Comment on why/how we're disabling freelists.

OpenBSD was clever enough to throw these out so no need to munge the freelist stuff there anymore.
2014-04-11 08:46:50 +02:00 · 2014-04-11 08:46:50 +02:00 · 1c685cce90
parent 95819d2dc2
commit 1c685cce90
1 changed files with 11 additions and 0 deletions
--- a/src/domain.c
+++ b/src/domain.c
@ -114,7 +114,18 @@ kore_domain_sslstart(struct kore_domain *dom)
 	SSL_CTX_set_session_id_context(dom->ssl_ctx,
 	    (unsigned char *)SSL_SESSION_ID, strlen(SSL_SESSION_ID));

+	/*
+	 * Force OpenSSL to not use its freelists. Even without using
+	 * SSL_MODE_RELEASE_BUFFERS there are times it will use the
+	 * freelists. So forcefully putting its max length to 0 is the
+	 * only we choice we seem to have.
+	 *
+	 * Note that OpenBSD has since heartbleed removed freelists
+	 * from its OpenSSL in base so we don't need to care about it.
+	 */
+#if !defined(OpenBSD) || (OpenBSD < 201405)
 	dom->ssl_ctx->freelist_max_len = 0;
+#endif
 	SSL_CTX_set_mode(dom->ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);

 	SSL_CTX_set_options(dom->ssl_ctx, SSL_OP_NO_SSLv2);