postfix-3.9-20230523

postfix/HISTORY

@@ -27207,3 +27207,16 @@ Apologies for any names omitted.
 	tls/tls_misc.c, tls/tls_proxy_client_print.c,
 	tls/tls_proxy_client_scan.c, tls/tls_proxy.h, tls/tls_server.c,
 	tlsproxy/tlsproxy.c.
+
+20230523
+
+	Cleanup: use TLS_CLIENT_PARAMS to pass the OpensSSL 'init'
+	configuration settings. These are global, i.e. apply to all
+	client TLS contexts, and they do not belong in tls_client_init()
+	or tls_client_start() calls. The tlsproxy(8) server uses
+	TLS_CLIENT_PARAMS information to warn about differences
+	between its own global TLS settings, and those from its
+	clients. Files: posttls-finger/posttls-finger.c, smtp/smtp.c,
+	smtp/smtp_proto.c, tls/tls.h, tls/tls_proxy_client_misc.c,
+	tls/tls_proxy_client_print.c, tls/tls_proxy_client_scan.c,
+	tls/tls_proxy.h, tlsproxy/tlsproxy.c.

postfix/WISHLIST

@@ -1,9 +1,5 @@
 Wish list:
 
-	In tlsproxy, diff the server-side TLS library settings
-	against those from a tlsproxy client, and make sure that
-	the diff covers the new cnf_file and cnf_name properties.
-
 	Things to do before the stable release:
 
 	make pre-release-check, HTML validator check.

postfix/src/global/mail_version.h

@@ -20,7 +20,7 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE	"20230521"
+#define MAIL_RELEASE_DATE	"20230523"
 #define MAIL_VERSION_NUMBER	"3.9"
 
 #ifdef SNAPSHOT

postfix/src/posttls-finger/posttls-finger.c

@@ -793,8 +793,6 @@ static int starttls(STATE *state)
 	 * Send all our wishes in one big request.
 	 */
 	TLS_PROXY_CLIENT_INIT_PROPS(&init_props,
-				    cnf_file = var_tls_cnf_file,
-				    cnf_name = var_tls_cnf_name,
 				    log_param = "-L option",
 				    log_level = state->options.logopts,
 				    verifydepth = DEF_SMTP_TLS_SCERT_VD,
@@ -1856,8 +1854,6 @@ static void tls_init(STATE *state)
     /* Needed for tls_dane_avail() and other DANE-related processing. */
     state->tls_ctx =
 	TLS_CLIENT_INIT(&props,
-			cnf_file = var_tls_cnf_file,
-			cnf_name = var_tls_cnf_name,
 			log_param = "-L option",
 			log_level = state->options.logopts,
 			verifydepth = DEF_SMTP_TLS_SCERT_VD,

postfix/src/smtp/smtp.c

@@ -1512,8 +1512,6 @@ static void pre_init(char *unused_name, char **unused_argv)
 	 */
 	smtp_tls_ctx =
 	    TLS_CLIENT_INIT(&props,
-			    cnf_file = var_tls_cnf_file,
-			    cnf_name = var_tls_cnf_name,
 			    log_param = VAR_LMTP_SMTP(TLS_LOGLEVEL),
 			    log_level = var_smtp_tls_loglevel,
 			    verifydepth = var_smtp_tls_scert_vd,

postfix/src/smtp/smtp_proto.c

@@ -911,8 +911,6 @@ static int smtp_start_tls(SMTP_STATE *state)
 	 * Send all our wishes in one big request.
 	 */
 	TLS_PROXY_CLIENT_INIT_PROPS(&init_props,
-				    cnf_file = var_tls_cnf_file,
-				    cnf_name = var_tls_cnf_name,
 				    log_param = VAR_LMTP_SMTP(TLS_LOGLEVEL),
 				    log_level = var_smtp_tls_loglevel,
 				    verifydepth = var_smtp_tls_scert_vd,

postfix/src/tls/tls.h

@@ -451,8 +451,6 @@ extern void tls_get_signature_params(TLS_SESS_STATE *);
   * tls_client.c
   */
 typedef struct {
-    const char *cnf_file;
-    const char *cnf_name;
     const char *log_param;
     const char *log_level;
     int     verifydepth;
@@ -498,16 +496,16 @@ extern TLS_SESS_STATE *tls_client_post_connect(TLS_SESS_STATE *,
 	tls_session_stop(ctx, (stream), (timeout), (failure), (TLScontext))
 
