remove dead code

author eric <eric@openbsd.org>

Sun, 23 Dec 2018 16:37:53 +0000 (16:37 +0000)

committer eric <eric@openbsd.org>

Sun, 23 Dec 2018 16:37:53 +0000 (16:37 +0000)
author eric <eric@openbsd.org>
Sun, 23 Dec 2018 16:37:53 +0000 (16:37 +0000)
committer eric <eric@openbsd.org>
Sun, 23 Dec 2018 16:37:53 +0000 (16:37 +0000)
diff --git a/usr.sbin/smtpd/lka.c b/usr.sbin/smtpd/lka.c

index 27569d1..c08e834 100644 (file)
--- a/usr.sbin/smtpd/lka.c
+++ b/usr.sbin/smtpd/lka.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: lka.c,v 1.228 2018/12/21 14:33:52 gilles Exp $        */
+/*     $OpenBSD: lka.c,v 1.229 2018/12/23 16:37:53 eric Exp $  */
  
  /*
   * Copyright (c) 2008 Pierre-Yves Ritschard <pyr@openbsd.org>
@@ -56,9 +56,6 @@ static int lka_userinfo(const char *, const char *, struct userinfo *);
  static int lka_addrname(const char *, const struct sockaddr *,
      struct addrname *);
  static int lka_mailaddrmap(const char *, const char *, const struct mailaddr *);
-static int lka_X509_verify(struct ca_vrfy_req_msg *, const char *, const char *);
-static void lka_certificate_verify(enum imsg_type, struct ca_vrfy_req_msg *);
-static void lka_certificate_verify_resume(enum imsg_type, struct ca_vrfy_req_msg *);
  
  static void proc_timeout(int fd, short event, void *p);
  
@@ -69,12 +66,6 @@ lka_imsg(struct mproc *p, struct imsg *imsg)
  {
         struct table            *table;
         int                      ret;
-       struct pki              *pki;
-       struct iovec            iov[2];
-       static struct ca_vrfy_req_msg   *req_ca_vrfy = NULL;
-       struct ca_vrfy_req_msg          *req_ca_vrfy_chain;
-       struct ca_cert_req_msg          *req_ca_cert;
-       struct ca_cert_resp_msg          resp_ca_cert;
         struct sockaddr_storage  ss;
         struct userinfo          userinfo;
         struct addrname          addrname;
@@ -168,63 +159,6 @@ lka_imsg(struct mproc *p, struct imsg *imsg)
                 m_close(p);
                 return;
  
