cadaver: Build with OpenSSL 1.1... by switching to gnutls and fixing that

6 files changed, 503 insertions, 20 deletions

diff --git a/www/cadaver/Makefile b/www/cadaver/Makefile
index 599b25443d5..15a14f7f282 100644
--- a/www/cadaver/Makefile
+++ b/www/cadaver/Makefile
@@ -1,37 +1,25 @@
-# $NetBSD: Makefile,v 1.51 2020/04/24 12:14:01 nia Exp $
+# $NetBSD: Makefile,v 1.52 2020/04/25 13:47:31 nia Exp $
 
 DISTNAME=		cadaver-0.23.3
-PKGREVISION=		5
+PKGREVISION=		6
 CATEGORIES=		www
-#MASTER_SITES=		http://www.webdav.org/cadaver/
+MASTER_SITES=		http://www.webdav.org/cadaver/
 
 MAINTAINER=		pkgsrc-users@NetBSD.org
-#HOMEPAGE=		http://www.webdav.org/cadaver/
+HOMEPAGE=		http://www.webdav.org/cadaver/
 COMMENT=		Command-line WebDAV client
-
-BROKEN=			"Fails to build with OpenSSL 1.1"
+LICENSE=		gnu-gpl-v2
 
 BUILD_TARGET=		cadaver
 GNU_CONFIGURE=		YES
 USE_PKGLOCALEDIR=	yes
 CONFIGURE_ARGS+=	--enable-netrc
 CONFIGURE_ARGS+=	--with-expat
-#CONFIGURE_ARGS+=	--with-included-neon
-CONFIGURE_ARGS+=	--with-ssl=yes
+CONFIGURE_ARGS+=	--with-ssl=gnutls
 LIBS+=			${BUILDLINK_LDADD.termcap}
 
-#INSTALL_MAKE_FLAGS+=	bindir=${DESTDIR:Q}${PREFIX:Q}/bin		\
-#			mandir=${DESTDIR:Q}${PREFIX:Q}/${PKGMANDIR:Q}
-
 .include "../../mk/readline.buildlink3.mk"
-.include "../../security/openssl/buildlink3.mk"
 .include "../../textproc/expat/buildlink3.mk"
-.include "../../www/neon/buildlink3.mk"
 .include "../../devel/gettext-lib/buildlink3.mk"
-# DON'T make this package depend on the www/neon package until neon
-# becomes stable; keep it using its internal copy of neon as with
-# www/sitecopy.  This package has in the past bounced back and forth
-# between using external and internal neon because neon moves faster
-# than cadaver, and does so incompatibly.
-
+.include "../../security/gnutls/buildlink3.mk"
 .include "../../mk/bsd.pkg.mk"
diff --git a/www/cadaver/distinfo b/www/cadaver/distinfo
index 24789ceca82..ac4add390e6 100644
--- a/www/cadaver/distinfo
+++ b/www/cadaver/distinfo
@@ -1,7 +1,11 @@
-$NetBSD: distinfo,v 1.10 2015/11/04 02:46:51 agc Exp $
+$NetBSD: distinfo,v 1.11 2020/04/25 13:47:31 nia Exp $
 
 SHA1 (cadaver-0.23.3.tar.gz) = 4ad8ea2341b77e7dee26b46e4a8a496f1a2962cd
 RMD160 (cadaver-0.23.3.tar.gz) = 104f687cfd121b091ba2f509b37574509b4ffabd
 SHA512 (cadaver-0.23.3.tar.gz) = 48fe0a266be0ca7239f325377e5e2a8dc57a5d60466c7160e36c060ad24c09a50727695b9fa931844b1e66e173ebbb838f390d6c60fd07b614bd3b636cd4dd41
 Size (cadaver-0.23.3.tar.gz) = 831884 bytes
 SHA1 (patch-aa) = 6b8391e825d8bc4131fdab4aee7214a0181a9b69
+SHA1 (patch-lib_neon_ne__auth.c) = b3be23038af390d52830e1c00c8313606e79ba96
+SHA1 (patch-lib_neon_ne__gnutls.c) = ab502c65db85b2e2db100dcbaad3f51de3e9e895
+SHA1 (patch-lib_neon_ne__privssl.h) = 83431345d2333423c664ce4f764683b1ee48b571
+SHA1 (patch-lib_neon_ne__socket.c) = effeded3caa19853b1845fdeea4754491f11e009
diff --git a/www/cadaver/patches/patch-lib_neon_ne__auth.c b/www/cadaver/patches/patch-lib_neon_ne__auth.c
new file mode 100644
index 00000000000..f50f4413add
--- /dev/null
+++ b/www/cadaver/patches/patch-lib_neon_ne__auth.c
@@ -0,0 +1,24 @@
+$NetBSD: patch-lib_neon_ne__auth.c,v 1.1 2020/04/25 13:47:31 nia Exp $
+
+Fix build with newer gnutls.
