[exim-dev] exim4 patch (fwd)

Author: Philip Hazel
Date:  
To: exim-dev
Subject: [exim-dev] exim4 patch (fwd)

---------- Forwarded message ----------
Date: Wed, 24 Oct 2007 11:29:26 +0300
From: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@???>
To: ph10@???
Subject: exim4 patch

Hello,
I send you a patch to solve the following bug reports.

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=338319
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=390712

This patch also adds support for TLS 1.1 and uses
gnutls_session_enable_compatibility_mode() to counter the first bug (in
mobile phones). The latter function is not yet added in a released gnutls and
will be available in gnutls 2.2, released on the first of november.

The second bug is eliminated by using static DH parameters if the file is not
found.

regards,
Nikos

Common subdirectories: exim-4.68/src/auths and exim-4.68-new/src/auths


Common subdirectories: exim-4.68/src/lookups and exim-4.68-new/src/lookups


Common subdirectories: exim-4.68/src/pcre and exim-4.68-new/src/pcre


Common subdirectories: exim-4.68/src/routers and exim-4.68-new/src/routers


diff -u exim-4.68/src/tls-gnu.c exim-4.68-new/src/tls-gnu.c


--- exim-4.68/src/tls-gnu.c    2007-08-30 17:31:06.000000000 +0300



+++ exim-4.68-new/src/tls-gnu.c    2007-10-24 11:24:22.000000000 +0300



@@ -50,6 +50,7 @@


and space into which it can be copied and altered. */





static const int default_proto_priority[16] = {


+ GNUTLS_TLS1_1,


GNUTLS_TLS1,


GNUTLS_SSL3,


0 };


@@ -93,10 +94,12 @@


} pri_item;








+static int tls1_1_codes[] = { GNUTLS_TLS1_1, 0 };


static int tls1_codes[] = { GNUTLS_TLS1, 0 };


static int ssl3_codes[] = { GNUTLS_SSL3, 0 };





static pri_item proto_index[] = {


+ { US"TLS1.1", tls1_1_codes },


{ US"TLS1", tls1_codes },


{ US"SSL3", ssl3_codes }


};


@@ -118,7 +121,6 @@








static int arcfour_128_codes[] = { GNUTLS_CIPHER_ARCFOUR_128, 0 };


-static int arcfour_40_codes[] = { GNUTLS_CIPHER_ARCFOUR_40, 0 };


 static int arcfour_codes[]     = { GNUTLS_CIPHER_ARCFOUR_128,



                                    GNUTLS_CIPHER_ARCFOUR_40, 0 };



 static int aes_256_codes[]     = { GNUTLS_CIPHER_AES_256_CBC, 0 };
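Review bot: Removing `arcfour_40_codes` here (and its `ARCFOUR_40` entry in the cipher_index hunk at -129 below) does not remove the cipher itself, because GNUTLS_CIPHER_ARCFOUR_40 is still listed in `arcfour_codes` on the following line, so the 40-bit export-strength cipher remains selectable under the `ARCFOUR` name. If the intent is to stop offering that cipher, the entry in `arcfour_codes` should be dropped as well; if the intent is only to stop naming it, a comment saying so would keep the two tables from looking inconsistent. The forwarded message does not mention this removal, and any existing configuration whose cipher list names ARCFOUR_40 will presumably now fail the lookup, which deserves a line in the change notes.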



@@ -129,7 +131,6 @@





static pri_item cipher_index[] = {


{ US"ARCFOUR_128", arcfour_128_codes },


- { US"ARCFOUR_40", arcfour_40_codes },


{ US"ARCFOUR", arcfour_codes },


{ US"AES_256", aes_256_codes },


{ US"AES_128", aes_128_codes },


@@ -279,6 +280,15 @@


 *            Setup up DH parameters              *



*************************************************/





+/* The TLS-SRP-1024 parameters


+ */


+const static char pkcs3[] =


+"-----BEGIN DH PARAMETERS-----\n"


+"MIGGAoGA7q8Kua2zjdacM/gK+o/F6GByYYd1/zwLnqIxTJwlZXbWdN90luqB0zg7\n"


+"SBPWksbg4NXY4lC5i+SOSVwdYIna0V3H17RhVNa2zo70rWmxXUmCVZspe88YhcUp\n"


+"9WZmDlfsaO28PAVybMAv1Mv0l26qmv1ROP6DdkNbn8YdL8DrBuMCAQI=\n"


+"-----END DH PARAMETERS-----\n";


+


/* Generating the D-H parameters may take a long time. They only need to


be re-generated every so often, depending on security policy. What we do is to


keep these parameters in a file in the spool directory. If the file does not
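Review bot: The comment above `const static char pkcs3[]` describes the data as "The TLS-SRP-1024 parameters", but init_dh uses it as the Diffie-Hellman group whenever the spool file cannot be loaded, so the comment should say what the array is for and where the group comes from, e.g. `/* Fixed, published 1024-bit DH group (per the SRP-1024 name) used only when the spool file cannot be loaded; see init_dh. Sites that want their own parameters generate the file with certtool. */`, the certtool hint being otherwise lost with the block removed from init_dh. Because every installation that lacks the file now shares one well-known group instead of a locally generated one, that trade-off belongs in the comment so operators can decide to supply their own parameters. `const static` should also be written in the conventional order `static const`.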


@@ -294,7 +304,6 @@





 Returns:     OK/DEFER/FAIL



*/


-


static int


init_dh(host_item *host)


{


@@ -363,52 +372,10 @@





if (ret < 0)


{


- uschar tempfilename[sizeof(filename) + 10];


-


- DEBUG(D_tls) debug_printf("generating %d bit Diffie-Hellman key...\n",


-    DH_BITS);



- ret = gnutls_dh_params_generate2(dh_params, DH_BITS);


- if (ret < 0) return tls_error(US"D-H key generation", host, ret);


-


- /* Write the parameters to a file in the spool directory so that we


- can use them from other Exim processes. */


-


- sprintf(CS tempfilename, "%s-%d", filename, (int)getpid());


- fd = Uopen(tempfilename, O_WRONLY|O_CREAT, 0400);


- if (fd < 0)


-    return tls_error(string_open_failed(errno, "%s for writing", filename),



-      host, 0);



- (void)fchown(fd, exim_uid, exim_gid); /* Probably not necessary */


-


- /* export the parameters in a format that can be generated using GNUTLS'


- * certtool or other programs.


- *


- * The commands for certtool are:


- * $ certtool --generate-dh-params --bits 1024 > params


- */


-


- m.size = PARAM_SIZE;


- m.data = malloc(m.size);


- if (m.data == NULL)


-    return tls_error(US"memory allocation failed", host, 0);



+ gnutls_datum dparams = { pkcs3, sizeof (pkcs3) };





- m.size = PARAM_SIZE;


- ret = gnutls_dh_params_export_pkcs3(dh_params, GNUTLS_X509_FMT_PEM, m.data,


-    &m.size);



- if (ret < 0) return tls_error(US"DH params export", host, ret);


-


- m.size = Ustrlen(m.data);


- if (write(fd, m.data, m.size) != m.size || write(fd, "\n", 1) != 1)


-    return tls_error(US"TLS cache write failed", host, 0);



-


- free(m.data);


- (void)close(fd);


-


- if (rename(CS tempfilename, CS filename) < 0)


-    return tls_error(string_sprintf("failed to rename %s as %s: %s",



-      tempfilename, filename, strerror(errno)), host, 0);



-


- DEBUG(D_tls) debug_printf("wrote D-H parameters to file %s\n", filename);


+ ret = gnutls_dh_params_import_pkcs3(dh_params, &dparams, GNUTLS_X509_FMT_PEM);


+ if (ret < 0) return tls_error(US"DH params import", host, ret);


}





DEBUG(D_tls) debug_printf("initialized D-H parameters\n");
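Review bot: `gnutls_datum dparams = { pkcs3, sizeof (pkcs3) };` initialises the datum's `data` member from a `const char` array, discarding the qualifier (and mismatching signedness if the member is `unsigned char *`), and `sizeof (pkcs3)` counts the terminating NUL, so the importer is handed one byte beyond the PEM text; `{ (unsigned char *)pkcs3, sizeof(pkcs3) - 1 }` states the length exactly, since whether gnutls_dh_params_import_pkcs3 tolerates the extra byte is not visible here. The removed block was the only visible user of `m`, `fd` and PARAM_SIZE; `m` and `fd` are presumably declared earlier in init_dh, outside the hunk, and will now draw unused-variable warnings. The explanatory comment beginning "Generating the D-H parameters may take a long time" (context in the -279 hunk above) still describes the generate-and-write-to-spool path that this hunk deletes and should be reworded to say the file is only ever read. The fallback is also silent apart from the generic "initialized D-H parameters" message; a dedicated `DEBUG(D_tls) debug_printf("using built-in D-H parameters\n");` inside the branch would let an operator tell the built-in group from a loaded spool file.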


@@ -773,6 +740,8 @@


gnutls_protocol_set_priority(session, proto_priority);


gnutls_mac_set_priority(session, mac_priority);





+gnutls_session_enable_compatibility_mode( session);


+


gnutls_cred_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred);





gnutls_dh_set_prime_bits(session, DH_BITS);
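Review bot: `gnutls_session_enable_compatibility_mode( session);` is called unconditionally, yet the forwarded message says the function exists only in the unreleased gnutls 2.2, so this hunk breaks the build against every released gnutls; it needs a preprocessor check on the gnutls version macro or a configure-time probe. Compatibility mode relaxes protocol checks to accommodate broken peers (the phone clients of the first bug report), and the enclosing function, which starts outside the hunk, appears from the surrounding `gnutls_cred_set` / `gnutls_dh_set_prime_bits` calls to be shared session setup, so the relaxation would apply to outgoing client connections as well as the server side. The call should carry a comment such as `/* Relax strict TLS checks for interoperability with buggy peers; see Debian bug 338319 */` and ideally be driven by an option rather than always on. The stray space in `mode( session)` should also go.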


Only in exim-4.68-new/src/: tls-gnu.c~


Only in exim-4.68-new/src/: tls-gnu.c.orig


Common subdirectories: exim-4.68/src/transports and exim-4.68-new/src/transports