exim.git
12 years agoDSCP: document; hex print; -bI:dscp
Phil Pennock [Sat, 2 Jun 2012 13:10:44 +0000 (09:10 -0400)]
DSCP: document; hex print; -bI:dscp

12 years agoDSCP support, tentative
Phil Pennock [Fri, 1 Jun 2012 16:05:42 +0000 (12:05 -0400)]
DSCP support, tentative

12 years agoDNSSEC babystep: dns_use_dnssec & $sender_host_dnssec
Phil Pennock [Fri, 1 Jun 2012 14:15:14 +0000 (10:15 -0400)]
DNSSEC babystep: dns_use_dnssec & $sender_host_dnssec

12 years agoimprove PH entry, per Bill Hacker's suggestion
Phil Pennock [Fri, 1 Jun 2012 12:30:06 +0000 (08:30 -0400)]
improve PH entry, per Bill Hacker's suggestion

12 years agoACKNOWLEDGEMENTS update, covering a few years
Phil Pennock [Fri, 1 Jun 2012 11:49:05 +0000 (07:49 -0400)]
ACKNOWLEDGEMENTS update, covering a few years

12 years agotls_dh_min_bits smtp transport option
Phil Pennock [Fri, 1 Jun 2012 09:52:31 +0000 (05:52 -0400)]
tls_dh_min_bits smtp transport option

Could not find an API for use with OpenSSL, so GnuTLS only

12 years agoMake -n combine with -bP to inhibit names
Phil Pennock [Fri, 1 Jun 2012 08:29:39 +0000 (04:29 -0400)]
Make -n combine with -bP to inhibit names

12 years agoAdd -bI:help and -bI:sieve
Phil Pennock [Fri, 1 Jun 2012 07:37:26 +0000 (03:37 -0400)]
Add -bI:help and -bI:sieve

12 years agoDoc: drop .new/.wen, update previousversion.
Phil Pennock [Thu, 31 May 2012 10:29:28 +0000 (06:29 -0400)]
Doc: drop .new/.wen, update previousversion.

Also, drop fix one place which claimed TLS SNI support was OpenSSL only.

12 years agoRevert "Lower EXIM_CLIENT_DH_MIN_BITS 1024 -> 512." exim-4_80
Phil Pennock [Thu, 31 May 2012 00:40:15 +0000 (20:40 -0400)]
Revert "Lower EXIM_CLIENT_DH_MIN_BITS 1024 -> 512."

This reverts commit 83f4c7515f3eb06dc070e78edd2694c1d088e5fd.

This was not a new check!  The call to gnutls_dh_set_prime_bits() was
made with DH_BITS in Exim 4.77, so the only difference is that now an
administrator can choose at compile time to change the lower bound.

So keeping this at 1024 is not a regression and if we can't talk to them
now, we couldn't before, and we shouldn't lower security by default.
The reverted commit was only acceptable IF it was still better than what
we had in Exim 4.77.

12 years agoLower EXIM_CLIENT_DH_MIN_BITS 1024 -> 512.
Phil Pennock [Wed, 30 May 2012 23:38:20 +0000 (19:38 -0400)]
Lower EXIM_CLIENT_DH_MIN_BITS 1024 -> 512.

Wolfgang Breyha saw a real-world site using 768 bits.

12 years agoMerge openssl_disable_ssl2 branch exim-4_80_RC7
Phil Pennock [Mon, 28 May 2012 05:11:48 +0000 (01:11 -0400)]
Merge openssl_disable_ssl2 branch

12 years agotypo fix: "overriden" -> "overridden" from Andreas Metzler
Phil Pennock [Sun, 27 May 2012 16:21:37 +0000 (12:21 -0400)]
typo fix: "overriden" -> "overridden" from Andreas Metzler

12 years agorelease: don't try to sign .tar.lz files
Phil Pennock [Sun, 27 May 2012 16:12:31 +0000 (12:12 -0400)]
release: don't try to sign .tar.lz files

12 years agoTest: update for new tls_dhparam (suite used on Scientific Linux 6 test host).
Jeremy Harris [Sun, 27 May 2012 15:50:39 +0000 (16:50 +0100)]
Test: update for new tls_dhparam (suite used on Scientific Linux 6 test host).

