Remove support for openssl 1.0.0 and 1.0.1.

These are no longer supported by openssl.
8 years ago · 24d68b5af8
parent 8470ca89b9
commit 24d68b5af8
14 changed files with 30 additions and 86 deletions
--- a/ChangeLog.txt
+++ b/ChangeLog.txt
@ -133,6 +133,8 @@ Build:
 - Add WITH_STATIC_LIBRARIES (defaulting to "no") that when set to "yes" will
  build and install static versions of the client libraries.
 - Don't run TLS-PSK tests if TLS-PSK disabled at compile time. Closes #636.
+- Support for openssl versions 1.0.0 and 1.0.1 has been removed as these are
+  no longer supported by openssl.

 Documentation:
 - Replace mentions of deprecated 'c_rehash' with 'openssl rehash'.
--- a/lib/net_mosq.c
+++ b/lib/net_mosq.c
@ -190,7 +190,7 @@ int net__socket_close(struct mosquitto *mosq)
 }


-#ifdef REAL_WITH_TLS_PSK
+#ifdef WITH_TLS_PSK
 static unsigned int psk_client_callback(SSL *ssl, const char *hint,
 		char *identity, unsigned int max_identity_len,
 		unsigned char *psk, unsigned int max_psk_len)
@ -458,7 +458,6 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
 	}

 	if(mosq->tls_cafile || mosq->tls_capath || mosq->tls_psk){
-#if OPENSSL_VERSION_NUMBER >= 0x10001000L
 		if(!mosq->tls_version){
 			mosq->ssl_ctx = SSL_CTX_new(SSLv23_client_method());
 		}else if(!strcmp(mosq->tls_version, "tlsv1.2")){
@ -472,15 +471,7 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
 			COMPAT_CLOSE(mosq->sock);
 			return MOSQ_ERR_INVAL;
 		}
-#else
-		if(!mosq->tls_version || !strcmp(mosq->tls_version, "tlsv1")){
-			mosq->ssl_ctx = SSL_CTX_new(TLSv1_client_method());
-		}else{
-			log__printf(mosq, MOSQ_LOG_ERR, "Error: Protocol %s not supported.", mosq->tls_version);
-			COMPAT_CLOSE(mosq->sock);
-			return MOSQ_ERR_INVAL;
-		}
-#endif
+
 		if(!mosq->ssl_ctx){
 			log__printf(mosq, MOSQ_LOG_ERR, "Error: Unable to create TLS context.");
 			COMPAT_CLOSE(mosq->sock);
@ -488,10 +479,9 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
 			return MOSQ_ERR_TLS;
 		}

-#if OPENSSL_VERSION_NUMBER >= 0x10000000
 		/* Disable compression */
 		SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_COMPRESSION);
-#endif
+
 #ifdef SSL_MODE_RELEASE_BUFFERS
 			/* Use even less memory per SSL connection. */
 			SSL_CTX_set_mode(mosq->ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
@ -574,7 +564,7 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
 					return MOSQ_ERR_TLS;
 				}
 			}
-#ifdef REAL_WITH_TLS_PSK
+#ifdef WITH_TLS_PSK
 		}else if(mosq->tls_psk){
 			SSL_CTX_set_psk_client_callback(mosq->ssl_ctx, psk_client_callback);
 #endif
--- a/lib/options.c
+++ b/lib/options.c
@ -175,7 +175,6 @@ int mosquitto_tls_opts_set(struct mosquitto *mosq, int cert_reqs, const char *tl

