Gitweb:
https://git.exim.org/exim.git/commitdiff/de517fd3061ee343cd36d05587c915f617318671
Commit: de517fd3061ee343cd36d05587c915f617318671
Parent: 21ee816d09865a5c5d85f86ae4d12b9995030806
Author: Jeremy Harris <jgh146exb@???>
AuthorDate: Fri May 24 16:39:05 2019 +0100
Committer: Jeremy Harris <jgh146exb@???>
CommitDate: Fri May 24 16:39:05 2019 +0100
TLS: introduce USE_OPENSSL as an explicit requirement for the build
---
doc/doc-txt/ChangeLog | 8 ++++----
src/src/EDITME | 12 +++++-------
src/src/config.h.defaults | 1 +
src/src/dane.c | 2 +-
src/src/exim.c | 7 +++----
src/src/exim.h | 2 ++
src/src/functions.h | 2 +-
src/src/pdkim/crypt_ver.h | 10 +++++-----
src/src/sha_ver.h | 3 ++-
src/src/tls.c | 13 +++++++++----
src/src/transports/smtp.c | 2 +-
11 files changed, 34 insertions(+), 28 deletions(-)
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 73ed33e..9159d30 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -112,10 +112,10 @@ JH/22 The smtp transport option "hosts_try_dane" now enables all hosts by
SUPPORT_DANE is now enabled in the prototype build Makefile "EDITME".
JH/23 The build default is now for TLS to be included; the SUPPORT_TLS define
- is replaced with DISABLE_TLS. You must still, unless you define
- DISABLE_TLS, manage the choice of TLS library and the include-dir and
- library-file requirements that go with that choice. Non-TLS builds
- are still supported.
+ is replaced with DISABLE_TLS. Either USE_GNUTLS or (the new) USE_OPENSSL
+ must be defined and you must still, unless you define DISABLE_TLS, manage
+ the the include-dir and library-file requirements that go with that
+ choice. Non-TLS builds are still supported.
diff --git a/src/src/EDITME b/src/src/EDITME
index 264d2ea..e1bf812 100644
--- a/src/src/EDITME
+++ b/src/src/EDITME
@@ -202,12 +202,16 @@ SPOOL_DIRECTORY=/var/spool/exim
# pkg-config, then you have to specify the libraries, and you mmight
# need to specify the locations too.
-# no cryptographic code of its own. Uncomment the following lines if you want
+# Uncomment the following lines if you want
# to build Exim without any TLS support (either OpenSSL or GnuTLS):
# DISABLE_TLS=yes
+# Unless you do this, you must define one of USE_OPENSSL or USE_GNUTLS
+# below.
# If you are buliding with TLS, the library configuration must be done:
+# Uncomment this if you are using OpenSSL
+# USE_OPENSSL=yes
# Uncomment one of these settings if you are using OpenSSL; pkg-config vs not
# and an optional location.
# USE_OPENSSL_PC=openssl
@@ -223,12 +227,6 @@ SPOOL_DIRECTORY=/var/spool/exim
# TLS_LIBS=-lgnutls -ltasn1 -lgcrypt -lgnutls-dane
# TLS_LIBS=-L/usr/local/gnu/lib -lgnutls -ltasn1 -lgcrypt -lgnutls-dane
-# Uncomment the first and either the second or the third of these if you
-# are using GnuTLS. If you have pkg-config, then the second, else the third.
-# USE_GNUTLS=yes
-# USE_GNUTLS_PC=gnutls
-# TLS_LIBS=-lgnutls -ltasn1 -lgcrypt
-
# If using GnuTLS older than 2.10 and using pkg-config then note that Exim's
# build process will require libgcrypt-config to exist in your $PATH. A
# version that old is likely to become unsupported by Exim in 2017.
diff --git a/src/src/config.h.defaults b/src/src/config.h.defaults
index f45a61a..27b8fb4 100644
--- a/src/src/config.h.defaults
+++ b/src/src/config.h.defaults
@@ -172,6 +172,7 @@ Do not put spaces between # and the 'define'.
#define USE_GDBM
#define USE_GNUTLS
#define AVOID_GNUTLS_PKCS11
+#define USE_OPENSSL
#define USE_READLINE
#define USE_TCP_WRAPPERS
#define USE_TDB
diff --git a/src/src/dane.c b/src/src/dane.c
index 5284a61..5ba6196 100644
--- a/src/src/dane.c
+++ b/src/src/dane.c
@@ -38,7 +38,7 @@ static void dummy(int x) { dummy(x-1); }
# error DANE support requires that the DNS resolver library supports DNSSEC
# endif
-# ifndef USE_GNUTLS
+# ifdef USE_OPENSSL
# include "dane-openssl.c"
# endif
diff --git a/src/src/exim.c b/src/src/exim.c
index b2894ae..abce9fc 100644
--- a/src/src/exim.c
+++ b/src/src/exim.c
@@ -857,12 +857,11 @@ fprintf(fp, "Support for:");
#ifdef USE_TCP_WRAPPERS
fprintf(fp, " TCPwrappers");
#endif
-#ifndef DISABLE_TLS
-# ifdef USE_GNUTLS
+#ifdef USE_GNUTLS
fprintf(fp, " GnuTLS");
-# else
+#endif
+#ifdef USE_OPENSSL
fprintf(fp, " OpenSSL");
-# endif
#endif
#ifdef SUPPORT_TRANSLATE_IP_ADDRESS
fprintf(fp, " translate_ip_address");
diff --git a/src/src/exim.h b/src/src/exim.h
index 0638167..263c003 100644
--- a/src/src/exim.h
+++ b/src/src/exim.h
@@ -541,9 +541,11 @@ union sockaddr_46 {
/* If DISABLE_TLS is defined, ensure that USE_GNUTLS is not defined
so that if USE_GNUTLS *is* set, we can assume DISABLE_TLS is not set.
