mirror of https://github.com/vdukhovni/postfix synced 2025-08-30 13:48:06 +00:00

postfix-3.2-20170101

Wietse Venema
2017-01-01 00:00:00 -05:00
committed by Viktor Dukhovni
parent 730db84450
commit 2ff8ee0764
8 changed files with 28 additions and 26 deletions


@@ -20360,7 +20360,7 @@ Apologies for any names omitted.
value was specified, i.e. print the entire string. This was
not harmful, it just looked weird. File: util/vbuf_print.c.
20120917
20140917
Feature: RFC 7372 enhanced status code for unknown SMTP
client hostnames. File: smtpd/smtpd_check.c
@@ -22140,14 +22140,14 @@ Apologies for any names omitted.
Portability: added a tls_random_source default setting for
MacOS X. Viktor Dukhovni. File: util/sys_defs.h.
20150118
20160118
Bitrot: OpenSSL 1.1.0-dev (aka the "master" branch) has new
security levels ranging from 0 to 5. Level "0" is backwards
compatible, and other levels are increasingly restrictive.
Viktor Dukhovni. Files: tls/tls_server.c, tls/tls_client.c.
20161205
20160205
Portability: Postfix TLS support uses /dev/urandom if
available and no system-specific setting exists in sys_defs.h.
@@ -22368,7 +22368,7 @@ Apologies for any names omitted.
milter/milter.h, smtpd/smtpd.c, smtpd/smtpd.h, smtpd/smtpd_check.c,
smtpd/smtpd_haproxy.c, smtpd/smtpd_milter.c, smtpd/smtpd_peer.c.
20140612
20160612
Bugfix (introduced: 20090211): missing server address
conversion for non-proxy, non-postscreen connections. File:
@@ -22605,7 +22605,7 @@ Apologies for any names omitted.
passing arbitrary options. Files: makedefs, Makefile.in,
proto/INSTALL.html.
20121201
20161201
Documentation: add 'smtpd_tls_auth_only=yes' to the master.cf
submission service example. File: conf/master.cf.
@@ -22615,7 +22615,7 @@ Apologies for any names omitted.
Documentation: typos in postconf(1) manpage. File:
postconf/postconf.c.
20121204
20161204
Cleanup: properly report numerical conversion errors in
${{number} relational-operator ${number}}, and wordsmithing.
@@ -22737,3 +22737,15 @@ Apologies for any names omitted.
cidr, pcre, and regexp table when an input does not match
an ENDIF-less IF operator. Found during code maintenance.
File: util/cidr_map.c, util/dict_regexp.c, util/dict_pcre.c.
20170101
Portability; SunOS5 builds broke after moving the sys/types.h
include statement to the top of sys_defs.h.
Portability: declaration after code is GNU dialect. File:
util/vbuf_print.c.
Portability: compatibility macros for SSLv23_client_method()
etc. deprecation. Files: tls/tls.h, tls/tls_client.c,
tls/tls_dane.c, tls_server.c.


@@ -20,7 +20,7 @@
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
#define MAIL_RELEASE_DATE "20161231"
#define MAIL_RELEASE_DATE "20170101"
#define MAIL_VERSION_NUMBER "3.2"
#ifdef SNAPSHOT


@@ -104,6 +104,9 @@ extern const char *str_tls_level(int);
#define ASN1_STRING_get0_data ASN1_STRING_data
#define X509_getm_notBefore X509_get_notBefore
#define X509_getm_notAfter X509_get_notAfter
#define TLS_method SSLv23_method
#define TLS_client_method SSLv23_client_method
#define TLS_server_method SSLv23_server_method
#endif
/* SSL_CIPHER_get_name() got constified in 0.9.7g */
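Review bot: The three new aliases `TLS_method`, `TLS_client_method` and `TLS_server_method` carry no comment saying that they stand for the version-flexible methods, so a reader could take them as selecting a protocol version. I would add above them `/* 1.1.0 names for the version-flexible SSLv23_*_method(); protocol limits still come from the SSL_CTX options. */`. The `#if` that this `#endif` closes starts outside the hunk, so its condition should be checked against any library build that already declares `TLS_method()` itself, because the defines would then silently rename those calls.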


@@ -350,17 +350,9 @@ TLS_APPL_STATE *tls_client_init(const TLS_CLIENT_INIT_PROPS *props)
* we want to be as compatible as possible, so we will start off with a
* SSLv2 greeting allowing the best we can offer: TLSv1. We can restrict
* this with the options setting later, anyhow.
*
* OpenSSL 1.1.0-dev deprecates SSLv23_client_method() in favour of
* TLS_client_method(), with the change in question signalled via a new
* TLS_ANY_VERSION macro.
*/
ERR_clear_error();
#if OPENSSL_VERSION_NUMBER >= 0x10100000L && defined(TLS_ANY_VERSION)
client_ctx = SSL_CTX_new(TLS_client_method());
#else
client_ctx = SSL_CTX_new(SSLv23_client_method());
#endif
if (client_ctx == 0) {
msg_warn("cannot allocate client SSL_CTX: disabling TLS support");
tls_print_errors();
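Review bot: The comment kept above `client_ctx = SSL_CTX_new(TLS_client_method());` still speaks of an SSLv2 greeting with TLSv1 as the best offer, and with the OpenSSL 1.1.0 paragraph removed nothing explains the call that is now made unconditionally. I would add a line such as `* TLS_client_method() is version-flexible; for older OpenSSL it is mapped to SSLv23_client_method() by a compatibility macro.` so it stays clear that the protocol floor is decided by the later options setting and not here. The same applies to the comment above `server_ctx = SSL_CTX_new(TLS_server_method());` in the tls_server_init section further down. Both functions start and end outside their hunks.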


@@ -2138,7 +2138,7 @@ static SSL_CTX *ctx_init(const char *CAfile)
msg_fatal("Cannot allocate SSL application data index");
ERR_clear_error();
if ((client_ctx = SSL_CTX_new(SSLv23_client_method())) == 0)
if ((client_ctx = SSL_CTX_new(TLS_client_method())) == 0)
msg_fatal("cannot allocate client SSL_CTX");
SSL_CTX_set_verify_depth(client_ctx, 5);


@@ -441,17 +441,9 @@ TLS_APPL_STATE *tls_server_init(const TLS_SERVER_INIT_PROPS *props)
* SSLv2), so we need to have the SSLv23 server here. If we want to limit
* the protocol level, we can add an option to not use SSLv2/v3/TLSv1
* later.
*
* OpenSSL 1.1.0-dev deprecates SSLv23_server_method() in favour of
* TLS_client_method(), with the change in question signalled via a new
* TLS_ANY_VERSION macro.
*/
ERR_clear_error();
#if OPENSSL_VERSION_NUMBER >= 0x10100000L && defined(TLS_ANY_VERSION)
server_ctx = SSL_CTX_new(TLS_server_method());
#else
server_ctx = SSL_CTX_new(SSLv23_server_method());
#endif
if (server_ctx == 0) {
msg_warn("cannot allocate server SSL_CTX: disabling TLS support");
tls_print_errors();


@@ -19,6 +19,9 @@
* directory. Adding support for a new system type means updating the
* makedefs script, and adding a section below for the new system.
*/
#ifdef SUNOS5
#define _SVID_GETTOD /* Solaris 2.5, XSH4.2 versus SVID */
#endif
#include <sys/types.h>
/*
@@ -412,7 +415,6 @@ extern int opterr;
*/
#ifdef SUNOS5
#define SUPPORTED
#define _SVID_GETTOD /* Solaris 2.5, XSH4.2 versus SVID */
#define UINT32_TYPE unsigned int
#define UINT16_TYPE unsigned short
#define MISSING_SETENV
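Review bot: The new `#ifdef SUNOS5` block placed ahead of `#include <sys/types.h>` does not say why it has to sit there, and the file now has two SUNOS5 blocks far apart. Going by the changelog entry, the define must be seen before the first system header, so I would extend the comment to something like `#define _SVID_GETTOD /* Solaris 2.5, XSH4.2 versus SVID; must precede <sys/types.h> */`. Without that, a later cleanup could merge it back into the per-system section near the second hunk and break the SunOS5 build again.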


@@ -105,8 +105,9 @@
*/
#ifndef NO_SNPRINTF
#define VBUF_SNPRINTF(bp, sz, fmt, arg) do { \
ssize_t _ret; \
VBUF_SPACE((bp), (sz)); \
ssize_t _ret = snprintf((char *) (bp)->ptr, (bp)->cnt, (fmt), (arg)); \
_ret = snprintf((char *) (bp)->ptr, (bp)->cnt, (fmt), (arg)); \
if (_ret < 0) \
msg_panic("%s: output error for '%s'", myname, (fmt)); \
if (_ret >= (bp)->cnt) \