d0kuhn/mosquitto
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Rework TLS engine support.

Browse Source
This commit is contained in:
Roger A. Light 2019-02-26 17:11:29 +00:00
parent 20894fcbce
commit e862a047a8
20 changed files with 230 additions and 254 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
client/client_shared.c
View File

@ -152,7 +152,7 @@ void client_config_cleanup(struct mosq_config *cfg)
free(cfg->ciphers);
free(cfg->tls_version);
free(cfg->tls_engine);
free(cfg->tls_engine_kpass_sha);
free(cfg->tls_engine_kpass_sha1);
free(cfg->keyform);
# ifdef WITH_TLS_PSK
free(cfg->psk);
@ -308,15 +308,15 @@ int client_config_load(struct mosq_config *cfg, int pub_or_sub, int argc, char *
}
#ifdef WITH_TLS
if((cfg->certfile && !cfg->keyfile) || (cfg->keyfile && !cfg->certfile)){
fprintf(stderr, "Error: Both certfile and keyfile must be provided if one of them is.\n");
fprintf(stderr, "Error: Both certfile and keyfile must be provided if one of them is set.\n");
return 1;
}
if((cfg->keyform && !cfg->keyfile)){
fprintf(stderr, "Error: keyfile must be specified if keyform is.\n");
fprintf(stderr, "Error: If keyform is set, keyfile must be also specified.\n");
return 1;
}
if((cfg->tls_engine_kpass_sha && (!cfg->keyform || !cfg->tls_engine))){
fprintf(stderr, "Error: when using tls-engine-kpass-sha, both tls-engine and keyform must also be provided.\n");
if((cfg->tls_engine_kpass_sha1 && (!cfg->keyform || !cfg->tls_engine))){
fprintf(stderr, "Error: when using tls-engine-kpass-sha1, both tls-engine and keyform must also be provided.\n");
return 1;
}
#endif
@ -444,12 +444,12 @@ int client_config_line_proc(struct mosq_config *cfg, int pub_or_sub, int argc, c
cfg->tls_engine = strdup(argv[i+1]);
}
i++;
}else if(!strcmp(argv[i], "--tls-engine-kpass-sha")){
}else if(!strcmp(argv[i], "--tls-engine-kpass-sha1")){
if(i==argc-1){
fprintf(stderr, "Error: --tls-engine-kpass-sha argument given but no kpass sha specified.\n\n");
fprintf(stderr, "Error: --tls-engine-kpass-sha1 argument given but no kpass sha1 specified.\n\n");
return 1;
}else{
cfg->tls_engine_kpass_sha = strdup(argv[i+1]);
cfg->tls_engine_kpass_sha1 = strdup(argv[i+1]);
}
i++;
#endif
@ -952,17 +952,17 @@ int client_opts_set(struct mosquitto *mosq, struct mosq_config *cfg)
mosquitto_lib_cleanup();
return 1;
}
if(cfg->tls_engine && mosquitto_tls_engine_set(mosq, cfg->tls_engine)){
if(cfg->tls_engine && mosquitto_string_option(mosq, MOSQ_OPT_TLS_ENGINE, cfg->tls_engine)){
if(!cfg->quiet) fprintf(stderr, "Error: Problem setting TLS engine.\n");
mosquitto_lib_cleanup();
return 1;
}
if(cfg->keyform && mosquitto_tls_keyform_set(mosq, cfg->keyform)){
if(cfg->keyform && mosquitto_string_option(mosq, MOSQ_OPT_TLS_KEYFORM, cfg->keyform)){
if(!cfg->quiet) fprintf(stderr, "Error: Problem setting keyform.\n");
mosquitto_lib_cleanup();
return 1;
}
if(cfg->tls_engine_kpass_sha && mosquitto_tls_engine_kpass_sha_set(mosq, cfg->tls_engine_kpass_sha)){
if(cfg->tls_engine_kpass_sha1 && mosquitto_string_option(mosq, MOSQ_OPT_TLS_ENGINE_KPASS_SHA1, cfg->tls_engine_kpass_sha1)){
if(!cfg->quiet) fprintf(stderr, "Error: Problem setting TLS engine key pass sha.\n");
mosquitto_lib_cleanup();
return 1;

2
client/client_shared.h
View File

@ -67,7 +67,7 @@ struct mosq_config {
bool insecure;
char *tls_version;
char *tls_engine;
char *tls_engine_kpass_sha;
char *tls_engine_kpass_sha1;
char *keyform;
# ifdef WITH_TLS_PSK
char *psk;

