0da9d4576b
* Add an example for how to enable TLS verification. TLS should really be used with verification enabled, as otherwise you can still suffer from a "man in the middle" attack. Add an example that demonstrates how to do this. Fixes #337
228 lines
6.9 KiB
C
228 lines
6.9 KiB
C
/*
|
|
* Copyright (c) 2023 Raspberry Pi (Trading) Ltd.
|
|
*
|
|
* SPDX-License-Identifier: BSD-3-Clause
|
|
*/
|
|
|
|
#include <string.h>
|
|
#include <time.h>
|
|
|
|
#include "pico/stdlib.h"
|
|
#include "pico/cyw43_arch.h"
|
|
#include "lwip/pbuf.h"
|
|
#include "lwip/altcp_tcp.h"
|
|
#include "lwip/altcp_tls.h"
|
|
#include "lwip/dns.h"
|
|
|
|
typedef struct TLS_CLIENT_T_ {
|
|
struct altcp_pcb *pcb;
|
|
bool complete;
|
|
int error;
|
|
const char *http_request;
|
|
int timeout;
|
|
} TLS_CLIENT_T;
|
|
|
|
static struct altcp_tls_config *tls_config = NULL;
|
|
|
|
static err_t tls_client_close(void *arg) {
|
|
TLS_CLIENT_T *state = (TLS_CLIENT_T*)arg;
|
|
err_t err = ERR_OK;
|
|
|
|
state->complete = true;
|
|
if (state->pcb != NULL) {
|
|
altcp_arg(state->pcb, NULL);
|
|
altcp_poll(state->pcb, NULL, 0);
|
|
altcp_recv(state->pcb, NULL);
|
|
altcp_err(state->pcb, NULL);
|
|
err = altcp_close(state->pcb);
|
|
if (err != ERR_OK) {
|
|
printf("close failed %d, calling abort\n", err);
|
|
altcp_abort(state->pcb);
|
|
err = ERR_ABRT;
|
|
}
|
|
state->pcb = NULL;
|
|
}
|
|
return err;
|
|
}
|
|
|
|
static err_t tls_client_connected(void *arg, struct altcp_pcb *pcb, err_t err) {
|
|
TLS_CLIENT_T *state = (TLS_CLIENT_T*)arg;
|
|
if (err != ERR_OK) {
|
|
printf("connect failed %d\n", err);
|
|
return tls_client_close(state);
|
|
}
|
|
|
|
printf("connected to server, sending request\n");
|
|
err = altcp_write(state->pcb, state->http_request, strlen(state->http_request), TCP_WRITE_FLAG_COPY);
|
|
if (err != ERR_OK) {
|
|
printf("error writing data, err=%d", err);
|
|
return tls_client_close(state);
|
|
}
|
|
|
|
return ERR_OK;
|
|
}
|
|
|
|
static err_t tls_client_poll(void *arg, struct altcp_pcb *pcb) {
|
|
TLS_CLIENT_T *state = (TLS_CLIENT_T*)arg;
|
|
printf("timed out\n");
|
|
state->error = PICO_ERROR_TIMEOUT;
|
|
return tls_client_close(arg);
|
|
}
|
|
|
|
static void tls_client_err(void *arg, err_t err) {
|
|
TLS_CLIENT_T *state = (TLS_CLIENT_T*)arg;
|
|
printf("tls_client_err %d\n", err);
|
|
tls_client_close(state);
|
|
state->error = PICO_ERROR_GENERIC;
|
|
}
|
|
|
|
static err_t tls_client_recv(void *arg, struct altcp_pcb *pcb, struct pbuf *p, err_t err) {
|
|
TLS_CLIENT_T *state = (TLS_CLIENT_T*)arg;
|
|
if (!p) {
|
|
printf("connection closed\n");
|
|
return tls_client_close(state);
|
|
}
|
|
|
|
if (p->tot_len > 0) {
|
|
/* For simplicity this examples creates a buffer on stack the size of the data pending here,
|
|
and copies all the data to it in one go.
