Support self signed certificates (#291)

* Support self signed certificates

Fix for https://github.com/espressif/arduino-esp32/issues/265

mbedtls_ssl_conf_authmode was defined before mbedtls_ssl_config_defaults causing several bugs when no CA certificate is defined.

* Implement Arduino's log facility

Replace printf by ESP log handling

* Remove \n from debug messages

log_ doesn't need \n to break line.
This commit is contained in:
copercini 2017-03-30 19:01:09 -03:00 committed by Me No Dev
parent fcbb3e7987
commit b46f1e2e3c

View File

@ -1,118 +1,55 @@
/* Provide SSL/TLS functions to ESP32 with Arduino IDE /* Provide SSL/TLS functions to ESP32 with Arduino IDE
* *
* Adapted from the ssl_client1 example in mbedtls. * Adapted from the ssl_client1 example of mbedtls.
* *
* Original Copyright (C) 2006-2015, ARM Limited, All Rights Reserved, Apache 2.0 License. * Original Copyright (C) 2006-2015, ARM Limited, All Rights Reserved, Apache 2.0 License.
* Additions Copyright (C) 2017 Evandro Luis Copercini, Apache 2.0 License. * Additions Copyright (C) 2017 Evandro Luis Copercini, Apache 2.0 License.
*/ */
#include "Arduino.h" #include "Arduino.h"
#include <esp32-hal-log.h>
#include <lwip/sockets.h> #include <lwip/sockets.h>
#include <lwip/err.h> #include <lwip/err.h>
#include <lwip/sockets.h> #include <lwip/sockets.h>
#include <lwip/sys.h> #include <lwip/sys.h>
#include <lwip/netdb.h> #include <lwip/netdb.h>
#include "ssl_client.h" #include "ssl_client.h"
const char *pers = "esp32-tls"; const char *pers = "esp32-tls";
#define DEBUG //Comment to supress debug messages
#ifdef DEBUG
#define DEBUG_PRINT(...) printf( __VA_ARGS__ )
#else
#define DEBUG_PRINT(x)
#endif
#ifdef CONFIG_MBEDTLS_DEBUG
#define MBEDTLS_DEBUG_LEVEL 4
/* mbedtls debug function that translates mbedTLS debug output
to ESP_LOGx debug output.
MBEDTLS_DEBUG_LEVEL 4 means all mbedTLS debug output gets sent here,
and then filtered to the ESP logging mechanism.
*/
static void mbedtls_debug(void *ctx, int level,
const char *file, int line,
const char *str)
{
const char *MBTAG = "mbedtls";
char *file_sep;
/* Shorten 'file' from the whole file path to just the filename
This is a bit wasteful because the macros are compiled in with
the full _FILE_ path in each case.
*/
file_sep = rindex(file, '/');
if (file_sep) {
file = file_sep + 1;
}
switch (level) {
case 1:
printf( "%s:%d %s \n", file, line, str);
break;
case 2:
case 3:
printf( "%s:%d %s \n", file, line, str);
case 4:
printf( "%s:%d %s \n", file, line, str);
break;
default:
printf( "Unexpected log level %d: %s \n", level, str);
break;
}
}
#endif
static int handle_error(int err) static int handle_error(int err)
{ {
#ifdef MBEDTLS_ERROR_C #ifdef MBEDTLS_ERROR_C
char error_buf[100]; char error_buf[100];
mbedtls_strerror(err, error_buf, 100); mbedtls_strerror(err, error_buf, 100);
printf("\n%s\n", error_buf); log_e("%s", error_buf);
#endif #endif
printf("\nMbedTLS message code: %d\n", err); log_e("MbedTLS message code: %d", err);
return err; return err;
} }
void ssl_init(sslclient_context *ssl_client) void ssl_init(sslclient_context *ssl_client)
