/* * Program:	SSL authentication/encryption module * * Author:	Mark Crispin *		Networks and Distributed Computing *		Computing & Communications *		University of Washington *		Administration Building, AG-44 *		Seattle, WA  98195 *		Internet: MRC@CAC.Washington.EDU * * Date:	22 September 1998 * Last Edited:	9 October 2000 * * Copyright 2000 by the University of Washington * * This software is provided under specific, written license from the * University of Washington and may only be used, copied, modified, and * distributed under the terms of such license.  This software is made * available "as is", and * THE UNIVERSITY OF WASHINGTON DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, * WITH REGARD TO THIS SOFTWARE, INCLUDING WITHOUT LIMITATION ALL IMPLIED * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, AND IN * NO EVENT SHALL THE UNIVERSITY OF WASHINGTON BE LIABLE FOR ANY SPECIAL, * INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, TORT * (INCLUDING NEGLIGENCE) OR STRICT LIABILITY, ARISING OUT OF OR IN CONNECTION * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. * * Export Regulations. Software, including technical data, is subject to U.S. * export control laws, including the U.S. Export Administration Act and its * associated regulations, and may be subject to export or import regulations * in other countries. Licensee agrees to comply strictly with all such * regulations and acknowledges that it has the responsibility to obtain * licenses to export, re-export, or import Software. Software may not be * downloaded, or otherwise exported or re-exported (i) into, or to a * national or resident of, Cuba, Iraq, Iran, North Korea, Libya, Sudan, * Syria or any country to which the U.S. has embargoed goods; or (ii) to * anyone on the U.S. Treasury Department's list of Specially Designated * Nations or the U.S. Commerce Department's Table of Denial Orders. 
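*/

/* Presumably keeps OpenSSL's own crypt() declaration from clashing with the
 * libc one while its headers are pulled in. */
#define crypt ssl_private_crypt
#include <x509.h>
#include <ssl.h>
#include <err.h>
#include <pem.h>
#include <buffer.h>
#include <bio.h>
#include <crypto.h>
#include <rand.h>
#undef crypt
#include <stdlib.h>		/* mkstemp() */

#define SSLBUFLEN 8192		/* size of the per-stream I/O buffers */
#define SSLCIPHERLIST "ALL:!LOW"	/* cipher list; not referenced in this part */

/* SSL I/O stream */

typedef struct ssl_stream {
  TCPSTREAM *tcpstream;		/* TCP stream */
  SSL_CTX *context;		/* SSL context */
  SSL *con;			/* SSL connection */
  int ictr;			/* input counter: bytes left at iptr */
  char *iptr;			/* input pointer into ibuf */
  char ibuf[SSLBUFLEN];		/* input buffer */
} SSLSTREAM;

/* SSL stdio stream */

typedef struct ssl_stdiostream {
  SSLSTREAM *sslstream;		/* SSL stream */
  int octr;			/* output counter */
  char *optr;			/* output pointer */
  char obuf[SSLBUFLEN];		/* output buffer */
} SSLSTDIOSTREAM;

/* SSL driver */

struct ssl_driver {		/* must parallel NETDRIVER in mail.h */
  SSLSTREAM *(*open) (char *host,char *service,unsigned long port);
  SSLSTREAM *(*aopen) (NETMBX *mb,char *service,char *usrbuf);
  char *(*getline) (SSLSTREAM *stream);
  long (*getbuffer) (SSLSTREAM *stream,unsigned long size,char *buffer);
  long (*soutr) (SSLSTREAM *stream,char *string);
  long (*sout) (SSLSTREAM *stream,char *string,unsigned long size);
  void (*close) (SSLSTREAM *stream);
  char *(*host) (SSLSTREAM *stream);
  char *(*remotehost) (SSLSTREAM *stream);
  unsigned long (*port) (SSLSTREAM *stream);
  char *(*localhost) (SSLSTREAM *stream);
};

/* Function prototypes */

void ssl_onceonlyinit (void);
SSLSTREAM *ssl_open (char *host,char *service,unsigned long port);
int ssl_open_verify (int ok,X509_STORE_CTX *ctx);
SSLSTREAM *ssl_aopen (NETMBX *mb,char *service,char *usrbuf);
char *ssl_getline (SSLSTREAM *stream);
long ssl_getbuffer (SSLSTREAM *stream,unsigned long size,char *buffer);
long ssl_getdata (SSLSTREAM *stream);
long ssl_soutr (SSLSTREAM *stream,char *string);
long ssl_sout (SSLSTREAM *stream,char *string,unsigned long size);
void ssl_close (SSLSTREAM *stream);
long ssl_abort (SSLSTREAM *stream);
char *ssl_host (SSLSTREAM *stream);
char *ssl_remotehost (SSLSTREAM *stream);
unsigned long ssl_port (SSLSTREAM *stream);
char *ssl_localhost (SSLSTREAM *stream);
long auth_plain_valid (void);
long auth_plain_client (authchallenge_t challenger,authrespond_t responder,
			NETMBX *mb,void *stream,unsigned long *trial,
			char *user);
char *auth_plain_server (authresponse_t responder,int argc,char *argv[]);
void Server_init (char *server,char *service,char *altservice,char *sasl,
		  void *clkint,void *kodint,void *hupint,void *trmint);
long Server_input_wait (long seconds);
char *ssl_start_tls (char *server);
SSLSTDIOSTREAM *ssl_server_init (char *server);
static RSA *ssl_genkey (SSL *con,int export,int keylength);
int ssl_getchar (void);
char *ssl_gets (char *s,int n);
int ssl_putchar (int c);
int ssl_puts (char *s);
int ssl_flush (void);

/* Secure Sockets Layer network driver dispatch */

static struct ssl_driver ssldriver = {
  ssl_open,			/* open connection */
  ssl_aopen,			/* open preauthenticated connection */
  ssl_getline,			/* get a line */
  ssl_getbuffer,		/* get a buffer */
  ssl_soutr,			/* output pushed data */
  ssl_sout,			/* output string */
  ssl_close,			/* close connection */
  ssl_host,			/* return host name */
  ssl_remotehost,		/* return remote host name */
  ssl_port,			/* return port number */
  ssl_localhost			/* return local host name */
};
				/* non-NIL if doing SSL primary I/O */
static SSLSTDIOSTREAM *sslstdio = NIL;
static char *start_tls = NIL;	/* non-NIL if start TLS requested */

/* Secure sockets layer authenticator */

AUTHENTICATOR auth_ssl = {
  AU_AUTHUSER,			/* allow authuser */
  "PLAIN",			/* authenticator name */
  auth_plain_valid,		/* check if valid */
  auth_plain_client,		/* client method */
  auth_plain_server,		/* server method */
  NIL				/* next authenticator */
};

/* One-time SSL initialization
 * Seeds the OpenSSL PRNG on systems without /dev/urandom, registers this
 * driver and its alternate service names/ports with mail_parameters(), and
 * loads the SSL algorithm tables.  Later calls are no-ops.
 */

static int sslonceonly = 0;

void ssl_onceonlyinit (void)
{
  if (!sslonceonly++) {		/* only need to call it once */
    int fd;
    unsigned long i;
    char tmp[MAILTMPLEN];
    struct stat sbuf;
				/* if system doesn't have /dev/urandom */
    if (stat ("/dev/urandom",&sbuf)) {
				/* mkstemp() creates the file exclusively
				 * under a unique name, so a name predicted
				 * from tmpnam() cannot be pre-planted as a
				 * symlink and followed by the open() */
      strcpy (tmp,"/tmp/sslseedXXXXXX");
      if ((fd = mkstemp (tmp)) < 0) i = (unsigned long) tmp;
      else {
	unlink (tmp);		/* don't need the file */
	fstat (fd,&sbuf);	/* get information about the file */
	i = sbuf.st_ino;	/* remember its inode */
	close (fd);		/* or its descriptor */
      }
				/* not great but it'll have to do: the seed
				 * is the temp name, an inode, the server
				 * host, time^hostid and the pid -- all
				 * low-entropy, guessable values */
      sprintf (tmp + strlen (tmp),"%.80s%lx%lx%lx",
	       tcp_serverhost (),i,
	       (unsigned long) (time (0) ^ gethostid ()),
	       (unsigned long) getpid ());
      RAND_seed (tmp,strlen (tmp));
    }
				/* apply runtime linkage */
    mail_parameters (NIL,SET_ALTDRIVER,(void *) &ssldriver);
    mail_parameters (NIL,SET_ALTDRIVERNAME,(void *) "ssl");
    mail_parameters (NIL,SET_ALTOPTIONNAME,(void *) "novalidate-cert");
    mail_parameters (NIL,SET_ALTIMAPNAME,(void *) "*imaps");
    mail_parameters (NIL,SET_ALTIMAPPORT,(void *) 993);
    mail_parameters (NIL,SET_ALTPOPNAME,(void *) "*pop3s");
    mail_parameters (NIL,SET_ALTPOPPORT,(void *) 995);
    mail_parameters (NIL,SET_ALTNNTPNAME,(void *) "*nntps");
    mail_parameters (NIL,SET_ALTNNTPPORT,(void *) 563);
    mail_parameters (NIL,SET_ALTSMTPNAME,(void *) "*smtps");
    mail_parameters (NIL,SET_ALTSMTPPORT,(void *) 465);
				/* add all algorithms */
    SSLeay_add_ssl_algorithms ();
  }
}

/* SSL open
 * Accepts: host name
 *	    contact service name
 *	    contact port number (NET_ALTOPT bit disables certificate checks)
 * Returns: SSL stream if success else NIL
 *
 * Opens the TCP connection, wraps it in an SSL context/connection and drives
 * the handshake.  On any failure the partially built stream is torn down via
 * ssl_close() and an ERROR is logged.
 */

SSLSTREAM *ssl_open (char *host,char *service,unsigned long port)
{
  char tmp[MAILTMPLEN];
  SSLSTREAM *stream = NIL;
  TCPSTREAM *ts = tcp_open (host,service,port);
  if (ts) {			/* got a TCPSTREAM? */
    blocknotify_t bn = (blocknotify_t)mail_parameters(NIL,GET_BLOCKNOTIFY,NIL);
    void *data = (*bn)(BLOCK_SENSITIVE,NIL);
				/* instantiate SSLSTREAM */
    (stream = (SSLSTREAM *) memset (fs_get (sizeof (SSLSTREAM)),0,
				    sizeof (SSLSTREAM)))->tcpstream = ts;
    if ((stream->context = SSL_CTX_new (SSLv23_client_method ())) != NIL) {
				/* passes 0, so no option bits are set */
      SSL_CTX_set_options (stream->context,0);
      if (port & NET_ALTOPT)	/* disable certificate validation? */
	SSL_CTX_set_verify (stream->context,SSL_VERIFY_NONE,NIL);
      else SSL_CTX_set_verify(stream->context,SSL_VERIFY_PEER,ssl_open_verify);
				/* set up CAs to look up: with no file or
				 * directory given this call appears to
				 * always fail, so the library default
				 * verify paths are what gets installed */
      if (!SSL_CTX_load_verify_locations (stream->context,NIL,NIL))
	SSL_CTX_set_default_verify_paths (stream->context);
				/* create connection; the BIO is created only
				 * once the SSL object exists so it cannot be
				 * leaked when SSL_new() fails */
      if ((stream->con = SSL_new (stream->context)) != NIL) {
	BIO *bio = BIO_new_socket (ts->tcpsi,BIO_NOCLOSE);
	if (bio) {		/* SSL_free() via ssl_close() owns bio now */
	  SSL_set_bio (stream->con,bio,bio);
	  SSL_set_connect_state (stream->con);
				/* return value unused */
	  if (SSL_in_init (stream->con)) SSL_total_renegotiations (stream->con);
				/* now negotiate SSL: a zero-length write is
				 * used to drive the handshake */
	  if (SSL_write (stream->con,"",0) >= 0) {
	    (*bn) (BLOCK_NONSENSITIVE,data);
	    return stream;
	  }
	}
      }
    }
    (*bn) (BLOCK_NONSENSITIVE,data);
    sprintf (tmp,"Can't establish SSL session to %.80s/%.80s,%lu",
	     host,service ? service : "SSL",port & 0xffff);
    mm_log (tmp,ERROR);
    ssl_close (stream);		/* failed to do SSL */
  }
  return NIL;
}

/* SSL certificate verification callback
 * Accepts: error flag (non-zero if OpenSSL's own checks passed)
 *	    X509 context
 * Returns: error flag, unchanged
 *
 * Only logs a WARN with the verify error and the offending subject; the
 * chain result is passed through, so a failed chain still aborts the
 * handshake under SSL_VERIFY_PEER.  Nothing here or in ssl_open() compares
 * the certificate's name with the host that was dialed, so any certificate
 * the CA store trusts is accepted for any host.
 */

int ssl_open_verify (int ok,X509_STORE_CTX *ctx)
{
  if (!ok) {
    char tmp[MAILTMPLEN];
    X509 *cert = X509_STORE_CTX_get_current_cert (ctx);
    sprintf (tmp,"%.128s: ",
	     X509_verify_cert_error_string (X509_STORE_CTX_get_error (ctx)));
				/* some errors carry no current certificate */
    if (cert) X509_NAME_oneline (X509_get_subject_name (cert),
				 tmp + strlen (tmp),256);
    mm_log (tmp,WARN);
  }
  /* *** need to check the host name somehow *** */
  return ok;
}

/* SSL authenticated open
 * Accepts: host name
 *	    service name
 *	    returned user name buffer
 * Returns: SSL stream if success else NIL
 */

SSLSTREAM *ssl_aopen (NETMBX *mb,char *service,char *usrbuf)
{
  return NIL;			/* don't use this mechanism with SSL */
}

/* SSL receive line
 * Accepts: SSL stream
 * Returns: text line string or NIL if failure
 *
 * Returns a freshly fs_get()'d, NUL-terminated copy of the next CRLF-ended
 * line with the CRLF stripped.  Lines that straddle a buffer refill are
 * assembled by recursion; the caller owns the result.
 */

char *ssl_getline (SSLSTREAM *stream)
{
  int n,m;
  char *st,*ret,*stp;
  char c = '\0';
  char d;
				/* make sure have data */
  if (!ssl_getdata (stream)) return NIL;
  st = stream->iptr;		/* save start of string */
  n = 0;			/* init string count */
  while (stream->ictr--) {	/* look for end of line */
    d = *stream->iptr++;	/* slurp another character */
    if ((c == '\015') && (d == '\012')) {
				/* n counts the CR; allocate n, copy n-1 */
      ret = (char *) fs_get (n--);
      memcpy (ret,st,n);	/* copy into a free storage string */
      ret[n] = '\0';		/* tie off string with null */
      return ret;
    }
    n++;			/* count another character searched */
    c = d;			/* remember previous character */
  }				/* copy partial string from buffer */
  memcpy ((ret = stp = (char *) fs_get (n)),st,n);
				/* get more data from the net */
  if (!ssl_getdata (stream)) fs_give ((void **) &ret);
				/* special case of newline broken by buffer */
  else if ((c == '\015') && (*stream->iptr == '\012')) {
    stream->iptr++;		/* eat the line feed */
    stream->ictr--;
    ret[n - 1] = '\0';		/* tie off string with null */
  }				/* else recurse to get remainder */
  else if ((st = ssl_getline (stream)) != NIL) {
    ret = (char *) fs_get (n + 1 + (m = strlen (st)));
    memcpy (ret,stp,n);		/* copy first part */
    memcpy (ret + n,st,m);	/* and second part */
    fs_give ((void **) &stp);	/* flush first part */
    fs_give ((void **) &st);	/* flush second part */
    ret[n + m] = '\0';		/* tie off string with null */
  }
  else fs_give ((void **) &ret);/* remainder failed: the n-byte fragment in
				 * ret has no terminator, so it must not be
				 * handed back as a string */
  return ret;
}

/* SSL receive buffer
 * Accepts: SSL stream
 *	    size in bytes
 *	    buffer to read into (must hold size+1 bytes for the terminator)
 * Returns: T if success, NIL otherwise
 */

long ssl_getbuffer (SSLSTREAM *stream,unsigned long size,char *buffer)
{
  unsigned long n;
  while (size > 0) {		/* until request satisfied */
    if (!ssl_getdata (stream)) return NIL;
    n = min (size,stream->ictr);/* number of bytes to transfer */
				/* do the copy */
    memcpy (buffer,stream->iptr,n);
    buffer += n;		/* update pointer */
    stream->iptr += n;
    size -= n;			/* update # of bytes to do */
    stream->ictr -= n;
  }
  buffer[0] = '\0';		/* tie off string */
  return T;
}

/* SSL receive data
 * Accepts: SSL stream
 * Returns: T if success, NIL otherwise
 *
 * Ensures stream->ibuf holds at least one unread byte, waiting under the
 * configured read timeout (and its timeout handler) when the SSL layer has
 * nothing pending.  Any select()/SSL_read() failure aborts the stream.
 */

long ssl_getdata (SSLSTREAM *stream)
{
  int i,sock;
  fd_set fds,efds;
  struct timeval tmo;
  tcptimeout_t tmoh = (tcptimeout_t) mail_parameters (NIL,GET_TIMEOUT,NIL);
  long ttmo_read = (long) mail_parameters (NIL,GET_READTIMEOUT,NIL);
  time_t t = time (0);
  blocknotify_t bn = (blocknotify_t) mail_parameters (NIL,GET_BLOCKNOTIFY,NIL);
  if (!stream->con || ((sock = SSL_get_fd (stream->con)) < 0)) return NIL;
				/* FD_SET() on such a descriptor writes past
				 * the fd_set */
  if (sock >= FD_SETSIZE) return ssl_abort (stream);
  (*bn) (BLOCK_TCPREAD,NIL);
  while (stream->ictr < 1) {	/* if nothing in the buffer */
    if (!SSL_pending (stream->con)) {
      time_t tl = time (0);	/* start of request */
      time_t now = tl;
				/* absolute deadline, 0 if no timeout; kept
				 * as time_t so it is not truncated */
      time_t ti = ttmo_read ? now + ttmo_read : 0;
      tmo.tv_usec = 0;
      FD_ZERO (&fds);		/* initialize selection vector */
      FD_ZERO (&efds);		/* handle errors too */
      FD_SET (sock,&fds);	/* set bit in selection vector */
      FD_SET (sock,&efds);	/* set bit in error selection vector */
      errno = NIL;		/* block and read */
      do {			/* block under timeout */
	tmo.tv_sec = ti ? ti - now : 0;
	i = select (sock+1,&fds,0,&efds,ti ? &tmo : 0);
	now = time (0);
      } while ((i < 0) && ((errno == EINTR) && (!ti || (ti > now))));
      if (!i) {			/* timeout? */
	if (tmoh && ((*tmoh) (now - t,now - tl))) continue;
	else return ssl_abort (stream);
      }
      else if (i < 0) return ssl_abort (stream);
    }
    while (((i = SSL_read (stream->con,stream->ibuf,SSLBUFLEN)) < 0) &&
	   (errno == EINTR));
    if (i < 1) return ssl_abort (stream);
    stream->iptr = stream->ibuf;/* point at TCP buffer */
    stream->ictr = i;		/* set new byte count */
  }
  (*bn) (BLOCK_NONE,NIL);
  return T;
}

/* SSL send string as record
 * Accepts: SSL stream
 *	    string pointer
 * Returns: T if success else NIL
 */

long ssl_soutr (SSLSTREAM *stream,char *string)
{
  return ssl_sout (stream,string,(unsigned long) strlen (string));
}

/* SSL send string
 * Accepts: SSL stream
 *	    string pointer
 *	    byte count
 * Returns: T if success else NIL
 */

long ssl_sout (SSLSTREAM *stream,char *string,unsigned long size)
{
  long i;
  extern long maxposint;
  blocknotify_t bn = (blocknotify_t) mail_parameters (NIL,GET_BLOCKNOTIFY,NIL);
  if (!stream->con) return NIL;
  (*bn) (BLOCK_TCPWRITE,NIL);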
