Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package postfix for openSUSE:Factory checked
in at 2023-03-07 16:49:00
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/postfix (Old)
and /work/SRC/openSUSE:Factory/.postfix.new.31432 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "postfix"
Tue Mar 7 16:49:00 2023 rev:224 rq:1069659 version:3.7.4
Changes:
--------
--- /work/SRC/openSUSE:Factory/postfix/postfix-bdb.changes 2023-02-17
16:43:35.906387354 +0100
+++ /work/SRC/openSUSE:Factory/.postfix.new.31432/postfix-bdb.changes
2023-03-07 16:49:14.597240060 +0100
@@ -1,0 +2,26 @@
+Sat Feb 25 15:15:58 UTC 2023 - Otto Hollmann <otto.hollm...@suse.com>
+
+- update to 3.7.4
+ * Workaround: with OpenSSL 3 and later always turn on
+ SSL_OP_IGNORE_UNEXPECTED_EOF, to avoid warning messages and missed
+ opportunities for TLS session reuse. This is safe because the SMTP protocol
+ implements application-level framing, and is therefore not affected by TLS
+ truncation attacks.
+ * Workaround: OpenSSL 3.x EVP_get_digestbyname() can return lazily-bound
+ handles for digest implementations. In sufficiently hostile configurations,
+ Postfix could mistakenly believe that a digest algorithm is available, and
+ fail when it is not. A similar workaround may be needed for
+ EVP_get_cipherbyname().
+ * Bugfix (bug introduced in Postfix 2.11): the checkok() macro in
+ tls/tls_fprint.c evaluated its argument unconditionally; it should evaluate
+ the argument only if there was no prior error.
+ * Bugfix (bug introduced in Postfix 2.8): postscreen died with a segmentation
+ violation when postscreen_dnsbl_threshold < 1. It should reject such input
+ with a fatal error instead.
+ * Bitrot: fixes for linker warnings from newer Darwin (MacOS) versions.
+ * Portability: Linux 6 support.
+ * Added missing documentation that cidr:, pcre: and regexp: tables support
+ inline specification only in Postfix 3.7 and later.
+ * Rebased postfix-linux45.patch
+
+-------------------------------------------------------------------
postfix.changes: same change
Old:
----
postfix-3.7.3.tar.gz
postfix-3.7.3.tar.gz.asc
New:
----
postfix-3.7.4.tar.gz
postfix-3.7.4.tar.gz.asc
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ postfix-bdb.spec ++++++
--- /var/tmp/diff_new_pack.r7VKEw/_old 2023-03-07 16:49:15.709245913 +0100
+++ /var/tmp/diff_new_pack.r7VKEw/_new 2023-03-07 16:49:15.713245933 +0100
@@ -59,7 +59,7 @@
%endif
%bcond_without ldap
Name: postfix-bdb
-Version: 3.7.3
+Version: 3.7.4
Release: 0
Summary: A fast, secure, and flexible mailer
License: IPL-1.0 OR EPL-2.0
++++++ postfix.spec ++++++
--- /var/tmp/diff_new_pack.r7VKEw/_old 2023-03-07 16:49:15.749246123 +0100
+++ /var/tmp/diff_new_pack.r7VKEw/_new 2023-03-07 16:49:15.753246144 +0100
@@ -46,7 +46,7 @@
%endif
%bcond_without ldap
Name: postfix
-Version: 3.7.3
+Version: 3.7.4
Release: 0
Summary: A fast, secure, and flexible mailer
License: IPL-1.0 OR EPL-2.0
++++++ postfix-3.7.3.tar.gz -> postfix-3.7.4.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/postfix-3.7.3/HISTORY new/postfix-3.7.4/HISTORY
--- old/postfix-3.7.3/HISTORY 2022-10-07 23:00:33.000000000 +0200
+++ new/postfix-3.7.4/HISTORY 2023-01-21 22:05:10.000000000 +0100
@@ -26398,3 +26398,73 @@
If delivery of the file is still desired, the file can be
moved back to /var/spool/postfix/incoming after updating
Postfix and executing "postfix reload".
+
+20221125
+
+ Bugfix (introduced: Postfix 3.6): the Postfix TLS client
+ logged a TLS connection as 'Untrusted' instead of 'Trusted',
+ when a matching DANE record was found but the MX RRset was
+ insecure. Fix by Viktor Dukhovni. File: tls/tls_client.c.
+
+20221128
+
+ Bugfix (introduced: Postfix 2.2): the smtpd_proxy_client
+ code mis-parsed the last XFORWARD attribute name in the
+ SMTP server's EHLO response. The result was that the
+ smtpd_proxy_client code failed to forward the IDENT attribute.
