Merge branch 'master' into fixes

CMakeLists.txt

@@ -11,7 +11,7 @@ project(mosquitto)
 cmake_minimum_required(VERSION 2.8)
 # Only for version 3 and up. cmake_policy(SET CMP0042 NEW)
 
-set (VERSION 1.5.4)
+set (VERSION 1.5.5)
 
 add_definitions (-DCMAKE -DVERSION=\"${VERSION}\")
 

ChangeLog.txt

@@ -1,6 +1,12 @@
-1.5.5 - 201812xx
+1.5.5 - 20181211
 ================
 
+Security:
+- If `per_listener_settings` is set to true, then the `acl_file` setting was
+  ignored for the "default listener" only. This has been fixed. This does not
+  affect any listeners defined with the `listener` option. Closes #1073.
+  This is now tracked as CVE-2018-20145.
+
 Broker:
 - Add `socket_domain` option to allow listeners to disable IPv6 support.
   This is required to work around a problem in libwebsockets that means
@@ -14,6 +20,8 @@ Broker:
 - Don't reload auth_opt_ options on reload, to match the behaviour of the
   other plugin options. Closes #1068.
 - Print message on error when installing/uninstalling as a Windows service.
+- All non-error connect/disconnect messages are controlled by the
+  `connection_messages` option. Closes #772. Closes #613. Closes #537.
 
 Library:
 - Fix reconnect delay backoff behaviour. Closes #1027.
@@ -23,6 +31,9 @@ Client:
 - Always print leading zeros in mosquitto_sub when output format is hex.
   Closes #1066.
 
+Build:
+- Fix building where TLS-PSK is not available. Closes #68.
+
 
 1.5.4 - 20181108
 ================

client/client_shared.c

@@ -151,7 +151,7 @@ void client_config_cleanup(struct mosq_config *cfg)
 	free(cfg->keyfile);
 	free(cfg->ciphers);
 	free(cfg->tls_version);
-#  ifdef WITH_TLS_PSK
+#  ifdef FINAL_WITH_TLS_PSK
 	free(cfg->psk);
 	free(cfg->psk_identity);
 #  endif
@@ -309,7 +309,7 @@ int client_config_load(struct mosq_config *cfg, int pub_or_sub, int argc, char *
 		return 1;
 	}
 #endif
-#ifdef WITH_TLS_PSK
+#ifdef FINAL_WITH_TLS_PSK
 	if((cfg->cafile || cfg->capath) && cfg->psk){
 		if(!cfg->quiet) fprintf(stderr, "Error: Only one of --psk or --cafile/--capath may be used at once.\n");
 		return 1;
@@ -673,7 +673,7 @@ int client_config_line_proc(struct mosq_config *cfg, int pub_or_sub, int argc, c
 				i++;
 			}
 #endif
-#ifdef WITH_TLS_PSK
+#ifdef FINAL_WITH_TLS_PSK
 		}else if(!strcmp(argv[i], "--psk")){
 			if(i==argc-1){
 				fprintf(stderr, "Error: --psk argument given but no key specified.\n\n");
@@ -912,7 +912,7 @@ int client_opts_set(struct mosquitto *mosq, struct mosq_config *cfg)
 		mosquitto_lib_cleanup();
 		return 1;
 	}
-#  ifdef WITH_TLS_PSK
+#  ifdef FINAL_WITH_TLS_PSK
 	if(cfg->psk && mosquitto_tls_psk_set(mosq, cfg->psk, cfg->psk_identity, NULL)){
 		if(!cfg->quiet) fprintf(stderr, "Error: Problem setting TLS-PSK options.\n");
 		mosquitto_lib_cleanup();
@@ -985,7 +985,7 @@ int client_connect(struct mosquitto *mosq, struct mosq_config *cfg)
 	if(cfg->port < 0){
 #ifdef WITH_TLS
 		if(cfg->cafile || cfg->capath
-#  ifdef WITH_TLS_PSK
+#  ifdef FINAL_WITH_TLS_PSK
 				|| cfg->psk
 #  endif
 				){

client/client_shared.h

@@ -66,7 +66,7 @@ struct mosq_config {
 	char *ciphers;
 	bool insecure;
 	char *tls_version;
-#  ifdef WITH_TLS_PSK
+#  ifdef FINAL_WITH_TLS_PSK
 	char *psk;
 	char *psk_identity;
 #  endif

