Hello everyone,
This adds a cipher grade (TLS_CIPHER_SYSTEM/"system")
that by default uses the "PROFILE=SYSTEM" cipher list for
OpenSSL. It allows Postfix to optionally use the system-wide
crypto-policies profile by changing the *_tls_ciphers
config parameters.
I tried to make it as non-invasive as I could. I would love
to hear some opinions, as I'm not that familiar with the
Postfix codebase. :)
Patch is for postfix-3.10.7.
Thanks in advance for any responses.
- Fedor Vorobev
diff --git a/src/global/mail_params.h b/src/global/mail_params.h
index 799c61e..51ecb03 100644
--- a/src/global/mail_params.h
+++ b/src/global/mail_params.h
@@ -3394,6 +3394,10 @@ extern char *var_tls_export_ignored;
#define DEF_TLS_NULL_CLIST "eNULL" TLS_EXCL_REST ":!aNULL"
extern char *var_tls_null_clist;
+#define VAR_TLS_SYSTEM_CLIST "tls_system_cipherlist"
+#define DEF_TLS_SYSTEM_CLIST "PROFILE=SYSTEM"
+extern char *var_tls_system_clist;
+
#if defined(SN_X25519) && defined(NID_X25519)
#define DEF_TLS_EECDH_AUTO_1 SN_X25519 " "
#else
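Review bot: DEF_TLS_SYSTEM_CLIST defaults to `PROFILE=SYSTEM`, a cipher-string keyword that, as far as I know, only OpenSSL builds carrying a distribution crypto-policies patch understand; on a stock OpenSSL the string is rejected when the cipher list is installed, so a site that selects the "system" grade on such a build would presumably lose TLS for those sessions rather than fall back to another list. The define should carry a comment that states this dependency, e.g. `/* Needs an OpenSSL build with system-profile (PROFILE=SYSTEM) support; other builds reject the string at session setup. */`. The new main.cf parameter is also not documented anywhere in the patch; Postfix keeps a documentation entry for every parameter it defines, and that entry should accompany this define.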
diff --git a/src/tls/tls.h b/src/tls/tls.h
index 96eb5a4..0f2455a 100644
--- a/src/tls/tls.h
+++ b/src/tls/tls.h
@@ -444,6 +444,7 @@ extern int tls_proto_mask_lims(const char *, int *, int *);
#define TLS_CIPHER_LOW 3
#define TLS_CIPHER_MEDIUM 4
#define TLS_CIPHER_HIGH 5
+#define TLS_CIPHER_SYSTEM 6
extern const NAME_CODE tls_cipher_grade_table[];
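Review bot: TLS_CIPHER_SYSTEM is added as 6, above TLS_CIPHER_HIGH, while the existing codes read as an ascending strength order (NULL, EXPORT, LOW, MEDIUM, HIGH); if any caller compares grade codes numerically, "system" would rank as stronger than "high", which is not what the value means. A comment on the define would prevent that reading, e.g. `/* Not a strength level: the cipher list is delegated to the OpenSSL build's system profile. */`. I would confirm that no code orders on the code value before relying on this placement.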
diff --git a/src/tls/tls_misc.c b/src/tls/tls_misc.c
index 8245a5e..11fdcf7 100644
--- a/src/tls/tls_misc.c
+++ b/src/tls/tls_misc.c
@@ -302,6 +302,7 @@ char *var_tls_medium_clist;
char *var_tls_low_ignored;
char *var_tls_export_ignored;
char *var_tls_null_clist;
+char *var_tls_system_clist;
int var_tls_daemon_rand_bytes;
char *var_tls_eecdh_auto;
char *var_tls_eecdh_strong;
@@ -520,6 +521,7 @@ const NAME_CODE tls_cipher_grade_table[] = {
"medium", TLS_CIPHER_MEDIUM,
"low", TLS_CIPHER_MEDIUM,
"export", TLS_CIPHER_MEDIUM,
+ "system", TLS_CIPHER_SYSTEM,
"null", TLS_CIPHER_NULL,
"invalid", TLS_CIPHER_NONE,
0, TLS_CIPHER_NONE,
@@ -673,6 +675,7 @@ void tls_param_init(void)
VAR_TLS_LOW_CLIST, DEF_TLS_LOW_CLIST, &var_tls_low_ignored, 0, 0,
VAR_TLS_EXPORT_CLIST, DEF_TLS_EXPORT_CLIST, &var_tls_export_ignored, 0,
0,
VAR_TLS_NULL_CLIST, DEF_TLS_NULL_CLIST, &var_tls_null_clist, 1, 0,
+ VAR_TLS_SYSTEM_CLIST, DEF_TLS_SYSTEM_CLIST, &var_tls_system_clist, 1, 0,
VAR_TLS_EECDH_AUTO, DEF_TLS_EECDH_AUTO, &var_tls_eecdh_auto, 0, 0,
VAR_TLS_EECDH_STRONG, DEF_TLS_EECDH_STRONG, &var_tls_eecdh_strong, 0, 0,
VAR_TLS_EECDH_ULTRA, DEF_TLS_EECDH_ULTRA, &var_tls_eecdh_ultra, 0, 0,
@@ -953,6 +956,9 @@ const char *tls_set_ciphers(TLS_SESS_STATE *TLScontext,
const char *grade,
case TLS_CIPHER_NULL:
vstring_strcpy(buf, var_tls_null_clist);
break;
+ case TLS_CIPHER_SYSTEM:
+ vstring_strcpy(buf, var_tls_system_clist);
+ break;
default:
/* Internal error, valid grade, but missing case label. */
msg_panic("%s: unexpected cipher grade: %s", myname, grade);
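Review bot: The new case copies var_tls_system_clist into buf exactly like the fixed grades, but tls_set_ciphers continues past this hunk and, judging by how the other grades are handled, appends exclusion terms such as `:!aNULL` and the caller's cipher exclusions before the string reaches OpenSSL; whether a profile keyword followed by `:!...` terms is accepted by the profile-aware OpenSSL builds is not established by this patch and should be confirmed. If the combined string is rejected, the session presumably takes the same path as any other cipher-list failure (logged error, no TLS for that session), which is a silent downgrade for an operator who asked for the system policy. A comment above the case should record the outcome, e.g. `/* System profile; the exclusions appended below must still parse with the profile-aware OpenSSL. */`. The rest of tls_set_ciphers, including the SSL_set_cipher_list call, lies outside the hunk.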
--
2.52.0