summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorTodd Lyons <tlyons@exim.org>2013-10-22 05:11:33 -0700
committerTodd Lyons <tlyons@exim.org>2013-10-22 05:11:33 -0700
commitb79bf0ff013a1cbb22845ffa15411d5af30bf278 (patch)
tree42466bd6e68ca69fd608f451fd1c1dd4dd30d35f
parent112b6a936caca17b2520ad81d0374c8aae1e4350 (diff)
parent2519e60d2f6124589a6a5b922dd9ae6bcb6f6588 (diff)
Merge branch 'master' of git://git.exim.org/eximexim-4_82_RC5
-rw-r--r--doc/doc-docbook/spec.xfpt8
-rw-r--r--doc/doc-txt/ChangeLog14
-rw-r--r--doc/doc-txt/NewStuff9
-rw-r--r--doc/doc-txt/OptionLists.txt2
-rw-r--r--src/README.UPDATING2
-rwxr-xr-xsrc/scripts/Configure-Makefile6
-rw-r--r--src/src/EDITME7
-rw-r--r--src/src/config.h.defaults1
-rw-r--r--src/src/globals.c6
-rw-r--r--src/src/globals.h2
-rw-r--r--src/src/readconf.c2
-rw-r--r--src/src/tls-gnu.c12
-rw-r--r--test/README10
-rw-r--r--test/confs/05331
-rwxr-xr-xtest/runtest7
15 files changed, 67 insertions, 22 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 0393ec28a..ec01e1669 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -9892,12 +9892,12 @@ when &%length%& is used as an operator.
The string is interpreted as a list and the number of items is returned.
-.vitem &*${listnamed:*&<&'name'&>&*}*&&~and&~&*${list_*&<&'type'&>&*name*&>&*}*&
+.vitem &*${listnamed:*&<&'name'&>&*}*&&~and&~&*${listnamed_*&<&'type'&>&*:*&<&'name'&>&*}*&
.cindex "expansion" "named list"
.cindex "&%listnamed%& expansion item"
The name is interpreted as a named list and the content of the list is returned,
expanding any referenced lists, re-quoting as needed for colon-separation.
-If the optional type if given it must be one of "a", "d", "h" or "l"
+If the optional type is given it must be one of "a", "d", "h" or "l"
and selects address-, domain-, host- or localpart- lists to search among respectively.
Otherwise all types are searched in an undefined order and the first
matching list is returned.
@@ -13039,7 +13039,7 @@ listed in more than one group.
.section "TLS" "SECID108"
.table2
.row &%gnutls_compat_mode%& "use GnuTLS compatibility mode"
-.row &%gnutls_enable_pkcs11%& "allow GnuTLS to autoload PKCS11 modules"
+.row &%gnutls_allow_auto_pkcs11%& "allow GnuTLS to autoload PKCS11 modules"
.row &%openssl_options%& "adjust OpenSSL compatibility options"
.row &%tls_advertise_hosts%& "advertise TLS to these hosts"
.row &%tls_certificate%& "location of server certificate"
@@ -14077,7 +14077,7 @@ implementations of TLS.
.new
-option gnutls_enable_pkcs11 main boolean unset
+option gnutls_allow_auto_pkcs11 main boolean unset
This option will let GnuTLS (2.12.0 or later) autoload PKCS11 modules with
the p11-kit configuration files in &_/etc/pkcs11/modules/_&.
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 384cf9755..928f377b1 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -60,7 +60,9 @@ NM/01 Bugzilla 1197 - Spec typo
JH/03 Add expansion operators ${listnamed:name} and ${listcount:string}
-PP/09 Add gnutls_enable_pkcs11 option.
+PP/09 Add gnutls_allow_auto_pkcs11 option (was originally called
+ gnutls_enable_pkcs11, but renamed to more accurately indicate its
+ function.
PP/10 Let Linux makefile inherit CFLAGS/CFLAGS_DYNAMIC.
Pulled from Debian 30_dontoverridecflags.dpatch by Andreas Metzler.
@@ -252,6 +254,16 @@ TL/16 Bugzilla 1289 - Clarify host/ip processing when have errors looking up a
TL/17 Bugzilla 1057 - Multiple clamd TCP targets patch from Mark Zealey.
+TL/18 Had previously added a -CONTINUE option to runtest in the test suite.
+ Missed a few lines, added it to make the runtest require no keyboard
+ interaction.
