NuMaker connection with AWS IoT thru MQTT/HTTPS
Dependencies: MQTT
Revision 41:b878d7cd7035, committed 2020-03-27
- Comitter:
- ccli8
- Date:
- Fri Mar 27 14:32:06 2020 +0800
- Parent:
- 40:5a813d7ad6d8
- Child:
- 42:fa6f7f79a112
- Commit message:
- Make code work across mbed-os 5.15/6.x
1. Replace deprecated API
2. Re-implement MyTLSSocket with Mbed OS internal TLSSocket
3. Fix PRNG driver calling code with M480 BSP update
Changed in this revision
--- a/main.cpp Thu Nov 12 16:24:00 2020 +0800 +++ b/main.cpp Fri Mar 27 14:32:06 2020 +0800 @@ -14,8 +14,6 @@ #define AWS_IOT_HTTPS_TEST 0 #include "mbed.h" - -/* MyTLSSocket = Mbed TLS over TCPSocket */ #include "MyTLSSocket.h" #if AWS_IOT_MQTT_TEST @@ -238,13 +236,8 @@ * @param[in] net_iface Network interface */ AWS_IoT_MQTT_Test(const char * domain, const uint16_t port, NetworkInterface *net_iface) : - _domain(domain), _port(port) { - _tlssocket = new MyTLSSocket(net_iface, SSL_CA_CERT_PEM, SSL_USER_CERT_PEM, SSL_USER_PRIV_KEY_PEM); - /* Blocking mode */ - _tlssocket->set_blocking(true); - /* Print Mbed TLS handshake log */ - _tlssocket->set_debug(true); - + _domain(domain), _port(port), _net_iface(net_iface) { + _tlssocket = new MyTLSSocket; _mqtt_client = new MQTT::Client<MyTLSSocket, Countdown, MAX_MQTT_PACKET_SIZE>(*_tlssocket); } @@ -266,21 +259,61 @@ int tls_rc; int mqtt_rc; - + do { + /* Set host name of the remote host, used for certificate checking */ + _tlssocket->set_hostname(_domain); + + /* Set the certification of Root CA */ + tls_rc = _tlssocket->set_root_ca_cert(SSL_CA_CERT_PEM); + if (tls_rc != NSAPI_ERROR_OK) { + printf("TLSSocket::set_root_ca_cert(...) returned %d\n", tls_rc); + break; + } + + /* Set client certificate and client private key */ + tls_rc = _tlssocket->set_client_cert_key(SSL_USER_CERT_PEM, SSL_USER_PRIV_KEY_PEM); + if (tls_rc != NSAPI_ERROR_OK) { + printf("TLSSocket::set_client_cert_key(...) returned %d\n", tls_rc); + break; + } + + /* Blocking mode */ + _tlssocket->set_blocking(true); + + /* Open a network socket on the network stack of the given network interface */ + printf("Opening network socket on network stack\n"); + tls_rc = _tlssocket->open(_net_iface); + if (tls_rc != NSAPI_ERROR_OK) { + printf("Opens network socket on network stack failed: %d\n", tls_rc); + break; + } + printf("Opens network socket on network stack OK\n"); + + /* DNS resolution */ + printf("DNS resolution for %s...\n", _domain); + SocketAddress sockaddr; + tls_rc = _net_iface->gethostbyname(_domain, &sockaddr); + if (tls_rc != NSAPI_ERROR_OK) { + printf("DNS resolution for %s failed with %d\n", _domain, tls_rc); + break; + } + sockaddr.set_port(_port); + printf("DNS resolution for %s: %s:%d\n", _domain, sockaddr.get_ip_address(), sockaddr.get_port()); + /* Connect to the server */ /* Initialize TLS-related stuff */ printf("Connecting with %s:%d\n", _domain, _port); - tls_rc = _tlssocket->connect(_domain, _port); + tls_rc = _tlssocket->connect(sockaddr); if (tls_rc != NSAPI_ERROR_OK) { printf("Connects with %s:%d failed: %d\n", _domain, _port, tls_rc); break; } printf("Connects with %s:%d OK\n", _domain, _port); - + /* See the link below for AWS IoT support for MQTT: * http://docs.aws.amazon.com/iot/latest/developerguide/protocols.html */ - + /* MQTT connect */ /* The message broker does not support persistent sessions (connections made with * the cleanSession flag set to false. */ @@ -306,9 +339,9 @@ conn_data.cleansession = 1; //conn_data.username.cstring = "USERNAME"; //conn_data.password.cstring = "PASSWORD"; - + MQTT::connackData connack_data; - + /* _tlssocket must connect to the network endpoint before calling this. */ printf("MQTT connecting"); if ((mqtt_rc = _mqtt_client->connect(conn_data, connack_data)) != 0) { @@ -316,57 +349,56 @@ break; } printf("\rMQTT connects OK\n\n"); - + /* Subscribe/publish user topic */ printf("Subscribing/publishing user topic\n"); if (! sub_pub_topic(USER_MQTT_TOPIC, USER_MQTT_TOPIC_FILTERS, sizeof (USER_MQTT_TOPIC_FILTERS) / sizeof (USER_MQTT_TOPIC_FILTERS[0]), USER_MQTT_TOPIC_PUBLISH_MESSAGE)) { break; } printf("Subscribes/publishes user topic OK\n\n"); - + /* Subscribe/publish UpdateThingShadow topic */ printf("Subscribing/publishing UpdateThingShadow topic\n"); if (! sub_pub_topic(UPDATETHINGSHADOW_MQTT_TOPIC, UPDATETHINGSHADOW_MQTT_TOPIC_FILTERS, sizeof (UPDATETHINGSHADOW_MQTT_TOPIC_FILTERS) / sizeof (UPDATETHINGSHADOW_MQTT_TOPIC_FILTERS[0]), UPDATETHINGSHADOW_MQTT_TOPIC_PUBLISH_MESSAGE)) { break; } printf("Subscribes/publishes UpdateThingShadow topic OK\n\n"); - + /* Subscribe/publish GetThingShadow topic */ printf("Subscribing/publishing GetThingShadow topic\n"); if (! sub_pub_topic(GETTHINGSHADOW_MQTT_TOPIC, GETTHINGSHADOW_MQTT_TOPIC_FILTERS, sizeof (GETTHINGSHADOW_MQTT_TOPIC_FILTERS) / sizeof (GETTHINGSHADOW_MQTT_TOPIC_FILTERS[0]), GETTHINGSHADOW_MQTT_TOPIC_PUBLISH_MESSAGE)) { break; } printf("Subscribes/publishes GetThingShadow topic OK\n\n"); - + /* Subscribe/publish DeleteThingShadow topic */ printf("Subscribing/publishing DeleteThingShadow topic\n"); if (! sub_pub_topic(DELETETHINGSHADOW_MQTT_TOPIC, DELETETHINGSHADOW_MQTT_TOPIC_FILTERS, sizeof (DELETETHINGSHADOW_MQTT_TOPIC_FILTERS) / sizeof (DELETETHINGSHADOW_MQTT_TOPIC_FILTERS[0]), DELETETHINGSHADOW_MQTT_TOPIC_PUBLISH_MESSAGE)) { break; } printf("Subscribes/publishes DeleteThingShadow topic OK\n\n"); - + } while (0); - + printf("MQTT disconnecting"); if ((mqtt_rc = _mqtt_client->disconnect()) != 0) { printf("\rMQTT disconnects failed %d\n\n", mqtt_rc); } printf("\rMQTT disconnects OK\n\n"); - + _tlssocket->close(); } - protected: /** * @brief Subscribe/publish specific topic */ bool sub_pub_topic(const char *topic, const char **topic_filters, size_t topic_filters_size, const char *publish_message_body) { - + bool ret = false; int mqtt_rc; - + do { const char **topic_filter; const char **topic_filter_end = topic_filters + topic_filters_size; @@ -388,7 +420,7 @@ MQTT::Message message; int _bpos; - + _bpos = snprintf(_buffer, sizeof (_buffer) - 1, publish_message_body); if (_bpos < 0 || ((size_t) _bpos) > (sizeof (_buffer) - 1)) { printf("snprintf failed: %d\n", _bpos); @@ -411,7 +443,7 @@ break; } printf("\rMQTT publishes message to %s OK\n", topic); - + /* Receive message with subscribed topic */ printf("MQTT receives message with subscribed %s...\n", topic); Timer timer; @@ -441,12 +473,12 @@ } ret = true; - + } while (0); - + return ret; } - + protected: MyTLSSocket * _tlssocket; MQTT::Client<MyTLSSocket, Countdown, MAX_MQTT_PACKET_SIZE> * _mqtt_client; @@ -454,7 +486,8 @@ const char *_domain; /**< Domain name of the MQTT server */ const uint16_t _port; /**< Port number of the MQTT server */ char _buffer[MQTT_USER_BUFFER_SIZE]; /**< User buffer */ - + NetworkInterface *_net_iface; + private: static volatile uint16_t _message_arrive_count; @@ -465,7 +498,7 @@ printf("%.*s\n", message.payloadlen, (char*)message.payload); ++ _message_arrive_count; } - + static void clear_message_arrive_count() { _message_arrive_count = 0; } @@ -493,13 +526,8 @@ * @param[in] net_iface Network interface */ AWS_IoT_HTTPS_Test(const char * domain, const uint16_t port, NetworkInterface *net_iface) : - _domain(domain), _port(port) { - - _tlssocket = new MyTLSSocket(net_iface, SSL_CA_CERT_PEM, SSL_USER_CERT_PEM, SSL_USER_PRIV_KEY_PEM); - /* Non-blocking mode */ - _tlssocket->set_blocking(false); - /* Print Mbed TLS handshake log */ - _tlssocket->set_debug(true); + _domain(domain), _port(port), _net_iface(net_iface) { + _tlssocket = new MyTLSSocket; } /** * @brief AWS_IoT_HTTPS_Test Destructor @@ -515,19 +543,62 @@ * @param[in] path The path of the file to fetch from the HTTPS server */ void start_test() { - + int tls_rc; - + do { + /* Set host name of the remote host, used for certificate checking */ + _tlssocket->set_hostname(_domain); + + /* Set the certification of Root CA */ + tls_rc = _tlssocket->set_root_ca_cert(SSL_CA_CERT_PEM); + if (tls_rc != NSAPI_ERROR_OK) { + printf("TLSSocket::set_root_ca_cert(...) returned %d\n", tls_rc); + break; + } + + /* Set client certificate and client private key */ + tls_rc = _tlssocket->set_client_cert_key(SSL_USER_CERT_PEM, SSL_USER_PRIV_KEY_PEM); + if (tls_rc != NSAPI_ERROR_OK) { + printf("TLSSocket::set_client_cert_key(...) returned %d\n", tls_rc); + break; + } + + /* Open a network socket on the network stack of the given network interface */ + printf("Opening network socket on network stack\n"); + tls_rc = _tlssocket->open(_net_iface); + if (tls_rc != NSAPI_ERROR_OK) { + printf("Opens network socket on network stack failed: %d\n", tls_rc); + break; + } + printf("Opens network socket on network stack OK\n"); + + /* DNS resolution */ + printf("DNS resolution for %s...\n", _domain); + SocketAddress sockaddr; + tls_rc = _net_iface->gethostbyname(_domain, &sockaddr); + if (tls_rc != NSAPI_ERROR_OK) { + printf("DNS resolution for %s failed with %d\n", _domain, tls_rc); + break; + } + sockaddr.set_port(_port); + printf("DNS resolution for %s: %s:%d\n", _domain, sockaddr.get_ip_address(), sockaddr.get_port()); + /* Connect to the server */ /* Initialize TLS-related stuff */ printf("Connecting with %s:%d\n", _domain, _port); - tls_rc = _tlssocket->connect(_domain, _port); + tls_rc = _tlssocket->connect(sockaddr); if (tls_rc != NSAPI_ERROR_OK) { printf("Connects with %s:%d failed: %d\n", _domain, _port, tls_rc); break; } - printf("Connects with %s:%d OK\n\n", _domain, _port); + printf("Connects with %s:%d OK\n", _domain, _port); + + /* Non-blocking mode + * + * Don't change to non-blocking mode before connect; otherwise, we may meet NSAPI_ERROR_IN_PROGRESS. + */ + _tlssocket->set_blocking(false); /* Publish to user topic through HTTPS/POST */ printf("Publishing to user topic through HTTPS/POST\n"); @@ -535,42 +606,42 @@ break; } printf("Publishes to user topic through HTTPS/POST OK\n\n"); - + /* Update thing shadow by publishing to UpdateThingShadow topic through HTTPS/POST */ printf("Updating thing shadow by publishing to Update Thing Shadow topic through HTTPS/POST\n"); if (! run_req_resp(UPDATETHINGSHADOW_TOPIC_HTTPS_PATH, UPDATETHINGSHADOW_TOPIC_HTTPS_REQUEST_METHOD, UPDATETHINGSHADOW_TOPIC_HTTPS_REQUEST_MESSAGE_BODY)) { break; } printf("Update thing shadow by publishing to Update Thing Shadow topic through HTTPS/POST OK\n\n"); - + /* Get thing shadow by publishing to GetThingShadow topic through HTTPS/POST */ printf("Getting thing shadow by publishing to GetThingShadow topic through HTTPS/POST\n"); if (! run_req_resp(GETTHINGSHADOW_TOPIC_HTTPS_PATH, GETTHINGSHADOW_TOPIC_HTTPS_REQUEST_METHOD, GETTHINGSHADOW_TOPIC_HTTPS_REQUEST_MESSAGE_BODY)) { break; } printf("Get thing shadow by publishing to GetThingShadow topic through HTTPS/POST OK\n\n"); - + /* Delete thing shadow by publishing to DeleteThingShadow topic through HTTPS/POST */ printf("Deleting thing shadow by publishing to DeleteThingShadow topic through HTTPS/POST\n"); if (! run_req_resp(DELETETHINGSHADOW_TOPIC_HTTPS_PATH, DELETETHINGSHADOW_TOPIC_HTTPS_REQUEST_METHOD, DELETETHINGSHADOW_TOPIC_HTTPS_REQUEST_MESSAGE_BODY)) { break; } printf("Delete thing shadow by publishing to DeleteThingShadow topic through HTTPS/POST OK\n\n"); - + /* Update thing shadow RESTfully through HTTPS/POST */ printf("Updating thing shadow RESTfully through HTTPS/POST\n"); if (! run_req_resp(UPDATETHINGSHADOW_THING_HTTPS_PATH, UPDATETHINGSHADOW_THING_HTTPS_REQUEST_METHOD, UPDATETHINGSHADOW_THING_HTTPS_REQUEST_MESSAGE_BODY)) { break; } printf("Update thing shadow RESTfully through HTTPS/POST OK\n\n"); - + /* Get thing shadow RESTfully through HTTPS/GET */ printf("Getting thing shadow RESTfully through HTTPS/GET\n"); if (! run_req_resp(GETTHINGSHADOW_THING_HTTPS_PATH, GETTHINGSHADOW_THING_HTTPS_REQUEST_METHOD, GETTHINGSHADOW_THING_HTTPS_REQUEST_MESSAGE_BODY)) { break; } printf("Get thing shadow RESTfully through HTTPS/GET OK\n\n"); - + /* Delete thing shadow RESTfully through HTTPS/DELETE */ printf("Deleting