X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/66c014bb0d4972b7d5915795dec376535089740c..1d28cc061677bd07d9bed48dd84bd5c590247043:/src/src/std-crypto.c
diff --git a/src/src/std-crypto.c b/src/src/std-crypto.c
index b462908ea..29efa6997 100644
--- a/src/src/std-crypto.c
+++ b/src/src/std-crypto.c
@@ -3,10 +3,12 @@
 *************************************************/
 /* Copyright (c) Phil Pennock 2012, 2016
- * Copyright (c) The Exim Maintainers 2017 - 2018
+ * Copyright (c) The Exim Maintainers 2017 - 2021
 * But almost everything here is fixed published constants from RFCs, so also:
 * Copyright (C) The Internet Society (2003)
 * Copyright (C) The IETF Trust (2008)
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ *
 * Most of the text in RFC referencing comments is copy/paste from RFC,
 * as is undoubtedly the intention.
 * The constants are generated from that text using util/gen_pkcs3.c invoked
@@ -914,12 +916,11 @@ static const char dh_ffdhe8192_pem[] =
 /* ========================================================================= */
-/*
- * Generated by Phil as a non-standard option.
- * openssl dhparam -2 2048
- * No provenance to prove non-tampering available, beyond trusting that this
- * developer generated this as stated above.
- */
+/* Generated by Phil as a non-standard option.
+openssl dhparam -2 2048
+No provenance to prove non-tampering available, beyond trusting that this
+developer generated this as stated above. */
+
 /* MacOSX 10.10.5 invoking system OpenSSL 0.9.8zg */
 static const char dh_exim_20160529_1[] =
@@ -957,69 +958,75 @@ static const char dh_exim_20160529_3[] =
 /* ========================================================================= */
 struct dh_constant {
- const char *label;
- const char *pem;
+ const char * label;
+ const char * pem;
+ int logging;
 };
 #define EXIM_DH_PRIME_DEFAULT dh_exim_20160529_3
 /* KEEP SORTED ALPHABETICALLY;
- * duplicate PEM are okay, if we want aliases, but names must be alphabetical */
+duplicate PEM are okay, if we want aliases, but names must be alphabetical */
+
 static struct dh_constant dh_constants[] = {
 /* label pem */
- { "default", EXIM_DH_PRIME_DEFAULT },
- { "exim.dev.20160529.1", dh_exim_20160529_1 },
- { "exim.dev.20160529.2", dh_exim_20160529_2 },
- { "exim.dev.20160529.3", dh_exim_20160529_3 },
- { "ffdhe2048", dh_ffdhe2048_pem },
- { "ffdhe3072", dh_ffdhe3072_pem },
- { "ffdhe4096", dh_ffdhe4096_pem },
- { "ffdhe6144", dh_ffdhe6144_pem },
- { "ffdhe8192", dh_ffdhe8192_pem },
- { "ike1", dh_ike_1_pem },
- { "ike14", dh_ike_14_pem },
- { "ike15", dh_ike_15_pem },
- { "ike16", dh_ike_16_pem },
- { "ike17", dh_ike_17_pem },
- { "ike18", dh_ike_18_pem },
- { "ike2", dh_ike_2_pem },
- { "ike22", dh_ike_22_pem },
- { "ike23", dh_ike_23_pem },
- { "ike24", dh_ike_24_pem },
- { "ike5", dh_ike_5_pem },
+ { "default", EXIM_DH_PRIME_DEFAULT, 0 },
+ { "exim.dev.20160529.1", dh_exim_20160529_1, 0 },
+ { "exim.dev.20160529.2", dh_exim_20160529_2, 0 },
+ { "exim.dev.20160529.3", dh_exim_20160529_3, 0 },
+ { "ffdhe2048", dh_ffdhe2048_pem, 0 },
+ { "ffdhe3072", dh_ffdhe3072_pem, 0 },
+ { "ffdhe4096", dh_ffdhe4096_pem, 0 },
+ { "ffdhe6144", dh_ffdhe6144_pem, 0 },
+ { "ffdhe8192", dh_ffdhe8192_pem, 0 },
+ { "ike1", dh_ike_1_pem, LOG_MAIN | LOG_PANIC },
+ { "ike14", dh_ike_14_pem, 0 },
+ { "ike15", dh_ike_15_pem, 0 },
+ { "ike16", dh_ike_16_pem, 0 },
+ { "ike17", dh_ike_17_pem, 0 },
+ { "ike18", dh_ike_18_pem, 0 },
+ { "ike2", dh_ike_2_pem, LOG_MAIN },
+ { "ike22", dh_ike_22_pem, LOG_MAIN | LOG_PANIC },
+ { "ike23", dh_ike_23_pem, LOG_MAIN },
+ { "ike24", dh_ike_24_pem, LOG_MAIN },
+ { "ike5", dh_ike_5_pem, 0 },
 };
-static const int dh_constants_count =
- sizeof(dh_constants) / sizeof(struct dh_constant);
+static const int dh_constants_count = nelem(dh_constants);
 /* A policy decision; in absence of any other data, use a 2048 bit prime,
- * pick the first one from the latest RFC providing such. */
+pick the first one from the latest RFC providing such. */
+
 const char *
 std_dh_prime_default(void)
 {
- return EXIM_DH_PRIME_DEFAULT;
+return EXIM_DH_PRIME_DEFAULT;
 }
+/* Return PEM string for given name */
+
 const char *
-std_dh_prime_named(const uschar *name)
+std_dh_prime_named(const uschar * name)
 {
- int first, last;
- char *search_name = CS string_copylc(US name);
-
- first = 0;
- last = dh_constants_count;
- while (last > first) {
- int middle = (first + last)/2;
- int c = strcmp(search_name, dh_constants[middle].label);
- if (c == 0)
- return dh_constants[middle].pem;
- else if (c > 0)
- first = middle + 1;
- else
- last = middle;
+for (int first = 0, last = dh_constants_count; last > first; )
+ {
+ int middle = (first + last)/2;
+ struct dh_constant * dp = &dh_constants[middle];
+ int c = Ustrcmp(name, dp->label);
+ if (c == 0)
+ {
+ if (dp->logging)
+ log_write(0, dp->logging,
+ "WARNING: deprecated Diffie-Hellman parameter '%s' used", dp->label);
+ return dp->pem;
+ }
+ else if (c > 0)
+ first = middle + 1;
+ else
+ last = middle;
 }
- return NULL;
+return NULL;
 }
 #endif /*DISABLE_TLS*/
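Review bot: The lookup in std_dh_prime_named is now case-sensitive: the removed code lowercased the name with `string_copylc` before `strcmp`, while the new loop does `Ustrcmp(name, dp->label)` against the all-lowercase labels, so a configured name such as `FFDHE2048` that used to resolve now returns NULL exactly as an unknown name would. Unless a caller outside this hunk now normalises the case, keep the old behaviour with `int c = strcmpic(name, dp->label);`, which preserves the binary-search ordering because every label is lowercase ASCII. If the change is deliberate, a comment on the function stating that names are matched case-sensitively would stop the next reader re-adding the fold. Separately, the deprecation `log_write` runs on every successful lookup of a flagged entry; whether that is once per daemon start or once per connection is not visible here and is worth checking so the main log is not flooded.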