postfix-2.11-20130608

diff --git a/postfix/HISTORY b/postfix/HISTORY
index 4d99e0985fd2f870de91dcffc37f5b20e8950359..c8ee7e1dd3add86a6bb11abc94250081d6e49748 100644 (file)
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -18698,3 +18698,8 @@ Apologies for any names omitted.
        Robustness: check that TLSA-supplied certs have valid keys.
        It is not clear whether that check is performed in d2i().
        Viktor Dukhovni. tls/tls_dane.c.
+
+20130608
+
+       Cleanup (DANE support): be more explicit in the logging of
+       object digests.  Viktor Dukhovni. tls/tls_dane.c.

diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h
index faa015ff478da441cfa8e0ac53c8dad5b1260914..27f63d0d279fdbbf9a824de154d78e1ac8d5bca9 100644 (file)
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,7 +20,7 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE      "20130607"
+#define MAIL_RELEASE_DATE      "20130608"
 #define MAIL_VERSION_NUMBER    "2.11"
 
 #ifdef SNAPSHOT

diff --git a/postfix/src/tls/tls_dane.c b/postfix/src/tls/tls_dane.c
index 7a8567bb11d744d0981eb8b363c814fe6b58a672..47b106981bdf9b6db064a6f73fbaddf9792f0283 100644 (file)
--- a/postfix/src/tls/tls_dane.c
+++ b/postfix/src/tls/tls_dane.c
@@ -661,14 +661,27 @@ static void parse_tlsa_rrs(TLS_DANE *dane, DNS_RR *rr)
             * The cert or key was valid, just digest the raw object, and
             * encode the digest value.  We choose SHA256.
             */
-           dane_add(dane, usage, selector, sha256,
+           dane_add(dane, usage, selector, mdalg = sha256,
                     digest = tls_data_fprint((char *) ip, mlen, sha256));
            break;
        }
-       if (msg_verbose || dane_verbose)
-           msg_info("using DANE RR: %s%s%s IN TLSA %u %u %u %s",
-                    rcname(rr), rarrow(rr), rr->rname,
-                    usage, selector, mtype, digest);
+       if (msg_verbose || dane_verbose) {
+           switch (mtype) {
+           default:
+               msg_info("using DANE RR: %s%s%s IN TLSA %u %u %u %s",
+                        rcname(rr), rarrow(rr), rr->rname,
+                        usage, selector, mtype, digest);
+               break;
+           case DNS_TLSA_MATCHING_TYPE_NO_HASH_USED:
+               msg_info("using DANE RR: %s%s%s IN TLSA %u %u %u <%s>; "
+                        "%s digest %s",
+                        rcname(rr), rarrow(rr), rr->rname,
+                        usage, selector, mtype,
+                        (selector == DNS_TLSA_SELECTOR_FULL_CERTIFICATE) ?
+                        "certificate" : "public key", mdalg, digest);
+               break;
+           }
+       }
        myfree(digest);
     }