Mark Radbourne
Demo using MBED TLS
Dependencies: EthernetInterface NTPClient iothub_amqp_transport iothub_client mbed-rtos mbed
Fork of
iothub_client_sample_amqp
by 
Azure IoT
azure_c_shared_utility/tlsio_mbedtls.c
- Committer:
- markrad
- Date:
- 2017-01-05
- Revision:
- 58:f50b97b08851
File content as of revision 58:f50b97b08851:
// Copyright (c) Microsoft. All rights reserved.
// Licensed under the MIT license. See LICENSE file in the project root for full license information.
#include "azure_c_shared_utility/tlsio_mbedconfig.h"
#ifdef USE_MBED_TLS
#include <stdlib.h>
#ifdef _CRTDBG_MAP_ALLOC
#include <crtdbg.h>
#endif
#include "mbedtls/config.h"
#include "mbedtls/debug.h"
#include "mbedtls/ssl.h"
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
#include "mbedtls/error.h"
#include "mbedtls/certs.h"
#include "mbedtls/entropy_poll.h"
#include <stdio.h>
#include <stdbool.h>
#include <string.h>
#include "azure_c_shared_utility/tlsio.h"
#include "azure_c_shared_utility/tlsio_mbedtls.h"
#include "azure_c_shared_utility/socketio.h"
typedef enum TLSIO_STATE_ENUM_TAG
{
TLSIO_STATE_NOT_OPEN,
TLSIO_STATE_OPENING_UNDERLYING_IO,
TLSIO_STATE_IN_HANDSHAKE,
TLSIO_STATE_OPEN,
TLSIO_STATE_CLOSING,
TLSIO_STATE_ERROR
} TLSIO_STATE_ENUM;
typedef struct TLS_IO_INSTANCE_TAG
{
XIO_HANDLE socket_io;
ON_BYTES_RECEIVED on_bytes_received;
ON_IO_OPEN_COMPLETE on_io_open_complete;
ON_IO_CLOSE_COMPLETE on_io_close_complete;
ON_IO_ERROR on_io_error;
void* on_bytes_received_context;
void* on_io_open_complete_context;
void* on_io_close_complete_context;
void* on_io_error_context;
TLSIO_STATE_ENUM tlsio_state;
unsigned char* socket_io_read_bytes;
size_t socket_io_read_byte_count;
ON_SEND_COMPLETE on_send_complete;
void* on_send_complete_callback_context;
mbedtls_entropy_context entropy;
mbedtls_ctr_drbg_context ctr_drbg;
mbedtls_ssl_context ssl;
mbedtls_ssl_config config;
mbedtls_x509_crt cacert;
mbedtls_ssl_session ssn;
} TLS_IO_INSTANCE;
static const IO_INTERFACE_DESCRIPTION tlsio_mbedtls_interface_description =
{
tlsio_mbedtls_retrieveoptions,
tlsio_mbedtls_create,
tlsio_mbedtls_destroy,
tlsio_mbedtls_open,
tlsio_mbedtls_close,
tlsio_mbedtls_send,
tlsio_mbedtls_dowork,
tlsio_mbedtls_setoption
};
#if defined (MBED_TLS_DEBUG_ENABLE)
void mbedtls_debug(void *ctx, int level,const char *file, int line, const char *str )
{
((void) level);
printf("%s (%d): %s\r\n", file,line,str);
}
#endif
static void indicate_error(TLS_IO_INSTANCE* tls_io_instance)
{
if (tls_io_instance->on_io_error != NULL)
{
tls_io_instance->on_io_error(tls_io_instance->on_io_error_context);
}
}
static void indicate_open_complete(TLS_IO_INSTANCE* tls_io_instance, IO_OPEN_RESULT open_result)
{
if (tls_io_instance->on_io_open_complete != NULL)
{
tls_io_instance->on_io_open_complete(tls_io_instance->on_io_open_complete_context, open_result);
}
}
static int decode_ssl_received_bytes(TLS_IO_INSTANCE* tls_io_instance)
{
int result = 0;
unsigned char buffer[64];
int rcv_bytes = 1;
while (rcv_bytes > 0)
{
rcv_bytes = mbedtls_ssl_read(&tls_io_instance->ssl, buffer, sizeof(buffer));
if (rcv_bytes > 0)
{
