[packages/apache-mod_pagespeed.git] / serf-openssl1.1.patch

Based on serf changes:

#From 03f3f8a6d56726bed26eb3202dfb1e485274ca90 Mon Sep 17 00:00:00 2001
#From: Bert Huijben <rhuijben@apache.org>
#Date: Thu, 16 Jun 2016 09:47:56 +0000
#Subject: [PATCH] Adapt to OpenSSL 1.1.x API changes.
#
#OpenSSL 1.1.x makes various types opaque, requiring the use of
#accessors, and rewrote the state machine describing the handshake
#process.  Of particular interest to serf are the BIO, BIO_METHOD, and
#X509_STORE types.
#
#Patch by: 'James McCoy' <jamessan{_AT_}debian.org>
#
#* buckets/ssl_buckets.c
#  (): New USE_LEGACY_OPENSSL define
#  (): New X509_STORE_get0_param() define for use with pre-1.1.x OpenSSL
#  (detect_renegotiate): Use SSL_get_state to check for the
#    TLS_ST_SW_HELLO_REQ state, indicating the server is starting a new
#    negotiation.
#  (bio_set_data, bio_get_data): New functions to abstract access to
#    the BIO data.
#  (bio_bucket_read, bio_bucket_write, bio_file_read, bio_file_write,
#   bio_file_gets): Use bio_get_data.
#  (bio_bucket_create): Use BIO accessor functions when available.
#  (bio_meth_bucket_new, bio_meth_file_new): New functions to abstract
#    creation of BIO_METHOD.  With OpenSSL 1.1.x or newer, the BIO_meth_*
#    functions are used to allocate a new BIO_METOD and set the
#    callbacks, otherwise the pointers to the statically defined structs
#    are used.
#  (bio_meth_free): New function.
#  (ocsp_callback): Use OCSP_response_status to get status instead of
#    accessing internals of OCSP_RESPONSE struct.  Remove unused
#    OCSP_RESPBYTES variable.
#  (ssl_decrypt): Use SSL_get_state to check for the TLS_ST_OK state,
#    indicating completed handshake.
#  (init_ssl_libraries): Exclude threading code when OpenSSL 1.1.x is in
#    use since OpenSSL now handles this appropriately without users of
#    the library setting up locking functions.
#  (ssl_need_client_cert, ssl_init_context, serf_ssl_load_cert_file,
#   serf_ssl_add_crl_from_file): Use new bio_meth_*_new functions to
#   provide the BIO_METHOD* to BIO_new().  Also use the bio_set_data
#   function to set the data for the callback.
#
#* test/MockHTTPinC/MockHTTP_server.c
#  (): New USE_OPENSSL_1_1_API define
#  (bio_set_data, bio_get_data): New functions to abstract access to
#    the BIO data.
#  (bio_apr_socket_read, bio_apr_socket_write): Use bio_get_data.
#  (bio_apr_socket_create): Use BIO accessor functions when available.
#  (bio_meth_apr_socket_new): New function to abstract creation of
#    BIO_METHOD.  With OpenSSL 1.1.x or newer, the BIO_meth_* functions
#    are used to allocate a new BIO_METOD and set the callbacks,
#    otherwise the pointer to the statically defined struct is used.
#  (initSSLCtx): Use new bio_meth_apr_socket_new function to
#   provide the BIO_METHOD* to BIO_new().  Also use the bio_set_data
#   function to set the data for the callback.
#
#
#git-svn-id: https://svn.apache.org/repos/asf/serf/trunk@1748673 13f79535-47bb-0310-9956-ffa450edef68
#---
# buckets/ssl_buckets.c              | 146 ++++++++++++++++++++++++-----
# test/MockHTTPinC/MockHTTP_server.c |  74 ++++++++++++++-
# 2 files changed, 194 insertions(+), 26 deletions(-)

