|
| 1 | +/* wolfssl-lwip-client.c |
| 2 | + * |
| 3 | + * Based on client-tls-pkcallback.c |
| 4 | + * |
| 5 | + * Copyright (C) 2006-2024 wolfSSL Inc. |
| 6 | + * |
| 7 | + * This file is part of wolfSSL. |
| 8 | + * |
| 9 | + * wolfSSL is free software; you can redistribute it and/or modify |
| 10 | + * it under the terms of the GNU General Public License as published by |
| 11 | + * the Free Software Foundation; either version 2 of the License, or |
| 12 | + * (at your option) any later version. |
| 13 | + * |
| 14 | + * wolfSSL is distributed in the hope that it will be useful, |
| 15 | + * but WITHOUT ANY WARRANTY; without even the implied warranty of |
| 16 | + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| 17 | + * GNU General Public License for more details. |
| 18 | + * |
| 19 | + * You should have received a copy of the GNU General Public License |
| 20 | + * along with this program; if not, write to the Free Software |
| 21 | + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA |
| 22 | + */ |
| 23 | + |
| 24 | +/* This example shows how to write a simple TLS client that uses the features |
| 25 | + * of the Analog Devices MAXQ1065 and 1080 USS. Note that this is not a |
| 26 | + * stand-alone application. This is part of an example that can be found in the |
| 27 | + * SDK supplied by Analog Devices. Please contact Analog Devices and ask for |
| 28 | + * CodeFusion Studio Trusted Edge Security Architecture Installer. */ |
| 29 | + |
| 30 | +#include "lwip/opt.h" |
| 31 | + |
| 32 | +#if !NO_SYS /* don't build if not configured to run an OS in lwipopts.h */ |
| 33 | + |
| 34 | +/***** Includes *****/ |
| 35 | +#include <stdio.h> |
| 36 | + |
| 37 | +/* wolfSSL */ |
| 38 | +#ifndef WOLFSSL_USER_SETTINGS |
| 39 | + #include <wolfssl/options.h> |
| 40 | +#endif |
| 41 | +#include <wolfssl/wolfcrypt/sha256.h> |
| 42 | +#include <wolfssl/wolfcrypt/cryptocb.h> |
| 43 | +#include <wolfssl/wolfcrypt/ecc.h> |
| 44 | +#include <wolfssl/wolfcrypt/rsa.h> |
| 45 | +#include <wolfssl/wolfcrypt/asn.h> |
| 46 | +#include <wolfssl/wolfcrypt/error-crypt.h> |
| 47 | + |
| 48 | +#include "lwip_crypto_libs_app.h" |
| 49 | +#include "crypto_keys.h" |
| 50 | + |
| 51 | +#define TLS12 1 |
| 52 | +#define TLS13 2 |
| 53 | + |
| 54 | +#define ECC 1 |
| 55 | +#define RSA 2 |
| 56 | +#define PSK 3 |
| 57 | + |
| 58 | +#if defined(TEST_TLS_1_3) |
| 59 | +static int tls_version = TLS13; |
| 60 | +#elif defined(TEST_TLS_1_2) |
| 61 | +static int tls_version = TLS12; |
| 62 | +#else |
| 63 | +#error TEST_TLS_1_3 or TEST_TLS_1_2 MUST be defined in project.mk to test TLS |
| 64 | +#endif |
| 65 | + |
| 66 | +#if defined(TEST_PSK) |
| 67 | +static int alg = PSK; |
| 68 | +#elif defined(TEST_RSA) |
| 69 | +static int alg = RSA; |
| 70 | +#else |
| 71 | +static int alg = ECC; |
| 72 | +#endif |
| 73 | + |
| 74 | +static char *ciphersuite = NULL; |
| 75 | +static const char* kIdentityStr = "Client_identity"; |
| 76 | + |
