Fix CRL file not being reloaded on HUP.

Closes #35.

ChangeLog.txt

@@ -10,6 +10,7 @@ Broker:
   the number of "Socket error on client X, disconnecting" messages.
 - Fix Will for v5 clients not being sent if will delay interval was greater
   than the session expiry interval. Closes #1401.
+- Fix CRL file not being reloaded on HUP. Closes #35.
 
 Client library:
 - Fix reconnect backoff for the situation where connections are dropped rather

src/mosquitto_broker_internal.h

@@ -582,6 +582,8 @@ void net__broker_cleanup(void);
 int net__socket_accept(struct mosquitto_db *db, mosq_sock_t listensock);
 int net__socket_listen(struct mosquitto__listener *listener);
 int net__socket_get_address(mosq_sock_t sock, char *buf, int len);
+int net__tls_load_verify(struct mosquitto__listener *listener);
+int net__tls_server_ctx(struct mosquitto__listener *listener);
 
 /* ============================================================
  * Read handling functions

src/net.c

@@ -310,13 +310,17 @@ static unsigned int psk_server_callback(SSL *ssl, const char *identity, unsigned
 #endif
 
 #ifdef WITH_TLS
-static int mosquitto__tls_server_ctx(struct mosquitto__listener *listener)
+int net__tls_server_ctx(struct mosquitto__listener *listener)
 {
 	char buf[256];
 	int rc;
 	FILE *dhparamfile;
 	DH *dhparam = NULL;
 
+	if(listener->ssl_ctx){
+		SSL_CTX_free(listener->ssl_ctx);
+	}
+
 #if OPENSSL_VERSION_NUMBER < 0x10100000L
 	listener->ssl_ctx = SSL_CTX_new(SSLv23_server_method());
 #else
@@ -406,123 +410,40 @@ static int mosquitto__tls_server_ctx(struct mosquitto__listener *listener)
 }
 #endif
 
-/* Creates a socket and listens on port 'port'.
+
- * Returns 1 on failure
+int net__load_crl_file(struct mosquitto__listener *listener)
- * Returns 0 on success.
- */
-int net__socket_listen(struct mosquitto__listener *listener)
 {
-	mosq_sock_t sock = INVALID_SOCKET;
-	struct addrinfo hints;
-	struct addrinfo *ainfo, *rp;
-	char service[10];
-	int rc;
-#ifndef WIN32
-	int ss_opt = 1;
-#else
-	char ss_opt = 1;
-#endif
 #ifdef WITH_TLS
 	X509_STORE *store;
 	X509_LOOKUP *lookup;
-	ENGINE *engine = NULL;
+	int rc;
-#endif
-#ifdef SO_BINDTODEVICE
-	struct ifreq ifr;
-#endif
-
-	if(!listener) return MOSQ_ERR_INVAL;
-
-	snprintf(service, 10, "%d", listener->port);
-	memset(&hints, 0, sizeof(struct addrinfo));
-	if(listener->socket_domain){
-		hints.ai_family = listener->socket_domain;
-	}else{
-		hints.ai_family = AF_UNSPEC;
-	}
-	hints.ai_flags = AI_PASSIVE;
-	hints.ai_socktype = SOCK_STREAM;
-
-	rc = getaddrinfo(listener->host, service, &hints, &ainfo);
-	if (rc){
-		log__printf(NULL, MOSQ_LOG_ERR, "Error creating listener: %s.", gai_strerror(rc));
-		return INVALID_SOCKET;
-	}
-
-	listener->sock_count = 0;
-	listener->socks = NULL;
-
-	for(rp = ainfo; rp; rp = rp->ai_next){
-		if(rp->ai_family == AF_INET){
-			log__printf(NULL, MOSQ_LOG_INFO, "Opening ipv4 listen socket on port %d.", ntohs(((struct sockaddr_in *)rp->ai_addr)->sin_port));
-		}else if(rp->ai_family == AF_INET6){
-			log__printf(NULL, MOSQ_LOG_INFO, "Opening ipv6 listen socket on port %d.", ntohs(((struct sockaddr_in6 *)rp->ai_addr)->sin6_port));
-		}else{
-			continue;
-		}
-
-		sock = socket(rp->ai_family, rp->ai_socktype, rp->ai_protocol);
-		if(sock == INVALID_SOCKET){
-			net__print_error(MOSQ_LOG_WARNING, "Warning: %s");
-			continue;
-		}
-		listener->sock_count++;
-		listener->socks = mosquitto__realloc(listener->socks, sizeof(mosq_sock_t)*listener->sock_count);
-		if(!listener->socks){
-			log__printf(NULL, MOSQ_LOG_ERR, "Error: Out of memory.");
-			return MOSQ_ERR_NOMEM;
-		}
-		listener->socks[listener->sock_count-1] = sock;
-
-#ifndef WIN32
-		ss_opt = 1;
-		setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &ss_opt, sizeof(ss_opt));
-#endif
-#ifdef IPV6_V6ONLY
-		ss_opt = 1;
-		setsockopt(sock, IPPROTO_IPV6, IPV6_V6ONLY, &ss_opt, sizeof(ss_opt));
-#endif
 
