Fix tests build.

Closes #2546. Thanks to Joachim Schachermayer.

CMakeLists.txt

@@ -11,7 +11,7 @@ project(mosquitto)
 cmake_minimum_required(VERSION 2.8)
 # Only for version 3 and up. cmake_policy(SET CMP0042 NEW)
 
-set (VERSION 1.6.12)
+set (VERSION 1.6.15)
 
 add_definitions (-DCMAKE -DVERSION=\"${VERSION}\")
 
@@ -21,6 +21,7 @@ if (WIN32)
 endif (WIN32)
 
 include(GNUInstallDirs)
+include(CheckSymbolExists)
 
 option(WITH_BUNDLED_DEPS "Build with bundled dependencies?" ON)
 option(WITH_TLS
@@ -89,6 +90,11 @@ if (WITH_DLT)
 	add_definitions("-DWITH_DLT")
 endif (WITH_DLT)
 
+check_symbol_exists(epoll_create "sys/epoll.h" HAVE_EPOLL)
+if (HAVE_EPOLL)
+	add_definitions("-DWITH_EPOLL")
+endif (HAVE_EPOLL)
+
 # ========================================
 # Include projects
 # ========================================

ChangeLog.txt

@@ -1,3 +1,80 @@
+1.6.16 - 2022-xx-xx
+===================
+
+Broker:
+- Add clients to session expiry check list when restarting and reloading from
+  persistence. Closes #2546.
+
+
+1.6.15 - 2021-06-08
+===================
+
+Security:
+- If a MQTT v5 client connects with a crafted CONNECT packet a memory leak
+  will occur. This has been fixed.
+
+
+1.6.14 - 2021-02-04
+===================
+
+Security:
+- If an empty or invalid CA file was provided to the client library for
+  verifying the remote broker, then the initial connection would fail but
+  subsequent connections would succeed without verifying the remote broker
+  certificate. Closes #2130.
+- If an empty or invalid CA file was provided to the broker for verifying the
+  remote broker for an outgoing bridge connection then the initial connection
+  would fail but subsequent connections would succeed without verifying the
+  remote broker certificate. Closes #2130.
+
+Broker:
+- Fix encrypted bridge connections incorrectly connecting when `bridge_cafile`
+  is empty or invalid. Closes #2130.
+
+Client library:
+- Fix encrypted connections incorrectly connecting when the CA file passed to
+  `mosquitto_tls_set()` is empty or invalid. Closes #2130.
+- Fix connections retrying very rapidly in some situations.
+
+Clients:
+- Fix possible loss of data in `mosquitto_pub -l` when sending multiple long
+  lines. Closes #2078.
+
+
+1.6.13 - 2021-02-04
+===================
+
+Broker:
+- Fix crash on Windows if loading a plugin fails. Closes #1866.
+- Fix DH group not being set for TLS connections, which meant ciphers using
+  DHE couldn't be used. Closes #1925. Closes #1476.
+- Fix local bridges being disconnected on SIGHUP. Closes #1942.
+- Fix $SYS/broker/publish/messages/+ counters not being updated for QoS 1, 2
+  messages. Closes #1968.
+- Fix listener not being reassociated with client when reloading a persistence
+  file and `per_listener_settings true` is set and the client did not set a
+  username. Closes #1891.
+- Fix file logging on Windows. Closes #1880.
+- Fix bridge sock not being removed from sock hash on error. Closes #1897.
+
+Client library:
+- Fix build on Mac Big Sur. Closes #1905.
+- Fix DH group not being set for TLS connections, which meant ciphers using
+  DHE couldn't be used. Closes #1925. Closes #1476.
+
+Clients:
+- mosquitto_sub will now quit with an error if the %U option is used on
+  Windows, rather than just quitting. Closes #1908.
+- Fix config files truncating options after the first space. Closes #2059.
+
+Apps:
+- Perform stricter parsing of input username in mosquitto_passwd. Closes
+  #570126 (Eclipse bugzilla).
+
+Build:
+- Enable epoll support in CMake builds.
+
+
 1.6.12 - 2020-08-19
 ===================
 

