author Phil Pennock <pdp@exim.org> 2012-05-27 09:14:39 -0400
committer Phil Pennock <pdp@exim.org> 2012-05-27 09:14:39 -0400
commit a799883d8ad340d935db4d729a31c02cb8a1d977
tree 3ceb2a5d711c3430aba48a47cfed59c73d6ddda9 /doc
parent cae6e576b589efbe9e22cd65e5f890b21ce84f02
For DH, use standard primes from RFCs
Diffstat (limited to 'doc')
-rw-r--r-- doc/doc-docbook/spec.xfpt 68
-rw-r--r-- doc/doc-txt/ChangeLog 5
-rw-r--r-- doc/doc-txt/GnuTLS-FAQ.txt 16
-rw-r--r-- doc/doc-txt/NewStuff 6
4 files changed, 76 insertions, 19 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 9c2bf199f..beb0522be 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -15706,14 +15706,43 @@ larger prime than requested.
.option tls_dhparam main string&!! unset
.cindex "TLS" "D-H parameters for server"
-The value of this option is expanded, and must then be the absolute path to
-a file which contains the server's DH parameter values.
-This is used only for OpenSSL. When Exim is linked with GnuTLS, this option is
-ignored. See section &<<SECTopenvsgnu>>& for further details.
-
.new
-If the DH bit-count from loading the file is greater than &%tls_dh_max_bits$&
-then it will be ignored.
+The value of this option is expanded and indicates the source of DH parameters
+to be used by Exim.
+
+If it is a filename starting with a &`/`&, then it names a file from which DH
+parameters should be loaded. If the file exists, it should hold a PEM-encoded
+PKCS#3 representation of the DH prime. If the file does not exist, for
+OpenSSL it is an error. For GnuTLS, Exim will attempt to create the file and
+fill it with a generated DH prime. For OpenSSL, if the DH bit-count from
+loading the file is greater than &%tls_dh_max_bits$& then it will be ignored,
+and treated as though the &%tls_dhparam%& were set to "none".
+
+If this option expands to the string "none", then no DH parameters will be
+loaded by Exim.
+
+If this option expands to the string "historic" and Exim is using GnuTLS, then
+Exim will attempt to load a file from inside the spool directory. If the file
+does not exist, Exim will attempt to create it.
+See section &<<SECTgnutlsparam>>& for further details.
+
+If Exim is using OpenSSL and this option is empty or unset, then Exim will load
+a default DH prime; the default is the 2048 bit prime described in section
+2.2 of RFC 5114, "2048-bit MODP Group with 224-bit Prime Order Subgroup", which
+in IKE is assigned number 23.
+
+Otherwise, the option must expand to the name used by Exim for any of a number
+of DH primes specified in RFC 2409, RFC 3526 and RFC 5114. As names, Exim uses
+"ike" followed by the number used by IKE, of "default" which corresponds to
+"ike23".
+
+The available primes are:
+&`ike1`&, &`ike2`&, &`ike5`&,
+&`ike14`&, &`ike15`&, &`ike16`&, &`ike17`&, &`ike18`&,
+&`ike22`&, &`ike23`& (aka &`default`&) and &`ike24`&.
+
+Some of these will be too small to be accepted by clients.
+Some may be too large to be accepted by clients.
.wen
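Review bot: In the added paragraph on prime names, the phrase "followed by the number used by IKE, of" should read "or" before the "default" alias. In the same block, &%tls_dh_max_bits$& closes with $& while &%tls_dhparam%& on the following line closes with %&; the closing markup should match. The entry states what an empty or unset value does only for OpenSSL, so it should also say what unset means under GnuTLS. The two closing sentences about primes being too small or too large for clients would be more useful if they named which of the listed identifiers are meant.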
@@ -25000,12 +25029,8 @@ There are some differences in usage when using GnuTLS instead of OpenSSL:
The &%tls_verify_certificates%& option must contain the name of a file, not the
name of a directory (for OpenSSL it can be either).
.next
-The &%tls_dhparam%& option is ignored, because early versions of GnuTLS had no
-facility for varying its Diffie-Hellman parameters.
.new
-Since then, the GnuTLS support has been updated to generate parameters upon
-demand, keeping them in the spool directory. See &<<SECTgnutlsparam>>& for
-details.
+The default value for &%tls_dhparam%& differs for historical reasons.
.wen
.next
.vindex "&$tls_peerdn$&"
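Review bot: The replacement sentence "The default value for &%tls_dhparam%& differs for historical reasons." does not say what the GnuTLS default actually is, and the cross-reference to &<<SECTgnutlsparam>>& that the removed text carried is dropped from this list item. Suggest naming the default value here and keeping the cross-reference, so the list of OpenSSL/GnuTLS differences stays self-explanatory.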
@@ -25284,13 +25309,24 @@ this). There is one other option that may be needed in other situations. If
tls_dhparam = /some/file/name
.endd
is set, the SSL library is initialized for the use of Diffie-Hellman ciphers
-with the parameters contained in the file. This increases the set of cipher
-suites that the server supports. See the command
+with the parameters contained in the file.
+.new
+Set this to &`none`& to disable use of DH entirely, by making no prime
+available:
+.code
+tls_dhparam = none
+.endd
+This may also be set to a string identifying a standard prime to be used for
+DH; if it is set to &`default`& or, for OpenSSL, is unset, then the prime
+used is &`ike23`&. There are a few standard primes available, see the
+documetnation for &%tls_dhparam%& for the complete list.
+
+See the command
.code
openssl dhparam
.endd
-for a way of generating this data. At present, &%tls_dhparam%& is used only
-when Exim is linked with OpenSSL. It is ignored if GnuTLS is being used.
+for a way of generating file data.
+.wen
The strings supplied for these three options are expanded every time a client
host connects. It is therefore possible to use different certificates and keys
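Review bot: Typo in the added text: "documetnation" should be "documentation" in the sentence pointing to &%tls_dhparam%& for the complete list. Also, "for a way of generating file data" now follows the paragraphs on &`none`& and the standard primes, so it is no longer clear which file is meant; wording such as "for a way of generating a DH parameter file" would tie it back to the /some/file/name form shown at the top of the hunk.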
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index e7b807e3c..4f8154c7e 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -158,6 +158,11 @@ PP/37 Unbreak Cyrus SASL auth: SSF retrieval was incorrect, Exim thought
protection layer was required, which is not implemented.
Bugzilla 1254, patch from Wolfgang Breyha.
+PP/38 Overhaul DH prime handling, supply RFC-specified DH primes as built
+ into Exim, default to IKE id 23 from RFC 5114 (2048 bit). Make
+ tls_dhparam take prime identifiers. Also unbreak combination of
+ OpenSSL+DH_params+TLSSNI.
+
Exim version 4.77
-----------------
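Review bot: PP/38 ends with "Also unbreak combination of OpenSSL+DH_params+TLSSNI", which is a bug fix rather than part of the prime-handling overhaul; a separate ChangeLog entry would make it easier to find later. The entry also does not mention the new "none" and "historic" values that the spec.xfpt and NewStuff text in this patch describe, and "historic" is the one existing GnuTLS users would most need to know about.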
diff --git a/doc/doc-txt/GnuTLS-FAQ.txt b/doc/doc-txt/GnuTLS-FAQ.txt
index 4339becac..8d5887bac 100644
--- a/doc/doc-txt/GnuTLS-FAQ.txt
+++ b/doc/doc-txt/GnuTLS-FAQ.txt
@@ -143,6 +143,10 @@ connections.
(6): What's the deal with tls_dh_max_bits? What's DH?
------------------------------------------------------
+You can avoid all of the tls_dh_max_bits issues if you leave "tls_dhparam"
+unset, so that you get one of the standard built-in primes used for DH.
+
+
DH, Diffie-Hellman (or Diffie-Hellman-Merkle, or something naming Williamson)
is the common name for a way for two parties to a communication stream to
exchange some private random data so that both end up with a shared secret
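Review bot: The added advice to leave "tls_dhparam" unset sits in the GnuTLS FAQ, but the spec.xfpt text in this same patch gives the ike23 default on unset only for OpenSSL ("or, for OpenSSL, is unset") and says the GnuTLS default "differs for historical reasons". As written the two documents disagree about what a GnuTLS build does when the option is unset. Either this FAQ paragraph should tell readers to set an explicit identifier, or the spec.xfpt wording should be brought into line with it.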
@@ -258,9 +262,15 @@ Ideally, the first line will read "PKCS#3 DH Parameters: (2236 bit)". If the
count is more than 2236, then remove the file and let Exim regenerate it, or
generate one yourself and move it into place. Ideally use "openssl dhparam"
to generate it, and then wait a very long time; at least this way, the size
-will be correct. (This developer is now convinced that Exim 4.81 should
-bundle the suggested primes from a few RFCs and let the administrator choose
-those.)
+will be correct.
+
+The use of "hope" as a strategy was felt to be unacceptable as a default, so
+late in the RC series for 4.80, the whole issue was side-stepped. The primes
+used for DH are publicly revealed; moreover, there are selection criteria for
+what makes a "good" DH prime. As it happens, there are *standard* primes
+which can be used, and are specified to be used for certain protocols. So
+these primes were built into Exim, and by default exim now uses a 2048 bit
+prime from section 2.2 of RFC 5114.
A TLS client does not get to choose the DH prime used, but can choose a
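Review bot: The new paragraph says the issue was side-stepped and a built-in 2048 bit prime is the default, but the text just above it still tells the reader to check the bit count of the parameter file and regenerate it. Suggest adding a sentence saying that the file advice now applies only when tls_dhparam is a path or "historic". In the last added sentence, "exim" should be capitalised as "Exim", matching the rest of the paragraph.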
diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff
index 59994448f..0c3fccb74 100644
--- a/doc/doc-txt/NewStuff
+++ b/doc/doc-txt/NewStuff
@@ -100,6 +100,12 @@ Version 4.80
hard-coded limit of DH ephemeral bits, to fix interop problems caused by
GnuTLS 2.12 library recommending a bit count higher than NSS supports.
+16. tls_dhparam now used by both OpenSSL and GnuTLS, can be path or identifier.
+ Option can now be a path or an identifier for a standard prime.
+ If unset, we use the DH prime from section 2.2 of RFC 5114, "ike23".
+ Set to "historic" to get the old GnuTLS behaviour of auto-generated DH
+ primes.
+
Version 4.77
------------
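Review bot: The first two lines of item 16 repeat each other ("can be path or identifier." followed by "Option can now be a path or an identifier for a standard prime."); one of them can go. "If unset, we use the DH prime from section 2.2 of RFC 5114" is unqualified here, while spec.xfpt in this patch limits that default to OpenSSL, so the two should agree. The "none" value, which the spec.xfpt hunks document as the way to disable DH, is not listed in this item.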