diff options
| author | Stanislav Levin <slev@altlinux.org> | 2019-05-13 17:56:36 +0300 |
|---|---|---|
| committer | Christian Heimes <cheimes@redhat.com> | 2019-05-14 15:58:40 +0200 |
| commit | 7b8a2af2197381058ca532d1ae206defb16fac88 (patch) | |
| tree | cdf28599875fc5ea88a60d68d1c288eba03e231d /ipaclient | |
| parent | 64dc92ccb4f057ec49070b323f3b827d8642cece (diff) | |
| download | freeipa-7b8a2af2197381058ca532d1ae206defb16fac88.tar.gz freeipa-7b8a2af2197381058ca532d1ae206defb16fac88.tar.xz freeipa-7b8a2af2197381058ca532d1ae206defb16fac88.zip | |
Fix `build_requestinfo` in LibreSSL environments
`build_requestinfo` was broken in @ac6568dcf.
In this case LibreSSL behavior is the same as OpenSSL < 1.1.x.
Thus, an additional check for SSL implementation was added.
Fixes: https://pagure.io/freeipa/issue/7937
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Diffstat (limited to 'ipaclient')
| -rw-r--r-- | ipaclient/csrgen_ffi.py | 25 |
1 files changed, 22 insertions, 3 deletions
diff --git a/ipaclient/csrgen_ffi.py b/ipaclient/csrgen_ffi.py index 64906f972..e53f66bb7 100644 --- a/ipaclient/csrgen_ffi.py +++ b/ipaclient/csrgen_ffi.py @@ -6,13 +6,32 @@ from ipalib import errors _ffi = FFI() _ffi.cdef(''' +/* libcrypto/crypto.h */ unsigned long OpenSSL_version_num(void); unsigned long SSLeay(void); +const char * OpenSSL_version(int t); +const char * SSLeay_version(int t); + +#define OPENSSL_VERSION 0 ''') _libcrypto = _ffi.dlopen(ctypes.util.find_library('crypto')) +# SSLeay_version has been renamed with OpenSSL_version in OpenSSL 1.1.0 +# LibreSSL has OpenSSL_version since 2.7.0 +try: + OpenSSL_version = _libcrypto.OpenSSL_version +except AttributeError: + OpenSSL_version = _libcrypto.SSLeay_version + +_version = OpenSSL_version(_libcrypto.OPENSSL_VERSION) +_version = _ffi.string(_version).decode('utf-8') +LIBRESSL = _version.startswith('LibreSSL') +if not _version.startswith("OpenSSL") and not LIBRESSL: + raise ImportError("Only LibreSSL and OpenSSL are supported") + # SSLeay has been renamed with OpenSSL_version_num in OpenSSL 1.1.0 +# LibreSSL has OpenSSL_version_num since 2.7.0 try: OpenSSL_version_num = _libcrypto.OpenSSL_version_num except AttributeError: @@ -98,7 +117,7 @@ typedef struct X509_req_info_st { ''') # since OpenSSL 1.1.0 req_info field is no longer pointer to X509_REQ_INFO -if _openssl_version >= 0x10100000: +if _openssl_version >= 0x10100000 and not LIBRESSL: _ffi.cdef(''' typedef struct X509_req_st { X509_REQ_INFO req_info; @@ -334,7 +353,7 @@ def build_requestinfo(config, public_key_info): reqdata, ext_ctx, extn_section, req): _raise_openssl_errors() - if _openssl_version < 0x10100000: + if _openssl_version < 0x10100000 or LIBRESSL: der_len = i2d_X509_REQ_INFO(req.req_info, NULL) else: req_info = _ffi.new("X509_REQ_INFO *", req.req_info) @@ -345,7 +364,7 @@ def build_requestinfo(config, public_key_info): der_buf = _ffi.new("unsigned char[%d]" % der_len) der_out = _ffi.new("unsigned char **", der_buf) - if _openssl_version < 0x10100000: + if _openssl_version < 0x10100000 or LIBRESSL: der_len = i2d_X509_REQ_INFO(req.req_info, der_out) else: der_len = i2d_X509_REQ_INFO(req_info, der_out) |