[exim-cvs] LibreSSL: fixes pulled from OpenBSD patchset

Top Page
Delete this message
Reply to this message
Author: Exim Git Commits Mailing List
Date:  
To: exim-cvs
Subject: [exim-cvs] LibreSSL: fixes pulled from OpenBSD patchset
Gitweb: https://git.exim.org/exim.git/commitdiff/7b162fc84e202a16b89fa11224737ffbdd240bc8
Commit:     7b162fc84e202a16b89fa11224737ffbdd240bc8
Parent:     ecc6864e666fee1502d9784ba69f7c52b1a1c1f7
Author:     Jeremy Harris <jgh146exb@???>
AuthorDate: Sun Dec 8 14:33:26 2024 +0000
Committer:  Jeremy Harris <jgh146exb@???>
CommitDate: Sun Dec 8 14:33:26 2024 +0000


    LibreSSL: fixes pulled from OpenBSD patchset


    Note these are untested apart from regression vs. OpenSSL
---
 src/src/dane-openssl.c | 69 ++++++++++++++++++++++++++++++--------------------
 src/src/tls-openssl.c  |  1 +
 2 files changed, 43 insertions(+), 27 deletions(-)


diff --git a/src/src/dane-openssl.c b/src/src/dane-openssl.c
index 6ed352929..ef1013531 100644
--- a/src/src/dane-openssl.c
+++ b/src/src/dane-openssl.c
@@ -2,7 +2,7 @@
* Author: Viktor Dukhovni
* License: THIS CODE IS IN THE PUBLIC DOMAIN.
*
- * Copyright (c) The Exim Maintainers 2014 - 2019
+ * Copyright (c) The Exim Maintainers 2014 - 2024
*/
#include <stdio.h>
#include <string.h>
@@ -22,22 +22,40 @@
# error "OpenSSL 1.0.0 or higher required"
#endif

-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+# define X509_up_ref(x) CRYPTO_add(&((x)->references), 1, CRYPTO_LOCK_X509)
+#endif
+#if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x3050000fL
+/* Exact version number uncertain */
# define X509_up_ref(x) CRYPTO_add(&((x)->references), 1, CRYPTO_LOCK_X509)
#endif

-/* LibreSSL 2.9.0 and later - 2.9.0 has removed a number of macros ... */
-#ifdef LIBRESSL_VERSION_NUMBER
-# if LIBRESSL_VERSION_NUMBER >= 0x2090000fL
+#ifndef LIBRESSL_VERSION_NUMBER        /* OpenSSL */
+# if OPENSSL_VERSION_NUMBER >= 0x10100000L
+                    /* Newer OpenSSL */
 #  define EXIM_HAVE_ASN1_MACROS
+#  define EXIM_OPAQUE_X509
+# else
+                    /* Older OpenSSL */
+#  define EXIM_TRANSPARENT_CTX
+# endif
+
+#else                    /* LibreSSL */
+# if LIBRESSL_VERSION_NUMBER >= 0x3050000fL
+#  define EXIM_OPAQUE_X509        /* Exact version number uncertain */
+#  define EXIM_NO_NEED_SHA2_REGISTER
+
+# elif LIBRESSL_VERSION_NUMBER >= 0x2090000fL
+    /* LibreSSL 2.9.0 and later - 2.9.0 has removed a number of macros ... */
+#  define EXIM_HAVE_ASN1_MACROS
+
+# else
+#  define EXIM_TRANSPARENT_CTX
 # endif
 #endif
-/* OpenSSL */
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
-# define EXIM_HAVE_ASN1_MACROS
-# define EXIM_OPAQUE_X509
-/* Older OpenSSL and all LibreSSL */
-#else
+
+#ifdef EXIM_TRANSPARENT_CTX
+/* Older OpenSSL and LibreSSL */
 # define X509_STORE_CTX_get_verify(ctx)        (ctx)->verify
 # define X509_STORE_CTX_get_verify_cb(ctx)    (ctx)->verify_cb
 # define X509_STORE_CTX_get0_cert(ctx)        (ctx)->cert
@@ -1621,10 +1639,8 @@ return -1;
 static void
 dane_init(void)
 {
-/*
- * Store library id in zeroth function slot, used to locate the library
- * name.  This must be done before we load the error strings.
- */
+/* Store library id in zeroth function slot, used to locate the library
+name.  This must be done before we load the error strings.  */
 err_lib_dane = ERR_get_next_error_library();


#ifndef OPENSSL_NO_ERR
@@ -1636,24 +1652,23 @@ if (err_lib_dane > 0)
}
#endif

-/*
- * Register SHA-2 digests, if implemented and not already registered.
- */
-#if defined(LN_sha256) && defined(NID_sha256) && !defined(OPENSSL_NO_SHA256)
+#ifndef EXIM_NO_NEED_SHA2_REGISTER
+/* Register SHA-2 digests, if implemented and not already registered. */
+
+# if defined(LN_sha256) && defined(NID_sha256) && !defined(OPENSSL_NO_SHA256)
if (!EVP_get_digestbyname(LN_sha224)) EVP_add_digest(EVP_sha224());
if (!EVP_get_digestbyname(LN_sha256)) EVP_add_digest(EVP_sha256());
-#endif
-#if defined(LN_sha512) && defined(NID_sha512) && !defined(OPENSSL_NO_SHA512)
+# endif
+# if defined(LN_sha512) && defined(NID_sha512) && !defined(OPENSSL_NO_SHA512)
if (!EVP_get_digestbyname(LN_sha384)) EVP_add_digest(EVP_sha384());
if (!EVP_get_digestbyname(LN_sha512)) EVP_add_digest(EVP_sha512());
+# endif
#endif

-/*
- * Register an SSL index for the connection-specific ssl_dane structure.
- * Using a separate index makes it possible to add DANE support to
- * existing OpenSSL releases that don't have a suitable pointer in the
- * SSL structure.
- */
+/* Register an SSL index for the connection-specific ssl_dane structure.
+Using a separate index makes it possible to add DANE support to existing OpenSSL
+releases that don't have a suitable pointer in the SSL structure. */
+
dane_idx = SSL_get_ex_new_index(0, 0, 0, 0, 0);
}

diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 7ac2e94b0..028239095 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -99,6 +99,7 @@ change this guard and punt the issue for a while longer. */

#if LIBRESSL_VERSION_NUMBER >= 0x3040000fL
# define EXIM_HAVE_OPENSSL_CIPHER_GET_ID
+# define OPENSSL_AUTO_SHA256
#endif
#if LIBRESSL_VERSION_NUMBER >= 0x3050000fL
# define EXIM_HAVE_OPENSSL_OCSP_RESP_GET0_CERTS

--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-cvs.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-cvs-unsubscribe@???
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/