[arch-commits] Commit in sslsplit/trunk (2 files)

Jan de Groot jgc at archlinux.org
Tue Mar 21 23:01:32 UTC 2017


    Date: Tuesday, March 21, 2017 @ 23:01:32
  Author: jgc
Revision: 218235

upgpkg: sslsplit 0.5.0-2

OpenSSL 1.1.0

Added:
  sslsplit/trunk/0003-Add-fixes-for-OpenSSL-1.1-while-retaining-1.0-compat.patch
Modified:
  sslsplit/trunk/PKGBUILD

-----------------------------------------------------------------+
 0003-Add-fixes-for-OpenSSL-1.1-while-retaining-1.0-compat.patch |  510 ++++++++++
 PKGBUILD                                                        |   13 
 2 files changed, 520 insertions(+), 3 deletions(-)

Added: 0003-Add-fixes-for-OpenSSL-1.1-while-retaining-1.0-compat.patch
===================================================================
--- 0003-Add-fixes-for-OpenSSL-1.1-while-retaining-1.0-compat.patch	                        (rev 0)
+++ 0003-Add-fixes-for-OpenSSL-1.1-while-retaining-1.0-compat.patch	2017-03-21 23:01:32 UTC (rev 218235)
@@ -0,0 +1,510 @@
+From: Hilko Bengen <bengen at debian.org>
+Date: Tue, 8 Nov 2016 00:30:42 +0100
+Subject: Add fixes for OpenSSL 1.1 while retaining 1.0 compatibility
+
+---
+ cachedsess.t.c        |   4 ++
+ cachefkcrt.t.c        |   4 ++
+ cachemgr.h            |  21 ++++++----
+ cachessess.t.c        |  24 ++++++++++--
+ extra/pki/GNUmakefile |   4 +-
+ ssl.c                 | 105 +++++++++++++++++++++++++++++++++++---------------
+ ssl.t.c               |  11 ++++--
+ 7 files changed, 125 insertions(+), 48 deletions(-)
+
+diff --git a/cachedsess.t.c b/cachedsess.t.c
+index 7daa472..49fb9e0 100644
+--- a/cachedsess.t.c
++++ b/cachedsess.t.c
+@@ -120,6 +120,7 @@ START_TEST(cache_dsess_03)
+ }
+ END_TEST
+ 
++#if OPENSSL_VERSION_NUMBER < 0x10100000
+ START_TEST(cache_dsess_04)
+ {
+ 	SSL_SESSION *s1, *s2;
+@@ -145,6 +146,7 @@ START_TEST(cache_dsess_04)
+ 	SSL_SESSION_free(s2);
+ }
+ END_TEST
++#endif
+ 
+ Suite *
+ cachedsess_suite(void)
+@@ -159,7 +161,9 @@ cachedsess_suite(void)
+ 	tcase_add_test(tc, cache_dsess_01);
+ 	tcase_add_test(tc, cache_dsess_02);
+ 	tcase_add_test(tc, cache_dsess_03);
++#if OPENSSL_VERSION_NUMBER < 0x10100000
+ 	tcase_add_test(tc, cache_dsess_04);
++#endif
+ 	suite_add_tcase(s, tc);
+ 
+ 	return s;
+diff --git a/cachefkcrt.t.c b/cachefkcrt.t.c
+index db5e365..d79fb77 100644
+--- a/cachefkcrt.t.c
++++ b/cachefkcrt.t.c
+@@ -89,6 +89,7 @@ START_TEST(cache_fkcrt_03)
+ }
+ END_TEST
+ 
++#if OPENSSL_VERSION_NUMBER < 0x10100000
+ START_TEST(cache_fkcrt_04)
+ {
+ 	X509 *c1, *c2;
+@@ -116,6 +117,7 @@ START_TEST(cache_fkcrt_04)
+ 	fail_unless(cachemgr_preinit() != -1, "reinit");
+ }
+ END_TEST
++#endif
+ 
+ Suite *
+ cachefkcrt_suite(void)
+@@ -130,7 +132,9 @@ cachefkcrt_suite(void)
+ 	tcase_add_test(tc, cache_fkcrt_01);
+ 	tcase_add_test(tc, cache_fkcrt_02);
+ 	tcase_add_test(tc, cache_fkcrt_03);
++#if OPENSSL_VERSION_NUMBER < 0x10100000
+ 	tcase_add_test(tc, cache_fkcrt_04);
++#endif
+ 	suite_add_tcase(s, tc);
