From: Wietse Venema Date: Sun, 28 Aug 2016 05:00:00 +0000 (-0500) Subject: postfix-3.1.2 X-Git-Tag: v3.1.2^0 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3aa6f4221404e6481d735a2b8f64736ecf970f9f;p=thirdparty%2Fpostfix.git postfix-3.1.2 --- diff --git a/postfix/HISTORY b/postfix/HISTORY index 67b856e32..d7fcb5ad3 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -22216,3 +22216,23 @@ Apologies for any names omitted. 20160515 Portability: OpenBSD 6.0. Files: makedefs, util/sys_defs.h. + +20160819 + + Bugfix (introduced: Postfix 3.0): the makedefs script ignored + readme_directory=pathname overrides. Fix by Todd C. Olson. + File: makedefs. + +20160821 + + Bugfix (introduced: Postfix 3.0): the tls_session_ticket_cipher + documentation says aes-256-cbc, but the implementation was + using aes-128-cbc (note that Postfix SMTP server and client + processes have a limited life time). + +20160828 + + Bitrot: fixes for incompatible OpenSSL 1.1.0 API changes. + Viktor Dukhovni. Files: posttls-finger/posttls-finger.c, + tls/tls.h, tls/tls_dane.c, tls/tls_verify.c, tls/tls_server.c, + tls/tls_client.c. diff --git a/postfix/makedefs b/postfix/makedefs index a21cd9f7f..8f7860110 100644 --- a/postfix/makedefs +++ b/postfix/makedefs @@ -962,7 +962,7 @@ html_directory_macro=DEF_HTML_DIR manpage_directory_macro=DEF_MANPAGE_DIR readme_directory_macro=DEF_README_DIR -for parm_name in html_directory manpage_directory +for parm_name in html_directory manpage_directory readme_directory do eval parm_val=\"\$$parm_name\" eval parm_macro=\"\$${parm_name}_macro\" diff --git a/postfix/src/global/mail_params.h b/postfix/src/global/mail_params.h index a9e48b319..fa31c5918 100644 --- a/postfix/src/global/mail_params.h +++ b/postfix/src/global/mail_params.h 
@@ -3206,7 +3206,7 @@ extern char *var_tls_bug_tweaks; extern char *var_tls_ssl_options; #define VAR_TLS_TKT_CIPHER "tls_session_ticket_cipher" -#define DEF_TLS_TKT_CIPHER "aes-128-cbc" +#define DEF_TLS_TKT_CIPHER "aes-256-cbc" extern char *var_tls_tkt_cipher; #define VAR_TLS_BC_PKEY_FPRINT "tls_legacy_public_key_fingerprints" diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index 1c74fb5d1..846f0c78a 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,8 +20,8 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20160515" -#define MAIL_VERSION_NUMBER "3.1.1" +#define MAIL_RELEASE_DATE "20160828" +#define MAIL_VERSION_NUMBER "3.1.2" #ifdef SNAPSHOT #define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE diff --git a/postfix/src/posttls-finger/posttls-finger.c b/postfix/src/posttls-finger/posttls-finger.c index fc24c3b2e..ea532f296 100644 --- a/postfix/src/posttls-finger/posttls-finger.c +++ b/postfix/src/posttls-finger/posttls-finger.c @@ -1511,7 +1511,7 @@ static int finger(STATE *state) return (0); } -#ifdef USE_TLS +#if defined(USE_TLS) && OPENSSL_VERSION_NUMBER < 0x10100000L /* ssl_cleanup - free memory allocated in the OpenSSL library */ @@ -1529,7 +1529,8 @@ static void ssl_cleanup(void) CRYPTO_cleanup_all_ex_data(); } -#endif +#endif /* USE_TLS && OPENSSL_VERSION_NUMBER + * < 0x10100000L */ /* run - do what we were asked to do. */ @@ -1955,7 +1956,9 @@ int main(int argc, char *argv[]) /* Be valgrind friendly and clean-up */ cleanup(&state); -#ifdef USE_TLS + + /* OpenSSL 1.1.0 and later (de)initialization is implicit */ +#if defined(USE_TLS) && OPENSSL_VERSION_NUMBER < 0x10100000L ssl_cleanup(); #endif diff --git a/postfix/src/tls/tls.h b/postfix/src/tls/tls.h index 346f4e850..1e2901702 100644 --- a/postfix/src/tls/tls.h +++ b/postfix/src/tls/tls.h 
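Review bot: Changing DEF_TLS_TKT_CIPHER to `"aes-256-cbc"` raises the key length the ticket cipher needs from 16 to 32 bytes, and nothing in the hunk shows that the ticket key material is sized from the configured cipher rather than a fixed length; confirm that the code which generates and hands out ticket keys checks `EVP_CIPHER_key_length()` of this cipher against the buffer it provides, because a too-short key would be a silent weakening rather than a build error. A short comment on the define, `/* must agree with the tls_session_ticket_cipher documentation */`, would help keep the default and the documentation in step, which is the mismatch this commit fixes.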
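Review bot: The new guard `OPENSSL_VERSION_NUMBER < 0x10100000L` treats every library reporting a higher version number as having implicit (de)initialization, but LibreSSL reports `0x20000000L` while, at least in the releases current when this was written, still using the 1.0.x-style explicit API; here that only skips ssl_cleanup(), but the same test gates SSL_load_error_strings()/OpenSSL_add_ssl_algorithms() in tls_client.c and tls_server.c and SSL_library_init() in tls_dane.c ctx_init(), where skipping them would leave the library uninitialized. Consider `#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)`, or one feature macro defined in tls.h and used in all five places, so the distinction is made once. Both ssl_cleanup() and main() continue outside the hunk.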
@@ -93,7 +93,17 @@ extern const char *str_tls_level(int); #define OpenSSL_version_num SSLeay #define OpenSSL_version SSLeay_version #define OPENSSL_VERSION SSLEAY_VERSION -#define X509_up_ref(x) CRYPTO_add(&((x)->references), 1, CRYPTO_LOCK_X509) +#define X509_up_ref(x) \ + CRYPTO_add(&((x)->references), 1, CRYPTO_LOCK_X509) +#define EVP_PKEY_up_ref(k) \ + CRYPTO_add(&((k)->references), 1, CRYPTO_LOCK_EVP_PKEY) +#define X509_STORE_CTX_get0_cert(ctx) ((ctx)->cert) +#define X509_STORE_CTX_get0_untrusted(ctx) ((ctx)->untrusted) +#define X509_STORE_CTX_set0_untrusted X509_STORE_CTX_set_chain +#define X509_STORE_CTX_set0_trusted_stack X509_STORE_CTX_trusted_stack +#define ASN1_STRING_get0_data ASN1_STRING_data +#define X509_getm_notBefore X509_get_notBefore +#define X509_getm_notAfter X509_get_notAfter #endif /* SSL_CIPHER_get_name() got constified in 0.9.7g */ diff --git a/postfix/src/tls/tls_client.c b/postfix/src/tls/tls_client.c index 24a4fc558..deb24f5ee 100644 --- a/postfix/src/tls/tls_client.c +++ b/postfix/src/tls/tls_client.c @@ -299,6 +299,8 @@ TLS_APPL_STATE *tls_client_init(const TLS_CLIENT_INIT_PROPS *props) */ tls_check_version(); +#if OPENSSL_VERSION_NUMBER < 0x10100000L + /* * Initialize the OpenSSL library by the book! To start with, we must * initialize the algorithms. We want cleartext error messages instead of @@ -306,6 +308,7 @@ TLS_APPL_STATE *tls_client_init(const TLS_CLIENT_INIT_PROPS *props) */ SSL_load_error_strings(); OpenSSL_add_ssl_algorithms(); +#endif /* * Create an application data index for SSL objects, so that we can @@ -363,7 +366,6 @@ TLS_APPL_STATE *tls_client_init(const TLS_CLIENT_INIT_PROPS *props) tls_print_errors(); return (0); } - #ifdef SSL_SECOP_PEER /* Backwards compatible security as a base for opportunistic TLS. */ SSL_CTX_set_security_level(client_ctx, 0); diff --git a/postfix/src/tls/tls_dane.c b/postfix/src/tls/tls_dane.c index bb882f206..4308108a4 100644 --- a/postfix/src/tls/tls_dane.c +++ b/postfix/src/tls/tls_dane.c 
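Review bot: The new compatibility macros in tls.h carry no comment saying what they are, and the `#if` enclosing them starts outside the hunk, so a reader of this block cannot tell which library versions get the shims. A one-line comment above `X509_up_ref`, `/* OpenSSL 1.1.0 accessor and refcount API, emulated on older releases */`, would make the intent explicit. It is also worth noting there that the `_up_ref` shims expand to CRYPTO_add() and, like the 1.1.0 functions, return an int that callers such as ta_pkey_insert() in tls_dane.c discard.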
@@ -573,7 +573,7 @@ static void ta_pkey_insert(TLS_DANE *d, EVP_PKEY *k) { TLS_PKEYS *new = (TLS_PKEYS *) mymalloc(sizeof(*new)); - CRYPTO_add(&k->references, 1, CRYPTO_LOCK_EVP_PKEY); + EVP_PKEY_up_ref(k); new->pkey = k; new->next = d->pkeys; d->pkeys = new; @@ -1465,7 +1465,7 @@ static int add_akid(X509 *cert, AUTHORITY_KEYID *akid) * self-signature checks! */ id = ((akid && akid->keyid) ? akid->keyid : 0); - if (id && ASN1_STRING_length(id) == 1 && *ASN1_STRING_data(id) == c) + if (id && ASN1_STRING_length(id) == 1 && *ASN1_STRING_get0_data(id) == c) c = 1; if ((akid = AUTHORITY_KEYID_new()) != 0 @@ -1583,10 +1583,10 @@ static void wrap_key(TLS_SESS_STATE *TLScontext, int depth, */ if (!X509_set_version(cert, 2) || !set_serial(cert, akid, subject) - || !X509_set_subject_name(cert, name) || !set_issuer_name(cert, akid) - || !X509_gmtime_adj(X509_get_notBefore(cert), -30 * 86400L) - || !X509_gmtime_adj(X509_get_notAfter(cert), 30 * 86400L) + || !X509_gmtime_adj(X509_getm_notBefore(cert), -30 * 86400L) + || !X509_gmtime_adj(X509_getm_notAfter(cert), 30 * 86400L) + || !X509_set_subject_name(cert, name) || !X509_set_pubkey(cert, key ? key : signkey) || !add_ext(0, cert, NID_basic_constraints, "CA:TRUE") || (key && !add_akid(cert, akid)) @@ -1720,8 +1720,8 @@ static void set_trust(TLS_SESS_STATE *TLScontext, X509_STORE_CTX *ctx) int depth = 0; EVP_PKEY *takey; X509 *ca; - X509 *cert = ctx->cert; /* XXX: Accessor? */ - x509_stack_t *in = ctx->untrusted; /* XXX: Accessor? */ + X509 *cert = X509_STORE_CTX_get0_cert(ctx); + x509_stack_t *in = X509_STORE_CTX_get0_untrusted(ctx); /* shallow copy */ if ((in = sk_X509_dup(in)) == 0) @@ -1802,7 +1802,7 @@ static int dane_cb(X509_STORE_CTX *ctx, void *app_ctx) { const char *myname = "dane_cb"; TLS_SESS_STATE *TLScontext = (TLS_SESS_STATE *) app_ctx; - X509 *cert = ctx->cert; /* XXX: accessor? */ + X509 *cert = X509_STORE_CTX_get0_cert(ctx); /* * Degenerate case: depth 0 self-signed cert. 
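Review bot: Besides switching to X509_getm_notBefore()/X509_getm_notAfter(), the wrap_key hunk moves the `X509_set_subject_name(cert, name)` call from before set_issuer_name() to after the validity adjustments, and nothing in the hunk or the commit message says why. If the order matters for OpenSSL 1.1.0, a one-line comment on that line would keep it from being tidied back later; if it does not, keeping the original order limits the change to the API rename. wrap_key's body continues outside the hunk.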
@@ -1832,9 +1832,9 @@ static int dane_cb(X509_STORE_CTX *ctx, void *app_ctx) * Check that setting the untrusted chain updates the expected structure * member at the expected offset. */ - X509_STORE_CTX_trusted_stack(ctx, TLScontext->trusted); - X509_STORE_CTX_set_chain(ctx, TLScontext->untrusted); - if (ctx->untrusted != TLScontext->untrusted) + X509_STORE_CTX_set0_trusted_stack(ctx, TLScontext->trusted); + X509_STORE_CTX_set0_untrusted(ctx, TLScontext->untrusted); + if (X509_STORE_CTX_get0_untrusted(ctx) != TLScontext->untrusted) msg_panic("%s: OpenSSL ABI change", myname); return X509_verify_cert(ctx); @@ -2163,8 +2163,10 @@ static SSL_CTX *ctx_init(const char *CAfile) tls_param_init(); tls_check_version(); +#if OPENSSL_VERSION_NUMBER < 0x10100000L SSL_load_error_strings(); SSL_library_init(); +#endif if (!tls_validate_digest(LN_sha1)) msg_fatal("%s digest algorithm not available", LN_sha1); diff --git a/postfix/src/tls/tls_server.c b/postfix/src/tls/tls_server.c index 44146bbbc..d12574606 100644 --- a/postfix/src/tls/tls_server.c +++ b/postfix/src/tls/tls_server.c @@ -173,9 +173,18 @@ static const char server_session_id_context[] = "Postfix/TLS"; #endif /* OPENSSL_VERSION_NUMBER */ + /* OpenSSL 1.1.0 bitrot */ +#if OPENSSL_VERSION_NUMBER >= 0x10100000L +typedef const unsigned char *session_id_t; + +#else +typedef unsigned char *session_id_t; + +#endif + /* get_server_session_cb - callback to retrieve session from server cache */ -static SSL_SESSION *get_server_session_cb(SSL *ssl, unsigned char *session_id, +static SSL_SESSION *get_server_session_cb(SSL *ssl, session_id_t session_id, int session_id_length, int *unused_copy) { @@ -368,6 +377,8 @@ TLS_APPL_STATE *tls_server_init(const TLS_SERVER_INIT_PROPS *props) */ tls_check_version(); +#if OPENSSL_VERSION_NUMBER < 0x10100000L + /* * Initialize the OpenSSL library by the book! To start with, we must * initialize the algorithms. We want cleartext error messages instead of 
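Review bot: The comment kept above this block still says the check verifies that setting the untrusted chain updates "the expected structure member at the expected offset", but with the new accessor that is only true on pre-1.1.0 builds where `X509_STORE_CTX_get0_untrusted()` is the shim reading `ctx->untrusted`; on 1.1.0 the comparison exercises the library's own accessor. Suggest rewording it to `Sanity check: the chain we set is the chain the verifier will use (on pre-1.1.0 OpenSSL this also detects an X509_STORE_CTX layout change).` so the msg_panic text below stays understandable. dane_cb begins outside the hunk.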
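Review bot: `session_id_t` exists only to absorb the const qualifier OpenSSL 1.1.0 puts on the callback's session_id parameter, and get_server_session_cb's body lies outside the hunk; confirm that body never writes through `session_id` (a cache lookup key should not need to), since on 1.1.0 such a write is now a compile error while on older releases it would remain silently. A comment on the typedef such as `/* OpenSSL 1.1.0 made the session id argument const */` says more than `/* OpenSSL 1.1.0 bitrot */`. The blank lines inside the `#if`/`#else`/`#endif` could also be dropped.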
@@ -375,6 +386,7 @@ TLS_APPL_STATE *tls_server_init(const TLS_SERVER_INIT_PROPS *props) */ SSL_load_error_strings(); OpenSSL_add_ssl_algorithms(); +#endif /* * First validate the protocols. If these are invalid, we can't continue. @@ -445,7 +457,6 @@ TLS_APPL_STATE *tls_server_init(const TLS_SERVER_INIT_PROPS *props) tls_print_errors(); return (0); } - #ifdef SSL_SECOP_PEER /* Backwards compatible security as a base for opportunistic TLS. */ SSL_CTX_set_security_level(server_ctx, 0); @@ -758,7 +769,6 @@ TLS_SESS_STATE *tls_server_start(const TLS_SERVER_START_PROPS *props) tls_free_context(TLScontext); return (0); } - #ifdef SSL_SECOP_PEER /* When authenticating the peer, use 80-bit plus OpenSSL security level */ if (props->requirecert) @@ -896,10 +906,10 @@ TLS_SESS_STATE *tls_server_post_accept(TLS_SESS_STATE *TLScontext) X509_free(peer); /* - * Give them a clue. Problems with trust chain verification are logged - * when the session is first negotiated, before the session is stored - * into the cache. We don't want mystery failures, so log the fact the - * real problem is to be found in the past. + * Give them a clue. Problems with trust chain verification are + * logged when the session is first negotiated, before the session is + * stored into the cache. We don't want mystery failures, so log the + * fact the real problem is to be found in the past. */ if (!TLS_CERT_IS_TRUSTED(TLScontext) && (TLScontext->log_mask & TLS_LOG_UNTRUSTED)) { diff --git a/postfix/src/tls/tls_verify.c b/postfix/src/tls/tls_verify.c index 42bfc1033..87af0c6f7 100644 --- a/postfix/src/tls/tls_verify.c +++ b/postfix/src/tls/tls_verify.c @@ -440,7 +440,7 @@ const char *tls_dns_name(const GENERAL_NAME * gn, /* * Safe to treat as an ASCII string possibly holding a DNS name */ - dnsname = (char *) ASN1_STRING_data(gn->d.ia5); + dnsname = (const char *) ASN1_STRING_get0_data(gn->d.ia5); len = ASN1_STRING_length(gn->d.ia5); TRIM0(dnsname, len);
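Review bot: The new cast `(const char *) ASN1_STRING_get0_data(gn->d.ia5)` only helps if `dnsname` is itself declared `const char *`; its declaration is outside the hunk, and if it is still `char *` the qualifier is discarded on assignment (a discarded-qualifier warning) and the pointer into the certificate's ASN1_STRING stays writable. Declaring it `const char *dnsname` matches the function's `const char *` return type shown in the hunk header. tls_dns_name's body continues outside the hunk.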