thing shadow RESTfully through HTTPS/DELETE\n"); if (! run_req_resp(DELETETHINGSHADOW_THING_HTTPS_PATH, DELETETHINGSHADOW_THING_HTTPS_REQUEST_METHOD, DELETETHINGSHADOW_THING_HTTPS_REQUEST_MESSAGE_BODY)) { @@ -590,9 +661,9 @@ * @brief Run request/response through HTTPS */ bool run_req_resp(const char *https_path, const char *https_request_method, const char *https_request_message_body) { - + bool ret = false; - + do { int tls_rc; bool _got200 = false; @@ -611,7 +682,7 @@ /* Print request message */ printf("HTTPS: Request message:\n"); printf("%s\n", _buffer); - + int offset = 0; do { tls_rc = _tlssocket->send((const unsigned char *) _buffer + offset, _bpos - offset); @@ -619,8 +690,9 @@ offset += tls_rc; } } while (offset < _bpos && - (tls_rc > 0 || tls_rc == MBEDTLS_ERR_SSL_WANT_READ || tls_rc == MBEDTLS_ERR_SSL_WANT_WRITE)); - if (tls_rc < 0) { + (tls_rc > 0 || tls_rc == NSAPI_ERROR_WOULD_BLOCK)); + if (tls_rc < 0 && + tls_rc != NSAPI_ERROR_WOULD_BLOCK) { print_mbedtls_error("_tlssocket->send", tls_rc); break; } @@ -675,10 +747,9 @@ } } } while ((offset_end == 0 || offset < offset_end) && - (tls_rc > 0 || tls_rc == MBEDTLS_ERR_SSL_WANT_READ || tls_rc == MBEDTLS_ERR_SSL_WANT_WRITE)); + (tls_rc > 0 || tls_rc == NSAPI_ERROR_WOULD_BLOCK)); if (tls_rc < 0 && - tls_rc != MBEDTLS_ERR_SSL_WANT_READ && - tls_rc != MBEDTLS_ERR_SSL_WANT_WRITE) { + tls_rc != NSAPI_ERROR_WOULD_BLOCK) { print_mbedtls_error("_tlssocket->read", tls_rc); break; } @@ -691,26 +762,27 @@ printf("HTTPS: Received 200 OK status ... %s\n", _got200 ? "[OK]" : "[FAIL]"); printf("HTTPS: Received message:\n"); printf("%s\n", _buffer); - + ret = true; - + } while (0); - + return ret; } - + protected: MyTLSSocket * _tlssocket; const char *_domain; /**< Domain name of the HTTPS server */ const uint16_t _port; /**< Port number of the HTTPS server */ char _buffer[HTTPS_USER_BUFFER_SIZE]; /**< User buffer */ + NetworkInterface *_net_iface; }; #endif // End of AWS_IOT_HTTPS_TEST int main() { - + /* The default 9600 bps is too slow to print full TLS debug info and could * cause the other party to time out. */ @@ -732,14 +804,20 @@ printf("Connecting to the network failed %d!\n", status); return -1; } - printf("Connected to the network successfully. IP address: %s\n", net->get_ip_address()); - + SocketAddress sockaddr; + status = net->get_ip_address(&sockaddr); + if (status != NSAPI_ERROR_OK) { + printf("Network interface get_ip_address(...) failed with %d", status); + return -1; + } + printf("Connected to the network successfully. IP address: %s\n", sockaddr.get_ip_address()); + #if AWS_IOT_MQTT_TEST AWS_IoT_MQTT_Test *mqtt_test = new AWS_IoT_MQTT_Test(AWS_IOT_MQTT_SERVER_NAME, AWS_IOT_MQTT_SERVER_PORT, net); mqtt_test->start_test(); delete mqtt_test; #endif // End of AWS_IOT_MQTT_TEST - + #if AWS_IOT_HTTPS_TEST AWS_IoT_HTTPS_Test *https_test = new AWS_IoT_HTTPS_Test(AWS_IOT_HTTPS_SERVER_NAME, AWS_IOT_HTTPS_SERVER_PORT, net); https_test->start_test();
--- a/my-tlssocket/MyTLSSocket.cpp Thu Nov 12 16:24:00 2020 +0800 +++ b/my-tlssocket/MyTLSSocket.cpp Fri Mar 27 14:32:06 2020 +0800 @@ -1,243 +1,53 @@ #include "mbed.h" #include "MyTLSSocket.h" - -MyTLSSocket::MyTLSSocket(NetworkInterface* net_iface, const char* ssl_ca_pem, const char* ssl_owncert_pem, const char* ssl_own_priv_key_pem) +MyTLSSocket::MyTLSSocket() { - _tcpsocket = new TCPSocket(net_iface); - _ssl_ca_pem = ssl_ca_pem; - _ssl_owncert_pem = ssl_owncert_pem; - _ssl_own_priv_key_pem = ssl_own_priv_key_pem; - _is_connected = false; - _debug = false; - _hostname = NULL; - _port = 0; - _error = 0; + /* TLSSocket prints debug message thru mbed-trace. We override it and print thru STDIO. */ +#if MBED_CONF_MY_TLSSOCKET_TLS_DEBUG_LEVEL > 0 + mbedtls_ssl_conf_verify(get_ssl_config(), my_verify, this); + mbedtls_ssl_conf_dbg(get_ssl_config(), my_debug, this); + mbedtls_debug_set_threshold(MBED_CONF_MY_TLSSOCKET_TLS_DEBUG_LEVEL); +#endif - DRBG_PERS = "mbed TLS helloword