nil jack
/
NuMaker-mbed-AWS-IoT-example
test
TLSSocket.h
- Committer:
- kernel2418
- Date:
- 2018-03-14
- Revision:
- 0:9d5f28595388
File content as of revision 0:9d5f28595388:
#ifndef _TLS_SOCKET_H_ #define _TLS_SOCKET_H_ /* Change to a number between 1 and 4 to debug the TLS connection */ #define DEBUG_LEVEL 0 #include "mbedtls/platform.h" #include "mbedtls/ssl.h" #include "mbedtls/entropy.h" #include "mbedtls/ctr_drbg.h" #include "mbedtls/error.h" #if DEBUG_LEVEL > 0 #include "mbedtls/debug.h" #endif #include "mbedtls_utils.h" /** * \brief TLSSocket a wrapper around TCPSocket for interacting with TLS servers */ class TLSSocket { public: TLSSocket(NetworkInterface* net_iface, const char* ssl_ca_pem, const char* ssl_owncert_pem, const char* ssl_own_priv_key_pem) { _tcpsocket = new TCPSocket(net_iface); _ssl_ca_pem = ssl_ca_pem; _ssl_owncert_pem = ssl_owncert_pem; _ssl_own_priv_key_pem = ssl_own_priv_key_pem; _is_connected = false; _debug = false; _hostname = NULL; _port = 0; _error = 0; DRBG_PERS = "mbed TLS helloword client"; mbedtls_entropy_init(&_entropy); mbedtls_ctr_drbg_init(&_ctr_drbg); mbedtls_x509_crt_init(&_cacert); mbedtls_x509_crt_init(&_owncert); mbedtls_pk_init(&_own_priv_key); mbedtls_ssl_init(&_ssl); mbedtls_ssl_config_init(&_ssl_conf); } ~TLSSocket() { mbedtls_entropy_free(&_entropy); mbedtls_ctr_drbg_free(&_ctr_drbg); mbedtls_x509_crt_free(&_cacert); mbedtls_x509_crt_free(&_owncert); mbedtls_pk_free(&_own_priv_key); mbedtls_ssl_free(&_ssl); mbedtls_ssl_config_free(&_ssl_conf); if (_tcpsocket) { _tcpsocket->close(); delete _tcpsocket; } // @todo: free DRBG_PERS ? } /** Close the socket * * Closes any open connection and deallocates any memory associated * with the socket. Called from destructor if socket is not closed. * * @return 0 on success, negative error code on failure */ nsapi_error_t close() { return _tcpsocket->close(); } nsapi_error_t connect(const char *hostname, uint16_t port) { _hostname = hostname; _port = port; /* Initialize the flags */ /* * Initialize TLS-related stuf. */ int ret; if ((ret = mbedtls_ctr_drbg_seed(&_ctr_drbg, mbedtls_entropy_func, &_entropy, (const unsigned char *) DRBG_PERS, sizeof (DRBG_PERS))) != 0) { print_mbedtls_error("mbedtls_crt_drbg_init", ret); _error = ret; return _error; } if ((ret = mbedtls_x509_crt_parse(&_cacert, (const unsigned char *)_ssl_ca_pem, strlen(_ssl_ca_pem) + 1)) != 0) { print_mbedtls_error("mbedtls_x509_crt_parse", ret); _error = ret; return _error; } if ((ret = mbedtls_x509_crt_parse(&_owncert, (const unsigned char *) _ssl_owncert_pem, strlen(_ssl_owncert_pem) + 1)) != 0) { print_mbedtls_error("mbedtls_x509_crt_parse", ret); _error = ret; return _error; } if ((ret = mbedtls_pk_parse_key(&_own_priv_key, (const unsigned char *) _ssl_own_priv_key_pem, strlen(_ssl_own_priv_key_pem) + 1, NULL, 0)) != 0) { print_mbedtls_error("mbedtls_pk_parse_key", ret); _error = ret; return _error; } if ((ret = mbedtls_ssl_config_defaults(&_ssl_conf, MBEDTLS_SSL_IS_CLIENT, MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_PRESET_DEFAULT)) != 0) { print_mbedtls_error("mbedtls_ssl_config_defaults", ret); _error = ret; return _error; } mbedtls_ssl_conf_ca_chain(&_ssl_conf, &_cacert, NULL); mbedtls_ssl_conf_own_cert(&_ssl_conf, &_owncert, &_own_priv_key); mbedtls_ssl_conf_rng(&_ssl_conf, mbedtls_ctr_drbg_random, &_ctr_drbg); /* It is possible to disable authentication by passing * MBEDTLS_SSL_VERIFY_NONE in the call to mbedtls_ssl_conf_authmode() */ mbedtls_ssl_conf_authmode(&_ssl_conf, MBEDTLS_SSL_VERIFY_REQUIRED); #if