From e97e50b68b0497f906a73a1acc26c3a97d9c9d7f Mon Sep 17 00:00:00 2001
From: Tzafrir Cohen <tzafrir.cohen@xorcom.com>
Date: Sat, 21 Jan 2017 07:59:15 +0200
Subject: [PATCH] tcptls: use TLS_client_method with OpenSSL 1.1

OpenSSL 1.1 introduced TLS_client_method() and deprecated the previous
version-specific methods (such as TLSv1_client_method(). Other than
being simpler to use and more correct (gain support for TLS newer that
TLS1, in our case), the older ones produce a deprecation warning that
fails the build in dev-mode.

ASTERISK-26109 #close

Change-Id: I257b1c8afd09dcb0d96cda3a41cb9f7a15d0ba07
---

diff --git a/main/tcptls.c b/main/tcptls.c
index 71bd92e..36a6c96 100644
--- a/main/tcptls.c
+++ b/main/tcptls.c
@@ -833,12 +833,16 @@
 			cfg->ssl_ctx = SSL_CTX_new(SSLv3_client_method());
 		} else
 #endif
+#if defined(OPENSSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER  >= 0x10100000L)
+		cfg->ssl_ctx = SSL_CTX_new(TLS_client_method());
+#else
 		if (ast_test_flag(&cfg->flags, AST_SSL_TLSV1_CLIENT)) {
 			cfg->ssl_ctx = SSL_CTX_new(TLSv1_client_method());
 		} else {
 			disable_ssl = 1;
 			cfg->ssl_ctx = SSL_CTX_new(SSLv23_client_method());
 		}
+#endif
 	} else {
 		disable_ssl = 1;
 		cfg->ssl_ctx = SSL_CTX_new(SSLv23_server_method());
From 99b40e72ae347d7047547836f7f897d3ea2bc8dc Mon Sep 17 00:00:00 2001
From: Tzafrir Cohen <tzafrir.cohen@xorcom.com>
Date: Fri, 03 Feb 2017 10:25:33 +0200
Subject: [PATCH] libasteriskssl: do nothing with OpenSSL >= 1.1

OpenSSL 1.1 requires no explicit initialization. The hacks in the
library are not needed. They also happen to fail running Asterisk.

ASTERISK-26109 #close

Change-Id: I3b3efd5d80234a4c45a8ee58dcfe25b15d9ad100
---

diff --git a/main/libasteriskssl.c b/main/libasteriskssl.c
index bf5ecc1..9dea3df 100644
--- a/main/libasteriskssl.c
+++ b/main/libasteriskssl.c
@@ -123,10 +123,13 @@
 /*!
  * \internal
  * \brief Common OpenSSL initialization for all of Asterisk.
+ *
+ * Not needed for OpenSSL versions >= 1.1.0
  */
 int ast_ssl_init(void)
 {
-#ifdef HAVE_OPENSSL
+#if defined(HAVE_OPENSSL) && defined(OPENSSL_VERSION_NUMBER) && \
+	OPENSSL_VERSION_NUMBER < 0x10100000L
 	unsigned int i;
 	int (*real_SSL_library_init)(void);
 	void (*real_CRYPTO_set_id_callback)(unsigned long (*)(void));
@@ -191,7 +194,7 @@
 
 	startup_complete = 1;
 
-#endif /* HAVE_OPENSSL */
+#endif /* HAVE_OPENSSL and its version < 1.1 */
 	return 0;
 }
 
--- a/main/tcptls.c
+++ b/main/tcptls.c
@@ -400,11 +400,13 @@
 
 			if (!stream->ssl->server) {
 				/* For client threads, ensure that the error stack is cleared */
-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
+#if !defined(OPENSSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER < 0x10100000L
+#if defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10000000L
 				ERR_remove_thread_state(NULL);
 #else
 				ERR_remove_state(0);
-#endif	/* OPENSSL_VERSION_NUMBER >= 0x10000000L */
+#endif	/* openssl == 1.0 */
+#endif  /* openssl < 1.1 */
 			}
 
 			SSL_free(stream->ssl);
From c572e172665647abd27ea65a4c45f893161c8c44 Mon Sep 17 00:00:00 2001
From: Tzafrir Cohen <tzafrir.cohen@xorcom.com>
Date: Sat, 21 Jan 2017 07:57:33 +0200
Subject: [PATCH] openssl 1.1 support: use OPENSSL_VERSION_NUMBER

Use OPENSSL_VERSION_NUMBER instead of OPENSSL_API_COMPAT to detect
the openssl 1.1 API.

ASTERISK-26109 #close

Change-Id: I4e448f55ef516aedf6ad154037c35577a421a458
---

--- a/main/libasteriskssl.c
+++ b/main/libasteriskssl.c
@@ -74,6 +74,7 @@
 	}
 }
 
+#if !defined(OPENSSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER < 0x10100000L
 int SSL_library_init(void)
 {
 #if defined(AST_DEVMODE)
@@ -115,6 +116,7 @@
 {
 	/* we can't allow this to be called, ever */
 }
+#endif /* !defined(OPENSSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER < 0x10100000L */
 
 #endif /* HAVE_OPENSSL */
 
--- a/main/tcptls.c
+++ b/main/tcptls.c
@@ -398,7 +398,11 @@
 					SSL_get_error(stream->ssl, res));
 			}
 
+#if defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10100000L
+			if (!SSL_is_server(stream->ssl)) {
+#else
 			if (!stream->ssl->server) {
+#endif
 				/* For client threads, ensure that the error stack is cleared */
 #if !defined(OPENSSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER < 0x10100000L
 #if defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10000000L
--- a/main/tcptls.c
+++ b/main/tcptls.c
@@ -779,7 +779,7 @@
 	}
 
 	if (client) {
-#ifndef OPENSSL_NO_SSL2
+#if !defined(OPENSSL_NO_SSL2) && (OPENSSL_VERSION_NUMBER < 0x10100000L)
 		if (ast_test_flag(&cfg->flags, AST_SSL_SSLV2_CLIENT)) {
 			ast_log(LOG_WARNING, "Usage of SSLv2 is discouraged due to known vulnerabilities. Please use 'tlsv1' or leave the TLS method unspecified!\n");
 			cfg->ssl_ctx = SSL_CTX_new(SSLv2_client_method());