client/pub_client.c

@@ -223,7 +223,7 @@ void print_usage(void)
 #ifdef WITH_TLS
 	printf("                     [{--cafile file | --capath dir} [--cert file] [--key file]\n");
 	printf("                      [--ciphers ciphers] [--insecure]]\n");
-#ifdef WITH_TLS_PSK
+#ifdef FINAL_WITH_TLS_PSK
 	printf("                     [--psk hex-key --psk-identity identity [--ciphers ciphers]]\n");
 #endif
 #endif
@@ -280,7 +280,7 @@ void print_usage(void)
 	printf("              hostname. Using this option means that you cannot be sure that the\n");
 	printf("              remote host is the server you wish to connect to and so is insecure.\n");
 	printf("              Do not use this option in a production environment.\n");
-#  ifdef WITH_TLS_PSK
+#  ifdef FINAL_WITH_TLS_PSK
 	printf(" --psk : pre-shared-key in hexadecimal (no leading 0x) to enable TLS-PSK mode.\n");
 	printf(" --psk-identity : client identity string for TLS-PSK mode.\n");
 #  endif

client/sub_client.c

@@ -155,7 +155,7 @@ void print_usage(void)
 #ifdef WITH_TLS
 	printf("                     [{--cafile file | --capath dir} [--cert file] [--key file]\n");
 	printf("                      [--ciphers ciphers] [--insecure]]\n");
-#ifdef WITH_TLS_PSK
+#ifdef FINAL_WITH_TLS_PSK
 	printf("                     [--psk hex-key --psk-identity identity [--ciphers ciphers]]\n");
 #endif
 #endif
@@ -218,7 +218,7 @@ void print_usage(void)
 	printf("              hostname. Using this option means that you cannot be sure that the\n");
 	printf("              remote host is the server you wish to connect to and so is insecure.\n");
 	printf("              Do not use this option in a production environment.\n");
-#ifdef WITH_TLS_PSK
+#ifdef FINAL_WITH_TLS_PSK
 	printf(" --psk : pre-shared-key in hexadecimal (no leading 0x) to enable TLS-PSK mode.\n");
 	printf(" --psk-identity : client identity string for TLS-PSK mode.\n");
 #endif

config.h

@@ -37,4 +37,12 @@
 #define uthash_malloc(sz) mosquitto__malloc(sz)
 #define uthash_free(ptr,sz) mosquitto__free(ptr)
 
+
+#ifdef WITH_TLS
+#  include <openssl/opensslconf.h>
+#  if defined(WITH_TLS_PSK) && !defined(OPENSSL_NO_PSK)
+#    define FINAL_WITH_TLS_PSK
+#  endif
+#endif
+
 #endif

config.mk

@@ -105,7 +105,7 @@ WITH_BUNDLED_DEPS:=yes
 
 # Also bump lib/mosquitto.h, CMakeLists.txt,
 # installer/mosquitto.nsi, installer/mosquitto64.nsi
-VERSION=1.5.4
+VERSION=1.5.5
 
 # Client library SO version. Bump if incompatible API/ABI changes are made.
 SOVERSION=1

docker/1.5/Dockerfile

@@ -3,8 +3,8 @@ FROM alpine:3.8
 LABEL maintainer="Roger Light <roger@atchoo.org>" \
     description="Eclipse Mosquitto MQTT Broker"
 
-ENV VERSION=1.5.4 \
-    DOWNLOAD_SHA256=5fd7f3454fd6d286645d032bc07f44a1c8583cec02ef2422c9eb32e0a89a9b2f \
+ENV VERSION=1.5.5 \
+    DOWNLOAD_SHA256=fcdb47e340864c545146681af7253399cc292e41775afd76400fda5b0d23d668 \
     GPG_KEYS=A0D6EEA1DCAE49A635A3B2F0779B22DFB3E717B7 \
     LWS_VERSION=2.4.2
 

installer/mosquitto.nsi

@@ -9,7 +9,7 @@
 !define env_hklm 'HKLM "SYSTEM\CurrentControlSet\Control\Session Manager\Environment"'
 
 Name "Eclipse Mosquitto"
-!define VERSION 1.5.4
+!define VERSION 1.5.5
 OutFile "mosquitto-${VERSION}-install-windows-x86.exe"
 
 InstallDir "$PROGRAMFILES\mosquitto"

installer/mosquitto64.nsi

@@ -9,7 +9,7 @@
 !define env_hklm 'HKLM "SYSTEM\CurrentControlSet\Control\Session Manager\Environment"'
 
 Name "Eclipse Mosquitto"
-!define VERSION 1.5.4
+!define VERSION 1.5.5
 OutFile "mosquitto-${VERSION}-install-windows-x64.exe"
 
