[exim-cvs] cvs commit: exim/exim-doc/doc-txt ChangeLog exim…

Top Page
Delete this message
Reply to this message
Author: Philip Hazel
Date:  
To: exim-cvs
Subject: [exim-cvs] cvs commit: exim/exim-doc/doc-txt ChangeLog exim/exim-src ACKNOWLEDGMENTS exim/exim-src/src tls-gnu.c exim/exim-test/scripts/2000-GnuTLS 2000
ph10 2006/10/16 11:58:40 BST

  Modified files:
    exim-doc/doc-txt     ChangeLog 
    exim-src             ACKNOWLEDGMENTS 
    exim-src/src         tls-gnu.c 
    exim-test/scripts/2000-GnuTLS 2000 
  Log:
  Florian Weimer's patch to remove the unwanted and unused support for
  RSA_EXPORT from the GnuTLS code.


  Revision  Changes    Path
  1.408     +8 -0      exim/exim-doc/doc-txt/ChangeLog
  1.58      +3 -1      exim/exim-src/ACKNOWLEDGMENTS
  1.13      +6 -41     exim/exim-src/src/tls-gnu.c
  1.2       +1 -2      exim/exim-test/scripts/2000-GnuTLS/2000


  Index: ChangeLog
  ===================================================================
  RCS file: /home/cvs/exim/exim-doc/doc-txt/ChangeLog,v
  retrieving revision 1.407
  retrieving revision 1.408
  diff -u -r1.407 -r1.408
  --- ChangeLog    16 Oct 2006 10:37:19 -0000    1.407
  +++ ChangeLog    16 Oct 2006 10:58:39 -0000    1.408
  @@ -1,4 +1,4 @@
  -$Cambridge: exim/exim-doc/doc-txt/ChangeLog,v 1.407 2006/10/16 10:37:19 ph10 Exp $
  +$Cambridge: exim/exim-doc/doc-txt/ChangeLog,v 1.408 2006/10/16 10:58:39 ph10 Exp $


   Change log file for Exim from version 4.21
   -------------------------------------------
  @@ -133,6 +133,14 @@
         came from elsewhere) had *some* tests for NULL when it wrote to *reply,
         but it didn't always do it. This confused somebody who was copying the
         code for some other use. I have removed all the tests.
  +
  +PH/20 It was discovered that the GnuTLS code had support for RSA_EXPORT, a
  +      feature that was used to support insecure browsers during the U.S. crypto
  +      embargo. It requires special client support, and Exim is probably the
  +      only MTA that supported it -- and would never use it because real RSA is
  +      always available. This code has been removed, because it had the bad
  +      effect of slowing Exim down by computing (never used) parameters for the
  +      RSA_EXPORT functionality.



Exim version 4.63

  Index: ACKNOWLEDGMENTS
  ===================================================================
  RCS file: /home/cvs/exim/exim-src/ACKNOWLEDGMENTS,v
  retrieving revision 1.57
  retrieving revision 1.58
  diff -u -r1.57 -r1.58
  --- ACKNOWLEDGMENTS    3 Oct 2006 15:11:22 -0000    1.57
  +++ ACKNOWLEDGMENTS    16 Oct 2006 10:58:40 -0000    1.58
  @@ -1,4 +1,4 @@
  -$Cambridge: exim/exim-src/ACKNOWLEDGMENTS,v 1.57 2006/10/03 15:11:22 ph10 Exp $
  +$Cambridge: exim/exim-src/ACKNOWLEDGMENTS,v 1.58 2006/10/16 10:58:40 ph10 Exp $


EXIM ACKNOWLEDGEMENTS

@@ -20,7 +20,7 @@
Philip Hazel

Lists created: 20 November 2002
-Last updated: 03 October 2006
+Last updated: 16 October 2006


   THE OLD LIST
  @@ -252,6 +252,8 @@
   Norihisa Washitake        Suggested patch for RFC 2047 header decoding
   Chris Webb                Patch for support of an SPF lookup method.
   Florian Weimer            Patch for minor format string issue
  +                          Noticing the unwanted (and time-wasting) GnuTLS
  +                            RSA_EXPORT code, and supplying a patch to remove it
   Joachim Wieland           Patches for PostgreSQL socket support and other
                               PostgreSQL functionality
                             Patch for hosts_avoid_esmtp


  Index: tls-gnu.c
  ===================================================================
  RCS file: /home/cvs/exim/exim-src/src/tls-gnu.c,v
  retrieving revision 1.12
  retrieving revision 1.13
  diff -u -r1.12 -r1.13
  --- tls-gnu.c    14 Feb 2006 14:12:07 -0000    1.12
  +++ tls-gnu.c    16 Oct 2006 10:58:40 -0000    1.13
  @@ -1,4 +1,4 @@
  -/* $Cambridge: exim/exim-src/src/tls-gnu.c,v 1.12 2006/02/14 14:12:07 ph10 Exp $ */
  +/* $Cambridge: exim/exim-src/src/tls-gnu.c,v 1.13 2006/10/16 10:58:40 ph10 Exp $ */


   /*************************************************
   *     Exim - an Internet mail transport agent    *
  @@ -23,7 +23,6 @@


   #define UNKNOWN_NAME "unknown"
   #define DH_BITS      768
  -#define RSA_BITS     512
   #define PARAM_SIZE 2*1024



@@ -37,7 +36,6 @@
static BOOL initialized = INITIALIZED_NOT;
static host_item *client_host;

