From: Timo Sirainen <tss@iki.fi>
Date: Sat, 1 Nov 2014 00:05:31 +0000 (-0700)
Subject: ssl-params: Use lib-ssl-iostream's ssl_iostream_generate_params() instead of OpenSSL... 
X-Git-Tag: 2.2.16.rc1~255
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=bc7c48e8b63f1abffb36daf97b7c1c8722b43372;p=thirdparty%2Fdovecot%2Fcore.git

ssl-params: Use lib-ssl-iostream's ssl_iostream_generate_params() instead of OpenSSL directly
---

diff --git a/src/ssl-params/Makefile.am b/src/ssl-params/Makefile.am
index 65db579c0c..e0724ecdb5 100644
--- a/src/ssl-params/Makefile.am
+++ b/src/ssl-params/Makefile.am
@@ -6,14 +6,14 @@ AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/lib \
 	-I$(top_srcdir)/src/lib-master \
 	-I$(top_srcdir)/src/lib-settings \
+	-I$(top_srcdir)/src/lib-ssl-iostream \
 	-DPKG_STATEDIR=\""$(statedir)"\"
 
-ssl_params_LDADD = $(LIBDOVECOT) $(SSL_LIBS)
-ssl_params_DEPENDENCIES = $(LIBDOVECOT_DEPS)
+ssl_params_LDADD = $(LIBDOVECOT) ../lib-ssl-iostream/libssl_iostream.la
+ssl_params_DEPENDENCIES = $(LIBDOVECOT_DEPS) ../lib-ssl-iostream/libssl_iostream.la
 ssl_params_SOURCES = \
 	main.c \
 	ssl-params.c \
-	ssl-params-openssl.c \
 	ssl-params-settings.c
 
 noinst_HEADERS = \
diff --git a/src/ssl-params/ssl-params-openssl.c b/src/ssl-params/ssl-params-openssl.c
deleted file mode 100644
index 38392d8553..0000000000
--- a/src/ssl-params/ssl-params-openssl.c
+++ /dev/null
@@ -1,71 +0,0 @@
-/* Copyright (c) 2002-2014 Dovecot authors, see the included COPYING file */
-
-#include "lib.h"
-#include "write-full.h"
-#include "ssl-params.h"
-
-#ifdef HAVE_OPENSSL
-
-#include <openssl/err.h>
-#include <openssl/ssl.h>
-
-/* 2 or 5. Haven't seen their difference explained anywhere, but 2 is the
-   default.. */
-#define DH_GENERATOR 2
-
-static const char *ssl_last_error(void)
-{
-	unsigned long err;
-	char *buf;
-	size_t err_size = 256;
-
-	err = ERR_get_error();
-	if (err == 0)
-		return strerror(errno);
-
-	buf = t_malloc(err_size);
-	buf[err_size-1] = '\0';
-	ERR_error_string_n(err, buf, err_size-1);
-	return buf;
-}
-
-static bool generate_dh_parameters(int bitsize, int fd, const char *fname)
-{
-        DH *dh = DH_generate_parameters(bitsize, DH_GENERATOR, NULL, NULL);
-	unsigned char *buf, *p;
-	int len;
-
-	if (dh == NULL)
-		return FALSE;
-
-	len = i2d_DHparams(dh, NULL);
-	if (len < 0)
-		i_fatal("i2d_DHparams() failed: %s", ssl_last_error());
-
-	buf = p = i_malloc(len);
-	len = i2d_DHparams(dh, &p);
-
-	if (write_full(fd, &bitsize, sizeof(bitsize)) < 0 ||
-	    write_full(fd, &len, sizeof(len)) < 0 ||
-	    write_full(fd, buf, len) < 0)
-		i_fatal("write_full() failed for file %s: %m", fname);
-	i_free(buf);
-	return TRUE;
-}
-
-void ssl_generate_parameters(int fd, unsigned int dh_length, const char *fname)
-{
-	int bits;
-
-	/* this fails in FIPS mode */
-	(void)generate_dh_parameters(512, fd, fname);
-	if (!generate_dh_parameters(dh_length, fd, fname)) {
-		i_fatal("DH_generate_parameters(bits=%d, gen=%d) failed: %s",
-			dh_length, DH_GENERATOR, ssl_last_error());
-	}
-	bits = 0;
-	if (write_full(fd, &bits, sizeof(bits)) < 0)
-		i_fatal("write_full() failed for file %s: %m", fname);
-}
-
-#endif
diff --git a/src/ssl-params/ssl-params.c b/src/ssl-params/ssl-params.c
index 0761be4621..fae2b56a00 100644
--- a/src/ssl-params/ssl-params.c
+++ b/src/ssl-params/ssl-params.c
@@ -5,9 +5,11 @@
 #include "buffer.h"
 #include "file-lock.h"
 #include "read-full.h"
+#include "write-full.h"
 #include "master-interface.h"
 #include "master-service.h"
 #include "master-service-settings.h"
+#include "iostream-ssl.h"
 #include "ssl-params-settings.h"
 #include "ssl-params.h"
 
@@ -38,11 +40,12 @@ static void
 ssl_params_if_unchanged(const char *path, time_t mtime,
 			unsigned int ssl_dh_parameters_length ATTR_UNUSED)
 {
-	const char *temp_path;
+	const char *temp_path, *error;
 	struct file_lock *lock;
 	struct stat st, st2;
 	mode_t old_mask;
 	int fd, ret;
+	buffer_t *buf;
 
 #ifdef HAVE_SETPRIORITY
 	if (setpriority(PRIO_PROCESS, 0, SSL_PARAMS_PRIORITY) < 0)
@@ -99,9 +102,15 @@ ssl_params_if_unchanged(const char *path, time_t mtime,
 		i_fatal("ftruncate(%s) failed: %m", temp_path);
 
 	i_info("Generating SSL parameters");
-#ifdef HAVE_SSL
-	ssl_generate_parameters(fd, ssl_dh_parameters_length, temp_path);
-#endif
+
+	buf = buffer_create_dynamic(pool_datastack_create(), 1024);
+	if (ssl_iostream_generate_params(buf, ssl_dh_parameters_length,
+					 &error) < 0) {
+		i_fatal("ssl_iostream_generate_params(%u) failed: %s",
+			ssl_dh_parameters_length, error);
+	}
+	if (write_full(fd, buf->data, buf->used) < 0)
+		i_fatal("write(%s) failed: %m", temp_path);
 
 	if (rename(temp_path, path) < 0)
 		i_fatal("rename(%s, %s) failed: %m", temp_path, path);
diff --git a/src/ssl-params/ssl-params.h b/src/ssl-params/ssl-params.h
index 19d8f6e9db..1af2b6f2ed 100644
--- a/src/ssl-params/ssl-params.h
+++ b/src/ssl-params/ssl-params.h
@@ -12,6 +12,4 @@ void ssl_params_deinit(struct ssl_params **param);
 
 void ssl_params_refresh(struct ssl_params *param);
 
-void ssl_generate_parameters(int fd, unsigned int dh_length, const char *fname);
-
 #endif