diff --git a/postfix/HISTORY b/postfix/HISTORY index 45d3ca07c..c5437ab1c 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -20360,7 +20360,7 @@ Apologies for any names omitted. value was specified, i.e. print the entire string. This was not harmful, it just looked weird. File: util/vbuf_print.c. -20120917 +20140917 Feature: RFC 7372 enhanced status code for unknown SMTP client hostnames. File: smtpd/smtpd_check.c @@ -22140,14 +22140,14 @@ Apologies for any names omitted. Portability: added a tls_random_source default setting for MacOS X. Viktor Dukhovni. File: util/sys_defs.h. -20150118 +20160118 Bitrot: OpenSSL 1.1.0-dev (aka the "master" branch) has new security levels ranging from 0 to 5. Level "0" is backwards compatible, and other levels are increasingly restrictive. Viktor Dukhovni. Files: tls/tls_server.c, tls/tls_client.c. -20161205 +20160205 Portability: Postfix TLS support uses /dev/urandom if available and no system-specific setting exists in sys_defs.h. @@ -22368,7 +22368,7 @@ Apologies for any names omitted. milter/milter.h, smtpd/smtpd.c, smtpd/smtpd.h, smtpd/smtpd_check.c, smtpd/smtpd_haproxy.c, smtpd/smtpd_milter.c, smtpd/smtpd_peer.c. -20140612 +20160612 Bugfix (introduced: 20090211): missing server address conversion for non-proxy, non-postscreen connections. File: @@ -22605,7 +22605,7 @@ Apologies for any names omitted. passing arbitrary options. Files: makedefs, Makefile.in, proto/INSTALL.html. -20121201 +20161201 Documentation: add 'smtpd_tls_auth_only=yes' to the master.cf submission service example. File: conf/master.cf. @@ -22615,7 +22615,7 @@ Apologies for any names omitted. Documentation: typos in postconf(1) manpage. File: postconf/postconf.c. -20121204 +20161204 Cleanup: properly report numerical conversion errors in ${{number} relational-operator ${number}}, and wordsmithing. 
@@ -22737,3 +22737,15 @@ Apologies for any names omitted. cidr, pcre, and regexp table when an input does not match an ENDIF-less IF operator. Found during code maintenance. File: util/cidr_map.c, util/dict_regexp.c, util/dict_pcre.c. + +20170101 + + Portability; SunOS5 builds broke after moving the sys/types.h + include statement to the top of sys_defs.h. + + Portability: declaration after code is GNU dialect. File: + util/vbuf_print.c. + + Portability: compatibility macros for SSLv23_client_method() + etc. deprecation. Files: tls/tls.h, tls/tls_client.c, + tls/tls_dane.c, tls_server.c. diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index 07abf4893..14d547d5a 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,7 +20,7 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20161231" +#define MAIL_RELEASE_DATE "20170101" #define MAIL_VERSION_NUMBER "3.2" #ifdef SNAPSHOT diff --git a/postfix/src/tls/tls.h b/postfix/src/tls/tls.h index dcb61f6f1..79b8d73a3 100644 --- a/postfix/src/tls/tls.h +++ b/postfix/src/tls/tls.h @@ -104,6 +104,9 @@ extern const char *str_tls_level(int); #define ASN1_STRING_get0_data ASN1_STRING_data #define X509_getm_notBefore X509_get_notBefore #define X509_getm_notAfter X509_get_notAfter +#define TLS_method SSLv23_method +#define TLS_client_method SSLv23_client_method +#define TLS_server_method SSLv23_server_method #endif /* SSL_CIPHER_get_name() got constified in 0.9.7g */ diff --git a/postfix/src/tls/tls_client.c b/postfix/src/tls/tls_client.c index 117a60751..bbe18f905 100644 --- a/postfix/src/tls/tls_client.c +++ b/postfix/src/tls/tls_client.c 
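Review bot: The three new `TLS_*method` aliases in tls/tls.h carry no comment saying why they exist or which library versions take this branch, and the `#if` that guards them starts above the hunk. The call sites in tls_client.c and tls_server.c drop their own `OPENSSL_VERSION_NUMBER >= 0x10100000L && defined(TLS_ANY_VERSION)` test in this commit, so the choice of method now rests entirely on that guard. I would add above the first alias `/* OpenSSL 1.1.0 renamed the version-flexible SSLv23_*method() calls; map the new names for older libraries. */`. It is also worth confirming that the guard cannot be true for a library that already declares `TLS_client_method()`, since the alias would then silently redirect a real function name.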
@@ -350,17 +350,9 @@ TLS_APPL_STATE *tls_client_init(const TLS_CLIENT_INIT_PROPS *props) * we want to be as compatible as possible, so we will start off with a * SSLv2 greeting allowing the best we can offer: TLSv1. We can restrict * this with the options setting later, anyhow. - * - * OpenSSL 1.1.0-dev deprecates SSLv23_client_method() in favour of - * TLS_client_method(), with the change in question signalled via a new - * TLS_ANY_VERSION macro. */ ERR_clear_error(); -#if OPENSSL_VERSION_NUMBER >= 0x10100000L && defined(TLS_ANY_VERSION) client_ctx = SSL_CTX_new(TLS_client_method()); -#else - client_ctx = SSL_CTX_new(SSLv23_client_method()); -#endif if (client_ctx == 0) { msg_warn("cannot allocate client SSL_CTX: disabling TLS support"); tls_print_errors(); diff --git a/postfix/src/tls/tls_dane.c b/postfix/src/tls/tls_dane.c index 10e14b711..53fac90be 100644 --- a/postfix/src/tls/tls_dane.c +++ b/postfix/src/tls/tls_dane.c @@ -2138,7 +2138,7 @@ static SSL_CTX *ctx_init(const char *CAfile) msg_fatal("Cannot allocate SSL application data index"); ERR_clear_error(); - if ((client_ctx = SSL_CTX_new(SSLv23_client_method())) == 0) + if ((client_ctx = SSL_CTX_new(TLS_client_method())) == 0) msg_fatal("cannot allocate client SSL_CTX"); SSL_CTX_set_verify_depth(client_ctx, 5); diff --git a/postfix/src/tls/tls_server.c b/postfix/src/tls/tls_server.c index d68a11913..84426a639 100644 --- a/postfix/src/tls/tls_server.c +++ b/postfix/src/tls/tls_server.c 
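Review bot: The comment kept above `client_ctx = SSL_CTX_new(TLS_client_method());` in tls_client_init still says the handshake starts with "a SSLv2 greeting allowing the best we can offer: TLSv1", which no longer describes the call beneath it and reads as if SSLv2 compatibility were a goal. The same applies in tls_server.c, where the retained text says "we need to have the SSLv23 server here" above `TLS_server_method()`. I would reword both along the lines of `/* Use the version-flexible method; the permitted protocol versions are narrowed later through the context options. */`, which keeps the existing statement that the restriction is applied later. Where that restriction is applied lies outside both hunks, so the effective protocol floor cannot be checked from here.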
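Review bot: In ctx_init the failure branch of `SSL_CTX_new(TLS_client_method())` goes straight to `msg_fatal("cannot allocate client SSL_CTX")`, so whatever OpenSSL queued after the `ERR_clear_error()` just above is never reported. tls_client_init and tls_server_init in this same commit call `tls_print_errors();` on the equivalent failure; calling it here before `msg_fatal` would make the paths consistent, assuming that helper is visible in tls_dane.c. ctx_init begins and ends outside the hunk.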
@@ -441,17 +441,9 @@ TLS_APPL_STATE *tls_server_init(const TLS_SERVER_INIT_PROPS *props) * SSLv2), so we need to have the SSLv23 server here. If we want to limit * the protocol level, we can add an option to not use SSLv2/v3/TLSv1 * later. - * - * OpenSSL 1.1.0-dev deprecates SSLv23_server_method() in favour of - * TLS_client_method(), with the change in question signalled via a new - * TLS_ANY_VERSION macro. */ ERR_clear_error(); -#if OPENSSL_VERSION_NUMBER >= 0x10100000L && defined(TLS_ANY_VERSION) server_ctx = SSL_CTX_new(TLS_server_method()); -#else - server_ctx = SSL_CTX_new(SSLv23_server_method()); -#endif if (server_ctx == 0) { msg_warn("cannot allocate server SSL_CTX: disabling TLS support"); tls_print_errors(); diff --git a/postfix/src/util/sys_defs.h b/postfix/src/util/sys_defs.h index e01b45ecd..6d9a074e6 100644 --- a/postfix/src/util/sys_defs.h +++ b/postfix/src/util/sys_defs.h @@ -19,6 +19,9 @@ * directory. Adding support for a new system type means updating the * makedefs script, and adding a section below for the new system. */ +#ifdef SUNOS5 +#define _SVID_GETTOD /* Solaris 2.5, XSH4.2 versus SVID */ +#endif #include /* @@ -412,7 +415,6 @@ extern int opterr; */ #ifdef SUNOS5 #define SUPPORTED -#define _SVID_GETTOD /* Solaris 2.5, XSH4.2 versus SVID */ #define UINT32_TYPE unsigned int #define UINT16_TYPE unsigned short #define MISSING_SETENV diff --git a/postfix/src/util/vbuf_print.c b/postfix/src/util/vbuf_print.c index b7dcaa45c..63718ad62 100644 --- a/postfix/src/util/vbuf_print.c +++ b/postfix/src/util/vbuf_print.c @@ -105,8 +105,9 @@ */ #ifndef NO_SNPRINTF #define VBUF_SNPRINTF(bp, sz, fmt, arg) do { \ + ssize_t _ret; \ VBUF_SPACE((bp), (sz)); \ - ssize_t _ret = snprintf((char *) (bp)->ptr, (bp)->cnt, (fmt), (arg)); \ + _ret = snprintf((char *) (bp)->ptr, (bp)->cnt, (fmt), (arg)); \ if (_ret < 0) \ msg_panic("%s: output error for '%s'", myname, (fmt)); \ if (_ret >= (bp)->cnt) \
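Review bot: The relocated `#define _SVID_GETTOD` at the top of sys_defs.h now depends on its position, and nothing in the new block says so. The HISTORY entry in this commit records that SunOS5 builds broke once the first system include moved above the old definition, so a later tidy-up that folds the macro back into the SUNOS5 section further down would reintroduce the breakage. I would add `/* Must be defined before the first system #include below. */` inside the new `#ifdef SUNOS5`.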
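Review bot: `VBUF_SNPRINTF` in util/vbuf_print.c has no comment on its calling contract, and the lines shown leave three things implicit. It expands `bp` four times and `fmt` twice, it requires a `myname` variable at the call site, and its local `_ret` would shadow a caller variable of the same name used inside `arg`. I would document this above the `#define`, for example `/* Arguments are evaluated more than once; the caller must have myname in scope. */`. `snprintf()` returns `int` while `_ret` is `ssize_t` and is compared with `(bp)->cnt`, whose type is not visible here, so it is worth confirming that the truncation check is not a mixed-sign comparison. The macro body continues past the end of the hunk.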