Re: PATCH: partially fix build if OpenSSL is built with no-deprecated option

2019-12-20 Thread Rosen Penev
On Fri, Dec 20, 2019 at 10:54 AM Илья Шипицин  wrote:
>
>
>
>> Fri, 20 Dec 2019 at 22:39, Lukas Tribus :
>>
>> Hello Ilya,
>>
>>
>>
>> sorry about the delay ...
>>
>>
>> On Wed, 27 Nov 2019 at 07:11, Илья Шипицин  wrote:
>> >
>> > -#if (HA_OPENSSL_VERSION_NUMBER >= 0x101fL)
>> > +#if (HA_OPENSSL_VERSION_NUMBER >= 0x101fL) || 
>> > defined(OPENSSL_NO_DEPRECATED)
>> > [...]
>> > -#if defined(USE_THREAD) && (HA_OPENSSL_VERSION_NUMBER < 0x1010L)
>> > +#if defined(USE_THREAD) && (HA_OPENSSL_VERSION_NUMBER < 0x1010L) && 
>> > !defined(OPENSSL_NO_DEPRECATED)
no idea what patch this is, but OPENSSL_NO_DEPRECATED should not be
used anywhere. Always use OPENSSL_API_COMPAT.
>> > [...]
>> > -#if defined(USE_THREAD) && (HA_OPENSSL_VERSION_NUMBER < 0x1010L)
>> > +#if defined(USE_THREAD) && (HA_OPENSSL_VERSION_NUMBER < 0x1010L) && 
>> > !defined(OPENSSL_NO_DEPRECATED)
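Review bot: the added `&& !defined(OPENSSL_NO_DEPRECATED)` on the `HA_OPENSSL_VERSION_NUMBER < 0x1010L` locking guard switches the thread locking callbacks off for any pre-1.1.0 OpenSSL that happens to be configured with no-deprecated, yet on 1.0.x the CRYPTO locking callbacks are not deprecated and are still required for thread safety, so such a build would run multi-threaded without locks. The version comparison already expresses the real condition; drop the OPENSSL_NO_DEPRECATED clause from this hunk, and if a "no deprecated API" signal is needed somewhere, key it on OPENSSL_API_COMPAT rather than OPENSSL_NO_DEPRECATED.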
>> > [...]
>>
>> I'm confused. This is not required in my environment for the build to
>> succeed and I don't see any reason why HA_OPENSSL_VERSION_NUMBER would
>> be smaller here? Can you elaborate why the HA_OPENSSL_VERSION_NUMBER
>> comparison would fail to do its job in those comparisons?
>
>
> what is the lowest openssl we support?
>
> those callbacks are required if threads are used for non-deprecated builds 
> and for early openssl versions like 1.0.0
>>
>>
>> The X509_getm_ issue has been fixed by Rosen's patch [1], which is
>> committed and backported.
>>
>> SSL_CTX_set_ecdh_auto issue is fixed by your patch (additional guard
>> in ssl_sock.c) or by removing the existing guards and defining the
>> same compatibility macro openssl uses [2] (as per the input from Willy
>> and Emmanuel):
>>
>> #ifndef SSL_CTX_set_ecdh_auto
>> #define SSL_CTX_set_ecdh_auto(dummy, onoff)  ((onoff) != 0)
>> #endif
>>
>> I'd prefer the latter, which is what OpenSSL uses (when not using
>> no-deprecated) and does not pollute the ssl_sock.c.
>
>
> that's just perfect
>
>>
>>
>> Everything builds just fine after that for me (both master and 2.0),
>> without any warnings. I also tried with threading disabled
>> (USE_THREAD=).
>>
>> I will be sending the single SSL_CTX_set_ecdh_auto() fix shortly. Let
>> me know what you think and if you believe something is missing for
>> no-deprecated compatibility.
>>
>>
>> FYI: to avoid rebuilding openssl each time with and without
>> no-deprecate option, the same can be achieved when building haproxy by
>> adding DEFINE="-DOPENSSL_API_COMPAT=0x1010L
>> -DOPENSSL_NO_DEPRECATED" to the make command (maybe this can be useful
>> in CI - I don't know anything about that).
>
>
> yep, I'll have a look at that and will send patch for CI
>
>>
>>
>> Once we agree on a fix and commit it, we should definitely add a CI
>> build testing this (with openssl 1.1.1). I disagree with testing the build
>> against openssl master, because the API may continually change during
>> development (I mentioned this point in another conversation but I
>> don't recall whether it was on ML or GH).
>>
>>
>>
>> thanks,
>> lukas
>>
>>
>> [1] 
>> https://github.com/haproxy/haproxy/commit/b3814c2ca8a8c28a890f8f50e0a35d5247222a12
>> [2] 
>> https://github.com/openssl/openssl/blob/bf4006a6f9be691ba6eef0e8629e63369a033ccf/include/openssl/ssl.h#L1480



[PATCHv3] openssl-compat: Fix getm_ defines

2019-12-19 Thread Rosen Penev
LIBRESSL_VERSION_NUMBER evaluates to 0 under OpenSSL, making the condition
always true. Check for the define before checking it.

Signed-off-by: Rosen Penev 
---
 v3: Added BoringSSL support
 v2: Switched to HA_OPENSSL_VERSION_NUMBER as it's cleaner.
 include/common/openssl-compat.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/include/common/openssl-compat.h b/include/common/openssl-compat.h
index 25102fbe3..31971bd9e 100644
--- a/include/common/openssl-compat.h
+++ b/include/common/openssl-compat.h
@@ -278,7 +278,8 @@ static inline void EVP_PKEY_up_ref(EVP_PKEY *pkey)
 #define TLSEXT_signature_ecdsa  3
 #endif
 
-#if (OPENSSL_VERSION_NUMBER < 0x1010L) || (LIBRESSL_VERSION_NUMBER < 
0x2070L)
+#if ((HA_OPENSSL_VERSION_NUMBER < 0x101fL) && (LIBRESSL_VERSION_NUMBER < 
0x207fL)) ||\
+   defined(OPENSSL_IS_BORINGSSL)
 #define X509_getm_notBefore X509_get_notBefore
 #define X509_getm_notAfter  X509_get_notAfter
 #endif
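Review bot: the commit message still says "Check for the define before checking it", but since v2 the condition no longer uses `defined(LIBRESSL_VERSION_NUMBER)`; it relies on an undefined identifier evaluating to 0 in `#if` and on `&&` so that, under OpenSSL, `(0 < 0x207fL)` is always true and the `HA_OPENSSL_VERSION_NUMBER` operand alone decides. Please update the message to say that, and put a one-line comment above the `#if` stating that the `&&` is deliberate and that under LibreSSL both operands must hold (which depends on HA_OPENSSL_VERSION_NUMBER's mapping for LibreSSL staying below 0x101fL), otherwise the next reader building with -Wundef will "fix" it back to `||`. The new `|| defined(OPENSSL_IS_BORINGSSL)` clause for BoringSSL is also absent from the commit message.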
-- 
2.23.0




Re: [PATCH] openssl-compat: Fix getm_ defines

2019-12-17 Thread Rosen Penev
On Tue, Dec 17, 2019 at 11:34 AM Lukas Tribus  wrote:
>
> Hello,
>
> On Mon, 16 Dec 2019 at 20:53, Rosen Penev  wrote:
> > > Any reason why would not just #ifndef X509_getm_notBefore, testing for
> > > what we actually want instead of those backbreaking version
> > > assumptions?
> > X509_getm_notBefore is a function, not a define.
>
> A function which needs to be defined somewhere:
> https://github.com/openssl/openssl/blob/25d7cd1d69e5d5df9c9f346922a48797baca03b7/include/openssl/x509.h#L658
>
> We do exactly the same with X509_get_X509_PUBKEY:
> https://github.com/haproxy/haproxy/blob/e9a100e982cd1fac201e6e2862cc666887e202e9/include/common/openssl-compat.h#L101
>
>
> We do need this code path for boringssl. We previously entered it when
> boringssl was used (without being aware of it, because of the very
> issue we are trying to fix here), so the build was fine. But if we fix
> the issue we have to take care of boringssl also.
>
>
> That's why I'm suggesting:
>
> #ifndef X509_getm_notBefore
> #define X509_getm_notBefore X509_get_notBefore
> #define X509_getm_notAfter  X509_get_notAfter
> #endif
>
>
> Am I missing something?
Yes you are. A macro is not the same as a declaration.

Just to be sure I tried your change and it failed.

That's twice I've had to explain basic C...
>
>
> cheers,
> lukas



Re: [PATCH] openssl-compat: Fix getm_ defines

2019-12-16 Thread Rosen Penev
On Mon, Dec 16, 2019 at 10:21 AM Илья Шипицин  wrote:
>
>
>
> Mon, 16 Dec 2019 at 22:40, Rosen Penev :
>>
>> On Mon, Dec 16, 2019 at 4:49 AM Lukas Tribus  wrote:
>> >
>> > Hello Rosen,
>> >
>> > > Mon, 16 Dec 2019 at 12:07, Rosen Penev :
>> > >>
>> > >> LIBRESSL_VERSION_NUMBER evaluates to 0 under OpenSSL, making the 
>> > >> condition
>> > >> always true. Check for the define before checking it.
>> >
>> > I cannot find this in the openssl sources, not in master and not in
>> > the 1.1.1 branch. Please clarify where this is defined.
>> Compile with -Wundef. Missing macros evaluate to 0.
>
>
> I checked the haproxy source, it does not use such a compiler flag. Any reason for 
> introducing it?
>
> if we want to make it a first class citizen, maybe we should add it to the proper 
> Makefile? or to our CI?
>
> assuming "undefined macros may ACCIDENTALLY become equal to 0" scares me
You serious? This is basic C. Undefined macros always evaluate to 0.

-Wundef only warns about it.
>
>>
>> >
>> > The SSL compatibility layer is already complex enough and needs
>> > continuous adjustments, we need to understand the reason for changes
>> > very well. Fast fixes are continually coming back to haunt us.
>> >
>> >
>> > On Mon, 16 Dec 2019 at 08:19, Илья Шипицин  wrote:
>> > > please have a look at https://github.com/haproxy/haproxy/issues/367 (it 
>> > > still misses the getm part, I tried things like you sent, but reg-tests 
>> > > fail. do you have travis-ci passing?)
>> > > also, there's a patch already sent, Lukas Tribus promised to review it
>> >
>> > Yeah, this one fell through the cracks. Give me a few days to catch up.
>> >
>> > Thanks,
>> > Lukas



Re: [PATCH] openssl-compat: Fix getm_ defines

2019-12-16 Thread Rosen Penev
On Mon, Dec 16, 2019 at 10:09 AM Lukas Tribus  wrote:
>
> On Mon, 16 Dec 2019 at 19:00, Илья Шипицин  wrote:
> >
> >
> >
> > Mon, 16 Dec 2019 at 22:42, Rosen Penev :
> >>
> >> LIBRESSL_VERSION_NUMBER evaluates to 0 under OpenSSL, making the condition
> >> always true. Check for the define before checking it.
> >>
> >> Signed-off-by: Rosen Penev 
> >> ---
> >>  include/common/openssl-compat.h | 2 +-
> >>  1 file changed, 1 insertion(+), 1 deletion(-)
> >>
> >> diff --git a/include/common/openssl-compat.h 
> >> b/include/common/openssl-compat.h
> >> index 25102fbe3..c5029d133 100644
> >> --- a/include/common/openssl-compat.h
> >> +++ b/include/common/openssl-compat.h
> >> @@ -278,7 +278,7 @@ static inline void EVP_PKEY_up_ref(EVP_PKEY *pkey)
> >>  #define TLSEXT_signature_ecdsa  3
> >>  #endif
> >>
> >> -#if (OPENSSL_VERSION_NUMBER < 0x1010L) || (LIBRESSL_VERSION_NUMBER < 
> >> 0x2070L)
> >> +#if (HA_OPENSSL_VERSION_NUMBER < 0x101fL) && (LIBRESSL_VERSION_NUMBER 
> >> < 0x207fL)
> >
> >
> > assuming "&& (LIBRESSL_VERSION_NUMBER < 0x207fL)" part ... it is only 
> > relevant for LibreSSL, right?
> > if so, should we leave just the second part and omit the first?
>
> Any reason why would not just #ifndef X509_getm_notBefore, testing for
> what we actually want instead of those backbreaking version
> assumptions?
X509_getm_notBefore is a function, not a define.
>
>
> Lukas



Re: [PATCH] openssl-compat: Fix getm_ defines

2019-12-16 Thread Rosen Penev
On Mon, Dec 16, 2019 at 10:00 AM Илья Шипицин  wrote:
>
>
>
> Mon, 16 Dec 2019 at 22:42, Rosen Penev :
>>
>> LIBRESSL_VERSION_NUMBER evaluates to 0 under OpenSSL, making the condition
>> always true. Check for the define before checking it.
>>
>> Signed-off-by: Rosen Penev 
>> ---
>>  include/common/openssl-compat.h | 2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/include/common/openssl-compat.h 
>> b/include/common/openssl-compat.h
>> index 25102fbe3..c5029d133 100644
>> --- a/include/common/openssl-compat.h
>> +++ b/include/common/openssl-compat.h
>> @@ -278,7 +278,7 @@ static inline void EVP_PKEY_up_ref(EVP_PKEY *pkey)
>>  #define TLSEXT_signature_ecdsa  3
>>  #endif
>>
>> -#if (OPENSSL_VERSION_NUMBER < 0x1010L) || (LIBRESSL_VERSION_NUMBER < 
>> 0x2070L)
>> +#if (HA_OPENSSL_VERSION_NUMBER < 0x101fL) && (LIBRESSL_VERSION_NUMBER < 
>> 0x207fL)
>
>
> assuming "&& (LIBRESSL_VERSION_NUMBER < 0x207fL)" part ... it is only 
> relevant for LibreSSL, right?
> if so, should we leave just the second part and omit the first?
No. As I said previously, undefined macros evaluate to 0. OpenSSL does
not define LIBRESSL_VERSION_NUMBER.
>
>
>>
>>  #define X509_getm_notBefore X509_get_notBefore
>>  #define X509_getm_notAfter  X509_get_notAfter
>>  #endif
>> --
>> 2.23.0
>>
>>
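
The two preprocessor facts argued in this thread (an identifier that is not a macro evaluates to 0 inside `#if`, so the unguarded LibreSSL operand is always true under OpenSSL; and `#ifndef` on a function name is always true because a function declaration is not a macro) can be checked without any OpenSSL headers. The following is an added example, not code from HAProxy or OpenSSL: it sets OPENSSL_VERSION_NUMBER to the real encoding of OpenSSL 1.1.1a and deliberately leaves LIBRESSL_VERSION_NUMBER undefined, as it is when building against OpenSSL. The version constants on this page (`0x1010L`, `0x2070L`) look shortened by extraction; the example uses the full OpenSSL MMNNFFPPS encoding (1.1.0 is 0x10100000L, LibreSSL 2.7.0 is 0x2070000fL). `some_real_api_function` is a constructed stand-in for X509_getm_notBefore.

```c
/* Added example: how #if treats identifiers that are not macros, and why
 * that silently breaks version guards such as the X509_getm_ one.
 * Not HAProxy or OpenSSL code; no OpenSSL headers are included. */
#include <stdio.h>

/* Constructed: pretend we are building against OpenSSL 1.1.1a. */
#define OPENSSL_VERSION_NUMBER 0x1010101fL
/* LIBRESSL_VERSION_NUMBER is intentionally NOT defined, as under OpenSSL. */

/* 1. The guard from the original patch.  In #if an identifier that is not
 *    a macro is replaced by 0, so the right operand is (0 < 0x2070000fL),
 *    which is true, and the whole test is true on every OpenSSL version. */
#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || (LIBRESSL_VERSION_NUMBER < 0x2070000fL)
#define ORIGINAL_GUARD_TAKEN 1
#else
#define ORIGINAL_GUARD_TAKEN 0
#endif

/* 2. Same guard with the LibreSSL operand protected by defined(), the form
 *    of the first "Fix getm_ defines" patch.  defined(X) is 0 for an
 *    undefined X, so the clause cannot fire under OpenSSL. */
#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || \
    (defined(LIBRESSL_VERSION_NUMBER) && (LIBRESSL_VERSION_NUMBER < 0x2070000fL))
#define GUARDED_GUARD_TAKEN 1
#else
#define GUARDED_GUARD_TAKEN 0
#endif

/* 3. The && form of the later revisions: (0 < 0x2070000fL) is still 1 under
 *    OpenSSL, but ANDed with the real version test, so under OpenSSL the
 *    result is governed by OPENSSL_VERSION_NUMBER alone. */
#if (OPENSSL_VERSION_NUMBER < 0x10100000L) && (LIBRESSL_VERSION_NUMBER < 0x2070000fL)
#define AND_GUARD_TAKEN 1
#else
#define AND_GUARD_TAKEN 0
#endif

/* 4. Why "#ifndef X509_getm_notBefore" cannot work: a function declaration
 *    is not a macro, so #ifndef on its name is always true and a fallback
 *    #define placed there would always be emitted, even though the real
 *    function exists.  some_real_api_function is a constructed stand-in. */
long some_real_api_function(void);          /* declared like a library function */
#ifndef some_real_api_function
#define IFNDEF_ON_FUNCTION_TAKEN 1
#else
#define IFNDEF_ON_FUNCTION_TAKEN 0
#endif
long some_real_api_function(void) { return 42; }

/* Expose which branch the preprocessor took, so it can be checked at run time. */
int original_guard_taken(void)     { return ORIGINAL_GUARD_TAKEN; }
int guarded_guard_taken(void)      { return GUARDED_GUARD_TAKEN; }
int and_guard_taken(void)          { return AND_GUARD_TAKEN; }
int ifndef_on_function_taken(void) { return IFNDEF_ON_FUNCTION_TAKEN; }

int main(void)
{
    printf("original '||' guard taken on OpenSSL 1.1.1:  %d  (bug: should be 0)\n",
           original_guard_taken());
    printf("defined()-guarded '||' taken on OpenSSL 1.1.1: %d\n", guarded_guard_taken());
    printf("'&&' form taken on OpenSSL 1.1.1:            %d\n", and_guard_taken());
    printf("#ifndef on a function name is true:          %d\n", ifndef_on_function_taken());
    return 0;
}
```

Compile with `gcc -Wundef` and cases 1 and 3 are reported as uses of an undefined identifier, which is the warning Rosen refers to; case 2 is the form that stays silent because `defined()` is evaluated first. Case 3 is only correct when the left operand is the one that carries the real decision under OpenSSL, which is why the later patches pair it with HA_OPENSSL_VERSION_NUMBER.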



Re: [PATCH] openssl-compat: Fix getm_ defines

2019-12-16 Thread Rosen Penev
On Mon, Dec 16, 2019 at 4:49 AM Lukas Tribus  wrote:
>
> Hello Rosen,
>
> > Mon, 16 Dec 2019 at 12:07, Rosen Penev :
> >>
> >> LIBRESSL_VERSION_NUMBER evaluates to 0 under OpenSSL, making the condition
> >> always true. Check for the define before checking it.
>
> I cannot find this in the openssl sources, not in master and not in
> the 1.1.1 branch. Please clarify where this is defined.
Compile with -Wundef. Missing macros evaluate to 0.
>
> The SSL compatibility layer is already complex enough and needs
> continuous adjustments, we need to understand the reason for changes
> very well. Fast fixes are continually coming back to haunt us.
>
>
> On Mon, 16 Dec 2019 at 08:19, Илья Шипицин  wrote:
> > please have a look at https://github.com/haproxy/haproxy/issues/367 (it 
> > still misses the getm part, I tried things like you sent, but reg-tests fail. 
> > do you have travis-ci passing?)
> > also, there's a patch already sent, Lukas Tribus promised to review it
>
> Yeah, this one fell through the cracks. Give me a few days to catch up.
>
> Thanks,
> Lukas



[PATCH] openssl-compat: Fix getm_ defines

2019-12-16 Thread Rosen Penev
LIBRESSL_VERSION_NUMBER evaluates to 0 under OpenSSL, making the condition
always true. Check for the define before checking it.

Signed-off-by: Rosen Penev 
---
 include/common/openssl-compat.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/common/openssl-compat.h b/include/common/openssl-compat.h
index 25102fbe3..c5029d133 100644
--- a/include/common/openssl-compat.h
+++ b/include/common/openssl-compat.h
@@ -278,7 +278,7 @@ static inline void EVP_PKEY_up_ref(EVP_PKEY *pkey)
 #define TLSEXT_signature_ecdsa  3
 #endif
 
-#if (OPENSSL_VERSION_NUMBER < 0x1010L) || (LIBRESSL_VERSION_NUMBER < 
0x2070L)
+#if (HA_OPENSSL_VERSION_NUMBER < 0x101fL) && (LIBRESSL_VERSION_NUMBER < 
0x207fL)
 #define X509_getm_notBefore X509_get_notBefore
 #define X509_getm_notAfter  X509_get_notAfter
 #endif
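Review bot: the `||` to `&&` switch is what makes this condition work under OpenSSL, where `LIBRESSL_VERSION_NUMBER` is undefined and therefore 0 in `#if`, so `(0 < 0x207fL)` is always true and `HA_OPENSSL_VERSION_NUMBER` alone decides; under LibreSSL both operands must hold, which requires that HA_OPENSSL_VERSION_NUMBER maps LibreSSL to a value below 0x101fL. That reliance is invisible from the line itself; add a comment stating it, and fix the commit message, which still describes the v0 approach ("Check for the define before checking it") that this hunk no longer uses. BoringSSL defines neither macro in a helpful way (it reports a 1.1-level OPENSSL_VERSION_NUMBER while lacking the getm_ accessors, as raised later in this thread), so whether the mapping still applies for BoringSSL depends entirely on HA_OPENSSL_VERSION_NUMBER's value there and should be checked.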
-- 
2.23.0




[PATCH] openssl-compat: Fix getm_ defines

2019-12-15 Thread Rosen Penev
LIBRESSL_VERSION_NUMBER evaluates to 0 under OpenSSL, making the condition
always true. Check for the define before checking it.

Signed-off-by: Rosen Penev 
---
 include/common/openssl-compat.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/include/common/openssl-compat.h b/include/common/openssl-compat.h
index 25102fbe3..8b1630110 100644
--- a/include/common/openssl-compat.h
+++ b/include/common/openssl-compat.h
@@ -278,7 +278,8 @@ static inline void EVP_PKEY_up_ref(EVP_PKEY *pkey)
 #define TLSEXT_signature_ecdsa  3
 #endif
 
-#if (OPENSSL_VERSION_NUMBER < 0x1010L) || (LIBRESSL_VERSION_NUMBER < 
0x2070L)
+#if (OPENSSL_VERSION_NUMBER < 0x1010L) || \
+   (defined(LIBRESSL_VERSION_NUMBER) && (LIBRESSL_VERSION_NUMBER < 
0x2070L))
 #define X509_getm_notBefore X509_get_notBefore
 #define X509_getm_notAfter  X509_get_notAfter
 #endif
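Review bot: wrapping the LibreSSL operand in `defined(LIBRESSL_VERSION_NUMBER) && (...)` is the direct fix for the always-true condition and is what the commit message describes. Two things to note in a comment: the left operand tests the raw `OPENSSL_VERSION_NUMBER`, which LibreSSL pins at 0x20000000L, so it never fires for LibreSSL and the new clause alone governs LibreSSL builds; and BoringSSL reports an OPENSSL_VERSION_NUMBER of 1.1.0 level while not providing `X509_getm_notBefore` (which is why, as observed later in the thread, HAProxy needs this mapping for BoringSSL), so with this hunk BoringSSL would drop out of the mapping and fail to build. Add a `|| defined(OPENSSL_IS_BORINGSSL)` clause, or test HA_OPENSSL_VERSION_NUMBER if that macro already accounts for BoringSSL.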
-- 
2.23.0




Re: [PATCHv2] ssl: Fix compilation without deprecated OpenSSL 1.1 APIs

2018-12-15 Thread Rosen Penev
On Sat, Dec 15, 2018 at 7:57 AM Willy Tarreau  wrote:
>
> On Fri, Dec 14, 2018 at 08:47:02AM -0800, Rosen Penev wrote:
> > Removing deprecated APIs is an optional part of OpenWrt's build system to
> > save some space on embedded devices.
> >
> > Also added compatibility for LibreSSL.
>
> Looks good, now applied. Thanks for the explanation by the way.
All good. Hope it makes it in the next release so I can drop the patch locally.
>
> Willy



[PATCHv2] ssl: Fix compilation without deprecated OpenSSL 1.1 APIs

2018-12-14 Thread Rosen Penev
Removing deprecated APIs is an optional part of OpenWrt's build system to
save some space on embedded devices.

Also added compatibility for LibreSSL.

Signed-off-by: Rosen Penev 
---
 LibreSSL support is totally untested. I went based off the git repository
 src/ssl_sock.c | 35 ++-
 1 file changed, 26 insertions(+), 9 deletions(-)

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 5fd4f4e9..b08d8a68 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -39,6 +39,7 @@
 #include 
 #include 
 
+#include 
 #include 
 #include 
 #include 
@@ -60,6 +61,17 @@
 #include 
 #endif
 
+#ifndef OPENSSL_VERSION
+#define OPENSSL_VERSIONSSLEAY_VERSION
+#define OpenSSL_version(x) SSLeay_version(x)
+#define OpenSSL_version_numSSLeay
+#endif
+
+#if (OPENSSL_VERSION_NUMBER < 0x1010L) || (LIBRESSL_VERSION_NUMBER < 
0x2070L)
+#define X509_getm_notBeforeX509_get_notBefore
+#define X509_getm_notAfter X509_get_notAfter
+#endif
+
 #include 
 #include 
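Review bot: the X509_getm_ guard `(OPENSSL_VERSION_NUMBER < 0x1010L) || (LIBRESSL_VERSION_NUMBER < 0x2070L)` is always true when building against OpenSSL: OpenSSL does not define LIBRESSL_VERSION_NUMBER, an undefined identifier evaluates to 0 in `#if`, so the second operand is `0 < 0x2070L` and the mapping of `X509_getm_notBefore` to `X509_get_notBefore` is applied on OpenSSL 1.1.x as well, where `X509_get_notBefore` is the compatibility alias this patch is trying to stop depending on. Guard the LibreSSL operand with `defined(LIBRESSL_VERSION_NUMBER) &&`. The `OpenSSL_version`/`OPENSSL_VERSION` shim keyed on `#ifndef OPENSSL_VERSION` is fine for 1.0.x versus 1.1.x, but both shims would be better placed in the shared compat header than at the top of ssl_sock.c, where no other file can use them.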
 
@@ -220,7 +232,7 @@ static struct {
.capture_cipherlist = 0,
 };
 
-#ifdef USE_THREAD
+#if defined(USE_THREAD) && ((OPENSSL_VERSION_NUMBER < 0x1010L) || 
defined(LIBRESSL_VERSION_NUMBER))
 
 static HA_RWLOCK_T *ssl_rwlocks;
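Review bot: this condition and the one around the `ssl_locking_init()` call further down must stay identical, otherwise `ssl_rwlocks` is either defined and unused or referenced and missing; they match in this patch, but a single named macro defined once (for example HA_SSL_NEED_LOCKING in the compat header, a hypothetical name) would keep them from drifting in later edits. The `|| defined(LIBRESSL_VERSION_NUMBER)` part keeps the callbacks for every LibreSSL release, which is the safe default given the "totally untested" note in the cover text, and correctly does not depend on OPENSSL_NO_DEPRECATED, so a 1.0.x no-deprecated build keeps its locks.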
 
@@ -1735,8 +1747,8 @@ ssl_sock_do_create_cert(const char *servername, struct 
bind_conf *bind_conf, SSL
ASN1_INTEGER_set(X509_get_serialNumber(newcrt), 
HA_ATOMIC_ADD(_ctx_serial, 1));
 
/* Set duration for the certificate */
-   if (!X509_gmtime_adj(X509_get_notBefore(newcrt), (long)-60*60*24) ||
-   !X509_gmtime_adj(X509_get_notAfter(newcrt),(long)60*60*24*365))
+   if (!X509_gmtime_adj(X509_getm_notBefore(newcrt), (long)-60*60*24) ||
+   !X509_gmtime_adj(X509_getm_notAfter(newcrt),(long)60*60*24*365))
goto mkcert_error;
 
/* set public key in the certificate */
@@ -6420,7 +6432,7 @@ smp_fetch_ssl_x_notafter(const struct arg *args, struct 
sample *smp, const char
goto out;
 
smp_trash = get_trash_chunk();
-   if (ssl_sock_get_time(X509_get_notAfter(crt), smp_trash) <= 0)
+   if (ssl_sock_get_time(X509_getm_notAfter(crt), smp_trash) <= 0)
goto out;
 
smp->data.u.str = *smp_trash;
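Review bot: this fetch only reads the time, so the const accessor `X509_get0_notAfter()` (also introduced in OpenSSL 1.1.0) would state intent more precisely than the mutable `X509_getm_notAfter()`; the same applies to the notbefore fetch in the next hunk. Using the getm variant is acceptable if the aim is to carry a single compat shim for both the writer in ssl_sock_do_create_cert() and these readers, but that choice should be recorded in the shim's comment.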
@@ -6520,7 +6532,7 @@ smp_fetch_ssl_x_notbefore(const struct arg *args, struct 
sample *smp, const char
goto out;
 
smp_trash = get_trash_chunk();
-   if (ssl_sock_get_time(X509_get_notBefore(crt), smp_trash) <= 0)
+   if (ssl_sock_get_time(X509_getm_notBefore(crt), smp_trash) <= 0)
goto out;
 
smp->data.u.str = *smp_trash;
@@ -9274,10 +9286,12 @@ static void __ssl_sock_init(void)
 #endif
 
xprt_register(XPRT_SSL, _sock);
+#if OPENSSL_VERSION_NUMBER < 0x1010L
SSL_library_init();
+#endif
cm = SSL_COMP_get_compression_methods();
sk_SSL_COMP_zero(cm);
-#ifdef USE_THREAD
+#if defined(USE_THREAD) && ((OPENSSL_VERSION_NUMBER < 0x1010L) || 
defined(LIBRESSL_VERSION_NUMBER))
ssl_locking_init();
 #endif
 #if (OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined OPENSSL_NO_TLSEXT && 
!defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
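Review bot: the `#if OPENSSL_VERSION_NUMBER < 0x1010L` around `SSL_library_init()` is the only new guard in this patch without a `|| defined(LIBRESSL_VERSION_NUMBER)` clause. LibreSSL pins OPENSSL_VERSION_NUMBER at 0x20000000L, so this compiles the call out for every LibreSSL version, while the locking guard two lines below deliberately keeps LibreSSL in. If LibreSSL is meant to self-initialise, say so in a comment next to the guard; otherwise make the two guards consistent, because a missing library init is a silent failure rather than a build error.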
@@ -9320,8 +9334,8 @@ static void ssl_register_build_options()
 #else /* OPENSSL_IS_BORINGSSL */
OPENSSL_VERSION_TEXT
"\nRunning on OpenSSL version : %s%s",
-  SSLeay_version(SSLEAY_VERSION),
-  ((OPENSSL_VERSION_NUMBER ^ SSLeay()) >> 8) ? " (VERSIONS 
DIFFER!)" : "");
+  OpenSSL_version(OPENSSL_VERSION),
+  ((OPENSSL_VERSION_NUMBER ^ OpenSSL_version_num()) >> 8) ? " 
(VERSIONS DIFFER!)" : "");
 #endif
memprintf(, "%s\nOpenSSL library supports TLS extensions : "
 #if OPENSSL_VERSION_NUMBER < 0x00907000L
@@ -9400,12 +9414,15 @@ static void __ssl_sock_deinit(void)
}
 #endif
 
+#if (OPENSSL_VERSION_NUMBER < 0x1010L) || defined(LIBRESSL_VERSION_NUMBER)
 ERR_remove_state(0);
 ERR_free_strings();
 
 EVP_cleanup();
+#endif
 
-#if OPENSSL_VERSION_NUMBER >= 0x00907000L
+#if ((OPENSSL_VERSION_NUMBER >= 0x00907000L) && (OPENSSL_VERSION_NUMBER < 
0x1010L)) \
+|| defined(LIBRESSL_VERSION_NUMBER)
 CRYPTO_cleanup_all_ex_data();
 #endif
 }
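Review bot: `ERR_remove_state()` was already deprecated in OpenSSL 1.0.0 in favour of `ERR_remove_thread_state()`, so inside this `< 0x1010L || LibreSSL` block a 1.0.x library configured with no-deprecated still references a removed symbol; if the scope is limited to 1.1 deprecations, as the subject says, a comment noting that 1.0.x no-deprecated builds are out of scope would save the next reader a bisect. The `CRYPTO_cleanup_all_ex_data()` guard below is correctly bounded on both sides, and skipping the whole cleanup on 1.1.0+ is right since the library cleans up at exit.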
-- 
2.20.0




Re: [PATCH] ssl: Fix compilation without deprecated OpenSSL 1.1 APIs

2018-12-14 Thread Rosen Penev
On Thu, Dec 13, 2018 at 8:41 PM Willy Tarreau  wrote:
>
> Hello,
>
> On Thu, Dec 13, 2018 at 02:20:06PM -0800, Rosen Penev wrote:
> > Signed-off-by: Rosen Penev 
>
> Could you please provide a real commit message explaining what is the
> problem you're trying to solve, how it manifests itself, and in what
> condition it was tested as appropriate ?
Will do so.
>
> In addition, do you know if it still works with libressl/boringssl ?
This will break LibreSSL as they broke OPENSSL_VERSION_NUMBER.
BoringSSL should be fine.
> Some users rely on these forks and I know that we very easily break
> them once in a while when touching the API. I'm fine if you don't
> know since these forks are not our primary target, but it's good to
> know upfront what to expect (especially for those who might have to
> get back to this patch if some breakage is detected).
>
> Thanks,
> Willy



[PATCH] ssl: Fix compilation without deprecated OpenSSL 1.1 APIs

2018-12-13 Thread Rosen Penev
Signed-off-by: Rosen Penev 
---
 src/ssl_sock.c | 34 +-
 1 file changed, 25 insertions(+), 9 deletions(-)

diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index 5fd4f4e9..2df05559 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -39,6 +39,7 @@
 #include 
 #include 
 
+#include 
 #include 
 #include 
 #include 
@@ -60,6 +61,17 @@
 #include 
 #endif
 
+#ifndef OPENSSL_VERSION
+#define OPENSSL_VERSIONSSLEAY_VERSION
+#define OpenSSL_version(x) SSLeay_version(x)
+#define OpenSSL_version_numSSLeay
+#endif
+
+#if OPENSSL_VERSION_NUMBER < 0x1010L
+#define X509_getm_notBeforeX509_get_notBefore
+#define X509_getm_notAfter X509_get_notAfter
+#endif
+
 #include 
 #include 
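Review bot: with `#if OPENSSL_VERSION_NUMBER < 0x1010L` as the sole condition, LibreSSL, which pins OPENSSL_VERSION_NUMBER at 0x20000000L and only provides `X509_getm_notBefore` from 2.7 onwards, takes the `#else` path and loses the fallback mapping, matching the reply in this thread that the patch "will break LibreSSL". LibreSSL needs its own operand here, and that operand must be wrapped in `defined(LIBRESSL_VERSION_NUMBER)` so that it cannot evaluate as true under OpenSSL, where the undefined macro reads as 0.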
 
@@ -220,7 +232,7 @@ static struct {
.capture_cipherlist = 0,
 };
 
-#ifdef USE_THREAD
+#if defined(USE_THREAD) && (OPENSSL_VERSION_NUMBER < 0x1010L)
 
 static HA_RWLOCK_T *ssl_rwlocks;
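Review bot: same LibreSSL concern as for the getm_ guard above: LibreSSL reports OPENSSL_VERSION_NUMBER 0x20000000L, so `(OPENSSL_VERSION_NUMBER < 0x1010L)` is false there and this condition, together with its twin at the `ssl_locking_init()` call, compiles the locking callbacks out for LibreSSL builds. Either add a LibreSSL operand to both conditions or define the condition once as a named macro and use it in both places.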
 
@@ -1735,8 +1747,8 @@ ssl_sock_do_create_cert(const char *servername, struct 
bind_conf *bind_conf, SSL
ASN1_INTEGER_set(X509_get_serialNumber(newcrt), 
HA_ATOMIC_ADD(_ctx_serial, 1));
 
/* Set duration for the certificate */
-   if (!X509_gmtime_adj(X509_get_notBefore(newcrt), (long)-60*60*24) ||
-   !X509_gmtime_adj(X509_get_notAfter(newcrt),(long)60*60*24*365))
+   if (!X509_gmtime_adj(X509_getm_notBefore(newcrt), (long)-60*60*24) ||
+   !X509_gmtime_adj(X509_getm_notAfter(newcrt),(long)60*60*24*365))
goto mkcert_error;
 
/* set public key in the certificate */
@@ -6420,7 +6432,7 @@ smp_fetch_ssl_x_notafter(const struct arg *args, struct 
sample *smp, const char
goto out;
 
smp_trash = get_trash_chunk();
-   if (ssl_sock_get_time(X509_get_notAfter(crt), smp_trash) <= 0)
+   if (ssl_sock_get_time(X509_getm_notAfter(crt), smp_trash) <= 0)
goto out;
 
smp->data.u.str = *smp_trash;
@@ -6520,7 +6532,7 @@ smp_fetch_ssl_x_notbefore(const struct arg *args, struct 
sample *smp, const char
goto out;
 
smp_trash = get_trash_chunk();
-   if (ssl_sock_get_time(X509_get_notBefore(crt), smp_trash) <= 0)
+   if (ssl_sock_get_time(X509_getm_notBefore(crt), smp_trash) <= 0)
goto out;
 
smp->data.u.str = *smp_trash;
@@ -9274,10 +9286,12 @@ static void __ssl_sock_init(void)
 #endif
 
xprt_register(XPRT_SSL, _sock);
+#if OPENSSL_VERSION_NUMBER < 0x1010L
SSL_library_init();
+#endif
cm = SSL_COMP_get_compression_methods();
sk_SSL_COMP_zero(cm);
-#ifdef USE_THREAD
+#if defined(USE_THREAD) && (OPENSSL_VERSION_NUMBER < 0x1010L)
ssl_locking_init();
 #endif
 #if (OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined OPENSSL_NO_TLSEXT && 
!defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
@@ -9320,8 +9334,8 @@ static void ssl_register_build_options()
 #else /* OPENSSL_IS_BORINGSSL */
OPENSSL_VERSION_TEXT
"\nRunning on OpenSSL version : %s%s",
-  SSLeay_version(SSLEAY_VERSION),
-  ((OPENSSL_VERSION_NUMBER ^ SSLeay()) >> 8) ? " (VERSIONS 
DIFFER!)" : "");
+  OpenSSL_version(OPENSSL_VERSION),
+  ((OPENSSL_VERSION_NUMBER ^ OpenSSL_version_num()) >> 8) ? " 
(VERSIONS DIFFER!)" : "");
 #endif
memprintf(, "%s\nOpenSSL library supports TLS extensions : "
 #if OPENSSL_VERSION_NUMBER < 0x00907000L
@@ -9400,12 +9414,14 @@ static void __ssl_sock_deinit(void)
}
 #endif
 
+#if OPENSSL_VERSION_NUMBER < 0x1010L
 ERR_remove_state(0);
 ERR_free_strings();
 
 EVP_cleanup();
+#endif
 
-#if OPENSSL_VERSION_NUMBER >= 0x00907000L
+#if OPENSSL_VERSION_NUMBER >= 0x00907000L && OPENSSL_VERSION_NUMBER < 
0x1010L
 CRYPTO_cleanup_all_ex_data();
 #endif
 }
-- 
2.20.0