Added ssl_username_from_cert setting. Not actually tested yet.. Timo Sirainen <tss@iki.fi> parents: 3584 diff changeset	600
c12df370e1b2 Added ssl_username_from_cert setting. Not actually tested yet.. Timo Sirainen <tss@iki.fi> parents: 3584 diff changeset	601 x509 = SSL_get_peer_certificate(proxy->ssl);
c12df370e1b2 Added ssl_username_from_cert setting. Not actually tested yet.. Timo Sirainen <tss@iki.fi> parents: 3584 diff changeset	602 if (x509 == NULL)
c12df370e1b2 Added ssl_username_from_cert setting. Not actually tested yet.. Timo Sirainen <tss@iki.fi> parents: 3584 diff changeset	603 return NULL; /* we should have had it.. */
c12df370e1b2 Added ssl_username_from_cert setting. Not actually tested yet.. Timo Sirainen <tss@iki.fi> parents: 3584 diff changeset	604
9283 0de21e725d4e ssl_username_from_cert=yes: Don't truncate username, don't allow NULs in it. Timo Sirainen <tss@iki.fi> parents: 8986 diff changeset	605 len = X509_NAME_get_text_by_NID(X509_get_subject_name(x509),
0de21e725d4e ssl_username_from_cert=yes: Don't truncate username, don't allow NULs in it. Timo Sirainen <tss@iki.fi> parents: 8986 diff changeset	606 ssl_username_nid, NULL, 0);
0de21e725d4e ssl_username_from_cert=yes: Don't truncate username, don't allow NULs in it. Timo Sirainen <tss@iki.fi> parents: 8986 diff changeset	607 if (len < 0)
4352 d57c83c64b20 Updates to ssl_verify_client_cert: Check CRLs. If auth_verbose=yes, log Timo Sirainen <tss@iki.fi> parents: 4131 diff changeset	608 name = "";
9283 0de21e725d4e ssl_username_from_cert=yes: Don't truncate username, don't allow NULs in it. Timo Sirainen <tss@iki.fi> parents: 8986 diff changeset	609 else {
0de21e725d4e ssl_username_from_cert=yes: Don't truncate username, don't allow NULs in it. Timo Sirainen <tss@iki.fi> parents: 8986 diff changeset	610 name = t_malloc(len + 1);
0de21e725d4e ssl_username_from_cert=yes: Don't truncate username, don't allow NULs in it. Timo Sirainen <tss@iki.fi> parents: 8986 diff changeset	611 if (X509_NAME_get_text_by_NID(X509_get_subject_name(x509),
0de21e725d4e ssl_username_from_cert=yes: Don't truncate username, don't allow NULs in it. Timo Sirainen <tss@iki.fi> parents: 8986 diff changeset	612 ssl_username_nid, name, len + 1) < 0)
0de21e725d4e ssl_username_from_cert=yes: Don't truncate username, don't allow NULs in it. Timo Sirainen <tss@iki.fi> parents: 8986 diff changeset	613 name = "";
0de21e725d4e ssl_username_from_cert=yes: Don't truncate username, don't allow NULs in it. Timo Sirainen <tss@iki.fi> parents: 8986 diff changeset	614 else if (strlen(name) != (size_t)len) {
0de21e725d4e ssl_username_from_cert=yes: Don't truncate username, don't allow NULs in it. Timo Sirainen <tss@iki.fi> parents: 8986 diff changeset	615 /* NUL characters in name. Someone's trying to fake
0de21e725d4e ssl_username_from_cert=yes: Don't truncate username, don't allow NULs in it. Timo Sirainen <tss@iki.fi> parents: 8986 diff changeset	616 being another user? Don't allow it. */
0de21e725d4e ssl_username_from_cert=yes: Don't truncate username, don't allow NULs in it. Timo Sirainen <tss@iki.fi> parents: 8986 diff changeset	617 name = "";
0de21e725d4e ssl_username_from_cert=yes: Don't truncate username, don't allow NULs in it. Timo Sirainen <tss@iki.fi> parents: 8986 diff changeset	618 }
0de21e725d4e ssl_username_from_cert=yes: Don't truncate username, don't allow NULs in it. Timo Sirainen <tss@iki.fi> parents: 8986 diff changeset	619 }
3635 c12df370e1b2 Added ssl_username_from_cert setting. Not actually tested yet.. Timo Sirainen <tss@iki.fi> parents: 3584 diff changeset	620 X509_free(x509);
4352 d57c83c64b20 Updates to ssl_verify_client_cert: Check CRLs. If auth_verbose=yes, log Timo Sirainen <tss@iki.fi> parents: 4131 diff changeset	621
3635 c12df370e1b2 Added ssl_username_from_cert setting. Not actually tested yet.. Timo Sirainen <tss@iki.fi> parents: 3584 diff changeset	622 return *name == '\0' ? NULL : name;
c12df370e1b2 Added ssl_username_from_cert setting. Not actually tested yet.. Timo Sirainen <tss@iki.fi> parents: 3584 diff changeset	623 }
c12df370e1b2 Added ssl_username_from_cert setting. Not actually tested yet.. Timo Sirainen <tss@iki.fi> parents: 3584 diff changeset	624
7912 81806d402514 Added more consts, ATTR_CONSTs and ATTR_PUREs. Timo Sirainen <tss@iki.fi> parents: 7508 diff changeset	625 bool ssl_proxy_is_handshaked(const struct ssl_proxy *proxy)
4570 cbbe2377f591 If SSL/TLS handshake didn't finish, show "TLS handshaking" instead of "TLS" Timo Sirainen <tss@iki.fi> parents: 4549 diff changeset	626 {
cbbe2377f591 If SSL/TLS handshake didn't finish, show "TLS handshaking" instead of "TLS" Timo Sirainen <tss@iki.fi> parents: 4549 diff changeset	627 return proxy->handshaked;
cbbe2377f591 If SSL/TLS handshake didn't finish, show "TLS handshaking" instead of "TLS" Timo Sirainen <tss@iki.fi> parents: 4549 diff changeset	628 }
cbbe2377f591 If SSL/TLS handshake didn't finish, show "TLS handshaking" instead of "TLS" Timo Sirainen <tss@iki.fi> parents: 4549 diff changeset	629
7912 81806d402514 Added more consts, ATTR_CONSTs and ATTR_PUREs. Timo Sirainen <tss@iki.fi> parents: 7508 diff changeset	630 const char ssl_proxy_get_last_error(const struct ssl_proxy proxy)
