Remove support for openssl 1.0.0 and 1.0.1.

These are no longer supported by openssl.

ChangeLog.txt

@@ -133,6 +133,8 @@ Build:
 - Add WITH_STATIC_LIBRARIES (defaulting to "no") that when set to "yes" will
  build and install static versions of the client libraries.
 - Don't run TLS-PSK tests if TLS-PSK disabled at compile time. Closes #636.
+- Support for openssl versions 1.0.0 and 1.0.1 has been removed as these are
+ no longer supported by openssl.
 
 Documentation:
 - Replace mentions of deprecated 'c_rehash' with 'openssl rehash'.

lib/net_mosq.c

@@ -190,7 +190,7 @@ int net__socket_close(struct mosquitto *mosq)
 }
 
 
-#ifdef REAL_WITH_TLS_PSK
+#ifdef WITH_TLS_PSK
 static unsigned int psk_client_callback(SSL *ssl, const char *hint,
  char *identity, unsigned int max_identity_len,
  unsigned char *psk, unsigned int max_psk_len)
@@ -458,7 +458,6 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
  }
 
  if(mosq->tls_cafile || mosq->tls_capath || mosq->tls_psk){
-#if OPENSSL_VERSION_NUMBER >= 0x10001000L
  if(!mosq->tls_version){
  mosq->ssl_ctx = SSL_CTX_new(SSLv23_client_method());
  }else if(!strcmp(mosq->tls_version, "tlsv1.2")){
@@ -472,26 +471,17 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
  COMPAT_CLOSE(mosq->sock);
  return MOSQ_ERR_INVAL;
  }
-#else
- if(!mosq->tls_version || !strcmp(mosq->tls_version, "tlsv1")){
- mosq->ssl_ctx = SSL_CTX_new(TLSv1_client_method());
- }else{
- log__printf(mosq, MOSQ_LOG_ERR, "Error: Protocol %s not supported.", mosq->tls_version);
- COMPAT_CLOSE(mosq->sock);
- return MOSQ_ERR_INVAL;
- }
-#endif
+
  if(!mosq->ssl_ctx){
  log__printf(mosq, MOSQ_LOG_ERR, "Error: Unable to create TLS context.");
  COMPAT_CLOSE(mosq->sock);
  net__print_ssl_error(mosq);
  return MOSQ_ERR_TLS;
  }
 
-#if OPENSSL_VERSION_NUMBER >= 0x10000000
  /* Disable compression */
  SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_COMPRESSION);
-#endif
+
 #ifdef SSL_MODE_RELEASE_BUFFERS
  /* Use even less memory per SSL connection. */
  SSL_CTX_set_mode(mosq->ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
@@ -574,7 +564,7 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
  return MOSQ_ERR_TLS;
  }
  }
-#ifdef REAL_WITH_TLS_PSK
+#ifdef WITH_TLS_PSK
  }else if(mosq->tls_psk){
  SSL_CTX_set_psk_client_callback(mosq->ssl_ctx, psk_client_callback);
 #endif

lib/options.c

@@ -175,7 +175,6 @@ int mosquitto_tls_opts_set(struct mosquitto *mosq, int cert_reqs, const char *tl
 
  mosq->tls_cert_reqs = cert_reqs;
  if(tls_version){
-#if OPENSSL_VERSION_NUMBER >= 0x10001000L
  if(!strcasecmp(tls_version, "tlsv1.2")
  || !strcasecmp(tls_version, "tlsv1.1")
  || !strcasecmp(tls_version, "tlsv1")){
@@ -185,20 +184,8 @@ int mosquitto_tls_opts_set(struct mosquitto *mosq, int cert_reqs, const char *tl
  }else{
  return MOSQ_ERR_INVAL;
  }
-#else
- if(!strcasecmp(tls_version, "tlsv1")){
- mosq->tls_version = mosquitto__strdup(tls_version);
- if(!mosq->tls_version) return MOSQ_ERR_NOMEM;
- }else{
- return MOSQ_ERR_INVAL;
- }
-#endif
  }else{
-#if OPENSSL_VERSION_NUMBER >= 0x10001000L
  mosq->tls_version = mosquitto__strdup("tlsv1.2");
-#else
- mosq->tls_version = mosquitto__strdup("tlsv1");
-#endif
  if(!mosq->tls_version) return MOSQ_ERR_NOMEM;
  }
  if(ciphers){
@@ -231,7 +218,7 @@ int mosquitto_tls_insecure_set(struct mosquitto *mosq, bool value)
 
