Add DTLS support to MQTT-SN client

embhorn · embhorn · commit 5ff973a18360 · 2023-08-25T16:43:02.000-05:00
diff --git a/README.md b/README.md
@@ -189,6 +189,10 @@ This example enables the wolfMQTT client to connect to the IBM Watson Internet o
 ### MQTT-SN Example
 The Sensor Network client implements the MQTT-SN protocol for low-bandwidth networks. There are several differences from MQTT, including the ability to use a two byte Topic ID instead the full topic during subscribe and publish. The SN client requires an MQTT-SN gateway. The gateway acts as an intermediary between the SN clients and the broker. This client was tested with the Eclipse Paho MQTT-SN Gateway, which connects by default to the public Eclipse broker, much like our wolfMQTT Client example. The address of the gateway must be configured as the host. The example is located in `/examples/sn-client/`.
 
+To enable Sensor Network protocol support, configure wolfMQTT using:
+`./configure --enable-sn`
+
+#### QoS-1
 A special feature of MQTT-SN is the ability to use QoS level -1 (negative one) to publish to a predefined topic without first connecting to the gateway. There is no feedback in the application if there was an error, so confirmation of the test would involve running the `sn-client` first and watching for the publish from the `sn-client_qos-1`. There is an example provided in `/examples/sn-client/sn-client_qos-1`. It requires some configuration changes of the gateway.
 
 * Enable the the QoS-1 feature, predefined topics, and change the gateway name in `gateway.conf`:
@@ -210,6 +214,18 @@ GatewayName=WolfGateway
 WolfGatewayQoS-1,wolfMQTT/example/testTopic, 1
 ```
 
+#### MQTT-SN with DTLS
+MQTT-SN can be secured using DTLS. This enables encryption of sensor data to the gateway. The Eclipse Paho MQTT-SN Gateway supports DTLS clients.
+
+To build the Eclipse Paho MQTT-SN Gateway with DTLS:
+`<gateway-folder>/MQTTSNGateway$ ./build.sh dtls`
+
+To build wolfSSL with DTLS support:
+`./configure --enable-dtls && make && sudo make install`
+
+To run the wolfMQTT sn-client example with DTLS:
+`./examples/sn-client/sn-client -t`
+
 ### Multithread Example
 This example exercises the multithreading capabilities of the client library. The client implements two tasks: one that publishes to the broker; and another that waits for messages from the broker. The publish thread is created `NUM_PUB_TASKS` times (10 by default) and sends unique messages to the broker. This feature is enabled using the `--enable-mt` configuration option. The example is located in `/examples/multithread/`.
 
diff --git a/examples/mqttexample.c b/examples/mqttexample.c
@@ -198,31 +198,26 @@ void mqtt_show_usage(MQTTCtx* mqttCtx)
     PRINTF("-?          Help, print this usage");
     PRINTF("-h <host>   Host to connect to, default: %s",
             mqttCtx->host);
-    /* Remove TLS and SNI args for sn-client */ 
-    if(XSTRNCMP(mqttCtx->app_name, "sn-client", 10)){
 #ifdef ENABLE_MQTT_TLS
         PRINTF("-p <num>    Port to connect on, default: Normal %d, TLS %d",
                 MQTT_DEFAULT_PORT, MQTT_SECURE_PORT);
         PRINTF("-t          Enable TLS");
         PRINTF("-A <file>   Load CA (validate peer)");
         PRINTF("-K <key>    Use private key (for TLS mutual auth)");
         PRINTF("-c <cert>   Use certificate (for TLS mutual auth)");
-#ifdef HAVE_SNI
-        PRINTF("-S <str>    Use Host Name Indication, blank defaults to host");
-#endif
-#ifdef HAVE_PQC
+    #ifdef HAVE_SNI
+        /* Remove SNI args for sn-client */
+        if(XSTRNCMP(mqttCtx->app_name, "sn-client", 10)){
+            PRINTF("-S <str>    Use Host Name Indication, blank defaults to host");
+        }
+    #endif
+    #ifdef HAVE_PQC
         PRINTF("-Q <str>    Use Key Share with post-quantum algorithm");
-#endif
+    #endif
 #else
         PRINTF("-p <num>    Port to connect on, default: %d",
              MQTT_DEFAULT_PORT);
 #endif
-    }
-    
-    else{
