From d6b05bcff7037c63c52c5f10444be3cac30ef9cc Mon Sep 17 00:00:00 2001
From: Joris Vink
Date: Mon, 14 Jan 2019 20:57:40 +0100
Subject: [PATCH 1/4] always force reload cert so we get a new x509 store.

Otherwise older OpenSSL or current LibreSSL will fail to add the new CRL as they still match on subject name rather then hash of the CRL data.
---
 include/kore/kore.h | 2 --
 src/domain.c | 3 ---
 src/keymgr.c | 20 +++++---------------
 3 files changed, 5 insertions(+), 20 deletions(-)

diff --git a/include/kore/kore.h b/include/kore/kore.h
index 0ff922a..79f9141 100644
--- a/include/kore/kore.h
+++ b/include/kore/kore.h
@@ -411,9 +411,7 @@ struct kore_domain {
 #if !defined(KORE_NO_TLS)
 char *cafile;
 char *crlfile;
- time_t crl_mtime;
 char *certfile;
- time_t cert_mtime;
 char *certkey;
 SSL_CTX *ssl_ctx;
 int x509_verify_depth;
diff --git a/src/domain.c b/src/domain.c
index 4361db1..9fe5cf1 100644
--- a/src/domain.c
+++ b/src/domain.c
@@ -210,9 +210,6 @@ kore_domain_new(char *domain)
 dom->ssl_ctx = NULL;
 dom->certfile = NULL;
 dom->crlfile = NULL;
-
- dom->crl_mtime = 0;
- dom->cert_mtime = 0;
 dom->x509_verify_depth = 1;
 #endif
 dom->domain = kore_strdup(domain);
diff --git a/src/keymgr.c b/src/keymgr.c
index faae90d..f9305fd 100644
--- a/src/keymgr.c
+++ b/src/keymgr.c
@@ -73,7 +73,7 @@ static void keymgr_entropy_request(struct kore_msg *, const void *);
 static void keymgr_certificate_request(struct kore_msg *, const void *);
 static void keymgr_submit_certificates(struct kore_domain *, u_int16_t);
 static void keymgr_submit_file(u_int8_t, struct kore_domain *,
- const char *, u_int16_t, time_t *, int);
+ const char *, u_int16_t, int);
 static void keymgr_rsa_encrypt(struct kore_msg *, const void *,
 struct key *);
 
@@ -197,18 +197,15 @@ keymgr_reload(void)
 static void
 keymgr_submit_certificates(struct kore_domain *dom, u_int16_t dst)
 {
- keymgr_submit_file(KORE_MSG_CERTIFICATE,
- dom, dom->certfile, dst, &dom->cert_mtime, 0);
+ keymgr_submit_file(KORE_MSG_CERTIFICATE, dom, dom->certfile, dst, 0);
 
- if (dom->crlfile != NULL) {
- keymgr_submit_file(KORE_MSG_CRL,
- dom, dom->crlfile, dst, &dom->crl_mtime, 1);
- }
+ if (dom->crlfile != NULL)
+ keymgr_submit_file(KORE_MSG_CRL, dom, dom->crlfile, dst, 1);
 }
 
 static void
 keymgr_submit_file(u_int8_t id, struct kore_domain *dom,
- const char *file, u_int16_t dst, time_t *mtime, int can_fail)
+ const char *file, u_int16_t dst, int can_fail)
 {
 int fd;
 struct stat st;
@@ -234,13 +231,6 @@ keymgr_submit_file(u_int8_t id, struct kore_domain *dom,
 (intmax_t)st.st_size);
 }
 
- if (st.st_mtime == *mtime) {
- close(fd);
- return;
- }
-
- *mtime = st.st_mtime;
-
 len = sizeof(*msg) + st.st_size;
 payload = kore_calloc(1, len);
 

From d1e87c1a548366b7c32357ada70477f6b92ddd4f Mon Sep 17 00:00:00 2001
From: Joris Vink
Date: Tue, 15 Jan 2019 10:20:13 +0100
Subject: [PATCH 2/4] deal with PyObject_CallObject() returning NULL.

---
 src/python.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/python.c b/src/python.c
index 7b2bd99..bdf080b 100644
--- a/src/python.c
+++ b/src/python.c
@@ -1484,7 +1484,7 @@ pytimer_run(void *arg, u_int64_t now)
 PyErr_Clear();
 
 ret = PyObject_CallObject(timer->callable, NULL);
- Py_DECREF(ret);
+ Py_XDECREF(ret);
 
 if (timer->flags & KORE_TIMER_ONESHOT) {
 timer->run = NULL;

From 3f083d6126e7d25be57d7403a129c6c0c718422d Mon Sep 17 00:00:00 2001
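Review bot: Nothing at the call sites in keymgr_submit_certificates records why the certificate and CRL are now resubmitted on every reload; the reason lives only in the commit message, and the next person to see repeated identical submissions may reintroduce an mtime shortcut. A comment above the first call would pin it: `/* Always resubmit: the worker must rebuild its X509_STORE, since older OpenSSL/LibreSSL match a replacement CRL by subject rather than content and would otherwise refuse it. */`. The CRL call keeps can_fail=1 while the certificate call keeps 0, which matches the prior behaviour. keymgr_submit_file's body continues past the hunk.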
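Review bot: Switching to Py_XDECREF avoids the NULL dereference but leaves the exception that a NULL return signals both set and unreported: PyObject_CallObject returns NULL only when the timer callable raised, and the hunk carries on without inspecting it. Reporting it keeps callback failures visible and clears the error indicator before any further C-API calls: `if (ret == NULL) PyErr_Print(); else Py_DECREF(ret);`. The PyErr_Clear() before the call only disposes of state left over from earlier, not of this failure. pytimer_run continues outside the hunk.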
From: Joris Vink
Date: Sat, 19 Jan 2019 11:49:54 +0100
Subject: [PATCH 3/4] deal with crls being expired / not-yet-valid.

if a crl is expired or not-yet-valid SSL_get_verify_result() will return these errors too so check for them explicitly instead of depending on X509_V_OK. found by @dacechavez
---
 src/connection.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/connection.c b/src/connection.c
index d143b44..89459b6 100644
--- a/src/connection.c
+++ b/src/connection.c
@@ -306,7 +306,12 @@ kore_connection_handle(struct connection *c)
 }
 
 r = SSL_get_verify_result(c->ssl);
- if (r != X509_V_OK) {
+ switch (r) {
+ case X509_V_OK:
+ case X509_V_ERR_CRL_NOT_YET_VALID:
+ case X509_V_ERR_CRL_HAS_EXPIRED:
+ break;
+ default:
 kore_debug("SSL_get_verify_result(): %d, %s",
 r, ssl_errno_s);
 return (KORE_RESULT_ERROR);

From 39467847fb2bdbcb8dccb1f9b68282b802281b6d Mon Sep 17 00:00:00 2001
From: Joris Vink
Date: Mon, 21 Jan 2019 10:36:50 +0100
Subject: [PATCH 4/4] remove SSL_get_verify_result() check.

If peer verification is turned on this becomes part of the handshake process anyway and SSL_accept() will fail when appropriate.
---
 src/connection.c | 12 ------------
 1 file changed, 12 deletions(-)

diff --git a/src/connection.c b/src/connection.c
index 89459b6..28d1b33 100644
--- a/src/connection.c
+++ b/src/connection.c
@@ -305,18 +305,6 @@ kore_connection_handle(struct connection *c)
 c->cert = NULL;
 }
 
- r = SSL_get_verify_result(c->ssl);
- switch (r) {
- case X509_V_OK:
- case X509_V_ERR_CRL_NOT_YET_VALID:
- case X509_V_ERR_CRL_HAS_EXPIRED:
- break;
- default:
- kore_debug("SSL_get_verify_result(): %d, %s",
- r, ssl_errno_s);
- return (KORE_RESULT_ERROR);
- }
-
 if (c->owner != NULL) {
 listener = (struct listener *)c->owner;
 if (listener->connect != NULL) {
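Review bot: The new switch treats X509_V_ERR_CRL_NOT_YET_VALID and X509_V_ERR_CRL_HAS_EXPIRED the same as X509_V_OK with a bare `break`, so a connection whose revocation data is stale is accepted without any trace, which fails open on revocation checking. At minimum emit the diagnostic the default arm already has before breaking, e.g. `case X509_V_ERR_CRL_HAS_EXPIRED: kore_debug("SSL_get_verify_result(): %d (CRL not current)", r); break;`, and a one-line comment should state that tolerating these two results is deliberate. The following patch removes this block entirely on the grounds that SSL_accept() already fails when verification fails; if that holds, a completed handshake could not report these CRL errors, so whichever verify callback is letting them through is worth confirming, as it is not visible here. kore_connection_handle continues outside the hunk.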