commit postfix for openSUSE:Factory

h_root Thu, 07 Feb 2013 05:28:51 -0800

Hello community,

here is the log from the commit of package postfix for openSUSE:Factory checked 
in at 2013-02-07 14:28:41
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/postfix (Old)
 and      /work/SRC/openSUSE:Factory/.postfix.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


Package is "postfix", Maintainer is "vark...@suse.com"

Changes:
--------
--- /work/SRC/openSUSE:Factory/postfix/postfix.changes  2013-01-21 
17:44:44.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.postfix.new/postfix.changes     2013-02-07 
14:28:43.000000000 +0100
@@ -1,0 +2,13 @@
+Wed Feb  6 19:56:57 UTC 2013 - vark...@suse.com
+
+- update to 2,9.6 
+  Bugfix: the local(8) delivery agent dereferenced a null pointer
+   while delivering to null command (for example, "|" in a .forward file).
+  Bugfix: memory leak in program initialization. tls/tls_misc.c.
+  Bugfix: he undocumented OpenSSL X509_pubkey_digest() function is 
+   unsuitable for computing certificate PUBLIC KEY fingerprints. 
+   Postfix now provides a correct procedure that accounts for
+   the algorithm and parameters in addition to the key data.  Specify 
+   "tls_legacy_public_key_fingerprints = yes" if you need backwards 
compatibility. 
+
+-------------------------------------------------------------------

Old:
----
  postfix-2.9.5.tar.bz2

New:
----
  postfix-2.9.6.tar.bz2

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ postfix.spec ++++++
--- /var/tmp/diff_new_pack.R9eY8K/_old  2013-02-07 14:28:45.000000000 +0100
+++ /var/tmp/diff_new_pack.R9eY8K/_new  2013-02-07 14:28:45.000000000 +0100
@@ -20,7 +20,7 @@
 Summary:        A fast, secure, and flexible mailer
 License:        IPL-1.0
 Group:          Productivity/Networking/Email/Servers
-Version:        2.9.5
+Version:        2.9.6
 Release:        0
 Url:            http://www.postfix.org/
 Source:         %{name}-%{version}.tar.bz2

++++++ postfix-2.9.5.tar.bz2 -> postfix-2.9.6.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/postfix-2.9.5/HISTORY new/postfix-2.9.6/HISTORY
--- old/postfix-2.9.5/HISTORY   2012-12-10 15:03:51.000000000 +0100
+++ new/postfix-2.9.6/HISTORY   2013-02-03 21:14:13.000000000 +0100
@@ -17756,3 +17756,30 @@
        This part of the code is not documented and had escaped
        testing.  Files: util/ip_match.c, util/ip_match.in,
        util/ip_match.ref.
+
+20121230
+
+       Bugfix (omission in feature 20111106): the postconf(1)
+       master.cf options parser didn't support "clusters" of
+       command-line option letters. File: postconf/postconf_master.c,
+       postconf/test40.ref.
+
+20130131
+
+       Bugfix: the local(8) delivery agent dereferenced a null
+       pointer while delivering to null command (for example, "|"
+       in a .forward file).  Reported by Gilles Chehade.
+
+20130203
+
+       Bugfix: the undocumented OpenSSL X509_pubkey_digest()
+       function is unsuitable for computing certificate PUBLIC KEY
+       fingerprints.  Postfix now provides a correct procedure
+       that accounts for the algorithm and parameters in addition
+       to the key data.  Specify "tls_legacy_public_key_fingerprints
+       = yes" if you need backwards compatibility. Fix by Victor
+       Duchovni, BC added by Wietse.  Files: tls/tls_verify.c,
+       tls/tls_misc.c, proto/TLS_README.html, global/mail_params.h.
+
+       Bugfix: the 20121010 fix for tls_misc.c was documented but
+       not included.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/postfix-2.9.5/README_FILES/TLS_README 
new/postfix-2.9.6/README_FILES/TLS_README
--- old/postfix-2.9.5/README_FILES/TLS_README   2012-04-24 21:20:56.000000000 
+0200
+++ new/postfix-2.9.6/README_FILES/TLS_README   2013-02-03 20:50:27.000000000 
+0100
@@ -462,6 +462,34 @@
     /etc/postfix/relay_clientcerts:
         D7:04:2F:A7:0B:8C:A5:21:FA:31:77:E1:41:8A:EE:80 lutzpc.at.home
 
+To extract the public key fingerprint from an X.509 certificate, you need to
+extract the public key from the certificate and compute the appropriate digest
+of its DER (ASN.1) encoding. With OpenSSL the "-pubkey" option of the "x509"
+command extracts the public key always in "PEM" format. We pipe the result to
+another OpenSSL command that converts the key to DER and then to the "dgst"
+command to compute the fingerprint.
+
+The actual command to transform the key to DER format depends on the version of
+OpenSSL used. With OpenSSL 1.0.0 and later, the "pkey" command supports all key
+types. With OpenSSL 0.9.8 and earlier, the key type is always RSA (nobody uses
+DSA, and EC keys are not fully supported by 0.9.8), so the "rsa" command is
+used.
+
+    # OpenSSL 1.0 with all certificates and SHA-1 fingerprints.
+    $ openssl x509 -in cert.pem -noout -pubkey |
+        openssl pkey -pubin -outform DER |
+        openssl dgst -sha1 -c
+    (stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:8b:fc:09:1a:61:98:b5:bc:7c:60:58
+
+    # OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints.
+    $ openssl x509 -in cert.pem -noout -pubkey |
+        openssl rsa -pubin -outform DER |
+        openssl dgst -md5 -c
+    (stdin)= f4:62:60:f6:12:8f:d5:8d:28:4d:13:a7:db:b2:ff:50
+
+Note: Postfix 2.9.0-2.9.5 computed the public key fingerprint incorrectly. To
+use public-key fingerprints, upgrade to Postfix 2.9.6 or later.
+
 SSeerrvveerr--ssiiddee cciipphheerr ccoonnttrroollss
 
 The Postfix SMTP server supports 5 distinct cipher security levels as specified
@@ -823,6 +851,34 @@
             match=3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
             match=EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
 
