From f0be4dfa19120173aa76001d31b2cd90284ecd07 Mon Sep 17 00:00:00 2001
From: Jeremy Harris
Date: Wed, 16 Jan 2019 16:52:33 +0000
Subject: [PATCH] Fix build with older TLS library versions
---
 src/src/tls-gnu.c | 28 ++++++++++++++++++++++------
 src/src/tls-openssl.c | 22 +++++++++++++++-------
 2 files changed, 37 insertions(+), 13 deletions(-)
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index 199b90d94..beb439eba 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -67,6 +67,12 @@ require current GnuTLS, then we'll drop support for the ancient libraries).
 #if GNUTLS_VERSION_NUMBER >= 0x030109
 # define SUPPORT_CORK
 #endif
+#if GNUTLS_VERSION_NUMBER >= 0x03010a
+# define SUPPORT_GNUTLS_SESS_DESC
+#endif
+#if GNUTLS_VERSION_NUMBER >= 0x030500
+# define SUPPORT_GNUTLS_KEYLOG
+#endif
 #if GNUTLS_VERSION_NUMBER >= 0x030506 && !defined(DISABLE_OCSP)
 # define SUPPORT_SRV_OCSP_STACK
 #endif
@@ -2152,17 +2158,22 @@ if (rc != GNUTLS_E_SUCCESS)
 DEBUG(D_tls)
   {
-  gnutls_datum_t c, s;
-  gstring * gc, * gs;
   debug_printf("gnutls_handshake was successful\n");
+#ifdef SUPPORT_GNUTLS_SESS_DESC
   debug_printf("%s\n", gnutls_session_get_desc(state->session));
-
+#endif
+#ifdef SUPPORT_GNUTLS_KEYLOG
+  {
+  gnutls_datum_t c, s;
+  gstring * gc, * gs;
   gnutls_session_get_random(state->session, &c, &s);
   gnutls_session_get_master_secret(state->session, &s);
   gc = ddump(&c);
   gs = ddump(&s);
   debug_printf("CLIENT_RANDOM %.*s %.*s\n", (int)gc->ptr, gc->s, (int)gs->ptr, gs->s);
   }
+#endif
+  }
 /* Verify after the fact */
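Review bot: The two new guards name a feature rather than the library call they gate, so nothing at the #define explains why 3.1.10 (0x03010a) and 3.5.0 (0x030500) are the thresholds, and the next person to bump them has to re-derive that from the GnuTLS changelog. I would put the gated call above each guard, e.g. `/* gnutls_session_get_desc() */` over the 0x03010a guard and `/* gnutls_session_get_master_secret() */` over the 0x030500 guard. Which call sets each threshold is inferred from the bodies the later hunks wrap under these macros, so confirm against the GnuTLS NEWS file before committing the comment.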
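Review bot: The CLIENT_RANDOM line in the new SUPPORT_GNUTLS_KEYLOG block writes the session's master secret to the debug output, and nothing in the code says so; anyone who can read a debug log taken with the tls selector can decrypt that session after the fact. I would add a comment above the `#ifdef SUPPORT_GNUTLS_KEYLOG`, along the lines of `/* NSS key-log line (CLIENT_RANDOM <client_random> <master_secret>) for Wireshark; this exposes the session master secret on the debug stream, so never retain tls-debug output from a production host */`. The reuse of `s` - filled with the server random by gnutls_session_get_random and then overwritten by gnutls_session_get_master_secret - also reads as if the server random were being printed; a separate `gnutls_datum_t m;` passed to gnutls_session_get_master_secret and to the second ddump would make the format string self-explanatory. The enclosing function starts and ends outside the hunk.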
@@ -2473,17 +2484,22 @@ if (rc != GNUTLS_E_SUCCESS)
 DEBUG(D_tls)
   {
-  gnutls_datum_t c, s;
-  gstring * gc, * gs;
   debug_printf("gnutls_handshake was successful\n");
+#ifdef SUPPORT_GNUTLS_SESS_DESC
   debug_printf("%s\n", gnutls_session_get_desc(state->session));
-
+#endif
+#ifdef SUPPORT_GNUTLS_KEYLOG
+  {
+  gnutls_datum_t c, s;
+  gstring * gc, * gs;
   gnutls_session_get_random(state->session, &c, &s);
   gnutls_session_get_master_secret(state->session, &s);
   gc = ddump(&c);
   gs = ddump(&s);
   debug_printf("CLIENT_RANDOM %.*s %.*s\n", (int)gc->ptr, gc->s, (int)gs->ptr, gs->s);
   }
+#endif
+  }
 /* Verify late */
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 5353d2ce7..689af87b1 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -70,6 +70,7 @@ change this guard and punt the issue for a while longer. */
 # define EXIM_HAVE_OPENSSL_CHECKHOST
 # define EXIM_HAVE_OPENSSL_DH_BITS
 # define EXIM_HAVE_OPENSSL_TLS_METHOD
+# define EXIM_HAVE_OPENSSL_KEYLOG
 # else
 # define EXIM_NEED_OPENSSL_INIT
 # endif
@@ -2305,18 +2306,21 @@ peer_cert(server_ssl, &tls_in, peerdn, sizeof(peerdn));
 DEBUG(D_tls)
   {
   uschar buf[2048];
-  BIO * bp = BIO_new(BIO_s_mem());
-  uschar * s;
-  int len;
-
   if (SSL_get_shared_ciphers(server_ssl, CS buf, sizeof(buf)) != NULL)
     debug_printf("Shared ciphers: %s\n", buf);
+#ifdef EXIM_HAVE_OPENSSL_KEYLOG
+  {
+  BIO * bp = BIO_new(BIO_s_mem());
+  uschar * s;
+  int len;
   SSL_SESSION_print_keylog(bp, SSL_get_session(server_ssl));
   len = (int) BIO_get_mem_data(bp, CSS &s);
   debug_printf("%.*s", len, s);
   BIO_free(bp);
   }
+#endif
+  }
 construct_cipher_name(server_ssl, cipherbuf, sizeof(cipherbuf), &tls_in.bits);
 tls_in.cipher = cipherbuf;
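Review bot: The key-log block added in this client-side hunk is line-for-line the same as the one added in the server-side hunk at 2158, so the same master-secret dump now lives in two places and any later change (a NULL check, a different output format, a decision to gate it more tightly) has to be made twice. A small file-static helper taking the gnutls_session_t, called from both DEBUG(D_tls) blocks, removes the duplication and gives the secret-exposing behaviour one place to be documented; the call site then shrinks to `tls_debug_keylog(state->session);` under the existing `#ifdef SUPPORT_GNUTLS_KEYLOG`. Whether exim prefers such helpers above the first use or near the other static debug helpers is a placement detail I cannot see from the hunk. The enclosing function starts and ends outside the hunk.

```c
#ifdef SUPPORT_GNUTLS_KEYLOG
/* Write the session's NSS key-log line (CLIENT_RANDOM <client random>
<master secret>) to the debug stream. Debug-only: this exposes the
session master secret, so tls-debug output must not be retained. */
static void
tls_debug_keylog(gnutls_session_t session)
{
gnutls_datum_t c, s;
gstring * gc, * gs;

gnutls_session_get_random(session, &c, &s);
gnutls_session_get_master_secret(session, &s);
gc = ddump(&c);
gs = ddump(&s);
debug_printf("CLIENT_RANDOM %.*s %.*s\n", (int)gc->ptr, gc->s, (int)gs->ptr, gs->s);
}
#endif

/* … unchanged: handshake-successful and session-desc debug lines … */
#ifdef SUPPORT_GNUTLS_KEYLOG
  tls_debug_keylog(state->session);
#endif
  }
```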
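Review bot: `BIO_new(BIO_s_mem())` can return NULL on allocation failure, and the new EXIM_HAVE_OPENSSL_KEYLOG block in the hunk at 2306 hands that result straight to SSL_SESSION_print_keylog and BIO_get_mem_data, so a memory-exhaustion event during a debug run becomes a crash instead of a missing debug line; wrapping the three calls and the BIO_free in `if (bp) { ... }` closes it. The old code had the same gap, but moving the declaration into its own block is the natural moment to add the check. The output this block produces is the session master secret in key-log form, which is fine for a debug selector but worth a one-line comment at the `#ifdef` so nobody leaves tls debugging on where logs are collected. The enclosing function starts and ends outside the hunk.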
@@ -2689,15 +2693,19 @@ if (rc <= 0)
 DEBUG(D_tls)
   {
-  BIO * bp = BIO_new_fp(debug_file, BIO_NOCLOSE);
+  debug_printf("SSL_connect succeeded\n");
+#ifdef EXIM_HAVE_OPENSSL_KEYLOG
+  {
+  BIO * bp = BIO_new(BIO_s_mem());
   uschar * s;
   int len;
-  debug_printf("SSL_connect succeeded\n");
-  SSL_SESSION_print_keylog(bp, SSL_get_session(exim_client_ctx->ssl));
+  SSL_SESSION_print_keylog(bp, SSL_get_session(server_ssl));
   len = (int) BIO_get_mem_data(bp, CSS &s);
   debug_printf("%.*s", len, s);
   BIO_free(bp);
   }
+#endif
+  }
 peer_cert(exim_client_ctx->ssl, tlsp, peerdn, sizeof(peerdn));
-- 
2.25.1
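Review bot: The added line `SSL_SESSION_print_keylog(bp, SSL_get_session(server_ssl));` queries the wrong SSL object: this is the client-connect path - the removed line it replaces and the `peer_cert(exim_client_ctx->ssl, ...)` context just below both use `exim_client_ctx->ssl` - so the CLIENT_RANDOM line printed here describes whatever server-side session `server_ssl` refers to, not the connection that just reported "SSL_connect succeeded", and will not decrypt it. If this process has not accepted a server-side TLS session, `server_ssl` is presumably NULL and SSL_get_session() dereferences it, turning a debug run into a crash. It should read `SSL_SESSION_print_keylog(bp, SSL_get_session(exim_client_ctx->ssl));`. The `BIO_new` result is also unchecked, as in the server hunk. The enclosing function starts and ends outside the hunk.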