Attachment #5345 for bug #7199

View | Details | Raw Unified | Return to bug 7199
Collapse All | Expand All




    unsigned int throwaway;
    SSL_CTX *ctx = NULL;
    SSL *ssl = NULL;
    const SSL_METHOD *meth;
    char zlib_on = 0;
    unsigned char *zlib_buf = NULL;
    int zlib_bufsiz = 0;

    if (flags & SPAMC_USE_SSL) {
#ifdef SPAMC_SSL
	SSLeay_add_ssl_algorithms();
	meth = SSLv23_client_method();
	    meth = TLSv1_client_method();
	} else {
	    meth = SSLv3_client_method(); /* default */
	}
	SSL_load_error_strings();
	ctx = SSL_CTX_new(meth);
#else

    int failureval;
    SSL_CTX *ctx = NULL;
    SSL *ssl = NULL;
    const SSL_METHOD *meth;

    assert(tp != NULL);
    assert(m != NULL);

    if (flags & SPAMC_USE_SSL) {
#ifdef SPAMC_SSL
	SSLeay_add_ssl_algorithms();
	meth = SSLv23_client_method();
	SSL_load_error_strings();
	ctx = SSL_CTX_new(meth);
#else




            case 'S':
            {
                flags |= SPAMC_USE_SSL;
                if(spamc_optarg) {
                    libspamc_log(flags, LOG_ERR,
                        "Explicit specification of an SSL/TLS version no longer supported.");
                    ret = EX_USAGE;
                }
		}
		else {
		    libspamc_log(flags, LOG_ERR, "Please specify a legal ssl version (%s)", spamc_optarg);
		    ret = EX_USAGE;
		}
                break;
            }
#endif




  'sql-config!'              => \$opt{'sql-config'},
  'ssl'                      => \$opt{'ssl'},
  'ssl-port=s'               => \$opt{'ssl-port'},
  'ssl-version=s'            => \$opt{'ssl-version'},
  'syslog-socket=s'          => \$opt{'syslog-socket'},
  'syslog|s=s'               => \$opt{'syslog'},
  'log-timestamp-fmt:s'      => \$opt{'log-timestamp-fmt'},


# Do whitelist later in tmp dir. Side effect: this will be done as -u user.

my $sslversion = $opt{'ssl-version'} || 'sslv3';
if ($sslversion !~ /^(?:sslv3|tlsv1)$/) {
  die "spamd: invalid ssl-version: $opt{'ssl-version'}\n";
}

$opt{'server-key'}  ||= "$LOCAL_RULES_DIR/certs/server-key.pem";
$opt{'server-cert'} ||= "$LOCAL_RULES_DIR/certs/server-cert.pem";


                      $socket_info->{ip_addr}, $socket_info->{port}));

    } elsif ($socket->isa('IO::Socket::SSL')) {
      push(@listeninfo, sprintf("SSL [%r]:%s", $socket_info->{ip_addr},
                      $socket_info->{port}));
                      $opt{'ssl-version'}||'sslv3'));
    }
  }


    $sockopt{V6Only} = 1  if $io_socket_module_name eq 'IO::Socket::IP'
                             && IO::Socket::IP->VERSION >= 0.09;
    %sockopt = (%sockopt, (
      SSL_version     => $sslversion,
      SSL_verify_mode => 0x00,
      SSL_key_file    => $opt{'server-key'},
      SSL_cert_file   => $opt{'server-cert'},

    if (!$server_inet) {
      $diag = sprintf("could not create %s socket on [%s]:%s: %s",
                      $ssl ? 'IO::Socket::SSL' : $io_socket_module_name,
                      $adr, $port, $ssl && $IO::Socket::SSL::SSL_ERROR ?
                      "$!,$IO::Socket::SSL::SSL_ERROR" : $!);
      push(@diag_fail, $diag);
    } else {
      $diag = sprintf("created %s socket on [%s]:%s",

 -H [dir], --helper-home-dir[=dir] Specify a different HOME directory
 --ssl                             Enable SSL on TCP connections
 --ssl-port port                   Override --port setting for SSL connections
 --ssl-version sslversion          Specify SSL protocol version to use
 --server-key keyfile              Specify an SSL keyfile
 --server-cert certfile            Specify an SSL certificate
 --socketpath=path                 Listen on a given UNIX domain socket

SSL connections (default: whatever --port uses).  See B<--ssl> for
more details.