12 years agoDoc: fix glitch exim-4_80_RC6
Phil Pennock [Sun, 27 May 2012 15:02:01 +0000 (11:02 -0400)]
Doc: fix glitch

12 years agoTest: update for new tls_dhparam
Phil Pennock [Sun, 27 May 2012 14:57:32 +0000 (10:57 -0400)]
Test: update for new tls_dhparam

12 years agoDoc: SECTgnutlsparam referencing tls_dhparam
Phil Pennock [Sun, 27 May 2012 14:02:12 +0000 (10:02 -0400)]
Doc: SECTgnutlsparam referencing tls_dhparam

12 years agoFor DH, use standard primes from RFCs
Phil Pennock [Sun, 27 May 2012 13:14:39 +0000 (09:14 -0400)]
For DH, use standard primes from RFCs

12 years ago">" -> ">=" for EXIM_CLIENT_DH_MIN_BITS+10
Phil Pennock [Sun, 27 May 2012 05:34:36 +0000 (01:34 -0400)]
">" -> ">=" for EXIM_CLIENT_DH_MIN_BITS+10

12 years agoDeal with GnuTLS DH generation overshoot
Phil Pennock [Sun, 27 May 2012 05:17:04 +0000 (01:17 -0400)]
Deal with GnuTLS DH generation overshoot

12 years agoFAQ for GnuTLS
Phil Pennock [Sun, 27 May 2012 03:42:50 +0000 (23:42 -0400)]
FAQ for GnuTLS

12 years agoteach sprint_vformat() size_t z modifier (jgh)
Phil Pennock [Sun, 27 May 2012 00:18:31 +0000 (20:18 -0400)]
teach sprint_vformat() size_t z modifier (jgh)

Jeremy wrote this, mostly; I just fixed up a comment and pedantically numbered the enum values

12 years agofix size param for gnutls_dh_params_export_pkcs3() again
Phil Pennock [Sun, 27 May 2012 00:10:40 +0000 (20:10 -0400)]
fix size param for gnutls_dh_params_export_pkcs3() again

12 years agoIgnore vim swap files and test/* temporary files/dirs
Todd Lyons [Fri, 25 May 2012 16:19:36 +0000 (09:19 -0700)]
Ignore vim swap files and test/* temporary files/dirs

12 years agorelease: no .lz by default for now
Phil Pennock [Fri, 25 May 2012 14:57:25 +0000 (10:57 -0400)]
release: no .lz by default for now

12 years agoDoc: Provide context for bare numbers from CHAP/SECT.
Phil Pennock [Fri, 25 May 2012 14:29:06 +0000 (10:29 -0400)]
Doc: Provide context for bare numbers from CHAP/SECT.

12 years agoCyrus SASL auth: SSF retrieval was incorrect.
Phil Pennock [Fri, 25 May 2012 09:01:39 +0000 (05:01 -0400)]
Cyrus SASL auth: SSF retrieval was incorrect.

Exim thought protection layer was required, which is not implemented.
Patch from Wolfgang Breyha.

Fixes bug 1254

12 years agoIt's 2012, not 1012. Noted by Jay Rouman
Phil Pennock [Fri, 25 May 2012 08:05:17 +0000 (04:05 -0400)]
It's 2012, not 1012. Noted by Jay Rouman

12 years agoAdded some more .gitignore entries
Nigel Metheringham [Thu, 24 May 2012 15:45:12 +0000 (16:45 +0100)]
Added some more .gitignore entries

Ignore more build side effects

12 years agoMoved pdkim declaration to satisfy older compilers
Nigel Metheringham [Thu, 24 May 2012 15:40:42 +0000 (16:40 +0100)]
Moved pdkim declaration to satisfy older compilers

