/* * Hello world example of a TLS client: fetch an HTTPS page * * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved * * This file is part of mbed TLS (https://tls.mbed.org) * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License along * with this program; if not, write to the Free Software Foundation, Inc., * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #if !defined(TARGET_LIKE_MBED) #include int main() { printf("this program only works on mbed OS\n"); return 0; } #else /** \file main.cpp * \brief An example TLS Client application * This application sends an HTTPS request to developer.mbed.org and searches for a string in * the result. * * This example is implemented as a logic class (HelloHTTPS) wrapping a TCP socket. * The logic class handles all events, leaving the main loop to just check if the process * has finished. */ /* Change to a number between 1 and 4 to debug the TLS connection */ #define DEBUG_LEVEL 0 /* Change to 1 to skip certificate verification (UNSAFE, for debug only!) */ #define UNSAFE 0 #include "mbed.h" #include "EthernetInterface.h" #include "mbed-net-sockets/TCPStream.h" #include "test_env.h" #include "minar/minar.h" #include "lwipv4_init.h" #include "mbedtls/ssl.h" #include "mbedtls/entropy.h" #include "mbedtls/ctr_drbg.h" #include "mbedtls/error.h" #if DEBUG_LEVEL > 0 #include "mbedtls/debug.h" #endif namespace { const char *HTTPS_SERVER_NAME = "developer.mbed.org"; const int HTTPS_SERVER_PORT = 443; const int RECV_BUFFER_SIZE = 600; const char HTTPS_PATH[] = "/media/uploads/mbed_official/hello.txt"; const size_t HTTPS_PATH_LEN = sizeof(HTTPS_PATH) - 1; /* Test related data */ const char *HTTPS_OK_STR = "200 OK"; const char *HTTPS_HELLO_STR = "Hello world!"; /* personalization string for the drbg */ const char *DRBG_PERS = "mbed TLS helloword client"; /* List of trusted root CA certificates * currently only GlobalSign, the CA for developer.mbed.org * * To add more than one root, just concatenate them. */ const char SSL_CA_PEM[] = /* GlobalSign Root R1 SHA1/RSA/2048 * Serial no. 04 00 00 00 00 01 15 4b 5a c3 94 */ "-----BEGIN CERTIFICATE-----\n" "MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG\n" "A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv\n" "b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAw\n" "MDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i\n" "YWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxT\n" "aWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaDuaZ\n" "jc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavp\n" "xy0Sy6scTHAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz8kHp\n" "1Wrjsok6Vjk4bwY8iGlbKk3Fp1S4bInMm/k8yuX9ifUSPJJ4ltbcdG6TRGHRjcdG\n" "snUOhugZitVtbNV4FpWi6cgKOOvyJBNPc1STE4U6G7weNLWLBYy5d4ux2x8gkasJ\n" "U26Qzns3dLlwR5EiUWMWea6xrkEmCMgZK9FGqkjWZCrXgzT/LCrBbBlDSgeF59N8\n" "9iFo7+ryUp9/k5DPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8E\n" "BTADAQH/MB0GA1UdDgQWBBRge2YaRQ2XyolQL30EzTSo//z9SzANBgkqhkiG9w0B\n" "AQUFAAOCAQEA1nPnfE920I2/7LqivjTFKDK1fPxsnCwrvQmeU79rXqoRSLblCKOz\n" "yj1hTdNGCbM+w6DjY1Ub8rrvrTnhQ7k4o+YviiY776BQVvnGCv04zcQLcFGUl5gE\n" "38NflNUVyRRBnMRddWQVDf9VMOyGj/8N7yy5Y0b2qvzfvGn9LhJIZJrglfCm7ymP\n" "AbEVtQwdpf5pLGkkeB6zpxxxYu7KyJesF12KwvhHhm4qxFYxldBniYUr+WymXUad\n" "DKqC5JlR3XC321Y9YeRq4VzW9v493kHMB65jUr9TU/Qr6cf9tveCX4XSQRjbgbME\n" "HMUfpIBvFSDJ3gyICh3WZlXi/EjJKSZp4A==\n" "-----END CERTIFICATE-----\n"; } using namespace mbed::Sockets::v0; /** * \brief HelloHTTPS implements the logic for fetching a file from a webserver * using a TCP socket and parsing the result. */ class HelloHTTPS { public: /** * HelloHTTPS Constructor * Initializes the TCP socket, sets up event handlers and flags. * * Note that CThunk is used for event handlers. This will be changed to a C++ * function pointer in an upcoming release. * * * @param[in] domain The domain name to fetch from * @param[in] port The port of the HTTPS server */ HelloHTTPS(const char * domain, const uint16_t port) : _stream(SOCKET_STACK_LWIP_IPV4), _domain(domain), _port(port) { _error = false; _gothello = false; _got200 = false; _bpos = 0; _request_sent = 0; _stream.open(SOCKET_AF_INET4); mbedtls_entropy_init(&_entropy); mbedtls_ctr_drbg_init(&_ctr_drbg); mbedtls_x509_crt_init(&_cacert); mbedtls_ssl_init(&_ssl); mbedtls_ssl_config_init(&_ssl_conf); } /** * Initiate the test. * * Starts by clearing test flags, then resolves the address with DNS. * * @param[in] path The path of the file to fetch from the HTTPS server * @return SOCKET_ERROR_NONE on success, or an error code on failure */ void startTest(const char *path) { /* Initialize the flags */ _got200 = false; _gothello = false; _error = false; _disconnected = false; _request_sent = false; /* Fill the request buffer */ _bpos = snprintf(_buffer, sizeof(_buffer) - 1, "GET %s HTTP/1.1\nHost: %s\n\n", path, HTTPS_SERVER_NAME); /* * Initialize TLS-related stuf. */ int ret; if ((ret = mbedtls_ctr_drbg_seed(&_ctr_drbg, mbedtls_entropy_func, &_entropy, (const unsigned char *) DRBG_PERS, sizeof (DRBG_PERS))) != 0) { print_mbedtls_error("mbedtls_crt_drbg_init", ret); _error = true; return; } if ((ret = mbedtls_x509_crt_parse(&_cacert, (const unsigned char *) SSL_CA_PEM, sizeof (SSL_CA_PEM))) != 0) { print_mbedtls_error("mbedtls_x509_crt_parse", ret); _error = true; return; } if ((ret = mbedtls_ssl_config_defaults(&_ssl_conf, MBEDTLS_SSL_IS_CLIENT, MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_PRESET_DEFAULT)) != 0) { print_mbedtls_error("mbedtls_ssl_config_defaults", ret); _error = true; return; } mbedtls_ssl_conf_ca_chain(&_ssl_conf, &_cacert, NULL); mbedtls_ssl_conf_rng(&_ssl_conf, mbedtls_ctr_drbg_random, &_ctr_drbg); #if UNSAFE mbedtls_ssl_conf_authmode(&_ssl_conf, MBEDTLS_SSL_VERIFY_OPTIONAL); #endif #if DEBUG_LEVEL > 0 mbedtls_ssl_conf_verify(&_ssl_conf, my_verify, NULL); mbedtls_ssl_conf_dbg(&_ssl_conf, my_debug, NULL); mbedtls_debug_set_threshold(DEBUG_LEVEL); #endif if ((ret = mbedtls_ssl_setup(&_ssl, &_ssl_conf)) != 0) { print_mbedtls_error("mbedtls_ssl_setup", ret); _error = true; return; } mbedtls_ssl_set_hostname(&_ssl, HTTPS_SERVER_NAME); mbedtls_ssl_set_bio(&_ssl, static_cast(&_stream), ssl_send, ssl_recv, NULL ); /* Connect to the server */ printf("Starting DNS lookup for %s\r\n", _domain); /* Resolve the domain name: */ socket_error_t err = _stream.resolve(_domain, TCPStream::DNSHandler_t(this, &HelloHTTPS::onDNS)); _stream.error_check(err); } /** * Check if the test has completed. * @return Returns true if done, false otherwise. */ bool done() { return _error || (_got200 && _gothello); } /** * Check if there was an error * @return Returns true if there was an error, false otherwise. */ bool error() { return _error; } /** * Closes the TCP socket */ void close() { _stream.close(); while (!