..
TLSSocketWrapper.cpp@0:5f745af3ec9b, 2019-08-23 (annotated)
- Committer:
- ImranBilalButt
- Date:
- Fri Aug 23 13:29:35 2019 +0000
- Revision:
- 0:5f745af3ec9b
- Child:
- 1:a6995e66c9f7
..
Who changed what in which revision?
User | Revision | Line number | New contents of line |
---|---|---|---|
ImranBilalButt | 0:5f745af3ec9b | 1 | /* |
ImranBilalButt | 0:5f745af3ec9b | 2 | * PackageLicenseDeclared: Apache-2.0 |
ImranBilalButt | 0:5f745af3ec9b | 3 | * Copyright (c) 2017 ARM Limited |
ImranBilalButt | 0:5f745af3ec9b | 4 | * |
ImranBilalButt | 0:5f745af3ec9b | 5 | * Licensed under the Apache License, Version 2.0 (the "License"); |
ImranBilalButt | 0:5f745af3ec9b | 6 | * you may not use this file except in compliance with the License. |
ImranBilalButt | 0:5f745af3ec9b | 7 | * You may obtain a copy of the License at |
ImranBilalButt | 0:5f745af3ec9b | 8 | * |
ImranBilalButt | 0:5f745af3ec9b | 9 | * http://www.apache.org/licenses/LICENSE-2.0 |
ImranBilalButt | 0:5f745af3ec9b | 10 | * |
ImranBilalButt | 0:5f745af3ec9b | 11 | * Unless required by applicable law or agreed to in writing, software |
ImranBilalButt | 0:5f745af3ec9b | 12 | * distributed under the License is distributed on an "AS IS" BASIS, |
ImranBilalButt | 0:5f745af3ec9b | 13 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
ImranBilalButt | 0:5f745af3ec9b | 14 | * See the License for the specific language governing permissions and |
ImranBilalButt | 0:5f745af3ec9b | 15 | * limitations under the License. |
ImranBilalButt | 0:5f745af3ec9b | 16 | */ |
ImranBilalButt | 0:5f745af3ec9b | 17 | |
ImranBilalButt | 0:5f745af3ec9b | 18 | #include "TLSSocketWrapper.h" |
ImranBilalButt | 0:5f745af3ec9b | 19 | #include "drivers/Timer.h" |
ImranBilalButt | 0:5f745af3ec9b | 20 | |
ImranBilalButt | 0:5f745af3ec9b | 21 | #define TRACE_GROUP "TLSW" |
ImranBilalButt | 0:5f745af3ec9b | 22 | #include "mbed-trace/mbed_trace.h" |
ImranBilalButt | 0:5f745af3ec9b | 23 | #include "mbed_mem_trace.h" |
ImranBilalButt | 0:5f745af3ec9b | 24 | #include "mbedtls/debug.h" |
ImranBilalButt | 0:5f745af3ec9b | 25 | //#include "mbedtls/config.h" |
ImranBilalButt | 0:5f745af3ec9b | 26 | //#include "mbedtls/timing.h" |
ImranBilalButt | 0:5f745af3ec9b | 27 | //#include "timing_alt.h" |
ImranBilalButt | 0:5f745af3ec9b | 28 | |
ImranBilalButt | 0:5f745af3ec9b | 29 | TLSSocketWrapper::TLSSocketWrapper(Socket *transport, const char *hostname) : |
ImranBilalButt | 0:5f745af3ec9b | 30 | _client_auth(false), |
ImranBilalButt | 0:5f745af3ec9b | 31 | _keep_transport_open(false), |
ImranBilalButt | 0:5f745af3ec9b | 32 | _handshake_completed(false), |
ImranBilalButt | 0:5f745af3ec9b | 33 | _transport(transport) |
ImranBilalButt | 0:5f745af3ec9b | 34 | { |
ImranBilalButt | 0:5f745af3ec9b | 35 | tls_init(); |
ImranBilalButt | 0:5f745af3ec9b | 36 | if (hostname) { |
ImranBilalButt | 0:5f745af3ec9b | 37 | set_hostname(hostname); |
ImranBilalButt | 0:5f745af3ec9b | 38 | } |
ImranBilalButt | 0:5f745af3ec9b | 39 | } |
ImranBilalButt | 0:5f745af3ec9b | 40 | |
ImranBilalButt | 0:5f745af3ec9b | 41 | TLSSocketWrapper::~TLSSocketWrapper() { |
ImranBilalButt | 0:5f745af3ec9b | 42 | if (_transport) { |
ImranBilalButt | 0:5f745af3ec9b | 43 | close(); |
ImranBilalButt | 0:5f745af3ec9b | 44 | } |
ImranBilalButt | 0:5f745af3ec9b | 45 | } |
ImranBilalButt | 0:5f745af3ec9b | 46 | |
ImranBilalButt | 0:5f745af3ec9b | 47 | void TLSSocketWrapper::set_hostname(const char *hostname) |
ImranBilalButt | 0:5f745af3ec9b | 48 | { |
ImranBilalButt | 0:5f745af3ec9b | 49 | if (is_tls_allocated()) { |
ImranBilalButt | 0:5f745af3ec9b | 50 | printf("ssl hostname is set\n"); |
ImranBilalButt | 0:5f745af3ec9b | 51 | mbedtls_ssl_set_hostname(_ssl, hostname); |
ImranBilalButt | 0:5f745af3ec9b | 52 | } |
ImranBilalButt | 0:5f745af3ec9b | 53 | } |
ImranBilalButt | 0:5f745af3ec9b | 54 | |
ImranBilalButt | 0:5f745af3ec9b | 55 | void TLSSocketWrapper::keep_transport_open() |
ImranBilalButt | 0:5f745af3ec9b | 56 | { |
ImranBilalButt | 0:5f745af3ec9b | 57 | _keep_transport_open = true; |
ImranBilalButt | 0:5f745af3ec9b | 58 | } |
ImranBilalButt | 0:5f745af3ec9b | 59 | |
ImranBilalButt | 0:5f745af3ec9b | 60 | nsapi_error_t TLSSocketWrapper::set_root_ca_cert(const void *root_ca, size_t len) |
ImranBilalButt | 0:5f745af3ec9b | 61 | { |
ImranBilalButt | 0:5f745af3ec9b | 62 | if (!is_tls_allocated()) { |
ImranBilalButt | 0:5f745af3ec9b | 63 | return NSAPI_ERROR_NO_SOCKET; |
ImranBilalButt | 0:5f745af3ec9b | 64 | } |
ImranBilalButt | 0:5f745af3ec9b | 65 | /* Parse CA certification */ |
ImranBilalButt | 0:5f745af3ec9b | 66 | int ret; |
ImranBilalButt | 0:5f745af3ec9b | 67 | if ((ret = mbedtls_x509_crt_parse(_cacert, static_cast<const unsigned char *>(root_ca), |
ImranBilalButt | 0:5f745af3ec9b | 68 | len)) != 0) { |
ImranBilalButt | 0:5f745af3ec9b | 69 | print_mbedtls_error("mbedtls_x509_crt_parse", ret); |
ImranBilalButt | 0:5f745af3ec9b | 70 | return NSAPI_ERROR_PARAMETER; |
ImranBilalButt | 0:5f745af3ec9b | 71 | } |
ImranBilalButt | 0:5f745af3ec9b | 72 | printf("Root CA Certificate Setting ... OK\n"); |
ImranBilalButt | 0:5f745af3ec9b | 73 | return NSAPI_ERROR_OK; |
ImranBilalButt | 0:5f745af3ec9b | 74 | |
ImranBilalButt | 0:5f745af3ec9b | 75 | } |
ImranBilalButt | 0:5f745af3ec9b | 76 | nsapi_error_t TLSSocketWrapper::set_root_ca_cert(const char *root_ca_pem) |
ImranBilalButt | 0:5f745af3ec9b | 77 | { |
ImranBilalButt | 0:5f745af3ec9b | 78 | return set_root_ca_cert(root_ca_pem, strlen(root_ca_pem) + 1); |