--- modpagespeed-1.9.32.4/third_party/serf/instaweb_ssl_buckets.c.orig	2015-07-14 01:16:54.000000000 +0200
+++ modpagespeed-1.9.32.4/third_party/serf/instaweb_ssl_buckets.c	2019-04-17 06:45:35.833070953 +0200
@@ -68,6 +68,11 @@
 #define APR_ARRAY_PUSH(ary,type) (*((type *)apr_array_push(ary)))
 #endif
 
+#if defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER < 0x10100000L
+#define USE_LEGACY_OPENSSL
+#define X509_STORE_get0_param(store) store->param
+#endif
+
 
 /*#define SSL_VERBOSE*/
 
@@ -158,6 +163,7 @@
     SSL_CTX *ctx;
     SSL *ssl;
     BIO *bio;
+    BIO_METHOD *biom;
 
     serf_ssl_stream_t encrypt;
     serf_ssl_stream_t decrypt;
@@ -203,10 +209,28 @@
     int depth;
 };
 
+static void bio_set_data(BIO *bio, void *data)
+{
+#ifndef USE_LEGACY_OPENSSL
+    BIO_set_data(bio, data);
+#else
+    bio->ptr = data;
+#endif
+}
+
+static void *bio_get_data(BIO *bio)
+{
+#ifndef USE_LEGACY_OPENSSL
+    return BIO_get_data(bio);
+#else
+    return bio->ptr;
+#endif
+}
+
 /* Returns the amount read. */
 static int bio_bucket_read(BIO *bio, char *in, int inlen)
 {
-    serf_ssl_context_t *ctx = bio->ptr;
+    serf_ssl_context_t *ctx = bio_get_data(bio);
     const char *data;
     apr_status_t status;
     apr_size_t len;
@@ -252,7 +276,7 @@
 /* Returns the amount written. */
 static int bio_bucket_write(BIO *bio, const char *in, int inl)
 {
-    serf_ssl_context_t *ctx = bio->ptr;
+    serf_ssl_context_t *ctx = bio_get_data(bio);
     serf_bucket_t *tmp;
 
 #ifdef SSL_VERBOSE
@@ -281,7 +305,7 @@
 /* Returns the amount read. */
 static int bio_file_read(BIO *bio, char *in, int inlen)
 {
-    apr_file_t *file = bio->ptr;
+    apr_file_t *file = bio_get_data(bio);
     apr_status_t status;
     apr_size_t len;
 
@@ -306,7 +330,7 @@
 /* Returns the amount written. */
 static int bio_file_write(BIO *bio, const char *in, int inl)
 {
-    apr_file_t *file = bio->ptr;
+    apr_file_t *file = bio_get_data(bio);
     apr_size_t nbytes;
 
     BIO_clear_retry_flags(bio);
@@ -324,10 +348,16 @@
 
 static int bio_bucket_create(BIO *bio)
 {
+#ifndef USE_LEGACY_OPENSSL
+    BIO_set_shutdown(bio, 1);
+    BIO_set_init(bio, 1);
+    BIO_set_data(bio, NULL);
+#else
     bio->shutdown = 1;
     bio->init = 1;
     bio->num = -1;
     bio->ptr = NULL;
+#endif
 
