diff --git a/configure.ac b/configure.ac
index 0621487945..320670761d 100644
--- a/configure.ac
+++ b/configure.ac
@@ -904,7 +904,6 @@ src/pop3-login/Makefile
 src/replication/Makefile
 src/replication/aggregator/Makefile
 src/replication/replicator/Makefile
-src/ssl-params/Makefile
 src/stats/Makefile
 src/util/Makefile
 src/plugins/Makefile
diff --git a/src/Makefile.am b/src/Makefile.am
index dd76173d8a..9ccd0e745c 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -58,6 +58,5 @@ SUBDIRS = \
 replication \
 util \
 doveadm \
- ssl-params \
 stats \
 plugins
diff --git a/src/lib-ssl-iostream/Makefile.am b/src/lib-ssl-iostream/Makefile.am
index 769de87b28..a0c6d5c08b 100644
--- a/src/lib-ssl-iostream/Makefile.am
+++ b/src/lib-ssl-iostream/Makefile.am
@@ -21,7 +21,6 @@ libssl_iostream_openssl_la_SOURCES = \
 iostream-openssl.c \
 iostream-openssl-common.c \
 iostream-openssl-context.c \
- iostream-openssl-params.c \
 istream-openssl.c \
 ostream-openssl.c
 endif
diff --git a/src/lib-ssl-iostream/iostream-openssl-context.c b/src/lib-ssl-iostream/iostream-openssl-context.c
index 1eafcfa6f8..b1cf1af9b2 100644
--- a/src/lib-ssl-iostream/iostream-openssl-context.c
+++ b/src/lib-ssl-iostream/iostream-openssl-context.c
@@ -516,7 +516,6 @@ int openssl_iostream_context_init_server(const struct ssl_iostream_settings *set
 void openssl_iostream_context_deinit(struct ssl_iostream_context *ctx)
 {
 SSL_CTX_free(ctx->ssl_ctx);
- openssl_iostream_context_free_params(ctx);
 pool_unref(&ctx->pool);
 i_free(ctx);
 }
diff --git a/src/lib-ssl-iostream/iostream-openssl-params.c b/src/lib-ssl-iostream/iostream-openssl-params.c
deleted file mode 100644
index 74bb3fbb55..0000000000
--- a/src/lib-ssl-iostream/iostream-openssl-params.c
+++ /dev/null
@@ -1,132 +0,0 @@
-/* Copyright (c) 2009-2016 Dovecot authors, see the included COPYING file */
-
-#include "lib.h"
-#include "buffer.h"
-#include "iostream-openssl.h"
-
-/* 2 or 5. Haven't seen their difference explained anywhere, but 2 is the
- default.. */
-#define DH_GENERATOR 2
-
-static int
-generate_dh_parameters(int bitsize, buffer_t *output, const char **error_r)
-{
- DH *dh;
- unsigned char *p;
- int len, len2;
-
- dh = DH_generate_parameters(bitsize, DH_GENERATOR, NULL, NULL);
- if (dh == NULL) {
- *error_r = t_strdup_printf(
- "DH_generate_parameters(bits=%d, gen=%d) failed: %s",
- bitsize, DH_GENERATOR, openssl_iostream_error());
- return -1;
- }
-
- len = i2d_DHparams(dh, NULL);
- if (len < 0) {
- *error_r = t_strdup_printf("i2d_DHparams() failed: %s",
- openssl_iostream_error());
- DH_free(dh);
- return -1;
- }
-
- buffer_append(output, &bitsize, sizeof(bitsize));
- buffer_append(output, &len, sizeof(len));
-
- p = buffer_append_space_unsafe(output, len);
- len2 = i2d_DHparams(dh, &p);
- i_assert(len == len2);
- DH_free(dh);
- return 0;
-}
-
-int openssl_iostream_generate_params(buffer_t *output, unsigned int dh_length,
- const char **error_r)
-{
- if (generate_dh_parameters(512, output, error_r) < 0)
- return -1;
- if (dh_length != 512) {
- if (generate_dh_parameters(dh_length, output, error_r) < 0)
- return -1;
- }
- buffer_append_zero(output, sizeof(int));
- return 0;
-}
-
-static int read_int(const unsigned char **data, const unsigned char *end)
-{
- unsigned int len = end - *data;
- int ret;
-
- if (len < sizeof(ret))
- return -1;
- memcpy(&ret, *data, sizeof(ret));
- *data += sizeof(ret);
- return ret;
-}
-
-static int
