src/login-common/ssl-proxy-gnutls.c

	ssl-proxy-gnutls.c revision 7cb128dc4cae2a03a742f63ba7afee23c78e3af0
02c335c23bf5fa225a467c19f2c063fb0dc7b8c3Timo Sirainen/* Copyright (c) 2002-2015 Dovecot authors, see the included COPYING file */
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen#include "login-common.h"
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen#include "ioloop.h"
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen#include "net.h"
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen#include "hash.h"
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen#include "ssl-proxy.h"
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen#ifdef HAVE_GNUTLS
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen#error broken currently
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen#include <stdio.h>
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen#include <stdlib.h>
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen#include <unistd.h>
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen#include <fcntl.h>
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen#include <gcrypt.h>
8ccdf195768afdfbc32088d7be77dfca7dddd829Stephan Bosch#include <gnutls/gnutls.h>
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainenstruct ssl_proxy {
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen	int refcount;
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen	gnutls_session session;
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen	struct ip_addr ip;
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen	int fd_ssl, fd_plain;
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen	struct io *io_ssl, *io_plain;
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen	int io_ssl_dir;
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen
fe779565bda49a0ed0476724819c6e3c1340c94bTimo Sirainen	unsigned char outbuf_plain[1024];
fe779565bda49a0ed0476724819c6e3c1340c94bTimo Sirainen	unsigned int outbuf_pos_plain;
fe779565bda49a0ed0476724819c6e3c1340c94bTimo Sirainen
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen	size_t send_left_ssl, send_left_plain;
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen};
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen
8ccdf195768afdfbc32088d7be77dfca7dddd829Stephan Boschconst int protocol_priority[] =
8ccdf195768afdfbc32088d7be77dfca7dddd829Stephan Bosch	{ GNUTLS_TLS1, GNUTLS_SSL3, 0 };
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainenconst int kx_priority[] =
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen	{ GNUTLS_KX_DHE_DSS, GNUTLS_KX_RSA, GNUTLS_KX_DHE_RSA, 0 };
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainenconst int cipher_priority[] =
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen	{ GNUTLS_CIPHER_RIJNDAEL_CBC, GNUTLS_CIPHER_3DES_CBC,
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen	  GNUTLS_CIPHER_ARCFOUR_128, GNUTLS_CIPHER_ARCFOUR_40, 0 };
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainenconst int comp_priority[] =
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen	{ GNUTLS_COMP_LZO, GNUTLS_COMP_ZLIB, GNUTLS_COMP_NULL, 0 };
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainenconst int mac_priority[] =
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen	{ GNUTLS_MAC_SHA, GNUTLS_MAC_MD5, 0 };
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainenconst int cert_type_priority[] =
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen	{ GNUTLS_CRT_X509, 0 };
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainenstatic struct hash_table *ssl_proxies;
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainenstatic gnutls_certificate_credentials x509_cred;
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainenstatic gnutls_dh_params dh_params;
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainenstatic gnutls_rsa_params rsa_params;
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainenstatic void ssl_input(struct ssl_proxy *proxy);
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainenstatic void plain_input(struct ssl_proxy *proxy);
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainenstatic bool ssl_proxy_destroy(struct ssl_proxy *proxy);
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainenstatic const char *get_alert_text(struct ssl_proxy *proxy)
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen{
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen	return gnutls_alert_get_name(gnutls_alert_get(proxy->session));
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen}
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainenstatic int handle_ssl_error(struct ssl_proxy *proxy, int error)
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen{
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen	if (!gnutls_error_is_fatal(error)) {
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen		if (!verbose_ssl)
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen			return 0;
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen		if (error == GNUTLS_E_WARNING_ALERT_RECEIVED) {
