From 01603eec64d42431f182b33008206facfc7f800e Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Fri, 24 May 2019 15:57:02 +0100 Subject: [PATCH] TLS: move from SUPPORT_TLS to DISABLE_TLS macro for the build --- doc/doc-txt/ChangeLog | 10 +- doc/doc-txt/NewStuff | 2 - src/OS/unsupported/Makefile-CYGWIN | 2 +- src/src/EDITME | 161 ++++++++++++++++++----------- src/src/auths/gsasl_exim.c | 2 +- src/src/buildconfig.c | 6 +- src/src/config.h.defaults | 4 +- src/src/daemon.c | 4 +- src/src/dane.c | 2 +- src/src/deliver.c | 26 ++--- src/src/dkim_transport.c | 2 +- src/src/exim.c | 10 +- src/src/exim.h | 6 +- src/src/expand.c | 44 ++++---- src/src/functions.h | 6 +- src/src/globals.c | 8 +- src/src/globals.h | 2 +- src/src/ip.c | 2 +- src/src/macro_predef.c | 4 +- src/src/macro_predef.h | 2 +- src/src/macros.h | 2 +- src/src/pdkim/pdkim.c | 4 +- src/src/pdkim/pdkim_hash.h | 4 +- src/src/pdkim/signing.c | 4 +- src/src/readconf.c | 16 +-- src/src/receive.c | 2 +- src/src/sha_ver.h | 2 +- src/src/smtp_in.c | 34 +++--- src/src/smtp_out.c | 2 +- src/src/spool_in.c | 4 +- src/src/spool_out.c | 2 +- src/src/std-crypto.c | 4 +- src/src/structs.h | 4 +- src/src/tls.c | 12 +-- src/src/transport.c | 6 +- src/src/transports/smtp.c | 68 ++++++------ src/src/transports/smtp.h | 6 +- src/src/verify.c | 14 +-- 38 files changed, 269 insertions(+), 226 deletions(-) diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 789593ab3..73ed33e86 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -108,8 +108,14 @@ JH/21 The smtp transport option "hosts_noproxy_tls" is now unset by default. not do so. JH/22 The smtp transport option "hosts_try_dane" now enables all hosts by - default. If built with the facility, DANE will be used. The facility is - now enabled in the prototype build Makefile "EDITME". + default. If built with the facility, DANE will be used. The facility + SUPPORT_DANE is now enabled in the prototype build Makefile "EDITME". + +JH/23 The build default is now for TLS to be included; the SUPPORT_TLS define + is replaced with DISABLE_TLS. You must still, unless you define + DISABLE_TLS, manage the choice of TLS library and the include-dir and + library-file requirements that go with that choice. Non-TLS builds + are still supported. diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff index c437b38fd..b0ae9c132 100644 --- a/doc/doc-txt/NewStuff +++ b/doc/doc-txt/NewStuff @@ -28,8 +28,6 @@ Version 4.93 8. Expansion operator ${sha2_N:} for N=256, 384, 512. - 9. Build options SUPPORT_DANE and SUPPORT_TLS default to yes - Version 4.92 -------------- diff --git a/src/OS/unsupported/Makefile-CYGWIN b/src/OS/unsupported/Makefile-CYGWIN index 006e9feff..5e608fe9e 100644 --- a/src/OS/unsupported/Makefile-CYGWIN +++ b/src/OS/unsupported/Makefile-CYGWIN @@ -43,7 +43,7 @@ AUTH_CRAM_MD5=yes AUTH_PLAINTEXT=yes AUTH_SPA=yes -SUPPORT_TLS=yes +#DISABLE_TLS=yes TLS_LIBS=-lssl -lcrypto ROUTER_ACCEPT=yes diff --git a/src/src/EDITME b/src/src/EDITME index 58756e1bd..264d2eaff 100644 --- a/src/src/EDITME +++ b/src/src/EDITME @@ -179,6 +179,106 @@ SPOOL_DIRECTORY=/var/spool/exim +############################################################################### +# TLS # +############################################################################### +# Exim is built by default to support the SMTP STARTTLS command, which implements +# Transport Layer Security using SSL (Secure Sockets Layer). This requires you +# must install the OpenSSL library package or the GnuTLS library. Exim contains +# no cryptographic code of its own. + +# If you are running Exim as a (TLS) server, just building it with TLS support +# is all you need to do, as tls_advertise_hosts is set to '*' by +# default. But you are advised to create a suiteable certificate, and tell +# Exim about it by means of the tls_certificate and tls_privatekey run +# time options, otherwise Exim will create a self signed certificate on +# the fly. If you are running Exim only as a (TLS) client, building it with +# TLS support is all you need to do. +# +# If you are using pkg-config then you should not need to worry where +# the libraries and headers are installed, as the pkg-config .pc +# specification should include all -L/-I information necessary. +# Enabling the USE_*_PC options should be sufficient. If not using +# pkg-config, then you have to specify the libraries, and you mmight +# need to specify the locations too. + +# no cryptographic code of its own. Uncomment the following lines if you want +# to build Exim without any TLS support (either OpenSSL or GnuTLS): +# DISABLE_TLS=yes + +# If you are buliding with TLS, the library configuration must be done: + +# Uncomment one of these settings if you are using OpenSSL; pkg-config vs not +# and an optional location. +# USE_OPENSSL_PC=openssl +# TLS_LIBS=-lssl -lcrypto +# TLS_LIBS=-L/usr/local/openssl/lib -lssl -lcrypto + +# Uncomment this if you are using GnuTLS +# USE_GNUTLS=yes +# Uncomment one of these settings if you are using GnuTLS; pkg-config vs not +# and an optional location. If you disable SUPPORT_DANE below, you +# can remove the gnutls-dane references here. +# USE_GNUTLS_PC=gnutls gnutls-dane +# TLS_LIBS=-lgnutls -ltasn1 -lgcrypt -lgnutls-dane +# TLS_LIBS=-L/usr/local/gnu/lib -lgnutls -ltasn1 -lgcrypt -lgnutls-dane + +# Uncomment the first and either the second or the third of these if you +# are using GnuTLS. If you have pkg-config, then the second, else the third. +# USE_GNUTLS=yes +# USE_GNUTLS_PC=gnutls +# TLS_LIBS=-lgnutls -ltasn1 -lgcrypt + +# If using GnuTLS older than 2.10 and using pkg-config then note that Exim's +# build process will require libgcrypt-config to exist in your $PATH. A +# version that old is likely to become unsupported by Exim in 2017. + +# The security fix we provide with the gnutls_allow_auto_pkcs11 option +# (4.82 PP/09) introduces a compatibility regression. The symbol is +# not available if GnuTLS is build without p11-kit (--without-p11-kit +# configure option). In this case use AVOID_GNUTLS_PKCS11=yes when +# building Exim. +# AVOID_GNUTLS_PKCS11=yes + +# If you are running Exim as a server, note that just building it with TLS +# support is not all you need to do. You also need to set up a suitable +# certificate, and tell Exim about it by means of the tls_certificate +# and tls_privatekey run time options. You also need to set tls_advertise_hosts +# to specify the hosts to which Exim advertises TLS support. On the other hand, +# if you are running Exim only as a client, building it with TLS support +# is all you need to do. + +# If you are using pkg-config then you should not need to worry where the +# libraries and headers are installed, as the pkg-config .pc specification +# should include all -L/-I information necessary. If not using pkg-config +# then you might need to specify the locations too. + +# Additional libraries and include files are required for both OpenSSL and +# GnuTLS. The TLS_LIBS settings above assume that the libraries are installed +# with all your other