client"; - - mbedtls_entropy_init(&_entropy); - mbedtls_ctr_drbg_init(&_ctr_drbg); - mbedtls_x509_crt_init(&_cacert); - mbedtls_x509_crt_init(&_owncert); - mbedtls_pk_init(&_own_priv_key); - mbedtls_ssl_init(&_ssl); - mbedtls_ssl_config_init(&_ssl_conf); + /* Enable RFC 6066 max_fragment_length extension in SSL */ +#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) && (MBED_CONF_MY_TLSSOCKET_TLS_MAX_FRAG_LEN > 0) + mbedtls_ssl_conf_max_frag_len(get_ssl_config(), MBED_CONF_MY_TLSSOCKET_TLS_MAX_FRAG_LEN); +#endif } MyTLSSocket::~MyTLSSocket() { - mbedtls_entropy_free(&_entropy); - mbedtls_ctr_drbg_free(&_ctr_drbg); - mbedtls_x509_crt_free(&_cacert); - mbedtls_x509_crt_free(&_owncert); - mbedtls_pk_free(&_own_priv_key); - mbedtls_ssl_free(&_ssl); - mbedtls_ssl_config_free(&_ssl_conf); - - if (_tcpsocket) { - _tcpsocket->close(); - delete _tcpsocket; - } } -nsapi_error_t MyTLSSocket::close() -{ - return _tcpsocket->close(); -} - -nsapi_error_t MyTLSSocket::connect(const char *hostname, uint16_t port) -{ - _hostname = hostname; - _port = port; - - /* Initialize the flags */ - /* - * Initialize TLS-related stuf. - */ - int ret; - if ((ret = mbedtls_ctr_drbg_seed(&_ctr_drbg, mbedtls_entropy_func, &_entropy, - (const unsigned char *) DRBG_PERS, - sizeof (DRBG_PERS))) != 0) { - print_mbedtls_error("mbedtls_crt_drbg_init", ret); - _error = ret; - return _error; - } - - if ((ret = mbedtls_x509_crt_parse(&_cacert, (const unsigned char *)_ssl_ca_pem, - strlen(_ssl_ca_pem) + 1)) != 0) { - print_mbedtls_error("mbedtls_x509_crt_parse", ret); - _error = ret; - return _error; - } - - if ((ret = mbedtls_x509_crt_parse(&_owncert, (const unsigned char *) _ssl_owncert_pem, - strlen(_ssl_owncert_pem) + 1)) != 0) { - print_mbedtls_error("mbedtls_x509_crt_parse", ret); - _error = ret; - return _error; - } - - if ((ret = mbedtls_pk_parse_key(&_own_priv_key, (const unsigned char *) _ssl_own_priv_key_pem, - strlen(_ssl_own_priv_key_pem) + 1, NULL, 0)) != 0) { - print_mbedtls_error("mbedtls_pk_parse_key", ret); - _error = ret; - return _error; - } - - if ((ret = mbedtls_ssl_config_defaults(&_ssl_conf, - MBEDTLS_SSL_IS_CLIENT, - MBEDTLS_SSL_TRANSPORT_STREAM, - MBEDTLS_SSL_PRESET_DEFAULT)) != 0) { - print_mbedtls_error("mbedtls_ssl_config_defaults", ret); - _error = ret; - return _error; - } - - mbedtls_ssl_conf_ca_chain(&_ssl_conf, &_cacert, NULL); - mbedtls_ssl_conf_own_cert(&_ssl_conf, &_owncert, &_own_priv_key); - mbedtls_ssl_conf_rng(&_ssl_conf, mbedtls_ctr_drbg_random, &_ctr_drbg); - - /* It is possible to disable authentication by passing - * MBEDTLS_SSL_VERIFY_NONE in the call to mbedtls_ssl_conf_authmode() - */ - mbedtls_ssl_conf_authmode(&_ssl_conf, MBEDTLS_SSL_VERIFY_REQUIRED); - - /* Enable RFC 6066 max_fragment_length extension in SSL */ -#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) && (MBED_CONF_MY_TLSSOCKET_TLS_MAX_FRAG_LEN > 0) - mbedtls_ssl_conf_max_frag_len(&_ssl_conf, MBED_CONF_MY_TLSSOCKET_TLS_MAX_FRAG_LEN); -#endif - -#if MBED_CONF_MY_TLSSOCKET_TLS_DEBUG_LEVEL > 0 - mbedtls_ssl_conf_verify(&_ssl_conf, my_verify, this); - mbedtls_ssl_conf_dbg(&_ssl_conf, my_debug, this); - mbedtls_debug_set_threshold(MBED_CONF_MY_TLSSOCKET_TLS_DEBUG_LEVEL); -#endif - - if ((ret = mbedtls_ssl_setup(&_ssl, &_ssl_conf)) != 0) { - print_mbedtls_error("mbedtls_ssl_setup", ret); - _error = ret; - return _error; - } - - mbedtls_ssl_set_hostname(&_ssl, _hostname); - - mbedtls_ssl_set_bio(&_ssl, static_cast<void *>(_tcpsocket), - ssl_send, ssl_recv, NULL ); - - /* Connect to the server */ - if (_debug) { - mbedtls_printf("Connecting to %s:%d\r\n", _hostname, _port); - } - ret = _tcpsocket->connect(_hostname, _port); - if (ret != NSAPI_ERROR_OK) { - if (_debug) { - mbedtls_printf("Failed to connect\r\n"); - } - onError(_tcpsocket, -1); - return _error; - } - - /* Start the handshake, the rest will be done in onReceive() */ - if (_debug) { - mbedtls_printf("Starting the TLS handshake...