authorgilles <gilles@openbsd.org>2015-12-01 09:33:17 +0000
committergilles <gilles@openbsd.org>2015-12-01 09:33:17 +0000
commitaab92aecdf91c6f8d13472e4aba2ec6074174f01 (patch)
tree6adff4109aa74df5a570f340e207775aabcddee8
parentcrunks of Avvion (diff)
prepare the ground for the CA certificate handling refactor, this commit
adds the parse.y bit + structures & members needed but does not make use of it yet
-rw-r--r--usr.sbin/smtpd/parse.y78
-rw-r--r--usr.sbin/smtpd/smtpd.h5
-rw-r--r--usr.sbin/smtpd/ssl.h11
3 files changed, 87 insertions, 7 deletions
diff --git a/usr.sbin/smtpd/parse.y b/usr.sbin/smtpd/parse.y
index ee3a73740a1..7f401b9d9e8 100644
--- a/usr.sbin/smtpd/parse.y
+++ b/usr.sbin/smtpd/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.158 2015/11/30 14:13:03 gilles Exp $ */
+/* $OpenBSD: parse.y,v 1.159 2015/12/01 09:33:17 gilles Exp $ */
/*
* Copyright (c) 2008 Gilles Chehade <gilles@poolp.org>
@@ -44,6 +44,7 @@
#include <limits.h>
#include <paths.h>
#include <pwd.h>
+#include <resolv.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
@@ -99,6 +100,7 @@ struct rule *rule = NULL;
struct listener l;
struct mta_limits *limits;
static struct pki *pki;
+static struct ca *sca;
enum listen_options {
LO_FAMILY = 0x01,
@@ -112,6 +114,7 @@ enum listen_options {
LO_HOSTNAMES = 0x100,
LO_MASKSOURCE = 0x200,
LO_NODSN = 0x400,
+ LO_CA = 0x010000
};
static struct listen_opts {
@@ -121,6 +124,7 @@ static struct listen_opts {
uint16_t ssl;
char *filtername;
char *pki;
+ char *ca;
uint16_t auth;
struct table *authtable;
char *tag;
@@ -128,7 +132,7 @@ static struct listen_opts {
struct table *hostnametable;
uint16_t flags;
- uint16_t options;
+ uint32_t options;
} listen_opts;
static void create_listener(struct listenerlist *, struct listen_opts *);
@@ -351,6 +355,14 @@ limits_scheduler: opt_limit_scheduler limits_scheduler
| /* empty */
;
+opt_ca : CERTIFICATE STRING {
+ sca->ca_cert_file = $2;
+ }
+ ;
+
+ca : opt_ca
+ ;
+
opt_pki : CERTIFICATE STRING {
pki->pki_cert_file = $2;
}
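Review bot: The `opt_ca` action assigns `sca->ca_cert_file = $2` unconditionally, so a second `ca NAME certificate "..."` stanza for a name that already exists in `sc_ca_dict` (the main rule reuses the existing entry rather than allocating a new one) silently replaces the trust-anchor path and leaks the previously strdup'd string. For `pki` the reuse appears intended because several options can be spread over separate lines, but a `ca` stanza carries exactly one option, so a duplicate is almost certainly a mistake and a silently swapped CA file is the kind of misconfiguration that should fail loudly at parse time. The `opt_pki` rule that follows continues outside this hunk.
```c
opt_ca		: CERTIFICATE STRING {
			/* a ca stanza has a single option, so a second
			 * certificate for the same name is a config error:
			 * reject it rather than silently replacing the trust
			 * anchor (and leaking the old path) */
			if (sca->ca_cert_file != NULL) {
				yyerror("certificate already specified for ca %s",
				    sca->ca_name);
				free($2);
				YYERROR;
			}
			sca->ca_cert_file = $2;
		}
		;
```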
@@ -480,6 +492,14 @@ opt_listen : INET4 {
listen_opts.options |= LO_PKI;
listen_opts.pki = $2;
}
+ | CA STRING {
+ if (listen_opts.options & LO_CA) {
+ yyerror("ca already specified");
+ YYERROR;
+ }
+ listen_opts.options |= LO_CA;
+ listen_opts.ca = $2;
+ }
| AUTH {
if (listen_opts.options & LO_AUTH) {
yyerror("auth already specified");
@@ -640,6 +660,21 @@ opt_relay_common: AS STRING {
}
free($2);
}
+ | CA STRING {
+ if (! lowercase(rule->r_value.relayhost.ca_name, $2,
+ sizeof(rule->r_value.relayhost.ca_name))) {
+ yyerror("ca name too long: %s", $2);
+ free($2);
+ YYERROR;
+ }
+ if (dict_get(conf->sc_ca_dict,
+ rule->r_value.relayhost.ca_name) == NULL) {
+ log_warnx("ca name not found: %s", $2);
+ free($2);
+ YYERROR;
+ }
+ free($2);
+ }
;
opt_relay : BACKUP STRING {
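Review bot: The "ca name not found" branch of the new relay `CA STRING` option reports through `log_warnx()` while the "ca name too long" branch two lines above uses `yyerror()`; the two should agree, and `yyerror()` is the right one because it attributes the error to the config file and line. Whether `YYERROR` alone is enough to fail the parse depends on whether `parse_config()` (outside this hunk) checks the return of `yyparse()` or only the error counter that `yyerror()` maintains — if it is the latter, a typo in a relay `ca` name would only log a warning. Suggested change: `yyerror("ca name not found: %s", $2);`.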
@@ -771,7 +806,7 @@ main : BOUNCEWARN {
YYERROR;
}
}
- } filter_args;
+ } filter_args
| PKI STRING {
char buf[HOST_NAME_MAX+1];
xlowercase(buf, $2, sizeof(buf));
@@ -783,7 +818,27 @@ main : BOUNCEWARN {
dict_set(conf->sc_pki_dict, pki->pki_name, pki);
}
} pki
- ;
+ | CA STRING {
+ char buf[HOST_NAME_MAX+1];
+
+ /* if not catchall, check that it is a valid domain */
+ if (strcmp($2, "*") != 0) {
+ if (! res_hnok($2)) {
+ yyerror("not a valid domain name: %s", $2);
+ free($2);
+ YYERROR;
+ }
+ }
+ xlowercase(buf, $2, sizeof(buf));
+ free($2);
+ sca = dict_get(conf->sc_ca_dict, buf);
+ if (sca == NULL) {
+ sca = xcalloc(1, sizeof *sca, "parse:ca");
+ (void)strlcpy(sca->ca_name, buf, sizeof(sca->ca_name));
+ dict_set(conf->sc_ca_dict, sca->ca_name, sca);
+ }
+ } ca
+ ;
filter_args :
| STRING {
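Review bot: The new main-level `CA STRING` rule validates the name with `res_hnok()` but then copies it with `xlowercase(buf, $2, sizeof(buf))` without any explicit length check, so a name longer than `HOST_NAME_MAX` never produces a config-line diagnostic: `xlowercase()` is not shown here, and whether it truncates or aborts the daemon, the user gets neither a file/line reference nor a clear message. The relay option and `config_listener()` in this same commit use `lowercase()` with an explicit `yyerror`/`log_warnx("ca name too long: %s", ...)`, and it would be consistent to do the same here, e.g. `if (!lowercase(buf, $2, sizeof(buf))) { yyerror("ca name too long: %s", $2); free($2); YYERROR; }` before the `dict_get()`. The existing `PKI STRING` rule above follows the same `xlowercase` pattern, so this is a pre-existing style the new code inherits rather than a regression.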
@@ -1698,6 +1753,7 @@ parse_config(struct smtpd *x_conf, const char *filename, int opts)
conf->sc_tables_dict = calloc(1, sizeof(*conf->sc_tables_dict));
conf->sc_rules = calloc(1, sizeof(*conf->sc_rules));
conf->sc_listeners = calloc(1, sizeof(*conf->sc_listeners));
+ conf->sc_ca_dict = calloc(1, sizeof(*conf->sc_ca_dict));
conf->sc_pki_dict = calloc(1, sizeof(*conf->sc_pki_dict));
conf->sc_ssl_dict = calloc(1, sizeof(*conf->sc_ssl_dict));
conf->sc_limits_dict = calloc(1, sizeof(*conf->sc_limits_dict));
@@ -1708,12 +1764,14 @@ parse_config(struct smtpd *x_conf, const char *filename, int opts)
if (conf->sc_tables_dict == NULL ||
conf->sc_rules == NULL ||
conf->sc_listeners == NULL ||
+ conf->sc_ca_dict == NULL ||
conf->sc_pki_dict == NULL ||
conf->sc_limits_dict == NULL) {
log_warn("warn: cannot allocate memory");
free(conf->sc_tables_dict);
free(conf->sc_rules);
free(conf->sc_listeners);
+ free(conf->sc_ca_dict);
free(conf->sc_pki_dict);
free(conf->sc_ssl_dict);
free(conf->sc_limits_dict);
@@ -1727,6 +1785,7 @@ parse_config(struct smtpd *x_conf, const char *filename, int opts)
dict_init(&conf->sc_filters);
+ dict_init(conf->sc_ca_dict);
dict_init(conf->sc_pki_dict);
dict_init(conf->sc_ssl_dict);
dict_init(conf->sc_tables_dict);
@@ -1964,6 +2023,17 @@ config_listener(struct listener *h, struct listen_opts *lo)
fatalx(NULL);
}
}
+
+ if (lo->ca != NULL) {
+ if (! lowercase(h->ca_name, lo->ca, sizeof(h->ca_name))) {
+ log_warnx("ca name too long: %s", lo->ca);
+ fatalx(NULL);
+ }
+ if (dict_get(conf->sc_ca_dict, h->ca_name) == NULL) {
+ log_warnx("ca name not found: %s", lo->ca);
+ fatalx(NULL);
+ }
+ }
if (lo->tag != NULL)
(void)strlcpy(h->tag, lo->tag, sizeof(h->tag));
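Review bot: The `lo->ca` block in `config_listener()` repeats, line for line, the lowercase-then-`dict_get(conf->sc_ca_dict, ...)` lookup that the relay `CA STRING` option performs in the grammar, differing only in the failure path (`fatalx` here, `YYERROR` there); a small `static int ca_name_lookup(char *dst, size_t dstsz, const char *name)` returning a distinct status for "too long" and "not found" would keep the two in sync as the CA handling refactor this commit prepares for grows. This is a style point only; the check itself is correct as written. `config_listener()` starts and ends outside this hunk.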
diff --git a/usr.sbin/smtpd/smtpd.h b/usr.sbin/smtpd/smtpd.h
index 1cb96580fe8..695fe7743cb 100644
--- a/usr.sbin/smtpd/smtpd.h
+++ b/usr.sbin/smtpd/smtpd.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: smtpd.h,v 1.489 2015/11/30 14:27:25 gilles Exp $ */
+/* $OpenBSD: smtpd.h,v 1.490 2015/12/01 09:33:17 gilles Exp $ */
/*
* Copyright (c) 2008 Gilles Chehade <gilles@poolp.org>
@@ -604,7 +604,8 @@ struct smtpd {
TAILQ_HEAD(listenerlist, listener) *sc_listeners;
TAILQ_HEAD(rulelist, rule) *sc_rules;
-
+
+ struct dict *sc_ca_dict;
struct dict *sc_pki_dict;
struct dict *sc_ssl_dict;
diff --git a/usr.sbin/smtpd/ssl.h b/usr.sbin/smtpd/ssl.h
index 860eaca4b69..93690992ac3 100644
--- a/usr.sbin/smtpd/ssl.h
+++ b/usr.sbin/smtpd/ssl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.h,v 1.12 2015/10/21 16:45:13 jsing Exp $ */
+/* $OpenBSD: ssl.h,v 1.13 2015/12/01 09:33:17 gilles Exp $ */
/*
* Copyright (c) 2013 Gilles Chehade <gilles@poolp.org>
*
@@ -40,6 +40,15 @@ struct pki {
off_t pki_dhparams_len;
};
+struct ca {
+ char ca_name[HOST_NAME_MAX+1];
+
+ char *ca_cert_file;
+ char *ca_cert;
+ off_t ca_cert_len;
+};
+
+
/* ssl.c */
void ssl_init(void);
int ssl_setup(SSL_CTX **, struct pki *);
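Review bot: The new `struct ca` carries no field documentation, and since nothing in this commit populates `ca_cert`/`ca_cert_len` ("does not make use of it yet" per the message), a reader cannot tell from the header what they are for. I would comment `ca_name` as the lowercased name keyed in `sc_ca_dict` (hence the `HOST_NAME_MAX+1` size matching the parser's buffer), `ca_cert_file` as the path from the `ca ... certificate` stanza, and `ca_cert`/`ca_cert_len` as, presumably, the loaded certificate contents and length — the last hedged as "to be filled by the upcoming CA loading code" since no loader is visible here. The double blank line introduced between the closing `};` and `/* ssl.c */` is also one more than the surrounding header uses.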