authorGilles Chehade <gilles@cvs.openbsd.org>2015-12-12 17:16:57 +0000
committerGilles Chehade <gilles@cvs.openbsd.org>2015-12-12 17:16:57 +0000
commit63f2a531200dc4803a1caf38adfcfa143d0601b9 (patch)
tree49a8da56b7fc1402966a5b7bc4ff8d4d074ef0c7 /usr.sbin/smtpd
parentaf1a86cc50219e7aa1749890716a412204c3ca23 (diff)
allow overriding the default cipher-suite
ok jung@, sunil@, millert@
Diffstat (limited to 'usr.sbin/smtpd')
-rw-r--r--usr.sbin/smtpd/mta_session.c6
-rw-r--r--usr.sbin/smtpd/parse.y5
-rw-r--r--usr.sbin/smtpd/smtp.c4
-rw-r--r--usr.sbin/smtpd/smtpd.conf.510
-rw-r--r--usr.sbin/smtpd/smtpd.h6
-rw-r--r--usr.sbin/smtpd/ssl.c12
-rw-r--r--usr.sbin/smtpd/ssl.h6
-rw-r--r--usr.sbin/smtpd/ssl_smtpd.c6
8 files changed, 35 insertions, 20 deletions
diff --git a/usr.sbin/smtpd/mta_session.c b/usr.sbin/smtpd/mta_session.c
index dcf2ec7d2aa..7856f0b4298 100644
--- a/usr.sbin/smtpd/mta_session.c
+++ b/usr.sbin/smtpd/mta_session.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: mta_session.c,v 1.80 2015/12/12 08:43:42 gilles Exp $ */
+/* $OpenBSD: mta_session.c,v 1.81 2015/12/12 17:16:56 gilles Exp $ */
/*
* Copyright (c) 2008 Pierre-Yves Ritschard <pyr@openbsd.org>
@@ -326,7 +326,7 @@ mta_session_imsg(struct mproc *p, struct imsg *imsg)
return;
}
else {
- ssl = ssl_mta_init(NULL, NULL, 0);
+ ssl = ssl_mta_init(NULL, NULL, 0, env->sc_tls_ciphers);
if (ssl == NULL)
fatal("mta: ssl_mta_init");
io_start_tls(&s->io, ssl);
@@ -342,7 +342,7 @@ mta_session_imsg(struct mproc *p, struct imsg *imsg)
else
pkiname = s->helo;
ssl = ssl_mta_init(pkiname,
- resp_ca_cert->cert, resp_ca_cert->cert_len);
+ resp_ca_cert->cert, resp_ca_cert->cert_len, env->sc_tls_ciphers);
if (ssl == NULL)
fatal("mta: ssl_mta_init");
io_start_tls(&s->io, ssl);
diff --git a/usr.sbin/smtpd/parse.y b/usr.sbin/smtpd/parse.y
index 26aecfba828..2088d2edfff 100644
--- a/usr.sbin/smtpd/parse.y
+++ b/usr.sbin/smtpd/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.173 2015/12/12 14:44:36 gilles Exp $ */
+/* $OpenBSD: parse.y,v 1.174 2015/12/12 17:16:56 gilles Exp $ */
/*
* Copyright (c) 2008 Gilles Chehade <gilles@poolp.org>
@@ -929,6 +929,9 @@ main : BOUNCEWARN {
dict_set(conf->sc_ca_dict, sca->ca_name, sca);
}
} ca
+ | CIPHERS STRING {
+ env->sc_tls_ciphers = $2;
+ }
;
filter_args :
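Review bot: The new `CIPHERS STRING` action assigns through `env` while the sibling `ca` alternative directly above writes through `conf` (`dict_set(conf->sc_ca_dict, ...)`); unless `env` is intentionally the target here, `conf->sc_tls_ciphers = $2;` keeps the rule consistent with the rest of the grammar. A second `ciphers` line overwrites the previous string without releasing it, so `free(env->sc_tls_ciphers);` (a no-op on NULL) belongs before the assignment. Nothing checks the list at parse time: it is first handed to `SSL_CTX_set_cipher_list()` in `ssl_ctx_create()` (ssl.c hunk), which calls `fatal()` on failure, and since `ssl_mta_init()` (ssl_smtpd.c) reaches that path per outbound session, a mistyped list that `smtp_setup_events()` does not trip over would terminate the mta process at the first TLS delivery instead of being rejected by the configuration check. Feeding the string to a throwaway SSL_CTX here and reporting rejection through `yyerror()` moves that failure to config-load time. The enclosing `main` rule starts and ends outside this hunk.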
diff --git a/usr.sbin/smtpd/smtp.c b/usr.sbin/smtpd/smtp.c
index 550ae4b7dac..9211a091f81 100644
--- a/usr.sbin/smtpd/smtp.c
+++ b/usr.sbin/smtpd/smtp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: smtp.c,v 1.148 2015/12/12 12:22:25 gilles Exp $ */
+/* $OpenBSD: smtp.c,v 1.149 2015/12/12 17:16:56 gilles Exp $ */
/*
* Copyright (c) 2008 Gilles Chehade <gilles@poolp.org>
@@ -179,7 +179,7 @@ smtp_setup_events(void)
iter = NULL;
while (dict_iter(env->sc_pki_dict, &iter, &k, (void **)&pki)) {
- if (! ssl_setup((SSL_CTX **)&ssl_ctx, pki))
+ if (! ssl_setup((SSL_CTX **)&ssl_ctx, pki, env->sc_tls_ciphers))
fatal("smtp_setup_events: ssl_setup failure");
dict_xset(env->sc_ssl_dict, k, ssl_ctx);
}
diff --git a/usr.sbin/smtpd/smtpd.conf.5 b/usr.sbin/smtpd/smtpd.conf.5
index 176e6d33812..78d865aba92 100644
--- a/usr.sbin/smtpd/smtpd.conf.5
+++ b/usr.sbin/smtpd/smtpd.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: smtpd.conf.5,v 1.139 2015/12/12 11:54:42 jmc Exp $
+.\" $OpenBSD: smtpd.conf.5,v 1.140 2015/12/12 17:16:56 gilles Exp $
.\"
.\" Copyright (c) 2008 Janne Johansson <jj@openbsd.org>
.\" Copyright (c) 2009 Jacek Masiulaniec <jacekm@dobremiasto.net>
@@ -571,6 +571,14 @@ will generate a failure report when an envelope is in the queue for more
than one hour, six hours and two days.
The default is 4h.
.It Xo
+.Ic ciphers Ar cipher-list
+.Xc
+Specify an alternate ciphers list to use when establishing TLS sessions.
+It is highly recommanded to avoid making use of this option unless there
+is a good understanding of the implications.
+.Pp
+When not specified, only ciphers considered safe are chosen.
+.It Xo
.Ic expire
.Sm off
.Ar n
diff --git a/usr.sbin/smtpd/smtpd.h b/usr.sbin/smtpd/smtpd.h
index 3d0efbe995d..31c7b36e6f7 100644
--- a/usr.sbin/smtpd/smtpd.h
+++ b/usr.sbin/smtpd/smtpd.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: smtpd.h,v 1.505 2015/12/12 12:22:26 gilles Exp $ */
+/* $OpenBSD: smtpd.h,v 1.506 2015/12/12 17:16:56 gilles Exp $ */
/*
* Copyright (c) 2008 Gilles Chehade <gilles@poolp.org>
@@ -625,6 +625,8 @@ struct smtpd {
uint32_t filtermask;
char sc_enqueue_filter[PATH_MAX];
+
+ char *sc_tls_ciphers;
};
#define TRACE_DEBUG 0x0001
@@ -1398,7 +1400,7 @@ int fork_proc_backend(const char *, const char *, const char *);
/* ssl_smtpd.c */
-void *ssl_mta_init(void *, char *, off_t);
+void *ssl_mta_init(void *, char *, off_t, const char *);
void *ssl_smtp_init(void *, void *, int);
diff --git a/usr.sbin/smtpd/ssl.c b/usr.sbin/smtpd/ssl.c
index e9affe0c6a1..9a70718b6ed 100644
--- a/usr.sbin/smtpd/ssl.c
+++ b/usr.sbin/smtpd/ssl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.c,v 1.81 2015/12/12 17:14:40 gilles Exp $ */
+/* $OpenBSD: ssl.c,v 1.82 2015/12/12 17:16:56 gilles Exp $ */
/*
* Copyright (c) 2008 Pierre-Yves Ritschard <pyr@openbsd.org>
@@ -68,13 +68,13 @@ ssl_init(void)
}
int
-ssl_setup(SSL_CTX **ctxp, struct pki *pki)
+ssl_setup(SSL_CTX **ctxp, struct pki *pki, const char *ciphers)
{
DH *dh;
SSL_CTX *ctx;
uint8_t sid[SSL_MAX_SID_CTX_LENGTH];
- ctx = ssl_ctx_create(pki->pki_name, pki->pki_cert, pki->pki_cert_len);
+ ctx = ssl_ctx_create(pki->pki_name, pki->pki_cert, pki->pki_cert_len, ciphers);
/*
* Set session ID context to a random value. We don't support
@@ -256,7 +256,7 @@ fail:
}
SSL_CTX *
-ssl_ctx_create(const char *pkiname, char *cert, off_t cert_len)
+ssl_ctx_create(const char *pkiname, char *cert, off_t cert_len, const char *ciphers)
{
SSL_CTX *ctx;
size_t pkinamelen = 0;
@@ -274,7 +274,9 @@ ssl_ctx_create(const char *pkiname, char *cert, off_t cert_len)
SSL_CTX_set_options(ctx,
SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
- if (!SSL_CTX_set_cipher_list(ctx, SSL_CIPHERS)) {
+ if (ciphers == NULL)
+ ciphers = SSL_CIPHERS;
+ if (!SSL_CTX_set_cipher_list(ctx, ciphers)) {
ssl_error("ssl_ctx_create");
fatal("ssl_ctx_create: could not set cipher list");
}
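Review bot: The NULL fallback to `SSL_CIPHERS` is undocumented, and the only other outcome for a rejected string is `fatal()`; a comment such as `/* NULL selects the built-in SSL_CIPHERS list; a list OpenSSL rejects is fatal */` above the `if (ciphers == NULL)` makes that contract visible to the callers that now pass `ciphers` through (`ssl_setup()` above, `ssl_mta_init()` in ssl_smtpd.c). Because the override replaces the default rather than narrowing it, an operator-supplied list can be weaker than the compiled-in policy without any trace in the logs; emitting the effective list once when the context is created would make such a change visible. If the indentation shown here is the original, the widened `ssl_ctx_create()` signature in the previous hunk and the `ssl_ctx_create()` call in `ssl_setup()` also run past KNF's 80-column limit. `ssl_ctx_create()` starts and ends outside this hunk.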
diff --git a/usr.sbin/smtpd/ssl.h b/usr.sbin/smtpd/ssl.h
index 48cc1645b34..30e73ac9bb6 100644
--- a/usr.sbin/smtpd/ssl.h
+++ b/usr.sbin/smtpd/ssl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.h,v 1.16 2015/12/12 17:14:40 gilles Exp $ */
+/* $OpenBSD: ssl.h,v 1.17 2015/12/12 17:16:56 gilles Exp $ */
/*
* Copyright (c) 2013 Gilles Chehade <gilles@poolp.org>
*
@@ -51,8 +51,8 @@ struct ca {
/* ssl.c */
void ssl_init(void);
-int ssl_setup(SSL_CTX **, struct pki *);
-SSL_CTX *ssl_ctx_create(const char *, char *, off_t);
+int ssl_setup(SSL_CTX **, struct pki *, const char *);
+SSL_CTX *ssl_ctx_create(const char *, char *, off_t, const char *);
int ssl_cmp(struct pki *, struct pki *);
void ssl_set_ephemeral_key_exchange(SSL_CTX *, DH *);
char *ssl_load_file(const char *, off_t *, mode_t);
diff --git a/usr.sbin/smtpd/ssl_smtpd.c b/usr.sbin/smtpd/ssl_smtpd.c
index 87450eb1f5a..20d927c9256 100644
--- a/usr.sbin/smtpd/ssl_smtpd.c
+++ b/usr.sbin/smtpd/ssl_smtpd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_smtpd.c,v 1.10 2015/10/21 16:44:28 jsing Exp $ */
+/* $OpenBSD: ssl_smtpd.c,v 1.11 2015/12/12 17:16:56 gilles Exp $ */
/*
* Copyright (c) 2008 Pierre-Yves Ritschard <pyr@openbsd.org>
@@ -45,12 +45,12 @@
void *
-ssl_mta_init(void *pkiname, char *cert, off_t cert_len)
+ssl_mta_init(void *pkiname, char *cert, off_t cert_len, const char *ciphers)
{
SSL_CTX *ctx = NULL;
SSL *ssl = NULL;
- ctx = ssl_ctx_create(pkiname, cert, cert_len);
+ ctx = ssl_ctx_create(pkiname, cert, cert_len, ciphers);
if ((ssl = SSL_new(ctx)) == NULL)
goto err;