\r\n"); - } - do { - ret = mbedtls_ssl_handshake(&_ssl); - } while (ret == MBEDTLS_ERR_SSL_WANT_READ || ret == MBEDTLS_ERR_SSL_WANT_WRITE); - if (ret < 0) { - print_mbedtls_error("mbedtls_ssl_handshake", ret); - onError(_tcpsocket, ret); - return ret; - } - - /* It also means the handshake is done, time to print info */ - if (_debug) { - mbedtls_printf("TLS connection to %s:%d established\r\n", _hostname, _port); - } - - const uint32_t buf_size = 1024; - char *buf = new char[buf_size]; - mbedtls_x509_crt_info(buf, buf_size, "\r ", mbedtls_ssl_get_peer_cert(&_ssl)); - if (_debug) { - mbedtls_printf("Server certificate:\r\n%s\r", buf); - } - - uint32_t flags = mbedtls_ssl_get_verify_result(&_ssl); - if (flags != 0) { - mbedtls_x509_crt_verify_info(buf, buf_size, "\r ! ", flags); - if (_debug) { - mbedtls_printf("Certificate verification failed:\r\n%s\r\r\n", buf); - } - } - else { - if (_debug) mbedtls_printf("Certificate verification passed\r\n\r\n"); - } - delete [] buf; - buf = NULL; - - _is_connected = true; - - return 0; -} - -nsapi_size_or_error_t MyTLSSocket::send(const void *data, nsapi_size_t size) -{ - return mbedtls_ssl_write(&_ssl, (const uint8_t *) data, size); -} - -nsapi_size_or_error_t MyTLSSocket::recv(void *data, nsapi_size_t size) -{ - return mbedtls_ssl_read(&_ssl, (uint8_t *) data, size); -} - -void MyTLSSocket::set_blocking(bool blocking) -{ - _tcpsocket->set_blocking(blocking); -} - -void MyTLSSocket::set_timeout(int timeout) -{ - _tcpsocket->set_timeout(timeout); -} - -bool MyTLSSocket::connected() -{ - return _is_connected; -} - -nsapi_error_t MyTLSSocket::error() -{ - return _error; -} - -TCPSocket* MyTLSSocket::get_tcp_socket() -{ - return _tcpsocket; -} - -mbedtls_ssl_context *MyTLSSocket::get_ssl_context() -{ - return &_ssl; -} - -void MyTLSSocket::set_debug(bool debug) -{ - _debug = debug; -} - int MyTLSSocket::read(unsigned char* buffer, int len, int timeout) { set_timeout(timeout); + int rc = recv(buffer, len); - return (rc == MBEDTLS_ERR_SSL_WANT_READ || rc == MBEDTLS_ERR_SSL_WANT_WRITE) ? 0 : rc; + if (rc >= 0) { + return rc; + } else if (rc == NSAPI_ERROR_WOULD_BLOCK) { + return 0; + } else { + printf("TLSSocket recv(%d) failed with %d\n", len, rc); + return -1; + } } int MyTLSSocket::write(unsigned char* buffer, int len, int timeout) { set_timeout(timeout); + int rc = send(buffer, len); - return (rc == MBEDTLS_ERR_SSL_WANT_READ || rc == MBEDTLS_ERR_SSL_WANT_WRITE) ? 0 : rc; + if (rc >= 0) { + return rc; + } else if (rc == NSAPI_ERROR_WOULD_BLOCK) { + return 0; + } else { + printf("TLSSocket send(%d) failed with %d\n", len, rc); + return -1; + } } #if MBED_CONF_MY_TLSSOCKET_TLS_DEBUG_LEVEL > 0 @@ -254,9 +64,7 @@ } } - if (tlssocket->_debug) { - mbedtls_printf("%s:%04d: |%d| %s", basename, line, level, str); - } + mbedtls_printf("%s:%04d: |%d| %s", basename, line, level, str); } int MyTLSSocket::my_verify(void *data, mbedtls_x509_crt *crt, int depth, uint32_t *flags) @@ -265,65 +73,19 @@ char *buf = new char[buf_size]; MyTLSSocket *tlssocket = static_cast<MyTLSSocket *>(data); - if (tlssocket->_debug) { - mbedtls_printf("\nVerifying certificate at depth %d:\n", depth); - } + printf("\nVerifying certificate at depth %d:\n", depth); mbedtls_x509_crt_info(buf, buf_size - 1, " ", crt); - if (tlssocket->_debug) { - mbedtls_printf("%s", buf); - } - + printf("%s", buf); + if (*flags == 0) { - if (tlssocket->_debug) { - mbedtls_printf("No verification issue for this certificate\n"); - } - } - else { + printf("No verification issue for this certificate\n"); + } else { mbedtls_x509_crt_verify_info(buf, buf_size, " ! ", *flags); - if (tlssocket->_debug) mbedtls_printf("%s\n", buf); + printf("%s\n", buf); } delete[] buf; + return 0; } #endif - -int MyTLSSocket::ssl_recv(void *ctx, unsigned char *buf, size_t len) -{ - int recv = -1; - TCPSocket *socket = static_cast<TCPSocket *>(ctx); - recv = socket->recv(buf, len); - - if (NSAPI_ERROR_WOULD_BLOCK == recv) { - return MBEDTLS_ERR_SSL_WANT_READ; - } - else if (recv < 0) { - return -1; - } - else { - return recv; - } -} - -int MyTLSSocket::ssl_send(void *ctx, const unsigned char *buf, size_t len) -{ - int size = -1; - TCPSocket *socket = static_cast<TCPSocket *>(ctx); - size = socket->send(buf, len); - - if (NSAPI_ERROR_WOULD_BLOCK == size) { - return MBEDTLS_ERR_SSL_WANT_WRITE; - } - else if (size < 0) { - return -1; - } - else { - return size; - } -} - -void MyTLSSocket::onError(TCPSocket *s, int error) -{ - s->close(); - _error = error; -}
