Fix build with older GnuTLS

Broken-by: 2983e1a616

diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 5f5538e646dcb29d228a6e79b7469d799554870e..be3e7c925a23b8e5ee50dccb1a879d0afc4f53cd 100644 (file)
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -29462,7 +29462,7 @@ Session resumption (this is the "stateless" variant) involves the server sending
 a "session ticket" to the client on one connection, which can be stored by the
 client and used for a later session.  The ticket contains sufficient state for
 the server to reconstruct the TLS session, avoiding some expensive crypto
-calculation and one full packet roundtrip time.
+calculation and (on TLS1.2) one full packet roundtrip time.
 
 .ilist
 Operational cost/benefit:
@@ -29509,7 +29509,7 @@ Observability:
  server issued ticket, resume used.  A suitable decode list is provided
  in the builtin macro _RESUME_DECODE for in &%listextract%& expansions.
 
-.next:
+.next
 Control:
 
 The &%tls_resumption_hosts%& main option specifies a hostlist for which

diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index c8017a7331ba6fb48721a4e48604740aa4dd252c..a351c34d671502076e2701c02f720b9b3b9addf4 100644 (file)
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -112,8 +112,10 @@ require current GnuTLS, then we'll drop support for the ancient libraries).
 #endif
 
 #ifndef DISABLE_TLS_RESUME
-# if GNUTLS_VERSION_NUMBER < 0x030603
-#  error GNUTLS version too early for session-resumption
+# if GNUTLS_VERSION_NUMBER >= 0x030603
+#  define EXIM_HAVE_TLS_RESUME
+# else
+#  warning "GnuTLS library version too old; resumption unsupported"
 # endif
 #endif
 
@@ -266,7 +268,7 @@ static BOOL gnutls_buggy_ocsp = FALSE;
 static BOOL exim_testharness_disable_ocsp_validity_check = FALSE;
 #endif
 
-#ifndef DISABLE_TLS_RESUME
+#ifdef EXIM_HAVE_TLS_RESUME
 static gnutls_datum_t server_sessticket_key;
 #endif
 
@@ -326,7 +328,7 @@ static void exim_gnutls_logger_cb(int level, const char *message);
 
 static int exim_sni_handling_cb(gnutls_session_t session);
 
-#ifndef DISABLE_TLS_RESUME
+#ifdef EXIM_HAVE_TLS_RESUME
 static int
 tls_server_ticket_cb(gnutls_session_t sess, u_int htype, unsigned when,
   unsigned incoming, const gnutls_datum_t * msg);
@@ -337,7 +339,7 @@ tls_server_ticket_cb(gnutls_session_t sess, u_int htype, unsigned when,
 void
 tls_daemon_init(void)
 {
-#ifndef DISABLE_TLS_RESUME
+#ifdef EXIM_HAVE_TLS_RESUME
 /* We are dependent on the GnuTLS implementation of the Session Ticket
 encryption; both the strength and the key rotation period.  We hope that
 the strength at least matches that of the ciphersuite (but GnuTLS does not
@@ -1000,10 +1002,10 @@ return gnutls_ext_raw_parse(NULL, tls_server_servercerts_ext, msg, 0);
  "Handshake Protocol: Certificate" record.
 So we need to spot the Certificate handshake message, parse it and spot any status_request extension(s)
 
-This is different to tls1.2 - where it is a separate record (wireshake term) / handshake message (gnutls term).
+This is different to tls1.2 - where it is a separate record (wireshark term) / handshake message (gnutls term).
 */
 
