Rev 161 | Details | Compare with Previous | Last modification | View Log | RSS feed
Rev | Author | Line No. | Line |
---|---|---|---|
161 | magnus | 1 | Bug-Debian: https://bugs.debian.org/828512 |
2 | Description: Support OpenSSL 1.1 API changes |
||
3 | SSL_CTX_set_tmp_rsa_callback() (used for export-weakened keys) no longer does anything. |
||
4 | |||
5 | --- a/lib/ssl.c |
||
6 | +++ b/lib/ssl.c |
||
7 | @@ -78,17 +78,6 @@ static void os_initialize_prng(struct ss |
||
8 | int totbytes = 0; |
||
9 | int bytes; |
||
10 | |||
11 | - if (ssl_config->egd_socket) { |
||
12 | - if ((bytes = RAND_egd(ssl_config->egd_socket)) == -1) { |
||
13 | - log_fatal("EGD Socket %s failed", ssl_config->egd_socket); |
||
14 | - } else { |
||
15 | - totbytes += bytes; |
||
16 | - log_debug("Snagged %d random bytes from EGD Socket %s", |
||
17 | - bytes, ssl_config->egd_socket); |
||
18 | - goto SEEDED; /* ditto */ |
||
19 | - } |
||
20 | - } |
||
21 | - |
||
22 | /* Try the good-old default /dev/urandom, if available */ |
||
23 | totbytes += add_rand_file("/dev/urandom"); |
||
24 | if (prng_seeded(totbytes)) { |
||
25 | @@ -212,6 +201,8 @@ static int new_session_cb(SSL * ssl, SSL |
||
26 | unsigned char *data = NULL, *asn; |
||
27 | time_t expire; |
||
28 | int ret = -1; |
||
29 | + unsigned int session_id_length; |
||
30 | + unsigned char *session_id = SSL_SESSION_get_id(sess, &session_id_length); |
||
31 | |||
32 | if (!sess_dbopen) |
||
33 | return 0; |
||
34 | @@ -241,8 +232,7 @@ static int new_session_cb(SSL * ssl, SSL |
||
35 | if (data && len) { |
||
36 | /* store the session in our database */ |
||
37 | do { |
||
38 | - ret = DB->store(sessdb, (void *) sess->session_id, |
||
39 | - sess->session_id_length, |
||
40 | + ret = DB->store(sessdb, (void *) session_id, session_id_length, |
||
41 | (void *) data, len + sizeof(time_t), NULL); |
||
42 | } |
||
43 | while (ret == MYDB_AGAIN); |
||
44 | @@ -255,8 +245,8 @@ static int new_session_cb(SSL * ssl, SSL |
||
45 | if (ssl_verbose_logging) { |
||
46 | int i; |
||
47 | char idstr[SSL_MAX_SSL_SESSION_ID_LENGTH * 2 + 1]; |
||
48 | - for (i = 0; i < sess->session_id_length; i++) |
||
49 | - sprintf(idstr + i * 2, "%02X", sess->session_id[i]); |
||
50 | + for (i = 0; i < session_id_length; i++) |
||
51 | + sprintf(idstr + i * 2, "%02X", session_id[i]); |
||
52 | |||
53 | log_debug("new SSL session: id=%s, expire=%s, status=%s", |
||
54 | idstr, ctime(&expire), ret ? "failed" : "ok"); |
||
55 | @@ -298,7 +288,10 @@ static void remove_session(unsigned char |
||
56 | */ |
||
57 | static void remove_session_cb(SSL_CTX * ctx, SSL_SESSION * sess) |
||
58 | { |
||
59 | - remove_session(sess->session_id, sess->session_id_length); |
||
60 | + unsigned int session_id_length; |
||
61 | + unsigned char *session_id = SSL_SESSION_get_id(sess, &session_id_length); |
||
62 | + |
||
63 | + remove_session(session_id, session_id_length); |
||
64 | } |
||
65 | |||
66 | /* |
||
67 | @@ -398,9 +391,6 @@ void ssl_context_init(struct ssl_config |
||
68 | /* SSLv3 now also obsolete */ |
||
69 | SSL_CTX_set_options(client_ctx, SSL_OP_NO_SSLv3); |
||
70 | |||
71 | - if (SSL_CTX_need_tmp_RSA(client_ctx)) |
||
72 | - SSL_CTX_set_tmp_rsa_callback(client_ctx, rsa_callback); |
||
73 | - |
||
74 | /* Don't bother with session cache for client side: not enough |
||
75 | * connections to worry about caching */ |
||
76 | SSL_CTX_set_session_cache_mode(client_ctx, SSL_SESS_CACHE_OFF); |
||
77 | @@ -509,10 +499,6 @@ void ssl_context_init(struct ssl_config |
||
78 | log_fatal("SSL_CTX_set_options(SSL_OP_CIPHER_SERVER_PREFERENCE)" |
||
79 | "failed"); |
||
80 | |||
81 | - /* Set up RSA temporary key callback routine */ |
||
82 | - if (SSL_CTX_need_tmp_RSA(server_ctx)) |
||
83 | - SSL_CTX_set_tmp_rsa_callback(server_ctx, rsa_callback); |
||
84 | - |
||
85 | /* Initialise RSA temporary key (will take a couple of secs to complete) */ |
||
86 | ssl_init_rsakey(ssl_config); |
||
87 | } |
||
88 | @@ -621,7 +607,7 @@ void *ssl_start_server(int fd, unsigned |
||
89 | else |
||
90 | log_debug("SSL: No client certificate"); |
||
91 | |||
92 | - switch (ssl->session->ssl_version) { |
||
93 | + switch (SSL_version(ssl)) { |
||
94 | case SSL2_VERSION: |
||
95 | ver = "SSLv2"; |
||
96 | break; |
||
97 | @@ -680,7 +666,7 @@ void *ssl_start_client(int fd, unsigned |
||
98 | |||
99 | /* Verify certificate here? Need local context to play with? */ |
||
100 | |||
101 | - switch (((SSL *) ssl)->session->ssl_version) { |
||
102 | + switch (SSL_version(ssl)) { |
||
103 | case SSL2_VERSION: |
||
104 | ver = "SSLv2"; |
||
105 | break; |
||
106 | --- a/shared/config.c |
||
107 | +++ b/shared/config.c |
||
108 | @@ -455,9 +455,9 @@ static struct { |
||
109 | "draft_att_total_max", config_number, OFFSET(draft_att_total_max)} |
||
110 | , { |
||
111 | "dualuse", config_bool, OFFSET(dualuse)} |
||
112 | - , { |
||
113 | + , /*{ |
||
114 | "egd_socket", config_path, OFFSET(egd_socket)} |
||
115 | - , { |
||
116 | + , */{ |
||
117 | "expunge_on_exit", config_bool, OFFSET(expunge_on_exit)} |
||
118 | , { |
||
119 | "fatal_dump_core", config_bool, OFFSET(fatal_dump_core)} |