10
client/pub_client.c
View File

@ -222,8 +222,8 @@ void print_usage(void)
printf(" [--will-topic [--will-payload payload] [--will-qos qos] [--will-retain]]\n");
#ifdef WITH_TLS
printf(" [{--cafile file | --capath dir} [--cert file] [--key file]\n");
printf(" [--ciphers ciphers] [--insecure] [--tls-engine engine]\n");
printf(" [--keyform keyform] [--tls-engine-kpass-sha]]\n");
printf(" [--ciphers ciphers] [--insecure]\n");
printf(" [--tls-engine engine] [--keyform keyform] [--tls-engine-kpass-sha1]]\n");
#ifdef WITH_TLS_PSK
printf(" [--psk hex-key --psk-identity identity [--ciphers ciphers]]\n");
#endif
@ -274,7 +274,7 @@ void print_usage(void)
printf(" communication.\n");
printf(" --cert : client certificate for authentication, if required by server.\n");
printf(" --key : client private key for authentication, if required by server.\n");
printf(" --keyform : keyfile type, can be one of pem or engine.\n");
printf(" --keyform : keyfile type, can be either \"pem\" or \"engine\".\n");
printf(" --ciphers : openssl compatible list of TLS ciphers to support.\n");
printf(" --tls-version : TLS protocol version, can be one of tlsv1.2 tlsv1.1 or tlsv1.\n");
printf(" Defaults to tlsv1.2 if available.\n");
@ -282,8 +282,8 @@ void print_usage(void)
printf(" hostname. Using this option means that you cannot be sure that the\n");
printf(" remote host is the server you wish to connect to and so is insecure.\n");
printf(" Do not use this option in a production environment.\n");
printf(" --tls-engine : toggles the usage of a SSL engine device.\n");
printf(" --tls-engine-kpass-sha : SHA1 of the key password to be used with the selected SSL engine.\n");
printf(" --tls-engine : If set, enables the use of a SSL engine device.\n");
printf(" --tls-engine-kpass-sha1 : SHA1 of the key password to be used with the selected SSL engine.\n");
# ifdef WITH_TLS_PSK
printf(" --psk : pre-shared-key in hexadecimal (no leading 0x) to enable TLS-PSK mode.\n");
printf(" --psk-identity : client identity string for TLS-PSK mode.\n");

8
client/sub_client.c
View File

@ -158,7 +158,7 @@ void print_usage(void)
#ifdef WITH_TLS
printf(" [{--cafile file | --capath dir} [--cert file] [--key file]\n");
printf(" [--ciphers ciphers] [--insecure] [--tls-engine engine]\n");
printf(" [--keyform keyform] [--tls-engine-kpass-sha]]\n");
printf(" [--keyform keyform] [--tls-engine-kpass-sha1]]\n");
#ifdef WITH_TLS_PSK
printf(" [--psk hex-key --psk-identity identity [--ciphers ciphers]]\n");
#endif
@ -216,7 +216,7 @@ void print_usage(void)
printf(" communication.\n");
printf(" --cert : client certificate for authentication, if required by server.\n");
printf(" --key : client private key for authentication, if required by server.\n");
printf(" --keyform : keyfile type, can be one of pem or engine.\n");
printf(" --keyform : keyfile type, can be either \"pem\" or \"engine\".\n");
printf(" --ciphers : openssl compatible list of TLS ciphers to support.\n");
printf(" --tls-version : TLS protocol version, can be one of tlsv1.2 tlsv1.1 or tlsv1.\n");
printf(" Defaults to tlsv1.2 if available.\n");
@ -224,8 +224,8 @@ void print_usage(void)
printf(" hostname. Using this option means that you cannot be sure that the\n");
printf(" remote host is the server you wish to connect to and so is insecure.\n");
printf(" Do not use this option in a production environment.\n");
printf(" --tls-engine : toggles the usage of a SSL engine device.\n");
printf(" --tls-engine-kpass-sha : SHA1 of the key password to be used with the selected SSL engine.\n");
printf(" --tls-engine : If set, enables the use of a SSL engine device.\n");
printf(" --tls-engine-kpass-sha1 : SHA1 of the key password to be used with the selected SSL engine.\n");
#ifdef WITH_TLS_PSK
printf(" --psk : pre-shared-key in hexadecimal (no leading 0x) to enable TLS-PSK mode.\n");
printf(" --psk-identity : client identity string for TLS-PSK mode.\n");

