*************************************************/
/* Copyright (c) Phil Pennock 2012, 2016
- * Copyright (c) The Exim Maintainers 2017 - 2018
+ * Copyright (c) The Exim Maintainers 2017 - 2021
* But almost everything here is fixed published constants from RFCs, so also:
* Copyright (C) The Internet Society (2003)
* Copyright (C) The IETF Trust (2008)
*/
static const char dh_ike_22_pem[] =
"-----BEGIN DH PARAMETERS-----\n"
-"MIIBCAKBgQCxC4+WoIDgHd6S3l6uXVTsUsmfvPsGo8aaap3KUtI7YWBz4oZ1oj0Y\n"
+"MIIBDAKBgQCxC4+WoIDgHd6S3l6uXVTsUsmfvPsGo8aaap3KUtI7YWBz4oZ1oj0Y\n"
"mDjvHi7mUsAT7LSuqQYRIySXXDzUm4O/rMvdfZDEvXCYSI6cIZpzck7/1vrlZEc4\n"
"+qMaT/VbzMChUa9fDci0vUW/N982XBpl5oz9p21NpwjfH7K8LkpDcQKBgQCk0cvV\n"
"w/00EmdlpELvuZkF+BBN0lisUH/WQGz/FCZtMSZv6h5cQVZLd35pD1UE8hMWAhe0\n"
"sBuIal6RVH+eJ0n01/vX07mpLuGQnQ0iY/gKdqaiTAh6CR9THb8KAWm2oorWYqTR\n"
-"jnOvoy13nVkY0IvIhY9Nzvl8KiSFXm7rIrOy5Q==\n"
+"jnOvoy13nVkY0IvIhY9Nzvl8KiSFXm7rIrOy5QICAKA=\n"
"-----END DH PARAMETERS-----\n";
/* RFC 5114 IKE_id=23
*/
static const char dh_ike_23_pem[] =
"-----BEGIN DH PARAMETERS-----\n"
-"MIICCgKCAQEArRB+HpEjqdDWYPqnlVnFH6INZOVoO5/RtUsVl7YdCnXm+hQd+VpW\n"
+"MIICDgKCAQEArRB+HpEjqdDWYPqnlVnFH6INZOVoO5/RtUsVl7YdCnXm+hQd+VpW\n"
"26+aPEB7od8V6z1oijCcGA4d5rhaEnSgpm0/gVKtasISkDfJ7e/aTfjZHo/vVbc5\n"
"S3rVt9C2wSIHyfmNEe002/bGugssi7wnvmoA4KC5xJcIs7+KMXCRiDaBKGEwvImF\n"
"2xYC5xRBXZMwJ4Jzx94x79xzEPcSH9WgdBWYfZrcCkhtzfk6zEQyg4cxXXXhmMZB\n"
"kAGo1mrXwXZpEBmZAkr00CcnWsE0i7inYtBSG8mK4kcVBCLqHtQJk51U2nRgzbX2\n"
"xrJQcXy+8YDrNBGOmNEZUppF1vg0Vm4wJeMWozDvu3eobwwasVsFGuPUKMj4rLcK\n"
"gTcVC47rEOGD7dGZY93Z4mPkdwWJ72qiHn9fL/OBtTnM40CdE81Wavu0jWwBkYHh\n"
-"vP6UswJp7f5y/ptqpL17Wg8ccc//TBnEGOH27AF5gbwIfypwZbOEuJDTGR8r+g==\n"
+"vP6UswJp7f5y/ptqpL17Wg8ccc//TBnEGOH27AF5gbwIfypwZbOEuJDTGR8r+gIC\n"
+"AOA=\n"
"-----END DH PARAMETERS-----\n";
/* RFC 5114 IKE_id=24
*/
static const char dh_ike_24_pem[] =
"-----BEGIN DH PARAMETERS-----\n"
-"MIICCQKCAQEAh6jmHbS2Zjz/u9GcZRlZmYzu9ghmDdDyXSzu1ENeOwDgDfjx1hlX\n"
+"MIICDQKCAQEAh6jmHbS2Zjz/u9GcZRlZmYzu9ghmDdDyXSzu1ENeOwDgDfjx1hlX\n"
"1Pr330VhsqowFsPZETQJb6o79Cltgw6afCCeDGSXUXq9WoqdMGvPZ+2R+eZyW0dY\n"
"wCLgse9Cdb97bFv8EdRfkIi5QfVOseWbuLw5oL8SMH9cT9twxYGyP3a2Osrhyqa3\n"
"kC1SUmc1SIoO8TxtmlG/pKs62DR3llJNjvahZ7WkGCXZZ+FE5RQFZCUcysuD5rSG\n"
"+MKMuxilWuMTQQAKZQGW+THHelfy3fRj5ensFEt3feYqqrioYorDdtKC1u04ZOZ5\n"
"gkKOvIMdFDSPby+Rk7UEWvJ2cWTh38lnwfs/LlWkvRv/6DucgNBSuYXRguoK2yo7\n"
"cxPT/hTISEseBSWIubfSu9LfAWGZ7NBuFVfNCRWzNTu7ZODsN3/QKDcN+StSx4kU\n"
-"KM3GfrYYS1I9HbJGwy9jB4SQ8A741kfRSNR5VFFeIyfP75jFgmZLTA9sxBZZ\n"
+"KM3GfrYYS1I9HbJGwy9jB4SQ8A741kfRSNR5VFFeIyfP75jFgmZLTA9sxBZZAgIB\n"
+"AA==\n"
"-----END DH PARAMETERS-----\n";
/* ------------------------------------------------------------------------- */
*/
static const char dh_ffdhe2048_pem[] =
"-----BEGIN DH PARAMETERS-----\n"
-"MIH+AoH4DfhUWKK7Spqv3FYgJz088di5xYPOLTaVqeE2QRRkM/vMk53OJJs++X0v\n"
-"42NjDHXY9oGyAq7EYXrT3x7V1f1lYSQz9R9fBm7QhWNlVT3tGvO1VxNef1fJNZhP\n"
-"DHDg5ot34qaJ2vPv6HId8VihNq3nNTCsyk9IOnl6vAqxgrMk+2HRCKlLssjj+7lq\n"
-"2rdg1/RoHU9Co945TfSuVu3nY3K7GQsHp8juCm1wngL84c334uzANATNKDQvYZFy\n"
-"/pzphYP/jk8SMu7ygYPD/jsbTG+tczu1/LwuwiAFxY7xg30Wg7LG80omwbLv+ohr\n"
-"QjhhKFyX//////////8CAQI=\n"
+"MIIBDAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz\n"
+"+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a\n"
+"87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7\n"
+"YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi\n"
+"7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD\n"
+"ssbzSibBsu/6iGtCOGEoXJf//////////wIBAgICB/8=\n"
"-----END DH PARAMETERS-----\n";
/*
*/
static const char dh_ffdhe3072_pem[] =
"-----BEGIN DH PARAMETERS-----\n"
-"MIIBiAKCAYEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz\n"
+"MIIBjAKCAYEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz\n"
"+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a\n"
"87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7\n"
"YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi\n"
"ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3\n"
"7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32\n"
"nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZsYu\n"
-"N///////////AgEC\n"
+"N///////////AgECAgIL/w==\n"
"-----END DH PARAMETERS-----\n";
/*
*/
static const char dh_ffdhe4096_pem[] =
"-----BEGIN DH PARAMETERS-----\n"
-"MIICCAKCAgEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz\n"
+"MIICDAKCAgEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz\n"
"+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a\n"
"87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7\n"
"YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi\n"
"nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZp4e\n"
"8W5vUsMWTfT7eTDp5OWIV7asfV9C1p9tGHdjzx1VA0AEh/VbpX4xzHpxNciG77Qx\n"
"iu1qHgEtnmgyqQdgCpGBMMRtx3j5ca0AOAkpmaMzy4t6Gh25PXFAADwqTs6p+Y0K\n"
-"zAqCkc3OyX3Pjsm1Wn+IpGtNtahR9EGC4caKAH5eZV9q//////////8CAQI=\n"
+"zAqCkc3OyX3Pjsm1Wn+IpGtNtahR9EGC4caKAH5eZV9q//////////8CAQICAg//\n"
"-----END DH PARAMETERS-----\n";
/*
*/
static const char dh_ffdhe6144_pem[] =
"-----BEGIN DH PARAMETERS-----\n"
-"MIIDCAKCAwEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz\n"
+"MIIDDAKCAwEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz\n"
"+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a\n"
"87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7\n"
"YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi\n"
"w1h+ONoAd9m0dj5OS5Syu8GUxmUed8r5ku6qwCMqKBv2s6c5wSJhFoIK6NtYR6Z8\n"
"vvnJCRtGLVOM1ysDdGrnf15iKSwxFWKoRlBdyC24VDOK5J9SNclbkReMzy3Vys70\n"
"A+ydGBDGJysEWztx+dxrgNY/3UqOmtseaWKmlSbUMWHBpB1XDXk42tSkDjKc0OQO\n"
-"Zf//////////AgEC\n"
+"Zf//////////AgECAgIX/w==\n"
"-----END DH PARAMETERS-----\n";
/*
*/
static const char dh_ffdhe8192_pem[] =
"-----BEGIN DH PARAMETERS-----\n"
-"MIIECAKCBAEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz\n"
+"MIIEDAKCBAEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz\n"
"+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a\n"
"87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7\n"
"YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi\n"
"UVQfxoychrAiu3CZh2pGDnRRqKkxCXA/7hwhfmw4JuUsUappHg5CPPyZ6eMWUMEh\n"
"e2JIFs2tmpX51bgBlIjZwKCh/jB1pXfiMYP4HUo/L6RXHvyM4LqKT+i2hV3+crCm\n"
"bt7S+6v75Yow+vq+HF1xqH4vdB74wf6G/qa7/eUwZ38Nl9EdSfeoRD0IIuUGqfRh\n"
-"TgEeKpSDj/iM1oyLt8XGQkz//////////wIBAg==\n"
+"TgEeKpSDj/iM1oyLt8XGQkz//////////wIBAgICH/8=\n"
"-----END DH PARAMETERS-----\n";
/* ========================================================================= */
-/*
- * Generated by Phil as a non-standard option.
- * openssl dhparam -2 2048
- * No provenance to prove non-tampering available, beyond trusting that this
- * developer generated this as stated above.
- */
+/* Generated by Phil as a non-standard option.
+openssl dhparam -2 2048
+No provenance to prove non-tampering available, beyond trusting that this
+developer generated this as stated above. */
+
/* MacOSX 10.10.5 invoking system OpenSSL 0.9.8zg */
static const char dh_exim_20160529_1[] =
/* ========================================================================= */
struct dh_constant {
- const char *label;
- const char *pem;
+ const char * label;
+ const char * pem;
+ int logging;
};
+#define EXIM_DH_PRIME_DEFAULT dh_exim_20160529_3
+
/* KEEP SORTED ALPHABETICALLY;
- * duplicate PEM are okay, if we want aliases, but names must be alphabetical */
+duplicate PEM are okay, if we want aliases, but names must be alphabetical */
+
static struct dh_constant dh_constants[] = {
/* label pem */
- { "default", dh_exim_20160529_3 },
- { "exim.dev.20160529.1", dh_exim_20160529_1 },
- { "exim.dev.20160529.2", dh_exim_20160529_2 },
- { "exim.dev.20160529.3", dh_exim_20160529_3 },
- { "ffdhe2048", dh_ffdhe2048_pem },
- { "ffdhe3072", dh_ffdhe3072_pem },
- { "ffdhe4096", dh_ffdhe4096_pem },
- { "ffdhe6144", dh_ffdhe6144_pem },
- { "ffdhe8192", dh_ffdhe8192_pem },
- { "ike1", dh_ike_1_pem },
- { "ike14", dh_ike_14_pem },
- { "ike15", dh_ike_15_pem },
- { "ike16", dh_ike_16_pem },
- { "ike17", dh_ike_17_pem },
- { "ike18", dh_ike_18_pem },
- { "ike2", dh_ike_2_pem },
- { "ike22", dh_ike_22_pem },
- { "ike23", dh_ike_23_pem },
- { "ike24", dh_ike_24_pem },
- { "ike5", dh_ike_5_pem },
+ { "default", EXIM_DH_PRIME_DEFAULT, 0 },
+ { "exim.dev.20160529.1", dh_exim_20160529_1, 0 },
+ { "exim.dev.20160529.2", dh_exim_20160529_2, 0 },
+ { "exim.dev.20160529.3", dh_exim_20160529_3, 0 },
+ { "ffdhe2048", dh_ffdhe2048_pem, 0 },
+ { "ffdhe3072", dh_ffdhe3072_pem, 0 },
+ { "ffdhe4096", dh_ffdhe4096_pem, 0 },
+ { "ffdhe6144", dh_ffdhe6144_pem, 0 },
+ { "ffdhe8192", dh_ffdhe8192_pem, 0 },
+ { "ike1", dh_ike_1_pem, LOG_MAIN | LOG_PANIC },
+ { "ike14", dh_ike_14_pem, 0 },
+ { "ike15", dh_ike_15_pem, 0 },
+ { "ike16", dh_ike_16_pem, 0 },
+ { "ike17", dh_ike_17_pem, 0 },
+ { "ike18", dh_ike_18_pem, 0 },
+ { "ike2", dh_ike_2_pem, LOG_MAIN },
+ { "ike22", dh_ike_22_pem, LOG_MAIN | LOG_PANIC },
+ { "ike23", dh_ike_23_pem, LOG_MAIN },
+ { "ike24", dh_ike_24_pem, LOG_MAIN },
+ { "ike5", dh_ike_5_pem, 0 },
};
-static const int dh_constants_count =
- sizeof(dh_constants) / sizeof(struct dh_constant);
+static const int dh_constants_count = nelem(dh_constants);
/* A policy decision; in absence of any other data, use a 2048 bit prime,
- * pick the first one from the latest RFC providing such. */
+pick the first one from the latest RFC providing such. */
+
const char *
std_dh_prime_default(void)
{
- return dh_ike_23_pem;
+return EXIM_DH_PRIME_DEFAULT;
}
+/* Return PEM string for given name */
+
const char *
-std_dh_prime_named(const uschar *name)
+std_dh_prime_named(const uschar * name)
{
- int first, last;
- char *search_name = CS string_copylc(US name);
-
- first = 0;
- last = dh_constants_count;
- while (last > first) {
- int middle = (first + last)/2;
- int c = strcmp(search_name, dh_constants[middle].label);
- if (c == 0)
- return dh_constants[middle].pem;
- else if (c > 0)
- first = middle + 1;
- else
- last = middle;
+for (int first = 0, last = dh_constants_count; last > first; )
+ {
+ int middle = (first + last)/2;
+ struct dh_constant * dp = &dh_constants[middle];
+ int c = Ustrcmp(name, dp->label);
+ if (c == 0)
+ {
+ if (dp->logging)
+ log_write(0, dp->logging,
+ "WARNING: deprecated Diffie-Hellman parameter '%s' used", dp->label);
+ return dp->pem;
+ }
+ else if (c > 0)
+ first = middle + 1;
+ else
+ last = middle;
}
- return NULL;
+return NULL;
}
#endif /*DISABLE_TLS*/
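Review bot: The lookup in std_dh_prime_named now does `int c = Ustrcmp(name, dp->label);` on the caller's string directly, whereas the removed code first lower-cased it with `string_copylc`, so a configured name such as `ffDHE2048` that used to resolve will now fall through to `return NULL`; if that tightening was not intended, `int c = strcmpic(name, dp->label);` restores the old matching and still orders consistently with the all-lowercase sorted labels the binary search depends on. The policy comment above std_dh_prime_default still says the default is "the first one from the latest RFC providing such", but `EXIM_DH_PRIME_DEFAULT` is now `dh_exim_20160529_3`, the locally generated set whose own header says it has no provenance beyond trusting the developer — either the macro or the comment should change, e.g. `/* A policy decision: the default is the locally generated 2048-bit exim.dev.20160529.3 set, not an RFC group. */`. The column header on the table, `/* label pem */`, also predates the new third field and should read `/* label pem logging */`.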