+ Fix by Andreas Weigel. File: smtpd/smtpd_proxy.c.
+
+20221201
+
+ Portability: LINUX6 support. Files: makedefs, util/sys_defs.h.
+
+20221207
+
+ Workaround: OpenSSL 3.x EVP_get_digestbyname() can return
+ lazily bound handles that may fail to work when one attempts
+ to use them, because no provider search happens until one
+ constructs an actual operation context. In sufficiently
+ hostile configurations, Postfix could mistakenly believe
+ that an algorithm is available, when in fact it is not. A
+ similar workaround may be needed for EVP_get_cipherbyname().
+ Fix by Viktor Dukhovni. Files: tls/tls.h, tls/tls_dane.c,
+ tls/tls_fprint.c, tls/tls_misc.c.
+
+ Bugfix (introduced: Postfix 2.11): the checkok() macro in
+ tls/tls_fprint.c evaluated its argument unconditionally;
+ it should evaluate the argument only if there was no prior
+ error. Found during code review. File: tls/tls_fprint.c.
+
+20221215
+
+ Foolproofing: postscreen segfault with postscreen_dnsbl_threshold
+ < 1. It should reject such input with a fatal error instead.
+ Discovered by Benny Pedersen. File: postscreen/postscreen.c.
+
+20230101
+
+ Documentation: add text that cidr:, pcre: and regexp: tables
+ support inline specification only in Postfix 3.7 and later.
+ Files: proto/cidr_table, proto/pcre_table, proto/regexp_table.
+
+20230103
+
+ Bugfix (introduced: Postfix 2.7): the verify daemon logged
+ a garbled cache name when terminating a cache scan in
+ progress. Reported by Phil Biggs, fix by Viktor Dukhovni.
+ File: util/dict_cache.c.
+
+20220104
+
+ Bitrot: fixes for linker warnings from newer Darwin (MacOS)
+ versions. Viktor Dukhovni. File: makedefs.
+
+20230115
+
+ Workaround for a breaking change in OpenSSL 3: always turn
+ on SSL_OP_IGNORE_UNEXPECTED_EOF, to avoid warning messages
+ and missed opportunities for TLS session reuse. This is
+ safe because the SMTP protocol implements application-level
+ framing, and is therefore not affected by TLS truncation
+ attacks. Fix by Viktor Dukhovni. Files: tls/tls.h, tls_client.c,
+ tls/tls_server.c.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/postfix-3.7.3/html/cidr_table.5.html
new/postfix-3.7.4/html/cidr_table.5.html
--- old/postfix-3.7.3/html/cidr_table.5.html 2021-12-23 00:07:06.000000000
+0100
+++ new/postfix-3.7.4/html/cidr_table.5.html 2023-01-21 22:03:31.000000000
+0100
@@ -99,8 +99,8 @@
not required.
<b>INLINE SPECIFICATION</b>
- The contents of a table may be specified in the table name. The basic
- syntax is:
+ The contents of a table may be specified in the table name (Postfix 3.7
+ and later). The basic syntax is:
<a href="postconf.5.html">main.cf</a>:
<i>parameter</i> <b>= .. <a href="cidr_table.5.html">cidr</a>:{
{</b> <i>rule-1</i> <b>}, {</b> <i>rule-2</i> <b>} .. } ..</b>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/postfix-3.7.3/html/pcre_table.5.html
new/postfix-3.7.4/html/pcre_table.5.html
--- old/postfix-3.7.3/html/pcre_table.5.html 2021-11-27 18:41:48.000000000
+0100
+++ new/postfix-3.7.4/html/pcre_table.5.html 2023-01-21 22:03:31.000000000
+0100
@@ -171,8 +171,8 @@
negated patterns.
<b>INLINE SPECIFICATION</b>
- The contents of a table may be specified in the table name. The basic
- syntax is:
+ The contents of a table may be specified in the table name (Postfix 3.7
+ and later). The basic syntax is:
<a href="postconf.5.html">main.cf</a>:
<i>parameter</i> <b>= .. <a href="pcre_table.5.html">pcre</a>:{
{</b> <i>rule-1</i> <b>}, {</b> <i>rule-2</i> <b>} .. } ..</b>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/postfix-3.7.3/html/regexp_table.5.html
new/postfix-3.7.4/html/regexp_table.5.html
--- old/postfix-3.7.3/html/regexp_table.5.html 2021-06-13 02:34:29.000000000
+0200
+++ new/postfix-3.7.4/html/regexp_table.5.html 2023-01-21 22:03:31.000000000
+0100
@@ -128,8 +128,8 @@
negated patterns.