2
config.h
View File

@ -17,6 +17,8 @@
#define _GNU_SOURCE
#define OPENSSL_LOAD_CONF
/* ============================================================
* Compatibility defines
* ============================================================ */

15
lib/cpp/mosquittopp.cpp
View File

@ -366,19 +366,4 @@ int mosquittopp::tls_psk_set(const char *psk, const char *identity, const char *
return mosquitto_tls_psk_set(m_mosq, psk, identity, ciphers);
}
int mosquittopp::tls_engine_set(const char *engine_id)
{
return mosquitto_tls_engine_set(m_mosq, engine_id);
}
int mosquittopp::tls_keyform_set(const char *keyform)
{
return mosquitto_tls_keyform_set(m_mosq, keyform);
}
int mosquittopp::tls_engine_kpass_sha_set(const char *kpass_sha)
{
return mosquitto_tls_engine_kpass_sha_set(m_mosq, kpass_sha);
}
}

3
lib/cpp/mosquittopp.h
View File

@ -110,9 +110,6 @@ class mosqpp_EXPORT mosquittopp {
int tls_opts_set(int cert_reqs, const char *tls_version=NULL, const char *ciphers=NULL);
int tls_insecure_set(bool value);
int tls_psk_set(const char *psk, const char *identity, const char *ciphers=NULL);
int tls_engine_set(const char *engine_id);
int tls_keyform_set(const char *keyform);
int tls_engine_kpass_sha_set(const char *kpass_sha);
int opts_set(enum mosq_opt_t option, void *value);
int loop(int timeout=-1, int max_packets=1);

4
lib/linker.version
View File

@ -90,12 +90,10 @@ MOSQ_1.5 {
mosquitto_sub_topic_check2;
mosquitto_topic_matches_sub2;
mosquitto_connect_with_flags_callback_set;
mosquitto_tls_engine_set;
mosquitto_tls_keyform_set;
mosquitto_tls_engine_kpass_sha_set;
} MOSQ_1.4;
MOSQ_1.6 {
global:
mosquitto_string_option;
mosquitto_subscribe_multiple;
} MOSQ_1.5;

