summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/core/capsicum.c7
-rw-r--r--src/core/network-openssl.c17
2 files changed, 24 insertions, 0 deletions
diff --git a/src/core/capsicum.c b/src/core/capsicum.c
index 79db780a..3b0708cb 100644
--- a/src/core/capsicum.c
+++ b/src/core/capsicum.c
@@ -403,6 +403,13 @@ static void cmd_capsicum_enter(void)
return;
}
+ /*
+ * XXX: We should use pdwait(2) to wait for children. Unfortunately
+ * it's not implemented yet. Thus the workaround, to get rid
+ * of the zombies at least.
+ */
+ signal(SIGCHLD, SIG_IGN);
+
error = cap_enter();
if (error != 0) {
signal_emit("capability mode failed", 1, strerror(errno));
diff --git a/src/core/network-openssl.c b/src/core/network-openssl.c
index 2054f28a..7ec902fb 100644
--- a/src/core/network-openssl.c
+++ b/src/core/network-openssl.c
@@ -45,6 +45,19 @@
#define ASN1_STRING_data(x) ASN1_STRING_get0_data(x)
#endif
+/* OpenSSL 1.1.0 also introduced some useful additions to the api */
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined (LIBRESSL_VERSION_NUMBER)
+static int X509_STORE_up_ref(X509_STORE *vfy)
+{
+ int n;
+
+ n = CRYPTO_add(&vfy->references, 1, CRYPTO_LOCK_X509_STORE);
+ g_assert(n > 1);
+
+ return (n > 1) ? 1 : 0;
+}
+#endif
+
/* ssl i/o channel object */
typedef struct
{
@@ -510,6 +523,10 @@ static GIOChannel *irssi_ssl_get_iochannel(GIOChannel *handle, int port, SERVER_
g_free(scapath);
verify = TRUE;
} else if (store != NULL) {
+ /* Make sure to increment the refcount every time the store is
+ * used, that's essential not to get it free'd by OpenSSL when
+ * the SSL_CTX is destroyed. */
+ X509_STORE_up_ref(store);
SSL_CTX_set_cert_store(ctx, store);
}