| Age | Commit message (Collapse) | Author |
|---|
|
WANT_DEEPER_PRINTF_CHECKS guards ALMOST_PRINTF being PRINTF_FUNCTION.
Fix some actual issues exposed when I cut down on the spam.
|
|
|
|
Only crash-plausible issue would require the Cambridge-specific
iplookup router and a misconfiguration.
Report from Marcin Mirosław
|
|
Base text from Wolfgang Breyha.
I went over it as someone new to it, to make some obvious-to-experts-but-not-me fixes.
|
|
(stack memory referenced, read-only, out of scope).
Patch from Wolfgang Breyha, report from Stuart Northfield.
|
|
Patch from Janne Snabb.
|
|
|
|
|
|
Updated all files modified in 2012 which contained a copyright year
already, unless the range was specified as open-ended.
vi $(git whatchanged --since=2012-01-01 | grep '^:100' | sed 's/^[^M]*M//' | sort -u | fgrep -v test/)
|
|
|
|
gnutls_sec_param_to_pk_bits() and gnutls_rnd() are both new as of
GnuTLS 2.12.x. Guard their usage on 2.12.0+ at compile time.
In older versions, the vaguely_random_number() function just immediately
calls the fallback, so it's the same as before this change (just one
extra indirection in the code-path).
Define a constant of 1024 for dh-bits for use in those old releases
where GnuTLS won't tell us how many we should use.
Change the on-disk filename for generated D-H params again, replacing
the -normal with -<bitcount>, so that it's 1024 or whatever, and as
the value changes, Exim will automatically start using the new value.
|
|
|
|
|
|
GnuTLS code re-done, using cut&paste for preservation where appropriate.
Stop using deprecated APIs. Stop hard-coding lists of ciphers.
Use gnutls_priority_init() instead.
Turns tls_require_ciphers into a string in the GnuTLS case, not just
OpenSSL case.
Deprecate three gnutls_require_* options; now ignored but not errors.
(No warnings yet).
Added TLS SNI support.
Made the channel binding integration theoretically actually work. I had
it guarded by an #ifdef but the value used was an enum instead. Oops.
Fixed.
New code much more amenable to future work permitting TLS in callouts.
DH param sizes now chosen by GnuTLS maintainers, we use "normal"; that's
suddenly a lot more bits, so the saved filename was changed too.
(GNUTLS_SEC_PARAM_NORMAL).
DH param setup only done for servers now, since clients don't need/use
it.
GnuTLS a lot more robust to library negotiation using stuff we don't
support, error-ing out quickly for other authentication systems (PGP,
etc).
Renamed pseudo_random_number() to vaguely_random_number() which makes
the nature clearer.
GnuTLS now provides a vaguely_random_number() implementation, to match
OpenSSL.
Pull in <inttypes.h> to make the recent arithmetic changes compile on
MacOS.
Nuke test 2011 which related to the gnutls_require_* options now
non-functional.
|
|
|
|
Was not sending trailing dot.
Added test case to catch this.
fixes bug 1246.
|
|
Remove a couple of stray references to PCRE_CFLAGS too (dating from when PCRE was bundled).
|
|
|
|
OpenSSL only.
|
|
Some discussion at http://bugs.exim.org/show_bug.cgi?id=817
Refer readers to Dan Bernstein's analysis of the issues.
Consensus seen from maintainers is that DJB is right on this point.
|
|
Also added gdb support.
This leaves us with a printf warning. We accept that as the cost of using PRINTF_FORMAT for strings that aren't libc formats.
|
|
|
|
Avoids NULL dereference.
Report and patch from Alun Jones.
Also a couple of SIZE_T_FMT sizeof() printf string fixes while I was in there.
fixes bug 1122
|
|
|
|
|
|
|
|
|
|
Had repeated .ilist instead of .next in the openssl_options value list.
Old sdop: segfault. New sdop: memory exhaustion.
Oops!
|
|
tls_sni as SMTP transport option.
Use correct storage pool for copying tls_sni, so survives for life of process.
Add +tls_sni log-selector, for inbound tls_sni.
Update exipick to handle -tls_sni in spool files.
Also reset tls_bits at start of outbound connection (was missing).
|
|
|
|
Drop SSL_clear() after SSL_new() which causes protocol negotiation failures for TLS1.0 vs TLS1.1/1.2 in OpenSSL 1.0.1b.
Remove SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS (+dont_insert_empty_fragments) from default of openssl_options.
|
|
Report and patch from Dmitry Banschikov.
|
|
|
|
|
|
Support TLS 1.1 & 1.2
New "openssl_options" values (all now documented).
Set SSL_MODE_AUTO_RETRY so that OpenSSL will retry a read or write after
TLS renegotiation, which otherwise led to messages "Got SSL error 2".
|
|
|
|
Bug report from Lars Müller <lars@samba.org> (via SUSE),
Patch from Dirk Mueller <dmueller@suse.com>
|
|
Analysis, diagnosis and variant patch by Todd Lyons.
|
|
Also maildir_use_size_file is now expanded
|
|
String expansion, draw more attention to † marking.
Document the order in which parameters are supplied to relative comparators.
|
|
Point 1 for 4.78 said gsasl could *not* be used to replace cyrus.
This was obsoleted by point 5.
Remove claim from point 1, add additional note to point 5.
|
|
|
|
Saw this happening with Apple Mail; accept it, dup the GSS Display Name
|
|
|
|
http://bugs.exim.org/attachment.cgi?id=547&action=edit
fixes bug: 1214
Patch by Jeremy Harris
|
|
|
|
|
|
|
|
|
|
|
