author | Joel Sing <jsing@cvs.openbsd.org> | 2015-10-21 16:44:29 +0000 |
committer | Joel Sing <jsing@cvs.openbsd.org> | 2015-10-21 16:44:29 +0000 |
commit | 4bb9547a002e989124ed06dd9020d62d9c2c649b (patch) | |
tree | c2abd226495470124443db79b40fcb7ac66d6350 /usr.sbin/smtpd | |
parent | e406b8d2b07fd632185dfda31ba70efbfe6766ee (diff) |
Only enable SSL_VERIFY_PEER when the verify option is set on a listener.
Always enabling SSL_VERIFY_PEER unnecessarily increases the number of
messages/bytes in the TLS handshake and increases our attack surface,
since we request and then process client certificates.
ok gilles@
Diffstat (limited to 'usr.sbin/smtpd')
-rw-r--r-- | usr.sbin/smtpd/smtp_session.c | 5 | ||||
-rw-r--r-- | usr.sbin/smtpd/smtpd.h | 4 | ||||
-rw-r--r-- | usr.sbin/smtpd/ssl_smtpd.c | 7 |
3 files changed, 9 insertions, 7 deletions
diff --git a/usr.sbin/smtpd/smtp_session.c b/usr.sbin/smtpd/smtp_session.c
index 9ba6fa683de..6f745459c14 100644
--- a/usr.sbin/smtpd/smtp_session.c
+++ b/usr.sbin/smtpd/smtp_session.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: smtp_session.c,v 1.237 2015/10/16 21:13:33 sthen Exp $ */
+/* $OpenBSD: smtp_session.c,v 1.238 2015/10/21 16:44:28 jsing Exp $ */
 /*
 * Copyright (c) 2008 Gilles Chehade <gilles@poolp.org>
@@ -828,7 +828,8 @@ smtp_session_imsg(struct mproc *p, struct imsg *imsg)
 pkiname = s->smtpname;
 ssl_ctx = dict_get(env->sc_ssl_dict, pkiname);
- ssl = ssl_smtp_init(ssl_ctx, smtp_sni_callback);
+ ssl = ssl_smtp_init(ssl_ctx, smtp_sni_callback,
+ s->listener->flags & F_TLS_VERIFY);
 io_set_read(&s->io);
 io_start_tls(&s->io, ssl);
diff --git a/usr.sbin/smtpd/smtpd.h b/usr.sbin/smtpd/smtpd.h
index 0c6228f0f41..56c9bcc9218 100644
--- a/usr.sbin/smtpd/smtpd.h
+++ b/usr.sbin/smtpd/smtpd.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: smtpd.h,v 1.478 2015/10/17 22:24:36 gilles Exp $ */
+/* $OpenBSD: smtpd.h,v 1.479 2015/10/21 16:44:28 jsing Exp $ */
 /*
 * Copyright (c) 2008 Gilles Chehade <gilles@poolp.org>
@@ -1324,7 +1324,7 @@ int fork_proc_backend(const char *, const char *, const char *);
 /* ssl_smtpd.c */
 void *ssl_mta_init(void *, char *, off_t);
-void *ssl_smtp_init(void *, void *);
+void *ssl_smtp_init(void *, void *, int);
 /* stat_backend.c */
diff --git a/usr.sbin/smtpd/ssl_smtpd.c b/usr.sbin/smtpd/ssl_smtpd.c
index 74fa20726ee..87450eb1f5a 100644
--- a/usr.sbin/smtpd/ssl_smtpd.c
+++ b/usr.sbin/smtpd/ssl_smtpd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_smtpd.c,v 1.9 2015/04/19 20:29:12 gilles Exp $ */
+/* $OpenBSD: ssl_smtpd.c,v 1.10 2015/10/21 16:44:28 jsing Exp $ */
 /*
 * Copyright (c) 2008 Pierre-Yves Ritschard <pyr@openbsd.org>
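Review bot: The verify setting is applied by mutating the SSL_CTX that this hunk fetches from the shared `env->sc_ssl_dict` keyed by pkiname, so it is not really per-listener: the new `if (verify)` branch in the ssl_smtpd.c hunk never resets the mode, and once a session on a verify listener has set SSL_VERIFY_PEER on a context, every later session on any listener sharing that pki name would also request and process client certificates, which is exactly the attack surface the commit message wants to avoid. At minimum add an else branch so the mode is set on every call, `else SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_NONE, NULL);`; a cleaner fix would set the mode on the per-session SSL object with SSL_set_verify() once it is created rather than on the shared context, though the SSL_new() call is outside the visible hunk. Whether two listeners can actually reference the same pki name is not visible here, but the lookup by pkiname suggests it. The body of ssl_smtp_init continues past the end of the ssl_smtpd.c hunk.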
@@ -82,14 +82,15 @@ dummy_verify(int ok, X509_STORE_CTX *store)
 }
 void *
-ssl_smtp_init(void *ssl_ctx, void *sni)
+ssl_smtp_init(void *ssl_ctx, void *sni, int verify)
 {
 SSL *ssl = NULL;
 int (*cb)(SSL *,int *,void *) = sni;
 log_debug("debug: session_start_ssl: switching to SSL");
- SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, dummy_verify);
+ if (verify)
+ SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, dummy_verify);
 if (cb)
 SSL_CTX_set_tlsext_servername_callback(ssl_ctx, cb);
|