diff options
Diffstat (limited to 'src')
-rw-r--r-- | src/src/EDITME | 12 | ||||
-rw-r--r-- | src/src/config.h.defaults | 3 | ||||
-rw-r--r-- | src/src/deliver.c | 4 | ||||
-rw-r--r-- | src/src/exim.c | 6 | ||||
-rw-r--r-- | src/src/globals.c | 2 | ||||
-rw-r--r-- | src/src/globals.h | 2 | ||||
-rw-r--r-- | src/src/readconf.c | 2 | ||||
-rw-r--r-- | src/src/tls-gnu.c | 15 | ||||
-rw-r--r-- | src/src/tls-openssl.c | 44 | ||||
-rw-r--r-- | src/src/transports/smtp.c | 6 | ||||
-rw-r--r-- | src/src/transports/smtp.h | 2 |
11 files changed, 51 insertions, 47 deletions
diff --git a/src/src/EDITME b/src/src/EDITME index 0d31ba5c1..d576fd7a3 100644 --- a/src/src/EDITME +++ b/src/src/EDITME @@ -416,6 +416,13 @@ EXIM_MONITOR=eximon.bin # DISABLE_PRDR=yes #------------------------------------------------------------------------------ +# Uncomment the following line to remove OCSP stapling support in TLS, +# from Exim. Note it can only be supported when built with +# GnuTLS 3.1.3 or later, or OpenSSL + +# DISABLE_OCSP=yes + +#------------------------------------------------------------------------------ # By default, Exim has support for checking the AD bit in a DNS response, to # determine if DNSSEC validation was successful. If your system libraries # do not support that bit, then set DISABLE_DNSSEC to "yes" @@ -459,11 +466,6 @@ EXIM_MONITOR=eximon.bin # CFLAGS += -I/opt/brightmail/bsdk-6.0/include # LDFLAGS += -lxml2_single -lbmiclient_single -L/opt/brightmail/bsdk-6.0/lib -# Uncomment the following line to add OCSP stapling support in TLS, if Exim -# was built using OpenSSL, or with GnuTLS 3.1.3 or later. - -# EXPERIMENTAL_OCSP=yes - # Uncomment the following line to add DMARC checking capability, implemented # using libopendmarc libraries. # EXPERIMENTAL_DMARC=yes diff --git a/src/src/config.h.defaults b/src/src/config.h.defaults index 0bb97a231..ba4615c11 100644 --- a/src/src/config.h.defaults +++ b/src/src/config.h.defaults @@ -41,6 +41,8 @@ it's a default value. */ #define DELIVER_IN_BUFFER_SIZE 8192 #define DELIVER_OUT_BUFFER_SIZE 8192 #define DISABLE_DKIM +#define DISABLE_PRDR +#define DISABLE_OCSP #define DISABLE_DNSSEC #define DISABLE_D_OPTION @@ -169,7 +171,6 @@ it's a default value. */ #define EXPERIMENTAL_DCC #define EXPERIMENTAL_DMARC #define EXPERIMENTAL_DSN -#define EXPERIMENTAL_OCSP #define EXPERIMENTAL_PROXY #define EXPERIMENTAL_REDIS #define EXPERIMENTAL_SPF diff --git a/src/src/deliver.c b/src/src/deliver.c index 68c04877e..70f6a7a21 100644 --- a/src/src/deliver.c +++ b/src/src/deliver.c @@ -3019,7 +3019,7 @@ while (!done) (void) tls_import_cert(ptr, &addr->ourcert); break; - #ifdef EXPERIMENTAL_OCSP + #ifndef DISABLE_OCSP case '4': addr->ocsp = OCSP_NOT_REQ; if (*ptr) @@ -4167,7 +4167,7 @@ for (delivery_count = 0; addr_remote != NULL; delivery_count++) *ptr++ = 0; rmt_dlv_checked_write(fd, big_buffer, ptr - big_buffer); } - # ifdef EXPERIMENTAL_OCSP + #ifndef DISABLE_OCSP if (addr->ocsp > OCSP_NOT_REQ) { ptr = big_buffer; diff --git a/src/src/exim.c b/src/src/exim.c index 1435a0ac4..517b5435e 100644 --- a/src/src/exim.c +++ b/src/src/exim.c @@ -808,6 +808,9 @@ fprintf(f, "Support for:"); #ifndef DISABLE_PRDR fprintf(f, " PRDR"); #endif +#ifndef DISABLE_OCSP + fprintf(f, " OCSP"); +#endif #ifdef EXPERIMENTAL_SPF fprintf(f, " Experimental_SPF"); #endif @@ -823,9 +826,6 @@ fprintf(f, "Support for:"); #ifdef EXPERIMENTAL_DMARC fprintf(f, " Experimental_DMARC"); #endif -#ifdef EXPERIMENTAL_OCSP - fprintf(f, " Experimental_OCSP"); -#endif #ifdef EXPERIMENTAL_PROXY fprintf(f, " Experimental_Proxy"); #endif diff --git a/src/src/globals.c b/src/src/globals.c index f8166aadf..b3d2ab8c5 100644 --- a/src/src/globals.c +++ b/src/src/globals.c @@ -150,7 +150,7 @@ that's the interop problem which has been observed: GnuTLS suggesting a higher bit-count as "NORMAL" (2432) and Thunderbird dropping connection. */ int tls_dh_max_bits = 2236; uschar *tls_dhparam = NULL; -#if defined(EXPERIMENTAL_OCSP) +#ifndef DISABLE_OCSP uschar *tls_ocsp_file = NULL; #endif BOOL tls_offered = FALSE; diff --git a/src/src/globals.h b/src/src/globals.h index c2ab99b9c..cf9b61eff 100644 --- a/src/src/globals.h +++ b/src/src/globals.h @@ -114,7 +114,7 @@ extern uschar *tls_channelbinding_b64; /* string of base64 channel binding */ extern uschar *tls_crl; /* CRL File */ extern int tls_dh_max_bits; /* don't accept higher lib suggestions */ extern uschar *tls_dhparam; /* DH param file */ -#if defined(EXPERIMENTAL_OCSP) +#ifndef DISABLE_OCSP extern uschar *tls_ocsp_file; /* OCSP stapling proof file */ #endif extern BOOL tls_offered; /* Server offered TLS */ diff --git a/src/src/readconf.c b/src/src/readconf.c index 11f7184a6..fb1476365 100644 --- a/src/src/readconf.c +++ b/src/src/readconf.c @@ -439,7 +439,7 @@ static optionlist optionlist_config[] = { { "tls_crl", opt_stringptr, &tls_crl }, { "tls_dh_max_bits", opt_int, &tls_dh_max_bits }, { "tls_dhparam", opt_stringptr, &tls_dhparam }, -# if defined(EXPERIMENTAL_OCSP) +# ifndef DISABLE_OCSP { "tls_ocsp_file", opt_stringptr, &tls_ocsp_file }, # endif { "tls_on_connect_ports", opt_stringptr, &tls_in.on_connect_ports }, diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c index af43686e4..e85095d65 100644 --- a/src/src/tls-gnu.c +++ b/src/src/tls-gnu.c @@ -43,7 +43,7 @@ require current GnuTLS, then we'll drop support for the ancient libraries). #if GNUTLS_VERSION_NUMBER >= 0x020c00 # include <gnutls/pkcs11.h> #endif -#ifdef EXPERIMENTAL_OCSP +#ifndef DISABLE_OCSP # include <gnutls/ocsp.h> #endif @@ -216,7 +216,7 @@ static void exim_gnutls_logger_cb(int level, const char *message); static int exim_sni_handling_cb(gnutls_session_t session); -#ifdef EXPERIMENTAL_OCSP +#ifndef DISABLE_OCSP static int server_ocsp_stapling_cb(gnutls_session_t session, void * ptr, gnutls_datum_t * ocsp_response); #endif @@ -809,7 +809,7 @@ if (state->exp_tls_certificate && *state->exp_tls_certificate) /* Set the OCSP stapling server info */ -#ifdef EXPERIMENTAL_OCSP +#ifndef DISABLE_OCSP if ( !host /* server */ && tls_ocsp_file ) @@ -1485,7 +1485,7 @@ return 0; -#ifdef EXPERIMENTAL_OCSP +#ifndef DISABLE_OCSP static int server_ocsp_stapling_cb(gnutls_session_t session, void * ptr, @@ -1705,7 +1705,7 @@ smtp_transport_options_block *ob = v_ob; int rc; const char *error; exim_gnutls_state_st *state = NULL; -#ifdef EXPERIMENTAL_OCSP +#ifndef DISABLE_OCSP BOOL require_ocsp = verify_check_this_host(&ob->hosts_require_ocsp, NULL, host->name, host->address, NULL) == OK; BOOL request_ocsp = require_ocsp ? TRUE @@ -1787,7 +1787,8 @@ else gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_IGNORE); } -#ifdef EXPERIMENTAL_OCSP /* since GnuTLS 3.1.3 */ +#ifndef DISABLE_OCSP + /* supported since GnuTLS 3.1.3 */ if (request_ocsp) { DEBUG(D_tls) debug_printf("TLS: will request OCSP stapling\n"); @@ -1827,7 +1828,7 @@ if (state->verify_requirement != VERIFY_NONE && !verify_certificate(state, &error)) return tls_error(US"certificate verification