[Exim] CRL support for exim 4.30 with gnutls 1.0.4 (patch)

Author: Vivek
Date:  
To: exim-users
Subject: [Exim] CRL support for exim 4.30 with gnutls 1.0.4 (patch)
This message is in MIME format. The first part should be readable text,
while the remaining parts are likely unreadable without MIME-aware tools.
Send mail to mime@??? for more info.
--
Hi there: I needed CRL support for exim 4, and I noted that gnutls had
added CRL support at some point, so I cobbled together this patch
(for the debian package) and sent it to the maintainer, who suggested I
post it here.

I also have a patch against openssl, ported from one that someone at work did,
but it is more complicated and I haven't tested it yet; it also needs a little
work to behave in the same manner as the gnutls patch.

Anyway, in addition to tweaking tls-gnu.c, the patch adds a config
variable, tls_crl, which should be a file containing all the PEM
encoded CRLs you want to use. [ cf tls_verify_certificates, which
should contain the PEM encoded CA certificates you want to use to
check client certs. ]

I have tried it with two different CA certs and CRLs simultaneously,
and it worked for me - hopefully it will be of some use to other people
too. If people are interested, I can supply the openssl patch too.
[ which will work slightly differently, in that tls_crl, like
tls_verify_certificates, will be allowed to be a directory name ]

--
vivek

--
Content-Description:

diff -ur exim4-4.30/src/globals.c exim4-4.30/src/globals.c
--- exim4-4.30/src/globals.c    Mon Dec  1 10:15:41 2003
+++ exim4-4.30/src/globals.c    Thu Jan 22 15:52:10 2004
@@ -98,6 +98,7 @@
 const pcre *regex_STARTTLS     = NULL;
 uschar *tls_advertise_hosts    = NULL;    /* This is deliberate */
 uschar *tls_certificate        = NULL;
+uschar *tls_crl                = NULL;
 uschar *tls_dhparam            = NULL;
 BOOL    tls_offered            = FALSE;
 BOOL    tls_on_connect         = FALSE;
diff -ur exim4-4.30/src/globals.h exim4-4.30/src/globals.h
--- exim4-4.30/src/globals.h    Mon Dec  1 10:15:41 2003
+++ exim4-4.30/src/globals.h    Thu Jan 22 15:52:10 2004
@@ -62,6 +62,7 @@
 extern const pcre *regex_STARTTLS;     /* For recognizing STARTTLS settings */
 extern uschar *tls_advertise_hosts;    /* host for which TLS is advertised */
 extern uschar *tls_certificate;        /* Certificate file */
+extern uschar *tls_crl;                /* CRL File */
 extern uschar *tls_dhparam;            /* DH param file */
 extern BOOL    tls_offered;            /* Server offered TLS */
 extern BOOL    tls_on_connect;         /* For older MTAs that don't STARTTLS */
diff -ur exim4-4.30/src/readconf.c exim4-4.30/src/readconf.c
--- exim4-4.30/src/readconf.c    Mon Dec  1 10:15:41 2003
+++ exim4-4.30/src/readconf.c    Thu Jan 22 15:52:10 2004
@@ -332,6 +332,7 @@
 #ifdef SUPPORT_TLS
   { "tls_advertise_hosts",      opt_stringptr,   &tls_advertise_hosts },
   { "tls_certificate",          opt_stringptr,   &tls_certificate },
+  { "tls_crl",                  opt_stringptr,   &tls_crl },
   { "tls_dhparam",              opt_stringptr,   &tls_dhparam },
   { "tls_privatekey",           opt_stringptr,   &tls_privatekey },
   { "tls_remember_esmtp",       opt_bool,        &tls_remember_esmtp },
Only in exim4-4.30/src: sieve.c.orig
diff -ur exim4-4.30/src/tls-gnu.c exim4-4.30/src/tls-gnu.c
--- exim4-4.30/src/tls-gnu.c    Mon Dec  1 10:15:41 2003
+++ exim4-4.30/src/tls-gnu.c    Thu Jan 22 15:51:24 2004
@@ -203,9 +203,9 @@
 /* Handle the result of verification. */

 if ((verify & GNUTLS_CERT_NOT_TRUSTED) != 0 ||
-    (verify & GNUTLS_CERT_INVALID) != 0 ||
-    (verify & GNUTLS_CERT_CORRUPTED) != 0 ||
-    (verify & GNUTLS_CERT_REVOKED) != 0)
+    (verify & GNUTLS_CERT_INVALID)     != 0 ||
+ // (verify & GNUTLS_CERT_CORRUPTED)   != 0 ||
+    (verify & GNUTLS_CERT_REVOKED)     != 0 )
   {
   tls_certificate_verified = FALSE;
   if (verify_requirement == VERIFY_REQUIRED)
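Review bot: The `// (verify & GNUTLS_CERT_CORRUPTED)` line leaves commented-out code inside the verification condition with no record of why that flag was dropped, and a reader cannot tell whether it was removed on purpose or is simply no longer provided by gnutls 1.0.4. If the symbol is gone from the header, guard the original line with `#ifdef GNUTLS_CERT_CORRUPTED` / `#endif` and add `/* GNUTLS_CERT_CORRUPTED is not defined by every gnutls release */` so the check stays in force on versions that still define it, instead of disabling it everywhere. The `//` comment also presumes C99, which the surrounding code does not otherwise rely on, and the stray space before `)` on the REVOKED line is a formatting nit. The verification routine this condition belongs to starts before the hunk.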
@@ -426,7 +426,7 @@
 tls_init(host_item *host, uschar *certificate, uschar *privatekey, uschar *cas)
 {
 int rc;
-uschar *cert_expanded, *key_expanded, *cas_expanded;
+uschar *cert_expanded, *key_expanded, *cas_expanded, *crl_expanded;

 initialized = (host == NULL)? INITIALIZED_SERVER : INITIALIZED_CLIENT;

@@ -487,6 +487,18 @@
   rc = gnutls_certificate_set_x509_trust_file(x509_cred, CS cas_expanded,
     GNUTLS_X509_FMT_PEM);
   if (rc < 0) return tls_error(US"setup_certs", host, rc);
+
+  /* +CRL support */
+  if ( tls_crl != NULL )
+    {
+    if (!expand_check(tls_crl, US"tls_crl", &crl_expanded))
+      return DEFER;
+    DEBUG(D_tls) debug_printf("Loading CRL file = %s\n", crl_expanded);
+    rc = gnutls_certificate_set_x509_crl_file(x509_cred, CS crl_expanded,
+                                              GNUTLS_X509_FMT_PEM       );
+    if (rc < 0) return tls_error(US"CRL setup", host, rc);
+    }
+  /* -CRL support */
   }
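Review bot: A CRL file that parses to zero CRLs is accepted silently, because only `rc < 0` is treated as failure on the `gnutls_certificate_set_x509_crl_file` call; gnutls documents that return as the number of CRLs processed (negative on error), and if that holds for 1.0.4 a wrong or empty `tls_crl` path quietly leaves revocation checking without any revocation data. Treat the zero count as a setup failure, e.g. `if (rc <= 0) return tls_error(US"CRL setup", host, rc);`, after checking how tls_error renders `rc == 0`, or at least emit a non-debug log line for it. The new block also sits inside the braces that follow the trust-file setup, so the CRL appears to be loaded only when that branch is taken; the enclosing `if` starts before the hunk, and if that reading is right a short comment stating `/* CRLs are only meaningful alongside tls_verify_certificates */` would save the next reader the same question. The `/* +CRL support */` and `/* -CRL support */` markers are patch bookkeeping rather than documentation and should be dropped.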

 /* Associate the parameters with the x509 credentials structure. */
@@ -653,7 +665,7 @@
 /* Now negotiate the TLS session. We put our own timer on it, since it seems
 that the GnuTLS library doesn't. */

-gnutls_transport_set_ptr(tls_session, fileno(smtp_out));
+gnutls_transport_set_ptr(tls_session, (gnutls_transport_ptr)fileno(smtp_out));

 sigalrm_seen = FALSE;
 if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
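Review bot: Casting an `int` file descriptor straight to `gnutls_transport_ptr` produces a cast-to-pointer-from-integer-of-different-size warning on LP64 targets if that typedef is a pointer type, as it is in the gnutls releases I know of; the same cast appears in the following hunk for `fd`. Casting through a pointer-sized integer first, `(gnutls_transport_ptr)(long)fileno(smtp_out)` here and `(gnutls_transport_ptr)(long)fd` in the next hunk, keeps the build warning-free and makes the intent explicit. A one-line comment such as `/* gnutls carries the fd as an opaque pointer; the pull/push callbacks cast it back */` would explain why an integer is being stored in a pointer slot.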
@@ -750,7 +762,7 @@
 if (tls_session == NULL)
   return tls_error(US "tls_session_init", host, GNUTLS_E_MEMORY_ERROR);

-gnutls_transport_set_ptr(tls_session, fd);
+gnutls_transport_set_ptr(tls_session, (gnutls_transport_ptr)fd);

 /* There doesn't seem to be a built-in timeout on connection. */

--