 int mosquitto_tls_psk_set(struct mosquitto *mosq, const char *psk, const char *identity, const char *ciphers)
 {
-#ifdef REAL_WITH_TLS_PSK
+#ifdef WITH_TLS_PSK
  if(!mosq || !psk || !identity) return MOSQ_ERR_INVAL;
 
  /* Check for hex only digits */

lib/tls_mosq.h

@@ -26,13 +26,6 @@ and the Eclipse Distribution License is available at
 #ifdef WITH_TLS
 
 #include <openssl/ssl.h>
-#ifdef WITH_TLS_PSK
-# if OPENSSL_VERSION_NUMBER >= 0x10000000
-# define REAL_WITH_TLS_PSK
-# else
-# warning "TLS-PSK not supported, openssl too old."
-# endif
-#endif
 
 int mosquitto__server_certificate_verify(int preverify_ok, X509_STORE_CTX *ctx);
 int mosquitto__verify_certificate_hostname(X509 *cert, const char *hostname);

lib/util_mosq.c

@@ -344,7 +344,7 @@ int mosquitto_topic_matches_sub2(const char *sub, size_t sublen, const char *top
  return MOSQ_ERR_SUCCESS;
 }
 
-#ifdef REAL_WITH_TLS_PSK
+#ifdef WITH_TLS_PSK
 int mosquitto__hex2bin(const char *hex, unsigned char *bin, int bin_max_len)
 {
  BIGNUM *bn = NULL;

lib/util_mosq.h

@@ -33,7 +33,7 @@ void mosquitto__check_keepalive(struct mosquitto *mosq);
 uint16_t mosquitto__mid_generate(struct mosquitto *mosq);
 FILE *mosquitto__fopen(const char *path, const char *mode, bool restrict_read);
 
-#ifdef REAL_WITH_TLS_PSK
+#ifdef WITH_TLS_PSK
 int mosquitto__hex2bin(const char *hex, unsigned char *bin, int bin_max_len);
 #endif
 

mosquitto.conf

@@ -221,10 +221,8 @@
 #keyfile
 
 # This option defines the version of the TLS protocol to use for this listener.
-# The default value allows v1.2, v1.1 and v1.0, if they are all supported by
-# the version of openssl that the broker was compiled against. For openssl >=
-# 1.0.1 the valid values are tlsv1.2 tlsv1.1 and tlsv1. For openssl < 1.0.1 the
-# valid values are tlsv1.
+# The default value allows v1.2, v1.1 and v1.0. The valid values are tlsv1.2
+# tlsv1.1 and tlsv1.
 #tls_version
 
 # By default a TLS enabled listener will operate in a similar fashion to a

src/bridge.c

@@ -82,7 +82,7 @@ int bridge__new(struct mosquitto_db *db, struct mosquitto__bridge *bridge)
  new_context->tls_cert_reqs = SSL_VERIFY_PEER;
  new_context->tls_version = new_context->bridge->tls_version;
  new_context->tls_insecure = new_context->bridge->tls_insecure;
-#ifdef REAL_WITH_TLS_PSK
+#ifdef WITH_TLS_PSK
  new_context->tls_psk_identity = new_context->bridge->tls_psk_identity;
  new_context->tls_psk = new_context->bridge->tls_psk;
 #endif

