X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/f2ed27cf5f913cc437401c7e005c2886b7dc1a55..1d28cc061677bd07d9bed48dd84bd5c590247043:/src/src/std-crypto.c diff --git a/src/src/std-crypto.c b/src/src/std-crypto.c index d41e2a195..29efa6997 100644 --- a/src/src/std-crypto.c +++ b/src/src/std-crypto.c @@ -3,9 +3,12 @@ *************************************************/ /* Copyright (c) Phil Pennock 2012, 2016 + * Copyright (c) The Exim Maintainers 2017 - 2021 * But almost everything here is fixed published constants from RFCs, so also: * Copyright (C) The Internet Society (2003) * Copyright (C) The IETF Trust (2008) + * SPDX-License-Identifier: GPL-2.0-or-later + * * Most of the text in RFC referencing comments is copy/paste from RFC, * as is undoubtedly the intention. * The constants are generated from that text using util/gen_pkcs3.c invoked @@ -16,7 +19,7 @@ #include "exim.h" -#ifndef SUPPORT_TLS +#ifdef DISABLE_TLS static void dummy(int x) { dummy(x-1); } #else @@ -349,12 +352,12 @@ static const char dh_ike_18_pem[] = */ static const char dh_ike_22_pem[] = "-----BEGIN DH PARAMETERS-----\n" -"MIIBCAKBgQCxC4+WoIDgHd6S3l6uXVTsUsmfvPsGo8aaap3KUtI7YWBz4oZ1oj0Y\n" +"MIIBDAKBgQCxC4+WoIDgHd6S3l6uXVTsUsmfvPsGo8aaap3KUtI7YWBz4oZ1oj0Y\n" "mDjvHi7mUsAT7LSuqQYRIySXXDzUm4O/rMvdfZDEvXCYSI6cIZpzck7/1vrlZEc4\n" "+qMaT/VbzMChUa9fDci0vUW/N982XBpl5oz9p21NpwjfH7K8LkpDcQKBgQCk0cvV\n" "w/00EmdlpELvuZkF+BBN0lisUH/WQGz/FCZtMSZv6h5cQVZLd35pD1UE8hMWAhe0\n" "sBuIal6RVH+eJ0n01/vX07mpLuGQnQ0iY/gKdqaiTAh6CR9THb8KAWm2oorWYqTR\n" -"jnOvoy13nVkY0IvIhY9Nzvl8KiSFXm7rIrOy5Q==\n" +"jnOvoy13nVkY0IvIhY9Nzvl8KiSFXm7rIrOy5QICAKA=\n" "-----END DH PARAMETERS-----\n"; /* RFC 5114 IKE_id=23 @@ -395,7 +398,7 @@ static const char dh_ike_22_pem[] = */ static const char dh_ike_23_pem[] = "-----BEGIN DH PARAMETERS-----\n" -"MIICCgKCAQEArRB+HpEjqdDWYPqnlVnFH6INZOVoO5/RtUsVl7YdCnXm+hQd+VpW\n" +"MIICDgKCAQEArRB+HpEjqdDWYPqnlVnFH6INZOVoO5/RtUsVl7YdCnXm+hQd+VpW\n" "26+aPEB7od8V6z1oijCcGA4d5rhaEnSgpm0/gVKtasISkDfJ7e/aTfjZHo/vVbc5\n" "S3rVt9C2wSIHyfmNEe002/bGugssi7wnvmoA4KC5xJcIs7+KMXCRiDaBKGEwvImF\n" "2xYC5xRBXZMwJ4Jzx94x79xzEPcSH9WgdBWYfZrcCkhtzfk6zEQyg4cxXXXhmMZB\n" @@ -405,7 +408,8 @@ static const char dh_ike_23_pem[] = "kAGo1mrXwXZpEBmZAkr00CcnWsE0i7inYtBSG8mK4kcVBCLqHtQJk51U2nRgzbX2\n" "xrJQcXy+8YDrNBGOmNEZUppF1vg0Vm4wJeMWozDvu3eobwwasVsFGuPUKMj4rLcK\n" "gTcVC47rEOGD7dGZY93Z4mPkdwWJ72qiHn9fL/OBtTnM40CdE81Wavu0jWwBkYHh\n" -"vP6UswJp7f5y/ptqpL17Wg8ccc//TBnEGOH27AF5gbwIfypwZbOEuJDTGR8r+g==\n" +"vP6UswJp7f5y/ptqpL17Wg8ccc//TBnEGOH27AF5gbwIfypwZbOEuJDTGR8r+gIC\n" +"AOA=\n" "-----END DH PARAMETERS-----\n"; /* RFC 5114 IKE_id=24 @@ -446,7 +450,7 @@ static const char dh_ike_23_pem[] = */ static const char dh_ike_24_pem[] = "-----BEGIN DH PARAMETERS-----\n" -"MIICCQKCAQEAh6jmHbS2Zjz/u9GcZRlZmYzu9ghmDdDyXSzu1ENeOwDgDfjx1hlX\n" +"MIICDQKCAQEAh6jmHbS2Zjz/u9GcZRlZmYzu9ghmDdDyXSzu1ENeOwDgDfjx1hlX\n" "1Pr330VhsqowFsPZETQJb6o79Cltgw6afCCeDGSXUXq9WoqdMGvPZ+2R+eZyW0dY\n" "wCLgse9Cdb97bFv8EdRfkIi5QfVOseWbuLw5oL8SMH9cT9twxYGyP3a2Osrhyqa3\n" "kC1SUmc1SIoO8TxtmlG/pKs62DR3llJNjvahZ7WkGCXZZ+FE5RQFZCUcysuD5rSG\n" @@ -456,7 +460,8 @@ static const char dh_ike_24_pem[] = "+MKMuxilWuMTQQAKZQGW+THHelfy3fRj5ensFEt3feYqqrioYorDdtKC1u04ZOZ5\n" "gkKOvIMdFDSPby+Rk7UEWvJ2cWTh38lnwfs/LlWkvRv/6DucgNBSuYXRguoK2yo7\n" "cxPT/hTISEseBSWIubfSu9LfAWGZ7NBuFVfNCRWzNTu7ZODsN3/QKDcN+StSx4kU\n" -"KM3GfrYYS1I9HbJGwy9jB4SQ8A741kfRSNR5VFFeIyfP75jFgmZLTA9sxBZZ\n" +"KM3GfrYYS1I9HbJGwy9jB4SQ8A741kfRSNR5VFFeIyfP75jFgmZLTA9sxBZZAgIB\n" +"AA==\n" "-----END DH PARAMETERS-----\n"; /* ------------------------------------------------------------------------- */ @@ -508,12 +513,12 @@ A.1. ffdhe2048 */ static const char dh_ffdhe2048_pem[] = "-----BEGIN DH PARAMETERS-----\n" -"MIH+AoH4DfhUWKK7Spqv3FYgJz088di5xYPOLTaVqeE2QRRkM/vMk53OJJs++X0v\n" -"42NjDHXY9oGyAq7EYXrT3x7V1f1lYSQz9R9fBm7QhWNlVT3tGvO1VxNef1fJNZhP\n" -"DHDg5ot34qaJ2vPv6HId8VihNq3nNTCsyk9IOnl6vAqxgrMk+2HRCKlLssjj+7lq\n" -"2rdg1/RoHU9Co945TfSuVu3nY3K7GQsHp8juCm1wngL84c334uzANATNKDQvYZFy\n" -"/pzphYP/jk8SMu7ygYPD/jsbTG+tczu1/LwuwiAFxY7xg30Wg7LG80omwbLv+ohr\n" -"QjhhKFyX//////////8CAQI=\n" +"MIIBDAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz\n" +"+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a\n" +"87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7\n" +"YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi\n" +"7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD\n" +"ssbzSibBsu/6iGtCOGEoXJf//////////wIBAgICB/8=\n" "-----END DH PARAMETERS-----\n"; /* @@ -573,7 +578,7 @@ A.2. ffdhe3072 */ static const char dh_ffdhe3072_pem[] = "-----BEGIN DH PARAMETERS-----\n" -"MIIBiAKCAYEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz\n" +"MIIBjAKCAYEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz\n" "+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a\n" "87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7\n" "YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi\n" @@ -581,7 +586,7 @@ static const char dh_ffdhe3072_pem[] = "ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3\n" "7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32\n" "nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZsYu\n" -"N///////////AgEC\n" +"N///////////AgECAgIL/w==\n" "-----END DH PARAMETERS-----\n"; /* @@ -653,7 +658,7 @@ A.3. ffdhe4096 */ static const char dh_ffdhe4096_pem[] = "-----BEGIN DH PARAMETERS-----\n" -"MIICCAKCAgEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz\n" +"MIICDAKCAgEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz\n" "+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a\n" "87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7\n" "YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi\n" @@ -663,7 +668,7 @@ static const char