dovecot -p (ask ssl key password from command line) works again.
authorTimo Sirainen <tss@iki.fi>
Wed, 9 Sep 2009 00:00:18 +0000 (20:00 -0400)
committerTimo Sirainen <tss@iki.fi>
Wed, 9 Sep 2009 00:00:18 +0000 (20:00 -0400)
--HG--
branch : HEAD

src/login-common/ssl-proxy-openssl.c
src/master/Makefile.am
src/master/common.h
src/master/main.c
src/master/service-process.c
src/master/service.c
src/master/service.h

index 82ceff173b918c061e9fa1670ee3745590b85a32..9fc768de12c5519800d0b35c0823be99b243e484 100644 (file)
@@ -889,16 +889,19 @@ static EVP_PKEY *ssl_proxy_load_key(const struct login_settings *set)
 {
        EVP_PKEY *pkey;
        BIO *bio;
-       char *password;
+       const char *password;
+       char *dup_password;
 
        bio = BIO_new_mem_buf(t_strdup_noconst(set->ssl_key),
                              strlen(set->ssl_key));
        if (bio == NULL)
                i_fatal("BIO_new_mem_buf() failed");
 
-       password = t_strdup_noconst(set->ssl_key_password);
+       password = *set->ssl_key_password != '\0' ? set->ssl_key_password :
+               getenv("SSL_KEY_PASSWORD");
+       dup_password = t_strdup_noconst(password);
        pkey = PEM_read_bio_PrivateKey(bio, NULL, pem_password_callback,
-                                      password);
+                                      dup_password);
        if (pkey == NULL)
                i_fatal("Couldn't parse private ssl_key");
        BIO_free(bio);
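Review bot: The new dup_password copy is not wiped anywhere in this hunk, while the third hunk of this file removes the `safe_memset(password, 0, strlen(password))` that previously cleared the password copy once the key was loaded; unless the remainder of ssl_proxy_load_key (which continues past this hunk) does so, the plaintext copy stays on the data stack until that memory is recycled. I would add `if (dup_password != NULL) safe_memset(dup_password, 0, strlen(dup_password));` directly after the PEM_read_bio_PrivateKey() call. The NULL guard is needed because `getenv("SSL_KEY_PASSWORD")` returns NULL when neither the setting nor the variable is present; whether t_strdup_noconst() and pem_password_callback tolerate a NULL there is not visible here and should be confirmed. A short comment above the getenv() fallback, e.g. `/* password from -p is handed over by master in SSL_KEY_PASSWORD */`, would explain where the variable comes from.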
@@ -980,8 +983,6 @@ end:
 
 static void ssl_proxy_init_server(const struct login_settings *set)
 {
-       char *password;
-
        if ((ssl_server_ctx = SSL_CTX_new(SSLv23_server_method())) == NULL)
                i_fatal("SSL_CTX_new() failed");
        ssl_proxy_ctx_init(ssl_server_ctx, set);
@@ -997,13 +998,7 @@ static void ssl_proxy_init_server(const struct login_settings *set)
                        ssl_proxy_get_use_certificate_error(set->ssl_cert));
        }
 
-       password = t_strdup_noconst(set->ssl_key_password);
-        SSL_CTX_set_default_passwd_cb(ssl_server_ctx, pem_password_callback);
-        SSL_CTX_set_default_passwd_cb_userdata(ssl_server_ctx, password);
-
        ssl_proxy_ctx_use_key(ssl_server_ctx, set);
-       safe_memset(password, 0, strlen(password));
-
        if (set->verbose_ssl)
                SSL_CTX_set_info_callback(ssl_server_ctx, ssl_info_callback);
 
index 52eaee536dcf0cda18a2df255d161b01c0de41ec..26f8fe47c7c79a1453a7292f7c371d742b6d6ca6 100644 (file)
@@ -20,6 +20,7 @@ dovecot_LDADD = $(libs)
 dovecot_DEPENDENCIES = $(libs)
 
 dovecot_SOURCES = \
+       askpass.c \
        capabilities-posix.c \
        dup2-array.c \
        main.c \
@@ -35,6 +36,7 @@ dovecot_SOURCES = \
        service.c
 
 noinst_HEADERS = \
+       askpass.h \
        capabilities.h \
        common.h \
        dup2-array.h \
index 89e46b06bc3c740e6a2550c40443350f7d466037..ee365bf18ec531f94047c8d42a315b05f881630b 100644 (file)
@@ -11,6 +11,7 @@ extern uid_t master_uid;
 extern gid_t master_gid;
 extern bool auth_success_written;
 extern bool core_dumps_disabled;
+extern char ssl_manual_key_password[];
 extern int null_fd;
 extern struct service_list *services;
 
index fd55a7d96825bae757048f8170fbdc007ae9dc3f..e4dc59b522a2cf9016769045da5fc2313b1e9972 100644 (file)
@@ -11,6 +11,7 @@
 #include "restrict-process-size.h"
 #include "master-service.h"
 #include "master-service-settings.h"
+#include "askpass.h"
 #include "capabilities.h"
 #include "service.h"
 #include "service-listen.h"
@@ -37,6 +38,7 @@ uid_t master_uid;
 gid_t master_gid;
 bool auth_success_written;
 bool core_dumps_disabled;
+char ssl_manual_key_password[100];
 int null_fd;
 struct service_list *services;
 
@@ -737,16 +739,11 @@ int main(int argc, char *argv[])
                auth_warning_print(set);
        }
 
-#if 0 // FIXME
        if (ask_key_pass) {
-               const char *prompt;
-
-               prompt = t_strdup_printf("Give the password for SSL key file "
-                                        "%s: ", set->ssl_key_file);
-               askpass(prompt, ssl_manual_key_password,
+               askpass("Give the password for SSL keys",
+                       ssl_manual_key_password,
                        sizeof(ssl_manual_key_password));
        }
-#endif
 
        /* save TZ environment. AIX depends on it to get the timezone
           correctly. */
index 63687334377376962514a2b1881dea99ceecca90..008ce86d637b4eeb11bf478867761c5ba0deaa10 100644 (file)
@@ -458,6 +458,13 @@ handle_request(const struct service_process_auth_request *request)
 
        env_put(t_strconcat("LOCAL_IP=", net_ip2addr(&request->local_ip), NULL));
        env_put(t_strconcat("IP=", net_ip2addr(&request->remote_ip), NULL));
+       if (*ssl_manual_key_password != '\0' &&
+           request->process->process.service->have_inet_listeners) {
+               /* manually given SSL password. give it only to services
+                  that have inet listeners. */
+               env_put(t_strconcat("SSL_KEY_PASSWORD=",
+                                   ssl_manual_key_password, NULL));
+       }
 }
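Review bot: The password is handed to the child through its environment, which the login process inherits into anything it later execs and which, on most systems, other processes under the same uid can read; the have_inet_listeners check keeps it away from services that never load a key, but the consumer should also drop the variable once the key is loaded, e.g. `unsetenv("SSL_KEY_PASSWORD")` right after the getenv() in ssl_proxy_load_key, unless the login process already scrubs its environment elsewhere, which I cannot see from this hunk. The existing two-line comment could state that explicitly: `/* manually given SSL password. give it only to services that have inet listeners; the receiver must clear it after use. */`. handle_request() begins outside the hunk.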
 
 struct service_process *
index 9bf35353a9a7a846ba809a3f44f04a71a4386411..99052855a11709dfe7d8c725aa1bfc7997613482 100644 (file)
@@ -293,6 +293,7 @@ service_create(pool_t pool, const struct service_settings *set,
                if (service_create_inet_listeners(service, inet_listeners[i],
                                                  error_r) < 0)
                        return NULL;
+               service->have_inet_listeners = TRUE;
        }
 
        return service;
index 7653a2b0770bc8e45792a77f8f4f20ce64953d53..b1a30cbafbe80e58c717f552880d7b1233ed4dd3 100644 (file)
@@ -93,6 +93,8 @@ struct service {
        unsigned int listen_pending:1;
        /* service is currently listening for new connections */
        unsigned int listening:1;
+       /* TRUE if service has at least one inet_listener */
+       unsigned int have_inet_listeners:1;
 };
 
 struct service_list {