Merge branch 'master' of git:https://github.com/LarsVoelker/mosquitto into …

…LarsVoelker-master

lib/CMakeLists.txt

@@ -29,7 +29,7 @@ set(C_SRC
  mosquitto.c mosquitto.h
  mosquitto_internal.h
  mqtt_protocol.h
- net_mosq.c net_mosq.h
+ net_mosq_ocsp.c net_mosq.c net_mosq.h
  options.c
  packet_datatypes.c
  packet_mosq.c packet_mosq.h

lib/Makefile

@@ -21,6 +21,7 @@ MOSQ_OBJS=mosquitto.o \
  loop.o \
  memory_mosq.o \
  messages_mosq.o \
+ net_mosq_ocsp.o \
  net_mosq.o \
  options.o \
  packet_datatypes.o \
@@ -151,6 +152,9 @@ messages_mosq.o : messages_mosq.c messages_mosq.h
 memory_mosq.o : memory_mosq.c memory_mosq.h
  ${CROSS_COMPILE}$(CC) $(LIB_CFLAGS) -c $< -o $@
 
+net_mosq_ocsp.o : net_mosq_ocsp.c net_mosq.h
+ ${CROSS_COMPILE}$(CC) $(LIB_CFLAGS) -c $< -o $@
+
 net_mosq.o : net_mosq.c net_mosq.h
  ${CROSS_COMPILE}$(CC) $(LIB_CFLAGS) -c $< -o $@
 

lib/cpp/mosquittopp.cpp

@@ -378,4 +378,8 @@ int mosquittopp::tls_psk_set(const char *psk, const char *identity, const char *
  return mosquitto_tls_psk_set(m_mosq, psk, identity, ciphers);
 }
 
+int mosquittopp::tls_ocsp_set(int ocsp_reqs)
+{
+ return mosquitto_tls_ocsp_set(m_mosq, ocsp_reqs);
+}
 }

lib/cpp/mosquittopp.h

@@ -110,6 +110,7 @@ class mosqpp_EXPORT mosquittopp {
  int tls_opts_set(int cert_reqs, const char *tls_version=NULL, const char *ciphers=NULL);
  int tls_insecure_set(bool value);
  int tls_psk_set(const char *psk, const char *identity, const char *ciphers=NULL);
+ int tls_ocsp_set(int ocsp_reqs);
  int opts_set(enum mosq_opt_t option, void *value);
 
  int loop(int timeout=-1, int max_packets=1);

lib/linker.version

@@ -126,6 +126,7 @@ MOSQ_1.6 {
  mosquitto_subscribe_multiple;
  mosquitto_subscribe_v5;
  mosquitto_subscribe_v5_callback_set;
+ mosquitto_tls_ocsp_set;
  mosquitto_unsubscribe_multiple;
  mosquitto_unsubscribe_v5;
  mosquitto_unsubscribe_v5_callback_set;

lib/mosquitto.c

@@ -180,6 +180,7 @@ int mosquitto_reinitialise(struct mosquitto *mosq, const char *id, bool clean_st
  mosq->tls_cert_reqs = SSL_VERIFY_PEER;
  mosq->tls_insecure = false;
  mosq->want_write = false;
+ mosq->tls_ocsp_required = false;
 #endif
 #ifdef WITH_THREADING
  pthread_mutex_init(&mosq->callback_mutex, NULL);

lib/mosquitto.h

@@ -96,6 +96,7 @@ enum mosq_err_t {
  MOSQ_ERR_TLS_HANDSHAKE = 23,
  MOSQ_ERR_QOS_NOT_SUPPORTED = 24,
  MOSQ_ERR_OVERSIZE_PACKET = 25,
+ MOSQ_ERR_OCSP = 26,
 };
 
 /* Error values */
@@ -1724,6 +1725,26 @@ libmosq_EXPORT int mosquitto_tls_opts_set(struct mosquitto *mosq, int cert_reqs,
  */
 libmosq_EXPORT int mosquitto_tls_psk_set(struct mosquitto *mosq, const char *psk, const char *identity, const char *ciphers);
 
+/*
+ * Function: mosquitto_tls_ocsp_set
+ *
+ * Set advanced SSL/TLS options. Must be called before <mosquitto_connect>.
+ *
+ * Parameters:
+ * mosq - a valid mosquitto instance.
+ * ocsp_reqs - whether OCSP checking is required:
+ * 0 - no checking required
+ * 1 - checking required
+ *
+ * Returns:
+ * MOSQ_ERR_SUCCESS - on success.
+ * MOSQ_ERR_INVAL - if the input parameters were invalid.
+ *
+ * See Also:
+ * <mosquitto_tls_set>
+ */
+libmosq_EXPORT int mosquitto_tls_ocsp_set(struct mosquitto *mosq, int ocsp_reqs);
+
 
