[core] compile with upcoming openssl 1.1.0 release (fixes #2727)

(thx falemagn) x-ref: "Won't compile with OpenSSL 1.1.0" https://redmine.lighttpd.net/issues/2727
6 years ago · 49c74fff65
5 changed files with 27 additions and 5 deletions
--- a/1
+++ b/1
@ -81,6 +81,7 @@ NEWS
  * [core] open fd when appending file to cq (fixes #2655)
  * [config] server.listen-backlog option (fixes #1825, #2116)
  * [core] retry tempdirs on partial write, ENOSPC (fixes #2588)
+  * [core] compile with upcoming openssl 1.1.0 release (fixes #2727)

 - 1.4.39 - 2016-01-02
  * [core] fix memset_s call (fixes #2698)
--- a/src/connections-glue.c
+++ b/src/connections-glue.c
@ -180,9 +180,15 @@ static int connection_handle_read_ssl(server *srv, connection *con) {
 			while((ssl_err = ERR_get_error())) {
 				switch (ERR_GET_REASON(ssl_err)) {
 				case SSL_R_SSL_HANDSHAKE_FAILURE:
+			      #ifdef SSL_R_TLSV1_ALERT_UNKNOWN_CA
 				case SSL_R_TLSV1_ALERT_UNKNOWN_CA:
+			      #endif
+			      #ifdef SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN
 				case SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN:
+			      #endif
+			      #ifdef SSL_R_SSLV3_ALERT_BAD_CERTIFICATE
 				case SSL_R_SSLV3_ALERT_BAD_CERTIFICATE:
+			      #endif
 					if (!con->conf.log_ssl_noise) continue;
 					break;
 				default:
--- a/src/network.c
+++ b/src/network.c
@ -826,20 +826,28 @@ int network_init(server *srv) {
 				return -1;
 			}
 		} else {
+			BIGNUM *dh_p, *dh_g;
 			/* Default DH parameters from RFC5114 */
 			dh = DH_new();
 			if (dh == NULL) {
 				log_error_write(srv, __FILE__, __LINE__, "s", "SSL: DH_new () failed");
 				return -1;
 			}
-			dh->p = BN_bin2bn(dh1024_p,sizeof(dh1024_p), NULL);
-			dh->g = BN_bin2bn(dh1024_g,sizeof(dh1024_g), NULL);
-			dh->length = 160;
-			if ((dh->p == NULL) || (dh->g == NULL)) {
+			dh_p = BN_bin2bn(dh1024_p,sizeof(dh1024_p), NULL);
+			dh_g = BN_bin2bn(dh1024_g,sizeof(dh1024_g), NULL);
+			if ((dh_p == NULL) || (dh_g == NULL)) {
 				DH_free(dh);
 				log_error_write(srv, __FILE__, __LINE__, "s", "SSL: BN_bin2bn () failed");
 				return -1;
 			}
+		      #if OPENSSL_VERSION_NUMBER < 0x10100000L
+			dh->p = dh_p;
+			dh->g = dh_g;
+			dh->length = 160;
+		      #else
+			DH_set0_pqg(dh, dh_p, NULL, dh_g);
+			DH_set_length(dh, 160);
+		      #endif
 		}
 		SSL_CTX_set_tmp_dh(s->ssl_ctx,dh);
 		SSL_CTX_set_options(s->ssl_ctx,SSL_OP_SINGLE_DH_USE);
--- a/src/response.c
+++ b/src/response.c
@ -167,7 +167,8 @@ static void https_add_ssl_entries(connection *con) {
 		buffer_append_string(envds->key, xobjsn);
 		buffer_copy_string_len(
 			envds->value,
-			(const char *)xe->value->data, xe->value->length
+			(const char *)X509_NAME_ENTRY_get_data(xe)->data,
+			X509_NAME_ENTRY_get_data(xe)->length
 		);
 		/* pick one of the exported values as "REMOTE_USER", for example
 		 * ssl.verifyclient.username   = "SSL_CLIENT_S_DN_UID" or "SSL_CLIENT_S_DN_emailAddress"
--- a/src/server.c
+++ b/src/server.c
@ -381,7 +381,13 @@ static void server_free(server *srv) {
 	if (srv->ssl_is_init) {
 		CRYPTO_cleanup_all_ex_data();
 		ERR_free_strings();
+	      #if   OPENSSL_VERSION_NUMBER >= 0x10100000L
+		ERR_remove_thread_state();
+	      #elif OPENSSL_VERSION_NUMBER >= 0x10000000L
+		ERR_remove_thread_state(NULL);
+	      #else
 		ERR_remove_state(0);
+	      #endif
 		EVP_cleanup();
 	}
 #endif