libraries. If they are in a special directory, you may +# need something like + +# TLS_LIBS=-L/usr/local/openssl/lib -lssl -lcrypto + +# or + +# TLS_LIBS=-L/opt/gnu/lib -lgnutls -ltasn1 -lgcrypt -lgnutls-dane +# If not using DANE under GnuTLS we can lose one library +# TLS_LIBS=-L/opt/gnu/lib -lgnutls -ltasn1 -lgcrypt + +# TLS_LIBS is included only on the command for linking Exim itself, not on any +# auxiliary programs. If the include files are not in a standard place, you can +# set TLS_INCLUDE to specify where they are, for example: + +# TLS_INCLUDE=-I/usr/local/openssl/include/ +# or +# TLS_INCLUDE=-I/opt/gnu/include + +# You don't need to set TLS_INCLUDE if the relevant directories are already +# specified in INCLUDE. + + + ############################################################################### # THESE ARE THINGS YOU PROBABLY WANT TO SPECIFY # ############################################################################### @@ -757,67 +857,6 @@ HEADERS_CHARSET="ISO-8859-1" # *** WARNING *** WARNING *** WARNING *** WARNING *** WARNING *** -#------------------------------------------------------------------------------ -# Exim can be built to support the SMTP STARTTLS command, which implements -# Transport Layer Security using SSL (Secure Sockets Layer). To do this, you -# must install the OpenSSL library package or the GnuTLS library. Exim contains -# no cryptographic code of its own. -# -# If you are running Exim as a (TLS) server, just building it with TLS support -# is all you need to do, as tls_advertise_hosts is set to '*' by -# default. But you are advised to create a suiteable certificate, and tell -# Exim about it by means of the tls_certificate and tls_privatekey run -# time options, otherwise Exim will create a self signed certificate on -# the fly. If you are running Exim only as a (TLS) client, building it with -# TLS support is all you need to do. -# -# If you are using pkg-config then you should not need to worry where -# the libraries and headers are installed, as the pkg-config .pc -# specification should include all -L/-I information necessary. -# Enabling the USE_*_PC options should be sufficient. If not using -# pkg-config, then you have to specify the libraries, and you mmight -# need to specify the locations too. - -# This setting is required for any TLS support (either OpenSSL or GnuTLS) -SUPPORT_TLS=yes - -# Uncomment one of these settings if you are using OpenSSL; pkg-config vs not -# and an optional location. -# USE_OPENSSL_PC=openssl -# TLS_LIBS=-lssl -lcrypto -# TLS_LIBS=-L/usr/local/openssl/lib -lssl -lcrypto - -# Uncomment one of these settings if you are using GnuTLS; pkg-config vs not -# and an optional location. If you disabled SUPPORT_DANE above, you -# can remove the gnutls-dane references here. -# USE_GNUTLS=yes -# USE_GNUTLS_PC=gnutls gnutls-dane -# TLS_LIBS=-lgnutls -ltasn1 -lgcrypt -lgnutls-dane -# TLS_LIBS=-L/usr/local/gnu/lib -lgnutls -ltasn1 -lgcrypt -lgnutls-dane - -# If using GnuTLS older than 2.10 and using pkg-config then note that Exim's -# build process will require libgcrypt-config to exist in your $PATH. A -# version that old is likely to become unsupported by Exim in 2017. - -# The security fix we provide with the gnutls_allow_auto_pkcs11 option -# (4.82 PP/09) introduces a compatibility regression. The symbol is -# not available if GnuTLS is build without p11-kit (--without-p11-kit -# configure option). In this case use AVOID_GNUTLS_PKCS11=yes when -# building Exim. -# AVOID_GNUTLS_PKCS11=yes - -# If the include files for your TLS libraries are not in a standard -# place and you didn't use the pkg-config route, you you can set -# TLS_INCLUDE to specify where they are, for example: - -# TLS_INCLUDE=-I/usr/local/openssl/include/ -# or -# TLS_INCLUDE=-I/opt/gnu/include - -# You don't need to set TLS_INCLUDE if the relevant directories are already -# specified in INCLUDE. - - #------------------------------------------------------------------------------ # The default distribution of Exim contains only the plain text form of the # documentation. Other forms are available separately. If you want to install diff --git a/src/src/auths/gsasl_exim.c b/src/src/auths/gsasl_exim.c index 1c9c77d13..faf30bb8a 100644 --- a/src/src/auths/gsasl_exim.c +++ b/src/src/auths/gsasl_exim.c @@ -286,7 +286,7 @@ if (ob->server_realm) } /* We don't support protection layers. */ gsasl_property_set(sctx, GSASL_QOPS, "qop-auth"); -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS if (tls_channelbinding_b64) { /* Some auth mechanisms can ensure that both sides are talking withing the diff --git a/src/src/buildconfig.c b/src/src/buildconfig.c index 426714f91..71cf97b18 100644 --- a/src/src/buildconfig.c +++ b/src/src/buildconfig.c @@ -753,15 +753,15 @@ else if (isgroup) continue; } - /* DISABLE_DKIM is special; must be forced if no SUPPORT_TLS */ + /* DISABLE_DKIM is special; must be forced if DISABLE_TLS */ if (strcmp(name, "DISABLE_DKIM") == 0) { char *d_dkim = getenv("DISABLE_DKIM"); - char *tls = getenv("SUPPORT_TLS"); + char *notls = getenv("DISABLE_TLS"); if (d_dkim) fprintf(new, "#define DISABLE_DKIM yes\n"); - else if (!tls) + else if (notls) fprintf(new, "#define DISABLE_DKIM yes /* forced by lack of TLS */\n"); else fprintf(new, "/* DISABLE_DKIM not set */\n"); diff --git a/src/src/config.h.defaults b/src/src/config.h.defaults index c5d5389ba..f45a61a9a 100644 --- a/src/src/config.h.defaults +++ b/src/src/config.h.defaults @@ -49,8 +49,9 @@ Do not put spaces between # and the 'define'. #define DISABLE_DNSSEC #define DISABLE_DKIM #define DISABLE_EVENT -#define DISABLE_PRDR #define DISABLE_OCSP +#define DISABLE_PRDR +#define DISABLE_TLS #define DISABLE_D_OPTION #define ENABLE_DISABLE_FSYNC @@ -152,7 +153,6 @@ Do not put spaces between # and the 'define'. #define SUPPORT_PROXY #define SUPPORT_SOCKS #define SUPPORT_SPF -#define SUPPORT_TLS #define SUPPORT_TRANSLATE_IP_ADDRESS #define SYSLOG_LOG_PID diff --git a/src/src/daemon.c b/src/src/daemon.c index cf5e09201..0b4d347b9 100644 --- a/src/src/daemon.c +++ b/src/src/daemon.c @@ -645,7 +645,7 @@ if (pid == 0) /* Don't ever molest the parent's SSL connection, but do clean up the data structures if necessary. */ -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS tls_close(NULL, TLS_NO_SHUTDOWN); #endif @@ -1985,7 +1985,7 @@ for (;;) handle_ending_processes(); errno = select_errno; -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS /* Create or rotate any required keys */ tls_daemon_init(); #endif diff --git a/src/src/dane.c b/src/src/dane.c index 541e9cb02..5284a61c3 100644 --- a/src/src/dane.c +++ b/src/src/dane.c @@ -29,7 +29,7 @@ static void dummy(int x) { dummy(x-1); } #else /* Enabling DANE without enabling TLS cannot work. Abort the compilation. */ -# ifndef SUPPORT_TLS +# ifdef DISABLE_TLS # error DANE support requires that TLS support must be enabled. Abort build. # endif diff --git a/src/src/deliver.c b/src/src/deliver.c index f79522d8e..dc7a7d5fb 100644 --- a/src/src/deliver.c +++ b/src/src/deliver.c @@ -801,7 +801,7 @@ return g; -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS static gstring * d_tlslog(gstring * g, address_item * addr) { @@ -1231,7 +1231,7 @@ else #endif } -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS g = d_tlslog(g, addr); #endif @@ -1435,7 +1435,7 @@ if (addr->transport) if (addr->host_used) g = d_hostlog(g, addr); -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS g = d_tlslog(g, addr); #endif @@ -1635,7 +1635,7 @@ if (result == OK) } /* Certificates for logging (via events) */ -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS tls_out.ourcert = addr->ourcert; addr->ourcert = NULL; tls_out.peercert = addr->peercert; @@ -1651,7 +1651,7 @@ if (result == OK) delivery_log(LOG_MAIN, addr, logchar, NULL); -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS tls_free_cert(&tls_out.ourcert); tls_free_cert(&tls_out.peercert); tls_out.cipher = NULL; @@ -3505,7 +3505,7 @@ while (!done) it in with the other info, in order to keep each message short enough to guarantee it won't be split in the pipe. */ -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS case 'X': if (!addr) goto ADDR_MISMATCH; /* Below, in 'A' handler */ switch (*subid) @@ -3543,7 +3543,7 @@ while (!done) } while (*ptr++); break; -#endif /*SUPPORT_TLS*/ +#endif /*DISABLE_TLS*/ case 'C': /* client authenticator information */ switch (*subid) @@ -4805,7 +4805,7 @@ all pipes, so I do not see a reason to use non-blocking IO here # endif /* Use an X item only if there's something to send */ -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS if (addr->cipher) { ptr = big_buffer + sprintf(CS big_buffer, "%.128s", addr->cipher) + 1; @@ -4848,7 +4848,7 @@ all pipes, so I do not see a reason to use non-blocking IO here rmt_dlv_checked_write(fd, 'X', '4', big_buffer, ptr - big_buffer); } # endif -#endif /*SUPPORT_TLS*/ +#endif /*DISABLE_TLS*/ if (client_authenticator) { @@ -5012,7 +5012,7 @@ all pipes, so I do not see a reason to use non-blocking IO here if (cutthrough.cctx.sock >= 0 && cutthrough.callout_hold_only) { -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS if (cutthrough.is_tls) tls_close(cutthrough.cctx.tls_ctx, TLS_NO_SHUTDOWN); #endif @@ -8513,7 +8513,7 @@ if (!regex_SIZE) regex_SIZE = if (!regex_AUTH) regex_AUTH = regex_must_compile(AUTHS_REGEX, FALSE, TRUE); -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS if (!regex_STARTTLS) regex_STARTTLS = regex_must_compile(US"\\n250[\\s\\-]STARTTLS(\\s|\\n|$)", FALSE, TRUE); #endif @@ -8603,7 +8603,7 @@ if (cutthrough.cctx.sock >= 0 && cutthrough.callout_hold_only) smtp_peer_options = cutthrough.peer_options; continue_sequence = 0; -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS if (cutthrough.is_tls) { int pfd[2], pid; @@ -8646,7 +8646,7 @@ else } return; /* compiler quietening; control does not reach here. */ -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS fail: log_write(0, LOG_MAIN | (exec_type == CEE_EXEC_EXIT ? LOG_PANIC : LOG_PANIC_DIE), diff --git a/src/src/dkim_transport.c b/src/src/dkim_transport.c index 8ce18c818..6b643927c 100644 --- a/src/src/dkim_transport.c +++ b/src/src/dkim_transport.c @@ -83,7 +83,7 @@ else while (sread) { -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS wwritten = tls_out.active.sock == out_fd ? tls_write(tls_out.active.tls_ctx, p, sread, FALSE) : write(out_fd, CS p, sread); diff --git a/src/src/exim.c b/src/src/exim.c index 1aa32b269..b2894aeb9 100644 --- a/src/src/exim.c +++ b/src/src/exim.c @@ -553,7 +553,7 @@ close_unwanted(void) { if (smtp_input) { -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS tls_close(NULL, TLS_NO_SHUTDOWN); /* Shut down the TLS library */ #endif (void)close(fileno(smtp_in)); @@ -857,7 +857,7 @@ fprintf(fp, "Support for:"); #ifdef USE_TCP_WRAPPERS fprintf(fp, " TCPwrappers"); #endif -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS # ifdef USE_GNUTLS fprintf(fp, " GnuTLS"); # else @@ -1049,7 +1049,7 @@ DEBUG(D_any) do { show_db_version(fp); -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS tls_version_report(fp); #endif #ifdef SUPPORT_I18N @@ -2712,7 +2712,7 @@ for (i = 1; i < argc; i++) case 'S': smtp_peer_options |= OPTION_SIZE; break; -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS /* -MCt: similar to -MCT below but the connection is still open via a proxy process which handles the TLS context and coding. Require three arguments for the proxied local address and port, @@ -3313,7 +3313,7 @@ for (i = 1; i < argc; i++) /* -tls-on-connect: don't wait for STARTTLS (for old clients) */ - #ifdef SUPPORT_TLS + #ifndef DISABLE_TLS else if (Ustrcmp(argrest, "ls-on-connect") == 0) tls_in.on_connect = TRUE; #endif diff --git a/src/src/exim.h b/src/src/exim.h index 79d1acf13..0638167aa 100644 --- a/src/src/exim.h +++ b/src/src/exim.h @@ -539,11 +539,11 @@ union sockaddr_46 { struct sockaddr v0; }; -/* If SUPPORT_TLS is not defined, ensure that USE_GNUTLS is also not defined -so that if USE_GNUTLS *is* set, we can assume SUPPORT_TLS is also set. +/* If DISABLE_TLS is defined, ensure that USE_GNUTLS is not defined +so that if USE_GNUTLS *is* set, we can assume DISABLE_TLS is not set. Likewise, OSCP, AUTH_TLS and CERTNAMES cannot be supported. */ -#ifndef SUPPORT_TLS +#ifdef DISABLE_TLS # undef USE_GNUTLS # ifndef DISABLE_OCSP # define DISABLE_OCSP diff --git a/src/src/expand.c b/src/src/expand.c index 41eadefd0..31059c432 100644 --- a/src/src/expand.c +++ b/src/src/expand.c @@ -756,7 +756,7 @@ static var_entry var_table[] = { #ifdef EXPERIMENTAL_TLS_RESUME { "tls_in_resumption", vtype_int, &tls_in.resumption }, #endif -#if defined(SUPPORT_TLS) +#ifndef DISABLE_TLS { "tls_in_sni", vtype_stringptr, &tls_in.sni }, #endif { "tls_out_bits", vtype_int, &tls_out.bits }, @@ -773,7 +773,7 @@ static var_entry var_table[] = { #ifdef EXPERIMENTAL_TLS_RESUME { "tls_out_resumption", vtype_int, &tls_out.resumption }, #endif -#if defined(SUPPORT_TLS) +#ifndef DISABLE_TLS { "tls_out_sni", vtype_stringptr, &tls_out.sni }, #endif #ifdef SUPPORT_DANE @@ -781,7 +781,7 @@ static var_entry var_table[] = { #endif { "tls_peerdn", vtype_stringptr, &tls_in.peerdn }, /* mind the alphabetical order! */ -#if defined(SUPPORT_TLS) +#ifndef DISABLE_TLS { "tls_sni", vtype_stringptr, &tls_in.sni }, /* mind the alphabetical order! */ #endif @@ -967,7 +967,7 @@ weirdness they'll twist this into. The result should ideally handle fork(). However, if we're stuck unable to provide this, then we'll fall back to appallingly bad randomness. -If SUPPORT_TLS is defined then this will not be used except as an emergency +If DISABLE_TLS is not defined then this will not be used except as an emergency fallback. Arguments: @@ -975,13 +975,13 @@ Arguments: Returns a random number in range [0, max-1] */ -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS # define vaguely_random_number vaguely_random_number_fallback #endif int vaguely_random_number(int max) { -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS # undef vaguely_random_number #endif static pid_t pid = 