As suggested by Dennis Davis to fix an error with gcc 2.95.2
which threw the following error:-

gcc pdkim.c
pdkim.c: In function `pdkim_feed_finish':
pdkim.c:1389: parse error before `*'
pdkim.c:1390: `hdrs' undeclared (first use in this function)
pdkim.c:1390: (Each undeclared identifier is reported only once
pdkim.c:1390: for each function it appears in.)
gmake[2]: *** [pdkim.o] Error 1

See https://lists.exim.org/lurker/message/20120524.094800.89928246.en.html

12 years agoReleaseTools: support .lz lzip archives
Phil Pennock [Thu, 24 May 2012 06:12:53 +0000 (02:12 -0400)]
ReleaseTools: support .lz lzip archives

12 years ago_ISOC99_SOURCE -> _GNU_SOURCE exim-4_80_RC5
Phil Pennock [Thu, 24 May 2012 03:43:20 +0000 (23:43 -0400)]
_ISOC99_SOURCE -> _GNU_SOURCE

_ISOC99_SOURCE broke build on Linux (Ubuntu 11.10) because it broke <resolv.h>, <arpa/nameser.h>, etc.
Their u_char and u_int usage relies upon BSD source being enabled too.  So use _GNU_SOURCE.

12 years agoDefine _ISOC99_SOURCE in exim.h
Phil Pennock [Thu, 24 May 2012 03:27:44 +0000 (23:27 -0400)]
Define _ISOC99_SOURCE in exim.h

Done before os.h is pulled in so an OS can override it.

12 years agoDoc: move -bmalware into alphabetic place
Phil Pennock [Wed, 23 May 2012 19:03:21 +0000 (15:03 -0400)]
Doc: move -bmalware into alphabetic place

12 years agoDoc: s/DNS/domains/ in new text
Phil Pennock [Wed, 23 May 2012 17:02:52 +0000 (13:02 -0400)]
Doc: s/DNS/domains/ in new text

12 years agoDoc: document when dnslookup will decline
Phil Pennock [Wed, 23 May 2012 16:58:18 +0000 (12:58 -0400)]
Doc: document when dnslookup will decline

12 years agoDoc: tls_require_ciphers examples
Phil Pennock [Wed, 23 May 2012 16:25:16 +0000 (12:25 -0400)]
Doc: tls_require_ciphers examples

Note how to test strings, provide examples which distinguish port 25 from other ports.
Carefully used short examples, but allows two different strings per implementation
and demonstrates how the strings are very different.

12 years agoManually control locale, setting to "C" in runtest script.
Todd Lyons [Wed, 23 May 2012 13:35:31 +0000 (06:35 -0700)]
Manually control locale, setting to "C" in runtest script.

Fixes the output of 'ls' command to a standard format (test 345).

12 years agoexpanded comment, noting size types and API issue
Phil Pennock [Wed, 23 May 2012 05:20:09 +0000 (01:20 -0400)]
expanded comment, noting size types and API issue

12 years agoREADME.UPDATING: emphasise more the LDAP issue
Phil Pennock [Wed, 23 May 2012 00:12:35 +0000 (20:12 -0400)]
README.UPDATING: emphasise more the LDAP issue

12 years agoOCSP description: minor nits
Phil Pennock [Tue, 22 May 2012 13:06:24 +0000 (09:06 -0400)]
OCSP description: minor nits

12 years agoEnable PCRE_CONFIG by default
Phil Pennock [Tue, 22 May 2012 02:14:18 +0000 (22:14 -0400)]
Enable PCRE_CONFIG by default

With this, src/EDITME as Local/Makefile *only* needs EXIM_USER to be
set and EXIM_MONITOR commented out for Exim to build on my box.

I think this is a reasonable default; if there are releases of PCRE which
do not include pcre-config, then on those boxes a slight change will be
needed, but only where the file was already having to be edited anyway.