ImranBilalButt | 0:5f745af3ec9b | 79 | } |
ImranBilalButt | 0:5f745af3ec9b | 80 | |
ImranBilalButt | 0:5f745af3ec9b | 81 | nsapi_error_t TLSSocketWrapper::set_client_cert_key(const char *client_cert_pem, const char *client_private_key_pem) |
ImranBilalButt | 0:5f745af3ec9b | 82 | { |
ImranBilalButt | 0:5f745af3ec9b | 83 | return set_client_cert_key(client_cert_pem, strlen(client_cert_pem) + 1, client_private_key_pem, strlen(client_private_key_pem) + 1); |
ImranBilalButt | 0:5f745af3ec9b | 84 | } |
ImranBilalButt | 0:5f745af3ec9b | 85 | |
ImranBilalButt | 0:5f745af3ec9b | 86 | nsapi_error_t TLSSocketWrapper::set_client_cert_key(const void *client_cert, size_t client_cert_len, |
ImranBilalButt | 0:5f745af3ec9b | 87 | const void *client_private_key_pem, size_t client_private_key_len) |
ImranBilalButt | 0:5f745af3ec9b | 88 | { |
ImranBilalButt | 0:5f745af3ec9b | 89 | if (!is_tls_allocated()) { |
ImranBilalButt | 0:5f745af3ec9b | 90 | return NSAPI_ERROR_NO_SOCKET; |
ImranBilalButt | 0:5f745af3ec9b | 91 | } |
ImranBilalButt | 0:5f745af3ec9b | 92 | int ret; |
ImranBilalButt | 0:5f745af3ec9b | 93 | |
ImranBilalButt | 0:5f745af3ec9b | 94 | if((NULL != client_cert) && (NULL != client_private_key_pem)) { |
ImranBilalButt | 0:5f745af3ec9b | 95 | mbedtls_x509_crt_init(_clicert); |
ImranBilalButt | 0:5f745af3ec9b | 96 | if((ret = mbedtls_x509_crt_parse(_clicert, static_cast<const unsigned char *>(client_cert), |
ImranBilalButt | 0:5f745af3ec9b | 97 | client_cert_len)) != 0) { |
ImranBilalButt | 0:5f745af3ec9b | 98 | print_mbedtls_error("mbedtls_x509_crt_parse", ret); |
ImranBilalButt | 0:5f745af3ec9b | 99 | return NSAPI_ERROR_PARAMETER; |
ImranBilalButt | 0:5f745af3ec9b | 100 | } |
ImranBilalButt | 0:5f745af3ec9b | 101 | printf("Client Certificate Setting ... ok\n"); |
ImranBilalButt | 0:5f745af3ec9b | 102 | mbedtls_pk_init(_pkctx); |
ImranBilalButt | 0:5f745af3ec9b | 103 | if((ret = mbedtls_pk_parse_key(_pkctx, static_cast<const unsigned char *>(client_private_key_pem), |
ImranBilalButt | 0:5f745af3ec9b | 104 | client_private_key_len, NULL, 0)) != 0) { |
ImranBilalButt | 0:5f745af3ec9b | 105 | print_mbedtls_error("mbedtls_pk_parse_key", ret); |
ImranBilalButt | 0:5f745af3ec9b | 106 | return NSAPI_ERROR_PARAMETER; |
ImranBilalButt | 0:5f745af3ec9b | 107 | } |
ImranBilalButt | 0:5f745af3ec9b | 108 | printf("Client pvt. Key Setting ... ok\n"); |
ImranBilalButt | 0:5f745af3ec9b | 109 | _client_auth = true; |
ImranBilalButt | 0:5f745af3ec9b | 110 | } |
ImranBilalButt | 0:5f745af3ec9b | 111 | return NSAPI_ERROR_OK; |
ImranBilalButt | 0:5f745af3ec9b | 112 | } |
ImranBilalButt | 0:5f745af3ec9b | 113 | |
ImranBilalButt | 0:5f745af3ec9b | 114 | int TLSSocketWrapper::set_client_kpsa_kpsaID_cipher(){ |
ImranBilalButt | 0:5f745af3ec9b | 115 | const unsigned char _kpsa[5] = { 0x05, 0x04, 0x03, 0x02, 0x01 }; |
ImranBilalButt | 0:5f745af3ec9b | 116 | // const unsigned char *_kpsa = "1a2b3c4d5e1a2b3c4d5e"; // 4 Bytes PSK |
ImranBilalButt | 0:5f745af3ec9b | 117 | const unsigned char *_kpsaID = "AE456-LOCK@in.provider.com"; // 15 Bytes PSK-ID |
ImranBilalButt | 0:5f745af3ec9b | 118 | /* The supported CERT ciphersuites are as follows: |
ImranBilalButt | 0:5f745af3ec9b | 119 | CipherSuite TLS_RSA_WITH_AES_128_CCM = {0xC0,0x9C} |
ImranBilalButt | 0:5f745af3ec9b | 120 | CipherSuite TLS_RSA_WITH_AES_256_CCM = {0xC0,0x9D) |
ImranBilalButt | 0:5f745af3ec9b | 121 | CipherSuite TLS_DHE_RSA_WITH_AES_128_CCM = {0xC0,0x9E} |
ImranBilalButt | 0:5f745af3ec9b | 122 | CipherSuite TLS_DHE_RSA_WITH_AES_256_CCM = {0xC0,0x9F} |
ImranBilalButt | 0:5f745af3ec9b | 123 | CipherSuite TLS_RSA_WITH_AES_128_CCM_8 = {0xC0,0xA0} |
ImranBilalButt | 0:5f745af3ec9b | 124 | CipherSuite TLS_RSA_WITH_AES_256_CCM_8 = {0xC0,0xA1) |
ImranBilalButt | 0:5f745af3ec9b | 125 | CipherSuite TLS_DHE_RSA_WITH_AES_128_CCM_8 = {0xC0,0xA2} |
ImranBilalButt | 0:5f745af3ec9b | 126 | CipherSuite TLS_DHE_RSA_WITH_AES_256_CCM_8 = {0xC0,0xA3} |
ImranBilalButt | 0:5f745af3ec9b | 127 | // The supported PSK ciphersuites are as follows: |
ImranBilalButt | 0:5f745af3ec9b | 128 | CipherSuite TLS_PSK_WITH_AES_128_CCM = {0xC0,0xA4} |
ImranBilalButt | 0:5f745af3ec9b | 129 | CipherSuite TLS_PSK_WITH_AES_256_CCM = {0xC0,0xA5) |
ImranBilalButt | 0:5f745af3ec9b | 130 | CipherSuite TLS_DHE_PSK_WITH_AES_128_CCM = {0xC0,0xA6} |
ImranBilalButt | 0:5f745af3ec9b | 131 | CipherSuite TLS_DHE_PSK_WITH_AES_256_CCM = {0xC0,0xA7} |
ImranBilalButt | 0:5f745af3ec9b | 132 | CipherSuite TLS_PSK_WITH_AES_128_CCM_8 = {0xC0,0xA8} |
ImranBilalButt | 0:5f745af3ec9b | 133 | CipherSuite TLS_PSK_WITH_AES_256_CCM_8 = {0xC0,0xA9) |
ImranBilalButt | 0:5f745af3ec9b | 134 | CipherSuite TLS_PSK_DHE_WITH_AES_128_CCM_8 = {0xC0,0xAA} |
ImranBilalButt | 0:5f745af3ec9b | 135 | CipherSuite TLS_PSK_DHE_WITH_AES_256_CCM_8 = {0xC0,0xAB} |
ImranBilalButt | 0:5f745af3ec9b | 136 | // The supported PSK Cipher is (TLS) |
ImranBilalButt | 0:5f745af3ec9b | 137 | TLS_PSK_WITH_RC4_128_SHA = { 0x00, 0x8A }; |
ImranBilalButt | 0:5f745af3ec9b | 138 | TLS_PSK_WITH_3DES_EDE_CBC_SHA = { 0x00, 0x8B }; |
ImranBilalButt | 0:5f745af3ec9b | 139 | TLS_PSK_WITH_AES_128_CBC_SHA = { 0x00, 0x8C }; |
ImranBilalButt | 0:5f745af3ec9b | 140 | TLS_PSK_WITH_AES_256_CBC_SHA = { 0x00, 0x8D }; */ |
ImranBilalButt | 0:5f745af3ec9b | 141 | /*int cipher[10]; |
ImranBilalButt | 0:5f745af3ec9b | 142 | for(int i=0; i<4; i++) { |
ImranBilalButt | 0:5f745af3ec9b | 143 | cipher[i*2]=0; |
ImranBilalButt | 0:5f745af3ec9b | 144 | cipher[i*2+1]=0x8A+i; |
