TLS: introduce USE_OPENSSL as an explicit requirement for the build

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 73ed33e86b37722f3f67684a128e2adeb5e57dbe..9159d30219dd5efe13f8faeb4fa152705ed4a376 100644 (file)
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -112,10 +112,10 @@ JH/22 The smtp transport option "hosts_try_dane" now enables all hosts by
       SUPPORT_DANE is now enabled in the prototype build Makefile "EDITME".
 
 JH/23 The build default is now for TLS to be included; the SUPPORT_TLS define
       SUPPORT_DANE is now enabled in the prototype build Makefile "EDITME".
 
 JH/23 The build default is now for TLS to be included; the SUPPORT_TLS define

-      is replaced with DISABLE_TLS.  You must still, unless you define
-      DISABLE_TLS, manage the choice of TLS library and the include-dir and
-      library-file requirements that go with that choice.  Non-TLS builds
-      are still supported.
+      is replaced with DISABLE_TLS.  Either USE_GNUTLS or (the new) USE_OPENSSL
+      must be defined and you must still, unless you define DISABLE_TLS, manage
+      the the include-dir and library-file requirements that go with that
+      choice.  Non-TLS builds are still supported.

 
 
 
 
 
 

diff --git a/src/src/EDITME b/src/src/EDITME
index 264d2eaffc8976106c7879b0d8603196e69cb6c0..e1bf812db1f7b23bbd08ff9caabd0cffc66db504 100644 (file)
--- a/src/src/EDITME
+++ b/src/src/EDITME
@@ -202,12 +202,16 @@ SPOOL_DIRECTORY=/var/spool/exim
 # pkg-config, then you have to specify the libraries, and you mmight
 # need to specify the locations too.
 
 # pkg-config, then you have to specify the libraries, and you mmight
 # need to specify the locations too.
 

-# no cryptographic code of its own. Uncomment the following lines if you want
+# Uncomment the following lines if you want

 # to build Exim without any TLS support (either OpenSSL or GnuTLS):
 # DISABLE_TLS=yes
 # to build Exim without any TLS support (either OpenSSL or GnuTLS):
 # DISABLE_TLS=yes

+# Unless you do this, you must define one of USE_OPENSSL or USE_GNUTLS
+# below.

 
 # If you are buliding with TLS, the library configuration must be done:
 
 
 # If you are buliding with TLS, the library configuration must be done:
 

+# Uncomment this if you are using OpenSSL
+# USE_OPENSSL=yes

 # Uncomment one of these settings if you are using OpenSSL; pkg-config vs not
 # and an optional location.
 # USE_OPENSSL_PC=openssl
 # Uncomment one of these settings if you are using OpenSSL; pkg-config vs not
 # and an optional location.
 # USE_OPENSSL_PC=openssl


@@ -223,12 +227,6 @@ SPOOL_DIRECTORY=/var/spool/exim
 # TLS_LIBS=-lgnutls -ltasn1 -lgcrypt -lgnutls-dane
 # TLS_LIBS=-L/usr/local/gnu/lib -lgnutls -ltasn1 -lgcrypt -lgnutls-dane
 
 # TLS_LIBS=-lgnutls -ltasn1 -lgcrypt -lgnutls-dane
 # TLS_LIBS=-L/usr/local/gnu/lib -lgnutls -ltasn1 -lgcrypt -lgnutls-dane
 

-# Uncomment the first and either the second or the third of these if you
-# are using GnuTLS.  If you have pkg-config, then the second, else the third.
-# USE_GNUTLS=yes
-# USE_GNUTLS_PC=gnutls
-# TLS_LIBS=-lgnutls -ltasn1 -lgcrypt
-

 # If using GnuTLS older than 2.10 and using pkg-config then note that Exim's
 # build process will require libgcrypt-config to exist in your $PATH.  A
 # version that old is likely to become unsupported by Exim in 2017.
 # If using GnuTLS older than 2.10 and using pkg-config then note that Exim's
 # build process will require libgcrypt-config to exist in your $PATH.  A
 # version that old is likely to become unsupported by Exim in 2017.

