AC_CHECK_LIB(md5, MD5Init, [CRYPTLIB="$CRYPTLIB -lmd5"])
AC_SUBST(CRYPTLIB)
-SSLLIB=""
-
SQUID_AUTO_LIB(gnutls,[GnuTLS crypto],[LIBGNUTLS])
-AH_TEMPLATE(USE_GNUTLS,[GnuTLS support is available])
SQUID_CHECK_LIB_WORKS(gnutls,[
SQUID_STATE_SAVE(squid_gnutls_state)
-
- # User may have provided a custom location for GnuTLS. Otherwise...
- CPPFLAGS="$LIBGNUTLS_CFLAGS $CPPFLAGS"
- LIBS="$LIBS $LIBGNUTLS_PATH"
-
- # auto-detect using pkg-config
PKG_CHECK_MODULES([LIBGNUTLS],[gnutls >= 3.4.0],[
- CPPFLAGS="$CPPFLAGS $LIBGNUTLS_CFLAGS"
- ],[
- ## find the package without pkg-config
- ## check that the library is actually new enough.
- ## by testing for a 3.4.0+ function which we use
- AC_CHECK_LIB(gnutls,gnutls_pcert_export_x509,[LIBGNUTLS_LIBS="-lgnutls"])
- ])
- # if any of the required headers is not found, signal we can't support gnutls
- AC_CHECK_HEADERS([gnutls/gnutls.h gnutls/x509.h gnutls/abstract.h], [], [LIBGNUTLS_LIBS=""])
-
- SQUID_STATE_ROLLBACK(squid_gnutls_state) #de-pollute LIBS
-
- AS_IF([test "x$LIBGNUTLS_LIBS" != "x"],[
- SSLLIB="$LIBGNUTLS_PATH $LIBGNUTLS_LIBS $SSLLIB"
- AC_DEFINE(USE_GNUTLS,1,[GnuTLS support is available])
- ])
+ CPPFLAGS="$LIBGNUTLS_CFLAGS $CPPFLAGS"
+ AC_CHECK_HEADERS(gnutls/gnutls.h gnutls/x509.h gnutls/abstract.h)
+ ],[:])
+ SQUID_STATE_ROLLBACK(squid_gnutls_state)
])
+SSLLIB=""
dnl User may specify OpenSSL is needed from a non-standard location
SQUID_OPTIONAL_LIB(openssl,[OpenSSL],[LIBOPENSSL])
AH_TEMPLATE(USE_OPENSSL,[OpenSSL support is available])
PREDEFINED = __cplusplus \
FOLLOW_X_FORWARDED_FOR \
FORW_VIA_DB \
+ HAVE_LIBGNUTLS \
ICAP_CLIENT \
HAVE_LIBHEIMDAL_KRB5 \
LINUX_NETFILTER \
USE_ECAP \
USE_ERR_LOCALES \
USE_EPOLL \
- USE_GNUTLS \
USE_HEXDUMP \
USE_HTCP \
USE_HTTP_VIOLATIONS \
$(top_builddir)/lib/libmiscencoding.la \
$(top_builddir)/lib/libmiscutil.la \
$(LIBCAP_LIBS) \
+ $(LIBGNUTLS_LIBS) \
$(LIBHEIMDAL_KRB5_LIBS) \
$(SSLLIB) \
$(EPOLL_LIBS) \
$(REGEXLIB) \
$(SSLLIB) \
$(LIBCPPUNIT_LIBS) \
+ $(LIBGNUTLS_LIBS) \
$(COMPAT_LIB) \
$(LIBNETTLE_LIBS) \
$(XTRA_LIBS)
$(REGEXLIB) \
$(SSLLIB) \
$(LIBCPPUNIT_LIBS) \
+ $(LIBGNUTLS_LIBS) \
$(COMPAT_LIB) \
$(LIBNETTLE_LIBS) \
$(XTRA_LIBS)
$(SSLLIB) \
CommCalls.o \
$(LIBCPPUNIT_LIBS) \
+ $(LIBGNUTLS_LIBS) \
$(COMPAT_LIB) \
$(LIBNETTLE_LIBS) \
$(XTRA_LIBS)
$(REGEXLIB) \
$(SSLLIB) \
$(LIBCPPUNIT_LIBS) \
+ $(LIBGNUTLS_LIBS) \
$(COMPAT_LIB) \
$(LIBNETTLE_LIBS) \
$(XTRA_LIBS)
base/libbase.la \
$(SSLLIB) \
$(LIBCPPUNIT_LIBS) \
+ $(LIBGNUTLS_LIBS) \
$(COMPAT_LIB) \
$(XTRA_LIBS)
tests_testACLMaxUserIP_LDFLAGS = $(LIBADD_DL)
$(top_builddir)/lib/libmiscencoding.la \
$(top_builddir)/lib/libmiscutil.la \
$(LIBCAP_LIBS) \
+ $(LIBGNUTLS_LIBS) \
$(LIBHEIMDAL_KRB5_LIBS) \
$(REGEXLIB) \
$(SSLLIB) \
$(top_builddir)/lib/libmiscutil.la \
$(SSLLIB) \
$(LIBCPPUNIT_LIBS) \
+ $(LIBGNUTLS_LIBS) \
$(COMPAT_LIB) \
$(XTRA_LIBS)
tests_testHttp1Parser_LDFLAGS = $(LIBADD_DL)
$(top_builddir)/lib/libmiscutil.la \
$(SSLLIB) \
$(LIBCPPUNIT_LIBS) \
+ $(LIBGNUTLS_LIBS) \
$(COMPAT_LIB) \
$(LIBNETTLE_LIBS) \
$(XTRA_LIBS)
$(top_builddir)/lib/libmiscencoding.la \