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen			i_warning("Received SSL warning alert: %s [%s]",
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen				  get_alert_text(proxy),
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen				  net_ip2addr(&proxy->ip));
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen		} else {
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen			i_warning("Non-fatal SSL error: %s: %s",
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen				  get_alert_text(proxy),
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen				  net_ip2addr(&proxy->ip));
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen		}
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen		return 0;
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen	}
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen	if (verbose_ssl) {
1c75bf24894a3fc0631caa4954e5130e9bb01d8dTimo Sirainen		/* fatal error occurred */
1c75bf24894a3fc0631caa4954e5130e9bb01d8dTimo Sirainen		if (error == GNUTLS_E_FATAL_ALERT_RECEIVED) {
1c75bf24894a3fc0631caa4954e5130e9bb01d8dTimo Sirainen			i_warning("Received SSL fatal alert: %s [%s]",
1c75bf24894a3fc0631caa4954e5130e9bb01d8dTimo Sirainen				  get_alert_text(proxy),
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen				  net_ip2addr(&proxy->ip));
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen		} else {
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen			i_warning("Error reading from SSL client: %s [%s]",
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen				  gnutls_strerror(error),
8ccdf195768afdfbc32088d7be77dfca7dddd829Stephan Bosch				  net_ip2addr(&proxy->ip));
8ccdf195768afdfbc32088d7be77dfca7dddd829Stephan Bosch		}
8ccdf195768afdfbc32088d7be77dfca7dddd829Stephan Bosch	}
8ccdf195768afdfbc32088d7be77dfca7dddd829Stephan Bosch
8ccdf195768afdfbc32088d7be77dfca7dddd829Stephan Bosch        gnutls_alert_send_appropriate(proxy->session, error);
8ccdf195768afdfbc32088d7be77dfca7dddd829Stephan Bosch	ssl_proxy_destroy(proxy);
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen	return -1;
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen}
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainenstatic int proxy_recv_ssl(struct ssl_proxy *proxy, void *data, size_t size)
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen{
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen	int rcvd;
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen	rcvd = gnutls_record_recv(proxy->session, data, size);
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen	if (rcvd > 0)
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen		return rcvd;
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen	if (rcvd == 0 || rcvd == GNUTLS_E_UNEXPECTED_PACKET_LENGTH) {
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen		/* disconnected, either by nicely telling us that we'll
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen		   close the connection, or by simply killing the
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen		   connection which gives us the packet length error. */
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen		ssl_proxy_destroy(proxy);
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen		return -1;
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen	}
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen	return handle_ssl_error(proxy, rcvd);
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen}
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainenstatic int proxy_send_ssl(struct ssl_proxy *proxy,
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen			  const void *data, size_t size)
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen{
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen	int sent;
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen
3858a7a5da361c35f1e6e50c8e3214dc0cf379d6Phil Carmody	sent = gnutls_record_send(proxy->session, data, size);
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen	if (sent >= 0)
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen		return sent;
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen	if (sent == GNUTLS_E_PUSH_ERROR || sent == GNUTLS_E_INVALID_SESSION) {
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen		/* don't warn about errors related to unexpected
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen		   disconnection */
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen		ssl_proxy_destroy(proxy);
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen		return -1;
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen	}
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen	return handle_ssl_error(proxy, sent);
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen}
8ccdf195768afdfbc32088d7be77dfca7dddd829Stephan Bosch
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainenstatic int ssl_proxy_destroy(struct ssl_proxy *proxy)
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen{
