Bug 1400: Fix GnuTLS PKCS11 issues

Can disable PKCS11 in Makefile with AVOID_GNUTLS_PKCS11 build flag.
Rename gnutls_enable_pkcs11 option to gnutls_allow_auto_pkcs11.
Update Changelog

8 files changed, 27 insertions, 7 deletions

diff --git a/src/README.UPDATING b/src/README.UPDATING
index 8b39848b4..62652e700 100644
--- a/src/README.UPDATING
+++ b/src/README.UPDATING
@@ -29,7 +29,7 @@ that might affect a running system.
 Exim version 4.82
 -----------------
 
- * New option gnutls_enable_pkcs11 defaults false; if you have GnuTLS 2.12.0
+ * New option gnutls_allow_auto_pkcs11 defaults false; if you have GnuTLS 2.12.0
    or later and do want PKCS11 modules to be autoloaded, then set this option.
 
  * A per-transport wait-<name> database is no longer updated if the transport
diff --git a/src/scripts/Configure-Makefile b/src/scripts/Configure-Makefile
index 58b2b5770..5e8a72683 100755
--- a/src/scripts/Configure-Makefile
+++ b/src/scripts/Configure-Makefile
@@ -118,7 +118,7 @@ done >> $mft || exit 1
 egrep "^[$st]*(AUTH|LOOKUP)_[A-Z0-9_]*[$st]*=[$st]*" $mft | \
   sed "s/[$st]*=/='/" | \
   sed "s/\$/'/" > $mftt
-egrep "^[$st]*((USE_(OPENSSL|GNUTLS)_PC)|SUPPORT_TLS|USE_GNUTLS|PCRE_CONFIG)[$st]*=[$st]*" $mft | \
+egrep "^[$st]*((USE_(OPENSSL|GNUTLS)_PC)|SUPPORT_TLS|USE_GNUTLS|PCRE_CONFIG|AVOID_GNUTLS_PKCS11)[$st]*=[$st]*" $mft | \
   sed "s/[$st]*=/='/" | \
   sed "s/\$/'/" >> $mftt
 if test -s $mftt
@@ -187,6 +187,10 @@ then
         esac
         ;;
 
+      AVOID_GNUTLS_PKCS11)
+        echo "$var=yes"
+        ;;
+
     esac
   done
   echo "# End of pkg-config fixups"
diff --git a/src/src/EDITME b/src/src/EDITME
index f44a1e3a5..3f818f355 100644
--- a/src/src/EDITME
+++ b/src/src/EDITME
@@ -728,6 +728,13 @@ HEADERS_CHARSET="ISO-8859-1"
 # USE_GNUTLS_PC=gnutls
 # TLS_LIBS=-lgnutls -ltasn1 -lgcrypt
 
+# The security fix we provide with the gnutls_allow_auto_pkcs11 option
+# (4.82 PP/09) introduces a compatibility regression.  The symbol is
+# not available if GnuTLS is build without p11-kit (--without-p11-kit
+# configure option).  In this case use AVOID_GNUTLS_PKCS11=yes when
+# building Exim.
+# AVOID_GNUTLS_PKCS11=yes
+
 # If you are running Exim as a server, note that just building it with TLS
 # support is not all you need to do. You also need to set up a suitable
 # certificate, and tell Exim about it by means of the tls_certificate
diff --git a/src/src/config.h.defaults b/src/src/config.h.defaults
index 19bc1b180..8c1e799da 100644
--- a/src/src/config.h.defaults
+++ b/src/src/config.h.defaults
@@ -152,6 +152,7 @@ it's a default value. */
 #define USE_DB
 #define USE_GDBM
 #define USE_GNUTLS
+#define AVOID_GNUTLS_PKCS11
 #define USE_READLINE
 #define USE_TCP_WRAPPERS
 #define USE_TDB
diff --git a/src/src/globals.c b/src/src/globals.c
index 5f3234902..133a7bf74 100644
--- a/src/src/globals.c
+++ b/src/src/globals.c
@@ -123,7 +123,7 @@ tls_support tls_out = {
 
