author | Sergey Poznyakoff <gray@gnu.org> | 2017-03-18 10:07:30 +0200 |
---|---|---|
committer | Sergey Poznyakoff <gray@gnu.org> | 2017-03-18 14:44:55 +0200 |
commit | afda9ba46c7eb2c061f3907dc7e80ae1ba38157b (patch) | |
tree | 84da1baef0e14dc0e70419913d4e1a5d84e9e16e /pop3d | |
parent | 0c8e598549a7cb99b9665f37814b006765344c43 (diff) | |
download | mailutils-afda9ba46c7eb2c061f3907dc7e80ae1ba38157b.tar.gz mailutils-afda9ba46c7eb2c061f3907dc7e80ae1ba38157b.tar.bz2 |
Rewrite TLS support
The new implementation allows for per-server certificates.
* libmu_auth/Makefile.am: Build tls support depending on the value of
MU_COND_GNUTLS.
* libmu_auth/notls.c: New file.
* libmu_auth/tls.c: Rewrite.
* libmu_auth/tlsiostr.c: New file.
* libmu_auth/tlsvar.c: New file.
* libmu_auth/tlsconf.c: New file.
* include/mailutils/sys/tls-stream.h (_mu_tls_stream): New members:
session_type, conf, cred.
(mu_tls_io_stream_create): New proto.
* include/mailutils/tls.h (mu_tls_module_config): Remove definition.
(mu_tls_config): New structure.
(mu_tls_server_stream_create): Remove proto.
(mu_tls_cert_file_checks)
(mu_tls_key_file_checks)
(mu_tls_ca_file_checks): New globals
(MU_TLS_CERT_FILE_CHECKS)
(MU_TLS_KEY_FILE_CHECKS)
(MU_TLS_CA_FILE_CHECKS): New defines.
(mu_tls_stream_create): New proto.
(mu_tls_config_status): New constants.
(mu_tls_check_config): Remove.
(mu_tls_config_check): New function.
* include/mailutils/server.h (mu_m_server_preflight_fp): New typedef.
(mu_m_server_set_preflight): New proto.
* libmailutils/diag/debcat (tls): New category.
* libmailutils/server/ipsrv.c (mu_ip_server_get_data): New function.
* libmailutils/server/msrv.c (_mu_m_server) <preflight>: New method.
(mu_m_server_set_preflight): New function.
(mu_m_server_destroy): Destroy the srvlist.
(open_connection): New function.
(mu_m_server_run): Remove from srvlist only those servers that failed
to open. Run preflight check, if registered.
* include/mailutils/cfg.h (mu_cfg_section): New member: data.
* libmailutils/cfg/driver.c (dup_container): Copy the "data" pointer.
(mu_cfg_section_add_params): Preserve original pointer and offset when
necessary.
* libmailutils/cfg/parser.y (_scan_tree_helper): Use the section data
pointer (if set) as data target.
* configure.ac (MU_COND_GNUTLS): New conditional.
* imap4d/commands.c: Remove #ifdef WITH_TLS preprocessor conditional.
* imap4d/imap4d.c (tls_mode): Remove variable.
(imap4d_srv_config): Move definition to the header file.
Remove #ifdef WITH_TLS preprocessor conditionals.
Rename the tls configuration statement to tls-mode.
Add new subsection .server.tls;
Remove the legacy tls-required configuration statement.
(imap4d_mainloop): Change signature: take a pointer to the
struct imap4d_srv_config as the 3rd argument,
Use the cfg->tls_mode member to decide on TLS state.
(main): Call mu_tls_cfg_init.
Install server preflight checker.
* imap4d/imap4d.h: Remove #ifdef WITH_TLS preprocessor conditionals.
(imap4d_srv_config): Moved from imap4d.c
New member: tls_conf
(imap4d_session): New member: tls_conf
(global_tls_conf): New global.
(io_setio, imap4d_init_tls_server): Change prototypes.
* imap4d/io.c (io_setio): Change signature: take a pointer to the
struct mu_tls_config as the 3rd argument.
Rewrite TLS support.
(imap4d_init_tls_server): Take a pointer to the
struct mu_tls_config.
* imap4d/starttls.c (tls_available, tls_done): Remove globals.
(global_tls_conf): New global.
(imap4d_starttls): Keep TLS state in the session.
(tls_encryption_on): Likewise.
(starttls_init): Rewrite as a mserver preflight check function.
* pop3d/capa.c: Remove #ifdef WITH_TLS preprocessor conditional.
(capa_stls): Rewrite.
* pop3d/cmd.c (global_tls_conf): New global.
(stls_preflight): New function.
(pop3d_error_string): Rewrite using char ** array.
* pop3d/extra.c (pop3d_setio): Take a pointer to struct mu_tls_config
as the 3rd argument. Decide on TLS using it.
(pop3d_init_tls_server): Take a pointer to struct mu_tls_config.
* pop3d/pop3d.c: Rename the tls configuration statement to tls-mode.
Add new subsection .server.tls;
Remove the legacy tls-required configuration statement.
(pop3d_mainloop) Take a pointer to struct mu_tls_config
as the 3rd argument. Decide on TLS using it.
(main): Call mu_tls_cfg_init. Install server preflight check.
* pop3d/pop3d.h (pop3d_session): New member tls_conf.
(pop3d_srv_config): New definition.
(global_tls_conf): New extern.
* pop3d/stls.c: Rewrite TLS support.
* NEWS: Document new features.
* configure.ac: Version 3.2.90.
* doc/texinfo/programs.texi: Update.
Diffstat (limited to 'pop3d')
-rw-r--r-- | pop3d/capa.c | 17 | ||||
-rw-r--r-- | pop3d/cmd.c | 173 | ||||
-rw-r--r-- | pop3d/extra.c | 24 | ||||
-rw-r--r-- | pop3d/pop3d.c | 96 | ||||
-rw-r--r-- | pop3d/pop3d.h | 80 | ||||
-rw-r--r-- | pop3d/stls.c | 14 |
6 files changed, 209 insertions, 195 deletions
diff --git a/pop3d/capa.c b/pop3d/capa.c
index bdba7d4ed..0011750d6 100644
--- a/pop3d/capa.c
+++ b/pop3d/capa.c
@@ -104,17 +104,20 @@ capa_implementation (const char *name, struct pop3d_session *session)
 pop3d_outf ("%s %s\n", name, PACKAGE_STRING);
 }
 
-#ifdef WITH_TLS
 static void
 capa_stls (const char *name, struct pop3d_session *session)
 {
- if ((session->tls == tls_ondemand || session->tls == tls_required)
- && tls_available && tls_done == 0)
- pop3d_outf ("%s\n", name);
+ switch (session->tls_mode)
+ {
+ case tls_ondemand:
+ case tls_required:
+ pop3d_outf ("%s\n", name);
+ break;
+
+ default:
+ break;
+ }
 }
-#else
-# define capa_stls NULL
-#endif /* WITH_TLS */
 
 static void
 capa_user (const char *name, struct pop3d_session *session)
diff --git a/pop3d/cmd.c b/pop3d/cmd.c
index 16ceeb8ed..5983e0bb7 100644
--- a/pop3d/cmd.c
+++ b/pop3d/cmd.c
@@ -16,13 +16,12 @@
 
 #include "pop3d.h"
 
+struct mu_tls_config global_tls_conf;
+
 static struct pop3d_command command_table[] = {
-#ifdef WITH_TLS
 { "STLS", pop3d_stls },
-# define COMMAND_TABLE_HEAD 1
-#else
-# define COMMAND_TABLE_HEAD 0
-#endif
+#define COMMAND_TABLE_STLS 0
+#define COMMAND_TABLE_PLAIN 1
 { "RETR", pop3d_retr },
 { "DELE", pop3d_dele },
 { "USER", pop3d_user },
@@ -39,8 +38,7 @@ static struct pop3d_command command_table[] = {
 { NULL }
 };
 
-static struct pop3d_command *command_table_head =
- command_table + COMMAND_TABLE_HEAD;
+static struct pop3d_command *command_table_head;
 
 pop3d_command_handler_t
 pop3d_find_command (const char *name)
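Review bot: `static struct pop3d_command *command_table_head;` in the second cmd.c hunk is now zero-initialised and is only assigned inside stls_preflight, so any path that reaches pop3d_find_command before the preflight has run starts its table scan at a null pointer; the inetd branch of main in pop3d.c (the hunk that adds `struct pop3d_srv_config cfg;`) calls pop3d_mainloop directly and, as far as that hunk shows, never invokes the preflight. The removed initialiser always pointed at the table, so the old code had no such window. A safe default keeps the plain table until the preflight decides otherwise: `static struct pop3d_command *command_table_head = command_table + COMMAND_TABLE_PLAIN;`. The body of pop3d_find_command continues outside the hunk.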
@@ -54,57 +52,130 @@ pop3d_find_command (const char *name)
 return p->handler;
 }
 
-#ifdef WITH_TLS
-void
-enable_stls ()
+int
+stls_preflight (mu_m_server_t msrv)
 {
- command_table_head = command_table;
-}
-#endif
+ mu_list_t srvlist;
+ mu_iterator_t itr;
+ int errors = 0;
+ int tls_ok = mu_init_tls_libs ();
+ int tls_requested = 0;
+ int global_conf_status = 0;
 
-struct error_table
-{
- int code;
- const char *text;
-};
+ if (global_tls_conf.cert_file)
+ global_conf_status = mu_tls_config_check (&global_tls_conf, 1);
+ else
+ global_conf_status = MU_TLS_CONFIG_NULL;
+
+ mu_m_server_get_srvlist (msrv, &srvlist);
+ mu_list_get_iterator (srvlist, &itr);
+ for (mu_iterator_first (itr); !mu_iterator_is_done (itr); mu_iterator_next (itr))
+ {
+ mu_ip_server_t ipsrv;
+ struct pop3d_srv_config *cfg;
+ mu_iterator_current (itr, (void**) &ipsrv);
+ cfg = mu_ip_server_get_data (ipsrv);
+ switch (cfg->tls_mode)
+ {
+ case tls_unspecified:
+ if (cfg->tls_conf.cert_file)
+ {
+ cfg->tls_mode = tls_ondemand;
+ break;
+ }
+ else
+ cfg->tls_mode = tls_no;
+ /* fall through */
+ case tls_no:
+ continue;
+
+ default:
+ break;
+ }
+
+ switch (mu_tls_config_check (&cfg->tls_conf, 1))
+ {
+ case MU_TLS_CONFIG_OK:
+ if (!cfg->tls_conf.cert_file)
+ {
+ mu_error (_("server %s: no certificate set"),
+ mu_ip_server_addrstr (ipsrv));
+ errors = 1;
+ }
+ break;
+
+ case MU_TLS_CONFIG_NULL:
+ if (global_conf_status != MU_TLS_CONFIG_NULL)
+ {
+ cfg->tls_conf = global_tls_conf;
+ }
+ else
+ {
+ mu_error (_("server %s: no certificate set"),
+ mu_ip_server_addrstr (ipsrv));
+ errors = 1;
+ }
+ break;
+
+ default:
+ mu_error (_("server %s: TLS configuration failed"),
+ mu_ip_server_addrstr (ipsrv));
+ errors = 1;
+ }
+
+ tls_requested = 1;
+ }
+ mu_iterator_destroy (&itr);
+
+ if (tls_requested && !tls_ok)
+ {
+ mu_error (_("TLS is not configured, but requested in the "
+ "configuration"));
+ errors = 1;
+ }
+
+ if (errors)
+ return 1;
+
+ if (tls_requested)
+ command_table_head = command_table + COMMAND_TABLE_STLS;
+ else
+ command_table_head = command_table + COMMAND_TABLE_PLAIN;
+
+ return 0;
+}
 
-static struct error_table error_table[] = {
- { ERR_WRONG_STATE, "Incorrect state" },
- { ERR_BAD_ARGS, "Invalid arguments" },
- { ERR_BAD_LOGIN, "[AUTH] Bad login" },
- { ERR_NO_MESG, "No such message" },
- { ERR_MESG_DELE, "Message has been deleted" },
- { ERR_NOT_IMPL, "Not implemented" },
- { ERR_BAD_CMD, "Invalid command" },
- { ERR_MBOX_LOCK, "[IN-USE] Mailbox in use" },
- { ERR_TOO_LONG, "Argument too long" },
- { ERR_NO_MEM, "Out of memory, quitting" },
- { ERR_SIGNAL, "Quitting on signal" },
- { ERR_FILE, "Some deleted messages not removed" },
- { ERR_NO_IFILE, "No input stream" },
- { ERR_NO_OFILE, "No output stream" },
- { ERR_IO, "I/O error" },
- { ERR_PROTO, "Remote protocol error" },
- { ERR_TIMEOUT, "Session timed out" },
- { ERR_UNKNOWN, "Unknown error" },
- { ERR_MBOX_SYNC, "Mailbox was updated by other process" },
-#ifdef WITH_TLS
- { ERR_TLS_ACTIVE, "Command not permitted when TLS active" },
-#endif /* WITH_TLS */
- { ERR_TLS_IO, "TLS I/O error" },
- { ERR_LOGIN_DELAY,
- "[LOGIN-DELAY] Attempt to log in within the minimum login delay interval" },
- { ERR_TERMINATE, "Terminating on request" },
- { ERR_SYS_LOGIN, "[SYS/PERM] Cannot authenticate" },
- { 0 }
+static char *error_table[] = {
+ [ERR_WRONG_STATE] = "Incorrect state",
+ [ERR_BAD_ARGS] = "Invalid arguments",
+ [ERR_BAD_LOGIN] = "[AUTH] Bad login",
+ [ERR_NO_MESG] = "No such message",
+ [ERR_MESG_DELE] = "Message has been deleted",
+ [ERR_NOT_IMPL] = "Not implemented",
+ [ERR_BAD_CMD] = "Invalid command",
+ [ERR_MBOX_LOCK] = "[IN-USE] Mailbox in use",
+ [ERR_TOO_LONG] = "Argument too long",
+ [ERR_NO_MEM] = "Out of memory] =quitting",
+ [ERR_SIGNAL] = "Quitting on signal",
+ [ERR_FILE] = "Some deleted messages not removed",
+ [ERR_NO_IFILE] = "No input stream",
+ [ERR_NO_OFILE] = "No output stream",
+ [ERR_IO] = "I/O error",
+ [ERR_PROTO] = "Remote protocol error",
+ [ERR_TIMEOUT] = "Session timed out",
+ [ERR_UNKNOWN] = "Unknown error",
+ [ERR_MBOX_SYNC] = "Mailbox was updated by other process",
+ [ERR_TLS_IO] = "TLS I/O error",
+ [ERR_LOGIN_DELAY] =
+ "[LOGIN-DELAY] Attempt to log in within the minimum login delay interval",
+ [ERR_TERMINATE] = "Terminating on request",
+ [ERR_SYS_LOGIN] = "[SYS/PERM] Cannot authenticate",
 };
 
 const char *
 pop3d_error_string (int code)
 {
- struct error_table *ep;
- for (ep = error_table; ep->code != 0; ep++)
- if (ep->code == code)
- return ep->text;
+ if (code >= 0 && code < MU_ARRAY_SIZE (error_table) && error_table[code])
+ return error_table[code];
 return "unknown error";
 }
diff --git a/pop3d/extra.c b/pop3d/extra.c
index a6fdfcd33..3dc08efea 100644
--- a/pop3d/extra.c
+++ b/pop3d/extra.c
@@ -158,7 +158,7 @@ log_cipher (mu_stream_t stream)
 }
 
 void
-pop3d_setio (int ifd, int ofd, int tls)
+pop3d_setio (int ifd, int ofd, struct mu_tls_config *tls_conf)
 {
 mu_stream_t str, istream, ostream;
 
@@ -175,10 +175,12 @@ pop3d_setio (int ifd, int ofd, int tls)
 pop3d_abquit (ERR_NO_OFILE);
 
 /* Combine the two streams into an I/O one. */
-#ifdef WITH_TLS
- if (tls)
+ if (tls_conf)
 {
- int rc = mu_tls_server_stream_create (&str, istream, ostream, 0);
+ int rc = mu_tls_stream_create (&str, istream, ostream,
+ tls_conf,
+ MU_TLS_SERVER,
+ 0);
 if (rc)
 {
 mu_stream_unref (istream);
@@ -186,12 +188,9 @@ pop3d_setio (int ifd, int ofd, int tls)
 mu_error (_("failed to create TLS stream: %s"), mu_strerror (rc));
 pop3d_abquit (ERR_FILE);
 }
- tls_done = 1;
 log_cipher (str);
 }
- else
-#endif
- if (mu_iostream_create (&str, istream, ostream))
+ else if (mu_iostream_create (&str, istream, ostream))
 pop3d_abquit (ERR_FILE);
 
 /* Convert all writes to CRLF form.
@@ -228,9 +227,8 @@ pop3d_setio (int ifd, int ofd, int tls)
 }
 }
 
-#ifdef WITH_TLS
 int
-pop3d_init_tls_server ()
+pop3d_init_tls_server (struct mu_tls_config *tls_conf)
 {
 mu_stream_t tlsstream, stream[2];
 int rc;
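Review bot: In stls_preflight a server left at tls_unspecified is switched to tls_no unless it carries its own cert_file, so a global `tls` section on its own no longer enables STLS on any server; the pop3d_mainloop code removed in pop3d.c defaulted tls_unspecified to tls_ondemand whenever TLS was available globally, and the fallback to global_tls_conf below is only reached for servers that set tls-mode explicitly. Consider `if (cfg->tls_conf.cert_file || global_tls_conf.cert_file)` in the tls_unspecified case so the global section keeps its old effect. global_conf_status is also only ever compared with MU_TLS_CONFIG_NULL, so a failing mu_tls_config_check on the global section is never reported and that broken configuration is still copied into each server; a status that is neither OK nor NULL should set errors and be reported once before the loop. Separately, the ERR_NO_MEM entry of the new error_table reads `"Out of memory] =quitting"`, the `, ` having been clobbered by the search-and-replace; it should be `[ERR_NO_MEM] = "Out of memory, quitting",`.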
@@ -243,7 +241,10 @@ pop3d_init_tls_server ()
 return 1;
 }
 
- rc = mu_tls_server_stream_create (&tlsstream, stream[0], stream[1], 0);
+ rc = mu_tls_stream_create (&tlsstream, stream[0], stream[1],
+ tls_conf,
+ MU_TLS_SERVER,
+ 0);
 mu_stream_unref (stream[0]);
 mu_stream_unref (stream[1]);
 if (rc)
@@ -263,7 +264,6 @@ pop3d_init_tls_server ()
 }
 return 0;
 }
-#endif
 
 void
 pop3d_bye ()
diff --git a/pop3d/pop3d.c b/pop3d/pop3d.c
index 78eb51eaf..133024520 100644
--- a/pop3d/pop3d.c
+++ b/pop3d/pop3d.c
@@ -37,15 +37,6 @@ int apop_database_safety = MU_FILE_SAFETY_ALL;
 uid_t apop_database_owner;
 int apop_database_owner_set;
 
-enum tls_mode tls_mode;
-
-#ifdef WITH_TLS
-int tls_available;
-int tls_done;
-#else
-# define tls_available 0
-#endif /* WITH_TLS */
-
 int initial_state = AUTHORIZATION;
 
 /* Should all the messages be undeleted on startup */
@@ -169,13 +160,6 @@ cb_bulletin_db (void *data, mu_config_value_t *val)
 }
 #endif
 
-struct pop3d_srv_config
-{
- struct mu_srv_config m_cfg;
- enum tls_mode tls_mode;
-};
-
-#ifdef WITH_TLS
 static int
 cb_tls (void *data, mu_config_value_t *val)
 {
@@ -205,39 +189,14 @@ cb_tls (void *data, mu_config_value_t *val)
 return 0;
 }
 
-static int
-cb_tls_required (void *data, mu_config_value_t *val)
-{
- int bv;
-
- if (mu_cfg_assert_value_type (val, MU_CFG_STRING))
- return 1;
- if (mu_str_to_c (val->v.string, mu_c_bool, &bv, NULL))
- mu_error (_("Not a boolean value"));
- else if (bv)
- {
- tls_mode = tls_required;
- mu_diag_output (MU_DIAG_WARNING,
- "the \"tls-required\" statement is deprecated, "
- "use \"tls required\" instead");
- }
- else
- mu_diag_output (MU_DIAG_WARNING,
- "the \"tls-required\" statement is deprecated, "
- "use \"tls\" instead");
-
- return 0;
-}
-#endif
-
 static struct mu_cfg_param pop3d_srv_param[] = {
-#ifdef WITH_TLS
- { "tls", mu_cfg_callback,
+ { "tls-mode", mu_cfg_callback,
 NULL, mu_offsetof (struct pop3d_srv_config, tls_mode), cb_tls,
 N_("Kind of TLS encryption to use for this server"),
 /* TRANSLATORS: words to the right of : are keywords - do not translate */
 N_("arg: false|true|ondemand|stls|requred|connection") },
-#endif
+ { "tls", mu_cfg_section,
+ NULL, mu_offsetof (struct pop3d_srv_config, tls_conf) },
 { NULL }
 };
 
@@ -272,16 +231,8 @@ static struct mu_cfg_param pop3d_cfg_param[] = {
 " awrdir forbid files in world writable directories\n"),
 N_("arg: list") },
 
-#ifdef WITH_TLS
- { "tls", mu_cfg_callback, &tls_mode, 0, cb_tls,
- N_("Kind of TLS encryption to use"),
- /* TRANSLATORS: words to the right of : are keywords - do not translate */
- N_("arg: false|true|ondemand|stls|requred|connection") },
- { "tls-required", mu_cfg_callback, &tls_mode, 0, cb_tls_required,
- N_("Always require STLS before entering authentication phase.\n"
- "Deprecated, use \"tls required\" instead."),
- N_("arg: bool") },
-#endif
+ { "tls", mu_cfg_section, &global_tls_conf },
+
 #ifdef ENABLE_LOGIN_DELAY
 { "login-delay", mu_c_time, &login_delay, 0, NULL,
 N_("Set the minimal allowed delay between two successive logins.") },
@@ -355,7 +306,7 @@ pop3d_get_client_address (int fd, struct sockaddr_in *pcs)
 ofd -- output descriptor
 tls -- initiate encrypted connection */
 int
-pop3d_mainloop (int ifd, int ofd, enum tls_mode tls)
+pop3d_mainloop (int ifd, int ofd, struct pop3d_srv_config *cfg)
 {
 int status = OK;
 char buffer[512];
@@ -365,24 +316,18 @@ pop3d_mainloop (int ifd, int ofd, enum tls_mode tls)
 
 mu_set_signals (pop3d_child_signal, sigtab, MU_ARRAY_SIZE (sigtab));
 
- if (tls == tls_unspecified)
- tls = tls_available ? tls_ondemand : tls_no;
- else if (tls != tls_no && !tls_available)
- {
- mu_error (_("TLS is not configured, but requested in the "
- "configuration"));
- tls = tls_no;
- }
-
- pop3d_setio (ifd, ofd, tls == tls_connection);
+ pop3d_setio (ifd, ofd,
+ cfg->tls_mode == tls_connection ? &cfg->tls_conf : NULL);
 
- if (tls == tls_required)
+ if (cfg->tls_mode == tls_required)
 initial_state = INITIAL;
 
- state = tls == tls_connection ? AUTHORIZATION : initial_state;
+ state = cfg->tls_mode == tls_connection ? AUTHORIZATION : initial_state;
 
 pop3d_session_init (&session);
- session.tls = tls;
+ session.tls_mode = cfg->tls_mode;
+ session.tls_conf = &cfg->tls_conf;
+
 /* FIXME: state should also be in the session? */
 
 /* Prepare the shared secret for APOP. */
@@ -528,8 +473,7 @@ pop3d_connection (int fd, struct sockaddr *sa, int salen,
 else
 rc = 1;
 
- pop3d_mainloop (fd, fd,
- cfg->tls_mode == tls_unspecified ? tls_mode : cfg->tls_mode);
+ pop3d_mainloop (fd, fd, cfg);
 
 if (rc == 0)
 clr_strerr_flt ();
@@ -569,6 +513,7 @@ main (int argc, char **argv)
 mu_tcpwrapper_cfg_init ();
 manlock_cfg_init ();
 mu_acl_cfg_init ();
+ mu_tls_cfg_init ();
 
 mu_m_server_create (&server, program_version);
 mu_m_server_set_config_size (server, sizeof (struct pop3d_srv_config));
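Review bot: The header comment above pop3d_mainloop still documents the third parameter as `tls -- initiate encrypted connection`, but the first pop3d.c hunk on this line changes it to `struct pop3d_srv_config *cfg`, whose tls_mode and tls_conf members are what the body now reads (the following hunk passes `&cfg->tls_conf` only when tls_mode is tls_connection). Replace that comment line with `cfg -- per-server configuration: tls_mode says whether and when to encrypt, tls_conf holds the TLS material to use` so the contract matches the signature. The comment block begins outside the hunk.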
@@ -645,11 +590,7 @@ main (int argc, char **argv)
 umask (S_IROTH | S_IWOTH | S_IXOTH); /* 007 */
 
 /* Check TLS environment, i.e. cert and key files */
-#ifdef WITH_TLS
- tls_available = mu_check_tls_environment ();
- if (tls_available)
- enable_stls ();
-#endif /* WITH_TLS */
+ mu_m_server_set_preflight (server, stls_preflight);
 
 /* Actually run the daemon. */
 if (mu_m_server_mode (server) == MODE_DAEMON)
@@ -661,9 +602,12 @@ main (int argc, char **argv)
 }
 else
 {
+ struct pop3d_srv_config cfg;
+ memset (&cfg, 0, sizeof cfg);
+ cfg.tls_mode = tls_no;
 /* Make sure we are in the root directory. */
 chdir ("/");
- status = pop3d_mainloop (MU_STDIN_FD, MU_STDOUT_FD, tls_mode);
+ status = pop3d_mainloop (MU_STDIN_FD, MU_STDOUT_FD, &cfg);
 }
 
 if (status)
diff --git a/pop3d/pop3d.h b/pop3d/pop3d.h
index 962dc1eb9..0168da6e1 100644
--- a/pop3d/pop3d.h
+++ b/pop3d/pop3d.h
@@ -145,31 +145,32 @@ extern int expire_on_exit;
 #define UPDATE 2
 #define ABORT 3
 
-#define OK 0
-#define ERR_WRONG_STATE 1
-#define ERR_BAD_ARGS 2
-#define ERR_BAD_LOGIN 3
-#define ERR_NO_MESG 4
-#define ERR_MESG_DELE 5
-#define ERR_NOT_IMPL 6
-#define ERR_BAD_CMD 7
-#define ERR_MBOX_LOCK 8
-#define ERR_TOO_LONG 9
-#define ERR_NO_MEM 10
-#define ERR_SIGNAL 11
-#define ERR_FILE 12
-#define ERR_NO_IFILE 13
-#define ERR_NO_OFILE 14
-#define ERR_IO 15
-#define ERR_PROTO 16
-#define ERR_TIMEOUT 17
-#define ERR_UNKNOWN 18
-#define ERR_MBOX_SYNC 19
-#define ERR_TLS_ACTIVE 20
-#define ERR_TLS_IO 21
-#define ERR_LOGIN_DELAY 22
-#define ERR_TERMINATE 23
-#define ERR_SYS_LOGIN 24
+enum pop3d_error {
+ OK = 0,
+ ERR_WRONG_STATE,
+ ERR_BAD_ARGS,
+ ERR_BAD_LOGIN,
+ ERR_NO_MESG,
+ ERR_MESG_DELE,
+ ERR_NOT_IMPL,
+ ERR_BAD_CMD,
+ ERR_MBOX_LOCK,
+ ERR_TOO_LONG,
+ ERR_NO_MEM,
+ ERR_SIGNAL,
+ ERR_FILE,
+ ERR_NO_IFILE,
+ ERR_NO_OFILE,
+ ERR_IO,
+ ERR_PROTO,
+ ERR_TIMEOUT,
+ ERR_UNKNOWN,
+ ERR_MBOX_SYNC,
+ ERR_TLS_IO,
+ ERR_LOGIN_DELAY,
+ ERR_TERMINATE,
+ ERR_SYS_LOGIN
+};
 
 enum tls_mode {
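Review bot: In the inetd branch of main the server configuration is built as `memset (&cfg, 0, sizeof cfg); cfg.tls_mode = tls_no;`, so the global `tls` section that mu_tls_cfg_init reads into global_tls_conf has no effect when pop3d is started from inetd and STLS is never offered there, whereas the removed call passed the configured global tls_mode. Unless the preflight is also run on this path, which the hunk does not show, a configured TLS setup is silently dropped for inetd deployments. Honouring the global section would be `cfg.tls_conf = global_tls_conf; cfg.tls_mode = global_tls_conf.cert_file ? tls_ondemand : tls_no;`, with the same configuration check the daemon path gets from stls_preflight. main continues outside the hunk.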
@@ -200,7 +201,15 @@ struct pop3d_capa
 struct pop3d_session
 {
 mu_list_t capa;
- enum tls_mode tls;
+ enum tls_mode tls_mode;
+ struct mu_tls_config *tls_conf;
+};
+
+struct pop3d_srv_config
+{
+ struct mu_srv_config m_cfg;
+ enum tls_mode tls_mode;
+ struct mu_tls_config tls_conf;
 };
 
 void pop3d_session_init (struct pop3d_session *session);
@@ -227,10 +236,7 @@ extern char *md5shared;
 extern size_t children;
 extern struct daemon_param daemon_param;
 extern int debug_mode;
-#ifdef WITH_TLS
-extern int tls_available;
-extern int tls_done;
-#endif /* WITH_TLS */
+
 extern int undelete_on_startup;
 extern struct mu_auth_data *auth_data;
 extern unsigned int idle_timeout;
@@ -242,6 +248,8 @@ extern int apop_database_safety;
 extern uid_t apop_database_owner;
 extern int apop_database_owner_set;
 
+extern struct mu_tls_config global_tls_conf;
+
 /* Safety checks for group-rw database files, such as stat and bulletin
 databases */
 
@@ -282,13 +290,12 @@ extern void pop3d_parse_command (char *cmd, char **pcmd, char **parg);
 
 extern RETSIGTYPE pop3d_master_signal (int);
 extern RETSIGTYPE pop3d_child_signal (int);
 
-#ifdef WITH_TLS
 extern int pop3d_stls (char *, struct pop3d_session *);
-extern void enable_stls (void);
-#endif /* WITH_TLS */
+int stls_preflight (mu_m_server_t msrv);
+
 extern void pop3d_outf (const char *fmt, ...) MU_PRINTFLIKE(1,2);
-extern void pop3d_setio (int, int, int);
+extern void pop3d_setio (int, int, struct mu_tls_config *);
 extern char *pop3d_readline (char *, size_t);
 extern void pop3d_flush_output (void);
 
@@ -299,10 +306,7 @@ extern int pop3d_is_deleted (mu_attribute_t attr);
 extern void pop3d_unset_deleted (mu_attribute_t attr);
 void pop3d_undelete_all (void);
 
-#ifdef WITH_TLS
-extern int pop3d_init_tls_server (void);
-extern void pop3d_deinit_tls_server (void);
-#endif /* WITH_TLS */
+extern int pop3d_init_tls_server (struct mu_tls_config *tls_conf);
 extern void pop3d_mark_retr (mu_attribute_t attr);
 extern int pop3d_is_retr (mu_attribute_t attr);
 
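Review bot: `int stls_preflight (mu_m_server_t msrv);` in the fourth pop3d.h hunk is the only prototype in that declaration block written without the `extern` every neighbouring declaration uses, which reads as if it were a definition at first glance. For consistency with the surrounding lines write `extern int stls_preflight (mu_m_server_t msrv);`.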
diff --git a/pop3d/stls.c b/pop3d/stls.c
index 9729b6b57..b83dcb6bb 100644
--- a/pop3d/stls.c
+++ b/pop3d/stls.c
@@ -19,8 +19,6 @@
 
 /* STLS command -- TLS/SSL encryption */
 
-#ifdef WITH_TLS
-
 int
 pop3d_stls (char *arg, struct pop3d_session *session)
 {
@@ -30,7 +28,7 @@ pop3d_stls (char *arg, struct pop3d_session *session)
 if (state != initial_state)
 return ERR_WRONG_STATE;
 
- switch (session->tls)
+ switch (session->tls_mode)
 {
 case tls_ondemand:
 case tls_required:
@@ -39,26 +37,20 @@ pop3d_stls (char *arg, struct pop3d_session *session)
 return ERR_WRONG_STATE;
 }
 
- if (tls_done)
- return ERR_TLS_ACTIVE;
-
 pop3d_outf ("+OK Begin TLS negotiation\n");
 pop3d_flush_output ();
 
- tls_done = pop3d_init_tls_server () == 0;
-
- if (!tls_done)
+ if (pop3d_init_tls_server (session->tls_conf))
 {
 mu_diag_output (MU_DIAG_ERROR, _("Session terminated"));
 state = ABORT;
 return ERR_UNKNOWN;
 }
 
+ session->tls_mode = tls_no;
 state = AUTHORIZATION; /* Confirm we're in this state. Necessary for "tls required" to work */
 return OK;
 }
 
-#endif /* WITH_TLS */
-
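Review bot: After a successful handshake the last stls.c hunk sets `session->tls_mode = tls_no;` without a comment, and that assignment now carries the role of the removed tls_done flag: it is the only thing stopping a second STLS on the same session, which the switch at the top of pop3d_stls then answers with ERR_WRONG_STATE instead of the removed ERR_TLS_ACTIVE, and it is also what makes capa_stls stop advertising STLS. Written as it is, the line reads as "TLS is off", the opposite of the state the session is in. Add `/* TLS is now active: clearing the mode makes a repeated STLS fail the switch above and drops STLS from CAPA (replaces the old tls_done check). */` above the assignment. pop3d_stls begins outside the hunk.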