Maintenance: update --with-gnutls detection (#1685)
authorAmos Jeffries <yadij@users.noreply.github.com>
Wed, 28 Feb 2024 13:01:02 +0000 (13:01 +0000)
committerSquid Anubis <squid-anubis@squid-cache.org>
Wed, 28 Feb 2024 13:01:06 +0000 (13:01 +0000)
Simplify the SQUID_CHECK_LIB_WORKS(gnutls,...) logic
to use all the latest abilities of that macro

20 files changed:
configure.ac
squid.dox
src/Makefile.am
src/anyp/Uri.cc
src/cf.data.pre
src/cf_gen_defines
src/security/Certificate.cc
src/security/Context.h
src/security/ErrorDetail.cc
src/security/ErrorDetail.h
src/security/Io.cc
src/security/KeyData.cc
src/security/PeerOptions.cc
src/security/PeerOptions.h
src/security/ServerOptions.cc
src/security/ServerOptions.h
src/security/Session.cc
src/security/Session.h
src/security/forward.h
src/tests/stub_libsecurity.cc

index 6fc9a541654d70ddbf45bb1a5f0f214cd481c5ab..1658fabf39419971460e18b6d87f89e9ac5228c4 100644 (file)
@@ -1077,37 +1077,17 @@ dnl Solaris10 provides MD5 natively through libmd5
 AC_CHECK_LIB(md5, MD5Init, [CRYPTLIB="$CRYPTLIB -lmd5"])
 AC_SUBST(CRYPTLIB)
 
-SSLLIB=""
-
 SQUID_AUTO_LIB(gnutls,[GnuTLS crypto],[LIBGNUTLS])
-AH_TEMPLATE(USE_GNUTLS,[GnuTLS support is available])
 SQUID_CHECK_LIB_WORKS(gnutls,[
   SQUID_STATE_SAVE(squid_gnutls_state)
-
-  # User may have provided a custom location for GnuTLS. Otherwise...
-  CPPFLAGS="$LIBGNUTLS_CFLAGS $CPPFLAGS"
-  LIBS="$LIBS $LIBGNUTLS_PATH"
-
-  # auto-detect using pkg-config
   PKG_CHECK_MODULES([LIBGNUTLS],[gnutls >= 3.4.0],[
-    CPPFLAGS="$CPPFLAGS $LIBGNUTLS_CFLAGS"
-    ],[
-    ## find the package without pkg-config
-    ## check that the library is actually new enough.
-    ## by testing for a 3.4.0+ function which we use
-    AC_CHECK_LIB(gnutls,gnutls_pcert_export_x509,[LIBGNUTLS_LIBS="-lgnutls"])
-  ])
-  # if any of the required headers is not found, signal we can't support gnutls
-  AC_CHECK_HEADERS([gnutls/gnutls.h gnutls/x509.h gnutls/abstract.h], [], [LIBGNUTLS_LIBS=""])
-
-  SQUID_STATE_ROLLBACK(squid_gnutls_state) #de-pollute LIBS
-
-  AS_IF([test "x$LIBGNUTLS_LIBS" != "x"],[
-    SSLLIB="$LIBGNUTLS_PATH $LIBGNUTLS_LIBS $SSLLIB"
-    AC_DEFINE(USE_GNUTLS,1,[GnuTLS support is available])
-  ])
+    CPPFLAGS="$LIBGNUTLS_CFLAGS $CPPFLAGS"
+    AC_CHECK_HEADERS(gnutls/gnutls.h gnutls/x509.h gnutls/abstract.h)
+  ],[:])
+  SQUID_STATE_ROLLBACK(squid_gnutls_state)
 ])
 
+SSLLIB=""
 dnl User may specify OpenSSL is needed from a non-standard location
 SQUID_OPTIONAL_LIB(openssl,[OpenSSL],[LIBOPENSSL])
 AH_TEMPLATE(USE_OPENSSL,[OpenSSL support is available])
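Review bot: The new AC_CHECK_HEADERS call in this hunk drops the `[LIBGNUTLS_LIBS=""]` action-if-not-found that the removed line carried, so a host with libgnutls present but an incomplete header set can now pass configure with HAVE_LIBGNUTLS set and only fail later in the compiler, because the `#if HAVE_GNUTLS_GNUTLS_H` guards in Context.h and Session.h skip the include while calls such as gnutls_handshake() in Io.cc are compiled unconditionally under HAVE_LIBGNUTLS. Unless SQUID_CHECK_LIB_WORKS probes those headers itself (not visible here), keep a configure-time failure signal, e.g. `AC_CHECK_HEADERS([gnutls/gnutls.h gnutls/x509.h gnutls/abstract.h],[],[LIBGNUTLS_LIBS=""])` or an AC_MSG_ERROR in the action-if-not-found. The `[:]` given to PKG_CHECK_MODULES also removes the AC_CHECK_LIB(gnutls,gnutls_pcert_export_x509) fallback, so hosts without a gnutls.pc silently lose GnuTLS detection; if that is intended, say so on the line, `# GnuTLS detection requires pkg-config; no manual library probing`. SSLLIB no longer receives `$LIBGNUTLS_PATH $LIBGNUTLS_LIBS`, so any link target outside the src/Makefile.am hunks that relied on $(SSLLIB) for GnuTLS symbols will need $(LIBGNUTLS_LIBS) added as well.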
index 1554bfda729a4cbfde57d1bbc7498b7367bf2253..465fe89b3413acf4821fd99d4dac9f1d4d95b108 100644 (file)
--- a/squid.dox
+++ b/squid.dox
@@ -2066,6 +2066,7 @@ INCLUDE_FILE_PATTERNS  =
 PREDEFINED             = __cplusplus \
                          FOLLOW_X_FORWARDED_FOR \
                          FORW_VIA_DB \
+                         HAVE_LIBGNUTLS \
                          ICAP_CLIENT \
                          HAVE_LIBHEIMDAL_KRB5 \
                          LINUX_NETFILTER \
@@ -2081,7 +2082,6 @@ PREDEFINED             = __cplusplus \
                          USE_ECAP \
                          USE_ERR_LOCALES \
                          USE_EPOLL \
-                         USE_GNUTLS \
                          USE_HEXDUMP \
                          USE_HTCP \
                          USE_HTTP_VIOLATIONS \
index 2b15ee5fbcd4320e3fcdbc9091dbf954d4e86ec7..af55b7df7cbddedcc389628ecaaaf281743c3145 100644 (file)
@@ -525,6 +525,7 @@ squid_LDADD = \
        $(top_builddir)/lib/libmiscencoding.la \
        $(top_builddir)/lib/libmiscutil.la \
        $(LIBCAP_LIBS) \
+       $(LIBGNUTLS_LIBS) \
        $(LIBHEIMDAL_KRB5_LIBS) \
        $(SSLLIB) \
        $(EPOLL_LIBS) \
@@ -1160,6 +1161,7 @@ tests_testRock_LDADD = \
        $(REGEXLIB) \
        $(SSLLIB) \
        $(LIBCPPUNIT_LIBS) \
+       $(LIBGNUTLS_LIBS) \
        $(COMPAT_LIB) \
        $(LIBNETTLE_LIBS) \
        $(XTRA_LIBS)
@@ -1336,6 +1338,7 @@ tests_testUfs_LDADD = \
        $(REGEXLIB) \
        $(SSLLIB) \
        $(LIBCPPUNIT_LIBS) \
+       $(LIBGNUTLS_LIBS) \
        $(COMPAT_LIB) \
        $(LIBNETTLE_LIBS) \
        $(XTRA_LIBS)
@@ -1499,6 +1502,7 @@ tests_testStore_LDADD= \
        $(SSLLIB) \
        CommCalls.o \
        $(LIBCPPUNIT_LIBS) \
+       $(LIBGNUTLS_LIBS) \
        $(COMPAT_LIB) \
        $(LIBNETTLE_LIBS) \
        $(XTRA_LIBS)
@@ -1674,6 +1678,7 @@ tests_testDiskIO_LDADD = \
        $(REGEXLIB) \
        $(SSLLIB) \
        $(LIBCPPUNIT_LIBS) \
+       $(LIBGNUTLS_LIBS) \
        $(COMPAT_LIB) \
        $(LIBNETTLE_LIBS) \
        $(XTRA_LIBS)
@@ -1723,6 +1728,7 @@ tests_testACLMaxUserIP_LDADD = \
        base/libbase.la \
        $(SSLLIB) \
        $(LIBCPPUNIT_LIBS) \
+       $(LIBGNUTLS_LIBS) \
        $(COMPAT_LIB) \
        $(XTRA_LIBS)
 tests_testACLMaxUserIP_LDFLAGS = $(LIBADD_DL)
@@ -1975,6 +1981,7 @@ tests_test_http_range_LDADD = \
        $(top_builddir)/lib/libmiscencoding.la \
        $(top_builddir)/lib/libmiscutil.la \
        $(LIBCAP_LIBS) \
+       $(LIBGNUTLS_LIBS) \
        $(LIBHEIMDAL_KRB5_LIBS) \
        $(REGEXLIB) \
        $(SSLLIB) \
@@ -2029,6 +2036,7 @@ tests_testHttp1Parser_LDADD= \
        $(top_builddir)/lib/libmiscutil.la \
        $(SSLLIB) \
        $(LIBCPPUNIT_LIBS) \
+       $(LIBGNUTLS_LIBS) \
        $(COMPAT_LIB) \
        $(XTRA_LIBS)
 tests_testHttp1Parser_LDFLAGS = $(LIBADD_DL)
@@ -2131,6 +2139,7 @@ tests_testHttpReply_LDADD=\
        $(top_builddir)/lib/libmiscutil.la \
        $(SSLLIB) \
        $(LIBCPPUNIT_LIBS) \
+       $(LIBGNUTLS_LIBS) \
        $(COMPAT_LIB) \
        $(LIBNETTLE_LIBS) \
        $(XTRA_LIBS)
@@ -2360,6 +2369,7 @@ tests_testHttpRequest_LDADD = \
        $(top_builddir)/lib/libmiscencoding.la \
        $(top_builddir)/lib/libmiscutil.la \
        $(LIBCAP_LIBS) \
+       $(LIBGNUTLS_LIBS) \
        $(LIBHEIMDAL_KRB5_LIBS) \
        $(REGEXLIB) \
        $(SSLLIB) \
@@ -2658,6 +2668,7 @@ tests_testCacheManager_LDADD = \
        $(top_builddir)/lib/libmiscencoding.la \
        $(top_builddir)/lib/libmiscutil.la \
        $(LIBCAP_LIBS) \
+       $(LIBGNUTLS_LIBS) \
        $(LIBHEIMDAL_KRB5_LIBS) \
        $(REGEXLIB) \
        $(SSLLIB) \
index aba1bab559369447ac1bf2de8e7e95c3287b76b7..590074491ddc882836091f5f6f5e007030998bcf 100644 (file)
@@ -981,7 +981,7 @@ urlCheckRequest(const HttpRequest * r)
         return false;
 
     case AnyP::PROTO_HTTPS:
-#if USE_OPENSSL || USE_GNUTLS
+#if USE_OPENSSL || HAVE_LIBGNUTLS
         return true;
 #else
         /*
index 76123be77b40de9846cb19deb6d8ecea48c6770f..51bb2d5a85896b797bb66fde2a2e435f6d428e21 100644 (file)
@@ -2561,7 +2561,7 @@ CONFIG_END
 DOC_END
 
 NAME: https_port
-IFDEF: USE_GNUTLS||USE_OPENSSL
+IFDEF: HAVE_LIBGNUTLS||USE_OPENSSL
 TYPE: PortCfg
 DEFAULT: none
 LOC: HttpPortList
@@ -3017,7 +3017,7 @@ COMMENT_START
 COMMENT_END
 
 NAME: tls_outgoing_options
-IFDEF: USE_GNUTLS||USE_OPENSSL
+IFDEF: HAVE_LIBGNUTLS||USE_OPENSSL
 TYPE: securePeerOptions
 DEFAULT: min-version=1.0
 LOC: Security::ProxyOutgoingConfig
index 5b070eef1c5e4039af3d0d9705981da98a3771a1..283c3e6ecc65e01d033083baa9f2b3e048cfa2d1 100644 (file)
@@ -26,6 +26,7 @@ BEGIN {
        define["FOLLOW_X_FORWARDED_FOR&&USE_DELAY_POOLS"]="--enable-follow-x-forwarded-for and --enable-delay-pools"
        define["HAVE_AUTH_MODULE_BASIC"]="--enable-auth-basic"
        define["HAVE_AUTH_MODULE_DIGEST"]="--enable-auth-digest"
+       define["HAVE_LIBGNUTLS||USE_OPENSSL"]="--with-gnutls or --with-openssl"
        define["HAVE_MSTATS&&HAVE_GNUMALLOC_H"]="GNU Malloc with mstats()"
        define["ICAP_CLIENT"]="--enable-icap-client"
        define["SO_MARK&&USE_LIBCAP"]="Packet MARK (Linux)"
@@ -36,7 +37,6 @@ BEGIN {
        define["USE_DELAY_POOLS"]="--enable-delay-pools"
        define["USE_ECAP"]="--enable-ecap"
        define["USE_ERR_LOCALES"]="--enable-auto-locale"
-       define["USE_GNUTLS||USE_OPENSSL"]="--with-gnutls or --with-openssl"
        define["USE_HTCP"]="--enable-htcp"
        define["USE_HTTP_VIOLATIONS"]="--enable-http-violations"
        define["USE_ICMP"]="--enable-icmp"
index cdd80c6d8ef4d20118bd2581b8e54d1a36dc7eb3..5e97fd940d43e49b44c3c276bec9de38cbf25270 100644 (file)
@@ -39,7 +39,7 @@ Security::IssuerName(Certificate &cert)
     }
     out.append(name.get());
 
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
     gnutls_x509_dn_t issuer;
     auto x = gnutls_x509_crt_get_issuer(&cert, &issuer);
     if (x != GNUTLS_E_SUCCESS) {
@@ -79,7 +79,7 @@ Security::SubjectName(Certificate &cert)
     }
     out.append(name.get());
 
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
     gnutls_x509_dn_t subject;
     auto x = gnutls_x509_crt_get_subject(&cert, &subject);
     if (x != GNUTLS_E_SUCCESS) {
@@ -115,7 +115,7 @@ Security::IssuedBy(Certificate &cert, Certificate &issuer)
     debugs(83, DBG_PARSE_NOTE(3), issuer << " did not sign " << cert << ":" <<
            Debug::Extra << "X509_check_issued() result: " << X509_verify_cert_error_string(result) << " (" << result << ")" <<
            Ssl::ReportAndForgetErrors);
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
     const auto result = gnutls_x509_crt_check_issuer(&cert, &issuer);
     if (result == 1)
         return true;
index 5f879e8a321c53bcfa0e8347a30870e7741e9b7e..8ef6343cf0cc76c6038ee558770e33035934a7e0 100644 (file)
@@ -17,7 +17,7 @@
 #include <openssl/ssl.h>
 #endif
 
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
 #if HAVE_GNUTLS_GNUTLS_H
 #include <gnutls/gnutls.h>
 #endif
@@ -28,7 +28,7 @@ namespace Security {
 #if USE_OPENSSL
 typedef std::shared_ptr<SSL_CTX> ContextPointer;
 
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
 typedef std::shared_ptr<struct gnutls_certificate_credentials_st> ContextPointer;
 
 #else
index 2884abb4928876b1c8476a99e83b432cd043eec6..66fbb5b4d1ec33695ab24c5c25cea3fa46140a32 100644 (file)
@@ -20,7 +20,7 @@
 
 #if USE_OPENSSL
 #include "ssl/ErrorDetailManager.h"
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
 #if HAVE_GNUTLS_GNUTLS_H
 #include <gnutls/gnutls.h>
 #endif
@@ -478,7 +478,7 @@ Security::ErrorDetail::ErrorDetail(const ErrorCode anErrorCode, const int anIoEr
     ioErrorNo = anIoErrorNo;
 }
 
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
 Security::ErrorDetail::ErrorDetail(const ErrorCode anErrorCode, const LibErrorCode aLibErrorNo, const int aSysErrorNo):
     ErrorDetail(anErrorCode, aSysErrorNo)
 {
@@ -508,7 +508,7 @@ Security::ErrorDetail::brief() const
         // TODO: Log ERR_error_string_n() instead, despite length, whitespace?
         // Example: `error:1408F09C:SSL routines:ssl3_get_record:http request`.
         os << "+TLS_LIB_ERR=" << asHex(lib_error_no).upperCase();
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
         os << '+' << gnutls_strerror_name(lib_error_no);
 #endif
     }
index fb121d0ed2d7311caafa366fa53fb22d1cc3bd2b..ca89673309f2caee8da6135ed09ba15b9b236733 100644 (file)
@@ -52,7 +52,7 @@ public:
     /// \param anIoErrorNo TLS I/O function outcome; \see ErrorDetail::ioErrorNo
     /// \param aSysErrorNo saved errno(3); \see ErrorDetail::sysErrorNo
     ErrorDetail(ErrorCode anErrorCode, int anIoErrorNo, int aSysErrorNo);
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
     /// Details (or starts detailing) a non-validation failure.
     /// \param anLibErrorNo TLS function outcome; \see ErrorDetail::lib_error_no
     /// \param aSysErrorNo saved errno(3); \see ErrorDetail::sysErrorNo
index fb5eea4ac664f6e964b2d02fbed774214d9863be..de5564d63557b7604d67e67d7e2ceff188e96d52 100644 (file)
@@ -146,7 +146,7 @@ Security::Handshake(Comm::Connection &transport, const ErrorCode topError, Fun i
 
     return ioResult;
 
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
     if (callResult == GNUTLS_E_SUCCESS) {
         // TODO: Avoid gnutls_*() calls if debugging is off.
         const auto desc = gnutls_session_get_desc(connection);
@@ -199,7 +199,7 @@ Security::Accept(Comm::Connection &transport)
     return Handshake(transport, SQUID_TLS_ERR_ACCEPT, [] (ConnectionPointer tlsConn) {
 #if USE_OPENSSL
         return SSL_accept(tlsConn);
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
         return gnutls_handshake(tlsConn);
 #else
         return sizeof(tlsConn); // the value is unused; should be unreachable
@@ -214,7 +214,7 @@ Security::Connect(Comm::Connection &transport)
     return Handshake(transport, SQUID_TLS_ERR_CONNECT, [] (ConnectionPointer tlsConn) {
 #if USE_OPENSSL
         return SSL_connect(tlsConn);
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
         return gnutls_handshake(tlsConn);
 #else
         return sizeof(tlsConn); // the value is unused; should be unreachable
index 0ffd51b5aa020fc2f5271bdf47960d0bc7aeebe3..e2d4119a236c90f1005043f428dd3dfe03ba89b6 100644 (file)
@@ -87,7 +87,7 @@ Security::KeyData::loadCertificates()
                Debug::Extra << "problem: " << CurrentException);
     }
 
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
     const char *certFilename = certFile.c_str();
     gnutls_datum_t data;
     Security::LibErrorCode x = gnutls_load_file(certFilename, &data);
@@ -152,7 +152,7 @@ Security::KeyData::loadX509PrivateKeyFromFile()
         pkey.reset();
     }
 
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
     const char *keyFilename = privateKeyFile.c_str();
     gnutls_datum_t data;
     if (gnutls_load_file(keyFilename, &data) == GNUTLS_E_SUCCESS) {
index 44a18dc45add631616941be3259a2e8ae39e1058..62bc08d0467943c1e391bad31e1ba9bc79739b4b 100644 (file)
@@ -167,7 +167,7 @@ Security::PeerOptions::updateTlsVersionLimits()
                 add.append(":NO_TLSv1_1");
             if (v > 2)
                 add.append(":NO_TLSv1_2");
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
             if (v > 0)
                 add.append(":-VERS-TLS1.0");
             if (v > 1)
@@ -198,28 +198,28 @@ Security::PeerOptions::updateTlsVersionLimits()
         case 3:
 #if USE_OPENSSL
             add = ":NO_TLSv1:NO_TLSv1_1:NO_TLSv1_2:NO_TLSv1_3";
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
             add = ":-VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.2:-VERS-TLS1.3";
 #endif
             break;
         case 4:
 #if USE_OPENSSL
             add = ":NO_SSLv3:NO_TLSv1_1:NO_TLSv1_2:NO_TLSv1_3";
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
             add = ":+VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.2:-VERS-TLS1.3";
 #endif
             break;
         case 5:
 #if USE_OPENSSL
             add = ":NO_SSLv3:NO_TLSv1:NO_TLSv1_2:NO_TLSv1_3";
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
             add = ":-VERS-TLS1.0:+VERS-TLS1.1:-VERS-TLS1.2:-VERS-TLS1.3";
 #endif
             break;
         case 6:
 #if USE_OPENSSL
             add = ":NO_SSLv3:NO_TLSv1:NO_TLSv1_1:NO_TLSv1_3";
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
             add = ":-VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.3";
 #endif
             break;
@@ -251,7 +251,7 @@ Security::PeerOptions::createBlankContext() const
     }
     ctx = convertContextFromRawPtr(t);
 
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
     // Initialize for X.509 certificate exchange
     gnutls_certificate_credentials_t t;
     if (const auto x = gnutls_certificate_allocate_credentials(&t)) {
@@ -522,7 +522,7 @@ Security::PeerOptions::parseOptions()
 #endif
     parsedOptions = op;
 
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
     if (str.isEmpty()) {
         parsedOptions.reset();
         return;
@@ -636,7 +636,7 @@ Security::PeerOptions::updateContextOptions(Security::ContextPointer &ctx)
     parseOptions();
 #if USE_OPENSSL
     SSL_CTX_set_options(ctx.get(), parsedOptions);
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
     // NP: GnuTLS uses 'priorities' which are set only per-session instead.
     (void)ctx;
 #else
@@ -678,7 +678,7 @@ loadSystemTrustedCa(Security::ContextPointer &ctx)
     if (SSL_CTX_set_default_verify_paths(ctx.get()) == 0)
         return Security::ErrorString(ERR_get_error());
 
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
     auto x = gnutls_certificate_set_x509_system_trust(ctx.get());
     if (x < 0)
         return Security::ErrorString(x);
@@ -706,7 +706,7 @@ Security::PeerOptions::updateContextCa(Security::ContextPointer &ctx)
             debugs(83, DBG_IMPORTANT, "WARNING: Ignoring error setting CA certificate location " <<
                    i << ": " << Security::ErrorString(x));
         }
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
         const auto x = gnutls_certificate_set_x509_trust_file(ctx.get(), i.c_str(), GNUTLS_X509_FMT_PEM);
         if (x < 0) {
             debugs(83, DBG_IMPORTANT, "WARNING: Ignoring error setting CA certificate location " <<
@@ -762,7 +762,7 @@ Security::PeerOptions::updateContextTrust(Security::ContextPointer &ctx)
                Security::ErrorString(ERR_get_error()));
     }
 #endif
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
     // Modern GnuTLS versions trust intermediate CA certificates by default.
     (void)ctx;
 #else
@@ -779,7 +779,7 @@ Security::PeerOptions::updateSessionOptions(Security::SessionPointer &s)
     // XXX: Options already set before (via the context) are not cleared!
     SSL_set_options(s.get(), parsedOptions);
 
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
     LibErrorCode x;
     SBuf errMsg;
     if (!parsedOptions) {
index 7aed44e5bd67a6cf28ac17e53f11e3bcdf20d3ed..e78081d36efd65c0b0abe83721725bd098d956b6 100644 (file)
@@ -115,7 +115,7 @@ protected:
             debugs(83, 5, "SSL_CTX destruct, this=" << (void*)p);
             SSL_CTX_free(p);
         });
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
         debugs(83, 5, "gnutls_certificate_credentials construct, this=" << (void*)ctx);
         return Security::ContextPointer(ctx, [](gnutls_certificate_credentials_t p) {
             debugs(83, 5, "gnutls_certificate_credentials destruct, this=" << (void*)p);
index 2118058eddb4251e9903e1ab22ae78651acc46d0..a9a58555d2e7cc3774a0a1b5be6fccf57f069801 100644 (file)
@@ -173,7 +173,7 @@ Security::ServerOptions::createBlankContext() const
     }
     ctx = convertContextFromRawPtr(t);
 
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
     // Initialize for X.509 certificate exchange
     gnutls_certificate_credentials_t t;
     if (const auto x = gnutls_certificate_allocate_credentials(&t)) {
@@ -249,7 +249,7 @@ Security::ServerOptions::createStaticServerContext(AnyP::PortCfg &)
             }
         }
 
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
         for (auto &keys : certs) {
             gnutls_x509_crt_t crt = keys.cert.get();
             gnutls_x509_privkey_t xkey = keys.pkey.get();
@@ -302,7 +302,7 @@ Security::ServerOptions::createSigningContexts(const AnyP::PortCfg &port)
 
 #if USE_OPENSSL
     Ssl::generateUntrustedCert(untrustedSigningCa.cert, untrustedSigningCa.pkey, signingCa.cert, signingCa.pkey);
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
     // TODO: implement for GnuTLS. Just a warning for now since generate is implicitly on for all crypto builds.
     signingCa.cert.reset();
     signingCa.pkey.reset();
index a321cbb0fc093f2b765f6f0d43dce771ef0c6ed0..d74a8874072abb5a342733c37909aa2ab61dc37e 100644 (file)
@@ -73,7 +73,7 @@ public:
 
 #if USE_OPENSSL
     bool generateHostCertificates = true; ///< dynamically make host cert
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
     // TODO: GnuTLS does implement TLS server connections so the cert
     // generate vs static choice can be reached in the code now.
     // But this feature is not fully working implemented so must not
index f09f95b8826094dfe647c2e8cbb509c5113a9ac8..07416873674c1da40f2072a858060a80d383f65d 100644 (file)
@@ -28,7 +28,7 @@ static Ipc::MemMap *SessionCache = nullptr;
 static const char *SessionCacheName = "tls_session_cache";
 #endif
 
-#if USE_OPENSSL || USE_GNUTLS
+#if USE_OPENSSL || HAVE_LIBGNUTLS
 static int
 tls_read_method(int fd, char *buf, int len)
 {
@@ -37,7 +37,7 @@ tls_read_method(int fd, char *buf, int len)
 
 #if USE_OPENSSL
     int i = SSL_read(session, buf, len);
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
     int i = gnutls_record_recv(session, buf, len);
 #endif
 
@@ -48,7 +48,7 @@ tls_read_method(int fd, char *buf, int len)
 
 #if USE_OPENSSL
     if (i > 0 && SSL_pending(session) > 0) {
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
     if (i > 0 && gnutls_record_check_pending(session) > 0) {
 #endif
         debugs(83, 2, "TLS FD " << fd << " is pending");
@@ -74,7 +74,7 @@ tls_write_method(int fd, const char *buf, int len)
 
 #if USE_OPENSSL
     int i = SSL_write(session, buf, len);
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
     int i = gnutls_record_send(session, buf, len);
 #endif
 
@@ -106,7 +106,7 @@ CreateSession(const Security::ContextPointer &ctx, const Comm::ConnectionPointer
         return false;
     }
 
-#if USE_OPENSSL || USE_GNUTLS
+#if USE_OPENSSL || HAVE_LIBGNUTLS
 
     const char *errAction = "with no TLS/SSL library";
     Security::LibErrorCode errCode = 0;
@@ -117,7 +117,7 @@ CreateSession(const Security::ContextPointer &ctx, const Comm::ConnectionPointer
         errAction = "failed to allocate handle";
         debugs(83, DBG_IMPORTANT, "ERROR: TLS failure: " << errAction << ": " << Security::ErrorString(errCode));
     }
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
     gnutls_session_t tmp;
     errCode = gnutls_init(&tmp, static_cast<unsigned int>(type) | GNUTLS_NONBLOCK);
     Security::SessionPointer session(tmp, [](gnutls_session_t p) {
@@ -130,7 +130,7 @@ CreateSession(const Security::ContextPointer &ctx, const Comm::ConnectionPointer
         errAction = "failed to initialize session";
         debugs(83, DBG_IMPORTANT, "ERROR: TLS failure: " << errAction << ": " << Security::ErrorString(errCode));
     }
-#endif /* USE_GNUTLS */
+#endif /* HAVE_LIBGNUTLS */
 
     if (session) {
         const int fd = conn->fd;
@@ -139,7 +139,7 @@ CreateSession(const Security::ContextPointer &ctx, const Comm::ConnectionPointer
         // without BIO, we would call SSL_set_fd(ssl.get(), fd) instead
         if (BIO *bio = Ssl::Bio::Create(fd, type)) {
             Ssl::Bio::Link(session.get(), bio); // cannot fail
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
         errCode = gnutls_credentials_set(session.get(), GNUTLS_CRD_CERTIFICATE, ctx.get());
         if (errCode == GNUTLS_E_SUCCESS) {
 
@@ -149,7 +149,7 @@ CreateSession(const Security::ContextPointer &ctx, const Comm::ConnectionPointer
             //     this does the equivalent of SSL_set_fd() for now.
             gnutls_transport_set_int(session.get(), fd);
             gnutls_handshake_set_timeout(session.get(), GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT);
-#endif /* USE_GNUTLS */
+#endif /* HAVE_LIBGNUTLS */
 
             debugs(83, 5, "link FD " << fd << " to TLS session=" << (void*)session.get());
 
@@ -163,7 +163,7 @@ CreateSession(const Security::ContextPointer &ctx, const Comm::ConnectionPointer
         errCode = ERR_get_error();
         errAction = "failed to initialize I/O";
         (void)opts;
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
         errAction = "failed to assign credentials";
 #endif
     }
@@ -175,7 +175,7 @@ CreateSession(const Security::ContextPointer &ctx, const Comm::ConnectionPointer
     (void)opts;
     (void)type;
     (void)squidCtx;
-#endif /* USE_OPENSSL || USE_GNUTLS */
+#endif /* USE_OPENSSL || HAVE_LIBGNUTLS */
     return false;
 }
 
@@ -202,7 +202,7 @@ Security::SessionSendGoodbye(const Security::SessionPointer &s)
     if (s) {
 #if USE_OPENSSL
         SSL_shutdown(s.get());
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
         gnutls_bye(s.get(), GNUTLS_SHUT_RDWR);
 #endif
     }
@@ -214,7 +214,7 @@ Security::SessionIsResumed(const Security::SessionPointer &s)
     bool result = false;
 #if USE_OPENSSL
     result = SSL_session_reused(s.get()) == 1;
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
     result = gnutls_session_is_resumed(s.get()) != 0;
 #endif
     debugs(83, 7, "session=" << (void*)s.get() << ", query? answer: " << (result ? 'T' : 'F') );
@@ -228,7 +228,7 @@ Security::MaybeGetSessionResumeData(const Security::SessionPointer &s, Security:
 #if USE_OPENSSL
         // nil is valid for SSL_get1_session(), it cannot fail.
         data.reset(SSL_get1_session(s.get()));
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
         gnutls_datum_t *tmp = nullptr;
         const auto x = gnutls_session_get_data2(s.get(), tmp);
         if (x != GNUTLS_E_SUCCESS) {
@@ -252,7 +252,7 @@ Security::SetSessionResumeData(const Security::SessionPointer &s, const Security
             debugs(83, 3, "session=" << (void*)s.get() << " data=" << (void*)data.get() <<
                    " resume error: " << Security::ErrorString(ssl_error));
         }
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
         const auto x = gnutls_session_set_data(s.get(), data->data, data->size);
         if (x != GNUTLS_E_SUCCESS) {
             debugs(83, 3, "session=" << (void*)s.get() << " data=" << (void*)data.get() <<
index 127f87a76f9c1a7f7ccc644c314e6b6a32ed1a18..28c48fa67d0d4ead60c6f9be1ccc4854b6aef06a 100644 (file)
@@ -23,7 +23,7 @@
 #endif
 #endif
 
-#if USE_GNUTLS
+#if HAVE_LIBGNUTLS
 #if HAVE_GNUTLS_GNUTLS_H
 #include <gnutls/gnutls.h>
 #endif
@@ -50,7 +50,7 @@ typedef std::shared_ptr<SSL> SessionPointer;
 
 typedef std::unique_ptr<SSL_SESSION, HardFun<void, SSL_SESSION*, &SSL_SESSION_free>> SessionStatePointer;
 
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
 // to be finalized when it is actually needed/used
 struct Connection {};
 
index 10cf9b3afa3bb5a2bafcfe8e387a005435e3de11..107723d9461be92425705689da2e06da8b3b9f5c 100644 (file)
 #include "base/ToCpp.h"
 #include "security/LockingPointer.h"
 
-#if USE_GNUTLS && HAVE_GNUTLS_ABSTRACT_H
+#if HAVE_LIBGNUTLS
+#if HAVE_GNUTLS_ABSTRACT_H
 #include <gnutls/abstract.h>
 #endif
+#endif /* HAVE_LIBGNUTLS */
 #include <list>
 #include <limits>
 #include <memory>
@@ -57,7 +59,7 @@
 #define SSL_FLAG_VERIFY_CRL_ALL     (1<<6)
 #define SSL_FLAG_CONDITIONAL_AUTH   (1<<7)
 
-#if !USE_OPENSSL && !USE_GNUTLS
+#if !USE_OPENSSL && !HAVE_LIBGNUTLS
 /// A helper type to keep all three possible underlying types of the
 /// Security::Certificate typedef below inside global namespace, so that
 /// argument-dependent lookup for operator "<<" (Certificate) works inside
@@ -75,7 +77,7 @@ typedef CbDataList<Security::CertError> CertErrors;
 
 #if USE_OPENSSL
 typedef X509 Certificate;
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
 typedef struct gnutls_x509_crt_int Certificate;
 #else
 typedef struct notls_x509 Certificate;
@@ -84,7 +86,7 @@ typedef struct notls_x509 Certificate;
 #if USE_OPENSSL
 CtoCpp1(X509_free, X509 *);
 typedef Security::LockingPointer<X509, X509_free_cpp, HardFun<int, X509 *, X509_up_ref> > CertPointer;
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
 typedef std::shared_ptr<struct gnutls_x509_crt_int> CertPointer;
 #else
 typedef std::shared_ptr<Certificate> CertPointer;
@@ -93,7 +95,7 @@ typedef std::shared_ptr<Certificate> CertPointer;
 #if USE_OPENSSL
 CtoCpp1(X509_CRL_free, X509_CRL *);
 typedef Security::LockingPointer<X509_CRL, X509_CRL_free_cpp, HardFun<int, X509_CRL *, X509_CRL_up_ref> > CrlPointer;
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
 CtoCpp1(gnutls_x509_crl_deinit, gnutls_x509_crl_t);
 typedef Security::LockingPointer<struct gnutls_x509_crl_int, gnutls_x509_crl_deinit> CrlPointer;
 #else
@@ -107,7 +109,7 @@ typedef std::list<Security::CrlPointer> CertRevokeList;
 #if USE_OPENSSL
 CtoCpp1(EVP_PKEY_free, EVP_PKEY *)
 using PrivateKeyPointer = Security::LockingPointer<EVP_PKEY, EVP_PKEY_free_cpp, HardFun<int, EVP_PKEY *, EVP_PKEY_up_ref>>;
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
 using PrivateKeyPointer = std::shared_ptr<struct gnutls_x509_privkey_int>;
 #else
 using PrivateKeyPointer = std::shared_ptr<void>;
@@ -120,7 +122,7 @@ typedef Security::LockingPointer<DH, DH_free_cpp, HardFun<int, DH *, DH_up_ref>
 #else
 using DhePointer = PrivateKeyPointer;
 #endif
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
 using DhePointer = void *;
 #else
 using DhePointer = void *;
@@ -137,7 +139,7 @@ typedef int ErrorCode;
 /// `openssl errstr` expands these numbers into human-friendlier strings like
 /// `error:1408F09C:SSL routines:ssl3_get_record:http request`
 typedef unsigned long LibErrorCode;
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
 /// the result of an API function like gnutls_handshake() (e.g.,
 /// GNUTLS_E_WARNING_ALERT_RECEIVED)
 typedef int LibErrorCode;
@@ -150,7 +152,7 @@ typedef int LibErrorCode;
 inline const char *ErrorString(const LibErrorCode code) {
 #if USE_OPENSSL
     return ERR_error_string(code, nullptr);
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
     return gnutls_strerror(code);
 #else
     (void)code;
@@ -168,7 +170,7 @@ enum Type {
 #if USE_OPENSSL
     BIO_TO_CLIENT = 6000,
     BIO_TO_SERVER
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
     // NP: this is odd looking but correct.
     // 'to-client' means we are a server, and vice versa.
     BIO_TO_CLIENT = GNUTLS_SERVER,
@@ -190,7 +192,7 @@ class KeyLog;
 
 #if USE_OPENSSL
 using ParsedOptions = uint64_t;
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
 typedef std::shared_ptr<struct gnutls_priority_st> ParsedOptions;
 #else
 class ParsedOptions {}; // we never parse/use TLS options in this case
index e6871e0296c8fb73cb740482c3dd66ae791d746c..c4d3accab938350a9a678c87c62b4d499b33f71f 100644 (file)
@@ -63,7 +63,7 @@ void Security::KeyLogger::maybeLog(const Connection &, const Acl::ChecklistFille
 Security::ErrorDetail::ErrorDetail(ErrorCode, const CertPointer &, const CertPointer &, const char *) STUB
 #if USE_OPENSSL
 Security::ErrorDetail::ErrorDetail(ErrorCode, int, int) STUB
-#elif USE_GNUTLS
+#elif HAVE_LIBGNUTLS
 Security::ErrorDetail::ErrorDetail(ErrorCode, LibErrorCode, int) STUB
 #endif
 void Security::ErrorDetail::setPeerCertificate(const CertPointer &) STUB