-       case IMSG_SMTP_TLS_INIT:
-       case IMSG_MTA_TLS_INIT:
-               req_ca_cert = imsg->data;
-               resp_ca_cert.reqid = req_ca_cert->reqid;
-
-               xlowercase(buf, req_ca_cert->name, sizeof(buf));
-               log_debug("debug: lka: looking up pki \"%s\"", buf);
-               pki = dict_get(env->sc_pki_dict, buf);
-               if (pki == NULL)
-                       if (req_ca_cert->fallback)
-                               pki = dict_get(env->sc_pki_dict, "*");
-               if (pki == NULL) {
-                       resp_ca_cert.status = CA_FAIL;
-                       m_compose(p, imsg->hdr.type, 0, 0, -1, &resp_ca_cert,
-                           sizeof(resp_ca_cert));
-                       return;
-               }
-               resp_ca_cert.status = CA_OK;
-               resp_ca_cert.cert_len = pki->pki_cert_len;
-               (void)strlcpy(resp_ca_cert.name, pki->pki_name, sizeof resp_ca_cert.name);
-               iov[0].iov_base = &resp_ca_cert;
-               iov[0].iov_len = sizeof(resp_ca_cert);
-               iov[1].iov_base = pki->pki_cert;
-               iov[1].iov_len = pki->pki_cert_len;
-               m_composev(p, imsg->hdr.type, 0, 0, -1, iov, nitems(iov));
-               return;
-
-       case IMSG_SMTP_TLS_VERIFY_CERT:
-       case IMSG_MTA_TLS_VERIFY_CERT:
-               req_ca_vrfy = xmemdup(imsg->data, sizeof *req_ca_vrfy);
-               req_ca_vrfy->cert = xmemdup((char *)imsg->data +
-                   sizeof *req_ca_vrfy, req_ca_vrfy->cert_len);
-               req_ca_vrfy->chain_cert = xcalloc(req_ca_vrfy->n_chain,
-                   sizeof (unsigned char *));
-               req_ca_vrfy->chain_cert_len = xcalloc(req_ca_vrfy->n_chain,
-                   sizeof (off_t));
-               return;
-
-       case IMSG_SMTP_TLS_VERIFY_CHAIN:
-       case IMSG_MTA_TLS_VERIFY_CHAIN:
-               if (req_ca_vrfy == NULL)
-                       fatalx("lka:ca_vrfy: chain without a certificate");
-               req_ca_vrfy_chain = imsg->data;
-               req_ca_vrfy->chain_cert[req_ca_vrfy->chain_offset] = xmemdup((char *)imsg->data +
-                   sizeof *req_ca_vrfy_chain, req_ca_vrfy_chain->cert_len);
-               req_ca_vrfy->chain_cert_len[req_ca_vrfy->chain_offset] = req_ca_vrfy_chain->cert_len;
-               req_ca_vrfy->chain_offset++;
-               return;
-
-       case IMSG_SMTP_TLS_VERIFY:
-       case IMSG_MTA_TLS_VERIFY:
-               if (req_ca_vrfy == NULL)
-                       fatalx("lka:ca_vrfy: verify without a certificate");
-               lka_certificate_verify(imsg->hdr.type, req_ca_vrfy);
-               req_ca_vrfy = NULL;
-               return;
-
         case IMSG_SMTP_AUTHENTICATE:
                 m_msg(&m, imsg);
                 m_get_id(&m, &reqid);
@@ -906,88 +840,3 @@ lka_mailaddrmap(const char *tablename, const char *username, const struct mailad
         }
         return (LKA_OK);
  }
-
-static int
-lka_X509_verify(struct ca_vrfy_req_msg *vrfy,
-    const char *CAfile, const char *CRLfile)
-{
-       X509                    *x509;
-       X509                    *x509_tmp;
-       STACK_OF(X509)          *x509_chain;
-       const unsigned char     *d2i;
-       size_t                  i;
-       int                     ret = 0;
-       const char              *errstr;
-
-       x509 = NULL;
-       x509_tmp = NULL;
-       x509_chain = NULL;
-
-       d2i = vrfy->cert;
-       if (d2i_X509(&x509, &d2i, vrfy->cert_len) == NULL) {
-               x509 = NULL;
-               goto end;
-       }
-
-       if (vrfy->n_chain) {
-               x509_chain = sk_X509_new_null();
-               for (i = 0; i < vrfy->n_chain; ++i) {
-                       d2i = vrfy->chain_cert[i];
-                       if (d2i_X509(&x509_tmp, &d2i, vrfy->chain_cert_len[i]) == NULL)
-                               goto end;
-                       sk_X509_insert(x509_chain, x509_tmp, i);
-                       x509_tmp = NULL;
-               }
-       }
-       if (!ca_X509_verify(x509, x509_chain, CAfile, NULL, &errstr))
-               log_debug("debug: lka: X509 verify: %s", errstr);
-       else
-               ret = 1;
-
-end:
-       X509_free(x509);
-       X509_free(x509_tmp);
-       if (x509_chain)
-               sk_X509_pop_free(x509_chain, X509_free);
-
-       return ret;
-}
-
-static void
-lka_certificate_verify(enum imsg_type type, struct ca_vrfy_req_msg *req)
-{
-       lka_certificate_verify_resume(type, req);
-}
-
-static void
-lka_certificate_verify_resume(enum imsg_type type, struct ca_vrfy_req_msg *req)
-{
-       struct ca_vrfy_resp_msg         resp;
-       struct ca                      *sca;
-       const char                     *cafile;
-       size_t                          i;
-
-       resp.reqid = req->reqid;
-       sca = dict_get(env->sc_ca_dict, req->name);
-       if (sca == NULL)
-               if (req->fallback)
-                       sca = dict_get(env->sc_ca_dict, "*");
-       cafile = sca ? sca->ca_cert_file : CA_FILE;
-
-       if (sca == NULL && !req->fallback)
-               resp.status = CA_FAIL;
-       else if (!lka_X509_verify(req, cafile, NULL))
-               resp.status = CA_FAIL;
-       else
-               resp.status = CA_OK;
-
-       m_compose(p_pony, type, 0, 0, -1, &resp,
-           sizeof resp);
-
-       for (i = 0; i < req->n_chain; ++i)
-               free(req->chain_cert[i]);
-       free(req->chain_cert);
-       free(req->chain_cert_len);
-       free(req->cert);
-       free(req);
-}
diff --git a/usr.sbin/smtpd/mta.c b/usr.sbin/smtpd/mta.c

index b7a841d..6958384 100644 (file)
--- a/usr.sbin/smtpd/mta.c
+++ b/usr.sbin/smtpd/mta.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: mta.c,v 1.226 2018/09/24 16:14:34 eric Exp $  */
+/*     $OpenBSD: mta.c,v 1.227 2018/12/23 16:37:53 eric Exp $  */
  
  /*
   * Copyright (c) 2008 Pierre-Yves Ritschard <pyr@openbsd.org>
@@ -312,14 +312,6 @@ mta_imsg(struct mproc *p, struct imsg *imsg)
                 mta_on_preference(relay, preference);
                 return;
  
