Lines Matching defs:ssl_io
11 static void openssl_iostream_free(struct ssl_iostream *ssl_io);
13 void openssl_iostream_set_error(struct ssl_iostream *ssl_io, const char *str)
22 if (ssl_io->verbose) {
26 i_debug("%sSSL error: %s", ssl_io->log_prefix, new_str);
28 i_free(ssl_io->last_error);
29 ssl_io->last_error = new_str;
34 struct ssl_iostream *ssl_io;
36 ssl_io = SSL_get_ex_data(ssl, dovecot_ssl_extdata_index);
41 ssl_io->log_prefix,
46 ssl_io->log_prefix, where, ret,
53 ssl_io->log_prefix, where, SSL_state_string_long(ssl));
56 ssl_io->log_prefix, where, ret,
62 openssl_iostream_use_certificate(struct ssl_iostream *ssl_io, const char *cert,
78 ret = SSL_use_certificate(ssl_io->ssl, x);
94 openssl_iostream_use_key(struct ssl_iostream *ssl_io,
103 if (SSL_use_PrivateKey(ssl_io->ssl, pkey) != 1) {
117 struct ssl_iostream *ssl_io;
122 ssl_io = SSL_get_ex_data(ssl, dovecot_ssl_extdata_index);
123 ssl_io->cert_received = TRUE;
132 openssl_iostream_set_error(ssl_io, t_strdup_printf(
135 if (ssl_io->verbose_invalid_cert)
136 i_info("%s", ssl_io->last_error);
137 } else if (ssl_io->verbose) {
141 ssl_io->cert_broken = TRUE;
142 if (!ssl_io->allow_invalid_cert) {
143 ssl_io->handshake_failed = TRUE;
151 openssl_iostream_set(struct ssl_iostream *ssl_io,
155 const struct ssl_iostream_settings *ctx_set = &ssl_io->ctx->set;
159 SSL_set_info_callback(ssl_io->ssl, openssl_info_callback);
163 if (SSL_set_cipher_list(ssl_io->ssl, set->cipher_list) == 0) {
173 if (SSL_set1_curves_list(ssl_io->ssl, set->curve_list) == 0) {
182 SSL_set_options(ssl_io->ssl, SSL_OP_CIPHER_SERVER_PREFERENCE);
185 SSL_clear_options(ssl_io->ssl, OPENSSL_ALL_PROTOCOL_OPTIONS);
197 SSL_set_min_proto_version(ssl_io->ssl, min_protocol);
199 SSL_set_options(ssl_io->ssl, opts);
204 if (openssl_iostream_use_certificate(ssl_io, set->cert.cert, error_r) < 0)
208 if (openssl_iostream_use_key(ssl_io, &set->cert, error_r) < 0)
212 if (openssl_iostream_use_certificate(ssl_io, set->alt_cert.cert, error_r) < 0)
216 if (openssl_iostream_use_key(ssl_io, &set->alt_cert, error_r) < 0)
220 if (ssl_io->ctx->client_ctx)
224 SSL_set_verify(ssl_io->ssl, verify_flags,
229 ssl_io->username_nid = OBJ_txt2nid(set->cert_username_field);
230 if (ssl_io->username_nid == NID_undef) {
237 ssl_io->username_nid = ssl_io->ctx->username_nid;
240 ssl_io->verbose = set->verbose;
241 ssl_io->verbose_invalid_cert = set->verbose_invalid_cert || set->verbose;
242 ssl_io->allow_invalid_cert = set->allow_invalid_cert;
253 struct ssl_iostream *ssl_io;
280 ssl_io = i_new(struct ssl_iostream, 1);
281 ssl_io->refcount = 1;
282 ssl_io->ctx = ctx;
283 ssl_iostream_context_ref(ssl_io->ctx);
284 ssl_io->ssl = ssl;
285 ssl_io->bio_ext = bio_ext;
286 ssl_io->plain_input = *input;
287 ssl_io->plain_output = *output;
288 ssl_io->connected_host = i_strdup(host);
289 ssl_io->log_prefix = host == NULL ? i_strdup("") :
292 SSL_set_bio(ssl_io->ssl, bio_int, bio_int);
293 SSL_set_ex_data(ssl_io->ssl, dovecot_ssl_extdata_index, ssl_io);
