Fix build with older GnuTLS
author
Jeremy Harris
<jgh146exb@wizmail.org>
Sun, 10 May 2020 14:57:39 +0000
(15:57 +0100)
committer
Jeremy Harris
<jgh146exb@wizmail.org>
Sun, 10 May 2020 17:58:11 +0000
(18:58 +0100)
Broken-by: 2983e1a616
doc/doc-docbook/spec.xfpt
src/src/tls-gnu.c
test/scripts/5890-Resume-GnuTLS/REQUIRES
test/scripts/5891-Resume-OpenSSL/REQUIRES
diff --git
a/doc/doc-docbook/spec.xfpt
b/doc/doc-docbook/spec.xfpt
index 5f5538e646dcb29d228a6e79b7469d799554870e..be3e7c925a23b8e5ee50dccb1a879d0afc4f53cd 100644
(file)
--- a/
doc/doc-docbook/spec.xfpt
+++ b/
doc/doc-docbook/spec.xfpt
@@
-29462,7
+29462,7
@@
Session resumption (this is the "stateless" variant) involves the server sending
a "session ticket" to the client on one connection, which can be stored by the
client and used for a later session. The ticket contains sufficient state for
the server to reconstruct the TLS session, avoiding some expensive crypto
a "session ticket" to the client on one connection, which can be stored by the
client and used for a later session. The ticket contains sufficient state for
the server to reconstruct the TLS session, avoiding some expensive crypto
-calculation and one full packet roundtrip time.
+calculation and
(on TLS1.2)
one full packet roundtrip time.
.ilist
Operational cost/benefit:
.ilist
Operational cost/benefit:
@@
-29509,7
+29509,7
@@
Observability:
server issued ticket, resume used. A suitable decode list is provided
in the builtin macro _RESUME_DECODE for in &%listextract%& expansions.
server issued ticket, resume used. A suitable decode list is provided
in the builtin macro _RESUME_DECODE for in &%listextract%& expansions.
-.next
:
+.next
Control:
The &%tls_resumption_hosts%& main option specifies a hostlist for which
Control:
The &%tls_resumption_hosts%& main option specifies a hostlist for which
diff --git
a/src/src/tls-gnu.c
b/src/src/tls-gnu.c
index c8017a7331ba6fb48721a4e48604740aa4dd252c..a351c34d671502076e2701c02f720b9b3b9addf4 100644
(file)
--- a/
src/src/tls-gnu.c
+++ b/
src/src/tls-gnu.c
@@
-112,8
+112,10
@@
require current GnuTLS, then we'll drop support for the ancient libraries).
#endif
#ifndef DISABLE_TLS_RESUME
#endif
#ifndef DISABLE_TLS_RESUME
-# if GNUTLS_VERSION_NUMBER < 0x030603
-# error GNUTLS version too early for session-resumption
+# if GNUTLS_VERSION_NUMBER >= 0x030603
+# define EXIM_HAVE_TLS_RESUME
+# else
+# warning "GnuTLS library version too old; resumption unsupported"
# endif
#endif
# endif
#endif
@@
-266,7
+268,7
@@
static BOOL gnutls_buggy_ocsp = FALSE;
static BOOL exim_testharness_disable_ocsp_validity_check = FALSE;
#endif
static BOOL exim_testharness_disable_ocsp_validity_check = FALSE;
#endif
-#if
ndef DISABL
E_TLS_RESUME
+#if
def EXIM_HAV
E_TLS_RESUME
static gnutls_datum_t server_sessticket_key;
#endif
static gnutls_datum_t server_sessticket_key;
#endif
@@
-326,7
+328,7
@@
static void exim_gnutls_logger_cb(int level, const char *message);
static int exim_sni_handling_cb(gnutls_session_t session);
static int exim_sni_handling_cb(gnutls_session_t session);
-#if
ndef DISABL
E_TLS_RESUME
+#if
def EXIM_HAV
E_TLS_RESUME
static int
tls_server_ticket_cb(gnutls_session_t sess, u_int htype, unsigned when,
unsigned incoming, const gnutls_datum_t * msg);
static int
tls_server_ticket_cb(gnutls_session_t sess, u_int htype, unsigned when,
unsigned incoming, const gnutls_datum_t * msg);
@@
-337,7
+339,7
@@
tls_server_ticket_cb(gnutls_session_t sess, u_int htype, unsigned when,
void
tls_daemon_init(void)
{
void
tls_daemon_init(void)
{
-#if
ndef DISABL
E_TLS_RESUME
+#if
def EXIM_HAV
E_TLS_RESUME
/* We are dependent on the GnuTLS implementation of the Session Ticket
encryption; both the strength and the key rotation period. We hope that
the strength at least matches that of the ciphersuite (but GnuTLS does not
/* We are dependent on the GnuTLS implementation of the Session Ticket
encryption; both the strength and the key rotation period. We hope that
the strength at least matches that of the ciphersuite (but GnuTLS does not
@@
-1000,10
+1002,10
@@
return gnutls_ext_raw_parse(NULL, tls_server_servercerts_ext, msg, 0);
"Handshake Protocol: Certificate" record.
So we need to spot the Certificate handshake message, parse it and spot any status_request extension(s)
"Handshake Protocol: Certificate" record.
So we need to spot the Certificate handshake message, parse it and spot any status_request extension(s)
-This is different to tls1.2 - where it is a separate record (wiresha
ke
term) / handshake message (gnutls term).
+This is different to tls1.2 - where it is a separate record (wiresha
rk
term) / handshake message (gnutls term).
*/
*/
-#if
!defined(DISABL
E_TLS_RESUME) || defined(SUPPORT_GNUTLS_EXT_RAW_PARSE)
+#if
defined(EXIM_HAV
E_TLS_RESUME) || defined(SUPPORT_GNUTLS_EXT_RAW_PARSE)
/* Callback for certificate-status, on server. We sent stapled OCSP. */
static int
tls_server_certstatus_cb(gnutls_session_t session, unsigned int htype,
/* Callback for certificate-status, on server. We sent stapled OCSP. */
static int
tls_server_certstatus_cb(gnutls_session_t session, unsigned int htype,
@@
-1035,7
+1037,7
@@
switch (htype)
# endif
case GNUTLS_HANDSHAKE_CERTIFICATE_STATUS:
return tls_server_certstatus_cb(sess, htype, when, incoming, msg);
# endif
case GNUTLS_HANDSHAKE_CERTIFICATE_STATUS:
return tls_server_certstatus_cb(sess, htype, when, incoming, msg);
-# if
ndef DISABL
E_TLS_RESUME
+# if
def EXIM_HAV
E_TLS_RESUME
case GNUTLS_HANDSHAKE_NEW_SESSION_TICKET:
return tls_server_ticket_cb(sess, htype, when, incoming, msg);
# endif
case GNUTLS_HANDSHAKE_NEW_SESSION_TICKET:
return tls_server_ticket_cb(sess, htype, when, incoming, msg);
# endif
@@
-2328,7
+2330,7
@@
else
}
}
-#if
ndef DISABL
E_TLS_RESUME
+#if
def EXIM_HAV
E_TLS_RESUME
static int
tls_server_ticket_cb(gnutls_session_t sess, u_int htype, unsigned when,
unsigned incoming, const gnutls_datum_t * msg)
static int
tls_server_ticket_cb(gnutls_session_t sess, u_int htype, unsigned when,
unsigned incoming, const gnutls_datum_t * msg)
@@
-2442,7
+2444,7
@@
DEBUG(D_tls) debug_printf("initialising GnuTLS as a server\n");
#endif
}
#endif
}
-#if
ndef DISABL
E_TLS_RESUME
+#if
def EXIM_HAV
E_TLS_RESUME
tls_server_resume_prehandshake(state);
#endif
tls_server_resume_prehandshake(state);
#endif
@@
-2550,7
+2552,7
@@
if (gnutls_session_get_flags(state->session) & GNUTLS_SFLAGS_EXT_MASTER_SECRET)
tls_in.ext_master_secret = TRUE;
#endif
tls_in.ext_master_secret = TRUE;
#endif
-#if
ndef DISABL
E_TLS_RESUME
+#if
def EXIM_HAV
E_TLS_RESUME
tls_server_resume_posthandshake(state);
#endif
tls_server_resume_posthandshake(state);
#endif
@@
-2683,7
+2685,7
@@
return TRUE;
-#if
ndef DISABL
E_TLS_RESUME
+#if
def EXIM_HAV
E_TLS_RESUME
/* On the client, get any stashed session for the given IP from hints db
and apply it to the ssl-connection for attempted resumption. Although
there is a gnutls_session_ticket_enable_client() interface it is
/* On the client, get any stashed session for the given IP from hints db
and apply it to the ssl-connection for attempted resumption. Although
there is a gnutls_session_ticket_enable_client() interface it is
@@
-2970,7
+2972,7
@@
if (request_ocsp)
}
#endif
}
#endif
-#if
ndef DISABL
E_TLS_RESUME
+#if
def EXIM_HAV
E_TLS_RESUME
tls_client_resume_prehandshake(state, tlsp, host, ob);
#endif
tls_client_resume_prehandshake(state, tlsp, host, ob);
#endif
@@
-3070,7
+3072,7
@@
if (request_ocsp)
}
#endif
}
#endif
-#if
ndef DISABL
E_TLS_RESUME
+#if
def EXIM_HAV
E_TLS_RESUME
tls_client_resume_posthandshake(state, tlsp, host);
#endif
tls_client_resume_posthandshake(state, tlsp, host);
#endif
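Review bot: The `# warning "GnuTLS library version too old; resumption unsupported"` added in the first hunk (inside the `#ifndef DISABLE_TLS_RESUME` block near line 112) is a compiler extension rather than C11, and GCC promotes it to a hard error under `-Werror`, so a packager building with warnings-as-errors against an old GnuTLS still gets a failed build — the situation the commit title sets out to fix. If the message is meant to be purely informative, a comment is the safer carrier, e.g. replace the `# warning` line with `/* GnuTLS < 3.6.3: session resumption is compiled out; tls_resumption_hosts has no effect */`. The `0x030603` threshold also has no comment saying which GnuTLS interface it is gating; a one-line note naming it would help whoever next bumps the minimum. The REQUIRES changes in this commit gate the 5890/5891 tests on `support TLS_resume`, so the support list that string comes from (not in this diff) presumably needs to be keyed on `EXIM_HAVE_TLS_RESUME` rather than on `DISABLE_TLS_RESUME`, otherwise the tests run, rather than being skipped, on a build where resumption was silently dropped.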
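--- a/test/scripts/5890-Resume-GnuTLS/REQUIRES
+++ b/test/scripts/5890-Resume-GnuTLS/REQUIRES
@@ -1,3 +1,3 @@
 support GnuTLS
 running IPv4
-support Experimental_TLS_resume
+support TLS_resume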
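--- a/test/scripts/5891-Resume-OpenSSL/REQUIRES
+++ b/test/scripts/5891-Resume-OpenSSL/REQUIRES
@@ -1,3 +1,3 @@
 support OpenSSL
 running IPv4
-support Experimental_TLS_resume
+support TLS_resume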