kore

commit eab94eda499c318d6da0969d972523d0fd1ddca8
parent 54ca865c11cf1179f07a65577be75931c2987e6a
Author: Joris Vink <joris@coders.se>
Date:   Wed, 25 Sep 2019 15:39:39 +0200

move libressl support to minimum 3.3.0.

Diffstat:
README.md
 | 
2
+-
src/domain.c
 | 
45
++-------------------------------------------

2 files changed, 3 insertions(+), 44 deletions(-)
diff --git a/README.md b/README.md
@@ -53,7 +53,7 @@ Clone this repository or get the latest release at [https://kore.io/releases/3.2
 Requirements
 * openssl (1.0.2, 1.1.0 or 1.1.1)
   (note: this requirement drops away when building with NOTLS=1 NOHTTP=1)
-  (note: libressl works as a replacement)
+  (note: libressl 3.0.0+ works as a replacement)
 
 Requirement for asynchronous curl (optional)
 * libcurl
diff --git a/src/domain.c b/src/domain.c
@@ -55,7 +55,6 @@ int				tls_version = KORE_TLS_VERSION_BOTH;
 #endif
 
 #if !defined(KORE_NO_TLS)
-static BIO	*domain_bio_mem(const void *, size_t);
 static int	domain_x509_verify(int, X509_STORE_CTX *);
 static X509	*domain_load_certificate_chain(SSL_CTX *, const void *, size_t);
 
@@ -448,7 +447,7 @@ kore_domain_crl_add(struct kore_domain *dom, const void *pem, size_t pemlen)
 	X509_STORE		*store;
 
 	ERR_clear_error();
-	in = domain_bio_mem(pem, pemlen);
+	in = BIO_new_mem_buf(pem, pemlen);
 
 	if ((store = SSL_CTX_get_cert_store(dom->ssl_ctx)) == NULL) {
 		BIO_free(in);
@@ -845,7 +844,7 @@ domain_load_certificate_chain(SSL_CTX *ctx, const void *data, size_t len)
 	X509		*x, *ca;
 
 	ERR_clear_error();
-	in = domain_bio_mem(data, len);
+	in = BIO_new_mem_buf(data, len);
 
 	if ((x = PEM_read_bio_X509_AUX(in, NULL, NULL, NULL)) == NULL)
 		fatal("PEM_read_bio_X509_AUX: %s", ssl_errno_s);
@@ -854,23 +853,13 @@ domain_load_certificate_chain(SSL_CTX *ctx, const void *data, size_t len)
 	if (SSL_CTX_use_certificate(ctx, x) == 0)
 		fatal("SSL_CTX_use_certificate: %s", ssl_errno_s);
 
-#if defined(LIBRESSL_VERSION_TEXT)
-	sk_X509_pop_free(ctx->extra_certs, X509_free);
-	ctx->extra_certs = NULL;
-#else
 	SSL_CTX_clear_chain_certs(ctx);
-#endif
 
 	ERR_clear_error();
 	while ((ca = PEM_read_bio_X509(in, NULL, NULL, NULL)) != NULL) {
 		/* ca its reference count won't be increased. */
-#if defined(LIBRESSL_VERSION_TEXT)
-		if (SSL_CTX_add_extra_chain_cert(ctx, ca) == 0)
-			fatal("SSL_CTX_add_extra_chain_cert: %s", ssl_errno_s);
-#else
 		if (SSL_CTX_add0_chain_cert(ctx, ca) == 0)
 			fatal("SSL_CTX_add0_chain_cert: %s", ssl_errno_s);
-#endif
 	}
 
 	err = ERR_peek_last_error();
@@ -883,34 +872,4 @@ domain_load_certificate_chain(SSL_CTX *ctx, const void *data, size_t len)
 
 	return (x);
 }
-
-/*
- * XXX - Hack around the fact that LibreSSL its BIO_new_mem_buf() does not
- * take a const pointer for their first argument.
- *
- * Since we build with -Wcast-qual and -Werror I rather do this than having
- * a bunch of pragma preprocessor magic to remove the warnings for that code
- * if we're dealing with LibreSSL.
- *
- * They fixed this in their upcoming 2.8.0 release but that is not out yet
- * and I'd like this to run on older OpenBSD platforms as well.
- */
-static BIO *
-domain_bio_mem(const void *data, size_t len)
-{
-	BIO					*in;
-	union { void *p; const void *cp; }	deconst;
-
-	/* because OpenSSL likes taking ints as memory buffer lengths. */
-	if (len > INT_MAX)
-		fatal("domain_bio_mem: len(%zu) > INT_MAX", len);
-
-	deconst.cp = data;
-
-	if ((in = BIO_new_mem_buf(deconst.p, len)) == NULL)
-		fatal("BIO_new_mem_buf: %s", ssl_errno_s);
-
-	return (in);
-}
-
 #endif