OpenSSL 1.1.0 support 25/4525/1
authorTzafrir Cohen <tzafrir.cohen@xorcom.com>
Tue, 28 Jun 2016 21:26:59 +0000 (23:26 +0200)
committerJoshua Colp <jcolp@digium.com>
Wed, 30 Nov 2016 13:09:21 +0000 (08:09 -0500)
OpenSSL 1.1.0 includes some major changes in the interface. See
https://wiki.openssl.org/index.php/1.1_API_Changes .

Status: Right now there are still a few deprecation notes with OpenSSL
1.1.0. But it's a start.

Changes:
* CRYPTO_LOCK is no longer available. Replace it with its value for now.
  I don't completely understand what it is used for there.
* Remove several functions from libasteriskssl that seem to no longer be
  needed.
* Structures have become opaque and are now accessed through accessor functions.
* ERR_remove_thread_state() no longer needed.
* SSLv2 code now could no longer be used in 1.1.

ASTERISK-26109 #close

Change-Id: I5e29d477d486ca29b6aae0dc2f5dff960c1cb82b

main/libasteriskssl.c
main/tcptls.c

index b3267014b8a13c037d9ae0b8e108ea5b6c3ff2f8..c4d4c56f4abaf007499443291908b539507402c2 100644 (file)
@@ -67,13 +67,14 @@ static void ssl_lock(int mode, int n, const char *file, int line)
                return;
        }
 
-       if (mode & CRYPTO_LOCK) {
+       if (mode & 0x1) {
                ast_mutex_lock(&ssl_locks[n]);
        } else {
                ast_mutex_unlock(&ssl_locks[n]);
        }
 }
 
+#if !defined(OPENSSL_API_COMPAT) || OPENSSL_API_COMPAT < 0x10100000L
 int SSL_library_init(void)
 {
 #if defined(AST_DEVMODE)
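Review bot: The new guard `#if !defined(OPENSSL_API_COMPAT) || OPENSSL_API_COMPAT < 0x10100000L` tests the API level the build asks for rather than the version of the OpenSSL headers in use, so it is probably still true on an OpenSSL 1.1.0 build where nothing sets that macro to 1.1.0 or higher. In that case these override functions are still compiled, and in tcptls_stream_close() the `#else` arm with `stream->ssl->server` is the one selected, even though the commit message says the structures are now opaque. The `__ssl_setup` hunk in this same commit already keys on `OPENSSL_VERSION_NUMBER < 0x10100000L`; using `#if OPENSSL_VERSION_NUMBER < 0x10100000L` here, at the matching `#endif` in the next hunk, and for the two guards in tcptls.c would make both files agree. Separately, `mode & 0x1` loses the meaning of the bit; a local fallback such as `#ifndef CRYPTO_LOCK` / `#define CRYPTO_LOCK 0x01` / `#endif` ahead of ssl_lock(), whose body starts outside this hunk, would keep the original condition readable.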
@@ -115,6 +116,7 @@ void ERR_free_strings(void)
 {
        /* we can't allow this to be called, ever */
 }
+#endif /* !defined(OPENSSL_API_COMPAT) || OPENSSL_API_COMPAT < 0x10100000L */
 
 #endif /* HAVE_OPENSSL */
 
index bccb03d8565ef56ce74beb19d1a524db1d57cd2f..8ca89c8bde03d3499976756612850ff1ff9f69c4 100644 (file)
@@ -398,13 +398,19 @@ static int tcptls_stream_close(void *cookie)
                                        SSL_get_error(stream->ssl, res));
                        }
 
+#if defined(OPENSSL_API_COMPAT) && OPENSSL_API_COMPAT >= 0x10100000L
+                       if (!SSL_is_server(stream->ssl)) {
+#else
                        if (!stream->ssl->server) {
+#endif
                                /* For client threads, ensure that the error stack is cleared */
+#if !defined(OPENSSL_API_COMPAT) || OPENSSL_API_COMPAT < 0x10100000L
 #if OPENSSL_VERSION_NUMBER >= 0x10000000L
                                ERR_remove_thread_state(NULL);
 #else
                                ERR_remove_state(0);
 #endif /* OPENSSL_VERSION_NUMBER >= 0x10000000L */
+#endif  /* !defined(OPENSSL_API_COMPAT) || OPENSSL_API_COMPAT < 0x10100000L */
                        }
 
                        SSL_free(stream->ssl);
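Review bot: The comment `/* For client threads, ensure that the error stack is cleared */` now sits over a block that compiles to nothing when the 1.1.0 API level is selected, leaving an empty `if` body under a comment that claims cleanup happens. The commit message states that ERR_remove_thread_state() is no longer needed, so that reasoning belongs at the site, for example `/* OpenSSL >= 1.1.0: per-thread error state needs no explicit removal */` in an `#else` arm of the new guard. tcptls_stream_close() starts and ends outside this hunk.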
@@ -813,7 +819,7 @@ static int __ssl_setup(struct ast_tls_config *cfg, int client)
        }
 
        if (client) {
-#ifndef OPENSSL_NO_SSL2
+#if !defined(OPENSSL_NO_SSL2) && (OPENSSL_VERSION_NUMBER < 0x10100000L)
                if (ast_test_flag(&cfg->flags, AST_SSL_SSLV2_CLIENT)) {
                        ast_log(LOG_WARNING, "Usage of SSLv2 is discouraged due to known vulnerabilities. Please use 'tlsv1' or leave the TLS method unspecified!\n");
                        cfg->ssl_ctx = SSL_CTX_new(SSLv2_client_method());
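Review bot: With the SSLv2 branch compiled out on OpenSSL 1.1.0, a configuration that still sets AST_SSL_SSLV2_CLIENT appears to be handled by whatever follows this `if`, with no message telling the operator that the requested method was ignored. The rest of `__ssl_setup` is outside this hunk, so this is inferred from the visible lines only. A check in the compiled-out case that logs once would make the substitution visible, e.g. `ast_log(LOG_WARNING, "SSLv2 is not available in this OpenSSL build; ignoring the SSLv2 client method request\n");`.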