<pre style='margin:0'>
Joshua Root (jmroot) pushed a commit to branch master
in repository macports-ports.
</pre>
<p><a href="https://github.com/macports/macports-ports/commit/a2c5bd5ea0347b64a928b33f48dec4ba2d07f300">https://github.com/macports/macports-ports/commit/a2c5bd5ea0347b64a928b33f48dec4ba2d07f300</a></p>
<pre style="white-space: pre; background: #F8F8F8">The following commit(s) were added to refs/heads/master by this push:
<span style='display:block; white-space:pre;color:#404040;'> new a2c5bd5 squid3: fix build with openssl 1.1
</span>a2c5bd5 is described below
<span style='display:block; white-space:pre;color:#808000;'>commit a2c5bd5ea0347b64a928b33f48dec4ba2d07f300
</span>Author: Joshua Root <jmr@macports.org>
AuthorDate: Thu Sep 12 17:03:47 2019 +1000
<span style='display:block; white-space:pre;color:#404040;'> squid3: fix build with openssl 1.1
</span><span style='display:block; white-space:pre;color:#404040;'>
</span><span style='display:block; white-space:pre;color:#404040;'> Closes: https://trac.macports.org/ticket/58944
</span>---
net/squid3/Portfile | 3 +-
net/squid3/files/openssl-1.1.diff | 850 ++++++++++++++++++++++++++++++++++++++
2 files changed, 852 insertions(+), 1 deletion(-)
<span style='display:block; white-space:pre;color:#808080;'>diff --git a/net/squid3/Portfile b/net/squid3/Portfile
</span><span style='display:block; white-space:pre;color:#808080;'>index 8581f89..266ecca 100644
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>--- a/net/squid3/Portfile
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/net/squid3/Portfile
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -38,7 +38,8 @@ checksums md5 9367e0375ea53ba0e99f77054d4402c5 \
</span> patchfiles patch-cf.data.pre.diff \
patch-compat_types.h.diff \
patch-basic_pam_auth.cc.diff \
<span style='display:block; white-space:pre;background:#ffe0e0;'>- configure-db.h.diff
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ configure-db.h.diff \
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ openssl-1.1.diff
</span>
platform darwin 10 {
# ticket #37102, /usr/include/rpcsvc/yp_prot.h tries to redefine bool
<span style='display:block; white-space:pre;color:#808080;'>diff --git a/net/squid3/files/openssl-1.1.diff b/net/squid3/files/openssl-1.1.diff
</span>new file mode 100644
<span style='display:block; white-space:pre;color:#808080;'>index 0000000..352539b
</span><span style='display:block; white-space:pre;background:#ffe0e0;'>--- /dev/null
</span><span style='display:block; white-space:pre;background:#e0e0ff;'>+++ b/net/squid3/files/openssl-1.1.diff
</span><span style='display:block; white-space:pre;background:#e0e0e0;'>@@ -0,0 +1,850 @@
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- src/ssl/gadgets.h.orig 2018-07-16 06:46:55.000000000 +1000
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ src/ssl/gadgets.h 2019-09-10 15:14:31.000000000 +1000
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -80,13 +80,13 @@ public:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ * TidyPointer typedefs for common SSL objects
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ CtoCpp1(X509_free, X509 *)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-typedef LockingPointer<X509, X509_free_cpp, CRYPTO_LOCK_X509> X509_Pointer;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++typedef TidyPointer<X509, X509_free_cpp> X509_Pointer;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sk_free_wrapper(sk_X509, STACK_OF(X509) *, X509_free)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ typedef TidyPointer<STACK_OF(X509), sk_X509_free_wrapper> X509_STACK_Pointer;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ CtoCpp1(EVP_PKEY_free, EVP_PKEY *)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-typedef LockingPointer<EVP_PKEY, EVP_PKEY_free_cpp, CRYPTO_LOCK_EVP_PKEY> EVP_PKEY_Pointer;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++typedef TidyPointer<EVP_PKEY, EVP_PKEY_free_cpp> EVP_PKEY_Pointer;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ CtoCpp1(BN_free, BIGNUM *)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ typedef TidyPointer<BIGNUM, BN_free_cpp> BIGNUM_Pointer;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -113,7 +113,7 @@ CtoCpp1(SSL_CTX_free, SSL_CTX *)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ typedef TidyPointer<SSL_CTX, SSL_CTX_free_cpp> SSL_CTX_Pointer;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ CtoCpp1(SSL_free, SSL *)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-typedef LockingPointer<SSL, SSL_free_cpp, CRYPTO_LOCK_SSL> SSL_Pointer;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++typedef TidyPointer<SSL, SSL_free_cpp> SSL_Pointer;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ CtoCpp1(DH_free, DH *);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ typedef TidyPointer<DH, DH_free_cpp> DH_Pointer;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- src/ssl/gadgets.cc.orig 2018-07-16 06:46:55.000000000 +1000
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ src/ssl/gadgets.cc 2019-09-12 11:36:11.000000000 +1000
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -109,7 +109,7 @@ bool Ssl::writeCertAndPrivateKeyToFile(S
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (!pkey || !cert)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return false;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- Ssl::BIO_Pointer bio(BIO_new(BIO_s_file_internal()));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ Ssl::BIO_Pointer bio(BIO_new(BIO_s_file()));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (!bio)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return false;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (!BIO_write_filename(bio.get(), const_cast<char *>(filename)))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -292,7 +292,8 @@ mimicExtensions(Ssl::X509_Pointer & cert
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ DecipherOnly
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ };
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- int mimicAlgo = OBJ_obj2nid(mimicCert.get()->cert_info->key->algor->algorithm);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ EVP_PKEY *certKey = X509_get_pubkey(mimicCert.get());
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ const bool rsaPkey = (EVP_PKEY_get0_RSA(certKey) != NULL);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int added = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int nid;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -302,7 +303,7 @@ mimicExtensions(Ssl::X509_Pointer & cert
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ // Mimic extension exactly.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (X509_add_ext(cert.get(), ext, -1))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ++added;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if ( nid == NID_key_usage && mimicAlgo != NID_rsaEncryption ) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if ( nid == NID_key_usage && !rsaPkey ) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ // NSS does not requre the KeyEncipherment flag on EC keys
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ // but it does require it for RSA keys. Since ssl-bump
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ // substitutes RSA keys for EC ones, we need to ensure that
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -321,12 +322,12 @@ mimicExtensions(Ssl::X509_Pointer & cert
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ &ext_der,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ (const ASN1_ITEM *)ASN1_ITEM_ptr(method->it));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- ASN1_OCTET_STRING *ext_oct = M_ASN1_OCTET_STRING_new();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ASN1_OCTET_STRING *ext_oct = ASN1_OCTET_STRING_new();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ext_oct->data = ext_der;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ext_oct->length = ext_len;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ X509_EXTENSION_set_data(ext, ext_oct);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- M_ASN1_OCTET_STRING_free(ext_oct);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ASN1_OCTET_STRING_free(ext_oct);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ASN1_BIT_STRING_free(keyusage);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -462,7 +463,7 @@ static bool generateFakeSslCertificate(S
