Don't use deprecated openssl functions.

8 years ago · 943b311344
parent c95f24c342
commit 943b311344
6 changed files with 45 additions and 29 deletions
--- a/lib/net_mosq.c
+++ b/lib/net_mosq.c
@ -458,27 +458,33 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
 	}

 	if(mosq->tls_cafile || mosq->tls_capath || mosq->tls_psk){
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+		mosq->ssl_ctx = SSL_CTX_new(SSLv23_client_method());
+#else
+		mosq->ssl_ctx = SSL_CTX_new(TLS_client_method());
+#endif
+
+		if(!mosq->ssl_ctx){
+			log__printf(mosq, MOSQ_LOG_ERR, "Error: Unable to create TLS context.");
+			COMPAT_CLOSE(mosq->sock);
+			net__print_ssl_error(mosq);
+			return MOSQ_ERR_TLS;
+		}
+
 		if(!mosq->tls_version){
-			mosq->ssl_ctx = SSL_CTX_new(SSLv23_client_method());
+			SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3);
 		}else if(!strcmp(mosq->tls_version, "tlsv1.2")){
-			mosq->ssl_ctx = SSL_CTX_new(TLSv1_2_client_method());
+			SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1);
 		}else if(!strcmp(mosq->tls_version, "tlsv1.1")){
-			mosq->ssl_ctx = SSL_CTX_new(TLSv1_1_client_method());
+			SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1);
 		}else if(!strcmp(mosq->tls_version, "tlsv1")){
-			mosq->ssl_ctx = SSL_CTX_new(TLSv1_client_method());
+			SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1_1);
 		}else{
 			log__printf(mosq, MOSQ_LOG_ERR, "Error: Protocol %s not supported.", mosq->tls_version);
 			COMPAT_CLOSE(mosq->sock);
 			return MOSQ_ERR_INVAL;
 		}

-		if(!mosq->ssl_ctx){
-			log__printf(mosq, MOSQ_LOG_ERR, "Error: Unable to create TLS context.");
-			COMPAT_CLOSE(mosq->sock);
-			net__print_ssl_error(mosq);
-			return MOSQ_ERR_TLS;
-		}
-
 		/* Disable compression */
 		SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_COMPRESSION);

--- a/lib/tls_mosq.c
+++ b/lib/tls_mosq.c
@ -135,14 +135,22 @@ int mosquitto__verify_certificate_hostname(X509 *cert, const char *hostname)
 		for(i=0; i<sk_GENERAL_NAME_num(san); i++){
 			nval = sk_GENERAL_NAME_value(san, i);
 			if(nval->type == GEN_DNS){
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 				data = ASN1_STRING_data(nval->d.dNSName);
+#else
+				data = ASN1_STRING_get0_data(nval->d.dNSName);
+#endif
 				if(data && !mosquitto__cmp_hostname_wildcard((char *)data, hostname)){
 					sk_GENERAL_NAME_pop_free(san, GENERAL_NAME_free);
 					return 1;
 				}
 				have_san_dns = true;
 			}else if(nval->type == GEN_IPADD){
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 				data = ASN1_STRING_data(nval->d.iPAddress);
+#else
+				data = ASN1_STRING_get0_data(nval->d.iPAddress);
+#endif
 				if(nval->d.iPAddress->length == 4 && ipv4_ok){
 					if(!memcmp(ipv4_addr, data, 4)){
 						sk_GENERAL_NAME_pop_free(san, GENERAL_NAME_free);
--- a/src/mosquitto.c
+++ b/src/mosquitto.c
@ -18,7 +18,7 @@ Contributors:

 #ifndef WIN32
 /* For initgroups() */
-#  define _BSD_SOURCE
+#  define _DEFAULT_SOURCE
 #  include <unistd.h>
 #  include <grp.h>
 #  include <assert.h>
--- a/src/mosquitto_passwd.c
+++ b/src/mosquitto_passwd.c
@ -15,7 +15,7 @@ Contributors:
 */

 #define _POSIX_C_SOURCE 200809L
-#define _BSD_SOURCE
+#define _DEFAULT_SOURCE

 #include <errno.h>
 #include <openssl/evp.h>
--- a/src/net.c
+++ b/src/net.c
@ -263,35 +263,39 @@ static unsigned int psk_server_callback(SSL *ssl, const char *identity, unsigned
 #ifdef WITH_TLS
 static int mosquitto__tls_server_ctx(struct mosquitto__listener *listener)
 {
-	int ssl_options = 0;
 	char buf[256];
 	int rc;

+
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+	listener->ssl_ctx = SSL_CTX_new(SSLv23_client_method());
+#else
+	listener->ssl_ctx = SSL_CTX_new(TLS_client_method());
+#endif
+
+	if(!listener->ssl_ctx){
+		log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to create TLS context.");
+		return 1;
+	}
+
 	if(listener->tls_version == NULL){
-		listener->ssl_ctx = SSL_CTX_new(SSLv23_server_method());
+		SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3);
 	}else if(!strcmp(listener->tls_version, "tlsv1.2")){
-		listener->ssl_ctx = SSL_CTX_new(TLSv1_2_server_method());
+		SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1);
 	}else if(!strcmp(listener->tls_version, "tlsv1.1")){
-		listener->ssl_ctx = SSL_CTX_new(TLSv1_1_server_method());
+		SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1);
 	}else if(!strcmp(listener->tls_version, "tlsv1")){
-		listener->ssl_ctx = SSL_CTX_new(TLSv1_server_method());
-	}
-	if(!listener->ssl_ctx){
-		log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to create TLS context.");
-		return 1;
+		SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1_2 | SSL_OP_NO_TLSv1_1);
 	}

-	/* Don't accept SSLv2 or SSLv3 */
-	ssl_options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
 #ifdef SSL_OP_NO_COMPRESSION
 	/* Disable compression */
-	ssl_options |= SSL_OP_NO_COMPRESSION;
+	SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_COMPRESSION);
 #endif
 #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
 	/* Server chooses cipher */
-	ssl_options |= SSL_OP_CIPHER_SERVER_PREFERENCE;
+	SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
 #endif
-	SSL_CTX_set_options(listener->ssl_ctx, ssl_options);

 #ifdef SSL_MODE_RELEASE_BUFFERS
 	/* Use even less memory per SSL connection. */
--- a/src/signals.c
+++ b/src/signals.c
@ -18,8 +18,6 @@ Contributors:
 #include "config.h"

 #ifndef WIN32
-/* For initgroups() */
-#  define _BSD_SOURCE
 #  include <unistd.h>
 #  include <grp.h>
 #  include <assert.h>