From 8fce5023867dc70428f098709c9b5470ad0f399b Mon Sep 17 00:00:00 2001 From: eroen Date: Sat, 7 Jan 2017 17:07:36 +0100 Subject: [PATCH 4/4] Avoid openssl 1.1.0 deprecated APIs When openssl is built with `--api=1.1 disable-deprecated`, use of deprecated APIs results in build failure. - Don't call initialization functions, they are handled internally in openssl - Replace ASN1_STRING_data with const version ASN1_STRING_get0_data when available X-Gentoo-Bug: 604882 X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=604882 --- configure.ac | 1 + lib/compat/openssl_support.h | 4 ++++ lib/crypto.c | 8 +++++++- lib/tlscontext.c | 2 +- tests/loggen/loggen.c | 4 ++++ 5 files changed, 17 insertions(+), 2 deletions(-) diff --git a/configure.ac b/configure.ac index 612b3842..1dcf747f 100644 --- a/configure.ac +++ b/configure.ac @@ -806,6 +806,7 @@ AC_CHECK_DECLS([SSL_CTX_get0_param],[], [], [[#include ]]) AC_CHECK_DECLS([X509_STORE_CTX_get0_cert],[], [], [[#include ]]) AC_CHECK_DECLS([X509_get_extension_flags], [], [], [[#include ]]) AC_CHECK_DECLS([EVP_MD_CTX_reset], [], [], [[#include ]]) +AC_CHECK_DECLS([ASN1_STRING_get0_data], [], [], [[#include ]]) dnl dnl Right now, openssl is never linked statically as it is only used by the diff --git a/lib/compat/openssl_support.h b/lib/compat/openssl_support.h index 89e793ac..501f465b 100644 --- a/lib/compat/openssl_support.h +++ b/lib/compat/openssl_support.h @@ -49,5 +49,9 @@ uint32_t X509_get_extension_flags(X509 *x); #define EVP_MD_CTX_destroy(md_ctx) EVP_MD_CTX_cleanup(md_ctx) #endif +#if !HAVE_DECL_ASN1_STRING_GET0_DATA +#define ASN1_STRING_get0_data ASN1_STRING_data +#endif + #endif diff --git a/lib/crypto.c b/lib/crypto.c index e2c1224e..96151bc1 100644 --- a/lib/crypto.c +++ b/lib/crypto.c 
@@ -34,9 +34,10 @@ #include #include +static gboolean randfile_loaded; +#if OPENSSL_VERSION_NUMBER < 0x10100000L static gint ssl_lock_count; static GStaticMutex *ssl_locks; -static gboolean randfile_loaded; static void ssl_locking_callback(int mode, int type, const char *file, int line) @@ -83,6 +84,7 @@ crypto_deinit_threading(void) } g_free(ssl_locks); } +#endif void crypto_deinit(void) @@ -95,16 +97,20 @@ crypto_deinit(void) if (rnd_file[0]) RAND_write_file(rnd_file); } +#if OPENSSL_VERSION_NUMBER < 0x10100000L crypto_deinit_threading(); +#endif } static void crypto_init(void) { +#if OPENSSL_VERSION_NUMBER < 0x10100000L SSL_library_init(); SSL_load_error_strings(); OpenSSL_add_all_algorithms(); crypto_init_threading(); +#endif if (RAND_status() < 0 || getenv("RANDFILE")) { diff --git a/lib/tlscontext.c b/lib/tlscontext.c index 9670d02f..31d04011 100644 --- a/lib/tlscontext.c +++ b/lib/tlscontext.c @@ -559,7 +559,7 @@ tls_verify_certificate_name(X509 *cert, const gchar *host_name) gen_name = sk_GENERAL_NAME_value(alt_names, i); if (gen_name->type == GEN_DNS) { - guchar *dnsname = ASN1_STRING_data(gen_name->d.dNSName); + const guchar *dnsname = ASN1_STRING_get0_data(gen_name->d.dNSName); guint dnsname_len = ASN1_STRING_length(gen_name->d.dNSName); if (dnsname_len > sizeof(pattern_buf) - 1) diff --git a/tests/loggen/loggen.c b/tests/loggen/loggen.c index eca2d470..8cd97947 100644 --- a/tests/loggen/loggen.c +++ b/tests/loggen/loggen.c @@ -530,7 +530,9 @@ gen_messages_ssl(int sock, int id, FILE *readfrom) SSL *ssl; /* Initialize SSL library */ +#if OPENSSL_VERSION_NUMBER < 0x10100000L OpenSSL_add_ssl_algorithms(); +#endif if (NULL == (ctx = SSL_CTX_new(SSLv23_client_method()))) return 1; 
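Review bot: The `#if OPENSSL_VERSION_NUMBER < 0x10100000L` guards added around the locking callbacks, the `crypto_deinit_threading()` call and the `SSL_library_init()` group in `crypto_init()` test the version number only, and LibreSSL reports `OPENSSL_VERSION_NUMBER` as `0x20000000L`. A LibreSSL build would therefore take the new path and skip both library initialization and installation of the lock callbacks. If LibreSSL is a supported target, releases of it without the 1.1.0-style automatic initialization could then run TLS from several threads with no locking in place. Consider `#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)`, ideally defined once as a macro in `lib/compat/openssl_support.h`; the same bare guard is repeated in both `tests/loggen/loggen.c` hunks. The bodies of the guarded functions lie outside these hunks.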
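Review bot: `dnsname` and `dnsname_len` in the `GEN_DNS` branch come straight from the peer certificate, and the only check visible in this hunk is the upper bound against `sizeof(pattern_buf) - 1`; nothing here rejects a dNSName containing an embedded NUL byte. The rest of `tls_verify_certificate_name` is outside the hunk, so this is unconfirmed, but if the bytes are copied into `pattern_buf` and matched as a C string, the comparison would stop at the first NUL and the name checked would differ from the name in the certificate. A guard such as `if (memchr(dnsname, '\0', dnsname_len) != NULL)` that treats the entry as a non-match, placed next to the length check, would close that gap. I would also add the comment `/* points into the certificate, owned by OpenSSL: do not modify or free */` above the `const guchar *dnsname` line.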
@@ -538,8 +540,10 @@ gen_messages_ssl(int sock, int id, FILE *readfrom) if (NULL == (ssl = SSL_new(ctx))) return 1; +#if OPENSSL_VERSION_NUMBER < 0x10100000L SSL_load_error_strings(); ERR_load_crypto_strings(); +#endif SSL_set_fd (ssl, sock); if (-1 == (err = SSL_connect(ssl))) -- 2.11.0