Standard way to fix it (on the LibreSSL page) is to check for LIBRESSL_VERSION_NUMBER - e.g. the patch attached which I think catches them all where needed. Note the word think.

It certainly appears to be working anyway with it.

On 11/02/2016 04:07 AM, Aki Tuomi wrote:
> After doing some testing by myself, I noticed that libressl, for some
> unknown reason, defines
>
> #define OPENSSL_VERSION_NUMBER 0x20000000L
>
> No idea why they decided to advertise that they are OpenSSL v2.0.0. A
> local fix, if you need one, is to use
>
> #if OPENSSL_VERSION_NUMBER == 0x20000000L
> #define OPENSSL_VERSION_NUMBER 0x1000100L
> #endif
>
> in dcrypt-openssl.c after includes.
>
> Aki
>
> On 02.11.2016 12:39, Aki Tuomi wrote:
>> Hi!
>>
>> Those are used if
>>
>> #if OPENSSL_VERSION_NUMBER >= 0x10100000L
>>
>> So (your) libressl is providing this define. We compile our code using
>> GCC and CLANG regularly, with OpenSSL v1.0.x which is the currently
>> officially supported one.
>>
>> Aki
>>
>> On 02.11.2016 12:34, Ruga wrote:
>>> dovecot 2.2.26.0 uses the following functions, which are not
>>> available on libressl 2.4.3:
>>>
>>> HMAC_CTX_new
>>> HMAC_CTX_free
>>> EVP_PKEY_get0_EC_KEY
>>> EVP_PKEY_get0_RSA
>>> OBJ_length
>>> EVP_MD_CTX_new
>>> EVP_MD_CTX_free
>>>
>>> The result of calling a non-existent function is a runtime error,
>>> and we do not want that on production servers.
>>>
>>> There are additional problems. I recommend compiling with clang-llvm
>>> 3.9.0 to see them all.
>>>
>>> -------- Original Message --------
>>> Subject: Re: v2.2.26.0 released
>>> Local Time: 1 November 2016 7:30 PM
>>> UTC Time: 1 November 2016 18:30
>>> From: aki.tuomi at dovecot.fi
>>> To: Dovecot Mailing List <dovecot at dovecot.org>, Ruga
>>> <ruga at protonmail.com>
>>>
>>> OpenSSL v1.0.1 is enough.
>>>
>>> Aki
>>>
>>>> On November 1, 2016 at 7:46 PM Ruga <ruga at protonmail.com> wrote:
>>>>
>>>> Hello,
>>>>
>>>> We cannot upgrade from 2.2.24, because we use libressl and the newer
>>>> dovecot versions demand openssl v1.1.
>>>>
>>>> Please add the new library requirement to the INSTALL file.
>>>>
>>>> All the best.
>>>>
>>>> -------- Original Message --------
>>>> Subject: v2.2.26.0 released
>>>> Local Time: 28 October 2016 6:51 PM
>>>> UTC Time: 28 October 2016 16:51
>>>> From: tss at iki.fi
>>>> To: dovecot-news at dovecot.org, Dovecot Mailing List
>>>> <dovecot at dovecot.org>
>>>>
>>>> http://dovecot.org/releases/2.2/dovecot-2.2.26.0.tar.gz
>>>> http://dovecot.org/releases/2.2/dovecot-2.2.26.0.tar.gz.sig
>>>>
>>>> v2.2.26 had a couple of nasty bugs left in it, so here's a fixup
>>>> release. The version number is also a little bit weird, but had to
>>>> be done this way (although 2.2.26.0.1 could have been another
>>>> possibility).
>>>>
>>>> - Fixed some compiling issues.
>>>> - auth: Fixed assert-crash when using NTLM or SKEY mechanisms and
>>>> multiple passdbs.
>>>> - auth: Fixed crash when exporting to auth-worker passdb extra fields
>>>> that had empty values.
>>>> - dsync: Fixed assert-crash in dsync_brain_sync_mailbox_deinit

-------------- next part --------------
A non-text attachment was scrubbed...
Name: dovecot-2.2.26.0-libressl.patch
Type: text/x-patch
Size: 4597 bytes
Desc: not available
URL: <http://dovecot.org/pipermail/dovecot/attachments/20161102/0e6ac618/attachment.bin>
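
The check described in the message above, as an added example (it is not the attached patch and not Dovecot's code): the guard quoted in the thread next to one that also tests LIBRESSL_VERSION_NUMBER. The header values are defined inline as constructed stand-ins; the LIBRESSL_VERSION_NUMBER value and every macro and function name other than the two version macros are assumptions made for this example.

```c
#include <stdio.h>

/* Constructed stand-in for LibreSSL's <openssl/opensslv.h>: the first value
 * is the one quoted in the thread, the second is a sample value chosen for
 * this example. No OpenSSL or LibreSSL headers are needed to build this. */
#define OPENSSL_VERSION_NUMBER  0x20000000L
#define LIBRESSL_VERSION_NUMBER 0x2040300fL

/* Guard as quoted in the thread: true under LibreSSL's define, so code
 * behind it would reference HMAC_CTX_new(), EVP_MD_CTX_new() and the rest. */
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
#define NAIVE_GUARD 1
#else
#define NAIVE_GUARD 0
#endif

/* Same guard with the LIBRESSL_VERSION_NUMBER check added. */
#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
#define LIBRESSL_AWARE_GUARD 1
#else
#define LIBRESSL_AWARE_GUARD 0
#endif

/* What the preprocessor picked for the constructed header values above. */
int naive_guard_selected(void) { return NAIVE_GUARD; }
int libressl_aware_guard_selected(void) { return LIBRESSL_AWARE_GUARD; }

/* Runtime mirror of the LibreSSL-aware guard, to try other header values.
 * has_libressl_macro: nonzero if LIBRESSL_VERSION_NUMBER is defined. */
int selects_new_api(long openssl_version, int has_libressl_macro)
{
    return openssl_version >= 0x10100000L && !has_libressl_macro;
}

int main(void)
{
    printf("LibreSSL headers, naive guard:          %d\n", naive_guard_selected());
    printf("LibreSSL headers, LibreSSL-aware guard: %d\n", libressl_aware_guard_selected());
    /* 0x1000100fL is the OpenSSL 1.0.1 release number; 0x10100000L is the
     * threshold used in the guard quoted in the thread. */
    printf("OpenSSL 0x1000100fL, no LibreSSL macro:  %d\n", selects_new_api(0x1000100fL, 0));
    printf("OpenSSL 0x10100000L, no LibreSSL macro:  %d\n", selects_new_api(0x10100000L, 0));
    return 0;
}
```
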

It does work today, I am just a bit worried that it will keep on breaking with libressl as they evolve their API. I would personally like to avoid more ifdef hell if possible...

Aki

On 02.11.2016 13:22, Michael A. Peters wrote:
> Standard way to fix it (on the LibreSSL page) is to check for
> LIBRESSL_VERSION_NUMBER - e.g. the patch attached which I think
> catches them all where needed. Note the word think.
>
> It certainly appears to be working anyway with it.

They have stated they are going to remain API compatible with 1.0.1h (or g, forget which they forked) - their new stuff is outside of libcrypto.

On 11/02/2016 04:25 AM, Aki Tuomi wrote:
> It does work today, I am just a bit worried that it will keep on breaking
> with libressl as they evolve their API. I would personally like to avoid
> more ifdef hell if possible...
>
> Aki

Thank you.

On Wed, Nov 2, 2016 at 12:22 PM, Michael A. Peters <'mpeters at domblogger.net'> wrote:
> Standard way to fix it (on the LibreSSL page) is to check for
> LIBRESSL_VERSION_NUMBER - e.g. the patch attached which I think
> catches them all where needed. Note the word think.
>
> It certainly appears to be working anyway with it.