if (tls_io_instance->on_bytes_received != NULL)
{
tls_io_instance->on_bytes_received(tls_io_instance->on_bytes_received_context, buffer, rcv_bytes);
}
}
}
return result;
}
static int on_handshake_done(mbedtls_ssl_context* ssl, void* context)
{
TLS_IO_INSTANCE* tls_io_instance = (TLS_IO_INSTANCE*)context;
if (tls_io_instance->tlsio_state == TLSIO_STATE_IN_HANDSHAKE)
{
tls_io_instance->tlsio_state = TLSIO_STATE_OPEN;
indicate_open_complete(tls_io_instance, IO_OPEN_OK);
}
return 0;
}
static int mbedtls_connect(void* context) {
TLS_IO_INSTANCE* tls_io_instance = (TLS_IO_INSTANCE*)context;
int result = 0;
do {
result = mbedtls_ssl_handshake(&tls_io_instance->ssl);
}
while( result == MBEDTLS_ERR_SSL_WANT_READ || result == MBEDTLS_ERR_SSL_WANT_WRITE );
if(result == 0)
{
on_handshake_done(&tls_io_instance->ssl,(void *)tls_io_instance);
}
return result;
}
static void on_underlying_io_open_complete(void* context, IO_OPEN_RESULT open_result)
{
TLS_IO_INSTANCE* tls_io_instance = (TLS_IO_INSTANCE*)context;
int result = 0;
if (open_result != IO_OPEN_OK)
{
tls_io_instance->tlsio_state = TLSIO_STATE_ERROR;
indicate_open_complete(tls_io_instance, IO_OPEN_ERROR);
}
else
{
tls_io_instance->tlsio_state = TLSIO_STATE_IN_HANDSHAKE;
result = mbedtls_connect(tls_io_instance);
if (result != 0)
{
indicate_open_complete(tls_io_instance, IO_OPEN_ERROR);
}
}
}
static void on_underlying_io_bytes_received(void* context, const unsigned char* buffer, size_t size)
{
TLS_IO_INSTANCE* tls_io_instance = (TLS_IO_INSTANCE*)context;
unsigned char* new_socket_io_read_bytes = (unsigned char*)realloc(tls_io_instance->socket_io_read_bytes, tls_io_instance->socket_io_read_byte_count + size);
if (new_socket_io_read_bytes == NULL)
{
tls_io_instance->tlsio_state = TLSIO_STATE_ERROR;
indicate_error(tls_io_instance);
}
else
{
tls_io_instance->socket_io_read_bytes = new_socket_io_read_bytes;
(void)memcpy(tls_io_instance->socket_io_read_bytes + tls_io_instance->socket_io_read_byte_count, buffer, size);
tls_io_instance->socket_io_read_byte_count += size;
}
}
static void on_underlying_io_error(void* context)
{
TLS_IO_INSTANCE* tls_io_instance = (TLS_IO_INSTANCE*)context;
switch (tls_io_instance->tlsio_state)
{
default:
case TLSIO_STATE_NOT_OPEN:
case TLSIO_STATE_ERROR:
break;
case TLSIO_STATE_OPENING_UNDERLYING_IO:
case TLSIO_STATE_IN_HANDSHAKE:
tls_io_instance->tlsio_state = TLSIO_STATE_ERROR;
indicate_open_complete(tls_io_instance, IO_OPEN_ERROR);
break;
case TLSIO_STATE_OPEN:
tls_io_instance->tlsio_state = TLSIO_STATE_ERROR;
indicate_error(tls_io_instance);
break;
}
}
static void on_underlying_io_close_complete(void* context)
{
TLS_IO_INSTANCE* tls_io_instance = (TLS_IO_INSTANCE*)context;
if (tls_io_instance->tlsio_state == TLSIO_STATE_CLOSING)
{
if (tls_io_instance->on_io_close_complete != NULL)
{
tls_io_instance->on_io_close_complete(tls_io_instance->on_io_close_complete_context);
}
}
}
static int on_io_recv(void *context,unsigned char *buf, size_t sz)
{
int result;
TLS_IO_INSTANCE* tls_io_instance = (TLS_IO_INSTANCE*)context;
unsigned char* new_socket_io_read_bytes;