0; @@ -1289,7 +1289,7 @@ return string_nextinlist(&list, &sep, NULL, 0); /* Certificate fields, by name. Worry about by-OID later */ /* Names are chosen to not have common prefixes */ -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS typedef struct { uschar * name; @@ -1350,7 +1350,7 @@ expand_string_message = string_sprintf("bad field selector \"%s\" for certextract", field); return NULL; } -#endif /*SUPPORT_TLS*/ +#endif /*DISABLE_TLS*/ /************************************************* * Extract a substring from a string * @@ -3660,7 +3660,7 @@ return yield; } -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS static gstring * cat_file_tls(void * tls_ctx, gstring * yield, uschar * eol) { @@ -4947,7 +4947,7 @@ while (*s != 0) uschar * server_name = NULL; host_item host; BOOL do_shutdown = TRUE; - BOOL do_tls = FALSE; /* Only set under SUPPORT_TLS */ + BOOL do_tls = FALSE; /* Only set under ! DISABLE_TLS */ blob reqstr; if (expand_forbid & RDO_READSOCK) @@ -4991,7 +4991,7 @@ while (*s != 0) while ((item = string_nextinlist(&list, &sep, NULL, 0))) if (Ustrncmp(item, US"shutdown=", 9) == 0) { if (Ustrcmp(item + 9, US"no") == 0) do_shutdown = FALSE; } -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS else if (Ustrncmp(item, US"tls=", 4) == 0) { if (Ustrcmp(item + 9, US"no") != 0) do_tls = TRUE; } #endif @@ -5098,7 +5098,7 @@ while (*s != 0) DEBUG(D_expand) debug_printf_indent("connected to socket %s\n", sub_arg[0]); -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS if (do_tls) { smtp_connect_args conn_args = {.host = &host }; @@ -5123,7 +5123,7 @@ while (*s != 0) DEBUG(D_expand) debug_printf_indent("writing \"%s\" to socket\n", reqstr.data); if ( ( -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS do_tls ? tls_write(cctx.tls_ctx, reqstr.data, reqstr.len, FALSE) : #endif write(cctx.sock, reqstr.data, reqstr.len)) != reqstr.len) @@ -5152,13 +5152,13 @@ while (*s != 0) sigalrm_seen = FALSE; ALARM(timeout); yield = -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS do_tls ? cat_file_tls(cctx.tls_ctx, yield, sub_arg[3]) : #endif cat_file(fp, yield, sub_arg[3]); ALARM_CLR(0); -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS if (do_tls) { tls_close(cctx.tls_ctx, TRUE); @@ -5992,7 +5992,7 @@ while (*s != 0) continue; } -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS case EITEM_CERTEXTRACT: { uschar *save_lookup_value = lookup_value; @@ -6072,7 +6072,7 @@ while (*s != 0) save_expand_nlength); continue; } -#endif /*SUPPORT_TLS*/ +#endif /*DISABLE_TLS*/ /* Handle list operations */ @@ -6584,7 +6584,7 @@ while (*s != 0) int c; uschar *arg = NULL; uschar *sub; -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS var_entry *vp = NULL; #endif @@ -6607,7 +6607,7 @@ while (*s != 0) as we do not want to do the usual expansion. For most, expand the string.*/ switch(c) { -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS case EOP_MD5: case EOP_SHA1: case EOP_SHA256: @@ -6762,7 +6762,7 @@ while (*s != 0) } case EOP_MD5: -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS if (vp && *(void **)vp->value) { uschar * cp = tls_cert_fprt_md5(*(void **)vp->value); @@ -6781,7 +6781,7 @@ while (*s != 0) continue; case EOP_SHA1: -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS if (vp && *(void **)vp->value) { uschar * cp = tls_cert_fprt_sha1(*(void **)vp->value); @@ -7564,7 +7564,7 @@ while (*s != 0) case EOP_STR2B64: case EOP_BASE64: { -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS uschar * s = vp && *(void **)vp->value ? tls_cert_der_b64(*(void **)vp->value) : b64encode(CUS sub, Ustrlen(sub)); diff --git a/src/src/functions.h b/src/src/functions.h index 87953c413..11fb8b59e 100644 --- a/src/src/functions.h +++ b/src/src/functions.h @@ -22,7 +22,7 @@ extern uschar *init_perl(uschar *); #endif -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS extern const char * std_dh_prime_default(void); extern const char * @@ -77,7 +77,7 @@ extern BOOL tls_is_name_for_cert(const uschar *, void *); extern int tlsa_lookup(const host_item *, dns_answer *, BOOL); # endif -#endif /*SUPPORT_TLS*/ +#endif /*DISABLE_TLS*/ /* Everything else... */ @@ -350,7 +350,7 @@ extern uschar *parse_message_id(uschar *, uschar **, uschar **); extern const uschar *parse_quote_2047(const uschar *, int, uschar *, uschar *, int, BOOL); extern uschar *parse_date_time(uschar *str, time_t *t); extern int vaguely_random_number(int); -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS extern int vaguely_random_number_fallback(int); #endif diff --git a/src/src/globals.c b/src/src/globals.c index a2fa032bc..5ce04a6ed 100644 --- a/src/src/globals.c +++ b/src/src/globals.c @@ -115,7 +115,7 @@ int dsn_ret = 0; const pcre *regex_DSN = NULL; uschar *dsn_advertise_hosts = NULL; -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS BOOL gnutls_compat_mode = FALSE; BOOL gnutls_allow_auto_pkcs11 = FALSE; uschar *openssl_options = NULL; @@ -141,7 +141,7 @@ uschar *tls_resumption_hosts = NULL; uschar *tls_try_verify_hosts = NULL; uschar *tls_verify_certificates= US"system"; uschar *tls_verify_hosts = NULL; -#else /*!SUPPORT_TLS*/ +#else /*DISABLE_TLS*/ uschar *tls_advertise_hosts = NULL; #endif @@ -548,7 +548,7 @@ address_item address_defaults = { .return_filename = NULL, .self_hostname = NULL, .shadow_message = NULL, -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS .cipher = NULL, .ourcert = NULL, .peercert = NULL, @@ -1227,7 +1227,7 @@ uschar *received_header_text = US "${if def:sender_helo_name {(helo=$sender_helo_name)\n\t}}}}" "by $primary_hostname " "${if def:received_protocol {with $received_protocol }}" -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS "${if def:tls_in_cipher_std { tls $tls_in_cipher_std\n\t}}" #endif "(Exim $version_number)\n\t" diff --git a/src/src/globals.h b/src/src/globals.h index e98ff7fe1..d29fcc4e1 100644 --- a/src/src/globals.h +++ b/src/src/globals.h @@ -113,7 +113,7 @@ typedef struct { extern tls_support tls_in; extern tls_support tls_out; -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS extern BOOL gnutls_compat_mode; /* Less security, more compatibility */ extern BOOL gnutls_allow_auto_pkcs11; /* Let GnuTLS autoload PKCS11 modules */ extern uschar *openssl_options; /* OpenSSL compatibility options */ diff --git a/src/src/ip.c b/src/src/ip.c index 8b506109e..fb42f0051 100644 --- a/src/src/ip.c +++ b/src/src/ip.c @@ -653,7 +653,7 @@ if (!fd_ready(cctx->sock, timeout)) /* The socket is ready, read from it (via TLS if it's active). On EOF (i.e. close down of the connection), set errno to zero; otherwise leave it alone. */ -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS if (cctx->tls_ctx) /* client TLS */ rc = tls_read(cctx->tls_ctx, buffer, buffsize); else if (tls_in.active.sock == cctx->sock) /* server TLS */ diff --git a/src/src/macro_predef.c b/src/src/macro_predef.c index 33249133a..ebb4cb98a 100644 --- a/src/src/macro_predef.c +++ b/src/src/macro_predef.c @@ -126,7 +126,7 @@ due to conflicts with other common macros. */ #ifdef