 #define TLS_CLIENT_INIT_ARGS(props, a1, a2, a3, a4, a5, a6, a7, a8, a9, \
-    a10, a11, a12, a13, a14, a15, a16) \
+    a10, a11, a12, a13, a14) \
     (((props)->a1), ((props)->a2), ((props)->a3), ((props)->a4), \
     ((props)->a5), ((props)->a6), ((props)->a7), ((props)->a8), \
     ((props)->a9), ((props)->a10), ((props)->a11), ((props)->a12), \
-    ((props)->a13), ((props)->a14), ((props)->a15), ((props)->a16), (props))
+    ((props)->a13), ((props)->a14), (props))
 
 #define TLS_CLIENT_INIT(props, a1, a2, a3, a4, a5, a6, a7, a8, a9, \
-    a10, a11, a12, a13, a14, a15, a16) \
+    a10, a11, a12, a13, a14) \
     tls_client_init(TLS_CLIENT_INIT_ARGS(props, a1, a2, a3, a4, a5, \
-    a6, a7, a8, a9, a10, a11, a12, a13, a14, a15, a16))
+    a6, a7, a8, a9, a10, a11, a12, a13, a14))
 
 #define TLS_CLIENT_START(props, a1, a2, a3, a4, a5, a6, a7, a8, a9, \
     a10, a11, a12, a13, a14, a15, a16, a17) \

postfix/src/tls/tls_proxy.h

@@ -32,8 +32,10 @@
 #ifdef USE_TLS
 
  /*
-  * TLS_CLIENT_PARAMS structure. If this changes, update all
+  * TLS_CLIENT_PARAMS structure, to communicate global TLS library settings
-  * TLS_CLIENT_PARAMS related functions in tls_proxy_client_*.c.
+  * that are the same for all TLS client contexts. This information is used
+  * in tlsproxy(8) to detect inconsistencies. If this structure is changed,
+  * update all TLS_CLIENT_PARAMS related functions in tls_proxy_client_*.c.
   * 
   * In the serialization these attributes are identified by their configuration
   * parameter names.
@@ -44,6 +46,8 @@
   * VAR_TLS_SERVER_SNI_MAPS.
   */
 typedef struct TLS_CLIENT_PARAMS {
+    char   *tls_cnf_file;
+    char   *tls_cnf_name;
     char   *tls_high_clist;
     char   *tls_medium_clist;
     char   *tls_null_clist;
@@ -64,12 +68,12 @@ typedef struct TLS_CLIENT_PARAMS {
 } TLS_CLIENT_PARAMS;
 
 #define TLS_PROXY_PARAMS(params, a1, a2, a3, a4, a5, a6, a7, a8, \
-    a9, a10, a11, a12, a13, a14, a15, a16, a17) \
+    a9, a10, a11, a12, a13, a14, a15, a16, a17, a18, a19) \
     (((params)->a1), ((params)->a2), ((params)->a3), \
     ((params)->a4), ((params)->a5), ((params)->a6), ((params)->a7), \
     ((params)->a8), ((params)->a9), ((params)->a10), ((params)->a11), \
     ((params)->a12), ((params)->a13), ((params)->a14), ((params)->a15), \
-    ((params)->a16), ((params)->a17))
+    ((params)->a16), ((params)->a17), ((params)->a18), ((params)->a19))
 
  /*
   * tls_proxy_client_param_misc.c, tls_proxy_client_param_print.c, and
@@ -97,12 +101,11 @@ extern VSTREAM *tls_proxy_open(const char *, int, VSTREAM *, const char *,
 			               void *, void *, void *);
 
 #define TLS_PROXY_CLIENT_INIT_PROPS(props, a1, a2, a3, a4, a5, a6, a7, a8, \
-    a9, a10, a11, a12, a13, a14, a15, a16) \
+    a9, a10, a11, a12, a13, a14) \
     (((props)->a1), ((props)->a2), ((props)->a3), \
     ((props)->a4), ((props)->a5), ((props)->a6), ((props)->a7), \
     ((props)->a8), ((props)->a9), ((props)->a10), ((props)->a11), \
-    ((props)->a12), ((props)->a13), ((props)->a14), ((props)->a15), \
+    ((props)->a12), ((props)->a13), ((props)->a14))
-    ((props)->a16))
 
