From 3aba8691924c7d2cb6c18cbdccd82af5e22cdc12 Mon Sep 17 00:00:00 2001 From: Wietse Venema Date: Sun, 9 Nov 2008 00:00:00 -0500 Subject: [PATCH] postfix-2.6-20081109 --- postfix/HISTORY | 4 ++++ postfix/src/dns/dns.h | 6 ++---- postfix/src/global/mail_version.h | 2 +- postfix/src/smtpd/smtpd.c | 26 ++++++++++++++------------ postfix/src/tls/tls_dh.c | 10 +++++----- 5 files changed, 26 insertions(+), 22 deletions(-) diff --git a/postfix/HISTORY b/postfix/HISTORY index 888e3d956..8fbc67cfe 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -14753,3 +14753,7 @@ Apologies for any names omitted. Bugfix (introduced Postfix 2.5): the Postfix SMTP server did not ask for a client certificate with "smtpd_tls_req_ccert = yes". Reported by Rob Foehl. File: smtpd/smtpd.c. + +20081109 + + Cleanup: confusing names of variables. File: smtpd/smtpd.c. diff --git a/postfix/src/dns/dns.h b/postfix/src/dns/dns.h index ca3916090..e95fa67c0 100644 --- a/postfix/src/dns/dns.h +++ b/postfix/src/dns/dns.h @@ -179,11 +179,9 @@ extern int dns_lookup_v(const char *, unsigned, DNS_RR **, VSTRING *, #define DNS_OK 0 /* query succeeded */ /* - * How long can a DNS name be? - * - * XXX This currently also limits the combined length of data in TXT records. + * How long can a DNS name or single text value be? */ -#define DNS_NAME_LEN 4096 +#define DNS_NAME_LEN 1024 /* LICENSE /* .ad diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index b2167971d..6af2aa16a 100644 --- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,7 +20,7 @@ * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ -#define MAIL_RELEASE_DATE "20081108" +#define MAIL_RELEASE_DATE "20081109" #define MAIL_VERSION_NUMBER "2.6" #ifdef SNAPSHOT diff --git a/postfix/src/smtpd/smtpd.c b/postfix/src/smtpd/smtpd.c index e483eb4fa..9b844ae52 100644 --- a/postfix/src/smtpd/smtpd.c 
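Review bot: In the dns.h hunk, DNS_NAME_LEN drops from 4096 to 1024 and the removed XXX note that the constant also bounds "the combined length of data in TXT records" is replaced by a comment promising a per-value limit, yet nothing in this patch touches the TXT handling and the 20081109 HISTORY entry names only the smtpd.c rename. If the TXT reader still concatenates strings into a buffer sized by this constant, the smaller value changes which records fit and should be confirmed against that code before the new comment is trusted. A HISTORY line for the dns.h change, and a comment that says where the bound is enforced — e.g. `/* Upper bound for one DNS name or one TXT string; enforced where dns_rr data is copied (presumably dns_lookup) — confirm. */` — would make the intent verifiable.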
+++ b/postfix/src/smtpd/smtpd.c @@ -1266,7 +1266,7 @@ MILTERS *smtpd_milters; * TLS initialization status. */ static TLS_APPL_STATE *smtpd_tls_ctx; -static int wantcert; +static int require_server_cert; #endif @@ -3857,7 +3857,7 @@ static void smtpd_start_tls(SMTPD_STATE *state) ADD_EXCLUDE(cipher_exclusions, var_smtpd_tls_excl_ciph); if (enforce_tls) ADD_EXCLUDE(cipher_exclusions, var_smtpd_tls_mand_excl); - if (wantcert) + if (require_server_cert) ADD_EXCLUDE(cipher_exclusions, "aNULL"); } @@ -4643,8 +4643,9 @@ static void pre_jail_init(char *unused_name, char **unused_argv) #ifdef USE_TLS TLS_SERVER_INIT_PROPS props; const char *cert_file; - int havecert; - int oknocert; + int have_server_cert; + int no_server_cert_ok; + int ask_client_cert; /* * Can't use anonymous ciphers if we want client certificates. @@ -4652,25 +4653,26 @@ static void pre_jail_init(char *unused_name, char **unused_argv) * * XXX: Ugh! Too many booleans! */ - wantcert = (var_smtpd_tls_ask_ccert - || (enforce_tls && var_smtpd_tls_req_ccert)); + ask_client_cert = require_server_cert = + (var_smtpd_tls_ask_ccert + || (enforce_tls && var_smtpd_tls_req_ccert)); if (strcasecmp(var_smtpd_tls_cert_file, "none") == 0) { - oknocert = 1; + no_server_cert_ok = 1; cert_file = ""; } else { - oknocert = 0; + no_server_cert_ok = 0; cert_file = var_smtpd_tls_cert_file; } - havecert = + have_server_cert = (*cert_file || *var_smtpd_tls_dcert_file || *var_smtpd_tls_eccert_file); /* Some TLS configuration errors are not show stoppers. */ - if (!havecert && wantcert) + if (!have_server_cert && require_server_cert) msg_warn("Need a server cert to request client certs"); if (!enforce_tls && var_smtpd_tls_req_ccert) msg_warn("Can't require client certs unless TLS is required"); /* After a show-stopper error, reply with 454 to STARTTLS. */ - if (havecert || (oknocert && !wantcert)) + if (have_server_cert || (no_server_cert_ok && !require_server_cert)) /* * Large parameter lists are error-prone, so we emulate a 
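Review bot: In the 4652 hunk, `ask_client_cert = require_server_cert = (var_smtpd_tls_ask_ccert || ...)` gives the two new names exactly one value, so the rename documents an intended distinction that the code does not yet express; a later edit to one without the other would silently desynchronize the aNULL exclusion in smtpd_start_tls (the 3857 hunk) from the ask_ccert property. A one-line why-comment at the assignment would carry the reasoning, e.g. `/* Asking for a client cert implies presenting a server cert, so anonymous ciphers are excluded. */`. The file-static in the 1266 hunk is also undocumented; `static int require_server_cert;	/* set once in pre_jail_init(); read by smtpd_start_tls() */` would tell readers where it is initialized. pre_jail_init continues past the end of this hunk.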
@@ -4701,7 +4703,7 @@ static void pre_jail_init(char *unused_name, char **unused_argv) protocols = enforce_tls ? var_smtpd_tls_mand_proto : var_smtpd_tls_proto, - ask_ccert = wantcert, + ask_ccert = ask_client_cert, fpt_dgst = var_smtpd_tls_fpt_dgst); else msg_warn("No server certs available. TLS won't be enabled"); diff --git a/postfix/src/tls/tls_dh.c b/postfix/src/tls/tls_dh.c index f4efe57f9..bc5db4f0d 100644 --- a/postfix/src/tls/tls_dh.c +++ b/postfix/src/tls/tls_dh.c @@ -192,13 +192,13 @@ DH *tls_tmp_dh_cb(SSL *unused_ssl, int export, int keylength) DH *dh_tmp; if (export && keylength == 512) { /* 40-bit export cipher */ - if (dh_1024 == 0) - dh_1024 = tls_get_dh(dh512_p, (int) sizeof(dh512_p)); - dh_tmp = dh_1024; - } else { /* ADH, DHE-RSA or DSA */ if (dh_512 == 0) - dh_512 = tls_get_dh(dh1024_p, (int) sizeof(dh1024_p)); + dh_512 = tls_get_dh(dh512_p, (int) sizeof(dh512_p)); dh_tmp = dh_512; + } else { /* ADH, DHE-RSA or DSA */ + if (dh_1024 == 0) + dh_1024 = tls_get_dh(dh1024_p, (int) sizeof(dh1024_p)); + dh_tmp = dh_1024; } return (dh_tmp); }
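Review bot: In the tls_dh.c hunk the removed lines show the two DH groups were swapped — the export branch cached dh512_p under dh_1024 while the regular ADH/DHE-RSA/DSA branch handed out the 512-bit group — so this is a security-relevant behavior change, not a cleanup, yet the 20081109 HISTORY entry records only the smtpd.c variable rename; a HISTORY line such as `Bugfix: tls_tmp_dh_cb() used the 512-bit DH parameters for non-export ciphers. File: tls/tls_dh.c.` should accompany it. The return value of tls_get_dh() is still stored and returned without a check; if it can yield a null pointer on failure, `dh_tmp` should be tested before `return (dh_tmp);` — tls_get_dh is not in this hunk, so confirm its contract.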