range. Viktor Dukhovni. Files: proto/TLS_README.html,
proto/postconf.proto.
- Bugfix (DANE support): handle OpenSSL memory allocation
+ Bugfix: DANE support: handle OpenSSL memory allocation
error. Viktor Dukhovni. File: tls/tls_dane.c.
+
+ Cleanup: LMDB_README was not installed. File: conf/postfix-files.
+
+20131214
+
+ Portability: on some platforms posttls-finger now requires
+ explicitly linking libdl. File: posttls-finger/Makefile.in.
+
+ Cleanup: DANE support: extension gymnastics. Viktor Dukhovni.
+ File: tls/tls_dane.c.
+
+ Bugfix: DANE support: the wrap_cert() and wrap_key() calls
+ should never fail, but some callers ignored the return
+ value. The only failure is for lack of memory, so we use
+ msg_fatal() internally and change wrap_cert() and wrap_key()
+ to return void. Viktor Dukhovni. File: tls/tls_dane.c.
+
+ Bugfix: DANE support: avoid making DANE certificates with
+ replaced public-keys appear as if they were self-signed.
+ Viktor Dukhovni. File: tls/tls_dane.c.
+
+ Cleanup: DANE support: simplify grow_chain() to always apply
+ trust consistently. Viktor Dukhovni. File: tls/tls_dane.c.
+
+ Bugfix: DANE support: backport fixes from OpenSSL DANE
+ testing. Discard errors generated by raw TA key signature
+ checks. Record the tadepth as zero with self-signed depth
+ 0 TAs. Robustness: Though it should never happen, don't
+ update the tadepth if already set. Viktor Dukhovni. Files:
+ tls/tls_dane.c, tls/tls_server.c.
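Review bot: the entry stating that wrap_cert() and wrap_key() can only fail for lack of memory does not match the code in this patch, which also reaches msg_fatal() when X509_sign() or an extension add fails (right after tls_print_errors()); either reword the entry to say that any wrapper-generation error is now fatal, or keep the allocation-only claim and handle signing errors separately.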
$readme_directory/IPV6_README:f:root:-:644
$readme_directory/LDAP_README:f:root:-:644
$readme_directory/LINUX_README:f:root:-:644
+$readme_directory/LMDB_README:f:root:-:644
$readme_directory/LOCAL_RECIPIENT_README:f:root:-:644
$readme_directory/MACOSX_README:f:root:-:644:o
$readme_directory/MAILDROP_README:f:root:-:644
$html_directory/IPV6_README.html:f:root:-:644
$html_directory/LDAP_README.html:f:root:-:644
$html_directory/LINUX_README.html:f:root:-:644
+$html_directory/LMDB_README.html:f:root:-:644
$html_directory/LOCAL_RECIPIENT_README.html:f:root:-:644
$html_directory/MAILDROP_README.html:f:root:-:644
$html_directory/MILTER_README.html:f:root:-:644
<b><a href="postconf.5.html#recipient_delimiter">recipient_delimiter</a> (empty)</b>
The set of characters that can separate a user name
- from its address extension (user+foo).
+ from its extension (example: user+foo), or a .for-
+ ward file name from its extension (example: .for-
+ ward+foo).
<b><a href="postconf.5.html#require_home_directory">require_home_directory</a> (no)</b>
Require that a <a href="local.8.html"><b>local</b>(8)</a> recipient's home directory
<b><a href="postconf.5.html#recipient_delimiter">recipient_delimiter</a> (empty)</b>
The set of characters that can separate a user name
- from its address extension (user+foo).
+ from its extension (example: user+foo), or a .for-
+ ward file name from its extension (example: .for-
+ ward+foo).
<b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
The syslog facility of Postfix logging.
(default: empty)</b></DT><DD>
<p> The set of characters that can separate a user name from its
-address extension (user+foo). See <a href="canonical.5.html">canonical(5)</a>, <a href="local.8.html">local(8)</a>, <a href="relocated.5.html">relocated(5)</a>
-and <a href="virtual.5.html">virtual(5)</a> for the effects this has on aliases, canonical,
-virtual, and relocated lookups. Basically, the software tries
-user+foo and .forward+foo before trying user and .forward. </p>
-
-<p> This implementation recognizes one delimiter character per email
-address, and one address extension per email address. </p>
+extension (example: user+foo), or a .forward file name from its
+extension (example: .forward+foo). Basically, the software tries
+user+foo and .forward+foo before trying user and .forward. This
+implementation recognizes one delimiter character and one extension
+per email address or .forward file name. </p>
<p> When the <a href="postconf.5.html#recipient_delimiter">recipient_delimiter</a> set contains multiple characters
-(Postfix 2.11 and later), a user name is separated from its address
-extension by the first character that matches the <a href="postconf.5.html#recipient_delimiter">recipient_delimiter</a>
-set. </p>
+(Postfix 2.11 and later), a user name or .forward file name is
+separated from its extension by the first character that matches
+the <a href="postconf.5.html#recipient_delimiter">recipient_delimiter</a> set. </p>
+
+<p> See <a href="canonical.5.html">canonical(5)</a>, <a href="local.8.html">local(8)</a>, <a href="relocated.5.html">relocated(5)</a> and <a href="virtual.5.html">virtual(5)</a> for the
+effects of <a href="postconf.5.html#recipient_delimiter">recipient_delimiter</a> on lookups in aliases, canonical,
+virtual, and relocated maps, and see the <a href="postconf.5.html#propagate_unmatched_extensions">propagate_unmatched_extensions</a>
+parameter for propagating an extension from one email address to
+another. </p>
<p> When used in <a href="postconf.5.html#command_execution_directory">command_execution_directory</a>, <a href="postconf.5.html#forward_path">forward_path</a>, or
-<a href="postconf.5.html#luser_relay">luser_relay</a>, ${<a href="postconf.5.html#recipient_delimiter">recipient_delimiter</a>} is replaced
-with the recipient delimiter that was found in the recipient email
-address (Postfix 2.11 and later), or it is replaced with the <a href="postconf.5.html">main.cf</a>
+<a href="postconf.5.html#luser_relay">luser_relay</a>, ${<a href="postconf.5.html#recipient_delimiter">recipient_delimiter</a>} is replaced with the actual
+recipient delimiter that was found in the recipient email address
+(Postfix 2.11 and later), or it is replaced with the <a href="postconf.5.html">main.cf</a>
<a href="postconf.5.html#recipient_delimiter">recipient_delimiter</a> parameter value (Postfix 2.10 and earlier).
</p>
The Internet protocols Postfix will attempt to use
when making or accepting connections.
- <b><a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> (<a href="proxymap.8.html">proxy</a>:unix:passwd.byname</b>
+ <b><a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> (<a href="proxymap.8.html">proxy</a>:<a href="DATABASE_README.html#types">unix</a>:passwd.byname</b>
<b>$<a href="postconf.5.html#alias_maps">alias_maps</a>)</b>
Lookup tables with all names or addresses of local
recipients: a recipient address is local when its
<b><a href="postconf.5.html#recipient_delimiter">recipient_delimiter</a> (empty)</b>
The set of characters that can separate a user name
- from its address extension (user+foo).
+ from its extension (example: user+foo), or a .for-
+ ward file name from its extension (example: .for-
+ ward+foo).
<b><a href="postconf.5.html#smtpd_banner">smtpd_banner</a> ($<a href="postconf.5.html#myhostname">myhostname</a> ESMTP $<a href="postconf.5.html#mail_name">mail_name</a>)</b>
The text that follows the 220 status code in the
<b><a href="postconf.5.html#recipient_delimiter">recipient_delimiter</a> (empty)</b>
The set of characters that can separate a user name
- from its address extension (user+foo).
+ from its extension (example: user+foo), or a .for-
+ ward file name from its extension (example: .for-
+ ward+foo).
<b><a href="postconf.5.html#swap_bangpath">swap_bangpath</a> (yes)</b>
Enable the rewriting of "site!user" into
;;
SunOS.5*) SYSTYPE=SUNOS5
RANLIB=echo
- SYSLIBS="-lresolv -lsocket -lnsl"
+ SYSLIBS="-lresolv -lsocket -lnsl -ldl"
# Stock awk breaks with >10 files.
test -x /usr/xpg4/bin/awk && AWK=/usr/xpg4/bin/awk
# Solaris 2.5 added usleep(), POSIX regexp, POSIX getpwnam/uid_r
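Review bot: -ldl is added to SYSLIBS for every program built on SunOS.5, not only posttls-finger, while the HISTORY entry names posttls-finger/Makefile.in as the changed file and does not mention this SYSTYPE case; list the file that carries this hunk in the entry so the link-flag change is discoverable.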
.ft R
.SH recipient_delimiter (default: empty)
The set of characters that can separate a user name from its
-address extension (user+foo). See \fBcanonical\fR(5), \fBlocal\fR(8), \fBrelocated\fR(5)
-and \fBvirtual\fR(5) for the effects this has on aliases, canonical,
-virtual, and relocated lookups. Basically, the software tries
-user+foo and .forward+foo before trying user and .forward.
-.PP
-This implementation recognizes one delimiter character per email
-address, and one address extension per email address.
+extension (example: user+foo), or a .forward file name from its
+extension (example: .forward+foo). Basically, the software tries
+user+foo and .forward+foo before trying user and .forward. This
+implementation recognizes one delimiter character and one extension
+per email address or .forward file name.
.PP
When the recipient_delimiter set contains multiple characters
-(Postfix 2.11 and later), a user name is separated from its address
-extension by the first character that matches the recipient_delimiter
-set.
+(Postfix 2.11 and later), a user name or .forward file name is
+separated from its extension by the first character that matches
+the recipient_delimiter set.
+.PP
+See \fBcanonical\fR(5), \fBlocal\fR(8), \fBrelocated\fR(5) and \fBvirtual\fR(5) for the
+effects of recipient_delimiter on lookups in aliases, canonical,
+virtual, and relocated maps, and see the propagate_unmatched_extensions
+parameter for propagating an extension from one email address to
+another.
.PP
When used in command_execution_directory, forward_path, or
-luser_relay, ${recipient_delimiter} is replaced
-with the recipient delimiter that was found in the recipient email
-address (Postfix 2.11 and later), or it is replaced with the main.cf
+luser_relay, ${recipient_delimiter} is replaced with the actual
+recipient delimiter that was found in the recipient email address
+(Postfix 2.11 and later), or it is replaced with the main.cf
recipient_delimiter parameter value (Postfix 2.10 and earlier).
.PP
The recipient_delimiter is not applied to the mailer-daemon
The location of the Postfix top-level queue directory.
.IP "\fBrecipient_delimiter (empty)\fR"
The set of characters that can separate a user name from its
-address extension (user+foo).
+extension (example: user+foo), or a .forward file name from its
+extension (example: .forward+foo).
.IP "\fBrequire_home_directory (no)\fR"
Require that a \fBlocal\fR(8) recipient's home directory exists
before mail delivery is attempted.
The location of the Postfix top-level queue directory.
.IP "\fBrecipient_delimiter (empty)\fR"
The set of characters that can separate a user name from its
-address extension (user+foo).
+extension (example: user+foo), or a .forward file name from its
+extension (example: .forward+foo).
.IP "\fBsyslog_facility (mail)\fR"
The syslog facility of Postfix logging.
.IP "\fBsyslog_name (see 'postconf -d' output)\fR"
The location of the Postfix top-level queue directory.
.IP "\fBrecipient_delimiter (empty)\fR"
The set of characters that can separate a user name from its
-address extension (user+foo).
+extension (example: user+foo), or a .forward file name from its
+extension (example: .forward+foo).
.IP "\fBsmtpd_banner ($myhostname ESMTP $mail_name)\fR"
The text that follows the 220 status code in the SMTP greeting
banner.
addresses that have no ".domain" information.
.IP "\fBrecipient_delimiter (empty)\fR"
The set of characters that can separate a user name from its
-address extension (user+foo).
+extension (example: user+foo), or a .forward file name from its
+extension (example: .forward+foo).
.IP "\fBswap_bangpath (yes)\fR"
Enable the rewriting of "site!user" into "user@site".
.PP
%PARAM recipient_delimiter
<p> The set of characters that can separate a user name from its
-address extension (user+foo). See canonical(5), local(8), relocated(5)
-and virtual(5) for the effects this has on aliases, canonical,
-virtual, and relocated lookups. Basically, the software tries
-user+foo and .forward+foo before trying user and .forward. </p>
-
-<p> This implementation recognizes one delimiter character per email
-address, and one address extension per email address. </p>
+extension (example: user+foo), or a .forward file name from its
+extension (example: .forward+foo). Basically, the software tries
+user+foo and .forward+foo before trying user and .forward. This
+implementation recognizes one delimiter character and one extension
+per email address or .forward file name. </p>
<p> When the recipient_delimiter set contains multiple characters
-(Postfix 2.11 and later), a user name is separated from its address
-extension by the first character that matches the recipient_delimiter
-set. </p>
+(Postfix 2.11 and later), a user name or .forward file name is
+separated from its extension by the first character that matches
+the recipient_delimiter set. </p>
+
+<p> See canonical(5), local(8), relocated(5) and virtual(5) for the
+effects of recipient_delimiter on lookups in aliases, canonical,
+virtual, and relocated maps, and see the propagate_unmatched_extensions
+parameter for propagating an extension from one email address to
+another. </p>
<p> When used in command_execution_directory, forward_path, or
-luser_relay, ${recipient_delimiter} is replaced
-with the recipient delimiter that was found in the recipient email
-address (Postfix 2.11 and later), or it is replaced with the main.cf
+luser_relay, ${recipient_delimiter} is replaced with the actual
+recipient delimiter that was found in the recipient email address
+(Postfix 2.11 and later), or it is replaced with the main.cf
recipient_delimiter parameter value (Postfix 2.10 and earlier).
</p>
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20131210"
+#define MAIL_RELEASE_DATE "20131214"
#define MAIL_VERSION_NUMBER "2.11"
#ifdef SNAPSHOT
/* The location of the Postfix top-level queue directory.
/* .IP "\fBrecipient_delimiter (empty)\fR"
/* The set of characters that can separate a user name from its
-/* address extension (user+foo).
+/* extension (example: user+foo), or a .forward file name from its
+/* extension (example: .forward+foo).
/* .IP "\fBrequire_home_directory (no)\fR"
/* Require that a \fBlocal\fR(8) recipient's home directory exists
/* before mail delivery is attempted.
/* The location of the Postfix top-level queue directory.
/* .IP "\fBrecipient_delimiter (empty)\fR"
/* The set of characters that can separate a user name from its
-/* address extension (user+foo).
+/* extension (example: user+foo), or a .forward file name from its
+/* extension (example: .forward+foo).
/* .IP "\fBsyslog_facility (mail)\fR"
/* The syslog facility of Postfix logging.
/* .IP "\fBsyslog_name (see 'postconf -d' output)\fR"
/* The location of the Postfix top-level queue directory.
/* .IP "\fBrecipient_delimiter (empty)\fR"
/* The set of characters that can separate a user name from its
-/* address extension (user+foo).
+/* extension (example: user+foo), or a .forward file name from its
+/* extension (example: .forward+foo).
/* .IP "\fBsmtpd_banner ($myhostname ESMTP $mail_name)\fR"
/* The text that follows the 220 status code in the SMTP greeting
/* banner.
return (matched);
}
+/* push_ext - push extension onto certificate's stack, else free it */
+
+static int push_ext(X509 *cert, X509_EXTENSION *ext)
+{
+ x509_extension_stack_t *exts;
+
+ if (ext) {
+ if ((exts = cert->cert_info->extensions) == 0)
+ exts = cert->cert_info->extensions = sk_X509_EXTENSION_new_null();
+ if (exts && sk_X509_EXTENSION_push(exts, ext))
+ return 1;
+ X509_EXTENSION_free(ext);
+ }
+ return 0;
+}
+
/* add_ext - add simple extension (no config section references) */
static int add_ext(X509 *issuer, X509 *subject, int ext_nid, char *ext_val)
{
X509V3_CTX v3ctx;
- X509_EXTENSION *ext;
- x509_extension_stack_t *exts;
X509V3_set_ctx(&v3ctx, issuer, subject, 0, 0, 0);
- if ((exts = subject->cert_info->extensions) == 0)
- exts = subject->cert_info->extensions = sk_X509_EXTENSION_new_null();
- if (!exts)
- return (0);
-
- if ((ext = X509V3_EXT_conf_nid(0, &v3ctx, ext_nid, ext_val)) != 0
- && sk_X509_EXTENSION_push(exts, ext))
- return (1);
- if (ext)
- X509_EXTENSION_free(ext);
- return (0);
+ return push_ext(subject, X509V3_EXT_conf_nid(0, &v3ctx, ext_nid, ext_val));
}
/* set_serial - set serial number to match akid or use subject's plus 1 */
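Review bot: push_ext() reaches into cert->cert_info->extensions, OpenSSL's internal X509 layout, to append the extension; X509_add_ext(cert, ext, -1), which appends a copy, followed by X509_EXTENSION_free(ext) gives the same result through the public API and keeps the code independent of that layout. The ownership rule (ext is consumed on success and freed on failure, and a NULL ext yields 0) is only implied by the one-line header comment; since add_ext() now passes the result of X509V3_EXT_conf_nid() straight in, state it explicitly.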
{
ASN1_STRING *id;
unsigned char c = 0;
+ int nid = NID_authority_key_identifier;
int ret = 0;
/*
if ((akid = AUTHORITY_KEYID_new()) != 0
&& (akid->keyid = ASN1_OCTET_STRING_new()) != 0
&& M_ASN1_OCTET_STRING_set(akid->keyid, (void *) &c, 1)
- && X509_add1_ext_i2d(cert, NID_authority_key_identifier, akid, 0, 0))
+ && X509_add1_ext_i2d(cert, nid, akid, 0, X509V3_ADD_DEFAULT) > 0)
ret = 1;
if (akid)
AUTHORITY_KEYID_free(akid);
static int add_skid(X509 *cert, AUTHORITY_KEYID *akid)
{
- int ret;
+ int nid = NID_subject_key_identifier;
- if (akid && akid->keyid) {
- VSTRING *hexid = vstring_alloc(2 * EVP_MAX_MD_SIZE);
- ASN1_STRING *id = (ASN1_STRING *) (akid->keyid);
-
- hex_encode(hexid, (char *) M_ASN1_STRING_data(id),
- M_ASN1_STRING_length(id));
- ret = add_ext(0, cert, NID_subject_key_identifier, STR(hexid));
- vstring_free(hexid);
- } else {
- ret = add_ext(0, cert, NID_subject_key_identifier, "hash");
- }
- return (ret);
+ if (!akid || !akid->keyid)
+ return add_ext(0, cert, nid, "hash");
+ else
+ return X509_add1_ext_i2d(cert, nid, akid, 0, X509V3_ADD_DEFAULT) > 0;
}
/* akid_issuer_name - get akid issuer directory name */
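Review bot: in add_skid(), X509_add1_ext_i2d() is called with nid = NID_subject_key_identifier but the value passed is the whole AUTHORITY_KEYID structure; the SubjectKeyIdentifier extension is encoded from an ASN1_OCTET_STRING, so this should pass akid->keyid (the octet string the removed code hex-encoded) rather than akid, otherwise the i2d routine for the SKID extension is handed the wrong object type.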
return (X509_set_issuer_name(cert, X509_get_subject_name(cert)));
}
-/* grow_chain - add certificate to chain */
+/* grow_chain - add certificate to trusted or untrusted chain */
-static void grow_chain(x509_stack_t **skptr, X509 *cert, ASN1_OBJECT *trust)
+static void grow_chain(TLS_SESS_STATE *TLScontext, int trusted, X509 *cert)
{
- if (!*skptr && (*skptr = sk_X509_new_null()) == 0)
+ x509_stack_t **xs = trusted ? &TLScontext->trusted : &TLScontext->untrusted;
+
+#define UNTRUSTED 0
+#define TRUSTED 1
+
+ if (!*xs && (*xs = sk_X509_new_null()) == 0)
msg_fatal("out of memory");
if (cert) {
- if (trust && !X509_add1_trust_object(cert, trust))
+ if (trusted && !X509_add1_trust_object(cert, serverAuth))
msg_fatal("out of memory");
CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509);
- if (!sk_X509_push(*skptr, cert))
+ if (!sk_X509_push(*xs, cert))
msg_fatal("out of memory");
}
}
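Review bot: UNTRUSTED and TRUSTED are #defined inside the body of grow_chain() but are read by its callers (wrap_key(), wrap_cert(), set_trust() and the final-chain code); move the two defines to file scope next to the function so the values are visible where they are used, and note in the header comment that "trusted" also implies X509_add1_trust_object(cert, serverAuth).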
/* wrap_key - wrap TA "key" as issuer of "subject" */
-static int wrap_key(TLS_SESS_STATE *TLScontext, int depth,
- EVP_PKEY *key, X509 *subject)
+static void wrap_key(TLS_SESS_STATE *TLScontext, int depth,
+ EVP_PKEY *key, X509 *subject)
{
- int ret = 1;
- int selfsigned = 0;
X509 *cert = 0;
AUTHORITY_KEYID *akid;
X509_NAME *name = X509_get_issuer_name(subject);
X509_NAME *akid_name;
+ /*
+ * The subject name is never a NULL object unless we run out of memory.
+ * It may be an empty sequence, but the containing object always exists
+ * and its storage is owned by the certificate itself.
+ */
+ if (name == 0 || (cert = X509_new()) == 0)
+ msg_fatal("Out of memory");
+
/*
* Record the depth of the intermediate wrapper certificate, logged in
* the verify callback.
msg_info("%s: depth=%d chain is trust-anchor signed",
TLScontext->namaddr, depth);
}
+ akid = X509_get_ext_d2i(subject, NID_authority_key_identifier, 0, 0);
+
+ ERR_clear_error();
/*
* If key is NULL generate a self-signed root CA, with key "danekey",
* otherwise an intermediate CA signed by above.
+ *
+ * CA cert valid for +/- 30 days.
*/
- if ((cert = X509_new()) == 0)
- return (0);
-
- akid = X509_get_ext_d2i(subject, NID_authority_key_identifier, 0, 0);
- if ((akid_name = akid_issuer_name(akid)) == 0
- || X509_NAME_cmp(name, akid_name) == 0)
- selfsigned = 1;
-
- ERR_clear_error();
-
- /* CA cert valid for +/- 30 days */
if (!X509_set_version(cert, 2)
|| !set_serial(cert, akid, subject)
|| !X509_set_subject_name(cert, name)
|| !X509_gmtime_adj(X509_get_notAfter(cert), 30 * 86400L)
|| !X509_set_pubkey(cert, key ? key : danekey)
|| !add_ext(0, cert, NID_basic_constraints, "CA:TRUE")
- || (key && !selfsigned && !add_akid(cert, akid))
+ || (key && !add_akid(cert, akid))
|| !add_skid(cert, akid)
- || (wrap_signed
- && (!X509_sign(cert, danekey, signmd)
- || (key && !selfsigned
- && !wrap_key(TLScontext, depth + 1, 0, cert))))) {
- msg_warn("error generating DANE wrapper certificate");
+ || (wrap_signed && !X509_sign(cert, danekey, signmd))) {
tls_print_errors();
- ret = 0;
+ msg_fatal("error generating DANE wrapper certificate");
}
if (akid)
AUTHORITY_KEYID_free(akid);
- if (ret) {
- if (key && !selfsigned && wrap_signed)
- grow_chain(&TLScontext->untrusted, cert, 0);
- else
- grow_chain(&TLScontext->trusted, cert, serverAuth);
- }
+ if (key && wrap_signed) {
+ wrap_key(TLScontext, depth + 1, 0, cert);
+ grow_chain(TLScontext, UNTRUSTED, cert);
+ } else
+ grow_chain(TLScontext, TRUSTED, cert);
if (cert)
X509_free(cert);
- return (ret);
}
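Review bot: the comment above the new NULL check says "The subject name is never a NULL object", but name holds X509_get_issuer_name(subject); say "issuer name" so the comment matches the code. The trailing "if (cert) X509_free(cert);" is now dead, because cert is guaranteed non-NULL after the msg_fatal() at the top of the function, so drop the test.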
-/* wrap_cert - wrap "tacert" as issuer of "subject" */
+/* wrap_cert - wrap "tacert" as trust-anchor. */
-static int wrap_cert(TLS_SESS_STATE *TLScontext, int depth,
- X509 *tacert, X509 *subject)
+static void wrap_cert(TLS_SESS_STATE *TLScontext, X509 *tacert, int depth)
{
- int ret = 1;
X509 *cert;
int len;
unsigned char *asn1;
unsigned char *buf;
- TLScontext->tadepth = depth;
+ if (TLScontext->tadepth < 0)
+ TLScontext->tadepth = depth + 1;
+
if (TLScontext->log_mask & (TLS_LOG_VERBOSE | TLS_LOG_CERTMATCH))
msg_info("%s: depth=%d trust-anchor certificate",
TLScontext->namaddr, depth);
/*
* If the TA certificate is self-issued, use it directly.
*/
- if (!wrap_signed
- || X509_check_issued(tacert, tacert) == X509_V_OK) {
- grow_chain(&TLScontext->trusted, tacert, serverAuth);
- return (ret);
+ if (!wrap_signed || X509_check_issued(tacert, tacert) == X509_V_OK) {
+ grow_chain(TLScontext, TRUSTED, tacert);
+ return;
}
/* Deep-copy tacert by converting to ASN.1 and back */
len = i2d_X509(tacert, NULL);
msg_panic("d2i_X509 failed to decode TA certificate");
myfree((char *) asn1);
- grow_chain(&TLScontext->untrusted, cert, 0);
+ grow_chain(TLScontext, UNTRUSTED, cert);
/* Sign and wrap TA cert with internal "danekey" */
- if (!X509_sign(cert, danekey, signmd)
- || !wrap_key(TLScontext, depth + 1, danekey, cert)) {
- msg_warn("error generating DANE wrapper certificate");
+ if (!X509_sign(cert, danekey, signmd)) {
tls_print_errors();
- ret = 0;
+ msg_fatal("error generating DANE wrapper certificate");
}
+ wrap_key(TLScontext, depth + 1, danekey, cert);
X509_free(cert);
- return (ret);
}
/* ta_signed - is certificate signed by a TLSA cert or pkey */
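Review bot: the depth bookkeeping needs a comment: tadepth is set to depth + 1 while the verbose log prints depth, and the ta_signed() caller now passes depth where it previously passed depth + 1 (set_trust() still passes depth), so it is unclear whether depth means the trust anchor's own position in the chain or that of the certificate it signed; the removed code logged and recorded the same value. Also, the "tadepth < 0" guard only works if tadepth is initialised to a negative value before set_trust() runs; that initialisation is not in this patch, so please confirm it exists (the leaf-match case sets it to 0 explicitly).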
if ((pk = X509_get_pubkey(x->cert)) == 0)
continue;
/* Check signature, since some other TA may work if not this. */
- if (X509_verify(cert, pk) > 0)
- done = wrap_cert(TLScontext, depth + 1, x->cert, cert);
+ if ((done = (X509_verify(cert, pk) > 0)) != 0)
+ wrap_cert(TLScontext, x->cert, depth);
EVP_PKEY_free(pk);
}
}
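Review bot: a failed X509_verify(cert, pk) in this loop can leave errors on the OpenSSL error queue just as the raw-key checks in the pkey loop do, but only the pkey loop gains an "else ERR_clear_error();" branch; add the same branch here so a later tls_print_errors() does not report a stale signature mismatch from a TA certificate that simply was not the signer.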
* ASN1 tag and length thus also excluding the unused bits field that is
* logically part of the length). However, some CAs have a non-standard
* authority keyid, so we lose. Too bad.
+ *
+ * This may push errors onto the stack when the certificate signature is not
+ * of the right type or length, throw these away.
*/
for (k = dane->pkeys; !done && k; k = k->next)
- if (X509_verify(cert, k->pkey) > 0)
- done = wrap_key(TLScontext, depth, k->pkey, cert);
+ if ((done = (X509_verify(cert, k->pkey) > 0)) != 0)
+ wrap_key(TLScontext, depth, k->pkey, cert);
+ else
+ ERR_clear_error();
return (done);
}
if (match) {
switch (match) {
case MATCHED_CERT:
- wrap_cert(TLScontext, depth, ca, cert);
+ wrap_cert(TLScontext, ca, depth);
break;
case MATCHED_PKEY:
if ((takey = X509_get_pubkey(ca)) == 0)
break;
}
/* Add untrusted ca. */
- grow_chain(&TLScontext->untrusted, ca, 0);
+ grow_chain(TLScontext, UNTRUSTED, ca);
/* Final untrusted self-signed element? */
if (X509_check_issued(ca, ca) == X509_V_OK) {
*/
if (!cert || !ta_signed(TLScontext, cert, depth)) {
/* Create empty trust list if null, else NOP */
- grow_chain(&TLScontext->trusted, 0, 0);
+ grow_chain(TLScontext, TRUSTED, 0);
}
/* shallow free */
if (in)
* Empty untrusted chain, could be NULL, but then ABI check less
* reliable, we may zero some other field, ...
*/
- grow_chain(&TLScontext->untrusted, 0, 0);
- if (tls_dane_match(TLScontext, TLS_DANE_TA, cert, 0))
- grow_chain(&TLScontext->trusted, cert, serverAuth);
- else
- grow_chain(&TLScontext->trusted, 0, 0);
+ grow_chain(TLScontext, UNTRUSTED, 0);
+ if (tls_dane_match(TLScontext, TLS_DANE_TA, cert, 0)) {
+ TLScontext->tadepth = 0;
+ grow_chain(TLScontext, TRUSTED, cert);
+ } else
+ grow_chain(TLScontext, TRUSTED, 0);
} else {
set_trust(TLScontext, ctx);
}
do { \
buf = vstring_alloc(2 * (len + strlen(service))); \
hex_encode(buf, (char *) (id), (len)); \
- vstring_sprintf_append(buf, "&s=%s", (service)); \
- vstring_sprintf_append(buf, "&l=%ld", (long) SSLeay()); \
+ vstring_sprintf_append(buf, "&s=%s", (service)); \
+ vstring_sprintf_append(buf, "&l=%ld", (long) SSLeay()); \
} while (0)
/* addresses that have no ".domain" information.
/* .IP "\fBrecipient_delimiter (empty)\fR"
/* The set of characters that can separate a user name from its
-/* address extension (user+foo).
+/* extension (example: user+foo), or a .forward file name from its
+/* extension (example: .forward+foo).
/* .IP "\fBswap_bangpath (yes)\fR"
/* Enable the rewriting of "site!user" into "user@site".
/* .PP