Commit c4419bdd authored by Matthias Andree

Permit LibreSSL on OpenBSD.

On OpenBSD, libressl is "normally distributed (in either source or
binary form) with the major components (compiler, kernel, and so on) of
the operating system on which the executable runs" according to Stuart
Henderson, so according to the GNU GPL v2 clause 3, we can permit
LibreSSL for OpenBSD.
parent ad96f3ef
......@@ -22,10 +22,10 @@ following clause applies:
|of the GNU General Public License cover the whole combination.
|
|In addition, as a special exception, the copyright holders of fetchmail
|give you permission to combine fetchmail with free
|software programs or libraries that are released under the GNU LGPL and with
|code included in the standard release of OpenSSL under the OpenSSL or SSLeay license
|(or modified versions of such code, with unchanged license).
|give you permission to combine fetchmail with free software programs or
|libraries that are released with code included in the standard release of
|OpenSSL under the OpenSSL or SSLeay license (or modified versions of such
|code, with unchanged license).
|
|You may copy and distribute such a system following the terms of the GNU GPL
|for fetchmail and the licenses of the other code concerned,
......
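Review bot: the reworded exception paragraph in this hunk no longer mentions the GNU LGPL. The earlier wording read "released under the GNU LGPL and with code included in the standard release of OpenSSL", while the new wording reads "libraries that are released with code included in the standard release of OpenSSL", which drops the LGPL permission and no longer parses cleanly. The commit message only talks about LibreSSL on OpenBSD, so if the removal is unintended, restore "under the GNU LGPL and"; if it is intended, it belongs in its own commit with a line explaining it. Nothing in this hunk mentions OpenBSD or GPL v2 clause 3 either, although the other files now refer readers to COPYING for that reasoning.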
......@@ -25,7 +25,8 @@ See README.SSL for details.
Forked libraries deriving from OpenSSL and under the SSLeay or OpenSSL license
cannot be used due to licensing issues, and are not supported.
This affects, f.i., LibreSSL.
This affects, f.i., LibreSSL, unless it is part of the operating system
(f. i., on OpenBSD).
Since 6.4.25, there is experimental support for wolfSSL 5.0.0 or newer,
which is under GNU GPL v2 or later license and hence may be easier for
......
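Review bot: the added clause "unless it is part of the operating system (f. i., on OpenBSD)" does not say where the permission comes from. A short pointer such as "see GNU GPL v2 clause 3 and COPYING" would let packagers on other systems judge whether they qualify instead of guessing. Style nit in the same sentence: "f.i." and "f. i." are now spelled two ways within two lines.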
......@@ -100,9 +100,9 @@ fetchmail-6.4.25.rc4 (release candidate issued 2021-12-03, 31641 LoC):
# BREAKING CHANGES:
* Since distributions continue patching for LibreSSL use, which cannot be
linked legally, block out LibreSSL in configure.ac and socket.c, and
refer to COPYING. OpenSSL and wolfSSL 5 can be used.
SSL-related documentation was updated, do re-read
COPYING, INSTALL, README, README.packaging, README.SSL.
refer to COPYING, unless on OpenBSD (which ships it in the base system).
OpenSSL and wolfSSL 5 can be used. SSL-related documentation was updated, do
re-read COPYING, INSTALL, README, README.packaging, README.SSL.
* Bump OpenSSL version requirement to 1.0.2f in order to safely remove
the obsolete OpenSSL flag SSL_OP_SINGLE_DH_USE. This blocks out 1.0.2e and
older 1.0.2 versions. 1.0.2f was a security fix release, and 1.0.2u is
......
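Review bot: this edits the BREAKING CHANGES entry under the heading "fetchmail-6.4.25.rc4 (release candidate issued 2021-12-03 ...)", so the notes of an already issued release candidate are changed after the fact. Anyone who read the rc4 notes will not see that the LibreSSL block was relaxed for OpenBSD. Consider leaving the rc4 entry as issued and adding a separate entry under the next release heading that states the OpenBSD exception and the reason for it.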
......@@ -889,9 +889,15 @@ AS_MESSAGE([
LIBS: $LIBS])
case "$LIBS" in *-lssl*|*libssl*|*-lwolfssl*|*libwolfssl*)
AC_CHECK_DECLS([LIBRESSL_VERSION_NUMBER],
case $host_os in
openbsd*) ;; dnl OpenBSD ships LibreSSL in the base operating system
dnl so makes use of the GPL2 clause 3 exception.
*)
AC_CHECK_DECLS([LIBRESSL_VERSION_NUMBER],
AC_MSG_ERROR([fetchmail cannot legally be linked against LibreSSL for lack of GPL2 clause 2b exception. See COPYING.]),,
[#include <openssl/ssl.h>])
;;
esac
AC_CHECK_DECLS([TLS1_3_VERSION],,
AC_MSG_WARN([Your OpenSSL version is too old and does not support TLS v1.3. Upgrade.]),
[#include <openssl/ssl.h>])
......
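Review bot: the "openbsd*) ;;" branch skips the LIBRESSL_VERSION_NUMBER check without telling the builder anything, while socket.c in this same commit calls LibreSSL on OpenBSD "not a supported configuration". An AC_MSG_WARN in that branch would surface the same statement at configure time, where packagers actually look. Also, "case $host_os in" relies on AC_CANONICAL_HOST having run earlier in configure.ac; that is not visible in this hunk, and if it is missing, $host_os is empty and every platform falls through to the "*)" branch, OpenBSD included.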
......@@ -317,13 +317,15 @@ int main(int argc, char **argv)
printf(GT_("OpenSSL: %s\nEngines: %s\n"),
OpenSSL_version(OPENSSL_DIR),
OpenSSL_version(OPENSSL_ENGINES_DIR));
#if !HAVE_DECL_TLS1_3_VERSION || defined(OPENSSL_NO_TLS1_3)
# if !HAVE_DECL_TLS1_3_VERSION || defined(OPENSSL_NO_TLS1_3)
printf(GT_("WARNING: Your SSL/TLS library does not support TLS v1.3.\n"));
#endif
#ifdef LIBRESSL_VERSION_NUMBER
# endif
# if defined(LIBRESSL_VERSION_NUMBER) && !defined(__OpenBSD__)
/* OpenBSD ships LibreSSL as part of the base system, so is exempt
* because it can pull the GPL v2 clause 3 exception */
printf(GT_("ERROR: Compiled against LibreSSL, which is a copyright violation for lack of GPL clause 2b exception. See COPYING. Aborting.\n"));
exit(PS_UNDEFINED);
#endif
# endif
#else
printf(GT_("WARNING: Compiled without SSL/TLS.\n"));
#endif
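Review bot: with "defined(LIBRESSL_VERSION_NUMBER) && !defined(__OpenBSD__)", an OpenBSD build prints nothing about LibreSSL in the version output, even though socket.c labels that combination as unsupported. A non-fatal WARNING line for the LIBRESSL_VERSION_NUMBER plus __OpenBSD__ case would make bug reports show which TLS library is in use. The re-indentation of the surrounding directives ("#if" to "# if", "#endif" to "# endif") is mixed into the functional change and makes the hunk harder to read; a separate whitespace commit would keep this one minimal.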
......@@ -355,13 +357,13 @@ int main(int argc, char **argv)
xfree(run.logfile);
}
#if 0
# if 0
/* not in daemon mode -> turn off logfile option */
if (0 == run.poll_interval) {
if (outlevel >= O_NORMAL) { fprintf(stderr, GT_("Not running in daemon mode, ignoring logfile option.\n")); }
xfree(run.logfile);
}
#endif
# endif
/* log file not writable -> turn off logfile option */
if (run.logfile && 0 != access(run.logfile, F_OK)) {
......
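Review bot: this hunk only re-indents the "#if 0" and "#endif" around a disabled block and has nothing to do with the LibreSSL/OpenBSD licensing change described in the commit message. Please move it to a separate cleanup commit, or remove the dead "#if 0" block altogether if it is not coming back, so that this commit contains only the licensing-related change.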
......@@ -407,8 +407,12 @@ va_dcl {
#define fm_MIN_OPENSSL_VER 0x1000206fL /* 1.0.2f */
#ifdef LIBRESSL_VERSION_NUMBER
#error "FAILED - LibreSSL cannot be used legally, for lack of GPL clause 2b exception, see COPYING."
#ifdef LIBRESSL_VERSION_NUMBER
# ifdef __OpenBSD__
# pragma message "WARNING - Linking against LibreSSL, which is not a supported configuration."
# else
# error "FAILED - LibreSSL cannot be used legally, for lack of GPL clause 2b exception, see COPYING."
# endif
#endif
#ifdef USING_WOLFSSL
......
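Review bot: the "#pragma message" text says "Linking against LibreSSL, which is not a supported configuration", but the README hunk in this commit says forked libraries are not supported "unless it is part of the operating system (f. i., on OpenBSD)", which reads as if OpenBSD with LibreSSL were supported. Pick one position and word both places the same way, for example "permitted but unsupported". Note also that "#pragma message" is a compiler extension; a compiler that does not implement it will ignore it or emit an unknown-pragma warning, so the notice is not guaranteed to appear.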