7374 0bb3fc72a74f If TLS connection closes with anything except a clean disconnection, log the Timo Sirainen <tss@iki.fi> parents: 7346 diff changeset	631 {
0bb3fc72a74f If TLS connection closes with anything except a clean disconnection, log the Timo Sirainen <tss@iki.fi> parents: 7346 diff changeset	632 return proxy->last_error;
0bb3fc72a74f If TLS connection closes with anything except a clean disconnection, log the Timo Sirainen <tss@iki.fi> parents: 7346 diff changeset	633 }
0bb3fc72a74f If TLS connection closes with anything except a clean disconnection, log the Timo Sirainen <tss@iki.fi> parents: 7346 diff changeset	634
8122 3917bf9cf311 login_log_format_elements: Added %k to show SSL protocol/cipher information. Timo Sirainen <tss@iki.fi> parents: 7912 diff changeset	635 const char ssl_proxy_get_security_string(struct ssl_proxy proxy)
3917bf9cf311 login_log_format_elements: Added %k to show SSL protocol/cipher information. Timo Sirainen <tss@iki.fi> parents: 7912 diff changeset	636 {
3917bf9cf311 login_log_format_elements: Added %k to show SSL protocol/cipher information. Timo Sirainen <tss@iki.fi> parents: 7912 diff changeset	637 SSL_CIPHER *cipher;
3917bf9cf311 login_log_format_elements: Added %k to show SSL protocol/cipher information. Timo Sirainen <tss@iki.fi> parents: 7912 diff changeset	638 int bits, alg_bits;
3917bf9cf311 login_log_format_elements: Added %k to show SSL protocol/cipher information. Timo Sirainen <tss@iki.fi> parents: 7912 diff changeset	639
3917bf9cf311 login_log_format_elements: Added %k to show SSL protocol/cipher information. Timo Sirainen <tss@iki.fi> parents: 7912 diff changeset	640 if (!proxy->handshaked)
3917bf9cf311 login_log_format_elements: Added %k to show SSL protocol/cipher information. Timo Sirainen <tss@iki.fi> parents: 7912 diff changeset	641 return "";
3917bf9cf311 login_log_format_elements: Added %k to show SSL protocol/cipher information. Timo Sirainen <tss@iki.fi> parents: 7912 diff changeset	642
3917bf9cf311 login_log_format_elements: Added %k to show SSL protocol/cipher information. Timo Sirainen <tss@iki.fi> parents: 7912 diff changeset	643 cipher = SSL_get_current_cipher(proxy->ssl);
3917bf9cf311 login_log_format_elements: Added %k to show SSL protocol/cipher information. Timo Sirainen <tss@iki.fi> parents: 7912 diff changeset	644 bits = SSL_CIPHER_get_bits(cipher, &alg_bits);
3917bf9cf311 login_log_format_elements: Added %k to show SSL protocol/cipher information. Timo Sirainen <tss@iki.fi> parents: 7912 diff changeset	645 return t_strdup_printf("%s with cipher %s (%d/%d bits)",
3917bf9cf311 login_log_format_elements: Added %k to show SSL protocol/cipher information. Timo Sirainen <tss@iki.fi> parents: 7912 diff changeset	646 SSL_get_version(proxy->ssl),
3917bf9cf311 login_log_format_elements: Added %k to show SSL protocol/cipher information. Timo Sirainen <tss@iki.fi> parents: 7912 diff changeset	647 SSL_CIPHER_get_name(cipher),
3917bf9cf311 login_log_format_elements: Added %k to show SSL protocol/cipher information. Timo Sirainen <tss@iki.fi> parents: 7912 diff changeset	648 bits, alg_bits);
3917bf9cf311 login_log_format_elements: Added %k to show SSL protocol/cipher information. Timo Sirainen <tss@iki.fi> parents: 7912 diff changeset	649 }
3917bf9cf311 login_log_format_elements: Added %k to show SSL protocol/cipher information. Timo Sirainen <tss@iki.fi> parents: 7912 diff changeset	650
2027 dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide Timo Sirainen <tss@iki.fi> parents: 2007 diff changeset	651 void ssl_proxy_free(struct ssl_proxy *proxy)
dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide Timo Sirainen <tss@iki.fi> parents: 2007 diff changeset	652 {
dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide Timo Sirainen <tss@iki.fi> parents: 2007 diff changeset	653 ssl_proxy_unref(proxy);
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	654 }
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	655
3863 55df57c028d4 Added "bool" type and changed all ints that were used as booleans to bool. Timo Sirainen <tss@iki.fi> parents: 3635 diff changeset	656 static void ssl_proxy_unref(struct ssl_proxy *proxy)
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	657 {
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	658 if (--proxy->refcount > 0)
3863 55df57c028d4 Added "bool" type and changed all ints that were used as booleans to bool. Timo Sirainen <tss@iki.fi> parents: 3635 diff changeset	659 return;
1490 63242ba50ea4 fixes Timo Sirainen <tss@iki.fi> parents: 1485 diff changeset	660 i_assert(proxy->refcount == 0);
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	661
2302 8438064ddf08 Refcounting fixes. Unexpectedly destroyed SSL connection could have left Timo Sirainen <tss@iki.fi> parents: 2027 diff changeset	662 SSL_free(proxy->ssl);
8438064ddf08 Refcounting fixes. Unexpectedly destroyed SSL connection could have left Timo Sirainen <tss@iki.fi> parents: 2027 diff changeset	663 i_free(proxy);
8438064ddf08 Refcounting fixes. Unexpectedly destroyed SSL connection could have left Timo Sirainen <tss@iki.fi> parents: 2027 diff changeset	664
8438064ddf08 Refcounting fixes. Unexpectedly destroyed SSL connection could have left Timo Sirainen <tss@iki.fi> parents: 2027 diff changeset	665 main_unref();
