authorGilles Chehade <gilles@poolp.org>2019-11-11 19:15:14 +0100
committerGilles Chehade <gilles@poolp.org>2019-11-11 19:15:14 +0100
commit1b7bdc7f06667bdb81be43d1344398f7f73b8470 (patch)
tree9419f59a8e37e9fa7cc086a2d238dfedf5beb53f
parentMerge branch 'master' into libtls (diff)
parentMerge pull request #981 from ngortheone/master (diff)
Merge branch 'master' into libtls
-rw-r--r--CHANGES.md52
-rw-r--r--smtpd/ruleset.c10
-rw-r--r--smtpd/smtpd.h4
-rw-r--r--smtpd/ssl_verify.c10
4 files changed, 67 insertions, 9 deletions
diff --git a/CHANGES.md b/CHANGES.md
new file mode 100644
index 00000000..ef87ca6f
--- /dev/null
+++ b/CHANGES.md
@@ -0,0 +1,52 @@
+# Release 6.6.1 (2019-11-06)
+
+## Changes in this release (since 6.6.0)
+
+This is a bugfix release. No new features were added.
+
+- Fixed crash on recipient expansion [#968](https://github.com/OpenSMTPD/OpenSMTPD/issues/968)
+- Fixed broken build with LibreSSL [#944](https://github.com/OpenSMTPD/OpenSMTPD/issues/944)
+- Fixed crash in `arc4random` caused by differences in OpenSSL vs LibreSSL compatibility layer plumbing [#958](https://github.com/OpenSMTPD/OpenSMTPD/issues/958)
+- Fixed issue where `from any` rules never matched by IPv6 sources [#969](https://github.com/OpenSMTPD/OpenSMTPD/issues/969)
+- Fixed crash that happened during mail relay on musl distros [#929](https://github.com/OpenSMTPD/OpenSMTPD/issues/929)
+- Fixed multiple compilation warnings
+[#965](https://github.com/OpenSMTPD/OpenSMTPD/issues/965)
+[#966](https://github.com/OpenSMTPD/OpenSMTPD/issues/966)
+[#967](https://github.com/OpenSMTPD/OpenSMTPD/issues/967)
+[#978](https://github.com/OpenSMTPD/OpenSMTPD/issues/978)
+[#977](https://github.com/OpenSMTPD/OpenSMTPD/issues/977)
+[#975](https://github.com/OpenSMTPD/OpenSMTPD/issues/975)
+
+
+
+# Release 6.6.0 (2019-10-26)
+
+## Dependencies note:
+
+This release builds with LibreSSL > 3.0.2 or OpenSSL > 1.1.0.
+
+It's preferable to depend on LibreSSL as OpenSMTPD is written and tested
+with that dependency. In addition, the features parity is not respected,
+some features will not be available with OpenSSL, like ECDSA server-side
+certificates support in this release. OpenSSL library is considered as a
+best effort target TLS library and provided as a commodity, LibreSSL has
+become our target TLS library.
+
+
+## Changes in this release (since 6.4.0):
+
+- various improvements to documentation and code
+- reverse dns session matching criteria added to smtpd.conf(5)
+- regex table lookup support added to smtpd.conf(5)
+- introduced support for ECDSA certificates with an ECDSA privsep engine
+- introduced builtin filters for basic filtering of incoming sessions
+- introduced option to deliver junk to a Junk folder in mail.maildir(8)
+- fixed the smtp(1) client so it uses correct default port for SMTPS
+- fixed an smtpd(8) crash on excessively large input
+- ensured mail rejected by an LMTP server stay queued
+
+
+## Experimental features:
+
+- introduced a filters API to allow writing standalone filters for smtpd
+- introduced proxy-v2 support allowing smtpd to operate behind a proxy
diff --git a/smtpd/ruleset.c b/smtpd/ruleset.c
index 2e282367..0468ddb3 100644
--- a/smtpd/ruleset.c
+++ b/smtpd/ruleset.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ruleset.c,v 1.44 2019/08/11 17:23:12 gilles Exp $ */
+/* $OpenBSD: ruleset.c,v 1.45 2019/11/04 00:05:38 gilles Exp $ */
/*
* Copyright (c) 2009 Gilles Chehade <gilles@poolp.org>
@@ -66,8 +66,14 @@ ruleset_match_from(struct rule *r, const struct envelope *evp)
if (!r->flag_from)
return 1;
- if (evp->flags & EF_INTERNAL)
+ if (evp->flags & EF_INTERNAL) {
+ /* if expanded from an empty table_from, skip rule
+ * if no table
+ */
+ if (r->table_from == NULL)
+ return 0;
key = "local";
+ }
else if (r->flag_from_rdns) {
has_rdns = strcmp(evp->hostname, "<unknown>") != 0;
if (r->table_from == NULL)
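Review bot: The comment over the new `r->table_from == NULL` check is hard to parse ("if expanded from an empty table_from, skip rule if no table") and does not say why an internal envelope must not continue to `key = "local"` without a table. A wording such as `/* internal envelopes are matched with the key "local", which needs a table; a from-rule without one cannot match */` would record the intent, assuming the key is looked up in `table_from` further down, which the hunk does not show. The bare `return 0` also deserves a check against the rest of ruleset_match_from, whose body continues past the hunk: if the function applies rule negation to its result, this early return skips it for negated from-rules. As a style point, `}` and `else if` now sit on separate lines; `} else if (r->flag_from_rdns) {` would match the usual brace placement.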
diff --git a/smtpd/smtpd.h b/smtpd/smtpd.h
index c71b6264..6ce2ecf7 100644
--- a/smtpd/smtpd.h
+++ b/smtpd/smtpd.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: smtpd.h,v 1.641 2019/09/30 08:31:41 martijn Exp $ */
+/* $OpenBSD: smtpd.h,v 1.642 2019/11/03 23:58:51 gilles Exp $ */
/*
* Copyright (c) 2008 Gilles Chehade <gilles@poolp.org>
@@ -51,7 +51,7 @@
#define SMTPD_QUEUE_EXPIRY (4 * 24 * 60 * 60)
#define SMTPD_SOCKET "/var/run/smtpd.sock"
#define SMTPD_NAME "OpenSMTPD"
-#define SMTPD_VERSION "6.6.0"
+#define SMTPD_VERSION "6.6.1"
#define SMTPD_SESSION_TIMEOUT 300
#define SMTPD_BACKLOG 5
diff --git a/smtpd/ssl_verify.c b/smtpd/ssl_verify.c
index ebc79870..02148862 100644
--- a/smtpd/ssl_verify.c
+++ b/smtpd/ssl_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_verify.c,v 1.1 2019/09/18 11:26:30 eric Exp $ */
+/* $OpenBSD: ssl_verify.c,v 1.2 2019/11/02 03:16:45 gilles Exp $ */
/*
* Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
*
@@ -142,12 +142,12 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *name,
continue;
if (type == GEN_DNS) {
- unsigned char *data;
+ const unsigned char *data;
int format, len;
format = ASN1_STRING_type(altname->d.dNSName);
if (format == V_ASN1_IA5STRING) {
- data = ASN1_STRING_data(altname->d.dNSName);
+ data = ASN1_STRING_get0_data(altname->d.dNSName);
len = ASN1_STRING_length(altname->d.dNSName);
if (len < 0 || (size_t)len != strlen(data)) {
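Review bot: The embedded-NUL check `(size_t)len != strlen(data)` still depends on the ASN1_STRING buffer being NUL-terminated, which the switch to `ASN1_STRING_get0_data()` does not change; the OpenSSL documentation cautions against assuming termination for this data. Bounding the scan by the reported length avoids reading past the buffer while still rejecting dNSName entries with embedded NULs: `if (len < 0 || memchr(data, '\0', (size_t)len) != NULL) {`. It also removes the `const unsigned char *` to `const char *` mismatch in the `strlen()` argument, which compilers report under pointer-sign warnings. The body of this branch continues outside the hunk, so any later use of `data` as a C string would still rely on termination and needs the same review.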
@@ -187,11 +187,11 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *name,
}
} else if (type == GEN_IPADD) {
- unsigned char *data;
+ const unsigned char *data;
int datalen;
datalen = ASN1_STRING_length(altname->d.iPAddress);
- data = ASN1_STRING_data(altname->d.iPAddress);
+ data = ASN1_STRING_get0_data(altname->d.iPAddress);
if (datalen < 0) {
tls_set_errorx(ctx,