INN commit: branches/2.6 (4 files)

INN Commit rra at isc.org
Mon Mar 28 17:47:40 UTC 2016


    Date: Monday, March 28, 2016 @ 10:47:40
  Author: iulius
Revision: 9988

Add support for OpenSSL 1.1.0

Modified:
  branches/2.6/doc/pod/news.pod
  branches/2.6/m4/openssl.m4
  branches/2.6/nnrpd/tls.c
  branches/2.6/nnrpd/tls.h

------------------+
 doc/pod/news.pod |    4 ++++
 m4/openssl.m4    |    5 +++--
 nnrpd/tls.c      |   14 ++++++++++++--
 nnrpd/tls.h      |    4 ++++
 4 files changed, 23 insertions(+), 4 deletions(-)

Modified: doc/pod/news.pod
===================================================================
--- doc/pod/news.pod	2016-03-28 17:47:10 UTC (rev 9987)
+++ doc/pod/news.pod	2016-03-28 17:47:40 UTC (rev 9988)
@@ -32,6 +32,10 @@
 
 =item *
 
+S<OpenSSL 1.1.0> support has been added to INN.
+
+=item *
+
 When an encryption layer is negotiated during a successful use of the
 STARTTLS command, or after a successful authentication using a SASL
 mechanism which negotiates an encryption layer, B<nnrpd> now updates

Modified: m4/openssl.m4
===================================================================
--- m4/openssl.m4	2016-03-28 17:47:10 UTC (rev 9987)
+++ m4/openssl.m4	2016-03-28 17:47:40 UTC (rev 9988)
@@ -28,6 +28,7 @@
 dnl package, available at <http://www.eyrie.org/~eagle/software/rra-c-util/>.
 dnl
 dnl Written by Russ Allbery <eagle at eyrie.org>
+dnl Copyright 2016 Russ Allbery <eagle at eyrie.org>
 dnl Copyright 2010, 2013
 dnl     The Board of Trustees of the Leland Stanford Junior University
 dnl
@@ -71,10 +72,10 @@
         [AC_MSG_ERROR([cannot find usable OpenSSL crypto library])])],
     [$inn_openssl_extra])
  AS_IF([test x"$inn_reduced_depends" = xtrue],
-    [AC_CHECK_LIB([ssl], [SSL_library_init], [OPENSSL_LIBS=-lssl],
+    [AC_CHECK_LIB([ssl], [SSL_accept], [OPENSSL_LIBS=-lssl],
         [AS_IF([test x"$1" = xtrue],
             [AC_MSG_ERROR([cannot find usable OpenSSL library])])])],
-    [AC_CHECK_LIB([ssl], [SSL_library_init],
+    [AC_CHECK_LIB([ssl], [SSL_accept],
         [OPENSSL_LIBS="-lssl $CRYPTO_LIBS"],
         [AS_IF([test x"$1" = xtrue],
             [AC_MSG_ERROR([cannot find usable OpenSSL library])])],

Modified: nnrpd/tls.c
===================================================================
--- nnrpd/tls.c	2016-03-28 17:47:10 UTC (rev 9987)
+++ nnrpd/tls.c	2016-03-28 17:47:40 UTC (rev 9988)
@@ -216,7 +216,10 @@
 	default:
 		/* We should check current keylength vs. requested keylength
 		 * also, this is an extremely expensive operation! */
-		dh = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+                dh = DH_new();
+                if (dh != NULL) {
+                    DH_generate_parameters_ex(dh, keylength, DH_GENERATOR_2, NULL);
+                }
 		r = dh;
 	}
 
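Review bot: The return value of `DH_generate_parameters_ex()` is ignored in the lines added to the `default:` case, so when generation fails `r` is set to an allocated `DH` with no parameters rather than the NULL that the removed `DH_generate_parameters()` call produced. Any caller that treats a non-NULL result as usable would then pass an empty DH object on to the TLS layer. Check the result and release the object on failure: `if (dh != NULL && DH_generate_parameters_ex(dh, keylength, DH_GENERATOR_2, NULL) != 1) { DH_free(dh); dh = NULL; }`. The enclosing function begins and ends outside this hunk, so how `r` is consumed is not visible here. The added lines are also indented with spaces while the surrounding code uses tabs.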
@@ -492,10 +495,17 @@
     if (tls_loglevel >= 2)
       Printf("starting TLS engine");
 
+/* New functions have been introduced in OpenSSL 1.1.0. */
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
     SSL_load_error_strings();
     SSLeay_add_ssl_algorithms();
+    CTX = SSL_CTX_new(SSLv23_server_method());
+#else
+    OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS
+                     | OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
+    CTX = SSL_CTX_new(TLS_server_method());
+#endif
 
-    CTX = SSL_CTX_new(SSLv23_server_method());
     if (CTX == NULL) {
       return (-1);
     };
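Review bot: The `#if OPENSSL_VERSION_NUMBER < 0x10100000L` test does not account for LibreSSL, which reports a version number of 0x20000000L and would therefore take the `#else` branch. Whether that branch builds there depends on the LibreSSL release providing `OPENSSL_init_ssl()` and `TLS_server_method()`; if LibreSSL is a supported target, use `#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)`. The result of `OPENSSL_init_ssl()` is also discarded, so an initialisation failure only shows up indirectly as `CTX == NULL`; `if (OPENSSL_init_ssl(...) != 1) return (-1);` would make it explicit. Both `SSLv23_server_method()` and `TLS_server_method()` are version-flexible, so the protocol floor still depends on options set outside this hunk and should be confirmed on both branches.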

Modified: nnrpd/tls.h
===================================================================
--- nnrpd/tls.h	2016-03-28 17:47:10 UTC (rev 9987)
+++ nnrpd/tls.h	2016-03-28 17:47:40 UTC (rev 9988)
@@ -22,8 +22,12 @@
 #ifndef TLS_H
 #define TLS_H
 
+/* Comment out to avoid the use of deprecated interfaces. */
+/* #define OPENSSL_API_COMPAT 0x10100000L */
+
 #include <openssl/lhash.h>
 #include <openssl/bn.h>
+#include <openssl/dh.h>
 #include <openssl/err.h>
 #include <openssl/pem.h>
 #include <openssl/rand.h>
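Review bot: The added comment says "Comment out to avoid the use of deprecated interfaces", but the `#define OPENSSL_API_COMPAT` line is already commented out, and it is defining the macro, not removing it, that makes the OpenSSL headers hide deprecated declarations. I would reword it to `/* Uncomment to hide the OpenSSL interfaces deprecated before 1.1.0. */`. It is also worth stating in the comment that the define has to stay above every `<openssl/...>` include to take effect, which the placement here already satisfies.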