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Ssl::EVP_PKEY_Pointer pkey;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ // Use signing certificates private key as generated certificate private key
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (properties.signWithPkey.get())
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- pkey.resetAndLock(properties.signWithPkey.get());
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ pkey.reset(properties.signWithPkey.get());
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ else // if not exist generate one
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ pkey.reset(Ssl::createSslPrivateKey());
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -603,7 +604,7 @@ static X509 * readSslX509Certificate(cha
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (!certFilename)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- Ssl::BIO_Pointer bio(BIO_new(BIO_s_file_internal()));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ Ssl::BIO_Pointer bio(BIO_new(BIO_s_file()));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (!bio)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (!BIO_read_filename(bio.get(), certFilename))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -616,7 +617,7 @@ EVP_PKEY * Ssl::readSslPrivateKey(char c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (!keyFilename)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- Ssl::BIO_Pointer bio(BIO_new(BIO_s_file_internal()));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ Ssl::BIO_Pointer bio(BIO_new(BIO_s_file()));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (!bio)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (!BIO_read_filename(bio.get(), keyFilename))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -750,7 +751,7 @@ bool Ssl::certificateMatchesProperties(X
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (cert1_altnames) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int numalts = sk_GENERAL_NAME_num(cert1_altnames);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ for (int i = 0; match && i < numalts; ++i) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- const GENERAL_NAME *aName = sk_GENERAL_NAME_value(cert1_altnames, i);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ GENERAL_NAME *aName = sk_GENERAL_NAME_value(cert1_altnames, i);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ match = sk_GENERAL_NAME_find(cert2_altnames, aName);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ } else if (cert2_altnames)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- src/ssl/bio.h.orig 2018-07-16 06:46:55.000000000 +1000
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ src/ssl/bio.h 2019-09-12 14:58:05.000000000 +1000
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -40,11 +40,11 @@ public:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ bool get(const SSL *ssl); ///< Retrieves the features from SSL object
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /// Retrieves features from raw SSL Hello message.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /// \param record whether to store Message to the helloMessage member
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- bool get(const MemBuf &, bool record = true);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ bool get(const MemBuf &, bool record = true, SSL *ssl = NULL);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /// Parses a v3 ClientHello message
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- bool parseV3Hello(const unsigned char *hello, size_t helloSize);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ bool parseV3Hello(const unsigned char *hello, size_t helloSize, SSL *ssl);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /// Parses a v23 ClientHello message
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- bool parseV23Hello(const unsigned char *hello, size_t helloSize);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ bool parseV23Hello(const unsigned char *hello, size_t helloSize, SSL *ssl);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /// Parses a v3 ServerHello message.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ bool parseV3ServerHello(const unsigned char *hello, size_t helloSize);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /// Prints to os stream a human readable form of sslFeatures object
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- src/ssl/bio.cc.orig 2018-07-16 06:46:55.000000000 +1000
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ src/ssl/bio.cc 2019-09-12 14:53:50.000000000 +1000
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -41,25 +41,23 @@ static int squid_bio_destroy(BIO *data);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ /* SSL callbacks */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ static void squid_ssl_info(const SSL *ssl, int where, int ret);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-/// Initialization structure for the BIO table with
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-/// Squid-specific methods and BIO method wrappers.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-static BIO_METHOD SquidMethods = {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- BIO_TYPE_SOCKET,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- "squid",
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- squid_bio_write,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- squid_bio_read,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- squid_bio_puts,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- NULL, // squid_bio_gets not supported
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- squid_bio_ctrl,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- squid_bio_create,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- squid_bio_destroy,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- NULL // squid_callback_ctrl not supported
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-};
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++static BIO_METHOD *SquidMethods = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ BIO *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Ssl::Bio::Create(const int fd, Ssl::Bio::Type type)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if (BIO *bio = BIO_new(&SquidMethods)) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (!SquidMethods) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ SquidMethods = BIO_meth_new(BIO_TYPE_SOCKET, "squid");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ BIO_meth_set_write(SquidMethods, squid_bio_write);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ BIO_meth_set_read(SquidMethods, squid_bio_read);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ BIO_meth_set_puts(SquidMethods, squid_bio_puts);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ BIO_meth_set_gets(SquidMethods, NULL);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ BIO_meth_set_ctrl(SquidMethods, squid_bio_ctrl);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ BIO_meth_set_create(SquidMethods, squid_bio_create);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ BIO_meth_set_destroy(SquidMethods, squid_bio_destroy);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (BIO *bio = BIO_new(SquidMethods)) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ BIO_int_ctrl(bio, BIO_C_SET_FD, type, fd);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return bio;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -185,21 +183,6 @@ Ssl::ClientBio::ClientBio(const int anFd
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ renegotiations.configure(10*1000);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-bool
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-Ssl::ClientBio::isClientHello(int state)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-{
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- return (
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-#if defined(SSL2_ST_GET_CLIENT_HELLO_A)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- state == SSL2_ST_GET_CLIENT_HELLO_A ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- state == SSL3_ST_SR_CLNT_HELLO_A ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- state == SSL23_ST_SR_CLNT_HELLO_A ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- state == SSL23_ST_SR_CLNT_HELLO_B ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- state == SSL3_ST_SR_CLNT_HELLO_B ||
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- state == SSL3_ST_SR_CLNT_HELLO_C