diff --git a/src/src/config.h.defaults b/src/src/config.h.defaults
index f45a61a9a96d63ef5123f0a1524b8b8b7dde7bc2..27b8fb40941694c5830a880949341d7f19af1125 100644 (file)
--- a/src/src/config.h.defaults
+++ b/src/src/config.h.defaults
@@ -172,6 +172,7 @@ Do not put spaces between # and the 'define'.
 #define USE_GDBM
 #define USE_GNUTLS
 #define AVOID_GNUTLS_PKCS11
 #define USE_GDBM
 #define USE_GNUTLS
 #define AVOID_GNUTLS_PKCS11

+#define USE_OPENSSL

 #define USE_READLINE
 #define USE_TCP_WRAPPERS
 #define USE_TDB
 #define USE_READLINE
 #define USE_TCP_WRAPPERS
 #define USE_TDB

diff --git a/src/src/dane.c b/src/src/dane.c
index 5284a61c3266108d8044c0977ae873adc8d7b53e..5ba61961a7dac24fc2cf017192743c04dd2ed84d 100644 (file)
--- a/src/src/dane.c
+++ b/src/src/dane.c
@@ -38,7 +38,7 @@ static void dummy(int x) { dummy(x-1); }
 #  error DANE support requires that the DNS resolver library supports DNSSEC
 # endif
 
 #  error DANE support requires that the DNS resolver library supports DNSSEC
 # endif
 

-# ifndef USE_GNUTLS
+# ifdef USE_OPENSSL

 #  include "dane-openssl.c"
 # endif
 
 #  include "dane-openssl.c"
 # endif
 

diff --git a/src/src/exim.c b/src/src/exim.c
index b2894aeb9fbd7f14378906543f060281ebd0ef16..abce9fc696f1ca80f4d855c05613fa3379c91551 100644 (file)
--- a/src/src/exim.c
+++ b/src/src/exim.c
@@ -857,12 +857,11 @@ fprintf(fp, "Support for:");
 #ifdef USE_TCP_WRAPPERS
   fprintf(fp, " TCPwrappers");
 #endif
 #ifdef USE_TCP_WRAPPERS
   fprintf(fp, " TCPwrappers");
 #endif

-#ifndef DISABLE_TLS
-# ifdef USE_GNUTLS
+#ifdef USE_GNUTLS

   fprintf(fp, " GnuTLS");
   fprintf(fp, " GnuTLS");

-# else
+#endif
+#ifdef USE_OPENSSL

   fprintf(fp, " OpenSSL");
   fprintf(fp, " OpenSSL");

-# endif

 #endif
 #ifdef SUPPORT_TRANSLATE_IP_ADDRESS
   fprintf(fp, " translate_ip_address");
 #endif
 #ifdef SUPPORT_TRANSLATE_IP_ADDRESS
   fprintf(fp, " translate_ip_address");

diff --git a/src/src/exim.h b/src/src/exim.h
index 0638167aad2c2e69016c77f0efa5c45cd51764bd..263c003214ce1809f33974d653531dc9cd1a5645 100644 (file)
--- a/src/src/exim.h
+++ b/src/src/exim.h
@@ -541,9 +541,11 @@ union sockaddr_46 {
 
 /* If DISABLE_TLS is defined, ensure that USE_GNUTLS is not defined
 so that if USE_GNUTLS *is* set, we can assume DISABLE_TLS is not set.
 
 /* If DISABLE_TLS is defined, ensure that USE_GNUTLS is not defined
 so that if USE_GNUTLS *is* set, we can assume DISABLE_TLS is not set.

+Ditto USE_OPENSSL.