_disconnected) __WFI(); } protected: /** * Helper for pretty-printing mbed TLS error codes */ static void print_mbedtls_error(const char *name, int err) { char buf[128]; mbedtls_strerror(err, buf, sizeof (buf)); printf("%s() failed: -0x%04x (%d): %s\r\n", name, -err, err, buf); } #if DEBUG_LEVEL > 0 /** * Debug callback for mbed TLS * Just prints on the USB serial port */ static void my_debug(void *ctx, int level, const char *file, int line, const char *str) { const char *p, *basename; (void) ctx; /* Extract basename from file */ for(p = basename = file; *p != '\0'; p++) { if(*p == '/' || *p == '\\') { basename = p + 1; } } printf("%s:%04d: |%d| %s", basename, line, level, str); } /** * Certificate verification callback for mbed TLS * Here we only use it to display information on each cert in the chain */ static int my_verify(void *data, mbedtls_x509_crt *crt, int depth, uint32_t *flags) { char buf[1024]; (void) data; printf("\nVerifying certificate at depth %d:\n", depth); mbedtls_x509_crt_info(buf, sizeof (buf) - 1, " ", crt); printf("%s", buf); if (*flags == 0) printf("No verification issue for this certificate\n"); else { mbedtls_x509_crt_verify_info(buf, sizeof (buf), " ! ", *flags); printf("%s\n", buf); } return 0; } #endif /** * Receive callback for mbed TLS */ static int ssl_recv(void *ctx, unsigned char *buf, size_t len) { TCPStream *stream = static_cast(ctx); socket_error_t err = stream->recv(buf, &len); if (err == SOCKET_ERROR_NONE) { return static_cast(len); } else if (err == SOCKET_ERROR_WOULD_BLOCK) { return MBEDTLS_ERR_SSL_WANT_READ; } else { return -1; } } /** * Send callback for mbed TLS */ static int ssl_send(void *ctx, const unsigned char *buf, size_t len) { TCPStream *stream = static_cast(ctx); socket_error_t err = stream->send(buf, len); if (err == SOCKET_ERROR_NONE) { return static_cast(len); } else if (err == SOCKET_ERROR_WOULD_BLOCK) { return MBEDTLS_ERR_SSL_WANT_WRITE; } else { return -1; } } void onError(Socket *s, socket_error_t err) { (void) s; printf("MBED: Socket Error: %s (%d)\r\n", socket_strerror(err), err); _stream.close(); _error = true; MBED_HOSTTEST_RESULT(false); } /** * On Connect handler * Starts the TLS handshake */ void onConnect(TCPStream *s) { char buf[16]; _remoteAddr.fmtIPv4(buf,sizeof(buf)); printf("Connected to %s:%d\r\n", buf, _port); s->setOnReadable(TCPStream::ReadableHandler_t(this, &HelloHTTPS::onReceive)); s->setOnDisconnect(TCPStream::DisconnectHandler_t(this, &HelloHTTPS::onDisconnect)); /* Start the handshake, the rest will be done in onReceive() */ printf("Starting the TLS handshake...\r\n"); int ret = mbedtls_ssl_handshake(&_ssl); if (ret < 0) { if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE) { print_mbedtls_error("mbedtls_ssl_handshake", ret); onError(s, SOCKET_ERROR_UNKNOWN); } return; } } /** * On Receive handler * Parses the response from the server, to check for the HTTPS 200 status code and the expected response ("Hello World!") */ void onReceive(Socket *s) { /* Send request if not done yet */ if (!_request_sent) { int ret = mbedtls_ssl_write(&_ssl, (const unsigned char *) _buffer, _bpos); if (ret < 0) { if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE) { print_mbedtls_error("mbedtls_ssl_write", ret); onError(s, SOCKET_ERROR_UNKNOWN); } return; } /* If we get here, the request was sent */ _request_sent = 1; /* It also means the handshake is done, time to print info */ printf("TLS connection to %s established\r\n", HTTPS_SERVER_NAME); { char buf[1024]; mbedtls_x509_crt_info(buf, sizeof(buf), "\r ", mbedtls_ssl_get_peer_cert(&_ssl)); printf("Server certificate:\r\n%s\r", buf); #if defined(UNSAFE) uint32_t flags = mbedtls_ssl_get_verify_result(&_ssl); if( flags != 0 ) { mbedtls_x509_crt_verify_info(buf, sizeof (buf), "\r ! ", flags); printf("Certificate