mir/postfix
2
0
Fork 0
mirror of https://github.com/vdukhovni/postfix synced 2025-08-22 01:49:47 +00:00
Code Issues Releases Wiki Activity

postfix-3.10-20240924

Browse Source
This commit is contained in:
Wietse Z Venema 2024-09-24 00:00:00 -05:00 committed by Viktor Dukhovni
parent a34efb8d7d
commit 67b02e7393
7 changed files with 18 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
postfix/HISTORY
View File

@ -28236,3 +28236,8 @@ Apologies for any names omitted.
"peer" key, and may need to fall back on the (new with "peer" key, and may need to fall back on the (new with
OpenSSL 3.2) SSL_get0_group_name() function. Viktor Dukhovni. OpenSSL 3.2) SSL_get0_group_name() function. Viktor Dukhovni.
Files: src/tls/tls.h, src/tls/tls_dh.c, src/tls/tls_misc.c. Files: src/tls/tls.h, src/tls/tls_dh.c, src/tls/tls_misc.c.
20240924
Misc. cleanups. Viktor Dukhovni. Files: src/tls/tls_dh.c,
proto/postconf.proto, src/global/mail_params.h.

2
postfix/html/postconf.5.html
View File

@ -20299,7 +20299,7 @@ EC key agreement in OpenSSL 3.0 and later. Note that at least one of
this is required by OpenSSL 3.0. If both are inadvertently set empty, this is required by OpenSSL 3.0. If both are inadvertently set empty,
Postfix will fall back to the compiled-in defaults. </p> Postfix will fall back to the compiled-in defaults. </p>
<p> All the default groups and EC curves should sufficiently strong to make <p> All the default groups and EC curves should be sufficiently strong to make
"pruning" the defaults unwise. At a minimum, "x25519" and "prime256v1" (the "pruning" the defaults unwise. At a minimum, "x25519" and "prime256v1" (the
OpenSSL name for "secp256r1", a.k.a. "P-256") should be among the enabled EC OpenSSL name for "secp256r1", a.k.a. "P-256") should be among the enabled EC
curves, while "dhe2048" and "dhe3072" should be among the FFDHE groups. </p> curves, while "dhe2048" and "dhe3072" should be among the FFDHE groups. </p>

2
postfix/man/man5/postconf.5
View File

@ -14121,7 +14121,7 @@ EC key agreement in OpenSSL 3.0 and later. Note that at least one of
this is required by OpenSSL 3.0. If both are inadvertently set empty, this is required by OpenSSL 3.0. If both are inadvertently set empty,
Postfix will fall back to the compiled\-in defaults. Postfix will fall back to the compiled\-in defaults.
.PP .PP
All the default groups and EC curves should sufficiently strong to make All the default groups and EC curves should be sufficiently strong to make
"pruning" the defaults unwise. At a minimum, "x25519" and "prime256v1" (the "pruning" the defaults unwise. At a minimum, "x25519" and "prime256v1" (the
OpenSSL name for "secp256r1", a.k.a. "P\-256") should be among the enabled EC OpenSSL name for "secp256r1", a.k.a. "P\-256") should be among the enabled EC
curves, while "dhe2048" and "dhe3072" should be among the FFDHE groups. curves, while "dhe2048" and "dhe3072" should be among the FFDHE groups.

2
postfix/proto/postconf.proto
View File

@ -13426,7 +13426,7 @@ EC key agreement in OpenSSL 3.0 and later. Note that at least one of
this is required by OpenSSL 3.0. If both are inadvertently set empty, this is required by OpenSSL 3.0. If both are inadvertently set empty,
Postfix will fall back to the compiled-in defaults. </p> Postfix will fall back to the compiled-in defaults. </p>
<p> All the default groups and EC curves should sufficiently strong to make <p> All the default groups and EC curves should be sufficiently strong to make
"pruning" the defaults unwise. At a minimum, "x25519" and "prime256v1" (the "pruning" the defaults unwise. At a minimum, "x25519" and "prime256v1" (the
OpenSSL name for "secp256r1", a.k.a. "P-256") should be among the enabled EC OpenSSL name for "secp256r1", a.k.a. "P-256") should be among the enabled EC
curves, while "dhe2048" and "dhe3072" should be among the FFDHE groups. </p> curves, while "dhe2048" and "dhe3072" should be among the FFDHE groups. </p>