+
+--- lib/neon/ne_auth.c.orig	2009-12-02 21:27:34.000000000 +0000
++++ lib/neon/ne_auth.c
+@@ -46,7 +46,7 @@
+ #ifdef HAVE_OPENSSL
+ #include <openssl/rand.h>
+ #elif defined(HAVE_GNUTLS)
+-#include <gcrypt.h>
++#include <gnutls/crypto.h>
+ #endif
+ 
+ #include <errno.h>
+@@ -316,7 +316,7 @@ static char *get_cnonce(void) 
+ 
+ #ifdef HAVE_GNUTLS
+     if (1) {
+-        gcry_create_nonce(data, sizeof data);
++        gnutls_rnd(GNUTLS_RND_NONCE, data, sizeof data);
+         ne_md5_process_bytes(data, sizeof data, hash);
+     }
+     else
diff --git a/www/cadaver/patches/patch-lib_neon_ne__gnutls.c b/www/cadaver/patches/patch-lib_neon_ne__gnutls.c
new file mode 100644
index 00000000000..834cc9841a5
--- /dev/null
+++ b/www/cadaver/patches/patch-lib_neon_ne__gnutls.c
@@ -0,0 +1,340 @@
+$NetBSD: patch-lib_neon_ne__gnutls.c,v 1.1 2020/04/25 13:47:31 nia Exp $
+
+Fix build with newer gnutls.
+
+--- lib/neon/ne_gnutls.c.orig	2009-12-02 21:40:41.000000000 +0000
++++ lib/neon/ne_gnutls.c
+@@ -33,15 +33,13 @@
+ #include <errno.h>
+ 
+ #include <gnutls/gnutls.h>
++#include <gnutls/abstract.h>
+ #include <gnutls/pkcs12.h>
+ 
+ #ifdef NE_HAVE_TS_SSL
+ #include <errno.h>
+ #include <pthread.h>
+-#include <gcrypt.h>
+ GCRY_THREAD_OPTION_PTHREAD_IMPL;
+-#else
+-#include <gcrypt.h>
+ #endif
+ 
+ #ifdef HAVE_ICONV
+@@ -67,30 +65,30 @@ struct ne_ssl_dname_s {
+     gnutls_x509_dn_t dn;
+ #else
+     int subject; /* non-zero if this is the subject DN object */
+-    gnutls_x509_crt cert;
++    gnutls_x509_crt_t cert;
+ #endif
+ };
+ 
+ struct ne_ssl_certificate_s {
+     ne_ssl_dname subj_dn, issuer_dn;
+-    gnutls_x509_crt subject;
++    gnutls_x509_crt_t subject;
+     ne_ssl_certificate *issuer;
+     char *identity;
+ };
+ 
+ struct ne_ssl_client_cert_s {
+-    gnutls_pkcs12 p12;
++    gnutls_pkcs12_t p12;
+     int decrypted; /* non-zero if successfully decrypted. */
+     int keyless;
+     ne_ssl_certificate cert;
+-    gnutls_x509_privkey pkey;
++    gnutls_x509_privkey_t pkey;
+     char *friendly_name;
+ };
+ 
+ /* Returns the highest used index in subject (or issuer) DN of
+  * certificate CERT for OID, or -1 if no RDNs are present in the DN
+  * using that OID. */
+-static int oid_find_highest_index(gnutls_x509_crt cert, int subject, const char *oid)
++static int oid_find_highest_index(gnutls_x509_crt_t cert, int subject, const char *oid)
+ {
+     int ret, idx = -1;
+ 
+@@ -113,7 +111,7 @@ static int oid_find_highest_index(gnutls
+ 
+ #ifdef HAVE_ICONV
+ static void convert_dirstring(ne_buffer *buf, const char *charset, 
+-                              gnutls_datum *data)
++                              gnutls_datum_t *data)
+ {
+     iconv_t id = iconv_open("UTF-8", charset);
+     size_t inlen = data->size, outlen = buf->length - buf->used;
+@@ -150,7 +148,7 @@ static void convert_dirstring(ne_buffer 
+ #define TAG_UNIVERSAL (28)
+ #define TAG_BMP (30)
+ 
+-static void append_dirstring(ne_buffer *buf, gnutls_datum *data, unsigned long tag)
++static void append_dirstring(ne_buffer *buf, gnutls_datum_t *data, unsigned long tag)