+ 
+ 	return s;
+diff --git a/cachemgr.h b/cachemgr.h
+index 8ec7306..2a0fb0e 100644
+--- a/cachemgr.h
++++ b/cachemgr.h
+@@ -61,15 +61,20 @@ void cachemgr_gc(void);
+ #define cachemgr_ssess_get(key, keysz) \
+         cache_get(cachemgr_ssess, cachessess_mkkey((key), (keysz)))
+ #define cachemgr_ssess_set(val) \
+-        cache_set(cachemgr_ssess, \
+-                  cachessess_mkkey((val)->session_id, \
+-                                   (val)->session_id_length), \
+-                  cachessess_mkval(val))
++        { \
++                unsigned int len; \
++                const unsigned char* id = SSL_SESSION_get_id(val, &len); \
++                cache_set(cachemgr_ssess, \
++                          cachessess_mkkey(id, len), \
++                          cachessess_mkval(val));    \
++        }
+ #define cachemgr_ssess_del(val) \
+-        cache_del(cachemgr_ssess, \
+-                  cachessess_mkkey((val)->session_id, \
+-                                   (val)->session_id_length))
+-
++        { \
++                unsigned int len; \
++                const unsigned char* id = SSL_SESSION_get_id(val, &len); \
++                cache_del(cachemgr_ssess, \
++                          cachessess_mkkey(id, len)); \
++        }
+ #define cachemgr_dsess_get(addr, addrlen, sni) \
+         cache_get(cachemgr_dsess, cachedsess_mkkey((addr), (addrlen), (sni)))
+ #define cachemgr_dsess_set(addr, addrlen, sni, val) \
+diff --git a/cachessess.t.c b/cachessess.t.c
+index 8da5287..b23b661 100644
+--- a/cachessess.t.c
++++ b/cachessess.t.c
+@@ -68,13 +68,16 @@ cachemgr_teardown(void)
+ START_TEST(cache_ssess_01)
+ {
+ 	SSL_SESSION *s1, *s2;
++	char* session_id;
++	unsigned int len;
+ 
+ 	s1 = ssl_session_from_file(TMP_SESS_FILE);
+ 	fail_unless(!!s1, "creating session failed");
+ 	fail_unless(ssl_session_is_valid(s1), "session invalid");
+ 
+ 	cachemgr_ssess_set(s1);
+-	s2 = cachemgr_ssess_get(s1->session_id, s1->session_id_length);
++	session_id = SSL_SESSION_get_id(s1, &len);
++	s2 = cachemgr_ssess_get(session_id, len);
+ 	fail_unless(!!s2, "cache returned no session");
+ 	fail_unless(s2 != s1, "cache returned same pointer");
+ 	SSL_SESSION_free(s1);
+@@ -85,12 +88,15 @@ END_TEST
+ START_TEST(cache_ssess_02)
+ {
+ 	SSL_SESSION *s1, *s2;
++	char* session_id;
++	unsigned int len;
+ 
+ 	s1 = ssl_session_from_file(TMP_SESS_FILE);
+ 	fail_unless(!!s1, "creating session failed");
+ 	fail_unless(ssl_session_is_valid(s1), "session invalid");
+ 
+-	s2 = cachemgr_ssess_get(s1->session_id, s1->session_id_length);
++	session_id = SSL_SESSION_get_id(s1, &len);
++	s2 = cachemgr_ssess_get(session_id, len);
+ 	fail_unless(s2 == NULL, "session was already in empty cache");
+ 	SSL_SESSION_free(s1);
+ }
+@@ -99,6 +105,8 @@ END_TEST
+ START_TEST(cache_ssess_03)
+ {
+ 	SSL_SESSION *s1, *s2;
++	char* session_id;
++	unsigned int len;
+ 
+ 	s1 = ssl_session_from_file(TMP_SESS_FILE);
