Rework TLS engine support.

2019-02-26 17:11:29 +00:00 · 2019-02-26 17:11:29 +00:00 · e862a047a8
commit e862a047a8
parent 20894fcbce
20 changed files with 230 additions and 254 deletions
--- a/client/client_shared.c
+++ b/client/client_shared.c
@ -152,7 +152,7 @@ void client_config_cleanup(struct mosq_config *cfg)
 	free(cfg->ciphers);
 	free(cfg->tls_version);
 	free(cfg->tls_engine);
-	free(cfg->tls_engine_kpass_sha);
+	free(cfg->tls_engine_kpass_sha1);
 	free(cfg->keyform);
 #  ifdef WITH_TLS_PSK
 	free(cfg->psk);
@ -308,15 +308,15 @@ int client_config_load(struct mosq_config *cfg, int pub_or_sub, int argc, char *
 	}
 #ifdef WITH_TLS
 	if((cfg->certfile && !cfg->keyfile) || (cfg->keyfile && !cfg->certfile)){
-		fprintf(stderr, "Error: Both certfile and keyfile must be provided if one of them is.\n");
+		fprintf(stderr, "Error: Both certfile and keyfile must be provided if one of them is set.\n");
 		return 1;
 	}
 	if((cfg->keyform && !cfg->keyfile)){
-		fprintf(stderr, "Error: keyfile must be specified if keyform is.\n");
+		fprintf(stderr, "Error: If keyform is set, keyfile must be also specified.\n");
 		return 1;
 	}
-	if((cfg->tls_engine_kpass_sha && (!cfg->keyform || !cfg->tls_engine))){
+	if((cfg->tls_engine_kpass_sha1 && (!cfg->keyform || !cfg->tls_engine))){
-		fprintf(stderr, "Error: when using tls-engine-kpass-sha, both tls-engine and keyform must also be provided.\n");
+		fprintf(stderr, "Error: when using tls-engine-kpass-sha1, both tls-engine and keyform must also be provided.\n");
 		return 1;
 	}
 #endif
@ -444,12 +444,12 @@ int client_config_line_proc(struct mosq_config *cfg, int pub_or_sub, int argc, c
 				cfg->tls_engine = strdup(argv[i+1]);
 			}
 			i++;
-		}else if(!strcmp(argv[i], "--tls-engine-kpass-sha")){
+		}else if(!strcmp(argv[i], "--tls-engine-kpass-sha1")){
 			if(i==argc-1){
-				fprintf(stderr, "Error: --tls-engine-kpass-sha argument given but no kpass sha specified.\n\n");
+				fprintf(stderr, "Error: --tls-engine-kpass-sha1 argument given but no kpass sha1 specified.\n\n");
 				return 1;
 			}else{
-				cfg->tls_engine_kpass_sha = strdup(argv[i+1]);
+				cfg->tls_engine_kpass_sha1 = strdup(argv[i+1]);
 			}
 			i++;
 #endif
@ -952,17 +952,17 @@ int client_opts_set(struct mosquitto *mosq, struct mosq_config *cfg)
 		mosquitto_lib_cleanup();
 		return 1;
 	}
-	if(cfg->tls_engine && mosquitto_tls_engine_set(mosq, cfg->tls_engine)){
+	if(cfg->tls_engine && mosquitto_string_option(mosq, MOSQ_OPT_TLS_ENGINE, cfg->tls_engine)){
 		if(!cfg->quiet) fprintf(stderr, "Error: Problem setting TLS engine.\n");
 		mosquitto_lib_cleanup();
 		return 1;
 	}
-	if(cfg->keyform && mosquitto_tls_keyform_set(mosq, cfg->keyform)){
+	if(cfg->keyform && mosquitto_string_option(mosq, MOSQ_OPT_TLS_KEYFORM, cfg->keyform)){
 		if(!cfg->quiet) fprintf(stderr, "Error: Problem setting keyform.\n");
 		mosquitto_lib_cleanup();
 		return 1;
 	}
-	if(cfg->tls_engine_kpass_sha && mosquitto_tls_engine_kpass_sha_set(mosq, cfg->tls_engine_kpass_sha)){
+	if(cfg->tls_engine_kpass_sha1 && mosquitto_string_option(mosq, MOSQ_OPT_TLS_ENGINE_KPASS_SHA1, cfg->tls_engine_kpass_sha1)){
 		if(!cfg->quiet) fprintf(stderr, "Error: Problem setting TLS engine key pass sha.\n");
 		mosquitto_lib_cleanup();
 		return 1;
--- a/client/client_shared.h
+++ b/client/client_shared.h
@ -67,7 +67,7 @@ struct mosq_config {
 	bool insecure;
 	char *tls_version;
 	char *tls_engine;
-	char *tls_engine_kpass_sha;
+	char *tls_engine_kpass_sha1;
 	char *keyform;
 #  ifdef WITH_TLS_PSK
 	char *psk;
--- a/client/pub_client.c
+++ b/client/pub_client.c
@ -222,8 +222,8 @@ void print_usage(void)
 	printf("                     [--will-topic [--will-payload payload] [--will-qos qos] [--will-retain]]\n");
 #ifdef WITH_TLS
 	printf("                     [{--cafile file | --capath dir} [--cert file] [--key file]\n");
-	printf("                      [--ciphers ciphers] [--insecure] [--tls-engine engine]\n");
+	printf("                      [--ciphers ciphers] [--insecure]\n");
-	printf("                      [--keyform keyform] [--tls-engine-kpass-sha]]\n");
+	printf("                      [--tls-engine engine] [--keyform keyform] [--tls-engine-kpass-sha1]]\n");