12 years agoGuard SNI usage better (client-side)
Phil Pennock [Tue, 22 May 2012 01:58:00 +0000 (21:58 -0400)]
Guard SNI usage better (client-side)

12 years agoTestsuite: more robust fix for SHELL vs /bin/sh, take two.
Jeremy Harris [Mon, 21 May 2012 21:16:00 +0000 (22:16 +0100)]
Testsuite: more robust fix for SHELL vs /bin/sh, take two.

12 years agoRevert "Testsuite: more robust fix for SHELL vs /bin/sh"
Jeremy Harris [Mon, 21 May 2012 19:36:42 +0000 (20:36 +0100)]
Revert "Testsuite: more robust fix for SHELL vs /bin/sh"

This reverts commit 8dedb69a41c30fd82ab6e084fe567f7ee7aaa562.
Kills testcase 0137.

12 years agoTestsuite: more robust fix for SHELL vs /bin/sh
Jeremy Harris [Mon, 21 May 2012 18:51:21 +0000 (19:51 +0100)]
Testsuite: more robust fix for SHELL vs /bin/sh

12 years agoOpenBSD compat, DNS resolver library
Phil Pennock [Mon, 21 May 2012 10:49:54 +0000 (06:49 -0400)]
OpenBSD compat, DNS resolver library

Report and point to fix from Dennis Davis.

12 years agoUpdate binary's copyright message.
Phil Pennock [Mon, 21 May 2012 10:33:08 +0000 (06:33 -0400)]
Update binary's copyright message.

Rough text per suggestion from Tony.
Amended ACKNOWLEDGEMENTS briefly, but need to actually add people.  Like, er, me.

12 years agoavoid NUL in dh params file
Phil Pennock [Mon, 21 May 2012 09:54:50 +0000 (05:54 -0400)]
avoid NUL in dh params file

gnutls_dh_params_export_pkcs3() returns 2 different sizes.
NUL observed by Janne Snabb

12 years ago.end -> .wen exim-4_80_RC4
Phil Pennock [Mon, 21 May 2012 04:32:11 +0000 (00:32 -0400)]
.end -> .wen

12 years agoAdd tls_dh_max_bits to OptionLists.txt
Phil Pennock [Mon, 21 May 2012 04:29:25 +0000 (00:29 -0400)]
Add tls_dh_max_bits to OptionLists.txt

12 years agofeatures.h; tls_validate_require_cipher: log flag & tests exim-4_80_RC3
Phil Pennock [Mon, 21 May 2012 04:20:37 +0000 (00:20 -0400)]
features.h; tls_validate_require_cipher: log flag & tests

Pull in <features.h> on Linux.
Switch readconf log from D_all (bug) to D_tls (though D_any would have
worked).
Modified runtest to handle clamped DH bits and
tls_validate_require_cipher added debug logging.

12 years agoonly drop privs for TLS if still root
Phil Pennock [Mon, 21 May 2012 02:58:18 +0000 (22:58 -0400)]
only drop privs for TLS if still root

12 years agoUpdate docs for latest state of TLS affairs.
Phil Pennock [Mon, 21 May 2012 02:15:48 +0000 (22:15 -0400)]
Update docs for latest state of TLS affairs.

gnutls-params bits count no longer necessarily what GnuTLS says to use.
The OpenSSL-vs-GnuTLS text needed some updating.
Catches a ChangeLog addition made during the previous commit, so not picked up by it.

12 years agoAdded tls_dh_max_bits & check tls_require_ciphers early.
Phil Pennock [Mon, 21 May 2012 01:49:40 +0000 (21:49 -0400)]
Added tls_dh_max_bits & check tls_require_ciphers early.

Janne Snabb tracked down the GnuTLS 2.12 vs NSS (Thunderbird) interop
problems to a hard-coded limit of 2236 bits for DH in NSS while GnuTLS
was suggesting 2432 bits as normal.

Added new global option tls_dh_max_bits to clamp all DH values (client
or server); unexpanded integer.  Default value to 2236.  Apply to both
GnuTLS and OpenSSL (which requires tls_dh_params for this).