-       case IMSG_MTA_TLS_INIT:
-               mta_session_imsg(p, imsg);
-               return;
-
-       case IMSG_MTA_TLS_VERIFY:
-               mta_session_imsg(p, imsg);
-               return;
-
         case IMSG_CTL_RESUME_ROUTE:
                 u64 = *((uint64_t *)imsg->data);
                 if (u64)
diff --git a/usr.sbin/smtpd/mta_session.c b/usr.sbin/smtpd/mta_session.c

index 755ac86..959b45e 100644 (file)
--- a/usr.sbin/smtpd/mta_session.c
+++ b/usr.sbin/smtpd/mta_session.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: mta_session.c,v 1.114 2018/12/17 11:14:56 eric Exp $  */
+/*     $OpenBSD: mta_session.c,v 1.115 2018/12/23 16:37:53 eric Exp $  */
  
  /*
   * Copyright (c) 2008 Pierre-Yves Ritschard <pyr@openbsd.org>
@@ -148,8 +148,6 @@ static void mta_send(struct mta_session *, char *, ...);
  static ssize_t mta_queue_data(struct mta_session *);
  static void mta_response(struct mta_session *, char *);
  static const char * mta_strstate(int);
-static void mta_start_tls(struct mta_session *);
-static int mta_verify_certificate(struct mta_session *);
  static void mta_cert_init(struct mta_session *);
  static void mta_cert_init_cb(void *, int, const char *, const void *, size_t);
  static void mta_cert_verify(struct mta_session *);
@@ -242,13 +240,10 @@ mta_session(struct mta_relay *relay, struct mta_route *route)
  void
  mta_session_imsg(struct mproc *p, struct imsg *imsg)
  {
-       struct ca_vrfy_resp_msg *resp_ca_vrfy;
-       struct ca_cert_resp_msg *resp_ca_cert;
         struct mta_session      *s;
         struct msg               m;
         uint64_t                 reqid;
         const char              *name;
-       void                    *ssl;
         int                      status;
         struct stat              sb;
         
@@ -300,61 +295,6 @@ mta_session_imsg(struct mproc *p, struct imsg *imsg)
                 mta_enter_state(s, MTA_MAIL);
                 return;
  
-       case IMSG_MTA_TLS_INIT:
-               resp_ca_cert = imsg->data;
-               s = mta_tree_pop(&wait_ssl_init, resp_ca_cert->reqid);
-               if (s == NULL)
-                       return;
-
-               if (resp_ca_cert->status == CA_FAIL) {
-                       if (s->relay->pki_name) {
-                               log_info("%016"PRIx64" mta "
-                                   "closing reason=ca-failure",
-                                   s->id);
-                               mta_free(s);
-                               return;
-                       }
-                       else {
-                               ssl = ssl_mta_init(NULL, NULL, 0, env->sc_tls_ciphers);
-                               if (ssl == NULL)
-                                       fatal("mta: ssl_mta_init");
-                               io_start_tls(s->io, ssl);
-                               return;
-                       }
-               }
-
-               resp_ca_cert = xmemdup(imsg->data, sizeof *resp_ca_cert);
-               resp_ca_cert->cert = xstrdup((char *)imsg->data +
-                   sizeof *resp_ca_cert);
-               ssl = ssl_mta_init(resp_ca_cert->name,
-                   resp_ca_cert->cert, resp_ca_cert->cert_len, env->sc_tls_ciphers);
-               if (ssl == NULL)
-                       fatal("mta: ssl_mta_init");
-               io_start_tls(s->io, ssl);
-
-               freezero(resp_ca_cert->cert, resp_ca_cert->cert_len);
-               free(resp_ca_cert);
-               return;
-
-       case IMSG_MTA_TLS_VERIFY:
-               resp_ca_vrfy = imsg->data;
-               s = mta_tree_pop(&wait_ssl_verify, resp_ca_vrfy->reqid);
-               if (s == NULL)
-                       return;
-
-               if (resp_ca_vrfy->status == CA_OK)
-                       s->flags |= MTA_TLS_VERIFIED;
-               else if (s->relay->flags & RELAY_TLS_VERIFY) {
-                       errno = 0;
-                       mta_error(s, "SSL certificate check failed");
-                       mta_free(s);
-                       return;
-               }
-
-               mta_tls_verified(s);
-               io_resume(s->io, IO_IN);
-               return;
-
         case IMSG_MTA_LOOKUP_HELO:
                 m_msg(&m, imsg);
                 m_get_id(&m, &reqid);
@@ -1507,153 +1447,6 @@ mta_error(struct mta_session *s, const char *fmt, ...)
         free(error);
  }
  