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- );
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-}
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ void
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Ssl::ClientBio::stateChanged(const SSL *ssl, int where, int ret)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -570,10 +553,7 @@ Ssl::ServerBio::resumingSession()
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ static int
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ squid_bio_create(BIO *bi)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- bi->init = 0; // set when we store Bio object and socket fd (BIO_C_SET_FD)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- bi->num = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- bi->ptr = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- bi->flags = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ BIO_set_data(bi, NULL);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return 1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -581,8 +561,8 @@ squid_bio_create(BIO *bi)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ static int
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ squid_bio_destroy(BIO *table)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- delete static_cast<Ssl::Bio*>(table->ptr);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- table->ptr = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ delete static_cast<Ssl::Bio*>(BIO_get_data(table));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ BIO_set_data(table, NULL);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return 1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -590,7 +570,7 @@ squid_bio_destroy(BIO *table)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ static int
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ squid_bio_write(BIO *table, const char *buf, int size)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- Ssl::Bio *bio = static_cast<Ssl::Bio*>(table->ptr);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ Ssl::Bio *bio = static_cast<Ssl::Bio*>(BIO_get_data(table));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ assert(bio);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return bio->write(buf, size, table);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -599,7 +579,7 @@ squid_bio_write(BIO *table, const char *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ static int
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ squid_bio_read(BIO *table, char *buf, int size)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- Ssl::Bio *bio = static_cast<Ssl::Bio*>(table->ptr);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ Ssl::Bio *bio = static_cast<Ssl::Bio*>(BIO_get_data(table));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ assert(bio);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return bio->read(buf, size, table);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -627,15 +607,15 @@ squid_bio_ctrl(BIO *table, int cmd, long
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ bio = new Ssl::ServerBio(fd);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ else
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ bio = new Ssl::ClientBio(fd);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- assert(!table->ptr);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- table->ptr = bio;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- table->init = 1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ assert(!BIO_get_data(table));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ BIO_set_data(table, bio);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ BIO_set_init(table, 1);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ case BIO_C_GET_FD:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if (table->init) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- Ssl::Bio *bio = static_cast<Ssl::Bio*>(table->ptr);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (BIO_get_init(table)) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ Ssl::Bio *bio = static_cast<Ssl::Bio*>(BIO_get_data(table));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ assert(bio);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (arg2)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ *static_cast<int*>(arg2) = bio->fd();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -649,8 +629,8 @@ squid_bio_ctrl(BIO *table, int cmd, long
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ case BIO_CTRL_FLUSH:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if (table->init) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- Ssl::Bio *bio = static_cast<Ssl::Bio*>(table->ptr);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (BIO_get_init(table)) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ Ssl::Bio *bio = static_cast<Ssl::Bio*>(BIO_get_data(table));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ assert(bio);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ bio->flush(table);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return 1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -680,7 +660,7 @@ static void
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ squid_ssl_info(const SSL *ssl, int where, int ret)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (BIO *table = SSL_get_rbio(ssl)) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if (Ssl::Bio *bio = static_cast<Ssl::Bio*>(table->ptr))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (Ssl::Bio *bio = static_cast<Ssl::Bio*>(BIO_get_data(table)))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ bio->stateChanged(ssl, where, ret);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -721,32 +701,32 @@ Ssl::Bio::sslFeatures::get(const SSL *ss
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #if !defined(OPENSSL_NO_COMP)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if (ssl->session->compress_meth)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- compressMethod = ssl->session->compress_meth;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (SSL_SESSION_get_compress_id(SSL_get_session(ssl)))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ compressMethod = SSL_SESSION_get_compress_id(SSL_get_session(ssl));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ else if (sslVersion >= 3) //if it is 3 or newer version then compression is disabled
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ compressMethod = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ debugs(83, 7, "SSL compression: " << compressMethod);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ STACK_OF(SSL_CIPHER) * ciphers = NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if (ssl->server)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- ciphers = ssl->session->ciphers;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (SSL_get_client_ciphers(ssl))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ciphers = SSL_get_client_ciphers(ssl);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ else
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- ciphers = ssl->cipher_list;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ciphers = SSL_get_ciphers(ssl);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (ciphers) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ for (int i = 0; i < sk_SSL_CIPHER_num(ciphers); ++i) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- SSL_CIPHER *c = sk_SSL_CIPHER_value(ciphers, i);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ const SSL_CIPHER *c = sk_SSL_CIPHER_value(ciphers, i);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (c != NULL) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (!clientRequestedCiphers.empty())
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ clientRequestedCiphers.append(":");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- clientRequestedCiphers.append(c->name);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ clientRequestedCiphers.append(SSL_CIPHER_get_name(c));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ debugs(83, 7, "Ciphers requested by client: " << clientRequestedCiphers);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if (sslVersion >=3 && ssl->s3 && ssl->s3->client_random[0]) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- memcpy(client_random, ssl->s3->client_random, SSL3_RANDOM_SIZE);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (sslVersion >=3) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ SSL_get_client_random(ssl, client_random, SSL3_RANDOM_SIZE);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #if 0 /* XXX: OpenSSL 0.9.8k lacks at least some of these tlsext_* fields */