USE_TCP_WRAPPERS builtin_macro_create(US"_HAVE_TCPWRAPPERS"); #endif -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS builtin_macro_create(US"_HAVE_TLS"); # ifdef USE_GNUTLS builtin_macro_create(US"_HAVE_GNUTLS"); @@ -290,7 +290,7 @@ options_routers(); options_transports(); options_auths(); options_logging(); -#if defined(SUPPORT_TLS) +#ifndef DISABLE_TLS options_tls(); #endif } diff --git a/src/src/macro_predef.h b/src/src/macro_predef.h index 79a8d6f15..4bc98e0df 100644 --- a/src/src/macro_predef.h +++ b/src/src/macro_predef.h @@ -20,7 +20,7 @@ extern void options_transports(void); extern void options_auths(void); extern void options_logging(void); extern void params_dkim(void); -#if defined(SUPPORT_TLS) +#ifndef DISABLE_TLS extern void options_tls(void); #endif diff --git a/src/src/macros.h b/src/src/macros.h index e3f1f4c28..4189b6bd7 100644 --- a/src/src/macros.h +++ b/src/src/macros.h @@ -84,7 +84,7 @@ as unsigned. */ /* When built with TLS support, the act of flushing SMTP output becomes a no-op once an SSL session is in progress. */ -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS #define mac_smtp_fflush() if (tls_in.active.sock < 0) fflush(smtp_out); #else #define mac_smtp_fflush() fflush(smtp_out); diff --git a/src/src/pdkim/pdkim.c b/src/src/pdkim/pdkim.c index 6e154f5ef..9ebcfc1b6 100644 --- a/src/src/pdkim/pdkim.c +++ b/src/src/pdkim/pdkim.c @@ -26,8 +26,8 @@ #ifndef DISABLE_DKIM /* entire file */ -#ifndef SUPPORT_TLS -# error Need SUPPORT_TLS for DKIM +#ifdef DISABLE_TLS +# error Must not DISABLE_TLS, for DKIM #endif #include "crypt_ver.h" diff --git a/src/src/pdkim/pdkim_hash.h b/src/src/pdkim/pdkim_hash.h index 6299ae28a..8f9a12628 100644 --- a/src/src/pdkim/pdkim_hash.h +++ b/src/src/pdkim/pdkim_hash.h @@ -11,8 +11,8 @@ #if !defined(HASH_H) /* entire file */ #define HASH_H -#ifndef SUPPORT_TLS -# error Need SUPPORT_TLS for DKIM +#ifdef DISABLE_TLS +# error Must not DISABLE_TLS, for DKIM #endif #include "crypt_ver.h" diff --git a/src/src/pdkim/signing.c b/src/src/pdkim/signing.c index a47f824b8..53a8a7b45 100644 --- a/src/src/pdkim/signing.c +++ b/src/src/pdkim/signing.c @@ -28,8 +28,8 @@ features_crypto(void) #ifndef DISABLE_DKIM /* rest of file */ -#ifndef SUPPORT_TLS -# error Need SUPPORT_TLS for DKIM +#ifdef DISABLE_TLS +# error Must no DISABLE_TLS, for DKIM #endif diff --git a/src/src/readconf.c b/src/src/readconf.c index b6c41bc65..cffee4a08 100644 --- a/src/src/readconf.c +++ b/src/src/readconf.c @@ -60,7 +60,7 @@ static optionlist optionlist_config[] = { { "acl_smtp_predata", opt_stringptr, &acl_smtp_predata }, { "acl_smtp_quit", opt_stringptr, &acl_smtp_quit }, { "acl_smtp_rcpt", opt_stringptr, &acl_smtp_rcpt }, -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS { "acl_smtp_starttls", opt_stringptr, &acl_smtp_starttls }, #endif { "acl_smtp_vrfy", opt_stringptr, &acl_smtp_vrfy }, @@ -156,7 +156,7 @@ static optionlist optionlist_config[] = { { "freeze_tell", opt_stringptr, &freeze_tell }, { "gecos_name", opt_stringptr, &gecos_name }, { "gecos_pattern", opt_stringptr, &gecos_pattern }, -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS { "gnutls_allow_auto_pkcs11", opt_bool, &gnutls_allow_auto_pkcs11 }, { "gnutls_compat_mode", opt_bool, &gnutls_compat_mode }, #endif @@ -224,7 +224,7 @@ static optionlist optionlist_config[] = { { "mysql_servers", opt_stringptr, &mysql_servers }, #endif { "never_users", opt_uidlist, &never_users }, -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS { "openssl_options", opt_stringptr, &openssl_options }, #endif #ifdef LOOKUP_ORACLE @@ -355,7 +355,7 @@ static optionlist optionlist_config[] = { { "timeout_frozen_after", opt_time, &timeout_frozen_after }, { "timezone", opt_stringptr, &timezone_string }, { "tls_advertise_hosts", opt_stringptr, &tls_advertise_hosts }, -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS { "tls_certificate", opt_stringptr, &tls_certificate }, { "tls_crl", opt_stringptr, &tls_crl }, { "tls_dh_max_bits", opt_int, &tls_dh_max_bits }, @@ -3082,7 +3082,7 @@ Assumes: tls_require_ciphers has been set, if it will be Returns: bool for "okay"; false will cause caller to immediately exit. */ -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS static BOOL tls_dropprivs_validate_require_cipher(BOOL nowarn) { @@ -3135,7 +3135,7 @@ signal(SIGCHLD, oldsignal); return status == 0; } -#endif /* SUPPORT_TLS */ +#endif /*DISABLE_TLS*/ @@ -3622,7 +3622,7 @@ if (host_number_string) host_number = n; } -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS /* If tls_verify_hosts is set, tls_verify_certificates must also be set */ if ((tls_verify_hosts || tls_try_verify_hosts) && !tls_verify_certificates) @@ -3655,7 +3655,7 @@ if (openssl_options) "openssl_options parse error: %s", openssl_options); # endif } -#endif /*SUPPORT_TLS*/ +#endif /*DISABLE_TLS*/ if (!nowarn && !keep_environment && environ && *environ) log_write(0, LOG_MAIN, diff --git a/src/src/receive.c b/src/src/receive.c index fbd32c8fa..9769e8893 100644 --- a/src/src/receive.c +++ b/src/src/receive.c @@ -3978,7 +3978,7 @@ if (message_reference) g = add_host_info_for_log(g); -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS if (LOGGING(tls_cipher) && tls_in.cipher) { g = string_append(g, 2, US" X=", tls_in.cipher); diff --git a/src/src/sha_ver.h b/src/src/sha_ver.h index 61408788b..a7e99f506 100644 --- a/src/src/sha_ver.h +++ b/src/src/sha_ver.h @@ -16,7 +16,7 @@ * and not massaging CFLAGS in Local/Makefile is fully supported. */ -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS # define EXIM_HAVE_SHA2 diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c index 40fd3083b..049f5b542 100644 --- a/src/src/smtp_in.c +++ b/src/src/smtp_in.c @@ -133,7 +133,7 @@ to the circular buffer that holds a list of the last n received. */ static struct { BOOL auth_advertised :1; -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS BOOL tls_advertised :1; #endif BOOL dsn_advertised :1; @@ -194,7 +194,7 @@ static smtp_cmd_list cmd_list[] = { { "helo", sizeof("helo")-1, HELO_CMD, TRUE, FALSE }, { "ehlo", sizeof("ehlo")-1, EHLO_CMD, TRUE, FALSE }, { "auth", sizeof("auth")-1, AUTH_CMD, TRUE, TRUE }, -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS { "starttls", sizeof("starttls")-1, STARTTLS_CMD, FALSE, FALSE }, { "tls_auth", 0, TLS_AUTH_CMD, FALSE, FALSE }, #endif @@ -348,7 +348,7 @@ int fd, rc; fd_set fds; struct timeval tzero; -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS if (tls_in.active.sock >= 0) return !tls_could_read(); #endif @@ -945,7 +945,7 @@ if (fl.rcpt_in_progress) /* Now write the string */ -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS if (tls_in.active.sock >= 0) { if (tls_write(NULL, gs.s, gs.ptr, more) < 0) @@ -1774,7 +1774,7 @@ return string_sprintf("SMTP connection from %s", hostname); -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS /* Append TLS-related information to a log line Arguments: @@ -1830,7 +1830,7 @@ if (sender_host_authenticated) if (authenticated_id) g = string_append(g, 