diff options
author | John Denker <jsd@av8n.com> | 2016-01-01 11:17:17 -0700 |
---|---|---|
committer | John Denker <jsd@av8n.com> | 2016-01-01 16:34:35 -0800 |
commit | 0fefe3a661fb5155f811d5a6412194a566f7de0a (patch) | |
tree | 11a712a24d842e9eeb58afcce80fcf75742ba121 | |
parent | 67c1e178e1f1d171181e574186468b68a810ee25 (diff) |
newly created files now added to repo
-rw-r--r-- | Makefile-cert.mk | 21 | ||||
-rw-r--r-- | ssl_timeoutio.c | 95 | ||||
-rw-r--r-- | ssl_timeoutio.h | 21 | ||||
-rw-r--r-- | tls.c | 25 | ||||
-rw-r--r-- | tls.h | 16 | ||||
-rw-r--r-- | update_tmprsadh.sh | 19 |
6 files changed, 197 insertions, 0 deletions
diff --git a/Makefile-cert.mk b/Makefile-cert.mk new file mode 100644 index 0000000..d869999 --- /dev/null +++ b/Makefile-cert.mk @@ -0,0 +1,21 @@ +cert-req: req.pem +cert cert-req: QMAIL/control/clientcert.pem + @: + +QMAIL/control/clientcert.pem: QMAIL/control/servercert.pem + ln -s $< $@ + +QMAIL/control/servercert.pem: + PATH=$$PATH:/usr/local/ssl/bin \ + openssl req -new -x509 -nodes -days 366 -out $@ -keyout $@ + chmod 640 $@ + chown `head -2 conf-users | tail -1`:`head -1 conf-groups` $@ + +req.pem: + PATH=$$PATH:/usr/local/ssl/bin openssl req \ + -new -nodes -out $@ -keyout QMAIL/control/servercert.pem + chmod 640 QMAIL/control/servercert.pem + chown `head -2 conf-users | tail -1`:`head -1 conf-groups` QMAIL/control/servercert.pem + @echo + @echo "Send req.pem to your CA to obtain signed_req.pem, and do:" + @echo "cat signed_req.pem >> QMAIL/control/servercert.pem" diff --git a/ssl_timeoutio.c b/ssl_timeoutio.c new file mode 100644 index 0000000..5b2dc9d --- /dev/null +++ b/ssl_timeoutio.c @@ -0,0 +1,95 @@ +#include "select.h" +#include "error.h" +#include "ndelay.h" +#include "now.h" +#include "ssl_timeoutio.h" + +int ssl_timeoutio(int (*fun)(), + int t, int rfd, int wfd, SSL *ssl, char *buf, int len) +{ + int n; + const datetime_sec end = (datetime_sec)t + now(); + + do { + fd_set fds; + struct timeval tv; + + const int r = buf ? fun(ssl, buf, len) : fun(ssl); + if (r > 0) return r; + + t = end - now(); + if (t < 0) break; + tv.tv_sec = (time_t)t; tv.tv_usec = 0; + + FD_ZERO(&fds); + switch (SSL_get_error(ssl, r)) + { + default: return r; /* some other error */ + case SSL_ERROR_WANT_READ: + FD_SET(rfd, &fds); n = select(rfd + 1, &fds, NULL, NULL, &tv); + break; + case SSL_ERROR_WANT_WRITE: + FD_SET(wfd, &fds); n = select(wfd + 1, NULL, &fds, NULL, &tv); + break; + } + + /* n is the number of descriptors that changed status */ + } while (n > 0); + + if (n != -1) errno = error_timeout; + return -1; +} + +int ssl_timeoutaccept(int t, int rfd, int wfd, SSL *ssl) +{ + int r; + + /* if connection is established, keep NDELAY */ + if (ndelay_on(rfd) == -1 || ndelay_on(wfd) == -1) return -1; + r = ssl_timeoutio(SSL_accept, t, rfd, wfd, ssl, NULL, 0); + + if (r <= 0) { ndelay_off(rfd); ndelay_off(wfd); } + else SSL_set_mode(ssl, SSL_MODE_ENABLE_PARTIAL_WRITE); + + return r; +} + +int ssl_timeoutconn(int t, int rfd, int wfd, SSL *ssl) +{ + int r; + + /* if connection is established, keep NDELAY */ + if (ndelay_on(rfd) == -1 || ndelay_on(wfd) == -1) return -1; + r = ssl_timeoutio(SSL_connect, t, rfd, wfd, ssl, NULL, 0); + + if (r <= 0) { ndelay_off(rfd); ndelay_off(wfd); } + else