dovecot-2.0: dovecot -p (ask ssl key password from command line)...

dovecot at dovecot.org dovecot at dovecot.org
Wed Sep 9 03:05:51 EEST 2009


details:   http://hg.dovecot.org/dovecot-2.0/rev/e819f6dfe5f4
changeset: 9913:e819f6dfe5f4
user:      Timo Sirainen <tss at iki.fi>
date:      Tue Sep 08 20:00:18 2009 -0400
description:
dovecot -p (ask ssl key password from command line) works again.

diffstat:

7 files changed, 23 insertions(+), 18 deletions(-)
src/login-common/ssl-proxy-openssl.c |   17 ++++++-----------
src/master/Makefile.am               |    2 ++
src/master/common.h                  |    1 +
src/master/main.c                    |   11 ++++-------
src/master/service-process.c         |    7 +++++++
src/master/service.c                 |    1 +
src/master/service.h                 |    2 ++

diffs (157 lines):

diff -r 37bc3a3d4464 -r e819f6dfe5f4 src/login-common/ssl-proxy-openssl.c
--- a/src/login-common/ssl-proxy-openssl.c	Tue Sep 08 19:34:49 2009 -0400
+++ b/src/login-common/ssl-proxy-openssl.c	Tue Sep 08 20:00:18 2009 -0400
@@ -889,16 +889,19 @@ static EVP_PKEY *ssl_proxy_load_key(cons
 {
 	EVP_PKEY *pkey;
 	BIO *bio;
-	char *password;
+	const char *password;
+	char *dup_password;
 
 	bio = BIO_new_mem_buf(t_strdup_noconst(set->ssl_key),
 			      strlen(set->ssl_key));
 	if (bio == NULL)
 		i_fatal("BIO_new_mem_buf() failed");
 
-	password = t_strdup_noconst(set->ssl_key_password);
+	password = *set->ssl_key_password != '\0' ? set->ssl_key_password :
+		getenv("SSL_KEY_PASSWORD");
+	dup_password = t_strdup_noconst(password);
 	pkey = PEM_read_bio_PrivateKey(bio, NULL, pem_password_callback,
-				       password);
+				       dup_password);
 	if (pkey == NULL)
 		i_fatal("Couldn't parse private ssl_key");
 	BIO_free(bio);
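Review bot: `dup_password` is never wiped after `PEM_read_bio_PrivateKey()` returns, whereas the code this commit removes from ssl_proxy_init_server() did `safe_memset(password, 0, strlen(password))` once the key was loaded, so the plaintext passphrase now lingers in the t_strdup_noconst() copy. Add after the `pkey == NULL` check: `if (dup_password != NULL) safe_memset(dup_password, 0, strlen(dup_password));`, and consider an `unsetenv("SSL_KEY_PASSWORD");` there too so the passphrase is not inherited by anything the login process later spawns. `getenv()` returns NULL when neither ssl_key_password nor the environment variable is set; t_strdup_noconst() appears to pass NULL through, so pem_password_callback must tolerate NULL userdata — worth a comment on the `password =` line, e.g. `/* may be NULL if no password was configured or passed via dovecot -p */`. The body of ssl_proxy_load_key continues outside the hunk.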
@@ -980,8 +983,6 @@ end:
 
 static void ssl_proxy_init_server(const struct login_settings *set)
 {
-	char *password;
-
 	if ((ssl_server_ctx = SSL_CTX_new(SSLv23_server_method())) == NULL)
 		i_fatal("SSL_CTX_new() failed");
 	ssl_proxy_ctx_init(ssl_server_ctx, set);
@@ -997,13 +998,7 @@ static void ssl_proxy_init_server(const 
 			ssl_proxy_get_use_certificate_error(set->ssl_cert));
 	}
 
-	password = t_strdup_noconst(set->ssl_key_password);
-        SSL_CTX_set_default_passwd_cb(ssl_server_ctx, pem_password_callback);
-        SSL_CTX_set_default_passwd_cb_userdata(ssl_server_ctx, password);
-
 	ssl_proxy_ctx_use_key(ssl_server_ctx, set);
-	safe_memset(password, 0, strlen(password));
-
 	if (set->verbose_ssl)
 		SSL_CTX_set_info_callback(ssl_server_ctx, ssl_info_callback);
 
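Review bot: With the default password callback and its `safe_memset()` removed, nothing in ssl_proxy_init_server() says where the passphrase now comes from or who is responsible for wiping it. Add before `ssl_proxy_ctx_use_key(ssl_server_ctx, set);` a comment such as `/* key passphrase (ssl_key_password or the SSL_KEY_PASSWORD env from dovecot -p) is supplied to PEM_read_bio_PrivateKey() inside ssl_proxy_load_key(); no SSL_CTX default passwd cb is installed */`. Note that the removed `safe_memset()` was the only place the passphrase copy was zeroed, and the new ssl_proxy_load_key() path in this commit does not zero its copy. The function body continues outside the hunk.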
diff -r 37bc3a3d4464 -r e819f6dfe5f4 src/master/Makefile.am
--- a/src/master/Makefile.am	Tue Sep 08 19:34:49 2009 -0400
+++ b/src/master/Makefile.am	Tue Sep 08 20:00:18 2009 -0400
@@ -20,6 +20,7 @@ dovecot_DEPENDENCIES = $(libs)
 dovecot_DEPENDENCIES = $(libs)
 
 dovecot_SOURCES = \
+	askpass.c \
 	capabilities-posix.c \
 	dup2-array.c \
 	main.c \
@@ -35,6 +36,7 @@ dovecot_SOURCES = \
 	service.c
 
 noinst_HEADERS = \
+	askpass.h \
 	capabilities.h \
 	common.h \
 	dup2-array.h \
diff -r 37bc3a3d4464 -r e819f6dfe5f4 src/master/common.h
--- a/src/master/common.h	Tue Sep 08 19:34:49 2009 -0400
+++ b/src/master/common.h	Tue Sep 08 20:00:18 2009 -0400
@@ -11,6 +11,7 @@ extern gid_t master_gid;
 extern gid_t master_gid;
 extern bool auth_success_written;
 extern bool core_dumps_disabled;
+extern char ssl_manual_key_password[];
 extern int null_fd;
 extern struct service_list *services;
 
diff -r 37bc3a3d4464 -r e819f6dfe5f4 src/master/main.c
--- a/src/master/main.c	Tue Sep 08 19:34:49 2009 -0400
+++ b/src/master/main.c	Tue Sep 08 20:00:18 2009 -0400
@@ -11,6 +11,7 @@
 #include "restrict-process-size.h"
 #include "master-service.h"
 #include "master-service-settings.h"
+#include "askpass.h"
 #include "capabilities.h"
 #include "service.h"
 #include "service-listen.h"
@@ -37,6 +38,7 @@ gid_t master_gid;
 gid_t master_gid;
 bool auth_success_written;
 bool core_dumps_disabled;
+char ssl_manual_key_password[100];
 int null_fd;
 struct service_list *services;
 
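Review bot: The `100` in `char ssl_manual_key_password[100];` is a magic number that also silently caps the passphrase length a user can type with `dovecot -p`; give it a name, `#define SSL_MANUAL_KEY_PASSWORD_SIZE 100` and `char ssl_manual_key_password[SSL_MANUAL_KEY_PASSWORD_SIZE];`, so the limit is visible from common.h where only `extern char ssl_manual_key_password[];` is declared. Add a comment on the definition noting that this buffer holds the plaintext passphrase for the whole lifetime of the master process because it is handed to every newly spawned inet-listening service. Whether askpass() reports truncation at this size is not visible here.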
@@ -737,16 +739,11 @@ int main(int argc, char *argv[])
 		auth_warning_print(set);
 	}
 
-#if 0 // FIXME
 	if (ask_key_pass) {
-		const char *prompt;
-
-		prompt = t_strdup_printf("Give the password for SSL key file "
-					 "%s: ", set->ssl_key_file);
-		askpass(prompt, ssl_manual_key_password,
+		askpass("Give the password for SSL keys",
+			ssl_manual_key_password,
 			sizeof(ssl_manual_key_password));
 	}
-#endif
 
 	/* save TZ environment. AIX depends on it to get the timezone
 	   correctly. */
diff -r 37bc3a3d4464 -r e819f6dfe5f4 src/master/service-process.c
--- a/src/master/service-process.c	Tue Sep 08 19:34:49 2009 -0400
+++ b/src/master/service-process.c	Tue Sep 08 20:00:18 2009 -0400
@@ -458,6 +458,13 @@ handle_request(const struct service_proc
 
 	env_put(t_strconcat("LOCAL_IP=", net_ip2addr(&request->local_ip), NULL));
 	env_put(t_strconcat("IP=", net_ip2addr(&request->remote_ip), NULL));
+	if (*ssl_manual_key_password != '\0' &&
+	    request->process->process.service->have_inet_listeners) {
+		/* manually given SSL password. give it only to services
+		   that have inet listeners. */
+		env_put(t_strconcat("SSL_KEY_PASSWORD=",
+				    ssl_manual_key_password, NULL));
+	}
 }
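Review bot: `have_inet_listeners` is a coarse gate: every service with an inet listener gets the plaintext passphrase in its environment, including services that never load the SSL key, and the variable is inherited by any child those services exec unless they scrub it. If the service has a more precise "uses SSL" property, gate on that instead; otherwise make the trade-off explicit in the existing comment, e.g. `/* manually given SSL password. give it only to services that have inet listeners; this still includes services that don't use SSL, and the value is inherited by their children until they unsetenv() it */`. handle_request() starts outside the hunk.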
 
 struct service_process *
diff -r 37bc3a3d4464 -r e819f6dfe5f4 src/master/service.c
--- a/src/master/service.c	Tue Sep 08 19:34:49 2009 -0400
+++ b/src/master/service.c	Tue Sep 08 20:00:18 2009 -0400
@@ -293,6 +293,7 @@ service_create(pool_t pool, const struct
 		if (service_create_inet_listeners(service, inet_listeners[i],
 						  error_r) < 0)
 			return NULL;
+		service->have_inet_listeners = TRUE;
 	}
 
 	return service;
diff -r 37bc3a3d4464 -r e819f6dfe5f4 src/master/service.h
--- a/src/master/service.h	Tue Sep 08 19:34:49 2009 -0400
+++ b/src/master/service.h	Tue Sep 08 20:00:18 2009 -0400
@@ -93,6 +93,8 @@ struct service {
 	unsigned int listen_pending:1;
 	/* service is currently listening for new connections */
 	unsigned int listening:1;
+	/* TRUE if service has at least one inet_listener */
+	unsigned int have_inet_listeners:1;
 };
 
 struct service_list {

