github
/
mosquitto
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix CRL file not being reloaded on HUP.

Browse Source 
Closes #35.
pull/1431/head
Roger A. Light 6 years ago
parent 9bbf5bb65f
commit 4dc98c4cef
4 changed files with 168 additions and 139 deletions
Show Stats Download Patch File Download Diff File

1
ChangeLog.txt
Unescape Escape View File

@ -10,6 +10,7 @@ Broker:
the number of "Socket error on client X, disconnecting" messages.
- Fix Will for v5 clients not being sent if will delay interval was greater
than the session expiry interval. Closes #1401.
- Fix CRL file not being reloaded on HUP. Closes #35.
Client library:
- Fix reconnect backoff for the situation where connections are dropped rather

2
src/mosquitto_broker_internal.h
Unescape Escape View File

@ -582,6 +582,8 @@ void net__broker_cleanup(void);
int net__socket_accept(struct mosquitto_db *db, mosq_sock_t listensock);
int net__socket_listen(struct mosquitto__listener *listener);
int net__socket_get_address(mosq_sock_t sock, char *buf, int len);
int net__tls_load_verify(struct mosquitto__listener *listener);
int net__tls_server_ctx(struct mosquitto__listener *listener);
/* ============================================================
* Read handling functions

277
src/net.c
Unescape Escape View File

@ -310,13 +310,17 @@ static unsigned int psk_server_callback(SSL *ssl, const char *identity, unsigned
#endif
#ifdef WITH_TLS
static int mosquitto__tls_server_ctx(struct mosquitto__listener *listener)
int net__tls_server_ctx(struct mosquitto__listener *listener)
{
char buf[256];
int rc;
FILE *dhparamfile;
DH *dhparam = NULL;
if(listener->ssl_ctx){
SSL_CTX_free(listener->ssl_ctx);
}
#if OPENSSL_VERSION_NUMBER < 0x10100000L
listener->ssl_ctx = SSL_CTX_new(SSLv23_server_method());
#else
@ -406,123 +410,40 @@ static int mosquitto__tls_server_ctx(struct mosquitto__listener *listener)
}
#endif
/* Creates a socket and listens on port 'port'.
* Returns 1 on failure
* Returns 0 on success.
*/
int net__socket_listen(struct mosquitto__listener *listener)
int net__load_crl_file(struct mosquitto__listener *listener)
{
mosq_sock_t sock = INVALID_SOCKET;
struct addrinfo hints;
struct addrinfo *ainfo, *rp;
char service[10];
int rc;
#ifndef WIN32
int ss_opt = 1;
#else
char ss_opt = 1;
#endif
#ifdef WITH_TLS
X509_STORE *store;
X509_LOOKUP *lookup;
ENGINE *engine = NULL;
#endif
#ifdef SO_BINDTODEVICE
struct ifreq ifr;
#endif
if(!listener) return MOSQ_ERR_INVAL;
snprintf(service, 10, "%d", listener->port);
memset(&hints, 0, sizeof(struct addrinfo));
if(listener->socket_domain){
hints.ai_family = listener->socket_domain;
}else{
hints.ai_family = AF_UNSPEC;
}
hints.ai_flags = AI_PASSIVE;
hints.ai_socktype = SOCK_STREAM;
rc = getaddrinfo(listener->host, service, &hints, &ainfo);
if (rc){
log__printf(NULL, MOSQ_LOG_ERR, "Error creating listener: %s.", gai_strerror(rc));
return INVALID_SOCKET;
}
listener->sock_count = 0;
listener->socks = NULL;
for(rp = ainfo; rp; rp = rp->ai_next){
if(rp->ai_family == AF_INET){
log__printf(NULL, MOSQ_LOG_INFO, "Opening ipv4 listen socket on port %d.", ntohs(((struct sockaddr_in *)rp->ai_addr)->sin_port));
}else if(rp->ai_family == AF_INET6){
log__printf(NULL, MOSQ_LOG_INFO, "Opening ipv6 listen socket on port %d.", ntohs(((struct sockaddr_in6 *)rp->ai_addr)->sin6_port));
}else{
continue;
}
sock = socket(rp->ai_family, rp->ai_socktype, rp->ai_protocol);
if(sock == INVALID_SOCKET){
net__print_error(MOSQ_LOG_WARNING, "Warning: %s");
continue;
}
listener->sock_count++;
listener->socks = mosquitto__realloc(listener->socks, sizeof(mosq_sock_t)*listener->sock_count);