+ {
+     switch (tag) {
+     case TAG_UTF8:
+@@ -240,7 +238,7 @@ char *ne_ssl_readable_dname(const ne_ssl
+ 
+ /* Appends the value of RDN with given oid from certitifcate x5
+  * subject (if subject is non-zero), or issuer DN to buffer 'buf': */
+-static void append_rdn(ne_buffer *buf, gnutls_x509_crt x5, int subject, const char *oid)
++static void append_rdn(ne_buffer *buf, gnutls_x509_crt_t x5, int subject, const char *oid)
+ {
+     int idx, top, ret;
+     char rdn[50];
+@@ -353,7 +351,7 @@ void ne_ssl_cert_validity_time(const ne_
+  * If 'identity' is non-NULL, store the malloc-allocated identity in
+  * *identity.  If 'server' is non-NULL, it must be the network address
+  * of the server in use, and identity must be NULL. */
+-static int check_identity(const ne_uri *server, gnutls_x509_crt cert,
++static int check_identity(const ne_uri *server, gnutls_x509_crt_t cert,
+                           char **identity)
+ {
+     char name[255];
+@@ -460,7 +458,7 @@ static int check_identity(const ne_uri *
+  * that x5 is owned by returned cert object and must not be otherwise
+  * freed by the caller.  */
+ static ne_ssl_certificate *populate_cert(ne_ssl_certificate *cert,
+-                                         gnutls_x509_crt x5)
++                                         gnutls_x509_crt_t x5)
+ {
+ #ifdef HAVE_NEW_DN_API
+     gnutls_x509_crt_get_subject(x5, &cert->subj_dn.dn);
+@@ -479,12 +477,12 @@ static ne_ssl_certificate *populate_cert
+ }
+ 
+ /* Returns a copy certificate of certificate SRC. */
+-static gnutls_x509_crt x509_crt_copy(gnutls_x509_crt src)
++static gnutls_x509_crt_t x509_crt_copy(gnutls_x509_crt_t src)
+ {
+     int ret;
+     size_t size;
+-    gnutls_datum tmp;
+-    gnutls_x509_crt dest;
++    gnutls_datum_t tmp;
++    gnutls_x509_crt_t dest;
+     
+     if (gnutls_x509_crt_init(&dest) != 0) {
+         return NULL;
+@@ -547,10 +545,10 @@ dup_error:
+ }    
+ 
+ /* Callback invoked when the SSL server requests a client certificate.  */
+-static int provide_client_cert(gnutls_session session,
+-                               const gnutls_datum *req_ca_rdn, int nreqs,
+-                               const gnutls_pk_algorithm *sign_algos,
+-                               int sign_algos_length, gnutls_retr_st *st)
++static int provide_client_cert(gnutls_session_t session,
++                               const gnutls_datum_t *req_ca_rdn, int nreqs,
++                               const gnutls_pk_algorithm_t *sign_algos,
++                               int sign_algos_length, gnutls_retr2_st *st)
+ {
+     ne_session *sess = gnutls_session_get_ptr(session);
+     
+@@ -606,11 +604,11 @@ static int provide_client_cert(gnutls_se
+     }
+ 
+     if (sess->client_cert) {
+-        gnutls_certificate_type type = gnutls_certificate_type_get(session);
++        gnutls_certificate_type_t type = gnutls_certificate_type_get(session);
+         if (type == GNUTLS_CRT_X509) {
+             NE_DEBUG(NE_DBG_SSL, "Supplying client certificate.\n");
+ 
+-            st->type = type;