-        PRINTF("-p <num>    Port to connect on, default: %d",
-             MQTT_DEFAULT_PORT);
-    }
     PRINTF("-q <num>    Qos Level 0-2, default: %d",
             mqttCtx->qos);
     PRINTF("-s          Disable clean session connect flag");
@@ -401,10 +396,9 @@ int mqtt_parse_args(MQTTCtx* mqttCtx, int argc, char** argv)
             mqtt_show_usage(mqttCtx);
             return MY_EX_USAGE;
         }
-    
-        /* Remove TLS and SNI functionality for sn-client */
+
+        /* Remove SNI functionality for sn-client */
         if(!XSTRNCMP(mqttCtx->app_name, "sn-client", 10)){
-            mqttCtx->use_tls = 0;
         #ifdef HAVE_SNI    
             useSNI=0;
         #endif
@@ -646,7 +640,8 @@ int mqtt_tls_cb(MqttClient* client)
                 return rc;
             }
         }
-    #elif defined(WOLFMQTT_ZEPHYR)
+    #else
+        /* Note: Zephyr example uses NO_FILESYSTEM */
     #ifdef WOLFSSL_ENCRYPTED_KEYS
         /* Setup password callback for pkcs8 key */
         wolfSSL_CTX_set_default_passwd_cb(client->tls.ctx,
@@ -714,12 +709,78 @@ int mqtt_tls_cb(MqttClient* client)
 
     return rc;
 }
+
+#ifdef WOLFMQTT_SN
+int mqtt_dtls_cb(MqttClient* client) {
+#ifdef WOLFSSL_DTLS
+    int rc = WOLFSSL_FAILURE;
+
+    client->tls.ctx = wolfSSL_CTX_new(wolfDTLSv1_2_client_method());
+    if (client->tls.ctx) {
+        wolfSSL_CTX_set_verify(client->tls.ctx, WOLFSSL_VERIFY_PEER,
+                mqtt_tls_verify_cb);
+
+        /* default to success */
+        rc = WOLFSSL_SUCCESS;
+
+#if !defined(NO_CERT) && !defined(NO_FILESYSTEM)
+        if (mTlsCaFile) {
+            /* Load CA certificate file */
+            rc = wolfSSL_CTX_load_verify_locations(client->tls.ctx,
+                mTlsCaFile, NULL);
+            if (rc != WOLFSSL_SUCCESS) {
+                PRINTF("Error loading CA %s: %d (%s)", mTlsCaFile,
+                    rc, wolfSSL_ERR_reason_error_string(rc));
+                return rc;
+            }
+        }
+        if (mTlsCertFile && mTlsKeyFile) {
+            /* Load If using a mutual authentication */
+            rc = wolfSSL_CTX_use_certificate_file(client->tls.ctx,
+                mTlsCertFile, WOLFSSL_FILETYPE_PEM);
+            if (rc != WOLFSSL_SUCCESS) {
+                PRINTF("Error loading certificate %s: %d (%s)", mTlsCertFile,
+                    rc, wolfSSL_ERR_reason_error_string(rc));
+                return rc;
+            }
+
+            rc = wolfSSL_CTX_use_PrivateKey_file(client->tls.ctx,
+                mTlsKeyFile, WOLFSSL_FILETYPE_PEM);
+            if (rc != WOLFSSL_SUCCESS) {
+                PRINTF("Error loading key %s: %d (%s)", mTlsKeyFile,
+                    rc, wolfSSL_ERR_reason_error_string(rc));
+                return rc;
+            }
+        }
+#endif
+
+        client->tls.ssl = wolfSSL_new(client->tls.ctx);
+        if (client->tls.ssl == NULL) {
+            rc = WOLFSSL_FAILURE;
+            return rc;
+        }
+    }
+
+    PRINTF("MQTT DTLS Setup (%d)", rc);
+#else /* WOLFSSL_DTLS */
+    (void)client;
+    int rc = 0;
+    PRINTF("MQTT DTLS Setup - Must enable DTLS in wolfSSL!");
+#endif
+    return rc;
+}
+#endif /* WOLFMQTT_SN */
 #else
 int mqtt_tls_cb(MqttClient* client)
 {
     (void)client;
     return 0;
 }
+int mqtt_dtls_cb(MqttClient* client)
+{
+    (void)client;
+    return 0;
+}
 #endif /* ENABLE_MQTT_TLS */
 
 int mqtt_file_load(const char* filePath, byte** fileBuf, int *fileLen)
diff --git a/examples/mqttexample.h b/examples/mqttexample.h
@@ -188,6 +188,11 @@ int mqtt_parse_args(MQTTCtx* mqttCtx, int argc, char** argv);
 int err_sys(const char* msg);
 
 int mqtt_tls_cb(MqttClient* client);
+
+#ifdef WOLFMQTT_SN
+int mqtt_dtls_cb(MqttClient* client);
+#endif
+
 word16 mqtt_get_packetid(void);
 
 #ifdef WOLFMQTT_NONBLOCK
diff --git a/examples/mqttnet.c b/examples/mqttnet.c
@@ -24,38 +24,14 @@
     #include <config.h>
 #endif
 
-#include "wolfmqtt/mqtt_client.h"
 #include "examples/mqttnet.h"
-#include "examples/mqttexample.h"
