Package: prayer / 1.3.5-dfsg1-6

openssl1.1.patch Patch series | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
Bug-Debian: https://bugs.debian.org/828512
Description: Support OpenSSL 1.1 API changes
 SSL_CTX_set_tmp_rsa_callback() (used for export-weakened keys) no longer does anything.

--- a/lib/ssl.c
+++ b/lib/ssl.c
@@ -78,17 +78,6 @@ static void os_initialize_prng(struct ss
     int totbytes = 0;
     int bytes;
 
-    if (ssl_config->egd_socket) {
-        if ((bytes = RAND_egd(ssl_config->egd_socket)) == -1) {
-            log_fatal("EGD Socket %s failed", ssl_config->egd_socket);
-        } else {
-            totbytes += bytes;
-            log_debug("Snagged %d random bytes from EGD Socket %s",
-                      bytes, ssl_config->egd_socket);
-            goto SEEDED;        /* ditto */
-        }
-    }
-
     /* Try the good-old default /dev/urandom, if available  */
     totbytes += add_rand_file("/dev/urandom");
     if (prng_seeded(totbytes)) {
@@ -212,6 +201,8 @@ static int new_session_cb(SSL * ssl, SSL
     unsigned char *data = NULL, *asn;
     time_t expire;
     int ret = -1;
+    unsigned int session_id_length;
+    unsigned char *session_id = SSL_SESSION_get_id(sess, &session_id_length);
 
     if (!sess_dbopen)
         return 0;
@@ -241,8 +232,7 @@ static int new_session_cb(SSL * ssl, SSL
     if (data && len) {
         /* store the session in our database */
         do {
-            ret = DB->store(sessdb, (void *) sess->session_id,
-                            sess->session_id_length,
+            ret = DB->store(sessdb, (void *) session_id, session_id_length,
                             (void *) data, len + sizeof(time_t), NULL);
         }
         while (ret == MYDB_AGAIN);
@@ -255,8 +245,8 @@ static int new_session_cb(SSL * ssl, SSL
     if (ssl_verbose_logging) {
         int i;
         char idstr[SSL_MAX_SSL_SESSION_ID_LENGTH * 2 + 1];
-        for (i = 0; i < sess->session_id_length; i++)
-            sprintf(idstr + i * 2, "%02X", sess->session_id[i]);
+        for (i = 0; i < session_id_length; i++)
+            sprintf(idstr + i * 2, "%02X", session_id[i]);
 
         log_debug("new SSL session: id=%s, expire=%s, status=%s",
                   idstr, ctime(&expire), ret ? "failed" : "ok");
@@ -298,7 +288,10 @@ static void remove_session(unsigned char
  */
 static void remove_session_cb(SSL_CTX * ctx, SSL_SESSION * sess)
 {
-    remove_session(sess->session_id, sess->session_id_length);
+    unsigned int session_id_length;
+    unsigned char *session_id = SSL_SESSION_get_id(sess, &session_id_length);
+
+    remove_session(session_id, session_id_length);
 }
 
 /*
@@ -398,9 +391,6 @@ void ssl_context_init(struct ssl_config
     /* SSLv3 now also obsolete */
     SSL_CTX_set_options(client_ctx, SSL_OP_NO_SSLv3);
 
-    if (SSL_CTX_need_tmp_RSA(client_ctx))
-        SSL_CTX_set_tmp_rsa_callback(client_ctx, rsa_callback);
-
     /* Don't bother with session cache for client side: not enough
      * connections to worry about caching */
     SSL_CTX_set_session_cache_mode(client_ctx, SSL_SESS_CACHE_OFF);
@@ -509,10 +499,6 @@ void ssl_context_init(struct ssl_config
         log_fatal("SSL_CTX_set_options(SSL_OP_CIPHER_SERVER_PREFERENCE)"
                   "failed");
 
-    /* Set up RSA temporary key callback routine */
-    if (SSL_CTX_need_tmp_RSA(server_ctx))
-        SSL_CTX_set_tmp_rsa_callback(server_ctx, rsa_callback);
-
     /* Initialise RSA temporary key (will take a couple of secs to complete) */
     ssl_init_rsakey(ssl_config);
 }
@@ -621,7 +607,7 @@ void *ssl_start_server(int fd, unsigned
     else
         log_debug("SSL: No client certificate");
 
-    switch (ssl->session->ssl_version) {
+    switch (SSL_version(ssl)) {
     case SSL2_VERSION:
         ver = "SSLv2";
         break;
@@ -680,7 +666,7 @@ void *ssl_start_client(int fd, unsigned
 
     /* Verify certificate here? Need local context to play with? */
 
-    switch (((SSL *) ssl)->session->ssl_version) {
+    switch (SSL_version(ssl)) {
     case SSL2_VERSION:
         ver = "SSLv2";
         break;
--- a/shared/config.c
+++ b/shared/config.c
@@ -455,9 +455,9 @@ static struct {
     "draft_att_total_max", config_number, OFFSET(draft_att_total_max)}
     , {
     "dualuse", config_bool, OFFSET(dualuse)}
-    , {
+    , /*{
     "egd_socket", config_path, OFFSET(egd_socket)}
-    , {
+    , */{
     "expunge_on_exit", config_bool, OFFSET(expunge_on_exit)}
     , {
     "fatal_dump_core", config_bool, OFFSET(fatal_dump_core)}