Tired of debugging "SMTP fails TLS" error messages in mailing-lists
caused by OpenSSL library/include clashes, and of finding out I typo'd
in tls_require_ciphers only at the STARTTLS handshake.  During readconf,
fork/drop-privs/initialise-TLS-library.  In that, if tls_require_ciphers
is set, then validate it.

The validation child will panic if it can't initialise or if
tls_require_ciphers can't be parsed, else it exits 0.  If the child
exits anything other than 0, the main Exim process will exit.

12 years agoGuard TLS SNI callback define better.
Phil Pennock [Sun, 20 May 2012 23:35:34 +0000 (19:35 -0400)]
Guard TLS SNI callback define better.

Guarded the callback invocation on OpenSSL having TLS extension support.
Failed to guard the callback definition.  Fixed.
Problem spotted by Todd Lyons.

12 years agotls_require_ciphers must be assigned to state copy
Phil Pennock [Sun, 20 May 2012 22:22:06 +0000 (18:22 -0400)]
tls_require_ciphers must be assigned to state copy

12 years agoMerge branch 'master_testsuite_faq'
Todd Lyons [Sun, 20 May 2012 15:11:23 +0000 (08:11 -0700)]
Merge branch 'master_testsuite_faq'

12 years agoFAQ of running test suite
Todd Lyons [Sun, 20 May 2012 15:08:59 +0000 (08:08 -0700)]
FAQ of running test suite

12 years agoTestsuite: more guidance in README
Jeremy Harris [Sun, 20 May 2012 14:32:34 +0000 (15:32 +0100)]
Testsuite: more guidance in README

12 years agoTypo: PRE_PRERELEASE -> PCRE_PRERELEASE
Phil Pennock [Sun, 20 May 2012 09:34:57 +0000 (05:34 -0400)]
Typo: PRE_PRERELEASE -> PCRE_PRERELEASE

Noted by Moritz Wilhelmy.

12 years agoGnuTLS debug callback: check for existing \n
Phil Pennock [Sun, 20 May 2012 09:33:22 +0000 (05:33 -0400)]
GnuTLS debug callback: check for existing \n

12 years ago"make makfile" -> "make makefile".
Phil Pennock [Sun, 20 May 2012 07:48:53 +0000 (03:48 -0400)]
"make makfile" -> "make makefile".

Confirmed typo, rather than QNXism, by grepping tree and finding no
other instances.

Reported by René Berber.

12 years agoCipher munging continues.
Phil Pennock [Sun, 20 May 2012 02:22:06 +0000 (22:22 -0400)]
Cipher munging continues.

I omitted log/2025 pending further investigation.

12 years agoHAVE_IPV6=yes in comment; need value!
Phil Pennock [Sun, 20 May 2012 01:29:45 +0000 (21:29 -0400)]
HAVE_IPV6=yes in comment; need value!

12 years agoTestsuite: munge recorded TLS version &c in output to permit awkward test-host instal...
Jeremy Harris [Sun, 20 May 2012 00:04:24 +0000 (01:04 +0100)]
Testsuite: munge recorded TLS version &c in output to permit awkward test-host installations.

12 years agoPRINTF_FUNCTION -> ALMOST_PRINTF.
Phil Pennock [Sat, 19 May 2012 23:55:15 +0000 (19:55 -0400)]
PRINTF_FUNCTION -> ALMOST_PRINTF.

WANT_DEEPER_PRINTF_CHECKS guards ALMOST_PRINTF being PRINTF_FUNCTION.
Fix some actual issues exposed when I cut down on the spam.

12 years agoPortability to HP-UX.
Phil Pennock [Sat, 19 May 2012 23:13:51 +0000 (19:13 -0400)]
Portability to HP-UX.

Report and fix from Michael Haardt.

The resolver library change's assumed typedef was absent, but the
underlying struct __res_state is present.  Long type issues for the
arithmetic changes.