295 SSL_set_tlsext_host_name(ssl_io->ssl, host);
298 if (openssl_iostream_set(ssl_io, set, error_r) < 0) {
299 openssl_iostream_free(ssl_io);
303 o_stream_uncork(ssl_io->plain_output);
305 *input = openssl_i_stream_create_ssl(ssl_io);
306 *output = openssl_o_stream_create_ssl(ssl_io);
308 i_stream_get_name(ssl_io->plain_input), NULL));
310 o_stream_get_name(ssl_io->plain_output), NULL));
312 if (ssl_io->plain_output->real_stream->error_handling_disabled)
315 ssl_io->ssl_input = *input;
316 ssl_io->ssl_output = *output;
317 *iostream_r = ssl_io;
321 static void openssl_iostream_free(struct ssl_iostream *ssl_io)
323 ssl_iostream_context_unref(&ssl_io->ctx);
324 o_stream_unref(&ssl_io->plain_output);
325 i_stream_unref(&ssl_io->plain_input);
326 BIO_free(ssl_io->bio_ext);
327 SSL_free(ssl_io->ssl);
328 i_free(ssl_io->plain_stream_errstr);
329 i_free(ssl_io->last_error);
330 i_free(ssl_io->connected_host);
331 i_free(ssl_io->sni_host);
332 i_free(ssl_io->log_prefix);
333 i_free(ssl_io);
336 static void openssl_iostream_unref(struct ssl_iostream *ssl_io)
338 i_assert(ssl_io->refcount > 0);
339 if (--ssl_io->refcount > 0)
342 openssl_iostream_free(ssl_io);
345 static void openssl_iostream_destroy(struct ssl_iostream *ssl_io)
347 if (SSL_shutdown(ssl_io->ssl) != 1) {
352 (void)openssl_iostream_more(ssl_io, OPENSSL_IOSTREAM_SYNC_TYPE_WRITE);
353 (void)o_stream_flush(ssl_io->plain_output);
356 i_stream_close(ssl_io->plain_input);
357 o_stream_close(ssl_io->plain_output);
359 ssl_iostream_unref(&ssl_io);
362 static bool openssl_iostream_bio_output(struct ssl_iostream *ssl_io)
370 o_stream_cork(ssl_io->plain_output);
371 while ((bytes = BIO_ctrl_pending(ssl_io->bio_ext)) > 0) {
374 max_bytes = o_stream_get_buffer_avail_size(ssl_io->plain_output);
378 o_stream_set_flush_pending(ssl_io->plain_output,
389 ret = BIO_read(ssl_io->bio_ext, buffer, bytes);
395 sent = o_stream_send(ssl_io->plain_output, buffer, bytes);
397 i_assert(ssl_io->plain_output->closed ||
398 ssl_io->plain_output->stream_errno != 0);
399 i_free(ssl_io->plain_stream_errstr);
400 ssl_io->plain_stream_errstr =
401 i_strdup(o_stream_get_error(ssl_io->plain_output));
402 ssl_io->plain_stream_errno =
403 ssl_io->plain_output->stream_errno;
404 ssl_io->closed = TRUE;
410 o_stream_uncork(ssl_io->plain_output);
415 openssl_iostream_read_more(struct ssl_iostream *ssl_io,
419 *data_r = i_stream_get_data(ssl_io->plain_input, size_r);
430 if (i_stream_read_more(ssl_io->plain_input, data_r, size_r) < 0)
435 static bool openssl_iostream_bio_input(struct ssl_iostream *ssl_io,
443 while ((bytes = BIO_ctrl_get_write_guarantee(ssl_io->bio_ext)) > 0) {
445 ssl_io->plain_input->real_stream->try_alloc_limit = bytes;
446 ret = openssl_iostream_read_more(ssl_io, type, &data, &size);
447 ssl_io->plain_input->real_stream->try_alloc_limit = 0;
449 if (ssl_io->plain_input->stream_errno != 0) {
450 i_free(ssl_io->plain_stream_errstr);
451 ssl_io->plain_stream_errstr =
452 i_strdup(i_stream_get_error(ssl_io->plain_input));