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -915,7 +895,7 @@ Ssl::Bio::sslFeatures::helloRecord(const
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ bool
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-Ssl::Bio::sslFeatures::get(const MemBuf &buf, bool record)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++Ssl::Bio::sslFeatures::get(const MemBuf &buf, bool record, SSL *ssl)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int msgSize;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if ((msgSize = parseMsgHead(buf)) <= 0) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -935,7 +915,7 @@ Ssl::Bio::sslFeatures::get(const MemBuf
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (msg[0] & 0x80)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- return parseV23Hello(msg, (size_t)msgSize);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return parseV23Hello(msg, (size_t)msgSize, ssl);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ else {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ // Hello messages require 5 bytes header + 1 byte Msg type + 3 bytes for Msg size
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (buf.contentSize() < 9)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -950,7 +930,7 @@ Ssl::Bio::sslFeatures::get(const MemBuf
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return true;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ } else if (msg[5] == 0x1) // ClientHello message,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- return parseV3Hello(msg, (size_t)msgSize);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ return parseV3Hello(msg, (size_t)msgSize, ssl);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return false;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1030,7 +1010,7 @@ Ssl::Bio::sslFeatures::parseV3ServerHell
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ bool
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-Ssl::Bio::sslFeatures::parseV3Hello(const unsigned char *messageContainer, size_t messageContainerSize)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++Ssl::Bio::sslFeatures::parseV3Hello(const unsigned char *messageContainer, size_t messageContainerSize, SSL *ssl)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ // Parse a ClientHello Handshake message
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ // RFC5246 section 7.4, 7.4.1.2
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1093,18 +1073,13 @@ Ssl::Bio::sslFeatures::parseV3Hello(cons
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ciphers += 2;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (ciphersLen) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- const SSL_METHOD *method = TLS_method();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-#else
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- const SSL_METHOD *method = SSLv23_method();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ for (size_t i = 0; i < ciphersLen; i += 2) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ // each cipher in v3/tls HELLO message is of size 2
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- const SSL_CIPHER *c = method->get_cipher_by_char((ciphers + i));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ const SSL_CIPHER *c = SSL_CIPHER_find(ssl, (ciphers + i));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (c != NULL) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (!clientRequestedCiphers.empty())
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ clientRequestedCiphers.append(":");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- clientRequestedCiphers.append(c->name);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ clientRequestedCiphers.append(SSL_CIPHER_get_name(c));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ } else
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ unknownCiphers = true;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1181,7 +1156,7 @@ Ssl::Bio::sslFeatures::parseV3Hello(cons
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ bool
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-Ssl::Bio::sslFeatures::parseV23Hello(const unsigned char *hello, size_t size)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++Ssl::Bio::sslFeatures::parseV23Hello(const unsigned char *hello, size_t size, SSL *ssl)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ debugs(83, 7, "Get fake features from v23 ClientHello message.");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (size < 7)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1194,11 +1169,6 @@ Ssl::Bio::sslFeatures::parseV23Hello(con
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return false;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (ciphersLen) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- const SSL_METHOD *method = TLS_method();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-#else
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- const SSL_METHOD *method = SSLv23_method();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ for (unsigned int i = 0; i < ciphersLen; i += 3) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ // The v2 hello messages cipher has 3 bytes.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ // The v2 cipher has the first byte not null
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1206,11 +1176,11 @@ Ssl::Bio::sslFeatures::parseV23Hello(con
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ // are ignoring these ciphers
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (ciphers[i] != 0)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ continue;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- const SSL_CIPHER *c = method->get_cipher_by_char((ciphers + i + 1));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ const SSL_CIPHER *c = SSL_CIPHER_find(ssl, (ciphers + i + 1));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (c != NULL) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (!clientRequestedCiphers.empty())
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ clientRequestedCiphers.append(":");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- clientRequestedCiphers.append(c->name);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ clientRequestedCiphers.append(SSL_CIPHER_get_name(c));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- src/ssl/cert_validate_message.cc.orig 2018-07-16 06:46:55.000000000 +1000
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ src/ssl/cert_validate_message.cc 2019-09-12 15:05:19.000000000 +1000
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -209,7 +209,7 @@ Ssl::CertValidationResponse::RecvdError
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ void
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Ssl::CertValidationResponse::RecvdError::setCert(X509 *aCert)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- cert.resetAndLock(aCert);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ cert.reset(aCert);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Ssl::CertValidationMsg::CertItem::CertItem(const CertItem &old)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -228,7 +228,7 @@ Ssl::CertValidationMsg::CertItem & Ssl::
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ void
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Ssl::CertValidationMsg::CertItem::setCert(X509 *aCert)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- cert.resetAndLock(aCert);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ cert.reset(aCert);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ const std::string Ssl::CertValidationMsg::code_cert_validate("cert_validate");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- src/ssl/ErrorDetail.cc.orig 2018-07-16 06:46:55.000000000 +1000
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ src/ssl/ErrorDetail.cc 2019-09-12 15:07:25.000000000 +1000
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -627,12 +627,12 @@ const String &Ssl::ErrorDetail::toString
