
Openssl engine support #202

Closed

Conversation

nicopernas
Contributor

These two commits enable OpenSSL engine support on both libmosquitto and broker code paths.

An OpenSSL engine can be used to offload CPU intensive cryptographic operations to dedicated hardware. The main goal behind these patches though is being able to access a TPM module (Trusted Platform Module) from mosquitto clients.

Taken from Wikipedia:

Trusted Platform Module (TPM) is an international standard for a secure cryptoprocessor, which is a dedicated microcontroller designed to secure hardware by integrating cryptographic keys into devices. TPM's technical specification was written by a computer industry consortium called Trusted Computing Group (TCG). International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) standardized the specification as ISO/IEC 11889 in 2009.

The patches add two new options to libmosquitto and mosquitto.conf.

  • tls-engine: specifies the ID of the OpenSSL engine to be used. These can be listed by running openssl engine -t.
  • keyform: specifies the key format. It can be pem (default) or engine.

All existing tests are still passing but no new ones have been added. The setup I've used to test the patches is quite complex and I didn't think it would be a good idea to incorporate it as an automated test. It involves using a TPM emulator, TrouSerS and an OpenSSL TPM engine. I have a detailed guide on how to set it up and the results I got, in case you are wondering.

Nico.
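As an added example (not code from this pull request or from the mosquitto project), a small POSIX sh check for the two option values described above: it confirms that an engine ID is reported as loadable by `openssl engine -t` before it is handed to tls-engine, and that keyform engine is only accepted together with such an ID. The engine listing below is a constructed sample of that command's output; the engine IDs in it, including tpm, are assumptions.

```shell
#!/bin/sh
# Added example, not part of the pull request: sanity-check the values meant
# for the new tls-engine / keyform options before writing them into a config.
# Constructed sample of `openssl engine -t` output (engine IDs are assumptions).
SAMPLE_ENGINE_LIST='(rdrand) Intel RDRAND engine
     [ available ]
(dynamic) Dynamic engine loading support
     [ unavailable ]
(tpm) TPM hardware engine support
     [ available ]'

# engine_status ID LISTING
# Prints "available", "unavailable" or "missing" for engine ID in LISTING.
# The listing alternates "(id) description" lines with "     [ status ]" lines.
engine_status() {
    printf '%s\n' "$2" | awk -v id="$1" '
        /^\(/ { cur = substr($1, 2, length($1) - 2); next }
        /^[ \t]*\[/ && cur == id { print $2; found = 1; exit }
        END { if (!found) print "missing" }'
}

# live_engine_status ID: the same check against the local OpenSSL build.
live_engine_status() {
    engine_status "$1" "$(openssl engine -t 2>/dev/null)"
}

# validate_tls_options ENGINE_ID KEYFORM LISTING
# keyform pem needs no engine; keyform engine needs an ID that is loadable.
validate_tls_options() {
    engine=$1 keyform=$2 listing=$3
    case $keyform in
        pem) return 0 ;;
        engine) ;;
        *) echo "keyform must be pem or engine, got '$keyform'" >&2; return 1 ;;
    esac
    [ -n "$engine" ] || { echo "keyform engine requires tls-engine" >&2; return 1; }
    st=$(engine_status "$engine" "$listing")
    [ "$st" = available ] || { echo "engine '$engine' is $st" >&2; return 1; }
}

# Example use: a rejected combination, then an accepted one.
validate_tls_options "" engine "$SAMPLE_ENGINE_LIST" || echo "rejected as expected"
validate_tls_options tpm engine "$SAMPLE_ENGINE_LIST" && echo "tls-engine tpm, keyform engine: ok"
```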

Nicolás Pernas Maradei added 2 commits July 2, 2016 15:19
- Clients can now offload crypto tasks to an external crypto device through
  the OpenSSL ENGINE API.
- The keyfiles can now be treated as PEM or ENGINE keys.
- Two new functions were added to libmosquitto to set up the previously
  mentioned features.
- Both mosquitto_sub and mosquitto_pub include support to turn on the mentioned
  features through command line options.

Signed-off-by: Nicolás Pernas Maradei <[email protected]>
Add same OpenSSL engine support to mosquitto (server side) previously added to
client side only.

Signed-off-by: Nicolás Pernas Maradei <[email protected]>
@ralight
Contributor

ralight commented Jul 5, 2016

Thanks for this, I'm looking at it and will get back to you.

@nicopernas
Contributor Author

Hi Roger, did you get a chance to look into the patch? It looks like the branch which I forked from has changed quite a lot since July and the patch does not apply anymore. Should I upload a new version of it?

Thanks,
Nico.

@perrettecl

Hello,
Is it possible to know when this feature will be integrated? Thank you.

@ralight
Contributor

ralight commented Aug 9, 2018

This is a worthwhile PR. It wasn't included in version 1.5, but I'd be keen on getting it into the next features release. Are you willing to take a look at it again? If you are, please base it on the develop branch. I plan to release version 1.5.1 next week, then will merge what is currently the fixes branch into it, but there shouldn't be much trouble with it.

@nicopernas
Contributor Author

It's going to be hard to test but let me see what I can do. I used to have the environment set up and a guide on how to do it again, but that stayed with my previous job :)
Maybe someone else is willing to help with the testing part?

I'll try to send something over the weekend.

Nico.

@nicopernas
Contributor Author

I've rebased my changes from develop and they build, so that's a good first step. I am going to give the testing a try.
Bad news is I don't have permissions to push to my original fork, so I think I'd have to create a new PR, not sure if I can re-write this one.

@ralight
Contributor

ralight commented Aug 9, 2018

If it means having to create a new PR, that's no problem for me. Good work on the fast response.

@nicopernas
Contributor Author

I've created #915 with a revisited version of these changes. Feel free to close this one.

@ralight
Contributor

ralight commented Aug 13, 2018

Closing as requested, I'll be looking at the new one tomorrow hopefully.

@ralight ralight closed this Aug 13, 2018
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 11, 2022