 #define TLS_PROXY_CLIENT_START_PROPS(props, a1, a2, a3, a4, a5, a6, a7, a8, \
     a9, a10, a11, a12, a13, a14) \

postfix/src/tls/tls_proxy_client_misc.c

@@ -66,6 +66,8 @@
 TLS_CLIENT_PARAMS *tls_proxy_client_param_from_config(TLS_CLIENT_PARAMS *params)
 {
     TLS_PROXY_PARAMS(params,
+		     tls_cnf_file = var_tls_cnf_file,
+		     tls_cnf_name = var_tls_cnf_name,
 		     tls_high_clist = var_tls_high_clist,
 		     tls_medium_clist = var_tls_medium_clist,
 		     tls_null_clist = var_tls_null_clist,

postfix/src/tls/tls_proxy_client_print.c

@@ -95,6 +95,8 @@ int     tls_proxy_client_param_print(ATTR_PRINT_COMMON_FN print_fn, VSTREAM *fp,
 	msg_info("begin tls_proxy_client_param_print");
 
     ret = print_fn(fp, flags | ATTR_FLAG_MORE,
+		   SEND_ATTR_STR(TLS_ATTR_CNF_FILE, params->tls_cnf_file),
+		   SEND_ATTR_STR(TLS_ATTR_CNF_NAME,  params->tls_cnf_name),
 		   SEND_ATTR_STR(VAR_TLS_HIGH_CLIST, params->tls_high_clist),
 		   SEND_ATTR_STR(VAR_TLS_MEDIUM_CLIST,
 				 params->tls_medium_clist),
@@ -144,10 +146,6 @@ int     tls_proxy_client_init_print(ATTR_PRINT_COMMON_FN print_fn, VSTREAM *fp,
 #define STRING_OR_EMPTY(s) ((s) ? (s) : "")
 
     ret = print_fn(fp, flags | ATTR_FLAG_MORE,
-		   SEND_ATTR_STR(TLS_ATTR_CNF_FILE,
-				 STRING_OR_EMPTY(props->cnf_file)),
-		   SEND_ATTR_STR(TLS_ATTR_CNF_NAME,
-				 STRING_OR_EMPTY(props->cnf_name)),
 		   SEND_ATTR_STR(TLS_ATTR_LOG_PARAM,
 				 STRING_OR_EMPTY(props->log_param)),
 		   SEND_ATTR_STR(TLS_ATTR_LOG_LEVEL,

postfix/src/tls/tls_proxy_client_scan.c

@@ -121,6 +121,8 @@
 
 void    tls_proxy_client_param_free(TLS_CLIENT_PARAMS *params)
 {
+    myfree(params->tls_cnf_file);
+    myfree(params->tls_cnf_name);
     myfree(params->tls_high_clist);
     myfree(params->tls_medium_clist);
     myfree(params->tls_null_clist);
@@ -144,6 +146,8 @@ int     tls_proxy_client_param_scan(ATTR_SCAN_COMMON_FN scan_fn, VSTREAM *fp,
     TLS_CLIENT_PARAMS *params
     = (TLS_CLIENT_PARAMS *) mymalloc(sizeof(*params));
     int     ret;
+    VSTRING *cnf_file = vstring_alloc(25);
+    VSTRING *cnf_name = vstring_alloc(25);
     VSTRING *tls_high_clist = vstring_alloc(25);
     VSTRING *tls_medium_clist = vstring_alloc(25);
     VSTRING *tls_null_clist = vstring_alloc(25);
@@ -165,6 +169,8 @@ int     tls_proxy_client_param_scan(ATTR_SCAN_COMMON_FN scan_fn, VSTREAM *fp,
      */
     memset(params, 0, sizeof(*params));
     ret = scan_fn(fp, flags | ATTR_FLAG_MORE,
+		  RECV_ATTR_STR(TLS_ATTR_CNF_FILE, cnf_file),
+		  RECV_ATTR_STR(TLS_ATTR_CNF_NAME, cnf_name),
 		  RECV_ATTR_STR(VAR_TLS_HIGH_CLIST, tls_high_clist),
 		  RECV_ATTR_STR(VAR_TLS_MEDIUM_CLIST, tls_medium_clist),
 		  RECV_ATTR_STR(VAR_TLS_NULL_CLIST, tls_null_clist),
@@ -189,6 +195,8 @@ int     tls_proxy_client_param_scan(ATTR_SCAN_COMMON_FN scan_fn, VSTREAM *fp,
 				&params->tls_multi_wildcard),
 		  ATTR_TYPE_END);
     /* Always construct a well-formed structure. */
+    params->tls_cnf_file = vstring_export(cnf_file);
+    params->tls_cnf_name = vstring_export(cnf_name);
     params->tls_high_clist = vstring_export(tls_high_clist);
     params->tls_medium_clist = vstring_export(tls_medium_clist);
     params->tls_null_clist = vstring_export(tls_null_clist);
@@ -202,7 +210,7 @@ int     tls_proxy_client_param_scan(ATTR_SCAN_COMMON_FN scan_fn, VSTREAM *fp,
     params->tls_mgr_service = vstring_export(tls_mgr_service);
     params->tls_tkt_cipher = vstring_export(tls_tkt_cipher);
 
