Rejig OCSP code.

eclipse · Mar 26, 2019 · 1220ba4 · 1220ba4
1 parent ea046c2
commit 1220ba4
Show file tree

Hide file tree

Showing 7 changed files with 22 additions and 51 deletions.
diff --git a/ChangeLog.txt b/ChangeLog.txt
@@ -19,13 +19,15 @@ Broker features:
 - Add support for Automotive DLT logging.
 - Disallow writing to $ topics where appropriate.
 - Fix mosquitto_passwd crashing on corrupt password file. Closes #1207.
+- Add support for OCSP stapling.
 
 Client library features:
 - Add mosquitto_subscribe_multiple() for sending subscriptions to multiple
  topics in one command.
 - Add TLS Engine support.
 - Add explicit support for TLS v1.3.
 - Drop support for TLS v1.0.
+- Add support for OCSP stapling to bridges.
 
 Client features:
 - Add -E to mosquitto_sub, which causes it to exit immediately after having

diff --git a/lib/cpp/mosquittopp.cpp b/lib/cpp/mosquittopp.cpp
@@ -378,8 +378,4 @@ int mosquittopp::tls_psk_set(const char *psk, const char *identity, const char *
  return mosquitto_tls_psk_set(m_mosq, psk, identity, ciphers);
 }
 
-int mosquittopp::tls_ocsp_set(int ocsp_reqs)
-{
- return mosquitto_tls_ocsp_set(m_mosq, ocsp_reqs);
-}
 }
diff --git a/lib/cpp/mosquittopp.h b/lib/cpp/mosquittopp.h
@@ -110,7 +110,6 @@ class mosqpp_EXPORT mosquittopp {
  int tls_opts_set(int cert_reqs, const char *tls_version=NULL, const char *ciphers=NULL);
  int tls_insecure_set(bool value);
  int tls_psk_set(const char *psk, const char *identity, const char *ciphers=NULL);
- int tls_ocsp_set(int ocsp_reqs);
  int opts_set(enum mosq_opt_t option, void *value);
 
  int loop(int timeout=-1, int max_packets=1);

diff --git a/lib/linker.version b/lib/linker.version
@@ -126,7 +126,6 @@ MOSQ_1.6 {
  mosquitto_subscribe_multiple;
  mosquitto_subscribe_v5;
  mosquitto_subscribe_v5_callback_set;
- mosquitto_tls_ocsp_set;
  mosquitto_unsubscribe_multiple;
  mosquitto_unsubscribe_v5;
  mosquitto_unsubscribe_v5_callback_set;

diff --git a/lib/mosquitto.h b/lib/mosquitto.h
@@ -109,6 +109,7 @@ enum mosq_opt_t {
  MOSQ_OPT_TLS_KEYFORM = 6,
  MOSQ_OPT_TLS_ENGINE = 7,
  MOSQ_OPT_TLS_ENGINE_KPASS_SHA1 = 8,
+ MOSQ_OPT_TLS_OCSP_REQUIRED = 9,
 };
 
 
@@ -1452,9 +1453,13 @@ libmosq_EXPORT int mosquitto_opts_set(struct mosquitto *mosq, enum mosq_opt_t op
  * use <mosquitto_tls_set> to configure the cafile/capath as a
  * minimum.
  * This option is only available for openssl 1.1.0 and higher.
+ * MOSQ_OPT_TLS_OCSP_REQUIRED
+ * Set whether OCSP checking on TLS connections is required. Set to
+ * 1 to enable checking, or 0 (the default) for no checking.
  */
 libmosq_EXPORT int mosquitto_int_option(struct mosquitto *mosq, enum mosq_opt_t option, int value);
 
+
 /*
  * Function: mosquitto_void_option
  *
@@ -1725,26 +1730,6 @@ libmosq_EXPORT int mosquitto_tls_opts_set(struct mosquitto *mosq, int cert_reqs,
  */
 libmosq_EXPORT int mosquitto_tls_psk_set(struct mosquitto *mosq, const char *psk, const char *identity, const char *ciphers);
 
-/*
- * Function: mosquitto_tls_ocsp_set
- *
- * Set advanced SSL/TLS options. Must be called before <mosquitto_connect>.
- *
- * Parameters:
- * mosq - a valid mosquitto instance.
- * ocsp_reqs - whether OCSP checking is required:
- * 0 - no checking required
- * 1 - checking required
- *
- * Returns:
- * MOSQ_ERR_SUCCESS - on success.
- * MOSQ_ERR_INVAL - if the input parameters were invalid.
- *
- * See Also:
- * <mosquitto_tls_set>
- */
-libmosq_EXPORT int mosquitto_tls_ocsp_set(struct mosquitto *mosq, int ocsp_reqs);
-
 
 /* ======================================================================
  *

diff --git a/lib/options.c b/lib/options.c
@@ -195,24 +195,6 @@ int mosquitto_tls_set(struct mosquitto *mosq, const char *cafile, const char *ca
 }
 
 
-int mosquitto_tls_ocsp_set(struct mosquitto *mosq, int ocsp_reqs)
-{
-#ifdef WITH_TLS
- if (ocsp_reqs==0) {
- mosq->tls_ocsp_required = false;
- return MOSQ_ERR_SUCCESS;
- }
-
- if (ocsp_reqs==1) {
- mosq->tls_ocsp_required = true;
- return MOSQ_ERR_SUCCESS;
- }
-#endif
-
- return MOSQ_ERR_INVAL;
-}
-
-
 int mosquitto_tls_opts_set(struct mosquitto *mosq, int cert_reqs, const char *tls_version, const char *ciphers)
 {
 #ifdef WITH_TLS
@@ -429,6 +411,14 @@ int mosquitto_int_option(struct mosquitto *mosq, enum mosq_opt_t option, int val
  return MOSQ_ERR_NOT_SUPPORTED;
 #endif
 
+ case MOSQ_OPT_TLS_OCSP_REQUIRED:
+#ifdef WITH_TLS
+ mosq->tls_ocsp_required = (bool)value;
+#else
+ return MOSQ_ERR_NOT_SUPPORTED;
+#endif
+ break;
+
  default:
  return MOSQ_ERR_INVAL;
  }

diff --git a/man/mosquitto.conf.5.xml b/man/mosquitto.conf.5.xml
@@ -1779,6 +1779,13 @@ topic clients/total in 0 test/mosquitto/org $SYS/broker/
  can be used on one bridge at once.</para>
  </listitem>
  </varlistentry>
+ <varlistentry>
+ <term><option>bridge_require_ocsp</option> [ true | false ]</term>
+ <listitem>
+ <para>When set to true, the bridge requires OCSP on the TLS
+ connection it opens as client.</para>
+ </listitem>
+ </varlistentry>
  <varlistentry>
  <term><option>bridge_tls_version</option> <replaceable>version</replaceable></term>
  <listitem>
@@ -1792,13 +1799,6 @@ topic clients/total in 0 test/mosquitto/org $SYS/broker/
  connection to succeed.</para>
  </listitem>
  </varlistentry>
- <varlistentry>
- <term><option>bridge_require_ocsp</option> [ true | false ]</term>
- <listitem>
- <para>When set to true, the bridge requires OCSP on the TLS
- connection it opens as client.</para>
- </listitem>
- </varlistentry>
  </variablelist>
  </refsect2>
  </refsect1>