INN commit: branches/2.6 (4 files)
INN Commit
rra at isc.org
Mon Mar 28 17:47:40 UTC 2016
Date: Monday, March 28, 2016 @ 10:47:40
Author: iulius
Revision: 9988
Add support for OpenSSL 1.1.0
Modified:
branches/2.6/doc/pod/news.pod
branches/2.6/m4/openssl.m4
branches/2.6/nnrpd/tls.c
branches/2.6/nnrpd/tls.h
------------------+
doc/pod/news.pod | 4 ++++
m4/openssl.m4 | 5 +++--
nnrpd/tls.c | 14 ++++++++++++--
nnrpd/tls.h | 4 ++++
4 files changed, 23 insertions(+), 4 deletions(-)
Modified: doc/pod/news.pod
===================================================================
--- doc/pod/news.pod 2016-03-28 17:47:10 UTC (rev 9987)
+++ doc/pod/news.pod 2016-03-28 17:47:40 UTC (rev 9988)
@@ -32,6 +32,10 @@
=item *
+S<OpenSSL 1.1.0> support has been added to INN.
+
+=item *
+
When an encryption layer is negotiated during a successful use of the
STARTTLS command, or after a successful authentication using a SASL
mechanism which negotiates an encryption layer, B<nnrpd> now updates
Modified: m4/openssl.m4
===================================================================
--- m4/openssl.m4 2016-03-28 17:47:10 UTC (rev 9987)
+++ m4/openssl.m4 2016-03-28 17:47:40 UTC (rev 9988)
@@ -28,6 +28,7 @@
dnl package, available at <http://www.eyrie.org/~eagle/software/rra-c-util/>.
dnl
dnl Written by Russ Allbery <eagle at eyrie.org>
+dnl Copyright 2016 Russ Allbery <eagle at eyrie.org>
dnl Copyright 2010, 2013
dnl The Board of Trustees of the Leland Stanford Junior University
dnl
@@ -71,10 +72,10 @@
[AC_MSG_ERROR([cannot find usable OpenSSL crypto library])])],
[$inn_openssl_extra])
AS_IF([test x"$inn_reduced_depends" = xtrue],
- [AC_CHECK_LIB([ssl], [SSL_library_init], [OPENSSL_LIBS=-lssl],
+ [AC_CHECK_LIB([ssl], [SSL_accept], [OPENSSL_LIBS=-lssl],
[AS_IF([test x"$1" = xtrue],
[AC_MSG_ERROR([cannot find usable OpenSSL library])])])],
- [AC_CHECK_LIB([ssl], [SSL_library_init],
+ [AC_CHECK_LIB([ssl], [SSL_accept],
[OPENSSL_LIBS="-lssl $CRYPTO_LIBS"],
[AS_IF([test x"$1" = xtrue],
[AC_MSG_ERROR([cannot find usable OpenSSL library])])],
Modified: nnrpd/tls.c
===================================================================
--- nnrpd/tls.c 2016-03-28 17:47:10 UTC (rev 9987)
+++ nnrpd/tls.c 2016-03-28 17:47:40 UTC (rev 9988)
@@ -216,7 +216,10 @@
default:
/* We should check current keylength vs. requested keylength
* also, this is an extremely expensive operation! */
- dh = DH_generate_parameters(keylength, DH_GENERATOR_2, NULL, NULL);
+ dh = DH_new();
+ if (dh != NULL) {
+ DH_generate_parameters_ex(dh, keylength, DH_GENERATOR_2, NULL);
+ }
r = dh;
}
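Review bot: The return value of `DH_generate_parameters_ex()` in the `default:` branch is ignored, so on a generation failure `r` becomes a `DH` object with no parameters rather than NULL, which is what the removed `DH_generate_parameters()` call returned on failure. Checking the result keeps the old contract and frees the unused object: `if (dh != NULL && !DH_generate_parameters_ex(dh, keylength, DH_GENERATOR_2, NULL)) { DH_free(dh); dh = NULL; }`. The enclosing function starts and ends outside the hunk, so how callers handle a NULL `r` is not visible here.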
@@ -492,10 +495,17 @@
if (tls_loglevel >= 2)
Printf("starting TLS engine");
+/* New functions have been introduced in OpenSSL 1.1.0. */
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
SSL_load_error_strings();
SSLeay_add_ssl_algorithms();
+ CTX = SSL_CTX_new(SSLv23_server_method());
+#else
+ OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS
+ | OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
+ CTX = SSL_CTX_new(TLS_server_method());
+#endif
- CTX = SSL_CTX_new(SSLv23_server_method());
if (CTX == NULL) {
return (-1);
};
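Review bot: The `#else` branch discards the result of `OPENSSL_init_ssl()`, which returns 0 on failure, so a failed library initialisation only shows up indirectly if `SSL_CTX_new()` later fails. Making it explicit is one statement: `if (!OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS | OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL)) return (-1);`. Separately, `SSLv23_server_method()` and `TLS_server_method()` both negotiate any protocol version the library was built with, and the hunk does not show whether the rest of the function restricts that through `SSL_CTX_set_options()`. If it does not, the 1.1.0 branch could set a floor with `SSL_CTX_set_min_proto_version()`. The function body continues outside the hunk.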
Modified: nnrpd/tls.h
===================================================================
--- nnrpd/tls.h 2016-03-28 17:47:10 UTC (rev 9987)
+++ nnrpd/tls.h 2016-03-28 17:47:40 UTC (rev 9988)
@@ -22,8 +22,12 @@
#ifndef TLS_H
#define TLS_H
+/* Comment out to avoid the use of deprecated interfaces. */
+/* #define OPENSSL_API_COMPAT 0x10100000L */
+
#include <openssl/lhash.h>
#include <openssl/bn.h>
+#include <openssl/dh.h>
#include <openssl/err.h>
#include <openssl/pem.h>
#include <openssl/rand.h>
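Review bot: The comment above the `OPENSSL_API_COMPAT` line says "Comment out", but the define is already commented out, and it is enabling it that makes the OpenSSL headers hide deprecated interfaces. The wording should say so, for example `/* Uncomment to have OpenSSL hide the interfaces deprecated as of 1.1.0. */`. It would also help to state in that comment that the define must stay above every `<openssl/...>` include to have any effect, since the ordering in this header is what makes it work.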