 /* ======================================================================
  *

lib/mosquitto_internal.h

@@ -220,6 +220,7 @@ struct mosquitto {
  int tls_cert_reqs;
  bool tls_insecure;
  bool ssl_ctx_defaults;
+ bool tls_ocsp_required;
  char *tls_engine;
  char *tls_engine_kpass_sha1;
  enum mosquitto__keyform tls_keyform;

lib/net_mosq.c

@@ -476,6 +476,23 @@ int net__socket_connect_tls(struct mosquitto *mosq)
  int ret, err;
 
  ERR_clear_error();
+ long res;
+ if (mosq->tls_ocsp_required) {
+ // Note: OCSP is available in all currently supported OpenSSL versions.
+ if ((res=SSL_set_tlsext_status_type(mosq->ssl, TLSEXT_STATUSTYPE_ocsp)) != 1) {
+ log__printf(mosq, MOSQ_LOG_ERR, "Could not activate OCSP (error: %ld)", res);
+ return MOSQ_ERR_OCSP;
+ }
+ if ((res=SSL_CTX_set_tlsext_status_cb(mosq->ssl_ctx, mosquitto__verify_ocsp_status_cb)) != 1) {
+ log__printf(mosq, MOSQ_LOG_ERR, "Could not activate OCSP (error: %ld)", res);
+ return MOSQ_ERR_OCSP;
+ }
+ if ((res=SSL_CTX_set_tlsext_status_arg(mosq->ssl_ctx, mosq)) != 1) {
+ log__printf(mosq, MOSQ_LOG_ERR, "Could not activate OCSP (error: %ld)", res);
+ return MOSQ_ERR_OCSP;
+ }
+ }
+
  ret = SSL_connect(mosq->ssl);
  if(ret != 1) {
  err = SSL_get_error(mosq->ssl, ret);

lib/net_mosq.h

@@ -71,6 +71,7 @@ ssize_t net__write(struct mosquitto *mosq, void *buf, size_t count);
 #ifdef WITH_TLS
 int net__socket_apply_tls(struct mosquitto *mosq);
 int net__socket_connect_tls(struct mosquitto *mosq);
+int mosquitto__verify_ocsp_status_cb(SSL * ssl, void *arg);
 UI_METHOD *net__get_ui_method(void);
 #define ENGINE_FINISH(e) if(e) ENGINE_finish(e)
 #define ENGINE_SECRET_MODE "SECRET_MODE"

