authorJohn Denker <jsd@av8n.com>2016-01-01 11:17:17 -0700
committerJohn Denker <jsd@av8n.com>2016-01-01 16:34:35 -0800
commit0fefe3a661fb5155f811d5a6412194a566f7de0a (patch)
tree11a712a24d842e9eeb58afcce80fcf75742ba121
parent67c1e178e1f1d171181e574186468b68a810ee25 (diff)
newly created files now added to repo
-rw-r--r--Makefile-cert.mk21
-rw-r--r--ssl_timeoutio.c95
-rw-r--r--ssl_timeoutio.h21
-rw-r--r--tls.c25
-rw-r--r--tls.h16
-rw-r--r--update_tmprsadh.sh19
6 files changed, 197 insertions, 0 deletions
diff --git a/Makefile-cert.mk b/Makefile-cert.mk
new file mode 100644
index 0000000..d869999
--- /dev/null
+++ b/Makefile-cert.mk
@@ -0,0 +1,21 @@
+cert-req: req.pem
+cert cert-req: QMAIL/control/clientcert.pem
+ @:
+
+QMAIL/control/clientcert.pem: QMAIL/control/servercert.pem
+ ln -s $< $@
+
+QMAIL/control/servercert.pem:
+ PATH=$$PATH:/usr/local/ssl/bin \
+ openssl req -new -x509 -nodes -days 366 -out $@ -keyout $@
+ chmod 640 $@
+ chown `head -2 conf-users | tail -1`:`head -1 conf-groups` $@
+
+req.pem:
+ PATH=$$PATH:/usr/local/ssl/bin openssl req \
+ -new -nodes -out $@ -keyout QMAIL/control/servercert.pem
+ chmod 640 QMAIL/control/servercert.pem
+ chown `head -2 conf-users | tail -1`:`head -1 conf-groups` QMAIL/control/servercert.pem
+ @echo
+ @echo "Send req.pem to your CA to obtain signed_req.pem, and do:"
+ @echo "cat signed_req.pem >> QMAIL/control/servercert.pem"
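Review bot: The `QMAIL/control/servercert.pem` and `req.pem` recipes write the private key via `-keyout` before the `chmod 640` runs, so the key file briefly exists with whatever mode the caller's umask and the installed openssl give it. The companion `update_tmprsadh.sh` in this same commit sets `umask 0077` first; doing the same in these recipes, e.g. `umask 077; PATH=$$PATH:/usr/local/ssl/bin \`, closes that window. `-out $@ -keyout $@` also puts key and certificate into one file, which is presumably what the reader of `servercert.pem` expects; a one-line comment stating that would save the next maintainer a guess.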
diff --git a/ssl_timeoutio.c b/ssl_timeoutio.c
new file mode 100644
index 0000000..5b2dc9d
--- /dev/null
+++ b/ssl_timeoutio.c
@@ -0,0 +1,95 @@
+#include "select.h"
+#include "error.h"
+#include "ndelay.h"
+#include "now.h"
+#include "ssl_timeoutio.h"
+
+int ssl_timeoutio(int (*fun)(),
+ int t, int rfd, int wfd, SSL *ssl, char *buf, int len)
+{
+ int n;
+ const datetime_sec end = (datetime_sec)t + now();
+
+ do {
+ fd_set fds;
+ struct timeval tv;
+
+ const int r = buf ? fun(ssl, buf, len) : fun(ssl);
+ if (r > 0) return r;
+
+ t = end - now();
+ if (t < 0) break;
+ tv.tv_sec = (time_t)t; tv.tv_usec = 0;
+
+ FD_ZERO(&fds);
+ switch (SSL_get_error(ssl, r))
+ {
+ default: return r; /* some other error */
+ case SSL_ERROR_WANT_READ:
+ FD_SET(rfd, &fds); n = select(rfd + 1, &fds, NULL, NULL, &tv);
+ break;
+ case SSL_ERROR_WANT_WRITE:
+ FD_SET(wfd, &fds); n = select(wfd + 1, NULL, &fds, NULL, &tv);
+ break;
+ }
+
+ /* n is the number of descriptors that changed status */
+ } while (n > 0);
+
+ if (n != -1) errno = error_timeout;
+ return -1;
+}
+
+int ssl_timeoutaccept(int t, int rfd, int wfd, SSL *ssl)
+{
+ int r;
+
+ /* if connection is established, keep NDELAY */
+ if (ndelay_on(rfd) == -1 || ndelay_on(wfd) == -1) return -1;
+ r = ssl_timeoutio(SSL_accept, t, rfd, wfd, ssl, NULL, 0);
+
+ if (r <= 0) { ndelay_off(rfd); ndelay_off(wfd); }
+ else SSL_set_mode(ssl, SSL_MODE_ENABLE_PARTIAL_WRITE);
+
+ return r;
+}
+
+int ssl_timeoutconn(int t, int rfd, int wfd, SSL *ssl)
+{
+ int r;
+
+ /* if connection is established, keep NDELAY */
+ if (ndelay_on(rfd) == -1 || ndelay_on(wfd) == -1) return -1;
+ r = ssl_timeoutio(SSL_connect, t, rfd, wfd, ssl, NULL, 0);
+
+ if (r <= 0) { ndelay_off(rfd); ndelay_off(wfd); }
+ else SSL_set_mode(ssl, SSL_MODE_ENABLE_PARTIAL_WRITE);
+
+ return r;
+}
+
+int ssl_timeoutrehandshake(int t, int rfd, int wfd, SSL *ssl)
+{
+ int r;
+
+ SSL_renegotiate(ssl);
+ r = ssl_timeoutio(SSL_do_handshake, t, rfd, wfd, ssl, NULL, 0);
+ if (r <= 0 || ssl->type == SSL_ST_CONNECT) return r;
+
+ /* this is for the server only */
+ ssl->state = SSL_ST_ACCEPT;
+ return ssl_timeoutio(SSL_do_handshake, t, rfd, wfd, ssl, NULL, 0);
+}
+
+int ssl_timeoutread(int t, int rfd, int wfd, SSL *ssl, char *buf, int len)
+{
+ if (!buf) return 0;
+ if (SSL_pending(ssl)) return SSL_read(ssl, buf, len);
+ return ssl_timeoutio(SSL_read, t, rfd, wfd, ssl, buf, len);
+}
+
+int ssl_timeoutwrite(int t, int rfd, int wfd, SSL *ssl, char *buf, int len)
+{
+ if (!buf) return 0;
+ return ssl_timeoutio(SSL_write, t, rfd, wfd, ssl, buf, len);
+}
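Review bot: In `ssl_timeoutio`, `n` is read uninitialized when the loop leaves through `if (t < 0) break;` on the first iteration, because the `select()` calls that assign it have not run yet, and `if (n != -1) errno = error_timeout;` then tests an indeterminate value. Initialising it, `int n = 0;`, makes the early-timeout path set `error_timeout` deterministically. Separately, `FD_SET(rfd, &fds)` / `select(rfd + 1, ...)` (and the `wfd` pair) are undefined for descriptors at or above `FD_SETSIZE`, so the function should reject such descriptors up front instead of building the set. `ssl_timeoutrehandshake` also reaches into `ssl->type` and `ssl->state` directly, which presumably only works with OpenSSL builds where `SSL` is not an opaque struct; a comment noting that dependency would help whoever next bumps the library.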
diff --git a/ssl_timeoutio.h b/ssl_timeoutio.h
new file mode 100644
index 0000000..073cb67
--- /dev/null
+++ b/ssl_timeoutio.h
@@ -0,0 +1,21 @@
+#ifndef SSL_TIMEOUTIO_H
+#define SSL_TIMEOUTIO_H
+
+#include <openssl/ssl.h>
+
+/* the version is like this: 0xMNNFFPPS: major minor fix patch status */
+#if OPENSSL_VERSION_NUMBER < 0x00906000L
+# error "Need OpenSSL version at least 0.9.6"
+#endif
+
+int ssl_timeoutconn(int t, int rfd, int wfd, SSL *ssl);
+int ssl_timeoutaccept(int t, int rfd, int wfd, SSL *ssl);
+int ssl_timeoutrehandshake(int t, int rfd, int wfd, SSL *ssl);
+
+int ssl_timeoutread(int t, int rfd, int wfd, SSL *ssl, char *buf, int len);
+int ssl_timeoutwrite(int t, int rfd, int wfd, SSL *ssl, char *buf, int len);
+
+int ssl_timeoutio(
+ int (*fun)(), int t, int rfd, int wfd, SSL *ssl, char *buf, int len);
+
+#endif
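Review bot: `ssl_timeoutio` is declared with an unprototyped callback, `int (*fun)()`, and the implementation calls it with either one argument (`fun(ssl)`) or three (`fun(ssl, buf, len)`), so the compiler cannot check what is passed and the call sits outside what C guarantees for prototyped targets such as `SSL_read`. Since the handshake and read/write callbacks genuinely differ in arity, at minimum the declaration deserves a comment stating the contract: `/* fun is called as fun(ssl) when buf is NULL, else as fun(ssl, buf, len) */`.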
diff --git a/tls.c b/tls.c
new file mode 100644
index 0000000..aed5d57
--- /dev/null
+++ b/tls.c
@@ -0,0 +1,25 @@
+#include "exit.h"
+#include "error.h"
+#include <openssl/ssl.h>
+#include <openssl/err.h>
+
+int smtps = 0;
+SSL *ssl = NULL;
+
+void ssl_free(SSL *myssl) { SSL_shutdown(myssl); SSL_free(myssl); }
+void ssl_exit(int status) { if (ssl) ssl_free(ssl); _exit(status); }
+
+const char *ssl_error()
+{
+ int r = ERR_get_error();
+ if (!r) return NULL;
+ SSL_load_error_strings();
+ return ERR_error_string(r, NULL);
+}
+const char *ssl_error_str()
+{
+ const char *err = ssl_error();
+ if (err) return err;
+ if (!errno) return 0;
+ return (errno == error_timeout) ? "timed out" : error_str(errno);
+}
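Review bot: `ssl_error_str` mixes `return NULL` (through `ssl_error`) with `return 0;` on the `!errno` path; `return NULL;` keeps the pointer-returning function consistent. `ssl_error` hands back the pointer from `ERR_error_string(r, NULL)`, which refers to a static buffer that a later call overwrites, so the result must be used before calling into OpenSSL again; a comment such as `/* returns a pointer to a static buffer, valid only until the next ERR_error_string() call */` would document that. `SSL_load_error_strings()` is also invoked on every call rather than once at start-up, which is harmless but presumably not intended.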
diff --git a/tls.h b/tls.h
new file mode 100644
index 0000000..a4650af
--- /dev/null
+++ b/tls.h
@@ -0,0 +1,16 @@
+#ifndef TLS_H
+#define TLS_H
+
+#include <openssl/ssl.h>
+
+extern int smtps;
+extern SSL *ssl;
+
+void ssl_free(SSL *myssl);
+void ssl_exit(int status);
+# define _exit ssl_exit
+
+const char *ssl_error();
+const char *ssl_error_str();
+
+#endif
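Review bot: `# define _exit ssl_exit` renames a libc function for every translation unit that includes this header, so the meaning of `_exit` now depends on include order: a file that includes `exit.h` after `tls.h` gets its `_exit` prototype rewritten as well, and `tls.c` must never include this header or `ssl_exit` would call itself. Identifiers beginning with an underscore are reserved at file scope, so the redefinition is formally outside the standard even where it works. A comment above the define making the intent and the constraint explicit would help, e.g. `/* route _exit() through ssl_exit() so an open TLS session is shut down; tls.c must call the real _exit and must not include this header */`.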
diff --git a/update_tmprsadh.sh b/update_tmprsadh.sh
new file mode 100644
index 0000000..beab94f
--- /dev/null
+++ b/update_tmprsadh.sh
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+# Update temporary RSA and DH keys
+# Frederik Vermeulen 2004-05-31 GPL
+
+umask 0077 || exit 0
+
+export PATH="$PATH:/usr/local/bin/ssl:/usr/sbin"
+
+openssl genrsa -out QMAIL/control/rsa2048.new 2048 &&
+chmod 600 QMAIL/control/rsa2048.new &&
+chown UGQMAILD QMAIL/control/rsa2048.new &&
+mv -f QMAIL/control/rsa2048.new QMAIL/control/rsa2048.pem
+echo
+
+openssl dhparam -2 -out QMAIL/control/dh2048.new 2048 &&
+chmod 600 QMAIL/control/dh2048.new &&
+chown UGQMAILD QMAIL/control/dh2048.new &&
+mv -f QMAIL/control/dh2048.new QMAIL/control/dh2048.pem
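Review bot: The script's exit status never reflects a failure of the first chain: if `openssl genrsa`, `chmod` or `chown` fails, the `&&` chain stops but execution continues at `echo` and the DH block, and the script exits with the status of the final `mv`, so a caller cannot tell that the RSA key was not rotated. Appending `|| exit 1` to each chain, or adding `set -e` after the shebang, makes the failure visible. `umask 0077 || exit 0` likewise exits successfully when the umask cannot be set, which is exactly the case where continuing would write the `.new` key files with wider permissions; `|| exit 1` is presumably what was meant.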