DEBUG_LEVEL > 0 mbedtls_ssl_conf_verify(&_ssl_conf, my_verify, NULL); mbedtls_ssl_conf_dbg(&_ssl_conf, my_debug, NULL); mbedtls_debug_set_threshold(DEBUG_LEVEL); #endif if ((ret = mbedtls_ssl_setup(&_ssl, &_ssl_conf)) != 0) { print_mbedtls_error("mbedtls_ssl_setup", ret); _error = ret; return _error; } mbedtls_ssl_set_hostname(&_ssl, _hostname); mbedtls_ssl_set_bio(&_ssl, static_cast<void *>(_tcpsocket), ssl_send, ssl_recv, NULL ); /* Connect to the server */ if (_debug) mbedtls_printf("Connecting to %s:%d\r\n", _hostname, _port); ret = _tcpsocket->connect(_hostname, _port); if (ret != NSAPI_ERROR_OK) { if (_debug) mbedtls_printf("Failed to connect\r\n"); onError(_tcpsocket, -1); return _error; } /* Start the handshake, the rest will be done in onReceive() */ if (_debug) mbedtls_printf("Starting the TLS handshake...\r\n"); do { ret = mbedtls_ssl_handshake(&_ssl); } while (ret == MBEDTLS_ERR_SSL_WANT_READ || ret == MBEDTLS_ERR_SSL_WANT_WRITE); if (ret < 0) { print_mbedtls_error("mbedtls_ssl_handshake", ret); onError(_tcpsocket, ret); return ret; } /* It also means the handshake is done, time to print info */ if (_debug) mbedtls_printf("TLS connection to %s:%d established\r\n", _hostname, _port); const uint32_t buf_size = 1024; char *buf = new char[buf_size]; mbedtls_x509_crt_info(buf, buf_size, "\r ", mbedtls_ssl_get_peer_cert(&_ssl)); if (_debug) mbedtls_printf("Server certificate:\r\n%s\r", buf); uint32_t flags = mbedtls_ssl_get_verify_result(&_ssl); if( flags != 0 ) { mbedtls_x509_crt_verify_info(buf, buf_size, "\r ! ", flags); if (_debug) mbedtls_printf("Certificate verification failed:\r\n%s\r\r\n", buf); } else { if (_debug) mbedtls_printf("Certificate verification passed\r\n\r\n"); } delete [] buf; buf = NULL; _is_connected = true; return 0; } /** Send data over a TCP socket * * The socket must be connected to a remote host. Returns the number of * bytes sent from the buffer. * * By default, send blocks until all data is sent. If socket is set to * non-blocking or times out, a partial amount can be written. * NSAPI_ERROR_WOULD_BLOCK is returned if no data was written. * * @param data Buffer of data to send to the host * @param size Size of the buffer in bytes * @return Number of sent bytes on success, negative error * code on failure */ nsapi_size_or_error_t send(const void *data, nsapi_size_t size) { return mbedtls_ssl_write(&_ssl, (const uint8_t *) data, size); } /** Receive data over a TCP socket * * The socket must be connected to a remote host. Returns the number of * bytes received into the buffer. * * By default, recv blocks until some data is received. If socket is set to * non-blocking or times out, NSAPI_ERROR_WOULD_BLOCK can be returned to * indicate no data. * * @param data Destination buffer for data received from the host * @param size Size of the buffer in bytes * @return Number of received bytes on success, negative error * code on failure */ nsapi_size_or_error_t recv(void *data, nsapi_size_t size) { return mbedtls_ssl_read(&_ssl, (uint8_t *) data, size); } /** Set blocking or non-blocking mode of the socket * * Initially all sockets are in blocking mode. In non-blocking mode * blocking operations such as send/recv/accept return * NSAPI_ERROR_WOULD_BLOCK if they can not continue. * * set_blocking(false) is equivalent to set_timeout(-1) * set_blocking(true) is equivalent to set_timeout(0) * * @param blocking true for blocking mode, false for non-blocking mode. */ void set_blocking(bool blocking) { _tcpsocket->set_blocking(blocking); } /** Set