mir/postfix
2
0
Fork 0
mirror of https://github.com/vdukhovni/postfix synced 2025-08-22 09:57:34 +00:00
Code Issues Releases Wiki Activity

postfix-3.9-20230523

Browse Source
This commit is contained in:
Wietse Venema 2023-05-23 00:00:00 -05:00 committed by Viktor Dukhovni
parent 770f8c7630
commit 52a34fd4e6
12 changed files with 42 additions and 42 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
postfix/HISTORY
View File

@ -27207,3 +27207,16 @@ Apologies for any names omitted.
tls/tls_misc.c, tls/tls_proxy_client_print.c,
tls/tls_proxy_client_scan.c, tls/tls_proxy.h, tls/tls_server.c,
tlsproxy/tlsproxy.c.
20230523
Cleanup: use TLS_CLIENT_PARAMS to pass the OpensSSL 'init'
configuration settings. These are global, i.e. apply to all
client TLS contexts, and they do not belong in tls_client_init()
or tls_client_start() calls. The tlsproxy(8) server uses
TLS_CLIENT_PARAMS information to warn about differences
between its own global TLS settings, and those from its
clients. Files: posttls-finger/posttls-finger.c, smtp/smtp.c,
smtp/smtp_proto.c, tls/tls.h, tls/tls_proxy_client_misc.c,
tls/tls_proxy_client_print.c, tls/tls_proxy_client_scan.c,
tls/tls_proxy.h, tlsproxy/tlsproxy.c.

4
postfix/WISHLIST
View File

@ -1,9 +1,5 @@
Wish list:
In tlsproxy, diff the server-side TLS library settings
against those from a tlsproxy client, and make sure that
the diff covers the new cnf_file and cnf_name properties.
Things to do before the stable release:
make pre-release-check, HTML validator check.

2
postfix/src/global/mail_version.h
View File

@ -20,7 +20,7 @@
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
#define MAIL_RELEASE_DATE "20230521"
#define MAIL_RELEASE_DATE "20230523"
#define MAIL_VERSION_NUMBER "3.9"
#ifdef SNAPSHOT

4
postfix/src/posttls-finger/posttls-finger.c
View File

@ -793,8 +793,6 @@ static int starttls(STATE *state)
* Send all our wishes in one big request.
*/
TLS_PROXY_CLIENT_INIT_PROPS(&init_props,
cnf_file = var_tls_cnf_file,
cnf_name = var_tls_cnf_name,
log_param = "-L option",
log_level = state->options.logopts,
verifydepth = DEF_SMTP_TLS_SCERT_VD,
@ -1856,8 +1854,6 @@ static void tls_init(STATE *state)
/* Needed for tls_dane_avail() and other DANE-related processing. */
state->tls_ctx =
TLS_CLIENT_INIT(&props,
cnf_file = var_tls_cnf_file,
cnf_name = var_tls_cnf_name,
log_param = "-L option",
log_level = state->options.logopts,
verifydepth = DEF_SMTP_TLS_SCERT_VD,

2
postfix/src/smtp/smtp.c
View File

@ -1512,8 +1512,6 @@ static void pre_init(char *unused_name, char **unused_argv)
*/
smtp_tls_ctx =
TLS_CLIENT_INIT(&props,
cnf_file = var_tls_cnf_file,
cnf_name = var_tls_cnf_name,
log_param = VAR_LMTP_SMTP(TLS_LOGLEVEL),
log_level = var_smtp_tls_loglevel,
verifydepth = var_smtp_tls_scert_vd,

2
postfix/src/smtp/smtp_proto.c
View File

@ -911,8 +911,6 @@ static int smtp_start_tls(SMTP_STATE *state)
* Send all our wishes in one big request.
*/
TLS_PROXY_CLIENT_INIT_PROPS(&init_props,
cnf_file = var_tls_cnf_file,
cnf_name = var_tls_cnf_name,
log_param = VAR_LMTP_SMTP(TLS_LOGLEVEL),
log_level = var_smtp_tls_loglevel,
verifydepth = var_smtp_tls_scert_vd,

