authorAlan Antonuk <alan.antonuk@gmail.com>2021-04-07 05:26:00 +0000
committerAlan Antonuk <alan.antonuk@gmail.com>2021-04-06 22:40:58 -0700
commit85a51d01fa7712ff42a6fcb432c2821fe9583459 (patch)
tree671aa9b9e9609e262e6a4901759d5123f1c5f0b8 /librabbitmq
parent5d1fd824227f8eb20b1ac2eb63d6533d7479556a (diff)
ssl: drop support OpenSSL v1.1.0 and older
v1.1.0 and older are no longer supported by OpenSSL (https://www.openssl.org/policies/releasestrat.html). While there is the possibility that someone is paying for support for v1.0.2, this library is not regularly tested against these versions. As a side-effect, older workarounds for hostname verification can be removed. Signed-off-by: GitHub <noreply@github.com>
Diffstat (limited to 'librabbitmq')
-rw-r--r--librabbitmq/CMakeLists.txt2
-rw-r--r--librabbitmq/amqp_openssl.c12
-rw-r--r--librabbitmq/amqp_openssl_bio.c24
-rw-r--r--librabbitmq/amqp_openssl_bio.h8
-rw-r--r--librabbitmq/amqp_openssl_hostname_validation.c183
-rw-r--r--librabbitmq/amqp_openssl_hostname_validation.h58
6 files changed, 2 insertions, 285 deletions
diff --git a/librabbitmq/CMakeLists.txt b/librabbitmq/CMakeLists.txt
index 16a5d4e..daecc02 100644
--- a/librabbitmq/CMakeLists.txt
+++ b/librabbitmq/CMakeLists.txt
@@ -70,8 +70,6 @@ if (ENABLE_SSL_SUPPORT)
${AMQP_SSL_SOCKET_SHIM_PATH}
${AMQP_SSL_SOCKET_H_PATH}
amqp_openssl.c
- amqp_openssl_hostname_validation.c
- amqp_openssl_hostname_validation.h
amqp_hostcheck.c
amqp_hostcheck.h
amqp_openssl_bio.c
diff --git a/librabbitmq/amqp_openssl.c b/librabbitmq/amqp_openssl.c
index 058d69a..478c1e1 100644
--- a/librabbitmq/amqp_openssl.c
+++ b/librabbitmq/amqp_openssl.c
@@ -33,7 +33,6 @@
#endif
#include "amqp_openssl_bio.h"
-#include "amqp_openssl_hostname_validation.h"
#include "amqp_private.h"
#include "amqp_socket.h"
#include "amqp_time.h"
@@ -260,7 +259,8 @@ start_connect:
goto error_out3;
}
- if (AMQP_HVR_MATCH_FOUND != amqp_ssl_validate_hostname(host, cert)) {
+ if (1 != X509_check_host(cert, host, 0,
+ X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS, NULL)) {
self->internal_error = 0;
status = AMQP_STATUS_SSL_HOSTNAME_VERIFY_FAILED;
goto error_out4;
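Review bot: The `1 != X509_check_host(...)` test on the added lines is correct but undocumented: X509_check_host() returns 1 on match, 0 on mismatch, -1 on an internal error (e.g. allocation or ASN.1 decoding failure) and -2 on malformed input, and all of those non-1 results are collapsed here into AMQP_STATUS_SSL_HOSTNAME_VERIFY_FAILED with `self->internal_error = 0`. A comment such as `/* X509_check_host(): 1 = match, 0 = mismatch, <0 = malformed input or internal error; only 1 is acceptable. */` would keep the next reader from "fixing" this to `<= 0` or `== 0`. X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS is also a behavioural change relative to the deleted amqp_hostcheck()-based path if that matcher accepted patterns like `f*.example.com`; it is the stricter and safer choice, but the commit message only describes removing workarounds, so a one-line note that partial-wildcard certificates are now rejected would help. The enclosing function starts and ends outside this hunk.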
@@ -637,14 +637,10 @@ static int setup_openssl(void) {
CRYPTO_set_id_callback(ssl_threadid_callback);
CRYPTO_set_locking_callback(ssl_locking_callback);
-#ifdef AMQP_OPENSSL_V110
if (OPENSSL_init_ssl(0, NULL) <= 0) {
status = AMQP_STATUS_SSL_ERROR;
goto out;
}
-#else
- OPENSSL_config(NULL);
-#endif
SSL_library_init();
SSL_load_error_strings();
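Review bot: With the pre-1.1.0 branch removed, `SSL_library_init();` and `SSL_load_error_strings();` after the OPENSSL_init_ssl() call are redundant: on OpenSSL 1.1.0+ both are compatibility macros that expand to OPENSSL_init_ssl() themselves. Likewise `CRYPTO_set_id_callback(...)` and `CRYPTO_set_locking_callback(...)` at the top of this hunk, and their NULL counterparts in the amqp_uninitialize_ssl_library() hunk below, are no-op macros since 1.1.0 (the library does its own locking), so the thread-safety they appear to provide no longer comes from these lines. Dropping them, or marking them with `/* no-ops on OpenSSL >= 1.1.0, kept only for clarity */`, would stop the code from implying a setup step that no longer exists. setup_openssl() starts before this hunk and continues past it.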
@@ -758,10 +754,6 @@ int amqp_uninitialize_ssl_library(void) {
amqp_openssl_bio_destroy();
openssl_bio_initialized = 0;
-#ifndef AMQP_OPENSSL_V110
- ERR_remove_state(0);
-#endif
-
CRYPTO_set_locking_callback(NULL);
CRYPTO_set_id_callback(NULL);
{
diff --git a/librabbitmq/amqp_openssl_bio.c b/librabbitmq/amqp_openssl_bio.c
index 3556d6f..9d99602 100644
--- a/librabbitmq/amqp_openssl_bio.c
+++ b/librabbitmq/amqp_openssl_bio.c
@@ -120,25 +120,11 @@ static int amqp_openssl_bio_read(BIO *b, char *out, int outl) {
return res;
}
-
-#ifndef AMQP_OPENSSL_V110
-static int BIO_meth_set_write(BIO_METHOD *biom,
- int (*wfn)(BIO *, const char *, int)) {
- biom->bwrite = wfn;
- return 0;
-}
-
-static int BIO_meth_set_read(BIO_METHOD *biom, int (*rfn)(BIO *, char *, int)) {
- biom->bread = rfn;
- return 0;
-}
-#endif /* AQP_OPENSSL_V110 */
#endif /* AMQP_USE_AMQP_BIO */
int amqp_openssl_bio_init(void) {
assert(!amqp_ssl_bio_initialized);
#ifdef AMQP_USE_AMQP_BIO
-#ifdef AMQP_OPENSSL_V110
if (!(amqp_bio_method = BIO_meth_new(BIO_TYPE_SOCKET, "amqp_bio_method"))) {
return AMQP_STATUS_NO_MEMORY;
}
@@ -155,13 +141,7 @@ int amqp_openssl_bio_init(void) {
BIO_meth_set_write(amqp_bio_method, BIO_meth_get_write(meth));
BIO_meth_set_gets(amqp_bio_method, BIO_meth_get_gets(meth));
BIO_meth_set_puts(amqp_bio_method, BIO_meth_get_puts(meth));
-#else
- if (!(amqp_bio_method = OPENSSL_malloc(sizeof(BIO_METHOD)))) {
- return AMQP_STATUS_NO_MEMORY;
- }
- memcpy(amqp_bio_method, BIO_s_socket(), sizeof(BIO_METHOD));
-#endif
BIO_meth_set_write(amqp_bio_method, amqp_openssl_bio_write);
BIO_meth_set_read(amqp_bio_method, amqp_openssl_bio_read);
#endif
@@ -173,11 +153,7 @@ int amqp_openssl_bio_init(void) {
void amqp_openssl_bio_destroy(void) {
assert(amqp_ssl_bio_initialized);
#ifdef AMQP_USE_AMQP_BIO
-#ifdef AMQP_OPENSSL_V110
BIO_meth_free(amqp_bio_method);
-#else
- OPENSSL_free(amqp_bio_method);
-#endif
amqp_bio_method = NULL;
#endif
amqp_ssl_bio_initialized = 0;
diff --git a/librabbitmq/amqp_openssl_bio.h b/librabbitmq/amqp_openssl_bio.h
index ec09c5e..586f655 100644
--- a/librabbitmq/amqp_openssl_bio.h
+++ b/librabbitmq/amqp_openssl_bio.h
@@ -29,15 +29,7 @@ int amqp_openssl_bio_init(void);
void amqp_openssl_bio_destroy(void);
-#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
-#define AMQP_OPENSSL_V110
-#endif
-
-#ifdef AMQP_OPENSSL_V110
typedef const BIO_METHOD *BIO_METHOD_PTR;
-#else
-typedef BIO_METHOD *BIO_METHOD_PTR;
-#endif
BIO_METHOD_PTR amqp_openssl_bio(void);
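Review bot: Removing the `OPENSSL_VERSION_NUMBER >= 0x10100000L` guard leaves nothing that states the new minimum version, so a build against an older OpenSSL would now fail with unrelated errors (undefined BIO_meth_new, OPENSSL_init_ssl, X509_check_host) instead of a clear message. Since the header already relies on OPENSSL_VERSION_NUMBER being in scope, a compile-time guard makes the requirement explicit: `#if OPENSSL_VERSION_NUMBER < 0x10100000L` / `#error "librabbitmq requires OpenSSL 1.1.0 or newer"` / `#endif`. The CMake side is not visible here; if find_package(OpenSSL) does not yet carry a minimum version, setting it there as well would catch the problem at configure time.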
diff --git a/librabbitmq/amqp_openssl_hostname_validation.c b/librabbitmq/amqp_openssl_hostname_validation.c
deleted file mode 100644
index 01cf740..0000000
--- a/librabbitmq/amqp_openssl_hostname_validation.c
+++ /dev/null
@@ -1,183 +0,0 @@
-/*
- * Copyright (C) 2012, iSEC Partners.
- * Copyright (C) 2015 Alan Antonuk.
- *
- * All rights reserved.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
- * IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
- * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
- * OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
- * USE OR OTHER DEALINGS IN THE SOFTWARE.
- *
- * Except as contained in this notice, the name of a copyright holder shall
- * not be used in advertising or otherwise to promote the sale, use or other
- * dealings in this Software without prior written authorization of the
- * copyright holder.
- */
-
-/* Originally from:
- * https://github.com/iSECPartners/ssl-conservatory
- * https://wiki.openssl.org/index.php/Hostname_validation
- */
-
-#if defined(_WIN32)
-#define WIN32_LEAN_AND_MEAN
-#endif
-
-#include <openssl/ssl.h>
-#include <openssl/x509v3.h>
-
-#include "amqp_hostcheck.h"
-#include "amqp_openssl_bio.h"
-#include "amqp_openssl_hostname_validation.h"
-
-#include <string.h>
-
-#define HOSTNAME_MAX_SIZE 255
-
-/**
- * Tries to find a match for hostname in the certificate's Common Name field.
- *
- * Returns AMQP_HVR_MATCH_FOUND if a match was found.
- * Returns AMQP_HVR_MATCH_NOT_FOUND if no matches were found.
- * Returns AMQP_HVR_MALFORMED_CERTIFICATE if the Common Name had a NUL character
- * embedded in it.
- * Returns AMQP_HVR_ERROR if the Common Name could not be extracted.
- */
-static amqp_hostname_validation_result amqp_matches_common_name(
- const char *hostname, const X509 *server_cert) {
- int common_name_loc = -1;
- X509_NAME_ENTRY *common_name_entry = NULL;
- ASN1_STRING *common_name_asn1 = NULL;
- const char *common_name_str = NULL;
-
- // Find the position of the CN field in the Subject field of the certificate
- common_name_loc = X509_NAME_get_index_by_NID(
- X509_get_subject_name((X509 *)server_cert), NID_commonName, -1);
- if (common_name_loc < 0) {
- return AMQP_HVR_ERROR;
- }
-
- // Extract the CN field
- common_name_entry = X509_NAME_get_entry(
- X509_get_subject_name((X509 *)server_cert), common_name_loc);
- if (common_name_entry == NULL) {
- return AMQP_HVR_ERROR;
- }
-
- // Convert the CN field to a C string
- common_name_asn1 = X509_NAME_ENTRY_get_data(common_name_entry);
- if (common_name_asn1 == NULL) {
- return AMQP_HVR_ERROR;
- }
-
-#ifdef AMQP_OPENSSL_V110
- common_name_str = (const char *)ASN1_STRING_get0_data(common_name_asn1);
-#else
- common_name_str = (char *)ASN1_STRING_data(common_name_asn1);
-#endif
-
- // Make sure there isn't an embedded NUL character in the CN
- if ((size_t)ASN1_STRING_length(common_name_asn1) != strlen(common_name_str)) {
- return AMQP_HVR_MALFORMED_CERTIFICATE;
- }
-
- // Compare expected hostname with the CN
- if (amqp_hostcheck(common_name_str, hostname) == AMQP_HCR_MATCH) {
- return AMQP_HVR_MATCH_FOUND;
- } else {
- return AMQP_HVR_MATCH_NOT_FOUND;
- }
-}
-
-/**
- * Tries to find a match for hostname in the certificate's Subject Alternative
- * Name extension.
- *
- * Returns AMQP_HVR_MATCH_FOUND if a match was found.
- * Returns AMQP_HVR_MATCH_NOT_FOUND if no matches were found.
- * Returns AMQP_HVR_MALFORMED_CERTIFICATE if any of the hostnames had a NUL
- * character embedded in it.
- * Returns AMQP_HVR_NO_SAN_PRESENT if the SAN extension was not present in the
- * certificate.
- */
-static amqp_hostname_validation_result amqp_matches_subject_alternative_name(
- const char *hostname, const X509 *server_cert) {
- amqp_hostname_validation_result result = AMQP_HVR_MATCH_NOT_FOUND;
- int i;
- int san_names_nb = -1;
- STACK_OF(GENERAL_NAME) *san_names = NULL;
-
- // Try to extract the names within the SAN extension from the certificate
- san_names =
- X509_get_ext_d2i((X509 *)server_cert, NID_subject_alt_name, NULL, NULL);
- if (san_names == NULL) {
- return AMQP_HVR_NO_SAN_PRESENT;
- }
- san_names_nb = sk_GENERAL_NAME_num(san_names);
-
- // Check each name within the extension
- for (i = 0; i < san_names_nb; i++) {
- const GENERAL_NAME *current_name = sk_GENERAL_NAME_value(san_names, i);
-
- if (current_name->type == GEN_DNS) {
- // Current name is a DNS name, let's check it
- const char *dns_name = (const char *)
-#ifdef AMQP_OPENSSL_V110
- ASN1_STRING_get0_data(current_name->d.dNSName);
-#else
- ASN1_STRING_data(current_name->d.dNSName);
-#endif
-
- // Make sure there isn't an embedded NUL character in the DNS name
- if ((size_t)ASN1_STRING_length(current_name->d.dNSName) !=
- strlen(dns_name)) {
- result = AMQP_HVR_MALFORMED_CERTIFICATE;
- break;
- } else { // Compare expected hostname with the DNS name
- if (amqp_hostcheck(dns_name, hostname) == AMQP_HCR_MATCH) {
- result = AMQP_HVR_MATCH_FOUND;
- break;
- }
- }
- }
- }
- sk_GENERAL_NAME_pop_free(san_names, GENERAL_NAME_free);
-
- return result;
-}
-
-/**
- * Validates the server's identity by looking for the expected hostname in the
- * server's certificate. As described in RFC 6125, it first tries to find a
- * match in the Subject Alternative Name extension. If the extension is not
- * present in the certificate, it checks the Common Name instead.
- *
- * Returns AMQP_HVR_MATCH_FOUND if a match was found.
- * Returns AMQP_HVR_MATCH_NOT_FOUND if no matches were found.
- * Returns AMQP_HVR_MALFORMED_CERTIFICATE if any of the hostnames had a NUL
- * character embedded in it.
- * Returns AMQP_HVR_ERROR if there was an error.
- */
-amqp_hostname_validation_result amqp_ssl_validate_hostname(
- const char *hostname, const X509 *server_cert) {
- amqp_hostname_validation_result result;
-
- if ((hostname == NULL) || (server_cert == NULL)) return AMQP_HVR_ERROR;
-
- // First try the Subject Alternative Names extension
- result = amqp_matches_subject_alternative_name(hostname, server_cert);
- if (result == AMQP_HVR_NO_SAN_PRESENT) {
- // Extension was not found: try the Common Name
- result = amqp_matches_common_name(hostname, server_cert);
- }
-
- return result;
-}
diff --git a/librabbitmq/amqp_openssl_hostname_validation.h b/librabbitmq/amqp_openssl_hostname_validation.h
deleted file mode 100644
index 920c5b3..0000000
--- a/librabbitmq/amqp_openssl_hostname_validation.h
+++ /dev/null
@@ -1,58 +0,0 @@
-#ifndef librabbitmq_amqp_openssl_hostname_validation_h
-#define librabbitmq_amqp_openssl_hostname_validation_h
-
-/*
- * Copyright (C) 2012, iSEC Partners.
- * Copyright (C) 2015 Alan Antonuk.
- *
- * All rights reserved.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
- * IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
- * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
- * OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
- * USE OR OTHER DEALINGS IN THE SOFTWARE.
- *
- * Except as contained in this notice, the name of a copyright holder shall
- * not be used in advertising or otherwise to promote the sale, use or other
- * dealings in this Software without prior written authorization of the
- * copyright holder.
- */
-
-/* Originally from:
- * https://github.com/iSECPartners/ssl-conservatory
- * https://wiki.openssl.org/index.php/Hostname_validation
- */
-
-#include <openssl/ossl_typ.h>
-
-typedef enum {
- AMQP_HVR_MATCH_FOUND,
- AMQP_HVR_MATCH_NOT_FOUND,
- AMQP_HVR_NO_SAN_PRESENT,
- AMQP_HVR_MALFORMED_CERTIFICATE,
- AMQP_HVR_ERROR
-} amqp_hostname_validation_result;
-
-/**
- * Validates the server's identity by looking for the expected hostname in the
- * server's certificate. As described in RFC 6125, it first tries to find a
- * match in the Subject Alternative Name extension. If the extension is not
- * present in the certificate, it checks the Common Name instead.
- *
- * Returns AMQP_HVR_MATCH_FOUND if a match was found.
- * Returns AMQP_HVR_MATCH_NOT_FOUND if no matches were found.
- * Returns AMQP_HVR_MALFORMED_CERTIFICATE if any of the hostnames had a NUL
- * character embedded in it.
- * Returns AMQP_HVR_ERROR if there was an error.
- */
-amqp_hostname_validation_result amqp_ssl_validate_hostname(
- const char *hostname, const X509 *server_cert);
-
-#endif