Prereq: "3.5.6"
diff -ur --new-file /var/tmp/postfix-3.5.6/src/global/mail_version.h ./src/global/mail_version.h
--- /var/tmp/postfix-3.5.6/src/global/mail_version.h 2020-07-26 14:14:48.000000000 -0400
+++ ./src/global/mail_version.h 2020-08-30 09:53:35.000000000 -0400
@@ -20,8 +20,8 @@
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20200726"
-#define MAIL_VERSION_NUMBER "3.5.6"
+#define MAIL_RELEASE_DATE "20200830"
+#define MAIL_VERSION_NUMBER "3.5.7"
#ifdef SNAPSHOT
#define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE
diff -ur --new-file /var/tmp/postfix-3.5.6/HISTORY ./HISTORY
--- /var/tmp/postfix-3.5.6/HISTORY 2020-07-26 14:28:09.000000000 -0400
+++ ./HISTORY 2020-08-30 10:15:56.000000000 -0400
@@ -24819,3 +24819,18 @@
the system-wide OpenSSL configuration of allowed TLS protocol
versions, for sessions where the remote SMTP client sends
SNI. It's better to be safe than sorry. File: tls/tls_server.c.
+
+20200821
+
+ Bugfix (introduced: Postfix 3.4, already fixed in Postfix
+ 3.6): tlsproxy(8) was using the wrong DANE macro for
+ connections with DANE trust anchors or with non-DANE trust
+ anchors (WTF: Thorsten Habich found this bug in the use
+ case that has nothing to do with DANE). This resulted in a
+ global certificate verify function pointer race, between
+ TLS handshakes that use TLS trust achors and handshakes
+ that use PKI. No memory was corrupted in the course of all
+ this. Viktor Dukhovni. File: tlsproxy/tlsproxy.c.
+
+ Cleanup: the posttls-finger '-X' option reported a false
+ conflict with '-r'. File: posttls-finger/posttls-finger.c.
diff -ur --new-file /var/tmp/postfix-3.5.6/src/posttls-finger/posttls-finger.c ./src/posttls-finger/posttls-finger.c
--- /var/tmp/postfix-3.5.6/src/posttls-finger/posttls-finger.c 2019-02-12 08:17:45.000000000 -0500
+++ ./src/posttls-finger/posttls-finger.c 2020-08-21 19:17:03.000000000 -0400
@@ -1988,7 +1988,7 @@
msg_fatal("bad '-a' option value: %s", state->options.addr_pref);
#ifdef USE_TLS
- if (state->tlsproxy_mode && state->reconnect)
+ if (state->tlsproxy_mode && state->reconnect >= 0)
msg_fatal("The -X and -r options are mutually exclusive");
#endif
diff -ur --new-file /var/tmp/postfix-3.5.6/src/tlsproxy/tlsproxy.c ./src/tlsproxy/tlsproxy.c
--- /var/tmp/postfix-3.5.6/src/tlsproxy/tlsproxy.c 2020-06-20 14:55:59.000000000 -0400
+++ ./src/tlsproxy/tlsproxy.c 2020-08-21 19:37:21.000000000 -0400
@@ -998,8 +998,17 @@
state->client_start_props->fd = state->ciphertext_fd;
/* These predicates and warning belong inside tls_client_start(). */
if (!tls_dane_avail() /* mandatory side effects!! */
- &&TLS_DANE_BASED(state->client_start_props->tls_level))
- msg_warn("%s: DANE requested, but not available",
+
+ /*
+ * Why not test for TLS_DANE_BASED()? Because the tlsproxy(8) client has
+ * already converted its DANE TLSA records into trust anchors, and
+ * therefore TLS_DANE_HASTA() will be true instead. That exercises the
+ * code path that updates the shared SSL_CTX with custom X.509
+ * verification callbacks for trust anchors.
+ */
+ &&TLS_DANE_HASTA(state->client_start_props->dane))
+ msg_warn("%s: DANE or local trust anchor based chain"
+ " verification requested, but not available",
state->client_start_props->namaddr);
else
state->tls_context = tls_client_start(state->client_start_props);
@@ -1427,7 +1436,15 @@
}
state->appl_state = tlsp_client_init(state->tls_params,
state->client_init_props,
- TLS_DANE_BASED(state->client_start_props->tls_level));
+
+ /*
+ * Why not test for TLS_DANE_BASED()? Because the tlsproxy(8) client
+ * has already converted its DANE TLSA records into trust anchors,
+ * and therefore TLS_DANE_HASTA() will be true instead. That
+ * exercises the code path that updates the shared SSL_CTX with
+ * custom X.509 verification callbacks for trust anchors.
+ */
+ TLS_DANE_HASTA(state->client_start_props->dane) != 0);
ready = state->appl_state != 0;
break;
case TLS_PROXY_FLAG_ROLE_SERVER: