Hello, Is there a policy for or against patching external modules for new features? I've been using the attached patch under NetBSD 5.x for a long time and it's been working fine. However, I upgraded to NetBSD 6 and I've come to the realization that it's a pain to maintain custom patches. (Specifically, due to CVS, but that's a separate discussion). I found this patch floating around on the Internet a long time ago which solved an itch I had. I contacted the original author of it and asked if he had sent it upstream and I essentially got the reply "Don't know, don't care". I have sent the patch upstream myself, but until it (or an identical feature) gets incorporated, is it possible to get it into NetBSD? (...and then pulled up into netbsd-6 ..?). -- Kind regards, Jan Danielsson
Added support for valid-client-cert to postfix's sasl/dovecot.
Index: src/external/ibm-public/postfix/dist/src/smtpd/smtpd_sasl_glue.c
===================================================================
--- src/external/ibm-public/postfix/dist/src/smtpd/smtpd_sasl_glue.c
+++ src/external/ibm-public/postfix/dist/src/smtpd/smtpd_sasl_glue.c
@@ -165,11 +165,11 @@
void smtpd_sasl_activate(SMTPD_STATE *state, const char *sasl_opts_name,
const char *sasl_opts_val)
{
const char *mechanism_list;
XSASL_SERVER_CREATE_ARGS create_args;
- int tls_flag;
+ int tls_flag, tls_valid;
/*
* Sanity check.
*/
if (smtpd_sasl_is_active(state))
@@ -191,12 +191,14 @@
* Set up a new server context for this connection.
*/
#define SMTPD_SASL_SERVICE "smtp"
#ifdef USE_TLS
tls_flag = state->tls_context != 0;
+ tls_valid = TLS_CERT_IS_TRUSTED(state->tls_context);
#else
tls_flag = 0;
+ tls_valid = 0;
#endif
#define ADDR_OR_EMPTY(addr, unknown) (strcmp(addr, unknown) ? addr : "")
#define REALM_OR_NULL(realm) (*(realm) ? (realm) : (char *) 0)
if ((state->sasl_server =
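Review bot: The added `tls_valid = TLS_CERT_IS_TRUSTED(state->tls_context);` is evaluated even when `state->tls_context` is null, a case the line just above it explicitly allows for (`tls_flag = state->tls_context != 0`); if TLS_CERT_IS_TRUSTED reads a field of its argument, as Postfix's tls.h definition does, this is a null dereference on every SASL activation over a plaintext session. Guard it on the flag just computed: `tls_valid = tls_flag && TLS_CERT_IS_TRUSTED(state->tls_context);`. That also preserves the invariant the Dovecot backend depends on, namely that a valid-client-cert claim implies a TLS session. smtpd_sasl_activate's body continues outside the hunk.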
@@ -206,11 +208,12 @@
client_addr = ADDR_OR_EMPTY(state->addr,
CLIENT_ADDR_UNKNOWN),
service = SMTPD_SASL_SERVICE,
user_realm = REALM_OR_NULL(var_smtpd_sasl_realm),
security_options = sasl_opts_val,
- tls_flag = tls_flag)) == 0)
+ tls_flag = tls_flag,
+ tls_valid = tls_valid)) == 0)
msg_fatal("SASL per-connection initialization failed");
/*
* Get the list of authentication mechanisms.
*/
Index: src/external/ibm-public/postfix/dist/src/xsasl/xsasl.h
===================================================================
--- src/external/ibm-public/postfix/dist/src/xsasl/xsasl.h
+++ src/external/ibm-public/postfix/dist/src/xsasl/xsasl.h
@@ -52,10 +52,11 @@
const char *client_addr;
const char *service;
const char *user_realm;
const char *security_options;
int tls_flag;
+ int tls_valid;
} XSASL_SERVER_CREATE_ARGS;
typedef struct XSASL_SERVER_IMPL {
XSASL_SERVER *(*create) (struct XSASL_SERVER_IMPL *,
XSASL_SERVER_CREATE_ARGS *);
void (*done) (struct XSASL_SERVER_IMPL *);
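Review bot: The new `int tls_valid;` field carries no comment, and unlike `tls_flag` its meaning is not self-evident: a certificate that was merely presented and one that verified against the trusted CAs are different things, and the Dovecot side of this patch reports the field to the auth server as `valid-client-cert`. Suggest `int tls_valid; /* client cert verified against trusted CAs (see TLS_CERT_IS_TRUSTED) */` so backends know which of the two they are being handed. Any code that fills XSASL_SERVER_CREATE_ARGS by hand rather than through XSASL_SERVER_CREATE would now have to set it as well, otherwise a backend reads an indeterminate value; that is worth stating in the same comment. The typedef'd struct begins outside the hunk.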
@@ -64,13 +65,14 @@
extern XSASL_SERVER_IMPL *xsasl_server_init(const char *, const char *);
extern ARGV *xsasl_server_types(void);
#define xsasl_server_create(impl, args) \
(impl)->create((impl), (args))
-#define XSASL_SERVER_CREATE(impl, args, a1, a2, a3, a4, a5, a6, a7) \
+#define XSASL_SERVER_CREATE(impl, args, a1, a2, a3, a4, a5, a6, a7, a8) \
xsasl_server_create((impl), (((args)->a1), ((args)->a2), ((args)->a3), \
- ((args)->a4), ((args)->a5), ((args)->a6), ((args)->a7), (args)))
+ ((args)->a4), ((args)->a5), ((args)->a6), ((args)->a7), ((args)->a8), \
+ (args)))
#define xsasl_server_done(impl) (impl)->done((impl));
/*
* Generic client object. Specific instances extend this with their own
* private data.
Index: src/external/ibm-public/postfix/dist/src/xsasl/xsasl_dovecot_server.c
===================================================================
--- src/external/ibm-public/postfix/dist/src/xsasl/xsasl_dovecot_server.c
+++ src/external/ibm-public/postfix/dist/src/xsasl/xsasl_dovecot_server.c
@@ -162,10 +162,11 @@
char *service;
char *username; /* authenticated user */
VSTRING *sasl_line;
unsigned int sec_props; /* Postfix mechanism filter */
int tls_flag; /* TLS enabled in this session */
+ int tls_valid; /* Client presented valid certificate */
char *mechanism_list; /* filtered mechanism list */
ARGV *mechanism_argv; /* ditto */
char *client_addr; /* remote IP address */
char *server_addr; /* remote IP address */
} XSASL_DOVECOT_SERVER;
@@ -427,10 +428,11 @@
server->service = mystrdup(args->service);
server->last_request_id = 0;
server->mechanism_list = 0;
server->mechanism_argv = 0;
server->tls_flag = args->tls_flag;
+ server->tls_valid = args->tls_valid;
server->sec_props =
name_mask_opt(myname, xsasl_dovecot_conf_sec_props,
args->security_options,
NAME_MASK_ANY_CASE | NAME_MASK_FATAL);
server->client_addr = mystrdup(args->client_addr);
@@ -649,10 +651,12 @@
server->service, server->server_addr,
server->client_addr);
if (server->tls_flag)
/* XXX Encapsulate for logging. */
vstream_fputs("\tsecured", server->impl->sasl_stream);
+ if (server->tls_valid)
+ vstream_fputs("\tvalid-client-cert", server->impl->sasl_stream);
if (init_response) {
/*
* initial response is already base64 encoded, so we can send it
* directly.
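Review bot: The new `if (server->tls_valid)` writes `\tvalid-client-cert` to the auth stream independently of `server->tls_flag`, relying entirely on the glue layer to set tls_valid only when a TLS session with a verified certificate exists. As far as I recall Dovecot treats this parameter as an authorization input (it is what satisfies a require-client-cert policy), so the backend should not assert it for a session it has just declined to mark `secured`; `if (server->tls_flag && server->tls_valid)` costs nothing and closes that gap regardless of how a caller populated the args. The `/* XXX Encapsulate for logging. */` remark above applies equally to the new write. The enclosing function starts and ends outside the hunk.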