From: Wietse Venema Date: Tue, 28 Jul 2020 05:00:00 +0000 (-0500) Subject: postfix-3.6-20200728 X-Git-Tag: v3.6.0-RC1~26 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b9340f4f205342632f6198c56c6ba9b4064f021e;p=thirdparty%2Fpostfix.git postfix-3.6-20200728 --- diff --git a/postfix/HISTORY b/postfix/HISTORY index e141ce9c8..b458e055d 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -25023,3 +25023,29 @@ Apologies for any names omitted. OpenSSL configuration of allowed TLS protocol versions, for sessions where the remote SMTP client sends SNI. File: tls/tls_server.c. + +20200726 + + Code health: the tls_get_signature_params() function reused + variable names for different objects that have up to three + different life-cycle management models. To avoid more + accidents we now use distinct names for distinct purposes. + File: tls/tls_misc.c. + +20200727 + + Code health: inet_proto_info() should return a const pointer. + This is global data that callers should not change. Files: + cleanup/cleanup_milter.c, global/haproxy_srvr.c, + global/mynetworks.c, global/normalize_mailhost_addr.c, + global/own_inet_addr.c, postscreen/postscreen_endpt.c, + posttls-finger/posttls-finger.c, qmqpd/qmqpd_peer.c, + smtpd/smtpd_check.c, smtpd/smtpd_peer.c, smtp/smtp_addr.c, + smtpstone/smtp-sink.c, util/inet_addr_host.c, + util/inet_addr_list.c, util/inet_addr_local.c, util/inet_connect.c, + util/inet_listen.c, util/inet_proto.c, util/inet_proto.h. + +20200728 + + Code health: deleted a mis-spelled macro from code and + documentation. Files: bounce/bounce_template.[hc]. diff --git a/postfix/src/bounce/bounce_template.c b/postfix/src/bounce/bounce_template.c index e54082dff..e7dc4968b 100644 --- a/postfix/src/bounce/bounce_template.c +++ b/postfix/src/bounce/bounce_template.c 
@@ -44,7 +44,6 @@ /* int IS_FAILURE_TEMPLATE(template) /* int IS_DELAY_TEMPLATE(template) /* int IS_SUCCESS_TEMPLATE(template) -/* int IS_VERIFY_TEMPLATE(template) /* BOUNCE_TEMPLATE *template; /* DESCRIPTION /* This module implements the built-in and external bounce diff --git a/postfix/src/bounce/bounce_template.h b/postfix/src/bounce/bounce_template.h index 9bec42973..10359d429 100644 --- a/postfix/src/bounce/bounce_template.h +++ b/postfix/src/bounce/bounce_template.h @@ -45,7 +45,6 @@ typedef struct BOUNCE_TEMPLATE { #define IS_FAILURE_TEMPLATE(t) ((t)->class[0] == BOUNCE_TMPL_CLASS_FAILURE[0]) #define IS_DELAY_TEMPLATE(t) ((t)->class[0] == BOUNCE_TMPL_CLASS_DELAY[0]) #define IS_SUCCESS_TEMPLATE(t) ((t)->class[0] == BOUNCE_TMPL_CLASS_SUCCESS[0]) -#define IS_VERIFY_TEMPLATE(t) ((t)->class[0] == BOUNCE_TMPL_CLASS_verify[0]) #define bounce_template_encoding(t) ((t)->mime_encoding) #define bounce_template_charset(t) ((t)->mime_charset) diff --git a/postfix/src/cleanup/cleanup_milter.c b/postfix/src/cleanup/cleanup_milter.c index 1424880e2..fb0fdaf5a 100644 --- a/postfix/src/cleanup/cleanup_milter.c +++ b/postfix/src/cleanup/cleanup_milter.c @@ -2077,7 +2077,7 @@ static const char *cleanup_milter_apply(CLEANUP_STATE *state, const char *event, static void cleanup_milter_client_init(CLEANUP_STATE *state) { - static INET_PROTO_INFO *proto_info; + static const INET_PROTO_INFO *proto_info; const char *proto_attr; /* diff --git a/postfix/src/global/haproxy_srvr.c b/postfix/src/global/haproxy_srvr.c index 2455835ca..2c849d76c 100644 --- a/postfix/src/global/haproxy_srvr.c +++ b/postfix/src/global/haproxy_srvr.c @@ -165,7 +165,7 @@ struct proxy_hdr_v2 { * End protocol v2 definitions from haproxy/include/types/connection.h. */ -static INET_PROTO_INFO *proto_info; +static const INET_PROTO_INFO *proto_info; #define STR_OR_NULL(str) ((str) ? (str) : "(null)") diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index b5d6870c5..c74927ffb 100644 
--- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,7 +20,7 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20200725" +#define MAIL_RELEASE_DATE "20200728" #define MAIL_VERSION_NUMBER "3.6" #ifdef SNAPSHOT diff --git a/postfix/src/global/normalize_mailhost_addr.c b/postfix/src/global/normalize_mailhost_addr.c index d60135f2e..640b4f377 100644 --- a/postfix/src/global/normalize_mailhost_addr.c +++ b/postfix/src/global/normalize_mailhost_addr.c @@ -79,7 +79,7 @@ int normalize_mailhost_addr(const char *string, char **mailhost_addr, char **bare_addr, int *addr_family) { const char myname[] = "normalize_mailhost_addr"; - INET_PROTO_INFO *proto_info = inet_proto_info(); + const INET_PROTO_INFO *proto_info = inet_proto_info(); struct addrinfo *res = 0; MAI_HOSTADDR_STR hostaddr; const char *valid_addr; /* IPv6:fc00::1 */ diff --git a/postfix/src/postscreen/postscreen_endpt.c b/postfix/src/postscreen/postscreen_endpt.c index 335c511d0..36949e32f 100644 --- a/postfix/src/postscreen/postscreen_endpt.c +++ b/postfix/src/postscreen/postscreen_endpt.c @@ -108,7 +108,7 @@ #include #include -static INET_PROTO_INFO *proto_info; +static const INET_PROTO_INFO *proto_info; /* psc_sockaddr_to_hostaddr - transform endpoint address and port to string */ diff --git a/postfix/src/posttls-finger/posttls-finger.c b/postfix/src/posttls-finger/posttls-finger.c index c8d4cc46b..c6041f428 100644 --- a/postfix/src/posttls-finger/posttls-finger.c +++ b/postfix/src/posttls-finger/posttls-finger.c @@ -1164,7 +1164,7 @@ static DNS_RR *addr_one(STATE *state, DNS_RR *addr_list, const char *host, int aierr; struct addrinfo *res0; struct addrinfo *res; - INET_PROTO_INFO *proto_info = inet_proto_info(); + const INET_PROTO_INFO *proto_info = inet_proto_info(); int found; if (msg_verbose) 
diff --git a/postfix/src/qmqpd/qmqpd_peer.c b/postfix/src/qmqpd/qmqpd_peer.c index 384988d3d..07d4792b4 100644 --- a/postfix/src/qmqpd/qmqpd_peer.c +++ b/postfix/src/qmqpd/qmqpd_peer.c @@ -77,7 +77,7 @@ void qmqpd_peer_init(QMQPD_STATE *state) struct sockaddr_storage ss; struct sockaddr *sa; SOCKADDR_SIZE sa_length; - INET_PROTO_INFO *proto_info = inet_proto_info(); + const INET_PROTO_INFO *proto_info = inet_proto_info(); sa = (struct sockaddr *) &ss; sa_length = sizeof(ss); diff --git a/postfix/src/smtp/smtp_addr.c b/postfix/src/smtp/smtp_addr.c index 7111fe433..2b5c126e5 100644 --- a/postfix/src/smtp/smtp_addr.c +++ b/postfix/src/smtp/smtp_addr.c @@ -138,7 +138,7 @@ static DNS_RR *smtp_addr_one(DNS_RR *addr_list, const char *host, int res_opt, int aierr; struct addrinfo *res0; struct addrinfo *res; - INET_PROTO_INFO *proto_info = inet_proto_info(); + const INET_PROTO_INFO *proto_info = inet_proto_info(); unsigned char *proto_family_list = proto_info->sa_family_list; int found; diff --git a/postfix/src/smtpd/smtpd_check.c b/postfix/src/smtpd/smtpd_check.c index 019518258..73b8357c7 100644 --- a/postfix/src/smtpd/smtpd_check.c +++ b/postfix/src/smtpd/smtpd_check.c @@ -1869,7 +1869,7 @@ static int has_my_addr(SMTPD_STATE *state, const char *host, struct addrinfo *res0; int aierr; MAI_HOSTADDR_STR hostaddr; - INET_PROTO_INFO *proto_info = inet_proto_info(); + const INET_PROTO_INFO *proto_info = inet_proto_info(); if (msg_verbose) msg_info("%s: host %s", myname, host); @@ -2982,7 +2982,7 @@ static int check_server_access(SMTPD_STATE *state, const char *table, struct addrinfo *res0; struct addrinfo *res; int status; - INET_PROTO_INFO *proto_info; + const INET_PROTO_INFO *proto_info; /* * Sanity check. diff --git a/postfix/src/smtpd/smtpd_peer.c b/postfix/src/smtpd/smtpd_peer.c index 7a48f8537..b6708afc5 100644 --- a/postfix/src/smtpd/smtpd_peer.c +++ b/postfix/src/smtpd/smtpd_peer.c 
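Review bot: In the smtp_addr.c hunk the new `const` on proto_info protects only the INET_PROTO_INFO struct itself, not the list it points to: the unchanged next line `unsigned char *proto_family_list = proto_info->sa_family_list;` still hands out a writable pointer into the same global data the HISTORY entry says callers should not change. If sa_family_list is a pointer member, as the existing assignment suggests (its declaration is not in this hunk), the local can become `const unsigned char *proto_family_list = proto_info->sa_family_list;` with no other change, which is the declaration that matches the commit's intent. smtp_addr_one's body begins and continues outside the hunk.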
@@ -152,7 +152,7 @@ #include "smtpd.h" -static INET_PROTO_INFO *proto_info; +static const INET_PROTO_INFO *proto_info; /* * XXX If we make local port information available via logging, then we must diff --git a/postfix/src/smtpstone/smtp-sink.c b/postfix/src/smtpstone/smtp-sink.c index cd228b621..2ebff92c9 100644 --- a/postfix/src/smtpstone/smtp-sink.c +++ b/postfix/src/smtpstone/smtp-sink.c @@ -392,7 +392,7 @@ static char *single_template; /* individual template */ static char *shared_template; /* shared template */ static VSTRING *start_string; /* dump content prefix */ -static INET_PROTO_INFO *proto_info; +static const INET_PROTO_INFO *proto_info; #define STR(x) vstring_str(x) diff --git a/postfix/src/tls/tls_misc.c b/postfix/src/tls/tls_misc.c index 190ae600e..55af34d3c 100644 --- a/postfix/src/tls/tls_misc.c +++ b/postfix/src/tls/tls_misc.c @@ -876,8 +876,11 @@ void tls_get_signature_params(TLS_SESS_STATE *TLScontext) int nid; SSL *ssl = TLScontext->con; int srvr = SSL_is_server(ssl); - X509 *cert; - EVP_PKEY *pkey = 0; + EVP_PKEY *dh_pkey = 0; + X509 *local_cert; + EVP_PKEY *local_pkey = 0; + X509 *peer_cert; + EVP_PKEY *peer_pkey = 0; #ifndef OPENSSL_NO_EC EC_KEY *eckey; @@ -889,21 +892,21 @@ void tls_get_signature_params(TLS_SESS_STATE *TLScontext) if (SSL_version(ssl) < TLS1_3_VERSION) return; - if (tls_get_peer_dh_pubkey(ssl, &pkey)) { - switch (nid = EVP_PKEY_id(pkey)) { + if (tls_get_peer_dh_pubkey(ssl, &dh_pkey)) { + switch (nid = EVP_PKEY_id(dh_pkey)) { default: kex_name = OBJ_nid2sn(EVP_PKEY_type(nid)); break; case EVP_PKEY_DH: kex_name = "DHE"; - TLScontext->kex_bits = EVP_PKEY_bits(pkey); + TLScontext->kex_bits = EVP_PKEY_bits(dh_pkey); break; #ifndef OPENSSL_NO_EC case EVP_PKEY_EC: kex_name = "ECDHE"; - eckey = EVP_PKEY_get0_EC_KEY(pkey); + eckey = EVP_PKEY_get0_EC_KEY(dh_pkey); nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(eckey)); kex_curve = EC_curve_nid2nist(nid); if (!kex_curve) 
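Review bot: The new declarations in the tls_misc.c hunk at line 876 give each object its own name but still do not record which of the three ownership models applies, which is exactly the confusion the HISTORY entry describes; a comment per declaration would make the free/no-free rule visible where the variable is introduced rather than several screens below. Suggested: `EVP_PKEY *dh_pkey = 0;	/* owned: EVP_PKEY_free() below */`, `X509 *local_cert;	/* borrowed from ssl: never freed */`, `X509 *peer_cert;	/* owned: X509_free() below */`, plus a note on both *_pkey variables that X509_get0_pubkey() returns a borrowed key. The `/* No X509_free(local_cert) */` comment added later in the same file could then give the reason, namely that SSL_get_certificate() does not take a reference, so a future reader does not "fix" it. tls_get_signature_params continues well past this hunk.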
@@ -911,7 +914,7 @@ void tls_get_signature_params(TLS_SESS_STATE *TLScontext) break; #endif } - EVP_PKEY_free(pkey); + EVP_PKEY_free(dh_pkey); } /* @@ -920,20 +923,20 @@ void tls_get_signature_params(TLS_SESS_STATE *TLScontext) * data on clients requires at least 1.1.1a. */ if (srvr || SSL_get_signature_nid(ssl, &nid)) - cert = SSL_get_certificate(ssl); + local_cert = SSL_get_certificate(ssl); else - cert = 0; + local_cert = 0; /* Signature algorithms for the local end of the connection */ - if (cert) { - pkey = X509_get0_pubkey(cert); + if (local_cert) { + local_pkey = X509_get0_pubkey(local_cert); /* * Override the built-in name for the "ECDSA" algorithms OID, with * the more familiar name. For "RSA" keys report "RSA-PSS", which * must be used with TLS 1.3. */ - if ((nid = EVP_PKEY_type(EVP_PKEY_id(pkey))) != NID_undef) { + if ((nid = EVP_PKEY_type(EVP_PKEY_id(local_pkey))) != NID_undef) { switch (nid) { default: locl_sig_name = OBJ_nid2sn(nid); @@ -942,13 +945,13 @@ void tls_get_signature_params(TLS_SESS_STATE *TLScontext) case EVP_PKEY_RSA: /* For RSA, TLS 1.3 mandates PSS signatures */ locl_sig_name = "RSA-PSS"; - SIG_PROP(TLScontext, srvr, bits) = EVP_PKEY_bits(pkey); + SIG_PROP(TLScontext, srvr, bits) = EVP_PKEY_bits(local_pkey); break; #ifndef OPENSSL_NO_EC case EVP_PKEY_EC: locl_sig_name = "ECDSA"; - eckey = EVP_PKEY_get0_EC_KEY(pkey); + eckey = EVP_PKEY_get0_EC_KEY(local_pkey); nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(eckey)); locl_sig_curve = EC_curve_nid2nist(nid); if (!locl_sig_curve) @@ -956,6 +959,7 @@ void tls_get_signature_params(TLS_SESS_STATE *TLScontext) break; #endif } + /* No X509_free(local_cert) */ } /* 
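Review bot: In the hunk at line 920, `local_pkey = X509_get0_pubkey(local_cert);` is followed unconditionally by `EVP_PKEY_id(local_pkey)`, and X509_get0_pubkey() returns NULL when the certificate's public key cannot be decoded. For a certificate OpenSSL itself loaded the key will already have been decoded, so this is unlikely to fire, but the guard is one line in a path that runs for every TLS 1.3 session: `if (local_cert && (local_pkey = X509_get0_pubkey(local_cert)) != 0) {` with the separate assignment dropped. The peer-certificate hunk at line 970 has the same shape with `peer_cert`/`peer_pkey` and would take the same guard (the X509_free(peer_cert) at the end of that block must still run when the key is NULL, so the guard belongs on the inner `if`, not on the outer one). tls_get_signature_params starts and ends outside these hunks.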
@@ -966,15 +970,15 @@ void tls_get_signature_params(TLS_SESS_STATE *TLScontext) locl_sig_dgst = OBJ_nid2sn(nid); } /* Signature algorithms for the peer end of the connection */ - if ((cert = SSL_get_peer_certificate(ssl)) != 0) { - pkey = X509_get0_pubkey(cert); + if ((peer_cert = SSL_get_peer_certificate(ssl)) != 0) { + peer_pkey = X509_get0_pubkey(peer_cert); /* * Override the built-in name for the "ECDSA" algorithms OID, with * the more familiar name. For "RSA" keys report "RSA-PSS", which * must be used with TLS 1.3. */ - if ((nid = EVP_PKEY_type(EVP_PKEY_id(pkey))) != NID_undef) { + if ((nid = EVP_PKEY_type(EVP_PKEY_id(peer_pkey))) != NID_undef) { switch (nid) { default: peer_sig_name = OBJ_nid2sn(nid); @@ -983,13 +987,13 @@ void tls_get_signature_params(TLS_SESS_STATE *TLScontext) case EVP_PKEY_RSA: /* For RSA, TLS 1.3 mandates PSS signatures */ peer_sig_name = "RSA-PSS"; - SIG_PROP(TLScontext, !srvr, bits) = EVP_PKEY_bits(pkey); + SIG_PROP(TLScontext, !srvr, bits) = EVP_PKEY_bits(peer_pkey); break; #ifndef OPENSSL_NO_EC case EVP_PKEY_EC: peer_sig_name = "ECDSA"; - eckey = EVP_PKEY_get0_EC_KEY(pkey); + eckey = EVP_PKEY_get0_EC_KEY(peer_pkey); nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(eckey)); peer_sig_curve = EC_curve_nid2nist(nid); if (!peer_sig_curve) @@ -1006,7 +1010,7 @@ void tls_get_signature_params(TLS_SESS_STATE *TLScontext) if (SSL_get_peer_signature_nid(ssl, &nid) && nid != NID_undef) peer_sig_dgst = OBJ_nid2sn(nid); - X509_free(cert); + X509_free(peer_cert); } if (kex_name) { TLScontext->kex_name = mystrdup(kex_name); diff --git a/postfix/src/util/inet_addr_host.c b/postfix/src/util/inet_addr_host.c index ea363852e..317ae8595 100644 --- a/postfix/src/util/inet_addr_host.c +++ b/postfix/src/util/inet_addr_host.c 
@@ -68,7 +68,7 @@ int inet_addr_host(INET_ADDR_LIST *addr_list, const char *hostname) const char *hname; const char *serv; int initial_count = addr_list->used; - INET_PROTO_INFO *proto_info; + const INET_PROTO_INFO *proto_info; /* * The use of square brackets around an IPv6 addresses is required, even diff --git a/postfix/src/util/inet_connect.c b/postfix/src/util/inet_connect.c index 51bd13930..eaa272a43 100644 --- a/postfix/src/util/inet_connect.c +++ b/postfix/src/util/inet_connect.c @@ -85,7 +85,7 @@ int inet_connect(const char *addr, int block_mode, int timeout) int aierr; int sock; MAI_HOSTADDR_STR hostaddr; - INET_PROTO_INFO *proto_info; + const INET_PROTO_INFO *proto_info; int found; /* diff --git a/postfix/src/util/inet_listen.c b/postfix/src/util/inet_listen.c index 258f41014..a87497274 100644 --- a/postfix/src/util/inet_listen.c +++ b/postfix/src/util/inet_listen.c @@ -92,7 +92,7 @@ int inet_listen(const char *addr, int backlog, int block_mode) const char *parse_err; MAI_HOSTADDR_STR hostaddr; MAI_SERVPORT_STR portnum; - INET_PROTO_INFO *proto_info; + const INET_PROTO_INFO *proto_info; /* * Translate address information to internal form. diff --git a/postfix/src/util/inet_proto.c b/postfix/src/util/inet_proto.c index d3bf15d70..d4ad47ffa 100644 --- a/postfix/src/util/inet_proto.c +++ b/postfix/src/util/inet_proto.c @@ -15,9 +15,9 @@ /* .in -4 /* } INET_PROTO_INFO; /* -/* INET_PROTO_INFO *inet_proto_init(context, protocols) +/* const INET_PROTO_INFO *inet_proto_init(context, protocols) /* -/* INET_PROTO_INFO *inet_proto_info() +/* const INET_PROTO_INFO *inet_proto_info() /* DESCRIPTION /* inet_proto_init() converts a string with protocol names /* into null-terminated lists of appropriate constants used 
@@ -177,7 +177,7 @@ static void inet_proto_free(INET_PROTO_INFO *pf) /* inet_proto_init - convert protocol names to library inputs */ -INET_PROTO_INFO *inet_proto_init(const char *context, const char *protocols) +const INET_PROTO_INFO *inet_proto_init(const char *context, const char *protocols) { const char *myname = "inet_proto"; INET_PROTO_INFO *pf; diff --git a/postfix/src/util/inet_proto.h b/postfix/src/util/inet_proto.h index 1fcc9db48..68ecce510 100644 --- a/postfix/src/util/inet_proto.h +++ b/postfix/src/util/inet_proto.h @@ -27,10 +27,10 @@ typedef struct { * of a global variable. */ #define inet_proto_info() \ - (inet_proto_table ? inet_proto_table : \ + (inet_proto_table ? (const INET_PROTO_INFO*) inet_proto_table : \ inet_proto_init("default protocol setting", DEF_INET_PROTOCOLS)) -extern INET_PROTO_INFO *inet_proto_init(const char *, const char *); +extern const INET_PROTO_INFO *inet_proto_init(const char *, const char *); extern INET_PROTO_INFO *inet_proto_table; #define INET_PROTO_NAME_IPV6 "ipv6"
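Review bot: In the inet_proto.h hunk the read-only view is only skin deep: `extern INET_PROTO_INFO *inet_proto_table;` is still a non-const pointer that every includer of the header can reach, so code that bypasses the inet_proto_info() macro can mutate the global the HISTORY entry says callers should not change. If inet_proto.c can be adjusted to match (its inet_proto_free() visibly takes a non-const pointer, so the definition site would need an unqualified private alias or a cast), `extern const INET_PROTO_INFO *inet_proto_table;` closes that hole and also makes the `(const INET_PROTO_INFO*)` cast in the macro unnecessary. Even as written the cast is redundant, since C's conditional operator already yields the const-qualified pointer type when the other arm is `const INET_PROTO_INFO *`; if it is kept for readability, the spacing used elsewhere on this page, as in `(struct sockaddr *) &ss`, would be `(const INET_PROTO_INFO *) inet_proto_table`.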