+
+TL/19 Bugzilla 1402 - Test 533 fails if any part of the path to the test suite
+ contains upper case chars. Make router use caseful_local_part.
+
+TL/20 Bugzilla 1400 - Add AVOID_GNUTLS_PKCS11 build option. Allows GnuTLS
+ support when GnuTLS has been built with p11-kit.
+
Exim version 4.80.1
-------------------
diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff
index 7f54b8f6c..d308f0485 100644
--- a/doc/doc-txt/NewStuff
+++ b/doc/doc-txt/NewStuff
@@ -88,7 +88,7 @@ Version 4.82
8. New expansion operators ${listnamed:name} to get the content of a named list
and ${listcount:string} to count the items in a list.
- 9. New global option "gnutls_enable_pkcs11", defaults false. The GnuTLS
+ 9. New global option "gnutls_allow_auto_pkcs11", defaults false. The GnuTLS
rewrite in 4.80 combines with GnuTLS 2.12.0 or later, to autoload PKCS11
modules. For some situations this is desirable, but we expect admin in
those situations to know they want the feature. More commonly, it means
@@ -97,6 +97,13 @@ Version 4.82
through, thus breakage. So we explicitly inhibit the PKCS11 initialisation
unless this new option is set.
+ Some older OS's with earlier versions of GnuTLS might not have pkcs11 ability,
+ so have also added a build option which can be used to build Exim with GnuTLS
+ but without trying to use any kind of PKCS11 support. Uncomment this in the
+ Local/Makefile:
+
+ AVOID_GNUTLS_PKCS11=yes
+
10. The "acl = name" condition on an ACL now supports optional arguments.
New expansion item "${acl {name}{arg}...}" and expansion condition
"acl {{name}{arg}...}" are added. In all cases up to nine arguments
diff --git a/doc/doc-txt/OptionLists.txt b/doc/doc-txt/OptionLists.txt
index 8787d4888..9c909f2f8 100644
--- a/doc/doc-txt/OptionLists.txt
+++ b/doc/doc-txt/OptionLists.txt
@@ -248,8 +248,8 @@ from string* unset autoreply
gecos_name string* unset main
gecos_pattern string unset main
gethostbyname boolean false smtp
+gnutls_allow_auto_pkcs11 boolean false main 4.82
gnutls_compat_mode boolean unset main 4.70
-gnutls_enable_pkcs11 boolean false main 4.82
gnutls_require_kx string* unset main 4.67 deprecated, warns
string* unset smtp 4.67 deprecated, warns
gnutls_require_mac string* unset main 4.67 deprecated, warns
diff --git a/src/README.UPDATING b/src/README.UPDATING
index 8b39848b4..62652e700 100644
--- a/src/README.UPDATING
+++ b/src/README.UPDATING
@@ -29,7 +29,7 @@ that might affect a running system.
Exim version 4.82
-----------------
- * New option gnutls_enable_pkcs11 defaults false; if you have GnuTLS 2.12.0
+ * New option gnutls_allow_auto_pkcs11 defaults false; if you have GnuTLS 2.12.0
or later and do want PKCS11 modules to be autoloaded, then set this option.
* A per-transport wait-<name> database is no longer updated if the transport
diff --git a/src/scripts/Configure-Makefile b/src/scripts/Configure-Makefile
index 58b2b5770..5e8a72683 100755
--- a/src/scripts/Configure-Makefile
+++ b/src/scripts/Configure-Makefile
@@ -118,7 +118,7 @@ done >> $mft || exit 1
egrep "^[$st]*(AUTH|LOOKUP)_[A-Z0-9_]*[$st]*=[$st]*" $mft | \
sed "s/[$st]*=/='/" | \
sed "s/\$/'/" > $mftt
-egrep "^[$st]*((USE_(OPENSSL|GNUTLS)_PC)|SUPPORT_TLS|USE_GNUTLS|PCRE_CONFIG)[$st]*=[$st]*" $mft | \
+egrep "^[$st]*((USE_(OPENSSL|GNUTLS)_PC)|SUPPORT_TLS|USE_GNUTLS|PCRE_CONFIG|AVOID_GNUTLS_PKCS11)[$st]*=[$st]*" $mft | \
sed "s/[$st]*=/='/" | \
sed "s/\$/'/" >> $mftt
if test -s $mftt
@@ -187,6 +187,10 @@ then
esac
;;
+ AVOID_GNUTLS_PKCS11)
+ echo "$var=yes"
+ ;;
+
esac
done
echo "# End of pkg-config fixups"
diff --git a/src/src/EDITME b/src/src/EDITME
index f44a1e3a5..3f818f355 100644
--- a/src/src/EDITME
+++ b/src/src/EDITME
@@ -728,6 +728,13 @@ HEADERS_CHARSET="ISO-8859-1"
# USE_GNUTLS_PC=gnutls
# TLS_LIBS=-lgnutls -ltasn1 -lgcrypt
+# The security fix we provide with the gnutls_allow_auto_pkcs11 option
+# (4.82 PP/09) introduces a compatibility regression. The symbol is
+# not available if GnuTLS is build without p11-kit (--without-p11-kit
+# configure option). In this case use AVOID_GNUTLS_PKCS11=yes when
+# building Exim.