 !include "x64.nsh"

lib/loop.c

@@ -286,9 +286,6 @@ int mosquitto_loop_forever(struct mosquitto *mosq, int timeout, int max_packets)
 
 int mosquitto_loop_misc(struct mosquitto *mosq)
 {
-	time_t now;
-	int rc;
-
 	if(!mosq) return MOSQ_ERR_INVAL;
 	if(mosq->sock == INVALID_SOCKET) return MOSQ_ERR_NO_CONN;
 

lib/mosquitto.h

@@ -47,7 +47,7 @@ extern "C" {
 
 #define LIBMOSQUITTO_MAJOR 1
 #define LIBMOSQUITTO_MINOR 5
-#define LIBMOSQUITTO_REVISION 4
+#define LIBMOSQUITTO_REVISION 5
 /* LIBMOSQUITTO_VERSION_NUMBER looks like 1002001 for e.g. version 1.2.1. */
 #define LIBMOSQUITTO_VERSION_NUMBER (LIBMOSQUITTO_MAJOR*1000000+LIBMOSQUITTO_MINOR*1000+LIBMOSQUITTO_REVISION)
 

lib/net_mosq.c

@@ -183,7 +183,7 @@ int net__socket_close(struct mosquitto *mosq)
 }
 
 
-#ifdef WITH_TLS_PSK
+#ifdef FINAL_WITH_TLS_PSK
 static unsigned int psk_client_callback(SSL *ssl, const char *hint,
 		char *identity, unsigned int max_identity_len,
 		unsigned char *psk, unsigned int max_psk_len)
@@ -594,7 +594,7 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
 					return MOSQ_ERR_TLS;
 				}
 			}
-#ifdef WITH_TLS_PSK
+#ifdef FINAL_WITH_TLS_PSK
 		}else if(mosq->tls_psk){
 			SSL_CTX_set_psk_client_callback(mosq->ssl_ctx, psk_client_callback);
 #endif

lib/options.c

@@ -223,7 +223,7 @@ int mosquitto_tls_insecure_set(struct mosquitto *mosq, bool value)
 
 int mosquitto_tls_psk_set(struct mosquitto *mosq, const char *psk, const char *identity, const char *ciphers)
 {
-#ifdef WITH_TLS_PSK
+#ifdef FINAL_WITH_TLS_PSK
 	if(!mosq || !psk || !identity) return MOSQ_ERR_INVAL;
 
 	/* Check for hex only digits */

lib/util_mosq.c

@@ -349,7 +349,7 @@ int mosquitto_topic_matches_sub2(const char *sub, size_t sublen, const char *top
 	return MOSQ_ERR_SUCCESS;
 }
 
-#ifdef WITH_TLS_PSK
+#ifdef FINAL_WITH_TLS_PSK
 int mosquitto__hex2bin(const char *hex, unsigned char *bin, int bin_max_len)
 {
 	BIGNUM *bn = NULL;

lib/util_mosq.h

@@ -33,7 +33,7 @@ int mosquitto__check_keepalive(struct mosquitto *mosq);
 uint16_t mosquitto__mid_generate(struct mosquitto *mosq);
 FILE *mosquitto__fopen(const char *path, const char *mode, bool restrict_read);
 
-#ifdef WITH_TLS_PSK
+#ifdef FINAL_WITH_TLS_PSK
 int mosquitto__hex2bin(const char *hex, unsigned char *bin, int bin_max_len);
 #endif
 

set-version.sh

@@ -2,7 +2,7 @@
 
 MAJOR=1
 MINOR=5
-REVISION=4
+REVISION=5
 
 sed -i "s/^VERSION=.*/VERSION=${MAJOR}.${MINOR}.${REVISION}/" config.mk
 

snap/snapcraft.yaml

@@ -1,5 +1,5 @@
 name: mosquitto
-version: 1.5.4
+version: 1.5.5
 summary: Eclipse Mosquitto MQTT broker
 description: This is a message broker that supports version 3.1 and 3.1.1 of the MQTT
     protocol.

src/bridge.c

@@ -82,7 +82,7 @@ int bridge__new(struct mosquitto_db *db, struct mosquitto__bridge *bridge)
 	new_context->tls_cert_reqs = SSL_VERIFY_PEER;
 	new_context->tls_version = new_context->bridge->tls_version;
 	new_context->tls_insecure = new_context->bridge->tls_insecure;
-#ifdef WITH_TLS_PSK
+#ifdef FINAL_WITH_TLS_PSK
 	new_context->tls_psk_identity = new_context->bridge->tls_psk_identity;
 	new_context->tls_psk = new_context->bridge->tls_psk;
 #endif

