Hello community, here is the log from the commit of package postfix for openSUSE:Factory checked in at 2016-09-09 10:16:09 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/postfix (Old) and /work/SRC/openSUSE:Factory/.postfix.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "postfix" Changes: -------- --- /work/SRC/openSUSE:Factory/postfix/postfix.changes 2016-06-29 15:02:49.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.postfix.new/postfix.changes 2016-09-09 10:16:20.000000000 +0200 @@ -1,0 +2,13 @@ +Sun Sep 4 15:33:27 UTC 2016 - michael@stroeder.com + +- update to 3.1.2: + * Changes to make Postfix build with OpenSSL 1.1.0. + * The makedefs script ignored readme_directory=pathname overrides. + Fix by Todd C. Olson. + * The tls_session_ticket_cipher documentation says that the default + cipher for TLS session tickets is aes-256-cbc, but the implemented + default was aes-128-cbc. Note that TLS session ticket keys are + rotated after 1/2 hour, to limit the impact of attacks on session + ticket keys. + +------------------------------------------------------------------- Old: ---- postfix-3.1.1.tar.gz New: ---- postfix-3.1.2.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ postfix.spec ++++++ --- /var/tmp/diff_new_pack.DKylIi/_old 2016-09-09 10:16:22.000000000 +0200 +++ /var/tmp/diff_new_pack.DKylIi/_new 2016-09-09 10:16:22.000000000 +0200 @@ -59,7 +59,7 @@ %define _unitdir /lib/systemd %endif Name: postfix -Version: 3.1.1 +Version: 3.1.2 Release: 0 Summary: A fast, secure, and flexible mailer License: IPL-1.0 ++++++ postfix-3.1.1.tar.gz -> postfix-3.1.2.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.1.1/HISTORY new/postfix-3.1.2/HISTORY --- old/postfix-3.1.1/HISTORY 2016-05-15 19:10:24.000000000 +0200 +++ new/postfix-3.1.2/HISTORY 2016-08-28 01:50:23.000000000 +0200 @@ -22216,3 +22216,23 @@ 20160515 Portability: OpenBSD 6.0. Files: makedefs, util/sys_defs.h. + +20160819 + + Bugfix (introduced: Postfix 3.0): the makedefs script ignored + readme_directory=pathname overrides. Fix by Todd C. Olson. + File: makedefs. + +20160821 + + Bugfix (introduced: Postfix 3.0): the tls_session_ticket_cipher + documentation says aes-256-cbc, but the implementation was + using aes-128-cbc (note that Postfix SMTP server and client + processes have a limited life time). + +20160828 + + Bitrot: fixes for incompatible OpenSSL 1.1.0 API changes. + Viktor Dukhovni. Files: posttls-finger/posttls-finger.c, + tls/tls.h, tls/tls_dane.c, tls/tls_verify.c, tls/tls_server.c, + tls/tls_client.c. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.1.1/makedefs new/postfix-3.1.2/makedefs --- old/postfix-3.1.1/makedefs 2016-05-15 18:39:11.000000000 +0200 +++ new/postfix-3.1.2/makedefs 2016-08-20 02:08:42.000000000 +0200 @@ -962,7 +962,7 @@ manpage_directory_macro=DEF_MANPAGE_DIR readme_directory_macro=DEF_README_DIR -for parm_name in html_directory manpage_directory +for parm_name in html_directory manpage_directory readme_directory do eval parm_val=\"\$$parm_name\" eval parm_macro=\"\$${parm_name}_macro\" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.1.1/src/global/mail_params.h