$(top_builddir)/lib/libmiscutil.la \
$(LIBCAP_LIBS) \
+ $(LIBGNUTLS_LIBS) \
$(LIBHEIMDAL_KRB5_LIBS) \
$(REGEXLIB) \
$(SSLLIB) \
$(top_builddir)/lib/libmiscencoding.la \
$(top_builddir)/lib/libmiscutil.la \
$(LIBCAP_LIBS) \
+ $(LIBGNUTLS_LIBS) \
$(LIBHEIMDAL_KRB5_LIBS) \
$(REGEXLIB) \
$(SSLLIB) \
return false;
case AnyP::PROTO_HTTPS:
-#if USE_OPENSSL || USE_GNUTLS
+#if USE_OPENSSL || HAVE_LIBGNUTLS
return true;
#else
/*
DOC_END
NAME: https_port
-IFDEF: USE_GNUTLS||USE_OPENSSL
+IFDEF: HAVE_LIBGNUTLS||USE_OPENSSL
TYPE: PortCfg
DEFAULT: none
LOC: HttpPortList
COMMENT_END
NAME: tls_outgoing_options
-IFDEF: USE_GNUTLS||USE_OPENSSL
+IFDEF: HAVE_LIBGNUTLS||USE_OPENSSL
TYPE: securePeerOptions
DEFAULT: min-version=1.0
LOC: Security::ProxyOutgoingConfig
define["FOLLOW_X_FORWARDED_FOR&&USE_DELAY_POOLS"]="--enable-follow-x-forwarded-for and --enable-delay-pools"
define["HAVE_AUTH_MODULE_BASIC"]="--enable-auth-basic"
define["HAVE_AUTH_MODULE_DIGEST"]="--enable-auth-digest"
+ define["HAVE_LIBGNUTLS||USE_OPENSSL"]="--with-gnutls or --with-openssl"
define["HAVE_MSTATS&&HAVE_GNUMALLOC_H"]="GNU Malloc with mstats()"
define["ICAP_CLIENT"]="--enable-icap-client"
define["SO_MARK&&USE_LIBCAP"]="Packet MARK (Linux)"
define["USE_DELAY_POOLS"]="--enable-delay-pools"
define["USE_ECAP"]="--enable-ecap"
define["USE_ERR_LOCALES"]="--enable-auto-locale"
- define["USE_GNUTLS||USE_OPENSSL"]="--with-gnutls or --with-openssl"
define["USE_HTCP"]="--enable-htcp"
define["USE_HTTP_VIOLATIONS"]="--enable-http-violations"
define["USE_ICMP"]="--enable-icmp"
}
out.append(name.get());
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
gnutls_x509_dn_t issuer;
auto x = gnutls_x509_crt_get_issuer(&cert, &issuer);
if (x != GNUTLS_E_SUCCESS) {
}
out.append(name.get());
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
gnutls_x509_dn_t subject;
auto x = gnutls_x509_crt_get_subject(&cert, &subject);
if (x != GNUTLS_E_SUCCESS) {
debugs(83, DBG_PARSE_NOTE(3), issuer << " did not sign " << cert << ":" <<
Debug::Extra << "X509_check_issued() result: " << X509_verify_cert_error_string(result) << " (" << result << ")" <<
Ssl::ReportAndForgetErrors);
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
const auto result = gnutls_x509_crt_check_issuer(&cert, &issuer);
if (result == 1)
return true;
#include <openssl/ssl.h>
#endif
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
#if HAVE_GNUTLS_GNUTLS_H
#include <gnutls/gnutls.h>
#endif
#if USE_OPENSSL
typedef std::shared_ptr<SSL_CTX> ContextPointer;
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
typedef std::shared_ptr<struct gnutls_certificate_credentials_st> ContextPointer;
#else
#if USE_OPENSSL
#include "ssl/ErrorDetailManager.h"
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
#if HAVE_GNUTLS_GNUTLS_H
#include <gnutls/gnutls.h>
#endif
ioErrorNo = anIoErrorNo;
}
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
Security::ErrorDetail::ErrorDetail(const ErrorCode anErrorCode, const LibErrorCode aLibErrorNo, const int aSysErrorNo):
ErrorDetail(anErrorCode, aSysErrorNo)
