From: Wietse Venema Date: Sun, 26 Jul 2020 05:00:00 +0000 (-0500) Subject: postfix-3.4.16 X-Git-Tag: v3.4.16^0 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=be0db5030ed76af323b62682b952fbbc5ccb1028;p=thirdparty%2Fpostfix.git postfix-3.4.16
---
diff --git a/postfix/HISTORY b/postfix/HISTORY
index d532ee9d4..be605681c 100644
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -24484,3 +24484,13 @@ Apologies for any names omitted. settings in a system-wide OpenSSL configuration file, causing interoperability problems after an OS update. File: tls/tls_client.c, tls/tls_server.c. + +20200726 + + Bugfix (introduced: Postfix 3.4.15): part of a memory leak fix was backported to the wrong place. File: tls/tls_misc.c. + + The Postfix 3.4.15 workaround did not explictly override the system-wide OpenSSL configuration of allowed TLS protocol versions, for sessions where the remote SMTP client sends SNI. It's better to be safe than sorry. File: tls/tls_server.c.
diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h
index 8fcc05351..00829b66f 100644
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,8 +20,8 @@
 * Patches change both the patchlevel and the release date. Snapshots have no
 * patchlevel; they change the release date only.
 */
-#define MAIL_RELEASE_DATE "20200724"
-#define MAIL_VERSION_NUMBER "3.4.15"
+#define MAIL_RELEASE_DATE "20200726"
+#define MAIL_VERSION_NUMBER "3.4.16"
 
 #ifdef SNAPSHOT
 #define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE
diff --git a/postfix/src/tls/tls_misc.c b/postfix/src/tls/tls_misc.c
index 3ecaa0537..b313a3c24 100644
--- a/postfix/src/tls/tls_misc.c
+++ b/postfix/src/tls/tls_misc.c
@@ -923,8 +923,6 @@ void tls_get_signature_params(TLS_SESS_STATE *TLScontext)
 */
 if (SSL_get_signature_nid(ssl, &nid) && nid != NID_undef)
 locl_sig_dgst = OBJ_nid2sn(nid);
-
- X509_free(cert);
 }
 /* Signature algorithms for the peer end of the connection */
 if ((cert = SSL_get_peer_certificate(ssl)) != 0) {
@@ -966,6 +964,8 @@ void tls_get_signature_params(TLS_SESS_STATE *TLScontext)
 */
 if (SSL_get_peer_signature_nid(ssl, &nid) && nid != NID_undef)
 peer_sig_dgst = OBJ_nid2sn(nid);
+
+ X509_free(cert);
 }
 if (kex_name) {
 TLScontext->kex_name = mystrdup(kex_name);
diff --git a/postfix/src/tls/tls_server.c b/postfix/src/tls/tls_server.c
index 3d814f9d4..236f7859d 100644
--- a/postfix/src/tls/tls_server.c
+++ b/postfix/src/tls/tls_server.c
@@ -530,6 +530,7 @@ TLS_APPL_STATE *tls_server_init(const TLS_SERVER_INIT_PROPS *props)
 /* Enable all supported protocols */
 #if OPENSSL_VERSION_NUMBER >= 0x1010000fUL
 SSL_CTX_set_min_proto_version(server_ctx, 0);
+ SSL_CTX_set_min_proto_version(sni_ctx, 0);
 #endif
 
 /*
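Review bot: The `X509_free(cert)` added at the end of the peer-certificate block in the second tls_misc.c hunk has no comment saying why the release belongs here and not in the local-certificate block the first hunk removes it from, and that is exactly the distinction the mis-backport in 3.4.15 got wrong. `SSL_get_peer_certificate()`, visible on the context line, returns a reference the caller owns; the earlier block's `cert` (its origin is outside the hunk, presumably `SSL_get_certificate()`) is borrowed from the SSL object, so freeing it there releases a reference Postfix never held and leaves the SSL object holding a dangling certificate pointer that later sessions in the same process may touch. Suggested comment above the added line: `/* SSL_get_peer_certificate() bumps the refcount, so release our reference here; SSL_get_certificate() does not, so the local cert is never freed. */`. Since `cert` is reused for both lookups and `OBJ_nid2sn()` returns a static string, placing the free as the last statement of the `if` block is correct and nothing read after it depends on `cert`. `tls_get_signature_params()` starts and ends outside both hunks.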
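Review bot: The new `SSL_CTX_set_min_proto_version(sni_ctx, 0)` resets only the lower protocol bound for the SNI context; if `server_ctx` also receives a `SSL_CTX_set_max_proto_version(server_ctx, 0)` further down (outside this hunk), the same call is needed for `sni_ctx`, otherwise a `MaxProtocol` setting in the system-wide OpenSSL configuration still caps SNI sessions while the default context ignores it, which is the inconsistency the HISTORY entry is trying to close. The existing comment should also state why the override is repeated, e.g. `/* Enable all supported protocols. Each SSL_CTX presumably inherits the system-wide openssl.cnf defaults, so sni_ctx needs the same override as server_ctx. */`. Whether `sni_ctx` is guaranteed non-NULL at this point is not visible in the hunk; if it can still be unset here, the new call needs a guard. `tls_server_init()` continues outside the hunk.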