|
@ -0,0 +1,215 @@ |
|
|
|
|
|
diff --git a/lib/net_mosq.c b/lib/net_mosq.c
|
|
|
|
|
|
index bdcaa19..f207e32 100644
|
|
|
|
|
|
--- a/lib/net_mosq.c
|
|
|
|
|
|
+++ b/lib/net_mosq.c
|
|
|
|
|
|
@@ -141,7 +141,9 @@ int net__init(void)
|
|
|
|
|
|
| OPENSSL_INIT_ADD_ALL_DIGESTS \ |
|
|
|
|
|
| OPENSSL_INIT_LOAD_CONFIG, NULL); |
|
|
|
|
|
# endif |
|
|
|
|
|
+#if !defined(OPENSSL_NO_ENGINE)
|
|
|
|
|
|
ENGINE_load_builtin_engines(); |
|
|
|
|
|
+#endif
|
|
|
|
|
|
setup_ui_method(); |
|
|
|
|
|
if(tls_ex_index_mosq == -1){ |
|
|
|
|
|
tls_ex_index_mosq = SSL_get_ex_new_index(0, "client context", NULL, NULL, NULL); |
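Review bot: The new `#if !defined(OPENSSL_NO_ENGINE)` / `#endif` around `ENGINE_load_builtin_engines()` sit at column 0, while the nested directives already in this block are indented (`# endif` directly above), so the file's own convention would be `# if !defined(OPENSSL_NO_ENGINE)` / `# endif`. Behaviour is unaffected, and leaving `setup_ui_method()` outside the guard looks right since nothing here suggests it depends on the engine API. net__init starts before and continues after the hunk.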
|
|
|
|
|
@@ -599,6 +601,7 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
|
|
|
|
|
|
SSL_CTX_set_mode(mosq->ssl_ctx, SSL_MODE_RELEASE_BUFFERS); |
|
|
|
|
|
#endif |
|
|
|
|
|
|
|
|
|
|
|
+#if !defined(OPENSSL_NO_ENGINE)
|
|
|
|
|
|
if(mosq->tls_engine){ |
|
|
|
|
|
engine = ENGINE_by_id(mosq->tls_engine); |
|
|
|
|
|
if(!engine){ |
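Review bot: Guarding the whole `if(mosq->tls_engine)` block compiles away every use of `engine`, but its declaration (above this hunk, not visible here) is presumably left in place, which will produce an unused-variable warning on OPENSSL_NO_ENGINE builds and a hard error under `-Werror`; the declaration wants the same guard, `#if !defined(OPENSSL_NO_ENGINE)` / `ENGINE *engine = NULL;` / `#endif`. Note also that the guard is placed outside the `if` here but inside the matching `if(listener->tls_engine)` in src/net.c in the same patch; using one placement in both files makes the no-engine behaviour easier to reason about. net__init_ssl_ctx starts before and continues after the hunk.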
|
|
|
|
|
@@ -615,12 +618,15 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
|
|
|
|
|
|
ENGINE_set_default(engine, ENGINE_METHOD_ALL); |
|
|
|
|
|
ENGINE_free(engine); /* release the structural reference from ENGINE_by_id() */ |
|
|
|
|
|
} |
|
|
|
|
|
+#endif
|
|
|
|
|
|
|
|
|
|
|
|
if(mosq->tls_ciphers){ |
|
|
|
|
|
ret = SSL_CTX_set_cipher_list(mosq->ssl_ctx, mosq->tls_ciphers); |
|
|
|
|
|
if(ret == 0){ |
|
|
|
|
|
log__printf(mosq, MOSQ_LOG_ERR, "Error: Unable to set TLS ciphers. Check cipher list \"%s\".", mosq->tls_ciphers); |
|
|
|
|
|
+#if !defined(OPENSSL_NO_ENGINE)
|
|
|
|
|
|
ENGINE_FINISH(engine); |
|
|
|
|
|
+#endif
|
|
|
|
|
|
COMPAT_CLOSE(mosq->sock); |
|
|
|
|
|
mosq->sock = INVALID_SOCKET; |
|
|
|
|
|
net__print_ssl_error(mosq); |
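Review bot: The three-line `#if` / `ENGINE_FINISH(engine);` / `#endif` guard added to this error exit is repeated at every later exit in this file and in src/net.c, which makes each cleanup path harder to read and easy to get wrong when a new exit is added. `ENGINE_FINISH` is not an OpenSSL API name, so if it is the project's own macro (its definition is not in this diff), making it a no-op under the same condition at its definition site — `#define ENGINE_FINISH(e) ((void)0)` in the OPENSSL_NO_ENGINE branch — would let every call site stay a single unguarded line. net__init_ssl_ctx starts before and continues after the hunk.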
|
|
|
|
|
@@ -647,7 +653,9 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
|
|
|
|
|
|
log__printf(mosq, MOSQ_LOG_ERR, "Error: Unable to load CA certificates, check capath \"%s\".", mosq->tls_capath); |
|
|
|
|
|
} |
|
|
|
|
|
#endif |
|
|
|
|
|
+#if !defined(OPENSSL_NO_ENGINE)
|
|
|
|
|
|
ENGINE_FINISH(engine); |
|
|
|
|
|
+#endif
|
|
|
|
|
|
COMPAT_CLOSE(mosq->sock); |
|
|
|
|
|
mosq->sock = INVALID_SOCKET; |
|
|
|
|
|
net__print_ssl_error(mosq); |
|
|
|
|
|
@@ -672,7 +680,9 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
|
|
|
|
|
|
#else |
|
|
|
|
|
log__printf(mosq, MOSQ_LOG_ERR, "Error: Unable to load client certificate \"%s\".", mosq->tls_certfile); |
|
|
|
|
|
#endif |
|
|
|
|
|
+#if !defined(OPENSSL_NO_ENGINE)
|
|
|
|
|
|
ENGINE_FINISH(engine); |
|
|
|
|
|
+#endif
|
|
|
|
|
|
COMPAT_CLOSE(mosq->sock); |
|
|
|
|
|
mosq->sock = INVALID_SOCKET; |
|
|
|
|
|
net__print_ssl_error(mosq); |
|
|
|
|
|
@@ -681,6 +691,7 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
|
|
|
|
|
|
} |
|
|
|
|
|
if(mosq->tls_keyfile){ |
|
|
|
|
|
if(mosq->tls_keyform == mosq_k_engine){ |
|
|
|
|
|
+#if !defined(OPENSSL_NO_ENGINE)
|
|
|
|
|
|
UI_METHOD *ui_method = net__get_ui_method(); |
|
|
|
|
|
if(mosq->tls_engine_kpass_sha1){ |
|
|
|
|
|
if(!ENGINE_ctrl_cmd(engine, ENGINE_SECRET_MODE, ENGINE_SECRET_MODE_SHA, NULL, NULL, 0)){ |
|
|
|
|
|
@@ -714,6 +725,7 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
|
|
|
|
|
|
net__print_ssl_error(mosq); |
|
|
|
|
|
return MOSQ_ERR_TLS; |
|
|
|
|
|
} |
|
|
|
|
|
+#endif
|
|
|
|
|
|
}else{ |
|
|
|
|
|
ret = SSL_CTX_use_PrivateKey_file(mosq->ssl_ctx, mosq->tls_keyfile, SSL_FILETYPE_PEM); |
|
|
|
|
|
if(ret != 1){ |
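Review bot: When `OPENSSL_NO_ENGINE` is defined and `mosq->tls_keyform == mosq_k_engine`, the `#endif` added before `}else{` leaves that branch empty: no private key is loaded, nothing is logged, and the function carries on as if the key were set, so the failure surfaces later as the misleading "Client certificate/key are inconsistent" message, or possibly not at all. The branch should fail explicitly with its own message and return, as sketched below; alternatively MOSQ_OPT_TLS_KEYFORM could refuse `mosq_k_engine` on such builds, but that option handler is not in this diff. net__init_ssl_ctx starts before and continues after the hunk.
```c
			}
#else
			log__printf(mosq, MOSQ_LOG_ERR, "Error: TLS engine key requested but this build has no OpenSSL engine support.");
			COMPAT_CLOSE(mosq->sock);
			mosq->sock = INVALID_SOCKET;
			return MOSQ_ERR_NOT_SUPPORTED;
#endif
		}else{
```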
|
|
|
|
|
@@ -722,7 +734,9 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
|
|
|
|
|
|
#else |
|
|
|
|
|
log__printf(mosq, MOSQ_LOG_ERR, "Error: Unable to load client key file \"%s\".", mosq->tls_keyfile); |
|
|
|
|
|
#endif |
|
|
|
|
|
+#if !defined(OPENSSL_NO_ENGINE)
|
|
|
|
|
|
ENGINE_FINISH(engine); |
|
|
|
|
|
+#endif
|
|
|
|
|
|
COMPAT_CLOSE(mosq->sock); |
|
|
|
|
|
mosq->sock = INVALID_SOCKET; |
|
|
|
|
|
net__print_ssl_error(mosq); |
|
|
|
|
|
@@ -732,7 +746,9 @@ static int net__init_ssl_ctx(struct mosquitto *mosq)
|
|
|
|
|
|
ret = SSL_CTX_check_private_key(mosq->ssl_ctx); |
|
|
|
|
|
if(ret != 1){ |
|
|
|
|
|
log__printf(mosq, MOSQ_LOG_ERR, "Error: Client certificate/key are inconsistent."); |
|
|
|
|
|
+#if !defined(OPENSSL_NO_ENGINE)
|
|
|
|
|
|
ENGINE_FINISH(engine); |
|
|
|
|
|
+#endif
|
|
|
|
|
|
COMPAT_CLOSE(mosq->sock); |
|
|
|
|
|
mosq->sock = INVALID_SOCKET; |
|
|
|
|
|
net__print_ssl_error(mosq); |
|
|
|
|
|
diff --git a/lib/options.c b/lib/options.c
|
|
|
|
|
|
index 005b781..6dc4262 100644
|
|
|
|
|
|
--- a/lib/options.c
|
|
|
|
|
|
+++ b/lib/options.c
|
|
|
|
|
|
@@ -255,6 +255,7 @@ int mosquitto_string_option(struct mosquitto *mosq, enum mosq_opt_t option, cons
|
|
|
|
|
|
switch(option){ |
|
|
|
|
|
case MOSQ_OPT_TLS_ENGINE: |
|
|
|
|
|
#ifdef WITH_TLS |
|
|
|
|
|
+# if !defined(OPENSSL_NO_ENGINE)
|
|
|
|
|
|
eng = ENGINE_by_id(value); |
|
|
|
|
|
if(!eng){ |
|
|
|
|
|
return MOSQ_ERR_INVAL; |
|
|
|
|
|
@@ -265,6 +266,7 @@ int mosquitto_string_option(struct mosquitto *mosq, enum mosq_opt_t option, cons
|
|
|
|
|
|
return MOSQ_ERR_NOMEM; |
|
|
|
|
|
} |
|
|
|
|
|
return MOSQ_ERR_SUCCESS; |
|
|
|
|
|
+#endif
|
|
|
|
|
|
#else |
|
|
|
|
|
return MOSQ_ERR_NOT_SUPPORTED; |
|
|
|
|
|
#endif |
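Review bot: On a build with WITH_TLS but OPENSSL_NO_ENGINE, `case MOSQ_OPT_TLS_ENGINE:` now compiles to an empty body: the new `# if` block holds the only `return`, and the `#else` / `return MOSQ_ERR_NOT_SUPPORTED;` below pairs with `#ifdef WITH_TLS`, not with the engine guard. Unless a `break` follows outside the hunk, control falls through into the next `case` and the caller never learns the engine option was ignored; replace the added `#endif` with `# else` / `return MOSQ_ERR_NOT_SUPPORTED;` / `# endif`. The `# if` uses the indented nested-directive form while its closing `#endif` does not, and the `eng` local declared above the hunk becomes unused under the same condition. mosquitto_string_option starts before and continues after the hunk.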
|
|
|
|
|
diff --git a/src/net.c b/src/net.c
|
|
|
|
|
|
index 74b4ee8..495f8b2 100644
|
|
|
|
|
|
--- a/src/net.c
|
|
|
|
|
|
+++ b/src/net.c
|
|
|
|
|
|
@@ -534,6 +534,7 @@ int net__socket_listen(struct mosquitto__listener *listener)
|
|
|
|
|
|
return 1; |
|
|
|
|
|
} |
|
|
|
|
|
if(listener->tls_engine){ |
|
|
|
|
|
+#if !defined(OPENSSL_NO_ENGINE)
|
|
|
|
|
|
engine = ENGINE_by_id(listener->tls_engine); |
|
|
|
|
|
if(!engine){ |
|
|
|
|
|
log__printf(NULL, MOSQ_LOG_ERR, "Error loading %s engine\n", listener->tls_engine); |
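Review bot: The `#if !defined(OPENSSL_NO_ENGINE)` is placed inside `if(listener->tls_engine){` rather than around it, so on a no-engine build a listener configured with `tls_engine` enters an empty branch and continues silently; whether that is acceptable depends on what the closing side of this block (in the next hunk) does. Independently, the `engine` local declared above this hunk (not visible) will be unused on such builds, so its declaration should carry the same guard, `#if !defined(OPENSSL_NO_ENGINE)` / `ENGINE *engine = NULL;` / `#endif`. net__socket_listen starts before and continues after the hunk.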
|
|
|
|
|
@@ -548,6 +549,7 @@ int net__socket_listen(struct mosquitto__listener *listener)
|
|
|
|
|
|
} |
|
|
|
|
|
ENGINE_set_default(engine, ENGINE_METHOD_ALL); |
|
|
|
|
|
ENGINE_free(engine); /* release the structural reference from ENGINE_by_id() */ |
|
|
|
|
|
+#endif
|
|
|
|
|
|
} |
|
|
|
|
|
/* FIXME user data? */ |
|
|
|
|
|
if(listener->require_certificate){ |
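Review bot: With `OPENSSL_NO_ENGINE` defined, the `#endif` added after `ENGINE_free()` gives the `if(listener->tls_engine){` block (opened in the previous hunk) an empty body: a broker configured to use an engine — typically because the private key lives in an HSM or TPM — starts without it and, if `keyfile` names a plain file, runs its TLS operations in software while the configuration says otherwise. Since this start-up path already fails hard on other misconfigurations, it should log and return 1 rather than continue; an `#else` branch as below does that. net__socket_listen starts before and continues after the hunk.
```c
		ENGINE_free(engine); /* release the structural reference from ENGINE_by_id() */
#else
		log__printf(NULL, MOSQ_LOG_ERR, "Error: tls_engine is configured but this build has no OpenSSL engine support.");
		COMPAT_CLOSE(sock);
		return 1;
#endif
	}
```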
|
|
|
|
|
@@ -560,10 +562,13 @@ int net__socket_listen(struct mosquitto__listener *listener)
|
|
|
|
|
|
log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to load server certificate \"%s\". Check certfile.", listener->certfile); |
|
|
|
|
|
net__print_error(MOSQ_LOG_ERR, "Error: %s"); |
|
|
|
|
|
COMPAT_CLOSE(sock); |
|
|
|
|
|
+#if !defined(OPENSSL_NO_ENGINE)
|
|
|
|
|
|
ENGINE_FINISH(engine); |
|
|
|
|
|
+#endif
|
|
|
|
|
|
return 1; |
|
|
|
|
|
} |
|
|
|
|
|
if(listener->tls_keyform == mosq_k_engine){ |
|
|
|
|
|
+#if !defined(OPENSSL_NO_ENGINE)
|
|
|
|
|
|
UI_METHOD *ui_method = net__get_ui_method(); |
|
|
|
|
|
if(listener->tls_engine_kpass_sha1){ |
|
|
|
|
|
if(!ENGINE_ctrl_cmd(engine, ENGINE_SECRET_MODE, ENGINE_SECRET_MODE_SHA, NULL, NULL, 0)){ |
|
|
|
|
|
@@ -593,13 +598,16 @@ int net__socket_listen(struct mosquitto__listener *listener)
|
|
|
|
|
|
ENGINE_FINISH(engine); |
|
|
|
|
|
return 1; |
|
|
|
|
|
} |
|
|
|
|
|
+#endif
|
|
|
|
|
|
}else{ |
|
|
|
|
|
rc = SSL_CTX_use_PrivateKey_file(listener->ssl_ctx, listener->keyfile, SSL_FILETYPE_PEM); |
|
|
|
|
|
if(rc != 1){ |
|
|
|
|
|
log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to load server key file \"%s\". Check keyfile.", listener->keyfile); |
|
|
|
|
|
net__print_error(MOSQ_LOG_ERR, "Error: %s"); |
|
|
|
|
|
COMPAT_CLOSE(sock); |
|
|
|
|
|
+#if !defined(OPENSSL_NO_ENGINE)
|
|
|
|
|
|
ENGINE_FINISH(engine); |
|
|
|
|
|
+#endif
|
|
|
|
|
|
return 1; |
|
|
|
|
|
} |
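Review bot: When `OPENSSL_NO_ENGINE` is defined and `listener->tls_keyform == mosq_k_engine`, the `#endif` added before `}else{` leaves the branch empty, so no server key is loaded and nothing is logged; the listener then fails at the later certificate/key consistency check visible below with "Server certificate/key are inconsistent", which points an operator at the wrong cause. The branch should fail with its own message, as below. net__socket_listen starts before and continues after the hunk.
```c
		}
#else
		log__printf(NULL, MOSQ_LOG_ERR, "Error: tls_keyform engine is configured but this build has no OpenSSL engine support.");
		COMPAT_CLOSE(sock);
		return 1;
#endif
	}else{
```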
|
|
|
|
|
} |
|
|
|
|
|
@@ -608,7 +616,9 @@ int net__socket_listen(struct mosquitto__listener *listener)
|
|
|
|
|
|
log__printf(NULL, MOSQ_LOG_ERR, "Error: Server certificate/key are inconsistent."); |
|
|
|
|
|
net__print_error(MOSQ_LOG_ERR, "Error: %s"); |
|
|
|
|
|
COMPAT_CLOSE(sock); |
|
|
|
|
|
+#if !defined(OPENSSL_NO_ENGINE)
|
|
|
|
|
|
ENGINE_FINISH(engine); |
|
|
|
|
|
+#endif
|
|
|
|
|
|
return 1; |
|
|
|
|
|
} |
|
|
|
|
|
/* Load CRLs if they exist. */ |
|
|
|
|
|
@@ -618,7 +628,9 @@ int net__socket_listen(struct mosquitto__listener *listener)
|
|
|
|
|
|
log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to obtain TLS store."); |
|
|
|
|
|
net__print_error(MOSQ_LOG_ERR, "Error: %s"); |
|
|
|
|
|
COMPAT_CLOSE(sock); |
|
|
|
|
|
+#if !defined(OPENSSL_NO_ENGINE)
|
|
|
|
|
|
ENGINE_FINISH(engine); |
|
|
|
|
|
+#endif
|
|
|
|
|
|
return 1; |
|
|
|
|
|
} |
|
|
|
|
|
lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file()); |
|
|
|
|
|
@@ -627,7 +639,9 @@ int net__socket_listen(struct mosquitto__listener *listener)
|
|
|
|
|
|
log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to load certificate revocation file \"%s\". Check crlfile.", listener->crlfile); |
|
|
|
|
|
net__print_error(MOSQ_LOG_ERR, "Error: %s"); |
|
|
|
|
|
COMPAT_CLOSE(sock); |
|
|
|
|
|
+#if !defined(OPENSSL_NO_ENGINE)
|
|
|
|
|
|
ENGINE_FINISH(engine); |
|
|
|
|
|
+#endif
|
|
|
|
|
|
return 1; |
|
|
|
|
|
} |
|
|
|
|
|
X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK); |
|
|
|
|
|
@@ -644,7 +658,9 @@ int net__socket_listen(struct mosquitto__listener *listener)
|
|
|
|
|
|
|
|
|
|
|
|
if(mosquitto__tls_server_ctx(listener)){ |
|
|
|
|
|
COMPAT_CLOSE(sock); |
|
|
|
|
|
+#if !defined(OPENSSL_NO_ENGINE)
|
|
|
|
|
|
ENGINE_FINISH(engine); |
|
|
|
|
|
+#endif
|
|
|
|
|
|
return 1; |
|
|
|
|
|
} |
|
|
|
|
|
SSL_CTX_set_psk_server_callback(listener->ssl_ctx, psk_server_callback); |
|
|
|
|
|
@@ -654,7 +670,9 @@ int net__socket_listen(struct mosquitto__listener *listener)
|
|
|
|
|
|
log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to set TLS PSK hint."); |
|
|
|
|
|
net__print_error(MOSQ_LOG_ERR, "Error: %s"); |
|
|
|
|
|
COMPAT_CLOSE(sock); |
|
|
|
|
|
+#if !defined(OPENSSL_NO_ENGINE)
|
|
|
|
|
|
ENGINE_FINISH(engine); |
|
|
|
|
|
+#endif
|
|
|
|
|
|
return 1; |
|
|
|
|
|
} |
|
|
|
|
|
} |