From 735c6a189a721f451e7d7dc170c4279675be1e3a Mon Sep 17 00:00:00 2001
From: jsing
Date: Wed, 21 Oct 2015 16:44:28 +0000
Subject: [PATCH] Only enable SSL_VERIFY_PEER when the verify option is set on a listener.

Always enabling SSL_VERIFY_PEER unnecessarily increases the number of messages/bytes in the TLS handshake and increases our attack surface, since we request and then process client certificates.

ok gilles@
---
 usr.sbin/smtpd/smtp_session.c | 5 +++--
 usr.sbin/smtpd/smtpd.h | 4 ++--
 usr.sbin/smtpd/ssl_smtpd.c | 7 ++++---
 3 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/usr.sbin/smtpd/smtp_session.c b/usr.sbin/smtpd/smtp_session.c
index 9ba6fa683de..6f745459c14 100644
--- a/usr.sbin/smtpd/smtp_session.c
+++ b/usr.sbin/smtpd/smtp_session.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: smtp_session.c,v 1.237 2015/10/16 21:13:33 sthen Exp $ */
+/* $OpenBSD: smtp_session.c,v 1.238 2015/10/21 16:44:28 jsing Exp $ */
 /*
 * Copyright (c) 2008 Gilles Chehade
@@ -828,7 +828,8 @@ smtp_session_imsg(struct mproc *p, struct imsg *imsg)
 pkiname = s->smtpname;
 ssl_ctx = dict_get(env->sc_ssl_dict, pkiname);
-ssl = ssl_smtp_init(ssl_ctx, smtp_sni_callback);
+ssl = ssl_smtp_init(ssl_ctx, smtp_sni_callback,
+s->listener->flags & F_TLS_VERIFY);
 io_set_read(&s->io);
 io_start_tls(&s->io, ssl);
diff --git a/usr.sbin/smtpd/smtpd.h b/usr.sbin/smtpd/smtpd.h
index 0c6228f0f41..56c9bcc9218 100644
--- a/usr.sbin/smtpd/smtpd.h
+++ b/usr.sbin/smtpd/smtpd.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: smtpd.h,v 1.478 2015/10/17 22:24:36 gilles Exp $ */
+/* $OpenBSD: smtpd.h,v 1.479 2015/10/21 16:44:28 jsing Exp $ */
 /*
 * Copyright (c) 2008 Gilles Chehade
@@ -1324,7 +1324,7 @@ int fork_proc_backend(const char *, const char *, const char *);
 /* ssl_smtpd.c */
 void *ssl_mta_init(void *, char *, off_t);
-void *ssl_smtp_init(void *, void *);
+void *ssl_smtp_init(void *, void *, int);
 /* stat_backend.c */
diff --git a/usr.sbin/smtpd/ssl_smtpd.c b/usr.sbin/smtpd/ssl_smtpd.c
index 74fa20726ee..87450eb1f5a 100644
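Review bot: The new third parameter of `ssl_smtp_init` in the smtpd.h hunk is a bare `int` whose meaning is not stated, and the header's prototypes carry no parameter names, so a caller reading the declaration cannot tell what to pass. A short comment on the declaration, `/* third arg: non-zero enables SSL_VERIFY_PEER, i.e. a client certificate is requested */`, would make the contract visible where callers look for it. The smtp_session.c call site passes the masked value `s->listener->flags & F_TLS_VERIFY` rather than 0/1, which works because ssl_smtp_init only tests the argument for non-zero, but normalising it with `!= 0` would keep the `int` flag semantics explicit if the parameter is ever compared against a specific value.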
--- a/usr.sbin/smtpd/ssl_smtpd.c
+++ b/usr.sbin/smtpd/ssl_smtpd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_smtpd.c,v 1.9 2015/04/19 20:29:12 gilles Exp $ */
+/* $OpenBSD: ssl_smtpd.c,v 1.10 2015/10/21 16:44:28 jsing Exp $ */
 /*
 * Copyright (c) 2008 Pierre-Yves Ritschard
@@ -82,14 +82,15 @@ dummy_verify(int ok, X509_STORE_CTX *store)
 }
 void *
-ssl_smtp_init(void *ssl_ctx, void *sni)
+ssl_smtp_init(void *ssl_ctx, void *sni, int verify)
 {
 SSL *ssl = NULL;
 int (*cb)(SSL *,int *,void *) = sni;
 log_debug("debug: session_start_ssl: switching to SSL");
-SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, dummy_verify);
+if (verify)
+SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, dummy_verify);
 if (cb)
 SSL_CTX_set_tlsext_servername_callback(ssl_ctx, cb);
-- 
2.20.1
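Review bot: The new `if (verify)` has no else branch, yet the verify mode is written to `ssl_ctx`, which smtp_session.c obtains per pkiname from a shared dictionary while the decision comes from the per-listener F_TLS_VERIFY flag; once a verifying listener has set SSL_VERIFY_PEER on a context, a later session on a non-verifying listener that resolves to the same context would keep requesting client certificates. If contexts can be shared between listeners with differing verify settings, the mode should be set on every call, `SSL_CTX_set_verify(ssl_ctx, verify ? SSL_VERIFY_PEER : SSL_VERIFY_NONE, verify ? dummy_verify : NULL);`, or applied to the per-session object with `SSL_set_verify` once `ssl` is created so the shared context is never mutated per session. The body of ssl_smtp_init continues past the end of the hunk, so where `ssl` is created is not visible here.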