95
lib/mosquitto.h
View File

@ -94,8 +94,13 @@ enum mosq_opt_t {
MOSQ_OPT_PROTOCOL_VERSION = 1,
MOSQ_OPT_SSL_CTX = 2,
MOSQ_OPT_SSL_CTX_WITH_DEFAULTS = 3,
MOSQ_OPT_TLS_KEYFORM = 6,
MOSQ_OPT_TLS_ENGINE = 7,
MOSQ_OPT_TLS_ENGINE_KPASS_SHA1 = 8,
};
/* MQTT specification restricts client ids to a maximum of 23 characters */
#define MOSQ_MQTT_ID_MAX_LENGTH 23
@ -1160,65 +1165,6 @@ libmosq_EXPORT int mosquitto_tls_opts_set(struct mosquitto *mosq, int cert_reqs,
*/
libmosq_EXPORT int mosquitto_tls_psk_set(struct mosquitto *mosq, const char *psk, const char *identity, const char *ciphers);
/*
* Function: mosquitto_tls_engine_set
*
* Configure the client for TLS engine support. Must be called
* before <mosquitto_connect>.
*
* Parameters:
* mosq - a valid mosquitto instance.
* engine_id - the engine ID that wants to be used.
*
* Returns:
* MOSQ_ERR_SUCCESS - on success.
* MOSQ_ERR_INVAL - if the input parameters were invalid.
*
* See Also:
* <mosquitto_tls_set>
*/
libmosq_EXPORT int mosquitto_tls_engine_set(struct mosquitto *mosq, const char *engine_id);
/*
* Function: mosquitto_tls_keyform_set
*
* Configure the client to treat the keyfile differently depending on its type.
* Must be called before <mosquitto_connect>.
*
* Parameters:
* mosq - a valid mosquitto instance.
* keyform - the key type. Currently only "pem" or "engine" are supported.
*
* Returns:
* MOSQ_ERR_SUCCESS - on success.
* MOSQ_ERR_INVAL - if the input parameters were invalid.
*
* See Also:
* <mosquitto_tls_set>
*/
libmosq_EXPORT int mosquitto_tls_keyform_set(struct mosquitto *mosq, const char *keyform);
/*
* Function: mosquitto_tls_engine_kpass_sha_set
*
* Some SSL engines may require the usage of a password in order to being
* accessed, like the TPM engine. This function allows a SHA1 hash of the
* password to be passed on to the engine directly.
* Must be called before <mosquitto_connect>.
*
* Parameters:
* mosq - a valid mosquitto instance.
* kpass_sha - SHA1 of the private key password.
*
* Returns:
* MOSQ_ERR_SUCCESS - on success.
* MOSQ_ERR_INVAL - if the input parameters were invalid.
*
* See Also:
* <mosquitto_tls_set>
*/
libmosq_EXPORT int mosquitto_tls_engine_kpass_sha_set(struct mosquitto *mosq, const char *kpass_sha);
/*
* Function: mosquitto_connect_callback_set
*
@ -1391,6 +1337,37 @@ libmosq_EXPORT void mosquitto_unsubscribe_callback_set(struct mosquitto *mosq, v
*/
libmosq_EXPORT void mosquitto_log_callback_set(struct mosquitto *mosq, void (*on_log)(struct mosquitto *, void *, int, const char *));
/*
* Function: mosquitto_string_option
*
* Used to set const char* options for the client.
*
* Parameters:
* mosq - a valid mosquitto instance.
* option - the option to set.
* value - the option specific value.
*
* Options:
* MOSQ_OPT_TLS_ENGINE
* Configure the client for TLS Engine support. Pass a TLS Engine ID
* to be used when creating TLS connections.
* Must be set before <mosquitto_connect>.
* MOSQ_OPT_TLS_KEYFORM
* Configure the client to treat the keyfile differently depending
* on its type. Must be set before <mosquitto_connect>.
* Set as either "pem" or "engine", to determine from where the
* private key for a TLS connection will be obtained. Defaults to
* "pem", a normal private key file.
* MOSQ_OPT_TLS_KPASS_SHA1
* Where the TLS Engine requires the use of a password to be
* accessed, this option allows a hex encoded SHA1 hash of the
* private key password to be passed to the engine directly.
* Must be set before <mosquitto_connect>.
*/
libmosq_EXPORT int mosquitto_string_option(struct mosquitto *mosq, enum mosq_opt_t option, const char *value);
/*
* Function: mosquitto_reconnect_delay_set
*

6
lib/mosquitto_internal.h
View File

@ -154,7 +154,7 @@ struct mosquitto_message_all{
};
#ifdef WITH_TLS
enum _mosquitto_keyform {
enum mosquitto__keyform {
mosq_k_pem = 0,
mosq_k_engine = 1,
};
@ -199,8 +199,8 @@ struct mosquitto {
bool tls_insecure;
bool ssl_ctx_defaults;
char *tls_engine;
char *tls_engine_kpass_sha;
enum _mosquitto_keyform tls_keyform;
char *tls_engine_kpass_sha1;
enum mosquitto__keyform tls_keyform;
#endif
bool want_write;
bool want_connect;

7
lib/net_mosq.c
View File

@ -126,7 +126,6 @@ int net__init(void)
SSL_load_error_strings();
SSL_library_init();
OpenSSL_add_all_algorithms();
OPENSSL_config(NULL);
ENGINE_load_builtin_engines();
setup_ui_method();
if(tls_ex_index_mosq == -1){
@ -616,15 +615,15 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
if(mosq->tls_keyfile){
if(mosq->tls_keyform == mosq_k_engine){
UI_METHOD *ui_method = net__get_ui_method();
if(mosq->tls_engine_kpass_sha){
if(mosq->tls_engine_kpass_sha1){
if(!ENGINE_ctrl_cmd(engine, ENGINE_SECRET_MODE, ENGINE_SECRET_MODE_SHA, NULL, NULL, 0)){
log__printf(mosq, MOSQ_LOG_ERR, "Error: Unable to set engine secret mode sha");
log__printf(mosq, MOSQ_LOG_ERR, "Error: Unable to set engine secret mode sha1");
ENGINE_FINISH(engine);
COMPAT_CLOSE(mosq->sock);
net__print_ssl_error(mosq);
return MOSQ_ERR_TLS;
}
if(!ENGINE_ctrl_cmd(engine, ENGINE_PIN, 0, mosq->tls_engine_kpass_sha, NULL, 0)){
if(!ENGINE_ctrl_cmd(engine, ENGINE_PIN, 0, mosq->tls_engine_kpass_sha1, NULL, 0)){
log__printf(mosq, MOSQ_LOG_ERR, "Error: Unable to set engine pin");
ENGINE_FINISH(engine);
COMPAT_CLOSE(mosq->sock);