client/client_shared.c

@@ -77,6 +77,10 @@ static int check_format(const char *str)
 					// JSON output, assuming JSON payload
 				}else if(str[i+1] == 'U'){
 					// Unix time+nanoseconds
+#ifdef WIN32
+					fprintf(stderr, "Error: The %%U format option is not supported on Windows.\n");
+					return 1;
+#endif
 				}else if(str[i+1] == 'x' || str[i+1] == 'X'){
 					// payload in hex
 				}else{
@@ -295,7 +299,7 @@ int client_config_load(struct mosq_config *cfg, int pub_or_sub, int argc, char *
 				 * program name as the first entry. */
 				args[1] = strtok(line, " ");
 				if(args[1]){
-					args[2] = strtok(NULL, " ");
+					args[2] = strtok(NULL, "");
 					if(args[2]){
 						count = 3;
 					}else{

client/pub_client.c

@@ -262,7 +262,7 @@ int pub_stdin_line_loop(struct mosquitto *mosq)
 					break;
 				}else{
 					line_buf_len += 1024;
-					pos += 1023;
+					pos += read_len-1;
 					read_len = 1024;
 					buf2 = realloc(line_buf, (size_t )line_buf_len);
 					if(!buf2){

config.mk

@@ -109,7 +109,7 @@ WITH_COVERAGE:=no
 
 # Also bump lib/mosquitto.h, CMakeLists.txt,
 # installer/mosquitto.nsi, installer/mosquitto64.nsi
-VERSION=1.6.12
+VERSION=1.6.15
 
 # Client library SO version. Bump if incompatible API/ABI changes are made.
 SOVERSION=1

installer/mosquitto.nsi

@@ -9,7 +9,7 @@
 !define env_hklm 'HKLM "SYSTEM\CurrentControlSet\Control\Session Manager\Environment"'
 
 Name "Eclipse Mosquitto"
-!define VERSION 1.6.12
+!define VERSION 1.6.15
 OutFile "mosquitto-${VERSION}-install-windows-x86.exe"
 
 InstallDir "$PROGRAMFILES\mosquitto"

installer/mosquitto64.nsi

@@ -9,7 +9,7 @@
 !define env_hklm 'HKLM "SYSTEM\CurrentControlSet\Control\Session Manager\Environment"'
 
 Name "Eclipse Mosquitto"
-!define VERSION 1.6.12
+!define VERSION 1.6.15
 OutFile "mosquitto-${VERSION}-install-windows-x64.exe"
 
 !include "x64.nsh"

lib/loop.c

@@ -209,6 +209,15 @@ static int interruptible_sleep(struct mosquitto *mosq, unsigned long reconnect_d
 #else
 	local_timeout.tv_usec = 0;
 #endif
+
+#ifndef WIN32
+	if(read(mosq->sockpairR, &pairbuf, 1) == 0){
+	}
+#else
+	recv(mosq->sockpairR, &pairbuf, 1, 0);
+#endif
+
+
 	FD_ZERO(&readfds);
 	maxfd = 0;
 	if(mosq->sockpairR != INVALID_SOCKET){

lib/mosquitto.c

@@ -24,6 +24,10 @@ Contributors:
 #include <strings.h>
 #endif
 
+#if defined(__APPLE__)
+#  include <mach/mach_time.h>
+#endif
+
 #include "logging_mosq.h"
 #include "mosquitto.h"
 #include "mosquitto_internal.h"
@@ -192,6 +196,7 @@ int mosquitto_reinitialise(struct mosquitto *mosq, const char *id, bool clean_st
 #ifdef WITH_TLS
 	mosq->ssl = NULL;
 	mosq->ssl_ctx = NULL;
+	mosq->ssl_ctx_defaults = true;
 	mosq->tls_cert_reqs = SSL_VERIFY_PEER;
 	mosq->tls_insecure = false;
 	mosq->want_write = false;