453 ssl_io->plain_stream_errno =
454 ssl_io->plain_input->stream_errno;
456 ssl_io->closed = TRUE;
466 ret = BIO_write(ssl_io->bio_ext, data, size);
469 i_stream_skip(ssl_io->plain_input, size);
472 if (bytes == 0 && !bytes_read && ssl_io->want_read) {
475 i_free(ssl_io->plain_stream_errstr);
476 ssl_io->plain_stream_errstr =
478 ssl_io->plain_stream_errno = EINVAL;
479 ssl_io->closed = TRUE;
482 if (i_stream_get_data_size(ssl_io->plain_input) > 0) {
484 i_free(ssl_io->plain_stream_errstr);
485 ssl_io->plain_stream_errstr =
487 ssl_io->plain_stream_errno = EINVAL;
488 ssl_io->closed = TRUE;
492 if (ssl_io->ostream_flush_waiting_input) {
493 ssl_io->ostream_flush_waiting_input = FALSE;
494 o_stream_set_flush_pending(ssl_io->plain_output, TRUE);
498 i_stream_set_input_pending(ssl_io->ssl_input, TRUE);
499 ssl_io->want_read = FALSE;
504 bool openssl_iostream_bio_sync(struct ssl_iostream *ssl_io,
509 ret = openssl_iostream_bio_output(ssl_io);
510 if (openssl_iostream_bio_input(ssl_io, type))
515 int openssl_iostream_more(struct ssl_iostream *ssl_io,
520 if (!ssl_io->handshaked) {
521 if ((ret = ssl_iostream_handshake(ssl_io)) <= 0)
524 (void)openssl_iostream_bio_sync(ssl_io, type);
528 static void openssl_iostream_closed(struct ssl_iostream *ssl_io)
530 if (ssl_io->plain_stream_errno != 0) {
531 i_assert(ssl_io->plain_stream_errstr != NULL);
532 openssl_iostream_set_error(ssl_io, ssl_io->plain_stream_errstr);
533 errno = ssl_io->plain_stream_errno;
535 openssl_iostream_set_error(ssl_io, "Connection closed");
540 int openssl_iostream_handle_error(struct ssl_iostream *ssl_io, int ret,
547 err = SSL_get_error(ssl_io->ssl, ret);
550 if (!openssl_iostream_bio_sync(ssl_io, type)) {
555 if (ssl_io->closed) {
556 openssl_iostream_closed(ssl_io);
561 ssl_io->want_read = TRUE;
562 (void)openssl_iostream_bio_sync(ssl_io, type);
563 if (ssl_io->closed) {
564 openssl_iostream_closed(ssl_io);
567 return ssl_io->want_read ? 0 : 1;
588 if (ssl_io->handshaked)
589 i_free_and_null(ssl_io->last_error);
590 else if (ssl_io->last_error == NULL) {
608 openssl_iostream_set_error(ssl_io, errstr);
613 openssl_iostream_cert_match_name(struct ssl_iostream *ssl_io,
616 if (ssl_io->allow_invalid_cert)
618 if (!ssl_iostream_has_valid_client_cert(ssl_io)) {
623 return openssl_cert_match_name(ssl_io->ssl, verify_name, reason_r);
626 static int openssl_iostream_handshake(struct ssl_iostream *ssl_io)
631 i_assert(!ssl_io->handshaked);
633 if (ssl_io->ctx->client_ctx) {
634 while ((ret = SSL_connect(ssl_io->ssl)) <= 0) {
635 ret = openssl_iostream_handle_error(ssl_io, ret,
641 while ((ret = SSL_accept(ssl_io->ssl)) <= 0) {
642 ret = openssl_iostream_handle_error(ssl_io, ret,
649 (void)openssl_iostream_bio_sync(ssl_io, OPENSSL_IOSTREAM_SYNC_TYPE_HANDSHAKE);
651 if (ssl_io->handshake_callback != NULL) {
652 if (ssl_io->handshake_callback(&error, ssl_io->handshake_context) < 0) {
654 openssl_iostream_set_error(ssl_io, error);
655 ssl_io->handshake_failed = TRUE;