77
lib/options.c
View File

@ -22,6 +22,10 @@ Contributors:
#include <string.h>
#ifdef WITH_TLS
# include <openssl/engine.h>
#endif
#include "mosquitto.h"
#include "mosquitto_internal.h"
#include "memory_mosq.h"
@ -219,55 +223,66 @@ int mosquitto_tls_insecure_set(struct mosquitto *mosq, bool value)
}
int mosquitto_tls_engine_set(struct mosquitto *mosq, const char *engine_id)
int mosquitto_string_option(struct mosquitto *mosq, enum mosq_opt_t option, const char *value)
{
#ifdef WITH_TLS
if(!mosq) return MOSQ_ERR_INVAL;
ENGINE *e = ENGINE_by_id(engine_id);
if (!e)
return MOSQ_ERR_INVAL;
ENGINE_free(e); /* release the structural reference from ENGINE_by_id() */
mosq->tls_engine = mosquitto__strdup(engine_id);
return MOSQ_ERR_SUCCESS;
#else
return MOSQ_ERR_NOT_SUPPORTED;
ENGINE *eng;
char *str;
#endif
}
int mosquitto_tls_keyform_set(struct mosquitto *mosq, const char *keyform)
{
#ifdef WITH_TLS
if(!mosq) return MOSQ_ERR_INVAL;
if (keyform){
if(!strcasecmp(keyform, "pem"))
mosq->tls_keyform = mosq_k_pem;
else if (!strcasecmp(keyform, "engine"))
mosq->tls_keyform = mosq_k_engine;
else
switch(option){
case MOSQ_OPT_TLS_ENGINE:
#ifdef WITH_TLS
eng = ENGINE_by_id(value);
if(!eng){
return MOSQ_ERR_INVAL;
}else{
mosq->tls_keyform = mosq_k_pem;
}
ENGINE_free(eng); /* release the structural reference from ENGINE_by_id() */
mosq->tls_engine = mosquitto__strdup(value);
if(!mosq->tls_engine){
return MOSQ_ERR_NOMEM;
}
return MOSQ_ERR_SUCCESS;
#else
return MOSQ_ERR_NOT_SUPPORTED;
#endif
}
break;
int mosquitto_tls_engine_kpass_sha_set(struct mosquitto *mosq, const char *kpass_sha)
{
case MOSQ_OPT_TLS_KEYFORM:
#ifdef WITH_TLS
if(!mosq) return MOSQ_ERR_INVAL;
char *kpass_sha_bin = NULL;
if(mosquitto__hex2bin_sha1(kpass_sha, (unsigned char**)&kpass_sha_bin) != MOSQ_ERR_SUCCESS) return MOSQ_ERR_INVAL;
mosq->tls_engine_kpass_sha = kpass_sha_bin;
if(!value) return MOSQ_ERR_INVAL;
if(!strcasecmp(value, "pem")){
mosq->tls_keyform = mosq_k_pem;
}else if (!strcasecmp(value, "engine")){
mosq->tls_keyform = mosq_k_engine;
}else{
return MOSQ_ERR_INVAL;
}
#else
return MOSQ_ERR_NOT_SUPPORTED;
#endif
break;
case MOSQ_OPT_TLS_ENGINE_KPASS_SHA1:
#ifdef WITH_TLS
if(mosquitto__hex2bin_sha1(value, (unsigned char**)&str) != MOSQ_ERR_SUCCESS){
return MOSQ_ERR_INVAL;
}
mosq->tls_engine_kpass_sha1 = str;
return MOSQ_ERR_SUCCESS;
#else
return MOSQ_ERR_NOT_SUPPORTED;
#endif
break;
default:
return MOSQ_ERR_INVAL;
}
return MOSQ_ERR_INVAL;
}