 	mosq->tls_cert_reqs = cert_reqs;
 	if(tls_version){
-#if OPENSSL_VERSION_NUMBER >= 0x10001000L
 		if(!strcasecmp(tls_version, "tlsv1.2")
 				|| !strcasecmp(tls_version, "tlsv1.1")
 				|| !strcasecmp(tls_version, "tlsv1")){
@ -185,20 +184,8 @@ int mosquitto_tls_opts_set(struct mosquitto *mosq, int cert_reqs, const char *tl
 		}else{
 			return MOSQ_ERR_INVAL;
 		}
-#else
-		if(!strcasecmp(tls_version, "tlsv1")){
-			mosq->tls_version = mosquitto__strdup(tls_version);
-			if(!mosq->tls_version) return MOSQ_ERR_NOMEM;
-		}else{
-			return MOSQ_ERR_INVAL;
-		}
-#endif
 	}else{
-#if OPENSSL_VERSION_NUMBER >= 0x10001000L
 		mosq->tls_version = mosquitto__strdup("tlsv1.2");
-#else
-		mosq->tls_version = mosquitto__strdup("tlsv1");
-#endif
 		if(!mosq->tls_version) return MOSQ_ERR_NOMEM;
 	}
 	if(ciphers){
@ -231,7 +218,7 @@ int mosquitto_tls_insecure_set(struct mosquitto *mosq, bool value)

 int mosquitto_tls_psk_set(struct mosquitto *mosq, const char *psk, const char *identity, const char *ciphers)
 {
-#ifdef REAL_WITH_TLS_PSK
+#ifdef WITH_TLS_PSK
 	if(!mosq || !psk || !identity) return MOSQ_ERR_INVAL;

 	/* Check for hex only digits */
--- a/lib/tls_mosq.h
+++ b/lib/tls_mosq.h
@ -26,13 +26,6 @@ Contributors:
 #ifdef WITH_TLS

 #include <openssl/ssl.h>
-#ifdef WITH_TLS_PSK
-#  if OPENSSL_VERSION_NUMBER >= 0x10000000
-#    define REAL_WITH_TLS_PSK
-#  else
-#    warning "TLS-PSK not supported, openssl too old."
-#  endif
-#endif

 int mosquitto__server_certificate_verify(int preverify_ok, X509_STORE_CTX *ctx);
 int mosquitto__verify_certificate_hostname(X509 *cert, const char *hostname);
--- a/lib/util_mosq.c
+++ b/lib/util_mosq.c
@ -344,7 +344,7 @@ int mosquitto_topic_matches_sub2(const char *sub, size_t sublen, const char *top
 	return MOSQ_ERR_SUCCESS;
 }

-#ifdef REAL_WITH_TLS_PSK
+#ifdef WITH_TLS_PSK
 int mosquitto__hex2bin(const char *hex, unsigned char *bin, int bin_max_len)
 {
 	BIGNUM *bn = NULL;
--- a/lib/util_mosq.h
+++ b/lib/util_mosq.h
@ -33,7 +33,7 @@ void mosquitto__check_keepalive(struct mosquitto *mosq);
 uint16_t mosquitto__mid_generate(struct mosquitto *mosq);
 FILE *mosquitto__fopen(const char *path, const char *mode, bool restrict_read);

-#ifdef REAL_WITH_TLS_PSK
+#ifdef WITH_TLS_PSK
 int mosquitto__hex2bin(const char *hex, unsigned char *bin, int bin_max_len);
 #endif

--- a/mosquitto.conf
+++ b/mosquitto.conf
@ -221,10 +221,8 @@
 #keyfile

 # This option defines the version of the TLS protocol to use for this listener.
-# The default value allows v1.2, v1.1 and v1.0, if they are all supported by
-# the version of openssl that the broker was compiled against. For openssl >=
-# 1.0.1 the valid values are tlsv1.2 tlsv1.1 and tlsv1. For openssl < 1.0.1 the
-# valid values are tlsv1.
+# The default value allows v1.2, v1.1 and v1.0. The valid values are tlsv1.2
+# tlsv1.1 and tlsv1.
 #tls_version

