tags 828446 + patch Hi,
Attached is a patch for it. It's against a current svn trunk. It doesn't have any new regressions, but there are existing test suite errors. I'll also submit this upstream. Kurt
Index: src/ne_auth.c =================================================================== --- src/ne_auth.c (revision 1971) +++ src/ne_auth.c (working copy) @@ -333,7 +333,7 @@ } else #elif defined(HAVE_OPENSSL) - if (RAND_status() == 1 && RAND_pseudo_bytes(data, sizeof data) >= 0) { + if (RAND_status() == 1 && RAND_bytes(data, sizeof data) >= 0) { ne_md5_process_bytes(data, sizeof data, hash); } else Index: src/ne_openssl.c =================================================================== --- src/ne_openssl.c (revision 1971) +++ src/ne_openssl.c (working copy) @@ -67,6 +67,14 @@ typedef const unsigned char ne_d2i_uchar; #endif +#if OPENSSL_VERSION_NUMBER < 0x10100000L +#define X509_up_ref(x) x->references++ +#define EVP_PKEY_up_ref(x) x->references++ +#define EVP_MD_CTX_new() ne_calloc(sizeof(EVP_MD_CTX)) +#define EVP_MD_CTX_free(ctx) ne_free(ctx) +#define EVP_MD_CTX_reset EVP_MD_CTX_cleanup +#endif + struct ne_ssl_dname_s { X509_NAME *dn; }; @@ -152,15 +160,16 @@ for (n = X509_NAME_entry_count(name->dn); n > 0; n--) { X509_NAME_ENTRY *ent = X509_NAME_get_entry(name->dn, n-1); + ASN1_OBJECT *obj = X509_NAME_ENTRY_get_object(ent); /* Skip commonName or emailAddress except if there is no other * attribute in dname. */ - if ((OBJ_cmp(ent->object, cname) && OBJ_cmp(ent->object, email)) || + if ((OBJ_cmp(obj, cname) && OBJ_cmp(obj, email)) || (!flag && n == 1)) { if (flag++) ne_buffer_append(dump, ", ", 2); - if (append_dirstring(dump, ent->value)) + if (append_dirstring(dump, X509_NAME_ENTRY_get_data(ent))) ne_buffer_czappend(dump, "???"); } } @@ -501,8 +510,8 @@ populate_cert(&newcc->cert, cc->cert.subject); - cc->cert.subject->references++; - cc->pkey->references++; + X509_up_ref(cc->cert.subject); + EVP_PKEY_up_ref(cc->pkey); return newcc; } 
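Review bot: The `>= 0` comparison kept on the new `RAND_bytes()` call in the `HAVE_OPENSSL` branch of src/ne_auth.c accepts a failed call. `RAND_pseudo_bytes()` still filled the buffer when it returned 0, but `RAND_bytes()` returns 1 only on success and 0 on failure, so a 0 return would hash whatever `data` held into `hash` instead of falling through to the `else` branch. The test should read `if (RAND_status() == 1 && RAND_bytes(data, sizeof data) == 1) {`. The enclosing function starts and ends outside the hunk.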
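Review bot: On OpenSSL older than 1.1.0 the fallback `#define EVP_MD_CTX_free(ctx) ne_free(ctx)` in the `@@ -67` hunk releases the context without calling `EVP_MD_CTX_cleanup()`, so any digest state still attached to it is neither cleansed nor freed. This reaches `ne_md5_destroy_ctx` in the `@@ -1335` hunk, which used to call the cleanup itself. Mapping onto the functions those releases already provide avoids it: `#define EVP_MD_CTX_new EVP_MD_CTX_create` and `#define EVP_MD_CTX_free EVP_MD_CTX_destroy`. The two `up_ref` macros should also parenthesise their argument and expansion, e.g. `#define X509_up_ref(x) ((x)->references++)`.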
@@ -540,8 +549,8 @@ if (sess->client_cert) { ne_ssl_client_cert *const cc = sess->client_cert; NE_DEBUG(NE_DBG_SSL, "Supplying client certificate.\n"); - cc->pkey->references++; - cc->cert.subject->references++; + EVP_PKEY_up_ref(cc->pkey); + X509_up_ref(cc->cert.subject); *cert = cc->cert.subject; *pkey = cc->pkey; return 1; @@ -577,13 +586,8 @@ SSL_CTX_set_options(ctx->ctx, SSL_OP_NO_TICKET); #endif } else { -#ifdef OPENSSL_NO_SSL2 ne_free(ctx); return NULL; -#else - ctx->ctx = SSL_CTX_new(SSLv2_server_method()); - SSL_CTX_set_session_cache_mode(ctx->ctx, SSL_SESS_CACHE_CLIENT); -#endif } return ctx; } @@ -671,8 +675,14 @@ * sufficient. */ static int SSL_SESSION_cmp(SSL_SESSION *a, SSL_SESSION *b) { - return a->session_id_length == b->session_id_length - && memcmp(a->session_id, b->session_id, a->session_id_length) == 0; + const char *session1_buf, *session2_buf; + unsigned int session1_len, session2_len; + + session1_buf = SSL_SESSION_get_id(a, &session1_len); + session2_buf = SSL_SESSION_get_id(b, &session2_len); + + return session1_len == session2_len + && memcmp(session1_buf, session2_buf, session1_len) == 0; } #endif @@ -1188,6 +1198,7 @@ int ne__ssl_init(void) { +#if OPENSSL_VERSION_NUMBER < 0x10100000L CRYPTO_malloc_init(); SSL_load_error_strings(); SSL_library_init(); @@ -1230,6 +1241,7 @@ "for %" NE_FMT_SIZE_T " locks.\n", num_locks); } #endif +#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */ return 0; } @@ -1266,16 +1278,15 @@ } struct ne_md5_ctx { - EVP_MD_CTX ctx; + EVP_MD_CTX *ctx; }; /* Returns zero on succes, non-zero on failure. */ static int init_md5_ctx(struct ne_md5_ctx *ctx) { - EVP_MD_CTX_init(&ctx->ctx); + ctx->ctx = EVP_MD_CTX_new(); - if (EVP_DigestInit_ex(&ctx->ctx, EVP_md5(), NULL) != 1) { - EVP_MD_CTX_cleanup(&ctx->ctx); + if (EVP_DigestInit_ex(ctx->ctx, EVP_md5(), NULL) != 1) { return 1; } 
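Review bot: `session1_buf` and `session2_buf` in the rewritten `SSL_SESSION_cmp` (`@@ -671` hunk) are declared `const char *`, but `SSL_SESSION_get_id()` returns `const unsigned char *`, so both assignments mix pointer signedness and will draw a compiler warning. Declaring them as `const unsigned char *session1_buf, *session2_buf;` matches the API and the `session_buf` declaration this patch adds in src/ne_socket.c.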
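Review bot: The `#if OPENSSL_VERSION_NUMBER < 0x10100000L` guard opened at the top of `ne__ssl_init` (`@@ -1188` hunk, closed in the `@@ -1230` hunk) is also false on LibreSSL, which reports a version number above this threshold. If such builds are supported, the explicit initialisation and locking setup would be skipped there, and the compat macros from the `@@ -67` hunk would be missing. The usual form is `#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)`. A comment such as `/* OpenSSL >= 1.1.0 initialises itself and needs no locking callbacks. */` would explain why the function is otherwise empty on new versions. The middle of the function lies between the two hunks and is not visible here.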
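Review bot: `init_md5_ctx` (`@@ -1266` hunk) uses the result of `EVP_MD_CTX_new()` without checking it, and its failure branch no longer releases anything now that the `EVP_MD_CTX_cleanup()` line is gone. On OpenSSL 1.1.0 the allocation can return NULL, and when `EVP_DigestInit_ex()` fails the freshly allocated context stays in `ctx->ctx`, leaked unless a caller frees it (the callers are outside this hunk). Add `if (ctx->ctx == NULL) return 1;` after the allocation and `EVP_MD_CTX_free(ctx->ctx);` before the `return 1;` in the failure branch. The end of the function is outside the hunk.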
@@ -1301,18 +1312,18 @@ void ne_md5_process_block(const void *buffer, size_t len, struct ne_md5_ctx *ctx) { - EVP_DigestUpdate(&ctx->ctx, buffer, len); + EVP_DigestUpdate(ctx->ctx, buffer, len); } void ne_md5_process_bytes(const void *buffer, size_t len, struct ne_md5_ctx *ctx) { - EVP_DigestUpdate(&ctx->ctx, buffer, len); + EVP_DigestUpdate(ctx->ctx, buffer, len); } void *ne_md5_finish_ctx(struct ne_md5_ctx *ctx, void *resbuf) { - EVP_DigestFinal(&ctx->ctx, resbuf, NULL); + EVP_DigestFinal(ctx->ctx, resbuf, NULL); return resbuf; } @@ -1321,7 +1332,7 @@ { struct ne_md5_ctx *r = ne_md5_create_ctx(); - EVP_MD_CTX_copy_ex(&r->ctx, &ctx->ctx); + EVP_MD_CTX_copy_ex(r->ctx, ctx->ctx); return r; } @@ -1328,7 +1339,7 @@ void ne_md5_reset_ctx(struct ne_md5_ctx *ctx) { - EVP_MD_CTX_cleanup(&ctx->ctx); + EVP_MD_CTX_reset(ctx->ctx); init_md5_ctx(ctx); } @@ -1335,6 +1346,6 @@ void ne_md5_destroy_ctx(struct ne_md5_ctx *ctx) { - EVP_MD_CTX_cleanup(&ctx->ctx); + EVP_MD_CTX_free(ctx->ctx); ne_free(ctx); } Index: src/ne_socket.c =================================================================== --- src/ne_socket.c (revision 1971) +++ src/ne_socket.c (working copy) @@ -1858,6 +1858,8 @@ } #else SSL_SESSION *sess; + const unsigned char *session_buf; + unsigned int session_len; if (!sock->ssl) { return -1; @@ -1865,17 +1867,18 @@ sess = SSL_get0_session(sock->ssl); + session_buf = SSL_SESSION_get_id(sess, &session_len); if (!buf) { - *buflen = sess->session_id_length; + *buflen = session_len; return 0; } - if (*buflen < sess->session_id_length) { + if (*buflen < session_len) { return -1; } - *buflen = sess->session_id_length; - memcpy(buf, sess->session_id, *buflen); + *buflen = session_len; + memcpy(buf, session_buf, session_len); return 0; #endif #else
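Review bot: `ne_md5_reset_ctx` (`@@ -1328` hunk) now leaks one `EVP_MD_CTX` per call: `EVP_MD_CTX_reset(ctx->ctx)` keeps the allocation, and the `init_md5_ctx(ctx)` that follows overwrites `ctx->ctx` with a new object from `EVP_MD_CTX_new()`, as the `@@ -1266` hunk shows. Either free the old context first with `EVP_MD_CTX_free(ctx->ctx);`, or keep the reset and re-initialise in place with `EVP_DigestInit_ex(ctx->ctx, EVP_md5(), NULL);` instead of calling `init_md5_ctx`. The result of the re-initialisation is ignored in either form, as it was before the patch.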
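Review bot: In the src/ne_socket.c `@@ -1865` hunk, `sess` is passed to `SSL_SESSION_get_id()` without a NULL check, and `SSL_get0_session()` can return NULL when the connection has no session. The old code had the same exposure through `sess->session_id_length`, but since these lines are being rewritten, a guard `if (!sess) return -1;` before the `SSL_SESSION_get_id()` call would close it. The enclosing function starts before the previous hunk and ends outside this one.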