=item B<--ssl-version>=I<sslversion>

Specify the SSL protocol version to use, one of B<sslv3> or B<tlsv1>.
The default, B<sslv3>, is the most flexible, accepting a SSLv3 or
higher hello handshake, then negotiating use of SSLv3 or TLSv1
protocol if the client can accept it.  Specifying B<--ssl-version>
implies B<--ssl>.

=item B<--server-key> I<keyfile>

Specify the SSL key file to use for SSL connections.




Sleep for I<sleep> seconds between failed spamd filtering attempts.
The default is 1 second.

=item B<-S>, B<--ssl>, B<--ssl>

If spamc was built with support for SSL, encrypt data to and from the
spamd process with SSL; spamd must support SSL as well.
I<sslversion> specifies the SSL protocol version to use, either
C<sslv3>, or C<tlsv1>. The default, is C<sslv3>.

=item B<-t> I<timeout>, B<--timeout>=I<timeout>





#!/usr/bin/perl

use lib '.'; use lib 't';
use SATest; sa_t_init("spamd_ssl_tls");
use Test; plan tests => (($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE) ? 0 : 9);

exit if ($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE);

# ---------------------------------------------------------------------------

%patterns = (

q{ Return-Path: sb55sb55@yahoo.com}, 'firstline',
q{ Subject: There yours for FREE!}, 'subj',
q{ X-Spam-Status: Yes, score=}, 'status',
q{ X-Spam-Flag: YES}, 'flag',
q{ X-Spam-Level: **********}, 'stars',
q{ TEST_ENDSNUMS}, 'endsinnums',
q{ TEST_NOREALNAME}, 'noreal',
q{ This must be the very last line}, 'lastline',


);

ok (sdrun ("-L --ssl --ssl-version=tlsv1 --server-key data/etc/testhost.key --server-cert data/etc/testhost.cert",
           "--ssl=tlsv1 < data/spam/001",
           \&patterns_run_cb));
ok_all_patterns();




#!/usr/bin/perl

use lib '.'; use lib 't';
use SATest; sa_t_init("spamd_sslv3");
use Test; plan tests => (($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE) ? 0 : 9);

exit if ($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE);

# ---------------------------------------------------------------------------

%patterns = (

q{ Return-Path: sb55sb55@yahoo.com}, 'firstline',
q{ Subject: There yours for FREE!}, 'subj',
q{ X-Spam-Status: Yes, score=}, 'status',
q{ X-Spam-Flag: YES}, 'flag',
q{ X-Spam-Level: **********}, 'stars',
q{ TEST_ENDSNUMS}, 'endsinnums',
q{ TEST_NOREALNAME}, 'noreal',
q{ This must be the very last line}, 'lastline',


);

ok (sdrun ("-L --ssl --ssl-version=sslv3 --server-key data/etc/testhost.key --server-cert data/etc/testhost.cert",
           "--ssl=sslv3 < data/spam/001",
           \&patterns_run_cb));
ok_all_patterns();

Lines 23-31 q{ This must be the very last line}, 'la Link Here

(-)trunk/t/spamd_ssl_accept_fail.t (-2 / +2 lines)
23		23
24	);	24	);
25		25
26	ok (start_spamd ("-L --ssl --ssl-version=sslv3 --server-key data/etc/testhost.key --server-cert data/etc/testhost.cert"));	26	ok (start_spamd ("-L --ssl --server-key data/etc/testhost.key --server-cert data/etc/testhost.cert"));
27	ok (spamcrun ("< data/spam/001", \&patterns_run_cb));	27	ok (spamcrun ("< data/spam/001", \&patterns_run_cb));
28	ok (spamcrun ("--ssl=sslv3 < data/spam/001", \&patterns_run_cb));	28	ok (spamcrun ("--ssl < data/spam/001", \&patterns_run_cb));
29	ok (stop_spamd ());	29	ok (stop_spamd ());
30		30
31	ok_all_patterns();	31	ok_all_patterns();

