--- neon-0.30.0/macros/neon.m4.pkcs11

+++ neon-0.30.0/macros/neon.m4

@@ -982,10 +982,11 @@

    # Check for functions in later releases

    NE_CHECK_FUNCS([gnutls_session_get_data2 gnutls_x509_dn_get_rdn_ava \

-                  gnutls_sign_callback_set \

                   gnutls_certificate_get_issuer \

                   gnutls_certificate_get_x509_cas \

-                  gnutls_x509_crt_sign2])

+                  gnutls_x509_crt_sign2 \

+                  gnutls_certificate_set_retrieve_function2 \

+                  gnutls_privkey_import_ext])

    # fail if gnutls_x509_crt_sign2 is not found (it was introduced in 1.2.0, which is required)

    if test x${ac_cv_func_gnutls_x509_crt_sign2} != xyes; then

@@ -1039,7 +1040,7 @@

   ;;

 esac

-case ${with_pakchois}X${ac_cv_func_gnutls_sign_callback_set}Y${ne_cv_lib_ssl097} in

+case ${with_pakchois}X${ac_cv_func_gnutls_privkey_import_ext}Y${ne_cv_lib_ssl097} in

 noX*Y*) ;;

 *X*Yyes|*XyesY*)

     # PKCS#11... ho!

--- neon-0.30.0/src/ne_gnutls.c.pkcs11

+++ neon-0.30.0/src/ne_gnutls.c

@@ -89,6 +89,13 @@

     ne_ssl_certificate cert;

     gnutls_x509_privkey_t pkey;

     char *friendly_name;

+#ifdef HAVE_GNUTLS_PRIVKEY_IMPORT_EXT

+    /* Signing callback & userdata provided by ne_pkcs11.c.  It would

+     * be better to rewrite the whole module to use gnutls_privkey_t

+     * directly, but it seems impossible to dup such an object. */

+    gnutls_privkey_sign_func sign_func;

+    void *sign_ud;

+#endif

 };

 /* Returns the highest used index in subject (or issuer) DN of

@@ -189,7 +196,7 @@

 char *ne_ssl_readable_dname(const ne_ssl_dname *name)

 {

     gnutls_x509_dn_t dn;

-    int ret, rdn = 0, flag = 0;

+    int ret, rdn = 0;

     ne_buffer *buf;

     gnutls_x509_ava_st val;

@@ -227,7 +234,6 @@

                 && ((!CMPOID(&val, OID_emailAddress)

                      && !CMPOID(&val, OID_commonName))

                     || (buf->used == 1 && rdn == 0))) {

-                flag = 1;

                 if (buf->used > 1) ne_buffer_append(buf, ", ", 2);

                 append_dirstring(buf, &val.value, val.value_tag);

@@ -526,6 +532,10 @@

     if (cc->keyless) {

         newcc->keyless = 1;

+#ifdef HAVE_GNUTLS_PRIVKEY_IMPORT_EXT

+        newcc->sign_func = cc->sign_func;

+        newcc->sign_ud = cc->sign_ud;

+#endif

     }

     else {

         ret = gnutls_x509_privkey_init(&newcc->pkey);

@@ -554,7 +564,15 @@

 static int provide_client_cert(gnutls_session_t session,

                                const gnutls_datum_t *req_ca_rdn, int nreqs,

                                const gnutls_pk_algorithm_t *sign_algos,

-                               int sign_algos_length, gnutls_retr_st *st)

+                               int sign_algos_length, 

+#ifdef HAVE_GNUTLS_CERTIFICATE_SET_RETRIEVE_FUNCTION2

+                               gnutls_pcert_st **pcert, 

+                               unsigned int *pcert_length, 

+                               gnutls_privkey_t *pkey

+#else

+                               gnutls_retr2_st *st

+#endif

+    )

 {

     ne_session *sess = gnutls_session_get_ptr(session);

@@ -612,27 +630,58 @@

     if (sess->client_cert) {

         gnutls_certificate_type_t type = gnutls_certificate_type_get(session);

         if (type == GNUTLS_CRT_X509

-#if LIBGNUTLS_VERSION_NUMBER > 0x030000

-            /* Ugly hack; prevent segfaults w/GnuTLS 3.0. */

-            && sess->client_cert->pkey != NULL

+            && (sess->client_cert->pkey || sess->client_cert->keyless)) {

+            int ret;