8438064ddf08 Refcounting fixes. Unexpectedly destroyed SSL connection could have left Timo Sirainen <tss@iki.fi> parents: 2027 diff changeset	666 }
8438064ddf08 Refcounting fixes. Unexpectedly destroyed SSL connection could have left Timo Sirainen <tss@iki.fi> parents: 2027 diff changeset	667
8438064ddf08 Refcounting fixes. Unexpectedly destroyed SSL connection could have left Timo Sirainen <tss@iki.fi> parents: 2027 diff changeset	668 static void ssl_proxy_destroy(struct ssl_proxy *proxy)
8438064ddf08 Refcounting fixes. Unexpectedly destroyed SSL connection could have left Timo Sirainen <tss@iki.fi> parents: 2027 diff changeset	669 {
8438064ddf08 Refcounting fixes. Unexpectedly destroyed SSL connection could have left Timo Sirainen <tss@iki.fi> parents: 2027 diff changeset	670 if (proxy->destroyed)
8438064ddf08 Refcounting fixes. Unexpectedly destroyed SSL connection could have left Timo Sirainen <tss@iki.fi> parents: 2027 diff changeset	671 return;
8438064ddf08 Refcounting fixes. Unexpectedly destroyed SSL connection could have left Timo Sirainen <tss@iki.fi> parents: 2027 diff changeset	672 proxy->destroyed = TRUE;
8438064ddf08 Refcounting fixes. Unexpectedly destroyed SSL connection could have left Timo Sirainen <tss@iki.fi> parents: 2027 diff changeset	673
7119 8c6a7af67e8c Replaced clients hash with a linked list. Timo Sirainen <tss@iki.fi> parents: 7086 diff changeset	674 ssl_proxy_count--;
8c6a7af67e8c Replaced clients hash with a linked list. Timo Sirainen <tss@iki.fi> parents: 7086 diff changeset	675 DLLIST_REMOVE(&ssl_proxies, proxy);
1230 e6d2b8c78519 Keep list of the SSL proxies, so they're deinitialized properly if we have Timo Sirainen <tss@iki.fi> parents: 1215 diff changeset	676
4538 9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	677 if (proxy->io_ssl_read != NULL)
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	678 io_remove(&proxy->io_ssl_read);
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	679 if (proxy->io_ssl_write != NULL)
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	680 io_remove(&proxy->io_ssl_write);
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	681 if (proxy->io_plain_read != NULL)
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	682 io_remove(&proxy->io_plain_read);
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	683 if (proxy->io_plain_write != NULL)
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	684 io_remove(&proxy->io_plain_write);
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	685
7346 393abdd250bb Call SSL_shutdown() Timo Sirainen <tss@iki.fi> parents: 7119 diff changeset	686 (void)SSL_shutdown(proxy->ssl);
393abdd250bb Call SSL_shutdown() Timo Sirainen <tss@iki.fi> parents: 7119 diff changeset	687
3960 aeb424e64f24 Call io_remove() before closing the fd. It's required by kqueue. Timo Sirainen <tss@iki.fi> parents: 3889 diff changeset	688 (void)net_disconnect(proxy->fd_ssl);
aeb424e64f24 Call io_remove() before closing the fd. It's required by kqueue. Timo Sirainen <tss@iki.fi> parents: 3889 diff changeset	689 (void)net_disconnect(proxy->fd_plain);
aeb424e64f24 Call io_remove() before closing the fd. It's required by kqueue. Timo Sirainen <tss@iki.fi> parents: 3889 diff changeset	690
2302 8438064ddf08 Refcounting fixes. Unexpectedly destroyed SSL connection could have left Timo Sirainen <tss@iki.fi> parents: 2027 diff changeset	691 ssl_proxy_unref(proxy);
4538 9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	692
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	693 main_listen_start();
1458 98362534b2c7 Unexpected SSL connection errors sometimes crashed Timo Sirainen <tss@iki.fi> parents: 1457 diff changeset	694 }
98362534b2c7 Unexpected SSL connection errors sometimes crashed Timo Sirainen <tss@iki.fi> parents: 1457 diff changeset	695
6411 6a64e64fa3a3 Renamed __attr___ to ATTR_. Renamed __attrs_used__ to ATTRS_DEFINED. Timo Sirainen <tss@iki.fi> parents: 6364 diff changeset	696 static RSA ssl_gen_rsa_key(SSL ssl ATTR_UNUSED,
6a64e64fa3a3 Renamed __attr___ to ATTR_. Renamed __attrs_used__ to ATTRS_DEFINED. Timo Sirainen <tss@iki.fi> parents: 6364 diff changeset	697 int is_export ATTR_UNUSED, int keylength)
1492 383d87166963 Generate temporary RSA key when requested. Could be slow, should do some Timo Sirainen <tss@iki.fi> parents: 1490 diff changeset	698 {
383d87166963 Generate temporary RSA key when requested. Could be slow, should do some Timo Sirainen <tss@iki.fi> parents: 1490 diff changeset	699 return RSA_generate_key(keylength, RSA_F4, NULL, NULL);
383d87166963 Generate temporary RSA key when requested. Could be slow, should do some Timo Sirainen <tss@iki.fi> parents: 1490 diff changeset	700 }
383d87166963 Generate temporary RSA key when requested. Could be slow, should do some Timo Sirainen <tss@iki.fi> parents: 1490 diff changeset	701
6411 6a64e64fa3a3 Renamed __attr___ to ATTR_. Renamed __attrs_used__ to ATTRS_DEFINED. Timo Sirainen <tss@iki.fi> parents: 6364 diff changeset	702 static DH ssl_tmp_dh_callback(SSL ssl ATTR_UNUSED,
3888 650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	703 int is_export, int keylength)
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	704 {
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	705 /* Well, I'm not exactly sure why the logic in here is this.