while (tls_io_instance->socket_io_read_byte_count == 0)
{
xio_dowork(tls_io_instance->socket_io);
if (tls_io_instance->tlsio_state == TLSIO_STATE_OPEN)
{
break;
}
}
result = tls_io_instance->socket_io_read_byte_count;
if (result > sz)
{
result = sz;
}
if (result > 0)
{
(void)memcpy((void *)buf,tls_io_instance->socket_io_read_bytes, result);
(void)memmove(tls_io_instance->socket_io_read_bytes, tls_io_instance->socket_io_read_bytes + result, tls_io_instance->socket_io_read_byte_count - result);
tls_io_instance->socket_io_read_byte_count -= result;
if (tls_io_instance->socket_io_read_byte_count > 0)
{
new_socket_io_read_bytes = (unsigned char*)realloc(tls_io_instance->socket_io_read_bytes, tls_io_instance->socket_io_read_byte_count);
if (new_socket_io_read_bytes != NULL)
{
tls_io_instance->socket_io_read_bytes = new_socket_io_read_bytes;
}
}
else
{
free(tls_io_instance->socket_io_read_bytes);
tls_io_instance->socket_io_read_bytes = NULL;
}
}
if ((result == 0) && (tls_io_instance->tlsio_state == TLSIO_STATE_OPEN))
{
result = MBEDTLS_ERR_SSL_WANT_READ;
}
return result;
}
static int on_io_send(void *context,const unsigned char *buf, size_t sz)
{
int result;
TLS_IO_INSTANCE* tls_io_instance = (TLS_IO_INSTANCE*)context;
if (xio_send(tls_io_instance->socket_io, buf, sz, tls_io_instance->on_send_complete, tls_io_instance->on_send_complete_callback_context) != 0)
{
tls_io_instance->tlsio_state = TLSIO_STATE_ERROR;
indicate_error(tls_io_instance);
result = 0;
}
else
{
result = sz;
}
return result;
}
//static int tlsio_entropy_poll(void *v,unsigned char *output,size_t len,size_t *olen)
int mbedtls_hardware_poll(void *v,unsigned char *output,size_t len,size_t *olen)
{
srand(time(NULL));
char *c = (char*)malloc(len);
memset(c, 0, len);
for(uint16_t i=0; i < len; i++){
c[i] = rand() % 256;
}
memmove(output, c, len);
*olen = len;
free(c);
return( 0 );
}
static void mbedtls_init(void *instance,const char *host) {
TLS_IO_INSTANCE *result = (TLS_IO_INSTANCE *)instance;
char *pers = "azure_iot_client";
// mbedTLS initialize...
mbedtls_entropy_init(&result->entropy);
mbedtls_ctr_drbg_init(&result->ctr_drbg);
mbedtls_ssl_init(&result->ssl);
mbedtls_ssl_session_init(&result->ssn);
mbedtls_ssl_config_init(&result->config);
mbedtls_x509_crt_init(&result->cacert);
mbedtls_entropy_add_source(&result->entropy,mbedtls_hardware_poll,NULL,128,0);
mbedtls_ctr_drbg_seed(&result->ctr_drbg,mbedtls_entropy_func,&result->entropy,(const unsigned char *)pers,strlen(pers));
mbedtls_ssl_config_defaults(&result->config,MBEDTLS_SSL_IS_CLIENT,MBEDTLS_SSL_TRANSPORT_STREAM,MBEDTLS_SSL_PRESET_DEFAULT);
mbedtls_ssl_conf_rng(&result->config,mbedtls_ctr_drbg_random,&result->ctr_drbg);
mbedtls_ssl_conf_authmode(&result->config,MBEDTLS_SSL_VERIFY_OPTIONAL);
mbedtls_ssl_conf_min_version(&result->config,MBEDTLS_SSL_MAJOR_VERSION_3,MBEDTLS_SSL_MINOR_VERSION_3); // v1.2
mbedtls_ssl_set_bio(&result->ssl,instance,on_io_send,on_io_recv,NULL);
mbedtls_ssl_set_hostname(&result->ssl,host);
mbedtls_ssl_set_session(&result->ssl,&result->ssn);
#if defined (MBED_TLS_DEBUG_ENABLE)
mbedtls_ssl_conf_dbg(&result->config, mbedtls_debug,stdout);