++            st->cert_type = type;
+             st->ncerts = 1;
+             st->cert.x509 = &sess->client_cert->cert.subject;
+             st->key.x509 = sess->client_cert->pkey;
+@@ -639,8 +637,7 @@ ne_ssl_context *ne_ssl_context_create(in
+     ne_ssl_context *ctx = ne_calloc(sizeof *ctx);
+     gnutls_certificate_allocate_credentials(&ctx->cred);
+     if (flags == NE_SSL_CTX_CLIENT) {
+-        gnutls_certificate_client_set_retrieve_function(ctx->cred,
+-                                                        provide_client_cert);
++        gnutls_certificate_set_retrieve_function(ctx->cred, provide_client_cert);
+     }
+     gnutls_certificate_set_verify_flags(ctx->cred, 
+                                         GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
+@@ -689,9 +686,9 @@ void ne_ssl_context_destroy(ne_ssl_conte
+ #ifdef HAVE_GNUTLS_CERTIFICATE_GET_X509_CAS
+ /* Return the issuer of the given certificate, or NULL if none can be
+  * found. */
+-static gnutls_x509_crt find_issuer(gnutls_x509_crt *ca_list,
++static gnutls_x509_crt_t find_issuer(gnutls_x509_crt_t *ca_list,
+                                    unsigned int num_cas,
+-                                   gnutls_x509_crt cert)
++                                   gnutls_x509_crt_t cert)
+ {
+     unsigned int n;
+ 
+@@ -705,11 +702,11 @@ static gnutls_x509_crt find_issuer(gnutl
+ #endif
+ 
+ /* Return the certificate chain sent by the peer, or NULL on error. */
+-static ne_ssl_certificate *make_peers_chain(gnutls_session sock,
+-                                            gnutls_certificate_credentials crd)
++static ne_ssl_certificate *make_peers_chain(gnutls_session_t sock,
++                                            gnutls_certificate_credentials_t crd)
+ {
+     ne_ssl_certificate *current = NULL, *top = NULL;
+-    const gnutls_datum *certs;
++    const gnutls_datum_t *certs;
+     unsigned int n, count;
+     ne_ssl_certificate *cert;
+ 
+@@ -721,7 +718,7 @@ static ne_ssl_certificate *make_peers_ch
+     NE_DEBUG(NE_DBG_SSL, "ssl: Got %u certs in peer chain.\n", count);
+     
+     for (n = 0; n < count; n++) {
+-        gnutls_x509_crt x5;
++        gnutls_x509_crt_t x5;
+ 
+         if (gnutls_x509_crt_init(&x5) ||
+             gnutls_x509_crt_import(x5, &certs[n], GNUTLS_X509_FMT_DER)) {
+@@ -746,8 +743,8 @@ static ne_ssl_certificate *make_peers_ch
+      * in the Certificate list during the handshake.  Fill in the
+      * complete chain manually against the certs we trust: */
+     if (current->issuer == NULL) {
+-        gnutls_x509_crt issuer;
+-        gnutls_x509_crt *ca_list;
++        gnutls_x509_crt_t issuer;
++        gnutls_x509_crt_t *ca_list;
+         unsigned int num_cas;
+         
+         gnutls_certificate_get_x509_cas(crd, &ca_list, &num_cas);
+@@ -849,7 +846,7 @@ static int check_chain_expiry(ne_ssl_cer
+ }
+ 
+ /* Verifies an SSL server certificate. */
+-static int check_certificate(ne_session *sess, gnutls_session sock,
++static int check_certificate(ne_session *sess, gnutls_session_t sock,
