Hello community,

here is the log from the commit of package postfix for openSUSE:Factory checked in at 2013-02-07 14:28:41
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/postfix (Old)
 and      /work/SRC/openSUSE:Factory/.postfix.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "postfix", Maintainer is "vark...@suse.com" Changes: -------- --- /work/SRC/openSUSE:Factory/postfix/postfix.changes 2013-01-21 17:44:44.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.postfix.new/postfix.changes 2013-02-07 14:28:43.000000000 +0100 @@ -1,0 +2,13 @@ +Wed Feb 6 19:56:57 UTC 2013 - vark...@suse.com + +- update to 2,9.6 + Bugfix: the local(8) delivery agent dereferenced a null pointer + while delivering to null command (for example, "|" in a .forward file). + Bugfix: memory leak in program initialization. tls/tls_misc.c. + Bugfix: he undocumented OpenSSL X509_pubkey_digest() function is + unsuitable for computing certificate PUBLIC KEY fingerprints. + Postfix now provides a correct procedure that accounts for + the algorithm and parameters in addition to the key data. Specify + "tls_legacy_public_key_fingerprints = yes" if you need backwards compatibility. + +------------------------------------------------------------------- Old: ---- postfix-2.9.5.tar.bz2 New: ---- postfix-2.9.6.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ postfix.spec ++++++ --- /var/tmp/diff_new_pack.R9eY8K/_old 2013-02-07 14:28:45.000000000 +0100 +++ /var/tmp/diff_new_pack.R9eY8K/_new 2013-02-07 14:28:45.000000000 +0100 @@ -20,7 +20,7 @@ Summary: A fast, secure, and flexible mailer License: IPL-1.0 Group: Productivity/Networking/Email/Servers -Version: 2.9.5 +Version: 2.9.6 Release: 0 Url: http://www.postfix.org/ Source: %{name}-%{version}.tar.bz2 ++++++ postfix-2.9.5.tar.bz2 -> postfix-2.9.6.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-2.9.5/HISTORY new/postfix-2.9.6/HISTORY --- old/postfix-2.9.5/HISTORY 2012-12-10 15:03:51.000000000 +0100 +++ new/postfix-2.9.6/HISTORY 2013-02-03 21:14:13.000000000 +0100 
@@ -17756,3 +17756,30 @@ This part of the code is not documented and had escaped testing. Files: util/ip_match.c, util/ip_match.in, util/ip_match.ref. + +20121230 + + Bugfix (omission in feature 20111106): the postconf(1) + master.cf options parser didn't support "clusters" of + command-line option letters. File: postconf/postconf_master.c, + postconf/test40.ref. + +20130131 + + Bugfix: the local(8) delivery agent dereferenced a null + pointer while delivering to null command (for example, "|" + in a .forward file). Reported by Gilles Chehade. + +20130203 + + Bugfix: the undocumented OpenSSL X509_pubkey_digest() + function is unsuitable for computing certificate PUBLIC KEY + fingerprints. Postfix now provides a correct procedure + that accounts for the algorithm and parameters in addition + to the key data. Specify "tls_legacy_public_key_fingerprints + = yes" if you need backwards compatibility. Fix by Victor + Duchovni, BC added by Wietse. Files: tls/tls_verify.c, + tls/tls_misc.c, proto/TLS_README.html, global/mail_params.h. + + Bugfix: the 20121010 fix for tls_misc.c was documented but + not included. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-2.9.5/README_FILES/TLS_README new/postfix-2.9.6/README_FILES/TLS_README --- old/postfix-2.9.5/README_FILES/TLS_README 2012-04-24 21:20:56.000000000 +0200 +++ new/postfix-2.9.6/README_FILES/TLS_README 2013-02-03 20:50:27.000000000 +0100 
@@ -462,6 +462,34 @@ /etc/postfix/relay_clientcerts: D7:04:2F:A7:0B:8C:A5:21:FA:31:77:E1:41:8A:EE:80 lutzpc.at.home +To extract the public key fingerprint from an X.509 certificate, you need to +extract the public key from the certificate and compute the appropriate digest +of its DER (ASN.1) encoding. With OpenSSL the "-pubkey" option of the "x509" +command extracts the public key always in "PEM" format. We pipe the result to +another OpenSSL command that converts the key to DER and then to the "dgst" +command to compute the fingerprint. + +The actual command to transform the key to DER format depends on the version of +OpenSSL used. With OpenSSL 1.0.0 and later, the "pkey" command supports all key +types. With OpenSSL 0.9.8 and earlier, the key type is always RSA (nobody uses +DSA, and EC keys are not fully supported by 0.9.8), so the "rsa" command is +used. + + # OpenSSL 1.0 with all certificates and SHA-1 fingerprints. + $ openssl x509 -in cert.pem -noout -pubkey | + openssl pkey -pubin -outform DER | + openssl dgst -sha1 -c + (stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:8b:fc:09:1a:61:98:b5:bc:7c:60:58 + + # OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints. + $ openssl x509 -in cert.pem -noout -pubkey | + openssl rsa -pubin -outform DER | + openssl dgst -md5 -c + (stdin)= f4:62:60:f6:12:8f:d5:8d:28:4d:13:a7:db:b2:ff:50 + +Note: Postfix 2.9.0-2.9.5 computed the public key fingerprint incorrectly. To +use public-key fingerprints, upgrade to Postfix 2.9.6 or later. + SSeerrvveerr--ssiiddee cciipphheerr ccoonnttrroollss The Postfix SMTP server supports 5 distinct cipher security levels as specified 
@@ -823,6 +851,34 @@ match=3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1 match=EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35 +To extract the public key fingerprint from an X.509 certificate, you need to +extract the public key from the certificate and compute the appropriate digest +of its DER (ASN.1) encoding. With OpenSSL the "-pubkey" option of the "x509" +command extracts the public key always in "PEM" format. We pipe the result to +another OpenSSL command that converts the key to DER and then to the "dgst" +command to compute the fingerprint. + +The actual command to transform the key to DER format depends on the version of +OpenSSL used. With OpenSSL 1.0.0 and later, the "pkey" command supports all key +types. With OpenSSL 0.9.8 and earlier, the key type is always RSA (nobody uses +DSA, and EC keys are not fully supported by 0.9.8), so the "rsa" command is +used. + + # OpenSSL 1.0 with all certificates and SHA-1 fingerprints. + $ openssl x509 -in cert.pem -noout -pubkey | + openssl pkey -pubin -outform DER | + openssl dgst -sha1 -c + (stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:8b:fc:09:1a:61:98:b5:bc:7c:60:58 + + # OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints. + $ openssl x509 -in cert.pem -noout -pubkey | + openssl rsa -pubin -outform DER | + openssl dgst -md5 -c + (stdin)= f4:62:60:f6:12:8f:d5:8d:28:4d:13:a7:db:b2:ff:50 + +Note: Postfix 2.9.0-2.9.5 computed the public key fingerprint incorrectly. To +use public-key fingerprints, upgrade to Postfix 2.9.6 or later. + MMaannddaattoorryy sseerrvveerr cceerrttiiffiiccaattee vveerriiffiiccaattiioonn At the "verify" TLS security level, messages are sent only over TLS encrypted diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-2.9.5/RELEASE_NOTES new/postfix-2.9.6/RELEASE_NOTES --- old/postfix-2.9.5/RELEASE_NOTES 2012-04-24 21:58:33.000000000 +0200 +++ new/postfix-2.9.6/RELEASE_NOTES 2013-02-03 21:22:53.000000000 +0100 
@@ -14,6 +14,36 @@ If you upgrade from Postfix 2.7 or earlier, read RELEASE_NOTES-2.8 before proceeding. +Major changes with Postfix 2.9.6 +-------------------------------- + +Thanks to OpenSSL documentation, the Postfix 2.9.0..2.9.5 SMTP +client and server computed incorrect TLS certificate PUBLIC-KEY +fingerprints. Support for certificate PUBLIC-KEY finger prints +was introduced with Postfix 2.9; there is no known problem with the +certificate fingerprint algorithms available since Postfix 2.2. + +Certificate PUBLIC-KEY finger prints may be used in the Postfix +SMTP server (with "check_ccert_access") and in the Postfix SMTP +client (with the "fingerprint" security level). + +Specify "tls_legacy_public_key_fingerprints = yes" temporarily, +pending a migration from configuration files with incorrect Postfix +2.9.0..2.9.5 certificate PUBLIC-KEY finger prints, to the correct +fingerprints used by Postfix 2.9.6 and later. + +To compute the correct PUBLIC-KEY finger prints: + +# OpenSSL 1.0 with all certificates and SHA-1 fingerprints. +$ openssl x509 -in cert.pem -noout -pubkey | \ + openssl pkey -pubin -outform DER | \ + openssl dgst -sha1 -c + +# OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints. +$ openssl x509 -in cert.pem -noout -pubkey | \ + openssl rsa -pubin -outform DER | \ + openssl dgst -md5 -c + Major changes with Postfix 2.9.2 -------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-2.9.5/html/TLS_README.html new/postfix-2.9.6/html/TLS_README.html --- old/postfix-2.9.5/html/TLS_README.html 2012-04-24 21:20:54.000000000 +0200 +++ new/postfix-2.9.6/html/TLS_README.html 2013-02-03 20:50:24.000000000 +0100 
@@ -677,6 +677,39 @@ </pre> </blockquote> +<p> To extract the public key fingerprint from an X.509 certificate, +you need to extract the public key from the certificate and compute +the appropriate digest of its DER (ASN.1) encoding. With OpenSSL +the "-pubkey" option of the "x509" command extracts the public +key always in "PEM" format. We pipe the result to another OpenSSL +command that converts the key to DER and then to the "dgst" command +to compute the fingerprint. </p> + +<p> The actual command to transform the key to DER format depends +on the version of OpenSSL used. With OpenSSL 1.0.0 and later, the +"pkey" command supports all key types. With OpenSSL 0.9.8 and +earlier, the key type is always RSA (nobody uses DSA, and EC +keys are not fully supported by 0.9.8), so the "rsa" command is +used. </p> +<blockquote> +<pre> +# OpenSSL 1.0 with all certificates and SHA-1 fingerprints. +$ openssl x509 -in cert.pem -noout -pubkey | + openssl pkey -pubin -outform DER | + openssl dgst -sha1 -c +(stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:8b:fc:09:1a:61:98:b5:bc:7c:60:58 + +# OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints. +$ openssl x509 -in cert.pem -noout -pubkey | + openssl rsa -pubin -outform DER | + openssl dgst -md5 -c +(stdin)= f4:62:60:f6:12:8f:d5:8d:28:4d:13:a7:db:b2:ff:50 +</pre> +</blockquote> +<p> Note: Postfix 2.9.0–2.9.5 computed the public key +fingerprint incorrectly. To use public-key fingerprints, upgrade +to Postfix 2.9.6 or later. </p> + <h3><a name="server_cipher">Server-side cipher controls</a> </h3> <p> The Postfix SMTP server supports 5 distinct cipher security levels 
@@ -1074,7 +1107,7 @@ not checked. Instead, the <a href="postconf.5.html#smtp_tls_fingerprint_cert_match">smtp_tls_fingerprint_cert_match</a> parameter or the "match" attribute in the <a href="#client_tls_policy">policy</a> table lists the remote SMTP server certificate fingerprint or -public key fingerprint (Postfix 2.9 and later). +public key fingerprint (Postfix 2.9 and later). </p> <p> If certificate fingerprints are exchanged securely, this is the strongest, and least scalable security level. The administrator needs 
@@ -1136,6 +1169,39 @@ </pre> </blockquote> +<p> To extract the public key fingerprint from an X.509 certificate, +you need to extract the public key from the certificate and compute +the appropriate digest of its DER (ASN.1) encoding. With OpenSSL +the "-pubkey" option of the "x509" command extracts the public +key always in "PEM" format. We pipe the result to another OpenSSL +command that converts the key to DER and then to the "dgst" command +to compute the fingerprint. </p> + +<p> The actual command to transform the key to DER format depends +on the version of OpenSSL used. With OpenSSL 1.0.0 and later, the +"pkey" command supports all key types. With OpenSSL 0.9.8 and +earlier, the key type is always RSA (nobody uses DSA, and EC +keys are not fully supported by 0.9.8), so the "rsa" command is +used. </p> +<blockquote> +<pre> +# OpenSSL 1.0 with all certificates and SHA-1 fingerprints. +$ openssl x509 -in cert.pem -noout -pubkey | + openssl pkey -pubin -outform DER | + openssl dgst -sha1 -c +(stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:8b:fc:09:1a:61:98:b5:bc:7c:60:58 + +# OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints. +$ openssl x509 -in cert.pem -noout -pubkey | + openssl rsa -pubin -outform DER | + openssl dgst -md5 -c +(stdin)= f4:62:60:f6:12:8f:d5:8d:28:4d:13:a7:db:b2:ff:50 +</pre> +</blockquote> +<p> Note: Postfix 2.9.0–2.9.5 computed the public key +fingerprint incorrectly. To use public-key fingerprints, upgrade +to Postfix 2.9.6 or later. </p> + <h4><a name="client_tls_verify"> Mandatory server certificate verification </a> </h4> <p> At the "verify" TLS security level, messages are sent only over diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-2.9.5/html/postconf.5.html new/postfix-2.9.6/html/postconf.5.html --- old/postfix-2.9.5/html/postconf.5.html 2012-04-24 21:20:56.000000000 +0200 +++ new/postfix-2.9.6/html/postconf.5.html 2013-02-03 21:53:45.000000000 +0100 
@@ -8440,6 +8440,10 @@ an appropriate <a href="access.5.html">access(5)</a> policy for each client. See <a href="RESTRICTION_CLASS_README.html">RESTRICTION_CLASS_README</a>.</p> +<p> <b>Note:</b> Postfix 2.9.0–2.9.5 computed the public key +fingerprint incorrectly. To use public-key fingerprints, upgrade +to Postfix 2.9.6 or later. </p> + <p>This feature is available with Postfix version 2.2.</p> 
@@ -10895,11 +10899,47 @@ </pre> </blockquote> -<p> Public key fingerprints are more difficult to extract, however, -the SHA-1 public key fingerprint is often present as the value of the -"Subject Key Identifier" extension in X.509v3 certificates. The Postfix -SMTP server and client log the peer certificate fingerprint and public -key fingerprint when TLS loglevel is 1 or higher. </p> +<p> To extract the public key fingerprint from an X.509 certificate, +you need to extract the public key from the certificate and compute +the appropriate digest of its DER (ASN.1) encoding. With OpenSSL +the "-pubkey" option of the "x509" command extracts the public +key always in "PEM" format. We pipe the result to another OpenSSL +command that converts the key to DER and then to the "dgst" command +to compute the fingerprint. </p> + +<p> The actual command to transform the key to DER format depends +on the version of OpenSSL used. With OpenSSL 1.0.0 and later, the +"pkey" command supports all key types. With OpenSSL 0.9.8 and +earlier, the key type is always RSA (nobody uses DSA, and EC +keys are not fully supported by 0.9.8), so the "rsa" command is +used. </p> +<blockquote> +<pre> +# OpenSSL 1.0 with all certificates and SHA-1 fingerprints. +$ openssl x509 -in cert.pem -noout -pubkey | + openssl pkey -pubin -outform DER | + openssl dgst -sha1 -c +(stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:8b:fc:09:1a:61:98:b5:bc:7c:60:58 +</pre> +</blockquote> + +<blockquote> +<pre> +# OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints. +$ openssl x509 -in cert.pem -noout -pubkey | + openssl rsa -pubin -outform DER | + openssl dgst -md5 -c +(stdin)= f4:62:60:f6:12:8f:d5:8d:28:4d:13:a7:db:b2:ff:50 +</pre> +</blockquote> + +<p> The Postfix SMTP server and client log the peer (leaf) certificate +fingerprint and public key fingerprint when TLS loglevel is 1 or +higher. </p> + +<p> <b>Note:</b> Postfix 2.9.0–2.9.5 computed the public key +fingerprint incorrectly. 
To use public-key fingerprints, upgrade +to Postfix 2.9.6 or later. </p> <p> This feature is available in Postfix 2.5 and later. </p> 
@@ -14688,11 +14728,47 @@ </pre> </blockquote> -<p> Public key fingerprints are more difficult to extract, however, -the SHA-1 public key fingerprint is often present as the value of the -"Subject Key Identifier" extension in X.509v3 certificates. The Postfix -SMTP server and client log the peer certificate fingerprint and public -key fingerprint when TLS loglevel is 1 or higher. </p> +<p> To extract the public key fingerprint from an X.509 certificate, +you need to extract the public key from the certificate and compute +the appropriate digest of its DER (ASN.1) encoding. With OpenSSL +the "-pubkey" option of the "x509" command extracts the public +key always in "PEM" format. We pipe the result to another OpenSSL +command that converts the key to DER and then to the "dgst" command +to compute the fingerprint. </p> + +<p> The actual command to transform the key to DER format depends +on the version of OpenSSL used. With OpenSSL 1.0.0 and later, the +"pkey" command supports all key types. With OpenSSL 0.9.8 and +earlier, the key type is always RSA (nobody uses DSA, and EC +keys are not fully supported by 0.9.8), so the "rsa" command is +used. </p> +<blockquote> +<pre> +# OpenSSL 1.0 with all certificates and SHA-1 fingerprints. +$ openssl x509 -in cert.pem -noout -pubkey | + openssl pkey -pubin -outform DER | + openssl dgst -sha1 -c +(stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:8b:fc:09:1a:61:98:b5:bc:7c:60:58 +</pre> +</blockquote> + +<blockquote> +<pre> +# OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints. +$ openssl x509 -in cert.pem -noout -pubkey | + openssl rsa -pubin -outform DER | + openssl dgst -md5 -c +(stdin)= f4:62:60:f6:12:8f:d5:8d:28:4d:13:a7:db:b2:ff:50 +</pre> +</blockquote> + +<p> The Postfix SMTP server and client log the peer (leaf) certificate +fingerprint and public key fingerprint when TLS loglevel is 1 or +higher. </p> + +<p> <b>Note:</b> Postfix 2.9.0–2.9.5 computed the public key +fingerprint incorrectly. 
To use public-key fingerprints, upgrade +to Postfix 2.9.6 or later. </p> <p> Example: client-certificate access table, with sha1 fingerprints: </p> @@ -15586,6 +15662,25 @@ </DD> + +<DT><b><a name="tls_legacy_public_key_fingerprints">tls_legacy_public_key_fingerprints</a> +(default: no)</b></DT><DD> + +<p> A temporary migration aid for sites that use certificate +<i>public-key</i> fingerprints with Postfix 2.9.0..2.9.5, which use +an incorrect algorithm. This parameter has no effect on the certificate +fingerprint support that is available since Postfix 2.2. </p> + +<p> Specify "<a href="postconf.5.html#tls_legacy_public_key_fingerprint">tls_legacy_public_key_fingerprints</a> = yes" temporarily, +pending a migration from configuration files with incorrect Postfix +2.9.0..2.9.5 certificate public-key finger prints, to the correct +fingerprints used by Postfix 2.9.6 and later. To compute the correct +certificate public-key fingerprints, see <a href="TLS_README.html">TLS_README</a>. </p> + +<p> This feature is available in Postfix 2.9.6 and later. </p> + + +</DD> <DT><b><a name="tls_low_cipherlist">tls_low_cipherlist</a> (default: ALL:!EXPORT:+RC4:@STRENGTH)</b></DT><DD> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-2.9.5/man/man5/postconf.5 new/postfix-2.9.6/man/man5/postconf.5 --- old/postfix-2.9.5/man/man5/postconf.5 2012-04-24 21:20:56.000000000 +0200 +++ new/postfix-2.9.6/man/man5/postconf.5 2013-02-03 21:53:46.000000000 +0100 @@ -4887,6 +4887,10 @@ an appropriate \fBaccess\fR(5) policy for each client. See RESTRICTION_CLASS_README. .PP +\fBNote:\fR Postfix 2.9.0–2.9.5 computed the public key +fingerprint incorrectly. To use public-key fingerprints, upgrade +to Postfix 2.9.6 or later. +.PP This feature is available with Postfix version 2.2. .SH relay_destination_concurrency_limit (default: $default_destination_concurrency_limit) The maximal number of parallel deliveries to the same destination 
@@ -6534,11 +6538,56 @@ .ft R .in -4 .PP -Public key fingerprints are more difficult to extract, however, -the SHA-1 public key fingerprint is often present as the value of the -"Subject Key Identifier" extension in X.509v3 certificates. The Postfix -SMTP server and client log the peer certificate fingerprint and public -key fingerprint when TLS loglevel is 1 or higher. +To extract the public key fingerprint from an X.509 certificate, +you need to extract the public key from the certificate and compute +the appropriate digest of its DER (ASN.1) encoding. With OpenSSL +the "-pubkey" option of the "x509" command extracts the public +key always in "PEM" format. We pipe the result to another OpenSSL +command that converts the key to DER and then to the "dgst" command +to compute the fingerprint. +.PP +The actual command to transform the key to DER format depends +on the version of OpenSSL used. With OpenSSL 1.0.0 and later, the +"pkey" command supports all key types. With OpenSSL 0.9.8 and +earlier, the key type is always RSA (nobody uses DSA, and EC +keys are not fully supported by 0.9.8), so the "rsa" command is +used. +.sp +.in +4 +.nf +.na +.ft C +# OpenSSL 1.0 with all certificates and SHA-1 fingerprints. +$ openssl x509 -in cert.pem -noout -pubkey | + openssl pkey -pubin -outform DER | + openssl dgst -sha1 -c +(stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:8b:fc:09:1a:61:98:b5:bc:7c:60:58 +.fi +.ad +.ft R +.in -4 +.sp +.in +4 +.nf +.na +.ft C +# OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints. +$ openssl x509 -in cert.pem -noout -pubkey | + openssl rsa -pubin -outform DER | + openssl dgst -md5 -c +(stdin)= f4:62:60:f6:12:8f:d5:8d:28:4d:13:a7:db:b2:ff:50 +.fi +.ad +.ft R +.in -4 +.PP +The Postfix SMTP server and client log the peer (leaf) certificate +fingerprint and public key fingerprint when TLS loglevel is 1 or +higher. +.PP +\fBNote:\fR Postfix 2.9.0–2.9.5 computed the public key +fingerprint incorrectly. 
To use public-key fingerprints, upgrade +to Postfix 2.9.6 or later. .PP This feature is available in Postfix 2.5 and later. .SH smtp_tls_key_file (default: $smtp_tls_cert_file) 
@@ -9426,11 +9475,56 @@ .ft R .in -4 .PP -Public key fingerprints are more difficult to extract, however, -the SHA-1 public key fingerprint is often present as the value of the -"Subject Key Identifier" extension in X.509v3 certificates. The Postfix -SMTP server and client log the peer certificate fingerprint and public -key fingerprint when TLS loglevel is 1 or higher. +To extract the public key fingerprint from an X.509 certificate, +you need to extract the public key from the certificate and compute +the appropriate digest of its DER (ASN.1) encoding. With OpenSSL +the "-pubkey" option of the "x509" command extracts the public +key always in "PEM" format. We pipe the result to another OpenSSL +command that converts the key to DER and then to the "dgst" command +to compute the fingerprint. +.PP +The actual command to transform the key to DER format depends +on the version of OpenSSL used. With OpenSSL 1.0.0 and later, the +"pkey" command supports all key types. With OpenSSL 0.9.8 and +earlier, the key type is always RSA (nobody uses DSA, and EC +keys are not fully supported by 0.9.8), so the "rsa" command is +used. +.sp +.in +4 +.nf +.na +.ft C +# OpenSSL 1.0 with all certificates and SHA-1 fingerprints. +$ openssl x509 -in cert.pem -noout -pubkey | + openssl pkey -pubin -outform DER | + openssl dgst -sha1 -c +(stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:8b:fc:09:1a:61:98:b5:bc:7c:60:58 +.fi +.ad +.ft R +.in -4 +.sp +.in +4 +.nf +.na +.ft C +# OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints. +$ openssl x509 -in cert.pem -noout -pubkey | + openssl rsa -pubin -outform DER | + openssl dgst -md5 -c +(stdin)= f4:62:60:f6:12:8f:d5:8d:28:4d:13:a7:db:b2:ff:50 +.fi +.ad +.ft R +.in -4 +.PP +The Postfix SMTP server and client log the peer (leaf) certificate +fingerprint and public key fingerprint when TLS loglevel is 1 or +higher. +.PP +\fBNote:\fR Postfix 2.9.0–2.9.5 computed the public key +fingerprint incorrectly. 
To use public-key fingerprints, upgrade +to Postfix 2.9.6 or later. .PP Example: client-certificate access table, with sha1 fingerprints: .sp @@ -10075,6 +10169,19 @@ OpenSSL releases. .PP This feature is available in Postfix 2.3 and later. +.SH tls_legacy_public_key_fingerprints (default: no) +A temporary migration aid for sites that use certificate +\fIpublic-key\fR fingerprints with Postfix 2.9.0..2.9.5, which use +an incorrect algorithm. This parameter has no effect on the certificate +fingerprint support that is available since Postfix 2.2. +.PP +Specify "tls_legacy_public_key_fingerprints = yes" temporarily, +pending a migration from configuration files with incorrect Postfix +2.9.0..2.9.5 certificate public-key finger prints, to the correct +fingerprints used by Postfix 2.9.6 and later. To compute the correct +certificate public-key fingerprints, see TLS_README. +.PP +This feature is available in Postfix 2.9.6 and later. .SH tls_low_cipherlist (default: ALL:!EXPORT:+RC4:@STRENGTH) The OpenSSL cipherlist for "LOW" or higher grade ciphers. This defines the meaning of the "low" setting in smtpd_tls_mandatory_ciphers, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-2.9.5/mantools/postlink new/postfix-2.9.6/mantools/postlink --- old/postfix-2.9.5/mantools/postlink 2011-12-09 19:43:40.000000000 +0100 +++ new/postfix-2.9.6/mantools/postlink 2013-02-03 20:49:54.000000000 +0100 
@@ -689,6 +689,7 @@ s;\btls_preempt_cipherlist\b;<a href="postconf.5.html#tls_preempt_cipherlist">$&</a>;g; s;\btls_disable_workarounds\b;<a href="postconf.5.html#tls_disable_workarounds">$&</a>;g; s;\btls_append_default_CA\b;<a href="postconf.5.html#tls_append_default_CA">$&</a>;g; + s;\btls_legacy_public_key_fingerprints\b;<a href="postconf.5.html#tls_legacy_public_key_fingerprint">$&</a>;g; s;\bfrozen_delivered_to\b;<a href="postconf.5.html#frozen_delivered_to">$&</a>;g; s;\breset_owner_alias\b;<a href="postconf.5.html#reset_owner_alias">$&</a>;g; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-2.9.5/proto/TLS_README.html new/postfix-2.9.6/proto/TLS_README.html --- old/postfix-2.9.5/proto/TLS_README.html 2012-04-24 19:07:22.000000000 +0200 +++ new/postfix-2.9.6/proto/TLS_README.html 2013-02-03 20:49:54.000000000 +0100 
@@ -677,6 +677,39 @@ </pre> </blockquote> +<p> To extract the public key fingerprint from an X.509 certificate, +you need to extract the public key from the certificate and compute +the appropriate digest of its DER (ASN.1) encoding. With OpenSSL +the "-pubkey" option of the "x509" command extracts the public +key always in "PEM" format. We pipe the result to another OpenSSL +command that converts the key to DER and then to the "dgst" command +to compute the fingerprint. </p> + +<p> The actual command to transform the key to DER format depends +on the version of OpenSSL used. With OpenSSL 1.0.0 and later, the +"pkey" command supports all key types. With OpenSSL 0.9.8 and +earlier, the key type is always RSA (nobody uses DSA, and EC +keys are not fully supported by 0.9.8), so the "rsa" command is +used. </p> +<blockquote> +<pre> +# OpenSSL 1.0 with all certificates and SHA-1 fingerprints. +$ openssl x509 -in cert.pem -noout -pubkey | + openssl pkey -pubin -outform DER | + openssl dgst -sha1 -c +(stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:8b:fc:09:1a:61:98:b5:bc:7c:60:58 + +# OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints. +$ openssl x509 -in cert.pem -noout -pubkey | + openssl rsa -pubin -outform DER | + openssl dgst -md5 -c +(stdin)= f4:62:60:f6:12:8f:d5:8d:28:4d:13:a7:db:b2:ff:50 +</pre> +</blockquote> +<p> Note: Postfix 2.9.0–2.9.5 computed the public key +fingerprint incorrectly. To use public-key fingerprints, upgrade +to Postfix 2.9.6 or later. </p> + <h3><a name="server_cipher">Server-side cipher controls</a> </h3> <p> The Postfix SMTP server supports 5 distinct cipher security levels 
@@ -1074,7 +1107,7 @@ not checked. Instead, the smtp_tls_fingerprint_cert_match parameter or the "match" attribute in the <a href="#client_tls_policy">policy</a> table lists the remote SMTP server certificate fingerprint or -public key fingerprint (Postfix 2.9 and later). +public key fingerprint (Postfix 2.9 and later). </p> <p> If certificate fingerprints are exchanged securely, this is the strongest, and least scalable security level. The administrator needs 
@@ -1136,6 +1169,39 @@ </pre> </blockquote> +<p> To extract the public key fingerprint from an X.509 certificate, +you need to extract the public key from the certificate and compute +the appropriate digest of its DER (ASN.1) encoding. With OpenSSL +the "-pubkey" option of the "x509" command extracts the public +key always in "PEM" format. We pipe the result to another OpenSSL +command that converts the key to DER and then to the "dgst" command +to compute the fingerprint. </p> + +<p> The actual command to transform the key to DER format depends +on the version of OpenSSL used. With OpenSSL 1.0.0 and later, the +"pkey" command supports all key types. With OpenSSL 0.9.8 and +earlier, the key type is always RSA (nobody uses DSA, and EC +keys are not fully supported by 0.9.8), so the "rsa" command is +used. </p> +<blockquote> +<pre> +# OpenSSL 1.0 with all certificates and SHA-1 fingerprints. +$ openssl x509 -in cert.pem -noout -pubkey | + openssl pkey -pubin -outform DER | + openssl dgst -sha1 -c +(stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:8b:fc:09:1a:61:98:b5:bc:7c:60:58 + +# OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints. +$ openssl x509 -in cert.pem -noout -pubkey | + openssl rsa -pubin -outform DER | + openssl dgst -md5 -c +(stdin)= f4:62:60:f6:12:8f:d5:8d:28:4d:13:a7:db:b2:ff:50 +</pre> +</blockquote> +<p> Note: Postfix 2.9.0–2.9.5 computed the public key +fingerprint incorrectly. To use public-key fingerprints, upgrade +to Postfix 2.9.6 or later. </p> + <h4><a name="client_tls_verify"> Mandatory server certificate verification </a> </h4> <p> At the "verify" TLS security level, messages are sent only over diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-2.9.5/proto/postconf.proto new/postfix-2.9.6/proto/postconf.proto --- old/postfix-2.9.5/proto/postconf.proto 2012-04-24 19:07:22.000000000 +0200 +++ new/postfix-2.9.6/proto/postconf.proto 2013-02-03 21:53:34.000000000 +0100 
@@ -9065,6 +9065,10 @@ an appropriate access(5) policy for each client. See RESTRICTION_CLASS_README.</p> +<p> <b>Note:</b> Postfix 2.9.0–2.9.5 computed the public key +fingerprint incorrectly. To use public-key fingerprints, upgrade +to Postfix 2.9.6 or later. </p> + <p>This feature is available with Postfix version 2.2.</p> %PARAM smtpd_tls_cipherlist 
@@ -11489,11 +11493,47 @@ </pre> </blockquote> -<p> Public key fingerprints are more difficult to extract, however, -the SHA-1 public key fingerprint is often present as the value of the -"Subject Key Identifier" extension in X.509v3 certificates. The Postfix -SMTP server and client log the peer certificate fingerprint and public -key fingerprint when TLS loglevel is 1 or higher. </p> +<p> To extract the public key fingerprint from an X.509 certificate, +you need to extract the public key from the certificate and compute +the appropriate digest of its DER (ASN.1) encoding. With OpenSSL +the "-pubkey" option of the "x509" command extracts the public +key always in "PEM" format. We pipe the result to another OpenSSL +command that converts the key to DER and then to the "dgst" command +to compute the fingerprint. </p> + +<p> The actual command to transform the key to DER format depends +on the version of OpenSSL used. With OpenSSL 1.0.0 and later, the +"pkey" command supports all key types. With OpenSSL 0.9.8 and +earlier, the key type is always RSA (nobody uses DSA, and EC +keys are not fully supported by 0.9.8), so the "rsa" command is +used. </p> +<blockquote> +<pre> +# OpenSSL 1.0 with all certificates and SHA-1 fingerprints. +$ openssl x509 -in cert.pem -noout -pubkey | + openssl pkey -pubin -outform DER | + openssl dgst -sha1 -c +(stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:8b:fc:09:1a:61:98:b5:bc:7c:60:58 +</pre> +</blockquote> + +<blockquote> +<pre> +# OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints. +$ openssl x509 -in cert.pem -noout -pubkey | + openssl rsa -pubin -outform DER | + openssl dgst -md5 -c +(stdin)= f4:62:60:f6:12:8f:d5:8d:28:4d:13:a7:db:b2:ff:50 +</pre> +</blockquote> + +<p> The Postfix SMTP server and client log the peer (leaf) certificate +fingerprint and public key fingerprint when TLS loglevel is 1 or +higher. </p> + +<p> <b>Note:</b> Postfix 2.9.0–2.9.5 computed the public key +fingerprint incorrectly. 
To use public-key fingerprints, upgrade +to Postfix 2.9.6 or later. </p> <p> This feature is available in Postfix 2.5 and later. </p> 
@@ -11607,11 +11647,47 @@ </pre> </blockquote> -<p> Public key fingerprints are more difficult to extract, however, -the SHA-1 public key fingerprint is often present as the value of the -"Subject Key Identifier" extension in X.509v3 certificates. The Postfix -SMTP server and client log the peer certificate fingerprint and public -key fingerprint when TLS loglevel is 1 or higher. </p> +<p> To extract the public key fingerprint from an X.509 certificate, +you need to extract the public key from the certificate and compute +the appropriate digest of its DER (ASN.1) encoding. With OpenSSL +the "-pubkey" option of the "x509" command extracts the public +key always in "PEM" format. We pipe the result to another OpenSSL +command that converts the key to DER and then to the "dgst" command +to compute the fingerprint. </p> + +<p> The actual command to transform the key to DER format depends +on the version of OpenSSL used. With OpenSSL 1.0.0 and later, the +"pkey" command supports all key types. With OpenSSL 0.9.8 and +earlier, the key type is always RSA (nobody uses DSA, and EC +keys are not fully supported by 0.9.8), so the "rsa" command is +used. </p> +<blockquote> +<pre> +# OpenSSL 1.0 with all certificates and SHA-1 fingerprints. +$ openssl x509 -in cert.pem -noout -pubkey | + openssl pkey -pubin -outform DER | + openssl dgst -sha1 -c +(stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:8b:fc:09:1a:61:98:b5:bc:7c:60:58 +</pre> +</blockquote> + +<blockquote> +<pre> +# OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints. +$ openssl x509 -in cert.pem -noout -pubkey | + openssl rsa -pubin -outform DER | + openssl dgst -md5 -c +(stdin)= f4:62:60:f6:12:8f:d5:8d:28:4d:13:a7:db:b2:ff:50 +</pre> +</blockquote> + +<p> The Postfix SMTP server and client log the peer (leaf) certificate +fingerprint and public key fingerprint when TLS loglevel is 1 or +higher. </p> + +<p> <b>Note:</b> Postfix 2.9.0–2.9.5 computed the public key +fingerprint incorrectly. 
To use public-key fingerprints, upgrade +to Postfix 2.9.6 or later. </p> <p> Example: client-certificate access table, with sha1 fingerprints: </p> @@ -13869,6 +13945,21 @@ <p> This feature is available in Postfix 2.8 and later. </p> +%PARAM tls_legacy_public_key_fingerprints no + +<p> A temporary migration aid for sites that use certificate +<i>public-key</i> fingerprints with Postfix 2.9.0..2.9.5, which use +an incorrect algorithm. This parameter has no effect on the certificate +fingerprint support that is available since Postfix 2.2. </p> + +<p> Specify "tls_legacy_public_key_fingerprints = yes" temporarily, +pending a migration from configuration files with incorrect Postfix +2.9.0..2.9.5 certificate public-key finger prints, to the correct +fingerprints used by Postfix 2.9.6 and later. To compute the correct +certificate public-key fingerprints, see TLS_README. </p> + +<p> This feature is available in Postfix 2.9.6 and later. </p> + %PARAM tlsproxy_watchdog_timeout 10s <p> How much time a tlsproxy(8) process may take to process local diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-2.9.5/src/global/mail_params.h new/postfix-2.9.6/src/global/mail_params.h --- old/postfix-2.9.5/src/global/mail_params.h 2012-04-24 19:07:22.000000000 +0200 +++ new/postfix-2.9.6/src/global/mail_params.h 2013-02-03 20:49:54.000000000 +0100 
@@ -3035,6 +3035,10 @@ #define DEF_TLS_BUG_TWEAKS TLS_BUG_TWEAKS extern char *var_tls_bug_tweaks; +#define VAR_TLS_BC_PKEY_FPRINT "tls_legacy_public_key_fingerprints" +#define DEF_TLS_BC_PKEY_FPRINT 0 +extern bool var_tls_bc_pkey_fprint; + /* * Sendmail-style mail filter support. */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-2.9.5/src/global/mail_version.h new/postfix-2.9.6/src/global/mail_version.h --- old/postfix-2.9.5/src/global/mail_version.h 2012-12-13 01:38:59.000000000 +0100 +++ new/postfix-2.9.6/src/global/mail_version.h 2013-02-03 21:46:53.000000000 +0100 @@ -20,8 +20,8 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20121213" -#define MAIL_VERSION_NUMBER "2.9.5" +#define MAIL_RELEASE_DATE "20130203" +#define MAIL_VERSION_NUMBER "2.9.6" #ifdef SNAPSHOT # define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-2.9.5/src/postconf/Makefile.in new/postfix-2.9.6/src/postconf/Makefile.in --- old/postfix-2.9.5/src/postconf/Makefile.in 2012-01-22 16:55:21.000000000 +0100 +++ new/postfix-2.9.6/src/postconf/Makefile.in 2013-01-05 20:59:51.000000000 +0100 @@ -42,7 +42,7 @@ tests: test1 test2 test3 test4 test5 test6 test7 test8 test9 test10 test11 \ test12 test13 test14 test15 test16 test17 test18 test19 test20 test21 \ - test22 test23 test24 test25 test26 test27 test28 test29 test30 + test22 test23 test24 test25 test26 test27 test28 test29 test30 test40 root_tests: 
@@ -414,6 +414,17 @@ diff test30.ref test30.tmp rm -f main.cf master.cf test30.tmp +test40: $(PROG) test40.ref + rm -f main.cf master.cf + touch main.cf master.cf + echo foo unix - n n - 0 other >> master.cf + echo ' -voaaa=bbb' >> master.cf + echo ' -vo ccc=$$aaa' >> master.cf + echo ' -v -oddd=$$ccc' >> master.cf + ./$(PROG) -Mfc . unix >test40.tmp 2>&1 + diff test40.ref test40.tmp + rm -f main.cf master.cf test40.tmp + printfck: $(OBJS) $(PROG) rm -rf printfck mkdir printfck diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-2.9.5/src/postconf/postconf_master.c new/postfix-2.9.6/src/postconf/postconf_master.c --- old/postfix-2.9.5/src/postconf/postconf_master.c 2012-01-21 22:11:38.000000000 +0100 +++ new/postfix-2.9.6/src/postconf/postconf_master.c 2012-12-31 22:23:52.000000000 +0100 @@ -74,6 +74,8 @@ { int field; char *arg; + char *cp; + char *junk; /* * Normalize options to simplify later processing. @@ -82,6 +84,16 @@ arg = argv->argv[field]; if (arg[0] != '-' || strcmp(arg, "--") == 0) break; + for (cp = arg + 1; *cp; cp++) { + if (*cp == 'o' && cp > arg + 1) { + /* Split "-stuffo" into "-stuff" and "-o". */ + junk = concatenate("-", cp, (char *) 0); + argv_insert_one(argv, field + 1, junk); + myfree(junk); + *cp = 0; + break; + } + } if (strncmp(arg, "-o", 2) == 0) { if (arg[2] != 0) { /* Split "-oname=value" into "-o" "name=value". */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-2.9.5/src/postconf/test40.ref new/postfix-2.9.6/src/postconf/test40.ref --- old/postfix-2.9.5/src/postconf/test40.ref 1970-01-01 01:00:00.000000000 +0100 +++ new/postfix-2.9.6/src/postconf/test40.ref 2012-12-31 22:32:31.000000000 +0100 
@@ -0,0 +1,4 @@ +foo unix - n n - 0 other -v + -o aaa=bbb -v + -o ccc=$aaa -v + -o ddd=$ccc diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-2.9.5/src/tls/Makefile.in new/postfix-2.9.6/src/tls/Makefile.in --- old/postfix-2.9.5/src/tls/Makefile.in 2012-01-22 16:55:15.000000000 +0100 +++ new/postfix-2.9.6/src/tls/Makefile.in 2013-02-03 21:17:01.000000000 +0100 @@ -319,6 +319,7 @@ tls_stream.o: tls.h tls_stream.o: tls_stream.c tls_verify.o: ../../include/argv.h +tls_verify.o: ../../include/mail_params.h tls_verify.o: ../../include/msg.h tls_verify.o: ../../include/mymalloc.h tls_verify.o: ../../include/name_code.h diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-2.9.5/src/tls/tls_misc.c new/postfix-2.9.6/src/tls/tls_misc.c --- old/postfix-2.9.5/src/tls/tls_misc.c 2012-04-23 00:08:04.000000000 +0200 +++ new/postfix-2.9.6/src/tls/tls_misc.c 2013-02-03 20:58:42.000000000 +0100 @@ -17,6 +17,7 @@ /* int var_tls_daemon_rand_bytes; /* bool var_tls_append_def_CA; /* bool var_tls_preempt_clist; +/* bool var_tls_bc_pkey_fprint; /* /* TLS_APPL_STATE *tls_alloc_app_context(ssl_ctx, log_mask) /* SSL_CTX *ssl_ctx; @@ -205,6 +206,7 @@ char *var_tls_eecdh_ultra; bool var_tls_append_def_CA; char *var_tls_bug_tweaks; +bool var_tls_bc_pkey_fprint; #ifdef VAR_TLS_PREEMPT_CLIST bool var_tls_preempt_clist; @@ -510,8 +512,10 @@ else include |= code = name_code(protocol_table, NAME_CODE_FLAG_NONE, tok); - if (code == TLS_PROTOCOL_INVALID) + if (code == TLS_PROTOCOL_INVALID) { + myfree(save); return TLS_PROTOCOL_INVALID; + } } myfree(save); 
@@ -546,6 +550,7 @@ }; static const CONFIG_BOOL_TABLE bool_table[] = { VAR_TLS_APPEND_DEF_CA, DEF_TLS_APPEND_DEF_CA, &var_tls_append_def_CA, + VAR_TLS_BC_PKEY_FPRINT, DEF_TLS_BC_PKEY_FPRINT, &var_tls_bc_pkey_fprint, #if OPENSSL_VERSION_NUMBER >= 0x0090700fL /* OpenSSL 0.9.7 and later */ VAR_TLS_PREEMPT_CLIST, DEF_TLS_PREEMPT_CLIST, &var_tls_preempt_clist, #endif diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-2.9.5/src/tls/tls_verify.c new/postfix-2.9.6/src/tls/tls_verify.c --- old/postfix-2.9.5/src/tls/tls_verify.c 2011-12-05 22:03:07.000000000 +0100 +++ new/postfix-2.9.6/src/tls/tls_verify.c 2013-02-03 20:49:54.000000000 +0100 @@ -23,6 +23,10 @@ /* X509 *peercert; /* const char *dgst; /* +/* char *tls_pkey_fprint(peercert, dgst) +/* X509 *peercert; +/* const char *dgst; +/* /* int tls_verify_certificate_callback(ok, ctx) /* int ok; /* X509_STORE_CTX *ctx; @@ -50,6 +54,11 @@ /* value is dynamically allocated with mymalloc(), and the caller /* must eventually free it with myfree(). /* +/* tls_pkey_fprint() returns a public-key fingerprint; in all +/* other respects the function behaves as tls_fingerprint(). +/* The var_tls_bc_pkey_fprint variable enables an incorrect +/* algorithm that was used in Postfix versions 2.9.[0-5]. +/* /* tls_verify_callback() is called several times (directly or /* indirectly) from crypto/x509/x509_vfy.c. It is called as /* a final check, and if it returns "0", the handshake is @@ -140,6 +149,10 @@ #include <mymalloc.h> #include <stringops.h> +/* Global library. */ + +#include <mail_params.h> + /* TLS library. */ #define TLS_INTERNAL 
@@ -490,14 +503,12 @@ return (cn ? cn : mystrdup("")); } -typedef int (*x509_dgst_cb) (const X509 *, const EVP_MD *, unsigned char *, unsigned int *); - -/* tls_fprint - extract cert or pkey fingerprint from certificate */ +/* tls_fprint - compute and encode digest of DER-encoded object */ -static char *tls_fprint(X509 *peercert, x509_dgst_cb x509_dgst, - const char *dgst) +static char *tls_fprint(const char *buf, int len, const char *dgst) { - const char *myname = "tls_fingerprint"; + const char *myname = "tls_fprint"; + EVP_MD_CTX *mdctx; const EVP_MD *md_alg; unsigned char md_buf[EVP_MAX_MD_SIZE]; unsigned int md_len; @@ -508,10 +519,12 @@ if ((md_alg = EVP_get_digestbyname(dgst)) == 0) msg_panic("%s: digest algorithm \"%s\" not found", myname, dgst); - /* Fails when serialization to ASN.1 runs out of memory */ - if (x509_dgst(peercert, md_alg, md_buf, &md_len) == 0) - msg_fatal("%s: error computing certificate %s digest (out of memory?)", - myname, dgst); + mdctx = EVP_MD_CTX_create(); + if (EVP_DigestInit_ex(mdctx, md_alg, NULL) == 0 + || EVP_DigestUpdate(mdctx, buf, len) == 0 + || EVP_DigestFinal_ex(mdctx, md_buf, &md_len) == 0) + msg_fatal("%s: error computing %s message digest", myname, dgst); + EVP_MD_CTX_destroy(mdctx); /* Check for OpenSSL contract violation */ if (md_len > EVP_MAX_MD_SIZE || md_len >= INT_MAX / 3) 
@@ -531,14 +544,55 @@ char *tls_fingerprint(X509 *peercert, const char *dgst) { - return (tls_fprint(peercert, X509_digest, dgst)); + int len; + char *buf; + char *buf2; + char *result; + + len = i2d_X509(peercert, NULL); + buf2 = buf = mymalloc(len); + i2d_X509(peercert, (unsigned char **)&buf2); + if (buf2 - buf != len) + msg_panic("i2d_X509 invalid result length"); + + result = tls_fprint(buf, len, dgst); + myfree(buf); + + return (result); } /* tls_pkey_fprint - extract public key fingerprint from certificate */ char *tls_pkey_fprint(X509 *peercert, const char *dgst) { - return (tls_fprint(peercert, X509_pubkey_digest, dgst)); + if (var_tls_bc_pkey_fprint) { + const char *myname = "tls_pkey_fprint"; + ASN1_BIT_STRING *key; + char *result; + + key = X509_get0_pubkey_bitstr(peercert); + if (key == 0) + msg_fatal("%s: error extracting legacy public-key fingerprint: %m", + myname); + + result = tls_fprint((char *) key->data, key->length, dgst); + return (result); + } else { + int len; + char *buf; + char *buf2; + char *result; + + len = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(peercert), NULL); + buf2 = buf = mymalloc(len); + i2d_X509_PUBKEY(X509_get_X509_PUBKEY(peercert), (unsigned char **) &buf2); + if (buf2 - buf != len) + msg_panic("i2d_X509_PUBKEY invalid result length"); + + result = tls_fprint(buf, len, dgst); + myfree(buf); + return (result); + } } #endif diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-2.9.5/src/util/exec_command.c new/postfix-2.9.6/src/util/exec_command.c --- old/postfix-2.9.5/src/util/exec_command.c 2005-01-19 02:22:18.000000000 +0100 +++ new/postfix-2.9.6/src/util/exec_command.c 2013-02-01 22:52:30.000000000 +0100 
@@ -63,7 +63,8 @@ /* * See if this command contains any shell magic characters. */ - if (command[strspn(command, ok_chars)] == 0) { + if (command[strspn(command, ok_chars)] == 0 + && command[strspn(command, SPACE_TAB)] != 0) { /* * No shell meta characters found, so we can try to avoid the overhead
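Review bot: in the new tls_legacy_public_key_fingerprints parameter text (hunk @@ -13869,6 +13945,21 @@), "finger prints" in "certificate public-key finger prints" should read "fingerprints", as it does everywhere else in the patch. The version range is also written two ways, "2.9.0–2.9.5" in the TLS notes and "2.9.0..2.9.5" here; use one form throughout.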
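Review bot: the scan added to the option-normalization loop in postconf_master.c (hunk @@ -82,6 +84,16 @@) splits at the first 'o' found anywhere after the first option letter (*cp == 'o' && cp > arg + 1), so it assumes every character before it is a flag without a value. An argument whose earlier option carries an attached value containing 'o' would be cut in the middle of that value. Either state that assumption in the "Split "-stuffo"" comment, or stop scanning at the first character that is not a known value-less flag. test40 only exercises clusters that start with -v.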
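Review bot: in tls_fprint() (hunk @@ -508,10 +519,12 @@), the result of EVP_MD_CTX_create() is passed to EVP_DigestInit_ex() without a null check. The removed code reported an out-of-memory failure explicitly, and the context allocation can fail the same way; test mdctx == 0 and call msg_fatal() before the digest calls.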
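Review bot: in tls_fingerprint() and in the non-legacy branch of tls_pkey_fprint() (hunk @@ -531,14 +544,55 @@), the length from the sizing call (i2d_X509(peercert, NULL), i2d_X509_PUBKEY(..., NULL)) goes straight into mymalloc(len), and the only check, buf2 - buf != len, runs after the second encoding call has already written into the buffer. The i2d functions return a negative value on error, so reject len <= 0 before allocating. In the legacy branch the msg_fatal() format ends in %m, but a null return from X509_get0_pubkey_bitstr() is not an errno failure, so the appended system error text will be unrelated; drop the %m there.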
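Review bot: the comment above the changed condition in exec_command.c (hunk @@ -63,7 +63,8 @@) still says only "See if this command contains any shell magic characters", while the added clause command[strspn(command, SPACE_TAB)] != 0 now also keeps an empty or all-whitespace command out of the direct-exec branch. Add a sentence to the comment saying that and why, so the second test is not read as redundant later.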