-read_dh_parameters_next(struct ssl_iostream_context *ctx,
- const unsigned char **data, const unsigned char *end)
-{
- const unsigned char *dbuf;
- DH *dh;
- int bits, len, ret = 1;
-
- /* get bit size. 0 ends the DH parameters list. */
- if ((bits = read_int(data, end)) <= 0)
- return bits;
-
- /* get data size */
- if ((len = read_int(data, end)) <= 0 || end - *data < len)
- return -1;
-
- dbuf = *data;
- dh = d2i_DHparams(NULL, &dbuf, len);
- *data += len;
-
- if (dh == NULL)
- return -1;
-
- switch (bits) {
- case 512:
- if (ctx->dh_512 != NULL)
- return -1;
- ctx->dh_512 = dh;
- break;
- default:
- if (ctx->dh_default != NULL)
- return -1;
- ctx->dh_default = dh;
- break;
- }
- return ret;
-}
-
-int openssl_iostream_context_import_params(struct ssl_iostream_context *ctx,
- const buffer_t *input)
-{
- const unsigned char *data, *end;
- int ret;
-
- openssl_iostream_context_free_params(ctx);
-
- data = input->data;
- end = data + input->used;
- while ((ret = read_dh_parameters_next(ctx, &data, end)) > 0) ;
-
- return ret < 0 || data != end ? -1 : 0;
-}
-
-void openssl_iostream_context_free_params(struct ssl_iostream_context *ctx)
-{
- if (ctx->dh_512 != NULL) {
- DH_free(ctx->dh_512);
- ctx->dh_512 = NULL;
- }
- if (ctx->dh_default != NULL) {
- DH_free(ctx->dh_default);
- ctx->dh_default = NULL;
- }
-}
diff --git a/src/lib-ssl-iostream/iostream-openssl.c b/src/lib-ssl-iostream/iostream-openssl.c
index 955010233e..7a25def24d 100644
--- a/src/lib-ssl-iostream/iostream-openssl.c
+++ b/src/lib-ssl-iostream/iostream-openssl.c
@@ -726,9 +726,6 @@ const struct iostream_ssl_vfuncs ssl_vfuncs = { openssl_iostream_context_init_server, openssl_iostream_context_deinit, - openssl_iostream_generate_params, - openssl_iostream_context_import_params, - openssl_iostream_create, openssl_iostream_unref, openssl_iostream_destroy,
diff --git a/src/lib-ssl-iostream/iostream-openssl.h b/src/lib-ssl-iostream/iostream-openssl.h
index 3bfefbf23c..78c4548a4e 100644
--- a/src/lib-ssl-iostream/iostream-openssl.h
+++ b/src/lib-ssl-iostream/iostream-openssl.h
@@ -95,10 +95,4 @@ const char * openssl_iostream_use_certificate_error(const char *cert, const char *set_name); void openssl_iostream_clear_errors(void); -int openssl_iostream_generate_params(buffer_t *output, unsigned int dh_length, - const char **error_r); -int openssl_iostream_context_import_params(struct ssl_iostream_context *ctx, - const buffer_t *input); -void openssl_iostream_context_free_params(struct ssl_iostream_context *ctx); - #endif
diff --git a/src/lib-ssl-iostream/iostream-ssl-private.h b/src/lib-ssl-iostream/iostream-ssl-private.h
index d20d606ddc..9be2bbd1e9 100644
--- a/src/lib-ssl-iostream/iostream-ssl-private.h
+++ b/src/lib-ssl-iostream/iostream-ssl-private.h
@@ -13,11 +13,6 @@ struct iostream_ssl_vfuncs { const char **error_r); void (*context_deinit)(struct ssl_iostream_context *ctx); - int (*generate_params)(buffer_t *output, unsigned int dh_length, - const char **error_r); - int (*context_import_params)(struct ssl_iostream_context *ctx, - const buffer_t *input); - int (*create)(struct ssl_iostream_context *ctx, const char *host, const struct ssl_iostream_settings *set, struct istream **input, struct ostream **output,
diff --git a/src/lib-ssl-iostream/iostream-ssl.c b/src/lib-ssl-iostream/iostream-ssl.c
index 7ff03df300..77349b6c58 100644
--- a/src/lib-ssl-iostream/iostream-ssl.c
+++ b/src/lib-ssl-iostream/iostream-ssl.c