     return 1;
 }
@@ -364,6 +394,7 @@
     return ret;
 }
 
+#ifdef USE_LEGACY_OPENSSL
 static BIO_METHOD bio_bucket_method = {
     BIO_TYPE_MEM,
     "Serf SSL encryption and decryption buckets",
@@ -393,6 +424,56 @@
     NULL /* sslc does not have the callback_ctrl field */
 #endif
 };
+#endif
+
+static BIO_METHOD *bio_meth_bucket_new(void)
+{
+    BIO_METHOD *biom = NULL;
+
+#ifndef USE_LEGACY_OPENSSL
+    biom = BIO_meth_new(BIO_TYPE_MEM,
+                        "Serf SSL encryption and decryption buckets");
+    if (biom) {
+        BIO_meth_set_write(biom, bio_bucket_write);
+        BIO_meth_set_read(biom, bio_bucket_read);
+        BIO_meth_set_ctrl(biom, bio_bucket_ctrl);
+        BIO_meth_set_create(biom, bio_bucket_create);
+        BIO_meth_set_destroy(biom, bio_bucket_destroy);
+    }
+#else
+    biom = &bio_bucket_method;
+#endif
+
+    return biom;
+}
+
+static BIO_METHOD *bio_meth_file_new(void)
+{
+    BIO_METHOD *biom = NULL;
+
+#ifndef USE_LEGACY_OPENSSL
+    biom = BIO_meth_new(BIO_TYPE_FILE, "Wrapper around APR file structures");
+    if (biom) {
+        BIO_meth_set_write(biom, bio_file_write);
+        BIO_meth_set_read(biom, bio_file_read);
+        BIO_meth_set_gets(biom, bio_file_gets);
+        BIO_meth_set_ctrl(biom, bio_bucket_ctrl);
+        BIO_meth_set_create(biom, bio_bucket_create);
+        BIO_meth_set_destroy(biom, bio_bucket_destroy);
+    }
+#else
+    biom = &bio_file_method;
+#endif
+
+    return biom;
+}
+
+static void bio_meth_free(BIO_METHOD *biom)
+{
+#ifndef USE_LEGACY_OPENSSL
+    BIO_meth_free(biom);
+#endif
+}
 
 static int
 validate_server_certificate(int cert_valid, X509_STORE_CTX *store_ctx)
@@ -799,7 +880,7 @@
     return status;
 }
 
-#if APR_HAS_THREADS
+#if APR_HAS_THREADS && defined(USE_LEGACY_OPENSSL)
 static apr_pool_t *ssl_pool;
 static apr_thread_mutex_t **ssl_locks;
 
@@ -878,18 +959,22 @@
 #endif
 
     if (!val) {
-#if APR_HAS_THREADS
+#if APR_HAS_THREADS && defined(USE_LEGACY_OPENSSL)
         int i, numlocks;
 #endif
 #ifndef OPENSSL_IS_BORINGSSL
+#ifndef USE_LEGACY_OPENSSL
+        OPENSSL_malloc_init();
+#else
         CRYPTO_malloc_init();
 #endif
+#endif
         ERR_load_crypto_strings();
         SSL_load_error_strings();
         SSL_library_init();
         OpenSSL_add_all_algorithms();
 
-#if APR_HAS_THREADS
+#if APR_HAS_THREADS && defined(USE_LEGACY_OPENSSL)
         numlocks = CRYPTO_num_locks();
         apr_pool_create(&ssl_pool, NULL);
         ssl_locks = apr_palloc(ssl_pool, sizeof(apr_thread_mutex_t*)*numlocks);
@@ -929,6 +1014,7 @@
         const char *cert_path;
         apr_file_t *cert_file;
         BIO *bio;
+        BIO_METHOD *biom;
         PKCS12 *p12;
         int i;
         int retrying_success = 0;
@@ -954,8 +1040,9 @@
             continue;
         }
 
-        bio = BIO_new(&bio_file_method);
-        bio->ptr = cert_file;
+        biom = bio_meth_file_new();
+        bio = BIO_new(biom);
+        bio_set_data(bio, cert_file);
 
         ctx->cert_path = cert_path;
         p12 = d2i_PKCS12_bio(bio, NULL);
@@ -965,6 +1052,7 @@
 
         if (i == 1) {
             PKCS12_free(p12);
+            bio_meth_free(biom);
             ctx->cached_cert = *cert;
             ctx->cached_cert_pw = *pkey;
             if (!retrying_success && ctx->cert_cache_pool) {
@@ -1005,6 +1093,7 @@
                         i = PKCS12_parse(p12, password, pkey, cert, NULL);
                         if (i == 1) {
                             PKCS12_free(p12);
+                            bio_meth_free(biom);
                             ctx->cached_cert = *cert;
                             ctx->cached_cert_pw = *pkey;
                             if (!retrying_success && ctx->cert_cache_pool) {
@@ -1032,6 +1121,7 @@
                     }
                 }
                 PKCS12_free(p12);
+                bio_meth_free(biom);
                 return 0;
             }
             else {
@@ -1039,6 +1129,7 @@
                        ERR_GET_FUNC(err),
                        ERR_GET_REASON(err));
                 PKCS12_free(p12);
+                bio_meth_free(biom);
             }
         }
     }
@@ -1135,8 +1226,9 @@
     SSL_CTX_set_options(ssl_ctx->ctx, SSL_OP_ALL);
 