+Ditto USE_OPENSSL.
Likewise, OSCP, AUTH_TLS and CERTNAMES cannot be supported. */
#ifdef DISABLE_TLS
+# undef USE_OPENSSL
# undef USE_GNUTLS
# ifndef DISABLE_OCSP
# define DISABLE_OCSP
diff --git a/src/src/functions.h b/src/src/functions.h
index 11fb8b5..33e296c 100644
--- a/src/src/functions.h
+++ b/src/src/functions.h
@@ -67,7 +67,7 @@ extern int tls_ungetc(int);
extern int tls_write(void *, const uschar *, size_t, BOOL);
extern uschar *tls_validate_require_cipher(void);
extern void tls_version_report(FILE *);
-# ifndef USE_GNUTLS
+# ifdef USE_OPENSSL
extern BOOL tls_openssl_options_parse(uschar *, long *);
# endif
extern uschar * tls_field_from_dn(uschar *, const uschar *);
diff --git a/src/src/pdkim/crypt_ver.h b/src/src/pdkim/crypt_ver.h
index 564b66d..a6d7e36 100644
--- a/src/src/pdkim/crypt_ver.h
+++ b/src/src/pdkim/crypt_ver.h
@@ -22,12 +22,12 @@
# else
# define SIGN_GCRYPT
# endif
+#endif
-#else
+#ifdef USE_OPENSSL
# define SIGN_OPENSSL
-# if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10101000L
-# define SIGN_HAVE_ED25519
-# endif
-
+# if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10101000L
+# define SIGN_HAVE_ED25519
+# endif
#endif
diff --git a/src/src/sha_ver.h b/src/src/sha_ver.h
index a7e99f5..bc2b2f8 100644
--- a/src/src/sha_ver.h
+++ b/src/src/sha_ver.h
@@ -31,8 +31,9 @@
# else
# define SHA_GCRYPT
# endif
+# endif
-# else
+# ifdef USE_OPENSSL
# define SHA_OPENSSL
# include <openssl/ssl.h>
# if (OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined(LIBRESSL_VERSION_NUMBER)
diff --git a/src/src/tls.c b/src/src/tls.c
index 1fd10d5..796bc6d 100644
--- a/src/src/tls.c
+++ b/src/src/tls.c
@@ -19,6 +19,11 @@ functions from the OpenSSL or GNU TLS libraries. */
#include "exim.h"
#include "transports/smtp.h"
+#if !defined(DISABLE_TLS) && !defined(USE_OPENSSL) && !defined(USE_GNUTLS)
+# error One of USE_OPENSSL or USE_GNUTLS must be defined for a TLS build
+#endif
+
+
#if defined(MACRO_PREDEF) && !defined(DISABLE_TLS)
# include "macro_predef.h"
# ifdef USE_GNUTLS
@@ -48,7 +53,7 @@ We're moving away from this; GnuTLS is already using a state, which
can switch, so we can do TLS callouts during ACLs. */
static const int ssl_xfer_buffer_size = 4096;
-#ifndef USE_GNUTLS
+#ifdef USE_OPENSSL
static uschar *ssl_xfer_buffer = NULL;
static int ssl_xfer_buffer_lwm = 0;
static int ssl_xfer_buffer_hwm = 0;
@@ -122,14 +127,14 @@ tzset();
#ifdef USE_GNUTLS
# include "tls-gnu.c"
# include "tlscert-gnu.c"
-
# define ssl_xfer_buffer (state_server.xfer_buffer)
# define ssl_xfer_buffer_lwm (state_server.xfer_buffer_lwm)
# define ssl_xfer_buffer_hwm (state_server.xfer_buffer_hwm)
# define ssl_xfer_eof (state_server.xfer_eof)
# define ssl_xfer_error (state_server.xfer_error)
+#endif
-#else
+#ifdef USE_OPENSSL
# include "tls-openssl.c"
# include "tlscert-openssl.c"
#endif
@@ -226,7 +231,7 @@ modify_variable(US"tls_bits", &dest_tsp->bits);
modify_variable(US"tls_certificate_verified", &dest_tsp->certificate_verified);
modify_variable(US"tls_cipher", &dest_tsp->cipher);
modify_variable(US"tls_peerdn", &dest_tsp->peerdn);
-#if !defined(DISABLE_TLS) && !defined(USE_GNUTLS)
+#ifdef USE_OPENSSL
modify_variable(US"tls_sni", &dest_tsp->sni);
#endif
}
diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index 03095b7..5f61082 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -2019,7 +2019,7 @@ tls_out.cipher = NULL; /* the one we may use for this transport */
tls_out.ourcert = NULL;
tls_out.peercert = NULL;
tls_out.peerdn = NULL;
-#if !defined(DISABLE_TLS) && !defined(USE_GNUTLS)
+#ifdef USE_OPENSSL
tls_out.sni = NULL;
#endif
tls_out.ocsp = OCSP_NOT_REQ;
