diff --git a/tasmota/CHANGELOG.md b/tasmota/CHANGELOG.md
index 0f5b4ec47..d9c9b1bfc 100644
--- a/tasmota/CHANGELOG.md
+++ b/tasmota/CHANGELOG.md
@@ -4,7 +4,7 @@
 
 ### 8.5.0.1 20200907
 
-- New released
+- Add ``#define USE_MQTT_AWS_IOT_LIGHT`` for password based AWS IoT authentication
 
 ### 8.5.0 20200907
 
diff --git a/tasmota/StackThunk_light.cpp b/tasmota/StackThunk_light.cpp
index c9f9bc78e..3c0d91bcf 100644
--- a/tasmota/StackThunk_light.cpp
+++ b/tasmota/StackThunk_light.cpp
@@ -40,8 +40,10 @@ uint32_t *stack_thunk_light_save = NULL; /* Saved A1 while in BearSSL */
 uint32_t stack_thunk_light_refcnt = 0;
 
 //#define _stackSize (5600/4)
-#ifdef USE_MQTT_TLS_FORCE_EC_CIPHER
+#if defined(USE_MQTT_AWS_IOT)
   #define _stackSize (5300/4)   // using a light version of bearssl we can save 300 bytes
+#elif defined(USE_MQTT_TLS_FORCE_EC_CIPHER)
+  #define _stackSize (4800/4)   // no private key, we can reduce a little, max observed 4300
 #else
   #define _stackSize (3600/4)   // using a light version of bearssl we can save 2k
 #endif
diff --git a/tasmota/WiFiClientSecureLightBearSSL.cpp b/tasmota/WiFiClientSecureLightBearSSL.cpp
index 209555c3f..d85373688 100755
--- a/tasmota/WiFiClientSecureLightBearSSL.cpp
+++ b/tasmota/WiFiClientSecureLightBearSSL.cpp
@@ -872,7 +872,11 @@ extern "C" {
 
 #ifdef USE_MQTT_TLS_FORCE_EC_CIPHER
     // we support only P256 EC curve for AWS IoT, no EC curve for Letsencrypt unless forced
-    br_ssl_engine_set_ec(&cc->eng, &br_ec_p256_m15);
+    br_ssl_engine_set_ec(&cc->eng, &br_ec_p256_m15);   // TODO
+#endif
+#ifdef USE_MQTT_AWS_IOT_LIGHT
+    static const char * alpn_mqtt = "mqtt";
+    br_ssl_engine_set_protocol_names(&cc->eng, &alpn_mqtt, 1);
 #endif
   }
 }
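Review bot: The new `#elif defined(USE_MQTT_TLS_FORCE_EC_CIPHER)` branch sizes the thunk stack from an observation (`max observed 4300`) but there is no branch for `USE_MQTT_AWS_IOT_LIGHT` itself; unless that define implies `USE_MQTT_TLS_FORCE_EC_CIPHER` somewhere not visible in this diff, a LIGHT build falls through to `3600/4`, below the 4300 bytes the comment reports. If the thunk stack is a heap-allocated buffer, as in the ESP8266 StackThunk this file derives from, an undersized stack overruns neighbouring heap memory rather than failing loudly, so the margin is worth being explicit about. Suggest `#elif defined(USE_MQTT_TLS_FORCE_EC_CIPHER) || defined(USE_MQTT_AWS_IOT_LIGHT)` (or a comment at the `#if` stating that LIGHT mode enables FORCE_EC_CIPHER), and extending the comment to say on which build the figure was measured, e.g. `// no private key: max observed 4300 on <build config>, ~500 bytes margin kept`.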
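Review bot: The trailing `// TODO` added to the `br_ssl_engine_set_ec` line says nothing about what is left to do, and the `static` on `alpn_mqtt` is unexplained; both deserve a real comment. BearSSL's `br_ssl_engine_set_protocol_names` keeps the pointer to the names array rather than copying it, so the array has to outlive the call — if that is why `static` is there, say so: `static const char * alpn_mqtt = "mqtt";   // BearSSL stores this pointer, not a copy: must outlive the engine`. For the TODO, either state the open question (for instance whether the P256-only restriction is still wanted in LIGHT mode) or drop it, and a one-line note that ALPN `mqtt` is what the AWS IoT endpoint expects for user/password authentication would help the next reader, if that is the intent. The enclosing function starts outside the hunk.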
@@ -880,13 +884,6 @@ extern "C" {
 // Called by connect() to do the actual SSL setup and handshake.
 // Returns if the SSL handshake succeeded.
 bool WiFiClientSecure_light::_connectSSL(const char* hostName) {
-// #ifdef USE_MQTT_AWS_IOT
-//   if ((!_chain_P) || (!_sk_ec_P)) {
-//     setLastError(ERR_MISSING_EC_KEY);
-//     return false;
-//   }
-// #endif
-
   // Validation context, either full CA validation or checking only fingerprints
 #ifdef USE_MQTT_TLS_CA_CERT
   br_x509_minimal_context *x509_minimal;
diff --git a/tasmota/my_user_config.h b/tasmota/my_user_config.h
index 5f94c5fc0..961a82e10 100644
--- a/tasmota/my_user_config.h
+++ b/tasmota/my_user_config.h
@@ -389,7 +389,8 @@
 // #define USE_MQTT_TLS_CA_CERT             // Force full CA validation instead of fingerprints, slower, but simpler to use. (+2.2k code, +1.9k mem during connection handshake)
                                             // This includes the LetsEncrypt CA in tasmota_ca.ino for verifying server certificates
 // #define USE_MQTT_TLS_FORCE_EC_CIPHER     // Force Elliptic Curve cipher (higher security) required by some servers (automatically enabled with USE_MQTT_AWS_IOT) (+11.4k code, +0.4k mem)
-// #define USE_MQTT_AWS_IOT                 // Enable MQTT for AWS IoT - requires a private key (+11.9k code, +0.4k mem)
+// #define USE_MQTT_AWS_IOT_LIGHT           // Enable MQTT for AWS IoT in light mode, with user/password instead of private certificate
+// #define USE_MQTT_AWS_IOT                 // [Deprecated] Enable MQTT for AWS IoT - requires a private key (+11.9k code, +0.4k mem)
                                             // Note: you need to generate a private key + certificate per device and update 'tasmota/tasmota_aws_iot.cpp'
                                             // Full documentation here: https://github.com/arendst/Tasmota/wiki/AWS-IoT
 // #define USE_4K_RSA                       // Support 4096 bits certificates, instead of 2048
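Review bot: The new `USE_MQTT_AWS_IOT_LIGHT` line is the only TLS option in this block without a code/memory cost figure, and the two indented `// Note: ...` and `// Full documentation ...` lines now sit under the deprecated define although they read as applying to the whole AWS IoT group. Worth stating what differs operationally as well: with user/password instead of a device certificate, the credential travels inside the TLS session, so server validation (fingerprint or `USE_MQTT_TLS_CA_CERT`) is what keeps it from a spoofed broker. Proposed comment: `// Enable MQTT for AWS IoT in light mode, with user/password instead of private certificate (password is protected only by TLS server validation: keep fingerprints or USE_MQTT_TLS_CA_CERT enabled)`. The `[Deprecated]` tag would also be more useful with the intended replacement named, e.g. `[Deprecated, use USE_MQTT_AWS_IOT_LIGHT]`, if that is the plan.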
@@ -820,7 +821,7 @@
 #include "user_config_override.h"         // Configuration overrides for my_user_config.h
 #endif
 
-#if defined(USE_DISCOVERY) && defined(USE_MQTT_AWS_IOT)
+#if defined(USE_DISCOVERY) && (defined(USE_MQTT_AWS_IOT) || defined(USE_MQTT_AWS_IOT_LIGHT))
   #error "Select either USE_DISCOVERY or USE_MQTT_AWS_IOT, mDNS takes too much code space and is not needed for AWS IoT"
 #endif
 
diff --git a/tasmota/xdrv_02_mqtt.ino b/tasmota/xdrv_02_mqtt.ino
index 767e65b8e..bcd71005f 100644
--- a/tasmota/xdrv_02_mqtt.ino
+++ b/tasmota/xdrv_02_mqtt.ino
@@ -154,7 +154,7 @@ void MqttInit(void)
   String host = String(SettingsText(SET_MQTT_HOST));
   if (host.indexOf(".iot.") && host.endsWith(".amazonaws.com")) {       // look for ".iot." and ".amazonaws.com" in the domain name
     Settings.flag4.mqtt_no_retain = true;
-    Mqtt.tls_private_key = true;
+    // Mqtt.tls_private_key = true;
   }
 
   if (Settings.flag4.mqtt_tls) {
@@ -353,7 +353,7 @@ void MqttPublishPrefixTopic_P(uint32_t prefix, const char* subtopic, bool retain
   GetTopic_P(stopic, prefix, mqtt_topic, romram);
   MqttPublish(stopic, retained);
 
-#ifdef USE_MQTT_AWS_IOT
+#if defined(USE_MQTT_AWS_IOT) || defined(USE_MQTT_AWS_IOT_LIGHT)
   if ((prefix > 0) && (Settings.flag4.awsiot_shadow) && (Mqtt.connected)) {    // placeholder for SetOptionXX
     // compute the target topic
     char *topic = SettingsText(SET_MQTT_TOPIC);
@@ -1350,7 +1350,7 @@ void MqttSaveSettings(void)
 #endif
       WebGetArg("mc", tmp, sizeof(tmp));
       SettingsUpdateText(SET_MQTT_CLIENT, (!strlen(tmp)) ? MQTT_CLIENT_ID : tmp);
-#if defined(USE_MQTT_TLS) && defined(USE_MQTT_AWS_IOT)
+#if defined(USE_MQTT_TLS) && (defined(USE_MQTT_AWS_IOT) || defined(USE_MQTT_AWS_IOT_LIGHT))
       AddLog_P2(LOG_LEVEL_INFO, PSTR(D_LOG_MQTT D_CMND_MQTTHOST " %s, " D_CMND_MQTTPORT " %d, " D_CMND_MQTTCLIENT " %s, " D_CMND_TOPIC " %s, " D_CMND_FULLTOPIC " %s"), SettingsText(SET_MQTT_HOST), Settings.mqtt_port, SettingsText(SET_MQTT_CLIENT), SettingsText(SET_MQTT_TOPIC), SettingsText(SET_MQTT_FULLTOPIC));
 #else  // USE_MQTT_AWS_IOT
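Review bot: The `#if` condition now also fires for `USE_MQTT_AWS_IOT_LIGHT`, but the `#error` text still names only `USE_MQTT_AWS_IOT`, so a user of the light mode is told to drop a define they never set. Suggest `#error "Select either USE_DISCOVERY or USE_MQTT_AWS_IOT/USE_MQTT_AWS_IOT_LIGHT, mDNS takes too much code space and is not needed for AWS IoT"`. The same `defined(USE_MQTT_AWS_IOT) || defined(USE_MQTT_AWS_IOT_LIGHT)` pair is spelled out again in the xdrv_02_mqtt.ino hunks that follow; one derived macro defined next to this check would keep the three conditions from drifting apart.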
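Review bot: Commenting out `Mqtt.tls_private_key = true;` disables it for every build, including the deprecated key-based `USE_MQTT_AWS_IOT` one, and leaves dead code in MqttInit; if the flag is still read there, gate it instead — `#ifndef USE_MQTT_AWS_IOT_LIGHT` / `Mqtt.tls_private_key = true;` / `#endif` — and delete it outright if nothing reads it any more (its readers are not visible from this hunk). Separately, the unchanged condition on the line above, `host.indexOf(".iot.") && host.endsWith(".amazonaws.com")`, treats the -1 returned when `.iot.` is absent as true, so only the `.amazonaws.com` suffix is actually checked; `host.indexOf(".iot.") >= 0` matches what the comment says it does. MqttInit continues beyond the hunk.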