src/conf.c

@@ -341,7 +341,7 @@ void config__cleanup(struct mosquitto__config *config)
 #ifdef WITH_TLS
 			mosquitto__free(config->bridges[i].tls_version);
 			mosquitto__free(config->bridges[i].tls_cafile);
-#ifdef WITH_TLS_PSK
+#ifdef FINAL_WITH_TLS_PSK
 			mosquitto__free(config->bridges[i].tls_psk_identity);
 			mosquitto__free(config->bridges[i].tls_psk);
 #endif
@@ -497,6 +497,7 @@ int config__parse_args(struct mosquitto_db *db, struct mosquitto__config *config
 		config->listeners[config->listener_count-1].use_identity_as_username = config->default_listener.use_identity_as_username;
 		config->listeners[config->listener_count-1].use_subject_as_username = config->default_listener.use_subject_as_username;
 #endif
+		config->listeners[config->listener_count-1].security_options.acl_file = config->default_listener.security_options.acl_file;
 		config->listeners[config->listener_count-1].security_options.password_file = config->default_listener.security_options.password_file;
 		config->listeners[config->listener_count-1].security_options.psk_file = config->default_listener.security_options.psk_file;
 		config->listeners[config->listener_count-1].security_options.auth_plugin_configs = config->default_listener.security_options.auth_plugin_configs;
@@ -686,7 +687,7 @@ int config__read(struct mosquitto_db *db, struct mosquitto__config *config, bool
 			log__printf(NULL, MOSQ_LOG_ERR, "Error: Invalid bridge configuration.");
 			return MOSQ_ERR_INVAL;
 		}
-#ifdef WITH_TLS_PSK
+#ifdef FINAL_WITH_TLS_PSK
 		if(config->bridges[i].tls_psk && !config->bridges[i].tls_psk_identity){
 			log__printf(NULL, MOSQ_LOG_ERR, "Error: Invalid bridge configuration: missing bridge_identity.\n");
 			return MOSQ_ERR_INVAL;
@@ -920,7 +921,7 @@ int config__read_file_core(struct mosquitto__config *config, bool reload, struct
 						log__printf(NULL, MOSQ_LOG_ERR, "Error: Invalid bridge configuration.");
 						return MOSQ_ERR_INVAL;
 					}
-#ifdef WITH_TLS_PSK
+#ifdef FINAL_WITH_TLS_PSK
 					if(cur_bridge->tls_psk_identity || cur_bridge->tls_psk){
 						log__printf(NULL, MOSQ_LOG_ERR, "Error: Cannot use both certificate and psk encryption in a single bridge.");
 						return MOSQ_ERR_INVAL;
@@ -937,7 +938,7 @@ int config__read_file_core(struct mosquitto__config *config, bool reload, struct
 						log__printf(NULL, MOSQ_LOG_ERR, "Error: Invalid bridge configuration.");
 						return MOSQ_ERR_INVAL;
 					}
-#ifdef WITH_TLS_PSK
+#ifdef FINAL_WITH_TLS_PSK
 					if(cur_bridge->tls_psk_identity || cur_bridge->tls_psk){
 						log__printf(NULL, MOSQ_LOG_ERR, "Error: Cannot use both certificate and psk encryption in a single bridge.");
 						return MOSQ_ERR_INVAL;
@@ -954,7 +955,7 @@ int config__read_file_core(struct mosquitto__config *config, bool reload, struct
 						log__printf(NULL, MOSQ_LOG_ERR, "Error: Invalid bridge configuration.");
 						return MOSQ_ERR_INVAL;
 					}
-#ifdef WITH_TLS_PSK
+#ifdef FINAL_WITH_TLS_PSK
 					if(cur_bridge->tls_psk_identity || cur_bridge->tls_psk){
 						log__printf(NULL, MOSQ_LOG_ERR, "Error: Cannot use both certificate and psk encryption in a single bridge.");
 						return MOSQ_ERR_INVAL;
@@ -965,7 +966,7 @@ int config__read_file_core(struct mosquitto__config *config, bool reload, struct
 					log__printf(NULL, MOSQ_LOG_WARNING, "Warning: Bridge and/or TLS support not available.");
 #endif
 				}else if(!strcmp(token, "bridge_identity")){
-#if defined(WITH_BRIDGE) && defined(WITH_TLS_PSK)
+#if defined(WITH_BRIDGE) && defined(FINAL_WITH_TLS_PSK)
 					if(reload) continue; // FIXME
 					if(!cur_bridge){
 						log__printf(NULL, MOSQ_LOG_ERR, "Error: Invalid bridge configuration.");
@@ -1000,7 +1001,7 @@ int config__read_file_core(struct mosquitto__config *config, bool reload, struct
 						log__printf(NULL, MOSQ_LOG_ERR, "Error: Invalid bridge configuration.");
 						return MOSQ_ERR_INVAL;
 					}
-#ifdef WITH_TLS_PSK
+#ifdef FINAL_WITH_TLS_PSK
 					if(cur_bridge->tls_psk_identity || cur_bridge->tls_psk){
 						log__printf(NULL, MOSQ_LOG_ERR, "Error: Cannot use both certificate and psk encryption in a single bridge.");
 						return MOSQ_ERR_INVAL;
@@ -1035,7 +1036,7 @@ int config__read_file_core(struct mosquitto__config *config, bool reload, struct
 					log__printf(NULL, MOSQ_LOG_WARNING, "Warning: Bridge support not available.");
 #endif
 				}else if(!strcmp(token, "bridge_psk")){
-#if defined(WITH_BRIDGE) && defined(WITH_TLS_PSK)
+#if defined(WITH_BRIDGE) && defined(FINAL_WITH_TLS_PSK)
 					if(reload) continue; // FIXME
 					if(!cur_bridge){
 						log__printf(NULL, MOSQ_LOG_ERR, "Error: Invalid bridge configuration.");
@@ -1691,7 +1692,7 @@ int config__read_file_core(struct mosquitto__config *config, bool reload, struct
 						log__printf(NULL, MOSQ_LOG_ERR, "Error: Empty protocol value in configuration.");
 					}
 				}else if(!strcmp(token, "psk_file")){
-#ifdef WITH_TLS_PSK
+#ifdef FINAL_WITH_TLS_PSK
 					conf__set_cur_security_options(config, cur_listener, &cur_security_options);
 					if(reload){
 						mosquitto__free(cur_security_options->psk_file);
@@ -1702,7 +1703,7 @@ int config__read_file_core(struct mosquitto__config *config, bool reload, struct
 					log__printf(NULL, MOSQ_LOG_WARNING, "Warning: TLS/TLS-PSK support not available.");
 #endif
 				}else if(!strcmp(token, "psk_hint")){
-#ifdef WITH_TLS_PSK
+#ifdef FINAL_WITH_TLS_PSK
 					if(reload) continue; // Listeners not valid for reloading.
 					if(conf__parse_string(&token, "psk_hint", &cur_listener->psk_hint, saveptr)) return MOSQ_ERR_INVAL;
 #else