ImranBilalButt | 0:5f745af3ec9b | 145 | } |
ImranBilalButt | 0:5f745af3ec9b | 146 | cipher[8] = 0; |
ImranBilalButt | 0:5f745af3ec9b | 147 | cipher[9] = 0; */ |
ImranBilalButt | 0:5f745af3ec9b | 148 | |
ImranBilalButt | 0:5f745af3ec9b | 149 | /*mbedtls_ssl_conf_ciphersuites(_ssl_conf, cipher); |
ImranBilalButt | 0:5f745af3ec9b | 150 | printf("mbedtls_ssl_conf_ciphersuites() .. ok\n"); |
ImranBilalButt | 0:5f745af3ec9b | 151 | |
ImranBilalButt | 0:5f745af3ec9b | 152 | int cipher; |
ImranBilalButt | 0:5f745af3ec9b | 153 | const int *cipherPTR; |
ImranBilalButt | 0:5f745af3ec9b | 154 | cipher = MBEDTLS_SSL_CIPHERSUITES; |
ImranBilalButt | 0:5f745af3ec9b | 155 | cipherPTR = &cipher; */ |
ImranBilalButt | 0:5f745af3ec9b | 156 | |
ImranBilalButt | 0:5f745af3ec9b | 157 | int kpsa_len = strlen((const char*) _kpsa); |
ImranBilalButt | 0:5f745af3ec9b | 158 | int kpsaID_len = strlen((const char*) _kpsaID); |
ImranBilalButt | 0:5f745af3ec9b | 159 | int ret; |
ImranBilalButt | 0:5f745af3ec9b | 160 | mbedtls_ssl_set_hs_psk(_ssl, _kpsa, kpsa_len); |
ImranBilalButt | 0:5f745af3ec9b | 161 | if( (ret = mbedtls_ssl_conf_psk(_ssl_conf, _kpsa, kpsa_len , _kpsaID, kpsaID_len)) != 0){ |
ImranBilalButt | 0:5f745af3ec9b | 162 | print_mbedtls_error("mbedtls_psk_error", ret); |
ImranBilalButt | 0:5f745af3ec9b | 163 | // return NSAPI_ERROR_PARAMETER; |
ImranBilalButt | 0:5f745af3ec9b | 164 | return -1; |
ImranBilalButt | 0:5f745af3ec9b | 165 | } |
ImranBilalButt | 0:5f745af3ec9b | 166 | printf("Ok.\n"); |
ImranBilalButt | 0:5f745af3ec9b | 167 | return 0; |
ImranBilalButt | 0:5f745af3ec9b | 168 | } |
ImranBilalButt | 0:5f745af3ec9b | 169 | |
ImranBilalButt | 0:5f745af3ec9b | 170 | nsapi_error_t TLSSocketWrapper::do_handshake() { |
ImranBilalButt | 0:5f745af3ec9b | 171 | nsapi_error_t _error; |
ImranBilalButt | 0:5f745af3ec9b | 172 | const char DRBG_PERS[] = "mbed TLS client"; |
ImranBilalButt | 0:5f745af3ec9b | 173 | |
ImranBilalButt | 0:5f745af3ec9b | 174 | const int *cipherArray; |
ImranBilalButt | 0:5f745af3ec9b | 175 | cipherArray = mbedtls_ssl_list_ciphersuites(); |
ImranBilalButt | 0:5f745af3ec9b | 176 | printf("[+] The allowed ciphersuites are: \n"); |
ImranBilalButt | 0:5f745af3ec9b | 177 | int i = 0; |
ImranBilalButt | 0:5f745af3ec9b | 178 | while (cipherArray[i] != 0) { |
ImranBilalButt | 0:5f745af3ec9b | 179 | printf("[.] cipherArray[%d] = %d\n", i, cipherArray[i]); |
ImranBilalButt | 0:5f745af3ec9b | 180 | i++; |
ImranBilalButt | 0:5f745af3ec9b | 181 | } |
ImranBilalButt | 0:5f745af3ec9b | 182 | |
ImranBilalButt | 0:5f745af3ec9b | 183 | if (!_transport) { |
ImranBilalButt | 0:5f745af3ec9b | 184 | printf("[-] transport/socket not available\n"); |
ImranBilalButt | 0:5f745af3ec9b | 185 | return NSAPI_ERROR_NO_SOCKET; |
ImranBilalButt | 0:5f745af3ec9b | 186 | } |
ImranBilalButt | 0:5f745af3ec9b | 187 | if (!is_tls_allocated()) { |
ImranBilalButt | 0:5f745af3ec9b | 188 | printf("[-] no tls allocated\n"); |
ImranBilalButt | 0:5f745af3ec9b | 189 | return NSAPI_ERROR_NO_SOCKET; |
ImranBilalButt | 0:5f745af3ec9b | 190 | } |
ImranBilalButt | 0:5f745af3ec9b | 191 | |
ImranBilalButt | 0:5f745af3ec9b | 192 | _transport->set_blocking(false); |
ImranBilalButt | 0:5f745af3ec9b | 193 | /* |
ImranBilalButt | 0:5f745af3ec9b | 194 | * Initialize TLS-related stuf. |
ImranBilalButt | 0:5f745af3ec9b | 195 | */ |
ImranBilalButt | 0:5f745af3ec9b | 196 | int ret; |
ImranBilalButt | 0:5f745af3ec9b | 197 | if ((ret = mbedtls_ctr_drbg_seed(_ctr_drbg, mbedtls_entropy_func, _entropy, |
ImranBilalButt | 0:5f745af3ec9b | 198 | (const unsigned char *) DRBG_PERS, |
ImranBilalButt | 0:5f745af3ec9b | 199 | sizeof (DRBG_PERS))) != 0) { |
ImranBilalButt | 0:5f745af3ec9b | 200 | print_mbedtls_error("mbedtls_crt_drbg_init", ret); |
ImranBilalButt | 0:5f745af3ec9b | 201 | _error = ret; |
ImranBilalButt | 0:5f745af3ec9b | 202 | return _error; |
ImranBilalButt | 0:5f745af3ec9b | 203 | } |
ImranBilalButt | 0:5f745af3ec9b | 204 | |
ImranBilalButt | 0:5f745af3ec9b | 205 | printf("[+] Configuring a dtls-client session initiation ... "); |
ImranBilalButt | 0:5f745af3ec9b | 206 | mbedtls_ssl_conf_endpoint(_ssl_conf, MBEDTLS_SSL_IS_CLIENT); |
ImranBilalButt | 0:5f745af3ec9b | 207 | mbedtls_ssl_conf_transport(_ssl_conf, MBEDTLS_SSL_TRANSPORT_DATAGRAM); |
ImranBilalButt | 0:5f745af3ec9b | 208 | |
ImranBilalButt | 0:5f745af3ec9b | 209 | tr_info("mbedtls_ssl_config_defaults()"); |
ImranBilalButt | 0:5f745af3ec9b | 210 | if ((ret = mbedtls_ssl_config_defaults(_ssl_conf, |
ImranBilalButt | 0:5f745af3ec9b | 211 | MBEDTLS_SSL_IS_CLIENT, |
ImranBilalButt | 0:5f745af3ec9b | 212 | MBEDTLS_SSL_TRANSPORT_DATAGRAM, |
ImranBilalButt | 0:5f745af3ec9b | 213 | MBEDTLS_SSL_PRESET_DEFAULT)) != 0) { |
ImranBilalButt | 0:5f745af3ec9b | 214 | print_mbedtls_error("mbedtls_ssl_config_defaults", ret); |
ImranBilalButt | 0:5f745af3ec9b | 215 | _error = ret; |
ImranBilalButt | 0:5f745af3ec9b | 216 | return _error; |
ImranBilalButt | 0:5f745af3ec9b | 217 | } |
ImranBilalButt | 0:5f745af3ec9b | 218 | tr_info("mbedtls_ssl_conf_ca_chain()"); |
ImranBilalButt | 0:5f745af3ec9b | 219 | mbedtls_ssl_conf_ca_chain(_ssl_conf, _cacert, NULL); |
ImranBilalButt | 0:5f745af3ec9b | 220 | tr_info("mbedtls_ssl_conf_rng()"); |
ImranBilalButt | 0:5f745af3ec9b | 221 | mbedtls_ssl_conf_rng(_ssl_conf, mbedtls_ctr_drbg_random, _ctr_drbg); |
ImranBilalButt | 0:5f745af3ec9b | 222 | printf("ok\n"); |
ImranBilalButt | 0:5f745af3ec9b | 223 | |
ImranBilalButt | 0:5f745af3ec9b | 224 | /* It is possible to disable authentication by passing |
