OpenSSL configuration of allowed TLS protocol versions, for
sessions where the remote SMTP client sends SNI. File:
tls/tls_server.c.
+
+20200726
+
+ Code health: the tls_get_signature_params() function reused
+ variable names for different objects that have up to three
+ different life-cycle management models. To avoid more
+ accidents we now use distinct names for distinct purposes.
+ File: tls/tls_misc.c.
+
+20200727
+
+ Code health: inet_proto_info() should return a const pointer.
+ This is global data that callers should not change. Files:
+ cleanup/cleanup_milter.c, global/haproxy_srvr.c,
+ global/mynetworks.c, global/normalize_mailhost_addr.c,
+ global/own_inet_addr.c, postscreen/postscreen_endpt.c,
+ posttls-finger/posttls-finger.c, qmqpd/qmqpd_peer.c,
+ smtpd/smtpd_check.c, smtpd/smtpd_peer.c, smtp/smtp_addr.c,
+ smtpstone/smtp-sink.c, util/inet_addr_host.c,
+ util/inet_addr_list.c, util/inet_addr_local.c, util/inet_connect.c,
+ util/inet_listen.c, util/inet_proto.c, util/inet_proto.h.
+
+20200728
+
+ Code health: deleted a mis-spelled macro from code and
+ documentation. Files: bounce/bounce_template.[hc].
/* int IS_FAILURE_TEMPLATE(template)
/* int IS_DELAY_TEMPLATE(template)
/* int IS_SUCCESS_TEMPLATE(template)
-/* int IS_VERIFY_TEMPLATE(template)
/* BOUNCE_TEMPLATE *template;
/* DESCRIPTION
/* This module implements the built-in and external bounce
#define IS_FAILURE_TEMPLATE(t) ((t)->class[0] == BOUNCE_TMPL_CLASS_FAILURE[0])
#define IS_DELAY_TEMPLATE(t) ((t)->class[0] == BOUNCE_TMPL_CLASS_DELAY[0])
#define IS_SUCCESS_TEMPLATE(t) ((t)->class[0] == BOUNCE_TMPL_CLASS_SUCCESS[0])
-#define IS_VERIFY_TEMPLATE(t) ((t)->class[0] == BOUNCE_TMPL_CLASS_verify[0])
#define bounce_template_encoding(t) ((t)->mime_encoding)
#define bounce_template_charset(t) ((t)->mime_charset)
static void cleanup_milter_client_init(CLEANUP_STATE *state)
{
- static INET_PROTO_INFO *proto_info;
+ static const INET_PROTO_INFO *proto_info;
const char *proto_attr;
/*
* End protocol v2 definitions from haproxy/include/types/connection.h.
*/
-static INET_PROTO_INFO *proto_info;
+static const INET_PROTO_INFO *proto_info;
#define STR_OR_NULL(str) ((str) ? (str) : "(null)")
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20200725"
+#define MAIL_RELEASE_DATE "20200728"
#define MAIL_VERSION_NUMBER "3.6"
#ifdef SNAPSHOT
char **bare_addr, int *addr_family)
{
const char myname[] = "normalize_mailhost_addr";
- INET_PROTO_INFO *proto_info = inet_proto_info();
+ const INET_PROTO_INFO *proto_info = inet_proto_info();
struct addrinfo *res = 0;
MAI_HOSTADDR_STR hostaddr;
const char *valid_addr; /* IPv6:fc00::1 */
#include <postscreen.h>
#include <postscreen_haproxy.h>
-static INET_PROTO_INFO *proto_info;
+static const INET_PROTO_INFO *proto_info;
/* psc_sockaddr_to_hostaddr - transform endpoint address and port to string */
int aierr;
struct addrinfo *res0;
struct addrinfo *res;
- INET_PROTO_INFO *proto_info = inet_proto_info();
+ const INET_PROTO_INFO *proto_info = inet_proto_info();
int found;
if (msg_verbose)
struct sockaddr_storage ss;
struct sockaddr *sa;
SOCKADDR_SIZE sa_length;
- INET_PROTO_INFO *proto_info = inet_proto_info();
+ const INET_PROTO_INFO *proto_info = inet_proto_info();
sa = (struct sockaddr *) &ss;
sa_length = sizeof(ss);
int aierr;
struct addrinfo *res0;
struct addrinfo *res;
- INET_PROTO_INFO *proto_info = inet_proto_info();
+ const INET_PROTO_INFO *proto_info = inet_proto_info();
unsigned char *proto_family_list = proto_info->sa_family_list;
int found;
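Review bot: The `const` added on the line above does not reach the data behind the struct's pointer members, so `unsigned char *proto_family_list = proto_info->sa_family_list;` still hands out a writable alias to the protocol table that the 20200727 changelog entry says callers should not change; only the top-level struct fields are protected (the member type is not visible here, but it is presumably a plain `unsigned char *`). If the loop that consumes it only reads, declare it `const unsigned char *proto_family_list = proto_info->sa_family_list;` so the compiler enforces the same intent through the alias. The enclosing function starts before and continues after this hunk, so I cannot see whether anything writes through the pointer; if something does, that write is the thing to look at.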
struct addrinfo *res0;
int aierr;
MAI_HOSTADDR_STR hostaddr;
- INET_PROTO_INFO *proto_info = inet_proto_info();
+ const INET_PROTO_INFO *proto_info = inet_proto_info();
if (msg_verbose)
msg_info("%s: host %s", myname, host);
struct addrinfo *res0;
struct addrinfo *res;
int status;
- INET_PROTO_INFO *proto_info;
+ const INET_PROTO_INFO *proto_info;
/*
* Sanity check.
#include "smtpd.h"
-static INET_PROTO_INFO *proto_info;
+static const INET_PROTO_INFO *proto_info;
/*
* XXX If we make local port information available via logging, then we must
static char *shared_template; /* shared template */
static VSTRING *start_string; /* dump content prefix */
-static INET_PROTO_INFO *proto_info;
+static const INET_PROTO_INFO *proto_info;
#define STR(x) vstring_str(x)
int nid;
SSL *ssl = TLScontext->con;
int srvr = SSL_is_server(ssl);
- X509 *cert;
- EVP_PKEY *pkey = 0;
+ EVP_PKEY *dh_pkey = 0;
+ X509 *local_cert;
+ EVP_PKEY *local_pkey = 0;
+ X509 *peer_cert;
+ EVP_PKEY *peer_pkey = 0;
#ifndef OPENSSL_NO_EC
EC_KEY *eckey;
if (SSL_version(ssl) < TLS1_3_VERSION)
return;
- if (tls_get_peer_dh_pubkey(ssl, &pkey)) {
- switch (nid = EVP_PKEY_id(pkey)) {
+ if (tls_get_peer_dh_pubkey(ssl, &dh_pkey)) {
+ switch (nid = EVP_PKEY_id(dh_pkey)) {
default:
kex_name = OBJ_nid2sn(EVP_PKEY_type(nid));
break;
case EVP_PKEY_DH:
kex_name = "DHE";
- TLScontext->kex_bits = EVP_PKEY_bits(pkey);
+ TLScontext->kex_bits = EVP_PKEY_bits(dh_pkey);
break;
#ifndef OPENSSL_NO_EC
case EVP_PKEY_EC:
kex_name = "ECDHE";
- eckey = EVP_PKEY_get0_EC_KEY(pkey);
+ eckey = EVP_PKEY_get0_EC_KEY(dh_pkey);
nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(eckey));
kex_curve = EC_curve_nid2nist(nid);
if (!kex_curve)
break;
#endif
}
- EVP_PKEY_free(pkey);
+ EVP_PKEY_free(dh_pkey);
}
/*
* data on clients requires at least 1.1.1a.
*/
if (srvr || SSL_get_signature_nid(ssl, &nid))
- cert = SSL_get_certificate(ssl);
+ local_cert = SSL_get_certificate(ssl);
else
- cert = 0;
+ local_cert = 0;
/* Signature algorithms for the local end of the connection */
- if (cert) {
- pkey = X509_get0_pubkey(cert);
+ if (local_cert) {
+ local_pkey = X509_get0_pubkey(local_cert);
/*
* Override the built-in name for the "ECDSA" algorithms OID, with
* the more familiar name. For "RSA" keys report "RSA-PSS", which
* must be used with TLS 1.3.
*/
- if ((nid = EVP_PKEY_type(EVP_PKEY_id(pkey))) != NID_undef) {
+ if ((nid = EVP_PKEY_type(EVP_PKEY_id(local_pkey))) != NID_undef) {
switch (nid) {
default:
locl_sig_name = OBJ_nid2sn(nid);
case EVP_PKEY_RSA:
/* For RSA, TLS 1.3 mandates PSS signatures */
locl_sig_name = "RSA-PSS";
- SIG_PROP(TLScontext, srvr, bits) = EVP_PKEY_bits(pkey);
+ SIG_PROP(TLScontext, srvr, bits) = EVP_PKEY_bits(local_pkey);
break;
#ifndef OPENSSL_NO_EC
case EVP_PKEY_EC:
locl_sig_name = "ECDSA";
- eckey = EVP_PKEY_get0_EC_KEY(pkey);
+ eckey = EVP_PKEY_get0_EC_KEY(local_pkey);
nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(eckey));
locl_sig_curve = EC_curve_nid2nist(nid);
if (!locl_sig_curve)
break;
#endif
}
+ /* No X509_free(local_cert) */
}
/*
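Review bot: Since the point of this change is to make the three life-cycle models explicit, the new `/* No X509_free(local_cert) */` comment should say why, not just what, otherwise the next reader will compare it with the `X509_free(peer_cert)` below and wonder which one is the bug. Something like `/* No X509_free(local_cert): SSL_get_certificate() returns a pointer owned by the SSL object, and local_pkey from X509_get0_pubkey() is likewise borrowed, so neither is freed here */` records the OpenSSL contract that justifies the asymmetry. The function tls_get_signature_params() starts before this hunk and continues after it.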
locl_sig_dgst = OBJ_nid2sn(nid);
}
/* Signature algorithms for the peer end of the connection */
- if ((cert = SSL_get_peer_certificate(ssl)) != 0) {
- pkey = X509_get0_pubkey(cert);
+ if ((peer_cert = SSL_get_peer_certificate(ssl)) != 0) {
+ peer_pkey = X509_get0_pubkey(peer_cert);
/*
* Override the built-in name for the "ECDSA" algorithms OID, with
* the more familiar name. For "RSA" keys report "RSA-PSS", which
* must be used with TLS 1.3.
*/
- if ((nid = EVP_PKEY_type(EVP_PKEY_id(pkey))) != NID_undef) {
+ if ((nid = EVP_PKEY_type(EVP_PKEY_id(peer_pkey))) != NID_undef) {
switch (nid) {
default:
peer_sig_name = OBJ_nid2sn(nid);
case EVP_PKEY_RSA:
/* For RSA, TLS 1.3 mandates PSS signatures */
peer_sig_name = "RSA-PSS";
- SIG_PROP(TLScontext, !srvr, bits) = EVP_PKEY_bits(pkey);
+ SIG_PROP(TLScontext, !srvr, bits) = EVP_PKEY_bits(peer_pkey);
break;
#ifndef OPENSSL_NO_EC
case EVP_PKEY_EC:
peer_sig_name = "ECDSA";
- eckey = EVP_PKEY_get0_EC_KEY(pkey);
+ eckey = EVP_PKEY_get0_EC_KEY(peer_pkey);
nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(eckey));
peer_sig_curve = EC_curve_nid2nist(nid);
if (!peer_sig_curve)
if (SSL_get_peer_signature_nid(ssl, &nid) && nid != NID_undef)
peer_sig_dgst = OBJ_nid2sn(nid);
- X509_free(cert);
+ X509_free(peer_cert);
}
if (kex_name) {
TLScontext->kex_name = mystrdup(kex_name);
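Review bot: `peer_pkey = X509_get0_pubkey(peer_cert)` can return NULL per the OpenSSL documentation when the certificate's public key cannot be decoded, and the next `if` dereferences it unconditionally through `EVP_PKEY_id(peer_pkey)`. In practice a handshake that completed with this peer certificate almost certainly decoded the key already, so this is defensive rather than an observed crash, but the peer certificate is network-supplied data and the guard costs one comparison: `if (peer_pkey != 0 && (nid = EVP_PKEY_type(EVP_PKEY_id(peer_pkey))) != NID_undef) {`. The same reasoning applies to `local_pkey` in the preceding block, where the input is the locally configured certificate and the risk is correspondingly lower. The function continues past this hunk.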
const char *hname;
const char *serv;
int initial_count = addr_list->used;
- INET_PROTO_INFO *proto_info;
+ const INET_PROTO_INFO *proto_info;
/*
* The use of square brackets around an IPv6 addresses is required, even
int aierr;
int sock;
MAI_HOSTADDR_STR hostaddr;
- INET_PROTO_INFO *proto_info;
+ const INET_PROTO_INFO *proto_info;
int found;
/*
const char *parse_err;
MAI_HOSTADDR_STR hostaddr;
MAI_SERVPORT_STR portnum;
- INET_PROTO_INFO *proto_info;
+ const INET_PROTO_INFO *proto_info;
/*
* Translate address information to internal form.
/* .in -4
/* } INET_PROTO_INFO;
/*
-/* INET_PROTO_INFO *inet_proto_init(context, protocols)
+/* const INET_PROTO_INFO *inet_proto_init(context, protocols)
/*
-/* INET_PROTO_INFO *inet_proto_info()
+/* const INET_PROTO_INFO *inet_proto_info()
/* DESCRIPTION
/* inet_proto_init() converts a string with protocol names
/* into null-terminated lists of appropriate constants used
/* inet_proto_init - convert protocol names to library inputs */
-INET_PROTO_INFO *inet_proto_init(const char *context, const char *protocols)
+const INET_PROTO_INFO *inet_proto_init(const char *context, const char *protocols)
{
const char *myname = "inet_proto";
INET_PROTO_INFO *pf;
* of a global variable.
*/
#define inet_proto_info() \
- (inet_proto_table ? inet_proto_table : \
+ (inet_proto_table ? (const INET_PROTO_INFO*) inet_proto_table : \
inet_proto_init("default protocol setting", DEF_INET_PROTOCOLS))
-extern INET_PROTO_INFO *inet_proto_init(const char *, const char *);
+extern const INET_PROTO_INFO *inet_proto_init(const char *, const char *);
extern INET_PROTO_INFO *inet_proto_table;
#define INET_PROTO_NAME_IPV6 "ipv6"
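Review bot: The `const` is enforced only on the path through the `inet_proto_info()` macro, by the `(const INET_PROTO_INFO*)` cast; `extern INET_PROTO_INFO *inet_proto_table;` two lines below still exposes the same object as a writable pointer to every file that includes this header, so the "callers should not change" intent from the changelog is not actually guaranteed by the type system. If inet_proto_init() is the only writer (it builds the table through a non-const `INET_PROTO_INFO *pf` and presumably stores it), the extern can become `extern const INET_PROTO_INFO *inet_proto_table;`, the cast in the macro goes away, and any in-module free of the old table casts once at that one site instead. If the extern must stay non-const for a reason not visible here, a short comment next to it saying it is exported only for the macro would stop future callers from reaching for it directly.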