diff --git a/MQTTSNGateway/README.md b/MQTTSNGateway/README.md index 86f9f56..3c7b8bb 100644 --- a/MQTTSNGateway/README.md +++ b/MQTTSNGateway/README.md @@ -28,11 +28,14 @@ $ ./MQTT-SNGateway [-f Config file name] BrokerName=iot.eclipse.org BrokerPortNo=1883 -SecureConnection=NO -#BrokerPortNo=8883 -#SecureConnection=YES +BrokerSecurePortNo=8883 + ClientAuthentication=NO -ClientList=clients.conf +#ClientsList=/path/to/your_clients.conf + +RootCAfile=/path/to/your_Root_CA.crt +RootCApath=/path/to/your_certs_directory/ + GatewayID=1 GatewayName=PahoGateway-01 KeepAlive=900 @@ -49,12 +52,12 @@ Baudrate=38400 SerialDevice=/dev/ttyUSB0 ``` -**BrokerName** to specify a domain name of the Broker, and **BrokerPortNo** is a port No of the Broker. If the Broker have to connected via TLS, set BrokerPortNo=8883 and **SecureConnection=YES**. +**BrokerName** to specify a domain name of the Broker, and **BrokerPortNo** is a port No of the Broker. **BrokerSecurePortNo** is for TLS connection. **MulticastIP** and **MulticastPortNo** is a multicast address for ADVERTISE, GWSEARCH and GWINFO messages. Gateway is waiting GWSEARCH multicast message and when receiving it send GWINFO message via Broadcast address. Clients can get the gateway address (Gateway IP address and **GatewayPortNo**) from GWINFO message by means of std::recvfrom(), Client should know the BroadcastIP and PortNo to send a SEARCHGW message. **GatewayId** is defined by GWSEARCH message. **KeepAlive** is a duration of ADVERTISE message in seconds. -when **ClientAuthentication** is YES, see MQTTSNGWClient.cpp line53, clients file specified by ClientList is required. This file defines connect allowed clients by ClientId, IPaddress and PortNo. +when **ClientAuthentication** is YES, see MQTTSNGWClient.cpp line53, clients file specified by ClientsList is required. This file defines connect allowed clients by ClientId, IPaddress and PortNo. diff --git a/MQTTSNGateway/gateway.conf b/MQTTSNGateway/gateway.conf index 80a0858..89dd921 100644 --- a/MQTTSNGateway/gateway.conf +++ b/MQTTSNGateway/gateway.conf @@ -16,14 +16,18 @@ BrokerName=iot.eclipse.org BrokerPortNo=1883 BrokerSecurePortNo=8883 -#SecureConnection=YES + ClientAuthentication=NO -ClientList=clients.conf +#ClientsList=/path/to/your_clients.conf + +RootCAfile=/usr/share/ca-certificates/ISRG_Root_X1.crt +RootCApath=/etc/ssl/certs/ + GatewayID=1 GatewayName=PahoGateway-01 KeepAlive=900 -#LoginID= -#Password= +#LoginID=your_ID +#Password=your_Password # UDP GatewayPortNo=10000 diff --git a/MQTTSNGateway/src/MQTTGWPacket.cpp b/MQTTSNGateway/src/MQTTGWPacket.cpp index 1c10522..74a885f 100644 --- a/MQTTSNGateway/src/MQTTGWPacket.cpp +++ b/MQTTSNGateway/src/MQTTGWPacket.cpp @@ -17,6 +17,7 @@ #include "MQTTGWPacket.h" #include +#include using namespace MQTTSNGW; diff --git a/MQTTSNGateway/src/MQTTSNGWBrokerRecvTask.cpp b/MQTTSNGateway/src/MQTTSNGWBrokerRecvTask.cpp index cf00553..967c63a 100644 --- a/MQTTSNGateway/src/MQTTSNGWBrokerRecvTask.cpp +++ b/MQTTSNGateway/src/MQTTSNGWBrokerRecvTask.cpp @@ -89,7 +89,6 @@ void BrokerRecvTask::run(void) { /* Check sockets is ready to read */ int activity = select(maxSock + 1, &rset, 0, 0, &timeout); - if (activity > 0) { client = _gateway->getClientList()->getClient(); @@ -110,6 +109,7 @@ void BrokerRecvTask::run(void) if ( rc > 0 ) { if ( log(client, packet) == -1 ) + { continue; } @@ -169,7 +169,7 @@ void BrokerRecvTask::run(void) */ int