lib/mosquitto.h

@@ -48,7 +48,7 @@ extern "C" {
 
 #define LIBMOSQUITTO_MAJOR 1
 #define LIBMOSQUITTO_MINOR 6
-#define LIBMOSQUITTO_REVISION 12
+#define LIBMOSQUITTO_REVISION 15
 /* LIBMOSQUITTO_VERSION_NUMBER looks like 1002001 for e.g. version 1.2.1. */
 #define LIBMOSQUITTO_VERSION_NUMBER (LIBMOSQUITTO_MAJOR*1000000+LIBMOSQUITTO_MINOR*1000+LIBMOSQUITTO_REVISION)
 

lib/net_mosq.c

@@ -191,6 +191,9 @@ int net__socket_close(struct mosquitto *mosq)
 #endif
 {
 	int rc = 0;
+#ifdef WITH_BROKER
+	struct mosquitto *mosq_found;
+#endif
 
 	assert(mosq);
 #ifdef WITH_TLS
@@ -220,7 +223,10 @@ int net__socket_close(struct mosquitto *mosq)
 	{
 		if(mosq->sock != INVALID_SOCKET){
 #ifdef WITH_BROKER
-			HASH_DELETE(hh_sock, db->contexts_by_sock, mosq);
+			HASH_FIND(hh_sock, db->contexts_by_sock, &mosq->sock, sizeof(mosq->sock), mosq_found);
+			if(mosq_found){
+				HASH_DELETE(hh_sock, db->contexts_by_sock, mosq_found);
+			}
 #endif
 			rc = COMPAT_CLOSE(mosq->sock);
 			mosq->sock = INVALID_SOCKET;
@@ -617,8 +623,6 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
 
 			if(!mosq->ssl_ctx){
 				log__printf(mosq, MOSQ_LOG_ERR, "Error: Unable to create TLS context.");
-				COMPAT_CLOSE(mosq->sock);
-				mosq->sock = INVALID_SOCKET;
 				net__print_ssl_error(mosq);
 				return MOSQ_ERR_TLS;
 			}
@@ -641,11 +645,13 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
 #endif
 		}else{
 			log__printf(mosq, MOSQ_LOG_ERR, "Error: Protocol %s not supported.", mosq->tls_version);
-			COMPAT_CLOSE(mosq->sock);
-			mosq->sock = INVALID_SOCKET;
 			return MOSQ_ERR_INVAL;
 		}
 
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+		/* Allow use of DHE ciphers */
+		SSL_CTX_set_dh_auto(mosq->ssl_ctx, 1);
+#endif
 		/* Disable compression */
 		SSL_CTX_set_options(mosq->ssl_ctx, SSL_OP_NO_COMPRESSION);
 
