[exim-cvs] Fix build with older GnuTLS

Author: Exim Git Commits Mailing List
Date:  
To: exim-cvs
Subject: [exim-cvs] Fix build with older GnuTLS
Gitweb: https://git.exim.org/exim.git/commitdiff/7dd52d1ff8cd5e8914172d3131412bf1c2ceaf92
Commit:     7dd52d1ff8cd5e8914172d3131412bf1c2ceaf92
Parent:     2983e1a616058c03b57f1ab32a691f8b8ff9764e
Author:     Jeremy Harris <jgh146exb@???>
AuthorDate: Sun May 10 15:57:39 2020 +0100
Committer:  Jeremy Harris <jgh146exb@???>
CommitDate: Sun May 10 18:58:11 2020 +0100


    Fix build with older GnuTLS


    Broken-by: 2983e1a616
---
 doc/doc-docbook/spec.xfpt                 |  4 ++--
 src/src/tls-gnu.c                         | 30 ++++++++++++++++--------------
 test/scripts/5890-Resume-GnuTLS/REQUIRES  |  2 +-
 test/scripts/5891-Resume-OpenSSL/REQUIRES |  2 +-
 4 files changed, 20 insertions(+), 18 deletions(-)


diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 5f5538e..be3e7c9 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -29462,7 +29462,7 @@ Session resumption (this is the "stateless" variant) involves the server sending
a "session ticket" to the client on one connection, which can be stored by the
client and used for a later session. The ticket contains sufficient state for
the server to reconstruct the TLS session, avoiding some expensive crypto
-calculation and one full packet roundtrip time.
+calculation and (on TLS1.2) one full packet roundtrip time.

.ilist
Operational cost/benefit:
@@ -29509,7 +29509,7 @@ Observability:
server issued ticket, resume used. A suitable decode list is provided
in the builtin macro _RESUME_DECODE for in &%listextract%& expansions.

-.next:
+.next
Control:

The &%tls_resumption_hosts%& main option specifies a hostlist for which
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index c8017a7..a351c34 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -112,8 +112,10 @@ require current GnuTLS, then we'll drop support for the ancient libraries).
#endif

#ifndef DISABLE_TLS_RESUME
-# if GNUTLS_VERSION_NUMBER < 0x030603
-# error GNUTLS version too early for session-resumption
+# if GNUTLS_VERSION_NUMBER >= 0x030603
+# define EXIM_HAVE_TLS_RESUME
+# else
+# warning "GnuTLS library version too old; resumption unsupported"
# endif
#endif

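Review bot: Replacing `# error` with `# warning` in the `# else` branch means a build that never defined DISABLE_TLS_RESUME now silently produces a binary with session resumption compiled out, and `#warning` is a GCC/Clang extension rather than a C11 directive, so strict compilers may still stop here. Naming the threshold in the text makes the build log actionable, e.g. `# warning "GnuTLS older than 3.6.3; TLS session resumption not compiled in"`. It is not visible in this diff whether the `TLS_resume` capability the test suite now requires (the REQUIRES hunks below) is derived from EXIM_HAVE_TLS_RESUME or still from `!defined(DISABLE_TLS_RESUME)`; if the latter, a binary built against older GnuTLS would advertise resumption support it lacks and a configured tls_resumption_hosts list would be accepted but have no effect, so that advertisement presumably should key on the new macro.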
@@ -266,7 +268,7 @@ static BOOL gnutls_buggy_ocsp = FALSE;
static BOOL exim_testharness_disable_ocsp_validity_check = FALSE;
#endif

-#ifndef DISABLE_TLS_RESUME
+#ifdef EXIM_HAVE_TLS_RESUME
static gnutls_datum_t server_sessticket_key;
#endif

@@ -326,7 +328,7 @@ static void exim_gnutls_logger_cb(int level, const char *message);

static int exim_sni_handling_cb(gnutls_session_t session);

-#ifndef DISABLE_TLS_RESUME
+#ifdef EXIM_HAVE_TLS_RESUME
static int
tls_server_ticket_cb(gnutls_session_t sess, u_int htype, unsigned when,
unsigned incoming, const gnutls_datum_t * msg);
@@ -337,7 +339,7 @@ tls_server_ticket_cb(gnutls_session_t sess, u_int htype, unsigned when,
void
tls_daemon_init(void)
{
-#ifndef DISABLE_TLS_RESUME
+#ifdef EXIM_HAVE_TLS_RESUME
/* We are dependent on the GnuTLS implementation of the Session Ticket
encryption; both the strength and the key rotation period. We hope that
the strength at least matches that of the ciphersuite (but GnuTLS does not
@@ -1000,10 +1002,10 @@ return gnutls_ext_raw_parse(NULL, tls_server_servercerts_ext, msg, 0);
"Handshake Protocol: Certificate" record.
So we need to spot the Certificate handshake message, parse it and spot any status_request extension(s)

-This is different to tls1.2 - where it is a separate record (wireshake term) / handshake message (gnutls term).
+This is different to tls1.2 - where it is a separate record (wireshark term) / handshake message (gnutls term).
*/

-#if !defined(DISABLE_TLS_RESUME) || defined(SUPPORT_GNUTLS_EXT_RAW_PARSE)
+#if defined(EXIM_HAVE_TLS_RESUME) || defined(SUPPORT_GNUTLS_EXT_RAW_PARSE)
 /* Callback for certificate-status, on server. We sent stapled OCSP. */
 static int
 tls_server_certstatus_cb(gnutls_session_t session, unsigned int htype,
@@ -1035,7 +1037,7 @@ switch (htype)
 # endif
   case GNUTLS_HANDSHAKE_CERTIFICATE_STATUS:
     return tls_server_certstatus_cb(sess, htype, when, incoming, msg);
-# ifndef DISABLE_TLS_RESUME
+# ifdef EXIM_HAVE_TLS_RESUME
   case GNUTLS_HANDSHAKE_NEW_SESSION_TICKET:
     return tls_server_ticket_cb(sess, htype, when, incoming, msg);
 # endif
@@ -2328,7 +2330,7 @@ else
 }



-#ifndef DISABLE_TLS_RESUME
+#ifdef EXIM_HAVE_TLS_RESUME
static int
tls_server_ticket_cb(gnutls_session_t sess, u_int htype, unsigned when,
unsigned incoming, const gnutls_datum_t * msg)
@@ -2442,7 +2444,7 @@ DEBUG(D_tls) debug_printf("initialising GnuTLS as a server\n");
#endif
}

-#ifndef DISABLE_TLS_RESUME
+#ifdef EXIM_HAVE_TLS_RESUME
tls_server_resume_prehandshake(state);
#endif

@@ -2550,7 +2552,7 @@ if (gnutls_session_get_flags(state->session) & GNUTLS_SFLAGS_EXT_MASTER_SECRET)
tls_in.ext_master_secret = TRUE;
#endif

-#ifndef DISABLE_TLS_RESUME
+#ifdef EXIM_HAVE_TLS_RESUME
tls_server_resume_posthandshake(state);
#endif

@@ -2683,7 +2685,7 @@ return TRUE;



-#ifndef DISABLE_TLS_RESUME
+#ifdef EXIM_HAVE_TLS_RESUME
/* On the client, get any stashed session for the given IP from hints db
and apply it to the ssl-connection for attempted resumption. Although
there is a gnutls_session_ticket_enable_client() interface it is
@@ -2970,7 +2972,7 @@ if (request_ocsp)
}
#endif

-#ifndef DISABLE_TLS_RESUME
+#ifdef EXIM_HAVE_TLS_RESUME
tls_client_resume_prehandshake(state, tlsp, host, ob);
#endif

@@ -3070,7 +3072,7 @@ if (request_ocsp)
}
#endif

-#ifndef DISABLE_TLS_RESUME
+#ifdef EXIM_HAVE_TLS_RESUME
tls_client_resume_posthandshake(state, tlsp, host);
#endif

diff --git a/test/scripts/5890-Resume-GnuTLS/REQUIRES b/test/scripts/5890-Resume-GnuTLS/REQUIRES
index 2f12f27..7f34d4f 100644
--- a/test/scripts/5890-Resume-GnuTLS/REQUIRES
+++ b/test/scripts/5890-Resume-GnuTLS/REQUIRES
@@ -1,3 +1,3 @@
support GnuTLS
running IPv4
-support Experimental_TLS_resume
+support TLS_resume
diff --git a/test/scripts/5891-Resume-OpenSSL/REQUIRES b/test/scripts/5891-Resume-OpenSSL/REQUIRES
index 027b4dc..8e3a29f 100644
--- a/test/scripts/5891-Resume-OpenSSL/REQUIRES
+++ b/test/scripts/5891-Resume-OpenSSL/REQUIRES
@@ -1,3 +1,3 @@
support OpenSSL
running IPv4
-support Experimental_TLS_resume
+support TLS_resume