dovecot-2.0: dovecot -p (ask ssl key password from command line)...
dovecot at dovecot.org
dovecot at dovecot.org
Wed Sep 9 03:05:51 EEST 2009
details: http://hg.dovecot.org/dovecot-2.0/rev/e819f6dfe5f4
changeset: 9913:e819f6dfe5f4
user: Timo Sirainen <tss at iki.fi>
date: Tue Sep 08 20:00:18 2009 -0400
description:
dovecot -p (ask ssl key password from command line) works again.
diffstat:
7 files changed, 23 insertions(+), 18 deletions(-)
src/login-common/ssl-proxy-openssl.c | 17 ++++++-----------
src/master/Makefile.am | 2 ++
src/master/common.h | 1 +
src/master/main.c | 11 ++++-------
src/master/service-process.c | 7 +++++++
src/master/service.c | 1 +
src/master/service.h | 2 ++
diffs (157 lines):
diff -r 37bc3a3d4464 -r e819f6dfe5f4 src/login-common/ssl-proxy-openssl.c
--- a/src/login-common/ssl-proxy-openssl.c Tue Sep 08 19:34:49 2009 -0400
+++ b/src/login-common/ssl-proxy-openssl.c Tue Sep 08 20:00:18 2009 -0400
@@ -889,16 +889,19 @@ static EVP_PKEY *ssl_proxy_load_key(cons
{
EVP_PKEY *pkey;
BIO *bio;
- char *password;
+ const char *password;
+ char *dup_password;
bio = BIO_new_mem_buf(t_strdup_noconst(set->ssl_key),
strlen(set->ssl_key));
if (bio == NULL)
i_fatal("BIO_new_mem_buf() failed");
- password = t_strdup_noconst(set->ssl_key_password);
+ password = *set->ssl_key_password != '\0' ? set->ssl_key_password :
+ getenv("SSL_KEY_PASSWORD");
+ dup_password = t_strdup_noconst(password);
pkey = PEM_read_bio_PrivateKey(bio, NULL, pem_password_callback,
- password);
+ dup_password);
if (pkey == NULL)
i_fatal("Couldn't parse private ssl_key");
BIO_free(bio);
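Review bot: The password copy in `dup_password` is never zeroed after `PEM_read_bio_PrivateKey()` returns, and the `safe_memset(password, 0, strlen(password))` that used to do this in ssl_proxy_init_server is deleted by the third hunk of this file without a replacement, so the plaintext key password stays in data-stack memory until that region is reused. After the `if (pkey == NULL)` check add `if (dup_password != NULL) safe_memset(dup_password, 0, strlen(dup_password));`. The NULL guard matters because when neither `set->ssl_key_password` nor `SSL_KEY_PASSWORD` is set, `getenv()` returns NULL and `dup_password` is presumably NULL as well — whether `t_strdup_noconst()` and `pem_password_callback` tolerate that I cannot tell from the hunk, so it is worth confirming. If the key is loaded only once per process, also consider `unsetenv("SSL_KEY_PASSWORD")` once the value has been copied, since anything the login process later execs inherits its environment. ssl_proxy_load_key's body continues past the hunk.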
@@ -980,8 +983,6 @@ end:
static void ssl_proxy_init_server(const struct login_settings *set)
{
- char *password;
-
if ((ssl_server_ctx = SSL_CTX_new(SSLv23_server_method())) == NULL)
i_fatal("SSL_CTX_new() failed");
ssl_proxy_ctx_init(ssl_server_ctx, set);
@@ -997,13 +998,7 @@ static void ssl_proxy_init_server(const
ssl_proxy_get_use_certificate_error(set->ssl_cert));
}
- password = t_strdup_noconst(set->ssl_key_password);
- SSL_CTX_set_default_passwd_cb(ssl_server_ctx, pem_password_callback);
- SSL_CTX_set_default_passwd_cb_userdata(ssl_server_ctx, password);
-
ssl_proxy_ctx_use_key(ssl_server_ctx, set);
- safe_memset(password, 0, strlen(password));
-
if (set->verbose_ssl)
SSL_CTX_set_info_callback(ssl_server_ctx, ssl_info_callback);
diff -r 37bc3a3d4464 -r e819f6dfe5f4 src/master/Makefile.am
--- a/src/master/Makefile.am Tue Sep 08 19:34:49 2009 -0400
+++ b/src/master/Makefile.am Tue Sep 08 20:00:18 2009 -0400
@@ -20,6 +20,7 @@ dovecot_DEPENDENCIES = $(libs)
dovecot_DEPENDENCIES = $(libs)
dovecot_SOURCES = \
+ askpass.c \
capabilities-posix.c \
dup2-array.c \
main.c \
@@ -35,6 +36,7 @@ dovecot_SOURCES = \
service.c
noinst_HEADERS = \
+ askpass.h \
capabilities.h \
common.h \
dup2-array.h \
diff -r 37bc3a3d4464 -r e819f6dfe5f4 src/master/common.h
--- a/src/master/common.h Tue Sep 08 19:34:49 2009 -0400
+++ b/src/master/common.h Tue Sep 08 20:00:18 2009 -0400
@@ -11,6 +11,7 @@ extern gid_t master_gid;
extern gid_t master_gid;
extern bool auth_success_written;
extern bool core_dumps_disabled;
+extern char ssl_manual_key_password[];
extern int null_fd;
extern struct service_list *services;
diff -r 37bc3a3d4464 -r e819f6dfe5f4 src/master/main.c
--- a/src/master/main.c Tue Sep 08 19:34:49 2009 -0400
+++ b/src/master/main.c Tue Sep 08 20:00:18 2009 -0400
@@ -11,6 +11,7 @@
#include "restrict-process-size.h"
#include "master-service.h"
#include "master-service-settings.h"
+#include "askpass.h"
#include "capabilities.h"
#include "service.h"
#include "service-listen.h"
@@ -37,6 +38,7 @@ gid_t master_gid;
gid_t master_gid;
bool auth_success_written;
bool core_dumps_disabled;
+char ssl_manual_key_password[100];
int null_fd;
struct service_list *services;
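Review bot: The size `100` in `char ssl_manual_key_password[100];` is a bare magic number that must silently agree with the `sizeof` passed to askpass() in main() and with the `extern char ssl_manual_key_password[];` added to common.h, which as an incomplete array type cannot be `sizeof`-ed from other translation units; name it, e.g. `enum { SSL_MANUAL_KEY_PASSWORD_SIZE = 100 };` in common.h and `char ssl_manual_key_password[SSL_MANUAL_KEY_PASSWORD_SIZE];` here. As file-scope storage the array is zero-initialized, which is what the `*ssl_manual_key_password != '\0'` check in service-process.c relies on to mean "no password was given"; a comment next to the definition would make that explicit, e.g. `/* zero-initialized; empty string means no -p password was entered */`.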
@@ -737,16 +739,11 @@ int main(int argc, char *argv[])
auth_warning_print(set);
}
-#if 0 // FIXME
if (ask_key_pass) {
- const char *prompt;
-
- prompt = t_strdup_printf("Give the password for SSL key file "
- "%s: ", set->ssl_key_file);
- askpass(prompt, ssl_manual_key_password,
+ askpass("Give the password for SSL keys",
+ ssl_manual_key_password,
sizeof(ssl_manual_key_password));
}
-#endif
/* save TZ environment. AIX depends on it to get the timezone
correctly. */
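Review bot: The new prompt `"Give the password for SSL keys"` drops the trailing `": "` that the old `t_strdup_printf` prompt carried, so unless askpass() appends its own separator (not visible in this hunk) the typed password runs straight into the prompt text; `askpass("Give the password for SSL keys: ",` restores it. The return value of askpass() is also not examined; whether it reports a failed read I cannot tell from here, but if it does, that error would currently be ignored and the master would continue with an empty `ssl_manual_key_password`. main() starts and ends outside the hunk.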
diff -r 37bc3a3d4464 -r e819f6dfe5f4 src/master/service-process.c
--- a/src/master/service-process.c Tue Sep 08 19:34:49 2009 -0400
+++ b/src/master/service-process.c Tue Sep 08 20:00:18 2009 -0400
@@ -458,6 +458,13 @@ handle_request(const struct service_proc
env_put(t_strconcat("LOCAL_IP=", net_ip2addr(&request->local_ip), NULL));
env_put(t_strconcat("IP=", net_ip2addr(&request->remote_ip), NULL));
+ if (*ssl_manual_key_password != '\0' &&
+ request->process->process.service->have_inet_listeners) {
+ /* manually given SSL password. give it only to services
+ that have inet listeners. */
+ env_put(t_strconcat("SSL_KEY_PASSWORD=",
+ ssl_manual_key_password, NULL));
+ }
}
struct service_process *
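Review bot: The gate `request->process->process.service->have_inet_listeners` hands the SSL key password to every service that has an inet_listener, not only to those that actually terminate TLS, so a service that listens on a TCP port but never loads the key still gets the password in its environment, where it is readable by any same-uid process and inherited by anything the service later execs. A narrower per-service condition (for example a bit set only for services whose settings enable SSL) would reduce that exposure; at minimum the comment should state the trade-off, e.g. `/* manually given SSL password. given to every service with an inet listener, which is wider than the set that actually loads the key. */`. The consumer in ssl-proxy-openssl.c reads it via getenv() in this same commit, so clearing the variable there after use would complement this gate. handle_request's body starts outside the hunk.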
diff -r 37bc3a3d4464 -r e819f6dfe5f4 src/master/service.c
--- a/src/master/service.c Tue Sep 08 19:34:49 2009 -0400
+++ b/src/master/service.c Tue Sep 08 20:00:18 2009 -0400
@@ -293,6 +293,7 @@ service_create(pool_t pool, const struct
if (service_create_inet_listeners(service, inet_listeners[i],
error_r) < 0)
return NULL;
+ service->have_inet_listeners = TRUE;
}
return service;
diff -r 37bc3a3d4464 -r e819f6dfe5f4 src/master/service.h
--- a/src/master/service.h Tue Sep 08 19:34:49 2009 -0400
+++ b/src/master/service.h Tue Sep 08 20:00:18 2009 -0400
@@ -93,6 +93,8 @@ struct service {
unsigned int listen_pending:1;
/* service is currently listening for new connections */
unsigned int listening:1;
+ /* TRUE if service has at least one inet_listener */
+ unsigned int have_inet_listeners:1;
};
struct service_list {