From: Wietse Venema The set of characters that can separate a user name from its
-address extension (user+foo). See canonical(5), local(8), relocated(5)
-and virtual(5) for the effects this has on aliases, canonical,
-virtual, and relocated lookups. Basically, the software tries
-user+foo and .forward+foo before trying user and .forward. This implementation recognizes one delimiter character per email
-address, and one address extension per email address.
When the recipient_delimiter set contains multiple characters -(Postfix 2.11 and later), a user name is separated from its address -extension by the first character that matches the recipient_delimiter -set.
+(Postfix 2.11 and later), a user name or .forward file name is +separated from its extension by the first character that matches +the recipient_delimiter set. + +See canonical(5), local(8), relocated(5) and virtual(5) for the +effects of recipient_delimiter on lookups in aliases, canonical, +virtual, and relocated maps, and see the propagate_unmatched_extensions +parameter for propagating an extension from one email address to +another.
When used in command_execution_directory, forward_path, or -luser_relay, ${recipient_delimiter} is replaced -with the recipient delimiter that was found in the recipient email -address (Postfix 2.11 and later), or it is replaced with the main.cf +luser_relay, ${recipient_delimiter} is replaced with the actual +recipient delimiter that was found in the recipient email address +(Postfix 2.11 and later), or it is replaced with the main.cf recipient_delimiter parameter value (Postfix 2.10 and earlier).
diff --git a/postfix/html/smtpd.8.html b/postfix/html/smtpd.8.html index fe7f16152..c44cbe969 100644 --- a/postfix/html/smtpd.8.html +++ b/postfix/html/smtpd.8.html @@ -725,7 +725,7 @@ SMTPD(8) SMTPD(8) The Internet protocols Postfix will attempt to use when making or accepting connections. - local_recipient_maps (proxy:unix:passwd.byname + local_recipient_maps (proxy:unix:passwd.byname $alias_maps) Lookup tables with all names or addresses of local recipients: a recipient address is local when its @@ -1287,7 +1287,9 @@ SMTPD(8) SMTPD(8) recipient_delimiter (empty) The set of characters that can separate a user name - from its address extension (user+foo). + from its extension (example: user+foo), or a .for- + ward file name from its extension (example: .for- + ward+foo). smtpd_banner ($myhostname ESMTP $mail_name) The text that follows the 220 status code in the diff --git a/postfix/html/trivial-rewrite.8.html b/postfix/html/trivial-rewrite.8.html index e417e9d08..4d2fdac3d 100644 --- a/postfix/html/trivial-rewrite.8.html +++ b/postfix/html/trivial-rewrite.8.html @@ -138,7 +138,9 @@ TRIVIAL-REWRITE(8) TRIVIAL-REWRITE(8) recipient_delimiter (empty) The set of characters that can separate a user name - from its address extension (user+foo). + from its extension (example: user+foo), or a .for- + ward file name from its extension (example: .for- + ward+foo). swap_bangpath (yes) Enable the rewriting of "site!user" into diff --git a/postfix/makedefs b/postfix/makedefs index ad82b1193..8cf414f87 100644 --- a/postfix/makedefs +++ b/postfix/makedefs @@ -201,7 +201,7 @@ case "$SYSTEM.$RELEASE" in ;; SunOS.5*) SYSTYPE=SUNOS5 RANLIB=echo - SYSLIBS="-lresolv -lsocket -lnsl" + SYSLIBS="-lresolv -lsocket -lnsl -ldl" # Stock awk breaks with >10 files. test -x /usr/xpg4/bin/awk && AWK=/usr/xpg4/bin/awk # Solaris 2.5 added usleep(), POSIX regexp, POSIX getpwnam/uid_r diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5 index b989d556a..a46106d64 100644 
--- a/postfix/man/man5/postconf.5 +++ b/postfix/man/man5/postconf.5 
@@ -5131,23 +5131,27 @@ recipient_canonical_maps = hash:/etc/postfix/recipient_canonical .ft R .SH recipient_delimiter (default: empty) The set of characters that can separate a user name from its -address extension (user+foo). See \fBcanonical\fR(5), \fBlocal\fR(8), \fBrelocated\fR(5) -and \fBvirtual\fR(5) for the effects this has on aliases, canonical, -virtual, and relocated lookups. Basically, the software tries -user+foo and .forward+foo before trying user and .forward. -.PP -This implementation recognizes one delimiter character per email -address, and one address extension per email address. +extension (example: user+foo), or a .forward file name from its +extension (example: .forward+foo). Basically, the software tries +user+foo and .forward+foo before trying user and .forward. This +implementation recognizes one delimiter character and one extension +per email address or .forward file name. .PP When the recipient_delimiter set contains multiple characters -(Postfix 2.11 and later), a user name is separated from its address -extension by the first character that matches the recipient_delimiter -set. +(Postfix 2.11 and later), a user name or .forward file name is +separated from its extension by the first character that matches +the recipient_delimiter set. +.PP +See \fBcanonical\fR(5), \fBlocal\fR(8), \fBrelocated\fR(5) and \fBvirtual\fR(5) for the +effects of recipient_delimiter on lookups in aliases, canonical, +virtual, and relocated maps, and see the propagate_unmatched_extensions +parameter for propagating an extension from one email address to +another. 
.PP When used in command_execution_directory, forward_path, or -luser_relay, ${recipient_delimiter} is replaced -with the recipient delimiter that was found in the recipient email -address (Postfix 2.11 and later), or it is replaced with the main.cf +luser_relay, ${recipient_delimiter} is replaced with the actual +recipient delimiter that was found in the recipient email address +(Postfix 2.11 and later), or it is replaced with the main.cf recipient_delimiter parameter value (Postfix 2.10 and earlier). .PP The recipient_delimiter is not applied to the mailer-daemon diff --git a/postfix/man/man8/local.8 b/postfix/man/man8/local.8 index b872ce6fe..fb50757e3 100644 --- a/postfix/man/man8/local.8 +++ b/postfix/man/man8/local.8 @@ -576,7 +576,8 @@ key to the lookup result. The location of the Postfix top-level queue directory. .IP "\fBrecipient_delimiter (empty)\fR" The set of characters that can separate a user name from its -address extension (user+foo). +extension (example: user+foo), or a .forward file name from its +extension (example: .forward+foo). .IP "\fBrequire_home_directory (no)\fR" Require that a \fBlocal\fR(8) recipient's home directory exists before mail delivery is attempted. diff --git a/postfix/man/man8/pipe.8 b/postfix/man/man8/pipe.8 index dc594a814..41d515964 100644 --- a/postfix/man/man8/pipe.8 +++ b/postfix/man/man8/pipe.8 @@ -417,7 +417,8 @@ The process name of a Postfix command or daemon process. The location of the Postfix top-level queue directory. .IP "\fBrecipient_delimiter (empty)\fR" The set of characters that can separate a user name from its -address extension (user+foo). +extension (example: user+foo), or a .forward file name from its +extension (example: .forward+foo). .IP "\fBsyslog_facility (mail)\fR" The syslog facility of Postfix logging. .IP "\fBsyslog_name (see 'postconf -d' output)\fR" diff --git a/postfix/man/man8/smtpd.8 b/postfix/man/man8/smtpd.8 index 3651a0538..ec95a4bca 100644 --- a/postfix/man/man8/smtpd.8 
+++ b/postfix/man/man8/smtpd.8 @@ -1009,7 +1009,8 @@ The process name of a Postfix command or daemon process. The location of the Postfix top-level queue directory. .IP "\fBrecipient_delimiter (empty)\fR" The set of characters that can separate a user name from its -address extension (user+foo). +extension (example: user+foo), or a .forward file name from its +extension (example: .forward+foo). .IP "\fBsmtpd_banner ($myhostname ESMTP $mail_name)\fR" The text that follows the 220 status code in the SMTP greeting banner. diff --git a/postfix/man/man8/trivial-rewrite.8 b/postfix/man/man8/trivial-rewrite.8 index ff0b25a99..27a7bb3f8 100644 --- a/postfix/man/man8/trivial-rewrite.8 +++ b/postfix/man/man8/trivial-rewrite.8 @@ -135,7 +135,8 @@ With locally submitted mail, append the string ".$mydomain" to addresses that have no ".domain" information. .IP "\fBrecipient_delimiter (empty)\fR" The set of characters that can separate a user name from its -address extension (user+foo). +extension (example: user+foo), or a .forward file name from its +extension (example: .forward+foo). .IP "\fBswap_bangpath (yes)\fR" Enable the rewriting of "site!user" into "user@site". .PP diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto index faebacf63..b4204fc6c 100644 --- a/postfix/proto/postconf.proto +++ b/postfix/proto/postconf.proto @@ -3505,23 +3505,27 @@ recipient_canonical_maps = hash:/etc/postfix/recipient_canonical %PARAM recipient_delimiterThe set of characters that can separate a user name from its -address extension (user+foo). See canonical(5), local(8), relocated(5) -and virtual(5) for the effects this has on aliases, canonical, -virtual, and relocated lookups. Basically, the software tries -user+foo and .forward+foo before trying user and .forward.
- -This implementation recognizes one delimiter character per email -address, and one address extension per email address.
+extension (example: user+foo), or a .forward file name from its +extension (example: .forward+foo). Basically, the software tries +user+foo and .forward+foo before trying user and .forward. This +implementation recognizes one delimiter character and one extension +per email address or .forward file name.When the recipient_delimiter set contains multiple characters -(Postfix 2.11 and later), a user name is separated from its address -extension by the first character that matches the recipient_delimiter -set.
+(Postfix 2.11 and later), a user name or .forward file name is +separated from its extension by the first character that matches +the recipient_delimiter set. + +See canonical(5), local(8), relocated(5) and virtual(5) for the +effects of recipient_delimiter on lookups in aliases, canonical, +virtual, and relocated maps, and see the propagate_unmatched_extensions +parameter for propagating an extension from one email address to +another.
When used in command_execution_directory, forward_path, or -luser_relay, ${recipient_delimiter} is replaced -with the recipient delimiter that was found in the recipient email -address (Postfix 2.11 and later), or it is replaced with the main.cf +luser_relay, ${recipient_delimiter} is replaced with the actual +recipient delimiter that was found in the recipient email address +(Postfix 2.11 and later), or it is replaced with the main.cf recipient_delimiter parameter value (Postfix 2.10 and earlier).
diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index 32071c698..c0bd20eef 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,7 +20,7 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20131210" +#define MAIL_RELEASE_DATE "20131214" #define MAIL_VERSION_NUMBER "2.11" #ifdef SNAPSHOT diff --git a/postfix/src/local/local.c b/postfix/src/local/local.c index 32da88bca..4b69a3032 100644 --- a/postfix/src/local/local.c +++ b/postfix/src/local/local.c @@ -532,7 +532,8 @@ /* The location of the Postfix top-level queue directory. /* .IP "\fBrecipient_delimiter (empty)\fR" /* The set of characters that can separate a user name from its -/* address extension (user+foo). +/* extension (example: user+foo), or a .forward file name from its +/* extension (example: .forward+foo). /* .IP "\fBrequire_home_directory (no)\fR" /* Require that a \fBlocal\fR(8) recipient's home directory exists /* before mail delivery is attempted. diff --git a/postfix/src/pipe/pipe.c b/postfix/src/pipe/pipe.c index 6c4da668c..b2e59e105 100644 --- a/postfix/src/pipe/pipe.c +++ b/postfix/src/pipe/pipe.c @@ -395,7 +395,8 @@ /* The location of the Postfix top-level queue directory. /* .IP "\fBrecipient_delimiter (empty)\fR" /* The set of characters that can separate a user name from its -/* address extension (user+foo). +/* extension (example: user+foo), or a .forward file name from its +/* extension (example: .forward+foo). /* .IP "\fBsyslog_facility (mail)\fR" /* The syslog facility of Postfix logging. /* .IP "\fBsyslog_name (see 'postconf -d' output)\fR" diff --git a/postfix/src/smtpd/smtpd.c b/postfix/src/smtpd/smtpd.c index c3cc37c68..08aa2e2b4 100644 --- a/postfix/src/smtpd/smtpd.c +++ b/postfix/src/smtpd/smtpd.c 
@@ -953,7 +953,8 @@ /* The location of the Postfix top-level queue directory. /* .IP "\fBrecipient_delimiter (empty)\fR" /* The set of characters that can separate a user name from its -/* address extension (user+foo). +/* extension (example: user+foo), or a .forward file name from its +/* extension (example: .forward+foo). /* .IP "\fBsmtpd_banner ($myhostname ESMTP $mail_name)\fR" /* The text that follows the 220 status code in the SMTP greeting /* banner. diff --git a/postfix/src/tls/tls_dane.c b/postfix/src/tls/tls_dane.c index b6a78e92f..199b06c0c 100644 --- a/postfix/src/tls/tls_dane.c +++ b/postfix/src/tls/tls_dane.c @@ -1345,26 +1345,30 @@ int tls_dane_match(TLS_SESS_STATE *TLScontext, int usage, return (matched); } +/* push_ext - push extension onto certificate's stack, else free it */ + +static int push_ext(X509 *cert, X509_EXTENSION *ext) +{ + x509_extension_stack_t *exts; + + if (ext) { + if ((exts = cert->cert_info->extensions) == 0) + exts = cert->cert_info->extensions = sk_X509_EXTENSION_new_null(); + if (exts && sk_X509_EXTENSION_push(exts, ext)) + return 1; + X509_EXTENSION_free(ext); + } + return 0; +} + /* add_ext - add simple extension (no config section references) */ static int add_ext(X509 *issuer, X509 *subject, int ext_nid, char *ext_val) { X509V3_CTX v3ctx; - X509_EXTENSION *ext; - x509_extension_stack_t *exts; X509V3_set_ctx(&v3ctx, issuer, subject, 0, 0, 0); - if ((exts = subject->cert_info->extensions) == 0) - exts = subject->cert_info->extensions = sk_X509_EXTENSION_new_null(); - if (!exts) - return (0); - - if ((ext = X509V3_EXT_conf_nid(0, &v3ctx, ext_nid, ext_val)) != 0 - && sk_X509_EXTENSION_push(exts, ext)) - return (1); - if (ext) - X509_EXTENSION_free(ext); - return (0); + return push_ext(subject, X509V3_EXT_conf_nid(0, &v3ctx, ext_nid, ext_val)); } /* set_serial - set serial number to match akid or use subject's plus 1 */ 
@@ -1397,6 +1401,7 @@ static int add_akid(X509 *cert, AUTHORITY_KEYID *akid) { ASN1_STRING *id; unsigned char c = 0; + int nid = NID_authority_key_identifier; int ret = 0; /* @@ -1413,7 +1418,7 @@ static int add_akid(X509 *cert, AUTHORITY_KEYID *akid) if ((akid = AUTHORITY_KEYID_new()) != 0 && (akid->keyid = ASN1_OCTET_STRING_new()) != 0 && M_ASN1_OCTET_STRING_set(akid->keyid, (void *) &c, 1) - && X509_add1_ext_i2d(cert, NID_authority_key_identifier, akid, 0, 0)) + && X509_add1_ext_i2d(cert, nid, akid, 0, X509V3_ADD_DEFAULT) > 0) ret = 1; if (akid) AUTHORITY_KEYID_free(akid); @@ -1424,20 +1429,12 @@ static int add_akid(X509 *cert, AUTHORITY_KEYID *akid) static int add_skid(X509 *cert, AUTHORITY_KEYID *akid) { - int ret; + int nid = NID_subject_key_identifier; - if (akid && akid->keyid) { - VSTRING *hexid = vstring_alloc(2 * EVP_MAX_MD_SIZE); - ASN1_STRING *id = (ASN1_STRING *) (akid->keyid); - - hex_encode(hexid, (char *) M_ASN1_STRING_data(id), - M_ASN1_STRING_length(id)); - ret = add_ext(0, cert, NID_subject_key_identifier, STR(hexid)); - vstring_free(hexid); - } else { - ret = add_ext(0, cert, NID_subject_key_identifier, "hash"); - } - return (ret); + if (!akid || !akid->keyid) + return add_ext(0, cert, nid, "hash"); + else + return X509_add1_ext_i2d(cert, nid, akid, 0, X509V3_ADD_DEFAULT) > 0; } /* akid_issuer_name - get akid issuer directory name */ 
@@ -1473,33 +1470,44 @@ static int set_issuer_name(X509 *cert, AUTHORITY_KEYID *akid) return (X509_set_issuer_name(cert, X509_get_subject_name(cert))); } -/* grow_chain - add certificate to chain */ +/* grow_chain - add certificate to trusted or untrusted chain */ -static void grow_chain(x509_stack_t **skptr, X509 *cert, ASN1_OBJECT *trust) +static void grow_chain(TLS_SESS_STATE *TLScontext, int trusted, X509 *cert) { - if (!*skptr && (*skptr = sk_X509_new_null()) == 0) + x509_stack_t **xs = trusted ? &TLScontext->trusted : &TLScontext->untrusted; + +#define UNTRUSTED 0 +#define TRUSTED 1 + + if (!*xs && (*xs = sk_X509_new_null()) == 0) msg_fatal("out of memory"); if (cert) { - if (trust && !X509_add1_trust_object(cert, trust)) + if (trusted && !X509_add1_trust_object(cert, serverAuth)) msg_fatal("out of memory"); CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509); - if (!sk_X509_push(*skptr, cert)) + if (!sk_X509_push(*xs, cert)) msg_fatal("out of memory"); } } /* wrap_key - wrap TA "key" as issuer of "subject" */ -static int wrap_key(TLS_SESS_STATE *TLScontext, int depth, - EVP_PKEY *key, X509 *subject) +static void wrap_key(TLS_SESS_STATE *TLScontext, int depth, + EVP_PKEY *key, X509 *subject) { - int ret = 1; - int selfsigned = 0; X509 *cert = 0; AUTHORITY_KEYID *akid; X509_NAME *name = X509_get_issuer_name(subject); X509_NAME *akid_name; + /* + * The subject name is never a NULL object unless we run out of memory. + * It may be an empty sequence, but the containing object always exists + * and its storage is owned by the certificate itself. + */ + if (name == 0 || (cert = X509_new()) == 0) + msg_fatal("Out of memory"); + /* * Record the depth of the intermediate wrapper certificate, logged in * the verify callback. 
@@ -1510,22 +1518,16 @@ static int wrap_key(TLS_SESS_STATE *TLScontext, int depth, msg_info("%s: depth=%d chain is trust-anchor signed", TLScontext->namaddr, depth); } + akid = X509_get_ext_d2i(subject, NID_authority_key_identifier, 0, 0); + + ERR_clear_error(); /* * If key is NULL generate a self-signed root CA, with key "danekey", * otherwise an intermediate CA signed by above. + * + * CA cert valid for +/- 30 days. */ - if ((cert = X509_new()) == 0) - return (0); - - akid = X509_get_ext_d2i(subject, NID_authority_key_identifier, 0, 0); - if ((akid_name = akid_issuer_name(akid)) == 0 - || X509_NAME_cmp(name, akid_name) == 0) - selfsigned = 1; - - ERR_clear_error(); - - /* CA cert valid for +/- 30 days */ if (!X509_set_version(cert, 2) || !set_serial(cert, akid, subject) || !X509_set_subject_name(cert, name) 
@@ -1534,41 +1536,35 @@ static int wrap_key(TLS_SESS_STATE *TLScontext, int depth, || !X509_gmtime_adj(X509_get_notAfter(cert), 30 * 86400L) || !X509_set_pubkey(cert, key ? key : danekey) || !add_ext(0, cert, NID_basic_constraints, "CA:TRUE") - || (key && !selfsigned && !add_akid(cert, akid)) + || (key && !add_akid(cert, akid)) || !add_skid(cert, akid) - || (wrap_signed - && (!X509_sign(cert, danekey, signmd) - || (key && !selfsigned - && !wrap_key(TLScontext, depth + 1, 0, cert))))) { - msg_warn("error generating DANE wrapper certificate"); + || (wrap_signed && !X509_sign(cert, danekey, signmd))) { tls_print_errors(); - ret = 0; + msg_fatal("error generating DANE wrapper certificate"); } if (akid) AUTHORITY_KEYID_free(akid); - if (ret) { - if (key && !selfsigned && wrap_signed) - grow_chain(&TLScontext->untrusted, cert, 0); - else - grow_chain(&TLScontext->trusted, cert, serverAuth); - } + if (key && wrap_signed) { + wrap_key(TLScontext, depth + 1, 0, cert); + grow_chain(TLScontext, UNTRUSTED, cert); + } else + grow_chain(TLScontext, TRUSTED, cert); if (cert) X509_free(cert); - return (ret); } -/* wrap_cert - wrap "tacert" as issuer of "subject" */ +/* wrap_cert - wrap "tacert" as trust-anchor. */ -static int wrap_cert(TLS_SESS_STATE *TLScontext, int depth, - X509 *tacert, X509 *subject) +static void wrap_cert(TLS_SESS_STATE *TLScontext, X509 *tacert, int depth) { - int ret = 1; X509 *cert; int len; unsigned char *asn1; unsigned char *buf; - TLScontext->tadepth = depth; + if (TLScontext->tadepth < 0) + TLScontext->tadepth = depth + 1; + if (TLScontext->log_mask & (TLS_LOG_VERBOSE | TLS_LOG_CERTMATCH)) msg_info("%s: depth=%d trust-anchor certificate", TLScontext->namaddr, depth); 
@@ -1576,10 +1572,9 @@ static int wrap_cert(TLS_SESS_STATE *TLScontext, int depth, /* * If the TA certificate is self-issued, use it directly. */ - if (!wrap_signed - || X509_check_issued(tacert, tacert) == X509_V_OK) { - grow_chain(&TLScontext->trusted, tacert, serverAuth); - return (ret); + if (!wrap_signed || X509_check_issued(tacert, tacert) == X509_V_OK) { + grow_chain(TLScontext, TRUSTED, tacert); + return; } /* Deep-copy tacert by converting to ASN.1 and back */ len = i2d_X509(tacert, NULL); @@ -1594,17 +1589,15 @@ static int wrap_cert(TLS_SESS_STATE *TLScontext, int depth, msg_panic("d2i_X509 failed to decode TA certificate"); myfree((char *) asn1); - grow_chain(&TLScontext->untrusted, cert, 0); + grow_chain(TLScontext, UNTRUSTED, cert); /* Sign and wrap TA cert with internal "danekey" */ - if (!X509_sign(cert, danekey, signmd) - || !wrap_key(TLScontext, depth + 1, danekey, cert)) { - msg_warn("error generating DANE wrapper certificate"); + if (!X509_sign(cert, danekey, signmd)) { tls_print_errors(); - ret = 0; + msg_fatal("error generating DANE wrapper certificate"); } + wrap_key(TLScontext, depth + 1, danekey, cert); X509_free(cert); - return (ret); } /* ta_signed - is certificate signed by a TLSA cert or pkey */ @@ -1629,8 +1622,8 @@ static int ta_signed(TLS_SESS_STATE *TLScontext, X509 *cert, int depth) if ((pk = X509_get_pubkey(x->cert)) == 0) continue; /* Check signature, since some other TA may work if not this. */ - if (X509_verify(cert, pk) > 0) - done = wrap_cert(TLScontext, depth + 1, x->cert, cert); + if ((done = (X509_verify(cert, pk) > 0)) != 0) + wrap_cert(TLScontext, x->cert, depth); EVP_PKEY_free(pk); } } 
@@ -1651,10 +1644,15 @@ static int ta_signed(TLS_SESS_STATE *TLScontext, X509 *cert, int depth) * ASN1 tag and length thus also excluding the unused bits field that is * logically part of the length). However, some CAs have a non-standard * authority keyid, so we lose. Too bad. + * + * This may push errors onto the stack when the certificate signature is not + * of the right type or length, throw these away. */ for (k = dane->pkeys; !done && k; k = k->next) - if (X509_verify(cert, k->pkey) > 0) - done = wrap_key(TLScontext, depth, k->pkey, cert); + if ((done = (X509_verify(cert, k->pkey) > 0)) != 0) + wrap_key(TLScontext, depth, k->pkey, cert); + else + ERR_clear_error(); return (done); } @@ -1704,7 +1702,7 @@ static void set_trust(TLS_SESS_STATE *TLScontext, X509_STORE_CTX *ctx) if (match) { switch (match) { case MATCHED_CERT: - wrap_cert(TLScontext, depth, ca, cert); + wrap_cert(TLScontext, ca, depth); break; case MATCHED_PKEY: if ((takey = X509_get_pubkey(ca)) == 0) @@ -1719,7 +1717,7 @@ static void set_trust(TLS_SESS_STATE *TLScontext, X509_STORE_CTX *ctx) break; } /* Add untrusted ca. */ - grow_chain(&TLScontext->untrusted, ca, 0); + grow_chain(TLScontext, UNTRUSTED, ca); /* Final untrusted self-signed element? */ if (X509_check_issued(ca, ca) == X509_V_OK) { @@ -1738,7 +1736,7 @@ static void set_trust(TLS_SESS_STATE *TLScontext, X509_STORE_CTX *ctx) */ if (!cert || !ta_signed(TLScontext, cert, depth)) { /* Create empty trust list if null, else NOP */ - grow_chain(&TLScontext->trusted, 0, 0); + grow_chain(TLScontext, TRUSTED, 0); } /* shallow free */ if (in) 
@@ -1767,11 +1765,12 @@ static int dane_cb(X509_STORE_CTX *ctx, void *app_ctx) * Empty untrusted chain, could be NULL, but then ABI check less * reliable, we may zero some other field, ... */ - grow_chain(&TLScontext->untrusted, 0, 0); - if (tls_dane_match(TLScontext, TLS_DANE_TA, cert, 0)) - grow_chain(&TLScontext->trusted, cert, serverAuth); - else - grow_chain(&TLScontext->trusted, 0, 0); + grow_chain(TLScontext, UNTRUSTED, 0); + if (tls_dane_match(TLScontext, TLS_DANE_TA, cert, 0)) { + TLScontext->tadepth = 0; + grow_chain(TLScontext, TRUSTED, cert); + } else + grow_chain(TLScontext, TRUSTED, 0); } else { set_trust(TLScontext, ctx); } diff --git a/postfix/src/tls/tls_server.c b/postfix/src/tls/tls_server.c index f6de965c2..2e74132b8 100644 --- a/postfix/src/tls/tls_server.c +++ b/postfix/src/tls/tls_server.c @@ -183,8 +183,8 @@ static SSL_SESSION *get_server_session_cb(SSL *ssl, unsigned char *session_id, do { \ buf = vstring_alloc(2 * (len + strlen(service))); \ hex_encode(buf, (char *) (id), (len)); \ - vstring_sprintf_append(buf, "&s=%s", (service)); \ - vstring_sprintf_append(buf, "&l=%ld", (long) SSLeay()); \ + vstring_sprintf_append(buf, "&s=%s", (service)); \ + vstring_sprintf_append(buf, "&l=%ld", (long) SSLeay()); \ } while (0) diff --git a/postfix/src/trivial-rewrite/trivial-rewrite.c b/postfix/src/trivial-rewrite/trivial-rewrite.c index c5dbe0663..e3889ac24 100644 --- a/postfix/src/trivial-rewrite/trivial-rewrite.c +++ b/postfix/src/trivial-rewrite/trivial-rewrite.c @@ -115,7 +115,8 @@ /* addresses that have no ".domain" information. /* .IP "\fBrecipient_delimiter (empty)\fR" /* The set of characters that can separate a user name from its -/* address extension (user+foo). +/* extension (example: user+foo), or a .forward file name from its +/* extension (example: .forward+foo). /* .IP "\fBswap_bangpath (yes)\fR" /* Enable the rewriting of "site!user" into "user@site". /* .PP
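Review bot: The makedefs SunOS.5* hunk adds `-ldl` to SYSLIBS with no explanation of which component now needs the dynamic loader; the neighbouring `# Stock awk breaks with >10 files.` line shows the convention, so a one-line comment naming the consumer of `-ldl` would keep this maintainable when the platform list is next revised.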
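Review bot: In the tls_dane.c @@ -1345 hunk, the new push_ext() reaches into `cert->cert_info->extensions` and manipulates the STACK_OF(X509_EXTENSION) by hand; OpenSSL exposes the same operation through `X509_add_ext(cert, ext, -1)`, which keeps the code independent of struct layout, so consider using the accessor (it copies the extension, so the caller would then free `ext` on both the success and the failure path). The function is otherwise correct as written: a NULL extension returns 0 without touching the stack, and a failed allocation or push frees the extension it was handed, which is what makes the one-liner in add_ext() safe.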
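Review bot: In the @@ -1424 hunk, add_skid() now calls `X509_add1_ext_i2d(cert, nid, akid, 0, X509V3_ADD_DEFAULT)` with `nid = NID_subject_key_identifier`, but the value for a subject-key-identifier extension is an ASN1_OCTET_STRING, not an AUTHORITY_KEYID; the removed code encoded `akid->keyid`, and that is the value the else branch should pass: `return X509_add1_ext_i2d(cert, nid, akid->keyid, 0, X509V3_ADD_DEFAULT) > 0;`. As written the encoder interprets an AUTHORITY_KEYID through an octet-string pointer, so the wrapper's SKID will not carry the identifier that the subject's AKID refers to, which defeats the purpose of this branch. The `> 0` comparison itself is right, since X509_add1_ext_i2d returns -1 when the extension is already present under X509V3_ADD_DEFAULT.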
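Review bot: In the @@ -1473 hunk, `#define UNTRUSTED 0` and `#define TRUSTED 1` are introduced inside the body of grow_chain(), after the `trusted` parameter they give meaning to and out of sight of the callers in wrap_key(), wrap_cert(), set_trust() and dane_cb() that use them; move the two defines to file scope next to grow_chain() so the flag values are documented where the function is declared. Minor: the new check `if (name == 0 || (cert = X509_new()) == 0) msg_fatal("Out of memory");` capitalises the message while the three `msg_fatal("out of memory")` calls in grow_chain() just above do not.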
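Review bot: The @@ -1510 hunk removes the `selfsigned` computation that was the only use of `akid_name` (`if ((akid_name = akid_issuer_name(akid)) == 0 || X509_NAME_cmp(name, akid_name) == 0) selfsigned = 1;`), yet the `X509_NAME *akid_name;` declaration remains among wrap_key()'s locals in the hunk above; drop it to avoid an unused-variable warning and to make clear that the self-signed case is no longer distinguished here.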
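Review bot: In the @@ -1534 hunk, replacing `msg_warn("error generating DANE wrapper certificate"); ... ret = 0;` with `msg_fatal(...)` means that a failure in set_serial(), add_akid() or add_skid(), whose inputs come from the subject certificate's AKID extension read via X509_get_ext_d2i() in this same function, now terminates the process instead of failing verification for the session; a malformed peer certificate should at most make this DANE verification fail, so consider keeping the warn-and-fail path for those three calls and reserving msg_fatal() for X509_new() and the other out-of-memory cases. Two smaller points in the same hunk: `if (cert) X509_free(cert);` no longer needs the guard, because cert is guaranteed non-NULL by the msg_fatal() check added above; and wrap_cert() now records `TLScontext->tadepth = depth + 1` while the msg_info line immediately below still logs `depth=%d` with `depth`, and the set_trust() call site changes from `wrap_cert(TLScontext, depth, ca, cert)` to `wrap_cert(TLScontext, ca, depth)`, so the recorded trust-anchor depth on that path shifts by one relative to the old code. If the shift is intended, a comment stating what tadepth counts (the matched certificate or its issuer) would prevent the next reader from "fixing" it.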