6
postfix/src/global/mail_params.h
View File

@ -3399,21 +3399,25 @@ extern char *var_tls_null_clist;
#else #else
#define DEF_TLS_EECDH_AUTO_1 "" #define DEF_TLS_EECDH_AUTO_1 ""
#endif #endif
#if defined(SN_X448) && defined(NID_X448) #if defined(SN_X448) && defined(NID_X448)
#define DEF_TLS_EECDH_AUTO_2 SN_X448 " " #define DEF_TLS_EECDH_AUTO_2 SN_X448 " "
#else #else
#define DEF_TLS_EECDH_AUTO_2 "" #define DEF_TLS_EECDH_AUTO_2 ""
#endif #endif
#if defined(SN_X9_62_prime256v1) && defined(NID_X9_62_prime256v1) #if defined(SN_X9_62_prime256v1) && defined(NID_X9_62_prime256v1)
#define DEF_TLS_EECDH_AUTO_3 SN_X9_62_prime256v1 " " #define DEF_TLS_EECDH_AUTO_3 SN_X9_62_prime256v1 " "
#else #else
#define DEF_TLS_EECDH_AUTO_3 "" #define DEF_TLS_EECDH_AUTO_3 ""
#endif #endif
#if defined(SN_secp384r1) && defined(NID_secp384r1) #if defined(SN_secp384r1) && defined(NID_secp384r1)
#define DEF_TLS_EECDH_AUTO_4 SN_secp384r1 #define DEF_TLS_EECDH_AUTO_4 SN_secp384r1 " "
#else #else
#define DEF_TLS_EECDH_AUTO_4 "" #define DEF_TLS_EECDH_AUTO_4 ""
#endif #endif
#if defined(SN_secp521r1) && defined(NID_secp521r1) #if defined(SN_secp521r1) && defined(NID_secp521r1)
#define DEF_TLS_EECDH_AUTO_5 SN_secp521r1 " " #define DEF_TLS_EECDH_AUTO_5 SN_secp521r1 " "
#else #else

2
postfix/src/global/mail_version.h
View File

@ -20,7 +20,7 @@
* Patches change both the patchlevel and the release date. Snapshots have no * Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only. * patchlevel; they change the release date only.
*/ */
#define MAIL_RELEASE_DATE "20240923" #define MAIL_RELEASE_DATE "20240924"
#define MAIL_VERSION_NUMBER "3.10" #define MAIL_VERSION_NUMBER "3.10"
#ifdef SNAPSHOT #ifdef SNAPSHOT

9
postfix/src/tls/tls_dh.c
View File

@ -333,8 +333,8 @@ static int setup_auto_groups(SSL_CTX *ctx, const char *origin,
/* /*
* OpenSSL does not tolerate duplicate groups in the requested list. * OpenSSL does not tolerate duplicate groups in the requested list.
* Deduplicate case-insensitively, just in case OpenSSL some day supports * Deduplicate case-insensitively, just in case OpenSSL some day supports
* case-insensitive group lookup. Users who specify the group name twice * case-insensitive group lookup. Deduplicate only verified extant groups
* and get the case wrong the first time deserve to be unhappy. :-) * we're going to ask OpenSSL to use.
* *
* OpenSSL 3.3 supports "?<name>" as a syntax for optionally ignoring * OpenSSL 3.3 supports "?<name>" as a syntax for optionally ignoring
* unsupported groups, so we could skip checking against the throw-away * unsupported groups, so we could skip checking against the throw-away
@ -358,8 +358,6 @@ static int setup_auto_groups(SSL_CTX *ctx, const char *origin,
SETUP_AG_RETURN(AG_STAT_NO_GROUP); SETUP_AG_RETURN(AG_STAT_NO_GROUP);
} }
for (; group != 0; group = mystrtok(&groups, GROUPS_SEP)) { for (; group != 0; group = mystrtok(&groups, GROUPS_SEP)) {
if (been_here_fixed(seen, group))
continue;
/* /*
* Validate the group name by trying it as the group for a throw-away * Validate the group name by trying it as the group for a throw-away
* SSL context. This way, we can ask for new groups that may not yet be * SSL context. This way, we can ask for new groups that may not yet be
@ -367,7 +365,8 @@ static int setup_auto_groups(SSL_CTX *ctx, const char *origin,
* silently ignored. * silently ignored.
*/ */
ERR_set_mark(); ERR_set_mark();
if (SSL_CTX_set1_curves_list(tmpctx, group) > 0) { if (SSL_CTX_set1_curves_list(tmpctx, group) > 0 &&
!been_here_fixed(seen, group)) {
if (VSTRING_LEN(names) > 0) if (VSTRING_LEN(names) > 0)
VSTRING_ADDCH(names, ':'); VSTRING_ADDCH(names, ':');
vstring_strcat(names, group); vstring_strcat(names, group);