+ 	fail_unless(!!s1, "creating session failed");
+@@ -106,15 +114,19 @@ START_TEST(cache_ssess_03)
+ 
+ 	cachemgr_ssess_set(s1);
+ 	cachemgr_ssess_del(s1);
+-	s2 = cachemgr_ssess_get(s1->session_id, s1->session_id_length);
++	session_id = SSL_SESSION_get_id(s1, &len);
++	s2 = cachemgr_ssess_get(session_id, len);
+ 	fail_unless(s2 == NULL, "cache returned deleted session");
+ 	SSL_SESSION_free(s1);
+ }
+ END_TEST
+ 
++#if OPENSSL_VERSION_NUMBER < 0x10100000
+ START_TEST(cache_ssess_04)
+ {
+ 	SSL_SESSION *s1, *s2;
++	char* session_id;
++	unsigned int len;
+ 
+ 	s1 = ssl_session_from_file(TMP_SESS_FILE);
+ 	fail_unless(!!s1, "creating session failed");
+@@ -123,7 +135,8 @@ START_TEST(cache_ssess_04)
+ 	fail_unless(s1->references == 1, "refcount != 1");
+ 	cachemgr_ssess_set(s1);
+ 	fail_unless(s1->references == 1, "refcount != 1");
+-	s2 = cachemgr_ssess_get(s1->session_id, s1->session_id_length);
++	session_id = SSL_SESSION_get_id(s1, &len);
++	s2 = cachemgr_ssess_get(session_id, len);
+ 	fail_unless(s1->references == 1, "refcount != 1");
+ 	fail_unless(!!s2, "cache returned no session");
+ 	fail_unless(s2->references == 1, "refcount != 1");
+@@ -137,6 +150,7 @@ START_TEST(cache_ssess_04)
+ 	SSL_SESSION_free(s2);
+ }
+ END_TEST
++#endif
+ 
+ Suite *
+ cachessess_suite(void)
+@@ -151,7 +165,9 @@ cachessess_suite(void)
+ 	tcase_add_test(tc, cache_ssess_01);
+ 	tcase_add_test(tc, cache_ssess_02);
+ 	tcase_add_test(tc, cache_ssess_03);
++#if OPENSSL_VERSION_NUMBER < 0x10100000
+ 	tcase_add_test(tc, cache_ssess_04);
++#endif
+ 	suite_add_tcase(s, tc);
+ 
+ 	return s;
+diff --git a/extra/pki/GNUmakefile b/extra/pki/GNUmakefile
+index bd7b8d6..d0300fe 100644
+--- a/extra/pki/GNUmakefile
++++ b/extra/pki/GNUmakefile
+@@ -63,7 +63,7 @@ ec.key:
+ 	$(OPENSSL) req -new -nodes -x509 $(DIGEST) -out $@ -key $< \
+ 		-config $(CONFIG) -extensions $(CA_EXT) \
+ 		-subj $(CA_SUBJECT) \
+-		-set_serial 0 -days $(CA_DAYS)
++		-set_serial 1 -days $(CA_DAYS)
+ 
+ server.key:
+ 	$(OPENSSL) genrsa -out $@ 2048
+@@ -112,7 +112,7 @@ targets/wildcard.roe.ch.pem: rsa.crt
+ 
+ # localhost network connectivity is required
+ session.pem:
+-	openssl s_server -accept 46143 -cert server.pem -quiet -no_ssl2 & \
++	openssl s_server -accept 46143 -cert server.pem -quiet & \
+ 		pid=$$! ; \
+ 		sleep 1 ; \
+ 		echo q | $(OPENSSL) s_client -connect localhost:46143 \
+diff --git a/ssl.c b/ssl.c
+index ca19263..417d57d 100644
+--- a/ssl.c
++++ b/ssl.c
+@@ -88,6 +88,39 @@ ssl_ssl_cert_get(SSL *s)
+ }
+ #endif /* OpenSSL 0.9.8y, 1.0.0k or 1.0.1e */
+ 
++#if OPENSSL_VERSION_NUMBER < 0x10100000
++#define SSL_is_server(ssl) (ssl->type != SSL_ST_CONNECT)
++#define X509_get_signature_nid(x509) (OBJ_obj2nid(x509->sig_alg->algorithm))
++static int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
++{
++    /* If the fields p and g in d are NULL, the corresponding input
++     * parameters MUST be non-NULL.  q may remain NULL.