src/handle_connect.c

@@ -420,7 +420,7 @@ int handle__connect(struct mosquitto_db *db, struct mosquitto *context)
 			rc = 1;
 			goto handle_connect_error;
 		}
-#ifdef WITH_TLS_PSK
+#ifdef FINAL_WITH_TLS_PSK
 		if(context->listener->psk_hint){
 			/* Client should have provided an identity to get this far. */
 			if(!context->username){
@@ -429,7 +429,7 @@ int handle__connect(struct mosquitto_db *db, struct mosquitto *context)
 				goto handle_connect_error;
 			}
 		}else{
-#endif /* WITH_TLS_PSK */
+#endif /* FINAL_WITH_TLS_PSK */
 			client_cert = SSL_get_peer_certificate(context->ssl);
 			if(!client_cert){
 				send__connack(context, 0, CONNACK_REFUSED_BAD_USERNAME_PASSWORD);
@@ -496,9 +496,9 @@ int handle__connect(struct mosquitto_db *db, struct mosquitto *context)
 			}
 			X509_free(client_cert);
 			client_cert = NULL;
-#ifdef WITH_TLS_PSK
+#ifdef FINAL_WITH_TLS_PSK
 		}
-#endif /* WITH_TLS_PSK */
+#endif /* FINAL_WITH_TLS_PSK */
 	}else{
 #endif /* WITH_TLS */
 		if(username_flag){

src/loop.c

@@ -87,7 +87,9 @@ static void temp__expire_websockets_clients(struct mosquitto_db *db)
 						}else{
 							id = "<unknown>";
 						}
-						log__printf(NULL, MOSQ_LOG_NOTICE, "Client %s has exceeded timeout, disconnecting.", id);
+						if(db->config->connection_messages == true){
+							log__printf(NULL, MOSQ_LOG_NOTICE, "Client %s has exceeded timeout, disconnecting.", id);
+						}
 					}
 					/* Client has exceeded keepalive*1.5 */
 					do_disconnect(db, context);
@@ -666,7 +668,9 @@ void do_disconnect(struct mosquitto_db *db, struct mosquitto *context)
 		}
 #ifdef WITH_EPOLL
 		if (context->sock != INVALID_SOCKET && epoll_ctl(db->epollfd, EPOLL_CTL_DEL, context->sock, &ev) == -1) {
-			log__printf(NULL, MOSQ_LOG_DEBUG, "Error in epoll disconnecting: %s", strerror(errno));
+			if(db->config->connection_messages == true){
+				log__printf(NULL, MOSQ_LOG_DEBUG, "Error in epoll disconnecting: %s", strerror(errno));
+			}
 		}
 #endif		
 		context__disconnect(db, context);

src/mosquitto_broker_internal.h

@@ -463,7 +463,7 @@ struct mosquitto__bridge{
 	char *tls_certfile;
 	char *tls_keyfile;
 	char *tls_version;
-#  ifdef WITH_TLS_PSK
+#  ifdef FINAL_WITH_TLS_PSK
 	char *tls_psk_identity;
 	char *tls_psk;
 #  endif

src/net.c

@@ -152,8 +152,10 @@ int net__socket_accept(struct mosquitto_db *db, mosq_sock_t listensock)
 	fromhost(&wrap_req);
 	if(!hosts_access(&wrap_req)){
 		/* Access is denied */
-		if(!net__socket_get_address(new_sock, address, 1024)){
-			log__printf(NULL, MOSQ_LOG_NOTICE, "Client connection from %s denied access by tcpd.", address);
+		if(db->config->connection_messages == true){
+			if(!net__socket_get_address(new_sock, address, 1024)){
+				log__printf(NULL, MOSQ_LOG_NOTICE, "Client connection from %s denied access by tcpd.", address);
+			}
 		}
 		COMPAT_CLOSE(new_sock);
 		return -1;
@@ -187,7 +189,9 @@ int net__socket_accept(struct mosquitto_db *db, mosq_sock_t listensock)
 	}
 