-static void
-mta_start_tls(struct mta_session *s)
-{
-       struct ca_cert_req_msg  req_ca_cert;
-       const char             *certname;
-
-       if (s->relay->pki_name) {
-               certname = s->relay->pki_name;
-               req_ca_cert.fallback = 0;
-       }
-       else {
-               certname = s->helo;
-               req_ca_cert.fallback = 1;
-       }
-
-       req_ca_cert.reqid = s->id;
-       (void)strlcpy(req_ca_cert.name, certname, sizeof req_ca_cert.name);
-       m_compose(p_lka, IMSG_MTA_TLS_INIT, 0, 0, -1,
-           &req_ca_cert, sizeof(req_ca_cert));
-       tree_xset(&wait_ssl_init, s->id, s);
-       s->flags |= MTA_WAIT;
-       return;
-}
-
-static int
-mta_verify_certificate(struct mta_session *s)
-{
-#define MAX_CERTS      16
-#define MAX_CERT_LEN   (MAX_IMSGSIZE - (IMSG_HEADER_SIZE + sizeof(req_ca_vrfy)))
-       struct ca_vrfy_req_msg  req_ca_vrfy;
-       struct iovec            iov[2];
-       X509                   *x;
-       STACK_OF(X509)         *xchain;
-       const char             *name;
-       unsigned char          *cert_der[MAX_CERTS];
-       int                     cert_len[MAX_CERTS];
-       int                     i, cert_count, res;
-
-       res = 0;
-       memset(cert_der, 0, sizeof(cert_der));
-       memset(&req_ca_vrfy, 0, sizeof req_ca_vrfy);
-
-       /* Send the client certificate */
-       if (s->relay->ca_name) {
-               name = s->relay->ca_name;
-               req_ca_vrfy.fallback = 0;
-       }
-       else {
-               name = s->helo;
-               req_ca_vrfy.fallback = 1;
-       }
-       if (strlcpy(req_ca_vrfy.name, name, sizeof req_ca_vrfy.name)
-           >= sizeof req_ca_vrfy.name)
-               return 0;
-
-       x = SSL_get_peer_certificate(io_ssl(s->io));
-       if (x == NULL)
-               return 0;
-       xchain = SSL_get_peer_cert_chain(io_ssl(s->io));
-
-       /*
-        * Client provided a certificate and possibly a certificate chain.
-        * SMTP can't verify because it does not have the information that
-        * it needs, instead it will pass the certificate and chain to the
-        * lookup process and wait for a reply.
-        *
-        */
-
-       cert_len[0] = i2d_X509(x, &cert_der[0]);
-       X509_free(x);
-
-       if (cert_len[0] < 0) {
-               log_warnx("warn: failed to encode certificate");
-               goto end;
-       }
-       log_debug("debug: certificate 0: len=%d", cert_len[0]);
-       if (cert_len[0] > (int)MAX_CERT_LEN) {
-               log_warnx("warn: certificate too long");
-               goto end;
-       }
-
-       if (xchain) {
-               cert_count = sk_X509_num(xchain);
-               log_debug("debug: certificate chain len: %d", cert_count);
-               if (cert_count >= MAX_CERTS) {
-                       log_warnx("warn: certificate chain too long");
-                       goto end;
-               }
-       }
-       else
-               cert_count = 0;
-
-       for (i = 0; i < cert_count; ++i) {
-               x = sk_X509_value(xchain, i);
-               cert_len[i+1] = i2d_X509(x, &cert_der[i+1]);
-               if (cert_len[i+1] < 0) {
-                       log_warnx("warn: failed to encode certificate");
-                       goto end;
-               }
-               log_debug("debug: certificate %i: len=%d", i+1, cert_len[i+1]);
-               if (cert_len[i+1] > (int)MAX_CERT_LEN) {
-                       log_warnx("warn: certificate too long");
-                       goto end;
-               }
-       }
-
-       tree_xset(&wait_ssl_verify, s->id, s);
-       s->flags |= MTA_WAIT;
-
-       /* Send the client certificate */
-       req_ca_vrfy.reqid = s->id;
-       req_ca_vrfy.cert_len = cert_len[0];
-       req_ca_vrfy.n_chain = cert_count;
-       iov[0].iov_base = &req_ca_vrfy;
-       iov[0].iov_len = sizeof(req_ca_vrfy);
-       iov[1].iov_base = cert_der[0];
-       iov[1].iov_len = cert_len[0];
-       m_composev(p_lka, IMSG_MTA_TLS_VERIFY_CERT, 0, 0, -1,
-           iov, nitems(iov));
-
-       memset(&req_ca_vrfy, 0, sizeof req_ca_vrfy);
-       req_ca_vrfy.reqid = s->id;
-
-       /* Send the chain, one cert at a time */
-       for (i = 0; i < cert_count; ++i) {
-               req_ca_vrfy.cert_len = cert_len[i+1];
-               iov[1].iov_base = cert_der[i+1];
-               iov[1].iov_len  = cert_len[i+1];
-               m_composev(p_lka, IMSG_MTA_TLS_VERIFY_CHAIN, 0, 0, -1,
-                   iov, nitems(iov));
-       }
-
-       /* Tell lookup process that it can start verifying, we're done */
-       memset(&req_ca_vrfy, 0, sizeof req_ca_vrfy);
-       req_ca_vrfy.reqid = s->id;
-       m_compose(p_lka, IMSG_MTA_TLS_VERIFY, 0, 0, -1,
-           &req_ca_vrfy, sizeof req_ca_vrfy);
-
-       res = 1;
-
-    end:
-       for (i = 0; i < MAX_CERTS; ++i)
-               free(cert_der[i]);
-
-       return res;
-}
-
  static void
  mta_cert_init(struct mta_session *s)
  {
diff --git a/usr.sbin/smtpd/pony.c b/usr.sbin/smtpd/pony.c

