From 475a708d30edbcdad19bec2c9416bbe30172b817 Mon Sep 17 00:00:00 2001
From: "Roger A. Light"
Date: Wed, 11 Jan 2023 22:30:30 +0000
Subject: [PATCH] Fix openssl 3 deprecations.

---
 lib/net_mosq.c | 28 ++++++++++++++--------------
 lib/options.c | 8 ++++----
 src/net.c | 30 ++++++++++++++++++++++++++++--
 3 files changed, 46 insertions(+), 20 deletions(-)

diff --git a/lib/net_mosq.c b/lib/net_mosq.c
index e4e44d99..0b21981d 100644
--- a/lib/net_mosq.c
+++ b/lib/net_mosq.c
@@ -153,12 +153,12 @@ void net__cleanup(void)
 ERR_free_strings();
 ERR_remove_thread_state(NULL);
 EVP_cleanup();
+# endif
-# if !defined(OPENSSL_NO_ENGINE)
+# if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
 ENGINE_cleanup();
-# endif
- is_tls_initialized = false;
 # endif
+ is_tls_initialized = false;
 cleanup_ui_method();
 #endif
@@ -182,7 +182,7 @@ void net__init_tls(void)
 SSL_library_init();
 OpenSSL_add_all_algorithms();
 # endif
-#if !defined(OPENSSL_NO_ENGINE)
+#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
 ENGINE_load_builtin_engines();
 #endif
 setup_ui_method();
@@ -646,12 +646,12 @@ static int net__tls_load_ca(struct mosquitto *mosq)
 static int net__init_ssl_ctx(struct mosquitto *mosq)
 {
 int ret;
+#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
 ENGINE *engine = NULL;
- uint8_t tls_alpn_wire[256];
- uint8_t tls_alpn_len;
-#if !defined(OPENSSL_NO_ENGINE)
 EVP_PKEY *pkey;
 #endif
+ uint8_t tls_alpn_wire[256];
+ uint8_t tls_alpn_len;
 #ifndef WITH_BROKER
 if(mosq->user_ssl_ctx){
@@ -726,7 +726,7 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
 SSL_CTX_set_mode(mosq->ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
 #endif
-#if !defined(OPENSSL_NO_ENGINE)
+#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
 if(mosq->tls_engine){
 engine = ENGINE_by_id(mosq->tls_engine);
 if(!engine){
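Review bot: The new `OPENSSL_API_LEVEL < 30000` guard in the `#if` after `EVP_cleanup()` relies on an identifier that, as far as I know, only OpenSSL 3's `<openssl/macros.h>` defines; on 1.1.x it is undefined and the preprocessor silently evaluates it as 0, which happens to give the intended result but is flagged by `-Wundef` and reads as accidental to the next maintainer. The same condition is repeated verbatim in the other net_mosq.c hunks, in every options.c hunk and in the two src/net.c engine hunks, so there are roughly fourteen copies that can drift independently. I would define the predicate once in a shared header, e.g. `#if !defined(OPENSSL_NO_ENGINE) && (!defined(OPENSSL_API_LEVEL) || OPENSSL_API_LEVEL < 30000)` around a `#define MOSQ_ENGINE_SUPPORTED 1` (name constructed here), and replace each copy with `#if defined(MOSQ_ENGINE_SUPPORTED)`. A one-line comment at that definition saying that ENGINE APIs are deprecated in 3.0 and hidden when the application's API level is 3.0 or later would also document why the check is about API level rather than library version.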
@@ -747,7 +747,7 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
 ret = SSL_CTX_set_cipher_list(mosq->ssl_ctx, mosq->tls_ciphers);
 if(ret == 0){
 log__printf(mosq, MOSQ_LOG_ERR, "Error: Unable to set TLS ciphers. Check cipher list \"%s\".", mosq->tls_ciphers);
-#if !defined(OPENSSL_NO_ENGINE)
+#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
 ENGINE_FINISH(engine);
 #endif
 net__print_ssl_error(mosq);
@@ -768,7 +768,7 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
 if(mosq->tls_cafile || mosq->tls_capath || mosq->tls_use_os_certs){
 ret = net__tls_load_ca(mosq);
 if(ret != MOSQ_ERR_SUCCESS){
-# if !defined(OPENSSL_NO_ENGINE)
+# if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
 ENGINE_FINISH(engine);
 # endif
 net__print_ssl_error(mosq);
@@ -793,7 +793,7 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
 #else
 log__printf(mosq, MOSQ_LOG_ERR, "Error: Unable to load client certificate \"%s\".", mosq->tls_certfile);
 #endif
-#if !defined(OPENSSL_NO_ENGINE)
+#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
 ENGINE_FINISH(engine);
 #endif
 net__print_ssl_error(mosq);
@@ -802,7 +802,7 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
 }
 if(mosq->tls_keyfile){
 if(mosq->tls_keyform == mosq_k_engine){
-#if !defined(OPENSSL_NO_ENGINE)
+#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
 UI_METHOD *ui_method = net__get_ui_method();
 if(mosq->tls_engine_kpass_sha1){
 if(!ENGINE_ctrl_cmd(engine, ENGINE_SECRET_MODE, ENGINE_SECRET_MODE_SHA, NULL, NULL, 0)){
@@ -841,7 +841,7 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
 #else
 log__printf(mosq, MOSQ_LOG_ERR, "Error: Unable to load client key file \"%s\".", mosq->tls_keyfile);
 #endif
-#if !defined(OPENSSL_NO_ENGINE)
+#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
 ENGINE_FINISH(engine);
 #endif
 net__print_ssl_error(mosq);
@@ -851,7 +851,7 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
 ret = SSL_CTX_check_private_key(mosq->ssl_ctx);
 if(ret != 1){
 log__printf(mosq, MOSQ_LOG_ERR, "Error: Client certificate/key are inconsistent.");
-#if !defined(OPENSSL_NO_ENGINE)
+#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
 ENGINE_FINISH(engine);
 #endif
 net__print_ssl_error(mosq);
diff --git a/lib/options.c b/lib/options.c
index 782bd193..9b2ef9ed 100644
--- a/lib/options.c
+++ b/lib/options.c
@@ -266,7 +266,7 @@ int mosquitto_tls_insecure_set(struct mosquitto *mosq, bool value)
 int mosquitto_string_option(struct mosquitto *mosq, enum mosq_opt_t option, const char *value)
 {
-#ifdef WITH_TLS
+#if defined(WITH_TLS) && !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
 ENGINE *eng;
 char *str;
 #endif
@@ -275,7 +275,7 @@ int mosquitto_string_option(struct mosquitto *mosq, enum mosq_opt_t option, cons
 switch(option){
 case MOSQ_OPT_TLS_ENGINE:
-#if defined(WITH_TLS) && !defined(OPENSSL_NO_ENGINE)
+#if defined(WITH_TLS) && !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
 mosquitto__FREE(mosq->tls_engine);
 if(value){
 eng = ENGINE_by_id(value);
@@ -295,7 +295,7 @@ int mosquitto_string_option(struct mosquitto *mosq, enum mosq_opt_t option, cons
 break;
 case MOSQ_OPT_TLS_KEYFORM:
-#ifdef WITH_TLS
+#if defined(WITH_TLS) && !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
 if(!value) return MOSQ_ERR_INVAL;
 if(!strcasecmp(value, "pem")){
 mosq->tls_keyform = mosq_k_pem;
@@ -312,7 +312,7 @@ int mosquitto_string_option(struct mosquitto *mosq, enum mosq_opt_t option, cons
 case MOSQ_OPT_TLS_ENGINE_KPASS_SHA1:
-#ifdef WITH_TLS
+#if defined(WITH_TLS) && !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
 mosquitto__FREE(mosq->tls_engine_kpass_sha1);
 if(mosquitto__hex2bin_sha1(value, (unsigned char**)&str) != MOSQ_ERR_SUCCESS){
 return MOSQ_ERR_INVAL;
diff --git a/src/net.c b/src/net.c
index 2fb8fc47..097fd7e9 100644
--- a/src/net.c
+++ b/src/net.c
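Review bot: Gating `case MOSQ_OPT_TLS_KEYFORM:` on the engine condition changes what the option does on an OpenSSL 3 build (or any build with engines disabled): previously `#ifdef WITH_TLS` accepted `"pem"`, and now the whole case body is compiled out, so a client that explicitly sets the default `"pem"` keyform falls through to whatever the `#else` branch returns; that branch is outside the hunk, but if it is `MOSQ_ERR_NOT_SUPPORTED` as for the engine options this is a silent API regression for non-engine users. I would keep this case under `#ifdef WITH_TLS`, accept `"pem"` unconditionally, and put only the comparison that selects `mosq_k_engine` (presumably an `"engine"` string test further down, outside the hunk) under the engine guard, returning `MOSQ_ERR_NOT_SUPPORTED` for that value when it is compiled out. The `MOSQ_OPT_TLS_ENGINE_KPASS_SHA1` hunk is fine to guard this way since it only makes sense with an engine. `mosquitto_string_option` continues outside these hunks.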
@@ -345,8 +345,13 @@ int net__tls_server_ctx(struct mosquitto__listener *listener)
 {
 char buf[256];
 int rc;
+#if OPENSSL_VERSION_NUMBER >= 0x30000000
+ BIO *bio;
+ EVP_PKEY *dhparam = NULL;
+#else
 FILE *dhparamfile;
 DH *dhparam = NULL;
+#endif
 if(listener->ssl_ctx){
 SSL_CTX_free(listener->ssl_ctx);
@@ -458,6 +463,26 @@ int net__tls_server_ctx(struct mosquitto__listener *listener)
 #endif
 if(listener->dhparamfile){
+#if OPENSSL_VERSION_NUMBER >= 0x30000000
+ bio = BIO_new_file(listener->dhparamfile, "r");
+ if(!bio){
+ log__printf(NULL, MOSQ_LOG_ERR, "Error loading dhparamfile \"%s\".", listener->dhparamfile);
+ return MOSQ_ERR_TLS;
+ }
+ dhparam = EVP_PKEY_new();
+ if(dhparam == NULL || !PEM_read_bio_Parameters(bio, &dhparam)){
+ BIO_free(bio);
+ log__printf(NULL, MOSQ_LOG_ERR, "Error loading dhparamfile \"%s\".", listener->dhparamfile);
+ net__print_ssl_error(NULL);
+ return MOSQ_ERR_TLS;
+ }
+ BIO_free(bio);
+ if(dhparam == NULL || SSL_CTX_set0_tmp_dh_pkey(listener->ssl_ctx, dhparam) != 1){
+ log__printf(NULL, MOSQ_LOG_ERR, "Error loading dhparamfile \"%s\".", listener->dhparamfile);
+ net__print_ssl_error(NULL);
+ return MOSQ_ERR_TLS;
+ }
+#else
 dhparamfile = fopen(listener->dhparamfile, "r");
 if(!dhparamfile){
 log__printf(NULL, MOSQ_LOG_ERR, "Error loading dhparamfile \"%s\".", listener->dhparamfile);
@@ -471,6 +496,7 @@ int net__tls_server_ctx(struct mosquitto__listener *listener)
 net__print_ssl_error(NULL);
 return MOSQ_ERR_TLS;
 }
+#endif
 }
 return MOSQ_ERR_SUCCESS;
 }
@@ -549,7 +575,7 @@ int net__load_certificates(struct mosquitto__listener *listener)
 }
-#if defined(WITH_TLS) && !defined(OPENSSL_NO_ENGINE)
+#if defined(WITH_TLS) && !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
 static int net__load_engine(struct mosquitto__listener *listener)
 {
 ENGINE *engine = NULL;
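Review bot: In the new OpenSSL 3 path under `if(listener->dhparamfile){`, the `EVP_PKEY` from `EVP_PKEY_new()` is not released on either error return: if `PEM_read_bio_Parameters()` fails the pre-allocated object is leaked (unless the reader frees the caller's object on failure, which I do not believe it does), and if `SSL_CTX_set0_tmp_dh_pkey()` fails the parsed parameters are leaked as well, since as far as I can tell ownership only passes to the context on success. Because `net__tls_server_ctx` frees and rebuilds the context (the `SSL_CTX_free` at the top of the -345 hunk), this looks like a leak that repeats on every reload of a misconfigured listener rather than a one-off at startup. Letting the PEM reader allocate removes the first leak and the now-redundant second `dhparam == NULL` test: `dhparam = PEM_read_bio_Parameters(bio, NULL);` followed by `if(dhparam == NULL){`, and the `set0` failure branch should gain `EVP_PKEY_free(dhparam);` before its `return MOSQ_ERR_TLS;`. A short comment on why this path keys on `OPENSSL_VERSION_NUMBER` while the engine guards elsewhere key on `OPENSSL_API_LEVEL` (availability of the new API versus visibility of the deprecated one) would save the next reader the same question.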
@@ -644,7 +670,7 @@ int net__tls_load_verify(struct mosquitto__listener *listener)
 }
 # endif
-# if !defined(OPENSSL_NO_ENGINE)
+# if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
 if(net__load_engine(listener)){
 return MOSQ_ERR_TLS;
 }