TLS: Feature macros

diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 5ca60327e034b90c5ad1d4ba871571f14677977d..1133ddf18f813f3e8eab9a423b682175b6e05363 100644 (file)
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -13354,6 +13354,9 @@ or a &%def%& condition.
 &*Note*&: Under versions of OpenSSL preceding 1.1.1,
 when a list of more than one
 file is used for &%tls_certificate%&, this variable is not reliable.
 &*Note*&: Under versions of OpenSSL preceding 1.1.1,
 when a list of more than one
 file is used for &%tls_certificate%&, this variable is not reliable.

+.new
+The macro "_TLS_BAD_MULTICERT_IN_OURCERT" will be defined for those versions.
+.wen

 
 .vitem &$tls_in_peercert$&
 .vindex "&$tls_in_peercert$&"
 
 .vitem &$tls_in_peercert$&
 .vindex "&$tls_in_peercert$&"


@@ -17686,9 +17689,9 @@ separator in the usual way (&<<SECTlistsepchange>>&) to avoid confusion under IP
 &*Note*&: Under versions of OpenSSL preceding 1.1.1,
 when a list of more than one
 file is used, the &$tls_in_ourcert$& variable is unreliable.
 &*Note*&: Under versions of OpenSSL preceding 1.1.1,
 when a list of more than one
 file is used, the &$tls_in_ourcert$& variable is unreliable.

-
-&*Note*&: OCSP stapling is not usable under OpenSSL
-when a list of more than one file is used.
+.new
+The macro "_TLS_BAD_MULTICERT_IN_OURCERT" will be defined for those versions.
+.wen

 
 If the option contains &$tls_out_sni$& and Exim is built against OpenSSL, then
 if the OpenSSL build supports TLS extensions and the TLS client sends the
 
 If the option contains &$tls_out_sni$& and Exim is built against OpenSSL, then
 if the OpenSSL build supports TLS extensions and the TLS client sends the


@@ -17841,6 +17844,9 @@ status proof for the server's certificate, as obtained from the
 Certificate Authority.
 
 Usable for GnuTLS 3.4.4 or 3.3.17 or OpenSSL 1.1.0 (or later).
 Certificate Authority.
 
 Usable for GnuTLS 3.4.4 or 3.3.17 or OpenSSL 1.1.0 (or later).

+.new
+The macro "_HAVE_TLS_OCSP" will be defined for those versions.
+.wen

 
 .new
 For OpenSSL 1.1.0 or later, and
 
 .new
 For OpenSSL 1.1.0 or later, and


@@ -17848,6 +17854,9 @@ For OpenSSL 1.1.0 or later, and
 for GnuTLS 3.5.6 or later the expanded value of this option can be a list
 of files, to match a list given for the &%tls_certificate%& option.
 The ordering of the two lists must match.
 for GnuTLS 3.5.6 or later the expanded value of this option can be a list
 of files, to match a list given for the &%tls_certificate%& option.
 The ordering of the two lists must match.

+.new
+The macro "_HAVE_TLS_OCSP_LIST" will be defined for those versions.
+.wen

 
 .new
 The file(s) should be in DER format,
 
 .new
 The file(s) should be in DER format,

diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index 03e704e39e6fcf275ab68d07762004b04a3d961a..f18c244eeba90e8ddee00ff7578f61bdd5d41acb 100644 (file)
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -74,6 +74,12 @@ require current GnuTLS, then we'll drop support for the ancient libraries).
 # define GNUTLS_AUTO_GLOBAL_INIT
 # define GNUTLS_AUTO_PKCS11_MANUAL
 #endif
 # define GNUTLS_AUTO_GLOBAL_INIT
 # define GNUTLS_AUTO_PKCS11_MANUAL
 #endif

+#if (GNUTLS_VERSION_NUMBER >= 0x030404) \
+  || (GNUTLS_VERSION_NUMBER >= 0x030311) && (GNUTLS_VERSION_NUMBER & 0xffff00 == 0x030300)
+# ifndef DISABLE_OCSP
+#  define EXIM_HAVE_OCSP
+# endif
+#endif

 #if GNUTLS_VERSION_NUMBER >= 0x030500
 # define SUPPORT_GNUTLS_KEYLOG
 #endif
 #if GNUTLS_VERSION_NUMBER >= 0x030500
 # define SUPPORT_GNUTLS_KEYLOG
 #endif


@@ -127,6 +133,12 @@ builtin_macro_create_var(US"_RESUME_DECODE", RESUME_DECODE_STRING );
 # ifdef EXIM_HAVE_TLS1_3
 builtin_macro_create(US"_HAVE_TLS1_3");
 # endif
 # ifdef EXIM_HAVE_TLS1_3
 builtin_macro_create(US"_HAVE_TLS1_3");
 # endif

+# ifdef EXIM_HAVE_OCSP
+builtin_macro_create(US"_HAVE_TLS_OCSP");
+# endif
+# ifdef SUPPORT_SRV_OCSP_STACK
+builtin_macro_create(US"_HAVE_TLS_OCSP_LIST");
+# endif

 }
 #else
 
 }
 #else
 

diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 1e3be6e32052a0b4bb707eb437e9acba49ec9ac8..bd9796971a5854c23322bcda4d07b7148043ed4c 100644 (file)
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -76,6 +76,9 @@ change this guard and punt the issue for a while longer. */
 #  define EXIM_HAVE_SESSION_TICKET
 #  define EXIM_HAVE_OPESSL_TRACE
 #  define EXIM_HAVE_OPESSL_GET0_SERIAL
 #  define EXIM_HAVE_SESSION_TICKET
 #  define EXIM_HAVE_OPESSL_TRACE
 #  define EXIM_HAVE_OPESSL_GET0_SERIAL

+#  ifndef DISABLE_OCSP
+#   define EXIM_HAVE_OCSP
+#  endif

 # else
 #  define EXIM_NEED_OPENSSL_INIT
 # endif
 # else
 #  define EXIM_NEED_OPENSSL_INIT
 # endif


@@ -102,6 +105,8 @@ change this guard and punt the issue for a while longer. */
 #  define OPENSSL_HAVE_KEYLOG_CB
 #  define OPENSSL_HAVE_NUM_TICKETS
 #  define EXIM_HAVE_OPENSSL_CIPHER_STD_NAME
 #  define OPENSSL_HAVE_KEYLOG_CB
 #  define OPENSSL_HAVE_NUM_TICKETS
 #  define EXIM_HAVE_OPENSSL_CIPHER_STD_NAME

+# else
+#  define OPENSSL_BAD_SRVR_OURCERT

 # endif
 #endif
 
 # endif
 #endif
 


@@ -266,6 +271,13 @@ builtin_macro_create_var(US"_RESUME_DECODE", RESUME_DECODE_STRING );
 # ifdef SSL_OP_NO_TLSv1_3
 builtin_macro_create(US"_HAVE_TLS1_3");
 # endif
 # ifdef SSL_OP_NO_TLSv1_3
 builtin_macro_create(US"_HAVE_TLS1_3");
 # endif

+# ifdef OPENSSL_BAD_SRVR_OURCERT
+builtin_macro_create(US"_TLS_BAD_MULTICERT_IN_OURCERT");
+# endif
+# ifdef EXIM_HAVE_OCSP
+builtin_macro_create(US"_HAVE_TLS_OCSP");
+builtin_macro_create(US"_HAVE_TLS_OCSP_LIST");
+# endif

 }
 #else
 
 }
 #else