+To extract the public key fingerprint from an X.509 certificate, you need to
+extract the public key from the certificate and compute the appropriate digest
+of its DER (ASN.1) encoding. With OpenSSL the "-pubkey" option of the "x509"
+command extracts the public key always in "PEM" format. We pipe the result to
+another OpenSSL command that converts the key to DER and then to the "dgst"
+command to compute the fingerprint.
+
+The actual command to transform the key to DER format depends on the version of
+OpenSSL used. With OpenSSL 1.0.0 and later, the "pkey" command supports all key
+types. With OpenSSL 0.9.8 and earlier, the key type is always RSA (nobody uses
+DSA, and EC keys are not fully supported by 0.9.8), so the "rsa" command is
+used.
+
+    # OpenSSL 1.0 with all certificates and SHA-1 fingerprints.
+    $ openssl x509 -in cert.pem -noout -pubkey |
+        openssl pkey -pubin -outform DER |
+        openssl dgst -sha1 -c
+    (stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:8b:fc:09:1a:61:98:b5:bc:7c:60:58
+
+    # OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints.
+    $ openssl x509 -in cert.pem -noout -pubkey |
+        openssl rsa -pubin -outform DER |
+        openssl dgst -md5 -c
+    (stdin)= f4:62:60:f6:12:8f:d5:8d:28:4d:13:a7:db:b2:ff:50
+
+Note: Postfix 2.9.0-2.9.5 computed the public key fingerprint incorrectly. To
+use public-key fingerprints, upgrade to Postfix 2.9.6 or later.
+
 MMaannddaattoorryy sseerrvveerr 
cceerrttiiffiiccaattee vveerriiffiiccaattiioonn
 
 At the "verify" TLS security level, messages are sent only over TLS encrypted
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/postfix-2.9.5/RELEASE_NOTES 
new/postfix-2.9.6/RELEASE_NOTES
--- old/postfix-2.9.5/RELEASE_NOTES     2012-04-24 21:58:33.000000000 +0200
+++ new/postfix-2.9.6/RELEASE_NOTES     2013-02-03 21:22:53.000000000 +0100
@@ -14,6 +14,36 @@
 If you upgrade from Postfix 2.7 or earlier, read RELEASE_NOTES-2.8
 before proceeding.
 
+Major changes with Postfix 2.9.6
+--------------------------------
+
+Thanks to OpenSSL documentation, the Postfix 2.9.0..2.9.5 SMTP
+client and server computed incorrect TLS certificate PUBLIC-KEY
+fingerprints.  Support for certificate PUBLIC-KEY finger prints
+was introduced with Postfix 2.9; there is no known problem with the
+certificate fingerprint algorithms available since Postfix 2.2.
+
+Certificate PUBLIC-KEY finger prints may be used in the Postfix
+SMTP server (with "check_ccert_access") and in the Postfix SMTP
+client (with the "fingerprint" security level).  
+
+Specify "tls_legacy_public_key_fingerprints = yes" temporarily, 
+pending a migration from configuration files with incorrect Postfix
+2.9.0..2.9.5 certificate PUBLIC-KEY finger prints, to the correct
+fingerprints used by Postfix 2.9.6 and later.
+
+To compute the correct PUBLIC-KEY finger prints:
+
+# OpenSSL 1.0 with all certificates and SHA-1 fingerprints.
+$ openssl x509 -in cert.pem -noout -pubkey | \
+    openssl pkey -pubin -outform DER | \
+    openssl dgst -sha1 -c
+
+# OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints.
+$ openssl x509 -in cert.pem -noout -pubkey | \
+    openssl rsa -pubin -outform DER | \
+    openssl dgst -md5 -c
+
 Major changes with Postfix 2.9.2
 --------------------------------
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/postfix-2.9.5/html/TLS_README.html 
new/postfix-2.9.6/html/TLS_README.html
--- old/postfix-2.9.5/html/TLS_README.html      2012-04-24 21:20:54.000000000 
+0200
+++ new/postfix-2.9.6/html/TLS_README.html      2013-02-03 20:50:24.000000000 
+0100
@@ -677,6 +677,39 @@
 </pre>
 </blockquote>
 
+<p> To extract the public key fingerprint from an X.509 certificate,
+you need to extract the public key from the certificate and compute
+the appropriate digest of its DER (ASN.1) encoding. With OpenSSL
+the "-pubkey" option of the "x509" command extracts the public
+key always in "PEM" format. We pipe the result to another OpenSSL
+command that converts the key to DER and then to the "dgst" command
+to compute the fingerprint. </p>
+
+<p> The actual command to transform the key to DER format depends
+on the version of OpenSSL used. With OpenSSL 1.0.0 and later, the
+"pkey" command supports all key types. With OpenSSL 0.9.8 and
+earlier, the key type is always RSA (nobody uses DSA, and EC
+keys are not fully supported by 0.9.8), so the "rsa" command is
+used. </p>
+<blockquote>
+<pre>
+# OpenSSL 1.0 with all certificates and SHA-1 fingerprints.
+$ openssl x509 -in cert.pem -noout -pubkey |
+    openssl pkey -pubin -outform DER |
+    openssl dgst -sha1 -c
+(stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:8b:fc:09:1a:61:98:b5:bc:7c:60:58
+
+# OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints.
+$ openssl x509 -in cert.pem -noout -pubkey |
+    openssl rsa -pubin -outform DER |
+    openssl dgst -md5 -c
+(stdin)= f4:62:60:f6:12:8f:d5:8d:28:4d:13:a7:db:b2:ff:50
+</pre>
+</blockquote>
+<p> Note: Postfix 2.9.0&ndash;2.9.5 computed the public key
+fingerprint incorrectly. To use public-key fingerprints, upgrade
+to Postfix 2.9.6 or later. </p>
+
 <h3><a name="server_cipher">Server-side cipher controls</a> </h3>
 
 <p> The Postfix SMTP server supports 5 distinct cipher security levels
@@ -1074,7 +1107,7 @@
 not checked. Instead, the <a 
href="postconf.5.html#smtp_tls_fingerprint_cert_match">smtp_tls_fingerprint_cert_match</a>
 parameter
 or the "match" attribute in the <a href="#client_tls_policy">policy</a>
 table lists the remote SMTP server certificate fingerprint or
-public key fingerprint (Postfix 2.9 and later).
+public key fingerprint (Postfix 2.9 and later). </p>
 
 <p> If certificate fingerprints are exchanged securely, this is the
 strongest, and least scalable security level. The administrator needs
@@ -1136,6 +1169,39 @@
 </pre>
 </blockquote>
 
+<p> To extract the public key fingerprint from an X.509 certificate,
+you need to extract the public key from the certificate and compute
+the appropriate digest of its DER (ASN.1) encoding. With OpenSSL
+the "-pubkey" option of the "x509" command extracts the public
+key always in "PEM" format. We pipe the result to another OpenSSL
+command that converts the key to DER and then to the "dgst" command
+to compute the fingerprint. </p>
+
+<p> The actual command to transform the key to DER format depends
+on the version of OpenSSL used. With OpenSSL 1.0.0 and later, the
+"pkey" command supports all key types. With OpenSSL 0.9.8 and
+earlier, the key type is always RSA (nobody uses DSA, and EC
+keys are not fully supported by 0.9.8), so the "rsa" command is
+used. </p>
+<blockquote>
+<pre>
+# OpenSSL 1.0 with all certificates and SHA-1 fingerprints.
+$ openssl x509 -in cert.pem -noout -pubkey |
+    openssl pkey -pubin -outform DER |
+    openssl dgst -sha1 -c
+(stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:8b:fc:09:1a:61:98:b5:bc:7c:60:58
+
+# OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints.
+$ openssl x509 -in cert.pem -noout -pubkey |
+    openssl rsa -pubin -outform DER |
+    openssl dgst -md5 -c
+(stdin)= f4:62:60:f6:12:8f:d5:8d:28:4d:13:a7:db:b2:ff:50
+</pre>
+</blockquote>
+<p> Note: Postfix 2.9.0&ndash;2.9.5 computed the public key
+fingerprint incorrectly. To use public-key fingerprints, upgrade
+to Postfix 2.9.6 or later. </p>
+
 <h4><a name="client_tls_verify"> Mandatory server certificate verification 
</a> </h4>
 
