Add tls_server example, showing binding a socket and accepting a TLS connection
This commit is contained in:
parent
3e7edd43aa
commit
c8716747bb
3 changed files with 327 additions and 0 deletions
4
examples/tls_server/Makefile
Normal file
4
examples/tls_server/Makefile
Normal file
|
@ -0,0 +1,4 @@
|
|||
PROGRAM=tls_server
|
||||
COMPONENTS = FreeRTOS lwip core extras/mbedtls
|
||||
|
||||
include ../../common.mk
|
65
examples/tls_server/cert.c
Normal file
65
examples/tls_server/cert.c
Normal file
|
@ -0,0 +1,65 @@
|
|||
/* This is the unencrypted RSA 2048-bit private key and certificate to use for the server, in PEM
|
||||
format, as dumped via:
|
||||
|
||||
openssl req -x509 -nodes -days 365 -sha256 -newkey rsa:2048 -keyout cert.pem -out cert.pem
|
||||
|
||||
... and then the relevant parts of the .pem file copied out into the strings below.
|
||||
*/
|
||||
#include <stdio.h>
|
||||
#include <stdint.h>
|
||||
#include <string.h>
|
||||
|
||||
const char *server_key =
|
||||
"-----BEGIN PRIVATE KEY-----\r\n"
|
||||
"MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCr5Pq7VARJJKa5\r\n"
|
||||
"gl68F2TJARsJ71fp4a48uVPwwtm7L7ili+qxhtB73AOjpiR/ZqJBkpMrSjbNdHPp\r\n"
|
||||
"vz9Bk164msv81DXzDuzn5QXuvbI87IFdnCM+I+xLSPCjBbPjPQsm7UJUG9pfjAAZ\r\n"
|
||||
"lF4KAN53OLpKOeu6ut7b0lHJ1H/YLeBOMcReTbObYa6QHO4+Rl7n9MMkDg1geCsW\r\n"
|
||||
"as6LznPVM1Jy7kh7IZZ3As+4dQ+V3VJ3/t/+lOK5O+WtAWZ96b7AHxc0DkgCLWz9\r\n"
|
||||
"+4fpRxHtjD4sA7nXEpgk6qYqS/8N0tHKQBC+uDSWxE3t0mF2Jr1D1gGlFy3VV5r2\r\n"
|
||||
"fEfWN74JAgMBAAECggEBAI7gB4v3HIzTOwVMmIOMikgMdDYAy7jpzZJJlLy0qJdO\r\n"
|
||||
"5hIrxwqB/P5GdHvsl7+RRmJse4jq6bxCBCqQvPo7jOqyN8VRefoqOL3S/ehfoivD\r\n"
|
||||
"hQ+SvTRkVX6KBQHrtoa1cXSMlqokcJEkY9zfFn8IE+FStH0Hwaj2tFBQc4zn5M+A\r\n"
|
||||
"jXsfySLT5dbQws/mJwn5DcuBtNqUBaYmUxRVOpiqbidmiszcqOEcfqfbL+fLmmhB\r\n"
|
||||
"mMdsKj79yUG98XtAwDo6zYqrt/KZ+Zty/9KIw1KLmYa2Cf6UWTCj4CKyVJuI0vy7\r\n"
|
||||
"pqFYC5a5C/MtLt+R6CgbcRey598NkpDZwOyt0BgdKoECgYEA1eDFq9qhMmxKNUtE\r\n"
|
||||
"K4e9u90xYNhSdKQV/XyXp+Fk0aSGuDdjLJm+q1i2KD6RfbuxCy41VPNs/EOlp6mP\r\n"
|
||||
"+fCTDVSrBLkOS/d2Dib/0XWi3o/Np6ZB9PZbU8tXqqKcaKmkhTOI/P3c+4Ap2xfD\r\n"
|
||||
