From 5d9c535a91308cb1f05164323688d8d74ddd92cb Mon Sep 17 00:00:00 2001
From: Eric Blankenhorn
Date: Wed, 31 May 2023 16:57:03 -0500
Subject: [PATCH] Add mosquitto OSP

---
 README.md | 3 +-
 mosquitto/2.0.15.patch | 155 +++++++++++++++++++++++++++++++++++++++++
 mosquitto/README.md | 1 +
 3 files changed, 158 insertions(+), 1 deletion(-)
 create mode 100644 mosquitto/2.0.15.patch
 create mode 100644 mosquitto/README.md

diff --git a/README.md b/README.md
index e958fe73..ea8b597b 100644
--- a/README.md
+++ b/README.md
@@ -9,7 +9,7 @@ wolfSSL can provide several advantages over using the default SSL/TLS implementa
 * Portability across platforms and OS/RTOS environments
 * Low/optimized memory use (runtime and footprint)
 * [Best-tested](https://www.wolfssl.com/overview-of-testing-in-wolfssl/) SSL/TLS/crypto implementation available, reducing vulnerabilities
-* Current protocol support, up to [TLS 1.3](https://www.wolfssl.com/tls13) and DTLS 1.2
+* Current protocol support, up to [TLS 1.3](https://www.wolfssl.com/tls13) and [DTLS 1.3](https://www.wolfssl.com/whats-new-dtls-1-3/)
 * Progressive algorithm support (ChaCha20, Poly1305, Curve/Ed25519, etc)
 * [Commercial support](https://www.wolfssl.com/products/support-and-maintenance/) available direct from wolfSSL engineers
 * [Commercial licenses](https://www.wolfssl.com/license/) available (in addition to standard GPLv2)
@@ -35,6 +35,7 @@ Each project port included in this repository is contained in its own subdirecto
 | libssh2 | client-side C library for SSH2 | [Link](https://www.libssh2.org/) | [Link](https://www.wolfssl.com/open-source-project-ports-libssh2/) | [README](./libssh2/1.9.0/README.md) |
 | lighttpd | lighttpd web server | [Link](https://www.lighttpd.net/) | [Link](https://www.wolfssl.com/lighttpd-support-wolfssl/) | [README](./lighttpd/README) |
 | mariadb | MariaDB relational database | [Link](https://mariadb.org/) | | [README](./mariadb/10.5.11/README.md) |
+| mosquitto | Eclipse Mosquitto - An open source MQTT broker | [Link](https://mosquitto.org/) | | [README](./mosquitto/README.md) |
 | net-snmp | Simple Network Management Protocol | [Link](http://www.net-snmp.org/) | | [README](./net-snmp/README.md) |
 | ntp | Network Time Protocol | [Link](http://www.ntp.org/) | [Link](https://www.wolfssl.com/open-source-project-ports-ntp/) | [README](./ntp/4.2.8p15/README.md) |
 | NXP SE05X Middleware | wolfSSL HostCrypto support patch | [Link](https://www.nxp.com/products/security-and-authentication/authentication/edgelock-se050-plug-trust-secure-element-family-enhanced-iot-security-with-high-flexibility:SE050) | | [README](./nxp-se05x-middleware/README.md) |
diff --git a/mosquitto/2.0.15.patch b/mosquitto/2.0.15.patch
new file mode 100644
index 00000000..4d530d40
--- /dev/null
+++ b/mosquitto/2.0.15.patch
@@ -0,0 +1,155 @@
+From ac6e407630b9352b166d2012e9732a12448c23e1 Mon Sep 17 00:00:00 2001
+From: Eric Blankenhorn
+Date: Thu, 1 Jun 2023 08:42:14 -0500
+Subject: [PATCH] Use wolfSSL for TLS
+
+Changes:
+- `config.mk`: add the `WITH_TLS=wolfssl` option
+- The`wolfssl/options.h` header is included by defining the `EXTERNAL_OPTS_OPENVPN` macro
+- `net_mosq.c`: UI_METHOD not implemented in wolfSSL
+- `net_mosq.h`: UI_METHOD not implemented in wolfSSL
+- `net_mosq_ocsp.c`: safestack.h not implemented in wolfSSL
+
+wolfSSL
+
+```
+git clone https://github.com/wolfSSL/wolfssl.git
+cd wolfssl
+./autogen.sh
+./configure --enable-opensslextra --enable-opensslall --enable-ocsp --enable-ocspstapling --enable-context-extra-user-data --enable-psk --enable-sessioncerts --enable-crl CFLAGS="-DOPENSSL_VERSION_NUMBER=0x10100000"
+make
+make install
+```
+
+Eclipse Mosquitto
+
+```
+git clone https://github.com/eclipse/mosquitto.git
+cd mosquitto
+git checkout v2.0.15
+patch -p1 <
+make WITH_TLS=wolfssl
+make WITH_TLS=wolfssl test
+```
+
+---
+ config.mk | 19 +++++++++++++++++++
+ lib/net_mosq.c | 12 +++++++++---
+ lib/net_mosq.h | 2 ++
+ lib/net_mosq_ocsp.c | 2 ++
+ 4 files changed, 32 insertions(+), 3 deletions(-)
+
+diff --git a/config.mk b/config.mk
+index 73daefdf..f25fb0f3 100644
+--- a/config.mk
++++ b/config.mk
+@@ -253,6 +253,25 @@ ifeq ($(WITH_TLS),yes)
+ endif
+ endif
+ 
++ifeq ($(WITH_TLS),wolfssl)
++ WOLFSSLDIR=/usr/local/include/wolfssl
++
++ APP_CPPFLAGS:=$(APP_CPPFLAGS) -DWITH_TLS -DOPENSSL_NO_ENGINE -I$(WOLFSSLDIR) -DEXTERNAL_OPTS_OPENVPN -DUSE_WOLFSSL
++ BROKER_CPPFLAGS:=$(BROKER_CPPFLAGS) -DWITH_TLS -DOPENSSL_NO_ENGINE -I$(WOLFSSLDIR) -DEXTERNAL_OPTS_OPENVPN -DUSE_WOLFSSL
++ BROKER_LDADD:=$(BROKER_LDADD) -lwolfssl
++ CLIENT_CPPFLAGS:=$(CLIENT_CPPFLAGS) -DWITH_TLS -DOPENSSL_NO_ENGINE -I$(WOLFSSLDIR) -DEXTERNAL_OPTS_OPENVPN -DUSE_WOLFSSL
++ LIB_CPPFLAGS:=$(LIB_CPPFLAGS) -DWITH_TLS -DOPENSSL_NO_ENGINE -I$(WOLFSSLDIR) -DEXTERNAL_OPTS_OPENVPN -DUSE_WOLFSSL
++ LIB_LIBADD:=$(LIB_LIBADD) -lwolfssl
++ PASSWD_LDADD:=$(PASSWD_LDADD) -lwolfssl
++ STATIC_LIB_DEPS:=$(STATIC_LIB_DEPS) -lwolfssl
++
++ ifeq ($(WITH_TLS_PSK),yes)
++ BROKER_CPPFLAGS:=$(BROKER_CPPFLAGS) -DWITH_TLS_PSK -DOPENSSL_NO_ENGINE -I$(WOLFSSLDIR) -DEXTERNAL_OPTS_OPENVPN -DUSE_WOLFSSL
++ LIB_CPPFLAGS:=$(LIB_CPPFLAGS) -DWITH_TLS_PSK -DOPENSSL_NO_ENGINE -I$(WOLFSSLDIR) -DEXTERNAL_OPTS_OPENVPN -DUSE_WOLFSSL
++ CLIENT_CPPFLAGS:=$(CLIENT_CPPFLAGS) -DWITH_TLS_PSK -DOPENSSL_NO_ENGINE -I$(WOLFSSLDIR) -DEXTERNAL_OPTS_OPENVPN -DUSE_WOLFSSL
++ endif
++endif
++
+ ifeq ($(WITH_THREADING),yes)
+ LIB_LDFLAGS:=$(LIB_LDFLAGS) -pthread
+ LIB_CPPFLAGS:=$(LIB_CPPFLAGS) -DWITH_THREADING
+diff --git a/lib/net_mosq.c b/lib/net_mosq.c
+index 80d9195b..c3a1122d 100644
+--- a/lib/net_mosq.c
++++ b/lib/net_mosq.c
+@@ -78,10 +78,12 @@ Contributors:
+ #include "util_mosq.h"
+ 
+ #ifdef WITH_TLS
++static bool is_tls_initialized = false;
+ int tls_ex_index_mosq = -1;
++
++#ifndef USE_WOLFSSL
+ UI_METHOD *_ui_method = NULL;
+ 
+-static bool is_tls_initialized = false;
+ 
+ /* Functions taken from OpenSSL s_server/s_client */
+ static int ui_open(UI *ui)
+@@ -125,7 +127,7 @@ UI_METHOD *net__get_ui_method(void)
+ {
+ return _ui_method;
+ }
+-
++#endif /* !USE_WOLFSSL */
+ #endif
+ 
+ int net__init(void)
+@@ -156,12 +158,14 @@ void net__cleanup(void)
+ # if !defined(OPENSSL_NO_ENGINE)
+ ENGINE_cleanup();
+ # endif
+- is_tls_initialized = false;
+ # endif
++ is_tls_initialized = false;
+ 
+ CONF_modules_unload(1);
++#ifndef USE_WOLFSSL
+ cleanup_ui_method();
+ #endif
++#endif
+ 
+ #ifdef WITH_SRV
+ ares_library_cleanup();
+@@ -189,7 +193,9 @@ void net__init_tls(void)
+ #if !defined(OPENSSL_NO_ENGINE)
+ ENGINE_load_builtin_engines();
+ #endif
++#ifndef USE_WOLFSSL
+ setup_ui_method();
++#endif
+ if(tls_ex_index_mosq == -1){
+ tls_ex_index_mosq = SSL_get_ex_new_index(0, "client context", NULL, NULL, NULL);
+ }
+diff --git a/lib/net_mosq.h b/lib/net_mosq.h
+index ded98760..90ccf08e 100644
+--- a/lib/net_mosq.h
++++ b/lib/net_mosq.h
+@@ -84,7 +84,9 @@ void net__print_ssl_error(struct mosquitto *mosq);
+ int net__socket_apply_tls(struct mosquitto *mosq);
+ int net__socket_connect_tls(struct mosquitto *mosq);
+ int mosquitto__verify_ocsp_status_cb(SSL * ssl, void *arg);
++#ifndef USE_WOLFSSL
+ UI_METHOD *net__get_ui_method(void);
++#endif
+ #define ENGINE_FINISH(e) if(e) ENGINE_finish(e)
+ #define ENGINE_SECRET_MODE "SECRET_MODE"
+ #define ENGINE_SECRET_MODE_SHA 0x1000
+diff --git a/lib/net_mosq_ocsp.c b/lib/net_mosq_ocsp.c
+index 8c762373..96732c21 100644
+--- a/lib/net_mosq_ocsp.c
++++ b/lib/net_mosq_ocsp.c
+@@ -49,7 +49,9 @@ in this Software without prior written authorization of the copyright holder.
+ #include
+ #include
+ 
++#ifndef USE_WOLFSSL
+ #include
++#endif
+ #include
+ #include
+ #include
+--
+2.34.1
+
diff --git a/mosquitto/README.md b/mosquitto/README.md
new file mode 100644
index 00000000..5f25de11
--- /dev/null
+++ b/mosquitto/README.md
@@ -0,0 +1 @@
+This folder contains patches for mosquitto to work with wolfSSL. Patches make it easier to add support for newer versions of a target library. The format of the patch names is: `.patch` Instructions for applying each patch are included in the patch commit message.
\ No newline at end of file
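Review bot: In the net__cleanup() hunk of lib/net_mosq.c inside the new 2.0.15.patch, `is_tls_initialized = false;` is moved from inside a `# if … # endif` block to after it, and the move is not wrapped in `USE_WOLFSSL`, so it changes every TLS build rather than only the wolfSSL one. The conditional being exited starts above that hunk (in upstream 2.0.15 it is presumably the `OPENSSL_VERSION_NUMBER < 0x10100000L` block), so for OpenSSL ≥ 1.1 builds a later net__init_tls() would now re-run its initialisation instead of returning early; that may be intended, but the commit message lists only the UI_METHOD and safestack.h differences. Either scope the moved line with `#ifdef USE_WOLFSSL` / `#endif`, or add a comment such as `/* reset for every backend so net__init_tls() can be called again after cleanup */`. Separately, in the config.mk hunk `WOLFSSLDIR=/usr/local/include/wolfssl` would better be `WOLFSSLDIR?=/usr/local/include/wolfssl` so an environment value is honoured, and no `-L` path accompanies `-lwolfssl`, so linking relies on the library being in the default search path.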