12 years agoPCRE_PRERELEASE fix, again
Phil Pennock [Sat, 19 May 2012 21:59:09 +0000 (17:59 -0400)]
PCRE_PRERELEASE fix, again

12 years agoTorture the English language slightly less exim-4_80_RC2
Phil Pennock [Fri, 18 May 2012 23:17:38 +0000 (19:17 -0400)]
Torture the English language slightly less

12 years agoFix three issues highlighted by clang analyser.
Phil Pennock [Fri, 18 May 2012 22:22:30 +0000 (18:22 -0400)]
Fix three issues highlighted by clang analyser.

Only crash-plausible issue would require the Cambridge-specific
iplookup router and a misconfiguration.

Report from Marcin Mirosław

12 years agoTest suite fixes, mostly for new certs.
Phil Pennock [Fri, 18 May 2012 22:07:55 +0000 (18:07 -0400)]
Test suite fixes, mostly for new certs.

New cert1 and cert2 but I'd only updated the GnuTLS tests.
This fixes OpenSSL ones too.

The SHELL vs /bin/sh one also fixed, finally realised that
the test output just hadn't been updated to match the munging.

12 years agoDocument DCC in experimental-spec.txt
Phil Pennock [Fri, 18 May 2012 20:22:04 +0000 (16:22 -0400)]
Document DCC in experimental-spec.txt

Base text from Wolfgang Breyha.
I went over it as someone new to it, to make some obvious-to-experts-but-not-me fixes.

12 years agoSecond SPF fix, moved to where type is correct.
Phil Pennock [Fri, 18 May 2012 19:52:08 +0000 (15:52 -0400)]
Second SPF fix, moved to where type is correct.

De-initialised "type" var in stack declaration, so a repeat of this mistake
would lead to an uninitialized variable usage warning which would have blocked
the previous incorrect fix from being committed.

12 years agoFix dcc_header content corruption.
Phil Pennock [Fri, 18 May 2012 19:46:06 +0000 (15:46 -0400)]
Fix dcc_header content corruption.

(stack memory referenced, read-only, out of scope).

Patch from Wolfgang Breyha, report from Stuart Northfield.

12 years agoSPF multiple strings join on "".
Phil Pennock [Fri, 18 May 2012 19:35:32 +0000 (15:35 -0400)]
SPF multiple strings join on "".

Patch from Janne Snabb.

12 years agoGnuTLS pretty much passes test suite. exim-4_80_RC1
Phil Pennock [Fri, 18 May 2012 03:04:36 +0000 (23:04 -0400)]
GnuTLS pretty much passes test suite.

Fixed assumption that tls_certificate non-NULL in server when TLS
advertised.
Weakened an !S_ISREG() to an S_ISDIR() to keep the test-suite happy.

Using:
  do { rc = gnutls_handshake(state->session);
  } while ((rc == GNUTLS_E_AGAIN) || (rc == GNUTLS_E_INTERRUPTED));
is contra-indicated when you expect SIGALRM to be able to break you out
of the loop.  A little _too_ robust there.  Switching last part to:
  (rc == GNUTLS_E_INTERRUPTED && !sigalrm_seen)
is rather more productive.

Only test not passing is 2025, which makes major assumptions about
cipher suites and needs to be revisited to see what it's trying to
achieve.  We fail the test because we successfully deliver the message
without expected errors, because other ciphersuites are available, since
we're no longer limited to a *very* short list embedded in the Exim
code.  That sort of failure I can live with.

12 years agoMake test-suite client cmd -t<timeout> actually work
Phil Pennock [Fri, 18 May 2012 02:12:59 +0000 (22:12 -0400)]
Make test-suite client cmd -t<timeout> actually work

12 years agoCRL addition returns count of CRLs added
Phil Pennock [Fri, 18 May 2012 00:07:04 +0000 (20:07 -0400)]
CRL addition returns count of CRLs added

A couple more cert1/2 strings updated, plus some disambiguating rhubarb.

12 years agoInsert new JH/02 entry for the ACL clean-up
Phil Pennock [Thu, 17 May 2012 23:37:49 +0000 (19:37 -0400)]
Insert new JH/02 entry for the ACL clean-up

12 years agoDocumentation update for bug 1172.
root [Thu, 17 May 2012 23:08:30 +0000 (00:08 +0100)]
Documentation update for bug 1172.

