Use DTLS_client_method() and TLS_client_method() for OpenSSL 1.1+

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
sailfishos-mirror · Aug 4, 2016 · 2b6c774 · 2b6c774
1 parent 1835965
commit 2b6c774
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 7 deletions.
diff --git a/dtls.c b/dtls.c
@@ -247,13 +247,16 @@ static int start_dtls_handshake(struct openconnect_info *vpninfo, int dtls_fd)
 #endif
 
 	if (!vpninfo->dtls_ctx) {
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 #ifdef HAVE_DTLS12
 		if (dtlsver == DTLS1_2_VERSION)
 			dtls_method = DTLSv1_2_client_method();
 		else
 #endif
 			dtls_method = DTLSv1_client_method();
-
+#else
+		dtls_method = DTLS_client_method();
+#endif
 		vpninfo->dtls_ctx = SSL_CTX_new(dtls_method);
 		if (!vpninfo->dtls_ctx) {
 			vpn_progress(vpninfo, PRG_ERR,
@@ -262,6 +265,21 @@ static int start_dtls_handshake(struct openconnect_info *vpninfo, int dtls_fd)
 			vpninfo->dtls_attempt_period = 0;
 			return -EINVAL;
 		}
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+		if (dtlsver == DTLS1_BAD_VER)
+			SSL_CTX_set_options(vpninfo->dtls_ctx, SSL_OP_CISCO_ANYCONNECT);
+#else
+		if (!SSL_CTX_set_min_proto_version(vpninfo->dtls_ctx, dtlsver) ||
+		    !SSL_CTX_set_max_proto_version(vpninfo->dtls_ctx, dtlsver)) {
+			vpn_progress(vpninfo, PRG_ERR,
+				     _("Set DTLS CTX version failed\n"));
+			openconnect_report_ssl_errors(vpninfo);
+			SSL_CTX_free(vpninfo->dtls_ctx);
+			vpninfo->dtls_ctx = NULL;
+			vpninfo->dtls_attempt_period = 0;
+			return -EINVAL;
+		}
+#endif
 
 		/* If we don't readahead, then we do short reads and throw
 		   away the tail of data packets. */
@@ -324,9 +342,6 @@ static int start_dtls_handshake(struct openconnect_info *vpninfo, int dtls_fd)
 	BIO_set_nbio(dtls_bio, 1);
 	SSL_set_bio(dtls_ssl, dtls_bio, dtls_bio);
 
-	if (dtlsver == DTLS1_BAD_VER)
-		SSL_set_options(dtls_ssl, SSL_OP_CISCO_ANYCONNECT);
-
 	vpninfo->dtls_ssl = dtls_ssl;
 
 	return 0;

diff --git a/openssl.c b/openssl.c
@@ -1501,7 +1501,6 @@ static int check_certificate_expiry(struct openconnect_info *vpninfo)
 
 int openconnect_open_https(struct openconnect_info *vpninfo)
 {
-	method_const SSL_METHOD *ssl3_method;
 	SSL *https_ssl;
 	BIO *https_bio;
 	int ssl_sock;
@@ -1522,9 +1521,24 @@ int openconnect_open_https(struct openconnect_info *vpninfo)
 	if (ssl_sock < 0)
 		return ssl_sock;
 
-	ssl3_method = TLSv1_client_method();
 	if (!vpninfo->https_ctx) {
-		vpninfo->https_ctx = SSL_CTX_new(ssl3_method);
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+		vpninfo->https_ctx = SSL_CTX_new(TLSv1_client_method());
+#else
+		vpninfo->https_ctx = SSL_CTX_new(TLS_client_method());
+		if (vpninfo->https_ctx &&
+		    (!SSL_CTX_set_min_proto_version(vpninfo->https_ctx, TLS1_VERSION) ||
+		     !SSL_CTX_set_max_proto_version(vpninfo->https_ctx, TLS1_VERSION))) {
+			SSL_CTX_free(vpninfo->https_ctx);
+			vpninfo->https_ctx = NULL;
+		}
+#endif
+		if (!vpninfo->https_ctx) {
+			vpn_progress(vpninfo, PRG_ERR,
+				     _("Create TLSv1 CTX failed\n"));
+			openconnect_report_ssl_errors(vpninfo);
+			return -EINVAL;
+		}
 
 		/* Some servers (or their firewalls) really don't like seeing
 		   extensions. */