Some OpenSSL engines (selectable via tls_engine option) may require a
password to make use of private keys created with them in the first place.
The TPM engine for example, will require a password to access the underlying
TPM's Storage Root Key (SRK), which is the root key of a hierarchy of keys
associated with a TPM; it is generated within a TPM and is a non-migratable
key. Each owned TPM contains a SRK, generated by the TPM at the request
of the Owner. [1]
By default, the engine will prompt the user to introduce the SRK password
before any private keys created with the engine can be used. This could
be inconvenient when running on an unattended system.
Here's where the new tls_engine_kpass_sha option comes in handy. The user
can specify a SHA1 hash of its engine private key password via command
line or config file and it will be passed on to the engine directly.
This commit adds support for both clients (libmosquitto) and broker.
[1] https://goo.gl/qQoXBY
Signed-off-by: Nicolás Pernas Maradei <nicopernas@gmail.com>
Add same OpenSSL engine support to mosquitto (server side) previously added to
client side only.
Signed-off-by: Nicolás Pernas Maradei <nicopernas@gmail.com>
- Clients can now offload crypto tasks to an external crypto device through
the OpenSSL ENGINE API.
- The keyfiles can now be treated as PEM or ENGINE keys.
- Two new functions were added to libmosquitto to set up the previously
mentioned features.
- Both mosquitto_sub and mosquitto_pub include support to turn on the mentioned
features through command line options.
Signed-off-by: Nicolás Pernas Maradei <nicopernas@gmail.com>
When using a TLS enabled websockets listener with "require_certificate"
enabled, the mosquitto broker does not correctly verify client certificates.
This is now fixed. All other security measures operate as expected, and in
particular non-websockets listeners are not affected by this. Closes#996.
Thanks to creising.
Define of _GNU_SOURCE is needed to be able to use EAI_INPROGRESS in
loop.c.
This patch fixes a build error
loop.c:334:17: error: ‘EAI_INPROGRESS’ undeclared (first use in this function)
if(rc == EAI_INPROGRESS){
occuring with a glibc-2.27-based buildroot toolchain for sparc64
Target: sparc64-buildroot-linux-gnu
[...]
gcc version 6.4.0 (Buildroot 2018.05)
Source:
http://autobuild.buildroot.org/toolchains/tarballs/br-sparc64-full-2018.05.tar.bz2
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Since dde005ef92 mosquito_pub is throwing error
that 'threading support has not been compiled' when compiled using cmake.
It looks like WITH_THREADING flag is not set at top level Makefile and used
only in lib/ directory, so library is correctly compiled with threading.
But for client this flag is undefined, so it gives error on '-l' option.
This commit moves part related to WITH_THREADING flag out of lib/CMakeLists.txt
to top levele CMakeLists.txt, so it could be accessible to all subdirectories.
Signed-off-by: Marek Wodzinski <majek@w7i.pl>
This causes the client to exit immediately after its subscriptions are
acknowledged by the broker, and can be used to create a durable client
session without requiring messages to be delivered.
Closes#952.