     ssl_ctx->ssl = SSL_new(ssl_ctx->ctx);
-    ssl_ctx->bio = BIO_new(&bio_bucket_method);
-    ssl_ctx->bio->ptr = ssl_ctx;
+    ssl_ctx->biom = bio_meth_bucket_new();
+    ssl_ctx->bio = BIO_new(ssl_ctx->biom);
+    bio_set_data(ssl_ctx->bio, ssl_ctx);
 
     SSL_set_bio(ssl_ctx->ssl, ssl_ctx->bio, ssl_ctx->bio);
 
@@ -1180,6 +1272,7 @@
     ssl_ctx->ssl = NULL;
     SSL_CTX_free(ssl_ctx->ctx);
     ssl_ctx->ctx = NULL;
+    bio_meth_free(ssl_ctx->biom);
 
     p = ssl_ctx->pool;
Commit	Line	Data
6772b4d7 JB	1	Based on serf changes:
	2
	3	#From 03f3f8a6d56726bed26eb3202dfb1e485274ca90 Mon Sep 17 00:00:00 2001
	4	#From: Bert Huijben <rhuijben@apache.org>
	5	#Date: Thu, 16 Jun 2016 09:47:56 +0000
	6	#Subject: [PATCH] Adapt to OpenSSL 1.1.x API changes.
	7	#
	8	#OpenSSL 1.1.x makes various types opaque, requiring the use of
	9	#accessors, and rewrote the state machine describing the handshake
	10	#process. Of particular interest to serf are the BIO, BIO_METHOD, and
	11	#X509_STORE types.
	12	#
	13	#Patch by: 'James McCoy' <jamessan{_AT_}debian.org>
	14	#
	15	#* buckets/ssl_buckets.c
	16	# (): New USE_LEGACY_OPENSSL define
	17	# (): New X509_STORE_get0_param() define for use with pre-1.1.x OpenSSL
	18	# (detect_renegotiate): Use SSL_get_state to check for the
	19	# TLS_ST_SW_HELLO_REQ state, indicating the server is starting a new
	20	# negotiation.
	21	# (bio_set_data, bio_get_data): New functions to abstract access to
	22	# the BIO data.
	23	# (bio_bucket_read, bio_bucket_write, bio_file_read, bio_file_write,
	24	# bio_file_gets): Use bio_get_data.
	25	# (bio_bucket_create): Use BIO accessor functions when available.
	26	# (bio_meth_bucket_new, bio_meth_file_new): New functions to abstract
	27	# creation of BIO_METHOD. With OpenSSL 1.1.x or newer, the BIO_meth_*
	28	# functions are used to allocate a new BIO_METOD and set the
	29	# callbacks, otherwise the pointers to the statically defined structs
	30	# are used.
	31	# (bio_meth_free): New function.
	32	# (ocsp_callback): Use OCSP_response_status to get status instead of
	33	# accessing internals of OCSP_RESPONSE struct. Remove unused
	34	# OCSP_RESPBYTES variable.
	35	# (ssl_decrypt): Use SSL_get_state to check for the TLS_ST_OK state,
	36	# indicating completed handshake.
	37	# (init_ssl_libraries): Exclude threading code when OpenSSL 1.1.x is in
	38	# use since OpenSSL now handles this appropriately without users of
	39	# the library setting up locking functions.
	40	# (ssl_need_client_cert, ssl_init_context, serf_ssl_load_cert_file,
	41	# serf_ssl_add_crl_from_file): Use new bio_meth_*_new functions to
	42	# provide the BIO_METHOD* to BIO_new(). Also use the bio_set_data
