From: Wouter Wijngaards <wouter@nlnetlabs.nl>
Date: Mon, 29 Aug 2016 07:05:19 +0000 (+0000)
Subject: - Fix #777: OpenSSL 1.1.0 compatibility, patch from Sebastian A. Siewior.
X-Git-Tag: release-1.5.10~28
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ca5eca956733cc0e4601b7c38fb59ee2b1edfc88;p=thirdparty%2Funbound.git

- Fix #777: OpenSSL 1.1.0 compatibility, patch from Sebastian A. Siewior.


git-svn-id: file:///svn/unbound/trunk@3837 be551aaa-1e26-0410-a405-d3ace91eadb9
---

diff --git a/daemon/remote.c b/daemon/remote.c
index 7fac32d6b..4b38e4bc5 100644
--- a/daemon/remote.c
+++ b/daemon/remote.c
@@ -144,7 +144,7 @@ timeval_divide(struct timeval* avg, const struct timeval* sum, size_t d)
  * (some openssl versions reject DH that is 'too small', eg. 512).
  */
 #ifndef S_SPLINT_S
-DH *get_dh2048()
+static DH *get_dh2048(void)
 {
 	static unsigned char dh2048_p[]={
 		0xE7,0x36,0x28,0x3B,0xE4,0xC3,0x32,0x1C,0x01,0xC3,0x67,0xD6,
@@ -173,14 +173,31 @@ DH *get_dh2048()
 	static unsigned char dh2048_g[]={
 		0x02,
 		};
-	DH *dh;
-
-	if ((dh=DH_new()) == NULL) return(NULL);
-	dh->p=BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL);
-	dh->g=BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL);
-	if ((dh->p == NULL) || (dh->g == NULL))
-		{ DH_free(dh); return(NULL); }
-	return(dh);
+	DH *dh = NULL;
+	BIGNUM *p = NULL, *g = NULL;
+
+	dh = DH_new();
+	p = BN_bin2bn(dh2048_p, sizeof(dh2048_p), NULL);
+	g = BN_bin2bn(dh2048_g, sizeof(dh2048_g), NULL);
+	if (!dh || !p || !g)
+		goto err;
+
+#if OPENSSL_VERSION_NUMBER < 0x10100000
+	dh->p = p;
+	dh->g = g;
+#else
+	if (!DH_set0_pqg(dh, p, NULL, g))
+		goto err;
+#endif
+	return dh;
+err:
+	if (p)
+		BN_free(p);
+	if (g)
+		BN_free(g);
+	if (dh)
+		DH_free(dh);
+	return NULL;
 }
 #endif /* SPLINT */
 
diff --git a/doc/Changelog b/doc/Changelog
index 445fef7a9..74091e7d0 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,7 @@
+29 August 2016: Ralph
+	- Fix #777: OpenSSL 1.1.0 compatibility, patch from Sebastian A.
+	  Siewior.
+
 25 August 2016: Ralph
 	- Clarify local-zone-override entry in unbound.conf.5 
 	
diff --git a/sldns/keyraw.c b/sldns/keyraw.c
index 8d28bf40a..8b1c18f2b 100644
--- a/sldns/keyraw.c
+++ b/sldns/keyraw.c
@@ -215,6 +215,7 @@ sldns_key_buf2dsa_raw(unsigned char* key, size_t len)
 		BN_free(Y);
 		return NULL;
 	}
+#if OPENSSL_VERSION_NUMBER < 0x10100000
 #ifndef S_SPLINT_S
 	dsa->p = P;
 	dsa->q = Q;
@@ -222,6 +223,25 @@ sldns_key_buf2dsa_raw(unsigned char* key, size_t len)
 	dsa->pub_key = Y;
 #endif /* splint */
 
+#else /* OPENSSL_VERSION_NUMBER */
+	if (!DSA_set0_pqg(dsa, P, Q, G)) {
+		/* QPG not yet attached, need to free */
+		BN_free(Q);
+		BN_free(P);
+		BN_free(G);
+
+		DSA_free(dsa);
+		BN_free(Y);
+		return NULL;
+	}
+	if (!DSA_set0_key(dsa, Y, NULL)) {
+		/* QPG attached, cleaned up by DSA_fre() */
+		DSA_free(dsa);
+		BN_free(Y);
+		return NULL;
+	}
+#endif
+
 	return dsa;
 }
 
@@ -273,11 +293,21 @@ sldns_key_buf2rsa_raw(unsigned char* key, size_t len)
 		BN_free(modulus);
 		return NULL;
 	}
+#if OPENSSL_VERSION_NUMBER < 0x10100000
 #ifndef S_SPLINT_S
 	rsa->n = modulus;
 	rsa->e = exponent;
 #endif /* splint */
 
+#else /* OPENSSL_VERSION_NUMBER */
+	if (!RSA_set0_key(rsa, modulus, exponent, NULL)) {
+		BN_free(exponent);
+		BN_free(modulus);
+		RSA_free(rsa);
+		return NULL;
+	}
+#endif
+
 	return rsa;
 }
 
diff --git a/validator/val_secalgo.c b/validator/val_secalgo.c
index bd5aa90db..fb0f796fe 100644
--- a/validator/val_secalgo.c
+++ b/validator/val_secalgo.c
@@ -592,7 +592,7 @@ verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
 		log_err("EVP_MD_CTX_new: malloc failure");
 		EVP_PKEY_free(evp_key);
 		if(dofree) free(sigblock);
-		else if(docrypto_free) CRYPTO_free(sigblock);
+		else if(docrypto_free) OPENSSL_free(sigblock);
 		return sec_status_unchecked;
 	}
 	if(EVP_VerifyInit(ctx, digest_type) == 0) {
@@ -600,7 +600,7 @@ verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
 		EVP_MD_CTX_destroy(ctx);
 		EVP_PKEY_free(evp_key);
 		if(dofree) free(sigblock);
-		else if(docrypto_free) CRYPTO_free(sigblock);
+		else if(docrypto_free) OPENSSL_free(sigblock);
 		return sec_status_unchecked;
 	}
 	if(EVP_VerifyUpdate(ctx, (unsigned char*)sldns_buffer_begin(buf), 
@@ -609,7 +609,7 @@ verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
 		EVP_MD_CTX_destroy(ctx);
 		EVP_PKEY_free(evp_key);
 		if(dofree) free(sigblock);
-		else if(docrypto_free) CRYPTO_free(sigblock);
+		else if(docrypto_free) OPENSSL_free(sigblock);
 		return sec_status_unchecked;
 	}
 
@@ -623,7 +623,7 @@ verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
 	EVP_PKEY_free(evp_key);
 
 	if(dofree) free(sigblock);
-	else if(docrypto_free) CRYPTO_free(sigblock);
+	else if(docrypto_free) OPENSSL_free(sigblock);
 
 	if(res == 1) {
 		return sec_status_secure;