Can disable PKCS11 in Makefile with AVOID_GNUTLS_PKCS11 build flag.
Rename gnutls_enable_pkcs11 option to gnutls_allow_auto_pkcs11.
Update Changelog
.section "TLS" "SECID108"
.table2
.row &%gnutls_compat_mode%& "use GnuTLS compatibility mode"
-.row &%gnutls_enable_pkcs11%& "allow GnuTLS to autoload PKCS11 modules"
+.row &%gnutls_allow_auto_pkcs11%& "allow GnuTLS to autoload PKCS11 modules"
.row &%openssl_options%& "adjust OpenSSL compatibility options"
.row &%tls_advertise_hosts%& "advertise TLS to these hosts"
.row &%tls_certificate%& "location of server certificate"
.new
-option gnutls_enable_pkcs11 main boolean unset
+option gnutls_allow_auto_pkcs11 main boolean unset
This option will let GnuTLS (2.12.0 or later) autoload PKCS11 modules with
the p11-kit configuration files in &_/etc/pkcs11/modules/_&.
JH/03 Add expansion operators ${listnamed:name} and ${listcount:string}
-PP/09 Add gnutls_enable_pkcs11 option.
+PP/09 Add gnutls_allow_auto_pkcs11 option (was originally called
+ gnutls_enable_pkcs11, but renamed to more accurately indicate its
+ function.
PP/10 Let Linux makefile inherit CFLAGS/CFLAGS_DYNAMIC.
Pulled from Debian 30_dontoverridecflags.dpatch by Andreas Metzler.
TL/19 Bugzilla 1402 - Test 533 fails if any part of the path to the test suite
contains upper case chars. Make router use caseful_local_part.
+TL/20 Bugzilla 1400 - Add AVOID_GNUTLS_PKCS11 build option. Allows GnuTLS
+ support when GnuTLS has been built with p11-kit.
+
Exim version 4.80.1
-------------------
8. New expansion operators ${listnamed:name} to get the content of a named list
and ${listcount:string} to count the items in a list.
- 9. New global option "gnutls_enable_pkcs11", defaults false. The GnuTLS
+ 9. New global option "gnutls_allow_auto_pkcs11", defaults false. The GnuTLS
rewrite in 4.80 combines with GnuTLS 2.12.0 or later, to autoload PKCS11
modules. For some situations this is desirable, but we expect admin in
those situations to know they want the feature. More commonly, it means
through, thus breakage. So we explicitly inhibit the PKCS11 initialisation
unless this new option is set.
+ Some older OS's with earlier versions of GnuTLS might not have pkcs11 ability,
+ so have also added a build option which can be used to build Exim with GnuTLS
+ but without trying to use any kind of PKCS11 support. Uncomment this in the
+ Local/Makefile:
+
+ AVOID_GNUTLS_PKCS11=yes
+
10. The "acl = name" condition on an ACL now supports optional arguments.
New expansion item "${acl {name}{arg}...}" and expansion condition
"acl {{name}{arg}...}" are added. In all cases up to nine arguments
gecos_name string* unset main
gecos_pattern string unset main
gethostbyname boolean false smtp
+gnutls_allow_auto_pkcs11 boolean false main 4.82
gnutls_compat_mode boolean unset main 4.70
-gnutls_enable_pkcs11 boolean false main 4.82
gnutls_require_kx string* unset main 4.67 deprecated, warns
string* unset smtp 4.67 deprecated, warns
gnutls_require_mac string* unset main 4.67 deprecated, warns
Exim version 4.82
-----------------
- * New option gnutls_enable_pkcs11 defaults false; if you have GnuTLS 2.12.0
+ * New option gnutls_allow_auto_pkcs11 defaults false; if you have GnuTLS 2.12.0
or later and do want PKCS11 modules to be autoloaded, then set this option.
