summaryrefslogtreecommitdiff
path: root/usr.sbin/smtpd/mta_session.c
diff options
context:
space:
mode:
Diffstat (limited to 'usr.sbin/smtpd/mta_session.c')
-rw-r--r--usr.sbin/smtpd/mta_session.c114
1 files changed, 105 insertions, 9 deletions
diff --git a/usr.sbin/smtpd/mta_session.c b/usr.sbin/smtpd/mta_session.c
index 644cac17003..755ac86dd20 100644
--- a/usr.sbin/smtpd/mta_session.c
+++ b/usr.sbin/smtpd/mta_session.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: mta_session.c,v 1.113 2018/10/31 15:13:21 gilles Exp $ */
+/* $OpenBSD: mta_session.c,v 1.114 2018/12/17 11:14:56 eric Exp $ */
/*
* Copyright (c) 2008 Pierre-Yves Ritschard <pyr@openbsd.org>
@@ -150,6 +150,10 @@ static void mta_response(struct mta_session *, char *);
static const char * mta_strstate(int);
static void mta_start_tls(struct mta_session *);
static int mta_verify_certificate(struct mta_session *);
+static void mta_cert_init(struct mta_session *);
+static void mta_cert_init_cb(void *, int, const char *, const void *, size_t);
+static void mta_cert_verify(struct mta_session *);
+static void mta_cert_verify_cb(void *, int);
static void mta_tls_verified(struct mta_session *);
static struct mta_session *mta_tree_pop(struct tree *, uint64_t);
static const char * dsn_strret(enum dsn_ret);
@@ -937,7 +941,7 @@ mta_response(struct mta_session *s, char *line)
return;
}
- mta_start_tls(s);
+ mta_cert_init(s);
break;
case MTA_AUTH_PLAIN:
@@ -1149,7 +1153,7 @@ mta_io(struct io *io, int evt, void *arg)
if (s->use_smtps) {
io_set_write(io);
- mta_start_tls(s);
+ mta_cert_init(s);
}
else {
mta_enter_state(s, MTA_BANNER);
@@ -1162,12 +1166,7 @@ mta_io(struct io *io, int evt, void *arg)
s->id, ssl_to_text(io_ssl(s->io)));
s->flags |= MTA_TLS;
- if (mta_verify_certificate(s)) {
- io_pause(s->io, IO_IN);
- break;
- }
-
- mta_tls_verified(s);
+ mta_cert_verify(s);
break;
case IO_DATAIN:
@@ -1656,6 +1655,103 @@ mta_verify_certificate(struct mta_session *s)
}
static void
+mta_cert_init(struct mta_session *s)
+{
+ const char *name;
+ int fallback;
+
+ if (s->relay->pki_name) {
+ name = s->relay->pki_name;
+ fallback = 0;
+ }
+ else {
+ name = s->helo;
+ fallback = 1;
+ }
+
+ if (cert_init(name, fallback, mta_cert_init_cb, s)) {
+ tree_xset(&wait_ssl_init, s->id, s);
+ s->flags |= MTA_WAIT;
+ }
+}
+
+static void
+mta_cert_init_cb(void *arg, int status, const char *name, const void *cert,
+ size_t cert_len)
+{
+ struct mta_session *s = arg;
+ void *ssl;
+ char *xname = NULL, *xcert = NULL;
+
+ if (s->flags & MTA_WAIT)
+ mta_tree_pop(&wait_ssl_init, s->id);
+
+ if (status == CA_FAIL && s->relay->pki_name) {
+ log_info("%016"PRIx64" mta closing reason=ca-failure", s->id);
+ mta_free(s);
+ return;
+ }
+
+ if (name)
+ xname = xstrdup(name);
+ if (cert)
+ xcert = xmemdup(cert, cert_len);
+ ssl = ssl_mta_init(xname, xcert, cert_len, env->sc_tls_ciphers);
+ free(xname);
+ free(xcert);
+ if (ssl == NULL)
+ fatal("mta: ssl_mta_init");
+ io_start_tls(s->io, ssl);
+}
+
+static void
+mta_cert_verify(struct mta_session *s)
+{
+ const char *name;
+ int fallback;
+
+ if (s->relay->ca_name) {
+ name = s->relay->ca_name;
+ fallback = 0;
+ }
+ else {
+ name = s->helo;
+ fallback = 1;
+ }
+
+ if (cert_verify(io_ssl(s->io), name, fallback, mta_cert_verify_cb, s)) {
+ tree_xset(&wait_ssl_verify, s->id, s);
+ io_pause(s->io, IO_IN);
+ s->flags |= MTA_WAIT;
+ }
+}
+
+static void
+mta_cert_verify_cb(void *arg, int status)
+{
+ struct mta_session *s = arg;
+ int resume = 0;
+
+ if (s->flags & MTA_WAIT) {
+ mta_tree_pop(&wait_ssl_verify, s->id);
+ resume = 1;
+ }
+
+ if (status == CERT_OK)
+ s->flags |= MTA_TLS_VERIFIED;
+ else if (s->relay->flags & RELAY_TLS_VERIFY) {
+ errno = 0;
+ mta_error(s, "SSL certificate check failed");
+ mta_free(s);
+ return;
+ }
+
+ mta_tls_verified(s);
+ if (resume)
+ io_resume(s->io, IO_IN);
+}
+
+static void
mta_tls_verified(struct mta_session *s)
{
X509 *x;