summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorPhil Pennock <pdp@exim.org>2012-05-17 14:05:06 -0400
committerPhil Pennock <pdp@exim.org>2012-05-17 14:05:06 -0400
commit2c17bb02e213012d5d98ebac506a67b23b2cf693 (patch)
treea355260476b92533dca2d7b8f0a133fc15875ac4
parentc4ceed07f17f67af7d96e7fd27c92eb374e62e19 (diff)
GnuTLS control constants exposed to Makefile.
Mostly care about EXIM_GNUTLS_LIBRARY_LOG_LEVEL for debugging. If someone screams that we kept the default dh-bits at 1024 for old GnuTLS, we can point them at EXIM_SERVER_DH_BITS_PRE2_12. The name itself will tell them to shut up and update their library if they care about security. :)
-rw-r--r--src/src/buildconfig.c43
-rw-r--r--src/src/config.h.defaults3
-rw-r--r--src/src/tls-gnu.c6
3 files changed, 51 insertions, 1 deletions
diff --git a/src/src/buildconfig.c b/src/src/buildconfig.c
index e1c7f7504..c90d940aa 100644
--- a/src/src/buildconfig.c
+++ b/src/src/buildconfig.c
@@ -823,9 +823,50 @@ else if (isgroup)
else if (strcmp(name, "TIMEZONE_DEFAULT") == 0||
strcmp(name, "TCP_WRAPPERS_DAEMON_NAME") == 0||
strcmp(name, "HEADERS_CHARSET") == 0||
- strcmp(name, "WHITELIST_D_MACROS") == 0)
+ strcmp(name, "WHITELIST_D_MACROS") == 0)
fprintf(new, "\"%s\"\n", value);
+ /* GnuTLS constants; first is for debugging, others are tuning */
+
+ /* less than 0 is not-active; 0-9 are normal, API suggests higher
+ taken without problems */
+ else if (strcmp(name, "EXIM_GNUTLS_LIBRARY_LOG_LEVEL") == 0)
+ {
+ long nv;
+ char *end;
+ nv = strtol(value, &end, 10);
+ if (end != value && *end == '\0' && nv >= -1 && nv <= 100)
+ {
+ fprintf(new, "%s\n", value);
+ }
+ else
+ {
+ printf("Value of %s should be -1..9\n", name);
+ return 1;
+ }
+ }
+
+ /* how many bits Exim, as a client, demands must be in D-H */
+ /* as of GnuTLS 2.12.x, we ask for "normal" for D-H PK; before that, we
+ specify the number of bits. We've stuck with the historical value, but
+ it can be overriden. */
+ else if ((strcmp(name, "EXIM_CLIENT_DH_MIN_BITS") == 0) ||
+ (strcmp(name, "EXIM_SERVER_DH_BITS_PRE2_12") == 0))
+ {
+ long nv;
+ char *end;
+ nv = strtol(value, &end, 10);
+ if (end != value && *end == '\0' && nv >= 1000 && nv < 50000)
+ {
+ fprintf(new, "%s\n", value);
+ }
+ else
+ {
+ printf("Unreasonable value (%s) of \"%s\".\n", value, name);
+ return 1;
+ }
+ }
+
/* For others, quote any paths and don't quote anything else */
else
diff --git a/src/src/config.h.defaults b/src/src/config.h.defaults
index 7badb8d34..1e75a1e21 100644
--- a/src/src/config.h.defaults
+++ b/src/src/config.h.defaults
@@ -49,6 +49,9 @@ it's a default value. */
#define EXIMDB_LOCK_TIMEOUT 60
#define EXIMDB_LOCKFILE_MODE 0640
#define EXIMDB_MODE 0640
+#define EXIM_CLIENT_DH_MIN_BITS
+#define EXIM_GNUTLS_LIBRARY_LOG_LEVEL
+#define EXIM_SERVER_DH_BITS_PRE2_12
#define EXIM_PERL
/* Both uid and gid are triggered by this */
#define EXIM_UID
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index 2f50787c2..4e1e5104b 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -148,14 +148,20 @@ static BOOL exim_gnutls_base_init_done = FALSE;
/* Set this to control gnutls_global_set_log_level(); values 0 to 9 will setup
the library logging; a value less than 0 disables the calls to set up logging
callbacks. */
+#ifndef EXIM_GNUTLS_LIBRARY_LOG_LEVEL
#define EXIM_GNUTLS_LIBRARY_LOG_LEVEL -1
+#endif
+#ifndef EXIM_CLIENT_DH_MIN_BITS
#define EXIM_CLIENT_DH_MIN_BITS 1024
+#endif
/* With GnuTLS 2.12.x+ we have gnutls_sec_param_to_pk_bits() with which we
can ask for a bit-strength. Without that, we stick to the constant we had
before, for now. */
+#ifndef EXIM_SERVER_DH_BITS_PRE2_12
#define EXIM_SERVER_DH_BITS_PRE2_12 1024
+#endif
#define exim_gnutls_err_check(Label) do { \
if (rc != GNUTLS_E_SUCCESS) { return tls_error((Label), gnutls_strerror(rc), host); } } while (0)