

Fix various OpenSSL version compatibilities.
Since 1.1.0 the library auto-initializes, and on 3.x these functions are deprecated.
Use ERR_get_error instead of ERR_get_error_line_data since we don't use the extra options.
Detect if library supports SSL_OP_NO_TLSv1_1 before using.
dougnazar committed Aug 1, 2024
1 parent 9221a7a commit b391bcd
Showing 2 changed files with 22 additions and 16 deletions.
20 changes: 12 additions & 8 deletions src/check_nrpe.c
Expand Up @@ -855,11 +855,13 @@ void setup_ssl()

/* initialize SSL */
if (use_ssl == TRUE) {
#if OPENSSL_VERSION_NUMBER < 0x10100000
SSL_load_error_strings();
SSL_library_init();
ENGINE_load_builtin_engines();
RAND_set_rand_engine(NULL);
ENGINE_register_all_complete();
#endif

#if OPENSSL_VERSION_NUMBER >= 0x10100000

Expand Down Expand Up @@ -952,7 +954,9 @@ void setup_ssl()
#endif
case TLSv1_2:
case TLSv1_2_plus:
#ifdef SSL_OP_NO_TLSv1_1
ssl_opts |= SSL_OP_NO_TLSv1_1;
#endif
case TLSv1_1:
case TLSv1_1_plus:
ssl_opts |= SSL_OP_NO_TLSv1;
Expand All @@ -972,7 +976,7 @@ void setup_ssl()
if (sslprm.cert_file != NULL && sslprm.privatekey_file != NULL) {
if (!SSL_CTX_use_certificate_chain_file(ctx, sslprm.cert_file)) {
printf("Error: could not use certificate file '%s'.\n", sslprm.cert_file);
while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) {
while ((x = ERR_get_error()) != 0) {
printf("Error: could not use certificate file '%s': %s\n", sslprm.cert_file, ERR_reason_error_string(x));
}
SSL_CTX_free(ctx);
Expand All @@ -981,7 +985,7 @@ void setup_ssl()
if (!SSL_CTX_use_PrivateKey_file(ctx, sslprm.privatekey_file, SSL_FILETYPE_PEM)) {
SSL_CTX_free(ctx);
printf("Error: could not use private key file '%s'.\n", sslprm.privatekey_file);
while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) {
while ((x = ERR_get_error()) != 0) {
printf("Error: could not use private key file '%s': %s\n", sslprm.privatekey_file, ERR_reason_error_string(x));
}
SSL_CTX_free(ctx);
Expand All @@ -994,8 +998,8 @@ void setup_ssl()
SSL_CTX_set_verify(ctx, vrfy, verify_callback);
if (!SSL_CTX_load_verify_locations(ctx, sslprm.cacert_file, NULL)) {
printf("Error: could not use CA certificate '%s'.\n", sslprm.cacert_file);
while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) {
printf("Error: could not use CA certificate '%s': %s\n", sslprm.privatekey_file, ERR_reason_error_string(x));
while ((x = ERR_get_error()) != 0) {
printf("Error: could not use CA certificate '%s': %s\n", sslprm.cacert_file, ERR_reason_error_string(x));
}
SSL_CTX_free(ctx);
exit(timeout_return_code);
Expand All @@ -1021,7 +1025,7 @@ void setup_ssl()

if (SSL_CTX_set_cipher_list(ctx, sslprm.cipher_list) == 0) {
printf("Error: Could not set SSL/TLS cipher list: %s\n", sslprm.cipher_list);
while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) {
while ((x = ERR_get_error()) != 0) {
printf("Could not set SSL/TLS cipher list '%s': %s\n", sslprm.cipher_list, ERR_reason_error_string(x));
}
SSL_CTX_free(ctx);
Expand Down Expand Up @@ -1095,15 +1099,15 @@ int connect_to_remote()

if (sslprm.log_opts & (SSL_LogCertDetails | SSL_LogIfClientCert)) {
rc = 0;
while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) {
logit(LOG_ERR, "Error: (ERR_get_error_line_data = %d), Could not complete SSL handshake with %s: %s", x, rem_host, ERR_reason_error_string(x));
while ((x = ERR_get_error()) != 0) {
logit(LOG_ERR, "Error: (ERR_get_error = 0x%08x), Could not complete SSL handshake with %s: %s", x, rem_host, ERR_reason_error_string(x));
++nerrs;
}
if (nerrs == 0) {
logit(LOG_ERR, "Error: (nerrs = 0) Could not complete SSL handshake with %s: rc=%d SSL-error=%d", rem_host, rc, ssl_err);
}
} else {
while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) {
while ((x = ERR_get_error()) != 0) {
logit(LOG_ERR, "Error: (!log_opts) Could not complete SSL handshake with %s: %s", rem_host, ERR_reason_error_string(x));
++nerrs;
}
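Review bot: The new log line `logit(LOG_ERR, "Error: (ERR_get_error = 0x%08x), ...", x, rem_host, ERR_reason_error_string(x));` in the connect_to_remote hunk pairs `%08x` with the result of `ERR_get_error()`, which is an `unsigned long`, while `%x` consumes an `unsigned int` — a format/argument mismatch that is undefined behaviour, that `-Wformat` reports, and that on ABIs where the two sizes differ can desynchronise the `%s` arguments that follow. Use `0x%08lx` here and in the matching handle_conn_ssl hunk of src/nrpe.c. `x` is declared outside the hunk; if it is still an `int` there it should become `unsigned long` as well, since a packed OpenSSL error code does not reliably fit in an `int`. Separately, `ERR_reason_error_string()` returns NULL for codes it has no string for, and passing NULL to `%s` is undefined, so the retouched printf/logit lines in this file would benefit from the same `errmsg && ...` guard that src/nrpe.c already uses. connect_to_remote begins and ends outside this hunk.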
18 changes: 10 additions & 8 deletions src/nrpe.c
Expand Up @@ -288,15 +288,14 @@ void init_ssl(void)
if (sslprm.log_opts & SSL_LogStartup)
log_ssl_startup();

#if OPENSSL_VERSION_NUMBER < 0x10100000
/* initialize SSL */
SSL_load_error_strings();
SSL_library_init();
ENGINE_load_builtin_engines();
RAND_set_rand_engine(NULL);
ENGINE_register_all_complete();

meth = SSLv23_server_method();

#endif
/* use week random seed if necessary */
if (allow_weak_random_seed && (RAND_status() == 0)) {
if (RAND_file_name(seedfile, sizeof(seedfile) - 1))
Expand All @@ -322,6 +321,7 @@ void init_ssl(void)

#else /* OPENSSL_VERSION_NUMBER >= 0x10100000 */

meth = SSLv23_server_method();
# ifndef OPENSSL_NO_SSL2
if (sslprm.ssl_proto_ver == SSLv2)
meth = SSLv2_server_method();
Expand Down Expand Up @@ -410,7 +410,9 @@ void init_ssl(void)
#endif
case TLSv1_2:
case TLSv1_2_plus:
#ifdef SSL_OP_NO_TLSv1_1
ssl_opts |= SSL_OP_NO_TLSv1_1;
#endif
case TLSv1_1:
case TLSv1_1_plus:
ssl_opts |= SSL_OP_NO_TLSv1;
Expand All @@ -429,7 +431,7 @@ void init_ssl(void)

if (sslprm.cacert_file != NULL) {
if (!SSL_CTX_load_verify_locations(ctx, sslprm.cacert_file, NULL)) {
while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) {
while ((x = ERR_get_error()) != 0) {
logit(LOG_ERR, "Error: could not use CA certificate file '%s': %s\n",
sslprm.cacert_file, ERR_reason_error_string(x));
}
Expand Down Expand Up @@ -2057,9 +2059,9 @@ int handle_conn_ssl(int sock, void *ssl_ptr)
if (sslprm.log_opts & (SSL_LogCertDetails | SSL_LogIfClientCert)) {
int nerrs = 0;
rc = 0;
while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) {
while ((x = ERR_get_error()) != 0) {
errmsg = ERR_reason_error_string(x);
logit(LOG_ERR, "Error: (ERR_get_error_line_data = %d), Could not complete SSL handshake with %s: %s", x, remote_host, errmsg);
logit(LOG_ERR, "Error: (ERR_get_error = 0x%08x), Could not complete SSL handshake with %s: %s", x, remote_host, errmsg);

if (errmsg && !strcmp(errmsg, "no shared cipher") && (sslprm.cert_file == NULL || sslprm.cacert_file == NULL))
logit(LOG_ERR, "Error: This could be because you have not specified certificate or ca-certificate files");
Expand All @@ -2068,10 +2070,10 @@ int handle_conn_ssl(int sock, void *ssl_ptr)
}

if (nerrs == 0) {
logit(LOG_ERR, "Error: (nerrs = 0) Could not complete SSL handshake with %s: %d", remote_host, SSL_get_error(ssl, rc));
logit(LOG_ERR, "Error: (nerrs = 0) Could not complete SSL handshake with %s: 0x%08x", remote_host, SSL_get_error(ssl, rc));
}
} else {
logit(LOG_ERR, "Error: (!log_opts) Could not complete SSL handshake with %s: %d", remote_host, SSL_get_error(ssl, rc));
logit(LOG_ERR, "Error: (!log_opts) Could not complete SSL handshake with %s: 0x%08x", remote_host, SSL_get_error(ssl, rc));
}
# ifdef DEBUG
errfp = fopen("/tmp/err.log", "a");
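Review bot: In the handle_conn_ssl hunk, `SSL_get_error(ssl, rc)` returns a small signed `int` code (SSL_ERROR_SSL, SSL_ERROR_SYSCALL, ...), not a packed ERR-library code, so switching the two "(nerrs = 0)" and "(!log_opts)" lines to `0x%08x` mismatches a signed argument with `%x` and makes the value read like an `ERR_get_error()` result; keep `%d` there, e.g. `"... Could not complete SSL handshake with %s: SSL_get_error=%d"`, and use the hex form (with `%lx`) only for the `ERR_get_error()` value. handle_conn_ssl starts and ends outside the hunk. In the init_ssl protocol hunk, the new `#ifdef SSL_OP_NO_TLSv1_1` guard lets the TLSv1_2 case fall through without excluding TLS 1.1 when the macro is absent, presumably because such a library has no TLS 1.1 to disable; that assumption deserves a comment on the `#ifdef`, such as `/* no SSL_OP_NO_TLSv1_1: this library has no TLS 1.1 support to exclude */`, and on OpenSSL 1.1.0+ `SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION)` would state the minimum version directly instead of depending on which option macros exist.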
