Subversion Repositories prayer

Compare Revisions

Ignore whitespace Rev 159 → Rev 161

/trunk/debian/changelog
1,3 → 1,11
prayer (1.3.5-dfsg1-4) unstable; urgency=low
 
* openssl1.1.patch: Support OpenSSL 1.1 API changes (Closes: #828512).
* Support for Entropy Gathering Daemon removed because it's really old
and support for it is no longer enabled in OpenSSL by default.
 
-- Magnus Holmgren <holmgren@debian.org> Sat, 29 Oct 2016 12:32:00 +0200
 
prayer (1.3.5-dfsg1-3) unstable; urgency=low
 
* disable_ssl3.patch (new): Disable SSL 3.0 due to CVE-2014-3566
/trunk/debian/patches/openssl1.1.patch
0,0 → 1,119
Bug-Debian: https://bugs.debian.org/828512
Description: Support OpenSSL 1.1 API changes
SSL_CTX_set_tmp_rsa_callback() (used for export-weakened keys) no longer does anything.
 
--- a/lib/ssl.c
+++ b/lib/ssl.c
@@ -78,17 +78,6 @@ static void os_initialize_prng(struct ss
int totbytes = 0;
int bytes;
- if (ssl_config->egd_socket) {
- if ((bytes = RAND_egd(ssl_config->egd_socket)) == -1) {
- log_fatal("EGD Socket %s failed", ssl_config->egd_socket);
- } else {
- totbytes += bytes;
- log_debug("Snagged %d random bytes from EGD Socket %s",
- bytes, ssl_config->egd_socket);
- goto SEEDED; /* ditto */
- }
- }
-
/* Try the good-old default /dev/urandom, if available */
totbytes += add_rand_file("/dev/urandom");
if (prng_seeded(totbytes)) {
@@ -212,6 +201,8 @@ static int new_session_cb(SSL * ssl, SSL
unsigned char *data = NULL, *asn;
time_t expire;
int ret = -1;
+ unsigned int session_id_length;
+ unsigned char *session_id = SSL_SESSION_get_id(sess, &session_id_length);
if (!sess_dbopen)
return 0;
@@ -241,8 +232,7 @@ static int new_session_cb(SSL * ssl, SSL
if (data && len) {
/* store the session in our database */
do {
- ret = DB->store(sessdb, (void *) sess->session_id,
- sess->session_id_length,
+ ret = DB->store(sessdb, (void *) session_id, session_id_length,
(void *) data, len + sizeof(time_t), NULL);
}
while (ret == MYDB_AGAIN);
@@ -255,8 +245,8 @@ static int new_session_cb(SSL * ssl, SSL
if (ssl_verbose_logging) {
int i;
char idstr[SSL_MAX_SSL_SESSION_ID_LENGTH * 2 + 1];
- for (i = 0; i < sess->session_id_length; i++)
- sprintf(idstr + i * 2, "%02X", sess->session_id[i]);
+ for (i = 0; i < session_id_length; i++)
+ sprintf(idstr + i * 2, "%02X", session_id[i]);
log_debug("new SSL session: id=%s, expire=%s, status=%s",
idstr, ctime(&expire), ret ? "failed" : "ok");
@@ -298,7 +288,10 @@ static void remove_session(unsigned char
*/
static void remove_session_cb(SSL_CTX * ctx, SSL_SESSION * sess)
{
- remove_session(sess->session_id, sess->session_id_length);
+ unsigned int session_id_length;
+ unsigned char *session_id = SSL_SESSION_get_id(sess, &session_id_length);
+
+ remove_session(session_id, session_id_length);
}
/*
@@ -398,9 +391,6 @@ void ssl_context_init(struct ssl_config
/* SSLv3 now also obsolete */
SSL_CTX_set_options(client_ctx, SSL_OP_NO_SSLv3);
- if (SSL_CTX_need_tmp_RSA(client_ctx))
- SSL_CTX_set_tmp_rsa_callback(client_ctx, rsa_callback);
-
/* Don't bother with session cache for client side: not enough
* connections to worry about caching */
SSL_CTX_set_session_cache_mode(client_ctx, SSL_SESS_CACHE_OFF);
@@ -509,10 +499,6 @@ void ssl_context_init(struct ssl_config
log_fatal("SSL_CTX_set_options(SSL_OP_CIPHER_SERVER_PREFERENCE)"
"failed");
- /* Set up RSA temporary key callback routine */
- if (SSL_CTX_need_tmp_RSA(server_ctx))
- SSL_CTX_set_tmp_rsa_callback(server_ctx, rsa_callback);
-
/* Initialise RSA temporary key (will take a couple of secs to complete) */
ssl_init_rsakey(ssl_config);
}
@@ -621,7 +607,7 @@ void *ssl_start_server(int fd, unsigned
else
log_debug("SSL: No client certificate");
- switch (ssl->session->ssl_version) {
+ switch (SSL_version(ssl)) {
case SSL2_VERSION:
ver = "SSLv2";
break;
@@ -680,7 +666,7 @@ void *ssl_start_client(int fd, unsigned
/* Verify certificate here? Need local context to play with? */
- switch (((SSL *) ssl)->session->ssl_version) {
+ switch (SSL_version(ssl)) {
case SSL2_VERSION:
ver = "SSLv2";
break;
--- a/shared/config.c
+++ b/shared/config.c
@@ -455,9 +455,9 @@ static struct {
"draft_att_total_max", config_number, OFFSET(draft_att_total_max)}
, {
"dualuse", config_bool, OFFSET(dualuse)}
- , {
+ , /*{
"egd_socket", config_path, OFFSET(egd_socket)}
- , {
+ , */{
"expunge_on_exit", config_bool, OFFSET(expunge_on_exit)}
, {
"fatal_dump_core", config_bool, OFFSET(fatal_dump_core)}
/trunk/debian/patches/series
7,3 → 7,4
no_db_version_check.patch
hurd.patch
disable_ssl3.patch
openssl1.1.patch