-#include "examples/mqttport.h"
-
-/* Local context for Net callbacks */
-typedef enum {
-    SOCK_BEGIN = 0,
-    SOCK_CONN
-} NB_Stat;
 
 #if 0 /* TODO: add multicast support */
 typedef struct MulticastCtx {
 
 } MulticastCtx;
 #endif
 
-
-typedef struct _SocketContext {
-    SOCKET_T fd;
-    NB_Stat stat;
-    SOCK_ADDR_IN addr;
-#ifdef MICROCHIP_MPLAB_HARMONY
-    word32 bytes;
-#endif
-#if defined(WOLFMQTT_MULTITHREAD) && defined(WOLFMQTT_ENABLE_STDIN_CAP)
-    /* "self pipe" -> signal wake sleep() */
-    SOCKET_T pfd[2];
-#endif
-    MQTTCtx* mqttCtx;
-} SocketContext;
-
 /* Private functions */
 
 /* -------------------------------------------------------------------------- */
@@ -578,7 +554,7 @@ static int SN_NetConnect(void *context, const char* host, word16 port,
     struct addrinfo hints;
     MQTTCtx* mqttCtx = sock->mqttCtx;
 
-    PRINTF("NetConnect: Host %s, Port %u, Timeout %d ms, Use TLS %d",
+    PRINTF("NetConnect: Host %s, Port %u, Timeout %d ms, Use DTLS %d",
         host, port, timeout_ms, mqttCtx->use_tls);
 
     /* Get address information for host and locate IPv4 */
@@ -830,6 +806,11 @@ static int NetRead_ex(void *context, byte* buf, int buf_len,
             }
             else {
                 bytes += rc; /* Data */
+    #if defined(WOLFMQTT_SN) && defined(WOLFSSL_DTLS)
+                if (wolfSSL_dtls(mqttCtx->client.tls.ssl)) {
+                    break;
+                }
+    #endif
             }
         }
 
diff --git a/examples/mqttnet.h b/examples/mqttnet.h
@@ -27,6 +27,27 @@
 #endif
 
 #include "examples/mqttexample.h"
+#include "examples/mqttport.h"
+
+/* Local context for Net callbacks */
+typedef enum {
+    SOCK_BEGIN = 0,
+    SOCK_CONN
+} NB_Stat;
+
+typedef struct _SocketContext {
+    SOCKET_T fd;
+    NB_Stat stat;
+    SOCK_ADDR_IN addr;
+#ifdef MICROCHIP_MPLAB_HARMONY
+    word32 bytes;
+#endif
+#if defined(WOLFMQTT_MULTITHREAD) && defined(WOLFMQTT_ENABLE_STDIN_CAP)
+    /* "self pipe" -> signal wake sleep() */
+    SOCKET_T pfd[2];
+#endif
+    MQTTCtx* mqttCtx;
+} SocketContext;
 
 /* Functions used to handle the MqttNet structure creation / destruction */
 int MqttClientNet_Init(MqttNet* net, MQTTCtx* mqttCtx);
diff --git a/examples/sn-client/sn-client.c b/examples/sn-client/sn-client.c
@@ -139,9 +139,14 @@ int sn_test(MQTTCtx *mqttCtx)
         goto exit;
     }
 
-    /* Setup socket direct to gateway (UDP network, so no TLS) */
+    /* The client.ctx will be stored in the cert callback ctx during
+       MqttSocket_Connect for use by mqtt_tls_verify_cb */
+    mqttCtx->client.ctx = mqttCtx;
+
+    /* Setup socket direct to gateway */
     rc = MqttClient_NetConnect(&mqttCtx->client, mqttCtx->host,
-           mqttCtx->port, DEFAULT_CON_TIMEOUT_MS, 0, NULL);
+           mqttCtx->port, DEFAULT_CON_TIMEOUT_MS,
+           mqttCtx->use_tls, mqtt_dtls_cb);
 
     PRINTF("MQTT-SN Socket Connect: %s (%d)",
         MqttClient_ReturnCodeToString(rc), rc);
diff --git a/src/mqtt_packet.c b/src/mqtt_packet.c
@@ -3524,14 +3524,18 @@ int SN_Packet_Read(MqttClient *client, byte* rx_buf, int rx_buf_len,
     int timeout_ms)
 {
     int rc, len = 0, remain_read = 0;
-    word16 total_len = 0;
+    word16 total_len = 0, idx = 0;
 
     switch (client->packet.stat)
     {
         case MQTT_PK_BEGIN:
         {
-            /* Read first 2 bytes using MSG_PEEK */
-            rc = MqttSocket_Peek(client, rx_buf, 2, timeout_ms);
+            /* Read first 2 bytes */
+            if (client->flags & MQTT_CLIENT_FLAG_IS_TLS) {
+                rc = MqttSocket_Read(client, rx_buf, 2, timeout_ms);
+            } else {
+                rc = MqttSocket_Peek(client, rx_buf, 2, timeout_ms);
+            }
             if (rc < 0) {
                 return MqttPacket_HandleNetError(client, rc);
             }
@@ -3544,16 +3548,29 @@ int SN_Packet_Read(MqttClient *client, byte* rx_buf, int rx_buf_len,
 
             if (rx_buf[0] == SN_PACKET_LEN_IND){