index abbde55..aeb7a52 100644 (file)
--- a/usr.sbin/smtpd/pony.c
+++ b/usr.sbin/smtpd/pony.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: pony.c,v 1.25 2018/12/11 13:40:30 gilles Exp $        */
+/*     $OpenBSD: pony.c,v 1.26 2018/12/23 16:37:53 eric Exp $  */
  
  /*
   * Copyright (c) 2014 Gilles Chehade <gilles@poolp.org>
@@ -91,8 +91,6 @@ pony_imsg(struct mproc *p, struct imsg *imsg)
         case IMSG_SMTP_EXPAND_RCPT:
         case IMSG_SMTP_LOOKUP_HELO:
         case IMSG_SMTP_AUTHENTICATE:
-       case IMSG_SMTP_TLS_INIT:
-       case IMSG_SMTP_TLS_VERIFY:
         case IMSG_SMTP_MESSAGE_COMMIT:
         case IMSG_SMTP_MESSAGE_CREATE:
         case IMSG_SMTP_MESSAGE_OPEN:
@@ -117,8 +115,6 @@ pony_imsg(struct mproc *p, struct imsg *imsg)
         case IMSG_MTA_DNS_HOST:
         case IMSG_MTA_DNS_HOST_END:
         case IMSG_MTA_DNS_MX_PREFERENCE:
-       case IMSG_MTA_TLS_INIT:
-       case IMSG_MTA_TLS_VERIFY:
         case IMSG_CTL_RESUME_ROUTE:
         case IMSG_CTL_MTA_SHOW_HOSTS:
         case IMSG_CTL_MTA_SHOW_RELAYS:
diff --git a/usr.sbin/smtpd/smtp.c b/usr.sbin/smtpd/smtp.c

index 61c99e5..921d9f8 100644 (file)
--- a/usr.sbin/smtpd/smtp.c
+++ b/usr.sbin/smtpd/smtp.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: smtp.c,v 1.163 2018/12/11 13:40:30 gilles Exp $       */
+/*     $OpenBSD: smtp.c,v 1.164 2018/12/23 16:37:53 eric Exp $ */
  
  /*
   * Copyright (c) 2008 Gilles Chehade <gilles@poolp.org>
@@ -66,8 +66,6 @@ smtp_imsg(struct mproc *p, struct imsg *imsg)
         case IMSG_SMTP_EXPAND_RCPT:
         case IMSG_SMTP_LOOKUP_HELO:
         case IMSG_SMTP_AUTHENTICATE:
-       case IMSG_SMTP_TLS_INIT:
-       case IMSG_SMTP_TLS_VERIFY:
         case IMSG_FILTER_SMTP_PROTOCOL:
         case IMSG_FILTER_SMTP_DATA_BEGIN:
                 smtp_session_imsg(p, imsg);
diff --git a/usr.sbin/smtpd/smtp_session.c b/usr.sbin/smtpd/smtp_session.c

index 0a3d102..7708160 100644 (file)
--- a/usr.sbin/smtpd/smtp_session.c
+++ b/usr.sbin/smtpd/smtp_session.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: smtp_session.c,v 1.379 2018/12/21 14:41:41 gilles Exp $       */
+/*     $OpenBSD: smtp_session.c,v 1.380 2018/12/23 16:37:53 eric Exp $ */
  