if(!listener->socks){
log__printf(NULL, MOSQ_LOG_ERR, "Error: Out of memory.");
return MOSQ_ERR_NOMEM;
}
listener->socks[listener->sock_count-1] = sock;
#ifndef WIN32
ss_opt = 1;
setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &ss_opt, sizeof(ss_opt));
#endif
#ifdef IPV6_V6ONLY
ss_opt = 1;
setsockopt(sock, IPPROTO_IPV6, IPV6_V6ONLY, &ss_opt, sizeof(ss_opt));
#endif
int rc;
if(net__socket_nonblock(&sock)){
store = SSL_CTX_get_cert_store(listener->ssl_ctx);
if(!store){
log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to obtain TLS store.");
net__print_error(MOSQ_LOG_ERR, "Error: %s");
return 1;
}
#ifdef SO_BINDTODEVICE
if(listener->bind_interface){
memset(&ifr, 0, sizeof(ifr));
strncpy(ifr.ifr_name, listener->bind_interface, sizeof(ifr.ifr_name)-1);
ifr.ifr_name[sizeof(ifr.ifr_name)-1] = '\0';
log__printf(NULL, MOSQ_LOG_INFO, "Binding listener to interface \"%s\".", ifr.ifr_name);
if(setsockopt(sock, SOL_SOCKET, SO_BINDTODEVICE, (void *)&ifr, sizeof(ifr)) < 0) {
lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
rc = X509_load_crl_file(lookup, listener->crlfile, X509_FILETYPE_PEM);
if(rc != 1){
log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to load certificate revocation file \"%s\". Check crlfile.", listener->crlfile);
net__print_error(MOSQ_LOG_ERR, "Error: %s");
COMPAT_CLOSE(sock);
return 1;
}
}
X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK);
#endif
if(bind(sock, rp->ai_addr, rp->ai_addrlen) == -1){
net__print_error(MOSQ_LOG_ERR, "Error: %s");
COMPAT_CLOSE(sock);
return 1;
}
return MOSQ_ERR_SUCCESS;
}
if(listen(sock, 100) == -1){
net__print_error(MOSQ_LOG_ERR, "Error: %s");
COMPAT_CLOSE(sock);
return 1;
}
}
freeaddrinfo(ainfo);
/* We need to have at least one working socket. */
if(listener->sock_count > 0){
int net__tls_load_verify(struct mosquitto__listener *listener)
{
#ifdef WITH_TLS
if((listener->cafile || listener->capath) && listener->certfile && listener->keyfile){
if(mosquitto__tls_server_ctx(listener)){
COMPAT_CLOSE(sock);
return 1;
}
ENGINE *engine = NULL;
#endif
int rc;
rc = SSL_CTX_load_verify_locations(listener->ssl_ctx, listener->cafile, listener->capath);
if(rc == 0){
@ -534,7 +455,6 @@ int net__socket_listen(struct mosquitto__listener *listener)
log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to load CA certificates. Check capath \"%s\".", listener->capath);
}
net__print_error(MOSQ_LOG_ERR, "Error: %s");
COMPAT_CLOSE(sock);
return 1;
}
if(listener->tls_engine){
@ -542,13 +462,11 @@ int net__socket_listen(struct mosquitto__listener *listener)
engine = ENGINE_by_id(listener->tls_engine);
if(!engine){
log__printf(NULL, MOSQ_LOG_ERR, "Error loading %s engine\n", listener->tls_engine);
COMPAT_CLOSE(sock);
return 1;
}
if(!ENGINE_init(engine)){
log__printf(NULL, MOSQ_LOG_ERR, "Failed engine initialisation\n");
ENGINE_free(engine);
COMPAT_CLOSE(sock);
return 1;
}
ENGINE_set_default(engine, ENGINE_METHOD_ALL);
@ -565,25 +483,22 @@ int net__socket_listen(struct mosquitto__listener *listener)
if(rc != 1){
log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to load server certificate \"%s\". Check certfile.", listener->certfile);
net__print_error(MOSQ_LOG_ERR, "Error: %s");
COMPAT_CLOSE(sock);
#if !defined(OPENSSL_NO_ENGINE)
ENGINE_FINISH(engine);
#endif
return 1;
}
if(listener->tls_keyform == mosq_k_engine){
if(listener->tls_engine && listener->tls_keyform == mosq_k_engine){
#if !defined(OPENSSL_NO_ENGINE)
UI_METHOD *ui_method = net__get_ui_method();
if(listener->tls_engine_kpass_sha1){