2, US":", authenticated_id); } -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS g = s_tlslog(g); #endif @@ -2375,7 +2375,7 @@ return done - 2; /* Convert yield values */ -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS static BOOL smtp_log_tls_fail(uschar * errstr) { @@ -2466,7 +2466,7 @@ if (!host_checking && !f.sender_host_notsocket) sender_host_auth_pubname = sender_host_authenticated = NULL; authenticated_by = NULL; -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS tls_in.cipher = tls_in.peerdn = NULL; tls_in.ourcert = tls_in.peercert = NULL; tls_in.sni = NULL; @@ -2903,7 +2903,7 @@ if (check_proxy_protocol_host()) /* Start up TLS if tls_on_connect is set. This is for supporting the legacy smtps port for use with older style SSL MTAs. */ -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS if (tls_in.on_connect) { if (tls_server_start(tls_require_ciphers, &user_msg) != OK) @@ -3404,7 +3404,7 @@ is closing if required and return 2. */ if (log_reject_target != 0) { -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS gstring * g = s_tlslog(NULL); uschar * tls = string_from_gstring(g); if (!tls) tls = US""; @@ -3825,7 +3825,7 @@ if (*user_msgp) else smtp_printf("221 %s closing connection\r\n", FALSE, smtp_active_hostname); -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS tls_close(NULL, TLS_SHUTDOWN_NOWAIT); #endif @@ -3896,7 +3896,7 @@ chunking_state = f.chunking_offered ? CHUNKING_OFFERED : CHUNKING_NOT_OFFERED; cmd_list[CMD_LIST_RSET].is_mail_cmd = TRUE; cmd_list[CMD_LIST_HELO].is_mail_cmd = TRUE; cmd_list[CMD_LIST_EHLO].is_mail_cmd = TRUE; -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS cmd_list[CMD_LIST_STARTTLS].is_mail_cmd = TRUE; #endif @@ -4228,7 +4228,7 @@ while (done <= 0) fl.auth_advertised = FALSE; f.smtp_in_pipelining_advertised = FALSE; -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS fl.tls_advertised = FALSE; #endif fl.dsn_advertised = FALSE; @@ -4421,7 +4421,7 @@ while (done <= 0) tls_advertise_hosts. We must *not* advertise if we are already in a secure connection. */ -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS if (tls_in.active.sock < 0 && verify_check_host(&tls_advertise_hosts) != FAIL) { @@ -4459,7 +4459,7 @@ while (done <= 0) /* Terminate the string (for debug), write it, and note that HELO/EHLO has been seen. */ -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS if (tls_in.active.sock >= 0) (void)tls_write(NULL, g->s, g->ptr, # ifdef EXPERIMENTAL_PIPE_CONNECT @@ -5395,7 +5395,7 @@ while (done <= 0) break; - #ifdef SUPPORT_TLS + #ifndef DISABLE_TLS case STARTTLS_CMD: HAD(SCH_STARTTLS); @@ -5586,7 +5586,7 @@ while (done <= 0) uschar buffer[256]; buffer[0] = 0; Ustrcat(buffer, " AUTH"); - #ifdef SUPPORT_TLS + #ifndef DISABLE_TLS if (tls_in.active.sock < 0 && verify_check_host(&tls_advertise_hosts) != FAIL) Ustrcat(buffer, " STARTTLS"); diff --git a/src/src/smtp_out.c b/src/src/smtp_out.c index 4be7b9c17..d8cb42e01 100644 --- a/src/src/smtp_out.c +++ b/src/src/smtp_out.c @@ -444,7 +444,7 @@ BOOL more = mode == SCMD_MORE; HDEBUG(D_transport|D_acl) debug_printf_indent("cmd buf flush %d bytes%s\n", n, more ? " (more expected)" : ""); -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS if (outblock->cctx->tls_ctx) rc = tls_write(outblock->cctx->tls_ctx, outblock->buffer, n, more); else diff --git a/src/src/spool_in.c b/src/src/spool_in.c index 95004c103..c46689506 100644 --- a/src/src/spool_in.c +++ b/src/src/spool_in.c @@ -273,7 +273,7 @@ f.dkim_disable_verify = FALSE; dkim_collect_input = 0; #endif -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS tls_in.certificate_verified = FALSE; # ifdef SUPPORT_DANE tls_in.dane_verified = FALSE; @@ -646,7 +646,7 @@ for (;;) #endif break; -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS case 't': if (Ustrncmp(p, "ls_", 3) == 0) { diff --git a/src/src/spool_out.c b/src/src/spool_out.c index d14914f94..508e68cea 100644 --- a/src/src/spool_out.c +++ b/src/src/spool_out.c @@ -233,7 +233,7 @@ if (f.sender_set_untrusted) fprintf(fp, "-sender_set_untrusted\n"); if (bmi_verdicts) fprintf(fp, "-bmi_verdicts %s\n", bmi_verdicts); #endif -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS if (tls_in.certificate_verified) fprintf(fp, "-tls_certificate_verified\n"); if (tls_in.cipher) fprintf(fp, "-tls_cipher %s\n", tls_in.cipher); if (tls_in.peercert) diff --git a/src/src/std-crypto.c b/src/src/std-crypto.c index 161052c14..a045f6cc6 100644 --- a/src/src/std-crypto.c +++ b/src/src/std-crypto.c @@ -17,7 +17,7 @@ #include "exim.h" -#ifndef SUPPORT_TLS +#ifdef DISABLE_TLS static void dummy(int x) { dummy(x-1); } #else @@ -1018,5 +1018,5 @@ std_dh_prime_named(const uschar *name) return NULL; } -#endif /* SUPPORT_TLS */ +#endif /*DISABLE_TLS*/ /* EOF */ diff --git a/src/src/structs.h b/src/src/structs.h index 349aa38e8..da61df24f 100644 --- a/src/src/structs.h +++ b/src/src/structs.h @@ -567,7 +567,7 @@ typedef struct address_item { uschar *self_hostname; /* after self=pass */ uschar *shadow_message; /* info about shadow transporting */ -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS uschar *cipher; /* Cipher used for transport */ void *ourcert; /* Certificate offered to peer, binary */ void *peercert; /* Certificate from peer, binary */ @@ -805,7 +805,7 @@ typedef struct { int host_af; uschar * interface; -#if defined(SUPPORT_TLS) && defined(SUPPORT_DANE) +#if !defined(DISABLE_TLS) && defined(SUPPORT_DANE) BOOL dane:1; /* connection must do dane */ dns_answer tlsa_dnsa; #endif diff --git a/src/src/tls.c b/src/src/tls.c index 7b8d7a2a3..1fd10d52b 100644 --- a/src/src/tls.c +++ b/src/src/tls.c @@ -19,7 +19,7 @@ functions from the OpenSSL or GNU TLS libraries. */ #include "exim.h" #include "transports/smtp.h" -#if defined(MACRO_PREDEF) && defined(SUPPORT_TLS) +#if defined(MACRO_PREDEF) && !defined(DISABLE_TLS) # include "macro_predef.h" # ifdef USE_GNUTLS # include "tls-gnu.c" @@ -37,7 +37,7 @@ reference itself to stop picky compilers complaining that it is unused, and put in a dummy argument to stop even pickier compilers complaining about infinite loops. */ -#ifndef SUPPORT_TLS +#ifdef DISABLE_TLS static void dummy(int x) { dummy(x-1); } #else @@ -217,7 +217,7 @@ return ssl_xfer_buffer_lwm < ssl_xfer_buffer_hwm; } -#endif /* SUPPORT_TLS */ +#endif /*DISABLE_TLS*/ void tls_modify_variables(tls_support * dest_tsp) @@ -226,13 +226,13 @@ modify_variable(US"tls_bits", &dest_tsp->bits); modify_variable(US"tls_certificate_verified", &dest_tsp->certificate_verified); modify_variable(US"tls_cipher", &dest_tsp->cipher); modify_variable(US"tls_peerdn", &dest_tsp->peerdn); -#if defined(SUPPORT_TLS) && !defined(USE_GNUTLS) +#if !defined(DISABLE_TLS) && !defined(USE_GNUTLS) modify_variable(US"tls_sni", &dest_tsp->sni); #endif } -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS /************************************************ * TLS certificate name operations * ************************************************/ @@ -364,7 +364,7 @@ else if ((subjdn = tls_cert_subject(cert, NULL))) } return