WIP tls: move server-side ALPN negotiation into tls_init_serverengine

cyrusimap · Oct 28, 2024 · 78f4949 · 78f4949
1 parent 0ddd4ab
commit 78f4949
Show file tree

Hide file tree

Showing 11 changed files with 76 additions and 83 deletions.
diff --git a/cunit/backend.testc b/cunit/backend.testc
@@ -1210,8 +1210,11 @@ static void cmd_starttls(struct server_state *state)
     SSL *tls_conn = NULL;
     static struct saslprops_t saslprops = SASLPROPS_INITIALIZER;
 
-    r = tls_init_serverengine("backend_test", /*verifydepth*/5,
-                              /*askcert*/1, NULL);
+    r = tls_init_serverengine("backend_test",
+                              /*verifydepth*/5,
+                              /*askcert*/1,
+                              /*ALPN*/NULL,
+                              NULL);
     if (r < 0) {
         server_printf(state, "BAD error initializing TLS\r\n");
         server_flush(state);

diff --git a/imap/httpd.c b/imap/httpd.c
@@ -1289,16 +1289,16 @@ static int tls_init(int client_auth, struct buf *serverinfo)
     if (!tls_enabled()) return HTTP_UNAVAILABLE;
 
     SSL_CTX *ctx = NULL;
-    if (tls_init_serverengine("http", 5 /* depth */, client_auth, &ctx) == -1) {
+    if (tls_init_serverengine("http",
+                              5 /* depth */,
+                              client_auth,
+                              http_alpn_map,
+                              &ctx) == -1)
+    {
         syslog(LOG_ERR, "error initializing TLS");
         return HTTP_SERVER_ERROR;
     }
 
-#ifdef HAVE_TLS_ALPN
-    /* enable TLS ALPN extension */
-    SSL_CTX_set_alpn_select_cb(ctx, tls_alpn_select, (void *) http_alpn_map);
-#endif
-
     httpd_tls_enabled = 1;
 
     return 0;

diff --git a/imap/imapd.c b/imap/imapd.c
@@ -9301,6 +9301,7 @@ static void cmd_starttls(char *tag, int imaps)
     result=tls_init_serverengine("imap",
                                  5,        /* depth to verify */
                                  !imaps,   /* can client auth? */
+                                 imap_alpn_map,
                                  &ctx);
 
     if (result == -1) {
@@ -9316,11 +9317,6 @@ static void cmd_starttls(char *tag, int imaps)
         return;
     }
 
-#ifdef HAVE_TLS_ALPN
-    /* enable TLS ALPN extension */
-    SSL_CTX_set_alpn_select_cb(ctx, tls_alpn_select, (void *) imap_alpn_map);
-#endif
-
     if (imaps == 0)
     {
         prot_printf(imapd_out, "%s OK Begin TLS negotiation now\r\n", tag);

diff --git a/imap/lmtpengine.c b/imap/lmtpengine.c
@@ -1439,8 +1439,9 @@ void lmtpmode(struct lmtp_func *func,
                 }
 
                 r=tls_init_serverengine("lmtp",
-                                        5,   /* depth to verify */
-                                        1,   /* can client auth? */
+                                        5,    /* depth to verify */
+                                        1,    /* can client auth? */
+                                        NULL, /* no ALPN id for lmtp */
                                         NULL);
 
                 if (r == -1) {

diff --git a/imap/mupdate.c b/imap/mupdate.c
@@ -1974,6 +1974,7 @@ static void cmd_starttls(struct conn *C, const char *tag)
     result=tls_init_serverengine("mupdate",
                                  5,        /* depth to verify */
                                  1,        /* can client auth? */
+                                 NULL,     /* no ALPN id for mupdate */
                                  NULL);
 
     if (result == -1) {

diff --git a/imap/nntpd.c b/imap/nntpd.c
@@ -4021,8 +4021,9 @@ static void cmd_starttls(int nntps)
 
     SSL_CTX *ctx = NULL;
     result=tls_init_serverengine("nntp",
-                                 5,        /* depth to verify */
-                                 !nntps,   /* can client auth? */
+                                 5,             /* depth to verify */
+                                 !nntps,        /* can client auth? */
+                                 nntp_alpn_map, /* ALPN protocols */
                                  &ctx);
 
     if (result == -1) {
@@ -4037,11 +4038,6 @@ static void cmd_starttls(int nntps)
         return;
     }
 