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	706 It's the same as in Postfix, so it can't be too wrong. */
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	707 if (is_export && keylength == 512 && ssl_params.dh_512 != NULL)
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	708 return ssl_params.dh_512;
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	709
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	710 return ssl_params.dh_1024;
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	711 }
650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	712
4471 a939ee143a96 If verbose_ssl=yes set ssl_info_callback and print any alerts and BIO Timo Sirainen <tss@iki.fi> parents: 4352 diff changeset	713 static void ssl_info_callback(const SSL *ssl, int where, int ret)
a939ee143a96 If verbose_ssl=yes set ssl_info_callback and print any alerts and BIO Timo Sirainen <tss@iki.fi> parents: 4352 diff changeset	714 {
a939ee143a96 If verbose_ssl=yes set ssl_info_callback and print any alerts and BIO Timo Sirainen <tss@iki.fi> parents: 4352 diff changeset	715 struct ssl_proxy *proxy;
a939ee143a96 If verbose_ssl=yes set ssl_info_callback and print any alerts and BIO Timo Sirainen <tss@iki.fi> parents: 4352 diff changeset	716
a939ee143a96 If verbose_ssl=yes set ssl_info_callback and print any alerts and BIO Timo Sirainen <tss@iki.fi> parents: 4352 diff changeset	717 proxy = SSL_get_ex_data(ssl, extdata_index);
a939ee143a96 If verbose_ssl=yes set ssl_info_callback and print any alerts and BIO Timo Sirainen <tss@iki.fi> parents: 4352 diff changeset	718
a939ee143a96 If verbose_ssl=yes set ssl_info_callback and print any alerts and BIO Timo Sirainen <tss@iki.fi> parents: 4352 diff changeset	719 if ((where & SSL_CB_ALERT) != 0) {
a939ee143a96 If verbose_ssl=yes set ssl_info_callback and print any alerts and BIO Timo Sirainen <tss@iki.fi> parents: 4352 diff changeset	720 i_warning("SSL alert: where=0x%x, ret=%d: %s %s [%s]",
a939ee143a96 If verbose_ssl=yes set ssl_info_callback and print any alerts and BIO Timo Sirainen <tss@iki.fi> parents: 4352 diff changeset	721 where, ret, SSL_alert_type_string_long(ret),
a939ee143a96 If verbose_ssl=yes set ssl_info_callback and print any alerts and BIO Timo Sirainen <tss@iki.fi> parents: 4352 diff changeset	722 SSL_alert_desc_string_long(ret),
a939ee143a96 If verbose_ssl=yes set ssl_info_callback and print any alerts and BIO Timo Sirainen <tss@iki.fi> parents: 4352 diff changeset	723 net_ip2addr(&proxy->ip));
a939ee143a96 If verbose_ssl=yes set ssl_info_callback and print any alerts and BIO Timo Sirainen <tss@iki.fi> parents: 4352 diff changeset	724 } else {
a939ee143a96 If verbose_ssl=yes set ssl_info_callback and print any alerts and BIO Timo Sirainen <tss@iki.fi> parents: 4352 diff changeset	725 i_warning("SSL BIO failed: where=0x%x, ret=%d: %s [%s]",
a939ee143a96 If verbose_ssl=yes set ssl_info_callback and print any alerts and BIO Timo Sirainen <tss@iki.fi> parents: 4352 diff changeset	726 where, ret, SSL_state_string_long(ssl),
a939ee143a96 If verbose_ssl=yes set ssl_info_callback and print any alerts and BIO Timo Sirainen <tss@iki.fi> parents: 4352 diff changeset	727 net_ip2addr(&proxy->ip));
a939ee143a96 If verbose_ssl=yes set ssl_info_callback and print any alerts and BIO Timo Sirainen <tss@iki.fi> parents: 4352 diff changeset	728 }
a939ee143a96 If verbose_ssl=yes set ssl_info_callback and print any alerts and BIO Timo Sirainen <tss@iki.fi> parents: 4352 diff changeset	729 }
a939ee143a96 If verbose_ssl=yes set ssl_info_callback and print any alerts and BIO Timo Sirainen <tss@iki.fi> parents: 4352 diff changeset	730
2027 dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide Timo Sirainen <tss@iki.fi> parents: 2007 diff changeset	731 static int ssl_verify_client_cert(int preverify_ok, X509_STORE_CTX *ctx)
dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide Timo Sirainen <tss@iki.fi> parents: 2007 diff changeset	732 {
dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide Timo Sirainen <tss@iki.fi> parents: 2007 diff changeset	733 SSL *ssl;
dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide Timo Sirainen <tss@iki.fi> parents: 2007 diff changeset	734 struct ssl_proxy *proxy;
dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide Timo Sirainen <tss@iki.fi> parents: 2007 diff changeset	735
dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide Timo Sirainen <tss@iki.fi> parents: 2007 diff changeset	736 ssl = X509_STORE_CTX_get_ex_data(ctx,
dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide Timo Sirainen <tss@iki.fi> parents: 2007 diff changeset	737 SSL_get_ex_data_X509_STORE_CTX_idx());
dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide Timo Sirainen <tss@iki.fi> parents: 2007 diff changeset	738 proxy = SSL_get_ex_data(ssl, extdata_index);
4352 d57c83c64b20 Updates to ssl_verify_client_cert: Check CRLs. If auth_verbose=yes, log Timo Sirainen <tss@iki.fi> parents: 4131 diff changeset	739 proxy->cert_received = TRUE;
2027 dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide Timo Sirainen <tss@iki.fi> parents: 2007 diff changeset	740
4352 d57c83c64b20 Updates to ssl_verify_client_cert: Check CRLs. If auth_verbose=yes, log Timo Sirainen <tss@iki.fi> parents: 4131 diff changeset	741 if (verbose_ssl \|\| (verbose_auth && !preverify_ok)) {
d57c83c64b20 Updates to ssl_verify_client_cert: Check CRLs. If auth_verbose=yes, log Timo Sirainen <tss@iki.fi> parents: 4131 diff changeset	742 char buf[1024];
d57c83c64b20 Updates to ssl_verify_client_cert: Check CRLs. If auth_verbose=yes, log Timo Sirainen <tss@iki.fi> parents: 4131 diff changeset	743 X509_NAME *subject;
d57c83c64b20 Updates to ssl_verify_client_cert: Check CRLs. If auth_verbose=yes, log Timo Sirainen <tss@iki.fi> parents: 4131 diff changeset	744
d57c83c64b20 Updates to ssl_verify_client_cert: Check CRLs. If auth_verbose=yes, log Timo Sirainen <tss@iki.fi> parents: 4131 diff changeset	745 subject = X509_get_subject_name(ctx->current_cert);
d57c83c64b20 Updates to ssl_verify_client_cert: Check CRLs. If auth_verbose=yes, log Timo Sirainen <tss@iki.fi> parents: 4131 diff changeset	746 (void)X509_NAME_oneline(subject, buf, sizeof(buf));
d57c83c64b20 Updates to ssl_verify_client_cert: Check CRLs. If auth_verbose=yes, log Timo Sirainen <tss@iki.fi> parents: 4131 diff changeset	747 buf[sizeof(buf)-1] = '\0'; /* just in case.. */
d57c83c64b20 Updates to ssl_verify_client_cert: Check CRLs. If auth_verbose=yes, log Timo Sirainen <tss@iki.fi> parents: 4131 diff changeset	748 if (!preverify_ok)
