1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
|
/* Copyright (c) 2013-2018 Dovecot authors, see the included COPYING file */
#include "lib.h"
#include "ioloop.h"
#include "buffer.h"
#include "iostream-ssl.h"
#include "master-service-private.h"
#include "master-service-settings.h"
#include "master-service-ssl-settings.h"
#include "master-service-ssl.h"
#include <unistd.h>
int master_service_ssl_init(struct master_service *service,
struct istream **input, struct ostream **output,
struct ssl_iostream **ssl_iostream_r,
const char **error_r)
{
const struct master_service_ssl_settings *set;
struct ssl_iostream_settings ssl_set;
i_assert(service->ssl_ctx_initialized);
set = master_service_ssl_settings_get(service);
if (service->ssl_ctx == NULL) {
if (strcmp(set->ssl, "no") == 0)
*error_r = "SSL is disabled (ssl=no)";
else
*error_r = "Failed to initialize SSL context";
return -1;
}
i_zero(&ssl_set);
ssl_set.verbose = set->verbose_ssl;
ssl_set.verify_remote_cert = set->ssl_verify_client_cert;
return io_stream_create_ssl_server(service->ssl_ctx, &ssl_set,
input, output, ssl_iostream_r, error_r);
}
bool master_service_ssl_is_enabled(struct master_service *service)
{
return service->ssl_ctx != NULL;
}
void master_service_ssl_ctx_init(struct master_service *service)
{
const struct master_service_ssl_settings *set;
const struct master_service_ssl_server_settings *server_set;
struct ssl_iostream_settings ssl_set;
const char *error;
if (service->ssl_ctx_initialized)
return;
service->ssl_ctx_initialized = TRUE;
/* must be called after master_service_init_finish() so that if
initialization fails we can close the SSL listeners */
i_assert(service->listeners != NULL || service->socket_count == 0);
set = master_service_ssl_settings_get(service);
server_set = master_service_ssl_server_settings_get(service);
if (strcmp(set->ssl, "no") == 0) {
/* SSL disabled, don't use it */
return;
}
i_zero(&ssl_set);
ssl_set.min_protocol = set->ssl_min_protocol;
ssl_set.cipher_list = set->ssl_cipher_list;
ssl_set.curve_list = set->ssl_curve_list;
ssl_set.ca = set->ssl_ca;
ssl_set.cert.cert = server_set->ssl_cert;
ssl_set.cert.key = server_set->ssl_key;
ssl_set.dh = server_set->ssl_dh;
ssl_set.cert.key_password = server_set->ssl_key_password;
ssl_set.cert_username_field = set->ssl_cert_username_field;
if (server_set->ssl_alt_cert != NULL &&
*server_set->ssl_alt_cert != '\0') {
ssl_set.alt_cert.cert = server_set->ssl_alt_cert;
ssl_set.alt_cert.key = server_set->ssl_alt_key;
ssl_set.alt_cert.key_password = server_set->ssl_key_password;
}
ssl_set.crypto_device = set->ssl_crypto_device;
ssl_set.skip_crl_check = !set->ssl_require_crl;
ssl_set.verbose = set->verbose_ssl;
ssl_set.verify_remote_cert = set->ssl_verify_client_cert;
ssl_set.prefer_server_ciphers = set->ssl_prefer_server_ciphers;
ssl_set.compression = set->parsed_opts.compression;
if (ssl_iostream_context_init_server(&ssl_set, &service->ssl_ctx,
&error) < 0) {
i_error("SSL context initialization failed, disabling SSL: %s",
error);
master_service_ssl_io_listeners_remove(service);
return;
}
}
void master_service_ssl_ctx_deinit(struct master_service *service)
{
if (service->ssl_ctx != NULL)
ssl_iostream_context_unref(&service->ssl_ctx);
service->ssl_ctx_initialized = FALSE;
}
|
