Add mosquitto OSP
embhorn committed Jun 5, 2024
1 parent 177ff27 commit e36465c
Showing 3 changed files with 180 additions and 1 deletion.
3 changes: 2 additions & 1 deletion README.md
Expand Up @@ -9,7 +9,7 @@ wolfSSL can provide several advantages over using the default SSL/TLS implementa
* Portability across platforms and OS/RTOS environments
* Low/optimized memory use (runtime and footprint)
* [Best-tested](https://www.wolfssl.com/overview-of-testing-in-wolfssl/) SSL/TLS/crypto implementation available, reducing vulnerabilities
* Current protocol support, up to [TLS 1.3](https://www.wolfssl.com/tls13) and DTLS 1.2
* Current protocol support, up to [TLS 1.3](https://www.wolfssl.com/tls13) and [DTLS 1.3](https://www.wolfssl.com/whats-new-dtls-1-3/)
* Progressive algorithm support (ChaCha20, Poly1305, Curve/Ed25519, etc)
* [Commercial support](https://www.wolfssl.com/products/support-and-maintenance/) available direct from wolfSSL engineers
* [Commercial licenses](https://www.wolfssl.com/license/) available (in addition to standard GPLv2)
Expand All @@ -36,6 +36,7 @@ Each project port included in this repository is contained in its own subdirecto
| libssh2 | client-side C library for SSH2 | [Link](https://www.libssh2.org/) | [Link](https://www.wolfssl.com/open-source-project-ports-libssh2/) | [README](./libssh2/1.9.0/README.md) |
| lighttpd | lighttpd web server | [Link](https://www.lighttpd.net/) | [Link](https://www.wolfssl.com/lighttpd-support-wolfssl/) | [README](./lighttpd/README) |
| mariadb | MariaDB relational database | [Link](https://mariadb.org/) | | [README](./mariadb/10.5.11/README.md) |
| mosquitto | Eclipse Mosquitto - An open source MQTT broker | [Link](https://mosquitto.org/) | | [README](./mosquitto/README.md) |
| net-snmp | Simple Network Management Protocol | [Link](http://www.net-snmp.org/) | | [README](./net-snmp/README.md) |
| ntp | Network Time Protocol | [Link](http://www.ntp.org/) | [Link](https://www.wolfssl.com/open-source-project-ports-ntp/) | [README](./ntp/4.2.8p15/README.md) |
| NXP SE05X Middleware | wolfSSL HostCrypto support patch | [Link](https://www.nxp.com/products/security-and-authentication/authentication/edgelock-se050-plug-trust-secure-element-family-enhanced-iot-security-with-high-flexibility:SE050) | | [README](./nxp-se05x-middleware/README.md) |
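--- a/mosquitto/2.0.15.patch
+++ b/mosquitto/2.0.15.patch
@@ -0,0 +1,155 @@
+From ac6e407630b9352b166d2012e9732a12448c23e1 Mon Sep 17 00:00:00 2001
+From: Eric Blankenhorn <eric@wolfssl.com>
+Date: Thu, 1 Jun 2023 08:42:14 -0500
+Subject: [PATCH] Use wolfSSL for TLS
+
+Changes:
+- `config.mk`: add the `WITH_TLS=wolfssl` option
+- The`wolfssl/options.h` header is included by defining the `EXTERNAL_OPTS_OPENVPN` macro
+- `net_mosq.c`: UI_METHOD not implemented in wolfSSL
+- `net_mosq.h`: UI_METHOD not implemented in wolfSSL
+- `net_mosq_ocsp.c`: safestack.h not implemented in wolfSSL
+
+wolfSSL
+
+```
+git clone https://github.com/wolfSSL/wolfssl.git
+cd wolfssl
+./autogen.sh
+./configure --enable-mosquitto
+make
+make install
+```
+
+Eclipse Mosquitto
+
+```
+git clone https://github.com/eclipse/mosquitto.git
+cd mosquitto
+git checkout v2.0.15
+patch -p1 < <path/to/patch/file>
+make WITH_TLS=wolfssl
+make WITH_TLS=wolfssl test
+```
+
+---
+config.mk | 19 +++++++++++++++++++
+lib/net_mosq.c | 12 +++++++++---
+lib/net_mosq.h | 2 ++
+lib/net_mosq_ocsp.c | 2 ++
+4 files changed, 32 insertions(+), 3 deletions(-)
+
+diff --git a/config.mk b/config.mk
+index 73daefdf..f25fb0f3 100644
+--- a/config.mk
++++ b/config.mk
+@@ -253,6 +253,25 @@ ifeq ($(WITH_TLS),yes)
+endif
+endif
+
++ifeq ($(WITH_TLS),wolfssl)
++ WOLFSSLDIR=/usr/local/include/wolfssl
++
++ APP_CPPFLAGS:=$(APP_CPPFLAGS) -DWITH_TLS -DOPENSSL_NO_ENGINE -I$(WOLFSSLDIR) -DEXTERNAL_OPTS_OPENVPN -DUSE_WOLFSSL
++ BROKER_CPPFLAGS:=$(BROKER_CPPFLAGS) -DWITH_TLS -DOPENSSL_NO_ENGINE -I$(WOLFSSLDIR) -DEXTERNAL_OPTS_OPENVPN -DUSE_WOLFSSL
++ BROKER_LDADD:=$(BROKER_LDADD) -lwolfssl
++ CLIENT_CPPFLAGS:=$(CLIENT_CPPFLAGS) -DWITH_TLS -DOPENSSL_NO_ENGINE -I$(WOLFSSLDIR) -DEXTERNAL_OPTS_OPENVPN -DUSE_WOLFSSL
++ LIB_CPPFLAGS:=$(LIB_CPPFLAGS) -DWITH_TLS -DOPENSSL_NO_ENGINE -I$(WOLFSSLDIR) -DEXTERNAL_OPTS_OPENVPN -DUSE_WOLFSSL
++ LIB_LIBADD:=$(LIB_LIBADD) -lwolfssl
++ PASSWD_LDADD:=$(PASSWD_LDADD) -lwolfssl
++ STATIC_LIB_DEPS:=$(STATIC_LIB_DEPS) -lwolfssl
++
++ ifeq ($(WITH_TLS_PSK),yes)
++ BROKER_CPPFLAGS:=$(BROKER_CPPFLAGS) -DWITH_TLS_PSK -DOPENSSL_NO_ENGINE -I$(WOLFSSLDIR) -DEXTERNAL_OPTS_OPENVPN -DUSE_WOLFSSL
++ LIB_CPPFLAGS:=$(LIB_CPPFLAGS) -DWITH_TLS_PSK -DOPENSSL_NO_ENGINE -I$(WOLFSSLDIR) -DEXTERNAL_OPTS_OPENVPN -DUSE_WOLFSSL
++ CLIENT_CPPFLAGS:=$(CLIENT_CPPFLAGS) -DWITH_TLS_PSK -DOPENSSL_NO_ENGINE -I$(WOLFSSLDIR) -DEXTERNAL_OPTS_OPENVPN -DUSE_WOLFSSL
++ endif
++endif
++
+ifeq ($(WITH_THREADING),yes)
+LIB_LDFLAGS:=$(LIB_LDFLAGS) -pthread
+LIB_CPPFLAGS:=$(LIB_CPPFLAGS) -DWITH_THREADING
+diff --git a/lib/net_mosq.c b/lib/net_mosq.c
+index 80d9195b..c3a1122d 100644
+--- a/lib/net_mosq.c
++++ b/lib/net_mosq.c
+@@ -78,10 +78,12 @@ Contributors:
+#include "util_mosq.h"
+
+#ifdef WITH_TLS
++static bool is_tls_initialized = false;
+int tls_ex_index_mosq = -1;
++
++#ifndef USE_WOLFSSL
+UI_METHOD *_ui_method = NULL;
+
+-static bool is_tls_initialized = false;
+
+/* Functions taken from OpenSSL s_server/s_client */
+static int ui_open(UI *ui)
+@@ -125,7 +127,7 @@ UI_METHOD *net__get_ui_method(void)
+{
+return _ui_method;
+}
+-
++#endif /* !USE_WOLFSSL */
+#endif
+
+int net__init(void)
+@@ -156,12 +158,14 @@ void net__cleanup(void)
+# if !defined(OPENSSL_NO_ENGINE)
+ENGINE_cleanup();
+# endif
+- is_tls_initialized = false;
+# endif
++ is_tls_initialized = false;
+
+CONF_modules_unload(1);
++#ifndef USE_WOLFSSL
+cleanup_ui_method();
+#endif
++#endif
+
+#ifdef WITH_SRV
+ares_library_cleanup();
+@@ -189,7 +193,9 @@ void net__init_tls(void)
+#if !defined(OPENSSL_NO_ENGINE)
+ENGINE_load_builtin_engines();
+#endif
++#ifndef USE_WOLFSSL
+setup_ui_method();
++#endif
+if(tls_ex_index_mosq == -1){
+tls_ex_index_mosq = SSL_get_ex_new_index(0, "client context", NULL, NULL, NULL);
+}
+diff --git a/lib/net_mosq.h b/lib/net_mosq.h
+index ded98760..90ccf08e 100644
+--- a/lib/net_mosq.h
++++ b/lib/net_mosq.h
+@@ -84,7 +84,9 @@ void net__print_ssl_error(struct mosquitto *mosq);
+int net__socket_apply_tls(struct mosquitto *mosq);
+int net__socket_connect_tls(struct mosquitto *mosq);
+int mosquitto__verify_ocsp_status_cb(SSL * ssl, void *arg);
++#ifndef USE_WOLFSSL
+UI_METHOD *net__get_ui_method(void);
++#endif
+#define ENGINE_FINISH(e) if(e) ENGINE_finish(e)
+#define ENGINE_SECRET_MODE "SECRET_MODE"
+#define ENGINE_SECRET_MODE_SHA 0x1000
+diff --git a/lib/net_mosq_ocsp.c b/lib/net_mosq_ocsp.c
+index 8c762373..96732c21 100644
+--- a/lib/net_mosq_ocsp.c
++++ b/lib/net_mosq_ocsp.c
+@@ -49,7 +49,9 @@ in this Software without prior written authorization of the copyright holder.
+#include <mosquitto_internal.h>
+#include <net_mosq.h>
+
++#ifndef USE_WOLFSSL
+#include <openssl/safestack.h>
++#endif
+#include <openssl/tls1.h>
+#include <openssl/ssl.h>
+#include <openssl/ocsp.h>
+--
+2.34.1
+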
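Review bot: The `WOLFSSLDIR=/usr/local/include/wolfssl` line in the new `ifeq ($(WITH_TLS),wolfssl)` block of config.mk uses a plain `=`, so a wolfSSL installed anywhere else cannot be selected without editing the patched file; `WOLFSSLDIR?=/usr/local/include/wolfssl` keeps the default and lets a caller pass `make WITH_TLS=wolfssl WOLFSSLDIR=<path>`. The same block links with `-lwolfssl` and no library search path, so the build silently depends on libwolfssl already being on the linker's default path, which the patch header's install steps should state. The three `WITH_TLS_PSK` lines repeat `-DOPENSSL_NO_ENGINE -I$(WOLFSSLDIR) -DEXTERNAL_OPTS_OPENVPN -DUSE_WOLFSSL`, all of which the unconditional lines above already add to the same variables, so `-DWITH_TLS_PSK` alone would suffice there. Separately, in lib/net_mosq.c the `is_tls_initialized = false;` assignment is moved out past the enclosing `# endif` (whose `# if` lies outside the hunk, as does the rest of net__cleanup()), so it now runs on every cleanup rather than only inside that guard, for OpenSSL builds as well; this is not listed under `Changes:` in the patch header and deserves a bullet such as `- net_mosq.c: reset is_tls_initialized on every net__cleanup(), not only inside the version-guarded block`.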
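--- a/mosquitto/README.md
+++ b/mosquitto/README.md
@@ -0,0 +1,23 @@
+This folder contains patches for mosquitto to work with wolfSSL. Patches make it easier to add support for newer versions of a target library. The format of the patch names is: `<mosquitto version>.patch` Instructions for applying each patch are included in the patch commit message.
+
+wolfSSL
+
+```
+git clone https://github.com/wolfSSL/wolfssl.git
+cd wolfssl
+./autogen.sh
+./configure --enable-mosquitto
+make
+make install
+```
+
+Eclipse Mosquitto
+
+```
+git clone https://github.com/eclipse/mosquitto.git
+cd mosquitto
+git checkout v2.0.15
+patch -p1 < <path/to/patch/file>
+make WITH_TLS=wolfssl
+make WITH_TLS=wolfssl test
+```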