4695 07afd19bc53e Updates to ssl_ca_file and ssl_username_from_cert comments in Timo Sirainen <tss@iki.fi> parents: 4664 diff changeset	749 i_info("Invalid certificate: %s: %s", X509_verify_cert_error_string(ctx->error),buf);
4352 d57c83c64b20 Updates to ssl_verify_client_cert: Check CRLs. If auth_verbose=yes, log Timo Sirainen <tss@iki.fi> parents: 4131 diff changeset	750 else
d57c83c64b20 Updates to ssl_verify_client_cert: Check CRLs. If auth_verbose=yes, log Timo Sirainen <tss@iki.fi> parents: 4131 diff changeset	751 i_info("Valid certificate: %s", buf);
d57c83c64b20 Updates to ssl_verify_client_cert: Check CRLs. If auth_verbose=yes, log Timo Sirainen <tss@iki.fi> parents: 4131 diff changeset	752 }
2027 dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide Timo Sirainen <tss@iki.fi> parents: 2007 diff changeset	753 if (!preverify_ok)
dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide Timo Sirainen <tss@iki.fi> parents: 2007 diff changeset	754 proxy->cert_broken = TRUE;
dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide Timo Sirainen <tss@iki.fi> parents: 2007 diff changeset	755
4352 d57c83c64b20 Updates to ssl_verify_client_cert: Check CRLs. If auth_verbose=yes, log Timo Sirainen <tss@iki.fi> parents: 4131 diff changeset	756 /* Return success anyway, because if ssl_require_client_cert=no we
d57c83c64b20 Updates to ssl_verify_client_cert: Check CRLs. If auth_verbose=yes, log Timo Sirainen <tss@iki.fi> parents: 4131 diff changeset	757 could still allow authentication. */
2027 dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide Timo Sirainen <tss@iki.fi> parents: 2007 diff changeset	758 return 1;
dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide Timo Sirainen <tss@iki.fi> parents: 2007 diff changeset	759 }
dc5d0da1abe9 Added ssl_require_client_cert auth-specific setting. Hide Timo Sirainen <tss@iki.fi> parents: 2007 diff changeset	760
3889 c7462001227b Added support for password protected SSL private keys. The password can be Timo Sirainen <tss@iki.fi> parents: 3888 diff changeset	761 static int
6411 6a64e64fa3a3 Renamed __attr___ to ATTR_. Renamed __attrs_used__ to ATTRS_DEFINED. Timo Sirainen <tss@iki.fi> parents: 6364 diff changeset	762 pem_password_callback(char *buf, int size, int rwflag ATTR_UNUSED,
3889 c7462001227b Added support for password protected SSL private keys. The password can be Timo Sirainen <tss@iki.fi> parents: 3888 diff changeset	763 void *userdata)
c7462001227b Added support for password protected SSL private keys. The password can be Timo Sirainen <tss@iki.fi> parents: 3888 diff changeset	764 {
c7462001227b Added support for password protected SSL private keys. The password can be Timo Sirainen <tss@iki.fi> parents: 3888 diff changeset	765 if (userdata == NULL) {
c7462001227b Added support for password protected SSL private keys. The password can be Timo Sirainen <tss@iki.fi> parents: 3888 diff changeset	766 i_error("SSL private key file is password protected, "
c7462001227b Added support for password protected SSL private keys. The password can be Timo Sirainen <tss@iki.fi> parents: 3888 diff changeset	767 "but password isn't given");
c7462001227b Added support for password protected SSL private keys. The password can be Timo Sirainen <tss@iki.fi> parents: 3888 diff changeset	768 return 0;
c7462001227b Added support for password protected SSL private keys. The password can be Timo Sirainen <tss@iki.fi> parents: 3888 diff changeset	769 }
c7462001227b Added support for password protected SSL private keys. The password can be Timo Sirainen <tss@iki.fi> parents: 3888 diff changeset	770
6422 18173a52f721 Renamed strocpy() to i_strocpy(). Timo Sirainen <tss@iki.fi> parents: 6417 diff changeset	771 if (i_strocpy(buf, userdata, size) < 0)
3889 c7462001227b Added support for password protected SSL private keys. The password can be Timo Sirainen <tss@iki.fi> parents: 3888 diff changeset	772 return 0;
c7462001227b Added support for password protected SSL private keys. The password can be Timo Sirainen <tss@iki.fi> parents: 3888 diff changeset	773 return strlen(buf);
c7462001227b Added support for password protected SSL private keys. The password can be Timo Sirainen <tss@iki.fi> parents: 3888 diff changeset	774 }
c7462001227b Added support for password protected SSL private keys. The password can be Timo Sirainen <tss@iki.fi> parents: 3888 diff changeset	775
4538 9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	776 unsigned int ssl_proxy_get_count(void)
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	777 {
7119 8c6a7af67e8c Replaced clients hash with a linked list. Timo Sirainen <tss@iki.fi> parents: 7086 diff changeset	778 return ssl_proxy_count;
4538 9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	779 }
9d9e72374164 Fixes to login process handling, especially with Timo Sirainen <tss@iki.fi> parents: 4506 diff changeset	780
8224 7ac86b33ad64 Log a better error message if ssl_cert_file doesn't point to a valid certificate. Timo Sirainen <tss@iki.fi> parents: 8122 diff changeset	781 static bool is_pem_key_file(const char *path)
7ac86b33ad64 Log a better error message if ssl_cert_file doesn't point to a valid certificate. Timo Sirainen <tss@iki.fi> parents: 8122 diff changeset	782 {
7ac86b33ad64 Log a better error message if ssl_cert_file doesn't point to a valid certificate. Timo Sirainen <tss@iki.fi> parents: 8122 diff changeset	783 char buf[4096];
7ac86b33ad64 Log a better error message if ssl_cert_file doesn't point to a valid certificate. Timo Sirainen <tss@iki.fi> parents: 8122 diff changeset	784 int fd, ret;
7ac86b33ad64 Log a better error message if ssl_cert_file doesn't point to a valid certificate. Timo Sirainen <tss@iki.fi> parents: 8122 diff changeset	785
7ac86b33ad64 Log a better error message if ssl_cert_file doesn't point to a valid certificate. Timo Sirainen <tss@iki.fi> parents: 8122 diff changeset	786 /* this code is used only for giving a better error message,
7ac86b33ad64 Log a better error message if ssl_cert_file doesn't point to a valid certificate. Timo Sirainen <tss@iki.fi> parents: 8122 diff changeset	787 so it needs to catch only the normal key files */
7ac86b33ad64 Log a better error message if ssl_cert_file doesn't point to a valid certificate. Timo Sirainen <tss@iki.fi> parents: 8122 diff changeset	788 fd = open(path, O_RDONLY);
