author | 2013-11-18 12:24:26 +0000 | |
---|---|---|
committer | 2013-11-18 12:24:26 +0000 | |
commit | 1b0c7b9f9eea6debe140958c90aa15a6b8148f52 (patch) | |
tree | 9f506416464a1a96de167c223d083a094bd6870c | |
parent | When looking up a MX, parse the address if the domain is a "[ipaddr]" string. (diff) | |
Allow overriding the local ca
-rw-r--r-- | usr.sbin/smtpd/lka.c | 16 | ||||
-rw-r--r-- | usr.sbin/smtpd/mta_session.c | 11 | ||||
-rw-r--r-- | usr.sbin/smtpd/smtp_session.c | 6 | ||||
-rw-r--r-- | usr.sbin/smtpd/smtpd.conf.5 | 9 | ||||
-rw-r--r-- | usr.sbin/smtpd/smtpd.h | 3 |
5 files changed, 36 insertions, 9 deletions
diff --git a/usr.sbin/smtpd/lka.c b/usr.sbin/smtpd/lka.c
index 95fdf332034..471220960a3 100644
--- a/usr.sbin/smtpd/lka.c
+++ b/usr.sbin/smtpd/lka.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: lka.c,v 1.159 2013/11/13 08:39:33 eric Exp $ */
+/* $OpenBSD: lka.c,v 1.160 2013/11/18 12:24:26 eric Exp $ */
 /*
  * Copyright (c) 2008 Pierre-Yves Ritschard <pyr@openbsd.org>
@@ -86,6 +86,7 @@ lka_imsg(struct mproc *p, struct imsg *imsg)
 	uint64_t reqid;
 	size_t i;
 	int v;
+	const char *cafile = NULL;
 	if (imsg->hdr.type == IMSG_DNS_HOST ||
 	    imsg->hdr.type == IMSG_DNS_PTR ||
@@ -175,8 +176,11 @@ lka_imsg(struct mproc *p, struct imsg *imsg)
 			fatalx("lka:ca_vrfy: verify without a certificate");
 		resp_ca_vrfy.reqid = req_ca_vrfy_smtp->reqid;
-
-		if (! lka_X509_verify(req_ca_vrfy_smtp, CA_FILE, NULL))
+		ssl = dict_xget(env->sc_ssl_dict, req_ca_vrfy_smtp->pkiname);
+		cafile = CA_FILE;
+		if (ssl->ssl_ca_file)
+			cafile = ssl->ssl_ca_file;
+		if (! lka_X509_verify(req_ca_vrfy_smtp, cafile, NULL))
 			resp_ca_vrfy.status = CA_FAIL;
 		else
 			resp_ca_vrfy.status = CA_OK;
@@ -297,8 +301,12 @@ lka_imsg(struct mproc *p, struct imsg *imsg)
 			fatalx("lka:ca_vrfy: verify without a certificate");
 		resp_ca_vrfy.reqid = req_ca_vrfy_mta->reqid;
+		ssl = dict_get(env->sc_ssl_dict, req_ca_vrfy_mta->pkiname);
-		if (! lka_X509_verify(req_ca_vrfy_mta, CA_FILE, NULL))
+		cafile = CA_FILE;
+		if (ssl && ssl->ssl_ca_file)
+			cafile = ssl->ssl_ca_file;
+		if (! lka_X509_verify(req_ca_vrfy_mta, cafile, NULL))
 			resp_ca_vrfy.status = CA_FAIL;
 		else
 			resp_ca_vrfy.status = CA_OK;
diff --git a/usr.sbin/smtpd/mta_session.c b/usr.sbin/smtpd/mta_session.c
index 56442c807b8..8dc1f795ce4 100644
--- a/usr.sbin/smtpd/mta_session.c
+++ b/usr.sbin/smtpd/mta_session.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: mta_session.c,v 1.46 2013/11/06 10:01:29 eric Exp $ */
+/* $OpenBSD: mta_session.c,v 1.47 2013/11/18 12:24:26 eric Exp $ */
 /*
  * Copyright (c) 2008 Pierre-Yves Ritschard <pyr@openbsd.org>
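Review bot: In the SMTP branch of lka_imsg (hunk @@ -175) `ssl = dict_xget(env->sc_ssl_dict, req_ca_vrfy_smtp->pkiname);` aborts the lka process when the name is not in the dict, while the MTA branch in the next hunk uses `dict_get` and tolerates a miss with `if (ssl && ssl->ssl_ca_file)`. If that asymmetry is deliberate (a listener's pki name is always configured, whereas the MTA may key on the helo name), a comment such as `/* listener pki names are always configured: a miss is a bug, hence dict_xget */` would keep a later reader from "fixing" it in either direction. Both branches also look up a fixed-size `pkiname` array that arrived over imsg from another process; terminating it before the lookup, `req_ca_vrfy_smtp->pkiname[sizeof req_ca_vrfy_smtp->pkiname - 1] = '\0';` (and likewise for `req_ca_vrfy_mta`), keeps the dict lookup bounded regardless of what the sender did. `ssl` is not declared in either hunk, so it is presumably an existing local of lka_imsg, whose body continues outside both hunks.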
@@ -1534,6 +1534,7 @@ mta_verify_certificate(struct mta_session *s)
 	X509 *x;
 	STACK_OF(X509) *xchain;
 	int i;
+	const char *pkiname;
 	x = SSL_get_peer_certificate(s->io.ssl);
 	if (x == NULL)
@@ -1553,6 +1554,14 @@ mta_verify_certificate(struct mta_session *s)
 	/* Send the client certificate */
 	bzero(&req_ca_vrfy, sizeof req_ca_vrfy);
+	if (s->relay->cert)
+		pkiname = s->relay->cert;
+	else
+		pkiname = s->helo;
+	if (strlcpy(req_ca_vrfy.pkiname, pkiname, sizeof req_ca_vrfy.pkiname)
+	    >= sizeof req_ca_vrfy.pkiname)
+		return 0;
+
 	req_ca_vrfy.reqid = s->id;
 	req_ca_vrfy.cert_len = i2d_X509(x, &req_ca_vrfy.cert);
 	if (xchain)
diff --git a/usr.sbin/smtpd/smtp_session.c b/usr.sbin/smtpd/smtp_session.c
index 0e7563c7bba..08df9e41e1a 100644
--- a/usr.sbin/smtpd/smtp_session.c
+++ b/usr.sbin/smtpd/smtp_session.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: smtp_session.c,v 1.188 2013/11/06 10:01:29 eric Exp $ */
+/* $OpenBSD: smtp_session.c,v 1.189 2013/11/18 12:24:26 eric Exp $ */
 /*
  * Copyright (c) 2008 Gilles Chehade <gilles@poolp.org>
@@ -1653,6 +1653,10 @@ smtp_verify_certificate(struct smtp_session *s)
 	/* Send the client certificate */
 	bzero(&req_ca_vrfy, sizeof req_ca_vrfy);
+	if (strlcpy(req_ca_vrfy.pkiname, s->listener->ssl_cert_name, sizeof req_ca_vrfy.pkiname)
+	    >= sizeof req_ca_vrfy.pkiname)
+		return 0;
+
 	req_ca_vrfy.reqid = s->id;
 	req_ca_vrfy.cert_len = i2d_X509(x, &req_ca_vrfy.cert);
 	if (xchain)
diff --git a/usr.sbin/smtpd/smtpd.conf.5 b/usr.sbin/smtpd/smtpd.conf.5
index 13a2c56dd27..9787309ef0c 100644
--- a/usr.sbin/smtpd/smtpd.conf.5
+++ b/usr.sbin/smtpd/smtpd.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: smtpd.conf.5,v 1.107 2013/11/06 10:01:29 eric Exp $
+.\" $OpenBSD: smtpd.conf.5,v 1.108 2013/11/18 12:24:26 eric Exp $
 .\"
 .\" Copyright (c) 2008 Janne Johansson <jj@openbsd.org>
 .\" Copyright (c) 2009 Jacek Masiulaniec <jacekm@dobremiasto.net>
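Review bot: The new truncation check in mta_verify_certificate (hunk @@ -1553) returns 0 after `x = SSL_get_peer_certificate(s->io.ssl)` has already been taken in the preceding hunk; if, as seems likely, the function releases that reference further down (outside the hunk), this early `return 0;` leaks one X509 reference per over-long pki name, and it fails silently. Either copy the pki name before the certificate is fetched, or release it on the way out, `X509_free(x); return 0;`, and log the truncation so a misconfigured name is not mistaken for a verification failure. The same early return, in the same position relative to the peer certificate, is added to smtp_verify_certificate in smtp_session.c (hunk @@ -1653). The fallback `pkiname = s->helo;` is also unexplained; a one-line comment stating that the helo name is the default pki name when the relay has no explicit cert would help. Both functions start and end outside their hunks.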
@@ -17,7 +17,7 @@
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
 .\"
-.Dd $Mdocdate: November 6 2013 $
+.Dd $Mdocdate: November 18 2013 $
 .Dt SMTPD.CONF 5
 .Os
 .Sh NAME
@@ -673,6 +673,11 @@ Associate the key located in
 .Ar keyfile
 with
 .Ar hostname .
+.It Ic pki Ar hostname Ic ca Ar cafile
+Associate a custom CA certificate
+.Ar cafile
+with
+.Ar hostname .
 .It Ic pki Ar hostname Ic dhparams Ar dhfile
 Associate the Diffie-Hellman parameters located in
 .Ar dhfile
diff --git a/usr.sbin/smtpd/smtpd.h b/usr.sbin/smtpd/smtpd.h
index 782d7ffb71c..d9b26c77688 100644
--- a/usr.sbin/smtpd/smtpd.h
+++ b/usr.sbin/smtpd/smtpd.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: smtpd.h,v 1.433 2013/11/06 10:01:29 eric Exp $ */
+/* $OpenBSD: smtpd.h,v 1.434 2013/11/18 12:24:26 eric Exp $ */
 /*
  * Copyright (c) 2008 Gilles Chehade <gilles@poolp.org>
@@ -973,6 +973,7 @@ struct ca_cert_resp_msg {
 struct ca_vrfy_req_msg {
 	uint64_t reqid;
+	char pkiname[SMTPD_MAXHOSTNAMELEN];
 	unsigned char *cert;
 	off_t cert_len;
 	size_t n_chain;