V.062 11/3
Dependencies: FT6206 SDFileSystem ILI9341_t3
Fork of ATT_AWS_IoT_demo_v06 by
Diff: main.cpp
- Revision:
- 0:fc70c47eecb4
- Child:
- 9:1ac74f2d7bda
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/main.cpp Wed Jul 27 14:34:24 2016 +0100 @@ -0,0 +1,472 @@ +/* + * Hello world example of a TLS client: fetch an HTTPS page + * + * Copyright (C) 2006-2016, ARM Limited, All Rights Reserved + * SPDX-License-Identifier: Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * This file is part of mbed TLS (https://tls.mbed.org) +*/ + +/** \file main.cpp + * \brief An example TLS Client application + * This application sends an HTTPS request to developer.mbed.org and searches for a string in + * the result. + * + * This example is implemented as a logic class (HelloHTTPS) wrapping a TCP socket. + * The logic class handles all events, leaving the main loop to just check if the process + * has finished. + */ + +/* Change to a number between 1 and 4 to debug the TLS connection */ +#define DEBUG_LEVEL 0 + +/* Change to 1 to skip certificate verification (UNSAFE, for debug only!) */ +#define UNSAFE 0 + +#include "mbed.h" +#include "NetworkStack.h" + +#include "EthernetInterface.h" +#include "TCPSocket.h" + +#include "mbedtls/platform.h" +#include "mbedtls/ssl.h" +#include "mbedtls/entropy.h" +#include "mbedtls/ctr_drbg.h" +#include "mbedtls/error.h" +#if DEBUG_LEVEL > 0 +#include "mbedtls/debug.h" +#endif + +namespace { + +const char *HTTPS_SERVER_NAME = "developer.mbed.org"; +const int HTTPS_SERVER_PORT = 443; +const int RECV_BUFFER_SIZE = 600; + +const char HTTPS_PATH[] = "/media/uploads/mbed_official/hello.txt"; +const size_t HTTPS_PATH_LEN = sizeof(HTTPS_PATH) - 1; + +/* Test related data */ +const char *HTTPS_OK_STR = "200 OK"; +const char *HTTPS_HELLO_STR = "Hello world!"; + +/* personalization string for the drbg */ +const char *DRBG_PERS = "mbed TLS helloword client"; + +/* List of trusted root CA certificates + * currently only GlobalSign, the CA for developer.mbed.org + * + * To add more than one root, just concatenate them. + */ +const char SSL_CA_PEM[] = +/* GlobalSign Root certificate */ +"-----BEGIN CERTIFICATE-----\n" +"MIIEaTCCA1GgAwIBAgILBAAAAAABRE7wQkcwDQYJKoZIhvcNAQELBQAwVzELMAkG\n" +"A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv\n" +"b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw0xNDAyMjAxMDAw\n" +"MDBaFw0yNDAyMjAxMDAwMDBaMGYxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i\n" +"YWxTaWduIG52LXNhMTwwOgYDVQQDEzNHbG9iYWxTaWduIE9yZ2FuaXphdGlvbiBW\n" +"YWxpZGF0aW9uIENBIC0gU0hBMjU2IC0gRzIwggEiMA0GCSqGSIb3DQEBAQUAA4IB\n" +"DwAwggEKAoIBAQDHDmw/I5N/zHClnSDDDlM/fsBOwphJykfVI+8DNIV0yKMCLkZc\n" +"C33JiJ1Pi/D4nGyMVTXbv/Kz6vvjVudKRtkTIso21ZvBqOOWQ5PyDLzm+ebomchj\n" +"SHh/VzZpGhkdWtHUfcKc1H/hgBKueuqI6lfYygoKOhJJomIZeg0k9zfrtHOSewUj\n" +"mxK1zusp36QUArkBpdSmnENkiN74fv7j9R7l/tyjqORmMdlMJekYuYlZCa7pnRxt\n" +"Nw9KHjUgKOKv1CGLAcRFrW4rY6uSa2EKTSDtc7p8zv4WtdufgPDWi