blackbeard420/kore
1
0
Fork 0
mirror of https://github.com/jorisvink/kore synced 2025-03-09 12:39:01 -04:00
Code Issues Projects Releases Wiki Activity

move libressl support to minimum 3.3.0.

Browse Source
This commit is contained in:
Joris Vink 2019-09-25 15:39:39 +02:00
parent 54ca865c11
commit eab94eda49
2 changed files with 3 additions and 44 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
README.md
View File

@ -53,7 +53,7 @@ Clone this repository or get the latest release at [https://kore.io/releases/3.2
Requirements
* openssl (1.0.2, 1.1.0 or 1.1.1)
(note: this requirement drops away when building with NOTLS=1 NOHTTP=1)
(note: libressl works as a replacement)
(note: libressl 3.0.0+ works as a replacement)
Requirement for asynchronous curl (optional)
* libcurl

45
src/domain.c
View File

@ -55,7 +55,6 @@ int tls_version = KORE_TLS_VERSION_BOTH;
#endif
#if !defined(KORE_NO_TLS)
static BIO *domain_bio_mem(const void *, size_t);
static int domain_x509_verify(int, X509_STORE_CTX *);
static X509 *domain_load_certificate_chain(SSL_CTX *, const void *, size_t);
@ -448,7 +447,7 @@ kore_domain_crl_add(struct kore_domain *dom, const void *pem, size_t pemlen)
X509_STORE *store;
ERR_clear_error();
in = domain_bio_mem(pem, pemlen);
in = BIO_new_mem_buf(pem, pemlen);
if ((store = SSL_CTX_get_cert_store(dom->ssl_ctx)) == NULL) {
BIO_free(in);
@ -845,7 +844,7 @@ domain_load_certificate_chain(SSL_CTX *ctx, const void *data, size_t len)
X509 *x, *ca;
ERR_clear_error();
in = domain_bio_mem(data, len);
in = BIO_new_mem_buf(data, len);
if ((x = PEM_read_bio_X509_AUX(in, NULL, NULL, NULL)) == NULL)
fatal("PEM_read_bio_X509_AUX: %s", ssl_errno_s);
@ -854,23 +853,13 @@ domain_load_certificate_chain(SSL_CTX *ctx, const void *data, size_t len)
if (SSL_CTX_use_certificate(ctx, x) == 0)
fatal("SSL_CTX_use_certificate: %s", ssl_errno_s);
#if defined(LIBRESSL_VERSION_TEXT)
sk_X509_pop_free(ctx->extra_certs, X509_free);
ctx->extra_certs = NULL;
#else
SSL_CTX_clear_chain_certs(ctx);
#endif
ERR_clear_error();
while ((ca = PEM_read_bio_X509(in, NULL, NULL, NULL)) != NULL) {
/* ca its reference count won't be increased. */
#if defined(LIBRESSL_VERSION_TEXT)
if (SSL_CTX_add_extra_chain_cert(ctx, ca) == 0)
fatal("SSL_CTX_add_extra_chain_cert: %s", ssl_errno_s);
#else
if (SSL_CTX_add0_chain_cert(ctx, ca) == 0)
fatal("SSL_CTX_add0_chain_cert: %s", ssl_errno_s);
#endif
}
err = ERR_peek_last_error();
@ -883,34 +872,4 @@ domain_load_certificate_chain(SSL_CTX *ctx, const void *data, size_t len)
return (x);
}
/*
* XXX - Hack around the fact that LibreSSL its BIO_new_mem_buf() does not
* take a const pointer for their first argument.
*
* Since we build with -Wcast-qual and -Werror I rather do this than having
* a bunch of pragma preprocessor magic to remove the warnings for that code
* if we're dealing with LibreSSL.
*
* They fixed this in their upcoming 2.8.0 release but that is not out yet
* and I'd like this to run on older OpenBSD platforms as well.
*/
static BIO *
domain_bio_mem(const void *data, size_t len)
{
BIO *in;
union { void *p; const void *cp; } deconst;
/* because OpenSSL likes taking ints as memory buffer lengths. */
if (len > INT_MAX)
fatal("domain_bio_mem: len(%zu) > INT_MAX", len);
deconst.cp = data;
if ((in = BIO_new_mem_buf(deconst.p, len)) == NULL)
fatal("BIO_new_mem_buf: %s", ssl_errno_s);
return (in);
}
#endif