@@ -81,22 +81,6 @@ void ssl_iostream_context_deinit(struct ssl_iostream_context **_ctx) ssl_vfuncs->context_deinit(ctx); } -int ssl_iostream_generate_params(buffer_t *output, unsigned int dh_length, - const char **error_r) -{ - if (!ssl_module_loaded) { - if (ssl_module_load(error_r) < 0) - return -1; - } - return ssl_vfuncs->generate_params(output, dh_length, error_r); -} - -int ssl_iostream_context_import_params(struct ssl_iostream_context *ctx, - const buffer_t *input) -{ - return ssl_vfuncs->context_import_params(ctx, input); -} - int io_stream_create_ssl_client(struct ssl_iostream_context *ctx, const char *host, const struct ssl_iostream_settings *set, struct istream **input, struct ostream **output,
diff --git a/src/lib-ssl-iostream/iostream-ssl.h b/src/lib-ssl-iostream/iostream-ssl.h
index 79d5e0d2b2..9aab8889f4 100644
--- a/src/lib-ssl-iostream/iostream-ssl.h
+++ b/src/lib-ssl-iostream/iostream-ssl.h
@@ -65,11 +65,6 @@ const char *ssl_iostream_get_server_name(struct ssl_iostream *ssl_io); const char *ssl_iostream_get_security_string(struct ssl_iostream *ssl_io); const char *ssl_iostream_get_last_error(struct ssl_iostream *ssl_io); -int ssl_iostream_generate_params(buffer_t *output, unsigned int dh_length, - const char **error_r); -int ssl_iostream_context_import_params(struct ssl_iostream_context *ctx, - const buffer_t *input); - int ssl_iostream_context_init_client(const struct ssl_iostream_settings *set, struct ssl_iostream_context **ctx_r, const char **error_r);
diff --git a/src/ssl-params/Makefile.am b/src/ssl-params/Makefile.am
deleted file mode 100644
index 861dc00fc9..0000000000
--- a/src/ssl-params/Makefile.am
+++ /dev/null
@@ -1,22 +0,0 @@
-pkglibexecdir = $(libexecdir)/dovecot
-
-pkglibexec_PROGRAMS = ssl-params
-
-AM_CPPFLAGS = \
- -I$(top_srcdir)/src/lib \
- -I$(top_srcdir)/src/lib-master \
- -I$(top_srcdir)/src/lib-settings \
- -I$(top_srcdir)/src/lib-ssl-iostream \
- -DPKG_STATEDIR=\""$(statedir)"\" \
- $(BINARY_CFLAGS)
-
-ssl_params_LDADD = $(LIBDOVECOT) $(BINARY_LDFLAGS)
-ssl_params_DEPENDENCIES = $(LIBDOVECOT_DEPS)
-ssl_params_SOURCES = \
- main.c \
- ssl-params.c \
- ssl-params-settings.c
-
-noinst_HEADERS = \
- ssl-params.h \
- ssl-params-settings.h
diff --git a/src/ssl-params/main.c b/src/ssl-params/main.c
deleted file mode 100644
index 1158623c17..0000000000
--- a/src/ssl-params/main.c
+++ /dev/null
@@ -1,161 +0,0 @@
-/* Copyright (c) 2009-2016 Dovecot authors, see the included COPYING file */
-
-#include "lib.h"
-#include "lib-signals.h"
-#include "array.h"
-#include "ostream.h"
-#include "restrict-access.h"
-#include "master-service.h"
-#include "master-service-settings.h"
-#include "ssl-params-settings.h"
-#include "ssl-params.h"
-
-#include
-
-#define SSL_BUILD_PARAM_FNAME "ssl-parameters.dat"
-#define STARTUP_IDLE_TIMEOUT_MSECS 1000
-
-struct client {
- int fd;
- struct ostream *output;
-};
-
-static ARRAY(int) delayed_fds;
-static struct ssl_params *param;
-static buffer_t *ssl_params;
-static struct timeout *to_startup;
-
-static void client_deinit(struct ostream *output)
-{
- o_stream_destroy(&output);
- master_service_client_connection_destroyed(master_service);
-}
-
-static int client_output_flush(struct ostream *output)
-{
- if (o_stream_flush(output) == 0) {
- /* more to come */
- return 0;
- }
- /* finished / disconnected */
- client_deinit(output);
- return -1;
-}
-
-static void client_handle(int fd)
-{
- struct ostream *output;
-
