Fix support for openssl 3.0

5 years ago · 762ad432e8
parent 24049b1a1e
commit 762ad432e8
3 changed files with 80 additions and 21 deletions
--- a/ChangeLog.txt
+++ b/ChangeLog.txt
@ -7,10 +7,12 @@ Broker:
 - Fix memory leak when connecting clients rejected.
 - Don't disconnect clients that are already disconnected. This prevents the
  session expiry being extended on SIGHUP. Closes #1521.
+- Fix support for openssl 3.0.
 
 Client library:
 - Don't treat an unexpected PUBACK, PUBREL, or PUBCOMP as a fatal error.
  Issue #1629.
+- Fix support for openssl 3.0.

 Clients:
 - Fix mosquitto_sub %j or %J not working on Windows. Closes #1674.
--- a/lib/net_mosq.c
+++ b/lib/net_mosq.c
@ -531,6 +531,60 @@ int net__socket_connect_tls(struct mosquitto *mosq)


 #ifdef WITH_TLS
+static int net__tls_load_ca(struct mosquitto *mosq)
+{
+	int ret;
+
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
+	ret = SSL_CTX_load_verify_locations(mosq->ssl_ctx, mosq->tls_cafile, mosq->tls_capath);
+	if(ret == 0){
+#  ifdef WITH_BROKER
+		if(mosq->tls_cafile && mosq->tls_capath){
+			log__printf(mosq, MOSQ_LOG_ERR, "Error: Unable to load CA certificates, check bridge_cafile \"%s\" and bridge_capath \"%s\".", mosq->tls_cafile, mosq->tls_capath);
+		}else if(mosq->tls_cafile){
+			log__printf(mosq, MOSQ_LOG_ERR, "Error: Unable to load CA certificates, check bridge_cafile \"%s\".", mosq->tls_cafile);
+		}else{
+			log__printf(mosq, MOSQ_LOG_ERR, "Error: Unable to load CA certificates, check bridge_capath \"%s\".", mosq->tls_capath);
+		}
+#  else
+		if(mosq->tls_cafile && mosq->tls_capath){
+			log__printf(mosq, MOSQ_LOG_ERR, "Error: Unable to load CA certificates, check cafile \"%s\" and capath \"%s\".", mosq->tls_cafile, mosq->tls_capath);
+		}else if(mosq->tls_cafile){
+			log__printf(mosq, MOSQ_LOG_ERR, "Error: Unable to load CA certificates, check cafile \"%s\".", mosq->tls_cafile);
+		}else{
+			log__printf(mosq, MOSQ_LOG_ERR, "Error: Unable to load CA certificates, check capath \"%s\".", mosq->tls_capath);
+		}
+#  endif
+		return MOSQ_ERR_TLS;
+	}
+#else
+	if(mosq->tls_cafile){
+		ret = SSL_CTX_load_verify_file(mosq->ssl_ctx, mosq->tls_cafile);
+		if(ret == 0){
+#  ifdef WITH_BROKER
+			log__printf(mosq, MOSQ_LOG_ERR, "Error: Unable to load CA certificates, check bridge_cafile \"%s\".", mosq->tls_cafile);
+#  else
+			log__printf(mosq, MOSQ_LOG_ERR, "Error: Unable to load CA certificates, check cafile \"%s\".", mosq->tls_cafile);
+#  endif
+			return MOSQ_ERR_TLS;
+		}
+	}
+	if(mosq->tls_capath){
+		ret = SSL_CTX_load_verify_dir(mosq->ssl_ctx, mosq->tls_capath);
+		if(ret == 0){
+#  ifdef WITH_BROKER
+			log__printf(mosq, MOSQ_LOG_ERR, "Error: Unable to load CA certificates, check bridge_capath \"%s\".", mosq->tls_capath);
+#  else
+			log__printf(mosq, MOSQ_LOG_ERR, "Error: Unable to load CA certificates, check capath \"%s\".", mosq->tls_capath);
+#  endif
+			return MOSQ_ERR_TLS;
+		}
+	}
+#endif
+	return MOSQ_ERR_SUCCESS;
+}
+
+
 static int net__init_ssl_ctx(struct mosquitto *mosq)
 {
 	int ret;
@ -643,25 +697,8 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
 			}
 		}
 		if(mosq->tls_cafile || mosq->tls_capath){
-			ret = SSL_CTX_load_verify_locations(mosq->ssl_ctx, mosq->tls_cafile, mosq->tls_capath);
-			if(ret == 0){
-#ifdef WITH_BROKER
-				if(mosq->tls_cafile && mosq->tls_capath){
-					log__printf(mosq, MOSQ_LOG_ERR, "Error: Unable to load CA certificates, check bridge_cafile \"%s\" and bridge_capath \"%s\".", mosq->tls_cafile, mosq->tls_capath);
-				}else if(mosq->tls_cafile){
-					log__printf(mosq, MOSQ_LOG_ERR, "Error: Unable to load CA certificates, check bridge_cafile \"%s\".", mosq->tls_cafile);
-				}else{
-					log__printf(mosq, MOSQ_LOG_ERR, "Error: Unable to load CA certificates, check bridge_capath \"%s\".", mosq->tls_capath);
-				}
-#else
-				if(mosq->tls_cafile && mosq->tls_capath){
-					log__printf(mosq, MOSQ_LOG_ERR, "Error: Unable to load CA certificates, check cafile \"%s\" and capath \"%s\".", mosq->tls_cafile, mosq->tls_capath);
-				}else if(mosq->tls_cafile){
-					log__printf(mosq, MOSQ_LOG_ERR, "Error: Unable to load CA certificates, check cafile \"%s\".", mosq->tls_cafile);
-				}else{
-					log__printf(mosq, MOSQ_LOG_ERR, "Error: Unable to load CA certificates, check capath \"%s\".", mosq->tls_capath);
-				}
-#endif
+			ret = net__tls_load_ca(mosq);
+			if(ret != MOSQ_ERR_SUCCESS){
 #  if !defined(OPENSSL_NO_ENGINE)
 				ENGINE_FINISH(engine);
 #  endif
--- a/src/net.c
+++ b/src/net.c
@ -444,6 +444,7 @@ int net__tls_load_verify(struct mosquitto__listener *listener)
 #  endif
 	int rc;

+#if OPENSSL_VERSION_NUMBER < 0x30000000L
 	rc = SSL_CTX_load_verify_locations(listener->ssl_ctx, listener->cafile, listener->capath);
 	if(rc == 0){
 		if(listener->cafile && listener->capath){
@ -456,6 +457,25 @@ int net__tls_load_verify(struct mosquitto__listener *listener)
 		net__print_ssl_error(NULL);
 		return 1;
 	}
+#else
+	if(listener->cafile){
+		rc = SSL_CTX_load_verify_file(listener->ssl_ctx, listener->cafile);
+		if(rc == 0){
+			log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to load CA certificates. Check cafile \"%s\".", listener->cafile);
+			net__print_ssl_error(NULL);
+			return MOSQ_ERR_TLS;
+		}
+	}
+	if(listener->capath){
+		rc = SSL_CTX_load_verify_dir(listener->ssl_ctx, listener->capath);
+		if(rc == 0){
+			log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to load CA certificates. Check capath \"%s\".", listener->capath);
+			net__print_ssl_error(NULL);
+			return MOSQ_ERR_TLS;
+		}
+	}
+#endif
+
 	if(listener->tls_engine){
 #if !defined(OPENSSL_NO_ENGINE)
 		engine = ENGINE_by_id(listener->tls_engine);