"BtN/GBe5DRO7Nn60va3A0cSF2fECgYEAzb9+kFnEf13XGvk529wgDbl3tHsNrHRZ\r\n"
|
||||
"OW+fBNt/5D+H8Ky4m1Hkejk28q77fCQPRvf0LeNKCWq/rDLjjkC7EB5hDztHXFf0\r\n"
|
||||
"ptNLyOVnh16hSs4BrzLebfsSqMCYgWGxGJe3udxm+wPnMA5tf0rATY2B0wlZ90ew\r\n"
|
||||
"pjjK5BdbTZkCgYA0zLef9GpFG2y6eWlL4cfaQAH3qY+5keSH3qFF5aPRCW/kvG+0\r\n"
|
||||
"TARBIrZdewzJ4HMVkoPCBBJMuJqFqJuNlXGIIfXSRakc4et4FPKkkAj0LsYTdDzm\r\n"
|
||||
"L4deSV3MFzbLs82UwKM56aYLRJmQp+4SmlXO6dRaQRu/mUofZWyrnHt60QKBgQCC\r\n"
|
||||
"5eUAs4vXOH2k9JDB9w8RjEDDO1KcuD0X1JMIBRodvemfzlN4xaYluIbj6T2oYkyx\r\n"
|
||||
"6wiXtTYiPZ8KUCoEE9yvSZSYmy8waekFxgI+Iu0165eUPvJFY4it0gGyCS49ikig\r\n"
|
||||
"i83g2n9ODdKk+Vjilk04SeIhwJ5TO3IAnrs+WDnHaQKBgC5wQI35xrhJKD12SI2P\r\n"
|
||||
"VFdX3+5WUEIJ5Sivu5r2a5nPY+Ee2H5NuhWf742VFAg6YCfK1yYuK2v/vJ/haLiZ\r\n"
|
||||
"qBZe3F6B0UBfQnzUtVbenNliLj60SbBve3INDgTw2abm0v3Dcx4wbMT8w2ShiC83\r\n"
|
||||
"7Rr0nUhGs0IUayU5dLpd3qB1\r\n"
|
||||
"-----END PRIVATE KEY-----\r\n";
|
||||
|
||||
const char *server_cert =
|
||||
"-----BEGIN CERTIFICATE-----\r\n"
|
||||
"MIIDyTCCArGgAwIBAgIJAPEyjXMZ6kAsMA0GCSqGSIb3DQEBCwUAMHsxCzAJBgNV\r\n"
|
||||
"BAYTAkFVMQwwCgYDVQQIDANWaWMxEjAQBgNVBAcMCU1lbGJvdXJuZTEeMBwGA1UE\r\n"
|
||||
"CgwVZXNwLW9wZW4tcnRvcyBQdHkgTHRkMRwwGgYDVQQLDBNTbmFrZW9pbCBTYWxl\r\n"
|
||||
"cyBVbml0MQwwCgYDVQQDDANlc3AwHhcNMTYwMjA4MDM0NDU1WhcNMTcwMjA3MDM0\r\n"
|
||||
"NDU1WjB7MQswCQYDVQQGEwJBVTEMMAoGA1UECAwDVmljMRIwEAYDVQQHDAlNZWxi\r\n"
|
||||
"b3VybmUxHjAcBgNVBAoMFWVzcC1vcGVuLXJ0b3MgUHR5IEx0ZDEcMBoGA1UECwwT\r\n"
|
||||
"U25ha2VvaWwgU2FsZXMgVW5pdDEMMAoGA1UEAwwDZXNwMIIBIjANBgkqhkiG9w0B\r\n"
|
||||
"AQEFAAOCAQ8AMIIBCgKCAQEAq+T6u1QESSSmuYJevBdkyQEbCe9X6eGuPLlT8MLZ\r\n"
|
||||
"uy+4pYvqsYbQe9wDo6Ykf2aiQZKTK0o2zXRz6b8/QZNeuJrL/NQ18w7s5+UF7r2y\r\n"
|
||||
"POyBXZwjPiPsS0jwowWz4z0LJu1CVBvaX4wAGZReCgDedzi6Sjnrurre29JRydR/\r\n"
|
||||
"2C3gTjHEXk2zm2GukBzuPkZe5/TDJA4NYHgrFmrOi85z1TNScu5IeyGWdwLPuHUP\r\n"
|
||||
"ld1Sd/7f/pTiuTvlrQFmfem+wB8XNA5IAi1s/fuH6UcR7Yw+LAO51xKYJOqmKkv/\r\n"
|
||||
"DdLRykAQvrg0lsRN7dJhdia9Q9YBpRct1Vea9nxH1je+CQIDAQABo1AwTjAdBgNV\r\n"
|
||||
"HQ4EFgQUkg2t3waA/P/HYDEebQS/6NbWryEwHwYDVR0jBBgwFoAUkg2t3waA/P/H\r\n"
|
||||
"YDEebQS/6NbWryEwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEApIvY\r\n"