 #ifdef WITH_TLS_PSK
 	printf("                     [--psk hex-key --psk-identity identity [--ciphers ciphers]]\n");
 #endif
@ -274,7 +274,7 @@ void print_usage(void)
 	printf("            communication.\n");
 	printf(" --cert : client certificate for authentication, if required by server.\n");
 	printf(" --key : client private key for authentication, if required by server.\n");
-	printf(" --keyform : keyfile type, can be one of pem or engine.\n");
+	printf(" --keyform : keyfile type, can be either \"pem\" or \"engine\".\n");
 	printf(" --ciphers : openssl compatible list of TLS ciphers to support.\n");
 	printf(" --tls-version : TLS protocol version, can be one of tlsv1.2 tlsv1.1 or tlsv1.\n");
 	printf("                 Defaults to tlsv1.2 if available.\n");
@ -282,8 +282,8 @@ void print_usage(void)
 	printf("              hostname. Using this option means that you cannot be sure that the\n");
 	printf("              remote host is the server you wish to connect to and so is insecure.\n");
 	printf("              Do not use this option in a production environment.\n");
-	printf(" --tls-engine : toggles the usage of a SSL engine device.\n");
+	printf(" --tls-engine : If set, enables the use of a SSL engine device.\n");
-	printf(" --tls-engine-kpass-sha : SHA1 of the key password to be used with the selected SSL engine.\n");
+	printf(" --tls-engine-kpass-sha1 : SHA1 of the key password to be used with the selected SSL engine.\n");
 #  ifdef WITH_TLS_PSK
 	printf(" --psk : pre-shared-key in hexadecimal (no leading 0x) to enable TLS-PSK mode.\n");
 	printf(" --psk-identity : client identity string for TLS-PSK mode.\n");
--- a/client/sub_client.c
+++ b/client/sub_client.c
@ -158,7 +158,7 @@ void print_usage(void)
 #ifdef WITH_TLS
 	printf("                     [{--cafile file | --capath dir} [--cert file] [--key file]\n");
 	printf("                      [--ciphers ciphers] [--insecure] [--tls-engine engine]\n");
-	printf("                      [--keyform keyform] [--tls-engine-kpass-sha]]\n");
+	printf("                      [--keyform keyform] [--tls-engine-kpass-sha1]]\n");
 #ifdef WITH_TLS_PSK
 	printf("                     [--psk hex-key --psk-identity identity [--ciphers ciphers]]\n");
 #endif
@ -216,7 +216,7 @@ void print_usage(void)
 	printf("            communication.\n");
 	printf(" --cert : client certificate for authentication, if required by server.\n");
 	printf(" --key : client private key for authentication, if required by server.\n");
-	printf(" --keyform : keyfile type, can be one of pem or engine.\n");
+	printf(" --keyform : keyfile type, can be either \"pem\" or \"engine\".\n");
 	printf(" --ciphers : openssl compatible list of TLS ciphers to support.\n");
 	printf(" --tls-version : TLS protocol version, can be one of tlsv1.2 tlsv1.1 or tlsv1.\n");
 	printf("                 Defaults to tlsv1.2 if available.\n");
@ -224,8 +224,8 @@ void print_usage(void)
 	printf("              hostname. Using this option means that you cannot be sure that the\n");
 	printf("              remote host is the server you wish to connect to and so is insecure.\n");
 	printf("              Do not use this option in a production environment.\n");
-	printf(" --tls-engine : toggles the usage of a SSL engine device.\n");
+	printf(" --tls-engine : If set, enables the use of a SSL engine device.\n");
-	printf(" --tls-engine-kpass-sha : SHA1 of the key password to be used with the selected SSL engine.\n");
+	printf(" --tls-engine-kpass-sha1 : SHA1 of the key password to be used with the selected SSL engine.\n");
 #ifdef WITH_TLS_PSK
 	printf(" --psk : pre-shared-key in hexadecimal (no leading 0x) to enable TLS-PSK mode.\n");
 	printf(" --psk-identity : client identity string for TLS-PSK mode.\n");
--- a/config.h
+++ b/config.h
@ -17,6 +17,8 @@
 #define _GNU_SOURCE
 #define OPENSSL_LOAD_CONF
 /* ============================================================
 * Compatibility defines
 * ============================================================ */
--- a/lib/cpp/mosquittopp.cpp
+++ b/lib/cpp/mosquittopp.cpp
@ -366,19 +366,4 @@ int mosquittopp::tls_psk_set(const char *psk, const char *identity, const char *
