20160515
Portability: OpenBSD 6.0. Files: makedefs, util/sys_defs.h.
+
+20160819
+
+ Bugfix (introduced: Postfix 3.0): the makedefs script ignored
+ readme_directory=pathname overrides. Fix by Todd C. Olson.
+ File: makedefs.
+
+20160821
+
+ Bugfix (introduced: Postfix 3.0): the tls_session_ticket_cipher
+ documentation says aes-256-cbc, but the implementation was
+ using aes-128-cbc (note that Postfix SMTP server and client
+ processes have a limited life time).
+
+20160828
+
+ Bitrot: fixes for incompatible OpenSSL 1.1.0 API changes.
+ Viktor Dukhovni. Files: posttls-finger/posttls-finger.c,
+ tls/tls.h, tls/tls_dane.c, tls/tls_verify.c, tls/tls_server.c,
+ tls/tls_client.c.
manpage_directory_macro=DEF_MANPAGE_DIR
readme_directory_macro=DEF_README_DIR
-for parm_name in html_directory manpage_directory
+for parm_name in html_directory manpage_directory readme_directory
do
eval parm_val=\"\$$parm_name\"
eval parm_macro=\"\$${parm_name}_macro\"
extern char *var_tls_ssl_options;
#define VAR_TLS_TKT_CIPHER "tls_session_ticket_cipher"
-#define DEF_TLS_TKT_CIPHER "aes-128-cbc"
+#define DEF_TLS_TKT_CIPHER "aes-256-cbc"
extern char *var_tls_tkt_cipher;
#define VAR_TLS_BC_PKEY_FPRINT "tls_legacy_public_key_fingerprints"
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20160515"
-#define MAIL_VERSION_NUMBER "3.1.1"
+#define MAIL_RELEASE_DATE "20160828"
+#define MAIL_VERSION_NUMBER "3.1.2"
#ifdef SNAPSHOT
#define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE
return (0);
}
-#ifdef USE_TLS
+#if defined(USE_TLS) && OPENSSL_VERSION_NUMBER < 0x10100000L
/* ssl_cleanup - free memory allocated in the OpenSSL library */
CRYPTO_cleanup_all_ex_data();
}
-#endif
+#endif /* USE_TLS && OPENSSL_VERSION_NUMBER
+ * < 0x10100000L */
/* run - do what we were asked to do. */
/* Be valgrind friendly and clean-up */
cleanup(&state);
-#ifdef USE_TLS
+
+ /* OpenSSL 1.1.0 and later (de)initialization is implicit */
+#if defined(USE_TLS) && OPENSSL_VERSION_NUMBER < 0x10100000L
ssl_cleanup();
#endif
#define OpenSSL_version_num SSLeay
#define OpenSSL_version SSLeay_version
#define OPENSSL_VERSION SSLEAY_VERSION
-#define X509_up_ref(x) CRYPTO_add(&((x)->references), 1, CRYPTO_LOCK_X509)
+#define X509_up_ref(x) \
+ CRYPTO_add(&((x)->references), 1, CRYPTO_LOCK_X509)
+#define EVP_PKEY_up_ref(k) \
+ CRYPTO_add(&((k)->references), 1, CRYPTO_LOCK_EVP_PKEY)
+#define X509_STORE_CTX_get0_cert(ctx) ((ctx)->cert)
+#define X509_STORE_CTX_get0_untrusted(ctx) ((ctx)->untrusted)
+#define X509_STORE_CTX_set0_untrusted X509_STORE_CTX_set_chain
+#define X509_STORE_CTX_set0_trusted_stack X509_STORE_CTX_trusted_stack
+#define ASN1_STRING_get0_data ASN1_STRING_data
+#define X509_getm_notBefore X509_get_notBefore
+#define X509_getm_notAfter X509_get_notAfter
#endif
/* SSL_CIPHER_get_name() got constified in 0.9.7g */
*/
tls_check_version();
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+
/*
* Initialize the OpenSSL library by the book! To start with, we must
* initialize the algorithms. We want cleartext error messages instead of
*/
SSL_load_error_strings();
OpenSSL_add_ssl_algorithms();
+#endif
/*
* Create an application data index for SSL objects, so that we can
tls_print_errors();
return (0);
}
-
#ifdef SSL_SECOP_PEER
/* Backwards compatible security as a base for opportunistic TLS. */
SSL_CTX_set_security_level(client_ctx, 0);
{
TLS_PKEYS *new = (TLS_PKEYS *) mymalloc(sizeof(*new));
- CRYPTO_add(&k->references, 1, CRYPTO_LOCK_EVP_PKEY);
+ EVP_PKEY_up_ref(k);
new->pkey = k;
new->next = d->pkeys;
d->pkeys = new;
* self-signature checks!