657 } else if (ssl_io->connected_host != NULL && !ssl_io->handshake_failed) {
658 if (!ssl_iostream_cert_match_name(ssl_io, ssl_io->connected_host, &reason)) {
659 openssl_iostream_set_error(ssl_io, t_strdup_printf(
661 ssl_io->connected_host, reason));
662 ssl_io->handshake_failed = TRUE;
665 if (ssl_io->handshake_failed) {
666 i_stream_close(ssl_io->plain_input);
667 o_stream_close(ssl_io->plain_output);
671 i_free_and_null(ssl_io->last_error);
672 ssl_io->handshaked = TRUE;
674 if (ssl_io->ssl_output != NULL)
675 (void)o_stream_flush(ssl_io->ssl_output);
680 openssl_iostream_set_handshake_callback(struct ssl_iostream *ssl_io,
684 ssl_io->handshake_callback = callback;
685 ssl_io->handshake_context = context;
689 openssl_iostream_set_sni_callback(struct ssl_iostream *ssl_io,
693 ssl_io->sni_callback = callback;
694 ssl_io->sni_context = context;
698 openssl_iostream_change_context(struct ssl_iostream *ssl_io,
701 if (ctx != ssl_io->ctx) {
702 SSL_set_SSL_CTX(ssl_io->ssl, ctx->ssl_ctx);
704 ssl_iostream_context_unref(&ssl_io->ctx);
705 ssl_io->ctx = ctx;
709 static void openssl_iostream_set_log_prefix(struct ssl_iostream *ssl_io,
712 i_free(ssl_io->log_prefix);
713 ssl_io->log_prefix = i_strdup(prefix);
716 static bool openssl_iostream_is_handshaked(const struct ssl_iostream *ssl_io)
718 return ssl_io->handshaked;
722 openssl_iostream_has_handshake_failed(const struct ssl_iostream *ssl_io)
724 return ssl_io->handshake_failed;
728 openssl_iostream_has_valid_client_cert(const struct ssl_iostream *ssl_io)
730 return ssl_io->cert_received && !ssl_io->cert_broken;
734 openssl_iostream_has_broken_client_cert(struct ssl_iostream *ssl_io)
736 return ssl_io->cert_received && ssl_io->cert_broken;
740 openssl_iostream_get_peer_name(struct ssl_iostream *ssl_io)
746 if (!ssl_iostream_has_valid_client_cert(ssl_io))
749 x509 = SSL_get_peer_certificate(ssl_io->ssl);
753 ssl_io->username_nid, NULL, 0);
759 ssl_io->username_nid,
773 static const char *openssl_iostream_get_server_name(struct ssl_iostream *ssl_io)
775 return ssl_io->sni_host;
779 openssl_iostream_get_compression(struct ssl_iostream *ssl_io)
784 comp = SSL_get_current_compression(ssl_io->ssl);
792 openssl_iostream_get_security_string(struct ssl_iostream *ssl_io)
801 if (!ssl_io->handshaked)
804 cipher = SSL_get_current_cipher(ssl_io->ssl);
807 comp = SSL_get_current_compression(ssl_io->ssl);
814 SSL_get_version(ssl_io->ssl),
820 openssl_iostream_get_last_error(struct ssl_iostream *ssl_io)
822 return ssl_io->last_error;
826 openssl_iostream_get_cipher(struct ssl_iostream *ssl_io, unsigned int *bits_r)
828 if (!ssl_io->handshaked)
831 const SSL_CIPHER *cipher = SSL_get_current_cipher(ssl_io->ssl);
837 openssl_iostream_get_pfs(struct ssl_iostream *ssl_io)
839 if (!ssl_io->handshaked)
842 const SSL_CIPHER *cipher = SSL_get_current_cipher(ssl_io->ssl);
857 openssl_iostream_get_protocol_name(struct ssl_iostream *ssl_io)
859 if (!ssl_io->handshaked)
861 return SSL_get_version(ssl_io->ssl);