timeout on blocking socket operations * * Initially all sockets have unbounded timeouts. NSAPI_ERROR_WOULD_BLOCK * is returned if a blocking operation takes longer than the specified * timeout. A timeout of 0 removes the timeout from the socket. A negative * value give the socket an unbounded timeout. * * set_timeout(0) is equivalent to set_blocking(false) * set_timeout(-1) is equivalent to set_blocking(true) * * @param timeout Timeout in milliseconds */ void set_timeout(int timeout) { _tcpsocket->set_timeout(timeout); } bool connected() { return _is_connected; } nsapi_error_t error() { return _error; } TCPSocket* get_tcp_socket() { return _tcpsocket; } mbedtls_ssl_context* get_ssl_context() { return &_ssl; } /** * Set the debug flag. * * If this flag is set, debug information from mbed TLS will be logged to stdout. */ void set_debug(bool debug) { _debug = debug; } /** * Timed recv for MQTT lib */ int read(unsigned char* buffer, int len, int timeout) { set_timeout(timeout); return recv(buffer, len); } /** * Timed send for MQTT lib */ int write(unsigned char* buffer, int len, int timeout) { set_timeout(timeout); return send(buffer, len); } protected: #if DEBUG_LEVEL > 0 /** * Debug callback for mbed TLS * Just prints on the USB serial port */ static void my_debug(void *ctx, int level, const char *file, int line, const char *str) { const char *p, *basename; (void) ctx; /* Extract basename from file */ for(p = basename = file; *p != '\0'; p++) { if(*p == '/' || *p == '\\') { basename = p + 1; } } if (_debug) { mbedtls_printf("%s:%04d: |%d| %s", basename, line, level, str); } } /** * Certificate verification callback for mbed TLS * Here we only use it to display information on each cert in the chain */ static int my_verify(void *data, mbedtls_x509_crt *crt, int depth, uint32_t *flags) { const uint32_t buf_size = 1024; char *buf = new char[buf_size]; (void) data; if (_debug) mbedtls_printf("\nVerifying certificate at depth %d:\n", depth); mbedtls_x509_crt_info(buf, buf_size - 1, " ", crt); if (_debug) mbedtls_printf("%s", buf); if (*flags == 0) if (_debug) mbedtls_printf("No verification issue for this certificate\n"); else { mbedtls_x509_crt_verify_info(buf, buf_size, " ! ", *flags); if (_debug) mbedtls_printf("%s\n", buf); } delete[] buf; return 0; } #endif /** * Receive callback for mbed TLS */ static int ssl_recv(void *ctx, unsigned char *buf, size_t len) { int recv = -1; TCPSocket *socket = static_cast<TCPSocket *>(ctx); recv = socket->recv(buf, len); if (NSAPI_ERROR_WOULD_BLOCK == recv) { return MBEDTLS_ERR_SSL_WANT_READ; } else if (recv < 0) { return -1; } else { return recv; } } /** * Send callback for mbed TLS */ static int ssl_send(void *ctx, const unsigned char *buf, size_t len) { int size = -1; TCPSocket *socket = static_cast<TCPSocket *>(ctx); size = socket->send(buf, len); if(NSAPI_ERROR_WOULD_BLOCK == size) { return MBEDTLS_ERR_SSL_WANT_WRITE; } else if (size < 0){ return -1; } else { return size; } } private: void onError(TCPSocket *s, int error) { s->close(); _error = error; } TCPSocket* _tcpsocket; const char* DRBG_PERS; const char* _ssl_ca_pem; const char* _ssl_owncert_pem; const char* _ssl_own_priv_key_pem; const char* _hostname; uint16_t _port; bool _debug; bool _is_connected; nsapi_error_t _error; mbedtls_entropy_context _entropy; mbedtls_ctr_drbg_context _ctr_drbg; mbedtls_x509_crt _cacert; mbedtls_x509_crt _owncert; mbedtls_pk_context _own_priv_key; mbedtls_ssl_context _ssl; mbedtls_ssl_config _ssl_conf; }; #endif // _TLS_SOCKET_H_