-#ifdef HAVE_TLS_ALPN
-    /* enable TLS ALPN extension */
-    SSL_CTX_set_alpn_select_cb(ctx, tls_alpn_select, (void *) nntp_alpn_map);
-#endif
-
     if (nntps == 0)
     {
         prot_printf(nntp_out, "382 %s\r\n", "Begin TLS negotiation now");

diff --git a/imap/pop3d.c b/imap/pop3d.c
@@ -1169,8 +1169,9 @@ static void cmd_starttls(int pop3s)
 
     SSL_CTX *ctx = NULL;
     result=tls_init_serverengine("pop3",
-                                 5,        /* depth to verify */
-                                 !pop3s,   /* can client auth? */
+                                 5,             /* depth to verify */
+                                 !pop3s,        /* can client auth? */
+                                 pop3_alpn_map, /* ALPN protocols */
                                  &ctx);
 
     if (result == -1) {
@@ -1185,11 +1186,6 @@ static void cmd_starttls(int pop3s)
         return;
     }
 
-#ifdef HAVE_TLS_ALPN
-    /* enable TLS ALPN extension */
-    SSL_CTX_set_alpn_select_cb(ctx, tls_alpn_select, (void *) pop3_alpn_map);
-#endif
-
     if (pop3s == 0)
     {
         prot_printf(popd_out, "+OK %s\r\n", "Begin TLS negotiation now");

diff --git a/imap/sync_server.c b/imap/sync_server.c
@@ -837,6 +837,7 @@ static void cmd_starttls(void)
     result=tls_init_serverengine("csync",
                                  5,        /* depth to verify */
                                  1,        /* can client auth? */
+                                 NULL,     /* no ALPN id for csync */
                                  NULL);
 
     if (result == -1) {

diff --git a/imap/tls.c b/imap/tls.c
@@ -716,6 +716,41 @@ static int tls_rand_init(void)
 #endif
 }
 
+/* Select an application protocol from the client list in order of preference */
+static int alpn_select_cb(SSL *ssl __attribute__((unused)),
+                          const unsigned char **out, unsigned char *outlen,
+                          const unsigned char *in, unsigned int inlen,
+                          void *server_list)
+{
+    strarray_t ids = STRARRAY_INITIALIZER;
+
+    for (; inlen; inlen -= (in[0] + 1), in += in[0] + 1) {
+        struct tls_alpn_t *alpn;
+
+        for (alpn = (struct tls_alpn_t *) server_list; alpn->id; alpn++) {
+            if ((in[0] == strlen(alpn->id)) &&
+                memcmp(alpn->id, in + 1, in[0]) == 0 &&
+                (!alpn->check_availabilty || alpn->check_availabilty(alpn->rock))) {
+
+                strarray_fini(&ids);
+
+                *out = in + 1;
+                *outlen = in[0];
+                return SSL_TLSEXT_ERR_OK;
+            }
+        }
+
+        strarray_appendm(&ids, xstrndup((const char *) in + 1, in[0]));
+    }
+
+    char *proto = strarray_join(&ids, ", ");
+    xsyslog(LOG_NOTICE, "ALPN failed", "proto=<%s>", proto);
+    free(proto);
+    strarray_fini(&ids);
+
+    return SSL_TLSEXT_ERR_ALERT_FATAL;
+}
+
  /*
   * This is the setup routine for the SSL server. As smtpd might be called
   * more than once, we only want to do the initialization one time.
@@ -727,10 +762,11 @@ static int tls_rand_init(void)
 
 /* must be called after cyrus_init */
 // I am the server
-EXPORTED int     tls_init_serverengine(const char *ident,
-                              int verifydepth,
-                              int askcert,
-                              SSL_CTX **ret)
+EXPORTED int tls_init_serverengine(const char *ident,
+                                   int verifydepth,
+                                   int askcert,
+                                   const struct tls_alpn_t *alpn_map,
+                                   SSL_CTX **ret)
 {
     int     off = 0;
     int     verify_flags = SSL_VERIFY_NONE;
@@ -1082,6 +1118,13 @@ EXPORTED int     tls_init_serverengine(const char *ident,
         free(tofree);
     }
 
