authorEric Faurot <eric@cvs.openbsd.org>2014-02-04 13:44:42 +0000
committerEric Faurot <eric@cvs.openbsd.org>2014-02-04 13:44:42 +0000
commit5466a3045acfc02b1542c40152b69df386bcf9e0 (patch)
treebd0ebdfd026b293d6b0de4ba08d970ce0ffbce92 /usr.sbin/smtpd/lka.c
parent18a6e075a482dcb67a689f725c9795e20a72a992 (diff)
pki code cleanup
- rename "struct ssl" to "struct pki" and "cert" to "pki_name" - inherit pki conf on fork instead of passing it through imsg at startup - implement SNI on smtp listeners
Diffstat (limited to 'usr.sbin/smtpd/lka.c')
-rw-r--r--usr.sbin/smtpd/lka.c196
1 files changed, 25 insertions, 171 deletions
diff --git a/usr.sbin/smtpd/lka.c b/usr.sbin/smtpd/lka.c
index c03838a1b59..30205777408 100644
--- a/usr.sbin/smtpd/lka.c
+++ b/usr.sbin/smtpd/lka.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: lka.c,v 1.163 2014/02/04 09:50:31 eric Exp $ */
+/* $OpenBSD: lka.c,v 1.164 2014/02/04 13:44:41 eric Exp $ */
/*
* Copyright (c) 2008 Pierre-Yves Ritschard <pyr@openbsd.org>
@@ -59,16 +59,10 @@ static int lka_X509_verify(struct ca_vrfy_req_msg *, const char *, const char *)
static void
lka_imsg(struct mproc *p, struct imsg *imsg)
{
- struct rule *rule;
struct table *table;
- void *tmp;
int ret;
- const char *key, *val;
- struct ssl *ssl;
+ struct pki *pki;
struct iovec iov[3];
- static struct dict *ssl_dict;
- static struct dict *tables_dict;
- static struct table *table_last;
static struct ca_vrfy_req_msg *req_ca_vrfy_smtp = NULL;
static struct ca_vrfy_req_msg *req_ca_vrfy_mta = NULL;
struct ca_vrfy_req_msg *req_ca_vrfy_chain;
@@ -130,29 +124,27 @@ lka_imsg(struct mproc *p, struct imsg *imsg)
xlowercase(buf, req_ca_cert->name, sizeof(buf));
log_debug("debug: lka: looking up pki \"%s\"", buf);
- ssl = dict_get(env->sc_ssl_dict, buf);
- if (ssl == NULL) {
+ pki = dict_get(env->sc_pki_dict, buf);
+ if (pki == NULL) {
resp_ca_cert.status = CA_FAIL;
m_compose(p, IMSG_LKA_SSL_INIT, 0, 0, -1, &resp_ca_cert,
sizeof(resp_ca_cert));
return;
}
resp_ca_cert.status = CA_OK;
- resp_ca_cert.cert_len = ssl->ssl_cert_len;
- resp_ca_cert.key_len = ssl->ssl_key_len;
+ resp_ca_cert.cert_len = pki->pki_cert_len;
+ resp_ca_cert.key_len = pki->pki_key_len;
iov[0].iov_base = &resp_ca_cert;
iov[0].iov_len = sizeof(resp_ca_cert);
- iov[1].iov_base = ssl->ssl_cert;
- iov[1].iov_len = ssl->ssl_cert_len;
- iov[2].iov_base = ssl->ssl_key;
- iov[2].iov_len = ssl->ssl_key_len;
+ iov[1].iov_base = pki->pki_cert;
+ iov[1].iov_len = pki->pki_cert_len;
+ iov[2].iov_base = pki->pki_key;
+ iov[2].iov_len = pki->pki_key_len;
m_composev(p, IMSG_LKA_SSL_INIT, 0, 0, -1, iov, nitems(iov));
return;
case IMSG_LKA_SSL_VERIFY_CERT:
req_ca_vrfy_smtp = xmemdup(imsg->data, sizeof *req_ca_vrfy_smtp, "lka:ca_vrfy");
- if (req_ca_vrfy_smtp == NULL)
- fatal(NULL);
req_ca_vrfy_smtp->cert = xmemdup((char *)imsg->data +
sizeof *req_ca_vrfy_smtp, req_ca_vrfy_smtp->cert_len, "lka:ca_vrfy");
req_ca_vrfy_smtp->chain_cert = xcalloc(req_ca_vrfy_smtp->n_chain,
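Review bot: The IMSG_LKA_SSL_INIT reply assembly (dict lookup, CA_FAIL short reply, three-part iov of header/cert/key, m_composev) is repeated verbatim in this hunk and in the mta hunk at @@ -254, differing only in which peer it answers; since the struct rename already touches every line of both copies, this is the moment to factor it into one static helper so the two cannot drift. The sketch below assumes the response object is the `struct ca_cert_resp_msg` declared earlier in lka_imsg, outside the hunk; each case then reduces to `xlowercase(buf, req_ca_cert->name, sizeof(buf)); lka_pki_reply(p, buf, &resp_ca_cert); return;`. The enclosing lka_imsg starts and ends outside the hunk.
```c
/*
 * Answer an IMSG_LKA_SSL_INIT request for the pki entry named by the
 * already-lowercased "name": a CA_FAIL header alone if it is unknown,
 * otherwise the header followed by the certificate and key buffers.
 */
static void
lka_pki_reply(struct mproc *p, const char *name, struct ca_cert_resp_msg *resp)
{
	struct pki	*pki;
	struct iovec	 iov[3];

	log_debug("debug: lka: looking up pki \"%s\"", name);
	pki = dict_get(env->sc_pki_dict, name);
	if (pki == NULL) {
		resp->status = CA_FAIL;
		m_compose(p, IMSG_LKA_SSL_INIT, 0, 0, -1, resp, sizeof *resp);
		return;
	}
	resp->status = CA_OK;
	resp->cert_len = pki->pki_cert_len;
	resp->key_len = pki->pki_key_len;
	iov[0].iov_base = resp;
	iov[0].iov_len = sizeof *resp;
	iov[1].iov_base = pki->pki_cert;
	iov[1].iov_len = pki->pki_cert_len;
	iov[2].iov_base = pki->pki_key;
	iov[2].iov_len = pki->pki_key_len;
	m_composev(p, IMSG_LKA_SSL_INIT, 0, 0, -1, iov, nitems(iov));
}
```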
@@ -176,10 +168,10 @@ lka_imsg(struct mproc *p, struct imsg *imsg)
fatalx("lka:ca_vrfy: verify without a certificate");
resp_ca_vrfy.reqid = req_ca_vrfy_smtp->reqid;
- ssl = dict_xget(env->sc_ssl_dict, req_ca_vrfy_smtp->pkiname);
+ pki = dict_xget(env->sc_pki_dict, req_ca_vrfy_smtp->pkiname);
cafile = CA_FILE;
- if (ssl->ssl_ca_file)
- cafile = ssl->ssl_ca_file;
+ if (pki->pki_ca_file)
+ cafile = pki->pki_ca_file;
if (! lka_X509_verify(req_ca_vrfy_smtp, cafile, NULL))
resp_ca_vrfy.status = CA_FAIL;
else
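Review bot: The smtp-side lookup `pki = dict_xget(env->sc_pki_dict, req_ca_vrfy_smtp->pkiname);` aborts the lookup agent on an unknown name (assuming the x-prefixed helper fatals like the other x-helpers in this file), while the mta-side counterpart in the hunk at @@ -301 uses `dict_get` and tolerates a NULL result. pkiname arrives in the imsg payload, and with SNI on smtp listeners the selected name can now vary per connection, so a stale or unknown name would take down lka for every pending lookup instead of failing one verification. Mirroring the mta path — `pki = dict_get(env->sc_pki_dict, req_ca_vrfy_smtp->pkiname);` and `if (pki && pki->pki_ca_file)` — keeps the two consistent; alternatively answer that single request with CA_FAIL. The enclosing lka_imsg body extends beyond the hunk.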
@@ -254,29 +246,27 @@ lka_imsg(struct mproc *p, struct imsg *imsg)
xlowercase(buf, req_ca_cert->name, sizeof(buf));
log_debug("debug: lka: looking up pki \"%s\"", buf);
- ssl = dict_get(env->sc_ssl_dict, buf);
- if (ssl == NULL) {
+ pki = dict_get(env->sc_pki_dict, buf);
+ if (pki == NULL) {
resp_ca_cert.status = CA_FAIL;
m_compose(p, IMSG_LKA_SSL_INIT, 0, 0, -1, &resp_ca_cert,
sizeof(resp_ca_cert));
return;
}
resp_ca_cert.status = CA_OK;
- resp_ca_cert.cert_len = ssl->ssl_cert_len;
- resp_ca_cert.key_len = ssl->ssl_key_len;
+ resp_ca_cert.cert_len = pki->pki_cert_len;
+ resp_ca_cert.key_len = pki->pki_key_len;
iov[0].iov_base = &resp_ca_cert;
iov[0].iov_len = sizeof(resp_ca_cert);
- iov[1].iov_base = ssl->ssl_cert;
- iov[1].iov_len = ssl->ssl_cert_len;
- iov[2].iov_base = ssl->ssl_key;
- iov[2].iov_len = ssl->ssl_key_len;
+ iov[1].iov_base = pki->pki_cert;
+ iov[1].iov_len = pki->pki_cert_len;
+ iov[2].iov_base = pki->pki_key;
+ iov[2].iov_len = pki->pki_key_len;
m_composev(p, IMSG_LKA_SSL_INIT, 0, 0, -1, iov, nitems(iov));
return;
case IMSG_LKA_SSL_VERIFY_CERT:
req_ca_vrfy_mta = xmemdup(imsg->data, sizeof *req_ca_vrfy_mta, "lka:ca_vrfy");
- if (req_ca_vrfy_mta == NULL)
- fatal(NULL);
req_ca_vrfy_mta->cert = xmemdup((char *)imsg->data +
sizeof *req_ca_vrfy_mta, req_ca_vrfy_mta->cert_len, "lka:ca_vrfy");
req_ca_vrfy_mta->chain_cert = xcalloc(req_ca_vrfy_mta->n_chain,
@@ -301,11 +291,11 @@ lka_imsg(struct mproc *p, struct imsg *imsg)
fatalx("lka:ca_vrfy: verify without a certificate");
resp_ca_vrfy.reqid = req_ca_vrfy_mta->reqid;
- ssl = dict_get(env->sc_ssl_dict, req_ca_vrfy_mta->pkiname);
+ pki = dict_get(env->sc_pki_dict, req_ca_vrfy_mta->pkiname);
cafile = CA_FILE;
- if (ssl && ssl->ssl_ca_file)
- cafile = ssl->ssl_ca_file;
+ if (pki && pki->pki_ca_file)
+ cafile = pki->pki_ca_file;
if (! lka_X509_verify(req_ca_vrfy_mta, cafile, NULL))
resp_ca_vrfy.status = CA_FAIL;
else
@@ -392,149 +382,13 @@ lka_imsg(struct mproc *p, struct imsg *imsg)
if (p->proc == PROC_PARENT) {
switch (imsg->hdr.type) {
case IMSG_CONF_START:
- env->sc_rules_reload = xcalloc(1,
- sizeof *env->sc_rules, "lka:sc_rules_reload");
- tables_dict = xcalloc(1,
- sizeof *tables_dict, "lka:tables_dict");
-
- ssl_dict = calloc(1, sizeof *ssl_dict);
- if (ssl_dict == NULL)
- fatal(NULL);
- dict_init(ssl_dict);
- dict_init(tables_dict);
- TAILQ_INIT(env->sc_rules_reload);
-
- return;
-
- case IMSG_CONF_SSL:
- ssl = calloc(1, sizeof *ssl);
- if (ssl == NULL)
- fatal(NULL);
- *ssl = *(struct ssl *)imsg->data;
- ssl->ssl_cert = xstrdup((char *)imsg->data +
- sizeof *ssl, "smtp:ssl_cert");
- ssl->ssl_key = xstrdup((char *)imsg->data +
- sizeof *ssl + ssl->ssl_cert_len, "smtp:ssl_key");
- if (ssl->ssl_dhparams_len) {
- ssl->ssl_dhparams = xstrdup((char *)imsg->data
- + sizeof *ssl + ssl->ssl_cert_len +
- ssl->ssl_key_len, "smtp:ssl_dhparams");
- }
- if (ssl->ssl_ca_len) {
- ssl->ssl_ca = xstrdup((char *)imsg->data
- + sizeof *ssl + ssl->ssl_cert_len +
- ssl->ssl_key_len + ssl->ssl_dhparams_len,
- "smtp:ssl_ca");
- }
- dict_set(ssl_dict, ssl->ssl_name, ssl);
- return;
-
- case IMSG_CONF_RULE:
- rule = xmemdup(imsg->data, sizeof *rule, "lka:rule");
- TAILQ_INSERT_TAIL(env->sc_rules_reload, rule, r_entry);
- return;
-
- case IMSG_CONF_TABLE:
- table_last = table = xmemdup(imsg->data, sizeof *table,
- "lka:table");
- dict_init(&table->t_dict);
- dict_set(tables_dict, table->t_name, table);
- return;
-
- case IMSG_CONF_RULE_SOURCE:
- rule = TAILQ_LAST(env->sc_rules_reload, rulelist);
- tmp = env->sc_tables_dict;
- env->sc_tables_dict = tables_dict;
- rule->r_sources = table_find(imsg->data, NULL);
- if (rule->r_sources == NULL)
- fatalx("lka: tables inconsistency");
- env->sc_tables_dict = tmp;
- return;
-
- case IMSG_CONF_RULE_SENDER:
- rule = TAILQ_LAST(env->sc_rules_reload, rulelist);
- tmp = env->sc_tables_dict;
- env->sc_tables_dict = tables_dict;
- rule->r_senders = table_find(imsg->data, NULL);
- if (rule->r_senders == NULL)
- fatalx("lka: tables inconsistency");
- env->sc_tables_dict = tmp;
- return;
-
- case IMSG_CONF_RULE_RECIPIENT:
- rule = TAILQ_LAST(env->sc_rules_reload, rulelist);
- tmp = env->sc_tables_dict;
- env->sc_tables_dict = tables_dict;
- rule->r_recipients = table_find(imsg->data, NULL);
- if (rule->r_recipients == NULL)
- fatalx("lka: tables inconsistency");
- env->sc_tables_dict = tmp;
- return;
-
- case IMSG_CONF_RULE_DESTINATION:
- rule = TAILQ_LAST(env->sc_rules_reload, rulelist);
- tmp = env->sc_tables_dict;
- env->sc_tables_dict = tables_dict;
- rule->r_destination = table_find(imsg->data, NULL);
- if (rule->r_destination == NULL)
- fatalx("lka: tables inconsistency");
- env->sc_tables_dict = tmp;
- return;
-
- case IMSG_CONF_RULE_MAPPING:
- rule = TAILQ_LAST(env->sc_rules_reload, rulelist);
- tmp = env->sc_tables_dict;
- env->sc_tables_dict = tables_dict;
- rule->r_mapping = table_find(imsg->data, NULL);
- if (rule->r_mapping == NULL)
- fatalx("lka: tables inconsistency");
- env->sc_tables_dict = tmp;
- return;
-
- case IMSG_CONF_RULE_USERS:
- rule = TAILQ_LAST(env->sc_rules_reload, rulelist);
- tmp = env->sc_tables_dict;
- env->sc_tables_dict = tables_dict;
- rule->r_userbase = table_find(imsg->data, NULL);
- if (rule->r_userbase == NULL)
- fatalx("lka: tables inconsistency");
- env->sc_tables_dict = tmp;
- return;
-
- case IMSG_CONF_TABLE_CONTENT:
- table = table_last;
- if (table == NULL)
- fatalx("lka: tables inconsistency");
-
- key = imsg->data;
- if (table->t_type == T_HASH)
- val = key + strlen(key) + 1;
- else
- val = NULL;
-
- dict_set(&table->t_dict, key,
- val ? xstrdup(val, "lka:dict_set") : NULL);
return;
case IMSG_CONF_END:
-
- if (env->sc_rules)
- purge_config(PURGE_RULES);
- if (env->sc_tables_dict) {
- table_close_all();
- purge_config(PURGE_TABLES);
- }
- env->sc_rules = env->sc_rules_reload;
- env->sc_ssl_dict = ssl_dict;
- env->sc_tables_dict = tables_dict;
if (verbose & TRACE_TABLES)
table_dump_all();
table_open_all();
- ssl_dict = NULL;
- table_last = NULL;
- tables_dict = NULL;
-
/* Start fulfilling requests */
mproc_enable(p_mda);
mproc_enable(p_mta);
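Review bot: `case IMSG_CONF_START:` now falls straight to `return;` with nothing saying why the start-of-config message is acknowledged but ignored, which reads like an accidental leftover once the IMSG_CONF_SSL/RULE/TABLE cases above it are gone. A one-line comment on that case such as `/* nothing to set up: config, including pki, is inherited on fork() */`, echoing the commit message, would stop the next reader from reinstating per-message state here. IMSG_CONF_END likewise no longer swaps in a reloaded rule set but still opens the tables; if reload is now meant to happen outside this message path, a short comment there would make that explicit. The enclosing lka_imsg starts and ends outside the hunk.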
@@ -629,7 +483,7 @@ lka(void)
return (pid);
}
- purge_config(PURGE_EVERYTHING);
+ purge_config(PURGE_LISTENERS);
if ((pw = getpwnam(SMTPD_USER)) == NULL)
fatalx("unknown user " SMTPD_USER);
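Review bot: `purge_config(PURGE_LISTENERS);` leaves the forked lka holding the parent's full configuration, including the pki dict with private key material, where the previous PURGE_EVERYTHING dropped it; that retention is what the IMSG_LKA_SSL_INIT handler now relies on, but the line itself carries no hint of it. A comment such as `/* keep pki, rules and tables: lka serves them from the inherited conf */` would tie this call to the handler and make clear that the key material staying in this process is deliberate rather than an oversight. lka() begins before the hunk.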