From 762ad432e8d243dac8934603186efe10c500e76b Mon Sep 17 00:00:00 2001
From: "Roger A. Light"
Date: Tue, 12 May 2020 13:39:49 +0100
Subject: [PATCH] Fix support for openssl 3.0

---
 ChangeLog.txt  |  2 ++
 lib/net_mosq.c | 79 ++++++++++++++++++++++++++++++++++++--------------
 src/net.c      | 20 +++++++++++++
 3 files changed, 80 insertions(+), 21 deletions(-)

diff --git a/ChangeLog.txt b/ChangeLog.txt
index 08921778..a075207b 100644
--- a/ChangeLog.txt
+++ b/ChangeLog.txt
@@ -7,10 +7,12 @@ Broker: - Fix memory leak when connecting clients rejected. - Don't disconnect clients that are already disconnected. This prevents the session expiry being extended on SIGHUP. Closes #1521.
+- Fix support for openssl 3.0.
 Client library: - Don't treat an unexpected PUBACK, PUBREL, or PUBCOMP as a fatal error. Issue #1629.
+- Fix support for openssl 3.0.
 Clients: - Fix mosquitto_sub %j or %J not working on Windows. Closes #1674.
diff --git a/lib/net_mosq.c b/lib/net_mosq.c
index 8d9d9a7c..35650024 100644
--- a/lib/net_mosq.c
+++ b/lib/net_mosq.c
@@ -531,6 +531,60 @@ int net__socket_connect_tls(struct mosquitto *mosq)
 
 
 #ifdef WITH_TLS
+static int net__tls_load_ca(struct mosquitto *mosq)
+{
+	int ret;
+
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
+	ret = SSL_CTX_load_verify_locations(mosq->ssl_ctx, mosq->tls_cafile, mosq->tls_capath);
+	if(ret == 0){
+# ifdef WITH_BROKER
+		if(mosq->tls_cafile && mosq->tls_capath){
+			log__printf(mosq, MOSQ_LOG_ERR, "Error: Unable to load CA certificates, check bridge_cafile \"%s\" and bridge_capath \"%s\".", mosq->tls_cafile, mosq->tls_capath);
+		}else if(mosq->tls_cafile){
+			log__printf(mosq, MOSQ_LOG_ERR, "Error: Unable to load CA certificates, check bridge_cafile \"%s\".", mosq->tls_cafile);
+		}else{
+			log__printf(mosq, MOSQ_LOG_ERR, "Error: Unable to load CA certificates, check bridge_capath \"%s\".", mosq->tls_capath);
+		}
+# else
+		if(mosq->tls_cafile && mosq->tls_capath){
+			log__printf(mosq, MOSQ_LOG_ERR, "Error: Unable to load CA certificates, check cafile \"%s\" and capath \"%s\".", mosq->tls_cafile, mosq->tls_capath);
+		}else if(mosq->tls_cafile){
+			log__printf(mosq, MOSQ_LOG_ERR, "Error: Unable to load CA certificates, check cafile \"%s\".", mosq->tls_cafile);
+		}else{
+			log__printf(mosq, MOSQ_LOG_ERR, "Error: Unable to load CA certificates, check capath \"%s\".", mosq->tls_capath);
+		}
+# endif
+		return MOSQ_ERR_TLS;
+	}
+#else
+	if(mosq->tls_cafile){
+		ret = SSL_CTX_load_verify_file(mosq->ssl_ctx, mosq->tls_cafile);
+		if(ret == 0){
+# ifdef WITH_BROKER
+			log__printf(mosq, MOSQ_LOG_ERR, "Error: Unable to load CA certificates, check bridge_cafile \"%s\".", mosq->tls_cafile);
+# else
+			log__printf(mosq, MOSQ_LOG_ERR, "Error: Unable to load CA certificates, check cafile \"%s\".", mosq->tls_cafile);
+# endif
+			return MOSQ_ERR_TLS;
+		}
+	}
+	if(mosq->tls_capath){
+		ret = SSL_CTX_load_verify_dir(mosq->ssl_ctx, mosq->tls_capath);
+		if(ret == 0){
+# ifdef WITH_BROKER
+			log__printf(mosq, MOSQ_LOG_ERR, "Error: Unable to load CA certificates, check bridge_capath \"%s\".", mosq->tls_capath);
+# else
+			log__printf(mosq, MOSQ_LOG_ERR, "Error: Unable to load CA certificates, check capath \"%s\".", mosq->tls_capath);
+# endif
+			return MOSQ_ERR_TLS;
+		}
+	}
+#endif
+	return MOSQ_ERR_SUCCESS;
+}
+
+
 static int net__init_ssl_ctx(struct mosquitto *mosq)
 {
 	int ret;
@@ -643,28 +697,11 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
 		}
 	}
 	if(mosq->tls_cafile || mosq->tls_capath){
-		ret = SSL_CTX_load_verify_locations(mosq->ssl_ctx, mosq->tls_cafile, mosq->tls_capath);
-		if(ret == 0){
-#ifdef WITH_BROKER
-			if(mosq->tls_cafile && mosq->tls_capath){
-				log__printf(mosq, MOSQ_LOG_ERR, "Error: Unable to load CA certificates, check bridge_cafile \"%s\" and bridge_capath \"%s\".", mosq->tls_cafile, mosq->tls_capath);
-			}else if(mosq->tls_cafile){
-				log__printf(mosq, MOSQ_LOG_ERR, "Error: Unable to load CA certificates, check bridge_cafile \"%s\".", mosq->tls_cafile);
-			}else{
-				log__printf(mosq, MOSQ_LOG_ERR, "Error: Unable to load CA certificates, check bridge_capath \"%s\".", mosq->tls_capath);
-			}
-#else
-			if(mosq->tls_cafile && mosq->tls_capath){
-				log__printf(mosq, MOSQ_LOG_ERR, "Error: Unable to load CA certificates, check cafile \"%s\" and capath \"%s\".", mosq->tls_cafile, mosq->tls_capath);
-			}else if(mosq->tls_cafile){
-				log__printf(mosq, MOSQ_LOG_ERR, "Error: Unable to load CA certificates, check cafile \"%s\".", mosq->tls_cafile);
-			}else{
-				log__printf(mosq, MOSQ_LOG_ERR, "Error: Unable to load CA certificates, check capath \"%s\".", mosq->tls_capath);
-			}
-#endif
-#if !defined(OPENSSL_NO_ENGINE)
+		ret = net__tls_load_ca(mosq);
+		if(ret != MOSQ_ERR_SUCCESS){
+# if !defined(OPENSSL_NO_ENGINE)
 			ENGINE_FINISH(engine);
-#endif
+# endif
 			COMPAT_CLOSE(mosq->sock);
 			mosq->sock = INVALID_SOCKET;
 			net__print_ssl_error(mosq);
diff --git a/src/net.c b/src/net.c
index 689c43cc..169c0a99 100644
--- a/src/net.c
+++ b/src/net.c
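Review bot: net__tls_load_ca is undocumented, and its two version branches disagree when both mosq->tls_cafile and mosq->tls_capath are NULL: the pre-3.0 branch hands both to SSL_CTX_load_verify_locations and reports MOSQ_ERR_TLS, while the 3.0 branch skips both blocks and returns MOSQ_ERR_SUCCESS with no trust anchors loaded. The function is only sound because its caller in the next hunk guards on `if(mosq->tls_cafile || mosq->tls_capath)` and calls net__print_ssl_error after a failure; the helper itself logs which path failed but does not touch the OpenSSL error queue. Suggest recording that contract above the definition: `/* Load CA trust anchors from tls_cafile and/or tls_capath into mosq->ssl_ctx; caller must set at least one. Returns MOSQ_ERR_SUCCESS or MOSQ_ERR_TLS; logs the failing path and leaves the OpenSSL error queue for the caller to print. */`.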
@@ -444,6 +444,7 @@ int net__tls_load_verify(struct mosquitto__listener *listener)
 # endif
 	int rc;
 
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
 	rc = SSL_CTX_load_verify_locations(listener->ssl_ctx, listener->cafile, listener->capath);
 	if(rc == 0){
 		if(listener->cafile && listener->capath){
@@ -456,6 +457,25 @@ int net__tls_load_verify(struct mosquitto__listener *listener)
 		net__print_ssl_error(NULL);
 		return 1;
 	}
+#else
+	if(listener->cafile){
+		rc = SSL_CTX_load_verify_file(listener->ssl_ctx, listener->cafile);
+		if(rc == 0){
+			log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to load CA certificates. Check cafile \"%s\".", listener->cafile);
+			net__print_ssl_error(NULL);
+			return MOSQ_ERR_TLS;
+		}
+	}
+	if(listener->capath){
+		rc = SSL_CTX_load_verify_dir(listener->ssl_ctx, listener->capath);
+		if(rc == 0){
+			log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to load CA certificates. Check capath \"%s\".", listener->capath);
+			net__print_ssl_error(NULL);
+			return MOSQ_ERR_TLS;
+		}
+	}
+#endif
+
 	if(listener->tls_engine){
 #if !defined(OPENSSL_NO_ENGINE)
 		engine = ENGINE_by_id(listener->tls_engine);
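Review bot: The new OpenSSL 3.0 branches return MOSQ_ERR_TLS on failure while the surviving pre-3.0 branch, in the `return 1;` context line just above `#else`, returns 1, so net__tls_load_verify's failure value now depends on which OpenSSL the broker was built against and any caller comparing against a specific value behaves differently per build. Make the two consistent, either by changing the context line to `return MOSQ_ERR_TLS;` or by using `return 1;` in both new blocks. A second divergence: with both listener->cafile and listener->capath NULL, SSL_CTX_load_verify_locations fails and the function returns, whereas the 3.0 branch loads nothing and falls through to the engine setup, so a listener configured without CA material is rejected on 1.1 but continues with an empty trust store on 3.0; unless the caller already guards on one of them being set (not visible here), an explicit check belongs before the `#if`. The function starts before the first hunk and continues past the second.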