Fix SSL CTX bug and add support for TLS1.1/1.2

SSL CTXs should be created after the SSL library initialization, and be kept until program termination. Also, TLS version 1.1 and 1.2 are now supported for secure connections.
2024-12-21 23:28:49 -05:00 · 2013-05-20 22:49:22 +02:00 · 2013-05-20 22:49:22 +02:00 · 594339056b
commit 594339056b
parent 7e8560f57a
4 changed files with 33 additions and 24 deletions
--- a/doc/imapfilter_config.5
+++ b/doc/imapfilter_config.5
@ -1,4 +1,4 @@
-.Dd April 25, 2012
+.Dd May 20, 2013
 .Dt IMAPFILTER_CONFIG 5
 .Os
 .Sh NAME
@ -241,9 +241,11 @@ Forces an imaps connection and specifies the SSL/TLS protocol to be used.  It
 takes a
 .Vt string
 as a value, specifically one of:
-.Dq ssl2 ,
 .Dq ssl3 ,
-.Dq tls1 .
+.Dq ssl23 ,
+.Dq tls1 ,
+.Dq tls11 ,
+.Dq tls12 .
 .El
 .Pp
 .Ss LISTING
--- a/src/imapfilter.c
+++ b/src/imapfilter.c
@ -21,6 +21,7 @@

 extern buffer ibuf, obuf, nbuf, cbuf;
 extern regexp responses[];
+extern SSL_CTX *ssl3ctx, *ssl23ctx, *tls1ctx, *tls11ctx, *tls12ctx;

 options opts;			/* Program options. */
 environment env;		/* Environment variables. */
@ -100,6 +101,11 @@ main(int argc, char *argv[])

 	SSL_library_init();
 	SSL_load_error_strings();
+	ssl3ctx = SSL_CTX_new(SSLv3_client_method());
+	ssl23ctx = SSL_CTX_new(SSLv23_client_method());
+	tls1ctx = SSL_CTX_new(TLSv1_client_method());
+	tls11ctx = SSL_CTX_new(TLSv1_1_client_method());
+	tls12ctx = SSL_CTX_new(TLSv1_2_client_method());

 	start_lua();
 #if LUA_VERSION_NUM < 502
@ -118,6 +124,11 @@ main(int argc, char *argv[])
 #endif
 	stop_lua();

+	SSL_CTX_free(ssl3ctx);
+	SSL_CTX_free(ssl23ctx);
+	SSL_CTX_free(tls1ctx);
+	SSL_CTX_free(tls11ctx);
+	SSL_CTX_free(tls12ctx);
 	ERR_free_strings();

 	regexp_free(responses);
--- a/src/request.c
+++ b/src/request.c
@ -167,9 +167,7 @@ request_login(session **ssnptr, const char *server, const char *port, const
 		ssn->username = user;
 		ssn->password = pass;

-		if ((!strncasecmp(ssl, "tls1", 4) ||
-		    !strncasecmp(ssl, "ssl3", 4) ||
-		    !strncasecmp(ssl, "ssl2", 4)))
+		if (strlen(ssl) != 0)
 			ssn->sslproto = ssl;
 	} else {
 		debug("recovering connection: %s://%s@%s:%s/%s\n",
--- a/src/socket.c
+++ b/src/socket.c
@ -17,6 +17,9 @@
 #include "session.h"


+SSL_CTX *ssl3ctx, *ssl23ctx, *tls1ctx, *tls11ctx, *tls12ctx;
+
+
 /*
 * Connect to mail server.
 */
@ -85,22 +88,20 @@ open_secure_connection(session *ssn)
 {
 	int r, e;
 	SSL_CTX *ctx;
-#if OPENSSL_VERSION_NUMBER >= 0x1000000fL
-	const SSL_METHOD *method;
-#else		
-	SSL_METHOD *method;
-#endif

-	method = NULL;
-
-	if (ssn->sslproto && (!strncasecmp(ssn->sslproto, "ssl3", 4) ||
-	    !strncasecmp(ssn->sslproto, "ssl2", 4)))
-		method = SSLv23_client_method();
-	else
-		method = TLSv1_client_method();
-
-	if (!(ctx = SSL_CTX_new(method)))
-		goto fail;
+	if (!ssn->sslproto) {
+		ctx = ssl23ctx;
+	} else if (!strcasecmp(ssn->sslproto, "ssl3")) {
+		ctx = ssl3ctx;
+	} else if (!strcasecmp(ssn->sslproto, "tls1")) {
+		ctx = tls1ctx;
+	} else if (!strcasecmp(ssn->sslproto, "tls11")) {
+		ctx = tls11ctx;
+	} else if (!strcasecmp(ssn->sslproto, "tls12")) {
+		ctx = tls12ctx;
+	} else {
+		ctx = ssl23ctx;
+	}

 	if (!(ssn->sslconn = SSL_new(ctx)))
 		goto fail;
@ -148,13 +149,10 @@ open_secure_connection(session *ssn)
 	if (get_option_boolean("certificates") && get_cert(ssn) == -1)
 		goto fail;

-	SSL_CTX_free(ctx);
-
 	return 0;

 fail:
 	ssn->sslconn = NULL;
-	SSL_CTX_free(ctx);

 	return -1;
 }