Start the ssl stream off in non-ssl mode (useful for STARTTLS).

2002-03-05  Jeffrey Stedfast  <fejj@ximian.com>

	* camel-tcp-stream-openssl.c (camel_tcp_stream_openssl_new_raw):
	Start the ssl stream off in non-ssl mode (useful for STARTTLS).
	(camel_tcp_stream_openssl_enable_ssl): New function to toggle an
	ssl stream into ssl mode.
	(open_ssl_connection): Close the sockfd on fail so our caller
	doesn't have to - this also allows us to save the original errno.
	(stream_connect): If we want ssl mode, do our ssl stuff.
	(camel_tcp_stream_openssl_class_init): Init some SSL stuff here
	instead of in open_ssl_connection since these only ever need to be
	called once.
	(stream_read): Only use SSL_read if we are in ssl mode.
	(stream_write): Only use SSL_write if we are in ssl mode.

	* providers/smtp/camel-smtp-transport.c (smtp_helo): Check for the
	STARTTLS extension.
	(connect_to_server): Try to use STARTTLS whenever possible rather
	than the old way of doing things.
	(connect_to_server_wrapper): Wrapper around connect_to_server() to
	first try STARTTLS and then attempt normal SSL mode if we can't
	connect via STARTTLS.

	* camel-tcp-stream-ssl.c (camel_tcp_stream_ssl_enable_ssl): New
	function to toggle an ssl stream into ssl mode.
	(camel_tcp_stream_ssl_new_raw): Start the ssl stream off in
	non-ssl mode (useful for STARTTLS).
	(stream_connect): Only connect in SSL mode if required.

svn path=/trunk/; revision=15937

1 files changed, 120 insertions, 16 deletions

diff --git a/camel/camel-tcp-stream-ssl.c b/camel/camel-tcp-stream-ssl.c
index 50c4684980..9b467b3463 100644
--- a/camel/camel-tcp-stream-ssl.c
+++ b/camel/camel-tcp-stream-ssl.c
@@ -60,6 +60,8 @@ static ssize_t stream_write (CamelStream *stream, const char *buffer, size_t n);
 static int stream_flush  (CamelStream *stream);
 static int stream_close  (CamelStream *stream);
 
+static PRFileDesc *enable_ssl (CamelTcpStreamSSL *ssl, PRFileDesc *fd);
+
 static int stream_connect    (CamelTcpStream *stream, struct hostent *host, int port);
 static int stream_getsockopt (CamelTcpStream *stream, CamelSockOptData *data);
 static int stream_setsockopt (CamelTcpStream *stream, const CamelSockOptData *data);
@@ -70,6 +72,7 @@ struct _CamelTcpStreamSSLPrivate {
 	
 	CamelService *service;
 	char *expected_host;
+	gboolean ssl_mode;
 };
 
 static void
@@ -135,6 +138,7 @@ camel_tcp_stream_ssl_get_type (void)
 	return type;
 }
 
+
 /**
  * camel_tcp_stream_ssl_new:
  * @service: camel service
@@ -144,7 +148,7 @@ camel_tcp_stream_ssl_get_type (void)
  * user, a CamelService is needed. @expected_host is needed as a
  * protection against an MITM attack.
  *
- * Return value: a tcp stream
+ * Return value: a ssl stream (in ssl mode)
  **/
 CamelStream *
 camel_tcp_stream_ssl_new (CamelService *service, const char *expected_host)
@@ -155,10 +159,38 @@ camel_tcp_stream_ssl_new (CamelService *service, const char *expected_host)
 	
 	stream->priv->service = service;
 	stream->priv->expected_host = g_strdup (expected_host);
+	stream->priv->ssl_mode = TRUE;
 	
 	return CAMEL_STREAM (stream);
 }
 
+
+/**
+ * camel_tcp_stream_ssl_new_raw:
+ * @service: camel service
+ * @expected_host: host that the stream is expected to connect with.
+ *
+ * Since the SSL certificate authenticator may need to prompt the
+ * user, a CamelService is needed. @expected_host is needed as a
+ * protection against an MITM attack.
+ *
+ * Return value: a ssl-capable stream (in non ssl mode)
+ **/
+CamelStream *
+camel_tcp_stream_ssl_new_raw (CamelService *service, const char *expected_host)
+{
+	CamelTcpStreamSSL *stream;
+	
+	stream = CAMEL_TCP_STREAM_SSL (camel_object_new (camel_tcp_stream_ssl_get_type ()));
+	
+	stream->priv->service = service;
+	stream->priv->expected_host = g_strdup (expected_host);
+	stream->priv->ssl_mode = FALSE;
+	
+	return CAMEL_STREAM (stream);
+}
+
+
 static void
 set_errno (int code)
 {
@@ -181,6 +213,45 @@ set_errno (int code)
 	}
 }
 
