EXPORTED int backend_starttls( struct backend *s, struct tls_cmd_t *tls_cmd, const char *c_cert_file, const char *c_key_file) { #ifndef HAVE_SSL return -1; #else char *auth_id = NULL; int *layerp = NULL; int r = 0; if (tls_cmd) { char buf[2048]; /* send starttls command */ prot_printf(s->out, "%s\r\n", tls_cmd->cmd); prot_flush(s->out); /* check response */ if (!prot_fgets(buf, sizeof(buf), s->in) || strncmp(buf, tls_cmd->ok, strlen(tls_cmd->ok))) return -1; } r = tls_init_clientengine(5, c_cert_file, c_key_file); if (r == -1) return -1; /* SASL and openssl have different ideas about whether ssf is signed */ layerp = (int *) &s->ext_ssf; r = tls_start_clienttls(s->in->fd, s->out->fd, layerp, &auth_id, &s->tlsconn, &s->tlssess); if (r == -1) return -1; if (s->saslconn) { r = sasl_setprop(s->saslconn, SASL_SSF_EXTERNAL, &s->ext_ssf); if (r == SASL_OK) r = sasl_setprop(s->saslconn, SASL_AUTH_EXTERNAL, auth_id); if (auth_id) free(auth_id); if (r != SASL_OK) return -1; } prot_settls(s->in, s->tlsconn); prot_settls(s->out, s->tlsconn); ask_capability(s, /*dobanner*/1, tls_cmd->auto_capa); return 0; #endif /* HAVE_SSL */ }
static int do_starttls(struct backend *s) { #ifndef HAVE_SSL return -1; #else const struct tls_cmd_t *tls_cmd = &s->prot->tls_cmd; char buf[2048]; int r; int *layerp; char *auth_id; sasl_ssf_t ssf; /* send starttls command */ prot_printf(s->out, "%s\r\n", tls_cmd->cmd); prot_flush(s->out); /* check response */ if (!prot_fgets(buf, sizeof(buf), s->in) || strncmp(buf, tls_cmd->ok, strlen(tls_cmd->ok))) return -1; r = tls_init_clientengine(5, "", ""); if (r == -1) return -1; /* SASL and openssl have different ideas about whether ssf is signed */ layerp = (int *) &ssf; r = tls_start_clienttls(s->in->fd, s->out->fd, layerp, &auth_id, &s->tlsconn, &s->tlssess); if (r == -1) return -1; r = sasl_setprop(s->saslconn, SASL_SSF_EXTERNAL, &ssf); if (r == SASL_OK) r = sasl_setprop(s->saslconn, SASL_AUTH_EXTERNAL, auth_id); if (auth_id) free(auth_id); if (r != SASL_OK) return -1; prot_settls(s->in, s->tlsconn); prot_settls(s->out, s->tlsconn); ask_capability(s, /*dobanner*/1, s->prot->tls_cmd.auto_capa); return 0; #endif /* HAVE_SSL */ }