+#ifdef HAVE_TLS_ALPN
+    if (alpn_map)
+        SSL_CTX_set_alpn_select_cb(s_ctx, alpn_select_cb, (void *) alpn_map);
+    else
+        SSL_CTX_set_alpn_select_cb(s_ctx, NULL, NULL);
+#endif
+
     tls_serverengine = 1;
     if (ret) *ret = s_ctx;
 
@@ -1751,41 +1794,6 @@ HIDDEN int tls_start_clienttls(int readfd, int writefd,
     return r;
 }
 
-/* Select an application protocol from the client list in order of preference */
-EXPORTED int tls_alpn_select(SSL *ssl __attribute__((unused)),
-                             const unsigned char **out, unsigned char *outlen,
-                             const unsigned char *in, unsigned int inlen,
-                             void *server_list)
-{
-    strarray_t ids = STRARRAY_INITIALIZER;
-
-    for (; inlen; inlen -= (in[0] + 1), in += in[0] + 1) {
-        struct tls_alpn_t *alpn;
-
-        for (alpn = (struct tls_alpn_t *) server_list; alpn->id; alpn++) {
-            if ((in[0] == strlen(alpn->id)) &&
-                memcmp(alpn->id, in + 1, in[0]) == 0 &&
-                (!alpn->check_availabilty || alpn->check_availabilty(alpn->rock))) {
-
-                strarray_fini(&ids);
-
-                *out = in + 1;
-                *outlen = in[0];
-                return SSL_TLSEXT_ERR_OK;
-            }
-        }
-
-        strarray_appendm(&ids, xstrndup((const char *) in + 1, in[0]));
-    }
-
-    char *proto = strarray_join(&ids, ", ");
-    xsyslog(LOG_NOTICE, "ALPN failed", "proto=<%s>", proto);
-    free(proto);
-    strarray_fini(&ids);
-
-    return SSL_TLSEXT_ERR_ALERT_FATAL;
-}
-
 #else
 
 EXPORTED int tls_enabled(void)

diff --git a/imap/tls.h b/imap/tls.h
@@ -67,8 +67,9 @@ struct tls_alpn_t {
 
 /* init tls */
 int tls_init_serverengine(const char *ident,
-                          int verifydepth, /* depth to verify */
-                          int askcert,     /* 1 = client auth */
+                          int verifydepth,                   /* depth to verify */
+                          int askcert,                       /* 1 = client auth */
+                          const struct tls_alpn_t *alpn_map, /* ALPN protocols */
                           SSL_CTX **ret);
 
 int tls_init_clientengine(int verifydepth,
@@ -95,12 +96,6 @@ int tls_prune_sessions(void);
 /* fill string buffer with info about tls connection */
 int tls_get_info(SSL *conn, char *buf, size_t len);
 
-/* Select an application protocol from the client list in order of preference */
-int tls_alpn_select(SSL *ssl,
-                    const unsigned char **out, unsigned char *outlen,
-                    const unsigned char *in, unsigned int inlen,
-                    void *server_list);
-
 #endif /* HAVE_SSL */
 
 #endif /* INCLUDED_TLS_H */
diff --git a/timsieved/parser.c b/timsieved/parser.c
@@ -935,8 +935,9 @@ static int cmd_starttls(struct protstream *sieved_out,
 
     SSL_CTX *ctx = NULL;
     result=tls_init_serverengine("sieve",
-                                 5,        /* depth to verify */
-                                 1,        /* can client auth? */
+                                 5,              /* depth to verify */
+                                 1,              /* can client auth? */
+                                 sieve_alpn_map, /* ALPN protocols */
                                  &ctx);
 
     if (result == -1) {
@@ -948,11 +949,6 @@ static int cmd_starttls(struct protstream *sieved_out,
         return TIMSIEVE_FAIL;
     }
 
-#ifdef HAVE_TLS_ALPN
-    /* enable TLS ALPN extension */
-    SSL_CTX_set_alpn_select_cb(ctx, tls_alpn_select, (void *) sieve_alpn_map);
-#endif
-
     prot_printf(sieved_out, "OK \"Begin TLS negotiation now\"\r\n");
     /* must flush our buffers before starting tls */
     prot_flush(sieved_out);