<b>INLINE SPECIFICATION</b>
- The contents of a table may be specified in the table name. The basic
- syntax is:
+ The contents of a table may be specified in the table name (Postfix 3.7
+ and later). The basic syntax is:
<a href="postconf.5.html">main.cf</a>:
<i>parameter</i> <b>= .. <a href="regexp_table.5.html">regexp</a>:{
{</b> <i>rule-1</i> <b>}, {</b> <i>rule-2</i> <b>} .. } ..</b>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/postfix-3.7.3/makedefs new/postfix-3.7.4/makedefs
--- old/postfix-3.7.3/makedefs 2022-01-23 21:53:41.000000000 +0100
+++ new/postfix-3.7.4/makedefs 2023-01-16 00:29:39.000000000 +0100
@@ -627,7 +627,7 @@
: ${SHLIB_ENV="LD_LIBRARY_PATH=`pwd`/lib"}
: ${PLUGIN_LD="${CC-gcc} -shared"}
;;
- Linux.[345].*) SYSTYPE=LINUX$RELEASE_MAJOR
+Linux.[3456].*) SYSTYPE=LINUX$RELEASE_MAJOR
case "$CCARGS" in
*-DNO_DB*) ;;
*-DHAS_DB*) ;;
@@ -769,6 +769,12 @@
?.*|10.*) ;;
*) SYSLIBS="$SYSLIBS -lresolv";;
esac
+ # Darwin 21 linker without additional coaxing complains about
+ # -Wl,-undefined,dynamic_lookup
+ case $RELEASE in
+ 2[1-9].*|[3-9]?.*) NOFIXUP="-Wl,-no_fixup_chains ";;
+ *) NOFIXUP="";;
+ esac
# kqueue and/or poll are broken in MacOS X 10.5 (Darwin 9).
# kqueue works in Mac OS X 10.8 (Darwin 12).
case $RELEASE in
@@ -776,12 +782,12 @@
esac
: ${SHLIB_CFLAGS=-fPIC}
: ${SHLIB_SUFFIX=.dylib}
- : ${SHLIB_LD='cc -shared -Wl,-flat_namespace
-Wl,-undefined,dynamic_lookup -Wl,-install_name,@rpath/${LIB}'}
+ : ${SHLIB_LD="cc -shared -Wl,-flat_namespace
${NOFIXUP}-Wl,-undefined,dynamic_lookup "'-Wl,-install_name,@rpath/${LIB}'}
: ${SHLIB_RPATH='-Wl,-rpath,${SHLIB_DIR}'}
# In MacOS/X 10.11.x /bin/sh unsets DYLD_LIBRARY_PATH, so we
# have export it into postfix-install indirectly!
: ${SHLIB_ENV="DYLD_LIBRARY_PATH=`pwd`/lib
SHLIB_ENV_VAR=DYLD_LIBRARY_PATH SHLIB_ENV_VAL=`pwd`/lib"}
- : ${PLUGIN_LD='cc -shared -Wl,-flat_namespace
-Wl,-undefined,dynamic_lookup'}
+ : ${PLUGIN_LD="cc -shared -Wl,-flat_namespace
${NOFIXUP}-Wl,-undefined,dynamic_lookup"}
;;
dcosx.1*) SYSTYPE=DCOSX1
RANLIB=echo
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/postfix-3.7.3/man/man5/cidr_table.5
new/postfix-3.7.4/man/man5/cidr_table.5
--- old/postfix-3.7.3/man/man5/cidr_table.5 2021-12-23 00:07:05.000000000
+0100
+++ new/postfix-3.7.4/man/man5/cidr_table.5 2023-01-21 22:03:30.000000000
+0100
@@ -115,7 +115,8 @@
.nf
.ad
.fi
-The contents of a table may be specified in the table name.
+The contents of a table may be specified in the table name
+(Postfix 3.7 and later).
The basic syntax is:
.nf
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/postfix-3.7.3/man/man5/pcre_table.5
new/postfix-3.7.4/man/man5/pcre_table.5
--- old/postfix-3.7.3/man/man5/pcre_table.5 2021-11-27 18:41:47.000000000
+0100
+++ new/postfix-3.7.4/man/man5/pcre_table.5 2023-01-21 22:03:30.000000000
+0100
@@ -181,7 +181,8 @@
.nf
.ad
.fi
-The contents of a table may be specified in the table name.