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Ssl::ErrorDetail::ErrorDetail( Ssl::ssl_error_t err_no, X509 *cert, X509 *broken, const char *aReason): error_no (err_no), lib_error_no(SSL_ERROR_NONE), errReason(aReason)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (cert)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- peer_cert.resetAndLock(cert);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ peer_cert.reset(cert);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (broken)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- broken_cert.resetAndLock(broken);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ broken_cert.reset(broken);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ else
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- broken_cert.resetAndLock(cert);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ broken_cert.reset(cert);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ detailEntry.error_no = SSL_ERROR_NONE;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -643,11 +643,11 @@ Ssl::ErrorDetail::ErrorDetail(Ssl::Error
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ request = anErrDetail.request;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (anErrDetail.peer_cert.get()) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- peer_cert.resetAndLock(anErrDetail.peer_cert.get());
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ peer_cert.reset(anErrDetail.peer_cert.get());
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (anErrDetail.broken_cert.get()) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- broken_cert.resetAndLock(anErrDetail.broken_cert.get());
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ broken_cert.reset(anErrDetail.broken_cert.get());
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ detailEntry = anErrDetail.detailEntry;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- src/ssl/PeerConnector.cc.orig 2018-07-16 06:46:55.000000000 +1000
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ src/ssl/PeerConnector.cc 2019-09-12 15:27:55.000000000 +1000
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -149,7 +149,7 @@ Ssl::PeerConnector::initializeSsl()
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ // In server-first bumping mode, clientSsl is NULL.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (SSL *clientSsl = fd_table[clientConn->fd].ssl) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ BIO *b = SSL_get_rbio(clientSsl);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- cltBio = static_cast<Ssl::ClientBio *>(b->ptr);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ cltBio = static_cast<Ssl::ClientBio *>(BIO_get_data(b));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ const Ssl::Bio::sslFeatures &features = cltBio->getFeatures();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (!features.serverName.isEmpty())
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ hostName = new SBuf(features.serverName);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -175,7 +175,7 @@ Ssl::PeerConnector::initializeSsl()
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ features.applyToSSL(ssl, csd->sslBumpMode);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ BIO *b = SSL_get_rbio(ssl);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- Ssl::ServerBio *srvBio = static_cast<Ssl::ServerBio *>(b->ptr);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ Ssl::ServerBio *srvBio = static_cast<Ssl::ServerBio *>(BIO_get_data(b));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ // Inherite client features, like SSL version, SNI and other
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ srvBio->setClientFeatures(features);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ srvBio->recordInput(true);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -218,7 +218,6 @@ Ssl::PeerConnector::initializeSsl()
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (request->clientConnectionManager.valid() &&
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ request->clientConnectionManager->serverBump() &&
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ (peeked_cert = request->clientConnectionManager->serverBump()->serverCert.get())) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- CRYPTO_add(&(peeked_cert->references),1,CRYPTO_LOCK_X509);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ SSL_set_ex_data(ssl, ssl_ex_index_ssl_peeked_cert, peeked_cert);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -292,7 +291,7 @@ Ssl::PeerConnector::serverCertificateVer
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (ConnStateData *csd = request->clientConnectionManager.valid()) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Ssl::X509_Pointer serverCert;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if(Ssl::ServerBump *serverBump = csd->serverBump())
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- serverCert.resetAndLock(serverBump->serverCert.get());
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ serverCert.reset(serverBump->serverCert.get());
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ else {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ const int fd = serverConnection()->fd;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ SSL *ssl = fd_table[fd].ssl;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -398,7 +397,7 @@ Ssl::PeerConnector::checkForPeekAndSplic
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ acl_checklist->banAction(allow_t(ACCESS_ALLOWED, Ssl::bumpServerFirst));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ SSL *ssl = fd_table[serverConn->fd].ssl;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ BIO *b = SSL_get_rbio(ssl);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- Ssl::ServerBio *srvBio = static_cast<Ssl::ServerBio *>(b->ptr);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ Ssl::ServerBio *srvBio = static_cast<Ssl::ServerBio *>(BIO_get_data(b));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (!srvBio->canSplice())
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ acl_checklist->banAction(allow_t(ACCESS_ALLOWED, Ssl::bumpSplice));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (!srvBio->canBump())
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -411,7 +410,7 @@ Ssl::PeerConnector::checkForPeekAndSplic
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ SSL *ssl = fd_table[serverConn->fd].ssl;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ BIO *b = SSL_get_rbio(ssl);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- Ssl::ServerBio *srvBio = static_cast<Ssl::ServerBio *>(b->ptr);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ Ssl::ServerBio *srvBio = static_cast<Ssl::ServerBio *>(BIO_get_data(b));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ debugs(83,5, "Will check for peek and splice on FD " << serverConn->fd);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Ssl::BumpMode finalAction = action;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -578,7 +577,7 @@ Ssl::PeerConnector::handleNegotiateError
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ SSL *ssl = fd_table[fd].ssl;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int ssl_error = SSL_get_error(ssl, ret);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ BIO *b = SSL_get_rbio(ssl);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- Ssl::ServerBio *srvBio = static_cast<Ssl::ServerBio *>(b->ptr);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ Ssl::ServerBio *srvBio = static_cast<Ssl::ServerBio *>(BIO_get_data(b));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ #ifdef EPROTO
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int sysErrNo = EPROTO;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -676,7 +675,7 @@ Ssl::PeerConnector::handleNegotiateError
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (request->clientConnectionManager.valid()) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ // remember the server certificate from the ErrorDetail object
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (Ssl::ServerBump *serverBump = request->clientConnectionManager->serverBump())
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- serverBump->serverCert.resetAndLock(anErr->detail->peerCert());
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ serverBump->serverCert.reset(anErr->detail->peerCert());
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ // For intercepted connections, set the host name to the server
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ // certificate CN. Otherwise, we just hope that CONNECT is using
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- src/ssl/ServerBump.cc.orig 2018-07-16 06:46:55.000000000 +1000
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ src/ssl/ServerBump.cc 2019-09-12 15:30:14.000000000 +1000
