diff --git a/CMakeLists.txt b/CMakeLists.txt index 161696da..265c106d 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -11,7 +11,7 @@ project(mosquitto) cmake_minimum_required(VERSION 2.8) # Only for version 3 and up. cmake_policy(SET CMP0042 NEW) -set (VERSION 1.5.4) +set (VERSION 1.5.5) add_definitions (-DCMAKE -DVERSION=\"${VERSION}\") diff --git a/ChangeLog.txt b/ChangeLog.txt index c3a6c60a..ba8864db 100644 --- a/ChangeLog.txt +++ b/ChangeLog.txt @@ -1,6 +1,12 @@ -1.5.5 - 201812xx +1.5.5 - 20181211 ================ +Security: +- If `per_listener_settings` is set to true, then the `acl_file` setting was + ignored for the "default listener" only. This has been fixed. This does not + affect any listeners defined with the `listener` option. Closes #1073. + This is now tracked as CVE-2018-20145. + Broker: - Add `socket_domain` option to allow listeners to disable IPv6 support. This is required to work around a problem in libwebsockets that means @@ -14,6 +20,8 @@ Broker: - Don't reload auth_opt_ options on reload, to match the behaviour of the other plugin options. Closes #1068. - Print message on error when installing/uninstalling as a Windows service. +- All non-error connect/disconnect messages are controlled by the + `connection_messages` option. Closes #772. Closes #613. Closes #537. Library: - Fix reconnect delay backoff behaviour. Closes #1027. @@ -23,6 +31,9 @@ Client: - Always print leading zeros in mosquitto_sub when output format is hex. Closes #1066. +Build: +- Fix building where TLS-PSK is not available. Closes #68. + 1.5.4 - 20181108 ================ diff --git a/client/client_shared.c b/client/client_shared.c index 2788b7ce..8f993dc9 100644 --- a/client/client_shared.c +++ b/client/client_shared.c @@ -151,7 +151,7 @@ void client_config_cleanup(struct mosq_config *cfg) free(cfg->keyfile); free(cfg->ciphers); free(cfg->tls_version); -# ifdef WITH_TLS_PSK +# ifdef FINAL_WITH_TLS_PSK free(cfg->psk); free(cfg->psk_identity); # endif 
@@ -309,7 +309,7 @@ int client_config_load(struct mosq_config *cfg, int pub_or_sub, int argc, char * return 1; } #endif -#ifdef WITH_TLS_PSK +#ifdef FINAL_WITH_TLS_PSK if((cfg->cafile || cfg->capath) && cfg->psk){ if(!cfg->quiet) fprintf(stderr, "Error: Only one of --psk or --cafile/--capath may be used at once.\n"); return 1; @@ -673,7 +673,7 @@ int client_config_line_proc(struct mosq_config *cfg, int pub_or_sub, int argc, c i++; } #endif -#ifdef WITH_TLS_PSK +#ifdef FINAL_WITH_TLS_PSK }else if(!strcmp(argv[i], "--psk")){ if(i==argc-1){ fprintf(stderr, "Error: --psk argument given but no key specified.\n\n"); @@ -912,7 +912,7 @@ int client_opts_set(struct mosquitto *mosq, struct mosq_config *cfg) mosquitto_lib_cleanup(); return 1; } -# ifdef WITH_TLS_PSK +# ifdef FINAL_WITH_TLS_PSK if(cfg->psk && mosquitto_tls_psk_set(mosq, cfg->psk, cfg->psk_identity, NULL)){ if(!cfg->quiet) fprintf(stderr, "Error: Problem setting TLS-PSK options.\n"); mosquitto_lib_cleanup(); @@ -985,7 +985,7 @@ int client_connect(struct mosquitto *mosq, struct mosq_config *cfg) if(cfg->port < 0){ #ifdef WITH_TLS if(cfg->cafile || cfg->capath -# ifdef WITH_TLS_PSK +# ifdef FINAL_WITH_TLS_PSK || cfg->psk # endif ){ diff --git a/client/client_shared.h b/client/client_shared.h index f1ce6f31..aee823a6 100644 --- a/client/client_shared.h +++ b/client/client_shared.h @@ -66,7 +66,7 @@ struct mosq_config { char *ciphers; bool insecure; char *tls_version; -# ifdef WITH_TLS_PSK +# ifdef FINAL_WITH_TLS_PSK char *psk; char *psk_identity; # endif diff --git a/client/pub_client.c b/client/pub_client.c index 8c729b87..49ca48c2 100644 --- a/client/pub_client.c +++ b/client/pub_client.c @@ -223,7 +223,7 @@ void print_usage(void) #ifdef WITH_TLS printf(" [{--cafile file | --capath dir} [--cert file] [--key file]\n"); printf(" [--ciphers ciphers] [--insecure]]\n"); -#ifdef WITH_TLS_PSK +#ifdef FINAL_WITH_TLS_PSK printf(" [--psk hex-key --psk-identity identity [--ciphers ciphers]]\n"); #endif #endif 
@@ -280,7 +280,7 @@ void print_usage(void) printf(" hostname. Using this option means that you cannot be sure that the\n"); printf(" remote host is the server you wish to connect to and so is insecure.\n"); printf(" Do not use this option in a production environment.\n"); -# ifdef WITH_TLS_PSK +# ifdef FINAL_WITH_TLS_PSK printf(" --psk : pre-shared-key in hexadecimal (no leading 0x) to enable TLS-PSK mode.\n"); printf(" --psk-identity : client identity string for TLS-PSK mode.\n"); # endif diff --git a/client/sub_client.c b/client/sub_client.c index 3d91ed0f..607f258c 100644 --- a/client/sub_client.c +++ b/client/sub_client.c @@ -155,7 +155,7 @@ void print_usage(void) #ifdef WITH_TLS printf(" [{--cafile file | --capath dir} [--cert file] [--key file]\n"); printf(" [--ciphers ciphers] [--insecure]]\n"); -#ifdef WITH_TLS_PSK +#ifdef FINAL_WITH_TLS_PSK printf(" [--psk hex-key --psk-identity identity [--ciphers ciphers]]\n"); #endif #endif @@ -218,7 +218,7 @@ void print_usage(void) printf(" hostname. Using this option means that you cannot be sure that the\n"); printf(" remote host is the server you wish to connect to and so is insecure.\n"); printf(" Do not use this option in a production environment.\n"); -#ifdef WITH_TLS_PSK +#ifdef FINAL_WITH_TLS_PSK printf(" --psk : pre-shared-key in hexadecimal (no leading 0x) to enable TLS-PSK mode.\n"); printf(" --psk-identity : client identity string for TLS-PSK mode.\n"); #endif diff --git a/config.h b/config.h index 97ac6be9..3c777059 100644 --- a/config.h +++ b/config.h @@ -37,4 +37,12 @@ #define uthash_malloc(sz) mosquitto__malloc(sz) #define uthash_free(ptr,sz) mosquitto__free(ptr) + +#ifdef WITH_TLS +# include +# if defined(WITH_TLS_PSK) && !defined(OPENSSL_NO_PSK) +# define FINAL_WITH_TLS_PSK +# endif +#endif + #endif diff --git a/config.mk b/config.mk index d591cd49..0ee3fa44 100644 --- a/config.mk +++ b/config.mk 
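Review bot: The new `# include` directive added to config.h has no target in this rendering; presumably an angle-bracketed OpenSSL header such as `<openssl/opensslconf.h>` (the header that defines `OPENSSL_NO_PSK`) was lost when the page was generated, and it is worth confirming the committed file names it, because an empty include is a hard compile error. A second point about the same hunk: `FINAL_WITH_TLS_PSK` only exists in translation units that include config.h before their first `#ifdef FINAL_WITH_TLS_PSK`, so any renamed file that reaches the PSK code without config.h, or includes it after the check, now silently compiles PSK support out instead of failing, which in handle_connect.c would drop the `psk_hint` branch entirely; the include lists are not visible from this diff, so this needs checking file by file. A short comment on the define would record the contract: `/* Effective PSK switch: WITH_TLS_PSK requested AND OpenSSL built with PSK. Every file that tests this macro must include config.h first. */`.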
@@ -105,7 +105,7 @@ WITH_BUNDLED_DEPS:=yes # Also bump lib/mosquitto.h, CMakeLists.txt, # installer/mosquitto.nsi, installer/mosquitto64.nsi -VERSION=1.5.4 +VERSION=1.5.5 # Client library SO version. Bump if incompatible API/ABI changes are made. SOVERSION=1 diff --git a/docker/1.5/Dockerfile b/docker/1.5/Dockerfile index 5661fb35..2c9b15c6 100644 --- a/docker/1.5/Dockerfile +++ b/docker/1.5/Dockerfile @@ -3,8 +3,8 @@ FROM alpine:3.8 LABEL maintainer="Roger Light " \ description="Eclipse Mosquitto MQTT Broker" -ENV VERSION=1.5.4 \ - DOWNLOAD_SHA256=5fd7f3454fd6d286645d032bc07f44a1c8583cec02ef2422c9eb32e0a89a9b2f \ +ENV VERSION=1.5.5 \ + DOWNLOAD_SHA256=fcdb47e340864c545146681af7253399cc292e41775afd76400fda5b0d23d668 \ GPG_KEYS=A0D6EEA1DCAE49A635A3B2F0779B22DFB3E717B7 \ LWS_VERSION=2.4.2 diff --git a/installer/mosquitto.nsi b/installer/mosquitto.nsi index d7db79b8..0574e0b1 100644 --- a/installer/mosquitto.nsi +++ b/installer/mosquitto.nsi @@ -9,7 +9,7 @@ !define env_hklm 'HKLM "SYSTEM\CurrentControlSet\Control\Session Manager\Environment"' Name "Eclipse Mosquitto" -!define VERSION 1.5.4 +!define VERSION 1.5.5 OutFile "mosquitto-${VERSION}-install-windows-x86.exe" InstallDir "$PROGRAMFILES\mosquitto" diff --git a/installer/mosquitto64.nsi b/installer/mosquitto64.nsi index 7ae8dccd..5e9706c4 100644 --- a/installer/mosquitto64.nsi +++ b/installer/mosquitto64.nsi @@ -9,7 +9,7 @@ !define env_hklm 'HKLM "SYSTEM\CurrentControlSet\Control\Session Manager\Environment"' Name "Eclipse Mosquitto" -!define VERSION 1.5.4 +!define VERSION 1.5.5 OutFile "mosquitto-${VERSION}-install-windows-x64.exe" !include "x64.nsh" diff --git a/lib/loop.c b/lib/loop.c index 4b277752..e4a985eb 100644 --- a/lib/loop.c +++ b/lib/loop.c 
@@ -286,9 +286,6 @@ int mosquitto_loop_forever(struct mosquitto *mosq, int timeout, int max_packets) int mosquitto_loop_misc(struct mosquitto *mosq) { - time_t now; - int rc; - if(!mosq) return MOSQ_ERR_INVAL; if(mosq->sock == INVALID_SOCKET) return MOSQ_ERR_NO_CONN; diff --git a/lib/mosquitto.h b/lib/mosquitto.h index b3600b2c..57a22ec3 100644 --- a/lib/mosquitto.h +++ b/lib/mosquitto.h @@ -47,7 +47,7 @@ extern "C" { #define LIBMOSQUITTO_MAJOR 1 #define LIBMOSQUITTO_MINOR 5 -#define LIBMOSQUITTO_REVISION 4 +#define LIBMOSQUITTO_REVISION 5 /* LIBMOSQUITTO_VERSION_NUMBER looks like 1002001 for e.g. version 1.2.1. */ #define LIBMOSQUITTO_VERSION_NUMBER (LIBMOSQUITTO_MAJOR*1000000+LIBMOSQUITTO_MINOR*1000+LIBMOSQUITTO_REVISION) diff --git a/lib/net_mosq.c b/lib/net_mosq.c index f2bb628b..09a26042 100644 --- a/lib/net_mosq.c +++ b/lib/net_mosq.c @@ -183,7 +183,7 @@ int net__socket_close(struct mosquitto *mosq) } -#ifdef WITH_TLS_PSK +#ifdef FINAL_WITH_TLS_PSK static unsigned int psk_client_callback(SSL *ssl, const char *hint, char *identity, unsigned int max_identity_len, unsigned char *psk, unsigned int max_psk_len) @@ -594,7 +594,7 @@ static int net__init_ssl_ctx(struct mosquitto *mosq) return MOSQ_ERR_TLS; } } -#ifdef WITH_TLS_PSK +#ifdef FINAL_WITH_TLS_PSK }else if(mosq->tls_psk){ SSL_CTX_set_psk_client_callback(mosq->ssl_ctx, psk_client_callback); #endif diff --git a/lib/options.c b/lib/options.c index 00951a68..b4b8ac84 100644 --- a/lib/options.c +++ b/lib/options.c @@ -223,7 +223,7 @@ int mosquitto_tls_insecure_set(struct mosquitto *mosq, bool value) int mosquitto_tls_psk_set(struct mosquitto *mosq, const char *psk, const char *identity, const char *ciphers) { -#ifdef WITH_TLS_PSK +#ifdef FINAL_WITH_TLS_PSK if(!mosq || !psk || !identity) return MOSQ_ERR_INVAL; /* Check for hex only digits */ diff --git a/lib/util_mosq.c b/lib/util_mosq.c index 405cb390..d98bbde4 100644 --- a/lib/util_mosq.c +++ b/lib/util_mosq.c 
@@ -349,7 +349,7 @@ int mosquitto_topic_matches_sub2(const char *sub, size_t sublen, const char *top return MOSQ_ERR_SUCCESS; } -#ifdef WITH_TLS_PSK +#ifdef FINAL_WITH_TLS_PSK int mosquitto__hex2bin(const char *hex, unsigned char *bin, int bin_max_len) { BIGNUM *bn = NULL; diff --git a/lib/util_mosq.h b/lib/util_mosq.h index 8e601a0f..d94661e7 100644 --- a/lib/util_mosq.h +++ b/lib/util_mosq.h @@ -33,7 +33,7 @@ int mosquitto__check_keepalive(struct mosquitto *mosq); uint16_t mosquitto__mid_generate(struct mosquitto *mosq); FILE *mosquitto__fopen(const char *path, const char *mode, bool restrict_read); -#ifdef WITH_TLS_PSK +#ifdef FINAL_WITH_TLS_PSK int mosquitto__hex2bin(const char *hex, unsigned char *bin, int bin_max_len); #endif diff --git a/set-version.sh b/set-version.sh index 54958189..ec105f6b 100755 --- a/set-version.sh +++ b/set-version.sh @@ -2,7 +2,7 @@ MAJOR=1 MINOR=5 -REVISION=4 +REVISION=5 sed -i "s/^VERSION=.*/VERSION=${MAJOR}.${MINOR}.${REVISION}/" config.mk diff --git a/snap/snapcraft.yaml b/snap/snapcraft.yaml index fa1127ed..b337fe0b 100644 --- a/snap/snapcraft.yaml +++ b/snap/snapcraft.yaml @@ -1,5 +1,5 @@ name: mosquitto -version: 1.5.4 +version: 1.5.5 summary: Eclipse Mosquitto MQTT broker description: This is a message broker that supports version 3.1 and 3.1.1 of the MQTT protocol. diff --git a/src/bridge.c b/src/bridge.c index e35cacce..6e4b94fa 100644 --- a/src/bridge.c +++ b/src/bridge.c @@ -82,7 +82,7 @@ int bridge__new(struct mosquitto_db *db, struct mosquitto__bridge *bridge) new_context->tls_cert_reqs = SSL_VERIFY_PEER; new_context->tls_version = new_context->bridge->tls_version; new_context->tls_insecure = new_context->bridge->tls_insecure; -#ifdef WITH_TLS_PSK +#ifdef FINAL_WITH_TLS_PSK new_context->tls_psk_identity = new_context->bridge->tls_psk_identity; new_context->tls_psk = new_context->bridge->tls_psk; #endif diff --git a/src/conf.c b/src/conf.c index 67e172b0..0968d326 100644 --- a/src/conf.c +++ b/src/conf.c 
@@ -341,7 +341,7 @@ void config__cleanup(struct mosquitto__config *config) #ifdef WITH_TLS mosquitto__free(config->bridges[i].tls_version); mosquitto__free(config->bridges[i].tls_cafile); -#ifdef WITH_TLS_PSK +#ifdef FINAL_WITH_TLS_PSK mosquitto__free(config->bridges[i].tls_psk_identity); mosquitto__free(config->bridges[i].tls_psk); #endif @@ -497,6 +497,7 @@ int config__parse_args(struct mosquitto_db *db, struct mosquitto__config *config config->listeners[config->listener_count-1].use_identity_as_username = config->default_listener.use_identity_as_username; config->listeners[config->listener_count-1].use_subject_as_username = config->default_listener.use_subject_as_username; #endif + config->listeners[config->listener_count-1].security_options.acl_file = config->default_listener.security_options.acl_file; config->listeners[config->listener_count-1].security_options.password_file = config->default_listener.security_options.password_file; config->listeners[config->listener_count-1].security_options.psk_file = config->default_listener.security_options.psk_file; config->listeners[config->listener_count-1].security_options.auth_plugin_configs = config->default_listener.security_options.auth_plugin_configs; @@ -686,7 +687,7 @@ int config__read(struct mosquitto_db *db, struct mosquitto__config *config, bool log__printf(NULL, MOSQ_LOG_ERR, "Error: Invalid bridge configuration."); return MOSQ_ERR_INVAL; } -#ifdef WITH_TLS_PSK +#ifdef FINAL_WITH_TLS_PSK if(config->bridges[i].tls_psk && !config->bridges[i].tls_psk_identity){ log__printf(NULL, MOSQ_LOG_ERR, "Error: Invalid bridge configuration: missing bridge_identity.\n"); return MOSQ_ERR_INVAL; 
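Review bot: The added `acl_file` copy in `config__parse_args` is the CVE-2018-20145 fix and follows the same shallow pointer copy the neighbouring `password_file`/`psk_file`/`auth_plugin_configs` lines use, so ownership of the string stays with `default_listener`; that is consistent, but since the vulnerability was exactly one `security_options` field missing from this list, the remaining fields of the `security_options` struct should be checked against it rather than stopping at the reported one — whether others are missing is not visible from the hunk. Because the defect was a silent loss of authorization, a regression test (broker started with `per_listener_settings true`, an `acl_file`, and no `listener` line, asserting that a publish outside the ACL is refused) would keep it from reappearing. A why-comment would also help the next maintainer: `/* Every per-listener security option set on the default listener must be copied here; omitting acl_file was CVE-2018-20145. */`. `config__parse_args` starts and ends outside the hunk.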
@@ -920,7 +921,7 @@ int config__read_file_core(struct mosquitto__config *config, bool reload, struct log__printf(NULL, MOSQ_LOG_ERR, "Error: Invalid bridge configuration."); return MOSQ_ERR_INVAL; } -#ifdef WITH_TLS_PSK +#ifdef FINAL_WITH_TLS_PSK if(cur_bridge->tls_psk_identity || cur_bridge->tls_psk){ log__printf(NULL, MOSQ_LOG_ERR, "Error: Cannot use both certificate and psk encryption in a single bridge."); return MOSQ_ERR_INVAL; @@ -937,7 +938,7 @@ int config__read_file_core(struct mosquitto__config *config, bool reload, struct log__printf(NULL, MOSQ_LOG_ERR, "Error: Invalid bridge configuration."); return MOSQ_ERR_INVAL; } -#ifdef WITH_TLS_PSK +#ifdef FINAL_WITH_TLS_PSK if(cur_bridge->tls_psk_identity || cur_bridge->tls_psk){ log__printf(NULL, MOSQ_LOG_ERR, "Error: Cannot use both certificate and psk encryption in a single bridge."); return MOSQ_ERR_INVAL; @@ -954,7 +955,7 @@ int config__read_file_core(struct mosquitto__config *config, bool reload, struct log__printf(NULL, MOSQ_LOG_ERR, "Error: Invalid bridge configuration."); return MOSQ_ERR_INVAL; } -#ifdef WITH_TLS_PSK +#ifdef FINAL_WITH_TLS_PSK if(cur_bridge->tls_psk_identity || cur_bridge->tls_psk){ log__printf(NULL, MOSQ_LOG_ERR, "Error: Cannot use both certificate and psk encryption in a single bridge."); return MOSQ_ERR_INVAL; @@ -965,7 +966,7 @@ int config__read_file_core(struct mosquitto__config *config, bool reload, struct log__printf(NULL, MOSQ_LOG_WARNING, "Warning: Bridge and/or TLS support not available."); #endif }else if(!strcmp(token, "bridge_identity")){ -#if defined(WITH_BRIDGE) && defined(WITH_TLS_PSK) +#if defined(WITH_BRIDGE) && defined(FINAL_WITH_TLS_PSK) if(reload) continue; // FIXME if(!cur_bridge){ log__printf(NULL, MOSQ_LOG_ERR, "Error: Invalid bridge configuration."); 
@@ -1000,7 +1001,7 @@ int config__read_file_core(struct mosquitto__config *config, bool reload, struct log__printf(NULL, MOSQ_LOG_ERR, "Error: Invalid bridge configuration."); return MOSQ_ERR_INVAL; } -#ifdef WITH_TLS_PSK +#ifdef FINAL_WITH_TLS_PSK if(cur_bridge->tls_psk_identity || cur_bridge->tls_psk){ log__printf(NULL, MOSQ_LOG_ERR, "Error: Cannot use both certificate and psk encryption in a single bridge."); return MOSQ_ERR_INVAL; @@ -1035,7 +1036,7 @@ int config__read_file_core(struct mosquitto__config *config, bool reload, struct log__printf(NULL, MOSQ_LOG_WARNING, "Warning: Bridge support not available."); #endif }else if(!strcmp(token, "bridge_psk")){ -#if defined(WITH_BRIDGE) && defined(WITH_TLS_PSK) +#if defined(WITH_BRIDGE) && defined(FINAL_WITH_TLS_PSK) if(reload) continue; // FIXME if(!cur_bridge){ log__printf(NULL, MOSQ_LOG_ERR, "Error: Invalid bridge configuration."); @@ -1691,7 +1692,7 @@ int config__read_file_core(struct mosquitto__config *config, bool reload, struct log__printf(NULL, MOSQ_LOG_ERR, "Error: Empty protocol value in configuration."); } }else if(!strcmp(token, "psk_file")){ -#ifdef WITH_TLS_PSK +#ifdef FINAL_WITH_TLS_PSK conf__set_cur_security_options(config, cur_listener, &cur_security_options); if(reload){ mosquitto__free(cur_security_options->psk_file); @@ -1702,7 +1703,7 @@ int config__read_file_core(struct mosquitto__config *config, bool reload, struct log__printf(NULL, MOSQ_LOG_WARNING, "Warning: TLS/TLS-PSK support not available."); #endif }else if(!strcmp(token, "psk_hint")){ -#ifdef WITH_TLS_PSK +#ifdef FINAL_WITH_TLS_PSK if(reload) continue; // Listeners not valid for reloading. if(conf__parse_string(&token, "psk_hint", &cur_listener->psk_hint, saveptr)) return MOSQ_ERR_INVAL; #else diff --git a/src/handle_connect.c b/src/handle_connect.c index 2d300fc0..b9b0fefd 100644 --- a/src/handle_connect.c +++ b/src/handle_connect.c 
@@ -420,7 +420,7 @@ int handle__connect(struct mosquitto_db *db, struct mosquitto *context) rc = 1; goto handle_connect_error; } -#ifdef WITH_TLS_PSK +#ifdef FINAL_WITH_TLS_PSK if(context->listener->psk_hint){ /* Client should have provided an identity to get this far. */ if(!context->username){ @@ -429,7 +429,7 @@ int handle__connect(struct mosquitto_db *db, struct mosquitto *context) goto handle_connect_error; } }else{ -#endif /* WITH_TLS_PSK */ +#endif /* FINAL_WITH_TLS_PSK */ client_cert = SSL_get_peer_certificate(context->ssl); if(!client_cert){ send__connack(context, 0, CONNACK_REFUSED_BAD_USERNAME_PASSWORD); @@ -496,9 +496,9 @@ int handle__connect(struct mosquitto_db *db, struct mosquitto *context) } X509_free(client_cert); client_cert = NULL; -#ifdef WITH_TLS_PSK +#ifdef FINAL_WITH_TLS_PSK } -#endif /* WITH_TLS_PSK */ +#endif /* FINAL_WITH_TLS_PSK */ }else{ #endif /* WITH_TLS */ if(username_flag){ diff --git a/src/loop.c b/src/loop.c index 6773185a..8d084749 100644 --- a/src/loop.c +++ b/src/loop.c @@ -87,7 +87,9 @@ static void temp__expire_websockets_clients(struct mosquitto_db *db) }else{ id = ""; } - log__printf(NULL, MOSQ_LOG_NOTICE, "Client %s has exceeded timeout, disconnecting.", id); + if(db->config->connection_messages == true){ + log__printf(NULL, MOSQ_LOG_NOTICE, "Client %s has exceeded timeout, disconnecting.", id); + } } /* Client has exceeded keepalive*1.5 */ do_disconnect(db, context); @@ -666,7 +668,9 @@ void do_disconnect(struct mosquitto_db *db, struct mosquitto *context) } #ifdef WITH_EPOLL if (context->sock != INVALID_SOCKET && epoll_ctl(db->epollfd, EPOLL_CTL_DEL, context->sock, &ev) == -1) { - log__printf(NULL, MOSQ_LOG_DEBUG, "Error in epoll disconnecting: %s", strerror(errno)); + if(db->config->connection_messages == true){ + log__printf(NULL, MOSQ_LOG_DEBUG, "Error in epoll disconnecting: %s", strerror(errno)); + } } #endif context__disconnect(db, context); 
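Review bot: Gating the `epoll_ctl` failure log in `do_disconnect` on `connection_messages` suppresses an error, which contradicts the changelog's statement that only non-error connect/disconnect messages are controlled by the option; a failed `EPOLL_CTL_DEL` is a broker-side fault that an operator who turned off connection chatter would still want to see. I would keep that line unconditional — `log__printf(NULL, MOSQ_LOG_DEBUG, "Error in epoll disconnecting: %s", strerror(errno));` without the surrounding `if` — and leave the new gate on the timeout notice in the first loop.c hunk, which is genuinely a connection message. Both `temp__expire_websockets_clients` and `do_disconnect` start and end outside the hunks.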
diff --git a/src/mosquitto_broker_internal.h b/src/mosquitto_broker_internal.h index bd6ad136..bf13eebb 100644 --- a/src/mosquitto_broker_internal.h +++ b/src/mosquitto_broker_internal.h @@ -463,7 +463,7 @@ struct mosquitto__bridge{ char *tls_certfile; char *tls_keyfile; char *tls_version; -# ifdef WITH_TLS_PSK +# ifdef FINAL_WITH_TLS_PSK char *tls_psk_identity; char *tls_psk; # endif diff --git a/src/net.c b/src/net.c index 21f5ec68..937f6ce1 100644 --- a/src/net.c +++ b/src/net.c @@ -152,8 +152,10 @@ int net__socket_accept(struct mosquitto_db *db, mosq_sock_t listensock) fromhost(&wrap_req); if(!hosts_access(&wrap_req)){ /* Access is denied */ - if(!net__socket_get_address(new_sock, address, 1024)){ - log__printf(NULL, MOSQ_LOG_NOTICE, "Client connection from %s denied access by tcpd.", address); + if(db->config->connection_messages == true){ + if(!net__socket_get_address(new_sock, address, 1024)){ + log__printf(NULL, MOSQ_LOG_NOTICE, "Client connection from %s denied access by tcpd.", address); + } } COMPAT_CLOSE(new_sock); return -1; @@ -187,7 +189,9 @@ int net__socket_accept(struct mosquitto_db *db, mosq_sock_t listensock) } if(new_context->listener->max_connections > 0 && new_context->listener->client_count > new_context->listener->max_connections){ - log__printf(NULL, MOSQ_LOG_NOTICE, "Client connection from %s denied: max_connections exceeded.", new_context->address); + if(db->config->connection_messages == true){ + log__printf(NULL, MOSQ_LOG_NOTICE, "Client connection from %s denied: max_connections exceeded.", new_context->address); + } context__cleanup(db, new_context, true); return -1; } 
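Review bot: Wrapping the tcpd denial in `connection_messages` silences an access-control decision, not just connection chatter: with `connection_messages false` the broker keeps no record that `hosts_access()` rejected a client, and the same applies to the `max_connections exceeded` notice in the following hunk. Those two messages are what an operator looks for when investigating scanning or a connection flood, so I would either log denials unconditionally (the previous plain `log__printf(NULL, MOSQ_LOG_NOTICE, ...)`, possibly raised to `MOSQ_LOG_WARNING`) or state in the `connection_messages` documentation that disabling it also hides denied connections. If the gate is intentional, a comment such as `/* Denials are deliberately subject to connection_messages; see #772 */` would record that choice. `net__socket_accept` starts before and ends after the hunk.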
@@ -217,12 +221,14 @@ int net__socket_accept(struct mosquitto_db *db, mosq_sock_t listensock) }else if(rc == SSL_ERROR_WANT_WRITE){ new_context->want_write = true; }else{ - e = ERR_get_error(); - while(e){ - log__printf(NULL, MOSQ_LOG_NOTICE, - "Client connection from %s failed: %s.", - new_context->address, ERR_error_string(e, ebuf)); + if(db->config->connection_messages == true){ e = ERR_get_error(); + while(e){ + log__printf(NULL, MOSQ_LOG_NOTICE, + "Client connection from %s failed: %s.", + new_context->address, ERR_error_string(e, ebuf)); + e = ERR_get_error(); + } } context__cleanup(db, new_context, true); return -1; @@ -234,7 +240,9 @@ int net__socket_accept(struct mosquitto_db *db, mosq_sock_t listensock) } #endif - log__printf(NULL, MOSQ_LOG_NOTICE, "New connection from %s on port %d.", new_context->address, new_context->listener->port); + if(db->config->connection_messages == true){ + log__printf(NULL, MOSQ_LOG_NOTICE, "New connection from %s on port %d.", new_context->address, new_context->listener->port); + } return new_sock; } @@ -247,7 +255,7 @@ static int client_certificate_verify(int preverify_ok, X509_STORE_CTX *ctx) } #endif -#ifdef WITH_TLS_PSK +#ifdef FINAL_WITH_TLS_PSK static unsigned int psk_server_callback(SSL *ssl, const char *identity, unsigned char *psk, unsigned int max_psk_len) { struct mosquitto_db *db; @@ -520,7 +528,7 @@ int net__socket_listen(struct mosquitto__listener *listener) X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK); } -# ifdef WITH_TLS_PSK +# ifdef FINAL_WITH_TLS_PSK }else if(listener->psk_hint){ if(tls_ex_index_context == -1){ tls_ex_index_context = SSL_get_ex_new_index(0, "client context", NULL, NULL, NULL); @@ -543,7 +551,7 @@ int net__socket_listen(struct mosquitto__listener *listener) return 1; } } -# endif /* WITH_TLS_PSK */ +# endif /* FINAL_WITH_TLS_PSK */ } #endif /* WITH_TLS */ return 0; diff --git a/src/websockets.c b/src/websockets.c index a57330aa..6ac446f6 100644 --- a/src/websockets.c 
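Review bot: When `connection_messages` is false the rewritten else-branch no longer calls `ERR_get_error()`, so the thread's OpenSSL error queue is left populated after the failed `SSL_accept`; stale entries can then surface in a later connection's `SSL_get_error()`/`ERR_get_error()` handling and misattribute that failure. The logging loop was doubling as the queue drain, so the branch should clear the queue when it does not log — add `ERR_clear_error();` after the `if` block and before `context__cleanup()`. Separately, a TLS handshake failure (rejected client certificate, unknown PSK identity) is an error rather than a non-error connection message, so hiding it behind this option is at odds with the changelog wording, and keeping it unconditional would be the safer default. `net__socket_accept` begins and ends outside the hunk.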
+++ b/src/websockets.c @@ -229,7 +229,9 @@ static int callback_mqtt(struct libwebsocket_context *context, return -1; } if(mosq->listener->max_connections > 0 && mosq->listener->client_count > mosq->listener->max_connections){ - log__printf(NULL, MOSQ_LOG_NOTICE, "Client connection from %s denied: max_connections exceeded.", mosq->address); + if(db->config->connection_messages == true){ + log__printf(NULL, MOSQ_LOG_NOTICE, "Client connection from %s denied: max_connections exceeded.", mosq->address); + } mosquitto__free(mosq); u->mosq = NULL; return -1; diff --git a/www/README.md b/www/README.md new file mode 100644 index 00000000..923f54bf --- /dev/null +++ b/www/README.md @@ -0,0 +1,3 @@ +This is the mosquitto website, it can be built with `nikola`: + +`nikola build` \ No newline at end of file diff --git a/www/conf.py b/www/conf.py index b4145237..7b5f4ded 100644 --- a/www/conf.py +++ b/www/conf.py @@ -87,6 +87,7 @@ NAVIGATION_LINKS = { #("/sponsoring/", "Sponsoring"), ( ( + ("/roadmap/", "Roadmap"), ("/api/", "API"), ("/man/libmosquitto-3.html", "libmosquitto"), ("/man/mosquitto-8.html", "mosquitto"), diff --git a/www/pages/download.md b/www/pages/download.md index 2a9b54e0..2aceb0a5 100644 --- a/www/pages/download.md +++ b/www/pages/download.md @@ -11,7 +11,7 @@ # Source -* [mosquitto-1.5.4.tar.gz](https://mosquitto.org/files/source/mosquitto-1.5.4.tar.gz) (319kB) ([GPG signature](https://mosquitto.org/files/source/mosquitto-1.5.4.tar.gz.asc)) +* [mosquitto-1.5.5.tar.gz](https://mosquitto.org/files/source/mosquitto-1.5.5.tar.gz) (319kB) ([GPG signature](https://mosquitto.org/files/source/mosquitto-1.5.5.tar.gz.asc)) * [mosquitto-1.5.4.tar.gz](https://www.eclipse.org/downloads/download.php?file=/mosquitto/source/mosquitto-1.5.4.tar.gz) (via Eclipse) * [Git source code repository](https://github.com/eclipse/mosquitto) (github.com) diff --git a/www/pages/roadmap.md b/www/pages/roadmap.md new file mode 100644 index 00000000..7e607cf7 --- /dev/null 
+++ b/www/pages/roadmap.md 
@@ -0,0 +1,81 @@ + + +# Roadmap + +## Version 1.6 + +The next minor release. The focus of this release is on providing support for +version 5 of the MQTT protocol. + +This release will provide a feature complete implementation, but does not +represent the final interface for all features. In particular, functions are +being added to libmosquitto to provide support for MQTT 5 features, but these +will be consolidated with the API changes planned for version 2.0. + +### Deprecation notices + +#### libmosquittopp + +libmosquittopp, the C++ wrapper around libmosquitto is now deprecated and will +be removed in the next major release (2.0). The wrapper came about by an +external request and at the time it was created there were no other C++ +solutions for MQTT. This has changed in the past years and this wrapper +provides no benefit over true C++ libraries or using the pure C libmosquitto. + +#### libmosquitto API changes + +The Mosquitto project has maintained API and ABI compatibility in libmosquitto +since version 1.0, and has dealt with the introduction of new specification +features by adding new functions which duplicate the behaviour of existing +functions, but with additional arguments to support the new features. +Particularly with regards to adding support for MQTT version 5, this has lead +to a proliferation of functions which offer small variations on a theme. + +The libmosquitto functions listed below (which includes some new functions +included in 1.6) are going to be updated for version 2.0. Functions not listed +here should still be considered at risk of being updated. + +* mosquitto\_will\_set +* mosquitto\_connect\* +* mosquitto\_reconnect\* +* mosquitto\_disconnect +* mosquitto\_publish\* +* mosquitto\_subscribe\* +* mosquitto\_unsubscribe\* +* mosquitto\_loop\* +* mosquitto\_\*\_callback\_set +* All callbacks +* mosquitto\_\*\_topic\_check\* + + +## Version 2.0 + +This is the next major release and includes breaking changes. 
Other features +planned include: + +## Disk persistence improvements + +A new disk persistence interface will be created to allow persistence to occur +immediately, rather than periodically. This will allow queued messages for +disconnected clients to be removed from memory, and reduce the periodic pause +caused when writing the persistence file. + +## Breaking changes + +### libmosquitto + +The libmosquitto API is being consolidated to better support the new MQTT 5 +features whilst reducing the number of function variants. + +### libmosquittopp + +The C++ wrapper around libmosquitto will be removed in this release. diff --git a/www/pages/security.md b/www/pages/security.md index 7696dca9..b8abf73d 100644 --- a/www/pages/security.md +++ b/www/pages/security.md @@ -19,6 +19,8 @@ follow the steps on [Eclipse Security] page to report it. Listed with most recent first. Further information on security related issues can be found in the [security category]. +* December 2018: [CVE-2018-20145]. Affecting versions **1.5** to **1.5.4** + inclusive, fixed in **1.5.5.**. More details at [version-155-released]. * November 2018: No CVE assigned. Affecting versions **1.4** to **1.5.3** inclusive, fixed in **1.5.4**. More details at [version-154-released]. * September 2018: [CVE-2018-12543] affecting versions **1.5** to **1.5.2** @@ -43,6 +45,7 @@ can be found in the [security category]. inclusive, fixed in **1.4.12**. More details at [security-advisory-cve-2017-7650]. +[version-155-released]: /2018/11/version-155-released/ [version-154-released]: /2018/11/version-154-released/ [security-advisory-cve-2018-12543]: /2018/09/security-advisory-cve-2018-12543/ [security-advisory-cve-2017-7651-cve-2017-7652]: /2018/02/security-advisory-cve-2017-7651-cve-2017-7652/ 
@@ -52,6 +55,7 @@ can be found in the [security category]. [Eclipse Security]: https://www.eclipse.org/security/ [security category]: /blog/categories/security/ +[CVE-2018-20145]: https://nvd.nist.gov/vuln/detail/CVE-2018-20145 [CVE-2018-12543]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12543 [CVE-2017-9868]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9868 [CVE-2017-7655]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7652 diff --git a/www/posts/2018/11/mqtt5-progress.md b/www/posts/2018/11/mqtt5-progress.md new file mode 100644 index 00000000..2b27e821 --- /dev/null +++ b/www/posts/2018/11/mqtt5-progress.md 
@@ -0,0 +1,59 @@ + + +Development of support for MQTT 5 is ongoing and making good progress, but has +been substantially delayed due to other non-Mosquitto work having to take +priority. + +It is possible to test the current state of MQTT 5 support by using the `mqtt5` +branch of the [repository]. Please note that this is very much a work in +progress, so parts are incomplete and interfaces may yet change. The client +library in particular has had to have an increase in functions available in +order to provide the features needed whilst providing backwards compatibility. +Part of the plan for the 2.0 release, which will follow after 1.6, is to +consolidate the libmosquitto API with breaking changes. There are more details +on the [roadmap]. + +Current features include: + +* Support for all incoming and outgoing packets, although not everything is + processed. +* Support for sending and receiving all properties, with not all properties + processed. +* Client support for setting properties +* Request/response support (client cannot process incoming correlation data) +* Retain availability +* Message expiry interval support +* Server support for assigned client identifiers +* Payload format indicator support +* Content-type support +* Basic topic alias support from client to broker +* Lots of new tests + +Both `mosquitto_pub` and `mosquitto_sub` support setting properties on the +command line, for example: + +``` +mosquitto_sub -t topic -v -D connect session-expiry-interval 60 -D connect user-property key value -D subscribe user-property sub-key sub-value +``` + +``` +mosquitto_pub -t topic -m '{"key":"value"}' -D publish content-type "application/json" +``` + +``` +./sensor_read.sh | mosquitto_pub -t topic -l -D publish topic-alias 1 +``` + +Further updates will be posted when more features are available. + +[repository]: https://github.com/eclipse/mosquitto/tree/mqtt5 +[roadmap]: https://mosquitto.org/roadmap/ \ No newline at end of file 
diff --git a/www/posts/2018/12/version-155-released.md b/www/posts/2018/12/version-155-released.md new file mode 100644 index 00000000..b2d5f96e --- /dev/null +++ b/www/posts/2018/12/version-155-released.md 
@@ -0,0 +1,62 @@ + + +This is a bugfix and security release. + +# Version 1.5.5 changes + +## Security +- If `per_listener_settings` is set to true, then the `acl_file` setting was + ignored for the "default listener" only. This has been fixed. This does not + affect any listeners defined with the `listener` option. Closes [#1073]. + This is now tracked as [CVE-2018-20145]. + +## Broker +- Add `socket_domain` option to allow listeners to disable IPv6 support. + This is required to work around a problem in libwebsockets that means + sockets only listen on IPv6 by default if IPv6 support is compiled in. + Closes [#1004]. +- When using ADNS, don't ask for all network protocols when connecting, + because this can lead to confusing "Protocol not supported" errors if the + network is down. Closes [#1062]. +- Fix outgoing retained messages not being sent by bridges on initial + connection. Closes [#1040]. +- Don't reload `auth_opt_` options on reload, to match the behaviour of the + other plugin options. Closes [#1068]. +- Print message on error when installing/uninstalling as a Windows service. +- All non-error connect/disconnect messages are controlled by the + `connection_messages` option. Closes [#772]. Closes [#613]. Closes [#537]. + +## Library +- Fix reconnect delay backoff behaviour. Closes [#1027]. +- Don't call `on_disconnect()` twice if keepalive tests fail. Closes [#1067]. + +## Client +- Always print leading zeros in `mosquitto_sub` when output format is hex. + Closes [#1066]. + +## Build +- Fix building where TLS-PSK is not available. Closes [#68]. 
+ + +[CVE-2018-20145]: https://nvd.nist.gov/vuln/detail/CVE-2018-20145 +[#68]: https://github.com/eclipse/mosquitto/issues/68 +[#537]: https://github.com/eclipse/mosquitto/issues/537 +[#613]: https://github.com/eclipse/mosquitto/issues/613 +[#772]: https://github.com/eclipse/mosquitto/issues/772 +[#1004]: https://github.com/eclipse/mosquitto/issues/1004 +[#1027]: https://github.com/eclipse/mosquitto/issues/1027 +[#1040]: https://github.com/eclipse/mosquitto/issues/1040 +[#1062]: https://github.com/eclipse/mosquitto/issues/1062 +[#1066]: https://github.com/eclipse/mosquitto/issues/1066 +[#1067]: https://github.com/eclipse/mosquitto/issues/1067 +[#1068]: https://github.com/eclipse/mosquitto/issues/1068 +[#1073]: https://github.com/eclipse/mosquitto/issues/1073