GnuTLS control constants exposed to Makefile.

Mostly care about EXIM_GNUTLS_LIBRARY_LOG_LEVEL for debugging.
If someone screams that we kept the default dh-bits at 1024 for old GnuTLS,
we can point them at EXIM_SERVER_DH_BITS_PRE2_12.  The name itself will
tell them to shut up and update their library if they care about security. :)

diff --git a/src/src/buildconfig.c b/src/src/buildconfig.c
index e1c7f7504fa4a0e2b3450648f2d6ce6e50ba8252..c90d940aa8fcc0b881af69a3bf6fdf1c17b67f79 100644 (file)
--- a/src/src/buildconfig.c
+++ b/src/src/buildconfig.c
@@ -823,9 +823,50 @@ else if (isgroup)
       else if (strcmp(name, "TIMEZONE_DEFAULT") == 0||
                strcmp(name, "TCP_WRAPPERS_DAEMON_NAME") == 0||
                strcmp(name, "HEADERS_CHARSET") == 0||
-              strcmp(name, "WHITELIST_D_MACROS") == 0)
+               strcmp(name, "WHITELIST_D_MACROS") == 0)
         fprintf(new, "\"%s\"\n", value);
 
+      /* GnuTLS constants; first is for debugging, others are tuning */
+
+      /* less than 0 is not-active; 0-9 are normal, API suggests higher
+      taken without problems */
+      else if (strcmp(name, "EXIM_GNUTLS_LIBRARY_LOG_LEVEL") == 0)
+        {
+        long nv;
+        char *end;
+        nv = strtol(value, &end, 10);
+        if (end != value && *end == '\0' && nv >= -1 && nv <= 100)
+          {
+          fprintf(new, "%s\n", value);
+          }
+        else
+          {
+          printf("Value of %s should be -1..9\n", name);
+          return 1;
+          }
+        }
+
+      /* how many bits Exim, as a client, demands must be in D-H */
+      /* as of GnuTLS 2.12.x, we ask for "normal" for D-H PK; before that, we
+      specify the number of bits.  We've stuck with the historical value, but
+      it can be overriden. */
+      else if ((strcmp(name, "EXIM_CLIENT_DH_MIN_BITS") == 0) ||
+               (strcmp(name, "EXIM_SERVER_DH_BITS_PRE2_12") == 0))
+        {
+        long nv;
+        char *end;
+        nv = strtol(value, &end, 10);
+        if (end != value && *end == '\0' && nv >= 1000 && nv < 50000)
+          {
+          fprintf(new, "%s\n", value);
+          }
+        else
+          {
+          printf("Unreasonable value (%s) of \"%s\".\n", value, name);
+          return 1;
+          }
+        }
+
       /* For others, quote any paths and don't quote anything else */
 
       else

diff --git a/src/src/config.h.defaults b/src/src/config.h.defaults
index 7badb8d3450241d0e409df89b795d3ae68777924..1e75a1e217a39ca7a7797fc81443c415a1c8a199 100644 (file)
--- a/src/src/config.h.defaults
+++ b/src/src/config.h.defaults
@@ -49,6 +49,9 @@ it's a default value. */
 #define EXIMDB_LOCK_TIMEOUT          60
 #define EXIMDB_LOCKFILE_MODE       0640
 #define EXIMDB_MODE                0640
+#define EXIM_CLIENT_DH_MIN_BITS
+#define EXIM_GNUTLS_LIBRARY_LOG_LEVEL
+#define EXIM_SERVER_DH_BITS_PRE2_12
 #define EXIM_PERL
 /* Both uid and gid are triggered by this */
 #define EXIM_UID

diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index 2f50787c22ce77a2faae135b3086b9122e1fa6a7..4e1e5104ba034eb379662f0204be25799886814f 100644 (file)
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -148,14 +148,20 @@ static BOOL exim_gnutls_base_init_done = FALSE;
 /* Set this to control gnutls_global_set_log_level(); values 0 to 9 will setup
 the library logging; a value less than 0 disables the calls to set up logging
 callbacks. */
+#ifndef EXIM_GNUTLS_LIBRARY_LOG_LEVEL
 #define EXIM_GNUTLS_LIBRARY_LOG_LEVEL -1
+#endif
 
+#ifndef EXIM_CLIENT_DH_MIN_BITS
 #define EXIM_CLIENT_DH_MIN_BITS 1024
+#endif
 
 /* With GnuTLS 2.12.x+ we have gnutls_sec_param_to_pk_bits() with which we
 can ask for a bit-strength.  Without that, we stick to the constant we had
 before, for now. */
+#ifndef EXIM_SERVER_DH_BITS_PRE2_12
 #define EXIM_SERVER_DH_BITS_PRE2_12 1024
+#endif
 
 #define exim_gnutls_err_check(Label) do { \
   if (rc != GNUTLS_E_SUCCESS) { return tls_error((Label), gnutls_strerror(rc), host); } } while (0)