{ {
/*
* Initialize the RNG and the session data
*/
mbedtls_ssl_init(&ssl_client->ssl_ctx); mbedtls_ssl_init(&ssl_client->ssl_ctx);
mbedtls_ssl_config_init(&ssl_client->ssl_conf); mbedtls_ssl_config_init(&ssl_client->ssl_conf);
mbedtls_ctr_drbg_init(&ssl_client->drbg_ctx); mbedtls_ctr_drbg_init(&ssl_client->drbg_ctx);
} }
int start_ssl_client(sslclient_context *ssl_client, uint32_t ipAddress, uint32_t port, const char *rootCABuff, const char *cli_cert, const char *cli_key) int start_ssl_client(sslclient_context *ssl_client, uint32_t ipAddress, uint32_t port, const char *rootCABuff, const char *cli_cert, const char *cli_key)
{ {
char buf[512]; char buf[512];
int ret, flags, len, timeout; int ret, flags, len, timeout;
int enable = 1; int enable = 1;
DEBUG_PRINT("Free heap before TLS %u\n", xPortGetFreeHeapSize()); log_i("Free heap before TLS %u", xPortGetFreeHeapSize());
log_i("Starting socket");
ssl_client->socket = -1; ssl_client->socket = -1;
ssl_client->socket = lwip_socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); ssl_client->socket = lwip_socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if (ssl_client->socket < 0) { if (ssl_client->socket < 0) {
printf("\r\nERROR opening socket\r\n"); log_e("ERROR opening socket");
return ssl_client->socket; return ssl_client->socket;
} }
@ -129,33 +66,35 @@ int start_ssl_client(sslclient_context *ssl_client, uint32_t ipAddress, uint32_t
lwip_setsockopt(ssl_client->socket, IPPROTO_TCP, TCP_NODELAY, &enable, sizeof(enable)); lwip_setsockopt(ssl_client->socket, IPPROTO_TCP, TCP_NODELAY, &enable, sizeof(enable));
lwip_setsockopt(ssl_client->socket, SOL_SOCKET, SO_KEEPALIVE, &enable, sizeof(enable)); lwip_setsockopt(ssl_client->socket, SOL_SOCKET, SO_KEEPALIVE, &enable, sizeof(enable));
} else { } else {
printf("\r\nConnect to Server failed!\r\n"); log_e("Connect to Server failed!");
return -1; return -1;
} }
fcntl( ssl_client->socket, F_SETFL, fcntl( ssl_client->socket, F_GETFL, 0 ) | O_NONBLOCK ); fcntl( ssl_client->socket, F_SETFL, fcntl( ssl_client->socket, F_GETFL, 0 ) | O_NONBLOCK );
log_i("Seeding the random number generator");
DEBUG_PRINT( "Seeding the random number generator\n");
mbedtls_entropy_init(&ssl_client->entropy_ctx); mbedtls_entropy_init(&ssl_client->entropy_ctx);
ret = mbedtls_ctr_drbg_seed(&ssl_client->drbg_ctx, mbedtls_entropy_func, ret = mbedtls_ctr_drbg_seed(&ssl_client->drbg_ctx, mbedtls_entropy_func,
&ssl_client->entropy_ctx, (const unsigned char *) pers, strlen(pers)); &ssl_client->entropy_ctx, (const unsigned char *) pers, strlen(pers));
if (ret < 0) { if (ret < 0) {
return handle_error(ret); return handle_error(ret);
} }
log_i("Setting up the SSL/TLS structure...");
if ((ret = mbedtls_ssl_config_defaults(&ssl_client->ssl_conf,
MBEDTLS_SSL_IS_CLIENT,
MBEDTLS_SSL_TRANSPORT_STREAM,
MBEDTLS_SSL_PRESET_DEFAULT)) != 0) {
return handle_error(ret);
}
/* MBEDTLS_SSL_VERIFY_REQUIRED if a CA certificate is defined on Arduino IDE and /* MBEDTLS_SSL_VERIFY_REQUIRED if a CA certificate is defined on Arduino IDE and
MBEDTLS_SSL_VERIFY_NONE if not. MBEDTLS_SSL_VERIFY_NONE if not.