-    ret = (ret == 17 ? 1 : -1);
+    ret = (ret == 19 ? 1 : -1);
     if (ret != 1) {
 	tls_proxy_client_param_free(params);
 	params = 0;
@@ -217,8 +225,6 @@ int     tls_proxy_client_param_scan(ATTR_SCAN_COMMON_FN scan_fn, VSTREAM *fp,
 
 void    tls_proxy_client_init_free(TLS_CLIENT_INIT_PROPS *props)
 {
-    myfree((void *) props->cnf_file);
-    myfree((void *) props->cnf_name);
     myfree((void *) props->log_param);
     myfree((void *) props->log_level);
     myfree((void *) props->cache_type);
@@ -243,8 +249,6 @@ int     tls_proxy_client_init_scan(ATTR_SCAN_COMMON_FN scan_fn, VSTREAM *fp,
     TLS_CLIENT_INIT_PROPS *props
     = (TLS_CLIENT_INIT_PROPS *) mymalloc(sizeof(*props));
     int     ret;
-    VSTRING *cnf_file = vstring_alloc(25);
-    VSTRING *cnf_name = vstring_alloc(25);
     VSTRING *log_param = vstring_alloc(25);
     VSTRING *log_level = vstring_alloc(25);
     VSTRING *cache_type = vstring_alloc(25);
@@ -267,8 +271,6 @@ int     tls_proxy_client_init_scan(ATTR_SCAN_COMMON_FN scan_fn, VSTREAM *fp,
      */
     memset(props, 0, sizeof(*props));
     ret = scan_fn(fp, flags | ATTR_FLAG_MORE,
-		  RECV_ATTR_STR(TLS_ATTR_CNF_FILE, cnf_file),
-		  RECV_ATTR_STR(TLS_ATTR_CNF_NAME, cnf_name),
 		  RECV_ATTR_STR(TLS_ATTR_LOG_PARAM, log_param),
 		  RECV_ATTR_STR(TLS_ATTR_LOG_LEVEL, log_level),
 		  RECV_ATTR_INT(TLS_ATTR_VERIFYDEPTH, &props->verifydepth),
@@ -285,8 +287,6 @@ int     tls_proxy_client_init_scan(ATTR_SCAN_COMMON_FN scan_fn, VSTREAM *fp,
 		  RECV_ATTR_STR(TLS_ATTR_MDALG, mdalg),
 		  ATTR_TYPE_END);
     /* Always construct a well-formed structure. */
-    props->cnf_file = vstring_export(cnf_file);
-    props->cnf_name = vstring_export(cnf_name);
     props->log_param = vstring_export(log_param);
     props->log_level = vstring_export(log_level);
     props->cache_type = vstring_export(cache_type);
@@ -300,7 +300,7 @@ int     tls_proxy_client_init_scan(ATTR_SCAN_COMMON_FN scan_fn, VSTREAM *fp,
     props->CAfile = vstring_export(CAfile);
     props->CApath = vstring_export(CApath);
     props->mdalg = vstring_export(mdalg);
-    ret = (ret == 16 ? 1 : -1);
+    ret = (ret == 14 ? 1 : -1);
     if (ret != 1) {
 	tls_proxy_client_init_free(props);
 	props = 0;

postfix/src/tlsproxy/tlsproxy.c

@@ -1742,8 +1742,6 @@ static void pre_jail_init_client(void)
 	 */
 	(void) tls_proxy_client_param_from_config(&tls_params);
 	(void) TLS_CLIENT_INIT_ARGS(&init_props,
-				    cnf_file = var_tls_cnf_file,
-				    cnf_name = var_tls_cnf_name,
 				    log_param = var_tlsp_clnt_logparam,
 				    log_level = var_tlsp_clnt_loglevel,
 				    verifydepth = var_tlsp_clnt_scert_vd,