BrokerRecvTask::log(Client* client, MQTTGWPacket* packet) { - char pbuf[(SIZEOF_LOG_PACKET + 5 )* 3]; + char pbuf[(SIZE_OF_LOG_PACKET + 5 )* 3]; char msgId[6]; int rc = 0; diff --git a/MQTTSNGateway/src/MQTTSNGWBrokerSendTask.cpp b/MQTTSNGateway/src/MQTTSNGWBrokerSendTask.cpp index 252be70..0c44ee7 100644 --- a/MQTTSNGateway/src/MQTTSNGWBrokerSendTask.cpp +++ b/MQTTSNGateway/src/MQTTSNGWBrokerSendTask.cpp @@ -19,6 +19,7 @@ #include "MQTTSNGateway.h" #include "MQTTSNGWClient.h" #include "MQTTGWPacket.h" +#include using namespace std; using namespace MQTTSNGW; @@ -34,8 +35,11 @@ BrokerSendTask::BrokerSendTask(Gateway* gateway) _gateway = gateway; _gateway->attach((Thread*)this); _host = 0; - _service = 0; - _serviceSecure = 0; + _port = 0; + _portSecure = 0; + _certDirectory = 0; + _rootCAfile = 0; + _light = 0; } @@ -45,13 +49,25 @@ BrokerSendTask::~BrokerSendTask() { free(_host); } - if (_service) + if (_port) { - free(_service); + free(_port); } - if (_serviceSecure) + if (_portSecure) { - free(_serviceSecure); + free(_portSecure); + } + if (_certDirectory) + { + free(_certDirectory); + } + if (_rootCApath) + { + free(_rootCApath); + } + if (_rootCAfile) + { + free(_rootCAfile); } } @@ -68,12 +84,26 @@ void BrokerSendTask::initialize(int argc, char** argv) } if (_gateway->getParam("BrokerPortNo", param) == 0) { - _service = strdup(param); + _port = strdup(param); } if (_gateway->getParam("BrokerSecurePortNo", param) == 0) - { - _serviceSecure = strdup(param); - } + { + _portSecure = strdup(param); + } + + if (_gateway->getParam("CertsDirectory", param) == 0) + { + _certDirectory = strdup(param); + } + if (_gateway->getParam("RootCApath", param) == 0) + { + _rootCApath = strdup(param); + } + if (_gateway->getParam("RootCAfile", param) == 0) + { + _rootCAfile = strdup(param); + } + _light = _gateway->getLightIndicator(); } @@ -93,7 +123,7 @@ void BrokerSendTask::run() client = ev->getClient(); packet = ev->getMQTTGWPacket(); - if ( client->getNetwork()->isValid() && packet->getType() == CONNECT ) + if ( client->getNetwork()->isValid() && !client->getNetwork()->isSecure() && packet->getType() == CONNECT ) { client->getNetwork()->close(); } @@ -101,16 +131,37 @@ void BrokerSendTask::run() if ( !client->getNetwork()->isValid() ) { /* connect to the broker and send a packet */ - char* service = _service; + char* portNo = _port; + const char* cert = 0; + const char* keyFile = 0; + string certFile; + string privateKeyFile; + if (client->isSecureNetwork()) { - service = _serviceSecure; + portNo = _portSecure; + if ( _certDirectory ) + { + certFile = _certDirectory; + certFile += client->getClientId(); + certFile += ".crt"; + cert = certFile.c_str(); + privateKeyFile = _certDirectory; + privateKeyFile += client->getClientId(); + privateKeyFile += ".key"; + keyFile = privateKeyFile.c_str(); + } + rc = client->getNetwork()->connect(_host, portNo, _rootCApath, _rootCAfile, cert, keyFile); + } + else + { + rc = client->getNetwork()->connect(_host, portNo); } - if ( !client->getNetwork()->connect(_host, service) ) + if ( !rc ) { - /* disconnect the broker and chage the client's status */ - WRITELOG("%s BrokerSendTask can't open the socket. errno=%d %s%s\n", + /* disconnect the broker and change the client's status */ + WRITELOG("%s BrokerSendTask can't connect to the broker. errno=%d %s%s\n", ERRMSG_HEADER, rc == -1 ? errno : 0, client->getClientId(), ERRMSG_FOOTER); client->disconnected(); client->getNetwork()->disconnect(); @@ -151,7 +202,7 @@ void BrokerSendTask::run() */ void BrokerSendTask::log(Client* client, MQTTGWPacket* packet) { - char pbuf[(SIZEOF_LOG_PACKET + 5 )* 3]; + char pbuf[(SIZE_OF_LOG_PACKET + 5 )* 3]; char msgId[6]; switch (packet->getType()) diff --git a/MQTTSNGateway/src/MQTTSNGWBrokerSendTask.h b/MQTTSNGateway/src/MQTTSNGWBrokerSendTask.h index f663f7d..81b0a7a 100644 --- a/MQTTSNGateway/src/MQTTSNGWBrokerSendTask.h +++ b/MQTTSNGateway/src/MQTTSNGWBrokerSendTask.h @@ -39,8 +39,11 @@ private: Gateway* _gateway; char* _host; - char* _service; - char* _serviceSecure; + char* _port; + char* _portSecure; + char* _rootCApath; + char* _rootCAfile; + char* _certDirectory; LightIndicator* _light; }; diff --git a/MQTTSNGateway/src/MQTTSNGWClient.cpp b/MQTTSNGateway/src/MQTTSNGWClient.cpp index 6ff6725..430498b 100644 --- a/MQTTSNGateway/src/MQTTSNGWClient.cpp +++ b/MQTTSNGateway/src/MQTTSNGWClient.cpp @@ -206,7 +206,7 @@ Client* ClientList::createClient(SensorNetAddress* addr, MQTTSNString* clientId, } /* anonimous clients */ - if ( _clientCnt > DEFAULT_MAX_CLIENTS ) + if ( _clientCnt > MAX_CLIENTS ) { return 0; // full of clients } @@ -951,14 +951,7 @@ TopicIdMapelement::~TopicIdMapelement() TopicIdMap::TopicIdMap() { - char param[MQTTSNGW_PARAM_MAX]; - - _maxInflight = DEFAULT_INFLIGHTMESSAGE; - if ( theProcess->getParam("MaxInflightMsg", param) == 0 ) - { - _maxInflight = atoi(param); - } - + _maxInflight = MAX_INFLIGHTMESSAGES; _msgIds = 0; _first = 0; _end = 0; diff --git a/MQTTSNGateway/src/MQTTSNGWClient.h b/MQTTSNGateway/src/MQTTSNGWClient.h index d4081b4..0ba2b03 100644 --- a/MQTTSNGateway/src/MQTTSNGWClient.h +++ b/MQTTSNGateway/src/MQTTSNGWClient.h @@ -312,7 +312,7 @@ private: uint8_t _snMsgId; Network* _network; // Broker - bool _secureNetwork; // SSL + bool _secureNetwork; // SSL bool _sensorNetype; // false: unstable network like a G3 SensorNetAddress _sensorNetAddr; diff --git a/MQTTSNGateway/src/MQTTSNGWClientRecvTask.cpp b/MQTTSNGateway/src/MQTTSNGWClientRecvTask.cpp index 01937a5..a8db6d3 100644 --- a/MQTTSNGateway/src/MQTTSNGWClientRecvTask.cpp +++ b/MQTTSNGateway/src/MQTTSNGWClientRecvTask.cpp @@ -16,6 +16,7 @@ #include "MQTTSNGWClientRecvTask.h" #include "MQTTSNGateway.h" +#include char* currentDateTime(void); /*===================================== Class ClientRecvTask @@ -107,7 +108,7 @@ void ClientRecvTask::run() packet->getCONNECT(&data); /* create a client */ - client = _gateway->getClientList()->createClient(_sensorNetwork->getSenderAddress(), &data.clientID, false, _gateway->getGWParams()->secureConnection); + client = _gateway->getClientList()->createClient(_sensorNetwork->getSenderAddress(), &data.clientID, false, false); //_gateway->getGWParams()->secureConnection); if (!client) { @@ -139,7 +140,7 @@ void ClientRecvTask::run() void ClientRecvTask::log(Client* client, MQTTSNPacket* packet) { - char pbuf[SIZEOF_LOG_PACKET * 3]; + char pbuf[SIZE_OF_LOG_PACKET * 3]; char msgId[6]; const char* clientId = client ? (const char*)client->getClientId() :"Non Active Client !" ; diff --git a/MQTTSNGateway/src/MQTTSNGWClientSendTask.cpp b/MQTTSNGateway/src/MQTTSNGWClientSendTask.cpp index 9cdf43f..b7d7bff 100644 --- a/MQTTSNGateway/src/MQTTSNGWClientSendTask.cpp +++ b/MQTTSNGateway/src/MQTTSNGWClientSendTask.cpp @@ -64,7 +64,7 @@ void ClientSendTask::run() void ClientSendTask::log(Client* client, MQTTSNPacket* packet) { - char pbuf[SIZEOF_LOG_PACKET * 3]; + char