+# AVOID_GNUTLS_PKCS11=yes
+
# If you are running Exim as a server, note that just building it with TLS
# support is not all you need to do. You also need to set up a suitable
# certificate, and tell Exim about it by means of the tls_certificate
diff --git a/src/src/config.h.defaults b/src/src/config.h.defaults
index 19bc1b180..8c1e799da 100644
--- a/src/src/config.h.defaults
+++ b/src/src/config.h.defaults
@@ -152,6 +152,7 @@ it's a default value. */
#define USE_DB
#define USE_GDBM
#define USE_GNUTLS
+#define AVOID_GNUTLS_PKCS11
#define USE_READLINE
#define USE_TCP_WRAPPERS
#define USE_TDB
diff --git a/src/src/globals.c b/src/src/globals.c
index 1dfd23ce2..133a7bf74 100644
--- a/src/src/globals.c
+++ b/src/src/globals.c
@@ -123,7 +123,7 @@ tls_support tls_out = {
#ifdef SUPPORT_TLS
BOOL gnutls_compat_mode = FALSE;
-BOOL gnutls_enable_pkcs11 = FALSE;
+BOOL gnutls_allow_auto_pkcs11 = FALSE;
uschar *gnutls_require_mac = NULL;
uschar *gnutls_require_kx = NULL;
uschar *gnutls_require_proto = NULL;
@@ -1403,8 +1403,8 @@ uschar *warnmsg_recipients = NULL;
BOOL write_rejectlog = TRUE;
uschar *version_copyright =
- US"Copyright (c) University of Cambridge, 1995 - 2012\n"
- "(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2012";
+ US"Copyright (c) University of Cambridge, 1995 - 2013\n"
+ "(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2013";
uschar *version_date = US"?";
uschar *version_cnumber = US"????";
uschar *version_string = US"?";
diff --git a/src/src/globals.h b/src/src/globals.h
index 4acc7f8c2..265f94e60 100644
--- a/src/src/globals.h
+++ b/src/src/globals.h
@@ -93,7 +93,7 @@ extern tls_support tls_out;
#ifdef SUPPORT_TLS
extern BOOL gnutls_compat_mode; /* Less security, more compatibility */
-extern BOOL gnutls_enable_pkcs11; /* Let GnuTLS autoload PKCS11 modules */
+extern BOOL gnutls_allow_auto_pkcs11; /* Let GnuTLS autoload PKCS11 modules */
extern uschar *gnutls_require_mac; /* So some can be avoided */
extern uschar *gnutls_require_kx; /* So some can be avoided */
extern uschar *gnutls_require_proto; /* So some can be avoided */
diff --git a/src/src/readconf.c b/src/src/readconf.c
index 6b0f3aaf7..77c798412 100644
--- a/src/src/readconf.c
+++ b/src/src/readconf.c
@@ -243,8 +243,8 @@ static optionlist optionlist_config[] = {
{ "gecos_name", opt_stringptr, &gecos_name },
{ "gecos_pattern", opt_stringptr, &gecos_pattern },
#ifdef SUPPORT_TLS
+ { "gnutls_allow_auto_pkcs11", opt_bool, &gnutls_allow_auto_pkcs11 },
{ "gnutls_compat_mode", opt_bool, &gnutls_compat_mode },
- { "gnutls_enable_pkcs11", opt_bool, &gnutls_enable_pkcs11 },
/* These three gnutls_require_* options stopped working in Exim 4.80 */
{ "gnutls_require_kx", opt_stringptr, &gnutls_require_kx },
{ "gnutls_require_mac", opt_stringptr, &gnutls_require_mac },
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index c90ae1411..5a37fae56 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -176,7 +176,15 @@ before, for now. */
#define HAVE_GNUTLS_SESSION_CHANNEL_BINDING
#define HAVE_GNUTLS_SEC_PARAM_CONSTANTS
#define HAVE_GNUTLS_RND
+/* The security fix we provide with the gnutls_allow_auto_pkcs11 option
+ * (4.82 PP/09) introduces a compatibility regression. The symbol simply
+ * isn't available sometimes, so this needs to become a conditional
+ * compilation; the sanest way to deal with this being a problem on
+ * older OSes is to block it in the Local/Makefile with this compiler
+ * definition */
+#ifndef AVOID_GNUTLS_PKCS11
#define HAVE_GNUTLS_PKCS11
+#endif /* AVOID_GNUTLS_PKCS11 */
#endif
@@ -922,7 +930,7 @@ if (!exim_gnutls_base_init_done)
by some sysadmin, but also means in common configurations that GNOME keyring
environment variables are used and so breaks for users calling mailq.
