X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/9196d5bf543d75a81ae0825a352920d27241c325..0cbf2b821bb13da0268556d0e30ea627d5592c60:/src/src/tls-gnu.c diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c index 8aabc5c6c..28ae46d9d 100644 --- a/src/src/tls-gnu.c +++ b/src/src/tls-gnu.c @@ -47,16 +47,16 @@ require current GnuTLS, then we'll drop support for the ancient libraries). # warning "GnuTLS library version too old; define DISABLE_OCSP in Makefile" # define DISABLE_OCSP #endif -#if GNUTLS_VERSION_NUMBER < 0x020a00 && defined(EXPERIMENTAL_EVENT) +#if GNUTLS_VERSION_NUMBER < 0x020a00 && !defined(DISABLE_EVENT) # warning "GnuTLS library version too old; tls:cert event unsupported" -# undef EXPERIMENTAL_EVENT +# define DISABLE_EVENT #endif #if GNUTLS_VERSION_NUMBER >= 0x030306 # define SUPPORT_CA_DIR #else # undef SUPPORT_CA_DIR #endif -#if GNUTLS_VERSION_NUMBER >= 0x030314 +#if GNUTLS_VERSION_NUMBER >= 0x030014 # define SUPPORT_SYSDEFAULT_CABUNDLE #endif @@ -121,7 +121,7 @@ typedef struct exim_gnutls_state { uschar *exp_tls_require_ciphers; uschar *exp_tls_ocsp_file; const uschar *exp_tls_verify_cert_hostnames; -#ifdef EXPERIMENTAL_EVENT +#ifndef DISABLE_EVENT uschar *event_action; #endif @@ -140,7 +140,7 @@ static const exim_gnutls_state_st exim_gnutls_state_init = { NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, -#ifdef EXPERIMENTAL_EVENT +#ifndef DISABLE_EVENT NULL, #endif NULL, @@ -176,7 +176,9 @@ static const char * const exim_default_gnutls_priority = "NORMAL"; static BOOL exim_gnutls_base_init_done = FALSE; +#ifndef DISABLE_OCSP static BOOL gnutls_buggy_ocsp = FALSE; +#endif /* ------------------------------------------------------------------------ */ @@ -1021,6 +1023,8 @@ return OK; *************************************************/ +#ifndef DISABLE_OCSP + static BOOL tls_is_buggy_ocsp(void) { 
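Review bot: The lowered threshold `#if GNUTLS_VERSION_NUMBER >= 0x030014` carries no comment saying which API it gates, and GnuTLS's version encoding makes 0x030014 read as 3.0.14 to anyone who does not decode the low byte as decimal 20. SUPPORT_SYSDEFAULT_CABUNDLE presumably enables gnutls_certificate_set_x509_system_trust(), which I believe first appeared in GnuTLS 3.0.20; a comment pinning that would stop the constant from being "corrected" back to the old 3.3.x value, e.g. `/* 3.0.20: gnutls_certificate_set_x509_system_trust() available */`. The EXPERIMENTAL_EVENT to `# define DISABLE_EVENT` switch in the same hunk is the right shape for a feature gated by a DISABLE_ macro and needs no change.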
@@ -1047,6 +1051,7 @@ if (maj == 3) return FALSE; } +#endif /* Called from both server and client code. In the case of a server, errors @@ -1112,8 +1117,10 @@ if (!exim_gnutls_base_init_done) } #endif - if ((gnutls_buggy_ocsp = tls_is_buggy_ocsp())) +#ifndef DISABLE_OCSP + if (tls_ocsp_file && (gnutls_buggy_ocsp = tls_is_buggy_ocsp())) log_write(0, LOG_MAIN, "OCSP unusable with this GnuTLS library version"); +#endif exim_gnutls_base_init_done = TRUE; } @@ -1591,7 +1598,7 @@ return 0; #endif -#ifdef EXPERIMENTAL_EVENT +#ifndef DISABLE_EVENT /* We use this callback to get observability and detail-level control for an exim TLS connection (either direction), raising a tls:cert event @@ -1715,7 +1722,7 @@ else gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_IGNORE); } -#ifdef EXPERIMENTAL_EVENT +#ifndef DISABLE_EVENT if (event_action) { state->event_action = event_action; @@ -1827,7 +1834,7 @@ tls_client_setup_hostname_checks(host_item * host, exim_gnutls_state_st * state, if (verify_check_given_host(&ob->tls_verify_cert_hostnames, host) == OK) { state->exp_tls_verify_cert_hostnames = -#ifdef EXPERIMENTAL_INTERNATIONAL +#ifdef SUPPORT_I18N string_domain_utf8_to_alabel(host->name, NULL); #else host->name; @@ -1900,7 +1907,7 @@ if ((rc = tls_init(host, ob->tls_certificate, ob->tls_privatekey, gnutls_dh_set_prime_bits(state->session, dh_min_bits); } -/* Stick to the old behaviour for compatibility if tls_verify_certificates is +/* Stick to the old behaviour for compatibility if tls_verify_certificates is set but both tls_verify_hosts and tls_try_verify_hosts are unset. Check only the specified host patterns if one of them is defined */ @@ -1946,7 +1953,7 @@ if (request_ocsp) } #endif -#ifdef EXPERIMENTAL_EVENT +#ifndef DISABLE_EVENT if (tb->event_action) { state->event_action = tb->event_action;
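Review bot: The new test `if (tls_ocsp_file && (gnutls_buggy_ocsp = tls_is_buggy_ocsp()))` leaves gnutls_buggy_ocsp at its FALSE initialiser whenever tls_ocsp_file is unset, so the flag no longer means "this library's OCSP is broken" but "broken, and a stapling file is configured". If the flag is read only on the server-side stapling path, which needs tls_ocsp_file anyway, that is harmless; if any other OCSP code (for instance the client-side `request_ocsp` handling visible further down) consults it, a buggy library would now be used silently, and the readers are not visible from this hunk, so please confirm. Either way the coupling deserves a comment above the test, such as `/* The library bug only affects server-side stapling, which needs tls_ocsp_file; skip the probe and its log line otherwise */`, adjusted to the actual scope. This is inside tls_init, whose body begins and ends outside the hunk.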
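Review bot: In `state->exp_tls_verify_cert_hostnames = string_domain_utf8_to_alabel(host->name, NULL);` the second argument looks like an error-out pointer being discarded, so a failed IDNA conversion is invisible at this point; if the helper returns NULL on failure and the verify callback treats a NULL exp_tls_verify_cert_hostnames as "no hostname check requested", an unconvertible host name would silently disable hostname verification instead of failing the connection, which is the fail-open direction. Worth checking against the helper and the callback; if it holds, capture the error and report it to the caller, along the lines of `uschar * err = NULL;` then `if (!(state->exp_tls_verify_cert_hostnames = string_domain_utf8_to_alabel(host->name, &err))) /* log err, return failure */`. The macro rename to SUPPORT_I18N itself is fine; tls_client_setup_hostname_checks begins and ends outside the hunk.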