*/ */
if (rootCABuff != NULL) { if (rootCABuff != NULL) {
DEBUG_PRINT( "Loading CA cert\n"); log_i("Loading CA cert");
mbedtls_x509_crt_init(&ssl_client->ca_cert); mbedtls_x509_crt_init(&ssl_client->ca_cert);
mbedtls_ssl_conf_authmode(&ssl_client->ssl_conf, MBEDTLS_SSL_VERIFY_REQUIRED); mbedtls_ssl_conf_authmode(&ssl_client->ssl_conf, MBEDTLS_SSL_VERIFY_REQUIRED);
ret = mbedtls_x509_crt_parse(&ssl_client->ca_cert, (const unsigned char *)rootCABuff, strlen(rootCABuff) + 1); ret = mbedtls_x509_crt_parse(&ssl_client->ca_cert, (const unsigned char *)rootCABuff, strlen(rootCABuff) + 1);
@ -163,35 +102,25 @@ int start_ssl_client(sslclient_context *ssl_client, uint32_t ipAddress, uint32_t
//mbedtls_ssl_conf_verify(&ssl_client->ssl_ctx, my_verify, NULL ); //mbedtls_ssl_conf_verify(&ssl_client->ssl_ctx, my_verify, NULL );
if (ret < 0) { if (ret < 0) {
return handle_error(ret); return handle_error(ret);
} }
} else { } else {
mbedtls_ssl_conf_authmode(&ssl_client->ssl_conf, MBEDTLS_SSL_VERIFY_NONE); mbedtls_ssl_conf_authmode(&ssl_client->ssl_conf, MBEDTLS_SSL_VERIFY_NONE);
log_i("WARNING: Use certificates for a more secure communication!");
} }
if (cli_cert != NULL && cli_key != NULL) { if (cli_cert != NULL && cli_key != NULL) {
mbedtls_x509_crt_init(&ssl_client->client_cert); mbedtls_x509_crt_init(&ssl_client->client_cert);
mbedtls_pk_init(&ssl_client->client_key); mbedtls_pk_init(&ssl_client->client_key);
DEBUG_PRINT( "Loading CRT cert\n"); log_i("Loading CRT cert");
ret = mbedtls_x509_crt_parse(&ssl_client->client_cert, (const unsigned char *)cli_cert, strlen(cli_cert) + 1); ret = mbedtls_x509_crt_parse(&ssl_client->client_cert, (const unsigned char *)cli_cert, strlen(cli_cert) + 1);
if (ret < 0) { if (ret < 0) {
return handle_error(ret); return handle_error(ret);
} }
DEBUG_PRINT( "Loading private key\n"); log_i("Loading private key");
ret = mbedtls_pk_parse_key(&ssl_client->client_key, (const unsigned char *)cli_key, strlen(cli_key) + 1, NULL, 0); ret = mbedtls_pk_parse_key(&ssl_client->client_key, (const unsigned char *)cli_key, strlen(cli_key) + 1, NULL, 0);
if (ret != 0) { if (ret != 0) {
return handle_error(ret); return handle_error(ret);
@ -203,48 +132,29 @@ int start_ssl_client(sslclient_context *ssl_client, uint32_t ipAddress, uint32_t
/* /*
// TODO: implement match CN verification // TODO: implement match CN verification
DEBUG_PRINT( "Setting hostname for TLS session...\n"); log_i("Setting hostname for TLS session...");
// Hostname set here should match CN in server certificate // Hostname set here should match CN in server certificate
if((ret = mbedtls_ssl_set_hostname(&ssl_client->ssl_ctx, host)) != 0) if((ret = mbedtls_ssl_set_hostname(&ssl_client->ssl_ctx, host)) != 0)
{ {
return handle_error(ret); return handle_error(ret);
} }
*/ */
DEBUG_PRINT( "Setting up the SSL/TLS structure...\n");
if ((ret = mbedtls_ssl_config_defaults(&ssl_client->ssl_conf,
MBEDTLS_SSL_IS_CLIENT,
MBEDTLS_SSL_TRANSPORT_STREAM,
MBEDTLS_SSL_PRESET_DEFAULT)) != 0) {
return handle_error(ret);
}
