authorJeremy Harris <jgh146exb@wizmail.org>2019-05-24 16:39:05 +0100
committerJeremy Harris <jgh146exb@wizmail.org>2019-05-24 16:39:05 +0100
commitde517fd3061ee343cd36d05587c915f617318671 (patch)
treef1dc93b3a501552aafc3bf723446b4acd3730895 /src
parent21ee816d09865a5c5d85f86ae4d12b9995030806 (diff)
TLS: introduce USE_OPENSSL as an explicit requirement for the build
Diffstat (limited to 'src')
-rw-r--r--src/src/EDITME12
-rw-r--r--src/src/config.h.defaults1
-rw-r--r--src/src/dane.c2
-rw-r--r--src/src/exim.c7
-rw-r--r--src/src/exim.h2
-rw-r--r--src/src/functions.h2
-rw-r--r--src/src/pdkim/crypt_ver.h10
-rw-r--r--src/src/sha_ver.h3
-rw-r--r--src/src/tls.c13
-rw-r--r--src/src/transports/smtp.c2
10 files changed, 30 insertions, 24 deletions
diff --git a/src/src/EDITME b/src/src/EDITME
index 264d2eaff..e1bf812db 100644
--- a/src/src/EDITME
+++ b/src/src/EDITME
@@ -202,12 +202,16 @@ SPOOL_DIRECTORY=/var/spool/exim
# pkg-config, then you have to specify the libraries, and you mmight
# need to specify the locations too.
-# no cryptographic code of its own. Uncomment the following lines if you want
+# Uncomment the following lines if you want
# to build Exim without any TLS support (either OpenSSL or GnuTLS):
# DISABLE_TLS=yes
+# Unless you do this, you must define one of USE_OPENSSL or USE_GNUTLS
+# below.
# If you are buliding with TLS, the library configuration must be done:
+# Uncomment this if you are using OpenSSL
+# USE_OPENSSL=yes
# Uncomment one of these settings if you are using OpenSSL; pkg-config vs not
# and an optional location.
# USE_OPENSSL_PC=openssl
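Review bot: The new `# USE_OPENSSL=yes` line is presented as just another option to uncomment, but for an existing Local/Makefile it is a new requirement: the C changes in this commit turn `#ifndef USE_GNUTLS` into `#ifdef USE_OPENSSL`, so a configuration that previously got OpenSSL by default now stops in tls.c at the new `#error`. A sentence next to the setting would save that user a failed build, e.g. `# NOTE: earlier releases assumed OpenSSL whenever USE_GNUTLS was unset; an existing Local/Makefile that relied on that now needs USE_OPENSSL=yes.` The "must define one of" wording added above also reads as exclusive, which the sources only partly enforce (see the tls.c review).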
@@ -223,12 +227,6 @@ SPOOL_DIRECTORY=/var/spool/exim
# TLS_LIBS=-lgnutls -ltasn1 -lgcrypt -lgnutls-dane
# TLS_LIBS=-L/usr/local/gnu/lib -lgnutls -ltasn1 -lgcrypt -lgnutls-dane
-# Uncomment the first and either the second or the third of these if you
-# are using GnuTLS. If you have pkg-config, then the second, else the third.
-# USE_GNUTLS=yes
-# USE_GNUTLS_PC=gnutls
-# TLS_LIBS=-lgnutls -ltasn1 -lgcrypt
-
# If using GnuTLS older than 2.10 and using pkg-config then note that Exim's
# build process will require libgcrypt-config to exist in your $PATH. A
# version that old is likely to become unsupported by Exim in 2017.
diff --git a/src/src/config.h.defaults b/src/src/config.h.defaults
index f45a61a9a..27b8fb409 100644
--- a/src/src/config.h.defaults
+++ b/src/src/config.h.defaults
@@ -172,6 +172,7 @@ Do not put spaces between # and the 'define'.
#define USE_GDBM
#define USE_GNUTLS
#define AVOID_GNUTLS_PKCS11
+#define USE_OPENSSL
#define USE_READLINE
#define USE_TCP_WRAPPERS
#define USE_TDB
diff --git a/src/src/dane.c b/src/src/dane.c
index 5284a61c3..5ba61961a 100644
--- a/src/src/dane.c
+++ b/src/src/dane.c
@@ -38,7 +38,7 @@ static void dummy(int x) { dummy(x-1); }
# error DANE support requires that the DNS resolver library supports DNSSEC
# endif
-# ifndef USE_GNUTLS
+# ifdef USE_OPENSSL
# include "dane-openssl.c"
# endif
diff --git a/src/src/exim.c b/src/src/exim.c
index b2894aeb9..abce9fc69 100644
--- a/src/src/exim.c
+++ b/src/src/exim.c
@@ -857,12 +857,11 @@ fprintf(fp, "Support for:");
#ifdef USE_TCP_WRAPPERS
fprintf(fp, " TCPwrappers");
#endif
-#ifndef DISABLE_TLS
-# ifdef USE_GNUTLS
+#ifdef USE_GNUTLS
fprintf(fp, " GnuTLS");
-# else
+#endif
+#ifdef USE_OPENSSL
fprintf(fp, " OpenSSL");
-# endif
#endif
#ifdef SUPPORT_TRANSLATE_IP_ADDRESS
fprintf(fp, " translate_ip_address");
diff --git a/src/src/exim.h b/src/src/exim.h
index 0638167aa..263c00321 100644
--- a/src/src/exim.h
+++ b/src/src/exim.h
@@ -541,9 +541,11 @@ union sockaddr_46 {
/* If DISABLE_TLS is defined, ensure that USE_GNUTLS is not defined
so that if USE_GNUTLS *is* set, we can assume DISABLE_TLS is not set.
+Ditto USE_OPENSSL.
Likewise, OSCP, AUTH_TLS and CERTNAMES cannot be supported. */
#ifdef DISABLE_TLS
+# undef USE_OPENSSL
# undef USE_GNUTLS
# ifndef DISABLE_OCSP
# define DISABLE_OCSP
diff --git a/src/src/functions.h b/src/src/functions.h
index 11fb8b59e..33e296c13 100644
--- a/src/src/functions.h
+++ b/src/src/functions.h
@@ -67,7 +67,7 @@ extern int tls_ungetc(int);
extern int tls_write(void *, const uschar *, size_t, BOOL);
extern uschar *tls_validate_require_cipher(void);
extern void tls_version_report(FILE *);
-# ifndef USE_GNUTLS
+# ifdef USE_OPENSSL
extern BOOL tls_openssl_options_parse(uschar *, long *);
# endif
extern uschar * tls_field_from_dn(uschar *, const uschar *);
diff --git a/src/src/pdkim/crypt_ver.h b/src/src/pdkim/crypt_ver.h
index 564b66db0..a6d7e36af 100644
--- a/src/src/pdkim/crypt_ver.h
+++ b/src/src/pdkim/crypt_ver.h
@@ -22,12 +22,12 @@
# else
# define SIGN_GCRYPT
# endif
+#endif
-#else
+#ifdef USE_OPENSSL
# define SIGN_OPENSSL
-# if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10101000L
-# define SIGN_HAVE_ED25519
-# endif
-
+# if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10101000L
+# define SIGN_HAVE_ED25519
+# endif
#endif
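Review bot: A build with neither USE_GNUTLS nor USE_OPENSSL defined now passes through this header without selecting any SIGN_* backend, because the old `#else` fall-through to SIGN_OPENSSL became `#ifdef USE_OPENSSL`; the first symptom would appear wherever pdkim consumes those macros rather than here. If that combination is meant to be impossible (presumably a DISABLE_TLS build also disables DKIM — worth confirming), a trailing `#else` / `# error No crypto backend selected for DKIM signing` / `#endif` records the assumption and fails at the point of decision. The same applies to the sha_ver.h hunk, where the block opened by the new `# ifdef USE_OPENSSL` closes outside the hunk. The `#if` chain both hunks extend also begins before the hunk, so the GnuTLS branch they sit under is not visible here.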
diff --git a/src/src/sha_ver.h b/src/src/sha_ver.h
index a7e99f506..bc2b2f89e 100644
--- a/src/src/sha_ver.h
+++ b/src/src/sha_ver.h
@@ -31,8 +31,9 @@
# else
# define SHA_GCRYPT
# endif
+# endif
-# else
+# ifdef USE_OPENSSL
# define SHA_OPENSSL
# include <openssl/ssl.h>
# if (OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined(LIBRESSL_VERSION_NUMBER)
diff --git a/src/src/tls.c b/src/src/tls.c
index 1fd10d52b..796bc6d61 100644
--- a/src/src/tls.c
+++ b/src/src/tls.c
@@ -19,6 +19,11 @@ functions from the OpenSSL or GNU TLS libraries. */
#include "exim.h"
#include "transports/smtp.h"
+#if !defined(DISABLE_TLS) && !defined(USE_OPENSSL) && !defined(USE_GNUTLS)
+# error One of USE_OPENSSL or USE_GNUTLS must be defined for a TLS build
+#endif
+
+
#if defined(MACRO_PREDEF) && !defined(DISABLE_TLS)
# include "macro_predef.h"
# ifdef USE_GNUTLS
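Review bot: The new guard rejects a TLS build with neither library selected but not one with both, and that case is no longer harmless: the later hunks in this file (the `ssl_xfer_buffer` statics, and the `# include "tls-gnu.c"` / `# include "tls-openssl.c"` blocks) replace `#else` with back-to-back `#ifdef USE_GNUTLS` and `#ifdef USE_OPENSSL`, so defining both compiles both backends into one translation unit, with the GnuTLS `# define ssl_xfer_buffer (...)` macros rewriting the OpenSSL statics declared earlier. Extending the check to `#if defined(USE_OPENSSL) && defined(USE_GNUTLS)` / `# error Only one of USE_OPENSSL or USE_GNUTLS may be defined` / `#endif` enforces the "one of" contract EDITME now states, and it belongs after `#include "exim.h"` as the existing check does, since exim.h is what undefines both macros under DISABLE_TLS. The `# ifdef USE_GNUTLS` on the last hunk line opens a block that continues outside the hunk.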
@@ -48,7 +53,7 @@ We're moving away from this; GnuTLS is already using a state, which
can switch, so we can do TLS callouts during ACLs. */
static const int ssl_xfer_buffer_size = 4096;
-#ifndef USE_GNUTLS
+#ifdef USE_OPENSSL
static uschar *ssl_xfer_buffer = NULL;
static int ssl_xfer_buffer_lwm = 0;
static int ssl_xfer_buffer_hwm = 0;
@@ -122,14 +127,14 @@ tzset();
#ifdef USE_GNUTLS
# include "tls-gnu.c"
# include "tlscert-gnu.c"
-
# define ssl_xfer_buffer (state_server.xfer_buffer)
# define ssl_xfer_buffer_lwm (state_server.xfer_buffer_lwm)
# define ssl_xfer_buffer_hwm (state_server.xfer_buffer_hwm)
# define ssl_xfer_eof (state_server.xfer_eof)
# define ssl_xfer_error (state_server.xfer_error)
+#endif
-#else
+#ifdef USE_OPENSSL
# include "tls-openssl.c"
# include "tlscert-openssl.c"
#endif
@@ -226,7 +231,7 @@ modify_variable(US"tls_bits", &dest_tsp->bits);
modify_variable(US"tls_certificate_verified", &dest_tsp->certificate_verified);
modify_variable(US"tls_cipher", &dest_tsp->cipher);
modify_variable(US"tls_peerdn", &dest_tsp->peerdn);
-#if !defined(DISABLE_TLS) && !defined(USE_GNUTLS)
+#ifdef USE_OPENSSL
modify_variable(US"tls_sni", &dest_tsp->sni);
#endif
}
diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index 03095b7c7..5f6108219 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -2019,7 +2019,7 @@ tls_out.cipher = NULL; /* the one we may use for this transport */
tls_out.ourcert = NULL;
tls_out.peercert = NULL;
tls_out.peerdn = NULL;
-#if !defined(DISABLE_TLS) && !defined(USE_GNUTLS)
+#ifdef USE_OPENSSL
tls_out.sni = NULL;
#endif
tls_out.ocsp = OCSP_NOT_REQ;