Hi,

This patch adds the missing bits for verifying the server certificate
in smtp(1).

Eric.

Index: smtpc.c
===================================================================
RCS file: /cvs/src/usr.sbin/smtpd/smtpc.c,v
retrieving revision 1.8
diff -u -p -r1.8 smtpc.c
--- smtpc.c     2 Sep 2019 20:05:21 -0000       1.8
+++ smtpc.c     6 Sep 2019 06:39:15 -0000
@@ -20,6 +20,7 @@
 #include <sys/socket.h>
 
 #include <event.h>
+#include <limits.h>
 #include <netdb.h>
 #include <pwd.h>
 #include <resolv.h>
@@ -30,12 +31,12 @@
 #include <syslog.h>
 #include <unistd.h>
 
+#include <openssl/ssl.h>
+
 #include "smtp.h"
+#include "ssl.h"
 #include "log.h"
 
-void ssl_init(void);
-void *ssl_mta_init(void *, char *, off_t, const char *);
-
 static void parse_server(char *);
 static void parse_message(FILE *);
 static void resume(void);
@@ -47,6 +48,8 @@ static struct addrinfo *res0, *ai;
 static struct smtp_params params;
 static struct smtp_mail mail;
 
+static SSL_CTX *ssl_ctx;
+
 static void
 usage(void)
 {
@@ -132,6 +135,13 @@ main(int argc, char **argv)
        ssl_init();
        event_init();
 
+       ssl_ctx = ssl_ctx_create(NULL, NULL, 0, NULL);
+       if (!SSL_CTX_load_verify_locations(ssl_ctx, "/etc/ssl/cert.pem", NULL))
+               fatal("SSL_CTX_load_verify_locations");
+       if (!SSL_CTX_set_ssl_version(ssl_ctx, SSLv23_client_method()))
+               fatal("SSL_CTX_set_ssl_version");
+       SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_NONE , NULL);
+
        if (pledge("stdio inet dns tmppath", NULL) == -1)
                fatal("pledge");
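Review bot: `SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_NONE , NULL)` lets every handshake complete regardless of the chain, so correctness now rests entirely on smtp_verify_server_cert() being invoked for each TLS session and reading `SSL_get_verify_result()`; that dependency deserves a comment on the line, e.g. `/* Verification is deferred: the chain result is read in smtp_verify_server_cert(). */`, and the stray space before the comma should go. The trust store path `/etc/ssl/cert.pem` is hard-coded; if the build already has a define for the system CA bundle it would be cleaner to use it, otherwise a one-line comment naming it as the system default helps. The surrounding main() starts and ends outside this hunk.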
 
@@ -330,20 +340,34 @@ log_trace(int lvl, const char *emsg, ...
 void
 smtp_verify_server_cert(void *tag, struct smtp_client *proto, void *ctx)
 {
-       log_debug("validating server certificate...");
+       SSL *ssl = ctx;
+       X509 *cert;
+       long res;
+
+       if ((cert = SSL_get_peer_certificate(ssl))) {
+               X509_free(cert);
+               res = SSL_get_verify_result(ssl);
+               if (res == X509_V_OK) {
+                       log_debug("valid certificate");
+                       smtp_cert_verified(proto, CERT_OK);
+                       return;
+               }
+               log_debug("certificate validation error %ld", res);
+       }
+       else
+               log_debug("no certificate provided");
 
-       /* Not implemented for now. */
-       smtp_cert_verified(proto, CERT_UNKNOWN);
+       smtp_cert_verified(proto, CERT_INVALID);
 }
 
 void
 smtp_require_tls(void *tag, struct smtp_client *proto)
 {
-       void *ctx;
-
-       ctx = ssl_mta_init(NULL, NULL, 0, NULL);
+       SSL *ssl = NULL;
 
-       smtp_set_tls(proto, ctx);
+       if ((ssl = SSL_new(ssl_ctx)) == NULL)
+               fatal("SSL_new");
+       smtp_set_tls(proto, ssl);
 }
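Review bot: smtp_verify_server_cert() reports CERT_OK for any certificate whose chain verifies against the loaded store, but never checks that the certificate was issued for the host being connected to, so a valid certificate for any other name passes; the peer certificate is also freed immediately after it is fetched, before any such check could look at it. The chain result should be read first, then the name bound with `X509_check_host()` (or an equivalent) while the certificate is still held, freeing it afterwards; the server name presumably comes from parse_server(), which is not visible in this hunk, so it appears as a placeholder below. Whether SNI is set on the SSL object elsewhere in smtp_client is not visible here either and is worth confirming, since the name check and SNI should agree. In smtp_require_tls() the `= NULL` initializer on `ssl` is dead, as the variable is assigned on the next line.
```c
void
smtp_verify_server_cert(void *tag, struct smtp_client *proto, void *ctx)
{
	SSL *ssl = ctx;
	X509 *cert;
	long res;

	if ((cert = SSL_get_peer_certificate(ssl)) == NULL) {
		log_debug("no certificate provided");
		goto invalid;
	}
	res = SSL_get_verify_result(ssl);
	if (res != X509_V_OK) {
		log_debug("certificate validation error %ld", res);
		X509_free(cert);
		goto invalid;
	}
	/* Chain is trusted; bind it to the name we connected to. */
	if (X509_check_host(cert, SERVER_NAME_PLACEHOLDER /* TODO: host from parse_server() */,
	    0, 0, NULL) != 1) {
		log_debug("certificate does not match server name");
		X509_free(cert);
		goto invalid;
	}
	X509_free(cert);
	log_debug("valid certificate");
	smtp_cert_verified(proto, CERT_OK);
	return;

invalid:
	smtp_cert_verified(proto, CERT_INVALID);
}
```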
 
 void
Index: smtp/Makefile
===================================================================
RCS file: /cvs/src/usr.sbin/smtpd/smtp/Makefile,v
retrieving revision 1.2
diff -u -p -r1.2 Makefile
--- smtp/Makefile       12 Jun 2019 17:42:53 -0000      1.2
+++ smtp/Makefile       5 Sep 2019 18:42:07 -0000
@@ -13,7 +13,6 @@ SRCS+=        log.c
 SRCS+= smtp_client.c
 SRCS+= smtpc.c
 SRCS+= ssl.c
-SRCS+= ssl_smtpd.c
 
 CPPFLAGS+= -DIO_TLS
 
