[dovecot-cvs] dovecot/src/master master-settings.c, 1.99,
1.100 ssl-init-openssl.c, 1.5, 1.6 ssl-init.c, 1.14, 1.15
cras at dovecot.org
cras at dovecot.org
Sun Jan 15 14:35:06 EET 2006
Update of /var/lib/cvs/dovecot/src/master
In directory talvi:/tmp/cvs-serv2829/src/master
Modified Files:
master-settings.c ssl-init-openssl.c ssl-init.c
Log Message:
Generate DH parameters and use them. Changed default regeneration time to 1
week.
Index: master-settings.c
===================================================================
RCS file: /var/lib/cvs/dovecot/src/master/master-settings.c,v
retrieving revision 1.99
retrieving revision 1.100
diff -u -d -r1.99 -r1.100
--- master-settings.c 13 Jan 2006 20:26:40 -0000 1.99
+++ master-settings.c 15 Jan 2006 12:35:03 -0000 1.100
@@ -257,7 +257,7 @@
MEMBER(ssl_cert_file) SSLDIR"/certs/dovecot.pem",
MEMBER(ssl_key_file) SSLDIR"/private/dovecot.pem",
MEMBER(ssl_parameters_file) "ssl-parameters.dat",
- MEMBER(ssl_parameters_regenerate) 24,
+ MEMBER(ssl_parameters_regenerate) 168,
MEMBER(ssl_cipher_list) NULL,
MEMBER(ssl_verify_client_cert) FALSE,
MEMBER(disable_plaintext_auth) TRUE,
Index: ssl-init-openssl.c
===================================================================
RCS file: /var/lib/cvs/dovecot/src/master/ssl-init-openssl.c,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -d -r1.5 -r1.6
--- ssl-init-openssl.c 30 May 2003 11:56:25 -0000 1.5
+++ ssl-init-openssl.c 15 Jan 2006 12:35:04 -0000 1.6
@@ -1,13 +1,50 @@
/* Copyright (C) 2002 Timo Sirainen */
#include "common.h"
+#include "write-full.h"
#include "ssl-init.h"
#ifdef HAVE_OPENSSL
-void _ssl_generate_parameters(int fd __attr_unused__,
- const char *fname __attr_unused__)
+#include <openssl/ssl.h>
+
+/* 2 or 5. Haven't seen their difference explained anywhere, but 2 is the
+ default.. */
+#define DH_GENERATOR 2
+
+static int dh_param_bitsizes[] = { 512, 1024 };
+#define DH_PARAM_BITSIZE_COUNT \
+ (sizeof(dh_param_bitsizes)/sizeof(dh_param_bitsizes[0]))
+
+static void generate_dh_parameters(int bitsize, int fd, const char *fname)
{
+ DH *dh = DH_generate_parameters(bitsize, DH_GENERATOR, NULL, NULL);
+ unsigned char *buf, *p;
+ int len;
+
+ len = i2d_DHparams(dh, NULL);
+ if (len < 0)
+ i_fatal("i2d_DHparams() failed");
+
+ buf = p = i_malloc(len);
+ len = i2d_DHparams(dh, &p);
+
+ if (write_full(fd, &bitsize, sizeof(bitsize)) < 0 ||
+ write_full(fd, &len, sizeof(len)) < 0 ||
+ write_full(fd, buf, len) < 0)
+ i_fatal("write_full() failed for file %s: %m", fname);
+ i_free(buf);
+}
+
+void _ssl_generate_parameters(int fd, const char *fname)
+{
+ unsigned int i;
+ int bits;
+
+ for (i = 0; i < DH_PARAM_BITSIZE_COUNT; i++)
+ generate_dh_parameters(dh_param_bitsizes[i], fd, fname);
+ bits = 0;
+ write_full(fd, &bits, sizeof(bits));
}
#endif
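Review bot: `DH_generate_parameters()` at the top of generate_dh_parameters() can return NULL, and the result is handed straight to `i2d_DHparams()` without a check; add `if (dh == NULL) i_fatal("DH_generate_parameters() failed");` before the first i2d_DHparams() call. The DH object is also never released, so every call leaks it — `DH_free(dh);` belongs next to `i_free(buf);`. In _ssl_generate_parameters() the terminating `write_full(fd, &bits, sizeof(bits))` ignores its return value, unlike the writes in the helper, so a short write would leave the file without its end marker; it should get the same `i_fatal("write_full() failed for file %s: %m", fname)` treatment. Separately, the 512-bit entry in dh_param_bitsizes gives little margin against precomputation attacks on the group; a comment stating why it is kept (client compatibility, presumably) would help the next reader decide when to drop it.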
Index: ssl-init.c
===================================================================
RCS file: /var/lib/cvs/dovecot/src/master/ssl-init.c,v
retrieving revision 1.14
retrieving revision 1.15
diff -u -d -r1.14 -r1.15
--- ssl-init.c 14 Jan 2006 18:48:02 -0000 1.14
+++ ssl-init.c 15 Jan 2006 12:35:04 -0000 1.15
@@ -18,12 +18,16 @@
static void generate_parameters_file(const char *fname)
{
const char *temp_fname;
+ mode_t old_mask;
int fd;
temp_fname = t_strconcat(fname, ".tmp", NULL);
(void)unlink(temp_fname);
- fd = open(temp_fname, O_WRONLY | O_CREAT | O_EXCL, 0600);
+ old_mask = umask(0);
+ fd = open(temp_fname, O_WRONLY | O_CREAT | O_EXCL, 0644);
+ umask(old_mask);
+
if (fd == -1) {
i_fatal("Can't create temporary SSL parameters file %s: %m",
temp_fname);
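Review bot: Toggling the process-wide umask around open() is a global side effect used only to obtain a 0644 file; `fchmod(fd, 0644)` placed after the `fd == -1` check gives the same result without the umask(0) window and keeps the intended mode explicit at one place. If the umask juggling stays, a comment such as `/* parameters are public; force 0644 regardless of the inherited umask */` would explain why the earlier 0600 was dropped. generate_parameters_file() continues past the end of this hunk.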
@@ -82,10 +86,11 @@
st.st_mtime = 0;
}
- /* make sure it's new enough and the permissions are correct */
+ /* make sure it's new enough, it's not 0 sized, and the permissions
+ are correct */
regen_time = st.st_mtime +
(time_t)(set->ssl_parameters_regenerate*3600);
- if (regen_time < ioloop_time || (st.st_mode & 077) != 0 ||
+ if (regen_time < ioloop_time || st.st_size == 0 ||
st.st_uid != master_uid || st.st_gid != getegid()) {
start_generate_process(set);
return FALSE;
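Review bot: The reworded comment still promises that "the permissions are correct", but the `(st.st_mode & 077) != 0` test was removed outright and nothing replaced it, so only the owner uid and gid are verified now. World-readable was the goal, not world-writable: a narrower test such as `(st.st_mode & 022) != 0 ||` in the same condition would make a parameters file writable by other accounts get regenerated instead of trusted. The new `st.st_size == 0` test catches an empty file but presumably not one truncated mid-write; whether the reader validates the trailing zero bitsize marker is worth confirming. The enclosing function starts and ends outside this hunk.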