123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483 |
- /* client-tls13.c
- *
- * Copyright (C) 2006-2024 wolfSSL Inc.
- *
- * This file is part of wolfSSL.
- *
- * wolfSSL is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * wolfSSL is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
- */
- /* C Standard Library */
- #include <stdlib.h>
- #include <stdio.h>
- #include <string.h>
- #include <time.h>
- /* POSIX Library */
- #include <sys/socket.h>
- #include <arpa/inet.h>
- #include <netinet/in.h>
- #include <unistd.h>
- /* wolfSSL Library */
- #include <wolfssl/options.h>
- #include <wolfssl/ssl.h>
- #include <wolfssl/wolfio.h>
- #include <wolfssl/wolfcrypt/port/iotsafe/iotsafe.h>
- #include <wolfssl/error-ssl.h>
- /* IoTSAFE Certificate slots */
- /* File Slot '02' is pre-provisioned with
- * the client ECC public key certificate.
- */
- #define CRT_CLIENT_FILE_ID 0x02
- /* File Slot '03' is pre-provisioned with the
- * server ECC public key certificate.
- */
- #define CRT_SERVER_FILE_ID 0x03
- /* IoTSAFE Key slots */
- /* Key slot '01' is pre-provisioned with
- * the client ECC private key.
- */
- #define PRIVKEY_ID 0x01
- /* Key slot '04' is used to generate the ECDH
- * key pair that will be used during the TLS
- * session.
- */
- #define ECDH_KEYPAIR_ID 0x04
- /* Key slot '05' is used to store the ECDH public
- * key received from the peer during the TLS
- * session.
- */
- #define PEER_PUBKEY_ID 0x05
- /* Key slot '05' is used to store the public key
- * used for ECC verification - disabled in IoTSAFE.
- */
- #define PEER_CERT_ID 0x05
- /* Function Declarations */
- extern int client_loop(const char *peer_ip, const char *peer_name,
- const char *peer_port, const char *temperature);
- #if defined(USE_SECRET_CALLBACK)
- static int Tls13SecretCallback(WOLFSSL* ssl, int id, const unsigned char* secret,
- int secretSz, void* ctx);
- #endif
- /* Function Definitions */
- #if defined(USE_SECRET_CALLBACK)
- #ifndef WOLFSSL_SSLKEYLOGFILE_OUTPUT
- #define WOLFSSL_SSLKEYLOGFILE_OUTPUT "sslkeylog.log"
- #endif
- /* Callback function for TLS v1.3 secrets for use with Wireshark */
- static int Tls13SecretCallback(WOLFSSL* ssl, int id, const unsigned char* secret,
- int secretSz, void* ctx)
- {
- int i;
- const char* str = NULL;
- unsigned char clientRandom[32];
- size_t clientRandomSz;
- XFILE fp = stderr;
- if (ctx) {
- fp = XFOPEN((const char*)ctx, "ab");
- if (fp == XBADFILE) {
- return BAD_FUNC_ARG;
- }
- }
- clientRandomSz = wolfSSL_get_client_random(ssl, clientRandom,
- sizeof(clientRandom));
- switch (id) {
- case CLIENT_EARLY_TRAFFIC_SECRET:
- str = "CLIENT_EARLY_TRAFFIC_SECRET"; break;
- case EARLY_EXPORTER_SECRET:
- str = "EARLY_EXPORTER_SECRET"; break;
- case CLIENT_HANDSHAKE_TRAFFIC_SECRET:
- str = "CLIENT_HANDSHAKE_TRAFFIC_SECRET"; break;
- case SERVER_HANDSHAKE_TRAFFIC_SECRET:
- str = "SERVER_HANDSHAKE_TRAFFIC_SECRET"; break;
- case CLIENT_TRAFFIC_SECRET:
- str = "CLIENT_TRAFFIC_SECRET_0"; break;
- case SERVER_TRAFFIC_SECRET:
- str = "SERVER_TRAFFIC_SECRET_0"; break;
- case EXPORTER_SECRET:
- str = "EXPORTER_SECRET"; break;
- }
- fprintf(fp, "%s ", str);
- for (i = 0; i < (int)clientRandomSz; i++) {
