authorGilles Chehade <gilles@poolp.org>2018-12-27 10:54:44 +0100
committerGilles Chehade <gilles@poolp.org>2018-12-27 10:54:44 +0100
commit995cc445c2dc0228ef8a31d88d2bc13d3c608311 (patch)
treef34c145f0219157938f7eb2738d43b3dec368c40 /smtpd/lka.c
parentMerge branch 'master' into portable (diff)
parentsync (diff)
Merge branch 'master' into portable
Diffstat (limited to 'smtpd/lka.c')
-rw-r--r--smtpd/lka.c167
1 files changed, 8 insertions, 159 deletions
diff --git a/smtpd/lka.c b/smtpd/lka.c
index 519fb1d7..0291d49b 100644
--- a/smtpd/lka.c
+++ b/smtpd/lka.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: lka.c,v 1.228 2018/12/21 14:33:52 gilles Exp $ */
+/* $OpenBSD: lka.c,v 1.231 2018/12/26 20:13:43 eric Exp $ */
/*
* Copyright (c) 2008 Pierre-Yves Ritschard <pyr@openbsd.org>
@@ -60,9 +60,6 @@ static int lka_userinfo(const char *, const char *, struct userinfo *);
static int lka_addrname(const char *, const struct sockaddr *,
struct addrname *);
static int lka_mailaddrmap(const char *, const char *, const struct mailaddr *);
-static int lka_X509_verify(struct ca_vrfy_req_msg *, const char *, const char *);
-static void lka_certificate_verify(enum imsg_type, struct ca_vrfy_req_msg *);
-static void lka_certificate_verify_resume(enum imsg_type, struct ca_vrfy_req_msg *);
static void proc_timeout(int fd, short event, void *p);
@@ -73,12 +70,6 @@ lka_imsg(struct mproc *p, struct imsg *imsg)
{
struct table *table;
int ret;
- struct pki *pki;
- struct iovec iov[2];
- static struct ca_vrfy_req_msg *req_ca_vrfy = NULL;
- struct ca_vrfy_req_msg *req_ca_vrfy_chain;
- struct ca_cert_req_msg *req_ca_cert;
- struct ca_cert_resp_msg resp_ca_cert;
struct sockaddr_storage ss;
struct userinfo userinfo;
struct addrname addrname;
@@ -172,63 +163,6 @@ lka_imsg(struct mproc *p, struct imsg *imsg)
m_close(p);
return;
- case IMSG_SMTP_TLS_INIT:
- case IMSG_MTA_TLS_INIT:
- req_ca_cert = imsg->data;
- resp_ca_cert.reqid = req_ca_cert->reqid;
-
- xlowercase(buf, req_ca_cert->name, sizeof(buf));
- log_debug("debug: lka: looking up pki \"%s\"", buf);
- pki = dict_get(env->sc_pki_dict, buf);
- if (pki == NULL)
- if (req_ca_cert->fallback)
- pki = dict_get(env->sc_pki_dict, "*");
- if (pki == NULL) {
- resp_ca_cert.status = CA_FAIL;
- m_compose(p, imsg->hdr.type, 0, 0, -1, &resp_ca_cert,
- sizeof(resp_ca_cert));
- return;
- }
- resp_ca_cert.status = CA_OK;
- resp_ca_cert.cert_len = pki->pki_cert_len;
- (void)strlcpy(resp_ca_cert.name, pki->pki_name, sizeof resp_ca_cert.name);
- iov[0].iov_base = &resp_ca_cert;
- iov[0].iov_len = sizeof(resp_ca_cert);
- iov[1].iov_base = pki->pki_cert;
- iov[1].iov_len = pki->pki_cert_len;
- m_composev(p, imsg->hdr.type, 0, 0, -1, iov, nitems(iov));
- return;
-
- case IMSG_SMTP_TLS_VERIFY_CERT:
- case IMSG_MTA_TLS_VERIFY_CERT:
- req_ca_vrfy = xmemdup(imsg->data, sizeof *req_ca_vrfy);
- req_ca_vrfy->cert = xmemdup((char *)imsg->data +
- sizeof *req_ca_vrfy, req_ca_vrfy->cert_len);
- req_ca_vrfy->chain_cert = xcalloc(req_ca_vrfy->n_chain,
- sizeof (unsigned char *));
- req_ca_vrfy->chain_cert_len = xcalloc(req_ca_vrfy->n_chain,
- sizeof (off_t));
- return;
-
- case IMSG_SMTP_TLS_VERIFY_CHAIN:
- case IMSG_MTA_TLS_VERIFY_CHAIN:
- if (req_ca_vrfy == NULL)
- fatalx("lka:ca_vrfy: chain without a certificate");
- req_ca_vrfy_chain = imsg->data;
- req_ca_vrfy->chain_cert[req_ca_vrfy->chain_offset] = xmemdup((char *)imsg->data +
- sizeof *req_ca_vrfy_chain, req_ca_vrfy_chain->cert_len);
- req_ca_vrfy->chain_cert_len[req_ca_vrfy->chain_offset] = req_ca_vrfy_chain->cert_len;
- req_ca_vrfy->chain_offset++;
- return;
-
- case IMSG_SMTP_TLS_VERIFY:
- case IMSG_MTA_TLS_VERIFY:
- if (req_ca_vrfy == NULL)
- fatalx("lka:ca_vrfy: verify without a certificate");
- lka_certificate_verify(imsg->hdr.type, req_ca_vrfy);
- req_ca_vrfy = NULL;
- return;
-
case IMSG_SMTP_AUTHENTICATE:
m_msg(&m, imsg);
m_get_id(&m, &reqid);
@@ -304,7 +238,7 @@ lka_imsg(struct mproc *p, struct imsg *imsg)
m_add_int(p, LKA_TEMPFAIL);
}
else {
- ret = table_fetch(table, NULL, K_SOURCE, &lk);
+ ret = table_fetch(table, K_SOURCE, &lk);
if (ret == -1)
m_add_int(p, LKA_TEMPFAIL);
else if (ret == 0)
@@ -352,7 +286,7 @@ lka_imsg(struct mproc *p, struct imsg *imsg)
m_add_int(p, LKA_TEMPFAIL);
}
else {
- ret = table_fetch(table, NULL, K_RELAYHOST, &lk);
+ ret = table_fetch(table, K_RELAYHOST, &lk);
if (ret == -1)
m_add_int(p, LKA_TEMPFAIL);
else if (ret == 0)
@@ -759,7 +693,7 @@ lka_authenticate(const char *tablename, const char *user, const char *password)
return (LKA_TEMPFAIL);
}
- switch (table_lookup(table, NULL, user, K_CREDENTIALS, &lk)) {
+ switch (table_lookup(table, K_CREDENTIALS, user, &lk)) {
case -1:
log_warnx("warn: user credentials lookup fail for %s:%s",
tablename, user);
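Review bot: The rewritten call `table_lookup(table, K_CREDENTIALS, user, &lk)` now relies purely on positional order (service before key) and nothing documents what its return values mean, while the same three-way switch is repeated in lka_credentials, lka_userinfo, lka_addrname and lka_mailaddrmap in the following hunks; a one-line comment at the switch would help, e.g. `/* table_lookup(): -1 backend error (tempfail), 0 key absent, otherwise found */`. Only the -1 arm is visible here — the remaining arms and the rest of lka_authenticate's body continue outside the hunk, so the 0/positive semantics are inferred from the surrounding call sites rather than shown. Separately, the -1 arm passes the client-supplied `user` verbatim to log_warnx; since this function appears to service SMTP AUTH (IMSG_SMTP_AUTHENTICATE above), whether control characters are stripped before that string reaches the log is not visible in this hunk and is worth confirming.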
@@ -789,7 +723,7 @@ lka_credentials(const char *tablename, const char *label, char *dst, size_t sz)
dst[0] = '\0';
- switch (table_lookup(table, NULL, label, K_CREDENTIALS, &lk)) {
+ switch (table_lookup(table, K_CREDENTIALS, label, &lk)) {
case -1:
log_warnx("warn: credentials lookup fail for %s:%s",
tablename, label);
@@ -830,7 +764,7 @@ lka_userinfo(const char *tablename, const char *username, struct userinfo *res)
return (LKA_TEMPFAIL);
}
- switch (table_lookup(table, NULL, username, K_USERINFO, &lk)) {
+ switch (table_lookup(table, K_USERINFO, username, &lk)) {
case -1:
log_warnx("warn: failure during userinfo lookup %s:%s",
tablename, username);
@@ -860,7 +794,7 @@ lka_addrname(const char *tablename, const struct sockaddr *sa,
return (LKA_TEMPFAIL);
}
- switch (table_lookup(table, NULL, source, K_ADDRNAME, &lk)) {
+ switch (table_lookup(table, K_ADDRNAME, source, &lk)) {
case -1:
log_warnx("warn: failure during helo lookup %s:%s",
tablename, source);
@@ -888,7 +822,7 @@ lka_mailaddrmap(const char *tablename, const char *username, const struct mailad
return (LKA_TEMPFAIL);
}
- switch (table_lookup(table, NULL, username, K_MAILADDRMAP, &lk)) {
+ switch (table_lookup(table, K_MAILADDRMAP, username, &lk)) {
case -1:
log_warnx("warn: failure during mailaddrmap lookup %s:%s",
tablename, username);
@@ -910,88 +844,3 @@ lka_mailaddrmap(const char *tablename, const char *username, const struct mailad
}
return (LKA_OK);
}
-
-static int
-lka_X509_verify(struct ca_vrfy_req_msg *vrfy,
- const char *CAfile, const char *CRLfile)
-{
- X509 *x509;
- X509 *x509_tmp;
- STACK_OF(X509) *x509_chain;
- const unsigned char *d2i;
- size_t i;
- int ret = 0;
- const char *errstr;
-
- x509 = NULL;
- x509_tmp = NULL;
- x509_chain = NULL;
-
- d2i = vrfy->cert;
- if (d2i_X509(&x509, &d2i, vrfy->cert_len) == NULL) {
- x509 = NULL;
- goto end;
- }
-
- if (vrfy->n_chain) {
- x509_chain = sk_X509_new_null();
- for (i = 0; i < vrfy->n_chain; ++i) {
- d2i = vrfy->chain_cert[i];
- if (d2i_X509(&x509_tmp, &d2i, vrfy->chain_cert_len[i]) == NULL)
- goto end;
- sk_X509_insert(x509_chain, x509_tmp, i);
- x509_tmp = NULL;
- }
- }
- if (!ca_X509_verify(x509, x509_chain, CAfile, NULL, &errstr))
- log_debug("debug: lka: X509 verify: %s", errstr);
- else
- ret = 1;
-
-end:
- X509_free(x509);
- X509_free(x509_tmp);
- if (x509_chain)
- sk_X509_pop_free(x509_chain, X509_free);
-
- return ret;
-}
-
-static void
-lka_certificate_verify(enum imsg_type type, struct ca_vrfy_req_msg *req)
-{
- lka_certificate_verify_resume(type, req);
-}
-
-static void
-lka_certificate_verify_resume(enum imsg_type type, struct ca_vrfy_req_msg *req)
-{
- struct ca_vrfy_resp_msg resp;
- struct ca *sca;
- const char *cafile;
- size_t i;
-
- resp.reqid = req->reqid;
- sca = dict_get(env->sc_ca_dict, req->name);
- if (sca == NULL)
- if (req->fallback)
- sca = dict_get(env->sc_ca_dict, "*");
- cafile = sca ? sca->ca_cert_file : CA_FILE;
-
- if (sca == NULL && !req->fallback)
- resp.status = CA_FAIL;
- else if (!lka_X509_verify(req, cafile, NULL))
- resp.status = CA_FAIL;
- else
- resp.status = CA_OK;
-
- m_compose(p_pony, type, 0, 0, -1, &resp,
- sizeof resp);
-
- for (i = 0; i < req->n_chain; ++i)
- free(req->chain_cert[i]);
- free(req->chain_cert);
- free(req->chain_cert_len);
- free(req->cert);
- free(req);
-}