-		if(net__socket_nonblock(&sock)){
+	store = SSL_CTX_get_cert_store(listener->ssl_ctx);
+	if(!store){
+		log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to obtain TLS store.");
+		net__print_error(MOSQ_LOG_ERR, "Error: %s");
 		return 1;
 	}
-
+	lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
-#ifdef SO_BINDTODEVICE
+	rc = X509_load_crl_file(lookup, listener->crlfile, X509_FILETYPE_PEM);
-		if(listener->bind_interface){
+	if(rc != 1){
-			memset(&ifr, 0, sizeof(ifr));
+		log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to load certificate revocation file \"%s\". Check crlfile.", listener->crlfile);
-			strncpy(ifr.ifr_name, listener->bind_interface, sizeof(ifr.ifr_name)-1);
-			ifr.ifr_name[sizeof(ifr.ifr_name)-1] = '\0';
-			log__printf(NULL, MOSQ_LOG_INFO, "Binding listener to interface \"%s\".", ifr.ifr_name);
-			if(setsockopt(sock, SOL_SOCKET, SO_BINDTODEVICE, (void *)&ifr, sizeof(ifr)) < 0) {
 		net__print_error(MOSQ_LOG_ERR, "Error: %s");
-				COMPAT_CLOSE(sock);
 		return 1;
 	}
-		}
+	X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK);
 #endif
 
-		if(bind(sock, rp->ai_addr, rp->ai_addrlen) == -1){
+	return MOSQ_ERR_SUCCESS;
-			net__print_error(MOSQ_LOG_ERR, "Error: %s");
+}
-			COMPAT_CLOSE(sock);
-			return 1;
-		}
 
-		if(listen(sock, 100) == -1){
-			net__print_error(MOSQ_LOG_ERR, "Error: %s");
-			COMPAT_CLOSE(sock);
-			return 1;
-		}
-	}
-	freeaddrinfo(ainfo);
 
-	/* We need to have at least one working socket. */
+int net__tls_load_verify(struct mosquitto__listener *listener)
-	if(listener->sock_count > 0){
+{
 #ifdef WITH_TLS
-		if((listener->cafile || listener->capath) && listener->certfile && listener->keyfile){
+	ENGINE *engine = NULL;
-			if(mosquitto__tls_server_ctx(listener)){
+#endif
-				COMPAT_CLOSE(sock);
+	int rc;
-				return 1;
-			}
 
