-rw-r--r--usr.sbin/smtpd/ca.c30
-rw-r--r--usr.sbin/smtpd/lka.c14
-rw-r--r--usr.sbin/smtpd/mta_session.c15
-rw-r--r--usr.sbin/smtpd/smtp_session.c22
-rw-r--r--usr.sbin/smtpd/ssl_smtpd.c11
5 files changed, 63 insertions, 29 deletions
diff --git a/usr.sbin/smtpd/ca.c b/usr.sbin/smtpd/ca.c
index 970ccb921ed..0b643832693 100644
--- a/usr.sbin/smtpd/ca.c
+++ b/usr.sbin/smtpd/ca.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ca.c,v 1.1 2013/01/26 09:37:23 gilles Exp $ */
+/* $OpenBSD: ca.c,v 1.2 2013/10/28 17:02:08 eric Exp $ */
/*
* Copyright (c) 2012 Gilles Chehade <gilles@poolp.org>
@@ -21,8 +21,34 @@
#include <openssl/err.h>
#include <openssl/ssl.h>
+#include "log.h"
+
int ca_X509_verify(X509 *, STACK_OF(X509) *, const char *, const char *, const char **);
+static int
+verify_cb(int ok, X509_STORE_CTX *ctx)
+{
+ switch (X509_STORE_CTX_get_error(ctx)) {
+ case X509_V_OK:
+ break;
+ case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
+ log_warnx("warn: unable to get issuer cert");
+ break;
+ case X509_V_ERR_CERT_NOT_YET_VALID:
+ case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
+ log_warnx("warn: certificate not yet valid");
+ break;
+ case X509_V_ERR_CERT_HAS_EXPIRED:
+ case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
+ log_warnx("warn: certificate has expired");
+ break;
+ case X509_V_ERR_NO_EXPLICIT_POLICY:
+ log_warnx("warn: no explicit policy");
+ break;
+ }
+ return ok;
+}
+
int
ca_X509_verify(X509 *certificate, STACK_OF(X509) *chain, const char *CAfile,
const char *CRLfile, const char **errstr)
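Review bot: verify_cb has no `default:` arm, so any verification error other than the five listed (self-signed chain, bad signature, unknown CA, depth exceeded, and so on) is still returned as a failure but produces no log line, which is the gap the callback was added to close. Add `default: log_warnx("warn: %s", X509_verify_cert_error_string(X509_STORE_CTX_get_error(ctx))); break;`, and consider putting `X509_STORE_CTX_get_error_depth(ctx)` into each message, since the callback runs once per certificate in the chain and the current text does not say which one tripped. The callback returns `ok` unchanged, so it only logs and cannot turn a failure into a pass, which is the right shape. ca_X509_verify's body continues past the end of this hunk.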
@@ -43,6 +69,8 @@ ca_X509_verify(X509 *certificate, STACK_OF(X509) *chain, const char *CAfile,
if (X509_STORE_CTX_init(xsc, store, certificate, chain) != 1)
goto end;
+ X509_STORE_CTX_set_verify_cb(xsc, verify_cb);
+
ret = X509_verify_cert(xsc);
end:
diff --git a/usr.sbin/smtpd/lka.c b/usr.sbin/smtpd/lka.c
index 2ca05e1692a..7a550bbcfea 100644
--- a/usr.sbin/smtpd/lka.c
+++ b/usr.sbin/smtpd/lka.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: lka.c,v 1.156 2013/10/27 19:12:12 eric Exp $ */
+/* $OpenBSD: lka.c,v 1.157 2013/10/28 17:02:08 eric Exp $ */
/*
* Copyright (c) 2008 Pierre-Yves Ritschard <pyr@openbsd.org>
@@ -773,7 +773,6 @@ lka_X509_verify(struct ca_vrfy_req_msg *vrfy,
{
X509 *x509;
X509 *x509_tmp;
- X509 *x509_tmp2;
STACK_OF(X509) *x509_chain;
const unsigned char *d2i;
size_t i;
@@ -794,15 +793,10 @@ lka_X509_verify(struct ca_vrfy_req_msg *vrfy,
x509_chain = sk_X509_new_null();
for (i = 0; i < vrfy->n_chain; ++i) {
d2i = vrfy->chain_cert[i];
- if (d2i_X509(&x509_tmp, &d2i, vrfy->chain_cert_len[i]) == NULL) {
- x509_tmp = NULL;
+ if (d2i_X509(&x509_tmp, &d2i, vrfy->chain_cert_len[i]) == NULL)
goto end;
- }
-
- if ((x509_tmp2 = X509_dup(x509_tmp)) == NULL)
- goto end;
- sk_X509_insert(x509_chain, x509_tmp2, i);
- x509_tmp = x509_tmp2 = NULL;
+ sk_X509_insert(x509_chain, x509_tmp, i);
+ x509_tmp = NULL;
}
}
if (! ca_X509_verify(x509, x509_chain, CAfile, NULL, &errstr))
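Review bot: The `x509_tmp = NULL` reset on the d2i_X509 failure path is dropped in this hunk, but the d2i_X509(3) contract does not promise that `*px` is NULL after a failed decode; if the `end:` cleanup outside this hunk frees a non-NULL x509_tmp, a malformed certificate in the peer's chain could become a double or invalid free, and the chain bytes are remote input. The reset costs nothing, so keep it: `if (d2i_X509(&x509_tmp, &d2i, vrfy->chain_cert_len[i]) == NULL) { x509_tmp = NULL; goto end; }`. The return values of `sk_X509_new_null()` and `sk_X509_insert()` are also unchecked; an insert failure leaks the decoded certificate once x509_tmp is cleared on the next line, and verification then runs against a shorter chain than the peer sent. lka_X509_verify starts and ends outside this hunk.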
diff --git a/usr.sbin/smtpd/mta_session.c b/usr.sbin/smtpd/mta_session.c
index 3ad77b70f6f..d32def7613e 100644
--- a/usr.sbin/smtpd/mta_session.c
+++ b/usr.sbin/smtpd/mta_session.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: mta_session.c,v 1.43 2013/10/27 20:39:44 eric Exp $ */
+/* $OpenBSD: mta_session.c,v 1.44 2013/10/28 17:02:08 eric Exp $ */
/*
* Copyright (c) 2008 Pierre-Yves Ritschard <pyr@openbsd.org>
@@ -330,16 +330,15 @@ mta_session_imsg(struct mproc *p, struct imsg *imsg)
return;
}
- resp_ca_cert = xmemdup(imsg->data, sizeof *resp_ca_cert, "mta:ca_cert");
+ resp_ca_cert = xmemdup(imsg->data, sizeof *resp_ca_cert,
+ "mta:ca_cert");
if (resp_ca_cert == NULL)
fatal(NULL);
resp_ca_cert->cert = xstrdup((char *)imsg->data +
sizeof *resp_ca_cert, "mta:ca_cert");
-
resp_ca_cert->key = xstrdup((char *)imsg->data +
sizeof *resp_ca_cert + resp_ca_cert->cert_len,
"mta:ca_key");
-
ssl = ssl_mta_init(resp_ca_cert->cert, resp_ca_cert->cert_len,
resp_ca_cert->key, resp_ca_cert->key_len);
if (ssl == NULL)
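Review bot: The private key copied with xstrdup at the end of this hunk (`resp_ca_cert->key`) is released a few lines further down with a plain `free()`, while the smtp_session.c side of this same commit zeroes cert and key before freeing them; the two paths should agree, e.g. `bzero(resp_ca_cert->key, resp_ca_cert->key_len);` ahead of the free (explicit_bzero if the tree has it, since a plain bzero before free may be elided). The `cert_len` offset used to locate the key inside `imsg->data` comes from the message itself and is never compared against the payload length in `imsg->hdr.len`; lka is a sibling process so this is a robustness rather than trust-boundary point, but a length check before the two xstrdup calls would catch a truncated reply instead of reading past it. mta_session_imsg starts and ends outside this hunk.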
@@ -351,7 +350,6 @@ mta_session_imsg(struct mproc *p, struct imsg *imsg)
free(resp_ca_cert->cert);
free(resp_ca_cert->key);
free(resp_ca_cert);
-
return;
case IMSG_LKA_SSL_VERIFY:
@@ -1107,6 +1105,7 @@ mta_io(struct io *io, int evt)
size_t len;
const char *error;
int cont;
+ X509 *x;
log_trace(TRACE_IO, "mta: %p: %s %s", s, io_strevent(evt),
io_strio(io));
@@ -1137,11 +1136,14 @@ mta_io(struct io *io, int evt)
}
case IO_TLSVERIFIED:
- if (SSL_get_peer_certificate(s->io.ssl))
+ x = SSL_get_peer_certificate(s->io.ssl);
+ if (x) {
log_info("smtp-out: Server certificate verification %s "
"on session %016"PRIx64,
(s->flags & MTA_VERIFIED) ? "succeeded" : "failed",
s->id);
+ X509_free(x);
+ }
if (s->use_smtps) {
mta_enter_state(s, MTA_BANNER);
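Review bot: When MTA_VERIFIED is clear the hunk logs "failed" at info level and then takes exactly the same path as the success case (`mta_enter_state(s, MTA_BANNER)` under use_smtps), so nothing here enforces the verification result. If that is intentional (opportunistic TLS with informational verification), say so at the log call, e.g. `/* verification result is informational here; any enforcement happens elsewhere */`, and consider `log_warnx` for the failed case so operators can alert on it rather than grep for it. A server that presents no certificate at all (x == NULL) produces no line, which is worth a one-line comment at the `if (x)` so it does not read as an omission. mta_io starts and ends outside this hunk.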
@@ -1549,6 +1551,7 @@ mta_verify_certificate(struct mta_session *s)
m_composev(p_lka, IMSG_LKA_SSL_VERIFY_CERT, 0, 0, -1,
iov, nitems(iov));
free(req_ca_vrfy.cert);
+ X509_free(x);
if (xchain) {
/* Send the chain, one cert at a time */
diff --git a/usr.sbin/smtpd/smtp_session.c b/usr.sbin/smtpd/smtp_session.c
index 48971efad13..bc59a6e0bf3 100644
--- a/usr.sbin/smtpd/smtp_session.c
+++ b/usr.sbin/smtpd/smtp_session.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: smtp_session.c,v 1.186 2013/10/27 11:01:47 eric Exp $ */
+/* $OpenBSD: smtp_session.c,v 1.187 2013/10/28 17:02:08 eric Exp $ */
/*
* Copyright (c) 2008 Gilles Chehade <gilles@poolp.org>
@@ -277,6 +277,7 @@ smtp_session_imsg(struct mproc *p, struct imsg *imsg)
uint64_t reqid, evpid;
uint32_t code, msgid;
int status, success, dnserror;
+ X509 *x;
switch (imsg->hdr.type) {
case IMSG_DNS_PTR:
@@ -382,17 +383,15 @@ smtp_session_imsg(struct mproc *p, struct imsg *imsg)
evpid_to_msgid(s->evp.id));
if (s->flags & SF_SECURE) {
+ x = SSL_get_peer_certificate(s->io.ssl);
fprintf(s->ofile,
"\tTLS version=%s cipher=%s bits=%d verify=%s;\n",
SSL_get_cipher_version(s->io.ssl),
SSL_get_cipher_name(s->io.ssl),
SSL_get_cipher_bits(s->io.ssl, NULL),
- "NO");
- /* XXX - this can be uncommented when we *fully* verify */
- /*
- * (s->flags & SF_VERIFIED) ? "YES" :
- * (SSL_get_peer_certificate(s->io.ssl) ? "FAIL" : "NO"));
- */
+ (s->flags & SF_VERIFIED) ? "YES" : (x ? "FAIL" : "NO"));
+ if (x)
+ X509_free(x);
}
if (s->rcptcount == 1) {
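Review bot: `verify=YES` in the Received: header now comes from SF_VERIFIED alone, and as far as this page shows the verification request is served by lka_X509_verify, which calls ca_X509_verify with a NULL CRLfile; YES therefore means the client chain validated against the configured CA with no revocation check, and a comment on the fprintf would keep readers from taking it as a stronger claim, e.g. `/* YES: chain validated by lka (no CRL check); FAIL: cert presented but not validated; NO: no client cert */`. The `if (x)` guard before X509_free is not needed since X509_free accepts NULL, though keeping it matches the other sites in this commit. smtp_session_imsg starts and ends outside this hunk.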
@@ -566,6 +565,8 @@ smtp_session_imsg(struct mproc *p, struct imsg *imsg)
bzero(resp_ca_cert->cert, resp_ca_cert->cert_len);
bzero(resp_ca_cert->key, resp_ca_cert->key_len);
+ free(resp_ca_cert->cert);
+ free(resp_ca_cert->key);
free(resp_ca_cert);
return;
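Review bot: The two `bzero()` calls immediately before the new `free()` lines are dead stores as far as the compiler is concerned: the buffers are never read afterwards, so the zeroing may be elided and the private key can remain in freed heap memory. Use `explicit_bzero()` if this tree provides it, otherwise a volatile-qualified memset wrapper, for the key at least. The matching free path in mta_session.c in this same commit does no zeroing at all, so the two should be brought into line. The enclosing switch case starts before this hunk.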
@@ -734,6 +735,7 @@ smtp_io(struct io *io, int evt)
struct smtp_session *s = io->arg;
char *line;
size_t len, i;
+ X509 *x;
log_trace(TRACE_IO, "smtp: %p: %s %s", s, io_strevent(evt),
io_strio(io));
@@ -756,11 +758,14 @@ smtp_io(struct io *io, int evt)
/* No verification required, cascade */
case IO_TLSVERIFIED:
- if (SSL_get_peer_certificate(s->io.ssl))
+ x = SSL_get_peer_certificate(s->io.ssl);
+ if (x) {
log_info("smtp-in: Client certificate verification %s "
"on session %016"PRIx64,
(s->flags & SF_VERIFIED) ? "succeeded" : "failed",
s->id);
+ X509_free(x);
+ }
if (s->listener->flags & F_SMTPS) {
stat_increment("smtp.smtps", 1);
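Review bot: The failed client-certificate case is logged with log_info, the same level as success, and the session continues into the listener handling below unchanged; for an event operators may want to alert on, split the call so the failure path uses `log_warnx` with the same session id. A client that presented no certificate (x == NULL) logs nothing, which is the normal case for most listeners but deserves a short comment at the `if (x)`, e.g. `/* no client cert: nothing to report */`. smtp_io starts and ends outside this hunk.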
@@ -1587,6 +1592,7 @@ smtp_verify_certificate(struct smtp_session *s)
m_composev(p_lka, IMSG_LKA_SSL_VERIFY_CERT, 0, 0, -1,
iov, nitems(iov));
free(req_ca_vrfy.cert);
+ X509_free(x);
if (xchain) {
/* Send the chain, one cert at a time */
diff --git a/usr.sbin/smtpd/ssl_smtpd.c b/usr.sbin/smtpd/ssl_smtpd.c
index 20aa6ad313f..5de8c53c35d 100644
--- a/usr.sbin/smtpd/ssl_smtpd.c
+++ b/usr.sbin/smtpd/ssl_smtpd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_smtpd.c,v 1.2 2013/05/24 17:03:14 eric Exp $ */
+/* $OpenBSD: ssl_smtpd.c,v 1.3 2013/10/28 17:02:08 eric Exp $ */
/*
* Copyright (c) 2008 Pierre-Yves Ritschard <pyr@openbsd.org>
@@ -46,8 +46,8 @@
void *
ssl_mta_init(char *cert, off_t cert_len, char *key, off_t key_len)
{
- SSL_CTX *ctx;
- SSL *ssl = NULL;
+ SSL_CTX *ctx = NULL;
+ SSL *ssl = NULL;
ctx = ssl_ctx_create();
@@ -65,11 +65,14 @@ ssl_mta_init(char *cert, off_t cert_len, char *key, off_t key_len)
if (!SSL_set_ssl_method(ssl, SSLv23_client_method()))
goto err;
+ SSL_CTX_free(ctx);
return (void *)(ssl);
err:
if (ssl != NULL)
SSL_free(ssl);
+ if (ctx != NULL)
+ SSL_CTX_free(ctx);
ssl_error("ssl_mta_init");
return (NULL);
}
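Review bot: The new `SSL_CTX_free(ctx)` on the success path relies on SSL_new() having taken its own reference to the context; that is correct and fixes a leak, but it is non-obvious enough to deserve a line, e.g. `/* ssl holds its own reference to ctx (SSL_new); release ours */`. Separately, `SSL_set_ssl_method(ssl, SSLv23_client_method())` negotiates whatever the context allows, including SSLv2/SSLv3 unless ssl_ctx_create (not on this page) sets SSL_OP_NO_SSLv2/SSL_OP_NO_SSLv3; worth confirming, since this is the outgoing side talking to arbitrary servers. ssl_mta_init begins in the previous hunk.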
@@ -89,7 +92,7 @@ dummy_verify(int ok, X509_STORE_CTX *store)
void *
ssl_smtp_init(void *ssl_ctx, char *cert, off_t cert_len, char *key, off_t key_len)
{
- SSL *ssl = NULL;
+ SSL *ssl = NULL;
log_debug("debug: session_start_ssl: switching to SSL");