+
+/**
+ * camel_tcp_stream_ssl_enable_ssl:
+ * @ssl: ssl stream
+ *
+ * Toggles an ssl-capable stream into ssl mode (if it isn't already).
+ *
+ * Returns 0 on success or -1 on fail.
+ **/
+int
+camel_tcp_stream_ssl_enable_ssl (CamelTcpStreamSSL *ssl)
+{
+	PRFileDesc *fd;
+	
+	g_return_val_if_fail (CAMEL_IS_TCP_STREAM_SSL (ssl), -1);
+	
+	if (ssl->priv->sockfd && !ssl->priv->ssl_mode) {
+		fd = enable_ssl (ssl, NULL);
+		if (fd == NULL) {
+			int errnosave;
+			
+			set_errno (PR_GetError ());
+			errnosave = errno;
+			errno = errnosave;
+			
+			return -1;
+		}
+		
+		SSL_ResetHandshake (fd, FALSE);
+		
+		ssl->priv->sockfd = fd;
+	}
+	
+	ssl->priv->ssl_mode = TRUE;
+	
+	return 0;
+}
+
+
 static ssize_t
 stream_read (CamelStream *stream, char *buffer, size_t n)
 {
@@ -486,13 +557,34 @@ ssl_bad_cert (void *data, PRFileDesc *sockfd)
 	return SECFailure;
 }
 
+static PRFileDesc *
+enable_ssl (CamelTcpStreamSSL *ssl, PRFileDesc *fd)
+{
+	PRFileDesc *ssl_fd;
+	
+	ssl_fd = SSL_ImportFD (NULL, fd ? fd : ssl->priv->sockfd);
+	if (!ssl_fd)
+		return NULL;
+	
+	SSL_OptionSet (ssl_fd, SSL_SECURITY, PR_TRUE);
+	SSL_SetURL (ssl_fd, ssl->priv->expected_host);
+	
+	/*SSL_GetClientAuthDataHook (sslSocket, ssl_get_client_auth, (void *) certNickname);*/
+	/*SSL_AuthCertificateHook (ssl_fd, ssl_auth_cert, (void *) CERT_GetDefaultCertDB ());*/
+	SSL_BadCertHook (ssl_fd, ssl_bad_cert, ssl);
+	
+	ssl->priv->ssl_mode = TRUE;
+	
+	return ssl_fd;
+}
+
 static int
 stream_connect (CamelTcpStream *stream, struct hostent *host, int port)
 {
 	CamelTcpStreamSSL *ssl = CAMEL_TCP_STREAM_SSL (stream);
 	PRIntervalTime timeout = PR_INTERVAL_MIN;
 	PRNetAddr netaddr;
-	PRFileDesc *fd, *ssl_fd;
+	PRFileDesc *fd;
 	
 	g_return_val_if_fail (host != NULL, -1);
 	
@@ -505,30 +597,42 @@ stream_connect (CamelTcpStream *stream, struct hostent *host, int port)
 	}
 	
 	fd = PR_OpenTCPSocket (host->h_addrtype);
-	ssl_fd = SSL_ImportFD (NULL, fd);
-	
-	SSL_OptionSet (ssl_fd, SSL_SECURITY, PR_TRUE);
-	SSL_SetURL (ssl_fd, ssl->priv->expected_host);
+	if (fd == NULL) {
+		set_errno (PR_GetError ());
+		return -1;
+	}
 	
-	if (ssl_fd == NULL || PR_Connect (ssl_fd, &netaddr, timeout) == PR_FAILURE) {
-		if (ssl_fd != NULL) {
+	if (ssl->priv->ssl_mode) {
+		PRFileDesc *ssl_fd;
+		
+		ssl_fd = enable_ssl (ssl, fd);
+		if (ssl_fd == NULL) {
 			int errnosave;
 			
 			set_errno (PR_GetError ());
 			errnosave = errno;
-			PR_Close (ssl_fd);
+			PR_Close (fd);
 			errno = errnosave;
-		} else
-			errno = EINVAL;
+			
+			return -1;
+		}
 		
-		return -1;
+		fd = ssl_fd;
 	}
 	
-	/*SSL_GetClientAuthDataHook (sslSocket, ssl_get_client_auth, (void *) certNickname);*/
-	/*SSL_AuthCertificateHook (ssl_fd, ssl_auth_cert, (void *) CERT_GetDefaultCertDB ());*/
-	SSL_BadCertHook (ssl_fd, ssl_bad_cert, ssl);
+	if (PR_Connect (fd, &netaddr, timeout) == PR_FAILURE) {
+		int errnosave;
+		
+		set_errno (PR_GetError ());
+		errnosave = errno;
+		PR_Close (fd);
+		ssl->priv->sockfd = NULL;
+		errno = errnosave;
+		
+		return -1;
+	}
 	
-	ssl->priv->sockfd = ssl_fd;
+	ssl->priv->sockfd = fd;
 	
 	return 0;
 }