diff options
Diffstat (limited to 'usr.sbin/smtpd/ssl_smtpd.c')
-rw-r--r-- | usr.sbin/smtpd/ssl_smtpd.c | 105 |
1 files changed, 105 insertions, 0 deletions
diff --git a/usr.sbin/smtpd/ssl_smtpd.c b/usr.sbin/smtpd/ssl_smtpd.c new file mode 100644 index 00000000..4e5b7e75 --- /dev/null +++ b/usr.sbin/smtpd/ssl_smtpd.c @@ -0,0 +1,105 @@ +/* $OpenBSD: ssl_smtpd.c,v 1.13 2015/12/30 16:02:08 benno Exp $ */ + +/* + * Copyright (c) 2008 Pierre-Yves Ritschard <pyr@openbsd.org> + * Copyright (c) 2008 Reyk Floeter <reyk@openbsd.org> + * Copyright (c) 2012 Gilles Chehade <gilles@poolp.org> + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include "includes.h" + +#include <sys/types.h> +#include <sys/queue.h> +#include <sys/tree.h> +#include <sys/socket.h> +#include <sys/stat.h> + +#include <ctype.h> +#include <event.h> +#include <fcntl.h> +#include <limits.h> +#include <imsg.h> +#include <pwd.h> +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <unistd.h> + +#include <openssl/ssl.h> +#include <openssl/engine.h> +#include <openssl/err.h> + +#include "smtpd.h" +#include "log.h" +#include "ssl.h" + + +void * +ssl_mta_init(void *pkiname, char *cert, off_t cert_len, const char *ciphers) +{ + SSL_CTX *ctx = NULL; + SSL *ssl = NULL; + + ctx = ssl_ctx_create(pkiname, cert, cert_len, ciphers); + + if ((ssl = SSL_new(ctx)) == NULL) + goto err; + if (!SSL_set_ssl_method(ssl, SSLv23_client_method())) + goto err; + + SSL_CTX_free(ctx); + return (void *)(ssl); + +err: + SSL_free(ssl); + SSL_CTX_free(ctx); + ssl_error("ssl_mta_init"); + return (NULL); +} + +/* dummy_verify */ +static int +dummy_verify(int ok, X509_STORE_CTX *store) +{ + /* + * We *want* SMTP to request an optional client certificate, however we don't want the + * verification to take place in the SMTP process. This dummy verify will allow us to + * asynchronously verify in the lookup process. + */ + return 1; +} + +void * +ssl_smtp_init(void *ssl_ctx, int verify) +{ + SSL *ssl = NULL; + + log_debug("debug: session_start_ssl: switching to SSL"); + + if (verify) + SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, dummy_verify); + + if ((ssl = SSL_new(ssl_ctx)) == NULL) + goto err; + if (!SSL_set_ssl_method(ssl, SSLv23_server_method())) + goto err; + + return (void *)(ssl); + +err: + SSL_free(ssl); + ssl_error("ssl_smtp_init"); + return (NULL); +} |