remove unused code

ok millert@

usr.sbin/smtpd/config.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: config.c,v 1.55 2021/04/09 16:43:43 eric Exp $	*/
+/*	$OpenBSD: config.c,v 1.56 2021/05/26 07:05:50 eric Exp $	*/
 
 /*
  * Copyright (c) 2008 Pierre-Yves Ritschard <[email protected]>
@@ -285,7 +285,6 @@ purge_config(uint8_t what)
 		while (dict_poproot(env->sc_pki_dict, (void **)&p)) {
 			freezero(p->pki_cert, p->pki_cert_len);
 			freezero(p->pki_key, p->pki_key_len);
-			EVP_PKEY_free(p->pki_pkey);
 			free(p);
 		}
 		free(env->sc_pki_dict);
@@ -298,8 +297,6 @@ purge_config(uint8_t what)
 			p->pki_cert = NULL;
 			freezero(p->pki_key, p->pki_key_len);
 			p->pki_key = NULL;
-			EVP_PKEY_free(p->pki_pkey);
-			p->pki_pkey = NULL;
 		}
 	}
 }

usr.sbin/smtpd/ssl.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: ssl.c,v 1.94 2021/03/05 12:37:32 eric Exp $	*/
+/*	$OpenBSD: ssl.c,v 1.95 2021/05/26 07:05:50 eric Exp $	*/
 
 /*
  * Copyright (c) 2008 Pierre-Yves Ritschard <[email protected]>
@@ -65,41 +65,7 @@ ssl_init(void)
 	inited = 1;
 }
 
-int
-ssl_setup(SSL_CTX **ctxp, struct pki *pki,
-    int (*sni_cb)(SSL *,int *,void *), const char *ciphers)
-{
-	SSL_CTX	*ctx;
-	uint8_t sid[SSL_MAX_SID_CTX_LENGTH];
-
-	ctx = ssl_ctx_create(pki->pki_name, pki->pki_cert, pki->pki_cert_len, ciphers);
-
-	/*
-	 * Set session ID context to a random value.  We don't support
-	 * persistent caching of sessions so it is OK to set a temporary
-	 * session ID context that is valid during run time.
-	 */
-	arc4random_buf(sid, sizeof(sid));
-	if (!SSL_CTX_set_session_id_context(ctx, sid, sizeof(sid)))
-		goto err;
-
-	if (sni_cb)
-		SSL_CTX_set_tlsext_servername_callback(ctx, sni_cb);
-
-	SSL_CTX_set_dh_auto(ctx, pki->pki_dhe);
-
-	SSL_CTX_set_ecdh_auto(ctx, 1);
-
-	*ctxp = ctx;
-	return 1;
-
-err:
-	SSL_CTX_free(ctx);
-	ssl_error("ssl_setup");
-	return 0;
-}
-
-char *
+static char *
 ssl_load_file(const char *name, off_t *len, mode_t perm)
 {
 	struct stat	 st;
@@ -177,7 +143,7 @@ ssl_password_cb(char *buf, int size, int rwflag, void *u)
 	return ret;
 }
 
-char *
+static char *
 ssl_load_key(const char *name, off_t *len, char *pass, mode_t perm, const char *pkiname)
 {
 	FILE		*fp = NULL;
@@ -253,53 +219,6 @@ ssl_load_key(const char *name, off_t *len, char *pass, mode_t perm, const char *
 	return (NULL);
 }
 
