author | Simon Giesecke <simon.giesecke@btc-ag.com> | 2018-03-12 14:07:18 +0100 |
---|---|---|
committer | Alan Antonuk <alan.antonuk@gmail.com> | 2018-03-22 23:33:17 -0700 |
commit | 0d7f84f0b1f5fb322ff2bca9262fb8faf99202e4 (patch) | |
tree | d4b7671592f1cc672e6f228c62d5a34767e50173 | |
parent | ef8c3b9d2bbe99c6c279554e86e460cf3fbe7ed3 (diff) | |
download | rabbitmq-c-0d7f84f0b1f5fb322ff2bca9262fb8faf99202e4.tar.gz |
Lib: remove use of OpenSSL functions deprecated in v1.1.0+
-rw-r--r-- | librabbitmq/amqp_openssl.c | 10 | ||||
-rw-r--r-- | librabbitmq/amqp_openssl_bio.c | 11 | ||||
-rw-r--r-- | librabbitmq/amqp_openssl_bio.h | 12 | ||||
-rw-r--r-- | librabbitmq/amqp_openssl_hostname_validation.c | 75 |
4 files changed, 70 insertions, 38 deletions
diff --git a/librabbitmq/amqp_openssl.c b/librabbitmq/amqp_openssl.c index e9f71f2..40a01e8 100644 --- a/librabbitmq/amqp_openssl.c +++ b/librabbitmq/amqp_openssl.c @@ -583,7 +583,15 @@ static int setup_openssl(void) { CRYPTO_set_id_callback(ssl_threadid_callback); CRYPTO_set_locking_callback(ssl_locking_callback); +#ifdef AMQP_OPENSSL_V110 + if (CONF_modules_load_file(NULL, "rabbitmq-c", CONF_MFLAGS_DEFAULT_SECTION) <= + 0) { + status = AMQP_STATUS_SSL_ERROR; + goto out; + } +#else OPENSSL_config(NULL); +#endif SSL_library_init(); SSL_load_error_strings(); @@ -660,7 +668,9 @@ int amqp_uninitialize_ssl_library(void) { amqp_openssl_bio_destroy(); openssl_bio_initialized = 0; +#ifndef AMQP_OPENSSL_V110 ERR_remove_state(0); +#endif FIPS_mode_set(0); CRYPTO_set_locking_callback(NULL); diff --git a/librabbitmq/amqp_openssl_bio.c b/librabbitmq/amqp_openssl_bio.c index 91a46bb..3556d6f 100644 --- a/librabbitmq/amqp_openssl_bio.c +++ b/librabbitmq/amqp_openssl_bio.c @@ -44,10 +44,6 @@ static int amqp_ssl_bio_initialized = 0; #ifdef AMQP_USE_AMQP_BIO -#if (OPENSSL_VERSION_NUMBER > 0x10100000L) -#define AMQP_OPENSSL_V110 -#endif - static BIO_METHOD *amqp_bio_method; static int amqp_openssl_bio_should_retry(int res) { @@ -147,7 +143,10 @@ int amqp_openssl_bio_init(void) { return AMQP_STATUS_NO_MEMORY; } - BIO_METHOD *meth = BIO_s_socket(); + // casting away const is necessary until + // https://github.com/openssl/openssl/pull/2181/, which is targeted for + // openssl 1.1.1 + BIO_METHOD *meth = (BIO_METHOD *)BIO_s_socket(); BIO_meth_set_create(amqp_bio_method, BIO_meth_get_create(meth)); BIO_meth_set_destroy(amqp_bio_method, BIO_meth_get_destroy(meth)); BIO_meth_set_ctrl(amqp_bio_method, BIO_meth_get_ctrl(meth)); @@ -184,7 +183,7 @@ void amqp_openssl_bio_destroy(void) { amqp_ssl_bio_initialized = 0; } -BIO_METHOD *amqp_openssl_bio(void) { +BIO_METHOD_PTR amqp_openssl_bio(void) { assert(amqp_ssl_bio_initialized); #ifdef AMQP_USE_AMQP_BIO return amqp_bio_method; 
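Review bot: The new CONF_modules_load_file() call in setup_openssl turns a missing OpenSSL config file into a hard AMQP_STATUS_SSL_ERROR on 1.1.0+ builds, whereas the OPENSSL_config(NULL) it replaces loads the file with CONF_MFLAGS_IGNORE_MISSING_FILE and ignores the result, so systems without an openssl.cnf would start failing only on the new path. Unless requiring a config file is intended, keep the old tolerance: `if (CONF_modules_load_file(NULL, "rabbitmq-c", CONF_MFLAGS_DEFAULT_SECTION | CONF_MFLAGS_IGNORE_MISSING_FILE) <= 0) {`, or use the 1.1.0 replacement for OPENSSL_config(), `OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL)`. The `status` variable and the `out` label are outside the hunk, as are the start and end of setup_openssl. The SSL_library_init() and SSL_load_error_strings() context lines are themselves deprecated in 1.1.0 (OPENSSL_init_ssl() supersedes them), so the commit title is only partly met in this function.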
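Review bot: The comment above the new `(BIO_METHOD *)BIO_s_socket()` cast in amqp_openssl_bio_init says when the cast can go away but not why it is safe today; dropping const is only harmless because, in the visible lines, `meth` is passed solely to the BIO_meth_get_* getters and is never written through, and a future BIO_meth_set_* call on `meth` would modify a const object. State that invariant in the comment, e.g. `// BIO_s_socket() returns const BIO_METHOD * in 1.1.0; the cast only satisfies the non-const BIO_meth_get_* prototypes and meth must never be written through (see https://github.com/openssl/openssl/pull/2181/)`. amqp_openssl_bio_init starts before and ends after this hunk, so the remaining uses of `meth` should be checked against that invariant as well.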
diff --git a/librabbitmq/amqp_openssl_bio.h b/librabbitmq/amqp_openssl_bio.h index 9c99c78..ec09c5e 100644 --- a/librabbitmq/amqp_openssl_bio.h +++ b/librabbitmq/amqp_openssl_bio.h @@ -29,6 +29,16 @@ int amqp_openssl_bio_init(void); void amqp_openssl_bio_destroy(void); -BIO_METHOD* amqp_openssl_bio(void); +#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) +#define AMQP_OPENSSL_V110 +#endif + +#ifdef AMQP_OPENSSL_V110 +typedef const BIO_METHOD *BIO_METHOD_PTR; +#else +typedef BIO_METHOD *BIO_METHOD_PTR; +#endif + +BIO_METHOD_PTR amqp_openssl_bio(void); #endif /* ifndef AMQP_OPENSSL_BIO */ diff --git a/librabbitmq/amqp_openssl_hostname_validation.c b/librabbitmq/amqp_openssl_hostname_validation.c index ea61186..133d73c 100644 --- a/librabbitmq/amqp_openssl_hostname_validation.c +++ b/librabbitmq/amqp_openssl_hostname_validation.c 
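Review bot: The `#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)` test only works if OPENSSL_VERSION_NUMBER is already defined when this header is preprocessed; an undefined identifier in `#if` evaluates to 0, so an includer that has not pulled in an OpenSSL header first silently gets the pre-1.1.0 typedef and, via AMQP_OPENSSL_V110, the deprecated code paths in amqp_openssl.c and amqp_openssl_hostname_validation.c. Add `#include <openssl/opensslv.h>` to this header before the check unless an earlier include outside the hunk already guarantees it. Separately, the comparison moved from `>` in amqp_openssl_bio.c to `>=` here, which changes the outcome only for the 0x10100000L pre-release value; worth a line in the commit message if intentional.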
@@ -31,25 +31,28 @@ #include <openssl/x509v3.h> #include "amqp_hostcheck.h" +#include "amqp_openssl_bio.h" #include "amqp_openssl_hostname_validation.h" +#include <string.h> + #define HOSTNAME_MAX_SIZE 255 /** -* Tries to find a match for hostname in the certificate's Common Name field. -* -* Returns AMQP_HVR_MATCH_FOUND if a match was found. -* Returns AMQP_HVR_MATCH_NOT_FOUND if no matches were found. -* Returns AMQP_HVR_MALFORMED_CERTIFICATE if the Common Name had a NUL character -* embedded in it. -* Returns AMQP_HVR_ERROR if the Common Name could not be extracted. -*/ + * Tries to find a match for hostname in the certificate's Common Name field. + * + * Returns AMQP_HVR_MATCH_FOUND if a match was found. + * Returns AMQP_HVR_MATCH_NOT_FOUND if no matches were found. + * Returns AMQP_HVR_MALFORMED_CERTIFICATE if the Common Name had a NUL character + * embedded in it. + * Returns AMQP_HVR_ERROR if the Common Name could not be extracted. + */ static amqp_hostname_validation_result amqp_matches_common_name( const char *hostname, const X509 *server_cert) { int common_name_loc = -1; X509_NAME_ENTRY *common_name_entry = NULL; ASN1_STRING *common_name_asn1 = NULL; - char *common_name_str = NULL; + const char *common_name_str = NULL; // Find the position of the CN field in the Subject field of the certificate common_name_loc = X509_NAME_get_index_by_NID( @@ -70,7 +73,12 @@ static amqp_hostname_validation_result amqp_matches_common_name( if (common_name_asn1 == NULL) { return AMQP_HVR_ERROR; } + +#ifdef AMQP_OPENSSL_V110 + common_name_str = (const char *)ASN1_STRING_get0_data(common_name_asn1); +#else common_name_str = (char *)ASN1_STRING_data(common_name_asn1); +#endif // Make sure there isn't an embedded NUL character in the CN if ((size_t)ASN1_STRING_length(common_name_asn1) != strlen(common_name_str)) { 
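Review bot: amqp_openssl_hostname_validation.c now includes amqp_openssl_bio.h solely to obtain AMQP_OPENSSL_V110, which ties the hostname-validation code to the BIO module's header; a small shared version header, or defining the macro where the OpenSSL version is first known, would keep that dependency explicit. The new `#include <string.h>` (needed for the strlen() call already in the function) is placed after the project headers even though the file's other system include, `<openssl/x509v3.h>`, sits at the top; move it next to that one. A one-line comment such as `/* AMQP_OPENSSL_V110 comes from amqp_openssl_bio.h */` above the `#ifdef AMQP_OPENSSL_V110` in the second hunk would save the next reader a search.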
@@ -86,16 +94,16 @@ static amqp_hostname_validation_result amqp_matches_common_name( } /** -* Tries to find a match for hostname in the certificate's Subject Alternative -* Name extension. -* -* Returns AMQP_HVR_MATCH_FOUND if a match was found. -* Returns AMQP_HVR_MATCH_NOT_FOUND if no matches were found. -* Returns AMQP_HVR_MALFORMED_CERTIFICATE if any of the hostnames had a NUL -* character embedded in it. -* Returns AMQP_HVR_NO_SAN_PRESENT if the SAN extension was not present in the -* certificate. -*/ + * Tries to find a match for hostname in the certificate's Subject Alternative + * Name extension. + * + * Returns AMQP_HVR_MATCH_FOUND if a match was found. + * Returns AMQP_HVR_MATCH_NOT_FOUND if no matches were found. + * Returns AMQP_HVR_MALFORMED_CERTIFICATE if any of the hostnames had a NUL + * character embedded in it. + * Returns AMQP_HVR_NO_SAN_PRESENT if the SAN extension was not present in the + * certificate. + */ static amqp_hostname_validation_result amqp_matches_subject_alternative_name( const char *hostname, const X509 *server_cert) { amqp_hostname_validation_result result = AMQP_HVR_MATCH_NOT_FOUND; @@ -117,7 +125,12 @@ static amqp_hostname_validation_result amqp_matches_subject_alternative_name( if (current_name->type == GEN_DNS) { // Current name is a DNS name, let's check it - char *dns_name = (char *)ASN1_STRING_data(current_name->d.dNSName); + const char *dns_name = (const char *) +#ifdef AMQP_OPENSSL_V110 + ASN1_STRING_get0_data(current_name->d.dNSName); +#else + ASN1_STRING_data(current_name->d.dNSName); +#endif // Make sure there isn't an embedded NUL character in the DNS name if ((size_t)ASN1_STRING_length(current_name->d.dNSName) != 
@@ -138,17 +151,17 @@ static amqp_hostname_validation_result amqp_matches_subject_alternative_name( } /** -* Validates the server's identity by looking for the expected hostname in the -* server's certificate. As described in RFC 6125, it first tries to find a match -* in the Subject Alternative Name extension. If the extension is not present in -* the certificate, it checks the Common Name instead. -* -* Returns AMQP_HVR_MATCH_FOUND if a match was found. -* Returns AMQP_HVR_MATCH_NOT_FOUND if no matches were found. -* Returns AMQP_HVR_MALFORMED_CERTIFICATE if any of the hostnames had a NUL -* character embedded in it. -* Returns AMQP_HVR_ERROR if there was an error. -*/ + * Validates the server's identity by looking for the expected hostname in the + * server's certificate. As described in RFC 6125, it first tries to find a + * match in the Subject Alternative Name extension. If the extension is not + * present in the certificate, it checks the Common Name instead. + * + * Returns AMQP_HVR_MATCH_FOUND if a match was found. + * Returns AMQP_HVR_MATCH_NOT_FOUND if no matches were found. + * Returns AMQP_HVR_MALFORMED_CERTIFICATE if any of the hostnames had a NUL + * character embedded in it. + * Returns AMQP_HVR_ERROR if there was an error. + */ amqp_hostname_validation_result amqp_ssl_validate_hostname( const char *hostname, const X509 *server_cert) { amqp_hostname_validation_result result; |