From 24d68b5af8c03cbdda5211079780799ea17ad1fc Mon Sep 17 00:00:00 2001
From: "Roger A. Light"
Date: Wed, 11 Apr 2018 17:10:27 +0100
Subject: [PATCH] Remove support for openssl 1.0.0 and 1.0.1.
These are no longer supported by openssl.
---
 ChangeLog.txt | 2 ++
 lib/net_mosq.c | 18 ++++--------------
 lib/options.c | 15 +--------------
 lib/tls_mosq.h | 7 -------
 lib/util_mosq.c | 2 +-
 lib/util_mosq.h | 2 +-
 mosquitto.conf | 6 ++----
 src/bridge.c | 2 +-
 src/conf.c | 20 ++++++++++----------
 src/handle_connect.c | 8 ++++----
 src/mosquitto_broker_internal.h | 2 +-
 src/net.c | 24 +++---------------------
 test/broker/08-tls-psk-bridge.py | 4 ----
 test/broker/08-tls-psk-pub.py | 4 ----
 14 files changed, 30 insertions(+), 86 deletions(-)
diff --git a/ChangeLog.txt b/ChangeLog.txt
index db6f9db8..622eaf33 100644
--- a/ChangeLog.txt
+++ b/ChangeLog.txt
@@ -133,6 +133,8 @@ Build:
 - Add WITH_STATIC_LIBRARIES (defaulting to "no") that when set to "yes" will build and install static versions of the client libraries.
 - Don't run TLS-PSK tests if TLS-PSK disabled at compile time. Closes #636.
+- Support for openssl versions 1.0.0 and 1.0.1 has been removed as these are
+ no longer supported by openssl.
 Documentation:
 - Replace mentions of deprecated 'c_rehash' with 'openssl rehash'.
diff --git a/lib/net_mosq.c b/lib/net_mosq.c
index 0be1cedb..aa7116ab 100644
--- a/lib/net_mosq.c
+++ b/lib/net_mosq.c
@@ -190,7 +190,7 @@ int net__socket_close(struct mosquitto *mosq)
 }
-#ifdef REAL_WITH_TLS_PSK
+#ifdef WITH_TLS_PSK
 static unsigned int psk_client_callback(SSL *ssl, const char *hint, char *identity, unsigned int max_identity_len, unsigned char *psk, unsigned int max_psk_len)
@@ -458,7 +458,6 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
 }
 if(mosq->tls_cafile || mosq->tls_capath || mosq->tls_psk){
-#if OPENSSL_VERSION_NUMBER >= 0x10001000L
 if(!mosq->tls_version){
 mosq->ssl_ctx = SSL_CTX_new(SSLv23_client_method());
 }else if(!strcmp(mosq->tls_version, "tlsv1.2")){
@@ -472,15 +471,7 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
 COMPAT_CLOSE(mosq->sock);
 return MOSQ_ERR_INVAL;
 }
-#else
- if(!mosq->tls_version || !strcmp(mosq->tls_version, "tlsv1")){
- mosq->ssl_ctx = SSL_CTX_new(TLSv1_client_method());
- }else{
- log__printf(mosq, MOSQ_LOG_ERR, "Error: Protocol %s not supported.", mosq->tls_version);
- COMPAT_CLOSE(mosq->sock);
- return MOSQ_ERR_INVAL;
- }
-#endif
+
 if(!mosq->ssl_ctx){
 log__printf(mosq, MOSQ_LOG_ERR, "Error: Unable to create TLS context.");
 COMPAT_CLOSE(mosq->sock);
@@ -488,10 +479,9 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
 return MOSQ_ERR_TLS;
 }
-#if OPENSSL_VERSION_NUMBER >= 0x10000000
 /* Disable compression */
 SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_COMPRESSION);
-#endif
+
 #ifdef SSL_MODE_RELEASE_BUFFERS
 /* Use even less memory per SSL connection. */
 SSL_CTX_set_mode(mosq->ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
@@ -574,7 +564,7 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
 return MOSQ_ERR_TLS;
 }
 }
-#ifdef REAL_WITH_TLS_PSK
+#ifdef WITH_TLS_PSK
 }else if(mosq->tls_psk){
 SSL_CTX_set_psk_client_callback(mosq->ssl_ctx, psk_client_callback);
 #endif
diff --git a/lib/options.c b/lib/options.c
index 670ab57a..a2997996 100644
--- a/lib/options.c
+++ b/lib/options.c
@@ -175,7 +175,6 @@ int mosquitto_tls_opts_set(struct mosquitto *mosq, int cert_reqs, const char *tl
 mosq->tls_cert_reqs = cert_reqs;
 if(tls_version){
-#if OPENSSL_VERSION_NUMBER >= 0x10001000L
 if(!strcasecmp(tls_version, "tlsv1.2") || !strcasecmp(tls_version, "tlsv1.1") || !strcasecmp(tls_version, "tlsv1")){
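Review bot: The `SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_COMPRESSION);` that survives in the @@ -488 hunk is the only option visibly set on a context that, in the @@ -458 hunk, defaults to `SSLv23_client_method()`; on the new 1.0.2 floor that method can still negotiate SSLv3 where the library was built with it, and nothing in these hunks excludes it, so unless net__init_ssl_ctx does so elsewhere (not visible here) the unset-version default is wider than the TLS-only range the code otherwise offers. Pinning it explicitly, `SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION);`, would make the floor independent of how OpenSSL was built; the server-side `int ssl_options = 0;` path in src/net.c's @@ -266 hunk deserves the same check against the "v1.2, v1.1 and v1.0" wording in the mosquitto.conf hunk. As a point of style, the two `+` lines that replace the removed `#endif`s leave empty lines inside the function body and could be dropped. net__init_ssl_ctx starts and ends outside these hunks.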
@@ -185,20 +184,8 @@ int mosquitto_tls_opts_set(struct mosquitto *mosq, int cert_reqs, const char *tl
 }else{
 return MOSQ_ERR_INVAL;
 }
-#else
- if(!strcasecmp(tls_version, "tlsv1")){
- mosq->tls_version = mosquitto__strdup(tls_version);
- if(!mosq->tls_version) return MOSQ_ERR_NOMEM;
- }else{
- return MOSQ_ERR_INVAL;
- }
-#endif
 }else{
-#if OPENSSL_VERSION_NUMBER >= 0x10001000L
 mosq->tls_version = mosquitto__strdup("tlsv1.2");
-#else
- mosq->tls_version = mosquitto__strdup("tlsv1");
-#endif
 if(!mosq->tls_version) return MOSQ_ERR_NOMEM;
 }
 if(ciphers){
@@ -231,7 +218,7 @@ int mosquitto_tls_insecure_set(struct mosquitto *mosq, bool value)
 int mosquitto_tls_psk_set(struct mosquitto *mosq, const char *psk, const char *identity, const char *ciphers)
 {
-#ifdef REAL_WITH_TLS_PSK
+#ifdef WITH_TLS_PSK
 if(!mosq || !psk || !identity) return MOSQ_ERR_INVAL;
 /* Check for hex only digits */
diff --git a/lib/tls_mosq.h b/lib/tls_mosq.h
index f2e1c74d..66948180 100644
--- a/lib/tls_mosq.h
+++ b/lib/tls_mosq.h
@@ -26,13 +26,6 @@ Contributors:
 #ifdef WITH_TLS
 #include
-#ifdef WITH_TLS_PSK
-# if OPENSSL_VERSION_NUMBER >= 0x10000000
-# define REAL_WITH_TLS_PSK
-# else
-# warning "TLS-PSK not supported, openssl too old."
-# endif
-#endif
 int mosquitto__server_certificate_verify(int preverify_ok, X509_STORE_CTX *ctx);
 int mosquitto__verify_certificate_hostname(X509 *cert, const char *hostname);
diff --git a/lib/util_mosq.c b/lib/util_mosq.c
index d4e39d8e..aab313dd 100644
--- a/lib/util_mosq.c
+++ b/lib/util_mosq.c
@@ -344,7 +344,7 @@ int mosquitto_topic_matches_sub2(const char *sub, size_t sublen, const char *top
 return MOSQ_ERR_SUCCESS;
 }
-#ifdef REAL_WITH_TLS_PSK
+#ifdef WITH_TLS_PSK
 int mosquitto__hex2bin(const char *hex, unsigned char *bin, int bin_max_len)
 {
 BIGNUM *bn = NULL;
diff --git a/lib/util_mosq.h b/lib/util_mosq.h
index 5b28ed80..0e65dd98 100644
--- a/lib/util_mosq.h
+++ b/lib/util_mosq.h
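Review bot: The version string validated here is matched case-insensitively (`strcasecmp(tls_version, "tlsv1.2")` in the @@ -175 hunk) while net__init_ssl_ctx in lib/net_mosq.c matches the stored value with `strcmp(mosq->tls_version, "tlsv1.2")`, so a caller passing "TLSv1.2" presumably clears this check and then fails at context creation with "Error: Protocol %s not supported."; the removed `#else` branch copied the caller's spelling with `mosquitto__strdup(tls_version)` and the surviving branch is outside the hunk, so I am inferring it does the same. Either make the comparisons in net_mosq.c `strcasecmp` too, or store the canonical spelling per matched branch here, e.g. `mosq->tls_version = mosquitto__strdup("tlsv1.2");`, so the two sides agree. The kept default path `mosq->tls_version = mosquitto__strdup("tlsv1.2");` followed by `if(!mosq->tls_version) return MOSQ_ERR_NOMEM;` reads correctly. mosquitto_tls_opts_set starts outside this hunk.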
@@ -33,7 +33,7 @@ void mosquitto__check_keepalive(struct mosquitto *mosq);
 uint16_t mosquitto__mid_generate(struct mosquitto *mosq);
 FILE *mosquitto__fopen(const char *path, const char *mode, bool restrict_read);
-#ifdef REAL_WITH_TLS_PSK
+#ifdef WITH_TLS_PSK
 int mosquitto__hex2bin(const char *hex, unsigned char *bin, int bin_max_len);
 #endif
diff --git a/mosquitto.conf b/mosquitto.conf
index 3ce206f8..93f66f3d 100644
--- a/mosquitto.conf
+++ b/mosquitto.conf
@@ -221,10 +221,8 @@
 #keyfile
 # This option defines the version of the TLS protocol to use for this listener.
-# The default value allows v1.2, v1.1 and v1.0, if they are all supported by
-# the version of openssl that the broker was compiled against. For openssl >=
-# 1.0.1 the valid values are tlsv1.2 tlsv1.1 and tlsv1. For openssl < 1.0.1 the
-# valid values are tlsv1.
+# The default value allows v1.2, v1.1 and v1.0. The valid values are tlsv1.2
+# tlsv1.1 and tlsv1.
 #tls_version
 # By default a TLS enabled listener will operate in a similar fashion to a
diff --git a/src/bridge.c b/src/bridge.c
index a3cb5eb3..32e85892 100644
--- a/src/bridge.c
+++ b/src/bridge.c
@@ -82,7 +82,7 @@ int bridge__new(struct mosquitto_db *db, struct mosquitto__bridge *bridge)
 new_context->tls_cert_reqs = SSL_VERIFY_PEER;
 new_context->tls_version = new_context->bridge->tls_version;
 new_context->tls_insecure = new_context->bridge->tls_insecure;
-#ifdef REAL_WITH_TLS_PSK
+#ifdef WITH_TLS_PSK
 new_context->tls_psk_identity = new_context->bridge->tls_psk_identity;
 new_context->tls_psk = new_context->bridge->tls_psk;
 #endif
diff --git a/src/conf.c b/src/conf.c
index 05237d4a..3a628c2c 100644
--- a/src/conf.c
+++ b/src/conf.c
@@ -315,7 +315,7 @@ void config__cleanup(struct mosquitto__config *config)
 #ifdef WITH_TLS
 mosquitto__free(config->bridges[i].tls_version);
 mosquitto__free(config->bridges[i].tls_cafile);
-#ifdef REAL_WITH_TLS_PSK
+#ifdef WITH_TLS_PSK
 mosquitto__free(config->bridges[i].tls_psk_identity);
 mosquitto__free(config->bridges[i].tls_psk);
 #endif
@@ -586,7 +586,7 @@ int config__read(struct mosquitto__config *config, bool reload)
 log__printf(NULL, MOSQ_LOG_ERR, "Error: Invalid bridge configuration.");
 return MOSQ_ERR_INVAL;
 }
-#ifdef REAL_WITH_TLS_PSK
+#ifdef WITH_TLS_PSK
 if(config->bridges[i].tls_psk && !config->bridges[i].tls_psk_identity){
 log__printf(NULL, MOSQ_LOG_ERR, "Error: Invalid bridge configuration: missing bridge_identity.\n");
 return MOSQ_ERR_INVAL;
@@ -809,7 +809,7 @@ int config__read_file_core(struct mosquitto__config *config, bool reload, const
 log__printf(NULL, MOSQ_LOG_ERR, "Error: Invalid bridge configuration.");
 return MOSQ_ERR_INVAL;
 }
-#ifdef REAL_WITH_TLS_PSK
+#ifdef WITH_TLS_PSK
 if(cur_bridge->tls_psk_identity || cur_bridge->tls_psk){
 log__printf(NULL, MOSQ_LOG_ERR, "Error: Cannot use both certificate and psk encryption in a single bridge.");
 return MOSQ_ERR_INVAL;
@@ -826,7 +826,7 @@ int config__read_file_core(struct mosquitto__config *config, bool reload, const
 log__printf(NULL, MOSQ_LOG_ERR, "Error: Invalid bridge configuration.");
 return MOSQ_ERR_INVAL;
 }
-#ifdef REAL_WITH_TLS_PSK
+#ifdef WITH_TLS_PSK
 if(cur_bridge->tls_psk_identity || cur_bridge->tls_psk){
 log__printf(NULL, MOSQ_LOG_ERR, "Error: Cannot use both certificate and psk encryption in a single bridge.");
 return MOSQ_ERR_INVAL;
@@ -843,7 +843,7 @@ int config__read_file_core(struct mosquitto__config *config, bool reload, const
 log__printf(NULL, MOSQ_LOG_ERR, "Error: Invalid bridge configuration.");
 return MOSQ_ERR_INVAL;
 }
-#ifdef REAL_WITH_TLS_PSK
+#ifdef WITH_TLS_PSK
 if(cur_bridge->tls_psk_identity || cur_bridge->tls_psk){
 log__printf(NULL, MOSQ_LOG_ERR, "Error: Cannot use both certificate and psk encryption in a single bridge.");
 return MOSQ_ERR_INVAL;
@@ -854,7 +854,7 @@ int config__read_file_core(struct mosquitto__config *config, bool reload, const
 log__printf(NULL, MOSQ_LOG_WARNING, "Warning: Bridge and/or TLS support not available.");
 #endif
 }else if(!strcmp(token, "bridge_identity")){
-#if defined(WITH_BRIDGE) && defined(REAL_WITH_TLS_PSK)
+#if defined(WITH_BRIDGE) && defined(WITH_TLS_PSK)
 if(reload) continue; // FIXME
 if(!cur_bridge){
 log__printf(NULL, MOSQ_LOG_ERR, "Error: Invalid bridge configuration.");
@@ -889,7 +889,7 @@ int config__read_file_core(struct mosquitto__config *config, bool reload, const
 log__printf(NULL, MOSQ_LOG_ERR, "Error: Invalid bridge configuration.");
 return MOSQ_ERR_INVAL;
 }
-#ifdef REAL_WITH_TLS_PSK
+#ifdef WITH_TLS_PSK
 if(cur_bridge->tls_psk_identity || cur_bridge->tls_psk){
 log__printf(NULL, MOSQ_LOG_ERR, "Error: Cannot use both certificate and psk encryption in a single bridge.");
 return MOSQ_ERR_INVAL;
@@ -924,7 +924,7 @@ int config__read_file_core(struct mosquitto__config *config, bool reload, const
 log__printf(NULL, MOSQ_LOG_WARNING, "Warning: Bridge support not available.");
 #endif
 }else if(!strcmp(token, "bridge_psk")){
-#if defined(WITH_BRIDGE) && defined(REAL_WITH_TLS_PSK)
+#if defined(WITH_BRIDGE) && defined(WITH_TLS_PSK)
 if(reload) continue; // FIXME
 if(!cur_bridge){
 log__printf(NULL, MOSQ_LOG_ERR, "Error: Invalid bridge configuration.");
@@ -1554,7 +1554,7 @@ int config__read_file_core(struct mosquitto__config *config, bool reload, const
 log__printf(NULL, MOSQ_LOG_ERR, "Error: Empty protocol value in configuration.");
 }
 }else if(!strcmp(token, "psk_file")){
-#ifdef REAL_WITH_TLS_PSK
+#ifdef WITH_TLS_PSK
 conf__set_cur_security_options(config, cur_listener, &cur_security_options);
 if(reload){
 mosquitto__free(cur_security_options->psk_file);
@@ -1565,7 +1565,7 @@ int config__read_file_core(struct mosquitto__config *config, bool reload, const
 log__printf(NULL, MOSQ_LOG_WARNING, "Warning: TLS/TLS-PSK support not available.");
 #endif
 }else if(!strcmp(token, "psk_hint")){
-#ifdef REAL_WITH_TLS_PSK
+#ifdef WITH_TLS_PSK
 if(reload) continue; // Listeners not valid for reloading.
 if(conf__parse_string(&token, "psk_hint", &cur_listener->psk_hint, saveptr)) return MOSQ_ERR_INVAL;
 #else
diff --git a/src/handle_connect.c b/src/handle_connect.c
index 6ccac712..c6f0e96a 100644
--- a/src/handle_connect.c
+++ b/src/handle_connect.c
@@ -396,7 +396,7 @@ int handle__connect(struct mosquitto_db *db, struct mosquitto *context)
 rc = 1;
 goto handle_connect_error;
 }
-#ifdef REAL_WITH_TLS_PSK
+#ifdef WITH_TLS_PSK
 if(context->listener->psk_hint){
 /* Client should have provided an identity to get this far. */
 if(!context->username){
@@ -405,7 +405,7 @@ int handle__connect(struct mosquitto_db *db, struct mosquitto *context)
 goto handle_connect_error;
 }
 }else{
-#endif /* REAL_WITH_TLS_PSK */
+#endif /* WITH_TLS_PSK */
 client_cert = SSL_get_peer_certificate(context->ssl);
 if(!client_cert){
 send__connack(context, 0, CONNACK_REFUSED_BAD_USERNAME_PASSWORD);
@@ -451,9 +451,9 @@ int handle__connect(struct mosquitto_db *db, struct mosquitto *context)
 }
 X509_free(client_cert);
 client_cert = NULL;
-#ifdef REAL_WITH_TLS_PSK
+#ifdef WITH_TLS_PSK
 }
-#endif /* REAL_WITH_TLS_PSK */
+#endif /* WITH_TLS_PSK */
 }else{
 #endif /* WITH_TLS */
 if(username_flag){
diff --git a/src/mosquitto_broker_internal.h b/src/mosquitto_broker_internal.h
index 81c0c3c2..6f976912 100644
--- a/src/mosquitto_broker_internal.h
+++ b/src/mosquitto_broker_internal.h
@@ -458,7 +458,7 @@ struct mosquitto__bridge{
 char *tls_certfile;
 char *tls_keyfile;
 char *tls_version;
-# ifdef REAL_WITH_TLS_PSK
+# ifdef WITH_TLS_PSK
 char *tls_psk_identity;
 char *tls_psk;
 # endif
diff --git a/src/net.c b/src/net.c
index e3b67490..ac20ef3d 100644
--- a/src/net.c
+++ b/src/net.c
@@ -209,7 +209,7 @@ static int client_certificate_verify(int preverify_ok, X509_STORE_CTX *ctx)
 }
 #endif
-#ifdef REAL_WITH_TLS_PSK
+#ifdef WITH_TLS_PSK
 static unsigned int psk_server_callback(SSL *ssl, const char *identity, unsigned char *psk, unsigned int max_psk_len)
 {
 struct mosquitto_db *db;
@@ -266,13 +266,7 @@ static int mosquitto__tls_server_ctx(struct mosquitto__listener *listener)
 int ssl_options = 0;
 char buf[256];
 int rc;
-#ifdef WITH_EC
-#if OPENSSL_VERSION_NUMBER >= 0x10000000L && OPENSSL_VERSION_NUMBER < 0x10002000L
- EC_KEY *ecdh = NULL;
-#endif
-#endif
-#if OPENSSL_VERSION_NUMBER >= 0x10001000L
 if(listener->tls_version == NULL){
 listener->ssl_ctx = SSL_CTX_new(SSLv23_server_method());
 }else if(!strcmp(listener->tls_version, "tlsv1.2")){
@@ -282,9 +276,6 @@ static int mosquitto__tls_server_ctx(struct mosquitto__listener *listener)
 }else if(!strcmp(listener->tls_version, "tlsv1")){
 listener->ssl_ctx = SSL_CTX_new(TLSv1_server_method());
 }
-#else
- listener->ssl_ctx = SSL_CTX_new(SSLv23_server_method());
-#endif
 if(!listener->ssl_ctx){
 log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to create TLS context.");
 return 1;
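Review bot: In the @@ -282 hunk an unrecognised `listener->tls_version` falls out of the `if`/`else if` chain without creating a context, and the very next check reports it as "Error: Unable to create TLS context.", which blames OpenSSL rather than the configuration value; the client side in lib/net_mosq.c reports "Error: Protocol %s not supported." for the same situation. Unless conf.c already rejects unknown values before this point (not visible here), a final branch would make the failure diagnosable: `}else{ log__printf(NULL, MOSQ_LOG_ERR, "Error: Protocol %s not supported.", listener->tls_version); return 1; }`. mosquitto__tls_server_ctx starts and ends outside this hunk.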
@@ -310,15 +301,6 @@ static int mosquitto__tls_server_ctx(struct mosquitto__listener *listener)
 #ifdef WITH_EC
 #if OPENSSL_VERSION_NUMBER >= 0x10002000L && OPENSSL_VERSION_NUMBER < 0x10100000L
 SSL_CTX_set_ecdh_auto(listener->ssl_ctx, 1);
-#elif OPENSSL_VERSION_NUMBER >= 0x10000000L && OPENSSL_VERSION_NUMBER < 0x10002000L
- ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
- if(!ecdh){
- log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to create TLS ECDH curve.");
- return 1;
- }
- SSL_CTX_set_tmp_ecdh(listener->ssl_ctx, ecdh);
- EC_KEY_free(ecdh);
-#endif
 #endif
 snprintf(buf, 256, "mosquitto-%d", listener->port);
@@ -485,7 +467,7 @@ int net__socket_listen(struct mosquitto__listener *listener)
 X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK);
 }
-# ifdef REAL_WITH_TLS_PSK
+# ifdef WITH_TLS_PSK
 }else if(listener->psk_hint){
 if(tls_ex_index_context == -1){
 tls_ex_index_context = SSL_get_ex_new_index(0, "client context", NULL, NULL, NULL);
@@ -507,7 +489,7 @@ int net__socket_listen(struct mosquitto__listener *listener)
 return 1;
 }
 }
-# endif /* REAL_WITH_TLS_PSK */
+# endif /* WITH_TLS_PSK */
 }
 #endif /* WITH_TLS */
 return 0;
diff --git a/test/broker/08-tls-psk-bridge.py b/test/broker/08-tls-psk-bridge.py
index 97c27bb2..b4412879 100755
--- a/test/broker/08-tls-psk-bridge.py
+++ b/test/broker/08-tls-psk-bridge.py
@@ -9,10 +9,6 @@ if sys.version < '2.7':
 print("WARNING: SSL not supported on Python 2.6")
 exit(0)
-if ssl.OPENSSL_VERSION_NUMBER < 0x10000000:
- print("WARNING: TLS-PSK not supported on OpenSSL < 1.0")
- exit(0)
-
 import inspect, os
 # From http://stackoverflow.com/questions/279237/python-import-a-module-from-a-folder
diff --git a/test/broker/08-tls-psk-pub.py b/test/broker/08-tls-psk-pub.py
index a552f5ad..2c15a40a 100755
--- a/test/broker/08-tls-psk-pub.py
+++ b/test/broker/08-tls-psk-pub.py
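Review bot: Nothing enforces the new OpenSSL floor at compile time: once the `#elif OPENSSL_VERSION_NUMBER >= 0x10000000L && OPENSSL_VERSION_NUMBER < 0x10002000L` branch is gone from the @@ -310 hunk, a build against 1.0.1 would likely still compile but set up no ECDH curve at all, so the listener would presumably lose its ECDHE suites silently instead of failing the build. A guard beside the openssl include in lib/tls_mosq.h states the intent the commit message describes: `#if OPENSSL_VERSION_NUMBER < 0x10002000L` / `#error "OpenSSL >= 1.0.2 is required"` / `#endif`. With that in place the `>= 0x10002000L` lower bound in the surviving `#if` becomes redundant and the condition can shrink to `#if OPENSSL_VERSION_NUMBER < 0x10100000L`. mosquitto__tls_server_ctx starts and ends outside this hunk.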
@@ -8,10 +8,6 @@ if sys.version < '2.7':
 print("WARNING: SSL not supported on Python 2.6")
 exit(0)
-if ssl.OPENSSL_VERSION_NUMBER < 0x10000000:
- print("WARNING: TLS-PSK not supported on OpenSSL < 1.0")
- exit(0)
-
 import inspect, os
 # From http://stackoverflow.com/questions/279237/python-import-a-module-from-a-folder