authorCarl Lundin <53273776+lundinc2@users.noreply.github.com>2021-02-04 16:17:34 -0800
committerGitHub <noreply@github.com>2021-02-04 16:17:34 -0800
commita78cb45d125e425163e231e7f2b98722c82b92c6 (patch)
treeee536e151bed5d32cf8276a41e0275c472b5097f
parentdfdf2ddf1f5c0fd338f985e97ba0af3603526426 (diff)
downloadfreertos-git-a78cb45d125e425163e231e7f2b98722c82b92c6.tar.gz
Minor changes to wolfSSL MQTT demo files (#493)
* Clean up demo config for wolfSSL mutual auth. * Add comment about picking the correct root CA. * Run uncrustify on using_wolfSSL.c and make some other code style changes. * Apply suggestions from code review Co-authored-by: Archit Aggarwal <architag@amazon.com>
-rw-r--r--FreeRTOS-Plus/Demo/coreMQTT_Windows_Simulator/MQTT_Mutual_Auth_wolfSSL/demo_config.h39
-rw-r--r--FreeRTOS-Plus/Source/Application-Protocols/network_transport/freertos_plus_tcp/using_wolfSSL/using_wolfSSL.c249
2 files changed, 153 insertions, 135 deletions
diff --git a/FreeRTOS-Plus/Demo/coreMQTT_Windows_Simulator/MQTT_Mutual_Auth_wolfSSL/demo_config.h b/FreeRTOS-Plus/Demo/coreMQTT_Windows_Simulator/MQTT_Mutual_Auth_wolfSSL/demo_config.h
index d100e0dd7..6ce7f3828 100644
--- a/FreeRTOS-Plus/Demo/coreMQTT_Windows_Simulator/MQTT_Mutual_Auth_wolfSSL/demo_config.h
+++ b/FreeRTOS-Plus/Demo/coreMQTT_Windows_Simulator/MQTT_Mutual_Auth_wolfSSL/demo_config.h
@@ -76,7 +76,7 @@ extern void vLoggingPrintf(const char* pcFormatString,
*
* #define democonfigCLIENT_IDENTIFIER "insert here."
*/
-#define democonfigCLIENT_IDENTIFIER "demoDevice"
+
/**
* @brief Endpoint of the MQTT broker to connect to.
*
@@ -91,7 +91,7 @@ extern void vLoggingPrintf(const char* pcFormatString,
*
* #define democonfigMQTT_BROKER_ENDPOINT "...insert here..."
*/
-#define democonfigMQTT_BROKER_ENDPOINT "...insert here..."
+
/**
* @brief The port to use for the demo.
*
@@ -102,7 +102,7 @@ extern void vLoggingPrintf(const char* pcFormatString,
*
* #define democonfigMQTT_BROKER_PORT "...insert here..."
*/
-#define democonfigMQTT_BROKER_PORT 8883
+
/**
* @brief Server's root CA certificate.
*
@@ -111,16 +111,19 @@ extern void vLoggingPrintf(const char* pcFormatString,
* in the link below.
* https://docs.aws.amazon.com/iot/latest/developerguide/server-authentication.html#server-authentication-certs
*
- * @note This certificate should be PEM-encoded.
*
- * Must include the PEM header and footer:
- * "-----BEGIN CERTIFICATE-----\n"\
- * "...base64 data...\n"\
- * "-----END CERTIFICATE-----\n"
+ * @note This certificate should be PEM-encoded.
+ * @note Define the path to the certificate, do not copy and paste the certificate
+ * contents to this macro.
+ * @warning If wolfSSL cannot verify the peer when connecting to AWS IoT, try
+ * using the root CA of Starfield Services found at
+ * https://www.amazontrust.com/repository/SFSRootCAG2.pem.
+ * wolfSSL requires that the whole CA certificate chain is trusted. AWS
+ * certificates are cross signed by this CA.
*
* #define democonfigROOT_CA_PEM "...insert here..."
*/
-#define democonfigROOT_CA_PEM "...insert here..."
+
/**
* @brief Client certificate.
*
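Review bot: The new @warning (L61-L65) tells the reader to trust the Starfield Services Root CA G2 without saying what that implies: that root anchors far more than AWS IoT, so once it is loaded any server certificate chaining to it passes CA validation and only a hostname check ties the session to the configured endpoint. I would spell out the reason and the consequence, e.g. `@warning wolfSSL validates the presented chain up to its topmost certificate; AWS IoT endpoints present a chain cross-signed by Starfield Services Root CA G2, so that root (https://www.amazontrust.com/repository/SFSRootCAG2.pem) must be among the trusted CAs.` followed by `Trusting a public root this broad identifies the broker only if the endpoint hostname is also verified by the transport.` The @note at L59-L60 now asks for a path, yet the macro is still named democonfigROOT_CA_PEM and the example value reads `"...insert here..."`; `@note Set this macro to the filesystem path of a PEM-encoded CA file; the wolfSSL transport passes it to wolfSSL_CTX_load_verify_locations() at connect time.` would remove the ambiguity between file contents and file path.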
@@ -129,15 +132,12 @@ extern void vLoggingPrintf(const char* pcFormatString,
* https://docs.aws.amazon.com/iot/latest/developerguide/client-authentication.html
*
* @note This certificate should be PEM-encoded.
- *
- * Must include the PEM header and footer:
- * "-----BEGIN CERTIFICATE-----\n"\
- * "...base64 data...\n"\
- * "-----END CERTIFICATE-----\n"
+ * @note Define the path to the certificate, do not copy and paste the certificate
+ * contents to this macro.
*
* #define democonfigCLIENT_CERTIFICATE_PEM "...insert here..."
*/
-#define democonfigCLIENT_CERTIFICATE_PEM "...insert here..."
+
/**
* @brief Client's private key.
*
@@ -146,15 +146,12 @@ extern void vLoggingPrintf(const char* pcFormatString,
* https://docs.aws.amazon.com/iot/latest/developerguide/client-authentication.html
*
* @note This private key should be PEM-encoded.
- *
- * Must include the PEM header and footer:
- * "-----BEGIN RSA PRIVATE KEY-----\n"\
- * "...base64 data...\n"\
- * "-----END RSA PRIVATE KEY-----\n"
+ * @note define the path to the certificate, do not copy and paste the certificate
+ * contents to this macro.
*
* #define democonfigCLIENT_PRIVATE_KEY_PEM "...insert here..."
*/
-#define democonfigCLIENT_PRIVATE_KEY_PEM "...insert here..."
+
/**
* @brief Set the stack size of the main demo task.
*
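Review bot: The @note added at L102-L103 is copied from the certificate macros and still says `define the path to the certificate`, although this macro (democonfigCLIENT_PRIVATE_KEY_PEM, @brief "Client's private key.") holds the private key; the lowercase `define` also differs from the two sibling notes. I would write `@note Define the path to the private key file; do not copy and paste the key contents into this macro.` Since the key now lives as a plaintext file on the host, a one-line caveat is worth adding here: `@warning Keep this file out of version control and readable only by the user running the demo; anyone who can read it can authenticate as this device.`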
diff --git a/FreeRTOS-Plus/Source/Application-Protocols/network_transport/freertos_plus_tcp/using_wolfSSL/using_wolfSSL.c b/FreeRTOS-Plus/Source/Application-Protocols/network_transport/freertos_plus_tcp/using_wolfSSL/using_wolfSSL.c
index 9d606d6c1..9a6d60b07 100644
--- a/FreeRTOS-Plus/Source/Application-Protocols/network_transport/freertos_plus_tcp/using_wolfSSL/using_wolfSSL.c
+++ b/FreeRTOS-Plus/Source/Application-Protocols/network_transport/freertos_plus_tcp/using_wolfSSL/using_wolfSSL.c
@@ -86,51 +86,59 @@ static TlsTransportStatus_t tlsSetup( NetworkContext_t * pNetworkContext,
*
* @return #TLS_TRANSPORT_SUCCESS, #TLS_TRANSPORT_INSUFFICIENT_MEMORY, or #TLS_TRANSPORT_INTERNAL_ERROR.
*/
-static TlsTransportStatus_t initTLS(void);
+static TlsTransportStatus_t initTLS( void );
/*
-* @brief Receive date from the socket passed as the context
-*
-* @param[in] ssl WOLFSSL object.
-* @param[in] buf Buffer for received data
-* @param[in] sz Size to receive
-* @param[in] context Socket to be received from
-*
-* @return received size( > 0 ), #WOLFSSL_CBIO_ERR_CONN_CLOSE, #WOLFSSL_CBIO_ERR_WANT_READ.
-*/
-static int wolfSSL_IORecvGlue(WOLFSSL* ssl, char* buf, int sz, void* context);
+ * @brief Receive date from the socket passed as the context
+ *
+ * @param[in] ssl WOLFSSL object.
+ * @param[in] buf Buffer for received data
+ * @param[in] sz Size to receive
+ * @param[in] context Socket to be received from
+ *
+ * @return received size( > 0 ), #WOLFSSL_CBIO_ERR_CONN_CLOSE, #WOLFSSL_CBIO_ERR_WANT_READ.
+ */
+static int wolfSSL_IORecvGlue( WOLFSSL * ssl,
+ char * buf,
+ int sz,
+ void * context );
/*
-* @brief Send date to the socket passed as the context
-*
-* @param[in] ssl WOLFSSL object.
-* @param[in] buf Buffer for data to be sent
-* @param[in] sz Size to send
-* @param[in] context Socket to be sent to
-*
-* @return received size( > 0 ), #WOLFSSL_CBIO_ERR_CONN_CLOSE, #WOLFSSL_CBIO_ERR_WANT_WRITE.
-*/
-static int wolfSSL_IOSendGlue(WOLFSSL* ssl, char* buf, int sz, void* context);
+ * @brief Send date to the socket passed as the context
+ *
+ * @param[in] ssl WOLFSSL object.
+ * @param[in] buf Buffer for data to be sent
+ * @param[in] sz Size to send
+ * @param[in] context Socket to be sent to
+ *
+ * @return received size( > 0 ), #WOLFSSL_CBIO_ERR_CONN_CLOSE, #WOLFSSL_CBIO_ERR_WANT_WRITE.
+ */
+static int wolfSSL_IOSendGlue( WOLFSSL * ssl,
+ char * buf,
+ int sz,
+ void * context );
/*-----------------------------------------------------------*/
-static int wolfSSL_IORecvGlue(WOLFSSL* ssl, char* buf, int sz, void* context)
+static int wolfSSL_IORecvGlue( WOLFSSL * ssl,
+ char * buf,
+ int sz,
+ void * context )
{
- ( void )ssl; /* to prevent unused warning*/
+ ( void ) ssl; /* to prevent unused warning*/
+ BaseType_t read = 0;
- Socket_t xSocket = (Socket_t)context;
+ Socket_t xSocket = ( Socket_t ) context;
- BaseType_t read;
-
- read = FreeRTOS_recv(xSocket, (void*)buf, (size_t)sz, 0);
+ read = FreeRTOS_recv( xSocket, ( void * ) buf, ( size_t ) sz, 0 );
- if ((read == 0 ) ||
- (read == -pdFREERTOS_ERRNO_EWOULDBLOCK))
+ if( ( read == 0 ) ||
+ ( read == -pdFREERTOS_ERRNO_EWOULDBLOCK ) )
{
read = WOLFSSL_CBIO_ERR_WANT_READ;
}
- else if (read == -pdFREERTOS_ERRNO_ENOTCONN)
+ else if( read == -pdFREERTOS_ERRNO_ENOTCONN )
{
read = WOLFSSL_CBIO_ERR_CONN_CLOSE;
}
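Review bot: The reflowed comment blocks keep two wording errors from the old side: `@brief Receive date from the socket` (L133) and `@brief Send date to the socket` (L157) should read `data`, and the send glue's `@return received size( > 0 )` (L164) describes the wrong direction and should be `@return sent size( > 0 ), #WOLFSSL_CBIO_ERR_CONN_CLOSE, #WOLFSSL_CBIO_ERR_WANT_WRITE.` Both @return lines would also be more honest if they mentioned that any FreeRTOS errno the function does not translate is returned as-is, since that is what wolfSSL actually receives; the else branch of wolfSSL_IORecvGlue that does this lies past the end of this hunk.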
@@ -138,23 +146,25 @@ static int wolfSSL_IORecvGlue(WOLFSSL* ssl, char* buf, int sz, void* context)
{
/* do nothing */
}
- return (int)read;
+
+ return ( int ) read;
}
/*-----------------------------------------------------------*/
-static int wolfSSL_IOSendGlue(WOLFSSL* ssl, char* buf, int sz, void* context)
+static int wolfSSL_IOSendGlue( WOLFSSL * ssl,
+ char * buf,
+ int sz,
+ void * context )
{
- ( void )ssl; /* to prevent unused warning*/
-
- Socket_t xSocket = (Socket_t)context;
+ ( void ) ssl; /* to prevent unused warning*/
+ Socket_t xSocket = ( Socket_t ) context;
+ BaseType_t sent = FreeRTOS_send( xSocket, ( void * ) buf, ( size_t ) sz, 0 );
- BaseType_t sent = FreeRTOS_send(xSocket, (void*)buf, (size_t)sz, 0);
-
- if ( sent == -pdFREERTOS_ERRNO_EWOULDBLOCK )
+ if( sent == -pdFREERTOS_ERRNO_EWOULDBLOCK )
{
sent = WOLFSSL_CBIO_ERR_WANT_WRITE;
}
- else if ( sent == -pdFREERTOS_ERRNO_ENOTCONN )
+ else if( sent == -pdFREERTOS_ERRNO_ENOTCONN )
{
sent = WOLFSSL_CBIO_ERR_CONN_CLOSE;
}
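Review bot: The `/* do nothing */` else at L199-L201 hands whatever negative FreeRTOS errno FreeRTOS_recv produced straight to wolfSSL, which interprets negative callback results as its own WOLFSSL_CBIO_ERR_* codes (in the wolfSSL headers I know, GENERAL is -1, WANT_READ -2, WANT_WRITE -3, CONN_RST -4, ISR -5, CONN_CLOSE -6, TIMEOUT -7); only EWOULDBLOCK and ENOTCONN are translated (L188-L197 for recv, L222-L229 for send). If pdFREERTOS_ERRNO_EINTR is 4 as in projdefs.h, an interrupted receive would thus be reported to wolfSSL as a connection reset, and other errnos land on undefined codes. I would make the fall-through explicit with `read = WOLFSSL_CBIO_ERR_GENERAL;` in the recv else, and `sent = WOLFSSL_CBIO_ERR_GENERAL;` in the matching else of wolfSSL_IOSendGlue, which continues past this hunk, optionally logging the original errno first.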
@@ -162,138 +172,137 @@ static int wolfSSL_IOSendGlue(WOLFSSL* ssl, char* buf, int sz, void* context)
{
/* do nothing */
}
- return (int)sent;
+
+ return ( int ) sent;
}
/*-----------------------------------------------------------*/
-static TlsTransportStatus_t initTLS(void)
+static TlsTransportStatus_t initTLS( void )
{
/* initialize wolfSSL */
wolfSSL_Init();
-#ifdef DEBUG_WOLFSSL
- wolfSSL_Debugging_ON();
-#endif
+ #ifdef DEBUG_WOLFSSL
+ wolfSSL_Debugging_ON();
+ #endif
return TLS_TRANSPORT_SUCCESS;
}
/*-----------------------------------------------------------*/
-static TlsTransportStatus_t tlsSetup(NetworkContext_t* pNetCtx,
- const char* pHostName,
- const NetworkCredentials_t* pNetCred )
+static TlsTransportStatus_t tlsSetup( NetworkContext_t * pNetCtx,
+ const char * pHostName,
+ const NetworkCredentials_t * pNetCred )
{
TlsTransportStatus_t returnStatus = TLS_TRANSPORT_SUCCESS;
-
- /*char errString[80];*/
-
- configASSERT(pNetCtx != NULL);
- configASSERT(pHostName != NULL);
- configASSERT(pNetCred != NULL);
- configASSERT(pNetCred->pRootCa != NULL);
- configASSERT(pNetCtx->tcpSocket != NULL);
+ Socket_t xSocket = { 0 };
+ configASSERT( pNetCtx != NULL );
+ configASSERT( pHostName != NULL );
+ configASSERT( pNetCred != NULL );
+ configASSERT( pNetCred->pRootCa != NULL );
+ configASSERT( pNetCtx->tcpSocket != NULL );
- if (pNetCtx->sslContext.ctx == NULL )
+ if( pNetCtx->sslContext.ctx == NULL )
{
/* Attempt to create a context that uses the TLS 1.3 or 1.2 */
pNetCtx->sslContext.ctx =
wolfSSL_CTX_new( wolfSSLv23_client_method_ex( NULL ) );
}
- if (pNetCtx->sslContext.ctx != NULL )
+ if( pNetCtx->sslContext.ctx != NULL )
{
/* attempt to load ca cert file, client cert file and client private key file */
if( wolfSSL_CTX_load_verify_locations( pNetCtx->sslContext.ctx,
- (const char*)(pNetCred->pRootCa), NULL) == SSL_SUCCESS )
+ ( const char * ) ( pNetCred->pRootCa ), NULL ) == SSL_SUCCESS )
{
- if( wolfSSL_CTX_use_certificate_file(pNetCtx->sslContext.ctx,
- (const char*)(pNetCred->pClientCert), SSL_FILETYPE_PEM)
- == SSL_SUCCESS )
+ if( wolfSSL_CTX_use_certificate_file( pNetCtx->sslContext.ctx,
+ ( const char * ) ( pNetCred->pClientCert ), SSL_FILETYPE_PEM )
+ == SSL_SUCCESS )
{
- if ( wolfSSL_CTX_use_PrivateKey_file(pNetCtx->sslContext.ctx,
- (const char*)(pNetCred->pPrivateKey), SSL_FILETYPE_PEM)
- == SSL_SUCCESS)
+ if( wolfSSL_CTX_use_PrivateKey_file( pNetCtx->sslContext.ctx,
+ ( const char * ) ( pNetCred->pPrivateKey ), SSL_FILETYPE_PEM )
+ == SSL_SUCCESS )
{
/* create a ssl object */
- pNetCtx->sslContext.ssl =
- wolfSSL_new(pNetCtx->sslContext.ctx);
+ pNetCtx->sslContext.ssl =
+ wolfSSL_new( pNetCtx->sslContext.ctx );
- if (pNetCtx->sslContext.ssl != NULL)
+ if( pNetCtx->sslContext.ssl != NULL )
{
- Socket_t xSocket = pNetCtx->tcpSocket;
+ xSocket = pNetCtx->tcpSocket;
/* set Recv/Send glue functions to the WOLFSSL object */
- wolfSSL_SSLSetIORecv(pNetCtx->sslContext.ssl,
- wolfSSL_IORecvGlue);
- wolfSSL_SSLSetIOSend(pNetCtx->sslContext.ssl,
- wolfSSL_IOSendGlue);
+ wolfSSL_SSLSetIORecv( pNetCtx->sslContext.ssl,
+ wolfSSL_IORecvGlue );
+ wolfSSL_SSLSetIOSend( pNetCtx->sslContext.ssl,
+ wolfSSL_IOSendGlue );
/* set socket as a context of read/send glue funcs */
- wolfSSL_SetIOReadCtx(pNetCtx->sslContext.ssl, xSocket);
- wolfSSL_SetIOWriteCtx(pNetCtx->sslContext.ssl, xSocket);
+ wolfSSL_SetIOReadCtx( pNetCtx->sslContext.ssl, xSocket );
+ wolfSSL_SetIOWriteCtx( pNetCtx->sslContext.ssl, xSocket );
/* let wolfSSL perform tls handshake */
- if (wolfSSL_connect(pNetCtx->sslContext.ssl)
- == SSL_SUCCESS)
+ if( wolfSSL_connect( pNetCtx->sslContext.ssl )
+ == SSL_SUCCESS )
{
returnStatus = TLS_TRANSPORT_SUCCESS;
}
else
{
- wolfSSL_shutdown(pNetCtx->sslContext.ssl);
- wolfSSL_free(pNetCtx->sslContext.ssl);
+ wolfSSL_shutdown( pNetCtx->sslContext.ssl );
+ wolfSSL_free( pNetCtx->sslContext.ssl );
pNetCtx->sslContext.ssl = NULL;
- wolfSSL_CTX_free(pNetCtx->sslContext.ctx);
+ wolfSSL_CTX_free( pNetCtx->sslContext.ctx );
pNetCtx->sslContext.ctx = NULL;
- LogError(("Failed to establish a TLS connection"));
+ LogError( ( "Failed to establish a TLS connection" ) );
returnStatus = TLS_TRANSPORT_HANDSHAKE_FAILED;
}
}
else
{
- wolfSSL_CTX_free(pNetCtx->sslContext.ctx);
+ wolfSSL_CTX_free( pNetCtx->sslContext.ctx );
pNetCtx->sslContext.ctx = NULL;
- LogError(("Failed to create wolfSSL object"));
+ LogError( ( "Failed to create wolfSSL object" ) );
returnStatus = TLS_TRANSPORT_INTERNAL_ERROR;
}
}
else
{
- wolfSSL_CTX_free(pNetCtx->sslContext.ctx);
+ wolfSSL_CTX_free( pNetCtx->sslContext.ctx );
pNetCtx->sslContext.ctx = NULL;
- LogError(("Failed to load client-private-key file"));
+ LogError( ( "Failed to load client-private-key file" ) );
returnStatus = TLS_TRANSPORT_INVALID_CREDENTIALS;
}
}
else
{
- wolfSSL_CTX_free(pNetCtx->sslContext.ctx);
+ wolfSSL_CTX_free( pNetCtx->sslContext.ctx );
pNetCtx->sslContext.ctx = NULL;
- LogError(("Failed to load client-certificate file"));
+ LogError( ( "Failed to load client-certificate file" ) );
returnStatus = TLS_TRANSPORT_INVALID_CREDENTIALS;
}
}
else
{
- wolfSSL_CTX_free(pNetCtx->sslContext.ctx);
+ wolfSSL_CTX_free( pNetCtx->sslContext.ctx );
pNetCtx->sslContext.ctx = NULL;
- LogError(("Failed to load ca-certificate file"));
+ LogError( ( "Failed to load ca-certificate file" ) );
returnStatus = TLS_TRANSPORT_INVALID_CREDENTIALS;
}
}
else
{
- LogError(("Failed to create a wolfSSL_CTX"));
+ LogError( ( "Failed to create a wolfSSL_CTX" ) );
returnStatus = TLS_TRANSPORT_CONNECT_FAILURE;
}
-
+
return returnStatus;
}
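Review bot: tlsSetup asserts pHostName is non-NULL (L272) and then never uses it: the code loads the CA, creates the WOLFSSL object, installs the I/O glue and calls wolfSSL_connect (L332) without ever calling wolfSSL_check_domain_name(), so the server certificate is checked for a trusted issuer but not for matching the broker endpoint, and any certificate chaining to the configured root (the demo_config.h change in this same commit recommends the widely used Starfield root) would be accepted. I would bind the session to the endpoint before the handshake and, on failure, release the WOLFSSL and WOLFSSL_CTX objects exactly as the handshake-failure branch does. Separately, the comment at L279 promises "TLS 1.3 or 1.2", but wolfSSLv23_client_method_ex() negotiates whatever the library build allows; if older versions are compiled in, `wolfSSL_CTX_SetMinVersion( pNetCtx->sslContext.ctx, WOLFSSL_TLSV1_2 )` after wolfSSL_CTX_new() would make the comment true.
```c
                        /* set socket as a context of read/send glue funcs */
                        wolfSSL_SetIOReadCtx( pNetCtx->sslContext.ssl, xSocket );
                        wolfSSL_SetIOWriteCtx( pNetCtx->sslContext.ssl, xSocket );

                        /* Bind the session to the configured endpoint so the
                         * server certificate must match pHostName, not merely
                         * chain to a trusted CA. */
                        if( wolfSSL_check_domain_name( pNetCtx->sslContext.ssl,
                                                       pHostName ) != SSL_SUCCESS )
                        {
                            wolfSSL_free( pNetCtx->sslContext.ssl );
                            pNetCtx->sslContext.ssl = NULL;
                            wolfSSL_CTX_free( pNetCtx->sslContext.ctx );
                            pNetCtx->sslContext.ctx = NULL;
                            LogError( ( "Failed to set expected server name" ) );
                            returnStatus = TLS_TRANSPORT_INTERNAL_ERROR;
                        }
                        /* let wolfSSL perform tls handshake */
                        else if( wolfSSL_connect( pNetCtx->sslContext.ssl )
                                 == SSL_SUCCESS )
                        {
                            returnStatus = TLS_TRANSPORT_SUCCESS;
                        }
                        /* … unchanged: handshake-failure cleanup branch … */
```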
@@ -311,7 +320,7 @@ TlsTransportStatus_t TLS_FreeRTOS_Connect( NetworkContext_t * pNetworkContext,
{
TlsTransportStatus_t returnStatus = TLS_TRANSPORT_SUCCESS;
BaseType_t socketStatus = 0;
-
+
if( ( pNetworkContext == NULL ) ||
( pHostName == NULL ) ||
@@ -350,7 +359,7 @@ TlsTransportStatus_t TLS_FreeRTOS_Connect( NetworkContext_t * pNetworkContext,
/* Initialize tls. */
if( returnStatus == TLS_TRANSPORT_SUCCESS )
- {
+ {
returnStatus = initTLS();
}
@@ -382,21 +391,23 @@ TlsTransportStatus_t TLS_FreeRTOS_Connect( NetworkContext_t * pNetworkContext,
void TLS_FreeRTOS_Disconnect( NetworkContext_t * pNetworkContext )
{
- WOLFSSL* pSsl = pNetworkContext->sslContext.ssl;
+ WOLFSSL * pSsl = pNetworkContext->sslContext.ssl;
+ WOLFSSL_CTX * pCtx = NULL;
/* shutdown an active TLS connection */
- wolfSSL_shutdown(pSsl);
+ wolfSSL_shutdown( pSsl );
/* cleanup WOLFSSL object */
- wolfSSL_free(pSsl);
+ wolfSSL_free( pSsl );
pNetworkContext->sslContext.ssl = NULL;
/* Call socket shutdown function to close connection. */
- Sockets_Disconnect(pNetworkContext->tcpSocket);
+ Sockets_Disconnect( pNetworkContext->tcpSocket );
/* free WOLFSSL_CTX object*/
- WOLFSSL_CTX* pCtx = pNetworkContext->sslContext.ctx;
- wolfSSL_CTX_free(pCtx);
+ pCtx = pNetworkContext->sslContext.ctx;
+
+ wolfSSL_CTX_free( pCtx );
pNetworkContext->sslContext.ctx = NULL;
wolfSSL_Cleanup();
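Review bot: TLS_FreeRTOS_Disconnect dereferences pNetworkContext at L421 with no NULL check, whereas TLS_FreeRTOS_Connect rejects a NULL context up front (L408); a caller that takes the Connect error path and then calls Disconnect from its cleanup will fault here instead of being told. I would add `if( pNetworkContext == NULL ) { return; }` before the first use (the function is void); the wolfSSL_free/wolfSSL_CTX_free calls already tolerate the NULL members this function writes back. The return value of wolfSSL_shutdown() at L425 is dropped, which is acceptable when the socket is torn down immediately afterwards, but a comment such as `/* one-way close_notify; the peer's reply is not awaited because the socket is closed below */` would stop the next reader from "fixing" it. The function body continues beyond this hunk.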
@@ -409,21 +420,26 @@ int32_t TLS_FreeRTOS_recv( NetworkContext_t * pNetworkContext,
size_t bytesToRecv )
{
int32_t tlsStatus = 0;
- int iResult = 0;
- WOLFSSL* pSsl = pNetworkContext->sslContext.ssl;
-
+ int iResult = 0;
+ WOLFSSL * pSsl = pNetworkContext->sslContext.ssl;
+
iResult = wolfSSL_read( pSsl, pBuffer, bytesToRecv );
- if (iResult > 0)
+ if( iResult > 0 )
+ {
tlsStatus = iResult;
- else if ( wolfSSL_want_read( pSsl ) == 1 )
+ }
+ else if( wolfSSL_want_read( pSsl ) == 1 )
+ {
tlsStatus = 0;
+ }
else
{
tlsStatus = wolfSSL_state( pSsl );
- LogError(("Error from wolfSSL_read %d : %s ",
- iResult, wolfSSL_ERR_reason_error_string( tlsStatus )));
+ LogError( ( "Error from wolfSSL_read %d : %s ",
+ iResult, wolfSSL_ERR_reason_error_string( tlsStatus ) ) );
}
+
return tlsStatus;
}
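Review bot: The error branch at L462-L469 relies on wolfSSL_state( pSsl ) returning a negative value so the caller can tell failure apart from the `tlsStatus = 0` "try again" result; as I read the wolfSSL API, wolfSSL_state() returns the object's last stored error, while wolfSSL_get_error( pSsl, iResult ) is the documented way to classify the read that just failed and can legitimately return a non-negative code (a clean close_notify makes wolfSSL_read return 0 with want_read false). I would use `tlsStatus = wolfSSL_get_error( pSsl, iResult );` and pin the transport contract with `if( tlsStatus >= 0 ) { tlsStatus = -1; }` so no error can ever be surfaced as "no data yet". Also, `bytesToRecv` (size_t) is silently narrowed to int at L451; in practice MQTT buffers stay far below INT_MAX, but an explicit `( int ) bytesToRecv` with a comment would record that assumption.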
@@ -434,21 +450,26 @@ int32_t TLS_FreeRTOS_send( NetworkContext_t * pNetworkContext,
size_t bytesToSend )
{
int32_t tlsStatus = 0;
- int iResult = 0;
- WOLFSSL* pSsl = pNetworkContext->sslContext.ssl;
-
+ int iResult = 0;
+ WOLFSSL * pSsl = pNetworkContext->sslContext.ssl;
+
iResult = wolfSSL_write( pSsl, pBuffer, bytesToSend );
-
- if (iResult > 0)
+
+ if( iResult > 0 )
+ {
tlsStatus = iResult;
- else if( wolfSSL_want_write( pSsl ) == 1)
+ }
+ else if( wolfSSL_want_write( pSsl ) == 1 )
+ {
tlsStatus = 0;
+ }
else
{
- tlsStatus = wolfSSL_state(pSsl);
- LogError(("Error from wolfSL_write %d : %s ",
- iResult, wolfSSL_ERR_reason_error_string( tlsStatus )));
+ tlsStatus = wolfSSL_state( pSsl );
+ LogError( ( "Error from wolfSL_write %d : %s ",
+ iResult, wolfSSL_ERR_reason_error_string( tlsStatus ) ) );
}
+
return tlsStatus;
}
/*-----------------------------------------------------------*/
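Review bot: The log message at L502 still reads `Error from wolfSL_write`, a typo for wolfSSL_write carried over from the old side, and the format keeps a stray trailing space after `%s`; `LogError( ( "Error from wolfSSL_write %d : %s", iResult, wolfSSL_ERR_reason_error_string( tlsStatus ) ) );` fixes both. As in TLS_FreeRTOS_recv, the rule that a non-negative return means "retry" depends on wolfSSL_state() yielding a negative code in the else branch (L496-L504); `tlsStatus = wolfSSL_get_error( pSsl, iResult );` followed by `if( tlsStatus >= 0 ) { tlsStatus = -1; }` would make that guarantee explicit. `bytesToSend` (size_t) is also narrowed to int at L483 without a cast or comment.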