 	return mosquitto_tls_psk_set(m_mosq, psk, identity, ciphers);
 }
 int mosquittopp::tls_engine_set(const char *engine_id)
 {
   return mosquitto_tls_engine_set(m_mosq, engine_id);
 }
 int mosquittopp::tls_keyform_set(const char *keyform)
 {
   return mosquitto_tls_keyform_set(m_mosq, keyform);
 }
 int mosquittopp::tls_engine_kpass_sha_set(const char *kpass_sha)
 {
   return mosquitto_tls_engine_kpass_sha_set(m_mosq, kpass_sha);
 }
 }
--- a/lib/cpp/mosquittopp.h
+++ b/lib/cpp/mosquittopp.h
@ -110,9 +110,6 @@ class mosqpp_EXPORT mosquittopp {
 		int tls_opts_set(int cert_reqs, const char *tls_version=NULL, const char *ciphers=NULL);
 		int tls_insecure_set(bool value);
 		int tls_psk_set(const char *psk, const char *identity, const char *ciphers=NULL);
 		int tls_engine_set(const char *engine_id);
 		int tls_keyform_set(const char *keyform);
 		int tls_engine_kpass_sha_set(const char *kpass_sha);
 		int opts_set(enum mosq_opt_t option, void *value);
 		int loop(int timeout=-1, int max_packets=1);
--- a/lib/linker.version
+++ b/lib/linker.version
@ -90,12 +90,10 @@ MOSQ_1.5 {
 		mosquitto_sub_topic_check2;
 		mosquitto_topic_matches_sub2;
 		mosquitto_connect_with_flags_callback_set;
 		mosquitto_tls_engine_set;
 		mosquitto_tls_keyform_set;
 		mosquitto_tls_engine_kpass_sha_set;
 } MOSQ_1.4;
 MOSQ_1.6 {
 	global:
 		mosquitto_string_option;
 		mosquitto_subscribe_multiple;
 } MOSQ_1.5;
--- a/lib/mosquitto.h
+++ b/lib/mosquitto.h
@ -94,8 +94,13 @@ enum mosq_opt_t {
 	MOSQ_OPT_PROTOCOL_VERSION = 1,
 	MOSQ_OPT_SSL_CTX = 2,
 	MOSQ_OPT_SSL_CTX_WITH_DEFAULTS = 3,
 	MOSQ_OPT_TLS_KEYFORM = 6,
 	MOSQ_OPT_TLS_ENGINE = 7,
 	MOSQ_OPT_TLS_ENGINE_KPASS_SHA1 = 8,
 };
 /* MQTT specification restricts client ids to a maximum of 23 characters */
 #define MOSQ_MQTT_ID_MAX_LENGTH 23
@ -1160,65 +1165,6 @@ libmosq_EXPORT int mosquitto_tls_opts_set(struct mosquitto *mosq, int cert_reqs,
 */
 libmosq_EXPORT int mosquitto_tls_psk_set(struct mosquitto *mosq, const char *psk, const char *identity, const char *ciphers);
 /*
 * Function: mosquitto_tls_engine_set
 *
 * Configure the client for TLS engine support. Must be called
 * before <mosquitto_connect>.
 *
 * Parameters:
 *  mosq -       a valid mosquitto instance.
 *  engine_id - the engine ID that wants to be used.
 *
 * Returns:
 *  MOSQ_ERR_SUCCESS - on success.
 *  MOSQ_ERR_INVAL -   if the input parameters were invalid.
 *
 * See Also:
 * <mosquitto_tls_set>
 */
 libmosq_EXPORT int mosquitto_tls_engine_set(struct mosquitto *mosq, const char *engine_id);
 /*
 * Function: mosquitto_tls_keyform_set
 *
 * Configure the client to treat the keyfile differently depending on its type.
 * Must be called before <mosquitto_connect>.
 *
 * Parameters:
 *  mosq -    a valid mosquitto instance.
 *  keyform - the key type. Currently only "pem" or "engine" are supported.
 *
 * Returns:
 *  MOSQ_ERR_SUCCESS - on success.
 *  MOSQ_ERR_INVAL -   if the input parameters were invalid.
 *
 * See Also:
 * <mosquitto_tls_set>
 */
 libmosq_EXPORT int mosquitto_tls_keyform_set(struct mosquitto *mosq, const char *keyform);
 /*
 * Function: mosquitto_tls_engine_kpass_sha_set
 *
 * Some SSL engines may require the usage of a password in order to being
 * accessed, like the TPM engine. This function allows a SHA1 hash of the
 * password to be passed on to the engine directly.
 * Must be called before <mosquitto_connect>.
 *
 * Parameters:
 *  mosq -      a valid mosquitto instance.
 *  kpass_sha - SHA1 of the private key password.
 *
 * Returns:
 *  MOSQ_ERR_SUCCESS - on success.
 *  MOSQ_ERR_INVAL -   if the input parameters were invalid.
 *
 * See Also:
 * <mosquitto_tls_set>
 */
 libmosq_EXPORT int mosquitto_tls_engine_kpass_sha_set(struct mosquitto *mosq, const char *kpass_sha);
 /*
 * Function: mosquitto_connect_callback_set
 *
@ -1391,6 +1337,37 @@ libmosq_EXPORT void mosquitto_unsubscribe_callback_set(struct mosquitto *mosq, v
 */
 libmosq_EXPORT void mosquitto_log_callback_set(struct mosquitto *mosq, void (*on_log)(struct mosquitto *, void *, int, const char *));
 /*
 * Function: mosquitto_string_option
 *
 * Used to set const char* options for the client.