Lines 2-11 Link Here

(-)trunk/t/spamd_ssl.t (-4 / +1 lines)
2		2
3	use lib '.'; use lib 't';	3	use lib '.'; use lib 't';
4	use SATest; sa_t_init("spamd_ssl");	4	use SATest; sa_t_init("spamd_ssl");
5	use Test; plan tests => (($SKIP_SPAMD_TESTS \|\| !$SSL_AVAILABLE) ? 0 : 9),	5	use Test; plan tests => (($SKIP_SPAMD_TESTS \|\| !$SSL_AVAILABLE) ? 0 : 9);
6	onfail => sub {
7	warn "\n\nNote: This may not be a SpamAssassin bug, as some platforms require that you" .
8	"\nspecify a protocol in spamc --ssl option, and possibly in spamd --ssl-version.\n\n" };
9		6
10	exit if ($SKIP_SPAMD_TESTS \|\| !$SSL_AVAILABLE);	7	exit if ($SKIP_SPAMD_TESTS \|\| !$SSL_AVAILABLE);
11		8

Lines 513-520 t/spamd_report_ifspam.t Link Here

(-)trunk/MANIFEST (-2 lines)
513	t/spamd_sql_prefs.t	513	t/spamd_sql_prefs.t
514	t/spamd_ssl.t	514	t/spamd_ssl.t
515	t/spamd_ssl_accept_fail.t	515	t/spamd_ssl_accept_fail.t
516	t/spamd_ssl_tls.t
517	t/spamd_ssl_v3.t
518	t/spamd_stop.t	516	t/spamd_stop.t
519	t/spamd_symbols.t	517	t/spamd_symbols.t
520	t/spamd_syslog.t	518	t/spamd_syslog.t

Return to bug 7199

Lines 1187-1193 int message_filter(struct transport *tp, Link Here

(-)trunk/spamc/libspamc.c (-8 / +4 lines)
1187	unsigned int throwaway;	1187	unsigned int throwaway;
1188	SSL_CTX *ctx = NULL;	1188	SSL_CTX *ctx = NULL;
1189	SSL *ssl = NULL;	1189	SSL *ssl = NULL;
1190	SSL_METHOD *meth;	1190	const SSL_METHOD *meth;
1191	char zlib_on = 0;	1191	char zlib_on = 0;
1192	unsigned char *zlib_buf = NULL;	1192	unsigned char *zlib_buf = NULL;
1193	int zlib_bufsiz = 0;	1193	int zlib_bufsiz = 0;
Lines 1213-1223 int message_filter(struct transport *tp, Link Here
1213	if (flags & SPAMC_USE_SSL) {	1213	if (flags & SPAMC_USE_SSL) {
1214	#ifdef SPAMC_SSL	1214	#ifdef SPAMC_SSL
1215	SSLeay_add_ssl_algorithms();	1215	SSLeay_add_ssl_algorithms();
1216	if (flags & SPAMC_TLSV1) {	1216	meth = SSLv23_client_method();
1217	meth = TLSv1_client_method();
1218	} else {
1219	meth = SSLv3_client_method(); /* default */
1220	}
1221	SSL_load_error_strings();	1217	SSL_load_error_strings();
1222	ctx = SSL_CTX_new(meth);	1218	ctx = SSL_CTX_new(meth);
1223	#else	1219	#else
Lines 1596-1602 int message_tell(struct transport *tp, c Link Here
1596	int failureval;	1592	int failureval;
1597	SSL_CTX *ctx = NULL;	1593	SSL_CTX *ctx = NULL;
1598	SSL *ssl = NULL;	1594	SSL *ssl = NULL;
1599	SSL_METHOD *meth;	1595	const SSL_METHOD *meth;
1600		1596
1601	assert(tp != NULL);	1597	assert(tp != NULL);
1602	assert(m != NULL);	1598	assert(m != NULL);
Lines 1604-1610 int message_tell(struct transport *tp, c Link Here
1604	if (flags & SPAMC_USE_SSL) {	1600	if (flags & SPAMC_USE_SSL) {
1605	#ifdef SPAMC_SSL	1601	#ifdef SPAMC_SSL
1606	SSLeay_add_ssl_algorithms();	1602	SSLeay_add_ssl_algorithms();
1607	meth = SSLv3_client_method();	1603	meth = SSLv23_client_method();
1608	SSL_load_error_strings();	1604	SSL_load_error_strings();
1609	ctx = SSL_CTX_new(meth);	1605	ctx = SSL_CTX_new(meth);
1610	#else	1606	#else

