dovecot-2.1: SSL proxying: Remote's host never matched cert, bec...
dovecot at dovecot.org
dovecot at dovecot.org
Wed Apr 25 21:32:08 EEST 2012
details: http://hg.dovecot.org/dovecot-2.1/rev/773ca397d799
changeset: 14482:773ca397d799
user: Timo Sirainen <tss at iki.fi>
date: Wed Apr 25 21:32:00 2012 +0300
description:
SSL proxying: Remote's host never matched cert, because auth process changed it to IP.
Now the "host" parameter isn't changed, but a new optional "hostip"
parameter contains the IP address where to connect to.
diffstat:
src/auth/auth-request.c | 4 ++--
src/login-common/client-common-auth.c | 5 +++++
src/login-common/client-common.h | 2 +-
src/login-common/login-proxy.c | 4 +++-
src/login-common/login-proxy.h | 3 +++
5 files changed, 14 insertions(+), 4 deletions(-)
diffs (89 lines):
diff -r c2b7767afc38 -r 773ca397d799 src/auth/auth-request.c
--- a/src/auth/auth-request.c Wed Apr 25 21:29:14 2012 +0300
+++ b/src/auth/auth-request.c Wed Apr 25 21:32:00 2012 +0300
@@ -1521,8 +1521,8 @@
"DNS lookup for %s took %u.%03u s",
host, result->msecs/1000, result->msecs % 1000);
}
- auth_stream_reply_remove(request->extra_fields, "host");
- auth_stream_reply_add(request->extra_fields, "host",
+ auth_stream_reply_remove(request->extra_fields, "hostip");
+ auth_stream_reply_add(request->extra_fields, "hostip",
net_ip2addr(&result->ips[0]));
for (i = 0; i < result->ips_count; i++) {
if (auth_request_proxy_ip_is_self(request,
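Review bot: The new `hostip` field has no comment where it is produced, so the split between `host` and `hostip` is explained only in the commit message. Above the `auth_stream_reply_remove(request->extra_fields, "hostip")` call I would add `/* "host" stays the name so the login process can match it against the remote's SSL cert; "hostip" carries the resolved address to connect to */`. The remove-then-add also discards any `hostip` value already present in extra_fields; that looks intended, but it is worth stating in the same comment. The enclosing function starts and ends outside the hunk.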
diff -r c2b7767afc38 -r 773ca397d799 src/login-common/client-common-auth.c
--- a/src/login-common/client-common-auth.c Wed Apr 25 21:29:14 2012 +0300
+++ b/src/login-common/client-common-auth.c Wed Apr 25 21:32:00 2012 +0300
@@ -86,6 +86,8 @@
reply_r->reason = value;
else if (strcmp(key, "host") == 0)
reply_r->host = value;
+ else if (strcmp(key, "hostip") == 0)
+ reply_r->hostip = value;
else if (strcmp(key, "port") == 0)
reply_r->port = atoi(value);
else if (strcmp(key, "destuser") == 0)
@@ -294,6 +296,9 @@
memset(&proxy_set, 0, sizeof(proxy_set));
proxy_set.host = reply->host;
+ if (reply->hostip != NULL &&
+ net_addr2ip(reply->hostip, &proxy_set.ip) < 0)
+ proxy_set.ip.family = 0;
proxy_set.port = reply->port;
proxy_set.dns_client_socket_path = LOGIN_DNS_CLIENT_SOCKET_PATH;
proxy_set.connect_timeout_msecs = reply->proxy_timeout_msecs;
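Review bot: A `hostip` value that fails `net_addr2ip()` is discarded without any log line in the added `if` before `proxy_set.port`. With `ip.family` left at 0, the login-proxy.c hunk of this commit resolves `host` on its own, so the proxy may connect to a different address than the one the auth process picked and ran through `auth_request_proxy_ip_is_self()`. I would brace the `if` body and log before the reset, e.g. `i_error("proxy: Invalid hostip %s", reply->hostip);`, or treat the reply as a failed proxy attempt instead of falling back. The enclosing function starts and ends outside the hunk.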
diff -r c2b7767afc38 -r 773ca397d799 src/login-common/client-common.h
--- a/src/login-common/client-common.h Wed Apr 25 21:29:14 2012 +0300
+++ b/src/login-common/client-common.h Wed Apr 25 21:32:00 2012 +0300
@@ -49,7 +49,7 @@
struct client_auth_reply {
const char *master_user, *reason;
/* for proxying */
- const char *host, *destuser, *password;
+ const char *host, *hostip, *destuser, *password;
unsigned int port;
unsigned int proxy_timeout_msecs;
unsigned int proxy_refresh_secs;
diff -r c2b7767afc38 -r 773ca397d799 src/login-common/login-proxy.c
--- a/src/login-common/login-proxy.c Wed Apr 25 21:29:14 2012 +0300
+++ b/src/login-common/login-proxy.c Wed Apr 25 21:32:00 2012 +0300
@@ -308,6 +308,7 @@
proxy->client_fd = -1;
proxy->server_fd = -1;
proxy->created = ioloop_timeval;
+ proxy->ip = set->ip;
proxy->host = i_strdup(set->host);
proxy->port = set->port;
proxy->connect_timeout_msecs = set->connect_timeout_msecs;
@@ -319,7 +320,8 @@
dns_lookup_set.dns_client_socket_path = set->dns_client_socket_path;
dns_lookup_set.timeout_msecs = set->connect_timeout_msecs;
- if (net_addr2ip(set->host, &proxy->ip) < 0) {
+ if (set->ip.family == 0 &&
+ net_addr2ip(set->host, &proxy->ip) < 0) {
if (dns_lookup(set->host, &dns_lookup_set,
login_proxy_dns_done, proxy) < 0)
return -1;
diff -r c2b7767afc38 -r 773ca397d799 src/login-common/login-proxy.h
--- a/src/login-common/login-proxy.h Wed Apr 25 21:29:14 2012 +0300
+++ b/src/login-common/login-proxy.h Wed Apr 25 21:32:00 2012 +0300
@@ -1,6 +1,8 @@
#ifndef LOGIN_PROXY_H
#define LOGIN_PROXY_H
+#include "network.h"
+
struct client;
struct login_proxy;
@@ -15,6 +17,7 @@
struct login_proxy_settings {
const char *host;
+ struct ip_addr ip;
const char *dns_client_socket_path;
unsigned int port;
unsigned int connect_timeout_msecs;
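Review bot: `struct ip_addr ip` is added to `login_proxy_settings` without a comment, yet the other hunks rely on an unwritten convention that `ip.family == 0` means "not set, resolve `host`". That convention is used by the `set->ip.family == 0 &&` test in login-proxy.c and the `proxy_set.ip.family = 0` reset in client-common-auth.c. I would document it on the field, e.g. `/* optional address to connect to; family == 0 means unset and host is resolved instead */`, and note next to `host` that, per the commit description, it remains the name matched against the remote's certificate. Callers have to zero the struct before filling it, as the `memset` in client-common-auth.c does. The struct continues past the end of the hunk.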