src/conf.c

@@ -315,7 +315,7 @@ void config__cleanup(struct mosquitto__config *config)
 #ifdef WITH_TLS
  mosquitto__free(config->bridges[i].tls_version);
  mosquitto__free(config->bridges[i].tls_cafile);
-#ifdef REAL_WITH_TLS_PSK
+#ifdef WITH_TLS_PSK
  mosquitto__free(config->bridges[i].tls_psk_identity);
  mosquitto__free(config->bridges[i].tls_psk);
 #endif
@@ -586,7 +586,7 @@ int config__read(struct mosquitto__config *config, bool reload)
  log__printf(NULL, MOSQ_LOG_ERR, "Error: Invalid bridge configuration.");
  return MOSQ_ERR_INVAL;
  }
-#ifdef REAL_WITH_TLS_PSK
+#ifdef WITH_TLS_PSK
  if(config->bridges[i].tls_psk && !config->bridges[i].tls_psk_identity){
  log__printf(NULL, MOSQ_LOG_ERR, "Error: Invalid bridge configuration: missing bridge_identity.\n");
  return MOSQ_ERR_INVAL;
@@ -809,7 +809,7 @@ int config__read_file_core(struct mosquitto__config *config, bool reload, const
  log__printf(NULL, MOSQ_LOG_ERR, "Error: Invalid bridge configuration.");
  return MOSQ_ERR_INVAL;
  }
-#ifdef REAL_WITH_TLS_PSK
+#ifdef WITH_TLS_PSK
  if(cur_bridge->tls_psk_identity || cur_bridge->tls_psk){
  log__printf(NULL, MOSQ_LOG_ERR, "Error: Cannot use both certificate and psk encryption in a single bridge.");
  return MOSQ_ERR_INVAL;
@@ -826,7 +826,7 @@ int config__read_file_core(struct mosquitto__config *config, bool reload, const
  log__printf(NULL, MOSQ_LOG_ERR, "Error: Invalid bridge configuration.");
  return MOSQ_ERR_INVAL;
  }
-#ifdef REAL_WITH_TLS_PSK
+#ifdef WITH_TLS_PSK
  if(cur_bridge->tls_psk_identity || cur_bridge->tls_psk){
  log__printf(NULL, MOSQ_LOG_ERR, "Error: Cannot use both certificate and psk encryption in a single bridge.");
  return MOSQ_ERR_INVAL;
@@ -843,7 +843,7 @@ int config__read_file_core(struct mosquitto__config *config, bool reload, const
  log__printf(NULL, MOSQ_LOG_ERR, "Error: Invalid bridge configuration.");
  return MOSQ_ERR_INVAL;
  }
-#ifdef REAL_WITH_TLS_PSK
+#ifdef WITH_TLS_PSK
  if(cur_bridge->tls_psk_identity || cur_bridge->tls_psk){
  log__printf(NULL, MOSQ_LOG_ERR, "Error: Cannot use both certificate and psk encryption in a single bridge.");
  return MOSQ_ERR_INVAL;
@@ -854,7 +854,7 @@ int config__read_file_core(struct mosquitto__config *config, bool reload, const
  log__printf(NULL, MOSQ_LOG_WARNING, "Warning: Bridge and/or TLS support not available.");
 #endif
  }else if(!strcmp(token, "bridge_identity")){
-#if defined(WITH_BRIDGE) && defined(REAL_WITH_TLS_PSK)
+#if defined(WITH_BRIDGE) && defined(WITH_TLS_PSK)
  if(reload) continue; // FIXME
  if(!cur_bridge){
  log__printf(NULL, MOSQ_LOG_ERR, "Error: Invalid bridge configuration.");
@@ -889,7 +889,7 @@ int config__read_file_core(struct mosquitto__config *config, bool reload, const
  log__printf(NULL, MOSQ_LOG_ERR, "Error: Invalid bridge configuration.");
  return MOSQ_ERR_INVAL;
  }
-#ifdef REAL_WITH_TLS_PSK
+#ifdef WITH_TLS_PSK
  if(cur_bridge->tls_psk_identity || cur_bridge->tls_psk){
  log__printf(NULL, MOSQ_LOG_ERR, "Error: Cannot use both certificate and psk encryption in a single bridge.");
  return MOSQ_ERR_INVAL;
@@ -924,7 +924,7 @@ int config__read_file_core(struct mosquitto__config *config, bool reload, const
  log__printf(NULL, MOSQ_LOG_WARNING, "Warning: Bridge support not available.");
 #endif
  }else if(!strcmp(token, "bridge_psk")){
-#if defined(WITH_BRIDGE) && defined(REAL_WITH_TLS_PSK)
+#if defined(WITH_BRIDGE) && defined(WITH_TLS_PSK)
  if(reload) continue; // FIXME
  if(!cur_bridge){
  log__printf(NULL, MOSQ_LOG_ERR, "Error: Invalid bridge configuration.");
@@ -1554,7 +1554,7 @@ int config__read_file_core(struct mosquitto__config *config, bool reload, const
  log__printf(NULL, MOSQ_LOG_ERR, "Error: Empty protocol value in configuration.");
  }
  }else if(!strcmp(token, "psk_file")){
-#ifdef REAL_WITH_TLS_PSK
+#ifdef WITH_TLS_PSK
  conf__set_cur_security_options(config, cur_listener, &cur_security_options);
  if(reload){
  mosquitto__free(cur_security_options->psk_file);
@@ -1565,7 +1565,7 @@ int config__read_file_core(struct mosquitto__config *config, bool reload, const
  log__printf(NULL, MOSQ_LOG_WARNING, "Warning: TLS/TLS-PSK support not available.");
 #endif
  }else if(!strcmp(token, "psk_hint")){
-#ifdef REAL_WITH_TLS_PSK
+#ifdef WITH_TLS_PSK
  if(reload) continue; // Listeners not valid for reloading.
  if(conf__parse_string(&token, "psk_hint", &cur_listener->psk_hint, saveptr)) return MOSQ_ERR_INVAL;
 #else