lib/net_mosq_ocsp.c

@@ -0,0 +1,159 @@
+/*
+Copyright (c) 2009-2014 Roger Light <[email protected]>
+Copyright (c) 2017 Bayerische Motoren Werke Aktiengesellschaft (BMW AG), Dr. Lars Voelker <[email protected]>
+
+All rights reserved. This program and the accompanying materials
+are made available under the terms of the Eclipse Public License v1.0
+and Eclipse Distribution License v1.0 which accompany this distribution.
+
+The Eclipse Public License is available at
+ http:https://www.eclipse.org/legal/epl-v10.html
+and the Eclipse Distribution License is available at
+ http:https://www.eclipse.org/org/documents/edl-v10.php.
+
+Contributors:
+ Dr. Lars Voelker, BMW AG
+*/
+
+/*
+COPYRIGHT AND PERMISSION NOTICE of curl on which the ocsp code is based:
+
+Copyright (c) 1996 - 2016, Daniel Stenberg, <[email protected]>, and many
+contributors, see the THANKS file.
+
+All rights reserved.
+
+Permission to use, copy, modify, and distribute this software for any purpose
+with or without fee is hereby granted, provided that the above copyright
+notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. IN
+NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
+DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
+OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE
+OR OTHER DEALINGS IN THE SOFTWARE.
+
+Except as contained in this notice, the name of a copyright holder shall not
+be used in advertising or otherwise to promote the sale, use or other dealings
+in this Software without prior written authorization of the copyright holder.
+*/
+
+#ifdef WITH_TLS
+#include <openssl/safestack.h>
+#include <openssl/tls1.h>
+#include <openssl/ssl.h>
+#include <openssl/ocsp.h>
+
+#include <logging_mosq.h>
+#include <mosquitto_internal.h>
+#include <net_mosq.h>
+
+int mosquitto__verify_ocsp_status_cb(SSL * ssl, void *arg)
+{
+ struct mosquitto *mosq = (struct mosquitto *)arg;
+ int ocsp_status, result2, i;
+ unsigned char *p;
+ const unsigned char *cp;
+ OCSP_RESPONSE *rsp = NULL;
+ OCSP_BASICRESP *br = NULL;
+ X509_STORE *st = NULL;
+ STACK_OF(X509) *ch = NULL;
+
+ long len = SSL_get_tlsext_status_ocsp_resp(mosq->ssl, &p);
+ log__printf(mosq, MOSQ_LOG_DEBUG, "OCSP: SSL_get_tlsext_status_ocsp_resp returned %ld bytes", len);
+
+ // the following functions expect a const pointer
+ cp = (const unsigned char *)p;
+
+ if (!cp || len <= 0) {
+ log__printf(mosq, MOSQ_LOG_DEBUG, "OCSP: no response");
+ goto end;
+ }
+
+
+ rsp = d2i_OCSP_RESPONSE(NULL, &cp, len);
+ if (rsp==NULL) {
+ log__printf(mosq, MOSQ_LOG_DEBUG, "OCSP: invalid response");
+ goto end;
+ }
+
+ ocsp_status = OCSP_response_status(rsp);
+ if(ocsp_status != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
+ log__printf(mosq, MOSQ_LOG_DEBUG, "OCSP: invalid status: %s (%d)",
+ OCSP_response_status_str(ocsp_status), ocsp_status);
+ goto end;
+ }
+
+ br = OCSP_response_get1_basic(rsp);
+ if (!br) {
+ log__printf(mosq, MOSQ_LOG_DEBUG, "OCSP: invalid response");
+ goto end;
+ }
+
+ ch = SSL_get_peer_cert_chain(mosq->ssl);
+ if (sk_X509_num(ch) <= 0) {
+ log__printf(mosq, MOSQ_LOG_ERR, "OCSP: we did not receive certificates of the server (num: %d)", sk_X509_num(ch));
+ goto end;
+ }
+
+ st = SSL_CTX_get_cert_store(mosq->ssl_ctx);
+
+ // Note:
+ // Other checkers often fix problems in OpenSSL before 1.0.2a (e.g. libcurl).
+ // For all currently supported versions of the OpenSSL project, this is not needed anymore.
+
+ if ((result2=OCSP_basic_verify(br, ch, st, 0)) <= 0) {
+ log__printf(mosq, MOSQ_LOG_DEBUG, "OCSP: response verification failed (error: %d)", result2);
+ goto end;
+ }
+
+ for(i = 0; i < OCSP_resp_count(br); i++) {
+ int cert_status, crl_reason;
+ OCSP_SINGLERESP *single = NULL;
+
+ ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
+
+ single = OCSP_resp_get0(br, i);
+ if(!single)
+ continue;
+
+ cert_status = OCSP_single_get0_status(single, &crl_reason, &rev, &thisupd, &nextupd);
+
+ log__printf(mosq, MOSQ_LOG_DEBUG, "OCSP: SSL certificate status: %s (%d)",
+ OCSP_cert_status_str(cert_status), cert_status);
+
+ switch(cert_status) {
+ case V_OCSP_CERTSTATUS_GOOD:
+ // Note: A OCSP stapling result will be accepted up to 5 minutes after it expired!
+ if(!OCSP_check_validity(thisupd, nextupd, 300L, -1L)) {
+ log__printf(mosq, MOSQ_LOG_DEBUG, "OCSP: OCSP response has expired");
+ goto end;
+ }
+ break;
+
+ case V_OCSP_CERTSTATUS_REVOKED:
+ log__printf(mosq, MOSQ_LOG_DEBUG, "OCSP: SSL certificate revocation reason: %s (%d)",
+ OCSP_crl_reason_str(crl_reason), crl_reason);
+ goto end;
+
+ case V_OCSP_CERTSTATUS_UNKNOWN:
+ goto end;
+
+ default:
+ log__printf(mosq, MOSQ_LOG_DEBUG, "OCSP: SSL certificate revocation status unknown");
+ goto end;
+ }
+ }
+
+ if (br!=NULL) OCSP_BASICRESP_free(br);
+ if (rsp!=NULL) OCSP_RESPONSE_free(rsp);
+ return 1; // OK
+
+end:
+ if (br!=NULL) OCSP_BASICRESP_free(br);
+ if (rsp!=NULL) OCSP_RESPONSE_free(rsp);
+ return 0; // Not OK
+}
+#endif

lib/options.c

@@ -195,6 +195,24 @@ int mosquitto_tls_set(struct mosquitto *mosq, const char *cafile, const char *ca
 }
 
