From 1220ba4bfe0a81a95ce4253e08c9854b2b942525 Mon Sep 17 00:00:00 2001
From: "Roger A. Light"
Date: Tue, 26 Mar 2019 22:13:42 +0000
Subject: [PATCH] Rejig OCSP code.

---
 ChangeLog.txt | 2 ++
 lib/cpp/mosquittopp.cpp | 4 ----
 lib/cpp/mosquittopp.h | 1 -
 lib/linker.version | 1 -
 lib/mosquitto.h | 25 +++++--------------------
 lib/options.c | 26 ++++++++------------------
 man/mosquitto.conf.5.xml | 14 +++++++-------
 7 files changed, 22 insertions(+), 51 deletions(-)

diff --git a/ChangeLog.txt b/ChangeLog.txt
index 35700b94a2..1f97696a1a 100644
--- a/ChangeLog.txt
+++ b/ChangeLog.txt
@@ -19,6 +19,7 @@ Broker features:
 - Add support for Automotive DLT logging.
 - Disallow writing to $ topics where appropriate.
 - Fix mosquitto_passwd crashing on corrupt password file. Closes #1207.
+- Add support for OCSP stapling.
 Client library features:
 - Add mosquitto_subscribe_multiple() for sending subscriptions to multiple
@@ -26,6 +27,7 @@ Client library features:
 - Add TLS Engine support.
 - Add explicit support for TLS v1.3.
 - Drop support for TLS v1.0.
+- Add support for OCSP stapling to bridges.
 Client features:
 - Add -E to mosquitto_sub, which causes it to exit immediately after having
diff --git a/lib/cpp/mosquittopp.cpp b/lib/cpp/mosquittopp.cpp
index c93ee04cc5..e1c6cc5db8 100644
--- a/lib/cpp/mosquittopp.cpp
+++ b/lib/cpp/mosquittopp.cpp
@@ -378,8 +378,4 @@ int mosquittopp::tls_psk_set(const char *psk, const char *identity, const char *
 	return mosquitto_tls_psk_set(m_mosq, psk, identity, ciphers);
 }
-int mosquittopp::tls_ocsp_set(int ocsp_reqs)
-{
-	return mosquitto_tls_ocsp_set(m_mosq, ocsp_reqs);
-}
 }
diff --git a/lib/cpp/mosquittopp.h b/lib/cpp/mosquittopp.h
index 863fd80c8d..163d616fea 100644
--- a/lib/cpp/mosquittopp.h
+++ b/lib/cpp/mosquittopp.h
@@ -110,7 +110,6 @@ class mosqpp_EXPORT mosquittopp {
 	int tls_opts_set(int cert_reqs, const char *tls_version=NULL, const char *ciphers=NULL);
 	int tls_insecure_set(bool value);
 	int tls_psk_set(const char *psk, const char *identity, const char *ciphers=NULL);
-	int tls_ocsp_set(int ocsp_reqs);
 	int opts_set(enum mosq_opt_t option, void *value);
 	int loop(int timeout=-1, int max_packets=1);
diff --git a/lib/linker.version b/lib/linker.version
index 1b13118257..017d5a5e52 100644
--- a/lib/linker.version
+++ b/lib/linker.version
@@ -126,7 +126,6 @@ MOSQ_1.6 {
 	mosquitto_subscribe_multiple;
 	mosquitto_subscribe_v5;
 	mosquitto_subscribe_v5_callback_set;
-	mosquitto_tls_ocsp_set;
 	mosquitto_unsubscribe_multiple;
 	mosquitto_unsubscribe_v5;
 	mosquitto_unsubscribe_v5_callback_set;
diff --git a/lib/mosquitto.h b/lib/mosquitto.h
index 3d4eddcfb6..b18af4d246 100644
--- a/lib/mosquitto.h
+++ b/lib/mosquitto.h
@@ -109,6 +109,7 @@ enum mosq_opt_t {
 	MOSQ_OPT_TLS_KEYFORM = 6,
 	MOSQ_OPT_TLS_ENGINE = 7,
 	MOSQ_OPT_TLS_ENGINE_KPASS_SHA1 = 8,
+	MOSQ_OPT_TLS_OCSP_REQUIRED = 9,
 };
@@ -1452,9 +1453,13 @@ libmosq_EXPORT int mosquitto_opts_set(struct mosquitto *mosq, enum mosq_opt_t op
  *          use to configure the cafile/capath as a
  *          minimum.
  *          This option is only available for openssl 1.1.0 and higher.
+ *	MOSQ_OPT_TLS_OCSP_REQUIRED
+ *	        Set whether OCSP checking on TLS connections is required. Set to
+ *	        1 to enable checking, or 0 (the default) for no checking.
  */
 libmosq_EXPORT int mosquitto_int_option(struct mosquitto *mosq, enum mosq_opt_t option, int value);
+
 /*
  * Function: mosquitto_void_option
  *
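Review bot: The new MOSQ_OPT_TLS_OCSP_REQUIRED entry in the mosquitto_int_option comment does not say what the call returns when libmosquitto is built without TLS, although the options.c hunk in this same commit returns MOSQ_ERR_NOT_SUPPORTED in that case, and the context line "This option is only available for openssl 1.1.0 and higher" belongs to the previous option, so a reader skimming the list may attach it to the new one. Suggest adding ` *	        Returns MOSQ_ERR_NOT_SUPPORTED if the library was built without TLS.` after the "0 (the default)" line. The text also leaves "required" undefined; if it means the TLS connection is refused when the server does not present a valid stapled OCSP response, stating that here is what lets a caller judge what enabling it protects against. The rest of the comment block and the mosq_opt_t enum continue outside these hunks.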
@@ -1725,26 +1730,6 @@ libmosq_EXPORT int mosquitto_tls_opts_set(struct mosquitto *mosq, int cert_reqs,
  */
 libmosq_EXPORT int mosquitto_tls_psk_set(struct mosquitto *mosq, const char *psk, const char *identity, const char *ciphers);
-/*
- * Function: mosquitto_tls_ocsp_set
- *
- * Set advanced SSL/TLS options. Must be called before .
- *
- * Parameters:
- *	mosq - a valid mosquitto instance.
- *	ocsp_reqs - whether OCSP checking is required:
- *	            0 - no checking required
- *	            1 - checking required
- *
- * Returns:
- *	MOSQ_ERR_SUCCESS - on success.
- *	MOSQ_ERR_INVAL - if the input parameters were invalid.
- *
- * See Also:
- *
- */
-libmosq_EXPORT int mosquitto_tls_ocsp_set(struct mosquitto *mosq, int ocsp_reqs);
-
 /* ======================================================================
  *
diff --git a/lib/options.c b/lib/options.c
index 2720a43a96..dfd1df3974 100644
--- a/lib/options.c
+++ b/lib/options.c
@@ -195,24 +195,6 @@ int mosquitto_tls_set(struct mosquitto *mosq, const char *cafile, const char *ca
 }
-int mosquitto_tls_ocsp_set(struct mosquitto *mosq, int ocsp_reqs)
-{
-#ifdef WITH_TLS
-	if (ocsp_reqs==0) {
-		mosq->tls_ocsp_required = false;
-		return MOSQ_ERR_SUCCESS;
-	}
-	if (ocsp_reqs==1) {
-		mosq->tls_ocsp_required = true;
-		return MOSQ_ERR_SUCCESS;
-	}
-#endif
-	return MOSQ_ERR_INVAL;
-}
-
-
 int mosquitto_tls_opts_set(struct mosquitto *mosq, int cert_reqs, const char *tls_version, const char *ciphers)
 {
 #ifdef WITH_TLS
@@ -429,6 +411,14 @@ int mosquitto_int_option(struct mosquitto *mosq, enum mosq_opt_t option, int val
 		return MOSQ_ERR_NOT_SUPPORTED;
 #endif
+		case MOSQ_OPT_TLS_OCSP_REQUIRED:
+#ifdef WITH_TLS
+			mosq->tls_ocsp_required = (bool)value;
+#else
+			return MOSQ_ERR_NOT_SUPPORTED;
+#endif
+			break;
+
 		default:
 			return MOSQ_ERR_INVAL;
 	}
diff --git a/man/mosquitto.conf.5.xml b/man/mosquitto.conf.5.xml
index d69b639d58..25005cb78f 100644
--- a/man/mosquitto.conf.5.xml
+++ b/man/mosquitto.conf.5.xml
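Review bot: The new MOSQ_OPT_TLS_OCSP_REQUIRED case in mosquitto_int_option stores `(bool)value` without validating it, so any non-zero integer silently enables the check, whereas the mosquitto_tls_ocsp_set function removed earlier in this file rejected anything other than 0 or 1 with MOSQ_ERR_INVAL and the header comment added in this commit still documents the value as 0 or 1. Keeping that contract is cheap: `if(value != 0 && value != 1) return MOSQ_ERR_INVAL;` before the assignment, and `mosq->tls_ocsp_required = (value == 1);` in place of the cast. A caller that mistakenly passes an unrelated value then gets an error instead of an OCSP requirement it did not intend, which is the safer failure for a TLS option. The switch and the rest of mosquitto_int_option lie outside the hunk.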
@@ -1779,6 +1779,13 @@ topic clients/total in 0 test/mosquitto/org $SYS/broker/ can be used on one bridge at once. + + [ true | false ] + + When set to true, the bridge requires OCSP on the TLS + connection it opens as client. + + version @@ -1792,13 +1799,6 @@ topic clients/total in 0 test/mosquitto/org $SYS/broker/ connection to succeed. - - [ true | false ] - - When set to true, the bridge requires OCSP on the TLS - connection it opens as client. - -