From 349a8e9b4145fbb766e77c1bc881f067220d6577 Mon Sep 17 00:00:00 2001
From: eroen <nmap@occam.eroen.eu>
Date: Thu, 5 Jan 2017 02:47:57 +0100
Subject: [PATCH] Support openssl 1.1.0 without compatibility mode

Currently, the built fails if openssl 1.1.0 is built with --api=1.1. These
changes remedy that.

- Don't use deprecated initialization functions
- Replace X509_get_notBefore and X509_get_notAfter with variants returning
  const objects
- Include a few missing openssl headers

X-Gentoo-Bug: 592490
X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=592490
---
 ncat/ncat_ssl.c           | 32 ++++++++++++++++++++++++++++++++
 ncat/test/test-wildcard.c | 33 +++++++++++++++++++++++++++++++++
 nse_openssl.cc            |  3 ++-
 nse_ssl_cert.cc           |  8 ++++++--
 nsock/src/nsock_ssl.c     |  7 +++++++
 5 files changed, 80 insertions(+), 3 deletions(-)

diff --git a/ncat/ncat_ssl.c b/ncat/ncat_ssl.c
index 87ee0fef..f6e565df 100644
--- a/ncat/ncat_ssl.c
+++ b/ncat/ncat_ssl.c
@@ -173,10 +173,19 @@ SSL_CTX *setup_ssl_listen(void)
     if (sslctx)
         goto done;
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
     SSL_library_init();
     OpenSSL_add_all_algorithms();
     ERR_load_crypto_strings();
     SSL_load_error_strings();
+#else
+  /* This is now deprecated in OpenSSL 1.1.0 _ No explicit initialisation
+    or de-initialisation is necessary */
+    // SSL_library_init();
+    // OpenSSL_add_all_algorithms();
+    // ERR_load_crypto_strings();
+    // SSL_load_error_strings();
+#endif
 
     /* RAND_status initializes the random number generator through a variety of
        platform-dependent methods, then returns 1 if there is enough entropy or
@@ -585,12 +594,35 @@ static int ssl_gen_cert(X509 **cert, EVP_PKEY **key)
     if (X509_add_ext(*cert, ext, -1) == 0)
         goto err;
 
+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined LIBRESSL_VERSION_NUMBER
+    {
+        ASN1_TIME *tb, *ta;
+        tb = NULL;
+        ta = NULL;
+
+        if (X509_set_issuer_name(*cert, X509_get_subject_name(*cert)) == 0
+            || (tb = ASN1_STRING_dup(X509_get0_notBefore(*cert))) == 0
+            || X509_gmtime_adj(tb, 0) == 0
+            || X509_set1_notBefore(*cert, tb) == 0
+            || (ta = ASN1_STRING_dup(X509_get0_notAfter(*cert))) == 0
+            || X509_gmtime_adj(ta, 60) == 0
+            || X509_set1_notAfter(*cert, ta) == 0
+            || X509_set_pubkey(*cert, *key) == 0) {
+            ASN1_STRING_free(tb);
+            ASN1_STRING_free(ta);
+            goto err;
+        }
+        ASN1_STRING_free(tb);
+        ASN1_STRING_free(ta);
+    }
+#else
     if (X509_set_issuer_name(*cert, X509_get_subject_name(*cert)) == 0
         || X509_gmtime_adj(X509_get_notBefore(*cert), 0) == 0
         || X509_gmtime_adj(X509_get_notAfter(*cert), DEFAULT_CERT_DURATION) == 0
         || X509_set_pubkey(*cert, *key) == 0) {
         goto err;
     }
+#endif
 
     /* Sign it. */
     if (X509_sign(*cert, *key, EVP_sha1()) == 0)
diff --git a/ncat/test/test-wildcard.c b/ncat/test/test-wildcard.c
index 25157ec2..f5d291ca 100644
--- a/ncat/test/test-wildcard.c
+++ b/ncat/test/test-wildcard.c
@@ -12,8 +12,10 @@ are rejected. The SSL transactions happen over OpenSSL BIO pairs.
 #include <unistd.h>
 
 #include <openssl/bio.h>
+#include <openssl/bn.h>
 #include <openssl/ssl.h>
 #include <openssl/err.h>
+#include <openssl/rsa.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 
@@ -347,12 +349,35 @@ static int gen_cert(X509 **cert, EVP_PKEY **key,
     if (set_dNSNames(*cert, dNSNames) == 0)
         goto err;
 
