From de517fd3061ee343cd36d05587c915f617318671 Mon Sep 17 00:00:00 2001
From: Jeremy Harris
Date: Fri, 24 May 2019 16:39:05 +0100
Subject: [PATCH] TLS: introduce USE_OPENSSL as an explicit requirement for the build
---
 doc/doc-txt/ChangeLog | 8 ++++----
 src/src/EDITME | 12 +++++-------
 src/src/config.h.defaults | 1 +
 src/src/dane.c | 2 +-
 src/src/exim.c | 7 +++----
 src/src/exim.h | 2 ++
 src/src/functions.h | 2 +-
 src/src/pdkim/crypt_ver.h | 10 +++++-----
 src/src/sha_ver.h | 3 ++-
 src/src/tls.c | 13 +++++++++----
 src/src/transports/smtp.c | 2 +-
 11 files changed, 34 insertions(+), 28 deletions(-)
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 73ed33e86..9159d3021 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -112,10 +112,10 @@ JH/22 The smtp transport option "hosts_try_dane" now enables all hosts by
 SUPPORT_DANE is now enabled in the prototype build Makefile "EDITME".
 JH/23 The build default is now for TLS to be included; the SUPPORT_TLS define
- is replaced with DISABLE_TLS. You must still, unless you define
- DISABLE_TLS, manage the choice of TLS library and the include-dir and
- library-file requirements that go with that choice. Non-TLS builds
- are still supported.
+ is replaced with DISABLE_TLS. Either USE_GNUTLS or (the new) USE_OPENSSL
+ must be defined and you must still, unless you define DISABLE_TLS, manage
+ the the include-dir and library-file requirements that go with that
+ choice. Non-TLS builds are still supported.
diff --git a/src/src/EDITME b/src/src/EDITME
index 264d2eaff..e1bf812db 100644
--- a/src/src/EDITME
+++ b/src/src/EDITME
@@ -202,12 +202,16 @@ SPOOL_DIRECTORY=/var/spool/exim
 # pkg-config, then you have to specify the libraries, and you mmight
 # need to specify the locations too.
-# no cryptographic code of its own. Uncomment the following lines if you want
+# Uncomment the following lines if you want
 # to build Exim without any TLS support (either OpenSSL or GnuTLS):
 # DISABLE_TLS=yes
+# Unless you do this, you must define one of USE_OPENSSL or USE_GNUTLS
+# below.
 # If you are buliding with TLS, the library configuration must be done:
+# Uncomment this if you are using OpenSSL
+# USE_OPENSSL=yes
 # Uncomment one of these settings if you are using OpenSSL; pkg-config vs not
 # and an optional location.
 # USE_OPENSSL_PC=openssl
@@ -223,12 +227,6 @@ SPOOL_DIRECTORY=/var/spool/exim
 # TLS_LIBS=-lgnutls -ltasn1 -lgcrypt -lgnutls-dane
 # TLS_LIBS=-L/usr/local/gnu/lib -lgnutls -ltasn1 -lgcrypt -lgnutls-dane
-# Uncomment the first and either the second or the third of these if you
-# are using GnuTLS. If you have pkg-config, then the second, else the third.
-# USE_GNUTLS=yes
-# USE_GNUTLS_PC=gnutls
-# TLS_LIBS=-lgnutls -ltasn1 -lgcrypt
-
 # If using GnuTLS older than 2.10 and using pkg-config then note that Exim's
 # build process will require libgcrypt-config to exist in your $PATH. A
 # version that old is likely to become unsupported by Exim in 2017.
diff --git a/src/src/config.h.defaults b/src/src/config.h.defaults
index f45a61a9a..27b8fb409 100644
--- a/src/src/config.h.defaults
+++ b/src/src/config.h.defaults
@@ -172,6 +172,7 @@ Do not put spaces between # and the 'define'.
 #define USE_GDBM
 #define USE_GNUTLS
 #define AVOID_GNUTLS_PKCS11
+#define USE_OPENSSL
 #define USE_READLINE
 #define USE_TCP_WRAPPERS
 #define USE_TDB
diff --git a/src/src/dane.c b/src/src/dane.c
index 5284a61c3..5ba61961a 100644
--- a/src/src/dane.c
+++ b/src/src/dane.c
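Review bot: The new wording at `+# Unless you do this, you must define one of USE_OPENSSL or USE_GNUTLS` tells the builder to pick a library but not that the two are mutually exclusive, and nothing visible in this patch rejects a build with both set. Since `# USE_OPENSSL=yes` is added under the OpenSSL group while the second hunk deletes the commented `# USE_GNUTLS=yes` block, someone merging an old EDITME that still carries USE_GNUTLS=yes can end up with both without any hint that this is wrong; the remaining GnuTLS instructions are outside this hunk, so I cannot confirm where USE_GNUTLS is now documented. I would tighten the two added lines to `# Unless you do this, you must define exactly one of USE_OPENSSL or` and `# USE_GNUTLS below; defining both is not supported.`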
@@ -38,7 +38,7 @@ static void dummy(int x) { dummy(x-1); }
 # error DANE support requires that the DNS resolver library supports DNSSEC
 # endif
-# ifndef USE_GNUTLS
+# ifdef USE_OPENSSL
 # include "dane-openssl.c"
 # endif
diff --git a/src/src/exim.c b/src/src/exim.c
index b2894aeb9..abce9fc69 100644
--- a/src/src/exim.c
+++ b/src/src/exim.c
@@ -857,12 +857,11 @@ fprintf(fp, "Support for:");
 #ifdef USE_TCP_WRAPPERS
 fprintf(fp, " TCPwrappers");
 #endif
-#ifndef DISABLE_TLS
-# ifdef USE_GNUTLS
+#ifdef USE_GNUTLS
 fprintf(fp, " GnuTLS");
-# else
+#endif
+#ifdef USE_OPENSSL
 fprintf(fp, " OpenSSL");
-# endif
 #endif
 #ifdef SUPPORT_TRANSLATE_IP_ADDRESS
 fprintf(fp, " translate_ip_address");
diff --git a/src/src/exim.h b/src/src/exim.h
index 0638167aa..263c00321 100644
--- a/src/src/exim.h
+++ b/src/src/exim.h
@@ -541,9 +541,11 @@ union sockaddr_46 {
 /* If DISABLE_TLS is defined, ensure that USE_GNUTLS is not defined so that if USE_GNUTLS *is* set, we can assume DISABLE_TLS is not set.
+Ditto USE_OPENSSL.
 Likewise, OSCP, AUTH_TLS and CERTNAMES cannot be supported. */
 #ifdef DISABLE_TLS
+# undef USE_OPENSSL
 # undef USE_GNUTLS
 # ifndef DISABLE_OCSP
 # define DISABLE_OCSP
diff --git a/src/src/functions.h b/src/src/functions.h
index 11fb8b59e..33e296c13 100644
--- a/src/src/functions.h
+++ b/src/src/functions.h
@@ -67,7 +67,7 @@ extern int tls_ungetc(int);
 extern int tls_write(void *, const uschar *, size_t, BOOL);
 extern uschar *tls_validate_require_cipher(void);
 extern void tls_version_report(FILE *);
-# ifndef USE_GNUTLS
+# ifdef USE_OPENSSL
 extern BOOL tls_openssl_options_parse(uschar *, long *);
 # endif
 extern uschar * tls_field_from_dn(uschar *, const uschar *);
diff --git a/src/src/pdkim/crypt_ver.h b/src/src/pdkim/crypt_ver.h
index 564b66db0..a6d7e36af 100644
--- a/src/src/pdkim/crypt_ver.h
+++ b/src/src/pdkim/crypt_ver.h
@@ -22,12 +22,12 @@
 # else
 # define SIGN_GCRYPT
 # endif
+#endif
-#else
+#ifdef USE_OPENSSL
 # define SIGN_OPENSSL
-# if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10101000L
-# define SIGN_HAVE_ED25519
-# endif
-
+# if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10101000L
+# define SIGN_HAVE_ED25519
+# endif
 #endif
diff --git a/src/src/sha_ver.h b/src/src/sha_ver.h
index a7e99f506..bc2b2f89e 100644
--- a/src/src/sha_ver.h
+++ b/src/src/sha_ver.h
@@ -31,8 +31,9 @@
 # else
 # define SHA_GCRYPT
 # endif
+# endif
-# else
+# ifdef USE_OPENSSL
 # define SHA_OPENSSL
 # include
 # if (OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined(LIBRESSL_VERSION_NUMBER)
diff --git a/src/src/tls.c b/src/src/tls.c
index 1fd10d52b..796bc6d61 100644
--- a/src/src/tls.c
+++ b/src/src/tls.c
@@ -19,6 +19,11 @@ functions from the OpenSSL or GNU TLS libraries. */
 #include "exim.h"
 #include "transports/smtp.h"
+#if !defined(DISABLE_TLS) && !defined(USE_OPENSSL) && !defined(USE_GNUTLS)
+# error One of USE_OPENSSL or USE_GNUTLS must be defined for a TLS build
+#endif
+
+
 #if defined(MACRO_PREDEF) && !defined(DISABLE_TLS)
 # include "macro_predef.h"
 # ifdef USE_GNUTLS
@@ -48,7 +53,7 @@ We're moving away from this; GnuTLS is already using a state, which can
 switch, so we can do TLS callouts during ACLs. */
 static const int ssl_xfer_buffer_size = 4096;
-#ifndef USE_GNUTLS
+#ifdef USE_OPENSSL
 static uschar *ssl_xfer_buffer = NULL;
 static int ssl_xfer_buffer_lwm = 0;
 static int ssl_xfer_buffer_hwm = 0;
@@ -122,14 +127,14 @@ tzset();
 #ifdef USE_GNUTLS
 # include "tls-gnu.c"
 # include "tlscert-gnu.c"
-
 # define ssl_xfer_buffer (state_server.xfer_buffer)
 # define ssl_xfer_buffer_lwm (state_server.xfer_buffer_lwm)
 # define ssl_xfer_buffer_hwm (state_server.xfer_buffer_hwm)
 # define ssl_xfer_eof (state_server.xfer_eof)
 # define ssl_xfer_error (state_server.xfer_error)
+#endif
-#else
+#ifdef USE_OPENSSL
 # include "tls-openssl.c"
 # include "tlscert-openssl.c"
 #endif
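Review bot: The new guard `+#if !defined(DISABLE_TLS) && !defined(USE_OPENSSL) && !defined(USE_GNUTLS)` in tls.c rejects a TLS build with no library but says nothing about a build with both, and this commit is what makes that case reachable: the later hunk in this file replaces `#ifdef USE_GNUTLS ... #else` with two independent `#ifdef` blocks, so with both macros set tls.c would pull in tls-gnu.c and tls-openssl.c together, and the crypt_ver.h and sha_ver.h hunks above appear to define both SIGN_*/SHA_* backends the same way. Whether that fails loudly at compile time or quietly mixes two crypto backends I cannot tell from here, but config.h.defaults in this patch now lists both macros, so the misconfiguration is one stray EDITME line away. Since exim.h, included just above, already undefines both under DISABLE_TLS, a second check next to the first is enough: `#if defined(USE_OPENSSL) && defined(USE_GNUTLS)` / `# error Only one of USE_OPENSSL or USE_GNUTLS may be defined` / `#endif`.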
@@ -226,7 +231,7 @@ modify_variable(US"tls_bits", &dest_tsp->bits);
 modify_variable(US"tls_certificate_verified", &dest_tsp->certificate_verified);
 modify_variable(US"tls_cipher", &dest_tsp->cipher);
 modify_variable(US"tls_peerdn", &dest_tsp->peerdn);
-#if !defined(DISABLE_TLS) && !defined(USE_GNUTLS)
+#ifdef USE_OPENSSL
 modify_variable(US"tls_sni", &dest_tsp->sni);
 #endif
 }
diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index 03095b7c7..5f6108219 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -2019,7 +2019,7 @@ tls_out.cipher = NULL; /* the one we may use for this transport */
 tls_out.ourcert = NULL;
 tls_out.peercert = NULL;
 tls_out.peerdn = NULL;
-#if !defined(DISABLE_TLS) && !defined(USE_GNUTLS)
+#ifdef USE_OPENSSL
 tls_out.sni = NULL;
 #endif
 tls_out.ocsp = OCSP_NOT_REQ;
-- 
2.30.2