 # By default a TLS enabled listener will operate in a similar fashion to a
--- a/src/bridge.c
+++ b/src/bridge.c
@ -82,7 +82,7 @@ int bridge__new(struct mosquitto_db *db, struct mosquitto__bridge *bridge)
 	new_context->tls_cert_reqs = SSL_VERIFY_PEER;
 	new_context->tls_version = new_context->bridge->tls_version;
 	new_context->tls_insecure = new_context->bridge->tls_insecure;
-#ifdef REAL_WITH_TLS_PSK
+#ifdef WITH_TLS_PSK
 	new_context->tls_psk_identity = new_context->bridge->tls_psk_identity;
 	new_context->tls_psk = new_context->bridge->tls_psk;
 #endif
--- a/src/conf.c
+++ b/src/conf.c
@ -315,7 +315,7 @@ void config__cleanup(struct mosquitto__config *config)
 #ifdef WITH_TLS
 			mosquitto__free(config->bridges[i].tls_version);
 			mosquitto__free(config->bridges[i].tls_cafile);
-#ifdef REAL_WITH_TLS_PSK
+#ifdef WITH_TLS_PSK
 			mosquitto__free(config->bridges[i].tls_psk_identity);
 			mosquitto__free(config->bridges[i].tls_psk);
 #endif
@ -586,7 +586,7 @@ int config__read(struct mosquitto__config *config, bool reload)
 			log__printf(NULL, MOSQ_LOG_ERR, "Error: Invalid bridge configuration.");
 			return MOSQ_ERR_INVAL;
 		}
-#ifdef REAL_WITH_TLS_PSK
+#ifdef WITH_TLS_PSK
 		if(config->bridges[i].tls_psk && !config->bridges[i].tls_psk_identity){
 			log__printf(NULL, MOSQ_LOG_ERR, "Error: Invalid bridge configuration: missing bridge_identity.\n");
 			return MOSQ_ERR_INVAL;
@ -809,7 +809,7 @@ int config__read_file_core(struct mosquitto__config *config, bool reload, const
 						log__printf(NULL, MOSQ_LOG_ERR, "Error: Invalid bridge configuration.");
 						return MOSQ_ERR_INVAL;
 					}
-#ifdef REAL_WITH_TLS_PSK
+#ifdef WITH_TLS_PSK
 					if(cur_bridge->tls_psk_identity || cur_bridge->tls_psk){
 						log__printf(NULL, MOSQ_LOG_ERR, "Error: Cannot use both certificate and psk encryption in a single bridge.");
 						return MOSQ_ERR_INVAL;
@ -826,7 +826,7 @@ int config__read_file_core(struct mosquitto__config *config, bool reload, const
 						log__printf(NULL, MOSQ_LOG_ERR, "Error: Invalid bridge configuration.");
 						return MOSQ_ERR_INVAL;
 					}
-#ifdef REAL_WITH_TLS_PSK
+#ifdef WITH_TLS_PSK
 					if(cur_bridge->tls_psk_identity || cur_bridge->tls_psk){
 						log__printf(NULL, MOSQ_LOG_ERR, "Error: Cannot use both certificate and psk encryption in a single bridge.");
 						return MOSQ_ERR_INVAL;
@ -843,7 +843,7 @@ int config__read_file_core(struct mosquitto__config *config, bool reload, const
 						log__printf(NULL, MOSQ_LOG_ERR, "Error: Invalid bridge configuration.");
 						return MOSQ_ERR_INVAL;
 					}
-#ifdef REAL_WITH_TLS_PSK
+#ifdef WITH_TLS_PSK
 					if(cur_bridge->tls_psk_identity || cur_bridge->tls_psk){
 						log__printf(NULL, MOSQ_LOG_ERR, "Error: Cannot use both certificate and psk encryption in a single bridge.");
 						return MOSQ_ERR_INVAL;
@ -854,7 +854,7 @@ int config__read_file_core(struct mosquitto__config *config, bool reload, const
 					log__printf(NULL, MOSQ_LOG_WARNING, "Warning: Bridge and/or TLS support not available.");
 #endif
 				}else if(!strcmp(token, "bridge_identity")){
-#if defined(WITH_BRIDGE) && defined(REAL_WITH_TLS_PSK)
+#if defined(WITH_BRIDGE) && defined(WITH_TLS_PSK)
 					if(reload) continue; // FIXME
 					if(!cur_bridge){
 						log__printf(NULL, MOSQ_LOG_ERR, "Error: Invalid bridge configuration.");
