d0kuhn/mosquitto
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

ssl: support openssl with ENGINE support disabled.

Browse Source 
Alternatively, just drop support for this config.

Signed-off-by: Karl Palsson <karlp@etactica.com>
This commit is contained in:
Karl Palsson 2019-05-02 16:37:03 +00:00
parent 0928797e57
commit 22303848e2
3 changed files with 36 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
lib/net_mosq.c
View File

@ -141,7 +141,9 @@ int net__init(void)
| OPENSSL_INIT_ADD_ALL_DIGESTS \
| OPENSSL_INIT_LOAD_CONFIG, NULL);
# endif
#if !defined(OPENSSL_NO_ENGINE)
ENGINE_load_builtin_engines();
#endif
setup_ui_method();
if(tls_ex_index_mosq == -1){
tls_ex_index_mosq = SSL_get_ex_new_index(0, "client context", NULL, NULL, NULL);
@ -599,6 +601,7 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
SSL_CTX_set_mode(mosq->ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
#endif
#if !defined(OPENSSL_NO_ENGINE)
if(mosq->tls_engine){
engine = ENGINE_by_id(mosq->tls_engine);
if(!engine){
@ -615,12 +618,15 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
ENGINE_set_default(engine, ENGINE_METHOD_ALL);
ENGINE_free(engine); /* release the structural reference from ENGINE_by_id() */
}
#endif
if(mosq->tls_ciphers){
ret = SSL_CTX_set_cipher_list(mosq->ssl_ctx, mosq->tls_ciphers);
if(ret == 0){
log__printf(mosq, MOSQ_LOG_ERR, "Error: Unable to set TLS ciphers. Check cipher list \"%s\".", mosq->tls_ciphers);
#if !defined(OPENSSL_NO_ENGINE)
ENGINE_FINISH(engine);
#endif
COMPAT_CLOSE(mosq->sock);
mosq->sock = INVALID_SOCKET;
net__print_ssl_error(mosq);
@ -647,7 +653,9 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
log__printf(mosq, MOSQ_LOG_ERR, "Error: Unable to load CA certificates, check capath \"%s\".", mosq->tls_capath);
}
#endif
#if !defined(OPENSSL_NO_ENGINE)
ENGINE_FINISH(engine);
#endif
COMPAT_CLOSE(mosq->sock);
mosq->sock = INVALID_SOCKET;
net__print_ssl_error(mosq);
@ -672,7 +680,9 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
#else
log__printf(mosq, MOSQ_LOG_ERR, "Error: Unable to load client certificate \"%s\".", mosq->tls_certfile);
#endif
#if !defined(OPENSSL_NO_ENGINE)
ENGINE_FINISH(engine);
#endif
COMPAT_CLOSE(mosq->sock);
mosq->sock = INVALID_SOCKET;
net__print_ssl_error(mosq);
@ -681,6 +691,7 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
}
if(mosq->tls_keyfile){
if(mosq->tls_keyform == mosq_k_engine){
#if !defined(OPENSSL_NO_ENGINE)
UI_METHOD *ui_method = net__get_ui_method();
if(mosq->tls_engine_kpass_sha1){
if(!ENGINE_ctrl_cmd(engine, ENGINE_SECRET_MODE, ENGINE_SECRET_MODE_SHA, NULL, NULL, 0)){
@ -714,6 +725,7 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
net__print_ssl_error(mosq);
return MOSQ_ERR_TLS;
}
#endif
}else{
ret = SSL_CTX_use_PrivateKey_file(mosq->ssl_ctx, mosq->tls_keyfile, SSL_FILETYPE_PEM);
if(ret != 1){
@ -722,7 +734,9 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
#else
log__printf(mosq, MOSQ_LOG_ERR, "Error: Unable to load client key file \"%s\".", mosq->tls_keyfile);
#endif
#if !defined(OPENSSL_NO_ENGINE)
ENGINE_FINISH(engine);
#endif
COMPAT_CLOSE(mosq->sock);
mosq->sock = INVALID_SOCKET;
net__print_ssl_error(mosq);
@ -732,7 +746,9 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
ret = SSL_CTX_check_private_key(mosq->ssl_ctx);
if(ret != 1){
log__printf(mosq, MOSQ_LOG_ERR, "Error: Client certificate/key are inconsistent.");
#if !defined(OPENSSL_NO_ENGINE)
ENGINE_FINISH(engine);
#endif
COMPAT_CLOSE(mosq->sock);
mosq->sock = INVALID_SOCKET;
net__print_ssl_error(mosq);

