commit 52d14a3fbf64cf0703fc461e9c5d02ccc5344d8a
parent 2b3119d0e207046d5f92cdfd88e5bab0f2ffd843
Author: Joris Vink <joris@coders.se>
Date: Wed, 11 Jul 2018 12:50:50 +0200
Unbreak building with LibreSSL.
Diffstat:
src/domain.c | | | 55 | +++++++++++++++++++++++++++++++++++++++++++++---------- |
1 file changed, 45 insertions(+), 10 deletions(-)
diff --git a/src/domain.c b/src/domain.c
@@ -52,9 +52,10 @@ int tls_version = KORE_TLS_VERSION_1_2;
#endif
#if !defined(KORE_NO_TLS)
+static BIO *domain_bio_mem(const void *, size_t);
static int domain_x509_verify(int, X509_STORE_CTX *);
static void domain_load_crl(struct kore_domain *);
-static X509 *domain_load_certificate_chain(SSL_CTX *, const char *, size_t);
+static X509 *domain_load_certificate_chain(SSL_CTX *, const void *, size_t);
static void keymgr_init(void);
static void keymgr_await_data(void);
@@ -753,20 +754,14 @@ domain_x509_verify(int ok, X509_STORE_CTX *ctx)
* BIO set to the pem data that we received.
*/
static X509 *
-domain_load_certificate_chain(SSL_CTX *ctx, const char *data, size_t len)
+domain_load_certificate_chain(SSL_CTX *ctx, const void *data, size_t len)
{
- BIO *in;
unsigned long err;
+ BIO *in;
X509 *x, *ca;
- /* because OpenSSL likes taking ints as buffer sizes. */
- if (len > INT_MAX)
- fatal("domain_load_certificate_chain: len > INT_MAX");
-
ERR_clear_error();
-
- if ((in = BIO_new_mem_buf(data, len)) == NULL)
- fatal("BIO_new_mem_buf: %s", ssl_errno_s);
+ in = domain_bio_mem(data, len);
if ((x = PEM_read_bio_X509_AUX(in, NULL, NULL, NULL)) == NULL)
fatal("PEM_read_bio_X509_AUX: %s", ssl_errno_s);
@@ -775,13 +770,23 @@ domain_load_certificate_chain(SSL_CTX *ctx, const char *data, size_t len)
if (SSL_CTX_use_certificate(ctx, x) == 0)
fatal("SSL_CTX_use_certificate: %s", ssl_errno_s);
+#if defined(LIBRESSL_VERSION_TEXT)
+ sk_X509_pop_free(ctx->extra_certs, X509_free);
+ ctx->extra_certs = NULL;
+#else
SSL_CTX_clear_chain_certs(ctx);
+#endif
ERR_clear_error();
while ((ca = PEM_read_bio_X509(in, NULL, NULL, NULL)) != NULL) {
/* ca its reference count won't be increased. */
+#if defined(LIBRESSL_VERSION_TEXT)
+ if (SSL_CTX_add_extra_chain_cert(ctx, ca) == 0)
+ fatal("SSL_CTX_add_extra_chain_cert: %s", ssl_errno_s);
+#else
if (SSL_CTX_add0_chain_cert(ctx, ca) == 0)
fatal("SSL_CTX_add0_chain_cert: %s", ssl_errno_s);
+#endif
}
err = ERR_peek_last_error();
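Review bot: The LibreSSL branch at `sk_X509_pop_free(ctx->extra_certs, X509_free); ctx->extra_certs = NULL;` reaches into SSL_CTX's private fields, which ties the build to LibreSSL keeping that struct non-opaque; if the LibreSSL versions targeted provide `SSL_CTX_clear_extra_chain_certs(ctx)` (the OpenSSL 1.0.2 control that does the same thing), preferring it keeps this on the public API. The existing comment "ca its reference count won't be increased" now sits above both branches; it would help to state that `SSL_CTX_add_extra_chain_cert()` takes ownership of `ca` on success just as `SSL_CTX_add0_chain_cert()` does, so neither branch needs an `X509_free()`. The two calls also differ in scope — extra chain certs are shared by every certificate in the context, whereas add0 attaches the chain to the certificate just loaded — which is presumably fine if one chain is loaded per domain, but a one-line comment saying so would save the next reader the check. domain_load_certificate_chain starts and ends outside this hunk.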
@@ -794,4 +799,34 @@ domain_load_certificate_chain(SSL_CTX *ctx, const char *data, size_t len)
return (x);
}
+
+/*
+ * XXX - Hack around the fact that LibreSSL its BIO_new_mem_buf() does not
+ * take a const pointer for their first argument.
+ *
+ * Since we build with -Wcast-qual and -Werror I rather do this than having
+ * a bunch of pragma preprocessor magic to remove the warnings for that code
+ * if we're dealing with LibreSSL.
+ *
+ * They fixed this in their upcoming 2.8.0 release but that is not out yet
+ * and I'd like this to run on older OpenBSD platforms as well.
+ */
+static BIO *
+domain_bio_mem(const void *data, size_t len)
+{
+ BIO *in;
+ union { void *p; const void *cp; } deconst;
+
+ /* because OpenSSL likes taking ints as memory buffer lengths. */
+ if (len > INT_MAX)
+ fatal("domain_bio_mem: len(%zu) > INT_MAX", len);
+
+ deconst.cp = data;
+
+ if ((in = BIO_new_mem_buf(deconst.p, len)) == NULL)
+ fatal("BIO_new_mem_buf: %s", ssl_errno_s);
+
+ return (in);
+}
+
#endif
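Review bot: `BIO_new_mem_buf(deconst.p, len)` hands a size_t to an int parameter; the preceding INT_MAX check makes that safe, but an explicit `(int)len` would document the narrowing and keep -Wconversion quiet. The header comment should also state the ownership rule of the returned BIO, since BIO_new_mem_buf references the buffer rather than copying it: `/* The BIO references data without copying it; the caller must keep data valid until BIO_free(). */`. Since the comment already says LibreSSL 2.8.0 fixes the const signature, gating the workaround on `LIBRESSL_VERSION_NUMBER` rather than `LIBRESSL_VERSION_TEXT` would let the hack drop away automatically on newer releases. Note that a zero `len` appears to produce an empty BIO rather than an error here, which is only caught later when the caller's PEM_read_* call fails.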