Lines 368-383 read_args(int argc, char **argv, Link Here

(-)trunk/spamc/spamc.c (-10 / +5 lines)
368	case 'S':	368	case 'S':
369	{	369	{
370	flags \|= SPAMC_USE_SSL;	370	flags \|= SPAMC_USE_SSL;
371	if (!spamc_optarg \|\| (strcmp(spamc_optarg,"sslv3") == 0)) {	371	if(spamc_optarg) {
372	flags \|= SPAMC_SSLV3;	372	libspamc_log(flags, LOG_ERR,
373	}	373	"Explicit specification of an SSL/TLS version no longer supported.");
374	else if (strcmp(spamc_optarg,"tlsv1") == 0) {	374	ret = EX_USAGE;
375	flags \|= SPAMC_TLSV1;	375	}
376	}
377	else {
378	libspamc_log(flags, LOG_ERR, "Please specify a legal ssl version (%s)", spamc_optarg);
379	ret = EX_USAGE;
380	}
381	break;	376	break;
382	}	377	}
383	#endif	378	#endif

Lines 409-415 GetOptions( Link Here

(-)trunk/spamd/spamd.raw (-20 / +4 lines)
409	'sql-config!' => \$opt{'sql-config'},	409	'sql-config!' => \$opt{'sql-config'},
410	'ssl' => \$opt{'ssl'},	410	'ssl' => \$opt{'ssl'},
411	'ssl-port=s' => \$opt{'ssl-port'},	411	'ssl-port=s' => \$opt{'ssl-port'},
412	'ssl-version=s' => \$opt{'ssl-version'},
413	'syslog-socket=s' => \$opt{'syslog-socket'},	412	'syslog-socket=s' => \$opt{'syslog-socket'},
414	'syslog\|s=s' => \$opt{'syslog'},	413	'syslog\|s=s' => \$opt{'syslog'},
415	'log-timestamp-fmt:s' => \$opt{'log-timestamp-fmt'},	414	'log-timestamp-fmt:s' => \$opt{'log-timestamp-fmt'},
Lines 744-754 if ( defined $ENV{'HOME'} ) { Link Here
744		743
745	# Do whitelist later in tmp dir. Side effect: this will be done as -u user.	744	# Do whitelist later in tmp dir. Side effect: this will be done as -u user.
746		745
747	my $sslversion = $opt{'ssl-version'} \|\| 'sslv3';
748	if ($sslversion !~ /^(?:sslv3\|tlsv1)$/) {
749	die "spamd: invalid ssl-version: $opt{'ssl-version'}\n";
750	}
751
752	$opt{'server-key'} \|\|= "$LOCAL_RULES_DIR/certs/server-key.pem";	746	$opt{'server-key'} \|\|= "$LOCAL_RULES_DIR/certs/server-key.pem";
753	$opt{'server-cert'} \|\|= "$LOCAL_RULES_DIR/certs/server-cert.pem";	747	$opt{'server-cert'} \|\|= "$LOCAL_RULES_DIR/certs/server-cert.pem";
754		748
Lines 899-907 sub compose_listen_info_string { Link Here
899	$socket_info->{ip_addr}, $socket_info->{port}));	893	$socket_info->{ip_addr}, $socket_info->{port}));
900		894
901	} elsif ($socket->isa('IO::Socket::SSL')) {	895	} elsif ($socket->isa('IO::Socket::SSL')) {
902	push(@listeninfo, sprintf("SSL [%s]:%s, ssl version %s",	896	push(@listeninfo, sprintf("SSL [%r]:%s", $socket_info->{ip_addr},
903	$socket_info->{ip_addr}, $socket_info->{port},	897	$socket_info->{port}));
904	$opt{'ssl-version'}\|\|'sslv3'));
905	}	898	}
906	}	899	}
907		900
Lines 1072-1078 sub server_sock_setup_inet { Link Here
1072	$sockopt{V6Only} = 1 if $io_socket_module_name eq 'IO::Socket::IP'	1065	$sockopt{V6Only} = 1 if $io_socket_module_name eq 'IO::Socket::IP'