5
lib/util_mosq.c
View File

@ -351,17 +351,16 @@ int mosquitto__hex2bin_sha1(const char *hex, unsigned char **bin)
{
unsigned char *sha, tmp[SHA_DIGEST_LENGTH];
if(mosquitto__hex2bin(hex, tmp, SHA_DIGEST_LENGTH) != SHA_DIGEST_LENGTH)
if(mosquitto__hex2bin(hex, tmp, SHA_DIGEST_LENGTH) != SHA_DIGEST_LENGTH){
return MOSQ_ERR_INVAL;
}
sha = mosquitto__malloc(SHA_DIGEST_LENGTH);
memcpy(sha, tmp, SHA_DIGEST_LENGTH);
*bin = sha;
return MOSQ_ERR_SUCCESS;
}
#endif
#if defined(WITH_TLS_PSK) || defined(WITH_TLS)
int mosquitto__hex2bin(const char *hex, unsigned char *bin, int bin_max_len)
{
BIGNUM *bn = NULL;

3
lib/util_mosq.h
View File

@ -35,9 +35,6 @@ FILE *mosquitto__fopen(const char *path, const char *mode, bool restrict_read);
#ifdef WITH_TLS
int mosquitto__hex2bin_sha1(const char *hex, unsigned char **bin);
#endif
#if defined(WITH_TLS_PSK) || defined(WITH_TLS)
int mosquitto__hex2bin(const char *hex, unsigned char *bin, int bin_max_len);
#endif

57
man/mosquitto.conf.5.xml
View File

@ -894,33 +894,6 @@
the "openssl ciphers" command.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>tls_engine</option> <replaceable>engine</replaceable></term>
<listitem>
<para>A valid openssl engine id. These can be listed with
openssl engine command.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>tls_keyform</option> [ pem | engine ]</term>
<listitem>
<para>Specifies the type of key in use. This could be pem or
engine. This parameter is useful for example when a TPM
module is being used and the key has been created with
it. If not specified, pem keys are assumed</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>tls_engine_kpass_sha</option> <replaceable>engine_kpass_sha</replaceable></term>
<listitem>
<para>SHA1 of private key password when using an SSL engine.
Some SSL engines may require the usage of a password
in order to being accessed, like the TPM engine. Instead
of being prompted for the password, this option allows
a SHA1 hash of the password to be passed on to the
engine directly, without user interaction.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>crlfile</option> <replaceable>file path</replaceable></term>
<listitem>
@ -955,6 +928,36 @@
mechanisms provided by MQTT.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>tls_engine</option> <replaceable>engine</replaceable></term>
<listitem>
<para>A valid openssl engine id. These can be listed with
openssl engine command.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>tls_engine_kpass_sha1</option> <replaceable>engine_kpass_sha1</replaceable></term>
<listitem>
<para>SHA1 of the private key password when using an
TLS engine. Some TLS engines such as the TPM
engine may require the use of a password in order
to be accessed. This option allows a hex encoded
SHA1 hash of the password to the engine directly,
instead of the user being prompted for the
password.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>tls_keyform</option> [ pem | engine ]</term>
<listitem>
<para>Specifies the type of private key in use when
making TLS connections.. This can be "pem" or
"engine". This parameter is useful when a TPM
module is being used and the private key has been
created with it. Defaults to "pem", which means
normal private key files are used.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>tls_version</option> <replaceable>version</replaceable></term>
<listitem>

64
man/mosquitto_pub.1.xml
View File

@ -68,7 +68,7 @@
<arg choice='plain'><replaceable>pem</replaceable></arg>
<arg choice='plain'><replaceable>engine</replaceable></arg>
</group></arg>
<arg><option>--tls-engine-kpass-sha</option> <replaceable>kpass-sha</replaceable></arg>
<arg><option>--tls-engine-kpass-sha1</option> <replaceable>kpass-sha1</replaceable></arg>
<arg><option>--insecure</option></arg>
</arg>
<arg>
@ -187,36 +187,6 @@
for more information.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>--tls-engine</option></term>
<listitem>
<para>A valid openssl engine id. These can be listed with
openssl engine command.</para>
<para>See also <option>--keyform</option>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>--keyform</option></term>
<listitem>
<para>Specifies the type of key in use. This could be pem or
engine. This parameter is useful for example when a TPM
module is being used and the key has been created with
it. If not specified, pem keys are assumed</para>
<para>See also <option>--tls-engine</option>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>--tls-engine-kpass-sha</option></term>
<listitem>
<para>SHA1 of private key password when using an SSL engine.
Some SSL engines may require the usage of a password
in order to being accessed, like the TPM engine. Instead
of being prompted for the password, this option allows
a SHA1 hash of the password to be passed on to the
engine directly, without user interaction.</para>
<para>See also <option>--tls-engine</option>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-d</option></term>
<term><option>--debug</option></term>
@ -298,6 +268,18 @@
<para>See also <option>--cert</option>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>--keyform</option></term>
<listitem>
<para>Specifies the type of private key in use when making
TLS connections.. This can be "pem" or "engine". This
parameter is useful when a TPM module is being used and
the private key has been created with it. Defaults to
"pem", which means normal private key files are
used.</para>
<para>See also <option>--tls-engine</option>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-L</option></term>
<term><option>--url</option></term>
@ -438,6 +420,26 @@
<para>The MQTT topic on which to publish the message. See <citerefentry><refentrytitle>mqtt</refentrytitle><manvolnum>7</manvolnum></citerefentry> for more information on MQTT topics.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>--tls-engine</option></term>
<listitem>
<para>A valid openssl engine id. These can be listed with
openssl engine command.</para>
<para>See also <option>--keyform</option>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>--tls-engine-kpass-sha1</option></term>
<listitem>
<para>SHA1 of the private key password when using an TLS
engine. Some TLS engines such as the TPM engine may
require the use of a password in order to be accessed.
This option allows a hex encoded SHA1 hash of the
password to the engine directly, instead of the user
being prompted for the password.</para>
<para>See also <option>--tls-engine</option>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>--tls-version</option></term>
<listitem>