SSL_set_mode(ssl, SSL_MODE_ENABLE_PARTIAL_WRITE); + + return r; +} + +int ssl_timeoutrehandshake(int t, int rfd, int wfd, SSL *ssl) +{ + int r; + + SSL_renegotiate(ssl); + r = ssl_timeoutio(SSL_do_handshake, t, rfd, wfd, ssl, NULL, 0); + if (r <= 0 || ssl->type == SSL_ST_CONNECT) return r; + + /* this is for the server only */ + ssl->state = SSL_ST_ACCEPT; + return ssl_timeoutio(SSL_do_handshake, t, rfd, wfd, ssl, NULL, 0); +} + +int ssl_timeoutread(int t, int rfd, int wfd, SSL *ssl, char *buf, int len) +{ + if (!buf) return 0; + if (SSL_pending(ssl)) return SSL_read(ssl, buf, len); + return ssl_timeoutio(SSL_read, t, rfd, wfd, ssl, buf, len); +} + +int ssl_timeoutwrite(int t, int rfd, int wfd, SSL *ssl, char *buf, int len) +{ + if (!buf) return 0; + return ssl_timeoutio(SSL_write, t, rfd, wfd, ssl, buf, len); +} diff --git a/ssl_timeoutio.h b/ssl_timeoutio.h new file mode 100644 index 0000000..073cb67 --- /dev/null +++ b/ssl_timeoutio.h @@ -0,0 +1,21 @@ +#ifndef SSL_TIMEOUTIO_H +#define SSL_TIMEOUTIO_H + +#include <openssl/ssl.h> + +/* the version is like this: 0xMNNFFPPS: major minor fix patch status */ +#if OPENSSL_VERSION_NUMBER < 0x00906000L +# error "Need OpenSSL version at least 0.9.6" +#endif + +int ssl_timeoutconn(int t, int rfd, int wfd, SSL *ssl); +int ssl_timeoutaccept(int t, int rfd, int wfd, SSL *ssl); +int ssl_timeoutrehandshake(int t, int rfd, int wfd, SSL *ssl); + +int ssl_timeoutread(int t, int rfd, int wfd, SSL *ssl, char *buf, int len); +int ssl_timeoutwrite(int t, int rfd, int wfd, SSL *ssl, char *buf, int len); + +int ssl_timeoutio( + int (*fun)(), int t, int rfd, int wfd, SSL *ssl, char *buf, int len); + +#endif @@ -0,0 +1,25 @@ +#include "exit.h" +#include "error.h" +#include <openssl/ssl.h> +#include <openssl/err.h> + +int smtps = 0; +SSL *ssl = NULL; + +void ssl_free(SSL *myssl) { SSL_shutdown(myssl); SSL_free(myssl); } +void ssl_exit(int status) { if (ssl) ssl_free(ssl); _exit(status); } + +const char *ssl_error() +{ + int r = ERR_get_error(); + if (!r) return NULL; + SSL_load_error_strings(); + return ERR_error_string(r, NULL); +} +const char *ssl_error_str() +{ + const char *err = ssl_error(); + if (err) return err; + if (!errno) return 0; + return (errno == error_timeout) ? "timed out" : error_str(errno); +} @@ -0,0 +1,16 @@ +#ifndef TLS_H +#define TLS_H + +#include <openssl/ssl.h> + +extern int smtps; +extern SSL *ssl; + +void ssl_free(SSL *myssl); +void ssl_exit(int status); +# define _exit ssl_exit + +const char *ssl_error(); +const char *ssl_error_str(); + +#endif diff --git a/update_tmprsadh.sh b/update_tmprsadh.sh new file mode 100644 index 0000000..beab94f --- /dev/null +++ b/update_tmprsadh.sh @@ -0,0 +1,19 @@ +#!/bin/sh + +# Update temporary RSA and DH keys +# Frederik Vermeulen 2004-05-31 GPL + +umask 0077 || exit 0 + +export PATH="$PATH:/usr/local/bin/ssl:/usr/sbin" + +openssl genrsa -out QMAIL/control/rsa2048.new 2048 && +chmod 600 QMAIL/control/rsa2048.new && +chown UGQMAILD QMAIL/control/rsa2048.new && +mv -f QMAIL/control/rsa2048.new QMAIL/control/rsa2048.pem +echo + +openssl dhparam -2 -out QMAIL/control/dh2048.new 2048 && +chmod 600 QMAIL/control/dh2048.new && +chown UGQMAILD QMAIL/control/dh2048.new && +mv -f QMAIL/control/dh2048.new QMAIL/control/dh2048.pem |