+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined LIBRESSL_VERSION_NUMBER
+    {
+        ASN1_TIME *tb, *ta;
+        tb = NULL;
+        ta = NULL;
+
+        if (X509_set_issuer_name(*cert, X509_get_subject_name(*cert)) == 0
+            || (tb = ASN1_STRING_dup(X509_get0_notBefore(*cert))) == 0
+            || X509_gmtime_adj(tb, 0) == 0
+            || X509_set1_notBefore(*cert, tb) == 0
+            || (ta = ASN1_STRING_dup(X509_get0_notAfter(*cert))) == 0
+            || X509_gmtime_adj(ta, 60) == 0
+            || X509_set1_notAfter(*cert, ta) == 0
+            || X509_set_pubkey(*cert, *key) == 0) {
+            ASN1_STRING_free(tb);
+            ASN1_STRING_free(ta);
+            goto err;
+        }
+        ASN1_STRING_free(tb);
+        ASN1_STRING_free(ta);
+    }
+#else
     if (X509_set_issuer_name(*cert, X509_get_subject_name(*cert)) == 0
         || X509_gmtime_adj(X509_get_notBefore(*cert), 0) == 0
         || X509_gmtime_adj(X509_get_notAfter(*cert), 60) == 0
         || X509_set_pubkey(*cert, *key) == 0) {
         goto err;
     }
+#endif
 
     /* Sign it. */
     if (X509_sign(*cert, *key, EVP_sha1()) == 0)
@@ -556,9 +581,17 @@ int main(void)
 {
     unsigned int i;
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
     SSL_library_init();
     ERR_load_crypto_strings();
     SSL_load_error_strings();
+#else
+  /* This is now deprecated in OpenSSL 1.1.0 _ No explicit initialisation
+    or de-initialisation is necessary */
+    // SSL_library_init();
+    // ERR_load_crypto_strings();
+    // SSL_load_error_strings();
+#endif
 
     /* Test single pattens in both the commonName and dNSName positions. */
     for (i = 0; i < NELEMS(single_tests); i++)
diff --git a/nse_openssl.cc b/nse_openssl.cc
index f529a262..7f75a171 100644
--- a/nse_openssl.cc
+++ b/nse_openssl.cc
@@ -602,12 +602,13 @@ static const struct luaL_Reg openssllib[] = {
 
 LUALIB_API int luaopen_openssl(lua_State *L) {
 
-  OpenSSL_add_all_algorithms();
 #if OPENSSL_VERSION_NUMBER < 0x10100000L
+  OpenSSL_add_all_algorithms();
   ERR_load_crypto_strings();
 #else
   /* This is now deprecated in OpenSSL 1.1.0 _ No explicit initialisation
     or de-initialisation is necessary */
+  // OpenSSL_add_all_algorithms();
   // ERR_load_crypto_strings();
 #endif
 
diff --git a/nse_ssl_cert.cc b/nse_ssl_cert.cc
index c691ddbb..61f8d236 100644
--- a/nse_ssl_cert.cc
+++ b/nse_ssl_cert.cc
@@ -142,6 +142,7 @@
 #include <openssl/bn.h>
 #include <openssl/bio.h>
 #include <openssl/pem.h>
+#include <openssl/rsa.h>
 #include <openssl/ssl.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
@@ -152,6 +153,9 @@
 /* Technically some of these things were added in 0x10100006
  * but that was pre-release. */
 #define HAVE_OPAQUE_STRUCTS 1
+#else
+#define X509_get0_notBefore X509_get_notBefore
+#define X509_get0_notAfter X509_get_notAfter
 #endif
 
 
@@ -457,9 +461,9 @@ static void x509_validity_to_table(lua_State *L, X509 *cert)
 {
   lua_newtable(L);
 
-  asn1_time_to_obj(L, X509_get_notBefore(cert));
+  asn1_time_to_obj(L, X509_get0_notBefore(cert));
   lua_setfield(L, -2, "notBefore");
-  asn1_time_to_obj(L, X509_get_notAfter(cert));
+  asn1_time_to_obj(L, X509_get0_notAfter(cert));
   lua_setfield(L, -2, "notAfter");
 }
 
diff --git a/nsock/src/nsock_ssl.c b/nsock/src/nsock_ssl.c
index 537087ca..ba5ff6c4 100644
--- a/nsock/src/nsock_ssl.c
+++ b/nsock/src/nsock_ssl.c
@@ -84,8 +84,15 @@ extern struct timeval nsock_tod;
 static SSL_CTX *ssl_init_common() {
   SSL_CTX *ctx;
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
   SSL_load_error_strings();
   SSL_library_init();
+#else
+  /* This is now deprecated in OpenSSL 1.1.0 _ No explicit initialisation
+    or de-initialisation is necessary */
+  // SSL_load_error_strings();
+  // SSL_library_init();
+#endif
 
   ctx = SSL_CTX_new(SSLv23_client_method());
   if (!ctx) {
-- 
2.11.0