- fprintf(fp, "%02x", clientRandom[i]);
- }
- fprintf(fp, " ");
- for (i = 0; i < secretSz; i++) {
- fprintf(fp, "%02x", secret[i]);
- }
- fprintf(fp, "\n");
- if (fp != stderr) {
- XFCLOSE(fp);
- }
- return 0;
- }
- #endif /* USE_SECRET_CALLBACK */
- int client_loop(const char *peer_ip, const char *peer_name,
- const char *peer_port, const char *temperature)
- {
- int ret = 0;
- /* Declare TCP objects */
- int sockfd = -1;
- struct sockaddr_in servAddr = {0};
- /* Declare TCP messaging buffer */
- char buff[2048] = {0};
- size_t len = 0;
- /* Declare certificate temporary buffer */
- uint8_t cert_buffer[2048] = {0};
- uint32_t cert_buffer_size = 0;
- uint8_t *cert_iter = NULL;
- /* Declare wolfSSL objects */
- WOLFSSL_CTX* ctx = NULL;
- WOLFSSL* ssl = NULL;
- WC_RNG rng = {0};
- char randombytes[16] = {0};
- /* Construct HTTP POST */
- /* Header */
- strcat(buff, "POST /iot/device HTTP/1.1\r\n");
- strcat(buff, "Content-Type: application/json\r\n");
- strcat(buff, "Content-Length: 1000\r\n");
- strcat(buff, "Accept: */*\r\n");
- strcat(buff, "Host: ");
- strcat(buff, peer_name);
- strcat(buff, ":");
- strcat(buff, peer_port);
- strcat(buff, "\r\n");
- /* Delimiter */
- strcat(buff, "\r\n");
- /* Body */
- srand(time(NULL));
- int devid = rand() % 100;
- char snum[5] = {0};
- snprintf(snum, sizeof(snum), "%d", devid);
- strcat(buff, "{");
- strcat(buff, "\"deviceId\": \"");
- strcat(buff, snum);
- strcat(buff, "\",");
- strcat(buff, "\"sensorType\": \"Temperature\",");
- strcat(buff, "\"sensorValue\": \"");
- strcat(buff, temperature);
- strcat(buff, "\",");
- strcat(buff, "\"sensorUnit\": \"Celsius\",");
- strcat(buff, "\"sensorTime\": 1582181510");
- strcat(buff, "}");
- strcat(buff, "\r\n");
- printf("\n\nPOST REQUEST\n\n%s\n\n", buff);
- /*---------------------------------*/
- /* Start of Socket */
- /*---------------------------------*/
- printf("---- Preparing TCP socket\n");
- /* Create a socket that uses an internet IPv4 address,
- * Sets the socket to be stream based (TCP),
- * 0 means choose the default protocol. */
- printf("---- Creating socket\n");
- if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
- {
- fprintf(stderr, "ERROR: failed to create the socket\n");
- ret = -1;
- goto exit;
- }
- /* Fill in the server address */
- printf("Peer port: %s\n", peer_port);
- servAddr.sin_family = AF_INET; /* Using IPv4 */
- servAddr.sin_port = htons(atoi(peer_port));
- /* Get the server IPv4 address from the command line call */
- printf("---- Checking peer IP address\n");
- printf("Peer IP address: %s <IPv4 address>\n", peer_ip);
- if (inet_pton(AF_INET, peer_ip, &servAddr.sin_addr) != 1)
- {
- fprintf(stderr, "ERROR: invalid peer IP address\n");
- ret = -1;
- goto exit;
- }
- /* Connect to the server */
- printf("---- Connecting to the peer socket\n");
- if ((ret = connect(sockfd, (struct sockaddr*) &servAddr, sizeof(servAddr)))
- == -1)
- {
- fprintf(stderr, "ERROR: failed to connect\n");
- goto exit;
- }
- printf("---- TCP socket connection established\n");
- /*---------------------------------*/
- /* Start of Security */
- /*---------------------------------*/
