Add an example for how to enable TLS verification. (#381)

* Add an example for how to enable TLS verification.

TLS should really be used with verification enabled, as otherwise you
can still suffer from a "man in the middle" attack. Add an example that
demonstrates how to do this.

Fixes #337

pico_w/wifi/tls_client/tls_common.c

@@ -0,0 +1,227 @@
+/*
+ * Copyright (c) 2023 Raspberry Pi (Trading) Ltd.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <string.h>
+#include <time.h>
+
+#include "pico/stdlib.h"
+#include "pico/cyw43_arch.h"
+#include "lwip/pbuf.h"
+#include "lwip/altcp_tcp.h"
+#include "lwip/altcp_tls.h"
+#include "lwip/dns.h"
+
+typedef struct TLS_CLIENT_T_ {
+    struct altcp_pcb *pcb;
+    bool complete;
+    int error;
+    const char *http_request;
+    int timeout;
+} TLS_CLIENT_T;
+
+static struct altcp_tls_config *tls_config = NULL;
+
+static err_t tls_client_close(void *arg) {
+    TLS_CLIENT_T *state = (TLS_CLIENT_T*)arg;
+    err_t err = ERR_OK;
+
+    state->complete = true;
+    if (state->pcb != NULL) {
+        altcp_arg(state->pcb, NULL);
+        altcp_poll(state->pcb, NULL, 0);
+        altcp_recv(state->pcb, NULL);
+        altcp_err(state->pcb, NULL);
+        err = altcp_close(state->pcb);
+        if (err != ERR_OK) {
+            printf("close failed %d, calling abort\n", err);
+            altcp_abort(state->pcb);
+            err = ERR_ABRT;
+        }
+        state->pcb = NULL;
+    }
+    return err;
+}
+
+static err_t tls_client_connected(void *arg, struct altcp_pcb *pcb, err_t err) {
+    TLS_CLIENT_T *state = (TLS_CLIENT_T*)arg;
+    if (err != ERR_OK) {
+        printf("connect failed %d\n", err);
+        return tls_client_close(state);
+    }
+
+    printf("connected to server, sending request\n");
+    err = altcp_write(state->pcb, state->http_request, strlen(state->http_request), TCP_WRITE_FLAG_COPY);
+    if (err != ERR_OK) {
+        printf("error writing data, err=%d", err);
+        return tls_client_close(state);
+    }
+
+    return ERR_OK;
+}
+
+static err_t tls_client_poll(void *arg, struct altcp_pcb *pcb) {
+    TLS_CLIENT_T *state = (TLS_CLIENT_T*)arg;
+    printf("timed out\n");
+    state->error = PICO_ERROR_TIMEOUT;
+    return tls_client_close(arg);
+}
+
+static void tls_client_err(void *arg, err_t err) {
+    TLS_CLIENT_T *state = (TLS_CLIENT_T*)arg;
+    printf("tls_client_err %d\n", err);
+    tls_client_close(state);
+    state->error = PICO_ERROR_GENERIC;
+}
+
+static err_t tls_client_recv(void *arg, struct altcp_pcb *pcb, struct pbuf *p, err_t err) {
+    TLS_CLIENT_T *state = (TLS_CLIENT_T*)arg;
+    if (!p) {
+        printf("connection closed\n");
+        return tls_client_close(state);
+    }
+
+    if (p->tot_len > 0) {
+        /* For simplicity this examples creates a buffer on stack the size of the data pending here, 
+           and copies all the data to it in one go.
+           Do be aware that the amount of data can potentially be a bit large (TLS record size can be 16 KB),
+           so you may want to use a smaller fixed size buffer and copy the data to it using a loop, if memory is a concern */
+        char buf[p->tot_len + 1];
+
+        pbuf_copy_partial(p, buf, p->tot_len, 0);
+        buf[p->tot_len] = 0;
+
+        printf("***\nnew data received from server:\n***\n\n%s\n", buf);
+
+        altcp_recved(pcb, p->tot_len);
+    }
+    pbuf_free(p);
+
+    return ERR_OK;
+}
+
+static void tls_client_connect_to_server_ip(const ip_addr_t *ipaddr, TLS_CLIENT_T *state)
+{
+    err_t err;
+    u16_t port = 443;
+
+    printf("connecting to server IP %s port %d\n", ipaddr_ntoa(ipaddr), port);
+    err = altcp_connect(state->pcb, ipaddr, port, tls_client_connected);
+    if (err != ERR_OK)
+    {
+        fprintf(stderr, "error initiating connect, err=%d\n", err);