{
// TODO: Log ERR_error_string_n() instead, despite length, whitespace?
// Example: `error:1408F09C:SSL routines:ssl3_get_record:http request`.
os << "+TLS_LIB_ERR=" << asHex(lib_error_no).upperCase();
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
os << '+' << gnutls_strerror_name(lib_error_no);
#endif
}
/// \param anIoErrorNo TLS I/O function outcome; \see ErrorDetail::ioErrorNo
/// \param aSysErrorNo saved errno(3); \see ErrorDetail::sysErrorNo
ErrorDetail(ErrorCode anErrorCode, int anIoErrorNo, int aSysErrorNo);
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
/// Details (or starts detailing) a non-validation failure.
/// \param anLibErrorNo TLS function outcome; \see ErrorDetail::lib_error_no
/// \param aSysErrorNo saved errno(3); \see ErrorDetail::sysErrorNo
return ioResult;
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
if (callResult == GNUTLS_E_SUCCESS) {
// TODO: Avoid gnutls_*() calls if debugging is off.
const auto desc = gnutls_session_get_desc(connection);
return Handshake(transport, SQUID_TLS_ERR_ACCEPT, [] (ConnectionPointer tlsConn) {
#if USE_OPENSSL
return SSL_accept(tlsConn);
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
return gnutls_handshake(tlsConn);
#else
return sizeof(tlsConn); // the value is unused; should be unreachable
return Handshake(transport, SQUID_TLS_ERR_CONNECT, [] (ConnectionPointer tlsConn) {
#if USE_OPENSSL
return SSL_connect(tlsConn);
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
return gnutls_handshake(tlsConn);
#else
return sizeof(tlsConn); // the value is unused; should be unreachable
Debug::Extra << "problem: " << CurrentException);
}
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
const char *certFilename = certFile.c_str();
gnutls_datum_t data;
Security::LibErrorCode x = gnutls_load_file(certFilename, &data);
pkey.reset();
}
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
const char *keyFilename = privateKeyFile.c_str();
gnutls_datum_t data;
if (gnutls_load_file(keyFilename, &data) == GNUTLS_E_SUCCESS) {
add.append(":NO_TLSv1_1");
if (v > 2)
add.append(":NO_TLSv1_2");
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
if (v > 0)
add.append(":-VERS-TLS1.0");
if (v > 1)
case 3:
#if USE_OPENSSL
add = ":NO_TLSv1:NO_TLSv1_1:NO_TLSv1_2:NO_TLSv1_3";
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
add = ":-VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.2:-VERS-TLS1.3";
#endif
break;
case 4:
#if USE_OPENSSL
add = ":NO_SSLv3:NO_TLSv1_1:NO_TLSv1_2:NO_TLSv1_3";
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
add = ":+VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.2:-VERS-TLS1.3";
#endif
break;
case 5:
#if USE_OPENSSL
add = ":NO_SSLv3:NO_TLSv1:NO_TLSv1_2:NO_TLSv1_3";
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
add = ":-VERS-TLS1.0:+VERS-TLS1.1:-VERS-TLS1.2:-VERS-TLS1.3";
#endif
break;
case 6:
#if USE_OPENSSL
add = ":NO_SSLv3:NO_TLSv1:NO_TLSv1_1:NO_TLSv1_3";
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
add = ":-VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.3";