 *
 * Parameters:
 *	mosq -   a valid mosquitto instance.
 *	option - the option to set.
 *	value -  the option specific value.
 *
 * Options:
 *	MOSQ_OPT_TLS_ENGINE
 *	          Configure the client for TLS Engine support. Pass a TLS Engine ID
 *	          to be used when creating TLS connections.
 *	          Must be set before <mosquitto_connect>.
 *	MOSQ_OPT_TLS_KEYFORM
 *            Configure the client to treat the keyfile differently depending
 *            on its type.  Must be set before <mosquitto_connect>.
 *	          Set as either "pem" or "engine", to determine from where the
 *	          private key for a TLS connection will be obtained. Defaults to
 *	          "pem", a normal private key file.
 *	MOSQ_OPT_TLS_KPASS_SHA1
 *	          Where the TLS Engine requires the use of a password to be
 *	          accessed, this option allows a hex encoded SHA1 hash of the
 *	          private key password to be passed to the engine directly.
 *	          Must be set before <mosquitto_connect>.
 */
 libmosq_EXPORT int mosquitto_string_option(struct mosquitto *mosq, enum mosq_opt_t option, const char *value);
 /*
 * Function: mosquitto_reconnect_delay_set
 *
--- a/lib/mosquitto_internal.h
+++ b/lib/mosquitto_internal.h
@ -154,7 +154,7 @@ struct mosquitto_message_all{
 };
 #ifdef WITH_TLS
-enum _mosquitto_keyform {
+enum mosquitto__keyform {
 	mosq_k_pem = 0,
 	mosq_k_engine = 1,
 };
@ -199,8 +199,8 @@ struct mosquitto {
 	bool tls_insecure;
 	bool ssl_ctx_defaults;
 	char *tls_engine;
-	char *tls_engine_kpass_sha;
+	char *tls_engine_kpass_sha1;
-	enum _mosquitto_keyform tls_keyform;
+	enum mosquitto__keyform tls_keyform;
 #endif
 	bool want_write;
 	bool want_connect;
--- a/lib/net_mosq.c
+++ b/lib/net_mosq.c
@ -126,7 +126,6 @@ int net__init(void)
 	SSL_load_error_strings();
 	SSL_library_init();
 	OpenSSL_add_all_algorithms();
 	OPENSSL_config(NULL);
 	ENGINE_load_builtin_engines();
 	setup_ui_method();
 	if(tls_ex_index_mosq == -1){
@ -616,15 +615,15 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
 			if(mosq->tls_keyfile){
 				if(mosq->tls_keyform == mosq_k_engine){
 					UI_METHOD *ui_method = net__get_ui_method();
-					if(mosq->tls_engine_kpass_sha){
+					if(mosq->tls_engine_kpass_sha1){
 						if(!ENGINE_ctrl_cmd(engine, ENGINE_SECRET_MODE, ENGINE_SECRET_MODE_SHA, NULL, NULL, 0)){
-							log__printf(mosq, MOSQ_LOG_ERR, "Error: Unable to set engine secret mode sha");
+							log__printf(mosq, MOSQ_LOG_ERR, "Error: Unable to set engine secret mode sha1");
 							ENGINE_FINISH(engine);
 							COMPAT_CLOSE(mosq->sock);
 							net__print_ssl_error(mosq);
 							return MOSQ_ERR_TLS;
 						}
-						if(!ENGINE_ctrl_cmd(engine, ENGINE_PIN, 0, mosq->tls_engine_kpass_sha, NULL, 0)){
+						if(!ENGINE_ctrl_cmd(engine, ENGINE_PIN, 0, mosq->tls_engine_kpass_sha1, NULL, 0)){
 							log__printf(mosq, MOSQ_LOG_ERR, "Error: Unable to set engine pin");
 							ENGINE_FINISH(engine);
 							COMPAT_CLOSE(mosq->sock);
--- a/lib/options.c
+++ b/lib/options.c
@ -22,6 +22,10 @@ Contributors:
 #include <string.h>
 #ifdef WITH_TLS
 #  include <openssl/engine.h>
 #endif
 #include "mosquitto.h"
 #include "mosquitto_internal.h"
 #include "memory_mosq.h"
@ -219,55 +223,66 @@ int mosquitto_tls_insecure_set(struct mosquitto *mosq, bool value)
 }
-int mosquitto_tls_engine_set(struct mosquitto *mosq, const char *engine_id)
+int mosquitto_string_option(struct mosquitto *mosq, enum mosq_opt_t option, const char *value)
 {
 #ifdef WITH_TLS
-	if(!mosq) return MOSQ_ERR_INVAL;
+	ENGINE *eng;
-	ENGINE *e = ENGINE_by_id(engine_id);
+	char *str;
 	if (!e)
 		return MOSQ_ERR_INVAL;
 	ENGINE_free(e); /* release the structural reference from ENGINE_by_id() */
 	mosq->tls_engine = mosquitto__strdup(engine_id);
 	return MOSQ_ERR_SUCCESS;
 #else
 	return MOSQ_ERR_NOT_SUPPORTED;
 #endif
 }
 int mosquitto_tls_keyform_set(struct mosquitto *mosq, const char *keyform)
 {
 #ifdef WITH_TLS