@@ -667,15 +673,11 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
 			engine = ENGINE_by_id(mosq->tls_engine);
 			if(!engine){
 				log__printf(mosq, MOSQ_LOG_ERR, "Error loading %s engine\n", mosq->tls_engine);
-				COMPAT_CLOSE(mosq->sock);
-				mosq->sock = INVALID_SOCKET;
 				return MOSQ_ERR_TLS;
 			}
 			if(!ENGINE_init(engine)){
 				log__printf(mosq, MOSQ_LOG_ERR, "Failed engine initialisation\n");
 				ENGINE_free(engine);
-				COMPAT_CLOSE(mosq->sock);
-				mosq->sock = INVALID_SOCKET;
 				return MOSQ_ERR_TLS;
 			}
 			ENGINE_set_default(engine, ENGINE_METHOD_ALL);
@@ -690,8 +692,6 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
 #if !defined(OPENSSL_NO_ENGINE)
 				ENGINE_FINISH(engine);
 #endif
-				COMPAT_CLOSE(mosq->sock);
-				mosq->sock = INVALID_SOCKET;
 				net__print_ssl_error(mosq);
 				return MOSQ_ERR_TLS;
 			}
@@ -702,8 +702,6 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
 #  if !defined(OPENSSL_NO_ENGINE)
 				ENGINE_FINISH(engine);
 #  endif
-				COMPAT_CLOSE(mosq->sock);
-				mosq->sock = INVALID_SOCKET;
 				net__print_ssl_error(mosq);
 				return MOSQ_ERR_TLS;
 			}
@@ -729,8 +727,6 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
 #if !defined(OPENSSL_NO_ENGINE)
 					ENGINE_FINISH(engine);
 #endif
-					COMPAT_CLOSE(mosq->sock);
-					mosq->sock = INVALID_SOCKET;
 					net__print_ssl_error(mosq);
 					return MOSQ_ERR_TLS;
 				}
@@ -743,16 +739,12 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
 						if(!ENGINE_ctrl_cmd(engine, ENGINE_SECRET_MODE, ENGINE_SECRET_MODE_SHA, NULL, NULL, 0)){
 							log__printf(mosq, MOSQ_LOG_ERR, "Error: Unable to set engine secret mode sha1");
 							ENGINE_FINISH(engine);
-							COMPAT_CLOSE(mosq->sock);
-							mosq->sock = INVALID_SOCKET;
 							net__print_ssl_error(mosq);
 							return MOSQ_ERR_TLS;
 						}
 						if(!ENGINE_ctrl_cmd(engine, ENGINE_PIN, 0, mosq->tls_engine_kpass_sha1, NULL, 0)){
 							log__printf(mosq, MOSQ_LOG_ERR, "Error: Unable to set engine pin");
 							ENGINE_FINISH(engine);
-							COMPAT_CLOSE(mosq->sock);
-							mosq->sock = INVALID_SOCKET;
 							net__print_ssl_error(mosq);
 							return MOSQ_ERR_TLS;
 						}
@@ -762,16 +754,12 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
 					if(!pkey){
 						log__printf(mosq, MOSQ_LOG_ERR, "Error: Unable to load engine private key file \"%s\".", mosq->tls_keyfile);
 						ENGINE_FINISH(engine);
-						COMPAT_CLOSE(mosq->sock);
-						mosq->sock = INVALID_SOCKET;
 						net__print_ssl_error(mosq);
 						return MOSQ_ERR_TLS;
 					}
 					if(SSL_CTX_use_PrivateKey(mosq->ssl_ctx, pkey) <= 0){
 						log__printf(mosq, MOSQ_LOG_ERR, "Error: Unable to use engine private key file \"%s\".", mosq->tls_keyfile);
 						ENGINE_FINISH(engine);
-						COMPAT_CLOSE(mosq->sock);
-						mosq->sock = INVALID_SOCKET;
 						net__print_ssl_error(mosq);
 						return MOSQ_ERR_TLS;
 					}
@@ -787,8 +775,6 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
 #if !defined(OPENSSL_NO_ENGINE)
 						ENGINE_FINISH(engine);
 #endif
-						COMPAT_CLOSE(mosq->sock);
-						mosq->sock = INVALID_SOCKET;
 						net__print_ssl_error(mosq);
 						return MOSQ_ERR_TLS;
 					}
@@ -799,8 +785,6 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
 #if !defined(OPENSSL_NO_ENGINE)
 					ENGINE_FINISH(engine);
 #endif
-					COMPAT_CLOSE(mosq->sock);
-					mosq->sock = INVALID_SOCKET;
 					net__print_ssl_error(mosq);
 					return MOSQ_ERR_TLS;
 				}
@@ -817,13 +801,26 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
 #endif
 
 
+void net__socket_close_compat(struct mosquitto *mosq)
+{
+#ifdef WITH_BROKER
+	struct mosquitto_db *db = mosquitto__get_db();
+	net__socket_close(db, mosq);
+#else
+	net__socket_close(mosq);
+#endif
+}
+
 int net__socket_connect_step3(struct mosquitto *mosq, const char *host)
 {
 #ifdef WITH_TLS
 	BIO *bio;
 
 	int rc = net__init_ssl_ctx(mosq);
-	if(rc) return rc;
+	if(rc){
+		net__socket_close_compat(mosq);
+		return rc;
+	}
 