-SSL_CTX *
-ssl_ctx_create(const char *pkiname, char *cert, off_t cert_len, const char *ciphers)
-{
-	SSL_CTX	*ctx;
-	size_t	 pkinamelen = 0;
-
-	ctx = SSL_CTX_new(SSLv23_method());
-	if (ctx == NULL) {
-		ssl_error("ssl_ctx_create");
-		fatal("ssl_ctx_create: could not create SSL context");
-	}
-
-	SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
-	SSL_CTX_set_timeout(ctx, SSL_SESSION_TIMEOUT);
-	SSL_CTX_set_options(ctx,
-	    SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TICKET);
-	SSL_CTX_set_options(ctx,
-	    SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
-	SSL_CTX_set_options(ctx, SSL_OP_NO_CLIENT_RENEGOTIATION);
-	SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
-
-	if (ciphers == NULL)
-		ciphers = SSL_CIPHERS;
-	if (!SSL_CTX_set_cipher_list(ctx, ciphers)) {
-		ssl_error("ssl_ctx_create");
-		fatal("ssl_ctx_create: could not set cipher list");
-	}
-
-	if (cert != NULL) {
-		if (pkiname != NULL)
-			pkinamelen = strlen(pkiname) + 1;
-		if (!SSL_CTX_use_certificate_chain_mem(ctx, cert, cert_len)) {
-			ssl_error("ssl_ctx_create");
-			fatal("ssl_ctx_create: invalid certificate chain");
-		} else if (!ssl_ctx_fake_private_key(ctx,
-		    pkiname, pkinamelen, cert, cert_len, NULL, NULL)) {
-			ssl_error("ssl_ctx_create");
-			fatal("ssl_ctx_create: could not fake private key");
-		} else if (!SSL_CTX_check_private_key(ctx)) {
-			ssl_error("ssl_ctx_create");
-			fatal("ssl_ctx_create: invalid private key");
-		}
-	}
-
-	return (ctx);
-}
-
 int
 ssl_load_certificate(struct pki *p, const char *pathname)
 {
@@ -329,19 +248,6 @@ ssl_load_cafile(struct ca *c, const char *pathname)
 	return 1;
 }
 
-const char *
-ssl_to_text(const SSL *ssl)
-{
-	static char buf[256];
-
-	(void)snprintf(buf, sizeof buf, "%s:%s:%d",
-	    SSL_get_version(ssl),
-	    SSL_get_cipher_name(ssl),
-	    SSL_get_cipher_bits(ssl, NULL));
-
-	return (buf);
-}
-
 void
 ssl_error(const char *where)
 {
@@ -354,103 +260,6 @@ ssl_error(const char *where)
 	}
 }
 
-int
-ssl_load_pkey(const void *data, size_t datalen, char *buf, off_t len,
-    X509 **x509ptr, EVP_PKEY **pkeyptr)
-{
-	BIO		*in;
-	X509		*x509 = NULL;
-	EVP_PKEY	*pkey = NULL;
-	RSA		*rsa = NULL;
-	EC_KEY		*eckey = NULL;
-	void		*exdata = NULL;
-
-	if ((in = BIO_new_mem_buf(buf, len)) == NULL) {
-		SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY, ERR_R_BUF_LIB);
-		return (0);
-	}
-
-	if ((x509 = PEM_read_bio_X509(in, NULL,
-	    ssl_password_cb, NULL)) == NULL) {
-		SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY, ERR_R_PEM_LIB);
-		goto fail;
-	}
-
-	if ((pkey = X509_get_pubkey(x509)) == NULL) {
-		SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY, ERR_R_X509_LIB);
-		goto fail;
-	}
-
-	BIO_free(in);
-	in = NULL;
-
-	if (data != NULL && datalen) {
-		if (((rsa = EVP_PKEY_get1_RSA(pkey)) == NULL &&
-			(eckey = EVP_PKEY_get1_EC_KEY(pkey)) == NULL) ||
-		    (exdata = malloc(datalen)) == NULL) {
-			SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY, ERR_R_EVP_LIB);
-			goto fail;
-		}
-
-		memcpy(exdata, data, datalen);
-		if (rsa)
-			RSA_set_ex_data(rsa, 0, exdata);
-		if (eckey)
-			ECDSA_set_ex_data(eckey, 0, exdata);
-		RSA_free(rsa); /* dereference, will be cleaned up with pkey */
-		EC_KEY_free(eckey); /* dereference, will be cleaned up with pkey */
-	}
-
-	*x509ptr = x509;
-	*pkeyptr = pkey;
-
-	return (1);
-
- fail:
-	RSA_free(rsa);
-	EC_KEY_free(eckey);
-	BIO_free(in);
-	EVP_PKEY_free(pkey);
-	X509_free(x509);
-	free(exdata);
-
-	return (0);
-}
-
-int
-ssl_ctx_fake_private_key(SSL_CTX *ctx, const void *data, size_t datalen,
-    char *buf, off_t len, X509 **x509ptr, EVP_PKEY **pkeyptr)
-{
-	int		 ret = 0;
-	EVP_PKEY	*pkey = NULL;
-	X509		*x509 = NULL;
-
-	if (!ssl_load_pkey(data, datalen, buf, len, &x509, &pkey))
-		return (0);
-
-	/*
-	 * Use the public key as the "private" key - the secret key
-	 * parameters are hidden in an extra process that will be
-	 * contacted by the RSA engine.  The SSL/TLS library needs at
-	 * least the public key parameters in the current process.
-	 */
-	ret = SSL_CTX_use_PrivateKey(ctx, pkey);
-	if (!ret)
-		SSLerr(SSL_F_SSL_CTX_USE_PRIVATEKEY, ERR_LIB_SSL);
-
-	if (pkeyptr != NULL)
-		*pkeyptr = pkey;
-	else
-		EVP_PKEY_free(pkey);
-
-	if (x509ptr != NULL)
-		*x509ptr = x509;
-	else
-		X509_free(x509);
-
-	return (ret);
-}
-
 static void
 hash_x509(X509 *cert, char *hash, size_t hashlen)
 {