#endif
break;
}
ctx = convertContextFromRawPtr(t);
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
// Initialize for X.509 certificate exchange
gnutls_certificate_credentials_t t;
if (const auto x = gnutls_certificate_allocate_credentials(&t)) {
#endif
parsedOptions = op;
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
if (str.isEmpty()) {
parsedOptions.reset();
return;
parseOptions();
#if USE_OPENSSL
SSL_CTX_set_options(ctx.get(), parsedOptions);
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
// NP: GnuTLS uses 'priorities' which are set only per-session instead.
(void)ctx;
#else
if (SSL_CTX_set_default_verify_paths(ctx.get()) == 0)
return Security::ErrorString(ERR_get_error());
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
auto x = gnutls_certificate_set_x509_system_trust(ctx.get());
if (x < 0)
return Security::ErrorString(x);
debugs(83, DBG_IMPORTANT, "WARNING: Ignoring error setting CA certificate location " <<
i << ": " << Security::ErrorString(x));
}
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
const auto x = gnutls_certificate_set_x509_trust_file(ctx.get(), i.c_str(), GNUTLS_X509_FMT_PEM);
if (x < 0) {
debugs(83, DBG_IMPORTANT, "WARNING: Ignoring error setting CA certificate location " <<
Security::ErrorString(ERR_get_error()));
}
#endif
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
// Modern GnuTLS versions trust intermediate CA certificates by default.
(void)ctx;
#else
// XXX: Options already set before (via the context) are not cleared!
SSL_set_options(s.get(), parsedOptions);
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
LibErrorCode x;
SBuf errMsg;
if (!parsedOptions) {
debugs(83, 5, "SSL_CTX destruct, this=" << (void*)p);
SSL_CTX_free(p);
});
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
debugs(83, 5, "gnutls_certificate_credentials construct, this=" << (void*)ctx);
return Security::ContextPointer(ctx, [](gnutls_certificate_credentials_t p) {
debugs(83, 5, "gnutls_certificate_credentials destruct, this=" << (void*)p);
}
ctx = convertContextFromRawPtr(t);
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
// Initialize for X.509 certificate exchange
gnutls_certificate_credentials_t t;
if (const auto x = gnutls_certificate_allocate_credentials(&t)) {
}
}
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
for (auto &keys : certs) {
gnutls_x509_crt_t crt = keys.cert.get();
gnutls_x509_privkey_t xkey = keys.pkey.get();
#if USE_OPENSSL
Ssl::generateUntrustedCert(untrustedSigningCa.cert, untrustedSigningCa.pkey, signingCa.cert, signingCa.pkey);
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
// TODO: implement for GnuTLS. Just a warning for now since generate is implicitly on for all crypto builds.
signingCa.cert.reset();
signingCa.pkey.reset();
#if USE_OPENSSL
bool generateHostCertificates = true; ///< dynamically make host cert
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
// TODO: GnuTLS does implement TLS server connections so the cert
// generate vs static choice can be reached in the code now.
