Source-Changes-HG archive


[src/netbsd-6]: src/external/ibm-public/postfix/dist Apply patch, requested b...



details:   https://anonhg.NetBSD.org/src/rev/95d325f14f85
branches:  netbsd-6
changeset: 776475:95d325f14f85
user:      bouyer <bouyer%NetBSD.org@localhost>
date:      Sun Oct 20 12:58:25 2013 +0000

description:
Apply patch, requested by tron in ticket #961:
external/ibm-public/postfix/dist/HISTORY                        patch
external/ibm-public/postfix/dist/RELEASE_NOTES                  patch
external/ibm-public/postfix/dist/src/global/mail_version.h      patch
external/ibm-public/postfix/dist/src/local/forward.c            patch
external/ibm-public/postfix/dist/src/tls/tls_client.c           patch
external/ibm-public/postfix/dist/src/tls/tls_server.c           patch

        Update postfix to version 2.8.16:
        - TLS Interoperability workaround: turn on SHA-2 digests by
          force. This improves interoperability with clients and servers that
          deploy SHA-2 digests without the required support for TLSv1.2-style
          digest negotiation.
        - TLS Performance workaround: the Postfix SMTP server TLS session
          cache had become ineffective because recent OpenSSL versions enable
          session tickets by default, resulting in a different ticket
          encryption key for each smtpd(8) process. The workaround turns off
          session tickets. Postfix 2.11 will enable session tickets properly.
        - TLS Interoperability workaround: Debian Exim versions before 4.80-3
          may fail to communicate with Postfix and possibly other MTAs, with
          the following Exim SMTP client error message:
          TLS error on connection to server-name [server-address]
          (gnutls_handshake):

                The Diffie-Hellman prime sent by the server is not acceptable
                (not long enough)

          See the RELEASE_NOTES file for a Postfix SMTP server configuration
          workaround.
        - Bugfix (defect introduced: 1997): memory leak while forwarding mail
          with the local(8) delivery agent, in code that handles a cleanup(8)
          server error.

diffstat:

 external/ibm-public/postfix/dist/HISTORY                   |  23 ++++++++++
 external/ibm-public/postfix/dist/RELEASE_NOTES             |  30 ++++++++++++++
 external/ibm-public/postfix/dist/src/global/mail_version.h |   6 +-
 external/ibm-public/postfix/dist/src/local/forward.c       |  14 ++++--
 external/ibm-public/postfix/dist/src/tls/tls_client.c      |  20 ++++++++-
 external/ibm-public/postfix/dist/src/tls/tls_server.c      |  23 ++++++++++-
 6 files changed, 106 insertions(+), 10 deletions(-)

diffs (215 lines):

diff -r eb7d70b05fe9 -r 95d325f14f85 external/ibm-public/postfix/dist/HISTORY
--- a/external/ibm-public/postfix/dist/HISTORY  Sun Oct 20 12:52:42 2013 +0000
+++ b/external/ibm-public/postfix/dist/HISTORY  Sun Oct 20 12:58:25 2013 +0000
@@ -16915,3 +16915,26 @@
        between different hostnames that resolve to the same IP
        address.  Found during Postfix 2.11 code maintenance.  File:
        smtp/smtp_connect.c.
+
+20130518
+
+       Bugfix (introduced: 1997): memory leak after error while
+       forwarding mail through the cleanup server. Viktor found
+       one, Wietse eliminated the rest.  File: local/forward.c.
+
+20130615
+
+       TLS Interoperability: turn on SHA-2 digests by force.  This
+       improves interoperability with clients and servers that
+       deploy SHA-2 digests without the required support for
+       TLSv1.2-style digest negotiation.  Based on patch by Viktor
+       Dukhovni.  Files: tls/tls_client.c, tls/tls_server.c.
+
+20130616
+
+       Workaround: The Postfix SMTP server TLS session cache was
+       broken because OpenSSL now enables session tickets by
+       default, resulting in a different ticket encryption key for
+       each smtpd(8) process.  The workaround turns off session
+       tickets. In 2.11 we'll enable session tickets properly.
+       Viktor Dukhovni. File: tls/tls_server.c.
diff -r eb7d70b05fe9 -r 95d325f14f85 external/ibm-public/postfix/dist/RELEASE_NOTES
--- a/external/ibm-public/postfix/dist/RELEASE_NOTES    Sun Oct 20 12:52:42 2013 +0000
+++ b/external/ibm-public/postfix/dist/RELEASE_NOTES    Sun Oct 20 12:58:25 2013 +0000
@@ -11,6 +11,36 @@
 The mail_release_date configuration parameter (format: yyyymmdd)
 specifies the release date of a stable release or snapshot release.
 
+Debian Exim before 4.80-3 interoperability workaround
+-----------------------------------------------------
+
+Debian Exim versions before 4.80-3 may fail to communicate with
+Postfix and possibly other MTAs, with the following Exim SMTP client
+error message:
+
+    TLS error on connection to server-name [server-address]
+    (gnutls_handshake): The Diffie-Hellman prime sent by the server
+    is not acceptable (not long enough)
+
+This problem may affect Debian Exim versions before 4.80-3 that use
+TLS with EDH (Ephemeral Diffie-Hellman) key exchanges. For details
+see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=676563
+
+To restore Postfix SMTP server interoperability with affected Exim
+SMTP clients, configure the Postfix SMTP server to use a 2048-bit
+prime number instead of 1024:
+
+    # cd /etc/postfix
+    # openssl dhparam -out dh2048.pem 2048
+    # postconf -e 'smtpd_tls_dh1024_param_file = ${config_directory}/dh2048.pem'
+
+This change increases the CPU cost of EDH key exchanges (rarely a
+problem for SMTP servers) and is unlikely to cause problems with
+other SMTP client implementations.
+
+This problem should not affect EECDH (Ephemeral Elliptic Curve
+Diffie-Hellman) key exchanges.
+
 Major changes with Postfix 2.8.10
 ---------------------------------
 
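Review bot: the postconf line tells the reader to put a 2048-bit file into a parameter whose name says 1024 (smtpd_tls_dh1024_param_file = ${config_directory}/dh2048.pem), and the surrounding text never says that this mismatch is intentional; add one sentence after the command block stating that the parameter accepts a group of any size and that the "1024" in its name does not limit the prime length, otherwise administrators are likely to second-guess the instruction or look for a nonexistent dh2048 parameter.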
diff -r eb7d70b05fe9 -r 95d325f14f85 external/ibm-public/postfix/dist/src/global/mail_version.h
--- a/external/ibm-public/postfix/dist/src/global/mail_version.h        Sun Oct 20 12:52:42 2013 +0000
+++ b/external/ibm-public/postfix/dist/src/global/mail_version.h        Sun Oct 20 12:58:25 2013 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: mail_version.h,v 1.1.1.12.2.5 2013/09/07 16:28:34 bouyer Exp $ */
+/*     $NetBSD: mail_version.h,v 1.1.1.12.2.6 2013/10/20 12:58:25 bouyer Exp $ */
 
 #ifndef _MAIL_VERSION_H_INCLUDED_
 #define _MAIL_VERSION_H_INCLUDED_
@@ -22,8 +22,8 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE      "20130622"
-#define MAIL_VERSION_NUMBER    "2.8.15"
+#define MAIL_RELEASE_DATE      "20130905"
+#define MAIL_VERSION_NUMBER    "2.8.16"
 
 #ifdef SNAPSHOT
 # define MAIL_VERSION_DATE     "-" MAIL_RELEASE_DATE
diff -r eb7d70b05fe9 -r 95d325f14f85 external/ibm-public/postfix/dist/src/local/forward.c
--- a/external/ibm-public/postfix/dist/src/local/forward.c      Sun Oct 20 12:52:42 2013 +0000
+++ b/external/ibm-public/postfix/dist/src/local/forward.c      Sun Oct 20 12:58:25 2013 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: forward.c,v 1.1.1.2 2011/03/02 19:32:19 tron Exp $     */
+/*     $NetBSD: forward.c,v 1.1.1.2.6.1 2013/10/20 12:58:25 bouyer Exp $       */
 
 /*++
 /* NAME
@@ -120,6 +120,11 @@
     FORWARD_INFO *info;
     VSTREAM *cleanup;
 
+#define FORWARD_OPEN_RETURN(res) do { \
+       vstring_free(buffer); \
+       return (res); \
+    } while (0)
+
     /*
      * Contact the cleanup service and save the new mail queue id. Request
      * that the cleanup service bounces bad messages to the sender so that we
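Review bot: FORWARD_OPEN_RETURN is defined inside the function body but is never undefined, so the name stays visible for the rest of the translation unit and can silently shadow or collide with a later definition; add `#undef FORWARD_OPEN_RETURN` after the final `FORWARD_OPEN_RETURN(info);` at the end of the function. A short comment above the macro saying that every return from this function must go through it, because it releases `buffer` on the error paths that previously leaked it, would also make the intent clear to the next person who adds an early return.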
@@ -131,13 +136,13 @@
      */
     cleanup = mail_connect(MAIL_CLASS_PUBLIC, var_cleanup_service, BLOCKING);
     if (cleanup == 0)
-       return (0);
+       FORWARD_OPEN_RETURN(0);
     close_on_exec(vstream_fileno(cleanup), CLOSE_ON_EXEC);
     if (attr_scan(cleanup, ATTR_FLAG_STRICT,
                  ATTR_TYPE_STR, MAIL_ATTR_QUEUEID, buffer,
                  ATTR_TYPE_END) != 1) {
        vstream_fclose(cleanup);
-       return (0);
+       FORWARD_OPEN_RETURN(0);
     }
     info = (FORWARD_INFO *) mymalloc(sizeof(FORWARD_INFO));
     info->cleanup = cleanup;
@@ -192,8 +197,7 @@
     PASS_ATTR(cleanup, MAIL_ATTR_LOG_IDENT, request->log_ident);
     PASS_ATTR(cleanup, MAIL_ATTR_RWR_CONTEXT, request->rewrite_context);
 
-    vstring_free(buffer);
-    return (info);
+    FORWARD_OPEN_RETURN(info);
 }
 
 /* forward_append - append recipient to message envelope */
diff -r eb7d70b05fe9 -r 95d325f14f85 external/ibm-public/postfix/dist/src/tls/tls_client.c
--- a/external/ibm-public/postfix/dist/src/tls/tls_client.c     Sun Oct 20 12:52:42 2013 +0000
+++ b/external/ibm-public/postfix/dist/src/tls/tls_client.c     Sun Oct 20 12:58:25 2013 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: tls_client.c,v 1.4.6.1 2012/06/13 19:29:04 riz Exp $   */
+/*     $NetBSD: tls_client.c,v 1.4.6.2 2013/10/20 12:58:26 bouyer Exp $        */
 
 /*++
 /* NAME
@@ -328,6 +328,24 @@
     }
 
     /*
+     * Register SHA-2 digests, if implemented and not already registered.
+     * Improves interoperability with clients and servers that prematurely
+     * deploy SHA-2 certificates.
+     */
+#if defined(LN_sha256) && defined(NID_sha256) && !defined(OPENSSL_NO_SHA256)
+    if (!EVP_get_digestbyname(LN_sha224))
+       EVP_add_digest(EVP_sha224());
+    if (!EVP_get_digestbyname(LN_sha256))
+       EVP_add_digest(EVP_sha256());
+#endif
+#if defined(LN_sha512) && defined(NID_sha512) && !defined(OPENSSL_NO_SHA512)
+    if (!EVP_get_digestbyname(LN_sha384))
+       EVP_add_digest(EVP_sha384());
+    if (!EVP_get_digestbyname(LN_sha512))
+       EVP_add_digest(EVP_sha512());
+#endif
+
+    /*
      * If the administrator specifies an unsupported digest algorithm, fail
      * now, rather than in the middle of a TLS handshake.
      */
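Review bot: this SHA-2 registration block is repeated verbatim in tls_server.c later in this patch; move it into one helper in the shared TLS library code and call it from both the client and server context initialisers so the two copies cannot drift apart. Also, the return value of EVP_add_digest() is discarded on all four calls, so a failed registration would only show up later during a handshake or certificate verification, which is at odds with the comment immediately below ("fail now, rather than in the middle of a TLS handshake"); check the result and log it with the same severity as the unsupported-digest case.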
diff -r eb7d70b05fe9 -r 95d325f14f85 external/ibm-public/postfix/dist/src/tls/tls_server.c
--- a/external/ibm-public/postfix/dist/src/tls/tls_server.c     Sun Oct 20 12:52:42 2013 +0000
+++ b/external/ibm-public/postfix/dist/src/tls/tls_server.c     Sun Oct 20 12:58:25 2013 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: tls_server.c,v 1.4.6.1 2012/06/13 19:29:05 riz Exp $   */
+/*     $NetBSD: tls_server.c,v 1.4.6.2 2013/10/20 12:58:26 bouyer Exp $        */
 
 /*++
 /* NAME
@@ -337,6 +337,24 @@
     }
 
     /*
+     * Register SHA-2 digests, if implemented and not already registered.
+     * Improves interoperability with clients and servers that prematurely
+     * deploy SHA-2 certificates.
+     */
+#if defined(LN_sha256) && defined(NID_sha256) && !defined(OPENSSL_NO_SHA256)
+    if (!EVP_get_digestbyname(LN_sha224))
+       EVP_add_digest(EVP_sha224());
+    if (!EVP_get_digestbyname(LN_sha256))
+       EVP_add_digest(EVP_sha256());
+#endif
+#if defined(LN_sha512) && defined(NID_sha512) && !defined(OPENSSL_NO_SHA512)
+    if (!EVP_get_digestbyname(LN_sha384))
+       EVP_add_digest(EVP_sha384());
+    if (!EVP_get_digestbyname(LN_sha512))
+       EVP_add_digest(EVP_sha512());
+#endif
+
+    /*
      * If the administrator specifies an unsupported digest algorithm, fail
      * now, rather than in the middle of a TLS handshake.
      */
@@ -391,6 +409,9 @@
     /*
      * Protocol work-arounds, OpenSSL version dependent.
      */
+#ifdef SSL_OP_NO_TICKET
+    off |= SSL_OP_NO_TICKET;
+#endif
     off |= tls_bug_bits();
     SSL_CTX_set_options(server_ctx, off);
 
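Review bot: the reason for `off |= SSL_OP_NO_TICKET;` lives only in the HISTORY entry, not next to the code; add a comment at the #ifdef explaining that session tickets are disabled because each smtpd(8) process would otherwise use its own ticket encryption key, which defeats the Postfix session cache, and that this is a stop-gap until 2.11 enables tickets properly. Without that note a later maintainer reading "Protocol work-arounds, OpenSSL version dependent" has no way to tell this line apart from the bug bits and may drop it as an unnecessary restriction.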