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen	if (--proxy->refcount > 0)
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen		return TRUE;
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen	hash_table_remove(ssl_proxies, proxy);
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen	gnutls_deinit(proxy->session);
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen	if (proxy->io_ssl != NULL)
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen		io_remove(proxy->io_ssl);
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen	if (proxy->io_plain != NULL)
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen		io_remove(proxy->io_plain);
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen	net_disconnect(proxy->fd_ssl);
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen	net_disconnect(proxy->fd_plain);
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen	i_free(proxy);
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen	main_unref();
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen	return FALSE;
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen}
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainenstatic void ssl_output(struct ssl_proxy *proxy)
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen{
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen	int sent;
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen	sent = net_transmit(proxy->fd_plain,
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen			    proxy->outbuf_plain + proxy->outbuf_pos_plain,
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen			    proxy->send_left_plain);
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen	if (sent < 0) {
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen		/* disconnected */
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen		ssl_proxy_destroy(proxy);
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen		return;
8ccdf195768afdfbc32088d7be77dfca7dddd829Stephan Bosch	}
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen	proxy->send_left_plain -= sent;
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen	proxy->outbuf_pos_plain += sent;
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen	if (proxy->send_left_plain > 0)
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen		return;
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen	/* everything is sent, start reading again */
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen	io_remove(proxy->io_ssl);
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen	proxy->io_ssl = io_add(proxy->fd_ssl, IO_READ, ssl_input, proxy);
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen}
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainenstatic void ssl_input(struct ssl_proxy *proxy)
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen{
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen	int rcvd, sent;
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen	rcvd = proxy_recv_ssl(proxy, proxy->outbuf_plain,
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen			      sizeof(proxy->outbuf_plain));
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen	if (rcvd <= 0)
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen		return;
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen	sent = net_transmit(proxy->fd_plain, proxy->outbuf_plain, (size_t)rcvd);
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen	if (sent == rcvd)
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen		return;
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen	if (sent < 0) {
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen		/* disconnected */
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen		ssl_proxy_destroy(proxy);
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen		return;
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen	}
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen	/* everything wasn't sent - don't read anything until we've
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen	   sent it all */
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen        proxy->outbuf_pos_plain = 0;
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen	proxy->send_left_plain = rcvd - sent;
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen	io_remove(proxy->io_ssl);
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen	proxy->io_ssl = io_add(proxy->fd_ssl, IO_WRITE, ssl_output, proxy);
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen}
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen
8ccdf195768afdfbc32088d7be77dfca7dddd829Stephan Boschstatic void plain_output(struct ssl_proxy *proxy)
8ccdf195768afdfbc32088d7be77dfca7dddd829Stephan Bosch{
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen	int sent;
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen	sent = proxy_send_ssl(proxy, NULL, proxy->send_left_ssl);
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen	if (sent <= 0)
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen		return;