10
postfix/src/tls/tls.h
View File

@ -451,8 +451,6 @@ extern void tls_get_signature_params(TLS_SESS_STATE *);
* tls_client.c
*/
typedef struct {
const char *cnf_file;
const char *cnf_name;
const char *log_param;
const char *log_level;
int verifydepth;
@ -498,16 +496,16 @@ extern TLS_SESS_STATE *tls_client_post_connect(TLS_SESS_STATE *,
tls_session_stop(ctx, (stream), (timeout), (failure), (TLScontext))
#define TLS_CLIENT_INIT_ARGS(props, a1, a2, a3, a4, a5, a6, a7, a8, a9, \
a10, a11, a12, a13, a14, a15, a16) \
a10, a11, a12, a13, a14) \
(((props)->a1), ((props)->a2), ((props)->a3), ((props)->a4), \
((props)->a5), ((props)->a6), ((props)->a7), ((props)->a8), \
((props)->a9), ((props)->a10), ((props)->a11), ((props)->a12), \
((props)->a13), ((props)->a14), ((props)->a15), ((props)->a16), (props))
((props)->a13), ((props)->a14), (props))
#define TLS_CLIENT_INIT(props, a1, a2, a3, a4, a5, a6, a7, a8, a9, \
a10, a11, a12, a13, a14, a15, a16) \
a10, a11, a12, a13, a14) \
tls_client_init(TLS_CLIENT_INIT_ARGS(props, a1, a2, a3, a4, a5, \
a6, a7, a8, a9, a10, a11, a12, a13, a14, a15, a16))
a6, a7, a8, a9, a10, a11, a12, a13, a14))
#define TLS_CLIENT_START(props, a1, a2, a3, a4, a5, a6, a7, a8, a9, \
a10, a11, a12, a13, a14, a15, a16, a17) \

17
postfix/src/tls/tls_proxy.h
View File

@ -32,8 +32,10 @@
#ifdef USE_TLS
/*
* TLS_CLIENT_PARAMS structure. If this changes, update all
* TLS_CLIENT_PARAMS related functions in tls_proxy_client_*.c.
* TLS_CLIENT_PARAMS structure, to communicate global TLS library settings
* that are the same for all TLS client contexts. This information is used
* in tlsproxy(8) to detect inconsistencies. If this structure is changed,
* update all TLS_CLIENT_PARAMS related functions in tls_proxy_client_*.c.
*
* In the serialization these attributes are identified by their configuration
* parameter names.
@ -44,6 +46,8 @@
* VAR_TLS_SERVER_SNI_MAPS.
*/
typedef struct TLS_CLIENT_PARAMS {
char *tls_cnf_file;
char *tls_cnf_name;
char *tls_high_clist;
char *tls_medium_clist;
char *tls_null_clist;
@ -64,12 +68,12 @@ typedef struct TLS_CLIENT_PARAMS {
} TLS_CLIENT_PARAMS;
#define TLS_PROXY_PARAMS(params, a1, a2, a3, a4, a5, a6, a7, a8, \
a9, a10, a11, a12, a13, a14, a15, a16, a17) \
a9, a10, a11, a12, a13, a14, a15, a16, a17, a18, a19) \
(((params)->a1), ((params)->a2), ((params)->a3), \
((params)->a4), ((params)->a5), ((params)->a6), ((params)->a7), \
((params)->a8), ((params)->a9), ((params)->a10), ((params)->a11), \
((params)->a12), ((params)->a13), ((params)->a14), ((params)->a15), \
((params)->a16), ((params)->a17))
((params)->a16), ((params)->a17), ((params)->a18), ((params)->a19))
/*
* tls_proxy_client_param_misc.c, tls_proxy_client_param_print.c, and
@ -97,12 +101,11 @@ extern VSTREAM *tls_proxy_open(const char *, int, VSTREAM *, const char *,
void *, void *, void *);
#define TLS_PROXY_CLIENT_INIT_PROPS(props, a1, a2, a3, a4, a5, a6, a7, a8, \
a9, a10, a11, a12, a13, a14, a15, a16) \
a9, a10, a11, a12, a13, a14) \
(((props)->a1), ((props)->a2), ((props)->a3), \
((props)->a4), ((props)->a5), ((props)->a6), ((props)->a7), \
((props)->a8), ((props)->a9), ((props)->a10), ((props)->a11), \
((props)->a12), ((props)->a13), ((props)->a14), ((props)->a15), \
((props)->a16))
((props)->a12), ((props)->a13), ((props)->a14))
#define TLS_PROXY_CLIENT_START_PROPS(props, a1, a2, a3, a4, a5, a6, a7, a8, \
a9, a10, a11, a12, a13, a14) \

