From bc7be0f7d4fb7f5b94b4aaeaa7c23a7837edbae5 Mon Sep 17 00:00:00 2001
From: Wietse Venema
Date: Tue, 19 Feb 2019 00:00:00 -0500
Subject: [PATCH] postfix-3.5-20190219
---
 postfix/HISTORY | 11 +++++--
 postfix/src/global/mail_version.h | 2 +-
 postfix/src/smtp/smtp_proto.c | 2 ++
 postfix/src/tlsproxy/tlsproxy.c | 48 ++++++++++++++-----------------
 4 files changed, 33 insertions(+), 30 deletions(-)
diff --git a/postfix/HISTORY b/postfix/HISTORY
index 8be813a44..4540a81da 100644
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -24142,8 +24142,8 @@ Apologies for any names omitted.
 libtls seems to have to accreted multiple init functions instead of reusing the tls_client_init() and tls_client_start() API. And some functions that do initialization don't even
- have init in their name! Viktor Dukhovni. Files: tls/tls_misc.c,
- tlsproxy/tlsproxy.c.
+ have init in their name! Problem report by Andreas Schulze.
+ Viktor Dukhovni. Files: tls/tls_misc.c, tlsproxy/tlsproxy.c.
 Workaround: Postfix libtls makes DANE-specific changes to the shared SSL_CTX. To avoid false sharing, tlsproxy needs
@@ -24155,3 +24155,10 @@ Apologies for any names omitted.
 avoid false sharing in tlsproxy, the changes are now made to the SSL handle. Viktor Dukhovni. Files: tls/tls.h, tls/tls_client.c, tls/tls_misc.c, tls/tls_server.c.
+
+20190219
+
+ Bugfix: in the Postfix SMTP client, TLS wrappermode was not
+ tested in tlsproxy mode. It needed some setup for buffering
+ and timeouts. Problem report by Andreas Schulze. File:
+ smtp/smtp_proto.c.
diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h
index 2bb8bcb70..1479c9423 100644
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,7 +20,7 @@
 * Patches change both the patchlevel and the release date. Snapshots have no
 * patchlevel; they change the release date only.
 */
-#define MAIL_RELEASE_DATE "20190218"
+#define MAIL_RELEASE_DATE "20190219"
 #define MAIL_VERSION_NUMBER "3.5"
 #ifdef SNAPSHOT
diff --git a/postfix/src/smtp/smtp_proto.c b/postfix/src/smtp/smtp_proto.c
index ce2352bc9..a43a326af 100644
--- a/postfix/src/smtp/smtp_proto.c
+++ b/postfix/src/smtp/smtp_proto.c
@@ -337,6 +337,8 @@ int smtp_helo(SMTP_STATE *state)
 && (state->misc_flags & SMTP_MISC_FLAG_IN_STARTTLS) == 0) {
 /* XXX Mix-up of per-session and per-request flags. */
 state->misc_flags |= SMTP_MISC_FLAG_IN_STARTTLS;
+ smtp_stream_setup(state->session->stream, var_smtp_starttls_tmout,
+ var_smtp_rec_deadline);
 tls_helo_status = smtp_start_tls(state);
 state->misc_flags &= ~SMTP_MISC_FLAG_IN_STARTTLS;
 return (tls_helo_status);
diff --git a/postfix/src/tlsproxy/tlsproxy.c b/postfix/src/tlsproxy/tlsproxy.c
index 8d07d6663..f30c0d0db 100644
--- a/postfix/src/tlsproxy/tlsproxy.c
+++ b/postfix/src/tlsproxy/tlsproxy.c
@@ -1140,14 +1140,6 @@ static void tlsp_log_config_diff(const char *server_cfg, const char *client_cfg)
 myfree(saved_server);
 }
- /*
- * Macro for readability.
- */
-#define TLSP_CLIENT_INIT(params, props, a1, a2, a3, a4, a5, a6, a7, a8, a9, \
- a10, a11, a12, a13, a14, dane_based) \
- tlsp_client_init((params), TLS_CLIENT_INIT_ARGS((props), a1, a2, a3, a4, \
- a5, a6, a7, a8, a9, a10, a11, a12, a13, a14), (dane_based))
-
 /* tlsp_client_init - initialize a TLS client engine */
 static TLS_APPL_STATE *tlsp_client_init(TLS_CLIENT_PARAMS *tls_params,
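Review bot: The added `smtp_stream_setup()` call in the wrappermode branch of smtp_helo carries no comment explaining why stream setup belongs here, so the next reader sees an unexplained STARTTLS-timeout call in a non-STARTTLS path and may move or drop it; only the HISTORY entry records that the tlsproxy-mode handshake needed buffering and timeout setup. I would add, above the call, `/* Wrappermode: the stream has had no buffering/timeout setup yet; set the TLS handshake timeout and record deadline before the handshake (needed for the tlsproxy path). */`. Applying var_smtp_starttls_tmout here also bounds how long a stalled or silent peer can hold the client in the handshake, which is presumably intended and worth stating. The existing `XXX Mix-up of per-session and per-request flags` note on the line above may apply to the new call too, since it applies session-wide timeouts inside a per-request code path; I cannot confirm from the hunk alone. smtp_helo's body starts and ends outside this hunk.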
@@ -1173,9 +1165,10 @@ static TLS_APPL_STATE *tlsp_client_init(TLS_CLIENT_PARAMS *tls_params,
 * pre-jail request TLS_CLIENT_PARAMS and TLSPROXY_CLIENT_INIT_PROPS
 * settings, so that we can detect post-jail requests that do not match.
 *
- * Workaround: salt the hash-table key with DANE on/off info. This is needed
- * because Postfix DANE support modifies SSL_CTX to override certificate
- * verification. This should no longer be needed as of OpenSSL 1.0.2.
+ * Workaround: salt the hash-table key with DANE on/off info. This avoids
+ * cross-talk between DANE and non-DANE sessions. Postfix DANE support
+ * modifies SSL_CTX to override certificate verification because there is
+ * no other way to do this before OpenSSL 1.1.0.
 */
 param_buf = vstring_alloc(100);
 param_key = tls_proxy_client_param_with_names_to_string(
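Review bot: The rewritten comment no longer says on which builds the DANE salt is still required: the old text bounded it ("should no longer be needed as of OpenSSL 1.0.2"), while the new text mentions OpenSSL 1.1.0 only as the point where a non-SSL_CTX mechanism exists, so a reader cannot tell whether builds against 1.1.0 or later may drop the salt. Because the salt is what keeps a non-DANE session from being served an SSL_CTX whose certificate verification was overridden for DANE (or the reverse), that matters for verification correctness, and I would make the condition explicit, e.g. `* The salt remains necessary for builds where the SSL_CTX is modified (OpenSSL < 1.1.0); on newer OpenSSL the DANE settings live on the SSL handle, but the salt is harmless, so keep it.` — hedged, since whether the SSL_CTX modification is actually skipped on newer OpenSSL is not visible here (the HISTORY entry above says the changes are now made to the SSL handle). tlsp_client_init starts and ends outside this hunk.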
@@ -1675,23 +1668,24 @@ static void pre_jail_init(char *unused_name, char **unused_argv)
 * Large parameter lists are error-prone, so we emulate a language
 * feature that C does not have natively: named parameter lists.
 */
+ (void) tls_proxy_client_param_from_config(&tls_params);
+ (void) TLS_CLIENT_INIT_ARGS(&init_props,
+ log_param = var_tlsp_clnt_logparam,
+ log_level = var_tlsp_clnt_loglevel,
+ verifydepth = var_tlsp_clnt_scert_vd,
+ cache_type = TLS_MGR_SCACHE_SMTP,
+ chain_files = var_tlsp_clnt_chain_files,
+ cert_file = var_tlsp_clnt_cert_file,
+ key_file = var_tlsp_clnt_key_file,
+ dcert_file = var_tlsp_clnt_dcert_file,
+ dkey_file = var_tlsp_clnt_dkey_file,
+ eccert_file = var_tlsp_clnt_eccert_file,
+ eckey_file = var_tlsp_clnt_eckey_file,
+ CAfile = var_tlsp_clnt_CAfile,
+ CApath = var_tlsp_clnt_CApath,
+ mdalg = var_tlsp_clnt_fpt_dgst);
 for (dane_based_mode = 0; dane_based_mode < 2; dane_based_mode++) {
- if (TLSP_CLIENT_INIT(tls_proxy_client_param_from_config(&tls_params),
- &init_props,
- log_param = var_tlsp_clnt_logparam,
- log_level = var_tlsp_clnt_loglevel,
- verifydepth = var_tlsp_clnt_scert_vd,
- cache_type = TLS_MGR_SCACHE_SMTP,
- chain_files = var_tlsp_clnt_chain_files,
- cert_file = var_tlsp_clnt_cert_file,
- key_file = var_tlsp_clnt_key_file,
- dcert_file = var_tlsp_clnt_dcert_file,
- dkey_file = var_tlsp_clnt_dkey_file,
- eccert_file = var_tlsp_clnt_eccert_file,
- eckey_file = var_tlsp_clnt_eckey_file,
- CAfile = var_tlsp_clnt_CAfile,
- CApath = var_tlsp_clnt_CApath,
- mdalg = var_tlsp_clnt_fpt_dgst,
+ if (tlsp_client_init(&tls_params, &init_props, dane_based_mode) == 0)
 msg_warn("TLS client initialization failed");
 }
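Review bot: The `msg_warn("TLS client initialization failed")` at the end of the hunk is now reached from a loop over both DANE modes but does not say which mode failed, so an operator cannot tell whether DANE or non-DANE client initialization is broken; I would change it to `msg_warn("TLS client initialization failed (dane_based_mode=%d)", dane_based_mode);`. With the parameter setup hoisted above the loop, the same `init_props` (and `tls_params`) is handed to `tlsp_client_init()` on both iterations, which is only safe if the callee neither retains the pointer nor modifies the struct — the hunk does not show the callee, so a comment above the loop such as `/* init_props and tls_params are reused for both modes; tlsp_client_init() must treat them as read-only. */` would record the assumption. Initialization failure is still only a warning, so pre_jail_init continues without a client engine for that mode; if that is deliberate (a server-only tlsproxy), a short comment saying so would stop the next reader from "fixing" it into a fatal error. pre_jail_init continues outside the hunk.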