 <p> At the "verify" TLS security level, messages are sent only over
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/postfix-2.9.5/html/postconf.5.html 
new/postfix-2.9.6/html/postconf.5.html
--- old/postfix-2.9.5/html/postconf.5.html      2012-04-24 21:20:56.000000000 
+0200
+++ new/postfix-2.9.6/html/postconf.5.html      2013-02-03 21:53:45.000000000 
+0100
@@ -8440,6 +8440,10 @@
 an appropriate <a href="access.5.html">access(5)</a> policy for each client.
 See <a href="RESTRICTION_CLASS_README.html">RESTRICTION_CLASS_README</a>.</p>
 
+<p> <b>Note:</b> Postfix 2.9.0&ndash;2.9.5 computed the public key
+fingerprint incorrectly. To use public-key fingerprints, upgrade
+to Postfix 2.9.6 or later. </p>
+
 <p>This feature is available with Postfix version 2.2.</p>
 
 
@@ -10895,11 +10899,47 @@
 </pre>
 </blockquote>
 
-<p> Public key fingerprints are more difficult to extract, however,
-the SHA-1 public key fingerprint is often present as the value of the
-"Subject Key Identifier" extension in X.509v3 certificates. The Postfix
-SMTP server and client log the peer certificate fingerprint and public
-key fingerprint when TLS loglevel is 1 or higher. </p>
+<p> To extract the public key fingerprint from an X.509 certificate,
+you need to extract the public key from the certificate and compute
+the appropriate digest of its DER (ASN.1) encoding. With OpenSSL
+the "-pubkey" option of the "x509" command extracts the public
+key always in "PEM" format. We pipe the result to another OpenSSL
+command that converts the key to DER and then to the "dgst" command
+to compute the fingerprint. </p>
+
+<p> The actual command to transform the key to DER format depends
+on the version of OpenSSL used. With OpenSSL 1.0.0 and later, the
+"pkey" command supports all key types. With OpenSSL 0.9.8 and
+earlier, the key type is always RSA (nobody uses DSA, and EC
+keys are not fully supported by 0.9.8), so the "rsa" command is
+used. </p>
+<blockquote>
+<pre>
+# OpenSSL 1.0 with all certificates and SHA-1 fingerprints.
+$ openssl x509 -in cert.pem -noout -pubkey |
+    openssl pkey -pubin -outform DER |
+    openssl dgst -sha1 -c
+(stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:8b:fc:09:1a:61:98:b5:bc:7c:60:58
+</pre>
+</blockquote>
+
+<blockquote>
+<pre>
+# OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints.
+$ openssl x509 -in cert.pem -noout -pubkey |
+    openssl rsa -pubin -outform DER |
+    openssl dgst -md5 -c
+(stdin)= f4:62:60:f6:12:8f:d5:8d:28:4d:13:a7:db:b2:ff:50
+</pre>
+</blockquote>
+
+<p> The Postfix SMTP server and client log the peer (leaf) certificate
+fingerprint and public key fingerprint when TLS loglevel is 1 or
+higher. </p>
+
+<p> <b>Note:</b> Postfix 2.9.0&ndash;2.9.5 computed the public key
+fingerprint incorrectly. To use public-key fingerprints, upgrade
+to Postfix 2.9.6 or later. </p>
 
 <p> This feature is available in Postfix 2.5 and later. </p>
 
@@ -14688,11 +14728,47 @@
 </pre>
 </blockquote>
 
-<p> Public key fingerprints are more difficult to extract, however,
-the SHA-1 public key fingerprint is often present as the value of the
-"Subject Key Identifier" extension in X.509v3 certificates. The Postfix
-SMTP server and client log the peer certificate fingerprint and public
-key fingerprint when TLS loglevel is 1 or higher. </p>
+<p> To extract the public key fingerprint from an X.509 certificate,
+you need to extract the public key from the certificate and compute
+the appropriate digest of its DER (ASN.1) encoding. With OpenSSL
+the "-pubkey" option of the "x509" command extracts the public
+key always in "PEM" format. We pipe the result to another OpenSSL
+command that converts the key to DER and then to the "dgst" command
+to compute the fingerprint. </p>
+
+<p> The actual command to transform the key to DER format depends
+on the version of OpenSSL used. With OpenSSL 1.0.0 and later, the
+"pkey" command supports all key types. With OpenSSL 0.9.8 and
+earlier, the key type is always RSA (nobody uses DSA, and EC
+keys are not fully supported by 0.9.8), so the "rsa" command is
+used. </p>
+<blockquote>
+<pre>
+# OpenSSL 1.0 with all certificates and SHA-1 fingerprints.
+$ openssl x509 -in cert.pem -noout -pubkey |
+    openssl pkey -pubin -outform DER |
+    openssl dgst -sha1 -c
+(stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:8b:fc:09:1a:61:98:b5:bc:7c:60:58
+</pre>
+</blockquote>
+
+<blockquote>
+<pre>
+# OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints.
+$ openssl x509 -in cert.pem -noout -pubkey |
+    openssl rsa -pubin -outform DER |
+    openssl dgst -md5 -c
+(stdin)= f4:62:60:f6:12:8f:d5:8d:28:4d:13:a7:db:b2:ff:50
+</pre>
+</blockquote>
+
+<p> The Postfix SMTP server and client log the peer (leaf) certificate
+fingerprint and public key fingerprint when TLS loglevel is 1 or
+higher. </p>
+
+<p> <b>Note:</b> Postfix 2.9.0&ndash;2.9.5 computed the public key
+fingerprint incorrectly. To use public-key fingerprints, upgrade
+to Postfix 2.9.6 or later. </p>
 