if(!ENGINE_ctrl_cmd(engine, ENGINE_SECRET_MODE, ENGINE_SECRET_MODE_SHA, NULL, NULL, 0)){
log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to set engine secret mode sha");
COMPAT_CLOSE(sock);
ENGINE_FINISH(engine);
return 1;
}
if(!ENGINE_ctrl_cmd(engine, ENGINE_PIN, 0, listener->tls_engine_kpass_sha1, NULL, 0)){
log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to set engine pin");
COMPAT_CLOSE(sock);
ENGINE_FINISH(engine);
return 1;
}
@ -592,13 +507,11 @@ int net__socket_listen(struct mosquitto__listener *listener)
EVP_PKEY *pkey = ENGINE_load_private_key(engine, listener->keyfile, ui_method, NULL);
if(!pkey){
log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to load engine private key file \"%s\".", listener->keyfile);
COMPAT_CLOSE(sock);
ENGINE_FINISH(engine);
return 1;
}
if(SSL_CTX_use_PrivateKey(listener->ssl_ctx, pkey) <= 0){
log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to use engine private key file \"%s\".", listener->keyfile);
COMPAT_CLOSE(sock);
ENGINE_FINISH(engine);
return 1;
}
@ -608,7 +521,6 @@ int net__socket_listen(struct mosquitto__listener *listener)
if(rc != 1){
log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to load server key file \"%s\". Check keyfile.", listener->keyfile);
net__print_error(MOSQ_LOG_ERR, "Error: %s");
COMPAT_CLOSE(sock);
#if !defined(OPENSSL_NO_ENGINE)
ENGINE_FINISH(engine);
#endif
@ -619,7 +531,6 @@ int net__socket_listen(struct mosquitto__listener *listener)
if(rc != 1){
log__printf(NULL, MOSQ_LOG_ERR, "Error: Server certificate/key are inconsistent.");
net__print_error(MOSQ_LOG_ERR, "Error: %s");
COMPAT_CLOSE(sock);
#if !defined(OPENSSL_NO_ENGINE)
ENGINE_FINISH(engine);
#endif
@ -627,30 +538,136 @@ int net__socket_listen(struct mosquitto__listener *listener)
}
/* Load CRLs if they exist. */
if(listener->crlfile){
store = SSL_CTX_get_cert_store(listener->ssl_ctx);
if(!store){
log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to obtain TLS store.");
net__print_error(MOSQ_LOG_ERR, "Error: %s");
COMPAT_CLOSE(sock);
rc = net__load_crl_file(listener);
if(rc){
#if !defined(OPENSSL_NO_ENGINE)
ENGINE_FINISH(engine);
#endif
return rc;
}
}
return MOSQ_ERR_SUCCESS;
}
/* Creates a socket and listens on port 'port'.
* Returns 1 on failure
* Returns 0 on success.
*/
int net__socket_listen(struct mosquitto__listener *listener)
{
mosq_sock_t sock = INVALID_SOCKET;
struct addrinfo hints;
struct addrinfo *ainfo, *rp;
char service[10];
int rc;
#ifndef WIN32
int ss_opt = 1;
#else
char ss_opt = 1;
#endif
#ifdef SO_BINDTODEVICE
struct ifreq ifr;
#endif
if(!listener) return MOSQ_ERR_INVAL;
snprintf(service, 10, "%d", listener->port);
memset(&hints, 0, sizeof(struct addrinfo));
if(listener->socket_domain){
hints.ai_family = listener->socket_domain;
}else{
hints.ai_family = AF_UNSPEC;
}
hints.ai_flags = AI_PASSIVE;
hints.ai_socktype = SOCK_STREAM;
rc = getaddrinfo(listener->host, service, &hints, &ainfo);
if (rc){
log__printf(NULL, MOSQ_LOG_ERR, "Error creating listener: %s.", gai_strerror(rc));
return INVALID_SOCKET;
}
listener->sock_count = 0;
listener->socks = NULL;
for(rp = ainfo; rp; rp = rp->ai_next){
if(rp->ai_family == AF_INET){
log__printf(NULL, MOSQ_LOG_INFO, "Opening ipv4 listen socket on port %d.", ntohs(((struct sockaddr_in *)rp->ai_addr)->sin_port));
}else if(rp->ai_family == AF_INET6){
log__printf(NULL, MOSQ_LOG_INFO, "Opening ipv6 listen socket on port %d.", ntohs(((struct sockaddr_in6 *)rp->ai_addr)->sin6_port));
}else{
continue;
}
sock = socket(rp->ai_family, rp->ai_socktype, rp->ai_protocol);
if(sock == INVALID_SOCKET){
net__print_error(MOSQ_LOG_WARNING, "Warning: %s");