// But this feature is not fully working implemented so must not
static const char *SessionCacheName = "tls_session_cache";
#endif
-#if USE_OPENSSL || USE_GNUTLS
+#if USE_OPENSSL || HAVE_LIBGNUTLS
static int
tls_read_method(int fd, char *buf, int len)
{
#if USE_OPENSSL
int i = SSL_read(session, buf, len);
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
int i = gnutls_record_recv(session, buf, len);
#endif
#if USE_OPENSSL
if (i > 0 && SSL_pending(session) > 0) {
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
if (i > 0 && gnutls_record_check_pending(session) > 0) {
#endif
debugs(83, 2, "TLS FD " << fd << " is pending");
#if USE_OPENSSL
int i = SSL_write(session, buf, len);
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
int i = gnutls_record_send(session, buf, len);
#endif
return false;
}
-#if USE_OPENSSL || USE_GNUTLS
+#if USE_OPENSSL || HAVE_LIBGNUTLS
const char *errAction = "with no TLS/SSL library";
Security::LibErrorCode errCode = 0;
errAction = "failed to allocate handle";
debugs(83, DBG_IMPORTANT, "ERROR: TLS failure: " << errAction << ": " << Security::ErrorString(errCode));
}
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
gnutls_session_t tmp;
errCode = gnutls_init(&tmp, static_cast<unsigned int>(type) | GNUTLS_NONBLOCK);
Security::SessionPointer session(tmp, [](gnutls_session_t p) {
errAction = "failed to initialize session";
debugs(83, DBG_IMPORTANT, "ERROR: TLS failure: " << errAction << ": " << Security::ErrorString(errCode));
}
-#endif /* USE_GNUTLS */
+#endif /* HAVE_LIBGNUTLS */
if (session) {
const int fd = conn->fd;
// without BIO, we would call SSL_set_fd(ssl.get(), fd) instead
if (BIO *bio = Ssl::Bio::Create(fd, type)) {
Ssl::Bio::Link(session.get(), bio); // cannot fail
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
errCode = gnutls_credentials_set(session.get(), GNUTLS_CRD_CERTIFICATE, ctx.get());
if (errCode == GNUTLS_E_SUCCESS) {
// this does the equivalent of SSL_set_fd() for now.
gnutls_transport_set_int(session.get(), fd);
gnutls_handshake_set_timeout(session.get(), GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT);
-#endif /* USE_GNUTLS */
+#endif /* HAVE_LIBGNUTLS */
debugs(83, 5, "link FD " << fd << " to TLS session=" << (void*)session.get());
errCode = ERR_get_error();
errAction = "failed to initialize I/O";
(void)opts;
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
errAction = "failed to assign credentials";
#endif
}
(void)opts;
(void)type;
(void)squidCtx;
-#endif /* USE_OPENSSL || USE_GNUTLS */
+#endif /* USE_OPENSSL || HAVE_LIBGNUTLS */
return false;
}
if (s) {
#if USE_OPENSSL
SSL_shutdown(s.get());
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
gnutls_bye(s.get(), GNUTLS_SHUT_RDWR);
#endif
}
bool result = false;
#if USE_OPENSSL
result = SSL_session_reused(s.get()) == 1;
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
result = gnutls_session_is_resumed(s.get()) != 0;
#endif
debugs(83, 7, "session=" << (void*)s.get() << ", query? answer: " << (result ? 'T' : 'F') );
#if USE_OPENSSL
// nil is valid for SSL_get1_session(), it cannot fail.
