From 34e3241d80cf27c1ac37d4aab00bc77392a6265e Mon Sep 17 00:00:00 2001 From: Phil Pennock Date: Fri, 29 May 2015 15:46:47 -0400 Subject: [PATCH] OpenSSL: guard X509_check_host against LibreSSL LibreSSL's fork does not have this new function; as well as adding a `LIBRESSL_VERSION_NUMBER` value, that project bumped the OpenSSL version number in such a way as to conflict with our existing version checks. * Add a guard. * Add commentary, suggesting how to avoid getting into twistier knots with API divergence. Reported by Jasper Wallace, who provided a slightly different patch. Fixes bug 1635 --- src/ACKNOWLEDGMENTS | 1 + src/src/tls-openssl.c | 25 ++++++++++++++++++++----- 2 files changed, 21 insertions(+), 5 deletions(-) diff --git a/src/ACKNOWLEDGMENTS b/src/ACKNOWLEDGMENTS index 1c4a93445..ca88603e0 100644 --- a/src/ACKNOWLEDGMENTS +++ b/src/ACKNOWLEDGMENTS @@ -449,6 +449,7 @@ Jan Srzednicki Patch improving Dovecot authenticator Samuel Thibault Patch fixing IPv6 interface address detection on Hurd Martin Tscholak Reported issue with TLS anonymous ciphersuites Stephen Usher Patch fixing use of Oracle's LDAP libraries on Solaris +Jasper Wallace Patch for LibreSSL compatibility Holger Weiß Patch leting ${run} return more data than OS pipe buffer size Moritz Wilhelmy Pointed out PCRE_PRERELEASE glitch diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c index f183e8b45..456ca8142 100644 --- a/src/src/tls-openssl.c +++ b/src/src/tls-openssl.c @@ -38,12 +38,27 @@ functions from the OpenSSL library. */ #if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT) # define EXIM_HAVE_OPENSSL_TLSEXT #endif -#if OPENSSL_VERSION_NUMBER >= 0x010100000L -# define EXIM_HAVE_OPENSSL_CHECKHOST -#endif -#if OPENSSL_VERSION_NUMBER >= 0x010000000L \ + +/* + * X509_check_host provides sane certificate hostname checking, but was added + * to OpenSSL late, after other projects forked off the code-base. So in + * addition to guarding against the base version number, beware that LibreSSL + * does not (at this time) support this function. + * + * If LibreSSL gains a different API, perhaps via libtls, then we'll probably + * opt to disentangle and ask a LibreSSL user to provide glue for a third + * crypto provider for libtls instead of continuing to tie the OpenSSL glue + * into even twistier knots. If LibreSSL gains the same API, we can just + * change this guard and punt the issue for a while longer. + */ +#ifndef LIBRESSL_VERSION_NUMBER +# if OPENSSL_VERSION_NUMBER >= 0x010100000L +# define EXIM_HAVE_OPENSSL_CHECKHOST +# endif +# if OPENSSL_VERSION_NUMBER >= 0x010000000L \ && (OPENSSL_VERSION_NUMBER & 0x0000ff000L) >= 0x000002000L -# define EXIM_HAVE_OPENSSL_CHECKHOST +# define EXIM_HAVE_OPENSSL_CHECKHOST +# endif #endif #if !defined(EXIM_HAVE_OPENSSL_TLSEXT) && !defined(DISABLE_OCSP) -- 2.30.2