[exim-cvs] TLS: Feature macros

Author: Exim Git Commits Mailing List
Date:  
To: exim-cvs
Subject: [exim-cvs] TLS: Feature macros
Gitweb: https://git.exim.org/exim.git/commitdiff/97277c1f835e749bf06aea2e16922fc234470034
Commit:     97277c1f835e749bf06aea2e16922fc234470034
Parent:     e98566e5a394a1e480676cef74892bc213b39936
Author:     Jeremy Harris <jgh146exb@???>
AuthorDate: Sun Oct 20 16:36:49 2019 +0100
Committer:  Jeremy Harris <jgh146exb@???>
CommitDate: Sun Oct 20 16:36:49 2019 +0100


    TLS: Feature macros
---
 doc/doc-docbook/spec.xfpt | 15 ++++++++++++---
 src/src/tls-gnu.c         | 12 ++++++++++++
 src/src/tls-openssl.c     | 12 ++++++++++++
 3 files changed, 36 insertions(+), 3 deletions(-)


diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 5ca6032..1133ddf 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -13354,6 +13354,9 @@ or a &%def%& condition.
&*Note*&: Under versions of OpenSSL preceding 1.1.1,
when a list of more than one
file is used for &%tls_certificate%&, this variable is not reliable.
+.new
+The macro "_TLS_BAD_MULTICERT_IN_OURCERT" will be defined for those versions.
+.wen

.vitem &$tls_in_peercert$&
.vindex "&$tls_in_peercert$&"
@@ -17686,9 +17689,9 @@ separator in the usual way (&<<SECTlistsepchange>>&) to avoid confusion under IP
&*Note*&: Under versions of OpenSSL preceding 1.1.1,
when a list of more than one
file is used, the &$tls_in_ourcert$& variable is unreliable.
-
-&*Note*&: OCSP stapling is not usable under OpenSSL
-when a list of more than one file is used.
+.new
+The macro "_TLS_BAD_MULTICERT_IN_OURCERT" will be defined for those versions.
+.wen

If the option contains &$tls_out_sni$& and Exim is built against OpenSSL, then
if the OpenSSL build supports TLS extensions and the TLS client sends the
@@ -17841,6 +17844,9 @@ status proof for the server's certificate, as obtained from the
Certificate Authority.

Usable for GnuTLS 3.4.4 or 3.3.17 or OpenSSL 1.1.0 (or later).
+.new
+The macro "_HAVE_TLS_OCSP" will be defined for those versions.
+.wen

.new
For OpenSSL 1.1.0 or later, and
@@ -17848,6 +17854,9 @@ For OpenSSL 1.1.0 or later, and
for GnuTLS 3.5.6 or later the expanded value of this option can be a list
of files, to match a list given for the &%tls_certificate%& option.
The ordering of the two lists must match.
+.new
+The macro "_HAVE_TLS_OCSP_LIST" will be defined for those versions.
+.wen

.new
The file(s) should be in DER format,
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index 03e704e..f18c244 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -74,6 +74,12 @@ require current GnuTLS, then we'll drop support for the ancient libraries).
# define GNUTLS_AUTO_GLOBAL_INIT
# define GNUTLS_AUTO_PKCS11_MANUAL
#endif
+#if (GNUTLS_VERSION_NUMBER >= 0x030404) \
+ || (GNUTLS_VERSION_NUMBER >= 0x030311) && (GNUTLS_VERSION_NUMBER & 0xffff00 == 0x030300)
+# ifndef DISABLE_OCSP
+# define EXIM_HAVE_OCSP
+# endif
+#endif
#if GNUTLS_VERSION_NUMBER >= 0x030500
# define SUPPORT_GNUTLS_KEYLOG
#endif
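Review bot: The second disjunct of the new `#if` on the continuation line can never be true, because `==` binds tighter than `&`: `GNUTLS_VERSION_NUMBER & 0xffff00 == 0x030300` evaluates as `GNUTLS_VERSION_NUMBER & (0xffff00 == 0x030300)`, i.e. `GNUTLS_VERSION_NUMBER & 0`, which is 0. As written, EXIM_HAVE_OCSP (and hence the `_HAVE_TLS_OCSP` builtin macro added in the second hunk) is only defined for GnuTLS >= 3.4.4, while the spec.xfpt change in this same commit documents it for 3.3.17 as well. Parenthesising the mask fixes it, and bracketing the `&&` term makes the intended `a || (b && c)` grouping explicit: `#if (GNUTLS_VERSION_NUMBER >= 0x030404) \` followed by ` || ((GNUTLS_VERSION_NUMBER >= 0x030311) && ((GNUTLS_VERSION_NUMBER & 0xffff00) == 0x030300))`.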
@@ -127,6 +133,12 @@ builtin_macro_create_var(US"_RESUME_DECODE", RESUME_DECODE_STRING );
# ifdef EXIM_HAVE_TLS1_3
builtin_macro_create(US"_HAVE_TLS1_3");
# endif
+# ifdef EXIM_HAVE_OCSP
+builtin_macro_create(US"_HAVE_TLS_OCSP");
+# endif
+# ifdef SUPPORT_SRV_OCSP_STACK
+builtin_macro_create(US"_HAVE_TLS_OCSP_LIST");
+# endif
}
#else

diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 1e3be6e..bd97969 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -76,6 +76,9 @@ change this guard and punt the issue for a while longer. */
# define EXIM_HAVE_SESSION_TICKET
# define EXIM_HAVE_OPESSL_TRACE
# define EXIM_HAVE_OPESSL_GET0_SERIAL
+# ifndef DISABLE_OCSP
+# define EXIM_HAVE_OCSP
+# endif
# else
# define EXIM_NEED_OPENSSL_INIT
# endif
@@ -102,6 +105,8 @@ change this guard and punt the issue for a while longer. */
# define OPENSSL_HAVE_KEYLOG_CB
# define OPENSSL_HAVE_NUM_TICKETS
# define EXIM_HAVE_OPENSSL_CIPHER_STD_NAME
+# else
+# define OPENSSL_BAD_SRVR_OURCERT
# endif
#endif

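Review bot: The new `OPENSSL_BAD_SRVR_OURCERT` definition on the `# else` branch carries no explanation of what is "bad", and the guard it hangs off is outside this hunk, so a reader has to cross-reference spec.xfpt to learn what it gates. A one-line comment would save that trip, e.g. `/* $tls_in_ourcert is unreliable when tls_certificate is a multi-file list */` placed above the `# define`. The name also says SRVR while the builtin macro it drives is `_TLS_BAD_MULTICERT_IN_OURCERT`; naming it after the condition (for example `OPENSSL_BAD_MULTICERT_IN_OURCERT`) would keep the two in step.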
@@ -266,6 +271,13 @@ builtin_macro_create_var(US"_RESUME_DECODE", RESUME_DECODE_STRING );
# ifdef SSL_OP_NO_TLSv1_3
builtin_macro_create(US"_HAVE_TLS1_3");
# endif
+# ifdef OPENSSL_BAD_SRVR_OURCERT
+builtin_macro_create(US"_TLS_BAD_MULTICERT_IN_OURCERT");
+# endif
+# ifdef EXIM_HAVE_OCSP
+builtin_macro_create(US"_HAVE_TLS_OCSP");
+builtin_macro_create(US"_HAVE_TLS_OCSP_LIST");
+# endif
}
#else