 	if(!mosq) return MOSQ_ERR_INVAL;
-	if (keyform){
+	switch(option){
-		if(!strcasecmp(keyform, "pem"))
+		case MOSQ_OPT_TLS_ENGINE:
-			mosq->tls_keyform = mosq_k_pem;
+#ifdef WITH_TLS
-		else if (!strcasecmp(keyform, "engine"))
+			eng = ENGINE_by_id(value);
-			mosq->tls_keyform = mosq_k_engine;
+			if(!eng){
-		else
+				return MOSQ_ERR_INVAL;
 			}
 			ENGINE_free(eng); /* release the structural reference from ENGINE_by_id() */
 			mosq->tls_engine = mosquitto__strdup(value);
 			if(!mosq->tls_engine){
 				return MOSQ_ERR_NOMEM;
 			}
 			return MOSQ_ERR_SUCCESS;
 #else
 			return MOSQ_ERR_NOT_SUPPORTED;
 #endif
 			break;
 		case MOSQ_OPT_TLS_KEYFORM:
 #ifdef WITH_TLS
 			if(!value) return MOSQ_ERR_INVAL;
 			if(!strcasecmp(value, "pem")){
 				mosq->tls_keyform = mosq_k_pem;
 			}else if (!strcasecmp(value, "engine")){
 				mosq->tls_keyform = mosq_k_engine;
 			}else{
 				return MOSQ_ERR_INVAL;
 			}
 #else
 			return MOSQ_ERR_NOT_SUPPORTED;
 #endif
 			break;
 		case MOSQ_OPT_TLS_ENGINE_KPASS_SHA1:
 #ifdef WITH_TLS
 			if(mosquitto__hex2bin_sha1(value, (unsigned char**)&str) != MOSQ_ERR_SUCCESS){
 				return MOSQ_ERR_INVAL;
 			}
 			mosq->tls_engine_kpass_sha1 = str;
 			return MOSQ_ERR_SUCCESS;
 #else
 			return MOSQ_ERR_NOT_SUPPORTED;
 #endif
 			break;
 		default:
 			return MOSQ_ERR_INVAL;
 	}else{
 		mosq->tls_keyform = mosq_k_pem;
 	}
 	return MOSQ_ERR_SUCCESS;
 #else
 	return MOSQ_ERR_NOT_SUPPORTED;
 #endif
 }
-
+	return MOSQ_ERR_INVAL;
 int mosquitto_tls_engine_kpass_sha_set(struct mosquitto *mosq, const char *kpass_sha)
 {
 #ifdef WITH_TLS
 	if(!mosq) return MOSQ_ERR_INVAL;
 	char *kpass_sha_bin = NULL;
 	if(mosquitto__hex2bin_sha1(kpass_sha, (unsigned char**)&kpass_sha_bin) != MOSQ_ERR_SUCCESS) return MOSQ_ERR_INVAL;
 	mosq->tls_engine_kpass_sha = kpass_sha_bin;
 	return MOSQ_ERR_SUCCESS;
 #else
 	return MOSQ_ERR_NOT_SUPPORTED;
 #endif
 }
--- a/lib/util_mosq.c
+++ b/lib/util_mosq.c
@ -351,17 +351,16 @@ int mosquitto__hex2bin_sha1(const char *hex, unsigned char **bin)
 {
 	unsigned char *sha, tmp[SHA_DIGEST_LENGTH];
-	if(mosquitto__hex2bin(hex, tmp, SHA_DIGEST_LENGTH) != SHA_DIGEST_LENGTH)
+	if(mosquitto__hex2bin(hex, tmp, SHA_DIGEST_LENGTH) != SHA_DIGEST_LENGTH){
 		return MOSQ_ERR_INVAL;
 	}
 	sha = mosquitto__malloc(SHA_DIGEST_LENGTH);
 	memcpy(sha, tmp, SHA_DIGEST_LENGTH);
 	*bin = sha;
 	return MOSQ_ERR_SUCCESS;
 }
 #endif
 #if defined(WITH_TLS_PSK) || defined(WITH_TLS)
 int mosquitto__hex2bin(const char *hex, unsigned char *bin, int bin_max_len)
 {
 	BIGNUM *bn = NULL;
--- a/lib/util_mosq.h
+++ b/lib/util_mosq.h
@ -35,9 +35,6 @@ FILE *mosquitto__fopen(const char *path, const char *mode, bool restrict_read);
 #ifdef WITH_TLS
 int mosquitto__hex2bin_sha1(const char *hex, unsigned char **bin);
 #endif
 #if defined(WITH_TLS_PSK) || defined(WITH_TLS)
 int mosquitto__hex2bin(const char *hex, unsigned char *bin, int bin_max_len);
 #endif
--- a/man/mosquitto.conf.5.xml
+++ b/man/mosquitto.conf.5.xml
@ -894,33 +894,6 @@
 							the "openssl ciphers" command.</para>
 					</listitem>
 				</varlistentry>
 				<varlistentry>
 					<term><option>tls_engine</option> <replaceable>engine</replaceable></term>
 					<listitem>
 						<para>A valid openssl engine id. These can be listed with
 						openssl engine command.</para>
 					</listitem>
 				</varlistentry>
 				<varlistentry>
 					<term><option>tls_keyform</option> [ pem | engine ]</term>
 					<listitem>
 						<para>Specifies the type of key in use. This could be pem or
 						engine. This parameter is useful for example when a TPM
 						module is being used and the key has been created with
 						it. If not specified, pem keys are assumed</para>
 					</listitem>
 				</varlistentry>
 				<varlistentry>
 					<term><option>tls_engine_kpass_sha</option> <replaceable>engine_kpass_sha</replaceable></term>
 					<listitem>
 						<para>SHA1 of private key password when using an SSL engine.