 <p> Example: client-certificate access table, with sha1 fingerprints: </p>
 
@@ -15586,6 +15662,25 @@
 
 
 </DD>
+
+<DT><b><a 
name="tls_legacy_public_key_fingerprints">tls_legacy_public_key_fingerprints</a>
+(default: no)</b></DT><DD>
+
+<p> A temporary migration aid for sites that use certificate
+<i>public-key</i> fingerprints with Postfix 2.9.0..2.9.5, which use
+an incorrect algorithm. This parameter has no effect on the certificate
+fingerprint support that is available since Postfix 2.2. </p>
+
+<p> Specify "<a 
href="postconf.5.html#tls_legacy_public_key_fingerprint">tls_legacy_public_key_fingerprints</a>
 = yes" temporarily,
+pending a migration from configuration files with incorrect Postfix
+2.9.0..2.9.5 certificate public-key finger prints, to the correct
+fingerprints used by Postfix 2.9.6 and later.  To compute the correct
+certificate public-key fingerprints, see <a 
href="TLS_README.html">TLS_README</a>. </p>
+
+<p> This feature is available in Postfix 2.9.6 and later.  </p>
+
+
+</DD>
 
 <DT><b><a name="tls_low_cipherlist">tls_low_cipherlist</a>
 (default: ALL:!EXPORT:+RC4:@STRENGTH)</b></DT><DD>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/postfix-2.9.5/man/man5/postconf.5 
new/postfix-2.9.6/man/man5/postconf.5
--- old/postfix-2.9.5/man/man5/postconf.5       2012-04-24 21:20:56.000000000 
+0200
+++ new/postfix-2.9.6/man/man5/postconf.5       2013-02-03 21:53:46.000000000 
+0100
@@ -4887,6 +4887,10 @@
 an appropriate \fBaccess\fR(5) policy for each client.
 See RESTRICTION_CLASS_README.
 .PP
+\fBNote:\fR Postfix 2.9.0&ndash;2.9.5 computed the public key
+fingerprint incorrectly. To use public-key fingerprints, upgrade
+to Postfix 2.9.6 or later.
+.PP
 This feature is available with Postfix version 2.2.
 .SH relay_destination_concurrency_limit (default: 
$default_destination_concurrency_limit)
 The maximal number of parallel deliveries to the same destination
@@ -6534,11 +6538,56 @@
 .ft R
 .in -4
 .PP
-Public key fingerprints are more difficult to extract, however,
-the SHA-1 public key fingerprint is often present as the value of the
-"Subject Key Identifier" extension in X.509v3 certificates. The Postfix
-SMTP server and client log the peer certificate fingerprint and public
-key fingerprint when TLS loglevel is 1 or higher.
+To extract the public key fingerprint from an X.509 certificate,
+you need to extract the public key from the certificate and compute
+the appropriate digest of its DER (ASN.1) encoding. With OpenSSL
+the "-pubkey" option of the "x509" command extracts the public
+key always in "PEM" format. We pipe the result to another OpenSSL
+command that converts the key to DER and then to the "dgst" command
+to compute the fingerprint.
+.PP
+The actual command to transform the key to DER format depends
+on the version of OpenSSL used. With OpenSSL 1.0.0 and later, the
+"pkey" command supports all key types. With OpenSSL 0.9.8 and
+earlier, the key type is always RSA (nobody uses DSA, and EC
+keys are not fully supported by 0.9.8), so the "rsa" command is
+used.
+.sp
+.in +4
+.nf
+.na
+.ft C
+# OpenSSL 1.0 with all certificates and SHA-1 fingerprints.
+$ openssl x509 -in cert.pem -noout -pubkey |
+    openssl pkey -pubin -outform DER |
+    openssl dgst -sha1 -c
+(stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:8b:fc:09:1a:61:98:b5:bc:7c:60:58
+.fi
+.ad
+.ft R
+.in -4
+.sp
+.in +4
+.nf
+.na
+.ft C
+# OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints.
+$ openssl x509 -in cert.pem -noout -pubkey |
+    openssl rsa -pubin -outform DER |
+    openssl dgst -md5 -c
+(stdin)= f4:62:60:f6:12:8f:d5:8d:28:4d:13:a7:db:b2:ff:50
+.fi
+.ad
+.ft R
+.in -4
+.PP
+The Postfix SMTP server and client log the peer (leaf) certificate
+fingerprint and public key fingerprint when TLS loglevel is 1 or
+higher.
+.PP
+\fBNote:\fR Postfix 2.9.0&ndash;2.9.5 computed the public key
+fingerprint incorrectly. To use public-key fingerprints, upgrade
+to Postfix 2.9.6 or later.
 .PP
 This feature is available in Postfix 2.5 and later.
 .SH smtp_tls_key_file (default: $smtp_tls_cert_file)
@@ -9426,11 +9475,56 @@
 .ft R
 .in -4
 .PP
-Public key fingerprints are more difficult to extract, however,
-the SHA-1 public key fingerprint is often present as the value of the
-"Subject Key Identifier" extension in X.509v3 certificates. The Postfix
-SMTP server and client log the peer certificate fingerprint and public
-key fingerprint when TLS loglevel is 1 or higher.
+To extract the public key fingerprint from an X.509 certificate,
+you need to extract the public key from the certificate and compute
+the appropriate digest of its DER (ASN.1) encoding. With OpenSSL
+the "-pubkey" option of the "x509" command extracts the public
+key always in "PEM" format. We pipe the result to another OpenSSL
+command that converts the key to DER and then to the "dgst" command
+to compute the fingerprint.
+.PP
+The actual command to transform the key to DER format depends
+on the version of OpenSSL used. With OpenSSL 1.0.0 and later, the
+"pkey" command supports all key types. With OpenSSL 0.9.8 and
+earlier, the key type is always RSA (nobody uses DSA, and EC
+keys are not fully supported by 0.9.8), so the "rsa" command is
+used.
+.sp
+.in +4
+.nf
+.na
+.ft C
+# OpenSSL 1.0 with all certificates and SHA-1 fingerprints.
+$ openssl x509 -in cert.pem -noout -pubkey |
+    openssl pkey -pubin -outform DER |
+    openssl dgst -sha1 -c
+(stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:8b:fc:09:1a:61:98:b5:bc:7c:60:58
+.fi
+.ad
+.ft R
+.in -4
+.sp
+.in +4
+.nf
+.na
+.ft C
+# OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints.
+$ openssl x509 -in cert.pem -noout -pubkey |
+    openssl rsa -pubin -outform DER |
+    openssl dgst -md5 -c
+(stdin)= f4:62:60:f6:12:8f:d5:8d:28:4d:13:a7:db:b2:ff:50
+.fi
+.ad
+.ft R
+.in -4
+.PP
+The Postfix SMTP server and client log the peer (leaf) certificate
+fingerprint and public key fingerprint when TLS loglevel is 1 or
+higher.
+.PP
+\fBNote:\fR Postfix 2.9.0&ndash;2.9.5 computed the public key
+fingerprint incorrectly. To use public-key fingerprints, upgrade
+to Postfix 2.9.6 or later.
 .PP
 Example: client-certificate access table, with sha1 fingerprints:
 .sp
@@ -10075,6 +10169,19 @@
 OpenSSL releases.
 .PP
 This feature is available in Postfix 2.3 and later.
+.SH tls_legacy_public_key_fingerprints (default: no)
+A temporary migration aid for sites that use certificate
+\fIpublic-key\fR fingerprints with Postfix 2.9.0..2.9.5, which use
+an incorrect algorithm. This parameter has no effect on the certificate
+fingerprint support that is available since Postfix 2.2.
+.PP
+Specify "tls_legacy_public_key_fingerprints = yes" temporarily,
+pending a migration from configuration files with incorrect Postfix
+2.9.0..2.9.5 certificate public-key finger prints, to the correct
+fingerprints used by Postfix 2.9.6 and later.  To compute the correct
+certificate public-key fingerprints, see TLS_README.
+.PP
+This feature is available in Postfix 2.9.6 and later.
 .SH tls_low_cipherlist (default: ALL:!EXPORT:+RC4:@STRENGTH)
 The OpenSSL cipherlist for "LOW" or higher grade ciphers. This defines
 the meaning of the "low" setting in smtpd_tls_mandatory_ciphers,
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/postfix-2.9.5/mantools/postlink 
new/postfix-2.9.6/mantools/postlink
--- old/postfix-2.9.5/mantools/postlink 2011-12-09 19:43:40.000000000 +0100
+++ new/postfix-2.9.6/mantools/postlink 2013-02-03 20:49:54.000000000 +0100
@@ -689,6 +689,7 @@
     s;\btls_preempt_cipherlist\b;<a 
href="postconf.5.html#tls_preempt_cipherlist">$&</a>;g;
     s;\btls_disable_workarounds\b;<a 
href="postconf.5.html#tls_disable_workarounds">$&</a>;g;
     s;\btls_append_default_CA\b;<a 
href="postconf.5.html#tls_append_default_CA">$&</a>;g;
+    s;\btls_legacy_public_key_fingerprints\b;<a 
href="postconf.5.html#tls_legacy_public_key_fingerprint">$&</a>;g;
  
