On 2017-10-13 11:21:03 [-0400], Ryan Kavanagh wrote:
> Hi Sebastian,
Hi Ryan,

> To clarify: I wrote a patch that I believe ports opensmtpd to OpenSSL
> 1.1, but with no backwards compatibility for 1.0. It has not been
> applied (nor reviewed) by upstream, because upstream needs to cope with
> multiple SSL libraries and they are waiting to see how other OpenBSD
> portable daemons deal with this. See this comment[0] for details on
> their situation.
 
Could you retry with the following patch?
SSL_F_SSL_CTX_USE_CERTIFICATE_FILE and SSL_CTX_clear_extra_chain_certs
were around in openssl since before they forked it. So with this patch it
should work with their libressl, libssl 1.0.2 and 1.1.

From: Ryan Kavanagh <r...@debian.org>
Date: Sun, 6 Nov 2016 11:40:32 -0500
Subject: [PATCH] OpenSSL 1.1 compat: update SSL ctx usages

[ bigeasy @ breakpoint
---
 openbsd-compat/libressl.c |   17 +++++++----------
 smtpd/libressl.c          |   13 +++++--------
 smtpd/ssl.h               |   14 ++++++++++++++
 3 files changed, 26 insertions(+), 18 deletions(-)

--- a/openbsd-compat/libressl.c
+++ b/openbsd-compat/libressl.c
@@ -81,14 +81,14 @@ SSL_CTX_use_certificate_chain(SSL_CTX *c
        x = ca = NULL;
 
        if ((in = BIO_new_mem_buf(buf, len)) == NULL) {
-               SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_BUF_LIB);
+               SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_BUF_LIB);
                goto end;
        }
 
        if ((x = PEM_read_bio_X509(in, NULL,
-                   ctx->default_passwd_callback,
-                   ctx->default_passwd_callback_userdata)) == NULL) {
-               SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_PEM_LIB);
+                   SSL_CTX_get_default_passwd_cb(ctx),
+                   SSL_CTX_get_default_passwd_cb_userdata(ctx))) == NULL) {
+               SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_PEM_LIB);
                goto end;
        }
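Review bot: The two SSLerr calls in this hunk switch their function code from SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE to SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, but the same SSLerr in smtpd/libressl.c (the context line right after the PEM_read_bio_X509_AUX change in the first hunk of that file) keeps SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE. If the CHAIN_FILE code is missing on one of the targeted libraries, that unchanged site will fail to build there; if it is present everywhere, the two copies now report the same failure under different function names in the error stack. Either way nothing in the code says why the code differs from the one the function's name suggests; a short comment at the first changed call, e.g. `/* function code chosen because it exists in OpenSSL 1.0.2, 1.1 and LibreSSL alike */`, would record the reason given in the cover letter. SSL_CTX_use_certificate_chain begins and ends outside this hunk.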
 
@@ -99,14 +99,11 @@ SSL_CTX_use_certificate_chain(SSL_CTX *c
         * the CA certificates.
         */
 
-       if (ctx->extra_certs != NULL) {
-               sk_X509_pop_free(ctx->extra_certs, X509_free);
-               ctx->extra_certs = NULL;
-       }
+       SSL_CTX_clear_extra_chain_certs(ctx);
 
        while ((ca = PEM_read_bio_X509(in, NULL,
-                   ctx->default_passwd_callback,
-                   ctx->default_passwd_callback_userdata)) != NULL) {
+                   SSL_CTX_get_default_passwd_cb(ctx),
+                   SSL_CTX_get_default_passwd_cb_userdata(ctx))) != NULL) {
 
                if (!SSL_CTX_add_extra_chain_cert(ctx, ca))
                        goto end;
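Review bot: In the loop kept on the new side, a failing SSL_CTX_add_extra_chain_cert(ctx, ca) jumps to end without releasing ca, whereas the equivalent loop in smtpd/libressl.c calls X509_free(ca) before bailing out. Unless the end: label, which lies outside this hunk, frees ca, the certificate just read from the PEM buffer leaks on that path; `if (!SSL_CTX_add_extra_chain_cert(ctx, ca)) { X509_free(ca); goto end; }` would bring the two copies in line. The replacement of the open-coded sk_X509_pop_free with SSL_CTX_clear_extra_chain_certs(ctx) itself looks right, and discarding its result matches the old inline code, which had no status to report. The function's tail, including end:, is outside the hunk.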
--- a/smtpd/libressl.c
+++ b/smtpd/libressl.c
@@ -94,8 +94,8 @@ ssl_ctx_use_certificate_chain_bio(SSL_CT
 
        ERR_clear_error(); /* clear error stack for SSL_CTX_use_certificate() */
 
-       x = PEM_read_bio_X509_AUX(in, NULL, ctx->default_passwd_callback,
-           ctx->default_passwd_callback_userdata);
+       x = PEM_read_bio_X509_AUX(in, NULL, SSL_CTX_get_default_passwd_cb(ctx),
+           SSL_CTX_get_default_passwd_cb_userdata(ctx));
        if (x == NULL) {
                SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_PEM_LIB);
                goto end;
@@ -115,14 +115,11 @@ ssl_ctx_use_certificate_chain_bio(SSL_CT
                int r;
                unsigned long err;
 
-               if (ctx->extra_certs != NULL) {
-                       sk_X509_pop_free(ctx->extra_certs, X509_free);
-                       ctx->extra_certs = NULL;
-               }
+               SSL_CTX_clear_extra_chain_certs(ctx);
 
                while ((ca = PEM_read_bio_X509(in, NULL,
-                   ctx->default_passwd_callback,
-                   ctx->default_passwd_callback_userdata)) != NULL) {
+                   SSL_CTX_get_default_passwd_cb(ctx),
+                   SSL_CTX_get_default_passwd_cb_userdata(ctx))) != NULL) {
                        r = SSL_CTX_add_extra_chain_cert(ctx, ca);
                        if (!r) {
                                X509_free(ca);
--- a/smtpd/ssl.h
+++ b/smtpd/ssl.h
@@ -73,3 +73,17 @@ void SSL_CTX_set_ecdh_auto(SSL_CTX *, in
 void   SSL_CTX_set_dh_auto(SSL_CTX *, int);
 #endif
 int SSL_CTX_use_certificate_chain_mem(SSL_CTX *, void *, int);
+
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
+
+static inline pem_password_cb *SSL_CTX_get_default_passwd_cb(SSL_CTX *ctx)
+{
+       return ctx->default_passwd_callback;
+}
+
+static inline void *SSL_CTX_get_default_passwd_cb_userdata(SSL_CTX *ctx)
+{
+       return ctx->default_passwd_callback_userdata;
+}
+
+#endif
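Review bot: The `defined(LIBRESSL_VERSION_NUMBER)` arm of the guard selects these shims for every LibreSSL version, so if a LibreSSL release ships SSL_CTX_get_default_passwd_cb and SSL_CTX_get_default_passwd_cb_userdata itself, the static inline definitions here will clash with its prototypes; bounding that arm, `|| (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < <FIRST_LIBRESSL_WITH_GETTERS>)`, keeps the shim out of builds where the library already provides them. The same bound also covers the fact that both shims read ctx->default_passwd_callback and ctx->default_passwd_callback_userdata directly, which only compiles while SSL_CTX is a complete type for that library. The guard also presumes OPENSSL_VERSION_NUMBER is already defined at this point in ssl.h (an undefined macro evaluates to 0 in #if and would select the shims on OpenSSL 1.1 as well); an earlier include outside the hunk presumably brings it in, worth confirming. A one-line comment above the block, e.g. `/* OpenSSL 1.1 accessors, open-coded for older OpenSSL and LibreSSL which expose the SSL_CTX fields directly */`, would tell the next reader why the functions exist.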

> Best,
> Ryan
> 

Sebastian