 						Some SSL engines may require the usage of a password
 						in order to being accessed, like the TPM engine. Instead
 						of being prompted for the password, this option allows
 						a SHA1 hash of the password to be passed on to the
 						engine directly, without user interaction.</para>
 					</listitem>
 				</varlistentry>
 				<varlistentry>
 					<term><option>crlfile</option> <replaceable>file path</replaceable></term>
 					<listitem>
@ -955,6 +928,36 @@
 							mechanisms provided by MQTT.</para>
 					</listitem>
 				</varlistentry>
 				<varlistentry>
 					<term><option>tls_engine</option> <replaceable>engine</replaceable></term>
 					<listitem>
 						<para>A valid openssl engine id. These can be listed with
 						openssl engine command.</para>
 					</listitem>
 				</varlistentry>
 				<varlistentry>
 					<term><option>tls_engine_kpass_sha1</option> <replaceable>engine_kpass_sha1</replaceable></term>
 					<listitem>
 						<para>SHA1 of the private key password when using an
 							TLS engine.  Some TLS engines such as the TPM
 							engine may require the use of a password in order
 							to be accessed.  This option allows a hex encoded
 							SHA1 hash of the password to the engine directly,
 							instead of the user being prompted for the
 							password.</para>
 					</listitem>
 				</varlistentry>
 				<varlistentry>
 					<term><option>tls_keyform</option> [ pem | engine ]</term>
 					<listitem>
 						<para>Specifies the type of private key in use when
 							making TLS connections.. This can be "pem" or
 							"engine". This parameter is useful when a TPM
 							module is being used and the private key has been
 							created with it. Defaults to "pem", which means
 							normal private key files are used.</para>
 					</listitem>
 				</varlistentry>
 				<varlistentry>
 					<term><option>tls_version</option> <replaceable>version</replaceable></term>
 					<listitem>
--- a/man/mosquitto_pub.1.xml
+++ b/man/mosquitto_pub.1.xml
@ -68,7 +68,7 @@
 						<arg choice='plain'><replaceable>pem</replaceable></arg>
 						<arg choice='plain'><replaceable>engine</replaceable></arg>
 					</group></arg>
-					<arg><option>--tls-engine-kpass-sha</option> <replaceable>kpass-sha</replaceable></arg>
+					<arg><option>--tls-engine-kpass-sha1</option> <replaceable>kpass-sha1</replaceable></arg>
 					<arg><option>--insecure</option></arg>
 				</arg>
 				<arg>
@ -187,36 +187,6 @@
 						for more information.</para>
 				</listitem>
 			</varlistentry>
 			<varlistentry>
 				<term><option>--tls-engine</option></term>
 				<listitem>
 					<para>A valid openssl engine id. These can be listed with
 						openssl engine command.</para>
 					<para>See also <option>--keyform</option>.</para>
 				</listitem>
 			</varlistentry>
 			<varlistentry>
 				<term><option>--keyform</option></term>
 				<listitem>
 					<para>Specifies the type of key in use. This could be pem or
 						engine. This parameter is useful for example when a TPM
 						module is being used and the key has been created with
 						it. If not specified, pem keys are assumed</para>
 					<para>See also <option>--tls-engine</option>.</para>
 				</listitem>
 			</varlistentry>
 			<varlistentry>
 				<term><option>--tls-engine-kpass-sha</option></term>
 				<listitem>
 					<para>SHA1 of private key password when using an SSL engine.
 						Some SSL engines may require the usage of a password
 						in order to being accessed, like the TPM engine. Instead
 						of being prompted for the password, this option allows
 						a SHA1 hash of the password to be passed on to the
 						engine directly, without user interaction.</para>
 					<para>See also <option>--tls-engine</option>.</para>
 				</listitem>
 			</varlistentry>
 			<varlistentry>
 				<term><option>-d</option></term>
 				<term><option>--debug</option></term>
@ -298,6 +268,18 @@
 					<para>See also <option>--cert</option>.</para>
 				</listitem>
 			</varlistentry>
 			<varlistentry>
 				<term><option>--keyform</option></term>
 				<listitem>
 					<para>Specifies the type of private key in use when making
 						TLS connections.. This can be "pem" or "engine". This
 						parameter is useful when a TPM module is being used and
 						the private key has been created with it. Defaults to
 						"pem", which means normal private key files are
 						used.</para>
 					<para>See also <option>--tls-engine</option>.</para>
 				</listitem>
 			</varlistentry>
 			<varlistentry>
 				<term><option>-L</option></term>
 				<term><option>--url</option></term>
@ -438,6 +420,26 @@
 					<para>The MQTT topic on which to publish the message. See <citerefentry><refentrytitle>mqtt</refentrytitle><manvolnum>7</manvolnum></citerefentry> for more information on MQTT topics.</para>
 				</listitem>
 			</varlistentry>
 			<varlistentry>
 				<term><option>--tls-engine</option></term>
 				<listitem>
 					<para>A valid openssl engine id. These can be listed with
 						openssl engine command.</para>
 					<para>See also <option>--keyform</option>.</para>
 				</listitem>
 			</varlistentry>
 			<varlistentry>
 				<term><option>--tls-engine-kpass-sha1</option></term>
 				<listitem>
 					<para>SHA1 of the private key password when using an TLS
 						engine.  Some TLS engines such as the TPM engine may
 						require the use of a password in order to be accessed.
