Bug#828446: neon27: FTBFS with openssl 1.1.0

2016-09-25 Thread Kurt Roeckx
On Sun, Sep 25, 2016 at 08:15:08PM +0200, László Böszörményi (GCS) wrote:
> Hi Kurt,
> 
> On Sun, Sep 25, 2016 at 6:21 PM, Kurt Roeckx  wrote:
> > Attached is a patch for it. It's against a current svn trunk.
> >
> > It doesn't have any new regressions, but there are existing test
> > suite errors.
> >
> > I'll also submit this upstream.
>  Due to the test suite errors, I would wait some days on what upstream
> says about the patch. May you ping me when you get any answer?

To fix the regression tests, I need this diff:
--- src/ne_openssl.c(revision 1971)
+++ src/ne_openssl.c(working copy)
@@ -1284,7 +1284,7 @@
 
 struct ne_md5_ctx *ne_md5_create_ctx(void)
 {
-#if 1
+#if 0
 return NULL;
 #else
 struct ne_md5_ctx *ctx = ne_malloc(sizeof *ctx);
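Review bot: Flipping `#if 1` to `#if 0` keeps the `return NULL;` stub in ne_md5_create_ctx as dead code behind a preprocessor constant, and flipping it back would silently disable every MD5 context again. The cleaner change is to delete the `#if`, `return NULL;` and `#else` lines, plus the matching `#endif` outside this hunk, so only the real allocation path remains. The rest of the function body is not visible here, so whether it handles an initialisation failure cannot be checked from this hunk.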


1971 is the latest revision in which this code was all rewritten.
I assume this was really some test code.


Kurt



Bug#828446: neon27: FTBFS with openssl 1.1.0

2016-09-25 Thread GCS
Hi Kurt,

On Sun, Sep 25, 2016 at 6:21 PM, Kurt Roeckx  wrote:
> Attached is a patch for it. It's against a current svn trunk.
>
> It doesn't have any new regressions, but there are existing test
> suite errors.
>
> I'll also submit this upstream.
 Due to the test suite errors, I would wait some days to see what upstream
says about the patch. Could you ping me when you get an answer?

Thanks,
Laszlo/GCS



Bug#828446: neon27: FTBFS with openssl 1.1.0

2016-09-25 Thread Kurt Roeckx
tags 828446 + patch

Hi,

Attached is a patch for it. It's against a current svn trunk.

It doesn't have any new regressions, but there are existing test
suite errors.

I'll also submit this upstream.


Kurt

Index: src/ne_auth.c
===
--- src/ne_auth.c	(revision 1971)
+++ src/ne_auth.c	(working copy)
@@ -333,7 +333,7 @@
 }
 else
 #elif defined(HAVE_OPENSSL)
-if (RAND_status() == 1 && RAND_pseudo_bytes(data, sizeof data) >= 0) {
+if (RAND_status() == 1 && RAND_bytes(data, sizeof data) >= 0) {
 	ne_md5_process_bytes(data, sizeof data, hash);
 } 
 else 
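Review bot: The `>= 0` test was written for RAND_pseudo_bytes and is too weak for RAND_bytes, which returns 1 only on success and 0 when it could not produce random data. As written, a failed call still lets the contents of `data` be hashed as if they were fresh randomness. The condition should read `if (RAND_status() == 1 && RAND_bytes(data, sizeof data) == 1) {`. The enclosing function starts and ends outside this hunk, so what the value is used for and what the `else` branch falls back to are not visible here.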
Index: src/ne_openssl.c
===
--- src/ne_openssl.c	(revision 1971)
+++ src/ne_openssl.c	(working copy)
@@ -67,6 +67,14 @@
 typedef const unsigned char ne_d2i_uchar;
 #endif
 
+#if OPENSSL_VERSION_NUMBER < 0x1010L
+#define X509_up_ref(x) x->references++
+#define EVP_PKEY_up_ref(x) x->references++
+#define EVP_MD_CTX_new() ne_calloc(sizeof(EVP_MD_CTX))
+#define EVP_MD_CTX_free(ctx) ne_free(ctx)
+#define EVP_MD_CTX_reset EVP_MD_CTX_cleanup
+#endif
+
 struct ne_ssl_dname_s {
 X509_NAME *dn;
 };
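Review bot: The guard `OPENSSL_VERSION_NUMBER < 0x1010L` looks wrong as displayed, though this may be an artifact of the archive rather than the real patch. OpenSSL encodes 1.1.0 as `0x10100000L`, so a comparison against `0x1010L` is false for every release and these compatibility macros would never be defined when building against 1.0.x. The same constant guards the ne__ssl_init hunks further down, where a never-true condition would skip `SSL_library_init()` and what appears to be the lock setup on old versions. Both places should use `#if OPENSSL_VERSION_NUMBER < 0x10100000L`. Separately, the macro arguments are unparenthesised and the bare increment bypasses the library's locking; the 1.0.x equivalent is `#define X509_up_ref(x) CRYPTO_add(&(x)->references, 1, CRYPTO_LOCK_X509)`, with `CRYPTO_LOCK_EVP_PKEY` for the key.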
@@ -152,15 +160,16 @@
 
 for (n = X509_NAME_entry_count(name->dn); n > 0; n--) {
 	X509_NAME_ENTRY *ent = X509_NAME_get_entry(name->dn, n-1);
+	ASN1_OBJECT *obj = X509_NAME_ENTRY_get_object(ent);
 	
 /* Skip commonName or emailAddress except if there is no other
  * attribute in dname. */
-	if ((OBJ_cmp(ent->object, cname) && OBJ_cmp(ent->object, email)) ||
+	if ((OBJ_cmp(obj, cname) && OBJ_cmp(obj, email)) ||
 (!flag && n == 1)) {
  	if (flag++)
 		ne_buffer_append(dump, ", ", 2);
 
-if (append_dirstring(dump, ent->value))
+if (append_dirstring(dump, X509_NAME_ENTRY_get_data(ent)))
 ne_buffer_czappend(dump, "???");
 	}
 }
@@ -501,8 +510,8 @@
 
 populate_cert(>cert, cc->cert.subject);
 
-cc->cert.subject->references++;
-cc->pkey->references++;
+X509_up_ref(cc->cert.subject);
+EVP_PKEY_up_ref(cc->pkey);
 return newcc;
 }
 
@@ -540,8 +549,8 @@
 if (sess->client_cert) {
 ne_ssl_client_cert *const cc = sess->client_cert;
 	NE_DEBUG(NE_DBG_SSL, "Supplying client certificate.\n");
-	cc->pkey->references++;
-	cc->cert.subject->references++;
+	EVP_PKEY_up_ref(cc->pkey);
+	X509_up_ref(cc->cert.subject);
 	*cert = cc->cert.subject;
 	*pkey = cc->pkey;
 	return 1;
@@ -577,13 +586,8 @@
 SSL_CTX_set_options(ctx->ctx, SSL_OP_NO_TICKET);
 #endif
 } else {
-#ifdef OPENSSL_NO_SSL2
 ne_free(ctx);
 return NULL;
-#else
-ctx->ctx = SSL_CTX_new(SSLv2_server_method());
-SSL_CTX_set_session_cache_mode(ctx->ctx, SSL_SESS_CACHE_CLIENT);
-#endif
 }
 return ctx;
 }
@@ -671,8 +675,14 @@
  * sufficient. */
 static int SSL_SESSION_cmp(SSL_SESSION *a, SSL_SESSION *b)
 {
-return a->session_id_length == b->session_id_length
-&& memcmp(a->session_id, b->session_id, a->session_id_length) == 0;
+const char *session1_buf, *session2_buf;
+unsigned int session1_len, session2_len;
+
+session1_buf = SSL_SESSION_get_id(a, _len);
+session2_buf = SSL_SESSION_get_id(b, _len);
+
+return session1_len == session2_len
+&& memcmp(session1_buf, session2_buf, session1_len) == 0;
 }
 #endif
 
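Review bot: `session1_buf` and `session2_buf` are declared `const char *`, but SSL_SESSION_get_id returns `const unsigned char *`, so both assignments are pointer-sign mismatches that warn, or fail under -Werror. Declare them as `const unsigned char *session1_buf, *session2_buf;`. The second argument of both calls is rendered as `_len` on this page, presumably `&session1_len` and `&session2_len` with the leading characters lost in archiving. That is worth confirming against the attachment, since the comparison is only meaningful if each call fills its own length variable.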
@@ -1188,6 +1198,7 @@
 
 int ne__ssl_init(void)
 {
+#if OPENSSL_VERSION_NUMBER < 0x1010L
 CRYPTO_malloc_init();
 SSL_load_error_strings();
 SSL_library_init();
@@ -1230,6 +1241,7 @@
  "for %" NE_FMT_SIZE_T " locks.\n", num_locks);
 }
 #endif
+#endif /* OPENSSL_VERSION_NUMBER < 0x1010L */
 
 return 0;
 }
@@ -1266,16 +1278,15 @@
 }
 
 struct ne_md5_ctx {
-EVP_MD_CTX ctx;
+EVP_MD_CTX *ctx;
 };
 
 /* Returns zero on succes, non-zero on failure. */
 static int init_md5_ctx(struct ne_md5_ctx *ctx)
 {
-EVP_MD_CTX_init(>ctx);
+ctx->ctx = EVP_MD_CTX_new();
 
-if (EVP_DigestInit_ex(>ctx, EVP_md5(), NULL) != 1) {
-EVP_MD_CTX_cleanup(>ctx);
+if (EVP_DigestInit_ex(ctx->ctx, EVP_md5(), NULL) != 1) {
 return 1;
 }
 
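Review bot: init_md5_ctx now allocates the digest context but never checks the result, and it no longer releases the context when EVP_DigestInit_ex fails, so the failure path leaks it and leaves `ctx->ctx` pointing at it. EVP_MD_CTX_new() can return NULL on 1.1.0, and MD5 initialisation can be refused outright (for example in a FIPS-restricted build), so both paths are reachable. I would add `if (ctx->ctx == NULL) return 1;` after the allocation and put `EVP_MD_CTX_free(ctx->ctx); ctx->ctx = NULL;` before the `return 1;` in the failure branch. The remainder of the function is outside this hunk.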
@@ -1301,18 +1312,18 @@
 void ne_md5_process_block(const void *buffer, size_t len,
   struct ne_md5_ctx *ctx)
 {
-EVP_DigestUpdate(>ctx, buffer, len);
+EVP_DigestUpdate(ctx->ctx, buffer, len);
 }
 
 void ne_md5_process_bytes(const void *buffer, size_t len,
   struct ne_md5_ctx *ctx)
 {
-EVP_DigestUpdate(>ctx, buffer, len);
+EVP_DigestUpdate(ctx->ctx, buffer, len);
 }
 
 void *ne_md5_finish_ctx(struct ne_md5_ctx *ctx, void *resbuf)
 {
-EVP_DigestFinal(>ctx, resbuf, NULL);
+EVP_DigestFinal(ctx->ctx, resbuf, NULL);
 
 return resbuf;
 }
@@ -1321,7 +1332,7 @@
 {
 struct ne_md5_ctx *r = ne_md5_create_ctx();
 
-EVP_MD_CTX_copy_ex(>ctx, >ctx);
+EVP_MD_CTX_copy_ex(r->ctx, ctx->ctx);
 
 return r;
 }
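Review bot: `r->ctx` dereferences the result of ne_md5_create_ctx() without a NULL check, where the old `&r->ctx` only computed an address. The create function shown elsewhere on this page has a path that returns NULL, so this line can crash. Adding `if (r == NULL) return NULL;` before the copy makes the function safe regardless. The return value of EVP_MD_CTX_copy_ex is also worth checking, so that a failed copy does not hand back a context whose digest state was never populated. The function's signature is outside this hunk.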
@@ 

Bug#828446: neon27: FTBFS with openssl 1.1.0

2016-06-26 Thread Kurt Roeckx
Source: neon27
Version: 0.30.1-3
Severity: important
Control: block 827061 by -1

Hi,

OpenSSL 1.1.0 is about to be released.  During a rebuild of all packages using
OpenSSL this package failed to build.  A log of that build can be found at:
https://breakpoint.cc/openssl-1.1-rebuild-2016-05-29/Attempted/neon27_0.30.1-3_amd64-20160529-1453

On https://wiki.openssl.org/index.php/1.1_API_Changes you can see various
reasons why it might fail.  There are also updated man pages at
https://www.openssl.org/docs/manmaster/ that should contain useful information.

There is a libssl-dev package available in experimental that contains a recent
snapshot, I suggest you try building against that to see if everything works.

If you have problems making things work, feel free to contact us.


Kurt