2zZCHlKT3hl\n" +"2pK8vjX5s8T5J4BO/5ZS5gIg4Qdz6V0rvbLxAgMBAAGjggElMIIBITAOBgNVHQ8B\n" +"Af8EBAMCAQYwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQUlt5h8b0cFilT\n" +"HMDMfTuDAEDmGnwwRwYDVR0gBEAwPjA8BgRVHSAAMDQwMgYIKwYBBQUHAgEWJmh0\n" +"dHBzOi8vd3d3Lmdsb2JhbHNpZ24uY29tL3JlcG9zaXRvcnkvMDMGA1UdHwQsMCow\n" +"KKAmoCSGImh0dHA6Ly9jcmwuZ2xvYmFsc2lnbi5uZXQvcm9vdC5jcmwwPQYIKwYB\n" +"BQUHAQEEMTAvMC0GCCsGAQUFBzABhiFodHRwOi8vb2NzcC5nbG9iYWxzaWduLmNv\n" +"bS9yb290cjEwHwYDVR0jBBgwFoAUYHtmGkUNl8qJUC99BM00qP/8/UswDQYJKoZI\n" +"hvcNAQELBQADggEBAEYq7l69rgFgNzERhnF0tkZJyBAW/i9iIxerH4f4gu3K3w4s\n" +"32R1juUYcqeMOovJrKV3UPfvnqTgoI8UV6MqX+x+bRDmuo2wCId2Dkyy2VG7EQLy\n" +"XN0cvfNVlg/UBsD84iOKJHDTu/B5GqdhcIOKrwbFINihY9Bsrk8y1658GEV1BSl3\n" +"30JAZGSGvip2CTFvHST0mdCF/vIhCPnG9vHQWe3WVjwIKANnuvD58ZAWR65n5ryA\n" +"SOlCdjSXVWkkDoPWoC209fN5ikkodBpBocLTJIg1MGCUF7ThBCIxPTsvFwayuJ2G\n" +"K1pp74P1S8SqtCr4fKGxhZSM9AyHDPSsQPhZSZg=\n" +"-----END CERTIFICATE-----\n"; + +#if OLD_CERTIFICATE +/* GlobalSign Root R1 SHA1/RSA/2048 + * Serial no. 04 00 00 00 00 01 15 4b 5a c3 94 */ +"-----BEGIN CERTIFICATE-----\n" +"MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG\n" +"A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv\n" +"b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAw\n" +"MDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i\n" +"YWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxT\n" +"aWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaDuaZ\n" +"jc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavp\n" +"xy0Sy6scTHAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz8kHp\n" +"1Wrjsok6Vjk4bwY8iGlbKk3Fp1S4bInMm/k8yuX9ifUSPJJ4ltbcdG6TRGHRjcdG\n" +"snUOhugZitVtbNV4FpWi6cgKOOvyJBNPc1STE4U6G7weNLWLBYy5d4ux2x8gkasJ\n" +"U26Qzns3dLlwR5EiUWMWea6xrkEmCMgZK9FGqkjWZCrXgzT/LCrBbBlDSgeF59N8\n" +"9iFo7+ryUp9/k5DPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8E\n" +"BTADAQH/MB0GA1UdDgQWBBRge2YaRQ2XyolQL30EzTSo//z9SzANBgkqhkiG9w0B\n" +"AQUFAAOCAQEA1nPnfE920I2/7LqivjTFKDK1fPxsnCwrvQmeU79rXqoRSLblCKOz\n" +"yj1hTdNGCbM+w6DjY1Ub8rrvrTnhQ7k4o+YviiY776BQVvnGCv04zcQLcFGUl5gE\n" +"38NflNUVyRRBnMRddWQVDf9VMOyGj/8N7yy5Y0b2qvzfvGn9LhJIZJrglfCm7ymP\n" +"AbEVtQwdpf5pLGkkeB6zpxxxYu7KyJesF12KwvhHhm4qxFYxldBniYUr+WymXUad\n" +"DKqC5JlR3XC321Y9YeRq4VzW9v493kHMB65jUr9TU/Qr6cf9tveCX4XSQRjbgbME\n" +"HMUfpIBvFSDJ3gyICh3WZlXi/EjJKSZp4A==\n" +"-----END CERTIFICATE-----\n"; +#endif +} + +/** + * \brief HelloHTTPS implements the logic for fetching a file from a webserver + * using a TCP socket and parsing the result. + */ +class HelloHTTPS { +public: + /** + * HelloHTTPS Constructor + * Initializes the TCP socket, sets up event handlers and flags. + * + * @param[in] domain The domain name to fetch from + * @param[in] port The port of the HTTPS server + */ + HelloHTTPS(const char * domain, const uint16_t port, NetworkInterface *net_iface) : + _domain(domain), _port(port) + { + + _error = false; + _gothello = false; + _got200 = false; + _bpos = 0; + _request_sent = 0; + _tcpsocket = new TCPSocket(net_iface); + + mbedtls_entropy_init(&_entropy); + mbedtls_ctr_drbg_init(&_ctr_drbg); + mbedtls_x509_crt_init(&_cacert); + mbedtls_ssl_init(&_ssl); + mbedtls_ssl_config_init(&_ssl_conf); + } + /** + * HelloHTTPS Desctructor + */ + ~HelloHTTPS() { + mbedtls_entropy_free(&_entropy); + mbedtls_ctr_drbg_free(&_ctr_drbg); + mbedtls_x509_crt_free(&_cacert); + mbedtls_ssl_free(&_ssl); + mbedtls_ssl_config_free(&_ssl_conf); + } + /** + * Start the test. + * + * Starts by clearing test flags, then resolves the address with DNS. + * + * @param[in] path The path of the file to fetch from the HTTPS server + * @return SOCKET_ERROR_NONE on success, or an error code on failure + */ + void startTest(const char *path) { + /* Initialize the flags */ + _got200 = false; + _gothello = false; + _error = false; + _disconnected = false; + _request_sent = false; + /* Fill the request buffer */ + _bpos = snprintf(_buffer, sizeof(_buffer) - 1, "GET %s HTTP/1.1\nHost: %s\n\n", path, HTTPS_SERVER_NAME); + + /* + * Initialize TLS-related stuf. + */ + int ret; + if ((ret = mbedtls_ctr_drbg_seed(&_ctr_drbg, mbedtls_entropy_func, &_entropy, + (const unsigned char *) DRBG_PERS, + sizeof (DRBG_PERS))) != 0) { + print_mbedtls_error("mbedtls_crt_drbg_init", ret); + _error = true; + return; + } + + if ((ret = mbedtls_x509_crt_parse(&_cacert, (const unsigned char *) SSL_CA_PEM, + sizeof (SSL_CA_PEM))) != 0) { + print_mbedtls_error("mbedtls_x509_crt_parse", ret); + _error = true; + return; + } + + if ((ret = mbedtls_ssl_config_defaults(&_ssl_conf, + MBEDTLS_SSL_IS_CLIENT, + MBEDTLS_SSL_TRANSPORT_STREAM, + MBEDTLS_SSL_PRESET_DEFAULT)) != 0) { + print_mbedtls_error("mbedtls_ssl_config_defaults", ret); + _error = true; + return; + } + + mbedtls_ssl_conf_ca_chain(&_ssl_conf, &_cacert, NULL); + mbedtls_ssl_conf_rng(&_ssl_conf, mbedtls_ctr_drbg_random, &_ctr_drbg); + +#if UNSAFE + mbedtls_ssl_conf_authmode(&_ssl_conf, MBEDTLS_SSL_VERIFY_OPTIONAL); +#endif + +#if DEBUG_LEVEL > 0 + mbedtls_ssl_conf_verify(&_ssl_conf, my_verify, NULL); + mbedtls_ssl_conf_dbg(&_ssl_conf, my_debug, NULL); + mbedtls_debug_set_threshold(DEBUG_LEVEL); +#endif + + if ((ret = mbedtls_ssl_setup(&_ssl, &_ssl_conf)) != 0) { + print_mbedtls_error("mbedtls_ssl_setup", ret); + _error = true; + return; + } + + mbedtls_ssl_set_hostname(&_ssl, HTTPS_SERVER_NAME); + + mbedtls_ssl_set_bio(&_ssl, static_cast<void *>(_tcpsocket), + ssl_send, ssl_recv, NULL ); + + + /* Connect to the server */ + mbedtls_printf("Connecting with %s\r\n", _domain); + _tcpsocket->connect( _domain, _port ); + + /* Start the handshake, the rest will be done in onReceive() */ + mbedtls_printf("Starting the TLS handshake...