From 520ad2ab5cabc33dbf989d47cbdbc233caa0d007 Mon Sep 17 00:00:00 2001
From: Wietse Venema
Date: Fri, 24 Jul 2020 00:00:00 -0500
Subject: [PATCH] postfix-3.5.5
---
 postfix/HISTORY | 18 ++++++++++++++++++
 postfix/src/global/mail_version.h | 4 ++--
 postfix/src/tls/tls_client.c | 5 +++++
 postfix/src/tls/tls_misc.c | 18 ++++++++++++++++++
 postfix/src/tls/tls_server.c | 5 +++++
 5 files changed, 48 insertions(+), 2 deletions(-)
diff --git a/postfix/HISTORY b/postfix/HISTORY
index d32f78adf..55ea702fa 100644
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -24791,3 +24791,21 @@ Apologies for any names omitted.
 for the expanded CNAME. Therefore, sending the correct SNI name should not break existing mail flows. Fixed by Viktor Dukhovni. File: src/tls/tls_client.c.
+
+20200710
+
+ Bugfix (introduced: Postfix 3.0): minor memory leaks in the
+ Postfix TLS library, found during tests. File: tls/tls_misc.c.
+
+20200712
+
+ Bugfix (introduced: Postfix 3.0): 4kbyte per session memory
+ leak in the Postfix TLS library, found during tests. File:
+ tls/tls_misc.c.
+
+20200724
+
+ Workaround for distros that override Postfix protocol
+ settings in a system-wide OpenSSL configuration file, causing
+ interoperability problems after an OS update. File:
+ tls/tls_client.c, tls/tls_server.c.
diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h
index 102edce3c..d266de25a 100644
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,8 +20,8 @@
 * Patches change both the patchlevel and the release date. Snapshots have no
 * patchlevel; they change the release date only.
 */
-#define MAIL_RELEASE_DATE "20200627"
-#define MAIL_VERSION_NUMBER "3.5.4"
+#define MAIL_RELEASE_DATE "20200724"
+#define MAIL_VERSION_NUMBER "3.5.5"
 #ifdef SNAPSHOT
 #define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE
diff --git a/postfix/src/tls/tls_client.c b/postfix/src/tls/tls_client.c
index 2ef055368..135cea4b2 100644
--- a/postfix/src/tls/tls_client.c
+++ b/postfix/src/tls/tls_client.c
@@ -409,6 +409,11 @@ TLS_APPL_STATE *tls_client_init(const TLS_CLIENT_INIT_PROPS *props)
 off |= tls_bug_bits();
 SSL_CTX_set_options(client_ctx, off);
+ /* Enable all supported protocols */
+#if OPENSSL_VERSION_NUMBER >= 0x1010000fUL
+ SSL_CTX_set_min_proto_version(client_ctx, 0);
+#endif
+
 /*
 * Set the call-back routine for verbose logging.
 */
diff --git a/postfix/src/tls/tls_misc.c b/postfix/src/tls/tls_misc.c
index 24d8be5c7..94e356b47 100644
--- a/postfix/src/tls/tls_misc.c
+++ b/postfix/src/tls/tls_misc.c
@@ -922,6 +922,8 @@ void tls_get_signature_params(TLS_SESS_STATE *TLScontext)
 */
 if (SSL_get_signature_nid(ssl, &nid) && nid != NID_undef)
 locl_sig_dgst = OBJ_nid2sn(nid);
+
+ X509_free(cert);
 }
 /* Signature algorithms for the peer end of the connection */
 if ((cert = SSL_get_peer_certificate(ssl)) != 0) {
@@ -1158,6 +1160,22 @@ void tls_free_context(TLS_SESS_STATE *TLScontext)
 myfree(TLScontext->peer_cert_fprint);
 if (TLScontext->peer_pkey_fprint)
 myfree(TLScontext->peer_pkey_fprint);
+ if (TLScontext->kex_name)
+ myfree((void *) TLScontext->kex_name);
+ if (TLScontext->kex_curve)
+ myfree((void *) TLScontext->kex_curve);
+ if (TLScontext->clnt_sig_name)
+ myfree((void *) TLScontext->clnt_sig_name);
+ if (TLScontext->clnt_sig_curve)
+ myfree((void *) TLScontext->clnt_sig_curve);
+ if (TLScontext->clnt_sig_dgst)
+ myfree((void *) TLScontext->clnt_sig_dgst);
+ if (TLScontext->srvr_sig_name)
+ myfree((void *) TLScontext->srvr_sig_name);
+ if (TLScontext->srvr_sig_curve)
+ myfree((void *) TLScontext->srvr_sig_curve);
+ if (TLScontext->srvr_sig_dgst)
+ myfree((void *) TLScontext->srvr_sig_dgst);
 if (TLScontext->errorcert)
 X509_free(TLScontext->errorcert);
 if (TLScontext->untrusted)
diff --git a/postfix/src/tls/tls_server.c b/postfix/src/tls/tls_server.c
index 0b81d2b64..6d709c8bf 100644
--- a/postfix/src/tls/tls_server.c
+++ b/postfix/src/tls/tls_server.c
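Review bot: `SSL_CTX_set_min_proto_version(client_ctx, 0)` lowers the context's protocol floor to whatever the library was built with, so from this line on the context itself admits every version OpenSSL still compiles in, and the one-line comment should say why that is acceptable here rather than just "enable all". The `off |= tls_bug_bits()` line above suggests `off` carries only bug-workaround bits, so Postfix's real floor must come from the protocol mask it applies outside this hunk (I am inferring that from the surrounding code); I would expand the comment to `/* Undo any MinProtocol floor from the system-wide openssl.cnf; Postfix applies its own protocol mask separately. */`. Only the minimum is reset: a system openssl.cnf that also sets `MaxProtocol` would still cap the ceiling, so a matching `SSL_CTX_set_max_proto_version(client_ctx, 0);` under the same `#if` may be wanted. The identical block added to tls_server.c in the tls_server_init hunk shares both points. tls_client_init begins and ends outside this hunk.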
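Review bot: The new `X509_free(cert)` in the local-certificate block is only correct if `cert` holds a reference this function owns, and the assignment is outside the hunk so the hunk does not show which getter produced it. OpenSSL's `SSL_get_certificate()` returns an internal pointer that must not be freed, whereas `SSL_get_peer_certificate()` (used in the next block) returns a fresh reference; if the local `cert` came from the former, this free drops a reference the SSL context still relies on and later sessions use freed memory. Please confirm the getter and record the ownership at the free, e.g. `/* cert is our own reference (see the assignment above), so release it here. */`. tls_get_signature_params begins and ends outside this hunk.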
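Review bot: Each of the eight new frees casts away `const` (`myfree((void *) TLScontext->kex_name)`), which tells the reader these fields are declared `const char *` yet own heap storage, and that mismatch makes it easy to overlook that they need freeing. A short comment at the first of them would make ownership explicit, e.g. `/* kex_*, clnt_sig_* and srvr_sig_* are owned copies; release them here. */` — I am inferring that the copies are made by tls_get_signature_params() from the earlier hunk, so adjust if they originate elsewhere. Longer term, declaring the fields as `char *` in TLS_SESS_STATE (outside this diff) would remove the casts and let them be freed exactly like `peer_cert_fprint` above. tls_free_context begins and ends outside this hunk.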
@@ -527,6 +527,11 @@ TLS_APPL_STATE *tls_server_init(const TLS_SERVER_INIT_PROPS *props)
 SSL_CTX_set_options(server_ctx, off);
+ /* Enable all supported protocols */
+#if OPENSSL_VERSION_NUMBER >= 0x1010000fUL
+ SSL_CTX_set_min_proto_version(server_ctx, 0);
+#endif
+
 /*
 * Global protocol selection.
 */
-- 
2.47.3