iostream-openssl.c revision 148a8396be2c1cf7d2aaa55566f7f7dea05388dd
e98de01b5644c88b6053e2921eb5e9a506fe263fTimo Sirainen/* Copyright (c) 2009 Dovecot authors, see the included COPYING file */
e98de01b5644c88b6053e2921eb5e9a506fe263fTimo Sirainenstatic void ssl_iostream_free(struct ssl_iostream *ssl_io);
e98de01b5644c88b6053e2921eb5e9a506fe263fTimo Sirainenstatic void ssl_info_callback(const SSL *ssl, int where, int ret)
e98de01b5644c88b6053e2921eb5e9a506fe263fTimo Sirainen ssl_io = SSL_get_ex_data(ssl, dovecot_ssl_extdata_index);
e98de01b5644c88b6053e2921eb5e9a506fe263fTimo Sirainen i_warning("%s: SSL alert: where=0x%x, ret=%d: %s %s",
e98de01b5644c88b6053e2921eb5e9a506fe263fTimo Sirainen } else if (ret == 0) {
e98de01b5644c88b6053e2921eb5e9a506fe263fTimo Sirainen ssl_io->source, where, SSL_state_string_long(ssl));
e98de01b5644c88b6053e2921eb5e9a506fe263fTimo Sirainenssl_iostream_use_certificate(struct ssl_iostream *ssl_io, const char *cert)
e98de01b5644c88b6053e2921eb5e9a506fe263fTimo Sirainen in = BIO_new_mem_buf(t_strdup_noconst(cert), strlen(cert));
e98de01b5644c88b6053e2921eb5e9a506fe263fTimo Sirainen i_error("BIO_new_mem_buf() failed: %s", ssl_iostream_error());
e98de01b5644c88b6053e2921eb5e9a506fe263fTimo Sirainen i_error("%s: Can't load ssl_cert: %s", ssl_io->source,
e98de01b5644c88b6053e2921eb5e9a506fe263fTimo Sirainen ssl_iostream_get_use_certificate_error(cert));
e98de01b5644c88b6053e2921eb5e9a506fe263fTimo Sirainenssl_iostream_use_key(struct ssl_iostream *ssl_io,
e98de01b5644c88b6053e2921eb5e9a506fe263fTimo Sirainen if (ssl_iostream_load_key(set, ssl_io->source, &pkey) < 0)
e98de01b5644c88b6053e2921eb5e9a506fe263fTimo Sirainen if (SSL_use_PrivateKey(ssl_io->ssl, pkey) != 1) {
e98de01b5644c88b6053e2921eb5e9a506fe263fTimo Sirainen ssl_io->source, ssl_iostream_key_load_error());
e98de01b5644c88b6053e2921eb5e9a506fe263fTimo Sirainenssl_iostream_verify_client_cert(int preverify_ok, X509_STORE_CTX *ctx)
e98de01b5644c88b6053e2921eb5e9a506fe263fTimo Sirainen int ssl_extidx = SSL_get_ex_data_X509_STORE_CTX_idx();
e98de01b5644c88b6053e2921eb5e9a506fe263fTimo Sirainen ssl = X509_STORE_CTX_get_ex_data(ctx, ssl_extidx);
e98de01b5644c88b6053e2921eb5e9a506fe263fTimo Sirainen ssl_io = SSL_get_ex_data(ssl, dovecot_ssl_extdata_index);
e98de01b5644c88b6053e2921eb5e9a506fe263fTimo Sirainen (ssl_io->verbose_invalid_cert && !preverify_ok)) {
e98de01b5644c88b6053e2921eb5e9a506fe263fTimo Sirainen subject = X509_get_subject_name(ctx->current_cert);
e98de01b5644c88b6053e2921eb5e9a506fe263fTimo Sirainen if (X509_NAME_oneline(subject, buf, sizeof(buf)) == NULL)
e98de01b5644c88b6053e2921eb5e9a506fe263fTimo Sirainen buf[sizeof(buf)-1] = '\0'; /* just in case.. */
e98de01b5644c88b6053e2921eb5e9a506fe263fTimo Sirainen X509_verify_cert_error_string(ctx->error), buf);
e98de01b5644c88b6053e2921eb5e9a506fe263fTimo Sirainen const struct ssl_iostream_settings *ctx_set = ssl_io->ctx->set;
e98de01b5644c88b6053e2921eb5e9a506fe263fTimo Sirainen SSL_set_info_callback(ssl_io->ssl, ssl_info_callback);
e98de01b5644c88b6053e2921eb5e9a506fe263fTimo Sirainen strcmp(ctx_set->cipher_list, set->cipher_list) != 0) {
e98de01b5644c88b6053e2921eb5e9a506fe263fTimo Sirainen if (!SSL_set_cipher_list(ssl_io->ssl, set->cipher_list)) {
