Fix openssl 3 deprecations.

3 years ago · 475a708d30
parent 291e46bb1a
commit 475a708d30
3 changed files with 46 additions and 20 deletions
--- a/lib/net_mosq.c
+++ b/lib/net_mosq.c
@ -153,12 +153,12 @@ void net__cleanup(void)
 	ERR_free_strings();
 	ERR_remove_thread_state(NULL);
 	EVP_cleanup();
+#  endif

-#    if !defined(OPENSSL_NO_ENGINE)
+#  if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
 	ENGINE_cleanup();
-#    endif
-	is_tls_initialized = false;
 #  endif
+	is_tls_initialized = false;

 	cleanup_ui_method();
 #endif
@ -182,7 +182,7 @@ void net__init_tls(void)
 	SSL_library_init();
 	OpenSSL_add_all_algorithms();
 #  endif
-#if !defined(OPENSSL_NO_ENGINE)
+#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
 	ENGINE_load_builtin_engines();
 #endif
 	setup_ui_method();
@ -646,12 +646,12 @@ static int net__tls_load_ca(struct mosquitto *mosq)
 static int net__init_ssl_ctx(struct mosquitto *mosq)
 {
 	int ret;
+#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
 	ENGINE *engine = NULL;
-	uint8_t tls_alpn_wire[256];
-	uint8_t tls_alpn_len;
-#if !defined(OPENSSL_NO_ENGINE)
 	EVP_PKEY *pkey;
 #endif
+	uint8_t tls_alpn_wire[256];
+	uint8_t tls_alpn_len;

 #ifndef WITH_BROKER
 	if(mosq->user_ssl_ctx){
@ -726,7 +726,7 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
 			SSL_CTX_set_mode(mosq->ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
 #endif

-#if !defined(OPENSSL_NO_ENGINE)
+#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
 		if(mosq->tls_engine){
 			engine = ENGINE_by_id(mosq->tls_engine);
 			if(!engine){
@ -747,7 +747,7 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
 			ret = SSL_CTX_set_cipher_list(mosq->ssl_ctx, mosq->tls_ciphers);
 			if(ret == 0){
 				log__printf(mosq, MOSQ_LOG_ERR, "Error: Unable to set TLS ciphers. Check cipher list \"%s\".", mosq->tls_ciphers);
-#if !defined(OPENSSL_NO_ENGINE)
+#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
 				ENGINE_FINISH(engine);
 #endif
 				net__print_ssl_error(mosq);
@ -768,7 +768,7 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
 		if(mosq->tls_cafile || mosq->tls_capath || mosq->tls_use_os_certs){
 			ret = net__tls_load_ca(mosq);
 			if(ret != MOSQ_ERR_SUCCESS){
-#  if !defined(OPENSSL_NO_ENGINE)
+#  if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
 				ENGINE_FINISH(engine);
 #  endif
 				net__print_ssl_error(mosq);
@ -793,7 +793,7 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
 #else
 					log__printf(mosq, MOSQ_LOG_ERR, "Error: Unable to load client certificate \"%s\".", mosq->tls_certfile);
 #endif
-#if !defined(OPENSSL_NO_ENGINE)
+#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
 					ENGINE_FINISH(engine);
 #endif
 					net__print_ssl_error(mosq);
@ -802,7 +802,7 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
 			}
 			if(mosq->tls_keyfile){
 				if(mosq->tls_keyform == mosq_k_engine){
-#if !defined(OPENSSL_NO_ENGINE)
+#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
 					UI_METHOD *ui_method = net__get_ui_method();
 					if(mosq->tls_engine_kpass_sha1){
 						if(!ENGINE_ctrl_cmd(engine, ENGINE_SECRET_MODE, ENGINE_SECRET_MODE_SHA, NULL, NULL, 0)){
@ -841,7 +841,7 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
 #else
 						log__printf(mosq, MOSQ_LOG_ERR, "Error: Unable to load client key file \"%s\".", mosq->tls_keyfile);
 #endif
-#if !defined(OPENSSL_NO_ENGINE)
+#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
 						ENGINE_FINISH(engine);
 #endif
 						net__print_ssl_error(mosq);
@ -851,7 +851,7 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
 				ret = SSL_CTX_check_private_key(mosq->ssl_ctx);
 				if(ret != 1){
 					log__printf(mosq, MOSQ_LOG_ERR, "Error: Client certificate/key are inconsistent.");
-#if !defined(OPENSSL_NO_ENGINE)
+#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
 					ENGINE_FINISH(engine);
 #endif
 					net__print_ssl_error(mosq);
--- a/lib/options.c
+++ b/lib/options.c
@ -266,7 +266,7 @@ int mosquitto_tls_insecure_set(struct mosquitto *mosq, bool value)