     s;\bfrozen_delivered_to\b;<a 
href="postconf.5.html#frozen_delivered_to">$&</a>;g;
     s;\breset_owner_alias\b;<a 
href="postconf.5.html#reset_owner_alias">$&</a>;g;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/postfix-2.9.5/proto/TLS_README.html 
new/postfix-2.9.6/proto/TLS_README.html
--- old/postfix-2.9.5/proto/TLS_README.html     2012-04-24 19:07:22.000000000 
+0200
+++ new/postfix-2.9.6/proto/TLS_README.html     2013-02-03 20:49:54.000000000 
+0100
@@ -677,6 +677,39 @@
 </pre>
 </blockquote>
 
+<p> To extract the public key fingerprint from an X.509 certificate,
+you need to extract the public key from the certificate and compute
+the appropriate digest of its DER (ASN.1) encoding. With OpenSSL
+the "-pubkey" option of the "x509" command extracts the public
+key always in "PEM" format. We pipe the result to another OpenSSL
+command that converts the key to DER and then to the "dgst" command
+to compute the fingerprint. </p>
+
+<p> The actual command to transform the key to DER format depends
+on the version of OpenSSL used. With OpenSSL 1.0.0 and later, the
+"pkey" command supports all key types. With OpenSSL 0.9.8 and
+earlier, the key type is always RSA (nobody uses DSA, and EC
+keys are not fully supported by 0.9.8), so the "rsa" command is
+used. </p>
+<blockquote>
+<pre>
+# OpenSSL 1.0 with all certificates and SHA-1 fingerprints.
+$ openssl x509 -in cert.pem -noout -pubkey |
+    openssl pkey -pubin -outform DER |
+    openssl dgst -sha1 -c
+(stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:8b:fc:09:1a:61:98:b5:bc:7c:60:58
+
+# OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints.
+$ openssl x509 -in cert.pem -noout -pubkey |
+    openssl rsa -pubin -outform DER |
+    openssl dgst -md5 -c
+(stdin)= f4:62:60:f6:12:8f:d5:8d:28:4d:13:a7:db:b2:ff:50
+</pre>
+</blockquote>
+<p> Note: Postfix 2.9.0&ndash;2.9.5 computed the public key
+fingerprint incorrectly. To use public-key fingerprints, upgrade
+to Postfix 2.9.6 or later. </p>
+
 <h3><a name="server_cipher">Server-side cipher controls</a> </h3>
 
 <p> The Postfix SMTP server supports 5 distinct cipher security levels
@@ -1074,7 +1107,7 @@
 not checked. Instead, the smtp_tls_fingerprint_cert_match parameter
 or the "match" attribute in the <a href="#client_tls_policy">policy</a>
 table lists the remote SMTP server certificate fingerprint or
-public key fingerprint (Postfix 2.9 and later).
+public key fingerprint (Postfix 2.9 and later). </p>
 
 <p> If certificate fingerprints are exchanged securely, this is the
 strongest, and least scalable security level. The administrator needs
@@ -1136,6 +1169,39 @@
 </pre>
 </blockquote>
 
+<p> To extract the public key fingerprint from an X.509 certificate,
+you need to extract the public key from the certificate and compute
+the appropriate digest of its DER (ASN.1) encoding. With OpenSSL
+the "-pubkey" option of the "x509" command extracts the public
+key always in "PEM" format. We pipe the result to another OpenSSL
+command that converts the key to DER and then to the "dgst" command
+to compute the fingerprint. </p>
+
+<p> The actual command to transform the key to DER format depends
+on the version of OpenSSL used. With OpenSSL 1.0.0 and later, the
+"pkey" command supports all key types. With OpenSSL 0.9.8 and
+earlier, the key type is always RSA (nobody uses DSA, and EC
+keys are not fully supported by 0.9.8), so the "rsa" command is
+used. </p>
+<blockquote>
+<pre>
+# OpenSSL 1.0 with all certificates and SHA-1 fingerprints.
+$ openssl x509 -in cert.pem -noout -pubkey |
+    openssl pkey -pubin -outform DER |
+    openssl dgst -sha1 -c
+(stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:8b:fc:09:1a:61:98:b5:bc:7c:60:58
+
+# OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints.
+$ openssl x509 -in cert.pem -noout -pubkey |
+    openssl rsa -pubin -outform DER |
+    openssl dgst -md5 -c
+(stdin)= f4:62:60:f6:12:8f:d5:8d:28:4d:13:a7:db:b2:ff:50
+</pre>
+</blockquote>
+<p> Note: Postfix 2.9.0&ndash;2.9.5 computed the public key
+fingerprint incorrectly. To use public-key fingerprints, upgrade
+to Postfix 2.9.6 or later. </p>
+
 <h4><a name="client_tls_verify"> Mandatory server certificate verification 
</a> </h4>
 