1073	&& IO::Socket::IP->VERSION >= 0.09;	1066	&& IO::Socket::IP->VERSION >= 0.09;
1074	%sockopt = (%sockopt, (	1067	%sockopt = (%sockopt, (
1075	SSL_version => $sslversion,
1076	SSL_verify_mode => 0x00,	1068	SSL_verify_mode => 0x00,
1077	SSL_key_file => $opt{'server-key'},	1069	SSL_key_file => $opt{'server-key'},
1078	SSL_cert_file => $opt{'server-cert'},	1070	SSL_cert_file => $opt{'server-cert'},
Lines 1093-1099 sub server_sock_setup_inet { Link Here
1093	if (!$server_inet) {	1085	if (!$server_inet) {
1094	$diag = sprintf("could not create %s socket on [%s]:%s: %s",	1086	$diag = sprintf("could not create %s socket on [%s]:%s: %s",
1095	$ssl ? 'IO::Socket::SSL' : $io_socket_module_name,	1087	$ssl ? 'IO::Socket::SSL' : $io_socket_module_name,
1096	$adr, $port, $!);	1088	$adr, $port, $ssl && $IO::Socket::SSL::SSL_ERROR ?
		1089	"$!,$IO::Socket::SSL::SSL_ERROR" : $!);
1097	push(@diag_fail, $diag);	1090	push(@diag_fail, $diag);
1098	} else {	1091	} else {
1099	$diag = sprintf("created %s socket on [%s]:%s",	1092	$diag = sprintf("created %s socket on [%s]:%s",
Lines 3238-3244 Options: Link Here
3238	-H [dir], --helper-home-dir[=dir] Specify a different HOME directory	3231	-H [dir], --helper-home-dir[=dir] Specify a different HOME directory
3239	--ssl Enable SSL on TCP connections	3232	--ssl Enable SSL on TCP connections
3240	--ssl-port port Override --port setting for SSL connections	3233	--ssl-port port Override --port setting for SSL connections
3241	--ssl-version sslversion Specify SSL protocol version to use
3242	--server-key keyfile Specify an SSL keyfile	3234	--server-key keyfile Specify an SSL keyfile
3243	--server-cert certfile Specify an SSL certificate	3235	--server-cert certfile Specify an SSL certificate
3244	--socketpath=path Listen on a given UNIX domain socket	3236	--socketpath=path Listen on a given UNIX domain socket
Lines 3727-3740 Optionally specifies the port number for Link Here
3727	SSL connections (default: whatever --port uses). See B<--ssl> for	3719	SSL connections (default: whatever --port uses). See B<--ssl> for
3728	more details.	3720	more details.
3729		3721
3730	=item B<--ssl-version>=I<sslversion>
3731
3732	Specify the SSL protocol version to use, one of B<sslv3> or B<tlsv1>.
3733	The default, B<sslv3>, is the most flexible, accepting a SSLv3 or
3734	higher hello handshake, then negotiating use of SSLv3 or TLSv1
3735	protocol if the client can accept it. Specifying B<--ssl-version>
3736	implies B<--ssl>.
3737
3738	=item B<--server-key> I<keyfile>	3722	=item B<--server-key> I<keyfile>
3739		3723
3740	Specify the SSL key file to use for SSL connections.	3724	Specify the SSL key file to use for SSL connections.

