(void) close(fds[1]);
if ( (dup2(fds[0],0) == -1) || (dup2(fds[0],1) == -1) ) {
report(stderr, GT_("dup2 failed\n"));
- exit(1);
+ _exit(EXIT_FAILURE);
}
/* fds[0] is now connected to 0 and 1; close it */
(void) close(fds[0]);
argvec = parse_plugin(plugin,host,service);
execvp(*argvec, argvec);
report(stderr, GT_("execvp(%s) failed\n"), *argvec);
- exit(0);
+ _exit(EXIT_FAILURE);
break;
default: /* parent */
/* NOP */
}
#endif /* HAVE_SOCKETPAIR */
-#ifdef __UNUSED__
-
-int SockCheckOpen(int fd)
-/* poll given socket; is it selectable? */
-{
- fd_set r, w, e;
- int rt;
+static int setsocktimeout(int sock, int which, int timeout) {
struct timeval tv;
-
- for (;;)
- {
- FD_ZERO(&r); FD_ZERO(&w); FD_ZERO(&e);
- FD_SET(fd, &e);
-
- tv.tv_sec = 0; tv.tv_usec = 0;
- rt = select(fd+1, &r, &w, &e, &tv);
- if (rt == -1 && (errno != EAGAIN && errno != EINTR))
- return 0;
- if (rt != -1)
- return 1;
+ int rc;
+
+ tv.tv_sec = timeout;
+ tv.tv_usec = 0;
+ rc = setsockopt(sock, SOL_SOCKET, which, &tv, sizeof(tv));
+ if (rc) {
+ report(stderr, GT_("setsockopt(%d, SOL_SOCKET) failed: %s"), sock, strerror(errno));
}
+ return rc;
+}
+
+/** Configure socket options such as send/receive timeout at the socket
+ * level, to avoid network-induced stalls.
+ */
+int SockTimeout(int sock, int timeout)
+{
+ int err = 0;
+
+ if (setsocktimeout(sock, SO_RCVTIMEO, timeout)) err = 1;
+ if (setsocktimeout(sock, SO_SNDTIMEO, timeout)) err = 1;
+ return err;
}
-#endif /* __UNUSED__ */
int UnixOpen(const char *path)
{
/* OK... SSL_peek works a little different from MSG_PEEK
Problem is that SSL_peek can return 0 if there
is no data currently available. If, on the other
- hand, we loose the socket, we also get a zero, but
+ hand, we lose the socket, we also get a zero, but
the SSL_read then SEGFAULTS! To deal with this,
we'll check the error code any time we get a return
of zero from SSL_peek. If we have an error, we bail.
return _ssl_context[sock];
}
-/** A picky certificate name check:
- * check if the pattern or string in s1 (from a certificate) matches the
- * hostname (in s2), returns true if matched.
- *
- * The only place where a wildcard is allowed is in the leftmost
- * position of p1. */
-static int name_match(const char *p1, const char *p2) {
- const char *const dom = "0123456789.";
- int wildcard_ok = 1;
-
- /* blank patterns never match */
- if (p1[0] == '\0')
- return 0;
-
- /* disallow wildcards in certificates for domain literals
- * (10.9.8.7-like) */
- if (strspn(p1+(*p1 == '*' ? 1 : 0), dom) == strlen(p1))
- wildcard_ok = 0;
-
- /* disallow wildcards for domain literals */
- if (strspn(p2, dom) == strlen(p2))
- wildcard_ok = 0;
-
- if (wildcard_ok && p1[0] == '*' && p1[1] == '.') {
- size_t l1, l2;
-
- ++p1;
- l1 = strlen(p1);
- l2 = strlen(p2);
- if (l2 > l1)
- p2 += l2 - l1;
- }
-
- return (0 == strcasecmp(p1, p2));
-}
-
/* ok_return (preverify_ok) is 1 if this stage of certificate verification
passed, or 0 if it failed. This callback lets us display informative
errors, and perform additional validation (e.g. CN matches) */
