From: eric Date: Sun, 23 Dec 2018 16:37:53 +0000 (+0000) Subject: remove dead code X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=d64dc2a52016675d37794acf17ac894c4b9713c4;p=openbsd remove dead code ok gilles@ --- diff --git a/usr.sbin/smtpd/lka.c b/usr.sbin/smtpd/lka.c index 27569d1978a..c08e834b281 100644 --- a/usr.sbin/smtpd/lka.c +++ b/usr.sbin/smtpd/lka.c @@ -1,4 +1,4 @@ -/* $OpenBSD: lka.c,v 1.228 2018/12/21 14:33:52 gilles Exp $ */ +/* $OpenBSD: lka.c,v 1.229 2018/12/23 16:37:53 eric Exp $ */ /* * Copyright (c) 2008 Pierre-Yves Ritschard @@ -56,9 +56,6 @@ static int lka_userinfo(const char *, const char *, struct userinfo *); static int lka_addrname(const char *, const struct sockaddr *, struct addrname *); static int lka_mailaddrmap(const char *, const char *, const struct mailaddr *); -static int lka_X509_verify(struct ca_vrfy_req_msg *, const char *, const char *); -static void lka_certificate_verify(enum imsg_type, struct ca_vrfy_req_msg *); -static void lka_certificate_verify_resume(enum imsg_type, struct ca_vrfy_req_msg *); static void proc_timeout(int fd, short event, void *p); @@ -69,12 +66,6 @@ lka_imsg(struct mproc *p, struct imsg *imsg) { struct table *table; int ret; - struct pki *pki; - struct iovec iov[2]; - static struct ca_vrfy_req_msg *req_ca_vrfy = NULL; - struct ca_vrfy_req_msg *req_ca_vrfy_chain; - struct ca_cert_req_msg *req_ca_cert; - struct ca_cert_resp_msg resp_ca_cert; struct sockaddr_storage ss; struct userinfo userinfo; struct addrname addrname; 
@@ -168,63 +159,6 @@ lka_imsg(struct mproc *p, struct imsg *imsg) m_close(p); return; - case IMSG_SMTP_TLS_INIT: - case IMSG_MTA_TLS_INIT: - req_ca_cert = imsg->data; - resp_ca_cert.reqid = req_ca_cert->reqid; - - xlowercase(buf, req_ca_cert->name, sizeof(buf)); - log_debug("debug: lka: looking up pki \"%s\"", buf); - pki = dict_get(env->sc_pki_dict, buf); - if (pki == NULL) - if (req_ca_cert->fallback) - pki = dict_get(env->sc_pki_dict, "*"); - if (pki == NULL) { - resp_ca_cert.status = CA_FAIL; - m_compose(p, imsg->hdr.type, 0, 0, -1, &resp_ca_cert, - sizeof(resp_ca_cert)); - return; - } - resp_ca_cert.status = CA_OK; - resp_ca_cert.cert_len = pki->pki_cert_len; - (void)strlcpy(resp_ca_cert.name, pki->pki_name, sizeof resp_ca_cert.name); - iov[0].iov_base = &resp_ca_cert; - iov[0].iov_len = sizeof(resp_ca_cert); - iov[1].iov_base = pki->pki_cert; - iov[1].iov_len = pki->pki_cert_len; - m_composev(p, imsg->hdr.type, 0, 0, -1, iov, nitems(iov)); - return; - - case IMSG_SMTP_TLS_VERIFY_CERT: - case IMSG_MTA_TLS_VERIFY_CERT: - req_ca_vrfy = xmemdup(imsg->data, sizeof *req_ca_vrfy); - req_ca_vrfy->cert = xmemdup((char *)imsg->data + - sizeof *req_ca_vrfy, req_ca_vrfy->cert_len); - req_ca_vrfy->chain_cert = xcalloc(req_ca_vrfy->n_chain, - sizeof (unsigned char *)); - req_ca_vrfy->chain_cert_len = xcalloc(req_ca_vrfy->n_chain, - sizeof (off_t)); - return; - - case IMSG_SMTP_TLS_VERIFY_CHAIN: - case IMSG_MTA_TLS_VERIFY_CHAIN: - if (req_ca_vrfy == NULL) - fatalx("lka:ca_vrfy: chain without a certificate"); - req_ca_vrfy_chain = imsg->data; - req_ca_vrfy->chain_cert[req_ca_vrfy->chain_offset] = xmemdup((char *)imsg->data + - sizeof *req_ca_vrfy_chain, req_ca_vrfy_chain->cert_len); - req_ca_vrfy->chain_cert_len[req_ca_vrfy->chain_offset] = req_ca_vrfy_chain->cert_len; - req_ca_vrfy->chain_offset++; - return; - - case IMSG_SMTP_TLS_VERIFY: - case IMSG_MTA_TLS_VERIFY: - if (req_ca_vrfy == NULL) - fatalx("lka:ca_vrfy: verify without a certificate"); - 
lka_certificate_verify(imsg->hdr.type, req_ca_vrfy); - req_ca_vrfy = NULL; - return; - case IMSG_SMTP_AUTHENTICATE: m_msg(&m, imsg); m_get_id(&m, &reqid); 
@@ -906,88 +840,3 @@ lka_mailaddrmap(const char *tablename, const char *username, const struct mailad } return (LKA_OK); } - -static int -lka_X509_verify(struct ca_vrfy_req_msg *vrfy, - const char *CAfile, const char *CRLfile) -{ - X509 *x509; - X509 *x509_tmp; - STACK_OF(X509) *x509_chain; - const unsigned char *d2i; - size_t i; - int ret = 0; - const char *errstr; - - x509 = NULL; - x509_tmp = NULL; - x509_chain = NULL; - - d2i = vrfy->cert; - if (d2i_X509(&x509, &d2i, vrfy->cert_len) == NULL) { - x509 = NULL; - goto end; - } - - if (vrfy->n_chain) { - x509_chain = sk_X509_new_null(); - for (i = 0; i < vrfy->n_chain; ++i) { - d2i = vrfy->chain_cert[i]; - if (d2i_X509(&x509_tmp, &d2i, vrfy->chain_cert_len[i]) == NULL) - goto end; - sk_X509_insert(x509_chain, x509_tmp, i); - x509_tmp = NULL; - } - } - if (!ca_X509_verify(x509, x509_chain, CAfile, NULL, &errstr)) - log_debug("debug: lka: X509 verify: %s", errstr); - else - ret = 1; - -end: - X509_free(x509); - X509_free(x509_tmp); - if (x509_chain) - sk_X509_pop_free(x509_chain, X509_free); - - return ret; -} - -static void -lka_certificate_verify(enum imsg_type type, struct ca_vrfy_req_msg *req) -{ - lka_certificate_verify_resume(type, req); -} - -static void -lka_certificate_verify_resume(enum imsg_type type, struct ca_vrfy_req_msg *req) -{ - struct ca_vrfy_resp_msg resp; - struct ca *sca; - const char *cafile; - size_t i; - - resp.reqid = req->reqid; - sca = dict_get(env->sc_ca_dict, req->name); - if (sca == NULL) - if (req->fallback) - sca = dict_get(env->sc_ca_dict, "*"); - cafile = sca ? sca->ca_cert_file : CA_FILE; - - if (sca == NULL && !req->fallback) - resp.status = CA_FAIL; - else if (!lka_X509_verify(req, cafile, NULL)) - resp.status = CA_FAIL; - else - resp.status = CA_OK; - - m_compose(p_pony, type, 0, 0, -1, &resp, - sizeof resp); - - for (i = 0; i < req->n_chain; ++i) - free(req->chain_cert[i]); - free(req->chain_cert); - free(req->chain_cert_len); - free(req->cert); - free(req); -} 
diff --git a/usr.sbin/smtpd/mta.c b/usr.sbin/smtpd/mta.c index b7a841d15b0..6958384a115 100644 --- a/usr.sbin/smtpd/mta.c +++ b/usr.sbin/smtpd/mta.c @@ -1,4 +1,4 @@ -/* $OpenBSD: mta.c,v 1.226 2018/09/24 16:14:34 eric Exp $ */ +/* $OpenBSD: mta.c,v 1.227 2018/12/23 16:37:53 eric Exp $ */ /* * Copyright (c) 2008 Pierre-Yves Ritschard @@ -312,14 +312,6 @@ mta_imsg(struct mproc *p, struct imsg *imsg) mta_on_preference(relay, preference); return; - case IMSG_MTA_TLS_INIT: - mta_session_imsg(p, imsg); - return; - - case IMSG_MTA_TLS_VERIFY: - mta_session_imsg(p, imsg); - return; - case IMSG_CTL_RESUME_ROUTE: u64 = *((uint64_t *)imsg->data); if (u64) diff --git a/usr.sbin/smtpd/mta_session.c b/usr.sbin/smtpd/mta_session.c index 755ac86dd20..959b45e8b68 100644 --- a/usr.sbin/smtpd/mta_session.c +++ b/usr.sbin/smtpd/mta_session.c @@ -1,4 +1,4 @@ -/* $OpenBSD: mta_session.c,v 1.114 2018/12/17 11:14:56 eric Exp $ */ +/* $OpenBSD: mta_session.c,v 1.115 2018/12/23 16:37:53 eric Exp $ */ /* * Copyright (c) 2008 Pierre-Yves Ritschard @@ -148,8 +148,6 @@ static void mta_send(struct mta_session *, char *, ...); static ssize_t mta_queue_data(struct mta_session *); static void mta_response(struct mta_session *, char *); static const char * mta_strstate(int); -static void mta_start_tls(struct mta_session *); -static int mta_verify_certificate(struct mta_session *); static void mta_cert_init(struct mta_session *); static void mta_cert_init_cb(void *, int, const char *, const void *, size_t); static void mta_cert_verify(struct mta_session *); @@ -242,13 +240,10 @@ mta_session(struct mta_relay *relay, struct mta_route *route) void mta_session_imsg(struct mproc *p, struct imsg *imsg) { - struct ca_vrfy_resp_msg *resp_ca_vrfy; - struct ca_cert_resp_msg *resp_ca_cert; struct mta_session *s; struct msg m; uint64_t reqid; const char *name; - void *ssl; int status; struct stat sb; 
@@ -300,61 +295,6 @@ mta_session_imsg(struct mproc *p, struct imsg *imsg) mta_enter_state(s, MTA_MAIL); return; - case IMSG_MTA_TLS_INIT: - resp_ca_cert = imsg->data; - s = mta_tree_pop(&wait_ssl_init, resp_ca_cert->reqid); - if (s == NULL) - return; - - if (resp_ca_cert->status == CA_FAIL) { - if (s->relay->pki_name) { - log_info("%016"PRIx64" mta " - "closing reason=ca-failure", - s->id); - mta_free(s); - return; - } - else { - ssl = ssl_mta_init(NULL, NULL, 0, env->sc_tls_ciphers); - if (ssl == NULL) - fatal("mta: ssl_mta_init"); - io_start_tls(s->io, ssl); - return; - } - } - - resp_ca_cert = xmemdup(imsg->data, sizeof *resp_ca_cert); - resp_ca_cert->cert = xstrdup((char *)imsg->data + - sizeof *resp_ca_cert); - ssl = ssl_mta_init(resp_ca_cert->name, - resp_ca_cert->cert, resp_ca_cert->cert_len, env->sc_tls_ciphers); - if (ssl == NULL) - fatal("mta: ssl_mta_init"); - io_start_tls(s->io, ssl); - - freezero(resp_ca_cert->cert, resp_ca_cert->cert_len); - free(resp_ca_cert); - return; - - case IMSG_MTA_TLS_VERIFY: - resp_ca_vrfy = imsg->data; - s = mta_tree_pop(&wait_ssl_verify, resp_ca_vrfy->reqid); - if (s == NULL) - return; - - if (resp_ca_vrfy->status == CA_OK) - s->flags |= MTA_TLS_VERIFIED; - else if (s->relay->flags & RELAY_TLS_VERIFY) { - errno = 0; - mta_error(s, "SSL certificate check failed"); - mta_free(s); - return; - } - - mta_tls_verified(s); - io_resume(s->io, IO_IN); - return; - case IMSG_MTA_LOOKUP_HELO: m_msg(&m, imsg); m_get_id(&m, &reqid); 
@@ -1507,153 +1447,6 @@ mta_error(struct mta_session *s, const char *fmt, ...) free(error); } -static void -mta_start_tls(struct mta_session *s) -{ - struct ca_cert_req_msg req_ca_cert; - const char *certname; - - if (s->relay->pki_name) { - certname = s->relay->pki_name; - req_ca_cert.fallback = 0; - } - else { - certname = s->helo; - req_ca_cert.fallback = 1; - } - - req_ca_cert.reqid = s->id; - (void)strlcpy(req_ca_cert.name, certname, sizeof req_ca_cert.name); - m_compose(p_lka, IMSG_MTA_TLS_INIT, 0, 0, -1, - &req_ca_cert, sizeof(req_ca_cert)); - tree_xset(&wait_ssl_init, s->id, s); - s->flags |= MTA_WAIT; - return; -} - -static int -mta_verify_certificate(struct mta_session *s) -{ -#define MAX_CERTS 16 -#define MAX_CERT_LEN (MAX_IMSGSIZE - (IMSG_HEADER_SIZE + sizeof(req_ca_vrfy))) - struct ca_vrfy_req_msg req_ca_vrfy; - struct iovec iov[2]; - X509 *x; - STACK_OF(X509) *xchain; - const char *name; - unsigned char *cert_der[MAX_CERTS]; - int cert_len[MAX_CERTS]; - int i, cert_count, res; - - res = 0; - memset(cert_der, 0, sizeof(cert_der)); - memset(&req_ca_vrfy, 0, sizeof req_ca_vrfy); - - /* Send the client certificate */ - if (s->relay->ca_name) { - name = s->relay->ca_name; - req_ca_vrfy.fallback = 0; - } - else { - name = s->helo; - req_ca_vrfy.fallback = 1; - } - if (strlcpy(req_ca_vrfy.name, name, sizeof req_ca_vrfy.name) - >= sizeof req_ca_vrfy.name) - return 0; - - x = SSL_get_peer_certificate(io_ssl(s->io)); - if (x == NULL) - return 0; - xchain = SSL_get_peer_cert_chain(io_ssl(s->io)); - - /* - * Client provided a certificate and possibly a certificate chain. - * SMTP can't verify because it does not have the information that - * it needs, instead it will pass the certificate and chain to the - * lookup process and wait for a reply. 
- * - */ - - cert_len[0] = i2d_X509(x, &cert_der[0]); - X509_free(x); - - if (cert_len[0] < 0) { - log_warnx("warn: failed to encode certificate"); - goto end; - } - log_debug("debug: certificate 0: len=%d", cert_len[0]); - if (cert_len[0] > (int)MAX_CERT_LEN) { - log_warnx("warn: certificate too long"); - goto end; - } - - if (xchain) { - cert_count = sk_X509_num(xchain); - log_debug("debug: certificate chain len: %d", cert_count); - if (cert_count >= MAX_CERTS) { - log_warnx("warn: certificate chain too long"); - goto end; - } - } - else - cert_count = 0; - - for (i = 0; i < cert_count; ++i) { - x = sk_X509_value(xchain, i); - cert_len[i+1] = i2d_X509(x, &cert_der[i+1]); - if (cert_len[i+1] < 0) { - log_warnx("warn: failed to encode certificate"); - goto end; - } - log_debug("debug: certificate %i: len=%d", i+1, cert_len[i+1]); - if (cert_len[i+1] > (int)MAX_CERT_LEN) { - log_warnx("warn: certificate too long"); - goto end; - } - } - - tree_xset(&wait_ssl_verify, s->id, s); - s->flags |= MTA_WAIT; - - /* Send the client certificate */ - req_ca_vrfy.reqid = s->id; - req_ca_vrfy.cert_len = cert_len[0]; - req_ca_vrfy.n_chain = cert_count; - iov[0].iov_base = &req_ca_vrfy; - iov[0].iov_len = sizeof(req_ca_vrfy); - iov[1].iov_base = cert_der[0]; - iov[1].iov_len = cert_len[0]; - m_composev(p_lka, IMSG_MTA_TLS_VERIFY_CERT, 0, 0, -1, - iov, nitems(iov)); - - memset(&req_ca_vrfy, 0, sizeof req_ca_vrfy); - req_ca_vrfy.reqid = s->id; - - /* Send the chain, one cert at a time */ - for (i = 0; i < cert_count; ++i) { - req_ca_vrfy.cert_len = cert_len[i+1]; - iov[1].iov_base = cert_der[i+1]; - iov[1].iov_len = cert_len[i+1]; - m_composev(p_lka, IMSG_MTA_TLS_VERIFY_CHAIN, 0, 0, -1, - iov, nitems(iov)); - } - - /* Tell lookup process that it can start verifying, we're done */ - memset(&req_ca_vrfy, 0, sizeof req_ca_vrfy); - req_ca_vrfy.reqid = s->id; - m_compose(p_lka, IMSG_MTA_TLS_VERIFY, 0, 0, -1, - &req_ca_vrfy, sizeof req_ca_vrfy); - - res = 1; - - end: - for (i = 0; i < 
MAX_CERTS; ++i) - free(cert_der[i]); - - return res; -} - static void mta_cert_init(struct mta_session *s) { diff --git a/usr.sbin/smtpd/pony.c b/usr.sbin/smtpd/pony.c index abbde55e730..aeb7a52204e 100644 --- a/usr.sbin/smtpd/pony.c +++ b/usr.sbin/smtpd/pony.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pony.c,v 1.25 2018/12/11 13:40:30 gilles Exp $ */ +/* $OpenBSD: pony.c,v 1.26 2018/12/23 16:37:53 eric Exp $ */ /* * Copyright (c) 2014 Gilles Chehade @@ -91,8 +91,6 @@ pony_imsg(struct mproc *p, struct imsg *imsg) case IMSG_SMTP_EXPAND_RCPT: case IMSG_SMTP_LOOKUP_HELO: case IMSG_SMTP_AUTHENTICATE: - case IMSG_SMTP_TLS_INIT: - case IMSG_SMTP_TLS_VERIFY: case IMSG_SMTP_MESSAGE_COMMIT: case IMSG_SMTP_MESSAGE_CREATE: case IMSG_SMTP_MESSAGE_OPEN: @@ -117,8 +115,6 @@ pony_imsg(struct mproc *p, struct imsg *imsg) case IMSG_MTA_DNS_HOST: case IMSG_MTA_DNS_HOST_END: case IMSG_MTA_DNS_MX_PREFERENCE: - case IMSG_MTA_TLS_INIT: - case IMSG_MTA_TLS_VERIFY: case IMSG_CTL_RESUME_ROUTE: case IMSG_CTL_MTA_SHOW_HOSTS: case IMSG_CTL_MTA_SHOW_RELAYS: diff --git a/usr.sbin/smtpd/smtp.c b/usr.sbin/smtpd/smtp.c index 61c99e5a32a..921d9f8a6d0 100644 --- a/usr.sbin/smtpd/smtp.c +++ b/usr.sbin/smtpd/smtp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: smtp.c,v 1.163 2018/12/11 13:40:30 gilles Exp $ */ +/* $OpenBSD: smtp.c,v 1.164 2018/12/23 16:37:53 eric Exp $ */ /* * Copyright (c) 2008 Gilles Chehade @@ -66,8 +66,6 @@ smtp_imsg(struct mproc *p, struct imsg *imsg) case IMSG_SMTP_EXPAND_RCPT: case IMSG_SMTP_LOOKUP_HELO: case IMSG_SMTP_AUTHENTICATE: - case IMSG_SMTP_TLS_INIT: - case IMSG_SMTP_TLS_VERIFY: case IMSG_FILTER_SMTP_PROTOCOL: case IMSG_FILTER_SMTP_DATA_BEGIN: smtp_session_imsg(p, imsg); diff --git a/usr.sbin/smtpd/smtp_session.c b/usr.sbin/smtpd/smtp_session.c index 0a3d1025e2b..77081606462 100644 --- a/usr.sbin/smtpd/smtp_session.c +++ b/usr.sbin/smtpd/smtp_session.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: smtp_session.c,v 1.379 2018/12/21 14:41:41 gilles Exp $ */ +/* $OpenBSD: smtp_session.c,v 1.380 2018/12/23 16:37:53 eric Exp $ */ /* * Copyright (c) 2008 Gilles Chehade @@ -189,8 +189,6 @@ static void smtp_rfc4954_auth_plain(struct smtp_session *, char *); static void smtp_rfc4954_auth_login(struct smtp_session *, char *); static void smtp_free(struct smtp_session *, const char *); static const char *smtp_strstate(int); -static void smtp_tls_init(struct smtp_session *); -static int smtp_verify_certificate(struct smtp_session *); static void smtp_cert_init(struct smtp_session *); static void smtp_cert_init_cb(void *, int, const char *, const void *, size_t); static void smtp_cert_verify(struct smtp_session *); @@ -684,18 +682,14 @@ smtp_getaddrinfo_cb(void *arg, int gaierrno, struct addrinfo *ai0) void smtp_session_imsg(struct mproc *p, struct imsg *imsg) { - struct ca_cert_resp_msg *resp_ca_cert; - struct ca_vrfy_resp_msg *resp_ca_vrfy; struct smtp_session *s; struct smtp_rcpt *rcpt; - void *ssl; char user[LOGIN_NAME_MAX]; struct msg m; const char *line, *helo; uint64_t reqid, evpid; uint32_t msgid; int status, success; - void *ssl_ctx; int filter_response; const char *filter_param; uint8_t i; 
@@ -956,47 +950,6 @@ smtp_session_imsg(struct mproc *p, struct imsg *imsg) smtp_enter_state(s, STATE_HELO); return; - case IMSG_SMTP_TLS_INIT: - resp_ca_cert = imsg->data; - s = tree_xpop(&wait_ssl_init, resp_ca_cert->reqid); - - if (resp_ca_cert->status == CA_FAIL) { - log_info("%016"PRIx64" smtp disconnected " - "reason=ca-failure", - s->id); - smtp_free(s, "CA failure"); - return; - } - - resp_ca_cert = xmemdup(imsg->data, sizeof *resp_ca_cert); - resp_ca_cert->cert = xstrdup((char *)imsg->data + - sizeof *resp_ca_cert); - ssl_ctx = dict_get(env->sc_ssl_dict, resp_ca_cert->name); - ssl = ssl_smtp_init(ssl_ctx, s->listener->flags & F_TLS_VERIFY); - io_set_read(s->io); - io_start_tls(s->io, ssl); - - freezero(resp_ca_cert->cert, resp_ca_cert->cert_len); - free(resp_ca_cert); - return; - - case IMSG_SMTP_TLS_VERIFY: - resp_ca_vrfy = imsg->data; - s = tree_xpop(&wait_ssl_verify, resp_ca_vrfy->reqid); - - if (resp_ca_vrfy->status == CA_OK) - s->flags |= SF_VERIFIED; - else if (s->listener->flags & F_TLS_VERIFY) { - log_info("%016"PRIx64" smtp " - "disconnected reason=cert-check-failed", - s->id); - smtp_free(s, "SSL certificate check failed"); - return; - } - smtp_tls_verified(s); - io_resume(s->io, IO_IN); - return; - case IMSG_FILTER_SMTP_PROTOCOL: m_msg(&m, imsg); m_get_id(&m, &reqid); 
@@ -2174,150 +2127,6 @@ smtp_mailaddr(struct mailaddr *maddr, char *line, int mailfrom, char **args, return (1); } -static void -smtp_tls_init(struct smtp_session *s) -{ - struct ca_cert_req_msg req_ca_cert; - - req_ca_cert.reqid = s->id; - if (s->listener->pki_name[0]) { - (void)strlcpy(req_ca_cert.name, s->listener->pki_name, - sizeof req_ca_cert.name); - req_ca_cert.fallback = 0; - } - else { - (void)strlcpy(req_ca_cert.name, s->smtpname, - sizeof req_ca_cert.name); - req_ca_cert.fallback = 1; - } - m_compose(p_lka, IMSG_SMTP_TLS_INIT, 0, 0, -1, - &req_ca_cert, sizeof(req_ca_cert)); - tree_xset(&wait_ssl_init, s->id, s); -} - -static int -smtp_verify_certificate(struct smtp_session *s) -{ -#define MAX_CERTS 16 -#define MAX_CERT_LEN (MAX_IMSGSIZE - (IMSG_HEADER_SIZE + sizeof(req_ca_vrfy))) - struct ca_vrfy_req_msg req_ca_vrfy; - struct iovec iov[2]; - X509 *x; - STACK_OF(X509) *xchain; - const char *name; - unsigned char *cert_der[MAX_CERTS]; - int cert_len[MAX_CERTS]; - int i, cert_count, res; - - res = 0; - memset(cert_der, 0, sizeof(cert_der)); - memset(&req_ca_vrfy, 0, sizeof req_ca_vrfy); - - /* Send the client certificate */ - if (s->listener->ca_name[0]) { - name = s->listener->ca_name; - req_ca_vrfy.fallback = 0; - } - else { - name = s->smtpname; - req_ca_vrfy.fallback = 1; - } - - if (strlcpy(req_ca_vrfy.name, name, sizeof req_ca_vrfy.name) - >= sizeof req_ca_vrfy.name) - return 0; - - x = SSL_get_peer_certificate(io_ssl(s->io)); - if (x == NULL) - return 0; - xchain = SSL_get_peer_cert_chain(io_ssl(s->io)); - - /* - * Client provided a certificate and possibly a certificate chain. - * SMTP can't verify because it does not have the information that - * it needs, instead it will pass the certificate and chain to the - * lookup process and wait for a reply. 
- * - */ - - cert_len[0] = i2d_X509(x, &cert_der[0]); - X509_free(x); - - if (cert_len[0] < 0) { - log_warnx("warn: failed to encode certificate"); - goto end; - } - log_debug("debug: certificate 0: len=%d", cert_len[0]); - if (cert_len[0] > (int)MAX_CERT_LEN) { - log_warnx("warn: certificate too long"); - goto end; - } - - if (xchain) { - cert_count = sk_X509_num(xchain); - log_debug("debug: certificate chain len: %d", cert_count); - if (cert_count >= MAX_CERTS) { - log_warnx("warn: certificate chain too long"); - goto end; - } - } - else - cert_count = 0; - - for (i = 0; i < cert_count; ++i) { - x = sk_X509_value(xchain, i); - cert_len[i+1] = i2d_X509(x, &cert_der[i+1]); - if (cert_len[i+1] < 0) { - log_warnx("warn: failed to encode certificate"); - goto end; - } - log_debug("debug: certificate %i: len=%d", i+1, cert_len[i+1]); - if (cert_len[i+1] > (int)MAX_CERT_LEN) { - log_warnx("warn: certificate too long"); - goto end; - } - } - - tree_xset(&wait_ssl_verify, s->id, s); - - /* Send the client certificate */ - req_ca_vrfy.reqid = s->id; - req_ca_vrfy.cert_len = cert_len[0]; - req_ca_vrfy.n_chain = cert_count; - iov[0].iov_base = &req_ca_vrfy; - iov[0].iov_len = sizeof(req_ca_vrfy); - iov[1].iov_base = cert_der[0]; - iov[1].iov_len = cert_len[0]; - m_composev(p_lka, IMSG_SMTP_TLS_VERIFY_CERT, 0, 0, -1, - iov, nitems(iov)); - - memset(&req_ca_vrfy, 0, sizeof req_ca_vrfy); - req_ca_vrfy.reqid = s->id; - - /* Send the chain, one cert at a time */ - for (i = 0; i < cert_count; ++i) { - req_ca_vrfy.cert_len = cert_len[i+1]; - iov[1].iov_base = cert_der[i+1]; - iov[1].iov_len = cert_len[i+1]; - m_composev(p_lka, IMSG_SMTP_TLS_VERIFY_CHAIN, 0, 0, -1, - iov, nitems(iov)); - } - - /* Tell lookup process that it can start verifying, we're done */ - memset(&req_ca_vrfy, 0, sizeof req_ca_vrfy); - req_ca_vrfy.reqid = s->id; - m_compose(p_lka, IMSG_SMTP_TLS_VERIFY, 0, 0, -1, - &req_ca_vrfy, sizeof req_ca_vrfy); - - res = 1; - - end: - for (i = 0; i < MAX_CERTS; ++i) - 
free(cert_der[i]);
-
- return res;
-}
-
 static void
 smtp_cert_init(struct smtp_session *s)
 {
diff --git a/usr.sbin/smtpd/smtpd.c b/usr.sbin/smtpd/smtpd.c
index 52f4cbc5aae..87344b5377d 100644
--- a/usr.sbin/smtpd/smtpd.c
+++ b/usr.sbin/smtpd/smtpd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: smtpd.c,v 1.314 2018/12/23 14:26:02 gilles Exp $ */
+/* $OpenBSD: smtpd.c,v 1.315 2018/12/23 16:37:53 eric Exp $ */
 /*
 * Copyright (c) 2008 Gilles Chehade
@@ -1970,10 +1970,6 @@ imsg_to_str(int type)
 CASE(IMSG_MTA_LOOKUP_SMARTHOST);
 CASE(IMSG_MTA_OPEN_MESSAGE);
 CASE(IMSG_MTA_SCHEDULE);
- CASE(IMSG_MTA_TLS_INIT);
- CASE(IMSG_MTA_TLS_VERIFY_CERT);
- CASE(IMSG_MTA_TLS_VERIFY_CHAIN);
- CASE(IMSG_MTA_TLS_VERIFY);
 CASE(IMSG_SCHED_ENVELOPE_BOUNCE);
 CASE(IMSG_SCHED_ENVELOPE_DELIVER);
@@ -1990,10 +1986,6 @@ imsg_to_str(int type)
 CASE(IMSG_SMTP_CHECK_SENDER);
 CASE(IMSG_SMTP_EXPAND_RCPT);
 CASE(IMSG_SMTP_LOOKUP_HELO);
- CASE(IMSG_SMTP_TLS_INIT);
- CASE(IMSG_SMTP_TLS_VERIFY_CERT);
- CASE(IMSG_SMTP_TLS_VERIFY_CHAIN);
- CASE(IMSG_SMTP_TLS_VERIFY);
 CASE(IMSG_SMTP_REQ_CONNECT);
 CASE(IMSG_SMTP_REQ_HELO);
diff --git a/usr.sbin/smtpd/smtpd.h b/usr.sbin/smtpd/smtpd.h
index 324e64323c0..47914bd5428 100644
--- a/usr.sbin/smtpd/smtpd.h
+++ b/usr.sbin/smtpd/smtpd.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: smtpd.h,v 1.602 2018/12/23 15:53:24 eric Exp $ */
+/* $OpenBSD: smtpd.h,v 1.603 2018/12/23 16:37:53 eric Exp $ */
 /*
 * Copyright (c) 2008 Gilles Chehade
@@ -275,10 +275,6 @@ enum imsg_type {
 IMSG_MTA_LOOKUP_SMARTHOST,
 IMSG_MTA_OPEN_MESSAGE,
 IMSG_MTA_SCHEDULE,
- IMSG_MTA_TLS_INIT,
- IMSG_MTA_TLS_VERIFY_CERT,
- IMSG_MTA_TLS_VERIFY_CHAIN,
- IMSG_MTA_TLS_VERIFY,
 IMSG_SCHED_ENVELOPE_BOUNCE,
 IMSG_SCHED_ENVELOPE_DELIVER,
@@ -295,10 +291,6 @@ enum imsg_type {
 IMSG_SMTP_CHECK_SENDER,
 IMSG_SMTP_EXPAND_RCPT,
 IMSG_SMTP_LOOKUP_HELO,
- IMSG_SMTP_TLS_INIT,
- IMSG_SMTP_TLS_VERIFY_CERT,
- IMSG_SMTP_TLS_VERIFY_CHAIN,
- IMSG_SMTP_TLS_VERIFY,
 IMSG_SMTP_REQ_CONNECT,
 IMSG_SMTP_REQ_HELO,
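Review bot: Deleting IMSG_MTA_TLS_* and IMSG_SMTP_TLS_* from the middle of `enum imsg_type` (the smtpd.h hunks at -275 and -295) shifts the numeric value of every enumerator that follows them, so the type field carried on the imsg channel changes meaning for all later message kinds with this commit, not just the four removed. That is harmless while every process is forked from one freshly built binary, but any separately installed peer that still speaks the old numbering — whether one exists, and which enumerators follow these, is not visible in this hunk — would misinterpret message types until rebuilt. A one-line note in the commit message, or a comment above the enum such as `/* order is wire ABI between smtpd processes; removing an entry renumbers all that follow */`, would make that rebuild requirement explicit for packagers and for anyone restarting a daemon mid-upgrade. The imsg_to_str() table in smtpd.c is kept in step by the same commit, which is the right place to catch a stale enumerator.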
@@ -1114,37 +1106,6 @@ enum mda_resp_status {
 MDA_PERMFAIL
 };
-struct ca_cert_req_msg {
- uint64_t reqid;
- char name[HOST_NAME_MAX+1];
- int fallback;
-};
-
-struct ca_cert_resp_msg {
- uint64_t reqid;
- enum ca_resp_status status;
- char name[HOST_NAME_MAX+1];
- char *cert;
- off_t cert_len;
-};
-
-struct ca_vrfy_req_msg {
- uint64_t reqid;
- char name[HOST_NAME_MAX+1];
- int fallback;
- unsigned char *cert;
- off_t cert_len;
- size_t n_chain;
- size_t chain_offset;
- unsigned char **chain_cert;
- off_t *chain_cert_len;
-};
-
-struct ca_vrfy_resp_msg {
- uint64_t reqid;
- enum ca_resp_status status;
-};
-
 struct msg_walkinfo {
 struct event ev;
 uint32_t msgid;