| 77 | +static unsigned int my_psk_client_cb(struct WOLFSSL* ssl, const char* hint, |
| 78 | + char* identity, unsigned int id_max_len, |
| 79 | + uint8_t* key, unsigned int key_max_len) |
| 80 | +{ |
| 81 | + (void)ssl; |
| 82 | + (void)hint; |
| 83 | + (void)key; |
| 84 | + (void)key_max_len; |
| 85 | + |
| 86 | + /* see internal.h MAX_PSK_ID_LEN for PSK identity limit */ |
| 87 | + XSTRNCPY(identity, kIdentityStr, id_max_len); |
| 88 | + |
| 89 | + /* For TLS 1.2, we indicate that MAXQ has the PSK. */ |
| 90 | + return USE_HW_PSK; |
| 91 | +} |
| 92 | + |
| 93 | +#ifdef WOLFSSL_TLS13 |
| 94 | +static unsigned int my_psk_client_cs_cb(struct WOLFSSL* ssl, const char* hint, |
| 95 | + char* identity, unsigned int id_max_len, |
| 96 | + unsigned char* key, unsigned int key_max_len, |
| 97 | + const char* ciphersuite) |
| 98 | +{ |
| 99 | + (void)ssl; |
| 100 | + (void)hint; |
| 101 | + (void)key; |
| 102 | + (void)key_max_len; |
| 103 | + |
| 104 | +#ifdef WOLFSSL_PSK_MULTI_ID_PER_CS |
| 105 | + /* Multiple calls for each cipher suite. First identity byte indicates the |
| 106 | + * number of identites seen so far for cipher suite. */ |
| 107 | + if (identity[0] != 0) { |
| 108 | + return 0; |
| 109 | + } |
| 110 | +#endif /* WOLFSSL_PSK_MULTI_ID_PER_CS */ |
| 111 | + |
| 112 | + /* see internal.h MAX_PSK_ID_LEN for PSK identity limit */ |
| 113 | + XSTRNCPY(identity, kIdentityStr, id_max_len); |
| 114 | + XSTRNCAT(identity, ciphersuite + XSTRLEN(ciphersuite) - 6, id_max_len); |
| 115 | + |
| 116 | + /* For TLS 1.3, we just return an unmodified key. */ |
| 117 | + return 32; |
| 118 | +} |
| 119 | +#endif /* WOLFSSL_TLS13 */ |
| 120 | + |
| 121 | +void mxc_wolfssl_create(int sockfd, WOLFSSL **ssl) |
| 122 | +{ |
| 123 | + int ret; |
| 124 | + int exit_clean = 1; |
| 125 | + |
| 126 | + /* declare wolfSSL objects */ |
| 127 | + WOLFSSL_CTX* ctx = NULL; |
| 128 | + |
| 129 | + /*---------------------------------------------------*/ |
| 130 | + /* Start of wolfSSL initialization and configuration */ |
| 131 | + /*---------------------------------------------------*/ |
| 132 | +#ifdef DEBUG_WOLFSSL |
| 133 | + wolfSSL_Debugging_ON(); |
| 134 | +#endif |
| 135 | + |
| 136 | + /* Initialize wolfSSL */ |
| 137 | + if ((ret = wolfSSL_Init()) != WOLFSSL_SUCCESS) { |
| 138 | + MXC_ERR_MSG("ERROR: Failed to initialize the library\n"); |
| 139 | + goto exit; |
| 140 | + } |
| 141 | + |
| 142 | + /* Create and initialize WOLFSSL_CTX */ |
| 143 | +#ifdef WOLFSSL_TLS13 |
| 144 | + if (tls_version == TLS13) { |
| 145 | + MXC_DEBUG_MSG_GRN("TLS v1.3\n"); |
| 146 | + ctx = wolfSSL_CTX_new(wolfTLSv1_3_client_method()); |
| 147 | + } else |
| 148 | +#endif /* WOLFSSL_TLS13 */ |
| 149 | + { |
| 150 | + MXC_DEBUG_MSG_GRN("TLS v1.2\n"); |
| 151 | + ctx = wolfSSL_CTX_new(wolfTLSv1_2_client_method()); |
| 152 | + } |
| 153 | + |
| 154 | + if (ctx == NULL) { |
| 155 | + MXC_ERR_MSG("ERROR: failed to create WOLFSSL_CTX\n"); |
