From 44593728dbb10317a8ec0ca60e1ca7bbb8989d98 Mon Sep 17 00:00:00 2001
From: Sunil Nimmagadda
Date: Mon, 9 Jan 2017 15:30:35 +0500
Subject: Provide an option to specify cert/key on commandline.

While here, document new options and fix mandoc lint warnings.
---
 pop3d.8 | 16 ++++++++++------
 pop3d.c | 16 +++++++++++++---
 pop3d.h | 2 +-
 pop3e.c | 4 ++--
 ssl.c | 12 +++++-------
 ssl.h | 2 +-
 6 files changed, 32 insertions(+), 20 deletions(-)

diff --git a/pop3d.8 b/pop3d.8
index 344316c..d43a7ee 100644
--- a/pop3d.8
+++ b/pop3d.8
@@ -20,7 +20,9 @@
 .Nd Post Office Protocol (POP3) daemon.
 .Sh SYNOPSIS
 .Nm
+.Op Fl c Ar certfile
 .Op Fl d
+.Op Fl k Ar keyfile
 .Op Fl p Ar path
 .Op Fl t Ar type
 .Sh DESCRIPTION
@@ -34,13 +36,17 @@ behalf of its remote users.
 .Pp
 The options are as follows:
 .Bl -tag -width Ds
+.It Fl c Ar certfile
+Specify the certificate file. Defaults to /etc/ssl/server.crt.
 .It Fl d
 Do not daemonize. If this option is specified,
 .Nm
 will run in foreground and log to
 .Em stderr .
+.It Fl k Ar keyfile
+Specify the key file. Defaults to /etc/ssl/private.key.
 .It Fl p
-Path to the maildrop. Defaults to /var/mail/%u in case of mbox and
+Path to the maildrop. Defaults to /var/mail/%u in case of mbox and
 ~/Maildir in case of maildir.
 .Nm
 expands '~' to user's home dir
@@ -49,14 +55,11 @@ and '%u' to user's name if specified in the path.
 Specify maildrop type. Options are mbox and maildir. Defaults to mbox.
 .El
 .Sh FILES
-.Bl -tag -width "/etc/ssl/private/server.key" -compact
+.Bl -tag -width Ds -compact
 .It Pa ~/maildir
 .It Pa /var/mail/%u
 User maildrops
-.Pp
-.It /etc/ssl/server.crt
-.It /etc/ssl/private/server.key
-Location of SSL certificate and key
+.El
 .Sh SEE ALSO
 .Xr smtpd 8 ,
 .Xr ssl 8
@@ -82,5 +85,6 @@ Location of SSL certificate and key
 .%A M. Yevstifeyev
 .%D August 2011
 .%R draft-melnikov-pop3-over-tls-02
+.Re
 .Sh CAVEATS
 POP3 authenticates using cleartext passwords on 110(POP3) port.
diff --git a/pop3d.c b/pop3d.c
index f16b0cd..e24f24b 100644
--- a/pop3d.c
+++ b/pop3d.c
@@ -38,6 +38,8 @@
 #define MBOX_PATH "/var/mail/%u"
 #define MAILDIR_PATH "~/Maildir"
 #define POP3D_USER "_pop3d"
+#define CERTFILE "/etc/ssl/server.crt"
+#define KEYFILE "/etc/ssl/private/server.key"
 
 static void authenticate(struct imsgev *, struct imsg *);
 static void pop3e_imsgev(struct imsgev *, int , struct imsg *);
@@ -56,13 +58,20 @@ main(int argc, char *argv[])
 struct passwd *pw;
 struct event ev_sigint, ev_sigterm, ev_sighup, ev_sigchld;
 const char *path = NULL, *mtype_str = "mbox";
+ const char *cert = CERTFILE, *key = KEYFILE;
 int ch, d = 0, pair[2];
 
- while ((ch = getopt(argc, argv, "dp:t:")) != -1) {
+ while ((ch = getopt(argc, argv, "c:dk:p:t:")) != -1) {
 switch (ch) {
+ case 'c':
+ cert = optarg;
+ break;
 case 'd':
 d = 1;
 break;
+ case 'k':
+ key = optarg;
+ break;
 case 'p':
 path = optarg;
 break;
@@ -101,7 +110,7 @@ main(int argc, char *argv[])
 if ((pw = getpwnam(POP3D_USER)) == NULL)
 fatalx("main: getpwnam " POP3D_USER);
 
- pop3_main(pair, pw);
+ pop3_main(pair, pw, cert, key);
 close(pair[1]);
 setproctitle("[priv]");
 logit(LOG_INFO, "pop3d ready; type:%s, path:%s", mtype_str, mpath);
@@ -233,7 +242,8 @@ usage(void)
 {
 extern char *__progname;
 
- fprintf(stderr, "usage: %s [-d] [-p path] [-t type]\n", __progname);
+ fprintf(stderr, "usage: %s [-c certfile] [-d] "
+ "[-k keyfile] [-p path] [-t type]\n", __progname);
 exit(EXIT_FAILURE);
 }
 
diff --git a/pop3d.h b/pop3d.h
index 7e3b47f..cbe9f9b 100644
--- a/pop3d.h
+++ b/pop3d.h
@@ -143,7 +143,7 @@ struct session {
 };
 
 /* pop3e.c */
-void pop3_main(int [2], struct passwd *);
+void pop3_main(int [2], struct passwd *, const char *, const char *);
 
 /* session.c */
 void session_init(struct listener *, int, const struct sockaddr_storage *);
diff --git a/pop3e.c b/pop3e.c
index 1bd8635..88e3c33 100644
--- a/pop3e.c
+++ b/pop3e.c
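Review bot: The default added here, `#define KEYFILE "/etc/ssl/private/server.key"`, does not match what the pop3d.8 hunk in this same commit documents for -k, which states the key defaults to /etc/ssl/private.key; one of the two should change so the manual names the path the daemon actually opens. The certificate default and its documentation do agree. Since the defines now live in pop3d.c and ssl.c only receives the paths, the manual is the only other place the defaults appear, so an operator debugging a startup failure with the default paths would be pointed at the wrong file.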
@@ -48,7 +48,7 @@ struct imsgev iev_pop3d;
 void *ssl_ctx;
 
 void
-pop3_main(int pair[2], struct passwd *pw)
+pop3_main(int pair[2], struct passwd *pw, const char *cert, const char *key)
 {
 extern struct session_tree sessions;
 struct event ev_sigint, ev_sigterm;
@@ -73,7 +73,7 @@ pop3_main(int pair[2], struct passwd *pw)
 
 pop3_listen("pop3");
 ssl_init();
- if ((ssl_ctx = ssl_setup()) == NULL)
+ if ((ssl_ctx = ssl_setup(cert, key)) == NULL)
 fatal("ssl_setup failed");
 
 pop3_listen("pop3s");
diff --git a/ssl.c b/ssl.c
index fce300f..9d1af2a 100644
--- a/ssl.c
+++ b/ssl.c
@@ -33,8 +33,6 @@
 
 #define SSL_CIPHERS "HIGH"
 #define SSL_SESSION_TIMEOUT 300
-#define CERTFILE "/etc/ssl/server.crt"
-#define KEYFILE "/etc/ssl/private/server.key"
 
 static char *ssl_load_file(const char *, off_t *);
 
@@ -52,7 +50,7 @@ ssl_init(void)
 }
 
 void *
-ssl_setup(void)
+ssl_setup(const char *certfile, const char *keyfile)
 {
 SSL_CTX *ctx = NULL;
 char *cert, *key;
@@ -73,13 +71,13 @@ ssl_setup(void)
 SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
 
 /* SSL certificate, key loading */
- cert = ssl_load_file(CERTFILE, &cert_len);
+ cert = ssl_load_file(certfile, &cert_len);
 if (cert == NULL)
- fatal("ssl_load_file: Unable to load " CERTFILE);
+ fatal("ssl_load_file: certificate");
 
- key = ssl_load_file(KEYFILE, &key_len);
+ key = ssl_load_file(keyfile, &key_len);
 if (key == NULL)
- fatal("ssl_load_file: Unable to load " KEYFILE);
+ fatal("ssl_load_file: key");
 
 if (!SSL_CTX_set_cipher_list(ctx, SSL_CIPHERS))
 goto err;
diff --git a/ssl.h b/ssl.h
index b52d626..3da7b6f 100644
--- a/ssl.h
+++ b/ssl.h
@@ -2,7 +2,7 @@
 
 /* ssl.c */
 void ssl_init(void);
-void *ssl_setup(void);
+void *ssl_setup(const char *, const char *);
 void *pop3s_init(SSL_CTX *, int);
 void ssl_error(const char *);
 
--
cgit v1.2.3
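Review bot: The new messages `fatal("ssl_load_file: certificate")` and `fatal("ssl_load_file: key")` drop the path that the old messages embedded via CERTFILE and KEYFILE, so a startup failure caused by a mistyped -c or -k argument no longer reports which file could not be loaded. If fatal() accepts printf-style arguments in this tree, `fatal("ssl_load_file: %s", certfile)` and `fatal("ssl_load_file: %s", keyfile)` restore that; otherwise a `logit(LOG_ERR, "ssl_load_file: %s", certfile);` immediately before each fatal() does the same, since logit() is visibly format-capable in the pop3d.c hunk. Only the path is logged, which is what an operator needs and reveals nothing about the key itself. ssl_setup's body starts and ends outside this hunk.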
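Review bot: `void *ssl_setup(const char *, const char *);` declares two adjacent parameters of the same type, so a caller that swaps certificate and key paths compiles cleanly and fails only at runtime with a generic load error; naming them, `void *ssl_setup(const char *certfile, const char *keyfile);`, records the order where callers look it up. The same applies to the pop3_main prototype in the pop3d.h hunk, whose two trailing `const char *` parameters are likewise unnamed. The surrounding declarations in ssl.h omit parameter names, so if that convention is to be kept, a one-line comment above the prototype stating the argument order would serve instead.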