dovecot-2.1: login proxy: Added ssl_client_cert/key settings.

dovecot at dovecot.org dovecot at dovecot.org
Fri Nov 18 21:31:37 EET 2011


details:   http://hg.dovecot.org/dovecot-2.1/rev/700e92b43c74
changeset: 13725:700e92b43c74
user:      Timo Sirainen <tss at iki.fi>
date:      Fri Nov 18 21:31:15 2011 +0200
description:
login proxy: Added ssl_client_cert/key settings.
The client cert is sent to the proxy destination server when SSL is used.

diffstat:

 src/login-common/login-settings.c    |   4 +++
 src/login-common/login-settings.h    |   2 +
 src/login-common/ssl-proxy-openssl.c |  38 +++++++++++++++++++++++++++++------
 3 files changed, 37 insertions(+), 7 deletions(-)

diffs (111 lines):

diff -r dafa6dc27398 -r 700e92b43c74 src/login-common/login-settings.c
--- a/src/login-common/login-settings.c	Fri Nov 18 16:22:44 2011 +0200
+++ b/src/login-common/login-settings.c	Fri Nov 18 21:31:15 2011 +0200
@@ -33,6 +33,8 @@
 	DEF(SET_STR, ssl_cipher_list),
 	DEF(SET_STR, ssl_protocols),
 	DEF(SET_STR, ssl_cert_username_field),
+	DEF(SET_STR, ssl_client_cert),
+	DEF(SET_STR, ssl_client_key),
 	DEF(SET_BOOL, ssl_verify_client_cert),
 	DEF(SET_BOOL, auth_ssl_require_client_cert),
 	DEF(SET_BOOL, auth_ssl_username_from_cert),
@@ -63,6 +65,8 @@
 	.ssl_cipher_list = "ALL:!LOW:!SSLv2:!EXP:!aNULL",
 	.ssl_protocols = "!SSLv2",
 	.ssl_cert_username_field = "commonName",
+	.ssl_client_cert = "",
+	.ssl_client_key = "",
 	.ssl_verify_client_cert = FALSE,
 	.auth_ssl_require_client_cert = FALSE,
 	.auth_ssl_username_from_cert = FALSE,
diff -r dafa6dc27398 -r 700e92b43c74 src/login-common/login-settings.h
--- a/src/login-common/login-settings.h	Fri Nov 18 16:22:44 2011 +0200
+++ b/src/login-common/login-settings.h	Fri Nov 18 21:31:15 2011 +0200
@@ -15,6 +15,8 @@
 	const char *ssl_cipher_list;
 	const char *ssl_protocols;
 	const char *ssl_cert_username_field;
+	const char *ssl_client_cert;
+	const char *ssl_client_key;
 	bool ssl_verify_client_cert;
 	bool auth_ssl_require_client_cert;
 	bool auth_ssl_username_from_cert;
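Review bot: The two new fields carry no comment saying what they hold, and the format matters for operators: by analogy with ssl_key, which ssl_proxy_load_key wraps in BIO_new_mem_buf, they appear to hold the PEM contents (the "<file" form in config) rather than a file path, and the key is later loaded with a NULL password. Suggest a comment above ssl_client_cert such as `/* PEM contents (not a path) of the client cert/key presented to the proxy destination when SSL is used; the key is loaded without a password */`. The struct continues outside the hunk.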
diff -r dafa6dc27398 -r 700e92b43c74 src/login-common/ssl-proxy-openssl.c
--- a/src/login-common/ssl-proxy-openssl.c	Fri Nov 18 16:22:44 2011 +0200
+++ b/src/login-common/ssl-proxy-openssl.c	Fri Nov 18 21:31:15 2011 +0200
@@ -993,20 +993,17 @@
 	}
 }
 
-static EVP_PKEY *ssl_proxy_load_key(const struct login_settings *set)
+static EVP_PKEY *
+ssl_proxy_load_key(const char *key, const char *password)
 {
 	EVP_PKEY *pkey;
 	BIO *bio;
-	const char *password;
 	char *dup_password;
 
-	bio = BIO_new_mem_buf(t_strdup_noconst(set->ssl_key),
-			      strlen(set->ssl_key));
+	bio = BIO_new_mem_buf(t_strdup_noconst(key), strlen(key));
 	if (bio == NULL)
 		i_fatal("BIO_new_mem_buf() failed");
 
-	password = *set->ssl_key_password != '\0' ? set->ssl_key_password :
-		getenv(MASTER_SSL_KEY_PASSWORD_ENV);
 	dup_password = t_strdup_noconst(password);
 	pkey = PEM_read_bio_PrivateKey(bio, NULL, pem_password_callback,
 				       dup_password);
@@ -1030,8 +1027,11 @@
 static void ssl_proxy_ctx_use_key(SSL_CTX *ctx, const struct login_settings *set)
 {
 	EVP_PKEY *pkey;
+	const char *password;
 
-	pkey = ssl_proxy_load_key(set);
+	password = *set->ssl_key_password != '\0' ? set->ssl_key_password :
+		getenv(MASTER_SSL_KEY_PASSWORD_ENV);
+	pkey = ssl_proxy_load_key(set->ssl_key, password);
 	if (SSL_CTX_use_PrivateKey(ctx, pkey) != 1)
 		i_fatal("Can't load private ssl_key: %s", ssl_key_load_error());
 	EVP_PKEY_free(pkey);
@@ -1227,6 +1227,28 @@
 	pool_unref(&ctx->pool);
 }
 
+static void
+ssl_proxy_client_ctx_set_client_cert(SSL_CTX *ctx,
+				     const struct login_settings *set)
+{
+	EVP_PKEY *pkey;
+
+	if (*set->ssl_client_cert == '\0')
+		return;
+
+	if (ssl_proxy_ctx_use_certificate_chain(ctx, set->ssl_client_cert) != 1) {
+		i_fatal("Can't load ssl_client_cert: %s",
+			ssl_proxy_get_use_certificate_error(set->ssl_client_cert));
+	}
+
+	pkey = ssl_proxy_load_key(set->ssl_client_key, NULL);
+	if (SSL_CTX_use_PrivateKey(ctx, pkey) != 1) {
+		i_fatal("Can't load private ssl_client_key: %s",
+			ssl_key_load_error());
+	}
+	EVP_PKEY_free(pkey);
+}
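Review bot: ssl_proxy_client_ctx_set_client_cert checks only that ssl_client_cert is non-empty; an empty ssl_client_key falls through to ssl_proxy_load_key with a zero-length buffer and fails with a PEM parse error instead of naming the misconfiguration, and nothing confirms that the loaded key actually matches the certificate. Add an explicit empty-key check right after the cert check and an SSL_CTX_check_private_key() call after EVP_PKEY_free, so a mismatched cert/key pair is reported at startup rather than as a handshake failure against the destination server. The key is loaded with a NULL password, so presumably an encrypted ssl_client_key cannot be used; a one-line comment saying so next to the ssl_proxy_load_key call would help.
```c
	if (*set->ssl_client_cert == '\0')
		return;
	if (*set->ssl_client_key == '\0')
		i_fatal("ssl_client_cert is set, but ssl_client_key is empty");

	/* … unchanged: certificate chain load, key load via ssl_proxy_load_key … */

	EVP_PKEY_free(pkey);
	if (SSL_CTX_check_private_key(ctx) != 1)
		i_fatal("ssl_client_key doesn't match ssl_client_cert");
```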
+
 static void ssl_proxy_init_client(const struct login_settings *set)
 {
 	STACK_OF(X509_NAME) *xnames;
@@ -1235,6 +1257,8 @@
 		i_fatal("SSL_CTX_new() failed");
 	xnames = ssl_proxy_ctx_init(ssl_client_ctx, set);
 	ssl_proxy_ctx_verify_client(ssl_client_ctx, xnames);
+
+	ssl_proxy_client_ctx_set_client_cert(ssl_client_ctx, set);
 }
 
 void ssl_proxy_init(void)