| 156 | + ret = -1; |
| 157 | + goto exit; |
| 158 | + } |
| 159 | + |
| 160 | + /* At this point you would normally register a CA certificate, however, it |
| 161 | + * resides in MAXQ10xx and has already been registered. */ |
| 162 | +#ifndef NO_FILESYSTEM |
| 163 | + /* Load the dummy private key; actually a public key. The actual private |
| 164 | + * key resides in MAXQ 10xx. */ |
| 165 | + if (key_file != NULL) { |
| 166 | + if ((ret = wolfSSL_CTX_use_PrivateKey_file(ctx, key_file, |
| 167 | + WOLFSSL_FILETYPE_PEM)) != WOLFSSL_SUCCESS) { |
| 168 | + MXC_ERR_MSG("ERROR: failed to load %s, please check the " |
| 169 | + "file.\n", key_file); |
| 170 | + goto exit; |
| 171 | + } |
| 172 | + } |
| 173 | +#else |
| 174 | + |
| 175 | +#if defined (TEST_RSA) |
| 176 | + ret = wolfSSL_CTX_use_PrivateKey_buffer(ctx, rsa_key_der_2048, |
| 177 | + sizeof(rsa_key_der_2048), WOLFSSL_FILETYPE_ASN1); |
| 178 | +#elif defined (HAVE_ECC) |
| 179 | + ret = wolfSSL_CTX_use_PrivateKey_buffer(ctx, ecc_key_der_256, |
| 180 | + sizeof(ecc_key_der_256), WOLFSSL_FILETYPE_ASN1); |
| 181 | +#else |
| 182 | + ret = wolfSSL_CTX_use_PrivateKey_buffer(srv_ctx, server_key_der_2048, |
| 183 | + sizeof_server_key_der_2048, WOLFSSL_FILETYPE_ASN1); |
| 184 | +#endif |
| 185 | + |
| 186 | + if (ret != WOLFSSL_SUCCESS) { |
| 187 | + MXC_DEBUG_MSG("error loading private key\n"); |
| 188 | + goto exit; |
| 189 | + } |
| 190 | +#endif |
| 191 | + /* If specified, set the ciphersuite. */ |
| 192 | + if (ciphersuite != NULL) { |
| 193 | + if (wolfSSL_CTX_set_cipher_list(ctx, ciphersuite) != WOLFSSL_SUCCESS) { |
| 194 | + MXC_ERR_MSG("Invalid cipher suite.\n"); |
| 195 | + goto exit; |
| 196 | + } |
| 197 | + } |
| 198 | +#ifndef NO_PSK |
| 199 | + if (alg == PSK) { |
| 200 | + wolfSSL_CTX_set_psk_client_callback(ctx, my_psk_client_cb); |
| 201 | +#ifdef WOLFSSL_TLS13 |
| 202 | + if (tls_version == TLS13) { |
| 203 | + wolfSSL_CTX_set_psk_client_cs_callback(ctx, my_psk_client_cs_cb); |
| 204 | + } |
| 205 | +#endif /* WOLFSSL_TLS13 */ |
| 206 | + |
| 207 | + if (ciphersuite != NULL) { |
| 208 | + wolfSSL_CTX_set_psk_callback_ctx(ctx, (void*)ciphersuite); |
| 209 | + } |
| 210 | + } |
| 211 | +#endif |
| 212 | + /* Validate peer certificate */ |
| 213 | + wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_PEER, NULL); |
| 214 | + |
| 215 | + /* Create a WOLFSSL object */ |
| 216 | + if ((*ssl = wolfSSL_new(ctx)) == NULL) { |
| 217 | + MXC_ERR_MSG("ERROR: failed to create WOLFSSL object\n"); |
| 218 | + ret = -1; |
| 219 | + goto exit; |
| 220 | + } |
| 221 | + |
| 222 | + exit_clean = 0; |
| 223 | +exit: |
| 224 | + /* Cleanup and return */ |
| 225 | + if (ctx != NULL) |
| 226 | + wolfSSL_CTX_free(ctx); |
| 227 | + if (exit_clean) |
| 228 | + mxc_wolfssl_close(sockfd, *ssl); |
| 229 | +} |
| 230 | + |
| 231 | +void mxc_wolfssl_connect(int sockfd, WOLFSSL *ssl) |
| 232 | +{ |
| 233 | + int ret, err; |
| 234 | + int exit_clean = 0; |
| 235 | + |
