---------- Forwarded message ----------
Date: Wed, 24 Oct 2007 11:29:26 +0300
From: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@???>
To: ph10@???
Subject: exim4 patch
Hello,
I send you a patch to solve the following bug reports.
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=338319
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=390712
This patch also adds support for TLS 1.1 and uses
gnutls_session_enable_compatibility_mode() to counter the first bug (in
mobile phones). The latter function is not yet added in a released gnutls and
will be available in gnutls 2.2, released on the first of november.
The second bug is eliminated by using static DH parameters if the file is not
found.
regards,
NikosCommon subdirectories: exim-4.68/src/auths and exim-4.68-new/src/auths
Common subdirectories: exim-4.68/src/lookups and exim-4.68-new/src/lookups
Common subdirectories: exim-4.68/src/pcre and exim-4.68-new/src/pcre
Common subdirectories: exim-4.68/src/routers and exim-4.68-new/src/routers
diff -u exim-4.68/src/tls-gnu.c exim-4.68-new/src/tls-gnu.c
--- exim-4.68/src/tls-gnu.c 2007-08-30 17:31:06.000000000 +0300
+++ exim-4.68-new/src/tls-gnu.c 2007-10-24 11:24:22.000000000 +0300
@@ -50,6 +50,7 @@
and space into which it can be copied and altered. */
static const int default_proto_priority[16] = {
+ GNUTLS_TLS1_1,
GNUTLS_TLS1,
GNUTLS_SSL3,
0 };
@@ -93,10 +94,12 @@
} pri_item;
+static int tls1_1_codes[] = { GNUTLS_TLS1_1, 0 };
static int tls1_codes[] = { GNUTLS_TLS1, 0 };
static int ssl3_codes[] = { GNUTLS_SSL3, 0 };
static pri_item proto_index[] = {
+ { US"TLS1.1", tls1_1_codes },
{ US"TLS1", tls1_codes },
{ US"SSL3", ssl3_codes }
};
@@ -118,7 +121,6 @@
static int arcfour_128_codes[] = { GNUTLS_CIPHER_ARCFOUR_128, 0 };
-static int arcfour_40_codes[] = { GNUTLS_CIPHER_ARCFOUR_40, 0 };
static int arcfour_codes[] = { GNUTLS_CIPHER_ARCFOUR_128,
GNUTLS_CIPHER_ARCFOUR_40, 0 };
static int aes_256_codes[] = { GNUTLS_CIPHER_AES_256_CBC, 0 };
@@ -129,7 +131,6 @@
static pri_item cipher_index[] = {
{ US"ARCFOUR_128", arcfour_128_codes },
- { US"ARCFOUR_40", arcfour_40_codes },
{ US"ARCFOUR", arcfour_codes },
{ US"AES_256", aes_256_codes },
{ US"AES_128", aes_128_codes },
@@ -279,6 +280,15 @@
* Setup up DH parameters *
*************************************************/
+/* The TLS-SRP-1024 parameters
+ */
+const static char pkcs3[] =
+"-----BEGIN DH PARAMETERS-----\n"
+"MIGGAoGA7q8Kua2zjdacM/gK+o/F6GByYYd1/zwLnqIxTJwlZXbWdN90luqB0zg7\n"
+"SBPWksbg4NXY4lC5i+SOSVwdYIna0V3H17RhVNa2zo70rWmxXUmCVZspe88YhcUp\n"
+"9WZmDlfsaO28PAVybMAv1Mv0l26qmv1ROP6DdkNbn8YdL8DrBuMCAQI=\n"
+"-----END DH PARAMETERS-----\n";
+
/* Generating the D-H parameters may take a long time. They only need to
be re-generated every so often, depending on security policy. What we do is to
keep these parameters in a file in the spool directory. If the file does not
@@ -294,7 +304,6 @@
Returns: OK/DEFER/FAIL
*/
-
static int
init_dh(host_item *host)
{
@@ -363,52 +372,10 @@
if (ret < 0)
{
- uschar tempfilename[sizeof(filename) + 10];
-
- DEBUG(D_tls) debug_printf("generating %d bit Diffie-Hellman key...\n",
- DH_BITS);
- ret = gnutls_dh_params_generate2(dh_params, DH_BITS);
- if (ret < 0) return tls_error(US"D-H key generation", host, ret);
-
- /* Write the parameters to a file in the spool directory so that we
- can use them from other Exim processes. */
-
- sprintf(CS tempfilename, "%s-%d", filename, (int)getpid());
- fd = Uopen(tempfilename, O_WRONLY|O_CREAT, 0400);
- if (fd < 0)
- return tls_error(string_open_failed(errno, "%s for writing", filename),
- host, 0);
- (void)fchown(fd, exim_uid, exim_gid); /* Probably not necessary */
-
- /* export the parameters in a format that can be generated using GNUTLS'
- * certtool or other programs.
- *
- * The commands for certtool are:
- * $ certtool --generate-dh-params --bits 1024 > params
- */
-
- m.size = PARAM_SIZE;
- m.data = malloc(m.size);
- if (m.data == NULL)
- return tls_error(US"memory allocation failed", host, 0);
+ gnutls_datum dparams = { pkcs3, sizeof (pkcs3) };
- m.size = PARAM_SIZE;
- ret = gnutls_dh_params_export_pkcs3(dh_params, GNUTLS_X509_FMT_PEM, m.data,
- &m.size);
- if (ret < 0) return tls_error(US"DH params export", host, ret);
-
- m.size = Ustrlen(m.data);
- if (write(fd, m.data, m.size) != m.size || write(fd, "\n", 1) != 1)
- return tls_error(US"TLS cache write failed", host, 0);
-
- free(m.data);
- (void)close(fd);
-
- if (rename(CS tempfilename, CS filename) < 0)
- return tls_error(string_sprintf("failed to rename %s as %s: %s",
- tempfilename, filename, strerror(errno)), host, 0);
-
- DEBUG(D_tls) debug_printf("wrote D-H parameters to file %s\n", filename);
+ ret = gnutls_dh_params_import_pkcs3(dh_params, &dparams, GNUTLS_X509_FMT_PEM);
+ if (ret < 0) return tls_error(US"DH params import", host, ret);
}
DEBUG(D_tls) debug_printf("initialized D-H parameters\n");
@@ -773,6 +740,8 @@
gnutls_protocol_set_priority(session, proto_priority);
gnutls_mac_set_priority(session, mac_priority);
+gnutls_session_enable_compatibility_mode( session);
+
gnutls_cred_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred);
gnutls_dh_set_prime_bits(session, DH_BITS);
Only in exim-4.68-new/src/: tls-gnu.c~
Only in exim-4.68-new/src/: tls-gnu.c.orig
Common subdirectories: exim-4.68/src/transports and exim-4.68-new/src/transports