+        tls_client_close(state);
+    }
+}
+
+static void tls_client_dns_found(const char* hostname, const ip_addr_t *ipaddr, void *arg)
+{
+    if (ipaddr)
+    {
+        printf("DNS resolving complete\n");
+        tls_client_connect_to_server_ip(ipaddr, (TLS_CLIENT_T *) arg);
+    }
+    else
+    {
+        printf("error resolving hostname %s\n", hostname);
+        tls_client_close(arg);
+    }
+}
+
+
+static bool tls_client_open(const char *hostname, void *arg) {
+    err_t err;
+    ip_addr_t server_ip;
+    TLS_CLIENT_T *state = (TLS_CLIENT_T*)arg;
+
+    state->pcb = altcp_tls_new(tls_config, IPADDR_TYPE_ANY);
+    if (!state->pcb) {
+        printf("failed to create pcb\n");
+        return false;
+    }
+
+    altcp_arg(state->pcb, state);
+    altcp_poll(state->pcb, tls_client_poll, state->timeout * 2);
+    altcp_recv(state->pcb, tls_client_recv);
+    altcp_err(state->pcb, tls_client_err);
+
+    /* Set SNI */
+    mbedtls_ssl_set_hostname(altcp_tls_context(state->pcb), hostname);
+
+    printf("resolving %s\n", hostname);
+
+    // cyw43_arch_lwip_begin/end should be used around calls into lwIP to ensure correct locking.
+    // You can omit them if you are in a callback from lwIP. Note that when using pico_cyw_arch_poll
+    // these calls are a no-op and can be omitted, but it is a good practice to use them in
+    // case you switch the cyw43_arch type later.
+    cyw43_arch_lwip_begin();
+
+    err = dns_gethostbyname(hostname, &server_ip, tls_client_dns_found, state);
+    if (err == ERR_OK)
+    {
+        /* host is in DNS cache */
+        tls_client_connect_to_server_ip(&server_ip, state);
+    }
+    else if (err != ERR_INPROGRESS)
+    {
+        printf("error initiating DNS resolving, err=%d\n", err);
+        tls_client_close(state->pcb);
+    }
+
+    cyw43_arch_lwip_end();
+
+    return err == ERR_OK || err == ERR_INPROGRESS;
+}
+
+// Perform initialisation
+static TLS_CLIENT_T* tls_client_init(void) {
+    TLS_CLIENT_T *state = calloc(1, sizeof(TLS_CLIENT_T));
+    if (!state) {
+        printf("failed to allocate state\n");
+        return NULL;
+    }
+
+    return state;
+}
+
+bool run_tls_client_test(const uint8_t *cert, size_t cert_len, const char *server, const char *request, int timeout) {
+
+    /* No CA certificate checking */
+    tls_config = altcp_tls_create_config_client(cert, cert_len);
+    assert(tls_config);
+
+    //mbedtls_ssl_conf_authmode(&tls_config->conf, MBEDTLS_SSL_VERIFY_OPTIONAL);
+
+    TLS_CLIENT_T *state = tls_client_init();
+    if (!state) {
+        return false;
+    }
+    state->http_request = request;
+    state->timeout = timeout;
+    if (!tls_client_open(server, state)) {
+        return false;
+    }
+    while(!state->complete) {
+        // the following #ifdef is only here so this same example can be used in multiple modes;
+        // you do not need it in your code
+#if PICO_CYW43_ARCH_POLL
+        // if you are using pico_cyw43_arch_poll, then you must poll periodically from your
+        // main loop (not from a timer) to check for Wi-Fi driver or lwIP work that needs to be done.
+        cyw43_arch_poll();
+        // you can poll as often as you like, however if you have nothing else to do you can
+        // choose to sleep until either a specified time, or cyw43_arch_poll() has work to do:
+        cyw43_arch_wait_for_work_until(make_timeout_time_ms(1000));
+#else
+        // if you are not using pico_cyw43_arch_poll, then WiFI driver and lwIP work
+        // is done via interrupt in the background. This sleep is just an example of some (blocking)
+        // work you might be doing.
+        sleep_ms(1000);
+#endif
+    }
+    int err = state->error;
+    free(state);
+    altcp_tls_free_config(tls_config);
+    return err == 0;
+}