src/handle_connect.c

@@ -396,7 +396,7 @@ int handle__connect(struct mosquitto_db *db, struct mosquitto *context)
  rc = 1;
  goto handle_connect_error;
  }
-#ifdef REAL_WITH_TLS_PSK
+#ifdef WITH_TLS_PSK
  if(context->listener->psk_hint){
  /* Client should have provided an identity to get this far. */
  if(!context->username){
@@ -405,7 +405,7 @@ int handle__connect(struct mosquitto_db *db, struct mosquitto *context)
  goto handle_connect_error;
  }
  }else{
-#endif /* REAL_WITH_TLS_PSK */
+#endif /* WITH_TLS_PSK */
  client_cert = SSL_get_peer_certificate(context->ssl);
  if(!client_cert){
  send__connack(context, 0, CONNACK_REFUSED_BAD_USERNAME_PASSWORD);
@@ -451,9 +451,9 @@ int handle__connect(struct mosquitto_db *db, struct mosquitto *context)
  }
  X509_free(client_cert);
  client_cert = NULL;
-#ifdef REAL_WITH_TLS_PSK
+#ifdef WITH_TLS_PSK
  }
-#endif /* REAL_WITH_TLS_PSK */
+#endif /* WITH_TLS_PSK */
  }else{
 #endif /* WITH_TLS */
  if(username_flag){

src/mosquitto_broker_internal.h

@@ -458,7 +458,7 @@ struct mosquitto__bridge{
  char *tls_certfile;
  char *tls_keyfile;
  char *tls_version;
-# ifdef REAL_WITH_TLS_PSK
+# ifdef WITH_TLS_PSK
  char *tls_psk_identity;
  char *tls_psk;
 # endif

src/net.c

@@ -209,7 +209,7 @@ static int client_certificate_verify(int preverify_ok, X509_STORE_CTX *ctx)
 }
 #endif
 