 Likewise, OSCP, AUTH_TLS and CERTNAMES cannot be supported. */
 
 #ifdef DISABLE_TLS
 Likewise, OSCP, AUTH_TLS and CERTNAMES cannot be supported. */
 
 #ifdef DISABLE_TLS

+# undef USE_OPENSSL

 # undef USE_GNUTLS
 # ifndef DISABLE_OCSP
 #  define DISABLE_OCSP
 # undef USE_GNUTLS
 # ifndef DISABLE_OCSP
 #  define DISABLE_OCSP

diff --git a/src/src/functions.h b/src/src/functions.h
index 11fb8b59e7a33a098d6fde1b8364e9b4b3e654ea..33e296c13d62b2960265b326f30d0bd1e44652b0 100644 (file)
--- a/src/src/functions.h
+++ b/src/src/functions.h
@@ -67,7 +67,7 @@ extern int     tls_ungetc(int);
 extern int     tls_write(void *, const uschar *, size_t, BOOL);
 extern uschar *tls_validate_require_cipher(void);
 extern void    tls_version_report(FILE *);
 extern int     tls_write(void *, const uschar *, size_t, BOOL);
 extern uschar *tls_validate_require_cipher(void);
 extern void    tls_version_report(FILE *);

-# ifndef USE_GNUTLS
+# ifdef USE_OPENSSL

 extern BOOL    tls_openssl_options_parse(uschar *, long *);
 # endif
 extern uschar * tls_field_from_dn(uschar *, const uschar *);
 extern BOOL    tls_openssl_options_parse(uschar *, long *);
 # endif
 extern uschar * tls_field_from_dn(uschar *, const uschar *);

diff --git a/src/src/pdkim/crypt_ver.h b/src/src/pdkim/crypt_ver.h
index 564b66db0b0dd0e0817436c1c72562a729718e94..a6d7e36af61867e62ba24e0eb27d3918c830265e 100644 (file)
--- a/src/src/pdkim/crypt_ver.h
+++ b/src/src/pdkim/crypt_ver.h
@@ -22,12 +22,12 @@
 # else
 #  define SIGN_GCRYPT
 # endif
 # else
 #  define SIGN_GCRYPT
 # endif

+#endif

 
 

-#else
+#ifdef USE_OPENSSL

 # define SIGN_OPENSSL
 # define SIGN_OPENSSL

-#  if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10101000L
-#   define SIGN_HAVE_ED25519
-#  endif
-
+# if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10101000L
+#  define SIGN_HAVE_ED25519
+# endif

 #endif
 
 #endif
 

diff --git a/src/src/sha_ver.h b/src/src/sha_ver.h
index a7e99f5068f69e628665c684344cfe186bac14ca..bc2b2f89e6294e0820b7ea2f143c2a46f42c4cec 100644 (file)
--- a/src/src/sha_ver.h
+++ b/src/src/sha_ver.h
@@ -31,8 +31,9 @@
 #  else
 #   define SHA_GCRYPT
 #  endif
 #  else
 #   define SHA_GCRYPT
 #  endif

+# endif

 
 

-# else
+# ifdef USE_OPENSSL

 #  define SHA_OPENSSL
 #  include <openssl/ssl.h>
 #  if (OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined(LIBRESSL_VERSION_NUMBER)
 #  define SHA_OPENSSL
 #  include <openssl/ssl.h>
 #  if (OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined(LIBRESSL_VERSION_NUMBER)

diff --git a/src/src/tls.c b/src/src/tls.c
index 1fd10d52b374000a425166f90804a88482076aea..796bc6d61649c482fa7846d8831a36a27311f31d 100644 (file)
--- a/src/src/tls.c
+++ b/src/src/tls.c
@@ -19,6 +19,11 @@ functions from the OpenSSL or GNU TLS libraries. */
 #include "exim.h"
 #include "transports/smtp.h"
 
 #include "exim.h"
 #include "transports/smtp.h"
 

+#if !defined(DISABLE_TLS) && !defined(USE_OPENSSL) && !defined(USE_GNUTLS)
+# error One of USE_OPENSSL or USE_GNUTLS must be defined for a TLS build
+#endif
+
+