+The contents of a table may be specified in the table name
+(Postfix 3.7 and later).
The basic syntax is:
.nf
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/postfix-3.7.3/man/man5/regexp_table.5
new/postfix-3.7.4/man/man5/regexp_table.5
--- old/postfix-3.7.3/man/man5/regexp_table.5 2021-06-13 02:34:28.000000000
+0200
+++ new/postfix-3.7.4/man/man5/regexp_table.5 2023-01-21 22:03:30.000000000
+0100
@@ -138,7 +138,8 @@
.nf
.ad
.fi
-The contents of a table may be specified in the table name.
+The contents of a table may be specified in the table name
+(Postfix 3.7 and later).
The basic syntax is:
.nf
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/postfix-3.7.3/proto/cidr_table
new/postfix-3.7.4/proto/cidr_table
--- old/postfix-3.7.3/proto/cidr_table 2021-12-22 23:49:37.000000000 +0100
+++ new/postfix-3.7.4/proto/cidr_table 2023-01-16 00:29:39.000000000 +0100
@@ -101,7 +101,8 @@
# INLINE SPECIFICATION
# .ad
# .fi
-# The contents of a table may be specified in the table name.
+# The contents of a table may be specified in the table name
+# (Postfix 3.7 and later).
# The basic syntax is:
#
# .nf
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/postfix-3.7.3/proto/pcre_table
new/postfix-3.7.4/proto/pcre_table
--- old/postfix-3.7.3/proto/pcre_table 2021-11-27 18:41:40.000000000 +0100
+++ new/postfix-3.7.4/proto/pcre_table 2023-01-16 00:29:39.000000000 +0100
@@ -165,7 +165,8 @@
# INLINE SPECIFICATION
# .ad
# .fi
-# The contents of a table may be specified in the table name.
+# The contents of a table may be specified in the table name
+# (Postfix 3.7 and later).
# The basic syntax is:
#
# .nf
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/postfix-3.7.3/proto/regexp_table
new/postfix-3.7.4/proto/regexp_table
--- old/postfix-3.7.3/proto/regexp_table 2021-06-10 23:30:58.000000000
+0200
+++ new/postfix-3.7.4/proto/regexp_table 2023-01-16 00:29:39.000000000
+0100
@@ -122,7 +122,8 @@
# INLINE SPECIFICATION
# .ad
# .fi
-# The contents of a table may be specified in the table name.
+# The contents of a table may be specified in the table name
+# (Postfix 3.7 and later).
# The basic syntax is:
#
# .nf
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/postfix-3.7.3/src/global/mail_version.h
new/postfix-3.7.4/src/global/mail_version.h
--- old/postfix-3.7.3/src/global/mail_version.h 2022-10-07 23:02:17.000000000
+0200
+++ new/postfix-3.7.4/src/global/mail_version.h 2023-01-21 22:15:12.000000000
+0100
@@ -20,8 +20,8 @@
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20221007"
-#define MAIL_VERSION_NUMBER "3.7.3"
+#define MAIL_RELEASE_DATE "20230121"
+#define MAIL_VERSION_NUMBER "3.7.4"
#ifdef SNAPSHOT
#define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/postfix-3.7.3/src/postscreen/postscreen.c
new/postfix-3.7.4/src/postscreen/postscreen.c
--- old/postfix-3.7.3/src/postscreen/postscreen.c 2021-02-21
16:33:05.000000000 +0100
+++ new/postfix-3.7.4/src/postscreen/postscreen.c 2023-01-21
22:17:28.000000000 +0100
@@ -1174,7 +1174,7 @@
0,
};
static const CONFIG_INT_TABLE int_table[] = {
- VAR_PSC_DNSBL_THRESH, DEF_PSC_DNSBL_THRESH, &var_psc_dnsbl_thresh, 0, 0,
+ VAR_PSC_DNSBL_THRESH, DEF_PSC_DNSBL_THRESH, &var_psc_dnsbl_thresh, 1, 0,
VAR_PSC_CMD_COUNT, DEF_PSC_CMD_COUNT, &var_psc_cmd_count, 1, 0,
VAR_SMTPD_CCONN_LIMIT, DEF_SMTPD_CCONN_LIMIT, &var_smtpd_cconn_limit,
0, 0,
0,
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/postfix-3.7.3/src/smtpd/smtpd_proxy.c
new/postfix-3.7.4/src/smtpd/smtpd_proxy.c
--- old/postfix-3.7.3/src/smtpd/smtpd_proxy.c 2015-01-29 14:40:49.000000000
+0100
+++ new/postfix-3.7.4/src/smtpd/smtpd_proxy.c 2022-12-11 22:43:50.000000000
+0100
@@ -388,7 +388,7 @@
*/
server_xforward_features = 0;
lines = STR(proxy->reply);
- while ((words = mystrtok(&lines, "\n")) != 0) {
+ while ((words = mystrtok(&lines, "\r\n")) != 0) {
if (mystrtok(&words, "- ") && (word = mystrtok(&words, " \t")) != 0) {
if (strcasecmp(word, XFORWARD_CMD) == 0)
while ((word = mystrtok(&words, " \t")) != 0)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/postfix-3.7.3/src/tls/tls.h
new/postfix-3.7.4/src/tls/tls.h
--- old/postfix-3.7.3/src/tls/tls.h 2021-09-26 22:09:33.000000000 +0200
+++ new/postfix-3.7.4/src/tls/tls.h 2023-01-21 22:00:03.000000000 +0100
@@ -387,6 +387,13 @@
#define SSL_OP_NO_TLSv1_3 0L /* Noop */
#endif
+/*
+ * Always used when defined, SMTP has no truncation attacks.
