Hi, this patch adds the missing bits for verifying the server certificate in smtp(1).
Eric.
Index: smtpc.c
===================================================================
RCS file: /cvs/src/usr.sbin/smtpd/smtpc.c,v
retrieving revision 1.8
diff -u -p -r1.8 smtpc.c
--- smtpc.c 2 Sep 2019 20:05:21 -0000 1.8
+++ smtpc.c 6 Sep 2019 06:39:15 -0000
@@ -20,6 +20,7 @@
 #include <sys/socket.h>
 #include <event.h>
+#include <limits.h>
 #include <netdb.h>
 #include <pwd.h>
 #include <resolv.h>
@@ -30,12 +31,12 @@
 #include <syslog.h>
 #include <unistd.h>
+#include <openssl/ssl.h>
+
 #include "smtp.h"
+#include "ssl.h"
 #include "log.h"
-void ssl_init(void);
-void *ssl_mta_init(void *, char *, off_t, const char *);
-
 static void parse_server(char *);
 static void parse_message(FILE *);
 static void resume(void);
@@ -47,6 +48,8 @@ static struct addrinfo *res0, *ai;
 static struct smtp_params params;
 static struct smtp_mail mail;
+static SSL_CTX *ssl_ctx;
+
 static void
 usage(void)
 {
@@ -132,6 +135,13 @@ main(int argc, char **argv)
 ssl_init();
 event_init();
+ ssl_ctx = ssl_ctx_create(NULL, NULL, 0, NULL);
+ if (!SSL_CTX_load_verify_locations(ssl_ctx, "/etc/ssl/cert.pem", NULL))
+ fatal("SSL_CTX_load_verify_locations");
+ if (!SSL_CTX_set_ssl_version(ssl_ctx, SSLv23_client_method()))
+ fatal("SSL_CTX_set_ssl_version");
+ SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_NONE , NULL);
+
 if (pledge("stdio inet dns tmppath", NULL) == -1)
 fatal("pledge");
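Review bot: `SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_NONE , NULL)` lets the handshake complete with any chain, so the only thing that can reject a bad server certificate is what the smtp_client layer does with the CERT_INVALID reported later from smtp_verify_server_cert, and that enforcement is outside this diff and should be confirmed. A comment on this line would stop a later reader from taking SSL_VERIFY_NONE to mean "no verification": `/* SSL_VERIFY_NONE: chain errors do not abort the handshake; smtp_verify_server_cert() reads the result and reports CERT_INVALID. */`. The value returned by `ssl_ctx_create()` goes straight into SSL_CTX_load_verify_locations; if that helper can return NULL instead of calling fatal(), check it first. Also drop the stray space in `SSL_VERIFY_NONE ,`. main() continues outside the hunk.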
@@ -330,20 +340,34 @@ log_trace(int lvl, const char *emsg, ...
 void
 smtp_verify_server_cert(void *tag, struct smtp_client *proto, void *ctx)
 {
- log_debug("validating server certificate...");
+ SSL *ssl = ctx;
+ X509 *cert;
+ long res;
+
+ if ((cert = SSL_get_peer_certificate(ssl))) {
+ X509_free(cert);
+ res = SSL_get_verify_result(ssl);
+ if (res == X509_V_OK) {
+ log_debug("valid certificate");
+ smtp_cert_verified(proto, CERT_OK);
+ return;
+ }
+ log_debug("certificate validation error %ld", res);
+ }
+ else
+ log_debug("no certificate provided");
- /* Not implemented for now. */
- smtp_cert_verified(proto, CERT_UNKNOWN);
+ smtp_cert_verified(proto, CERT_INVALID);
 }
 void
 smtp_require_tls(void *tag, struct smtp_client *proto)
 {
- void *ctx;
-
- ctx = ssl_mta_init(NULL, NULL, 0, NULL);
+ SSL *ssl = NULL;
- smtp_set_tls(proto, ctx);
+ if ((ssl = SSL_new(ssl_ctx)) == NULL)
+ fatal("SSL_new");
+ smtp_set_tls(proto, ssl);
 }
 void
Index: smtp/Makefile
===================================================================
RCS file: /cvs/src/usr.sbin/smtpd/smtp/Makefile,v
retrieving revision 1.2
diff -u -p -r1.2 Makefile
--- smtp/Makefile 12 Jun 2019 17:42:53 -0000 1.2
+++ smtp/Makefile 5 Sep 2019 18:42:07 -0000
@@ -13,7 +13,6 @@ SRCS+= log.c
 SRCS+= smtp_client.c
 SRCS+= smtpc.c
 SRCS+= ssl.c
-SRCS+= ssl_smtpd.c
 CPPFLAGS+= -DIO_TLS
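Review bot: smtp_verify_server_cert accepts any certificate that chains to cert.pem no matter which host it was issued to, because SSL_get_verify_result reports chain validity only and nothing in the new code binds the expected server name to the SSL object. Before the handshake, smtp_require_tls should set the name the user connected to (whatever parse_server stored; that variable is outside this hunk) with `SSL_set1_host(ssl, servname)`, or `X509_VERIFY_PARAM_set1_host(SSL_get0_param(ssl), servname, 0)` if the tree's libssl lacks the former, so that a mismatch surfaces here as X509_V_ERR_HOSTNAME_MISMATCH and ends in CERT_INVALID like any other chain error. Releasing the X509 right after SSL_get_peer_certificate is fine since only its presence is tested, but a one-line comment saying so would help: `/* only care that a cert was sent; the verify result carries the outcome */`. Finally, the stacked `}` / `else` is not KNF; write `} else` on one line.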