 <p> At the "verify" TLS security level, messages are sent only over
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/postfix-2.9.5/proto/postconf.proto 
new/postfix-2.9.6/proto/postconf.proto
--- old/postfix-2.9.5/proto/postconf.proto      2012-04-24 19:07:22.000000000 
+0200
+++ new/postfix-2.9.6/proto/postconf.proto      2013-02-03 21:53:34.000000000 
+0100
@@ -9065,6 +9065,10 @@
 an appropriate access(5) policy for each client.
 See RESTRICTION_CLASS_README.</p>
 
+<p> <b>Note:</b> Postfix 2.9.0&ndash;2.9.5 computed the public key
+fingerprint incorrectly. To use public-key fingerprints, upgrade
+to Postfix 2.9.6 or later. </p>
+
 <p>This feature is available with Postfix version 2.2.</p>
 
 %PARAM smtpd_tls_cipherlist
@@ -11489,11 +11493,47 @@
 </pre>
 </blockquote>
 
-<p> Public key fingerprints are more difficult to extract, however,
-the SHA-1 public key fingerprint is often present as the value of the
-"Subject Key Identifier" extension in X.509v3 certificates. The Postfix
-SMTP server and client log the peer certificate fingerprint and public
-key fingerprint when TLS loglevel is 1 or higher. </p>
+<p> To extract the public key fingerprint from an X.509 certificate,
+you need to extract the public key from the certificate and compute
+the appropriate digest of its DER (ASN.1) encoding. With OpenSSL
+the "-pubkey" option of the "x509" command extracts the public
+key always in "PEM" format. We pipe the result to another OpenSSL
+command that converts the key to DER and then to the "dgst" command
+to compute the fingerprint. </p>
+
+<p> The actual command to transform the key to DER format depends
+on the version of OpenSSL used. With OpenSSL 1.0.0 and later, the
+"pkey" command supports all key types. With OpenSSL 0.9.8 and
+earlier, the key type is always RSA (nobody uses DSA, and EC
+keys are not fully supported by 0.9.8), so the "rsa" command is
+used. </p>
+<blockquote>
+<pre>
+# OpenSSL 1.0 with all certificates and SHA-1 fingerprints.
+$ openssl x509 -in cert.pem -noout -pubkey |
+    openssl pkey -pubin -outform DER |
+    openssl dgst -sha1 -c
+(stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:8b:fc:09:1a:61:98:b5:bc:7c:60:58
+</pre>
+</blockquote>
+
+<blockquote>
+<pre>
+# OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints.
+$ openssl x509 -in cert.pem -noout -pubkey |
+    openssl rsa -pubin -outform DER |
+    openssl dgst -md5 -c
+(stdin)= f4:62:60:f6:12:8f:d5:8d:28:4d:13:a7:db:b2:ff:50
+</pre>
+</blockquote>
+
+<p> The Postfix SMTP server and client log the peer (leaf) certificate
+fingerprint and public key fingerprint when TLS loglevel is 1 or
+higher. </p>
+
+<p> <b>Note:</b> Postfix 2.9.0&ndash;2.9.5 computed the public key
+fingerprint incorrectly. To use public-key fingerprints, upgrade
+to Postfix 2.9.6 or later. </p>
 
 <p> This feature is available in Postfix 2.5 and later. </p>
 
@@ -11607,11 +11647,47 @@
 </pre>
 </blockquote>
 
-<p> Public key fingerprints are more difficult to extract, however,
-the SHA-1 public key fingerprint is often present as the value of the
-"Subject Key Identifier" extension in X.509v3 certificates. The Postfix
-SMTP server and client log the peer certificate fingerprint and public
-key fingerprint when TLS loglevel is 1 or higher. </p>
+<p> To extract the public key fingerprint from an X.509 certificate,
+you need to extract the public key from the certificate and compute
+the appropriate digest of its DER (ASN.1) encoding. With OpenSSL
+the "-pubkey" option of the "x509" command extracts the public
+key always in "PEM" format. We pipe the result to another OpenSSL
+command that converts the key to DER and then to the "dgst" command
+to compute the fingerprint. </p>
+
+<p> The actual command to transform the key to DER format depends
+on the version of OpenSSL used. With OpenSSL 1.0.0 and later, the
+"pkey" command supports all key types. With OpenSSL 0.9.8 and
+earlier, the key type is always RSA (nobody uses DSA, and EC
+keys are not fully supported by 0.9.8), so the "rsa" command is
+used. </p>
+<blockquote>
+<pre>
+# OpenSSL 1.0 with all certificates and SHA-1 fingerprints.
+$ openssl x509 -in cert.pem -noout -pubkey |
+    openssl pkey -pubin -outform DER |
+    openssl dgst -sha1 -c
+(stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:8b:fc:09:1a:61:98:b5:bc:7c:60:58
+</pre>
+</blockquote>
+
+<blockquote>
+<pre>
+# OpenSSL 0.9.8 with RSA certificates and MD5 fingerprints.
+$ openssl x509 -in cert.pem -noout -pubkey |
+    openssl rsa -pubin -outform DER |
+    openssl dgst -md5 -c
+(stdin)= f4:62:60:f6:12:8f:d5:8d:28:4d:13:a7:db:b2:ff:50
+</pre>
+</blockquote>
+
+<p> The Postfix SMTP server and client log the peer (leaf) certificate
+fingerprint and public key fingerprint when TLS loglevel is 1 or
+higher. </p>
+
+<p> <b>Note:</b> Postfix 2.9.0&ndash;2.9.5 computed the public key
+fingerprint incorrectly. To use public-key fingerprints, upgrade
+to Postfix 2.9.6 or later. </p>
 
 <p> Example: client-certificate access table, with sha1 fingerprints: </p>
 
@@ -13869,6 +13945,21 @@
 
 <p> This feature is available in Postfix 2.8 and later.  </p>
 
+%PARAM tls_legacy_public_key_fingerprints no
+
+<p> A temporary migration aid for sites that use certificate
+<i>public-key</i> fingerprints with Postfix 2.9.0..2.9.5, which use
+an incorrect algorithm. This parameter has no effect on the certificate
+fingerprint support that is available since Postfix 2.2. </p>
+
+<p> Specify "tls_legacy_public_key_fingerprints = yes" temporarily,
+pending a migration from configuration files with incorrect Postfix
+2.9.0..2.9.5 certificate public-key finger prints, to the correct
+fingerprints used by Postfix 2.9.6 and later.  To compute the correct
+certificate public-key fingerprints, see TLS_README. </p>
+
+<p> This feature is available in Postfix 2.9.6 and later.  </p>
+
 %PARAM tlsproxy_watchdog_timeout 10s
 
 <p> How much time a tlsproxy(8) process may take to process local
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/postfix-2.9.5/src/global/mail_params.h 
new/postfix-2.9.6/src/global/mail_params.h
--- old/postfix-2.9.5/src/global/mail_params.h  2012-04-24 19:07:22.000000000 
+0200
+++ new/postfix-2.9.6/src/global/mail_params.h  2013-02-03 20:49:54.000000000 
+0100
@@ -3035,6 +3035,10 @@
 #define DEF_TLS_BUG_TWEAKS     TLS_BUG_TWEAKS
 extern char *var_tls_bug_tweaks;
 