continue;
}
listener->sock_count++;
listener->socks = mosquitto__realloc(listener->socks, sizeof(mosq_sock_t)*listener->sock_count);
if(!listener->socks){
log__printf(NULL, MOSQ_LOG_ERR, "Error: Out of memory.");
return MOSQ_ERR_NOMEM;
}
listener->socks[listener->sock_count-1] = sock;
#ifndef WIN32
ss_opt = 1;
setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &ss_opt, sizeof(ss_opt));
#endif
#ifdef IPV6_V6ONLY
ss_opt = 1;
setsockopt(sock, IPPROTO_IPV6, IPV6_V6ONLY, &ss_opt, sizeof(ss_opt));
#endif
if(net__socket_nonblock(&sock)){
return 1;
}
lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
rc = X509_load_crl_file(lookup, listener->crlfile, X509_FILETYPE_PEM);
if(rc != 1){
log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to load certificate revocation file \"%s\". Check crlfile.", listener->crlfile);
#ifdef SO_BINDTODEVICE
if(listener->bind_interface){
memset(&ifr, 0, sizeof(ifr));
strncpy(ifr.ifr_name, listener->bind_interface, sizeof(ifr.ifr_name)-1);
ifr.ifr_name[sizeof(ifr.ifr_name)-1] = '\0';
log__printf(NULL, MOSQ_LOG_INFO, "Binding listener to interface \"%s\".", ifr.ifr_name);
if(setsockopt(sock, SOL_SOCKET, SO_BINDTODEVICE, (void *)&ifr, sizeof(ifr)) < 0) {
net__print_error(MOSQ_LOG_ERR, "Error: %s");
COMPAT_CLOSE(sock);
#if !defined(OPENSSL_NO_ENGINE)
ENGINE_FINISH(engine);
return 1;
}
}
#endif
if(bind(sock, rp->ai_addr, rp->ai_addrlen) == -1){
net__print_error(MOSQ_LOG_ERR, "Error: %s");
COMPAT_CLOSE(sock);
return 1;
}
X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK);
if(listen(sock, 100) == -1){
net__print_error(MOSQ_LOG_ERR, "Error: %s");
COMPAT_CLOSE(sock);
return 1;
}
}
freeaddrinfo(ainfo);
/* We need to have at least one working socket. */
if(listener->sock_count > 0){
#ifdef WITH_TLS
if((listener->cafile || listener->capath) && listener->certfile && listener->keyfile){
if(net__tls_server_ctx(listener)){
COMPAT_CLOSE(sock);
return 1;
}
if(net__tls_load_verify(listener)){
COMPAT_CLOSE(sock);
return 1;
}
# ifdef FINAL_WITH_TLS_PSK
}else if(listener->psk_hint){
if(tls_ex_index_context == -1){
@ -660,11 +677,8 @@ int net__socket_listen(struct mosquitto__listener *listener)
tls_ex_index_listener = SSL_get_ex_new_index(0, "listener", NULL, NULL, NULL);
}
if(mosquitto__tls_server_ctx(listener)){
if(net__tls_server_ctx(listener)){
COMPAT_CLOSE(sock);
#if !defined(OPENSSL_NO_ENGINE)
ENGINE_FINISH(engine);
#endif
return 1;
}
SSL_CTX_set_psk_server_callback(listener->ssl_ctx, psk_server_callback);
@ -674,9 +688,6 @@ int net__socket_listen(struct mosquitto__listener *listener)
log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to set TLS PSK hint.");
net__print_error(MOSQ_LOG_ERR, "Error: %s");
COMPAT_CLOSE(sock);
#if !defined(OPENSSL_NO_ENGINE)
ENGINE_FINISH(engine);
#endif
return 1;
}
}

15
src/security_default.c
Unescape Escape View File

@ -971,10 +971,25 @@ int mosquitto_security_apply_default(struct mosquitto_db *db)
X509_NAME *name;
X509_NAME_ENTRY *name_entry;
ASN1_STRING *name_asn1 = NULL;
struct mosquitto__listener *listener;
#endif
if(!db) return MOSQ_ERR_INVAL;
#ifdef WITH_TLS
for(i=0; i<db->config->listener_count; i++){
listener = &db->config->listeners[i];
if(listener && listener->ssl_ctx && (listener->cafile || listener->capath) && listener->crlfile && listener->require_certificate){
if(net__tls_server_ctx(listener)){
return 1;
}
if(net__tls_load_verify(listener)){
return 1;
}
}
}
#endif
HASH_ITER(hh_id, db->contexts_by_id, context, ctxt_tmp){
/* Check for anonymous clients when allow_anonymous is false */

Write Preview
Loading…
Cancel
Save