SUPPORT_DANE is now enabled in the prototype build Makefile "EDITME".
JH/23 The build default is now for TLS to be included; the SUPPORT_TLS define
- is replaced with DISABLE_TLS. You must still, unless you define
- DISABLE_TLS, manage the choice of TLS library and the include-dir and
- library-file requirements that go with that choice. Non-TLS builds
- are still supported.
+ is replaced with DISABLE_TLS. Either USE_GNUTLS or (the new) USE_OPENSSL
+ must be defined and you must still, unless you define DISABLE_TLS, manage
+ the the include-dir and library-file requirements that go with that
+ choice. Non-TLS builds are still supported.
# pkg-config, then you have to specify the libraries, and you mmight
# need to specify the locations too.
-# no cryptographic code of its own. Uncomment the following lines if you want
+# Uncomment the following lines if you want
# to build Exim without any TLS support (either OpenSSL or GnuTLS):
# DISABLE_TLS=yes
+# Unless you do this, you must define one of USE_OPENSSL or USE_GNUTLS
+# below.
# If you are buliding with TLS, the library configuration must be done:
+# Uncomment this if you are using OpenSSL
+# USE_OPENSSL=yes
# Uncomment one of these settings if you are using OpenSSL; pkg-config vs not
# and an optional location.
# USE_OPENSSL_PC=openssl
# TLS_LIBS=-lgnutls -ltasn1 -lgcrypt -lgnutls-dane
# TLS_LIBS=-L/usr/local/gnu/lib -lgnutls -ltasn1 -lgcrypt -lgnutls-dane
-# Uncomment the first and either the second or the third of these if you
-# are using GnuTLS. If you have pkg-config, then the second, else the third.
-# USE_GNUTLS=yes
-# USE_GNUTLS_PC=gnutls
-# TLS_LIBS=-lgnutls -ltasn1 -lgcrypt
-
# If using GnuTLS older than 2.10 and using pkg-config then note that Exim's
# build process will require libgcrypt-config to exist in your $PATH. A
# version that old is likely to become unsupported by Exim in 2017.
#define USE_GDBM
#define USE_GNUTLS
#define AVOID_GNUTLS_PKCS11
+#define USE_OPENSSL
#define USE_READLINE
#define USE_TCP_WRAPPERS
#define USE_TDB
# error DANE support requires that the DNS resolver library supports DNSSEC
# endif
-# ifndef USE_GNUTLS
+# ifdef USE_OPENSSL
# include "dane-openssl.c"
# endif
#ifdef USE_TCP_WRAPPERS
fprintf(fp, " TCPwrappers");
#endif
-#ifndef DISABLE_TLS
-# ifdef USE_GNUTLS
+#ifdef USE_GNUTLS
fprintf(fp, " GnuTLS");
-# else
+#endif
+#ifdef USE_OPENSSL
fprintf(fp, " OpenSSL");
-# endif
#endif
#ifdef SUPPORT_TRANSLATE_IP_ADDRESS
fprintf(fp, " translate_ip_address");
/* If DISABLE_TLS is defined, ensure that USE_GNUTLS is not defined
so that if USE_GNUTLS *is* set, we can assume DISABLE_TLS is not set.
+Ditto USE_OPENSSL.
Likewise, OSCP, AUTH_TLS and CERTNAMES cannot be supported. */
#ifdef DISABLE_TLS
+# undef USE_OPENSSL
# undef USE_GNUTLS
# ifndef DISABLE_OCSP
# define DISABLE_OCSP
extern int tls_write(void *, const uschar *, size_t, BOOL);
extern uschar *tls_validate_require_cipher(void);
extern void tls_version_report(FILE *);
-# ifndef USE_GNUTLS
+# ifdef USE_OPENSSL
extern BOOL tls_openssl_options_parse(uschar *, long *);
# endif
extern uschar * tls_field_from_dn(uschar *, const uschar *);
# else
# define SIGN_GCRYPT
# endif
+#endif
-#else
+#ifdef USE_OPENSSL
# define SIGN_OPENSSL
-# if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10101000L
-# define SIGN_HAVE_ED25519
-# endif
-
+# if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10101000L
+# define SIGN_HAVE_ED25519
+# endif
#endif
# else
# define SHA_GCRYPT
# endif
+# endif
-# else
+# ifdef USE_OPENSSL
# define SHA_OPENSSL
# include <openssl/ssl.h>
# if (OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined(LIBRESSL_VERSION_NUMBER)
#include "exim.h"
#include "transports/smtp.h"
+#if !defined(DISABLE_TLS) && !defined(USE_OPENSSL) && !defined(USE_GNUTLS)
+# error One of USE_OPENSSL or USE_GNUTLS must be defined for a TLS build
+#endif
+
+
#if defined(MACRO_PREDEF) && !defined(DISABLE_TLS)
# include "macro_predef.h"
# ifdef USE_GNUTLS
can switch, so we can do TLS callouts during ACLs. */
static const int ssl_xfer_buffer_size = 4096;
-#ifndef USE_GNUTLS
+#ifdef USE_OPENSSL
static uschar *ssl_xfer_buffer = NULL;
static int ssl_xfer_buffer_lwm = 0;
static int ssl_xfer_buffer_hwm = 0;
#ifdef USE_GNUTLS
# include "tls-gnu.c"
# include "tlscert-gnu.c"
-
# define ssl_xfer_buffer (state_server.xfer_buffer)
# define ssl_xfer_buffer_lwm (state_server.xfer_buffer_lwm)
# define ssl_xfer_buffer_hwm (state_server.xfer_buffer_hwm)
# define ssl_xfer_eof (state_server.xfer_eof)
# define ssl_xfer_error (state_server.xfer_error)
+#endif
-#else
+#ifdef USE_OPENSSL
# include "tls-openssl.c"
# include "tlscert-openssl.c"
#endif
modify_variable(US"tls_certificate_verified", &dest_tsp->certificate_verified);
modify_variable(US"tls_cipher", &dest_tsp->cipher);
modify_variable(US"tls_peerdn", &dest_tsp->peerdn);
-#if !defined(DISABLE_TLS) && !defined(USE_GNUTLS)
+#ifdef USE_OPENSSL
modify_variable(US"tls_sni", &dest_tsp->sni);
#endif
}
tls_out.ourcert = NULL;
tls_out.peercert = NULL;
tls_out.peerdn = NULL;
-#if !defined(DISABLE_TLS) && !defined(USE_GNUTLS)
+#ifdef USE_OPENSSL
tls_out.sni = NULL;
#endif
tls_out.ocsp = OCSP_NOT_REQ;
git://git.exim.org / exim.git / commitdiff