 	if(new_context->listener->max_connections > 0 && new_context->listener->client_count > new_context->listener->max_connections){
-		log__printf(NULL, MOSQ_LOG_NOTICE, "Client connection from %s denied: max_connections exceeded.", new_context->address);
+		if(db->config->connection_messages == true){
+			log__printf(NULL, MOSQ_LOG_NOTICE, "Client connection from %s denied: max_connections exceeded.", new_context->address);
+		}
 		context__cleanup(db, new_context, true);
 		return -1;
 	}
@@ -217,12 +221,14 @@ int net__socket_accept(struct mosquitto_db *db, mosq_sock_t listensock)
 						}else if(rc == SSL_ERROR_WANT_WRITE){
 							new_context->want_write = true;
 						}else{
-							e = ERR_get_error();
-							while(e){
-								log__printf(NULL, MOSQ_LOG_NOTICE,
-										"Client connection from %s failed: %s.",
-										new_context->address, ERR_error_string(e, ebuf));
+							if(db->config->connection_messages == true){
 								e = ERR_get_error();
+								while(e){
+									log__printf(NULL, MOSQ_LOG_NOTICE,
+											"Client connection from %s failed: %s.",
+											new_context->address, ERR_error_string(e, ebuf));
+									e = ERR_get_error();
+								}
 							}
 							context__cleanup(db, new_context, true);
 							return -1;
@@ -234,7 +240,9 @@ int net__socket_accept(struct mosquitto_db *db, mosq_sock_t listensock)
 	}
 #endif
 
-	log__printf(NULL, MOSQ_LOG_NOTICE, "New connection from %s on port %d.", new_context->address, new_context->listener->port);
+	if(db->config->connection_messages == true){
+		log__printf(NULL, MOSQ_LOG_NOTICE, "New connection from %s on port %d.", new_context->address, new_context->listener->port);
+	}
 
 	return new_sock;
 }
@@ -247,7 +255,7 @@ static int client_certificate_verify(int preverify_ok, X509_STORE_CTX *ctx)
 }
 #endif
 
-#ifdef WITH_TLS_PSK
+#ifdef FINAL_WITH_TLS_PSK
 static unsigned int psk_server_callback(SSL *ssl, const char *identity, unsigned char *psk, unsigned int max_psk_len)
 {
 	struct mosquitto_db *db;
@@ -520,7 +528,7 @@ int net__socket_listen(struct mosquitto__listener *listener)
 				X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK);
 			}
 
-#  ifdef WITH_TLS_PSK
+#  ifdef FINAL_WITH_TLS_PSK
 		}else if(listener->psk_hint){
 			if(tls_ex_index_context == -1){
 				tls_ex_index_context = SSL_get_ex_new_index(0, "client context", NULL, NULL, NULL);
@@ -543,7 +551,7 @@ int net__socket_listen(struct mosquitto__listener *listener)
 					return 1;
 				}
 			}
-#  endif /* WITH_TLS_PSK */
+#  endif /* FINAL_WITH_TLS_PSK */
 		}
 #endif /* WITH_TLS */
 		return 0;

src/websockets.c

@@ -229,7 +229,9 @@ static int callback_mqtt(struct libwebsocket_context *context,
 				return -1;
 			}
 			if(mosq->listener->max_connections > 0 && mosq->listener->client_count > mosq->listener->max_connections){
-				log__printf(NULL, MOSQ_LOG_NOTICE, "Client connection from %s denied: max_connections exceeded.", mosq->address);
+				if(db->config->connection_messages == true){
+					log__printf(NULL, MOSQ_LOG_NOTICE, "Client connection from %s denied: max_connections exceeded.", mosq->address);
+				}
 				mosquitto__free(mosq);
 				u->mosq = NULL;
 				return -1;

www/README.md

@@ -0,0 +1,3 @@
+This is the mosquitto website, it can be built with `nikola`:
+
+`nikola build`

www/conf.py

@@ -87,6 +87,7 @@ NAVIGATION_LINKS = {
         #("/sponsoring/", "Sponsoring"),
         (
             (
+                ("/roadmap/", "Roadmap"),
                 ("/api/", "API"),
                 ("/man/libmosquitto-3.html", "libmosquitto"),
                 ("/man/mosquitto-8.html", "mosquitto"),