 int mosquitto_string_option(struct mosquitto *mosq, enum mosq_opt_t option, const char *value)
 {
-#ifdef WITH_TLS
+#if defined(WITH_TLS) && !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
 	ENGINE *eng;
 	char *str;
 #endif
@ -275,7 +275,7 @@ int mosquitto_string_option(struct mosquitto *mosq, enum mosq_opt_t option, cons

 	switch(option){
 		case MOSQ_OPT_TLS_ENGINE:
-#if defined(WITH_TLS) && !defined(OPENSSL_NO_ENGINE)
+#if defined(WITH_TLS) && !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
 			mosquitto__FREE(mosq->tls_engine);
 			if(value){
 				eng = ENGINE_by_id(value);
@ -295,7 +295,7 @@ int mosquitto_string_option(struct mosquitto *mosq, enum mosq_opt_t option, cons
 			break;

 		case MOSQ_OPT_TLS_KEYFORM:
-#ifdef WITH_TLS
+#if defined(WITH_TLS) && !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
 			if(!value) return MOSQ_ERR_INVAL;
 			if(!strcasecmp(value, "pem")){
 				mosq->tls_keyform = mosq_k_pem;
@ -312,7 +312,7 @@ int mosquitto_string_option(struct mosquitto *mosq, enum mosq_opt_t option, cons


 		case MOSQ_OPT_TLS_ENGINE_KPASS_SHA1:
-#ifdef WITH_TLS
+#if defined(WITH_TLS) && !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
 			mosquitto__FREE(mosq->tls_engine_kpass_sha1);
 			if(mosquitto__hex2bin_sha1(value, (unsigned char**)&str) != MOSQ_ERR_SUCCESS){
 				return MOSQ_ERR_INVAL;
--- a/src/net.c
+++ b/src/net.c
@ -345,8 +345,13 @@ int net__tls_server_ctx(struct mosquitto__listener *listener)
 {
 	char buf[256];
 	int rc;
+#if OPENSSL_VERSION_NUMBER >= 0x30000000
+	BIO *bio;
+	EVP_PKEY *dhparam = NULL;
+#else
 	FILE *dhparamfile;
 	DH *dhparam = NULL;
+#endif

 	if(listener->ssl_ctx){
 		SSL_CTX_free(listener->ssl_ctx);
@ -458,6 +463,26 @@ int net__tls_server_ctx(struct mosquitto__listener *listener)
 #endif

 	if(listener->dhparamfile){
+#if OPENSSL_VERSION_NUMBER >= 0x30000000
+		bio = BIO_new_file(listener->dhparamfile, "r");
+		if(!bio){
+			log__printf(NULL, MOSQ_LOG_ERR, "Error loading dhparamfile \"%s\".", listener->dhparamfile);
+			return MOSQ_ERR_TLS;
+		}
+		dhparam = EVP_PKEY_new();
+		if(dhparam == NULL || !PEM_read_bio_Parameters(bio, &dhparam)){
+			BIO_free(bio);
+			log__printf(NULL, MOSQ_LOG_ERR, "Error loading dhparamfile \"%s\".", listener->dhparamfile);
+			net__print_ssl_error(NULL);
+			return MOSQ_ERR_TLS;
+		}
+		BIO_free(bio);
+		if(dhparam == NULL || SSL_CTX_set0_tmp_dh_pkey(listener->ssl_ctx, dhparam) != 1){
+			log__printf(NULL, MOSQ_LOG_ERR, "Error loading dhparamfile \"%s\".", listener->dhparamfile);
+			net__print_ssl_error(NULL);
+			return MOSQ_ERR_TLS;
+		}
+#else
 		dhparamfile = fopen(listener->dhparamfile, "r");
 		if(!dhparamfile){
 			log__printf(NULL, MOSQ_LOG_ERR, "Error loading dhparamfile \"%s\".", listener->dhparamfile);
@ -471,6 +496,7 @@ int net__tls_server_ctx(struct mosquitto__listener *listener)
 			net__print_ssl_error(NULL);
 			return MOSQ_ERR_TLS;
 		}
+#endif
 	}
 	return MOSQ_ERR_SUCCESS;
 }
@ -549,7 +575,7 @@ int net__load_certificates(struct mosquitto__listener *listener)
 }


-#if defined(WITH_TLS) && !defined(OPENSSL_NO_ENGINE)
+#if defined(WITH_TLS) && !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
 static int net__load_engine(struct mosquitto__listener *listener)
 {
 	ENGINE *engine = NULL;
@ -644,7 +670,7 @@ int net__tls_load_verify(struct mosquitto__listener *listener)
 	}
 #  endif

-#  if !defined(OPENSSL_NO_ENGINE)
+#  if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
 	if(net__load_engine(listener)){
 		return MOSQ_ERR_TLS;
 	}