mbedtls_ssl_conf_rng(&ssl_client->ssl_conf, mbedtls_ctr_drbg_random, &ssl_client->drbg_ctx); mbedtls_ssl_conf_rng(&ssl_client->ssl_conf, mbedtls_ctr_drbg_random, &ssl_client->drbg_ctx);
#ifdef CONFIG_MBEDTLS_DEBUG
mbedtls_debug_set_threshold(MBEDTLS_DEBUG_LEVEL);
mbedtls_ssl_conf_dbg(&ssl_client->ssl_conf, mbedtls_debug, NULL);
#endif
if ((ret = mbedtls_ssl_setup(&ssl_client->ssl_ctx, &ssl_client->ssl_conf)) != 0) { if ((ret = mbedtls_ssl_setup(&ssl_client->ssl_ctx, &ssl_client->ssl_conf)) != 0) {
return handle_error(ret); return handle_error(ret);
} }
mbedtls_ssl_set_bio(&ssl_client->ssl_ctx, &ssl_client->socket, mbedtls_net_send, mbedtls_net_recv, NULL ); mbedtls_ssl_set_bio(&ssl_client->ssl_ctx, &ssl_client->socket, mbedtls_net_send, mbedtls_net_recv, NULL );
DEBUG_PRINT( "Performing the SSL/TLS handshake...\n"); log_i("Performing the SSL/TLS handshake...");
while ((ret = mbedtls_ssl_handshake(&ssl_client->ssl_ctx)) != 0) { while ((ret = mbedtls_ssl_handshake(&ssl_client->ssl_ctx)) != 0) {
if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE && ret != -76) { if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE && ret != -76) { //workaround for bug: https://github.com/espressif/esp-idf/issues/434
return handle_error(ret); return handle_error(ret);
} }
delay(10); delay(10);
vPortYield(); vPortYield();
@ -252,32 +162,28 @@ int start_ssl_client(sslclient_context *ssl_client, uint32_t ipAddress, uint32_t
if (cli_cert != NULL && cli_key != NULL) { if (cli_cert != NULL && cli_key != NULL) {
DEBUG_PRINT("Protocol is %s \nCiphersuite is %s\n", mbedtls_ssl_get_version(&ssl_client->ssl_ctx), mbedtls_ssl_get_ciphersuite(&ssl_client->ssl_ctx)); log_i("Protocol is %s Ciphersuite is %s", mbedtls_ssl_get_version(&ssl_client->ssl_ctx), mbedtls_ssl_get_ciphersuite(&ssl_client->ssl_ctx));
if ((ret = mbedtls_ssl_get_record_expansion(&ssl_client->ssl_ctx)) >= 0) { if ((ret = mbedtls_ssl_get_record_expansion(&ssl_client->ssl_ctx)) >= 0) {
DEBUG_PRINT("Record expansion is %d\n", ret); log_i("Record expansion is %d", ret);
} else { } else {
DEBUG_PRINT("Record expansion is unknown (compression)\n"); log_i("Record expansion is unknown (compression)");
} }
} }
log_i("Verifying peer X.509 certificate...");
DEBUG_PRINT( "Verifying peer X.509 certificate...\n");
if ((flags = mbedtls_ssl_get_verify_result(&ssl_client->ssl_ctx)) != 0) { if ((flags = mbedtls_ssl_get_verify_result(&ssl_client->ssl_ctx)) != 0) {
printf( "Failed to verify peer certificate!\n"); log_e("Failed to verify peer certificate!");
bzero(buf, sizeof(buf)); bzero(buf, sizeof(buf));
mbedtls_x509_crt_verify_info(buf, sizeof(buf), " ! ", flags); mbedtls_x509_crt_verify_info(buf, sizeof(buf), " ! ", flags);
printf( "verification info: %s\n", buf); log_e("verification info: %s", buf);
stop_ssl_socket(ssl_client, rootCABuff, cli_cert, cli_key); //It's not safe continue. stop_ssl_socket(ssl_client, rootCABuff, cli_cert, cli_key); //It's not safe continue.
return handle_error(ret); return handle_error(ret);
} else { } else {
DEBUG_PRINT( "Certificate verified.\n"); log_i("Certificate verified.");
} }
log_i("Free heap after TLS %u", xPortGetFreeHeapSize());
