diff --git a/postfix/HISTORY b/postfix/HISTORY
index c0119def5..a23dcad81 100644
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -24114,3 +24114,17 @@ Apologies for any names omitted. Documentation: global TLS settings. Files: mantools/postlink, smtp/smtp.c, tlsproxy/tlsproxy.c.
+
+20190211
+
+ Cleanup: removed obsolete parameters: tls_dane_digest_agility,
+ tls_dane_trust_anchor_digest_enable; removed openssl_path
+ parameter from configuration difference checks in tlsproxy.
+ Files: global/mail_params.h, tls/tls_misc.c,
+ tls/tls_proxy_client_misc.c, tls/tls_proxy_client_print.c,
+ tls/tls_proxy_client_scan.c, tls/tls_proxy.h.
+
+20190212
+
+ Cleanup: missing #ifdef USE_TLS. Files: smtp/smtp_session.c,
+ posttls-finger/posttls-finger.c.
diff --git a/postfix/src/global/mail_params.h b/postfix/src/global/mail_params.h
index 575a5b07e..638daa15d 100644
--- a/postfix/src/global/mail_params.h
+++ b/postfix/src/global/mail_params.h
@@ -3323,16 +3323,6 @@ extern bool var_tls_bc_pkey_fprint; #define DEF_TLS_SERVER_SNI_MAPS "" extern char *var_tls_server_sni_maps; - /* - * Ordered list of DANE digest algorithms. - */ -#define TLS_DANE_AGILITY_OFF "off" -#define TLS_DANE_AGILITY_ON "on" -#define TLS_DANE_AGILITY_MAYBE "maybe" -#define VAR_TLS_DANE_AGILITY "tls_dane_digest_agility" -#define DEF_TLS_DANE_AGILITY TLS_DANE_AGILITY_ON -extern char *var_tls_dane_agility; - /* * Ordered list of DANE digest algorithms. */
@@ -3340,15 +3330,6 @@ extern char *var_tls_dane_agility; #define DEF_TLS_DANE_DIGESTS "sha512 sha256" extern char *var_tls_dane_digests; - /* - * External interface for enabling trust-anchor digests, which are risky - * when the corresponding certificate is missing from the peer chain (this - * can't happen with the leaf certificate). - */ -#define VAR_TLS_DANE_TAA_DGST "tls_dane_trust_anchor_digest_enable" -#define DEF_TLS_DANE_TAA_DGST 1 -extern bool var_tls_dane_taa_dgst; - /* * Sendmail-style mail filter support. */ 
diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h
index f0738ca9f..5e6d64fb3 100644
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,7 +20,7 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */
-#define MAIL_RELEASE_DATE "20190210"
+#define MAIL_RELEASE_DATE "20190212"
 #define MAIL_VERSION_NUMBER "3.5"
 #ifdef SNAPSHOT
diff --git a/postfix/src/posttls-finger/posttls-finger.c b/postfix/src/posttls-finger/posttls-finger.c
index f623b8329..c142d43f5 100644
--- a/postfix/src/posttls-finger/posttls-finger.c
+++ b/postfix/src/posttls-finger/posttls-finger.c
@@ -1987,8 +1987,10 @@ static void parse_options(STATE *state, int argc, char *argv[]) if (state->addr_pref < 0) msg_fatal("bad '-a' option value: %s", state->options.addr_pref);
+#ifdef USE_TLS
 if (state->tlsproxy_mode && state->reconnect) msg_fatal("The -X and -r options are mutually exclusive");
+#endif
 /* * Select hostname lookup mechanisms.
diff --git a/postfix/src/smtp/smtp_session.c b/postfix/src/smtp/smtp_session.c
index 6983b17b1..1b3a20e9c 100644
--- a/postfix/src/smtp/smtp_session.c
+++ b/postfix/src/smtp/smtp_session.c
@@ -336,11 +336,16 @@ SMTP_SESSION *smtp_session_activate(int fd, SMTP_ITERATOR *iter, TLS_SESS_STATE *tls_context = 0; SMTP_TLS_POLICY *tls = iter->parent->tls;
+#define TLS_PROXY_CONTEXT_FREE() do { \
+ if (tls_context) \
+ tls_proxy_context_free(tls_context); \
+ } while (0)
+#else
+#define TLS_PROXY_CONTEXT_FREE() /* nothing */
 #endif
 #define SMTP_SESSION_ACTIVATE_ERR_RETURN() do { \
- if (tls_context) \
- tls_proxy_context_free(tls_context); \
+ TLS_PROXY_CONTEXT_FREE(); \
 return (0); \
 } while (0) 
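Review bot: The new `#ifdef USE_TLS` around the `-X`/`-r` exclusivity check carries no comment, while the `-a` check immediately above it stays unconditional, so a later reader cannot tell whether the guard protects a field that exists only in TLS builds or deliberately drops the check without TLS. Presumably `state->tlsproxy_mode` is declared only under `USE_TLS`; if that is the reason, a one-line comment such as `/* tlsproxy_mode is only declared with USE_TLS. */` above the `#ifdef` would record it. If the option parser still accepts `-X` in a non-TLS build, that combination is now silently accepted instead of rejected — worth confirming against the getopt loop, which is outside this hunk. parse_options() starts and ends outside the hunk.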
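Review bot: `TLS_PROXY_CONTEXT_FREE()` is defined at function scope but never `#undef`'d, so — like the existing `SMTP_SESSION_ACTIVATE_ERR_RETURN` — it stays visible for the remainder of smtp_session.c, and in non-TLS builds that is the empty `/* nothing */` variant; a `#undef TLS_PROXY_CONTEXT_FREE` after the last use of the error-return macro would keep it local. The macro also deserves a line stating why it exists, e.g. `/* tls_context is declared only under USE_TLS; the error-return macro must compile in both builds. */`. The `#ifdef USE_TLS` that this `#else` belongs to is outside the hunk, as is most of smtp_session_activate(); once the second hunk of this file does `session->tls_context = tls_context;`, the session owns the context, so any `SMTP_SESSION_ACTIVATE_ERR_RETURN()` reachable after that point would free what the session now references — worth confirming that no such return exists there.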
@@ -416,7 +421,9 @@ SMTP_SESSION *smtp_session_activate(int fd, SMTP_ITERATOR *iter, (time_t) 0, NO_FLAGS); session->features = (endp_features | dest_features | SMTP_FEATURE_FROM_CACHE);
+#ifdef USE_TLS
 session->tls_context = tls_context;
+#endif
 CACHE_THIS_SESSION_UNTIL(expire_time); session->reuse_count = ++reuse_count;
diff --git a/postfix/src/tls/tls_misc.c b/postfix/src/tls/tls_misc.c
index 51cbd3530..01dda8a97 100644
--- a/postfix/src/tls/tls_misc.c
+++ b/postfix/src/tls/tls_misc.c
@@ -37,11 +37,9 @@ /* char *var_tls_eecdh_auto; /* char *var_tls_eecdh_strong; /* char *var_tls_eecdh_ultra;
-/* char *var_tls_dane_agility;
 /* char *var_tls_dane_digests; /* int var_tls_daemon_rand_bytes; /* bool var_tls_append_def_CA;
-/* bool var_tls_dane_taa_dgst;
 /* bool var_tls_preempt_clist; /* bool var_tls_bc_pkey_fprint; /* bool var_tls_multi_wildcard;
@@ -284,13 +282,11 @@ int var_tls_daemon_rand_bytes; char *var_tls_eecdh_auto; char *var_tls_eecdh_strong; char *var_tls_eecdh_ultra;
-char *var_tls_dane_agility;
 char *var_tls_dane_digests; bool var_tls_append_def_CA; char *var_tls_bug_tweaks; char *var_tls_ssl_options; bool var_tls_bc_pkey_fprint;
-bool var_tls_dane_taa_dgst;
 bool var_tls_multi_wildcard; char *var_tls_mgr_service; char *var_tls_tkt_cipher;
@@ -724,6 +720,7 @@ int tls_protocol_mask(const char *plist) void tls_param_init(void) {
+ /* If this changes, update TLS_CLIENT_PARAMS in tls_proxy.h. */
 static const CONFIG_STR_TABLE str_table[] = { VAR_TLS_HIGH_CLIST, DEF_TLS_HIGH_CLIST, &var_tls_high_clist, 1, 0, VAR_TLS_MEDIUM_CLIST, DEF_TLS_MEDIUM_CLIST, &var_tls_medium_clist, 1, 0, 
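Review bot: The comment `/* If this changes, update TLS_CLIENT_PARAMS in tls_proxy.h. */` added above `str_table` is not accurate for that table: the next hunk keeps the `VAR_OPENSSL_PATH` entry in `str_table`, while this same commit removes `openssl_path` from `TLS_CLIENT_PARAMS` and adds a note in tls_proxy.h that it is excluded. A reader following the comment literally would re-add the field. Suggest `/* Mirrored in TLS_CLIENT_PARAMS (tls_proxy.h), except openssl_path; keep both in sync. */` here; the shorter wording is fine for the `int_table` and `bool_table` copies in the next hunk, which are mirrored in full. tls_param_init() continues past the end of the hunk.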
@@ -735,21 +732,21 @@ void tls_param_init(void) VAR_TLS_EECDH_ULTRA, DEF_TLS_EECDH_ULTRA, &var_tls_eecdh_ultra, 1, 0, VAR_TLS_BUG_TWEAKS, DEF_TLS_BUG_TWEAKS, &var_tls_bug_tweaks, 0, 0, VAR_TLS_SSL_OPTIONS, DEF_TLS_SSL_OPTIONS, &var_tls_ssl_options, 0, 0,
- VAR_TLS_DANE_AGILITY, DEF_TLS_DANE_AGILITY, &var_tls_dane_agility, 1, 0,
 VAR_TLS_DANE_DIGESTS, DEF_TLS_DANE_DIGESTS, &var_tls_dane_digests, 1, 0, VAR_TLS_MGR_SERVICE, DEF_TLS_MGR_SERVICE, &var_tls_mgr_service, 1, 0, VAR_TLS_TKT_CIPHER, DEF_TLS_TKT_CIPHER, &var_tls_tkt_cipher, 0, 0, VAR_OPENSSL_PATH, DEF_OPENSSL_PATH, &var_openssl_path, 1, 0, 0, };
+ /* If this changes, update TLS_CLIENT_PARAMS in tls_proxy.h. */
 static const CONFIG_INT_TABLE int_table[] = { VAR_TLS_DAEMON_RAND_BYTES, DEF_TLS_DAEMON_RAND_BYTES, &var_tls_daemon_rand_bytes, 1, 0, 0, };
+ /* If this changes, update TLS_CLIENT_PARAMS in tls_proxy.h. */
 static const CONFIG_BOOL_TABLE bool_table[] = { VAR_TLS_APPEND_DEF_CA, DEF_TLS_APPEND_DEF_CA, &var_tls_append_def_CA, VAR_TLS_BC_PKEY_FPRINT, DEF_TLS_BC_PKEY_FPRINT, &var_tls_bc_pkey_fprint,
- VAR_TLS_DANE_TAA_DGST, DEF_TLS_DANE_TAA_DGST, &var_tls_dane_taa_dgst,
 VAR_TLS_PREEMPT_CLIST, DEF_TLS_PREEMPT_CLIST, &var_tls_preempt_clist, VAR_TLS_MULTI_WILDCARD, DEF_TLS_MULTI_WILDCARD, &var_tls_multi_wildcard, 0,
diff --git a/postfix/src/tls/tls_proxy.h b/postfix/src/tls/tls_proxy.h
index 4a9db08fb..3a899b954 100644
--- a/postfix/src/tls/tls_proxy.h
+++ b/postfix/src/tls/tls_proxy.h
@@ -38,6 +38,8 @@ * In the serialization these attributes are identified by their configuration * parameter names. *
+ * NOTE: this does not include openssl_path.
+ *
 * TODO: TLS_SERVER_PARAM structure, like TLS_CLIENT_PARAMS plus * VAR_TLS_SERVER_SNI_MAPS. */ 
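Review bot: `* NOTE: this does not include openssl_path.` records the exclusion but not the reason, so the next person extending `TLS_CLIENT_PARAMS` has to dig through history to learn whether the omission is intentional. The HISTORY entry in this commit says openssl_path was removed from the configuration-difference checks between the client and tlsproxy; say that here, e.g. `* NOTE: openssl_path is deliberately not included; it is not part of the client/tlsproxy configuration consistency check.` The comment block continues outside the hunk on both sides.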
@@ -52,27 +54,23 @@ typedef struct TLS_CLIENT_PARAMS { char *tls_eecdh_ultra; char *tls_bug_tweaks; char *tls_ssl_options;
- char *tls_dane_agility;
 char *tls_dane_digests; char *tls_mgr_service; char *tls_tkt_cipher;
- char *openssl_path;
 int tls_daemon_rand_bytes; int tls_append_def_CA; int tls_bc_pkey_fprint;
- int tls_dane_taa_dgst;
 int tls_preempt_clist; int tls_multi_wildcard; } TLS_CLIENT_PARAMS;
 #define TLS_PROXY_PARAMS(params, a1, a2, a3, a4, a5, a6, a7, a8, \
- a9, a10, a11, a12, a13, a14, a15, a16, a17, a18, a19, a20, a21) \
+ a9, a10, a11, a12, a13, a14, a15, a16, a17, a18) \
 (((params)->a1), ((params)->a2), ((params)->a3), \
 ((params)->a4), ((params)->a5), ((params)->a6), ((params)->a7), \
 ((params)->a8), ((params)->a9), ((params)->a10), ((params)->a11), \
 ((params)->a12), ((params)->a13), ((params)->a14), ((params)->a15), \
- ((params)->a16), ((params)->a17), ((params)->a18), ((params)->a19), \
- ((params)->a20), ((params)->a21))
+ ((params)->a16), ((params)->a17), ((params)->a18))
 /* * tls_proxy_client_param_misc.c, tls_proxy_client_param_print.c, and
diff --git a/postfix/src/tls/tls_proxy_client_misc.c b/postfix/src/tls/tls_proxy_client_misc.c
index 2c67f62ad..6c4158563 100644
--- a/postfix/src/tls/tls_proxy_client_misc.c
+++ b/postfix/src/tls/tls_proxy_client_misc.c 
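Review bot: The field count of `TLS_CLIENT_PARAMS` is now encoded in three unrelated places with nothing tying them together — the 18-argument `TLS_PROXY_PARAMS` macro here, the `ret == 18` check in tls_proxy_client_param_scan() (last hunk of tls_proxy_client_scan.c), and the hand-counted `%s`/`%d` conversions in tls_proxy_client_misc.c — and the old code had the same three copies at 21, which is why this commit had to touch each one. Define the count once beside the struct, `#define TLS_CLIENT_PARAMS_COUNT 18 /* fields serialized; keep in sync with TLS_PROXY_PARAMS */`, and make the scan compare against it, `ret = (ret == TLS_CLIENT_PARAMS_COUNT ? 1 : -1);`, so a future field addition fails in one obvious place instead of silently rejecting every tlsproxy handshake. The opening of the struct is outside the hunk.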
@@ -88,15 +88,12 @@ TLS_CLIENT_PARAMS *tls_proxy_client_param_from_config(TLS_CLIENT_PARAMS *params) tls_eecdh_ultra = var_tls_eecdh_ultra, tls_bug_tweaks = var_tls_bug_tweaks, tls_ssl_options = var_tls_ssl_options,
- tls_dane_agility = var_tls_dane_agility,
 tls_dane_digests = var_tls_dane_digests, tls_mgr_service = var_tls_mgr_service, tls_tkt_cipher = var_tls_tkt_cipher,
- openssl_path = var_openssl_path,
 tls_daemon_rand_bytes = var_tls_daemon_rand_bytes, tls_append_def_CA = var_tls_append_def_CA, tls_bc_pkey_fprint = var_tls_bc_pkey_fprint,
- tls_dane_taa_dgst = var_tls_dane_taa_dgst,
 tls_preempt_clist = var_tls_preempt_clist, tls_multi_wildcard = var_tls_multi_wildcard); return (params);
@@ -107,18 +104,16 @@ TLS_CLIENT_PARAMS *tls_proxy_client_param_from_config(TLS_CLIENT_PARAMS *params) char *tls_proxy_client_param_to_string(VSTRING *buf, TLS_CLIENT_PARAMS *params) { vstring_sprintf(buf, "%s\n%s\n%s\n%s\n%s\n%s\n%s\n%s\n%s\n%s\n%s\n"
- "%s\n%s\n%s\n%s\n%d\n%d\n%d\n%d\n%d\n%d\n",
+ "%s\n%s\n%d\n%d\n%d\n%d\n%d\n",
 params->tls_high_clist, params->tls_medium_clist, params->tls_low_clist, params->tls_export_clist, params->tls_null_clist, params->tls_eecdh_auto, params->tls_eecdh_strong, params->tls_eecdh_ultra, params->tls_bug_tweaks, params->tls_ssl_options,
- params->tls_dane_agility, params->tls_dane_digests,
- params->tls_mgr_service, params->tls_tkt_cipher,
- params->openssl_path, params->tls_daemon_rand_bytes,
+ params->tls_dane_digests, params->tls_mgr_service,
+ params->tls_tkt_cipher, params->tls_daemon_rand_bytes,
 params->tls_append_def_CA, params->tls_bc_pkey_fprint,
- params->tls_dane_taa_dgst, params->tls_preempt_clist,
- params->tls_multi_wildcard);
+ params->tls_preempt_clist, params->tls_multi_wildcard);
 return (vstring_str(buf)); } 
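Review bot: The rewritten format string in tls_proxy_client_param_to_string() must still be counted by hand against the argument list — 13 `%s` then 5 `%d` split across two literals — and nothing records that the order has to match the `TLS_CLIENT_PARAMS` field order also used by tls_proxy_client_param_with_names_to_string() in the next hunk and by the print/scan routines; a miscount here is a varargs type mismatch that the compiler does not necessarily catch. A comment before the call, `/* One conversion per TLS_CLIENT_PARAMS field, in declaration order: 13 strings, then 5 ints. */`, would make the next edit checkable by inspection. The same note applies to the with-names variant in the following hunk; the function's closing brace is the last line of this hunk.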
@@ -128,7 +123,7 @@ char *tls_proxy_client_param_with_names_to_string(VSTRING *buf, TLS_CLIENT_PAR { vstring_sprintf(buf, "%s = %s\n%s = %s\n%s = %s\n%s = %s\n%s = %s\n" "%s = %s\n%s = %s\n%s = %s\n%s = %s\n%s = %s\n%s = %s\n"
- "%s = %s\n%s = %s\n%s = %s\n%s = %s\n%s = %d\n%s = %d\n"
+ "%s = %s\n%s = %s\n%s = %d\n"
 "%s = %d\n%s = %d\n%s = %d\n%s = %d\n", VAR_TLS_HIGH_CLIST, params->tls_high_clist, VAR_TLS_MEDIUM_CLIST, params->tls_medium_clist,
@@ -140,15 +135,12 @@ char *tls_proxy_client_param_with_names_to_string(VSTRING *buf, TLS_CLIENT_PAR VAR_TLS_EECDH_ULTRA, params->tls_eecdh_ultra, VAR_TLS_BUG_TWEAKS, params->tls_bug_tweaks, VAR_TLS_SSL_OPTIONS, params->tls_ssl_options,
- VAR_TLS_DANE_AGILITY, params->tls_dane_agility,
 VAR_TLS_DANE_DIGESTS, params->tls_dane_digests, VAR_TLS_MGR_SERVICE, params->tls_mgr_service, VAR_TLS_TKT_CIPHER, params->tls_tkt_cipher,
- VAR_OPENSSL_PATH, params->openssl_path,
 VAR_TLS_DAEMON_RAND_BYTES, params->tls_daemon_rand_bytes, VAR_TLS_APPEND_DEF_CA, params->tls_append_def_CA, VAR_TLS_BC_PKEY_FPRINT, params->tls_bc_pkey_fprint,
- VAR_TLS_DANE_TAA_DGST, params->tls_dane_taa_dgst,
 VAR_TLS_PREEMPT_CLIST, params->tls_preempt_clist, VAR_TLS_MULTI_WILDCARD, params->tls_multi_wildcard); return (vstring_str(buf));
diff --git a/postfix/src/tls/tls_proxy_client_print.c b/postfix/src/tls/tls_proxy_client_print.c
index 0aa245fd4..68fb56b17 100644
--- a/postfix/src/tls/tls_proxy_client_print.c
+++ b/postfix/src/tls/tls_proxy_client_print.c 
@@ -110,22 +110,17 @@ int tls_proxy_client_param_print(ATTR_PRINT_MASTER_FN print_fn, VSTREAM *fp, SEND_ATTR_STR(VAR_TLS_BUG_TWEAKS, params->tls_bug_tweaks), SEND_ATTR_STR(VAR_TLS_SSL_OPTIONS, params->tls_ssl_options),
- SEND_ATTR_STR(VAR_TLS_DANE_AGILITY,
- params->tls_dane_agility),
 SEND_ATTR_STR(VAR_TLS_DANE_DIGESTS, params->tls_dane_digests), SEND_ATTR_STR(VAR_TLS_MGR_SERVICE, params->tls_mgr_service), SEND_ATTR_STR(VAR_TLS_TKT_CIPHER, params->tls_tkt_cipher),
- SEND_ATTR_STR(VAR_OPENSSL_PATH, params->openssl_path),
 SEND_ATTR_INT(VAR_TLS_DAEMON_RAND_BYTES, params->tls_daemon_rand_bytes), SEND_ATTR_INT(VAR_TLS_APPEND_DEF_CA, params->tls_append_def_CA), SEND_ATTR_INT(VAR_TLS_BC_PKEY_FPRINT, params->tls_bc_pkey_fprint),
- SEND_ATTR_INT(VAR_TLS_DANE_TAA_DGST,
- params->tls_dane_taa_dgst),
 SEND_ATTR_INT(VAR_TLS_PREEMPT_CLIST, params->tls_preempt_clist), SEND_ATTR_INT(VAR_TLS_MULTI_WILDCARD,
diff --git a/postfix/src/tls/tls_proxy_client_scan.c b/postfix/src/tls/tls_proxy_client_scan.c
index 61aa6ef2e..4c748ae3c 100644
--- a/postfix/src/tls/tls_proxy_client_scan.c
+++ b/postfix/src/tls/tls_proxy_client_scan.c
@@ -130,11 +130,9 @@ void tls_proxy_client_param_free(TLS_CLIENT_PARAMS *params) myfree(params->tls_eecdh_ultra); myfree(params->tls_bug_tweaks); myfree(params->tls_ssl_options);
- myfree(params->tls_dane_agility);
 myfree(params->tls_dane_digests); myfree(params->tls_mgr_service); myfree(params->tls_tkt_cipher);
- myfree(params->openssl_path);
 myfree((void *) params); } 
@@ -156,11 +154,9 @@ int tls_proxy_client_param_scan(ATTR_SCAN_MASTER_FN scan_fn, VSTREAM *fp, VSTRING *tls_eecdh_ultra = vstring_alloc(25); VSTRING *tls_bug_tweaks = vstring_alloc(25); VSTRING *tls_ssl_options = vstring_alloc(25);
- VSTRING *tls_dane_agility = vstring_alloc(25);
 VSTRING *tls_dane_digests = vstring_alloc(25); VSTRING *tls_mgr_service = vstring_alloc(25); VSTRING *tls_tkt_cipher = vstring_alloc(25);
- VSTRING *openssl_path = vstring_alloc(25);
 if (msg_verbose) msg_info("begin tls_proxy_client_param_scan");
@@ -180,19 +176,15 @@ int tls_proxy_client_param_scan(ATTR_SCAN_MASTER_FN scan_fn, VSTREAM *fp, RECV_ATTR_STR(VAR_TLS_EECDH_ULTRA, tls_eecdh_ultra), RECV_ATTR_STR(VAR_TLS_BUG_TWEAKS, tls_bug_tweaks), RECV_ATTR_STR(VAR_TLS_SSL_OPTIONS, tls_ssl_options),
- RECV_ATTR_STR(VAR_TLS_DANE_AGILITY, tls_dane_agility),
 RECV_ATTR_STR(VAR_TLS_DANE_DIGESTS, tls_dane_digests), RECV_ATTR_STR(VAR_TLS_MGR_SERVICE, tls_mgr_service), RECV_ATTR_STR(VAR_TLS_TKT_CIPHER, tls_tkt_cipher),
- RECV_ATTR_STR(VAR_OPENSSL_PATH, openssl_path),
 RECV_ATTR_INT(VAR_TLS_DAEMON_RAND_BYTES, ¶ms->tls_daemon_rand_bytes), RECV_ATTR_INT(VAR_TLS_APPEND_DEF_CA, ¶ms->tls_append_def_CA), RECV_ATTR_INT(VAR_TLS_BC_PKEY_FPRINT, ¶ms->tls_bc_pkey_fprint),
- RECV_ATTR_INT(VAR_TLS_DANE_TAA_DGST,
- ¶ms->tls_dane_taa_dgst),
 RECV_ATTR_INT(VAR_TLS_PREEMPT_CLIST, ¶ms->tls_preempt_clist), RECV_ATTR_INT(VAR_TLS_MULTI_WILDCARD, 
@@ -209,13 +201,11 @@ int tls_proxy_client_param_scan(ATTR_SCAN_MASTER_FN scan_fn, VSTREAM *fp, params->tls_eecdh_ultra = vstring_export(tls_eecdh_ultra); params->tls_bug_tweaks = vstring_export(tls_bug_tweaks); params->tls_ssl_options = vstring_export(tls_ssl_options);
- params->tls_dane_agility = vstring_export(tls_dane_agility);
 params->tls_dane_digests = vstring_export(tls_dane_digests); params->tls_mgr_service = vstring_export(tls_mgr_service); params->tls_tkt_cipher = vstring_export(tls_tkt_cipher);
- params->openssl_path = vstring_export(openssl_path);
- ret = (ret == 21 ? 1 : -1);
+ ret = (ret == 18 ? 1 : -1);
 if (ret != 1) { tls_proxy_client_param_free(params); params = 0;