	43	# function to set the data for the callback.
	44	#
	45	#* test/MockHTTPinC/MockHTTP_server.c
	46	# (): New USE_OPENSSL_1_1_API define
	47	# (bio_set_data, bio_get_data): New functions to abstract access to
	48	# the BIO data.
	49	# (bio_apr_socket_read, bio_apr_socket_write): Use bio_get_data.
	50	# (bio_apr_socket_create): Use BIO accessor functions when available.
	51	# (bio_meth_apr_socket_new): New function to abstract creation of
	52	# BIO_METHOD. With OpenSSL 1.1.x or newer, the BIO_meth_* functions
	53	# are used to allocate a new BIO_METOD and set the callbacks,
	54	# otherwise the pointer to the statically defined struct is used.
	55	# (initSSLCtx): Use new bio_meth_apr_socket_new function to
	56	# provide the BIO_METHOD* to BIO_new(). Also use the bio_set_data
	57	# function to set the data for the callback.
	58	#
	59	#
	60	#git-svn-id: https://svn.apache.org/repos/asf/serf/trunk@1748673 13f79535-47bb-0310-9956-ffa450edef68
	61	#---
	62	# buckets/ssl_buckets.c \| 146 ++++++++++++++++++++++++-----
	63	# test/MockHTTPinC/MockHTTP_server.c \| 74 ++++++++++++++-
	64	# 2 files changed, 194 insertions(+), 26 deletions(-)
65
66	--- modpagespeed-1.9.32.4/third_party/serf/instaweb_ssl_buckets.c.orig 2015-07-14 01:16:54.000000000 +0200
67	+++ modpagespeed-1.9.32.4/third_party/serf/instaweb_ssl_buckets.c 2019-04-17 06:45:35.833070953 +0200
68	@@ -68,6 +68,11 @@
69	#define APR_ARRAY_PUSH(ary,type) (((type )apr_array_push(ary)))
70	#endif
71
72	+#if defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER < 0x10100000L
73	+#define USE_LEGACY_OPENSSL
74	+#define X509_STORE_get0_param(store) store->param
75	+#endif
76	+
77
78	/#define SSL_VERBOSE/
79
80	@@ -158,6 +163,7 @@
81	SSL_CTX *ctx;
82	SSL *ssl;
83	BIO *bio;
84	+ BIO_METHOD *biom;
85
86	serf_ssl_stream_t encrypt;
87	serf_ssl_stream_t decrypt;
88	@@ -203,10 +209,28 @@
89	int depth;
90	};
91
92	+static void bio_set_data(BIO bio, void data)
93	+{
94	+#ifndef USE_LEGACY_OPENSSL
95	+ BIO_set_data(bio, data);
96	+#else
97	+ bio->ptr = data;
98	+#endif
99	+}
100	+
101	+static void bio_get_data(BIO bio)
102	+{
103	+#ifndef USE_LEGACY_OPENSSL
104	+ return BIO_get_data(bio);
105	+#else
106	+ return bio->ptr;
107	+#endif
108	+}
109	+
110	/* Returns the amount read. */
111	static int bio_bucket_read(BIO bio, char in, int inlen)
112	{
113	- serf_ssl_context_t *ctx = bio->ptr;
114	+ serf_ssl_context_t *ctx = bio_get_data(bio);
115	const char *data;
116	apr_status_t status;
117	apr_size_t len;
118	@@ -252,7 +276,7 @@
119	/* Returns the amount written. */
120	static int bio_bucket_write(BIO bio, const char in, int inl)
121	{
122	- serf_ssl_context_t *ctx = bio->ptr;