dh_ffdhe4096_pem[] = "nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZp4e\n" "8W5vUsMWTfT7eTDp5OWIV7asfV9C1p9tGHdjzx1VA0AEh/VbpX4xzHpxNciG77Qx\n" "iu1qHgEtnmgyqQdgCpGBMMRtx3j5ca0AOAkpmaMzy4t6Gh25PXFAADwqTs6p+Y0K\n" -"zAqCkc3OyX3Pjsm1Wn+IpGtNtahR9EGC4caKAH5eZV9q//////////8CAQI=\n" +"zAqCkc3OyX3Pjsm1Wn+IpGtNtahR9EGC4caKAH5eZV9q//////////8CAQICAg//\n" "-----END DH PARAMETERS-----\n"; /* @@ -755,7 +760,7 @@ A.4. ffdhe6144 */ static const char dh_ffdhe6144_pem[] = "-----BEGIN DH PARAMETERS-----\n" -"MIIDCAKCAwEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz\n" +"MIIDDAKCAwEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz\n" "+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a\n" "87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7\n" "YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi\n" @@ -771,7 +776,7 @@ static const char dh_ffdhe6144_pem[] = "w1h+ONoAd9m0dj5OS5Syu8GUxmUed8r5ku6qwCMqKBv2s6c5wSJhFoIK6NtYR6Z8\n" "vvnJCRtGLVOM1ysDdGrnf15iKSwxFWKoRlBdyC24VDOK5J9SNclbkReMzy3Vys70\n" "A+ydGBDGJysEWztx+dxrgNY/3UqOmtseaWKmlSbUMWHBpB1XDXk42tSkDjKc0OQO\n" -"Zf//////////AgEC\n" +"Zf//////////AgECAgIX/w==\n" "-----END DH PARAMETERS-----\n"; /* @@ -885,7 +890,7 @@ A.5. ffdhe8192 */ static const char dh_ffdhe8192_pem[] = "-----BEGIN DH PARAMETERS-----\n" -"MIIECAKCBAEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz\n" +"MIIEDAKCBAEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz\n" "+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a\n" "87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7\n" "YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi\n" @@ -906,17 +911,16 @@ static const char dh_ffdhe8192_pem[] = "UVQfxoychrAiu3CZh2pGDnRRqKkxCXA/7hwhfmw4JuUsUappHg5CPPyZ6eMWUMEh\n" "e2JIFs2tmpX51bgBlIjZwKCh/jB1pXfiMYP4HUo/L6RXHvyM4LqKT+i2hV3+crCm\n" "bt7S+6v75Yow+vq+HF1xqH4vdB74wf6G/qa7/eUwZ38Nl9EdSfeoRD0IIuUGqfRh\n" -"TgEeKpSDj/iM1oyLt8XGQkz//////////wIBAg==\n" +"TgEeKpSDj/iM1oyLt8XGQkz//////////wIBAgICH/8=\n" "-----END DH PARAMETERS-----\n"; /* ========================================================================= */ -/* - * Generated by Phil as a non-standard option. - * openssl dhparam -2 2048 - * No provenance to prove non-tampering available, beyond trusting that this - * developer generated this as stated above. - */ +/* Generated by Phil as a non-standard option. +openssl dhparam -2 2048 +No provenance to prove non-tampering available, beyond trusting that this +developer generated this as stated above. */ + /* MacOSX 10.10.5 invoking system OpenSSL 0.9.8zg */ static const char dh_exim_20160529_1[] = @@ -954,68 +958,76 @@ static const char dh_exim_20160529_3[] = /* ========================================================================= */ struct dh_constant { - const char *label; - const char *pem; + const char * label; + const char * pem; + int logging; }; +#define EXIM_DH_PRIME_DEFAULT dh_exim_20160529_3 + /* KEEP SORTED ALPHABETICALLY; - * duplicate PEM are okay, if we want aliases, but names must be alphabetical */ +duplicate PEM are okay, if we want aliases, but names must be alphabetical */ + static struct dh_constant