[exim-cvs] GnuTLS control constants exposed to Makefile.

Author: Exim Git Commits Mailing List
Date:  
To: exim-cvs
Subject: [exim-cvs] GnuTLS control constants exposed to Makefile.
Gitweb: http://git.exim.org/exim.git/commitdiff/2c17bb02e213012d5d98ebac506a67b23b2cf693
Commit:     2c17bb02e213012d5d98ebac506a67b23b2cf693
Parent:     c4ceed07f17f67af7d96e7fd27c92eb374e62e19
Author:     Phil Pennock <pdp@???>
AuthorDate: Thu May 17 14:05:06 2012 -0400
Committer:  Phil Pennock <pdp@???>
CommitDate: Thu May 17 14:05:06 2012 -0400


    GnuTLS control constants exposed to Makefile.


    Mostly care about EXIM_GNUTLS_LIBRARY_LOG_LEVEL for debugging.
    If someone screams that we kept the default dh-bits at 1024 for old GnuTLS,
    we can point them at EXIM_SERVER_DH_BITS_PRE2_12.  The name itself will
    tell them to shut up and update their library if they care about security. :)
---
 src/src/buildconfig.c     |   43 ++++++++++++++++++++++++++++++++++++++++++-
 src/src/config.h.defaults |    3 +++
 src/src/tls-gnu.c         |    6 ++++++
 3 files changed, 51 insertions(+), 1 deletions(-)


diff --git a/src/src/buildconfig.c b/src/src/buildconfig.c
index e1c7f75..c90d940 100644
--- a/src/src/buildconfig.c
+++ b/src/src/buildconfig.c
@@ -823,9 +823,50 @@ else if (isgroup)
       else if (strcmp(name, "TIMEZONE_DEFAULT") == 0||
                strcmp(name, "TCP_WRAPPERS_DAEMON_NAME") == 0||
                strcmp(name, "HEADERS_CHARSET") == 0||
-           strcmp(name, "WHITELIST_D_MACROS") == 0)
+               strcmp(name, "WHITELIST_D_MACROS") == 0)
         fprintf(new, "\"%s\"\n", value);


+      /* GnuTLS constants; first is for debugging, others are tuning */
+
+      /* less than 0 is not-active; 0-9 are normal, API suggests higher
+      taken without problems */
+      else if (strcmp(name, "EXIM_GNUTLS_LIBRARY_LOG_LEVEL") == 0)
+        {
+        long nv;
+        char *end;
+        nv = strtol(value, &end, 10);
+        if (end != value && *end == '\0' && nv >= -1 && nv <= 100)
+          {
+          fprintf(new, "%s\n", value);
+          }
+        else
+          {
+          printf("Value of %s should be -1..9\n", name);
+          return 1;
+          }
+        }
+
+      /* how many bits Exim, as a client, demands must be in D-H */
+      /* as of GnuTLS 2.12.x, we ask for "normal" for D-H PK; before that, we
+      specify the number of bits.  We've stuck with the historical value, but
+      it can be overriden. */
+      else if ((strcmp(name, "EXIM_CLIENT_DH_MIN_BITS") == 0) ||
+               (strcmp(name, "EXIM_SERVER_DH_BITS_PRE2_12") == 0))
+        {
+        long nv;
+        char *end;
+        nv = strtol(value, &end, 10);
+        if (end != value && *end == '\0' && nv >= 1000 && nv < 50000)
+          {
+          fprintf(new, "%s\n", value);
+          }
+        else
+          {
+          printf("Unreasonable value (%s) of \"%s\".\n", value, name);
+          return 1;
+          }
+        }
+
       /* For others, quote any paths and don't quote anything else */


       else
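Review bot: The rejection message for EXIM_GNUTLS_LIBRARY_LOG_LEVEL does not match the range the check accepts: the condition admits -1..100, while the printf says "-1..9" and the comment above it says only that 0-9 are normal. Either widen the message to what is really accepted, `printf("Value of %s should be -1..100\n", name);`, or tighten the test to `nv >= -1 && nv <= 9` so the message stays true; as written a user who passes 50 gets no complaint and the misleading text only appears for genuinely bad input. Note also that the same comment says "less than 0 is not-active", yet -2 is refused, so if any negative value is meant to disable logging the lower bound should be documented as -1 specifically. Writing `value` verbatim into the generated header is acceptable here because the end-of-string check guarantees it parsed as a plain decimal integer, though emitting `nv` with `%ld` would normalise leading whitespace and an explicit '+' sign. The enclosing if/else chain starts and ends outside this hunk.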
diff --git a/src/src/config.h.defaults b/src/src/config.h.defaults
index 7badb8d..1e75a1e 100644
--- a/src/src/config.h.defaults
+++ b/src/src/config.h.defaults
@@ -49,6 +49,9 @@ it's a default value. */
 #define EXIMDB_LOCK_TIMEOUT          60
 #define EXIMDB_LOCKFILE_MODE       0640
 #define EXIMDB_MODE                0640
+#define EXIM_CLIENT_DH_MIN_BITS
+#define EXIM_GNUTLS_LIBRARY_LOG_LEVEL
+#define EXIM_SERVER_DH_BITS_PRE2_12
 #define EXIM_PERL
 /* Both uid and gid are triggered by this */
 #define EXIM_UID
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index 2f50787..4e1e510 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -148,14 +148,20 @@ static BOOL exim_gnutls_base_init_done = FALSE;
 /* Set this to control gnutls_global_set_log_level(); values 0 to 9 will setup
 the library logging; a value less than 0 disables the calls to set up logging
 callbacks. */
+#ifndef EXIM_GNUTLS_LIBRARY_LOG_LEVEL
 #define EXIM_GNUTLS_LIBRARY_LOG_LEVEL -1
+#endif


+#ifndef EXIM_CLIENT_DH_MIN_BITS
#define EXIM_CLIENT_DH_MIN_BITS 1024
+#endif

/* With GnuTLS 2.12.x+ we have gnutls_sec_param_to_pk_bits() with which we
can ask for a bit-strength. Without that, we stick to the constant we had
before, for now. */
+#ifndef EXIM_SERVER_DH_BITS_PRE2_12
#define EXIM_SERVER_DH_BITS_PRE2_12 1024
+#endif

#define exim_gnutls_err_check(Label) do { \
if (rc != GNUTLS_E_SUCCESS) { return tls_error((Label), gnutls_strerror(rc), host); } } while (0)
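Review bot: The comment preceding the new `#ifndef EXIM_GNUTLS_LIBRARY_LOG_LEVEL` guard still reads as if the constant were fixed in this file, but after this change it can be overridden from the Makefile via buildconfig.c, and the range buildconfig accepts there (-1..100) is wider than the "0 to 9" this comment describes. Suggest extending the comment with a sentence such as `/* May be overridden by setting EXIM_GNUTLS_LIBRARY_LOG_LEVEL in the Makefile; buildconfig.c accepts -1..100. */` so the two places agree. The same applies to the EXIM_CLIENT_DH_MIN_BITS and EXIM_SERVER_DH_BITS_PRE2_12 guards, whose comments should mention the Makefile override and the 1000..49999 range enforced at build time, since these are the only knobs for raising the D-H strength on pre-2.12 GnuTLS.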