dovecot-2.2: ssl-params: Use lib-ssl-iostream's ssl_iostream_gen...
dovecot at dovecot.org
dovecot at dovecot.org
Sat Nov 1 00:06:38 UTC 2014
details: http://hg.dovecot.org/dovecot-2.2/rev/8b3ae8a07f31
changeset: 18051:8b3ae8a07f31
user: Timo Sirainen <tss at iki.fi>
date: Fri Oct 31 17:05:31 2014 -0700
description:
ssl-params: Use lib-ssl-iostream's ssl_iostream_generate_params() instead of OpenSSL directly
diffstat:
src/ssl-params/Makefile.am | 6 +-
src/ssl-params/ssl-params-openssl.c | 71 -------------------------------------
src/ssl-params/ssl-params.c | 17 ++++++--
src/ssl-params/ssl-params.h | 2 -
4 files changed, 16 insertions(+), 80 deletions(-)
diffs (154 lines):
diff -r f7ebc677fdb9 -r 8b3ae8a07f31 src/ssl-params/Makefile.am
--- a/src/ssl-params/Makefile.am Fri Oct 31 17:04:58 2014 -0700
+++ b/src/ssl-params/Makefile.am Fri Oct 31 17:05:31 2014 -0700
@@ -6,14 +6,14 @@
-I$(top_srcdir)/src/lib \
-I$(top_srcdir)/src/lib-master \
-I$(top_srcdir)/src/lib-settings \
+ -I$(top_srcdir)/src/lib-ssl-iostream \
-DPKG_STATEDIR=\""$(statedir)"\"
-ssl_params_LDADD = $(LIBDOVECOT) $(SSL_LIBS)
-ssl_params_DEPENDENCIES = $(LIBDOVECOT_DEPS)
+ssl_params_LDADD = $(LIBDOVECOT) ../lib-ssl-iostream/libssl_iostream.la
+ssl_params_DEPENDENCIES = $(LIBDOVECOT_DEPS) ../lib-ssl-iostream/libssl_iostream.la
ssl_params_SOURCES = \
main.c \
ssl-params.c \
- ssl-params-openssl.c \
ssl-params-settings.c
noinst_HEADERS = \
diff -r f7ebc677fdb9 -r 8b3ae8a07f31 src/ssl-params/ssl-params-openssl.c
--- a/src/ssl-params/ssl-params-openssl.c Fri Oct 31 17:04:58 2014 -0700
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,71 +0,0 @@
-/* Copyright (c) 2002-2014 Dovecot authors, see the included COPYING file */
-
-#include "lib.h"
-#include "write-full.h"
-#include "ssl-params.h"
-
-#ifdef HAVE_OPENSSL
-
-#include <openssl/err.h>
-#include <openssl/ssl.h>
-
-/* 2 or 5. Haven't seen their difference explained anywhere, but 2 is the
- default.. */
-#define DH_GENERATOR 2
-
-static const char *ssl_last_error(void)
-{
- unsigned long err;
- char *buf;
- size_t err_size = 256;
-
- err = ERR_get_error();
- if (err == 0)
- return strerror(errno);
-
- buf = t_malloc(err_size);
- buf[err_size-1] = '\0';
- ERR_error_string_n(err, buf, err_size-1);
- return buf;
-}
-
-static bool generate_dh_parameters(int bitsize, int fd, const char *fname)
-{
- DH *dh = DH_generate_parameters(bitsize, DH_GENERATOR, NULL, NULL);
- unsigned char *buf, *p;
- int len;
-
- if (dh == NULL)
- return FALSE;
-
- len = i2d_DHparams(dh, NULL);
- if (len < 0)
- i_fatal("i2d_DHparams() failed: %s", ssl_last_error());
-
- buf = p = i_malloc(len);
- len = i2d_DHparams(dh, &p);
-
- if (write_full(fd, &bitsize, sizeof(bitsize)) < 0 ||
- write_full(fd, &len, sizeof(len)) < 0 ||
- write_full(fd, buf, len) < 0)
- i_fatal("write_full() failed for file %s: %m", fname);
- i_free(buf);
- return TRUE;
-}
-
-void ssl_generate_parameters(int fd, unsigned int dh_length, const char *fname)
-{
- int bits;
-
- /* this fails in FIPS mode */
- (void)generate_dh_parameters(512, fd, fname);
- if (!generate_dh_parameters(dh_length, fd, fname)) {
- i_fatal("DH_generate_parameters(bits=%d, gen=%d) failed: %s",
- dh_length, DH_GENERATOR, ssl_last_error());
- }
- bits = 0;
- if (write_full(fd, &bits, sizeof(bits)) < 0)
- i_fatal("write_full() failed for file %s: %m", fname);
-}
-
-#endif
diff -r f7ebc677fdb9 -r 8b3ae8a07f31 src/ssl-params/ssl-params.c
--- a/src/ssl-params/ssl-params.c Fri Oct 31 17:04:58 2014 -0700
+++ b/src/ssl-params/ssl-params.c Fri Oct 31 17:05:31 2014 -0700
@@ -5,9 +5,11 @@
#include "buffer.h"
#include "file-lock.h"
#include "read-full.h"
+#include "write-full.h"
#include "master-interface.h"
#include "master-service.h"
#include "master-service-settings.h"
+#include "iostream-ssl.h"
#include "ssl-params-settings.h"
#include "ssl-params.h"
@@ -38,11 +40,12 @@
ssl_params_if_unchanged(const char *path, time_t mtime,
unsigned int ssl_dh_parameters_length ATTR_UNUSED)
{
- const char *temp_path;
+ const char *temp_path, *error;
struct file_lock *lock;
struct stat st, st2;
mode_t old_mask;
int fd, ret;
+ buffer_t *buf;
#ifdef HAVE_SETPRIORITY
if (setpriority(PRIO_PROCESS, 0, SSL_PARAMS_PRIORITY) < 0)
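Review bot: `ssl_dh_parameters_length` is still declared `ATTR_UNUSED` in the signature at the top of this hunk, but the new code later in this function passes it to `ssl_iostream_generate_params()` unconditionally (the old `#ifdef HAVE_SSL` wrapper that justified the attribute is gone), so the attribute is now stale and would mask a future regression where the length stops being consumed. Drop it: `unsigned int ssl_dh_parameters_length)`. The body of ssl_params_if_unchanged continues outside this hunk.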
@@ -99,9 +102,15 @@
i_fatal("ftruncate(%s) failed: %m", temp_path);
i_info("Generating SSL parameters");
-#ifdef HAVE_SSL
- ssl_generate_parameters(fd, ssl_dh_parameters_length, temp_path);
-#endif
+
+ buf = buffer_create_dynamic(pool_datastack_create(), 1024);
+ if (ssl_iostream_generate_params(buf, ssl_dh_parameters_length,
+ &error) < 0) {
+ i_fatal("ssl_iostream_generate_params(%u) failed: %s",
+ ssl_dh_parameters_length, error);
+ }
+ if (write_full(fd, buf->data, buf->used) < 0)
+ i_fatal("write(%s) failed: %m", temp_path);
if (rename(temp_path, path) < 0)
i_fatal("rename(%s, %s) failed: %m", temp_path, path);
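Review bot: Removing the `#ifdef HAVE_SSL` guard means a build without SSL support now calls `ssl_iostream_generate_params()` and, if the library reports an error, hits `i_fatal()` instead of silently producing an empty parameters file as before; whether that is acceptable depends on how lib-ssl-iostream behaves with no SSL backend, which this commit does not show (the Makefile.am hunk likewise links `libssl_iostream.la` unconditionally). The on-disk layout is now whatever the library serialises into `buf`, whereas the deleted ssl-params-openssl.c wrote an explicit `bits = 0` terminator after the last DH record; the reader of this file is outside the hunk, so confirm the library emits the same terminated layout or the existing parser will misread the file. `buf` is allocated with `pool_datastack_create()`, which is fine here because `write_full()` consumes it before any frame could be popped, but a comment such as `/* serialised by lib-ssl-iostream; must match the layout the reader expects */` above the `buffer_create_dynamic()` call would make that coupling explicit. ssl_params_if_unchanged starts and ends outside this hunk.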
diff -r f7ebc677fdb9 -r 8b3ae8a07f31 src/ssl-params/ssl-params.h
--- a/src/ssl-params/ssl-params.h Fri Oct 31 17:04:58 2014 -0700
+++ b/src/ssl-params/ssl-params.h Fri Oct 31 17:05:31 2014 -0700
@@ -12,6 +12,4 @@
void ssl_params_refresh(struct ssl_params *param);
-void ssl_generate_parameters(int fd, unsigned int dh_length, const char *fname);
-
#endif