2
postfix/src/tls/tls_proxy_client_misc.c
View File

@ -66,6 +66,8 @@
TLS_CLIENT_PARAMS *tls_proxy_client_param_from_config(TLS_CLIENT_PARAMS *params)
{
TLS_PROXY_PARAMS(params,
tls_cnf_file = var_tls_cnf_file,
tls_cnf_name = var_tls_cnf_name,
tls_high_clist = var_tls_high_clist,
tls_medium_clist = var_tls_medium_clist,
tls_null_clist = var_tls_null_clist,

6
postfix/src/tls/tls_proxy_client_print.c
View File

@ -95,6 +95,8 @@ int tls_proxy_client_param_print(ATTR_PRINT_COMMON_FN print_fn, VSTREAM *fp,
msg_info("begin tls_proxy_client_param_print");
ret = print_fn(fp, flags | ATTR_FLAG_MORE,
SEND_ATTR_STR(TLS_ATTR_CNF_FILE, params->tls_cnf_file),
SEND_ATTR_STR(TLS_ATTR_CNF_NAME, params->tls_cnf_name),
SEND_ATTR_STR(VAR_TLS_HIGH_CLIST, params->tls_high_clist),
SEND_ATTR_STR(VAR_TLS_MEDIUM_CLIST,
params->tls_medium_clist),
@ -144,10 +146,6 @@ int tls_proxy_client_init_print(ATTR_PRINT_COMMON_FN print_fn, VSTREAM *fp,
#define STRING_OR_EMPTY(s) ((s) ? (s) : "")
ret = print_fn(fp, flags | ATTR_FLAG_MORE,
SEND_ATTR_STR(TLS_ATTR_CNF_FILE,
STRING_OR_EMPTY(props->cnf_file)),
SEND_ATTR_STR(TLS_ATTR_CNF_NAME,
STRING_OR_EMPTY(props->cnf_name)),
SEND_ATTR_STR(TLS_ATTR_LOG_PARAM,
STRING_OR_EMPTY(props->log_param)),
SEND_ATTR_STR(TLS_ATTR_LOG_LEVEL,