ImranBilalButt | 0:5f745af3ec9b | 225 | MBEDTLS_SSL_VERIFY_NONE in the call to mbedtls_ssl_conf_authmode() |
ImranBilalButt | 0:5f745af3ec9b | 226 | */ |
ImranBilalButt | 0:5f745af3ec9b | 227 | printf("[+] Configuring the Session Information ... "); |
ImranBilalButt | 0:5f745af3ec9b | 228 | tr_info("mbedtls_ssl_conf_authmode()"); |
ImranBilalButt | 0:5f745af3ec9b | 229 | mbedtls_ssl_conf_authmode(_ssl_conf, MBEDTLS_SSL_VERIFY_NONE); |
ImranBilalButt | 0:5f745af3ec9b | 230 | |
ImranBilalButt | 0:5f745af3ec9b | 231 | mbedtls_ssl_conf_verify(_ssl_conf, my_verify, NULL); |
ImranBilalButt | 0:5f745af3ec9b | 232 | mbedtls_ssl_conf_dbg(_ssl_conf, my_debug, NULL); |
ImranBilalButt | 0:5f745af3ec9b | 233 | mbedtls_debug_set_threshold(3); |
ImranBilalButt | 0:5f745af3ec9b | 234 | |
ImranBilalButt | 0:5f745af3ec9b | 235 | /* configure the timers for retransmission of lost handshake messages |
ImranBilalButt | 0:5f745af3ec9b | 236 | 1,000 milli-sec minimum time to 6,000 milli-sec maximum delay */ |
ImranBilalButt | 0:5f745af3ec9b | 237 | mbedtls_ssl_conf_handshake_timeout(_ssl_conf, 1000, 6000); |
ImranBilalButt | 0:5f745af3ec9b | 238 | |
ImranBilalButt | 0:5f745af3ec9b | 239 | /* Anti-Replay Protection */ |
ImranBilalButt | 0:5f745af3ec9b | 240 | mbedtls_ssl_conf_dtls_anti_replay(_ssl_conf, MBEDTLS_SSL_ANTI_REPLAY_ENABLED); |
ImranBilalButt | 0:5f745af3ec9b | 241 | |
ImranBilalButt | 0:5f745af3ec9b | 242 | /* Bad Mac Limit for 10 Packets */ |
ImranBilalButt | 0:5f745af3ec9b | 243 | mbedtls_ssl_conf_dtls_badmac_limit(_ssl_conf, 10); |
ImranBilalButt | 0:5f745af3ec9b | 244 | |
ImranBilalButt | 0:5f745af3ec9b | 245 | /* Set the limit for the Maximum Transmission Unit for DTLS Payload |
ImranBilalButt | 0:5f745af3ec9b | 246 | {1500 Bits Set} */ |
ImranBilalButt | 0:5f745af3ec9b | 247 | mbedtls_ssl_set_mtu( _ssl , 1500 ); |
ImranBilalButt | 0:5f745af3ec9b | 248 | |
ImranBilalButt | 0:5f745af3ec9b | 249 | tr_info("mbedtls_ssl_setup()"); |
ImranBilalButt | 0:5f745af3ec9b | 250 | if ((ret = mbedtls_ssl_setup(_ssl, _ssl_conf)) != 0) { |
ImranBilalButt | 0:5f745af3ec9b | 251 | print_mbedtls_error("mbedtls_ssl_setup", ret); |
ImranBilalButt | 0:5f745af3ec9b | 252 | _error = ret; |
ImranBilalButt | 0:5f745af3ec9b | 253 | return _error; |
ImranBilalButt | 0:5f745af3ec9b | 254 | } |
ImranBilalButt | 0:5f745af3ec9b | 255 | printf("ok\n"); |
ImranBilalButt | 0:5f745af3ec9b | 256 | |
ImranBilalButt | 0:5f745af3ec9b | 257 | printf("[+] Configuring the Bio ... "); |
ImranBilalButt | 0:5f745af3ec9b | 258 | mbedtls_ssl_set_bio(_ssl, this, ssl_send, ssl_recv, NULL ); |
ImranBilalButt | 0:5f745af3ec9b | 259 | printf("ok\n"); |
ImranBilalButt | 0:5f745af3ec9b | 260 | |
ImranBilalButt | 0:5f745af3ec9b | 261 | if(_client_auth) { |
ImranBilalButt | 0:5f745af3ec9b | 262 | printf("[+] Configuring Client's pvtKey & certKey ... "); |
ImranBilalButt | 0:5f745af3ec9b | 263 | if((ret = mbedtls_ssl_conf_own_cert(_ssl_conf, _clicert, _pkctx)) != 0) { |
ImranBilalButt | 0:5f745af3ec9b | 264 | print_mbedtls_error("mbedtls_ssl_conf_own_cert", ret); |
ImranBilalButt | 0:5f745af3ec9b | 265 | _error = ret; |
ImranBilalButt | 0:5f745af3ec9b | 266 | return _error; |
ImranBilalButt | 0:5f745af3ec9b | 267 | } |
ImranBilalButt | 0:5f745af3ec9b | 268 | printf("ok\n"); |
ImranBilalButt | 0:5f745af3ec9b | 269 | } |
ImranBilalButt | 0:5f745af3ec9b | 270 | |
ImranBilalButt | 0:5f745af3ec9b | 271 | printf("[+] Timing Call-Back Setting ... "); |
ImranBilalButt | 0:5f745af3ec9b | 272 | mbedtls_ssl_set_timer_cb(_ssl, _ssl_timer, mbedtls_timing_set_delay, mbedtls_timing_get_delay); |
ImranBilalButt | 0:5f745af3ec9b | 273 | printf("ok\n"); |
ImranBilalButt | 0:5f745af3ec9b | 274 | |
ImranBilalButt | 0:5f745af3ec9b | 275 | /* Start the handshake, the rest will be done in onReceive() */ |
ImranBilalButt | 0:5f745af3ec9b | 276 | //uint32_t init, final, TCPH, TTPH; |
ImranBilalButt | 0:5f745af3ec9b | 277 | printf("[+] DTLS Handshake Connecting \n"); |
ImranBilalButt | 0:5f745af3ec9b | 278 | //init = osKernelGetTickCount(); |
ImranBilalButt | 0:5f745af3ec9b | 279 | if ((ret = mbedtls_ssl_handshake(_ssl)) != 0) { |
ImranBilalButt | 0:5f745af3ec9b | 280 | printf("[-] mbedtls_ssl_handshake error %d\n", ret); |
ImranBilalButt | 0:5f745af3ec9b | 281 | return ret; |
ImranBilalButt | 0:5f745af3ec9b | 282 | } |
ImranBilalButt | 0:5f745af3ec9b | 283 | else { |
ImranBilalButt | 0:5f745af3ec9b | 284 | //final = osKernelGetTickCount(); |
ImranBilalButt | 0:5f745af3ec9b | 285 | printf("[+] DTLS Hanshake Connected \n"); |
ImranBilalButt | 0:5f745af3ec9b | 286 | } |
ImranBilalButt | 0:5f745af3ec9b | 287 | |
ImranBilalButt | 0:5f745af3ec9b | 288 | //TCPH = final - init; |
ImranBilalButt | 0:5f745af3ec9b | 289 | //TTPH = TCPH/osKernelGetTickFreq(); |
ImranBilalButt | 0:5f745af3ec9b | 290 | |
ImranBilalButt | 0:5f745af3ec9b | 291 | //printf("\nTCPH: %d\n", TCPH); |
ImranBilalButt | 0:5f745af3ec9b | 292 | //printf("\nTTPH: %d\n", TTPH); |
ImranBilalButt | 0:5f745af3ec9b | 293 | //printf("\nTickFreq: %d\n", osKernelGetTickFreq()); |
ImranBilalButt | 0:5f745af3ec9b | 294 | |
ImranBilalButt | 0:5f745af3ec9b | 295 | /* It also means the handshake is done, time to print info */ |
ImranBilalButt | 0:5f745af3ec9b | 296 | tr_info("[+] TLS connection to %s established\r\n", _ssl->hostname); |
ImranBilalButt | 0:5f745af3ec9b | 297 | // Prints the server certificate and verify it. |
ImranBilalButt | 0:5f745af3ec9b | 298 | |
ImranBilalButt | 0:5f745af3ec9b | 299 | const size_t buf_size = 1024; |
