summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorPhil Pennock <pdp@exim.org>2015-05-29 15:46:47 -0400
committerPhil Pennock <pdp@exim.org>2015-05-29 15:51:53 -0400
commit34e3241d80cf27c1ac37d4aab00bc77392a6265e (patch)
tree2781ff1fdd8367c480cb634452b788d48e738f44
parent895ddecbf0ce674422032b88c4aa41c45c97186f (diff)
OpenSSL: guard X509_check_host against LibreSSL
LibreSSL's fork does not have this new function; as well as adding a `LIBRESSL_VERSION_NUMBER` value, that project bumped the OpenSSL version number in such a way as to conflict with our existing version checks. * Add a guard. * Add commentary, suggesting how to avoid getting into twistier knots with API divergence. Reported by Jasper Wallace, who provided a slightly different patch. Fixes bug 1635
-rw-r--r--src/ACKNOWLEDGMENTS1
-rw-r--r--src/src/tls-openssl.c25
2 files changed, 21 insertions, 5 deletions
diff --git a/src/ACKNOWLEDGMENTS b/src/ACKNOWLEDGMENTS
index 1c4a93445..ca88603e0 100644
--- a/src/ACKNOWLEDGMENTS
+++ b/src/ACKNOWLEDGMENTS
@@ -449,6 +449,7 @@ Jan Srzednicki Patch improving Dovecot authenticator
Samuel Thibault Patch fixing IPv6 interface address detection on Hurd
Martin Tscholak Reported issue with TLS anonymous ciphersuites
Stephen Usher Patch fixing use of Oracle's LDAP libraries on Solaris
+Jasper Wallace Patch for LibreSSL compatibility
Holger Weiß Patch leting ${run} return more data than OS pipe
buffer size
Moritz Wilhelmy Pointed out PCRE_PRERELEASE glitch
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index f183e8b45..456ca8142 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -38,12 +38,27 @@ functions from the OpenSSL library. */
#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
# define EXIM_HAVE_OPENSSL_TLSEXT
#endif
-#if OPENSSL_VERSION_NUMBER >= 0x010100000L
-# define EXIM_HAVE_OPENSSL_CHECKHOST
-#endif
-#if OPENSSL_VERSION_NUMBER >= 0x010000000L \
+
+/*
+ * X509_check_host provides sane certificate hostname checking, but was added
+ * to OpenSSL late, after other projects forked off the code-base. So in
+ * addition to guarding against the base version number, beware that LibreSSL
+ * does not (at this time) support this function.
+ *
+ * If LibreSSL gains a different API, perhaps via libtls, then we'll probably
+ * opt to disentangle and ask a LibreSSL user to provide glue for a third
+ * crypto provider for libtls instead of continuing to tie the OpenSSL glue
+ * into even twistier knots. If LibreSSL gains the same API, we can just
+ * change this guard and punt the issue for a while longer.
+ */
+#ifndef LIBRESSL_VERSION_NUMBER
+# if OPENSSL_VERSION_NUMBER >= 0x010100000L
+# define EXIM_HAVE_OPENSSL_CHECKHOST
+# endif
+# if OPENSSL_VERSION_NUMBER >= 0x010000000L \
&& (OPENSSL_VERSION_NUMBER & 0x0000ff000L) >= 0x000002000L
-# define EXIM_HAVE_OPENSSL_CHECKHOST
+# define EXIM_HAVE_OPENSSL_CHECKHOST
+# endif
#endif
#if !defined(EXIM_HAVE_OPENSSL_TLSEXT) && !defined(DISABLE_OCSP)