++     */
++    if ((dh->p == NULL && p == NULL)
++        || (dh->g == NULL && g == NULL))
++        return 0;
++
++    if (p != NULL) {
++        BN_free(dh->p);
++        dh->p = p;
++    }
++    if (q != NULL) {
++        BN_free(dh->q);
++        dh->q = q;
++    }
++    if (g != NULL) {
++        BN_free(dh->g);
++        dh->g = g;
++    }
++
++    if (q != NULL) {
++        dh->length = BN_num_bits(q);
++    }
++
++    return 1;
++}
++#endif
++
+ 
+ /*
+  * Print OpenSSL version and build-time configuration to standard error and
+@@ -226,7 +259,7 @@ ssl_openssl_version(void)
+  */
+ static int ssl_initialized = 0;
+ 
+-#ifdef OPENSSL_THREADS
++#if defined(OPENSSL_THREADS) && OPENSSL_VERSION_NUMBER < 0x10100000L
+ struct CRYPTO_dynlock_value {
+ 	pthread_mutex_t mutex;
+ };
+@@ -331,7 +364,7 @@ ssl_init(void)
+ 	OpenSSL_add_all_algorithms();
+ 
+ 	/* thread-safety */
+-#ifdef OPENSSL_THREADS
++#if defined(OPENSSL_THREADS) && OPENSSL_VERSION_NUMBER < 0x10100000L
+ 	ssl_mutex_num = CRYPTO_num_locks();
+ 	ssl_mutex = malloc(ssl_mutex_num * sizeof(*ssl_mutex));
+ 	for (int i = 0; i < ssl_mutex_num; i++) {
+@@ -397,7 +430,7 @@ ssl_reinit(void)
+ 	if (!ssl_initialized)
+ 		return;
+ 
+-#ifdef OPENSSL_THREADS
++#if defined(OPENSSL_THREADS) && OPENSSL_VERSION_NUMBER < 0x10100000L
+ 	for (int i = 0; i < ssl_mutex_num; i++) {
+ 		pthread_mutex_init(&ssl_mutex[i], NULL);
+ 	}
+@@ -416,7 +449,7 @@ ssl_fini(void)
+ 
+ 	ERR_remove_state(0); /* current thread */
+ 
+-#ifdef OPENSSL_THREADS
++#if defined(OPENSSL_THREADS) && OPENSSL_VERSION_NUMBER < 0x10100000L
+ 	CRYPTO_set_locking_callback(NULL);
+ 	CRYPTO_set_dynlock_create_callback(NULL);
+ 	CRYPTO_set_dynlock_lock_callback(NULL);
+@@ -476,16 +509,14 @@ ssl_ssl_state_to_str(SSL *ssl)
+ 	char *str = NULL;
+ 	int rv;
+ 
+-	rv = asprintf(&str, "%08x = %s%s%s%04x = %s (%s) [%s]",
+-	              ssl->state,
+-	              (ssl->state & SSL_ST_CONNECT) ? "SSL_ST_CONNECT|" : "",
+-	              (ssl->state & SSL_ST_ACCEPT) ? "SSL_ST_ACCEPT|" : "",
+-	              (ssl->state & SSL_ST_BEFORE) ? "SSL_ST_BEFORE|" : "",
+-	              ssl->state & SSL_ST_MASK,
++	rv = asprintf(&str, "%08x = %s%s%04x = %s (%s) [%s]",
++	              SSL_get_state(ssl),
++	              (SSL_get_state(ssl) & SSL_ST_CONNECT) ? "SSL_ST_CONNECT|" : "",
++	              (SSL_get_state(ssl) & SSL_ST_ACCEPT) ? "SSL_ST_ACCEPT|" : "",
++	              SSL_get_state(ssl) & SSL_ST_MASK,
+ 	              SSL_state_string(ssl),
+ 	              SSL_state_string_long(ssl),