for (j = 0, r = sk_GENERAL_NAME_num(gens); j < r; ++j) {
const GENERAL_NAME *gn = sk_GENERAL_NAME_value(gens, j);
if (gn->type == GEN_DNS) {
- char *p1 = (char *)gn->d.ia5->data;
- char *p2 = _ssl_server_cname;
+ char *pp1 = (char *)gn->d.ia5->data;
+ char *pp2 = _ssl_server_cname;
if (outlevel >= O_VERBOSE) {
- report(stdout, GT_("Subject Alternative Name: %s\n"), (tt = sdump(p1, (size_t)gn->d.ia5->length)));
+ report(stdout, GT_("Subject Alternative Name: %s\n"), (tt = sdump(pp1, (size_t)gn->d.ia5->length)));
xfree(tt);
}
/* Name contains embedded NUL characters, so we complain. This
* is likely a certificate spoofing attack. */
- if ((size_t)gn->d.ia5->length != strlen(p1)) {
+ if ((size_t)gn->d.ia5->length != strlen(pp1)) {
report(stderr, GT_("Bad certificate: Subject Alternative Name contains NUL, aborting!\n"));
sk_GENERAL_NAME_free(gens);
return 0;
}
- if (name_match(p1, p2)) {
+ if (name_match(pp1, pp2)) {
matched = 1;
}
}
/* Make sure a connection referring to an older context is not left */
_ssl_context[sock] = NULL;
if(myproto) {
- if(!strcasecmp("ssl2",myproto)) {
- _ctx[sock] = SSL_CTX_new(SSLv2_client_method());
- } else if(!strcasecmp("ssl3",myproto)) {
+ if(!strcasecmp("ssl3",myproto)) {
_ctx[sock] = SSL_CTX_new(SSLv3_client_method());
} else if(!strcasecmp("tls1",myproto)) {
_ctx[sock] = SSL_CTX_new(TLSv1_client_method());
} else if (!strcasecmp("ssl23",myproto)) {
myproto = NULL;
} else {
- fprintf(stderr,GT_("Invalid SSL protocol '%s' specified, using default (SSLv23).\n"), myproto);
+ fprintf(stderr,GT_("Invalid SSL protocol '%s' specified, using default (SSL23).\n"), myproto);
myproto = NULL;
}
}
return(-1);
}
- SSL_CTX_set_options(_ctx[sock], SSL_OP_ALL);
+ SSL_CTX_set_options(_ctx[sock], SSL_OP_ALL | SSL_OP_NO_SSLv2);
if (certck) {
SSL_CTX_set_verify(_ctx[sock], SSL_VERIFY_PEER, SSL_ck_verify_callback);
}
#endif
-#ifdef __UNUSED__
- /*
- * This hangs in RedHat 6.2 after fetchmail runs for a while a
- * FIN_WAIT2 comes up in netstat and fetchmail never returns from
- * the recv system call. (Reported from jtnews
- * <jtnews@bellatlantic.net>, Wed, 24 May 2000 21:26:02.)
- *
- * Half-close the connection first so the other end gets notified.
- *
- * This stops sends but allows receives (effectively, it sends a
- * TCP <FIN>). */
- if (shutdown(sock, 1) == 0) {
- char ch;
- /* If there is any data still waiting in the queue, discard it.
- * Call recv() until either it returns 0 (meaning we received a FIN)
- * or any error occurs. This makes sure all data sent by the other
- * side is acknowledged at the TCP level.
- */
- if (fm_peek(sock, &ch, 1) > 0)
- while (fm_read(sock, &ch, 1) > 0)
- continue;
- }
-#endif /* __UNUSED__ */
-
/* if there's an error closing at this point, not much we can do */
return(fm_close(sock)); /* this is guarded */
}
*/
static ssize_t cygwin_read(int sock, void *buf, size_t count)
{
- char *bp = buf;
+ char *bp = (char *)buf;
size_t n = 0;
if ((n = read(sock, bp, count)) == (size_t)-1)
projects / ~andy / fetchmail / blobdiff