64
man/mosquitto_sub.1.xml
View File

@ -75,7 +75,7 @@
<arg choice='plain'><replaceable>pem</replaceable></arg>
<arg choice='plain'><replaceable>engine</replaceable></arg>
</group></arg>
<arg><option>--tls-engine-kpass-sha</option> <replaceable>kpass-sha</replaceable></arg>
<arg><option>--tls-engine-kpass-sha1</option> <replaceable>kpass-sha1</replaceable></arg>
<arg><option>--insecure</option></arg>
</arg>
<arg>
@ -197,36 +197,6 @@
for more information.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>--tls-engine</option></term>
<listitem>
<para>A valid openssl engine id. These can be listed with
openssl engine command.</para>
<para>See also <option>--keyform</option>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>--keyform</option></term>
<listitem>
<para>Specifies the type of key in use. This could be pem or
engine. This parameter is useful for example when a TPM
module is being used and the key has been created with
it. If not specified, pem keys are assumed</para>
<para>See also <option>--tls-engine</option>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>--tls-engine-kpass-sha</option></term>
<listitem>
<para>SHA1 of private key password when using an SSL engine.
Some SSL engines may require the usage of a password
in order to being accessed, like the TPM engine. Instead
of being prompted for the password, this option allows
a SHA1 hash of the password to be passed on to the
engine directly, without user interaction.</para>
<para>See also <option>--tls-engine</option>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-C</option></term>
<listitem>
@ -339,6 +309,18 @@
<para>See also <option>--cert</option>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>--keyform</option></term>
<listitem>
<para>Specifies the type of private key in use when making
TLS connections.. This can be "pem" or "engine". This
parameter is useful when a TPM module is being used and
the private key has been created with it. Defaults to
"pem", which means normal private key files are
used.</para>
<para>See also <option>--tls-engine</option>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-L</option></term>
<term><option>--url</option></term>
@ -503,6 +485,26 @@
topics or topic trees.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>--tls-engine</option></term>
<listitem>
<para>A valid openssl engine id. These can be listed with
openssl engine command.</para>
<para>See also <option>--keyform</option>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>--tls-engine-kpass-sha1</option></term>
<listitem>
<para>SHA1 of the private key password when using an TLS
engine. Some TLS engines such as the TPM engine may
require the use of a password in order to be accessed.
This option allows a hex encoded SHA1 hash of the
password to the engine directly, instead of the user
being prompted for the password.</para>
<para>See also <option>--tls-engine</option>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>--tls-version</option></term>
<listitem>