-#if !defined(DISABLE_TLS_RESUME) || defined(SUPPORT_GNUTLS_EXT_RAW_PARSE)
+#if defined(EXIM_HAVE_TLS_RESUME) || defined(SUPPORT_GNUTLS_EXT_RAW_PARSE)
 /* Callback for certificate-status, on server. We sent stapled OCSP. */
 static int
 tls_server_certstatus_cb(gnutls_session_t session, unsigned int htype,
@@ -1035,7 +1037,7 @@ switch (htype)
 # endif
   case GNUTLS_HANDSHAKE_CERTIFICATE_STATUS:
     return tls_server_certstatus_cb(sess, htype, when, incoming, msg);
-# ifndef DISABLE_TLS_RESUME
+# ifdef EXIM_HAVE_TLS_RESUME
   case GNUTLS_HANDSHAKE_NEW_SESSION_TICKET:
     return tls_server_ticket_cb(sess, htype, when, incoming, msg);
 # endif
@@ -2328,7 +2330,7 @@ else
 }
 
 
-#ifndef DISABLE_TLS_RESUME
+#ifdef EXIM_HAVE_TLS_RESUME
 static int
 tls_server_ticket_cb(gnutls_session_t sess, u_int htype, unsigned when,
   unsigned incoming, const gnutls_datum_t * msg)
@@ -2442,7 +2444,7 @@ DEBUG(D_tls) debug_printf("initialising GnuTLS as a server\n");
 #endif
   }
 
-#ifndef DISABLE_TLS_RESUME
+#ifdef EXIM_HAVE_TLS_RESUME
 tls_server_resume_prehandshake(state);
 #endif
 
@@ -2550,7 +2552,7 @@ if (gnutls_session_get_flags(state->session) & GNUTLS_SFLAGS_EXT_MASTER_SECRET)
   tls_in.ext_master_secret = TRUE;
 #endif
 
-#ifndef DISABLE_TLS_RESUME
+#ifdef EXIM_HAVE_TLS_RESUME
 tls_server_resume_posthandshake(state);
 #endif
 
@@ -2683,7 +2685,7 @@ return TRUE;
 
 
 
-#ifndef DISABLE_TLS_RESUME
+#ifdef EXIM_HAVE_TLS_RESUME
 /* On the client, get any stashed session for the given IP from hints db
 and apply it to the ssl-connection for attempted resumption.  Although
 there is a gnutls_session_ticket_enable_client() interface it is
@@ -2970,7 +2972,7 @@ if (request_ocsp)
   }
 #endif
 
-#ifndef DISABLE_TLS_RESUME
+#ifdef EXIM_HAVE_TLS_RESUME
 tls_client_resume_prehandshake(state, tlsp, host, ob);
 #endif
 
@@ -3070,7 +3072,7 @@ if (request_ocsp)
   }
 #endif
 
-#ifndef DISABLE_TLS_RESUME
+#ifdef EXIM_HAVE_TLS_RESUME
 tls_client_resume_posthandshake(state, tlsp, host);
 #endif
 

diff --git a/test/scripts/5890-Resume-GnuTLS/REQUIRES b/test/scripts/5890-Resume-GnuTLS/REQUIRES
index 2f12f27427f3bc25abb461181ecccfd43ab0d8d2..7f34d4f81b0425e24a3c09634ab391e1b67cb78c 100644 (file)
--- a/test/scripts/5890-Resume-GnuTLS/REQUIRES
+++ b/test/scripts/5890-Resume-GnuTLS/REQUIRES
@@ -1,3 +1,3 @@
 support GnuTLS
 running IPv4
-support Experimental_TLS_resume
+support TLS_resume

diff --git a/test/scripts/5891-Resume-OpenSSL/REQUIRES b/test/scripts/5891-Resume-OpenSSL/REQUIRES
index 027b4dcab7442954bf753aa9cbbe7604db1eafbf..8e3a29f539918fcb01a0d9bc79c438d8acdbb063 100644 (file)
--- a/test/scripts/5891-Resume-OpenSSL/REQUIRES
+++ b/test/scripts/5891-Resume-OpenSSL/REQUIRES
@@ -1,3 +1,3 @@
 support OpenSSL
 running IPv4
-support Experimental_TLS_resume
+support TLS_resume