|
||||
"FN+ufDkqiGYwZygX4uo2ysAE3QtruwsFnna0+asat/TNlrFivif9pEW50pHnZV2+\r\n"
|
||||
"WZte/LgemeSwSqGekVSYGzbeZciuOdrnwadyBqGJoLTB+JjJRJqdlVR+OrVme0J2\r\n"
|
||||
"rBZkQ85/LZAZ8XoLDPopg++nU35NBEK5qImEWyUJb1TPUZbVKQu4aPi9ArprDnDd\r\n"
|
||||
"62UyNiDWvHx9yR2hDb9oI5jVnMHNLSCrD2baBVktFwPgJ2gdnPXOzhWHaLVKzl+7\r\n"
|
||||
"TMjIxLP6uepl7rg0P6j0UCYt7dSTLlb06wi0zWpUVErpP+sGOXYLDLfls+Ewofd9\r\n"
|
||||
"MYQhZNPFw+6LzuwWCA==\r\n"
|
||||
"-----END CERTIFICATE-----\r\n";
|
258
examples/tls_server/tls_server.c
Normal file
258
examples/tls_server/tls_server.c
Normal file
|
@ -0,0 +1,258 @@
|
|||
/* tls_server - simple TLS server that outputs some statistics to a connecting client,
|
||||
* then closes the socket.
|
||||
*
|
||||
* Similar to the the ssl_server example in mbedtls.
|
||||
*
|
||||
* To test this program, connect to the ESP using openssl command line like this:
|
||||
*
|
||||
* openssl s_client -connect 192.168.66.209:800
|
||||
*
|
||||
* The openssl command line client will print some information for the (self-signed) server certificate,
|
||||
* then after a couple of seconds (validation) there will be a few lines of text output sent from the ESP.
|
||||
*
|
||||
* See the cert.c file for private key & certificate (PEM format), plus information for generation.
|
||||
*
|
||||
* Original Copyright (C) 2006-2015, ARM Limited, All Rights Reserved, Apache 2.0 License.
|
||||
* Additions Copyright (C) 2016 Angus Gratton, Apache 2.0 License.
|
||||
*/
|
||||
#include "espressif/esp_common.h"
|
||||
#include "esp/uart.h"
|
||||
|
||||
#include <string.h>
|
||||
|
||||
#include "FreeRTOS.h"
|
||||
#include "task.h"
|
||||
|
||||
#include "lwip/err.h"
|
||||
#include "lwip/sockets.h"
|
||||
#include "lwip/sys.h"
|
||||
#include "lwip/netdb.h"
|
||||
#include "lwip/dns.h"
|
||||
#include "lwip/api.h"
|
||||
|
||||
#include "ssid_config.h"
|
||||
|
||||
/* Server cert & key */
|
||||
extern const char *server_cert;
|
||||
extern const char *server_key;
|
||||
|
||||
/* mbedtls/config.h MUST appear before all other mbedtls headers, or
|
||||
you'll get the default config.