- output = o_stream_create_fd_autoclose(&fd, (size_t)-1);
- if (o_stream_send(output, ssl_params->data, ssl_params->used) < 0 ||
- o_stream_get_buffer_used_size(output) == 0)
- client_deinit(output);
- else {
- o_stream_set_flush_callback(output, client_output_flush,
- output);
- }
-}
-
-static void client_connected(struct master_service_connection *conn)
-{
- if (to_startup != NULL)
- timeout_remove(&to_startup);
- master_service_client_connection_accept(conn);
- if (ssl_params->used == 0) {
- /* waiting for parameter building to finish */
- if (!array_is_created(&delayed_fds))
- i_array_init(&delayed_fds, 32);
- array_append(&delayed_fds, &conn->fd, 1);
- } else {
- client_handle(conn->fd);
- }
-}
-
-static void ssl_params_callback(const unsigned char *data, size_t size)
-{
- const int *fds;
-
- buffer_set_used_size(ssl_params, 0);
- buffer_append(ssl_params, data, size);
-
- if (!array_is_created(&delayed_fds)) {
- /* if we don't get client connections soon, it means master
- ran us at startup to make sure ssl parameters are generated
- asap. if we're here because of that, don't bother hanging
- around to see if we get any client connections. */
- if (to_startup == NULL) {
- to_startup = timeout_add(STARTUP_IDLE_TIMEOUT_MSECS,
- master_service_stop,
- master_service);
- }
- return;
- }
-
- array_foreach(&delayed_fds, fds)
- client_handle(*fds);
- array_free(&delayed_fds);
-}
-
-static void sig_chld(const siginfo_t *si ATTR_UNUSED, void *context ATTR_UNUSED)
-{
- int status;
-
- if (waitpid(-1, &status, WNOHANG) < 0)
- i_error("waitpid() failed: %m");
- else if (status != 0)
- i_error("child process failed with status %d", status);
- else {
- /* params should have been created now. try refreshing. */
- ssl_params_refresh(param);
- }
-}
-
-static void main_init(const struct ssl_params_settings *set)
-{
- const struct master_service_settings *service_set;
- const char *filename;
-
- lib_signals_set_handler(SIGCHLD, LIBSIG_FLAGS_SAFE, sig_chld, NULL);
-
- ssl_params = buffer_create_dynamic(default_pool, 1024);
- service_set = master_service_settings_get(master_service);
- filename = t_strconcat(service_set->state_dir,
- "/"SSL_BUILD_PARAM_FNAME, NULL);
- param = ssl_params_init(filename, ssl_params_callback, set);
-}
-
-static void main_deinit(void)
-{
- ssl_params_deinit(¶m);
- if (to_startup != NULL)
- timeout_remove(&to_startup);
- if (array_is_created(&delayed_fds))
- array_free(&delayed_fds);
-}
-
-int main(int argc, char *argv[])
-{
- const struct ssl_params_settings *set;
-
- master_service = master_service_init("ssl-params", 0, &argc, &argv, "");
- master_service_init_log(master_service, "ssl-params: ");
-
- if (master_getopt(master_service) > 0)
- return FATAL_DEFAULT;
- set = ssl_params_settings_read(master_service);
-
- restrict_access_by_env(NULL, FALSE);
- restrict_access_allow_coredumps(TRUE);
-
-#ifndef HAVE_SSL
- i_fatal("Dovecot built without SSL support");
-#endif
-
- main_init(set);
- master_service_init_finish(master_service);
- master_service_run(master_service, client_connected);
- main_deinit();
-
- master_service_deinit(&master_service);
- return 0;
-}
diff --git a/src/ssl-params/ssl-params-settings.c b/src/ssl-params/ssl-params-settings.c
deleted file mode 100644
index d6ed8f4f16..0000000000
--- a/src/ssl-params/ssl-params-settings.c
+++ /dev/null
@@ -1,99 +0,0 @@
-/* Copyright (c) 2009-2016 Dovecot authors, see the included COPYING file */
-
-#include "lib.h"
-#include "buffer.h"