+                              ne_ssl_certificate *chain)
+ {
+     int ret, failures;
+@@ -911,7 +908,7 @@ int ne__negotiate_ssl(ne_session *sess)
+ {
+     ne_ssl_context *const ctx = sess->ssl_context;
+     ne_ssl_certificate *chain;
+-    gnutls_session sock;
++    gnutls_session_t sock;
+ 
+     NE_DEBUG(NE_DBG_SSL, "Negotiating SSL connection.\n");
+ 
+@@ -980,7 +977,7 @@ const char *ne_ssl_cert_identity(const n
+ 
+ void ne_ssl_context_trustcert(ne_ssl_context *ctx, const ne_ssl_certificate *cert)
+ {
+-    gnutls_x509_crt certs = cert->subject;
++    gnutls_x509_crt_t certs = cert->subject;
+     gnutls_certificate_set_x509_trust(ctx->cred, &certs, 1);
+ }
+ 
+@@ -994,7 +991,7 @@ void ne_ssl_trust_default_ca(ne_session 
+ }
+ 
+ /* Read the contents of file FILENAME into *DATUM. */
+-static int read_to_datum(const char *filename, gnutls_datum *datum)
++static int read_to_datum(const char *filename, gnutls_datum_t *datum)
+ {
+     FILE *f = fopen(filename, "r");
+     ne_buffer *buf;
+@@ -1026,11 +1023,11 @@ static int read_to_datum(const char *fil
+ /* Parses a PKCS#12 structure and loads the certificate, private key
+  * and friendly name if possible.  Returns zero on success, non-zero
+  * on error. */
+-static int pkcs12_parse(gnutls_pkcs12 p12, gnutls_x509_privkey *pkey,
+-                        gnutls_x509_crt *x5, char **friendly_name,
++static int pkcs12_parse(gnutls_pkcs12_t p12, gnutls_x509_privkey_t *pkey,
++                        gnutls_x509_crt_t *x5, char **friendly_name,
+                         const char *password)
+ {
+-    gnutls_pkcs12_bag bag = NULL;
++    gnutls_pkcs12_bag_t bag = NULL;
+     int i, j, ret = 0;
+ 
+     for (i = 0; ret == 0; ++i) {
+@@ -1045,8 +1042,8 @@ static int pkcs12_parse(gnutls_pkcs12 p1
+         gnutls_pkcs12_bag_decrypt(bag, password);
+ 
+         for (j = 0; ret == 0 && j < gnutls_pkcs12_bag_get_count(bag); ++j) {
+-            gnutls_pkcs12_bag_type type;
+-            gnutls_datum data;
++            gnutls_pkcs12_bag_type_t type;
++            gnutls_datum_t data;
+ 
+             if (friendly_name && *friendly_name == NULL) {
+                 char *name = NULL;
+@@ -1113,12 +1110,12 @@ static int pkcs12_parse(gnutls_pkcs12 p1
+ ne_ssl_client_cert *ne_ssl_clicert_read(const char *filename)
+ {
+     int ret;
+-    gnutls_datum data;
+-    gnutls_pkcs12 p12;
++    gnutls_datum_t data;
++    gnutls_pkcs12_t p12;
+     ne_ssl_client_cert *cc;
+     char *friendly_name = NULL;
+-    gnutls_x509_crt cert = NULL;
+-    gnutls_x509_privkey pkey = NULL;
++    gnutls_x509_crt_t cert = NULL;
++    gnutls_x509_privkey_t pkey = NULL;
+ 
+     if (read_to_datum(filename, &data))
+         return NULL;
+@@ -1162,8 +1159,8 @@ ne_ssl_client_cert *ne__ssl_clicert_exke
+                                                  size_t der_len)
+ {
+     ne_ssl_client_cert *cc;
+-    gnutls_x509_crt x5;
+-    gnutls_datum datum;
++    gnutls_x509_crt_t x5;
++    gnutls_datum_t datum;
+ 
+     datum.data = (unsigned char *)der;
+     datum.size = der_len;    
+@@ -1190,8 +1187,8 @@ int ne_ssl_clicert_encrypted(const ne_ss
