Rejig OCSP code.

2019-03-26 22:13:42 +00:00 · 2019-03-26 22:13:42 +00:00 · 1220ba4bfe
commit 1220ba4bfe
parent ea046c2405
7 changed files with 22 additions and 51 deletions
--- a/ChangeLog.txt
+++ b/ChangeLog.txt
@ -19,6 +19,7 @@ Broker features:
 - Add support for Automotive DLT logging.
 - Disallow writing to $ topics where appropriate.
 - Fix mosquitto_passwd crashing on corrupt password file. Closes #1207.
+- Add support for OCSP stapling.

 Client library features:
 - Add mosquitto_subscribe_multiple() for sending subscriptions to multiple
@ -26,6 +27,7 @@ Client library features:
 - Add TLS Engine support.
 - Add explicit support for TLS v1.3.
 - Drop support for TLS v1.0.
+- Add support for OCSP stapling to bridges.

 Client features:
 - Add -E to mosquitto_sub, which causes it to exit immediately after having
--- a/lib/cpp/mosquittopp.cpp
+++ b/lib/cpp/mosquittopp.cpp
@ -378,8 +378,4 @@ int mosquittopp::tls_psk_set(const char *psk, const char *identity, const char *
 	return mosquitto_tls_psk_set(m_mosq, psk, identity, ciphers);
 }

-int mosquittopp::tls_ocsp_set(int ocsp_reqs)
-{
-	return mosquitto_tls_ocsp_set(m_mosq, ocsp_reqs);
-}
 }
--- a/lib/cpp/mosquittopp.h
+++ b/lib/cpp/mosquittopp.h
@ -110,7 +110,6 @@ class mosqpp_EXPORT mosquittopp {
 		int tls_opts_set(int cert_reqs, const char *tls_version=NULL, const char *ciphers=NULL);
 		int tls_insecure_set(bool value);
 		int tls_psk_set(const char *psk, const char *identity, const char *ciphers=NULL);
-		int tls_ocsp_set(int ocsp_reqs);
 		int opts_set(enum mosq_opt_t option, void *value);

 		int loop(int timeout=-1, int max_packets=1);
--- a/lib/linker.version
+++ b/lib/linker.version
@ -126,7 +126,6 @@ MOSQ_1.6 {
 		mosquitto_subscribe_multiple;
 		mosquitto_subscribe_v5;
 		mosquitto_subscribe_v5_callback_set;
-		mosquitto_tls_ocsp_set;
 		mosquitto_unsubscribe_multiple;
 		mosquitto_unsubscribe_v5;
 		mosquitto_unsubscribe_v5_callback_set;
--- a/lib/mosquitto.h
+++ b/lib/mosquitto.h
@ -109,6 +109,7 @@ enum mosq_opt_t {
 	MOSQ_OPT_TLS_KEYFORM = 6,
 	MOSQ_OPT_TLS_ENGINE = 7,
 	MOSQ_OPT_TLS_ENGINE_KPASS_SHA1 = 8,
+	MOSQ_OPT_TLS_OCSP_REQUIRED = 9,
 };


@ -1452,9 +1453,13 @@ libmosq_EXPORT int mosquitto_opts_set(struct mosquitto *mosq, enum mosq_opt_t op
 *	          use <mosquitto_tls_set> to configure the cafile/capath as a
 *	          minimum.
 *	          This option is only available for openssl 1.1.0 and higher.
+ *	MOSQ_OPT_TLS_OCSP_REQUIRED
+ *	          Set whether OCSP checking on TLS connections is required. Set to
+ *	          1 to enable checking, or 0 (the default) for no checking.
 */
 libmosq_EXPORT int mosquitto_int_option(struct mosquitto *mosq, enum mosq_opt_t option, int value);

+
 /*
 * Function: mosquitto_void_option
 *
@ -1725,26 +1730,6 @@ libmosq_EXPORT int mosquitto_tls_opts_set(struct mosquitto *mosq, int cert_reqs,
 */
 libmosq_EXPORT int mosquitto_tls_psk_set(struct mosquitto *mosq, const char *psk, const char *identity, const char *ciphers);

-/*
- * Function: mosquitto_tls_ocsp_set
- *
- * Set advanced SSL/TLS options. Must be called before <mosquitto_connect>.
- *
- * Parameters:
- *  mosq -        a valid mosquitto instance.
- *  ocsp_reqs -   whether OCSP checking is required:
- *                0 - no checking required
- *                1 - checking required
- *
- * Returns:
- *	MOSQ_ERR_SUCCESS - on success.
- * 	MOSQ_ERR_INVAL -   if the input parameters were invalid.
- *
- * See Also:
- *	<mosquitto_tls_set>
- */
-libmosq_EXPORT int mosquitto_tls_ocsp_set(struct mosquitto *mosq, int ocsp_reqs);
-

 /* ======================================================================
 *
--- a/lib/options.c
+++ b/lib/options.c
@ -195,24 +195,6 @@ int mosquitto_tls_set(struct mosquitto *mosq, const char *cafile, const char *ca
 }


-int mosquitto_tls_ocsp_set(struct mosquitto *mosq, int ocsp_reqs)
-{
-#ifdef WITH_TLS
-    if (ocsp_reqs==0) {
-        mosq->tls_ocsp_required = false;
-        return  MOSQ_ERR_SUCCESS;
-    }
-
-    if (ocsp_reqs==1) {
-        mosq->tls_ocsp_required = true;
-        return  MOSQ_ERR_SUCCESS;
-    }
-#endif
-
-    return MOSQ_ERR_INVAL;
-}
-
-
 int mosquitto_tls_opts_set(struct mosquitto *mosq, int cert_reqs, const char *tls_version, const char *ciphers)
 {
 #ifdef WITH_TLS
@ -429,6 +411,14 @@ int mosquitto_int_option(struct mosquitto *mosq, enum mosq_opt_t option, int val
 			return MOSQ_ERR_NOT_SUPPORTED;
 #endif

+		case MOSQ_OPT_TLS_OCSP_REQUIRED:
+#ifdef WITH_TLS
+			mosq->tls_ocsp_required = (bool)value;
+#else
+			return MOSQ_ERR_NOT_SUPPORTED;
+#endif
+			break;
+
 		default:
 			return MOSQ_ERR_INVAL;
 	}
--- a/man/mosquitto.conf.5.xml
+++ b/man/mosquitto.conf.5.xml
@ -1779,6 +1779,13 @@ topic clients/total in 0 test/mosquitto/org $SYS/broker/
 							can be used on one bridge at once.</para>
 					</listitem>
 				</varlistentry>
+				<varlistentry>
+					<term><option>bridge_require_ocsp</option> [ true | false ]</term>
+					<listitem>
+						<para>When set to true, the bridge requires OCSP on the TLS
+							connection it opens as client.</para>
+					</listitem>
+				</varlistentry>
 				<varlistentry>
 					<term><option>bridge_tls_version</option> <replaceable>version</replaceable></term>
 					<listitem>
@ -1792,13 +1799,6 @@ topic clients/total in 0 test/mosquitto/org $SYS/broker/
 							connection to succeed.</para>
 					</listitem>
 				</varlistentry>
-				<varlistentry>
-					<term><option>bridge_require_ocsp</option> [ true | false ]</term>
-					<listitem>
-						<para>When set to true, the bridge requires OCSP on the TLS
-							connection it opens as client.</para>
-					</listitem>
-				</varlistentry>
 			</variablelist>
 		</refsect2>
 	</refsect1>