Fix support for openssl 3.0

5 years ago · 762ad432e8
parent 24049b1a1e
commit 762ad432e8
3 changed files with 80 additions and 21 deletions
--- a/ChangeLog.txt
+++ b/ChangeLog.txt
@ -7,10 +7,12 @@ Broker:
 - Fix memory leak when connecting clients rejected.
 - Don't disconnect clients that are already disconnected. This prevents the
  session expiry being extended on SIGHUP. Closes #1521.
 - Fix support for openssl 3.0.
 Client library:
 - Don't treat an unexpected PUBACK, PUBREL, or PUBCOMP as a fatal error.
  Issue #1629.
 - Fix support for openssl 3.0.
 Clients:
 - Fix mosquitto_sub %j or %J not working on Windows. Closes #1674.
--- a/lib/net_mosq.c
+++ b/lib/net_mosq.c
@ -531,6 +531,60 @@ int net__socket_connect_tls(struct mosquitto *mosq)
 #ifdef WITH_TLS
 static int net__tls_load_ca(struct mosquitto *mosq)
 {
 	int ret;
 #if OPENSSL_VERSION_NUMBER < 0x30000000L
 	ret = SSL_CTX_load_verify_locations(mosq->ssl_ctx, mosq->tls_cafile, mosq->tls_capath);
 	if(ret == 0){
 #  ifdef WITH_BROKER
 		if(mosq->tls_cafile && mosq->tls_capath){
 			log__printf(mosq, MOSQ_LOG_ERR, "Error: Unable to load CA certificates, check bridge_cafile \"%s\" and bridge_capath \"%s\".", mosq->tls_cafile, mosq->tls_capath);
 		}else if(mosq->tls_cafile){
 			log__printf(mosq, MOSQ_LOG_ERR, "Error: Unable to load CA certificates, check bridge_cafile \"%s\".", mosq->tls_cafile);
 		}else{
 			log__printf(mosq, MOSQ_LOG_ERR, "Error: Unable to load CA certificates, check bridge_capath \"%s\".", mosq->tls_capath);
 		}
 #  else
 		if(mosq->tls_cafile && mosq->tls_capath){
 			log__printf(mosq, MOSQ_LOG_ERR, "Error: Unable to load CA certificates, check cafile \"%s\" and capath \"%s\".", mosq->tls_cafile, mosq->tls_capath);
 		}else if(mosq->tls_cafile){
 			log__printf(mosq, MOSQ_LOG_ERR, "Error: Unable to load CA certificates, check cafile \"%s\".", mosq->tls_cafile);
 		}else{
 			log__printf(mosq, MOSQ_LOG_ERR, "Error: Unable to load CA certificates, check capath \"%s\".", mosq->tls_capath);
 		}
 #  endif
 		return MOSQ_ERR_TLS;
 	}
 #else
 	if(mosq->tls_cafile){
 		ret = SSL_CTX_load_verify_file(mosq->ssl_ctx, mosq->tls_cafile);
 		if(ret == 0){
 #  ifdef WITH_BROKER
 			log__printf(mosq, MOSQ_LOG_ERR, "Error: Unable to load CA certificates, check bridge_cafile \"%s\".", mosq->tls_cafile);
 #  else
 			log__printf(mosq, MOSQ_LOG_ERR, "Error: Unable to load CA certificates, check cafile \"%s\".", mosq->tls_cafile);
 #  endif
 			return MOSQ_ERR_TLS;
 		}
 	}
 	if(mosq->tls_capath){
 		ret = SSL_CTX_load_verify_dir(mosq->ssl_ctx, mosq->tls_capath);
 		if(ret == 0){
 #  ifdef WITH_BROKER
 			log__printf(mosq, MOSQ_LOG_ERR, "Error: Unable to load CA certificates, check bridge_capath \"%s\".", mosq->tls_capath);
 #  else
 			log__printf(mosq, MOSQ_LOG_ERR, "Error: Unable to load CA certificates, check capath \"%s\".", mosq->tls_capath);
 #  endif
 			return MOSQ_ERR_TLS;