*/
id = ((akid && akid->keyid) ? akid->keyid : 0);
- if (id && ASN1_STRING_length(id) == 1 && *ASN1_STRING_data(id) == c)
+ if (id && ASN1_STRING_length(id) == 1 && *ASN1_STRING_get0_data(id) == c)
c = 1;
if ((akid = AUTHORITY_KEYID_new()) != 0
*/
if (!X509_set_version(cert, 2)
|| !set_serial(cert, akid, subject)
- || !X509_set_subject_name(cert, name)
|| !set_issuer_name(cert, akid)
- || !X509_gmtime_adj(X509_get_notBefore(cert), -30 * 86400L)
- || !X509_gmtime_adj(X509_get_notAfter(cert), 30 * 86400L)
+ || !X509_gmtime_adj(X509_getm_notBefore(cert), -30 * 86400L)
+ || !X509_gmtime_adj(X509_getm_notAfter(cert), 30 * 86400L)
+ || !X509_set_subject_name(cert, name)
|| !X509_set_pubkey(cert, key ? key : signkey)
|| !add_ext(0, cert, NID_basic_constraints, "CA:TRUE")
|| (key && !add_akid(cert, akid))
int depth = 0;
EVP_PKEY *takey;
X509 *ca;
- X509 *cert = ctx->cert; /* XXX: Accessor? */
- x509_stack_t *in = ctx->untrusted; /* XXX: Accessor? */
+ X509 *cert = X509_STORE_CTX_get0_cert(ctx);
+ x509_stack_t *in = X509_STORE_CTX_get0_untrusted(ctx);
/* shallow copy */
if ((in = sk_X509_dup(in)) == 0)
{
const char *myname = "dane_cb";
TLS_SESS_STATE *TLScontext = (TLS_SESS_STATE *) app_ctx;
- X509 *cert = ctx->cert; /* XXX: accessor? */
+ X509 *cert = X509_STORE_CTX_get0_cert(ctx);
/*
* Degenerate case: depth 0 self-signed cert.
* Check that setting the untrusted chain updates the expected structure
* member at the expected offset.
*/
- X509_STORE_CTX_trusted_stack(ctx, TLScontext->trusted);
- X509_STORE_CTX_set_chain(ctx, TLScontext->untrusted);
- if (ctx->untrusted != TLScontext->untrusted)
+ X509_STORE_CTX_set0_trusted_stack(ctx, TLScontext->trusted);
+ X509_STORE_CTX_set0_untrusted(ctx, TLScontext->untrusted);
+ if (X509_STORE_CTX_get0_untrusted(ctx) != TLScontext->untrusted)
msg_panic("%s: OpenSSL ABI change", myname);
return X509_verify_cert(ctx);
tls_param_init();
tls_check_version();
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
SSL_load_error_strings();
SSL_library_init();
+#endif
if (!tls_validate_digest(LN_sha1))
msg_fatal("%s digest algorithm not available", LN_sha1);
#endif /* OPENSSL_VERSION_NUMBER */
+ /* OpenSSL 1.1.0 bitrot */
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+typedef const unsigned char *session_id_t;
+
+#else
+typedef unsigned char *session_id_t;
+
+#endif
+
/* get_server_session_cb - callback to retrieve session from server cache */
-static SSL_SESSION *get_server_session_cb(SSL *ssl, unsigned char *session_id,
+static SSL_SESSION *get_server_session_cb(SSL *ssl, session_id_t session_id,
int session_id_length,
int *unused_copy)
{
*/
tls_check_version();
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+
/*
* Initialize the OpenSSL library by the book! To start with, we must
* initialize the algorithms. We want cleartext error messages instead of
*/
SSL_load_error_strings();
OpenSSL_add_ssl_algorithms();
+#endif
/*
* First validate the protocols. If these are invalid, we can't continue.
tls_print_errors();
return (0);
}
-
#ifdef SSL_SECOP_PEER
/* Backwards compatible security as a base for opportunistic TLS. */
SSL_CTX_set_security_level(server_ctx, 0);
tls_free_context(TLScontext);
return (0);
}
-
#ifdef SSL_SECOP_PEER
/* When authenticating the peer, use 80-bit plus OpenSSL security level */
if (props->requirecert)
X509_free(peer);
/*
- * Give them a clue. Problems with trust chain verification are logged
- * when the session is first negotiated, before the session is stored
- * into the cache. We don't want mystery failures, so log the fact the
- * real problem is to be found in the past.
+ * Give them a clue. Problems with trust chain verification are
+ * logged when the session is first negotiated, before the session is
+ * stored into the cache. We don't want mystery failures, so log the
+ * fact the real problem is to be found in the past.
*/
if (!TLS_CERT_IS_TRUSTED(TLScontext)
&& (TLScontext->log_mask & TLS_LOG_UNTRUSTED)) {
/*
* Safe to treat as an ASCII string possibly holding a DNS name
*/
- dnsname = (char *) ASN1_STRING_data(gn->d.ia5);
+ dnsname = (const char *) ASN1_STRING_get0_data(gn->d.ia5);
len = ASN1_STRING_length(gn->d.ia5);
TRIM0(dnsname, len);
projects / thirdparty / postfix.git / commitdiff
