
postfix-3.9-20230523

This commit is contained in:
Wietse Venema 2023-05-23 00:00:00 -05:00 committed by Viktor Dukhovni
parent 770f8c7630
commit 52a34fd4e6
12 changed files with 42 additions and 42 deletions


@ -27207,3 +27207,16 @@ Apologies for any names omitted.
tls/tls_misc.c, tls/tls_proxy_client_print.c,
tls/tls_proxy_client_scan.c, tls/tls_proxy.h, tls/tls_server.c,
tlsproxy/tlsproxy.c.
20230523
Cleanup: use TLS_CLIENT_PARAMS to pass the OpensSSL 'init'
configuration settings. These are global, i.e. apply to all
client TLS contexts, and they do not belong in tls_client_init()
or tls_client_start() calls. The tlsproxy(8) server uses
TLS_CLIENT_PARAMS information to warn about differences
between its own global TLS settings, and those from its
clients. Files: posttls-finger/posttls-finger.c, smtp/smtp.c,
smtp/smtp_proto.c, tls/tls.h, tls/tls_proxy_client_misc.c,
tls/tls_proxy_client_print.c, tls/tls_proxy_client_scan.c,
tls/tls_proxy.h, tlsproxy/tlsproxy.c.


@ -1,9 +1,5 @@
Wish list:
In tlsproxy, diff the server-side TLS library settings
against those from a tlsproxy client, and make sure that
the diff covers the new cnf_file and cnf_name properties.
Things to do before the stable release:
make pre-release-check, HTML validator check.


@ -20,7 +20,7 @@
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
#define MAIL_RELEASE_DATE "20230521"
#define MAIL_RELEASE_DATE "20230523"
#define MAIL_VERSION_NUMBER "3.9"
#ifdef SNAPSHOT


@ -793,8 +793,6 @@ static int starttls(STATE *state)
* Send all our wishes in one big request.
*/
TLS_PROXY_CLIENT_INIT_PROPS(&init_props,
cnf_file = var_tls_cnf_file,
cnf_name = var_tls_cnf_name,
log_param = "-L option",
log_level = state->options.logopts,
verifydepth = DEF_SMTP_TLS_SCERT_VD,
@ -1856,8 +1854,6 @@ static void tls_init(STATE *state)
/* Needed for tls_dane_avail() and other DANE-related processing. */
state->tls_ctx =
TLS_CLIENT_INIT(&props,
cnf_file = var_tls_cnf_file,
cnf_name = var_tls_cnf_name,
log_param = "-L option",
log_level = state->options.logopts,
verifydepth = DEF_SMTP_TLS_SCERT_VD,


@ -1512,8 +1512,6 @@ static void pre_init(char *unused_name, char **unused_argv)
*/
smtp_tls_ctx =
TLS_CLIENT_INIT(&props,
cnf_file = var_tls_cnf_file,
cnf_name = var_tls_cnf_name,
log_param = VAR_LMTP_SMTP(TLS_LOGLEVEL),
log_level = var_smtp_tls_loglevel,
verifydepth = var_smtp_tls_scert_vd,


@ -911,8 +911,6 @@ static int smtp_start_tls(SMTP_STATE *state)
* Send all our wishes in one big request.
*/
TLS_PROXY_CLIENT_INIT_PROPS(&init_props,
cnf_file = var_tls_cnf_file,
cnf_name = var_tls_cnf_name,
log_param = VAR_LMTP_SMTP(TLS_LOGLEVEL),
log_level = var_smtp_tls_loglevel,
verifydepth = var_smtp_tls_scert_vd,


@ -451,8 +451,6 @@ extern void tls_get_signature_params(TLS_SESS_STATE *);
* tls_client.c
*/
typedef struct {
const char *cnf_file;
const char *cnf_name;
const char *log_param;
const char *log_level;
int verifydepth;
@ -498,16 +496,16 @@ extern TLS_SESS_STATE *tls_client_post_connect(TLS_SESS_STATE *,
tls_session_stop(ctx, (stream), (timeout), (failure), (TLScontext))
#define TLS_CLIENT_INIT_ARGS(props, a1, a2, a3, a4, a5, a6, a7, a8, a9, \
a10, a11, a12, a13, a14, a15, a16) \
a10, a11, a12, a13, a14) \
(((props)->a1), ((props)->a2), ((props)->a3), ((props)->a4), \
((props)->a5), ((props)->a6), ((props)->a7), ((props)->a8), \
((props)->a9), ((props)->a10), ((props)->a11), ((props)->a12), \
((props)->a13), ((props)->a14), ((props)->a15), ((props)->a16), (props))
((props)->a13), ((props)->a14), (props))
#define TLS_CLIENT_INIT(props, a1, a2, a3, a4, a5, a6, a7, a8, a9, \
a10, a11, a12, a13, a14, a15, a16) \
a10, a11, a12, a13, a14) \
tls_client_init(TLS_CLIENT_INIT_ARGS(props, a1, a2, a3, a4, a5, \
a6, a7, a8, a9, a10, a11, a12, a13, a14, a15, a16))
a6, a7, a8, a9, a10, a11, a12, a13, a14))
#define TLS_CLIENT_START(props, a1, a2, a3, a4, a5, a6, a7, a8, a9, \
a10, a11, a12, a13, a14, a15, a16, a17) \


@ -32,8 +32,10 @@
#ifdef USE_TLS
/*
* TLS_CLIENT_PARAMS structure. If this changes, update all
* TLS_CLIENT_PARAMS related functions in tls_proxy_client_*.c.
* TLS_CLIENT_PARAMS structure, to communicate global TLS library settings
* that are the same for all TLS client contexts. This information is used
* in tlsproxy(8) to detect inconsistencies. If this structure is changed,
* update all TLS_CLIENT_PARAMS related functions in tls_proxy_client_*.c.
*
* In the serialization these attributes are identified by their configuration
* parameter names.
@ -44,6 +46,8 @@
* VAR_TLS_SERVER_SNI_MAPS.
*/
typedef struct TLS_CLIENT_PARAMS {
char *tls_cnf_file;
char *tls_cnf_name;
char *tls_high_clist;
char *tls_medium_clist;
char *tls_null_clist;
@ -64,12 +68,12 @@ typedef struct TLS_CLIENT_PARAMS {
} TLS_CLIENT_PARAMS;
#define TLS_PROXY_PARAMS(params, a1, a2, a3, a4, a5, a6, a7, a8, \
a9, a10, a11, a12, a13, a14, a15, a16, a17) \
a9, a10, a11, a12, a13, a14, a15, a16, a17, a18, a19) \
(((params)->a1), ((params)->a2), ((params)->a3), \
((params)->a4), ((params)->a5), ((params)->a6), ((params)->a7), \
((params)->a8), ((params)->a9), ((params)->a10), ((params)->a11), \
((params)->a12), ((params)->a13), ((params)->a14), ((params)->a15), \
((params)->a16), ((params)->a17))
((params)->a16), ((params)->a17), ((params)->a18), ((params)->a19))
/*
* tls_proxy_client_param_misc.c, tls_proxy_client_param_print.c, and
@ -97,12 +101,11 @@ extern VSTREAM *tls_proxy_open(const char *, int, VSTREAM *, const char *,
void *, void *, void *);
#define TLS_PROXY_CLIENT_INIT_PROPS(props, a1, a2, a3, a4, a5, a6, a7, a8, \
a9, a10, a11, a12, a13, a14, a15, a16) \
a9, a10, a11, a12, a13, a14) \
(((props)->a1), ((props)->a2), ((props)->a3), \
((props)->a4), ((props)->a5), ((props)->a6), ((props)->a7), \
((props)->a8), ((props)->a9), ((props)->a10), ((props)->a11), \
((props)->a12), ((props)->a13), ((props)->a14), ((props)->a15), \
((props)->a16))
((props)->a12), ((props)->a13), ((props)->a14))
#define TLS_PROXY_CLIENT_START_PROPS(props, a1, a2, a3, a4, a5, a6, a7, a8, \
a9, a10, a11, a12, a13, a14) \
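Review bot: The rewritten structure comment in the first hunk still ends with "In the serialization these attributes are identified by their configuration parameter names", but the two members added to TLS_CLIENT_PARAMS in the second hunk, tls_cnf_file and tls_cnf_name, are sent and received under TLS_ATTR_CNF_FILE and TLS_ATTR_CNF_NAME in the tls_proxy_client_print.c and tls_proxy_client_scan.c hunks of this commit, while their neighbours use VAR_TLS_* names such as VAR_TLS_HIGH_CLIST. If those TLS_ATTR_* macros do not expand to the corresponding tls_* parameter names, the comment is now inaccurate for exactly the fields this commit introduces. Suggest adding to the comment: ` * Exception: tls_cnf_file and tls_cnf_name use the TLS_ATTR_CNF_FILE and TLS_ATTR_CNF_NAME attribute names.` (drop it if the macros already match). The arity change of TLS_PROXY_PARAMS from 17 to 19 arguments is enforced at compile time, so stale callers cannot slip through.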


@ -66,6 +66,8 @@
TLS_CLIENT_PARAMS *tls_proxy_client_param_from_config(TLS_CLIENT_PARAMS *params)
{
TLS_PROXY_PARAMS(params,
tls_cnf_file = var_tls_cnf_file,
tls_cnf_name = var_tls_cnf_name,
tls_high_clist = var_tls_high_clist,
tls_medium_clist = var_tls_medium_clist,
tls_null_clist = var_tls_null_clist,
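Review bot: The two new assignments in tls_proxy_client_param_from_config() alias the configuration globals (var_tls_cnf_file, var_tls_cnf_name) rather than copying them, following the existing pattern of the tls_*_clist members, while tls_proxy_client_param_free() in the tls_proxy_client_scan.c hunk myfree()s those same members. That asymmetry presumably works because param_free() is only applied to structures produced by tls_proxy_client_param_scan(), but nothing on the function says so, and each field added here widens the damage if a caller ever frees a from_config() result. A one-line comment above the function would make the ownership contract explicit: `/* Members alias configuration globals; never pass the result to tls_proxy_client_param_free(). */`. The function body continues past the end of this hunk.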


@ -95,6 +95,8 @@ int tls_proxy_client_param_print(ATTR_PRINT_COMMON_FN print_fn, VSTREAM *fp,
msg_info("begin tls_proxy_client_param_print");
ret = print_fn(fp, flags | ATTR_FLAG_MORE,
SEND_ATTR_STR(TLS_ATTR_CNF_FILE, params->tls_cnf_file),
SEND_ATTR_STR(TLS_ATTR_CNF_NAME, params->tls_cnf_name),
SEND_ATTR_STR(VAR_TLS_HIGH_CLIST, params->tls_high_clist),
SEND_ATTR_STR(VAR_TLS_MEDIUM_CLIST,
params->tls_medium_clist),
@ -144,10 +146,6 @@ int tls_proxy_client_init_print(ATTR_PRINT_COMMON_FN print_fn, VSTREAM *fp,
#define STRING_OR_EMPTY(s) ((s) ? (s) : "")
ret = print_fn(fp, flags | ATTR_FLAG_MORE,
SEND_ATTR_STR(TLS_ATTR_CNF_FILE,
STRING_OR_EMPTY(props->cnf_file)),
SEND_ATTR_STR(TLS_ATTR_CNF_NAME,
STRING_OR_EMPTY(props->cnf_name)),
SEND_ATTR_STR(TLS_ATTR_LOG_PARAM,
STRING_OR_EMPTY(props->log_param)),
SEND_ATTR_STR(TLS_ATTR_LOG_LEVEL,


@ -121,6 +121,8 @@
void tls_proxy_client_param_free(TLS_CLIENT_PARAMS *params)
{
myfree(params->tls_cnf_file);
myfree(params->tls_cnf_name);
myfree(params->tls_high_clist);
myfree(params->tls_medium_clist);
myfree(params->tls_null_clist);
@ -144,6 +146,8 @@ int tls_proxy_client_param_scan(ATTR_SCAN_COMMON_FN scan_fn, VSTREAM *fp,
TLS_CLIENT_PARAMS *params
= (TLS_CLIENT_PARAMS *) mymalloc(sizeof(*params));
int ret;
VSTRING *cnf_file = vstring_alloc(25);
VSTRING *cnf_name = vstring_alloc(25);
VSTRING *tls_high_clist = vstring_alloc(25);
VSTRING *tls_medium_clist = vstring_alloc(25);
VSTRING *tls_null_clist = vstring_alloc(25);
@ -165,6 +169,8 @@ int tls_proxy_client_param_scan(ATTR_SCAN_COMMON_FN scan_fn, VSTREAM *fp,
*/
memset(params, 0, sizeof(*params));
ret = scan_fn(fp, flags | ATTR_FLAG_MORE,
RECV_ATTR_STR(TLS_ATTR_CNF_FILE, cnf_file),
RECV_ATTR_STR(TLS_ATTR_CNF_NAME, cnf_name),
RECV_ATTR_STR(VAR_TLS_HIGH_CLIST, tls_high_clist),
RECV_ATTR_STR(VAR_TLS_MEDIUM_CLIST, tls_medium_clist),
RECV_ATTR_STR(VAR_TLS_NULL_CLIST, tls_null_clist),
@ -189,6 +195,8 @@ int tls_proxy_client_param_scan(ATTR_SCAN_COMMON_FN scan_fn, VSTREAM *fp,
&params->tls_multi_wildcard),
ATTR_TYPE_END);
/* Always construct a well-formed structure. */
params->tls_cnf_file = vstring_export(cnf_file);
params->tls_cnf_name = vstring_export(cnf_name);
params->tls_high_clist = vstring_export(tls_high_clist);
params->tls_medium_clist = vstring_export(tls_medium_clist);
params->tls_null_clist = vstring_export(tls_null_clist);
@ -202,7 +210,7 @@ int tls_proxy_client_param_scan(ATTR_SCAN_COMMON_FN scan_fn, VSTREAM *fp,
params->tls_mgr_service = vstring_export(tls_mgr_service);
params->tls_tkt_cipher = vstring_export(tls_tkt_cipher);
ret = (ret == 17 ? 1 : -1);
ret = (ret == 19 ? 1 : -1);
if (ret != 1) {
tls_proxy_client_param_free(params);
params = 0;
@ -217,8 +225,6 @@ int tls_proxy_client_param_scan(ATTR_SCAN_COMMON_FN scan_fn, VSTREAM *fp,
void tls_proxy_client_init_free(TLS_CLIENT_INIT_PROPS *props)
{
myfree((void *) props->cnf_file);
myfree((void *) props->cnf_name);
myfree((void *) props->log_param);
myfree((void *) props->log_level);
myfree((void *) props->cache_type);
@ -243,8 +249,6 @@ int tls_proxy_client_init_scan(ATTR_SCAN_COMMON_FN scan_fn, VSTREAM *fp,
TLS_CLIENT_INIT_PROPS *props
= (TLS_CLIENT_INIT_PROPS *) mymalloc(sizeof(*props));
int ret;
VSTRING *cnf_file = vstring_alloc(25);
VSTRING *cnf_name = vstring_alloc(25);
VSTRING *log_param = vstring_alloc(25);
VSTRING *log_level = vstring_alloc(25);
VSTRING *cache_type = vstring_alloc(25);
@ -267,8 +271,6 @@ int tls_proxy_client_init_scan(ATTR_SCAN_COMMON_FN scan_fn, VSTREAM *fp,
*/
memset(props, 0, sizeof(*props));
ret = scan_fn(fp, flags | ATTR_FLAG_MORE,
RECV_ATTR_STR(TLS_ATTR_CNF_FILE, cnf_file),
RECV_ATTR_STR(TLS_ATTR_CNF_NAME, cnf_name),
RECV_ATTR_STR(TLS_ATTR_LOG_PARAM, log_param),
RECV_ATTR_STR(TLS_ATTR_LOG_LEVEL, log_level),
RECV_ATTR_INT(TLS_ATTR_VERIFYDEPTH, &props->verifydepth),
@ -285,8 +287,6 @@ int tls_proxy_client_init_scan(ATTR_SCAN_COMMON_FN scan_fn, VSTREAM *fp,
RECV_ATTR_STR(TLS_ATTR_MDALG, mdalg),
ATTR_TYPE_END);
/* Always construct a well-formed structure. */
props->cnf_file = vstring_export(cnf_file);
props->cnf_name = vstring_export(cnf_name);
props->log_param = vstring_export(log_param);
props->log_level = vstring_export(log_level);
props->cache_type = vstring_export(cache_type);
@ -300,7 +300,7 @@ int tls_proxy_client_init_scan(ATTR_SCAN_COMMON_FN scan_fn, VSTREAM *fp,
props->CAfile = vstring_export(CAfile);
props->CApath = vstring_export(CApath);
props->mdalg = vstring_export(mdalg);
ret = (ret == 16 ? 1 : -1);
ret = (ret == 14 ? 1 : -1);
if (ret != 1) {
tls_proxy_client_init_free(props);
props = 0;
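Review bot: The attribute counts `ret = (ret == 19 ? 1 : -1);` in tls_proxy_client_param_scan() and `ret = (ret == 14 ? 1 : -1);` in tls_proxy_client_init_scan() are bare literals that must track the number of RECV_ATTR_* entries in the preceding scan_fn() call, and this commit had to touch both along with the entry lists. The failure mode is at least fail-closed (a stale count makes every scan return -1 and free the structure), but the relationship is invisible at the point of use. A short comment at each would help the next field addition, e.g. `/* 19 == number of RECV_ATTR_* entries above; update both together. */`, or a named enum constant next to the scan call. The "Always construct a well-formed structure" path correctly exports the new cnf_file/cnf_name VSTRINGs before the count check, so the param_free() on the error path does not operate on uninitialised members.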


@ -1742,8 +1742,6 @@ static void pre_jail_init_client(void)
*/
(void) tls_proxy_client_param_from_config(&tls_params);
(void) TLS_CLIENT_INIT_ARGS(&init_props,
cnf_file = var_tls_cnf_file,
cnf_name = var_tls_cnf_name,
log_param = var_tlsp_clnt_logparam,
log_level = var_tlsp_clnt_loglevel,
verifydepth = var_tlsp_clnt_scert_vd,
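Review bot: The warning about differences between tlsproxy's own global TLS settings and those received from clients, which the commit message gives as the reason for moving cnf_file/cnf_name into TLS_CLIENT_PARAMS, is not part of this diff, and the WISHLIST change in the same commit records that the comparison does not yet cover the new cnf_file and cnf_name properties. Until that follow-up lands, a client whose tls_config_file/tls_config_name settings differ from tlsproxy's presumably gets tlsproxy's OpenSSL init configuration without any log message, since the per-context path that used to carry cnf_file/cnf_name has been removed from TLS_CLIENT_INIT_PROPS. Worth a comment near the `tls_proxy_client_param_from_config(&tls_params)` call, e.g. `/* TODO: compare tls_cnf_file/tls_cnf_name against client TLS_CLIENT_PARAMS (see WISHLIST). */`, so the gap is visible in the code and not only in the wish list. pre_jail_init_client() continues beyond this hunk.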