ImranBilalButt | 0:5f745af3ec9b | 300 | char* buf = new char[buf_size]; |
ImranBilalButt | 0:5f745af3ec9b | 301 | mbedtls_x509_crt_info(buf, buf_size, "\r ", mbedtls_ssl_get_peer_cert(_ssl)); |
ImranBilalButt | 0:5f745af3ec9b | 302 | tr_debug("[+] Server certificate:\r\n%s\r\n", buf); |
ImranBilalButt | 0:5f745af3ec9b | 303 | |
ImranBilalButt | 0:5f745af3ec9b | 304 | uint32_t flags = mbedtls_ssl_get_verify_result(_ssl); |
ImranBilalButt | 0:5f745af3ec9b | 305 | if( flags != 0 ) { |
ImranBilalButt | 0:5f745af3ec9b | 306 | // Verification failed. |
ImranBilalButt | 0:5f745af3ec9b | 307 | mbedtls_x509_crt_verify_info(buf, buf_size, "\r ! ", flags); |
ImranBilalButt | 0:5f745af3ec9b | 308 | tr_error("[+] Certificate verification failed:\r\n%s", buf); |
ImranBilalButt | 0:5f745af3ec9b | 309 | } else { |
ImranBilalButt | 0:5f745af3ec9b | 310 | // Verification succeeded. |
ImranBilalButt | 0:5f745af3ec9b | 311 | tr_info("[+] Certificate verification passed"); |
ImranBilalButt | 0:5f745af3ec9b | 312 | } |
ImranBilalButt | 0:5f745af3ec9b | 313 | delete[] buf; |
ImranBilalButt | 0:5f745af3ec9b | 314 | _handshake_completed = true; |
ImranBilalButt | 0:5f745af3ec9b | 315 | |
ImranBilalButt | 0:5f745af3ec9b | 316 | return 0; |
ImranBilalButt | 0:5f745af3ec9b | 317 | } |
ImranBilalButt | 0:5f745af3ec9b | 318 | |
ImranBilalButt | 0:5f745af3ec9b | 319 | nsapi_error_t TLSSocketWrapper::send(const void *data, nsapi_size_t size) { |
ImranBilalButt | 0:5f745af3ec9b | 320 | int ret; |
ImranBilalButt | 0:5f745af3ec9b | 321 | |
ImranBilalButt | 0:5f745af3ec9b | 322 | if (!is_tls_allocated()) { |
ImranBilalButt | 0:5f745af3ec9b | 323 | return NSAPI_ERROR_NO_SOCKET; |
ImranBilalButt | 0:5f745af3ec9b | 324 | } |
ImranBilalButt | 0:5f745af3ec9b | 325 | |
ImranBilalButt | 0:5f745af3ec9b | 326 | tr_debug("send %d", size); |
ImranBilalButt | 0:5f745af3ec9b | 327 | //uint32_t init, final, TCPH, TTPH; |
ImranBilalButt | 0:5f745af3ec9b | 328 | //init = osKernelGetTickCount(); |
ImranBilalButt | 0:5f745af3ec9b | 329 | ret = mbedtls_ssl_write(_ssl, (const unsigned char *) data, size); |
ImranBilalButt | 0:5f745af3ec9b | 330 | //final = osKernelGetTickCount(); |
ImranBilalButt | 0:5f745af3ec9b | 331 | |
ImranBilalButt | 0:5f745af3ec9b | 332 | /*TCPH = final - init; |
ImranBilalButt | 0:5f745af3ec9b | 333 | TTPH = TCPH/osKernelGetTickFreq(); |
ImranBilalButt | 0:5f745af3ec9b | 334 | |
ImranBilalButt | 0:5f745af3ec9b | 335 | printf("\nTCPH: %d\n", TCPH); |
ImranBilalButt | 0:5f745af3ec9b | 336 | printf("\nTTPH: %d\n", TTPH); |
ImranBilalButt | 0:5f745af3ec9b | 337 | printf("\nTickFreq: %d\n", osKernelGetTickFreq()); */ |
ImranBilalButt | 0:5f745af3ec9b | 338 | |
ImranBilalButt | 0:5f745af3ec9b | 339 | if (ret == MBEDTLS_ERR_SSL_WANT_WRITE || |
ImranBilalButt | 0:5f745af3ec9b | 340 | ret == MBEDTLS_ERR_SSL_WANT_READ) { |
ImranBilalButt | 0:5f745af3ec9b | 341 | // translate to socket error |
ImranBilalButt | 0:5f745af3ec9b | 342 | return NSAPI_ERROR_WOULD_BLOCK; |
ImranBilalButt | 0:5f745af3ec9b | 343 | } |
ImranBilalButt | 0:5f745af3ec9b | 344 | if (ret < 0) { |
ImranBilalButt | 0:5f745af3ec9b | 345 | print_mbedtls_error("mbedtls_ssl_write", ret); |
ImranBilalButt | 0:5f745af3ec9b | 346 | } |
ImranBilalButt | 0:5f745af3ec9b | 347 | return ret; // Assume "non negative errorcode" to be propagated from Socket layer |
ImranBilalButt | 0:5f745af3ec9b | 348 | } |
ImranBilalButt | 0:5f745af3ec9b | 349 | |
ImranBilalButt | 0:5f745af3ec9b | 350 | nsapi_size_or_error_t TLSSocketWrapper::sendto(const SocketAddress &, const void *data, nsapi_size_t size) |
ImranBilalButt | 0:5f745af3ec9b | 351 | { |
ImranBilalButt | 0:5f745af3ec9b | 352 | // Ignore the SocketAddress |
ImranBilalButt | 0:5f745af3ec9b | 353 | return send(data, size); |
ImranBilalButt | 0:5f745af3ec9b | 354 | } |
ImranBilalButt | 0:5f745af3ec9b | 355 | |
ImranBilalButt | 0:5f745af3ec9b | 356 | nsapi_size_or_error_t TLSSocketWrapper::recv(void *data, nsapi_size_t size) { |
ImranBilalButt | 0:5f745af3ec9b | 357 | int ret; |
ImranBilalButt | 0:5f745af3ec9b | 358 | |
ImranBilalButt | 0:5f745af3ec9b | 359 | if (!is_tls_allocated()) { |
ImranBilalButt | 0:5f745af3ec9b | 360 | return NSAPI_ERROR_NO_SOCKET; |
ImranBilalButt | 0:5f745af3ec9b | 361 | } |
ImranBilalButt | 0:5f745af3ec9b | 362 | |
ImranBilalButt | 0:5f745af3ec9b | 363 | ret = mbedtls_ssl_read(_ssl, (unsigned char *) data, size); |
ImranBilalButt | 0:5f745af3ec9b | 364 | |
ImranBilalButt | 0:5f745af3ec9b | 365 | if (ret == MBEDTLS_ERR_SSL_WANT_WRITE || |
ImranBilalButt | 0:5f745af3ec9b | 366 | ret == MBEDTLS_ERR_SSL_WANT_READ) { |
ImranBilalButt | 0:5f745af3ec9b | 367 | // translate to socket error |
ImranBilalButt | 0:5f745af3ec9b | 368 | return NSAPI_ERROR_WOULD_BLOCK; |
ImranBilalButt | 0:5f745af3ec9b | 369 | } else if (ret == MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY) { |
ImranBilalButt | 0:5f745af3ec9b | 370 | /* MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY is not considered as error. |
ImranBilalButt | 0:5f745af3ec9b | 371 | * Just ignre here. Once connection is closed, mbedtls_ssl_read() |
ImranBilalButt | 0:5f745af3ec9b | 372 | * will return 0. |
ImranBilalButt | 0:5f745af3ec9b | 373 | */ |
ImranBilalButt | 0:5f745af3ec9b | 374 | return 0; |
ImranBilalButt | 0:5f745af3ec9b | 375 | } else if (ret < 0) { |
ImranBilalButt | 0:5f745af3ec9b | 376 | print_mbedtls_error("mbedtls_ssl_read", ret); |
ImranBilalButt | 0:5f745af3ec9b | 377 | // TODO: Should I translate SSL errors to some socket error? |