2
lib/options.c
View File

@ -255,6 +255,7 @@ int mosquitto_string_option(struct mosquitto *mosq, enum mosq_opt_t option, cons
switch(option){
case MOSQ_OPT_TLS_ENGINE:
#ifdef WITH_TLS
# if !defined(OPENSSL_NO_ENGINE)
eng = ENGINE_by_id(value);
if(!eng){
return MOSQ_ERR_INVAL;
@ -265,6 +266,7 @@ int mosquitto_string_option(struct mosquitto *mosq, enum mosq_opt_t option, cons
return MOSQ_ERR_NOMEM;
}
return MOSQ_ERR_SUCCESS;
#endif
#else
return MOSQ_ERR_NOT_SUPPORTED;
#endif

18
src/net.c
View File

@ -534,6 +534,7 @@ int net__socket_listen(struct mosquitto__listener *listener)
return 1;
}
if(listener->tls_engine){
#if !defined(OPENSSL_NO_ENGINE)
engine = ENGINE_by_id(listener->tls_engine);
if(!engine){
log__printf(NULL, MOSQ_LOG_ERR, "Error loading %s engine\n", listener->tls_engine);
@ -548,6 +549,7 @@ int net__socket_listen(struct mosquitto__listener *listener)
}
ENGINE_set_default(engine, ENGINE_METHOD_ALL);
ENGINE_free(engine); /* release the structural reference from ENGINE_by_id() */
#endif
}
/* FIXME user data? */
if(listener->require_certificate){
@ -560,10 +562,13 @@ int net__socket_listen(struct mosquitto__listener *listener)
log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to load server certificate \"%s\". Check certfile.", listener->certfile);
net__print_error(MOSQ_LOG_ERR, "Error: %s");
COMPAT_CLOSE(sock);
#if !defined(OPENSSL_NO_ENGINE)
ENGINE_FINISH(engine);
#endif
return 1;
}
if(listener->tls_keyform == mosq_k_engine){
#if !defined(OPENSSL_NO_ENGINE)
UI_METHOD *ui_method = net__get_ui_method();
if(listener->tls_engine_kpass_sha1){
if(!ENGINE_ctrl_cmd(engine, ENGINE_SECRET_MODE, ENGINE_SECRET_MODE_SHA, NULL, NULL, 0)){
@ -593,13 +598,16 @@ int net__socket_listen(struct mosquitto__listener *listener)
ENGINE_FINISH(engine);
return 1;
}
#endif
}else{
rc = SSL_CTX_use_PrivateKey_file(listener->ssl_ctx, listener->keyfile, SSL_FILETYPE_PEM);
if(rc != 1){
log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to load server key file \"%s\". Check keyfile.", listener->keyfile);
net__print_error(MOSQ_LOG_ERR, "Error: %s");
COMPAT_CLOSE(sock);
#if !defined(OPENSSL_NO_ENGINE)
ENGINE_FINISH(engine);
#endif
return 1;
}
}
@ -608,7 +616,9 @@ int net__socket_listen(struct mosquitto__listener *listener)
log__printf(NULL, MOSQ_LOG_ERR, "Error: Server certificate/key are inconsistent.");
net__print_error(MOSQ_LOG_ERR, "Error: %s");
COMPAT_CLOSE(sock);
#if !defined(OPENSSL_NO_ENGINE)
ENGINE_FINISH(engine);
#endif
return 1;
}
/* Load CRLs if they exist. */
@ -618,7 +628,9 @@ int net__socket_listen(struct mosquitto__listener *listener)
log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to obtain TLS store.");
net__print_error(MOSQ_LOG_ERR, "Error: %s");
COMPAT_CLOSE(sock);
#if !defined(OPENSSL_NO_ENGINE)
ENGINE_FINISH(engine);
#endif
return 1;
}
lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
@ -627,7 +639,9 @@ int net__socket_listen(struct mosquitto__listener *listener)
log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to load certificate revocation file \"%s\". Check crlfile.", listener->crlfile);
net__print_error(MOSQ_LOG_ERR, "Error: %s");
COMPAT_CLOSE(sock);
#if !defined(OPENSSL_NO_ENGINE)
ENGINE_FINISH(engine);
#endif
return 1;
}
X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK);
@ -644,7 +658,9 @@ int net__socket_listen(struct mosquitto__listener *listener)
if(mosquitto__tls_server_ctx(listener)){
COMPAT_CLOSE(sock);
#if !defined(OPENSSL_NO_ENGINE)
ENGINE_FINISH(engine);
#endif
return 1;
}
SSL_CTX_set_psk_server_callback(listener->ssl_ctx, psk_server_callback);
@ -654,7 +670,9 @@ int net__socket_listen(struct mosquitto__listener *listener)
log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to set TLS PSK hint.");
net__print_error(MOSQ_LOG_ERR, "Error: %s");
COMPAT_CLOSE(sock);
#if !defined(OPENSSL_NO_ENGINE)
ENGINE_FINISH(engine);
#endif
return 1;
}
}