 		}
 	}
 #endif
 	return MOSQ_ERR_SUCCESS;
 }
 static int net__init_ssl_ctx(struct mosquitto *mosq)
 {
 	int ret;
@ -643,28 +697,11 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
 			}
 		}
 		if(mosq->tls_cafile || mosq->tls_capath){
-			ret = SSL_CTX_load_verify_locations(mosq->ssl_ctx, mosq->tls_cafile, mosq->tls_capath);
+			ret = net__tls_load_ca(mosq);
-			if(ret == 0){
+			if(ret != MOSQ_ERR_SUCCESS){
-#ifdef WITH_BROKER
+#  if !defined(OPENSSL_NO_ENGINE)
 				if(mosq->tls_cafile && mosq->tls_capath){
 					log__printf(mosq, MOSQ_LOG_ERR, "Error: Unable to load CA certificates, check bridge_cafile \"%s\" and bridge_capath \"%s\".", mosq->tls_cafile, mosq->tls_capath);
 				}else if(mosq->tls_cafile){
 					log__printf(mosq, MOSQ_LOG_ERR, "Error: Unable to load CA certificates, check bridge_cafile \"%s\".", mosq->tls_cafile);
 				}else{
 					log__printf(mosq, MOSQ_LOG_ERR, "Error: Unable to load CA certificates, check bridge_capath \"%s\".", mosq->tls_capath);
 				}
 #else
 				if(mosq->tls_cafile && mosq->tls_capath){
 					log__printf(mosq, MOSQ_LOG_ERR, "Error: Unable to load CA certificates, check cafile \"%s\" and capath \"%s\".", mosq->tls_cafile, mosq->tls_capath);
 				}else if(mosq->tls_cafile){
 					log__printf(mosq, MOSQ_LOG_ERR, "Error: Unable to load CA certificates, check cafile \"%s\".", mosq->tls_cafile);
 				}else{
 					log__printf(mosq, MOSQ_LOG_ERR, "Error: Unable to load CA certificates, check capath \"%s\".", mosq->tls_capath);
 				}
 #endif
 #if !defined(OPENSSL_NO_ENGINE)
 				ENGINE_FINISH(engine);
-#endif
+#  endif
 				COMPAT_CLOSE(mosq->sock);
 				mosq->sock = INVALID_SOCKET;
 				net__print_ssl_error(mosq);
--- a/src/net.c
+++ b/src/net.c
@ -444,6 +444,7 @@ int net__tls_load_verify(struct mosquitto__listener *listener)
 #  endif
 	int rc;
 #if OPENSSL_VERSION_NUMBER < 0x30000000L
 	rc = SSL_CTX_load_verify_locations(listener->ssl_ctx, listener->cafile, listener->capath);
 	if(rc == 0){
 		if(listener->cafile && listener->capath){
@ -456,6 +457,25 @@ int net__tls_load_verify(struct mosquitto__listener *listener)
 		net__print_ssl_error(NULL);
 		return 1;
 	}
 #else
 	if(listener->cafile){
 		rc = SSL_CTX_load_verify_file(listener->ssl_ctx, listener->cafile);
 		if(rc == 0){
 			log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to load CA certificates. Check cafile \"%s\".", listener->cafile);
 			net__print_ssl_error(NULL);
 			return MOSQ_ERR_TLS;
 		}
 	}
 	if(listener->capath){
 		rc = SSL_CTX_load_verify_dir(listener->ssl_ctx, listener->capath);
 		if(rc == 0){
 			log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to load CA certificates. Check capath \"%s\".", listener->capath);
 			net__print_ssl_error(NULL);
 			return MOSQ_ERR_TLS;
 		}
 	}
 #endif
 	if(listener->tls_engine){
 #if !defined(OPENSSL_NO_ENGINE)
 		engine = ENGINE_by_id(listener->tls_engine);