Merge pull request #1255 from etactica/ssl-fixes

Ssl fixes for ENGINE and UI includes
eclipse · May 29, 2019 · 44d1700 · 44d1700
2 parents 96d0a26 + 2230384
commit 44d1700
Show file tree

Hide file tree

Showing 3 changed files with 37 additions and 0 deletions.
diff --git a/lib/net_mosq.c b/lib/net_mosq.c
@@ -50,6 +50,7 @@ and the Eclipse Distribution License is available at
 #include <openssl/conf.h>
 #include <openssl/engine.h>
 #include <openssl/err.h>
+#include <openssl/ui.h>
 #include <tls_mosq.h>
 #endif
 
@@ -140,7 +141,9 @@ int net__init(void)
  | OPENSSL_INIT_ADD_ALL_DIGESTS \
  | OPENSSL_INIT_LOAD_CONFIG, NULL);
 # endif
+#if !defined(OPENSSL_NO_ENGINE)
  ENGINE_load_builtin_engines();
+#endif
  setup_ui_method();
  if(tls_ex_index_mosq == -1){
  tls_ex_index_mosq = SSL_get_ex_new_index(0, "client context", NULL, NULL, NULL);
@@ -598,6 +601,7 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
  SSL_CTX_set_mode(mosq->ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
 #endif
 
+#if !defined(OPENSSL_NO_ENGINE)
  if(mosq->tls_engine){
  engine = ENGINE_by_id(mosq->tls_engine);
  if(!engine){
@@ -614,12 +618,15 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
  ENGINE_set_default(engine, ENGINE_METHOD_ALL);
  ENGINE_free(engine); /* release the structural reference from ENGINE_by_id() */
  }
+#endif
 
  if(mosq->tls_ciphers){
  ret = SSL_CTX_set_cipher_list(mosq->ssl_ctx, mosq->tls_ciphers);
  if(ret == 0){
  log__printf(mosq, MOSQ_LOG_ERR, "Error: Unable to set TLS ciphers. Check cipher list \"%s\".", mosq->tls_ciphers);
+#if !defined(OPENSSL_NO_ENGINE)
  ENGINE_FINISH(engine);
+#endif
  COMPAT_CLOSE(mosq->sock);
  mosq->sock = INVALID_SOCKET;
  net__print_ssl_error(mosq);
@@ -646,7 +653,9 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
  log__printf(mosq, MOSQ_LOG_ERR, "Error: Unable to load CA certificates, check capath \"%s\".", mosq->tls_capath);
  }
 #endif
+#if !defined(OPENSSL_NO_ENGINE)
  ENGINE_FINISH(engine);
+#endif
  COMPAT_CLOSE(mosq->sock);
  mosq->sock = INVALID_SOCKET;
  net__print_ssl_error(mosq);
@@ -671,7 +680,9 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
 #else
  log__printf(mosq, MOSQ_LOG_ERR, "Error: Unable to load client certificate \"%s\".", mosq->tls_certfile);
 #endif
+#if !defined(OPENSSL_NO_ENGINE)
  ENGINE_FINISH(engine);
+#endif
  COMPAT_CLOSE(mosq->sock);
  mosq->sock = INVALID_SOCKET;
  net__print_ssl_error(mosq);
@@ -680,6 +691,7 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
  }
  if(mosq->tls_keyfile){
  if(mosq->tls_keyform == mosq_k_engine){
+#if !defined(OPENSSL_NO_ENGINE)
  UI_METHOD *ui_method = net__get_ui_method();
  if(mosq->tls_engine_kpass_sha1){
  if(!ENGINE_ctrl_cmd(engine, ENGINE_SECRET_MODE, ENGINE_SECRET_MODE_SHA, NULL, NULL, 0)){
@@ -713,6 +725,7 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
  net__print_ssl_error(mosq);
  return MOSQ_ERR_TLS;
  }
+#endif
  }else{
  ret = SSL_CTX_use_PrivateKey_file(mosq->ssl_ctx, mosq->tls_keyfile, SSL_FILETYPE_PEM);
  if(ret != 1){
@@ -721,7 +734,9 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
 #else
  log__printf(mosq, MOSQ_LOG_ERR, "Error: Unable to load client key file \"%s\".", mosq->tls_keyfile);
 #endif
+#if !defined(OPENSSL_NO_ENGINE)
  ENGINE_FINISH(engine);
+#endif
  COMPAT_CLOSE(mosq->sock);
  mosq->sock = INVALID_SOCKET;
  net__print_ssl_error(mosq);
@@ -731,7 +746,9 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
  ret = SSL_CTX_check_private_key(mosq->ssl_ctx);
  if(ret != 1){
  log__printf(mosq, MOSQ_LOG_ERR, "Error: Client certificate/key are inconsistent.");
+#if !defined(OPENSSL_NO_ENGINE)
  ENGINE_FINISH(engine);
+#endif
  COMPAT_CLOSE(mosq->sock);
  mosq->sock = INVALID_SOCKET;
  net__print_ssl_error(mosq);