To prevent this, we init PKCS11 first, which is the documented approach. */
- if (!gnutls_enable_pkcs11)
+ if (!gnutls_allow_auto_pkcs11)
{
rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
exim_gnutls_err_check(US"gnutls_pkcs11_init");
@@ -1967,7 +1975,7 @@ if (exim_gnutls_base_init_done)
"already initialised GnuTLS, Exim developer bug");
#ifdef HAVE_GNUTLS_PKCS11
-if (!gnutls_enable_pkcs11)
+if (!gnutls_allow_auto_pkcs11)
{
rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
validate_check_rc(US"gnutls_pkcs11_init");
diff --git a/test/README b/test/README
index c64b02206..903c8abee 100644
--- a/test/README
+++ b/test/README
@@ -91,9 +91,10 @@ In order to run this test suite, the following requirements must be met:
(5) Exim must be built with its user and group specified at build time, and
with certain minimum facilities, namely:
- Routers: accept, dnslookup, manualroute, redirect
- Transports: appendfile, autoreply, pipe, smtp
- Lookups: lsearch
+ Routers: accept, dnslookup, manualroute, redirect
+ Transports: appendfile, autoreply, pipe, smtp
+ Lookups: lsearch
+ Authenticators: plaintext
Most Exim binaries will have these included.
@@ -457,6 +458,9 @@ OTHER ISSUES
be on by default and you'll see this problem, so make sure your umask is
022 and re-checkout the test/ subdirectory.
+. Some tests will fail if the username and group name are different. It does
+ not have to be the primary group, a secondary group is sufficient.
+
OTHER SCRIPTS AND PROGRAMS
--------------------------
diff --git a/test/confs/0533 b/test/confs/0533
index 941994396..c43b628ee 100644
--- a/test/confs/0533
+++ b/test/confs/0533
@@ -28,6 +28,7 @@ r2:
driver = redirect
local_part_prefix = pipe-
local_part_suffix = =*
+ caseful_local_part = true
data = |${substr_1:$local_part_suffix}
pipe_transport = t2
diff --git a/test/runtest b/test/runtest
index 6623d3b4b..443d7fcf4 100755
--- a/test/runtest
+++ b/test/runtest
@@ -193,7 +193,8 @@ close(T);
system("sudo /bin/rm -rf ./spool test-* ./dnszones/*")
if ($rc == 0 && !$save_output);
-system("sudo /bin/rm -rf ./eximdir/*");
+system("sudo /bin/rm -rf ./eximdir/*")
+ if (!$save_output);
print "\nYou were in test $test at the end there.\n\n" if defined $test;
exit $rc if ($rc >= 0);
@@ -1083,7 +1084,7 @@ if (! -e $sf)
for (;;)
{
print "Continue, Show, or Quit? [Q] ";
- $_ = <T>;
+ $_ = $force_continue ? "c" : <T>;
tests_exit(1) if /^q?$/i;
log_failure($log_failed_filename, $testno, $rf) if (/^c$/i && $force_continue);
return 0 if /^c$/i;
@@ -3252,7 +3253,7 @@ closedir(DIR);
open(T, "/dev/tty") || tests_exit(-1, "Failed to open /dev/tty: $!");
print "\nPress RETURN to run the tests: ";
-$_ = <T>;
+$_ = $force_continue ? "c" : <T>;
print "\n";
$lasttestdir = "";