-static gnutls_rsa_params rsa_params = NULL;
static gnutls_dh_params dh_params = NULL;

   static gnutls_certificate_server_credentials x509_cred = NULL;
  @@ -57,7 +55,6 @@
     GNUTLS_KX_RSA,
     GNUTLS_KX_DHE_DSS,
     GNUTLS_KX_DHE_RSA,
  -  GNUTLS_KX_RSA_EXPORT,
     0 };


static int default_cipher_priority[16] = {
@@ -262,9 +259,6 @@

/* Initialize the data structures for holding the parameters */

-ret = gnutls_rsa_params_init(&rsa_params);
-if (ret < 0) return tls_error(US"init rsa_params", host, ret);
-
ret = gnutls_dh_params_init(&dh_params);
if (ret < 0) return tls_error(US"init dh_params", host, ret);

  @@ -298,20 +292,9 @@
       return tls_error(US"TLS cache read failed", host, 0);
     (void)close(fd);


  -  ret = gnutls_rsa_params_import_pkcs1(rsa_params, &m, GNUTLS_X509_FMT_PEM);
  -
  -  if (ret < 0)
  -    {
  -    DEBUG(D_tls)
  -      debug_printf("RSA params import failed: assume old-style cache file\n");
  -    }
  -  else
  -    {
  -    ret = gnutls_dh_params_import_pkcs3(dh_params, &m, GNUTLS_X509_FMT_PEM);
  -    if (ret < 0)
  -      return tls_error(US"DH params import", host, ret);
  -    DEBUG(D_tls) debug_printf("read RSA and D-H parameters from file\n");
  -    }
  +  ret = gnutls_dh_params_import_pkcs3(dh_params, &m, GNUTLS_X509_FMT_PEM);
  +  if (ret < 0) return tls_error(US"DH params import", host, ret);
  +  DEBUG(D_tls) debug_printf("read RSA and D-H parameters from file\n");


     free(m.data);
     }
  @@ -339,10 +322,6 @@
     {
     uschar tempfilename[sizeof(filename) + 10];


  -  DEBUG(D_tls) debug_printf("generating %d bit RSA key...\n", RSA_BITS);
  -  ret = gnutls_rsa_params_generate2(rsa_params, RSA_BITS);
  -  if (ret < 0) return tls_error(US"RSA key generation", host, ret);
  -
     DEBUG(D_tls) debug_printf("generating %d bit Diffie-Hellman key...\n",
       DH_BITS);
     ret = gnutls_dh_params_generate2(dh_params, DH_BITS);
  @@ -362,9 +341,7 @@
      * certtool or other programs.
      *
      * The commands for certtool are:
  -   * $ certtool --generate-privkey --bits 512 >params
  -   * $ echo "" >>params
  -   * $ certtool --generate-dh-params --bits 1024 >> params
  +   * $ certtool --generate-dh-params --bits 1024 > params
      */


     m.size = PARAM_SIZE;
  @@ -372,16 +349,6 @@
     if (m.data == NULL)
       return tls_error(US"memory allocation failed", host, 0);


  -  ret = gnutls_rsa_params_export_pkcs1(rsa_params, GNUTLS_X509_FMT_PEM,
  -    m.data, &m.size);
  -  if (ret < 0) return tls_error(US"RSA params export", host, ret);
  -
  -  /* Do not write the null termination byte. */
  -
  -  m.size = Ustrlen(m.data);
  -  if (write(fd, m.data, m.size) != m.size || write(fd, "\n", 1) != 1)
  -    return tls_error(US"TLS cache write failed", host, 0);
  -
     m.size = PARAM_SIZE;
     ret = gnutls_dh_params_export_pkcs3(dh_params, GNUTLS_X509_FMT_PEM, m.data,
       &m.size);
  @@ -398,11 +365,10 @@
       return tls_error(string_sprintf("failed to rename %s as %s: %s",
         tempfilename, filename, strerror(errno)), host, 0);


  -  DEBUG(D_tls) debug_printf("wrote RSA and D-H parameters to file %s\n",
  -    filename);
  +  DEBUG(D_tls) debug_printf("wrote D-H parameters to file %s\n", filename);
     }


-DEBUG(D_tls) debug_printf("initialized RSA and D-H parameters\n");
+DEBUG(D_tls) debug_printf("initialized D-H parameters\n");
return OK;
}

@@ -540,7 +506,6 @@
/* Associate the parameters with the x509 credentials structure. */

gnutls_certificate_set_dh_params(x509_cred, dh_params);
-gnutls_certificate_set_rsa_export_params(x509_cred, rsa_params);

DEBUG(D_tls) debug_printf("initialized certificate stuff\n");
return OK;

  Index: 2000
  ===================================================================
  RCS file: /home/cvs/exim/exim-test/scripts/2000-GnuTLS/2000,v
  retrieving revision 1.1
  retrieving revision 1.2
  diff -u -r1.1 -r1.2
  --- 2000    7 Feb 2006 10:54:47 -0000    1.1
  +++ 2000    16 Oct 2006 10:58:40 -0000    1.2
  @@ -3,8 +3,7 @@
   # For this first GnuTLS test, we do not obey "gnutls", so that Exim has to
   # create the GnuTLS paramter data for itself.
   #
  -echo ==> Creating GnuTLS parameter data ... may take some time ... 
  -echo ==> Moving the mouse about may help ...
  +echo ==> Creating GnuTLS parameter data ...
   exim -DSERVER=server -bd -oX PORT_D
   ****
   exim CALLER@???