X-Git-Url: http://pileus.org/git/?a=blobdiff_plain;f=socket.c;h=3e4a3acd68390b721a72597e020704f709519ab7;hb=5b0e1fdef9c55b9c8a54f5c146fc84dab3b82e63;hp=5573b4eef2b9cafdea3f6eba6c21ebd8e9c22a5d;hpb=c7abefc668b1351ded4a58b93f78e84c62be1684;p=~andy%2Ffetchmail

diff --git a/socket.c b/socket.c
index 5573b4ee..3e4a3acd 100644
--- a/socket.c
+++ b/socket.c
@@ -200,31 +200,6 @@ static int handle_plugin(const char *host,
 }
 #endif /* HAVE_SOCKETPAIR */
 
-static int setsocktimeout(int sock, int which, int timeout) {
-    struct timeval tv;
-    int rc;
-
-    tv.tv_sec = timeout;
-    tv.tv_usec = 0;
-    rc = setsockopt(sock, SOL_SOCKET, which, &tv, sizeof(tv));
-    if (rc) {
-	report(stderr, GT_("setsockopt(%d, SOL_SOCKET) failed: %s"), sock, strerror(errno));
-    }
-    return rc;
-}
-
-/** Configure socket options such as send/receive timeout at the socket
- * level, to avoid network-induced stalls.
- */
-int SockTimeout(int sock, int timeout)
-{
-    int err = 0;
-
-    if (setsocktimeout(sock, SO_RCVTIMEO, timeout)) err = 1;
-    if (setsocktimeout(sock, SO_SNDTIMEO, timeout)) err = 1;
-    return err;
-}
-
 /** Set socket to SO_KEEPALIVE. \return 0 for success. */
 int SockKeepalive(int sock) {
     int keepalive = 1;
@@ -246,12 +221,12 @@ int UnixOpen(const char *path)
 	return -1;
     }
 
-	/* Socket opened saved. Usefull if connect timeout 
-	 * because it can be closed.
-	 */
-	mailserver_socket_temp = sock;
-    
-	if (connect(sock, (struct sockaddr *) &ad, sizeof(ad)) < 0)
+    /* Socket opened saved. Usefull if connect timeout 
+     * because it can be closed.
+     */
+    mailserver_socket_temp = sock;
+
+    if (connect(sock, (struct sockaddr *) &ad, sizeof(ad)) < 0)
     {
 	int olderr = errno;
 	fm_close(sock);	/* don't use SockClose, no traffic yet */
@@ -259,9 +234,9 @@ int UnixOpen(const char *path)
 	errno = olderr;
 	sock = -1;
     }
-	
-	/* No connect timeout, then no need to set mailserver_socket_temp */
-	mailserver_socket_temp = -1;
+
+    /* No connect timeout, then no need to set mailserver_socket_temp */
+    mailserver_socket_temp = -1;
 
     return sock;
 }
@@ -325,7 +300,6 @@ int SockOpen(const char *host, const char *service,
 	    continue;
 	}
 
-	SockTimeout(i, mytimeout);
 	SockKeepalive(i);
 
 	/* Save socket descriptor.
@@ -628,7 +602,7 @@ static int SSL_verify_callback( int ok_return, X509_STORE_CTX *ctx, int strict )
 
 	if (outlevel >= O_VERBOSE) {
 		if (depth == 0 && SSLverbose)
-			report(stderr, GT_("Server certificate:\n"));
+			report(stdout, GT_("Server certificate:\n"));
 		else {
 			if (_firstrun) {
 				_firstrun = 0;
@@ -715,7 +689,7 @@ static int SSL_verify_callback( int ok_return, X509_STORE_CTX *ctx, int strict )
 							}
 						}
 					}
-					sk_GENERAL_NAME_free(gens);
+					GENERAL_NAMES_free(gens);
 				}
 				if (name_match(p1, p2)) {
 					matched = 1;
@@ -870,6 +844,7 @@ int SSLOpen(int sock, char *mycert, char *mykey, const char *myproto, int certck
 {
         struct stat randstat;
         int i;
+	long sslopts = SSL_OP_ALL;
 
 	SSL_load_error_strings();
 	SSL_library_init();
@@ -899,14 +874,21 @@ int SSLOpen(int sock, char *mycert, char *mykey, const char *myproto, int certck
 	/* Make sure a connection referring to an older context is not left */
 	_ssl_context[sock] = NULL;
 	if(myproto) {
-		if(!strcasecmp("ssl3",myproto)) {
+		if(!strcasecmp("ssl2",myproto)) {
+#if HAVE_DECL_SSLV2_CLIENT_METHOD + 0 > 0
+			_ctx[sock] = SSL_CTX_new(SSLv2_client_method());
+#else
+			report(stderr, GT_("Your operating system does not support SSLv2.\n"));
+			return -1;
+#endif
+		} else if(!strcasecmp("ssl3",myproto)) {
 			_ctx[sock] = SSL_CTX_new(SSLv3_client_method());
 		} else if(!strcasecmp("tls1",myproto)) {
 			_ctx[sock] = SSL_CTX_new(TLSv1_client_method());
 		} else if (!strcasecmp("ssl23",myproto)) {
 			myproto = NULL;
 		} else {
-			fprintf(stderr,GT_("Invalid SSL protocol '%s' specified, using default (SSL23).\n"), myproto);
+			fprintf(stderr,GT_("Invalid SSL protocol '%s' specified, using default (SSLv23).\n"), myproto);
 			myproto = NULL;
 		}
 	}
@@ -918,7 +900,13 @@ int SSLOpen(int sock, char *mycert, char *mykey, const char *myproto, int certck
 		return(-1);
 	}
 
-	SSL_CTX_set_options(_ctx[sock], SSL_OP_ALL | SSL_OP_NO_SSLv2);
+	{
+	    char *tmp = getenv("FETCHMAIL_DISABLE_CBC_IV_COUNTERMEASURE");
+	    if (tmp == NULL || *tmp == '\0' || strspn(tmp, " \t") == strlen(tmp))
+		sslopts &= ~ SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
+	}
+
+	SSL_CTX_set_options(_ctx[sock], sslopts);
 
 	if (certck) {
 		SSL_CTX_set_verify(_ctx[sock], SSL_VERIFY_PEER, SSL_ck_verify_callback);
@@ -1069,21 +1057,3 @@ static ssize_t cygwin_read(int sock, void *buf, size_t count)
     return count;
 }
 #endif /* __CYGWIN__ */
-
-#ifdef MAIN
-/*
- * Use the chargen service to test input buffering directly.
- * You may have to uncomment the `chargen' service description in your
- * inetd.conf (and then SIGHUP inetd) for this to work.  */
-main()
-{
-    int	 	sock = SockOpen("localhost", "chargen", NULL);
-    char	buf[80];
-
-    while (SockRead(sock, buf, sizeof(buf)-1))
-	SockWrite(1, buf, strlen(buf));
-    SockClose(sock);
-}
-#endif /* MAIN */
-
-/* socket.c ends here */