#endif
#if OPENSSL_VERSION_NUMBER >= 0x10100000
-#define ERR_remove_thread_state(x) /* deprecated, get rid of it */
#define ASN1_STRING_data(x) ASN1_STRING_get0_data(x)
-#define CRYPTO_free(x) OPENSSL_free(x)
-#define CRYPTO_NUM_LOCKS CRYPTO_num_locks()
#endif
typedef SSL_CTX tlso_ctx;
static void tlso_info_cb( const SSL *ssl, int where, int ret );
static int tlso_verify_cb( int ok, X509_STORE_CTX *ctx );
static int tlso_verify_ok( int ok, X509_STORE_CTX *ctx );
+static int tlso_seed_PRNG( const char *randfile );
#if OPENSSL_VERSION_NUMBER < 0x10100000
+/*
+ * OpenSSL 1.1 API and later has new locking code
+*/
static RSA * tlso_tmp_rsa_cb( SSL *ssl, int is_export, int key_length );
-#endif
-
-static int tlso_seed_PRNG( const char *randfile );
#ifdef LDAP_R_COMPILE
/*
CRYPTO_set_id_callback( tlso_thread_self );
}
#endif /* LDAP_R_COMPILE */
+#else
+#ifdef LDAP_R_COMPILE
+static void tlso_thr_init( void ) {}
+#endif
+#endif /* OpenSSL 1.1 */
static STACK_OF(X509_NAME) *
tlso_ca_list( char * bundle, char * dir )
(void) tlso_seed_PRNG( lo->ldo_tls_randfile );
#endif
+#if OPENSSL_VERSION_NUMBER < 0x10100000
SSL_load_error_strings();
SSL_library_init();
OpenSSL_add_all_digests();
+#else
+ OPENSSL_init_ssl(0, NULL);
+#endif
/* FIXME: mod_ssl does this */
X509V3_add_standard_extensions();
{
struct ldapoptions *lo = LDAP_INT_GLOBAL_OPT();
+#if OPENSSL_VERSION_NUMBER < 0x10100000
EVP_cleanup();
#if OPENSSL_VERSION_NUMBER < 0x10000000
ERR_remove_state(0);
ERR_remove_thread_state(NULL);
#endif
ERR_free_strings();
+#endif
if ( lo->ldo_tls_randfile ) {
LDAP_FREE( lo->ldo_tls_randfile );
return -1;
}
- if (lo->ldo_tls_cacertfile != NULL || lo->ldo_tls_cacertdir != NULL) {
+ if ( lo->ldo_tls_cacertfile == NULL && lo->ldo_tls_cacertdir == NULL ) {
+ if ( !SSL_CTX_set_default_verify_paths( ctx ) ) {
+ Debug( LDAP_DEBUG_ANY, "TLS: "
+ "could not use default certificate paths", 0, 0, 0 );
+ tlso_report_error();
+ return -1;
+ }
+ } else {
if ( !SSL_CTX_load_verify_locations( ctx,
- lt->lt_cacertfile, lt->lt_cacertdir ) ||
- !SSL_CTX_set_default_verify_paths( ctx ) )
+ lt->lt_cacertfile, lt->lt_cacertdir ) )
{
Debug( LDAP_DEBUG_ANY, "TLS: "
"could not load verify locations (file:`%s',dir:`%s').\n",
certerr, 0, 0 );
}
if ( sname )
- CRYPTO_free ( sname );
+ OPENSSL_free ( sname );
if ( iname )
- CRYPTO_free ( iname );
+ OPENSSL_free ( iname );
#ifdef HAVE_EBCDIC
if ( certerr ) LDAP_FREE( certerr );
#endif