author | Eric Faurot <eric@cvs.openbsd.org> | 2013-10-28 17:02:09 +0000 |
---|---|---|
committer | Eric Faurot <eric@cvs.openbsd.org> | 2013-10-28 17:02:09 +0000 |
commit | 230cb19ea6987bba57e1af008fe5ce11a6ef0256 (patch) | |
tree | b8a275200d3780f694650ff0758813da0874f231 /usr.sbin/smtpd/mta_session.c | |
parent | e7a31aaad4e59498aa85d95f4db4d2d590f46f57 (diff) |
Report the ssl certificate verification status in the mail header.
Log ssl certificate validation errors.
Fix several ssl-related leaks.
Diffstat (limited to 'usr.sbin/smtpd/mta_session.c')
-rw-r--r-- | usr.sbin/smtpd/mta_session.c | 15 |
1 files changed, 9 insertions, 6 deletions
diff --git a/usr.sbin/smtpd/mta_session.c b/usr.sbin/smtpd/mta_session.c
index 3ad77b70f6f..d32def7613e 100644
--- a/usr.sbin/smtpd/mta_session.c
+++ b/usr.sbin/smtpd/mta_session.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: mta_session.c,v 1.43 2013/10/27 20:39:44 eric Exp $ */
+/* $OpenBSD: mta_session.c,v 1.44 2013/10/28 17:02:08 eric Exp $ */
 
 /*
  * Copyright (c) 2008 Pierre-Yves Ritschard <pyr@openbsd.org>
@@ -330,16 +330,15 @@ mta_session_imsg(struct mproc *p, struct imsg *imsg)
 return;
 }
 
- resp_ca_cert = xmemdup(imsg->data, sizeof *resp_ca_cert, "mta:ca_cert");
+ resp_ca_cert = xmemdup(imsg->data, sizeof *resp_ca_cert,
+ "mta:ca_cert");
 if (resp_ca_cert == NULL)
 fatal(NULL);
 resp_ca_cert->cert = xstrdup((char *)imsg->data + sizeof *resp_ca_cert, "mta:ca_cert");
-
 resp_ca_cert->key = xstrdup((char *)imsg->data + sizeof *resp_ca_cert + resp_ca_cert->cert_len, "mta:ca_key");
-
 ssl = ssl_mta_init(resp_ca_cert->cert, resp_ca_cert->cert_len, resp_ca_cert->key, resp_ca_cert->key_len);
 if (ssl == NULL)
@@ -351,7 +350,6 @@ mta_session_imsg(struct mproc *p, struct imsg *imsg)
 free(resp_ca_cert->cert);
 free(resp_ca_cert->key);
 free(resp_ca_cert);
-
 return;
 
 case IMSG_LKA_SSL_VERIFY:
@@ -1107,6 +1105,7 @@ mta_io(struct io *io, int evt)
 size_t len;
 const char *error;
 int cont;
+ X509 *x;
 
 log_trace(TRACE_IO, "mta: %p: %s %s", s, io_strevent(evt), io_strio(io));
@@ -1137,11 +1136,14 @@ mta_io(struct io *io, int evt)
 }
 
 case IO_TLSVERIFIED:
- if (SSL_get_peer_certificate(s->io.ssl))
+ x = SSL_get_peer_certificate(s->io.ssl);
+ if (x) {
 log_info("smtp-out: Server certificate verification %s "
 "on session %016"PRIx64,
 (s->flags & MTA_VERIFIED) ? "succeeded" : "failed",
 s->id);
+ X509_free(x);
+ }
 
 if (s->use_smtps) {
 mta_enter_state(s, MTA_BANNER);
@@ -1549,6 +1551,7 @@ mta_verify_certificate(struct mta_session *s)
 m_composev(p_lka, IMSG_LKA_SSL_VERIFY_CERT, 0, 0, -1, iov, nitems(iov));
 free(req_ca_vrfy.cert);
+ X509_free(x);
 
 if (xchain) {
 /* Send the chain, one cert at a time */
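Review bot: In the IO_TLSVERIFIED hunk the verification outcome is logged only when the server presented a certificate, so a session negotiated without any peer certificate (the `x == NULL` side of the new `if (x)`) leaves no trace in the log at all, which is exactly the session an operator would most want to notice. An `else` arm such as `log_info("smtp-out: No server certificate on session %016"PRIx64, s->id);` would keep that case visible. A one-line comment above the new `X509_free(x);`, e.g. `/* SSL_get_peer_certificate() returns a reference we own */`, would also record why the free is required here and was the leak. The matching `X509 *x;` declaration is the earlier hunk at -1107, and mta_io's body continues outside both hunks.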
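Review bot: In the mta_verify_certificate hunk the new `X509_free(x);` is placed just before the chain is still sent under `if (xchain)`, so a reader may wonder whether the leaf certificate is released while the chain still refers to it; if `x` was obtained from SSL_get_peer_certificate() that reference is independent of the chain and the placement is fine, but the line that obtains `x` is outside the hunk and this cannot be confirmed here. A short comment, `/* release the reference returned by SSL_get_peer_certificate() */`, would settle that for the next reader. Any early-return path between obtaining `x` and this point would presumably still leak it; mta_verify_certificate begins outside the hunk, so those paths are not visible in this diff.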