mbedtls_debug_set_threshold(5);
#endif
mbedtls_ssl_setup(&result->ssl,&result->config);
}
OPTIONHANDLER_HANDLE tlsio_mbedtls_retrieveoptions(CONCRETE_IO_HANDLE handle)
{
(void)handle;
return NULL;
}
CONCRETE_IO_HANDLE tlsio_mbedtls_create(void* io_create_parameters)
{
LogInfo("Starting MBED TLS\r\n");
TLSIO_CONFIG* tls_io_config = io_create_parameters;
TLS_IO_INSTANCE* result;
if (tls_io_config == NULL)
{
LogError("NULL tls_io_config");
result = NULL;
}
else
{
result = malloc(sizeof(TLS_IO_INSTANCE));
if (result != NULL)
{
SOCKETIO_CONFIG socketio_config;
socketio_config.hostname = tls_io_config->hostname;
socketio_config.port = tls_io_config->port;
socketio_config.accepted_socket = NULL;
result->on_bytes_received = NULL;
result->on_bytes_received_context = NULL;
result->on_io_open_complete = NULL;
result->on_io_open_complete_context = NULL;
result->on_io_close_complete = NULL;
result->on_io_close_complete_context = NULL;
result->on_io_error = NULL;
result->on_io_error_context = NULL;
const IO_INTERFACE_DESCRIPTION* socket_io_interface = socketio_get_interface_description();
if (socket_io_interface == NULL)
{
LogError("get socket io interface failed");
free(result);
result = NULL;
}
else
{
result->socket_io = xio_create(socket_io_interface, &socketio_config);
if (result->socket_io == NULL)
{
LogError("socket xio create failed");
free(result);
result = NULL;
}
else
{
result->socket_io_read_bytes = NULL;
result->socket_io_read_byte_count = 0;
result->on_send_complete = NULL;
result->on_send_complete_callback_context = NULL;
// mbeTLS initialize
mbedtls_init((void *)result,tls_io_config->hostname);
result->tlsio_state = TLSIO_STATE_NOT_OPEN;
}
}
}
}
return result;
}
void tlsio_mbedtls_destroy(CONCRETE_IO_HANDLE tls_io)
{
if (tls_io != NULL)
{
TLS_IO_INSTANCE* tls_io_instance = (TLS_IO_INSTANCE*)tls_io;
// mbedTLS cleanup...
mbedtls_ssl_close_notify(&tls_io_instance->ssl);
mbedtls_ssl_free(&tls_io_instance->ssl);
mbedtls_ssl_config_free(&tls_io_instance->config);
mbedtls_x509_crt_free(&tls_io_instance->cacert);
mbedtls_ctr_drbg_free(&tls_io_instance->ctr_drbg);
mbedtls_entropy_free(&tls_io_instance->entropy);
if (tls_io_instance->socket_io_read_bytes != NULL)
{
free(tls_io_instance->socket_io_read_bytes);
}
xio_destroy(tls_io_instance->socket_io);
free(tls_io);
}
}
int tlsio_mbedtls_open(CONCRETE_IO_HANDLE tls_io, ON_IO_OPEN_COMPLETE on_io_open_complete, void* on_io_open_complete_context, ON_BYTES_RECEIVED on_bytes_received, void* on_bytes_received_context, ON_IO_ERROR on_io_error, void* on_io_error_context)
{
int result = 0;
if (tls_io == NULL)
{
LogError("NULL tls_io");
result = __LINE__;
}
else
{
TLS_IO_INSTANCE* tls_io_instance = (TLS_IO_INSTANCE*)tls_io;
if (tls_io_instance->tlsio_state != TLSIO_STATE_NOT_OPEN)
{
LogError("IO should not be open");
result = __LINE__;
}
else
{
tls_io_instance->on_bytes_received = on_bytes_received;
tls_io_instance->on_bytes_received_context = on_bytes_received_context;
tls_io_instance->on_io_open_complete = on_io_open_complete;
tls_io_instance->on_io_open_complete_context = on_io_open_complete_context;
