Prereq: "3.1.1" diff -cr --new-file /var/tmp/postfix-3.1.1/src/global/mail_version.h ./src/global/mail_version.h *** /var/tmp/postfix-3.1.1/src/global/mail_version.h 2016-05-15 12:56:21.000000000 -0400 --- ./src/global/mail_version.h 2016-08-27 17:51:27.000000000 -0400 *************** *** 20,27 **** * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ ! #define MAIL_RELEASE_DATE "20160515" ! #define MAIL_VERSION_NUMBER "3.1.1" #ifdef SNAPSHOT #define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE --- 20,27 ---- * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ ! #define MAIL_RELEASE_DATE "20160828" ! #define MAIL_VERSION_NUMBER "3.1.2" #ifdef SNAPSHOT #define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE diff -cr --new-file /var/tmp/postfix-3.1.1/HISTORY ./HISTORY *** /var/tmp/postfix-3.1.1/HISTORY 2016-05-15 13:10:24.000000000 -0400 --- ./HISTORY 2016-08-27 19:50:23.000000000 -0400 *************** *** 22216,22218 **** --- 22216,22238 ---- 20160515 Portability: OpenBSD 6.0. Files: makedefs, util/sys_defs.h. + + 20160819 + + Bugfix (introduced: Postfix 3.0): the makedefs script ignored + readme_directory=pathname overrides. Fix by Todd C. Olson. + File: makedefs. + + 20160821 + + Bugfix (introduced: Postfix 3.0): the tls_session_ticket_cipher + documentation says aes-256-cbc, but the implementation was + using aes-128-cbc (note that Postfix SMTP server and client + processes have a limited life time). + + 20160828 + + Bitrot: fixes for incompatible OpenSSL 1.1.0 API changes. + Viktor Dukhovni. Files: posttls-finger/posttls-finger.c, + tls/tls.h, tls/tls_dane.c, tls/tls_verify.c, tls/tls_server.c, + tls/tls_client.c. 
diff -cr --new-file /var/tmp/postfix-3.1.1/makedefs ./makedefs *** /var/tmp/postfix-3.1.1/makedefs 2016-05-15 12:39:11.000000000 -0400 --- ./makedefs 2016-08-19 20:08:42.000000000 -0400 *************** *** 962,968 **** manpage_directory_macro=DEF_MANPAGE_DIR readme_directory_macro=DEF_README_DIR ! for parm_name in html_directory manpage_directory do eval parm_val=\"\$$parm_name\" eval parm_macro=\"\$${parm_name}_macro\" --- 962,968 ---- manpage_directory_macro=DEF_MANPAGE_DIR readme_directory_macro=DEF_README_DIR ! for parm_name in html_directory manpage_directory readme_directory do eval parm_val=\"\$$parm_name\" eval parm_macro=\"\$${parm_name}_macro\" diff -cr --new-file /var/tmp/postfix-3.1.1/src/global/mail_params.h ./src/global/mail_params.h *** /var/tmp/postfix-3.1.1/src/global/mail_params.h 2016-01-31 16:05:46.000000000 -0500 --- ./src/global/mail_params.h 2016-08-20 09:17:27.000000000 -0400 *************** *** 3206,3212 **** extern char *var_tls_ssl_options; #define VAR_TLS_TKT_CIPHER "tls_session_ticket_cipher" ! #define DEF_TLS_TKT_CIPHER "aes-128-cbc" extern char *var_tls_tkt_cipher; #define VAR_TLS_BC_PKEY_FPRINT "tls_legacy_public_key_fingerprints" --- 3206,3212 ---- extern char *var_tls_ssl_options; #define VAR_TLS_TKT_CIPHER "tls_session_ticket_cipher" ! #define DEF_TLS_TKT_CIPHER "aes-256-cbc" extern char *var_tls_tkt_cipher; #define VAR_TLS_BC_PKEY_FPRINT "tls_legacy_public_key_fingerprints" diff -cr --new-file /var/tmp/postfix-3.1.1/src/posttls-finger/posttls-finger.c ./src/posttls-finger/posttls-finger.c *** /var/tmp/postfix-3.1.1/src/posttls-finger/posttls-finger.c 2016-01-04 07:26:16.000000000 -0500 --- ./src/posttls-finger/posttls-finger.c 2016-08-27 16:27:50.000000000 -0400 *************** *** 1511,1517 **** return (0); } ! #ifdef USE_TLS /* ssl_cleanup - free memory allocated in the OpenSSL library */ --- 1511,1517 ---- return (0); } ! 
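Review bot: Changing `DEF_TLS_TKT_CIPHER` to `"aes-256-cbc"` doubles the session-ticket encryption key length from 16 to 32 bytes, and nothing in this hunk shows that the key material handed to the ticket callback's EVP_EncryptInit() is sized from the selected cipher rather than a fixed 16-byte buffer. Please confirm that ticket-key generation and the startup validation of the configured cipher (both outside this patch, presumably in tlsmgr/tls_server.c) use EVP_CIPHER_key_length() and reject ciphers whose key or IV length exceeds the key buffer, otherwise the callback reads key bytes past the end of what was generated. Since the value is presumably resolved by cipher name at run time, a comment tying it to the key buffer would help the next person changing it, e.g. `/* Ticket key buffer must hold EVP_CIPHER_key_length() bytes of this cipher */`. The 20160821 HISTORY entry's remark about limited process lifetime reads as the reason no in-flight tickets need to survive the upgrade; stating that at the define would make the intent explicit.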
#if defined(USE_TLS) && OPENSSL_VERSION_NUMBER < 0x10100000L /* ssl_cleanup - free memory allocated in the OpenSSL library */ *************** *** 1529,1535 **** CRYPTO_cleanup_all_ex_data(); } ! #endif /* run - do what we were asked to do. */ --- 1529,1536 ---- CRYPTO_cleanup_all_ex_data(); } ! #endif /* USE_TLS && OPENSSL_VERSION_NUMBER ! * < 0x10100000L */ /* run - do what we were asked to do. */ *************** *** 1955,1961 **** /* Be valgrind friendly and clean-up */ cleanup(&state); ! #ifdef USE_TLS ssl_cleanup(); #endif --- 1956,1964 ---- /* Be valgrind friendly and clean-up */ cleanup(&state); ! ! /* OpenSSL 1.1.0 and later (de)initialization is implicit */ ! #if defined(USE_TLS) && OPENSSL_VERSION_NUMBER < 0x10100000L ssl_cleanup(); #endif diff -cr --new-file /var/tmp/postfix-3.1.1/src/tls/tls.h ./src/tls/tls.h *** /var/tmp/postfix-3.1.1/src/tls/tls.h 2016-02-06 15:09:41.000000000 -0500 --- ./src/tls/tls.h 2016-08-27 16:27:50.000000000 -0400 *************** *** 93,99 **** #define OpenSSL_version_num SSLeay #define OpenSSL_version SSLeay_version #define OPENSSL_VERSION SSLEAY_VERSION ! #define X509_up_ref(x) CRYPTO_add(&((x)->references), 1, CRYPTO_LOCK_X509) #endif /* SSL_CIPHER_get_name() got constified in 0.9.7g */ --- 93,109 ---- #define OpenSSL_version_num SSLeay #define OpenSSL_version SSLeay_version #define OPENSSL_VERSION SSLEAY_VERSION ! #define X509_up_ref(x) \ ! CRYPTO_add(&((x)->references), 1, CRYPTO_LOCK_X509) ! #define EVP_PKEY_up_ref(k) \ ! CRYPTO_add(&((k)->references), 1, CRYPTO_LOCK_EVP_PKEY) ! #define X509_STORE_CTX_get0_cert(ctx) ((ctx)->cert) ! #define X509_STORE_CTX_get0_untrusted(ctx) ((ctx)->untrusted) ! #define X509_STORE_CTX_set0_untrusted X509_STORE_CTX_set_chain ! #define X509_STORE_CTX_set0_trusted_stack X509_STORE_CTX_trusted_stack ! #define ASN1_STRING_get0_data ASN1_STRING_data ! #define X509_getm_notBefore X509_get_notBefore ! 
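Review bot: The new guard `#if defined(USE_TLS) && OPENSSL_VERSION_NUMBER < 0x10100000L` around ssl_cleanup(), and the same one around its call in run(), references `OPENSSL_VERSION_NUMBER` in builds without USE_TLS, where no OpenSSL header is included; the preprocessor silently treats the undefined macro as 0, so it compiles, but `-Wundef` flags it and a non-TLS build now depends on an OpenSSL name. Nesting the version test inside the existing `#ifdef USE_TLS` avoids both: `#ifdef USE_TLS` / `#if OPENSSL_VERSION_NUMBER < 0x10100000L` / … / `#endif` / `#endif`. The definition side would also benefit from the same one-line comment the call site got (`/* OpenSSL 1.1.0 and later (de)initialization is implicit */`) so a reader of ssl_cleanup() alone knows why it vanishes on 1.1.0. run() starts before this hunk.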
#define X509_getm_notAfter X509_get_notAfter #endif /* SSL_CIPHER_get_name() got constified in 0.9.7g */ diff -cr --new-file /var/tmp/postfix-3.1.1/src/tls/tls_client.c ./src/tls/tls_client.c *** /var/tmp/postfix-3.1.1/src/tls/tls_client.c 2016-01-31 16:05:46.000000000 -0500 --- ./src/tls/tls_client.c 2016-08-27 16:27:50.000000000 -0400 *************** *** 299,304 **** --- 299,306 ---- */ tls_check_version(); + #if OPENSSL_VERSION_NUMBER < 0x10100000L + /* * Initialize the OpenSSL library by the book! To start with, we must * initialize the algorithms. We want cleartext error messages instead of *************** *** 306,311 **** --- 308,314 ---- */ SSL_load_error_strings(); OpenSSL_add_ssl_algorithms(); + #endif /* * Create an application data index for SSL objects, so that we can *************** *** 363,369 **** tls_print_errors(); return (0); } - #ifdef SSL_SECOP_PEER /* Backwards compatible security as a base for opportunistic TLS. */ SSL_CTX_set_security_level(client_ctx, 0); --- 366,371 ---- diff -cr --new-file /var/tmp/postfix-3.1.1/src/tls/tls_dane.c ./src/tls/tls_dane.c *** /var/tmp/postfix-3.1.1/src/tls/tls_dane.c 2015-10-31 20:24:04.000000000 -0400 --- ./src/tls/tls_dane.c 2016-08-27 16:27:50.000000000 -0400 *************** *** 573,579 **** { TLS_PKEYS *new = (TLS_PKEYS *) mymalloc(sizeof(*new)); ! CRYPTO_add(&k->references, 1, CRYPTO_LOCK_EVP_PKEY); new->pkey = k; new->next = d->pkeys; d->pkeys = new; --- 573,579 ---- { TLS_PKEYS *new = (TLS_PKEYS *) mymalloc(sizeof(*new)); ! EVP_PKEY_up_ref(k); new->pkey = k; new->next = d->pkeys; d->pkeys = new; *************** *** 1465,1471 **** * self-signature checks! */ id = ((akid && akid->keyid) ? akid->keyid : 0); ! if (id && ASN1_STRING_length(id) == 1 && *ASN1_STRING_data(id) == c) c = 1; if ((akid = AUTHORITY_KEYID_new()) != 0 --- 1465,1471 ---- * self-signature checks! */ id = ((akid && akid->keyid) ? akid->keyid : 0); ! 
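Review bot: The new compatibility macros (`EVP_PKEY_up_ref`, `X509_STORE_CTX_get0_cert`, `X509_STORE_CTX_get0_untrusted`, `ASN1_STRING_get0_data`, `X509_getm_notBefore`/`notAfter`, …) sit in a conditional whose opening `#if` is outside the hunk, presumably `OPENSSL_VERSION_NUMBER < 0x10100000L`. If that is the test, LibreSSL builds will not get them: LibreSSL defines `OPENSSL_VERSION_NUMBER` as `0x20000000L` while the releases current in 2016 still lack these 1.1.0 accessors, so the tls_dane.c and tls_verify.c callers converted in this patch would fail to compile there; HISTORY on this page lists OpenBSD 6.0 portability, which ships LibreSSL. Consider extending the condition to `defined(LIBRESSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER < 0x10100000L` (or per-symbol `#ifndef` guards), with a comment such as `/* LibreSSL reports 0x20000000L but lacks the 1.1.0 accessor API */`. The fallback macros reach into struct fields (`ctx->cert`, `ctx->untrusted`, `k->references`), which is fine while those structs are public but is exactly what 1.1.0 made opaque — a note saying so would help whoever next extends this block.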
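Review bot: In the tls_client.c hunk at 363,369 the `#ifdef SSL_SECOP_PEER` above `SSL_CTX_set_security_level(client_ctx, 0)` is removed but no matching `#endif` removal is visible, and the call is now unconditional; `SSL_CTX_set_security_level()` only exists from OpenSSL 1.0.2, while tls.h on this page still carries shims for releases as old as 0.9.7. Please confirm that the directive pairing still balances after this change and that a no-op fallback exists for pre-1.0.2 builds (or that 1.0.2 is now the floor), and record it at the call site, e.g. `/* No-op on OpenSSL < 1.0.2 (see tls.h) */`. The same `#ifdef SSL_SECOP_PEER` removal appears in the tls_server.c hunk at 758,764 above the `if (props->requirecert)` security-level call. tls_client_init() starts and ends outside the hunk.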
if (id && ASN1_STRING_length(id) == 1 && *ASN1_STRING_get0_data(id) == c) c = 1; if ((akid = AUTHORITY_KEYID_new()) != 0 *************** *** 1583,1592 **** */ if (!X509_set_version(cert, 2) || !set_serial(cert, akid, subject) - || !X509_set_subject_name(cert, name) || !set_issuer_name(cert, akid) ! || !X509_gmtime_adj(X509_get_notBefore(cert), -30 * 86400L) ! || !X509_gmtime_adj(X509_get_notAfter(cert), 30 * 86400L) || !X509_set_pubkey(cert, key ? key : signkey) || !add_ext(0, cert, NID_basic_constraints, "CA:TRUE") || (key && !add_akid(cert, akid)) --- 1583,1592 ---- */ if (!X509_set_version(cert, 2) || !set_serial(cert, akid, subject) || !set_issuer_name(cert, akid) ! || !X509_gmtime_adj(X509_getm_notBefore(cert), -30 * 86400L) ! || !X509_gmtime_adj(X509_getm_notAfter(cert), 30 * 86400L) ! || !X509_set_subject_name(cert, name) || !X509_set_pubkey(cert, key ? key : signkey) || !add_ext(0, cert, NID_basic_constraints, "CA:TRUE") || (key && !add_akid(cert, akid)) *************** *** 1720,1727 **** int depth = 0; EVP_PKEY *takey; X509 *ca; ! X509 *cert = ctx->cert; /* XXX: Accessor? */ ! x509_stack_t *in = ctx->untrusted; /* XXX: Accessor? */ /* shallow copy */ if ((in = sk_X509_dup(in)) == 0) --- 1720,1727 ---- int depth = 0; EVP_PKEY *takey; X509 *ca; ! X509 *cert = X509_STORE_CTX_get0_cert(ctx); ! x509_stack_t *in = X509_STORE_CTX_get0_untrusted(ctx); /* shallow copy */ if ((in = sk_X509_dup(in)) == 0) *************** *** 1802,1808 **** { const char *myname = "dane_cb"; TLS_SESS_STATE *TLScontext = (TLS_SESS_STATE *) app_ctx; ! X509 *cert = ctx->cert; /* XXX: accessor? */ /* * Degenerate case: depth 0 self-signed cert. --- 1802,1808 ---- { const char *myname = "dane_cb"; TLS_SESS_STATE *TLScontext = (TLS_SESS_STATE *) app_ctx; ! X509 *cert = X509_STORE_CTX_get0_cert(ctx); /* * Degenerate case: depth 0 self-signed cert. *************** *** 1832,1840 **** * Check that setting the untrusted chain updates the expected structure * member at the expected offset. */ ! 
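Review bot: The 1583,1592 hunk moves `X509_set_subject_name(cert, name)` from before `set_issuer_name(cert, akid)` to after the validity dates, an ordering change that the "Bitrot" HISTORY entry does not explain. If set_issuer_name() (outside this hunk) derives a self-issued issuer from the certificate's current subject when no AKID issuer is present, the subject is now still unset at that point and the synthesized trust-anchor certificate would carry an empty issuer. Please either document why the new order is required, e.g. `/* Subject is set after issuer/validity: <reason> (OpenSSL 1.1.0) */`, or restore the original order if the move was incidental. The enclosing function starts and ends outside the hunk.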
X509_STORE_CTX_trusted_stack(ctx, TLScontext->trusted); ! X509_STORE_CTX_set_chain(ctx, TLScontext->untrusted); ! if (ctx->untrusted != TLScontext->untrusted) msg_panic("%s: OpenSSL ABI change", myname); return X509_verify_cert(ctx); --- 1832,1840 ---- * Check that setting the untrusted chain updates the expected structure * member at the expected offset. */ ! X509_STORE_CTX_set0_trusted_stack(ctx, TLScontext->trusted); ! X509_STORE_CTX_set0_untrusted(ctx, TLScontext->untrusted); ! if (X509_STORE_CTX_get0_untrusted(ctx) != TLScontext->untrusted) msg_panic("%s: OpenSSL ABI change", myname); return X509_verify_cert(ctx); *************** *** 2163,2170 **** --- 2163,2172 ---- tls_param_init(); tls_check_version(); + #if OPENSSL_VERSION_NUMBER < 0x10100000L SSL_load_error_strings(); SSL_library_init(); + #endif if (!tls_validate_digest(LN_sha1)) msg_fatal("%s digest algorithm not available", LN_sha1); diff -cr --new-file /var/tmp/postfix-3.1.1/src/tls/tls_server.c ./src/tls/tls_server.c *** /var/tmp/postfix-3.1.1/src/tls/tls_server.c 2016-01-31 16:05:46.000000000 -0500 --- ./src/tls/tls_server.c 2016-08-27 16:27:50.000000000 -0400 *************** *** 173,181 **** #endif /* OPENSSL_VERSION_NUMBER */ /* get_server_session_cb - callback to retrieve session from server cache */ ! static SSL_SESSION *get_server_session_cb(SSL *ssl, unsigned char *session_id, int session_id_length, int *unused_copy) { --- 173,190 ---- #endif /* OPENSSL_VERSION_NUMBER */ + /* OpenSSL 1.1.0 bitrot */ + #if OPENSSL_VERSION_NUMBER >= 0x10100000L + typedef const unsigned char *session_id_t; + + #else + typedef unsigned char *session_id_t; + + #endif + /* get_server_session_cb - callback to retrieve session from server cache */ ! 
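Review bot: The comment above the `X509_STORE_CTX_set0_trusted_stack()` call still says the check verifies that setting the untrusted chain "updates the expected structure member at the expected offset", but after the accessor-based rewrite `X509_STORE_CTX_get0_untrusted(ctx) != TLScontext->untrusted` is an API round-trip on OpenSSL 1.1.0, not an offset probe; only the pre-1.1.0 path, where tls.h maps these names onto `ctx->untrusted`, still validates struct layout. Reword it so the `msg_panic("%s: OpenSSL ABI change", myname)` message stays honest, e.g. `/* Sanity check: the untrusted chain we just set must be the one the store context reports back; on OpenSSL < 1.1.0 this also validates the struct layout assumed by the tls.h macros. */`, and consider a panic text such as `"OpenSSL API mismatch"` that is true on both paths. dane_cb() starts outside the hunk.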
static SSL_SESSION *get_server_session_cb(SSL *ssl, session_id_t session_id, int session_id_length, int *unused_copy) { *************** *** 368,373 **** --- 377,384 ---- */ tls_check_version(); + #if OPENSSL_VERSION_NUMBER < 0x10100000L + /* * Initialize the OpenSSL library by the book! To start with, we must * initialize the algorithms. We want cleartext error messages instead of *************** *** 375,380 **** --- 386,392 ---- */ SSL_load_error_strings(); OpenSSL_add_ssl_algorithms(); + #endif /* * First validate the protocols. If these are invalid, we can't continue. *************** *** 445,451 **** tls_print_errors(); return (0); } - #ifdef SSL_SECOP_PEER /* Backwards compatible security as a base for opportunistic TLS. */ SSL_CTX_set_security_level(server_ctx, 0); --- 457,462 ---- *************** *** 758,764 **** tls_free_context(TLScontext); return (0); } - #ifdef SSL_SECOP_PEER /* When authenticating the peer, use 80-bit plus OpenSSL security level */ if (props->requirecert) --- 769,774 ---- *************** *** 896,905 **** X509_free(peer); /* ! * Give them a clue. Problems with trust chain verification are logged ! * when the session is first negotiated, before the session is stored ! * into the cache. We don't want mystery failures, so log the fact the ! * real problem is to be found in the past. */ if (!TLS_CERT_IS_TRUSTED(TLScontext) && (TLScontext->log_mask & TLS_LOG_UNTRUSTED)) { --- 906,915 ---- X509_free(peer); /* ! * Give them a clue. Problems with trust chain verification are ! * logged when the session is first negotiated, before the session is ! * stored into the cache. We don't want mystery failures, so log the ! * fact the real problem is to be found in the past. 
*/ if (!TLS_CERT_IS_TRUSTED(TLScontext) && (TLScontext->log_mask & TLS_LOG_UNTRUSTED)) { diff -cr --new-file /var/tmp/postfix-3.1.1/src/tls/tls_verify.c ./src/tls/tls_verify.c *** /var/tmp/postfix-3.1.1/src/tls/tls_verify.c 2015-10-31 20:24:04.000000000 -0400 --- ./src/tls/tls_verify.c 2016-08-27 16:27:50.000000000 -0400 *************** *** 440,446 **** /* * Safe to treat as an ASCII string possibly holding a DNS name */ ! dnsname = (char *) ASN1_STRING_data(gn->d.ia5); len = ASN1_STRING_length(gn->d.ia5); TRIM0(dnsname, len); --- 440,446 ---- /* * Safe to treat as an ASCII string possibly holding a DNS name */ ! dnsname = (const char *) ASN1_STRING_get0_data(gn->d.ia5); len = ASN1_STRING_length(gn->d.ia5); TRIM0(dnsname, len);
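Review bot: The assignment `dnsname = (const char *) ASN1_STRING_get0_data(gn->d.ia5)` only helps if dnsname's declaration (outside this hunk) is `const char *`; if it is still `char *`, the cast is immediately discarded on assignment and the compiler warns about dropping the qualifier, which is the very complaint the switch to the const-returning 1.1.0 accessor is meant to silence. Please check the declaration, and that `TRIM0(dnsname, len)` on the next line is read-only on its first argument, since the accessor returns a pointer into OpenSSL-owned data that must not be written. If both hold, a short note would spare the next reader the same check: `/* Read-only view into the GENERAL_NAME; only len is adjusted below */`. The enclosing function starts and ends outside the hunk.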