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen	proxy->send_left_ssl -= sent;
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen	if (proxy->send_left_ssl > 0)
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen		return;
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen	/* everything is sent, start reading again */
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen	io_remove(proxy->io_plain);
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen	proxy->io_plain = io_add(proxy->fd_plain, IO_READ, plain_input, proxy);
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen}
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainenstatic void plain_input(struct ssl_proxy *proxy)
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen{
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen	char buf[1024];
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen	ssize_t rcvd, sent;
8855b8b57050fe3b6dc3f19283488512fae98648Timo Sirainen
8855b8b57050fe3b6dc3f19283488512fae98648Timo Sirainen	rcvd = net_receive(proxy->fd_plain, buf, sizeof(buf));
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen	if (rcvd < 0) {
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen		/* disconnected */
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen		gnutls_bye(proxy->session, 1);
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen		ssl_proxy_destroy(proxy);
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen		return;
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen	}
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen
8ccdf195768afdfbc32088d7be77dfca7dddd829Stephan Bosch	sent = proxy_send_ssl(proxy, buf, (size_t)rcvd);
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen	if (sent < 0 || sent == rcvd)
8ccdf195768afdfbc32088d7be77dfca7dddd829Stephan Bosch		return;
8ccdf195768afdfbc32088d7be77dfca7dddd829Stephan Bosch
8ccdf195768afdfbc32088d7be77dfca7dddd829Stephan Bosch	/* everything wasn't sent - don't read anything until we've
8ccdf195768afdfbc32088d7be77dfca7dddd829Stephan Bosch	   sent it all */
8ccdf195768afdfbc32088d7be77dfca7dddd829Stephan Bosch	proxy->send_left_ssl = rcvd - sent;
8ccdf195768afdfbc32088d7be77dfca7dddd829Stephan Bosch
8ccdf195768afdfbc32088d7be77dfca7dddd829Stephan Bosch	io_remove(proxy->io_plain);
8ccdf195768afdfbc32088d7be77dfca7dddd829Stephan Bosch	proxy->io_plain = io_add(proxy->fd_ssl, IO_WRITE, plain_output, proxy);
8ccdf195768afdfbc32088d7be77dfca7dddd829Stephan Bosch}
8ccdf195768afdfbc32088d7be77dfca7dddd829Stephan Bosch
8ccdf195768afdfbc32088d7be77dfca7dddd829Stephan Boschstatic void ssl_handshake(struct ssl_proxy *proxy)
8ccdf195768afdfbc32088d7be77dfca7dddd829Stephan Bosch{
8ccdf195768afdfbc32088d7be77dfca7dddd829Stephan Bosch	int ret, dir;
8ccdf195768afdfbc32088d7be77dfca7dddd829Stephan Bosch
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen        ret = gnutls_handshake(proxy->session);
8ccdf195768afdfbc32088d7be77dfca7dddd829Stephan Bosch	if (ret >= 0) {
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen		/* handshake done, now we can start reading */
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen		if (proxy->io_ssl != NULL)
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen			io_remove(proxy->io_ssl);
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen
8ccdf195768afdfbc32088d7be77dfca7dddd829Stephan Bosch		proxy->io_plain = io_add(proxy->fd_plain, IO_READ,
8ccdf195768afdfbc32088d7be77dfca7dddd829Stephan Bosch					 plain_input, proxy);
8ccdf195768afdfbc32088d7be77dfca7dddd829Stephan Bosch		proxy->io_ssl = io_add(proxy->fd_ssl, IO_READ,
8ccdf195768afdfbc32088d7be77dfca7dddd829Stephan Bosch				       ssl_input, proxy);
8ccdf195768afdfbc32088d7be77dfca7dddd829Stephan Bosch		return;
8ccdf195768afdfbc32088d7be77dfca7dddd829Stephan Bosch	}
8ccdf195768afdfbc32088d7be77dfca7dddd829Stephan Bosch
8ccdf195768afdfbc32088d7be77dfca7dddd829Stephan Bosch	if (handle_ssl_error(proxy, ret) < 0)
8ccdf195768afdfbc32088d7be77dfca7dddd829Stephan Bosch		return;
8ccdf195768afdfbc32088d7be77dfca7dddd829Stephan Bosch
8ccdf195768afdfbc32088d7be77dfca7dddd829Stephan Bosch	/* i/o interrupted */
8ccdf195768afdfbc32088d7be77dfca7dddd829Stephan Bosch	dir = gnutls_record_get_direction(proxy->session) == 0 ?
8ccdf195768afdfbc32088d7be77dfca7dddd829Stephan Bosch		IO_READ : IO_WRITE;
8ccdf195768afdfbc32088d7be77dfca7dddd829Stephan Bosch	if (proxy->io_ssl_dir != dir) {
8ccdf195768afdfbc32088d7be77dfca7dddd829Stephan Bosch		if (proxy->io_ssl != NULL)
8ccdf195768afdfbc32088d7be77dfca7dddd829Stephan Bosch			io_remove(proxy->io_ssl);
8ccdf195768afdfbc32088d7be77dfca7dddd829Stephan Bosch		proxy->io_ssl = io_add(proxy->fd_ssl, dir,
8ccdf195768afdfbc32088d7be77dfca7dddd829Stephan Bosch				       ssl_handshake, proxy);
8ccdf195768afdfbc32088d7be77dfca7dddd829Stephan Bosch		proxy->io_ssl_dir = dir;
8ccdf195768afdfbc32088d7be77dfca7dddd829Stephan Bosch	}
8ccdf195768afdfbc32088d7be77dfca7dddd829Stephan Bosch}
8ccdf195768afdfbc32088d7be77dfca7dddd829Stephan Bosch
8ccdf195768afdfbc32088d7be77dfca7dddd829Stephan Boschstatic gnutls_session initialize_state(void)
8ccdf195768afdfbc32088d7be77dfca7dddd829Stephan Bosch{
8ccdf195768afdfbc32088d7be77dfca7dddd829Stephan Bosch	gnutls_session session;
8ccdf195768afdfbc32088d7be77dfca7dddd829Stephan Bosch
8ccdf195768afdfbc32088d7be77dfca7dddd829Stephan Bosch	gnutls_init(&session, GNUTLS_SERVER);
8ccdf195768afdfbc32088d7be77dfca7dddd829Stephan Bosch
8ccdf195768afdfbc32088d7be77dfca7dddd829Stephan Bosch	gnutls_protocol_set_priority(session, protocol_priority);
8ccdf195768afdfbc32088d7be77dfca7dddd829Stephan Bosch	gnutls_cipher_set_priority(session, cipher_priority);
8ccdf195768afdfbc32088d7be77dfca7dddd829Stephan Bosch	gnutls_compression_set_priority(session, comp_priority);
8ccdf195768afdfbc32088d7be77dfca7dddd829Stephan Bosch	gnutls_kx_set_priority(session, kx_priority);
8ccdf195768afdfbc32088d7be77dfca7dddd829Stephan Bosch	gnutls_mac_set_priority(session, mac_priority);
8ccdf195768afdfbc32088d7be77dfca7dddd829Stephan Bosch	gnutls_certificate_type_set_priority(session, cert_type_priority);
8ccdf195768afdfbc32088d7be77dfca7dddd829Stephan Bosch
8ccdf195768afdfbc32088d7be77dfca7dddd829Stephan Bosch	gnutls_cred_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred);
8ccdf195768afdfbc32088d7be77dfca7dddd829Stephan Bosch	return session;
8ccdf195768afdfbc32088d7be77dfca7dddd829Stephan Bosch}
8ccdf195768afdfbc32088d7be77dfca7dddd829Stephan Bosch
8ccdf195768afdfbc32088d7be77dfca7dddd829Stephan Boschint ssl_proxy_new(int fd, struct ip_addr *ip)
8ccdf195768afdfbc32088d7be77dfca7dddd829Stephan Bosch{
8ccdf195768afdfbc32088d7be77dfca7dddd829Stephan Bosch        struct ssl_proxy *proxy;
8ccdf195768afdfbc32088d7be77dfca7dddd829Stephan Bosch	gnutls_session session;
8ccdf195768afdfbc32088d7be77dfca7dddd829Stephan Bosch	int sfd[2];
8ccdf195768afdfbc32088d7be77dfca7dddd829Stephan Bosch
8ccdf195768afdfbc32088d7be77dfca7dddd829Stephan Bosch	if (!ssl_initialized) {
8ccdf195768afdfbc32088d7be77dfca7dddd829Stephan Bosch		i_error("SSL support not enabled in configuration");
8ccdf195768afdfbc32088d7be77dfca7dddd829Stephan Bosch		return -1;
8ccdf195768afdfbc32088d7be77dfca7dddd829Stephan Bosch	}
8ccdf195768afdfbc32088d7be77dfca7dddd829Stephan Bosch
8ccdf195768afdfbc32088d7be77dfca7dddd829Stephan Bosch	session = initialize_state();
8ccdf195768afdfbc32088d7be77dfca7dddd829Stephan Bosch	gnutls_transport_set_ptr(session, fd);
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen	if (socketpair(AF_UNIX, SOCK_STREAM, 0, sfd) == -1) {
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen		i_error("socketpair() failed: %m");
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen		gnutls_deinit(session);
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen		return -1;
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen	}
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen	net_set_nonblock(sfd[0], TRUE);
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen	net_set_nonblock(sfd[1], TRUE);
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen	net_set_nonblock(fd, TRUE);
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen	proxy = i_new(struct ssl_proxy, 1);
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen	proxy->refcount = 1;
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen	proxy->session = session;
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen	proxy->fd_ssl = fd;
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen	proxy->fd_plain = sfd[0];
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen	proxy->ip = *ip;
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen	hash_table_insert(ssl_proxies, proxy, proxy);
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen	proxy->refcount++;
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen	ssl_handshake(proxy);
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen	if (!ssl_proxy_destroy(proxy)) {
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen		/* handshake failed. return the disconnected socket anyway
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen		   so the caller doesn't try to use the old closed fd */
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen		return sfd[1];
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen	}
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen        main_ref();
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen	return sfd[1];
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen}
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen
8ccdf195768afdfbc32088d7be77dfca7dddd829Stephan Boschstatic void read_next_field(int fd, gnutls_datum *datum,
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen			    const char *fname, const char *field_name)
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen{
8ccdf195768afdfbc32088d7be77dfca7dddd829Stephan Bosch        ssize_t ret;
02c75e04c6ff80726bb59e3ea34a7995ad1f6f7cTimo Sirainen
	/* get size */
	ret = read(fd, &datum->size, sizeof(datum->size));
	if (ret < 0)
		i_fatal("read() failed for %s: %m", fname);