www/pages/download.md

@@ -11,7 +11,7 @@
 
 # Source
 
-* [mosquitto-1.5.4.tar.gz](https://mosquitto.org/files/source/mosquitto-1.5.4.tar.gz) (319kB) ([GPG signature](https://mosquitto.org/files/source/mosquitto-1.5.4.tar.gz.asc))
+* [mosquitto-1.5.5.tar.gz](https://mosquitto.org/files/source/mosquitto-1.5.5.tar.gz) (319kB) ([GPG signature](https://mosquitto.org/files/source/mosquitto-1.5.5.tar.gz.asc))
 * [mosquitto-1.5.4.tar.gz](https://www.eclipse.org/downloads/download.php?file=/mosquitto/source/mosquitto-1.5.4.tar.gz) (via Eclipse)
 * [Git source code repository](https://github.com/eclipse/mosquitto) (github.com)
 

www/pages/roadmap.md

@@ -0,0 +1,81 @@
+<!--
+.. title: Roadmap
+.. slug: roadmap
+.. date: 2018-11-09 10:53:50 UTC
+.. tags:
+.. category:
+.. link:
+.. description:
+.. type: text
+-->
+
+# Roadmap
+
+## Version 1.6
+
+The next minor release. The focus of this release is on providing support for
+version 5 of the MQTT protocol.
+
+This release will provide a feature complete implementation, but does not
+represent the final interface for all features. In particular, functions are
+being added to libmosquitto to provide support for MQTT 5 features, but these
+will be consolidated with the API changes planned for version 2.0.
+
+### Deprecation notices
+
+#### libmosquittopp
+
+libmosquittopp, the C++ wrapper around libmosquitto is now deprecated and will
+be removed in the next major release (2.0). The wrapper came about by an
+external request and at the time it was created there were no other C++
+solutions for MQTT. This has changed in the past years and this wrapper
+provides no benefit over true C++ libraries or using the pure C libmosquitto.
+
+#### libmosquitto API changes
+
+The Mosquitto project has maintained API and ABI compatibility in libmosquitto
+since version 1.0, and has dealt with the introduction of new specification
+features by adding new functions which duplicate the behaviour of existing
+functions, but with additional arguments to support the new features.
+Particularly with regards to adding support for MQTT version 5, this has lead
+to a proliferation of functions which offer small variations on a theme.
+
+The libmosquitto functions listed below (which includes some new functions
+included in 1.6) are going to be updated for version 2.0. Functions not listed
+here should still be considered at risk of being updated.
+
+* mosquitto\_will\_set
+* mosquitto\_connect\*
+* mosquitto\_reconnect\*
+* mosquitto\_disconnect
+* mosquitto\_publish\*
+* mosquitto\_subscribe\*
+* mosquitto\_unsubscribe\*
+* mosquitto\_loop\*
+* mosquitto\_\*\_callback\_set
+* All callbacks
+* mosquitto\_\*\_topic\_check\*
+
+
+## Version 2.0
+
+This is the next major release and includes breaking changes. Other features
+planned include:
+
+## Disk persistence improvements
+
+A new disk persistence interface will be created to allow persistence to occur
+immediately, rather than periodically. This will allow queued messages for
+disconnected clients to be removed from memory, and reduce the periodic pause
+caused when writing the persistence file.
+
+## Breaking changes
+
+### libmosquitto
+
+The libmosquitto API is being consolidated to better support the new MQTT 5
+features whilst reducing the number of function variants.
+
+### libmosquittopp
+
+The C++ wrapper around libmosquitto will be removed in this release.

www/pages/security.md

@@ -19,6 +19,8 @@ follow the steps on [Eclipse Security] page to report it.
 Listed with most recent first. Further information on security related issues
 can be found in the [security category].
 
+* December 2018: [CVE-2018-20145]. Affecting versions **1.5** to **1.5.4**
+  inclusive, fixed in **1.5.5.**. More details at [version-155-released].
 * November 2018: No CVE assigned. Affecting versions **1.4** to **1.5.3**
   inclusive, fixed in **1.5.4**. More details at [version-154-released].
 * September 2018: [CVE-2018-12543] affecting versions **1.5** to **1.5.2**
@@ -43,6 +45,7 @@ can be found in the [security category].
   inclusive, fixed in **1.4.12**. More details at
   [security-advisory-cve-2017-7650].
 
+[version-155-released]: /2018/11/version-155-released/
 [version-154-released]: /2018/11/version-154-released/
 [security-advisory-cve-2018-12543]: /2018/09/security-advisory-cve-2018-12543/
 [security-advisory-cve-2017-7651-cve-2017-7652]: /2018/02/security-advisory-cve-2017-7651-cve-2017-7652/
@@ -52,6 +55,7 @@ can be found in the [security category].
 [Eclipse Security]: https://www.eclipse.org/security/
 [security category]: /blog/categories/security/
 