verification failed:\r\n%s\r\r\n", buf); } else #endif printf("Certificate verification passed\r\n\r\n"); } } /* Read data out of the socket */ int ret = mbedtls_ssl_read(&_ssl, (unsigned char *) _buffer, sizeof(_buffer)); if (ret < 0) { if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE) { print_mbedtls_error("mbedtls_ssl_read", ret); onError(s, SOCKET_ERROR_UNKNOWN); } return; } _bpos = static_cast(ret); _buffer[_bpos] = 0; /* Check each of the flags */ _got200 = _got200 || strstr(_buffer, HTTPS_OK_STR) != NULL; _gothello = _gothello || strstr(_buffer, HTTPS_HELLO_STR) != NULL; /* Print status messages */ printf("HTTPS: Received %d chars from server\r\n", _bpos); printf("HTTPS: Received 200 OK status ... %s\r\n", _got200 ? "[OK]" : "[FAIL]"); printf("HTTPS: Received '%s' status ... %s\r\n", HTTPS_HELLO_STR, _gothello ? "[OK]" : "[FAIL]"); printf("HTTPS: Received message:\r\n\r\n"); printf("%s", _buffer); _error = !(_got200 && _gothello); s->close(); } /** * On DNS Handler * Reads the address returned by DNS, then starts the connect process. */ void onDNS(Socket *s, struct socket_addr addr, const char *domain) { /* Check that the result is a valid DNS response */ if (socket_addr_is_any(&addr)) { /* Could not find DNS entry */ printf("Could not find DNS entry for %s", HTTPS_SERVER_NAME); onError(s, SOCKET_ERROR_DNS_FAILED); } else { /* Start connecting to the remote host */ char buf[16]; _remoteAddr.setAddr(&addr); _remoteAddr.fmtIPv4(buf,sizeof(buf)); printf("DNS Response Received:\r\n%s: %s\r\n", domain, buf); printf("Connecting to %s:%d\r\n", buf, _port); socket_error_t err = _stream.connect(_remoteAddr, _port, TCPStream::ConnectHandler_t(this, &HelloHTTPS::onConnect)); if (err != SOCKET_ERROR_NONE) { onError(s, err); } } } void onDisconnect(TCPStream *s) { s->close(); MBED_HOSTTEST_RESULT(!error()); } protected: TCPStream _stream; /**< The TCP Socket */ const char *_domain; /**< The domain name of the HTTPS server */ const uint16_t _port; /**< The HTTPS server port */ char _buffer[RECV_BUFFER_SIZE]; /**< The response buffer */ size_t _bpos; /**< The current offset in the response buffer */ SocketAddr _remoteAddr; /**< The remote address */ volatile bool _got200; /**< Status flag for HTTPS 200 */ volatile bool _gothello; /**< Status flag for finding the test string */ volatile bool _error; /**< Status flag for an error */ volatile bool _disconnected; volatile bool _request_sent; mbedtls_entropy_context _entropy; mbedtls_ctr_drbg_context _ctr_drbg; mbedtls_x509_crt _cacert; mbedtls_ssl_context _ssl; mbedtls_ssl_config _ssl_conf; }; /** * The main loop of the HTTPS Hello World test */ EthernetInterface eth; HelloHTTPS *hello; void app_start(int, char*[]) { /* The default 9600 bps is too slow to print full TLS debug info and could * cause the other party to time out. Select a higher baud rate for * printf(), regardless of debug level for the sake of uniformity. */ Serial pc(USBTX, USBRX); pc.baud(115200); MBED_HOSTTEST_TIMEOUT(120); MBED_HOSTTEST_SELECT(default); MBED_HOSTTEST_DESCRIPTION(mbed TLS example HTTPS client); MBED_HOSTTEST_START("MBEDTLS_EX_HTTPS_CLIENT"); /* Initialise with DHCP, connect, and start up the stack */ eth.init(); eth.connect(); lwipv4_socket_init(); hello = new HelloHTTPS(HTTPS_SERVER_NAME, HTTPS_SERVER_PORT); printf("Client IP Address is %s\r\n", eth.getIPAddress()); mbed::FunctionPointer1 fp(hello, &HelloHTTPS::startTest); minar::Scheduler::postCallback(fp.bind(HTTPS_PATH)); } #endif /* TARGET_LIKE_MBED */