|
||||
|
||||
(Although mostly that isn't a big problem, you just might get
|
||||
errors at link time if functions don't exist.) */
|
||||
#include "mbedtls/config.h"
|
||||
|
||||
#include "mbedtls/net.h"
|
||||
#include "mbedtls/debug.h"
|
||||
#include "mbedtls/ssl.h"
|
||||
#include "mbedtls/entropy.h"
|
||||
#include "mbedtls/ctr_drbg.h"
|
||||
#include "mbedtls/error.h"
|
||||
#include "mbedtls/certs.h"
|
||||
|
||||
#define PORT "800"
|
||||
|
||||
void tls_server_task(void *pvParameters)
|
||||
{
|
||||
int successes = 0, failures = 0, ret;
|
||||
printf("TLS server task starting...\n");
|
||||
|
||||
const char *pers = "tls_server";
|
||||
|
||||
mbedtls_entropy_context entropy;
|
||||
mbedtls_ctr_drbg_context ctr_drbg;
|
||||
mbedtls_ssl_context ssl;
|
||||
mbedtls_x509_crt srvcert;
|
||||
mbedtls_pk_context pkey;
|
||||
mbedtls_ssl_config conf;
|
||||
mbedtls_net_context server_ctx;
|
||||
|
||||
/*
|
||||
* 0. Initialize the RNG and the session data
|
||||
*/
|
||||
mbedtls_ssl_init(&ssl);
|
||||
mbedtls_x509_crt_init(&srvcert);
|
||||
mbedtls_pk_init( &pkey );
|
||||
mbedtls_ctr_drbg_init(&ctr_drbg);
|
||||
printf("\n . Seeding the random number generator...");
|
||||
|
||||
mbedtls_ssl_config_init(&conf);
|
||||
|
||||
mbedtls_entropy_init(&entropy);
|
||||
if((ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy,
|
||||
(const unsigned char *) pers,
|
||||
strlen(pers))) != 0)
|
||||
{
|
||||
printf(" failed\n ! mbedtls_ctr_drbg_seed returned %d\n", ret);
|
||||
while(1) {} /* todo: replace with abort() */
|
||||
}
|
||||
|
||||
printf(" ok\n");
|
||||
|
||||
/*
|
||||
* 0. Initialize certificates
|
||||
*/
|
||||
printf(" . Loading the server certificate ...");
|
||||
|
||||
ret = mbedtls_x509_crt_parse(&srvcert, (uint8_t*)server_cert, strlen(server_cert)+1);
|
||||
if(ret < 0)
|
||||
{
|
||||
printf(" failed\n ! mbedtls_x509_crt_parse returned -0x%x\n\n", -ret);
|
||||
while(1) {} /* todo: replace with abort() */
|
||||
}
|
||||
|
||||
printf(" ok (%d skipped)\n", ret);
|
||||
|
||||
printf(" . Loading the server private key ...");
|
||||
ret = mbedtls_pk_parse_key(&pkey, (uint8_t *)server_key, strlen(server_key)+1, NULL, 0);
|
||||
if(ret != 0)
|
||||
{
|
||||
printf(" failed\n ! mbedtls_pk_parse_key returned - 0x%x\n\n", -ret);
|
||||
while(1) { } /*todo: replace with abort() */
|
||||
}
|
||||
|
||||
printf(" ok\n");
|
||||
|
||||
/*
|
||||
* 2. Setup stuff
|
||||
*/
|
||||
printf(" . Setting up the SSL/TLS structure...");
|
||||
|
||||
if((ret = mbedtls_ssl_config_defaults(&conf,
|
||||
MBEDTLS_SSL_IS_SERVER,
|
||||
MBEDTLS_SSL_TRANSPORT_STREAM,
|
||||
MBEDTLS_SSL_PRESET_DEFAULT)) != 0)
|
||||
{
|
||||
printf(" failed\n ! mbedtls_ssl_config_defaults returned %d\n\n", ret);
|
||||
goto exit;
|
||||
}
|
||||
|
||||
printf(" ok\n");
|
||||
|
||||
mbedtls_ssl_conf_ca_chain(&conf, srvcert.next, NULL);
|
||||
if( ( ret = mbedtls_ssl_conf_own_cert( &conf, &srvcert, &pkey ) ) != 0 )
|
||||
{
|
||||
printf( " failed\n ! mbedtls_ssl_conf_own_cert returned %d\n\n", ret );
|
||||
while(1) { }
|
||||
}
|
||||
|
||||
mbedtls_ssl_conf_rng(&conf, mbedtls_ctr_drbg_random, &ctr_drbg);
|
||||
#ifdef MBEDTLS_DEBUG_C
|
||||
mbedtls_debug_set_threshold(DEBUG_LEVEL);
|
||||
mbedtls_ssl_conf_dbg(&conf, my_debug, stdout);
|
||||
#endif
|
||||
|
||||
if((ret = mbedtls_ssl_setup(&ssl, &conf)) != 0)
|
||||
{
|
||||
printf(" failed\n ! mbedtls_ssl_setup returned %d\n\n", ret);
