From ae9ba12ff5acd7d55561b153cf051a2077e6921d Mon Sep 17 00:00:00 2001
From: Wietse Venema
Date: Sat, 8 Jun 2013 00:44:29 -0400
Subject: [PATCH] postfix-2.11-20130608
---
 postfix/HISTORY | 5 +++++
 postfix/src/global/mail_version.h | 2 +-
 postfix/src/tls/tls_dane.c | 23 ++++++++++++++++++-----
 3 files changed, 24 insertions(+), 6 deletions(-)
diff --git a/postfix/HISTORY b/postfix/HISTORY
index 4d99e0985..c8ee7e1dd 100644
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -18698,3 +18698,8 @@ Apologies for any names omitted.
 Robustness: check that TLSA-supplied certs have valid keys.
 It is not clear whether that check is performed in d2i().
 Viktor Dukhovni. tls/tls_dane.c.
+
+20130608
+
+ Cleanup (DANE support): be more explicit in the logging of
+ object digests. Viktor Dukhovni. tls/tls_dane.c.
diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h
index faa015ff4..27f63d0d2 100644
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,7 +20,7 @@
 * Patches change both the patchlevel and the release date. Snapshots have no
 * patchlevel; they change the release date only.
 */
-#define MAIL_RELEASE_DATE "20130607"
+#define MAIL_RELEASE_DATE "20130608"
 #define MAIL_VERSION_NUMBER "2.11"
 #ifdef SNAPSHOT
diff --git a/postfix/src/tls/tls_dane.c b/postfix/src/tls/tls_dane.c
index 7a8567bb1..47b106981 100644
--- a/postfix/src/tls/tls_dane.c
+++ b/postfix/src/tls/tls_dane.c
@@ -661,14 +661,27 @@ static void parse_tlsa_rrs(TLS_DANE *dane, DNS_RR *rr)
 * The cert or key was valid, just digest the raw object, and
 * encode the digest value. We choose SHA256.
 */
- dane_add(dane, usage, selector, sha256,
+ dane_add(dane, usage, selector, mdalg = sha256,
 digest = tls_data_fprint((char *) ip, mlen, sha256));
 break;
 }
- if (msg_verbose || dane_verbose)
- msg_info("using DANE RR: %s%s%s IN TLSA %u %u %u %s",
- rcname(rr), rarrow(rr), rr->rname,
- usage, selector, mtype, digest);
+ if (msg_verbose || dane_verbose) {
+ switch (mtype) {
+ default:
+ msg_info("using DANE RR: %s%s%s IN TLSA %u %u %u %s",
+ rcname(rr), rarrow(rr), rr->rname,
+ usage, selector, mtype, digest);
+ break;
+ case DNS_TLSA_MATCHING_TYPE_NO_HASH_USED:
+ msg_info("using DANE RR: %s%s%s IN TLSA %u %u %u <%s>; "
+ "%s digest %s",
+ rcname(rr), rarrow(rr), rr->rname,
+ usage, selector, mtype,
+ (selector == DNS_TLSA_SELECTOR_FULL_CERTIFICATE) ?
+ "certificate" : "public key", mdalg, digest);
+ break;
+ }
+ }
 myfree(digest);
 }
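Review bot: In the DNS_TLSA_MATCHING_TYPE_NO_HASH_USED branch the ternary labels every selector other than DNS_TLSA_SELECTOR_FULL_CERTIFICATE as "public key", so the log line would mislabel an unexpected selector value; that is only correct if parse_tlsa_rrs has already rejected unknown selectors before reaching this point, which lies outside the hunk. A one-line comment above the ternary would make that dependency explicit, e.g. `/* selector already validated above: anything but FULL_CERTIFICATE is the public key */`. As a point of style, `mdalg = sha256` as an assignment inside the dane_add() argument list hides that mdalg is state consumed by the log statement further down; a separate `mdalg = sha256;` on the line before the call reads more plainly, and the same applies to the `default:` label placed ahead of the only `case`. The enclosing function, and whatever assigns mdalg for the hashed matching types, start outside the hunk, so I could not confirm mdalg is set on every path that reaches the new switch.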