feat(mosq): Added support for TLS transport using ESP-TLS

Author: david-cermak

.github/workflows/mosq__build.yml

@@ -64,6 +64,7 @@ jobs:
       - name: Run Test
         working-directory: ${{ env.TEST_DIR }}
         run: |
+          python -m pip install pytest-embedded-serial-esp pytest-embedded-idf pytest-rerunfailures pytest-timeout pytest-ignore-test-results
           unzip ci/artifacts.zip -d ci
           for dir in `ls -d ci/build_*`; do
           rm -rf build sdkconfig.defaults

ci/check_copyright_config.yaml

@@ -53,6 +53,7 @@ mosquitto_component:
   allowed_licenses:
     - EPL-2.0
     - Apache-2.0
+    - BSD-3-Clause
 
 slim_modem_examples:
   include:

components/mosquitto/CMakeLists.txt

@@ -7,7 +7,6 @@ set(m_deps_dir ${m_dir}/deps)
 set(m_srcs
         ${m_lib_dir}/memory_mosq.c
         ${m_lib_dir}/util_mosq.c
-        ${m_lib_dir}/net_mosq.c
         ${m_lib_dir}/will_mosq.c
         ${m_lib_dir}/alias_mosq.c
         ${m_lib_dir}/send_mosq.c
@@ -46,7 +45,6 @@ set(m_srcs
         ${m_src_dir}/mux.c
         ${m_src_dir}/mux_epoll.c
         ${m_src_dir}/mux_poll.c
-        ${m_src_dir}/net.c
         ${m_src_dir}/password_mosq.c
         ${m_src_dir}/persist_read.c
         ${m_src_dir}/persist_read_v234.c
@@ -73,20 +71,26 @@ set(m_srcs
         ${m_src_dir}/xtreport.c)
 
 idf_component_register(SRCS ${m_srcs}
-                            port/callbacks.c port/config.c port/signals.c port/ifaddrs.c port/broker.c port/files.c
+                            port/callbacks.c
+                            port/config.c
+                            port/signals.c
+                            port/ifaddrs.c
+                            port/broker.c
+                            port/files.c
+                            port/net__esp_tls.c
                     PRIV_INCLUDE_DIRS port/priv_include port/priv_include/sys ${m_dir} ${m_src_dir}
                                       ${m_incl_dir} ${m_lib_dir} ${m_deps_dir}
                     INCLUDE_DIRS ${m_incl_dir} port/include
-                    PRIV_REQUIRES newlib
+                    PRIV_REQUIRES newlib esp-tls
         )
 
 target_compile_definitions(${COMPONENT_LIB} PRIVATE "WITH_BROKER")
 target_compile_options(${COMPONENT_LIB} PRIVATE "-Wno-format")
 
-# Some mosquittos source unconditionally define `_GNU_SOURCE` which collides with IDF build system
+# Some mosquitto source unconditionally define `_GNU_SOURCE` which collides with IDF build system
 # producing warning: "_GNU_SOURCE" redefined
 # This workarounds this issue by undefining the macro for the selected files
-set(sources_that_define_gnu_source ${m_lib_dir}/net_mosq.c ${m_src_dir}/loop.c ${m_src_dir}/mux_poll.c)
+set(sources_that_define_gnu_source ${m_src_dir}/loop.c ${m_src_dir}/mux_poll.c)
 foreach(offending_src ${sources_that_define_gnu_source})
     set_source_files_properties(${offending_src} PROPERTIES COMPILE_OPTIONS "-U_GNU_SOURCE")
 endforeach()

components/mosquitto/README.md

@@ -1,21 +1,21 @@
 # ESP32 Mosquitto Port
 
-This is a lightweight port of the Mosquitto broker designed to run on the ESP32. It currently supports a single listener and TCP transport only.
+This is a lightweight port of the Mosquitto broker designed to run on the ESP32. It currently supports a single listener with TCP transport or TLS transport based on ESP-TLS library.
 
 ## Supported Options
 
-The Espressif port supports a limited set of options (with plans to add more in future releases). These options can be configured through a structure passed to the `mosq_broker_start()` function. For detailed information on available configuration options, refer to the [API documentation](api.md).
+The Espressif port supports a limited set of options (with plans to add more in future releases). These options can be configured through a structure passed to the `mosq_broker_run()` function. For detailed information on available configuration options, refer to the [API documentation](api.md).
 
 ## API
 
 ### Starting the Broker
 
-To start the broker, call the `mosq_broker_start()` function with a properly configured settings structure. The broker operates in the context of the calling task and does not create a separate task.
+To start the broker, call the `mosq_broker_run()` function with a properly configured settings structure. The broker operates in the context of the calling task and does not create a separate task.
 
