pool/exim
SHA256
4
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
exim/exim-enable_ecdh_openssl.patch
Lars Müller 4040bfe97f - update to 4.85 
See doc/ChangeLog from the main tar ball or the exim file for
  more details.

OBS-URL: https://build.opensuse.org/package/show/server:mail/exim?expand=0&rev=157
2015-01-24 19:56:27 +00:00

117 lines
3.5 KiB
Diff
Raw Blame History

# Taken from:
# http://bugs.exim.org/show_bug.cgi?id=1397
# http://bugs.exim.org/attachment.cgi?id=661
Index: exim-4.83/src/globals.c
===================================================================
--- exim-4.83.orig/src/globals.c
+++ exim-4.83/src/globals.c
@@ -158,6 +158,7 @@ that's the interop problem which has bee
bit-count as "NORMAL" (2432) and Thunderbird dropping connection. */
int tls_dh_max_bits = 2236;
uschar *tls_dhparam = NULL;
+uschar *tls_eccurve = NULL;
#ifndef DISABLE_OCSP
uschar *tls_ocsp_file = NULL;
#endif
Index: exim-4.83/src/globals.h
===================================================================
--- exim-4.83.orig/src/globals.h
+++ exim-4.83/src/globals.h
@@ -118,6 +118,7 @@ extern uschar *tls_channelbinding_b64; /
extern uschar *tls_crl; /* CRL File */
extern int tls_dh_max_bits; /* don't accept higher lib suggestions */
extern uschar *tls_dhparam; /* DH param file */
+extern uschar *tls_eccurve; /* EC curve */
#ifndef DISABLE_OCSP
extern uschar *tls_ocsp_file; /* OCSP stapling proof file */
#endif
Index: exim-4.83/src/readconf.c
===================================================================
--- exim-4.83.orig/src/readconf.c
+++ exim-4.83/src/readconf.c
@@ -443,6 +443,7 @@ static optionlist optionlist_config[] =
{ "tls_crl", opt_stringptr, &tls_crl },
{ "tls_dh_max_bits", opt_int, &tls_dh_max_bits },
{ "tls_dhparam", opt_stringptr, &tls_dhparam },
+ { "tls_eccurve", opt_stringptr, &tls_eccurve },
# ifndef DISABLE_OCSP
{ "tls_ocsp_file", opt_stringptr, &tls_ocsp_file },
# endif
Index: exim-4.83/src/tls-openssl.c
===================================================================
--- exim-4.83.orig/src/tls-openssl.c
+++ exim-4.83/src/tls-openssl.c
@@ -612,6 +612,59 @@ return TRUE;
+#if !defined(OPENSSL_NO_ECDH)
+static BOOL
+init_ecdh(SSL_CTX *sctx, host_item *host)
+{
+EC_KEY *ecdh;
+int nid;
+
+# if !defined(OPENSSL_NO_ECDH) && OPENSSL_VERSION_NUMBER >= 0x10002000L
+/* check if OpenSSL >= 1.0.2 auto ECDH temp key parameter selection should be used */
+if (Ustrcmp(tls_eccurve, "auto") == 0)
+ {
+ DEBUG(D_tls) debug_printf("ECDH temp key parameter settings: OpenSSL 1.2+ autoselection\n");
+ SSL_CTX_set_ecdh_auto(sctx, 1);
+ return TRUE;
+ }
+# endif
+
+if (tls_eccurve == NULL)
+ {
+ DEBUG(D_tls)
+ debug_printf("ECDH curve (default): prime256v1\n", tls_eccurve);
+ nid = NID_X9_62_prime256v1;
+ }
+else
+ {
+ /* search curve name */
+ DEBUG(D_tls)
+ debug_printf("ECDH curve: %s\n", tls_eccurve);
+ nid = OBJ_sn2nid((uschar *)tls_eccurve);
+ if (nid == 0)
+ {
+ tls_error(string_sprintf("Unkown curve name tls_eccurve \"%s\"", tls_eccurve),
+ host, NULL);
+ return FALSE;
+ }
+ }
+
+ecdh = EC_KEY_new_by_curve_name(nid);
+if (ecdh == NULL)
+ {
+ tls_error("Unable to create ec curve",
+ host, NULL);
+ return FALSE;
+ }
+
+SSL_CTX_set_tmp_ecdh(sctx, ecdh);
+EC_KEY_free(ecdh);
+
+return TRUE;
+}
+#endif
+
+
#ifndef DISABLE_OCSP
/*************************************************
@@ -1254,6 +1307,11 @@ if (!init_dh(*ctxp, dhparam, host)) retu
rc = tls_expand_session_files(*ctxp, cbinfo);
if (rc != OK) return rc;
+#if !defined(OPENSSL_NO_ECDH)
+/* Initialize ECDH temp key parameter selection */
+if (!init_ecdh(*ctxp, host)) return DEFER;
+#endif
+
/* If we need to handle SNI, do so */
#ifdef EXIM_HAVE_OPENSSL_TLSEXT
if (host == NULL) /* server */
Reference in New Issue View Git Blame Copy Permalink