author | Phil Pennock <pdp@exim.org> | 2012-05-17 14:05:06 -0400 |
---|---|---|
committer | Phil Pennock <pdp@exim.org> | 2012-05-17 14:05:06 -0400 |
commit | 2c17bb02e213012d5d98ebac506a67b23b2cf693 (patch) | |
tree | a355260476b92533dca2d7b8f0a133fc15875ac4 | |
parent | c4ceed07f17f67af7d96e7fd27c92eb374e62e19 (diff) |
GnuTLS control constants exposed to Makefile.
Mostly care about EXIM_GNUTLS_LIBRARY_LOG_LEVEL for debugging.
If someone screams that we kept the default dh-bits at 1024 for old GnuTLS,
we can point them at EXIM_SERVER_DH_BITS_PRE2_12. The name itself will
tell them to shut up and update their library if they care about security. :)
-rw-r--r-- | src/src/buildconfig.c | 43 | ||||
-rw-r--r-- | src/src/config.h.defaults | 3 | ||||
-rw-r--r-- | src/src/tls-gnu.c | 6 |
3 files changed, 51 insertions, 1 deletions
diff --git a/src/src/buildconfig.c b/src/src/buildconfig.c
index e1c7f7504..c90d940aa 100644
--- a/src/src/buildconfig.c
+++ b/src/src/buildconfig.c
@@ -823,9 +823,50 @@ else if (isgroup)
 else if (strcmp(name, "TIMEZONE_DEFAULT") == 0||
 strcmp(name, "TCP_WRAPPERS_DAEMON_NAME") == 0||
 strcmp(name, "HEADERS_CHARSET") == 0||
- strcmp(name, "WHITELIST_D_MACROS") == 0)
+ strcmp(name, "WHITELIST_D_MACROS") == 0)
 fprintf(new, "\"%s\"\n", value);
+ /* GnuTLS constants; first is for debugging, others are tuning */
+
+ /* less than 0 is not-active; 0-9 are normal, API suggests higher
+ taken without problems */
+ else if (strcmp(name, "EXIM_GNUTLS_LIBRARY_LOG_LEVEL") == 0)
+ {
+ long nv;
+ char *end;
+ nv = strtol(value, &end, 10);
+ if (end != value && *end == '\0' && nv >= -1 && nv <= 100)
+ {
+ fprintf(new, "%s\n", value);
+ }
+ else
+ {
+ printf("Value of %s should be -1..9\n", name);
+ return 1;
+ }
+ }
+
+ /* how many bits Exim, as a client, demands must be in D-H */
+ /* as of GnuTLS 2.12.x, we ask for "normal" for D-H PK; before that, we
+ specify the number of bits. We've stuck with the historical value, but
+ it can be overriden. */
+ else if ((strcmp(name, "EXIM_CLIENT_DH_MIN_BITS") == 0) ||
+ (strcmp(name, "EXIM_SERVER_DH_BITS_PRE2_12") == 0))
+ {
+ long nv;
+ char *end;
+ nv = strtol(value, &end, 10);
+ if (end != value && *end == '\0' && nv >= 1000 && nv < 50000)
+ {
+ fprintf(new, "%s\n", value);
+ }
+ else
+ {
+ printf("Unreasonable value (%s) of \"%s\".\n", value, name);
+ return 1;
+ }
+ }
+
 /* For others, quote any paths and don't quote anything else */
 else
diff --git a/src/src/config.h.defaults b/src/src/config.h.defaults
index 7badb8d34..1e75a1e21 100644
--- a/src/src/config.h.defaults
+++ b/src/src/config.h.defaults
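Review bot: The accepted range for EXIM_GNUTLS_LIBRARY_LOG_LEVEL disagrees with its own rejection message: the new check admits `nv >= -1 && nv <= 100`, but the failure path prints "Value of %s should be -1..9", and the comment kept in the tls-gnu.c hunk of this same commit still documents "values 0 to 9". Either the check should be tightened to `nv <= 9`, or, if values above 9 are deliberately tolerated as the comment above the check suggests, the message should match, e.g. `printf("Value of %s should be -1..100\n", name);`. The two new branches also repeat the same strtol-then-range pattern with the error text in two places; a small static helper taking the lower and upper bound would keep that in one spot, though that part is cosmetic. The enclosing else-if chain begins and ends outside the hunk.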
@@ -49,6 +49,9 @@ it's a default value. */
 #define EXIMDB_LOCK_TIMEOUT 60
 #define EXIMDB_LOCKFILE_MODE 0640
 #define EXIMDB_MODE 0640
+#define EXIM_CLIENT_DH_MIN_BITS
+#define EXIM_GNUTLS_LIBRARY_LOG_LEVEL
+#define EXIM_SERVER_DH_BITS_PRE2_12
 #define EXIM_PERL
 /* Both uid and gid are triggered by this */
 #define EXIM_UID
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index 2f50787c2..4e1e5104b 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -148,14 +148,20 @@ static BOOL exim_gnutls_base_init_done = FALSE;
 /* Set this to control gnutls_global_set_log_level(); values 0 to 9 will setup the library logging; a value less than 0 disables the calls to set up logging callbacks. */
+#ifndef EXIM_GNUTLS_LIBRARY_LOG_LEVEL
 #define EXIM_GNUTLS_LIBRARY_LOG_LEVEL -1
+#endif
+#ifndef EXIM_CLIENT_DH_MIN_BITS
 #define EXIM_CLIENT_DH_MIN_BITS 1024
+#endif
 /* With GnuTLS 2.12.x+ we have gnutls_sec_param_to_pk_bits() with which we can ask for a bit-strength. Without that, we stick to the constant we had before, for now. */
+#ifndef EXIM_SERVER_DH_BITS_PRE2_12
 #define EXIM_SERVER_DH_BITS_PRE2_12 1024
+#endif
 #define exim_gnutls_err_check(Label) do { \
 if (rc != GNUTLS_E_SUCCESS) { return tls_error((Label), gnutls_strerror(rc), host); } } while (0) |
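Review bot: EXIM_CLIENT_DH_MIN_BITS is the only one of the three now-overridable constants in tls-gnu.c that carries no comment, and nothing at the definition says that all three can now be set from the Makefile rather than edited here. Since buildconfig.c already describes it as the number of bits Exim, as a client, demands in D-H, a matching line above the new `#ifndef EXIM_CLIENT_DH_MIN_BITS`, e.g. `/* Minimum D-H bits Exim as a client will accept; overridable via Local/Makefile (checked in buildconfig.c). */`, would let a reader of this file find the knob without opening buildconfig.c. A one-line remark on the log-level and server-bits comments that the default below applies only when the Makefile leaves the name unset would serve the same purpose.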