author | Gilles Chehade <gilles@poolp.org> | 2018-12-27 10:54:44 +0100 |
---|---|---|
committer | Gilles Chehade <gilles@poolp.org> | 2018-12-27 10:54:44 +0100 |
commit | 995cc445c2dc0228ef8a31d88d2bc13d3c608311 (patch) | |
tree | f34c145f0219157938f7eb2738d43b3dec368c40 /smtpd/lka.c | |
parent | Merge branch 'master' into portable (diff) | |
parent | sync (diff) | |
Merge branch 'master' into portable
Diffstat (limited to 'smtpd/lka.c')
-rw-r--r-- | smtpd/lka.c | 167 |
1 files changed, 8 insertions, 159 deletions
diff --git a/smtpd/lka.c b/smtpd/lka.c
index 519fb1d7..0291d49b 100644
--- a/smtpd/lka.c
+++ b/smtpd/lka.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: lka.c,v 1.228 2018/12/21 14:33:52 gilles Exp $ */
+/* $OpenBSD: lka.c,v 1.231 2018/12/26 20:13:43 eric Exp $ */
 
 /*
  * Copyright (c) 2008 Pierre-Yves Ritschard <pyr@openbsd.org>
@@ -60,9 +60,6 @@ static int lka_userinfo(const char *, const char *, struct userinfo *);
 static int lka_addrname(const char *, const struct sockaddr *, struct addrname *);
 static int lka_mailaddrmap(const char *, const char *, const struct mailaddr *);
-static int lka_X509_verify(struct ca_vrfy_req_msg *, const char *, const char *);
-static void lka_certificate_verify(enum imsg_type, struct ca_vrfy_req_msg *);
-static void lka_certificate_verify_resume(enum imsg_type, struct ca_vrfy_req_msg *);
 
 static void proc_timeout(int fd, short event, void *p);
 
@@ -73,12 +70,6 @@ lka_imsg(struct mproc *p, struct imsg *imsg)
 {
 struct table *table;
 int ret;
-struct pki *pki;
-struct iovec iov[2];
-static struct ca_vrfy_req_msg *req_ca_vrfy = NULL;
-struct ca_vrfy_req_msg *req_ca_vrfy_chain;
-struct ca_cert_req_msg *req_ca_cert;
-struct ca_cert_resp_msg resp_ca_cert;
 struct sockaddr_storage ss;
 struct userinfo userinfo;
 struct addrname addrname;
@@ -172,63 +163,6 @@ lka_imsg(struct mproc *p, struct imsg *imsg)
 m_close(p);
 return;
 
-case IMSG_SMTP_TLS_INIT:
-case IMSG_MTA_TLS_INIT:
-req_ca_cert = imsg->data;
-resp_ca_cert.reqid = req_ca_cert->reqid;
-
-xlowercase(buf, req_ca_cert->name, sizeof(buf));
-log_debug("debug: lka: looking up pki \"%s\"", buf);
-pki = dict_get(env->sc_pki_dict, buf);
-if (pki == NULL)
-if (req_ca_cert->fallback)
-pki = dict_get(env->sc_pki_dict, "*");
-if (pki == NULL) {
-resp_ca_cert.status = CA_FAIL;
-m_compose(p, imsg->hdr.type, 0, 0, -1, &resp_ca_cert,
-sizeof(resp_ca_cert));
-return;
-}
-resp_ca_cert.status = CA_OK;
-resp_ca_cert.cert_len = pki->pki_cert_len;
-(void)strlcpy(resp_ca_cert.name, pki->pki_name, sizeof resp_ca_cert.name);
-iov[0].iov_base = &resp_ca_cert;
-iov[0].iov_len = sizeof(resp_ca_cert);
-iov[1].iov_base = pki->pki_cert;
-iov[1].iov_len = pki->pki_cert_len;
-m_composev(p, imsg->hdr.type, 0, 0, -1, iov, nitems(iov));
-return;
-
-case IMSG_SMTP_TLS_VERIFY_CERT:
-case IMSG_MTA_TLS_VERIFY_CERT:
-req_ca_vrfy = xmemdup(imsg->data, sizeof *req_ca_vrfy);
-req_ca_vrfy->cert = xmemdup((char *)imsg->data +
-sizeof *req_ca_vrfy, req_ca_vrfy->cert_len);
-req_ca_vrfy->chain_cert = xcalloc(req_ca_vrfy->n_chain,
-sizeof (unsigned char *));
-req_ca_vrfy->chain_cert_len = xcalloc(req_ca_vrfy->n_chain,
-sizeof (off_t));
-return;
-
-case IMSG_SMTP_TLS_VERIFY_CHAIN:
-case IMSG_MTA_TLS_VERIFY_CHAIN:
-if (req_ca_vrfy == NULL)
-fatalx("lka:ca_vrfy: chain without a certificate");
-req_ca_vrfy_chain = imsg->data;
-req_ca_vrfy->chain_cert[req_ca_vrfy->chain_offset] = xmemdup((char *)imsg->data +
-sizeof *req_ca_vrfy_chain, req_ca_vrfy_chain->cert_len);
-req_ca_vrfy->chain_cert_len[req_ca_vrfy->chain_offset] = req_ca_vrfy_chain->cert_len;
-req_ca_vrfy->chain_offset++;
-return;
-
-case IMSG_SMTP_TLS_VERIFY:
-case IMSG_MTA_TLS_VERIFY:
-if (req_ca_vrfy == NULL)
-fatalx("lka:ca_vrfy: verify without a certificate");
-lka_certificate_verify(imsg->hdr.type, req_ca_vrfy);
-req_ca_vrfy = NULL;
-return;
-
 case IMSG_SMTP_AUTHENTICATE:
 m_msg(&m, imsg);
 m_get_id(&m, &reqid);
@@ -304,7 +238,7 @@ lka_imsg(struct mproc *p, struct imsg *imsg)
 m_add_int(p, LKA_TEMPFAIL);
 }
 else {
-ret = table_fetch(table, NULL, K_SOURCE, &lk);
+ret = table_fetch(table, K_SOURCE, &lk);
 if (ret == -1)
 m_add_int(p, LKA_TEMPFAIL);
 else if (ret == 0)
@@ -352,7 +286,7 @@ lka_imsg(struct mproc *p, struct imsg *imsg)
 m_add_int(p, LKA_TEMPFAIL);
 }
 else {
-ret = table_fetch(table, NULL, K_RELAYHOST, &lk);
+ret = table_fetch(table, K_RELAYHOST, &lk);
 if (ret == -1)
 m_add_int(p, LKA_TEMPFAIL);
 else if (ret == 0)
@@ -759,7 +693,7 @@ lka_authenticate(const char *tablename, const char *user, const char *password)
 return (LKA_TEMPFAIL);
 }
 
-switch (table_lookup(table, NULL, user, K_CREDENTIALS, &lk)) {
+switch (table_lookup(table, K_CREDENTIALS, user, &lk)) {
 case -1:
 log_warnx("warn: user credentials lookup fail for %s:%s",
 tablename, user);
@@ -789,7 +723,7 @@ lka_credentials(const char *tablename, const char *label, char *dst, size_t sz)
 
 dst[0] = '\0';
 
-switch (table_lookup(table, NULL, label, K_CREDENTIALS, &lk)) {
+switch (table_lookup(table, K_CREDENTIALS, label, &lk)) {
 case -1:
 log_warnx("warn: credentials lookup fail for %s:%s",
 tablename, label);
@@ -830,7 +764,7 @@ lka_userinfo(const char *tablename, const char *username, struct userinfo *res)
 return (LKA_TEMPFAIL);
 }
 
-switch (table_lookup(table, NULL, username, K_USERINFO, &lk)) {
+switch (table_lookup(table, K_USERINFO, username, &lk)) {
 case -1:
 log_warnx("warn: failure during userinfo lookup %s:%s",
 tablename, username);
@@ -860,7 +794,7 @@ lka_addrname(const char *tablename, const struct sockaddr *sa,
 return (LKA_TEMPFAIL);
 }
 
-switch (table_lookup(table, NULL, source, K_ADDRNAME, &lk)) {
+switch (table_lookup(table, K_ADDRNAME, source, &lk)) {
 case -1:
 log_warnx("warn: failure during helo lookup %s:%s",
 tablename, source);
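Review bot: In the lka_authenticate hunk (`@@ -759,7 +693,7 @@`), the `case -1:` branch still logs the lookup key verbatim with `log_warnx("warn: user credentials lookup fail for %s:%s", tablename, user);`, and `user` appears to be the client-supplied SMTP AUTH identity; unless the SMTP layer already restricts it to printable characters, a username carrying newlines or other control bytes can split or forge log records on an attacker-triggerable path. The format string itself is correct (constant, `%s` for the data), so the concern is the content, not a format-string bug. Consider logging the key only after a visible-character filter, or dropping it from this warning, e.g. `log_warnx("warn: user credentials lookup fail for %s", tablename);`, since a backend failure (-1) is about the table rather than the user. The reordered call `table_lookup(table, K_CREDENTIALS, user, &lk)` is consistent with the other K_* call sites in this diff; lka_authenticate's body begins and ends outside the hunk.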
@@ -888,7 +822,7 @@ lka_mailaddrmap(const char *tablename, const char *username, const struct mailad
 return (LKA_TEMPFAIL);
 }
 
-switch (table_lookup(table, NULL, username, K_MAILADDRMAP, &lk)) {
+switch (table_lookup(table, K_MAILADDRMAP, username, &lk)) {
 case -1:
 log_warnx("warn: failure during mailaddrmap lookup %s:%s",
 tablename, username);
@@ -910,88 +844,3 @@ lka_mailaddrmap(const char *tablename, const char *username, const struct mailad
 }
 return (LKA_OK);
 }
-
-static int
-lka_X509_verify(struct ca_vrfy_req_msg *vrfy,
-const char *CAfile, const char *CRLfile)
-{
-X509 *x509;
-X509 *x509_tmp;
-STACK_OF(X509) *x509_chain;
-const unsigned char *d2i;
-size_t i;
-int ret = 0;
-const char *errstr;
-
-x509 = NULL;
-x509_tmp = NULL;
-x509_chain = NULL;
-
-d2i = vrfy->cert;
-if (d2i_X509(&x509, &d2i, vrfy->cert_len) == NULL) {
-x509 = NULL;
-goto end;
-}
-
-if (vrfy->n_chain) {
-x509_chain = sk_X509_new_null();
-for (i = 0; i < vrfy->n_chain; ++i) {
-d2i = vrfy->chain_cert[i];
-if (d2i_X509(&x509_tmp, &d2i, vrfy->chain_cert_len[i]) == NULL)
-goto end;
-sk_X509_insert(x509_chain, x509_tmp, i);
-x509_tmp = NULL;
-}
-}
-if (!ca_X509_verify(x509, x509_chain, CAfile, NULL, &errstr))
-log_debug("debug: lka: X509 verify: %s", errstr);
-else
-ret = 1;
-
-end:
-X509_free(x509);
-X509_free(x509_tmp);
-if (x509_chain)
-sk_X509_pop_free(x509_chain, X509_free);
-
-return ret;
-}
-
-static void
-lka_certificate_verify(enum imsg_type type, struct ca_vrfy_req_msg *req)
-{
-lka_certificate_verify_resume(type, req);
-}
-
-static void
-lka_certificate_verify_resume(enum imsg_type type, struct ca_vrfy_req_msg *req)
-{
-struct ca_vrfy_resp_msg resp;
-struct ca *sca;
-const char *cafile;
-size_t i;
-
-resp.reqid = req->reqid;
-sca = dict_get(env->sc_ca_dict, req->name);
-if (sca == NULL)
-if (req->fallback)
-sca = dict_get(env->sc_ca_dict, "*");
-cafile = sca ? sca->ca_cert_file : CA_FILE;
-
-if (sca == NULL && !req->fallback)
-resp.status = CA_FAIL;
-else if (!lka_X509_verify(req, cafile, NULL))
-resp.status = CA_FAIL;
-else
-resp.status = CA_OK;
-
-m_compose(p_pony, type, 0, 0, -1, &resp,
-sizeof resp);
-
-for (i = 0; i < req->n_chain; ++i)
-free(req->chain_cert[i]);
-free(req->chain_cert);
-free(req->chain_cert_len);
-free(req->cert);
-free(req);
-}