Unbreak build: crypto hdrs not in system includes
authorPhil Pennock <pdp@exim.org>
Wed, 19 Oct 2016 03:22:03 +0000 (23:22 -0400)
committerPhil Pennock <pdp@exim.org>
Wed, 19 Oct 2016 03:28:13 +0000 (23:28 -0400)
If using pkg-config to get the paths for various packages and the crypto
library headers are not in the system headers, then the hash work broke
the Exim build by requiring the CFLAGS manipulation for _all_ builds,
not just the TLS libraries.

Shows up on MacOS where there's a system OpenSSL but not system OpenSSL
headers (because only SecureTransport is supported) and using
brew-installed OpenSSL.

I've also coded the fix for GnuTLS on the same basis, but that's
untested.

Fixes bug 1906

doc/doc-txt/ChangeLog
src/scripts/Configure-Makefile
src/src/EDITME
src/src/sha_ver.h

index c68e45c..1267d75 100644 (file)
@@ -117,6 +117,9 @@ JH/30 Bug 1897: fix callouts connection fallback from TLS to cleartext.
 PP/01 Changed default Diffie-Hellman parameters to be Exim-specific, created
       by me.  Added RFC7919 DH primes as an alternative.
 
+PP/02 Unbreak build via pkg-config with new hash support when crypto headers
+      are not in the system include path.
+
 
 Exim version 4.87
 -----------------
index 4aa7d76..3e486a6 100755 (executable)
@@ -136,13 +136,16 @@ then
       USE_*_PC)
         eval "pc_value=\"\$$var\""
         need_this=''
+        need_core=''
         if [ ".$SUPPORT_TLS" = "." ]; then
           # no TLS, not referencing
           true
         elif [ ".$var" = ".USE_GNUTLS_PC" ] && [ ".$USE_GNUTLS" != "." ]; then
           need_this=t
+          need_core="gnutls-special"
         elif [ ".$var" = ".USE_OPENSSL_PC" ] && [ ".$USE_GNUTLS" = "." ]; then
           need_this=t
+          need_core=t
         fi
         if [ ".$need_this" != "." ]; then
           tls_include=`pkg-config --cflags $pc_value`
@@ -153,6 +156,19 @@ then
           tls_libs=`pkg-config --libs $pc_value`
           echo "TLS_INCLUDE=$tls_include"
           echo "TLS_LIBS=$tls_libs"
+          # With hash.h pulling crypto into the core, we need to also handle that
+          if [ ".$need_this" = ".t" ]; then
+            echo "CFLAGS += $tls_include"
+            echo "LDFLAGS += $tls_libs"
+          elif [ ".$need_this" = ".gnutls-special" ]; then
+            if pkg-config --atleast-version=2.10 gnutls ; then
+              echo "CFLAGS += $tls_include"
+              echo "LDFLAGS += $tls_libs"
+            else
+              echo "CFLAGS += $(libgcrypt-config --cflags)"
+              echo "LDFLAGS += $(libgcrypt-config --libs)"
+            fi
+          fi
         fi
         ;;
 
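Review bot: The two new tests compare `$need_this`, but the previous hunk stores the discriminator in `need_core` (`t` for OpenSSL, `gnutls-special` for GnuTLS) and only ever sets `need_this` to `t`, so the `gnutls-special` branch is unreachable and `need_core` is never read in the lines shown. As written, a GnuTLS build always takes the first branch and gets the pkg-config flags, so a GnuTLS older than 2.10 never receives the libgcrypt flags that the EDITME note describes. The tests should read `if [ ".$need_core" = ".t" ]; then` and `elif [ ".$need_core" = ".gnutls-special" ]; then`. Separately, the `$(libgcrypt-config ...)` substitutions are unchecked, so a missing binary would emit an empty `CFLAGS +=` line and the failure would surface only later at compile time. A `command -v libgcrypt-config` guard that reports the problem on stderr would make it visible at configure time; the enclosing `case` arm starts in the previous hunk.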
index e2d8cf9..6929346 100644 (file)
@@ -746,6 +746,10 @@ HEADERS_CHARSET="ISO-8859-1"
 # USE_GNUTLS_PC=gnutls
 # TLS_LIBS=-lgnutls -ltasn1 -lgcrypt
 
+# If using GnuTLS older than 2.10 and using pkg-config then note that Exim's
+# build process will require libgcrypt-config to exist in your $PATH.  A
+# version that old is likely to become unsupported by Exim in 2017.
+
 # The security fix we provide with the gnutls_allow_auto_pkcs11 option
 # (4.82 PP/09) introduces a compatibility regression.  The symbol is
 # not available if GnuTLS is build without p11-kit (--without-p11-kit
index fd1a4d0..387ac52 100644 (file)
@@ -9,6 +9,13 @@
 
 #include "exim.h"
 
+/* Please be aware that pulling in extra headers which are not in the system
+ * includes may require careful juggling of CFLAGS in
+ * scripts/Configure-Makefile -- that logic should be kept in sync with this.
+ * In particular, building with just something like USE_OPENSSL_PC=openssl
+ * and not massaging CFLAGS in Local/Makefile is fully supported.
+ */
+
 #ifdef SUPPORT_TLS
 
 # define EXIM_HAVE_SHA2