v2.2.26.0 released

Wed Nov 2 12:37:41 UTC 2016

If the standard way works, I am happy to include the original patch I 
sent, amended so that it checks for presence of LIBRESSL_VERSION_NUMBER. 
If they keep this promise, then we should have no worries about things 
breaking up.

Aki

On 02.11.2016 14:24, Michael A. Peters wrote:
> Indeed, which is why I use it.
>
> But it also is in the minority which is why I find it acceptable for 
> FLOSS projects like dovecot to elect to only un-officially support 
> LibreSSL via a community maintained patch.
>
> One of the reasons why OpenSSL was forked is because they were trying 
> to support so many platforms that it made the code a real mess. Don't 
> want the same to happen to another project because of it.
>
> Especially with places like github that make it easy for members of 
> the community to create and maintain such a patch, it may be the best 
> option if the project itself doesn't have someone who can officially 
> maintain LibreSSL support.
>
> On 11/02/2016 05:08 AM, Ruga wrote:
>> libressl is a leaner and safer openssl
>>
>> Sent from ProtonMail Mobile
>>
>>
>> On Wed, Nov 2, 2016 at 12:39 PM, Michael A. Peters 
>> <'mpeters at domblogger.net'> wrote:
>> IMHO it would be acceptable to have a LibreSSL patch that is maintained
>> by the people who want it.
>>
>> It's free software, and that kind of is the point of Open Source.
>>
>> On 11/02/2016 04:36 AM, Michael A. Peters wrote:
>>> They have stated they are going to remain API compatible with 1.0.1h 
>>> (or
>>> g, forget which they forked) - their new stuff is outside of libcrypto.
>>>
>>> On 11/02/2016 04:25 AM, Aki Tuomi wrote:
>>>> It does work today, I am just bit worried that it will keep on 
>>>> breaking
>>>> with libressl as they evolve their API. I would personally like to 
>>>> avoid
>>>> more ifdef hell if possible...
>>>>
>>>> Aki
>>>>
>>>>
>>>> On 02.11.2016 13:22, Michael A. Peters wrote:
>>>>> Standard way to fix it (on the LibreSSL page) is to check for
>>>>> LIBRESSL_VERSION_NUMBER - e.g. the patch attached which I think
>>>>> catches them all where needed. Note the word think.
>>>>>
>>>>> It certainly appears to be working anyway with it.
>>>>>
>>>>> On 11/02/2016 04:07 AM, Aki Tuomi wrote:
>>>>>> After doing some testing by myself, I noticed that libressl, for 
>>>>>> some
>>>>>> unknown reason, defines
>>>>>>
>>>>>> #define OPENSSL_VERSION_NUMBER 0x20000000L
>>>>>>
>>>>>> No idea why they decided to advertise that they are OpenSSL 
>>>>>> v2.0.0. A
>>>>>> local fix, if you need one, is to use
>>>>>>
>>>>>> #if OPENSSL_VERSION_NUMBER == 0x20000000L
>>>>>> #define OPENSSL_VERSION_NUMBER 0x1000100L
>>>>>> #endif
>>>>>>
>>>>>> in dcrypt-openssl.c after includes.
>>>>>>
>>>>>> Aki
>>>>>>
>>>>>>
>>>>>> On 02.11.2016 12:39, Aki Tuomi wrote:
>>>>>>> Hi!
>>>>>>>
>>>>>>> Those are used if
>>>>>>>
>>>>>>> #if OPENSSL_VERSION_NUMBER >= 0x10100000L
>>>>>>>
>>>>>>> So (your) libressl is providing this define. We compile our code 
>>>>>>> using
>>>>>>> GCC and CLANG regularly, with OpenSSL v1.0.x which is the currently
>>>>>>> officially supported one.
>>>>>>>
>>>>>>> Aki
>>>>>>>
>>>>>>>
>>>>>>> On 02.11.2016 12:34, Ruga wrote:
>>>>>>>> dovecot 2.2.26.0 uses the following functions, which are not
>>>>>>>> available on libressl 2.4.3:
>>>>>>>>
>>>>>>>> HMAC_CTX_new
>>>>>>>> HMAC_CTX_free
>>>>>>>> EVP_PKEY_get0_EC_KEY
>>>>>>>> EVP_PKEY_get0_RSA
>>>>>>>> OBJ_length
>>>>>>>> EVP_MD_CTX_new
>>>>>>>> EVP_MD_CTX_free
>>>>>>>>
>>>>>>>> The result of calling a non-existent function is a runtime error,
>>>>>>>> and we do not want that on production servers.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> There are additional problems. I recommend compiling with 
>>>>>>>> clang-llvm
>>>>>>>> 3.9.0
>>>>>>>> to see them all.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> -------- Original Message --------
>>>>>>>> Subject: Re: v2.2.26.0 released
>>>>>>>> Local Time: 1 November 2016 7:30 PM
>>>>>>>> UTC Time: 1 November 2016 18:30
>>>>>>>> From: aki.tuomi at dovecot.fi
>>>>>>>> To: Dovecot Mailing List <dovecot at dovecot.org>, Ruga
>>>>>>>> <ruga at protonmail.com>
>>>>>>>>
>>>>>>>> OpenSSL v1.0.1 is enough.
>>>>>>>>
>>>>>>>> Aki
>>>>>>>>
>>>>>>>>> On November 1, 2016 at 7:46 PM Ruga <ruga at protonmail.com> wrote:
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Hello,
>>>>>>>>>
>>>>>>>>> We cannot upgrade from 2.2.24, because we use libressl and the 
>>>>>>>>> newer
>>>>>>>>> dovecot versions demand openssl v1.1.
>>>>>>>>>
>>>>>>>>> Please add the new library requirement to the INSTALL file.
>>>>>>>>>
>>>>>>>>> All the best.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> -------- Original Message --------
>>>>>>>>> Subject: v2.2.26.0 released
>>>>>>>>> Local Time: 28 October 2016 6:51 PM
>>>>>>>>> UTC Time: 28 October 2016 16:51
>>>>>>>>> From: tss at iki.fi
>>>>>>>>> To: dovecot-news at dovecot.org, Dovecot Mailing List
>>>>>>>>> <dovecot at dovecot.org>
>>>>>>>>>
>>>>>>>>> http://dovecot.org/releases/2.2/dovecot-2.2.26.0.tar.gz
>>>>>>>>> http://dovecot.org/releases/2.2/dovecot-2.2.26.0.tar.gz.sig
>>>>>>>>>
>>>>>>>>> v2.2.26 had a couple of nasty bugs left in it, so here's a fixup
>>>>>>>>> release. The version number is also a little bit weird, but 
>>>>>>>>> had to
>>>>>>>>> be done this way (although 2.2.26.0.1 could have been another
>>>>>>>>> possibility).
>>>>>>>>>
>>>>>>>>> - Fixed some compiling issues.
>>>>>>>>> - auth: Fixed assert-crash when using NTLM or SKEY mechanisms and
>>>>>>>>> multiple passdbs.
>>>>>>>>> - auth: Fixed crash when exporting to auth-worker passdb extra
>>>>>>>>> fields
>>>>>>>>> that had empty values.
>>>>>>>>> - dsync: Fixed assert-crash in dsync_brain_sync_mailbox_deinit
>>>> >