12
src/conf.c
View File

@ -299,7 +299,7 @@ void config__cleanup(struct mosquitto__config *config)
mosquitto__free(config->listeners[i].crlfile);
mosquitto__free(config->listeners[i].tls_version);
mosquitto__free(config->listeners[i].tls_engine);
mosquitto__free(config->listeners[i].tls_engine_kpass_sha);
mosquitto__free(config->listeners[i].tls_engine_kpass_sha1);
#ifdef WITH_WEBSOCKETS
if(!config->listeners[i].ws_context) /* libwebsockets frees its own SSL_CTX */
#endif
@ -437,7 +437,7 @@ int config__parse_args(struct mosquitto_db *db, struct mosquitto__config *config
|| config->default_listener.keyfile
|| config->default_listener.tls_engine
|| config->default_listener.tls_keyform != mosq_k_pem
|| config->default_listener.tls_engine_kpass_sha
|| config->default_listener.tls_engine_kpass_sha1
|| config->default_listener.ciphers
|| config->default_listener.psk_hint
|| config->default_listener.require_certificate
@ -490,7 +490,7 @@ int config__parse_args(struct mosquitto_db *db, struct mosquitto__config *config
config->listeners[config->listener_count-1].tls_version = config->default_listener.tls_version;
config->listeners[config->listener_count-1].tls_engine = config->default_listener.tls_engine;
config->listeners[config->listener_count-1].tls_keyform = config->default_listener.tls_keyform;
config->listeners[config->listener_count-1].tls_engine_kpass_sha = config->default_listener.tls_engine_kpass_sha;
config->listeners[config->listener_count-1].tls_engine_kpass_sha1 = config->default_listener.tls_engine_kpass_sha1;
config->listeners[config->listener_count-1].cafile = config->default_listener.cafile;
config->listeners[config->listener_count-1].capath = config->default_listener.capath;
config->listeners[config->listener_count-1].certfile = config->default_listener.certfile;
@ -1112,16 +1112,16 @@ int config__read_file_core(struct mosquitto__config *config, bool reload, struct
#else
log__printf(NULL, MOSQ_LOG_WARNING, "Warning: TLS support not available.");
#endif
}else if(!strcmp(token, "tls_engine_kpass_sha")){
}else if(!strcmp(token, "tls_engine_kpass_sha1")){
#ifdef WITH_TLS
if(reload) continue; // Listeners not valid for reloading.
char *kpass_sha = NULL, *kpass_sha_bin = NULL;
if(conf__parse_string(&token, "tls_engine_kpass_sha", &kpass_sha, saveptr)) return MOSQ_ERR_INVAL;
if(conf__parse_string(&token, "tls_engine_kpass_sha1", &kpass_sha, saveptr)) return MOSQ_ERR_INVAL;
if(mosquitto__hex2bin_sha1(kpass_sha, (unsigned char**)&kpass_sha_bin) != MOSQ_ERR_SUCCESS){
mosquitto__free(kpass_sha);
return MOSQ_ERR_INVAL;
}
cur_listener->tls_engine_kpass_sha = kpass_sha_bin;
cur_listener->tls_engine_kpass_sha1 = kpass_sha_bin;
mosquitto__free(kpass_sha);
#else
log__printf(NULL, MOSQ_LOG_WARNING, "Warning: TLS support not available.");

6
src/mosquitto_broker_internal.h
View File

@ -225,16 +225,16 @@ struct mosquitto__listener {
char *certfile;
char *keyfile;
char *tls_engine;
enum _mosquitto_keyform tls_keyform;
char *tls_engine_kpass_sha;
char *tls_engine_kpass_sha1;
char *ciphers;
char *psk_hint;
SSL_CTX *ssl_ctx;
char *crlfile;
char *tls_version;
bool use_identity_as_username;
bool use_subject_as_username;
bool require_certificate;
char *tls_version;
enum mosquitto__keyform tls_keyform;
#endif
#ifdef WITH_WEBSOCKETS
struct libwebsocket_context *ws_context;

4
src/net.c
View File

@ -502,14 +502,14 @@ int net__socket_listen(struct mosquitto__listener *listener)
}
if(listener->tls_keyform == mosq_k_engine){
UI_METHOD *ui_method = net__get_ui_method();
if(listener->tls_engine_kpass_sha){
if(listener->tls_engine_kpass_sha1){
if(!ENGINE_ctrl_cmd(engine, ENGINE_SECRET_MODE, ENGINE_SECRET_MODE_SHA, NULL, NULL, 0)){
log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to set engine secret mode sha");
COMPAT_CLOSE(sock);
ENGINE_FINISH(engine);
return 1;
}
if(!ENGINE_ctrl_cmd(engine, ENGINE_PIN, 0, listener->tls_engine_kpass_sha, NULL, 0)){
if(!ENGINE_ctrl_cmd(engine, ENGINE_PIN, 0, listener->tls_engine_kpass_sha1, NULL, 0)){
log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to set engine pin");
COMPAT_CLOSE(sock);
ENGINE_FINISH(engine);