-#include "settings-parser.h"
-#include "service-settings.h"
-#include "master-service-settings.h"
-#include "ssl-params-settings.h"
-
-#include
-#include
-
-/* */
-static struct file_listener_settings ssl_params_unix_listeners_array[] = {
- { "ssl-params", 0666, "", "" },
- { "login/ssl-params", 0666, "", "" }
-};
-static struct file_listener_settings *ssl_params_unix_listeners[] = {
- &ssl_params_unix_listeners_array[0],
- &ssl_params_unix_listeners_array[1]
-};
-static buffer_t ssl_params_unix_listeners_buf = {
- ssl_params_unix_listeners, sizeof(ssl_params_unix_listeners), { NULL, }
-};
-/* */
-
-struct service_settings ssl_params_service_settings = {
- .name = "ssl-params",
- .protocol = "",
-#ifdef HAVE_SSL
- .type = "startup",
-#else
- .type = "",
-#endif
- .executable = "ssl-params",
- .user = "",
- .group = "",
- .privileged_group = "",
- .extra_groups = "",
- .chroot = "",
-
- .drop_priv_before_exec = FALSE,
-
- .process_min_avail = 0,
- .process_limit = 0,
- .client_limit = 0,
- .service_count = 0,
- .idle_kill = 0,
- .vsz_limit = (uoff_t)-1,
-
- .unix_listeners = { { &ssl_params_unix_listeners_buf,
- sizeof(ssl_params_unix_listeners[0]) } },
- .fifo_listeners = ARRAY_INIT,
- .inet_listeners = ARRAY_INIT
-};
-
-#undef DEF
-#define DEF(type, name) \
- { type, #name, offsetof(struct ssl_params_settings, name), NULL }
-
-static const struct setting_define ssl_params_setting_defines[] = {
- DEF(SET_TIME, ssl_parameters_regenerate),
- DEF(SET_UINT, ssl_dh_parameters_length),
-
- SETTING_DEFINE_LIST_END
-};
-
-static const struct ssl_params_settings ssl_params_default_settings = {
- .ssl_parameters_regenerate = 0,
- .ssl_dh_parameters_length = 1024
-};
-
-const struct setting_parser_info ssl_params_setting_parser_info = {
- .module_name = "ssl-params",
- .defines = ssl_params_setting_defines,
- .defaults = &ssl_params_default_settings,
-
- .type_offset = (size_t)-1,
- .struct_size = sizeof(struct ssl_params_settings),
-
- .parent_offset = (size_t)-1
-};
-
-struct ssl_params_settings *
-ssl_params_settings_read(struct master_service *service)
-{
- static const struct setting_parser_info *set_roots[] = {
- &ssl_params_setting_parser_info,
- NULL
- };
- const char *error;
- void **sets;
-
- if (master_service_settings_read_simple(service, set_roots, &error) < 0)
- i_fatal("Error reading configuration: %s", error);
-
- sets = master_service_settings_get_others(service);
- return sets[0];
-}
diff --git a/src/ssl-params/ssl-params-settings.h b/src/ssl-params/ssl-params-settings.h
deleted file mode 100644
index 951c6a05ed..0000000000
--- a/src/ssl-params/ssl-params-settings.h
+++ /dev/null
@@ -1,14 +0,0 @@
-#ifndef SSL_PARAMS_SETTINGS_H
-#define SSL_PARAMS_SETTINGS_H
-
-struct master_service;
-
-struct ssl_params_settings {
- unsigned int ssl_parameters_regenerate;
- unsigned int ssl_dh_parameters_length;
-};
-
-struct ssl_params_settings *
-ssl_params_settings_read(struct master_service *service);
-
-#endif
diff --git a/src/ssl-params/ssl-params.c b/src/ssl-params/ssl-params.c
deleted file mode 100644
index 04ba39e569..0000000000
--- a/src/ssl-params/ssl-params.c
+++ /dev/null
@@ -1,262 +0,0 @@
-/* Copyright (c) 2009-2016 Dovecot authors, see the included COPYING file */
-
-#include "lib.h"
-#include "ioloop.h"
-#include "buffer.h"
-#include "file-lock.h"
-#include "read-full.h"
-#include "write-full.h"
-#include "master-interface.h"
-#include "master-service.h"