 It's recommended to analyze the stack size needed for the task, but in general, the broker requires at least 4 kB of stack size.
 
 ```c
-mosq_broker_start(&config);
+mosq_broker_run(&config);
 ```
 
 ## Memory Footprint Considerations

components/mosquitto/api.md

@@ -20,7 +20,8 @@
 
 | Type | Name |
 | ---: | :--- |
-|  int | [**mosq\_broker\_start**](#function-mosq_broker_start) (struct [**mosq\_broker\_config**](#struct-mosq_broker_config) \*config) <br>_Start mosquitto broker._ |
+|  int | [**mosq\_broker\_run**](#function-mosq_broker_run) (struct [**mosq\_broker\_config**](#struct-mosq_broker_config) \*config) <br>_Start mosquitto broker._ |
+|  void | [**mosq\_broker\_stop**](#function-mosq_broker_stop) (void) <br>_Stops running broker._ |
 
 
 ## Structures and Types Documentation
@@ -37,14 +38,16 @@ Variables:
 
 -  int port  <br>Port number of the broker to listen to
 
+-  esp\_tls\_cfg\_server\_t \* tls_cfg  <br>ESP-TLS configuration (if TLS transport used) Please refer to the ESP-TLS official documentation for more details on configuring the TLS options. You can open the respective docs with this idf.py command: `idf.py docs -sp api-reference/protocols/esp_tls.html`
+
 
 ## Functions Documentation
 
-### function `mosq_broker_start`
+### function `mosq_broker_run`
 
 _Start mosquitto broker._
 ```c
-int mosq_broker_start (
+int mosq_broker_run (
     struct mosq_broker_config *config
 )
 ```
@@ -63,3 +66,16 @@ This API runs the broker in the calling thread and blocks until the mosquitto ex
 **Returns:**
 
 int Exit code (0 on success)
+### function `mosq_broker_stop`
+
+_Stops running broker._
+```c
+void mosq_broker_stop (
+    void
+)
+```
+
+
+**Note:**
+
+After calling this API, function mosq\_broker\_run() unblocks and returns.

components/mosquitto/examples/broker/README.md

@@ -2,7 +2,7 @@
 
 ## Overview
 
-This example runs a TCP broker on a specified host and port.
+This example runs a broker on TLS or TCP transport, specified host and port.
 
 ### How to use this example
 
@@ -13,6 +13,19 @@ If you enabled also the mqtt client, this example will connect to the local brok
 
 You can connect to the ESP32 mosquitto broker using some other client using the ESP32 IPv4 address and the port specified in the project configuration menu.
 
+> [!IMPORTANT]
+> The certificates and keys provided in this example are intended for testing purposes only. They are self-signed, single-use, and configured with a common name of "127.0.0.1". Do not reuse these credentials in any production or real-world applications, as they are not secure for such environments.
+
+For more information on setting up TLS configuration (including certificates and keys), please refer to the ESP-TLS documentation:
+```bash
+idf.py docs -sp api-reference/protocols/esp_tls.html
+```
+
+Configuring the TLS option for the broker is quite similar to setting it up for an HTTPS server, as both involve server-side security configuration. Refer to the HTTPS server documentation for details:
+```bash
+idf.py docs -sp api-reference/protocols/esp_https_server.html
+```
+
 ### Test version
 
 This example is also used for testing on loopback interface only, disabling any actual connection, just using the local mqtt client to the loopback interface.

components/mosquitto/examples/broker/main/CMakeLists.txt

@@ -1,2 +1,3 @@
-idf_component_register(SRCS "broker.c"
-                       PRIV_REQUIRES newlib nvs_flash esp_netif esp_event mqtt)
+idf_component_register(SRCS "example_broker.c"
+                       PRIV_REQUIRES newlib nvs_flash esp_netif esp_event mqtt
+                       EMBED_TXTFILES servercert.pem serverkey.pem cacert.pem)

components/mosquitto/examples/broker/main/Kconfig.projbuild

@@ -19,4 +19,11 @@ menu "Example Configuration"
             If enabled, it runs a local mqtt client connecting
             to the same endpoint ans the broker listens to
 
+    config EXAMPLE_BROKER_WITH_TLS
+        bool "Use TLS"
+        default y
+        help
+            If enabled, the broker (and the client too, if enabled)
+            uses TLS transport layer
+
 endmenu