 						This option allows a hex encoded SHA1 hash of the
 						password to the engine directly, instead of the user
 						being prompted for the password.</para>
 					<para>See also <option>--tls-engine</option>.</para>
 				</listitem>
 			</varlistentry>
 			<varlistentry>
 				<term><option>--tls-version</option></term>
 				<listitem>
--- a/man/mosquitto_sub.1.xml
+++ b/man/mosquitto_sub.1.xml
@ -75,7 +75,7 @@
 						<arg choice='plain'><replaceable>pem</replaceable></arg>
 						<arg choice='plain'><replaceable>engine</replaceable></arg>
 					</group></arg>
-					<arg><option>--tls-engine-kpass-sha</option> <replaceable>kpass-sha</replaceable></arg>
+					<arg><option>--tls-engine-kpass-sha1</option> <replaceable>kpass-sha1</replaceable></arg>
 					<arg><option>--insecure</option></arg>
 				</arg>
 				<arg>
@ -197,36 +197,6 @@
 						for more information.</para>
 				</listitem>
 			</varlistentry>
 			<varlistentry>
 				<term><option>--tls-engine</option></term>
 				<listitem>
 					<para>A valid openssl engine id. These can be listed with
 						openssl engine command.</para>
 					<para>See also <option>--keyform</option>.</para>
 				</listitem>
 			</varlistentry>
 			<varlistentry>
 				<term><option>--keyform</option></term>
 				<listitem>
 					<para>Specifies the type of key in use. This could be pem or
 						engine. This parameter is useful for example when a TPM
 						module is being used and the key has been created with
 						it. If not specified, pem keys are assumed</para>
 					<para>See also <option>--tls-engine</option>.</para>
 				</listitem>
 			</varlistentry>
 			<varlistentry>
 				<term><option>--tls-engine-kpass-sha</option></term>
 				<listitem>
 					<para>SHA1 of private key password when using an SSL engine.
 						Some SSL engines may require the usage of a password
 						in order to being accessed, like the TPM engine. Instead
 						of being prompted for the password, this option allows
 						a SHA1 hash of the password to be passed on to the
 						engine directly, without user interaction.</para>
 					<para>See also <option>--tls-engine</option>.</para>
 				</listitem>
 			</varlistentry>
 			<varlistentry>
 				<term><option>-C</option></term>
 				<listitem>
@ -339,6 +309,18 @@
 					<para>See also <option>--cert</option>.</para>
 				</listitem>
 			</varlistentry>
 			<varlistentry>
 				<term><option>--keyform</option></term>
 				<listitem>
 					<para>Specifies the type of private key in use when making
 						TLS connections.. This can be "pem" or "engine". This
 						parameter is useful when a TPM module is being used and
 						the private key has been created with it. Defaults to
 						"pem", which means normal private key files are
 						used.</para>
 					<para>See also <option>--tls-engine</option>.</para>
 				</listitem>
 			</varlistentry>
 			<varlistentry>
 				<term><option>-L</option></term>
 				<term><option>--url</option></term>
@ -503,6 +485,26 @@
 						topics or topic trees.</para>
 				</listitem>
 			</varlistentry>
 			<varlistentry>
 				<term><option>--tls-engine</option></term>
 				<listitem>
 					<para>A valid openssl engine id. These can be listed with
 						openssl engine command.</para>
 					<para>See also <option>--keyform</option>.</para>
 				</listitem>
 			</varlistentry>
 			<varlistentry>
 				<term><option>--tls-engine-kpass-sha1</option></term>
 				<listitem>
 					<para>SHA1 of the private key password when using an TLS
 						engine.  Some TLS engines such as the TPM engine may
 						require the use of a password in order to be accessed.