ImranBilalButt | 0:5f745af3ec9b | 378 | } |
ImranBilalButt | 0:5f745af3ec9b | 379 | return ret; |
ImranBilalButt | 0:5f745af3ec9b | 380 | } |
ImranBilalButt | 0:5f745af3ec9b | 381 | |
ImranBilalButt | 0:5f745af3ec9b | 382 | nsapi_size_or_error_t TLSSocketWrapper::recvfrom(SocketAddress *address, void *data, nsapi_size_t size) |
ImranBilalButt | 0:5f745af3ec9b | 383 | { |
ImranBilalButt | 0:5f745af3ec9b | 384 | //TODO: Need Socket::getpeername() to get address |
ImranBilalButt | 0:5f745af3ec9b | 385 | return recv(data, size); |
ImranBilalButt | 0:5f745af3ec9b | 386 | } |
ImranBilalButt | 0:5f745af3ec9b | 387 | |
ImranBilalButt | 0:5f745af3ec9b | 388 | void TLSSocketWrapper::print_mbedtls_error(const char *name, int err) { |
ImranBilalButt | 0:5f745af3ec9b | 389 | char *buf = new char[128]; |
ImranBilalButt | 0:5f745af3ec9b | 390 | mbedtls_strerror(err, buf, 128); |
ImranBilalButt | 0:5f745af3ec9b | 391 | tr_err("%s() failed: -0x%04x (%d): %s", name, -err, err, buf); |
ImranBilalButt | 0:5f745af3ec9b | 392 | delete[] buf; |
ImranBilalButt | 0:5f745af3ec9b | 393 | } |
ImranBilalButt | 0:5f745af3ec9b | 394 | |
ImranBilalButt | 0:5f745af3ec9b | 395 | |
ImranBilalButt | 0:5f745af3ec9b | 396 | #if MBED_CONF_TLS_SOCKET_DEBUG_LEVEL > 0 |
ImranBilalButt | 0:5f745af3ec9b | 397 | |
ImranBilalButt | 0:5f745af3ec9b | 398 | void TLSSocketWrapper::my_debug(void *ctx, int level, const char *file, int line, |
ImranBilalButt | 0:5f745af3ec9b | 399 | const char *str) |
ImranBilalButt | 0:5f745af3ec9b | 400 | { |
ImranBilalButt | 0:5f745af3ec9b | 401 | const char *p, *basename; |
ImranBilalButt | 0:5f745af3ec9b | 402 | (void) ctx; |
ImranBilalButt | 0:5f745af3ec9b | 403 | |
ImranBilalButt | 0:5f745af3ec9b | 404 | /* Extract basename from file */ |
ImranBilalButt | 0:5f745af3ec9b | 405 | for(p = basename = file; *p != '\0'; p++) { |
ImranBilalButt | 0:5f745af3ec9b | 406 | if(*p == '/' || *p == '\\') { |
ImranBilalButt | 0:5f745af3ec9b | 407 | basename = p + 1; |
ImranBilalButt | 0:5f745af3ec9b | 408 | } |
ImranBilalButt | 0:5f745af3ec9b | 409 | } |
ImranBilalButt | 0:5f745af3ec9b | 410 | |
ImranBilalButt | 0:5f745af3ec9b | 411 | tr_debug("%s:%04d: |%d| %s", basename, line, level, str); |
ImranBilalButt | 0:5f745af3ec9b | 412 | } |
ImranBilalButt | 0:5f745af3ec9b | 413 | |
ImranBilalButt | 0:5f745af3ec9b | 414 | int TLSSocketWrapper::my_verify(void *data, mbedtls_x509_crt *crt, int depth, uint32_t *flags) |
ImranBilalButt | 0:5f745af3ec9b | 415 | { |
ImranBilalButt | 0:5f745af3ec9b | 416 | const uint32_t buf_size = 1024; |
ImranBilalButt | 0:5f745af3ec9b | 417 | char *buf = new char[buf_size]; |
ImranBilalButt | 0:5f745af3ec9b | 418 | (void) data; |
ImranBilalButt | 0:5f745af3ec9b | 419 | |
ImranBilalButt | 0:5f745af3ec9b | 420 | tr_debug("\nVerifying certificate at depth %d:\n", depth); |
ImranBilalButt | 0:5f745af3ec9b | 421 | mbedtls_x509_crt_info(buf, buf_size - 1, " ", crt); |
ImranBilalButt | 0:5f745af3ec9b | 422 | tr_debug("%s", buf); |
ImranBilalButt | 0:5f745af3ec9b | 423 | |
ImranBilalButt | 0:5f745af3ec9b | 424 | if (*flags == 0) |
ImranBilalButt | 0:5f745af3ec9b | 425 | tr_info("No verification issue for this certificate\n"); |
ImranBilalButt | 0:5f745af3ec9b | 426 | else |
ImranBilalButt | 0:5f745af3ec9b | 427 | { |
ImranBilalButt | 0:5f745af3ec9b | 428 | mbedtls_x509_crt_verify_info(buf, buf_size, " ! ", *flags); |
ImranBilalButt | 0:5f745af3ec9b | 429 | tr_info("%s\n", buf); |
ImranBilalButt | 0:5f745af3ec9b | 430 | } |
ImranBilalButt | 0:5f745af3ec9b | 431 | |
ImranBilalButt | 0:5f745af3ec9b | 432 | delete[] buf; |
ImranBilalButt | 0:5f745af3ec9b | 433 | |
ImranBilalButt | 0:5f745af3ec9b | 434 | return 0; |
ImranBilalButt | 0:5f745af3ec9b | 435 | } |
ImranBilalButt | 0:5f745af3ec9b | 436 | #endif /* MBED_CONF_TLS_SOCKET_DEBUG_LEVEL > 0 */ |
ImranBilalButt | 0:5f745af3ec9b | 437 | |
ImranBilalButt | 0:5f745af3ec9b | 438 | |
ImranBilalButt | 0:5f745af3ec9b | 439 | int TLSSocketWrapper::ssl_recv(void *ctx, unsigned char *buf, size_t len) { |
ImranBilalButt | 0:5f745af3ec9b | 440 | int recv; |
ImranBilalButt | 0:5f745af3ec9b | 441 | |
ImranBilalButt | 0:5f745af3ec9b | 442 | TLSSocketWrapper *my = static_cast<TLSSocketWrapper *>(ctx); |
ImranBilalButt | 0:5f745af3ec9b | 443 | |
ImranBilalButt | 0:5f745af3ec9b | 444 | if (!my->_transport) { |
ImranBilalButt | 0:5f745af3ec9b | 445 | return NSAPI_ERROR_NO_SOCKET; |
ImranBilalButt | 0:5f745af3ec9b | 446 | } |
ImranBilalButt | 0:5f745af3ec9b | 447 | |
ImranBilalButt | 0:5f745af3ec9b | 448 | recv = my->_transport->recv(buf, len); |
ImranBilalButt | 0:5f745af3ec9b | 449 | |
ImranBilalButt | 0:5f745af3ec9b | 450 | if (NSAPI_ERROR_WOULD_BLOCK == recv) { |
ImranBilalButt | 0:5f745af3ec9b | 451 | return MBEDTLS_ERR_SSL_WANT_READ; |
ImranBilalButt | 0:5f745af3ec9b | 452 | } else if(recv < 0) { |
ImranBilalButt | 0:5f745af3ec9b | 453 | tr_error("Socket recv error %d", recv); |
ImranBilalButt | 0:5f745af3ec9b | 454 | } |
ImranBilalButt | 0:5f745af3ec9b | 455 | // Propagate also Socket errors to SSL, it allows negative error codes to be returned here. |
ImranBilalButt | 0:5f745af3ec9b | 456 | return recv; |
ImranBilalButt | 0:5f745af3ec9b | 457 | } |
ImranBilalButt | 0:5f745af3ec9b | 458 | |
ImranBilalButt | 0:5f745af3ec9b | 459 | int TLSSocketWrapper::ssl_send(void *ctx, const unsigned char *buf, size_t len) { |
ImranBilalButt | 0:5f745af3ec9b | 460 | int size = -1; |
