From: Wietse Venema
Date: Fri, 7 Jun 2013 17:01:40 +0000 (-0400)
Subject: postfix-2.11-20130607
X-Git-Tag: v2.11.0-RC1~33
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9a371608e1e49ca70c4dcf1d9535dcc820efa064;p=thirdparty%2Fpostfix.git

postfix-2.11-20130607
---

diff --git a/postfix/HISTORY b/postfix/HISTORY
index f235f6c15..4d99e0985 100644
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -18686,3 +18686,15 @@ Apologies for any names omitted.
 certificates. Viktor Dukhovni. Files: proto/postconf.proto,
 mantools/postlink, global/mail_params.h, tls/tls_client.c,
 tls/tls_misc.c.
+
+20130607
+
+ Bugfix (DANE support): with multiple TLSA RR that carry "x
+ 0 0" certificates or "x 1 0" keys, Postfix failed to reset
+ the cert/key pointer before calling d2i_mumble(), causing
+ OpenSSL to clobber the previous cert or key. Viktor Dukhovni.
+ tls/tls_dane.c.
+
+ Robustness: check that TLSA-supplied certs have valid keys.
+ It is not clear whether that check is performed in d2i().
+ Viktor Dukhovni. tls/tls_dane.c.
diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h
index 876475864..faa015ff4 100644
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,7 +20,7 @@
 * Patches change both the patchlevel and the release date. Snapshots have no
 * patchlevel; they change the release date only.
 */
-#define MAIL_RELEASE_DATE "20130602"
+#define MAIL_RELEASE_DATE "20130607"
 #define MAIL_VERSION_NUMBER "2.11"
 
 #ifdef SNAPSHOT
diff --git a/postfix/src/tls/tls_dane.c b/postfix/src/tls/tls_dane.c
index e9c94daf8..7a8567bb1 100644
--- a/postfix/src/tls/tls_dane.c
+++ b/postfix/src/tls/tls_dane.c
@@ -499,8 +499,6 @@ static void parse_tlsa_rrs(TLS_DANE *dane, DNS_RR *rr)
 uint8_t mtype;
 int mlen;
 const unsigned char *p;
- X509 *x = 0; /* OpenSSL tries to re-use *x if x!=0 */
- EVP_PKEY *k = 0; /* OpenSSL tries to re-use *k if k!=0 */
 
 if (rr == 0)
 msg_panic("null TLSA rr");
@@ -511,6 +509,8 @@ static void parse_tlsa_rrs(TLS_DANE *dane, DNS_RR *rr)
 char *digest;
 int same = (strcasecmp(rr->rname, rr->qname) == 0);
 uint8_t *ip = (uint8_t *) rr->data;
+ X509 *x = 0; /* OpenSSL tries to re-use *x if x!=0 */
+ EVP_PKEY *k = 0; /* OpenSSL tries to re-use *k if k!=0 */
 
 #define rcname(rr) (same ? "" : rr->qname)
 #define rarrow(rr) (same ? "" : " -> ")
@@ -611,6 +611,17 @@ static void parse_tlsa_rrs(TLS_DANE *dane, DNS_RR *rr)
 continue;
 }
 
+ /* Also unusable if public key is malformed */
+ if ((k = X509_get_pubkey(x)) == 0) {
+ msg_warn("%s public key malformed in RR: " "%s%s%s IN TLSA %u %u %u ...", "certificate", rcname(rr), rarrow(rr), rr->rname, usage, selector, mtype);
+ X509_free(x);
+ continue;
+ }
+ EVP_PKEY_free(k);
+
 /*
 * When a full trust-anchor certificate is published via DNS,
 * we may need to use it to validate the server trust chain.
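Review bot: After `EVP_PKEY_free(k);` in the new public-key check, `k` is left as a dangling non-null pointer instead of being reset, even though the declaration this commit moves into the loop body documents that OpenSSL reuses `*k` whenever `k != 0` — the same hazard the commit fixes for the cross-iteration case. The per-iteration declaration covers the next RR, but if any later code in the same iteration passes `&k` to a d2i call (the "x 1 0" key path is not visible in this hunk), OpenSSL would be handed freed memory; resetting the pointer removes that dependence on control flow. Change the line to `EVP_PKEY_free(k); k = 0;` (or leave `k` alone and use a separate local for the temporary key, e.g. `EVP_PKEY *pk = X509_get_pubkey(x)`), so the "reuse if non-null" contract can never be triggered by a stale value. The body of parse_tlsa_rrs starts and ends outside this hunk, so the later uses of `k` and `x` could not be checked here.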