e98de01b5644c88b6053e2921eb5e9a506fe263fTimo Sirainen i_error("%s: Can't set cipher list to '%s': %s",
e98de01b5644c88b6053e2921eb5e9a506fe263fTimo Sirainen if (set->cert != NULL && strcmp(ctx_set->cert, set->cert) != 0) {
e98de01b5644c88b6053e2921eb5e9a506fe263fTimo Sirainen if (ssl_iostream_use_certificate(ssl_io, set->cert) < 0)
e98de01b5644c88b6053e2921eb5e9a506fe263fTimo Sirainen if (set->key != NULL && strcmp(ctx_set->key, set->key) != 0) {
e98de01b5644c88b6053e2921eb5e9a506fe263fTimo Sirainen ssl_io->username_nid = OBJ_txt2nid(set->cert_username_field);
e98de01b5644c88b6053e2921eb5e9a506fe263fTimo Sirainen i_error("%s: Invalid cert_username_field: %s",
e98de01b5644c88b6053e2921eb5e9a506fe263fTimo Sirainen ssl_io->username_nid = ssl_io->ctx->username_nid;
e98de01b5644c88b6053e2921eb5e9a506fe263fTimo Sirainen ssl_io->verbose_invalid_cert = set->verbose_invalid_cert;
e98de01b5644c88b6053e2921eb5e9a506fe263fTimo Sirainen ssl_io->require_valid_cert = set->require_valid_cert;
e98de01b5644c88b6053e2921eb5e9a506fe263fTimo Sirainenint io_stream_create_ssl(struct ssl_iostream_context *ctx, const char *source,
e98de01b5644c88b6053e2921eb5e9a506fe263fTimo Sirainen struct istream **input, struct ostream **output,
e98de01b5644c88b6053e2921eb5e9a506fe263fTimo Sirainen i_error("SSL_new() failed: %s", ssl_iostream_error());
e98de01b5644c88b6053e2921eb5e9a506fe263fTimo Sirainen if (BIO_new_bio_pair(&bio_int, 0, &bio_ext, 0) != 1) {
e98de01b5644c88b6053e2921eb5e9a506fe263fTimo Sirainen i_error("BIO_new_bio_pair() failed: %s", ssl_iostream_error());
e98de01b5644c88b6053e2921eb5e9a506fe263fTimo Sirainen SSL_set_ex_data(ssl_io->ssl, dovecot_ssl_extdata_index, ssl_io);
e98de01b5644c88b6053e2921eb5e9a506fe263fTimo Sirainenstatic void ssl_iostream_free(struct ssl_iostream *ssl_io)
e98de01b5644c88b6053e2921eb5e9a506fe263fTimo Sirainenvoid ssl_iostream_unref(struct ssl_iostream **_ssl_io)
e98de01b5644c88b6053e2921eb5e9a506fe263fTimo Sirainenstatic bool ssl_iostream_bio_output(struct ssl_iostream *ssl_io)
e98de01b5644c88b6053e2921eb5e9a506fe263fTimo Sirainen while ((bytes = BIO_ctrl_pending(ssl_io->bio_ext)) > 0) {
e98de01b5644c88b6053e2921eb5e9a506fe263fTimo Sirainen max_bytes = o_stream_get_buffer_avail_size(ssl_io->plain_output);
e98de01b5644c88b6053e2921eb5e9a506fe263fTimo Sirainen /* wait until output buffer clears */
e98de01b5644c88b6053e2921eb5e9a506fe263fTimo Sirainen ret = BIO_read(ssl_io->bio_ext, buffer, bytes);
e98de01b5644c88b6053e2921eb5e9a506fe263fTimo Sirainen sent = o_stream_send(ssl_io->plain_output, buffer, bytes);
148a8396be2c1cf7d2aaa55566f7f7dea05388ddTimo Sirainen i_assert(ssl_io->plain_output->stream_errno != 0);
e98de01b5644c88b6053e2921eb5e9a506fe263fTimo Sirainenstatic bool ssl_iostream_bio_input(struct ssl_iostream *ssl_io)
e98de01b5644c88b6053e2921eb5e9a506fe263fTimo Sirainen const unsigned char *data;
e98de01b5644c88b6053e2921eb5e9a506fe263fTimo Sirainen while (BIO_ctrl_get_read_request(ssl_io->bio_ext) > 0) {
e98de01b5644c88b6053e2921eb5e9a506fe263fTimo Sirainen (void)i_stream_read_data(ssl_io->plain_input, &data, &size, 0);
e98de01b5644c88b6053e2921eb5e9a506fe263fTimo Sirainen /* wait for more input */
