diff options
-rw-r--r-- | src/core/capsicum.c | 7 | ||||
-rw-r--r-- | src/core/network-openssl.c | 17 |
2 files changed, 24 insertions, 0 deletions
diff --git a/src/core/capsicum.c b/src/core/capsicum.c index 79db780a..3b0708cb 100644 --- a/src/core/capsicum.c +++ b/src/core/capsicum.c @@ -403,6 +403,13 @@ static void cmd_capsicum_enter(void) return; } + /* + * XXX: We should use pdwait(2) to wait for children. Unfortunately + * it's not implemented yet. Thus the workaround, to get rid + * of the zombies at least. + */ + signal(SIGCHLD, SIG_IGN); + error = cap_enter(); if (error != 0) { signal_emit("capability mode failed", 1, strerror(errno)); diff --git a/src/core/network-openssl.c b/src/core/network-openssl.c index 2054f28a..7ec902fb 100644 --- a/src/core/network-openssl.c +++ b/src/core/network-openssl.c @@ -45,6 +45,19 @@ #define ASN1_STRING_data(x) ASN1_STRING_get0_data(x) #endif +/* OpenSSL 1.1.0 also introduced some useful additions to the api */ +#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined (LIBRESSL_VERSION_NUMBER) +static int X509_STORE_up_ref(X509_STORE *vfy) +{ + int n; + + n = CRYPTO_add(&vfy->references, 1, CRYPTO_LOCK_X509_STORE); + g_assert(n > 1); + + return (n > 1) ? 1 : 0; +} +#endif + /* ssl i/o channel object */ typedef struct { @@ -510,6 +523,10 @@ static GIOChannel *irssi_ssl_get_iochannel(GIOChannel *handle, int port, SERVER_ g_free(scapath); verify = TRUE; } else if (store != NULL) { + /* Make sure to increment the refcount every time the store is + * used, that's essential not to get it free'd by OpenSSL when + * the SSL_CTX is destroyed. */ + X509_STORE_up_ref(store); SSL_CTX_set_cert_store(ctx, store); } |