+[CVE-2018-20145]: https://nvd.nist.gov/vuln/detail/CVE-2018-20145
 [CVE-2018-12543]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12543
 [CVE-2017-9868]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9868
 [CVE-2017-7655]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7652

www/posts/2018/11/mqtt5-progress.md

@@ -0,0 +1,59 @@
+<!--
+.. title: MQTT 5 progress
+.. slug: mqtt5-progress
+.. date: 2018-11-29 21:33:29 UTC+00:00
+.. tags: MQTT5
+.. category: 
+.. link: 
+.. description: 
+.. type: text
+-->
+
+Development of support for MQTT 5 is ongoing and making good progress, but has
+been substantially delayed due to other non-Mosquitto work having to take
+priority.
+
+It is possible to test the current state of MQTT 5 support by using the `mqtt5`
+branch of the [repository]. Please note that this is very much a work in
+progress, so parts are incomplete and interfaces may yet change. The client
+library in particular has had to have an increase in functions available in
+order to provide the features needed whilst providing backwards compatibility.
+Part of the plan for the 2.0 release, which will follow after 1.6, is to
+consolidate the libmosquitto API with breaking changes. There are more details
+on the [roadmap].
+
+Current features include:
+
+* Support for all incoming and outgoing packets, although not everything is
+  processed.
+* Support for sending and receiving all properties, with not all properties
+  processed.
+* Client support for setting properties
+* Request/response support (client cannot process incoming correlation data)
+* Retain availability
+* Message expiry interval support
+* Server support for assigned client identifiers
+* Payload format indicator support
+* Content-type support
+* Basic topic alias support from client to broker
+* Lots of new tests
+
+Both `mosquitto_pub` and `mosquitto_sub` support setting properties on the
+command line, for example:
+
+```
+mosquitto_sub -t topic -v -D connect session-expiry-interval 60 -D connect user-property key value -D subscribe user-property sub-key sub-value
+```
+
+```
+mosquitto_pub -t topic -m '{"key":"value"}' -D publish content-type "application/json"
+```
+
+```
+./sensor_read.sh | mosquitto_pub -t topic -l  -D publish topic-alias 1
+```
+
+Further updates will be posted when more features are available.
+
+[repository]: https://github.com/eclipse/mosquitto/tree/mqtt5
+[roadmap]: https://mosquitto.org/roadmap/

www/posts/2018/12/version-155-released.md

@@ -0,0 +1,62 @@
+<!--
+.. title: Version 1.5.5 released
+.. slug: version-155-released
+.. date: 2018-12-11 15:57:18 UTC+00:00
+.. tags: Releases
+.. category: 
+.. link: 
+.. description: 
+.. type: text
+-->
+
+This is a bugfix and security release.
+
+# Version 1.5.5 changes
+
+## Security
+- If `per_listener_settings` is set to true, then the `acl_file` setting was
+  ignored for the "default listener" only. This has been fixed. This does not
+  affect any listeners defined with the `listener` option. Closes [#1073].
+  This is now tracked as [CVE-2018-20145].
+
+## Broker
+- Add `socket_domain` option to allow listeners to disable IPv6 support.
+  This is required to work around a problem in libwebsockets that means
+  sockets only listen on IPv6 by default if IPv6 support is compiled in.
+  Closes [#1004].
+- When using ADNS, don't ask for all network protocols when connecting,
+  because this can lead to confusing "Protocol not supported" errors if the
+  network is down. Closes [#1062].
+- Fix outgoing retained messages not being sent by bridges on initial
+  connection. Closes [#1040].
+- Don't reload `auth_opt_` options on reload, to match the behaviour of the
+  other plugin options. Closes [#1068].
+- Print message on error when installing/uninstalling as a Windows service.
+- All non-error connect/disconnect messages are controlled by the
+  `connection_messages` option. Closes [#772]. Closes [#613]. Closes [#537].
+
+## Library
+- Fix reconnect delay backoff behaviour. Closes [#1027].
+- Don't call `on_disconnect()` twice if keepalive tests fail. Closes [#1067].
+
+## Client
+- Always print leading zeros in `mosquitto_sub` when output format is hex.
+  Closes [#1066].
+
+## Build
+- Fix building where TLS-PSK is not available. Closes [#68].
+
+
+[CVE-2018-20145]: https://nvd.nist.gov/vuln/detail/CVE-2018-20145
+[#68]: https://github.com/eclipse/mosquitto/issues/68
+[#537]: https://github.com/eclipse/mosquitto/issues/537
+[#613]: https://github.com/eclipse/mosquitto/issues/613
+[#772]: https://github.com/eclipse/mosquitto/issues/772
+[#1004]: https://github.com/eclipse/mosquitto/issues/1004
+[#1027]: https://github.com/eclipse/mosquitto/issues/1027
+[#1040]: https://github.com/eclipse/mosquitto/issues/1040
+[#1062]: https://github.com/eclipse/mosquitto/issues/1062
+[#1066]: https://github.com/eclipse/mosquitto/issues/1066
+[#1067]: https://github.com/eclipse/mosquitto/issues/1067
+[#1068]: https://github.com/eclipse/mosquitto/issues/1068
+[#1073]: https://github.com/eclipse/mosquitto/issues/1073