pbuf[SIZE_OF_LOG_PACKET * 3]; char msgId[6]; switch (packet->getType()) diff --git a/MQTTSNGateway/src/MQTTSNGWConnectionHandler.cpp b/MQTTSNGateway/src/MQTTSNGWConnectionHandler.cpp index 980f170..cae95f2 100644 --- a/MQTTSNGateway/src/MQTTSNGWConnectionHandler.cpp +++ b/MQTTSNGateway/src/MQTTSNGWConnectionHandler.cpp @@ -18,6 +18,7 @@ #include "MQTTSNGateway.h" #include "MQTTSNGWPacket.h" #include "MQTTGWPacket.h" +#include using namespace std; using namespace MQTTSNGW; @@ -54,7 +55,7 @@ void MQTTSNConnectionHandler::handleSearchgw(MQTTSNPacket* packet) { if (packet->getType() == MQTTSN_SEARCHGW) { - if (_gateway->getClientList()->getClientCount() < DEFAULT_MAX_CLIENTS) + if (_gateway->getClientList()->getClientCount() < MAX_CLIENTS) { MQTTSNPacket* gwinfo = new MQTTSNPacket(); gwinfo->setGWINFO(_gateway->getGWParams()->gatewayId); diff --git a/MQTTSNGateway/src/MQTTSNGWDefines.h b/MQTTSNGateway/src/MQTTSNGWDefines.h index 2c897fc..839708e 100644 --- a/MQTTSNGateway/src/MQTTSNGWDefines.h +++ b/MQTTSNGateway/src/MQTTSNGWDefines.h @@ -27,13 +27,13 @@ namespace MQTTSNGW //#define DEBUG_NWSTACK // print out SensorNetwork log /*================================= - * Parametrs + * MQTT-SN Parametrs ==================================*/ +#define MAX_CLIENTS (100) // Number of Clients can be handled. #define MAX_CLIENTID_LENGTH (64) // Max length of clientID +#define MAX_INFLIGHTMESSAGES (10) // Number of inflight messages #define MQTTSNGW_MAX_PACKET_SIZE (1024) // Max Packet size (5+2+TopicLen+PayloadLen) -#define SIZEOF_LOG_PACKET (500) // Length of the packet log in bytes - -#define MQTTSNGW_TLS_CA_DIR "/etc/ssl/certs" +#define SIZE_OF_LOG_PACKET (500) // Length of the packet log in bytes /*================================= * Data Type diff --git a/MQTTSNGateway/src/MQTTSNGWPacket.cpp b/MQTTSNGateway/src/MQTTSNGWPacket.cpp index 1dc9324..23ec9f9 100644 --- a/MQTTSNGateway/src/MQTTSNGWPacket.cpp +++ b/MQTTSNGateway/src/MQTTSNGWPacket.cpp @@ -354,7 +354,7 @@ char* MQTTSNPacket::print(char* pbuf) int value = 0; int i = MQTTSNPacket_decode(_buf, _bufLen, &value); - int size = _bufLen > SIZEOF_LOG_PACKET ? SIZEOF_LOG_PACKET : _bufLen; + int size = _bufLen > SIZE_OF_LOG_PACKET ? SIZE_OF_LOG_PACKET : _bufLen; for (; i < size; i++) { diff --git a/MQTTSNGateway/src/MQTTSNGWPacketHandleTask.cpp b/MQTTSNGateway/src/MQTTSNGWPacketHandleTask.cpp index c24659b..77dc86b 100644 --- a/MQTTSNGateway/src/MQTTSNGWPacketHandleTask.cpp +++ b/MQTTSNGateway/src/MQTTSNGWPacketHandleTask.cpp @@ -26,6 +26,7 @@ #include "MQTTSNGWConnectionHandler.h" #include "MQTTSNGWPublishHandler.h" #include "MQTTSNGWSubscribeHandler.h" +#include using namespace std; using namespace MQTTSNGW; diff --git a/MQTTSNGateway/src/MQTTSNGWPublishHandler.cpp b/MQTTSNGateway/src/MQTTSNGWPublishHandler.cpp index 68bd47a..6c4bff3 100644 --- a/MQTTSNGateway/src/MQTTSNGWPublishHandler.cpp +++ b/MQTTSNGateway/src/MQTTSNGWPublishHandler.cpp @@ -19,7 +19,7 @@ #include "MQTTGWPacket.h" #include "MQTTSNGateway.h" #include "MQTTSNGWClient.h" - +#include using namespace std; using namespace MQTTSNGW; diff --git a/MQTTSNGateway/src/MQTTSNGateway.cpp b/MQTTSNGateway/src/MQTTSNGateway.cpp index e18a77b..8b6e72c 100644 --- a/MQTTSNGateway/src/MQTTSNGateway.cpp +++ b/MQTTSNGateway/src/MQTTSNGateway.cpp @@ -17,7 +17,7 @@ #include "MQTTSNGateway.h" #include "SensorNetwork.h" #include "MQTTSNGWProcess.h" - +#include using namespace MQTTSNGW; char* currentDateTime(void); @@ -31,7 +31,7 @@ Gateway::Gateway() theProcess = this; _params.loginId = 0; _params.password = 0; - _packetEventQue.setMaxSize(DEFAULT_INFLIGHTMESSAGE * DEFAULT_MAX_CLIENTS); + _packetEventQue.setMaxSize(MAX_INFLIGHTMESSAGES * MAX_CLIENTS); } Gateway::~Gateway() @@ -107,7 +107,7 @@ void Gateway::initialize(int argc, char** argv) string fileName; if (!strcasecmp(param, "YES")) { - if (getParam("ClientList", param) == 0) + if (getParam("ClientsList", param) == 0) { fileName = string(param); } @@ -118,20 +118,10 @@ void Gateway::initialize(int argc, char** argv) if (!_clientList.authorize(fileName.c_str())) { - throw Exception("Gateway::initialize: No client list which defined by configuration."); + throw Exception("Gateway::initialize: No client list defined by configuration."); } } } - - if (getParam("SecureConnection", param) == 0) - { - _params.secureConnection = !strcasecmp(param, "YES"); - } - else - { - _params.secureConnection = false; - } - } void Gateway::run(void) diff --git a/MQTTSNGateway/src/MQTTSNGateway.h b/MQTTSNGateway/src/MQTTSNGateway.h index 3f7d540..cc60367 100644 --- a/MQTTSNGateway/src/MQTTSNGateway.h +++ b/MQTTSNGateway/src/MQTTSNGateway.h @@ -26,14 +26,12 @@ namespace MQTTSNGW * Gateway default parameters ===========================================================*/ #define DEFAULT_KEEP_ALIVE_TIME (900) // 900 secs = 15 mins -#define DEFAULT_MAX_CLIENTS (100) // Number of Clients can be handled. #define DEFAULT_MQTT_VERSION (4) // Defualt MQTT version -#define DEFAULT_INFLIGHTMESSAGE (10) // Number of inflight messages /*================================= * Starting prompt ==================================*/ -#define GATEWAY_VERSION " * Version: 0.3.3" +#define GATEWAY_VERSION " * Version: 0.4.0" #define PAHO_COPYRIGHT0 " * MQTT-SN Transparent Gateway" #define PAHO_COPYRIGHT1 " * Part of Project Paho in Eclipse" @@ -155,7 +153,6 @@ typedef struct uint8_t mqttVersion; uint16_t maxInflightMsgs; uint8_t* gatewayName; - bool secureConnection; }GatewayParams; /*===================================== diff --git a/MQTTSNGateway/src/linux/Network.cpp b/MQTTSNGateway/src/linux/Network.cpp index 0ba5661..6d43da7 100644 --- a/MQTTSNGateway/src/linux/Network.cpp +++ b/MQTTSNGateway/src/linux/Network.cpp @@ -22,6 +22,7 @@ #include #include #include +#include #include "Network.h" #include "MQTTSNGWDefines.h" @@ -232,54 +233,27 @@ int TCPStack::getSock() =======================================*/ int Network::_numOfInstance = 0; SSL_CTX* Network::_ctx = 0; -SSL_SESSION* Network::_session = 0; Network::Network(bool secure) : TCPStack() { - char error[256]; - if (secure) - { - _numOfInstance++; - if (_ctx == 0) - { - SSL_load_error_strings(); - SSL_library_init(); - _ctx = SSL_CTX_new(TLSv1_2_client_method()); - if (_ctx == 0) - { - ERR_error_string_n(ERR_get_error(), error, sizeof(error)); - WRITELOG("SSL_CTX_new() %s\n", error); - throw Exception( ERR_get_error(), "Network can't create SSL context."); - } - if (!SSL_CTX_load_verify_locations(_ctx, 0, MQTTSNGW_TLS_CA_DIR)) - { - ERR_error_string_n(ERR_get_error(), error, sizeof(error)); - WRITELOG("SSL_CTX_load_verify_locations() %s\n", error); - throw Exception( ERR_get_error(), "Network can't load CA_LIST."); - } - } - } _ssl = 0; - _disconReq = false; _secureFlg = secure; _busy = false; + _session = 0; + _sslValid = false; } Network::~Network() { - if (_secureFlg) - { - _numOfInstance--; - } if (_ssl) { SSL_free(_ssl); + _numOfInstance--; } - if (_session && _numOfInstance == 0) + if (_session ) { SSL_SESSION_free(_session); - _session = 0; } if (_ctx && _numOfInstance == 0) { @@ -289,78 +263,172 @@ Network::~Network() } } -bool Network::connect(const char* host, const char* service) +bool Network::connect(const char* host, const char* port) +{ + if (_secureFlg) + { + return false; + } + + if (getSock() == 0) + { + if (!TCPStack::connect(host, port)) + { + return false; + } + } + return true; +} + +bool Network::connect(const char* host, const char* port, const char* caPath, const char* caFile, const char* cert, const char* prvkey) { char errmsg[256]; - int rc = 0; char peer_CN[256]; - SSL_SESSION* sess = 0; - X509* peer; + int rc = 0; - if (isValid()) - { - return false; - } - if (!TCPStack::connect(host, service)) - { - return false; - } if (!_secureFlg) { - return true; + WRITELOG("TLS is not required.\n"); + return false; } - SSL* ssl = SSL_new(_ctx); - if (ssl == 0) + if (_ctx == 0) + { + SSL_load_error_strings(); + SSL_library_init(); + _ctx = SSL_CTX_new(TLS_client_method()); + if (_ctx == 0) + { + ERR_error_string_n(ERR_get_error(), errmsg, sizeof(errmsg)); + WRITELOG("SSL_CTX_new() %s\n", errmsg); + return false; + } + + if (!SSL_CTX_load_verify_locations(_ctx, caFile, caPath)) + { + ERR_error_string_n(ERR_get_error(), errmsg, sizeof(errmsg)); + WRITELOG("SSL_CTX_load_verify_locations() %s\n", errmsg); + return false; + } + } + + if (!_sslValid) + { + if ( !TCPStack::connect(host, port) ) + { + return false; + } + /* + if ( _ssl ) + { + if (!SSL_set_fd(_ssl, getSock())) + { + ERR_error_string_n(ERR_get_error(), errmsg, sizeof(errmsg)); + WRITELOG("SSL_set_fd() %s\n", errmsg); + SSL_free(_ssl); + } + else + { + _sslValid = true; + return true; + } + } + */ + } + + _ssl = SSL_new(_ctx); + if (_ssl == 0) { ERR_error_string_n(ERR_get_error(), errmsg, sizeof(errmsg)); WRITELOG("SSL_new() %s\n", errmsg); return false; } - rc = SSL_set_fd(ssl, TCPStack::getSock()); - if (rc == 0) + if (!SSL_set_fd(_ssl, getSock())) { - SSL_free(ssl); + ERR_error_string_n(ERR_get_error(), errmsg, sizeof(errmsg)); + WRITELOG("SSL_set_fd() %s\n", errmsg); + SSL_free(_ssl); + } + + SSL_set_options(_ssl, SSL_OP_NO_TICKET); + + if ( cert ) + { + if ( SSL_use_certificate_file(_ssl, cert, SSL_FILETYPE_PEM) <= 0 ) + { + ERR_error_string_n(ERR_get_error(), errmsg, sizeof(errmsg)); + WRITELOG("SSL_use_certificate_file() %s %s\n", cert, errmsg); + SSL_free(_ssl); + _ssl = 0; + return false; + } + } + if ( prvkey ) + { + if ( SSL_use_PrivateKey_file(_ssl, prvkey, SSL_FILETYPE_PEM) <= 0 ) + { + ERR_error_string_n(ERR_get_error(), errmsg, sizeof(errmsg)); + WRITELOG("SSL_use_PrivateKey_file() %s %s\n", prvkey, errmsg); + SSL_free(_ssl); + _ssl = 0; + return false; + } + } + + if (!SSL_set_fd(_ssl, TCPStack::getSock())) + { + ERR_error_string_n(ERR_get_error(), errmsg, sizeof(errmsg)); + WRITELOG("SSL_set_fd() %s\n", errmsg); + SSL_free(_ssl); + _ssl = 0; return false; } if (_session) { - rc = SSL_set_session(ssl, sess); + rc = SSL_set_session(_ssl, _session); } - else - { - rc = SSL_connect(ssl); - } - if (rc != 1) + + if (SSL_connect(_ssl) != 1) { ERR_error_string_n(ERR_get_error(), errmsg, sizeof(errmsg)); WRITELOG("SSL_connect() %s\n", errmsg); - SSL_free(ssl); + SSL_free(_ssl); + _ssl = 0; return false; } - if (SSL_get_verify_result(ssl) != X509_V_OK) + if ( (rc = SSL_get_verify_result(_ssl)) != X509_V_OK) { - WRITELOG("SSL_get_verify_result() error: Certificate doesn't verify.