 
+int mosquitto_tls_ocsp_set(struct mosquitto *mosq, int ocsp_reqs)
+{
+#ifdef WITH_TLS
+ if (ocsp_reqs==0) {
+ mosq->tls_ocsp_required = false;
+ return MOSQ_ERR_SUCCESS;
+ }
+
+ if (ocsp_reqs==1) {
+ mosq->tls_ocsp_required = true;
+ return MOSQ_ERR_SUCCESS;
+ }
+#endif
+
+ return MOSQ_ERR_INVAL;
+}
+
+
 int mosquitto_tls_opts_set(struct mosquitto *mosq, int cert_reqs, const char *tls_version, const char *ciphers)
 {
 #ifdef WITH_TLS

man/mosquitto.conf.5.xml

@@ -1792,6 +1792,13 @@ topic clients/total in 0 test/mosquitto/org $SYS/broker/
  connection to succeed.</para>
  </listitem>
  </varlistentry>
+ <varlistentry>
+ <term><option>bridge_require_ocsp</option> [ true | false ]</term>
+ <listitem>
+ <para>When set to true, the bridge requires OCSP on the TLS
+ connection it opens as client.</para>
+ </listitem>
+ </varlistentry>
  </variablelist>
  </refsect2>
  </refsect1>

src/CMakeLists.txt

@@ -27,7 +27,7 @@ set (MOSQ_SRCS
  mosquitto.c
  mosquitto_broker.h mosquitto_broker_internal.h
  net.c
- ../lib/net_mosq.c ../lib/net_mosq.h
+ ../lib/net_mosq_ocsp.c ../lib/net_mosq.c ../lib/net_mosq.h
  ../lib/packet_datatypes.c
  ../lib/packet_mosq.c ../lib/packet_mosq.h
  persist_read_v234.c persist_read_v5.c persist_read.c

src/Makefile

@@ -32,6 +32,7 @@ OBJS= mosquitto.o \
  memory_mosq.o \
  net.o \
  net_mosq.o \
+ net_mosq_ocsp.o \
  packet_datatypes.o \
  packet_mosq.o \
  property_broker.o \
@@ -140,6 +141,9 @@ memory_mosq.o : ../lib/memory_mosq.c ../lib/memory_mosq.h
 net.o : net.c mosquitto_broker_internal.h
  ${CROSS_COMPILE}${CC} $(BROKER_CFLAGS) -c $< -o $@
 
+net_mosq_ocsp.o : ../lib/net_mosq_ocsp.c ../lib/net_mosq.h
+ ${CROSS_COMPILE}${CC} $(BROKER_CFLAGS) -c $< -o $@
+
 net_mosq.o : ../lib/net_mosq.c ../lib/net_mosq.h
  ${CROSS_COMPILE}${CC} $(BROKER_CFLAGS) -c $< -o $@
 

src/bridge.c

@@ -84,6 +84,7 @@ int bridge__new(struct mosquitto_db *db, struct mosquitto__bridge *bridge)
  new_context->tls_certfile = new_context->bridge->tls_certfile;
  new_context->tls_keyfile = new_context->bridge->tls_keyfile;
  new_context->tls_cert_reqs = SSL_VERIFY_PEER;
+ new_context->tls_ocsp_required = new_context->bridge->tls_ocsp_required;
  new_context->tls_version = new_context->bridge->tls_version;
  new_context->tls_insecure = new_context->bridge->tls_insecure;
 #ifdef FINAL_WITH_TLS_PSK

src/conf.c

@@ -1023,6 +1023,17 @@ int config__read_file_core(struct mosquitto__config *config, bool reload, struct
  }
 #else
  log__printf(NULL, MOSQ_LOG_WARNING, "Warning: Bridge and/or TLS-PSK support not available.");
+#endif
+ }else if(!strcmp(token, "bridge_require_ocsp")){
+#if defined(WITH_BRIDGE) && defined(WITH_TLS)
+ if(reload) continue; // Listeners not valid for reloading.
+ if(!cur_bridge){
+ log__printf(NULL, MOSQ_LOG_ERR, "Error: Invalid bridge configuration.");
+ return MOSQ_ERR_INVAL;
+ }
+ if(conf__parse_bool(&token, "bridge_require_ocsp", &cur_bridge->tls_ocsp_required, saveptr)) return MOSQ_ERR_INVAL;
+#else
+ log__printf(NULL, MOSQ_LOG_WARNING, "Warning: TLS support not available.");
 #endif
  }else if(!strcmp(token, "bridge_keyfile")){
 #if defined(WITH_BRIDGE) && defined(WITH_TLS)

src/mosquitto_broker_internal.h

@@ -486,6 +486,7 @@ struct mosquitto__bridge{
  bool initial_notification_done;
 #ifdef WITH_TLS
  bool tls_insecure;
+ bool tls_ocsp_required;
  char *tls_cafile;
  char *tls_capath;
  char *tls_certfile;