this time targetting ABI level 3; partially based on how claudio@
handled it in rpki-client. Fun how this bit of code has come full
circle (gmid inspired what I wrote for got, which inspired what was
written for rpki-client, which has come back.)
it's not used (we define OPENSSL_PRNG_ONLY) and fails the build
with -Werror. Keep the function commented instead of deleting it
just in case we need to undefine OPENSSL_PRNG_ONLY in the future.
gmid (like all other daemons that want to do privsep crypto) has a
very close relationship with libtls and need to stay in sync with
it.
OpenBSD' libtls was recently changed to use OpenSSL' EC_KEY_METHOD
instead of the older ECDSA_METHOD, on the gmid side we have to do
the same otherwise failures happens at runtime. In a similar manner,
privsep crypto is silently broken in the current libretls (next
version should fix it.)
The proper solution would be to complete the signer APIs so that
applications don't need to dive into the library' internals, but
that's a mid-term goal, for the immediate bundling the 'little'
libtls is the lesser evil.
The configure script has gained a new (undocumented for the time
being) flag `--with-libtls=bundled|system' to control which libtls
to use. It defaults to `bundled' except for OpenBSD where it uses
the `system' one. Note that OpenBSD versions before 7.3 (inclusive)
ought to use --with-libtls=bundled too since they still do ECDSA_METHOD.
Set a sane default for INSTALL, allow it to be changed either as
environment variable or configure argument, and propagate it correctly
to the generated config.mk.
Issue reported by xavi, thanks!
We might end up calling client_close() from start_reply(), but that
will free the fcgi/proxy bufferevent while they're still used on the
stack.
Instead, start_reply() only sets REQUEST_DONE and exits, returning the
error eventually, so callers know when to stop.
The idea is to require SCRIPT_NAME to be defined and strip it from
the beginning of the path to get PATH_INFO. Soon(tm) a `fastcgi
request strip' option will be added too. Maybe even `fastcgi script
name "path"` that sets SCRIPT_NAME automatically.
Doesn't seem to be available on many systems. It is also not strictly
needed since we include vis.h only after headers like stdlib.h that
already pulls in the type it needs.
strnvis originates on OpenBSD. When NetBSD added it to their libc
they decided to swap the argument. Without starting a holy war on
the "best" argument order, adding an implementation of a function
that's widely available and making its signature purposefully
incompatible is beyond justification. FreeBSD (and so macos too?)
followed NetBSD in this, so we end up with *two* major and incompatible
strnvis implementations. libbsd is in a limbo, they started with
the OpenBSD version but they'll probably switch to the NetBSD version
in the future.
That's why we can't have nice things.
Do the right thing(tm) and check for the presence of the original
strnvis(3), if not available or broken use the bundled one.
The new config_test() fails miserably when the privsep crypto engine is
not enabled. As a temporary workaround, forcibly disable it during
config_test() as we're not going to run anyway.
Attempt to do also a few more steps that were previously done only
at runtime. This can help verifying that the keypairs are matching
for example, but also that there are no typos in the path to the
root directories.
Was requested some time ago by Marian Mizik, thanks for the feature
request!
Was requested ages ago by Karl Jeacle, now that there is some better
support for configuring the logging there's no excuse to add this.
It helps with filtering from syslog.d / syslog.conf.
I think the condensed is better but it'll need to change post 2.0
to accomodate for logging the number of bytes read in the body of
a titan request (and it's weird to hardcode a zero there.) 2.0
will ship with the legacy logging style thus.
Omar Polo