tls_io_instance->on_io_error = on_io_error;
tls_io_instance->on_io_error_context = on_io_error_context;
tls_io_instance->tlsio_state = TLSIO_STATE_OPENING_UNDERLYING_IO;
if (xio_open(tls_io_instance->socket_io, on_underlying_io_open_complete, tls_io_instance, on_underlying_io_bytes_received, tls_io_instance, on_underlying_io_error, tls_io_instance) != 0)
{
LogError("Underlying IO open failed");
tls_io_instance->tlsio_state = TLSIO_STATE_NOT_OPEN;
result = __LINE__;
}
else
{
result = 0;
}
}
}
return result;
}
int tlsio_mbedtls_close(CONCRETE_IO_HANDLE tls_io, ON_IO_CLOSE_COMPLETE on_io_close_complete, void* callback_context)
{
int result = 0;
if (tls_io == NULL)
{
result = __LINE__;
}
else
{
TLS_IO_INSTANCE* tls_io_instance = (TLS_IO_INSTANCE*)tls_io;
if ((tls_io_instance->tlsio_state == TLSIO_STATE_NOT_OPEN) ||
(tls_io_instance->tlsio_state == TLSIO_STATE_CLOSING))
{
result = __LINE__;
}
else
{
tls_io_instance->tlsio_state = TLSIO_STATE_CLOSING;
tls_io_instance->on_io_close_complete = on_io_close_complete;
tls_io_instance->on_io_close_complete_context = callback_context;
if (xio_close(tls_io_instance->socket_io, on_underlying_io_close_complete, tls_io_instance) != 0)
{
result = __LINE__;
}
else
{
result = 0;
}
}
}
return result;
}
int tlsio_mbedtls_send(CONCRETE_IO_HANDLE tls_io, const void* buffer, size_t size, ON_SEND_COMPLETE on_send_complete, void* callback_context)
{
int result;
if (tls_io == NULL)
{
result = __LINE__;
}
else
{
TLS_IO_INSTANCE* tls_io_instance = (TLS_IO_INSTANCE*)tls_io;
if (tls_io_instance->tlsio_state != TLSIO_STATE_OPEN)
{
result = __LINE__;
}
else
{
tls_io_instance->on_send_complete = on_send_complete;
tls_io_instance->on_send_complete_callback_context = callback_context;
int res = mbedtls_ssl_write(&tls_io_instance->ssl, buffer, size);
if (res != size)
{
result = __LINE__;
}
else
{
result = 0;
}
}
}
return result;
}
void tlsio_mbedtls_dowork(CONCRETE_IO_HANDLE tls_io)
{
if (tls_io != NULL)
{
TLS_IO_INSTANCE* tls_io_instance = (TLS_IO_INSTANCE*)tls_io;
if ((tls_io_instance->tlsio_state != TLSIO_STATE_NOT_OPEN) &&
(tls_io_instance->tlsio_state != TLSIO_STATE_ERROR))
{
decode_ssl_received_bytes(tls_io_instance);
xio_dowork(tls_io_instance->socket_io);
}
}
}
const IO_INTERFACE_DESCRIPTION* tlsio_mbedtls_get_interface_description(void)
{
return &tlsio_mbedtls_interface_description;
}
int tlsio_mbedtls_setoption(CONCRETE_IO_HANDLE tls_io, const char* optionName, const void* value)
{
int result = 0;
if (tls_io == NULL || optionName == NULL)
{
result = __LINE__;
}
else
{
TLS_IO_INSTANCE* tls_io_instance = (TLS_IO_INSTANCE*)tls_io;
if (strcmp("TrustedCerts", optionName) == 0)
{
result = mbedtls_x509_crt_parse(&tls_io_instance->cacert,(const unsigned char *)value,(int)(strlen(value)+1));
if( result != 0 )
{
result = __LINE__;
}
else
{
mbedtls_ssl_conf_ca_chain(&tls_io_instance->config,&tls_io_instance->cacert,NULL);
}
}
else if (tls_io_instance->socket_io == NULL)
{
result = __LINE__;
}
else
{
result = xio_setoption(tls_io_instance->socket_io, optionName, value);
}
}
return result;
}
#endif // USE_MBED_TLS