+ int ne_ssl_clicert_decrypt(ne_ssl_client_cert *cc, const char *password)
+ {
+     int ret;
+-    gnutls_x509_crt cert = NULL;
+-    gnutls_x509_privkey pkey = NULL;
++    gnutls_x509_crt_t cert = NULL;
++    gnutls_x509_privkey_t pkey = NULL;
+ 
+     if (gnutls_pkcs12_verify_mac(cc->p12, password) != 0) {
+         return -1;
+@@ -1228,8 +1225,8 @@ const char *ne_ssl_clicert_name(const ne
+ ne_ssl_certificate *ne_ssl_cert_read(const char *filename)
+ {
+     int ret;
+-    gnutls_datum data;
+-    gnutls_x509_crt x5;
++    gnutls_datum_t data;
++    gnutls_x509_crt_t x5;
+ 
+     if (read_to_datum(filename, &data))
+         return NULL;
+@@ -1300,8 +1297,8 @@ ne_ssl_certificate *ne_ssl_cert_import(c
+     int ret;
+     size_t len;
+     unsigned char *der;
+-    gnutls_datum buffer = { NULL, 0 };
+-    gnutls_x509_crt x5;
++    gnutls_datum_t buffer = { NULL, 0 };
++    gnutls_x509_crt_t x5;
+ 
+     if (gnutls_x509_crt_init(&x5) != 0)
+         return NULL;
+@@ -1369,10 +1366,6 @@ int ne_ssl_cert_digest(const ne_ssl_cert
+ 
+ int ne__ssl_init(void)
+ {
+-#ifdef NE_HAVE_TS_SSL
+-    gcry_control(GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread);
+-#endif
+-    gcry_control(GCRYCTL_ENABLE_QUICK_RANDOM, 0);
+     return gnutls_global_init();
+ }
+ 
diff --git a/www/cadaver/patches/patch-lib_neon_ne__privssl.h b/www/cadaver/patches/patch-lib_neon_ne__privssl.h
new file mode 100644
index 00000000000..621a324ad4e
--- /dev/null
+++ b/www/cadaver/patches/patch-lib_neon_ne__privssl.h
@@ -0,0 +1,37 @@
+$NetBSD: patch-lib_neon_ne__privssl.h,v 1.1 2020/04/25 13:47:31 nia Exp $
+
+Fix build with newer gnutls.
+
+--- lib/neon/ne_privssl.h.orig	2009-09-02 14:04:43.000000000 +0000
++++ lib/neon/ne_privssl.h
+@@ -59,7 +59,7 @@ ne__ssl_clicert_exkey_import(const unsig
+ #include <gnutls/gnutls.h>
+ 
+ struct ne_ssl_context_s {
+-    gnutls_certificate_credentials cred;
++    gnutls_certificate_credentials_t cred;
+     int verify; /* non-zero if client cert verification required */
+ 
+     const char *hostname; /* for SNI */
+@@ -67,10 +67,10 @@ struct ne_ssl_context_s {
+     /* Session cache. */
+     union ne_ssl_scache {
+         struct {
+-            gnutls_datum key, data;
++            gnutls_datum_t key, data;
+         } server;
+ #if defined(HAVE_GNUTLS_SESSION_GET_DATA2)
+-        gnutls_datum client;
++        gnutls_datum_t client;
+ #else
+         struct {
+             char *data;
+@@ -85,7 +85,7 @@ struct ne_ssl_context_s {
+ #endif
+ };
+ 
+-typedef gnutls_session ne_ssl_socket;
++typedef gnutls_session_t ne_ssl_socket;
+ 
+ NE_PRIVATE ne_ssl_client_cert *
+ ne__ssl_clicert_exkey_import(const unsigned char *der, size_t der_len);
diff --git a/www/cadaver/patches/patch-lib_neon_ne__socket.c b/www/cadaver/patches/patch-lib_neon_ne__socket.c
new file mode 100644
index 00000000000..3ace7b8e537
--- /dev/null
+++ b/www/cadaver/patches/patch-lib_neon_ne__socket.c
@@ -0,0 +1,90 @@
+$NetBSD: patch-lib_neon_ne__socket.c,v 1.1 2020/04/25 13:47:31 nia Exp $
+
+Fix build with newer gnutls.