123	+ serf_ssl_context_t *ctx = bio_get_data(bio);
124	serf_bucket_t *tmp;
125
126	#ifdef SSL_VERBOSE
127	@@ -281,7 +305,7 @@
128	/* Returns the amount read. */
129	static int bio_file_read(BIO bio, char in, int inlen)
130	{
131	- apr_file_t *file = bio->ptr;
132	+ apr_file_t *file = bio_get_data(bio);
133	apr_status_t status;
134	apr_size_t len;
135
136	@@ -306,7 +330,7 @@
137	/* Returns the amount written. */
138	static int bio_file_write(BIO bio, const char in, int inl)
139	{
140	- apr_file_t *file = bio->ptr;
141	+ apr_file_t *file = bio_get_data(bio);
142	apr_size_t nbytes;
143
144	BIO_clear_retry_flags(bio);
145	@@ -324,10 +348,16 @@
146
147	static int bio_bucket_create(BIO *bio)
148	{
149	+#ifndef USE_LEGACY_OPENSSL
150	+ BIO_set_shutdown(bio, 1);
151	+ BIO_set_init(bio, 1);
152	+ BIO_set_data(bio, NULL);
153	+#else
154	bio->shutdown = 1;
155	bio->init = 1;
156	bio->num = -1;
157	bio->ptr = NULL;
158	+#endif
159
160	return 1;
161	}
162	@@ -364,6 +394,7 @@
163	return ret;
164	}
165
166	+#ifdef USE_LEGACY_OPENSSL
167	static BIO_METHOD bio_bucket_method = {
168	BIO_TYPE_MEM,
169	"Serf SSL encryption and decryption buckets",
170	@@ -393,6 +424,56 @@
171	NULL /* sslc does not have the callback_ctrl field */
172	#endif
173	};
174	+#endif
175	+
176	+static BIO_METHOD *bio_meth_bucket_new(void)
177	+{
178	+ BIO_METHOD *biom = NULL;
179	+
180	+#ifndef USE_LEGACY_OPENSSL
181	+ biom = BIO_meth_new(BIO_TYPE_MEM,
182	+ "Serf SSL encryption and decryption buckets");
183	+ if (biom) {
184	+ BIO_meth_set_write(biom, bio_bucket_write);
185	+ BIO_meth_set_read(biom, bio_bucket_read);
186	+ BIO_meth_set_ctrl(biom, bio_bucket_ctrl);
187	+ BIO_meth_set_create(biom, bio_bucket_create);
188	+ BIO_meth_set_destroy(biom, bio_bucket_destroy);
189	+ }
190	+#else
191	+ biom = &bio_bucket_method;
192	+#endif
193	+
194	+ return biom;
195	+}
196	+
197	+static BIO_METHOD *bio_meth_file_new(void)
198	+{
199	+ BIO_METHOD *biom = NULL;
200	+
201	+#ifndef USE_LEGACY_OPENSSL
202	+ biom = BIO_meth_new(BIO_TYPE_FILE, "Wrapper around APR file structures");
203	+ if (biom) {
204	+ BIO_meth_set_write(biom, bio_file_write);
205	+ BIO_meth_set_read(biom, bio_file_read);
206	+ BIO_meth_set_gets(biom, bio_file_gets);
207	+ BIO_meth_set_ctrl(biom, bio_bucket_ctrl);
208	+ BIO_meth_set_create(biom, bio_bucket_create);
209	+ BIO_meth_set_destroy(biom, bio_bucket_destroy);
210	+ }
211	+#else
212	+ biom = &bio_file_method;
213	+#endif
214	+
215	+ return biom;
216	+}
217	+
218	+static void bio_meth_free(BIO_METHOD *biom)
219	+{
220	+#ifndef USE_LEGACY_OPENSSL
221	+ BIO_meth_free(biom);
222	+#endif
223	+}
224
225	static int
226	validate_server_certificate(int cert_valid, X509_STORE_CTX *store_ctx)