@ -889,7 +889,7 @@ int config__read_file_core(struct mosquitto__config *config, bool reload, const
 						log__printf(NULL, MOSQ_LOG_ERR, "Error: Invalid bridge configuration.");
 						return MOSQ_ERR_INVAL;
 					}
-#ifdef REAL_WITH_TLS_PSK
+#ifdef WITH_TLS_PSK
 					if(cur_bridge->tls_psk_identity || cur_bridge->tls_psk){
 						log__printf(NULL, MOSQ_LOG_ERR, "Error: Cannot use both certificate and psk encryption in a single bridge.");
 						return MOSQ_ERR_INVAL;
@ -924,7 +924,7 @@ int config__read_file_core(struct mosquitto__config *config, bool reload, const
 					log__printf(NULL, MOSQ_LOG_WARNING, "Warning: Bridge support not available.");
 #endif
 				}else if(!strcmp(token, "bridge_psk")){
-#if defined(WITH_BRIDGE) && defined(REAL_WITH_TLS_PSK)
+#if defined(WITH_BRIDGE) && defined(WITH_TLS_PSK)
 					if(reload) continue; // FIXME
 					if(!cur_bridge){
 						log__printf(NULL, MOSQ_LOG_ERR, "Error: Invalid bridge configuration.");
@ -1554,7 +1554,7 @@ int config__read_file_core(struct mosquitto__config *config, bool reload, const
 						log__printf(NULL, MOSQ_LOG_ERR, "Error: Empty protocol value in configuration.");
 					}
 				}else if(!strcmp(token, "psk_file")){
-#ifdef REAL_WITH_TLS_PSK
+#ifdef WITH_TLS_PSK
 					conf__set_cur_security_options(config, cur_listener, &cur_security_options);
 					if(reload){
 						mosquitto__free(cur_security_options->psk_file);
@ -1565,7 +1565,7 @@ int config__read_file_core(struct mosquitto__config *config, bool reload, const
 					log__printf(NULL, MOSQ_LOG_WARNING, "Warning: TLS/TLS-PSK support not available.");
 #endif
 				}else if(!strcmp(token, "psk_hint")){
-#ifdef REAL_WITH_TLS_PSK
+#ifdef WITH_TLS_PSK
 					if(reload) continue; // Listeners not valid for reloading.
 					if(conf__parse_string(&token, "psk_hint", &cur_listener->psk_hint, saveptr)) return MOSQ_ERR_INVAL;
 #else
--- a/src/handle_connect.c
+++ b/src/handle_connect.c
@ -396,7 +396,7 @@ int handle__connect(struct mosquitto_db *db, struct mosquitto *context)
 			rc = 1;
 			goto handle_connect_error;
 		}
-#ifdef REAL_WITH_TLS_PSK
+#ifdef WITH_TLS_PSK
 		if(context->listener->psk_hint){
 			/* Client should have provided an identity to get this far. */
 			if(!context->username){
@ -405,7 +405,7 @@ int handle__connect(struct mosquitto_db *db, struct mosquitto *context)
 				goto handle_connect_error;
 			}
 		}else{
-#endif /* REAL_WITH_TLS_PSK */
+#endif /* WITH_TLS_PSK */
 			client_cert = SSL_get_peer_certificate(context->ssl);
 			if(!client_cert){
 				send__connack(context, 0, CONNACK_REFUSED_BAD_USERNAME_PASSWORD);
@ -451,9 +451,9 @@ int handle__connect(struct mosquitto_db *db, struct mosquitto *context)
 			}
 			X509_free(client_cert);
 			client_cert = NULL;
-#ifdef REAL_WITH_TLS_PSK
+#ifdef WITH_TLS_PSK
 		}
-#endif /* REAL_WITH_TLS_PSK */
+#endif /* WITH_TLS_PSK */
 	}else{
 #endif /* WITH_TLS */
 		if(username_flag){
--- a/src/mosquitto_broker_internal.h
+++ b/src/mosquitto_broker_internal.h
@ -458,7 +458,7 @@ struct mosquitto__bridge{
 	char *tls_certfile;
 	char *tls_keyfile;
 	char *tls_version;
-#  ifdef REAL_WITH_TLS_PSK
+#  ifdef WITH_TLS_PSK
 	char *tls_psk_identity;
 	char *tls_psk;
 #  endif
--- a/src/net.c
+++ b/src/net.c
@ -209,7 +209,7 @@ static int client_certificate_verify(int preverify_ok, X509_STORE_CTX *ctx)
 }
 #endif

