https://bugs.exim.org/show_bug.cgi?id=1635
Git Commit <git@???> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |git@???
--- Comment #2 from Git Commit <git@???> ---
Git commit:
http://git.exim.org/exim.git/commitdiff/34e3241d80cf27c1ac37d4aab00bc77392a6265e
commit 34e3241d80cf27c1ac37d4aab00bc77392a6265e
Author: Phil Pennock <pdp@???>
AuthorDate: Fri May 29 15:46:47 2015 -0400
Commit: Phil Pennock <pdp@???>
CommitDate: Fri May 29 15:51:53 2015 -0400
OpenSSL: guard X509_check_host against LibreSSL
LibreSSL's fork does not have this new function; as well as adding a
`LIBRESSL_VERSION_NUMBER` value, that project bumped the OpenSSL version
number in such a way as to conflict with our existing version checks.
* Add a guard.
* Add commentary, suggesting how to avoid getting into twistier knots
with API divergence.
Reported by Jasper Wallace, who provided a slightly different patch.
Fixes bug 1635
---
src/ACKNOWLEDGMENTS | 1 +
src/src/tls-openssl.c | 25 ++++++++++++++++++++-----
2 files changed, 21 insertions(+), 5 deletions(-)
diff --git a/src/ACKNOWLEDGMENTS b/src/ACKNOWLEDGMENTS
index 1c4a934..ca88603 100644
--- a/src/ACKNOWLEDGMENTS
+++ b/src/ACKNOWLEDGMENTS
@@ -449,6 +449,7 @@ Jan Srzednicki Patch improving Dovecot
authenticator
Samuel Thibault Patch fixing IPv6 interface address detection on
Hurd
Martin Tscholak Reported issue with TLS anonymous ciphersuites
Stephen Usher Patch fixing use of Oracle's LDAP libraries on
Solaris
+Jasper Wallace Patch for LibreSSL compatibility
Holger Weià Patch leting ${run} return more data than OS pipe
buffer size
Moritz Wilhelmy Pointed out PCRE_PRERELEASE glitch
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index f183e8b..456ca81 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -38,12 +38,27 @@ functions from the OpenSSL library. */
#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
# define EXIM_HAVE_OPENSSL_TLSEXT
#endif
-#if OPENSSL_VERSION_NUMBER >= 0x010100000L
-# define EXIM_HAVE_OPENSSL_CHECKHOST
-#endif
-#if OPENSSL_VERSION_NUMBER >= 0x010000000L \
+
+/*
+ * X509_check_host provides sane certificate hostname checking, but was added
+ * to OpenSSL late, after other projects forked off the code-base. So in
+ * addition to guarding against the base version number, beware that LibreSSL
+ * does not (at this time) support this function.
+ *
+ * If LibreSSL gains a different API, perhaps via libtls, then we'll probably
+ * opt to disentangle and ask a LibreSSL user to provide glue for a third
+ * crypto provider for libtls instead of continuing to tie the OpenSSL glue
+ * into even twistier knots. If LibreSSL gains the same API, we can just
+ * change this guard and punt the issue for a while longer.
+ */
+#ifndef LIBRESSL_VERSION_NUMBER
+# if OPENSSL_VERSION_NUMBER >= 0x010100000L
+# define EXIM_HAVE_OPENSSL_CHECKHOST
+# endif
+# if OPENSSL_VERSION_NUMBER >= 0x010000000L \
&& (OPENSSL_VERSION_NUMBER & 0x0000ff000L) >= 0x000002000L
-# define EXIM_HAVE_OPENSSL_CHECKHOST
+# define EXIM_HAVE_OPENSSL_CHECKHOST
+# endif
#endif
#if !defined(EXIM_HAVE_OPENSSL_TLSEXT) && !defined(DISABLE_OCSP)
--
You are receiving this mail because:
You are on the CC list for the bug.
