Diffstat (limited to 'cpp/src/IceSSL/OpenSSLEngine.cpp')
-rw-r--r-- | cpp/src/IceSSL/OpenSSLEngine.cpp | 59 |
1 files changed, 51 insertions, 8 deletions
diff --git a/cpp/src/IceSSL/OpenSSLEngine.cpp b/cpp/src/IceSSL/OpenSSLEngine.cpp index 029cf825ffd..a7232b06f7f 100644 --- a/cpp/src/IceSSL/OpenSSLEngine.cpp +++ b/cpp/src/IceSSL/OpenSSLEngine.cpp @@ -42,7 +42,10 @@ namespace IceUtil::Mutex* staticMutex = 0; int instanceCount = 0; bool initOpenSSL = false; + +#if OPENSSL_VERSION_NUMBER < 0x10100000L IceUtil::Mutex* locks = 0; +#endif class Init { @@ -55,17 +58,22 @@ public: ~Init() { + // + // OpenSSL 1.1.0 introduces a new thread API and removes + // the need to use a custom thread callback. + // +#if OPENSSL_VERSION_NUMBER < 0x10100000L CRYPTO_set_locking_callback(0); CRYPTO_set_id_callback(0); - delete staticMutex; - staticMutex = 0; - if(locks) { delete[] locks; locks = 0; } +#endif + delete staticMutex; + staticMutex = 0; } }; @@ -76,6 +84,11 @@ extern "C" { // +// OpenSSL 1.1.0 introduces a new thread API and removes +// the need to use a custom thread callback. +// +#if OPENSSL_VERSION_NUMBER < 0x10100000L +// // OpenSSL mutex callback. // void @@ -114,6 +127,7 @@ IceSSL_opensslThreadIdCallback() # error "Unknown platform" # endif } +#endif int IceSSL_opensslPasswordCallback(char* buf, int size, int flag, void* userData) @@ -144,7 +158,12 @@ IceSSL_opensslPasswordCallback(char* buf, int size, int flag, void* userData) DH* IceSSL_opensslDHCallback(SSL* ssl, int /*isExport*/, int keyLength) { - OpenSSLEngine* p = reinterpret_cast<OpenSSLEngine*>(SSL_CTX_get_ex_data(ssl->ctx, 0)); +# if OPENSSL_VERSION_NUMBER >= 0x10100000L + SSL_CTX* ctx = SSL_get_SSL_CTX(ssl); +# else + SSL_CTX* ctx = ssl->ctx; +# endif + OpenSSLEngine* p = reinterpret_cast<OpenSSLEngine*>(SSL_CTX_get_ex_data(ctx, 0)); return p->dhParams(keyLength); } # endif 
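Review bot: In the `IceSSL_opensslDHCallback` hunk the rewritten lookup `SSL_CTX_get_ex_data(ctx, 0)` is still cast with `reinterpret_cast` and dereferenced on the following line without a null check, so a context that has no engine stored at ex_data index 0 would crash inside the handshake rather than fail it. Whether every `SSL_CTX` reaching this callback has the engine registered at index 0 depends on `initialize()`, which is outside the hunk, so I can't confirm it from here. A one-line guard, `if(!p) { return 0; }`, makes OpenSSL reject the handshake with a missing-DH error instead, and a comment such as `// index 0 is reserved for the owning OpenSSLEngine, see initialize()` would document the hard-coded slot.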
@@ -196,6 +215,11 @@ OpenSSLEngine::OpenSSLEngine(const CommunicatorPtr& communicator) : initOpenSSL = properties->getPropertyAsIntWithDefault("IceSSL.InitOpenSSL", 1) > 0; if(initOpenSSL) { + + // + // OpenSSL 1.1.0 remove the need for library initialization and cleanup. + // +#if OPENSSL_VERSION_NUMBER < 0x10100000L // // Create the mutexes and set the callbacks. // @@ -221,13 +245,11 @@ OpenSSLEngine::OpenSSLEngine(const CommunicatorPtr& communicator) : // load private key files generated by OpenSSL 1.x. // OpenSSL_add_all_algorithms(); +#endif // // Initialize the PRNG. // -# ifdef WINDOWS - RAND_screen(); // Uses data from the screen if possible. -# endif char randFile[1024]; if(RAND_file_name(randFile, sizeof(randFile))) // Gets the name of a default seed file. { @@ -301,6 +323,10 @@ OpenSSLEngine::OpenSSLEngine(const CommunicatorPtr& communicator) : OpenSSLEngine::~OpenSSLEngine() { +// +// OpenSSL 1.1.0 remove the need for library initialization and cleanup. +// +#if OPENSSL_VERSION_NUMBER < 0x10100000L // // Clean up OpenSSL resources. // @@ -323,6 +349,7 @@ OpenSSLEngine::~OpenSSLEngine() ERR_free_strings(); EVP_cleanup(); } +#endif } bool @@ -372,6 +399,18 @@ OpenSSLEngine::initialize() "IceSSL: unable to create SSL context:\n" + sslErrors()); } +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + int securityLevel = properties->getPropertyAsIntWithDefault(propPrefix + "SecurityLevel", -1); + if(securityLevel != -1) + { + SSL_CTX_set_security_level(_ctx, securityLevel); + if(SSL_CTX_get_security_level(_ctx) != securityLevel) + { + throw PluginInitializationException(__FILE__, __LINE__, + "IceSSL: unable to set SSL security level:\n" + sslErrors()); + } + } +#endif // // Check for a default directory. We look in this directory for // files mentioned in the configuration. 
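Review bot: The added comment in the constructor hunk reads `OpenSSL 1.1.0 remove the need for library initialization and cleanup.`; it should be `removes`, and the same sentence is repeated verbatim in the `~OpenSSLEngine()` hunk at @@ -301. Since the mutex-creation block that follows is now compiled out for 1.1.0, it would also help to say in that comment that `staticMutex` is still allocated in `Init()` (outside this hunk, if I read the file right), so the unconditional `delete staticMutex` in `~Init()` remains valid.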
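Review bot: The `RAND_screen()` removal in the PRNG hunk is not gated on `OPENSSL_VERSION_NUMBER` like every other change in this commit, so Windows builds against 1.0.x also lose that seeding source, and nothing in the hunk says whether that is intended. If I recall correctly, 1.1.0 turns `RAND_screen` into a deprecated no-op and OpenSSL on Windows has seeded itself from the OS entropy source via `RAND_poll()` for a long time, so the removal is probably harmless, but the reasoning belongs next to the code: `// RAND_screen() is obsolete: OpenSSL seeds the PRNG from the OS entropy source on Windows.` The seeding code continues past the hunk, so whether `RAND_status()` is still checked after `RAND_load_file` is not visible here.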
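Review bot: The read-back check `SSL_CTX_get_security_level(_ctx) != securityLevel` in the `initialize()` hunk cannot detect a bad level, because as far as I know `SSL_CTX_set_security_level` stores the integer without validation, so it always reads back unchanged, and the `sslErrors()` appended to the exception is empty since the setter queues no error. Any negative value other than the `-1` sentinel therefore passes straight through, and OpenSSL treats a level of 0 or below as "no restrictions", so a mistyped property silently weakens the policy instead of failing startup. Validate the documented 0-5 range before calling the setter and name the problem in the exception text. `initialize()` continues beyond the hunk.
```cpp
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
    int securityLevel = properties->getPropertyAsIntWithDefault(propPrefix + "SecurityLevel", -1);
    if(securityLevel != -1)
    {
        //
        // OpenSSL accepts any integer here and treats level <= 0 as "no checks",
        // so reject anything outside the documented 0-5 range up front.
        //
        if(securityLevel < 0 || securityLevel > 5)
        {
            throw PluginInitializationException(__FILE__, __LINE__,
                "IceSSL: invalid SSL security level, expected a value from 0 to 5");
        }
        SSL_CTX_set_security_level(_ctx, securityLevel);
    }
#endif
    // … unchanged: default directory check …
```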
@@ -528,6 +567,7 @@ OpenSSLEngine::initialize() "IceSSL: certificate file not found:\n" + file); } file = resolved; + // // First we try to load the certificate using PKCS12 format if that fails // we fallback to PEM format. @@ -945,6 +985,9 @@ OpenSSLEngine::parseProtocols(const StringSeq& protocols) const SSL_METHOD* OpenSSLEngine::getMethod(int /*protocols*/) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + SSL_METHOD* meth = const_cast<SSL_METHOD*>(TLS_method()); +#else // // Despite its name, the SSLv23 method can negotiate SSL3, TLS1.0, TLS1.1, and TLS1.2. // We use the const_cast for backward compatibility with older OpenSSL releases. @@ -959,7 +1002,7 @@ OpenSSLEngine::getMethod(int /*protocols*/) meth = const_cast<SSL_METHOD*>(TLSv1_2_method()); } */ - +#endif return meth; } |