- Fix #777: OpenSSL 1.1.0 compatibility, patch from Sebastian A. Siewior.
authorWouter Wijngaards <wouter@nlnetlabs.nl>
Mon, 29 Aug 2016 07:05:19 +0000 (07:05 +0000)
committerWouter Wijngaards <wouter@nlnetlabs.nl>
Mon, 29 Aug 2016 07:05:19 +0000 (07:05 +0000)
git-svn-id: file:///svn/unbound/trunk@3837 be551aaa-1e26-0410-a405-d3ace91eadb9

daemon/remote.c
doc/Changelog
sldns/keyraw.c
validator/val_secalgo.c

index 7fac32d6b71784b1c3478b12ad6d22f0f902af1a..4b38e4bc5c72e89650e32f14d2c1ef211e377825 100644 (file)
@@ -144,7 +144,7 @@ timeval_divide(struct timeval* avg, const struct timeval* sum, size_t d)
  * (some openssl versions reject DH that is 'too small', eg. 512).
  */
 #ifndef S_SPLINT_S
-DH *get_dh2048()
+static DH *get_dh2048(void)
 {
        static unsigned char dh2048_p[]={
                0xE7,0x36,0x28,0x3B,0xE4,0xC3,0x32,0x1C,0x01,0xC3,0x67,0xD6,
@@ -173,14 +173,31 @@ DH *get_dh2048()
        static unsigned char dh2048_g[]={
                0x02,
                };
-       DH *dh;
-
-       if ((dh=DH_new()) == NULL) return(NULL);
-       dh->p=BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL);
-       dh->g=BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL);
-       if ((dh->p == NULL) || (dh->g == NULL))
-               { DH_free(dh); return(NULL); }
-       return(dh);
+       DH *dh = NULL;
+       BIGNUM *p = NULL, *g = NULL;
+
+       dh = DH_new();
+       p = BN_bin2bn(dh2048_p, sizeof(dh2048_p), NULL);
+       g = BN_bin2bn(dh2048_g, sizeof(dh2048_g), NULL);
+       if (!dh || !p || !g)
+               goto err;
+
+#if OPENSSL_VERSION_NUMBER < 0x10100000
+       dh->p = p;
+       dh->g = g;
+#else
+       if (!DH_set0_pqg(dh, p, NULL, g))
+               goto err;
+#endif
+       return dh;
+err:
+       if (p)
+               BN_free(p);
+       if (g)
+               BN_free(g);
+       if (dh)
+               DH_free(dh);
+       return NULL;
 }
 #endif /* SPLINT */
 
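Review bot: The NULL guards in the `err:` cleanup of get_dh2048 are redundant, because `BN_free(NULL)` and `DH_free(NULL)` are documented no-ops; the three `if (...)` checks can collapse to `BN_free(p); BN_free(g); DH_free(dh);`. The more consequential point is the bare `OPENSSL_VERSION_NUMBER < 0x10100000` test that chooses between writing `dh->p`/`dh->g` directly and calling DH_set0_pqg: LibreSSL reports a version number of 0x20000000L but, at least in releases current when this patch was written, did not ship the `*_set0_*` accessors, so such a build would select the accessor branch and fail to link; if that target is supported, the old-API branch should also be taken when `defined(LIBRESSL_VERSION_NUMBER)`, e.g. `#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(LIBRESSL_VERSION_NUMBER)`. The same version-only test is repeated in the sldns_key_buf2dsa_raw and sldns_key_buf2rsa_raw hunks of sldns/keyraw.c. The ownership handling on the accessor branch is otherwise right: a failed DH_set0_pqg does not take p or g, so freeing both at `err:` is neither a leak nor a double free.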
index 445fef7a9eae3e4d5a11000adae3316db340ad43..74091e7d0fd4e5b4698a15f2979ffea600986db5 100644 (file)
@@ -1,3 +1,7 @@
+29 August 2016: Ralph
+       - Fix #777: OpenSSL 1.1.0 compatibility, patch from Sebastian A.
+         Siewior.
+
 25 August 2016: Ralph
        - Clarify local-zone-override entry in unbound.conf.5 
        
index 8d28bf40ab325d34c6ed5de224f53af5be150a6f..8b1c18f2b79daad643a8aa5514dfa9177a14f981 100644 (file)
@@ -215,6 +215,7 @@ sldns_key_buf2dsa_raw(unsigned char* key, size_t len)
                BN_free(Y);
                return NULL;
        }
+#if OPENSSL_VERSION_NUMBER < 0x10100000
 #ifndef S_SPLINT_S
        dsa->p = P;
        dsa->q = Q;
@@ -222,6 +223,25 @@ sldns_key_buf2dsa_raw(unsigned char* key, size_t len)
        dsa->pub_key = Y;
 #endif /* splint */
 
+#else /* OPENSSL_VERSION_NUMBER */
+       if (!DSA_set0_pqg(dsa, P, Q, G)) {
+               /* QPG not yet attached, need to free */
+               BN_free(Q);
+               BN_free(P);
+               BN_free(G);
+
+               DSA_free(dsa);
+               BN_free(Y);
+               return NULL;
+       }
+       if (!DSA_set0_key(dsa, Y, NULL)) {
+               /* QPG attached, cleaned up by DSA_fre() */
+               DSA_free(dsa);
+               BN_free(Y);
+               return NULL;
+       }
+#endif
+
        return dsa;
 }
 
@@ -273,11 +293,21 @@ sldns_key_buf2rsa_raw(unsigned char* key, size_t len)
                BN_free(modulus);
                return NULL;
        }
+#if OPENSSL_VERSION_NUMBER < 0x10100000
 #ifndef S_SPLINT_S
        rsa->n = modulus;
        rsa->e = exponent;
 #endif /* splint */
 
+#else /* OPENSSL_VERSION_NUMBER */
+       if (!RSA_set0_key(rsa, modulus, exponent, NULL)) {
+               BN_free(exponent);
+               BN_free(modulus);
+               RSA_free(rsa);
+               return NULL;
+       }
+#endif
+
        return rsa;
 }
 
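Review bot: The comment in the DSA_set0_key failure branch of sldns_key_buf2dsa_raw has a typo, `DSA_fre()`, and names the parameters in a different order from the call; it should read `/* PQG attached, cleaned up by DSA_free() */`. The cleanup logic itself matches the 1.1.0 accessor contract as documented: when DSA_set0_pqg, DSA_set0_key or RSA_set0_key returns 0 it has not taken ownership of the BIGNUMs, so the explicit BN_free calls before DSA_free/RSA_free are required and do not double free. The RSA failure branch in sldns_key_buf2rsa_raw has no comment at all, which makes the two branches look asymmetric; a one-liner such as `/* set0 failed: rsa does not own n/e yet, free them here */` would make the intent clear. Both functions begin before their hunks, so the earlier allocation and error paths are not visible here.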
index bd5aa90db3a7e6c959616880e73a9f70ef19d0c0..fb0f796fe3426328ba76dc89f16b39e0e49bb998 100644 (file)
@@ -592,7 +592,7 @@ verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
                log_err("EVP_MD_CTX_new: malloc failure");
                EVP_PKEY_free(evp_key);
                if(dofree) free(sigblock);
-               else if(docrypto_free) CRYPTO_free(sigblock);
+               else if(docrypto_free) OPENSSL_free(sigblock);
                return sec_status_unchecked;
        }
        if(EVP_VerifyInit(ctx, digest_type) == 0) {
@@ -600,7 +600,7 @@ verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
                EVP_MD_CTX_destroy(ctx);
                EVP_PKEY_free(evp_key);
                if(dofree) free(sigblock);
-               else if(docrypto_free) CRYPTO_free(sigblock);
+               else if(docrypto_free) OPENSSL_free(sigblock);
                return sec_status_unchecked;
        }
        if(EVP_VerifyUpdate(ctx, (unsigned char*)sldns_buffer_begin(buf), 
@@ -609,7 +609,7 @@ verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
                EVP_MD_CTX_destroy(ctx);
                EVP_PKEY_free(evp_key);
                if(dofree) free(sigblock);
-               else if(docrypto_free) CRYPTO_free(sigblock);
+               else if(docrypto_free) OPENSSL_free(sigblock);
                return sec_status_unchecked;
        }
 
@@ -623,7 +623,7 @@ verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
        EVP_PKEY_free(evp_key);
 
        if(dofree) free(sigblock);
-       else if(docrypto_free) CRYPTO_free(sigblock);
+       else if(docrypto_free) OPENSSL_free(sigblock);
 
        if(res == 1) {
                return sec_status_secure;