From 8b0fb68e04323248df1208516e8a9293af9859d8 Mon Sep 17 00:00:00 2001 From: Phil Pennock Date: Tue, 18 Oct 2016 23:22:03 -0400 Subject: [PATCH] Unbreak build: crypto hdrs not in system includes If using pkg-config to get the paths for various packages and the crypto library headers are not in the system headers, then the hash work broke the Exim build by requiring the CFLAGS manipulation for _all_ builds, not just the TLS libraries. Shows up on MacOS where there's a system OpenSSL but not system OpenSSL headers (because only SecureTransport is supported) and using brew-installed OpenSSL. I've also coded the fix for GnuTLS on the same basis, but that's untested. Fixes bug 1906 --- doc/doc-txt/ChangeLog | 3 +++ src/scripts/Configure-Makefile | 16 ++++++++++++++++ src/src/EDITME | 4 ++++ src/src/sha_ver.h | 7 +++++++ 4 files changed, 30 insertions(+) diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index c68e45ce8..1267d75dc 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -117,6 +117,9 @@ JH/30 Bug 1897: fix callouts connection fallback from TLS to cleartext. PP/01 Changed default Diffie-Hellman parameters to be Exim-specific, created by me. Added RFC7919 DH primes as an alternative. +PP/02 Unbreak build via pkg-config with new hash support when crypto headers + are not in the system include path. + Exim version 4.87 ----------------- diff --git a/src/scripts/Configure-Makefile b/src/scripts/Configure-Makefile index 4aa7d76cd..3e486a6bb 100755 --- a/src/scripts/Configure-Makefile +++ b/src/scripts/Configure-Makefile 
@@ -136,13 +136,16 @@ then
 USE_*_PC)
 eval "pc_value=\"\$$var\""
 need_this=''
+ need_core=''
 if [ ".$SUPPORT_TLS" = "." ]; then
 # no TLS, not referencing
 true
 elif [ ".$var" = ".USE_GNUTLS_PC" ] && [ ".$USE_GNUTLS" != "." ]; then
 need_this=t
+ need_core="gnutls-special"
 elif [ ".$var" = ".USE_OPENSSL_PC" ] && [ ".$USE_GNUTLS" = "." ]; then
 need_this=t
+ need_core=t
 fi
 if [ ".$need_this" != "." ]; then
 tls_include=`pkg-config --cflags $pc_value`
@@ -153,6 +156,19 @@ then
 tls_libs=`pkg-config --libs $pc_value`
 echo "TLS_INCLUDE=$tls_include"
 echo "TLS_LIBS=$tls_libs"
+ # With hash.h pulling crypto into the core, we need to also handle that
+ if [ ".$need_this" = ".t" ]; then
+ echo "CFLAGS += $tls_include"
+ echo "LDFLAGS += $tls_libs"
+ elif [ ".$need_this" = ".gnutls-special" ]; then
+ if pkg-config --atleast-version=2.10 gnutls ; then
+ echo "CFLAGS += $tls_include"
+ echo "LDFLAGS += $tls_libs"
+ else
+ echo "CFLAGS += $(libgcrypt-config --cflags)"
+ echo "LDFLAGS += $(libgcrypt-config --libs)"
+ fi
+ fi
 fi
 ;;
diff --git a/src/src/EDITME b/src/src/EDITME
index e2d8cf921..69293467e 100644
--- a/src/src/EDITME
+++ b/src/src/EDITME
@@ -746,6 +746,10 @@ HEADERS_CHARSET="ISO-8859-1"
 # USE_GNUTLS_PC=gnutls
 # TLS_LIBS=-lgnutls -ltasn1 -lgcrypt
+# If using GnuTLS older than 2.10 and using pkg-config then note that Exim's
+# build process will require libgcrypt-config to exist in your $PATH. A
+# version that old is likely to become unsupported by Exim in 2017.
+
 # The security fix we provide with the gnutls_allow_auto_pkcs11 option
 # (4.82 PP/09) introduces a compatibility regression. The symbol is
 # not available if GnuTLS is build without p11-kit (--without-p11-kit
diff --git a/src/src/sha_ver.h b/src/src/sha_ver.h
index fd1a4d083..387ac52c1 100644
--- a/src/src/sha_ver.h
+++ b/src/src/sha_ver.h
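Review bot: `need_core` is assigned in three places in the first src/scripts/Configure-Makefile hunk (-136,13 +136,16), but nothing visible reads it. The tests added in the next hunk (-153,6 +156,19) compare `$need_this` instead, which is only ever empty or `t`. As written, the `.gnutls-special` arm cannot be taken, so the libgcrypt-config fallback for GnuTLS older than 2.10 is dead code and a GnuTLS build always gets the pkg-config flags. The two tests should read `if [ ".$need_core" = ".t" ]; then` and `elif [ ".$need_core" = ".gnutls-special" ]; then`. The enclosing `case` arm starts before the hunk, so confirm that no code outside it consumes `need_core`.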
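Review bot: In the `else` arm of the second src/scripts/Configure-Makefile hunk (-153,6 +156,19), the output of `libgcrypt-config` goes straight into the generated `CFLAGS +=` and `LDFLAGS +=` lines with no check that the command exists or succeeded. If it is missing from $PATH, the substitution is empty and configuration continues, so the failure surfaces later as a missing crypto header, which is the symptom this commit sets out to remove. A guard before the two echo lines, such as `command -v libgcrypt-config >/dev/null 2>&1 || echo "libgcrypt-config not found in PATH" >&2`, would report it at configure time. Whichever `libgcrypt-config` comes first on $PATH decides the compiler and linker flags, so the EDITME note could ask builders to check which one is picked up. The arm also uses `$(...)` where the surrounding lines use backticks; keeping to backticks matches the rest of the script.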
@@ -9,6 +9,13 @@
 #include "exim.h"
+/* Please be aware that pulling in extra headers which are not in the system
+ * includes may require careful juggling of CFLAGS in
+ * scripts/Configure-Makefile -- that logic should be kept in sync with this.
+ * In particular, building with just something like USE_OPENSSL_PC=openssl
+ * and not massaging CFLAGS in Local/Makefile is fully supported.
+ */
+
 #ifdef SUPPORT_TLS
 # define EXIM_HAVE_SHA2
-- 
2.30.2