13
/* int tls_mgr_policy(cache_type, cachable)
13
/* int tls_mgr_policy(cache_type, cachable, timeout)
14
14
/* const char *cache_type;
17
18
/* int tls_mgr_update(cache_type, cache_id, buf, len)
18
19
/* const char *cache_type;
28
29
/* int tls_mgr_delete(cache_type, cache_id)
29
30
/* const char *cache_type;
30
31
/* const char *cache_id;
33
/* TLS_TICKET_KEY *tls_mgr_key(keyname, timeout)
34
/* unsigned char *keyname;
32
37
/* These routines communicate with the tlsmgr(8) server for
33
38
/* entropy and session cache management. Since these are
48
53
/* tls_mgr_delete() removes specified session from
49
54
/* the specified session cache.
56
/* tls_mgr_key() is used to retrieve the current TLS session ticket
57
/* encryption or decryption keys.
53
61
/* One of TLS_MGR_SCACHE_SMTPD, TLS_MGR_SCACHE_SMTP or
54
62
/* TLS_MGR_SCACHE_LMTP.
56
64
/* Pointer to int, set non-zero if the requested cache_type
67
/* Pointer to int, returns the cache entry timeout.
59
69
/* The session cache lookup key.
61
71
/* The result or input buffer.
63
73
/* The length of the input buffer, or the amount of data requested.
75
/* Is null when requesting the current encryption keys. Otherwise,
76
/* keyname is a pointer to an array of TLS_TICKET_NAMELEN unsigned
77
/* chars (not NUL terminated) that is an identifier for a key
78
/* previously used to encrypt a session ticket. When encrypting
79
/* a null result indicates that session tickets are not supported, when
80
/* decrypting it indicates that no matching keys were found.
82
/* The encryption key timeout. Once a key has been active for this many
83
/* seconds it is retired and used only for decrypting previously issued
84
/* session tickets for another timeout seconds, and is then destroyed.
85
/* The timeout must not be longer than half the SSL session lifetime.
65
87
/* All client functions return one of the following status codes:
66
88
/* .IP TLS_MGR_STAT_OK
104
126
#include <vstring.h>
105
127
#include <attr.h>
106
128
#include <attr_clnt.h>
129
#include <mymalloc.h>
130
#include <stringops.h>
108
132
/* Global library. */
110
134
#include <mail_params.h>
111
135
#include <mail_proto.h>
112
138
#include <tls_mgr.h>
114
140
/* Application-specific. */
142
#define STR(x) vstring_str(x)
143
#define LEN(x) VSTRING_LEN(x)
116
145
static ATTR_CLNT *tls_mgr;
118
147
/* tls_mgr_open - create client handle */
120
149
static void tls_mgr_open(void)
130
160
* Use whatever IPC is preferred for internal use: UNIX-domain sockets or
131
161
* Solaris streams.
133
#ifndef VAR_TLS_MGR_SERVICE
134
tls_mgr = attr_clnt_create("local:" TLS_MGR_CLASS "/" TLS_MGR_SERVICE,
135
var_ipc_timeout, var_ipc_idle_limit,
138
tls_mgr = attr_clnt_create(var_tlsmgr_service, var_ipc_timeout,
163
service = concatenate("local:" TLS_MGR_CLASS "/", var_tls_mgr_service,
165
tls_mgr = attr_clnt_create(service, var_ipc_timeout,
139
166
var_ipc_idle_limit, var_ipc_ttl_limit);
141
169
attr_clnt_control(tls_mgr,
142
170
ATTR_CLNT_CTL_PROTO, attr_vprint, attr_vscan,
143
171
ATTR_CLNT_CTL_END);
174
202
/* tls_mgr_policy - request caching policy */
176
int tls_mgr_policy(const char *cache_type, int *cachable)
204
int tls_mgr_policy(const char *cache_type, int *cachable, int *timeout)
194
222
ATTR_FLAG_MISSING, /* Reply attributes */
195
223
ATTR_TYPE_INT, TLS_MGR_ATTR_STATUS, &status,
196
224
ATTR_TYPE_INT, TLS_MGR_ATTR_CACHABLE, cachable,
225
ATTR_TYPE_INT, TLS_MGR_ATTR_SESSTOUT, timeout,
198
227
status = TLS_MGR_STAT_FAIL;
319
/* request_scache_key - ask tlsmgr(8) for matching key */
321
static TLS_TICKET_KEY *request_scache_key(unsigned char *keyname)
324
static VSTRING *keybuf;
330
* Create the tlsmgr client handle.
336
keybuf = vstring_alloc(sizeof(tmp));
338
/* In tlsmgr requests we encode null key names as empty strings. */
339
name = keyname ? (char *) keyname : "";
340
len = keyname ? TLS_TICKET_NAMELEN : 0;
343
* Send the request and receive the reply.
345
if (attr_clnt_request(tls_mgr,
346
ATTR_FLAG_NONE, /* Request */
347
ATTR_TYPE_STR, TLS_MGR_ATTR_REQ, TLS_MGR_REQ_TKTKEY,
348
ATTR_TYPE_DATA, TLS_MGR_ATTR_KEYNAME, len, name,
350
ATTR_FLAG_MISSING, /* Reply */
351
ATTR_TYPE_INT, TLS_MGR_ATTR_STATUS, &status,
352
ATTR_TYPE_DATA, TLS_MGR_ATTR_KEYBUF, keybuf,
354
|| status != TLS_MGR_STAT_OK
355
|| LEN(keybuf) != sizeof(tmp))
358
memcpy((char *) &tmp, STR(keybuf), sizeof(tmp));
359
return (tls_scache_key_rotate(&tmp));
362
/* tls_mgr_key - session ticket key lookup, local cache, then tlsmgr(8) */
364
TLS_TICKET_KEY *tls_mgr_key(unsigned char *keyname, int timeout)
366
TLS_TICKET_KEY *key = 0;
367
time_t now = time((time_t *) 0);
369
/* A zero timeout disables session tickets. */
373
if ((key = tls_scache_key(keyname, now, timeout)) == 0)
374
key = request_scache_key(keyname);
292
380
/* System library. */
307
395
/* Application-specific. */
309
#define STR(x) vstring_str(x)
310
#define LEN(x) VSTRING_LEN(x)
312
397
int main(int unused_ac, char **av)
314
399
VSTRING *inbuf = vstring_alloc(10);
335
419
#define COMMAND(argv, str, len) \
336
420
(strcasecmp(argv->argv[0], str) == 0 && argv->argc == len)
338
422
if (COMMAND(argv, "policy", 2)) {
341
status = tls_mgr_policy(argv->argv[1], &cachable);
342
vstream_printf("status=%d cachable=%d\n", status, cachable);
426
status = tls_mgr_policy(argv->argv[1], &cachable, &timeout);
427
vstream_printf("status=%d cachable=%d timeout=%d\n",
428
status, cachable, timeout);
343
429
} else if (COMMAND(argv, "seed", 2)) {
344
430
VSTRING *buf = vstring_alloc(10);
345
431
VSTRING *hex = vstring_alloc(10);