| Age | Commit message (Collapse) | Author |
|---|
|
Base text from Wolfgang Breyha.
I went over it as someone new to it, to make some obvious-to-experts-but-not-me fixes.
|
|
De-initialised "type" var in stack declaration, so a repeat of this mistake
would lead to an uninitialized variable usage warning which would have blocked
the previous incorrect fix from being committed.
|
|
(stack memory referenced, read-only, out of scope).
Patch from Wolfgang Breyha, report from Stuart Northfield.
|
|
Patch from Janne Snabb.
|
|
Fixed assumption that tls_certificate non-NULL in server when TLS
advertised.
Weakened an !S_ISREG() to an S_ISDIR() to keep the test-suite happy.
Using:
do { rc = gnutls_handshake(state->session);
} while ((rc == GNUTLS_E_AGAIN) || (rc == GNUTLS_E_INTERRUPTED));
is contra-indicated when you expect SIGALRM to be able to break you out
of the loop. A little _too_ robust there. Switching last part to:
(rc == GNUTLS_E_INTERRUPTED && !sigalrm_seen)
is rather more productive.
Only test not passing is 2025, which makes major assumptions about
cipher suites and needs to be revisited to see what it's trying to
achieve. We fail the test because we successfully deliver the message
without expected errors, because other ciphersuites are available, since
we're no longer limited to a *very* short list embedded in the Exim
code. That sort of failure I can live with.
|
|
|
|
A couple more cert1/2 strings updated, plus some disambiguating rhubarb.
|
|
|
|
|
|
|
|
Some tests had not been updated for the new cert because they were missing an X= log-line.
Updated those tests now.
|
|
Decided "unknown (reason)" in tls_peerdn was wrong, stripped that, added
replacement guard.
Moved cipherbuf construction to where it makes more sense, where peerdn
is extracted, so that setting the exim vars gets back closer to just
some pointer switching.
Fix missing failure check after handshake in client.
Fix tls.c tls_ungetc() and friends by pointing watermark vars at state
content.
Regenerated test-suite D-H params so we don't have too small values,
which was causing connection rejections.
Test-suite output where new test cert info is logged (there will be a
couple more, when I fix a lingering problem with tls_peerdn being unset
in client log-lines).
Give test-suite client command some --help.
|
|
Mostly care about EXIM_GNUTLS_LIBRARY_LOG_LEVEL for debugging.
If someone screams that we kept the default dh-bits at 1024 for old GnuTLS,
we can point them at EXIM_SERVER_DH_BITS_PRE2_12. The name itself will
tell them to shut up and update their library if they care about security. :)
|
|
Updated all files modified in 2012 which contained a copyright year
already, unless the range was specified as open-ended.
vi $(git whatchanged --since=2012-01-01 | grep '^:100' | sed 's/^[^M]*M//' | sort -u | fgrep -v test/)
|
|
|
|
|
|
Fix test-suite certs to not use MD5.
Document that we do not support MD5 certs any longer.
Make test-suite generate probably-correct gnutls-params filename for us.
|
|
Normalise TLSv1.2 to TLSv1.
Normalise AES256-GCM-SHA384 to AES256-SHA.
Make some test configs accept AES256-GCM-SHA384 in "encrypted =" ACLs.
Have test suite print final test id during abort, make it easier to track down.
|
|
Registering a cert/key in an x509 credentials *adds* them, and there's
no way to remove them, so we need a shiny new x509_cred each time the
key/cert change.
Since we avoid re-expanding unless tls_sni appears in tls_certificate,
we've mostly avoided the expense unless SNI is in use, and the extra
loading should be minimal, as everything should be in buffer/cache from
a few microseconds beforehand.
This code tested with GnuTLS and OpenSSL clients, without TLS
extensions, with servername, and verifying we do now get the correct
cert.
|
|
Failed to notice my test config on the GnuTLS box did nothing with SNI.
Fixed segfault. Better diagnostics.
Still not actually changing key/cert, need to investigate further
|
|
gnutls_sec_param_to_pk_bits() and gnutls_rnd() are both new as of
GnuTLS 2.12.x. Guard their usage on 2.12.0+ at compile time.
In older versions, the vaguely_random_number() function just immediately
calls the fallback, so it's the same as before this change (just one
extra indirection in the code-path).
Define a constant of 1024 for dh-bits for use in those old releases
where GnuTLS won't tell us how many we should use.
Change the on-disk filename for generated D-H params again, replacing
the -normal with -<bitcount>, so that it's 1024 or whatever, and as
the value changes, Exim will automatically start using the new value.
|
|
|
|
|
|
GnuTLS code re-done, using cut&paste for preservation where appropriate.
Stop using deprecated APIs. Stop hard-coding lists of ciphers.
Use gnutls_priority_init() instead.
Turns tls_require_ciphers into a string in the GnuTLS case, not just
OpenSSL case.
Deprecate three gnutls_require_* options; now ignored but not errors.
(No warnings yet).
Added TLS SNI support.
Made the channel binding integration theoretically actually work. I had
it guarded by an #ifdef but the value used was an enum instead. Oops.
Fixed.
New code much more amenable to future work permitting TLS in callouts.
DH param sizes now chosen by GnuTLS maintainers, we use "normal"; that's
suddenly a lot more bits, so the saved filename was changed too.
(GNUTLS_SEC_PARAM_NORMAL).
DH param setup only done for servers now, since clients don't need/use
it.
GnuTLS a lot more robust to library negotiation using stuff we don't
support, error-ing out quickly for other authentication systems (PGP,
etc).
Renamed pseudo_random_number() to vaguely_random_number() which makes
the nature clearer.
GnuTLS now provides a vaguely_random_number() implementation, to match
OpenSSL.
Pull in <inttypes.h> to make the recent arithmetic changes compile on
MacOS.
Nuke test 2011 which related to the gnutls_require_* options now
non-functional.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Was not sending trailing dot.
Added test case to catch this.
fixes bug 1246.
|
|
Remove a couple of stray references to PCRE_CFLAGS too (dating from when PCRE was bundled).
|
|
|
|
|
|
Also add Retry command to more runtest testcase-fail possibilities.
|
|
|
|
|
|
|
|
|
|
OpenSSL only.
|
|
|
|
Some discussion at http://bugs.exim.org/show_bug.cgi?id=817
Refer readers to Dan Bernstein's analysis of the issues.
Consensus seen from maintainers is that DJB is right on this point.
|
|
Also added gdb support.
This leaves us with a printf warning. We accept that as the cost of using PRINTF_FORMAT for strings that aren't libc formats.
|
|
rule.
Fixes case 1003 for me (having a trailing ::).
|
|
Solaris needs -lresolv, ie $(LIBRESOLV), for anything referencing DNS.
I added _res stuff to os.c.
os.c is used by multiple tools, but of those only Exim needs the DNS functionality.
So used a !defined(COMPILE_UTILITY) guard.
|
|
|
|
|
|
|
|
Having looked further at the ratelimit code, the new output looks reasonable. The obscure
values of "19" derive from testing "per-byte", being the size of the test message.
|