7ac86b33ad64 Log a better error message if ssl_cert_file doesn't point to a valid certificate. Timo Sirainen <tss@iki.fi> parents: 8122 diff changeset	789 if (fd == -1)
7ac86b33ad64 Log a better error message if ssl_cert_file doesn't point to a valid certificate. Timo Sirainen <tss@iki.fi> parents: 8122 diff changeset	790 return FALSE;
7ac86b33ad64 Log a better error message if ssl_cert_file doesn't point to a valid certificate. Timo Sirainen <tss@iki.fi> parents: 8122 diff changeset	791 ret = read(fd, buf, sizeof(buf)-1);
7ac86b33ad64 Log a better error message if ssl_cert_file doesn't point to a valid certificate. Timo Sirainen <tss@iki.fi> parents: 8122 diff changeset	792 close(fd);
7ac86b33ad64 Log a better error message if ssl_cert_file doesn't point to a valid certificate. Timo Sirainen <tss@iki.fi> parents: 8122 diff changeset	793 if (ret <= 0)
7ac86b33ad64 Log a better error message if ssl_cert_file doesn't point to a valid certificate. Timo Sirainen <tss@iki.fi> parents: 8122 diff changeset	794 return FALSE;
7ac86b33ad64 Log a better error message if ssl_cert_file doesn't point to a valid certificate. Timo Sirainen <tss@iki.fi> parents: 8122 diff changeset	795 buf[ret] = '\0';
7ac86b33ad64 Log a better error message if ssl_cert_file doesn't point to a valid certificate. Timo Sirainen <tss@iki.fi> parents: 8122 diff changeset	796 return strstr(buf, "PRIVATE KEY---") != NULL;
7ac86b33ad64 Log a better error message if ssl_cert_file doesn't point to a valid certificate. Timo Sirainen <tss@iki.fi> parents: 8122 diff changeset	797 }
7ac86b33ad64 Log a better error message if ssl_cert_file doesn't point to a valid certificate. Timo Sirainen <tss@iki.fi> parents: 8122 diff changeset	798
8985 f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	799 static void ssl_proxy_ctx_init(SSL_CTX *ssl_ctx)
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	800 {
8985 f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	801 const char *cafile;
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	802
1544 ac6ee442376d OpenSSL proxy changes - hopefully fixes something. Also don't crash with Timo Sirainen <tss@iki.fi> parents: 1492 diff changeset	803 SSL_CTX_set_options(ssl_ctx, SSL_OP_ALL);
ac6ee442376d OpenSSL proxy changes - hopefully fixes something. Also don't crash with Timo Sirainen <tss@iki.fi> parents: 1492 diff changeset	804
8985 f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	805 cafile = getenv("SSL_CA_FILE");
1907 190f1d315ce6 Added setting ssl_ca_file, patch by Zach Bagnall Timo Sirainen <tss@iki.fi> parents: 1897 diff changeset	806 if (cafile != NULL) {
190f1d315ce6 Added setting ssl_ca_file, patch by Zach Bagnall Timo Sirainen <tss@iki.fi> parents: 1897 diff changeset	807 if (SSL_CTX_load_verify_locations(ssl_ctx, cafile, NULL) != 1) {
190f1d315ce6 Added setting ssl_ca_file, patch by Zach Bagnall Timo Sirainen <tss@iki.fi> parents: 1897 diff changeset	808 i_fatal("Can't load CA file %s: %s",
190f1d315ce6 Added setting ssl_ca_file, patch by Zach Bagnall Timo Sirainen <tss@iki.fi> parents: 1897 diff changeset	809 cafile, ssl_last_error());
190f1d315ce6 Added setting ssl_ca_file, patch by Zach Bagnall Timo Sirainen <tss@iki.fi> parents: 1897 diff changeset	810 }
190f1d315ce6 Added setting ssl_ca_file, patch by Zach Bagnall Timo Sirainen <tss@iki.fi> parents: 1897 diff changeset	811 }
8985 f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	812 if (verbose_ssl)
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	813 SSL_CTX_set_info_callback(ssl_ctx, ssl_info_callback);
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	814 if (SSL_CTX_need_tmp_RSA(ssl_ctx))
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	815 SSL_CTX_set_tmp_rsa_callback(ssl_ctx, ssl_gen_rsa_key);
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	816 SSL_CTX_set_tmp_dh_callback(ssl_ctx, ssl_tmp_dh_callback);
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	817 }
1907 190f1d315ce6 Added setting ssl_ca_file, patch by Zach Bagnall Timo Sirainen <tss@iki.fi> parents: 1897 diff changeset	818
8985 f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	819 static void ssl_proxy_ctx_verify_client(SSL_CTX *ssl_ctx)
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	820 {
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	821 const char *cafile;
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	822 #if OPENSSL_VERSION_NUMBER >= 0x00907000L
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	823 X509_STORE *store;
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	824
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	825 store = SSL_CTX_get_cert_store(ssl_ctx);
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	826 X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK \|
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	827 X509_V_FLAG_CRL_CHECK_ALL);
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	828 #endif
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	829 cafile = getenv("SSL_CA_FILE");
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	830 SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER \| SSL_VERIFY_CLIENT_ONCE,
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	831 ssl_verify_client_cert);
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	832 SSL_CTX_set_client_CA_list(ssl_ctx, SSL_load_client_CA_file(cafile));
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	833 }
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	834
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	835 static void ssl_proxy_init_server(const char certfile, const char keyfile)
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	836 {
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	837 const char cipher_list, username_field;
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	838 char *password;
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	839 unsigned long err;
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	840
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	841 password = getenv("SSL_KEY_PASSWORD");
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	842
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	843 if ((ssl_server_ctx = SSL_CTX_new(SSLv23_server_method())) == NULL)
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	844 i_fatal("SSL_CTX_new() failed");
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	845 ssl_proxy_ctx_init(ssl_server_ctx);
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	846
