
Bug-Debian: https://bugs.debian.org/828512
Description: Support OpenSSL 1.1 API changes
 SSL_CTX_set_tmp_rsa_callback() (used for export-weakened keys) no longer does anything.

--- a/lib/ssl.c
+++ b/lib/ssl.c
@@ -78,17 +78,6 @@ static void os_initialize_prng(struct ss
     int totbytes = 0;
     int bytes;
 
-    if (ssl_config->egd_socket) {
-        if ((bytes = RAND_egd(ssl_config->egd_socket)) == -1) {
-            log_fatal("EGD Socket %s failed", ssl_config->egd_socket);
-        } else {
-            totbytes += bytes;
-            log_debug("Snagged %d random bytes from EGD Socket %s",
-                      bytes, ssl_config->egd_socket);
-            goto SEEDED;        /* ditto */
-        }
-    }
-
     /* Try the good-old default /dev/urandom, if available  */
     totbytes += add_rand_file("/dev/urandom");
     if (prng_seeded(totbytes)) {
@@ -212,6 +201,8 @@ static int new_session_cb(SSL * ssl, SSL
     unsigned char *data = NULL, *asn;
     time_t expire;
     int ret = -1;
+    unsigned int session_id_length;
+    unsigned char *session_id = SSL_SESSION_get_id(sess, &session_id_length);
 
     if (!sess_dbopen)
         return 0;
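Review bot: In OpenSSL 1.1 `SSL_SESSION_get_id()` returns `const unsigned char *`, so the new `unsigned char *session_id` declaration drops the qualifier and will draw a discarded-qualifier warning; declare it as `const unsigned char *session_id = SSL_SESSION_get_id(sess, &session_id_length);`. The same declaration is repeated in the remove_session_cb hunk, where `remove_session()` appears from the hunk header to take a non-const `unsigned char *`, so its parameter would need the qualifier as well. The returned pointer refers to storage owned by the session, so it must not be written through or kept after the callback returns. new_session_cb's body continues outside this hunk.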
@@ -241,8 +232,7 @@ static int new_session_cb(SSL * ssl, SSL
     if (data && len) {
         /* store the session in our database */
         do {
-            ret = DB->store(sessdb, (void *) sess->session_id,
-                            sess->session_id_length,
+            ret = DB->store(sessdb, (void *) session_id, session_id_length,
                             (void *) data, len + sizeof(time_t), NULL);
         }
         while (ret == MYDB_AGAIN);
@@ -255,8 +245,8 @@ static int new_session_cb(SSL * ssl, SSL
     if (ssl_verbose_logging) {
         int i;
         char idstr[SSL_MAX_SSL_SESSION_ID_LENGTH * 2 + 1];
-        for (i = 0; i < sess->session_id_length; i++)
-            sprintf(idstr + i * 2, "%02X", sess->session_id[i]);
+        for (i = 0; i < session_id_length; i++)
+            sprintf(idstr + i * 2, "%02X", session_id[i]);
 
         log_debug("new SSL session: id=%s, expire=%s, status=%s",
                   idstr, ctime(&expire), ret ? "failed" : "ok");
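Review bot: `idstr` reaches `log_debug` through `%s` without being initialised, so if the id length is ever zero the log call reads uninitialised stack bytes. The `sprintf` writes also stay inside the buffer only while the length reported by the accessor does not exceed SSL_MAX_SSL_SESSION_ID_LENGTH. Since the length is now an `unsigned int`, the comparison against `int i` is mixed-sign too. I would write `char idstr[SSL_MAX_SSL_SESSION_ID_LENGTH * 2 + 1] = "";`, declare `unsigned int i;`, and bound the loop with `i < session_id_length && i < SSL_MAX_SSL_SESSION_ID_LENGTH`. The enclosing `if (ssl_verbose_logging)` block ends outside the hunk.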
@@ -298,7 +288,10 @@ static void remove_session(unsigned char
  */
 static void remove_session_cb(SSL_CTX * ctx, SSL_SESSION * sess)
 {
-    remove_session(sess->session_id, sess->session_id_length);
+    unsigned int session_id_length;
+    unsigned char *session_id = SSL_SESSION_get_id(sess, &session_id_length);
+
+    remove_session(session_id, session_id_length);
 }
 
 /*
@@ -398,9 +391,6 @@ void ssl_context_init(struct ssl_config
     /* SSLv3 now also obsolete */
     SSL_CTX_set_options(client_ctx, SSL_OP_NO_SSLv3);
 
-    if (SSL_CTX_need_tmp_RSA(client_ctx))
-        SSL_CTX_set_tmp_rsa_callback(client_ctx, rsa_callback);
-
     /* Don't bother with session cache for client side: not enough
      * connections to worry about caching */
     SSL_CTX_set_session_cache_mode(client_ctx, SSL_SESS_CACHE_OFF);
@@ -509,10 +499,6 @@ void ssl_context_init(struct ssl_config
         log_fatal("SSL_CTX_set_options(SSL_OP_CIPHER_SERVER_PREFERENCE)"
                   "failed");
 
-    /* Set up RSA temporary key callback routine */
-    if (SSL_CTX_need_tmp_RSA(server_ctx))
-        SSL_CTX_set_tmp_rsa_callback(server_ctx, rsa_callback);
-
     /* Initialise RSA temporary key (will take a couple of secs to complete) */
     ssl_init_rsakey(ssl_config);
 }
@@ -621,7 +607,7 @@ void *ssl_start_server(int fd, unsigned
     else
         log_debug("SSL: No client certificate");
 
-    switch (ssl->session->ssl_version) {
+    switch (SSL_version(ssl)) {
     case SSL2_VERSION:
         ver = "SSLv2";
         break;
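Review bot: The switch on `SSL_version(ssl)` still maps protocol constants to names by hand, and the same pattern is repeated in the ssl_start_client hunk. The remaining cases are outside the hunk, so I cannot tell whether newer protocol versions are covered; if they are not, the log line will misreport the negotiated protocol, which matters when auditing for legacy-protocol use. `SSL_get_version(ssl)` already returns the protocol name as a string, so `ver = SSL_get_version(ssl);` could replace the whole switch, assuming `ver` is only used for logging.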
@@ -680,7 +666,7 @@ void *ssl_start_client(int fd, unsigned
 
     /* Verify certificate here? Need local context to play with? */
 
-    switch (((SSL *) ssl)->session->ssl_version) {
+    switch (SSL_version(ssl)) {
     case SSL2_VERSION:
         ver = "SSLv2";
         break;
--- a/shared/config.c
+++ b/shared/config.c
@@ -455,9 +455,9 @@ static struct {
     "draft_att_total_max", config_number, OFFSET(draft_att_total_max)}
     , {
     "dualuse", config_bool, OFFSET(dualuse)}
-    , {
+    , /*{
     "egd_socket", config_path, OFFSET(egd_socket)}
-    , {
+    , */{
     "expunge_on_exit", config_bool, OFFSET(expunge_on_exit)}
     , {
     "fatal_dump_core", config_bool, OFFSET(fatal_dump_core)}
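Review bot: The `egd_socket` entry is disabled by wrapping it in `/*{ ... , */{` inside the initializer, which leaves commented-out code in the table and is easy to misread; deleting the three lines outright would be cleaner. How the parser treats unknown keys is not visible here, so it is worth confirming what happens to an existing configuration that still sets `egd_socket`. If it is rejected at startup, that needs a release note, and if it is silently ignored, a logged warning that seeding now comes only from the remaining sources would help operators. The table itself starts and ends outside the hunk.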