new/postfix-3.1.2/src/global/mail_params.h --- old/postfix-3.1.1/src/global/mail_params.h 2016-01-31 22:05:46.000000000 +0100 +++ new/postfix-3.1.2/src/global/mail_params.h 2016-08-20 15:17:27.000000000 +0200 @@ -3206,7 +3206,7 @@ extern char *var_tls_ssl_options; #define VAR_TLS_TKT_CIPHER "tls_session_ticket_cipher" -#define DEF_TLS_TKT_CIPHER "aes-128-cbc" +#define DEF_TLS_TKT_CIPHER "aes-256-cbc" extern char *var_tls_tkt_cipher; #define VAR_TLS_BC_PKEY_FPRINT "tls_legacy_public_key_fingerprints" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.1.1/src/global/mail_version.h new/postfix-3.1.2/src/global/mail_version.h --- old/postfix-3.1.1/src/global/mail_version.h 2016-05-15 18:56:21.000000000 +0200 +++ new/postfix-3.1.2/src/global/mail_version.h 2016-08-27 23:51:27.000000000 +0200 @@ -20,8 +20,8 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20160515" -#define MAIL_VERSION_NUMBER "3.1.1" +#define MAIL_RELEASE_DATE "20160828" +#define MAIL_VERSION_NUMBER "3.1.2" #ifdef SNAPSHOT #define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.1.1/src/posttls-finger/posttls-finger.c new/postfix-3.1.2/src/posttls-finger/posttls-finger.c --- old/postfix-3.1.1/src/posttls-finger/posttls-finger.c 2016-01-04 13:26:16.000000000 +0100 +++ new/postfix-3.1.2/src/posttls-finger/posttls-finger.c 2016-08-27 22:27:50.000000000 +0200 @@ -1511,7 +1511,7 @@ return (0); } -#ifdef USE_TLS +#if defined(USE_TLS) && OPENSSL_VERSION_NUMBER < 0x10100000L /* ssl_cleanup - free memory allocated in the OpenSSL library */ @@ -1529,7 +1529,8 @@ CRYPTO_cleanup_all_ex_data(); } -#endif +#endif /* USE_TLS && OPENSSL_VERSION_NUMBER + * < 0x10100000L */ /* run - do what we were asked to do. */ @@ -1955,7 +1956,9 @@ /* Be valgrind friendly and clean-up */ cleanup(&state); -#ifdef USE_TLS + + /* OpenSSL 1.1.0 and later (de)initialization is implicit */ +#if defined(USE_TLS) && OPENSSL_VERSION_NUMBER < 0x10100000L ssl_cleanup(); #endif diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.1.1/src/tls/tls.h new/postfix-3.1.2/src/tls/tls.h --- old/postfix-3.1.1/src/tls/tls.h 2016-02-06 21:09:41.000000000 +0100 +++ new/postfix-3.1.2/src/tls/tls.h 2016-08-27 22:27:50.000000000 +0200 @@ -93,7 +93,17 @@ #define OpenSSL_version_num SSLeay #define OpenSSL_version SSLeay_version #define OPENSSL_VERSION SSLEAY_VERSION -#define X509_up_ref(x) CRYPTO_add(&((x)->references), 1, CRYPTO_LOCK_X509) +#define X509_up_ref(x) \ + CRYPTO_add(&((x)->references), 1, CRYPTO_LOCK_X509) +#define EVP_PKEY_up_ref(k) \ + CRYPTO_add(&((k)->references), 1, CRYPTO_LOCK_EVP_PKEY) +#define X509_STORE_CTX_get0_cert(ctx) ((ctx)->cert) +#define X509_STORE_CTX_get0_untrusted(ctx) ((ctx)->untrusted) +#define X509_STORE_CTX_set0_untrusted X509_STORE_CTX_set_chain +#define X509_STORE_CTX_set0_trusted_stack X509_STORE_CTX_trusted_stack +#define ASN1_STRING_get0_data ASN1_STRING_data +#define X509_getm_notBefore X509_get_notBefore +#define X509_getm_notAfter X509_get_notAfter #endif /* SSL_CIPHER_get_name() got constified in 0.9.7g */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.1.1/src/tls/tls_client.c