+ */
+#ifndef SSL_OP_IGNORE_UNEXPECTED_EOF
+#define SSL_OP_IGNORE_UNEXPECTED_EOF 0L
+#endif
+
#define TLS_KNOWN_PROTOCOLS \
( TLS_PROTOCOL_SSLv2 | TLS_PROTOCOL_SSLv3 | TLS_PROTOCOL_TLSv1 \
| TLS_PROTOCOL_TLSv1_1 | TLS_PROTOCOL_TLSv1_2 | TLS_PROTOCOL_TLSv1_3
)
@@ -403,7 +410,8 @@
* just exposed via hex codes or named elements of tls_ssl_options.
*/
#define TLS_SSL_OP_MANAGED_BITS \
- (SSL_OP_CIPHER_SERVER_PREFERENCE | TLS_SSL_OP_PROTOMASK(~0))
+ (SSL_OP_CIPHER_SERVER_PREFERENCE | SSL_OP_IGNORE_UNEXPECTED_EOF | \
+ TLS_SSL_OP_PROTOMASK(~0))
extern int tls_proto_mask_lims(const char *, int *, int *);
@@ -647,6 +655,7 @@
/*
* tls_fprint.c
*/
+extern const EVP_MD *tls_digest_byname(const char *, EVP_MD_CTX **);
extern char *tls_digest_encode(const unsigned char *, int);
extern char *tls_cert_fprint(X509 *, const char *);
extern char *tls_pkey_fprint(X509 *, const char *);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/postfix-3.7.3/src/tls/tls_client.c
new/postfix-3.7.4/src/tls/tls_client.c
--- old/postfix-3.7.3/src/tls/tls_client.c 2021-12-19 16:13:01.000000000
+0100
+++ new/postfix-3.7.4/src/tls/tls_client.c 2023-01-21 22:00:03.000000000
+0100
@@ -324,6 +324,7 @@
* checks are now performed internally in OpenSSL.
*/
if (SSL_get_verify_result(TLScontext->con) == X509_V_OK) {
+ TLScontext->peer_status |= TLS_CERT_FLAG_TRUSTED;
if (TLScontext->must_fail) {
msg_panic("%s: cert valid despite trust init failure",
TLScontext->namaddr);
@@ -352,8 +353,7 @@
TLScontext->namaddr, peername);
tls_dane_log(TLScontext);
}
- } else
- TLScontext->peer_status |= TLS_CERT_FLAG_TRUSTED;
+ }
}
/*
@@ -714,6 +714,15 @@
tls_dane_digest_init(client_ctx, fpt_alg);
/*
+ * Presently we use TLS only with SMTP where truncation attacks are not
+ * possible as a result of application framing. If we ever use TLS in
+ * some other application protocol where truncation could be relevant,
+ * we'd need to disable truncation detection conditionally, or explicitly
+ * clear the option in that code path.
+ */
+ off |= SSL_OP_IGNORE_UNEXPECTED_EOF;
+
+ /*
* Protocol selection is destination dependent, so we delay the protocol
* selection options to the per-session SSL object.