 	if(mosq->ssl_ctx){
 		if(mosq->ssl){
@@ -831,8 +828,7 @@ int net__socket_connect_step3(struct mosquitto *mosq, const char *host)
 		}
 		mosq->ssl = SSL_new(mosq->ssl_ctx);
 		if(!mosq->ssl){
-			COMPAT_CLOSE(mosq->sock);
-			mosq->sock = INVALID_SOCKET;
+			net__socket_close_compat(mosq);
 			net__print_ssl_error(mosq);
 			return MOSQ_ERR_TLS;
 		}
@@ -840,8 +836,7 @@ int net__socket_connect_step3(struct mosquitto *mosq, const char *host)
 		SSL_set_ex_data(mosq->ssl, tls_ex_index_mosq, mosq);
 		bio = BIO_new_socket(mosq->sock, BIO_NOCLOSE);
 		if(!bio){
-			COMPAT_CLOSE(mosq->sock);
-			mosq->sock = INVALID_SOCKET;
+			net__socket_close_compat(mosq);
 			net__print_ssl_error(mosq);
 			return MOSQ_ERR_TLS;
 		}
@@ -851,12 +846,12 @@ int net__socket_connect_step3(struct mosquitto *mosq, const char *host)
 		 * required for the SNI resolving
 		 */
 		if(SSL_set_tlsext_host_name(mosq->ssl, host) != 1) {
-			COMPAT_CLOSE(mosq->sock);
-			mosq->sock = INVALID_SOCKET;
+			net__socket_close_compat(mosq);
 			return MOSQ_ERR_TLS;
 		}
 
 		if(net__socket_connect_tls(mosq)){
+			net__socket_close_compat(mosq);
 			return MOSQ_ERR_TLS;
 		}
 

lib/packet_mosq.c

@@ -285,6 +285,8 @@ int packet__write(struct mosquitto *mosq)
 			mosquitto__free(packet);
 			return MOSQ_ERR_SUCCESS;
 #endif
+		}else if(((packet->command)&0xF0) == CMD_PUBLISH){
+			G_PUB_MSGS_SENT_INC(1);
 		}
 
 		/* Free data and reset values */

lib/socks_mosq.c

@@ -23,6 +23,7 @@ Contributors:
 #  include <ws2tcpip.h>
 #elif __QNX__
 #  include <sys/socket.h>
+#  include <arpa/inet.h>
 #  include <netinet/in.h>
 #else
 #  include <arpa/inet.h>

set-version.sh

@@ -2,7 +2,7 @@
 
 MAJOR=1
 MINOR=6
-REVISION=12
+REVISION=15
 
 sed -i "s/^VERSION=.*/VERSION=${MAJOR}.${MINOR}.${REVISION}/" config.mk
 

snap/snapcraft.yaml

@@ -1,5 +1,5 @@
 name: mosquitto
-version: 1.6.12
+version: 1.6.15
 summary: Eclipse Mosquitto MQTT broker
 description: This is a message broker that supports version 5.0, 3.1.1, and 3.1 of the MQTT
     protocol.
@@ -57,6 +57,7 @@ parts:
     make-parameters: ["prefix=/usr", "WITH_WEBSOCKETS=yes", "WITH_ADNS=yes", "CFLAGS=-Wall -ggdb -O2 -I$SNAPCRAFT_STAGE -D_GNU_SOURCE"]
     source: https://github.com/eclipse/mosquitto
     source-type: git
+    source-branch: 1.6.x
 
     build-packages:
       - libssl-dev

src/bridge.c

@@ -90,6 +90,7 @@ int bridge__new(struct mosquitto_db *db, struct mosquitto__bridge *bridge)
 	new_context->tls_alpn = new_context->bridge->tls_alpn;
 	new_context->tls_engine = db->config->default_listener.tls_engine;
 	new_context->tls_keyform = db->config->default_listener.tls_keyform;
+	new_context->ssl_ctx_defaults = true;
 #ifdef FINAL_WITH_TLS_PSK
 	new_context->tls_psk_identity = new_context->bridge->tls_psk_identity;
 	new_context->tls_psk = new_context->bridge->tls_psk;