usr.sbin/smtpd/ssl.h

@@ -1,4 +1,4 @@
-/*	$OpenBSD: ssl.h,v 1.23 2021/04/11 07:18:08 eric Exp $	*/
+/*	$OpenBSD: ssl.h,v 1.24 2021/05/26 07:05:50 eric Exp $	*/
 /*
  * Copyright (c) 2013 Gilles Chehade <[email protected]>
  *
@@ -15,11 +15,6 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-#include <openssl/ssl.h>
-
-#define SSL_CIPHERS		"HIGH:!aNULL:!MD5"
-#define	SSL_SESSION_TIMEOUT	300
-
 struct pki {
 	char			 pki_name[HOST_NAME_MAX+1];
 
@@ -31,8 +26,6 @@ struct pki {
 	char			*pki_key;
 	off_t			 pki_key_len;
 
-	EVP_PKEY		*pki_pkey;
-
 	int			 pki_dhe;
 };
 
@@ -46,22 +39,9 @@ struct ca {
 
 
 /* ssl.c */
-void		ssl_init(void);
-int		ssl_setup(SSL_CTX **, struct pki *,
-    int (*)(SSL *, int *, void *), const char *);
-SSL_CTX	       *ssl_ctx_create(const char *, char *, off_t, const char *);
-int	        ssl_cmp(struct pki *, struct pki *);
-char	       *ssl_load_file(const char *, off_t *, mode_t);
-char	       *ssl_load_key(const char *, off_t *, char *, mode_t, const char *);
-
-const char     *ssl_to_text(const SSL *);
-void		ssl_error(const char *);
-
-int		ssl_load_certificate(struct pki *, const char *);
-int		ssl_load_keyfile(struct pki *, const char *, const char *);
-int		ssl_load_cafile(struct ca *, const char *);
-int		ssl_load_pkey(const void *, size_t, char *, off_t,
-		    X509 **, EVP_PKEY **);
-int		ssl_ctx_fake_private_key(SSL_CTX *, const void *, size_t,
-		    char *, off_t, X509 **, EVP_PKEY **);
+void ssl_init(void);
+void ssl_error(const char *);
+int ssl_load_certificate(struct pki *, const char *);
+int ssl_load_keyfile(struct pki *, const char *, const char *);
+int ssl_load_cafile(struct ca *, const char *);
 char *ssl_pubkey_hash(const char *, off_t);