+-	              (ssl->type == SSL_ST_CONNECT) ? "connect socket"
+-	                                            : "accept socket");
++	              SSL_is_server(ssl) ? "accept socket" : "connect socket");
+ 
+ 	return (rv < 0) ? NULL : str;
+ }
+@@ -587,6 +618,7 @@ DH *
+ ssl_tmp_dh_callback(UNUSED SSL *s, int is_export, int keylength)
+ {
+ 	DH *dh;
++	int success = 0;
+ 
+ 	if (!(dh = DH_new())) {
+ 		log_err_printf("DH_new() failed\n");
+@@ -594,16 +626,20 @@ ssl_tmp_dh_callback(UNUSED SSL *s, int is_export, int keylength)
+ 	}
+ 	switch (keylength) {
+ 		case 512:
+-			dh->p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL);
++			success = DH_set0_pqg(dh, BN_bin2bn(dh512_p, sizeof(dh512_p), NULL), NULL,
++				    BN_bin2bn(dh_g, sizeof(dh_g), NULL));
+ 			break;
+ 		case 1024:
+-			dh->p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL);
++			success = DH_set0_pqg(dh, BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL), NULL,
++				    BN_bin2bn(dh_g, sizeof(dh_g), NULL));
+ 			break;
+ 		case 2048:
+-			dh->p = BN_bin2bn(dh2048_p, sizeof(dh2048_p), NULL);
++			success = DH_set0_pqg(dh, BN_bin2bn(dh2048_p, sizeof(dh2048_p), NULL), NULL,
++				    BN_bin2bn(dh_g, sizeof(dh_g), NULL));
+ 			break;
+ 		case 4096:
+-			dh->p = BN_bin2bn(dh4096_p, sizeof(dh4096_p), NULL);
++			success = DH_set0_pqg(dh, BN_bin2bn(dh4096_p, sizeof(dh4096_p), NULL), NULL,
++				    BN_bin2bn(dh_g, sizeof(dh_g), NULL));
+ 			break;
+ 		default:
+ 			log_err_printf("Unhandled DH keylength %i%s\n",
+@@ -612,8 +648,7 @@ ssl_tmp_dh_callback(UNUSED SSL *s, int is_export, int keylength)
+ 			DH_free(dh);
+ 			return NULL;
+ 	}
+-	dh->g = BN_bin2bn(dh_g, sizeof(dh_g), NULL);
+-	if (!dh->p || !dh->g) {
++	if (!success) {
+ 		log_err_printf("Failed to load DH p and g from memory\n");
+ 		DH_free(dh);
+ 		return NULL;
+@@ -841,7 +876,7 @@ ssl_x509_forge(X509 *cacrt, EVP_PKEY *cakey, X509 *origcrt,
+ 			if (!gn)
+ 				goto errout2;
+ 			gn->type = GEN_DNS;
+-			gn->d.dNSName = M_ASN1_IA5STRING_new();
++			gn->d.dNSName = ASN1_IA5STRING_new();
+ 			if (!gn->d.dNSName)
+ 				goto errout3;
+ 			ASN1_STRING_set(gn->d.dNSName,
+@@ -865,10 +900,10 @@ ssl_x509_forge(X509 *cacrt, EVP_PKEY *cakey, X509 *origcrt,
+ #endif /* DEBUG_CERTIFICATE */
+ 
+ 	const EVP_MD *md;
+-	switch (EVP_PKEY_type(cakey->type)) {
++	switch (EVP_PKEY_type(EVP_PKEY_base_id(cakey))) {
+ #ifndef OPENSSL_NO_RSA
+ 	case EVP_PKEY_RSA:
+-		switch (OBJ_obj2nid(origcrt->sig_alg->algorithm)) {
++		switch (X509_get_signature_nid(origcrt)) {
