Support building on OpenBSD #224
LibreSSL hasn't got SSL_CTX_select_current_cert, and it was broken as a side effect at 88da15b.
LibreSSL doesn't implement any 448-bit curves, so some ifdef magic is required to be able to build it on OpenBSD.
OpenBSD 7.6 won't have EVP_PKEY_check anymore, see: openbsd/src@a8d73a0
#ifdef HAVE_X25519 | ||
if (IS_XD_CURVE(nid)) { | ||
unsigned char buf[128]; | ||
size_t len = sizeof(buf); | ||
EVP_PKEY_get_raw_public_key(pub, buf, &len); | ||
pub_pt_hex = OPENSSL_buf2hexstr(buf, len); | ||
pub_pt_hex = binary_to_hex_ucase(buf, len); |
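Review bot: the ownership of pub_pt_hex changes on the last line of this hunk: OPENSSL_buf2hexstr() returned a string allocated by OpenSSL, binary_to_hex_ucase() does not, so any OPENSSL_free(pub_pt_hex) later on this path now frees memory OpenSSL did not allocate and must be removed along with this change. The return value of EVP_PKEY_get_raw_public_key(pub, buf, &len) is also unchecked: on failure len cannot be trusted and uninitialised bytes of buf would be hex-encoded, so guard the call, e.g. `if (EVP_PKEY_get_raw_public_key(pub, buf, &len) != 1) { /* handle error */ }` before converting. The 128-byte buf itself is large enough for both X25519 and X448 raw public keys.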
It's now invalid to call OPENSSL_free() in this code path. binary_to_hex_ucase() result doesn't have to be freed.
Oops, it's definitely the kind of thing someone usually misses at 1am :) Thanks for catching it!
#ifdef HAVE_X25519 | ||
if (IS_XD_CURVE(nid)) { | ||
unsigned char buf[128]; | ||
size_t len = sizeof(buf); | ||
EVP_PKEY_get_raw_public_key(priv, buf, &len); | ||
pub_pt_hex = OPENSSL_buf2hexstr(buf, len); | ||
pub_pt_hex = binary_to_hex_ucase(buf, len); |
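Review bot: the same ownership change as in the public-key hunk applies here: binary_to_hex_ucase() replaces OPENSSL_buf2hexstr() on the last line, so a later OPENSSL_free(pub_pt_hex) on this path is now wrong and has to go. EVP_PKEY_get_raw_public_key(priv, buf, &len) is again called without checking its return value (it extracts the public half from the private key object, which matches the pub_pt_hex name), so add the same `!= 1` guard before the conversion.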
here too
SSL_CTX_select_current_cert(ctx, x); | ||
#endif |
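Review bot: wrapping SSL_CTX_select_current_cert(ctx, x) in a preprocessor guard means that on LibreSSL the call is silently compiled out rather than replaced, so the certificate-selection behaviour that 88da15b introduced this call for needs either a verified equivalent on that library or a comment on the #endif stating why it is not needed there; the SNI / local_name test asked for later in this thread belongs to this hunk. It would also be more robust to key the guard on a configure-time feature check for the function (a HAVE_-style define, name hypothetical) rather than on which TLS library is in use, so the guard tracks the function's presence instead of a library name.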
I wonder if something breaks now because these aren't called, @cmouse ?
I'm not sure, I would have to test this. @catap it would be nice if you could test that:
local_name cert {
}
blocks still work correctly with SNI,
and that e.g. drwetter's SSL checker gives a clean bill of health.
LibreSSL hasn't got it, and binary_to_hex_ucase here does the same thing and is used for OpenSSL 3.
grep is used for simple patterns and basic regular expressions (BREs); egrep can handle extended regular expressions (EREs). A pattern in the form 'a|b|c' requires ERE, and BRE isn't enough for non-GNU grep.
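The BRE-versus-ERE point made in the comment above, shown as an added example that is not part of the dovecot PR: with plain grep the `|` in 'a|b|c' is a literal character, while the POSIX `grep -E` form (the portable spelling of egrep) treats it as alternation. The sample lines and the version strings are constructed for this demonstration.

```shell
#!/bin/sh
# Added example, not code from the dovecot PR: shows why an alternation
# pattern such as 'a|b|c' needs an extended regular expression (ERE).
# The sample lines below are constructed for this demonstration.
sample_lines() {
    printf '%s\n' 'alpha' 'beta' 'gamma' 'literal a|b|c' 'zzz'
}

# BRE (plain grep): POSIX basic regular expressions treat '|' as a literal
# character, so 'a|b|c' matches only the line containing that exact text.
bre_match_count() {
    sample_lines | grep -c 'a|b|c'
}

# ERE via POSIX 'grep -E' (portable replacement for egrep): '|' is
# alternation, so every line containing an 'a', a 'b' or a 'c' matches.
ere_match_count() {
    sample_lines | grep -E -c 'a|b|c'
}

# Portable configure-style check: does a library/OS version string contain
# any of the listed tokens?  -E for alternation, -i for case-insensitivity,
# -q for exit status only; all three flags are POSIX.
matches_any() {
    printf '%s\n' "$1" | grep -E -i -q 'openbsd|libressl|netbsd'
}

bre_match_count                       # prints 1
ere_match_count                       # prints 4
matches_any "LibreSSL 3.9.2" && echo "ERE alternation matched"
```

On GNU grep the BRE form happens to accept `\|` for alternation, which is exactly why a script tested only on Linux can pass there and fail on OpenBSD; `grep -E` behaves the same everywhere.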
Well, I've tried to run it and discovered that dovecot can't start on OpenBSD and probably on non-Linux. It doesn't build and install
but it is included into So, when I try to run dovecot, it fails as:
Thus, I have pushed some small polish, but I haven't tested that SNI works because I can't start it :(
You could just disable imap-hibernate? Not sure why it even tries to start up, though. Do you have a service imap-hibernate block in your config?
I don't, but it is added via default settings :) I'm making a way to exclude it, but it is a bit messy and I'm cleaning it right now.
I just pushed an updated version. It was tested with keys which were generated by the command:
A test was:
and confirmation that the right certificate is used. The config used:
Here is some micro polish which allows building the main branch on OpenBSD 7.6 beta.
I haven't tested it a lot, but it definitely compiled :)