Phil Pennock [Thu, 17 May 2012 15:17:20 +0000 (11:17 -0400)]
Handle absent tls_require_ciphers correctly.
Fix test-suite certs to not use MD5.
Document that we do not support MD5 certs any longer.
Make test-suite generate probably-correct gnutls-params filename for us.
Phil Pennock [Thu, 17 May 2012 06:53:44 +0000 (02:53 -0400)]
Get TLS SNI server-switching working with GnuTLS.
Registering a cert/key in an x509 credentials *adds* them, and there's
no way to remove them, so we need a shiny new x509_cred each time the
key/cert change.
Since we avoid re-expanding unless tls_sni appears in tls_certificate,
we've mostly avoided the expense unless SNI is in use, and the extra
loading should be minimal, as everything should be in buffer/cache from
a few microseconds beforehand.
This code tested with GnuTLS and OpenSSL clients, without TLS
extensions, with servername, and verifying we do now get the correct
cert.
Phil Pennock [Thu, 17 May 2012 05:32:13 +0000 (01:32 -0400)]
Guards for older releases of GnuTLS.
gnutls_sec_param_to_pk_bits() and gnutls_rnd() are both new as of
GnuTLS 2.12.x. Guard their usage on 2.12.0+ at compile time.
In older versions, the vaguely_random_number() function just immediately
calls the fallback, so it's the same as before this change (just one
extra indirection in the code-path).
Define a constant of 1024 for dh-bits for use in those old releases
where GnuTLS won't tell us how many we should use.
Change the on-disk filename for generated D-H params again, replacing
the -normal with -<bitcount>, so that it's 1024 or whatever, and as
the value changes, Exim will automatically start using the new value.
Phil Pennock [Wed, 16 May 2012 16:15:26 +0000 (12:15 -0400)]
Overhaul of GnuTLS code.
GnuTLS code re-done, using cut&paste for preservation where appropriate.
Stop using deprecated APIs. Stop hard-coding lists of ciphers.
Use gnutls_priority_init() instead.
Turns tls_require_ciphers into a string in the GnuTLS case, not just
OpenSSL case.
Deprecate three gnutls_require_* options; now ignored but not errors.
(No warnings yet).
Added TLS SNI support.
Made the channel binding integration theoretically actually work. I had
it guarded by an #ifdef but the value used was an enum instead. Oops.
Fixed.
New code much more amenable to future work permitting TLS in callouts.
DH param sizes now chosen by GnuTLS maintainers, we use "normal"; that's
suddenly a lot more bits, so the saved filename was changed too.
(GNUTLS_SEC_PARAM_NORMAL).
DH param setup only done for servers now, since clients don't need/use
it.
GnuTLS a lot more robust to library negotiation using stuff we don't
support, error-ing out quickly for other authentication systems (PGP,
etc).
Renamed pseudo_random_number() to vaguely_random_number() which makes
the nature clearer.
GnuTLS now provides a vaguely_random_number() implementation, to match
OpenSSL.
Pull in <inttypes.h> to make the recent arithmetic changes compile on
MacOS.
Nuke test 2011 which related to the gnutls_require_* options now
non-functional.
Phil Pennock [Sun, 6 May 2012 13:32:53 +0000 (06:32 -0700)]
Unbreak build on Solaris.
Solaris needs -lresolv, ie $(LIBRESOLV), for anything referencing DNS.
I added _res stuff to os.c.
os.c is used by multiple tools, but of those only Exim needs the DNS functionality.
So used a !defined(COMPILE_UTILITY) guard.
Jeremy Harris [Sat, 5 May 2012 19:52:41 +0000 (20:52 +0100)]
Fix bug 1225: Accept new testsuite case output.
Having looked further at the ratelimit code, the new output looks reasonable. The obscure
values of "19" derive from testing "per-byte", being the size of the test message.
Phil Pennock [Fri, 4 May 2012 15:27:09 +0000 (08:27 -0700)]
More tls_sni support: outbound, logging.
tls_sni as SMTP transport option.
Use correct storage pool for copying tls_sni, so survives for life of process.
Add +tls_sni log-selector, for inbound tls_sni.
Update exipick to handle -tls_sni in spool files.
Also reset tls_bits at start of outbound connection (was missing).
Jeremy Harris [Thu, 26 Apr 2012 22:00:15 +0000 (23:00 +0100)]
Fix testsuite case 0373.
The subtest does a readsocket (with 1s timeout) into a server
which closes immediately. The expected output in the testcase was null, the output
actually seen was the error-return expansion, which seems more correct.
Accepting the actual output.
Phil Pennock [Mon, 23 Apr 2012 03:20:16 +0000 (20:20 -0700)]
Better ls output fixing.
fixes bug 1226
Further investigation from Jeremy Harris showed the previous fix
left trailing whitespace on output which previously ended after
the permission bits (eg, test 0240).
Phil Pennock [Sat, 31 Mar 2012 10:10:54 +0000 (03:10 -0700)]
fix gsasl / cyrus claims
Point 1 for 4.78 said gsasl could *not* be used to replace cyrus.
This was obsoleted by point 5.
Remove claim from point 1, add additional note to point 5.
Phil Pennock [Fri, 30 Mar 2012 20:52:17 +0000 (13:52 -0700)]
Handle alternate access method flag in ls.
Jeremy Harris found ls output not parsing on SELinux systems. I
identified this as SUSv3's "optional alternate access method flag".
Jeremy wrote the patch, I adjusted a little.
Phil Pennock [Fri, 17 Feb 2012 13:01:10 +0000 (08:01 -0500)]
Use gsskrb5_register_acceptor_identity
Drop the OID and pseudo-standard GSSAPI extension mechanism.
Found Heimdal-specific API call I needed, works great.
gsskrb5_register_acceptor_identity(filename)