Prereq: "3.1.1"
diff -cr --new-file /var/tmp/postfix-3.1.1/src/global/mail_version.h ./src/global/mail_version.h
*** /var/tmp/postfix-3.1.1/src/global/mail_version.h	2016-05-15 12:56:21.000000000 -0400
--- ./src/global/mail_version.h	2016-08-27 17:51:27.000000000 -0400
***************
*** 20,27 ****
    * Patches change both the patchlevel and the release date. Snapshots have no
    * patchlevel; they change the release date only.
    */
! #define MAIL_RELEASE_DATE	"20160515"
! #define MAIL_VERSION_NUMBER	"3.1.1"
  
  #ifdef SNAPSHOT
  #define MAIL_VERSION_DATE	"-" MAIL_RELEASE_DATE
--- 20,27 ----
    * Patches change both the patchlevel and the release date. Snapshots have no
    * patchlevel; they change the release date only.
    */
! #define MAIL_RELEASE_DATE	"20160828"
! #define MAIL_VERSION_NUMBER	"3.1.2"
  
  #ifdef SNAPSHOT
  #define MAIL_VERSION_DATE	"-" MAIL_RELEASE_DATE
diff -cr --new-file /var/tmp/postfix-3.1.1/HISTORY ./HISTORY
*** /var/tmp/postfix-3.1.1/HISTORY	2016-05-15 13:10:24.000000000 -0400
--- ./HISTORY	2016-08-27 19:50:23.000000000 -0400
***************
*** 22216,22218 ****
--- 22216,22238 ----
  20160515
  
  	Portability: OpenBSD 6.0. Files: makedefs, util/sys_defs.h.
+ 
+ 20160819
+ 
+ 	Bugfix (introduced: Postfix 3.0): the makedefs script ignored
+ 	readme_directory=pathname overrides. Fix by Todd C. Olson.
+ 	File: makedefs.
+ 
+ 20160821
+ 
+ 	Bugfix (introduced: Postfix 3.0): the tls_session_ticket_cipher
+ 	documentation says aes-256-cbc, but the implementation was
+ 	using aes-128-cbc (note that Postfix SMTP server and client
+ 	processes have a limited life time).
+ 
+ 20160828
+ 
+ 	Bitrot: fixes for incompatible OpenSSL 1.1.0 API changes.
+ 	Viktor Dukhovni.  Files: posttls-finger/posttls-finger.c,
+ 	tls/tls.h, tls/tls_dane.c, tls/tls_verify.c, tls/tls_server.c,
+ 	tls/tls_client.c.
diff -cr --new-file /var/tmp/postfix-3.1.1/makedefs ./makedefs
*** /var/tmp/postfix-3.1.1/makedefs	2016-05-15 12:39:11.000000000 -0400
--- ./makedefs	2016-08-19 20:08:42.000000000 -0400
***************
*** 962,968 ****
  manpage_directory_macro=DEF_MANPAGE_DIR
  readme_directory_macro=DEF_README_DIR
  
! for parm_name in html_directory manpage_directory
  do
      eval parm_val=\"\$$parm_name\"
      eval parm_macro=\"\$${parm_name}_macro\"
--- 962,968 ----
  manpage_directory_macro=DEF_MANPAGE_DIR
  readme_directory_macro=DEF_README_DIR
  
! for parm_name in html_directory manpage_directory readme_directory
  do
      eval parm_val=\"\$$parm_name\"
      eval parm_macro=\"\$${parm_name}_macro\"
diff -cr --new-file /var/tmp/postfix-3.1.1/src/global/mail_params.h ./src/global/mail_params.h
*** /var/tmp/postfix-3.1.1/src/global/mail_params.h	2016-01-31 16:05:46.000000000 -0500
--- ./src/global/mail_params.h	2016-08-20 09:17:27.000000000 -0400
***************
*** 3206,3212 ****
  extern char *var_tls_ssl_options;
  
  #define VAR_TLS_TKT_CIPHER	"tls_session_ticket_cipher"
! #define DEF_TLS_TKT_CIPHER	"aes-128-cbc"
  extern char *var_tls_tkt_cipher;
  
  #define VAR_TLS_BC_PKEY_FPRINT	"tls_legacy_public_key_fingerprints"
--- 3206,3212 ----
  extern char *var_tls_ssl_options;
  
  #define VAR_TLS_TKT_CIPHER	"tls_session_ticket_cipher"
! #define DEF_TLS_TKT_CIPHER	"aes-256-cbc"
  extern char *var_tls_tkt_cipher;
  
  #define VAR_TLS_BC_PKEY_FPRINT	"tls_legacy_public_key_fingerprints"
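Review bot: Raising `DEF_TLS_TKT_CIPHER` to aes-256-cbc doubles the key length the session-ticket callback must supply (16 to 32 bytes), and the hunk shows only the define, so confirm that the ticket-key buffer and its generation are sized from the cipher (e.g. via `EVP_CIPHER_key_length()`) rather than a fixed 16 bytes; otherwise the stronger cipher would be fed a short key. Since this is a compiled-in default, every site that never set `tls_session_ticket_cipher` changes behaviour on upgrade without a configuration edit, which is worth stating in the release notes and not only in HISTORY. The HISTORY entry's remark that exposure is bounded by the limited lifetime of SMTP server and client processes is the relevant mitigation for tickets already issued under the old cipher.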
diff -cr --new-file /var/tmp/postfix-3.1.1/src/posttls-finger/posttls-finger.c ./src/posttls-finger/posttls-finger.c
*** /var/tmp/postfix-3.1.1/src/posttls-finger/posttls-finger.c	2016-01-04 07:26:16.000000000 -0500
--- ./src/posttls-finger/posttls-finger.c	2016-08-27 16:27:50.000000000 -0400
***************
*** 1511,1517 ****
      return (0);
  }
  
! #ifdef USE_TLS
  
  /* ssl_cleanup - free memory allocated in the OpenSSL library */
  
--- 1511,1517 ----
      return (0);
  }
  
! #if defined(USE_TLS) && OPENSSL_VERSION_NUMBER < 0x10100000L
  
  /* ssl_cleanup - free memory allocated in the OpenSSL library */
  
***************
*** 1529,1535 ****
      CRYPTO_cleanup_all_ex_data();
  }
  
! #endif
  
  /* run - do what we were asked to do. */
  
--- 1529,1536 ----
      CRYPTO_cleanup_all_ex_data();
  }
  
! #endif					/* USE_TLS && OPENSSL_VERSION_NUMBER
! 					 * < 0x10100000L */
  
  /* run - do what we were asked to do. */
  
***************
*** 1955,1961 ****
  
      /* Be valgrind friendly and clean-up */
      cleanup(&state);
! #ifdef USE_TLS
      ssl_cleanup();
  #endif
  
--- 1956,1964 ----
  
      /* Be valgrind friendly and clean-up */
      cleanup(&state);
! 
!     /* OpenSSL 1.1.0 and later (de)initialization is implicit */
! #if defined(USE_TLS) && OPENSSL_VERSION_NUMBER < 0x10100000L
      ssl_cleanup();
  #endif
  
diff -cr --new-file /var/tmp/postfix-3.1.1/src/tls/tls.h ./src/tls/tls.h
*** /var/tmp/postfix-3.1.1/src/tls/tls.h	2016-02-06 15:09:41.000000000 -0500
--- ./src/tls/tls.h	2016-08-27 16:27:50.000000000 -0400
***************
*** 93,99 ****
  #define OpenSSL_version_num SSLeay
  #define OpenSSL_version SSLeay_version
  #define OPENSSL_VERSION SSLEAY_VERSION
! #define X509_up_ref(x) CRYPTO_add(&((x)->references), 1, CRYPTO_LOCK_X509)
  #endif
  
  /* SSL_CIPHER_get_name() got constified in 0.9.7g */
--- 93,109 ----
  #define OpenSSL_version_num SSLeay
  #define OpenSSL_version SSLeay_version
  #define OPENSSL_VERSION SSLEAY_VERSION
! #define X509_up_ref(x) \
! 	CRYPTO_add(&((x)->references), 1, CRYPTO_LOCK_X509)
! #define EVP_PKEY_up_ref(k) \
! 	CRYPTO_add(&((k)->references), 1, CRYPTO_LOCK_EVP_PKEY)
! #define X509_STORE_CTX_get0_cert(ctx) ((ctx)->cert)
! #define X509_STORE_CTX_get0_untrusted(ctx) ((ctx)->untrusted)
! #define X509_STORE_CTX_set0_untrusted X509_STORE_CTX_set_chain
! #define X509_STORE_CTX_set0_trusted_stack X509_STORE_CTX_trusted_stack
! #define ASN1_STRING_get0_data ASN1_STRING_data
! #define X509_getm_notBefore X509_get_notBefore
! #define X509_getm_notAfter X509_get_notAfter
  #endif
  
  /* SSL_CIPHER_get_name() got constified in 0.9.7g */
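Review bot: The new compatibility macros from `X509_STORE_CTX_get0_cert` through `X509_getm_notAfter` carry no comment, so a reader must already know that they back-port OpenSSL 1.1.0 names onto the pre-1.1.0 structures; a one-liner above `X509_up_ref` such as `/* Emulate the OpenSSL 1.1.0 accessor and refcount API on older releases */` would say that. Note also that `ASN1_STRING_get0_data` here expands to `ASN1_STRING_data`, which returns a non-const pointer, so a caller that discards the qualifier still compiles against old OpenSSL and only breaks on 1.1.0 where the real function returns `const unsigned char *`; callers should be written against the const signature, as the tls_verify.c hunk in this patch does. The enclosing `#if` block starts before the hunk.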
diff -cr --new-file /var/tmp/postfix-3.1.1/src/tls/tls_client.c ./src/tls/tls_client.c
*** /var/tmp/postfix-3.1.1/src/tls/tls_client.c	2016-01-31 16:05:46.000000000 -0500
--- ./src/tls/tls_client.c	2016-08-27 16:27:50.000000000 -0400
***************
*** 299,304 ****
--- 299,306 ----
       */
      tls_check_version();
  
+ #if OPENSSL_VERSION_NUMBER < 0x10100000L
+ 
      /*
       * Initialize the OpenSSL library by the book! To start with, we must
       * initialize the algorithms. We want cleartext error messages instead of
***************
*** 306,311 ****
--- 308,314 ----
       */
      SSL_load_error_strings();
      OpenSSL_add_ssl_algorithms();
+ #endif
  
      /*
       * Create an application data index for SSL objects, so that we can
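Review bot: The `#endif` added after `OpenSSL_add_ssl_algorithms();` is bare, while its matching `#if OPENSSL_VERSION_NUMBER < 0x10100000L` from the previous hunk is separated from it by a multi-line comment; posttls-finger.c in this same patch annotates its closing directive, so for consistency write `#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */`. The same applies to the identical bare `#endif` lines added in tls_dane.c's test main and in tls_server.c's initialization. The enclosing function continues beyond the hunk.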
***************
*** 363,369 ****
  	tls_print_errors();
  	return (0);
      }
- 
  #ifdef SSL_SECOP_PEER
      /* Backwards compatible security as a base for opportunistic TLS. */
      SSL_CTX_set_security_level(client_ctx, 0);
--- 366,371 ----
diff -cr --new-file /var/tmp/postfix-3.1.1/src/tls/tls_dane.c ./src/tls/tls_dane.c
*** /var/tmp/postfix-3.1.1/src/tls/tls_dane.c	2015-10-31 20:24:04.000000000 -0400
--- ./src/tls/tls_dane.c	2016-08-27 16:27:50.000000000 -0400
***************
*** 573,579 ****
  {
      TLS_PKEYS *new = (TLS_PKEYS *) mymalloc(sizeof(*new));
  
!     CRYPTO_add(&k->references, 1, CRYPTO_LOCK_EVP_PKEY);
      new->pkey = k;
      new->next = d->pkeys;
      d->pkeys = new;
--- 573,579 ----
  {
      TLS_PKEYS *new = (TLS_PKEYS *) mymalloc(sizeof(*new));
  
!     EVP_PKEY_up_ref(k);
      new->pkey = k;
      new->next = d->pkeys;
      d->pkeys = new;
***************
*** 1465,1471 ****
       * self-signature checks!
       */
      id = ((akid && akid->keyid) ? akid->keyid : 0);
!     if (id && ASN1_STRING_length(id) == 1 && *ASN1_STRING_data(id) == c)
  	c = 1;
  
      if ((akid = AUTHORITY_KEYID_new()) != 0
--- 1465,1471 ----
       * self-signature checks!
       */
      id = ((akid && akid->keyid) ? akid->keyid : 0);
!     if (id && ASN1_STRING_length(id) == 1 && *ASN1_STRING_get0_data(id) == c)
  	c = 1;
  
      if ((akid = AUTHORITY_KEYID_new()) != 0
***************
*** 1583,1592 ****
       */
      if (!X509_set_version(cert, 2)
  	|| !set_serial(cert, akid, subject)
- 	|| !X509_set_subject_name(cert, name)
  	|| !set_issuer_name(cert, akid)
! 	|| !X509_gmtime_adj(X509_get_notBefore(cert), -30 * 86400L)
! 	|| !X509_gmtime_adj(X509_get_notAfter(cert), 30 * 86400L)
  	|| !X509_set_pubkey(cert, key ? key : signkey)
  	|| !add_ext(0, cert, NID_basic_constraints, "CA:TRUE")
  	|| (key && !add_akid(cert, akid))
--- 1583,1592 ----
       */
      if (!X509_set_version(cert, 2)
  	|| !set_serial(cert, akid, subject)
  	|| !set_issuer_name(cert, akid)
! 	|| !X509_gmtime_adj(X509_getm_notBefore(cert), -30 * 86400L)
! 	|| !X509_gmtime_adj(X509_getm_notAfter(cert), 30 * 86400L)
! 	|| !X509_set_subject_name(cert, name)
  	|| !X509_set_pubkey(cert, key ? key : signkey)
  	|| !add_ext(0, cert, NID_basic_constraints, "CA:TRUE")
  	|| (key && !add_akid(cert, akid))
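Review bot: Moving `X509_set_subject_name(cert, name)` from before `set_issuer_name` to after the notBefore/notAfter calls is not an API rename like the rest of the patch, and nothing in the hunk says why the order matters; a short comment on the moved line, e.g. `/* subject name after issuer and validity: <reason> */` with the real reason filled in, would save the next reader from guessing. If the order is not significant, the move is a gratuitous diff and could be dropped. The enclosing function body continues outside the hunk.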
***************
*** 1720,1727 ****
      int     depth = 0;
      EVP_PKEY *takey;
      X509   *ca;
!     X509   *cert = ctx->cert;		/* XXX: Accessor? */
!     x509_stack_t *in = ctx->untrusted;	/* XXX: Accessor? */
  
      /* shallow copy */
      if ((in = sk_X509_dup(in)) == 0)
--- 1720,1727 ----
      int     depth = 0;
      EVP_PKEY *takey;
      X509   *ca;
!     X509   *cert = X509_STORE_CTX_get0_cert(ctx);
!     x509_stack_t *in = X509_STORE_CTX_get0_untrusted(ctx);
  
      /* shallow copy */
      if ((in = sk_X509_dup(in)) == 0)
***************
*** 1802,1808 ****
  {
      const char *myname = "dane_cb";
      TLS_SESS_STATE *TLScontext = (TLS_SESS_STATE *) app_ctx;
!     X509   *cert = ctx->cert;		/* XXX: accessor? */
  
      /*
       * Degenerate case: depth 0 self-signed cert.
--- 1802,1808 ----
  {
      const char *myname = "dane_cb";
      TLS_SESS_STATE *TLScontext = (TLS_SESS_STATE *) app_ctx;
!     X509   *cert = X509_STORE_CTX_get0_cert(ctx);
  
      /*
       * Degenerate case: depth 0 self-signed cert.
***************
*** 1832,1840 ****
       * Check that setting the untrusted chain updates the expected structure
       * member at the expected offset.
       */
!     X509_STORE_CTX_trusted_stack(ctx, TLScontext->trusted);
!     X509_STORE_CTX_set_chain(ctx, TLScontext->untrusted);
!     if (ctx->untrusted != TLScontext->untrusted)
  	msg_panic("%s: OpenSSL ABI change", myname);
  
      return X509_verify_cert(ctx);
--- 1832,1840 ----
       * Check that setting the untrusted chain updates the expected structure
       * member at the expected offset.
       */
!     X509_STORE_CTX_set0_trusted_stack(ctx, TLScontext->trusted);
!     X509_STORE_CTX_set0_untrusted(ctx, TLScontext->untrusted);
!     if (X509_STORE_CTX_get0_untrusted(ctx) != TLScontext->untrusted)
  	msg_panic("%s: OpenSSL ABI change", myname);
  
      return X509_verify_cert(ctx);
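Review bot: The comment just above this hunk still says the code checks that setting the untrusted chain "updates the expected structure member at the expected offset", but with `X509_STORE_CTX_set0_untrusted()` and `X509_STORE_CTX_get0_untrusted()` the code no longer touches a structure member, so the wording no longer describes what is verified. Suggested rewording: `Check that the accessor returns the untrusted chain we just installed; a mismatch indicates an OpenSSL API/ABI change.` The `msg_panic` text itself remains accurate. The enclosing function starts before the hunk.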
***************
*** 2163,2170 ****
--- 2163,2172 ----
      tls_param_init();
      tls_check_version();
  
+ #if OPENSSL_VERSION_NUMBER < 0x10100000L
      SSL_load_error_strings();
      SSL_library_init();
+ #endif
  
      if (!tls_validate_digest(LN_sha1))
  	msg_fatal("%s digest algorithm not available", LN_sha1);
diff -cr --new-file /var/tmp/postfix-3.1.1/src/tls/tls_server.c ./src/tls/tls_server.c
*** /var/tmp/postfix-3.1.1/src/tls/tls_server.c	2016-01-31 16:05:46.000000000 -0500
--- ./src/tls/tls_server.c	2016-08-27 16:27:50.000000000 -0400
***************
*** 173,181 ****
  
  #endif					/* OPENSSL_VERSION_NUMBER */
  
  /* get_server_session_cb - callback to retrieve session from server cache */
  
! static SSL_SESSION *get_server_session_cb(SSL *ssl, unsigned char *session_id,
  					          int session_id_length,
  					          int *unused_copy)
  {
--- 173,190 ----
  
  #endif					/* OPENSSL_VERSION_NUMBER */
  
+  /* OpenSSL 1.1.0 bitrot */
+ #if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ typedef const unsigned char *session_id_t;
+ 
+ #else
+ typedef unsigned char *session_id_t;
+ 
+ #endif
+ 
  /* get_server_session_cb - callback to retrieve session from server cache */
  
! static SSL_SESSION *get_server_session_cb(SSL *ssl, session_id_t session_id,
  					          int session_id_length,
  					          int *unused_copy)
  {
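Review bot: The new `/* OpenSSL 1.1.0 bitrot */` comment is indented by one space while the other file-scope comment in the hunk (`/* get_server_session_cb - ... */`) starts in column 0, and it does not say what changed; suggest, at column 0, `/* OpenSSL 1.1.0 made the session-id argument of the session-cache get callback const */`. The blank lines before `#else` and `#endif` inside the typedef block could also go. get_server_session_cb's body continues beyond the hunk.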
***************
*** 368,373 ****
--- 377,384 ----
       */
      tls_check_version();
  
+ #if OPENSSL_VERSION_NUMBER < 0x10100000L
+ 
      /*
       * Initialize the OpenSSL library by the book! To start with, we must
       * initialize the algorithms. We want cleartext error messages instead of
***************
*** 375,380 ****
--- 386,392 ----
       */
      SSL_load_error_strings();
      OpenSSL_add_ssl_algorithms();
+ #endif
  
      /*
       * First validate the protocols. If these are invalid, we can't continue.
***************
*** 445,451 ****
  	tls_print_errors();
  	return (0);
      }
- 
  #ifdef SSL_SECOP_PEER
      /* Backwards compatible security as a base for opportunistic TLS. */
      SSL_CTX_set_security_level(server_ctx, 0);
--- 457,462 ----
***************
*** 758,764 ****
  	tls_free_context(TLScontext);
  	return (0);
      }
- 
  #ifdef SSL_SECOP_PEER
      /* When authenticating the peer, use 80-bit plus OpenSSL security level */
      if (props->requirecert)
--- 769,774 ----
***************
*** 896,905 ****
  	X509_free(peer);
  
  	/*
! 	 * Give them a clue. Problems with trust chain verification are logged
! 	 * when the session is first negotiated, before the session is stored
! 	 * into the cache. We don't want mystery failures, so log the fact the
! 	 * real problem is to be found in the past.
  	 */
  	if (!TLS_CERT_IS_TRUSTED(TLScontext)
  	    && (TLScontext->log_mask & TLS_LOG_UNTRUSTED)) {
--- 906,915 ----
  	X509_free(peer);
  
  	/*
! 	 * Give them a clue. Problems with trust chain verification are
! 	 * logged when the session is first negotiated, before the session is
! 	 * stored into the cache. We don't want mystery failures, so log the
! 	 * fact the real problem is to be found in the past.
  	 */
  	if (!TLS_CERT_IS_TRUSTED(TLScontext)
  	    && (TLScontext->log_mask & TLS_LOG_UNTRUSTED)) {
diff -cr --new-file /var/tmp/postfix-3.1.1/src/tls/tls_verify.c ./src/tls/tls_verify.c
*** /var/tmp/postfix-3.1.1/src/tls/tls_verify.c	2015-10-31 20:24:04.000000000 -0400
--- ./src/tls/tls_verify.c	2016-08-27 16:27:50.000000000 -0400
***************
*** 440,446 ****
      /*
       * Safe to treat as an ASCII string possibly holding a DNS name
       */
!     dnsname = (char *) ASN1_STRING_data(gn->d.ia5);
      len = ASN1_STRING_length(gn->d.ia5);
      TRIM0(dnsname, len);
  
--- 440,446 ----
      /*
       * Safe to treat as an ASCII string possibly holding a DNS name
       */
!     dnsname = (const char *) ASN1_STRING_get0_data(gn->d.ia5);
      len = ASN1_STRING_length(gn->d.ia5);
      TRIM0(dnsname, len);
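Review bot: The assignment now casts to `(const char *)`, but `dnsname`'s declaration is outside the hunk; if it is still `char *`, the assignment discards the qualifier and warns under `-Wdiscarded-qualifiers`, and the old `(char *)` cast of the 1.1.0 `const unsigned char *` return would have been a silent const-cast. Confirm the declaration was changed to `const char *dnsname` and that `TRIM0(dnsname, len)` only reads through the pointer, which is presumably the case since it adjusts `len`. The enclosing function continues outside the hunk.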