From: Timo Sirainen
Date: Tue, 31 Oct 2017 23:40:23 +0000 (+0200)
Subject: lib-ssl-iostream: Add io_stream_ssl_global_init()
X-Git-Tag: 2.3.0.rc1~514
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=15aa67e8a9dd7fc631d58ce13c54fe004bb4d0c1;p=thirdparty%2Fdovecot%2Fcore.git
lib-ssl-iostream: Add io_stream_ssl_global_init()
---
diff --git a/src/lib-ssl-iostream/iostream-openssl-context.c b/src/lib-ssl-iostream/iostream-openssl-context.c
index ae35005fa1..d83bccc615 100644
--- a/src/lib-ssl-iostream/iostream-openssl-context.c
+++ b/src/lib-ssl-iostream/iostream-openssl-context.c
@@ -23,9 +23,6 @@ struct ssl_iostream_password_context {
 static bool ssl_global_initialized = FALSE;
 int dovecot_ssl_extdata_index;
-static int ssl_iostream_init_global(const struct ssl_iostream_settings *set,
- const char **error_r);
-
 static RSA *ssl_gen_rsa_key(SSL *ssl ATTR_UNUSED, int is_export ATTR_UNUSED, int keylength)
 {
@@ -580,8 +577,6 @@ int openssl_iostream_context_init_client(const struct ssl_iostream_settings *set
 struct ssl_iostream_context *ctx;
 SSL_CTX *ssl_ctx;
- if (ssl_iostream_init_global(set, error_r) < 0)
- return -1;
 if ((ssl_ctx = SSL_CTX_new(SSLv23_client_method())) == NULL) {
 *error_r = t_strdup_printf("SSL_CTX_new() failed: %s", openssl_iostream_error());
@@ -608,8 +603,6 @@ int openssl_iostream_context_init_server(const struct ssl_iostream_settings *set
 struct ssl_iostream_context *ctx;
 SSL_CTX *ssl_ctx;
- if (ssl_iostream_init_global(set, error_r) < 0)
- return -1;
 if ((ssl_ctx = SSL_CTX_new(SSLv23_server_method())) == NULL) {
 *error_r = t_strdup_printf("SSL_CTX_new() failed: %s", openssl_iostream_error());
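Review bot: The `@@ -580` and `@@ -608` hunks remove the only initialization guard from openssl_iostream_context_init_client()/server(), which stay exported through iostream-openssl.h, so a direct caller that never went through io_stream_ssl_global_init() now creates an SSL_CTX before the library-wide setup (presumably including the `dovecot_ssl_extdata_index` allocation declared next to the `ssl_global_initialized` flag in the first hunk) has run. Since that static flag is kept, a precondition at the top of both functions would turn such misuse into a loud failure instead of a silently half-initialized backend, e.g. `i_assert(ssl_global_initialized);`, or, for a soft failure, `if (!ssl_global_initialized) { *error_r = "SSL library not initialized"; return -1; }`. Whether openssl_iostream_global_init() actually sets that flag cannot be confirmed here, because its body lies outside the `@@ -651` hunk. Both function bodies continue past the hunks.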
@@ -651,8 +644,8 @@ void openssl_iostream_global_deinit(void)
 dovecot_openssl_common_global_unref();
 }
-static int ssl_iostream_init_global(const struct ssl_iostream_settings *set,
- const char **error_r)
+int openssl_iostream_global_init(const struct ssl_iostream_settings *set,
+ const char **error_r)
 {
 static char dovecot[] = "dovecot";
 const char *error;
diff --git a/src/lib-ssl-iostream/iostream-openssl.c b/src/lib-ssl-iostream/iostream-openssl.c
index e960f485ef..539b954588 100644
--- a/src/lib-ssl-iostream/iostream-openssl.c
+++ b/src/lib-ssl-iostream/iostream-openssl.c
@@ -798,6 +798,7 @@ openssl_iostream_get_last_error(struct ssl_iostream *ssl_io)
 }
 static const struct iostream_ssl_vfuncs ssl_vfuncs = {
+ .global_init = openssl_iostream_global_init,
 .context_init_client = openssl_iostream_context_init_client,
 .context_init_server = openssl_iostream_context_init_server,
 .context_ref = openssl_iostream_context_ref,
diff --git a/src/lib-ssl-iostream/iostream-openssl.h b/src/lib-ssl-iostream/iostream-openssl.h
index caa34ed1f2..137e0bfafb 100644
--- a/src/lib-ssl-iostream/iostream-openssl.h
+++ b/src/lib-ssl-iostream/iostream-openssl.h
@@ -73,6 +73,9 @@ extern int dovecot_ssl_extdata_index;
 struct istream *openssl_i_stream_create_ssl(struct ssl_iostream *ssl_io);
 struct ostream *openssl_o_stream_create_ssl(struct ssl_iostream *ssl_io);
+int openssl_iostream_global_init(const struct ssl_iostream_settings *set,
+ const char **error_r);
+
 int openssl_iostream_context_init_client(const struct ssl_iostream_settings *set, struct ssl_iostream_context **ctx_r, const char **error_r);
diff --git a/src/lib-ssl-iostream/iostream-ssl-private.h b/src/lib-ssl-iostream/iostream-ssl-private.h
index 19b581e28a..430dbc5f73 100644
--- a/src/lib-ssl-iostream/iostream-ssl-private.h
+++ b/src/lib-ssl-iostream/iostream-ssl-private.h
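Review bot: The prototype added in the iostream-openssl.h hunk promotes a formerly static helper to an exported entry point without stating its contract, and that contract now matters because the generic layer calls it on every context creation and the public header invites arbitrary callers to invoke it early. A comment above the prototype would pin what the vfunc table relies on, e.g. `/* Backend for io_stream_ssl_global_init(): one-time library setup from *set; repeated calls are expected to be no-ops. Returns 0, or -1 with *error_r set. */`. The no-op-on-repeat property is asserted only by the new iostream-ssl.h comment, not shown by this diff (the function body is outside the `@@ -651` hunk), so verify it before documenting it as a guarantee.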
@@ -4,6 +4,8 @@
 #include "iostream-ssl.h"
 struct iostream_ssl_vfuncs {
+ int (*global_init)(const struct ssl_iostream_settings *set,
+ const char **error_r);
 int (*context_init_client)(const struct ssl_iostream_settings *set, struct ssl_iostream_context **ctx_r, const char **error_r);
diff --git a/src/lib-ssl-iostream/iostream-ssl.c b/src/lib-ssl-iostream/iostream-ssl.c
index 2daa04e1b1..79722a4bdf 100644
--- a/src/lib-ssl-iostream/iostream-ssl.c
+++ b/src/lib-ssl-iostream/iostream-ssl.c
@@ -76,6 +76,12 @@ int ssl_module_load(const char **error_r)
 #endif
 }
+int io_stream_ssl_global_init(const struct ssl_iostream_settings *set,
+ const char **error_r)
+{
+ return ssl_vfuncs->global_init(set, error_r);
+}
+
 int ssl_iostream_context_init_client(const struct ssl_iostream_settings *set, struct ssl_iostream_context **ctx_r, const char **error_r)
@@ -89,6 +95,8 @@ int ssl_iostream_context_init_client(const struct ssl_iostream_settings *set,
 if (ssl_module_load(error_r) < 0)
 return -1;
 }
+ if (io_stream_ssl_global_init(&set_copy, error_r) < 0)
+ return -1;
 return ssl_vfuncs->context_init_client(&set_copy, ctx_r, error_r);
 }
@@ -100,6 +108,8 @@ int ssl_iostream_context_init_server(const struct ssl_iostream_settings *set,
 if (ssl_module_load(error_r) < 0)
 return -1;
 }
+ if (io_stream_ssl_global_init(set, error_r) < 0)
+ return -1;
 return ssl_vfuncs->context_init_server(set, ctx_r, error_r);
 }
diff --git a/src/lib-ssl-iostream/iostream-ssl.h b/src/lib-ssl-iostream/iostream-ssl.h
index cee3810a10..80a681b99f 100644
--- a/src/lib-ssl-iostream/iostream-ssl.h
+++ b/src/lib-ssl-iostream/iostream-ssl.h
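Review bot: `global_init` is inserted as the first member of struct iostream_ssl_vfuncs, which shifts the offset of every existing function pointer; because `ssl_vfuncs` is obtained via ssl_module_load() from a separately built module, a module compiled against the old layout would be dispatched through the wrong slot (its context_init_client would be invoked as global_init with a mismatched signature), unless module loading already rejects a mismatched ABI, which this diff does not show. Please confirm that ssl_module_load() enforces a version check, and give the new field a contract comment such as `/* One-time library setup; must tolerate repeated calls. 0 on success, -1 with *error_r set. */`. The struct body continues past the hunk.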
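Review bot: io_stream_ssl_global_init() dereferences `ssl_vfuncs` unconditionally in the `@@ -76` hunk, while its two callers in the following hunks only reach it after a guarded ssl_module_load(); the new public comment explicitly invites callers to invoke it "earlier in case of chrooting", i.e. before any context exists, and such a caller would dereference a NULL vfunc table. The function should load the module itself, mirroring the guard used in ssl_iostream_context_init_client() (the head of that conditional is outside the hunk, presumably a NULL check on ssl_vfuncs): `if (ssl_vfuncs == NULL && ssl_module_load(error_r) < 0) return -1;` placed before `return ssl_vfuncs->global_init(set, error_r);`. Without it the one use case the function was added for is the one that crashes.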
@@ -47,6 +47,13 @@ ssl_iostream_handshake_callback_t(const char **error_r, void *context);
 typedef int ssl_iostream_sni_callback_t(const char *name, const char **error_r, void *context);
+/* Explicitly initialize SSL library globally. This is also done automatically
+ when the first SSL connection is created, but it may be useful to call it
+ earlier in case of chrooting. After the initialization is successful, any
+ further calls will just be ignored. Returns 0 on success, -1 on error. */
+int io_stream_ssl_global_init(const struct ssl_iostream_settings *set,
+ const char **error_r);
+
 int io_stream_create_ssl_client(struct ssl_iostream_context *ctx, const char *host, const struct ssl_iostream_settings *set, struct istream **input, struct ostream **output,
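Review bot: The new comment says initialization "is also done automatically when the first SSL connection is created", but the iostream-ssl.c hunks call it from ssl_iostream_context_init_client()/server(), i.e. at context creation, which a pre-chroot caller needs to know since that is the point they are preempting. It also leaves implicit that `set` from any later call is discarded, so whichever caller runs first fixes the library-wide settings for the whole process, which is a security-relevant detail for anyone calling it early with provisional settings. Suggested replacements for those two sentences: `This is otherwise done by the first ssl_iostream_context_init_client()/server() call, but it may be useful to call it earlier, e.g. before chrooting.` and `Once it has succeeded, later calls are no-ops and their *set is ignored, so pass the final settings.`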