+ 		case NID_md5WithRSAEncryption:
+ 			md = EVP_md5();
+ 			break;
+@@ -897,12 +932,20 @@ ssl_x509_forge(X509 *cacrt, EVP_PKEY *cakey, X509 *origcrt,
+ #endif /* !OPENSSL_NO_RSA */
+ #ifndef OPENSSL_NO_DSA
+ 	case EVP_PKEY_DSA:
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ 		md = EVP_dss1();
++#else
++		md = EVP_sha1();
++#endif
+ 		break;
+ #endif /* !OPENSSL_NO_DSA */
+ #ifndef OPENSSL_NO_ECDSA
+ 	case EVP_PKEY_EC:
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ 		md = EVP_ecdsa();
++#else
++		md = EVP_sha1();
++#endif
+ 		break;
+ #endif /* !OPENSSL_NO_ECDSA */
+ 	default:
+@@ -1015,7 +1058,6 @@ ssl_x509chain_use(SSL_CTX *sslctx, X509 *crt, STACK_OF(X509) *chain)
+ 
+ 		tmpcrt = sk_X509_value(chain, i);
+ 		ssl_x509_refcount_inc(tmpcrt);
+-		sk_X509_push(sslctx->extra_certs, tmpcrt);
+ 		SSL_CTX_add_extra_chain_cert(sslctx, tmpcrt);
+ 	}
+ }
+@@ -1117,14 +1159,15 @@ int
+ ssl_key_identifier_sha1(EVP_PKEY *key, unsigned char *keyid)
+ {
+ 	X509_PUBKEY *pubkey = NULL;
+-	ASN1_BIT_STRING *pk;
++	const unsigned char *pk;
++	int length;
+ 
+ 	/* X509_PUBKEY_set() will attempt to free pubkey if != NULL */
+ 	if (X509_PUBKEY_set(&pubkey, key) != 1 || !pubkey)
+ 		return -1;
+-	if (!(pk = pubkey->public_key))
++	if (!X509_PUBKEY_get0_param(NULL, &pk, &length, NULL, pubkey))
+ 		goto errout;
+-	if (!EVP_Digest(pk->data, pk->length, keyid, NULL, EVP_sha1(), NULL))
++	if (!EVP_Digest(pk, length, keyid, NULL, EVP_sha1(), NULL))
+ 		goto errout;
+ 	X509_PUBKEY_free(pubkey);
+ 	return 0;
+@@ -1221,10 +1264,10 @@ ssl_x509_fingerprint(X509 *crt, int colons)
+ void
+ ssl_dh_refcount_inc(DH *dh)
+ {
+-#ifdef OPENSSL_THREADS
++#if defined(OPENSSL_THREADS) && OPENSSL_VERSION_NUMBER < 0x10100000L
+ 	CRYPTO_add(&dh->references, 1, CRYPTO_LOCK_DH);
+ #else /* !OPENSSL_THREADS */
+-	dh->references++;
++	DH_up_ref(dh);
+ #endif /* !OPENSSL_THREADS */
+ }
+ #endif /* !OPENSSL_NO_DH */
+@@ -1236,10 +1279,10 @@ ssl_dh_refcount_inc(DH *dh)
+ void
+ ssl_key_refcount_inc(EVP_PKEY *key)
+ {
+-#ifdef OPENSSL_THREADS
++#if defined(OPENSSL_THREADS) && OPENSSL_VERSION_NUMBER < 0x10100000L
+ 	CRYPTO_add(&key->references, 1, CRYPTO_LOCK_EVP_PKEY);
+ #else /* !OPENSSL_THREADS */
+-	key->references++;
++	EVP_PKEY_up_ref(key);
+ #endif /* !OPENSSL_THREADS */
+ }
+ 
+@@ -1251,10 +1294,10 @@ ssl_key_refcount_inc(EVP_PKEY *key)
+ void
+ ssl_x509_refcount_inc(X509 *crt)
+ {
+-#ifdef OPENSSL_THREADS
++#if defined(OPENSSL_THREADS) && OPENSSL_VERSION_NUMBER < 0x10100000L