-#ifdef REAL_WITH_TLS_PSK
+#ifdef WITH_TLS_PSK
 static unsigned int psk_server_callback(SSL *ssl, const char *identity, unsigned char *psk, unsigned int max_psk_len)
 {
  struct mosquitto_db *db;
@@ -266,13 +266,7 @@ static int mosquitto__tls_server_ctx(struct mosquitto__listener *listener)
  int ssl_options = 0;
  char buf[256];
  int rc;
-#ifdef WITH_EC
-#if OPENSSL_VERSION_NUMBER >= 0x10000000L && OPENSSL_VERSION_NUMBER < 0x10002000L
- EC_KEY *ecdh = NULL;
-#endif
-#endif
 
-#if OPENSSL_VERSION_NUMBER >= 0x10001000L
  if(listener->tls_version == NULL){
  listener->ssl_ctx = SSL_CTX_new(SSLv23_server_method());
  }else if(!strcmp(listener->tls_version, "tlsv1.2")){
@@ -282,9 +276,6 @@ static int mosquitto__tls_server_ctx(struct mosquitto__listener *listener)
  }else if(!strcmp(listener->tls_version, "tlsv1")){
  listener->ssl_ctx = SSL_CTX_new(TLSv1_server_method());
  }
-#else
- listener->ssl_ctx = SSL_CTX_new(SSLv23_server_method());
-#endif
  if(!listener->ssl_ctx){
  log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to create TLS context.");
  return 1;
@@ -310,15 +301,6 @@ static int mosquitto__tls_server_ctx(struct mosquitto__listener *listener)
 #ifdef WITH_EC
 #if OPENSSL_VERSION_NUMBER >= 0x10002000L && OPENSSL_VERSION_NUMBER < 0x10100000L
  SSL_CTX_set_ecdh_auto(listener->ssl_ctx, 1);
-#elif OPENSSL_VERSION_NUMBER >= 0x10000000L && OPENSSL_VERSION_NUMBER < 0x10002000L
- ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
- if(!ecdh){
- log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to create TLS ECDH curve.");
- return 1;
- }
- SSL_CTX_set_tmp_ecdh(listener->ssl_ctx, ecdh);
- EC_KEY_free(ecdh);
-#endif
 #endif
 
  snprintf(buf, 256, "mosquitto-%d", listener->port);
@@ -485,7 +467,7 @@ int net__socket_listen(struct mosquitto__listener *listener)
  X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK);
  }
 
-# ifdef REAL_WITH_TLS_PSK
+# ifdef WITH_TLS_PSK
  }else if(listener->psk_hint){
  if(tls_ex_index_context == -1){
  tls_ex_index_context = SSL_get_ex_new_index(0, "client context", NULL, NULL, NULL);
@@ -507,7 +489,7 @@ int net__socket_listen(struct mosquitto__listener *listener)
  return 1;
  }
  }
-# endif /* REAL_WITH_TLS_PSK */
+# endif /* WITH_TLS_PSK */
  }
 #endif /* WITH_TLS */
  return 0;

test/broker/08-tls-psk-bridge.py

@@ -9,10 +9,6 @@
  print("WARNING: SSL not supported on Python 2.6")
  exit(0)
 
-if ssl.OPENSSL_VERSION_NUMBER < 0x10000000:
- print("WARNING: TLS-PSK not supported on OpenSSL < 1.0")
- exit(0)
-
 
 import inspect, os
 # From https://stackoverflow.com/questions/279237/python-import-a-module-from-a-folder

test/broker/08-tls-psk-pub.py

@@ -8,10 +8,6 @@
  print("WARNING: SSL not supported on Python 2.6")
  exit(0)
 
-if ssl.OPENSSL_VERSION_NUMBER < 0x10000000:
- print("WARNING: TLS-PSK not supported on OpenSSL < 1.0")
- exit(0)
-
 
 import inspect, os
 # From https://stackoverflow.com/questions/279237/python-import-a-module-from-a-folder