\r\n"); + ret = mbedtls_ssl_handshake(&_ssl); + if (ret < 0) { + if (ret != MBEDTLS_ERR_SSL_WANT_READ && + ret != MBEDTLS_ERR_SSL_WANT_WRITE) { + print_mbedtls_error("mbedtls_ssl_handshake", ret); + onError(_tcpsocket, -1 ); + } + return; + } + + ret = mbedtls_ssl_write(&_ssl, (const unsigned char *) _buffer, _bpos); + if (ret < 0) { + if (ret != MBEDTLS_ERR_SSL_WANT_READ && + ret != MBEDTLS_ERR_SSL_WANT_WRITE) { + print_mbedtls_error("mbedtls_ssl_write", ret); + onError(_tcpsocket, -1 ); + } + return; + } + + /* It also means the handshake is done, time to print info */ + printf("TLS connection to %s established\r\n", HTTPS_SERVER_NAME); + + char buf[1024]; + mbedtls_x509_crt_info(buf, sizeof(buf), "\r ", + mbedtls_ssl_get_peer_cert(&_ssl)); + mbedtls_printf("Server certificate:\r\n%s\r", buf); + +#if defined(UNSAFE) + uint32_t flags = mbedtls_ssl_get_verify_result(&_ssl); + if( flags != 0 ) + { + mbedtls_x509_crt_verify_info(buf, sizeof (buf), "\r ! ", flags); + printf("Certificate verification failed:\r\n%s\r\r\n", buf); + } + else +#endif + printf("Certificate verification passed\r\n\r\n"); + + + /* Read data out of the socket */ + ret = mbedtls_ssl_read(&_ssl, (unsigned char *) _buffer, sizeof(_buffer)); + if (ret < 0) { + if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE) { + print_mbedtls_error("mbedtls_ssl_read", ret); + onError(_tcpsocket, -1 ); + } + return; + } + _bpos = static_cast<size_t>(ret); + + _buffer[_bpos] = 0; + + /* Check each of the flags */ + _got200 = _got200 || strstr(_buffer, HTTPS_OK_STR) != NULL; + _gothello = _gothello || strstr(_buffer, HTTPS_HELLO_STR) != NULL; + + /* Print status messages */ + mbedtls_printf("HTTPS: Received %d chars from server\r\n", _bpos); + mbedtls_printf("HTTPS: Received 200 OK status ... %s\r\n", _got200 ? "[OK]" : "[FAIL]"); + mbedtls_printf("HTTPS: Received '%s' status ... %s\r\n", HTTPS_HELLO_STR, _gothello ? "[OK]" : "[FAIL]"); + mbedtls_printf("HTTPS: Received message:\r\n\r\n"); + mbedtls_printf("%s", _buffer); + _error = !(_got200 && _gothello); + + _tcpsocket->close(); + } + /** + * Check if the test has completed. + * @return Returns true if done, false otherwise. + */ + bool done() { + return _error || (_got200 && _gothello); + } + /** + * Check if there was an error + * @return Returns true if there was an error, false otherwise. + */ + bool error() { + return _error; + } + /** + * Closes the TCP socket + */ + void close() { + _tcpsocket->close(); + while (!_disconnected) + __WFI(); + } +protected: + /** + * Helper for pretty-printing mbed TLS error codes + */ + static void print_mbedtls_error(const char *name, int err) { + char buf[128]; + mbedtls_strerror(err, buf, sizeof (buf)); + mbedtls_printf("%s() failed: -0x%04x (%d): %s\r\n", name, -err, err, buf); + } + +#if DEBUG_LEVEL > 0 + /** + * Debug callback for mbed TLS + * Just prints on the USB serial port + */ + static void my_debug(void *ctx, int level, const char *file, int line, + const char *str) + { + const char *p, *basename; + (void) ctx; + + /* Extract basename from file */ + for(p = basename = file; *p != '\0'; p++) { + if(*p == '/' || *p == '\\') { + basename = p + 1; + } + } + + mbedtls_printf("%s:%04d: |%d| %s", basename, line, level, str); + } + + /** + * Certificate verification callback for mbed TLS + * Here we only use it to display information on each cert in the chain + */ + static int my_verify(void *data, mbedtls_x509_crt *crt, int depth, uint32_t *flags) + { + char buf[1024]; + (void) data; + + mbedtls_printf("\nVerifying certificate at depth %d:\n", depth); + mbedtls_x509_crt_info(buf, sizeof (buf) - 1, " ", crt); + mbedtls_printf("%s", buf); + + if (*flags == 0) + mbedtls_printf("No verification issue for this certificate\n"); + else + { + mbedtls_x509_crt_verify_info(buf, sizeof (buf), " ! ", *flags); + mbedtls_printf("%s\n", buf); + } + + return 0; + } +#endif + + /** + * Receive callback for mbed TLS + */ + static int ssl_recv(void *ctx, unsigned char *buf, size_t len) { + int recv = -1; + TCPSocket *socket = static_cast<TCPSocket *>(ctx); + recv = socket->recv(buf, len); + + if(NSAPI_ERROR_WOULD_BLOCK == recv){ + return MBEDTLS_ERR_SSL_WANT_READ; + }else if(recv < 0){ + return -1; + }else{ + return recv; + } + } + + /** + * Send callback for mbed TLS + */ + static int ssl_send(void *ctx, const unsigned char *buf, size_t len) { + int size = -1; + TCPSocket *socket = static_cast<TCPSocket *>(ctx); + size = socket->send(buf, len); + + if(NSAPI_ERROR_WOULD_BLOCK == size){ + return len; + }else if(size < 0){ + return -1; + }else{ + return size; + } + } + + void onError(TCPSocket *s, int error) { + printf("MBED: Socket Error: %d\r\n", error); + s->close(); + _error = true; + } + +protected: + TCPSocket* _tcpsocket; + + const char *_domain; /**< The domain name of the HTTPS server */ + const uint16_t _port; /**< The HTTPS server port */ + char _buffer[RECV_BUFFER_SIZE]; /**< The response buffer */ + size_t _bpos; /**< The current offset in the response buffer */ + volatile bool _got200; /**< Status flag for HTTPS 200 */ + volatile bool _gothello; /**< Status flag for finding the test string */ + volatile bool _error; /**< Status flag for an error */ + volatile bool _disconnected; + volatile bool _request_sent; + + mbedtls_entropy_context _entropy; + mbedtls_ctr_drbg_context _ctr_drbg; + mbedtls_x509_crt _cacert; + mbedtls_ssl_context _ssl; + mbedtls_ssl_config _ssl_conf; +}; + +/** + * The main loop of the HTTPS Hello World test + */ +int main() { + /* The default 9600 bps is too slow to print full TLS debug info and could + * cause the other party to time out. */ + + /* Inititalise with DHCP, connect, and start up the stack */ + EthernetInterface eth_iface; + eth_iface.connect(); + mbedtls_printf("Using Ethernet LWIP\r\n"); + const char *ip_addr = eth_iface.get_ip_address(); + if (ip_addr) { + mbedtls_printf("Client IP Address is %s\r\n", ip_addr); + } else { + mbedtls_printf("No Client IP Address\r\n"); + } + + HelloHTTPS hello(HTTPS_SERVER_NAME, HTTPS_SERVER_PORT, ð_iface); + hello.startTest(HTTPS_PATH); +}