 	rc = SSL_CTX_load_verify_locations(listener->ssl_ctx, listener->cafile, listener->capath);
 	if(rc == 0){
@@ -534,7 +455,6 @@ int net__socket_listen(struct mosquitto__listener *listener)
 			log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to load CA certificates. Check capath \"%s\".", listener->capath);
 		}
 		net__print_error(MOSQ_LOG_ERR, "Error: %s");
-				COMPAT_CLOSE(sock);
 		return 1;
 	}
 	if(listener->tls_engine){
@@ -542,13 +462,11 @@ int net__socket_listen(struct mosquitto__listener *listener)
 		engine = ENGINE_by_id(listener->tls_engine);
 		if(!engine){
 			log__printf(NULL, MOSQ_LOG_ERR, "Error loading %s engine\n", listener->tls_engine);
-					COMPAT_CLOSE(sock);
 			return 1;
 		}
 		if(!ENGINE_init(engine)){
 			log__printf(NULL, MOSQ_LOG_ERR, "Failed engine initialisation\n");
 			ENGINE_free(engine);
-					COMPAT_CLOSE(sock);
 			return 1;
 		}
 		ENGINE_set_default(engine, ENGINE_METHOD_ALL);
@@ -565,25 +483,22 @@ int net__socket_listen(struct mosquitto__listener *listener)
 	if(rc != 1){
 		log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to load server certificate \"%s\". Check certfile.", listener->certfile);
 		net__print_error(MOSQ_LOG_ERR, "Error: %s");
-				COMPAT_CLOSE(sock);
 #if !defined(OPENSSL_NO_ENGINE)
 		ENGINE_FINISH(engine);
 #endif
 		return 1;
 	}
-			if(listener->tls_keyform == mosq_k_engine){
+	if(listener->tls_engine && listener->tls_keyform == mosq_k_engine){
 #if !defined(OPENSSL_NO_ENGINE)
 		UI_METHOD *ui_method = net__get_ui_method();
 		if(listener->tls_engine_kpass_sha1){
 			if(!ENGINE_ctrl_cmd(engine, ENGINE_SECRET_MODE, ENGINE_SECRET_MODE_SHA, NULL, NULL, 0)){
 				log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to set engine secret mode sha");
-						COMPAT_CLOSE(sock);
 				ENGINE_FINISH(engine);
 				return 1;
 			}
 			if(!ENGINE_ctrl_cmd(engine, ENGINE_PIN, 0, listener->tls_engine_kpass_sha1, NULL, 0)){
 				log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to set engine pin");
-						COMPAT_CLOSE(sock);
 				ENGINE_FINISH(engine);
 				return 1;
 			}
@@ -592,13 +507,11 @@ int net__socket_listen(struct mosquitto__listener *listener)
 		EVP_PKEY *pkey = ENGINE_load_private_key(engine, listener->keyfile, ui_method, NULL);
 		if(!pkey){
 			log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to load engine private key file \"%s\".", listener->keyfile);
-					COMPAT_CLOSE(sock);
 			ENGINE_FINISH(engine);
 			return 1;
 		}
 		if(SSL_CTX_use_PrivateKey(listener->ssl_ctx, pkey) <= 0){
 			log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to use engine private key file \"%s\".", listener->keyfile);
-					COMPAT_CLOSE(sock);
 			ENGINE_FINISH(engine);
 			return 1;
 		}
@@ -608,7 +521,6 @@ int net__socket_listen(struct mosquitto__listener *listener)
 		if(rc != 1){
 			log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to load server key file \"%s\". Check keyfile.", listener->keyfile);
 			net__print_error(MOSQ_LOG_ERR, "Error: %s");
-					COMPAT_CLOSE(sock);
 #if !defined(OPENSSL_NO_ENGINE)
 			ENGINE_FINISH(engine);
 #endif
@@ -619,7 +531,6 @@ int net__socket_listen(struct mosquitto__listener *listener)
 	if(rc != 1){
 		log__printf(NULL, MOSQ_LOG_ERR, "Error: Server certificate/key are inconsistent.");
 		net__print_error(MOSQ_LOG_ERR, "Error: %s");
-				COMPAT_CLOSE(sock);
 #if !defined(OPENSSL_NO_ENGINE)
 		ENGINE_FINISH(engine);
 #endif
@@ -627,30 +538,136 @@ int net__socket_listen(struct mosquitto__listener *listener)
 	}
 	/* Load CRLs if they exist. */
 	if(listener->crlfile){
-				store = SSL_CTX_get_cert_store(listener->ssl_ctx);
+		rc = net__load_crl_file(listener);
-				if(!store){
+		if(rc){
-					log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to obtain TLS store.");
-					net__print_error(MOSQ_LOG_ERR, "Error: %s");