* A per-transport wait-<name> database is no longer updated if the transport
egrep "^[$st]*(AUTH|LOOKUP)_[A-Z0-9_]*[$st]*=[$st]*" $mft | \
sed "s/[$st]*=/='/" | \
sed "s/\$/'/" > $mftt
-egrep "^[$st]*((USE_(OPENSSL|GNUTLS)_PC)|SUPPORT_TLS|USE_GNUTLS|PCRE_CONFIG)[$st]*=[$st]*" $mft | \
+egrep "^[$st]*((USE_(OPENSSL|GNUTLS)_PC)|SUPPORT_TLS|USE_GNUTLS|PCRE_CONFIG|AVOID_GNUTLS_PKCS11)[$st]*=[$st]*" $mft | \
sed "s/[$st]*=/='/" | \
sed "s/\$/'/" >> $mftt
if test -s $mftt
esac
;;
+ AVOID_GNUTLS_PKCS11)
+ echo "$var=yes"
+ ;;
+
esac
done
echo "# End of pkg-config fixups"
# USE_GNUTLS_PC=gnutls
# TLS_LIBS=-lgnutls -ltasn1 -lgcrypt
+# The security fix we provide with the gnutls_allow_auto_pkcs11 option
+# (4.82 PP/09) introduces a compatibility regression. The symbol is
+# not available if GnuTLS is build without p11-kit (--without-p11-kit
+# configure option). In this case use AVOID_GNUTLS_PKCS11=yes when
+# building Exim.
+# AVOID_GNUTLS_PKCS11=yes
+
# If you are running Exim as a server, note that just building it with TLS
# support is not all you need to do. You also need to set up a suitable
# certificate, and tell Exim about it by means of the tls_certificate
#define USE_DB
#define USE_GDBM
#define USE_GNUTLS
+#define AVOID_GNUTLS_PKCS11
#define USE_READLINE
#define USE_TCP_WRAPPERS
#define USE_TDB
#ifdef SUPPORT_TLS
BOOL gnutls_compat_mode = FALSE;
-BOOL gnutls_enable_pkcs11 = FALSE;
+BOOL gnutls_allow_auto_pkcs11 = FALSE;
uschar *gnutls_require_mac = NULL;
uschar *gnutls_require_kx = NULL;
uschar *gnutls_require_proto = NULL;
#ifdef SUPPORT_TLS
extern BOOL gnutls_compat_mode; /* Less security, more compatibility */
-extern BOOL gnutls_enable_pkcs11; /* Let GnuTLS autoload PKCS11 modules */
+extern BOOL gnutls_allow_auto_pkcs11; /* Let GnuTLS autoload PKCS11 modules */
extern uschar *gnutls_require_mac; /* So some can be avoided */
extern uschar *gnutls_require_kx; /* So some can be avoided */
extern uschar *gnutls_require_proto; /* So some can be avoided */
{ "gecos_name", opt_stringptr, &gecos_name },
{ "gecos_pattern", opt_stringptr, &gecos_pattern },
#ifdef SUPPORT_TLS
+ { "gnutls_allow_auto_pkcs11", opt_bool, &gnutls_allow_auto_pkcs11 },
{ "gnutls_compat_mode", opt_bool, &gnutls_compat_mode },
- { "gnutls_enable_pkcs11", opt_bool, &gnutls_enable_pkcs11 },
/* These three gnutls_require_* options stopped working in Exim 4.80 */
{ "gnutls_require_kx", opt_stringptr, &gnutls_require_kx },
{ "gnutls_require_mac", opt_stringptr, &gnutls_require_mac },
#define HAVE_GNUTLS_SESSION_CHANNEL_BINDING
#define HAVE_GNUTLS_SEC_PARAM_CONSTANTS
#define HAVE_GNUTLS_RND
+/* The security fix we provide with the gnutls_allow_auto_pkcs11 option
+ * (4.82 PP/09) introduces a compatibility regression. The symbol simply
+ * isn't available sometimes, so this needs to become a conditional
+ * compilation; the sanest way to deal with this being a problem on
+ * older OSes is to block it in the Local/Makefile with this compiler
+ * definition */
+#ifndef AVOID_GNUTLS_PKCS11
#define HAVE_GNUTLS_PKCS11
+#endif /* AVOID_GNUTLS_PKCS11 */
#endif
by some sysadmin, but also means in common configurations that GNOME keyring
environment variables are used and so breaks for users calling mailq.
To prevent this, we init PKCS11 first, which is the documented approach. */
- if (!gnutls_enable_pkcs11)
+ if (!gnutls_allow_auto_pkcs11)
{
rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
exim_gnutls_err_check(US"gnutls_pkcs11_init");
"already initialised GnuTLS, Exim developer bug");
#ifdef HAVE_GNUTLS_PKCS11
-if (!gnutls_enable_pkcs11)
+if (!gnutls_allow_auto_pkcs11)
{
rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
validate_check_rc(US"gnutls_pkcs11_init");