FALSE; } -#endif /*SUPPORT_TLS*/ +#endif /*!DISABLE_TLS*/ #endif /*!MACRO_PREDEF*/ /* vi: aw ai sw=2 diff --git a/src/src/transport.c b/src/src/transport.c index fb74dfdcd..d745ef15f 100644 --- a/src/src/transport.c +++ b/src/src/transport.c @@ -238,7 +238,7 @@ for (int i = 0; i < 100; i++) if (transport_write_timeout <= 0) /* No timeout wanted */ { rc = -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS tls_out.active.sock == fd ? tls_write(tls_out.active.tls_ctx, block, len, more) : #endif #ifdef MSG_MORE @@ -256,7 +256,7 @@ for (int i = 0; i < 100; i++) ALARM(local_timeout); rc = -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS tls_out.active.sock == fd ? tls_write(tls_out.active.tls_ctx, block, len, more) : #endif #ifdef MSG_MORE @@ -1867,7 +1867,7 @@ if (smtp_peer_options & OPTION_CHUNKING) argv[i++] = US"-MCK"; if (smtp_peer_options & OPTION_DSN) argv[i++] = US"-MCD"; if (smtp_peer_options & OPTION_PIPE) argv[i++] = US"-MCP"; if (smtp_peer_options & OPTION_SIZE) argv[i++] = US"-MCS"; -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS if (smtp_peer_options & OPTION_TLS) if (tls_out.active.sock >= 0 || continue_proxy_cipher) { diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c index 3d7aaae6b..42517400b 100644 --- a/src/src/transports/smtp.c +++ b/src/src/transports/smtp.c @@ -90,7 +90,7 @@ optionlist smtp_transport_options[] = { (void *)offsetof(smtp_transport_options_block, hosts_avoid_esmtp) }, { "hosts_avoid_pipelining", opt_stringptr, (void *)offsetof(smtp_transport_options_block, hosts_avoid_pipelining) }, -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS { "hosts_avoid_tls", opt_stringptr, (void *)offsetof(smtp_transport_options_block, hosts_avoid_tls) }, #endif @@ -98,7 +98,7 @@ optionlist smtp_transport_options[] = { (void *)offsetof(smtp_transport_options_block, hosts_max_try) }, { "hosts_max_try_hardlimit", opt_int, (void *)offsetof(smtp_transport_options_block, hosts_max_try_hardlimit) }, -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS { "hosts_nopass_tls", opt_stringptr, (void *)offsetof(smtp_transport_options_block, hosts_nopass_tls) }, { "hosts_noproxy_tls", opt_stringptr, @@ -112,13 +112,13 @@ optionlist smtp_transport_options[] = { #endif { "hosts_randomize", opt_bool, (void *)offsetof(smtp_transport_options_block, hosts_randomize) }, -#if defined(SUPPORT_TLS) && !defined(DISABLE_OCSP) +#if !defined(DISABLE_TLS) && !defined(DISABLE_OCSP) { "hosts_request_ocsp", opt_stringptr, (void *)offsetof(smtp_transport_options_block, hosts_request_ocsp) }, #endif { "hosts_require_auth", opt_stringptr, (void *)offsetof(smtp_transport_options_block, hosts_require_auth) }, -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS # ifdef SUPPORT_DANE { "hosts_require_dane", opt_stringptr, (void *)offsetof(smtp_transport_options_block, hosts_require_dane) }, @@ -134,7 +134,7 @@ optionlist smtp_transport_options[] = { (void *)offsetof(smtp_transport_options_block, hosts_try_auth) }, { "hosts_try_chunking", opt_stringptr, (void *)offsetof(smtp_transport_options_block, hosts_try_chunking) }, -#if defined(SUPPORT_TLS) && defined(SUPPORT_DANE) +#if !defined(DISABLE_TLS) && defined(SUPPORT_DANE) { "hosts_try_dane", opt_stringptr, (void *)offsetof(smtp_transport_options_block, hosts_try_dane) }, #endif @@ -144,7 +144,7 @@ optionlist smtp_transport_options[] = { { "hosts_try_prdr", opt_stringptr, (void *)offsetof(smtp_transport_options_block, hosts_try_prdr) }, #endif -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS { "hosts_verify_avoid_tls", opt_stringptr, (void *)offsetof(smtp_transport_options_block, hosts_verify_avoid_tls) }, #endif @@ -172,7 +172,7 @@ optionlist smtp_transport_options[] = { { "socks_proxy", opt_stringptr, (void *)offsetof(smtp_transport_options_block, socks_proxy) }, #endif -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS { "tls_certificate", opt_stringptr, (void *)offsetof(smtp_transport_options_block, tls_certificate) }, { "tls_crl", opt_stringptr, @@ -260,7 +260,7 @@ smtp_transport_options_block smtp_transport_option_defaults = { .hosts_pipe_connect = NULL, #endif .hosts_avoid_esmtp = NULL, -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS .hosts_nopass_tls = NULL, .hosts_noproxy_tls = NULL, #endif @@ -288,7 +288,7 @@ smtp_transport_options_block smtp_transport_option_defaults = { #ifdef SUPPORT_SOCKS .socks_proxy = NULL, #endif -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS .tls_certificate = NULL, .tls_crl = NULL, .tls_privatekey = NULL, @@ -1687,7 +1687,7 @@ smtp_local_identity(uschar * sender, struct transport_instance * tblock) address_item * addr1; uschar * if1 = US""; uschar * helo1 = US""; -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS uschar * tlsc1 = US""; #endif uschar * save_sender_address = sender_address; @@ -1705,7 +1705,7 @@ if (ob->interface) if (ob->helo_data) helo1 = expand_string(ob->helo_data); -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS if (ob->tls_certificate) tlsc1 = expand_string(ob->tls_certificate); local_identity = string_sprintf ("%s^%s^%s", if1, helo1, tlsc1); @@ -1754,7 +1754,7 @@ size_t bsize = Ustrlen(buf); /* debug_printf("%s: check for 0x%04x\n", __FUNCTION__, checks); */ -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS if ( checks & OPTION_TLS && pcre_exec(regex_STARTTLS, NULL, CS buf, bsize, 0, PCRE_EOPT, NULL, 0) < 0) #endif @@ -1954,7 +1954,7 @@ BOOL pass_message = FALSE; uschar * message = NULL; int yield = OK; int rc; -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS uschar * tls_errstr; #endif @@ -1972,7 +1972,7 @@ sx->esmtp_sent = FALSE; sx->utf8_needed = FALSE; #endif sx->dsn_all_lasthop = TRUE; -#if defined(SUPPORT_TLS) && defined(SUPPORT_DANE) +#if !defined(DISABLE_TLS) && defined(SUPPORT_DANE) sx->conn_args.dane = FALSE; sx->dane_required = verify_check_given_host(CUSS &ob->hosts_require_dane, sx->conn_args.host) == OK; @@ -2019,7 +2019,7 @@ tls_out.cipher = NULL; /* the one we may use for this transport */ tls_out.ourcert = NULL; tls_out.peercert = NULL; tls_out.peerdn = NULL; -#if defined(SUPPORT_TLS) && !defined(USE_GNUTLS) +#if !defined(DISABLE_TLS) && !defined(USE_GNUTLS) tls_out.sni = NULL; #endif tls_out.ocsp = OCSP_NOT_REQ; @@ -2034,7 +2034,7 @@ For verify, unflipped once the callout is dealt with */ tls_modify_variables(&tls_out); -#ifndef SUPPORT_TLS +#ifdef DISABLE_TLS if (sx->smtps) { set_errno_nohost(sx->addrlist, ERRNO_TLSFAILURE, US"TLS support not available", @@ -2056,7 +2056,7 @@ if (!continue_hostname) smtp_port_for_connect(sx->conn_args.host, sx->port); -#if defined(SUPPORT_TLS) && defined(SUPPORT_DANE) +#if !defined(DISABLE_TLS) && defined(SUPPORT_DANE) /* Do TLSA lookup for DANE */ { tls_out.dane_verified = FALSE; @@ -2262,7 +2262,7 @@ goto SEND_QUIT; /* Alas; be careful, since this goto is not an error-out, so conceivably we might set data between here and the target which we assume to exist and be usable. I can see this coming back to bite us. */ -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS if (sx->smtps) { smtp_peer_options |= OPTION_TLS; @@ -2388,7 +2388,7 @@ goto SEND_QUIT; /* Set tls_offered if the response to EHLO specifies support for STARTTLS. */ -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS smtp_peer_options |= sx->peer_offered & OPTION_TLS; #endif } @@ -2450,7 +2450,7 @@ negative, the original EHLO data is available for subsequent analysis, should the client not be required to use TLS. If the response is bad, copy the buffer for error analysis. */ -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS if ( smtp_peer_options & OPTION_TLS && !suppress_tls && verify_check_given_host(CUSS &ob->hosts_avoid_tls, sx->conn_args.host) != OK @@ -2665,7 +2665,7 @@ else if ( sx->smtps # endif goto TLS_FAILED; } -#endif /*SUPPORT_TLS*/ +#endif /*DISABLE_TLS*/ /* If TLS is active, we have just started it up and re-done the EHLO command, so its response needs to be analyzed. If TLS is not active and this is a @@ -2673,7 +2673,7 @@ continued session down a previously-used socket, we haven't just done EHLO, so we skip this. */ if (continue_hostname == NULL -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS || tls_out.active.sock >= 0 #endif ) @@ -2874,7 +2874,7 @@ return OK; in message and errno, and setting_up will always be true. Treat as a temporary error. */ -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS TLS_FAILED: code = '4', yield = DEFER; goto FAILED; @@ -2917,7 +2917,7 @@ SEND_QUIT: if (sx->send_quit) (void)smtp_write_command(sx, SCMD_FLUSH, "QUIT\r\n"); -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS if (sx->cctx.tls_ctx) { tls_close(sx->cctx.tls_ctx, TLS_SHUTDOWN_NOWAIT); @@ -3261,7 +3261,7 @@ return 0; } -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS /***************************************************** * Proxy TLS connection for another transport process * ******************************************************/ @@ -4148,7 +4148,7 @@ if (sx.completed_addr && sx.ok && sx.send_quit) if ( sx.first_addr != NULL || f.continue_more || ( -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS ( tls_out.active.sock < 0 && !continue_proxy_cipher || verify_check_given_host(CUSS &ob->hosts_nopass_tls, host) != OK ) @@ -4186,7 +4186,7 @@ if (sx.completed_addr && sx.ok && sx.send_quit) if (sx.ok) { -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS int pfd[2]; #endif int socket_fd = sx.cctx.sock; @@ -4203,7 +4203,7 @@ if (sx.completed_addr && sx.ok && sx.send_quit) transport_pass_socket). If the caller has more ready, just return with the connection still open. */ -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS if (tls_out.active.sock >= 0) if ( f.continue_more || verify_check_given_host(CUSS &ob->hosts_noproxy_tls, host) == OK) @@ -4262,7 +4262,7 @@ propagate it from the initial just passed the baton to. Fork a child to to do it, and return to get logging done asap. Which way to place the work makes assumptions about post-fork prioritisation which may not hold on all platforms. */ -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS if (tls_out.active.sock >= 0) { int pid = fork(); @@ -4330,7 +4330,7 @@ if (sx.send_quit) (void)smtp_write_command(&sx, SCMD_FLUSH, "QUIT\r\n"); END_OFF: -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS tls_close(sx.cctx.tls_ctx, TLS_SHUTDOWN_NOWAIT); sx.cctx.tls_ctx = NULL; #endif @@ -4449,7 +4449,7 @@ for (address_item * addr = addrlist; addr; addr = addr->next) addr->basic_errno = 0; addr->more_errno = (host->mx >= 0)? 'M' : 'A'; addr->message = NULL; -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS addr->cipher = NULL; addr->ourcert = NULL; addr->peercert = NULL; @@ -5112,7 +5112,7 @@ retry_non_continued: session, so the in-clear transmission after those errors, if permitted, happens inside smtp_deliver().] */ -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS if ( rc == DEFER && first_addr->basic_errno == ERRNO_TLSFAILURE && ob->tls_tempfail_tryclear @@ -5132,7 +5132,7 @@ retry_non_continued: deferred_event_raise(first_addr, host); # endif } -#endif /*SUPPORT_TLS*/ +#endif /*DISABLE_TLS*/ } /* Delivery attempt finished */ @@ -5305,7 +5305,7 @@ retry_non_continued: int fd = cutthrough.cctx.sock >= 0 ? cutthrough.cctx.sock : 0; DEBUG(D_transport) debug_printf("no hosts match already-open connection\n"); -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS /* A TLS conn could be open for a cutthrough, but not for a plain continued- transport */ /*XXX doublecheck that! */ diff --git a/src/src/transports/smtp.h b/src/src/transports/smtp.h index ab0e93ff8..5200fcb74 100644 --- a/src/src/transports/smtp.h +++ b/src/src/transports/smtp.h @@ -50,7 +50,7 @@ typedef struct { uschar *hosts_pipe_connect; #endif uschar *hosts_avoid_esmtp; -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS uschar *hosts_nopass_tls; uschar *hosts_noproxy_tls; #endif @@ -78,7 +78,7 @@ typedef struct { #ifdef SUPPORT_SOCKS uschar *socks_proxy; #endif -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS uschar *tls_certificate; uschar *tls_crl; uschar *tls_privatekey; @@ -135,7 +135,7 @@ typedef struct { BOOL utf8_needed:1; #endif BOOL dsn_all_lasthop:1; -#if defined(SUPPORT_TLS) && defined(SUPPORT_DANE) +#if !defined(DISABLE_TLS) && defined(SUPPORT_DANE) BOOL dane_required:1; #endif #ifdef EXPERIMENTAL_PIPE_CONNECT diff --git a/src/src/verify.c b/src/src/verify.c index 184809fb5..7125a6da1 100644 --- a/src/src/verify.c +++ b/src/src/verify.c @@ -687,7 +687,7 @@ tls_retry_connection: if permitted */ yield = smtp_setup_conn(&sx, FALSE); -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS if ( yield == DEFER && addr->basic_errno == ERRNO_TLSFAILURE && ob->tls_tempfail_tryclear @@ -819,7 +819,7 @@ tls_retry_connection: HDEBUG(D_acl|D_v) debug_printf_indent("problem after random/rset/mfrom; reopen conn\n"); random_local_part = NULL; -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS tls_close(sx.cctx.tls_ctx, TLS_SHUTDOWN_NOWAIT); #endif HDEBUG(D_transport|D_acl|D_v) debug_printf_indent(" SMTP(close)>>\n"); @@ -1109,7 +1109,7 @@ no_conn: if (sx.cctx.sock >= 0) { -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS if (sx.cctx.tls_ctx) { tls_close(sx.cctx.tls_ctx, TLS_SHUTDOWN_NOWAIT); @@ -1215,7 +1215,7 @@ if(cutthrough.cctx.sock < 0) return TRUE; if( -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS cutthrough.is_tls ? tls_write(cutthrough.cctx.tls_ctx, ctctx.outblock.buffer, n, FALSE) : @@ -1416,7 +1416,7 @@ if(fd >= 0) /* Wait a short time for response, and discard it */ cutthrough_response(&tmp_ctx, '2', NULL, 1); -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS if (cutthrough.is_tls) { tls_close(cutthrough.cctx.tls_ctx, TLS_SHUTDOWN_NOWAIT); @@ -1924,12 +1924,12 @@ while (addr_new) } else { -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS deliver_set_expansions(addr); #endif rc = do_callout(addr, host_list, &tf, callout, callout_overall, callout_connect, options, se_mailfrom, pm_mailfrom); -#ifdef SUPPORT_TLS +#ifndef DISABLE_TLS deliver_set_expansions(NULL); #endif } -- 2.30.2