On 2017-10-13 11:21:03 [-0400], Ryan Kavanagh wrote: > Hi Sebastian, Hi Ryan,
> To clarify: I wrote a patch that I believe ports opensmtpd to OpenSSL > 1.1, but with no backwards compatibility for 1.0. It has not been > applied (nor reviewed) by upstream, because upstream needs to cope with > multiple SSL libraries and they are waiting to see how other OpenBSD > portable daemons deal with this. See this comment[0] for details on > their situation. Could you retry with the following patch? SSL_F_SSL_CTX_USE_CERTIFICATE_FILE and SSL_CTX_clear_extra_chain_certs was around in openssl since before they forked it. So with this patch it should work with their libressl, libssl 1.0.2 and 1.1.
From: Ryan Kavanagh <r...@debian.org>
Date: Sun, 6 Nov 2016 11:40:32 -0500
Subject: [PATCH] OpenSSL 1.1 compat: update SSL ctx usages
[ bigeasy @ breakpoint
---
openbsd-compat/libressl.c | 17 +++++++----------
smtpd/libressl.c | 13 +++++--------
smtpd/ssl.h | 14 ++++++++++++++
3 files changed, 26 insertions(+), 18 deletions(-)
--- a/openbsd-compat/libressl.c
+++ b/openbsd-compat/libressl.c
@@ -81,14 +81,14 @@ SSL_CTX_use_certificate_chain(SSL_CTX *c
 x = ca = NULL;
 if ((in = BIO_new_mem_buf(buf, len)) == NULL) {
- SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_BUF_LIB);
+ SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_BUF_LIB);
 goto end;
 }
 if ((x = PEM_read_bio_X509(in, NULL,
- ctx->default_passwd_callback,
- ctx->default_passwd_callback_userdata)) == NULL) {
- SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_PEM_LIB);
+ SSL_CTX_get_default_passwd_cb(ctx),
+ SSL_CTX_get_default_passwd_cb_userdata(ctx))) == NULL) {
+ SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_PEM_LIB);
 goto end;
 }
@@ -99,14 +99,11 @@ SSL_CTX_use_certificate_chain(SSL_CTX *c
 * the CA certificates.
 */
- if (ctx->extra_certs != NULL) {
- sk_X509_pop_free(ctx->extra_certs, X509_free);
- ctx->extra_certs = NULL;
- }
+ SSL_CTX_clear_extra_chain_certs(ctx);
 while ((ca = PEM_read_bio_X509(in, NULL,
- ctx->default_passwd_callback,
- ctx->default_passwd_callback_userdata)) != NULL) {
+ SSL_CTX_get_default_passwd_cb(ctx),
+ SSL_CTX_get_default_passwd_cb_userdata(ctx))) != NULL) {
 if (!SSL_CTX_add_extra_chain_cert(ctx, ca))
 goto end;
--- a/smtpd/libressl.c
+++ b/smtpd/libressl.c
@@ -94,8 +94,8 @@ ssl_ctx_use_certificate_chain_bio(SSL_CT
 ERR_clear_error(); /* clear error stack for SSL_CTX_use_certificate() */
- x = PEM_read_bio_X509_AUX(in, NULL, ctx->default_passwd_callback,
- ctx->default_passwd_callback_userdata);
+ x = PEM_read_bio_X509_AUX(in, NULL, SSL_CTX_get_default_passwd_cb(ctx),
+ SSL_CTX_get_default_passwd_cb_userdata(ctx));
 if (x == NULL) {
 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_PEM_LIB);
 goto end;
@@ -115,14 +115,11 @@ ssl_ctx_use_certificate_chain_bio(SSL_CT
 int r;
 unsigned long err;
- if (ctx->extra_certs != NULL) {
- sk_X509_pop_free(ctx->extra_certs, X509_free);
- ctx->extra_certs = NULL;
- }
+ SSL_CTX_clear_extra_chain_certs(ctx);
 while ((ca = PEM_read_bio_X509(in, NULL,
- ctx->default_passwd_callback,
- ctx->default_passwd_callback_userdata)) != NULL) {
+ SSL_CTX_get_default_passwd_cb(ctx),
+ SSL_CTX_get_default_passwd_cb_userdata(ctx))) != NULL) {
 r = SSL_CTX_add_extra_chain_cert(ctx, ca);
 if (!r) {
 X509_free(ca);
--- a/smtpd/ssl.h
+++ b/smtpd/ssl.h
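Review bot: The context line `SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_PEM_LIB);` in ssl_ctx_use_certificate_chain_bio is left untouched, while the same patch renames that reason code to `SSL_F_SSL_CTX_USE_CERTIFICATE_FILE` in openbsd-compat/libressl.c. If the rename was needed because OpenSSL 1.1 no longer defines the `_CHAIN_FILE` constant, this translation unit will still fail to compile against 1.1; if it was not needed, the two files now report different function codes for the same failure. Either way the two copies should agree, so I would change this line to `SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_PEM_LIB);` or provide the missing constant in smtpd/ssl.h next to the other compatibility shims. The function's body continues outside the hunk.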
@@ -73,3 +73,17 @@ void SSL_CTX_set_ecdh_auto(SSL_CTX *, in
 void SSL_CTX_set_dh_auto(SSL_CTX *, int);
 #endif
 int SSL_CTX_use_certificate_chain_mem(SSL_CTX *, void *, int);
+
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
+
+static inline pem_password_cb *SSL_CTX_get_default_passwd_cb(SSL_CTX *ctx)
+{
+ return ctx->default_passwd_callback;
+}
+
+static inline void *SSL_CTX_get_default_passwd_cb_userdata(SSL_CTX *ctx)
+{
+ return ctx->default_passwd_callback_userdata;
+}
+
+#endif
> Best, > Ryan > Sebastian
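Review bot: The `#if` guard around the new accessors takes the LibreSSL branch for every LibreSSL version, so these `static inline` definitions of `SSL_CTX_get_default_passwd_cb` and `SSL_CTX_get_default_passwd_cb_userdata` will clash with the library's own once LibreSSL ships them (to my knowledge that happened in 2.7.0, after this thread), and reading `ctx->default_passwd_callback` directly also stops working when a later release makes `SSL_CTX` opaque. Since LibreSSL sets `OPENSSL_VERSION_NUMBER` to `0x20000000L`, the first operand never matches it, so the LibreSSL side should be bounded by its own version: `#if OPENSSL_VERSION_NUMBER < 0x10100000L || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000fL)`. A one-line comment above the block stating that the shims exist only because pre-1.1 OpenSSL and older LibreSSL expose no accessors for these two fields would tell whoever bumps the minimum library version that the block can be deleted.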