 #ifdef SUPPORT_TLS
 BOOL    gnutls_compat_mode     = FALSE;
-BOOL    gnutls_enable_pkcs11   = FALSE;
+BOOL    gnutls_allow_auto_pkcs11 = FALSE;
 uschar *gnutls_require_mac     = NULL;
 uschar *gnutls_require_kx      = NULL;
 uschar *gnutls_require_proto   = NULL;
diff --git a/src/src/globals.h b/src/src/globals.h
index 4acc7f8c2..265f94e60 100644
--- a/src/src/globals.h
+++ b/src/src/globals.h
@@ -93,7 +93,7 @@ extern tls_support tls_out;
 
 #ifdef SUPPORT_TLS
 extern BOOL    gnutls_compat_mode;     /* Less security, more compatibility */
-extern BOOL    gnutls_enable_pkcs11;   /* Let GnuTLS autoload PKCS11 modules */
+extern BOOL    gnutls_allow_auto_pkcs11; /* Let GnuTLS autoload PKCS11 modules */
 extern uschar *gnutls_require_mac;     /* So some can be avoided */
 extern uschar *gnutls_require_kx;      /* So some can be avoided */
 extern uschar *gnutls_require_proto;   /* So some can be avoided */
diff --git a/src/src/readconf.c b/src/src/readconf.c
index 6b0f3aaf7..77c798412 100644
--- a/src/src/readconf.c
+++ b/src/src/readconf.c
@@ -243,8 +243,8 @@ static optionlist optionlist_config[] = {
   { "gecos_name",               opt_stringptr,   &gecos_name },
   { "gecos_pattern",            opt_stringptr,   &gecos_pattern },
 #ifdef SUPPORT_TLS
+  { "gnutls_allow_auto_pkcs11", opt_bool,        &gnutls_allow_auto_pkcs11 },
   { "gnutls_compat_mode",       opt_bool,        &gnutls_compat_mode },
-  { "gnutls_enable_pkcs11",     opt_bool,        &gnutls_enable_pkcs11 },
   /* These three gnutls_require_* options stopped working in Exim 4.80 */
   { "gnutls_require_kx",        opt_stringptr,   &gnutls_require_kx },
   { "gnutls_require_mac",       opt_stringptr,   &gnutls_require_mac },
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index c90ae1411..5a37fae56 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -176,7 +176,15 @@ before, for now. */
 #define HAVE_GNUTLS_SESSION_CHANNEL_BINDING
 #define HAVE_GNUTLS_SEC_PARAM_CONSTANTS
 #define HAVE_GNUTLS_RND
+/* The security fix we provide with the gnutls_allow_auto_pkcs11 option
+ * (4.82 PP/09) introduces a compatibility regression. The symbol simply
+ * isn't available sometimes, so this needs to become a conditional
+ * compilation; the sanest way to deal with this being a problem on
+ * older OSes is to block it in the Local/Makefile with this compiler
+ * definition  */
+#ifndef AVOID_GNUTLS_PKCS11
 #define HAVE_GNUTLS_PKCS11
+#endif /* AVOID_GNUTLS_PKCS11 */
 #endif
 
 
@@ -922,7 +930,7 @@ if (!exim_gnutls_base_init_done)
   by some sysadmin, but also means in common configurations that GNOME keyring
   environment variables are used and so breaks for users calling mailq.
   To prevent this, we init PKCS11 first, which is the documented approach. */
-  if (!gnutls_enable_pkcs11)
+  if (!gnutls_allow_auto_pkcs11)
     {
     rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
     exim_gnutls_err_check(US"gnutls_pkcs11_init");
@@ -1967,7 +1975,7 @@ if (exim_gnutls_base_init_done)
       "already initialised GnuTLS, Exim developer bug");
 
 #ifdef HAVE_GNUTLS_PKCS11
-if (!gnutls_enable_pkcs11)
+if (!gnutls_allow_auto_pkcs11)
   {
   rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
   validate_check_rc(US"gnutls_pkcs11_init");