|
||||
goto exit;
|
||||
}
|
||||
|
||||
while(1) {
|
||||
mbedtls_net_context client_ctx;
|
||||
mbedtls_net_init(&server_ctx);
|
||||
mbedtls_net_init(&client_ctx);
|
||||
printf("top of loop, free heap = %u\n", xPortGetFreeHeapSize());
|
||||
|
||||
/*
|
||||
* 1. Start the connection
|
||||
*/
|
||||
ret = mbedtls_net_bind(&server_ctx, "0.0.0.0", PORT, MBEDTLS_NET_PROTO_TCP);
|
||||
if(ret != 0)
|
||||
{
|
||||
printf(" failed\n ! mbedtls_net_bind returned %d\n\n", ret);
|
||||
goto exit;
|
||||
}
|
||||
|
||||
printf(" ok\n");
|
||||
|
||||
ret=mbedtls_net_accept(&server_ctx, &client_ctx, NULL, 0 , NULL);
|
||||
if( ret != 0 ){
|
||||
printf(" Failed to accept connection. Restarting.\n");
|
||||
mbedtls_net_free(&server_ctx);
|
||||
continue;
|
||||
}
|
||||
|
||||
mbedtls_ssl_set_bio(&ssl, &client_ctx, mbedtls_net_send, mbedtls_net_recv, NULL);
|
||||
|
||||
/*
|
||||
* 4. Handshake
|
||||
*/
|
||||
printf(" . Performing the SSL/TLS handshake...");
|
||||
|
||||
while((ret = mbedtls_ssl_handshake(&ssl)) != 0)
|
||||
{
|
||||
if(ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE)
|
||||
{
|
||||
printf(" failed\n ! mbedtls_ssl_handshake returned -0x%x\n\n", -ret);
|
||||
goto exit;
|
||||
}
|
||||
}
|
||||
|
||||
printf(" ok\n");
|
||||
|
||||
|
||||
/*
|
||||
* 3. Write the GET request
|
||||
*/
|
||||
printf(" > Writing status to new client... ");
|
||||
|
||||
struct sockaddr_in peer_addr;
|
||||
socklen_t peer_addr_len = sizeof(struct sockaddr_in);
|
||||
getpeername(client_ctx.fd, (struct sockaddr *)&peer_addr, &peer_addr_len);
|
||||
unsigned char buf[256];
|
||||
int len = sprintf((char *) buf, "O hai, client %d.%d.%d.%d:%d\nFree heap size is %d bytes\n",
|
||||
ip4_addr1(&peer_addr.sin_addr), ip4_addr2(&peer_addr.sin_addr),
|
||||
ip4_addr3(&peer_addr.sin_addr), ip4_addr4(&peer_addr.sin_addr),
|
||||
peer_addr.sin_port, xPortGetFreeHeapSize());
|
||||
while((ret = mbedtls_ssl_write(&ssl, buf, len)) <= 0)
|
||||
{
|
||||
if(ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE)
|
||||
{
|
||||
printf(" failed\n ! mbedtls_ssl_write returned %d\n\n", ret);
|
||||
goto exit;
|
||||
}
|
||||
}
|
||||
|
||||
len = ret;
|
||||
printf(" %d bytes written. Closing socket on client.\n\n%s", len, (char *) buf);
|
||||
|
||||
mbedtls_ssl_close_notify(&ssl);
|
||||
|
||||
exit:
|
||||
mbedtls_ssl_session_reset(&ssl);
|
||||
mbedtls_net_free(&client_ctx);
|
||||
mbedtls_net_free(&server_ctx);
|
||||
|
||||
if(ret != 0)
|
||||
{
|
||||
char error_buf[100];
|
||||
mbedtls_strerror(ret, error_buf, 100);
|
||||
printf("\n\nLast error was: %d - %s\n\n", ret, error_buf);
|
||||
failures++;
|
||||
} else {
|
||||
successes++;
|
||||
}
|
||||
|
||||
printf("\n\nsuccesses = %d failures = %d\n", successes, failures);
|
||||
printf("Waiting for next client...\n");
|
||||
}
|
||||
}
|
||||
|
||||
void user_init(void)
|
||||
{
|
||||
uart_set_baud(0, 115200);
|
||||
printf("SDK version:%s\n", sdk_system_get_sdk_version());
|
||||
|
||||
struct sdk_station_config config = {
|
||||
.ssid = WIFI_SSID,
|
||||
.password = WIFI_PASS,
|
||||
};
|
||||
|
||||
/* required to call wifi_set_opmode before station_set_config */
|
||||
sdk_wifi_set_opmode(STATION_MODE);
|
||||
sdk_wifi_station_set_config(&config);
|
||||
|
||||
xTaskCreate(&tls_server_task, (signed char *)"server_task", 2048, NULL, 2, NULL);
|
||||
}
|
Loading…
Reference in a new issue