+
+--- lib/neon/ne_socket.c.orig	2009-12-02 21:27:34.000000000 +0000
++++ lib/neon/ne_socket.c
+@@ -1608,14 +1608,14 @@ void ne_sock_connect_timeout(ne_socket *
+  * session. */
+ 
+ /* Copy datum 'src' to 'dest'. */
+-static void copy_datum(gnutls_datum *dest, gnutls_datum *src)
++static void copy_datum(gnutls_datum_t *dest, gnutls_datum_t *src)
+ {
+     dest->size = src->size;
+     dest->data = memcpy(gnutls_malloc(src->size), src->data, src->size);
+ }
+ 
+ /* Callback to store a session 'data' with id 'key'. */
+-static int store_sess(void *userdata, gnutls_datum key, gnutls_datum data)
++static int store_sess(void *userdata, gnutls_datum_t key, gnutls_datum_t data)
+ {
+     ne_ssl_context *ctx = userdata;
+ 
+@@ -1631,17 +1631,17 @@ static int store_sess(void *userdata, gn
+ }
+ 
+ /* Returns non-zero if d1 and d2 are the same datum. */
+-static int match_datum(gnutls_datum *d1, gnutls_datum *d2)
++static int match_datum(gnutls_datum_t *d1, gnutls_datum_t *d2)
+ {
+     return d1->size == d2->size
+         && memcmp(d1->data, d2->data, d1->size) == 0;
+ }
+ 
+ /* Callback to retrieve a session of id 'key'. */
+-static gnutls_datum retrieve_sess(void *userdata, gnutls_datum key)
++static gnutls_datum_t retrieve_sess(void *userdata, gnutls_datum_t key)
+ {
+     ne_ssl_context *ctx = userdata;
+-    gnutls_datum ret = { NULL, 0 };
++    gnutls_datum_t ret = { NULL, 0 };
+ 
+     if (match_datum(&ctx->cache.server.key, &key)) {
+         copy_datum(&ret, &ctx->cache.server.data);
+@@ -1652,7 +1652,7 @@ static gnutls_datum retrieve_sess(void *
+ 
+ /* Callback to remove a session of id 'key'; stub needed but
+  * implementation seems unnecessary. */
+-static int remove_sess(void *userdata, gnutls_datum key)
++static int remove_sess(void *userdata, gnutls_datum_t key)
+ {
+     return -1;
+ }
+@@ -1678,6 +1678,8 @@ int ne_sock_accept_ssl(ne_socket *sock, 
+         NE_DEBUG(NE_DBG_SSL, "ssl: Server reused session.\n");
+     }
+ #elif defined(HAVE_GNUTLS)
++    unsigned int verify_status;
++
+     gnutls_init(&ssl, GNUTLS_SERVER);
+     gnutls_credentials_set(ssl, GNUTLS_CRD_CERTIFICATE, ctx->cred);
+     gnutls_set_default_priority(ssl);
+@@ -1689,15 +1691,15 @@ int ne_sock_accept_ssl(ne_socket *sock, 
+     gnutls_db_set_ptr(ssl, ctx);
+ 
+     if (ctx->verify)
+-        gnutls_certificate_server_set_request(ssl, GNUTLS_CERT_REQUEST);
++        gnutls_certificate_server_set_request(ssl, GNUTLS_CERT_REQUIRE);
+ 
+     sock->ssl = ssl;
+-    gnutls_transport_set_ptr(sock->ssl, (gnutls_transport_ptr)(long)sock->fd);
++    gnutls_transport_set_ptr(sock->ssl, (gnutls_transport_ptr_t)(long)sock->fd);
+     ret = gnutls_handshake(ssl);
+     if (ret < 0) {
+         return error_gnutls(sock, ret);
+     }
+-    if (ctx->verify && gnutls_certificate_verify_peers(ssl)) {
++    if (ctx->verify && (gnutls_certificate_verify_peers2(ssl, &verify_status) || verify_status)) {
+         set_error(sock, _("Client certificate verification failed"));
+         return NE_SOCK_ERROR;
+     }
+@@ -1774,7 +1776,7 @@ int ne_sock_connect_ssl(ne_socket *sock,
+                                strlen(ctx->hostname));
+     }                               
+ 
+-    gnutls_transport_set_ptr(sock->ssl, (gnutls_transport_ptr)(long)sock->fd);
++    gnutls_transport_set_ptr(sock->ssl, (gnutls_transport_ptr_t)(long)sock->fd);
+ 
+     if (ctx->cache.client.data) {
+ #if defined(HAVE_GNUTLS_SESSION_GET_DATA2)