[dovecot-cvs] dovecot/src/master master-settings.c, 1.99, 1.100 ssl-init-openssl.c, 1.5, 1.6 ssl-init.c, 1.14, 1.15

cras at dovecot.org cras at dovecot.org
Sun Jan 15 14:35:06 EET 2006


Update of /var/lib/cvs/dovecot/src/master
In directory talvi:/tmp/cvs-serv2829/src/master

Modified Files:
	master-settings.c ssl-init-openssl.c ssl-init.c 
Log Message:
Generate DH parameters and use them. Changed default regeneration time to 1
week.



Index: master-settings.c
===================================================================
RCS file: /var/lib/cvs/dovecot/src/master/master-settings.c,v
retrieving revision 1.99
retrieving revision 1.100
diff -u -d -r1.99 -r1.100
--- master-settings.c	13 Jan 2006 20:26:40 -0000	1.99
+++ master-settings.c	15 Jan 2006 12:35:03 -0000	1.100
@@ -257,7 +257,7 @@
 	MEMBER(ssl_cert_file) SSLDIR"/certs/dovecot.pem",
 	MEMBER(ssl_key_file) SSLDIR"/private/dovecot.pem",
 	MEMBER(ssl_parameters_file) "ssl-parameters.dat",
-	MEMBER(ssl_parameters_regenerate) 24,
+	MEMBER(ssl_parameters_regenerate) 168,
 	MEMBER(ssl_cipher_list) NULL,
 	MEMBER(ssl_verify_client_cert) FALSE,
 	MEMBER(disable_plaintext_auth) TRUE,

Index: ssl-init-openssl.c
===================================================================
RCS file: /var/lib/cvs/dovecot/src/master/ssl-init-openssl.c,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -d -r1.5 -r1.6
--- ssl-init-openssl.c	30 May 2003 11:56:25 -0000	1.5
+++ ssl-init-openssl.c	15 Jan 2006 12:35:04 -0000	1.6
@@ -1,13 +1,50 @@
 /* Copyright (C) 2002 Timo Sirainen */
 
 #include "common.h"
+#include "write-full.h"
 #include "ssl-init.h"
 
 #ifdef HAVE_OPENSSL
 
-void _ssl_generate_parameters(int fd __attr_unused__,
-			      const char *fname __attr_unused__)
+#include <openssl/ssl.h>
+
+/* 2 or 5. Haven't seen their difference explained anywhere, but 2 is the
+   default.. */
+#define DH_GENERATOR 2
+
+static int dh_param_bitsizes[] = { 512, 1024 };
+#define DH_PARAM_BITSIZE_COUNT \
+        (sizeof(dh_param_bitsizes)/sizeof(dh_param_bitsizes[0]))
+
+static void generate_dh_parameters(int bitsize, int fd, const char *fname)
 {
+        DH *dh = DH_generate_parameters(bitsize, DH_GENERATOR, NULL, NULL);
+	unsigned char *buf, *p;
+	int len;
+
+	len = i2d_DHparams(dh, NULL);
+	if (len < 0)
+		i_fatal("i2d_DHparams() failed");
+
+	buf = p = i_malloc(len);
+	len = i2d_DHparams(dh, &p);
+
+	if (write_full(fd, &bitsize, sizeof(bitsize)) < 0 ||
+	    write_full(fd, &len, sizeof(len)) < 0 ||
+	    write_full(fd, buf, len) < 0)
+		i_fatal("write_full() failed for file %s: %m", fname);
+	i_free(buf);
+}
+
+void _ssl_generate_parameters(int fd, const char *fname)
+{
+	unsigned int i;
+	int bits;
+
+	for (i = 0; i < DH_PARAM_BITSIZE_COUNT; i++)
+		generate_dh_parameters(dh_param_bitsizes[i], fd, fname);
+	bits = 0;
+	write_full(fd, &bits, sizeof(bits));
 }
 
 #endif
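Review bot: DH_generate_parameters() in generate_dh_parameters() can return NULL, but `dh` goes straight into i2d_DHparams() with no check, and the DH object is never released with DH_free() after encoding. The terminating `bits = 0` record in _ssl_generate_parameters() is written with an unchecked write_full(), unlike the three writes above it that i_fatal() on failure, so a short write of the end marker goes unnoticed; the second i2d_DHparams() return value is likewise not compared against the probed `len` before the buffer is written. As a defensive caveat, the 512-bit entry in dh_param_bitsizes is far below what is considered adequate today, so it may be worth revisiting whether it needs to be in the list.

```c
	DH *dh = DH_generate_parameters(bitsize, DH_GENERATOR, NULL, NULL);
	/* … unchanged: buf/p/len declarations … */
	if (dh == NULL)
		i_fatal("DH_generate_parameters(%d bits) failed", bitsize);
	/* … unchanged: i2d_DHparams() probe and encode, write_full() of bitsize/len/buf … */
	i_free(buf);
	DH_free(dh);
}

/* … unchanged: _ssl_generate_parameters() loop … */
	bits = 0;
	if (write_full(fd, &bits, sizeof(bits)) < 0)
		i_fatal("write_full() failed for file %s: %m", fname);
```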

Index: ssl-init.c
===================================================================
RCS file: /var/lib/cvs/dovecot/src/master/ssl-init.c,v
retrieving revision 1.14
retrieving revision 1.15
diff -u -d -r1.14 -r1.15
--- ssl-init.c	14 Jan 2006 18:48:02 -0000	1.14
+++ ssl-init.c	15 Jan 2006 12:35:04 -0000	1.15
@@ -18,12 +18,16 @@
 static void generate_parameters_file(const char *fname)
 {
 	const char *temp_fname;
+	mode_t old_mask;
 	int fd;
 
 	temp_fname = t_strconcat(fname, ".tmp", NULL);
 	(void)unlink(temp_fname);
 
-	fd = open(temp_fname, O_WRONLY | O_CREAT | O_EXCL, 0600);
+	old_mask = umask(0);
+	fd = open(temp_fname, O_WRONLY | O_CREAT | O_EXCL, 0644);
+	umask(old_mask);
+
 	if (fd == -1) {
 		i_fatal("Can't create temporary SSL parameters file %s: %m",
 			temp_fname);
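Review bot: The umask(0) / umask(old_mask) pair around open() alters process-wide state just to force the final mode to 0644; fchmod() on the returned descriptor gives the same result without the window in which any other file creation in this process would ignore the configured umask. Keeping the original open() and adding `if (fd != -1 && fchmod(fd, 0644) < 0) i_fatal("fchmod(%s) failed: %m", temp_fname);` after it achieves this. Making the file world-readable is presumably intentional since DH parameters are public data and other processes read the file, but a one-line comment saying so would save the next reader from reverting it to 0600. generate_parameters_file() continues past the end of this hunk.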
@@ -82,10 +86,11 @@
 		st.st_mtime = 0;
 	}
 
-	/* make sure it's new enough and the permissions are correct */
+	/* make sure it's new enough, it's not 0 sized, and the permissions
+	   are correct */
 	regen_time = st.st_mtime +
 		(time_t)(set->ssl_parameters_regenerate*3600);
-	if (regen_time < ioloop_time || (st.st_mode & 077) != 0 ||
+	if (regen_time < ioloop_time || st.st_size == 0 ||
 	    st.st_uid != master_uid || st.st_gid != getegid()) {
 		start_generate_process(set);
 		return FALSE;
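Review bot: Dropping the `(st.st_mode & 077) != 0` test removes the only check on the file's mode, so a group- or world-writable parameters file now passes as long as the uid/gid match, yet the updated comment still promises that "the permissions are correct". Since the file is created 0644 and the master is meant to be its sole writer, a narrower test that keeps the comment true would be `if (regen_time < ioloop_time || st.st_size == 0 || (st.st_mode & 022) != 0 ||`. The enclosing function starts and ends outside this hunk.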