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	847 cipher_list = getenv("SSL_CIPHER_LIST");
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	848 if (cipher_list == NULL)
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	849 cipher_list = DOVECOT_SSL_DEFAULT_CIPHER_LIST;
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	850 if (SSL_CTX_set_cipher_list(ssl_server_ctx, cipher_list) != 1) {
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	851 i_fatal("Can't set cipher list to '%s': %s",
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	852 cipher_list, ssl_last_error());
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	853 }
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	854
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	855 if (SSL_CTX_use_certificate_chain_file(ssl_server_ctx, certfile) != 1) {
8224 7ac86b33ad64 Log a better error message if ssl_cert_file doesn't point to a valid certificate. Timo Sirainen <tss@iki.fi> parents: 8122 diff changeset	856 err = ERR_peek_error();
7ac86b33ad64 Log a better error message if ssl_cert_file doesn't point to a valid certificate. Timo Sirainen <tss@iki.fi> parents: 8122 diff changeset	857 if (ERR_GET_LIB(err) != ERR_LIB_PEM \|\|
7ac86b33ad64 Log a better error message if ssl_cert_file doesn't point to a valid certificate. Timo Sirainen <tss@iki.fi> parents: 8122 diff changeset	858 ERR_GET_REASON(err) != PEM_R_NO_START_LINE) {
7ac86b33ad64 Log a better error message if ssl_cert_file doesn't point to a valid certificate. Timo Sirainen <tss@iki.fi> parents: 8122 diff changeset	859 i_fatal("Can't load certificate file %s: %s",
7ac86b33ad64 Log a better error message if ssl_cert_file doesn't point to a valid certificate. Timo Sirainen <tss@iki.fi> parents: 8122 diff changeset	860 certfile, ssl_last_error());
7ac86b33ad64 Log a better error message if ssl_cert_file doesn't point to a valid certificate. Timo Sirainen <tss@iki.fi> parents: 8122 diff changeset	861 } else if (is_pem_key_file(certfile)) {
7ac86b33ad64 Log a better error message if ssl_cert_file doesn't point to a valid certificate. Timo Sirainen <tss@iki.fi> parents: 8122 diff changeset	862 i_fatal("Can't load certificate file %s: "
7ac86b33ad64 Log a better error message if ssl_cert_file doesn't point to a valid certificate. Timo Sirainen <tss@iki.fi> parents: 8122 diff changeset	863 "The file contains a private key "
7ac86b33ad64 Log a better error message if ssl_cert_file doesn't point to a valid certificate. Timo Sirainen <tss@iki.fi> parents: 8122 diff changeset	864 "(you've mixed ssl_cert_file and ssl_key_file settings)",
7ac86b33ad64 Log a better error message if ssl_cert_file doesn't point to a valid certificate. Timo Sirainen <tss@iki.fi> parents: 8122 diff changeset	865 certfile);
7ac86b33ad64 Log a better error message if ssl_cert_file doesn't point to a valid certificate. Timo Sirainen <tss@iki.fi> parents: 8122 diff changeset	866 } else {
7ac86b33ad64 Log a better error message if ssl_cert_file doesn't point to a valid certificate. Timo Sirainen <tss@iki.fi> parents: 8122 diff changeset	867 i_fatal("Can't load certificate file %s: "
7ac86b33ad64 Log a better error message if ssl_cert_file doesn't point to a valid certificate. Timo Sirainen <tss@iki.fi> parents: 8122 diff changeset	868 "The file doesn't contain a certificate.",
7ac86b33ad64 Log a better error message if ssl_cert_file doesn't point to a valid certificate. Timo Sirainen <tss@iki.fi> parents: 8122 diff changeset	869 certfile);
7ac86b33ad64 Log a better error message if ssl_cert_file doesn't point to a valid certificate. Timo Sirainen <tss@iki.fi> parents: 8122 diff changeset	870 }
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	871 }
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	872
8985 f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	873 SSL_CTX_set_default_passwd_cb(ssl_server_ctx, pem_password_callback);
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	874 SSL_CTX_set_default_passwd_cb_userdata(ssl_server_ctx, password);
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	875 if (SSL_CTX_use_PrivateKey_file(ssl_server_ctx, keyfile,
3584 b686c8bbcd6f Don't require private key to be RSA Timo Sirainen <tss@iki.fi> parents: 3580 diff changeset	876 SSL_FILETYPE_PEM) != 1) {
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	877 i_fatal("Can't load private key file %s: %s",
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	878 keyfile, ssl_last_error());
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	879 }
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	880
8985 f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	881 if (getenv("SSL_VERIFY_CLIENT_CERT") != NULL)
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	882 ssl_proxy_ctx_verify_client(ssl_server_ctx);
1997 1d0985f6bdd9 Added ssl_verify_client_cert setting. Timo Sirainen <tss@iki.fi> parents: 1996 diff changeset	883
6364 7ad61f00ee55 Added ssl_cert_username_field setting. Timo Sirainen <tss@iki.fi> parents: 5528 diff changeset	884 username_field = getenv("SSL_CERT_USERNAME_FIELD");
7ad61f00ee55 Added ssl_cert_username_field setting. Timo Sirainen <tss@iki.fi> parents: 5528 diff changeset	885 if (username_field == NULL)
7ad61f00ee55 Added ssl_cert_username_field setting. Timo Sirainen <tss@iki.fi> parents: 5528 diff changeset	886 ssl_username_nid = NID_commonName;
7ad61f00ee55 Added ssl_cert_username_field setting. Timo Sirainen <tss@iki.fi> parents: 5528 diff changeset	887 else {
7ad61f00ee55 Added ssl_cert_username_field setting. Timo Sirainen <tss@iki.fi> parents: 5528 diff changeset	888 ssl_username_nid = OBJ_txt2nid(username_field);
7ad61f00ee55 Added ssl_cert_username_field setting. Timo Sirainen <tss@iki.fi> parents: 5528 diff changeset	889 if (ssl_username_nid == NID_undef) {
7ad61f00ee55 Added ssl_cert_username_field setting. Timo Sirainen <tss@iki.fi> parents: 5528 diff changeset	890 i_fatal("Invalid ssl_cert_username_field: %s",
7ad61f00ee55 Added ssl_cert_username_field setting. Timo Sirainen <tss@iki.fi> parents: 5528 diff changeset	891 username_field);
7ad61f00ee55 Added ssl_cert_username_field setting. Timo Sirainen <tss@iki.fi> parents: 5528 diff changeset	892 }
7ad61f00ee55 Added ssl_cert_username_field setting. Timo Sirainen <tss@iki.fi> parents: 5528 diff changeset	893 }
8985 f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	894 }
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	895