+

+#ifdef HAVE_GNUTLS_CERTIFICATE_SET_RETRIEVE_FUNCTION2

+            gnutls_privkey_init(pkey);

+

+#ifdef HAVE_GNUTLS_PRIVKEY_IMPORT_EXT

+            if (sess->client_cert->sign_func) {

+                int algo = gnutls_x509_crt_get_pk_algorithm(sess->client_cert->cert.subject, NULL);

+                NE_DEBUG(NE_DBG_SSL, "ssl: Signing for %s.\n", gnutls_pk_algorithm_get_name(algo));

+                         

+                ret = gnutls_privkey_import_ext(*pkey, algo, sess->client_cert->sign_ud,

+                                                sess->client_cert->sign_func, NULL, 0);

+            }

+            else

 #endif

-            ) {

-            NE_DEBUG(NE_DBG_SSL, "Supplying client certificate.\n");

+            if (sess->client_cert->keyless) {

+                ret = GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE;

+            }

+            else {

+                ret = gnutls_privkey_import_x509(*pkey, sess->client_cert->pkey, 0);

+            }

-            st->type = type;

+            if (ret) {

+                NE_DEBUG(NE_DBG_SSL, "ssl: Failed to import private key: %s.\n", gnutls_strerror(ret));

+                ne_set_error(sess, _("Failed to import private key: %s"), gnutls_strerror(ret));

+                return ret;

+            }

+            

+            *pcert = gnutls_calloc(1, sizeof **pcert);

+            gnutls_pcert_import_x509(*pcert, sess->client_cert->cert.subject, 0);

+            *pcert_length = 1;

+#else /* !HAVE_GNUTLS_CERTIFICATE_SET_RETRIEVE_FUNCTION2 */

+            st->cert_type = type;

             st->ncerts = 1;

             st->cert.x509 = &sess->client_cert->cert.subject;

             st->key.x509 = sess->client_cert->pkey;

             /* tell GNU TLS not to deallocate the certs. */

             st->deinit_all = 0;

+#endif

         } else {

             return GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE;

         }

     } 

     else {

-        NE_DEBUG(NE_DBG_SSL, "No client certificate supplied.\n");

+        NE_DEBUG(NE_DBG_SSL, "ssl: No client certificate supplied.\n");

+#ifdef HAVE_GNUTLS_CERTIFICATE_SET_RETRIEVE_FUNCTION2

+        *pcert_length = 0;

+#else        

         st->ncerts = 0;

+#endif

         sess->ssl_cc_requested = 1;

         return 0;

     }

@@ -650,8 +699,12 @@

     ne_ssl_context *ctx = ne_calloc(sizeof *ctx);

     gnutls_certificate_allocate_credentials(&ctx->cred);

     if (flags == NE_SSL_CTX_CLIENT) {

+#ifdef HAVE_GNUTLS_CERTIFICATE_SET_RETRIEVE_FUNCTION2

+        gnutls_certificate_set_retrieve_function2(ctx->cred, provide_client_cert);

+#else

         gnutls_certificate_client_set_retrieve_function(ctx->cred,

                                                         provide_client_cert);

+#endif

     }

     gnutls_certificate_set_verify_flags(ctx->cred, 

                                         GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);

@@ -694,7 +747,11 @@

 {

     gnutls_certificate_free_credentials(ctx->cred);

     if (ctx->cache.client.data) {

+#if defined(HAVE_GNUTLS_SESSION_GET_DATA2)

+        gnutls_free(ctx->cache.client.data);

+#else

         ne_free(ctx->cache.client.data);

+#endif

     } else if (ctx->cache.server.key.data) {

         gnutls_free(ctx->cache.server.key.data);

         gnutls_free(ctx->cache.server.data.data);

@@ -1164,7 +1221,9 @@

     gnutls_x509_crt_t cert = NULL;

     gnutls_x509_privkey_t pkey = NULL;

-    data.data = buffer;

+    /* The datum structure is not modified by gnutls_pkcs12_import,

+     * cast safely: */

+    data.data = (unsigned char *)buffer;

     data.size = buflen;

     if (gnutls_pkcs12_init(&p12) != 0) {

@@ -1201,8 +1260,10 @@

     }

 }

-ne_ssl_client_cert *ne__ssl_clicert_exkey_import(const unsigned char *der,

-                                                 size_t der_len)