| 236 | +#ifdef WOLFSSL_TLS13 |
| 237 | + if (alg == RSA) { |
| 238 | + if (wolfSSL_UseKeyShare(ssl, WOLFSSL_FFDHE_2048) != WOLFSSL_SUCCESS) { |
| 239 | + MXC_ERR_MSG("ERROR: failed to create WOLFSSL object\n"); |
| 240 | + ret = -1; |
| 241 | + exit_clean = 1; |
| 242 | + goto exit; |
| 243 | + } |
| 244 | + } |
| 245 | +#endif /* WOLFSSL_TLS13 */ |
| 246 | + //MXC_DEBUG_MSG("mxc_wolfssl_connect->wolfSSL_set_fd\n"); |
| 247 | + /* Attach wolfSSL to the socket */ |
| 248 | + if ((ret = wolfSSL_set_fd(ssl, sockfd)) != WOLFSSL_SUCCESS) { |
| 249 | + MXC_ERR_MSG("ERROR: Failed to set the file descriptor\n"); |
| 250 | + exit_clean = 1; |
| 251 | + goto exit; |
| 252 | + } |
| 253 | + |
| 254 | + wolfSSL_SSLSetIORecv(ssl, mxc_wolfssl_receive); |
| 255 | + wolfSSL_SSLSetIOSend(ssl, mxc_wolfssl_send); |
| 256 | + |
| 257 | + //MXC_DEBUG_MSG("mxc_wolfssl_connect->wolfSSL_connect\n"); |
| 258 | + /* Connect to wolfSSL on the server side */ |
| 259 | + do { |
| 260 | + ret = wolfSSL_connect(ssl); |
| 261 | + err = wolfSSL_get_error(ssl, ret); |
| 262 | + } while (err == WC_PENDING_E); |
| 263 | + if (ret != WOLFSSL_SUCCESS) { |
| 264 | + MXC_ERR_MSG("ERROR: failed to connect to wolfSSL\n"); |
| 265 | + exit_clean = 1; |
| 266 | + goto exit; |
| 267 | + } |
| 268 | + |
| 269 | + MXC_DEBUG_MSG_GRN("\nmxc_wolfssl_connect-> Done\n\n"); |
| 270 | + |
| 271 | +exit: |
| 272 | + if (exit_clean) |
| 273 | + mxc_wolfssl_close(sockfd, ssl); |
| 274 | +} |
| 275 | + |
| 276 | +void mxc_wolfssl_write(WOLFSSL* ssl, const void* data, int sz) |
| 277 | +{ |
| 278 | + int ret; |
| 279 | + |
| 280 | + MXC_DEBUG_MSG(". mxc_wolfssl_write...\n"); |
| 281 | + |
| 282 | + /* Send the message to the server */ |
| 283 | + if ((ret = wolfSSL_write(ssl, data, sz)) != sz) { |
| 284 | + MXC_ERR_MSG("ERROR: failed to write entire message\n"); |
| 285 | + MXC_ERR_MSG("%d bytes of %d bytes were sent", ret, sz); |
| 286 | + } |
| 287 | +} |
| 288 | + |
| 289 | +int mxc_wolfssl_read(WOLFSSL* ssl) |
| 290 | +{ |
| 291 | + int ret; |
| 292 | + char buff[SOCKET_BUF_SIZE]; |
| 293 | + |
| 294 | + /* Read the server data into our buff array */ |
| 295 | + memset(buff, 0, sizeof(buff)); |
| 296 | + if ((ret = wolfSSL_read(ssl, buff, sizeof(buff)-1)) == -1) { |
| 297 | + MXC_ERR_MSG("ERROR: failed to read\n"); |
| 298 | + } |
| 299 | + |
| 300 | + /* Print to stdout any data the server sends */ |
| 301 | + MXC_DEBUG_MSG("Server: %s\n", buff); |
| 302 | + return ret; |
| 303 | +} |
| 304 | + |
| 305 | +void mxc_wolfssl_close(int sockfd, WOLFSSL* ssl) |
| 306 | +{ |
| 307 | + unsigned char lBuff[SOCKET_BUF_SIZE]; |
| 308 | + /* Cleanup and return */ |
| 309 | + if (ssl != NULL) |
| 310 | + wolfSSL_free(ssl); |
| 311 | + |
| 312 | + wolfSSL_Cleanup(); |
| 313 | + |
| 314 | + if (sockfd >= 0) |
| 315 | + lwip_close(sockfd); |
| 316 | + while(lwip_read(sockfd, lBuff, SOCKET_BUF_SIZE) > 0); |
| 317 | +} |
| 318 | + |
| 319 | +#endif /* !NO_SYS */ |
0 commit comments