--- a/my-tlssocket/MyTLSSocket.h Thu Nov 12 16:24:00 2020 +0800 +++ b/my-tlssocket/MyTLSSocket.h Fri Mar 27 14:32:06 2020 +0800 @@ -1,111 +1,21 @@ #ifndef _MY_TLS_SOCKET_H_ #define _MY_TLS_SOCKET_H_ -#include "mbedtls/platform.h" -#include "mbedtls/ssl.h" -#include "mbedtls/entropy.h" -#include "mbedtls/ctr_drbg.h" -#include "mbedtls/error.h" +#include "mbed.h" +#include "TLSSocket.h" +#include "mbedtls_utils.h" #if MBED_CONF_MY_TLSSOCKET_TLS_DEBUG_LEVEL > 0 #include "mbedtls/debug.h" #endif -#include "mbedtls_utils.h" - -/** - * \brief MyTLSSocket a wrapper around TCPSocket for interacting with TLS servers - */ -class MyTLSSocket { +/* MyTLSSocket = TLSSocket + MQTT lib required timed read/write + debug thru console */ +class MyTLSSocket : public TLSSocket +{ public: - MyTLSSocket(NetworkInterface* net_iface, const char* ssl_ca_pem, const char* ssl_owncert_pem, const char* ssl_own_priv_key_pem); + MyTLSSocket(); ~MyTLSSocket(); - /** Close the socket - * - * Closes any open connection and deallocates any memory associated - * with the socket. Called from destructor if socket is not closed. - * - * @return 0 on success, negative error code on failure - */ - nsapi_error_t close(); - - nsapi_error_t connect(const char *hostname, uint16_t port); - - /** Send data over a TCP socket - * - * The socket must be connected to a remote host. Returns the number of - * bytes sent from the buffer. - * - * By default, send blocks until all data is sent. If socket is set to - * non-blocking or times out, a partial amount can be written. - * NSAPI_ERROR_WOULD_BLOCK is returned if no data was written. - * - * @param data Buffer of data to send to the host - * @param size Size of the buffer in bytes - * @return Number of sent bytes on success, negative error - * code on failure - */ - nsapi_size_or_error_t send(const void *data, nsapi_size_t size); - - /** Receive data over a TCP socket - * - * The socket must be connected to a remote host. Returns the number of - * bytes received into the buffer. - * - * By default, recv blocks until some data is received. If socket is set to - * non-blocking or times out, NSAPI_ERROR_WOULD_BLOCK can be returned to - * indicate no data. - * - * @param data Destination buffer for data received from the host - * @param size Size of the buffer in bytes - * @return Number of received bytes on success, negative error - * code on failure - */ - nsapi_size_or_error_t recv(void *data, nsapi_size_t size); - - /** Set blocking or non-blocking mode of the socket - * - * Initially all sockets are in blocking mode. In non-blocking mode - * blocking operations such as send/recv/accept return - * NSAPI_ERROR_WOULD_BLOCK if they can not continue. - * - * set_blocking(false) is equivalent to set_timeout(-1) - * set_blocking(true) is equivalent to set_timeout(0) - * - * @param blocking true for blocking mode, false for non-blocking mode. - */ - void set_blocking(bool blocking); - - /** Set timeout on blocking socket operations - * - * Initially all sockets have unbounded timeouts. NSAPI_ERROR_WOULD_BLOCK - * is returned if a blocking operation takes longer than the specified - * timeout. A timeout of 0 removes the timeout from the socket. A negative - * value give the socket an unbounded timeout. - * - * set_timeout(0) is equivalent to set_blocking(false) - * set_timeout(-1) is equivalent to set_blocking(true) - * - * @param timeout Timeout in milliseconds - */ - void set_timeout(int timeout); - - bool connected(); - - nsapi_error_t