diff --git a/lib/options.c b/lib/options.c
@@ -262,6 +262,7 @@ int mosquitto_string_option(struct mosquitto *mosq, enum mosq_opt_t option, cons
  switch(option){
  case MOSQ_OPT_TLS_ENGINE:
 #ifdef WITH_TLS
+# if !defined(OPENSSL_NO_ENGINE)
  eng = ENGINE_by_id(value);
  if(!eng){
  return MOSQ_ERR_INVAL;
@@ -272,6 +273,7 @@ int mosquitto_string_option(struct mosquitto *mosq, enum mosq_opt_t option, cons
  return MOSQ_ERR_NOMEM;
  }
  return MOSQ_ERR_SUCCESS;
+#endif
 #else
  return MOSQ_ERR_NOT_SUPPORTED;
 #endif

diff --git a/src/net.c b/src/net.c
@@ -534,6 +534,7 @@ int net__socket_listen(struct mosquitto__listener *listener)
  return 1;
  }
  if(listener->tls_engine){
+#if !defined(OPENSSL_NO_ENGINE)
  engine = ENGINE_by_id(listener->tls_engine);
  if(!engine){
  log__printf(NULL, MOSQ_LOG_ERR, "Error loading %s engine\n", listener->tls_engine);
@@ -548,6 +549,7 @@ int net__socket_listen(struct mosquitto__listener *listener)
  }
  ENGINE_set_default(engine, ENGINE_METHOD_ALL);
  ENGINE_free(engine); /* release the structural reference from ENGINE_by_id() */
+#endif
  }
  /* FIXME user data? */
  if(listener->require_certificate){
@@ -560,10 +562,13 @@ int net__socket_listen(struct mosquitto__listener *listener)
  log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to load server certificate \"%s\". Check certfile.", listener->certfile);
  net__print_error(MOSQ_LOG_ERR, "Error: %s");
  COMPAT_CLOSE(sock);
+#if !defined(OPENSSL_NO_ENGINE)
  ENGINE_FINISH(engine);
+#endif
  return 1;
  }
  if(listener->tls_keyform == mosq_k_engine){
+#if !defined(OPENSSL_NO_ENGINE)
  UI_METHOD *ui_method = net__get_ui_method();
  if(listener->tls_engine_kpass_sha1){
  if(!ENGINE_ctrl_cmd(engine, ENGINE_SECRET_MODE, ENGINE_SECRET_MODE_SHA, NULL, NULL, 0)){
@@ -593,13 +598,16 @@ int net__socket_listen(struct mosquitto__listener *listener)
  ENGINE_FINISH(engine);
  return 1;
  }
+#endif
  }else{
  rc = SSL_CTX_use_PrivateKey_file(listener->ssl_ctx, listener->keyfile, SSL_FILETYPE_PEM);
  if(rc != 1){
  log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to load server key file \"%s\". Check keyfile.", listener->keyfile);
  net__print_error(MOSQ_LOG_ERR, "Error: %s");
  COMPAT_CLOSE(sock);
+#if !defined(OPENSSL_NO_ENGINE)
  ENGINE_FINISH(engine);
+#endif
  return 1;
  }
  }
@@ -608,7 +616,9 @@ int net__socket_listen(struct mosquitto__listener *listener)
  log__printf(NULL, MOSQ_LOG_ERR, "Error: Server certificate/key are inconsistent.");
  net__print_error(MOSQ_LOG_ERR, "Error: %s");
  COMPAT_CLOSE(sock);
+#if !defined(OPENSSL_NO_ENGINE)
  ENGINE_FINISH(engine);
+#endif
  return 1;
  }
  /* Load CRLs if they exist. */
@@ -618,7 +628,9 @@ int net__socket_listen(struct mosquitto__listener *listener)
  log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to obtain TLS store.");
  net__print_error(MOSQ_LOG_ERR, "Error: %s");
  COMPAT_CLOSE(sock);
+#if !defined(OPENSSL_NO_ENGINE)
  ENGINE_FINISH(engine);
+#endif
  return 1;
  }
  lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
@@ -627,7 +639,9 @@ int net__socket_listen(struct mosquitto__listener *listener)
  log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to load certificate revocation file \"%s\". Check crlfile.", listener->crlfile);
  net__print_error(MOSQ_LOG_ERR, "Error: %s");
  COMPAT_CLOSE(sock);
+#if !defined(OPENSSL_NO_ENGINE)
  ENGINE_FINISH(engine);
+#endif
  return 1;
  }
  X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK);
@@ -644,7 +658,9 @@ int net__socket_listen(struct mosquitto__listener *listener)
 
  if(mosquitto__tls_server_ctx(listener)){
  COMPAT_CLOSE(sock);
+#if !defined(OPENSSL_NO_ENGINE)
  ENGINE_FINISH(engine);
+#endif
  return 1;
  }
  SSL_CTX_set_psk_server_callback(listener->ssl_ctx, psk_server_callback);
@@ -654,7 +670,9 @@ int net__socket_listen(struct mosquitto__listener *listener)
  log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to set TLS PSK hint.");
  net__print_error(MOSQ_LOG_ERR, "Error: %s");
  COMPAT_CLOSE(sock);
+#if !defined(OPENSSL_NO_ENGINE)
  ENGINE_FINISH(engine);
+#endif
  return 1;
  }
  }