failed", error, state->host); -#ifdef EXPERIMENTAL_OCSP +#ifndef DISABLE_OCSP if (require_ocsp) { DEBUG(D_tls) diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c index 1d6b91470..05af3db88 100644 --- a/src/src/tls-openssl.c +++ b/src/src/tls-openssl.c @@ -22,13 +22,13 @@ functions from the OpenSSL library. */ #include <openssl/ssl.h> #include <openssl/err.h> #include <openssl/rand.h> -#ifdef EXPERIMENTAL_OCSP +#ifndef DISABLE_OCSP # include <openssl/ocsp.h> #endif -#ifdef EXPERIMENTAL_OCSP -#define EXIM_OCSP_SKEW_SECONDS (300L) -#define EXIM_OCSP_MAX_AGE (-1L) +#ifndef DISABLE_OCSP +# define EXIM_OCSP_SKEW_SECONDS (300L) +# define EXIM_OCSP_MAX_AGE (-1L) #endif #if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT) @@ -88,7 +88,7 @@ static BOOL reexpand_tls_files_for_sni = FALSE; typedef struct tls_ext_ctx_cb { uschar *certificate; uschar *privatekey; -#ifdef EXPERIMENTAL_OCSP +#ifndef DISABLE_OCSP BOOL is_server; union { struct { @@ -127,7 +127,7 @@ setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL opt #ifdef EXIM_HAVE_OPENSSL_TLSEXT static int tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg); #endif -#ifdef EXPERIMENTAL_OCSP +#ifndef DISABLE_OCSP static int tls_server_stapling_cb(SSL *s, void *arg); #endif @@ -213,7 +213,7 @@ return rsa_key; /* Extreme debug -#if defined(EXPERIMENTAL_OCSP) +#ifndef DISABLE_OCSP void x509_store_dump_cert_s_names(X509_STORE * store) { @@ -295,7 +295,7 @@ else if (X509_STORE_CTX_get_error_depth(x509ctx) != 0) { DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d SN=%s\n", X509_STORE_CTX_get_error_depth(x509ctx), txt); -#ifdef EXPERIMENTAL_OCSP +#ifndef DISABLE_OCSP if (tlsp == &tls_out && client_static_cbinfo->u_ocsp.client.verify_store) { /* client, wanting stapling */ /* Add the server cert's signing chain as the one @@ -486,7 +486,7 @@ return TRUE; -#ifdef EXPERIMENTAL_OCSP +#ifndef DISABLE_OCSP /************************************************* * Load OCSP information into state * *************************************************/ @@ -620,7 +620,7 @@ bad: } return; } -#endif /*EXPERIMENTAL_OCSP*/ +#endif /*!DISABLE_OCSP*/ @@ -682,7 +682,7 @@ if (expanded != NULL && *expanded != 0) "SSL_CTX_use_PrivateKey_file file=%s", expanded), cbinfo->host, NULL); } -#ifdef EXPERIMENTAL_OCSP +#ifndef DISABLE_OCSP if (cbinfo->is_server && cbinfo->u_ocsp.server.file != NULL) { if (!expand_check(cbinfo->u_ocsp.server.file, US"tls_ocsp_file", &expanded)) @@ -772,7 +772,7 @@ SSL_CTX_set_tlsext_servername_callback(server_sni, tls_servername_cb); SSL_CTX_set_tlsext_servername_arg(server_sni, cbinfo); if (cbinfo->server_cipher_list) SSL_CTX_set_cipher_list(server_sni, CS cbinfo->server_cipher_list); -#ifdef EXPERIMENTAL_OCSP +#ifndef DISABLE_OCSP if (cbinfo->u_ocsp.server.file) { SSL_CTX_set_tlsext_status_cb(server_sni, tls_server_stapling_cb); @@ -801,7 +801,7 @@ return SSL_TLSEXT_ERR_OK; -#ifdef EXPERIMENTAL_OCSP +#ifndef DISABLE_OCSP /************************************************* * Callback to handle OCSP Stapling * @@ -985,7 +985,7 @@ if(!