On Wed, Nov 16, 2016 at 11:09:43PM +0100, Eric Faurot wrote:
> This diff removes IO_TLSVERIFIED, which is not an io event, and
> inlines the necessary code where the callback functions are called
> for this event.
> 

yes, it was confusing too

ok

> Index: ioev.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/smtpd/ioev.c,v
> retrieving revision 1.27
> diff -u -p -r1.27 ioev.c
> --- ioev.c    16 Nov 2016 21:30:37 -0000      1.27
> +++ ioev.c    16 Nov 2016 21:56:25 -0000
> @@ -118,7 +118,6 @@ io_strevent(int evt)
>       switch (evt) {
>       CASE(IO_CONNECTED);
>       CASE(IO_TLSREADY);
> -     CASE(IO_TLSVERIFIED);
>       CASE(IO_DATAIN);
>       CASE(IO_LOWAT);
>       CASE(IO_DISCONNECTED);
> Index: ioev.h
> ===================================================================
> RCS file: /cvs/src/usr.sbin/smtpd/ioev.h,v
> retrieving revision 1.7
> diff -u -p -r1.7 ioev.h
> --- ioev.h    16 Nov 2016 21:30:37 -0000      1.7
> +++ ioev.h    16 Nov 2016 21:56:25 -0000
> @@ -20,7 +20,6 @@
>  enum {
>       IO_CONNECTED = 0,       /* connection successful        */
>       IO_TLSREADY,            /* TLS started successfully     */
> -     IO_TLSVERIFIED,         /* XXX - needs more work        */
>       IO_TLSERROR,            /* XXX - needs more work        */
>       IO_DATAIN,              /* new data in input buffer     */
>       IO_LOWAT,               /* output queue running low     */
> Index: mta_session.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/smtpd/mta_session.c,v
> retrieving revision 1.84
> diff -u -p -r1.84 mta_session.c
> --- mta_session.c     16 Nov 2016 21:30:37 -0000      1.84
> +++ mta_session.c     16 Nov 2016 21:56:25 -0000
> @@ -259,6 +259,7 @@ mta_session_imsg(struct mproc *p, struct
>       const char              *name;
>       void                    *ssl;
>       int                      dnserror, status;
> +     X509                    *x;
>  
>       switch (imsg->hdr.type) {
>  
> @@ -363,7 +364,22 @@ mta_session_imsg(struct mproc *p, struct
>                       return;
>               }
>  
> -             mta_io(&s->io, IO_TLSVERIFIED, s->io.arg);
> +             x = SSL_get_peer_certificate(s->io.ssl);
> +             if (x) {
> +                     log_info("smtp-out: Server certificate verification %s "
> +                         "on session %016"PRIx64,
> +                         (s->flags & MTA_VERIFIED) ? "succeeded" : "failed",
> +                         s->id);
> +                     X509_free(x);
> +             }
> +
> +             if (s->use_smtps) {
> +                     mta_enter_state(s, MTA_BANNER);
> +                     io_set_read(&s->io);
> +             }
> +             else
> +                     mta_enter_state(s, MTA_EHLO);
> +
>               io_resume(&s->io, IO_PAUSE_IN);
>               io_reload(&s->io);
>               return;
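Review bot: The inlined block logs "failed" when `MTA_VERIFIED` is unset and then enters MTA_BANNER or MTA_EHLO all the same, which reads as if a failed certificate check were ignored. Whether the `return` in the context lines above already ends sessions that require a valid certificate cannot be seen from this hunk; if it does, a comment before the log call would make that explicit, e.g. `/* a required-but-failed check was rejected above; from here the result is only logged */`. The same applies to the smtp_session_imsg hunk at -993, where the context does show `smtp_free(s, "SSL certificate check failed")` ahead of the inlined block. mta_session_imsg starts and ends outside the hunk.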
> @@ -1141,7 +1157,6 @@ mta_io(struct io *io, int evt, void *arg
>       size_t                   len;
>       const char              *error;
>       int                      cont;
> -     X509                    *x;
>  
>       log_trace(TRACE_IO, "mta: %p: %s %s", s, io_strevent(evt),
>           io_strio(io));
> @@ -1170,24 +1185,6 @@ mta_io(struct io *io, int evt, void *arg
>                       io_pause(&s->io, IO_PAUSE_IN);
>                       break;
>               }
> -
> -     case IO_TLSVERIFIED:
> -             x = SSL_get_peer_certificate(s->io.ssl);
> -             if (x) {
> -                     log_info("smtp-out: Server certificate verification %s "
> -                         "on session %016"PRIx64,
> -                         (s->flags & MTA_VERIFIED) ? "succeeded" : "failed",
> -                         s->id);
> -                     X509_free(x);
> -             }
> -
> -             if (s->use_smtps) {
> -                     mta_enter_state(s, MTA_BANNER);
> -                     io_set_read(io);
> -             }
> -             else
> -                     mta_enter_state(s, MTA_EHLO);
> -             break;
>  
>       case IO_DATAIN:
>           nextline:
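Review bot: With `case IO_TLSVERIFIED:` removed, the path that does not take the `break` inside the preceding `if` now falls through into `case IO_DATAIN:` instead of the block that entered MTA_BANNER or MTA_EHLO. The case label and the condition are outside the hunk, so this is inferred from the context lines. The smtp_io hunk at -1266 has the same shape, and its kept comment `/* No verification required, cascade */` shows the fallthrough was intended to reach the removed code. On that path the session would start reading input without the post-TLS state change, and in smtp_io without the banner or the `smtp.smtps`/`smtp.tls` counters. Moving the inlined block into a static helper and calling it from the imsg handler and from this path, e.g. `mta_tls_verified(s);` followed by `break;`, would keep both paths identical.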
> Index: smtp_session.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/smtpd/smtp_session.c,v
> retrieving revision 1.290
> diff -u -p -r1.290 smtp_session.c
> --- smtp_session.c    16 Nov 2016 21:30:37 -0000      1.290
> +++ smtp_session.c    16 Nov 2016 21:56:26 -0000
> @@ -698,6 +698,7 @@ smtp_session_imsg(struct mproc *p, struc
>       uint32_t                         msgid;
>       int                              status, success, dnserror;
>       void                            *ssl_ctx;
> +     X509                            *x;
>  
>       switch (imsg->hdr.type) {
>       case IMSG_SMTP_DNS_PTR:
> @@ -993,7 +994,26 @@ smtp_session_imsg(struct mproc *p, struc
>                       smtp_free(s, "SSL certificate check failed");
>                       return;
>               }
> -             smtp_io(&s->io, IO_TLSVERIFIED, s->io.arg);
> +
> +             x = SSL_get_peer_certificate(s->io.ssl);
> +             if (x) {
> +                     log_info("%016"PRIx64" smtp "
> +                         "event=client-cert-check address=%s host=%s 
> result=\"%s\"",
> +                         s->id, ss_to_text(&s->ss), s->hostname,
> +                         (s->flags & SF_VERIFIED) ? "success" : "failure");
> +                     X509_free(x);
> +             }
> +
> +             if (s->listener->flags & F_SMTPS) {
> +                     stat_increment("smtp.smtps", 1);
> +                     io_set_write(&s->io);
> +                     smtp_send_banner(s);
> +             }
> +             else {
> +                     stat_increment("smtp.tls", 1);
> +                     smtp_enter_state(s, STATE_HELO);
> +             }
> +
>               io_resume(&s->io, IO_PAUSE_IN);
>               return;
>       }
> @@ -1238,7 +1258,6 @@ smtp_io(struct io *io, int evt, void *ar
>       struct smtp_session    *s = arg;
>       char                   *line;
>       size_t                  len;
> -     X509                   *x;
>  
>       log_trace(TRACE_IO, "smtp: %p: %s %s", s, io_strevent(evt),
>           io_strio(io));
> @@ -1266,27 +1285,6 @@ smtp_io(struct io *io, int evt, void *ar
>               }
>  
>               /* No verification required, cascade */
> -
> -     case IO_TLSVERIFIED:
> -             x = SSL_get_peer_certificate(s->io.ssl);
> -             if (x) {
> -                     log_info("%016"PRIx64" smtp "
> -                         "event=client-cert-check address=%s host=%s 
> result=\"%s\"",
> -                         s->id, ss_to_text(&s->ss), s->hostname,
> -                         (s->flags & SF_VERIFIED) ? "success" : "failure");
> -                     X509_free(x);
> -             }
> -
> -             if (s->listener->flags & F_SMTPS) {
> -                     stat_increment("smtp.smtps", 1);
> -                     io_set_write(&s->io);
> -                     smtp_send_banner(s);
> -             }
> -             else {
> -                     stat_increment("smtp.tls", 1);
> -                     smtp_enter_state(s, STATE_HELO);
> -             }
> -             break;
>  
>       case IO_DATAIN:
>           nextline:
> 

-- 
Gilles Chehade

https://www.poolp.org                                          @poolpOrg