12 years agoSupport expansion variable for hi-res timestamp (bug 1172).
Jeremy Harris [Mon, 23 Apr 2012 20:03:46 +0000 (21:03 +0100)]
Support expansion variable for hi-res timestamp (bug 1172).

12 years agofix tls_cipher memory lifetime.
Phil Pennock [Thu, 17 May 2012 21:24:36 +0000 (17:24 -0400)]
fix tls_cipher memory lifetime.

Some tests had not been updated for the new cert because they were missing an X= log-line.
Updated those tests now.

12 years agoMore GnuTLS cleanups/fixes.
Phil Pennock [Thu, 17 May 2012 20:18:34 +0000 (16:18 -0400)]
More GnuTLS cleanups/fixes.

Decided "unknown (reason)" in tls_peerdn was wrong, stripped that, added
replacement guard.

Moved cipherbuf construction to where it makes more sense, where peerdn
is extracted, so that setting the exim vars gets back closer to just
some pointer switching.

Fix missing failure check after handshake in client.

Fix tls.c tls_ungetc() and friends by pointing watermark vars at state
content.

Regenerated test-suite D-H params so we don't have too small values,
which was causing connection rejections.

Test-suite output where new test cert info is logged (there will be a
couple more, when I fix a lingering problem with tls_peerdn being unset
in client log-lines).

Give test-suite client command some --help.

12 years agoGnuTLS control constants exposed to Makefile.
Phil Pennock [Thu, 17 May 2012 18:05:06 +0000 (14:05 -0400)]
GnuTLS control constants exposed to Makefile.

Mostly care about EXIM_GNUTLS_LIBRARY_LOG_LEVEL for debugging.
If someone screams that we kept the default dh-bits at 1024 for old GnuTLS,
we can point them at EXIM_SERVER_DH_BITS_PRE2_12.  The name itself will
tell them to shut up and update their library if they care about security. :)

12 years agoCopyright year updates.
Phil Pennock [Thu, 17 May 2012 16:19:52 +0000 (12:19 -0400)]
Copyright year updates.

Updated all files modified in 2012 which contained a copyright year
already, unless the range was specified as open-ended.

vi $(git whatchanged --since=2012-01-01 | grep '^:100' | sed 's/^[^M]*M//' | sort -u | fgrep -v test/)

12 years agognutls_require_protocols comment on 4.77 notes.
Phil Pennock [Thu, 17 May 2012 15:37:13 +0000 (11:37 -0400)]
gnutls_require_protocols comment on 4.77 notes.

12 years ago4.78 -> 4.80
Phil Pennock [Thu, 17 May 2012 15:21:54 +0000 (11:21 -0400)]
4.78 -> 4.80

12 years agoHandle absent tls_require_ciphers correctly.
Phil Pennock [Thu, 17 May 2012 15:17:20 +0000 (11:17 -0400)]
Handle absent tls_require_ciphers correctly.

Fix test-suite certs to not use MD5.
Document that we do not support MD5 certs any longer.
Make test-suite generate probably-correct gnutls-params filename for us.

12 years agoHandle TLSv1.2 in test suite.
Phil Pennock [Thu, 17 May 2012 12:16:11 +0000 (08:16 -0400)]
Handle TLSv1.2 in test suite.

Normalise TLSv1.2 to TLSv1.
Normalise AES256-GCM-SHA384 to AES256-SHA.
Make some test configs accept AES256-GCM-SHA384 in "encrypted =" ACLs.

Have test suite print final test id during abort, make it easier to track down.

12 years agoGet TLS SNI server-switching working with GnuTLS.
Phil Pennock [Thu, 17 May 2012 06:53:44 +0000 (02:53 -0400)]
Get TLS SNI server-switching working with GnuTLS.

Registering a cert/key in an x509 credentials *adds* them, and there's
no way to remove them, so we need a shiny new x509_cred each time the
key/cert change.