src/context.c

@@ -135,6 +135,16 @@ void context__cleanup(struct mosquitto_db *db, struct mosquitto *context, bool d
 			mosquitto__free(context->bridge->remote_password);
 		}
 		context->bridge->remote_password = NULL;
+#ifdef WITH_TLS
+		if(context->ssl){
+			SSL_free(context->ssl);
+			context->ssl = NULL;
+		}
+		if(context->ssl_ctx){
+			SSL_CTX_free(context->ssl_ctx);
+			context->ssl_ctx = NULL;
+		}
+#endif
 	}
 #endif
 

src/handle_connect.c

@@ -882,11 +882,13 @@ handle_connect_error:
 		mosquitto__free(will_struct->msg.topic);
 		mosquitto__free(will_struct);
 	}
+	context->will = NULL;
 #ifdef WITH_TLS
 	if(client_cert) X509_free(client_cert);
 #endif
 	/* We return an error here which means the client is freed later on. */
 	context->clean_start = true;
 	context->session_expiry_interval = 0;
+	context->will_delay_interval = 0;
 	return rc;
 }

src/logging.c

@@ -39,6 +39,8 @@ extern struct mosquitto_db int_db;
 HANDLE syslog_h;
 #endif
 
+static char log_fptr_buffer[BUFSIZ];
+
 /* Options for logging should be:
  *
  * A combination of:
@@ -135,7 +137,7 @@ int log__init(struct mosquitto__config *config)
 		}
 		config->log_fptr = mosquitto__fopen(config->log_file, "at", true);
 		if(config->log_fptr){
-			setvbuf(config->log_fptr, NULL, _IOLBF, 0);
+			setvbuf(config->log_fptr, log_fptr_buffer, _IOLBF, sizeof(log_fptr_buffer));
 		}else{
 			log_destinations = MQTT3_LOG_STDERR;
 			log_priorities = MOSQ_LOG_ERR;
@@ -345,6 +347,10 @@ int log__vprintf(int priority, const char *fmt, va_list va)
 			}else{
 				fprintf(log_fptr, "%s\n", s);
 			}
+#ifdef WIN32
+			/* Windows does support line buffering, so flush. */
+			fflush(log_fptr);
+#endif
 		}
 		if(log_destinations & MQTT3_LOG_SYSLOG){
 #ifndef WIN32

src/loop.c

@@ -721,6 +721,9 @@ static void loop_handle_reads_writes(struct mosquitto_db *db, struct pollfd *pol
 	if(!context) {
 		return;
 	}
+	if(context->sock == INVALID_SOCKET){
+		return;
+	}
 	for (i=0;i<1;i++) {
 #else
 	HASH_ITER(hh_sock, db->contexts_by_sock, context, ctxt_tmp){
@@ -728,6 +731,9 @@ static void loop_handle_reads_writes(struct mosquitto_db *db, struct pollfd *pol
 			continue;
 		}
 
+		if(pollfds[context->pollfd_index].fd == INVALID_SOCKET){
+			continue;
+		}
 		assert(pollfds[context->pollfd_index].fd == context->sock);
 #endif
 

src/mosquitto_broker_internal.h

@@ -713,6 +713,7 @@ int mosquitto_security_auth_continue(struct mosquitto_db *db, struct mosquitto *
  * Session expiry
  * ============================================================ */
 int session_expiry__add(struct mosquitto_db *db, struct mosquitto *context);
+int session_expiry__add_from_persistence(struct mosquitto_db *db, struct mosquitto *context, time_t expiry_time);
 void session_expiry__remove(struct mosquitto *context);
 void session_expiry__remove_all(struct mosquitto_db *db);
 void session_expiry__check(struct mosquitto_db *db, time_t now);

src/mosquitto_passwd.c

@@ -16,6 +16,7 @@ Contributors:
 
 #include "config.h"
 