  /*
   * Copyright (c) 2008 Gilles Chehade <gilles@poolp.org>
@@ -189,8 +189,6 @@ static void smtp_rfc4954_auth_plain(struct smtp_session *, char *);
  static void smtp_rfc4954_auth_login(struct smtp_session *, char *);
  static void smtp_free(struct smtp_session *, const char *);
  static const char *smtp_strstate(int);
-static void smtp_tls_init(struct smtp_session *);
-static int smtp_verify_certificate(struct smtp_session *);
  static void smtp_cert_init(struct smtp_session *);
  static void smtp_cert_init_cb(void *, int, const char *, const void *, size_t);
  static void smtp_cert_verify(struct smtp_session *);
@@ -684,18 +682,14 @@ smtp_getaddrinfo_cb(void *arg, int gaierrno, struct addrinfo *ai0)
  void
  smtp_session_imsg(struct mproc *p, struct imsg *imsg)
  {
-       struct ca_cert_resp_msg         *resp_ca_cert;
-       struct ca_vrfy_resp_msg         *resp_ca_vrfy;
         struct smtp_session             *s;
         struct smtp_rcpt                *rcpt;
-       void                            *ssl;
         char                             user[LOGIN_NAME_MAX];
         struct msg                       m;
         const char                      *line, *helo;
         uint64_t                         reqid, evpid;
         uint32_t                         msgid;
         int                              status, success;
-       void                            *ssl_ctx;
         int                              filter_response;
         const char                      *filter_param;
         uint8_t                          i;
@@ -956,47 +950,6 @@ smtp_session_imsg(struct mproc *p, struct imsg *imsg)
                 smtp_enter_state(s, STATE_HELO);
                 return;
  
-       case IMSG_SMTP_TLS_INIT:
-               resp_ca_cert = imsg->data;
-               s = tree_xpop(&wait_ssl_init, resp_ca_cert->reqid);
-
-               if (resp_ca_cert->status == CA_FAIL) {
-                       log_info("%016"PRIx64" smtp disconnected "
-                           "reason=ca-failure",
-                           s->id);
-                       smtp_free(s, "CA failure");
-                       return;
-               }
-
-               resp_ca_cert = xmemdup(imsg->data, sizeof *resp_ca_cert);
-               resp_ca_cert->cert = xstrdup((char *)imsg->data +
-                   sizeof *resp_ca_cert);
-               ssl_ctx = dict_get(env->sc_ssl_dict, resp_ca_cert->name);
-               ssl = ssl_smtp_init(ssl_ctx, s->listener->flags & F_TLS_VERIFY);
-               io_set_read(s->io);
-               io_start_tls(s->io, ssl);
-
-               freezero(resp_ca_cert->cert, resp_ca_cert->cert_len);
-               free(resp_ca_cert);
-               return;
-
-       case IMSG_SMTP_TLS_VERIFY:
-               resp_ca_vrfy = imsg->data;
-               s = tree_xpop(&wait_ssl_verify, resp_ca_vrfy->reqid);
-
-               if (resp_ca_vrfy->status == CA_OK)
-                       s->flags |= SF_VERIFIED;
-               else if (s->listener->flags & F_TLS_VERIFY) {
-                       log_info("%016"PRIx64" smtp "
-                           "disconnected reason=cert-check-failed",
-                           s->id);
-                       smtp_free(s, "SSL certificate check failed");
-                       return;
-               }
-               smtp_tls_verified(s);
-               io_resume(s->io, IO_IN);
-               return;
-
         case IMSG_FILTER_SMTP_PROTOCOL:
                 m_msg(&m, imsg);
                 m_get_id(&m, &reqid);
@@ -2174,150 +2127,6 @@ smtp_mailaddr(struct mailaddr *maddr, char *line, int mailfrom, char **args,
         return (1);
  }
  
