authorJeremy Harris <jgh146exb@wizmail.org>2019-05-24 15:57:02 +0100
committerJeremy Harris <jgh146exb@wizmail.org>2019-05-24 15:57:02 +0100
commit01603eec64d42431f182b33008206facfc7f800e (patch)
tree2ad67cd6c3879a31582535f4446e4f080caf6d91
parentfeb5343a10a0c6526c3a9a08bb4d57cf6eafa289 (diff)
TLS: move from SUPPORT_TLS to DISABLE_TLS macro for the build
-rw-r--r--doc/doc-txt/ChangeLog10
-rw-r--r--doc/doc-txt/NewStuff2
-rw-r--r--src/OS/unsupported/Makefile-CYGWIN2
-rw-r--r--src/src/EDITME161
-rw-r--r--src/src/auths/gsasl_exim.c2
-rw-r--r--src/src/buildconfig.c6
-rw-r--r--src/src/config.h.defaults4
-rw-r--r--src/src/daemon.c4
-rw-r--r--src/src/dane.c2
-rw-r--r--src/src/deliver.c26
-rw-r--r--src/src/dkim_transport.c2
-rw-r--r--src/src/exim.c10
-rw-r--r--src/src/exim.h6
-rw-r--r--src/src/expand.c44
-rw-r--r--src/src/functions.h6
-rw-r--r--src/src/globals.c8
-rw-r--r--src/src/globals.h2
-rw-r--r--src/src/ip.c2
-rw-r--r--src/src/macro_predef.c4
-rw-r--r--src/src/macro_predef.h2
-rw-r--r--src/src/macros.h2
-rw-r--r--src/src/pdkim/pdkim.c4
-rw-r--r--src/src/pdkim/pdkim_hash.h4
-rw-r--r--src/src/pdkim/signing.c4
-rw-r--r--src/src/readconf.c16
-rw-r--r--src/src/receive.c2
-rw-r--r--src/src/sha_ver.h2
-rw-r--r--src/src/smtp_in.c34
-rw-r--r--src/src/smtp_out.c2
-rw-r--r--src/src/spool_in.c4
-rw-r--r--src/src/spool_out.c2
-rw-r--r--src/src/std-crypto.c4
-rw-r--r--src/src/structs.h4
-rw-r--r--src/src/tls.c12
-rw-r--r--src/src/transport.c6
-rw-r--r--src/src/transports/smtp.c68
-rw-r--r--src/src/transports/smtp.h6
-rw-r--r--src/src/verify.c14
38 files changed, 269 insertions, 226 deletions
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 789593ab3..73ed33e86 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -108,8 +108,14 @@ JH/21 The smtp transport option "hosts_noproxy_tls" is now unset by default.
not do so.
JH/22 The smtp transport option "hosts_try_dane" now enables all hosts by
- default. If built with the facility, DANE will be used. The facility is
- now enabled in the prototype build Makefile "EDITME".
+ default. If built with the facility, DANE will be used. The facility
+ SUPPORT_DANE is now enabled in the prototype build Makefile "EDITME".
+
+JH/23 The build default is now for TLS to be included; the SUPPORT_TLS define
+ is replaced with DISABLE_TLS. You must still, unless you define
+ DISABLE_TLS, manage the choice of TLS library and the include-dir and
+ library-file requirements that go with that choice. Non-TLS builds
+ are still supported.
diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff
index c437b38fd..b0ae9c132 100644
--- a/doc/doc-txt/NewStuff
+++ b/doc/doc-txt/NewStuff
@@ -28,8 +28,6 @@ Version 4.93
8. Expansion operator ${sha2_N:} for N=256, 384, 512.
- 9. Build options SUPPORT_DANE and SUPPORT_TLS default to yes
-
Version 4.92
--------------
diff --git a/src/OS/unsupported/Makefile-CYGWIN b/src/OS/unsupported/Makefile-CYGWIN
index 006e9feff..5e608fe9e 100644
--- a/src/OS/unsupported/Makefile-CYGWIN
+++ b/src/OS/unsupported/Makefile-CYGWIN
@@ -43,7 +43,7 @@ AUTH_CRAM_MD5=yes
AUTH_PLAINTEXT=yes
AUTH_SPA=yes
-SUPPORT_TLS=yes
+#DISABLE_TLS=yes
TLS_LIBS=-lssl -lcrypto
ROUTER_ACCEPT=yes
diff --git a/src/src/EDITME b/src/src/EDITME
index 58756e1bd..264d2eaff 100644
--- a/src/src/EDITME
+++ b/src/src/EDITME
@@ -180,6 +180,106 @@ SPOOL_DIRECTORY=/var/spool/exim
###############################################################################
+# TLS #
+###############################################################################
+# Exim is built by default to support the SMTP STARTTLS command, which implements
+# Transport Layer Security using SSL (Secure Sockets Layer). This requires you
+# must install the OpenSSL library package or the GnuTLS library. Exim contains
+# no cryptographic code of its own.
+
+# If you are running Exim as a (TLS) server, just building it with TLS support
+# is all you need to do, as tls_advertise_hosts is set to '*' by
+# default. But you are advised to create a suiteable certificate, and tell
+# Exim about it by means of the tls_certificate and tls_privatekey run
+# time options, otherwise Exim will create a self signed certificate on
+# the fly. If you are running Exim only as a (TLS) client, building it with
+# TLS support is all you need to do.
+#
+# If you are using pkg-config then you should not need to worry where
+# the libraries and headers are installed, as the pkg-config .pc
+# specification should include all -L/-I information necessary.
+# Enabling the USE_*_PC options should be sufficient. If not using
+# pkg-config, then you have to specify the libraries, and you mmight
+# need to specify the locations too.
+
+# no cryptographic code of its own. Uncomment the following lines if you want
+# to build Exim without any TLS support (either OpenSSL or GnuTLS):
+# DISABLE_TLS=yes
+
+# If you are buliding with TLS, the library configuration must be done:
+
+# Uncomment one of these settings if you are using OpenSSL; pkg-config vs not
+# and an optional location.
+# USE_OPENSSL_PC=openssl
+# TLS_LIBS=-lssl -lcrypto
+# TLS_LIBS=-L/usr/local/openssl/lib -lssl -lcrypto
+
+# Uncomment this if you are using GnuTLS
+# USE_GNUTLS=yes
+# Uncomment one of these settings if you are using GnuTLS; pkg-config vs not
+# and an optional location. If you disable SUPPORT_DANE below, you
+# can remove the gnutls-dane references here.
+# USE_GNUTLS_PC=gnutls gnutls-dane
+# TLS_LIBS=-lgnutls -ltasn1 -lgcrypt -lgnutls-dane
+# TLS_LIBS=-L/usr/local/gnu/lib -lgnutls -ltasn1 -lgcrypt -lgnutls-dane
+
+# Uncomment the first and either the second or the third of these if you
+# are using GnuTLS. If you have pkg-config, then the second, else the third.
+# USE_GNUTLS=yes
+# USE_GNUTLS_PC=gnutls
+# TLS_LIBS=-lgnutls -ltasn1 -lgcrypt
+
+# If using GnuTLS older than 2.10 and using pkg-config then note that Exim's
+# build process will require libgcrypt-config to exist in your $PATH. A
+# version that old is likely to become unsupported by Exim in 2017.
+
+# The security fix we provide with the gnutls_allow_auto_pkcs11 option
+# (4.82 PP/09) introduces a compatibility regression. The symbol is
+# not available if GnuTLS is build without p11-kit (--without-p11-kit
+# configure option). In this case use AVOID_GNUTLS_PKCS11=yes when
+# building Exim.
+# AVOID_GNUTLS_PKCS11=yes
+
+# If you are running Exim as a server, note that just building it with TLS
+# support is not all you need to do. You also need to set up a suitable
+# certificate, and tell Exim about it by means of the tls_certificate
+# and tls_privatekey run time options. You also need to set tls_advertise_hosts
+# to specify the hosts to which Exim advertises TLS support. On the other hand,
+# if you are running Exim only as a client, building it with TLS support
+# is all you need to do.
+
+# If you are using pkg-config then you should not need to worry where the
+# libraries and headers are installed, as the pkg-config .pc specification
+# should include all -L/-I information necessary. If not using pkg-config
+# then you might need to specify the locations too.
+
+# Additional libraries and include files are required for both OpenSSL and
+# GnuTLS. The TLS_LIBS settings above assume that the libraries are installed
+# with all your other libraries. If they are in a special directory, you may
+# need something like
+
+# TLS_LIBS=-L/usr/local/openssl/lib -lssl -lcrypto
+
+# or
+
+# TLS_LIBS=-L/opt/gnu/lib -lgnutls -ltasn1 -lgcrypt -lgnutls-dane
+# If not using DANE under GnuTLS we can lose one library
+# TLS_LIBS=-L/opt/gnu/lib -lgnutls -ltasn1 -lgcrypt
+
+# TLS_LIBS is included only on the command for linking Exim itself, not on any
+# auxiliary programs. If the include files are not in a standard place, you can
+# set TLS_INCLUDE to specify where they are, for example:
+
+# TLS_INCLUDE=-I/usr/local/openssl/include/
+# or
+# TLS_INCLUDE=-I/opt/gnu/include
+
+# You don't need to set TLS_INCLUDE if the relevant directories are already
+# specified in INCLUDE.
+
+
+
+###############################################################################
# THESE ARE THINGS YOU PROBABLY WANT TO SPECIFY #
###############################################################################
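Review bot: The relocated TLS commentary now contradicts itself: the paragraph starting "If you are running Exim as a (TLS) server, just building it with TLS support is all you need to do, as tls_advertise_hosts is set to '*' by default" is followed further down by "If you are running Exim as a server, note that just building it with TLS support is not all you need to do. ... You also need to set tls_advertise_hosts", which describes the pre-4.92 behaviour and should be dropped or reconciled with the first paragraph. The GnuTLS settings are also listed twice (once with gnutls-dane, once without, each with its own `USE_GNUTLS=yes`), and the stray fragment "# no cryptographic code of its own. Uncomment the following lines..." repeats half a sentence from the opening paragraph; suggest "# Uncomment the following line if you want to build Exim without any TLS support (either OpenSSL or GnuTLS):". While here, "buliding", "suiteable" and "mmight" are typos.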
@@ -758,67 +858,6 @@ HEADERS_CHARSET="ISO-8859-1"
#------------------------------------------------------------------------------
-# Exim can be built to support the SMTP STARTTLS command, which implements
-# Transport Layer Security using SSL (Secure Sockets Layer). To do this, you
-# must install the OpenSSL library package or the GnuTLS library. Exim contains
-# no cryptographic code of its own.
-#
-# If you are running Exim as a (TLS) server, just building it with TLS support
-# is all you need to do, as tls_advertise_hosts is set to '*' by
-# default. But you are advised to create a suiteable certificate, and tell
-# Exim about it by means of the tls_certificate and tls_privatekey run
-# time options, otherwise Exim will create a self signed certificate on
-# the fly. If you are running Exim only as a (TLS) client, building it with
-# TLS support is all you need to do.
-#
-# If you are using pkg-config then you should not need to worry where
-# the libraries and headers are installed, as the pkg-config .pc
-# specification should include all -L/-I information necessary.
-# Enabling the USE_*_PC options should be sufficient. If not using
-# pkg-config, then you have to specify the libraries, and you mmight
-# need to specify the locations too.
-
-# This setting is required for any TLS support (either OpenSSL or GnuTLS)
-SUPPORT_TLS=yes
-
-# Uncomment one of these settings if you are using OpenSSL; pkg-config vs not
-# and an optional location.
-# USE_OPENSSL_PC=openssl
-# TLS_LIBS=-lssl -lcrypto
-# TLS_LIBS=-L/usr/local/openssl/lib -lssl -lcrypto
-
-# Uncomment one of these settings if you are using GnuTLS; pkg-config vs not
-# and an optional location. If you disabled SUPPORT_DANE above, you
-# can remove the gnutls-dane references here.
-# USE_GNUTLS=yes
-# USE_GNUTLS_PC=gnutls gnutls-dane
-# TLS_LIBS=-lgnutls -ltasn1 -lgcrypt -lgnutls-dane
-# TLS_LIBS=-L/usr/local/gnu/lib -lgnutls -ltasn1 -lgcrypt -lgnutls-dane
-
-# If using GnuTLS older than 2.10 and using pkg-config then note that Exim's
-# build process will require libgcrypt-config to exist in your $PATH. A
-# version that old is likely to become unsupported by Exim in 2017.
-
-# The security fix we provide with the gnutls_allow_auto_pkcs11 option
-# (4.82 PP/09) introduces a compatibility regression. The symbol is
-# not available if GnuTLS is build without p11-kit (--without-p11-kit
-# configure option). In this case use AVOID_GNUTLS_PKCS11=yes when
-# building Exim.
-# AVOID_GNUTLS_PKCS11=yes
-
-# If the include files for your TLS libraries are not in a standard
-# place and you didn't use the pkg-config route, you you can set
-# TLS_INCLUDE to specify where they are, for example:
-
-# TLS_INCLUDE=-I/usr/local/openssl/include/
-# or
-# TLS_INCLUDE=-I/opt/gnu/include
-
-# You don't need to set TLS_INCLUDE if the relevant directories are already
-# specified in INCLUDE.
-
-
-#------------------------------------------------------------------------------
# The default distribution of Exim contains only the plain text form of the
# documentation. Other forms are available separately. If you want to install
# the documentation in "info" format, first fetch the Texinfo documentation
diff --git a/src/src/auths/gsasl_exim.c b/src/src/auths/gsasl_exim.c
index 1c9c77d13..faf30bb8a 100644
--- a/src/src/auths/gsasl_exim.c
+++ b/src/src/auths/gsasl_exim.c
@@ -286,7 +286,7 @@ if (ob->server_realm)
}
/* We don't support protection layers. */
gsasl_property_set(sctx, GSASL_QOPS, "qop-auth");
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
if (tls_channelbinding_b64)
{
/* Some auth mechanisms can ensure that both sides are talking withing the
diff --git a/src/src/buildconfig.c b/src/src/buildconfig.c
index 426714f91..71cf97b18 100644
--- a/src/src/buildconfig.c
+++ b/src/src/buildconfig.c
@@ -753,15 +753,15 @@ else if (isgroup)
continue;
}
- /* DISABLE_DKIM is special; must be forced if no SUPPORT_TLS */
+ /* DISABLE_DKIM is special; must be forced if DISABLE_TLS */
if (strcmp(name, "DISABLE_DKIM") == 0)
{
char *d_dkim = getenv("DISABLE_DKIM");
- char *tls = getenv("SUPPORT_TLS");
+ char *notls = getenv("DISABLE_TLS");
if (d_dkim)
fprintf(new, "#define DISABLE_DKIM yes\n");
- else if (!tls)
+ else if (notls)
fprintf(new, "#define DISABLE_DKIM yes /* forced by lack of TLS */\n");
else
fprintf(new, "/* DISABLE_DKIM not set */\n");
diff --git a/src/src/config.h.defaults b/src/src/config.h.defaults
index c5d5389ba..f45a61a9a 100644
--- a/src/src/config.h.defaults
+++ b/src/src/config.h.defaults
@@ -49,8 +49,9 @@ Do not put spaces between # and the 'define'.
#define DISABLE_DNSSEC
#define DISABLE_DKIM
#define DISABLE_EVENT
-#define DISABLE_PRDR
#define DISABLE_OCSP
+#define DISABLE_PRDR
+#define DISABLE_TLS
#define DISABLE_D_OPTION
#define ENABLE_DISABLE_FSYNC
@@ -152,7 +153,6 @@ Do not put spaces between # and the 'define'.
#define SUPPORT_PROXY
#define SUPPORT_SOCKS
#define SUPPORT_SPF
-#define SUPPORT_TLS
#define SUPPORT_TRANSLATE_IP_ADDRESS
#define SYSLOG_LOG_PID
diff --git a/src/src/daemon.c b/src/src/daemon.c
index cf5e09201..0b4d347b9 100644
--- a/src/src/daemon.c
+++ b/src/src/daemon.c
@@ -645,7 +645,7 @@ if (pid == 0)
/* Don't ever molest the parent's SSL connection, but do clean up
the data structures if necessary. */
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
tls_close(NULL, TLS_NO_SHUTDOWN);
#endif
@@ -1985,7 +1985,7 @@ for (;;)
handle_ending_processes();
errno = select_errno;
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
/* Create or rotate any required keys */
tls_daemon_init();
#endif
diff --git a/src/src/dane.c b/src/src/dane.c
index 541e9cb02..5284a61c3 100644
--- a/src/src/dane.c
+++ b/src/src/dane.c
@@ -29,7 +29,7 @@ static void dummy(int x) { dummy(x-1); }
#else
/* Enabling DANE without enabling TLS cannot work. Abort the compilation. */
-# ifndef SUPPORT_TLS
+# ifdef DISABLE_TLS
# error DANE support requires that TLS support must be enabled. Abort build.
# endif
diff --git a/src/src/deliver.c b/src/src/deliver.c
index f79522d8e..dc7a7d5fb 100644
--- a/src/src/deliver.c
+++ b/src/src/deliver.c
@@ -801,7 +801,7 @@ return g;
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
static gstring *
d_tlslog(gstring * g, address_item * addr)
{
@@ -1231,7 +1231,7 @@ else
#endif
}
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
g = d_tlslog(g, addr);
#endif
@@ -1435,7 +1435,7 @@ if (addr->transport)
if (addr->host_used)
g = d_hostlog(g, addr);
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
g = d_tlslog(g, addr);
#endif
@@ -1635,7 +1635,7 @@ if (result == OK)
}
/* Certificates for logging (via events) */
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
tls_out.ourcert = addr->ourcert;
addr->ourcert = NULL;
tls_out.peercert = addr->peercert;
@@ -1651,7 +1651,7 @@ if (result == OK)
delivery_log(LOG_MAIN, addr, logchar, NULL);
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
tls_free_cert(&tls_out.ourcert);
tls_free_cert(&tls_out.peercert);
tls_out.cipher = NULL;
@@ -3505,7 +3505,7 @@ while (!done)
it in with the other info, in order to keep each message short enough to
guarantee it won't be split in the pipe. */
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
case 'X':
if (!addr) goto ADDR_MISMATCH; /* Below, in 'A' handler */
switch (*subid)
@@ -3543,7 +3543,7 @@ while (!done)
}
while (*ptr++);
break;
-#endif /*SUPPORT_TLS*/
+#endif /*DISABLE_TLS*/
case 'C': /* client authenticator information */
switch (*subid)
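Review bot: The closing comment `#endif /*DISABLE_TLS*/` now names the macro whose *absence* opens the block, which reads as the opposite of the `#ifndef DISABLE_TLS` it closes; the `#else /*DISABLE_TLS*/` form used in globals.c is accurate, but on an `#endif` the conventional form is `#endif /*!DISABLE_TLS*/` (or `/* ndef DISABLE_TLS */`). The same form appears in the later deliver.c hunk, both expand.c `#endif` hunks, the functions.h hunk and the two readconf.c `#endif` hunks. The enclosing switch in this hunk starts and ends outside the hunk.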
@@ -4805,7 +4805,7 @@ all pipes, so I do not see a reason to use non-blocking IO here
# endif
/* Use an X item only if there's something to send */
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
if (addr->cipher)
{
ptr = big_buffer + sprintf(CS big_buffer, "%.128s", addr->cipher) + 1;
@@ -4848,7 +4848,7 @@ all pipes, so I do not see a reason to use non-blocking IO here
rmt_dlv_checked_write(fd, 'X', '4', big_buffer, ptr - big_buffer);
}
# endif
-#endif /*SUPPORT_TLS*/
+#endif /*DISABLE_TLS*/
if (client_authenticator)
{
@@ -5012,7 +5012,7 @@ all pipes, so I do not see a reason to use non-blocking IO here
if (cutthrough.cctx.sock >= 0 && cutthrough.callout_hold_only)
{
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
if (cutthrough.is_tls)
tls_close(cutthrough.cctx.tls_ctx, TLS_NO_SHUTDOWN);
#endif
@@ -8513,7 +8513,7 @@ if (!regex_SIZE) regex_SIZE =
if (!regex_AUTH) regex_AUTH =
regex_must_compile(AUTHS_REGEX, FALSE, TRUE);
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
if (!regex_STARTTLS) regex_STARTTLS =
regex_must_compile(US"\\n250[\\s\\-]STARTTLS(\\s|\\n|$)", FALSE, TRUE);
#endif
@@ -8603,7 +8603,7 @@ if (cutthrough.cctx.sock >= 0 && cutthrough.callout_hold_only)
smtp_peer_options = cutthrough.peer_options;
continue_sequence = 0;
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
if (cutthrough.is_tls)
{
int pfd[2], pid;
@@ -8646,7 +8646,7 @@ else
}
return; /* compiler quietening; control does not reach here. */
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
fail:
log_write(0,
LOG_MAIN | (exec_type == CEE_EXEC_EXIT ? LOG_PANIC : LOG_PANIC_DIE),
diff --git a/src/src/dkim_transport.c b/src/src/dkim_transport.c
index 8ce18c818..6b643927c 100644
--- a/src/src/dkim_transport.c
+++ b/src/src/dkim_transport.c
@@ -83,7 +83,7 @@ else
while (sread)
{
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
wwritten = tls_out.active.sock == out_fd
? tls_write(tls_out.active.tls_ctx, p, sread, FALSE)
: write(out_fd, CS p, sread);
diff --git a/src/src/exim.c b/src/src/exim.c
index 1aa32b269..b2894aeb9 100644
--- a/src/src/exim.c
+++ b/src/src/exim.c
@@ -553,7 +553,7 @@ close_unwanted(void)
{
if (smtp_input)
{
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
tls_close(NULL, TLS_NO_SHUTDOWN); /* Shut down the TLS library */
#endif
(void)close(fileno(smtp_in));
@@ -857,7 +857,7 @@ fprintf(fp, "Support for:");
#ifdef USE_TCP_WRAPPERS
fprintf(fp, " TCPwrappers");
#endif
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
# ifdef USE_GNUTLS
fprintf(fp, " GnuTLS");
# else
@@ -1049,7 +1049,7 @@ DEBUG(D_any) do {
show_db_version(fp);
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
tls_version_report(fp);
#endif
#ifdef SUPPORT_I18N
@@ -2712,7 +2712,7 @@ for (i = 1; i < argc; i++)
case 'S': smtp_peer_options |= OPTION_SIZE; break;
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
/* -MCt: similar to -MCT below but the connection is still open
via a proxy process which handles the TLS context and coding.
Require three arguments for the proxied local address and port,
@@ -3313,7 +3313,7 @@ for (i = 1; i < argc; i++)
/* -tls-on-connect: don't wait for STARTTLS (for old clients) */
- #ifdef SUPPORT_TLS
+ #ifndef DISABLE_TLS
else if (Ustrcmp(argrest, "ls-on-connect") == 0) tls_in.on_connect = TRUE;
#endif
diff --git a/src/src/exim.h b/src/src/exim.h
index 79d1acf13..0638167aa 100644
--- a/src/src/exim.h
+++ b/src/src/exim.h
@@ -539,11 +539,11 @@ union sockaddr_46 {
struct sockaddr v0;
};
-/* If SUPPORT_TLS is not defined, ensure that USE_GNUTLS is also not defined
-so that if USE_GNUTLS *is* set, we can assume SUPPORT_TLS is also set.
+/* If DISABLE_TLS is defined, ensure that USE_GNUTLS is not defined
+so that if USE_GNUTLS *is* set, we can assume DISABLE_TLS is not set.
Likewise, OSCP, AUTH_TLS and CERTNAMES cannot be supported. */
-#ifndef SUPPORT_TLS
+#ifdef DISABLE_TLS
# undef USE_GNUTLS
# ifndef DISABLE_OCSP
# define DISABLE_OCSP
diff --git a/src/src/expand.c b/src/src/expand.c
index 41eadefd0..31059c432 100644
--- a/src/src/expand.c
+++ b/src/src/expand.c
@@ -756,7 +756,7 @@ static var_entry var_table[] = {
#ifdef EXPERIMENTAL_TLS_RESUME
{ "tls_in_resumption", vtype_int, &tls_in.resumption },
#endif
-#if defined(SUPPORT_TLS)
+#ifndef DISABLE_TLS
{ "tls_in_sni", vtype_stringptr, &tls_in.sni },
#endif
{ "tls_out_bits", vtype_int, &tls_out.bits },
@@ -773,7 +773,7 @@ static var_entry var_table[] = {
#ifdef EXPERIMENTAL_TLS_RESUME
{ "tls_out_resumption", vtype_int, &tls_out.resumption },
#endif
-#if defined(SUPPORT_TLS)
+#ifndef DISABLE_TLS
{ "tls_out_sni", vtype_stringptr, &tls_out.sni },
#endif
#ifdef SUPPORT_DANE
@@ -781,7 +781,7 @@ static var_entry var_table[] = {
#endif
{ "tls_peerdn", vtype_stringptr, &tls_in.peerdn }, /* mind the alphabetical order! */
-#if defined(SUPPORT_TLS)
+#ifndef DISABLE_TLS
{ "tls_sni", vtype_stringptr, &tls_in.sni }, /* mind the alphabetical order! */
#endif
@@ -967,7 +967,7 @@ weirdness they'll twist this into. The result should ideally handle fork().
However, if we're stuck unable to provide this, then we'll fall back to
appallingly bad randomness.
-If SUPPORT_TLS is defined then this will not be used except as an emergency
+If DISABLE_TLS is not defined then this will not be used except as an emergency
fallback.
Arguments:
@@ -975,13 +975,13 @@ Arguments:
Returns a random number in range [0, max-1]
*/
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
# define vaguely_random_number vaguely_random_number_fallback
#endif
int
vaguely_random_number(int max)
{
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
# undef vaguely_random_number
#endif
static pid_t pid = 0;
@@ -1289,7 +1289,7 @@ return string_nextinlist(&list, &sep, NULL, 0);
/* Certificate fields, by name. Worry about by-OID later */
/* Names are chosen to not have common prefixes */
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
typedef struct
{
uschar * name;
@@ -1350,7 +1350,7 @@ expand_string_message =
string_sprintf("bad field selector \"%s\" for certextract", field);
return NULL;
}
-#endif /*SUPPORT_TLS*/
+#endif /*DISABLE_TLS*/
/*************************************************
* Extract a substring from a string *
@@ -3660,7 +3660,7 @@ return yield;
}
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
static gstring *
cat_file_tls(void * tls_ctx, gstring * yield, uschar * eol)
{
@@ -4947,7 +4947,7 @@ while (*s != 0)
uschar * server_name = NULL;
host_item host;
BOOL do_shutdown = TRUE;
- BOOL do_tls = FALSE; /* Only set under SUPPORT_TLS */
+ BOOL do_tls = FALSE; /* Only set under ! DISABLE_TLS */
blob reqstr;
if (expand_forbid & RDO_READSOCK)
@@ -4991,7 +4991,7 @@ while (*s != 0)
while ((item = string_nextinlist(&list, &sep, NULL, 0)))
if (Ustrncmp(item, US"shutdown=", 9) == 0)
{ if (Ustrcmp(item + 9, US"no") == 0) do_shutdown = FALSE; }
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
else if (Ustrncmp(item, US"tls=", 4) == 0)
{ if (Ustrcmp(item + 9, US"no") != 0) do_tls = TRUE; }
#endif
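Review bot: The `tls=` option parser under the renamed guard still reads the value from the wrong offset: `if (Ustrcmp(item + 9, US"no") != 0) do_tls = TRUE;` uses the 9-character skip that belongs to the `shutdown=` branch above it, while the prefix matched here is the 4-character `tls=`. For an item such as `tls=no` that offset is past the string terminator, so the comparison reads beyond the item and `tls=no` still enables TLS. It should be `if (Ustrcmp(item + 4, US"no") != 0) do_tls = TRUE;`. The enclosing expansion-item loop starts and ends outside the hunk.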
@@ -5098,7 +5098,7 @@ while (*s != 0)
DEBUG(D_expand) debug_printf_indent("connected to socket %s\n", sub_arg[0]);
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
if (do_tls)
{
smtp_connect_args conn_args = {.host = &host };
@@ -5123,7 +5123,7 @@ while (*s != 0)
DEBUG(D_expand) debug_printf_indent("writing \"%s\" to socket\n",
reqstr.data);
if ( (
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
do_tls ? tls_write(cctx.tls_ctx, reqstr.data, reqstr.len, FALSE) :
#endif
write(cctx.sock, reqstr.data, reqstr.len)) != reqstr.len)
@@ -5152,13 +5152,13 @@ while (*s != 0)
sigalrm_seen = FALSE;
ALARM(timeout);
yield =
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
do_tls ? cat_file_tls(cctx.tls_ctx, yield, sub_arg[3]) :
#endif
cat_file(fp, yield, sub_arg[3]);
ALARM_CLR(0);
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
if (do_tls)
{
tls_close(cctx.tls_ctx, TRUE);
@@ -5992,7 +5992,7 @@ while (*s != 0)
continue;
}
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
case EITEM_CERTEXTRACT:
{
uschar *save_lookup_value = lookup_value;
@@ -6072,7 +6072,7 @@ while (*s != 0)
save_expand_nlength);
continue;
}
-#endif /*SUPPORT_TLS*/
+#endif /*DISABLE_TLS*/
/* Handle list operations */
@@ -6584,7 +6584,7 @@ while (*s != 0)
int c;
uschar *arg = NULL;
uschar *sub;
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
var_entry *vp = NULL;
#endif
@@ -6607,7 +6607,7 @@ while (*s != 0)
as we do not want to do the usual expansion. For most, expand the string.*/
switch(c)
{
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
case EOP_MD5:
case EOP_SHA1:
case EOP_SHA256:
@@ -6762,7 +6762,7 @@ while (*s != 0)
}
case EOP_MD5:
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
if (vp && *(void **)vp->value)
{
uschar * cp = tls_cert_fprt_md5(*(void **)vp->value);
@@ -6781,7 +6781,7 @@ while (*s != 0)
continue;
case EOP_SHA1:
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
if (vp && *(void **)vp->value)
{
uschar * cp = tls_cert_fprt_sha1(*(void **)vp->value);
@@ -7564,7 +7564,7 @@ while (*s != 0)
case EOP_STR2B64:
case EOP_BASE64:
{
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
uschar * s = vp && *(void **)vp->value
? tls_cert_der_b64(*(void **)vp->value)
: b64encode(CUS sub, Ustrlen(sub));
diff --git a/src/src/functions.h b/src/src/functions.h
index 87953c413..11fb8b59e 100644
--- a/src/src/functions.h
+++ b/src/src/functions.h
@@ -22,7 +22,7 @@ extern uschar *init_perl(uschar *);
#endif
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
extern const char *
std_dh_prime_default(void);
extern const char *
@@ -77,7 +77,7 @@ extern BOOL tls_is_name_for_cert(const uschar *, void *);
extern int tlsa_lookup(const host_item *, dns_answer *, BOOL);
# endif
-#endif /*SUPPORT_TLS*/
+#endif /*DISABLE_TLS*/
/* Everything else... */
@@ -350,7 +350,7 @@ extern uschar *parse_message_id(uschar *, uschar **, uschar **);
extern const uschar *parse_quote_2047(const uschar *, int, uschar *, uschar *, int, BOOL);
extern uschar *parse_date_time(uschar *str, time_t *t);
extern int vaguely_random_number(int);
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
extern int vaguely_random_number_fallback(int);
#endif
diff --git a/src/src/globals.c b/src/src/globals.c
index a2fa032bc..5ce04a6ed 100644
--- a/src/src/globals.c
+++ b/src/src/globals.c
@@ -115,7 +115,7 @@ int dsn_ret = 0;
const pcre *regex_DSN = NULL;
uschar *dsn_advertise_hosts = NULL;
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
BOOL gnutls_compat_mode = FALSE;
BOOL gnutls_allow_auto_pkcs11 = FALSE;
uschar *openssl_options = NULL;
@@ -141,7 +141,7 @@ uschar *tls_resumption_hosts = NULL;
uschar *tls_try_verify_hosts = NULL;
uschar *tls_verify_certificates= US"system";
uschar *tls_verify_hosts = NULL;
-#else /*!SUPPORT_TLS*/
+#else /*DISABLE_TLS*/
uschar *tls_advertise_hosts = NULL;
#endif
@@ -548,7 +548,7 @@ address_item address_defaults = {
.return_filename = NULL,
.self_hostname = NULL,
.shadow_message = NULL,
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
.cipher = NULL,
.ourcert = NULL,
.peercert = NULL,
@@ -1227,7 +1227,7 @@ uschar *received_header_text = US
"${if def:sender_helo_name {(helo=$sender_helo_name)\n\t}}}}"
"by $primary_hostname "
"${if def:received_protocol {with $received_protocol }}"
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
"${if def:tls_in_cipher_std { tls $tls_in_cipher_std\n\t}}"
#endif
"(Exim $version_number)\n\t"
diff --git a/src/src/globals.h b/src/src/globals.h
index e98ff7fe1..d29fcc4e1 100644
--- a/src/src/globals.h
+++ b/src/src/globals.h
@@ -113,7 +113,7 @@ typedef struct {
extern tls_support tls_in;
extern tls_support tls_out;
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
extern BOOL gnutls_compat_mode; /* Less security, more compatibility */
extern BOOL gnutls_allow_auto_pkcs11; /* Let GnuTLS autoload PKCS11 modules */
extern uschar *openssl_options; /* OpenSSL compatibility options */
diff --git a/src/src/ip.c b/src/src/ip.c
index 8b506109e..fb42f0051 100644
--- a/src/src/ip.c
+++ b/src/src/ip.c
@@ -653,7 +653,7 @@ if (!fd_ready(cctx->sock, timeout))
/* The socket is ready, read from it (via TLS if it's active). On EOF (i.e.
close down of the connection), set errno to zero; otherwise leave it alone. */
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
if (cctx->tls_ctx) /* client TLS */
rc = tls_read(cctx->tls_ctx, buffer, buffsize);
else if (tls_in.active.sock == cctx->sock) /* server TLS */
diff --git a/src/src/macro_predef.c b/src/src/macro_predef.c
index 33249133a..ebb4cb98a 100644
--- a/src/src/macro_predef.c
+++ b/src/src/macro_predef.c
@@ -126,7 +126,7 @@ due to conflicts with other common macros. */
#ifdef USE_TCP_WRAPPERS
builtin_macro_create(US"_HAVE_TCPWRAPPERS");
#endif
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
builtin_macro_create(US"_HAVE_TLS");
# ifdef USE_GNUTLS
builtin_macro_create(US"_HAVE_GNUTLS");
@@ -290,7 +290,7 @@ options_routers();
options_transports();
options_auths();
options_logging();
-#if defined(SUPPORT_TLS)
+#ifndef DISABLE_TLS
options_tls();
#endif
}
diff --git a/src/src/macro_predef.h b/src/src/macro_predef.h
index 79a8d6f15..4bc98e0df 100644
--- a/src/src/macro_predef.h
+++ b/src/src/macro_predef.h
@@ -20,7 +20,7 @@ extern void options_transports(void);
extern void options_auths(void);
extern void options_logging(void);
extern void params_dkim(void);
-#if defined(SUPPORT_TLS)
+#ifndef DISABLE_TLS
extern void options_tls(void);
#endif
diff --git a/src/src/macros.h b/src/src/macros.h
index e3f1f4c28..4189b6bd7 100644
--- a/src/src/macros.h
+++ b/src/src/macros.h
@@ -84,7 +84,7 @@ as unsigned. */
/* When built with TLS support, the act of flushing SMTP output becomes
a no-op once an SSL session is in progress. */
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
#define mac_smtp_fflush() if (tls_in.active.sock < 0) fflush(smtp_out);
#else
#define mac_smtp_fflush() fflush(smtp_out);
diff --git a/src/src/pdkim/pdkim.c b/src/src/pdkim/pdkim.c
index 6e154f5ef..9ebcfc1b6 100644
--- a/src/src/pdkim/pdkim.c
+++ b/src/src/pdkim/pdkim.c
@@ -26,8 +26,8 @@
#ifndef DISABLE_DKIM /* entire file */
-#ifndef SUPPORT_TLS
-# error Need SUPPORT_TLS for DKIM
+#ifdef DISABLE_TLS
+# error Must not DISABLE_TLS, for DKIM
#endif
#include "crypt_ver.h"
diff --git a/src/src/pdkim/pdkim_hash.h b/src/src/pdkim/pdkim_hash.h
index 6299ae28a..8f9a12628 100644
--- a/src/src/pdkim/pdkim_hash.h
+++ b/src/src/pdkim/pdkim_hash.h
@@ -11,8 +11,8 @@
#if !defined(HASH_H) /* entire file */
#define HASH_H
-#ifndef SUPPORT_TLS
-# error Need SUPPORT_TLS for DKIM
+#ifdef DISABLE_TLS
+# error Must not DISABLE_TLS, for DKIM
#endif
#include "crypt_ver.h"
diff --git a/src/src/pdkim/signing.c b/src/src/pdkim/signing.c
index a47f824b8..53a8a7b45 100644
--- a/src/src/pdkim/signing.c
+++ b/src/src/pdkim/signing.c
@@ -28,8 +28,8 @@ features_crypto(void)
#ifndef DISABLE_DKIM /* rest of file */
-#ifndef SUPPORT_TLS
-# error Need SUPPORT_TLS for DKIM
+#ifdef DISABLE_TLS
+# error Must no DISABLE_TLS, for DKIM
#endif
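Review bot: The new `#error` text in this file reads `Must no DISABLE_TLS, for DKIM`, which is both ungrammatical and out of step with the identical guards in pdkim.c and pdkim_hash.h that say `Must not DISABLE_TLS, for DKIM`; change it to `# error Must not DISABLE_TLS, for DKIM` so the three build-abort messages match. Since this message is what a user sees when a DKIM build fails for lack of TLS, consistent wording makes the cause easier to search for.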
diff --git a/src/src/readconf.c b/src/src/readconf.c
index b6c41bc65..cffee4a08 100644
--- a/src/src/readconf.c
+++ b/src/src/readconf.c
@@ -60,7 +60,7 @@ static optionlist optionlist_config[] = {
{ "acl_smtp_predata", opt_stringptr, &acl_smtp_predata },
{ "acl_smtp_quit", opt_stringptr, &acl_smtp_quit },
{ "acl_smtp_rcpt", opt_stringptr, &acl_smtp_rcpt },
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
{ "acl_smtp_starttls", opt_stringptr, &acl_smtp_starttls },
#endif
{ "acl_smtp_vrfy", opt_stringptr, &acl_smtp_vrfy },
@@ -156,7 +156,7 @@ static optionlist optionlist_config[] = {
{ "freeze_tell", opt_stringptr, &freeze_tell },
{ "gecos_name", opt_stringptr, &gecos_name },
{ "gecos_pattern", opt_stringptr, &gecos_pattern },
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
{ "gnutls_allow_auto_pkcs11", opt_bool, &gnutls_allow_auto_pkcs11 },
{ "gnutls_compat_mode", opt_bool, &gnutls_compat_mode },
#endif
@@ -224,7 +224,7 @@ static optionlist optionlist_config[] = {
{ "mysql_servers", opt_stringptr, &mysql_servers },
#endif
{ "never_users", opt_uidlist, &never_users },
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
{ "openssl_options", opt_stringptr, &openssl_options },
#endif
#ifdef LOOKUP_ORACLE
@@ -355,7 +355,7 @@ static optionlist optionlist_config[] = {
{ "timeout_frozen_after", opt_time, &timeout_frozen_after },
{ "timezone", opt_stringptr, &timezone_string },
{ "tls_advertise_hosts", opt_stringptr, &tls_advertise_hosts },
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
{ "tls_certificate", opt_stringptr, &tls_certificate },
{ "tls_crl", opt_stringptr, &tls_crl },
{ "tls_dh_max_bits", opt_int, &tls_dh_max_bits },
@@ -3082,7 +3082,7 @@ Assumes: tls_require_ciphers has been set, if it will be
Returns: bool for "okay"; false will cause caller to immediately exit.
*/
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
static BOOL
tls_dropprivs_validate_require_cipher(BOOL nowarn)
{
@@ -3135,7 +3135,7 @@ signal(SIGCHLD, oldsignal);
return status == 0;
}
-#endif /* SUPPORT_TLS */
+#endif /*DISABLE_TLS*/
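Review bot: The new trailer comment `#endif /*DISABLE_TLS*/` closes a region opened with `#ifndef DISABLE_TLS`, so it reads as the opposite of the condition it terminates; the tls.c hunk ending the "TLS certificate name operations" section already uses the accurate form `#endif /*!DISABLE_TLS*/`. I would write `#endif /*!DISABLE_TLS*/` here, in the second readconf.c hunk's `#endif`, and in the two `#endif /*DISABLE_TLS*/` trailers in transports/smtp.c (after the `TLS_FAILED` block and after the `tls_tempfail_tryclear` retry block), all of which close `#ifndef` regions. The std-crypto.c and tls.c trailers that close an `#ifdef DISABLE_TLS ... #else` pair are fine as they are. The enclosing function ends in this hunk but starts outside it.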
@@ -3622,7 +3622,7 @@ if (host_number_string)
host_number = n;
}
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
/* If tls_verify_hosts is set, tls_verify_certificates must also be set */
if ((tls_verify_hosts || tls_try_verify_hosts) && !tls_verify_certificates)
@@ -3655,7 +3655,7 @@ if (openssl_options)
"openssl_options parse error: %s", openssl_options);
# endif
}
-#endif /*SUPPORT_TLS*/
+#endif /*DISABLE_TLS*/
if (!nowarn && !keep_environment && environ && *environ)
log_write(0, LOG_MAIN,
diff --git a/src/src/receive.c b/src/src/receive.c
index fbd32c8fa..9769e8893 100644
--- a/src/src/receive.c
+++ b/src/src/receive.c
@@ -3978,7 +3978,7 @@ if (message_reference)
g = add_host_info_for_log(g);
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
if (LOGGING(tls_cipher) && tls_in.cipher)
{
g = string_append(g, 2, US" X=", tls_in.cipher);
diff --git a/src/src/sha_ver.h b/src/src/sha_ver.h
index 61408788b..a7e99f506 100644
--- a/src/src/sha_ver.h
+++ b/src/src/sha_ver.h
@@ -16,7 +16,7 @@
* and not massaging CFLAGS in Local/Makefile is fully supported.
*/
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
# define EXIM_HAVE_SHA2
diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c
index 40fd3083b..049f5b542 100644
--- a/src/src/smtp_in.c
+++ b/src/src/smtp_in.c
@@ -133,7 +133,7 @@ to the circular buffer that holds a list of the last n received. */
static struct {
BOOL auth_advertised :1;
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
BOOL tls_advertised :1;
#endif
BOOL dsn_advertised :1;
@@ -194,7 +194,7 @@ static smtp_cmd_list cmd_list[] = {
{ "helo", sizeof("helo")-1, HELO_CMD, TRUE, FALSE },
{ "ehlo", sizeof("ehlo")-1, EHLO_CMD, TRUE, FALSE },
{ "auth", sizeof("auth")-1, AUTH_CMD, TRUE, TRUE },
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
{ "starttls", sizeof("starttls")-1, STARTTLS_CMD, FALSE, FALSE },
{ "tls_auth", 0, TLS_AUTH_CMD, FALSE, FALSE },
#endif
@@ -348,7 +348,7 @@ int fd, rc;
fd_set fds;
struct timeval tzero;
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
if (tls_in.active.sock >= 0)
return !tls_could_read();
#endif
@@ -945,7 +945,7 @@ if (fl.rcpt_in_progress)
/* Now write the string */
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
if (tls_in.active.sock >= 0)
{
if (tls_write(NULL, gs.s, gs.ptr, more) < 0)
@@ -1774,7 +1774,7 @@ return string_sprintf("SMTP connection from %s", hostname);
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
/* Append TLS-related information to a log line
Arguments:
@@ -1830,7 +1830,7 @@ if (sender_host_authenticated)
if (authenticated_id) g = string_append(g, 2, US":", authenticated_id);
}
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
g = s_tlslog(g);
#endif
@@ -2375,7 +2375,7 @@ return done - 2; /* Convert yield values */
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
static BOOL
smtp_log_tls_fail(uschar * errstr)
{
@@ -2466,7 +2466,7 @@ if (!host_checking && !f.sender_host_notsocket)
sender_host_auth_pubname = sender_host_authenticated = NULL;
authenticated_by = NULL;
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
tls_in.cipher = tls_in.peerdn = NULL;
tls_in.ourcert = tls_in.peercert = NULL;
tls_in.sni = NULL;
@@ -2903,7 +2903,7 @@ if (check_proxy_protocol_host())
/* Start up TLS if tls_on_connect is set. This is for supporting the legacy
smtps port for use with older style SSL MTAs. */
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
if (tls_in.on_connect)
{
if (tls_server_start(tls_require_ciphers, &user_msg) != OK)
@@ -3404,7 +3404,7 @@ is closing if required and return 2. */
if (log_reject_target != 0)
{
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
gstring * g = s_tlslog(NULL);
uschar * tls = string_from_gstring(g);
if (!tls) tls = US"";
@@ -3825,7 +3825,7 @@ if (*user_msgp)
else
smtp_printf("221 %s closing connection\r\n", FALSE, smtp_active_hostname);
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
tls_close(NULL, TLS_SHUTDOWN_NOWAIT);
#endif
@@ -3896,7 +3896,7 @@ chunking_state = f.chunking_offered ? CHUNKING_OFFERED : CHUNKING_NOT_OFFERED;
cmd_list[CMD_LIST_RSET].is_mail_cmd = TRUE;
cmd_list[CMD_LIST_HELO].is_mail_cmd = TRUE;
cmd_list[CMD_LIST_EHLO].is_mail_cmd = TRUE;
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
cmd_list[CMD_LIST_STARTTLS].is_mail_cmd = TRUE;
#endif
@@ -4228,7 +4228,7 @@ while (done <= 0)
fl.auth_advertised = FALSE;
f.smtp_in_pipelining_advertised = FALSE;
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
fl.tls_advertised = FALSE;
#endif
fl.dsn_advertised = FALSE;
@@ -4421,7 +4421,7 @@ while (done <= 0)
tls_advertise_hosts. We must *not* advertise if we are already in a
secure connection. */
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
if (tls_in.active.sock < 0 &&
verify_check_host(&tls_advertise_hosts) != FAIL)
{
@@ -4459,7 +4459,7 @@ while (done <= 0)
/* Terminate the string (for debug), write it, and note that HELO/EHLO
has been seen. */
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
if (tls_in.active.sock >= 0)
(void)tls_write(NULL, g->s, g->ptr,
# ifdef EXPERIMENTAL_PIPE_CONNECT
@@ -5395,7 +5395,7 @@ while (done <= 0)
break;
- #ifdef SUPPORT_TLS
+ #ifndef DISABLE_TLS
case STARTTLS_CMD:
HAD(SCH_STARTTLS);
@@ -5586,7 +5586,7 @@ while (done <= 0)
uschar buffer[256];
buffer[0] = 0;
Ustrcat(buffer, " AUTH");
- #ifdef SUPPORT_TLS
+ #ifndef DISABLE_TLS
if (tls_in.active.sock < 0 &&
verify_check_host(&tls_advertise_hosts) != FAIL)
Ustrcat(buffer, " STARTTLS");
diff --git a/src/src/smtp_out.c b/src/src/smtp_out.c
index 4be7b9c17..d8cb42e01 100644
--- a/src/src/smtp_out.c
+++ b/src/src/smtp_out.c
@@ -444,7 +444,7 @@ BOOL more = mode == SCMD_MORE;
HDEBUG(D_transport|D_acl) debug_printf_indent("cmd buf flush %d bytes%s\n", n,
more ? " (more expected)" : "");
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
if (outblock->cctx->tls_ctx)
rc = tls_write(outblock->cctx->tls_ctx, outblock->buffer, n, more);
else
diff --git a/src/src/spool_in.c b/src/src/spool_in.c
index 95004c103..c46689506 100644
--- a/src/src/spool_in.c
+++ b/src/src/spool_in.c
@@ -273,7 +273,7 @@ f.dkim_disable_verify = FALSE;
dkim_collect_input = 0;
#endif
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
tls_in.certificate_verified = FALSE;
# ifdef SUPPORT_DANE
tls_in.dane_verified = FALSE;
@@ -646,7 +646,7 @@ for (;;)
#endif
break;
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
case 't':
if (Ustrncmp(p, "ls_", 3) == 0)
{
diff --git a/src/src/spool_out.c b/src/src/spool_out.c
index d14914f94..508e68cea 100644
--- a/src/src/spool_out.c
+++ b/src/src/spool_out.c
@@ -233,7 +233,7 @@ if (f.sender_set_untrusted) fprintf(fp, "-sender_set_untrusted\n");
if (bmi_verdicts) fprintf(fp, "-bmi_verdicts %s\n", bmi_verdicts);
#endif
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
if (tls_in.certificate_verified) fprintf(fp, "-tls_certificate_verified\n");
if (tls_in.cipher) fprintf(fp, "-tls_cipher %s\n", tls_in.cipher);
if (tls_in.peercert)
diff --git a/src/src/std-crypto.c b/src/src/std-crypto.c
index 161052c14..a045f6cc6 100644
--- a/src/src/std-crypto.c
+++ b/src/src/std-crypto.c
@@ -17,7 +17,7 @@
#include "exim.h"
-#ifndef SUPPORT_TLS
+#ifdef DISABLE_TLS
static void dummy(int x) { dummy(x-1); }
#else
@@ -1018,5 +1018,5 @@ std_dh_prime_named(const uschar *name)
return NULL;
}
-#endif /* SUPPORT_TLS */
+#endif /*DISABLE_TLS*/
/* EOF */
diff --git a/src/src/structs.h b/src/src/structs.h
index 349aa38e8..da61df24f 100644
--- a/src/src/structs.h
+++ b/src/src/structs.h
@@ -567,7 +567,7 @@ typedef struct address_item {
uschar *self_hostname; /* after self=pass */
uschar *shadow_message; /* info about shadow transporting */
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
uschar *cipher; /* Cipher used for transport */
void *ourcert; /* Certificate offered to peer, binary */
void *peercert; /* Certificate from peer, binary */
@@ -805,7 +805,7 @@ typedef struct {
int host_af;
uschar * interface;
-#if defined(SUPPORT_TLS) && defined(SUPPORT_DANE)
+#if !defined(DISABLE_TLS) && defined(SUPPORT_DANE)
BOOL dane:1; /* connection must do dane */
dns_answer tlsa_dnsa;
#endif
diff --git a/src/src/tls.c b/src/src/tls.c
index 7b8d7a2a3..1fd10d52b 100644
--- a/src/src/tls.c
+++ b/src/src/tls.c
@@ -19,7 +19,7 @@ functions from the OpenSSL or GNU TLS libraries. */
#include "exim.h"
#include "transports/smtp.h"
-#if defined(MACRO_PREDEF) && defined(SUPPORT_TLS)
+#if defined(MACRO_PREDEF) && !defined(DISABLE_TLS)
# include "macro_predef.h"
# ifdef USE_GNUTLS
# include "tls-gnu.c"
@@ -37,7 +37,7 @@ reference itself to stop picky compilers complaining that it is unused, and put
in a dummy argument to stop even pickier compilers complaining about infinite
loops. */
-#ifndef SUPPORT_TLS
+#ifdef DISABLE_TLS
static void dummy(int x) { dummy(x-1); }
#else
@@ -217,7 +217,7 @@ return ssl_xfer_buffer_lwm < ssl_xfer_buffer_hwm;
}
-#endif /* SUPPORT_TLS */
+#endif /*DISABLE_TLS*/
void
tls_modify_variables(tls_support * dest_tsp)
@@ -226,13 +226,13 @@ modify_variable(US"tls_bits", &dest_tsp->bits);
modify_variable(US"tls_certificate_verified", &dest_tsp->certificate_verified);
modify_variable(US"tls_cipher", &dest_tsp->cipher);
modify_variable(US"tls_peerdn", &dest_tsp->peerdn);
-#if defined(SUPPORT_TLS) && !defined(USE_GNUTLS)
+#if !defined(DISABLE_TLS) && !defined(USE_GNUTLS)
modify_variable(US"tls_sni", &dest_tsp->sni);
#endif
}
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
/************************************************
* TLS certificate name operations *
************************************************/
@@ -364,7 +364,7 @@ else if ((subjdn = tls_cert_subject(cert, NULL)))
}
return FALSE;
}
-#endif /*SUPPORT_TLS*/
+#endif /*!DISABLE_TLS*/
#endif /*!MACRO_PREDEF*/
/* vi: aw ai sw=2
diff --git a/src/src/transport.c b/src/src/transport.c
index fb74dfdcd..d745ef15f 100644
--- a/src/src/transport.c
+++ b/src/src/transport.c
@@ -238,7 +238,7 @@ for (int i = 0; i < 100; i++)
if (transport_write_timeout <= 0) /* No timeout wanted */
{
rc =
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
tls_out.active.sock == fd ? tls_write(tls_out.active.tls_ctx, block, len, more) :
#endif
#ifdef MSG_MORE
@@ -256,7 +256,7 @@ for (int i = 0; i < 100; i++)
ALARM(local_timeout);
rc =
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
tls_out.active.sock == fd ? tls_write(tls_out.active.tls_ctx, block, len, more) :
#endif
#ifdef MSG_MORE
@@ -1867,7 +1867,7 @@ if (smtp_peer_options & OPTION_CHUNKING) argv[i++] = US"-MCK";
if (smtp_peer_options & OPTION_DSN) argv[i++] = US"-MCD";
if (smtp_peer_options & OPTION_PIPE) argv[i++] = US"-MCP";
if (smtp_peer_options & OPTION_SIZE) argv[i++] = US"-MCS";
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
if (smtp_peer_options & OPTION_TLS)
if (tls_out.active.sock >= 0 || continue_proxy_cipher)
{
diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index 3d7aaae6b..42517400b 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -90,7 +90,7 @@ optionlist smtp_transport_options[] = {
(void *)offsetof(smtp_transport_options_block, hosts_avoid_esmtp) },
{ "hosts_avoid_pipelining", opt_stringptr,
(void *)offsetof(smtp_transport_options_block, hosts_avoid_pipelining) },
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
{ "hosts_avoid_tls", opt_stringptr,
(void *)offsetof(smtp_transport_options_block, hosts_avoid_tls) },
#endif
@@ -98,7 +98,7 @@ optionlist smtp_transport_options[] = {
(void *)offsetof(smtp_transport_options_block, hosts_max_try) },
{ "hosts_max_try_hardlimit", opt_int,
(void *)offsetof(smtp_transport_options_block, hosts_max_try_hardlimit) },
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
{ "hosts_nopass_tls", opt_stringptr,
(void *)offsetof(smtp_transport_options_block, hosts_nopass_tls) },
{ "hosts_noproxy_tls", opt_stringptr,
@@ -112,13 +112,13 @@ optionlist smtp_transport_options[] = {
#endif
{ "hosts_randomize", opt_bool,
(void *)offsetof(smtp_transport_options_block, hosts_randomize) },
-#if defined(SUPPORT_TLS) && !defined(DISABLE_OCSP)
+#if !defined(DISABLE_TLS) && !defined(DISABLE_OCSP)
{ "hosts_request_ocsp", opt_stringptr,
(void *)offsetof(smtp_transport_options_block, hosts_request_ocsp) },
#endif
{ "hosts_require_auth", opt_stringptr,
(void *)offsetof(smtp_transport_options_block, hosts_require_auth) },
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
# ifdef SUPPORT_DANE
{ "hosts_require_dane", opt_stringptr,
(void *)offsetof(smtp_transport_options_block, hosts_require_dane) },
@@ -134,7 +134,7 @@ optionlist smtp_transport_options[] = {
(void *)offsetof(smtp_transport_options_block, hosts_try_auth) },
{ "hosts_try_chunking", opt_stringptr,
(void *)offsetof(smtp_transport_options_block, hosts_try_chunking) },
-#if defined(SUPPORT_TLS) && defined(SUPPORT_DANE)
+#if !defined(DISABLE_TLS) && defined(SUPPORT_DANE)
{ "hosts_try_dane", opt_stringptr,
(void *)offsetof(smtp_transport_options_block, hosts_try_dane) },
#endif
@@ -144,7 +144,7 @@ optionlist smtp_transport_options[] = {
{ "hosts_try_prdr", opt_stringptr,
(void *)offsetof(smtp_transport_options_block, hosts_try_prdr) },
#endif
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
{ "hosts_verify_avoid_tls", opt_stringptr,
(void *)offsetof(smtp_transport_options_block, hosts_verify_avoid_tls) },
#endif
@@ -172,7 +172,7 @@ optionlist smtp_transport_options[] = {
{ "socks_proxy", opt_stringptr,
(void *)offsetof(smtp_transport_options_block, socks_proxy) },
#endif
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
{ "tls_certificate", opt_stringptr,
(void *)offsetof(smtp_transport_options_block, tls_certificate) },
{ "tls_crl", opt_stringptr,
@@ -260,7 +260,7 @@ smtp_transport_options_block smtp_transport_option_defaults = {
.hosts_pipe_connect = NULL,
#endif
.hosts_avoid_esmtp = NULL,
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
.hosts_nopass_tls = NULL,
.hosts_noproxy_tls = NULL,
#endif
@@ -288,7 +288,7 @@ smtp_transport_options_block smtp_transport_option_defaults = {
#ifdef SUPPORT_SOCKS
.socks_proxy = NULL,
#endif
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
.tls_certificate = NULL,
.tls_crl = NULL,
.tls_privatekey = NULL,
@@ -1687,7 +1687,7 @@ smtp_local_identity(uschar * sender, struct transport_instance * tblock)
address_item * addr1;
uschar * if1 = US"";
uschar * helo1 = US"";
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
uschar * tlsc1 = US"";
#endif
uschar * save_sender_address = sender_address;
@@ -1705,7 +1705,7 @@ if (ob->interface)
if (ob->helo_data)
helo1 = expand_string(ob->helo_data);
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
if (ob->tls_certificate)
tlsc1 = expand_string(ob->tls_certificate);
local_identity = string_sprintf ("%s^%s^%s", if1, helo1, tlsc1);
@@ -1754,7 +1754,7 @@ size_t bsize = Ustrlen(buf);
/* debug_printf("%s: check for 0x%04x\n", __FUNCTION__, checks); */
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
if ( checks & OPTION_TLS
&& pcre_exec(regex_STARTTLS, NULL, CS buf, bsize, 0, PCRE_EOPT, NULL, 0) < 0)
#endif
@@ -1954,7 +1954,7 @@ BOOL pass_message = FALSE;
uschar * message = NULL;
int yield = OK;
int rc;
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
uschar * tls_errstr;
#endif
@@ -1972,7 +1972,7 @@ sx->esmtp_sent = FALSE;
sx->utf8_needed = FALSE;
#endif
sx->dsn_all_lasthop = TRUE;
-#if defined(SUPPORT_TLS) && defined(SUPPORT_DANE)
+#if !defined(DISABLE_TLS) && defined(SUPPORT_DANE)
sx->conn_args.dane = FALSE;
sx->dane_required =
verify_check_given_host(CUSS &ob->hosts_require_dane, sx->conn_args.host) == OK;
@@ -2019,7 +2019,7 @@ tls_out.cipher = NULL; /* the one we may use for this transport */
tls_out.ourcert = NULL;
tls_out.peercert = NULL;
tls_out.peerdn = NULL;
-#if defined(SUPPORT_TLS) && !defined(USE_GNUTLS)
+#if !defined(DISABLE_TLS) && !defined(USE_GNUTLS)
tls_out.sni = NULL;
#endif
tls_out.ocsp = OCSP_NOT_REQ;
@@ -2034,7 +2034,7 @@ For verify, unflipped once the callout is dealt with */
tls_modify_variables(&tls_out);
-#ifndef SUPPORT_TLS
+#ifdef DISABLE_TLS
if (sx->smtps)
{
set_errno_nohost(sx->addrlist, ERRNO_TLSFAILURE, US"TLS support not available",
@@ -2056,7 +2056,7 @@ if (!continue_hostname)
smtp_port_for_connect(sx->conn_args.host, sx->port);
-#if defined(SUPPORT_TLS) && defined(SUPPORT_DANE)
+#if !defined(DISABLE_TLS) && defined(SUPPORT_DANE)
/* Do TLSA lookup for DANE */
{
tls_out.dane_verified = FALSE;
@@ -2262,7 +2262,7 @@ goto SEND_QUIT;
/* Alas; be careful, since this goto is not an error-out, so conceivably
we might set data between here and the target which we assume to exist
and be usable. I can see this coming back to bite us. */
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
if (sx->smtps)
{
smtp_peer_options |= OPTION_TLS;
@@ -2388,7 +2388,7 @@ goto SEND_QUIT;
/* Set tls_offered if the response to EHLO specifies support for STARTTLS. */
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
smtp_peer_options |= sx->peer_offered & OPTION_TLS;
#endif
}
@@ -2450,7 +2450,7 @@ negative, the original EHLO data is available for subsequent analysis, should
the client not be required to use TLS. If the response is bad, copy the buffer
for error analysis. */
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
if ( smtp_peer_options & OPTION_TLS
&& !suppress_tls
&& verify_check_given_host(CUSS &ob->hosts_avoid_tls, sx->conn_args.host) != OK
@@ -2665,7 +2665,7 @@ else if ( sx->smtps
# endif
goto TLS_FAILED;
}
-#endif /*SUPPORT_TLS*/
+#endif /*DISABLE_TLS*/
/* If TLS is active, we have just started it up and re-done the EHLO command,
so its response needs to be analyzed. If TLS is not active and this is a
@@ -2673,7 +2673,7 @@ continued session down a previously-used socket, we haven't just done EHLO, so
we skip this. */
if (continue_hostname == NULL
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
|| tls_out.active.sock >= 0
#endif
)
@@ -2874,7 +2874,7 @@ return OK;
in message and errno, and setting_up will always be true. Treat as
a temporary error. */
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
TLS_FAILED:
code = '4', yield = DEFER;
goto FAILED;
@@ -2917,7 +2917,7 @@ SEND_QUIT:
if (sx->send_quit)
(void)smtp_write_command(sx, SCMD_FLUSH, "QUIT\r\n");
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
if (sx->cctx.tls_ctx)
{
tls_close(sx->cctx.tls_ctx, TLS_SHUTDOWN_NOWAIT);
@@ -3261,7 +3261,7 @@ return 0;
}
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
/*****************************************************
* Proxy TLS connection for another transport process *
******************************************************/
@@ -4148,7 +4148,7 @@ if (sx.completed_addr && sx.ok && sx.send_quit)
if ( sx.first_addr != NULL
|| f.continue_more
|| (
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
( tls_out.active.sock < 0 && !continue_proxy_cipher
|| verify_check_given_host(CUSS &ob->hosts_nopass_tls, host) != OK
)
@@ -4186,7 +4186,7 @@ if (sx.completed_addr && sx.ok && sx.send_quit)
if (sx.ok)
{
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
int pfd[2];
#endif
int socket_fd = sx.cctx.sock;
@@ -4203,7 +4203,7 @@ if (sx.completed_addr && sx.ok && sx.send_quit)
transport_pass_socket). If the caller has more ready, just return with
the connection still open. */
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
if (tls_out.active.sock >= 0)
if ( f.continue_more
|| verify_check_given_host(CUSS &ob->hosts_noproxy_tls, host) == OK)
@@ -4262,7 +4262,7 @@ propagate it from the initial
just passed the baton to. Fork a child to to do it, and return to
get logging done asap. Which way to place the work makes assumptions
about post-fork prioritisation which may not hold on all platforms. */
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
if (tls_out.active.sock >= 0)
{
int pid = fork();
@@ -4330,7 +4330,7 @@ if (sx.send_quit) (void)smtp_write_command(&sx, SCMD_FLUSH, "QUIT\r\n");
END_OFF:
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
tls_close(sx.cctx.tls_ctx, TLS_SHUTDOWN_NOWAIT);
sx.cctx.tls_ctx = NULL;
#endif
@@ -4449,7 +4449,7 @@ for (address_item * addr = addrlist; addr; addr = addr->next)
addr->basic_errno = 0;
addr->more_errno = (host->mx >= 0)? 'M' : 'A';
addr->message = NULL;
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
addr->cipher = NULL;
addr->ourcert = NULL;
addr->peercert = NULL;
@@ -5112,7 +5112,7 @@ retry_non_continued:
session, so the in-clear transmission after those errors, if permitted,
happens inside smtp_deliver().] */
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
if ( rc == DEFER
&& first_addr->basic_errno == ERRNO_TLSFAILURE
&& ob->tls_tempfail_tryclear
@@ -5132,7 +5132,7 @@ retry_non_continued:
deferred_event_raise(first_addr, host);
# endif
}
-#endif /*SUPPORT_TLS*/
+#endif /*DISABLE_TLS*/
}
/* Delivery attempt finished */
@@ -5305,7 +5305,7 @@ retry_non_continued:
int fd = cutthrough.cctx.sock >= 0 ? cutthrough.cctx.sock : 0;
DEBUG(D_transport) debug_printf("no hosts match already-open connection\n");
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
/* A TLS conn could be open for a cutthrough, but not for a plain continued-
transport */
/*XXX doublecheck that! */
diff --git a/src/src/transports/smtp.h b/src/src/transports/smtp.h
index ab0e93ff8..5200fcb74 100644
--- a/src/src/transports/smtp.h
+++ b/src/src/transports/smtp.h
@@ -50,7 +50,7 @@ typedef struct {
uschar *hosts_pipe_connect;
#endif
uschar *hosts_avoid_esmtp;
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
uschar *hosts_nopass_tls;
uschar *hosts_noproxy_tls;
#endif
@@ -78,7 +78,7 @@ typedef struct {
#ifdef SUPPORT_SOCKS
uschar *socks_proxy;
#endif
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
uschar *tls_certificate;
uschar *tls_crl;
uschar *tls_privatekey;
@@ -135,7 +135,7 @@ typedef struct {
BOOL utf8_needed:1;
#endif
BOOL dsn_all_lasthop:1;
-#if defined(SUPPORT_TLS) && defined(SUPPORT_DANE)
+#if !defined(DISABLE_TLS) && defined(SUPPORT_DANE)
BOOL dane_required:1;
#endif
#ifdef EXPERIMENTAL_PIPE_CONNECT
diff --git a/src/src/verify.c b/src/src/verify.c
index 184809fb5..7125a6da1 100644
--- a/src/src/verify.c
+++ b/src/src/verify.c
@@ -687,7 +687,7 @@ tls_retry_connection:
if permitted */
yield = smtp_setup_conn(&sx, FALSE);
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
if ( yield == DEFER
&& addr->basic_errno == ERRNO_TLSFAILURE
&& ob->tls_tempfail_tryclear
@@ -819,7 +819,7 @@ tls_retry_connection:
HDEBUG(D_acl|D_v)
debug_printf_indent("problem after random/rset/mfrom; reopen conn\n");
random_local_part = NULL;
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
tls_close(sx.cctx.tls_ctx, TLS_SHUTDOWN_NOWAIT);
#endif
HDEBUG(D_transport|D_acl|D_v) debug_printf_indent(" SMTP(close)>>\n");
@@ -1109,7 +1109,7 @@ no_conn:
if (sx.cctx.sock >= 0)
{
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
if (sx.cctx.tls_ctx)
{
tls_close(sx.cctx.tls_ctx, TLS_SHUTDOWN_NOWAIT);
@@ -1215,7 +1215,7 @@ if(cutthrough.cctx.sock < 0)
return TRUE;
if(
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
cutthrough.is_tls
? tls_write(cutthrough.cctx.tls_ctx, ctctx.outblock.buffer, n, FALSE)
:
@@ -1416,7 +1416,7 @@ if(fd >= 0)
/* Wait a short time for response, and discard it */
cutthrough_response(&tmp_ctx, '2', NULL, 1);
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
if (cutthrough.is_tls)
{
tls_close(cutthrough.cctx.tls_ctx, TLS_SHUTDOWN_NOWAIT);
@@ -1924,12 +1924,12 @@ while (addr_new)
}
else
{
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
deliver_set_expansions(addr);
#endif
rc = do_callout(addr, host_list, &tf, callout, callout_overall,
callout_connect, options, se_mailfrom, pm_mailfrom);
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
deliver_set_expansions(NULL);
#endif
}