(bs = OCSP_response_get1_basic(rsp))) OCSP_RESPONSE_free(rsp); return i; } -#endif /*EXPERIMENTAL_OCSP*/ +#endif /*!DISABLE_OCSP*/ @@ -1011,7 +1011,7 @@ Returns: OK/DEFER/FAIL static int tls_init(SSL_CTX **ctxp, host_item *host, uschar *dhparam, uschar *certificate, uschar *privatekey, -#ifdef EXPERIMENTAL_OCSP +#ifndef DISABLE_OCSP uschar *ocsp_file, #endif address_item *addr, tls_ext_ctx_cb ** cbp) @@ -1024,7 +1024,7 @@ tls_ext_ctx_cb *cbinfo; cbinfo = store_malloc(sizeof(tls_ext_ctx_cb)); cbinfo->certificate = certificate; cbinfo->privatekey = privatekey; -#ifdef EXPERIMENTAL_OCSP +#ifndef DISABLE_OCSP if ((cbinfo->is_server = host==NULL)) { cbinfo->u_ocsp.server.file = ocsp_file; @@ -1126,7 +1126,7 @@ if (rc != OK) return rc; #ifdef EXIM_HAVE_OPENSSL_TLSEXT if (host == NULL) /* server */ { -# ifdef EXPERIMENTAL_OCSP +# ifndef DISABLE_OCSP /* We check u_ocsp.server.file, not server.response, because we care about if the option exists, not what the current expansion might be, as SNI might change the certificate and OCSP file in use between now and the time the @@ -1142,7 +1142,7 @@ if (host == NULL) /* server */ SSL_CTX_set_tlsext_servername_callback(*ctxp, tls_servername_cb); SSL_CTX_set_tlsext_servername_arg(*ctxp, cbinfo); } -# ifdef EXPERIMENTAL_OCSP +# ifndef DISABLE_OCSP else /* client */ if(ocsp_file) /* wanting stapling */ { @@ -1379,7 +1379,7 @@ if (tls_in.active >= 0) the error. */ rc = tls_init(&server_ctx, NULL, tls_dhparam, tls_certificate, tls_privatekey, -#ifdef EXPERIMENTAL_OCSP +#ifndef DISABLE_OCSP tls_ocsp_file, #endif NULL, &server_static_cbinfo); @@ -1549,7 +1549,7 @@ uschar *expciphers; X509* server_cert; int rc; static uschar cipherbuf[256]; -#ifdef EXPERIMENTAL_OCSP +#ifndef DISABLE_OCSP BOOL require_ocsp = verify_check_this_host(&ob->hosts_require_ocsp, NULL, host->name, host->address, NULL) == OK; BOOL request_ocsp = require_ocsp ? TRUE @@ -1559,7 +1559,7 @@ BOOL request_ocsp = require_ocsp ? TRUE rc = tls_init(&client_ctx, host, NULL, ob->tls_certificate, ob->tls_privatekey, -#ifdef EXPERIMENTAL_OCSP +#ifndef DISABLE_OCSP (void *)(long)request_ocsp, #endif addr, &client_static_cbinfo); @@ -1647,7 +1647,7 @@ if (ob->tls_sni) } } -#ifdef EXPERIMENTAL_OCSP +#ifndef DISABLE_OCSP /* Request certificate status at connection-time. If the server does OCSP stapling we will get the callback (set in tls_init()) */ if (request_ocsp) diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c index 38dcfa080..db424fa61 100644 --- a/src/src/transports/smtp.c +++ b/src/src/transports/smtp.c @@ -102,14 +102,14 @@ optionlist smtp_transport_options[] = { (void *)offsetof(smtp_transport_options_block, hosts_override) }, { "hosts_randomize", opt_bool, (void *)offsetof(smtp_transport_options_block, hosts_randomize) }, -#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_OCSP) +#if defined(SUPPORT_TLS) && !defined(DISABLE_OCSP) { "hosts_request_ocsp", opt_stringptr, (void *)offsetof(smtp_transport_options_block, hosts_request_ocsp) }, #endif { "hosts_require_auth", opt_stringptr, (void *)offsetof(smtp_transport_options_block, hosts_require_auth) }, #ifdef SUPPORT_TLS -# if defined EXPERIMENTAL_OCSP +# ifndef DISABLE_OCSP { "hosts_require_ocsp", opt_stringptr, (void *)offsetof(smtp_transport_options_block, hosts_require_ocsp) }, # endif @@ -203,7 +203,7 @@ smtp_transport_options_block smtp_transport_option_defaults = { #ifndef DISABLE_PRDR NULL, /* hosts_try_prdr */ #endif -#ifdef EXPERIMENTAL_OCSP +#ifndef DISABLE_OCSP US"*", /* hosts_request_ocsp */ NULL, /* hosts_require_ocsp */ #endif diff --git a/src/src/transports/smtp.h b/src/src/transports/smtp.h index a481943bb..dd41e1f15 100644 --- a/src/src/transports/smtp.h +++ b/src/src/transports/smtp.h @@ -24,7 +24,7 @@ typedef struct { #ifndef DISABLE_PRDR uschar *hosts_try_prdr; #endif -#ifdef EXPERIMENTAL_OCSP +#ifndef DISABLE_OCSP uschar *hosts_request_ocsp; uschar *hosts_require_ocsp; #endif |