+#define VAR_TLS_BC_PKEY_FPRINT "tls_legacy_public_key_fingerprints"
+#define DEF_TLS_BC_PKEY_FPRINT 0
+extern bool var_tls_bc_pkey_fprint;
+
  /*
   * Sendmail-style mail filter support.
   */
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/postfix-2.9.5/src/global/mail_version.h 
new/postfix-2.9.6/src/global/mail_version.h
--- old/postfix-2.9.5/src/global/mail_version.h 2012-12-13 01:38:59.000000000 
+0100
+++ new/postfix-2.9.6/src/global/mail_version.h 2013-02-03 21:46:53.000000000 
+0100
@@ -20,8 +20,8 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE      "20121213"
-#define MAIL_VERSION_NUMBER    "2.9.5"
+#define MAIL_RELEASE_DATE      "20130203"
+#define MAIL_VERSION_NUMBER    "2.9.6"
 
 #ifdef SNAPSHOT
 # define MAIL_VERSION_DATE     "-" MAIL_RELEASE_DATE
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/postfix-2.9.5/src/postconf/Makefile.in 
new/postfix-2.9.6/src/postconf/Makefile.in
--- old/postfix-2.9.5/src/postconf/Makefile.in  2012-01-22 16:55:21.000000000 
+0100
+++ new/postfix-2.9.6/src/postconf/Makefile.in  2013-01-05 20:59:51.000000000 
+0100
@@ -42,7 +42,7 @@
 
 tests: test1 test2 test3 test4 test5 test6 test7 test8 test9 test10 test11 \
        test12 test13 test14 test15 test16 test17 test18 test19 test20 test21 \
-       test22 test23 test24 test25 test26 test27 test28 test29 test30
+       test22 test23 test24 test25 test26 test27 test28 test29 test30 test40
 
 root_tests:
 
@@ -414,6 +414,17 @@
        diff test30.ref test30.tmp
        rm -f main.cf master.cf test30.tmp
 
+test40:        $(PROG) test40.ref
+       rm -f main.cf master.cf
+       touch main.cf master.cf
+       echo foo unix - n n - 0 other >> master.cf
+       echo ' -voaaa=bbb' >> master.cf
+       echo ' -vo ccc=$$aaa' >> master.cf
+       echo ' -v -oddd=$$ccc' >> master.cf
+       ./$(PROG) -Mfc . unix >test40.tmp 2>&1
+       diff test40.ref test40.tmp
+       rm -f main.cf master.cf test40.tmp
+
 printfck: $(OBJS) $(PROG)
        rm -rf printfck
        mkdir printfck
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/postfix-2.9.5/src/postconf/postconf_master.c 
new/postfix-2.9.6/src/postconf/postconf_master.c
--- old/postfix-2.9.5/src/postconf/postconf_master.c    2012-01-21 
22:11:38.000000000 +0100
+++ new/postfix-2.9.6/src/postconf/postconf_master.c    2012-12-31 
22:23:52.000000000 +0100
@@ -74,6 +74,8 @@
 {
     int     field;
     char   *arg;
+    char   *cp;
+    char   *junk;
 
     /*
      * Normalize options to simplify later processing.
@@ -82,6 +84,16 @@
        arg = argv->argv[field];
        if (arg[0] != '-' || strcmp(arg, "--") == 0)
            break;
+       for (cp = arg + 1; *cp; cp++) {
+           if (*cp == 'o' && cp > arg + 1) {
+               /* Split "-stuffo" into "-stuff" and "-o". */
+               junk = concatenate("-", cp, (char *) 0);
+               argv_insert_one(argv, field + 1, junk);
+               myfree(junk);
+               *cp = 0;
+               break;
+           }
+       }
        if (strncmp(arg, "-o", 2) == 0) {
            if (arg[2] != 0) {
                /* Split "-oname=value" into "-o" "name=value". */
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/postfix-2.9.5/src/postconf/test40.ref 
new/postfix-2.9.6/src/postconf/test40.ref
--- old/postfix-2.9.5/src/postconf/test40.ref   1970-01-01 01:00:00.000000000 
+0100
+++ new/postfix-2.9.6/src/postconf/test40.ref   2012-12-31 22:32:31.000000000 
+0100
@@ -0,0 +1,4 @@
+foo        unix  -       n       n       -       0       other -v
+    -o aaa=bbb -v
+    -o ccc=$aaa -v
+    -o ddd=$ccc
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/postfix-2.9.5/src/tls/Makefile.in 
new/postfix-2.9.6/src/tls/Makefile.in
--- old/postfix-2.9.5/src/tls/Makefile.in       2012-01-22 16:55:15.000000000 
+0100
+++ new/postfix-2.9.6/src/tls/Makefile.in       2013-02-03 21:17:01.000000000 
+0100
@@ -319,6 +319,7 @@
 tls_stream.o: tls.h
 tls_stream.o: tls_stream.c
 tls_verify.o: ../../include/argv.h
+tls_verify.o: ../../include/mail_params.h
 tls_verify.o: ../../include/msg.h
 tls_verify.o: ../../include/mymalloc.h
 tls_verify.o: ../../include/name_code.h
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/postfix-2.9.5/src/tls/tls_misc.c 
new/postfix-2.9.6/src/tls/tls_misc.c
--- old/postfix-2.9.5/src/tls/tls_misc.c        2012-04-23 00:08:04.000000000 
+0200
+++ new/postfix-2.9.6/src/tls/tls_misc.c        2013-02-03 20:58:42.000000000 
+0100
@@ -17,6 +17,7 @@
 /*     int     var_tls_daemon_rand_bytes;
 /*     bool    var_tls_append_def_CA;
 /*     bool    var_tls_preempt_clist;
+/*     bool    var_tls_bc_pkey_fprint;
 /*
 /*     TLS_APPL_STATE *tls_alloc_app_context(ssl_ctx, log_mask)
 /*     SSL_CTX *ssl_ctx;
@@ -205,6 +206,7 @@
 char   *var_tls_eecdh_ultra;
 bool    var_tls_append_def_CA;
 char   *var_tls_bug_tweaks;
+bool    var_tls_bc_pkey_fprint;
 
 #ifdef VAR_TLS_PREEMPT_CLIST
 bool    var_tls_preempt_clist;
@@ -510,8 +512,10 @@
        else
            include |= code =
                name_code(protocol_table, NAME_CODE_FLAG_NONE, tok);
-       if (code == TLS_PROTOCOL_INVALID)
+       if (code == TLS_PROTOCOL_INVALID) {
+           myfree(save);
            return TLS_PROTOCOL_INVALID;
+       }
     }
     myfree(save);
 
