
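--- a/spamc/libspamc.c
+++ b/spamc/libspamc.c
@@ -1187,7 +1187,7 @@ int message_filter(struct transport *tp,
     unsigned int throwaway;
     SSL_CTX *ctx = NULL;
     SSL *ssl = NULL;
-    SSL_METHOD *meth;
+    const SSL_METHOD *meth;
     char zlib_on = 0;
     unsigned char *zlib_buf = NULL;
     int zlib_bufsiz = 0;
@@ -1213,11 +1213,7 @@ int message_filter(struct transport *tp,
     if (flags & SPAMC_USE_SSL) {
 #ifdef SPAMC_SSL
 	SSLeay_add_ssl_algorithms();
-	if (flags & SPAMC_TLSV1) {
-	    meth = TLSv1_client_method();
-	} else {
-	    meth = SSLv3_client_method(); /* default */
-	}
+	meth = SSLv23_client_method();
 	SSL_load_error_strings();
 	ctx = SSL_CTX_new(meth);
 #else
@@ -1596,7 +1592,7 @@ int message_tell(struct transport *tp, c
     int failureval;
     SSL_CTX *ctx = NULL;
     SSL *ssl = NULL;
-    SSL_METHOD *meth;
+    const SSL_METHOD *meth;
 
     assert(tp != NULL);
     assert(m != NULL);
@@ -1604,7 +1600,7 @@ int message_tell(struct transport *tp, c
     if (flags & SPAMC_USE_SSL) {
 #ifdef SPAMC_SSL
 	SSLeay_add_ssl_algorithms();
-	meth = SSLv3_client_method();
+	meth = SSLv23_client_method();
 	SSL_load_error_strings();
 	ctx = SSL_CTX_new(meth);
 #else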
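Review bot: Switching both message_filter and message_tell to SSLv23_client_method() removes the only version pinning the client had, and the hunks add no SSL_CTX_set_options call, so on OpenSSL builds that still ship SSLv2/SSLv3 the negotiation can fall back to those protocols instead of merely "up to the newest TLS". Right after `ctx = SSL_CTX_new(meth);` in both functions, add `SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);` (guarded by a NULL check on ctx if the code below the hunk does not already do one — that part is outside this view). Whether the resulting SSL object verifies the server certificate is also not visible here; if it does not, a comment at the SSL_CTX_new line saying so would help the next reader. Both enclosing functions continue past the end of these hunks.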
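--- a/spamc/spamc.c
+++ b/spamc/spamc.c
@@ -368,16 +368,11 @@ read_args(int argc, char **argv,
             case 'S':
             {
                 flags |= SPAMC_USE_SSL;
-		if (!spamc_optarg || (strcmp(spamc_optarg,"sslv3") == 0)) {
-		    flags |= SPAMC_SSLV3;
-		}
-		else if (strcmp(spamc_optarg,"tlsv1") == 0) {
-		    flags |= SPAMC_TLSV1;
-		}
-		else {
-		    libspamc_log(flags, LOG_ERR, "Please specify a legal ssl version (%s)", spamc_optarg);
-		    ret = EX_USAGE;
-		}
+                if(spamc_optarg) {
+                    libspamc_log(flags, LOG_ERR,
+                        "Explicit specification of an SSL/TLS version no longer supported.");
+                    ret = EX_USAGE;
+                }
                 break;
             }
 #endif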
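Review bot: The new `if(spamc_optarg)` branch turns `--ssl=tlsv1`, which was a valid and arguably the safer choice until this change, into a hard EX_USAGE failure, so every wrapper script or MTA integration that passed it stops working instead of quietly getting the new default; since the version argument is now ignored anyway, logging at LOG_WARNING and continuing (not setting `ret`) would be the backward-compatible behaviour, with the hard error reserved for values that were never legal. The message also drops the offending value that the old one printed; `"Explicit specification of an SSL/TLS version no longer supported (%s)", spamc_optarg` keeps that diagnostic. Minor style point: the file writes `if (` with a space elsewhere in this hunk. If SPAMC_SSLV3 and SPAMC_TLSV1 remain defined in the public header, they are now set by nothing visible here and should be documented as accepted-but-ignored. read_args continues outside this hunk.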
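--- a/spamd/spamd.raw
+++ b/spamd/spamd.raw
@@ -409,7 +409,6 @@ GetOptions(
   'sql-config!'              => \$opt{'sql-config'},
   'ssl'                      => \$opt{'ssl'},
   'ssl-port=s'               => \$opt{'ssl-port'},
-  'ssl-version=s'            => \$opt{'ssl-version'},
   'syslog-socket=s'          => \$opt{'syslog-socket'},
   'syslog|s=s'               => \$opt{'syslog'},
   'log-timestamp-fmt:s'      => \$opt{'log-timestamp-fmt'},
@@ -743,11 +742,6 @@ if ( defined $ENV{'HOME'} ) {
 
 # Do whitelist later in tmp dir. Side effect: this will be done as -u user.
 
-my $sslversion = $opt{'ssl-version'} || 'sslv3';
-if ($sslversion !~ /^(?:sslv3|tlsv1)$/) {
-  die "spamd: invalid ssl-version: $opt{'ssl-version'}\n";
-}
-
 $opt{'server-key'}  ||= "$LOCAL_RULES_DIR/certs/server-key.pem";
 $opt{'server-cert'} ||= "$LOCAL_RULES_DIR/certs/server-cert.pem";
 
@@ -898,9 +892,8 @@ sub compose_listen_info_string {
                       $socket_info->{ip_addr}, $socket_info->{port}));
 
     } elsif ($socket->isa('IO::Socket::SSL')) {
-      push(@listeninfo, sprintf("SSL [%s]:%s, ssl version %s",
-                      $socket_info->{ip_addr}, $socket_info->{port},
-                      $opt{'ssl-version'}||'sslv3'));
+      push(@listeninfo, sprintf("SSL [%r]:%s", $socket_info->{ip_addr},
+                      $socket_info->{port}));
     }
   }
 
@@ -1071,7 +1064,6 @@ sub server_sock_setup_inet {
     $sockopt{V6Only} = 1  if $io_socket_module_name eq 'IO::Socket::IP'
                              && IO::Socket::IP->VERSION >= 0.09;
     %sockopt = (%sockopt, (
-      SSL_version     => $sslversion,
       SSL_verify_mode => 0x00,
       SSL_key_file    => $opt{'server-key'},
       SSL_cert_file   => $opt{'server-cert'},
@@ -1092,7 +1084,8 @@ sub server_sock_setup_inet {
     if (!$server_inet) {
       $diag = sprintf("could not create %s socket on [%s]:%s: %s",
                       $ssl ? 'IO::Socket::SSL' : $io_socket_module_name,
-                      $adr, $port, $!);
+                      $adr, $port, $ssl && $IO::Socket::SSL::SSL_ERROR ?
+                      "$!,$IO::Socket::SSL::SSL_ERROR" : $!);
       push(@diag_fail, $diag);
     } else {
       $diag = sprintf("created %s socket on [%s]:%s",
@@ -3232,7 +3225,6 @@ Options:
  -H [dir], --helper-home-dir[=dir] Specify a different HOME directory
  --ssl                             Enable SSL on TCP connections
  --ssl-port port                   Override --port setting for SSL connections
- --ssl-version sslversion          Specify SSL protocol version to use
  --server-key keyfile              Specify an SSL keyfile
  --server-cert certfile            Specify an SSL certificate
  --socketpath=path                 Listen on a given UNIX domain socket
@@ -3720,14 +3712,6 @@ Optionally specifies the port number for
 SSL connections (default: whatever --port uses).  See B<--ssl> for
 more details.
 
-=item B<--ssl-version>=I<sslversion>
-
-Specify the SSL protocol version to use, one of B<sslv3> or B<tlsv1>.
-The default, B<sslv3>, is the most flexible, accepting a SSLv3 or
-higher hello handshake, then negotiating use of SSLv3 or TLSv1
-protocol if the client can accept it.  Specifying B<--ssl-version>
-implies B<--ssl>.
-
 =item B<--server-key> I<keyfile>
 
 Specify the SSL key file to use for SSL connections.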
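Review bot: The rewritten push in compose_listen_info_string uses `sprintf("SSL [%r]:%s", ...)`, and Perl's sprintf has no `%r` conversion — it emits an "Invalid conversion" warning and leaves the text literal, so the listen-info line loses the bound address; the format should read `sprintf("SSL [%s]:%s", $socket_info->{ip_addr},` (the old line had `%s`, so this looks like a transcription slip). In server_sock_setup_inet, dropping `SSL_version => $sslversion` hands protocol selection entirely to IO::Socket::SSL's default, which on older module/OpenSSL combinations still admits SSLv3; if the intent is "TLS only", an explicit `SSL_version => 'SSLv23:!SSLv2:!SSLv3',` in the same hash makes that intent visible and survives library defaults changing underneath — confirm the syntax against the IO::Socket::SSL version the project requires. `SSL_verify_mode => 0x00` is pre-existing and untouched, but a one-line comment saying that client certificates are deliberately not verified would spare the next reader from wondering whether the version cleanup forgot it. Both subs extend beyond these hunks.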
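--- a/spamc/spamc.pod
+++ b/spamc/spamc.pod
@@ -177,12 +177,10 @@ The default is 1 time (ie. one attempt a
 Sleep for I<sleep> seconds between failed spamd filtering attempts.
 The default is 1 second.
 
-=item B<-S>, B<--ssl>, B<--ssl>=I<sslversion>
+=item B<-S>, B<--ssl>, B<--ssl>
 
 If spamc was built with support for SSL, encrypt data to and from the
 spamd process with SSL; spamd must support SSL as well.
-I<sslversion> specifies the SSL protocol version to use, either
-C<sslv3>, or C<tlsv1>. The default, is C<sslv3>.
 
 =item B<-t> I<timeout>, B<--timeout>=I<timeout>
 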
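--- a/t/spamd_ssl_tls.t
+++ b/t/spamd_ssl_tls.t
@@ -1,28 +0,0 @@
-#!/usr/bin/perl
-
-use lib '.'; use lib 't';
-use SATest; sa_t_init("spamd_ssl_tls");
-use Test; plan tests => (($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE) ? 0 : 9);
-
-exit if ($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE);
-
-# ---------------------------------------------------------------------------
-
-%patterns = (
-
-q{ Return-Path: sb55sb55@yahoo.com}, 'firstline',
-q{ Subject: There yours for FREE!}, 'subj',
-q{ X-Spam-Status: Yes, score=}, 'status',
-q{ X-Spam-Flag: YES}, 'flag',
-q{ X-Spam-Level: **********}, 'stars',
-q{ TEST_ENDSNUMS}, 'endsinnums',
-q{ TEST_NOREALNAME}, 'noreal',
-q{ This must be the very last line}, 'lastline',
-
-
-);
-
-ok (sdrun ("-L --ssl --ssl-version=tlsv1 --server-key data/etc/testhost.key --server-cert data/etc/testhost.cert",
-           "--ssl=tlsv1 < data/spam/001",
-           \&patterns_run_cb));
-ok_all_patterns();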
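--- a/t/spamd_ssl_v3.t
+++ b/t/spamd_ssl_v3.t
@@ -1,28 +0,0 @@
-#!/usr/bin/perl
-
-use lib '.'; use lib 't';
-use SATest; sa_t_init("spamd_sslv3");
-use Test; plan tests => (($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE) ? 0 : 9);
-
-exit if ($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE);
-
-# ---------------------------------------------------------------------------
-
-%patterns = (
-
-q{ Return-Path: sb55sb55@yahoo.com}, 'firstline',
-q{ Subject: There yours for FREE!}, 'subj',
-q{ X-Spam-Status: Yes, score=}, 'status',
-q{ X-Spam-Flag: YES}, 'flag',
-q{ X-Spam-Level: **********}, 'stars',
-q{ TEST_ENDSNUMS}, 'endsinnums',
-q{ TEST_NOREALNAME}, 'noreal',
-q{ This must be the very last line}, 'lastline',
-
-
-);
-
-ok (sdrun ("-L --ssl --ssl-version=sslv3 --server-key data/etc/testhost.key --server-cert data/etc/testhost.cert",
-           "--ssl=sslv3 < data/spam/001",
-           \&patterns_run_cb));
-ok_all_patterns();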
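--- a/t/spamd_ssl_accept_fail.t
+++ b/t/spamd_ssl_accept_fail.t
@@ -23,9 +23,9 @@ q{ This must be the very last line}, 'la
 
 );
 
-ok (start_spamd ("-L --ssl --ssl-version=sslv3 --server-key data/etc/testhost.key --server-cert data/etc/testhost.cert"));
+ok (start_spamd ("-L --ssl --server-key data/etc/testhost.key --server-cert data/etc/testhost.cert"));
 ok (spamcrun ("< data/spam/001", \&patterns_run_cb));
-ok (spamcrun ("--ssl=sslv3  < data/spam/001", \&patterns_run_cb));
+ok (spamcrun ("--ssl < data/spam/001", \&patterns_run_cb));
 ok (stop_spamd ());
 
 ok_all_patterns();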
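--- a/t/spamd_ssl.t
+++ b/t/spamd_ssl.t
@@ -2,10 +2,7 @@
 
 use lib '.'; use lib 't';
 use SATest; sa_t_init("spamd_ssl");
-use Test; plan tests => (($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE) ? 0 : 9),
-    onfail => sub {
-	warn "\n\nNote: This may not be a SpamAssassin bug, as some platforms require that you" .
-	    "\nspecify a protocol in spamc --ssl option, and possibly in spamd --ssl-version.\n\n" };
+use Test; plan tests => (($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE) ? 0 : 9);
 
 exit if ($SKIP_SPAMD_TESTS || !$SSL_AVAILABLE);
 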
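Review bot: With spamd_ssl_tls.t and spamd_ssl_v3.t deleted elsewhere in this patch, this file and spamd_ssl_accept_fail.t are the only remaining SSL round-trips, and neither asserts anything about which protocol was negotiated, so a regression that lets the client and server settle on SSLv3 would still pass. A single check that the handshake completed with a TLS version — for example by having spamd log the negotiated protocol and matching it in %patterns, or by starting spamd with an SSL_version setting that excludes SSLv3 and expecting success — would give the version cleanup a test that can fail. The rest of the test body is outside this hunk.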
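--- a/MANIFEST
+++ b/MANIFEST
@@ -511,8 +511,6 @@ t/spamd_report_ifspam.t
 t/spamd_sql_prefs.t
 t/spamd_ssl.t
 t/spamd_ssl_accept_fail.t
-t/spamd_ssl_tls.t
-t/spamd_ssl_v3.t
 t/spamd_stop.t
 t/spamd_symbols.t
 t/spamd_syslog.t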
