kore

An easy to use, scalable and secure web application framework for writing web APIs in C.
Commits | Files | Refs | README | LICENSE | git clone https://git.kore.io/kore.git

commit eab94eda499c318d6da0969d972523d0fd1ddca8
parent 54ca865c11cf1179f07a65577be75931c2987e6a
Author: Joris Vink <joris@coders.se>
Date:   Wed, 25 Sep 2019 15:39:39 +0200

move libressl support to minimum 3.3.0.

Diffstat:
README.md | 2+-
src/domain.c | 45++-------------------------------------------
2 files changed, 3 insertions(+), 44 deletions(-)

diff --git a/README.md b/README.md @@ -53,7 +53,7 @@ Clone this repository or get the latest release at [https://kore.io/releases/3.2 Requirements * openssl (1.0.2, 1.1.0 or 1.1.1) (note: this requirement drops away when building with NOTLS=1 NOHTTP=1) - (note: libressl works as a replacement) + (note: libressl 3.0.0+ works as a replacement) Requirement for asynchronous curl (optional) * libcurl diff --git a/src/domain.c b/src/domain.c @@ -55,7 +55,6 @@ int tls_version = KORE_TLS_VERSION_BOTH; #endif #if !defined(KORE_NO_TLS) -static BIO *domain_bio_mem(const void *, size_t); static int domain_x509_verify(int, X509_STORE_CTX *); static X509 *domain_load_certificate_chain(SSL_CTX *, const void *, size_t); @@ -448,7 +447,7 @@ kore_domain_crl_add(struct kore_domain *dom, const void *pem, size_t pemlen) X509_STORE *store; ERR_clear_error(); - in = domain_bio_mem(pem, pemlen); + in = BIO_new_mem_buf(pem, pemlen); if ((store = SSL_CTX_get_cert_store(dom->ssl_ctx)) == NULL) { BIO_free(in); @@ -845,7 +844,7 @@ domain_load_certificate_chain(SSL_CTX *ctx, const void *data, size_t len) X509 *x, *ca; ERR_clear_error(); - in = domain_bio_mem(data, len); + in = BIO_new_mem_buf(data, len); if ((x = PEM_read_bio_X509_AUX(in, NULL, NULL, NULL)) == NULL) fatal("PEM_read_bio_X509_AUX: %s", ssl_errno_s); @@ -854,23 +853,13 @@ domain_load_certificate_chain(SSL_CTX *ctx, const void *data, size_t len) if (SSL_CTX_use_certificate(ctx, x) == 0) fatal("SSL_CTX_use_certificate: %s", ssl_errno_s); -#if defined(LIBRESSL_VERSION_TEXT) - sk_X509_pop_free(ctx->extra_certs, X509_free); - ctx->extra_certs = NULL; -#else SSL_CTX_clear_chain_certs(ctx); -#endif ERR_clear_error(); while ((ca = PEM_read_bio_X509(in, NULL, NULL, NULL)) != NULL) { /* ca its reference count won't be increased. */ -#if defined(LIBRESSL_VERSION_TEXT) - if (SSL_CTX_add_extra_chain_cert(ctx, ca) == 0) - fatal("SSL_CTX_add_extra_chain_cert: %s", ssl_errno_s); -#else if (SSL_CTX_add0_chain_cert(ctx, ca) == 0) fatal("SSL_CTX_add0_chain_cert: %s", ssl_errno_s); -#endif } err = ERR_peek_last_error(); @@ -883,34 +872,4 @@ domain_load_certificate_chain(SSL_CTX *ctx, const void *data, size_t len) return (x); } - -/* - * XXX - Hack around the fact that LibreSSL its BIO_new_mem_buf() does not - * take a const pointer for their first argument. - * - * Since we build with -Wcast-qual and -Werror I rather do this than having - * a bunch of pragma preprocessor magic to remove the warnings for that code - * if we're dealing with LibreSSL. - * - * They fixed this in their upcoming 2.8.0 release but that is not out yet - * and I'd like this to run on older OpenBSD platforms as well. - */ -static BIO * -domain_bio_mem(const void *data, size_t len) -{ - BIO *in; - union { void *p; const void *cp; } deconst; - - /* because OpenSSL likes taking ints as memory buffer lengths. */ - if (len > INT_MAX) - fatal("domain_bio_mem: len(%zu) > INT_MAX", len); - - deconst.cp = data; - - if ((in = BIO_new_mem_buf(deconst.p, len)) == NULL) - fatal("BIO_new_mem_buf: %s", ssl_errno_s); - - return (in); -} - #endif