- printf("---- Preparing wolfSSL TLS 1.3\n");
- /* Initialize wolfSSL */
- printf("---- Initializing wolfSSL\n");
- if ((ret = wolfSSL_Init()) != WOLFSSL_SUCCESS)
- {
- fprintf(stderr, "ERROR: Failed to initialize the library\n");
- goto exit;
- }
- /* Allow debug print in wolfSSL */
- printf("---- Allowing debug print in wolfSSL\n");
- if ((ret = wolfSSL_Debugging_ON()) != 0)
- {
- fprintf(stderr, "WARNING: Failed to enable wolfSSL debug print\n");
- }
- /* Initialize RNG */
- printf("---- Initializing RNG\n");
- if ((ret = wc_InitRng(&rng)) != 0)
- {
- fprintf(stderr, "ERROR: Failed to initialize the random number generator\n");
- goto exit;
- }
- /* Obtain a sample RND */
- printf("---- Testing getting RND\n");
- if ((ret = wc_RNG_GenerateBlock(
- &rng,
- (byte*)randombytes,
- sizeof(randombytes)))
- != 0)
- {
- fprintf(stderr, "ERROR: Failed to get random numbers\n");
- goto exit;
- }
- else
- {
- printf("Random bytes: ");
- for (uint8_t i = 0; i < sizeof(randombytes); i++)
- printf("%02X", (unsigned int)randombytes[i]);
- printf("\n");
- }
- /* Create and initialize WOLFSSL_CTX */
- printf("---- Creating wolfSSL TLS 1.3 context object\n");
- if ((ctx = wolfSSL_CTX_new(wolfTLSv1_3_client_method())) == NULL)
- {
- fprintf(stderr, "ERROR: failed to create WOLFSSL_CTX\n");
- ret = -1;
- goto exit;
- }
- /* Initialize IoTSAFE */
- printf("---- Enabling IoTSAFE\n");
- if ((ret = wolfSSL_CTX_iotsafe_enable(ctx)) != 0)
- {
- fprintf(stderr, "ERROR: Failed to initialize IoTSAFE\n");
- goto exit;
- }
- /* Extract client certificate from IoTSAFE*/
- printf("---- Extracting client certificate from IoTSAFE\n");
- if ((cert_buffer_size = wolfIoTSafe_GetCert(
- CRT_CLIENT_FILE_ID,
- cert_buffer,
- sizeof(cert_buffer)))
- < 1)
- {
- fprintf(stderr, "ERROR: Bad client certificate\n");
- ret = -1;
- goto exit;
- }
- /* Print extracted client certificate */
- printf("---- Printing extracted client certificate\n");
- cert_iter = (uint8_t*)&cert_buffer;
- printf("Extracted client certificate in HEX:\n");
- for (uint32_t i = 0; i < cert_buffer_size; i++)
- printf("%02X", (unsigned int)*(cert_iter++));
- printf("\n");
- /* Load client certificate */
- printf("---- Loading client certificate\n");
- if ((ret = wolfSSL_CTX_use_certificate_buffer(ctx, cert_buffer,
- cert_buffer_size, WOLFSSL_FILETYPE_ASN1))
- != WOLFSSL_SUCCESS)
- {
- fprintf(stderr, "ERROR: Failed to load client certificate\n");
- return -1;
- }
- /* Extract server certificate from IoTSAFE*/
- printf("---- Extracting server certificate from IoTSAFE\n");
- if ((cert_buffer_size = wolfIoTSafe_GetCert(
- CRT_SERVER_FILE_ID,
- cert_buffer,
- sizeof(cert_buffer)))
- < 1)
- {
- fprintf(stderr, "ERROR: Bad server certificate\n");
- ret = -1;
- goto exit;
- }
- /* Print extracted server certificate */
- printf("---- Printing extracted server certificate\n");
- cert_iter = (uint8_t*)&cert_buffer;
- printf("Extracted server certificate in HEX:\n");
- for (uint32_t i = 0; i < cert_buffer_size; i++)
- printf("%02X", (unsigned int)*(cert_iter++));
- printf("\n");
- /* Load server certificate */
- printf("---- Loading server certificate\n");
