Unbreak build: crypto hdrs not in system includes

If using pkg-config to get the paths for various packages and the crypto
library headers are not in the system headers, then the hash work broke
the Exim build by requiring the CFLAGS manipulation for _all_ builds,
not just the TLS libraries.

Shows up on MacOS where there's a system OpenSSL but not system OpenSSL
headers (because only SecureTransport is supported) and using
brew-installed OpenSSL.

I've also coded the fix for GnuTLS on the same basis, but that's
untested.

Fixes bug 1906

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index c68e45ce8d9ba1352b0fa0985e8a98b8afd96c72..1267d75dcc2f6b559c7a3e47b04e468a4abd49d9 100644 (file)
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -117,6 +117,9 @@ JH/30 Bug 1897: fix callouts connection fallback from TLS to cleartext.
 PP/01 Changed default Diffie-Hellman parameters to be Exim-specific, created
       by me.  Added RFC7919 DH primes as an alternative.
 
+PP/02 Unbreak build via pkg-config with new hash support when crypto headers
+      are not in the system include path.
+
 
 Exim version 4.87
 -----------------

diff --git a/src/scripts/Configure-Makefile b/src/scripts/Configure-Makefile
index 4aa7d76cdc88c4199260eb5bccb3aeecd16e3264..3e486a6bb9e3cfe232a95deb73209028ed04f622 100755 (executable)
--- a/src/scripts/Configure-Makefile
+++ b/src/scripts/Configure-Makefile
@@ -136,13 +136,16 @@ then
       USE_*_PC)
         eval "pc_value=\"\$$var\""
         need_this=''
+        need_core=''
         if [ ".$SUPPORT_TLS" = "." ]; then
           # no TLS, not referencing
           true
         elif [ ".$var" = ".USE_GNUTLS_PC" ] && [ ".$USE_GNUTLS" != "." ]; then
           need_this=t
+          need_core="gnutls-special"
         elif [ ".$var" = ".USE_OPENSSL_PC" ] && [ ".$USE_GNUTLS" = "." ]; then
           need_this=t
+          need_core=t
         fi
         if [ ".$need_this" != "." ]; then
           tls_include=`pkg-config --cflags $pc_value`
@@ -153,6 +156,19 @@ then
           tls_libs=`pkg-config --libs $pc_value`
           echo "TLS_INCLUDE=$tls_include"
           echo "TLS_LIBS=$tls_libs"
+          # With hash.h pulling crypto into the core, we need to also handle that
+          if [ ".$need_this" = ".t" ]; then
+            echo "CFLAGS += $tls_include"
+            echo "LDFLAGS += $tls_libs"
+          elif [ ".$need_this" = ".gnutls-special" ]; then
+            if pkg-config --atleast-version=2.10 gnutls ; then
+              echo "CFLAGS += $tls_include"
+              echo "LDFLAGS += $tls_libs"
+            else
+              echo "CFLAGS += $(libgcrypt-config --cflags)"
+              echo "LDFLAGS += $(libgcrypt-config --libs)"
+            fi
+          fi
         fi
         ;;
 

diff --git a/src/src/EDITME b/src/src/EDITME
index e2d8cf921f803712fee60ace299c5fdd22c44d61..69293467e0fa99f63d1bce563fc700e8beb4d306 100644 (file)
--- a/src/src/EDITME
+++ b/src/src/EDITME
@@ -746,6 +746,10 @@ HEADERS_CHARSET="ISO-8859-1"
 # USE_GNUTLS_PC=gnutls
 # TLS_LIBS=-lgnutls -ltasn1 -lgcrypt
 
+# If using GnuTLS older than 2.10 and using pkg-config then note that Exim's
+# build process will require libgcrypt-config to exist in your $PATH.  A
+# version that old is likely to become unsupported by Exim in 2017.
+
 # The security fix we provide with the gnutls_allow_auto_pkcs11 option
 # (4.82 PP/09) introduces a compatibility regression.  The symbol is
 # not available if GnuTLS is build without p11-kit (--without-p11-kit

diff --git a/src/src/sha_ver.h b/src/src/sha_ver.h
index fd1a4d083f9dff176fdd323662c1801113ffbb94..387ac52c179030c1f0d0ea090e1e6ec961d3033f 100644 (file)
--- a/src/src/sha_ver.h
+++ b/src/src/sha_ver.h
@@ -9,6 +9,13 @@
 
 #include "exim.h"
 
+/* Please be aware that pulling in extra headers which are not in the system
+ * includes may require careful juggling of CFLAGS in
+ * scripts/Configure-Makefile -- that logic should be kept in sync with this.
+ * In particular, building with just something like USE_OPENSSL_PC=openssl
+ * and not massaging CFLAGS in Local/Makefile is fully supported.
+ */
+
 #ifdef SUPPORT_TLS
 
 # define EXIM_HAVE_SHA2