@@ -546,6 +550,7 @@
     };
     static const CONFIG_BOOL_TABLE bool_table[] = {
        VAR_TLS_APPEND_DEF_CA, DEF_TLS_APPEND_DEF_CA, &var_tls_append_def_CA,
+       VAR_TLS_BC_PKEY_FPRINT, DEF_TLS_BC_PKEY_FPRINT, &var_tls_bc_pkey_fprint,
 #if OPENSSL_VERSION_NUMBER >= 0x0090700fL      /* OpenSSL 0.9.7 and later */
        VAR_TLS_PREEMPT_CLIST, DEF_TLS_PREEMPT_CLIST, &var_tls_preempt_clist,
 #endif
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/postfix-2.9.5/src/tls/tls_verify.c 
new/postfix-2.9.6/src/tls/tls_verify.c
--- old/postfix-2.9.5/src/tls/tls_verify.c      2011-12-05 22:03:07.000000000 
+0100
+++ new/postfix-2.9.6/src/tls/tls_verify.c      2013-02-03 20:49:54.000000000 
+0100
@@ -23,6 +23,10 @@
 /*     X509   *peercert;
 /*     const char *dgst;
 /*
+/*     char *tls_pkey_fprint(peercert, dgst)
+/*     X509   *peercert;
+/*     const char *dgst;
+/*
 /*     int     tls_verify_certificate_callback(ok, ctx)
 /*     int     ok;
 /*     X509_STORE_CTX *ctx;
@@ -50,6 +54,11 @@
 /*     value is dynamically allocated with mymalloc(), and the caller
 /*     must eventually free it with myfree().
 /*
+/*     tls_pkey_fprint() returns a public-key fingerprint; in all
+/*     other respects the function behaves as tls_fingerprint().
+/*     The var_tls_bc_pkey_fprint variable enables an incorrect
+/*     algorithm that was used in Postfix versions 2.9.[0-5].
+/*     
 /*     tls_verify_callback() is called several times (directly or
 /*     indirectly) from crypto/x509/x509_vfy.c. It is called as
 /*     a final check, and if it returns "0", the handshake is
@@ -140,6 +149,10 @@
 #include <mymalloc.h>
 #include <stringops.h>
 
+/* Global library. */
+
+#include <mail_params.h>
+
 /* TLS library. */
 
 #define TLS_INTERNAL
@@ -490,14 +503,12 @@
     return (cn ? cn : mystrdup(""));
 }
 
-typedef int (*x509_dgst_cb) (const X509 *, const EVP_MD *, unsigned char *, 
unsigned int *);
-
-/* tls_fprint - extract cert or pkey fingerprint from certificate */
+/* tls_fprint - compute and encode digest of DER-encoded object */
 
-static char *tls_fprint(X509 *peercert, x509_dgst_cb x509_dgst,
-                               const char *dgst)
+static char *tls_fprint(const char *buf, int len, const char *dgst)
 {
-    const char *myname = "tls_fingerprint";
+    const char *myname = "tls_fprint";
+    EVP_MD_CTX *mdctx;
     const EVP_MD *md_alg;
     unsigned char md_buf[EVP_MAX_MD_SIZE];
     unsigned int md_len;
@@ -508,10 +519,12 @@
     if ((md_alg = EVP_get_digestbyname(dgst)) == 0)
        msg_panic("%s: digest algorithm \"%s\" not found", myname, dgst);
 
-    /* Fails when serialization to ASN.1 runs out of memory */
-    if (x509_dgst(peercert, md_alg, md_buf, &md_len) == 0)
-       msg_fatal("%s: error computing certificate %s digest (out of memory?)",
-                 myname, dgst);
+    mdctx = EVP_MD_CTX_create();
+    if (EVP_DigestInit_ex(mdctx, md_alg, NULL) == 0
+        || EVP_DigestUpdate(mdctx, buf, len) == 0
+        || EVP_DigestFinal_ex(mdctx, md_buf, &md_len) == 0)
+        msg_fatal("%s: error computing %s message digest", myname, dgst);
+    EVP_MD_CTX_destroy(mdctx);
 
     /* Check for OpenSSL contract violation */
     if (md_len > EVP_MAX_MD_SIZE || md_len >= INT_MAX / 3)
@@ -531,14 +544,55 @@
 
 char   *tls_fingerprint(X509 *peercert, const char *dgst)
 {
-    return (tls_fprint(peercert, X509_digest, dgst));
+    int     len;
+    char   *buf;
+    char   *buf2;
+    char   *result;
+
+    len = i2d_X509(peercert, NULL);
+    buf2 = buf = mymalloc(len);
+    i2d_X509(peercert, (unsigned char **)&buf2);
+    if (buf2 - buf != len)
+        msg_panic("i2d_X509 invalid result length");
+
+    result = tls_fprint(buf, len, dgst);
+    myfree(buf);
+
+    return (result);
 }
 
 /* tls_pkey_fprint - extract public key fingerprint from certificate */
 
 char   *tls_pkey_fprint(X509 *peercert, const char *dgst)
 {
-    return (tls_fprint(peercert, X509_pubkey_digest, dgst));
+    if (var_tls_bc_pkey_fprint) {
+       const char *myname = "tls_pkey_fprint";
+       ASN1_BIT_STRING *key;
+       char   *result;
+
+       key = X509_get0_pubkey_bitstr(peercert);
+       if (key == 0)
+           msg_fatal("%s: error extracting legacy public-key fingerprint: %m",
+                     myname);
+
+       result = tls_fprint((char *) key->data, key->length, dgst);
+       return (result);
+    } else {
+       int     len;
+       char   *buf;
+       char   *buf2;
+       char   *result;
+
+       len = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(peercert), NULL);
+       buf2 = buf = mymalloc(len);
+       i2d_X509_PUBKEY(X509_get_X509_PUBKEY(peercert), (unsigned char **) 
&buf2);
+       if (buf2 - buf != len)
+           msg_panic("i2d_X509_PUBKEY invalid result length");
+
+       result = tls_fprint(buf, len, dgst);
+       myfree(buf);
+       return (result);
+    }
 }
 
 #endif
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/postfix-2.9.5/src/util/exec_command.c 
new/postfix-2.9.6/src/util/exec_command.c
--- old/postfix-2.9.5/src/util/exec_command.c   2005-01-19 02:22:18.000000000 
+0100
+++ new/postfix-2.9.6/src/util/exec_command.c   2013-02-01 22:52:30.000000000 
+0100
@@ -63,7 +63,8 @@
     /*
      * See if this command contains any shell magic characters.
      */
-    if (command[strspn(command, ok_chars)] == 0) {
+    if (command[strspn(command, ok_chars)] == 0
+       && command[strspn(command, SPACE_TAB)] != 0) {
 
        /*
         * No shell meta characters found, so we can try to avoid the overhead

-- 
To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org
For additional commands, e-mail: opensuse-commit+h...@opensuse.org

commit postfix for openSUSE:Factory

Reply via email to