From e50dd20ed36e3031a049e1fdb99894d2a974adfa Mon Sep 17 00:00:00 2001
From: Alejandro Soto <alejandro@34project.org>
Date: Sat, 27 Jul 2024 14:42:37 -0600
Subject: [PATCH] smtpd: implement CCERTS action for access(5) tables

Permits access if a valid TLS client certificate is present and matches
any item from a space or comma-separated list of certificate
fingerprints given as argument. Otherwise, behaves as DUNNO.

Example usage:

/etc/postfix/sender_ccerts:
    user@example.com CCERTS AA:BB:CC:DD:EE:FF:12:34:56:67:2E:FB:3F:34:99:90:AB:CD:EF:4C
---
 postfix/src/smtpd/smtpd_check.c | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/src/smtpd/smtpd_check.c b/src/smtpd/smtpd_check.c
index 6aeda7475..b4232194d 100644
--- a/src/smtpd/smtpd_check.c
+++ b/src/smtpd/smtpd_check.c
@@ -2677,6 +2677,30 @@ static int check_table_result(SMTPD_STATE *state, const char *table,
 	}
     }
 
+    // Advertencia: buf para value usa un límite de 10 chars (ver inicio de esta función)
+    // FIXME: Posible timing attack, solo determinaría fingerprint
+    if (STREQUAL(value, "CCERTS", cmd_len)) {
+#ifdef USE_TLS
+	if (TLS_CERT_IS_PRESENT(state->tls_context)) {
+	    const char *fprint = state->tls_context->peer_cert_fprint;
+	    if (fprint && *fprint) {
+		size_t fprint_len = strlen(fprint);
+
+		const char *ccerts = cmd_text;
+		while (*ccerts) {
+		    size_t ccert_len = strcspn(ccerts, ", \t");
+		    if (ccert_len == fprint_len && strncmp(ccerts, fprint, fprint_len) == 0)
+			return (smtpd_acl_permit(state, STR(buf), reply_class, reply_name,
+						 "from %s", table));
+
+		    ccerts += ccert_len + strspn(ccerts + ccert_len, ", \t");
+		}
+	    }
+	}
+#endif
+	return (SMTPD_CHECK_DUNNO);
+    }
+
     /*
      * All-numeric result probably means OK - some out-of-band authentication
      * mechanism uses this as time stamp.
-- 
2.44.1