--- src/ssl/gadgets.h.orig 2018-07-16 06:46:55.000000000 +1000
+++ src/ssl/gadgets.h 2019-09-10 15:14:31.000000000 +1000
@@ -80,13 +80,13 @@ public:
* TidyPointer typedefs for common SSL objects
CtoCpp1(X509_free, X509 *)
-typedef LockingPointer<X509, X509_free_cpp, CRYPTO_LOCK_X509> X509_Pointer;
+typedef TidyPointer<X509, X509_free_cpp> X509_Pointer;
sk_free_wrapper(sk_X509, STACK_OF(X509) *, X509_free)
typedef TidyPointer<STACK_OF(X509), sk_X509_free_wrapper> X509_STACK_Pointer;
CtoCpp1(EVP_PKEY_free, EVP_PKEY *)
-typedef LockingPointer<EVP_PKEY, EVP_PKEY_free_cpp, CRYPTO_LOCK_EVP_PKEY> EVP_PKEY_Pointer;
+typedef TidyPointer<EVP_PKEY, EVP_PKEY_free_cpp> EVP_PKEY_Pointer;
CtoCpp1(BN_free, BIGNUM *)
typedef TidyPointer<BIGNUM, BN_free_cpp> BIGNUM_Pointer;
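Review bot: Swapping LockingPointer for TidyPointer on the X509_Pointer and EVP_PKEY_Pointer typedefs here (and on SSL_Pointer in the next hunk) changes the ownership model, not only the lock id: LockingPointer could hold a reference-counted share of an object, whereas TidyPointer appears to be a single-owner wrapper that frees on destruction. If any caller relied on copying or re-locking these pointers, the object would now be freed while another holder still uses it; that cannot be confirmed from this hunk, so callers should be checked. With OpenSSL 1.1 the shared-ownership variant can still be kept by bumping the count through `X509_up_ref`, `EVP_PKEY_up_ref` and `SSL_up_ref` in place of the removed CRYPTO_LOCK_* ids. Either way, a short comment on the typedefs recording the decision would help, e.g. `// OpenSSL 1.1 dropped CRYPTO_LOCK_*; these objects are single-owner here`.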
@@ -113,7 +113,7 @@ CtoCpp1(SSL_CTX_free, SSL_CTX *)
typedef TidyPointer<SSL_CTX, SSL_CTX_free_cpp> SSL_CTX_Pointer;
-typedef LockingPointer<SSL, SSL_free_cpp, CRYPTO_LOCK_SSL> SSL_Pointer;
+typedef TidyPointer<SSL, SSL_free_cpp> SSL_Pointer;
typedef TidyPointer<DH, DH_free_cpp> DH_Pointer;
--- src/ssl/gadgets.cc.orig 2018-07-16 06:46:55.000000000 +1000
+++ src/ssl/gadgets.cc 2019-09-12 11:36:11.000000000 +1000
@@ -109,7 +109,7 @@ bool Ssl::writeCertAndPrivateKeyToFile(S
- Ssl::BIO_Pointer bio(BIO_new(BIO_s_file_internal()));
+ Ssl::BIO_Pointer bio(BIO_new(BIO_s_file()));
if (!BIO_write_filename(bio.get(), const_cast<char *>(filename)))
@@ -292,7 +292,8 @@ mimicExtensions(Ssl::X509_Pointer & cert
- int mimicAlgo = OBJ_obj2nid(mimicCert.get()->cert_info->key->algor->algorithm);
+ EVP_PKEY *certKey = X509_get_pubkey(mimicCert.get());
+ const bool rsaPkey = (EVP_PKEY_get0_RSA(certKey) != NULL);
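Review bot: The EVP_PKEY returned by X509_get_pubkey() on the added line is a new reference that is never released, so each mimicked certificate leaks a key, and the return value is not checked before it is handed to EVP_PKEY_get0_RSA(), which would not tolerate a null pointer. The EVP_PKEY_Pointer typedef defined in gadgets.h covers both: `Ssl::EVP_PKEY_Pointer certKey(X509_get_pubkey(mimicCert.get()));` and `const bool rsaPkey = certKey.get() != NULL && EVP_PKEY_get0_RSA(certKey.get()) != NULL;`. The body of mimicExtensions() starts and continues outside this hunk, so any later use of certKey would need to respect the wrapper's lifetime.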
@@ -302,7 +303,7 @@ mimicExtensions(Ssl::X509_Pointer & cert
// Mimic extension exactly.
if (X509_add_ext(cert.get(), ext, -1))
- if ( nid == NID_key_usage && mimicAlgo != NID_rsaEncryption ) {
+ if ( nid == NID_key_usage && !rsaPkey ) {
// NSS does not requre the KeyEncipherment flag on EC keys
// but it does require it for RSA keys. Since ssl-bump
// substitutes RSA keys for EC ones, we need to ensure that
@@ -321,12 +322,12 @@ mimicExtensions(Ssl::X509_Pointer & cert
(const ASN1_ITEM *)ASN1_ITEM_ptr(method->it));
- ASN1_OCTET_STRING *ext_oct = M_ASN1_OCTET_STRING_new();
+ ASN1_OCTET_STRING *ext_oct = ASN1_OCTET_STRING_new();