DEBUG_PRINT("Free heap after TLS %u\n", xPortGetFreeHeapSize());
return ssl_client->socket; return ssl_client->socket;
} }
@ -285,7 +191,7 @@ int start_ssl_client(sslclient_context *ssl_client, uint32_t ipAddress, uint32_t
void stop_ssl_socket(sslclient_context *ssl_client, const char *rootCABuff, const char *cli_cert, const char *cli_key) void stop_ssl_socket(sslclient_context *ssl_client, const char *rootCABuff, const char *cli_cert, const char *cli_key)
{ {
DEBUG_PRINT( "\nCleaning SSL connection.\n"); log_i("Cleaning SSL connection.");
if (ssl_client->socket >= 0) { if (ssl_client->socket >= 0) {
close(ssl_client->socket); close(ssl_client->socket);
@ -313,13 +219,12 @@ void stop_ssl_socket(sslclient_context *ssl_client, const char *rootCABuff, cons
int data_to_read(sslclient_context *ssl_client) int data_to_read(sslclient_context *ssl_client)
{ {
int ret, res; int ret, res;
ret = mbedtls_ssl_read(&ssl_client->ssl_ctx, NULL, 0); ret = mbedtls_ssl_read(&ssl_client->ssl_ctx, NULL, 0);
//printf("RET: %i\n",ret); //for low level debug //log_e("RET: %i",ret); //for low level debug
res = mbedtls_ssl_get_bytes_avail(&ssl_client->ssl_ctx); res = mbedtls_ssl_get_bytes_avail(&ssl_client->ssl_ctx);
//printf("RES: %i\n",res); //log_e("RES: %i",res);
if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE && ret < 0 && ret != -76) { //RC:76 sockets is not connected if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE && ret < 0 && ret != -76) {
return handle_error(ret); return handle_error(ret);
} }
@ -327,33 +232,30 @@ int data_to_read(sslclient_context *ssl_client)
} }
int send_ssl_data(sslclient_context *ssl_client, const uint8_t *data, uint16_t len) int send_ssl_data(sslclient_context *ssl_client, const uint8_t *data, uint16_t len)
{ {
//DEBUG_PRINT( "Writing HTTP request...\n"); //for low level debug //log_i("Writing HTTP request..."); //for low level debug
int ret = -1; int ret = -1;
while ((ret = mbedtls_ssl_write(&ssl_client->ssl_ctx, data, len)) <= 0) { while ((ret = mbedtls_ssl_write(&ssl_client->ssl_ctx, data, len)) <= 0) {
if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE && ret != -76) { //RC:76 sockets is not connected if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE && ret != -76) {
return handle_error(ret); return handle_error(ret);
} }
} }
len = ret; len = ret;
//DEBUG_PRINT( "%d bytes written\n", len); //for low level debug //log_i("%d bytes written", len); //for low level debug
return ret; return ret;
} }
int get_ssl_receive(sslclient_context *ssl_client, uint8_t *data, int length) int get_ssl_receive(sslclient_context *ssl_client, uint8_t *data, int length)
{ {
//DEBUG_PRINT( "Reading HTTP response...\n"); //for low level debug //log_i( "Reading HTTP response..."); //for low level debug
int ret = -1; int ret = -1;
ret = mbedtls_ssl_read(&ssl_client->ssl_ctx, data, length); ret = mbedtls_ssl_read(&ssl_client->ssl_ctx, data, length);
//DEBUG_PRINT( "%d bytes readed\n", ret); //for low level debug //log_i( "%d bytes readed", ret); //for low level debug
return ret; return ret;
} }