+#include <ctype.h>
 #include <errno.h>
 #include <openssl/opensslv.h>
 #include <openssl/evp.h>
@@ -519,6 +520,8 @@ int main(int argc, char *argv[])
 	int rc;
 	bool do_update_file = false;
 	char *backup_file;
+	int i;
+	size_t slen;
 
 	signal(SIGINT, handle_sigint);
 	signal(SIGTERM, handle_sigint);
@@ -589,9 +592,22 @@ int main(int argc, char *argv[])
 		print_usage();
 		return 1;
 	}
-	if(username && strlen(username) > 65535){
-		fprintf(stderr, "Error: Username must be less than 65536 characters long.\n");
-		return 1;
+	if(username){
+		slen = strlen(username);
+		if(slen > 65535){
+			fprintf(stderr, "Error: Username must be less than 65536 characters long.\n");
+			return 1;
+		}
+		for(i=0; i<slen; i++){
+			if(iscntrl(username[i])){
+				fprintf(stderr, "Error: Username must not contain control characters.\n");
+				return 1;
+			}
+		}
+		if(strchr(username, ':')){
+			fprintf(stderr, "Error: Username must not contain the ':' character.\n");
+			return 1;
+		}
 	}
 	if(password_cmd && strlen(password_cmd) > 65535){
 		fprintf(stderr, "Error: Password must be less than 65536 characters long.\n");

src/net.c

@@ -369,6 +369,9 @@ int net__tls_server_ctx(struct mosquitto__listener *listener)
 	SSL_CTX_set_ecdh_auto(listener->ssl_ctx, 1);
 #endif
 #endif
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+	SSL_CTX_set_dh_auto(listener->ssl_ctx, 1);
+#endif
 
 #ifdef SSL_OP_NO_RENEGOTIATION
 	SSL_CTX_set_options(listener->ssl_ctx, SSL_OP_NO_RENEGOTIATION);

src/persist_read.c

@@ -199,17 +199,17 @@ static int persist__client_chunk_restore(struct mosquitto_db *db, FILE *db_fptr)
 			/* username is not freed here, it is now owned by context */
 			context->username = chunk.username;
 			chunk.username = NULL;
-			/* in per_listener_settings mode, try to find the listener by persisted port */
-			if(db->config->per_listener_settings && !context->listener && chunk.F.listener_port > 0){
-				for(i=0; i < db->config->listener_count; i++){
-					if(db->config->listeners[i].port == chunk.F.listener_port){
-						context->listener = &db->config->listeners[i];
-						break;
-					}
+		}
+		/* in per_listener_settings mode, try to find the listener by persisted port */
+		if(db->config->per_listener_settings && !context->listener && chunk.F.listener_port > 0){
+			for(i=0; i < db->config->listener_count; i++){
+				if(db->config->listeners[i].port == chunk.F.listener_port){
+					context->listener = &db->config->listeners[i];
+					break;
 				}
 			}
 		}
-		/* FIXME - we should expire clients here if they have exceeded their time */
+		session_expiry__add_from_persistence(db, context, chunk.F.session_expiry_time);
 	}else{
 		rc = 1;
 	}

src/persist_write.c

@@ -177,9 +177,9 @@ static int persist__client_save(struct mosquitto_db *db, FILE *db_fptr)
 			if(context->username){
 				chunk.F.username_len = strlen(context->username);
 				chunk.username = context->username;
-				if(context->listener){
-					chunk.F.listener_port = context->listener->port;
-				}
+			}
+			if(context->listener){
+				chunk.F.listener_port = context->listener->port;
 			}
 
 			rc = persist__chunk_client_write_v6(db_fptr, &chunk);

src/security.c

@@ -32,7 +32,7 @@ void LIB_ERROR(void)
 {
 #ifdef WIN32
 	char *buf;
-	FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_STRING,
+	FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM,
 			NULL, GetLastError(), LANG_NEUTRAL, (LPTSTR)&buf, 0, NULL);
 	log__printf(NULL, MOSQ_LOG_ERR, "Load error: %s", buf);
 	LocalFree(buf);

src/security_default.c

@@ -1025,6 +1025,10 @@ int mosquitto_security_apply_default(struct mosquitto_db *db)
 #endif
 