-static void
-smtp_tls_init(struct smtp_session *s)
-{
-       struct ca_cert_req_msg req_ca_cert;
-
-       req_ca_cert.reqid = s->id;
-       if (s->listener->pki_name[0]) {
-               (void)strlcpy(req_ca_cert.name, s->listener->pki_name,
-                   sizeof req_ca_cert.name);
-               req_ca_cert.fallback = 0;
-       }
-       else {
-               (void)strlcpy(req_ca_cert.name, s->smtpname,
-                   sizeof req_ca_cert.name);
-               req_ca_cert.fallback = 1;
-       }
-       m_compose(p_lka, IMSG_SMTP_TLS_INIT, 0, 0, -1,
-           &req_ca_cert, sizeof(req_ca_cert));
-       tree_xset(&wait_ssl_init, s->id, s);
-}
-
-static int
-smtp_verify_certificate(struct smtp_session *s)
-{
-#define MAX_CERTS      16
-#define MAX_CERT_LEN   (MAX_IMSGSIZE - (IMSG_HEADER_SIZE + sizeof(req_ca_vrfy)))
-       struct ca_vrfy_req_msg  req_ca_vrfy;
-       struct iovec            iov[2];
-       X509                   *x;
-       STACK_OF(X509)         *xchain;
-       const char             *name;
-       unsigned char          *cert_der[MAX_CERTS];
-       int                     cert_len[MAX_CERTS];
-       int                     i, cert_count, res;
-
-       res = 0;
-       memset(cert_der, 0, sizeof(cert_der));
-       memset(&req_ca_vrfy, 0, sizeof req_ca_vrfy);
-
-       /* Send the client certificate */
-       if (s->listener->ca_name[0]) {
-               name = s->listener->ca_name;
-               req_ca_vrfy.fallback = 0;
-       }
-       else {
-               name = s->smtpname;
-               req_ca_vrfy.fallback = 1;
-       }
-
-       if (strlcpy(req_ca_vrfy.name, name, sizeof req_ca_vrfy.name)
-           >= sizeof req_ca_vrfy.name)
-               return 0;
-
-       x = SSL_get_peer_certificate(io_ssl(s->io));
-       if (x == NULL)
-               return 0;
-       xchain = SSL_get_peer_cert_chain(io_ssl(s->io));
-
-       /*
-        * Client provided a certificate and possibly a certificate chain.
-        * SMTP can't verify because it does not have the information that
-        * it needs, instead it will pass the certificate and chain to the
-        * lookup process and wait for a reply.
-        *
-        */
-
-       cert_len[0] = i2d_X509(x, &cert_der[0]);
-       X509_free(x);
-
-       if (cert_len[0] < 0) {
-               log_warnx("warn: failed to encode certificate");
-               goto end;
-       }
-       log_debug("debug: certificate 0: len=%d", cert_len[0]);
-       if (cert_len[0] > (int)MAX_CERT_LEN) {
-               log_warnx("warn: certificate too long");
-               goto end;
-       }
-
-       if (xchain) {
-               cert_count = sk_X509_num(xchain);
-               log_debug("debug: certificate chain len: %d", cert_count);
-               if (cert_count >= MAX_CERTS) {
-                       log_warnx("warn: certificate chain too long");
-                       goto end;
-               }
-       }
-       else
-               cert_count = 0;
-
-       for (i = 0; i < cert_count; ++i) {
-               x = sk_X509_value(xchain, i);
-               cert_len[i+1] = i2d_X509(x, &cert_der[i+1]);
-               if (cert_len[i+1] < 0) {
-                       log_warnx("warn: failed to encode certificate");
-                       goto end;
-               }
-               log_debug("debug: certificate %i: len=%d", i+1, cert_len[i+1]);
-               if (cert_len[i+1] > (int)MAX_CERT_LEN) {
-                       log_warnx("warn: certificate too long");
-                       goto end;
-               }
-       }
-
-       tree_xset(&wait_ssl_verify, s->id, s);
-
-       /* Send the client certificate */
-       req_ca_vrfy.reqid = s->id;
-       req_ca_vrfy.cert_len = cert_len[0];
-       req_ca_vrfy.n_chain = cert_count;
-       iov[0].iov_base = &req_ca_vrfy;
-       iov[0].iov_len = sizeof(req_ca_vrfy);
-       iov[1].iov_base = cert_der[0];
-       iov[1].iov_len = cert_len[0];
-       m_composev(p_lka, IMSG_SMTP_TLS_VERIFY_CERT, 0, 0, -1,
-           iov, nitems(iov));
-
-       memset(&req_ca_vrfy, 0, sizeof req_ca_vrfy);
-       req_ca_vrfy.reqid = s->id;
-
-       /* Send the chain, one cert at a time */
-       for (i = 0; i < cert_count; ++i) {
-               req_ca_vrfy.cert_len = cert_len[i+1];
-               iov[1].iov_base = cert_der[i+1];
-               iov[1].iov_len  = cert_len[i+1];
-               m_composev(p_lka, IMSG_SMTP_TLS_VERIFY_CHAIN, 0, 0, -1,
-                   iov, nitems(iov));
-       }
-
-       /* Tell lookup process that it can start verifying, we're done */
-       memset(&req_ca_vrfy, 0, sizeof req_ca_vrfy);
-       req_ca_vrfy.reqid = s->id;
-       m_compose(p_lka, IMSG_SMTP_TLS_VERIFY, 0, 0, -1,
-           &req_ca_vrfy, sizeof req_ca_vrfy);
-
-       res = 1;
-
-    end:
-       for (i = 0; i < MAX_CERTS; ++i)
-               free(cert_der[i]);
-
-       return res;
-}
-
  static void
  smtp_cert_init(struct smtp_session *s)
  {
diff --git a/usr.sbin/smtpd/smtpd.c b/usr.sbin/smtpd/smtpd.c

index 52f4cbc..87344b5 100644 (file)
--- a/usr.sbin/smtpd/smtpd.c
+++ b/usr.sbin/smtpd/smtpd.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: smtpd.c,v 1.314 2018/12/23 14:26:02 gilles Exp $      */
+/*     $OpenBSD: smtpd.c,v 1.315 2018/12/23 16:37:53 eric Exp $        */
  
  /*
   * Copyright (c) 2008 Gilles Chehade <gilles@poolp.org>
@@ -1970,10 +1970,6 @@ imsg_to_str(int type)
         CASE(IMSG_MTA_LOOKUP_SMARTHOST);
         CASE(IMSG_MTA_OPEN_MESSAGE);
         CASE(IMSG_MTA_SCHEDULE);
-       CASE(IMSG_MTA_TLS_INIT);
-       CASE(IMSG_MTA_TLS_VERIFY_CERT);
-       CASE(IMSG_MTA_TLS_VERIFY_CHAIN);
-       CASE(IMSG_MTA_TLS_VERIFY);
  