-					COMPAT_CLOSE(sock);
 #if !defined(OPENSSL_NO_ENGINE)
 			ENGINE_FINISH(engine);
 #endif
+			return rc;
+		}
+	}
+
+	return MOSQ_ERR_SUCCESS;
+}
+
+
+/* Creates a socket and listens on port 'port'.
+ * Returns 1 on failure
+ * Returns 0 on success.
+ */
+int net__socket_listen(struct mosquitto__listener *listener)
+{
+	mosq_sock_t sock = INVALID_SOCKET;
+	struct addrinfo hints;
+	struct addrinfo *ainfo, *rp;
+	char service[10];
+	int rc;
+#ifndef WIN32
+	int ss_opt = 1;
+#else
+	char ss_opt = 1;
+#endif
+#ifdef SO_BINDTODEVICE
+	struct ifreq ifr;
+#endif
+
+	if(!listener) return MOSQ_ERR_INVAL;
+
+	snprintf(service, 10, "%d", listener->port);
+	memset(&hints, 0, sizeof(struct addrinfo));
+	if(listener->socket_domain){
+		hints.ai_family = listener->socket_domain;
+	}else{
+		hints.ai_family = AF_UNSPEC;
+	}
+	hints.ai_flags = AI_PASSIVE;
+	hints.ai_socktype = SOCK_STREAM;
+
+	rc = getaddrinfo(listener->host, service, &hints, &ainfo);
+	if (rc){
+		log__printf(NULL, MOSQ_LOG_ERR, "Error creating listener: %s.", gai_strerror(rc));
+		return INVALID_SOCKET;
+	}
+
+	listener->sock_count = 0;
+	listener->socks = NULL;
+
+	for(rp = ainfo; rp; rp = rp->ai_next){
+		if(rp->ai_family == AF_INET){
+			log__printf(NULL, MOSQ_LOG_INFO, "Opening ipv4 listen socket on port %d.", ntohs(((struct sockaddr_in *)rp->ai_addr)->sin_port));
+		}else if(rp->ai_family == AF_INET6){
+			log__printf(NULL, MOSQ_LOG_INFO, "Opening ipv6 listen socket on port %d.", ntohs(((struct sockaddr_in6 *)rp->ai_addr)->sin6_port));
+		}else{
+			continue;
+		}
+
+		sock = socket(rp->ai_family, rp->ai_socktype, rp->ai_protocol);
+		if(sock == INVALID_SOCKET){
+			net__print_error(MOSQ_LOG_WARNING, "Warning: %s");
+			continue;
+		}
+		listener->sock_count++;
+		listener->socks = mosquitto__realloc(listener->socks, sizeof(mosq_sock_t)*listener->sock_count);
+		if(!listener->socks){
+			log__printf(NULL, MOSQ_LOG_ERR, "Error: Out of memory.");
+			return MOSQ_ERR_NOMEM;
+		}
+		listener->socks[listener->sock_count-1] = sock;
+
+#ifndef WIN32
+		ss_opt = 1;
+		setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &ss_opt, sizeof(ss_opt));
+#endif
+#ifdef IPV6_V6ONLY
+		ss_opt = 1;
+		setsockopt(sock, IPPROTO_IPV6, IPV6_V6ONLY, &ss_opt, sizeof(ss_opt));
+#endif
+
+		if(net__socket_nonblock(&sock)){
 			return 1;
 		}
-				lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
+
-				rc = X509_load_crl_file(lookup, listener->crlfile, X509_FILETYPE_PEM);
+#ifdef SO_BINDTODEVICE
-				if(rc != 1){
+		if(listener->bind_interface){
-					log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to load certificate revocation file \"%s\". Check crlfile.", listener->crlfile);
+			memset(&ifr, 0, sizeof(ifr));
+			strncpy(ifr.ifr_name, listener->bind_interface, sizeof(ifr.ifr_name)-1);
+			ifr.ifr_name[sizeof(ifr.ifr_name)-1] = '\0';
+			log__printf(NULL, MOSQ_LOG_INFO, "Binding listener to interface \"%s\".", ifr.ifr_name);
+			if(setsockopt(sock, SOL_SOCKET, SO_BINDTODEVICE, (void *)&ifr, sizeof(ifr)) < 0) {
 				net__print_error(MOSQ_LOG_ERR, "Error: %s");
 				COMPAT_CLOSE(sock);
-#if !defined(OPENSSL_NO_ENGINE)
+				return 1;
-					ENGINE_FINISH(engine);
+			}
+		}
 #endif
+
+		if(bind(sock, rp->ai_addr, rp->ai_addrlen) == -1){
+			net__print_error(MOSQ_LOG_ERR, "Error: %s");
+			COMPAT_CLOSE(sock);
 			return 1;
 		}
-				X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK);
+
+		if(listen(sock, 100) == -1){
+			net__print_error(MOSQ_LOG_ERR, "Error: %s");
+			COMPAT_CLOSE(sock);
+			return 1;
+		}
+	}
+	freeaddrinfo(ainfo);
+
+	/* We need to have at least one working socket. */
+	if(listener->sock_count > 0){
+#ifdef WITH_TLS
+		if((listener->cafile || listener->capath) && listener->certfile && listener->keyfile){
+			if(net__tls_server_ctx(listener)){
+				COMPAT_CLOSE(sock);
+				return 1;
 			}
 