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -55,7 +55,7 @@ Ssl::ServerBump::attachServerSSL(SSL *ss
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (serverSSL.get())
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- serverSSL.resetAndLock(ssl);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ serverSSL.reset(ssl);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ const Ssl::CertErrors *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- src/ssl/support.cc.orig 2018-07-16 06:46:55.000000000 +1000
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ src/ssl/support.cc 2019-09-12 16:03:35.000000000 +1000
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -227,7 +227,7 @@ static int
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ssl_verify_cb(int ok, X509_STORE_CTX * ctx)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ // preserve original ctx->error before SSL_ calls can overwrite it
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- Ssl::ssl_error_t error_no = ok ? SSL_ERROR_NONE : ctx->error;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ Ssl::ssl_error_t error_no = ok ? SSL_ERROR_NONE : X509_STORE_CTX_get_error(ctx);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ char buffer[256] = "";
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ SSL *ssl = (SSL *)X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -236,7 +236,7 @@ ssl_verify_cb(int ok, X509_STORE_CTX * c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ void *dont_verify_domain = SSL_CTX_get_ex_data(sslctx, ssl_ctx_ex_index_dont_verify_domain);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ACLChecklist *check = (ACLChecklist*)SSL_get_ex_data(ssl, ssl_ex_index_cert_error_check);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ X509 *peeked_cert = (X509 *)SSL_get_ex_data(ssl, ssl_ex_index_ssl_peeked_cert);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- X509 *peer_cert = ctx->cert;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ X509 *peer_cert = X509_STORE_CTX_get0_cert(ctx);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ X509_NAME_oneline(X509_get_subject_name(peer_cert), buffer,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sizeof(buffer));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -308,7 +308,7 @@ ssl_verify_cb(int ok, X509_STORE_CTX * c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ACLFilledChecklist *filledCheck = Filled(check);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ assert(!filledCheck->sslErrors);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ filledCheck->sslErrors = new Ssl::CertErrors(Ssl::CertError(error_no, broken_cert));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- filledCheck->serverCert.resetAndLock(peer_cert);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ filledCheck->serverCert.reset(peer_cert);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (check->fastCheck() == ACCESS_ALLOWED) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ debugs(83, 3, "bypassing SSL error " << error_no << " in " << buffer);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ok = 1;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -651,7 +651,7 @@ Ssl::parse_flags(const char *flags)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ // "dup" function for SSL_get_ex_new_index("cert_err_check")
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ static int
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-ssl_dupAclChecklist(CRYPTO_EX_DATA *, CRYPTO_EX_DATA *, void *,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ssl_dupAclChecklist(CRYPTO_EX_DATA *, const CRYPTO_EX_DATA *, void *,
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int, long, void *)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ // We do not support duplication of ACLCheckLists.
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1088,13 +1088,8 @@ Ssl::method(int version)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ switch (version) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ case 2:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-#if !defined(OPENSSL_NO_SSL2)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- debugs(83, 5, "Using SSLv2.");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- return SSLv2_client_method();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-#else
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ debugs(83, DBG_IMPORTANT, "SSLv2 is not available in this Proxy.");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ break;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ case 3:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1150,13 +1145,8 @@ Ssl::serverMethod(int version)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ switch (version) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ case 2:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-#if !defined(OPENSSL_NO_SSL2)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- debugs(83, 5, "Using SSLv2.");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- return SSLv2_server_method();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-#else
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ debugs(83, DBG_IMPORTANT, "SSLv2 is not available in this Proxy.");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ break;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ case 3:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1579,13 +1569,8 @@ Ssl::contextMethod(int version)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ switch (version) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ case 2:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-#if !defined(OPENSSL_NO_SSL2)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- debugs(83, 5, "Using SSLv2.");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- method = SSLv2_server_method();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-#else
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ debugs(83, DBG_IMPORTANT, "SSLv2 is not available in this Proxy.");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-#endif
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ break;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ case 3:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1691,7 +1676,7 @@ Ssl::chainCertificatesToSSLContext(SSL_C
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ X509 *signingCert = port.signingCert.get();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (SSL_CTX_add_extra_chain_cert(sslContext, signingCert)) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ // increase the certificate lock
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- CRYPTO_add(&(signingCert->references),1,CRYPTO_LOCK_X509);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ } else {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ const int ssl_error = ERR_get_error();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ debugs(33, DBG_IMPORTANT, "WARNING: can not add signing certificate to SSL context chain: " << ERR_error_string(ssl_error, NULL));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1804,7 +1789,7 @@ void Ssl::addChainToSslContext(SSL_CTX *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ X509 *cert = sk_X509_value(chain, i);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (SSL_CTX_add_extra_chain_cert(sslContext, cert)) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ // increase the certificate lock
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- CRYPTO_add(&(cert->references),1,CRYPTO_LOCK_X509);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ ;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ } else {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ const int ssl_error = ERR_get_error();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ debugs(83, DBG_IMPORTANT, "WARNING: can not add certificate to SSL context chain: " << ERR_error_string(ssl_error, NULL));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1847,7 +1832,7 @@ findCertByIssuerFast(X509_STORE_CTX *ctx
