-/* $Cambridge: exim/src/src/tls-gnu.c,v 1.13 2006/10/16 10:58:40 ph10 Exp $ */
+/* $Cambridge: exim/src/src/tls-gnu.c,v 1.17 2007/01/08 10:50:18 ph10 Exp $ */
/*************************************************
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2006 */
+/* Copyright (c) University of Cambridge 1995 - 2007 */
/* See the file NOTICE for conditions of use and distribution. */
/* This module provides TLS (aka SSL) support for Exim using the GnuTLS
#define UNKNOWN_NAME "unknown"
-#define DH_BITS 768
+#define DH_BITS 1024
#define PARAM_SIZE 2*1024
/*************************************************
-* Setup up RSA and DH parameters *
+* Setup up DH parameters *
*************************************************/
-/* Generating the RSA and D-H parameters takes a long time. They only need to
+/* Generating the D-H parameters may take a long time. They only need to
be re-generated every so often, depending on security policy. What we do is to
keep these parameters in a file in the spool directory. If the file does not
exist, we generate them. This means that it is easy to cause a regeneration.
*/
static int
-init_rsa_dh(host_item *host)
+init_dh(host_item *host)
{
int fd;
int ret;
return tls_error(US"overlong filename", host, 0);
/* Open the cache file for reading and if successful, read it and set up the
-parameters. If we can't set up the RSA parameters, assume that we are dealing
-with an old-style cache file that is in another format, and fall through to
-compute new values. However, if we correctly get RSA parameters, a failure to
-set up D-H parameters is treated as an error. */
+parameters. */
fd = Uopen(filename, O_RDONLY, 0);
if (fd >= 0)
ret = gnutls_dh_params_import_pkcs3(dh_params, &m, GNUTLS_X509_FMT_PEM);
if (ret < 0) return tls_error(US"DH params import", host, ret);
- DEBUG(D_tls) debug_printf("read RSA and D-H parameters from file\n");
+ DEBUG(D_tls) debug_printf("read D-H parameters from file\n");
free(m.data);
}
rc = gnutls_global_init();
if (rc < 0) return tls_error(US"tls-init", host, rc);
-/* Create RSA and D-H parameters, or read them from the cache file. This
-function does its own SMTP error messaging. */
+/* Create D-H parameters, or read them from the cache file. This function does
+its own SMTP error messaging. */
-rc = init_rsa_dh(host);
+rc = init_dh(host);
if (rc != OK) return rc;
/* Create the credentials structure */
/* Now negotiate the TLS session. We put our own timer on it, since it seems
that the GnuTLS library doesn't. */
-gnutls_transport_set_ptr(tls_session, (gnutls_transport_ptr)fileno(smtp_out));
+gnutls_transport_set_ptr2(tls_session, (gnutls_transport_ptr)fileno(smtp_in),
+ (gnutls_transport_ptr)fileno(smtp_out));
sigalrm_seen = FALSE;
if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);