 						This option allows a hex encoded SHA1 hash of the
 						password to the engine directly, instead of the user
 						being prompted for the password.</para>
 					<para>See also <option>--tls-engine</option>.</para>
 				</listitem>
 			</varlistentry>
 			<varlistentry>
 				<term><option>--tls-version</option></term>
 				<listitem>
--- a/src/conf.c
+++ b/src/conf.c
@ -299,7 +299,7 @@ void config__cleanup(struct mosquitto__config *config)
 			mosquitto__free(config->listeners[i].crlfile);
 			mosquitto__free(config->listeners[i].tls_version);
 			mosquitto__free(config->listeners[i].tls_engine);
-			mosquitto__free(config->listeners[i].tls_engine_kpass_sha);
+			mosquitto__free(config->listeners[i].tls_engine_kpass_sha1);
 #ifdef WITH_WEBSOCKETS
 			if(!config->listeners[i].ws_context) /* libwebsockets frees its own SSL_CTX */
 #endif
@ -437,7 +437,7 @@ int config__parse_args(struct mosquitto_db *db, struct mosquitto__config *config
 			|| config->default_listener.keyfile
 			|| config->default_listener.tls_engine
 			|| config->default_listener.tls_keyform != mosq_k_pem
-			|| config->default_listener.tls_engine_kpass_sha
+			|| config->default_listener.tls_engine_kpass_sha1
 			|| config->default_listener.ciphers
 			|| config->default_listener.psk_hint
 			|| config->default_listener.require_certificate
@ -490,7 +490,7 @@ int config__parse_args(struct mosquitto_db *db, struct mosquitto__config *config
 		config->listeners[config->listener_count-1].tls_version = config->default_listener.tls_version;
 		config->listeners[config->listener_count-1].tls_engine = config->default_listener.tls_engine;
 		config->listeners[config->listener_count-1].tls_keyform = config->default_listener.tls_keyform;
-		config->listeners[config->listener_count-1].tls_engine_kpass_sha = config->default_listener.tls_engine_kpass_sha;
+		config->listeners[config->listener_count-1].tls_engine_kpass_sha1 = config->default_listener.tls_engine_kpass_sha1;
 		config->listeners[config->listener_count-1].cafile = config->default_listener.cafile;
 		config->listeners[config->listener_count-1].capath = config->default_listener.capath;
 		config->listeners[config->listener_count-1].certfile = config->default_listener.certfile;
@ -1112,16 +1112,16 @@ int config__read_file_core(struct mosquitto__config *config, bool reload, struct
 #else
 					log__printf(NULL, MOSQ_LOG_WARNING, "Warning: TLS support not available.");
 #endif
-				}else if(!strcmp(token, "tls_engine_kpass_sha")){
+				}else if(!strcmp(token, "tls_engine_kpass_sha1")){
 #ifdef WITH_TLS
 					if(reload) continue; // Listeners not valid for reloading.
 					char *kpass_sha = NULL, *kpass_sha_bin = NULL;
-					if(conf__parse_string(&token, "tls_engine_kpass_sha", &kpass_sha, saveptr)) return MOSQ_ERR_INVAL;
+					if(conf__parse_string(&token, "tls_engine_kpass_sha1", &kpass_sha, saveptr)) return MOSQ_ERR_INVAL;
 					if(mosquitto__hex2bin_sha1(kpass_sha, (unsigned char**)&kpass_sha_bin) != MOSQ_ERR_SUCCESS){
 						mosquitto__free(kpass_sha);
 						return MOSQ_ERR_INVAL;
 					}
-					cur_listener->tls_engine_kpass_sha = kpass_sha_bin;
+					cur_listener->tls_engine_kpass_sha1 = kpass_sha_bin;
 					mosquitto__free(kpass_sha);
 #else
 					log__printf(NULL, MOSQ_LOG_WARNING, "Warning: TLS support not available.");
--- a/src/mosquitto_broker_internal.h
+++ b/src/mosquitto_broker_internal.h
@ -225,16 +225,16 @@ struct mosquitto__listener {
 	char *certfile;
 	char *keyfile;
 	char *tls_engine;
-	enum _mosquitto_keyform tls_keyform;
+	char *tls_engine_kpass_sha1;
 	char *tls_engine_kpass_sha;
 	char *ciphers;
 	char *psk_hint;
 	SSL_CTX *ssl_ctx;
 	char *crlfile;
 	char *tls_version;
 	bool use_identity_as_username;
 	bool use_subject_as_username;
 	bool require_certificate;
-	char *tls_version;
+	enum mosquitto__keyform tls_keyform;
 #endif
 #ifdef WITH_WEBSOCKETS
 	struct libwebsocket_context *ws_context;
--- a/src/net.c
+++ b/src/net.c
@ -502,14 +502,14 @@ int net__socket_listen(struct mosquitto__listener *listener)
 			}
 			if(listener->tls_keyform == mosq_k_engine){
 				UI_METHOD *ui_method = net__get_ui_method();
-				if(listener->tls_engine_kpass_sha){
+				if(listener->tls_engine_kpass_sha1){
 					if(!ENGINE_ctrl_cmd(engine, ENGINE_SECRET_MODE, ENGINE_SECRET_MODE_SHA, NULL, NULL, 0)){
 						log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to set engine secret mode sha");
 						COMPAT_CLOSE(sock);
 						ENGINE_FINISH(engine);
 						return 1;
 					}
-					if(!ENGINE_ctrl_cmd(engine, ENGINE_PIN, 0, listener->tls_engine_kpass_sha, NULL, 0)){
+					if(!ENGINE_ctrl_cmd(engine, ENGINE_PIN, 0, listener->tls_engine_kpass_sha1, NULL, 0)){
 						log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to set engine pin");
 						COMPAT_CLOSE(sock);
 						ENGINE_FINISH(engine);