author | 2015-12-13 09:52:44 +0000 | |
---|---|---|
committer | 2015-12-13 09:52:44 +0000 | |
commit | c3e2e87d571c6245e73d92a1ff68a637b9f9e4fb (patch) | |
tree | f2ab70bf7763c858909f2fff2d9e8ae6b84153dd | |
parent | decipher comment. ok bcook@ (diff) | |
download | wireguard-openbsd-c3e2e87d571c6245e73d92a1ff68a637b9f9e4fb.tar.xz wireguard-openbsd-c3e2e87d571c6245e73d92a1ff68a637b9f9e4fb.zip |
refactor a bit to move the SNI handling away from smtp_session into smtp
ok sunil@, jung@
-rw-r--r-- | usr.sbin/smtpd/smtp.c | 22 | ||||
-rw-r--r-- | usr.sbin/smtpd/smtp_session.c | 38 | ||||
-rw-r--r-- | usr.sbin/smtpd/smtpd.h | 4 | ||||
-rw-r--r-- | usr.sbin/smtpd/ssl.c | 8 | ||||
-rw-r--r-- | usr.sbin/smtpd/ssl.h | 5 | ||||
-rw-r--r-- | usr.sbin/smtpd/ssl_smtpd.c | 8 |
6 files changed, 35 insertions, 50 deletions
diff --git a/usr.sbin/smtpd/smtp.c b/usr.sbin/smtpd/smtp.c index 9211a091f81..b4c00d8f034 100644 --- a/usr.sbin/smtpd/smtp.c +++ b/usr.sbin/smtpd/smtp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: smtp.c,v 1.149 2015/12/12 17:16:56 gilles Exp $ */ +/* $OpenBSD: smtp.c,v 1.150 2015/12/13 09:52:44 gilles Exp $ */ /* * Copyright (c) 2008 Gilles Chehade <gilles@poolp.org> @@ -49,6 +49,7 @@ static void smtp_accept(int, short, void *); static int smtp_enqueue(uid_t *); static int smtp_can_accept(void); static void smtp_setup_listeners(void); +static int smtp_sni_callback(SSL *, int *, void *); #define SMTP_FD_RESERVE 5 static size_t sessions; @@ -179,7 +180,8 @@ smtp_setup_events(void) iter = NULL; while (dict_iter(env->sc_pki_dict, &iter, &k, (void **)&pki)) { - if (! ssl_setup((SSL_CTX **)&ssl_ctx, pki, env->sc_tls_ciphers)) + if (! ssl_setup((SSL_CTX **)&ssl_ctx, pki, smtp_sni_callback, + env->sc_tls_ciphers)) fatal("smtp_setup_events: ssl_setup failure"); dict_xset(env->sc_ssl_dict, k, ssl_ctx); } @@ -338,3 +340,19 @@ smtp_collect(void) smtp_resume(); } } + +static int +smtp_sni_callback(SSL *ssl, int *ad, void *arg) +{ + const char *sn; + void *ssl_ctx; + + sn = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name); + if (sn == NULL) + return SSL_TLSEXT_ERR_NOACK; + ssl_ctx = dict_get(env->sc_ssl_dict, sn); + if (ssl_ctx == NULL) + return SSL_TLSEXT_ERR_NOACK; + SSL_set_SSL_CTX(ssl, ssl_ctx); + return SSL_TLSEXT_ERR_OK; +} diff --git a/usr.sbin/smtpd/smtp_session.c b/usr.sbin/smtpd/smtp_session.c index 3410a9491b2..99fc6c542fd 100644 --- a/usr.sbin/smtpd/smtp_session.c +++ b/usr.sbin/smtpd/smtp_session.c @@ -1,4 +1,4 @@ -/* $OpenBSD: smtp_session.c,v 1.259 2015/12/12 20:02:31 gilles Exp $ */ +/* $OpenBSD: smtp_session.c,v 1.260 2015/12/13 09:52:44 gilles Exp $ */ /* * Copyright (c) 2008 Gilles Chehade <gilles@poolp.org> 
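Review bot: The relocated smtp_sni_callback in the last smtp.c hunk carries no comment, and its fallback semantics deserve one now that it is installed on every listener context built in smtp_setup_events: returning SSL_TLSEXT_ERR_NOACK for an absent or unknown name keeps the handshake on the context the listener was created with rather than failing it. A header comment such as `/* SNI dispatch: switch to the SSL_CTX registered under the client-supplied servername; absent or unknown names keep the listener's default context (NOACK). */` would capture that. The servername is client-controlled but is only used here as an exact dict_get key and never copied, so no length bound is needed at this point; `ad` and `arg` are unused but are required by the callback signature.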
@@ -119,7 +119,6 @@ struct smtp_session { struct sockaddr_storage ss; char hostname[HOST_NAME_MAX+1]; char smtpname[HOST_NAME_MAX+1]; - char sni[HOST_NAME_MAX+1]; int flags; int phase; @@ -190,7 +189,6 @@ static int smtp_verify_certificate(struct smtp_session *); static uint8_t dsn_notify_str_to_uint8(const char *); static void smtp_auth_failure_pause(struct smtp_session *); static void smtp_auth_failure_resume(int, short, void *); -static int smtp_sni_callback(SSL *, int *, void *); static const char *smtp_sni_get_servername(struct smtp_session *); static void smtp_filter_connect(struct smtp_session *, struct sockaddr *); @@ -1040,8 +1038,7 @@ smtp_session_imsg(struct mproc *p, struct imsg *imsg) resp_ca_cert->cert = xstrdup((char *)imsg->data + sizeof *resp_ca_cert, "smtp:ca_cert"); ssl_ctx = dict_get(env->sc_ssl_dict, resp_ca_cert->name); - ssl = ssl_smtp_init(ssl_ctx, smtp_sni_callback, - s->listener->flags & F_TLS_VERIFY); + ssl = ssl_smtp_init(ssl_ctx, s->listener->flags & F_TLS_VERIFY); io_set_read(&s->io); io_start_tls(&s->io, ssl); @@ -1228,7 +1225,6 @@ smtp_io(struct io *io, int evt) { struct ca_cert_req_msg req_ca_cert; struct smtp_session *s = io->arg; - const char *sn; char *line; size_t len; X509 *x; @@ -1245,14 +1241,6 @@ smtp_io(struct io *io, int evt) s->flags |= SF_SECURE; s->phase = PHASE_INIT; - sn = smtp_sni_get_servername(s); - if (sn) { - if (strlcpy(s->sni, sn, sizeof s->sni) >= sizeof s->sni) { - smtp_free(s, "client SNI exceeds max hostname length"); - return; - } - } - if (smtp_verify_certificate(s)) { io_pause(&s->io, IO_PAUSE_IN); break; 
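Review bot: The prototype `static const char *smtp_sni_get_servername(struct smtp_session *);` survives as a context line in the second hunk while its only caller in smtp_io (the last hunk on this line) and its definition (removed in the next hunk of this file) are both deleted, leaving a static function declared but never defined; compilers warn about that, so the prototype line should be dropped as well. With the `sni` field gone, the HOST_NAME_MAX bound that protected the strlcpy goes with it, which is consistent since the name is no longer copied anywhere in smtp_session.c. The enclosing functions smtp_session_imsg and smtp_io continue outside their hunks.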
@@ -2417,28 +2405,6 @@ smtp_auth_failure_pause(struct smtp_session *s) evtimer_add(&s->pause, &tv); } -static const char * -smtp_sni_get_servername(struct smtp_session *s) -{ - return SSL_get_servername(s->io.ssl, TLSEXT_NAMETYPE_host_name); -} - -static int -smtp_sni_callback(SSL *ssl, int *ad, void *arg) -{ - const char *sn; - void *ssl_ctx; - - sn = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name); - if (sn == NULL) - return SSL_TLSEXT_ERR_NOACK; - ssl_ctx = dict_get(env->sc_ssl_dict, sn); - if (ssl_ctx == NULL) - return SSL_TLSEXT_ERR_NOACK; - SSL_set_SSL_CTX(ssl, ssl_ctx); - return SSL_TLSEXT_ERR_OK; -} - static void smtp_filter_rset(struct smtp_session *s) { diff --git a/usr.sbin/smtpd/smtpd.h b/usr.sbin/smtpd/smtpd.h index 31c7b36e6f7..95c037af2ef 100644 --- a/usr.sbin/smtpd/smtpd.h +++ b/usr.sbin/smtpd/smtpd.h @@ -1,4 +1,4 @@ -/* $OpenBSD: smtpd.h,v 1.506 2015/12/12 17:16:56 gilles Exp $ */ +/* $OpenBSD: smtpd.h,v 1.507 2015/12/13 09:52:44 gilles Exp $ */ /* * Copyright (c) 2008 Gilles Chehade <gilles@poolp.org> @@ -1401,7 +1401,7 @@ int fork_proc_backend(const char *, const char *, const char *); /* ssl_smtpd.c */ void *ssl_mta_init(void *, char *, off_t, const char *); -void *ssl_smtp_init(void *, void *, int); +void *ssl_smtp_init(void *, int); /* stat_backend.c */ diff --git a/usr.sbin/smtpd/ssl.c b/usr.sbin/smtpd/ssl.c index 6699fb7f05b..819dfa14580 100644 --- a/usr.sbin/smtpd/ssl.c +++ b/usr.sbin/smtpd/ssl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl.c,v 1.84 2015/12/12 20:02:31 gilles Exp $ */ +/* $OpenBSD: ssl.c,v 1.85 2015/12/13 09:52:44 gilles Exp $ */ /* * Copyright (c) 2008 Pierre-Yves Ritschard <pyr@openbsd.org> @@ -68,7 +68,8 @@ ssl_init(void) } int -ssl_setup(SSL_CTX **ctxp, struct pki *pki, const char *ciphers) +ssl_setup(SSL_CTX **ctxp, struct pki *pki, + int (*sni_cb)(SSL *,int *,void *), const char *ciphers) { DH *dh; SSL_CTX *ctx; 
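Review bot: The new ssl_setup parameter is spelled `int (*sni_cb)(SSL *,int *,void *)` in ssl.c but `int (*)(SSL *, int *, void *)` in the ssl.h prototype; the two should match, and a single typedef for the callback type in ssl.h would keep them from drifting apart. It would also help to state on the prototype that a NULL callback leaves the context without a servername callback, which is what the `if (sni_cb)` guard in the following ssl.c hunk implements. ssl_setup's body continues past this hunk.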
@@ -85,6 +86,9 @@ ssl_setup(SSL_CTX **ctxp, struct pki *pki, const char *ciphers) if (!SSL_CTX_set_session_id_context(ctx, sid, sizeof(sid))) goto err; + if (sni_cb) + SSL_CTX_set_tlsext_servername_callback(ctx, sni_cb); + if (pki->pki_dhparams_len == 0) dh = get_dh2048(); else diff --git a/usr.sbin/smtpd/ssl.h b/usr.sbin/smtpd/ssl.h index 01586f3cf63..f86705a83d9 100644 --- a/usr.sbin/smtpd/ssl.h +++ b/usr.sbin/smtpd/ssl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl.h,v 1.18 2015/12/12 20:02:31 gilles Exp $ */ +/* $OpenBSD: ssl.h,v 1.19 2015/12/13 09:52:44 gilles Exp $ */ /* * Copyright (c) 2013 Gilles Chehade <gilles@poolp.org> * @@ -47,7 +47,8 @@ struct ca { /* ssl.c */ void ssl_init(void); -int ssl_setup(SSL_CTX **, struct pki *, const char *); +int ssl_setup(SSL_CTX **, struct pki *, + int (*)(SSL *, int *, void *), const char *); SSL_CTX *ssl_ctx_create(const char *, char *, off_t, const char *); int ssl_cmp(struct pki *, struct pki *); void ssl_set_ephemeral_key_exchange(SSL_CTX *, DH *); diff --git a/usr.sbin/smtpd/ssl_smtpd.c b/usr.sbin/smtpd/ssl_smtpd.c index 20d927c9256..e6510e77ee4 100644 --- a/usr.sbin/smtpd/ssl_smtpd.c +++ b/usr.sbin/smtpd/ssl_smtpd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_smtpd.c,v 1.11 2015/12/12 17:16:56 gilles Exp $ */ +/* $OpenBSD: ssl_smtpd.c,v 1.12 2015/12/13 09:52:44 gilles Exp $ */ /* * Copyright (c) 2008 Pierre-Yves Ritschard <pyr@openbsd.org> @@ -82,19 +82,15 @@ dummy_verify(int ok, X509_STORE_CTX *store) } void * -ssl_smtp_init(void *ssl_ctx, void *sni, int verify) +ssl_smtp_init(void *ssl_ctx, int verify) { SSL *ssl = NULL; - int (*cb)(SSL *,int *,void *) = sni; log_debug("debug: session_start_ssl: switching to SSL"); if (verify) SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, dummy_verify); - if (cb) - SSL_CTX_set_tlsext_servername_callback(ssl_ctx, cb); - if ((ssl = SSL_new(ssl_ctx)) == NULL) goto err; if (!SSL_set_ssl_method(ssl, SSLv23_server_method())) |
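Review bot: With the servername callback now installed once at ssl_setup time, the `SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, dummy_verify)` left in ssl_smtp_init is the remaining per-session mutation of what is presumably a shared SSL_CTX (it is fetched from sc_ssl_dict by name in smtp_session_imsg), so a listener with F_TLS_VERIFY turns peer verification on for every later session created from that context and nothing in this function turns it back off. The same treatment the commit gives the SNI callback applies here: set it on the per-connection object with `SSL_set_verify(ssl, SSL_VERIFY_PEER, dummy_verify);` after SSL_new succeeds, or hoist it into ssl_setup alongside the callback. This predates the change, so a follow-up commit is reasonable. ssl_smtp_init's body continues past the hunk.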