*/
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/postfix-3.7.3/src/tls/tls_dane.c
new/postfix-3.7.4/src/tls/tls_dane.c
--- old/postfix-3.7.3/src/tls/tls_dane.c 2021-10-25 15:35:24.000000000
+0200
+++ new/postfix-3.7.4/src/tls/tls_dane.c 2023-01-16 00:16:48.000000000
+0100
@@ -823,7 +823,7 @@
/* tls_dane_digest_init - configure supported DANE digests */
-void tls_dane_digest_init(SSL_CTX *ctx, const EVP_MD * fpt_alg)
+void tls_dane_digest_init(SSL_CTX *ctx, const EVP_MD *fpt_alg)
{
dane_mtype mtypes[256];
char *cp;
@@ -930,7 +930,7 @@
}
mtypes[codepoint].ord = ++ord;
- if ((mtypes[codepoint].alg = EVP_get_digestbyname(algname)) == 0) {
+ if ((mtypes[codepoint].alg = tls_digest_byname(algname, NULL)) == 0) {
msg_warn("%s: digest algorithm \"%s\"(%d) unknown",
VAR_TLS_DANE_DIGESTS, algname, codepoint);
continue;
@@ -1132,11 +1132,11 @@
case 0:
break;
case 1:
- if ((md = EVP_get_digestbyname(LN_sha256)) == 0)
+ if ((md = tls_digest_byname(LN_sha256, NULL)) == 0)
msg_fatal("Digest %s not found", LN_sha256);
break;
case 2:
- if ((md = EVP_get_digestbyname(LN_sha512)) == 0)
+ if ((md = tls_digest_byname(LN_sha512, NULL)) == 0)
msg_fatal("Digest %s not found", LN_sha512);
break;
default:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/postfix-3.7.3/src/tls/tls_fprint.c
new/postfix-3.7.4/src/tls/tls_fprint.c
--- old/postfix-3.7.3/src/tls/tls_fprint.c 2021-12-20 00:26:44.000000000
+0100
+++ new/postfix-3.7.4/src/tls/tls_fprint.c 2023-01-16 00:27:50.000000000
+0100
@@ -6,6 +6,10 @@
/* SYNOPSIS
/* #include <tls.h>
/*
+/* EVP_MD *tls_digest_byname(const char *mdalg, EVP_MD_CTX **mdctxPtr)
+/* const char *mdalg;
+/* EVP_MD_CTX **mdctxPtr;
+/*
/* char *tls_serverid_digest(TLScontext, props, ciphers)
/* TLS_SESS_STATE *TLScontext;
/* const TLS_CLIENT_START_PROPS *props;
@@ -23,6 +27,13 @@
/* X509 *peercert;
/* const char *mdalg;
/* DESCRIPTION
+/* tls_digest_byname() constructs, and optionally returns, an EVP_MD_CTX
+/* handle for performing digest operations with the algorithm named by the
+/* mdalg parameter. The return value is non-null on success, and holds a
+/* digest algorithm handle. If the mdctxPtr argument is non-null the
+/* created context is returned to the caller, who is then responsible for
+/* deleting it by calling EVP_MD_ctx_free() once it is no longer needed.
+/*
/* tls_digest_encode() converts a binary message digest to a hex ASCII
/* format with ':' separators between each pair of hex digits.
/* The return value is dynamically allocated with mymalloc(),
@@ -50,6 +61,8 @@
/* free it with myfree().
/*
/* Arguments:
+/* .IP mdalg
+/* A digest algorithm name, such as "sha256".
/* .IP peercert
/* Server or client X.509 certificate.
/* .IP md_buf
@@ -60,6 +73,9 @@
/* Name of a message digest algorithm suitable for computing secure
/* (1st pre-image resistant) message digests of certificates. For now,
/* md5, sha1, or member of SHA-2 family if supported by OpenSSL.
+/* .IP mdctxPtr
+/* Pointer to an (EVP_MD_CTX *) handle, or NULL if only probing for
+/* algorithm support without immediate use in mind.
/* .IP buf
/* Input data for the message digest algorithm mdalg.
/* .IP len
@@ -114,7 +130,7 @@
static const char hexcodes[] = "0123456789ABCDEF";
-#define checkok(ret) (ok &= ((ret) ? 1 : 0))
+#define checkok(stillok) (ok = ok && (stillok))
#define digest_object(p) digest_data((unsigned char *)(p), sizeof(*(p)))
#define digest_data(p, l) checkok(digest_bytes(mdctx, (p), (l)))
#define digest_string(s) checkok(digest_chars(mdctx, (s)))
@@ -182,6 +198,44 @@
return (ok);
}
+/* tls_digest_byname - test availability or prepare to use digest */
+
+const EVP_MD *tls_digest_byname(const char *mdalg, EVP_MD_CTX **mdctxPtr)
+{
+ const EVP_MD *md;
+ EVP_MD_CTX *mdctx = NULL;
+ int ok = 1;
+
+ /*
+ * In OpenSSL 3.0, because of dynamically variable algorithm providers,
+ * there is a time-of-check/time-of-use issue that means that abstract
+ * algorithm handles returned by EVP_get_digestbyname() can (and not
+ * infrequently do) return ultimately unusable algorithms, to check for
+ * actual availability, one needs to use the new EVP_MD_fetch() API, or
+ * indirectly check usability by creating a concrete context. We take the
+ * latter approach here (works for 1.1.1 without #ifdef).