new/postfix-3.1.2/src/tls/tls_client.c --- old/postfix-3.1.1/src/tls/tls_client.c 2016-01-31 22:05:46.000000000 +0100 +++ new/postfix-3.1.2/src/tls/tls_client.c 2016-08-27 22:27:50.000000000 +0200 @@ -299,6 +299,8 @@ */ tls_check_version(); +#if OPENSSL_VERSION_NUMBER < 0x10100000L + /* * Initialize the OpenSSL library by the book! To start with, we must * initialize the algorithms. We want cleartext error messages instead of @@ -306,6 +308,7 @@ */ SSL_load_error_strings(); OpenSSL_add_ssl_algorithms(); +#endif /* * Create an application data index for SSL objects, so that we can @@ -363,7 +366,6 @@ tls_print_errors(); return (0); } - #ifdef SSL_SECOP_PEER /* Backwards compatible security as a base for opportunistic TLS. */ SSL_CTX_set_security_level(client_ctx, 0); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.1.1/src/tls/tls_dane.c new/postfix-3.1.2/src/tls/tls_dane.c --- old/postfix-3.1.1/src/tls/tls_dane.c 2015-11-01 01:24:04.000000000 +0100 +++ new/postfix-3.1.2/src/tls/tls_dane.c 2016-08-27 22:27:50.000000000 +0200 @@ -573,7 +573,7 @@ { TLS_PKEYS *new = (TLS_PKEYS *) mymalloc(sizeof(*new)); - CRYPTO_add(&k->references, 1, CRYPTO_LOCK_EVP_PKEY); + EVP_PKEY_up_ref(k); new->pkey = k; new->next = d->pkeys; d->pkeys = new; @@ -1465,7 +1465,7 @@ * self-signature checks! */ id = ((akid && akid->keyid) ? akid->keyid : 0); - if (id && ASN1_STRING_length(id) == 1 && *ASN1_STRING_data(id) == c) + if (id && ASN1_STRING_length(id) == 1 && *ASN1_STRING_get0_data(id) == c) c = 1; if ((akid = AUTHORITY_KEYID_new()) != 0 @@ -1583,10 +1583,10 @@ */ if (!X509_set_version(cert, 2) || !set_serial(cert, akid, subject) - || !X509_set_subject_name(cert, name) || !set_issuer_name(cert, akid) - || !X509_gmtime_adj(X509_get_notBefore(cert), -30 * 86400L) - || !X509_gmtime_adj(X509_get_notAfter(cert), 30 * 86400L) + || !X509_gmtime_adj(X509_getm_notBefore(cert), -30 * 86400L) + || !X509_gmtime_adj(X509_getm_notAfter(cert), 30 * 86400L) + || !X509_set_subject_name(cert, name) || !X509_set_pubkey(cert, key ? key : signkey) || !add_ext(0, cert, NID_basic_constraints, "CA:TRUE") || (key && !add_akid(cert, akid)) @@ -1720,8 +1720,8 @@ int depth = 0; EVP_PKEY *takey; X509 *ca; - X509 *cert = ctx->cert; /* XXX: Accessor? */ - x509_stack_t *in = ctx->untrusted; /* XXX: Accessor? */ + X509 *cert = X509_STORE_CTX_get0_cert(ctx); + x509_stack_t *in = X509_STORE_CTX_get0_untrusted(ctx); /* shallow copy */ if ((in = sk_X509_dup(in)) == 0) @@ -1802,7 +1802,7 @@ { const char *myname = "dane_cb"; TLS_SESS_STATE *TLScontext = (TLS_SESS_STATE *) app_ctx; - X509 *cert = ctx->cert; /* XXX: accessor? */ + X509 *cert = X509_STORE_CTX_get0_cert(ctx); /* * Degenerate case: depth 0 self-signed cert. @@ -1832,9 +1832,9 @@ * Check that setting the untrusted chain updates the expected structure * member at the expected offset. */ - X509_STORE_CTX_trusted_stack(ctx, TLScontext->trusted); - X509_STORE_CTX_set_chain(ctx, TLScontext->untrusted); - if (ctx->untrusted != TLScontext->untrusted) + X509_STORE_CTX_set0_trusted_stack(ctx, TLScontext->trusted); + X509_STORE_CTX_set0_untrusted(ctx, TLScontext->untrusted); + if (X509_STORE_CTX_get0_untrusted(ctx) != TLScontext->untrusted) msg_panic("%s: OpenSSL ABI change", myname); return X509_verify_cert(ctx); @@ -2163,8 +2163,10 @@ tls_param_init(); tls_check_version(); +#if OPENSSL_VERSION_NUMBER < 0x10100000L SSL_load_error_strings(); SSL_library_init(); +#endif if (!tls_validate_digest(LN_sha1)) msg_fatal("%s digest algorithm not available", LN_sha1); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.1.1/src/tls/tls_server.c new/postfix-3.1.2/src/tls/tls_server.c --- old/postfix-3.1.1/src/tls/tls_server.c 2016-01-31 22:05:46.000000000 +0100 +++ new/postfix-3.1.2/src/tls/tls_server.c 2016-08-27 22:27:50.000000000 +0200 @@ -173,9 +173,18 @@ #endif /* OPENSSL_VERSION_NUMBER */ + /* OpenSSL 1.1.0 bitrot */ +#if OPENSSL_VERSION_NUMBER >= 0x10100000L +typedef const unsigned char *session_id_t; + +#else +typedef unsigned char *session_id_t; + +#endif + /* get_server_session_cb - callback to retrieve session from server cache */ -static SSL_SESSION *get_server_session_cb(SSL *ssl, unsigned char *session_id, +static SSL_SESSION *get_server_session_cb(SSL *ssl, session_id_t session_id, int session_id_length, int *unused_copy) { @@ -368,6 +377,8 @@ */ tls_check_version(); +#if OPENSSL_VERSION_NUMBER < 0x10100000L + /* * Initialize the OpenSSL library by the book! To start with, we must * initialize the algorithms. We want cleartext error messages instead of @@ -375,6 +386,7 @@ */ SSL_load_error_strings(); OpenSSL_add_ssl_algorithms(); +#endif /* * First validate the protocols. If these are invalid, we can't continue. @@ -445,7 +457,6 @@ tls_print_errors(); return (0); } - #ifdef SSL_SECOP_PEER /* Backwards compatible security as a base for opportunistic TLS. */ SSL_CTX_set_security_level(server_ctx, 0); @@ -758,7 +769,6 @@ tls_free_context(TLScontext); return (0); } - #ifdef SSL_SECOP_PEER /* When authenticating the peer, use 80-bit plus OpenSSL security level */ if (props->requirecert) @@ -896,10 +906,10 @@ X509_free(peer); /* - * Give them a clue. Problems with trust chain verification are logged - * when the session is first negotiated, before the session is stored - * into the cache. We don't want mystery failures, so log the fact the - * real problem is to be found in the past. + * Give them a clue. Problems with trust chain verification are + * logged when the session is first negotiated, before the session is + * stored into the cache. We don't want mystery failures, so log the + * fact the real problem is to be found in the past. */ if (!TLS_CERT_IS_TRUSTED(TLScontext) && (TLScontext->log_mask & TLS_LOG_UNTRUSTED)) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/postfix-3.1.1/src/tls/tls_verify.c new/postfix-3.1.2/src/tls/tls_verify.c --- old/postfix-3.1.1/src/tls/tls_verify.c 2015-11-01 01:24:04.000000000 +0100 +++ new/postfix-3.1.2/src/tls/tls_verify.c 2016-08-27 22:27:50.000000000 +0200 @@ -440,7 +440,7 @@ /* * Safe to treat as an ASCII string possibly holding a DNS name */ - dnsname = (char *) ASN1_STRING_data(gn->d.ia5); + dnsname = (const char *) ASN1_STRING_get0_data(gn->d.ia5); len = ASN1_STRING_length(gn->d.ia5); TRIM0(dnsname, len);