227	@@ -799,7 +880,7 @@
228	return status;
229	}
230
231	-#if APR_HAS_THREADS
232	+#if APR_HAS_THREADS && defined(USE_LEGACY_OPENSSL)
233	static apr_pool_t *ssl_pool;
234	static apr_thread_mutex_t **ssl_locks;
235
236	@@ -878,18 +959,22 @@
237	#endif
238
239	if (!val) {
240	-#if APR_HAS_THREADS
241	+#if APR_HAS_THREADS && defined(USE_LEGACY_OPENSSL)
242	int i, numlocks;
243	#endif
244	#ifndef OPENSSL_IS_BORINGSSL
245	+#ifndef USE_LEGACY_OPENSSL
246	+ OPENSSL_malloc_init();
247	+#else
248	CRYPTO_malloc_init();
249	#endif
250	+#endif
251	ERR_load_crypto_strings();
252	SSL_load_error_strings();
253	SSL_library_init();
254	OpenSSL_add_all_algorithms();
255
256	-#if APR_HAS_THREADS
257	+#if APR_HAS_THREADS && defined(USE_LEGACY_OPENSSL)
258	numlocks = CRYPTO_num_locks();
259	apr_pool_create(&ssl_pool, NULL);
260	ssl_locks = apr_palloc(ssl_pool, sizeof(apr_thread_mutex_t)numlocks);
261	@@ -929,6 +1014,7 @@
262	const char *cert_path;
263	apr_file_t *cert_file;
264	BIO *bio;
265	+ BIO_METHOD *biom;
266	PKCS12 *p12;
267	int i;
268	int retrying_success = 0;
269	@@ -954,8 +1040,9 @@
270	continue;
271	}
272
273	- bio = BIO_new(&bio_file_method);
274	- bio->ptr = cert_file;
275	+ biom = bio_meth_file_new();
276	+ bio = BIO_new(biom);
277	+ bio_set_data(bio, cert_file);
278
279	ctx->cert_path = cert_path;
280	p12 = d2i_PKCS12_bio(bio, NULL);
281	@@ -965,6 +1052,7 @@
282
283	if (i == 1) {
284	PKCS12_free(p12);
285	+ bio_meth_free(biom);
286	ctx->cached_cert = *cert;
287	ctx->cached_cert_pw = *pkey;
288	if (!retrying_success && ctx->cert_cache_pool) {
289	@@ -1005,6 +1093,7 @@
290	i = PKCS12_parse(p12, password, pkey, cert, NULL);
291	if (i == 1) {
292	PKCS12_free(p12);
293	+ bio_meth_free(biom);
294	ctx->cached_cert = *cert;
295	ctx->cached_cert_pw = *pkey;
296	if (!retrying_success && ctx->cert_cache_pool) {
297	@@ -1032,6 +1121,7 @@
298	}
299	}
300	PKCS12_free(p12);
301	+ bio_meth_free(biom);
302	return 0;
303	}
304	else {
305	@@ -1039,6 +1129,7 @@
306	ERR_GET_FUNC(err),
307	ERR_GET_REASON(err));
308	PKCS12_free(p12);
309	+ bio_meth_free(biom);
310	}
311	}
312	}
313	@@ -1135,8 +1226,9 @@
314	SSL_CTX_set_options(ssl_ctx->ctx, SSL_OP_ALL);
315
316	ssl_ctx->ssl = SSL_new(ssl_ctx->ctx);
317	- ssl_ctx->bio = BIO_new(&bio_bucket_method);
318	- ssl_ctx->bio->ptr = ssl_ctx;
319	+ ssl_ctx->biom = bio_meth_bucket_new();
320	+ ssl_ctx->bio = BIO_new(ssl_ctx->biom);
321	+ bio_set_data(ssl_ctx->bio, ssl_ctx);
322
323	SSL_set_bio(ssl_ctx->ssl, ssl_ctx->bio, ssl_ctx->bio);
324
325	@@ -1180,6 +1272,7 @@
326	ssl_ctx->ssl = NULL;
327	SSL_CTX_free(ssl_ctx->ctx);
328	ssl_ctx->ctx = NULL;
329	+ bio_meth_free(ssl_ctx->biom);
330
331	p = ssl_ctx->pool;
332