tls/tls_misc.c, tls/tls_proxy_client_print.c,
tls/tls_proxy_client_scan.c, tls/tls_proxy.h, tls/tls_server.c,
tlsproxy/tlsproxy.c.
+
+20230523
+
+ Cleanup: use TLS_CLIENT_PARAMS to pass the OpensSSL 'init'
+ configuration settings. These are global, i.e. apply to all
+ client TLS contexts, and they do not belong in tls_client_init()
+ or tls_client_start() calls. The tlsproxy(8) server uses
+ TLS_CLIENT_PARAMS information to warn about differences
+ between its own global TLS settings, and those from its
+ clients. Files: posttls-finger/posttls-finger.c, smtp/smtp.c,
+ smtp/smtp_proto.c, tls/tls.h, tls/tls_proxy_client_misc.c,
+ tls/tls_proxy_client_print.c, tls/tls_proxy_client_scan.c,
+ tls/tls_proxy.h, tlsproxy/tlsproxy.c.
Wish list:
- In tlsproxy, diff the server-side TLS library settings
- against those from a tlsproxy client, and make sure that
- the diff covers the new cnf_file and cnf_name properties.
-
Things to do before the stable release:
make pre-release-check, HTML validator check.
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20230521"
+#define MAIL_RELEASE_DATE "20230523"
#define MAIL_VERSION_NUMBER "3.9"
#ifdef SNAPSHOT
* Send all our wishes in one big request.
*/
TLS_PROXY_CLIENT_INIT_PROPS(&init_props,
- cnf_file = var_tls_cnf_file,
- cnf_name = var_tls_cnf_name,
log_param = "-L option",
log_level = state->options.logopts,
verifydepth = DEF_SMTP_TLS_SCERT_VD,
/* Needed for tls_dane_avail() and other DANE-related processing. */
state->tls_ctx =
TLS_CLIENT_INIT(&props,
- cnf_file = var_tls_cnf_file,
- cnf_name = var_tls_cnf_name,
log_param = "-L option",
log_level = state->options.logopts,
verifydepth = DEF_SMTP_TLS_SCERT_VD,
*/
smtp_tls_ctx =
TLS_CLIENT_INIT(&props,
- cnf_file = var_tls_cnf_file,
- cnf_name = var_tls_cnf_name,
log_param = VAR_LMTP_SMTP(TLS_LOGLEVEL),
log_level = var_smtp_tls_loglevel,
verifydepth = var_smtp_tls_scert_vd,
* Send all our wishes in one big request.
*/
TLS_PROXY_CLIENT_INIT_PROPS(&init_props,
- cnf_file = var_tls_cnf_file,
- cnf_name = var_tls_cnf_name,
log_param = VAR_LMTP_SMTP(TLS_LOGLEVEL),
log_level = var_smtp_tls_loglevel,
verifydepth = var_smtp_tls_scert_vd,
* tls_client.c
*/
typedef struct {
- const char *cnf_file;
- const char *cnf_name;
const char *log_param;
const char *log_level;
int verifydepth;
tls_session_stop(ctx, (stream), (timeout), (failure), (TLScontext))
#define TLS_CLIENT_INIT_ARGS(props, a1, a2, a3, a4, a5, a6, a7, a8, a9, \
- a10, a11, a12, a13, a14, a15, a16) \
+ a10, a11, a12, a13, a14) \
(((props)->a1), ((props)->a2), ((props)->a3), ((props)->a4), \
((props)->a5), ((props)->a6), ((props)->a7), ((props)->a8), \
((props)->a9), ((props)->a10), ((props)->a11), ((props)->a12), \
- ((props)->a13), ((props)->a14), ((props)->a15), ((props)->a16), (props))
+ ((props)->a13), ((props)->a14), (props))
#define TLS_CLIENT_INIT(props, a1, a2, a3, a4, a5, a6, a7, a8, a9, \
- a10, a11, a12, a13, a14, a15, a16) \
+ a10, a11, a12, a13, a14) \
tls_client_init(TLS_CLIENT_INIT_ARGS(props, a1, a2, a3, a4, a5, \
- a6, a7, a8, a9, a10, a11, a12, a13, a14, a15, a16))
+ a6, a7, a8, a9, a10, a11, a12, a13, a14))
#define TLS_CLIENT_START(props, a1, a2, a3, a4, a5, a6, a7, a8, a9, \
a10, a11, a12, a13, a14, a15, a16, a17) \
#ifdef USE_TLS
/*
- * TLS_CLIENT_PARAMS structure. If this changes, update all
- * TLS_CLIENT_PARAMS related functions in tls_proxy_client_*.c.
+ * TLS_CLIENT_PARAMS structure, to communicate global TLS library settings
+ * that are the same for all TLS client contexts. This information is used
+ * in tlsproxy(8) to detect inconsistencies. If this structure is changed,
+ * update all TLS_CLIENT_PARAMS related functions in tls_proxy_client_*.c.
*
* In the serialization these attributes are identified by their configuration
* parameter names.
* VAR_TLS_SERVER_SNI_MAPS.
*/
typedef struct TLS_CLIENT_PARAMS {
+ char *tls_cnf_file;
+ char *tls_cnf_name;
char *tls_high_clist;
char *tls_medium_clist;
char *tls_null_clist;
} TLS_CLIENT_PARAMS;
#define TLS_PROXY_PARAMS(params, a1, a2, a3, a4, a5, a6, a7, a8, \
- a9, a10, a11, a12, a13, a14, a15, a16, a17) \
+ a9, a10, a11, a12, a13, a14, a15, a16, a17, a18, a19) \
(((params)->a1), ((params)->a2), ((params)->a3), \
((params)->a4), ((params)->a5), ((params)->a6), ((params)->a7), \
((params)->a8), ((params)->a9), ((params)->a10), ((params)->a11), \
((params)->a12), ((params)->a13), ((params)->a14), ((params)->a15), \
- ((params)->a16), ((params)->a17))
+ ((params)->a16), ((params)->a17), ((params)->a18), ((params)->a19))
/*
* tls_proxy_client_param_misc.c, tls_proxy_client_param_print.c, and
void *, void *, void *);
#define TLS_PROXY_CLIENT_INIT_PROPS(props, a1, a2, a3, a4, a5, a6, a7, a8, \
- a9, a10, a11, a12, a13, a14, a15, a16) \
+ a9, a10, a11, a12, a13, a14) \
(((props)->a1), ((props)->a2), ((props)->a3), \
((props)->a4), ((props)->a5), ((props)->a6), ((props)->a7), \
((props)->a8), ((props)->a9), ((props)->a10), ((props)->a11), \
- ((props)->a12), ((props)->a13), ((props)->a14), ((props)->a15), \
- ((props)->a16))
+ ((props)->a12), ((props)->a13), ((props)->a14))
#define TLS_PROXY_CLIENT_START_PROPS(props, a1, a2, a3, a4, a5, a6, a7, a8, \
a9, a10, a11, a12, a13, a14) \
TLS_CLIENT_PARAMS *tls_proxy_client_param_from_config(TLS_CLIENT_PARAMS *params)
{
TLS_PROXY_PARAMS(params,
+ tls_cnf_file = var_tls_cnf_file,
+ tls_cnf_name = var_tls_cnf_name,
tls_high_clist = var_tls_high_clist,
tls_medium_clist = var_tls_medium_clist,
tls_null_clist = var_tls_null_clist,
msg_info("begin tls_proxy_client_param_print");
ret = print_fn(fp, flags | ATTR_FLAG_MORE,
+ SEND_ATTR_STR(TLS_ATTR_CNF_FILE, params->tls_cnf_file),
+ SEND_ATTR_STR(TLS_ATTR_CNF_NAME, params->tls_cnf_name),
SEND_ATTR_STR(VAR_TLS_HIGH_CLIST, params->tls_high_clist),
SEND_ATTR_STR(VAR_TLS_MEDIUM_CLIST,
params->tls_medium_clist),
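Review bot: The new SEND_ATTR_STR calls for params->tls_cnf_file and params->tls_cnf_name pass the pointers unguarded, whereas the TLS_CLIENT_INIT_PROPS serialization that this commit removes wrapped the same two values in STRING_OR_EMPTY; if var_tls_cnf_file or var_tls_cnf_name can ever be a null pointer when tls_proxy_client_param_from_config() copies them, the attribute writer now receives a null string. If these configuration variables are guaranteed non-null like the tls_high_clist siblings, a comment such as `/* var_tls_cnf_* are never null, so no STRING_OR_EMPTY() is needed here. */` would record that. Separately, these two attributes are keyed by TLS_ATTR_CNF_FILE/TLS_ATTR_CNF_NAME while their siblings use the VAR_TLS_*_CLIST configuration-parameter names, which the tls_proxy.h comment says identify TLS_CLIENT_PARAMS attributes in the serialization; if the TLS_ATTR_ values differ from the parameter names, that comment should mention the exception. The body of tls_proxy_client_param_print continues outside the hunk.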
#define STRING_OR_EMPTY(s) ((s) ? (s) : "")
ret = print_fn(fp, flags | ATTR_FLAG_MORE,
- SEND_ATTR_STR(TLS_ATTR_CNF_FILE,
- STRING_OR_EMPTY(props->cnf_file)),
- SEND_ATTR_STR(TLS_ATTR_CNF_NAME,
- STRING_OR_EMPTY(props->cnf_name)),
SEND_ATTR_STR(TLS_ATTR_LOG_PARAM,
STRING_OR_EMPTY(props->log_param)),
SEND_ATTR_STR(TLS_ATTR_LOG_LEVEL,
void tls_proxy_client_param_free(TLS_CLIENT_PARAMS *params)
{
+ myfree(params->tls_cnf_file);
+ myfree(params->tls_cnf_name);
myfree(params->tls_high_clist);
myfree(params->tls_medium_clist);
myfree(params->tls_null_clist);
TLS_CLIENT_PARAMS *params
= (TLS_CLIENT_PARAMS *) mymalloc(sizeof(*params));
int ret;
+ VSTRING *cnf_file = vstring_alloc(25);
+ VSTRING *cnf_name = vstring_alloc(25);
VSTRING *tls_high_clist = vstring_alloc(25);
VSTRING *tls_medium_clist = vstring_alloc(25);
VSTRING *tls_null_clist = vstring_alloc(25);
*/
memset(params, 0, sizeof(*params));
ret = scan_fn(fp, flags | ATTR_FLAG_MORE,
+ RECV_ATTR_STR(TLS_ATTR_CNF_FILE, cnf_file),
+ RECV_ATTR_STR(TLS_ATTR_CNF_NAME, cnf_name),
RECV_ATTR_STR(VAR_TLS_HIGH_CLIST, tls_high_clist),
RECV_ATTR_STR(VAR_TLS_MEDIUM_CLIST, tls_medium_clist),
RECV_ATTR_STR(VAR_TLS_NULL_CLIST, tls_null_clist),
¶ms->tls_multi_wildcard),
ATTR_TYPE_END);
/* Always construct a well-formed structure. */
+ params->tls_cnf_file = vstring_export(cnf_file);
+ params->tls_cnf_name = vstring_export(cnf_name);
params->tls_high_clist = vstring_export(tls_high_clist);
params->tls_medium_clist = vstring_export(tls_medium_clist);
params->tls_null_clist = vstring_export(tls_null_clist);
params->tls_mgr_service = vstring_export(tls_mgr_service);
params->tls_tkt_cipher = vstring_export(tls_tkt_cipher);
- ret = (ret == 17 ? 1 : -1);
+ ret = (ret == 19 ? 1 : -1);
if (ret != 1) {
tls_proxy_client_param_free(params);
params = 0;
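Review bot: The expected attribute count in `ret = (ret == 19 ? 1 : -1);` is a bare literal that must track both the number of RECV_ATTR_* entries in the scan_fn call above and the parameter count of TLS_PROXY_PARAMS in tls_proxy.h, and nothing on the line says so; the same applies to the `14` in tls_proxy_client_init_scan later in this change. A comment such as `/* 19 = number of RECV_ATTR_* entries above; keep in sync with TLS_PROXY_PARAMS. */` on this line (and the equivalent at the `14`) would make the next field addition harder to get wrong. The enclosing function begins before this hunk.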
void tls_proxy_client_init_free(TLS_CLIENT_INIT_PROPS *props)
{
- myfree((void *) props->cnf_file);
- myfree((void *) props->cnf_name);
myfree((void *) props->log_param);
myfree((void *) props->log_level);
myfree((void *) props->cache_type);
TLS_CLIENT_INIT_PROPS *props
= (TLS_CLIENT_INIT_PROPS *) mymalloc(sizeof(*props));
int ret;
- VSTRING *cnf_file = vstring_alloc(25);
- VSTRING *cnf_name = vstring_alloc(25);
VSTRING *log_param = vstring_alloc(25);
VSTRING *log_level = vstring_alloc(25);
VSTRING *cache_type = vstring_alloc(25);
*/
memset(props, 0, sizeof(*props));
ret = scan_fn(fp, flags | ATTR_FLAG_MORE,
- RECV_ATTR_STR(TLS_ATTR_CNF_FILE, cnf_file),
- RECV_ATTR_STR(TLS_ATTR_CNF_NAME, cnf_name),
RECV_ATTR_STR(TLS_ATTR_LOG_PARAM, log_param),
RECV_ATTR_STR(TLS_ATTR_LOG_LEVEL, log_level),
RECV_ATTR_INT(TLS_ATTR_VERIFYDEPTH, &props->verifydepth),
RECV_ATTR_STR(TLS_ATTR_MDALG, mdalg),
ATTR_TYPE_END);
/* Always construct a well-formed structure. */
- props->cnf_file = vstring_export(cnf_file);
- props->cnf_name = vstring_export(cnf_name);
props->log_param = vstring_export(log_param);
props->log_level = vstring_export(log_level);
props->cache_type = vstring_export(cache_type);
props->CAfile = vstring_export(CAfile);
props->CApath = vstring_export(CApath);
props->mdalg = vstring_export(mdalg);
- ret = (ret == 16 ? 1 : -1);
+ ret = (ret == 14 ? 1 : -1);
if (ret != 1) {
tls_proxy_client_init_free(props);
props = 0;
*/
(void) tls_proxy_client_param_from_config(&tls_params);
(void) TLS_CLIENT_INIT_ARGS(&init_props,
- cnf_file = var_tls_cnf_file,
- cnf_name = var_tls_cnf_name,
log_param = var_tlsp_clnt_logparam,
log_level = var_tlsp_clnt_loglevel,
verifydepth = var_tlsp_clnt_scert_vd,
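Review bot: tlsproxy.c now obtains cnf_file/cnf_name through tls_proxy_client_param_from_config(&tls_params) rather than the removed TLS_CLIENT_INIT_ARGS fields, but no hunk in view touches the code that compares a client's TLS_CLIENT_PARAMS against tls_params, even though the commit text says tlsproxy warns about such differences. If that comparison walks the structure generically or is updated elsewhere in this commit, nothing is needed; otherwise the two new fields are serialized, received and freed but never compared. The enclosing function continues outside the hunk.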