dh_constants[] = { /* label pem */ - { "default", dh_exim_20160529_3 }, - { "exim.dev.20160529.1", dh_exim_20160529_1 }, - { "exim.dev.20160529.2", dh_exim_20160529_2 }, - { "exim.dev.20160529.3", dh_exim_20160529_3 }, - { "ffdhe2048", dh_ffdhe2048_pem }, - { "ffdhe3072", dh_ffdhe3072_pem }, - { "ffdhe4096", dh_ffdhe4096_pem }, - { "ffdhe6144", dh_ffdhe6144_pem }, - { "ffdhe8192", dh_ffdhe8192_pem }, - { "ike1", dh_ike_1_pem }, - { "ike14", dh_ike_14_pem }, - { "ike15", dh_ike_15_pem }, - { "ike16", dh_ike_16_pem }, - { "ike17", dh_ike_17_pem }, - { "ike18", dh_ike_18_pem }, - { "ike2", dh_ike_2_pem }, - { "ike22", dh_ike_22_pem }, - { "ike23", dh_ike_23_pem }, - { "ike24", dh_ike_24_pem }, - { "ike5", dh_ike_5_pem }, + { "default", EXIM_DH_PRIME_DEFAULT, 0 }, + { "exim.dev.20160529.1", dh_exim_20160529_1, 0 }, + { "exim.dev.20160529.2", dh_exim_20160529_2, 0 }, + { "exim.dev.20160529.3", dh_exim_20160529_3, 0 }, + { "ffdhe2048", dh_ffdhe2048_pem, 0 }, + { "ffdhe3072", dh_ffdhe3072_pem, 0 }, + { "ffdhe4096", dh_ffdhe4096_pem, 0 }, + { "ffdhe6144", dh_ffdhe6144_pem, 0 }, + { "ffdhe8192", dh_ffdhe8192_pem, 0 }, + { "ike1", dh_ike_1_pem, LOG_MAIN | LOG_PANIC }, + { "ike14", dh_ike_14_pem, 0 }, + { "ike15", dh_ike_15_pem, 0 }, + { "ike16", dh_ike_16_pem, 0 }, + { "ike17", dh_ike_17_pem, 0 }, + { "ike18", dh_ike_18_pem, 0 }, + { "ike2", dh_ike_2_pem, LOG_MAIN }, + { "ike22", dh_ike_22_pem, LOG_MAIN | LOG_PANIC }, + { "ike23", dh_ike_23_pem, LOG_MAIN }, + { "ike24", dh_ike_24_pem, LOG_MAIN }, + { "ike5", dh_ike_5_pem, 0 }, }; -static const int dh_constants_count = - sizeof(dh_constants) / sizeof(struct dh_constant); +static const int dh_constants_count = nelem(dh_constants); /* A policy decision; in absence of any other data, use a 2048 bit prime, - * pick the first one from the latest RFC providing such. */ +pick the first one from the latest RFC providing such. */ + const char * std_dh_prime_default(void) { - return dh_ike_23_pem; +return EXIM_DH_PRIME_DEFAULT; } +/* Return PEM string for given name */ + const char * -std_dh_prime_named(const uschar *name) +std_dh_prime_named(const uschar * name) { - int first, last; - char *search_name = CS string_copylc(US name); - - first = 0; - last = dh_constants_count; - while (last > first) { - int middle = (first + last)/2; - int c = strcmp(search_name, dh_constants[middle].label); - if (c == 0) - return dh_constants[middle].pem; - else if (c > 0) - first = middle + 1; - else - last = middle; +for (int first = 0, last = dh_constants_count; last > first; ) + { + int middle = (first + last)/2; + struct dh_constant * dp = &dh_constants[middle]; + int c = Ustrcmp(name, dp->label); + if (c == 0) + { + if (dp->logging) + log_write(0, dp->logging, + "WARNING: deprecated Diffie-Hellman parameter '%s' used", dp->label); + return dp->pem; + } + else if (c > 0) + first = middle + 1; + else + last = middle; } - return NULL; +return NULL; } -#endif /* SUPPORT_TLS */ +#endif /*DISABLE_TLS*/ /* EOF */