author | Gilles Chehade <gilles@poolp.org> | 2015-05-07 18:34:21 +0200 |
---|---|---|
committer | Gilles Chehade <gilles@poolp.org> | 2015-05-07 18:34:21 +0200 |
commit | ec95b68d29d0d82d4239a073e9d7e24a1c63f999 (patch) | |
tree | b54fe7e88d7c3bb008ebe908c7c311984187dfcc | |
parent | db is no longer a hard depdendency for portable (diff) | |
remove ca from struct pki
-rw-r--r-- | smtpd/lka.c | 2 | ||||
-rw-r--r-- | smtpd/parse.y | 6 | ||||
-rw-r--r-- | smtpd/smtpd.c | 8 | ||||
-rw-r--r-- | smtpd/smtpd.h | 3 | ||||
-rw-r--r-- | smtpd/ssl.c | 18 | ||||
-rw-r--r-- | smtpd/ssl.h | 17 |
6 files changed, 32 insertions, 22 deletions
diff --git a/smtpd/lka.c b/smtpd/lka.c
index 734979bb..366d12a0 100644
--- a/smtpd/lka.c
+++ b/smtpd/lka.c
@@ -683,8 +683,10 @@ lka_certificate_verify_resume(enum imsg_type type, struct ca_vrfy_req_msg *req)
 	cafile = CA_FILE;
 	pki = dict_get(env->sc_pki_dict, req->pkiname);
+	/*
 	if (pki && pki->pki_ca_file)
 		cafile = pki->pki_ca_file;
+	*/
 	if (! lka_X509_verify(req, cafile, NULL))
 		resp.status = CA_FAIL;
 	else
diff --git a/smtpd/parse.y b/smtpd/parse.y
index 348b2984..6d8d31d5 100644
--- a/smtpd/parse.y
+++ b/smtpd/parse.y
@@ -384,9 +384,6 @@ opt_pki : CERTIFICATE STRING {
 		| KEY STRING {
 			pki->pki_key_file = $2;
 		}
-		| CA STRING {
-			pki->pki_ca_file = $2;
-		}
 		| DHPARAMS STRING {
 			pki->pki_dhparams_file = $2;
 		}
@@ -866,6 +863,9 @@ main : BOUNCEWARN {
 		} filter_args
 		| PKI STRING {
 			char buf[HOST_NAME_MAX+1];
+
+			warnx("###### checking %s", $2);
+
 			xlowercase(buf, $2, sizeof(buf));
 			free($2);
 			pki = dict_get(conf->sc_pki_dict, buf);
diff --git a/smtpd/smtpd.c b/smtpd/smtpd.c
index ea6cd2c6..5820e198 100644
--- a/smtpd/smtpd.c
+++ b/smtpd/smtpd.c
@@ -723,12 +723,14 @@ load_pki_tree(void)
 		if (! ssl_load_certificate(pki, pki->pki_cert_file))
 			fatalx("load_pki_tree: failed to load certificate file");
-		if (pki->pki_ca_file)
-			if (! ssl_load_cafile(pki, pki->pki_ca_file))
-				fatalx("load_pki_tree: failed to load CA file");
 		if (pki->pki_dhparams_file)
 			if (! ssl_load_dhparams(pki, pki->pki_dhparams_file))
 				fatalx("load_pki_tree: failed to load dhparams file");
+		/*
+		if (pki->pki_ca_file)
+			if (! ssl_load_cafile(pki, pki->pki_ca_file))
+				fatalx("load_pki_tree: failed to load CA file");
+		*/
 	}
 }
diff --git a/smtpd/smtpd.h b/smtpd/smtpd.h
index 6843ed42..c7cd962b 100644
--- a/smtpd/smtpd.h
+++ b/smtpd/smtpd.h
@@ -609,7 +609,8 @@ struct smtpd {
 	TAILQ_HEAD(listenerlist, listener)	*sc_listeners;
 	TAILQ_HEAD(rulelist, rule)		*sc_rules;
-
+
+	struct dict		*sc_ca_dict;
 	struct dict		*sc_pki_dict;
 	struct dict		*sc_ssl_dict;
diff --git a/smtpd/ssl.c b/smtpd/ssl.c
index 95fd4868..c16b4ede 100644
--- a/smtpd/ssl.c
+++ b/smtpd/ssl.c
@@ -319,15 +319,6 @@ ssl_load_keyfile(struct pki *p, const char *pathname, const char *pkiname)
 }
 int
-ssl_load_cafile(struct pki *p, const char *pathname)
-{
-	p->pki_ca = ssl_load_file(pathname, &p->pki_ca_len, 0755);
-	if (p->pki_ca == NULL)
-		return 0;
-	return 1;
-}
-
-int
 ssl_load_dhparams(struct pki *p, const char *pathname)
 {
 	p->pki_dhparams = ssl_load_file(pathname, &p->pki_dhparams_len, 0755);
@@ -340,6 +331,15 @@ ssl_load_dhparams(struct pki *p, const char *pathname)
 	return 1;
 }
+int
+ssl_load_cafile(struct ca *c, const char *pathname)
+{
+	c->ca_cert = ssl_load_file(pathname, &c->ca_cert_len, 0755);
+	if (c->ca_cert == NULL)
+		return 0;
+	return 1;
+}
+
 const char *
 ssl_to_text(const SSL *ssl)
 {
diff --git a/smtpd/ssl.h b/smtpd/ssl.h
index cf3c1952..b81d4093 100644
--- a/smtpd/ssl.h
+++ b/smtpd/ssl.h
@@ -20,11 +20,7 @@
 #define SSL_SESSION_TIMEOUT	300
 struct pki {
-	char		pki_name[PATH_MAX];
-
-	char		*pki_ca_file;
-	char		*pki_ca;
-	off_t		pki_ca_len;
+	char		pki_name[HOST_NAME_MAX+1];
 	char		*pki_cert_file;
 	char		*pki_cert;
@@ -41,6 +37,14 @@ struct pki {
 	off_t		pki_dhparams_len;
 };
+struct ca {
+	char		ca_name[HOST_NAME_MAX+1];
+
+	char		*ca_cert_file;
+	char		*ca_cert;
+	off_t		ca_cert_len;
+};
+
 /* ssl.c */
 void	ssl_init(void);
 int	ssl_setup(SSL_CTX **, struct pki *, const char *, const char *);
@@ -58,12 +62,13 @@ void	ssl_error(const char *);
 int	ssl_load_certificate(struct pki *, const char *);
 int	ssl_load_keyfile(struct pki *, const char *, const char *);
-int	ssl_load_cafile(struct pki *, const char *);
 int	ssl_load_dhparams(struct pki *, const char *);
 int	ssl_load_pkey(const void *, size_t, char *, off_t, X509 **, EVP_PKEY **);
 int	ssl_ctx_fake_private_key(SSL_CTX *, const void *, size_t, char *, off_t, X509 **, EVP_PKEY **);
+int	ssl_load_cafile(struct ca *, const char *);
+
 /* libressl.c */
 int SSL_CTX_use_certificate_chain_mem(SSL_CTX *, void *, int); |
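Review bot: In the lka.c hunk the per-pki CA override is disabled by wrapping `if (pki && pki->pki_ca_file) cafile = pki->pki_ca_file;` in `/* */` rather than deleting it, and the smtpd.c hunk does the same with the `ssl_load_cafile` call in load_pki_tree; both comment blocks still reference `pki_ca_file`, which this commit removes from struct pki, so the code inside can never be reopened as-is. Delete the two blocks, or replace each with a one-line marker such as `/* TODO: look the CA up in env->sc_ca_dict once the ca dict is populated */`. As visible in the hunk, lka_certificate_verify_resume now always verifies against `CA_FILE` whatever the pki configuration says, so any deployment relying on a per-pki CA silently loses that behaviour until the follow-up lands; that is worth stating in the commit message. lka_certificate_verify_resume and load_pki_tree both continue outside their hunks.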
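Review bot: The `warnx("###### checking %s", $2);` added to the `PKI STRING` rule in parse.y reads as a leftover debug trace: it prints every pki name to stderr on each configuration parse and the `######` prefix matches no other diagnostic on the page; drop the three added lines, or use `log_debug` if the trace is meant to stay. Removing the `CA STRING` alternative from opt_pki means existing configurations with a `ca` entry inside a `pki` block now fail to parse instead of being accepted, which is the right outcome while the field is gone but should be mentioned in the commit message and the manual page. The main rule continues outside the hunk.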
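Review bot: `struct dict *sc_ca_dict;` is added to struct smtpd in the smtpd.h hunk, but nothing else in this commit creates, fills or reads it; the parser drops the `ca` keyword and lka.c comments out the CA lookup instead of consulting the new dict. Until it is allocated alongside `sc_pki_dict`, any later `dict_get(env->sc_ca_dict, ...)` dereferences a NULL pointer, so presumably a follow-up commit wires it up. A short field comment, `/* struct ca entries keyed by name, see ssl.h */`, would make the intent visible in the meantime. struct smtpd continues outside the hunk.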
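Review bot: In the first ssl.h hunk `pki_name` shrinks from `PATH_MAX` to `HOST_NAME_MAX+1`, which changes the bound every writer of that field must respect; any copy elsewhere that is sized by `PATH_MAX` instead of `sizeof pki->pki_name` now overflows the struct, so the callers (not in this diff) should be audited before this lands. In the third hunk the new `int ssl_load_cafile(struct ca *, const char *);` prototype is placed after `ssl_ctx_fake_private_key` rather than where the old declaration sat among the other `ssl_load_*` loaders; moving it back keeps that group together. `struct ca` would also benefit from a comment, e.g. `/* a named CA certificate file, read into ca_cert by ssl_load_cafile() */`.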