|
|
Do be aware that the amount of data can potentially be a bit large (TLS record size can be 16 KB),
|
|
so you may want to use a smaller fixed size buffer and copy the data to it using a loop, if memory is a concern */
|
|
char buf[p->tot_len + 1];
|
|
|
|
pbuf_copy_partial(p, buf, p->tot_len, 0);
|
|
buf[p->tot_len] = 0;
|
|
|
|
printf("***\nnew data received from server:\n***\n\n%s\n", buf);
|
|
|
|
altcp_recved(pcb, p->tot_len);
|
|
}
|
|
pbuf_free(p);
|
|
|
|
return ERR_OK;
|
|
}
|
|
|
|
static void tls_client_connect_to_server_ip(const ip_addr_t *ipaddr, TLS_CLIENT_T *state)
|
|
{
|
|
err_t err;
|
|
u16_t port = 443;
|
|
|
|
printf("connecting to server IP %s port %d\n", ipaddr_ntoa(ipaddr), port);
|
|
err = altcp_connect(state->pcb, ipaddr, port, tls_client_connected);
|
|
if (err != ERR_OK)
|
|
{
|
|
fprintf(stderr, "error initiating connect, err=%d\n", err);
|
|
tls_client_close(state);
|
|
}
|
|
}
|
|
|
|
static void tls_client_dns_found(const char* hostname, const ip_addr_t *ipaddr, void *arg)
|
|
{
|
|
if (ipaddr)
|
|
{
|
|
printf("DNS resolving complete\n");
|
|
tls_client_connect_to_server_ip(ipaddr, (TLS_CLIENT_T *) arg);
|
|
}
|
|
else
|
|
{
|
|
printf("error resolving hostname %s\n", hostname);
|
|
tls_client_close(arg);
|
|
}
|
|
}
|
|
|
|
|
|
static bool tls_client_open(const char *hostname, void *arg) {
|
|
err_t err;
|
|
ip_addr_t server_ip;
|
|
TLS_CLIENT_T *state = (TLS_CLIENT_T*)arg;
|
|
|
|
state->pcb = altcp_tls_new(tls_config, IPADDR_TYPE_ANY);
|
|
if (!state->pcb) {
|
|
printf("failed to create pcb\n");
|
|
return false;
|
|
}
|
|
|
|
altcp_arg(state->pcb, state);
|
|
altcp_poll(state->pcb, tls_client_poll, state->timeout * 2);
|
|
altcp_recv(state->pcb, tls_client_recv);
|
|
altcp_err(state->pcb, tls_client_err);
|
|
|
|
/* Set SNI */
|
|
mbedtls_ssl_set_hostname(altcp_tls_context(state->pcb), hostname);
|
|
|
|
printf("resolving %s\n", hostname);
|
|
|
|
// cyw43_arch_lwip_begin/end should be used around calls into lwIP to ensure correct locking.
|
|
// You can omit them if you are in a callback from lwIP. Note that when using pico_cyw_arch_poll
|
|
// these calls are a no-op and can be omitted, but it is a good practice to use them in
|
|
// case you switch the cyw43_arch type later.
|
|
cyw43_arch_lwip_begin();
|
|
|
|
err = dns_gethostbyname(hostname, &server_ip, tls_client_dns_found, state);
|
|
if (err == ERR_OK)
|
|
{
|
|
/* host is in DNS cache */
|
|
tls_client_connect_to_server_ip(&server_ip, state);
|
|
}
|
|
else if (err != ERR_INPROGRESS)
|
|
{
|
|
printf("error initiating DNS resolving, err=%d\n", err);
|
|
tls_client_close(state->pcb);
|
|
}
|
|
|
|
cyw43_arch_lwip_end();
|
|
|
|
return err == ERR_OK || err == ERR_INPROGRESS;
|
|
}
|
|
|
|
// Perform initialisation
|
|
static TLS_CLIENT_T* tls_client_init(void) {
|
|
TLS_CLIENT_T *state = calloc(1, sizeof(TLS_CLIENT_T));
|
|
if (!state) {
|
|
printf("failed to allocate state\n");
|
|
return NULL;
|
|
}
|
|
|
|
return state;
|
|
}
|
|
|
|
bool run_tls_client_test(const uint8_t *cert, size_t cert_len, const char *server, const char *request, int timeout) {
|
|
|
|
/* No CA certificate checking */
|
|
tls_config = altcp_tls_create_config_client(cert, cert_len);
|
|
assert(tls_config);
|
|
|
|
//mbedtls_ssl_conf_authmode(&tls_config->conf, MBEDTLS_SSL_VERIFY_OPTIONAL);
|
|
|
|
TLS_CLIENT_T *state = tls_client_init();
|
|
if (!state) {
|
|
return false;
|
|
}
|
|
state->http_request = request;
|
|
state->timeout = timeout;
|
|
if (!tls_client_open(server, state)) {
|
|
return false;
|
|
}
|
|
while(!state->complete) {
|
|
// the following #ifdef is only here so this same example can be used in multiple modes;
|
|
// you do not need it in your code
|
|
#if PICO_CYW43_ARCH_POLL
|
|
// if you are using pico_cyw43_arch_poll, then you must poll periodically from your
|
|
// main loop (not from a timer) to check for Wi-Fi driver or lwIP work that needs to be done.
|
|
cyw43_arch_poll();
|
|
// you can poll as often as you like, however if you have nothing else to do you can
|
|
// choose to sleep until either a specified time, or cyw43_arch_poll() has work to do:
|
|
cyw43_arch_wait_for_work_until(make_timeout_time_ms(1000));
|
|
#else
|
|
// if you are not using pico_cyw43_arch_poll, then WiFI driver and lwIP work
|
|
// is done via interrupt in the background. This sleep is just an example of some (blocking)
|
|
// work you might be doing.
|
|
sleep_ms(1000);
|
|
#endif
|
|
}
|
|
int err = state->error;
|
|
free(state);
|
|
altcp_tls_free_config(tls_config);
|
|
return err == 0;
|
|
}
|