From 5e98f9ba84db6d7464809f5cd3f50bc483c656ba Mon Sep 17 00:00:00 2001
From: reyk
Date: Fri, 16 Jan 2015 15:08:52 +0000
Subject: [PATCH] SSL_CTX_use_certificate_chain() has been added to LibreSSL and there is no need to keep a local copy in ssl_privsep.c. This adds a little burden on OpenSMTPD-portable because it will have to put it in openbsd-compat for compatibility with legacy OpenSSL. OK gilles@
---
 usr.sbin/relayd/relay.c | 4 +--
 usr.sbin/relayd/relayd.h | 3 +-
 usr.sbin/relayd/ssl_privsep.c | 65 +----------------------------------
 usr.sbin/smtpd/ssl.c | 4 +--
 usr.sbin/smtpd/ssl.h | 3 +-
 usr.sbin/smtpd/ssl_privsep.c | 65 +----------------------------------
 6 files changed, 8 insertions(+), 136 deletions(-)
diff --git a/usr.sbin/relayd/relay.c b/usr.sbin/relayd/relay.c
index eff2ee2db13..091db106075 100644
--- a/usr.sbin/relayd/relay.c
+++ b/usr.sbin/relayd/relay.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: relay.c,v 1.186 2015/01/16 15:06:40 deraadt Exp $ */
+/* $OpenBSD: relay.c,v 1.187 2015/01/16 15:08:52 reyk Exp $ */
 /*
  * Copyright (c) 2006 - 2014 Reyk Floeter
@@ -2061,7 +2061,7 @@ relay_tls_ctx_create(struct relay *rlay)
 return (ctx);
 log_debug("%s: loading certificate", __func__);
- if (!ssl_ctx_use_certificate_chain(ctx,
+ if (!SSL_CTX_use_certificate_chain(ctx,
 rlay->rl_tls_cert, rlay->rl_conf.tls_cert_len))
 goto err;
diff --git a/usr.sbin/relayd/relayd.h b/usr.sbin/relayd/relayd.h
index 1a450d2e1cf..e67ca49a5e3 100644
--- a/usr.sbin/relayd/relayd.h
+++ b/usr.sbin/relayd/relayd.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: relayd.h,v 1.204 2015/01/16 15:06:41 deraadt Exp $ */
+/* $OpenBSD: relayd.h,v 1.205 2015/01/16 15:08:52 reyk Exp $ */
 /*
  * Copyright (c) 2006 - 2015 Reyk Floeter
@@ -1221,7 +1221,6 @@ int ssl_ctx_fake_private_key(SSL_CTX *, const void *, size_t,
 char *, off_t, X509 **, EVP_PKEY **);
 /* ssl_privsep.c */
-int ssl_ctx_use_certificate_chain(SSL_CTX *, char *, off_t);
 int ssl_ctx_load_verify_memory(SSL_CTX *, char *, off_t);
 /* ca.c */
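Review bot: The new call in relay_tls_ctx_create() passes `rlay->rl_conf.tls_cert_len` to SSL_CTX_use_certificate_chain() now that the local prototype, which fixed the length parameter as off_t, is gone; the library's parameter type is not visible in this patch, and if it is narrower than off_t (e.g. an int) the certificate length is silently truncated before the buffer is parsed. A guard before the call would make that conversion explicit, e.g. `if (rlay->rl_conf.tls_cert_len > INT_MAX) goto err;` — the same applies to `cert_len` in the ssl_ctx_create() hunk of usr.sbin/smtpd/ssl.c. The removed local copy (the ssl_privsep.c hunks further down) cleared PEM_R_NO_START_LINE from the error queue on success; whether the library routine leaves the queue equally clean is not shown here, and any later code that peeks the error queue would misreport a stale error if it does not, so that is worth confirming against the LibreSSL implementation. relay_tls_ctx_create() begins and ends outside the hunk.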
diff --git a/usr.sbin/relayd/ssl_privsep.c b/usr.sbin/relayd/ssl_privsep.c
index 203a2700f58..b90d5960b11 100644
--- a/usr.sbin/relayd/ssl_privsep.c
+++ b/usr.sbin/relayd/ssl_privsep.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_privsep.c,v 1.10 2014/04/18 13:55:26 reyk Exp $ */
+/* $OpenBSD: ssl_privsep.c,v 1.11 2015/01/16 15:08:52 reyk Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
@@ -76,7 +76,6 @@
 #include
 #include
-int ssl_ctx_use_certificate_chain(SSL_CTX *, char *, off_t);
 int ssl_ctx_load_verify_memory(SSL_CTX *, char *, off_t);
 int ssl_by_mem_ctrl(X509_LOOKUP *, int, const char *, long, char **);
@@ -95,68 +94,6 @@ X509_LOOKUP_METHOD x509_mem_lookup = {
 #define X509_L_ADD_MEM 3
-int
-ssl_ctx_use_certificate_chain(SSL_CTX *ctx, char *buf, off_t len)
-{
- int ret;
- BIO *in;
- X509 *x;
- X509 *ca;
- unsigned long err;
-
- ret = 0;
- x = ca = NULL;
-
- if ((in = BIO_new_mem_buf(buf, len)) == NULL) {
- SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_BUF_LIB);
- goto end;
- }
-
- if ((x = PEM_read_bio_X509(in, NULL,
- ctx->default_passwd_callback,
- ctx->default_passwd_callback_userdata)) == NULL) {
- SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_PEM_LIB);
- goto end;
- }
-
- if (!SSL_CTX_use_certificate(ctx, x) || ERR_peek_error() != 0)
- goto end;
-
- /* If we could set up our certificate, now proceed to
- * the CA certificates.
- */
-
- if (ctx->extra_certs != NULL) {
- sk_X509_pop_free(ctx->extra_certs, X509_free);
- ctx->extra_certs = NULL;
- }
-
- while ((ca = PEM_read_bio_X509(in, NULL,
- ctx->default_passwd_callback,
- ctx->default_passwd_callback_userdata)) != NULL) {
-
- if (!SSL_CTX_add_extra_chain_cert(ctx, ca))
- goto end;
- }
-
- err = ERR_peek_last_error();
- if (ERR_GET_LIB(err) == ERR_LIB_PEM &&
- ERR_GET_REASON(err) == PEM_R_NO_START_LINE)
- ERR_clear_error();
- else
- goto end;
-
- ret = 1;
-end:
- if (ca != NULL)
- X509_free(ca);
- if (x != NULL)
- X509_free(x);
- if (in != NULL)
- BIO_free(in);
- return (ret);
-}
-
 int
 ssl_ctx_load_verify_memory(SSL_CTX *ctx, char *buf, off_t len)
 {
diff --git a/usr.sbin/smtpd/ssl.c b/usr.sbin/smtpd/ssl.c
index 156bfec0654..b9b8ddbda9f 100644
--- a/usr.sbin/smtpd/ssl.c
+++ b/usr.sbin/smtpd/ssl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.c,v 1.73 2015/01/16 14:34:51 reyk Exp $ */
+/* $OpenBSD: ssl.c,v 1.74 2015/01/16 15:08:52 reyk Exp $ */
 /*
  * Copyright (c) 2008 Pierre-Yves Ritschard
@@ -280,7 +280,7 @@ ssl_ctx_create(const char *pkiname, char *cert, off_t cert_len)
 if (cert != NULL) {
 if (pkiname != NULL)
 pkinamelen = strlen(pkiname) + 1;
- if (!ssl_ctx_use_certificate_chain(ctx, cert, cert_len)) {
+ if (!SSL_CTX_use_certificate_chain(ctx, cert, cert_len)) {
 ssl_error("ssl_ctx_create");
 fatal("ssl_ctx_create: invalid certificate chain");
 } else if (!ssl_ctx_fake_private_key(ctx,
diff --git a/usr.sbin/smtpd/ssl.h b/usr.sbin/smtpd/ssl.h
index 414e120e083..28d4ed816a6 100644
--- a/usr.sbin/smtpd/ssl.h
+++ b/usr.sbin/smtpd/ssl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.h,v 1.9 2014/05/20 17:33:36 reyk Exp $ */
+/* $OpenBSD: ssl.h,v 1.10 2015/01/16 15:08:52 reyk Exp $ */
 /*
  * Copyright (c) 2013 Gilles Chehade
  *
@@ -67,6 +67,5 @@ int ssl_ctx_fake_private_key(SSL_CTX *, const void *, size_t,
 char *, off_t, X509 **, EVP_PKEY **);
 /* ssl_privsep.c */
-int ssl_ctx_use_certificate_chain(SSL_CTX *, char *, off_t);
 int ssl_ctx_load_verify_memory(SSL_CTX *, char *, off_t);
 int ssl_by_mem_ctrl(X509_LOOKUP *, int, const char *, long, char **);
diff --git a/usr.sbin/smtpd/ssl_privsep.c b/usr.sbin/smtpd/ssl_privsep.c
index 66dd0c9b5f0..aa8c15d7210 100644
--- a/usr.sbin/smtpd/ssl_privsep.c
+++ b/usr.sbin/smtpd/ssl_privsep.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_privsep.c,v 1.7 2014/04/29 19:13:14 reyk Exp $ */
+/* $OpenBSD: ssl_privsep.c,v 1.8 2015/01/16 15:08:52 reyk Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
@@ -77,7 +77,6 @@
 #include
 int ssl_ctx_use_private_key(SSL_CTX *, char *, off_t);
-int ssl_ctx_use_certificate_chain(SSL_CTX *, char *, off_t);
 int ssl_ctx_load_verify_memory(SSL_CTX *, char *, off_t);
 int ssl_by_mem_ctrl(X509_LOOKUP *, int, const char *, long, char **);
@@ -96,68 +95,6 @@ X509_LOOKUP_METHOD x509_mem_lookup = {
 #define X509_L_ADD_MEM 3
-int
-ssl_ctx_use_certificate_chain(SSL_CTX *ctx, char *buf, off_t len)
-{
- int ret;
- BIO *in;
- X509 *x;
- X509 *ca;
- unsigned long err;
-
- ret = 0;
- x = ca = NULL;
-
- if ((in = BIO_new_mem_buf(buf, len)) == NULL) {
- SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_BUF_LIB);
- goto end;
- }
-
- if ((x = PEM_read_bio_X509(in, NULL,
- ctx->default_passwd_callback,
- ctx->default_passwd_callback_userdata)) == NULL) {
- SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_PEM_LIB);
- goto end;
- }
-
- if (!SSL_CTX_use_certificate(ctx, x) || ERR_peek_error() != 0)
- goto end;
-
- /* If we could set up our certificate, now proceed to
- * the CA certificates.
- */
-
- if (ctx->extra_certs != NULL) {
- sk_X509_pop_free(ctx->extra_certs, X509_free);
- ctx->extra_certs = NULL;
- }
-
- while ((ca = PEM_read_bio_X509(in, NULL,
- ctx->default_passwd_callback,
- ctx->default_passwd_callback_userdata)) != NULL) {
-
- if (!SSL_CTX_add_extra_chain_cert(ctx, ca))
- goto end;
- }
-
- err = ERR_peek_last_error();
- if (ERR_GET_LIB(err) == ERR_LIB_PEM &&
- ERR_GET_REASON(err) == PEM_R_NO_START_LINE)
- ERR_clear_error();
- else
- goto end;
-
- ret = 1;
-end:
- if (ca != NULL)
- X509_free(ca);
- if (x != NULL)
- X509_free(x);
- if (in != NULL)
- BIO_free(in);
- return (ret);
-}
-
 int
 ssl_ctx_load_verify_memory(SSL_CTX *ctx, char *buf, off_t len)
 {
-- 
2.20.1