+ 	CRYPTO_add(&crt->references, 1, CRYPTO_LOCK_X509);
+ #else /* !OPENSSL_THREADS */
+-	crt->references++;
++	X509_up_ref(crt);
+ #endif /* !OPENSSL_THREADS */
+ }
+ 
+diff --git a/ssl.t.c b/ssl.t.c
+index 997794f..9705976 100644
+--- a/ssl.t.c
++++ b/ssl.t.c
+@@ -498,6 +498,10 @@ START_TEST(ssl_tls_clienthello_parse_10)
+ }
+ END_TEST
+ 
++#if OPENSSL_VERSION_NUMBER < 0x10100000
++#define ASN1_STRING_get0_data(value) ASN1_STRING_data(value)
++#endif
++
+ START_TEST(ssl_key_identifier_sha1_01)
+ {
+ 	X509 *c;
+@@ -515,9 +519,10 @@ START_TEST(ssl_key_identifier_sha1_01)
+ 	int loc = X509_get_ext_by_NID(c, NID_subject_key_identifier, -1);
+ 	X509_EXTENSION *ext = X509_get_ext(c, loc);
+ 	fail_unless(!!ext, "loading ext failed");
+-	fail_unless(ext->value->length - 2 == SSL_KEY_IDSZ,
+-	            "extension length mismatch");
+-	fail_unless(!memcmp(ext->value->data + 2, keyid, SSL_KEY_IDSZ),
++	ASN1_STRING *value = X509_EXTENSION_get_data(ext);
++	fail_unless(ASN1_STRING_length(value) - 2 == SSL_KEY_IDSZ,
++	             "extension length mismatch");
++	fail_unless(!memcmp(ASN1_STRING_get0_data(value) + 2, keyid, SSL_KEY_IDSZ),
+ 	            "key id mismatch");
+ }
+ END_TEST

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2017-03-21 23:01:12 UTC (rev 218234)
+++ PKGBUILD	2017-03-21 23:01:32 UTC (rev 218235)
@@ -2,7 +2,7 @@
 
 pkgname=sslsplit
 pkgver=0.5.0
-pkgrel=1
+pkgrel=2
 pkgdesc="Tool for man-in-the-middle attacks against SSL/TLS encrypted network connections"
 url="https://www.roe.ch/SSLsplit"
 arch=('i686' 'x86_64')
@@ -9,11 +9,18 @@
 license=('BSD')
 depends=('libevent' 'openssl')
 checkdepends=('check')
-source=(https://mirror.roe.ch/rel/${pkgname}/${pkgname}-${pkgver}.tar.bz2{,.asc})
+source=(https://mirror.roe.ch/rel/${pkgname}/${pkgname}-${pkgver}.tar.bz2{,.asc}
+        0003-Add-fixes-for-OpenSSL-1.1-while-retaining-1.0-compat.patch)
 sha512sums=('d8d4f294018a7a28b6e5cdec4690c5078118e1fc9c8b78d626290cdb5f2c8d2ecdbbee776a50666a99c522e9e22a15e85b5a602c412e242ec4cce64327555862'
-            'SKIP')
+            'SKIP'
+            'b3fbde26b992c40adb15d218ce067ecc53707ed9746b3a7e166d0333543283368a0c439903d36dedfb6fd9d33599abbf0554b731a68bd2524824319e1970de56')
 validpgpkeys=('BFF9C7D7EA0EAC7F1AA55B3EFABE3324B5D3397E') # Daniel Roethlisberger <daniel at roe.ch>
 
+prepare() {
+  cd ${pkgname}-${pkgver}
+  patch -Np1 -i ../0003-Add-fixes-for-OpenSSL-1.1-while-retaining-1.0-compat.patch
+}
+
 build() {
   cd ${pkgname}-${pkgver}
   make


More information about the arch-commits mailing list