diff --git a/postfix/HISTORY b/postfix/HISTORY index 282a31c7d..1cdc562cd 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -27207,3 +27207,16 @@ Apologies for any names omitted. tls/tls_misc.c, tls/tls_proxy_client_print.c, tls/tls_proxy_client_scan.c, tls/tls_proxy.h, tls/tls_server.c, tlsproxy/tlsproxy.c. + +20230523 + + Cleanup: use TLS_CLIENT_PARAMS to pass the OpensSSL 'init' + configuration settings. These are global, i.e. apply to all + client TLS contexts, and they do not belong in tls_client_init() + or tls_client_start() calls. The tlsproxy(8) server uses + TLS_CLIENT_PARAMS information to warn about differences + between its own global TLS settings, and those from its + clients. Files: posttls-finger/posttls-finger.c, smtp/smtp.c, + smtp/smtp_proto.c, tls/tls.h, tls/tls_proxy_client_misc.c, + tls/tls_proxy_client_print.c, tls/tls_proxy_client_scan.c, + tls/tls_proxy.h, tlsproxy/tlsproxy.c. diff --git a/postfix/WISHLIST b/postfix/WISHLIST index a041835b3..43f0baadc 100644 --- a/postfix/WISHLIST +++ b/postfix/WISHLIST @@ -1,9 +1,5 @@ Wish list: - In tlsproxy, diff the server-side TLS library settings - against those from a tlsproxy client, and make sure that - the diff covers the new cnf_file and cnf_name properties. - Things to do before the stable release: make pre-release-check, HTML validator check. diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index 924362f83..16046d9c1 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,7 +20,7 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20230521" +#define MAIL_RELEASE_DATE "20230523" #define MAIL_VERSION_NUMBER "3.9" #ifdef SNAPSHOT diff --git a/postfix/src/posttls-finger/posttls-finger.c b/postfix/src/posttls-finger/posttls-finger.c index 027fd9a89..b9a46999d 100644 --- a/postfix/src/posttls-finger/posttls-finger.c 
+++ b/postfix/src/posttls-finger/posttls-finger.c @@ -793,8 +793,6 @@ static int starttls(STATE *state) * Send all our wishes in one big request. */ TLS_PROXY_CLIENT_INIT_PROPS(&init_props, - cnf_file = var_tls_cnf_file, - cnf_name = var_tls_cnf_name, log_param = "-L option", log_level = state->options.logopts, verifydepth = DEF_SMTP_TLS_SCERT_VD, @@ -1856,8 +1854,6 @@ static void tls_init(STATE *state) /* Needed for tls_dane_avail() and other DANE-related processing. */ state->tls_ctx = TLS_CLIENT_INIT(&props, - cnf_file = var_tls_cnf_file, - cnf_name = var_tls_cnf_name, log_param = "-L option", log_level = state->options.logopts, verifydepth = DEF_SMTP_TLS_SCERT_VD, diff --git a/postfix/src/smtp/smtp.c b/postfix/src/smtp/smtp.c index 793802a5f..56096ac6c 100644 --- a/postfix/src/smtp/smtp.c +++ b/postfix/src/smtp/smtp.c @@ -1512,8 +1512,6 @@ static void pre_init(char *unused_name, char **unused_argv) */ smtp_tls_ctx = TLS_CLIENT_INIT(&props, - cnf_file = var_tls_cnf_file, - cnf_name = var_tls_cnf_name, log_param = VAR_LMTP_SMTP(TLS_LOGLEVEL), log_level = var_smtp_tls_loglevel, verifydepth = var_smtp_tls_scert_vd, diff --git a/postfix/src/smtp/smtp_proto.c b/postfix/src/smtp/smtp_proto.c index 4bbec9405..097d51842 100644 --- a/postfix/src/smtp/smtp_proto.c +++ b/postfix/src/smtp/smtp_proto.c @@ -911,8 +911,6 @@ static int smtp_start_tls(SMTP_STATE *state) * Send all our wishes in one big request. */ TLS_PROXY_CLIENT_INIT_PROPS(&init_props, - cnf_file = var_tls_cnf_file, - cnf_name = var_tls_cnf_name, log_param = VAR_LMTP_SMTP(TLS_LOGLEVEL), log_level = var_smtp_tls_loglevel, verifydepth = var_smtp_tls_scert_vd, diff --git a/postfix/src/tls/tls.h b/postfix/src/tls/tls.h index 90100cd37..56a92968d 100644 --- a/postfix/src/tls/tls.h +++ b/postfix/src/tls/tls.h 
@@ -451,8 +451,6 @@ extern void tls_get_signature_params(TLS_SESS_STATE *); * tls_client.c */ typedef struct { - const char *cnf_file; - const char *cnf_name; const char *log_param; const char *log_level; int verifydepth; @@ -498,16 +496,16 @@ extern TLS_SESS_STATE *tls_client_post_connect(TLS_SESS_STATE *, tls_session_stop(ctx, (stream), (timeout), (failure), (TLScontext)) #define TLS_CLIENT_INIT_ARGS(props, a1, a2, a3, a4, a5, a6, a7, a8, a9, \ - a10, a11, a12, a13, a14, a15, a16) \ + a10, a11, a12, a13, a14) \ (((props)->a1), ((props)->a2), ((props)->a3), ((props)->a4), \ ((props)->a5), ((props)->a6), ((props)->a7), ((props)->a8), \ ((props)->a9), ((props)->a10), ((props)->a11), ((props)->a12), \ - ((props)->a13), ((props)->a14), ((props)->a15), ((props)->a16), (props)) + ((props)->a13), ((props)->a14), (props)) #define TLS_CLIENT_INIT(props, a1, a2, a3, a4, a5, a6, a7, a8, a9, \ - a10, a11, a12, a13, a14, a15, a16) \ + a10, a11, a12, a13, a14) \ tls_client_init(TLS_CLIENT_INIT_ARGS(props, a1, a2, a3, a4, a5, \ - a6, a7, a8, a9, a10, a11, a12, a13, a14, a15, a16)) + a6, a7, a8, a9, a10, a11, a12, a13, a14)) #define TLS_CLIENT_START(props, a1, a2, a3, a4, a5, a6, a7, a8, a9, \ a10, a11, a12, a13, a14, a15, a16, a17) \ diff --git a/postfix/src/tls/tls_proxy.h b/postfix/src/tls/tls_proxy.h index 70c188a91..9bb94769a 100644 --- a/postfix/src/tls/tls_proxy.h +++ b/postfix/src/tls/tls_proxy.h @@ -32,8 +32,10 @@ #ifdef USE_TLS /* - * TLS_CLIENT_PARAMS structure. If this changes, update all - * TLS_CLIENT_PARAMS related functions in tls_proxy_client_*.c. + * TLS_CLIENT_PARAMS structure, to communicate global TLS library settings + * that are the same for all TLS client contexts. This information is used + * in tlsproxy(8) to detect inconsistencies. If this structure is changed, + * update all TLS_CLIENT_PARAMS related functions in tls_proxy_client_*.c. * * In the serialization these attributes are identified by their configuration * parameter names. 
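Review bot: The typedef hunk just above drops cnf_file/cnf_name from TLS_CLIENT_INIT_PROPS without saying where the settings went, while this hunk's arity change to TLS_CLIENT_INIT_ARGS/TLS_CLIENT_INIT turns any stale caller into a compile error, which is the right failure mode. A one-line comment inside the typedef, `/* OpenSSL cnf_file/cnf_name are global settings; see TLS_CLIENT_PARAMS in tls_proxy.h */`, would keep a future change from re-adding them as per-context properties. tls_client.c is not part of this diff, so presumably tls_client_init() never read the two removed fields and takes the OpenSSL configuration from the var_tls_cnf_file/var_tls_cnf_name globals; worth confirming, because otherwise the removal would silently drop the settings for non-proxied clients.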
@@ -44,6 +46,8 @@ * VAR_TLS_SERVER_SNI_MAPS. */ typedef struct TLS_CLIENT_PARAMS { + char *tls_cnf_file; + char *tls_cnf_name; char *tls_high_clist; char *tls_medium_clist; char *tls_null_clist; @@ -64,12 +68,12 @@ typedef struct TLS_CLIENT_PARAMS { } TLS_CLIENT_PARAMS; #define TLS_PROXY_PARAMS(params, a1, a2, a3, a4, a5, a6, a7, a8, \ - a9, a10, a11, a12, a13, a14, a15, a16, a17) \ + a9, a10, a11, a12, a13, a14, a15, a16, a17, a18, a19) \ (((params)->a1), ((params)->a2), ((params)->a3), \ ((params)->a4), ((params)->a5), ((params)->a6), ((params)->a7), \ ((params)->a8), ((params)->a9), ((params)->a10), ((params)->a11), \ ((params)->a12), ((params)->a13), ((params)->a14), ((params)->a15), \ - ((params)->a16), ((params)->a17)) + ((params)->a16), ((params)->a17), ((params)->a18), ((params)->a19)) /* * tls_proxy_client_param_misc.c, tls_proxy_client_param_print.c, and @@ -97,12 +101,11 @@ extern VSTREAM *tls_proxy_open(const char *, int, VSTREAM *, const char *, void *, void *, void *); #define TLS_PROXY_CLIENT_INIT_PROPS(props, a1, a2, a3, a4, a5, a6, a7, a8, \ - a9, a10, a11, a12, a13, a14, a15, a16) \ + a9, a10, a11, a12, a13, a14) \ (((props)->a1), ((props)->a2), ((props)->a3), \ ((props)->a4), ((props)->a5), ((props)->a6), ((props)->a7), \ ((props)->a8), ((props)->a9), ((props)->a10), ((props)->a11), \ - ((props)->a12), ((props)->a13), ((props)->a14), ((props)->a15), \ - ((props)->a16)) + ((props)->a12), ((props)->a13), ((props)->a14)) #define TLS_PROXY_CLIENT_START_PROPS(props, a1, a2, a3, a4, a5, a6, a7, a8, \ a9, a10, a11, a12, a13, a14) \ diff --git a/postfix/src/tls/tls_proxy_client_misc.c b/postfix/src/tls/tls_proxy_client_misc.c index e9a24ea79..a8fb45cb2 100644 --- a/postfix/src/tls/tls_proxy_client_misc.c +++ b/postfix/src/tls/tls_proxy_client_misc.c 
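Review bot: The two new TLS_CLIENT_PARAMS fields inherit the struct's unstated ownership rule, and that rule differs by producer: tls_proxy_client_param_from_config() stores the var_tls_cnf_file/var_tls_cnf_name configuration pointers directly, while tls_proxy_client_param_scan() stores vstring_export() heap copies that tls_proxy_client_param_free() releases with myfree(). A structure filled by from_config must therefore never reach param_free, and nothing at the declaration says so. A comment on the struct, `/* Strings are either borrowed from configuration globals (param_from_config) or owned heap copies (param_scan); only the latter may be passed to tls_proxy_client_param_free(). */`, would make that visible where the fields are declared. This is pre-existing for the other string fields, but the hunk that grows the struct is the natural place to record it.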
@@ -66,6 +66,8 @@ TLS_CLIENT_PARAMS *tls_proxy_client_param_from_config(TLS_CLIENT_PARAMS *params) { TLS_PROXY_PARAMS(params, + tls_cnf_file = var_tls_cnf_file, + tls_cnf_name = var_tls_cnf_name, tls_high_clist = var_tls_high_clist, tls_medium_clist = var_tls_medium_clist, tls_null_clist = var_tls_null_clist, diff --git a/postfix/src/tls/tls_proxy_client_print.c b/postfix/src/tls/tls_proxy_client_print.c index 39a1e1c74..1cc5778eb 100644 --- a/postfix/src/tls/tls_proxy_client_print.c +++ b/postfix/src/tls/tls_proxy_client_print.c @@ -95,6 +95,8 @@ int tls_proxy_client_param_print(ATTR_PRINT_COMMON_FN print_fn, VSTREAM *fp, msg_info("begin tls_proxy_client_param_print"); ret = print_fn(fp, flags | ATTR_FLAG_MORE, + SEND_ATTR_STR(TLS_ATTR_CNF_FILE, params->tls_cnf_file), + SEND_ATTR_STR(TLS_ATTR_CNF_NAME, params->tls_cnf_name), SEND_ATTR_STR(VAR_TLS_HIGH_CLIST, params->tls_high_clist), SEND_ATTR_STR(VAR_TLS_MEDIUM_CLIST, params->tls_medium_clist), @@ -144,10 +146,6 @@ int tls_proxy_client_init_print(ATTR_PRINT_COMMON_FN print_fn, VSTREAM *fp, #define STRING_OR_EMPTY(s) ((s) ? (s) : "") ret = print_fn(fp, flags | ATTR_FLAG_MORE, - SEND_ATTR_STR(TLS_ATTR_CNF_FILE, - STRING_OR_EMPTY(props->cnf_file)), - SEND_ATTR_STR(TLS_ATTR_CNF_NAME, - STRING_OR_EMPTY(props->cnf_name)), SEND_ATTR_STR(TLS_ATTR_LOG_PARAM, STRING_OR_EMPTY(props->log_param)), SEND_ATTR_STR(TLS_ATTR_LOG_LEVEL, diff --git a/postfix/src/tls/tls_proxy_client_scan.c b/postfix/src/tls/tls_proxy_client_scan.c index 914710649..a69388c96 100644 --- a/postfix/src/tls/tls_proxy_client_scan.c +++ b/postfix/src/tls/tls_proxy_client_scan.c @@ -121,6 +121,8 @@ void tls_proxy_client_param_free(TLS_CLIENT_PARAMS *params) { + myfree(params->tls_cnf_file); + myfree(params->tls_cnf_name); myfree(params->tls_high_clist); myfree(params->tls_medium_clist); myfree(params->tls_null_clist); 
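Review bot: Nothing in the diff visibly compares the new tls_cnf_file/tls_cnf_name fields between tlsproxy's own TLS_CLIENT_PARAMS and a client's, even though HISTORY and the removed WISHLIST item give that comparison as the purpose; this hunk only fills the fields from configuration, and the tlsproxy.c hunk merely drops them from init_props. If tlsproxy(8) detects mismatches by comparing the output of tls_proxy_client_param_print(), which this diff does extend, the new fields are covered; if any routine compares the struct field by field, it needs the same two additions. Either way a comment at the top of this function, `/* Keep in sync with the TLS_CLIENT_PARAMS struct, the print/scan functions, and the mismatch check in tlsproxy(8). */`, would make the dependency explicit. tls_proxy_client_param_from_config() continues past the end of the hunk.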
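Review bot: `SEND_ATTR_STR(TLS_ATTR_CNF_FILE, params->tls_cnf_file)` and the tls_cnf_name line below it pass the pointers unguarded, whereas the lines removed from tls_proxy_client_init_print() in the next hunk wrapped the same values in STRING_OR_EMPTY(). That matches the neighbouring tls_high_clist and tls_medium_clist fields, and is safe only while every TLS_CLIENT_PARAMS producer guarantees non-NULL strings, which the visible producers do (param_from_config assigns the configuration globals, param_scan assigns vstring_export() results). A one-line comment above the print_fn() call, `/* All string fields are non-NULL: see param_from_config() and param_scan(). */`, would record the invariant the unguarded sends rely on. tls_proxy_client_param_print() continues past the end of the hunk.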
@@ -144,6 +146,8 @@ int tls_proxy_client_param_scan(ATTR_SCAN_COMMON_FN scan_fn, VSTREAM *fp, TLS_CLIENT_PARAMS *params = (TLS_CLIENT_PARAMS *) mymalloc(sizeof(*params)); int ret; + VSTRING *cnf_file = vstring_alloc(25); + VSTRING *cnf_name = vstring_alloc(25); VSTRING *tls_high_clist = vstring_alloc(25); VSTRING *tls_medium_clist = vstring_alloc(25); VSTRING *tls_null_clist = vstring_alloc(25); @@ -165,6 +169,8 @@ int tls_proxy_client_param_scan(ATTR_SCAN_COMMON_FN scan_fn, VSTREAM *fp, */ memset(params, 0, sizeof(*params)); ret = scan_fn(fp, flags | ATTR_FLAG_MORE, + RECV_ATTR_STR(TLS_ATTR_CNF_FILE, cnf_file), + RECV_ATTR_STR(TLS_ATTR_CNF_NAME, cnf_name), RECV_ATTR_STR(VAR_TLS_HIGH_CLIST, tls_high_clist), RECV_ATTR_STR(VAR_TLS_MEDIUM_CLIST, tls_medium_clist), RECV_ATTR_STR(VAR_TLS_NULL_CLIST, tls_null_clist), @@ -189,6 +195,8 @@ int tls_proxy_client_param_scan(ATTR_SCAN_COMMON_FN scan_fn, VSTREAM *fp, ¶ms->tls_multi_wildcard), ATTR_TYPE_END); /* Always construct a well-formed structure. */ + params->tls_cnf_file = vstring_export(cnf_file); + params->tls_cnf_name = vstring_export(cnf_name); params->tls_high_clist = vstring_export(tls_high_clist); params->tls_medium_clist = vstring_export(tls_medium_clist); params->tls_null_clist = vstring_export(tls_null_clist); @@ -202,7 +210,7 @@ int tls_proxy_client_param_scan(ATTR_SCAN_COMMON_FN scan_fn, VSTREAM *fp, params->tls_mgr_service = vstring_export(tls_mgr_service); params->tls_tkt_cipher = vstring_export(tls_tkt_cipher); - ret = (ret == 17 ? 1 : -1); + ret = (ret == 19 ? 1 : -1); if (ret != 1) { tls_proxy_client_param_free(params); params = 0; @@ -217,8 +225,6 @@ int tls_proxy_client_param_scan(ATTR_SCAN_COMMON_FN scan_fn, VSTREAM *fp, void tls_proxy_client_init_free(TLS_CLIENT_INIT_PROPS *props) { - myfree((void *) props->cnf_file); - myfree((void *) props->cnf_name); myfree((void *) props->log_param); myfree((void *) props->log_level); myfree((void *) props->cache_type); 
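Review bot: `ret = (ret == 19 ? 1 : -1);` hard-codes the number of RECV_ATTR_* items in the scan_fn() call above, and the init_scan counterpart changed to `ret == 14` in the next file hunk has the same shape, so every field addition must be mirrored by hand in a literal with no compiler help. A named constant next to the struct in tls_proxy.h, with a comment tying it to the attribute list, would at least put the number beside the fields it counts; short of that, an inline comment on this line, `/* 19 == number of RECV_ATTR_* items above; keep in sync */`, is the minimum. The same applies to the `ret == 14` line in tls_proxy_client_init_scan(). The hunk lies inside tls_proxy_client_param_scan(), which begins and ends outside it.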
@@ -243,8 +249,6 @@ int tls_proxy_client_init_scan(ATTR_SCAN_COMMON_FN scan_fn, VSTREAM *fp, TLS_CLIENT_INIT_PROPS *props = (TLS_CLIENT_INIT_PROPS *) mymalloc(sizeof(*props)); int ret; - VSTRING *cnf_file = vstring_alloc(25); - VSTRING *cnf_name = vstring_alloc(25); VSTRING *log_param = vstring_alloc(25); VSTRING *log_level = vstring_alloc(25); VSTRING *cache_type = vstring_alloc(25); @@ -267,8 +271,6 @@ int tls_proxy_client_init_scan(ATTR_SCAN_COMMON_FN scan_fn, VSTREAM *fp, */ memset(props, 0, sizeof(*props)); ret = scan_fn(fp, flags | ATTR_FLAG_MORE, - RECV_ATTR_STR(TLS_ATTR_CNF_FILE, cnf_file), - RECV_ATTR_STR(TLS_ATTR_CNF_NAME, cnf_name), RECV_ATTR_STR(TLS_ATTR_LOG_PARAM, log_param), RECV_ATTR_STR(TLS_ATTR_LOG_LEVEL, log_level), RECV_ATTR_INT(TLS_ATTR_VERIFYDEPTH, &props->verifydepth), @@ -285,8 +287,6 @@ int tls_proxy_client_init_scan(ATTR_SCAN_COMMON_FN scan_fn, VSTREAM *fp, RECV_ATTR_STR(TLS_ATTR_MDALG, mdalg), ATTR_TYPE_END); /* Always construct a well-formed structure. */ - props->cnf_file = vstring_export(cnf_file); - props->cnf_name = vstring_export(cnf_name); props->log_param = vstring_export(log_param); props->log_level = vstring_export(log_level); props->cache_type = vstring_export(cache_type); @@ -300,7 +300,7 @@ int tls_proxy_client_init_scan(ATTR_SCAN_COMMON_FN scan_fn, VSTREAM *fp, props->CAfile = vstring_export(CAfile); props->CApath = vstring_export(CApath); props->mdalg = vstring_export(mdalg); - ret = (ret == 16 ? 1 : -1); + ret = (ret == 14 ? 1 : -1); if (ret != 1) { tls_proxy_client_init_free(props); props = 0; diff --git a/postfix/src/tlsproxy/tlsproxy.c b/postfix/src/tlsproxy/tlsproxy.c index 58215e8c2..18203f787 100644 --- a/postfix/src/tlsproxy/tlsproxy.c +++ b/postfix/src/tlsproxy/tlsproxy.c 
@@ -1742,8 +1742,6 @@ static void pre_jail_init_client(void) */ (void) tls_proxy_client_param_from_config(&tls_params); (void) TLS_CLIENT_INIT_ARGS(&init_props, - cnf_file = var_tls_cnf_file, - cnf_name = var_tls_cnf_name, log_param = var_tlsp_clnt_logparam, log_level = var_tlsp_clnt_loglevel, verifydepth = var_tlsp_clnt_scert_vd,