components/mosquitto/examples/broker/main/cacert.pem

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDIzCCAgugAwIBAgIUXichctvCn6/6xXr0+UOBaqwkBMMwDQYJKoZIhvcNAQEL
+BQAwITELMAkGA1UEBhMCQ1oxEjAQBgNVBAMMCUVzcHJlc3NpZjAeFw0yNDA3MDgx
+NDE5NDNaFw0yNTA3MDgxNDE5NDNaMCExCzAJBgNVBAYTAkNaMRIwEAYDVQQDDAlF
+c3ByZXNzaWYwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCqAGUZALUS
+AwWkslBH0RJcgyTTYZ6Q3xadG9rubTGN0DNt8INlguElN9eUhj7VzQZeGxRtAk3A
+b4r5MpTWAAC8maDgZU97TOmAaxA04h0P2MHTGG4i1vSm2/jebhh5Ydh8nKs9DdAO
+YJWfbtt3XukBe5VJcmp7OICz88LFc/fArrAnBFdmrVX+0Y2l/5KDW6ItvcXhorpz
+sO5hOnPXIs4Hq5TYOJbUw6h9E8O6bxUG4AXcSWqqbLJ6PzEFSBMBnjwBQn4HCWvM
+GV6w2+I1QbtOTe6yNzBa7O3yqzSYeTcdpjv/FFngo4oRN1RMiCYc1Ae3hJiIhDlN
+SRB1CHPi4MblAgMBAAGjUzBRMB0GA1UdDgQWBBTdlh8T2ze2K81IrZCpUv9yhZq2
+qjAfBgNVHSMEGDAWgBTdlh8T2ze2K81IrZCpUv9yhZq2qjAPBgNVHRMBAf8EBTAD
+AQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBDTt9V3LnyBjHDi9pQa+Q8bjVYCMaOSBFE
+LJj8GhkXxtfTzqO2u7vkvfz+2MaRDNpL2lePWDB0BwINT+mSYNWjD5bP2mdgJ2nK
+BStzWT6MR4hiQ6u6hXy2Q8brqPN+dP4Pay8fXHe3JNadC/nSk4AC3EvVDpghCJJB
+1W5az4YmJzK0F6S84AkKnXYdlYyb94RwWSevn7HYZM+xQjoJmBhQ+XnQ7o2uaEur
+52igRRHQQ4xrF5JrbGAqfFVqfA8lJDYiAZCG/aNlV0VpgzyxpDxvPFvvlEYJoL63
+/asgSIzYoBknZjNZnPSKcsYGa+0Bjjh7tS50bV++5sN+aW/WDRLd
+-----END CERTIFICATE-----

components/mosquitto/examples/broker/main/broker.c renamed to components/mosquitto/examples/broker/main/example_broker.c

@@ -14,6 +14,16 @@
 
 const static char *TAG = "mqtt_broker";
 
+#if CONFIG_EXAMPLE_BROKER_WITH_TLS
+extern const unsigned char servercert_start[] asm("_binary_servercert_pem_start");
+extern const unsigned char servercert_end[]   asm("_binary_servercert_pem_end");
+extern const unsigned char serverkey_start[] asm("_binary_serverkey_pem_start");
+extern const unsigned char serverkey_end[]   asm("_binary_serverkey_pem_end");
+extern const char cacert_start[] asm("_binary_cacert_pem_start");
+extern const char cacert_end[]   asm("_binary_cacert_pem_end");
+#endif
+
+
 #if CONFIG_EXAMPLE_BROKER_RUN_LOCAL_MQTT_CLIENT
 static void mqtt_event_handler(void *handler_args, esp_event_base_t base, int32_t event_id, void *event_data)
 {
@@ -63,7 +73,13 @@ static void mqtt_app_start(struct mosq_broker_config *config)
 {
     esp_mqtt_client_config_t mqtt_cfg = {
         .broker.address.hostname = "127.0.0.1",
-        .broker.address.transport = MQTT_TRANSPORT_OVER_TCP,    // we support only TCP transport now
+#if CONFIG_EXAMPLE_BROKER_WITH_TLS
+        .broker.address.transport = MQTT_TRANSPORT_OVER_SSL,
+        .broker.verification.certificate = cacert_start,
+        .broker.verification.certificate_len = cacert_end - cacert_start,
+#else
+        .broker.address.transport = MQTT_TRANSPORT_OVER_TCP,
+#endif
         .broker.address.port = config->port,
     };
     esp_mqtt_client_handle_t client = esp_mqtt_client_init(&mqtt_cfg);
@@ -79,11 +95,22 @@ void app_main(void)
     ESP_ERROR_CHECK(esp_event_loop_create_default());
     ESP_ERROR_CHECK(example_connect());
 
-    struct mosq_broker_config config = { .host = CONFIG_EXAMPLE_BROKER_HOST, .port = CONFIG_EXAMPLE_BROKER_PORT };
+    struct mosq_broker_config config = { .host = CONFIG_EXAMPLE_BROKER_HOST, .port = CONFIG_EXAMPLE_BROKER_PORT, .tls_cfg = NULL };
 
 #if CONFIG_EXAMPLE_BROKER_RUN_LOCAL_MQTT_CLIENT
     mqtt_app_start(&config);
 #endif
+
+#if CONFIG_EXAMPLE_BROKER_WITH_TLS
+    esp_tls_cfg_server_t tls_cfg = {
+        .servercert_buf = servercert_start,
+        .servercert_bytes = servercert_end - servercert_start,
+        .serverkey_buf = serverkey_start,
+        .serverkey_bytes = serverkey_end - serverkey_start,
+    };
+    config.tls_cfg = &tls_cfg;
+#endif
+
     // broker continues to run in this task
-    mosq_broker_start(&config);
+    mosq_broker_run(&config);
 }