+ *
+ * Note that EVP_MD_CTX_{create,destroy} were renamed to, respectively,
+ * EVP_MD_CTX_{new,free} in OpenSSL 1.1.0.
+ */
+ checkok(md = EVP_get_digestbyname(mdalg));
+
+ /*
+ * Sanity check: Newer shared libraries could (hypothetical ABI break)
+ * allow larger digests, we avoid such poison algorithms.
+ */
+ checkok(EVP_MD_size(md) <= EVP_MAX_MD_SIZE);
+ checkok(mdctx = EVP_MD_CTX_new());
+ checkok(EVP_DigestInit_ex(mdctx, md, NULL));
+
+
+ if (ok && mdctxPtr != 0)
+ *mdctxPtr = mdctx;
+ else
+ EVP_MD_CTX_free(mdctx);
+ return (ok ? md : 0);
+}
+
/* tls_serverid_digest - suffix props->serverid with parameter digest */
char *tls_serverid_digest(TLS_SESS_STATE *TLScontext,
@@ -189,7 +243,6 @@
const char *ciphers)
{
EVP_MD_CTX *mdctx;
- const EVP_MD *md;
const char *mdalg;
unsigned char md_buf[EVP_MAX_MD_SIZE];
unsigned int md_len;
@@ -205,17 +258,17 @@
* default digest, but DANE requires sha256 and sha512, so if we must
* fall back to our default digest, DANE support won't be available. We
* panic if the fallback algorithm is not available, as it was verified
- * available in tls_client_init() and must not simply vanish.
+ * available in tls_client_init() and must not simply vanish. Our
+ * provider set is not expected to change once the OpenSSL library is
+ * initialized.
*/
- if ((md = EVP_get_digestbyname(mdalg = "sha256")) == 0
- && (md = EVP_get_digestbyname(mdalg = props->mdalg)) == 0)
- msg_panic("digest algorithm \"%s\" not found", mdalg);
+ if (tls_digest_byname(mdalg = LN_sha256, &mdctx) == 0
+ && tls_digest_byname(mdalg = props->mdalg, &mdctx) == 0)
+ msg_panic("digest algorithm \"%s\" not found", props->mdalg);
/* Salt the session lookup key with the OpenSSL runtime version. */
sslversion = OpenSSL_version_num();
- mdctx = EVP_MD_CTX_create();
- checkok(EVP_DigestInit_ex(mdctx, md, NULL));
digest_string(props->helo ? props->helo : "");
digest_object(&sslversion);
digest_string(props->protocols);
@@ -306,18 +359,15 @@
static char *tls_data_fprint(const unsigned char *buf, int len, const char
*mdalg)
{
- EVP_MD_CTX *mdctx;
- const EVP_MD *md;
+ EVP_MD_CTX *mdctx = NULL;
unsigned char md_buf[EVP_MAX_MD_SIZE];
unsigned int md_len;
int ok = 1;
/* Previously available in "init" routine. */
- if ((md = EVP_get_digestbyname(mdalg)) == 0)
+ if (tls_digest_byname(mdalg, &mdctx) == 0)
msg_panic("digest algorithm \"%s\" not found", mdalg);
- mdctx = EVP_MD_CTX_create();
- checkok(EVP_DigestInit_ex(mdctx, md, NULL));
digest_data(buf, len);
checkok(EVP_DigestFinal_ex(mdctx, md_buf, &md_len));
EVP_MD_CTX_destroy(mdctx);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/postfix-3.7.3/src/tls/tls_misc.c
new/postfix-3.7.4/src/tls/tls_misc.c
--- old/postfix-3.7.3/src/tls/tls_misc.c 2021-12-19 15:49:34.000000000
+0100
+++ new/postfix-3.7.4/src/tls/tls_misc.c 2023-01-16 00:16:48.000000000
+0100
@@ -1569,25 +1569,13 @@
const EVP_MD *tls_validate_digest(const char *dgst)
{
const EVP_MD *md_alg;
- unsigned int md_len;
/*
* If the administrator specifies an unsupported digest algorithm, fail
* now, rather than in the middle of a TLS handshake.
