From: Jeremy Harris Date: Sun, 1 Jul 2012 15:01:29 +0000 (+0100) Subject: Merge branch 'acl' X-Git-Tag: exim-4_81_RC1~50 X-Git-Url: https://git.exim.org/exim.git/commitdiff_plain/3e8abda0fa92b78c4a3dfbad940b12fc90c241e3?hp=bef3ea7f5de507f4eda7f32ac767ec6ac0441d57 Merge branch 'acl' --- diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index eb5bd4cba..eb359d088 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -12857,6 +12857,9 @@ listed in more than one group. .section "TLS" "SECID108" .table2 .row &%gnutls_compat_mode%& "use GnuTLS compatibility mode" +.new +.row &%gnutls_enable_pkcs11%& "allow GnuTLS to autoload PKCS11 modules" +.wen .row &%openssl_options%& "adjust OpenSSL compatibility options" .row &%tls_advertise_hosts%& "advertise TLS to these hosts" .row &%tls_certificate%& "location of server certificate" @@ -13885,6 +13888,19 @@ This option controls whether GnuTLS is used in compatibility mode in an Exim server. This reduces security slightly, but improves interworking with older implementations of TLS. + +.new +option gnutls_enable_pkcs11 main boolean unset +This option will let GnuTLS (2.12.0 or later) autoload PKCS11 modules with +the p11-kit configuration files in &_/etc/pkcs11/modules/_&. + +See +&url(http://www.gnu.org/software/gnutls/manual/gnutls.html#Smart-cards-and-HSMs) +for documentation. +.wen + + + .option headers_charset main string "see below" This option sets a default character set for translating from encoded MIME &"words"& in header lines, when referenced by an &$h_xxx$& expansion item. The diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 9dbc65c09..a9c9abed8 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog 
@@ -44,6 +44,11 @@ NM/01 Bugzilla 1197 - Spec typo JH/03 Add expansion operators ${listnamed:name} and ${listcount:string} +PP/09 Add gnutls_enable_pkcs11 option. + +PP/10 Let Linux makefile inherit CFLAGS/CFLAGS_DYNAMIC. + Pulled from Debian 30_dontoverridecflags.dpatch by Andreas Metzler. + JH/04 Add expansion item ${acl {name}{arg}...}, expansion condition "acl {{name}{arg}...}", and optional args on acl condition "acl = name arg..." diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff index df2ede807..53d533dea 100644 --- a/doc/doc-txt/NewStuff +++ b/doc/doc-txt/NewStuff @@ -87,7 +87,16 @@ Version 4.81 8. New expansion operators ${listnamed:name} to get the content of a named list and ${listcount:string} to count the items in a list. - 9. The "acl = name" condition on an ACL now supports optional arguments. + 9. New global option "gnutls_enable_pkcs11", defaults false. The GnuTLS + rewrite in 4.80 combines with GnuTLS 2.12.0 or later, to autoload PKCS11 + modules. For some situations this is desirable, but we expect admin in + those situations to know they want the feature. More commonly, it means + that GUI user modules get loaded and are broken by the setuid Exim being + unable to access files specified in environment variables and passed + through, thus breakage. So we explicitly inhibit the PKCS11 initialisation + unless this new option is set. + +10. The "acl = name" condition on an ACL now supports optional arguments. New expansion item "${acl {name}{arg}...}" and expansion condition "acl {{name}{arg}...}" are added. In all cases up to nine arguments can be used, appearing in $acl_arg1 to $acl_arg9 for the called ACL. diff --git a/doc/doc-txt/OptionLists.txt b/doc/doc-txt/OptionLists.txt index 1c7881e76..05074bba7 100644 --- a/doc/doc-txt/OptionLists.txt +++ b/doc/doc-txt/OptionLists.txt 
@@ -243,6 +243,7 @@ gecos_name string* unset main gecos_pattern string unset main gethostbyname boolean false smtp gnutls_compat_mode boolean unset main 4.70 +gnutls_enable_pkcs11 boolean false main 4.81 gnutls_require_kx string* unset main 4.67 deprecated, warns string* unset smtp 4.67 deprecated, warns gnutls_require_mac string* unset main 4.67 deprecated, warns diff --git a/src/.gitattributes b/src/.gitattributes new file mode 100644 index 000000000..554385cf9 --- /dev/null +++ b/src/.gitattributes @@ -0,0 +1 @@ +ACKNOWLEDGMENTS encoding=utf-8 diff --git a/src/OS/Makefile-Linux b/src/OS/Makefile-Linux index 8b721410e..990f884e9 100644 --- a/src/OS/Makefile-Linux +++ b/src/OS/Makefile-Linux @@ -1,5 +1,9 @@ # Exim: OS-specific make file for Linux. This is for modern Linuxes, # which use libc6. +# +# For Linux, we assume GNU Make; at time of writing, the only extension +# used is ?= which is actually portable to other maintained Make variants, +# just is not POSIX. HAVE_ICONV=yes @@ -8,8 +12,9 @@ CHOWN_COMMAND=look_for_it CHGRP_COMMAND=look_for_it CHMOD_COMMAND=look_for_it -CFLAGS=-O -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -CFLAGS_DYNAMIC=-shared -rdynamic +# Preserve CFLAGS and CFLAGS_DYNAMIC from the caller/environment +CFLAGS ?= -O -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE +CFLAGS_DYNAMIC ?= -shared -rdynamic DBMLIB = -ldb USE_DB = yes diff --git a/src/README.UPDATING b/src/README.UPDATING index d34dec1e1..b7406f43c 100644 --- a/src/README.UPDATING +++ b/src/README.UPDATING @@ -26,6 +26,13 @@ The rest of this document contains information about changes in 4.xx releases that might affect a running system. +Exim version 4.81 +----------------- + + * New option gnutls_enable_pkcs11 defaults false; if you have GnuTLS 2.12.0 + or later and do want PKCS11 modules to be autoloaded, then set this option. + + Exim version 4.80 ----------------- diff --git a/src/src/globals.c b/src/src/globals.c index b6db9251d..21122f0f9 100644 --- a/src/src/globals.c 
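Review bot: `CFLAGS ?= -O -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE` in the second Makefile-Linux hunk makes an inherited CFLAGS replace the whole default, so a builder who exports CFLAGS for optimisation or hardening flags silently loses the large-file defines along with -O and gets a different off_t ABI than the shipped default. Keeping the feature-test macros out of the overridable part, e.g. `CFLAGS ?= -O` followed by `CFLAGS += -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE`, preserves the inheritance the change wants without changing file-offset behaviour behind the builder's back (`+=` is supported by the same Make variants the new header comment names for `?=`). The same consideration applies to `CFLAGS_DYNAMIC ?= -shared -rdynamic`, where an inherited value without -shared would presumably break whatever is built with it; if replace-whole-value is the intended contract, the new header comment should say that inherited values must carry these flags themselves.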
+++ b/src/src/globals.c
@@ -117,6 +117,7 @@ tls_support tls_out = {
 #ifdef SUPPORT_TLS
 BOOL gnutls_compat_mode = FALSE;
+BOOL gnutls_enable_pkcs11 = FALSE;
 uschar *gnutls_require_mac = NULL;
 uschar *gnutls_require_kx = NULL;
 uschar *gnutls_require_proto = NULL;
diff --git a/src/src/globals.h b/src/src/globals.h
index 639d88f31..783eb7ba3 100644
--- a/src/src/globals.h
+++ b/src/src/globals.h
@@ -89,6 +89,7 @@ extern tls_support tls_out;
 #ifdef SUPPORT_TLS
 extern BOOL gnutls_compat_mode; /* Less security, more compatibility */
+extern BOOL gnutls_enable_pkcs11; /* Let GnuTLS autoload PKCS11 modules */
 extern uschar *gnutls_require_mac; /* So some can be avoided */
 extern uschar *gnutls_require_kx; /* So some can be avoided */
 extern uschar *gnutls_require_proto; /* So some can be avoided */
diff --git a/src/src/readconf.c b/src/src/readconf.c
index 750e0d316..087ab5b9b 100644
--- a/src/src/readconf.c
+++ b/src/src/readconf.c
@@ -236,6 +236,7 @@ static optionlist optionlist_config[] = {
 { "gecos_pattern", opt_stringptr, &gecos_pattern },
 #ifdef SUPPORT_TLS
 { "gnutls_compat_mode", opt_bool, &gnutls_compat_mode },
+ { "gnutls_enable_pkcs11", opt_bool, &gnutls_enable_pkcs11 },
 /* These three gnutls_require_* options stopped working in Exim 4.80 */
 { "gnutls_require_kx", opt_stringptr, &gnutls_require_kx },
 { "gnutls_require_mac", opt_stringptr, &gnutls_require_mac },
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index c582af79f..239985767 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -39,6 +39,10 @@ require current GnuTLS, then we'll drop support for the ancient libraries).
 #include
 /* man-page is incorrect, gnutls_rnd() is not in gnutls.h: */
 #include
+/* needed to disable PKCS11 autoload unless requested */
+#if GNUTLS_VERSION_NUMBER >= 0x020c00
+# include
+#endif
 /* GnuTLS 2 vs 3
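Review bot: The new PKCS11 header include in tls-gnu.c is guarded by `GNUTLS_VERSION_NUMBER >= 0x020c00`, while every use of the API later in the file (the blocks at new lines 916 and 1963) is guarded by `HAVE_GNUTLS_PKCS11`, which is defined in a separate block at new line 176 whose enclosing condition is not visible in this diff. If those two conditions ever drift apart, the call sites compile against a header that was never included, and because the define comes after the include it cannot be used to guard the include itself. Either move the `#define HAVE_GNUTLS_PKCS11` up into this `#if` next to the include, or record the coupling on the include with a comment such as `/* HAVE_GNUTLS_PKCS11, defined below, must track this version test */`.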
@@ -172,6 +176,7 @@ before, for now. */ #define HAVE_GNUTLS_SESSION_CHANNEL_BINDING #define HAVE_GNUTLS_SEC_PARAM_CONSTANTS #define HAVE_GNUTLS_RND +#define HAVE_GNUTLS_PKCS11 #endif @@ -911,6 +916,19 @@ if (!exim_gnutls_base_init_done) { DEBUG(D_tls) debug_printf("GnuTLS global init required.\n"); +#ifdef HAVE_GNUTLS_PKCS11 + /* By default, gnutls_global_init will init PKCS11 support in auto mode, + which loads modules from a config file, which sounds good and may be wanted + by some sysadmin, but also means in common configurations that GNOME keyring + environment variables are used and so breaks for users calling mailq. + To prevent this, we init PKCS11 first, which is the documented approach. */ + if (!gnutls_enable_pkcs11) + { + rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL); + exim_gnutls_err_check(US"gnutls_pkcs11_init"); + } +#endif + rc = gnutls_global_init(); exim_gnutls_err_check(US"gnutls_global_init"); @@ -970,7 +988,7 @@ if (rc != OK) return rc; /* set SNI in client, only */ if (host) { - if (!expand_check(state->tlsp->sni, "tls_out_sni", &state->exp_tls_sni)) + if (!expand_check(state->tlsp->sni, US"tls_out_sni", &state->exp_tls_sni)) return DEFER; if (state->exp_tls_sni && *state->exp_tls_sni) { @@ -1945,6 +1963,13 @@ if (exim_gnutls_base_init_done) log_write(0, LOG_MAIN|LOG_PANIC, "already initialised GnuTLS, Exim developer bug"); +#ifdef HAVE_GNUTLS_PKCS11 +if (!gnutls_enable_pkcs11) + { + rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL); + validate_check_rc(US"gnutls_pkcs11_init"); + } +#endif rc = gnutls_global_init(); validate_check_rc(US"gnutls_global_init()"); exim_gnutls_base_init_done = TRUE;
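Review bot: The manual PKCS11 pre-initialisation in the hunk at new line 916 is written out a second time, verbatim, in the hunk at new line 1963 with only the error macro differing, so the flag, the option check and the version guard now have to be kept in step at two sites; both enclosing functions start and end outside these hunks. A small static helper that returns the GnuTLS rc would let each site keep its own error macro while sharing the one decision, as sketched below. The ordering the code relies on — `gnutls_pkcs11_init()` with `GNUTLS_PKCS11_FLAG_MANUAL` must run before `gnutls_global_init()` for the autoload suppression to take effect — is explained only at the 916 site; the 1963 site has no comment, and a one-liner such as `/* must precede gnutls_global_init(), otherwise p11-kit modules are autoloaded */` would stop a later reorder from silently re-enabling autoload in the setuid binary.
```c
/* Initialise PKCS11 in manual mode before gnutls_global_init() so that GnuTLS
does not autoload p11-kit modules unless the sysadmin asked for it with
gnutls_enable_pkcs11.  Returns a GnuTLS rc for the caller's error macro. */
static int
exim_gnutls_pkcs11_preinit(void)
{
#ifdef HAVE_GNUTLS_PKCS11
if (!gnutls_enable_pkcs11)
  return gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
#endif
return GNUTLS_E_SUCCESS;
}

/* … unchanged: rest of the file up to the site at new line 916 … */
  rc = exim_gnutls_pkcs11_preinit();
  exim_gnutls_err_check(US"gnutls_pkcs11_init");

/* … unchanged: rest of the file up to the site at new line 1963 … */
rc = exim_gnutls_pkcs11_preinit();
validate_check_rc(US"gnutls_pkcs11_init");
```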