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ const Pair ret = list.equal_range(SBuf(buffer));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ for (Ssl::CertsIndexedList::iterator it = ret.first; it != ret.second; ++it) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ X509 *issuer = it->second;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if (ctx->check_issued(ctx, cert, issuer)) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (X509_STORE_CTX_get_check_issued(ctx)(ctx, cert, issuer)) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return issuer;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1861,7 +1846,7 @@ findCertByIssuerSlowly(X509_STORE_CTX *c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ const int skItemsNum = sk_X509_num(sk);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ for (int i = 0; i < skItemsNum; ++i) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ X509 *issuer = sk_X509_value(sk, i);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if (ctx->check_issued(ctx, cert, issuer))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (X509_STORE_CTX_get_check_issued(ctx)(ctx, cert, issuer))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return issuer;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1873,11 +1858,12 @@ completeIssuers(X509_STORE_CTX *ctx, STA
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ debugs(83, 2, "completing " << sk_X509_num(untrustedCerts) << " OpenSSL untrusted certs using " << SquidUntrustedCerts.size() << " configured untrusted certificates");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- int depth = ctx->param->depth;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- X509 *current = ctx->cert;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ const X509_VERIFY_PARAM *param = X509_STORE_CTX_get0_param(ctx);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ int depth = X509_VERIFY_PARAM_get_depth(param);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ X509 *current = X509_STORE_CTX_get0_cert(ctx);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int i = 0;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ for (i = 0; current && (i < depth); ++i) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- if (ctx->check_issued(ctx, current, current)) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ if (X509_STORE_CTX_get_check_issued(ctx)(ctx, current, current)) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ // either ctx->cert is itself self-signed or untrustedCerts
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ // aready contain the self-signed current certificate
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ break;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1905,12 +1891,12 @@ untrustedToStoreCtx_cb(X509_STORE_CTX *c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ // OpenSSL already maintains ctx->untrusted but we cannot modify
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ // internal OpenSSL list directly. We have to give OpenSSL our own
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ // list, but it must include certificates on the OpenSSL ctx->untrusted
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- STACK_OF(X509) *oldUntrusted = ctx->untrusted;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ STACK_OF(X509) *oldUntrusted = X509_STORE_CTX_get0_untrusted(ctx);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ STACK_OF(X509) *sk = sk_X509_dup(oldUntrusted); // oldUntrusted is always not NULL
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ completeIssuers(ctx, sk);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- X509_STORE_CTX_set_chain(ctx, sk); // No locking/unlocking, just sets ctx->untrusted
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ X509_STORE_CTX_set0_untrusted(ctx, sk); // No locking/unlocking, just sets ctx->untrusted
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ int ret = X509_verify_cert(ctx);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- X509_STORE_CTX_set_chain(ctx, oldUntrusted); // Set back the old untrusted list
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ X509_STORE_CTX_set0_untrusted(ctx, oldUntrusted); // Set back the old untrusted list
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ sk_X509_free(sk); // Release sk list
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return ret;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1950,7 +1936,7 @@ static X509 * readSslX509CertificatesCha
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (!certFilename)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- Ssl::BIO_Pointer bio(BIO_new(BIO_s_file_internal()));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ Ssl::BIO_Pointer bio(BIO_new(BIO_s_file()));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (!bio)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (!BIO_read_filename(bio.get(), certFilename))
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -2023,8 +2009,8 @@ bool Ssl::generateUntrustedCert(X509_Poi
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ // O, OU, and other CA subject fields will be mimicked
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ // Expiration date and other common properties will be mimicked
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ certProperties.signAlgorithm = Ssl::algSignSelf;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- certProperties.signWithPkey.resetAndLock(pkey.get());
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- certProperties.mimicCert.resetAndLock(cert.get());
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ certProperties.signWithPkey.reset(pkey.get());
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ certProperties.mimicCert.reset(cert.get());
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return Ssl::generateSslCertificate(untrustedCert, untrustedPkey, certProperties);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -2077,19 +2063,19 @@ Ssl::CreateServer(SSL_CTX *sslContext, c
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Ssl::CertError::CertError(ssl_error_t anErr, X509 *aCert): code(anErr)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- cert.resetAndLock(aCert);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ cert.reset(aCert);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Ssl::CertError::CertError(CertError const &err): code(err.code)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- cert.resetAndLock(err.cert.get());
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ cert.reset(err.cert.get());
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Ssl::CertError &
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Ssl::CertError::operator = (const CertError &old)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ code = old.code;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- cert.resetAndLock(old.cert.get());
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ cert.reset(old.cert.get());
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return *this;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -2115,8 +2101,8 @@ store_session_cb(SSL *ssl, SSL_SESSION *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ SSL_SESSION_set_timeout(session, Config.SSL.session_ttl);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- unsigned char *id = session->session_id;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- unsigned int idlen = session->session_id_length;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ unsigned int idlen;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ const unsigned char *id = SSL_SESSION_get_id(session, &idlen);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ unsigned char key[MEMMAP_SLOT_KEY_SIZE];
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ // Session ids are of size 32bytes. They should always fit to a
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ // MemMap::Slot::key
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -2159,7 +2145,7 @@ remove_session_cb(SSL_CTX *, SSL_SESSION
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ static SSL_SESSION *
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+-get_session_cb(SSL *, unsigned char *sessionID, int len, int *copy)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++get_session_cb(SSL *, const unsigned char *sessionID, int len, int *copy)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (!SslSessionCache)
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return NULL;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- src/ssl/helper.cc.orig 2018-07-16 06:46:55.000000000 +1000
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ src/ssl/helper.cc 2019-09-12 16:17:03.000000000 +1000
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -265,7 +265,6 @@ void Ssl::CertValidationHelper::sslSubmi
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ crtdvdData->query += '\n';