+#ifdef HAVE_GNUTLS_PRIVKEY_IMPORT_EXT

+ne_ssl_client_cert *ne__ssl_clicert_exkey_import(const unsigned char *der, size_t der_len,

+                                                 gnutls_privkey_sign_func sign_func,

+                                                 void *userdata)

 {

     ne_ssl_client_cert *cc;

     gnutls_x509_crt_t x5;

@@ -1221,9 +1282,12 @@

     cc->keyless = 1;

     cc->decrypted = 1;

     populate_cert(&cc->cert, x5);

+    cc->sign_func = sign_func;

+    cc->sign_ud = userdata;

-    return cc;    

+    return cc;

 }

+#endif

 int ne_ssl_clicert_encrypted(const ne_ssl_client_cert *cc)

 {

--- neon-0.30.0/src/ne_pkcs11.c.pkcs11

+++ neon-0.30.0/src/ne_pkcs11.c

@@ -160,6 +160,13 @@

 }

 #endif

+#ifdef HAVE_GNUTLS

+static int pk11_sign_callback(gnutls_privkey_t pkey,

+                              void *userdata,

+                              const gnutls_datum_t *raw_data,

+                              gnutls_datum_t *signature);

+#endif

+

 static int pk11_find_x509(ne_ssl_pkcs11_provider *prov,

                           pakchois_session_t *pks, 

                           unsigned char *certid, unsigned long *cid_len)

@@ -207,9 +214,9 @@

             ne_ssl_client_cert *cc;

 #ifdef HAVE_GNUTLS

-            cc = ne__ssl_clicert_exkey_import(value, a[0].value_len);

+            cc = ne__ssl_clicert_exkey_import(value, a[0].value_len, pk11_sign_callback, prov);

 #else

-            cc = ne__ssl_clicert_exkey_import(value, a[0].value_len, pk11_rsa_method(prov));

+            cc = ne__ssl_clicert_exkey_import(value, a[0].value_len, prov->method);

 #endif

             if (cc) {

                 NE_DEBUG(NE_DBG_SSL, "pk11: Imported X.509 cert.\n");

@@ -302,10 +309,8 @@

 #ifdef HAVE_GNUTLS

 /* Callback invoked by GnuTLS to provide the signature.  The signature

  * operation is handled here by the PKCS#11 provider.  */

-static int pk11_sign_callback(gnutls_session_t session,

+static int pk11_sign_callback(gnutls_privkey_t pkey,

                               void *userdata,

-                              gnutls_certificate_type_t cert_type,

-                              const gnutls_datum_t *cert,

                               const gnutls_datum_t *hash,

                               gnutls_datum_t *signature)

 {

@@ -575,11 +580,6 @@

 void ne_ssl_set_pkcs11_provider(ne_session *sess, 

                                 ne_ssl_pkcs11_provider *provider)

 {

-#ifdef HAVE_GNUTLS

-    sess->ssl_context->sign_func = pk11_sign_callback;

-    sess->ssl_context->sign_data = provider;

-#endif

-

     ne_ssl_provide_clicert(sess, pk11_provide, provider);

 }

--- neon-0.30.0/src/ne_privssl.h.pkcs11

+++ neon-0.30.0/src/ne_privssl.h

@@ -58,6 +58,10 @@

 #include <gnutls/gnutls.h>

+#ifdef HAVE_GNUTLS_PRIVKEY_IMPORT_EXT

+#include <gnutls/abstract.h>

+#endif

+

 struct ne_ssl_context_s {

     gnutls_certificate_credentials_t cred;

     int verify; /* non-zero if client cert verification required */

@@ -78,17 +82,13 @@

         } client;

 #endif

     } cache;

-

-#ifdef HAVE_GNUTLS_SIGN_CALLBACK_SET

-    gnutls_sign_func sign_func;

-    void *sign_data;

-#endif

 };

 typedef gnutls_session_t ne_ssl_socket;

 NE_PRIVATE ne_ssl_client_cert *

-ne__ssl_clicert_exkey_import(const unsigned char *der, size_t der_len);

+ne__ssl_clicert_exkey_import(const unsigned char *der, size_t der_len,

+                             gnutls_privkey_sign_func sign_func, void *userdata);

 #endif /* HAVE_GNUTLS */