-#include "master-service-settings.h"
-#include "iostream-ssl.h"
-#include "ssl-params-settings.h"
-#include "ssl-params.h"
-
-#include
-#include
-#include
-#ifdef HAVE_SYS_TIME_H
-# include
-#endif
-#ifdef HAVE_SYS_RESOURCE_H
-# include
-#endif
-
-#define MAX_PARAM_FILE_SIZE 1024*1024
-#define SSL_BUILD_PARAM_TIMEOUT_SECS (60*30)
-#define SSL_PARAMS_PRIORITY 15
-
-struct ssl_params {
- char *path;
- struct ssl_params_settings set;
-
- time_t last_mtime;
- ssl_params_callback_t *callback;
-};
-
-static void
-ssl_params_if_unchanged(const char *path, time_t mtime,
- unsigned int ssl_dh_parameters_length ATTR_UNUSED)
-{
- const char *temp_path, *error;
- struct file_lock *lock;
- struct stat st, st2;
- mode_t old_mask;
- int fd, ret;
- buffer_t *buf;
-
-#ifdef HAVE_SETPRIORITY
- if (setpriority(PRIO_PROCESS, 0, SSL_PARAMS_PRIORITY) < 0)
- i_error("setpriority(%d) failed: %m", SSL_PARAMS_PRIORITY);
-#endif
-
- temp_path = t_strconcat(path, ".tmp", NULL);
-
- old_mask = umask(0);
- fd = open(temp_path, O_WRONLY | O_CREAT, 0644);
- umask(old_mask);
-
- if (fd == -1)
- i_fatal("creat(%s) failed: %m", temp_path);
-
- /* If multiple dovecot instances are running, only one of them needs
- to regenerate this file. */
- ret = file_wait_lock(fd, temp_path, F_WRLCK,
- FILE_LOCK_METHOD_FCNTL,
- SSL_BUILD_PARAM_TIMEOUT_SECS, &lock);
- if (ret < 0)
- i_fatal("file_try_lock(%s) failed: %m", temp_path);
- if (ret == 0) {
- /* someone else is writing this */
- i_fatal("Timeout while waiting for %s generation to complete",
- path);
- }
-
- /* make sure the .tmp file is still the one we created */
- if (fstat(fd, &st) < 0)
- i_fatal("fstat(%s) failed: %m", temp_path);
- if (stat(temp_path, &st2) < 0) {
- if (errno != ENOENT)
- i_fatal("stat(%s) failed: %m", temp_path);
- st2.st_ino = st.st_ino+1;
- }
- if (st.st_ino != st2.st_ino) {
- /* nope. so someone else just generated the file. */
- i_close_fd(&fd);
- return;
- }
-
- /* check that the parameters file is still the same */
- if (stat(path, &st) == 0) {
- if (st.st_mtime != mtime) {
- i_close_fd(&fd);
- return;
- }
- } else if (errno != ENOENT)
- i_fatal("stat(%s) failed: %m", path);
-
- /* ok, we really want to generate it. */
- if (ftruncate(fd, 0) < 0)
- i_fatal("ftruncate(%s) failed: %m", temp_path);
-
- i_info("Generating SSL parameters");
-
- buf = buffer_create_dynamic(pool_datastack_create(), 1024);
- if (ssl_iostream_generate_params(buf, ssl_dh_parameters_length,
- &error) < 0) {
- i_fatal("ssl_iostream_generate_params(%u) failed: %s",
- ssl_dh_parameters_length, error);
- }
- if (write_full(fd, buf->data, buf->used) < 0)
- i_fatal("write(%s) failed: %m", temp_path);
-
- if (rename(temp_path, path) < 0)
- i_fatal("rename(%s, %s) failed: %m", temp_path, path);
- if (close(fd) < 0)
- i_fatal("close(%s) failed: %m", temp_path);
- file_lock_free(&lock);
-
- i_info("SSL parameters regeneration completed");
-}
-
-static void ssl_params_close_listeners(void)
-{
- unsigned int i;
-
- /* we have forked, but the fds are still shared. we can't go
- io_remove()ing the fds from ioloop, because with many ioloops
- (e.g. epoll) the fds get removed from the main process's ioloop
- as well. so we'll just do the closing here manually. */
- for (i = 0; i < master_service_get_socket_count(master_service); i++) {
- int fd = MASTER_LISTEN_FD_FIRST + i;
-
- if (close(fd) < 0)
- i_error("close(listener %d) failed: %m", fd);
- }
-}
-
-static void ssl_params_rebuild(struct ssl_params *param)