-#ifdef REAL_WITH_TLS_PSK
+#ifdef WITH_TLS_PSK
 static unsigned int psk_server_callback(SSL *ssl, const char *identity, unsigned char *psk, unsigned int max_psk_len)
 {
 	struct mosquitto_db *db;
@ -266,13 +266,7 @@ static int mosquitto__tls_server_ctx(struct mosquitto__listener *listener)
 	int ssl_options = 0;
 	char buf[256];
 	int rc;
-#ifdef WITH_EC
-#if OPENSSL_VERSION_NUMBER >= 0x10000000L && OPENSSL_VERSION_NUMBER < 0x10002000L
-	EC_KEY *ecdh = NULL;
-#endif
-#endif

-#if OPENSSL_VERSION_NUMBER >= 0x10001000L
 	if(listener->tls_version == NULL){
 		listener->ssl_ctx = SSL_CTX_new(SSLv23_server_method());
 	}else if(!strcmp(listener->tls_version, "tlsv1.2")){
@ -282,9 +276,6 @@ static int mosquitto__tls_server_ctx(struct mosquitto__listener *listener)
 	}else if(!strcmp(listener->tls_version, "tlsv1")){
 		listener->ssl_ctx = SSL_CTX_new(TLSv1_server_method());
 	}
-#else
-	listener->ssl_ctx = SSL_CTX_new(SSLv23_server_method());
-#endif
 	if(!listener->ssl_ctx){
 		log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to create TLS context.");
 		return 1;
@ -310,15 +301,6 @@ static int mosquitto__tls_server_ctx(struct mosquitto__listener *listener)
 #ifdef WITH_EC
 #if OPENSSL_VERSION_NUMBER >= 0x10002000L && OPENSSL_VERSION_NUMBER < 0x10100000L
 	SSL_CTX_set_ecdh_auto(listener->ssl_ctx, 1);
-#elif OPENSSL_VERSION_NUMBER >= 0x10000000L && OPENSSL_VERSION_NUMBER < 0x10002000L
-	ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
-	if(!ecdh){
-		log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to create TLS ECDH curve.");
-		return 1;
-	}
-	SSL_CTX_set_tmp_ecdh(listener->ssl_ctx, ecdh);
-	EC_KEY_free(ecdh);
-#endif
 #endif

 	snprintf(buf, 256, "mosquitto-%d", listener->port);
@ -485,7 +467,7 @@ int net__socket_listen(struct mosquitto__listener *listener)
 				X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK);
 			}

-#  ifdef REAL_WITH_TLS_PSK
+#  ifdef WITH_TLS_PSK
 		}else if(listener->psk_hint){
 			if(tls_ex_index_context == -1){
 				tls_ex_index_context = SSL_get_ex_new_index(0, "client context", NULL, NULL, NULL);
@ -507,7 +489,7 @@ int net__socket_listen(struct mosquitto__listener *listener)
 					return 1;
 				}
 			}
-#  endif /* REAL_WITH_TLS_PSK */
+#  endif /* WITH_TLS_PSK */
 		}
 #endif /* WITH_TLS */
 		return 0;
--- a/test/broker/08-tls-psk-bridge.py
+++ b/test/broker/08-tls-psk-bridge.py
@ -9,10 +9,6 @@ if sys.version < '2.7':
    print("WARNING: SSL not supported on Python 2.6")
    exit(0)

-if ssl.OPENSSL_VERSION_NUMBER < 0x10000000:
-    print("WARNING: TLS-PSK not supported on OpenSSL < 1.0")
-    exit(0)
-

 import inspect, os
 # From http://stackoverflow.com/questions/279237/python-import-a-module-from-a-folder
--- a/test/broker/08-tls-psk-pub.py
+++ b/test/broker/08-tls-psk-pub.py
@ -8,10 +8,6 @@ if sys.version < '2.7':
    print("WARNING: SSL not supported on Python 2.6")
    exit(0)

-if ssl.OPENSSL_VERSION_NUMBER < 0x10000000:
-    print("WARNING: TLS-PSK not supported on OpenSSL < 1.0")
-    exit(0)
-

 import inspect, os
 # From http://stackoverflow.com/questions/279237/python-import-a-module-from-a-folder