From: Wietse Venema Date: Sun, 1 Sep 2013 13:30:00 +0000 (-0400) Subject: postfix-2.10.2-RC1 X-Git-Tag: v2.10.2-RC1^0 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=146523f2dd4db7dc4890e6c769bbf75890113ab7;p=thirdparty%2Fpostfix.git postfix-2.10.2-RC1 --- diff --git a/postfix/HISTORY b/postfix/HISTORY index f67206198..ba23e20b6 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -18276,6 +18276,12 @@ Apologies for any names omitted. address. Found during Postfix 2.11 code maintenance. File: smtp/smtp_connect.c. +20130518 + + Bugfix (introduced: 1997): memory leak after error while + forwarding mail through the cleanup server. Viktor found + one, Wietse eliminated the rest. File: local/forward.c. + 20130613 Workaround: unhelpful down-stream maintainers fail to install @@ -18283,3 +18289,20 @@ Apologies for any names omitted. that could have been avoided. We now hard-code the safety net instead. Files: global/mail_params.h, conf/post-install, RELEASE_NOTES. + +20130615 + + Interoperability: turn on SHA-2XX digests by force. This + improves interoperability with clients and servers with + ancient OpenSSL versions that prematurely deploy SHA-2 + certificates. Based on patch by Viktor Dukhovni. Files: + tls/tls_client.c, tls/tls_server.c. + +20130616 + + Workaround: The Postfix SMTP server TLS session cache was + broken because OpenSSL now enables session tickets by + default, resulting in a different ticket encryption key for + each smtpd(8) process. The workaround turns off session + tickets. In 2.11 we'll enable session tickets properly. + Viktor Dukhovni. File: tls/tls_server.c. diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index b1ebb9274..6eff8caf3 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,8 +20,8 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20130622" -#define MAIL_VERSION_NUMBER "2.10.1" +#define MAIL_RELEASE_DATE "20130901" +#define MAIL_VERSION_NUMBER "2.10.2-RC1" #ifdef SNAPSHOT # define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE diff --git a/postfix/src/local/forward.c b/postfix/src/local/forward.c index 6ebe74f18..fb7da4f2e 100644 --- a/postfix/src/local/forward.c +++ b/postfix/src/local/forward.c @@ -118,6 +118,11 @@ static FORWARD_INFO *forward_open(DELIVER_REQUEST *request, const char *sender) FORWARD_INFO *info; VSTREAM *cleanup; +#define FORWARD_OPEN_RETURN(res) do { \ + vstring_free(buffer); \ + return (res); \ + } while (0) + /* * Contact the cleanup service and save the new mail queue id. Request * that the cleanup service bounces bad messages to the sender so that we @@ -129,13 +134,13 @@ static FORWARD_INFO *forward_open(DELIVER_REQUEST *request, const char *sender) */ cleanup = mail_connect(MAIL_CLASS_PUBLIC, var_cleanup_service, BLOCKING); if (cleanup == 0) - return (0); + FORWARD_OPEN_RETURN(0); close_on_exec(vstream_fileno(cleanup), CLOSE_ON_EXEC); if (attr_scan(cleanup, ATTR_FLAG_STRICT, ATTR_TYPE_STR, MAIL_ATTR_QUEUEID, buffer, ATTR_TYPE_END) != 1) { vstream_fclose(cleanup); - return (0); + FORWARD_OPEN_RETURN(0); } info = (FORWARD_INFO *) mymalloc(sizeof(FORWARD_INFO)); info->cleanup = cleanup; @@ -190,8 +195,7 @@ static FORWARD_INFO *forward_open(DELIVER_REQUEST *request, const char *sender) PASS_ATTR(cleanup, MAIL_ATTR_LOG_IDENT, request->log_ident); PASS_ATTR(cleanup, MAIL_ATTR_RWR_CONTEXT, request->rewrite_context); - vstring_free(buffer); - return (info); + FORWARD_OPEN_RETURN(info); } /* forward_append - append recipient to message envelope */ diff --git a/postfix/src/tls/tls_client.c b/postfix/src/tls/tls_client.c index 2252b00fa..1a1e305cf 100644 --- a/postfix/src/tls/tls_client.c +++ b/postfix/src/tls/tls_client.c @@ -335,6 +335,24 @@ TLS_APPL_STATE *tls_client_init(const TLS_CLIENT_INIT_PROPS *props) } } + /* + * Register SHA-2 digests, if implemented and not already registered. + * Improves interoperability with clients and servers that prematurely + * deploy SHA-2 certificates. + */ +#if defined(LN_sha256) && defined(NID_sha256) && !defined(OPENSSL_NO_SHA256) + if (!EVP_get_digestbyname(LN_sha224)) + EVP_add_digest(EVP_sha224()); + if (!EVP_get_digestbyname(LN_sha256)) + EVP_add_digest(EVP_sha256()); +#endif +#if defined(LN_sha512) && defined(NID_sha512) && !defined(OPENSSL_NO_SHA512) + if (!EVP_get_digestbyname(LN_sha384)) + EVP_add_digest(EVP_sha384()); + if (!EVP_get_digestbyname(LN_sha512)) + EVP_add_digest(EVP_sha512()); +#endif + /* * If the administrator specifies an unsupported digest algorithm, fail * now, rather than in the middle of a TLS handshake. diff --git a/postfix/src/tls/tls_server.c b/postfix/src/tls/tls_server.c index f0ebf669c..441d24ca2 100644 --- a/postfix/src/tls/tls_server.c +++ b/postfix/src/tls/tls_server.c @@ -340,6 +340,24 @@ TLS_APPL_STATE *tls_server_init(const TLS_SERVER_INIT_PROPS *props) } } + /* + * Register SHA-2 digests, if implemented and not already registered. + * Improves interoperability with clients and servers that prematurely + * deploy SHA-2 certificates. + */ +#if defined(LN_sha256) && defined(NID_sha256) && !defined(OPENSSL_NO_SHA256) + if (!EVP_get_digestbyname(LN_sha224)) + EVP_add_digest(EVP_sha224()); + if (!EVP_get_digestbyname(LN_sha256)) + EVP_add_digest(EVP_sha256()); +#endif +#if defined(LN_sha512) && defined(NID_sha512) && !defined(OPENSSL_NO_SHA512) + if (!EVP_get_digestbyname(LN_sha384)) + EVP_add_digest(EVP_sha384()); + if (!EVP_get_digestbyname(LN_sha512)) + EVP_add_digest(EVP_sha512()); +#endif + /* * If the administrator specifies an unsupported digest algorithm, fail * now, rather than in the middle of a TLS handshake. @@ -395,6 +413,9 @@ TLS_APPL_STATE *tls_server_init(const TLS_SERVER_INIT_PROPS *props) /* * Protocol work-arounds, OpenSSL version dependent. */ +#ifdef SSL_OP_NO_TICKET + off |= SSL_OP_NO_TICKET; +#endif off |= tls_bug_bits(); SSL_CTX_set_options(server_ctx, off);