+			if(net__tls_load_verify(listener)){
+				COMPAT_CLOSE(sock);
+				return 1;
+			}
 #  ifdef FINAL_WITH_TLS_PSK
 		}else if(listener->psk_hint){
 			if(tls_ex_index_context == -1){
@@ -660,11 +677,8 @@ int net__socket_listen(struct mosquitto__listener *listener)
 				tls_ex_index_listener = SSL_get_ex_new_index(0, "listener", NULL, NULL, NULL);
 			}
 
-			if(mosquitto__tls_server_ctx(listener)){
+			if(net__tls_server_ctx(listener)){
 				COMPAT_CLOSE(sock);
-#if !defined(OPENSSL_NO_ENGINE)
-				ENGINE_FINISH(engine);
-#endif
 				return 1;
 			}
 			SSL_CTX_set_psk_server_callback(listener->ssl_ctx, psk_server_callback);
@@ -674,9 +688,6 @@ int net__socket_listen(struct mosquitto__listener *listener)
 					log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to set TLS PSK hint.");
 					net__print_error(MOSQ_LOG_ERR, "Error: %s");
 					COMPAT_CLOSE(sock);
-#if !defined(OPENSSL_NO_ENGINE)
-					ENGINE_FINISH(engine);
-#endif
 					return 1;
 				}
 			}

src/security_default.c

@@ -971,10 +971,25 @@ int mosquitto_security_apply_default(struct mosquitto_db *db)
 	X509_NAME *name;
 	X509_NAME_ENTRY *name_entry;
 	ASN1_STRING *name_asn1 = NULL;
+	struct mosquitto__listener *listener;
 #endif
 
 	if(!db) return MOSQ_ERR_INVAL;
 
+#ifdef WITH_TLS
+	for(i=0; i<db->config->listener_count; i++){
+		listener = &db->config->listeners[i];
+		if(listener && listener->ssl_ctx && (listener->cafile || listener->capath) && listener->crlfile && listener->require_certificate){
+			if(net__tls_server_ctx(listener)){
+				return 1;
+			}
+
+			if(net__tls_load_verify(listener)){
+				return 1;
+			}
+		}
+	}
+#endif
 
 	HASH_ITER(hh_id, db->contexts_by_id, context, ctxt_tmp){
 		/* Check for anonymous clients when allow_anonymous is false */