libressl is a leaner and safer openssl Sent from ProtonMail Mobile
On Wed, Nov 2, 2016 at 12:39 PM, Michael A. Peters <'mpet...@domblogger.net'> wrote: IMHO it would be acceptable to have a LibreSSL patch that is maintained by the people who want it. It's free software, and that kind of is the point of Open Source. On 11/02/2016 04:36 AM, Michael A. Peters wrote: > They have stated they are going to remain API compatible with 1.0.1h (or > g, forget which they forked) - their new stuff is outside of libcrypto. > > On 11/02/2016 04:25 AM, Aki Tuomi wrote: >> It does work today, I am just bit worried that it will keep on breaking >> with libressl as they evolve their API. I would personally like to avoid >> more ifdef hell if possible... >> >> Aki >> >> >> On 02.11.2016 13:22, Michael A. Peters wrote: >>> Standard way to fix it (on the LibreSSL page) is to check for >>> LIBRESSL_VERSION_NUMBER - e.g. the patch attached which I think >>> catches them all where needed. Note the word think. >>> >>> It certainly appears to be working anyway with it. >>> >>> On 11/02/2016 04:07 AM, Aki Tuomi wrote: >>>> After doing some testing by myself, I noticed that libressl, for some >>>> unknown reason, defines >>>> >>>> #define OPENSSL_VERSION_NUMBER 0x20000000L >>>> >>>> No idea why they decided to advertise that they are OpenSSL v2.0.0. A >>>> local fix, if you need one, is to use >>>> >>>> #if OPENSSL_VERSION_NUMBER == 0x20000000L >>>> #define OPENSSL_VERSION_NUMBER 0x1000100L >>>> #endif >>>> >>>> in dcrypt-openssl.c after includes. >>>> >>>> Aki >>>> >>>> >>>> On 02.11.2016 12:39, Aki Tuomi wrote: >>>>> Hi! >>>>> >>>>> Those are used if >>>>> >>>>> #if OPENSSL_VERSION_NUMBER >= 0x10100000L >>>>> >>>>> So (your) libressl is providing this define. We compile our code using >>>>> GCC and CLANG regularly, with OpenSSL v1.0.x which is the currently >>>>> officially supported one. >>>>> >>>>> Aki >>>>> >>>>> >>>>> On 02.11.2016 12:34, Ruga wrote: >>>>>> dovecot 2.2.26.0 uses the following functions, which are not >>>>>> available on libressl 2.4.3: >>>>>> >>>>>> HMAC_CTX_new >>>>>> HMAC_CTX_free >>>>>> EVP_PKEY_get0_EC_KEY >>>>>> EVP_PKEY_get0_RSA >>>>>> OBJ_length >>>>>> EVP_MD_CTX_new >>>>>> EVP_MD_CTX_free >>>>>> >>>>>> The result of calling a non-existent function is a runtime error, >>>>>> and we do not want that on production servers. >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> There are additional problems. I recommend compiling with clang-llvm >>>>>> 3.9.0 >>>>>> to see them all. >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> -------- Original Message -------- >>>>>> Subject: Re: v2.2.26.0 released >>>>>> Local Time: 1 November 2016 7:30 PM >>>>>> UTC Time: 1 November 2016 18:30 >>>>>> From: aki.tu...@dovecot.fi >>>>>> To: Dovecot Mailing List <dovecot@dovecot.org>, Ruga >>>>>> <r...@protonmail.com> >>>>>> >>>>>> OpenSSL v1.0.1 is enough. >>>>>> >>>>>> Aki >>>>>> >>>>>>> On November 1, 2016 at 7:46 PM Ruga <r...@protonmail.com> wrote: >>>>>>> >>>>>>> >>>>>>> Hello, >>>>>>> >>>>>>> We cannot upgrade from 2.2.24, because we use libressl and the newer >>>>>>> dovecot versions demand openssl v1.1. >>>>>>> >>>>>>> Please add the new library requirement to the INSTALL file. >>>>>>> >>>>>>> All the best. >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>>> -------- Original Message -------- >>>>>>> Subject: v2.2.26.0 released >>>>>>> Local Time: 28 October 2016 6:51 PM >>>>>>> UTC Time: 28 October 2016 16:51 >>>>>>> From: t...@iki.fi >>>>>>> To: dovecot-n...@dovecot.org, Dovecot Mailing List >>>>>>> <dovecot@dovecot.org> >>>>>>> >>>>>>> http://dovecot.org/releases/2.2/dovecot-2.2.26.0.tar.gz >>>>>>> http://dovecot.org/releases/2.2/dovecot-2.2.26.0.tar.gz.sig >>>>>>> >>>>>>> v2.2.26 had a couple of nasty bugs left in it, so here's a fixup >>>>>>> release. The version number is also a little bit weird, but had to >>>>>>> be done this way (although 2.2.26.0.1 could have been another >>>>>>> possibility). >>>>>>> >>>>>>> - Fixed some compiling issues. >>>>>>> - auth: Fixed assert-crash when using NTLM or SKEY mechanisms and >>>>>>> multiple passdbs. >>>>>>> - auth: Fixed crash when exporting to auth-worker passdb extra >>>>>>> fields >>>>>>> that had empty values. >>>>>>> - dsync: Fixed assert-crash in dsync_brain_sync_mailbox_deinit >>>