-{
- switch (fork()) {
- case -1:
- i_fatal("fork() failed: %m");
- case 0:
- /* child - close listener fds so a long-running ssl-params
- doesn't cause Dovecot restart to fail */
- ssl_params_close_listeners();
- ssl_params_if_unchanged(param->path, param->last_mtime,
- param->set.ssl_dh_parameters_length);
- exit(0);
- default:
- /* parent */
- break;
- }
-}
-
-static bool
-ssl_params_verify(struct ssl_params *param,
- const unsigned char *data, size_t size)
-{
- unsigned int bitsize, len;
- bool found = FALSE;
-
- /* ... */
- while (size >= sizeof(bitsize)) {
- memcpy(&bitsize, data, sizeof(bitsize));
- if (bitsize == 0) {
- if (found)
- return TRUE;
- i_warning("Regenerating %s for ssl_dh_parameters_length=%u",
- param->path, param->set.ssl_dh_parameters_length);
- return FALSE;
- }
- data += sizeof(bitsize);
- size -= sizeof(bitsize);
- if (bitsize == param->set.ssl_dh_parameters_length)
- found = TRUE;
-
- if (size < sizeof(len))
- break;
- memcpy(&len, data, sizeof(len));
- if (len > size - sizeof(len))
- break;
- data += sizeof(bitsize) + len;
- size -= sizeof(bitsize) + len;
- }
- i_error("Corrupted %s", param->path);
- return FALSE;
-}
-
-static int ssl_params_read(struct ssl_params *param)
-{
- unsigned char *buffer;
- struct stat st;
- int fd, ret;
-
- fd = open(param->path, O_RDONLY);
- if (fd == -1) {
- if (errno != ENOENT)
- i_error("open(%s) failed: %m", param->path);
- return -1;
- }
-
- if (fstat(fd, &st) < 0) {
- i_error("fstat(%s) failed: %m", param->path);
- i_close_fd(&fd);
- return -1;
- }
- param->last_mtime = st.st_mtime;
- if (st.st_size == 0 || st.st_size > MAX_PARAM_FILE_SIZE) {
- i_error("Corrupted file: %s", param->path);
- i_close_fd(&fd);
- i_unlink(param->path);
- return -1;
- }
-
- buffer = t_malloc_no0(st.st_size);
- ret = read_full(fd, buffer, st.st_size);
- if (ret < 0)
- i_error("read(%s) failed: %m", param->path);
- else if (ret == 0) {
- i_error("File unexpectedly shrank: %s", param->path);
- ret = -1;
- } else if (!ssl_params_verify(param, buffer, st.st_size)) {
- ret = -1;
- } else {
- param->callback(buffer, st.st_size);
- }
-
- if (close(fd) < 0)
- i_error("close(%s) failed: %m", param->path);
- return ret;
-}
-
-struct ssl_params *
-ssl_params_init(const char *path, ssl_params_callback_t *callback,
- const struct ssl_params_settings *set)
-{
- struct ssl_params *param;
-
- param = i_new(struct ssl_params, 1);
- param->path = i_strdup(path);
- param->set = *set;
- param->callback = callback;
- ssl_params_refresh(param);
- return param;
-}
-
-void ssl_params_refresh(struct ssl_params *param)
-{
- if (ssl_params_read(param) < 0)
- ssl_params_rebuild(param);
-}
-
-void ssl_params_deinit(struct ssl_params **_param)
-{
- struct ssl_params *param = *_param;
-
- *_param = NULL;
- i_free(param->path);
- i_free(param);
-}
diff --git a/src/ssl-params/ssl-params.h b/src/ssl-params/ssl-params.h
deleted file mode 100644
index 1af2b6f2ed..0000000000
--- a/src/ssl-params/ssl-params.h
+++ /dev/null
@@ -1,15 +0,0 @@
-#ifndef SSL_BUILD_PARAMS_H
-#define SSL_BUILD_PARAMS_H
-
-struct ssl_params_settings;
-
-typedef void ssl_params_callback_t(const unsigned char *data, size_t size);
-
-struct ssl_params *
-ssl_params_init(const char *path, ssl_params_callback_t *callback,
- const struct ssl_params_settings *set);
-void ssl_params_deinit(struct ssl_params **param);
-
-void ssl_params_refresh(struct ssl_params *param);
-
-#endif