ImranBilalButt | 0:5f745af3ec9b | 461 | TLSSocketWrapper *my = static_cast<TLSSocketWrapper *>(ctx); |
ImranBilalButt | 0:5f745af3ec9b | 462 | |
ImranBilalButt | 0:5f745af3ec9b | 463 | if (!my->_transport) { |
ImranBilalButt | 0:5f745af3ec9b | 464 | return NSAPI_ERROR_NO_SOCKET; |
ImranBilalButt | 0:5f745af3ec9b | 465 | } |
ImranBilalButt | 0:5f745af3ec9b | 466 | |
ImranBilalButt | 0:5f745af3ec9b | 467 | size = my->_transport->send(buf, len); |
ImranBilalButt | 0:5f745af3ec9b | 468 | |
ImranBilalButt | 0:5f745af3ec9b | 469 | if (NSAPI_ERROR_WOULD_BLOCK == size) { |
ImranBilalButt | 0:5f745af3ec9b | 470 | return MBEDTLS_ERR_SSL_WANT_WRITE; |
ImranBilalButt | 0:5f745af3ec9b | 471 | } else if(size < 0){ |
ImranBilalButt | 0:5f745af3ec9b | 472 | tr_error("Socket send error %d", size); |
ImranBilalButt | 0:5f745af3ec9b | 473 | } |
ImranBilalButt | 0:5f745af3ec9b | 474 | // Propagate also Socket errors to SSL, it allows negative error codes to be returned here. |
ImranBilalButt | 0:5f745af3ec9b | 475 | return size; |
ImranBilalButt | 0:5f745af3ec9b | 476 | } |
ImranBilalButt | 0:5f745af3ec9b | 477 | |
ImranBilalButt | 0:5f745af3ec9b | 478 | void TLSSocketWrapper::tls_init() { |
ImranBilalButt | 0:5f745af3ec9b | 479 | _entropy = new mbedtls_entropy_context; |
ImranBilalButt | 0:5f745af3ec9b | 480 | _ctr_drbg = new mbedtls_ctr_drbg_context; |
ImranBilalButt | 0:5f745af3ec9b | 481 | _cacert = new mbedtls_x509_crt; |
ImranBilalButt | 0:5f745af3ec9b | 482 | _clicert = new mbedtls_x509_crt; |
ImranBilalButt | 0:5f745af3ec9b | 483 | _pkctx = new mbedtls_pk_context; |
ImranBilalButt | 0:5f745af3ec9b | 484 | _ssl = new mbedtls_ssl_context; |
ImranBilalButt | 0:5f745af3ec9b | 485 | _ssl_conf = new mbedtls_ssl_config; |
ImranBilalButt | 0:5f745af3ec9b | 486 | _ssl_timer = new mbedtls_timing_delay_context; |
ImranBilalButt | 0:5f745af3ec9b | 487 | |
ImranBilalButt | 0:5f745af3ec9b | 488 | mbedtls_entropy_init(_entropy); |
ImranBilalButt | 0:5f745af3ec9b | 489 | mbedtls_ctr_drbg_init(_ctr_drbg); |
ImranBilalButt | 0:5f745af3ec9b | 490 | mbedtls_x509_crt_init(_cacert); |
ImranBilalButt | 0:5f745af3ec9b | 491 | mbedtls_x509_crt_init(_clicert); |
ImranBilalButt | 0:5f745af3ec9b | 492 | mbedtls_pk_init(_pkctx); |
ImranBilalButt | 0:5f745af3ec9b | 493 | mbedtls_ssl_init(_ssl); |
ImranBilalButt | 0:5f745af3ec9b | 494 | mbedtls_ssl_config_init(_ssl_conf); |
ImranBilalButt | 0:5f745af3ec9b | 495 | } |
ImranBilalButt | 0:5f745af3ec9b | 496 | |
ImranBilalButt | 0:5f745af3ec9b | 497 | void TLSSocketWrapper::tls_free() { |
ImranBilalButt | 0:5f745af3ec9b | 498 | mbedtls_entropy_free(_entropy); |
ImranBilalButt | 0:5f745af3ec9b | 499 | mbedtls_ctr_drbg_free(_ctr_drbg); |
ImranBilalButt | 0:5f745af3ec9b | 500 | mbedtls_x509_crt_free(_cacert); |
ImranBilalButt | 0:5f745af3ec9b | 501 | mbedtls_x509_crt_free(_clicert); |
ImranBilalButt | 0:5f745af3ec9b | 502 | mbedtls_pk_free(_pkctx); |
ImranBilalButt | 0:5f745af3ec9b | 503 | mbedtls_ssl_free(_ssl); |
ImranBilalButt | 0:5f745af3ec9b | 504 | mbedtls_ssl_config_free(_ssl_conf); |
ImranBilalButt | 0:5f745af3ec9b | 505 | |
ImranBilalButt | 0:5f745af3ec9b | 506 | delete _entropy; |
ImranBilalButt | 0:5f745af3ec9b | 507 | delete _ctr_drbg; |
ImranBilalButt | 0:5f745af3ec9b | 508 | delete _cacert; |
ImranBilalButt | 0:5f745af3ec9b | 509 | delete _clicert; |
ImranBilalButt | 0:5f745af3ec9b | 510 | delete _pkctx; |
ImranBilalButt | 0:5f745af3ec9b | 511 | delete _ssl; |
ImranBilalButt | 0:5f745af3ec9b | 512 | delete _ssl_conf; |
ImranBilalButt | 0:5f745af3ec9b | 513 | delete _ssl_timer; |
ImranBilalButt | 0:5f745af3ec9b | 514 | _ssl = NULL; // Marks that TLS context is freed |
ImranBilalButt | 0:5f745af3ec9b | 515 | } |
ImranBilalButt | 0:5f745af3ec9b | 516 | |
ImranBilalButt | 0:5f745af3ec9b | 517 | bool TLSSocketWrapper::is_tls_allocated() { |
ImranBilalButt | 0:5f745af3ec9b | 518 | return _ssl != NULL; |
ImranBilalButt | 0:5f745af3ec9b | 519 | } |
ImranBilalButt | 0:5f745af3ec9b | 520 | |
ImranBilalButt | 0:5f745af3ec9b | 521 | nsapi_error_t TLSSocketWrapper::close() |
ImranBilalButt | 0:5f745af3ec9b | 522 | { |
ImranBilalButt | 0:5f745af3ec9b | 523 | if (!_transport) { |
ImranBilalButt | 0:5f745af3ec9b | 524 | return NSAPI_ERROR_NO_SOCKET; |
ImranBilalButt | 0:5f745af3ec9b | 525 | } |
ImranBilalButt | 0:5f745af3ec9b | 526 | if (!is_tls_allocated()) { |
ImranBilalButt | 0:5f745af3ec9b | 527 | return NSAPI_ERROR_NO_SOCKET; |
ImranBilalButt | 0:5f745af3ec9b | 528 | } |
ImranBilalButt | 0:5f745af3ec9b | 529 | |
ImranBilalButt | 0:5f745af3ec9b | 530 | tr_info("Closing TLS"); |
ImranBilalButt | 0:5f745af3ec9b | 531 | |
ImranBilalButt | 0:5f745af3ec9b | 532 | int ret = 0; |
ImranBilalButt | 0:5f745af3ec9b | 533 | if (_handshake_completed) { |
ImranBilalButt | 0:5f745af3ec9b | 534 | _transport->set_blocking(true); |
ImranBilalButt | 0:5f745af3ec9b | 535 | ret = mbedtls_ssl_close_notify(_ssl); |
ImranBilalButt | 0:5f745af3ec9b | 536 | if (ret) { |
ImranBilalButt | 0:5f745af3ec9b | 537 | print_mbedtls_error("mbedtls_ssl_close_notify", ret); |
ImranBilalButt | 0:5f745af3ec9b | 538 | } |
ImranBilalButt | 0:5f745af3ec9b | 539 | _handshake_completed = false; |
ImranBilalButt | 0:5f745af3ec9b | 540 | } |
ImranBilalButt | 0:5f745af3ec9b | 541 | |
ImranBilalButt | 0:5f745af3ec9b | 542 | if (!_keep_transport_open) { |
ImranBilalButt | 0:5f745af3ec9b | 543 | int ret2 = _transport->close(); |
ImranBilalButt | 0:5f745af3ec9b | 544 | if (!ret) { |
ImranBilalButt | 0:5f745af3ec9b | 545 | ret = ret2; |
ImranBilalButt | 0:5f745af3ec9b | 546 | } |
