authorPhil Pennock <pdp@exim.org>2016-10-18 23:22:03 -0400
committerPhil Pennock <pdp@exim.org>2016-10-18 23:28:13 -0400
commit8b0fb68e04323248df1208516e8a9293af9859d8 (patch)
tree63c1589280b367a4fa75c72824c6a7508e3b4577
parent8d330698b5121d75af35b62b420314f68026d1e5 (diff)
Unbreak build: crypto hdrs not in system includes
If using pkg-config to get the paths for various packages and the crypto library headers are not in the system headers, then the hash work broke the Exim build by requiring the CFLAGS manipulation for _all_ builds, not just the TLS libraries. Shows up on MacOS where there's a system OpenSSL but not system OpenSSL headers (because only SecureTransport is supported) and using brew-installed OpenSSL. I've also coded the fix for GnuTLS on the same basis, but that's untested. Fixes bug 1906
-rw-r--r--doc/doc-txt/ChangeLog3
-rwxr-xr-xsrc/scripts/Configure-Makefile16
-rw-r--r--src/src/EDITME4
-rw-r--r--src/src/sha_ver.h7
4 files changed, 30 insertions, 0 deletions
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index c68e45ce8..1267d75dc 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -117,6 +117,9 @@ JH/30 Bug 1897: fix callouts connection fallback from TLS to cleartext.
PP/01 Changed default Diffie-Hellman parameters to be Exim-specific, created
by me. Added RFC7919 DH primes as an alternative.
+PP/02 Unbreak build via pkg-config with new hash support when crypto headers
+ are not in the system include path.
+
Exim version 4.87
-----------------
diff --git a/src/scripts/Configure-Makefile b/src/scripts/Configure-Makefile
index 4aa7d76cd..3e486a6bb 100755
--- a/src/scripts/Configure-Makefile
+++ b/src/scripts/Configure-Makefile
@@ -136,13 +136,16 @@ then
USE_*_PC)
eval "pc_value=\"\$$var\""
need_this=''
+ need_core=''
if [ ".$SUPPORT_TLS" = "." ]; then
# no TLS, not referencing
true
elif [ ".$var" = ".USE_GNUTLS_PC" ] && [ ".$USE_GNUTLS" != "." ]; then
need_this=t
+ need_core="gnutls-special"
elif [ ".$var" = ".USE_OPENSSL_PC" ] && [ ".$USE_GNUTLS" = "." ]; then
need_this=t
+ need_core=t
fi
if [ ".$need_this" != "." ]; then
tls_include=`pkg-config --cflags $pc_value`
@@ -153,6 +156,19 @@ then
tls_libs=`pkg-config --libs $pc_value`
echo "TLS_INCLUDE=$tls_include"
echo "TLS_LIBS=$tls_libs"
+ # With hash.h pulling crypto into the core, we need to also handle that
+ if [ ".$need_this" = ".t" ]; then
+ echo "CFLAGS += $tls_include"
+ echo "LDFLAGS += $tls_libs"
+ elif [ ".$need_this" = ".gnutls-special" ]; then
+ if pkg-config --atleast-version=2.10 gnutls ; then
+ echo "CFLAGS += $tls_include"
+ echo "LDFLAGS += $tls_libs"
+ else
+ echo "CFLAGS += $(libgcrypt-config --cflags)"
+ echo "LDFLAGS += $(libgcrypt-config --libs)"
+ fi
+ fi
fi
;;
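Review bot: The new block tests `$need_this` against `.t` and `.gnutls-special`, but the preceding hunk only ever sets `need_this=t` and stores the `gnutls-special` marker in `need_core`, which is not read anywhere in the visible lines. As written the `elif` arm looks unreachable, so a GnuTLS build always takes the first branch and the `pkg-config --atleast-version=2.10 gnutls` / `libgcrypt-config` fallback never runs. Testing the variable that was actually set, `if [ ".$need_core" = ".t" ]; then` and `elif [ ".$need_core" = ".gnutls-special" ]; then`, would match the apparent intent. The `libgcrypt-config` substitutions are also unchecked, so a missing tool would emit an empty `CFLAGS +=` line into the generated Makefile instead of failing the configure step. The enclosing `case` arm starts and ends outside these hunks.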
diff --git a/src/src/EDITME b/src/src/EDITME
index e2d8cf921..69293467e 100644
--- a/src/src/EDITME
+++ b/src/src/EDITME
@@ -746,6 +746,10 @@ HEADERS_CHARSET="ISO-8859-1"
# USE_GNUTLS_PC=gnutls
# TLS_LIBS=-lgnutls -ltasn1 -lgcrypt
+# If using GnuTLS older than 2.10 and using pkg-config then note that Exim's
+# build process will require libgcrypt-config to exist in your $PATH. A
+# version that old is likely to become unsupported by Exim in 2017.
+
# The security fix we provide with the gnutls_allow_auto_pkcs11 option
# (4.82 PP/09) introduces a compatibility regression. The symbol is
# not available if GnuTLS is build without p11-kit (--without-p11-kit
diff --git a/src/src/sha_ver.h b/src/src/sha_ver.h
index fd1a4d083..387ac52c1 100644
--- a/src/src/sha_ver.h
+++ b/src/src/sha_ver.h
@@ -9,6 +9,13 @@
#include "exim.h"
+/* Please be aware that pulling in extra headers which are not in the system
+ * includes may require careful juggling of CFLAGS in
+ * scripts/Configure-Makefile -- that logic should be kept in sync with this.
+ * In particular, building with just something like USE_OPENSSL_PC=openssl
+ * and not massaging CFLAGS in Local/Makefile is fully supported.
+ */
+
#ifdef SUPPORT_TLS
# define EXIM_HAVE_SHA2