error(); - - TCPSocket* get_tcp_socket(); - - mbedtls_ssl_context* get_ssl_context(); - - /** - * Set the debug flag. - * - * If this flag is set, debug information from mbed TLS will be logged to stdout. - */ - void set_debug(bool debug); - /** * Timed recv for MQTT lib */ @@ -117,56 +27,20 @@ int write(unsigned char* buffer, int len, int timeout); protected: - #if MBED_CONF_MY_TLSSOCKET_TLS_DEBUG_LEVEL > 0 /** - * Debug callback for mbed TLS + * Debug callback for Mbed TLS * Just prints on the USB serial port */ static void my_debug(void *ctx, int level, const char *file, int line, const char *str); /** - * Certificate verification callback for mbed TLS + * Certificate verification callback for Mbed TLS * Here we only use it to display information on each cert in the chain */ static int my_verify(void *data, mbedtls_x509_crt *crt, int depth, uint32_t *flags); #endif - - /** - * Receive callback for mbed TLS - */ - static int ssl_recv(void *ctx, unsigned char *buf, size_t len); - - /** - * Send callback for mbed TLS - */ - static int ssl_send(void *ctx, const unsigned char *buf, size_t len); - -private: - void onError(TCPSocket *s, int error); - - TCPSocket* _tcpsocket; - - const char* DRBG_PERS; - const char* _ssl_ca_pem; - const char* _ssl_owncert_pem; - const char* _ssl_own_priv_key_pem; - const char* _hostname; - uint16_t _port; - - bool _debug; - bool _is_connected; - - nsapi_error_t _error; - - mbedtls_entropy_context _entropy; - mbedtls_ctr_drbg_context _ctr_drbg; - mbedtls_x509_crt _cacert; - mbedtls_x509_crt _owncert; - mbedtls_pk_context _own_priv_key; - mbedtls_ssl_context _ssl; - mbedtls_ssl_config _ssl_conf; }; #endif // _MY_TLS_SOCKET_H_
--- a/my-tlssocket/mbed_lib.json Thu Nov 12 16:24:00 2020 +0800 +++ b/my-tlssocket/mbed_lib.json Fri Mar 27 14:32:06 2020 +0800 @@ -3,7 +3,7 @@ "config": { "tls-debug-level": { "help": "Debug level for TLS. Larger value for more verbose message. Its value can be 0, 1, 2, 3, or 4", - "value": 1 + "value": 0 }, "tls-max-frag-len": { "help": "Maximum fragment length value for the payload in one packet, doesn't include TLS header and encryption overhead. Is needed for constrainted devices having low MTU sizes, Value 0 = disabled, 1 = MBEDTLS_SSL_MAX_FRAG_LEN_512, 2= MBEDTLS_SSL_MAX_FRAG_LEN_1024, 3 = MBEDTLS_SSL_MAX_FRAG_LEN_2048, 4 = MBEDTLS_SSL_MAX_FRAG_LEN_4096",
--- a/pre-main/provision.cpp Thu Nov 12 16:24:00 2020 +0800 +++ b/pre-main/provision.cpp Fri Mar 27 14:32:06 2020 +0800 @@ -19,7 +19,7 @@ #include "mbed.h" #include "mbedtls/config.h" #include "entropy_poll.h" -#include "psa/crypto.h" +//#include "psa/crypto.h" #include "kvstore_global_api.h" #include "KVStore.h" #include "TDBStore.h"
--- a/targets/TARGET_NUVOTON/platform_entropy.cpp Thu Nov 12 16:24:00 2020 +0800 +++ b/targets/TARGET_NUVOTON/platform_entropy.cpp Fri Mar 27 14:32:06 2020 +0800 @@ -180,7 +180,11 @@ { #if NU_CRYPTO_PRNG_PRESENT crypto_init(); +#if TARGET_NUC472 || (MBED_MAJOR_VERSION < 6) PRNG_ENABLE_INT(); +#else + PRNG_ENABLE_INT(CRPT); +#endif #endif uint32_t seed = 0; @@ -194,8 +198,12 @@ #if NU_CRYPTO_PRNG_PRESENT /* PRNG reload seed */ +#if TARGET_NUC472 || (MBED_MAJOR_VERSION < 6) PRNG_Open(PRNG_KEYSIZE_ID, 1, seed); #else + PRNG_Open(CRPT, PRNG_KEYSIZE_ID, 1, seed); +#endif +#else srand(seed); #endif /* #if NU_CRYPTO_PRNG_PRESENT */ } @@ -203,7 +211,11 @@ NuEADCSeedRandom::~NuEADCSeedRandom() { #if NU_CRYPTO_PRNG_PRESENT +#if TARGET_NUC472 || (MBED_MAJOR_VERSION < 6) PRNG_DISABLE_INT(); +#else + PRNG_DISABLE_INT(CRPT); +#endif crypto_uninit(); #endif /* #if NU_CRYPTO_PRNG_PRESENT */ } @@ -221,11 +233,18 @@ uint32_t rand_data[PRNG_KEYSIZE / sizeof(uint32_t)]; while (rmn) { crypto_prng_prestart(); +#if TARGET_NUC472 || (MBED_MAJOR_VERSION < 6) PRNG_Start(); +#else + PRNG_Start(CRPT); +#endif crypto_prng_wait(); +#if TARGET_NUC472 || (MBED_MAJOR_VERSION < 6) PRNG_Read(rand_data); - +#else + PRNG_Read(CRPT, rand_data); +#endif size_t n = (rmn >= PRNG_KEYSIZE) ? PRNG_KEYSIZE : rmn; memcpy(output_ind, rand_data, n);