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	896 static void ssl_proxy_init_client(void)
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	897 {
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	898 if ((ssl_client_ctx = SSL_CTX_new(SSLv23_client_method())) == NULL)
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	899 i_fatal("SSL_CTX_new() failed");
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	900 ssl_proxy_ctx_init(ssl_client_ctx);
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	901 ssl_proxy_ctx_verify_client(ssl_client_ctx);
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	902 }
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	903
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	904 void ssl_proxy_init(void)
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	905 {
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	906 static char dovecot[] = "dovecot";
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	907 const char certfile, keyfile;
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	908 unsigned char buf;
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	909
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	910 memset(&ssl_params, 0, sizeof(ssl_params));
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	911
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	912 certfile = getenv("SSL_CERT_FILE");
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	913 keyfile = getenv("SSL_KEY_FILE");
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	914 ssl_params.fname = getenv("SSL_PARAM_FILE");
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	915
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	916 if (certfile == NULL \|\| keyfile == NULL \|\| ssl_params.fname == NULL) {
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	917 /* SSL support is disabled */
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	918 return;
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	919 }
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	920
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	921 SSL_library_init();
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	922 SSL_load_error_strings();
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	923
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	924 extdata_index = SSL_get_ex_new_index(0, dovecot, NULL, NULL, NULL);
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	925 ssl_proxy_init_server(certfile, keyfile);
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	926 ssl_proxy_init_client();
6364 7ad61f00ee55 Added ssl_cert_username_field setting. Timo Sirainen <tss@iki.fi> parents: 5528 diff changeset	927
1556 545f6b150e2c Make sure PRNG gets initialized before chrooting so it can open /dev/urandom. Timo Sirainen <tss@iki.fi> parents: 1544 diff changeset	928 /* PRNG initialization might want to use /dev/urandom, make sure it
2007 3dd9d3165bff Don't require initializing RAND_bytes() to return cryptographically strong Timo Sirainen <tss@iki.fi> parents: 1997 diff changeset	929 does it before chrooting. We might not have enough entropy at
3dd9d3165bff Don't require initializing RAND_bytes() to return cryptographically strong Timo Sirainen <tss@iki.fi> parents: 1997 diff changeset	930 the first try, so this function may fail. It's still been
3dd9d3165bff Don't require initializing RAND_bytes() to return cryptographically strong Timo Sirainen <tss@iki.fi> parents: 1997 diff changeset	931 initialized though. */
3dd9d3165bff Don't require initializing RAND_bytes() to return cryptographically strong Timo Sirainen <tss@iki.fi> parents: 1997 diff changeset	932 (void)RAND_bytes(&buf, 1);
1556 545f6b150e2c Make sure PRNG gets initialized before chrooting so it can open /dev/urandom. Timo Sirainen <tss@iki.fi> parents: 1544 diff changeset	933
7119 8c6a7af67e8c Replaced clients hash with a linked list. Timo Sirainen <tss@iki.fi> parents: 7086 diff changeset	934 ssl_proxy_count = 0;
8c6a7af67e8c Replaced clients hash with a linked list. Timo Sirainen <tss@iki.fi> parents: 7086 diff changeset	935 ssl_proxies = NULL;
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	936 ssl_initialized = TRUE;
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	937 }
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	938
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	939 void ssl_proxy_deinit(void)
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	940 {
1230 e6d2b8c78519 Keep list of the SSL proxies, so they're deinitialized properly if we have Timo Sirainen <tss@iki.fi> parents: 1215 diff changeset	941 if (!ssl_initialized)
e6d2b8c78519 Keep list of the SSL proxies, so they're deinitialized properly if we have Timo Sirainen <tss@iki.fi> parents: 1215 diff changeset	942 return;
e6d2b8c78519 Keep list of the SSL proxies, so they're deinitialized properly if we have Timo Sirainen <tss@iki.fi> parents: 1215 diff changeset	943
7119 8c6a7af67e8c Replaced clients hash with a linked list. Timo Sirainen <tss@iki.fi> parents: 7086 diff changeset	944 while (ssl_proxies != NULL)
8c6a7af67e8c Replaced clients hash with a linked list. Timo Sirainen <tss@iki.fi> parents: 7086 diff changeset	945 ssl_proxy_destroy(ssl_proxies);
1232 f7da7d46e3f2 destroy proxies before destroying ssl context Timo Sirainen <tss@iki.fi> parents: 1231 diff changeset	946
3888 650701d41cdf Generate DH parameters and use them. Changed default regeneration time to 1 Timo Sirainen <tss@iki.fi> parents: 3879 diff changeset	947 ssl_free_parameters(&ssl_params);
8985 f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	948 SSL_CTX_free(ssl_server_ctx);
f43bebab3dac imap/pop3 proxy: Support SSL/TLS connections to remote servers. Timo Sirainen <tss@iki.fi> parents: 8935 diff changeset	949 SSL_CTX_free(ssl_client_ctx);
7500 74e2c7b68c71 Free OpenSSL memory at deinit. Timo Sirainen <tss@iki.fi> parents: 7374 diff changeset	950 EVP_cleanup();
74e2c7b68c71 Free OpenSSL memory at deinit. Timo Sirainen <tss@iki.fi> parents: 7374 diff changeset	951 ERR_free_strings();
1049 c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	952 }
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	953
c41787e8c3f4 Moved common login process code to login-common, created pop3-login. Timo Sirainen <tss@iki.fi> parents: diff changeset	954 #endif

Mercurial > dovecot > original-hg > dovecot-1.2

annotate src/login-common/ssl-proxy-openssl.c @ 9305:b7dbcf86086b HEAD