ImranBilalButt | 0:5f745af3ec9b | 547 | } |
ImranBilalButt | 0:5f745af3ec9b | 548 | |
ImranBilalButt | 0:5f745af3ec9b | 549 | _transport = NULL; |
ImranBilalButt | 0:5f745af3ec9b | 550 | |
ImranBilalButt | 0:5f745af3ec9b | 551 | tls_free(); |
ImranBilalButt | 0:5f745af3ec9b | 552 | |
ImranBilalButt | 0:5f745af3ec9b | 553 | return ret; |
ImranBilalButt | 0:5f745af3ec9b | 554 | } |
ImranBilalButt | 0:5f745af3ec9b | 555 | |
ImranBilalButt | 0:5f745af3ec9b | 556 | nsapi_error_t TLSSocketWrapper::connect(const SocketAddress &address) |
ImranBilalButt | 0:5f745af3ec9b | 557 | { |
ImranBilalButt | 0:5f745af3ec9b | 558 | printf("Hello from TLSSocketWrapper::connect().\n"); |
ImranBilalButt | 0:5f745af3ec9b | 559 | if (!_transport) { |
ImranBilalButt | 0:5f745af3ec9b | 560 | printf("transport not available\n"); |
ImranBilalButt | 0:5f745af3ec9b | 561 | return NSAPI_ERROR_NO_SOCKET; |
ImranBilalButt | 0:5f745af3ec9b | 562 | } |
ImranBilalButt | 0:5f745af3ec9b | 563 | //TODO: We could initiate the hanshake here, if there would be separate function call to set the target hostname |
ImranBilalButt | 0:5f745af3ec9b | 564 | nsapi_error_t ret = _transport->connect(address); |
ImranBilalButt | 0:5f745af3ec9b | 565 | if (ret) { |
ImranBilalButt | 0:5f745af3ec9b | 566 | printf("transport->connect() failed, %d\n", ret); |
ImranBilalButt | 0:5f745af3ec9b | 567 | printf("error return from TLSSocketWrapper::connect %d\n", ret); |
ImranBilalButt | 0:5f745af3ec9b | 568 | return ret; |
ImranBilalButt | 0:5f745af3ec9b | 569 | } |
ImranBilalButt | 0:5f745af3ec9b | 570 | return do_handshake(); |
ImranBilalButt | 0:5f745af3ec9b | 571 | } |
ImranBilalButt | 0:5f745af3ec9b | 572 | |
ImranBilalButt | 0:5f745af3ec9b | 573 | nsapi_error_t TLSSocketWrapper::bind(const SocketAddress &address) |
ImranBilalButt | 0:5f745af3ec9b | 574 | { |
ImranBilalButt | 0:5f745af3ec9b | 575 | if (!_transport) { |
ImranBilalButt | 0:5f745af3ec9b | 576 | return NSAPI_ERROR_NO_SOCKET; |
ImranBilalButt | 0:5f745af3ec9b | 577 | } |
ImranBilalButt | 0:5f745af3ec9b | 578 | return _transport->bind(address); |
ImranBilalButt | 0:5f745af3ec9b | 579 | } |
ImranBilalButt | 0:5f745af3ec9b | 580 | |
ImranBilalButt | 0:5f745af3ec9b | 581 | void TLSSocketWrapper::set_blocking(bool blocking) |
ImranBilalButt | 0:5f745af3ec9b | 582 | { |
ImranBilalButt | 0:5f745af3ec9b | 583 | if (!_transport) { |
ImranBilalButt | 0:5f745af3ec9b | 584 | return; |
ImranBilalButt | 0:5f745af3ec9b | 585 | } |
ImranBilalButt | 0:5f745af3ec9b | 586 | _transport->set_blocking(blocking); |
ImranBilalButt | 0:5f745af3ec9b | 587 | } |
ImranBilalButt | 0:5f745af3ec9b | 588 | |
ImranBilalButt | 0:5f745af3ec9b | 589 | void TLSSocketWrapper::set_timeout(int timeout) |
ImranBilalButt | 0:5f745af3ec9b | 590 | { |
ImranBilalButt | 0:5f745af3ec9b | 591 | if (!_transport) { |
ImranBilalButt | 0:5f745af3ec9b | 592 | return; |
ImranBilalButt | 0:5f745af3ec9b | 593 | } |
ImranBilalButt | 0:5f745af3ec9b | 594 | _transport->set_timeout(timeout); |
ImranBilalButt | 0:5f745af3ec9b | 595 | } |
ImranBilalButt | 0:5f745af3ec9b | 596 | |
ImranBilalButt | 0:5f745af3ec9b | 597 | void TLSSocketWrapper::sigio(mbed::Callback<void()> func) |
ImranBilalButt | 0:5f745af3ec9b | 598 | { |
ImranBilalButt | 0:5f745af3ec9b | 599 | if (!_transport) { |
ImranBilalButt | 0:5f745af3ec9b | 600 | return; |
ImranBilalButt | 0:5f745af3ec9b | 601 | } |
ImranBilalButt | 0:5f745af3ec9b | 602 | // Allow sigio() to propagate to upper level and handle errors on recv() and send() |
ImranBilalButt | 0:5f745af3ec9b | 603 | _transport->sigio(func); |
ImranBilalButt | 0:5f745af3ec9b | 604 | } |
ImranBilalButt | 0:5f745af3ec9b | 605 | |
ImranBilalButt | 0:5f745af3ec9b | 606 | nsapi_error_t TLSSocketWrapper::setsockopt(int level, int optname, const void *optval, unsigned optlen) |
ImranBilalButt | 0:5f745af3ec9b | 607 | { |
ImranBilalButt | 0:5f745af3ec9b | 608 | if (!_transport) { |
ImranBilalButt | 0:5f745af3ec9b | 609 | return NSAPI_ERROR_NO_SOCKET; |
ImranBilalButt | 0:5f745af3ec9b | 610 | } |
ImranBilalButt | 0:5f745af3ec9b | 611 | return _transport->setsockopt(level, optname, optval, optlen); |
ImranBilalButt | 0:5f745af3ec9b | 612 | } |
ImranBilalButt | 0:5f745af3ec9b | 613 | |
ImranBilalButt | 0:5f745af3ec9b | 614 | nsapi_error_t TLSSocketWrapper::getsockopt(int level, int optname, void *optval, unsigned *optlen) |
ImranBilalButt | 0:5f745af3ec9b | 615 | { |
ImranBilalButt | 0:5f745af3ec9b | 616 | if (!_transport) { |
ImranBilalButt | 0:5f745af3ec9b | 617 | return NSAPI_ERROR_NO_SOCKET; |
ImranBilalButt | 0:5f745af3ec9b | 618 | } |
ImranBilalButt | 0:5f745af3ec9b | 619 | return _transport->getsockopt(level, optname, optval, optlen); |
ImranBilalButt | 0:5f745af3ec9b | 620 | } |
ImranBilalButt | 0:5f745af3ec9b | 621 | |
ImranBilalButt | 0:5f745af3ec9b | 622 | Socket *TLSSocketWrapper::accept(nsapi_error_t *err) |
ImranBilalButt | 0:5f745af3ec9b | 623 | { |
ImranBilalButt | 0:5f745af3ec9b | 624 | if (err) { |
ImranBilalButt | 0:5f745af3ec9b | 625 | *err = NSAPI_ERROR_UNSUPPORTED; |
ImranBilalButt | 0:5f745af3ec9b | 626 | } |
ImranBilalButt | 0:5f745af3ec9b | 627 | return NULL; |
ImranBilalButt | 0:5f745af3ec9b | 628 | } |
ImranBilalButt | 0:5f745af3ec9b | 629 | |
ImranBilalButt | 0:5f745af3ec9b | 630 | nsapi_error_t TLSSocketWrapper::listen(int) |
ImranBilalButt | 0:5f745af3ec9b | 631 | { |
ImranBilalButt | 0:5f745af3ec9b | 632 | return NSAPI_ERROR_UNSUPPORTED; |
ImranBilalButt | 0:5f745af3ec9b | 633 | } |