                 /* Read length stored in first three bytes, type in fourth */
-                rc = MqttSocket_Peek(client, rx_buf, 4, timeout_ms);
-                if (rc < 0) {
-                    return MqttPacket_HandleNetError(client, rc);
+                if (client->flags & MQTT_CLIENT_FLAG_IS_TLS) {
+                    rc = MqttSocket_Read(client, rx_buf+len, 2, timeout_ms);
+                    if (rc < 0) {
+                        return MqttPacket_HandleNetError(client, rc);
+                    }
+                    else if (rc != 2) {
+                        return MqttPacket_HandleNetError(client,
+                                 MQTT_TRACE_ERROR(MQTT_CODE_ERROR_NETWORK));
+                    }
+                    rc += len;
                 }
-                else if (rc != 4) {
-                    return MqttPacket_HandleNetError(client,
-                             MQTT_TRACE_ERROR(MQTT_CODE_ERROR_NETWORK));
+                else {
+                    rc = MqttSocket_Peek(client, rx_buf, 4, timeout_ms);
+                    if (rc < 0) {
+                        return MqttPacket_HandleNetError(client, rc);
+                    }
+                    else if (rc != 4) {
+                        return MqttPacket_HandleNetError(client,
+                                 MQTT_TRACE_ERROR(MQTT_CODE_ERROR_NETWORK));
+                    }
+                    len = rc;
                 }
 
-                len = rc;
                 (void)MqttDecode_Num(&rx_buf[1], &total_len);
                 client->packet.header_len = len;
             }
@@ -3580,7 +3597,12 @@ int SN_Packet_Read(MqttClient *client, byte* rx_buf, int rx_buf_len,
             }
             else if ((total_len == 2) || (total_len == 4)) {
                 /* Handle peek */
-                client->packet.remain_len = total_len;
+                if (client->flags & MQTT_CLIENT_FLAG_IS_TLS) {
+                    client->packet.remain_len = total_len - len;
+                }
+                else {
+                    client->packet.remain_len = total_len;
+                }
             }
             else {
                 client->packet.remain_len = 0;
@@ -3592,16 +3614,22 @@ int SN_Packet_Read(MqttClient *client, byte* rx_buf, int rx_buf_len,
                 client->packet.remain_len = rx_buf_len -
                                             client->packet.header_len;
             }
-
+            if (client->flags & MQTT_CLIENT_FLAG_IS_TLS) {
+                total_len -= client->packet.header_len;
+                idx = client->packet.header_len;
+            }
             /* Read whole message */
             if (client->packet.remain_len > 0) {
-                rc = MqttSocket_Read(client, &rx_buf[0],
+                rc = MqttSocket_Read(client, &rx_buf[idx],
                         total_len, timeout_ms);
                 if (rc <= 0) {
                     return MqttPacket_HandleNetError(client, rc);
                 }
                 remain_read = rc;
             }
+            if (client->flags & MQTT_CLIENT_FLAG_IS_TLS) {
+                remain_read += client->packet.header_len;
+            }
 
             break;
         }
diff --git a/wolfmqtt/mqtt_client.h b/wolfmqtt/mqtt_client.h
@@ -510,11 +510,11 @@ WOLFMQTT_API int MqttClient_IsMessageActive(
  *  \param      client      Pointer to MqttClient structure
  *  \param      host        Address of the broker server
  *  \param      port        Optional custom port. If zero will use defaults
+ *  \param      timeout_ms  Milliseconds until read timeout
  *  \param      use_tls     If non-zero value will connect with and use TLS for
                             encryption of data
  *  \param      cb          A function callback for configuration of the SSL
                             context certificate checking
- *  \param      timeout_ms  Milliseconds until read timeout
  *  \return     MQTT_CODE_SUCCESS or MQTT_CODE_ERROR_*
                 (see enum MqttPacketResponseCodes)
  */
