On 2012-06-23 Phil Pennock <pdp@???> wrote:
> On 2012-06-23 at 09:07 +0200, Andreas Metzler wrote:
> > After the GnuTLS revamp it looks like PKCS#11 modules are
> > suddenly (unnecessarily) autoloaded and fail due to SUID:
> Note: the problem here isn't suid itself, but that environment variables
> passed through are no longer valid.
> If you find the two calls to gnutls_global_init() in tls-gnu.c and
> before them insert:
> rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
> and one of:
> exim_gnutls_err_check(US"gnutls_pkcs11_init");
> validate_check_rc(US"gnutls_pkcs11_init");
> (it should be obvious which goes where, just stay consistent)
> then does that fix the problem?
[...]
It does, thank you for the fix and explanation.
cu andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
Description: Disable autoloading of PKCS#11 modules.
Author: Phil Pennock <pdp@???>
Origin: upstream
Bug-Debian: http://bugs.debian.org/678238
Forwarded: http://article.gmane.org/gmane.mail.exim.devel/5732
Last-Update: 2012-06-23
Index: b/src/tls-gnu.c
===================================================================
--- a/src/tls-gnu.c 2012-06-23 18:17:41.000000000 +0200
+++ b/src/tls-gnu.c 2012-06-23 18:18:31.000000000 +0200
@@ -39,6 +39,8 @@ require current GnuTLS, then we'll drop
#include <gnutls/x509.h>
/* man-page is incorrect, gnutls_rnd() is not in gnutls.h: */
#include <gnutls/crypto.h>
+/* needed for gnutls_pkcs11_init */
+#include <gnutls/pkcs11.h>
/* GnuTLS 2 vs 3
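Review bot: the new #include <gnutls/pkcs11.h> is unconditional, yet the comment right below it ("GnuTLS 2 vs 3") shows this file is still built against GnuTLS 2 as well as 3, and the PKCS#11 API (this header and gnutls_pkcs11_init) only exists from the 2.12 series onward. Either record the raised minimum GnuTLS version in the build documentation or guard the include and both gnutls_pkcs11_init() calls with a GNUTLS_VERSION_NUMBER check so older 2.x builds keep compiling. The added comment would also be more useful if it said why the call is needed, e.g. "/* gnutls_pkcs11_init(): stop GnuTLS autoloading PKCS#11 modules when running setuid */".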
@@ -910,6 +912,8 @@ if (!exim_gnutls_base_init_done)
{
DEBUG(D_tls) debug_printf("GnuTLS global init required.\n");
+ rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
+ exim_gnutls_err_check(US"gnutls_pkcs11_init");
rc = gnutls_global_init();
exim_gnutls_err_check(US"gnutls_global_init");
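Review bot: the inserted gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL) carries no comment explaining why it has to run before gnutls_global_init(); that reasoning exists only in the mailing-list thread (without the MANUAL flag, global init autoloads PKCS#11 modules, which fails under setuid). A one-line comment above the call protects the ordering from a later tidy-up. Also worth a second look: exim_gnutls_err_check() aborts the whole TLS initialisation on a non-zero rc, so a broken PKCS#11 setup on the host would now disable TLS even though the intent of the change is to not use PKCS#11 at all; logging the failure and continuing may be the better outcome here.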
@@ -1942,6 +1946,8 @@ if (exim_gnutls_base_init_done)
log_write(0, LOG_MAIN|LOG_PANIC,
"already initialised GnuTLS, Exim developer bug");
+rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
+validate_check_rc(US"gnutls_pkcs11_init");
rc = gnutls_global_init();
validate_check_rc(US"gnutls_global_init()");
exim_gnutls_base_init_done = TRUE;
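Review bot: the label strings handed to the check macros are inconsistent within this hunk: the new line uses US"gnutls_pkcs11_init" while the existing line directly below uses US"gnutls_global_init()" with parentheses, and the matching line in the earlier hunk uses US"gnutls_global_init" without them. Pick one form. More substantively, the identical two-line PKCS#11 prologue now precedes both gnutls_global_init() calls; folding the pair into a small static helper that returns rc (so each caller keeps its own check macro) would stop the two initialisation paths drifting apart the next time the sequence changes.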