*/
- if ((md_alg = EVP_get_digestbyname(dgst)) == 0) {
+ if ((md_alg = tls_digest_byname(dgst, NULL)) == 0)
msg_warn("Digest algorithm \"%s\" not found", dgst);
- return (0);
- }
-
- /*
- * Sanity check: Newer shared libraries may use larger digests.
- */
- if ((md_len = EVP_MD_size(md_alg)) > EVP_MAX_MD_SIZE) {
- msg_warn("Digest algorithm \"%s\" output size %u too large",
- dgst, md_len);
- return (0);
- }
return md_alg;
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/postfix-3.7.3/src/tls/tls_server.c
new/postfix-3.7.4/src/tls/tls_server.c
--- old/postfix-3.7.3/src/tls/tls_server.c 2022-10-07 21:48:11.000000000
+0200
+++ new/postfix-3.7.4/src/tls/tls_server.c 2023-01-21 22:00:03.000000000
+0100
@@ -513,6 +513,15 @@
cachable = 0;
/*
+ * Presently we use TLS only with SMTP where truncation attacks are not
+ * possible as a result of application framing. If we ever use TLS in
+ * some other application protocol where truncation could be relevant,
+ * we'd need to disable truncation detection conditionally, or explicitly
+ * clear the option in that code path.
+ */
+ off |= SSL_OP_IGNORE_UNEXPECTED_EOF;
+
+ /*
* Protocol work-arounds, OpenSSL version dependent.
*/
off |= tls_bug_bits();
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/postfix-3.7.3/src/util/dict_cache.c
new/postfix-3.7.4/src/util/dict_cache.c
--- old/postfix-3.7.3/src/util/dict_cache.c 2021-12-19 15:48:41.000000000
+0100
+++ new/postfix-3.7.4/src/util/dict_cache.c 2023-01-03 14:07:54.000000000
+0100
@@ -659,8 +659,8 @@
/*
* Destroy the DICT_CACHE object.
*/
- myfree(cp->name);
dict_cache_control(cp, DICT_CACHE_CTL_INTERVAL, 0, DICT_CACHE_CTL_END);
+ myfree(cp->name);
dict_close(cp->db);
if (cp->saved_curr_key)
myfree(cp->saved_curr_key);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/postfix-3.7.3/src/util/sys_defs.h
new/postfix-3.7.4/src/util/sys_defs.h
--- old/postfix-3.7.3/src/util/sys_defs.h 2021-12-05 19:59:27.000000000
+0100
+++ new/postfix-3.7.4/src/util/sys_defs.h 2022-12-02 01:27:27.000000000
+0100
@@ -751,7 +751,8 @@
/*
* LINUX.
*/
-#if defined(LINUX2) || defined(LINUX3) || defined(LINUX4) || defined(LINUX5)
+#if defined(LINUX2) || defined(LINUX3) || defined(LINUX4) || defined(LINUX5) \
+ || defined(LINUX6)
#define SUPPORTED
#define UINT32_TYPE unsigned int
#define UINT16_TYPE unsigned short
++++++ postfix-linux45.patch ++++++
--- /var/tmp/diff_new_pack.r7VKEw/_old 2023-03-07 16:49:17.705256417 +0100
+++ /var/tmp/diff_new_pack.r7VKEw/_new 2023-03-07 16:49:17.709256438 +0100
@@ -1,16 +1,16 @@
-Index: makedefs
-===================================================================
+---
+ makedefs | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
--- makedefs.orig
+++ makedefs
-@@ -627,8 +627,8 @@ EOF
+@@ -627,7 +627,7 @@ EOF
: ${SHLIB_ENV="LD_LIBRARY_PATH=`pwd`/lib"}
: ${PLUGIN_LD="${CC-gcc} -shared"}
;;
-- Linux.[345].*) SYSTYPE=LINUX$RELEASE_MAJOR
-- case "$CCARGS" in
-+ Linux.[3-9].*|Linux.[1-9][0-9].*) SYSTYPE=LINUX3
-+ case "$CCARGS" in
+-Linux.[3456].*) SYSTYPE=LINUX$RELEASE_MAJOR
++Linux.[3-9].*|Linux.[1-9][0-9].*) SYSTYPE=LINUX3
+ case "$CCARGS" in
*-DNO_DB*) ;;
*-DHAS_DB*) ;;
- *) if [ -f /usr/include/db.h ]