- if ((ret = wolfSSL_CTX_trust_peer_buffer(ctx, cert_buffer,
- cert_buffer_size, WOLFSSL_FILETYPE_ASN1))
- != WOLFSSL_SUCCESS)
- {
- fprintf(stderr, "ERROR: Failed to load server certificate\n");
- return -1;
- }
- /* Set client to authenticate server */
- printf("---- Enabling client to authenticate server\n");
- wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_PEER, NULL);
- /* Create a WOLFSSL object */
- printf("---- Creating wolfSSL TLS 1.3 connection object\n");
- if ((ssl = wolfSSL_new(ctx)) == NULL)
- {
- fprintf(stderr, "ERROR: failed to create WOLFSSL object\n");
- ret = -1;
- goto exit;
- }
- /* Attach IoTSAFE usage to the wolfSSL */
- printf("---- Using IoTSAFE for TLS 1.3\n");
- if ((ret = wolfSSL_iotsafe_on(
- ssl, PRIVKEY_ID, ECDH_KEYPAIR_ID,
- PEER_PUBKEY_ID, PEER_CERT_ID))
- != 0)
- {
- fprintf(stderr, "ERROR: Failed to use IoTSAFE\n");
- goto exit;
- }
- /* Attach wolfSSL to the socket */
- printf("---- Attaching TLS 1.3 to the socket\n");
- if ((ret = wolfSSL_set_fd(ssl, sockfd)) != WOLFSSL_SUCCESS)
- {
- fprintf(stderr, "ERROR: Failed to set the file descriptor\n");
- goto exit;
- }
- #ifdef USE_SECRET_CALLBACK
- /* Logging usage for wireshark */
- printf("---- Attaching TLS 1.3 secret callback for wireshark\n");
- if ((ret = wolfSSL_set_tls13_secret_cb(
- ssl,
- Tls13SecretCallback,
- (void*)WOLFSSL_SSLKEYLOGFILE_OUTPUT))
- != WOLFSSL_SUCCESS)
- {
- fprintf(stderr, "ERROR: Failed to set the secret callback\n");
- goto exit;
- }
- #endif
- /* Connect to wolfSSL on the server side */
- printf("---- Start TLS 1.3 handshaking\n");
- if ((ret = wolfSSL_connect(ssl)) != WOLFSSL_SUCCESS)
- {
- fprintf(stderr, "ERROR: failed to connect to wolfSSL\n");
- goto exit;
- }
- printf("---- wolfSSL TLS 1.3 connection established\n");
- /*---------------------------------*/
- /* Start of Communication */
- /*---------------------------------*/
- printf("---- Communication starts\n");
- /* Get a message for the server from stdin */
- printf("Enter message for server:\n");
- printf("[OUT]:\n");
- printf("\n\n%s\n\n", buff);
- len = strlen(buff);
- /* Send the message to the server */
- printf("Sending message to the server\n");
- if ((size_t) (ret = wolfSSL_write(ssl, buff, len)) != len)
- {
- fprintf(stderr, "ERROR: failed to write entire message\n");
- fprintf(stderr, "%d bytes of %d bytes were sent\n", ret, (int) len);
- goto exit;
- }
- /* Read the server data into our buff array */
- printf("Receiving message from the server\n");
- memset(buff, 0, sizeof(buff));
- if ((ret = wolfSSL_read(ssl, buff, sizeof(buff) - 1)) < 0)
- {
- fprintf(stderr, "ERROR: failed to read\n");
- goto exit;
- }
- /* Print to stdout any data the server sends */
- printf("[IN] :\n%s\n", buff);
- /* Return reporting a success */
- ret = 0;
- printf("---- Communication ends\n");
- exit:
- /* Cleanup and return */
- if (sockfd != -1)
- close(sockfd); /* Close the connection to the server */
- if (ssl)
- wolfSSL_free(ssl); /* Free the wolfSSL object */
- if (ctx)
- wolfSSL_CTX_free(ctx); /* Free the wolfSSL context object */
- wc_FreeRng(&rng); /* Cleanup the RNG */
- wolfSSL_Cleanup(); /* Cleanup the wolfSSL environment */
- return ret;
- }
|