From be9e05ed24db5b2ea286e32c86777b43862d0f7b Mon Sep 17 00:00:00 2001
From: Jan-Piet Mens
Date: Wed, 17 May 2017 11:15:19 +0200
Subject: [PATCH] add support for TLS-PSK
closes #74
---
 README.md | 2 ++
 recorder.c | 30 ++++++++++++++++++++++++++++--
 udata.h | 2 ++
 3 files changed, 32 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index d07caca..87dc206 100644
--- a/README.md
+++ b/README.md
@@ -220,6 +220,8 @@ This section lists the most important options of the Recorder with their long na
 `--port` is the port number of the MQTT broker and overrides `$OTR_PORT`; it defaults to 1883. Setting this to 0 disables MQTT even if it is compiled-in.
+`--identity` and `--psk` define the TLS PSK identity and preshared key respectively to use in a TLS-PSK connection to Mosquitto. Note that the listener needs to be set up accordingly and that it is an error to configure `--cafile` together with these options.
+
 `--user` overrides `$OTR_USER` and specifies the username to use in the MQTT connection.
 `--qos` specifies the MQTT QoS to use; it defaults to 2.
diff --git a/recorder.c b/recorder.c
index 4f6a693..ec24649 100644
--- a/recorder.c
+++ b/recorder.c
@@ -1153,6 +1153,8 @@ void usage(char *prog)
 printf(" --pubprefix -P republish prefix (dflt: no republish)\n");
 printf(" --host -H MQTT host (localhost)\n");
 printf(" --port -p MQTT port (1883)\n");
+ printf(" --psk PSK hint\n");
+ printf(" --identity PSK identity\n");
 #endif
 printf(" --logfacility syslog facility (local0)\n");
 printf(" --quiet disable printing of messages to stdout\n");
@@ -1223,6 +1225,8 @@ int main(int argc, char **argv)
 udata.capath = NULL;
 udata.certfile = NULL;
 udata.keyfile = NULL;
+ udata.psk = NULL;
+ udata.identity = NULL;
 #endif
 udata.ignoreretained = TRUE;
 udata.skipdemo = TRUE;
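Review bot: The help text `printf(" --psk PSK hint\n");` in the usage hunk describes the value as a "hint", but what the option carries is the pre-shared key itself; in TLS-PSK the identity hint is something the server sends, and the client-side value paired with the key is the identity. I would make the two lines read `printf("  --psk                TLS-PSK pre-shared key\n");` and `printf("  --identity           TLS-PSK identity\n");` so operators are not led to pass the wrong thing. The README paragraph in this patch could likewise state what format the key is expected in (libmosquitto's mosquitto_tls_psk_set() takes it as a hex string, as far as I recall the API). usage()'s body begins and ends outside the hunk.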
@@ -1332,6 +1336,8 @@ int main(int argc, char **argv)
 { "qos", required_argument, 0, 'q'},
 { "host", required_argument, 0, 'H'},
 { "port", required_argument, 0, 'p'},
+ { "psk", required_argument, 0, 20},
+ { "identity", required_argument, 0, 21},
 #endif /* !MQTT */
 { "storage", required_argument, 0, 'S'},
 { "logfacility", required_argument, 0, 4},
@@ -1440,6 +1446,13 @@ int main(int argc, char **argv)
 if (ud->browser_apikey) free(ud->browser_apikey);
 ud->browser_apikey = strdup(optarg);
 break;
+
+ case 20:
+ ud->psk = strdup(optarg);
+ break;
+ case 21:
+ ud->identity = strdup(optarg);
+ break;
 #endif
 case 'D':
 ud->skipdemo = FALSE;
@@ -1627,6 +1640,18 @@ int main(int argc, char **argv)
 mosquitto_username_pw_set(mosq, ud->username, ud->password);
 }
+ if (ud->psk && ud->cafile) {
+ olog(LOG_ERR, "Configuring TLS together with PSK is an error");
+ exit(2);
+ }
+
+ if (ud->psk && *ud->psk && ud->identity && *ud->identity) {
+ rc = mosquitto_tls_psk_set(mosq,
+ ud->psk,
+ ud->identity,
+ NULL); /* Ciphers */
+ }
+
 if (ud->cafile && *ud->cafile) {
 if (access(ud->cafile, R_OK) != 0) {
@@ -1655,10 +1680,11 @@ int main(int argc, char **argv)
 }
- olog(LOG_INFO, "connecting to MQTT on %s:%d as clientID %s %s TLS",
+ olog(LOG_INFO, "connecting to MQTT on %s:%d as clientID %s %s %s",
 ud->hostname, ud->port, ud->clientid,
- (ud->cafile && *ud->cafile) ? "with" : "without");
+ ((ud->cafile && *ud->cafile) || (ud->psk && *ud->psk)) ? "with" : "without",
+ (ud->psk && *ud->identity) ? "PSK" : "TLS");
 rc = mosquitto_connect(mosq, ud->hostname, ud->port, 60);
 if (rc) {
diff --git a/udata.h b/udata.h
index d510e1d..08502b3 100644
--- a/udata.h
+++ b/udata.h
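Review bot: `ud->psk = strdup(optarg);` and `ud->identity = strdup(optarg);` in the new `case 20`/`case 21` overwrite any earlier value without releasing it, whereas the `browser_apikey` case a few lines above frees the old copy first; a repeated `--psk` or `--identity` therefore leaks the first string. Following the existing pattern, `free(ud->psk); ud->psk = strdup(optarg);` (free(NULL) is a no-op) keeps the three cases consistent. Separately, taking the key from argv leaves it readable in `ps` output and shell history for the life of the process; since the neighbouring options documented in this patch fall back to `$OTR_*` environment variables, an `$OTR_PSK` fallback would give operators a way to keep the secret off the command line. The enclosing switch and main() continue outside the hunk.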
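Review bot: The return value of `mosquitto_tls_psk_set()` is stored in `rc` but never checked within the hunk, and the only later use of `rc` visible on this page is the `rc = mosquitto_connect(...)` assignment in the following hunk, so a failure (for example a libmosquitto built without TLS-PSK support, or a key the library rejects) is silently discarded and the client goes on to connect in plaintext while the operator believes PSK is in effect. A second gap is that the guard `if (ud->psk && *ud->psk && ud->identity && *ud->identity)` simply skips TLS-PSK when only one of `--psk`/`--identity` was supplied, with the same plaintext outcome, even though the preceding `ud->psk && ud->cafile` check does treat a misconfiguration as fatal. I would make both conditions fatal in the same way as the existing checks, along the lines below, using `mosquitto_strerror()` for the reason. main() continues outside the hunk.
```c
/* … unchanged: psk/cafile conflict check … */
if (ud->psk || ud->identity) {
	if (!(ud->psk && *ud->psk && ud->identity && *ud->identity)) {
		olog(LOG_ERR, "TLS-PSK needs both --psk and --identity");
		exit(2);
	}
	rc = mosquitto_tls_psk_set(mosq, ud->psk, ud->identity, NULL); /* ciphers: library default */
	if (rc != MOSQ_ERR_SUCCESS) {
		olog(LOG_ERR, "Cannot configure TLS-PSK: %s", mosquitto_strerror(rc));
		exit(2);
	}
}
```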
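Review bot: `(ud->psk && *ud->identity) ? "PSK" : "TLS"` in the new olog() call dereferences `ud->identity` whenever `--psk` was given, but `ud->identity` is initialised to NULL earlier in this patch and is only assigned by `--identity`, so running with `--psk` alone crashes on a NULL dereference at this log line. The test should mirror the condition under which TLS-PSK was actually configured, e.g. `(ud->psk && *ud->psk && ud->identity && *ud->identity) ? "PSK" : "TLS"`, which also stops the log from announcing "with PSK" in a run where mosquitto_tls_psk_set() was never called. main() continues outside the hunk.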
@@ -26,6 +26,8 @@ struct udata {
 char *capath; /* CA path */
 char *certfile; /* certificate (client) */
 char *keyfile; /* client key */
+ char *identity; /* PSK identity (hint) */
+ char *psk; /* PSK */
 #endif
 int skipdemo; /* True if _demo users are to be skipped */
 int revgeo; /* True (default) if we should do reverse Geo lookups */
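Review bot: The comment `/* PSK identity (hint) */` on the new `identity` field applies "hint" to the wrong side: in TLS-PSK the identity hint is sent by the server, while this field holds the identity the client presents together with the key. I would write `char *identity; /* TLS-PSK identity presented to the broker */` and `char *psk; /* TLS-PSK pre-shared key as a hex string (format per mosquitto_tls_psk_set()) — secret */`, the last word so the next maintainer knows this buffer must not end up in logs or dumps. The format remark rests on my recollection of the libmosquitto API and should be confirmed against the version the project builds with. struct udata begins and ends outside the hunk.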