e98de01b5644c88b6053e2921eb5e9a506fe263fTimo Sirainenbool ssl_iostream_bio_sync(struct ssl_iostream *ssl_io)
e98de01b5644c88b6053e2921eb5e9a506fe263fTimo Sirainenint ssl_iostream_handle_error(struct ssl_iostream *ssl_io, int ret,
e98de01b5644c88b6053e2921eb5e9a506fe263fTimo Sirainen /* eat up the error queue */
e98de01b5644c88b6053e2921eb5e9a506fe263fTimo Sirainen } else if (ret != 0) {
e98de01b5644c88b6053e2921eb5e9a506fe263fTimo Sirainen errstr = t_strdup_printf("%s syscall failed: %s",
e98de01b5644c88b6053e2921eb5e9a506fe263fTimo Sirainen /* clean connection closing */
e98de01b5644c88b6053e2921eb5e9a506fe263fTimo Sirainen errstr = t_strdup_printf("%s failed: unknown failure %d (%s)",
e98de01b5644c88b6053e2921eb5e9a506fe263fTimo Sirainenint ssl_iostream_handshake(struct ssl_iostream *ssl_io)
e98de01b5644c88b6053e2921eb5e9a506fe263fTimo Sirainen while ((ret = SSL_connect(ssl_io->ssl)) <= 0) {
e98de01b5644c88b6053e2921eb5e9a506fe263fTimo Sirainen "SSL_connect()");
e98de01b5644c88b6053e2921eb5e9a506fe263fTimo Sirainen while ((ret = SSL_accept(ssl_io->ssl)) <= 0) {
e98de01b5644c88b6053e2921eb5e9a506fe263fTimo Sirainen "SSL_accept()");
e98de01b5644c88b6053e2921eb5e9a506fe263fTimo Sirainen if (ssl_io->handshake_callback(ssl_io->handshake_context) < 0) {
e98de01b5644c88b6053e2921eb5e9a506fe263fTimo Sirainenvoid ssl_iostream_set_handshake_callback(struct ssl_iostream *ssl_io,
e98de01b5644c88b6053e2921eb5e9a506fe263fTimo Sirainenbool ssl_iostream_is_handshaked(const struct ssl_iostream *ssl_io)
e98de01b5644c88b6053e2921eb5e9a506fe263fTimo Sirainenbool ssl_iostream_has_valid_client_cert(const struct ssl_iostream *ssl_io)
e98de01b5644c88b6053e2921eb5e9a506fe263fTimo Sirainen return ssl_io->cert_received && !ssl_io->cert_broken;
e98de01b5644c88b6053e2921eb5e9a506fe263fTimo Sirainenbool ssl_iostream_has_broken_client_cert(struct ssl_iostream *ssl_io)
e98de01b5644c88b6053e2921eb5e9a506fe263fTimo Sirainen return ssl_io->cert_received && ssl_io->cert_broken;
e98de01b5644c88b6053e2921eb5e9a506fe263fTimo Sirainenconst char *ssl_iostream_get_peer_name(struct ssl_iostream *ssl_io)
e98de01b5644c88b6053e2921eb5e9a506fe263fTimo Sirainen if (!ssl_iostream_has_valid_client_cert(ssl_io))
e98de01b5644c88b6053e2921eb5e9a506fe263fTimo Sirainen len = X509_NAME_get_text_by_NID(X509_get_subject_name(x509),
e98de01b5644c88b6053e2921eb5e9a506fe263fTimo Sirainen if (X509_NAME_get_text_by_NID(X509_get_subject_name(x509),
e98de01b5644c88b6053e2921eb5e9a506fe263fTimo Sirainen /* NUL characters in name. Someone's trying to fake
e98de01b5644c88b6053e2921eb5e9a506fe263fTimo Sirainen being another user? Don't allow it. */
e98de01b5644c88b6053e2921eb5e9a506fe263fTimo Sirainenconst char *ssl_iostream_get_security_string(struct ssl_iostream *ssl_io)
e98de01b5644c88b6053e2921eb5e9a506fe263fTimo Sirainen bits = SSL_CIPHER_get_bits(cipher, &alg_bits);
e98de01b5644c88b6053e2921eb5e9a506fe263fTimo Sirainen comp = SSL_get_current_compression(ssl_io->ssl);
e98de01b5644c88b6053e2921eb5e9a506fe263fTimo Sirainen t_strconcat(" ", SSL_COMP_get_name(comp), NULL);
8f2444f788368b08edb4ac037d5f7e5919cdee0aTimo Sirainen return t_strdup_printf("%s with cipher %s (%d/%d bits)%s",