[asterisk-commits] OpenSSL 1.1.0 support (asterisk[master])
SVN commits to the Asterisk project
asterisk-commits at lists.digium.com
Wed Nov 30 23:26:49 CST 2016
Anonymous Coward #1000019 has submitted this change and it was merged. ( https://gerrit.asterisk.org/3102 )
Change subject: OpenSSL 1.1.0 support
......................................................................
OpenSSL 1.1.0 support
OpenSSL 1.1.0 includes some major changes in the interface. See
https://wiki.openssl.org/index.php/1.1_API_Changes .
Status: Right now there are still a few deprecation notes with OpenSSL
1.1.0. But it's a start.
Changes:
* CRYPTO_LOCK is no longer available. Replace it with its value for now.
I don't completely understand what it is used for there.
* Remove several functions from libasteriskssl that seem to no longer be
needed.
* Structures have become opaque and are accessed with accessors.
* ERR_remove_thread_state() no longer needed.
* SSLv2 code now could no longer be used in 1.1.
ASTERISK-26109 #close
Change-Id: I5e29d477d486ca29b6aae0dc2f5dff960c1cb82b
---
M main/iostream.c
M main/libasteriskssl.c
M main/tcptls.c
3 files changed, 14 insertions(+), 2 deletions(-)
Approvals:
Anonymous Coward #1000019: Verified
Joshua Colp: Looks good to me, approved
Corey Farrell: Looks good to me, but someone else must approve
diff --git a/main/iostream.c b/main/iostream.c
index 0088881..a20a048 100644
--- a/main/iostream.c
+++ b/main/iostream.c
@@ -462,9 +462,19 @@
SSL_get_error(stream->ssl, res));
}
+#if defined(OPENSSL_API_COMPAT) && OPENSSL_API_COMPAT >= 0x10100000L
+ if (!SSL_is_server(stream->ssl)) {
+#else
if (!stream->ssl->server) {
+#endif
/* For client threads, ensure that the error stack is cleared */
+#if !defined(OPENSSL_API_COMPAT) || OPENSSL_API_COMPAT < 0x10100000L
+#if OPENSSL_VERSION_NUMBER >= 0x10000000L
+ ERR_remove_thread_state(NULL);
+#else
ERR_remove_state(0);
+#endif /* OPENSSL_VERSION_NUMBER >= 0x10000000L */
+#endif /* !defined(OPENSSL_API_COMPAT) || OPENSSL_API_COMPAT < 0x10100000L */
}
SSL_free(stream->ssl);
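Review bot: The choice between SSL_is_server(stream->ssl) and stream->ssl->server at the top of this hunk is keyed on OPENSSL_API_COMPAT, but whether the struct is opaque depends on the library version being compiled against, not on the compatibility level. OPENSSL_API_COMPAT states which deprecated APIs the build asks OpenSSL to hide, so a build against 1.1.0 that leaves it unset or below 0x10100000L takes the #else branch and dereferences stream->ssl->server, which the commit message says is no longer accessible. The inner block in this same hunk and the tcptls.c change already test OPENSSL_VERSION_NUMBER; using "#if OPENSSL_VERSION_NUMBER >= 0x10100000L" for the accessor selection would make the three guards consistent. Keeping OPENSSL_API_COMPAT only around the ERR_remove_thread_state()/ERR_remove_state() calls is reasonable, since those are the deprecated functions.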
diff --git a/main/libasteriskssl.c b/main/libasteriskssl.c
index 16a1aa7..9905b15 100644
--- a/main/libasteriskssl.c
+++ b/main/libasteriskssl.c
@@ -65,13 +65,14 @@
return;
}
- if (mode & CRYPTO_LOCK) {
+ if (mode & 0x1) {
ast_mutex_lock(&ssl_locks[n]);
} else {
ast_mutex_unlock(&ssl_locks[n]);
}
}
+#if !defined(OPENSSL_API_COMPAT) || OPENSSL_API_COMPAT < 0x10100000L
int SSL_library_init(void)
{
#if defined(AST_DEVMODE)
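Review bot: Replacing CRYPTO_LOCK with the bare literal in "if (mode & 0x1)" leaves a magic number in the locking callback, and the commit message says its purpose is not fully understood. From the visible lines the bit decides between ast_mutex_lock() and ast_mutex_unlock() on ssl_locks[n], so a wrong value would invert or skip locking without any compile-time signal. Suggest keeping the symbolic name and supplying a fallback only when the header no longer defines it, for example "#ifndef CRYPTO_LOCK" / "#define CRYPTO_LOCK 0x1" / "#endif", with a comment saying the bit marks a lock request as opposed to an unlock request. The new "#if !defined(OPENSSL_API_COMPAT) || OPENSSL_API_COMPAT < 0x10100000L" opened at the end of this hunk would also benefit from a one-line comment stating what it excludes and why.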
@@ -113,6 +114,7 @@
{
/* we can't allow this to be called, ever */
}
+#endif /* !defined(OPENSSL_API_COMPAT) || OPENSSL_API_COMPAT < 0x10100000L */
#endif /* HAVE_OPENSSL */
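Review bot: The #endif added here closes a guard that compiles out the library's own overrides, including the stub commented "we can't allow this to be called, ever", and the only justification on record is the commit message's "seem to no longer be needed". Those stubs exist to stop other code from initialising or tearing down OpenSSL state behind Asterisk's back, so the patch should say, in a comment at the opening #if, why that protection is unnecessary when the guard is false. As with iostream.c, the condition tests OPENSSL_API_COMPAT rather than OPENSSL_VERSION_NUMBER; if the intent is "not needed with 1.1.0 and later", the version number is the macro that expresses it.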
diff --git a/main/tcptls.c b/main/tcptls.c
index c8ebab4..6b040ae 100644
--- a/main/tcptls.c
+++ b/main/tcptls.c
@@ -310,7 +310,7 @@
}
if (client) {
-#ifndef OPENSSL_NO_SSL2
+#if !defined(OPENSSL_NO_SSL2) && (OPENSSL_VERSION_NUMBER < 0x10100000L)
if (ast_test_flag(&cfg->flags, AST_SSL_SSLV2_CLIENT)) {
ast_log(LOG_WARNING, "Usage of SSLv2 is discouraged due to known vulnerabilities. Please use 'tlsv1' or leave the TLS method unspecified!\n");
cfg->ssl_ctx = SSL_CTX_new(SSLv2_client_method());
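Review bot: With the extended condition on the "#if !defined(OPENSSL_NO_SSL2) && (OPENSSL_VERSION_NUMBER < 0x10100000L)" line, the AST_SSL_SSLV2_CLIENT flag test is compiled out on 1.1.0 and later, so a configuration that still requests SSLv2 is ignored without any message. The existing branch already logs a LOG_WARNING when SSLv2 is selected; suggest an #else branch that tests the same flag and logs that SSLv2 is not available in this build, so the administrator learns that the setting had no effect and which method was used instead. Dropping SSLv2 itself is the right outcome given the warning text already in the code.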
--
To view, visit https://gerrit.asterisk.org/3102
To unsubscribe, visit https://gerrit.asterisk.org/settings
Gerrit-MessageType: merged
Gerrit-Change-Id: I5e29d477d486ca29b6aae0dc2f5dff960c1cb82b
Gerrit-PatchSet: 7
Gerrit-Project: asterisk
Gerrit-Branch: master
Gerrit-Owner: Tzafrir Cohen <tzafrir.cohen at xorcom.com>
Gerrit-Reviewer: Anonymous Coward #1000019
Gerrit-Reviewer: Corey Farrell <git at cfware.com>
Gerrit-Reviewer: Joshua Colp <jcolp at digium.com>
Gerrit-Reviewer: Matt Jordan <mjordan at digium.com>
Gerrit-Reviewer: Matthew Fredrickson <creslin at digium.com>
Gerrit-Reviewer: Scott Griepentrog <sgriepentrog at digium.com>
Gerrit-Reviewer: Tzafrir Cohen <tzafrir.cohen at xorcom.com>