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ crtdvdData->callback = callback;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ crtdvdData->ssl = request.ssl;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- CRYPTO_add(&crtdvdData->ssl->references,1,CRYPTO_LOCK_SSL);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Ssl::CertValidationResponse::Pointer const*validationResponse;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (CertValidationHelper::HelperCache &&
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- src/client_side.cc.orig 2018-07-16 06:46:55.000000000 +1000
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ src/client_side.cc 2019-09-12 16:25:54.000000000 +1000
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -4071,9 +4071,9 @@ void ConnStateData::buildSslCertGenerati
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ // fake certificate adaptation requires bump-server-first mode
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (!sslServerBump) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ assert(port->signingCert.get());
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- certProperties.signWithX509.resetAndLock(port->signingCert.get());
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ certProperties.signWithX509.reset(port->signingCert.get());
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (port->signPkey.get())
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- certProperties.signWithPkey.resetAndLock(port->signPkey.get());
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ certProperties.signWithPkey.reset(port->signPkey.get());
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ certProperties.signAlgorithm = Ssl::algSignTrusted;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ return;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -4085,7 +4085,7 @@ void ConnStateData::buildSslCertGenerati
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ assert(sslServerBump->entry);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (sslServerBump->entry->isEmpty()) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (X509 *mimicCert = sslServerBump->serverCert.get())
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- certProperties.mimicCert.resetAndLock(mimicCert);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ certProperties.mimicCert.reset(mimicCert);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ ACLFilledChecklist checklist(NULL, sslServerBump->request.getRaw(),
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ clientConnection != NULL ? clientConnection->rfc931 : dash_str);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -4138,14 +4138,14 @@ void ConnStateData::buildSslCertGenerati
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (certProperties.signAlgorithm == Ssl::algSignUntrusted) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ assert(port->untrustedSigningCert.get());
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- certProperties.signWithX509.resetAndLock(port->untrustedSigningCert.get());
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- certProperties.signWithPkey.resetAndLock(port->untrustedSignPkey.get());
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ certProperties.signWithX509.reset(port->untrustedSigningCert.get());
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ certProperties.signWithPkey.reset(port->untrustedSignPkey.get());
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ } else {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ assert(port->signingCert.get());
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- certProperties.signWithX509.resetAndLock(port->signingCert.get());
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ certProperties.signWithX509.reset(port->signingCert.get());
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (port->signPkey.get())
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- certProperties.signWithPkey.resetAndLock(port->signPkey.get());
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ certProperties.signWithPkey.reset(port->signPkey.get());
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ signAlgorithm = certProperties.signAlgorithm;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -4324,7 +4324,7 @@ clientPeekAndSpliceSSL(int fd, void *dat
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ BIO *b = SSL_get_rbio(ssl);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ assert(b);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- Ssl::ClientBio *bio = static_cast<Ssl::ClientBio *>(b->ptr);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ Ssl::ClientBio *bio = static_cast<Ssl::ClientBio *>(BIO_get_data(b));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (bio->gotHello()) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ if (conn->serverBump()) {
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ Ssl::Bio::sslFeatures const &features = bio->getFeatures();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -4360,7 +4360,7 @@ void ConnStateData::startPeekAndSplice()
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ SSL *ssl = fd_table[clientConnection->fd].ssl;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ BIO *b = SSL_get_rbio(ssl);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- Ssl::ClientBio *bio = static_cast<Ssl::ClientBio *>(b->ptr);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ Ssl::ClientBio *bio = static_cast<Ssl::ClientBio *>(BIO_get_data(b));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ bio->hold(true);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ }
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -4391,7 +4391,7 @@ void httpsSslBumpStep2AccessCheckDone(al
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ //Normally we can splice here, because we just got client hello message
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ SSL *ssl = fd_table[connState->clientConnection->fd].ssl;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ BIO *b = SSL_get_rbio(ssl);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- Ssl::ClientBio *bio = static_cast<Ssl::ClientBio *>(b->ptr);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ Ssl::ClientBio *bio = static_cast<Ssl::ClientBio *>(BIO_get_data(b));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ MemBuf const &rbuf = bio->rBufData();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ debugs(83,5, "Bio for " << connState->clientConnection << " read " << rbuf.contentSize() << " helo bytes");
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ // Do splice:
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -4446,7 +4446,7 @@ ConnStateData::doPeekAndSpliceStep()
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ SSL *ssl = fd_table[clientConnection->fd].ssl;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ BIO *b = SSL_get_rbio(ssl);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ assert(b);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- Ssl::ClientBio *bio = static_cast<Ssl::ClientBio *>(b->ptr);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ Ssl::ClientBio *bio = static_cast<Ssl::ClientBio *>(BIO_get_data(b));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ debugs(33, 5, "PeekAndSplice mode, proceed with client negotiation. Currrent state:" << SSL_state_string_long(ssl));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ bio->hold(false);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+--- src/tunnel.cc.orig 2018-07-16 06:46:55.000000000 +1000
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++++ src/tunnel.cc 2019-09-12 16:28:50.000000000 +1000
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+@@ -1281,7 +1281,7 @@ switchToTunnel(HttpRequest *request, Com
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ SSL *ssl = fd_table[srvConn->fd].ssl;
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ assert(ssl);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ BIO *b = SSL_get_rbio(ssl);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+- Ssl::ServerBio *srvBio = static_cast<Ssl::ServerBio *>(b->ptr);
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>++ Ssl::ServerBio *srvBio = static_cast<Ssl::ServerBio *>(BIO_get_data(b));
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ const MemBuf &buf = srvBio->rBufData();
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+
</span><span style='display:block; white-space:pre;background:#e0ffe0;'>+ AsyncCall::Pointer call = commCbCall(5,5, "tunnelConnectedWriteDone",
</span></pre><pre style='margin:0'>
</pre>