Since we avoid re-expanding unless tls_sni appears in tls_certificate,
we've mostly avoided the expense unless SNI is in use, and the extra
loading should be minimal, as everything should be in buffer/cache from
a few microseconds beforehand.

This code tested with GnuTLS and OpenSSL clients, without TLS
extensions, with servername, and verifying we do now get the correct
cert.

12 years agofix TLS SNI segfault case
Phil Pennock [Thu, 17 May 2012 06:15:27 +0000 (02:15 -0400)]
fix TLS SNI segfault case

Failed to notice my test config on the GnuTLS box did nothing with SNI.
Fixed segfault.  Better diagnostics.

Still not actually changing key/cert, need to investigate further

12 years agoGuards for older releases of GnuTLS.
Phil Pennock [Thu, 17 May 2012 05:32:13 +0000 (01:32 -0400)]
Guards for older releases of GnuTLS.

gnutls_sec_param_to_pk_bits() and gnutls_rnd() are both new as of
GnuTLS 2.12.x.  Guard their usage on 2.12.0+ at compile time.

In older versions, the vaguely_random_number() function just immediately
calls the fallback, so it's the same as before this change (just one
extra indirection in the code-path).

Define a constant of 1024 for dh-bits for use in those old releases
where GnuTLS won't tell us how many we should use.

Change the on-disk filename for generated D-H params again, replacing
the -normal with -<bitcount>, so that it's 1024 or whatever, and as
the value changes, Exim will automatically start using the new value.

12 years agodnsdb SPF support, from Janne Snabb
Phil Pennock [Thu, 17 May 2012 04:39:38 +0000 (00:39 -0400)]
dnsdb SPF support, from Janne Snabb

12 years agoMerge branch 'experimental_ocsp'
Phil Pennock [Wed, 16 May 2012 16:35:40 +0000 (12:35 -0400)]
Merge branch 'experimental_ocsp'

12 years agoOverhaul of GnuTLS code.
Phil Pennock [Wed, 16 May 2012 16:15:26 +0000 (12:15 -0400)]
Overhaul of GnuTLS code.

GnuTLS code re-done, using cut&paste for preservation where appropriate.

Stop using deprecated APIs.  Stop hard-coding lists of ciphers.
Use gnutls_priority_init() instead.
Turns tls_require_ciphers into a string in the GnuTLS case, not just
OpenSSL case.

Deprecate three gnutls_require_* options; now ignored but not errors.
(No warnings yet).

Added TLS SNI support.

Made the channel binding integration theoretically actually work.  I had
it guarded by an #ifdef but the value used was an enum instead.  Oops.
Fixed.

New code much more amenable to future work permitting TLS in callouts.

DH param sizes now chosen by GnuTLS maintainers, we use "normal"; that's
suddenly a lot more bits, so the saved filename was changed too.
(GNUTLS_SEC_PARAM_NORMAL).

DH param setup only done for servers now, since clients don't need/use
it.

GnuTLS a lot more robust to library negotiation using stuff we don't
support, error-ing out quickly for other authentication systems (PGP,
etc).

Renamed pseudo_random_number() to vaguely_random_number() which makes
the nature clearer.

GnuTLS now provides a vaguely_random_number() implementation, to match
OpenSSL.

Pull in <inttypes.h> to make the recent arithmetic changes compile on
MacOS.

Nuke test 2011 which related to the gnutls_require_* options now
non-functional.

12 years agoTestsuite: fix problem with parsing retry records spanning midnight.
Jeremy Harris [Mon, 14 May 2012 23:06:18 +0000 (00:06 +0100)]
Testsuite: fix problem with parsing retry records spanning midnight.

12 years agoMerge branch '64bitint'
Jeremy Harris [Sun, 13 May 2012 21:39:47 +0000 (22:39 +0100)]
Merge branch '64bitint'

12 years agoUse defines in config.h for type & scanf-patterns for eval. Update docs.
Jeremy Harris [Sun, 13 May 2012 20:04:45 +0000 (21:04 +0100)]
Use defines in config.h for type & scanf-patterns for eval.  Update docs.