	if (ret != sizeof(datum->size)) {
		(void)unlink(fname);
		i_fatal("Corrupted SSL parameter file %s: File too small",
			fname);
	}

	if (datum->size > 10240) {
		(void)unlink(fname);
		i_fatal("Corrupted SSL parameter file %s: "
			"Field '%s' too large (%u)",
			fname, field_name, datum->size);
	}

	/* read the actual data */
	datum->data = t_malloc(datum->size);
	ret = read(fd, datum->data, datum->size);
	if (ret < 0)
		i_fatal("read() failed for %s: %m", fname);

	if ((size_t)ret != datum->size) {
		(void)unlink(fname);
		i_fatal("Corrupted SSL parameter file %s: "
			"Field '%s' not fully in file (%u < %u)",
			fname, field_name, datum->size - ret, datum->size);
	}
}

static void read_dh_parameters(int fd, const char *fname)
{
	gnutls_datum dbits, prime, generator;
	int ret, bits;

	if ((ret = gnutls_dh_params_init(&dh_params)) < 0) {
		i_fatal("gnutls_dh_params_init() failed: %s",
			gnutls_strerror(ret));
	}

	/* read until bits field is 0 */
	for (;;) {
		read_next_field(fd, &dbits, fname, "DH bits");

		if (dbits.size != sizeof(int)) {
			(void)unlink(fname);
			i_fatal("Corrupted SSL parameter file %s: "
				"Field 'DH bits' has invalid size %u",
				fname, dbits.size);
		}

		bits = *((int *) dbits.data);
		if (bits == 0)
			break;

		read_next_field(fd, &prime, fname, "DH prime");
		read_next_field(fd, &generator, fname, "DH generator");

		ret = gnutls_dh_params_set(dh_params, prime, generator, bits);
		if (ret < 0) {
			i_fatal("gnutls_dh_params_set() failed: %s",
				gnutls_strerror(ret));
		}
	}
}

static void read_rsa_parameters(int fd, const char *fname)
{
	gnutls_datum m, e, d, p, q, u;
	int ret;

	read_next_field(fd, &m, fname, "RSA m");
	read_next_field(fd, &e, fname, "RSA e");
	read_next_field(fd, &d, fname, "RSA d");
	read_next_field(fd, &p, fname, "RSA p");
	read_next_field(fd, &q, fname, "RSA q");
	read_next_field(fd, &u, fname, "RSA u");

	if ((ret = gnutls_rsa_params_init(&rsa_params)) < 0) {
		i_fatal("gnutls_rsa_params_init() failed: %s",
			gnutls_strerror(ret));
	}

	/* only 512bit is allowed */
	ret = gnutls_rsa_params_set(rsa_params, m, e, d, p, q, u, 512);
	if (ret < 0) {
		i_fatal("gnutls_rsa_params_set() failed: %s",
			gnutls_strerror(ret));
	}
}

static void read_parameters(const char *fname)
{
	int fd;

	/* we'll wait until parameter file exists */
	for (;;) {
		fd = open(fname, O_RDONLY);
		if (fd != -1)
			break;

		if (errno != ENOENT)
			i_fatal("Can't open SSL parameter file %s: %m", fname);

		sleep(1);
	}

	read_dh_parameters(fd, fname);
	read_rsa_parameters(fd, fname);

	i_close_fd(&fd);
}

static void gcrypt_log_handler(void *context ATTR_UNUSED, int level,
			       const char *fmt, va_list args)
{
	if (level != GCRY_LOG_FATAL)
		return;

	T_BEGIN {
		i_error("gcrypt fatal: %s", t_strdup_vprintf(fmt, args));
	} T_END;
}

void ssl_proxy_init(void)
{
	const char *certfile, *keyfile, *paramfile;
	unsigned char buf[4];
	int ret;

	certfile = getenv("SSL_CERT_FILE");
	keyfile = getenv("SSL_KEY_FILE");
	paramfile = getenv("SSL_PARAM_FILE");

	if (certfile == NULL || keyfile == NULL || paramfile == NULL) {
		/* SSL support is disabled */
		return;
	}

	if ((ret = gnutls_global_init() < 0)) {
		i_fatal("gnu_tls_global_init() failed: %s",
			gnutls_strerror(ret));
	}

	/* gcrypt initialization - set log handler and make sure randomizer
	   opens /dev/urandom now instead of after we've chrooted */
	gcry_set_log_handler(gcrypt_log_handler, NULL);
	gcry_randomize(buf, sizeof(buf), GCRY_STRONG_RANDOM);

	read_parameters(paramfile);

	if ((ret = gnutls_certificate_allocate_credentials(&x509_cred)) < 0) {
		i_fatal("gnutls_certificate_allocate_credentials() failed: %s",
			gnutls_strerror(ret));
	}

	ret = gnutls_certificate_set_x509_key_file(x509_cred, certfile, keyfile,
						   GNUTLS_X509_FMT_PEM);
	if (ret < 0) {
		i_fatal("Can't load certificate files %s and %s: %s",
			certfile, keyfile, gnutls_strerror(ret));
	}

        gnutls_certificate_set_dh_params(x509_cred, dh_params);
        gnutls_certificate_set_rsa_export_params(x509_cred, rsa_params);

	ssl_proxies = hash_table_create(default_pool, 0, NULL, NULL);
	ssl_initialized = TRUE;
}

void ssl_proxy_deinit(void)
{
	struct hash_iterate_context *iter;
	void *key, *value;

	if (!ssl_initialized)
		return;

	iter = hash_table_iterate_init(ssl_proxies);
	while (hash_table_iterate(iter, &key, &value))
		ssl_proxy_destroy(value);
	hash_table_iterate_deinit(iter);
	hash_table_destroy(ssl_proxies);

	gnutls_certificate_free_credentials(x509_cred);
	gnutls_global_deinit();
}

#endif