From 01cbb7f4c6326f053d3daf317d0cc0b26a1b02fe Mon Sep 17 00:00:00 2001
From: Quanah Gibson-Mount <quanah@openldap.org>
Date: Thu, 6 Apr 2017 11:47:06 -0700
Subject: [PATCH] ITS#8353, ITS#8533 - Ensure that the deprecated API is not
 used when using OpenSSL 1.1 or later

---
 libraries/libldap/tls_o.c | 21 +++++++++++++--------
 1 file changed, 13 insertions(+), 8 deletions(-)

diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
index b1893a3c43..3aa628ec82 100644
--- a/libraries/libldap/tls_o.c
+++ b/libraries/libldap/tls_o.c
@@ -48,10 +48,7 @@
 #endif
 
 #if OPENSSL_VERSION_NUMBER >= 0x10100000
-#define ERR_remove_thread_state(x)	/* deprecated, get rid of it */
 #define ASN1_STRING_data(x)	ASN1_STRING_get0_data(x)
-#define CRYPTO_free(x)	OPENSSL_free(x)
-#define CRYPTO_NUM_LOCKS	CRYPTO_num_locks()
 #endif
 
 typedef SSL_CTX tlso_ctx;
@@ -64,11 +61,12 @@ static void tlso_report_error( void );
 static void tlso_info_cb( const SSL *ssl, int where, int ret );
 static int tlso_verify_cb( int ok, X509_STORE_CTX *ctx );
 static int tlso_verify_ok( int ok, X509_STORE_CTX *ctx );
+static int tlso_seed_PRNG( const char *randfile );
 #if OPENSSL_VERSION_NUMBER < 0x10100000
+/*
+ * OpenSSL 1.1 API and later has new locking code
+*/
 static RSA * tlso_tmp_rsa_cb( SSL *ssl, int is_export, int key_length );
-#endif
-
-static int tlso_seed_PRNG( const char *randfile );
 
 #ifdef LDAP_R_COMPILE
 /*
@@ -109,6 +107,7 @@ static void tlso_thr_init( void )
 	CRYPTO_set_id_callback( tlso_thread_self );
 }
 #endif /* LDAP_R_COMPILE */
+#endif /* OpenSSL 1.1 */
 
 static STACK_OF(X509_NAME) *
 tlso_ca_list( char * bundle, char * dir )
@@ -154,9 +153,13 @@ tlso_init( void )
 	(void) tlso_seed_PRNG( lo->ldo_tls_randfile );
 #endif
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000
 	SSL_load_error_strings();
 	SSL_library_init();
 	OpenSSL_add_all_digests();
+#else
+	OPENSSL_init_ssl(0, NULL);
+#endif
 
 	/* FIXME: mod_ssl does this */
 	X509V3_add_standard_extensions();
@@ -172,6 +175,7 @@ tlso_destroy( void )
 {
 	struct ldapoptions *lo = LDAP_INT_GLOBAL_OPT();   
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000
 	EVP_cleanup();
 #if OPENSSL_VERSION_NUMBER < 0x10000000
 	ERR_remove_state(0);
@@ -179,6 +183,7 @@ tlso_destroy( void )
 	ERR_remove_thread_state(NULL);
 #endif
 	ERR_free_strings();
+#endif
 
 	if ( lo->ldo_tls_randfile ) {
 		LDAP_FREE( lo->ldo_tls_randfile );
@@ -1162,9 +1167,9 @@ tlso_verify_cb( int ok, X509_STORE_CTX *ctx )
 			certerr, 0, 0 );
 	}
 	if ( sname )
-		CRYPTO_free ( sname );
+		OPENSSL_free ( sname );
 	if ( iname )
-		CRYPTO_free ( iname );
+		OPENSSL_free ( iname );
 #ifdef HAVE_EBCDIC
 	if ( certerr ) LDAP_FREE( certerr );
 #endif
-- 
2.39.5