20
postfix/src/tls/tls_proxy_client_scan.c
View File

@ -121,6 +121,8 @@
void tls_proxy_client_param_free(TLS_CLIENT_PARAMS *params)
{
myfree(params->tls_cnf_file);
myfree(params->tls_cnf_name);
myfree(params->tls_high_clist);
myfree(params->tls_medium_clist);
myfree(params->tls_null_clist);
@ -144,6 +146,8 @@ int tls_proxy_client_param_scan(ATTR_SCAN_COMMON_FN scan_fn, VSTREAM *fp,
TLS_CLIENT_PARAMS *params
= (TLS_CLIENT_PARAMS *) mymalloc(sizeof(*params));
int ret;
VSTRING *cnf_file = vstring_alloc(25);
VSTRING *cnf_name = vstring_alloc(25);
VSTRING *tls_high_clist = vstring_alloc(25);
VSTRING *tls_medium_clist = vstring_alloc(25);
VSTRING *tls_null_clist = vstring_alloc(25);
@ -165,6 +169,8 @@ int tls_proxy_client_param_scan(ATTR_SCAN_COMMON_FN scan_fn, VSTREAM *fp,
*/
memset(params, 0, sizeof(*params));
ret = scan_fn(fp, flags | ATTR_FLAG_MORE,
RECV_ATTR_STR(TLS_ATTR_CNF_FILE, cnf_file),
RECV_ATTR_STR(TLS_ATTR_CNF_NAME, cnf_name),
RECV_ATTR_STR(VAR_TLS_HIGH_CLIST, tls_high_clist),
RECV_ATTR_STR(VAR_TLS_MEDIUM_CLIST, tls_medium_clist),
RECV_ATTR_STR(VAR_TLS_NULL_CLIST, tls_null_clist),
@ -189,6 +195,8 @@ int tls_proxy_client_param_scan(ATTR_SCAN_COMMON_FN scan_fn, VSTREAM *fp,
&params->tls_multi_wildcard),
ATTR_TYPE_END);
/* Always construct a well-formed structure. */
params->tls_cnf_file = vstring_export(cnf_file);
params->tls_cnf_name = vstring_export(cnf_name);
params->tls_high_clist = vstring_export(tls_high_clist);
params->tls_medium_clist = vstring_export(tls_medium_clist);
params->tls_null_clist = vstring_export(tls_null_clist);
@ -202,7 +210,7 @@ int tls_proxy_client_param_scan(ATTR_SCAN_COMMON_FN scan_fn, VSTREAM *fp,
params->tls_mgr_service = vstring_export(tls_mgr_service);
params->tls_tkt_cipher = vstring_export(tls_tkt_cipher);
ret = (ret == 17 ? 1 : -1);
ret = (ret == 19 ? 1 : -1);
if (ret != 1) {
tls_proxy_client_param_free(params);
params = 0;
@ -217,8 +225,6 @@ int tls_proxy_client_param_scan(ATTR_SCAN_COMMON_FN scan_fn, VSTREAM *fp,
void tls_proxy_client_init_free(TLS_CLIENT_INIT_PROPS *props)
{
myfree((void *) props->cnf_file);
myfree((void *) props->cnf_name);
myfree((void *) props->log_param);
myfree((void *) props->log_level);
myfree((void *) props->cache_type);
@ -243,8 +249,6 @@ int tls_proxy_client_init_scan(ATTR_SCAN_COMMON_FN scan_fn, VSTREAM *fp,
TLS_CLIENT_INIT_PROPS *props
= (TLS_CLIENT_INIT_PROPS *) mymalloc(sizeof(*props));
int ret;
VSTRING *cnf_file = vstring_alloc(25);
VSTRING *cnf_name = vstring_alloc(25);
VSTRING *log_param = vstring_alloc(25);
VSTRING *log_level = vstring_alloc(25);
VSTRING *cache_type = vstring_alloc(25);
@ -267,8 +271,6 @@ int tls_proxy_client_init_scan(ATTR_SCAN_COMMON_FN scan_fn, VSTREAM *fp,
*/
memset(props, 0, sizeof(*props));
ret = scan_fn(fp, flags | ATTR_FLAG_MORE,
RECV_ATTR_STR(TLS_ATTR_CNF_FILE, cnf_file),
RECV_ATTR_STR(TLS_ATTR_CNF_NAME, cnf_name),
RECV_ATTR_STR(TLS_ATTR_LOG_PARAM, log_param),
RECV_ATTR_STR(TLS_ATTR_LOG_LEVEL, log_level),
RECV_ATTR_INT(TLS_ATTR_VERIFYDEPTH, &props->verifydepth),
@ -285,8 +287,6 @@ int tls_proxy_client_init_scan(ATTR_SCAN_COMMON_FN scan_fn, VSTREAM *fp,
RECV_ATTR_STR(TLS_ATTR_MDALG, mdalg),
ATTR_TYPE_END);
/* Always construct a well-formed structure. */
props->cnf_file = vstring_export(cnf_file);
props->cnf_name = vstring_export(cnf_name);
props->log_param = vstring_export(log_param);
props->log_level = vstring_export(log_level);
props->cache_type = vstring_export(cache_type);
@ -300,7 +300,7 @@ int tls_proxy_client_init_scan(ATTR_SCAN_COMMON_FN scan_fn, VSTREAM *fp,
props->CAfile = vstring_export(CAfile);
props->CApath = vstring_export(CApath);
props->mdalg = vstring_export(mdalg);
ret = (ret == 16 ? 1 : -1);
ret = (ret == 14 ? 1 : -1);
if (ret != 1) {
tls_proxy_client_init_free(props);
props = 0;

2
postfix/src/tlsproxy/tlsproxy.c
View File

@ -1742,8 +1742,6 @@ static void pre_jail_init_client(void)
*/
(void) tls_proxy_client_param_from_config(&tls_params);
(void) TLS_CLIENT_INIT_ARGS(&init_props,
cnf_file = var_tls_cnf_file,
cnf_name = var_tls_cnf_name,
log_param = var_tlsp_clnt_logparam,
log_level = var_tlsp_clnt_loglevel,
verifydepth = var_tlsp_clnt_scert_vd,