Lines 177-188 The default is 1 time (ie. one attempt a Link Here

(-)trunk/spamc/spamc.pod (-3 / +1 lines)
177	Sleep for I<sleep> seconds between failed spamd filtering attempts.	177	Sleep for I<sleep> seconds between failed spamd filtering attempts.
178	The default is 1 second.	178	The default is 1 second.
179		179
180	=item B<-S>, B<--ssl>, B<--ssl>=I<sslversion>	180	=item B<-S>, B<--ssl>, B<--ssl>
181		181
182	If spamc was built with support for SSL, encrypt data to and from the	182	If spamc was built with support for SSL, encrypt data to and from the
183	spamd process with SSL; spamd must support SSL as well.	183	spamd process with SSL; spamd must support SSL as well.
184	I<sslversion> specifies the SSL protocol version to use, either
185	C<sslv3>, or C<tlsv1>. The default, is C<sslv3>.
186		184
187	=item B<-t> I<timeout>, B<--timeout>=I<timeout>	185	=item B<-t> I<timeout>, B<--timeout>=I<timeout>
188		186

Lines 1-28 Link Here

(-)trunk/t/spamd_ssl_tls.t (-28 lines)
1	#!/usr/bin/perl
2
3	use lib '.'; use lib 't';
4	use SATest; sa_t_init("spamd_ssl_tls");
5	use Test; plan tests => (($SKIP_SPAMD_TESTS \|\| !$SSL_AVAILABLE) ? 0 : 9);
6
7	exit if ($SKIP_SPAMD_TESTS \|\| !$SSL_AVAILABLE);
8
9	# ---------------------------------------------------------------------------
10
11	%patterns = (
12
13	q{ Return-Path: sb55sb55@yahoo.com}, 'firstline',
14	q{ Subject: There yours for FREE!}, 'subj',
15	q{ X-Spam-Status: Yes, score=}, 'status',
16	q{ X-Spam-Flag: YES}, 'flag',
17	q{ X-Spam-Level: **********}, 'stars',
18	q{ TEST_ENDSNUMS}, 'endsinnums',
19	q{ TEST_NOREALNAME}, 'noreal',
20	q{ This must be the very last line}, 'lastline',
21
22
23	);
24
25	ok (sdrun ("-L --ssl --ssl-version=tlsv1 --server-key data/etc/testhost.key --server-cert data/etc/testhost.cert",
26	"--ssl=tlsv1 < data/spam/001",
27	\&patterns_run_cb));
28	ok_all_patterns();

Lines 1-28 Link Here

(-)trunk/t/spamd_ssl_v3.t (-28 lines)
1	#!/usr/bin/perl
2
3	use lib '.'; use lib 't';
4	use SATest; sa_t_init("spamd_sslv3");
5	use Test; plan tests => (($SKIP_SPAMD_TESTS \|\| !$SSL_AVAILABLE) ? 0 : 9);
6
7	exit if ($SKIP_SPAMD_TESTS \|\| !$SSL_AVAILABLE);
8
9	# ---------------------------------------------------------------------------
10
11	%patterns = (
12
13	q{ Return-Path: sb55sb55@yahoo.com}, 'firstline',
14	q{ Subject: There yours for FREE!}, 'subj',
15	q{ X-Spam-Status: Yes, score=}, 'status',
16	q{ X-Spam-Flag: YES}, 'flag',
17	q{ X-Spam-Level: **********}, 'stars',
18	q{ TEST_ENDSNUMS}, 'endsinnums',
19	q{ TEST_NOREALNAME}, 'noreal',
20	q{ This must be the very last line}, 'lastline',
21
22
23	);
24
25	ok (sdrun ("-L --ssl --ssl-version=sslv3 --server-key data/etc/testhost.key --server-cert data/etc/testhost.cert",
26	"--ssl=sslv3 < data/spam/001",
27	\&patterns_run_cb));
28	ok_all_patterns();