RSA_EXPORT from the GnuTLS code.
-$Cambridge: exim/doc/doc-txt/ChangeLog,v 1.407 2006/10/16 10:37:19 ph10 Exp $
+$Cambridge: exim/doc/doc-txt/ChangeLog,v 1.408 2006/10/16 10:58:39 ph10 Exp $
Change log file for Exim from version 4.21
-------------------------------------------
Change log file for Exim from version 4.21
-------------------------------------------
but it didn't always do it. This confused somebody who was copying the
code for some other use. I have removed all the tests.
but it didn't always do it. This confused somebody who was copying the
code for some other use. I have removed all the tests.
+PH/20 It was discovered that the GnuTLS code had support for RSA_EXPORT, a
+ feature that was used to support insecure browsers during the U.S. crypto
+ embargo. It requires special client support, and Exim is probably the
+ only MTA that supported it -- and would never use it because real RSA is
+ always available. This code has been removed, because it had the bad
+ effect of slowing Exim down by computing (never used) parameters for the
+ RSA_EXPORT functionality.
+
Exim version 4.63
-----------------
Exim version 4.63
-----------------
-$Cambridge: exim/src/ACKNOWLEDGMENTS,v 1.57 2006/10/03 15:11:22 ph10 Exp $
+$Cambridge: exim/src/ACKNOWLEDGMENTS,v 1.58 2006/10/16 10:58:40 ph10 Exp $
Philip Hazel
Lists created: 20 November 2002
Philip Hazel
Lists created: 20 November 2002
-Last updated: 03 October 2006
+Last updated: 16 October 2006
Norihisa Washitake Suggested patch for RFC 2047 header decoding
Chris Webb Patch for support of an SPF lookup method.
Florian Weimer Patch for minor format string issue
Norihisa Washitake Suggested patch for RFC 2047 header decoding
Chris Webb Patch for support of an SPF lookup method.
Florian Weimer Patch for minor format string issue
+ Noticing the unwanted (and time-wasting) GnuTLS
+ RSA_EXPORT code, and supplying a patch to remove it
Joachim Wieland Patches for PostgreSQL socket support and other
PostgreSQL functionality
Patch for hosts_avoid_esmtp
Joachim Wieland Patches for PostgreSQL socket support and other
PostgreSQL functionality
Patch for hosts_avoid_esmtp
-/* $Cambridge: exim/src/src/tls-gnu.c,v 1.12 2006/02/14 14:12:07 ph10 Exp $ */
+/* $Cambridge: exim/src/src/tls-gnu.c,v 1.13 2006/10/16 10:58:40 ph10 Exp $ */
/*************************************************
* Exim - an Internet mail transport agent *
/*************************************************
* Exim - an Internet mail transport agent *
#define UNKNOWN_NAME "unknown"
#define DH_BITS 768
#define UNKNOWN_NAME "unknown"
#define DH_BITS 768
#define PARAM_SIZE 2*1024
#define PARAM_SIZE 2*1024
static BOOL initialized = INITIALIZED_NOT;
static host_item *client_host;
static BOOL initialized = INITIALIZED_NOT;
static host_item *client_host;
-static gnutls_rsa_params rsa_params = NULL;
static gnutls_dh_params dh_params = NULL;
static gnutls_certificate_server_credentials x509_cred = NULL;
static gnutls_dh_params dh_params = NULL;
static gnutls_certificate_server_credentials x509_cred = NULL;
GNUTLS_KX_RSA,
GNUTLS_KX_DHE_DSS,
GNUTLS_KX_DHE_RSA,
GNUTLS_KX_RSA,
GNUTLS_KX_DHE_DSS,
GNUTLS_KX_DHE_RSA,
0 };
static int default_cipher_priority[16] = {
0 };
static int default_cipher_priority[16] = {
/* Initialize the data structures for holding the parameters */
/* Initialize the data structures for holding the parameters */
-ret = gnutls_rsa_params_init(&rsa_params);
-if (ret < 0) return tls_error(US"init rsa_params", host, ret);
-
ret = gnutls_dh_params_init(&dh_params);
if (ret < 0) return tls_error(US"init dh_params", host, ret);
ret = gnutls_dh_params_init(&dh_params);
if (ret < 0) return tls_error(US"init dh_params", host, ret);
return tls_error(US"TLS cache read failed", host, 0);
(void)close(fd);
return tls_error(US"TLS cache read failed", host, 0);
(void)close(fd);
- ret = gnutls_rsa_params_import_pkcs1(rsa_params, &m, GNUTLS_X509_FMT_PEM);
-
- if (ret < 0)
- {
- DEBUG(D_tls)
- debug_printf("RSA params import failed: assume old-style cache file\n");
- }
- else
- {
- ret = gnutls_dh_params_import_pkcs3(dh_params, &m, GNUTLS_X509_FMT_PEM);
- if (ret < 0)
- return tls_error(US"DH params import", host, ret);
- DEBUG(D_tls) debug_printf("read RSA and D-H parameters from file\n");
- }
+ ret = gnutls_dh_params_import_pkcs3(dh_params, &m, GNUTLS_X509_FMT_PEM);
+ if (ret < 0) return tls_error(US"DH params import", host, ret);
+ DEBUG(D_tls) debug_printf("read RSA and D-H parameters from file\n");
{
uschar tempfilename[sizeof(filename) + 10];
{
uschar tempfilename[sizeof(filename) + 10];
- DEBUG(D_tls) debug_printf("generating %d bit RSA key...\n", RSA_BITS);
- ret = gnutls_rsa_params_generate2(rsa_params, RSA_BITS);
- if (ret < 0) return tls_error(US"RSA key generation", host, ret);
-
DEBUG(D_tls) debug_printf("generating %d bit Diffie-Hellman key...\n",
DH_BITS);
ret = gnutls_dh_params_generate2(dh_params, DH_BITS);
DEBUG(D_tls) debug_printf("generating %d bit Diffie-Hellman key...\n",
DH_BITS);
ret = gnutls_dh_params_generate2(dh_params, DH_BITS);
* certtool or other programs.
*
* The commands for certtool are:
* certtool or other programs.
*
* The commands for certtool are:
- * $ certtool --generate-privkey --bits 512 >params
- * $ echo "" >>params
- * $ certtool --generate-dh-params --bits 1024 >> params
+ * $ certtool --generate-dh-params --bits 1024 > params
if (m.data == NULL)
return tls_error(US"memory allocation failed", host, 0);
if (m.data == NULL)
return tls_error(US"memory allocation failed", host, 0);
- ret = gnutls_rsa_params_export_pkcs1(rsa_params, GNUTLS_X509_FMT_PEM,
- m.data, &m.size);
- if (ret < 0) return tls_error(US"RSA params export", host, ret);
-
- /* Do not write the null termination byte. */
-
- m.size = Ustrlen(m.data);
- if (write(fd, m.data, m.size) != m.size || write(fd, "\n", 1) != 1)
- return tls_error(US"TLS cache write failed", host, 0);
-
m.size = PARAM_SIZE;
ret = gnutls_dh_params_export_pkcs3(dh_params, GNUTLS_X509_FMT_PEM, m.data,
&m.size);
m.size = PARAM_SIZE;
ret = gnutls_dh_params_export_pkcs3(dh_params, GNUTLS_X509_FMT_PEM, m.data,
&m.size);
return tls_error(string_sprintf("failed to rename %s as %s: %s",
tempfilename, filename, strerror(errno)), host, 0);
return tls_error(string_sprintf("failed to rename %s as %s: %s",
tempfilename, filename, strerror(errno)), host, 0);
- DEBUG(D_tls) debug_printf("wrote RSA and D-H parameters to file %s\n",
- filename);
+ DEBUG(D_tls) debug_printf("wrote D-H parameters to file %s\n", filename);
-DEBUG(D_tls) debug_printf("initialized RSA and D-H parameters\n");
+DEBUG(D_tls) debug_printf("initialized D-H parameters\n");
/* Associate the parameters with the x509 credentials structure. */
gnutls_certificate_set_dh_params(x509_cred, dh_params);
/* Associate the parameters with the x509 credentials structure. */
gnutls_certificate_set_dh_params(x509_cred, dh_params);
-gnutls_certificate_set_rsa_export_params(x509_cred, rsa_params);
DEBUG(D_tls) debug_printf("initialized certificate stuff\n");
return OK;
DEBUG(D_tls) debug_printf("initialized certificate stuff\n");
return OK;
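Review bot: The rewritten cache-read path now turns any failure of `gnutls_dh_params_import_pkcs3` into a hard `tls_error`, yet cache files written by the previous version begin with an RSA PKCS#1 block followed by the D-H block, and nothing visible here shows that the import skips that leading block. Please confirm that an existing cache file still loads after an upgrade, or fall back to regenerating the parameters when the import fails. The debug line kept on that path still says "read RSA and D-H parameters from file" and should become `DEBUG(D_tls) debug_printf("read D-H parameters from file\n");`. Separately, `DH_BITS` stays at 768 while the certtool comment suggests 1024; with RSA_EXPORT gone it is worth raising the value or adding a comment on the define that explains it, because a 768-bit group is weak for DHE key exchange. The enclosing function starts and ends outside these hunks, so the regeneration path is inferred rather than seen.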
# For this first GnuTLS test, we do not obey "gnutls", so that Exim has to
# create the GnuTLS paramter data for itself.
#
# For this first GnuTLS test, we do not obey "gnutls", so that Exim has to
# create the GnuTLS paramter data for itself.
#
-echo ==> Creating GnuTLS parameter data ... may take some time ...
-echo ==> Moving the mouse about may help ...
+echo ==> Creating GnuTLS parameter data ...
exim -DSERVER=server -bd -oX PORT_D
****
exim CALLER@test.ex
exim -DSERVER=server -bd -oX PORT_D
****
exim CALLER@test.ex