 #if defined(MACRO_PREDEF) && !defined(DISABLE_TLS)
 # include "macro_predef.h"
 # ifdef USE_GNUTLS
 #if defined(MACRO_PREDEF) && !defined(DISABLE_TLS)
 # include "macro_predef.h"
 # ifdef USE_GNUTLS


@@ -48,7 +53,7 @@ We're moving away from this; GnuTLS is already using a state, which
 can switch, so we can do TLS callouts during ACLs. */
 
 static const int ssl_xfer_buffer_size = 4096;
 can switch, so we can do TLS callouts during ACLs. */
 
 static const int ssl_xfer_buffer_size = 4096;

-#ifndef USE_GNUTLS
+#ifdef USE_OPENSSL

 static uschar *ssl_xfer_buffer = NULL;
 static int ssl_xfer_buffer_lwm = 0;
 static int ssl_xfer_buffer_hwm = 0;
 static uschar *ssl_xfer_buffer = NULL;
 static int ssl_xfer_buffer_lwm = 0;
 static int ssl_xfer_buffer_hwm = 0;


@@ -122,14 +127,14 @@ tzset();
 #ifdef USE_GNUTLS
 # include "tls-gnu.c"
 # include "tlscert-gnu.c"
 #ifdef USE_GNUTLS
 # include "tls-gnu.c"
 # include "tlscert-gnu.c"

-

 # define ssl_xfer_buffer (state_server.xfer_buffer)
 # define ssl_xfer_buffer_lwm (state_server.xfer_buffer_lwm)
 # define ssl_xfer_buffer_hwm (state_server.xfer_buffer_hwm)
 # define ssl_xfer_eof (state_server.xfer_eof)
 # define ssl_xfer_error (state_server.xfer_error)
 # define ssl_xfer_buffer (state_server.xfer_buffer)
 # define ssl_xfer_buffer_lwm (state_server.xfer_buffer_lwm)
 # define ssl_xfer_buffer_hwm (state_server.xfer_buffer_hwm)
 # define ssl_xfer_eof (state_server.xfer_eof)
 # define ssl_xfer_error (state_server.xfer_error)

+#endif

 
 

-#else
+#ifdef USE_OPENSSL

 # include "tls-openssl.c"
 # include "tlscert-openssl.c"
 #endif
 # include "tls-openssl.c"
 # include "tlscert-openssl.c"
 #endif


@@ -226,7 +231,7 @@ modify_variable(US"tls_bits",                 &dest_tsp->bits);
 modify_variable(US"tls_certificate_verified", &dest_tsp->certificate_verified);
 modify_variable(US"tls_cipher",               &dest_tsp->cipher);
 modify_variable(US"tls_peerdn",               &dest_tsp->peerdn);
 modify_variable(US"tls_certificate_verified", &dest_tsp->certificate_verified);
 modify_variable(US"tls_cipher",               &dest_tsp->cipher);
 modify_variable(US"tls_peerdn",               &dest_tsp->peerdn);

-#if !defined(DISABLE_TLS) && !defined(USE_GNUTLS)
+#ifdef USE_OPENSSL

 modify_variable(US"tls_sni",                  &dest_tsp->sni);
 #endif
 }
 modify_variable(US"tls_sni",                  &dest_tsp->sni);
 #endif
 }

diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index 03095b7c79fea36d9409cb5422cda3f71e8537c3..5f610821981d1cb5a08065e46552b80242a74c7e 100644 (file)
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -2019,7 +2019,7 @@ tls_out.cipher = NULL;    /* the one we may use for this transport */
 tls_out.ourcert = NULL;
 tls_out.peercert = NULL;
 tls_out.peerdn = NULL;
 tls_out.ourcert = NULL;
 tls_out.peercert = NULL;
 tls_out.peerdn = NULL;

-#if !defined(DISABLE_TLS) && !defined(USE_GNUTLS)
+#ifdef USE_OPENSSL

 tls_out.sni = NULL;
 #endif
 tls_out.ocsp = OCSP_NOT_REQ;
 tls_out.sni = NULL;
 #endif
 tls_out.ocsp = OCSP_NOT_REQ;