data.reset(SSL_get1_session(s.get()));
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
gnutls_datum_t *tmp = nullptr;
const auto x = gnutls_session_get_data2(s.get(), tmp);
if (x != GNUTLS_E_SUCCESS) {
debugs(83, 3, "session=" << (void*)s.get() << " data=" << (void*)data.get() <<
" resume error: " << Security::ErrorString(ssl_error));
}
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
const auto x = gnutls_session_set_data(s.get(), data->data, data->size);
if (x != GNUTLS_E_SUCCESS) {
debugs(83, 3, "session=" << (void*)s.get() << " data=" << (void*)data.get() <<
#endif
#endif
-#if USE_GNUTLS
+#if HAVE_LIBGNUTLS
#if HAVE_GNUTLS_GNUTLS_H
#include <gnutls/gnutls.h>
#endif
typedef std::unique_ptr<SSL_SESSION, HardFun<void, SSL_SESSION*, &SSL_SESSION_free>> SessionStatePointer;
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
// to be finalized when it is actually needed/used
struct Connection {};
#include "base/ToCpp.h"
#include "security/LockingPointer.h"
-#if USE_GNUTLS && HAVE_GNUTLS_ABSTRACT_H
+#if HAVE_LIBGNUTLS
+#if HAVE_GNUTLS_ABSTRACT_H
#include <gnutls/abstract.h>
#endif
+#endif /* HAVE_LIBGNUTLS */
#include <list>
#include <limits>
#include <memory>
#define SSL_FLAG_VERIFY_CRL_ALL (1<<6)
#define SSL_FLAG_CONDITIONAL_AUTH (1<<7)
-#if !USE_OPENSSL && !USE_GNUTLS
+#if !USE_OPENSSL && !HAVE_LIBGNUTLS
/// A helper type to keep all three possible underlying types of the
/// Security::Certificate typedef below inside global namespace, so that
/// argument-dependent lookup for operator "<<" (Certificate) works inside
#if USE_OPENSSL
typedef X509 Certificate;
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
typedef struct gnutls_x509_crt_int Certificate;
#else
typedef struct notls_x509 Certificate;
#if USE_OPENSSL
CtoCpp1(X509_free, X509 *);
typedef Security::LockingPointer<X509, X509_free_cpp, HardFun<int, X509 *, X509_up_ref> > CertPointer;
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
typedef std::shared_ptr<struct gnutls_x509_crt_int> CertPointer;
#else
typedef std::shared_ptr<Certificate> CertPointer;
#if USE_OPENSSL
CtoCpp1(X509_CRL_free, X509_CRL *);
typedef Security::LockingPointer<X509_CRL, X509_CRL_free_cpp, HardFun<int, X509_CRL *, X509_CRL_up_ref> > CrlPointer;
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
CtoCpp1(gnutls_x509_crl_deinit, gnutls_x509_crl_t);
typedef Security::LockingPointer<struct gnutls_x509_crl_int, gnutls_x509_crl_deinit> CrlPointer;
#else
#if USE_OPENSSL
CtoCpp1(EVP_PKEY_free, EVP_PKEY *)
using PrivateKeyPointer = Security::LockingPointer<EVP_PKEY, EVP_PKEY_free_cpp, HardFun<int, EVP_PKEY *, EVP_PKEY_up_ref>>;
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
using PrivateKeyPointer = std::shared_ptr<struct gnutls_x509_privkey_int>;
#else
using PrivateKeyPointer = std::shared_ptr<void>;
#else
using DhePointer = PrivateKeyPointer;
#endif
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
using DhePointer = void *;
#else
using DhePointer = void *;
/// `openssl errstr` expands these numbers into human-friendlier strings like
/// `error:1408F09C:SSL routines:ssl3_get_record:http request`
typedef unsigned long LibErrorCode;
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
/// the result of an API function like gnutls_handshake() (e.g.,
/// GNUTLS_E_WARNING_ALERT_RECEIVED)
typedef int LibErrorCode;
inline const char *ErrorString(const LibErrorCode code) {
#if USE_OPENSSL
return ERR_error_string(code, nullptr);
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
return gnutls_strerror(code);
#else
(void)code;
#if USE_OPENSSL
BIO_TO_CLIENT = 6000,
BIO_TO_SERVER
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
// NP: this is odd looking but correct.
// 'to-client' means we are a server, and vice versa.
BIO_TO_CLIENT = GNUTLS_SERVER,
#if USE_OPENSSL
using ParsedOptions = uint64_t;
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
typedef std::shared_ptr<struct gnutls_priority_st> ParsedOptions;
#else
class ParsedOptions {}; // we never parse/use TLS options in this case
Security::ErrorDetail::ErrorDetail(ErrorCode, const CertPointer &, const CertPointer &, const char *) STUB
#if USE_OPENSSL
Security::ErrorDetail::ErrorDetail(ErrorCode, int, int) STUB
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
Security::ErrorDetail::ErrorDetail(ErrorCode, LibErrorCode, int) STUB
#endif
void Security::ErrorDetail::setPeerCertificate(const CertPointer &) STUB