From fa917446d27705e0fa3c44184e6e9b99906c1af2 Mon Sep 17 00:00:00 2001
From: Gilles Chehade
Date: Tue, 13 Dec 2011 23:55:01 +0000
Subject: *finally* make use of certificate authority file if available ! bits from relayd, ok chl@, ok eric@
---
 usr.sbin/smtpd/smtp.c | 10 +++++++++-
 usr.sbin/smtpd/smtpd.c | 10 +++++-----
 usr.sbin/smtpd/smtpd.conf.5 | 7 +++++--
 usr.sbin/smtpd/smtpd.h | 4 +++-
 usr.sbin/smtpd/ssl.c | 21 ++++++++++++++++++---
 5 files changed, 40 insertions(+), 12 deletions(-)
(limited to 'usr.sbin')
diff --git a/usr.sbin/smtpd/smtp.c b/usr.sbin/smtpd/smtp.c
index e12d8728b8a..70b9e0f3dcc 100644
--- a/usr.sbin/smtpd/smtp.c
+++ b/usr.sbin/smtpd/smtp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: smtp.c,v 1.95 2011/12/12 17:17:55 eric Exp $ */
+/* $OpenBSD: smtp.c,v 1.96 2011/12/13 23:55:00 gilles Exp $ */
 
 /*
  * Copyright (c) 2008 Gilles Chehade
@@ -209,6 +209,14 @@ smtp_imsg(struct imsgev *iev, struct imsg *imsg)
 if (ssl->ssl_dhparams == NULL)
 fatal(NULL);
 }
+ if (ssl->ssl_ca_len) {
+ ssl->ssl_ca = strdup((char *)imsg->data +
+ sizeof *ssl + ssl->ssl_cert_len +
+ ssl->ssl_key_len + ssl->ssl_dhparams_len);
+ if (ssl->ssl_ca == NULL)
+ fatal(NULL);
+ }
+
 SPLAY_INSERT(ssltree, env->sc_ssl, ssl);
 return;
 
diff --git a/usr.sbin/smtpd/smtpd.c b/usr.sbin/smtpd/smtpd.c
index fd216ae8262..2ea72c43737 100644
--- a/usr.sbin/smtpd/smtpd.c
+++ b/usr.sbin/smtpd/smtpd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: smtpd.c,v 1.142 2011/12/13 22:04:35 eric Exp $ */
+/* $OpenBSD: smtpd.c,v 1.143 2011/12/13 23:55:00 gilles Exp $ */
 
 /*
  * Copyright (c) 2008 Gilles Chehade
@@ -205,7 +205,7 @@ parent_send_config_listeners(void)
 {
 struct listener *l;
 struct ssl *s;
- struct iovec iov[4];
+ struct iovec iov[5];
 int opt;
 
 log_debug("parent_send_config: configuring smtp");
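Review bot: The strdup() added after the dhparams block computes its source offset from four length fields that were themselves read out of imsg->data, without checking that sizeof *ssl plus those lengths fits inside the message, and it depends on the CA blob being NUL-terminated within ssl_ca_len. That mirrors the existing cert/key/dhparams handling, so it is inherited trust in the parent rather than a new hole, but the payload layout is now four blobs long and nothing in the code states it. A comment above the block, `/* payload: struct ssl, cert, key, dhparams, ca in that order; each strdup() assumes the blob is NUL-terminated within its *_len (confirm against ssl_load_file) */`, plus a single guard before the first strdup() comparing the summed lengths against `imsg->hdr.len - IMSG_HEADER_SIZE` and calling fatalx() on a mismatch would make the contract explicit; the same layout is produced by parent_send_config_listeners() in the smtpd.c hunk at line 224. smtp_imsg() starts and ends outside the hunk.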
@@ -224,6 +224,8 @@ parent_send_config_listeners(void)
 iov[2].iov_len = s->ssl_key_len;
 iov[3].iov_base = s->ssl_dhparams;
 iov[3].iov_len = s->ssl_dhparams_len;
+ iov[4].iov_base = s->ssl_ca;
+ iov[4].iov_len = s->ssl_ca_len;
 imsg_composev(&env->sc_ievs[PROC_SMTP]->ibuf, IMSG_CONF_SSL,
 0, 0, -1, iov, nitems(iov));
 
@@ -250,7 +252,7 @@ static void
 parent_send_config_client_certs(void)
 {
 struct ssl *s;
- struct iovec iov[4];
+ struct iovec iov[3];
 
 log_debug("parent_send_config_client_certs: configuring smtp");
 imsg_compose_event(env->sc_ievs[PROC_MTA], IMSG_CONF_START,
@@ -266,8 +268,6 @@ parent_send_config_client_certs(void)
 iov[1].iov_len = s->ssl_cert_len;
 iov[2].iov_base = s->ssl_key;
 iov[2].iov_len = s->ssl_key_len;
- iov[3].iov_base = s->ssl_dhparams;
- iov[3].iov_len = s->ssl_dhparams_len;
 imsg_composev(&env->sc_ievs[PROC_MTA]->ibuf, IMSG_CONF_SSL,
 0, 0, -1, iov, nitems(iov));
 
diff --git a/usr.sbin/smtpd/smtpd.conf.5 b/usr.sbin/smtpd/smtpd.conf.5
index f5b32e12bb5..17302a4c016 100644
--- a/usr.sbin/smtpd/smtpd.conf.5
+++ b/usr.sbin/smtpd/smtpd.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: smtpd.conf.5,v 1.46 2011/12/13 21:47:09 gilles Exp $
+.\" $OpenBSD: smtpd.conf.5,v 1.47 2011/12/13 23:55:00 gilles Exp $
 .\"
 .\" Copyright (c) 2008 Janne Johansson
 .\" Copyright (c) 2009 Jacek Masiulaniec
@@ -126,7 +126,9 @@ is specified, a certificate
 .Ao Ar name Ac Ns .crt ,
 a key
-.Ao Ar name Ac Ns .key
+.Ao Ar name Ac Ns .key ,
+a certificate authority
+.Ao Ar name Ac Ns .ca
 and Diffie-Hellman parameters
 .Ao Ar name Ac Ns .dh
 are searched for.
@@ -137,6 +139,7 @@ the default interface name is instead used, for example
 .Pa fxp0.crt ,
 .Pa fxp0.key ,
+.Pa fxp0.ca ,
 and
 .Pa fxp0.dh .
 If no DH parameters are provided, smtpd will use
diff --git a/usr.sbin/smtpd/smtpd.h b/usr.sbin/smtpd/smtpd.h
index 5f088c0f4a6..e3acfd5f470 100644
--- a/usr.sbin/smtpd/smtpd.h
+++ b/usr.sbin/smtpd/smtpd.h
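Review bot: parent_send_config_client_certs() now composes three iovecs (struct ssl, cert, key) instead of four, but the PROC_MTA receiver that unpacks IMSG_CONF_SSL is not part of this diff; if it still reads dhparams at sizeof *ssl + ssl_cert_len + ssl_key_len it will strdup() past the end of the message. Worth confirming that receiver was changed in step, and pinning the two sides together with a comment at each imsg_composev(), e.g. `/* wire layout: struct ssl, cert, key (listeners also append dhparams, ca); keep in sync with the IMSG_CONF_SSL receivers */`. The listener message in the hunk at line 224 has the same coupling with smtp_imsg(), whose parse order is dhparams then ca even though struct ssl declares ssl_ca first. Both functions continue outside their hunks.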
@@ -1,4 +1,4 @@
-/* $OpenBSD: smtpd.h,v 1.262 2011/12/13 22:04:35 eric Exp $ */
+/* $OpenBSD: smtpd.h,v 1.263 2011/12/13 23:55:00 gilles Exp $ */
 
 /*
  * Copyright (c) 2008 Gilles Chehade
@@ -477,6 +477,8 @@ enum session_state {
 struct ssl {
 SPLAY_ENTRY(ssl) ssl_nodes;
 char ssl_name[PATH_MAX];
+ char *ssl_ca;
+ off_t ssl_ca_len;
 char *ssl_cert;
 off_t ssl_cert_len;
 char *ssl_key;
diff --git a/usr.sbin/smtpd/ssl.c b/usr.sbin/smtpd/ssl.c
index 02b233452ed..63bec89a6aa 100644
--- a/usr.sbin/smtpd/ssl.c
+++ b/usr.sbin/smtpd/ssl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.c,v 1.40 2011/10/27 04:23:19 guenther Exp $ */
+/* $OpenBSD: ssl.c,v 1.41 2011/12/13 23:55:00 gilles Exp $ */
 
 /*
  * Copyright (c) 2008 Pierre-Yves Ritschard
@@ -344,6 +344,7 @@ ssl_ctx_create(void)
 ssl_error("ssl_ctx_create");
 fatal("ssl_ctx_create: could not set cipher list");
 }
+
 return (ctx);
 }
 
@@ -386,6 +387,15 @@ ssl_load_certfile(const char *name, u_int8_t flags)
 if ((s->ssl_key = ssl_load_file(certfile, &s->ssl_key_len)) == NULL)
 goto err;
 
+ if (! bsnprintf(certfile, sizeof(certfile),
+ "/etc/mail/certs/%s.ca", name))
+ goto err;
+
+ if ((s->ssl_ca = ssl_load_file(certfile,
+ &s->ssl_ca_len)) == NULL) {
+ log_info("no CA found in %s", certfile);
+ }
+
 if (! bsnprintf(certfile, sizeof(certfile),
 "/etc/mail/certs/%s.dh", name))
 goto err;
@@ -442,6 +452,13 @@ ssl_setup(struct listener *l)
 l->ssl_ctx = ssl_ctx_create();
+ if (l->ssl->ssl_ca != NULL) {
+ if (! ssl_ctx_load_verify_memory(l->ssl_ctx,
+ l->ssl->ssl_ca, l->ssl->ssl_ca_len))
+ goto err;
+ SSL_CTX_set_verify(l->ssl_ctx, SSL_VERIFY_PEER, NULL);
+ }
+
 if (!ssl_ctx_use_certificate_chain(l->ssl_ctx,
 l->ssl->ssl_cert, l->ssl->ssl_cert_len))
 goto err;
@@ -456,8 +473,6 @@ ssl_setup(struct listener *l)
 strlen(l->ssl_cert_name) + 1))
 goto err;
 
-
-
 if (l->ssl->ssl_dhparams_len == 0)
 dh = get_dh1024();
 else
--
cgit v1.2.3
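Review bot: In the ssl_load_certfile() hunk a .ca file that exists but cannot be opened or read gets the same `log_info("no CA found in %s", certfile)` as a missing one, so a permissions or I/O mistake silently leaves the listener without client-certificate verification, while the neighbouring key and dh loads fail hard with `goto err`. If ssl_load_file() leaves errno set by the failing open/read, the absent-file case can stay optional while real errors fail: `if (errno != ENOENT) goto err;` immediately before the log_info. The function's header comment should also record that s->ssl_ca remains NULL when no CA file is present, since ssl_setup() branches on exactly that. ssl_load_certfile() starts and ends outside the hunk.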
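Review bot: In the ssl_setup() hunk SSL_VERIFY_PEER is set without SSL_VERIFY_FAIL_IF_NO_PEER_CERT, so a client that offers no certificate still completes the handshake and only a client whose offered certificate does not chain to the loaded CA is rejected; nothing here bounds the verification depth or notes that session code must consult SSL_get_verify_result() before treating the peer as authenticated. That is a defensible default for an MTA listener, but it should be written down, e.g. `/* CA file present: request but do not require a client certificate; an offered certificate that fails to verify aborts the handshake, sessions needing a verified peer must check SSL_get_verify_result() */`, and the smtpd.conf.5 hunks that document <name>.ca should say what the file is used for. Consider SSL_CTX_set_verify_depth() as well if the .ca file may hold a chain. ssl_setup() starts and ends outside the hunk.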