         CASE(IMSG_SCHED_ENVELOPE_BOUNCE);
         CASE(IMSG_SCHED_ENVELOPE_DELIVER);
@@ -1990,10 +1986,6 @@ imsg_to_str(int type)
         CASE(IMSG_SMTP_CHECK_SENDER);
         CASE(IMSG_SMTP_EXPAND_RCPT);
         CASE(IMSG_SMTP_LOOKUP_HELO);
-       CASE(IMSG_SMTP_TLS_INIT);
-       CASE(IMSG_SMTP_TLS_VERIFY_CERT);
-       CASE(IMSG_SMTP_TLS_VERIFY_CHAIN);
-       CASE(IMSG_SMTP_TLS_VERIFY);
  
         CASE(IMSG_SMTP_REQ_CONNECT);
         CASE(IMSG_SMTP_REQ_HELO);
diff --git a/usr.sbin/smtpd/smtpd.h b/usr.sbin/smtpd/smtpd.h

index 324e643..47914bd 100644 (file)
--- a/usr.sbin/smtpd/smtpd.h
+++ b/usr.sbin/smtpd/smtpd.h
@@ -1,4 +1,4 @@
-/*     $OpenBSD: smtpd.h,v 1.602 2018/12/23 15:53:24 eric Exp $        */
+/*     $OpenBSD: smtpd.h,v 1.603 2018/12/23 16:37:53 eric Exp $        */
  
  /*
   * Copyright (c) 2008 Gilles Chehade <gilles@poolp.org>
@@ -275,10 +275,6 @@ enum imsg_type {
         IMSG_MTA_LOOKUP_SMARTHOST,
         IMSG_MTA_OPEN_MESSAGE,
         IMSG_MTA_SCHEDULE,
-       IMSG_MTA_TLS_INIT,
-       IMSG_MTA_TLS_VERIFY_CERT,
-       IMSG_MTA_TLS_VERIFY_CHAIN,
-       IMSG_MTA_TLS_VERIFY,
  
         IMSG_SCHED_ENVELOPE_BOUNCE,
         IMSG_SCHED_ENVELOPE_DELIVER,
@@ -295,10 +291,6 @@ enum imsg_type {
         IMSG_SMTP_CHECK_SENDER,
         IMSG_SMTP_EXPAND_RCPT,
         IMSG_SMTP_LOOKUP_HELO,
-       IMSG_SMTP_TLS_INIT,
-       IMSG_SMTP_TLS_VERIFY_CERT,
-       IMSG_SMTP_TLS_VERIFY_CHAIN,
-       IMSG_SMTP_TLS_VERIFY,
  
         IMSG_SMTP_REQ_CONNECT,
         IMSG_SMTP_REQ_HELO,
@@ -1114,37 +1106,6 @@ enum mda_resp_status {
         MDA_PERMFAIL
  };
  
-struct ca_cert_req_msg {
-       uint64_t                reqid;
-       char                    name[HOST_NAME_MAX+1];
-       int                     fallback;
-};
-
-struct ca_cert_resp_msg {
-       uint64_t                reqid;
-       enum ca_resp_status     status;
-       char                    name[HOST_NAME_MAX+1];
-       char                   *cert;
-       off_t                   cert_len;
-};
-
-struct ca_vrfy_req_msg {
-       uint64_t                reqid;
-       char                    name[HOST_NAME_MAX+1];
-       int                     fallback;
-       unsigned char          *cert;
-       off_t                   cert_len;
-       size_t                  n_chain;
-       size_t                  chain_offset;
-       unsigned char         **chain_cert;
-       off_t                  *chain_cert_len;
-};
-
-struct ca_vrfy_resp_msg {
-       uint64_t                reqid;
-       enum ca_resp_status     status;
-};
-
  struct msg_walkinfo {
         struct event     ev;
         uint32_t         msgid;
author	eric <eric@openbsd.org>
	Sun, 23 Dec 2018 16:37:53 +0000 (16:37 +0000)
committer	eric <eric@openbsd.org>
	Sun, 23 Dec 2018 16:37:53 +0000 (16:37 +0000)
usr.sbin/smtpd/lka.c		patch \| blob \| history
usr.sbin/smtpd/mta.c		patch \| blob \| history
usr.sbin/smtpd/mta_session.c		patch \| blob \| history
usr.sbin/smtpd/pony.c		patch \| blob \| history
usr.sbin/smtpd/smtp.c		patch \| blob \| history
usr.sbin/smtpd/smtp_session.c		patch \| blob \| history
usr.sbin/smtpd/smtpd.c		patch \| blob \| history
usr.sbin/smtpd/smtpd.h		patch \| blob \| history