[exim-dev] [Bug 1635] LibreSSL dosn't have X509_check_host

Top Page
Delete this message
Reply to this message
Author: admin
Date:  
To: exim-dev
Old-Topics: [exim-dev] [Bug 1635] New: LibreSSL dosn't have X590_check_host
Subject: [exim-dev] [Bug 1635] LibreSSL dosn't have X509_check_host
https://bugs.exim.org/show_bug.cgi?id=1635

Git Commit <git@???> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |git@???


--- Comment #2 from Git Commit <git@???> ---
Git commit:
http://git.exim.org/exim.git/commitdiff/34e3241d80cf27c1ac37d4aab00bc77392a6265e

commit 34e3241d80cf27c1ac37d4aab00bc77392a6265e
Author:     Phil Pennock <pdp@???>
AuthorDate: Fri May 29 15:46:47 2015 -0400
Commit:     Phil Pennock <pdp@???>
CommitDate: Fri May 29 15:51:53 2015 -0400


    OpenSSL: guard X509_check_host against LibreSSL


    LibreSSL's fork does not have this new function; as well as adding a
    `LIBRESSL_VERSION_NUMBER` value, that project bumped the OpenSSL version
    number in such a way as to conflict with our existing version checks.


    * Add a guard.
    * Add commentary, suggesting how to avoid getting into twistier knots
      with API divergence.


    Reported by Jasper Wallace, who provided a slightly different patch.


    Fixes bug 1635
---
 src/ACKNOWLEDGMENTS   |  1 +
 src/src/tls-openssl.c | 25 ++++++++++++++++++++-----
 2 files changed, 21 insertions(+), 5 deletions(-)


diff --git a/src/ACKNOWLEDGMENTS b/src/ACKNOWLEDGMENTS
index 1c4a934..ca88603 100644
--- a/src/ACKNOWLEDGMENTS
+++ b/src/ACKNOWLEDGMENTS
@@ -449,6 +449,7 @@ Jan Srzednicki            Patch improving Dovecot
authenticator
 Samuel Thibault           Patch fixing IPv6 interface address detection on
Hurd
 Martin Tscholak           Reported issue with TLS anonymous ciphersuites
 Stephen Usher             Patch fixing use of Oracle's LDAP libraries on
Solaris
+Jasper Wallace            Patch for LibreSSL compatibility
 Holger Weià              Patch leting ${run} return more data than OS pipe
                             buffer size
 Moritz Wilhelmy           Pointed out PCRE_PRERELEASE glitch
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index f183e8b..456ca81 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -38,12 +38,27 @@ functions from the OpenSSL library. */
 #if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
 # define EXIM_HAVE_OPENSSL_TLSEXT
 #endif
-#if OPENSSL_VERSION_NUMBER >= 0x010100000L
-# define EXIM_HAVE_OPENSSL_CHECKHOST
-#endif
-#if OPENSSL_VERSION_NUMBER >= 0x010000000L \
+
+/*
+ * X509_check_host provides sane certificate hostname checking, but was added
+ * to OpenSSL late, after other projects forked off the code-base.  So in
+ * addition to guarding against the base version number, beware that LibreSSL
+ * does not (at this time) support this function.
+ *
+ * If LibreSSL gains a different API, perhaps via libtls, then we'll probably
+ * opt to disentangle and ask a LibreSSL user to provide glue for a third
+ * crypto provider for libtls instead of continuing to tie the OpenSSL glue
+ * into even twistier knots.  If LibreSSL gains the same API, we can just
+ * change this guard and punt the issue for a while longer.
+ */
+#ifndef LIBRESSL_VERSION_NUMBER
+# if OPENSSL_VERSION_NUMBER >= 0x010100000L
+#  define EXIM_HAVE_OPENSSL_CHECKHOST
+# endif
+# if OPENSSL_VERSION_NUMBER >= 0x010000000L \
     && (OPENSSL_VERSION_NUMBER & 0x0000ff000L) >= 0x000002000L
-# define EXIM_HAVE_OPENSSL_CHECKHOST
+#  define EXIM_HAVE_OPENSSL_CHECKHOST
+# endif
 #endif


#if !defined(EXIM_HAVE_OPENSSL_TLSEXT) && !defined(DISABLE_OCSP)

--
You are receiving this mail because:
You are on the CC list for the bug.