static int server_connection_init_ssl(struct server_connection *conn)
{
struct ssl_iostream_settings ssl_set;
const char *error;
if (conn->server->ssl_ctx == NULL)
return 0;
memset(&ssl_set, 0, sizeof(ssl_set));
ssl_set.verify_remote_cert = TRUE;
ssl_set.require_valid_cert = TRUE;
ssl_set.verbose_invalid_cert = TRUE;
if (io_stream_create_ssl_client(conn->server->ssl_ctx,
conn->server->name, &ssl_set,
&conn->input, &conn->output,
&conn->ssl_iostream, &error) < 0) {
i_error("Couldn't initialize SSL client: %s", error);
return -1;
}
ssl_iostream_set_handshake_callback(conn->ssl_iostream,
server_connection_ssl_handshaked,
conn);
if (ssl_iostream_handshake(conn->ssl_iostream) < 0) {
i_error("SSL handshake failed: %s",
ssl_iostream_get_last_error(conn->ssl_iostream));
return -1;
}
return 0;
}
int cmd_starttls(struct client *client)
{
struct ostream *plain_output = client->output;
const char *error;
if (client->ssl_iostream != NULL) {
o_stream_nsend_str(client->output,
"443 5.5.1 TLS is already active.\r\n");
return 0;
}
if (master_service_ssl_init(master_service,
&client->input, &client->output,
&client->ssl_iostream, &error) < 0) {
i_error("TLS initialization failed: %s", error);
o_stream_nsend_str(client->output,
"454 4.7.0 Internal error, TLS not available.\r\n");
return 0;
}
o_stream_nsend_str(plain_output,
"220 2.0.0 Begin TLS negotiation now.\r\n");
if (ssl_iostream_handshake(client->ssl_iostream) < 0) {
client_destroy(client, NULL, NULL);
return -1;
}
return 0;
}
int openssl_iostream_more(struct ssl_iostream *ssl_io)
{
int ret;
if (!ssl_io->handshaked) {
if ((ret = ssl_iostream_handshake(ssl_io)) <= 0)
return ret;
}
(void)openssl_iostream_bio_sync(ssl_io);
return 1;
}
static int pop3c_client_ssl_init(struct pop3c_client *client)
{
struct ssl_iostream_settings ssl_set;
struct stat st;
const char *error;
if (client->ssl_ctx == NULL) {
i_error("pop3c(%s): No SSL context", client->set.host);
return -1;
}
memset(&ssl_set, 0, sizeof(ssl_set));
if (client->set.ssl_verify) {
ssl_set.verbose_invalid_cert = TRUE;
ssl_set.verify_remote_cert = TRUE;
ssl_set.require_valid_cert = TRUE;
}
if (client->set.debug)
i_debug("pop3c(%s): Starting SSL handshake", client->set.host);
if (client->raw_input != client->input) {
/* recreate rawlog after STARTTLS */
i_stream_ref(client->raw_input);
o_stream_ref(client->raw_output);
i_stream_destroy(&client->input);
o_stream_destroy(&client->output);
client->input = client->raw_input;
client->output = client->raw_output;
}
if (io_stream_create_ssl_client(client->ssl_ctx, client->set.host,
&ssl_set, &client->input, &client->output,
&client->ssl_iostream, &error) < 0) {
i_error("pop3c(%s): Couldn't initialize SSL client: %s",
client->set.host, error);
return -1;
}
ssl_iostream_set_handshake_callback(client->ssl_iostream,
pop3c_client_ssl_handshaked,
client);
if (ssl_iostream_handshake(client->ssl_iostream) < 0) {
i_error("pop3c(%s): SSL handshake failed: %s", client->set.host,
ssl_iostream_get_last_error(client->ssl_iostream));
return -1;
}
if (*client->set.rawlog_dir != '\0' &&
stat(client->set.rawlog_dir, &st) == 0) {
iostream_rawlog_create(client->set.rawlog_dir,
&client->input, &client->output);
}
return 0;
}
static int client_connection_init_ssl(struct client_connection *conn)
{
if (master_service_ssl_init(master_service,
&conn->input, &conn->output,
&conn->ssl_iostream) < 0)
return -1;
if (ssl_iostream_handshake(conn->ssl_iostream) < 0) {
i_error("SSL handshake failed: %s",
ssl_iostream_get_last_error(conn->ssl_iostream));
return -1;
}
return 0;
}
