| Age | Commit message (Collapse) | Author |
|---|
|
Could not find an API for use with OpenSSL, so GnuTLS only
|
|
|
|
|
|
Also, drop fix one place which claimed TLS SNI support was OpenSSL only.
|
|
This reverts commit 83f4c7515f3eb06dc070e78edd2694c1d088e5fd.
This was not a new check! The call to gnutls_dh_set_prime_bits() was
made with DH_BITS in Exim 4.77, so the only difference is that now an
administrator can choose at compile time to change the lower bound.
So keeping this at 1024 is not a regression and if we can't talk to them
now, we couldn't before, and we shouldn't lower security by default.
The reverted commit was only acceptable IF it was still better than what
we had in Exim 4.77.
|
|
Wolfgang Breyha saw a real-world site using 768 bits.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Exim thought protection layer was required, which is not implemented.
Patch from Wolfgang Breyha.
Fixes bug 1254
|
|
Ignore more build side effects
|
|
_ISOC99_SOURCE broke build on Linux (Ubuntu 11.10) because it broke <resolv.h>, <arpa/nameser.h>, etc.
Their u_char and u_int usage relies upon BSD source being enabled too. So use _GNU_SOURCE.
|
|
Done before os.h is pulled in so an OS can override it.
|
|
|
|
|
|
|
|
Note how to test strings, provide examples which distinguish port 25 from other ports.
Carefully used short examples, but allows two different strings per implementation
and demonstrates how the strings are very different.
|
|
|
|
|
|
|
|
Pull in <features.h> on Linux.
Switch readconf log from D_all (bug) to D_tls (though D_any would have
worked).
Modified runtest to handle clamped DH bits and
tls_validate_require_cipher added debug logging.
|
|
gnutls-params bits count no longer necessarily what GnuTLS says to use.
The OpenSSL-vs-GnuTLS text needed some updating.
Catches a ChangeLog addition made during the previous commit, so not picked up by it.
|
|
Janne Snabb tracked down the GnuTLS 2.12 vs NSS (Thunderbird) interop
problems to a hard-coded limit of 2236 bits for DH in NSS while GnuTLS
was suggesting 2432 bits as normal.
Added new global option tls_dh_max_bits to clamp all DH values (client
or server); unexpanded integer. Default value to 2236. Apply to both
GnuTLS and OpenSSL (which requires tls_dh_params for this).
Tired of debugging "SMTP fails TLS" error messages in mailing-lists
caused by OpenSSL library/include clashes, and of finding out I typo'd
in tls_require_ciphers only at the STARTTLS handshake. During readconf,
fork/drop-privs/initialise-TLS-library. In that, if tls_require_ciphers
is set, then validate it.
The validation child will panic if it can't initialise or if
tls_require_ciphers can't be parsed, else it exits 0. If the child
exits anything other than 0, the main Exim process will exit.
|
|
|
|
WANT_DEEPER_PRINTF_CHECKS guards ALMOST_PRINTF being PRINTF_FUNCTION.
Fix some actual issues exposed when I cut down on the spam.
|
|
|
|
Only crash-plausible issue would require the Cambridge-specific
iplookup router and a misconfiguration.
Report from Marcin Mirosław
|
|
Base text from Wolfgang Breyha.
I went over it as someone new to it, to make some obvious-to-experts-but-not-me fixes.
|
|
(stack memory referenced, read-only, out of scope).
Patch from Wolfgang Breyha, report from Stuart Northfield.
|
|
Patch from Janne Snabb.
|
|
|
|
|
|
Updated all files modified in 2012 which contained a copyright year
already, unless the range was specified as open-ended.
vi $(git whatchanged --since=2012-01-01 | grep '^:100' | sed 's/^[^M]*M//' | sort -u | fgrep -v test/)
|
|
|
|
gnutls_sec_param_to_pk_bits() and gnutls_rnd() are both new as of
GnuTLS 2.12.x. Guard their usage on 2.12.0+ at compile time.
In older versions, the vaguely_random_number() function just immediately
calls the fallback, so it's the same as before this change (just one
extra indirection in the code-path).
Define a constant of 1024 for dh-bits for use in those old releases
where GnuTLS won't tell us how many we should use.
Change the on-disk filename for generated D-H params again, replacing
the -normal with -<bitcount>, so that it's 1024 or whatever, and as
the value changes, Exim will automatically start using the new value.
|
|
|
|
|
|
GnuTLS code re-done, using cut&paste for preservation where appropriate.
Stop using deprecated APIs. Stop hard-coding lists of ciphers.
Use gnutls_priority_init() instead.
Turns tls_require_ciphers into a string in the GnuTLS case, not just
OpenSSL case.
Deprecate three gnutls_require_* options; now ignored but not errors.
(No warnings yet).
Added TLS SNI support.
Made the channel binding integration theoretically actually work. I had
it guarded by an #ifdef but the value used was an enum instead. Oops.
Fixed.
New code much more amenable to future work permitting TLS in callouts.
DH param sizes now chosen by GnuTLS maintainers, we use "normal"; that's
suddenly a lot more bits, so the saved filename was changed too.
(GNUTLS_SEC_PARAM_NORMAL).
DH param setup only done for servers now, since clients don't need/use
it.
GnuTLS a lot more robust to library negotiation using stuff we don't
support, error-ing out quickly for other authentication systems (PGP,
etc).
Renamed pseudo_random_number() to vaguely_random_number() which makes
the nature clearer.
GnuTLS now provides a vaguely_random_number() implementation, to match
OpenSSL.
Pull in <inttypes.h> to make the recent arithmetic changes compile on
MacOS.
Nuke test 2011 which related to the gnutls_require_* options now
non-functional.
|
|
|
|
Was not sending trailing dot.
Added test case to catch this.
fixes bug 1246.
|
|
Remove a couple of stray references to PCRE_CFLAGS too (dating from when PCRE was bundled).
|
|
|
|
OpenSSL only.
|
|
Some discussion at http://bugs.exim.org/show_bug.cgi?id=817
Refer readers to Dan Bernstein's analysis of the issues.
Consensus seen from maintainers is that DJB is right on this point.
|
|
Also added gdb support.
This leaves us with a printf warning. We accept that as the cost of using PRINTF_FORMAT for strings that aren't libc formats.
|
|
|