 	HASH_ITER(hh_id, db->contexts_by_id, context, ctxt_tmp){
+		if(context->bridge){
+			continue;
+		}
+
 		/* Check for anonymous clients when allow_anonymous is false */
 		if(db->config->per_listener_settings){
 			if(context->listener){

src/session_expiry.c

@@ -80,6 +80,24 @@ int session_expiry__add(struct mosquitto_db *db, struct mosquitto *context)
 }
 
 
+int session_expiry__add_from_persistence(struct mosquitto_db *db, struct mosquitto *context, time_t expiry_time)
+{
+	struct session_expiry_list *item;
+
+	item = mosquitto__calloc(1, sizeof(struct session_expiry_list));
+	if(!item) return MOSQ_ERR_NOMEM;
+
+	item->context = context;
+	item->context->session_expiry_time = expiry_time;
+
+	context->expiry_list_item = item;
+
+	DL_INSERT_INORDER(expiry_list, item, session_expiry__cmp);
+
+	return MOSQ_ERR_SUCCESS;
+}
+
+
 void session_expiry__remove(struct mosquitto *context)
 {
 	if(context->expiry_list_item){

test/broker/07-will-delay-invalid-573191.py

@@ -0,0 +1,32 @@
+#!/usr/bin/env python3
+
+# Test for https://bugs.eclipse.org/bugs/show_bug.cgi?id=573191
+# Check under valgrind/asan for leaks.
+
+from mosq_test_helper import *
+
+def do_test():
+    rc = 1
+    keepalive = 60
+
+    mid = 1
+    props = mqtt5_props.gen_uint32_prop(mqtt5_props.PROP_WILL_DELAY_INTERVAL, 3)
+    connect_packet = mosq_test.gen_connect("will-573191-test", keepalive=keepalive, proto_ver=5, will_topic="", will_properties=props)
+    connack_packet = b""
+
+    port = mosq_test.get_port()
+    broker = mosq_test.start_broker(filename=os.path.basename(__file__), port=port)
+
+    try:
+        sock = mosq_test.do_client_connect(connect_packet, connack_packet, timeout=30, port=port)
+        sock.close()
+        rc = 0
+    finally:
+        broker.terminate()
+        broker.wait()
+        (stdo, stde) = broker.communicate()
+        if rc:
+            print(stde.decode('utf-8'))
+            exit(rc)
+
+do_test()

test/broker/Makefile

@@ -140,6 +140,7 @@ endif
 	./06-bridge-reconnect-local-out.py
 
 07 :
+	./07-will-delay-invalid-573191.py
 	./07-will-delay-reconnect.py
 	./07-will-delay-recover.py
 	./07-will-delay-session-expiry.py

test/broker/test.py

@@ -114,6 +114,7 @@ tests = [
     (3, './06-bridge-per-listener-settings.py'),
     (2, './06-bridge-reconnect-local-out.py'),
 
+    (1, './07-will-delay-invalid-573191.py'),
     (1, './07-will-delay-reconnect.py'),
     (1, './07-will-delay-recover.py'),
     (1, './07-will-delay-session-expiry.py'),

test/unit/persist_read_stubs.c

@@ -148,3 +148,11 @@ void db__msg_store_ref_inc(struct mosquitto_msg_store *store)
 	store->ref_count++;
 }
 
+int session_expiry__add_from_persistence(struct mosquitto_db *db, struct mosquitto *context, time_t expiry_time)
+{
+	UNUSED(db);
+	UNUSED(context);
+	UNUSED(expiry_time);
+
+	return 0;
+}

test/unit/persist_write_stubs.c

@@ -69,3 +69,12 @@ int send__pubrel(struct mosquitto *mosq, uint16_t mid)
 	return MOSQ_ERR_SUCCESS;
 }
 
+int session_expiry__add_from_persistence(struct mosquitto_db *db, struct mosquitto *context, time_t expiry_time)
+{
+	UNUSED(db);
+	UNUSED(context);
+	UNUSED(expiry_time);
+
+	return 0;
+}
+