author | Sergey Poznyakoff <gray@gnu.org.ua> | 2011-11-04 21:30:38 +0200 |
---|---|---|
committer | Sergey Poznyakoff <gray@gnu.org.ua> | 2011-11-04 21:44:56 +0200 |
commit | e1233d5516f48cd7d786a69d4eebd40e73d95d45 (patch) | |
tree | 38692d813e645ac60bfababee4c5f7ec7f8cede9 /libmu_auth | |
parent | bad3c6c3a982f65af0fe137d1e5b7a98d13bb9d5 (diff) | |
Implement pop3s and imap4s in respective servers.
* comsat/comsat.c (comsat_prefork,comsat_connection): Change signatures.
* imap4d/imap4d.c: Implement imaps.
* imap4d/imap4d.h (io_setio): Change signature.
(tls_encryption_on): New proto.
* imap4d/io.c (io_setio): Change signature. Initialize TLS stream if
requested.
* imap4d/starttls.c (tls_encryption_on): New function.
* include/mailutils/server.h (mu_srv_config): New struct.
(mu_m_server_conn_fp, mu_m_server_prefork_fp): Remove typedefs.
(mu_m_server_handler_fp): New typedef.
(mu_m_server_set_conn): Change signature.
(mu_m_server_set_prefork): Change signature.
(mu_m_server_set_app_data_size)
(mu_m_server_set_config_size): New prototype.
(mu_m_server_cfg_init): Change signature.
* include/mailutils/tls.h (mu_init_tls_libs): Change signature.
* lib/tcpwrap.c: Include tcpwrap.h
(mu_tcp_wrapper_daemon): Fix declaration.
(mu_tcp_wrapper_prefork): Change signature.
* lib/tcpwrap.h (mu_tcp_wrapper_prefork): Change signature
* libmailutils/server/msrv.c (_mu_m_server) <conn,prefork>: Change
data type. All uses updated.
<app_data_size>: New member.
(m_srv_config): Remove struct. Replaced with mu_srv_config from server.h
(mu_m_server_set_conn): Change signature.
(mu_m_server_set_prefork): Change signature.
(mu_m_server_set_app_data_size)
(mu_m_server_set_config_size): New functions.
(add_server): Allocate app_data_size additional bytes of data.
(mu_m_server_cfg_init): Take one argument.
* libmu_auth/tls.c (mu_tls_module_init): Update call to mu_init_tls_libs.
Don't call mu_file_safety_check with NULL argument.
(mu_init_tls_libs): Rewrite. Prepare x509 here, instead of
doing it each time a TLS stream is created.
(mu_deinit_tls_libs): Free x509, if exists.
(_tls_server_open): Update call to mu_init_tls_libs.
Remove x509 initialization.
* libmu_cfg/tls.c (cb2_safety_checks): Fix typos.
* maidag/lmtp.c (lmtp_connection): Change signature.
* maidag/maidag.c (main): Update call to mu_m_server_cfg_init.
* maidag/maidag.h (lmtp_connection): Change signature.
* pop3d/extra.c (pop3d_setio): Initialize TLS stream, if requested.
* pop3d/pop3d.c: Implement pops.
* pop3d/pop3d.h (pop3d_setio): Change prototype.
Diffstat (limited to 'libmu_auth')
-rw-r--r-- | libmu_auth/tls.c | 93 |
1 files changed, 50 insertions, 43 deletions
diff --git a/libmu_auth/tls.c b/libmu_auth/tls.c
index 054fb921a..ef8df9302 100644
--- a/libmu_auth/tls.c
+++ b/libmu_auth/tls.c
@@ -55,7 +55,7 @@ mu_tls_module_init (enum mu_gocs_op op, void *data)
     case mu_gocs_op_flush:
 #ifdef WITH_TLS
-      mu_init_tls_libs ();
+      mu_init_tls_libs (0);
 #endif
       break;
     }
@@ -99,14 +99,17 @@ mu_check_tls_environment (void)
           return 0;
         }
-      rc = mu_file_safety_check (mu_tls_module_config.ssl_cafile,
-                                 mu_tls_module_config.ssl_cafile_safety_checks,
-                                 -1, NULL);
-      if (rc)
+      if (mu_tls_module_config.ssl_cafile)
         {
-          mu_error ("%s: %s", mu_tls_module_config.ssl_cafile,
-                    mu_strerror (rc));
-          return 0;
+          rc = mu_file_safety_check (mu_tls_module_config.ssl_cafile,
+                                     mu_tls_module_config.ssl_cafile_safety_checks,
+                                     -1, NULL);
+          if (rc)
+            {
+              mu_error ("%s: %s", mu_tls_module_config.ssl_cafile,
+                        mu_strerror (rc));
+              return 0;
+            }
         }
     }
   else
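Review bot: The new `if (mu_tls_module_config.ssl_cafile)` guard in mu_check_tls_environment silently turns the CA-file safety check into an optional one, and nothing in the hunk says why a missing CA file is acceptable while the check is still fatal when the file exists; a one-line comment would stop a later reader from "fixing" it back. I would add above the guard: `/* The CA file is optional; only run the safety check on it when one is configured. */`. Whether the certificate and key paths are still validated unconditionally is decided above this hunk, so I have not verified that part. mu_check_tls_environment begins before the hunk and continues after it.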
@@ -126,10 +129,40 @@ _mu_gtls_logger(int level, const char *text)
 #endif
 int
-mu_init_tls_libs (void)
+mu_init_tls_libs (int x509_setup)
 {
   if (!mu_tls_enable)
-    mu_tls_enable = !gnutls_global_init (); /* Returns 1 on success */
+    {
+      int rc;
+      if ((rc = gnutls_global_init ()) == GNUTLS_E_SUCCESS)
+        mu_tls_enable = 1;
+      else
+        {
+          mu_error ("gnutls_global_init: %s", gnutls_strerror (rc));
+          return 0;
+        }
+    }
+
+  if (x509_setup && !x509_cred)
+    {
+      mu_diag_output (MU_DIAG_INFO, _("initializing X509..."));
+      gnutls_certificate_allocate_credentials (&x509_cred);
+      if (mu_tls_module_config.ssl_cafile)
+        gnutls_certificate_set_x509_trust_file (x509_cred,
+                                                mu_tls_module_config.ssl_cafile,
+                                                GNUTLS_X509_FMT_PEM);
+
+      gnutls_certificate_set_x509_key_file (x509_cred,
+                                            mu_tls_module_config.ssl_cert,
+                                            mu_tls_module_config.ssl_key,
+                                            GNUTLS_X509_FMT_PEM);
+
+      gnutls_dh_params_init (&dh_params);
+      gnutls_dh_params_generate2 (dh_params, DH_BITS);
+      gnutls_certificate_set_dh_params (x509_cred, dh_params);
+      mu_diag_output (MU_DIAG_INFO, _("finished initializing X509"));
+    }
+
 #ifdef DEBUG_TLS
   gnutls_global_set_log_function (_mu_gtls_logger);
   gnutls_global_set_log_level (110);
@@ -141,17 +174,14 @@
 void
 mu_deinit_tls_libs (void)
 {
   if (mu_tls_enable)
-    gnutls_global_deinit ();
+    {
+      if (x509_cred)
+        gnutls_certificate_free_credentials (x509_cred);
+      gnutls_global_deinit ();
+    }
   mu_tls_enable = 0;
 }
 
-static void
-generate_dh_params (void)
-{
-  gnutls_dh_params_init (&dh_params);
-  gnutls_dh_params_generate2 (dh_params, DH_BITS);
-}
-
 static gnutls_session
 initialize_tls_session (void)
 {
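Review bot: The X.509 block in mu_init_tls_libs discards the return values of gnutls_certificate_allocate_credentials, gnutls_certificate_set_x509_trust_file, gnutls_certificate_set_x509_key_file and gnutls_dh_params_generate2, whereas the server-open code this replaces (removed in the _tls_server_open hunk) failed the stream with EIO when the key file could not be loaded. With a bad certificate or key path the server now gets an x509_cred that carries no key, and because the guard is `!x509_cred` the broken credentials are never rebuilt, so every later TLS handshake fails with a much less informative error. Each call should be checked and, on failure, the half-built credentials freed and x509_cred reset to NULL so the next call retries; the sketch below does that for the allocation and the key file, and the same `rc < 0` treatment belongs on the trust-file and DH calls. The end of mu_init_tls_libs, including its success return, is outside the hunk.
```c
  if (x509_setup && !x509_cred)
    {
      int rc;

      mu_diag_output (MU_DIAG_INFO, _("initializing X509..."));
      rc = gnutls_certificate_allocate_credentials (&x509_cred);
      if (rc != GNUTLS_E_SUCCESS)
        {
          mu_error ("gnutls_certificate_allocate_credentials: %s",
                    gnutls_strerror (rc));
          x509_cred = NULL;
          return 0;
        }
      /* … unchanged: optional trust-file load (check its result the same way) … */
      rc = gnutls_certificate_set_x509_key_file (x509_cred,
                                                 mu_tls_module_config.ssl_cert,
                                                 mu_tls_module_config.ssl_key,
                                                 GNUTLS_X509_FMT_PEM);
      if (rc < 0)
        {
          mu_error ("gnutls_certificate_set_x509_key_file: %s",
                    gnutls_strerror (rc));
          gnutls_certificate_free_credentials (x509_cred);
          x509_cred = NULL;
          return 0;
        }
      /* … unchanged: DH parameter generation and "finished" diagnostic … */
    }
```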
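Review bot: mu_deinit_tls_libs frees x509_cred but leaves the pointer set, so after a deinit/init cycle the `!x509_cred` guard in mu_init_tls_libs skips the rebuild and the server hands freed credentials to new sessions. The free should be followed by a reset: `if (x509_cred) gnutls_certificate_free_credentials (x509_cred);` then `x509_cred = NULL;`. The DH parameters initialised alongside the credentials are also never released; a guarded `gnutls_dh_params_deinit (dh_params);` with `dh_params = NULL;` in the same branch would pair with the initialisation, assuming dh_params is a file-scope pointer that starts out NULL, which I cannot confirm from this hunk.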
@@ -382,28 +412,8 @@ _tls_server_open (mu_stream_t stream)
   if (!stream || sp->state != state_init)
     return EINVAL;
-  mu_init_tls_libs ();
+  mu_init_tls_libs (1);
-  gnutls_certificate_allocate_credentials (&x509_cred);
-
-  if (mu_tls_module_config.ssl_cafile)
-    gnutls_certificate_set_x509_trust_file (x509_cred,
-                                            mu_tls_module_config.ssl_cafile,
-                                            GNUTLS_X509_FMT_PEM);
-
-  rc = gnutls_certificate_set_x509_key_file (x509_cred,
-                                             mu_tls_module_config.ssl_cert,
-                                             mu_tls_module_config.ssl_key,
-                                             GNUTLS_X509_FMT_PEM);
-  if (rc < 0)
-    {
-      sp->tls_err = rc;
-      return EIO;
-    }
-
-  generate_dh_params ();
-  gnutls_certificate_set_dh_params (x509_cred, dh_params);
-
   sp->session = initialize_tls_session ();
   mu_stream_ioctl (stream, MU_IOCTL_TRANSPORT, MU_IOCTL_OP_GET, transport);
   gnutls_transport_set_ptr2 (sp->session,
@@ -478,13 +488,12 @@ _tls_client_open (mu_stream_t stream)
   switch (sp->state)
     {
     case state_closed:
-      gnutls_certificate_free_credentials (x509_cred);
       if (sp->session)
         gnutls_deinit (sp->session);
       /* FALLTHROUGH */
     case state_init:
-      mu_init_tls_libs ();
+      mu_init_tls_libs (0);
       prepare_client_session (stream);
       rc = gnutls_handshake (sp->session);
       if (rc < 0)
@@ -630,8 +639,6 @@ _tls_done (struct _mu_stream *stream)
 {
   struct _mu_tls_stream *sp = (struct _mu_tls_stream *) stream;
-  if (x509_cred)
-    gnutls_certificate_free_credentials (x509_cred);
   if (sp->session && sp->state == state_closed)
     {
       gnutls_deinit (sp->session);
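Review bot: _tls_server_open now calls `mu_init_tls_libs (1)` and ignores its result, while the removed lines were the only place a credential-loading failure turned into an EIO for the stream; since mu_init_tls_libs returns 0 when gnutls_global_init fails (visible in the other hunk), a failed initialisation falls straight through to initialize_tls_session with x509_cred still NULL. I would replace the bare call with `if (!mu_init_tls_libs (1) || !x509_cred) return EIO;`, which assumes mu_init_tls_libs returns non-zero on success — its success return is outside the hunk and should be confirmed. That initialize_tls_session attaches x509_cred to the new session is likewise inferred from the removed code, not visible here. The rest of _tls_server_open, including the handshake, lies beyond the hunk.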