[Asterisk-code-review] OpenSSL 1.1.0 support (asterisk[master])

Tzafrir Cohen asteriskteam at digium.com
Tue Jun 28 16:50:12 CDT 2016


Tzafrir Cohen has uploaded a new change for review.

  https://gerrit.asterisk.org/3102

Change subject: OpenSSL 1.1.0 support
......................................................................

OpenSSL 1.1.0 support

OpenSSL 1.1.0 includes some major changes in the interface. See
https://wiki.openssl.org/index.php/1.1_API_Changes .

Status: Right now it fails to build with openssl 1.0 for a reason I fail to
understand. But it's a start.

Changes:
* CRYPTO_LOCK is no longer available. Replace it with its value for now.
  I don't completely understand what it is used for there.
* Remove several functions from libasteriskssl that seem to no longer be
  needed.
* Structures have become opaque and are accessed with accessors.
* ERR_remove_thread_state() no longer needed.
* SSLv2 code now could no longer be used. Do we need it?

Change-Id: I5e29d477d486ca29b6aae0dc2f5dff960c1cb82b
---
M main/libasteriskssl.c
M main/tcptls.c
2 files changed, 8 insertions(+), 4 deletions(-)


  git pull ssh://gerrit.asterisk.org:29418/asterisk refs/changes/02/3102/1

diff --git a/main/libasteriskssl.c b/main/libasteriskssl.c
index 7603465..cd988ec 100644
--- a/main/libasteriskssl.c
+++ b/main/libasteriskssl.c
@@ -67,13 +67,14 @@
 		return;
 	}
 
-	if (mode & CRYPTO_LOCK) {
+	if (mode & 0x1) {
 		ast_mutex_lock(&ssl_locks[n]);
 	} else {
 		ast_mutex_unlock(&ssl_locks[n]);
 	}
 }
 
+#if OPENSSL_API_COMPAT < 0x10100000L
 int SSL_library_init(void)
 {
 #if defined(AST_DEVMODE)
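Review bot: The literal 0x1 in "if (mode & 0x1)" hides what the bit means and depends on CRYPTO_LOCK having had that value. Keep the name, for example with a fallback "#ifndef CRYPTO_LOCK" / "#define CRYPTO_LOCK 1" near the top of the file, or compile the whole locking callback only on the OpenSSL versions that still call it. The new "#if OPENSSL_API_COMPAT < 0x10100000L" guard also needs a second look: an identifier that is not defined evaluates to 0 in #if, so the condition is true whenever neither the headers nor the build flags define OPENSSL_API_COMPAT, and the wrappers are then still compiled. The last tcptls.c hunk tests OPENSSL_VERSION_NUMBER instead; pick one test and use it throughout.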
@@ -90,8 +91,8 @@
 	if (startup_complete) {
 		ast_debug(1, "Called after startup... ignoring!\n");
 	}
-#endif
 }
+#endif
 
 void CRYPTO_set_id_callback(unsigned long (*func)(void))
 {
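Review bot: Moving the #endif from above the closing brace to below it changes which lines are conditional: the brace that ends this function now sits inside whatever #if the removed #endif used to close. If that is an "#if defined(AST_DEVMODE)" block like the one opened at the end of the previous hunk, a build without AST_DEVMODE loses the closing brace and the following function definitions land inside an unterminated body, which would explain the build failure mentioned in the commit message. Leave this #endif where it was and close the new version guard with its own #endif after the function.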
@@ -115,6 +116,7 @@
 {
 	/* we can't allow this to be called, ever */
 }
+#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
 
 #endif /* HAVE_OPENSSL */
 
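Review bot: The comment on the added #endif names OPENSSL_VERSION_NUMBER, but the guard opened in the first hunk tests OPENSSL_API_COMPAT, so the comment does not match the condition it closes. Make the two agree, and check the pairing across all three hunks of this file: one #if and one #endif are added and one #endif is moved, so it is easy to end up with a guard that covers a different set of functions than intended.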
diff --git a/main/tcptls.c b/main/tcptls.c
index 046501b..6476a5b 100644
--- a/main/tcptls.c
+++ b/main/tcptls.c
@@ -397,13 +397,15 @@
 					SSL_get_error(stream->ssl, res));
 			}
 
-			if (!stream->ssl->server) {
+			if (!SSL_is_server(stream->ssl)) {
 				/* For client threads, ensure that the error stack is cleared */
+#if OPENSSL_API_COMPAT < 0x10100000L
 #if OPENSSL_VERSION_NUMBER >= 0x10000000L
 				ERR_remove_thread_state(NULL);
 #else
 				ERR_remove_state(0);
 #endif	/* OPENSSL_VERSION_NUMBER >= 0x10000000L */
+#endif  /* OPENSSL_API_COMPAT < 0x10100000L */
 			}
 
 			SSL_free(stream->ssl);
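Review bot: The call to SSL_is_server() at the top of this hunk is unconditional, while the version checks kept just below it (ERR_remove_state() as the fallback when OPENSSL_VERSION_NUMBER is below 0x10000000L) show that this file is still expected to build against old OpenSSL releases. Put the accessor behind a version test with the old stream->ssl->server access as the fallback, or state the new minimum OpenSSL version and drop the dead branches. Also note that the added OPENSSL_API_COMPAT guard is true whenever that macro is undefined, so the error-stack cleanup is only skipped when the build defines it.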
@@ -830,7 +832,7 @@
 	}
 
 	if (client) {
-#ifndef OPENSSL_NO_SSL2
+#if !defined(OPENSSL_NO_SSL2) && (OPENSSL_VERSION_NUMBER < 0x10100000L)
 		if (ast_test_flag(&cfg->flags, AST_SSL_SSLV2_CLIENT)) {
 			ast_log(LOG_WARNING, "Usage of SSLv2 is discouraged due to known vulnerabilities. Please use 'tlsv1' or leave the TLS method unspecified!\n");
 			cfg->ssl_ctx = SSL_CTX_new(SSLv2_client_method());
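Review bot: With the extra version condition on the #if, the AST_SSL_SSLV2_CLIENT flag is no longer examined at this point on OpenSSL 1.1.0 builds, so a configuration that asks for SSLv2 gets no message from this block. Add a branch for that case that logs that SSLv2 is unavailable in this build, so the operator sees that the setting was ignored. This hunk tests OPENSSL_VERSION_NUMBER while the other added guards test OPENSSL_API_COMPAT; use the same test everywhere.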

-- 
To view, visit https://gerrit.asterisk.org/3102

Gerrit-MessageType: newchange
Gerrit-Change-Id: I5e29d477d486ca29b6aae0dc2f5dff960c1cb82b
Gerrit-PatchSet: 1
Gerrit-Project: asterisk
Gerrit-Branch: master
Gerrit-Owner: Tzafrir Cohen <tzafrir.cohen at xorcom.com>