\n"); - SSL_free(ssl); + WRITELOG("SSL_get_verify_result() error: %s.\n", X509_verify_cert_error_string(rc)); + SSL_free(_ssl); + _ssl = 0; return false; } - peer = SSL_get_peer_certificate(ssl); + X509* peer = SSL_get_peer_certificate(_ssl); X509_NAME_get_text_by_NID(X509_get_subject_name(peer), NID_commonName, peer_CN, 256); - if (strcasecmp(peer_CN, host)) + char* pos = peer_CN; + if ( *pos == '*') { - WRITELOG("SSL_get_peer_certificate() error: Broker dosen't much host name.\n"); - SSL_free(ssl); + while (*host++ != '.'); + pos += 2; + } + if ( strcmp(host, pos)) + { + WRITELOG("SSL_get_peer_certificate() error: Broker %s dosen't match the host name %s\n", peer_CN, host); + SSL_free(_ssl); + _ssl = 0; return false; } + if (_session == 0) { - _session = sess; + _session = SSL_get1_session(_ssl); } - _ssl = ssl; + _numOfInstance++; + _sslValid = true; return true; } @@ -372,7 +440,11 @@ int Network::send(const uint8_t* buf, uint16_t length) bool writeBlockedOnRead = false; int bpos = 0; - if (_secureFlg) + if (!_secureFlg) + { + return TCPStack::send(buf, length); + } + else { _mutex.lock(); _busy = true; @@ -387,7 +459,7 @@ int Network::send(const uint8_t* buf, uint16_t length) int activity = select(getSock() + 1, &rset, &wset, 0, 0); if (activity > 0) { - if (FD_ISSET(getSock(), &wset) || (writeBlockedOnRead && FD_ISSET(getSock(), &rset))) + if (FD_ISSET(getSock(), &wset) || (writeBlockedOnRead && FD_ISSET(getSock(), &rset))) { writeBlockedOnRead = false; @@ -421,10 +493,6 @@ int Network::send(const uint8_t* buf, uint16_t length) } } } - else - { - return TCPStack::send(buf, length); - } } int Network::recv(uint8_t* buf, uint16_t len) @@ -438,92 +506,107 @@ int Network::recv(uint8_t* buf, uint16_t len) fd_set rset; fd_set wset; - if (_secureFlg) + if (!_secureFlg) { - if (_busy) + return TCPStack::recv(buf, len); + } + + if (_busy) + { + return 0; + } + _mutex.lock(); + _busy = true; + + loop: do + { + readBlockedOnWrite = false; + readBlocked = false; + + rlen = SSL_read(_ssl, buf + bpos, len - bpos); + + switch (SSL_get_error(_ssl, rlen)) { - return 0; + case SSL_ERROR_NONE: + _busy = false; + _mutex.unlock(); + return rlen + bpos; + break; + case SSL_ERROR_ZERO_RETURN: + SSL_shutdown(_ssl); + _ssl = 0; + TCPStack::close(); + _busy = false; + _mutex.unlock(); + return -1; + break; + case SSL_ERROR_WANT_READ: + readBlocked = true; + break; + case SSL_ERROR_WANT_WRITE: + readBlockedOnWrite = true; + break; + default: + ERR_error_string_n(ERR_get_error(), errmsg, sizeof(errmsg)); + WRITELOG("Network::recv() %s\n", errmsg); + _busy = false; + _mutex.unlock(); + return -1; } - _mutex.lock(); - _busy = true; + } while (SSL_pending(_ssl) && !readBlocked); - loop: do + bpos += rlen; + while (true) + { + FD_ZERO(&rset); + FD_ZERO(&wset); + FD_SET(getSock(), &rset); + FD_SET(getSock(), &wset); + + int activity = select(getSock() + 1, &rset, &wset, 0, 0); + if (activity > 0) { - readBlockedOnWrite = false; - readBlocked = false; - - rlen = SSL_read(_ssl, buf + bpos, len - bpos); - - switch (SSL_get_error(_ssl, rlen)) + if ((FD_ISSET(getSock(),&rset) && !writeBlockedOnRead) + || (readBlockedOnWrite && FD_ISSET(getSock(), &wset))) { - case SSL_ERROR_NONE: - _busy = false; - _mutex.unlock(); - return rlen + bpos; - break; - case SSL_ERROR_ZERO_RETURN: - SSL_shutdown(_ssl); - _ssl = 0; - TCPStack::close(); - _busy = false; - _mutex.unlock(); - return -1; - break; - case SSL_ERROR_WANT_READ: - readBlocked = true; - break; - case SSL_ERROR_WANT_WRITE: - readBlockedOnWrite = true; - break; - default: - ERR_error_string_n(ERR_get_error(), errmsg, sizeof(errmsg)); - WRITELOG("TLSStack::recv() default %s\n", errmsg); - _busy = false; - _mutex.unlock(); - return -1; + goto loop; } - } while (SSL_pending(_ssl) && !readBlocked); - - bpos += rlen; - while (true) + } + else { - FD_ZERO(&rset); - FD_ZERO(&wset); - FD_SET(getSock(), &rset); - FD_SET(getSock(), &wset); - - int activity = select(getSock() + 1, &rset, &wset, 0, 0); - if (activity > 0) - { - if ((FD_ISSET(getSock(),&rset) && !writeBlockedOnRead) - || (readBlockedOnWrite && FD_ISSET(getSock(), &wset))) - { - goto loop; - } - } - else - { - ERR_error_string_n(ERR_get_error(), errmsg, sizeof(errmsg)); - WRITELOG("TLSStack::recv() select %s\n", errmsg); - _busy = false; - _mutex.unlock(); - return -1; - } + ERR_error_string_n(ERR_get_error(), errmsg, sizeof(errmsg)); + WRITELOG("TLSStack::recv() select %s\n", errmsg); + _busy = false; + _mutex.unlock(); + return -1; } } - return TCPStack::recv(buf, len); +} + +void Network::close(void) +{ + if (_secureFlg) + { + _sslValid = false; + SSL_free(_ssl); + _ssl = 0; + } + TCPStack::close(); } bool Network::isValid() { - if (!_secureFlg) + if (_secureFlg) + { + if (_sslValid && !_busy) + { + return true; + } + } + else { return TCPStack::isValid(); } - if (_ssl) - { - return true; - } return false; } @@ -533,12 +616,11 @@ void Network::disconnect() { SSL_shutdown(_ssl); _ssl = 0; - TCPStack::close(); - } - else - { - TCPStack::close(); } + _sslValid = false; + _busy = false; + TCPStack::close(); + } int Network::getSock() @@ -546,18 +628,6 @@ int Network::getSock() return TCPStack::getSock(); } -SSL* Network::getSSL() -{ - if (_secureFlg) - { - return _ssl; - } - else - { - return 0; - } -} - bool Network::isSecure() { return _secureFlg; diff --git a/MQTTSNGateway/src/linux/Network.h b/MQTTSNGateway/src/linux/Network.h index d8ed45b..c5bfaed 100644 --- a/MQTTSNGateway/src/linux/Network.h +++ b/MQTTSNGateway/src/linux/Network.h @@ -71,26 +71,27 @@ public: Network(bool secure); virtual ~Network(); - bool connect(const char* host, const char* service); - void disconnect(); - int send(const uint8_t* buf, uint16_t length); - int recv(uint8_t* buf, uint16_t len); + bool connect(const char* host, const char* port, const char* caPath, const char* caFile, const char* sert, const char* prvkey); + bool connect(const char* host, const char* port); + void disconnect(void); + void close(void); + int send(const uint8_t* buf, uint16_t length); + int recv(uint8_t* buf, uint16_t len); - bool isValid(); - bool isSecure(); - int getSock(); - SSL* getSSL(); + bool isValid(void); + bool isSecure(void); + int getSock(void); private: static SSL_CTX* _ctx; static int _numOfInstance; - static SSL_SESSION* _session; + SSL_SESSION* _session; SSL* _ssl; bool _secureFlg; - bool _disconReq; Mutex _mutex; bool _busy; + bool _sslValid; }; #endif /* NETWORK_H_ */ diff --git a/MQTTSNGateway/src/mainGateway.cpp b/MQTTSNGateway/src/mainGateway.cpp index 43f8988..9ffc74a 100644 --- a/MQTTSNGateway/src/mainGateway.cpp +++ b/MQTTSNGateway/src/mainGateway.cpp @@ -24,9 +24,6 @@ using namespace MQTTSNGW; /* * Gateway Process - * - * Certificate file "/etc/ssl/certs" - * This is defined in MQTTSNGWDefines.h */ Gateway* gateway = new Gateway(); PacketHandleTask* t0 = new PacketHandleTask(gateway);